summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.gitignore1
-rw-r--r--3.14.40/1039_linux-3.14.40.patch2462
-rw-r--r--3.14.41/0000_README (renamed from 3.14.40/0000_README)6
-rw-r--r--3.14.41/1040_linux-3.14.41.patch3586
-rw-r--r--3.14.41/4420_grsecurity-3.1-3.14.41-201505091723.patch (renamed from 3.14.40/4420_grsecurity-3.1-3.14.40-201505042052.patch)532
-rw-r--r--3.14.41/4425_grsec_remove_EI_PAX.patch (renamed from 4.0.1/4425_grsec_remove_EI_PAX.patch)2
-rw-r--r--3.14.41/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.40/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--3.14.41/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.40/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--3.14.41/4435_grsec-mute-warnings.patch (renamed from 3.14.40/4435_grsec-mute-warnings.patch)0
-rw-r--r--3.14.41/4440_grsec-remove-protected-paths.patch (renamed from 3.14.40/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--3.14.41/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.40/4450_grsec-kconfig-default-gids.patch)8
-rw-r--r--3.14.41/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.40/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--3.14.41/4470_disable-compat_vdso.patch (renamed from 3.14.40/4470_disable-compat_vdso.patch)0
-rw-r--r--3.14.41/4475_emutramp_default_on.patch (renamed from 4.0.1/4475_emutramp_default_on.patch)4
-rw-r--r--3.2.68/0000_README2
-rw-r--r--3.2.68/4420_grsecurity-3.1-3.2.68-201505091720.patch (renamed from 3.2.68/4420_grsecurity-3.1-3.2.68-201505042051.patch)172
-rw-r--r--3.2.68/4425_grsec_remove_EI_PAX.patch2
-rw-r--r--3.2.68/4450_grsec-kconfig-default-gids.patch8
-rw-r--r--3.2.68/4475_emutramp_default_on.patch4
-rw-r--r--4.0.2/0000_README (renamed from 4.0.1/0000_README)6
-rw-r--r--4.0.2/1001_linux-4.0.2.patch8587
-rw-r--r--4.0.2/4420_grsecurity-3.1-4.0.2-201505091724.patch (renamed from 4.0.1/4420_grsecurity-3.1-4.0.1-201505042053.patch)1226
-rw-r--r--4.0.2/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.40/4425_grsec_remove_EI_PAX.patch)2
-rw-r--r--4.0.2/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.0.1/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--4.0.2/4430_grsec-remove-localversion-grsec.patch (renamed from 4.0.1/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--4.0.2/4435_grsec-mute-warnings.patch (renamed from 4.0.1/4435_grsec-mute-warnings.patch)10
-rw-r--r--4.0.2/4440_grsec-remove-protected-paths.patch (renamed from 4.0.1/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--4.0.2/4450_grsec-kconfig-default-gids.patch (renamed from 4.0.1/4450_grsec-kconfig-default-gids.patch)8
-rw-r--r--4.0.2/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.0.1/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--4.0.2/4470_disable-compat_vdso.patch (renamed from 4.0.1/4470_disable-compat_vdso.patch)0
-rw-r--r--4.0.2/4475_emutramp_default_on.patch (renamed from 3.14.40/4475_emutramp_default_on.patch)4
31 files changed, 13645 insertions, 2987 deletions
diff --git a/.gitignore b/.gitignore
index 284ec2b..2b7bb0a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
grsecurity*
hardened*
+genpatches*
rsbac*
xtpax*
diff --git a/3.14.40/1039_linux-3.14.40.patch b/3.14.40/1039_linux-3.14.40.patch
deleted file mode 100644
index 6afa4bd..0000000
--- a/3.14.40/1039_linux-3.14.40.patch
+++ /dev/null
@@ -1,2462 +0,0 @@
-diff --git a/Makefile b/Makefile
-index b40845e..070e0eb 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 3
- PATCHLEVEL = 14
--SUBLEVEL = 39
-+SUBLEVEL = 40
- EXTRAVERSION =
- NAME = Remembering Coco
-
-diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c
-index 98838a0..9d0ac09 100644
---- a/arch/alpha/mm/fault.c
-+++ b/arch/alpha/mm/fault.c
-@@ -156,6 +156,8 @@ retry:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/arc/mm/fault.c b/arch/arc/mm/fault.c
-index 9c69552..01e18b5 100644
---- a/arch/arc/mm/fault.c
-+++ b/arch/arc/mm/fault.c
-@@ -162,6 +162,8 @@ good_area:
- /* TBD: switch to pagefault_out_of_memory() */
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
-
-diff --git a/arch/arm/include/asm/pgtable-3level-hwdef.h b/arch/arm/include/asm/pgtable-3level-hwdef.h
-index 626989f..9fd61c7 100644
---- a/arch/arm/include/asm/pgtable-3level-hwdef.h
-+++ b/arch/arm/include/asm/pgtable-3level-hwdef.h
-@@ -43,7 +43,7 @@
- #define PMD_SECT_BUFFERABLE (_AT(pmdval_t, 1) << 2)
- #define PMD_SECT_CACHEABLE (_AT(pmdval_t, 1) << 3)
- #define PMD_SECT_USER (_AT(pmdval_t, 1) << 6) /* AP[1] */
--#define PMD_SECT_RDONLY (_AT(pmdval_t, 1) << 7) /* AP[2] */
-+#define PMD_SECT_AP2 (_AT(pmdval_t, 1) << 7) /* read only */
- #define PMD_SECT_S (_AT(pmdval_t, 3) << 8)
- #define PMD_SECT_AF (_AT(pmdval_t, 1) << 10)
- #define PMD_SECT_nG (_AT(pmdval_t, 1) << 11)
-@@ -72,6 +72,7 @@
- #define PTE_TABLE_BIT (_AT(pteval_t, 1) << 1)
- #define PTE_BUFFERABLE (_AT(pteval_t, 1) << 2) /* AttrIndx[0] */
- #define PTE_CACHEABLE (_AT(pteval_t, 1) << 3) /* AttrIndx[1] */
-+#define PTE_AP2 (_AT(pteval_t, 1) << 7) /* AP[2] */
- #define PTE_EXT_SHARED (_AT(pteval_t, 3) << 8) /* SH[1:0], inner shareable */
- #define PTE_EXT_AF (_AT(pteval_t, 1) << 10) /* Access Flag */
- #define PTE_EXT_NG (_AT(pteval_t, 1) << 11) /* nG */
-diff --git a/arch/arm/include/asm/pgtable-3level.h b/arch/arm/include/asm/pgtable-3level.h
-index 85c60ad..06e0bc0 100644
---- a/arch/arm/include/asm/pgtable-3level.h
-+++ b/arch/arm/include/asm/pgtable-3level.h
-@@ -79,18 +79,19 @@
- #define L_PTE_PRESENT (_AT(pteval_t, 3) << 0) /* Present */
- #define L_PTE_FILE (_AT(pteval_t, 1) << 2) /* only when !PRESENT */
- #define L_PTE_USER (_AT(pteval_t, 1) << 6) /* AP[1] */
--#define L_PTE_RDONLY (_AT(pteval_t, 1) << 7) /* AP[2] */
- #define L_PTE_SHARED (_AT(pteval_t, 3) << 8) /* SH[1:0], inner shareable */
- #define L_PTE_YOUNG (_AT(pteval_t, 1) << 10) /* AF */
- #define L_PTE_XN (_AT(pteval_t, 1) << 54) /* XN */
--#define L_PTE_DIRTY (_AT(pteval_t, 1) << 55) /* unused */
--#define L_PTE_SPECIAL (_AT(pteval_t, 1) << 56) /* unused */
-+#define L_PTE_DIRTY (_AT(pteval_t, 1) << 55)
-+#define L_PTE_SPECIAL (_AT(pteval_t, 1) << 56)
- #define L_PTE_NONE (_AT(pteval_t, 1) << 57) /* PROT_NONE */
-+#define L_PTE_RDONLY (_AT(pteval_t, 1) << 58) /* READ ONLY */
-
--#define PMD_SECT_VALID (_AT(pmdval_t, 1) << 0)
--#define PMD_SECT_DIRTY (_AT(pmdval_t, 1) << 55)
--#define PMD_SECT_SPLITTING (_AT(pmdval_t, 1) << 56)
--#define PMD_SECT_NONE (_AT(pmdval_t, 1) << 57)
-+#define L_PMD_SECT_VALID (_AT(pmdval_t, 1) << 0)
-+#define L_PMD_SECT_DIRTY (_AT(pmdval_t, 1) << 55)
-+#define L_PMD_SECT_SPLITTING (_AT(pmdval_t, 1) << 56)
-+#define L_PMD_SECT_NONE (_AT(pmdval_t, 1) << 57)
-+#define L_PMD_SECT_RDONLY (_AT(pteval_t, 1) << 58)
-
- /*
- * To be used in assembly code with the upper page attributes.
-@@ -207,27 +208,32 @@ static inline pmd_t *pmd_offset(pud_t *pud, unsigned long addr)
- #define pte_huge(pte) (pte_val(pte) && !(pte_val(pte) & PTE_TABLE_BIT))
- #define pte_mkhuge(pte) (__pte(pte_val(pte) & ~PTE_TABLE_BIT))
-
--#define pmd_young(pmd) (pmd_val(pmd) & PMD_SECT_AF)
-+#define pmd_isset(pmd, val) ((u32)(val) == (val) ? pmd_val(pmd) & (val) \
-+ : !!(pmd_val(pmd) & (val)))
-+#define pmd_isclear(pmd, val) (!(pmd_val(pmd) & (val)))
-+
-+#define pmd_young(pmd) (pmd_isset((pmd), PMD_SECT_AF))
-
- #define __HAVE_ARCH_PMD_WRITE
--#define pmd_write(pmd) (!(pmd_val(pmd) & PMD_SECT_RDONLY))
-+#define pmd_write(pmd) (pmd_isclear((pmd), L_PMD_SECT_RDONLY))
-+#define pmd_dirty(pmd) (pmd_isset((pmd), L_PMD_SECT_DIRTY))
-
- #define pmd_hugewillfault(pmd) (!pmd_young(pmd) || !pmd_write(pmd))
- #define pmd_thp_or_huge(pmd) (pmd_huge(pmd) || pmd_trans_huge(pmd))
-
- #ifdef CONFIG_TRANSPARENT_HUGEPAGE
--#define pmd_trans_huge(pmd) (pmd_val(pmd) && !(pmd_val(pmd) & PMD_TABLE_BIT))
--#define pmd_trans_splitting(pmd) (pmd_val(pmd) & PMD_SECT_SPLITTING)
-+#define pmd_trans_huge(pmd) (pmd_val(pmd) && !pmd_table(pmd))
-+#define pmd_trans_splitting(pmd) (pmd_isset((pmd), L_PMD_SECT_SPLITTING))
- #endif
-
- #define PMD_BIT_FUNC(fn,op) \
- static inline pmd_t pmd_##fn(pmd_t pmd) { pmd_val(pmd) op; return pmd; }
-
--PMD_BIT_FUNC(wrprotect, |= PMD_SECT_RDONLY);
-+PMD_BIT_FUNC(wrprotect, |= L_PMD_SECT_RDONLY);
- PMD_BIT_FUNC(mkold, &= ~PMD_SECT_AF);
--PMD_BIT_FUNC(mksplitting, |= PMD_SECT_SPLITTING);
--PMD_BIT_FUNC(mkwrite, &= ~PMD_SECT_RDONLY);
--PMD_BIT_FUNC(mkdirty, |= PMD_SECT_DIRTY);
-+PMD_BIT_FUNC(mksplitting, |= L_PMD_SECT_SPLITTING);
-+PMD_BIT_FUNC(mkwrite, &= ~L_PMD_SECT_RDONLY);
-+PMD_BIT_FUNC(mkdirty, |= L_PMD_SECT_DIRTY);
- PMD_BIT_FUNC(mkyoung, |= PMD_SECT_AF);
-
- #define pmd_mkhuge(pmd) (__pmd(pmd_val(pmd) & ~PMD_TABLE_BIT))
-@@ -241,8 +247,8 @@ PMD_BIT_FUNC(mkyoung, |= PMD_SECT_AF);
-
- static inline pmd_t pmd_modify(pmd_t pmd, pgprot_t newprot)
- {
-- const pmdval_t mask = PMD_SECT_USER | PMD_SECT_XN | PMD_SECT_RDONLY |
-- PMD_SECT_VALID | PMD_SECT_NONE;
-+ const pmdval_t mask = PMD_SECT_USER | PMD_SECT_XN | L_PMD_SECT_RDONLY |
-+ L_PMD_SECT_VALID | L_PMD_SECT_NONE;
- pmd_val(pmd) = (pmd_val(pmd) & ~mask) | (pgprot_val(newprot) & mask);
- return pmd;
- }
-@@ -253,8 +259,13 @@ static inline void set_pmd_at(struct mm_struct *mm, unsigned long addr,
- BUG_ON(addr >= TASK_SIZE);
-
- /* create a faulting entry if PROT_NONE protected */
-- if (pmd_val(pmd) & PMD_SECT_NONE)
-- pmd_val(pmd) &= ~PMD_SECT_VALID;
-+ if (pmd_val(pmd) & L_PMD_SECT_NONE)
-+ pmd_val(pmd) &= ~L_PMD_SECT_VALID;
-+
-+ if (pmd_write(pmd) && pmd_dirty(pmd))
-+ pmd_val(pmd) &= ~PMD_SECT_AP2;
-+ else
-+ pmd_val(pmd) |= PMD_SECT_AP2;
-
- *pmdp = __pmd(pmd_val(pmd) | PMD_SECT_nG);
- flush_pmd_entry(pmdp);
-diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
-index 7d59b52..89dba13 100644
---- a/arch/arm/include/asm/pgtable.h
-+++ b/arch/arm/include/asm/pgtable.h
-@@ -214,12 +214,16 @@ static inline pte_t *pmd_page_vaddr(pmd_t pmd)
-
- #define pte_clear(mm,addr,ptep) set_pte_ext(ptep, __pte(0), 0)
-
-+#define pte_isset(pte, val) ((u32)(val) == (val) ? pte_val(pte) & (val) \
-+ : !!(pte_val(pte) & (val)))
-+#define pte_isclear(pte, val) (!(pte_val(pte) & (val)))
-+
- #define pte_none(pte) (!pte_val(pte))
--#define pte_present(pte) (pte_val(pte) & L_PTE_PRESENT)
--#define pte_write(pte) (!(pte_val(pte) & L_PTE_RDONLY))
--#define pte_dirty(pte) (pte_val(pte) & L_PTE_DIRTY)
--#define pte_young(pte) (pte_val(pte) & L_PTE_YOUNG)
--#define pte_exec(pte) (!(pte_val(pte) & L_PTE_XN))
-+#define pte_present(pte) (pte_isset((pte), L_PTE_PRESENT))
-+#define pte_write(pte) (pte_isclear((pte), L_PTE_RDONLY))
-+#define pte_dirty(pte) (pte_isset((pte), L_PTE_DIRTY))
-+#define pte_young(pte) (pte_isset((pte), L_PTE_YOUNG))
-+#define pte_exec(pte) (pte_isclear((pte), L_PTE_XN))
- #define pte_special(pte) (0)
-
- #define pte_present_user(pte) (pte_present(pte) && (pte_val(pte) & L_PTE_USER))
-diff --git a/arch/arm/mm/proc-v7-3level.S b/arch/arm/mm/proc-v7-3level.S
-index 22e3ad6..eb81123 100644
---- a/arch/arm/mm/proc-v7-3level.S
-+++ b/arch/arm/mm/proc-v7-3level.S
-@@ -86,8 +86,13 @@ ENTRY(cpu_v7_set_pte_ext)
- tst rh, #1 << (57 - 32) @ L_PTE_NONE
- bicne rl, #L_PTE_VALID
- bne 1f
-- tst rh, #1 << (55 - 32) @ L_PTE_DIRTY
-- orreq rl, #L_PTE_RDONLY
-+
-+ eor ip, rh, #1 << (55 - 32) @ toggle L_PTE_DIRTY in temp reg to
-+ @ test for !L_PTE_DIRTY || L_PTE_RDONLY
-+ tst ip, #1 << (55 - 32) | 1 << (58 - 32)
-+ orrne rl, #PTE_AP2
-+ biceq rl, #PTE_AP2
-+
- 1: strd r2, r3, [r0]
- ALT_SMP(W(nop))
- ALT_UP (mcr p15, 0, r0, c7, c10, 1) @ flush_pte
-diff --git a/arch/avr32/mm/fault.c b/arch/avr32/mm/fault.c
-index 0eca933..d223a8b 100644
---- a/arch/avr32/mm/fault.c
-+++ b/arch/avr32/mm/fault.c
-@@ -142,6 +142,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/cris/mm/fault.c b/arch/cris/mm/fault.c
-index 1790f22..2686a7a 100644
---- a/arch/cris/mm/fault.c
-+++ b/arch/cris/mm/fault.c
-@@ -176,6 +176,8 @@ retry:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/frv/mm/fault.c b/arch/frv/mm/fault.c
-index 9a66372..ec4917d 100644
---- a/arch/frv/mm/fault.c
-+++ b/arch/frv/mm/fault.c
-@@ -168,6 +168,8 @@ asmlinkage void do_page_fault(int datammu, unsigned long esr0, unsigned long ear
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c
-index 7225dad..ba5ba7a 100644
---- a/arch/ia64/mm/fault.c
-+++ b/arch/ia64/mm/fault.c
-@@ -172,6 +172,8 @@ retry:
- */
- if (fault & VM_FAULT_OOM) {
- goto out_of_memory;
-+ } else if (fault & VM_FAULT_SIGSEGV) {
-+ goto bad_area;
- } else if (fault & VM_FAULT_SIGBUS) {
- signal = SIGBUS;
- goto bad_area;
-diff --git a/arch/m32r/mm/fault.c b/arch/m32r/mm/fault.c
-index e9c6a80..e3d4d48901 100644
---- a/arch/m32r/mm/fault.c
-+++ b/arch/m32r/mm/fault.c
-@@ -200,6 +200,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/m68k/mm/fault.c b/arch/m68k/mm/fault.c
-index 2bd7487..b2f04ae 100644
---- a/arch/m68k/mm/fault.c
-+++ b/arch/m68k/mm/fault.c
-@@ -145,6 +145,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto map_err;
- else if (fault & VM_FAULT_SIGBUS)
- goto bus_err;
- BUG();
-diff --git a/arch/metag/mm/fault.c b/arch/metag/mm/fault.c
-index 332680e..2de5dc6 100644
---- a/arch/metag/mm/fault.c
-+++ b/arch/metag/mm/fault.c
-@@ -141,6 +141,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/microblaze/mm/fault.c b/arch/microblaze/mm/fault.c
-index fa4cf52..d46a5eb 100644
---- a/arch/microblaze/mm/fault.c
-+++ b/arch/microblaze/mm/fault.c
-@@ -224,6 +224,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
-index becc42b..70ab5d6 100644
---- a/arch/mips/mm/fault.c
-+++ b/arch/mips/mm/fault.c
-@@ -158,6 +158,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/mn10300/mm/fault.c b/arch/mn10300/mm/fault.c
-index 3516cbd..0c2cc5d 100644
---- a/arch/mn10300/mm/fault.c
-+++ b/arch/mn10300/mm/fault.c
-@@ -262,6 +262,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/openrisc/mm/fault.c b/arch/openrisc/mm/fault.c
-index 0703acf..230ac20 100644
---- a/arch/openrisc/mm/fault.c
-+++ b/arch/openrisc/mm/fault.c
-@@ -171,6 +171,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c
-index d72197f..d27e388 100644
---- a/arch/parisc/mm/fault.c
-+++ b/arch/parisc/mm/fault.c
-@@ -256,6 +256,8 @@ good_area:
- */
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto bad_area;
- BUG();
-diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
-index 51ab9e7..010fabf 100644
---- a/arch/powerpc/mm/fault.c
-+++ b/arch/powerpc/mm/fault.c
-@@ -432,6 +432,8 @@ good_area:
- */
- fault = handle_mm_fault(mm, vma, address, flags);
- if (unlikely(fault & (VM_FAULT_RETRY|VM_FAULT_ERROR))) {
-+ if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- rc = mm_fault_error(regs, address, fault);
- if (rc >= MM_FAULT_RETURN)
- goto bail;
-diff --git a/arch/powerpc/platforms/cell/spu_fault.c b/arch/powerpc/platforms/cell/spu_fault.c
-index 641e727..62f3e4e 100644
---- a/arch/powerpc/platforms/cell/spu_fault.c
-+++ b/arch/powerpc/platforms/cell/spu_fault.c
-@@ -75,7 +75,7 @@ int spu_handle_mm_fault(struct mm_struct *mm, unsigned long ea,
- if (*flt & VM_FAULT_OOM) {
- ret = -ENOMEM;
- goto out_unlock;
-- } else if (*flt & VM_FAULT_SIGBUS) {
-+ } else if (*flt & (VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV)) {
- ret = -EFAULT;
- goto out_unlock;
- }
-diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c
-index 87ba7cf..65d633f 100644
---- a/arch/powerpc/platforms/cell/spufs/inode.c
-+++ b/arch/powerpc/platforms/cell/spufs/inode.c
-@@ -164,7 +164,7 @@ static void spufs_prune_dir(struct dentry *dir)
- struct dentry *dentry, *tmp;
-
- mutex_lock(&dir->d_inode->i_mutex);
-- list_for_each_entry_safe(dentry, tmp, &dir->d_subdirs, d_u.d_child) {
-+ list_for_each_entry_safe(dentry, tmp, &dir->d_subdirs, d_child) {
- spin_lock(&dentry->d_lock);
- if (!(d_unhashed(dentry)) && dentry->d_inode) {
- dget_dlock(dentry);
-diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
-index d95265b2..8e95432 100644
---- a/arch/s390/mm/fault.c
-+++ b/arch/s390/mm/fault.c
-@@ -239,6 +239,12 @@ static noinline void do_fault_error(struct pt_regs *regs, int fault)
- do_no_context(regs);
- else
- pagefault_out_of_memory();
-+ } else if (fault & VM_FAULT_SIGSEGV) {
-+ /* Kernel mode? Handle exceptions or die */
-+ if (!user_mode(regs))
-+ do_no_context(regs);
-+ else
-+ do_sigsegv(regs, SEGV_MAPERR);
- } else if (fault & VM_FAULT_SIGBUS) {
- /* Kernel mode? Handle exceptions or die */
- if (!user_mode(regs))
-diff --git a/arch/score/mm/fault.c b/arch/score/mm/fault.c
-index 52238983..6860beb 100644
---- a/arch/score/mm/fault.c
-+++ b/arch/score/mm/fault.c
-@@ -114,6 +114,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/sh/mm/fault.c b/arch/sh/mm/fault.c
-index 541dc61..a58fec9 100644
---- a/arch/sh/mm/fault.c
-+++ b/arch/sh/mm/fault.c
-@@ -353,6 +353,8 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
- } else {
- if (fault & VM_FAULT_SIGBUS)
- do_sigbus(regs, error_code, address);
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ bad_area(regs, error_code, address);
- else
- BUG();
- }
-diff --git a/arch/sparc/mm/fault_32.c b/arch/sparc/mm/fault_32.c
-index 59dbd46..163c787 100644
---- a/arch/sparc/mm/fault_32.c
-+++ b/arch/sparc/mm/fault_32.c
-@@ -252,6 +252,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
-index 45a413e..0d6de79 100644
---- a/arch/sparc/mm/fault_64.c
-+++ b/arch/sparc/mm/fault_64.c
-@@ -448,6 +448,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/tile/mm/fault.c b/arch/tile/mm/fault.c
-index 6c05712..c6d2a76 100644
---- a/arch/tile/mm/fault.c
-+++ b/arch/tile/mm/fault.c
-@@ -444,6 +444,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/arch/um/kernel/trap.c b/arch/um/kernel/trap.c
-index 974b874..53b8320 100644
---- a/arch/um/kernel/trap.c
-+++ b/arch/um/kernel/trap.c
-@@ -80,6 +80,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM) {
- goto out_of_memory;
-+ } else if (fault & VM_FAULT_SIGSEGV) {
-+ goto out;
- } else if (fault & VM_FAULT_SIGBUS) {
- err = -EACCES;
- goto out;
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 09651d4..cf1eeea 100644
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -2258,7 +2258,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
- * Not recognized on AMD in compat mode (but is recognized in legacy
- * mode).
- */
-- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
-+ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
- && !vendor_intel(ctxt))
- return emulate_ud(ctxt);
-
-@@ -2271,25 +2271,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
- setup_syscalls_segments(ctxt, &cs, &ss);
-
- ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
-- switch (ctxt->mode) {
-- case X86EMUL_MODE_PROT32:
-- if ((msr_data & 0xfffc) == 0x0)
-- return emulate_gp(ctxt, 0);
-- break;
-- case X86EMUL_MODE_PROT64:
-- if (msr_data == 0x0)
-- return emulate_gp(ctxt, 0);
-- break;
-- default:
-- break;
-- }
-+ if ((msr_data & 0xfffc) == 0x0)
-+ return emulate_gp(ctxt, 0);
-
- ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
-- cs_sel = (u16)msr_data;
-- cs_sel &= ~SELECTOR_RPL_MASK;
-+ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
- ss_sel = cs_sel + 8;
-- ss_sel &= ~SELECTOR_RPL_MASK;
-- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
-+ if (efer & EFER_LMA) {
- cs.d = 0;
- cs.l = 1;
- }
-@@ -2298,10 +2286,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
- ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
-
- ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
-- ctxt->_eip = msr_data;
-+ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
-
- ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
-- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
-+ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
-+ (u32)msr_data;
-
- return X86EMUL_CONTINUE;
- }
-diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index a10c8c7..ebc551c 100644
---- a/arch/x86/mm/fault.c
-+++ b/arch/x86/mm/fault.c
-@@ -833,11 +833,8 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
- unsigned int fault)
- {
- struct task_struct *tsk = current;
-- struct mm_struct *mm = tsk->mm;
- int code = BUS_ADRERR;
-
-- up_read(&mm->mmap_sem);
--
- /* Kernel mode? Handle exceptions or die: */
- if (!(error_code & PF_USER)) {
- no_context(regs, error_code, address, SIGBUS, BUS_ADRERR);
-@@ -868,7 +865,6 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
- unsigned long address, unsigned int fault)
- {
- if (fatal_signal_pending(current) && !(error_code & PF_USER)) {
-- up_read(&current->mm->mmap_sem);
- no_context(regs, error_code, address, 0, 0);
- return;
- }
-@@ -876,14 +872,11 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
- if (fault & VM_FAULT_OOM) {
- /* Kernel mode? Handle exceptions or die: */
- if (!(error_code & PF_USER)) {
-- up_read(&current->mm->mmap_sem);
- no_context(regs, error_code, address,
- SIGSEGV, SEGV_MAPERR);
- return;
- }
-
-- up_read(&current->mm->mmap_sem);
--
- /*
- * We ran out of memory, call the OOM killer, and return the
- * userspace (which will retry the fault, or kill us if we got
-@@ -894,6 +887,8 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
- if (fault & (VM_FAULT_SIGBUS|VM_FAULT_HWPOISON|
- VM_FAULT_HWPOISON_LARGE))
- do_sigbus(regs, error_code, address, fault);
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ bad_area_nosemaphore(regs, error_code, address);
- else
- BUG();
- }
-@@ -1216,6 +1211,7 @@ good_area:
- return;
-
- if (unlikely(fault & VM_FAULT_ERROR)) {
-+ up_read(&mm->mmap_sem);
- mm_fault_error(regs, error_code, address, fault);
- return;
- }
-diff --git a/arch/xtensa/mm/fault.c b/arch/xtensa/mm/fault.c
-index b57c4f9..9e3571a 100644
---- a/arch/xtensa/mm/fault.c
-+++ b/arch/xtensa/mm/fault.c
-@@ -117,6 +117,8 @@ good_area:
- if (unlikely(fault & VM_FAULT_ERROR)) {
- if (fault & VM_FAULT_OOM)
- goto out_of_memory;
-+ else if (fault & VM_FAULT_SIGSEGV)
-+ goto bad_area;
- else if (fault & VM_FAULT_SIGBUS)
- goto do_sigbus;
- BUG();
-diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
-index f667e37..5afe556 100644
---- a/drivers/bluetooth/ath3k.c
-+++ b/drivers/bluetooth/ath3k.c
-@@ -62,51 +62,59 @@ static const struct usb_device_id ath3k_table[] = {
- { USB_DEVICE(0x0CF3, 0x3000) },
-
- /* Atheros AR3011 with sflash firmware*/
-+ { USB_DEVICE(0x0489, 0xE027) },
-+ { USB_DEVICE(0x0489, 0xE03D) },
-+ { USB_DEVICE(0x0930, 0x0215) },
- { USB_DEVICE(0x0CF3, 0x3002) },
- { USB_DEVICE(0x0CF3, 0xE019) },
- { USB_DEVICE(0x13d3, 0x3304) },
-- { USB_DEVICE(0x0930, 0x0215) },
-- { USB_DEVICE(0x0489, 0xE03D) },
-- { USB_DEVICE(0x0489, 0xE027) },
-
- /* Atheros AR9285 Malbec with sflash firmware */
- { USB_DEVICE(0x03F0, 0x311D) },
-
- /* Atheros AR3012 with sflash firmware*/
-- { USB_DEVICE(0x0CF3, 0x0036) },
-- { USB_DEVICE(0x0CF3, 0x3004) },
-- { USB_DEVICE(0x0CF3, 0x3008) },
-- { USB_DEVICE(0x0CF3, 0x311D) },
-- { USB_DEVICE(0x0CF3, 0x817a) },
-- { USB_DEVICE(0x13d3, 0x3375) },
-+ { USB_DEVICE(0x0489, 0xe04d) },
-+ { USB_DEVICE(0x0489, 0xe04e) },
-+ { USB_DEVICE(0x0489, 0xe057) },
-+ { USB_DEVICE(0x0489, 0xe056) },
-+ { USB_DEVICE(0x0489, 0xe05f) },
-+ { USB_DEVICE(0x0489, 0xe078) },
-+ { USB_DEVICE(0x04c5, 0x1330) },
- { USB_DEVICE(0x04CA, 0x3004) },
- { USB_DEVICE(0x04CA, 0x3005) },
- { USB_DEVICE(0x04CA, 0x3006) },
- { USB_DEVICE(0x04CA, 0x3007) },
- { USB_DEVICE(0x04CA, 0x3008) },
- { USB_DEVICE(0x04CA, 0x300b) },
-- { USB_DEVICE(0x13d3, 0x3362) },
-- { USB_DEVICE(0x0CF3, 0xE004) },
-- { USB_DEVICE(0x0CF3, 0xE005) },
-+ { USB_DEVICE(0x04CA, 0x3010) },
- { USB_DEVICE(0x0930, 0x0219) },
- { USB_DEVICE(0x0930, 0x0220) },
-- { USB_DEVICE(0x0489, 0xe057) },
-- { USB_DEVICE(0x13d3, 0x3393) },
-- { USB_DEVICE(0x0489, 0xe04e) },
-- { USB_DEVICE(0x0489, 0xe056) },
-- { USB_DEVICE(0x0489, 0xe04d) },
-- { USB_DEVICE(0x04c5, 0x1330) },
-- { USB_DEVICE(0x13d3, 0x3402) },
-+ { USB_DEVICE(0x0930, 0x0227) },
-+ { USB_DEVICE(0x0b05, 0x17d0) },
-+ { USB_DEVICE(0x0CF3, 0x0036) },
-+ { USB_DEVICE(0x0CF3, 0x3004) },
-+ { USB_DEVICE(0x0CF3, 0x3008) },
-+ { USB_DEVICE(0x0CF3, 0x311D) },
-+ { USB_DEVICE(0x0CF3, 0x311E) },
-+ { USB_DEVICE(0x0CF3, 0x311F) },
- { USB_DEVICE(0x0cf3, 0x3121) },
-+ { USB_DEVICE(0x0CF3, 0x817a) },
- { USB_DEVICE(0x0cf3, 0xe003) },
-- { USB_DEVICE(0x0489, 0xe05f) },
-+ { USB_DEVICE(0x0CF3, 0xE004) },
-+ { USB_DEVICE(0x0CF3, 0xE005) },
-+ { USB_DEVICE(0x13d3, 0x3362) },
-+ { USB_DEVICE(0x13d3, 0x3375) },
-+ { USB_DEVICE(0x13d3, 0x3393) },
-+ { USB_DEVICE(0x13d3, 0x3402) },
-+ { USB_DEVICE(0x13d3, 0x3408) },
-+ { USB_DEVICE(0x13d3, 0x3432) },
-
- /* Atheros AR5BBU12 with sflash firmware */
- { USB_DEVICE(0x0489, 0xE02C) },
-
- /* Atheros AR5BBU22 with sflash firmware */
-- { USB_DEVICE(0x0489, 0xE03C) },
- { USB_DEVICE(0x0489, 0xE036) },
-+ { USB_DEVICE(0x0489, 0xE03C) },
-
- { } /* Terminating entry */
- };
-@@ -119,37 +127,45 @@ MODULE_DEVICE_TABLE(usb, ath3k_table);
- static const struct usb_device_id ath3k_blist_tbl[] = {
-
- /* Atheros AR3012 with sflash firmware*/
-- { USB_DEVICE(0x0CF3, 0x0036), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0CF3, 0x0036), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0x311E), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
-
- /* Atheros AR5BBU22 with sflash firmware */
-- { USB_DEVICE(0x0489, 0xE03C), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xE03C), .driver_info = BTUSB_ATH3012 },
-
- { } /* Terminating entry */
- };
-diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
-index e00c3f8..03b3317 100644
---- a/drivers/bluetooth/btusb.c
-+++ b/drivers/bluetooth/btusb.c
-@@ -49,6 +49,7 @@ static struct usb_driver btusb_driver;
- #define BTUSB_WRONG_SCO_MTU 0x40
- #define BTUSB_ATH3012 0x80
- #define BTUSB_INTEL 0x100
-+#define BTUSB_INTEL_BOOT 0x200
-
- static const struct usb_device_id btusb_table[] = {
- /* Generic Bluetooth USB device */
-@@ -101,21 +102,31 @@ static const struct usb_device_id btusb_table[] = {
- { USB_DEVICE(0x0c10, 0x0000) },
-
- /* Broadcom BCM20702A0 */
-+ { USB_DEVICE(0x0489, 0xe042) },
-+ { USB_DEVICE(0x04ca, 0x2003) },
- { USB_DEVICE(0x0b05, 0x17b5) },
- { USB_DEVICE(0x0b05, 0x17cb) },
-- { USB_DEVICE(0x04ca, 0x2003) },
-- { USB_DEVICE(0x0489, 0xe042) },
- { USB_DEVICE(0x413c, 0x8197) },
-
- /* Foxconn - Hon Hai */
- { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01) },
-
-- /*Broadcom devices with vendor specific id */
-+ /* Broadcom devices with vendor specific id */
- { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01) },
-
-+ /* ASUSTek Computer - Broadcom based */
-+ { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01) },
-+
- /* Belkin F8065bf - Broadcom based */
- { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) },
-
-+ /* IMC Networks - Broadcom based */
-+ { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01) },
-+
-+ /* Intel Bluetooth USB Bootloader (RAM module) */
-+ { USB_DEVICE(0x8087, 0x0a5a),
-+ .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC },
-+
- { } /* Terminating entry */
- };
-
-@@ -129,56 +140,64 @@ static const struct usb_device_id blacklist_table[] = {
- { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE },
-
- /* Atheros 3011 with sflash firmware */
-+ { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
-+ { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
-+ { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
- { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
- { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
- { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
-- { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
-- { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
-- { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
-
- /* Atheros AR9285 Malbec with sflash firmware */
- { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
-
- /* Atheros 3012 with sflash firmware */
-- { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
-- { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
-
- /* Atheros AR5BBU12 with sflash firmware */
- { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
-
- /* Atheros AR5BBU12 with sflash firmware */
-- { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
-
- /* Broadcom BCM2035 */
-- { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
-- { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
- { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
-+ { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
-+ { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
-
- /* Broadcom BCM2045 */
- { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU },
-@@ -1491,6 +1510,9 @@ static int btusb_probe(struct usb_interface *intf,
- if (id->driver_info & BTUSB_INTEL)
- hdev->setup = btusb_setup_intel;
-
-+ if (id->driver_info & BTUSB_INTEL_BOOT)
-+ set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
-+
- /* Interface numbers are hardcoded in the specification */
- data->isoc = usb_ifnum_to_if(data->udev, 1);
-
-diff --git a/drivers/edac/sb_edac.c b/drivers/edac/sb_edac.c
-index 54e2abe..c611bcc 100644
---- a/drivers/edac/sb_edac.c
-+++ b/drivers/edac/sb_edac.c
-@@ -285,8 +285,9 @@ static const u32 correrrthrsld[] = {
- * sbridge structs
- */
-
--#define NUM_CHANNELS 4
--#define MAX_DIMMS 3 /* Max DIMMS per channel */
-+#define NUM_CHANNELS 4
-+#define MAX_DIMMS 3 /* Max DIMMS per channel */
-+#define CHANNEL_UNSPECIFIED 0xf /* Intel IA32 SDM 15-14 */
-
- enum type {
- SANDY_BRIDGE,
-@@ -1750,6 +1751,9 @@ static void sbridge_mce_output_error(struct mem_ctl_info *mci,
-
- /* FIXME: need support for channel mask */
-
-+ if (channel == CHANNEL_UNSPECIFIED)
-+ channel = -1;
-+
- /* Call the helper to output message */
- edac_mc_handle_error(tp_event, mci, core_err_cnt,
- m->addr >> PAGE_SHIFT, m->addr & ~PAGE_MASK, 0,
-diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
-index dcde5605..3177498 100644
---- a/drivers/net/bonding/bond_3ad.c
-+++ b/drivers/net/bonding/bond_3ad.c
-@@ -2479,7 +2479,7 @@ out:
- return NETDEV_TX_OK;
- err_free:
- /* no suitable interface, frame not sent */
-- kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- goto out;
- }
-
-diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c
-index e8f133e..c67bbc9 100644
---- a/drivers/net/bonding/bond_alb.c
-+++ b/drivers/net/bonding/bond_alb.c
-@@ -1479,7 +1479,7 @@ int bond_alb_xmit(struct sk_buff *skb, struct net_device *bond_dev)
- }
-
- /* no suitable interface, frame not sent */
-- kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- out:
- return NETDEV_TX_OK;
- }
-diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
-index 1537982..32b0e705 100644
---- a/drivers/net/bonding/bond_main.c
-+++ b/drivers/net/bonding/bond_main.c
-@@ -3568,7 +3568,7 @@ static void bond_xmit_slave_id(struct bonding *bond, struct sk_buff *skb, int sl
- }
- }
- /* no slave that can tx has been found */
-- kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- }
-
- /**
-@@ -3650,7 +3650,7 @@ static int bond_xmit_activebackup(struct sk_buff *skb, struct net_device *bond_d
- if (slave)
- bond_dev_queue_xmit(bond, skb, slave->dev);
- else
-- kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
-
- return NETDEV_TX_OK;
- }
-@@ -3698,7 +3698,7 @@ static int bond_xmit_broadcast(struct sk_buff *skb, struct net_device *bond_dev)
- if (slave && IS_UP(slave->dev) && slave->link == BOND_LINK_UP)
- bond_dev_queue_xmit(bond, skb, slave->dev);
- else
-- kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
-
- return NETDEV_TX_OK;
- }
-@@ -3785,7 +3785,7 @@ static netdev_tx_t __bond_start_xmit(struct sk_buff *skb, struct net_device *dev
- pr_err("%s: Error: Unknown bonding mode %d\n",
- dev->name, bond->params.mode);
- WARN_ON_ONCE(1);
-- kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- return NETDEV_TX_OK;
- }
- }
-@@ -3806,7 +3806,7 @@ static netdev_tx_t bond_start_xmit(struct sk_buff *skb, struct net_device *dev)
- if (bond_has_slaves(bond))
- ret = __bond_start_xmit(skb, dev);
- else
-- kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- rcu_read_unlock();
-
- return ret;
-diff --git a/drivers/net/ethernet/broadcom/bnx2.c b/drivers/net/ethernet/broadcom/bnx2.c
-index 6c9e1c9..0c8a168 100644
---- a/drivers/net/ethernet/broadcom/bnx2.c
-+++ b/drivers/net/ethernet/broadcom/bnx2.c
-@@ -2886,7 +2886,7 @@ bnx2_tx_int(struct bnx2 *bp, struct bnx2_napi *bnapi, int budget)
- sw_cons = BNX2_NEXT_TX_BD(sw_cons);
-
- tx_bytes += skb->len;
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- tx_pkt++;
- if (tx_pkt == budget)
- break;
-@@ -6640,7 +6640,7 @@ bnx2_start_xmit(struct sk_buff *skb, struct net_device *dev)
-
- mapping = dma_map_single(&bp->pdev->dev, skb->data, len, PCI_DMA_TODEVICE);
- if (dma_mapping_error(&bp->pdev->dev, mapping)) {
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- return NETDEV_TX_OK;
- }
-
-@@ -6733,7 +6733,7 @@ dma_error:
- PCI_DMA_TODEVICE);
- }
-
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- return NETDEV_TX_OK;
- }
-
-diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
-index 8206113..bc65dc8 100644
---- a/drivers/net/ethernet/broadcom/tg3.c
-+++ b/drivers/net/ethernet/broadcom/tg3.c
-@@ -6593,7 +6593,7 @@ static void tg3_tx(struct tg3_napi *tnapi)
- pkts_compl++;
- bytes_compl += skb->len;
-
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
-
- if (unlikely(tx_bug)) {
- tg3_tx_recover(tp);
-@@ -6925,7 +6925,7 @@ static int tg3_rx(struct tg3_napi *tnapi, int budget)
- if (len > (tp->dev->mtu + ETH_HLEN) &&
- skb->protocol != htons(ETH_P_8021Q) &&
- skb->protocol != htons(ETH_P_8021AD)) {
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- goto drop_it_no_recycle;
- }
-
-@@ -7808,7 +7808,7 @@ static int tigon3_dma_hwbug_workaround(struct tg3_napi *tnapi,
- PCI_DMA_TODEVICE);
- /* Make sure the mapping succeeded */
- if (pci_dma_mapping_error(tp->pdev, new_addr)) {
-- dev_kfree_skb(new_skb);
-+ dev_kfree_skb_any(new_skb);
- ret = -1;
- } else {
- u32 save_entry = *entry;
-@@ -7823,13 +7823,13 @@ static int tigon3_dma_hwbug_workaround(struct tg3_napi *tnapi,
- new_skb->len, base_flags,
- mss, vlan)) {
- tg3_tx_skb_unmap(tnapi, save_entry, -1);
-- dev_kfree_skb(new_skb);
-+ dev_kfree_skb_any(new_skb);
- ret = -1;
- }
- }
- }
-
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- *pskb = new_skb;
- return ret;
- }
-@@ -7872,7 +7872,7 @@ static int tg3_tso_bug(struct tg3 *tp, struct sk_buff *skb)
- } while (segs);
-
- tg3_tso_bug_end:
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
-
- return NETDEV_TX_OK;
- }
-@@ -8110,7 +8110,7 @@ dma_error:
- tg3_tx_skb_unmap(tnapi, tnapi->tx_prod, --i);
- tnapi->tx_buffers[tnapi->tx_prod].skb = NULL;
- drop:
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- drop_nofree:
- tp->tx_dropped++;
- return NETDEV_TX_OK;
-diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
-index 80bfa03..075e7e7 100644
---- a/drivers/net/ethernet/emulex/benet/be_main.c
-+++ b/drivers/net/ethernet/emulex/benet/be_main.c
-@@ -1883,7 +1883,7 @@ static u16 be_tx_compl_process(struct be_adapter *adapter,
- queue_tail_inc(txq);
- } while (cur_index != last_index);
-
-- kfree_skb(sent_skb);
-+ dev_kfree_skb_any(sent_skb);
- return num_wrbs;
- }
-
-diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
-index ad5a5aa..70eb4d2 100644
---- a/drivers/net/ethernet/freescale/gianfar.c
-+++ b/drivers/net/ethernet/freescale/gianfar.c
-@@ -2152,13 +2152,13 @@ static int gfar_start_xmit(struct sk_buff *skb, struct net_device *dev)
- skb_new = skb_realloc_headroom(skb, fcb_len);
- if (!skb_new) {
- dev->stats.tx_errors++;
-- kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- return NETDEV_TX_OK;
- }
-
- if (skb->sk)
- skb_set_owner_w(skb_new, skb->sk);
-- consume_skb(skb);
-+ dev_consume_skb_any(skb);
- skb = skb_new;
- }
-
-diff --git a/drivers/net/ethernet/intel/ixgb/ixgb_main.c b/drivers/net/ethernet/intel/ixgb/ixgb_main.c
-index 57e390c..f42c201 100644
---- a/drivers/net/ethernet/intel/ixgb/ixgb_main.c
-+++ b/drivers/net/ethernet/intel/ixgb/ixgb_main.c
-@@ -1521,12 +1521,12 @@ ixgb_xmit_frame(struct sk_buff *skb, struct net_device *netdev)
- int tso;
-
- if (test_bit(__IXGB_DOWN, &adapter->flags)) {
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- return NETDEV_TX_OK;
- }
-
- if (skb->len <= 0) {
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- return NETDEV_TX_OK;
- }
-
-@@ -1543,7 +1543,7 @@ ixgb_xmit_frame(struct sk_buff *skb, struct net_device *netdev)
-
- tso = ixgb_tso(adapter, skb);
- if (tso < 0) {
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- return NETDEV_TX_OK;
- }
-
-diff --git a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
-index 2f83f34..8be0f3e 100644
---- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
-+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
-@@ -2497,13 +2497,6 @@ int mlx4_en_init_netdev(struct mlx4_en_dev *mdev, int port,
- netif_carrier_off(dev);
- mlx4_en_set_default_moderation(priv);
-
-- err = register_netdev(dev);
-- if (err) {
-- en_err(priv, "Netdev registration failed for port %d\n", port);
-- goto out;
-- }
-- priv->registered = 1;
--
- en_warn(priv, "Using %d TX rings\n", prof->tx_ring_num);
- en_warn(priv, "Using %d RX rings\n", prof->rx_ring_num);
-
-@@ -2543,6 +2536,14 @@ int mlx4_en_init_netdev(struct mlx4_en_dev *mdev, int port,
- queue_delayed_work(mdev->workqueue, &priv->service_task,
- SERVICE_TASK_DELAY);
-
-+ err = register_netdev(dev);
-+ if (err) {
-+ en_err(priv, "Netdev registration failed for port %d\n", port);
-+ goto out;
-+ }
-+
-+ priv->registered = 1;
-+
- return 0;
-
- out:
-diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
-index 1345703..019a04a 100644
---- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
-+++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
-@@ -325,7 +325,7 @@ static u32 mlx4_en_free_tx_desc(struct mlx4_en_priv *priv,
- }
- }
- }
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- return tx_info->nr_txbb;
- }
-
-diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c
-index 737c1a8..a3c1daa 100644
---- a/drivers/net/ethernet/realtek/8139cp.c
-+++ b/drivers/net/ethernet/realtek/8139cp.c
-@@ -899,7 +899,7 @@ out_unlock:
-
- return NETDEV_TX_OK;
- out_dma_error:
-- kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- cp->dev->stats.tx_dropped++;
- goto out_unlock;
- }
-diff --git a/drivers/net/ethernet/realtek/8139too.c b/drivers/net/ethernet/realtek/8139too.c
-index da5972e..8cb2f35 100644
---- a/drivers/net/ethernet/realtek/8139too.c
-+++ b/drivers/net/ethernet/realtek/8139too.c
-@@ -1717,9 +1717,9 @@ static netdev_tx_t rtl8139_start_xmit (struct sk_buff *skb,
- if (len < ETH_ZLEN)
- memset(tp->tx_buf[entry], 0, ETH_ZLEN);
- skb_copy_and_csum_dev(skb, tp->tx_buf[entry]);
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- } else {
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- dev->stats.tx_dropped++;
- return NETDEV_TX_OK;
- }
-diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
-index 3ff7bc3..90c14d1 100644
---- a/drivers/net/ethernet/realtek/r8169.c
-+++ b/drivers/net/ethernet/realtek/r8169.c
-@@ -5834,7 +5834,7 @@ static void rtl8169_tx_clear_range(struct rtl8169_private *tp, u32 start,
- tp->TxDescArray + entry);
- if (skb) {
- tp->dev->stats.tx_dropped++;
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- tx_skb->skb = NULL;
- }
- }
-@@ -6059,7 +6059,7 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb,
- err_dma_1:
- rtl8169_unmap_tx_skb(d, tp->tx_skb + entry, txd);
- err_dma_0:
-- dev_kfree_skb(skb);
-+ dev_kfree_skb_any(skb);
- err_update_stats:
- dev->stats.tx_dropped++;
- return NETDEV_TX_OK;
-@@ -6142,7 +6142,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp)
- tp->tx_stats.packets++;
- tp->tx_stats.bytes += tx_skb->skb->len;
- u64_stats_update_end(&tp->tx_stats.syncp);
-- dev_kfree_skb(tx_skb->skb);
-+ dev_kfree_skb_any(tx_skb->skb);
- tx_skb->skb = NULL;
- }
- dirty_tx++;
-diff --git a/drivers/staging/lustre/lustre/llite/dcache.c b/drivers/staging/lustre/lustre/llite/dcache.c
-index cbd663e..19405ed 100644
---- a/drivers/staging/lustre/lustre/llite/dcache.c
-+++ b/drivers/staging/lustre/lustre/llite/dcache.c
-@@ -278,7 +278,7 @@ void ll_invalidate_aliases(struct inode *inode)
- inode->i_ino, inode->i_generation, inode);
-
- ll_lock_dcache(inode);
-- ll_d_hlist_for_each_entry(dentry, p, &inode->i_dentry, d_alias) {
-+ ll_d_hlist_for_each_entry(dentry, p, &inode->i_dentry, d_u.d_alias) {
- CDEBUG(D_DENTRY, "dentry in drop %.*s (%p) parent %p "
- "inode %p flags %d\n", dentry->d_name.len,
- dentry->d_name.name, dentry, dentry->d_parent,
-diff --git a/drivers/staging/lustre/lustre/llite/llite_lib.c b/drivers/staging/lustre/lustre/llite/llite_lib.c
-index 6cfdb9e..5ae562e 100644
---- a/drivers/staging/lustre/lustre/llite/llite_lib.c
-+++ b/drivers/staging/lustre/lustre/llite/llite_lib.c
-@@ -678,7 +678,7 @@ void lustre_dump_dentry(struct dentry *dentry, int recur)
- return;
-
- list_for_each(tmp, &dentry->d_subdirs) {
-- struct dentry *d = list_entry(tmp, struct dentry, d_u.d_child);
-+ struct dentry *d = list_entry(tmp, struct dentry, d_child);
- lustre_dump_dentry(d, recur - 1);
- }
- }
-diff --git a/drivers/staging/lustre/lustre/llite/namei.c b/drivers/staging/lustre/lustre/llite/namei.c
-index fc8d264..8e9a9e9 100644
---- a/drivers/staging/lustre/lustre/llite/namei.c
-+++ b/drivers/staging/lustre/lustre/llite/namei.c
-@@ -175,14 +175,14 @@ static void ll_invalidate_negative_children(struct inode *dir)
- struct ll_d_hlist_node *p;
-
- ll_lock_dcache(dir);
-- ll_d_hlist_for_each_entry(dentry, p, &dir->i_dentry, d_alias) {
-+ ll_d_hlist_for_each_entry(dentry, p, &dir->i_dentry, d_u.d_alias) {
- spin_lock(&dentry->d_lock);
- if (!list_empty(&dentry->d_subdirs)) {
- struct dentry *child;
-
- list_for_each_entry_safe(child, tmp_subdir,
- &dentry->d_subdirs,
-- d_u.d_child) {
-+ d_child) {
- if (child->d_inode == NULL)
- d_lustre_invalidate(child, 1);
- }
-@@ -364,7 +364,7 @@ static struct dentry *ll_find_alias(struct inode *inode, struct dentry *dentry)
- discon_alias = invalid_alias = NULL;
-
- ll_lock_dcache(inode);
-- ll_d_hlist_for_each_entry(alias, p, &inode->i_dentry, d_alias) {
-+ ll_d_hlist_for_each_entry(alias, p, &inode->i_dentry, d_u.d_alias) {
- LASSERT(alias != dentry);
-
- spin_lock(&alias->d_lock);
-@@ -953,7 +953,7 @@ static void ll_get_child_fid(struct inode * dir, struct qstr *name,
- {
- struct dentry *parent, *child;
-
-- parent = ll_d_hlist_entry(dir->i_dentry, struct dentry, d_alias);
-+ parent = ll_d_hlist_entry(dir->i_dentry, struct dentry, d_u.d_alias);
- child = d_lookup(parent, name);
- if (child) {
- if (child->d_inode)
-diff --git a/drivers/staging/lustre/lustre/llite/vvp_io.c b/drivers/staging/lustre/lustre/llite/vvp_io.c
-index 93cbfbb..6096771 100644
---- a/drivers/staging/lustre/lustre/llite/vvp_io.c
-+++ b/drivers/staging/lustre/lustre/llite/vvp_io.c
-@@ -642,7 +642,7 @@ static int vvp_io_kernel_fault(struct vvp_fault_io *cfio)
- return 0;
- }
-
-- if (cfio->fault.ft_flags & VM_FAULT_SIGBUS) {
-+ if (cfio->fault.ft_flags & (VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV)) {
- CDEBUG(D_PAGE, "got addr %p - SIGBUS\n", vmf->virtual_address);
- return -EFAULT;
- }
-diff --git a/fs/affs/amigaffs.c b/fs/affs/amigaffs.c
-index d9a4367..9cca0ea 100644
---- a/fs/affs/amigaffs.c
-+++ b/fs/affs/amigaffs.c
-@@ -126,7 +126,7 @@ affs_fix_dcache(struct inode *inode, u32 entry_ino)
- {
- struct dentry *dentry;
- spin_lock(&inode->i_lock);
-- hlist_for_each_entry(dentry, &inode->i_dentry, d_alias) {
-+ hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
- if (entry_ino == (u32)(long)dentry->d_fsdata) {
- dentry->d_fsdata = (void *)inode->i_ino;
- break;
-diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
-index 394e90b..edb46e6 100644
---- a/fs/autofs4/expire.c
-+++ b/fs/autofs4/expire.c
-@@ -91,7 +91,7 @@ static struct dentry *get_next_positive_subdir(struct dentry *prev,
- spin_lock(&root->d_lock);
-
- if (prev)
-- next = prev->d_u.d_child.next;
-+ next = prev->d_child.next;
- else {
- prev = dget_dlock(root);
- next = prev->d_subdirs.next;
-@@ -105,13 +105,13 @@ cont:
- return NULL;
- }
-
-- q = list_entry(next, struct dentry, d_u.d_child);
-+ q = list_entry(next, struct dentry, d_child);
-
- spin_lock_nested(&q->d_lock, DENTRY_D_LOCK_NESTED);
- /* Already gone or negative dentry (under construction) - try next */
- if (!d_count(q) || !simple_positive(q)) {
- spin_unlock(&q->d_lock);
-- next = q->d_u.d_child.next;
-+ next = q->d_child.next;
- goto cont;
- }
- dget_dlock(q);
-@@ -161,13 +161,13 @@ again:
- goto relock;
- }
- spin_unlock(&p->d_lock);
-- next = p->d_u.d_child.next;
-+ next = p->d_child.next;
- p = parent;
- if (next != &parent->d_subdirs)
- break;
- }
- }
-- ret = list_entry(next, struct dentry, d_u.d_child);
-+ ret = list_entry(next, struct dentry, d_child);
-
- spin_lock_nested(&ret->d_lock, DENTRY_D_LOCK_NESTED);
- /* Negative dentry - try next */
-@@ -461,7 +461,7 @@ found:
- spin_lock(&sbi->lookup_lock);
- spin_lock(&expired->d_parent->d_lock);
- spin_lock_nested(&expired->d_lock, DENTRY_D_LOCK_NESTED);
-- list_move(&expired->d_parent->d_subdirs, &expired->d_u.d_child);
-+ list_move(&expired->d_parent->d_subdirs, &expired->d_child);
- spin_unlock(&expired->d_lock);
- spin_unlock(&expired->d_parent->d_lock);
- spin_unlock(&sbi->lookup_lock);
-diff --git a/fs/autofs4/root.c b/fs/autofs4/root.c
-index cc87c1a..9e016e6 100644
---- a/fs/autofs4/root.c
-+++ b/fs/autofs4/root.c
-@@ -655,7 +655,7 @@ static void autofs_clear_leaf_automount_flags(struct dentry *dentry)
- /* only consider parents below dentrys in the root */
- if (IS_ROOT(parent->d_parent))
- return;
-- d_child = &dentry->d_u.d_child;
-+ d_child = &dentry->d_child;
- /* Set parent managed if it's becoming empty */
- if (d_child->next == &parent->d_subdirs &&
- d_child->prev == &parent->d_subdirs)
-diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
-index 5e0982a..18e14cf 100644
---- a/fs/ceph/dir.c
-+++ b/fs/ceph/dir.c
-@@ -111,7 +111,7 @@ static int fpos_cmp(loff_t l, loff_t r)
- /*
- * When possible, we try to satisfy a readdir by peeking at the
- * dcache. We make this work by carefully ordering dentries on
-- * d_u.d_child when we initially get results back from the MDS, and
-+ * d_child when we initially get results back from the MDS, and
- * falling back to a "normal" sync readdir if any dentries in the dir
- * are dropped.
- *
-@@ -146,11 +146,11 @@ static int __dcache_readdir(struct file *file, struct dir_context *ctx)
- p = parent->d_subdirs.prev;
- dout(" initial p %p/%p\n", p->prev, p->next);
- } else {
-- p = last->d_u.d_child.prev;
-+ p = last->d_child.prev;
- }
-
- more:
-- dentry = list_entry(p, struct dentry, d_u.d_child);
-+ dentry = list_entry(p, struct dentry, d_child);
- di = ceph_dentry(dentry);
- while (1) {
- dout(" p %p/%p %s d_subdirs %p/%p\n", p->prev, p->next,
-@@ -172,7 +172,7 @@ more:
- !dentry->d_inode ? " null" : "");
- spin_unlock(&dentry->d_lock);
- p = p->prev;
-- dentry = list_entry(p, struct dentry, d_u.d_child);
-+ dentry = list_entry(p, struct dentry, d_child);
- di = ceph_dentry(dentry);
- }
-
-diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
-index 6471f9c..ee24490 100644
---- a/fs/ceph/inode.c
-+++ b/fs/ceph/inode.c
-@@ -1289,7 +1289,7 @@ retry_lookup:
- /* reorder parent's d_subdirs */
- spin_lock(&parent->d_lock);
- spin_lock_nested(&dn->d_lock, DENTRY_D_LOCK_NESTED);
-- list_move(&dn->d_u.d_child, &parent->d_subdirs);
-+ list_move(&dn->d_child, &parent->d_subdirs);
- spin_unlock(&dn->d_lock);
- spin_unlock(&parent->d_lock);
- }
-diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
-index f2ddcf7..7ee427e 100644
---- a/fs/cifs/inode.c
-+++ b/fs/cifs/inode.c
-@@ -883,7 +883,7 @@ inode_has_hashed_dentries(struct inode *inode)
- struct dentry *dentry;
-
- spin_lock(&inode->i_lock);
-- hlist_for_each_entry(dentry, &inode->i_dentry, d_alias) {
-+ hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
- if (!d_unhashed(dentry) || IS_ROOT(dentry)) {
- spin_unlock(&inode->i_lock);
- return true;
-diff --git a/fs/coda/cache.c b/fs/coda/cache.c
-index 1da168c..9bc1147 100644
---- a/fs/coda/cache.c
-+++ b/fs/coda/cache.c
-@@ -92,7 +92,7 @@ static void coda_flag_children(struct dentry *parent, int flag)
- struct dentry *de;
-
- spin_lock(&parent->d_lock);
-- list_for_each_entry(de, &parent->d_subdirs, d_u.d_child) {
-+ list_for_each_entry(de, &parent->d_subdirs, d_child) {
- /* don't know what to do with negative dentries */
- if (de->d_inode )
- coda_flag_inode(de->d_inode, flag);
-diff --git a/fs/dcache.c b/fs/dcache.c
-index 4366127..c345f5f 100644
---- a/fs/dcache.c
-+++ b/fs/dcache.c
-@@ -44,7 +44,7 @@
- /*
- * Usage:
- * dcache->d_inode->i_lock protects:
-- * - i_dentry, d_alias, d_inode of aliases
-+ * - i_dentry, d_u.d_alias, d_inode of aliases
- * dcache_hash_bucket lock protects:
- * - the dcache hash table
- * s_anon bl list spinlock protects:
-@@ -59,7 +59,7 @@
- * - d_unhashed()
- * - d_parent and d_subdirs
- * - childrens' d_child and d_parent
-- * - d_alias, d_inode
-+ * - d_u.d_alias, d_inode
- *
- * Ordering:
- * dentry->d_inode->i_lock
-@@ -239,7 +239,6 @@ static void __d_free(struct rcu_head *head)
- {
- struct dentry *dentry = container_of(head, struct dentry, d_u.d_rcu);
-
-- WARN_ON(!hlist_unhashed(&dentry->d_alias));
- if (dname_external(dentry))
- kfree(dentry->d_name.name);
- kmem_cache_free(dentry_cache, dentry);
-@@ -250,6 +249,7 @@ static void __d_free(struct rcu_head *head)
- */
- static void d_free(struct dentry *dentry)
- {
-+ WARN_ON(!hlist_unhashed(&dentry->d_u.d_alias));
- BUG_ON((int)dentry->d_lockref.count > 0);
- this_cpu_dec(nr_dentry);
- if (dentry->d_op && dentry->d_op->d_release)
-@@ -288,7 +288,7 @@ static void dentry_iput(struct dentry * dentry)
- struct inode *inode = dentry->d_inode;
- if (inode) {
- dentry->d_inode = NULL;
-- hlist_del_init(&dentry->d_alias);
-+ hlist_del_init(&dentry->d_u.d_alias);
- spin_unlock(&dentry->d_lock);
- spin_unlock(&inode->i_lock);
- if (!inode->i_nlink)
-@@ -313,7 +313,7 @@ static void dentry_unlink_inode(struct dentry * dentry)
- struct inode *inode = dentry->d_inode;
- __d_clear_type(dentry);
- dentry->d_inode = NULL;
-- hlist_del_init(&dentry->d_alias);
-+ hlist_del_init(&dentry->d_u.d_alias);
- dentry_rcuwalk_barrier(dentry);
- spin_unlock(&dentry->d_lock);
- spin_unlock(&inode->i_lock);
-@@ -435,7 +435,7 @@ static struct dentry *d_kill(struct dentry *dentry, struct dentry *parent)
- __releases(parent->d_lock)
- __releases(dentry->d_inode->i_lock)
- {
-- list_del(&dentry->d_u.d_child);
-+ list_del(&dentry->d_child);
- /*
- * Inform d_walk() that we are no longer attached to the
- * dentry tree
-@@ -737,7 +737,7 @@ static struct dentry *__d_find_alias(struct inode *inode, int want_discon)
-
- again:
- discon_alias = NULL;
-- hlist_for_each_entry(alias, &inode->i_dentry, d_alias) {
-+ hlist_for_each_entry(alias, &inode->i_dentry, d_u.d_alias) {
- spin_lock(&alias->d_lock);
- if (S_ISDIR(inode->i_mode) || !d_unhashed(alias)) {
- if (IS_ROOT(alias) &&
-@@ -790,7 +790,7 @@ void d_prune_aliases(struct inode *inode)
- struct dentry *dentry;
- restart:
- spin_lock(&inode->i_lock);
-- hlist_for_each_entry(dentry, &inode->i_dentry, d_alias) {
-+ hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
- spin_lock(&dentry->d_lock);
- if (!dentry->d_lockref.count) {
- /*
-@@ -1091,7 +1091,7 @@ repeat:
- resume:
- while (next != &this_parent->d_subdirs) {
- struct list_head *tmp = next;
-- struct dentry *dentry = list_entry(tmp, struct dentry, d_u.d_child);
-+ struct dentry *dentry = list_entry(tmp, struct dentry, d_child);
- next = tmp->next;
-
- spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
-@@ -1143,7 +1143,7 @@ resume:
- goto rename_retry;
- }
- rcu_read_unlock();
-- next = child->d_u.d_child.next;
-+ next = child->d_child.next;
- goto resume;
- }
- if (need_seqretry(&rename_lock, seq)) {
-@@ -1524,8 +1524,8 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
- INIT_HLIST_BL_NODE(&dentry->d_hash);
- INIT_LIST_HEAD(&dentry->d_lru);
- INIT_LIST_HEAD(&dentry->d_subdirs);
-- INIT_HLIST_NODE(&dentry->d_alias);
-- INIT_LIST_HEAD(&dentry->d_u.d_child);
-+ INIT_HLIST_NODE(&dentry->d_u.d_alias);
-+ INIT_LIST_HEAD(&dentry->d_child);
- d_set_d_op(dentry, dentry->d_sb->s_d_op);
-
- this_cpu_inc(nr_dentry);
-@@ -1555,7 +1555,7 @@ struct dentry *d_alloc(struct dentry * parent, const struct qstr *name)
- */
- __dget_dlock(parent);
- dentry->d_parent = parent;
-- list_add(&dentry->d_u.d_child, &parent->d_subdirs);
-+ list_add(&dentry->d_child, &parent->d_subdirs);
- spin_unlock(&parent->d_lock);
-
- return dentry;
-@@ -1648,7 +1648,7 @@ static void __d_instantiate(struct dentry *dentry, struct inode *inode)
- spin_lock(&dentry->d_lock);
- __d_set_type(dentry, add_flags);
- if (inode)
-- hlist_add_head(&dentry->d_alias, &inode->i_dentry);
-+ hlist_add_head(&dentry->d_u.d_alias, &inode->i_dentry);
- dentry->d_inode = inode;
- dentry_rcuwalk_barrier(dentry);
- spin_unlock(&dentry->d_lock);
-@@ -1672,7 +1672,7 @@ static void __d_instantiate(struct dentry *dentry, struct inode *inode)
-
- void d_instantiate(struct dentry *entry, struct inode * inode)
- {
-- BUG_ON(!hlist_unhashed(&entry->d_alias));
-+ BUG_ON(!hlist_unhashed(&entry->d_u.d_alias));
- if (inode)
- spin_lock(&inode->i_lock);
- __d_instantiate(entry, inode);
-@@ -1711,7 +1711,7 @@ static struct dentry *__d_instantiate_unique(struct dentry *entry,
- return NULL;
- }
-
-- hlist_for_each_entry(alias, &inode->i_dentry, d_alias) {
-+ hlist_for_each_entry(alias, &inode->i_dentry, d_u.d_alias) {
- /*
- * Don't need alias->d_lock here, because aliases with
- * d_parent == entry->d_parent are not subject to name or
-@@ -1737,7 +1737,7 @@ struct dentry *d_instantiate_unique(struct dentry *entry, struct inode *inode)
- {
- struct dentry *result;
-
-- BUG_ON(!hlist_unhashed(&entry->d_alias));
-+ BUG_ON(!hlist_unhashed(&entry->d_u.d_alias));
-
- if (inode)
- spin_lock(&inode->i_lock);
-@@ -1768,7 +1768,7 @@ EXPORT_SYMBOL(d_instantiate_unique);
- */
- int d_instantiate_no_diralias(struct dentry *entry, struct inode *inode)
- {
-- BUG_ON(!hlist_unhashed(&entry->d_alias));
-+ BUG_ON(!hlist_unhashed(&entry->d_u.d_alias));
-
- spin_lock(&inode->i_lock);
- if (S_ISDIR(inode->i_mode) && !hlist_empty(&inode->i_dentry)) {
-@@ -1807,7 +1807,7 @@ static struct dentry * __d_find_any_alias(struct inode *inode)
-
- if (hlist_empty(&inode->i_dentry))
- return NULL;
-- alias = hlist_entry(inode->i_dentry.first, struct dentry, d_alias);
-+ alias = hlist_entry(inode->i_dentry.first, struct dentry, d_u.d_alias);
- __dget(alias);
- return alias;
- }
-@@ -1884,7 +1884,7 @@ struct dentry *d_obtain_alias(struct inode *inode)
- spin_lock(&tmp->d_lock);
- tmp->d_inode = inode;
- tmp->d_flags |= add_flags;
-- hlist_add_head(&tmp->d_alias, &inode->i_dentry);
-+ hlist_add_head(&tmp->d_u.d_alias, &inode->i_dentry);
- hlist_bl_lock(&tmp->d_sb->s_anon);
- hlist_bl_add_head(&tmp->d_hash, &tmp->d_sb->s_anon);
- hlist_bl_unlock(&tmp->d_sb->s_anon);
-@@ -2327,7 +2327,7 @@ int d_validate(struct dentry *dentry, struct dentry *dparent)
- struct dentry *child;
-
- spin_lock(&dparent->d_lock);
-- list_for_each_entry(child, &dparent->d_subdirs, d_u.d_child) {
-+ list_for_each_entry(child, &dparent->d_subdirs, d_child) {
- if (dentry == child) {
- spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
- __dget_dlock(dentry);
-@@ -2574,8 +2574,8 @@ static void __d_move(struct dentry * dentry, struct dentry * target)
- /* Unhash the target: dput() will then get rid of it */
- __d_drop(target);
-
-- list_del(&dentry->d_u.d_child);
-- list_del(&target->d_u.d_child);
-+ list_del(&dentry->d_child);
-+ list_del(&target->d_child);
-
- /* Switch the names.. */
- switch_names(dentry, target);
-@@ -2585,15 +2585,15 @@ static void __d_move(struct dentry * dentry, struct dentry * target)
- if (IS_ROOT(dentry)) {
- dentry->d_parent = target->d_parent;
- target->d_parent = target;
-- INIT_LIST_HEAD(&target->d_u.d_child);
-+ INIT_LIST_HEAD(&target->d_child);
- } else {
- swap(dentry->d_parent, target->d_parent);
-
- /* And add them back to the (new) parent lists */
-- list_add(&target->d_u.d_child, &target->d_parent->d_subdirs);
-+ list_add(&target->d_child, &target->d_parent->d_subdirs);
- }
-
-- list_add(&dentry->d_u.d_child, &dentry->d_parent->d_subdirs);
-+ list_add(&dentry->d_child, &dentry->d_parent->d_subdirs);
-
- write_seqcount_end(&target->d_seq);
- write_seqcount_end(&dentry->d_seq);
-@@ -2700,9 +2700,9 @@ static void __d_materialise_dentry(struct dentry *dentry, struct dentry *anon)
- swap(dentry->d_name.hash, anon->d_name.hash);
-
- dentry->d_parent = dentry;
-- list_del_init(&dentry->d_u.d_child);
-+ list_del_init(&dentry->d_child);
- anon->d_parent = dparent;
-- list_move(&anon->d_u.d_child, &dparent->d_subdirs);
-+ list_move(&anon->d_child, &dparent->d_subdirs);
-
- write_seqcount_end(&dentry->d_seq);
- write_seqcount_end(&anon->d_seq);
-@@ -3333,7 +3333,7 @@ void d_tmpfile(struct dentry *dentry, struct inode *inode)
- {
- inode_dec_link_count(inode);
- BUG_ON(dentry->d_name.name != dentry->d_iname ||
-- !hlist_unhashed(&dentry->d_alias) ||
-+ !hlist_unhashed(&dentry->d_u.d_alias) ||
- !d_unlinked(dentry));
- spin_lock(&dentry->d_parent->d_lock);
- spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
-diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index 1ff8fe5..4a9f0e0 100644
---- a/fs/debugfs/inode.c
-+++ b/fs/debugfs/inode.c
-@@ -552,7 +552,7 @@ void debugfs_remove_recursive(struct dentry *dentry)
- * use the d_u.d_child as the rcu head and corrupt this list.
- */
- spin_lock(&parent->d_lock);
-- list_for_each_entry(child, &parent->d_subdirs, d_u.d_child) {
-+ list_for_each_entry(child, &parent->d_subdirs, d_child) {
- if (!debugfs_positive(child))
- continue;
-
-diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c
-index 48a359d..831d4f0 100644
---- a/fs/exportfs/expfs.c
-+++ b/fs/exportfs/expfs.c
-@@ -50,7 +50,7 @@ find_acceptable_alias(struct dentry *result,
-
- inode = result->d_inode;
- spin_lock(&inode->i_lock);
-- hlist_for_each_entry(dentry, &inode->i_dentry, d_alias) {
-+ hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
- dget(dentry);
- spin_unlock(&inode->i_lock);
- if (toput)
-diff --git a/fs/libfs.c b/fs/libfs.c
-index a184424..868c0b7 100644
---- a/fs/libfs.c
-+++ b/fs/libfs.c
-@@ -113,18 +113,18 @@ loff_t dcache_dir_lseek(struct file *file, loff_t offset, int whence)
-
- spin_lock(&dentry->d_lock);
- /* d_lock not required for cursor */
-- list_del(&cursor->d_u.d_child);
-+ list_del(&cursor->d_child);
- p = dentry->d_subdirs.next;
- while (n && p != &dentry->d_subdirs) {
- struct dentry *next;
-- next = list_entry(p, struct dentry, d_u.d_child);
-+ next = list_entry(p, struct dentry, d_child);
- spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
- if (simple_positive(next))
- n--;
- spin_unlock(&next->d_lock);
- p = p->next;
- }
-- list_add_tail(&cursor->d_u.d_child, p);
-+ list_add_tail(&cursor->d_child, p);
- spin_unlock(&dentry->d_lock);
- }
- }
-@@ -149,7 +149,7 @@ int dcache_readdir(struct file *file, struct dir_context *ctx)
- {
- struct dentry *dentry = file->f_path.dentry;
- struct dentry *cursor = file->private_data;
-- struct list_head *p, *q = &cursor->d_u.d_child;
-+ struct list_head *p, *q = &cursor->d_child;
-
- if (!dir_emit_dots(file, ctx))
- return 0;
-@@ -158,7 +158,7 @@ int dcache_readdir(struct file *file, struct dir_context *ctx)
- list_move(q, &dentry->d_subdirs);
-
- for (p = q->next; p != &dentry->d_subdirs; p = p->next) {
-- struct dentry *next = list_entry(p, struct dentry, d_u.d_child);
-+ struct dentry *next = list_entry(p, struct dentry, d_child);
- spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
- if (!simple_positive(next)) {
- spin_unlock(&next->d_lock);
-@@ -286,7 +286,7 @@ int simple_empty(struct dentry *dentry)
- int ret = 0;
-
- spin_lock(&dentry->d_lock);
-- list_for_each_entry(child, &dentry->d_subdirs, d_u.d_child) {
-+ list_for_each_entry(child, &dentry->d_subdirs, d_child) {
- spin_lock_nested(&child->d_lock, DENTRY_D_LOCK_NESTED);
- if (simple_positive(child)) {
- spin_unlock(&child->d_lock);
-diff --git a/fs/ncpfs/dir.c b/fs/ncpfs/dir.c
-index c320ac5..dc9747d 100644
---- a/fs/ncpfs/dir.c
-+++ b/fs/ncpfs/dir.c
-@@ -406,7 +406,7 @@ ncp_dget_fpos(struct dentry *dentry, struct dentry *parent, unsigned long fpos)
- spin_lock(&parent->d_lock);
- next = parent->d_subdirs.next;
- while (next != &parent->d_subdirs) {
-- dent = list_entry(next, struct dentry, d_u.d_child);
-+ dent = list_entry(next, struct dentry, d_child);
- if ((unsigned long)dent->d_fsdata == fpos) {
- if (dent->d_inode)
- dget(dent);
-diff --git a/fs/ncpfs/ncplib_kernel.h b/fs/ncpfs/ncplib_kernel.h
-index 32c0658..6d5e7c5 100644
---- a/fs/ncpfs/ncplib_kernel.h
-+++ b/fs/ncpfs/ncplib_kernel.h
-@@ -194,7 +194,7 @@ ncp_renew_dentries(struct dentry *parent)
- spin_lock(&parent->d_lock);
- next = parent->d_subdirs.next;
- while (next != &parent->d_subdirs) {
-- dentry = list_entry(next, struct dentry, d_u.d_child);
-+ dentry = list_entry(next, struct dentry, d_child);
-
- if (dentry->d_fsdata == NULL)
- ncp_age_dentry(server, dentry);
-@@ -216,7 +216,7 @@ ncp_invalidate_dircache_entries(struct dentry *parent)
- spin_lock(&parent->d_lock);
- next = parent->d_subdirs.next;
- while (next != &parent->d_subdirs) {
-- dentry = list_entry(next, struct dentry, d_u.d_child);
-+ dentry = list_entry(next, struct dentry, d_child);
- dentry->d_fsdata = NULL;
- ncp_age_dentry(server, dentry);
- next = next->next;
-diff --git a/fs/nfs/getroot.c b/fs/nfs/getroot.c
-index 66984a9..5b8ab0e 100644
---- a/fs/nfs/getroot.c
-+++ b/fs/nfs/getroot.c
-@@ -58,7 +58,7 @@ static int nfs_superblock_set_dummy_root(struct super_block *sb, struct inode *i
- */
- spin_lock(&sb->s_root->d_inode->i_lock);
- spin_lock(&sb->s_root->d_lock);
-- hlist_del_init(&sb->s_root->d_alias);
-+ hlist_del_init(&sb->s_root->d_u.d_alias);
- spin_unlock(&sb->s_root->d_lock);
- spin_unlock(&sb->s_root->d_inode->i_lock);
- }
-diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c
-index 9d3e9c5..7001299 100644
---- a/fs/notify/fsnotify.c
-+++ b/fs/notify/fsnotify.c
-@@ -63,14 +63,14 @@ void __fsnotify_update_child_dentry_flags(struct inode *inode)
- spin_lock(&inode->i_lock);
- /* run all of the dentries associated with this inode. Since this is a
- * directory, there damn well better only be one item on this list */
-- hlist_for_each_entry(alias, &inode->i_dentry, d_alias) {
-+ hlist_for_each_entry(alias, &inode->i_dentry, d_u.d_alias) {
- struct dentry *child;
-
- /* run all of the children of the original inode and fix their
- * d_flags to indicate parental interest (their parent is the
- * original inode) */
- spin_lock(&alias->d_lock);
-- list_for_each_entry(child, &alias->d_subdirs, d_u.d_child) {
-+ list_for_each_entry(child, &alias->d_subdirs, d_child) {
- if (!child->d_inode)
- continue;
-
-diff --git a/fs/ocfs2/dcache.c b/fs/ocfs2/dcache.c
-index 0d3a97d..1167485 100644
---- a/fs/ocfs2/dcache.c
-+++ b/fs/ocfs2/dcache.c
-@@ -173,7 +173,7 @@ struct dentry *ocfs2_find_local_alias(struct inode *inode,
- struct dentry *dentry;
-
- spin_lock(&inode->i_lock);
-- hlist_for_each_entry(dentry, &inode->i_dentry, d_alias) {
-+ hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
- spin_lock(&dentry->d_lock);
- if (ocfs2_match_dentry(dentry, parent_blkno, skip_unhashed)) {
- trace_ocfs2_find_local_alias(dentry->d_name.len,
-diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index c254671..eaa7374 100644
---- a/fs/proc/task_mmu.c
-+++ b/fs/proc/task_mmu.c
-@@ -993,9 +993,8 @@ static int pagemap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
- struct vm_area_struct *vma;
- struct pagemapread *pm = walk->private;
- spinlock_t *ptl;
-- pte_t *pte;
-+ pte_t *pte, *orig_pte;
- int err = 0;
-- pagemap_entry_t pme = make_pme(PM_NOT_PRESENT(pm->v2));
-
- /* find the first VMA at or above 'addr' */
- vma = find_vma(walk->mm, addr);
-@@ -1009,6 +1008,7 @@ static int pagemap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
-
- for (; addr != end; addr += PAGE_SIZE) {
- unsigned long offset;
-+ pagemap_entry_t pme;
-
- offset = (addr & ~PAGEMAP_WALK_MASK) >>
- PAGE_SHIFT;
-@@ -1023,32 +1023,55 @@ static int pagemap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
-
- if (pmd_trans_unstable(pmd))
- return 0;
-- for (; addr != end; addr += PAGE_SIZE) {
-- int flags2;
--
-- /* check to see if we've left 'vma' behind
-- * and need a new, higher one */
-- if (vma && (addr >= vma->vm_end)) {
-- vma = find_vma(walk->mm, addr);
-- if (vma && (vma->vm_flags & VM_SOFTDIRTY))
-- flags2 = __PM_SOFT_DIRTY;
-- else
-- flags2 = 0;
-- pme = make_pme(PM_NOT_PRESENT(pm->v2) | PM_STATUS2(pm->v2, flags2));
-+
-+ while (1) {
-+ /* End of address space hole, which we mark as non-present. */
-+ unsigned long hole_end;
-+
-+ if (vma)
-+ hole_end = min(end, vma->vm_start);
-+ else
-+ hole_end = end;
-+
-+ for (; addr < hole_end; addr += PAGE_SIZE) {
-+ pagemap_entry_t pme = make_pme(PM_NOT_PRESENT(pm->v2));
-+
-+ err = add_to_pagemap(addr, &pme, pm);
-+ if (err)
-+ return err;
- }
-
-- /* check that 'vma' actually covers this address,
-- * and that it isn't a huge page vma */
-- if (vma && (vma->vm_start <= addr) &&
-- !is_vm_hugetlb_page(vma)) {
-- pte = pte_offset_map(pmd, addr);
-+ if (!vma || vma->vm_start >= end)
-+ break;
-+ /*
-+ * We can't possibly be in a hugetlb VMA. In general,
-+ * for a mm_walk with a pmd_entry and a hugetlb_entry,
-+ * the pmd_entry can only be called on addresses in a
-+ * hugetlb if the walk starts in a non-hugetlb VMA and
-+ * spans a hugepage VMA. Since pagemap_read walks are
-+ * PMD-sized and PMD-aligned, this will never be true.
-+ */
-+ BUG_ON(is_vm_hugetlb_page(vma));
-+
-+ /* Addresses in the VMA. */
-+ orig_pte = pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);
-+ for (; addr < min(end, vma->vm_end); pte++, addr += PAGE_SIZE) {
-+ pagemap_entry_t pme;
-+
- pte_to_pagemap_entry(&pme, pm, vma, addr, *pte);
-- /* unmap before userspace copy */
-- pte_unmap(pte);
-+ err = add_to_pagemap(addr, &pme, pm);
-+ if (err)
-+ break;
- }
-- err = add_to_pagemap(addr, &pme, pm);
-+ pte_unmap_unlock(orig_pte, ptl);
-+
- if (err)
- return err;
-+
-+ if (addr == end)
-+ break;
-+
-+ vma = find_vma(walk->mm, addr);
- }
-
- cond_resched();
-diff --git a/include/linux/dcache.h b/include/linux/dcache.h
-index 3b50cac..0f0eb1c 100644
---- a/include/linux/dcache.h
-+++ b/include/linux/dcache.h
-@@ -124,15 +124,15 @@ struct dentry {
- void *d_fsdata; /* fs-specific data */
-
- struct list_head d_lru; /* LRU list */
-+ struct list_head d_child; /* child of parent list */
-+ struct list_head d_subdirs; /* our children */
- /*
-- * d_child and d_rcu can share memory
-+ * d_alias and d_rcu can share memory
- */
- union {
-- struct list_head d_child; /* child of parent list */
-+ struct hlist_node d_alias; /* inode alias list */
- struct rcu_head d_rcu;
- } d_u;
-- struct list_head d_subdirs; /* our children */
-- struct hlist_node d_alias; /* inode alias list */
- };
-
- /*
-diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 46b8ab5..a7b311d 100644
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -1009,6 +1009,7 @@ static inline int page_mapped(struct page *page)
- #define VM_FAULT_WRITE 0x0008 /* Special case for get_user_pages */
- #define VM_FAULT_HWPOISON 0x0010 /* Hit poisoned small page */
- #define VM_FAULT_HWPOISON_LARGE 0x0020 /* Hit poisoned large page. Index encoded in upper bits */
-+#define VM_FAULT_SIGSEGV 0x0040
-
- #define VM_FAULT_NOPAGE 0x0100 /* ->fault installed the pte, not return page */
- #define VM_FAULT_LOCKED 0x0200 /* ->fault locked the returned page */
-@@ -1017,8 +1018,9 @@ static inline int page_mapped(struct page *page)
-
- #define VM_FAULT_HWPOISON_LARGE_MASK 0xf000 /* encodes hpage index for large hwpoison */
-
--#define VM_FAULT_ERROR (VM_FAULT_OOM | VM_FAULT_SIGBUS | VM_FAULT_HWPOISON | \
-- VM_FAULT_FALLBACK | VM_FAULT_HWPOISON_LARGE)
-+#define VM_FAULT_ERROR (VM_FAULT_OOM | VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV | \
-+ VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_LARGE | \
-+ VM_FAULT_FALLBACK)
-
- /* Encode hstate index for a hwpoisoned large page */
- #define VM_FAULT_SET_HINDEX(x) ((x) << 12)
-diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
-index 911718f..bf46cc8 100644
---- a/include/linux/netdevice.h
-+++ b/include/linux/netdevice.h
-@@ -1880,6 +1880,12 @@ void netdev_freemem(struct net_device *dev);
- void synchronize_net(void);
- int init_dummy_netdev(struct net_device *dev);
-
-+DECLARE_PER_CPU(int, xmit_recursion);
-+static inline int dev_recursion_level(void)
-+{
-+ return this_cpu_read(xmit_recursion);
-+}
-+
- struct net_device *dev_get_by_index(struct net *net, int ifindex);
- struct net_device *__dev_get_by_index(struct net *net, int ifindex);
- struct net_device *dev_get_by_index_rcu(struct net *net, int ifindex);
-diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 218b058..91fe6a3 100644
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -1695,7 +1695,7 @@ static inline pid_t task_tgid_vnr(struct task_struct *tsk)
- }
-
-
--static int pid_alive(const struct task_struct *p);
-+static inline int pid_alive(const struct task_struct *p);
- static inline pid_t task_ppid_nr_ns(const struct task_struct *tsk, struct pid_namespace *ns)
- {
- pid_t pid = 0;
-diff --git a/include/net/ip.h b/include/net/ip.h
-index 3446cdd..5128fa7 100644
---- a/include/net/ip.h
-+++ b/include/net/ip.h
-@@ -407,22 +407,6 @@ static __inline__ void inet_reset_saddr(struct sock *sk)
-
- #endif
-
--static inline int sk_mc_loop(struct sock *sk)
--{
-- if (!sk)
-- return 1;
-- switch (sk->sk_family) {
-- case AF_INET:
-- return inet_sk(sk)->mc_loop;
--#if IS_ENABLED(CONFIG_IPV6)
-- case AF_INET6:
-- return inet6_sk(sk)->mc_loop;
--#endif
-- }
-- WARN_ON(1);
-- return 1;
--}
--
- bool ip_call_ra_chain(struct sk_buff *skb);
-
- /*
-diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
-index 2e74c6c..ee2d53a 100644
---- a/include/net/ip6_route.h
-+++ b/include/net/ip6_route.h
-@@ -168,7 +168,8 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *));
-
- static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
- {
-- struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL;
-+ struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ?
-+ inet6_sk(skb->sk) : NULL;
-
- return (np && np->pmtudisc >= IPV6_PMTUDISC_PROBE) ?
- skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb));
-diff --git a/include/net/sock.h b/include/net/sock.h
-index f66b2b1..0c79a74 100644
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -1815,6 +1815,8 @@ struct dst_entry *__sk_dst_check(struct sock *sk, u32 cookie);
-
- struct dst_entry *sk_dst_check(struct sock *sk, u32 cookie);
-
-+bool sk_mc_loop(struct sock *sk);
-+
- static inline bool sk_can_gso(const struct sock *sk)
- {
- return net_gso_ok(sk->sk_route_caps, sk->sk_gso_type);
-diff --git a/kernel/cgroup.c b/kernel/cgroup.c
-index 550e205..18711f3 100644
---- a/kernel/cgroup.c
-+++ b/kernel/cgroup.c
-@@ -971,7 +971,7 @@ static void cgroup_d_remove_dir(struct dentry *dentry)
- parent = dentry->d_parent;
- spin_lock(&parent->d_lock);
- spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
-- list_del_init(&dentry->d_u.d_child);
-+ list_del_init(&dentry->d_child);
- spin_unlock(&dentry->d_lock);
- spin_unlock(&parent->d_lock);
- remove_dir(dentry);
-diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
-index 813b021..a2d62b3 100644
---- a/kernel/trace/trace.c
-+++ b/kernel/trace/trace.c
-@@ -6158,7 +6158,7 @@ static int instance_mkdir (struct inode *inode, struct dentry *dentry, umode_t m
- int ret;
-
- /* Paranoid: Make sure the parent is the "instances" directory */
-- parent = hlist_entry(inode->i_dentry.first, struct dentry, d_alias);
-+ parent = hlist_entry(inode->i_dentry.first, struct dentry, d_u.d_alias);
- if (WARN_ON_ONCE(parent != trace_instance_dir))
- return -ENOENT;
-
-@@ -6185,7 +6185,7 @@ static int instance_rmdir(struct inode *inode, struct dentry *dentry)
- int ret;
-
- /* Paranoid: Make sure the parent is the "instances" directory */
-- parent = hlist_entry(inode->i_dentry.first, struct dentry, d_alias);
-+ parent = hlist_entry(inode->i_dentry.first, struct dentry, d_u.d_alias);
- if (WARN_ON_ONCE(parent != trace_instance_dir))
- return -ENOENT;
-
-diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
-index e4c4efc..c6646a5 100644
---- a/kernel/trace/trace_events.c
-+++ b/kernel/trace/trace_events.c
-@@ -428,7 +428,7 @@ static void remove_event_file_dir(struct ftrace_event_file *file)
-
- if (dir) {
- spin_lock(&dir->d_lock); /* probably unneeded */
-- list_for_each_entry(child, &dir->d_subdirs, d_u.d_child) {
-+ list_for_each_entry(child, &dir->d_subdirs, d_child) {
- if (child->d_inode) /* probably unneeded */
- child->d_inode->i_private = NULL;
- }
-diff --git a/mm/ksm.c b/mm/ksm.c
-index 68710e8..5e706e3 100644
---- a/mm/ksm.c
-+++ b/mm/ksm.c
-@@ -376,7 +376,7 @@ static int break_ksm(struct vm_area_struct *vma, unsigned long addr)
- else
- ret = VM_FAULT_WRITE;
- put_page(page);
-- } while (!(ret & (VM_FAULT_WRITE | VM_FAULT_SIGBUS | VM_FAULT_OOM)));
-+ } while (!(ret & (VM_FAULT_WRITE | VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV | VM_FAULT_OOM)));
- /*
- * We must loop because handle_mm_fault() may back out if there's
- * any difficulty e.g. if pte accessed bit gets updated concurrently.
-diff --git a/mm/memory-failure.c b/mm/memory-failure.c
-index a98c7fc..ffc7bf0 100644
---- a/mm/memory-failure.c
-+++ b/mm/memory-failure.c
-@@ -1645,8 +1645,6 @@ static int __soft_offline_page(struct page *page, int flags)
- * setting PG_hwpoison.
- */
- if (!is_free_buddy_page(page))
-- lru_add_drain_all();
-- if (!is_free_buddy_page(page))
- drain_all_pages();
- SetPageHWPoison(page);
- if (!is_free_buddy_page(page))
-diff --git a/mm/memory.c b/mm/memory.c
-index 102af09..749e1c6 100644
---- a/mm/memory.c
-+++ b/mm/memory.c
-@@ -1836,7 +1836,8 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
- else
- return -EFAULT;
- }
-- if (ret & VM_FAULT_SIGBUS)
-+ if (ret & (VM_FAULT_SIGBUS |
-+ VM_FAULT_SIGSEGV))
- return i ? i : -EFAULT;
- BUG();
- }
-@@ -1946,7 +1947,7 @@ int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
- return -ENOMEM;
- if (ret & (VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_LARGE))
- return -EHWPOISON;
-- if (ret & VM_FAULT_SIGBUS)
-+ if (ret & (VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV))
- return -EFAULT;
- BUG();
- }
-@@ -3235,7 +3236,7 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
-
- /* Check if we need to add a guard page to the stack */
- if (check_stack_guard_page(vma, address) < 0)
-- return VM_FAULT_SIGBUS;
-+ return VM_FAULT_SIGSEGV;
-
- /* Use the zero-page for reads */
- if (!(flags & FAULT_FLAG_WRITE)) {
-diff --git a/net/core/dev.c b/net/core/dev.c
-index f6d8d7f..73abbd7 100644
---- a/net/core/dev.c
-+++ b/net/core/dev.c
-@@ -2775,7 +2775,9 @@ static void skb_update_prio(struct sk_buff *skb)
- #define skb_update_prio(skb)
- #endif
-
--static DEFINE_PER_CPU(int, xmit_recursion);
-+DEFINE_PER_CPU(int, xmit_recursion);
-+EXPORT_SYMBOL(xmit_recursion);
-+
- #define RECURSION_LIMIT 10
-
- /**
-diff --git a/net/core/sock.c b/net/core/sock.c
-index c806956..650dd58 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -659,6 +659,25 @@ static inline void sock_valbool_flag(struct sock *sk, int bit, int valbool)
- sock_reset_flag(sk, bit);
- }
-
-+bool sk_mc_loop(struct sock *sk)
-+{
-+ if (dev_recursion_level())
-+ return false;
-+ if (!sk)
-+ return true;
-+ switch (sk->sk_family) {
-+ case AF_INET:
-+ return inet_sk(sk)->mc_loop;
-+#if IS_ENABLED(CONFIG_IPV6)
-+ case AF_INET6:
-+ return inet6_sk(sk)->mc_loop;
-+#endif
-+ }
-+ WARN_ON(1);
-+ return true;
-+}
-+EXPORT_SYMBOL(sk_mc_loop);
-+
- /*
- * This is meant for all protocols to use and covers goings on
- * at the socket level. Everything here is generic.
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 2291791..9fbd69e 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -3064,10 +3064,11 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets,
- if (seq_rtt < 0) {
- seq_rtt = ca_seq_rtt;
- }
-- if (!(sacked & TCPCB_SACKED_ACKED))
-+ if (!(sacked & TCPCB_SACKED_ACKED)) {
- reord = min(pkts_acked, reord);
-- if (!after(scb->end_seq, tp->high_seq))
-- flag |= FLAG_ORIG_SACK_ACKED;
-+ if (!after(scb->end_seq, tp->high_seq))
-+ flag |= FLAG_ORIG_SACK_ACKED;
-+ }
- }
-
- if (sacked & TCPCB_SACKED_ACKED)
-diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
-index b7effad..e2f8bd0 100644
---- a/net/ipv4/tcp_ipv4.c
-+++ b/net/ipv4/tcp_ipv4.c
-@@ -1875,7 +1875,7 @@ void tcp_v4_early_demux(struct sk_buff *skb)
- skb->sk = sk;
- skb->destructor = sock_edemux;
- if (sk->sk_state != TCP_TIME_WAIT) {
-- struct dst_entry *dst = sk->sk_rx_dst;
-+ struct dst_entry *dst = ACCESS_ONCE(sk->sk_rx_dst);
-
- if (dst)
- dst = dst_check(dst, 0);
-diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
-index 96f64e5..8c70c73 100644
---- a/net/ipv4/tcp_output.c
-+++ b/net/ipv4/tcp_output.c
-@@ -2796,6 +2796,8 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
- }
- #endif
-
-+ /* Do not fool tcpdump (if any), clean our debris */
-+ skb->tstamp.tv64 = 0;
- return skb;
- }
- EXPORT_SYMBOL(tcp_make_synack);
-diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index d7907ec..066d0b0 100644
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -555,7 +555,8 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
- {
- struct sk_buff *frag;
- struct rt6_info *rt = (struct rt6_info*)skb_dst(skb);
-- struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL;
-+ struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ?
-+ inet6_sk(skb->sk) : NULL;
- struct ipv6hdr *tmp_hdr;
- struct frag_hdr *fh;
- unsigned int mtu, hlen, left, len;
-diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
-index 09a22f4..bcd6518 100644
---- a/net/ipv6/ndisc.c
-+++ b/net/ipv6/ndisc.c
-@@ -1193,7 +1193,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
- if (rt)
- rt6_set_expires(rt, jiffies + (HZ * lifetime));
- if (ra_msg->icmph.icmp6_hop_limit) {
-- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
-+ /* Only set hop_limit on the interface if it is higher than
-+ * the current hop_limit.
-+ */
-+ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
-+ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
-+ } else {
-+ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
-+ }
- if (rt)
- dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
- ra_msg->icmph.icmp6_hop_limit);
-diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index a4f890d..9d4332d 100644
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -1633,7 +1633,7 @@ static void tcp_v6_early_demux(struct sk_buff *skb)
- skb->sk = sk;
- skb->destructor = sock_edemux;
- if (sk->sk_state != TCP_TIME_WAIT) {
-- struct dst_entry *dst = sk->sk_rx_dst;
-+ struct dst_entry *dst = ACCESS_ONCE(sk->sk_rx_dst);
-
- if (dst)
- dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie);
-diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
-index d25f293..957c1db 100644
---- a/net/netfilter/nf_conntrack_proto_generic.c
-+++ b/net/netfilter/nf_conntrack_proto_generic.c
-@@ -14,6 +14,30 @@
-
- static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
-
-+static bool nf_generic_should_process(u8 proto)
-+{
-+ switch (proto) {
-+#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
-+ case IPPROTO_SCTP:
-+ return false;
-+#endif
-+#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
-+ case IPPROTO_DCCP:
-+ return false;
-+#endif
-+#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
-+ case IPPROTO_GRE:
-+ return false;
-+#endif
-+#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
-+ case IPPROTO_UDPLITE:
-+ return false;
-+#endif
-+ default:
-+ return true;
-+ }
-+}
-+
- static inline struct nf_generic_net *generic_pernet(struct net *net)
- {
- return &net->ct.nf_ct_proto.generic;
-@@ -67,7 +91,7 @@ static int generic_packet(struct nf_conn *ct,
- static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb,
- unsigned int dataoff, unsigned int *timeouts)
- {
-- return true;
-+ return nf_generic_should_process(nf_ct_protonum(ct));
- }
-
- #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
-diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
-index 6c4cbd9..fc68bf6 100644
---- a/security/selinux/selinuxfs.c
-+++ b/security/selinux/selinuxfs.c
-@@ -1200,7 +1200,7 @@ static void sel_remove_entries(struct dentry *de)
- spin_lock(&de->d_lock);
- node = de->d_subdirs.next;
- while (node != &de->d_subdirs) {
-- struct dentry *d = list_entry(node, struct dentry, d_u.d_child);
-+ struct dentry *d = list_entry(node, struct dentry, d_child);
-
- spin_lock_nested(&d->d_lock, DENTRY_D_LOCK_NESTED);
- list_del_init(node);
-@@ -1674,12 +1674,12 @@ static void sel_remove_classes(void)
-
- list_for_each(class_node, &class_dir->d_subdirs) {
- struct dentry *class_subdir = list_entry(class_node,
-- struct dentry, d_u.d_child);
-+ struct dentry, d_child);
- struct list_head *class_subdir_node;
-
- list_for_each(class_subdir_node, &class_subdir->d_subdirs) {
- struct dentry *d = list_entry(class_subdir_node,
-- struct dentry, d_u.d_child);
-+ struct dentry, d_child);
-
- if (d->d_inode)
- if (d->d_inode->i_mode & S_IFDIR)
diff --git a/3.14.40/0000_README b/3.14.41/0000_README
index 39720d8..77861d5 100644
--- a/3.14.40/0000_README
+++ b/3.14.41/0000_README
@@ -2,11 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 1039_linux-3.14.40.patch
+Patch: 1040_linux-3.14.41.patch
From: http://www.kernel.org
-Desc: Linux 3.14.40
+Desc: Linux 3.14.41
-Patch: 4420_grsecurity-3.1-3.14.40-201505042052.patch
+Patch: 4420_grsecurity-3.1-3.14.41-201505091723.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.41/1040_linux-3.14.41.patch b/3.14.41/1040_linux-3.14.41.patch
new file mode 100644
index 0000000..444b427
--- /dev/null
+++ b/3.14.41/1040_linux-3.14.41.patch
@@ -0,0 +1,3586 @@
+diff --git a/Makefile b/Makefile
+index 070e0eb..7a60d4a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 14
+-SUBLEVEL = 40
++SUBLEVEL = 41
+ EXTRAVERSION =
+ NAME = Remembering Coco
+
+diff --git a/arch/arm/boot/dts/dove.dtsi b/arch/arm/boot/dts/dove.dtsi
+index 187fd46..355117c 100644
+--- a/arch/arm/boot/dts/dove.dtsi
++++ b/arch/arm/boot/dts/dove.dtsi
+@@ -154,7 +154,7 @@
+
+ uart2: serial@12200 {
+ compatible = "ns16550a";
+- reg = <0x12000 0x100>;
++ reg = <0x12200 0x100>;
+ reg-shift = <2>;
+ interrupts = <9>;
+ clocks = <&core_clk 0>;
+@@ -163,7 +163,7 @@
+
+ uart3: serial@12300 {
+ compatible = "ns16550a";
+- reg = <0x12100 0x100>;
++ reg = <0x12300 0x100>;
+ reg-shift = <2>;
+ interrupts = <10>;
+ clocks = <&core_clk 0>;
+diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
+index f4b46d3..051b726 100644
+--- a/arch/arm/include/asm/elf.h
++++ b/arch/arm/include/asm/elf.h
+@@ -114,7 +114,7 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
+ the loader. We need to make sure that it is out of the way of the program
+ that it will "exec", and that there is sufficient room for the brk. */
+
+-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
+
+ /* When the program starts, a1 contains a pointer to a function to be
+ registered with atexit, as per the SVR4 ABI. A value of 0 means we
+diff --git a/arch/arm/mach-s3c64xx/crag6410.h b/arch/arm/mach-s3c64xx/crag6410.h
+index 7bc6668..dcbe17f 100644
+--- a/arch/arm/mach-s3c64xx/crag6410.h
++++ b/arch/arm/mach-s3c64xx/crag6410.h
+@@ -14,6 +14,7 @@
+ #include <mach/gpio-samsung.h>
+
+ #define GLENFARCLAS_PMIC_IRQ_BASE IRQ_BOARD_START
++#define BANFF_PMIC_IRQ_BASE (IRQ_BOARD_START + 64)
+
+ #define PCA935X_GPIO_BASE GPIO_BOARD_START
+ #define CODEC_GPIO_BASE (GPIO_BOARD_START + 8)
+diff --git a/arch/arm/mach-s3c64xx/mach-crag6410.c b/arch/arm/mach-s3c64xx/mach-crag6410.c
+index 3df3c37..66b95c4 100644
+--- a/arch/arm/mach-s3c64xx/mach-crag6410.c
++++ b/arch/arm/mach-s3c64xx/mach-crag6410.c
+@@ -555,6 +555,7 @@ static struct wm831x_touch_pdata touch_pdata = {
+
+ static struct wm831x_pdata crag_pmic_pdata = {
+ .wm831x_num = 1,
++ .irq_base = BANFF_PMIC_IRQ_BASE,
+ .gpio_base = BANFF_PMIC_GPIO_BASE,
+ .soft_shutdown = true,
+
+diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makefile
+index 6d20b7d..a268a9a 100644
+--- a/arch/arm64/kernel/vdso/Makefile
++++ b/arch/arm64/kernel/vdso/Makefile
+@@ -43,7 +43,7 @@ $(obj)/vdso-offsets.h: $(obj)/vdso.so.dbg FORCE
+ $(call if_changed,vdsosym)
+
+ # Assembly rules for the .S files
+-$(obj-vdso): %.o: %.S
++$(obj-vdso): %.o: %.S FORCE
+ $(call if_changed_dep,vdsoas)
+
+ # Actual build commands
+diff --git a/arch/c6x/kernel/time.c b/arch/c6x/kernel/time.c
+index 356ee84..04845aa 100644
+--- a/arch/c6x/kernel/time.c
++++ b/arch/c6x/kernel/time.c
+@@ -49,7 +49,7 @@ u64 sched_clock(void)
+ return (tsc * sched_clock_multiplier) >> SCHED_CLOCK_SHIFT;
+ }
+
+-void time_init(void)
++void __init time_init(void)
+ {
+ u64 tmp = (u64)NSEC_PER_SEC << SCHED_CLOCK_SHIFT;
+
+diff --git a/arch/mips/include/asm/suspend.h b/arch/mips/include/asm/suspend.h
+deleted file mode 100644
+index 3adac3b..0000000
+--- a/arch/mips/include/asm/suspend.h
++++ /dev/null
+@@ -1,7 +0,0 @@
+-#ifndef __ASM_SUSPEND_H
+-#define __ASM_SUSPEND_H
+-
+-/* References to section boundaries */
+-extern const void __nosave_begin, __nosave_end;
+-
+-#endif /* __ASM_SUSPEND_H */
+diff --git a/arch/mips/power/cpu.c b/arch/mips/power/cpu.c
+index 521e596..2129e67 100644
+--- a/arch/mips/power/cpu.c
++++ b/arch/mips/power/cpu.c
+@@ -7,7 +7,7 @@
+ * Author: Hu Hongbing <huhb@lemote.com>
+ * Wu Zhangjin <wuzhangjin@gmail.com>
+ */
+-#include <asm/suspend.h>
++#include <asm/sections.h>
+ #include <asm/fpu.h>
+ #include <asm/dsp.h>
+
+diff --git a/arch/mips/power/hibernate.S b/arch/mips/power/hibernate.S
+index 32a7c82..e7567c8 100644
+--- a/arch/mips/power/hibernate.S
++++ b/arch/mips/power/hibernate.S
+@@ -30,6 +30,8 @@ LEAF(swsusp_arch_suspend)
+ END(swsusp_arch_suspend)
+
+ LEAF(swsusp_arch_resume)
++ /* Avoid TLB mismatch during and after kernel resume */
++ jal local_flush_tlb_all
+ PTR_L t0, restore_pblist
+ 0:
+ PTR_L t1, PBE_ADDRESS(t0) /* source */
+@@ -43,7 +45,6 @@ LEAF(swsusp_arch_resume)
+ bne t1, t3, 1b
+ PTR_L t0, PBE_NEXT(t0)
+ bnez t0, 0b
+- jal local_flush_tlb_all /* Avoid TLB mismatch after kernel resume */
+ PTR_LA t0, saved_regs
+ PTR_L ra, PT_R31(t0)
+ PTR_L sp, PT_R29(t0)
+diff --git a/arch/powerpc/kernel/cacheinfo.c b/arch/powerpc/kernel/cacheinfo.c
+index 2912b87..3eb36ce 100644
+--- a/arch/powerpc/kernel/cacheinfo.c
++++ b/arch/powerpc/kernel/cacheinfo.c
+@@ -61,12 +61,22 @@ struct cache_type_info {
+ };
+
+ /* These are used to index the cache_type_info array. */
+-#define CACHE_TYPE_UNIFIED 0
+-#define CACHE_TYPE_INSTRUCTION 1
+-#define CACHE_TYPE_DATA 2
++#define CACHE_TYPE_UNIFIED 0 /* cache-size, cache-block-size, etc. */
++#define CACHE_TYPE_UNIFIED_D 1 /* d-cache-size, d-cache-block-size, etc */
++#define CACHE_TYPE_INSTRUCTION 2
++#define CACHE_TYPE_DATA 3
+
+ static const struct cache_type_info cache_type_info[] = {
+ {
++ /* Embedded systems that use cache-size, cache-block-size,
++ * etc. for the Unified (typically L2) cache. */
++ .name = "Unified",
++ .size_prop = "cache-size",
++ .line_size_props = { "cache-line-size",
++ "cache-block-size", },
++ .nr_sets_prop = "cache-sets",
++ },
++ {
+ /* PowerPC Processor binding says the [di]-cache-*
+ * must be equal on unified caches, so just use
+ * d-cache properties. */
+@@ -293,7 +303,8 @@ static struct cache *cache_find_first_sibling(struct cache *cache)
+ {
+ struct cache *iter;
+
+- if (cache->type == CACHE_TYPE_UNIFIED)
++ if (cache->type == CACHE_TYPE_UNIFIED ||
++ cache->type == CACHE_TYPE_UNIFIED_D)
+ return cache;
+
+ list_for_each_entry(iter, &cache_list, list)
+@@ -324,16 +335,29 @@ static bool cache_node_is_unified(const struct device_node *np)
+ return of_get_property(np, "cache-unified", NULL);
+ }
+
+-static struct cache *cache_do_one_devnode_unified(struct device_node *node,
+- int level)
++/*
++ * Unified caches can have two different sets of tags. Most embedded
++ * use cache-size, etc. for the unified cache size, but open firmware systems
++ * use d-cache-size, etc. Check on initialization for which type we have, and
++ * return the appropriate structure type. Assume it's embedded if it isn't
++ * open firmware. If it's yet a 3rd type, then there will be missing entries
++ * in /sys/devices/system/cpu/cpu0/cache/index2/, and this code will need
++ * to be extended further.
++ */
++static int cache_is_unified_d(const struct device_node *np)
+ {
+- struct cache *cache;
++ return of_get_property(np,
++ cache_type_info[CACHE_TYPE_UNIFIED_D].size_prop, NULL) ?
++ CACHE_TYPE_UNIFIED_D : CACHE_TYPE_UNIFIED;
++}
+
++/*
++ */
++static struct cache *cache_do_one_devnode_unified(struct device_node *node, int level)
++{
+ pr_debug("creating L%d ucache for %s\n", level, node->full_name);
+
+- cache = new_cache(CACHE_TYPE_UNIFIED, level, node);
+-
+- return cache;
++ return new_cache(cache_is_unified_d(node), level, node);
+ }
+
+ static struct cache *cache_do_one_devnode_split(struct device_node *node,
+diff --git a/arch/powerpc/kernel/suspend.c b/arch/powerpc/kernel/suspend.c
+index 0167d53..a531154 100644
+--- a/arch/powerpc/kernel/suspend.c
++++ b/arch/powerpc/kernel/suspend.c
+@@ -9,9 +9,7 @@
+
+ #include <linux/mm.h>
+ #include <asm/page.h>
+-
+-/* References to section boundaries */
+-extern const void __nosave_begin, __nosave_end;
++#include <asm/sections.h>
+
+ /*
+ * pfn_is_nosave - check if given pfn is in the 'nosave' section
+diff --git a/arch/powerpc/perf/callchain.c b/arch/powerpc/perf/callchain.c
+index 2396dda..ead5535 100644
+--- a/arch/powerpc/perf/callchain.c
++++ b/arch/powerpc/perf/callchain.c
+@@ -243,7 +243,7 @@ static void perf_callchain_user_64(struct perf_callchain_entry *entry,
+ sp = regs->gpr[1];
+ perf_callchain_store(entry, next_ip);
+
+- for (;;) {
++ while (entry->nr < PERF_MAX_STACK_DEPTH) {
+ fp = (unsigned long __user *) sp;
+ if (!valid_user_sp(sp, 1) || read_user_stack_64(fp, &next_sp))
+ return;
+diff --git a/arch/powerpc/platforms/cell/iommu.c b/arch/powerpc/platforms/cell/iommu.c
+index 2b90ff8..59ef76c 100644
+--- a/arch/powerpc/platforms/cell/iommu.c
++++ b/arch/powerpc/platforms/cell/iommu.c
+@@ -197,7 +197,7 @@ static int tce_build_cell(struct iommu_table *tbl, long index, long npages,
+
+ io_pte = (unsigned long *)tbl->it_base + (index - tbl->it_offset);
+
+- for (i = 0; i < npages; i++, uaddr += tbl->it_page_shift)
++ for (i = 0; i < npages; i++, uaddr += (1 << tbl->it_page_shift))
+ io_pte[i] = base_pte | (__pa(uaddr) & CBE_IOPTE_RPN_Mask);
+
+ mb();
+diff --git a/arch/s390/kernel/suspend.c b/arch/s390/kernel/suspend.c
+index a7a7537..d3236c9 100644
+--- a/arch/s390/kernel/suspend.c
++++ b/arch/s390/kernel/suspend.c
+@@ -13,14 +13,10 @@
+ #include <asm/ipl.h>
+ #include <asm/cio.h>
+ #include <asm/pci.h>
++#include <asm/sections.h>
+ #include "entry.h"
+
+ /*
+- * References to section boundaries
+- */
+-extern const void __nosave_begin, __nosave_end;
+-
+-/*
+ * The restore of the saved pages in an hibernation image will set
+ * the change and referenced bits in the storage key for each page.
+ * Overindication of the referenced bits after an hibernation cycle
+@@ -142,6 +138,8 @@ int pfn_is_nosave(unsigned long pfn)
+ {
+ unsigned long nosave_begin_pfn = PFN_DOWN(__pa(&__nosave_begin));
+ unsigned long nosave_end_pfn = PFN_DOWN(__pa(&__nosave_end));
++ unsigned long eshared_pfn = PFN_DOWN(__pa(&_eshared)) - 1;
++ unsigned long stext_pfn = PFN_DOWN(__pa(&_stext));
+
+ /* Always save lowcore pages (LC protection might be enabled). */
+ if (pfn <= LC_PAGES)
+@@ -149,6 +147,8 @@ int pfn_is_nosave(unsigned long pfn)
+ if (pfn >= nosave_begin_pfn && pfn < nosave_end_pfn)
+ return 1;
+ /* Skip memory holes and read-only pages (NSS, DCSS, ...). */
++ if (pfn >= stext_pfn && pfn <= eshared_pfn)
++ return ipl_info.type == IPL_TYPE_NSS ? 1 : 0;
+ if (tprot(PFN_PHYS(pfn)))
+ return 1;
+ return 0;
+diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c
+index 75beea6..3588f2f 100644
+--- a/arch/s390/kvm/priv.c
++++ b/arch/s390/kvm/priv.c
+@@ -414,6 +414,7 @@ static void handle_stsi_3_2_2(struct kvm_vcpu *vcpu, struct sysinfo_3_2_2 *mem)
+ for (n = mem->count - 1; n > 0 ; n--)
+ memcpy(&mem->vm[n], &mem->vm[n - 1], sizeof(mem->vm[0]));
+
++ memset(&mem->vm[0], 0, sizeof(mem->vm[0]));
+ mem->vm[0].cpus_total = cpus;
+ mem->vm[0].cpus_configured = cpus;
+ mem->vm[0].cpus_standby = 0;
+diff --git a/arch/sh/include/asm/sections.h b/arch/sh/include/asm/sections.h
+index 1b61997..7a99e6a 100644
+--- a/arch/sh/include/asm/sections.h
++++ b/arch/sh/include/asm/sections.h
+@@ -3,7 +3,6 @@
+
+ #include <asm-generic/sections.h>
+
+-extern long __nosave_begin, __nosave_end;
+ extern long __machvec_start, __machvec_end;
+ extern char __uncached_start, __uncached_end;
+ extern char __start_eh_frame[], __stop_eh_frame[];
+diff --git a/arch/sparc/power/hibernate.c b/arch/sparc/power/hibernate.c
+index 42b0b8c..17bd2e1 100644
+--- a/arch/sparc/power/hibernate.c
++++ b/arch/sparc/power/hibernate.c
+@@ -9,11 +9,9 @@
+ #include <asm/hibernate.h>
+ #include <asm/visasm.h>
+ #include <asm/page.h>
++#include <asm/sections.h>
+ #include <asm/tlb.h>
+
+-/* References to section boundaries */
+-extern const void __nosave_begin, __nosave_end;
+-
+ struct saved_context saved_context;
+
+ /*
+diff --git a/arch/unicore32/include/mach/pm.h b/arch/unicore32/include/mach/pm.h
+index 4dcd34a..77b5226 100644
+--- a/arch/unicore32/include/mach/pm.h
++++ b/arch/unicore32/include/mach/pm.h
+@@ -36,8 +36,5 @@ extern int puv3_pm_enter(suspend_state_t state);
+ /* Defined in hibernate_asm.S */
+ extern int restore_image(pgd_t *resume_pg_dir, struct pbe *restore_pblist);
+
+-/* References to section boundaries */
+-extern const void __nosave_begin, __nosave_end;
+-
+ extern struct pbe *restore_pblist;
+ #endif
+diff --git a/arch/unicore32/kernel/hibernate.c b/arch/unicore32/kernel/hibernate.c
+index d75ef8b..9969ec3 100644
+--- a/arch/unicore32/kernel/hibernate.c
++++ b/arch/unicore32/kernel/hibernate.c
+@@ -18,6 +18,7 @@
+ #include <asm/page.h>
+ #include <asm/pgtable.h>
+ #include <asm/pgalloc.h>
++#include <asm/sections.h>
+ #include <asm/suspend.h>
+
+ #include "mach/pm.h"
+diff --git a/arch/x86/include/asm/mwait.h b/arch/x86/include/asm/mwait.h
+index 1da25a5..3ba047c 100644
+--- a/arch/x86/include/asm/mwait.h
++++ b/arch/x86/include/asm/mwait.h
+@@ -30,6 +30,14 @@ static inline void __mwait(unsigned long eax, unsigned long ecx)
+ :: "a" (eax), "c" (ecx));
+ }
+
++static inline void __sti_mwait(unsigned long eax, unsigned long ecx)
++{
++ trace_hardirqs_on();
++ /* "mwait %eax, %ecx;" */
++ asm volatile("sti; .byte 0x0f, 0x01, 0xc9;"
++ :: "a" (eax), "c" (ecx));
++}
++
+ /*
+ * This uses new MONITOR/MWAIT instructions on P4 processors with PNI,
+ * which can obviate IPI to trigger checking of need_resched.
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 3fb8d95..1a1ff42 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -28,6 +28,7 @@
+ #include <asm/fpu-internal.h>
+ #include <asm/debugreg.h>
+ #include <asm/nmi.h>
++#include <asm/mwait.h>
+
+ /*
+ * per-CPU TSS segments. Threads are completely 'soft' on Linux,
+@@ -398,6 +399,52 @@ static void amd_e400_idle(void)
+ default_idle();
+ }
+
++/*
++ * Intel Core2 and older machines prefer MWAIT over HALT for C1.
++ * We can't rely on cpuidle installing MWAIT, because it will not load
++ * on systems that support only C1 -- so the boot default must be MWAIT.
++ *
++ * Some AMD machines are the opposite, they depend on using HALT.
++ *
++ * So for default C1, which is used during boot until cpuidle loads,
++ * use MWAIT-C1 on Intel HW that has it, else use HALT.
++ */
++static int prefer_mwait_c1_over_halt(const struct cpuinfo_x86 *c)
++{
++ if (c->x86_vendor != X86_VENDOR_INTEL)
++ return 0;
++
++ if (!cpu_has(c, X86_FEATURE_MWAIT))
++ return 0;
++
++ return 1;
++}
++
++/*
++ * MONITOR/MWAIT with no hints, used for default default C1 state.
++ * This invokes MWAIT with interrutps enabled and no flags,
++ * which is backwards compatible with the original MWAIT implementation.
++ */
++
++static void mwait_idle(void)
++{
++ if (!current_set_polling_and_test()) {
++ if (static_cpu_has(X86_FEATURE_CLFLUSH_MONITOR)) {
++ mb();
++ clflush((void *)&current_thread_info()->flags);
++ mb();
++ }
++
++ __monitor((void *)&current_thread_info()->flags, 0, 0);
++ if (!need_resched())
++ __sti_mwait(0, 0);
++ else
++ local_irq_enable();
++ } else
++ local_irq_enable();
++ current_clr_polling();
++}
++
+ void select_idle_routine(const struct cpuinfo_x86 *c)
+ {
+ #ifdef CONFIG_SMP
+@@ -411,6 +458,9 @@ void select_idle_routine(const struct cpuinfo_x86 *c)
+ /* E400: APIC timer interrupt does not wake up CPU from C1e */
+ pr_info("using AMD E400 aware idle routine\n");
+ x86_idle = amd_e400_idle;
++ } else if (prefer_mwait_c1_over_halt(c)) {
++ pr_info("using mwait in idle threads\n");
++ x86_idle = mwait_idle;
+ } else
+ x86_idle = default_idle;
+ }
+diff --git a/arch/x86/power/hibernate_32.c b/arch/x86/power/hibernate_32.c
+index 7d28c88..291226b 100644
+--- a/arch/x86/power/hibernate_32.c
++++ b/arch/x86/power/hibernate_32.c
+@@ -13,13 +13,11 @@
+ #include <asm/page.h>
+ #include <asm/pgtable.h>
+ #include <asm/mmzone.h>
++#include <asm/sections.h>
+
+ /* Defined in hibernate_asm_32.S */
+ extern int restore_image(void);
+
+-/* References to section boundaries */
+-extern const void __nosave_begin, __nosave_end;
+-
+ /* Pointer to the temporary resume page tables */
+ pgd_t *resume_pg_dir;
+
+diff --git a/arch/x86/power/hibernate_64.c b/arch/x86/power/hibernate_64.c
+index 304fca2..2276238 100644
+--- a/arch/x86/power/hibernate_64.c
++++ b/arch/x86/power/hibernate_64.c
+@@ -17,11 +17,9 @@
+ #include <asm/page.h>
+ #include <asm/pgtable.h>
+ #include <asm/mtrr.h>
++#include <asm/sections.h>
+ #include <asm/suspend.h>
+
+-/* References to section boundaries */
+-extern __visible const void __nosave_begin, __nosave_end;
+-
+ /* Defined in hibernate_asm_64.S */
+ extern asmlinkage int restore_image(void);
+
+diff --git a/arch/xtensa/Kconfig b/arch/xtensa/Kconfig
+index c87ae7c..8879361 100644
+--- a/arch/xtensa/Kconfig
++++ b/arch/xtensa/Kconfig
+@@ -336,6 +336,36 @@ menu "Executable file formats"
+
+ source "fs/Kconfig.binfmt"
+
++config XTFPGA_LCD
++ bool "Enable XTFPGA LCD driver"
++ depends on XTENSA_PLATFORM_XTFPGA
++ default n
++ help
++ There's a 2x16 LCD on most of XTFPGA boards, kernel may output
++ progress messages there during bootup/shutdown. It may be useful
++ during board bringup.
++
++ If unsure, say N.
++
++config XTFPGA_LCD_BASE_ADDR
++ hex "XTFPGA LCD base address"
++ depends on XTFPGA_LCD
++ default "0x0d0c0000"
++ help
++ Base address of the LCD controller inside KIO region.
++ Different boards from XTFPGA family have LCD controller at different
++ addresses. Please consult prototyping user guide for your board for
++ the correct address. Wrong address here may lead to hardware lockup.
++
++config XTFPGA_LCD_8BIT_ACCESS
++ bool "Use 8-bit access to XTFPGA LCD"
++ depends on XTFPGA_LCD
++ default n
++ help
++ LCD may be connected with 4- or 8-bit interface, 8-bit access may
++ only be used with 8-bit interface. Please consult prototyping user
++ guide for your board for the correct interface width.
++
+ endmenu
+
+ source "net/Kconfig"
+diff --git a/arch/xtensa/include/uapi/asm/unistd.h b/arch/xtensa/include/uapi/asm/unistd.h
+index 50084f7..b54fa1b 100644
+--- a/arch/xtensa/include/uapi/asm/unistd.h
++++ b/arch/xtensa/include/uapi/asm/unistd.h
+@@ -715,7 +715,7 @@ __SYSCALL(323, sys_process_vm_writev, 6)
+ __SYSCALL(324, sys_name_to_handle_at, 5)
+ #define __NR_open_by_handle_at 325
+ __SYSCALL(325, sys_open_by_handle_at, 3)
+-#define __NR_sync_file_range 326
++#define __NR_sync_file_range2 326
+ __SYSCALL(326, sys_sync_file_range2, 6)
+ #define __NR_perf_event_open 327
+ __SYSCALL(327, sys_perf_event_open, 5)
+diff --git a/arch/xtensa/platforms/iss/network.c b/arch/xtensa/platforms/iss/network.c
+index d05f8fe..17b1ef3 100644
+--- a/arch/xtensa/platforms/iss/network.c
++++ b/arch/xtensa/platforms/iss/network.c
+@@ -349,8 +349,8 @@ static void iss_net_timer(unsigned long priv)
+ {
+ struct iss_net_private *lp = (struct iss_net_private *)priv;
+
+- spin_lock(&lp->lock);
+ iss_net_poll();
++ spin_lock(&lp->lock);
+ mod_timer(&lp->timer, jiffies + lp->timer_val);
+ spin_unlock(&lp->lock);
+ }
+@@ -361,7 +361,7 @@ static int iss_net_open(struct net_device *dev)
+ struct iss_net_private *lp = netdev_priv(dev);
+ int err;
+
+- spin_lock(&lp->lock);
++ spin_lock_bh(&lp->lock);
+
+ err = lp->tp.open(lp);
+ if (err < 0)
+@@ -376,9 +376,11 @@ static int iss_net_open(struct net_device *dev)
+ while ((err = iss_net_rx(dev)) > 0)
+ ;
+
+- spin_lock(&opened_lock);
++ spin_unlock_bh(&lp->lock);
++ spin_lock_bh(&opened_lock);
+ list_add(&lp->opened_list, &opened);
+- spin_unlock(&opened_lock);
++ spin_unlock_bh(&opened_lock);
++ spin_lock_bh(&lp->lock);
+
+ init_timer(&lp->timer);
+ lp->timer_val = ISS_NET_TIMER_VALUE;
+@@ -387,7 +389,7 @@ static int iss_net_open(struct net_device *dev)
+ mod_timer(&lp->timer, jiffies + lp->timer_val);
+
+ out:
+- spin_unlock(&lp->lock);
++ spin_unlock_bh(&lp->lock);
+ return err;
+ }
+
+@@ -395,7 +397,7 @@ static int iss_net_close(struct net_device *dev)
+ {
+ struct iss_net_private *lp = netdev_priv(dev);
+ netif_stop_queue(dev);
+- spin_lock(&lp->lock);
++ spin_lock_bh(&lp->lock);
+
+ spin_lock(&opened_lock);
+ list_del(&opened);
+@@ -405,18 +407,17 @@ static int iss_net_close(struct net_device *dev)
+
+ lp->tp.close(lp);
+
+- spin_unlock(&lp->lock);
++ spin_unlock_bh(&lp->lock);
+ return 0;
+ }
+
+ static int iss_net_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct iss_net_private *lp = netdev_priv(dev);
+- unsigned long flags;
+ int len;
+
+ netif_stop_queue(dev);
+- spin_lock_irqsave(&lp->lock, flags);
++ spin_lock_bh(&lp->lock);
+
+ len = lp->tp.write(lp, &skb);
+
+@@ -438,7 +439,7 @@ static int iss_net_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ pr_err("%s: %s failed(%d)\n", dev->name, __func__, len);
+ }
+
+- spin_unlock_irqrestore(&lp->lock, flags);
++ spin_unlock_bh(&lp->lock);
+
+ dev_kfree_skb(skb);
+ return NETDEV_TX_OK;
+@@ -466,9 +467,9 @@ static int iss_net_set_mac(struct net_device *dev, void *addr)
+
+ if (!is_valid_ether_addr(hwaddr->sa_data))
+ return -EADDRNOTAVAIL;
+- spin_lock(&lp->lock);
++ spin_lock_bh(&lp->lock);
+ memcpy(dev->dev_addr, hwaddr->sa_data, ETH_ALEN);
+- spin_unlock(&lp->lock);
++ spin_unlock_bh(&lp->lock);
+ return 0;
+ }
+
+@@ -520,11 +521,11 @@ static int iss_net_configure(int index, char *init)
+ *lp = (struct iss_net_private) {
+ .device_list = LIST_HEAD_INIT(lp->device_list),
+ .opened_list = LIST_HEAD_INIT(lp->opened_list),
+- .lock = __SPIN_LOCK_UNLOCKED(lp.lock),
+ .dev = dev,
+ .index = index,
+- };
++ };
+
++ spin_lock_init(&lp->lock);
+ /*
+ * If this name ends up conflicting with an existing registered
+ * netdevice, that is OK, register_netdev{,ice}() will notice this
+diff --git a/arch/xtensa/platforms/xtfpga/Makefile b/arch/xtensa/platforms/xtfpga/Makefile
+index b9ae206..7839d38 100644
+--- a/arch/xtensa/platforms/xtfpga/Makefile
++++ b/arch/xtensa/platforms/xtfpga/Makefile
+@@ -6,4 +6,5 @@
+ #
+ # Note 2! The CFLAGS definitions are in the main makefile...
+
+-obj-y = setup.o lcd.o
++obj-y += setup.o
++obj-$(CONFIG_XTFPGA_LCD) += lcd.o
+diff --git a/arch/xtensa/platforms/xtfpga/include/platform/hardware.h b/arch/xtensa/platforms/xtfpga/include/platform/hardware.h
+index aeb316b..e8cc86f 100644
+--- a/arch/xtensa/platforms/xtfpga/include/platform/hardware.h
++++ b/arch/xtensa/platforms/xtfpga/include/platform/hardware.h
+@@ -40,9 +40,6 @@
+
+ /* UART */
+ #define DUART16552_PADDR (XCHAL_KIO_PADDR + 0x0D050020)
+-/* LCD instruction and data addresses. */
+-#define LCD_INSTR_ADDR ((char *)IOADDR(0x0D040000))
+-#define LCD_DATA_ADDR ((char *)IOADDR(0x0D040004))
+
+ /* Misc. */
+ #define XTFPGA_FPGAREGS_VADDR IOADDR(0x0D020000)
+diff --git a/arch/xtensa/platforms/xtfpga/include/platform/lcd.h b/arch/xtensa/platforms/xtfpga/include/platform/lcd.h
+index 0e43564..4c8541e 100644
+--- a/arch/xtensa/platforms/xtfpga/include/platform/lcd.h
++++ b/arch/xtensa/platforms/xtfpga/include/platform/lcd.h
+@@ -11,10 +11,25 @@
+ #ifndef __XTENSA_XTAVNET_LCD_H
+ #define __XTENSA_XTAVNET_LCD_H
+
++#ifdef CONFIG_XTFPGA_LCD
+ /* Display string STR at position POS on the LCD. */
+ void lcd_disp_at_pos(char *str, unsigned char pos);
+
+ /* Shift the contents of the LCD display left or right. */
+ void lcd_shiftleft(void);
+ void lcd_shiftright(void);
++#else
++static inline void lcd_disp_at_pos(char *str, unsigned char pos)
++{
++}
++
++static inline void lcd_shiftleft(void)
++{
++}
++
++static inline void lcd_shiftright(void)
++{
++}
++#endif
++
+ #endif
+diff --git a/arch/xtensa/platforms/xtfpga/lcd.c b/arch/xtensa/platforms/xtfpga/lcd.c
+index 2872301..4dc0c1b 100644
+--- a/arch/xtensa/platforms/xtfpga/lcd.c
++++ b/arch/xtensa/platforms/xtfpga/lcd.c
+@@ -1,50 +1,63 @@
+ /*
+- * Driver for the LCD display on the Tensilica LX60 Board.
++ * Driver for the LCD display on the Tensilica XTFPGA board family.
++ * http://www.mytechcorp.com/cfdata/productFile/File1/MOC-16216B-B-A0A04.pdf
+ *
+ * This file is subject to the terms and conditions of the GNU General Public
+ * License. See the file "COPYING" in the main directory of this archive
+ * for more details.
+ *
+ * Copyright (C) 2001, 2006 Tensilica Inc.
++ * Copyright (C) 2015 Cadence Design Systems Inc.
+ */
+
+-/*
+- *
+- * FIXME: this code is from the examples from the LX60 user guide.
+- *
+- * The lcd_pause function does busy waiting, which is probably not
+- * great. Maybe the code could be changed to use kernel timers, or
+- * change the hardware to not need to wait.
+- */
+-
++#include <linux/delay.h>
+ #include <linux/init.h>
+ #include <linux/io.h>
+
+ #include <platform/hardware.h>
+ #include <platform/lcd.h>
+-#include <linux/delay.h>
+
+-#define LCD_PAUSE_ITERATIONS 4000
++/* LCD instruction and data addresses. */
++#define LCD_INSTR_ADDR ((char *)IOADDR(CONFIG_XTFPGA_LCD_BASE_ADDR))
++#define LCD_DATA_ADDR (LCD_INSTR_ADDR + 4)
++
+ #define LCD_CLEAR 0x1
+ #define LCD_DISPLAY_ON 0xc
+
+ /* 8bit and 2 lines display */
+ #define LCD_DISPLAY_MODE8BIT 0x38
++#define LCD_DISPLAY_MODE4BIT 0x28
+ #define LCD_DISPLAY_POS 0x80
+ #define LCD_SHIFT_LEFT 0x18
+ #define LCD_SHIFT_RIGHT 0x1c
+
++static void lcd_put_byte(u8 *addr, u8 data)
++{
++#ifdef CONFIG_XTFPGA_LCD_8BIT_ACCESS
++ ACCESS_ONCE(*addr) = data;
++#else
++ ACCESS_ONCE(*addr) = data & 0xf0;
++ ACCESS_ONCE(*addr) = (data << 4) & 0xf0;
++#endif
++}
++
+ static int __init lcd_init(void)
+ {
+- *LCD_INSTR_ADDR = LCD_DISPLAY_MODE8BIT;
++ ACCESS_ONCE(*LCD_INSTR_ADDR) = LCD_DISPLAY_MODE8BIT;
+ mdelay(5);
+- *LCD_INSTR_ADDR = LCD_DISPLAY_MODE8BIT;
++ ACCESS_ONCE(*LCD_INSTR_ADDR) = LCD_DISPLAY_MODE8BIT;
+ udelay(200);
+- *LCD_INSTR_ADDR = LCD_DISPLAY_MODE8BIT;
++ ACCESS_ONCE(*LCD_INSTR_ADDR) = LCD_DISPLAY_MODE8BIT;
++ udelay(50);
++#ifndef CONFIG_XTFPGA_LCD_8BIT_ACCESS
++ ACCESS_ONCE(*LCD_INSTR_ADDR) = LCD_DISPLAY_MODE4BIT;
++ udelay(50);
++ lcd_put_byte(LCD_INSTR_ADDR, LCD_DISPLAY_MODE4BIT);
+ udelay(50);
+- *LCD_INSTR_ADDR = LCD_DISPLAY_ON;
++#endif
++ lcd_put_byte(LCD_INSTR_ADDR, LCD_DISPLAY_ON);
+ udelay(50);
+- *LCD_INSTR_ADDR = LCD_CLEAR;
++ lcd_put_byte(LCD_INSTR_ADDR, LCD_CLEAR);
+ mdelay(10);
+ lcd_disp_at_pos("XTENSA LINUX", 0);
+ return 0;
+@@ -52,10 +65,10 @@ static int __init lcd_init(void)
+
+ void lcd_disp_at_pos(char *str, unsigned char pos)
+ {
+- *LCD_INSTR_ADDR = LCD_DISPLAY_POS | pos;
++ lcd_put_byte(LCD_INSTR_ADDR, LCD_DISPLAY_POS | pos);
+ udelay(100);
+ while (*str != 0) {
+- *LCD_DATA_ADDR = *str;
++ lcd_put_byte(LCD_DATA_ADDR, *str);
+ udelay(200);
+ str++;
+ }
+@@ -63,13 +76,13 @@ void lcd_disp_at_pos(char *str, unsigned char pos)
+
+ void lcd_shiftleft(void)
+ {
+- *LCD_INSTR_ADDR = LCD_SHIFT_LEFT;
++ lcd_put_byte(LCD_INSTR_ADDR, LCD_SHIFT_LEFT);
+ udelay(50);
+ }
+
+ void lcd_shiftright(void)
+ {
+- *LCD_INSTR_ADDR = LCD_SHIFT_RIGHT;
++ lcd_put_byte(LCD_INSTR_ADDR, LCD_SHIFT_RIGHT);
+ udelay(50);
+ }
+
+diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
+index 666beea..9498c3d 100644
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -192,7 +192,11 @@ bool acpi_scan_is_offline(struct acpi_device *adev, bool uevent)
+ struct acpi_device_physical_node *pn;
+ bool offline = true;
+
+- mutex_lock(&adev->physical_node_lock);
++ /*
++ * acpi_container_offline() calls this for all of the container's
++ * children under the container's physical_node_lock lock.
++ */
++ mutex_lock_nested(&adev->physical_node_lock, SINGLE_DEPTH_NESTING);
+
+ list_for_each_entry(pn, &adev->physical_node_list, node)
+ if (device_supports_offline(pn->dev) && !pn->dev->offline) {
+diff --git a/drivers/base/bus.c b/drivers/base/bus.c
+index 45d0fa7..12b39dc 100644
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -515,11 +515,11 @@ int bus_add_device(struct device *dev)
+ goto out_put;
+ error = device_add_groups(dev, bus->dev_groups);
+ if (error)
+- goto out_groups;
++ goto out_id;
+ error = sysfs_create_link(&bus->p->devices_kset->kobj,
+ &dev->kobj, dev_name(dev));
+ if (error)
+- goto out_id;
++ goto out_groups;
+ error = sysfs_create_link(&dev->kobj,
+ &dev->bus->p->subsys.kobj, "subsystem");
+ if (error)
+diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
+index 5afe556..26b03e1 100644
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -64,6 +64,7 @@ static const struct usb_device_id ath3k_table[] = {
+ /* Atheros AR3011 with sflash firmware*/
+ { USB_DEVICE(0x0489, 0xE027) },
+ { USB_DEVICE(0x0489, 0xE03D) },
++ { USB_DEVICE(0x04F2, 0xAFF1) },
+ { USB_DEVICE(0x0930, 0x0215) },
+ { USB_DEVICE(0x0CF3, 0x3002) },
+ { USB_DEVICE(0x0CF3, 0xE019) },
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 03b3317..9eb1669 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -142,6 +142,7 @@ static const struct usb_device_id blacklist_table[] = {
+ /* Atheros 3011 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
+ { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
++ { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE },
+ { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
+ { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
+ { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
+diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c
+index 0996a3a..a9dd21a 100644
+--- a/drivers/clk/qcom/clk-rcg2.c
++++ b/drivers/clk/qcom/clk-rcg2.c
+@@ -257,7 +257,7 @@ static int __clk_rcg2_set_rate(struct clk_hw *hw, unsigned long rate)
+ mask |= CFG_SRC_SEL_MASK | CFG_MODE_MASK;
+ cfg = f->pre_div << CFG_SRC_DIV_SHIFT;
+ cfg |= rcg->parent_map[f->src] << CFG_SRC_SEL_SHIFT;
+- if (rcg->mnd_width && f->n)
++ if (rcg->mnd_width && f->n && (f->m != f->n))
+ cfg |= CFG_MODE_DUAL_EDGE;
+ ret = regmap_update_bits(rcg->clkr.regmap, rcg->cmd_rcgr + CFG_REG, mask,
+ cfg);
+diff --git a/drivers/clk/tegra/clk.c b/drivers/clk/tegra/clk.c
+index c0a7d77..a90af17 100644
+--- a/drivers/clk/tegra/clk.c
++++ b/drivers/clk/tegra/clk.c
+@@ -266,7 +266,7 @@ void __init tegra_add_of_provider(struct device_node *np)
+ of_clk_add_provider(np, of_clk_src_onecell_get, &clk_data);
+
+ rst_ctlr.of_node = np;
+- rst_ctlr.nr_resets = clk_num * 32;
++ rst_ctlr.nr_resets = periph_banks * 32;
+ reset_controller_register(&rst_ctlr);
+ }
+
+diff --git a/drivers/crypto/omap-aes.c b/drivers/crypto/omap-aes.c
+index dde41f1d..d522396 100644
+--- a/drivers/crypto/omap-aes.c
++++ b/drivers/crypto/omap-aes.c
+@@ -554,15 +554,23 @@ static int omap_aes_crypt_dma_stop(struct omap_aes_dev *dd)
+ return err;
+ }
+
+-static int omap_aes_check_aligned(struct scatterlist *sg)
++static int omap_aes_check_aligned(struct scatterlist *sg, int total)
+ {
++ int len = 0;
++
+ while (sg) {
+ if (!IS_ALIGNED(sg->offset, 4))
+ return -1;
+ if (!IS_ALIGNED(sg->length, AES_BLOCK_SIZE))
+ return -1;
++
++ len += sg->length;
+ sg = sg_next(sg);
+ }
++
++ if (len != total)
++ return -1;
++
+ return 0;
+ }
+
+@@ -633,8 +641,8 @@ static int omap_aes_handle_queue(struct omap_aes_dev *dd,
+ dd->in_sg = req->src;
+ dd->out_sg = req->dst;
+
+- if (omap_aes_check_aligned(dd->in_sg) ||
+- omap_aes_check_aligned(dd->out_sg)) {
++ if (omap_aes_check_aligned(dd->in_sg, dd->total) ||
++ omap_aes_check_aligned(dd->out_sg, dd->total)) {
+ if (omap_aes_copy_sgs(dd))
+ pr_err("Failed to copy SGs for unaligned cases\n");
+ dd->sgs_copied = 1;
+diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c
+index 3b1fd1c..e9d8cf6 100644
+--- a/drivers/gpio/gpio-mvebu.c
++++ b/drivers/gpio/gpio-mvebu.c
+@@ -304,11 +304,13 @@ static void mvebu_gpio_edge_irq_mask(struct irq_data *d)
+ {
+ struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
+ struct mvebu_gpio_chip *mvchip = gc->private;
++ struct irq_chip_type *ct = irq_data_get_chip_type(d);
+ u32 mask = 1 << (d->irq - gc->irq_base);
+
+ irq_gc_lock(gc);
+- gc->mask_cache &= ~mask;
+- writel_relaxed(gc->mask_cache, mvebu_gpioreg_edge_mask(mvchip));
++ ct->mask_cache_priv &= ~mask;
++
++ writel_relaxed(ct->mask_cache_priv, mvebu_gpioreg_edge_mask(mvchip));
+ irq_gc_unlock(gc);
+ }
+
+@@ -316,11 +318,13 @@ static void mvebu_gpio_edge_irq_unmask(struct irq_data *d)
+ {
+ struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
+ struct mvebu_gpio_chip *mvchip = gc->private;
++ struct irq_chip_type *ct = irq_data_get_chip_type(d);
++
+ u32 mask = 1 << (d->irq - gc->irq_base);
+
+ irq_gc_lock(gc);
+- gc->mask_cache |= mask;
+- writel_relaxed(gc->mask_cache, mvebu_gpioreg_edge_mask(mvchip));
++ ct->mask_cache_priv |= mask;
++ writel_relaxed(ct->mask_cache_priv, mvebu_gpioreg_edge_mask(mvchip));
+ irq_gc_unlock(gc);
+ }
+
+@@ -328,11 +332,13 @@ static void mvebu_gpio_level_irq_mask(struct irq_data *d)
+ {
+ struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
+ struct mvebu_gpio_chip *mvchip = gc->private;
++ struct irq_chip_type *ct = irq_data_get_chip_type(d);
++
+ u32 mask = 1 << (d->irq - gc->irq_base);
+
+ irq_gc_lock(gc);
+- gc->mask_cache &= ~mask;
+- writel_relaxed(gc->mask_cache, mvebu_gpioreg_level_mask(mvchip));
++ ct->mask_cache_priv &= ~mask;
++ writel_relaxed(ct->mask_cache_priv, mvebu_gpioreg_level_mask(mvchip));
+ irq_gc_unlock(gc);
+ }
+
+@@ -340,11 +346,13 @@ static void mvebu_gpio_level_irq_unmask(struct irq_data *d)
+ {
+ struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
+ struct mvebu_gpio_chip *mvchip = gc->private;
++ struct irq_chip_type *ct = irq_data_get_chip_type(d);
++
+ u32 mask = 1 << (d->irq - gc->irq_base);
+
+ irq_gc_lock(gc);
+- gc->mask_cache |= mask;
+- writel_relaxed(gc->mask_cache, mvebu_gpioreg_level_mask(mvchip));
++ ct->mask_cache_priv |= mask;
++ writel_relaxed(ct->mask_cache_priv, mvebu_gpioreg_level_mask(mvchip));
+ irq_gc_unlock(gc);
+ }
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index 8f42bd7..f1fc14c 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1928,15 +1928,15 @@ EXPORT_SYMBOL_GPL(gpiod_is_active_low);
+ * that the GPIO was actually requested.
+ */
+
+-static int _gpiod_get_raw_value(const struct gpio_desc *desc)
++static bool _gpiod_get_raw_value(const struct gpio_desc *desc)
+ {
+ struct gpio_chip *chip;
+- int value;
++ bool value;
+ int offset;
+
+ chip = desc->chip;
+ offset = gpio_chip_hwgpio(desc);
+- value = chip->get ? chip->get(chip, offset) : 0;
++ value = chip->get ? chip->get(chip, offset) : false;
+ trace_gpio_value(desc_to_gpio(desc), 1, value);
+ return value;
+ }
+@@ -1992,7 +1992,7 @@ EXPORT_SYMBOL_GPL(gpiod_get_value);
+ * @desc: gpio descriptor whose state need to be set.
+ * @value: Non-zero for setting it HIGH otherise it will set to LOW.
+ */
+-static void _gpio_set_open_drain_value(struct gpio_desc *desc, int value)
++static void _gpio_set_open_drain_value(struct gpio_desc *desc, bool value)
+ {
+ int err = 0;
+ struct gpio_chip *chip = desc->chip;
+@@ -2019,7 +2019,7 @@ static void _gpio_set_open_drain_value(struct gpio_desc *desc, int value)
+ * @desc: gpio descriptor whose state need to be set.
+ * @value: Non-zero for setting it HIGH otherise it will set to LOW.
+ */
+-static void _gpio_set_open_source_value(struct gpio_desc *desc, int value)
++static void _gpio_set_open_source_value(struct gpio_desc *desc, bool value)
+ {
+ int err = 0;
+ struct gpio_chip *chip = desc->chip;
+@@ -2041,7 +2041,7 @@ static void _gpio_set_open_source_value(struct gpio_desc *desc, int value)
+ __func__, err);
+ }
+
+-static void _gpiod_set_raw_value(struct gpio_desc *desc, int value)
++static void _gpiod_set_raw_value(struct gpio_desc *desc, bool value)
+ {
+ struct gpio_chip *chip;
+
+diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
+index 0c83b3d..5b38bf8 100644
+--- a/drivers/gpu/drm/i915/i915_reg.h
++++ b/drivers/gpu/drm/i915/i915_reg.h
+@@ -1181,6 +1181,7 @@
+ #define GMBUS_CYCLE_INDEX (2<<25)
+ #define GMBUS_CYCLE_STOP (4<<25)
+ #define GMBUS_BYTE_COUNT_SHIFT 16
++#define GMBUS_BYTE_COUNT_MAX 256U
+ #define GMBUS_SLAVE_INDEX_SHIFT 8
+ #define GMBUS_SLAVE_ADDR_SHIFT 1
+ #define GMBUS_SLAVE_READ (1<<0)
+diff --git a/drivers/gpu/drm/i915/intel_i2c.c b/drivers/gpu/drm/i915/intel_i2c.c
+index d33b61d..1d02970 100644
+--- a/drivers/gpu/drm/i915/intel_i2c.c
++++ b/drivers/gpu/drm/i915/intel_i2c.c
+@@ -324,18 +324,17 @@ gmbus_wait_idle(struct drm_i915_private *dev_priv)
+ }
+
+ static int
+-gmbus_xfer_read(struct drm_i915_private *dev_priv, struct i2c_msg *msg,
+- u32 gmbus1_index)
++gmbus_xfer_read_chunk(struct drm_i915_private *dev_priv,
++ unsigned short addr, u8 *buf, unsigned int len,
++ u32 gmbus1_index)
+ {
+ int reg_offset = dev_priv->gpio_mmio_base;
+- u16 len = msg->len;
+- u8 *buf = msg->buf;
+
+ I915_WRITE(GMBUS1 + reg_offset,
+ gmbus1_index |
+ GMBUS_CYCLE_WAIT |
+ (len << GMBUS_BYTE_COUNT_SHIFT) |
+- (msg->addr << GMBUS_SLAVE_ADDR_SHIFT) |
++ (addr << GMBUS_SLAVE_ADDR_SHIFT) |
+ GMBUS_SLAVE_READ | GMBUS_SW_RDY);
+ while (len) {
+ int ret;
+@@ -357,11 +356,35 @@ gmbus_xfer_read(struct drm_i915_private *dev_priv, struct i2c_msg *msg,
+ }
+
+ static int
+-gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg)
++gmbus_xfer_read(struct drm_i915_private *dev_priv, struct i2c_msg *msg,
++ u32 gmbus1_index)
+ {
+- int reg_offset = dev_priv->gpio_mmio_base;
+- u16 len = msg->len;
+ u8 *buf = msg->buf;
++ unsigned int rx_size = msg->len;
++ unsigned int len;
++ int ret;
++
++ do {
++ len = min(rx_size, GMBUS_BYTE_COUNT_MAX);
++
++ ret = gmbus_xfer_read_chunk(dev_priv, msg->addr,
++ buf, len, gmbus1_index);
++ if (ret)
++ return ret;
++
++ rx_size -= len;
++ buf += len;
++ } while (rx_size != 0);
++
++ return 0;
++}
++
++static int
++gmbus_xfer_write_chunk(struct drm_i915_private *dev_priv,
++ unsigned short addr, u8 *buf, unsigned int len)
++{
++ int reg_offset = dev_priv->gpio_mmio_base;
++ unsigned int chunk_size = len;
+ u32 val, loop;
+
+ val = loop = 0;
+@@ -373,8 +396,8 @@ gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg)
+ I915_WRITE(GMBUS3 + reg_offset, val);
+ I915_WRITE(GMBUS1 + reg_offset,
+ GMBUS_CYCLE_WAIT |
+- (msg->len << GMBUS_BYTE_COUNT_SHIFT) |
+- (msg->addr << GMBUS_SLAVE_ADDR_SHIFT) |
++ (chunk_size << GMBUS_BYTE_COUNT_SHIFT) |
++ (addr << GMBUS_SLAVE_ADDR_SHIFT) |
+ GMBUS_SLAVE_WRITE | GMBUS_SW_RDY);
+ while (len) {
+ int ret;
+@@ -391,6 +414,29 @@ gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg)
+ if (ret)
+ return ret;
+ }
++
++ return 0;
++}
++
++static int
++gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg)
++{
++ u8 *buf = msg->buf;
++ unsigned int tx_size = msg->len;
++ unsigned int len;
++ int ret;
++
++ do {
++ len = min(tx_size, GMBUS_BYTE_COUNT_MAX);
++
++ ret = gmbus_xfer_write_chunk(dev_priv, msg->addr, buf, len);
++ if (ret)
++ return ret;
++
++ buf += len;
++ tx_size -= len;
++ } while (tx_size != 0);
++
+ return 0;
+ }
+
+diff --git a/drivers/gpu/drm/msm/adreno/a3xx_gpu.c b/drivers/gpu/drm/msm/adreno/a3xx_gpu.c
+index 461df93..4f32b34 100644
+--- a/drivers/gpu/drm/msm/adreno/a3xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a3xx_gpu.c
+@@ -35,8 +35,6 @@
+ A3XX_INT0_CP_AHB_ERROR_HALT | \
+ A3XX_INT0_UCHE_OOB_ACCESS)
+
+-static struct platform_device *a3xx_pdev;
+-
+ static void a3xx_me_init(struct msm_gpu *gpu)
+ {
+ struct msm_ringbuffer *ring = gpu->rb;
+@@ -311,7 +309,6 @@ static void a3xx_destroy(struct msm_gpu *gpu)
+ ocmem_free(OCMEM_GRAPHICS, a3xx_gpu->ocmem_hdl);
+ #endif
+
+- put_device(&a3xx_gpu->pdev->dev);
+ kfree(a3xx_gpu);
+ }
+
+@@ -439,7 +436,8 @@ struct msm_gpu *a3xx_gpu_init(struct drm_device *dev)
+ struct a3xx_gpu *a3xx_gpu = NULL;
+ struct adreno_gpu *adreno_gpu;
+ struct msm_gpu *gpu;
+- struct platform_device *pdev = a3xx_pdev;
++ struct msm_drm_private *priv = dev->dev_private;
++ struct platform_device *pdev = priv->gpu_pdev;
+ struct adreno_platform_config *config;
+ int ret;
+
+@@ -460,7 +458,6 @@ struct msm_gpu *a3xx_gpu_init(struct drm_device *dev)
+ adreno_gpu = &a3xx_gpu->base;
+ gpu = &adreno_gpu->base;
+
+- get_device(&pdev->dev);
+ a3xx_gpu->pdev = pdev;
+
+ gpu->fast_rate = config->fast_rate;
+@@ -522,17 +519,24 @@ fail:
+ # include <mach/kgsl.h>
+ #endif
+
+-static int a3xx_probe(struct platform_device *pdev)
++static void set_gpu_pdev(struct drm_device *dev,
++ struct platform_device *pdev)
++{
++ struct msm_drm_private *priv = dev->dev_private;
++ priv->gpu_pdev = pdev;
++}
++
++static int a3xx_bind(struct device *dev, struct device *master, void *data)
+ {
+ static struct adreno_platform_config config = {};
+ #ifdef CONFIG_OF
+- struct device_node *child, *node = pdev->dev.of_node;
++ struct device_node *child, *node = dev->of_node;
+ u32 val;
+ int ret;
+
+ ret = of_property_read_u32(node, "qcom,chipid", &val);
+ if (ret) {
+- dev_err(&pdev->dev, "could not find chipid: %d\n", ret);
++ dev_err(dev, "could not find chipid: %d\n", ret);
+ return ret;
+ }
+
+@@ -548,7 +552,7 @@ static int a3xx_probe(struct platform_device *pdev)
+ for_each_child_of_node(child, pwrlvl) {
+ ret = of_property_read_u32(pwrlvl, "qcom,gpu-freq", &val);
+ if (ret) {
+- dev_err(&pdev->dev, "could not find gpu-freq: %d\n", ret);
++ dev_err(dev, "could not find gpu-freq: %d\n", ret);
+ return ret;
+ }
+ config.fast_rate = max(config.fast_rate, val);
+@@ -558,12 +562,12 @@ static int a3xx_probe(struct platform_device *pdev)
+ }
+
+ if (!config.fast_rate) {
+- dev_err(&pdev->dev, "could not find clk rates\n");
++ dev_err(dev, "could not find clk rates\n");
+ return -ENXIO;
+ }
+
+ #else
+- struct kgsl_device_platform_data *pdata = pdev->dev.platform_data;
++ struct kgsl_device_platform_data *pdata = dev->platform_data;
+ uint32_t version = socinfo_get_version();
+ if (cpu_is_apq8064ab()) {
+ config.fast_rate = 450000000;
+@@ -609,14 +613,30 @@ static int a3xx_probe(struct platform_device *pdev)
+ config.bus_scale_table = pdata->bus_scale_table;
+ # endif
+ #endif
+- pdev->dev.platform_data = &config;
+- a3xx_pdev = pdev;
++ dev->platform_data = &config;
++ set_gpu_pdev(dev_get_drvdata(master), to_platform_device(dev));
+ return 0;
+ }
+
++static void a3xx_unbind(struct device *dev, struct device *master,
++ void *data)
++{
++ set_gpu_pdev(dev_get_drvdata(master), NULL);
++}
++
++static const struct component_ops a3xx_ops = {
++ .bind = a3xx_bind,
++ .unbind = a3xx_unbind,
++};
++
++static int a3xx_probe(struct platform_device *pdev)
++{
++ return component_add(&pdev->dev, &a3xx_ops);
++}
++
+ static int a3xx_remove(struct platform_device *pdev)
+ {
+- a3xx_pdev = NULL;
++ component_del(&pdev->dev, &a3xx_ops);
+ return 0;
+ }
+
+@@ -624,7 +644,6 @@ static const struct of_device_id dt_match[] = {
+ { .compatible = "qcom,kgsl-3d0" },
+ {}
+ };
+-MODULE_DEVICE_TABLE(of, dt_match);
+
+ static struct platform_driver a3xx_driver = {
+ .probe = a3xx_probe,
+diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c
+index 6f1588a..8a04a1d 100644
+--- a/drivers/gpu/drm/msm/hdmi/hdmi.c
++++ b/drivers/gpu/drm/msm/hdmi/hdmi.c
+@@ -17,8 +17,6 @@
+
+ #include "hdmi.h"
+
+-static struct platform_device *hdmi_pdev;
+-
+ void hdmi_set_mode(struct hdmi *hdmi, bool power_on)
+ {
+ uint32_t ctrl = 0;
+@@ -75,7 +73,7 @@ struct hdmi *hdmi_init(struct drm_device *dev, struct drm_encoder *encoder)
+ {
+ struct hdmi *hdmi = NULL;
+ struct msm_drm_private *priv = dev->dev_private;
+- struct platform_device *pdev = hdmi_pdev;
++ struct platform_device *pdev = priv->hdmi_pdev;
+ struct hdmi_platform_config *config;
+ int i, ret;
+
+@@ -95,8 +93,6 @@ struct hdmi *hdmi_init(struct drm_device *dev, struct drm_encoder *encoder)
+
+ kref_init(&hdmi->refcount);
+
+- get_device(&pdev->dev);
+-
+ hdmi->dev = dev;
+ hdmi->pdev = pdev;
+ hdmi->config = config;
+@@ -249,17 +245,24 @@ fail:
+
+ #include <linux/of_gpio.h>
+
+-static int hdmi_dev_probe(struct platform_device *pdev)
++static void set_hdmi_pdev(struct drm_device *dev,
++ struct platform_device *pdev)
++{
++ struct msm_drm_private *priv = dev->dev_private;
++ priv->hdmi_pdev = pdev;
++}
++
++static int hdmi_bind(struct device *dev, struct device *master, void *data)
+ {
+ static struct hdmi_platform_config config = {};
+ #ifdef CONFIG_OF
+- struct device_node *of_node = pdev->dev.of_node;
++ struct device_node *of_node = dev->of_node;
+
+ int get_gpio(const char *name)
+ {
+ int gpio = of_get_named_gpio(of_node, name, 0);
+ if (gpio < 0) {
+- dev_err(&pdev->dev, "failed to get gpio: %s (%d)\n",
++ dev_err(dev, "failed to get gpio: %s (%d)\n",
+ name, gpio);
+ gpio = -1;
+ }
+@@ -336,14 +339,30 @@ static int hdmi_dev_probe(struct platform_device *pdev)
+ config.mux_sel_gpio = -1;
+ }
+ #endif
+- pdev->dev.platform_data = &config;
+- hdmi_pdev = pdev;
++ dev->platform_data = &config;
++ set_hdmi_pdev(dev_get_drvdata(master), to_platform_device(dev));
+ return 0;
+ }
+
++static void hdmi_unbind(struct device *dev, struct device *master,
++ void *data)
++{
++ set_hdmi_pdev(dev_get_drvdata(master), NULL);
++}
++
++static const struct component_ops hdmi_ops = {
++ .bind = hdmi_bind,
++ .unbind = hdmi_unbind,
++};
++
++static int hdmi_dev_probe(struct platform_device *pdev)
++{
++ return component_add(&pdev->dev, &hdmi_ops);
++}
++
+ static int hdmi_dev_remove(struct platform_device *pdev)
+ {
+- hdmi_pdev = NULL;
++ component_del(&pdev->dev, &hdmi_ops);
+ return 0;
+ }
+
+@@ -351,7 +370,6 @@ static const struct of_device_id dt_match[] = {
+ { .compatible = "qcom,hdmi-tx" },
+ {}
+ };
+-MODULE_DEVICE_TABLE(of, dt_match);
+
+ static struct platform_driver hdmi_driver = {
+ .probe = hdmi_dev_probe,
+diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
+index e6adafc..e79cfd0 100644
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -56,6 +56,10 @@ static char *vram;
+ MODULE_PARM_DESC(vram, "Configure VRAM size (for devices without IOMMU/GPUMMU");
+ module_param(vram, charp, 0);
+
++/*
++ * Util/helpers:
++ */
++
+ void __iomem *msm_ioremap(struct platform_device *pdev, const char *name,
+ const char *dbgname)
+ {
+@@ -143,6 +147,8 @@ static int msm_unload(struct drm_device *dev)
+ priv->vram.paddr, &attrs);
+ }
+
++ component_unbind_all(dev->dev, dev);
++
+ dev->dev_private = NULL;
+
+ kfree(priv);
+@@ -175,6 +181,7 @@ static int msm_load(struct drm_device *dev, unsigned long flags)
+ struct msm_kms *kms;
+ int ret;
+
++
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv) {
+ dev_err(dev->dev, "failed to allocate private data\n");
+@@ -226,6 +233,13 @@ static int msm_load(struct drm_device *dev, unsigned long flags)
+ (uint32_t)(priv->vram.paddr + size));
+ }
+
++ platform_set_drvdata(pdev, dev);
++
++ /* Bind all our sub-components: */
++ ret = component_bind_all(dev->dev, dev);
++ if (ret)
++ return ret;
++
+ switch (get_mdp_ver(pdev)) {
+ case 4:
+ kms = mdp4_kms_init(dev);
+@@ -281,8 +295,6 @@ static int msm_load(struct drm_device *dev, unsigned long flags)
+ goto fail;
+ }
+
+- platform_set_drvdata(pdev, dev);
+-
+ #ifdef CONFIG_DRM_MSM_FBDEV
+ priv->fbdev = msm_fbdev_init(dev);
+ #endif
+@@ -819,18 +831,110 @@ static const struct dev_pm_ops msm_pm_ops = {
+ };
+
+ /*
++ * Componentized driver support:
++ */
++
++#ifdef CONFIG_OF
++/* NOTE: the CONFIG_OF case duplicates the same code as exynos or imx
++ * (or probably any other).. so probably some room for some helpers
++ */
++static int compare_of(struct device *dev, void *data)
++{
++ return dev->of_node == data;
++}
++
++static int msm_drm_add_components(struct device *master, struct master *m)
++{
++ struct device_node *np = master->of_node;
++ unsigned i;
++ int ret;
++
++ for (i = 0; ; i++) {
++ struct device_node *node;
++
++ node = of_parse_phandle(np, "connectors", i);
++ if (!node)
++ break;
++
++ ret = component_master_add_child(m, compare_of, node);
++ of_node_put(node);
++
++ if (ret)
++ return ret;
++ }
++ return 0;
++}
++#else
++static int compare_dev(struct device *dev, void *data)
++{
++ return dev == data;
++}
++
++static int msm_drm_add_components(struct device *master, struct master *m)
++{
++ /* For non-DT case, it kinda sucks. We don't actually have a way
++ * to know whether or not we are waiting for certain devices (or if
++ * they are simply not present). But for non-DT we only need to
++ * care about apq8064/apq8060/etc (all mdp4/a3xx):
++ */
++ static const char *devnames[] = {
++ "hdmi_msm.0", "kgsl-3d0.0",
++ };
++ int i;
++
++ DBG("Adding components..");
++
++ for (i = 0; i < ARRAY_SIZE(devnames); i++) {
++ struct device *dev;
++ int ret;
++
++ dev = bus_find_device_by_name(&platform_bus_type,
++ NULL, devnames[i]);
++ if (!dev) {
++ dev_info(master, "still waiting for %s\n", devnames[i]);
++ return -EPROBE_DEFER;
++ }
++
++ ret = component_master_add_child(m, compare_dev, dev);
++ if (ret) {
++ DBG("could not add child: %d", ret);
++ return ret;
++ }
++ }
++
++ return 0;
++}
++#endif
++
++static int msm_drm_bind(struct device *dev)
++{
++ return drm_platform_init(&msm_driver, to_platform_device(dev));
++}
++
++static void msm_drm_unbind(struct device *dev)
++{
++ drm_put_dev(platform_get_drvdata(to_platform_device(dev)));
++}
++
++static const struct component_master_ops msm_drm_ops = {
++ .add_components = msm_drm_add_components,
++ .bind = msm_drm_bind,
++ .unbind = msm_drm_unbind,
++};
++
++/*
+ * Platform driver:
+ */
+
+ static int msm_pdev_probe(struct platform_device *pdev)
+ {
+ pdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);
+- return drm_platform_init(&msm_driver, pdev);
++ return component_master_add(&pdev->dev, &msm_drm_ops);
+ }
+
+ static int msm_pdev_remove(struct platform_device *pdev)
+ {
+- drm_put_dev(platform_get_drvdata(pdev));
++ component_master_del(&pdev->dev, &msm_drm_ops);
+
+ return 0;
+ }
+diff --git a/drivers/gpu/drm/msm/msm_drv.h b/drivers/gpu/drm/msm/msm_drv.h
+index 3d63269..9d10ee0 100644
+--- a/drivers/gpu/drm/msm/msm_drv.h
++++ b/drivers/gpu/drm/msm/msm_drv.h
+@@ -22,6 +22,7 @@
+ #include <linux/clk.h>
+ #include <linux/cpufreq.h>
+ #include <linux/module.h>
++#include <linux/component.h>
+ #include <linux/platform_device.h>
+ #include <linux/pm.h>
+ #include <linux/pm_runtime.h>
+@@ -69,6 +70,9 @@ struct msm_drm_private {
+
+ struct msm_kms *kms;
+
++ /* subordinate devices, if present: */
++ struct platform_device *hdmi_pdev, *gpu_pdev;
++
+ /* when we have more than one 'msm_gpu' these need to be an array: */
+ struct msm_gpu *gpu;
+ struct msm_file_private *lastctx;
+diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c
+index 663394f..0db3e20 100644
+--- a/drivers/gpu/drm/radeon/atombios_crtc.c
++++ b/drivers/gpu/drm/radeon/atombios_crtc.c
+@@ -330,8 +330,10 @@ atombios_set_crtc_dtd_timing(struct drm_crtc *crtc,
+ misc |= ATOM_COMPOSITESYNC;
+ if (mode->flags & DRM_MODE_FLAG_INTERLACE)
+ misc |= ATOM_INTERLACE;
+- if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
++ if (mode->flags & DRM_MODE_FLAG_DBLCLK)
+ misc |= ATOM_DOUBLE_CLOCK_MODE;
++ if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
++ misc |= ATOM_H_REPLICATIONBY2 | ATOM_V_REPLICATIONBY2;
+
+ args.susModeMiscInfo.usAccess = cpu_to_le16(misc);
+ args.ucCRTC = radeon_crtc->crtc_id;
+@@ -374,8 +376,10 @@ static void atombios_crtc_set_timing(struct drm_crtc *crtc,
+ misc |= ATOM_COMPOSITESYNC;
+ if (mode->flags & DRM_MODE_FLAG_INTERLACE)
+ misc |= ATOM_INTERLACE;
+- if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
++ if (mode->flags & DRM_MODE_FLAG_DBLCLK)
+ misc |= ATOM_DOUBLE_CLOCK_MODE;
++ if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
++ misc |= ATOM_H_REPLICATIONBY2 | ATOM_V_REPLICATIONBY2;
+
+ args.susModeMiscInfo.usAccess = cpu_to_le16(misc);
+ args.ucCRTC = radeon_crtc->crtc_id;
+diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
+index e99e71a..356f22f 100644
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -134,7 +134,7 @@ int vmbus_open(struct vmbus_channel *newchannel, u32 send_ringbuffer_size,
+ GFP_KERNEL);
+ if (!open_info) {
+ err = -ENOMEM;
+- goto error0;
++ goto error_gpadl;
+ }
+
+ init_completion(&open_info->waitevent);
+@@ -150,7 +150,7 @@ int vmbus_open(struct vmbus_channel *newchannel, u32 send_ringbuffer_size,
+
+ if (userdatalen > MAX_USER_DEFINED_BYTES) {
+ err = -EINVAL;
+- goto error0;
++ goto error_gpadl;
+ }
+
+ if (userdatalen)
+@@ -194,6 +194,9 @@ error1:
+ list_del(&open_info->msglistentry);
+ spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);
+
++error_gpadl:
++ vmbus_teardown_gpadl(newchannel, newchannel->ringbuffer_gpadlhandle);
++
+ error0:
+ free_pages((unsigned long)out,
+ get_order(send_ringbuffer_size + recv_ringbuffer_size));
+diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c
+index 5fb80b8..43fe15a 100644
+--- a/drivers/i2c/i2c-core.c
++++ b/drivers/i2c/i2c-core.c
+@@ -217,6 +217,7 @@ int i2c_generic_scl_recovery(struct i2c_adapter *adap)
+ adap->bus_recovery_info->set_scl(adap, 1);
+ return i2c_generic_recovery(adap);
+ }
++EXPORT_SYMBOL_GPL(i2c_generic_scl_recovery);
+
+ int i2c_generic_gpio_recovery(struct i2c_adapter *adap)
+ {
+@@ -231,6 +232,7 @@ int i2c_generic_gpio_recovery(struct i2c_adapter *adap)
+
+ return ret;
+ }
++EXPORT_SYMBOL_GPL(i2c_generic_gpio_recovery);
+
+ int i2c_recover_bus(struct i2c_adapter *adap)
+ {
+@@ -240,6 +242,7 @@ int i2c_recover_bus(struct i2c_adapter *adap)
+ dev_dbg(&adap->dev, "Trying i2c bus recovery\n");
+ return adap->bus_recovery_info->recover_bus(adap);
+ }
++EXPORT_SYMBOL_GPL(i2c_recover_bus);
+
+ static int i2c_device_probe(struct device *dev)
+ {
+diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
+index 055ebeb..c1fef27 100644
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -94,12 +94,15 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
+ if (dmasync)
+ dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+
++ if (!size)
++ return ERR_PTR(-EINVAL);
++
+ /*
+ * If the combination of the addr and size requested for this memory
+ * region causes an integer overflow, return error.
+ */
+- if ((PAGE_ALIGN(addr + size) <= size) ||
+- (PAGE_ALIGN(addr + size) <= addr))
++ if (((addr + size) < addr) ||
++ PAGE_ALIGN(addr + size) < (addr + size))
+ return ERR_PTR(-EINVAL);
+
+ if (!can_do_mlock())
+diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
+index d8f4d1f..8d7cd98 100644
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -2274,8 +2274,7 @@ static int build_lso_seg(struct mlx4_wqe_lso_seg *wqe, struct ib_send_wr *wr,
+
+ memcpy(wqe->header, wr->wr.ud.header, wr->wr.ud.hlen);
+
+- *lso_hdr_sz = cpu_to_be32((wr->wr.ud.mss - wr->wr.ud.hlen) << 16 |
+- wr->wr.ud.hlen);
++ *lso_hdr_sz = cpu_to_be32(wr->wr.ud.mss << 16 | wr->wr.ud.hlen);
+ *lso_seg_len = halign;
+ return 0;
+ }
+diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
+index 0b75b57..cfc5a2e 100644
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -814,6 +814,21 @@ static psmouse_ret_t elantech_process_byte(struct psmouse *psmouse)
+ }
+
+ /*
++ * This writes the reg_07 value again to the hardware at the end of every
++ * set_rate call because the register loses its value. reg_07 allows setting
++ * absolute mode on v4 hardware
++ */
++static void elantech_set_rate_restore_reg_07(struct psmouse *psmouse,
++ unsigned int rate)
++{
++ struct elantech_data *etd = psmouse->private;
++
++ etd->original_set_rate(psmouse, rate);
++ if (elantech_write_reg(psmouse, 0x07, etd->reg_07))
++ psmouse_err(psmouse, "restoring reg_07 failed\n");
++}
++
++/*
+ * Put the touchpad into absolute mode
+ */
+ static int elantech_set_absolute_mode(struct psmouse *psmouse)
+@@ -1015,6 +1030,8 @@ static int elantech_get_resolution_v4(struct psmouse *psmouse,
+ * Asus K53SV 0x450f01 78, 15, 0c 2 hw buttons
+ * Asus G46VW 0x460f02 00, 18, 0c 2 hw buttons
+ * Asus G750JX 0x360f00 00, 16, 0c 2 hw buttons
++ * Asus TP500LN 0x381f17 10, 14, 0e clickpad
++ * Asus X750JN 0x381f17 10, 14, 0e clickpad
+ * Asus UX31 0x361f00 20, 15, 0e clickpad
+ * Asus UX32VD 0x361f02 00, 15, 0e clickpad
+ * Avatar AVIU-145A2 0x361f00 ? clickpad
+@@ -1490,6 +1507,11 @@ int elantech_init(struct psmouse *psmouse)
+ goto init_fail;
+ }
+
++ if (etd->fw_version == 0x381f17) {
++ etd->original_set_rate = psmouse->set_rate;
++ psmouse->set_rate = elantech_set_rate_restore_reg_07;
++ }
++
+ if (elantech_set_input_params(psmouse)) {
+ psmouse_err(psmouse, "failed to query touchpad range.\n");
+ goto init_fail;
+diff --git a/drivers/input/mouse/elantech.h b/drivers/input/mouse/elantech.h
+index 9e0e2a1..59263a3 100644
+--- a/drivers/input/mouse/elantech.h
++++ b/drivers/input/mouse/elantech.h
+@@ -139,6 +139,7 @@ struct elantech_data {
+ struct finger_pos mt[ETP_MAX_FINGERS];
+ unsigned char parity[256];
+ int (*send_cmd)(struct psmouse *psmouse, unsigned char c, unsigned char *param);
++ void (*original_set_rate)(struct psmouse *psmouse, unsigned int rate);
+ };
+
+ #ifdef CONFIG_MOUSE_PS2_ELANTECH
+diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
+index 4a8d19d..5a4cda2 100644
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -915,11 +915,10 @@ static int crypt_convert(struct crypt_config *cc,
+
+ switch (r) {
+ /* async */
++ case -EINPROGRESS:
+ case -EBUSY:
+ wait_for_completion(&ctx->restart);
+ reinit_completion(&ctx->restart);
+- /* fall through*/
+- case -EINPROGRESS:
+ ctx->req = NULL;
+ ctx->cc_sector++;
+ continue;
+@@ -1314,10 +1313,8 @@ static void kcryptd_async_done(struct crypto_async_request *async_req,
+ struct dm_crypt_io *io = container_of(ctx, struct dm_crypt_io, ctx);
+ struct crypt_config *cc = io->cc;
+
+- if (error == -EINPROGRESS) {
+- complete(&ctx->restart);
++ if (error == -EINPROGRESS)
+ return;
+- }
+
+ if (!error && cc->iv_gen_ops && cc->iv_gen_ops->post)
+ error = cc->iv_gen_ops->post(cc, iv_of_dmreq(cc, dmreq), dmreq);
+@@ -1328,12 +1325,15 @@ static void kcryptd_async_done(struct crypto_async_request *async_req,
+ mempool_free(req_of_dmreq(cc, dmreq), cc->req_pool);
+
+ if (!atomic_dec_and_test(&ctx->cc_pending))
+- return;
++ goto done;
+
+ if (bio_data_dir(io->base_bio) == READ)
+ kcryptd_crypt_read_done(io);
+ else
+ kcryptd_crypt_write_io_submit(io, 1);
++done:
++ if (!completion_done(&ctx->restart))
++ complete(&ctx->restart);
+ }
+
+ static void kcryptd_crypt(struct work_struct *work)
+diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c
+index 407a99e..683e685 100644
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -320,7 +320,7 @@ static struct strip_zone *find_zone(struct r0conf *conf,
+
+ /*
+ * remaps the bio to the target device. we separate two flows.
+- * power 2 flow and a general flow for the sake of perfromance
++ * power 2 flow and a general flow for the sake of performance
+ */
+ static struct md_rdev *map_sector(struct mddev *mddev, struct strip_zone *zone,
+ sector_t sector, sector_t *sector_offset)
+@@ -538,6 +538,7 @@ static void raid0_make_request(struct mddev *mddev, struct bio *bio)
+ split = bio;
+ }
+
++ sector = bio->bi_iter.bi_sector;
+ zone = find_zone(mddev->private, &sector);
+ tmp_dev = map_sector(mddev, zone, sector, &sector);
+ split->bi_bdev = tmp_dev->bdev;
+diff --git a/drivers/media/usb/stk1160/stk1160-v4l.c b/drivers/media/usb/stk1160/stk1160-v4l.c
+index c45c988..4572530 100644
+--- a/drivers/media/usb/stk1160/stk1160-v4l.c
++++ b/drivers/media/usb/stk1160/stk1160-v4l.c
+@@ -244,6 +244,11 @@ static int stk1160_stop_streaming(struct stk1160 *dev)
+ if (mutex_lock_interruptible(&dev->v4l_lock))
+ return -ERESTARTSYS;
+
++ /*
++ * Once URBs are cancelled, the URB complete handler
++ * won't be running. This is required to safely release the
++ * current buffer (dev->isoc_ctl.buf).
++ */
+ stk1160_cancel_isoc(dev);
+
+ /*
+@@ -624,8 +629,16 @@ void stk1160_clear_queue(struct stk1160 *dev)
+ stk1160_info("buffer [%p/%d] aborted\n",
+ buf, buf->vb.v4l2_buf.index);
+ }
+- /* It's important to clear current buffer */
+- dev->isoc_ctl.buf = NULL;
++
++ /* It's important to release the current buffer */
++ if (dev->isoc_ctl.buf) {
++ buf = dev->isoc_ctl.buf;
++ dev->isoc_ctl.buf = NULL;
++
++ vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR);
++ stk1160_info("buffer [%p/%d] aborted\n",
++ buf, buf->vb.v4l2_buf.index);
++ }
+ spin_unlock_irqrestore(&dev->buf_lock, flags);
+ }
+
+diff --git a/drivers/memstick/core/mspro_block.c b/drivers/memstick/core/mspro_block.c
+index fc145d2..922a750 100644
+--- a/drivers/memstick/core/mspro_block.c
++++ b/drivers/memstick/core/mspro_block.c
+@@ -758,7 +758,7 @@ static int mspro_block_complete_req(struct memstick_dev *card, int error)
+
+ if (error || (card->current_mrq.tpc == MSPRO_CMD_STOP)) {
+ if (msb->data_dir == READ) {
+- for (cnt = 0; cnt < msb->current_seg; cnt++)
++ for (cnt = 0; cnt < msb->current_seg; cnt++) {
+ t_len += msb->req_sg[cnt].length
+ / msb->page_size;
+
+@@ -766,6 +766,7 @@ static int mspro_block_complete_req(struct memstick_dev *card, int error)
+ t_len += msb->current_page - 1;
+
+ t_len *= msb->page_size;
++ }
+ }
+ } else
+ t_len = blk_rq_bytes(msb->block_req);
+diff --git a/drivers/mtd/ubi/attach.c b/drivers/mtd/ubi/attach.c
+index 6f27d9a..21841fe 100644
+--- a/drivers/mtd/ubi/attach.c
++++ b/drivers/mtd/ubi/attach.c
+@@ -408,7 +408,7 @@ int ubi_compare_lebs(struct ubi_device *ubi, const struct ubi_ainf_peb *aeb,
+ second_is_newer = !second_is_newer;
+ } else {
+ dbg_bld("PEB %d CRC is OK", pnum);
+- bitflips = !!err;
++ bitflips |= !!err;
+ }
+ mutex_unlock(&ubi->buf_mutex);
+
+diff --git a/drivers/mtd/ubi/cdev.c b/drivers/mtd/ubi/cdev.c
+index 8ca49f2..4cbbd55 100644
+--- a/drivers/mtd/ubi/cdev.c
++++ b/drivers/mtd/ubi/cdev.c
+@@ -451,7 +451,7 @@ static long vol_cdev_ioctl(struct file *file, unsigned int cmd,
+ /* Validate the request */
+ err = -EINVAL;
+ if (req.lnum < 0 || req.lnum >= vol->reserved_pebs ||
+- req.bytes < 0 || req.lnum >= vol->usable_leb_size)
++ req.bytes < 0 || req.bytes > vol->usable_leb_size)
+ break;
+
+ err = get_exclusive(desc);
+diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
+index 0e11671d..930cf2c 100644
+--- a/drivers/mtd/ubi/eba.c
++++ b/drivers/mtd/ubi/eba.c
+@@ -1362,7 +1362,8 @@ int ubi_eba_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
+ * during re-size.
+ */
+ ubi_move_aeb_to_list(av, aeb, &ai->erase);
+- vol->eba_tbl[aeb->lnum] = aeb->pnum;
++ else
++ vol->eba_tbl[aeb->lnum] = aeb->pnum;
+ }
+ }
+
+diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
+index 68b924e..c6b0b07 100644
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -995,7 +995,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
+ int cancel)
+ {
+ int err, scrubbing = 0, torture = 0, protect = 0, erroneous = 0;
+- int vol_id = -1, uninitialized_var(lnum);
++ int vol_id = -1, lnum = -1;
+ #ifdef CONFIG_MTD_UBI_FASTMAP
+ int anchor = wrk->anchor;
+ #endif
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
+index 46e6544..b655fe4 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
+@@ -144,6 +144,11 @@ static bool e1000_clean_rx_irq(struct e1000_adapter *adapter,
+ static bool e1000_clean_jumbo_rx_irq(struct e1000_adapter *adapter,
+ struct e1000_rx_ring *rx_ring,
+ int *work_done, int work_to_do);
++static void e1000_alloc_dummy_rx_buffers(struct e1000_adapter *adapter,
++ struct e1000_rx_ring *rx_ring,
++ int cleaned_count)
++{
++}
+ static void e1000_alloc_rx_buffers(struct e1000_adapter *adapter,
+ struct e1000_rx_ring *rx_ring,
+ int cleaned_count);
+@@ -3531,8 +3536,11 @@ static int e1000_change_mtu(struct net_device *netdev, int new_mtu)
+ msleep(1);
+ /* e1000_down has a dependency on max_frame_size */
+ hw->max_frame_size = max_frame;
+- if (netif_running(netdev))
++ if (netif_running(netdev)) {
++ /* prevent buffers from being reallocated */
++ adapter->alloc_rx_buf = e1000_alloc_dummy_rx_buffers;
+ e1000_down(adapter);
++ }
+
+ /* NOTE: netdev_alloc_skb reserves 16 bytes, and typically NET_IP_ALIGN
+ * means we reserve 2 more, this pushes us to allocate from the next
+diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+index f583167..66c92a1 100644
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+@@ -314,6 +314,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = {
+ {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
+ {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
+ {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/
++ {RTL_USB_DEVICE(0x0b05, 0x17ba, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/
+ {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/
+ {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
+ {RTL_USB_DEVICE(0x0df6, 0x005c, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
+@@ -370,6 +371,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = {
+ {RTL_USB_DEVICE(0x2001, 0x3307, rtl92cu_hal_cfg)}, /*D-Link-Cameo*/
+ {RTL_USB_DEVICE(0x2001, 0x3309, rtl92cu_hal_cfg)}, /*D-Link-Alpha*/
+ {RTL_USB_DEVICE(0x2001, 0x330a, rtl92cu_hal_cfg)}, /*D-Link-Alpha*/
++ {RTL_USB_DEVICE(0x2001, 0x330d, rtl92cu_hal_cfg)}, /*D-Link DWA-131 */
+ {RTL_USB_DEVICE(0x2019, 0xab2b, rtl92cu_hal_cfg)}, /*Planex -Abocom*/
+ {RTL_USB_DEVICE(0x20f4, 0x624d, rtl92cu_hal_cfg)}, /*TRENDNet*/
+ {RTL_USB_DEVICE(0x2357, 0x0100, rtl92cu_hal_cfg)}, /*TP-Link WN8200ND*/
+diff --git a/drivers/net/wireless/ti/wl18xx/debugfs.c b/drivers/net/wireless/ti/wl18xx/debugfs.c
+index 7f1669c..779dc2b 100644
+--- a/drivers/net/wireless/ti/wl18xx/debugfs.c
++++ b/drivers/net/wireless/ti/wl18xx/debugfs.c
+@@ -136,7 +136,7 @@ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, protection_filter, "%u");
+ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, accum_arp_pend_requests, "%u");
+ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, max_arp_queue_dep, "%u");
+
+-WL18XX_DEBUGFS_FWSTATS_FILE(rx_rate, rx_frames_per_rates, "%u");
++WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(rx_rate, rx_frames_per_rates, 50);
+
+ WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(aggr_size, tx_agg_vs_rate,
+ AGGR_STATS_TX_AGG*AGGR_STATS_TX_RATE);
+diff --git a/drivers/net/wireless/ti/wlcore/debugfs.h b/drivers/net/wireless/ti/wlcore/debugfs.h
+index f7381dd..1bce432 100644
+--- a/drivers/net/wireless/ti/wlcore/debugfs.h
++++ b/drivers/net/wireless/ti/wlcore/debugfs.h
+@@ -26,8 +26,8 @@
+
+ #include "wlcore.h"
+
+-int wl1271_format_buffer(char __user *userbuf, size_t count,
+- loff_t *ppos, char *fmt, ...);
++__printf(4, 5) int wl1271_format_buffer(char __user *userbuf, size_t count,
++ loff_t *ppos, char *fmt, ...);
+
+ int wl1271_debugfs_init(struct wl1271 *wl);
+ void wl1271_debugfs_exit(struct wl1271 *wl);
+diff --git a/drivers/platform/x86/compal-laptop.c b/drivers/platform/x86/compal-laptop.c
+index 7297df2..2d9d198 100644
+--- a/drivers/platform/x86/compal-laptop.c
++++ b/drivers/platform/x86/compal-laptop.c
+@@ -1037,7 +1037,9 @@ static int compal_probe(struct platform_device *pdev)
+
+ /* Power supply */
+ initialize_power_supply_data(data);
+- power_supply_register(&compal_device->dev, &data->psy);
++ err = power_supply_register(&compal_device->dev, &data->psy);
++ if (err < 0)
++ goto remove;
+
+ platform_set_drvdata(pdev, data);
+
+diff --git a/drivers/power/lp8788-charger.c b/drivers/power/lp8788-charger.c
+index ed49b50..72da2a6 100644
+--- a/drivers/power/lp8788-charger.c
++++ b/drivers/power/lp8788-charger.c
+@@ -417,8 +417,10 @@ static int lp8788_psy_register(struct platform_device *pdev,
+ pchg->battery.num_properties = ARRAY_SIZE(lp8788_battery_prop);
+ pchg->battery.get_property = lp8788_battery_get_property;
+
+- if (power_supply_register(&pdev->dev, &pchg->battery))
++ if (power_supply_register(&pdev->dev, &pchg->battery)) {
++ power_supply_unregister(&pchg->charger);
+ return -EPERM;
++ }
+
+ return 0;
+ }
+diff --git a/drivers/power/twl4030_madc_battery.c b/drivers/power/twl4030_madc_battery.c
+index 7ef445a..cf90760 100644
+--- a/drivers/power/twl4030_madc_battery.c
++++ b/drivers/power/twl4030_madc_battery.c
+@@ -192,6 +192,7 @@ static int twl4030_madc_battery_probe(struct platform_device *pdev)
+ {
+ struct twl4030_madc_battery *twl4030_madc_bat;
+ struct twl4030_madc_bat_platform_data *pdata = pdev->dev.platform_data;
++ int ret = 0;
+
+ twl4030_madc_bat = kzalloc(sizeof(*twl4030_madc_bat), GFP_KERNEL);
+ if (!twl4030_madc_bat)
+@@ -216,9 +217,11 @@ static int twl4030_madc_battery_probe(struct platform_device *pdev)
+
+ twl4030_madc_bat->pdata = pdata;
+ platform_set_drvdata(pdev, twl4030_madc_bat);
+- power_supply_register(&pdev->dev, &twl4030_madc_bat->psy);
++ ret = power_supply_register(&pdev->dev, &twl4030_madc_bat->psy);
++ if (ret < 0)
++ kfree(twl4030_madc_bat);
+
+- return 0;
++ return ret;
+ }
+
+ static int twl4030_madc_battery_remove(struct platform_device *pdev)
+diff --git a/drivers/scsi/bfa/bfa_ioc.c b/drivers/scsi/bfa/bfa_ioc.c
+index 65180e1..50c75e1 100644
+--- a/drivers/scsi/bfa/bfa_ioc.c
++++ b/drivers/scsi/bfa/bfa_ioc.c
+@@ -7006,7 +7006,7 @@ bfa_flash_sem_get(void __iomem *bar)
+ while (!bfa_raw_sem_get(bar)) {
+ if (--n <= 0)
+ return BFA_STATUS_BADFLASH;
+- udelay(10000);
++ mdelay(10);
+ }
+ return BFA_STATUS_OK;
+ }
+diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
+index 6c1f223..4c0b8b4 100644
+--- a/drivers/scsi/mvsas/mv_sas.c
++++ b/drivers/scsi/mvsas/mv_sas.c
+@@ -441,14 +441,11 @@ static u32 mvs_get_ncq_tag(struct sas_task *task, u32 *tag)
+ static int mvs_task_prep_ata(struct mvs_info *mvi,
+ struct mvs_task_exec_info *tei)
+ {
+- struct sas_ha_struct *sha = mvi->sas;
+ struct sas_task *task = tei->task;
+ struct domain_device *dev = task->dev;
+ struct mvs_device *mvi_dev = dev->lldd_dev;
+ struct mvs_cmd_hdr *hdr = tei->hdr;
+ struct asd_sas_port *sas_port = dev->port;
+- struct sas_phy *sphy = dev->phy;
+- struct asd_sas_phy *sas_phy = sha->sas_phy[sphy->number];
+ struct mvs_slot_info *slot;
+ void *buf_prd;
+ u32 tag = tei->tag, hdr_tag;
+@@ -468,7 +465,7 @@ static int mvs_task_prep_ata(struct mvs_info *mvi,
+ slot->tx = mvi->tx_prod;
+ del_q = TXQ_MODE_I | tag |
+ (TXQ_CMD_STP << TXQ_CMD_SHIFT) |
+- (MVS_PHY_ID << TXQ_PHY_SHIFT) |
++ ((sas_port->phy_mask & TXQ_PHY_MASK) << TXQ_PHY_SHIFT) |
+ (mvi_dev->taskfileset << TXQ_SRS_SHIFT);
+ mvi->tx[mvi->tx_prod] = cpu_to_le32(del_q);
+
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+index 86b0515..97892f2 100644
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -739,21 +739,22 @@ static unsigned int copy_to_bounce_buffer(struct scatterlist *orig_sgl,
+ if (bounce_sgl[j].length == PAGE_SIZE) {
+ /* full..move to next entry */
+ sg_kunmap_atomic(bounce_addr);
++ bounce_addr = 0;
+ j++;
++ }
+
+- /* if we need to use another bounce buffer */
+- if (srclen || i != orig_sgl_count - 1)
+- bounce_addr = sg_kmap_atomic(bounce_sgl,j);
++ /* if we need to use another bounce buffer */
++ if (srclen && bounce_addr == 0)
++ bounce_addr = sg_kmap_atomic(bounce_sgl, j);
+
+- } else if (srclen == 0 && i == orig_sgl_count - 1) {
+- /* unmap the last bounce that is < PAGE_SIZE */
+- sg_kunmap_atomic(bounce_addr);
+- }
+ }
+
+ sg_kunmap_atomic(src_addr - orig_sgl[i].offset);
+ }
+
++ if (bounce_addr)
++ sg_kunmap_atomic(bounce_addr);
++
+ local_irq_restore(flags);
+
+ return total_copied;
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index d7c6e36..2fe5b61 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -243,7 +243,10 @@ static int spidev_message(struct spidev_data *spidev,
+ k_tmp->len = u_tmp->len;
+
+ total += k_tmp->len;
+- if (total > bufsiz) {
++ /* Check total length of transfers. Also check each
++ * transfer length to avoid arithmetic overflow.
++ */
++ if (total > bufsiz || k_tmp->len > bufsiz) {
+ status = -EMSGSIZE;
+ goto done;
+ }
+diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c
+index 41eff7d..b199f1e 100644
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -263,40 +263,32 @@ static int fd_do_prot_rw(struct se_cmd *cmd, struct fd_prot *fd_prot,
+ struct se_device *se_dev = cmd->se_dev;
+ struct fd_dev *dev = FD_DEV(se_dev);
+ struct file *prot_fd = dev->fd_prot_file;
+- struct scatterlist *sg;
+ loff_t pos = (cmd->t_task_lba * se_dev->prot_length);
+ unsigned char *buf;
+- u32 prot_size, len, size;
+- int rc, ret = 1, i;
++ u32 prot_size;
++ int rc, ret = 1;
+
+ prot_size = (cmd->data_length / se_dev->dev_attrib.block_size) *
+ se_dev->prot_length;
+
+ if (!is_write) {
+- fd_prot->prot_buf = vzalloc(prot_size);
++ fd_prot->prot_buf = kzalloc(prot_size, GFP_KERNEL);
+ if (!fd_prot->prot_buf) {
+ pr_err("Unable to allocate fd_prot->prot_buf\n");
+ return -ENOMEM;
+ }
+ buf = fd_prot->prot_buf;
+
+- fd_prot->prot_sg_nents = cmd->t_prot_nents;
+- fd_prot->prot_sg = kzalloc(sizeof(struct scatterlist) *
+- fd_prot->prot_sg_nents, GFP_KERNEL);
++ fd_prot->prot_sg_nents = 1;
++ fd_prot->prot_sg = kzalloc(sizeof(struct scatterlist),
++ GFP_KERNEL);
+ if (!fd_prot->prot_sg) {
+ pr_err("Unable to allocate fd_prot->prot_sg\n");
+- vfree(fd_prot->prot_buf);
++ kfree(fd_prot->prot_buf);
+ return -ENOMEM;
+ }
+- size = prot_size;
+-
+- for_each_sg(fd_prot->prot_sg, sg, fd_prot->prot_sg_nents, i) {
+-
+- len = min_t(u32, PAGE_SIZE, size);
+- sg_set_buf(sg, buf, len);
+- size -= len;
+- buf += len;
+- }
++ sg_init_table(fd_prot->prot_sg, fd_prot->prot_sg_nents);
++ sg_set_buf(fd_prot->prot_sg, buf, prot_size);
+ }
+
+ if (is_write) {
+@@ -317,7 +309,7 @@ static int fd_do_prot_rw(struct se_cmd *cmd, struct fd_prot *fd_prot,
+
+ if (is_write || ret < 0) {
+ kfree(fd_prot->prot_sg);
+- vfree(fd_prot->prot_buf);
++ kfree(fd_prot->prot_buf);
+ }
+
+ return ret;
+@@ -652,11 +644,11 @@ fd_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
+ 0, fd_prot.prot_sg, 0);
+ if (rc) {
+ kfree(fd_prot.prot_sg);
+- vfree(fd_prot.prot_buf);
++ kfree(fd_prot.prot_buf);
+ return rc;
+ }
+ kfree(fd_prot.prot_sg);
+- vfree(fd_prot.prot_buf);
++ kfree(fd_prot.prot_buf);
+ }
+ } else {
+ memset(&fd_prot, 0, sizeof(struct fd_prot));
+@@ -672,7 +664,7 @@ fd_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
+ 0, fd_prot.prot_sg, 0);
+ if (rc) {
+ kfree(fd_prot.prot_sg);
+- vfree(fd_prot.prot_buf);
++ kfree(fd_prot.prot_buf);
+ return rc;
+ }
+ }
+@@ -703,7 +695,7 @@ fd_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
+
+ if (ret < 0) {
+ kfree(fd_prot.prot_sg);
+- vfree(fd_prot.prot_buf);
++ kfree(fd_prot.prot_buf);
+ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ }
+
+diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
+index 68511e8..f89b24a 100644
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -314,7 +314,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ return 0;
+ }
+
+-static sense_reason_t xdreadwrite_callback(struct se_cmd *cmd)
++static sense_reason_t xdreadwrite_callback(struct se_cmd *cmd, bool success)
+ {
+ unsigned char *buf, *addr;
+ struct scatterlist *sg;
+@@ -378,7 +378,7 @@ sbc_execute_rw(struct se_cmd *cmd)
+ cmd->data_direction);
+ }
+
+-static sense_reason_t compare_and_write_post(struct se_cmd *cmd)
++static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success)
+ {
+ struct se_device *dev = cmd->se_dev;
+
+@@ -401,7 +401,7 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd)
+ return TCM_NO_SENSE;
+ }
+
+-static sense_reason_t compare_and_write_callback(struct se_cmd *cmd)
++static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success)
+ {
+ struct se_device *dev = cmd->se_dev;
+ struct scatterlist *write_sg = NULL, *sg;
+@@ -416,11 +416,16 @@ static sense_reason_t compare_and_write_callback(struct se_cmd *cmd)
+
+ /*
+ * Handle early failure in transport_generic_request_failure(),
+- * which will not have taken ->caw_mutex yet..
++ * which will not have taken ->caw_sem yet..
+ */
+- if (!cmd->t_data_sg || !cmd->t_bidi_data_sg)
++ if (!success && (!cmd->t_data_sg || !cmd->t_bidi_data_sg))
+ return TCM_NO_SENSE;
+ /*
++ * Handle special case for zero-length COMPARE_AND_WRITE
++ */
++ if (!cmd->data_length)
++ goto out;
++ /*
+ * Immediately exit + release dev->caw_sem if command has already
+ * been failed with a non-zero SCSI status.
+ */
+diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
+index 9e54c0f..6fc3890 100644
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1600,11 +1600,11 @@ void transport_generic_request_failure(struct se_cmd *cmd,
+ transport_complete_task_attr(cmd);
+ /*
+ * Handle special case for COMPARE_AND_WRITE failure, where the
+- * callback is expected to drop the per device ->caw_mutex.
++ * callback is expected to drop the per device ->caw_sem.
+ */
+ if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) &&
+ cmd->transport_complete_callback)
+- cmd->transport_complete_callback(cmd);
++ cmd->transport_complete_callback(cmd, false);
+
+ switch (sense_reason) {
+ case TCM_NON_EXISTENT_LUN:
+@@ -1941,8 +1941,12 @@ static void target_complete_ok_work(struct work_struct *work)
+ if (cmd->transport_complete_callback) {
+ sense_reason_t rc;
+
+- rc = cmd->transport_complete_callback(cmd);
++ rc = cmd->transport_complete_callback(cmd, true);
+ if (!rc && !(cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE_POST)) {
++ if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) &&
++ !cmd->data_length)
++ goto queue_rsp;
++
+ return;
+ } else if (rc) {
+ ret = transport_send_check_condition_and_sense(cmd,
+@@ -1956,6 +1960,7 @@ static void target_complete_ok_work(struct work_struct *work)
+ }
+ }
+
++queue_rsp:
+ switch (cmd->data_direction) {
+ case DMA_FROM_DEVICE:
+ spin_lock(&cmd->se_lun->lun_sep_lock);
+@@ -2044,6 +2049,16 @@ static inline void transport_reset_sgl_orig(struct se_cmd *cmd)
+ static inline void transport_free_pages(struct se_cmd *cmd)
+ {
+ if (cmd->se_cmd_flags & SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC) {
++ /*
++ * Release special case READ buffer payload required for
++ * SG_TO_MEM_NOALLOC to function with COMPARE_AND_WRITE
++ */
++ if (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) {
++ transport_free_sgl(cmd->t_bidi_data_sg,
++ cmd->t_bidi_data_nents);
++ cmd->t_bidi_data_sg = NULL;
++ cmd->t_bidi_data_nents = 0;
++ }
+ transport_reset_sgl_orig(cmd);
+ return;
+ }
+@@ -2192,6 +2207,7 @@ sense_reason_t
+ transport_generic_new_cmd(struct se_cmd *cmd)
+ {
+ int ret = 0;
++ bool zero_flag = !(cmd->se_cmd_flags & SCF_SCSI_DATA_CDB);
+
+ /*
+ * Determine is the TCM fabric module has already allocated physical
+@@ -2200,7 +2216,6 @@ transport_generic_new_cmd(struct se_cmd *cmd)
+ */
+ if (!(cmd->se_cmd_flags & SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC) &&
+ cmd->data_length) {
+- bool zero_flag = !(cmd->se_cmd_flags & SCF_SCSI_DATA_CDB);
+
+ if ((cmd->se_cmd_flags & SCF_BIDI) ||
+ (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE)) {
+@@ -2223,6 +2238,20 @@ transport_generic_new_cmd(struct se_cmd *cmd)
+ cmd->data_length, zero_flag);
+ if (ret < 0)
+ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
++ } else if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) &&
++ cmd->data_length) {
++ /*
++ * Special case for COMPARE_AND_WRITE with fabrics
++ * using SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC.
++ */
++ u32 caw_length = cmd->t_task_nolb *
++ cmd->se_dev->dev_attrib.block_size;
++
++ ret = target_alloc_sgl(&cmd->t_bidi_data_sg,
++ &cmd->t_bidi_data_nents,
++ caw_length, zero_flag);
++ if (ret < 0)
++ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ }
+ /*
+ * If this command is not a write we can execute it right here,
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index a051a7a..a81f9dd 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -245,7 +245,7 @@ static void wdm_int_callback(struct urb *urb)
+ case USB_CDC_NOTIFY_RESPONSE_AVAILABLE:
+ dev_dbg(&desc->intf->dev,
+ "NOTIFY_RESPONSE_AVAILABLE received: index %d len %d",
+- dr->wIndex, dr->wLength);
++ le16_to_cpu(dr->wIndex), le16_to_cpu(dr->wLength));
+ break;
+
+ case USB_CDC_NOTIFY_NETWORK_CONNECTION:
+@@ -262,7 +262,9 @@ static void wdm_int_callback(struct urb *urb)
+ clear_bit(WDM_POLL_RUNNING, &desc->flags);
+ dev_err(&desc->intf->dev,
+ "unknown notification %d received: index %d len %d\n",
+- dr->bNotificationType, dr->wIndex, dr->wLength);
++ dr->bNotificationType,
++ le16_to_cpu(dr->wIndex),
++ le16_to_cpu(dr->wLength));
+ goto exit;
+ }
+
+@@ -408,7 +410,7 @@ static ssize_t wdm_write
+ USB_RECIP_INTERFACE);
+ req->bRequest = USB_CDC_SEND_ENCAPSULATED_COMMAND;
+ req->wValue = 0;
+- req->wIndex = desc->inum;
++ req->wIndex = desc->inum; /* already converted */
+ req->wLength = cpu_to_le16(count);
+ set_bit(WDM_IN_USE, &desc->flags);
+ desc->outbuf = buf;
+@@ -422,7 +424,7 @@ static ssize_t wdm_write
+ rv = usb_translate_errors(rv);
+ } else {
+ dev_dbg(&desc->intf->dev, "Tx URB has been submitted index=%d",
+- req->wIndex);
++ le16_to_cpu(req->wIndex));
+ }
+ out:
+ usb_autopm_put_interface(desc->intf);
+@@ -820,7 +822,7 @@ static int wdm_create(struct usb_interface *intf, struct usb_endpoint_descriptor
+ desc->irq->bRequestType = (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE);
+ desc->irq->bRequest = USB_CDC_GET_ENCAPSULATED_RESPONSE;
+ desc->irq->wValue = 0;
+- desc->irq->wIndex = desc->inum;
++ desc->irq->wIndex = desc->inum; /* already converted */
+ desc->irq->wLength = cpu_to_le16(desc->wMaxCommand);
+
+ usb_fill_control_urb(
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index d2bd9d7..1847a7d 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -3289,10 +3289,10 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg)
+ dev_dbg(hub->intfdev, "can't resume port %d, status %d\n",
+ port1, status);
+ } else {
+- /* drive resume for at least 20 msec */
++ /* drive resume for USB_RESUME_TIMEOUT msec */
+ dev_dbg(&udev->dev, "usb %sresume\n",
+ (PMSG_IS_AUTO(msg) ? "auto-" : ""));
+- msleep(25);
++ msleep(USB_RESUME_TIMEOUT);
+
+ /* Virtual root hubs can trigger on GET_PORT_STATUS to
+ * stop resume signaling. Then finish the resume
+diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
+index 4d918ed..0f99800 100644
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -1501,7 +1501,7 @@ static int dwc2_hcd_hub_control(struct dwc2_hsotg *hsotg, u16 typereq,
+ dev_dbg(hsotg->dev,
+ "ClearPortFeature USB_PORT_FEAT_SUSPEND\n");
+ writel(0, hsotg->regs + PCGCTL);
+- usleep_range(20000, 40000);
++ msleep(USB_RESUME_TIMEOUT);
+
+ hprt0 = dwc2_read_hprt0(hsotg);
+ hprt0 |= HPRT0_RES;
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index d742bed..82df926 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -528,7 +528,7 @@ static int bos_desc(struct usb_composite_dev *cdev)
+ usb_ext->bLength = USB_DT_USB_EXT_CAP_SIZE;
+ usb_ext->bDescriptorType = USB_DT_DEVICE_CAPABILITY;
+ usb_ext->bDevCapabilityType = USB_CAP_TYPE_EXT;
+- usb_ext->bmAttributes = cpu_to_le32(USB_LPM_SUPPORT);
++ usb_ext->bmAttributes = cpu_to_le32(USB_LPM_SUPPORT | USB_BESL_SUPPORT);
+
+ /*
+ * The Superspeed USB Capability descriptor shall be implemented by all
+diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
+index 98a89d1..8aa4ba0 100644
+--- a/drivers/usb/host/fotg210-hcd.c
++++ b/drivers/usb/host/fotg210-hcd.c
+@@ -1595,7 +1595,7 @@ static int fotg210_hub_control(
+ /* resume signaling for 20 msec */
+ fotg210_writel(fotg210, temp | PORT_RESUME, status_reg);
+ fotg210->reset_done[wIndex] = jiffies
+- + msecs_to_jiffies(20);
++ + msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ break;
+ case USB_PORT_FEAT_C_SUSPEND:
+ clear_bit(wIndex, &fotg210->port_c_suspend);
+diff --git a/drivers/usb/host/fusbh200-hcd.c b/drivers/usb/host/fusbh200-hcd.c
+index ba94990..3e3926a 100644
+--- a/drivers/usb/host/fusbh200-hcd.c
++++ b/drivers/usb/host/fusbh200-hcd.c
+@@ -1550,10 +1550,9 @@ static int fusbh200_hub_control (
+ if ((temp & PORT_PE) == 0)
+ goto error;
+
+- /* resume signaling for 20 msec */
+ fusbh200_writel(fusbh200, temp | PORT_RESUME, status_reg);
+ fusbh200->reset_done[wIndex] = jiffies
+- + msecs_to_jiffies(20);
++ + msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ break;
+ case USB_PORT_FEAT_C_SUSPEND:
+ clear_bit(wIndex, &fusbh200->port_c_suspend);
+diff --git a/drivers/usb/host/isp116x-hcd.c b/drivers/usb/host/isp116x-hcd.c
+index 240e792..b62298f 100644
+--- a/drivers/usb/host/isp116x-hcd.c
++++ b/drivers/usb/host/isp116x-hcd.c
+@@ -1487,7 +1487,7 @@ static int isp116x_bus_resume(struct usb_hcd *hcd)
+ spin_unlock_irq(&isp116x->lock);
+
+ hcd->state = HC_STATE_RESUMING;
+- msleep(20);
++ msleep(USB_RESUME_TIMEOUT);
+
+ /* Go operational */
+ spin_lock_irq(&isp116x->lock);
+diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c
+index 110b4b9..f130bb2 100644
+--- a/drivers/usb/host/r8a66597-hcd.c
++++ b/drivers/usb/host/r8a66597-hcd.c
+@@ -2300,7 +2300,7 @@ static int r8a66597_bus_resume(struct usb_hcd *hcd)
+ rh->port &= ~USB_PORT_STAT_SUSPEND;
+ rh->port |= USB_PORT_STAT_C_SUSPEND << 16;
+ r8a66597_mdfy(r8a66597, RESUME, RESUME | UACT, dvstctr_reg);
+- msleep(50);
++ msleep(USB_RESUME_TIMEOUT);
+ r8a66597_mdfy(r8a66597, UACT, RESUME | UACT, dvstctr_reg);
+ }
+
+diff --git a/drivers/usb/host/sl811-hcd.c b/drivers/usb/host/sl811-hcd.c
+index a517151..0f53cc8 100644
+--- a/drivers/usb/host/sl811-hcd.c
++++ b/drivers/usb/host/sl811-hcd.c
+@@ -1259,7 +1259,7 @@ sl811h_hub_control(
+ sl811_write(sl811, SL11H_CTLREG1, sl811->ctrl1);
+
+ mod_timer(&sl811->timer, jiffies
+- + msecs_to_jiffies(20));
++ + msecs_to_jiffies(USB_RESUME_TIMEOUT));
+ break;
+ case USB_PORT_FEAT_POWER:
+ port_power(sl811, 0);
+diff --git a/drivers/usb/host/uhci-hub.c b/drivers/usb/host/uhci-hub.c
+index 93e17b1..98c66d8 100644
+--- a/drivers/usb/host/uhci-hub.c
++++ b/drivers/usb/host/uhci-hub.c
+@@ -165,7 +165,7 @@ static void uhci_check_ports(struct uhci_hcd *uhci)
+ /* Port received a wakeup request */
+ set_bit(port, &uhci->resuming_ports);
+ uhci->ports_timeout = jiffies +
+- msecs_to_jiffies(25);
++ msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ usb_hcd_start_port_resume(
+ &uhci_to_hcd(uhci)->self, port);
+
+@@ -337,7 +337,8 @@ static int uhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
+ uhci_finish_suspend(uhci, port, port_addr);
+
+ /* USB v2.0 7.1.7.5 */
+- uhci->ports_timeout = jiffies + msecs_to_jiffies(50);
++ uhci->ports_timeout = jiffies +
++ msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ break;
+ case USB_PORT_FEAT_POWER:
+ /* UHCI has no power switching */
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index a95eee8..05185b9 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1768,7 +1768,7 @@ static void handle_port_status(struct xhci_hcd *xhci,
+ } else {
+ xhci_dbg(xhci, "resume HS port %d\n", port_id);
+ bus_state->resume_done[faked_port_index] = jiffies +
+- msecs_to_jiffies(20);
++ msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ set_bit(faked_port_index, &bus_state->resuming_ports);
+ mod_timer(&hcd->rh_timer,
+ bus_state->resume_done[faked_port_index]);
+diff --git a/drivers/usb/phy/phy.c b/drivers/usb/phy/phy.c
+index 0180eef..964ebaf 100644
+--- a/drivers/usb/phy/phy.c
++++ b/drivers/usb/phy/phy.c
+@@ -78,7 +78,9 @@ static void devm_usb_phy_release(struct device *dev, void *res)
+
+ static int devm_usb_phy_match(struct device *dev, void *res, void *match_data)
+ {
+- return res == match_data;
++ struct usb_phy **phy = res;
++
++ return *phy == match_data;
+ }
+
+ /**
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index f4d7b2f..78f4608 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -751,6 +751,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ i < loc->elf_ex.e_phnum; i++, elf_ppnt++) {
+ int elf_prot = 0, elf_flags;
+ unsigned long k, vaddr;
++ unsigned long total_size = 0;
+
+ if (elf_ppnt->p_type != PT_LOAD)
+ continue;
+@@ -815,10 +816,16 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ #else
+ load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
+ #endif
++ total_size = total_mapping_size(elf_phdata,
++ loc->elf_ex.e_phnum);
++ if (!total_size) {
++ error = -EINVAL;
++ goto out_free_dentry;
++ }
+ }
+
+ error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
+- elf_prot, elf_flags, 0);
++ elf_prot, elf_flags, total_size);
+ if (BAD_ADDR(error)) {
+ send_sig(SIGKILL, current, 0);
+ retval = IS_ERR((void *)error) ?
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index d2f1c01..794d7c6 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -6645,12 +6645,11 @@ static int __btrfs_free_reserved_extent(struct btrfs_root *root,
+ return -ENOSPC;
+ }
+
+- if (btrfs_test_opt(root, DISCARD))
+- ret = btrfs_discard_extent(root, start, len, NULL);
+-
+ if (pin)
+ pin_down_extent(root, cache, start, len, 1);
+ else {
++ if (btrfs_test_opt(root, DISCARD))
++ ret = btrfs_discard_extent(root, start, len, NULL);
+ btrfs_add_free_space(cache, start, len);
+ btrfs_update_reserved_bytes(cache, len, RESERVE_FREE);
+ }
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 0b72006..3e16042 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2708,6 +2708,9 @@ static int btrfs_extent_same(struct inode *src, u64 loff, u64 len,
+ if (src == dst)
+ return -EINVAL;
+
++ if (len == 0)
++ return 0;
++
+ btrfs_double_lock(src, loff, dst, dst_loff, len);
+
+ ret = extent_same_check_offsets(src, loff, len);
+@@ -3226,6 +3229,11 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
+ if (off + len == src->i_size)
+ len = ALIGN(src->i_size, bs) - off;
+
++ if (len == 0) {
++ ret = 0;
++ goto out_unlock;
++ }
++
+ /* verify the end result is block aligned */
+ if (!IS_ALIGNED(off, bs) || !IS_ALIGNED(off + len, bs) ||
+ !IS_ALIGNED(destoff, bs))
+diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c
+index ad8328d..488e987 100644
+--- a/fs/btrfs/xattr.c
++++ b/fs/btrfs/xattr.c
+@@ -324,22 +324,42 @@ const struct xattr_handler *btrfs_xattr_handlers[] = {
+ /*
+ * Check if the attribute is in a supported namespace.
+ *
+- * This applied after the check for the synthetic attributes in the system
++ * This is applied after the check for the synthetic attributes in the system
+ * namespace.
+ */
+-static bool btrfs_is_valid_xattr(const char *name)
++static int btrfs_is_valid_xattr(const char *name)
+ {
+- return !strncmp(name, XATTR_SECURITY_PREFIX,
+- XATTR_SECURITY_PREFIX_LEN) ||
+- !strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN) ||
+- !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) ||
+- !strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) ||
+- !strncmp(name, XATTR_BTRFS_PREFIX, XATTR_BTRFS_PREFIX_LEN);
++ int len = strlen(name);
++ int prefixlen = 0;
++
++ if (!strncmp(name, XATTR_SECURITY_PREFIX,
++ XATTR_SECURITY_PREFIX_LEN))
++ prefixlen = XATTR_SECURITY_PREFIX_LEN;
++ else if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
++ prefixlen = XATTR_SYSTEM_PREFIX_LEN;
++ else if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN))
++ prefixlen = XATTR_TRUSTED_PREFIX_LEN;
++ else if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
++ prefixlen = XATTR_USER_PREFIX_LEN;
++ else if (!strncmp(name, XATTR_BTRFS_PREFIX, XATTR_BTRFS_PREFIX_LEN))
++ prefixlen = XATTR_BTRFS_PREFIX_LEN;
++ else
++ return -EOPNOTSUPP;
++
++ /*
++ * The name cannot consist of just prefix
++ */
++ if (len <= prefixlen)
++ return -EINVAL;
++
++ return 0;
+ }
+
+ ssize_t btrfs_getxattr(struct dentry *dentry, const char *name,
+ void *buffer, size_t size)
+ {
++ int ret;
++
+ /*
+ * If this is a request for a synthetic attribute in the system.*
+ * namespace use the generic infrastructure to resolve a handler
+@@ -348,8 +368,9 @@ ssize_t btrfs_getxattr(struct dentry *dentry, const char *name,
+ if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+ return generic_getxattr(dentry, name, buffer, size);
+
+- if (!btrfs_is_valid_xattr(name))
+- return -EOPNOTSUPP;
++ ret = btrfs_is_valid_xattr(name);
++ if (ret)
++ return ret;
+ return __btrfs_getxattr(dentry->d_inode, name, buffer, size);
+ }
+
+@@ -357,6 +378,7 @@ int btrfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ size_t size, int flags)
+ {
+ struct btrfs_root *root = BTRFS_I(dentry->d_inode)->root;
++ int ret;
+
+ /*
+ * The permission on security.* and system.* is not checked
+@@ -373,8 +395,9 @@ int btrfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+ return generic_setxattr(dentry, name, value, size, flags);
+
+- if (!btrfs_is_valid_xattr(name))
+- return -EOPNOTSUPP;
++ ret = btrfs_is_valid_xattr(name);
++ if (ret)
++ return ret;
+
+ if (!strncmp(name, XATTR_BTRFS_PREFIX, XATTR_BTRFS_PREFIX_LEN))
+ return btrfs_set_prop(dentry->d_inode, name,
+@@ -390,6 +413,7 @@ int btrfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ int btrfs_removexattr(struct dentry *dentry, const char *name)
+ {
+ struct btrfs_root *root = BTRFS_I(dentry->d_inode)->root;
++ int ret;
+
+ /*
+ * The permission on security.* and system.* is not checked
+@@ -406,8 +430,9 @@ int btrfs_removexattr(struct dentry *dentry, const char *name)
+ if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+ return generic_removexattr(dentry, name);
+
+- if (!btrfs_is_valid_xattr(name))
+- return -EOPNOTSUPP;
++ ret = btrfs_is_valid_xattr(name);
++ if (ret)
++ return ret;
+
+ if (!strncmp(name, XATTR_BTRFS_PREFIX, XATTR_BTRFS_PREFIX_LEN))
+ return btrfs_set_prop(dentry->d_inode, name,
+diff --git a/fs/exec.c b/fs/exec.c
+index ea4449d..05f1942 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1268,6 +1268,53 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
+ spin_unlock(&p->fs->lock);
+ }
+
++static void bprm_fill_uid(struct linux_binprm *bprm)
++{
++ struct inode *inode;
++ unsigned int mode;
++ kuid_t uid;
++ kgid_t gid;
++
++ /* clear any previous set[ug]id data from a previous binary */
++ bprm->cred->euid = current_euid();
++ bprm->cred->egid = current_egid();
++
++ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
++ return;
++
++ if (current->no_new_privs)
++ return;
++
++ inode = file_inode(bprm->file);
++ mode = ACCESS_ONCE(inode->i_mode);
++ if (!(mode & (S_ISUID|S_ISGID)))
++ return;
++
++ /* Be careful if suid/sgid is set */
++ mutex_lock(&inode->i_mutex);
++
++ /* reload atomically mode/uid/gid now that lock held */
++ mode = inode->i_mode;
++ uid = inode->i_uid;
++ gid = inode->i_gid;
++ mutex_unlock(&inode->i_mutex);
++
++ /* We ignore suid/sgid if there are no mappings for them in the ns */
++ if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||
++ !kgid_has_mapping(bprm->cred->user_ns, gid))
++ return;
++
++ if (mode & S_ISUID) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->euid = uid;
++ }
++
++ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->egid = gid;
++ }
++}
++
+ /*
+ * Fill the binprm structure from the inode.
+ * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
+@@ -1276,36 +1323,9 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
+ */
+ int prepare_binprm(struct linux_binprm *bprm)
+ {
+- struct inode *inode = file_inode(bprm->file);
+- umode_t mode = inode->i_mode;
+ int retval;
+
+-
+- /* clear any previous set[ug]id data from a previous binary */
+- bprm->cred->euid = current_euid();
+- bprm->cred->egid = current_egid();
+-
+- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
+- !current->no_new_privs &&
+- kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
+- kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
+- /* Set-uid? */
+- if (mode & S_ISUID) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->euid = inode->i_uid;
+- }
+-
+- /* Set-gid? */
+- /*
+- * If setgid is set but no group execute bit then this
+- * is a candidate for mandatory locking, not a setgid
+- * executable.
+- */
+- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->egid = inode->i_gid;
+- }
+- }
++ bprm_fill_uid(bprm);
+
+ /* fill in binprm security blob */
+ retval = security_bprm_set_creds(bprm);
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 2dcbfb6..bc7e37b 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1869,7 +1869,7 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry,
+ struct inode *inode)
+ {
+ struct inode *dir = dentry->d_parent->d_inode;
+- struct buffer_head *bh;
++ struct buffer_head *bh = NULL;
+ struct ext4_dir_entry_2 *de;
+ struct ext4_dir_entry_tail *t;
+ struct super_block *sb;
+@@ -1893,14 +1893,14 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry,
+ return retval;
+ if (retval == 1) {
+ retval = 0;
+- return retval;
++ goto out;
+ }
+ }
+
+ if (is_dx(dir)) {
+ retval = ext4_dx_add_entry(handle, dentry, inode);
+ if (!retval || (retval != ERR_BAD_DX_DIR))
+- return retval;
++ goto out;
+ ext4_clear_inode_flag(dir, EXT4_INODE_INDEX);
+ dx_fallback++;
+ ext4_mark_inode_dirty(handle, dir);
+@@ -1912,14 +1912,15 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry,
+ return PTR_ERR(bh);
+
+ retval = add_dirent_to_buf(handle, dentry, inode, NULL, bh);
+- if (retval != -ENOSPC) {
+- brelse(bh);
+- return retval;
+- }
++ if (retval != -ENOSPC)
++ goto out;
+
+ if (blocks == 1 && !dx_fallback &&
+- EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_DIR_INDEX))
+- return make_indexed_dir(handle, dentry, inode, bh);
++ EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_DIR_INDEX)) {
++ retval = make_indexed_dir(handle, dentry, inode, bh);
++ bh = NULL; /* make_indexed_dir releases bh */
++ goto out;
++ }
+ brelse(bh);
+ }
+ bh = ext4_append(handle, dir, &block);
+@@ -1935,6 +1936,7 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry,
+ }
+
+ retval = add_dirent_to_buf(handle, dentry, inode, de, bh);
++out:
+ brelse(bh);
+ if (retval == 0)
+ ext4_set_inode_state(inode, EXT4_STATE_NEWENTRY);
+diff --git a/fs/namei.c b/fs/namei.c
+index 0dd72c8..ccb8000 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1545,7 +1545,8 @@ static inline int walk_component(struct nameidata *nd, struct path *path,
+
+ if (should_follow_link(path->dentry, follow)) {
+ if (nd->flags & LOOKUP_RCU) {
+- if (unlikely(unlazy_walk(nd, path->dentry))) {
++ if (unlikely(nd->path.mnt != path->mnt ||
++ unlazy_walk(nd, path->dentry))) {
+ err = -ECHILD;
+ goto out_err;
+ }
+@@ -2992,7 +2993,8 @@ finish_lookup:
+
+ if (should_follow_link(path->dentry, !symlink_ok)) {
+ if (nd->flags & LOOKUP_RCU) {
+- if (unlikely(unlazy_walk(nd, path->dentry))) {
++ if (unlikely(nd->path.mnt != path->mnt ||
++ unlazy_walk(nd, path->dentry))) {
+ error = -ECHILD;
+ goto out;
+ }
+diff --git a/fs/open.c b/fs/open.c
+index 2ed7325..17679f2 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -539,6 +539,7 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
+ uid = make_kuid(current_user_ns(), user);
+ gid = make_kgid(current_user_ns(), group);
+
++retry_deleg:
+ newattrs.ia_valid = ATTR_CTIME;
+ if (user != (uid_t) -1) {
+ if (!uid_valid(uid))
+@@ -555,7 +556,6 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
+ if (!S_ISDIR(inode->i_mode))
+ newattrs.ia_valid |=
+ ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
+-retry_deleg:
+ mutex_lock(&inode->i_mutex);
+ error = security_path_chown(path, uid, gid);
+ if (!error)
+diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h
+index 68a3ada..8fc12f8 100644
+--- a/include/acpi/actypes.h
++++ b/include/acpi/actypes.h
+@@ -198,9 +198,29 @@ typedef int INT32;
+ typedef s32 acpi_native_int;
+
+ typedef u32 acpi_size;
++
++#ifdef ACPI_32BIT_PHYSICAL_ADDRESS
++
++/*
++ * OSPMs can define this to shrink the size of the structures for 32-bit
++ * none PAE environment. ASL compiler may always define this to generate
++ * 32-bit OSPM compliant tables.
++ */
+ typedef u32 acpi_io_address;
+ typedef u32 acpi_physical_address;
+
++#else /* ACPI_32BIT_PHYSICAL_ADDRESS */
++
++/*
++ * It is reported that, after some calculations, the physical addresses can
++ * wrap over the 32-bit boundary on 32-bit PAE environment.
++ * https://bugzilla.kernel.org/show_bug.cgi?id=87971
++ */
++typedef u64 acpi_io_address;
++typedef u64 acpi_physical_address;
++
++#endif /* ACPI_32BIT_PHYSICAL_ADDRESS */
++
+ #define ACPI_MAX_PTR ACPI_UINT32_MAX
+ #define ACPI_SIZE_MAX ACPI_UINT32_MAX
+
+diff --git a/include/acpi/platform/acenv.h b/include/acpi/platform/acenv.h
+index b402eb6..579912c 100644
+--- a/include/acpi/platform/acenv.h
++++ b/include/acpi/platform/acenv.h
+@@ -76,6 +76,7 @@
+ #define ACPI_LARGE_NAMESPACE_NODE
+ #define ACPI_DATA_TABLE_DISASSEMBLY
+ #define ACPI_SINGLE_THREADED
++#define ACPI_32BIT_PHYSICAL_ADDRESS
+ #endif
+
+ /* acpi_exec configuration. Multithreaded with full AML debugger */
+diff --git a/include/asm-generic/sections.h b/include/asm-generic/sections.h
+index f1a24b5..b58fd66 100644
+--- a/include/asm-generic/sections.h
++++ b/include/asm-generic/sections.h
+@@ -3,6 +3,8 @@
+
+ /* References to section boundaries */
+
++#include <linux/compiler.h>
++
+ /*
+ * Usage guidelines:
+ * _text, _data: architecture specific, don't use them in arch-independent code
+@@ -37,6 +39,8 @@ extern char __start_rodata[], __end_rodata[];
+ /* Start and end of .ctors section - used for constructor calls. */
+ extern char __ctors_start[], __ctors_end[];
+
++extern __visible const void __nosave_begin, __nosave_end;
++
+ /* function descriptor handling (if any). Override
+ * in asm/sections.h */
+ #ifndef dereference_function_descriptor
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index ad8f859..ab31337 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -661,6 +661,7 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
+
+ struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags,
+ int node);
++struct sk_buff *__build_skb(void *data, unsigned int frag_size);
+ struct sk_buff *build_skb(void *data, unsigned int frag_size);
+ static inline struct sk_buff *alloc_skb(unsigned int size,
+ gfp_t priority)
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 7f6eb85..49466be 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -206,6 +206,32 @@ void usb_put_intf(struct usb_interface *intf);
+ #define USB_MAXINTERFACES 32
+ #define USB_MAXIADS (USB_MAXINTERFACES/2)
+
++/*
++ * USB Resume Timer: Every Host controller driver should drive the resume
++ * signalling on the bus for the amount of time defined by this macro.
++ *
++ * That way we will have a 'stable' behavior among all HCDs supported by Linux.
++ *
++ * Note that the USB Specification states we should drive resume for *at least*
++ * 20 ms, but it doesn't give an upper bound. This creates two possible
++ * situations which we want to avoid:
++ *
++ * (a) sometimes an msleep(20) might expire slightly before 20 ms, which causes
++ * us to fail USB Electrical Tests, thus failing Certification
++ *
++ * (b) Some (many) devices actually need more than 20 ms of resume signalling,
++ * and while we can argue that's against the USB Specification, we don't have
++ * control over which devices a certification laboratory will be using for
++ * certification. If CertLab uses a device which was tested against Windows and
++ * that happens to have relaxed resume signalling rules, we might fall into
++ * situations where we fail interoperability and electrical tests.
++ *
++ * In order to avoid both conditions, we're using a 40 ms resume timeout, which
++ * should cope with both LPJ calibration errors and devices not following every
++ * detail of the USB Specification.
++ */
++#define USB_RESUME_TIMEOUT 40 /* ms */
++
+ /**
+ * struct usb_interface_cache - long-term representation of a device interface
+ * @num_altsetting: number of altsettings defined.
+diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
+index 34932540..e4b9e01 100644
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -513,7 +513,7 @@ struct se_cmd {
+ sense_reason_t (*execute_cmd)(struct se_cmd *);
+ sense_reason_t (*execute_rw)(struct se_cmd *, struct scatterlist *,
+ u32, enum dma_data_direction);
+- sense_reason_t (*transport_complete_callback)(struct se_cmd *);
++ sense_reason_t (*transport_complete_callback)(struct se_cmd *, bool);
+
+ unsigned char *t_task_cdb;
+ unsigned char __t_task_cdb[TCM_MAX_COMMAND_SIZE];
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 1f4bcb3..be9760f 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -720,6 +720,8 @@ static int ptrace_peek_siginfo(struct task_struct *child,
+ static int ptrace_resume(struct task_struct *child, long request,
+ unsigned long data)
+ {
++ bool need_siglock;
++
+ if (!valid_signal(data))
+ return -EIO;
+
+@@ -747,8 +749,26 @@ static int ptrace_resume(struct task_struct *child, long request,
+ user_disable_single_step(child);
+ }
+
++ /*
++ * Change ->exit_code and ->state under siglock to avoid the race
++ * with wait_task_stopped() in between; a non-zero ->exit_code will
++ * wrongly look like another report from tracee.
++ *
++ * Note that we need siglock even if ->exit_code == data and/or this
++ * status was not reported yet, the new status must not be cleared by
++ * wait_task_stopped() after resume.
++ *
++ * If data == 0 we do not care if wait_task_stopped() reports the old
++ * status and clears the code too; this can't race with the tracee, it
++ * takes siglock after resume.
++ */
++ need_siglock = data && !thread_group_empty(current);
++ if (need_siglock)
++ spin_lock_irq(&child->sighand->siglock);
+ child->exit_code = data;
+ wake_up_state(child, __TASK_TRACED);
++ if (need_siglock)
++ spin_unlock_irq(&child->sighand->siglock);
+
+ return 0;
+ }
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 490fcbb..93be750 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -657,9 +657,13 @@ static void run_ksoftirqd(unsigned int cpu)
+ * in the task stack here.
+ */
+ __do_softirq();
+- rcu_note_context_switch(cpu);
+ local_irq_enable();
+ cond_resched();
++
++ preempt_disable();
++ rcu_note_context_switch(cpu);
++ preempt_enable();
++
+ return;
+ }
+ local_irq_enable();
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index 774a080..da41de9 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -2651,7 +2651,7 @@ static DEFINE_PER_CPU(unsigned int, current_context);
+
+ static __always_inline int trace_recursive_lock(void)
+ {
+- unsigned int val = this_cpu_read(current_context);
++ unsigned int val = __this_cpu_read(current_context);
+ int bit;
+
+ if (in_interrupt()) {
+@@ -2668,18 +2668,17 @@ static __always_inline int trace_recursive_lock(void)
+ return 1;
+
+ val |= (1 << bit);
+- this_cpu_write(current_context, val);
++ __this_cpu_write(current_context, val);
+
+ return 0;
+ }
+
+ static __always_inline void trace_recursive_unlock(void)
+ {
+- unsigned int val = this_cpu_read(current_context);
++ unsigned int val = __this_cpu_read(current_context);
+
+- val--;
+- val &= this_cpu_read(current_context);
+- this_cpu_write(current_context, val);
++ val &= val & (val - 1);
++ __this_cpu_write(current_context, val);
+ }
+
+ #else
+diff --git a/lib/string.c b/lib/string.c
+index 43d0781..cb9ea21 100644
+--- a/lib/string.c
++++ b/lib/string.c
+@@ -598,7 +598,7 @@ EXPORT_SYMBOL(memset);
+ void memzero_explicit(void *s, size_t count)
+ {
+ memset(s, 0, count);
+- OPTIMIZER_HIDE_VAR(s);
++ barrier();
+ }
+ EXPORT_SYMBOL(memzero_explicit);
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index e2b1bba..69ec61a 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -278,13 +278,14 @@ nodata:
+ EXPORT_SYMBOL(__alloc_skb);
+
+ /**
+- * build_skb - build a network buffer
++ * __build_skb - build a network buffer
+ * @data: data buffer provided by caller
+- * @frag_size: size of fragment, or 0 if head was kmalloced
++ * @frag_size: size of data, or 0 if head was kmalloced
+ *
+ * Allocate a new &sk_buff. Caller provides space holding head and
+ * skb_shared_info. @data must have been allocated by kmalloc() only if
+- * @frag_size is 0, otherwise data should come from the page allocator.
++ * @frag_size is 0, otherwise data should come from the page allocator
++ * or vmalloc()
+ * The return is the new skb buffer.
+ * On a failure the return is %NULL, and @data is not freed.
+ * Notes :
+@@ -295,7 +296,7 @@ EXPORT_SYMBOL(__alloc_skb);
+ * before giving packet to stack.
+ * RX rings only contains data buffers, not full skbs.
+ */
+-struct sk_buff *build_skb(void *data, unsigned int frag_size)
++struct sk_buff *__build_skb(void *data, unsigned int frag_size)
+ {
+ struct skb_shared_info *shinfo;
+ struct sk_buff *skb;
+@@ -309,7 +310,6 @@ struct sk_buff *build_skb(void *data, unsigned int frag_size)
+
+ memset(skb, 0, offsetof(struct sk_buff, tail));
+ skb->truesize = SKB_TRUESIZE(size);
+- skb->head_frag = frag_size != 0;
+ atomic_set(&skb->users, 1);
+ skb->head = data;
+ skb->data = data;
+@@ -326,6 +326,23 @@ struct sk_buff *build_skb(void *data, unsigned int frag_size)
+
+ return skb;
+ }
++
++/* build_skb() is wrapper over __build_skb(), that specifically
++ * takes care of skb->head and skb->pfmemalloc
++ * This means that if @frag_size is not zero, then @data must be backed
++ * by a page fragment, not kmalloc() or vmalloc()
++ */
++struct sk_buff *build_skb(void *data, unsigned int frag_size)
++{
++ struct sk_buff *skb = __build_skb(data, frag_size);
++
++ if (skb && frag_size) {
++ skb->head_frag = 1;
++ if (virt_to_head_page(data)->pfmemalloc)
++ skb->pfmemalloc = 1;
++ }
++ return skb;
++}
+ EXPORT_SYMBOL(build_skb);
+
+ struct netdev_alloc_cache {
+@@ -352,7 +369,8 @@ refill:
+ gfp_t gfp = gfp_mask;
+
+ if (order)
+- gfp |= __GFP_COMP | __GFP_NOWARN;
++ gfp |= __GFP_COMP | __GFP_NOWARN |
++ __GFP_NOMEMALLOC;
+ nc->frag.page = alloc_pages(gfp, order);
+ if (likely(nc->frag.page))
+ break;
+diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
+index ecb34b5..57075c4 100644
+--- a/net/ipv4/ip_forward.c
++++ b/net/ipv4/ip_forward.c
+@@ -127,6 +127,9 @@ int ip_forward(struct sk_buff *skb)
+ struct rtable *rt; /* Route we use */
+ struct ip_options *opt = &(IPCB(skb)->opt);
+
++ if (unlikely(skb->sk))
++ goto drop;
++
+ if (skb_warn_if_lro(skb))
+ goto drop;
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 8c70c73..a68cd71 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2595,39 +2595,65 @@ begin_fwd:
+ }
+ }
+
+-/* Send a fin. The caller locks the socket for us. This cannot be
+- * allowed to fail queueing a FIN frame under any circumstances.
++/* We allow to exceed memory limits for FIN packets to expedite
++ * connection tear down and (memory) recovery.
++ * Otherwise tcp_send_fin() could be tempted to either delay FIN
++ * or even be forced to close flow without any FIN.
++ */
++static void sk_forced_wmem_schedule(struct sock *sk, int size)
++{
++ int amt, status;
++
++ if (size <= sk->sk_forward_alloc)
++ return;
++ amt = sk_mem_pages(size);
++ sk->sk_forward_alloc += amt * SK_MEM_QUANTUM;
++ sk_memory_allocated_add(sk, amt, &status);
++}
++
++/* Send a FIN. The caller locks the socket for us.
++ * We should try to send a FIN packet really hard, but eventually give up.
+ */
+ void tcp_send_fin(struct sock *sk)
+ {
++ struct sk_buff *skb, *tskb = tcp_write_queue_tail(sk);
+ struct tcp_sock *tp = tcp_sk(sk);
+- struct sk_buff *skb = tcp_write_queue_tail(sk);
+- int mss_now;
+
+- /* Optimization, tack on the FIN if we have a queue of
+- * unsent frames. But be careful about outgoing SACKS
+- * and IP options.
++ /* Optimization, tack on the FIN if we have one skb in write queue and
++ * this skb was not yet sent, or we are under memory pressure.
++ * Note: in the latter case, FIN packet will be sent after a timeout,
++ * as TCP stack thinks it has already been transmitted.
+ */
+- mss_now = tcp_current_mss(sk);
+-
+- if (tcp_send_head(sk) != NULL) {
+- TCP_SKB_CB(skb)->tcp_flags |= TCPHDR_FIN;
+- TCP_SKB_CB(skb)->end_seq++;
++ if (tskb && (tcp_send_head(sk) || sk_under_memory_pressure(sk))) {
++coalesce:
++ TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN;
++ TCP_SKB_CB(tskb)->end_seq++;
+ tp->write_seq++;
++ if (!tcp_send_head(sk)) {
++ /* This means tskb was already sent.
++ * Pretend we included the FIN on previous transmit.
++ * We need to set tp->snd_nxt to the value it would have
++ * if FIN had been sent. This is because retransmit path
++ * does not change tp->snd_nxt.
++ */
++ tp->snd_nxt++;
++ return;
++ }
+ } else {
+- /* Socket is locked, keep trying until memory is available. */
+- for (;;) {
+- skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation);
+- if (skb)
+- break;
+- yield();
++ skb = alloc_skb_fclone(MAX_TCP_HEADER, sk->sk_allocation);
++ if (unlikely(!skb)) {
++ if (tskb)
++ goto coalesce;
++ return;
+ }
++ skb_reserve(skb, MAX_TCP_HEADER);
++ sk_forced_wmem_schedule(sk, skb->truesize);
+ /* FIN eats a sequence byte, write_seq advanced by tcp_queue_skb(). */
+ tcp_init_nondata_skb(skb, tp->write_seq,
+ TCPHDR_ACK | TCPHDR_FIN);
+ tcp_queue_skb(sk, skb);
+ }
+- __tcp_push_pending_frames(sk, mss_now, TCP_NAGLE_OFF);
++ __tcp_push_pending_frames(sk, tcp_current_mss(sk), TCP_NAGLE_OFF);
+ }
+
+ /* We get here when a process closes a file descriptor (either due to
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 1d52506..a0b0ea9 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1624,13 +1624,11 @@ static struct sk_buff *netlink_alloc_large_skb(unsigned int size,
+ if (data == NULL)
+ return NULL;
+
+- skb = build_skb(data, size);
++ skb = __build_skb(data, size);
+ if (skb == NULL)
+ vfree(data);
+- else {
+- skb->head_frag = 0;
++ else
+ skb->destructor = netlink_skb_destructor;
+- }
+
+ return skb;
+ }
+diff --git a/sound/pci/emu10k1/emuproc.c b/sound/pci/emu10k1/emuproc.c
+index 2ca9f2e..53745f4 100644
+--- a/sound/pci/emu10k1/emuproc.c
++++ b/sound/pci/emu10k1/emuproc.c
+@@ -241,31 +241,22 @@ static void snd_emu10k1_proc_spdif_read(struct snd_info_entry *entry,
+ struct snd_emu10k1 *emu = entry->private_data;
+ u32 value;
+ u32 value2;
+- unsigned long flags;
+ u32 rate;
+
+ if (emu->card_capabilities->emu_model) {
+- spin_lock_irqsave(&emu->emu_lock, flags);
+ snd_emu1010_fpga_read(emu, 0x38, &value);
+- spin_unlock_irqrestore(&emu->emu_lock, flags);
+ if ((value & 0x1) == 0) {
+- spin_lock_irqsave(&emu->emu_lock, flags);
+ snd_emu1010_fpga_read(emu, 0x2a, &value);
+ snd_emu1010_fpga_read(emu, 0x2b, &value2);
+- spin_unlock_irqrestore(&emu->emu_lock, flags);
+ rate = 0x1770000 / (((value << 5) | value2)+1);
+ snd_iprintf(buffer, "ADAT Locked : %u\n", rate);
+ } else {
+ snd_iprintf(buffer, "ADAT Unlocked\n");
+ }
+- spin_lock_irqsave(&emu->emu_lock, flags);
+ snd_emu1010_fpga_read(emu, 0x20, &value);
+- spin_unlock_irqrestore(&emu->emu_lock, flags);
+ if ((value & 0x4) == 0) {
+- spin_lock_irqsave(&emu->emu_lock, flags);
+ snd_emu1010_fpga_read(emu, 0x28, &value);
+ snd_emu1010_fpga_read(emu, 0x29, &value2);
+- spin_unlock_irqrestore(&emu->emu_lock, flags);
+ rate = 0x1770000 / (((value << 5) | value2)+1);
+ snd_iprintf(buffer, "SPDIF Locked : %d\n", rate);
+ } else {
+@@ -410,14 +401,11 @@ static void snd_emu_proc_emu1010_reg_read(struct snd_info_entry *entry,
+ {
+ struct snd_emu10k1 *emu = entry->private_data;
+ u32 value;
+- unsigned long flags;
+ int i;
+ snd_iprintf(buffer, "EMU1010 Registers:\n\n");
+
+ for(i = 0; i < 0x40; i+=1) {
+- spin_lock_irqsave(&emu->emu_lock, flags);
+ snd_emu1010_fpga_read(emu, i, &value);
+- spin_unlock_irqrestore(&emu->emu_lock, flags);
+ snd_iprintf(buffer, "%02X: %08X, %02X\n", i, value, (value >> 8) & 0x7f);
+ }
+ }
+diff --git a/sound/soc/davinci/davinci-evm.c b/sound/soc/davinci/davinci-evm.c
+index 5e3bc3c..f40a7a4 100644
+--- a/sound/soc/davinci/davinci-evm.c
++++ b/sound/soc/davinci/davinci-evm.c
+@@ -384,18 +384,8 @@ static int davinci_evm_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+-static int davinci_evm_remove(struct platform_device *pdev)
+-{
+- struct snd_soc_card *card = platform_get_drvdata(pdev);
+-
+- snd_soc_unregister_card(card);
+-
+- return 0;
+-}
+-
+ static struct platform_driver davinci_evm_driver = {
+ .probe = davinci_evm_probe,
+- .remove = davinci_evm_remove,
+ .driver = {
+ .name = "davinci_evm",
+ .owner = THIS_MODULE,
+diff --git a/tools/lib/traceevent/kbuffer-parse.c b/tools/lib/traceevent/kbuffer-parse.c
+index dcc6652..deb3569 100644
+--- a/tools/lib/traceevent/kbuffer-parse.c
++++ b/tools/lib/traceevent/kbuffer-parse.c
+@@ -372,7 +372,6 @@ translate_data(struct kbuffer *kbuf, void *data, void **rptr,
+ switch (type_len) {
+ case KBUFFER_TYPE_PADDING:
+ *length = read_4(kbuf, data);
+- data += *length;
+ break;
+
+ case KBUFFER_TYPE_TIME_EXTEND:
+diff --git a/tools/power/x86/turbostat/Makefile b/tools/power/x86/turbostat/Makefile
+index d1b3a36..4039854 100644
+--- a/tools/power/x86/turbostat/Makefile
++++ b/tools/power/x86/turbostat/Makefile
+@@ -1,8 +1,12 @@
+ CC = $(CROSS_COMPILE)gcc
+-BUILD_OUTPUT := $(PWD)
++BUILD_OUTPUT := $(CURDIR)
+ PREFIX := /usr
+ DESTDIR :=
+
++ifeq ("$(origin O)", "command line")
++ BUILD_OUTPUT := $(O)
++endif
++
+ turbostat : turbostat.c
+ CFLAGS += -Wall
+ CFLAGS += -DMSRHEADER='"../../../../arch/x86/include/uapi/asm/msr-index.h"'
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 6611253..eed250e 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1549,8 +1549,8 @@ int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+ ghc->generation = slots->generation;
+ ghc->len = len;
+ ghc->memslot = gfn_to_memslot(kvm, start_gfn);
+- ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, &nr_pages_avail);
+- if (!kvm_is_error_hva(ghc->hva) && nr_pages_avail >= nr_pages_needed) {
++ ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, NULL);
++ if (!kvm_is_error_hva(ghc->hva) && nr_pages_needed <= 1) {
+ ghc->hva += offset;
+ } else {
+ /*
diff --git a/3.14.40/4420_grsecurity-3.1-3.14.40-201505042052.patch b/3.14.41/4420_grsecurity-3.1-3.14.41-201505091723.patch
index e1edd45..9842fc2 100644
--- a/3.14.40/4420_grsecurity-3.1-3.14.40-201505042052.patch
+++ b/3.14.41/4420_grsecurity-3.1-3.14.41-201505091723.patch
@@ -295,7 +295,7 @@ index 5d91ba1..ef1d374 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 070e0eb..e3359b0 100644
+index 7a60d4a..74e3f6c 100644
--- a/Makefile
+++ b/Makefile
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -1701,14 +1701,14 @@ index 6ddbe44..b5e38b1a 100644
static inline void set_domain(unsigned val) { }
static inline void modify_domain(unsigned dom, unsigned type) { }
diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
-index f4b46d3..abc9b2b 100644
+index 051b726..abc9b2b 100644
--- a/arch/arm/include/asm/elf.h
+++ b/arch/arm/include/asm/elf.h
@@ -114,7 +114,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
the loader. We need to make sure that it is out of the way of the program
that it will "exec", and that there is sufficient room for the brk. */
--#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
+-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
+
+#ifdef CONFIG_PAX_ASLR
@@ -26591,10 +26591,10 @@ index ca7f0d5..8996469 100644
CFI_ENDPROC
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
-index 3fb8d95..254dc51 100644
+index 1a1ff42..ea87a2b 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
-@@ -36,7 +36,8 @@
+@@ -37,7 +37,8 @@
* section. Since TSS's are completely CPU-local, we want them
* on exact cacheline boundaries, to eliminate cacheline ping-pong.
*/
@@ -26604,7 +26604,7 @@ index 3fb8d95..254dc51 100644
#ifdef CONFIG_X86_64
static DEFINE_PER_CPU(unsigned char, is_idle);
-@@ -92,7 +93,7 @@ void arch_task_cache_init(void)
+@@ -93,7 +94,7 @@ void arch_task_cache_init(void)
task_xstate_cachep =
kmem_cache_create("task_xstate", xstate_size,
__alignof__(union thread_xstate),
@@ -26613,7 +26613,7 @@ index 3fb8d95..254dc51 100644
}
/*
-@@ -105,7 +106,7 @@ void exit_thread(void)
+@@ -106,7 +107,7 @@ void exit_thread(void)
unsigned long *bp = t->io_bitmap_ptr;
if (bp) {
@@ -26622,7 +26622,7 @@ index 3fb8d95..254dc51 100644
t->io_bitmap_ptr = NULL;
clear_thread_flag(TIF_IO_BITMAP);
-@@ -125,6 +126,9 @@ void flush_thread(void)
+@@ -126,6 +127,9 @@ void flush_thread(void)
{
struct task_struct *tsk = current;
@@ -26632,7 +26632,7 @@ index 3fb8d95..254dc51 100644
flush_ptrace_hw_breakpoint(tsk);
memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
drop_init_fpu(tsk);
-@@ -271,7 +275,7 @@ static void __exit_idle(void)
+@@ -272,7 +276,7 @@ static void __exit_idle(void)
void exit_idle(void)
{
/* idle loop has pid 0 */
@@ -26641,7 +26641,7 @@ index 3fb8d95..254dc51 100644
return;
__exit_idle();
}
-@@ -327,7 +331,7 @@ bool xen_set_default_idle(void)
+@@ -328,7 +332,7 @@ bool xen_set_default_idle(void)
return ret;
}
#endif
@@ -26650,7 +26650,7 @@ index 3fb8d95..254dc51 100644
{
local_irq_disable();
/*
-@@ -456,16 +460,37 @@ static int __init idle_setup(char *str)
+@@ -506,16 +510,37 @@ static int __init idle_setup(char *str)
}
early_param("idle", idle_setup);
@@ -38386,7 +38386,7 @@ index 969c3c2..9b72956 100644
}
diff --git a/drivers/base/bus.c b/drivers/base/bus.c
-index 45d0fa7..89244c9 100644
+index 12b39dc..c244bbd 100644
--- a/drivers/base/bus.c
+++ b/drivers/base/bus.c
@@ -1126,7 +1126,7 @@ int subsys_interface_register(struct subsys_interface *sif)
@@ -42945,10 +42945,10 @@ index cedc6da..2c3da2a 100644
if (atomic_read(&uhid->report_done))
goto unlock;
diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
-index e99e71a..e4ae549 100644
+index 356f22f..7dfce95 100644
--- a/drivers/hv/channel.c
+++ b/drivers/hv/channel.c
-@@ -365,8 +365,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
+@@ -368,8 +368,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
unsigned long flags;
int ret = 0;
@@ -48354,7 +48354,7 @@ index c11ecbc..13bb299 100644
#include "ftgmac100.h"
diff --git a/drivers/net/ethernet/faraday/ftmac100.c b/drivers/net/ethernet/faraday/ftmac100.c
-index 8be5b40..081bc1b 100644
+index 8be5b40..081bc1b6 100644
--- a/drivers/net/ethernet/faraday/ftmac100.c
+++ b/drivers/net/ethernet/faraday/ftmac100.c
@@ -31,6 +31,8 @@
@@ -50454,7 +50454,7 @@ index c5e082f..d6307a0 100644
1, asus->debug.method_id,
&input, &output);
diff --git a/drivers/platform/x86/compal-laptop.c b/drivers/platform/x86/compal-laptop.c
-index 7297df2..b832a73 100644
+index 2d9d198..dbf6b11 100644
--- a/drivers/platform/x86/compal-laptop.c
+++ b/drivers/platform/x86/compal-laptop.c
@@ -767,7 +767,7 @@ static int dmi_check_cb_extra(const struct dmi_system_id *id)
@@ -53288,7 +53288,7 @@ index 093b8cb..9f07935 100644
spin_lock_init(&dev->t10_wwn.t10_vpd_lock);
INIT_LIST_HEAD(&dev->t10_pr.registration_list);
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
-index 9e54c0f..9c8d784 100644
+index 6fc3890..bf962ce 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1154,7 +1154,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd)
@@ -54966,7 +54966,7 @@ index ee6c556..001eb9e 100644
wake_up(&usb_kill_urb_queue);
usb_put_urb(urb);
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index d2bd9d7..1ddb53a 100644
+index 1847a7d..7fa9e59 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -27,6 +27,7 @@
@@ -59185,7 +59185,7 @@ index ca0ba15..0fa3257 100644
fd_offset + ex.a_text);
if (error != N_DATADDR(ex)) {
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index f4d7b2f..97fd3fc 100644
+index 78f4608..0f8b54b 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -34,6 +34,7 @@
@@ -59819,10 +59819,15 @@ index f4d7b2f..97fd3fc 100644
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
-@@ -815,6 +1252,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -816,12 +1253,21 @@ static int load_elf_binary(struct linux_binprm *bprm)
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
+- total_size = total_mapping_size(elf_phdata,
+- loc->elf_ex.e_phnum);
+- if (!total_size) {
+- error = -EINVAL;
+- goto out_free_dentry;
+
+#ifdef CONFIG_PAX_RANDMMAP
+ /* PaX: randomize base address at the default exe base if requested */
@@ -59834,13 +59839,14 @@ index f4d7b2f..97fd3fc 100644
+#endif
+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
+ elf_flags |= MAP_FIXED;
-+ }
+ }
+#endif
+
++ total_size = total_mapping_size(elf_phdata, loc->elf_ex.e_phnum);
}
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
-@@ -847,9 +1298,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -854,9 +1300,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
@@ -59853,7 +59859,7 @@ index f4d7b2f..97fd3fc 100644
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
-@@ -888,17 +1339,45 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -895,17 +1341,45 @@ static int load_elf_binary(struct linux_binprm *bprm)
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -59905,7 +59911,7 @@ index f4d7b2f..97fd3fc 100644
load_bias);
if (!IS_ERR((void *)elf_entry)) {
/*
-@@ -1120,7 +1599,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
+@@ -1127,7 +1601,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
* Decide what to dump of a segment, part, all or none.
*/
static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -59914,7 +59920,7 @@ index f4d7b2f..97fd3fc 100644
{
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
-@@ -1158,7 +1637,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1165,7 +1639,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
if (vma->vm_file == NULL)
return 0;
@@ -59923,7 +59929,7 @@ index f4d7b2f..97fd3fc 100644
goto whole;
/*
-@@ -1365,9 +1844,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1372,9 +1846,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
int i = 0;
@@ -59935,7 +59941,7 @@ index f4d7b2f..97fd3fc 100644
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}
-@@ -1376,7 +1855,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
+@@ -1383,7 +1857,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
{
mm_segment_t old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -59944,7 +59950,7 @@ index f4d7b2f..97fd3fc 100644
set_fs(old_fs);
fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
}
-@@ -2000,14 +2479,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
+@@ -2007,14 +2481,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
}
static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
@@ -59961,7 +59967,7 @@ index f4d7b2f..97fd3fc 100644
return size;
}
-@@ -2098,7 +2577,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2105,7 +2579,7 @@ static int elf_core_dump(struct coredump_params *cprm)
dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
@@ -59970,7 +59976,7 @@ index f4d7b2f..97fd3fc 100644
offset += elf_core_extra_data_size();
e_shoff = offset;
-@@ -2126,7 +2605,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2133,7 +2607,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_offset = offset;
phdr.p_vaddr = vma->vm_start;
phdr.p_paddr = 0;
@@ -59979,7 +59985,7 @@ index f4d7b2f..97fd3fc 100644
phdr.p_memsz = vma->vm_end - vma->vm_start;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -2159,7 +2638,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2166,7 +2640,7 @@ static int elf_core_dump(struct coredump_params *cprm)
unsigned long addr;
unsigned long end;
@@ -59988,7 +59994,7 @@ index f4d7b2f..97fd3fc 100644
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
struct page *page;
-@@ -2200,6 +2679,167 @@ out:
+@@ -2207,6 +2681,167 @@ out:
#endif /* CONFIG_ELF_CORE */
@@ -61606,7 +61612,7 @@ index e4141f2..d8263e8 100644
i += packet_length_size;
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
diff --git a/fs/exec.c b/fs/exec.c
-index ea4449d..747fc21 100644
+index 05f1942..747fc21 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,8 +56,20 @@
@@ -61939,7 +61945,7 @@ index ea4449d..747fc21 100644
if (likely(leader->exit_state))
break;
__set_current_state(TASK_KILLABLE);
-@@ -1261,13 +1344,60 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1261,7 +1344,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
@@ -61948,98 +61954,7 @@ index ea4449d..747fc21 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
else
p->fs->in_exec = 1;
- spin_unlock(&p->fs->lock);
- }
-
-+static void bprm_fill_uid(struct linux_binprm *bprm)
-+{
-+ struct inode *inode;
-+ unsigned int mode;
-+ kuid_t uid;
-+ kgid_t gid;
-+
-+ /* clear any previous set[ug]id data from a previous binary */
-+ bprm->cred->euid = current_euid();
-+ bprm->cred->egid = current_egid();
-+
-+ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
-+ return;
-+
-+ if (current->no_new_privs)
-+ return;
-+
-+ inode = file_inode(bprm->file);
-+ mode = ACCESS_ONCE(inode->i_mode);
-+ if (!(mode & (S_ISUID|S_ISGID)))
-+ return;
-+
-+ /* Be careful if suid/sgid is set */
-+ mutex_lock(&inode->i_mutex);
-+
-+ /* reload atomically mode/uid/gid now that lock held */
-+ mode = inode->i_mode;
-+ uid = inode->i_uid;
-+ gid = inode->i_gid;
-+ mutex_unlock(&inode->i_mutex);
-+
-+ /* We ignore suid/sgid if there are no mappings for them in the ns */
-+ if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||
-+ !kgid_has_mapping(bprm->cred->user_ns, gid))
-+ return;
-+
-+ if (mode & S_ISUID) {
-+ bprm->per_clear |= PER_CLEAR_ON_SETID;
-+ bprm->cred->euid = uid;
-+ }
-+
-+ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
-+ bprm->per_clear |= PER_CLEAR_ON_SETID;
-+ bprm->cred->egid = gid;
-+ }
-+}
-+
- /*
- * Fill the binprm structure from the inode.
- * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
-@@ -1276,36 +1406,9 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
- */
- int prepare_binprm(struct linux_binprm *bprm)
- {
-- struct inode *inode = file_inode(bprm->file);
-- umode_t mode = inode->i_mode;
- int retval;
-
--
-- /* clear any previous set[ug]id data from a previous binary */
-- bprm->cred->euid = current_euid();
-- bprm->cred->egid = current_egid();
--
-- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
-- !current->no_new_privs &&
-- kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
-- kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
-- /* Set-uid? */
-- if (mode & S_ISUID) {
-- bprm->per_clear |= PER_CLEAR_ON_SETID;
-- bprm->cred->euid = inode->i_uid;
-- }
--
-- /* Set-gid? */
-- /*
-- * If setgid is set but no group execute bit then this
-- * is a candidate for mandatory locking, not a setgid
-- * executable.
-- */
-- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
-- bprm->per_clear |= PER_CLEAR_ON_SETID;
-- bprm->cred->egid = inode->i_gid;
-- }
-- }
-+ bprm_fill_uid(bprm);
-
- /* fill in binprm security blob */
- retval = security_bprm_set_creds(bprm);
-@@ -1437,6 +1540,31 @@ static int exec_binprm(struct linux_binprm *bprm)
+@@ -1457,6 +1540,31 @@ static int exec_binprm(struct linux_binprm *bprm)
return ret;
}
@@ -62071,7 +61986,7 @@ index ea4449d..747fc21 100644
/*
* sys_execve() executes a new program.
*/
-@@ -1444,6 +1572,11 @@ static int do_execve_common(struct filename *filename,
+@@ -1464,6 +1572,11 @@ static int do_execve_common(struct filename *filename,
struct user_arg_ptr argv,
struct user_arg_ptr envp)
{
@@ -62083,7 +61998,7 @@ index ea4449d..747fc21 100644
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
-@@ -1452,6 +1585,8 @@ static int do_execve_common(struct filename *filename,
+@@ -1472,6 +1585,8 @@ static int do_execve_common(struct filename *filename,
if (IS_ERR(filename))
return PTR_ERR(filename);
@@ -62092,7 +62007,7 @@ index ea4449d..747fc21 100644
/*
* We move the actual failure in case of RLIMIT_NPROC excess from
* set*uid() to execve() because too many poorly written programs
-@@ -1489,11 +1624,21 @@ static int do_execve_common(struct filename *filename,
+@@ -1509,11 +1624,21 @@ static int do_execve_common(struct filename *filename,
if (IS_ERR(file))
goto out_unmark;
@@ -62114,7 +62029,7 @@ index ea4449d..747fc21 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_unmark;
-@@ -1510,24 +1655,70 @@ static int do_execve_common(struct filename *filename,
+@@ -1530,24 +1655,70 @@ static int do_execve_common(struct filename *filename,
if (retval < 0)
goto out;
@@ -62189,7 +62104,7 @@ index ea4449d..747fc21 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1538,6 +1729,14 @@ static int do_execve_common(struct filename *filename,
+@@ -1558,6 +1729,14 @@ static int do_execve_common(struct filename *filename,
put_files_struct(displaced);
return retval;
@@ -62204,7 +62119,7 @@ index ea4449d..747fc21 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1629,3 +1828,312 @@ asmlinkage long compat_sys_execve(const char __user * filename,
+@@ -1649,3 +1828,312 @@ asmlinkage long compat_sys_execve(const char __user * filename,
return compat_do_execve(getname(filename), argv, envp);
}
#endif
@@ -65034,7 +64949,7 @@ index b29e42f..5ea7fdf 100644
#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
diff --git a/fs/namei.c b/fs/namei.c
-index 0dd72c8..07c6710 100644
+index ccb8000..ac58c5a 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -331,17 +331,34 @@ int generic_permission(struct inode *inode, int mask)
@@ -65150,7 +65065,7 @@ index 0dd72c8..07c6710 100644
return 0;
failed:
-@@ -1593,6 +1612,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd)
+@@ -1594,6 +1613,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd)
if (res)
break;
res = walk_component(nd, path, LOOKUP_FOLLOW);
@@ -65159,7 +65074,7 @@ index 0dd72c8..07c6710 100644
put_link(nd, &link, cookie);
} while (res > 0);
-@@ -1665,7 +1686,7 @@ EXPORT_SYMBOL(full_name_hash);
+@@ -1666,7 +1687,7 @@ EXPORT_SYMBOL(full_name_hash);
static inline unsigned long hash_name(const char *name, unsigned int *hashp)
{
unsigned long a, b, adata, bdata, mask, hash, len;
@@ -65168,7 +65083,7 @@ index 0dd72c8..07c6710 100644
hash = a = 0;
len = -sizeof(unsigned long);
-@@ -1894,7 +1915,14 @@ static int path_init(int dfd, const char *name, unsigned int flags,
+@@ -1895,7 +1916,14 @@ static int path_init(int dfd, const char *name, unsigned int flags,
}
nd->inode = nd->path.dentry->d_inode;
@@ -65184,7 +65099,7 @@ index 0dd72c8..07c6710 100644
}
static inline int lookup_last(struct nameidata *nd, struct path *path)
-@@ -1949,6 +1977,8 @@ static int path_lookupat(int dfd, const char *name,
+@@ -1950,6 +1978,8 @@ static int path_lookupat(int dfd, const char *name,
if (err)
break;
err = lookup_last(nd, &path);
@@ -65193,7 +65108,7 @@ index 0dd72c8..07c6710 100644
put_link(nd, &link, cookie);
}
}
-@@ -1956,6 +1986,13 @@ static int path_lookupat(int dfd, const char *name,
+@@ -1957,6 +1987,13 @@ static int path_lookupat(int dfd, const char *name,
if (!err)
err = complete_walk(nd);
@@ -65207,7 +65122,7 @@ index 0dd72c8..07c6710 100644
if (!err && nd->flags & LOOKUP_DIRECTORY) {
if (!d_can_lookup(nd->path.dentry)) {
path_put(&nd->path);
-@@ -1983,8 +2020,15 @@ static int filename_lookup(int dfd, struct filename *name,
+@@ -1984,8 +2021,15 @@ static int filename_lookup(int dfd, struct filename *name,
retval = path_lookupat(dfd, name->name,
flags | LOOKUP_REVAL, nd);
@@ -65224,7 +65139,7 @@ index 0dd72c8..07c6710 100644
return retval;
}
-@@ -2559,6 +2603,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2560,6 +2604,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
@@ -65238,7 +65153,7 @@ index 0dd72c8..07c6710 100644
return 0;
}
-@@ -2790,7 +2841,7 @@ looked_up:
+@@ -2791,7 +2842,7 @@ looked_up:
* cleared otherwise prior to returning.
*/
static int lookup_open(struct nameidata *nd, struct path *path,
@@ -65247,7 +65162,7 @@ index 0dd72c8..07c6710 100644
const struct open_flags *op,
bool got_write, int *opened)
{
-@@ -2825,6 +2876,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2826,6 +2877,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
umode_t mode = op->mode;
@@ -65265,7 +65180,7 @@ index 0dd72c8..07c6710 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2846,6 +2908,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2847,6 +2909,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
nd->flags & LOOKUP_EXCL);
if (error)
goto out_dput;
@@ -65274,7 +65189,7 @@ index 0dd72c8..07c6710 100644
}
out_no_open:
path->dentry = dentry;
-@@ -2860,7 +2924,7 @@ out_dput:
+@@ -2861,7 +2925,7 @@ out_dput:
/*
* Handle the last step of open()
*/
@@ -65283,7 +65198,7 @@ index 0dd72c8..07c6710 100644
struct file *file, const struct open_flags *op,
int *opened, struct filename *name)
{
-@@ -2910,6 +2974,15 @@ static int do_last(struct nameidata *nd, struct path *path,
+@@ -2911,6 +2975,15 @@ static int do_last(struct nameidata *nd, struct path *path,
if (error)
return error;
@@ -65299,7 +65214,7 @@ index 0dd72c8..07c6710 100644
audit_inode(name, dir, LOOKUP_PARENT);
error = -EISDIR;
/* trailing slashes? */
-@@ -2929,7 +3002,7 @@ retry_lookup:
+@@ -2930,7 +3003,7 @@ retry_lookup:
*/
}
mutex_lock(&dir->d_inode->i_mutex);
@@ -65308,7 +65223,7 @@ index 0dd72c8..07c6710 100644
mutex_unlock(&dir->d_inode->i_mutex);
if (error <= 0) {
-@@ -2953,11 +3026,28 @@ retry_lookup:
+@@ -2954,11 +3027,28 @@ retry_lookup:
goto finish_open_created;
}
@@ -65338,7 +65253,7 @@ index 0dd72c8..07c6710 100644
/*
* If atomic_open() acquired write access it is dropped now due to
-@@ -2998,6 +3088,11 @@ finish_lookup:
+@@ -3000,6 +3090,11 @@ finish_lookup:
}
}
BUG_ON(inode != path->dentry->d_inode);
@@ -65350,7 +65265,7 @@ index 0dd72c8..07c6710 100644
return 1;
}
-@@ -3007,7 +3102,6 @@ finish_lookup:
+@@ -3009,7 +3104,6 @@ finish_lookup:
save_parent.dentry = nd->path.dentry;
save_parent.mnt = mntget(path->mnt);
nd->path.dentry = path->dentry;
@@ -65358,7 +65273,7 @@ index 0dd72c8..07c6710 100644
}
nd->inode = inode;
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
-@@ -3017,7 +3111,18 @@ finish_open:
+@@ -3019,7 +3113,18 @@ finish_open:
path_put(&save_parent);
return error;
}
@@ -65377,7 +65292,16 @@ index 0dd72c8..07c6710 100644
error = -EISDIR;
if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
goto out;
-@@ -3181,7 +3286,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3171,7 +3276,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+
+ if (unlikely(file->f_flags & __O_TMPFILE)) {
+ error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened);
+- goto out;
++ goto out2;
+ }
+
+ error = path_init(dfd, pathname->name, flags | LOOKUP_PARENT, nd, &base);
+@@ -3183,7 +3288,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
if (unlikely(error))
goto out;
@@ -65386,7 +65310,7 @@ index 0dd72c8..07c6710 100644
while (unlikely(error > 0)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -3199,7 +3304,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3201,7 +3306,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
break;
@@ -65395,7 +65319,15 @@ index 0dd72c8..07c6710 100644
put_link(nd, &link, cookie);
}
out:
-@@ -3299,9 +3404,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
+@@ -3209,6 +3314,7 @@ out:
+ path_put(&nd->root);
+ if (base)
+ fput(base);
++out2:
+ if (!(opened & FILE_OPENED)) {
+ BUG_ON(!error);
+ put_filp(file);
+@@ -3301,9 +3407,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
goto unlock;
error = -EEXIST;
@@ -65409,7 +65341,7 @@ index 0dd72c8..07c6710 100644
/*
* Special case - lookup gave negative, but... we had foo/bar/
* From the vfs_mknod() POV we just have a negative dentry -
-@@ -3353,6 +3460,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
+@@ -3355,6 +3463,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
}
EXPORT_SYMBOL(user_path_create);
@@ -65430,7 +65362,7 @@ index 0dd72c8..07c6710 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -3415,6 +3536,17 @@ retry:
+@@ -3417,6 +3539,17 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -65448,7 +65380,7 @@ index 0dd72c8..07c6710 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out;
-@@ -3431,6 +3563,8 @@ retry:
+@@ -3433,6 +3566,8 @@ retry:
break;
}
out:
@@ -65457,7 +65389,7 @@ index 0dd72c8..07c6710 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3483,9 +3617,16 @@ retry:
+@@ -3485,9 +3620,16 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -65474,7 +65406,7 @@ index 0dd72c8..07c6710 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3566,6 +3707,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3568,6 +3710,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
struct filename *name;
struct dentry *dentry;
struct nameidata nd;
@@ -65483,7 +65415,7 @@ index 0dd72c8..07c6710 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3598,10 +3741,21 @@ retry:
+@@ -3600,10 +3744,21 @@ retry:
error = -ENOENT;
goto exit3;
}
@@ -65505,7 +65437,7 @@ index 0dd72c8..07c6710 100644
exit3:
dput(dentry);
exit2:
-@@ -3691,6 +3845,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3693,6 +3848,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct nameidata nd;
struct inode *inode = NULL;
struct inode *delegated_inode = NULL;
@@ -65514,7 +65446,7 @@ index 0dd72c8..07c6710 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3717,10 +3873,22 @@ retry_deleg:
+@@ -3719,10 +3876,22 @@ retry_deleg:
if (d_is_negative(dentry))
goto slashes;
ihold(inode);
@@ -65537,7 +65469,7 @@ index 0dd72c8..07c6710 100644
exit2:
dput(dentry);
}
-@@ -3808,9 +3976,17 @@ retry:
+@@ -3810,9 +3979,17 @@ retry:
if (IS_ERR(dentry))
goto out_putname;
@@ -65555,7 +65487,7 @@ index 0dd72c8..07c6710 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3913,6 +4089,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3915,6 +4092,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
struct dentry *new_dentry;
struct path old_path, new_path;
struct inode *delegated_inode = NULL;
@@ -65563,7 +65495,7 @@ index 0dd72c8..07c6710 100644
int how = 0;
int error;
-@@ -3936,7 +4113,7 @@ retry:
+@@ -3938,7 +4116,7 @@ retry:
if (error)
return error;
@@ -65572,7 +65504,7 @@ index 0dd72c8..07c6710 100644
(how & LOOKUP_REVAL));
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
-@@ -3948,11 +4125,28 @@ retry:
+@@ -3950,11 +4128,28 @@ retry:
error = may_linkat(&old_path);
if (unlikely(error))
goto out_dput;
@@ -65601,7 +65533,7 @@ index 0dd72c8..07c6710 100644
done_path_create(&new_path, new_dentry);
if (delegated_inode) {
error = break_deleg_wait(&delegated_inode);
-@@ -4239,6 +4433,20 @@ retry_deleg:
+@@ -4241,6 +4436,20 @@ retry_deleg:
if (new_dentry == trap)
goto exit5;
@@ -65622,7 +65554,7 @@ index 0dd72c8..07c6710 100644
error = security_path_rename(&oldnd.path, old_dentry,
&newnd.path, new_dentry);
if (error)
-@@ -4246,6 +4454,9 @@ retry_deleg:
+@@ -4248,6 +4457,9 @@ retry_deleg:
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry,
&delegated_inode);
@@ -65632,7 +65564,7 @@ index 0dd72c8..07c6710 100644
exit5:
dput(new_dentry);
exit4:
-@@ -4282,6 +4493,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -4284,6 +4496,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -65641,7 +65573,7 @@ index 0dd72c8..07c6710 100644
int len;
len = PTR_ERR(link);
-@@ -4291,7 +4504,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -4293,7 +4507,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -66295,7 +66227,7 @@ index 49d84f8..4807e0b 100644
/* Copy the blockcheck stats from the superblock probe */
osb->osb_ecc_stats = *stats;
diff --git a/fs/open.c b/fs/open.c
-index 2ed7325..4e77ac3 100644
+index 17679f2..85f4981 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -32,6 +32,8 @@
@@ -66396,9 +66328,9 @@ index 2ed7325..4e77ac3 100644
+ if (!gr_acl_handle_chown(path->dentry, path->mnt))
+ return -EACCES;
+
+ retry_deleg:
newattrs.ia_valid = ATTR_CTIME;
if (user != (uid_t) -1) {
- if (!uid_valid(uid))
@@ -982,6 +1019,7 @@ long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
} else {
fsnotify_open(f);
@@ -66408,9 +66340,18 @@ index 2ed7325..4e77ac3 100644
}
putname(tmp);
diff --git a/fs/pipe.c b/fs/pipe.c
-index 78fd0d0..f71fc09 100644
+index 78fd0d0..6757bcf 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
+@@ -37,7 +37,7 @@ unsigned int pipe_max_size = 1048576;
+ /*
+ * Minimum pipe size, as required by POSIX
+ */
+-unsigned int pipe_min_size = PAGE_SIZE;
++unsigned int pipe_min_size __read_only = PAGE_SIZE;
+
+ /*
+ * We use a start+len construction, which provides full use of the
@@ -56,7 +56,7 @@ unsigned int pipe_min_size = PAGE_SIZE;
static void pipe_lock_nested(struct pipe_inode_info *pipe, int subclass)
@@ -66617,6 +66558,35 @@ index 78fd0d0..f71fc09 100644
wake_up_interruptible(&pipe->wait);
ret = -ERESTARTSYS;
goto err;
+@@ -1208,7 +1209,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages)
+ * Currently we rely on the pipe array holding a power-of-2 number
+ * of pages.
+ */
+-static inline unsigned int round_pipe_size(unsigned int size)
++static inline unsigned long round_pipe_size(unsigned long size)
+ {
+ unsigned long nr_pages;
+
+@@ -1256,13 +1257,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
+
+ switch (cmd) {
+ case F_SETPIPE_SZ: {
+- unsigned int size, nr_pages;
++ unsigned long size, nr_pages;
++
++ ret = -EINVAL;
++ if (arg < pipe_min_size)
++ goto out;
+
+ size = round_pipe_size(arg);
+ nr_pages = size >> PAGE_SHIFT;
+
+- ret = -EINVAL;
+- if (!nr_pages)
++ if (size < pipe_min_size)
+ goto out;
+
+ if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 0855f77..6787d50 100644
--- a/fs/posix_acl.c
@@ -68762,7 +68732,7 @@ index 1d641bb..9ca7f61 100644
{
const struct seq_operations *op = ((struct seq_file *)file->private_data)->op;
diff --git a/fs/splice.c b/fs/splice.c
-index 12028fa..a6f2619 100644
+index 12028fa..2cde9b2 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -196,7 +196,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
@@ -68844,6 +68814,15 @@ index 12028fa..a6f2619 100644
return 0;
if (sd->flags & SPLICE_F_NONBLOCK)
+@@ -1171,7 +1171,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+ long ret, bytes;
+ umode_t i_mode;
+ size_t len;
+- int i, flags;
++ int i, flags, more;
+
+ /*
+ * We require the input being a regular file, as we don't want to
@@ -1197,7 +1197,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
* out of the pipe right after the splice_to_pipe(). So set
* PIPE_READERS appropriately.
@@ -68853,7 +68832,31 @@ index 12028fa..a6f2619 100644
current->splice_pipe = pipe;
}
-@@ -1493,6 +1493,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
+@@ -1214,6 +1214,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+ * Don't block on output, we have to drain the direct pipe.
+ */
+ sd->flags &= ~SPLICE_F_NONBLOCK;
++ more = sd->flags & SPLICE_F_MORE;
+
+ while (len) {
+ size_t read_len;
+@@ -1227,6 +1228,15 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+ sd->total_len = read_len;
+
+ /*
++ * If more data is pending, set SPLICE_F_MORE
++ * If this is the last data and SPLICE_F_MORE was not set
++ * initially, clears it.
++ */
++ if (read_len < len)
++ sd->flags |= SPLICE_F_MORE;
++ else if (!more)
++ sd->flags &= ~SPLICE_F_MORE;
++ /*
+ * NOTE: nonblocking mode only applies to the input. We
+ * must not do the output in nonblocking mode as then we
+ * could get stuck data in the internal pipe:
+@@ -1493,6 +1503,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
partial[buffers].offset = off;
partial[buffers].len = plen;
@@ -68861,7 +68864,7 @@ index 12028fa..a6f2619 100644
off = 0;
len -= plen;
-@@ -1795,9 +1796,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1795,9 +1806,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
ret = -ERESTARTSYS;
break;
}
@@ -68873,7 +68876,7 @@ index 12028fa..a6f2619 100644
if (flags & SPLICE_F_NONBLOCK) {
ret = -EAGAIN;
break;
-@@ -1829,7 +1830,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1829,7 +1840,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
pipe_lock(pipe);
while (pipe->nrbufs >= pipe->buffers) {
@@ -68882,7 +68885,7 @@ index 12028fa..a6f2619 100644
send_sig(SIGPIPE, current, 0);
ret = -EPIPE;
break;
-@@ -1842,9 +1843,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1842,9 +1853,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
ret = -ERESTARTSYS;
break;
}
@@ -68894,7 +68897,7 @@ index 12028fa..a6f2619 100644
}
pipe_unlock(pipe);
-@@ -1880,14 +1881,14 @@ retry:
+@@ -1880,14 +1891,14 @@ retry:
pipe_double_lock(ipipe, opipe);
do {
@@ -68911,7 +68914,7 @@ index 12028fa..a6f2619 100644
break;
/*
-@@ -1984,7 +1985,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -1984,7 +1995,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
pipe_double_lock(ipipe, opipe);
do {
@@ -68920,7 +68923,7 @@ index 12028fa..a6f2619 100644
send_sig(SIGPIPE, current, 0);
if (!ret)
ret = -EPIPE;
-@@ -2029,7 +2030,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -2029,7 +2040,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
* return EAGAIN if we have the potential of some data in the
* future, otherwise just return 0
*/
@@ -82295,7 +82298,7 @@ index 939533d..cf0a57c 100644
/**
* struct clk_init_data - holds init data that's common to all clocks and is
diff --git a/include/linux/compat.h b/include/linux/compat.h
-index 3f448c6..df3ce1d 100644
+index 3f448c6..8dd869d 100644
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -313,7 +313,7 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
@@ -82307,6 +82310,15 @@ index 3f448c6..df3ce1d 100644
asmlinkage long compat_sys_semctl(int semid, int semnum, int cmd, int arg);
asmlinkage long compat_sys_msgsnd(int msqid, compat_uptr_t msgp,
compat_ssize_t msgsz, int msgflg);
+@@ -322,7 +322,7 @@ asmlinkage long compat_sys_msgrcv(int msqid, compat_uptr_t msgp,
+ long compat_sys_msgctl(int first, int second, void __user *uptr);
+ long compat_sys_shmctl(int first, int second, void __user *uptr);
+ long compat_sys_semtimedop(int semid, struct sembuf __user *tsems,
+- unsigned nsems, const struct compat_timespec __user *timeout);
++ compat_long_t nsems, const struct compat_timespec __user *timeout);
+ asmlinkage long compat_sys_keyctl(u32 option,
+ u32 arg2, u32 arg3, u32 arg4, u32 arg5);
+ asmlinkage long compat_sys_ustat(unsigned dev, struct compat_ustat __user *u32);
@@ -420,7 +420,7 @@ extern int compat_ptrace_request(struct task_struct *child,
extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
compat_ulong_t addr, compat_ulong_t data);
@@ -87137,19 +87149,19 @@ index 1e2cd2e..0288750 100644
/* shm_mode upper byte flags */
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
-index ad8f859..e93b2e4 100644
+index ab31337..95e2121 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
-@@ -662,7 +662,7 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
- struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags,
+@@ -663,7 +663,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags,
int node);
+ struct sk_buff *__build_skb(void *data, unsigned int frag_size);
struct sk_buff *build_skb(void *data, unsigned int frag_size);
-static inline struct sk_buff *alloc_skb(unsigned int size,
+static inline struct sk_buff * __intentional_overflow(0) alloc_skb(unsigned int size,
gfp_t priority)
{
return __alloc_skb(size, priority, 0, NUMA_NO_NODE);
-@@ -1768,7 +1768,7 @@ static inline u32 skb_inner_network_header_len(const struct sk_buff *skb)
+@@ -1769,7 +1769,7 @@ static inline u32 skb_inner_network_header_len(const struct sk_buff *skb)
return skb->inner_transport_header - skb->inner_network_header;
}
@@ -87158,7 +87170,7 @@ index ad8f859..e93b2e4 100644
{
return skb_network_header(skb) - skb->data;
}
-@@ -1828,7 +1828,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
+@@ -1829,7 +1829,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
* NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
*/
#ifndef NET_SKB_PAD
@@ -87167,7 +87179,7 @@ index ad8f859..e93b2e4 100644
#endif
int ___pskb_trim(struct sk_buff *skb, unsigned int len);
-@@ -2427,7 +2427,7 @@ struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags, int noblock,
+@@ -2428,7 +2428,7 @@ struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags, int noblock,
int *err);
unsigned int datagram_poll(struct file *file, struct socket *sock,
struct poll_table_struct *wait);
@@ -87176,7 +87188,7 @@ index ad8f859..e93b2e4 100644
struct iovec *to, int size);
int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb, int hlen,
struct iovec *iov);
-@@ -2722,6 +2722,9 @@ static inline void nf_reset(struct sk_buff *skb)
+@@ -2723,6 +2723,9 @@ static inline void nf_reset(struct sk_buff *skb)
nf_bridge_put(skb->nf_bridge);
skb->nf_bridge = NULL;
#endif
@@ -87492,7 +87504,7 @@ index a5ffd32..0935dea 100644
extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
unsigned long offset, size_t size,
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
-index a747a77..02cf063 100644
+index a747a77..b44c9b4 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -99,7 +99,12 @@ struct sigaltstack;
@@ -87534,6 +87546,19 @@ index a747a77..02cf063 100644
asmlinkage long sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags);
asmlinkage long sys_sendmmsg(int fd, struct mmsghdr __user *msg,
unsigned int vlen, unsigned flags);
+@@ -646,10 +651,10 @@ asmlinkage long sys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf);
+
+ asmlinkage long sys_semget(key_t key, int nsems, int semflg);
+ asmlinkage long sys_semop(int semid, struct sembuf __user *sops,
+- unsigned nsops);
++ long nsops);
+ asmlinkage long sys_semctl(int semid, int semnum, int cmd, unsigned long arg);
+ asmlinkage long sys_semtimedop(int semid, struct sembuf __user *sops,
+- unsigned nsops,
++ long nsops,
+ const struct timespec __user *timeout);
+ asmlinkage long sys_shmat(int shmid, char __user *shmaddr, int shmflg);
+ asmlinkage long sys_shmget(key_t key, size_t size, int flag);
diff --git a/include/linux/syscore_ops.h b/include/linux/syscore_ops.h
index 27b3b0b..e093dd9 100644
--- a/include/linux/syscore_ops.h
@@ -87833,10 +87858,10 @@ index 99c1b4d..562e6f3 100644
static inline void put_unaligned_le16(u16 val, void *p)
diff --git a/include/linux/usb.h b/include/linux/usb.h
-index 7f6eb85..656e806 100644
+index 49466be..5954884 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
-@@ -563,7 +563,7 @@ struct usb_device {
+@@ -589,7 +589,7 @@ struct usb_device {
int maxchild;
u32 quirks;
@@ -87845,7 +87870,7 @@ index 7f6eb85..656e806 100644
unsigned long active_duration;
-@@ -1642,7 +1642,7 @@ void usb_buffer_unmap_sg(const struct usb_device *dev, int is_in,
+@@ -1668,7 +1668,7 @@ void usb_buffer_unmap_sg(const struct usb_device *dev, int is_in,
extern int usb_control_msg(struct usb_device *dev, unsigned int pipe,
__u8 request, __u8 requesttype, __u16 value, __u16 index,
@@ -89042,7 +89067,7 @@ index 9a00147..d814573 100644
struct snd_soc_platform {
const char *name;
diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
-index 34932540..8d54ec7 100644
+index e4b9e01..bc9fff0 100644
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -754,7 +754,7 @@ struct se_device {
@@ -90014,7 +90039,7 @@ index 58c132d..310b5fa 100644
* Ok, we have completed the initial bootup, and
* we're essentially up and running. Get rid of the
diff --git a/ipc/compat.c b/ipc/compat.c
-index f486b00..442867f 100644
+index f486b00..fbb78e9 100644
--- a/ipc/compat.c
+++ b/ipc/compat.c
@@ -399,7 +399,7 @@ COMPAT_SYSCALL_DEFINE6(ipc, u32, call, int, first, int, second,
@@ -90026,6 +90051,15 @@ index f486b00..442867f 100644
}
case SHMDT:
return sys_shmdt(compat_ptr(ptr));
+@@ -750,7 +750,7 @@ long compat_sys_shmctl(int first, int second, void __user *uptr)
+ }
+
+ long compat_sys_semtimedop(int semid, struct sembuf __user *tsems,
+- unsigned nsops, const struct compat_timespec __user *timeout)
++ compat_long_t nsops, const struct compat_timespec __user *timeout)
+ {
+ struct timespec __user *ts64 = NULL;
+ if (timeout) {
diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
index cadddc8..c263084 100644
--- a/ipc/ipc_sysctl.c
@@ -90139,7 +90173,7 @@ index 6498531..b0ff3c8 100644
msg_params.flg = msgflg;
diff --git a/ipc/sem.c b/ipc/sem.c
-index bee5554..e9af81dd 100644
+index bee5554..ec7d947 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -561,10 +561,15 @@ static inline int sem_more_checks(struct kern_ipc_perm *ipcp,
@@ -90170,6 +90204,24 @@ index bee5554..e9af81dd 100644
sem_params.key = key;
sem_params.flg = semflg;
sem_params.u.nsems = nsems;
+@@ -1760,7 +1761,7 @@ static int get_queue_result(struct sem_queue *q)
+ }
+
+ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
+- unsigned, nsops, const struct timespec __user *, timeout)
++ long, nsops, const struct timespec __user *, timeout)
+ {
+ int error = -EINVAL;
+ struct sem_array *sma;
+@@ -1996,7 +1997,7 @@ out_free:
+ }
+
+ SYSCALL_DEFINE3(semop, int, semid, struct sembuf __user *, tsops,
+- unsigned, nsops)
++ long, nsops)
+ {
+ return sys_semtimedop(semid, tsops, nsops, NULL);
+ }
diff --git a/ipc/shm.c b/ipc/shm.c
index 7645961..afc7f02 100644
--- a/ipc/shm.c
@@ -93786,7 +93838,7 @@ index ebdd9c1..612ee05 100644
}
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index 1f4bcb3..99cf7ab 100644
+index be9760f..6ee48dd 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -327,7 +327,7 @@ static int ptrace_attach(struct task_struct *task, long request,
@@ -93807,7 +93859,7 @@ index 1f4bcb3..99cf7ab 100644
return -EFAULT;
copied += retval;
src += retval;
-@@ -806,7 +806,7 @@ int ptrace_request(struct task_struct *child, long request,
+@@ -826,7 +826,7 @@ int ptrace_request(struct task_struct *child, long request,
bool seized = child->ptrace & PT_SEIZED;
int ret = -EIO;
siginfo_t siginfo, *si;
@@ -93816,7 +93868,7 @@ index 1f4bcb3..99cf7ab 100644
unsigned long __user *datalp = datavp;
unsigned long flags;
-@@ -1052,14 +1052,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
+@@ -1072,14 +1072,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
goto out;
}
@@ -93839,7 +93891,7 @@ index 1f4bcb3..99cf7ab 100644
goto out_put_task_struct;
}
-@@ -1087,7 +1094,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
+@@ -1107,7 +1114,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
if (copied != sizeof(tmp))
return -EIO;
@@ -93848,7 +93900,7 @@ index 1f4bcb3..99cf7ab 100644
}
int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
-@@ -1181,7 +1188,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
+@@ -1201,7 +1208,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
}
asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
@@ -93857,7 +93909,7 @@ index 1f4bcb3..99cf7ab 100644
{
struct task_struct *child;
long ret;
-@@ -1197,14 +1204,21 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
+@@ -1217,14 +1224,21 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
goto out;
}
@@ -95109,7 +95161,7 @@ index 60d35ac5..59d289f 100644
mutex_unlock(&smpboot_threads_lock);
put_online_cpus();
diff --git a/kernel/softirq.c b/kernel/softirq.c
-index 490fcbb..1e502c6 100644
+index 93be750..06335f9 100644
--- a/kernel/softirq.c
+++ b/kernel/softirq.c
@@ -52,7 +52,7 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
@@ -95157,7 +95209,7 @@ index 490fcbb..1e502c6 100644
{
struct tasklet_struct *list;
-@@ -742,7 +742,7 @@ static struct notifier_block cpu_nfb = {
+@@ -746,7 +746,7 @@ static struct notifier_block cpu_nfb = {
.notifier_call = cpu_callback
};
@@ -95920,7 +95972,7 @@ index e3be87e..abc908f 100644
/* make curr_ret_stack visible before we add the ret_stack */
smp_wmb();
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
-index 774a080..d09b170 100644
+index da41de9..7f9f568 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -352,9 +352,9 @@ struct buffer_data_page {
@@ -96132,7 +96184,7 @@ index 774a080..d09b170 100644
return NULL;
}
#endif
-@@ -2863,7 +2863,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2862,7 +2862,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
/* Do the likely case first */
if (likely(bpage->page == (void *)addr)) {
@@ -96141,7 +96193,7 @@ index 774a080..d09b170 100644
return;
}
-@@ -2875,7 +2875,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2874,7 +2874,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
start = bpage;
do {
if (bpage->page == (void *)addr) {
@@ -96150,7 +96202,7 @@ index 774a080..d09b170 100644
return;
}
rb_inc_page(cpu_buffer, &bpage);
-@@ -3159,7 +3159,7 @@ static inline unsigned long
+@@ -3158,7 +3158,7 @@ static inline unsigned long
rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer)
{
return local_read(&cpu_buffer->entries) -
@@ -96159,7 +96211,7 @@ index 774a080..d09b170 100644
}
/**
-@@ -3248,7 +3248,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu)
+@@ -3247,7 +3247,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu)
return 0;
cpu_buffer = buffer->buffers[cpu];
@@ -96168,7 +96220,7 @@ index 774a080..d09b170 100644
return ret;
}
-@@ -3271,7 +3271,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu)
+@@ -3270,7 +3270,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu)
return 0;
cpu_buffer = buffer->buffers[cpu];
@@ -96177,7 +96229,7 @@ index 774a080..d09b170 100644
return ret;
}
-@@ -3293,7 +3293,7 @@ ring_buffer_dropped_events_cpu(struct ring_buffer *buffer, int cpu)
+@@ -3292,7 +3292,7 @@ ring_buffer_dropped_events_cpu(struct ring_buffer *buffer, int cpu)
return 0;
cpu_buffer = buffer->buffers[cpu];
@@ -96186,7 +96238,7 @@ index 774a080..d09b170 100644
return ret;
}
-@@ -3356,7 +3356,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
+@@ -3355,7 +3355,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
/* if you care about this being correct, lock the buffer */
for_each_buffer_cpu(buffer, cpu) {
cpu_buffer = buffer->buffers[cpu];
@@ -96195,7 +96247,7 @@ index 774a080..d09b170 100644
}
return overruns;
-@@ -3527,8 +3527,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -3526,8 +3526,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
/*
* Reset the reader page to size zero.
*/
@@ -96206,7 +96258,7 @@ index 774a080..d09b170 100644
local_set(&cpu_buffer->reader_page->page->commit, 0);
cpu_buffer->reader_page->real_end = 0;
-@@ -3562,7 +3562,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -3561,7 +3561,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
* want to compare with the last_overrun.
*/
smp_mb();
@@ -96215,7 +96267,7 @@ index 774a080..d09b170 100644
/*
* Here's the tricky part.
-@@ -4134,8 +4134,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -4133,8 +4133,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
cpu_buffer->head_page
= list_entry(cpu_buffer->pages, struct buffer_page, list);
@@ -96226,7 +96278,7 @@ index 774a080..d09b170 100644
local_set(&cpu_buffer->head_page->page->commit, 0);
cpu_buffer->head_page->read = 0;
-@@ -4145,18 +4145,18 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -4144,18 +4144,18 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
INIT_LIST_HEAD(&cpu_buffer->new_pages);
@@ -96251,7 +96303,7 @@ index 774a080..d09b170 100644
cpu_buffer->read = 0;
cpu_buffer->read_bytes = 0;
-@@ -4557,8 +4557,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
+@@ -4556,8 +4556,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
rb_init_page(bpage);
bpage = reader->page;
reader->page = *data_page;
@@ -96715,6 +96767,20 @@ index e0731c3..ad66444 100644
if (is_on_stack == onstack)
return;
+diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c
+index f504027..97a15c0 100644
+--- a/lib/decompress_bunzip2.c
++++ b/lib/decompress_bunzip2.c
+@@ -665,7 +665,8 @@ static int INIT start_bunzip(struct bunzip_data **bdp, void *inbuf, int len,
+
+ /* Fourth byte (ascii '1'-'9'), indicates block size in units of 100k of
+ uncompressed data. Allocate intermediate buffer for block. */
+- bd->dbufSize = 100000*(i-BZh0);
++ i -= BZh0;
++ bd->dbufSize = 100000 * i;
+
+ bd->dbuf = large_malloc(bd->dbufSize * sizeof(int));
+ if (!bd->dbuf)
diff --git a/lib/devres.c b/lib/devres.c
index 8235331..5881053 100644
--- a/lib/devres.c
@@ -97277,7 +97343,7 @@ index 0922579..9d7adb9 100644
#endif
}
diff --git a/lib/string.c b/lib/string.c
-index 43d0781..64941b2 100644
+index cb9ea21..909c993 100644
--- a/lib/string.c
+++ b/lib/string.c
@@ -805,9 +805,9 @@ void *memchr_inv(const void *start, int c, size_t bytes)
@@ -104044,10 +104110,10 @@ index b442e7e..6f5b5a2 100644
{
struct socket *sock;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index e2b1bba..71bd8fe 100644
+index 69ec61a..61843ef 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
-@@ -360,18 +360,29 @@ refill:
+@@ -378,18 +378,29 @@ refill:
goto end;
}
nc->frag.size = PAGE_SIZE << order;
@@ -104084,7 +104150,7 @@ index e2b1bba..71bd8fe 100644
}
data = page_address(nc->frag.page) + nc->frag.offset;
-@@ -2004,7 +2015,7 @@ EXPORT_SYMBOL(__skb_checksum);
+@@ -2022,7 +2033,7 @@ EXPORT_SYMBOL(__skb_checksum);
__wsum skb_checksum(const struct sk_buff *skb, int offset,
int len, __wsum csum)
{
@@ -104093,7 +104159,7 @@ index e2b1bba..71bd8fe 100644
.update = csum_partial_ext,
.combine = csum_block_add_ext,
};
-@@ -3225,13 +3236,15 @@ void __init skb_init(void)
+@@ -3243,13 +3254,15 @@ void __init skb_init(void)
skbuff_head_cache = kmem_cache_create("skbuff_head_cache",
sizeof(struct sk_buff),
0,
@@ -104694,7 +104760,7 @@ index bf2cb4a..d83ba8a 100644
p->rate_tokens = 0;
/* 60*HZ is arbitrary, but chosen enough high so that the first
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
-index ecb34b5..5c5ab40 100644
+index 57075c4..bf162142 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -82,7 +82,7 @@ static int ip_forward_finish_gso(struct sk_buff *skb)
@@ -107805,7 +107871,7 @@ index 11de55e..f25e448 100644
return 0;
}
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 1d52506..b772b22 100644
+index a0b0ea9..62f0bc3 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -257,7 +257,7 @@ static void netlink_overrun(struct sock *sk)
@@ -107817,7 +107883,7 @@ index 1d52506..b772b22 100644
}
static void netlink_rcv_wake(struct sock *sk)
-@@ -2983,7 +2983,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
+@@ -2981,7 +2981,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
sk_wmem_alloc_get(s),
nlk->cb_running,
atomic_read(&s->sk_refcnt),
@@ -110564,10 +110630,10 @@ index 8fac3fd..32ff38d 100644
unsigned int secindex_strings;
diff --git a/security/Kconfig b/security/Kconfig
-index beb86b5..86bc440 100644
+index beb86b5..57a1143 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,974 @@
+@@ -4,6 +4,979 @@
menu "Security options"
@@ -110635,6 +110701,11 @@ index beb86b5..86bc440 100644
+ grsecurity and PaX settings manually. Via this method, no options are
+ automatically enabled.
+
++ Take note that if menuconfig is exited with this configuration method
++ chosen, you will not be able to use the automatic configuration methods
++ without starting again with a kernel configuration with no grsecurity
++ or PaX options specified inside.
++
+endchoice
+
+choice
@@ -111542,7 +111613,7 @@ index beb86b5..86bc440 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +1071,7 @@ config INTEL_TXT
+@@ -103,7 +1076,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -121159,10 +121230,10 @@ index 0000000..4378111
+}
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
new file mode 100644
-index 0000000..f314f81
+index 0000000..038e79d
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,6058 @@
+@@ -0,0 +1,6059 @@
+intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
+ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL
+storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
@@ -125366,6 +125437,7 @@ index 0000000..f314f81
+unix_dgram_sendmsg_45699 unix_dgram_sendmsg 4 45699 NULL nohasharray
+bscnl_emit_45699 bscnl_emit 2-5-0 45699 &unix_dgram_sendmsg_45699
+sg_proc_write_adio_45704 sg_proc_write_adio 3 45704 NULL
++sk_forced_wmem_schedule_45721 sk_forced_wmem_schedule 2 45721 NULL
+snd_cs46xx_io_read_45734 snd_cs46xx_io_read 5 45734 NULL nohasharray
+task_cgroup_path_45734 task_cgroup_path 3 45734 &snd_cs46xx_io_read_45734
+rw_copy_check_uvector_45748 rw_copy_check_uvector 3-0 45748 NULL nohasharray
@@ -128741,7 +128813,7 @@ index 0a578fe..b81f62d 100644
})
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 6611253..eb4bc0f 100644
+index eed250e..df7bf8c 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -77,12 +77,17 @@ LIST_HEAD(vm_list);
diff --git a/4.0.1/4425_grsec_remove_EI_PAX.patch b/3.14.41/4425_grsec_remove_EI_PAX.patch
index 86e242a..a80a5d7 100644
--- a/4.0.1/4425_grsec_remove_EI_PAX.patch
+++ b/3.14.41/4425_grsec_remove_EI_PAX.patch
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
--- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
+++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
-@@ -273,7 +273,7 @@
+@@ -278,7 +278,7 @@
config PAX_EI_PAX
bool 'Use legacy ELF header marking'
diff --git a/3.14.40/4427_force_XATTR_PAX_tmpfs.patch b/3.14.41/4427_force_XATTR_PAX_tmpfs.patch
index 4c236cc..4c236cc 100644
--- a/3.14.40/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.14.41/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.14.40/4430_grsec-remove-localversion-grsec.patch b/3.14.41/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.14.40/4430_grsec-remove-localversion-grsec.patch
+++ b/3.14.41/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.14.40/4435_grsec-mute-warnings.patch b/3.14.41/4435_grsec-mute-warnings.patch
index 392cefb..392cefb 100644
--- a/3.14.40/4435_grsec-mute-warnings.patch
+++ b/3.14.41/4435_grsec-mute-warnings.patch
diff --git a/3.14.40/4440_grsec-remove-protected-paths.patch b/3.14.41/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.14.40/4440_grsec-remove-protected-paths.patch
+++ b/3.14.41/4440_grsec-remove-protected-paths.patch
diff --git a/3.14.40/4450_grsec-kconfig-default-gids.patch b/3.14.41/4450_grsec-kconfig-default-gids.patch
index 8c878fc..b96defc 100644
--- a/3.14.40/4450_grsec-kconfig-default-gids.patch
+++ b/3.14.41/4450_grsec-kconfig-default-gids.patch
@@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
diff -Nuar a/security/Kconfig b/security/Kconfig
--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
-@@ -201,7 +201,7 @@
+@@ -206,7 +206,7 @@
config GRKERNSEC_PROC_GID
int "GID exempted from /proc restrictions"
@@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group will be exempted from
grsecurity's /proc restrictions, allowing users of the specified
-@@ -212,7 +212,7 @@
+@@ -217,7 +217,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group untrusted users should
be added to. These users will be placed under grsecurity's Trusted Path
-@@ -224,7 +224,7 @@
+@@ -229,7 +229,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -233,7 +233,7 @@
+@@ -238,7 +238,7 @@
config GRKERNSEC_SYMLINKOWN_GID
int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
depends on GRKERNSEC_CONFIG_SERVER
diff --git a/3.14.40/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.41/4465_selinux-avc_audit-log-curr_ip.patch
index bba906e..bba906e 100644
--- a/3.14.40/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.14.41/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.14.40/4470_disable-compat_vdso.patch b/3.14.41/4470_disable-compat_vdso.patch
index 3b3953b..3b3953b 100644
--- a/3.14.40/4470_disable-compat_vdso.patch
+++ b/3.14.41/4470_disable-compat_vdso.patch
diff --git a/4.0.1/4475_emutramp_default_on.patch b/3.14.41/4475_emutramp_default_on.patch
index ad4967a..a128205 100644
--- a/4.0.1/4475_emutramp_default_on.patch
+++ b/3.14.41/4475_emutramp_default_on.patch
@@ -10,7 +10,7 @@ See bug:
diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
+++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
-@@ -433,7 +433,7 @@
+@@ -438,7 +438,7 @@
config PAX_EMUTRAMP
bool "Emulate trampolines"
@@ -19,7 +19,7 @@ diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/secur
depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
help
There are some programs and libraries that for one reason or
-@@ -456,6 +456,12 @@
+@@ -461,6 +461,12 @@
utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
for the affected files.
diff --git a/3.2.68/0000_README b/3.2.68/0000_README
index 6316628..fb78cb8 100644
--- a/3.2.68/0000_README
+++ b/3.2.68/0000_README
@@ -190,7 +190,7 @@ Patch: 1067_linux-3.2.68.patch
From: http://www.kernel.org
Desc: Linux 3.2.68
-Patch: 4420_grsecurity-3.1-3.2.68-201505042051.patch
+Patch: 4420_grsecurity-3.1-3.2.68-201505091720.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.68/4420_grsecurity-3.1-3.2.68-201505042051.patch b/3.2.68/4420_grsecurity-3.1-3.2.68-201505091720.patch
index a45a2c2..eaddb1d 100644
--- a/3.2.68/4420_grsecurity-3.1-3.2.68-201505042051.patch
+++ b/3.2.68/4420_grsecurity-3.1-3.2.68-201505091720.patch
@@ -64660,9 +64660,18 @@ index bd8ae78..539d250 100644
ldm_crit ("Out of memory.");
return false;
diff --git a/fs/pipe.c b/fs/pipe.c
-index 8ca88fc..d1f8b8a 100644
+index 8ca88fc..a2aefd9 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
+@@ -33,7 +33,7 @@ unsigned int pipe_max_size = 1048576;
+ /*
+ * Minimum pipe size, as required by POSIX
+ */
+-unsigned int pipe_min_size = PAGE_SIZE;
++unsigned int pipe_min_size __read_only = PAGE_SIZE;
+
+ /*
+ * We use a start+len construction, which provides full use of the
@@ -437,9 +437,9 @@ redo:
}
if (bufs) /* More to do? */
@@ -64786,6 +64795,35 @@ index 8ca88fc..d1f8b8a 100644
inode->i_fop = &rdwr_pipefifo_fops;
/*
+@@ -1203,7 +1204,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages)
+ * Currently we rely on the pipe array holding a power-of-2 number
+ * of pages.
+ */
+-static inline unsigned int round_pipe_size(unsigned int size)
++static inline unsigned long round_pipe_size(unsigned long size)
+ {
+ unsigned long nr_pages;
+
+@@ -1253,13 +1254,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
+
+ switch (cmd) {
+ case F_SETPIPE_SZ: {
+- unsigned int size, nr_pages;
++ unsigned long size, nr_pages;
++
++ ret = -EINVAL;
++ if (arg < pipe_min_size)
++ goto out;
+
+ size = round_pipe_size(arg);
+ nr_pages = size >> PAGE_SHIFT;
+
+- ret = -EINVAL;
+- if (!nr_pages)
++ if (size < pipe_min_size)
+ goto out;
+
+ if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 6c70ab2..54c5656 100644
--- a/fs/posix_acl.c
@@ -66986,7 +67024,7 @@ index dba43c3..cb3437c 100644
{
const struct seq_operations *op = ((struct seq_file *)file->private_data)->op;
diff --git a/fs/splice.c b/fs/splice.c
-index 34c2b2b..2f91055 100644
+index 34c2b2b..cb9a1ed 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -195,7 +195,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
@@ -67050,6 +67088,15 @@ index 34c2b2b..2f91055 100644
return 0;
if (sd->flags & SPLICE_F_NONBLOCK)
+@@ -1187,7 +1187,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+ long ret, bytes;
+ umode_t i_mode;
+ size_t len;
+- int i, flags;
++ int i, flags, more;
+
+ /*
+ * We require the input being a regular file, as we don't want to
@@ -1213,7 +1213,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
* out of the pipe right after the splice_to_pipe(). So set
* PIPE_READERS appropriately.
@@ -67059,7 +67106,31 @@ index 34c2b2b..2f91055 100644
current->splice_pipe = pipe;
}
-@@ -1481,6 +1481,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
+@@ -1230,6 +1230,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+ * Don't block on output, we have to drain the direct pipe.
+ */
+ sd->flags &= ~SPLICE_F_NONBLOCK;
++ more = sd->flags & SPLICE_F_MORE;
+
+ while (len) {
+ size_t read_len;
+@@ -1243,6 +1244,15 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+ sd->total_len = read_len;
+
+ /*
++ * If more data is pending, set SPLICE_F_MORE
++ * If this is the last data and SPLICE_F_MORE was not set
++ * initially, clears it.
++ */
++ if (read_len < len)
++ sd->flags |= SPLICE_F_MORE;
++ else if (!more)
++ sd->flags &= ~SPLICE_F_MORE;
++ /*
+ * NOTE: nonblocking mode only applies to the input. We
+ * must not do the output in nonblocking mode as then we
+ * could get stuck data in the internal pipe:
+@@ -1481,6 +1491,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
partial[buffers].offset = off;
partial[buffers].len = plen;
@@ -67067,7 +67138,7 @@ index 34c2b2b..2f91055 100644
off = 0;
len -= plen;
-@@ -1766,9 +1767,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1766,9 +1777,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
ret = -ERESTARTSYS;
break;
}
@@ -67079,7 +67150,7 @@ index 34c2b2b..2f91055 100644
if (flags & SPLICE_F_NONBLOCK) {
ret = -EAGAIN;
break;
-@@ -1800,7 +1801,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1800,7 +1811,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
pipe_lock(pipe);
while (pipe->nrbufs >= pipe->buffers) {
@@ -67088,7 +67159,7 @@ index 34c2b2b..2f91055 100644
send_sig(SIGPIPE, current, 0);
ret = -EPIPE;
break;
-@@ -1813,9 +1814,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1813,9 +1824,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
ret = -ERESTARTSYS;
break;
}
@@ -67100,7 +67171,7 @@ index 34c2b2b..2f91055 100644
}
pipe_unlock(pipe);
-@@ -1851,14 +1852,14 @@ retry:
+@@ -1851,14 +1862,14 @@ retry:
pipe_double_lock(ipipe, opipe);
do {
@@ -67117,7 +67188,7 @@ index 34c2b2b..2f91055 100644
break;
/*
-@@ -1955,7 +1956,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -1955,7 +1966,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
pipe_double_lock(ipipe, opipe);
do {
@@ -67126,7 +67197,7 @@ index 34c2b2b..2f91055 100644
send_sig(SIGPIPE, current, 0);
if (!ret)
ret = -EPIPE;
-@@ -2000,7 +2001,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -2000,7 +2011,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
* return EAGAIN if we have the potential of some data in the
* future, otherwise just return 0
*/
@@ -80829,10 +80900,10 @@ index 081147d..da89543 100644
extern void
diff --git a/include/linux/compat.h b/include/linux/compat.h
-index d42bd48..554dcd5 100644
+index d42bd48..a20850d 100644
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
-@@ -240,7 +240,7 @@ long compat_sys_msgrcv(int first, int second, int msgtyp, int third,
+@@ -240,10 +240,10 @@ long compat_sys_msgrcv(int first, int second, int msgtyp, int third,
int version, void __user *uptr);
long compat_sys_msgctl(int first, int second, void __user *uptr);
long compat_sys_shmat(int first, int second, compat_uptr_t third, int version,
@@ -80840,7 +80911,11 @@ index d42bd48..554dcd5 100644
+ void __user *uptr) __intentional_overflow(0);
long compat_sys_shmctl(int first, int second, void __user *uptr);
long compat_sys_semtimedop(int semid, struct sembuf __user *tsems,
- unsigned nsems, const struct compat_timespec __user *timeout);
+- unsigned nsems, const struct compat_timespec __user *timeout);
++ compat_long_t nsems, const struct compat_timespec __user *timeout);
+ asmlinkage long compat_sys_keyctl(u32 option,
+ u32 arg2, u32 arg3, u32 arg4, u32 arg5);
+ asmlinkage long compat_sys_ustat(unsigned dev, struct compat_ustat __user *u32);
@@ -334,7 +334,7 @@ extern int compat_ptrace_request(struct task_struct *child,
extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
compat_ulong_t addr, compat_ulong_t data);
@@ -86408,7 +86483,7 @@ index ea0c02f..0eed39d 100644
#ifdef __arch_swab64
return __arch_swab64(val);
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
-index 86a24b11..b6048c1 100644
+index 86a24b11..a84e6d1 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -83,12 +83,19 @@ struct file_handle;
@@ -86462,6 +86537,19 @@ index 86a24b11..b6048c1 100644
asmlinkage long sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags);
asmlinkage long sys_sendmmsg(int fd, struct mmsghdr __user *msg,
unsigned int vlen, unsigned flags);
+@@ -667,10 +674,10 @@ asmlinkage long sys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf);
+
+ asmlinkage long sys_semget(key_t key, int nsems, int semflg);
+ asmlinkage long sys_semop(int semid, struct sembuf __user *sops,
+- unsigned nsops);
++ long nsops);
+ asmlinkage long sys_semctl(int semid, int semnum, int cmd, union semun arg);
+ asmlinkage long sys_semtimedop(int semid, struct sembuf __user *sops,
+- unsigned nsops,
++ long nsops,
+ const struct timespec __user *timeout);
+ asmlinkage long sys_shmat(int shmid, char __user *shmaddr, int shmflg);
+ asmlinkage long sys_shmget(key_t key, size_t size, int flag);
diff --git a/include/linux/syscore_ops.h b/include/linux/syscore_ops.h
index 27b3b0b..e093dd9 100644
--- a/include/linux/syscore_ops.h
@@ -89095,6 +89183,19 @@ index e937d9b..4700693 100644
/*
* Ok, we have completed the initial bootup, and
* we're essentially up and running. Get rid of the
+diff --git a/ipc/compat.c b/ipc/compat.c
+index 845a287..6a0666b 100644
+--- a/ipc/compat.c
++++ b/ipc/compat.c
+@@ -672,7 +672,7 @@ long compat_sys_shmctl(int first, int second, void __user *uptr)
+ }
+
+ long compat_sys_semtimedop(int semid, struct sembuf __user *tsems,
+- unsigned nsops, const struct compat_timespec __user *timeout)
++ compat_long_t nsops, const struct compat_timespec __user *timeout)
+ {
+ struct timespec __user *ts64 = NULL;
+ if (timeout) {
diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
index 00fba2b..9afd545 100644
--- a/ipc/ipc_sysctl.c
@@ -89208,7 +89309,7 @@ index 25f1a61..58f7ac1 100644
msg_params.flg = msgflg;
diff --git a/ipc/sem.c b/ipc/sem.c
-index 5215a81..cfc0cac 100644
+index 5215a81..bbbca2e 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -364,10 +364,15 @@ static inline int sem_more_checks(struct kern_ipc_perm *ipcp,
@@ -89239,6 +89340,24 @@ index 5215a81..cfc0cac 100644
sem_params.key = key;
sem_params.flg = semflg;
sem_params.u.nsems = nsems;
+@@ -1328,7 +1329,7 @@ static int get_queue_result(struct sem_queue *q)
+
+
+ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
+- unsigned, nsops, const struct timespec __user *, timeout)
++ long, nsops, const struct timespec __user *, timeout)
+ {
+ int error = -EINVAL;
+ struct sem_array *sma;
+@@ -1546,7 +1547,7 @@ out_free:
+ }
+
+ SYSCALL_DEFINE3(semop, int, semid, struct sembuf __user *, tsops,
+- unsigned, nsops)
++ long, nsops)
+ {
+ return sys_semtimedop(semid, tsops, nsops, NULL);
+ }
diff --git a/ipc/shm.c b/ipc/shm.c
index 326a20b..62e6b7e 100644
--- a/ipc/shm.c
@@ -96546,6 +96665,20 @@ index a78b7c6..2c73084 100644
if (is_on_stack == onstack)
return;
+diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c
+index 6a110e2..799667a 100644
+--- a/lib/decompress_bunzip2.c
++++ b/lib/decompress_bunzip2.c
+@@ -666,7 +666,8 @@ static int INIT start_bunzip(struct bunzip_data **bdp, void *inbuf, int len,
+
+ /* Fourth byte (ascii '1'-'9'), indicates block size in units of 100k of
+ uncompressed data. Allocate intermediate buffer for block. */
+- bd->dbufSize = 100000*(i-BZh0);
++ i -= BZh0;
++ bd->dbufSize = 100000 * i;
+
+ bd->dbuf = large_malloc(bd->dbufSize * sizeof(int));
+ if (!bd->dbuf)
diff --git a/lib/devres.c b/lib/devres.c
index 7c0e953..f642b5c 100644
--- a/lib/devres.c
@@ -112432,10 +112565,10 @@ index 38f6617..e70b72b 100755
exuberant()
diff --git a/security/Kconfig b/security/Kconfig
-index 51bd5a0..60c36a1 100644
+index 51bd5a0..9cb2b83 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,972 @@
+@@ -4,6 +4,977 @@
menu "Security options"
@@ -112502,6 +112635,11 @@ index 51bd5a0..60c36a1 100644
+ grsecurity and PaX settings manually. Via this method, no options are
+ automatically enabled.
+
++ Take note that if menuconfig is exited with this configuration method
++ chosen, you will not be able to use the automatic configuration methods
++ without starting again with a kernel configuration with no grsecurity
++ or PaX options specified inside.
++
+endchoice
+
+choice
@@ -113408,7 +113546,7 @@ index 51bd5a0..60c36a1 100644
config KEYS
bool "Enable access key retention support"
help
-@@ -169,7 +1135,7 @@ config INTEL_TXT
+@@ -169,7 +1140,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
diff --git a/3.2.68/4425_grsec_remove_EI_PAX.patch b/3.2.68/4425_grsec_remove_EI_PAX.patch
index 366baa8..ba92792 100644
--- a/3.2.68/4425_grsec_remove_EI_PAX.patch
+++ b/3.2.68/4425_grsec_remove_EI_PAX.patch
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
--- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
+++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
-@@ -272,7 +272,7 @@
+@@ -277,7 +277,7 @@
config PAX_EI_PAX
bool 'Use legacy ELF header marking'
diff --git a/3.2.68/4450_grsec-kconfig-default-gids.patch b/3.2.68/4450_grsec-kconfig-default-gids.patch
index 26dedae..5e1cb04 100644
--- a/3.2.68/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.68/4450_grsec-kconfig-default-gids.patch
@@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
diff -Nuar a/security/Kconfig b/security/Kconfig
--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
-@@ -200,7 +200,7 @@
+@@ -205,7 +205,7 @@
config GRKERNSEC_PROC_GID
int "GID exempted from /proc restrictions"
@@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group will be exempted from
grsecurity's /proc restrictions, allowing users of the specified
-@@ -211,7 +211,7 @@
+@@ -216,7 +216,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group untrusted users should
be added to. These users will be placed under grsecurity's Trusted Path
-@@ -223,7 +223,7 @@
+@@ -228,7 +228,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -232,7 +232,7 @@
+@@ -237,7 +237,7 @@
config GRKERNSEC_SYMLINKOWN_GID
int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
depends on GRKERNSEC_CONFIG_SERVER
diff --git a/3.2.68/4475_emutramp_default_on.patch b/3.2.68/4475_emutramp_default_on.patch
index 1f3d51a..2db58ab 100644
--- a/3.2.68/4475_emutramp_default_on.patch
+++ b/3.2.68/4475_emutramp_default_on.patch
@@ -10,7 +10,7 @@ See bug:
diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
+++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
-@@ -432,7 +432,7 @@
+@@ -437,7 +437,7 @@
config PAX_EMUTRAMP
bool "Emulate trampolines"
@@ -19,7 +19,7 @@ diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/secur
depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
help
There are some programs and libraries that for one reason or
-@@ -455,6 +455,12 @@
+@@ -460,6 +460,12 @@
utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
for the affected files.
diff --git a/4.0.1/0000_README b/4.0.2/0000_README
index 9db745a..f34197d 100644
--- a/4.0.1/0000_README
+++ b/4.0.2/0000_README
@@ -2,7 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.0.1-201505042053.patch
+Patch: 1002_linux-4.0.2.patch
+From: http://www.kernel.org
+Desc: Linux 4.0.2
+
+Patch: 4420_grsecurity-3.1-4.0.2-201505091724.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.0.2/1001_linux-4.0.2.patch b/4.0.2/1001_linux-4.0.2.patch
new file mode 100644
index 0000000..38a75b2
--- /dev/null
+++ b/4.0.2/1001_linux-4.0.2.patch
@@ -0,0 +1,8587 @@
+diff --git a/Documentation/networking/scaling.txt b/Documentation/networking/scaling.txt
+index 99ca40e..5c204df 100644
+--- a/Documentation/networking/scaling.txt
++++ b/Documentation/networking/scaling.txt
+@@ -282,7 +282,7 @@ following is true:
+
+ - The current CPU's queue head counter >= the recorded tail counter
+ value in rps_dev_flow[i]
+-- The current CPU is unset (equal to RPS_NO_CPU)
++- The current CPU is unset (>= nr_cpu_ids)
+ - The current CPU is offline
+
+ After this check, the packet is sent to the (possibly updated) current
+diff --git a/Documentation/virtual/kvm/devices/s390_flic.txt b/Documentation/virtual/kvm/devices/s390_flic.txt
+index 4ceef53..d1ad9d5 100644
+--- a/Documentation/virtual/kvm/devices/s390_flic.txt
++++ b/Documentation/virtual/kvm/devices/s390_flic.txt
+@@ -27,6 +27,9 @@ Groups:
+ Copies all floating interrupts into a buffer provided by userspace.
+ When the buffer is too small it returns -ENOMEM, which is the indication
+ for userspace to try again with a bigger buffer.
++ -ENOBUFS is returned when the allocation of a kernelspace buffer has
++ failed.
++ -EFAULT is returned when copying data to userspace failed.
+ All interrupts remain pending, i.e. are not deleted from the list of
+ currently pending interrupts.
+ attr->addr contains the userspace address of the buffer into which all
+diff --git a/Makefile b/Makefile
+index f499cd2..0649a60 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 0
+-SUBLEVEL = 1
++SUBLEVEL = 2
+ EXTRAVERSION =
+ NAME = Hurr durr I'ma sheep
+
+diff --git a/arch/arm/boot/dts/at91-sama5d3_xplained.dts b/arch/arm/boot/dts/at91-sama5d3_xplained.dts
+index fec1fca..6c4bc53 100644
+--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts
++++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts
+@@ -167,7 +167,13 @@
+
+ macb1: ethernet@f802c000 {
+ phy-mode = "rmii";
++ #address-cells = <1>;
++ #size-cells = <0>;
+ status = "okay";
++
++ ethernet-phy@1 {
++ reg = <0x1>;
++ };
+ };
+
+ dbgu: serial@ffffee00 {
+diff --git a/arch/arm/boot/dts/dove.dtsi b/arch/arm/boot/dts/dove.dtsi
+index a5441d5..3cc8b83 100644
+--- a/arch/arm/boot/dts/dove.dtsi
++++ b/arch/arm/boot/dts/dove.dtsi
+@@ -154,7 +154,7 @@
+
+ uart2: serial@12200 {
+ compatible = "ns16550a";
+- reg = <0x12000 0x100>;
++ reg = <0x12200 0x100>;
+ reg-shift = <2>;
+ interrupts = <9>;
+ clocks = <&core_clk 0>;
+@@ -163,7 +163,7 @@
+
+ uart3: serial@12300 {
+ compatible = "ns16550a";
+- reg = <0x12100 0x100>;
++ reg = <0x12300 0x100>;
+ reg-shift = <2>;
+ interrupts = <10>;
+ clocks = <&core_clk 0>;
+diff --git a/arch/arm/boot/dts/exynos5250-spring.dts b/arch/arm/boot/dts/exynos5250-spring.dts
+index f027754..c41600e 100644
+--- a/arch/arm/boot/dts/exynos5250-spring.dts
++++ b/arch/arm/boot/dts/exynos5250-spring.dts
+@@ -429,7 +429,6 @@
+ &mmc_0 {
+ status = "okay";
+ num-slots = <1>;
+- supports-highspeed;
+ broken-cd;
+ card-detect-delay = <200>;
+ samsung,dw-mshc-ciu-div = <3>;
+@@ -437,11 +436,8 @@
+ samsung,dw-mshc-ddr-timing = <1 2>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&sd0_clk &sd0_cmd &sd0_cd &sd0_bus4 &sd0_bus8>;
+-
+- slot@0 {
+- reg = <0>;
+- bus-width = <8>;
+- };
++ bus-width = <8>;
++ cap-mmc-highspeed;
+ };
+
+ /*
+@@ -451,7 +447,6 @@
+ &mmc_1 {
+ status = "okay";
+ num-slots = <1>;
+- supports-highspeed;
+ broken-cd;
+ card-detect-delay = <200>;
+ samsung,dw-mshc-ciu-div = <3>;
+@@ -459,11 +454,8 @@
+ samsung,dw-mshc-ddr-timing = <1 2>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&sd1_clk &sd1_cmd &sd1_cd &sd1_bus4>;
+-
+- slot@0 {
+- reg = <0>;
+- bus-width = <4>;
+- };
++ bus-width = <4>;
++ cap-sd-highspeed;
+ };
+
+ &pinctrl_0 {
+diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
+index afb9caf..674d03f 100644
+--- a/arch/arm/include/asm/elf.h
++++ b/arch/arm/include/asm/elf.h
+@@ -115,7 +115,7 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
+ the loader. We need to make sure that it is out of the way of the program
+ that it will "exec", and that there is sufficient room for the brk. */
+
+-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
+
+ /* When the program starts, a1 contains a pointer to a function to be
+ registered with atexit, as per the SVR4 ABI. A value of 0 means we
+diff --git a/arch/arm/include/uapi/asm/kvm.h b/arch/arm/include/uapi/asm/kvm.h
+index 0db25bc..3a42ac6 100644
+--- a/arch/arm/include/uapi/asm/kvm.h
++++ b/arch/arm/include/uapi/asm/kvm.h
+@@ -195,8 +195,14 @@ struct kvm_arch_memory_slot {
+ #define KVM_ARM_IRQ_CPU_IRQ 0
+ #define KVM_ARM_IRQ_CPU_FIQ 1
+
+-/* Highest supported SPI, from VGIC_NR_IRQS */
++/*
++ * This used to hold the highest supported SPI, but it is now obsolete
++ * and only here to provide source code level compatibility with older
++ * userland. The highest SPI number can be set via KVM_DEV_ARM_VGIC_GRP_NR_IRQS.
++ */
++#ifndef __KERNEL__
+ #define KVM_ARM_IRQ_GIC_MAX 127
++#endif
+
+ /* PSCI interface */
+ #define KVM_PSCI_FN_BASE 0x95c1ba5e
+diff --git a/arch/arm/kernel/hibernate.c b/arch/arm/kernel/hibernate.c
+index c4cc50e..cfb354f 100644
+--- a/arch/arm/kernel/hibernate.c
++++ b/arch/arm/kernel/hibernate.c
+@@ -22,6 +22,7 @@
+ #include <asm/suspend.h>
+ #include <asm/memory.h>
+ #include <asm/sections.h>
++#include "reboot.h"
+
+ int pfn_is_nosave(unsigned long pfn)
+ {
+@@ -61,7 +62,7 @@ static int notrace arch_save_image(unsigned long unused)
+
+ ret = swsusp_save();
+ if (ret == 0)
+- soft_restart(virt_to_phys(cpu_resume));
++ _soft_restart(virt_to_phys(cpu_resume), false);
+ return ret;
+ }
+
+@@ -86,7 +87,7 @@ static void notrace arch_restore_image(void *unused)
+ for (pbe = restore_pblist; pbe; pbe = pbe->next)
+ copy_page(pbe->orig_address, pbe->address);
+
+- soft_restart(virt_to_phys(cpu_resume));
++ _soft_restart(virt_to_phys(cpu_resume), false);
+ }
+
+ static u64 resume_stack[PAGE_SIZE/2/sizeof(u64)] __nosavedata;
+diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
+index fdfa3a7..2bf1a16 100644
+--- a/arch/arm/kernel/process.c
++++ b/arch/arm/kernel/process.c
+@@ -41,6 +41,7 @@
+ #include <asm/system_misc.h>
+ #include <asm/mach/time.h>
+ #include <asm/tls.h>
++#include "reboot.h"
+
+ #ifdef CONFIG_CC_STACKPROTECTOR
+ #include <linux/stackprotector.h>
+@@ -95,7 +96,7 @@ static void __soft_restart(void *addr)
+ BUG();
+ }
+
+-void soft_restart(unsigned long addr)
++void _soft_restart(unsigned long addr, bool disable_l2)
+ {
+ u64 *stack = soft_restart_stack + ARRAY_SIZE(soft_restart_stack);
+
+@@ -104,7 +105,7 @@ void soft_restart(unsigned long addr)
+ local_fiq_disable();
+
+ /* Disable the L2 if we're the last man standing. */
+- if (num_online_cpus() == 1)
++ if (disable_l2)
+ outer_disable();
+
+ /* Change to the new stack and continue with the reset. */
+@@ -114,6 +115,11 @@ void soft_restart(unsigned long addr)
+ BUG();
+ }
+
++void soft_restart(unsigned long addr)
++{
++ _soft_restart(addr, num_online_cpus() == 1);
++}
++
+ /*
+ * Function pointers to optional machine specific functions
+ */
+diff --git a/arch/arm/kernel/reboot.h b/arch/arm/kernel/reboot.h
+new file mode 100644
+index 0000000..c87f058
+--- /dev/null
++++ b/arch/arm/kernel/reboot.h
+@@ -0,0 +1,6 @@
++#ifndef REBOOT_H
++#define REBOOT_H
++
++extern void _soft_restart(unsigned long addr, bool disable_l2);
++
++#endif
+diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
+index 5560f74..b652af5 100644
+--- a/arch/arm/kvm/arm.c
++++ b/arch/arm/kvm/arm.c
+@@ -651,8 +651,7 @@ int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irq_level,
+ if (!irqchip_in_kernel(kvm))
+ return -ENXIO;
+
+- if (irq_num < VGIC_NR_PRIVATE_IRQS ||
+- irq_num > KVM_ARM_IRQ_GIC_MAX)
++ if (irq_num < VGIC_NR_PRIVATE_IRQS)
+ return -EINVAL;
+
+ return kvm_vgic_inject_irq(kvm, 0, irq_num, level);
+diff --git a/arch/arm/mach-mvebu/pmsu.c b/arch/arm/mach-mvebu/pmsu.c
+index 8b9f5e2..4f4e222 100644
+--- a/arch/arm/mach-mvebu/pmsu.c
++++ b/arch/arm/mach-mvebu/pmsu.c
+@@ -415,6 +415,9 @@ static __init int armada_38x_cpuidle_init(void)
+ void __iomem *mpsoc_base;
+ u32 reg;
+
++ pr_warn("CPU idle is currently broken on Armada 38x: disabling");
++ return 0;
++
+ np = of_find_compatible_node(NULL, NULL,
+ "marvell,armada-380-coherency-fabric");
+ if (!np)
+@@ -476,6 +479,16 @@ static int __init mvebu_v7_cpu_pm_init(void)
+ return 0;
+ of_node_put(np);
+
++ /*
++ * Currently the CPU idle support for Armada 38x is broken, as
++ * the CPU hotplug uses some of the CPU idle functions it is
++ * broken too, so let's disable it
++ */
++ if (of_machine_is_compatible("marvell,armada380")) {
++ cpu_hotplug_disable();
++ pr_warn("CPU hotplug support is currently broken on Armada 38x: disabling");
++ }
++
+ if (of_machine_is_compatible("marvell,armadaxp"))
+ ret = armada_xp_cpuidle_init();
+ else if (of_machine_is_compatible("marvell,armada370"))
+@@ -489,7 +502,8 @@ static int __init mvebu_v7_cpu_pm_init(void)
+ return ret;
+
+ mvebu_v7_pmsu_enable_l2_powerdown_onidle();
+- platform_device_register(&mvebu_v7_cpuidle_device);
++ if (mvebu_v7_cpuidle_device.name)
++ platform_device_register(&mvebu_v7_cpuidle_device);
+ cpu_pm_register_notifier(&mvebu_v7_cpu_pm_notifier);
+
+ return 0;
+diff --git a/arch/arm/mach-s3c64xx/crag6410.h b/arch/arm/mach-s3c64xx/crag6410.h
+index 7bc6668..dcbe17f 100644
+--- a/arch/arm/mach-s3c64xx/crag6410.h
++++ b/arch/arm/mach-s3c64xx/crag6410.h
+@@ -14,6 +14,7 @@
+ #include <mach/gpio-samsung.h>
+
+ #define GLENFARCLAS_PMIC_IRQ_BASE IRQ_BOARD_START
++#define BANFF_PMIC_IRQ_BASE (IRQ_BOARD_START + 64)
+
+ #define PCA935X_GPIO_BASE GPIO_BOARD_START
+ #define CODEC_GPIO_BASE (GPIO_BOARD_START + 8)
+diff --git a/arch/arm/mach-s3c64xx/mach-crag6410.c b/arch/arm/mach-s3c64xx/mach-crag6410.c
+index 10b913b..65c426b 100644
+--- a/arch/arm/mach-s3c64xx/mach-crag6410.c
++++ b/arch/arm/mach-s3c64xx/mach-crag6410.c
+@@ -554,6 +554,7 @@ static struct wm831x_touch_pdata touch_pdata = {
+
+ static struct wm831x_pdata crag_pmic_pdata = {
+ .wm831x_num = 1,
++ .irq_base = BANFF_PMIC_IRQ_BASE,
+ .gpio_base = BANFF_PMIC_GPIO_BASE,
+ .soft_shutdown = true,
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 1b8e973..a6186c2 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -361,6 +361,27 @@ config ARM64_ERRATUM_832075
+
+ If unsure, say Y.
+
++config ARM64_ERRATUM_845719
++ bool "Cortex-A53: 845719: a load might read incorrect data"
++ depends on COMPAT
++ default y
++ help
++ This option adds an alternative code sequence to work around ARM
++ erratum 845719 on Cortex-A53 parts up to r0p4.
++
++ When running a compat (AArch32) userspace on an affected Cortex-A53
++ part, a load at EL0 from a virtual address that matches the bottom 32
++ bits of the virtual address used by a recent load at (AArch64) EL1
++ might return incorrect data.
++
++ The workaround is to write the contextidr_el1 register on exception
++ return to a 32-bit task.
++ Please note that this does not necessarily enable the workaround,
++ as it depends on the alternative framework, which will only patch
++ the kernel if an affected CPU is detected.
++
++ If unsure, say Y.
++
+ endmenu
+
+
+@@ -470,6 +491,10 @@ config HOTPLUG_CPU
+
+ source kernel/Kconfig.preempt
+
++config UP_LATE_INIT
++ def_bool y
++ depends on !SMP
++
+ config HZ
+ int
+ default 100
+diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
+index 69ceedc..4d2a925 100644
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -48,7 +48,7 @@ core-$(CONFIG_KVM) += arch/arm64/kvm/
+ core-$(CONFIG_XEN) += arch/arm64/xen/
+ core-$(CONFIG_CRYPTO) += arch/arm64/crypto/
+ libs-y := arch/arm64/lib/ $(libs-y)
+-libs-$(CONFIG_EFI_STUB) += drivers/firmware/efi/libstub/
++core-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a
+
+ # Default target when executing plain make
+ KBUILD_IMAGE := Image.gz
+diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h
+index b6c16d5..3f0c53c 100644
+--- a/arch/arm64/include/asm/cpufeature.h
++++ b/arch/arm64/include/asm/cpufeature.h
+@@ -23,8 +23,9 @@
+
+ #define ARM64_WORKAROUND_CLEAN_CACHE 0
+ #define ARM64_WORKAROUND_DEVICE_LOAD_ACQUIRE 1
++#define ARM64_WORKAROUND_845719 2
+
+-#define ARM64_NCAPS 2
++#define ARM64_NCAPS 3
+
+ #ifndef __ASSEMBLY__
+
+diff --git a/arch/arm64/include/asm/smp_plat.h b/arch/arm64/include/asm/smp_plat.h
+index 59e2823..8dcd61e 100644
+--- a/arch/arm64/include/asm/smp_plat.h
++++ b/arch/arm64/include/asm/smp_plat.h
+@@ -40,4 +40,6 @@ static inline u32 mpidr_hash_size(void)
+ extern u64 __cpu_logical_map[NR_CPUS];
+ #define cpu_logical_map(cpu) __cpu_logical_map[cpu]
+
++void __init do_post_cpus_up_work(void);
++
+ #endif /* __ASM_SMP_PLAT_H */
+diff --git a/arch/arm64/include/uapi/asm/kvm.h b/arch/arm64/include/uapi/asm/kvm.h
+index 3ef77a4..bc49a18 100644
+--- a/arch/arm64/include/uapi/asm/kvm.h
++++ b/arch/arm64/include/uapi/asm/kvm.h
+@@ -188,8 +188,14 @@ struct kvm_arch_memory_slot {
+ #define KVM_ARM_IRQ_CPU_IRQ 0
+ #define KVM_ARM_IRQ_CPU_FIQ 1
+
+-/* Highest supported SPI, from VGIC_NR_IRQS */
++/*
++ * This used to hold the highest supported SPI, but it is now obsolete
++ * and only here to provide source code level compatibility with older
++ * userland. The highest SPI number can be set via KVM_DEV_ARM_VGIC_GRP_NR_IRQS.
++ */
++#ifndef __KERNEL__
+ #define KVM_ARM_IRQ_GIC_MAX 127
++#endif
+
+ /* PSCI interface */
+ #define KVM_PSCI_FN_BASE 0x95c1ba5e
+diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
+index fa62637..ad6d523 100644
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -88,7 +88,16 @@ struct arm64_cpu_capabilities arm64_errata[] = {
+ /* Cortex-A57 r0p0 - r1p2 */
+ .desc = "ARM erratum 832075",
+ .capability = ARM64_WORKAROUND_DEVICE_LOAD_ACQUIRE,
+- MIDR_RANGE(MIDR_CORTEX_A57, 0x00, 0x12),
++ MIDR_RANGE(MIDR_CORTEX_A57, 0x00,
++ (1 << MIDR_VARIANT_SHIFT) | 2),
++ },
++#endif
++#ifdef CONFIG_ARM64_ERRATUM_845719
++ {
++ /* Cortex-A53 r0p[01234] */
++ .desc = "ARM erratum 845719",
++ .capability = ARM64_WORKAROUND_845719,
++ MIDR_RANGE(MIDR_CORTEX_A53, 0x00, 0x04),
+ },
+ #endif
+ {
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index cf21bb3..959fe87 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -21,8 +21,10 @@
+ #include <linux/init.h>
+ #include <linux/linkage.h>
+
++#include <asm/alternative-asm.h>
+ #include <asm/assembler.h>
+ #include <asm/asm-offsets.h>
++#include <asm/cpufeature.h>
+ #include <asm/errno.h>
+ #include <asm/esr.h>
+ #include <asm/thread_info.h>
+@@ -120,6 +122,24 @@
+ ct_user_enter
+ ldr x23, [sp, #S_SP] // load return stack pointer
+ msr sp_el0, x23
++
++#ifdef CONFIG_ARM64_ERRATUM_845719
++ alternative_insn \
++ "nop", \
++ "tbz x22, #4, 1f", \
++ ARM64_WORKAROUND_845719
++#ifdef CONFIG_PID_IN_CONTEXTIDR
++ alternative_insn \
++ "nop; nop", \
++ "mrs x29, contextidr_el1; msr contextidr_el1, x29; 1:", \
++ ARM64_WORKAROUND_845719
++#else
++ alternative_insn \
++ "nop", \
++ "msr contextidr_el1, xzr; 1:", \
++ ARM64_WORKAROUND_845719
++#endif
++#endif
+ .endif
+ msr elr_el1, x21 // set up the return data
+ msr spsr_el1, x22
+diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
+index 07f9305..c237ffb 100644
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -426,6 +426,7 @@ __create_page_tables:
+ */
+ mov x0, x25
+ add x1, x26, #SWAPPER_DIR_SIZE
++ dmb sy
+ bl __inval_cache_range
+
+ mov lr, x27
+diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
+index e8420f6..781f469 100644
+--- a/arch/arm64/kernel/setup.c
++++ b/arch/arm64/kernel/setup.c
+@@ -207,6 +207,18 @@ static void __init smp_build_mpidr_hash(void)
+ }
+ #endif
+
++void __init do_post_cpus_up_work(void)
++{
++ apply_alternatives_all();
++}
++
++#ifdef CONFIG_UP_LATE_INIT
++void __init up_late_init(void)
++{
++ do_post_cpus_up_work();
++}
++#endif /* CONFIG_UP_LATE_INIT */
++
+ static void __init setup_processor(void)
+ {
+ struct cpu_info *cpu_info;
+diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
+index 328b8ce..4257369 100644
+--- a/arch/arm64/kernel/smp.c
++++ b/arch/arm64/kernel/smp.c
+@@ -309,7 +309,7 @@ void cpu_die(void)
+ void __init smp_cpus_done(unsigned int max_cpus)
+ {
+ pr_info("SMP: Total of %d processors activated.\n", num_online_cpus());
+- apply_alternatives_all();
++ do_post_cpus_up_work();
+ }
+
+ void __init smp_prepare_boot_cpu(void)
+diff --git a/arch/c6x/kernel/time.c b/arch/c6x/kernel/time.c
+index 356ee84..04845aa 100644
+--- a/arch/c6x/kernel/time.c
++++ b/arch/c6x/kernel/time.c
+@@ -49,7 +49,7 @@ u64 sched_clock(void)
+ return (tsc * sched_clock_multiplier) >> SCHED_CLOCK_SHIFT;
+ }
+
+-void time_init(void)
++void __init time_init(void)
+ {
+ u64 tmp = (u64)NSEC_PER_SEC << SCHED_CLOCK_SHIFT;
+
+diff --git a/arch/mips/include/asm/asm-eva.h b/arch/mips/include/asm/asm-eva.h
+index e41c56e..1e38f0e 100644
+--- a/arch/mips/include/asm/asm-eva.h
++++ b/arch/mips/include/asm/asm-eva.h
+@@ -11,6 +11,36 @@
+ #define __ASM_ASM_EVA_H
+
+ #ifndef __ASSEMBLY__
++
++/* Kernel variants */
++
++#define kernel_cache(op, base) "cache " op ", " base "\n"
++#define kernel_ll(reg, addr) "ll " reg ", " addr "\n"
++#define kernel_sc(reg, addr) "sc " reg ", " addr "\n"
++#define kernel_lw(reg, addr) "lw " reg ", " addr "\n"
++#define kernel_lwl(reg, addr) "lwl " reg ", " addr "\n"
++#define kernel_lwr(reg, addr) "lwr " reg ", " addr "\n"
++#define kernel_lh(reg, addr) "lh " reg ", " addr "\n"
++#define kernel_lb(reg, addr) "lb " reg ", " addr "\n"
++#define kernel_lbu(reg, addr) "lbu " reg ", " addr "\n"
++#define kernel_sw(reg, addr) "sw " reg ", " addr "\n"
++#define kernel_swl(reg, addr) "swl " reg ", " addr "\n"
++#define kernel_swr(reg, addr) "swr " reg ", " addr "\n"
++#define kernel_sh(reg, addr) "sh " reg ", " addr "\n"
++#define kernel_sb(reg, addr) "sb " reg ", " addr "\n"
++
++#ifdef CONFIG_32BIT
++/*
++ * No 'sd' or 'ld' instructions in 32-bit but the code will
++ * do the correct thing
++ */
++#define kernel_sd(reg, addr) user_sw(reg, addr)
++#define kernel_ld(reg, addr) user_lw(reg, addr)
++#else
++#define kernel_sd(reg, addr) "sd " reg", " addr "\n"
++#define kernel_ld(reg, addr) "ld " reg", " addr "\n"
++#endif /* CONFIG_32BIT */
++
+ #ifdef CONFIG_EVA
+
+ #define __BUILD_EVA_INSN(insn, reg, addr) \
+@@ -41,37 +71,60 @@
+
+ #else
+
+-#define user_cache(op, base) "cache " op ", " base "\n"
+-#define user_ll(reg, addr) "ll " reg ", " addr "\n"
+-#define user_sc(reg, addr) "sc " reg ", " addr "\n"
+-#define user_lw(reg, addr) "lw " reg ", " addr "\n"
+-#define user_lwl(reg, addr) "lwl " reg ", " addr "\n"
+-#define user_lwr(reg, addr) "lwr " reg ", " addr "\n"
+-#define user_lh(reg, addr) "lh " reg ", " addr "\n"
+-#define user_lb(reg, addr) "lb " reg ", " addr "\n"
+-#define user_lbu(reg, addr) "lbu " reg ", " addr "\n"
+-#define user_sw(reg, addr) "sw " reg ", " addr "\n"
+-#define user_swl(reg, addr) "swl " reg ", " addr "\n"
+-#define user_swr(reg, addr) "swr " reg ", " addr "\n"
+-#define user_sh(reg, addr) "sh " reg ", " addr "\n"
+-#define user_sb(reg, addr) "sb " reg ", " addr "\n"
++#define user_cache(op, base) kernel_cache(op, base)
++#define user_ll(reg, addr) kernel_ll(reg, addr)
++#define user_sc(reg, addr) kernel_sc(reg, addr)
++#define user_lw(reg, addr) kernel_lw(reg, addr)
++#define user_lwl(reg, addr) kernel_lwl(reg, addr)
++#define user_lwr(reg, addr) kernel_lwr(reg, addr)
++#define user_lh(reg, addr) kernel_lh(reg, addr)
++#define user_lb(reg, addr) kernel_lb(reg, addr)
++#define user_lbu(reg, addr) kernel_lbu(reg, addr)
++#define user_sw(reg, addr) kernel_sw(reg, addr)
++#define user_swl(reg, addr) kernel_swl(reg, addr)
++#define user_swr(reg, addr) kernel_swr(reg, addr)
++#define user_sh(reg, addr) kernel_sh(reg, addr)
++#define user_sb(reg, addr) kernel_sb(reg, addr)
+
+ #ifdef CONFIG_32BIT
+-/*
+- * No 'sd' or 'ld' instructions in 32-bit but the code will
+- * do the correct thing
+- */
+-#define user_sd(reg, addr) user_sw(reg, addr)
+-#define user_ld(reg, addr) user_lw(reg, addr)
++#define user_sd(reg, addr) kernel_sw(reg, addr)
++#define user_ld(reg, addr) kernel_lw(reg, addr)
+ #else
+-#define user_sd(reg, addr) "sd " reg", " addr "\n"
+-#define user_ld(reg, addr) "ld " reg", " addr "\n"
++#define user_sd(reg, addr) kernel_sd(reg, addr)
++#define user_ld(reg, addr) kernel_ld(reg, addr)
+ #endif /* CONFIG_32BIT */
+
+ #endif /* CONFIG_EVA */
+
+ #else /* __ASSEMBLY__ */
+
++#define kernel_cache(op, base) cache op, base
++#define kernel_ll(reg, addr) ll reg, addr
++#define kernel_sc(reg, addr) sc reg, addr
++#define kernel_lw(reg, addr) lw reg, addr
++#define kernel_lwl(reg, addr) lwl reg, addr
++#define kernel_lwr(reg, addr) lwr reg, addr
++#define kernel_lh(reg, addr) lh reg, addr
++#define kernel_lb(reg, addr) lb reg, addr
++#define kernel_lbu(reg, addr) lbu reg, addr
++#define kernel_sw(reg, addr) sw reg, addr
++#define kernel_swl(reg, addr) swl reg, addr
++#define kernel_swr(reg, addr) swr reg, addr
++#define kernel_sh(reg, addr) sh reg, addr
++#define kernel_sb(reg, addr) sb reg, addr
++
++#ifdef CONFIG_32BIT
++/*
++ * No 'sd' or 'ld' instructions in 32-bit but the code will
++ * do the correct thing
++ */
++#define kernel_sd(reg, addr) user_sw(reg, addr)
++#define kernel_ld(reg, addr) user_lw(reg, addr)
++#else
++#define kernel_sd(reg, addr) sd reg, addr
++#define kernel_ld(reg, addr) ld reg, addr
++#endif /* CONFIG_32BIT */
++
+ #ifdef CONFIG_EVA
+
+ #define __BUILD_EVA_INSN(insn, reg, addr) \
+@@ -101,31 +154,27 @@
+ #define user_sd(reg, addr) user_sw(reg, addr)
+ #else
+
+-#define user_cache(op, base) cache op, base
+-#define user_ll(reg, addr) ll reg, addr
+-#define user_sc(reg, addr) sc reg, addr
+-#define user_lw(reg, addr) lw reg, addr
+-#define user_lwl(reg, addr) lwl reg, addr
+-#define user_lwr(reg, addr) lwr reg, addr
+-#define user_lh(reg, addr) lh reg, addr
+-#define user_lb(reg, addr) lb reg, addr
+-#define user_lbu(reg, addr) lbu reg, addr
+-#define user_sw(reg, addr) sw reg, addr
+-#define user_swl(reg, addr) swl reg, addr
+-#define user_swr(reg, addr) swr reg, addr
+-#define user_sh(reg, addr) sh reg, addr
+-#define user_sb(reg, addr) sb reg, addr
++#define user_cache(op, base) kernel_cache(op, base)
++#define user_ll(reg, addr) kernel_ll(reg, addr)
++#define user_sc(reg, addr) kernel_sc(reg, addr)
++#define user_lw(reg, addr) kernel_lw(reg, addr)
++#define user_lwl(reg, addr) kernel_lwl(reg, addr)
++#define user_lwr(reg, addr) kernel_lwr(reg, addr)
++#define user_lh(reg, addr) kernel_lh(reg, addr)
++#define user_lb(reg, addr) kernel_lb(reg, addr)
++#define user_lbu(reg, addr) kernel_lbu(reg, addr)
++#define user_sw(reg, addr) kernel_sw(reg, addr)
++#define user_swl(reg, addr) kernel_swl(reg, addr)
++#define user_swr(reg, addr) kernel_swr(reg, addr)
++#define user_sh(reg, addr) kernel_sh(reg, addr)
++#define user_sb(reg, addr) kernel_sb(reg, addr)
+
+ #ifdef CONFIG_32BIT
+-/*
+- * No 'sd' or 'ld' instructions in 32-bit but the code will
+- * do the correct thing
+- */
+-#define user_sd(reg, addr) user_sw(reg, addr)
+-#define user_ld(reg, addr) user_lw(reg, addr)
++#define user_sd(reg, addr) kernel_sw(reg, addr)
++#define user_ld(reg, addr) kernel_lw(reg, addr)
+ #else
+-#define user_sd(reg, addr) sd reg, addr
+-#define user_ld(reg, addr) ld reg, addr
++#define user_sd(reg, addr) kernel_sd(reg, addr)
++#define user_ld(reg, addr) kernel_sd(reg, addr)
+ #endif /* CONFIG_32BIT */
+
+ #endif /* CONFIG_EVA */
+diff --git a/arch/mips/include/asm/fpu.h b/arch/mips/include/asm/fpu.h
+index dd083e9..9f26b07 100644
+--- a/arch/mips/include/asm/fpu.h
++++ b/arch/mips/include/asm/fpu.h
+@@ -170,6 +170,7 @@ static inline void lose_fpu(int save)
+ }
+ disable_msa();
+ clear_thread_flag(TIF_USEDMSA);
++ __disable_fpu();
+ } else if (is_fpu_owner()) {
+ if (save)
+ _save_fp(current);
+diff --git a/arch/mips/include/asm/kvm_host.h b/arch/mips/include/asm/kvm_host.h
+index ac4fc71..f722b05 100644
+--- a/arch/mips/include/asm/kvm_host.h
++++ b/arch/mips/include/asm/kvm_host.h
+@@ -322,6 +322,7 @@ enum mips_mmu_types {
+ #define T_TRAP 13 /* Trap instruction */
+ #define T_VCEI 14 /* Virtual coherency exception */
+ #define T_FPE 15 /* Floating point exception */
++#define T_MSADIS 21 /* MSA disabled exception */
+ #define T_WATCH 23 /* Watch address reference */
+ #define T_VCED 31 /* Virtual coherency data */
+
+@@ -578,6 +579,7 @@ struct kvm_mips_callbacks {
+ int (*handle_syscall)(struct kvm_vcpu *vcpu);
+ int (*handle_res_inst)(struct kvm_vcpu *vcpu);
+ int (*handle_break)(struct kvm_vcpu *vcpu);
++ int (*handle_msa_disabled)(struct kvm_vcpu *vcpu);
+ int (*vm_init)(struct kvm *kvm);
+ int (*vcpu_init)(struct kvm_vcpu *vcpu);
+ int (*vcpu_setup)(struct kvm_vcpu *vcpu);
+diff --git a/arch/mips/kernel/unaligned.c b/arch/mips/kernel/unaligned.c
+index bbb6969..7659da2 100644
+--- a/arch/mips/kernel/unaligned.c
++++ b/arch/mips/kernel/unaligned.c
+@@ -109,10 +109,11 @@ static u32 unaligned_action;
+ extern void show_registers(struct pt_regs *regs);
+
+ #ifdef __BIG_ENDIAN
+-#define LoadHW(addr, value, res) \
++#define _LoadHW(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ (".set\tnoat\n" \
+- "1:\t"user_lb("%0", "0(%2)")"\n" \
+- "2:\t"user_lbu("$1", "1(%2)")"\n\t" \
++ "1:\t"type##_lb("%0", "0(%2)")"\n" \
++ "2:\t"type##_lbu("$1", "1(%2)")"\n\t"\
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+ "li\t%1, 0\n" \
+@@ -127,13 +128,15 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
+
+ #ifndef CONFIG_CPU_MIPSR6
+-#define LoadW(addr, value, res) \
++#define _LoadW(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+- "1:\t"user_lwl("%0", "(%2)")"\n" \
+- "2:\t"user_lwr("%0", "3(%2)")"\n\t" \
++ "1:\t"type##_lwl("%0", "(%2)")"\n" \
++ "2:\t"type##_lwr("%0", "3(%2)")"\n\t"\
+ "li\t%1, 0\n" \
+ "3:\n\t" \
+ ".insn\n\t" \
+@@ -146,21 +149,24 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
++
+ #else
+ /* MIPSR6 has no lwl instruction */
+-#define LoadW(addr, value, res) \
++#define _LoadW(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tpush\n" \
+ ".set\tnoat\n\t" \
+- "1:"user_lb("%0", "0(%2)")"\n\t" \
+- "2:"user_lbu("$1", "1(%2)")"\n\t" \
++ "1:"type##_lb("%0", "0(%2)")"\n\t" \
++ "2:"type##_lbu("$1", "1(%2)")"\n\t" \
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+- "3:"user_lbu("$1", "2(%2)")"\n\t" \
++ "3:"type##_lbu("$1", "2(%2)")"\n\t" \
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+- "4:"user_lbu("$1", "3(%2)")"\n\t" \
++ "4:"type##_lbu("$1", "3(%2)")"\n\t" \
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+ "li\t%1, 0\n" \
+@@ -178,14 +184,17 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t4b, 11b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
++
+ #endif /* CONFIG_CPU_MIPSR6 */
+
+-#define LoadHWU(addr, value, res) \
++#define _LoadHWU(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tnoat\n" \
+- "1:\t"user_lbu("%0", "0(%2)")"\n" \
+- "2:\t"user_lbu("$1", "1(%2)")"\n\t" \
++ "1:\t"type##_lbu("%0", "0(%2)")"\n" \
++ "2:\t"type##_lbu("$1", "1(%2)")"\n\t"\
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+ "li\t%1, 0\n" \
+@@ -201,13 +210,15 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
+
+ #ifndef CONFIG_CPU_MIPSR6
+-#define LoadWU(addr, value, res) \
++#define _LoadWU(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+- "1:\t"user_lwl("%0", "(%2)")"\n" \
+- "2:\t"user_lwr("%0", "3(%2)")"\n\t" \
++ "1:\t"type##_lwl("%0", "(%2)")"\n" \
++ "2:\t"type##_lwr("%0", "3(%2)")"\n\t"\
+ "dsll\t%0, %0, 32\n\t" \
+ "dsrl\t%0, %0, 32\n\t" \
+ "li\t%1, 0\n" \
+@@ -222,9 +233,11 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
+
+-#define LoadDW(addr, value, res) \
++#define _LoadDW(addr, value, res) \
++do { \
+ __asm__ __volatile__ ( \
+ "1:\tldl\t%0, (%2)\n" \
+ "2:\tldr\t%0, 7(%2)\n\t" \
+@@ -240,21 +253,24 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
++
+ #else
+ /* MIPSR6 has not lwl and ldl instructions */
+-#define LoadWU(addr, value, res) \
++#define _LoadWU(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tpush\n\t" \
+ ".set\tnoat\n\t" \
+- "1:"user_lbu("%0", "0(%2)")"\n\t" \
+- "2:"user_lbu("$1", "1(%2)")"\n\t" \
++ "1:"type##_lbu("%0", "0(%2)")"\n\t" \
++ "2:"type##_lbu("$1", "1(%2)")"\n\t" \
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+- "3:"user_lbu("$1", "2(%2)")"\n\t" \
++ "3:"type##_lbu("$1", "2(%2)")"\n\t" \
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+- "4:"user_lbu("$1", "3(%2)")"\n\t" \
++ "4:"type##_lbu("$1", "3(%2)")"\n\t" \
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+ "li\t%1, 0\n" \
+@@ -272,9 +288,11 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t4b, 11b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
+
+-#define LoadDW(addr, value, res) \
++#define _LoadDW(addr, value, res) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tpush\n\t" \
+ ".set\tnoat\n\t" \
+@@ -319,16 +337,19 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t8b, 11b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
++
+ #endif /* CONFIG_CPU_MIPSR6 */
+
+
+-#define StoreHW(addr, value, res) \
++#define _StoreHW(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tnoat\n" \
+- "1:\t"user_sb("%1", "1(%2)")"\n" \
++ "1:\t"type##_sb("%1", "1(%2)")"\n" \
+ "srl\t$1, %1, 0x8\n" \
+- "2:\t"user_sb("$1", "0(%2)")"\n" \
++ "2:\t"type##_sb("$1", "0(%2)")"\n" \
+ ".set\tat\n\t" \
+ "li\t%0, 0\n" \
+ "3:\n\t" \
+@@ -342,13 +363,15 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=r" (res) \
+- : "r" (value), "r" (addr), "i" (-EFAULT));
++ : "r" (value), "r" (addr), "i" (-EFAULT));\
++} while(0)
+
+ #ifndef CONFIG_CPU_MIPSR6
+-#define StoreW(addr, value, res) \
++#define _StoreW(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+- "1:\t"user_swl("%1", "(%2)")"\n" \
+- "2:\t"user_swr("%1", "3(%2)")"\n\t" \
++ "1:\t"type##_swl("%1", "(%2)")"\n" \
++ "2:\t"type##_swr("%1", "3(%2)")"\n\t"\
+ "li\t%0, 0\n" \
+ "3:\n\t" \
+ ".insn\n\t" \
+@@ -361,9 +384,11 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=r" (res) \
+- : "r" (value), "r" (addr), "i" (-EFAULT));
++ : "r" (value), "r" (addr), "i" (-EFAULT)); \
++} while(0)
+
+-#define StoreDW(addr, value, res) \
++#define _StoreDW(addr, value, res) \
++do { \
+ __asm__ __volatile__ ( \
+ "1:\tsdl\t%1,(%2)\n" \
+ "2:\tsdr\t%1, 7(%2)\n\t" \
+@@ -379,20 +404,23 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=r" (res) \
+- : "r" (value), "r" (addr), "i" (-EFAULT));
++ : "r" (value), "r" (addr), "i" (-EFAULT)); \
++} while(0)
++
+ #else
+ /* MIPSR6 has no swl and sdl instructions */
+-#define StoreW(addr, value, res) \
++#define _StoreW(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tpush\n\t" \
+ ".set\tnoat\n\t" \
+- "1:"user_sb("%1", "3(%2)")"\n\t" \
++ "1:"type##_sb("%1", "3(%2)")"\n\t" \
+ "srl\t$1, %1, 0x8\n\t" \
+- "2:"user_sb("$1", "2(%2)")"\n\t" \
++ "2:"type##_sb("$1", "2(%2)")"\n\t" \
+ "srl\t$1, $1, 0x8\n\t" \
+- "3:"user_sb("$1", "1(%2)")"\n\t" \
++ "3:"type##_sb("$1", "1(%2)")"\n\t" \
+ "srl\t$1, $1, 0x8\n\t" \
+- "4:"user_sb("$1", "0(%2)")"\n\t" \
++ "4:"type##_sb("$1", "0(%2)")"\n\t" \
+ ".set\tpop\n\t" \
+ "li\t%0, 0\n" \
+ "10:\n\t" \
+@@ -409,9 +437,11 @@ extern void show_registers(struct pt_regs *regs);
+ ".previous" \
+ : "=&r" (res) \
+ : "r" (value), "r" (addr), "i" (-EFAULT) \
+- : "memory");
++ : "memory"); \
++} while(0)
+
+ #define StoreDW(addr, value, res) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tpush\n\t" \
+ ".set\tnoat\n\t" \
+@@ -451,15 +481,18 @@ extern void show_registers(struct pt_regs *regs);
+ ".previous" \
+ : "=&r" (res) \
+ : "r" (value), "r" (addr), "i" (-EFAULT) \
+- : "memory");
++ : "memory"); \
++} while(0)
++
+ #endif /* CONFIG_CPU_MIPSR6 */
+
+ #else /* __BIG_ENDIAN */
+
+-#define LoadHW(addr, value, res) \
++#define _LoadHW(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ (".set\tnoat\n" \
+- "1:\t"user_lb("%0", "1(%2)")"\n" \
+- "2:\t"user_lbu("$1", "0(%2)")"\n\t" \
++ "1:\t"type##_lb("%0", "1(%2)")"\n" \
++ "2:\t"type##_lbu("$1", "0(%2)")"\n\t"\
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+ "li\t%1, 0\n" \
+@@ -474,13 +507,15 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
+
+ #ifndef CONFIG_CPU_MIPSR6
+-#define LoadW(addr, value, res) \
++#define _LoadW(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+- "1:\t"user_lwl("%0", "3(%2)")"\n" \
+- "2:\t"user_lwr("%0", "(%2)")"\n\t" \
++ "1:\t"type##_lwl("%0", "3(%2)")"\n" \
++ "2:\t"type##_lwr("%0", "(%2)")"\n\t"\
+ "li\t%1, 0\n" \
+ "3:\n\t" \
+ ".insn\n\t" \
+@@ -493,21 +528,24 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
++
+ #else
+ /* MIPSR6 has no lwl instruction */
+-#define LoadW(addr, value, res) \
++#define _LoadW(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tpush\n" \
+ ".set\tnoat\n\t" \
+- "1:"user_lb("%0", "3(%2)")"\n\t" \
+- "2:"user_lbu("$1", "2(%2)")"\n\t" \
++ "1:"type##_lb("%0", "3(%2)")"\n\t" \
++ "2:"type##_lbu("$1", "2(%2)")"\n\t" \
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+- "3:"user_lbu("$1", "1(%2)")"\n\t" \
++ "3:"type##_lbu("$1", "1(%2)")"\n\t" \
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+- "4:"user_lbu("$1", "0(%2)")"\n\t" \
++ "4:"type##_lbu("$1", "0(%2)")"\n\t" \
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+ "li\t%1, 0\n" \
+@@ -525,15 +563,18 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t4b, 11b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
++
+ #endif /* CONFIG_CPU_MIPSR6 */
+
+
+-#define LoadHWU(addr, value, res) \
++#define _LoadHWU(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tnoat\n" \
+- "1:\t"user_lbu("%0", "1(%2)")"\n" \
+- "2:\t"user_lbu("$1", "0(%2)")"\n\t" \
++ "1:\t"type##_lbu("%0", "1(%2)")"\n" \
++ "2:\t"type##_lbu("$1", "0(%2)")"\n\t"\
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+ "li\t%1, 0\n" \
+@@ -549,13 +590,15 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
+
+ #ifndef CONFIG_CPU_MIPSR6
+-#define LoadWU(addr, value, res) \
++#define _LoadWU(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+- "1:\t"user_lwl("%0", "3(%2)")"\n" \
+- "2:\t"user_lwr("%0", "(%2)")"\n\t" \
++ "1:\t"type##_lwl("%0", "3(%2)")"\n" \
++ "2:\t"type##_lwr("%0", "(%2)")"\n\t"\
+ "dsll\t%0, %0, 32\n\t" \
+ "dsrl\t%0, %0, 32\n\t" \
+ "li\t%1, 0\n" \
+@@ -570,9 +613,11 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
+
+-#define LoadDW(addr, value, res) \
++#define _LoadDW(addr, value, res) \
++do { \
+ __asm__ __volatile__ ( \
+ "1:\tldl\t%0, 7(%2)\n" \
+ "2:\tldr\t%0, (%2)\n\t" \
+@@ -588,21 +633,24 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
++
+ #else
+ /* MIPSR6 has not lwl and ldl instructions */
+-#define LoadWU(addr, value, res) \
++#define _LoadWU(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tpush\n\t" \
+ ".set\tnoat\n\t" \
+- "1:"user_lbu("%0", "3(%2)")"\n\t" \
+- "2:"user_lbu("$1", "2(%2)")"\n\t" \
++ "1:"type##_lbu("%0", "3(%2)")"\n\t" \
++ "2:"type##_lbu("$1", "2(%2)")"\n\t" \
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+- "3:"user_lbu("$1", "1(%2)")"\n\t" \
++ "3:"type##_lbu("$1", "1(%2)")"\n\t" \
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+- "4:"user_lbu("$1", "0(%2)")"\n\t" \
++ "4:"type##_lbu("$1", "0(%2)")"\n\t" \
+ "sll\t%0, 0x8\n\t" \
+ "or\t%0, $1\n\t" \
+ "li\t%1, 0\n" \
+@@ -620,9 +668,11 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t4b, 11b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
+
+-#define LoadDW(addr, value, res) \
++#define _LoadDW(addr, value, res) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tpush\n\t" \
+ ".set\tnoat\n\t" \
+@@ -667,15 +717,17 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t8b, 11b\n\t" \
+ ".previous" \
+ : "=&r" (value), "=r" (res) \
+- : "r" (addr), "i" (-EFAULT));
++ : "r" (addr), "i" (-EFAULT)); \
++} while(0)
+ #endif /* CONFIG_CPU_MIPSR6 */
+
+-#define StoreHW(addr, value, res) \
++#define _StoreHW(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tnoat\n" \
+- "1:\t"user_sb("%1", "0(%2)")"\n" \
++ "1:\t"type##_sb("%1", "0(%2)")"\n" \
+ "srl\t$1,%1, 0x8\n" \
+- "2:\t"user_sb("$1", "1(%2)")"\n" \
++ "2:\t"type##_sb("$1", "1(%2)")"\n" \
+ ".set\tat\n\t" \
+ "li\t%0, 0\n" \
+ "3:\n\t" \
+@@ -689,12 +741,15 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=r" (res) \
+- : "r" (value), "r" (addr), "i" (-EFAULT));
++ : "r" (value), "r" (addr), "i" (-EFAULT));\
++} while(0)
++
+ #ifndef CONFIG_CPU_MIPSR6
+-#define StoreW(addr, value, res) \
++#define _StoreW(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+- "1:\t"user_swl("%1", "3(%2)")"\n" \
+- "2:\t"user_swr("%1", "(%2)")"\n\t" \
++ "1:\t"type##_swl("%1", "3(%2)")"\n" \
++ "2:\t"type##_swr("%1", "(%2)")"\n\t"\
+ "li\t%0, 0\n" \
+ "3:\n\t" \
+ ".insn\n\t" \
+@@ -707,9 +762,11 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=r" (res) \
+- : "r" (value), "r" (addr), "i" (-EFAULT));
++ : "r" (value), "r" (addr), "i" (-EFAULT)); \
++} while(0)
+
+-#define StoreDW(addr, value, res) \
++#define _StoreDW(addr, value, res) \
++do { \
+ __asm__ __volatile__ ( \
+ "1:\tsdl\t%1, 7(%2)\n" \
+ "2:\tsdr\t%1, (%2)\n\t" \
+@@ -725,20 +782,23 @@ extern void show_registers(struct pt_regs *regs);
+ STR(PTR)"\t2b, 4b\n\t" \
+ ".previous" \
+ : "=r" (res) \
+- : "r" (value), "r" (addr), "i" (-EFAULT));
++ : "r" (value), "r" (addr), "i" (-EFAULT)); \
++} while(0)
++
+ #else
+ /* MIPSR6 has no swl and sdl instructions */
+-#define StoreW(addr, value, res) \
++#define _StoreW(addr, value, res, type) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tpush\n\t" \
+ ".set\tnoat\n\t" \
+- "1:"user_sb("%1", "0(%2)")"\n\t" \
++ "1:"type##_sb("%1", "0(%2)")"\n\t" \
+ "srl\t$1, %1, 0x8\n\t" \
+- "2:"user_sb("$1", "1(%2)")"\n\t" \
++ "2:"type##_sb("$1", "1(%2)")"\n\t" \
+ "srl\t$1, $1, 0x8\n\t" \
+- "3:"user_sb("$1", "2(%2)")"\n\t" \
++ "3:"type##_sb("$1", "2(%2)")"\n\t" \
+ "srl\t$1, $1, 0x8\n\t" \
+- "4:"user_sb("$1", "3(%2)")"\n\t" \
++ "4:"type##_sb("$1", "3(%2)")"\n\t" \
+ ".set\tpop\n\t" \
+ "li\t%0, 0\n" \
+ "10:\n\t" \
+@@ -755,9 +815,11 @@ extern void show_registers(struct pt_regs *regs);
+ ".previous" \
+ : "=&r" (res) \
+ : "r" (value), "r" (addr), "i" (-EFAULT) \
+- : "memory");
++ : "memory"); \
++} while(0)
+
+-#define StoreDW(addr, value, res) \
++#define _StoreDW(addr, value, res) \
++do { \
+ __asm__ __volatile__ ( \
+ ".set\tpush\n\t" \
+ ".set\tnoat\n\t" \
+@@ -797,10 +859,28 @@ extern void show_registers(struct pt_regs *regs);
+ ".previous" \
+ : "=&r" (res) \
+ : "r" (value), "r" (addr), "i" (-EFAULT) \
+- : "memory");
++ : "memory"); \
++} while(0)
++
+ #endif /* CONFIG_CPU_MIPSR6 */
+ #endif
+
++#define LoadHWU(addr, value, res) _LoadHWU(addr, value, res, kernel)
++#define LoadHWUE(addr, value, res) _LoadHWU(addr, value, res, user)
++#define LoadWU(addr, value, res) _LoadWU(addr, value, res, kernel)
++#define LoadWUE(addr, value, res) _LoadWU(addr, value, res, user)
++#define LoadHW(addr, value, res) _LoadHW(addr, value, res, kernel)
++#define LoadHWE(addr, value, res) _LoadHW(addr, value, res, user)
++#define LoadW(addr, value, res) _LoadW(addr, value, res, kernel)
++#define LoadWE(addr, value, res) _LoadW(addr, value, res, user)
++#define LoadDW(addr, value, res) _LoadDW(addr, value, res)
++
++#define StoreHW(addr, value, res) _StoreHW(addr, value, res, kernel)
++#define StoreHWE(addr, value, res) _StoreHW(addr, value, res, user)
++#define StoreW(addr, value, res) _StoreW(addr, value, res, kernel)
++#define StoreWE(addr, value, res) _StoreW(addr, value, res, user)
++#define StoreDW(addr, value, res) _StoreDW(addr, value, res)
++
+ static void emulate_load_store_insn(struct pt_regs *regs,
+ void __user *addr, unsigned int __user *pc)
+ {
+@@ -872,7 +952,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
+ set_fs(seg);
+ goto sigbus;
+ }
+- LoadHW(addr, value, res);
++ LoadHWE(addr, value, res);
+ if (res) {
+ set_fs(seg);
+ goto fault;
+@@ -885,7 +965,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
+ set_fs(seg);
+ goto sigbus;
+ }
+- LoadW(addr, value, res);
++ LoadWE(addr, value, res);
+ if (res) {
+ set_fs(seg);
+ goto fault;
+@@ -898,7 +978,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
+ set_fs(seg);
+ goto sigbus;
+ }
+- LoadHWU(addr, value, res);
++ LoadHWUE(addr, value, res);
+ if (res) {
+ set_fs(seg);
+ goto fault;
+@@ -913,7 +993,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
+ }
+ compute_return_epc(regs);
+ value = regs->regs[insn.spec3_format.rt];
+- StoreHW(addr, value, res);
++ StoreHWE(addr, value, res);
+ if (res) {
+ set_fs(seg);
+ goto fault;
+@@ -926,7 +1006,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
+ }
+ compute_return_epc(regs);
+ value = regs->regs[insn.spec3_format.rt];
+- StoreW(addr, value, res);
++ StoreWE(addr, value, res);
+ if (res) {
+ set_fs(seg);
+ goto fault;
+@@ -943,7 +1023,15 @@ static void emulate_load_store_insn(struct pt_regs *regs,
+ if (!access_ok(VERIFY_READ, addr, 2))
+ goto sigbus;
+
+- LoadHW(addr, value, res);
++ if (config_enabled(CONFIG_EVA)) {
++ if (segment_eq(get_fs(), get_ds()))
++ LoadHW(addr, value, res);
++ else
++ LoadHWE(addr, value, res);
++ } else {
++ LoadHW(addr, value, res);
++ }
++
+ if (res)
+ goto fault;
+ compute_return_epc(regs);
+@@ -954,7 +1042,15 @@ static void emulate_load_store_insn(struct pt_regs *regs,
+ if (!access_ok(VERIFY_READ, addr, 4))
+ goto sigbus;
+
+- LoadW(addr, value, res);
++ if (config_enabled(CONFIG_EVA)) {
++ if (segment_eq(get_fs(), get_ds()))
++ LoadW(addr, value, res);
++ else
++ LoadWE(addr, value, res);
++ } else {
++ LoadW(addr, value, res);
++ }
++
+ if (res)
+ goto fault;
+ compute_return_epc(regs);
+@@ -965,7 +1061,15 @@ static void emulate_load_store_insn(struct pt_regs *regs,
+ if (!access_ok(VERIFY_READ, addr, 2))
+ goto sigbus;
+
+- LoadHWU(addr, value, res);
++ if (config_enabled(CONFIG_EVA)) {
++ if (segment_eq(get_fs(), get_ds()))
++ LoadHWU(addr, value, res);
++ else
++ LoadHWUE(addr, value, res);
++ } else {
++ LoadHWU(addr, value, res);
++ }
++
+ if (res)
+ goto fault;
+ compute_return_epc(regs);
+@@ -1024,7 +1128,16 @@ static void emulate_load_store_insn(struct pt_regs *regs,
+
+ compute_return_epc(regs);
+ value = regs->regs[insn.i_format.rt];
+- StoreHW(addr, value, res);
++
++ if (config_enabled(CONFIG_EVA)) {
++ if (segment_eq(get_fs(), get_ds()))
++ StoreHW(addr, value, res);
++ else
++ StoreHWE(addr, value, res);
++ } else {
++ StoreHW(addr, value, res);
++ }
++
+ if (res)
+ goto fault;
+ break;
+@@ -1035,7 +1148,16 @@ static void emulate_load_store_insn(struct pt_regs *regs,
+
+ compute_return_epc(regs);
+ value = regs->regs[insn.i_format.rt];
+- StoreW(addr, value, res);
++
++ if (config_enabled(CONFIG_EVA)) {
++ if (segment_eq(get_fs(), get_ds()))
++ StoreW(addr, value, res);
++ else
++ StoreWE(addr, value, res);
++ } else {
++ StoreW(addr, value, res);
++ }
++
+ if (res)
+ goto fault;
+ break;
+diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c
+index fb3e8df..838d3a6 100644
+--- a/arch/mips/kvm/emulate.c
++++ b/arch/mips/kvm/emulate.c
+@@ -2176,6 +2176,7 @@ enum emulation_result kvm_mips_check_privilege(unsigned long cause,
+ case T_SYSCALL:
+ case T_BREAK:
+ case T_RES_INST:
++ case T_MSADIS:
+ break;
+
+ case T_COP_UNUSABLE:
+diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
+index c9eccf5..f5e7dda 100644
+--- a/arch/mips/kvm/mips.c
++++ b/arch/mips/kvm/mips.c
+@@ -1119,6 +1119,10 @@ int kvm_mips_handle_exit(struct kvm_run *run, struct kvm_vcpu *vcpu)
+ ret = kvm_mips_callbacks->handle_break(vcpu);
+ break;
+
++ case T_MSADIS:
++ ret = kvm_mips_callbacks->handle_msa_disabled(vcpu);
++ break;
++
+ default:
+ kvm_err("Exception Code: %d, not yet handled, @ PC: %p, inst: 0x%08x BadVaddr: %#lx Status: %#lx\n",
+ exccode, opc, kvm_get_inst(opc, vcpu), badvaddr,
+diff --git a/arch/mips/kvm/trap_emul.c b/arch/mips/kvm/trap_emul.c
+index fd7257b..4372cc8 100644
+--- a/arch/mips/kvm/trap_emul.c
++++ b/arch/mips/kvm/trap_emul.c
+@@ -330,6 +330,33 @@ static int kvm_trap_emul_handle_break(struct kvm_vcpu *vcpu)
+ return ret;
+ }
+
++static int kvm_trap_emul_handle_msa_disabled(struct kvm_vcpu *vcpu)
++{
++ struct kvm_run *run = vcpu->run;
++ uint32_t __user *opc = (uint32_t __user *) vcpu->arch.pc;
++ unsigned long cause = vcpu->arch.host_cp0_cause;
++ enum emulation_result er = EMULATE_DONE;
++ int ret = RESUME_GUEST;
++
++ /* No MSA supported in guest, guest reserved instruction exception */
++ er = kvm_mips_emulate_ri_exc(cause, opc, run, vcpu);
++
++ switch (er) {
++ case EMULATE_DONE:
++ ret = RESUME_GUEST;
++ break;
++
++ case EMULATE_FAIL:
++ run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
++ ret = RESUME_HOST;
++ break;
++
++ default:
++ BUG();
++ }
++ return ret;
++}
++
+ static int kvm_trap_emul_vm_init(struct kvm *kvm)
+ {
+ return 0;
+@@ -470,6 +497,7 @@ static struct kvm_mips_callbacks kvm_trap_emul_callbacks = {
+ .handle_syscall = kvm_trap_emul_handle_syscall,
+ .handle_res_inst = kvm_trap_emul_handle_res_inst,
+ .handle_break = kvm_trap_emul_handle_break,
++ .handle_msa_disabled = kvm_trap_emul_handle_msa_disabled,
+
+ .vm_init = kvm_trap_emul_vm_init,
+ .vcpu_init = kvm_trap_emul_vcpu_init,
+diff --git a/arch/mips/loongson/loongson-3/irq.c b/arch/mips/loongson/loongson-3/irq.c
+index 21221ed..0f75b6b 100644
+--- a/arch/mips/loongson/loongson-3/irq.c
++++ b/arch/mips/loongson/loongson-3/irq.c
+@@ -44,6 +44,7 @@ void mach_irq_dispatch(unsigned int pending)
+
+ static struct irqaction cascade_irqaction = {
+ .handler = no_action,
++ .flags = IRQF_NO_SUSPEND,
+ .name = "cascade",
+ };
+
+diff --git a/arch/mips/mti-malta/malta-memory.c b/arch/mips/mti-malta/malta-memory.c
+index 8fddd2cd..efe366d 100644
+--- a/arch/mips/mti-malta/malta-memory.c
++++ b/arch/mips/mti-malta/malta-memory.c
+@@ -53,6 +53,12 @@ fw_memblock_t * __init fw_getmdesc(int eva)
+ pr_warn("memsize not set in YAMON, set to default (32Mb)\n");
+ physical_memsize = 0x02000000;
+ } else {
++ if (memsize > (256 << 20)) { /* memsize should be capped to 256M */
++ pr_warn("Unsupported memsize value (0x%lx) detected! "
++ "Using 0x10000000 (256M) instead\n",
++ memsize);
++ memsize = 256 << 20;
++ }
+ /* If ememsize is set, then set physical_memsize to that */
+ physical_memsize = ememsize ? : memsize;
+ }
+diff --git a/arch/mips/power/hibernate.S b/arch/mips/power/hibernate.S
+index 32a7c82..e7567c8 100644
+--- a/arch/mips/power/hibernate.S
++++ b/arch/mips/power/hibernate.S
+@@ -30,6 +30,8 @@ LEAF(swsusp_arch_suspend)
+ END(swsusp_arch_suspend)
+
+ LEAF(swsusp_arch_resume)
++ /* Avoid TLB mismatch during and after kernel resume */
++ jal local_flush_tlb_all
+ PTR_L t0, restore_pblist
+ 0:
+ PTR_L t1, PBE_ADDRESS(t0) /* source */
+@@ -43,7 +45,6 @@ LEAF(swsusp_arch_resume)
+ bne t1, t3, 1b
+ PTR_L t0, PBE_NEXT(t0)
+ bnez t0, 0b
+- jal local_flush_tlb_all /* Avoid TLB mismatch after kernel resume */
+ PTR_LA t0, saved_regs
+ PTR_L ra, PT_R31(t0)
+ PTR_L sp, PT_R29(t0)
+diff --git a/arch/powerpc/kernel/cacheinfo.c b/arch/powerpc/kernel/cacheinfo.c
+index ae77b7e..c641983 100644
+--- a/arch/powerpc/kernel/cacheinfo.c
++++ b/arch/powerpc/kernel/cacheinfo.c
+@@ -61,12 +61,22 @@ struct cache_type_info {
+ };
+
+ /* These are used to index the cache_type_info array. */
+-#define CACHE_TYPE_UNIFIED 0
+-#define CACHE_TYPE_INSTRUCTION 1
+-#define CACHE_TYPE_DATA 2
++#define CACHE_TYPE_UNIFIED 0 /* cache-size, cache-block-size, etc. */
++#define CACHE_TYPE_UNIFIED_D 1 /* d-cache-size, d-cache-block-size, etc */
++#define CACHE_TYPE_INSTRUCTION 2
++#define CACHE_TYPE_DATA 3
+
+ static const struct cache_type_info cache_type_info[] = {
+ {
++ /* Embedded systems that use cache-size, cache-block-size,
++ * etc. for the Unified (typically L2) cache. */
++ .name = "Unified",
++ .size_prop = "cache-size",
++ .line_size_props = { "cache-line-size",
++ "cache-block-size", },
++ .nr_sets_prop = "cache-sets",
++ },
++ {
+ /* PowerPC Processor binding says the [di]-cache-*
+ * must be equal on unified caches, so just use
+ * d-cache properties. */
+@@ -293,7 +303,8 @@ static struct cache *cache_find_first_sibling(struct cache *cache)
+ {
+ struct cache *iter;
+
+- if (cache->type == CACHE_TYPE_UNIFIED)
++ if (cache->type == CACHE_TYPE_UNIFIED ||
++ cache->type == CACHE_TYPE_UNIFIED_D)
+ return cache;
+
+ list_for_each_entry(iter, &cache_list, list)
+@@ -324,16 +335,29 @@ static bool cache_node_is_unified(const struct device_node *np)
+ return of_get_property(np, "cache-unified", NULL);
+ }
+
+-static struct cache *cache_do_one_devnode_unified(struct device_node *node,
+- int level)
++/*
++ * Unified caches can have two different sets of tags. Most embedded
++ * use cache-size, etc. for the unified cache size, but open firmware systems
++ * use d-cache-size, etc. Check on initialization for which type we have, and
++ * return the appropriate structure type. Assume it's embedded if it isn't
++ * open firmware. If it's yet a 3rd type, then there will be missing entries
++ * in /sys/devices/system/cpu/cpu0/cache/index2/, and this code will need
++ * to be extended further.
++ */
++static int cache_is_unified_d(const struct device_node *np)
+ {
+- struct cache *cache;
++ return of_get_property(np,
++ cache_type_info[CACHE_TYPE_UNIFIED_D].size_prop, NULL) ?
++ CACHE_TYPE_UNIFIED_D : CACHE_TYPE_UNIFIED;
++}
+
++/*
++ */
++static struct cache *cache_do_one_devnode_unified(struct device_node *node, int level)
++{
+ pr_debug("creating L%d ucache for %s\n", level, node->full_name);
+
+- cache = new_cache(CACHE_TYPE_UNIFIED, level, node);
+-
+- return cache;
++ return new_cache(cache_is_unified_d(node), level, node);
+ }
+
+ static struct cache *cache_do_one_devnode_split(struct device_node *node,
+diff --git a/arch/powerpc/mm/hugetlbpage.c b/arch/powerpc/mm/hugetlbpage.c
+index 7e408bf..cecbe00 100644
+--- a/arch/powerpc/mm/hugetlbpage.c
++++ b/arch/powerpc/mm/hugetlbpage.c
+@@ -581,6 +581,7 @@ static void hugetlb_free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
+ pmd = pmd_offset(pud, start);
+ pud_clear(pud);
+ pmd_free_tlb(tlb, pmd, start);
++ mm_dec_nr_pmds(tlb->mm);
+ }
+
+ static void hugetlb_free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
+diff --git a/arch/powerpc/perf/callchain.c b/arch/powerpc/perf/callchain.c
+index 2396dda..ead5535 100644
+--- a/arch/powerpc/perf/callchain.c
++++ b/arch/powerpc/perf/callchain.c
+@@ -243,7 +243,7 @@ static void perf_callchain_user_64(struct perf_callchain_entry *entry,
+ sp = regs->gpr[1];
+ perf_callchain_store(entry, next_ip);
+
+- for (;;) {
++ while (entry->nr < PERF_MAX_STACK_DEPTH) {
+ fp = (unsigned long __user *) sp;
+ if (!valid_user_sp(sp, 1) || read_user_stack_64(fp, &next_sp))
+ return;
+diff --git a/arch/powerpc/platforms/cell/interrupt.c b/arch/powerpc/platforms/cell/interrupt.c
+index 4c11421..3af8324 100644
+--- a/arch/powerpc/platforms/cell/interrupt.c
++++ b/arch/powerpc/platforms/cell/interrupt.c
+@@ -163,7 +163,7 @@ static unsigned int iic_get_irq(void)
+
+ void iic_setup_cpu(void)
+ {
+- out_be64(this_cpu_ptr(&cpu_iic.regs->prio), 0xff);
++ out_be64(&this_cpu_ptr(&cpu_iic)->regs->prio, 0xff);
+ }
+
+ u8 iic_get_target_id(int cpu)
+diff --git a/arch/powerpc/platforms/cell/iommu.c b/arch/powerpc/platforms/cell/iommu.c
+index c7c8720..63db1b0 100644
+--- a/arch/powerpc/platforms/cell/iommu.c
++++ b/arch/powerpc/platforms/cell/iommu.c
+@@ -197,7 +197,7 @@ static int tce_build_cell(struct iommu_table *tbl, long index, long npages,
+
+ io_pte = (unsigned long *)tbl->it_base + (index - tbl->it_offset);
+
+- for (i = 0; i < npages; i++, uaddr += tbl->it_page_shift)
++ for (i = 0; i < npages; i++, uaddr += (1 << tbl->it_page_shift))
+ io_pte[i] = base_pte | (__pa(uaddr) & CBE_IOPTE_RPN_Mask);
+
+ mb();
+diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c
+index 6c9ff2b..1d9369e 100644
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -1777,7 +1777,8 @@ static void pnv_ioda_setup_pe_seg(struct pci_controller *hose,
+ region.start += phb->ioda.io_segsize;
+ index++;
+ }
+- } else if (res->flags & IORESOURCE_MEM) {
++ } else if ((res->flags & IORESOURCE_MEM) &&
++ !pnv_pci_is_mem_pref_64(res->flags)) {
+ region.start = res->start -
+ hose->mem_offset[0] -
+ phb->ioda.m32_pci_base;
+diff --git a/arch/s390/kernel/suspend.c b/arch/s390/kernel/suspend.c
+index 1c4c5ac..d3236c9 100644
+--- a/arch/s390/kernel/suspend.c
++++ b/arch/s390/kernel/suspend.c
+@@ -138,6 +138,8 @@ int pfn_is_nosave(unsigned long pfn)
+ {
+ unsigned long nosave_begin_pfn = PFN_DOWN(__pa(&__nosave_begin));
+ unsigned long nosave_end_pfn = PFN_DOWN(__pa(&__nosave_end));
++ unsigned long eshared_pfn = PFN_DOWN(__pa(&_eshared)) - 1;
++ unsigned long stext_pfn = PFN_DOWN(__pa(&_stext));
+
+ /* Always save lowcore pages (LC protection might be enabled). */
+ if (pfn <= LC_PAGES)
+@@ -145,6 +147,8 @@ int pfn_is_nosave(unsigned long pfn)
+ if (pfn >= nosave_begin_pfn && pfn < nosave_end_pfn)
+ return 1;
+ /* Skip memory holes and read-only pages (NSS, DCSS, ...). */
++ if (pfn >= stext_pfn && pfn <= eshared_pfn)
++ return ipl_info.type == IPL_TYPE_NSS ? 1 : 0;
+ if (tprot(PFN_PHYS(pfn)))
+ return 1;
+ return 0;
+diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
+index 073b5f3..e7bc2fd 100644
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -17,6 +17,7 @@
+ #include <linux/signal.h>
+ #include <linux/slab.h>
+ #include <linux/bitmap.h>
++#include <linux/vmalloc.h>
+ #include <asm/asm-offsets.h>
+ #include <asm/uaccess.h>
+ #include <asm/sclp.h>
+@@ -1332,10 +1333,10 @@ int kvm_s390_inject_vm(struct kvm *kvm,
+ return rc;
+ }
+
+-void kvm_s390_reinject_io_int(struct kvm *kvm,
++int kvm_s390_reinject_io_int(struct kvm *kvm,
+ struct kvm_s390_interrupt_info *inti)
+ {
+- __inject_vm(kvm, inti);
++ return __inject_vm(kvm, inti);
+ }
+
+ int s390int_to_s390irq(struct kvm_s390_interrupt *s390int,
+@@ -1455,61 +1456,66 @@ void kvm_s390_clear_float_irqs(struct kvm *kvm)
+ spin_unlock(&fi->lock);
+ }
+
+-static inline int copy_irq_to_user(struct kvm_s390_interrupt_info *inti,
+- u8 *addr)
++static void inti_to_irq(struct kvm_s390_interrupt_info *inti,
++ struct kvm_s390_irq *irq)
+ {
+- struct kvm_s390_irq __user *uptr = (struct kvm_s390_irq __user *) addr;
+- struct kvm_s390_irq irq = {0};
+-
+- irq.type = inti->type;
++ irq->type = inti->type;
+ switch (inti->type) {
+ case KVM_S390_INT_PFAULT_INIT:
+ case KVM_S390_INT_PFAULT_DONE:
+ case KVM_S390_INT_VIRTIO:
+ case KVM_S390_INT_SERVICE:
+- irq.u.ext = inti->ext;
++ irq->u.ext = inti->ext;
+ break;
+ case KVM_S390_INT_IO_MIN...KVM_S390_INT_IO_MAX:
+- irq.u.io = inti->io;
++ irq->u.io = inti->io;
+ break;
+ case KVM_S390_MCHK:
+- irq.u.mchk = inti->mchk;
++ irq->u.mchk = inti->mchk;
+ break;
+- default:
+- return -EINVAL;
+ }
+-
+- if (copy_to_user(uptr, &irq, sizeof(irq)))
+- return -EFAULT;
+-
+- return 0;
+ }
+
+-static int get_all_floating_irqs(struct kvm *kvm, __u8 *buf, __u64 len)
++static int get_all_floating_irqs(struct kvm *kvm, u8 __user *usrbuf, u64 len)
+ {
+ struct kvm_s390_interrupt_info *inti;
+ struct kvm_s390_float_interrupt *fi;
++ struct kvm_s390_irq *buf;
++ int max_irqs;
+ int ret = 0;
+ int n = 0;
+
++ if (len > KVM_S390_FLIC_MAX_BUFFER || len == 0)
++ return -EINVAL;
++
++ /*
++ * We are already using -ENOMEM to signal
++ * userspace it may retry with a bigger buffer,
++ * so we need to use something else for this case
++ */
++ buf = vzalloc(len);
++ if (!buf)
++ return -ENOBUFS;
++
++ max_irqs = len / sizeof(struct kvm_s390_irq);
++
+ fi = &kvm->arch.float_int;
+ spin_lock(&fi->lock);
+-
+ list_for_each_entry(inti, &fi->list, list) {
+- if (len < sizeof(struct kvm_s390_irq)) {
++ if (n == max_irqs) {
+ /* signal userspace to try again */
+ ret = -ENOMEM;
+ break;
+ }
+- ret = copy_irq_to_user(inti, buf);
+- if (ret)
+- break;
+- buf += sizeof(struct kvm_s390_irq);
+- len -= sizeof(struct kvm_s390_irq);
++ inti_to_irq(inti, &buf[n]);
+ n++;
+ }
+-
+ spin_unlock(&fi->lock);
++ if (!ret && n > 0) {
++ if (copy_to_user(usrbuf, buf, sizeof(struct kvm_s390_irq) * n))
++ ret = -EFAULT;
++ }
++ vfree(buf);
+
+ return ret < 0 ? ret : n;
+ }
+@@ -1520,7 +1526,7 @@ static int flic_get_attr(struct kvm_device *dev, struct kvm_device_attr *attr)
+
+ switch (attr->group) {
+ case KVM_DEV_FLIC_GET_ALL_IRQS:
+- r = get_all_floating_irqs(dev->kvm, (u8 *) attr->addr,
++ r = get_all_floating_irqs(dev->kvm, (u8 __user *) attr->addr,
+ attr->attr);
+ break;
+ default:
+diff --git a/arch/s390/kvm/kvm-s390.h b/arch/s390/kvm/kvm-s390.h
+index c34109a..6995a30 100644
+--- a/arch/s390/kvm/kvm-s390.h
++++ b/arch/s390/kvm/kvm-s390.h
+@@ -151,8 +151,8 @@ int __must_check kvm_s390_inject_vcpu(struct kvm_vcpu *vcpu,
+ int __must_check kvm_s390_inject_program_int(struct kvm_vcpu *vcpu, u16 code);
+ struct kvm_s390_interrupt_info *kvm_s390_get_io_int(struct kvm *kvm,
+ u64 cr6, u64 schid);
+-void kvm_s390_reinject_io_int(struct kvm *kvm,
+- struct kvm_s390_interrupt_info *inti);
++int kvm_s390_reinject_io_int(struct kvm *kvm,
++ struct kvm_s390_interrupt_info *inti);
+ int kvm_s390_mask_adapter(struct kvm *kvm, unsigned int id, bool masked);
+
+ /* implemented in intercept.c */
+diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c
+index 3511169..b982fbc 100644
+--- a/arch/s390/kvm/priv.c
++++ b/arch/s390/kvm/priv.c
+@@ -229,18 +229,19 @@ static int handle_tpi(struct kvm_vcpu *vcpu)
+ struct kvm_s390_interrupt_info *inti;
+ unsigned long len;
+ u32 tpi_data[3];
+- int cc, rc;
++ int rc;
+ u64 addr;
+
+- rc = 0;
+ addr = kvm_s390_get_base_disp_s(vcpu);
+ if (addr & 3)
+ return kvm_s390_inject_program_int(vcpu, PGM_SPECIFICATION);
+- cc = 0;
++
+ inti = kvm_s390_get_io_int(vcpu->kvm, vcpu->arch.sie_block->gcr[6], 0);
+- if (!inti)
+- goto no_interrupt;
+- cc = 1;
++ if (!inti) {
++ kvm_s390_set_psw_cc(vcpu, 0);
++ return 0;
++ }
++
+ tpi_data[0] = inti->io.subchannel_id << 16 | inti->io.subchannel_nr;
+ tpi_data[1] = inti->io.io_int_parm;
+ tpi_data[2] = inti->io.io_int_word;
+@@ -251,30 +252,38 @@ static int handle_tpi(struct kvm_vcpu *vcpu)
+ */
+ len = sizeof(tpi_data) - 4;
+ rc = write_guest(vcpu, addr, &tpi_data, len);
+- if (rc)
+- return kvm_s390_inject_prog_cond(vcpu, rc);
++ if (rc) {
++ rc = kvm_s390_inject_prog_cond(vcpu, rc);
++ goto reinject_interrupt;
++ }
+ } else {
+ /*
+ * Store the three-word I/O interruption code into
+ * the appropriate lowcore area.
+ */
+ len = sizeof(tpi_data);
+- if (write_guest_lc(vcpu, __LC_SUBCHANNEL_ID, &tpi_data, len))
++ if (write_guest_lc(vcpu, __LC_SUBCHANNEL_ID, &tpi_data, len)) {
++ /* failed writes to the low core are not recoverable */
+ rc = -EFAULT;
++ goto reinject_interrupt;
++ }
+ }
++
++ /* irq was successfully handed to the guest */
++ kfree(inti);
++ kvm_s390_set_psw_cc(vcpu, 1);
++ return 0;
++reinject_interrupt:
+ /*
+ * If we encounter a problem storing the interruption code, the
+ * instruction is suppressed from the guest's view: reinject the
+ * interrupt.
+ */
+- if (!rc)
++ if (kvm_s390_reinject_io_int(vcpu->kvm, inti)) {
+ kfree(inti);
+- else
+- kvm_s390_reinject_io_int(vcpu->kvm, inti);
+-no_interrupt:
+- /* Set condition code and we're done. */
+- if (!rc)
+- kvm_s390_set_psw_cc(vcpu, cc);
++ rc = -EFAULT;
++ }
++ /* don't set the cc, a pgm irq was injected or we drop to user space */
+ return rc ? -EFAULT : 0;
+ }
+
+@@ -467,6 +476,7 @@ static void handle_stsi_3_2_2(struct kvm_vcpu *vcpu, struct sysinfo_3_2_2 *mem)
+ for (n = mem->count - 1; n > 0 ; n--)
+ memcpy(&mem->vm[n], &mem->vm[n - 1], sizeof(mem->vm[0]));
+
++ memset(&mem->vm[0], 0, sizeof(mem->vm[0]));
+ mem->vm[0].cpus_total = cpus;
+ mem->vm[0].cpus_configured = cpus;
+ mem->vm[0].cpus_standby = 0;
+diff --git a/arch/x86/include/asm/insn.h b/arch/x86/include/asm/insn.h
+index 47f29b1..e7814b7 100644
+--- a/arch/x86/include/asm/insn.h
++++ b/arch/x86/include/asm/insn.h
+@@ -69,7 +69,7 @@ struct insn {
+ const insn_byte_t *next_byte;
+ };
+
+-#define MAX_INSN_SIZE 16
++#define MAX_INSN_SIZE 15
+
+ #define X86_MODRM_MOD(modrm) (((modrm) & 0xc0) >> 6)
+ #define X86_MODRM_REG(modrm) (((modrm) & 0x38) >> 3)
+diff --git a/arch/x86/include/asm/mwait.h b/arch/x86/include/asm/mwait.h
+index a1410db..653dfa7 100644
+--- a/arch/x86/include/asm/mwait.h
++++ b/arch/x86/include/asm/mwait.h
+@@ -30,6 +30,14 @@ static inline void __mwait(unsigned long eax, unsigned long ecx)
+ :: "a" (eax), "c" (ecx));
+ }
+
++static inline void __sti_mwait(unsigned long eax, unsigned long ecx)
++{
++ trace_hardirqs_on();
++ /* "mwait %eax, %ecx;" */
++ asm volatile("sti; .byte 0x0f, 0x01, 0xc9;"
++ :: "a" (eax), "c" (ecx));
++}
++
+ /*
+ * This uses new MONITOR/MWAIT instructions on P4 processors with PNI,
+ * which can obviate IPI to trigger checking of need_resched.
+diff --git a/arch/x86/include/asm/pvclock.h b/arch/x86/include/asm/pvclock.h
+index d6b078e..25b1cc0 100644
+--- a/arch/x86/include/asm/pvclock.h
++++ b/arch/x86/include/asm/pvclock.h
+@@ -95,6 +95,7 @@ unsigned __pvclock_read_cycles(const struct pvclock_vcpu_time_info *src,
+
+ struct pvclock_vsyscall_time_info {
+ struct pvclock_vcpu_time_info pvti;
++ u32 migrate_count;
+ } __attribute__((__aligned__(SMP_CACHE_BYTES)));
+
+ #define PVTI_SIZE sizeof(struct pvclock_vsyscall_time_info)
+diff --git a/arch/x86/kernel/cpu/perf_event_intel_ds.c b/arch/x86/kernel/cpu/perf_event_intel_ds.c
+index 0739833..666bcf1 100644
+--- a/arch/x86/kernel/cpu/perf_event_intel_ds.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_ds.c
+@@ -557,6 +557,8 @@ struct event_constraint intel_core2_pebs_event_constraints[] = {
+ INTEL_FLAGS_UEVENT_CONSTRAINT(0x00c5, 0x1), /* BR_INST_RETIRED.MISPRED */
+ INTEL_FLAGS_UEVENT_CONSTRAINT(0x1fc7, 0x1), /* SIMD_INST_RETURED.ANY */
+ INTEL_FLAGS_EVENT_CONSTRAINT(0xcb, 0x1), /* MEM_LOAD_RETIRED.* */
++ /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */
++ INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x01),
+ EVENT_CONSTRAINT_END
+ };
+
+@@ -564,6 +566,8 @@ struct event_constraint intel_atom_pebs_event_constraints[] = {
+ INTEL_FLAGS_UEVENT_CONSTRAINT(0x00c0, 0x1), /* INST_RETIRED.ANY */
+ INTEL_FLAGS_UEVENT_CONSTRAINT(0x00c5, 0x1), /* MISPREDICTED_BRANCH_RETIRED */
+ INTEL_FLAGS_EVENT_CONSTRAINT(0xcb, 0x1), /* MEM_LOAD_RETIRED.* */
++ /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */
++ INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x01),
+ EVENT_CONSTRAINT_END
+ };
+
+@@ -587,6 +591,8 @@ struct event_constraint intel_nehalem_pebs_event_constraints[] = {
+ INTEL_FLAGS_UEVENT_CONSTRAINT(0x20c8, 0xf), /* ITLB_MISS_RETIRED */
+ INTEL_FLAGS_EVENT_CONSTRAINT(0xcb, 0xf), /* MEM_LOAD_RETIRED.* */
+ INTEL_FLAGS_EVENT_CONSTRAINT(0xf7, 0xf), /* FP_ASSIST.* */
++ /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */
++ INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x0f),
+ EVENT_CONSTRAINT_END
+ };
+
+@@ -602,6 +608,8 @@ struct event_constraint intel_westmere_pebs_event_constraints[] = {
+ INTEL_FLAGS_UEVENT_CONSTRAINT(0x20c8, 0xf), /* ITLB_MISS_RETIRED */
+ INTEL_FLAGS_EVENT_CONSTRAINT(0xcb, 0xf), /* MEM_LOAD_RETIRED.* */
+ INTEL_FLAGS_EVENT_CONSTRAINT(0xf7, 0xf), /* FP_ASSIST.* */
++ /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */
++ INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x0f),
+ EVENT_CONSTRAINT_END
+ };
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 046e2d6..a388bb8 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -24,6 +24,7 @@
+ #include <asm/syscalls.h>
+ #include <asm/idle.h>
+ #include <asm/uaccess.h>
++#include <asm/mwait.h>
+ #include <asm/i387.h>
+ #include <asm/fpu-internal.h>
+ #include <asm/debugreg.h>
+@@ -399,6 +400,53 @@ static void amd_e400_idle(void)
+ default_idle();
+ }
+
++/*
++ * Intel Core2 and older machines prefer MWAIT over HALT for C1.
++ * We can't rely on cpuidle installing MWAIT, because it will not load
++ * on systems that support only C1 -- so the boot default must be MWAIT.
++ *
++ * Some AMD machines are the opposite, they depend on using HALT.
++ *
++ * So for default C1, which is used during boot until cpuidle loads,
++ * use MWAIT-C1 on Intel HW that has it, else use HALT.
++ */
++static int prefer_mwait_c1_over_halt(const struct cpuinfo_x86 *c)
++{
++ if (c->x86_vendor != X86_VENDOR_INTEL)
++ return 0;
++
++ if (!cpu_has(c, X86_FEATURE_MWAIT))
++ return 0;
++
++ return 1;
++}
++
++/*
++ * MONITOR/MWAIT with no hints, used for default default C1 state.
++ * This invokes MWAIT with interrutps enabled and no flags,
++ * which is backwards compatible with the original MWAIT implementation.
++ */
++
++static void mwait_idle(void)
++{
++ if (!current_set_polling_and_test()) {
++ if (this_cpu_has(X86_BUG_CLFLUSH_MONITOR)) {
++ smp_mb(); /* quirk */
++ clflush((void *)&current_thread_info()->flags);
++ smp_mb(); /* quirk */
++ }
++
++ __monitor((void *)&current_thread_info()->flags, 0, 0);
++ if (!need_resched())
++ __sti_mwait(0, 0);
++ else
++ local_irq_enable();
++ } else {
++ local_irq_enable();
++ }
++ __current_clr_polling();
++}
++
+ void select_idle_routine(const struct cpuinfo_x86 *c)
+ {
+ #ifdef CONFIG_SMP
+@@ -412,6 +460,9 @@ void select_idle_routine(const struct cpuinfo_x86 *c)
+ /* E400: APIC timer interrupt does not wake up CPU from C1e */
+ pr_info("using AMD E400 aware idle routine\n");
+ x86_idle = amd_e400_idle;
++ } else if (prefer_mwait_c1_over_halt(c)) {
++ pr_info("using mwait in idle threads\n");
++ x86_idle = mwait_idle;
+ } else
+ x86_idle = default_idle;
+ }
+diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
+index 2f355d2..e5ecd20 100644
+--- a/arch/x86/kernel/pvclock.c
++++ b/arch/x86/kernel/pvclock.c
+@@ -141,7 +141,46 @@ void pvclock_read_wallclock(struct pvclock_wall_clock *wall_clock,
+ set_normalized_timespec(ts, now.tv_sec, now.tv_nsec);
+ }
+
++static struct pvclock_vsyscall_time_info *pvclock_vdso_info;
++
++static struct pvclock_vsyscall_time_info *
++pvclock_get_vsyscall_user_time_info(int cpu)
++{
++ if (!pvclock_vdso_info) {
++ BUG();
++ return NULL;
++ }
++
++ return &pvclock_vdso_info[cpu];
++}
++
++struct pvclock_vcpu_time_info *pvclock_get_vsyscall_time_info(int cpu)
++{
++ return &pvclock_get_vsyscall_user_time_info(cpu)->pvti;
++}
++
+ #ifdef CONFIG_X86_64
++static int pvclock_task_migrate(struct notifier_block *nb, unsigned long l,
++ void *v)
++{
++ struct task_migration_notifier *mn = v;
++ struct pvclock_vsyscall_time_info *pvti;
++
++ pvti = pvclock_get_vsyscall_user_time_info(mn->from_cpu);
++
++ /* this is NULL when pvclock vsyscall is not initialized */
++ if (unlikely(pvti == NULL))
++ return NOTIFY_DONE;
++
++ pvti->migrate_count++;
++
++ return NOTIFY_DONE;
++}
++
++static struct notifier_block pvclock_migrate = {
++ .notifier_call = pvclock_task_migrate,
++};
++
+ /*
+ * Initialize the generic pvclock vsyscall state. This will allocate
+ * a/some page(s) for the per-vcpu pvclock information, set up a
+@@ -155,12 +194,17 @@ int __init pvclock_init_vsyscall(struct pvclock_vsyscall_time_info *i,
+
+ WARN_ON (size != PVCLOCK_VSYSCALL_NR_PAGES*PAGE_SIZE);
+
++ pvclock_vdso_info = i;
++
+ for (idx = 0; idx <= (PVCLOCK_FIXMAP_END-PVCLOCK_FIXMAP_BEGIN); idx++) {
+ __set_fixmap(PVCLOCK_FIXMAP_BEGIN + idx,
+ __pa(i) + (idx*PAGE_SIZE),
+ PAGE_KERNEL_VVAR);
+ }
+
++
++ register_task_migration_notifier(&pvclock_migrate);
++
+ return 0;
+ }
+ #endif
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index ae4f6d3..a60bd3a 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -3621,8 +3621,16 @@ static void vmx_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3)
+
+ static int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ {
+- unsigned long hw_cr4 = cr4 | (to_vmx(vcpu)->rmode.vm86_active ?
+- KVM_RMODE_VM_CR4_ALWAYS_ON : KVM_PMODE_VM_CR4_ALWAYS_ON);
++ /*
++ * Pass through host's Machine Check Enable value to hw_cr4, which
++ * is in force while we are in guest mode. Do not let guests control
++ * this bit, even if host CR4.MCE == 0.
++ */
++ unsigned long hw_cr4 =
++ (cr4_read_shadow() & X86_CR4_MCE) |
++ (cr4 & ~X86_CR4_MCE) |
++ (to_vmx(vcpu)->rmode.vm86_active ?
++ KVM_RMODE_VM_CR4_ALWAYS_ON : KVM_PMODE_VM_CR4_ALWAYS_ON);
+
+ if (cr4 & X86_CR4_VMXE) {
+ /*
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 32bf19e..e222ba5 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5775,7 +5775,6 @@ int kvm_arch_init(void *opaque)
+ kvm_set_mmio_spte_mask();
+
+ kvm_x86_ops = ops;
+- kvm_init_msr_list();
+
+ kvm_mmu_set_mask_ptes(PT_USER_MASK, PT_ACCESSED_MASK,
+ PT_DIRTY_MASK, PT64_NX_MASK, 0);
+@@ -7209,7 +7208,14 @@ void kvm_arch_hardware_disable(void)
+
+ int kvm_arch_hardware_setup(void)
+ {
+- return kvm_x86_ops->hardware_setup();
++ int r;
++
++ r = kvm_x86_ops->hardware_setup();
++ if (r != 0)
++ return r;
++
++ kvm_init_msr_list();
++ return 0;
+ }
+
+ void kvm_arch_hardware_unsetup(void)
+diff --git a/arch/x86/lib/insn.c b/arch/x86/lib/insn.c
+index 1313ae6..85994f5 100644
+--- a/arch/x86/lib/insn.c
++++ b/arch/x86/lib/insn.c
+@@ -52,6 +52,13 @@
+ */
+ void insn_init(struct insn *insn, const void *kaddr, int buf_len, int x86_64)
+ {
++ /*
++ * Instructions longer than MAX_INSN_SIZE (15 bytes) are invalid
++ * even if the input buffer is long enough to hold them.
++ */
++ if (buf_len > MAX_INSN_SIZE)
++ buf_len = MAX_INSN_SIZE;
++
+ memset(insn, 0, sizeof(*insn));
+ insn->kaddr = kaddr;
+ insn->end_kaddr = kaddr + buf_len;
+diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
+index 1f33b3d..0a42327 100644
+--- a/arch/x86/lib/usercopy_64.c
++++ b/arch/x86/lib/usercopy_64.c
+@@ -82,7 +82,7 @@ copy_user_handle_tail(char *to, char *from, unsigned len)
+ clac();
+
+ /* If the destination is a kernel buffer, we always clear the end */
+- if ((unsigned long)to >= TASK_SIZE_MAX)
++ if (!__addr_ok(to))
+ memset(to, 0, len);
+ return len;
+ }
+diff --git a/arch/x86/vdso/vclock_gettime.c b/arch/x86/vdso/vclock_gettime.c
+index 9793322..40d2473 100644
+--- a/arch/x86/vdso/vclock_gettime.c
++++ b/arch/x86/vdso/vclock_gettime.c
+@@ -82,18 +82,15 @@ static notrace cycle_t vread_pvclock(int *mode)
+ cycle_t ret;
+ u64 last;
+ u32 version;
++ u32 migrate_count;
+ u8 flags;
+ unsigned cpu, cpu1;
+
+
+ /*
+- * Note: hypervisor must guarantee that:
+- * 1. cpu ID number maps 1:1 to per-CPU pvclock time info.
+- * 2. that per-CPU pvclock time info is updated if the
+- * underlying CPU changes.
+- * 3. that version is increased whenever underlying CPU
+- * changes.
+- *
++ * When looping to get a consistent (time-info, tsc) pair, we
++ * also need to deal with the possibility we can switch vcpus,
++ * so make sure we always re-fetch time-info for the current vcpu.
+ */
+ do {
+ cpu = __getcpu() & VGETCPU_CPU_MASK;
+@@ -102,20 +99,27 @@ static notrace cycle_t vread_pvclock(int *mode)
+ * __getcpu() calls (Gleb).
+ */
+
+- pvti = get_pvti(cpu);
++ /* Make sure migrate_count will change if we leave the VCPU. */
++ do {
++ pvti = get_pvti(cpu);
++ migrate_count = pvti->migrate_count;
++
++ cpu1 = cpu;
++ cpu = __getcpu() & VGETCPU_CPU_MASK;
++ } while (unlikely(cpu != cpu1));
+
+ version = __pvclock_read_cycles(&pvti->pvti, &ret, &flags);
+
+ /*
+ * Test we're still on the cpu as well as the version.
+- * We could have been migrated just after the first
+- * vgetcpu but before fetching the version, so we
+- * wouldn't notice a version change.
++ * - We must read TSC of pvti's VCPU.
++ * - KVM doesn't follow the versioning protocol, so data could
++ * change before version if we left the VCPU.
+ */
+- cpu1 = __getcpu() & VGETCPU_CPU_MASK;
+- } while (unlikely(cpu != cpu1 ||
+- (pvti->pvti.version & 1) ||
+- pvti->pvti.version != version));
++ smp_rmb();
++ } while (unlikely((pvti->pvti.version & 1) ||
++ pvti->pvti.version != version ||
++ pvti->migrate_count != migrate_count));
+
+ if (unlikely(!(flags & PVCLOCK_TSC_STABLE_BIT)))
+ *mode = VCLOCK_NONE;
+diff --git a/arch/xtensa/Kconfig b/arch/xtensa/Kconfig
+index e31d494..87be10e 100644
+--- a/arch/xtensa/Kconfig
++++ b/arch/xtensa/Kconfig
+@@ -428,6 +428,36 @@ config DEFAULT_MEM_SIZE
+
+ If unsure, leave the default value here.
+
++config XTFPGA_LCD
++ bool "Enable XTFPGA LCD driver"
++ depends on XTENSA_PLATFORM_XTFPGA
++ default n
++ help
++ There's a 2x16 LCD on most of XTFPGA boards, kernel may output
++ progress messages there during bootup/shutdown. It may be useful
++ during board bringup.
++
++ If unsure, say N.
++
++config XTFPGA_LCD_BASE_ADDR
++ hex "XTFPGA LCD base address"
++ depends on XTFPGA_LCD
++ default "0x0d0c0000"
++ help
++ Base address of the LCD controller inside KIO region.
++ Different boards from XTFPGA family have LCD controller at different
++ addresses. Please consult prototyping user guide for your board for
++ the correct address. Wrong address here may lead to hardware lockup.
++
++config XTFPGA_LCD_8BIT_ACCESS
++ bool "Use 8-bit access to XTFPGA LCD"
++ depends on XTFPGA_LCD
++ default n
++ help
++ LCD may be connected with 4- or 8-bit interface, 8-bit access may
++ only be used with 8-bit interface. Please consult prototyping user
++ guide for your board for the correct interface width.
++
+ endmenu
+
+ menu "Executable file formats"
+diff --git a/arch/xtensa/include/uapi/asm/unistd.h b/arch/xtensa/include/uapi/asm/unistd.h
+index db5bb72..62d8465 100644
+--- a/arch/xtensa/include/uapi/asm/unistd.h
++++ b/arch/xtensa/include/uapi/asm/unistd.h
+@@ -715,7 +715,7 @@ __SYSCALL(323, sys_process_vm_writev, 6)
+ __SYSCALL(324, sys_name_to_handle_at, 5)
+ #define __NR_open_by_handle_at 325
+ __SYSCALL(325, sys_open_by_handle_at, 3)
+-#define __NR_sync_file_range 326
++#define __NR_sync_file_range2 326
+ __SYSCALL(326, sys_sync_file_range2, 6)
+ #define __NR_perf_event_open 327
+ __SYSCALL(327, sys_perf_event_open, 5)
+diff --git a/arch/xtensa/platforms/iss/network.c b/arch/xtensa/platforms/iss/network.c
+index d05f8fe..17b1ef3 100644
+--- a/arch/xtensa/platforms/iss/network.c
++++ b/arch/xtensa/platforms/iss/network.c
+@@ -349,8 +349,8 @@ static void iss_net_timer(unsigned long priv)
+ {
+ struct iss_net_private *lp = (struct iss_net_private *)priv;
+
+- spin_lock(&lp->lock);
+ iss_net_poll();
++ spin_lock(&lp->lock);
+ mod_timer(&lp->timer, jiffies + lp->timer_val);
+ spin_unlock(&lp->lock);
+ }
+@@ -361,7 +361,7 @@ static int iss_net_open(struct net_device *dev)
+ struct iss_net_private *lp = netdev_priv(dev);
+ int err;
+
+- spin_lock(&lp->lock);
++ spin_lock_bh(&lp->lock);
+
+ err = lp->tp.open(lp);
+ if (err < 0)
+@@ -376,9 +376,11 @@ static int iss_net_open(struct net_device *dev)
+ while ((err = iss_net_rx(dev)) > 0)
+ ;
+
+- spin_lock(&opened_lock);
++ spin_unlock_bh(&lp->lock);
++ spin_lock_bh(&opened_lock);
+ list_add(&lp->opened_list, &opened);
+- spin_unlock(&opened_lock);
++ spin_unlock_bh(&opened_lock);
++ spin_lock_bh(&lp->lock);
+
+ init_timer(&lp->timer);
+ lp->timer_val = ISS_NET_TIMER_VALUE;
+@@ -387,7 +389,7 @@ static int iss_net_open(struct net_device *dev)
+ mod_timer(&lp->timer, jiffies + lp->timer_val);
+
+ out:
+- spin_unlock(&lp->lock);
++ spin_unlock_bh(&lp->lock);
+ return err;
+ }
+
+@@ -395,7 +397,7 @@ static int iss_net_close(struct net_device *dev)
+ {
+ struct iss_net_private *lp = netdev_priv(dev);
+ netif_stop_queue(dev);
+- spin_lock(&lp->lock);
++ spin_lock_bh(&lp->lock);
+
+ spin_lock(&opened_lock);
+ list_del(&opened);
+@@ -405,18 +407,17 @@ static int iss_net_close(struct net_device *dev)
+
+ lp->tp.close(lp);
+
+- spin_unlock(&lp->lock);
++ spin_unlock_bh(&lp->lock);
+ return 0;
+ }
+
+ static int iss_net_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct iss_net_private *lp = netdev_priv(dev);
+- unsigned long flags;
+ int len;
+
+ netif_stop_queue(dev);
+- spin_lock_irqsave(&lp->lock, flags);
++ spin_lock_bh(&lp->lock);
+
+ len = lp->tp.write(lp, &skb);
+
+@@ -438,7 +439,7 @@ static int iss_net_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ pr_err("%s: %s failed(%d)\n", dev->name, __func__, len);
+ }
+
+- spin_unlock_irqrestore(&lp->lock, flags);
++ spin_unlock_bh(&lp->lock);
+
+ dev_kfree_skb(skb);
+ return NETDEV_TX_OK;
+@@ -466,9 +467,9 @@ static int iss_net_set_mac(struct net_device *dev, void *addr)
+
+ if (!is_valid_ether_addr(hwaddr->sa_data))
+ return -EADDRNOTAVAIL;
+- spin_lock(&lp->lock);
++ spin_lock_bh(&lp->lock);
+ memcpy(dev->dev_addr, hwaddr->sa_data, ETH_ALEN);
+- spin_unlock(&lp->lock);
++ spin_unlock_bh(&lp->lock);
+ return 0;
+ }
+
+@@ -520,11 +521,11 @@ static int iss_net_configure(int index, char *init)
+ *lp = (struct iss_net_private) {
+ .device_list = LIST_HEAD_INIT(lp->device_list),
+ .opened_list = LIST_HEAD_INIT(lp->opened_list),
+- .lock = __SPIN_LOCK_UNLOCKED(lp.lock),
+ .dev = dev,
+ .index = index,
+- };
++ };
+
++ spin_lock_init(&lp->lock);
+ /*
+ * If this name ends up conflicting with an existing registered
+ * netdevice, that is OK, register_netdev{,ice}() will notice this
+diff --git a/arch/xtensa/platforms/xtfpga/Makefile b/arch/xtensa/platforms/xtfpga/Makefile
+index b9ae206..7839d38 100644
+--- a/arch/xtensa/platforms/xtfpga/Makefile
++++ b/arch/xtensa/platforms/xtfpga/Makefile
+@@ -6,4 +6,5 @@
+ #
+ # Note 2! The CFLAGS definitions are in the main makefile...
+
+-obj-y = setup.o lcd.o
++obj-y += setup.o
++obj-$(CONFIG_XTFPGA_LCD) += lcd.o
+diff --git a/arch/xtensa/platforms/xtfpga/include/platform/hardware.h b/arch/xtensa/platforms/xtfpga/include/platform/hardware.h
+index 6edd20b..4e0af26 100644
+--- a/arch/xtensa/platforms/xtfpga/include/platform/hardware.h
++++ b/arch/xtensa/platforms/xtfpga/include/platform/hardware.h
+@@ -40,9 +40,6 @@
+
+ /* UART */
+ #define DUART16552_PADDR (XCHAL_KIO_PADDR + 0x0D050020)
+-/* LCD instruction and data addresses. */
+-#define LCD_INSTR_ADDR ((char *)IOADDR(0x0D040000))
+-#define LCD_DATA_ADDR ((char *)IOADDR(0x0D040004))
+
+ /* Misc. */
+ #define XTFPGA_FPGAREGS_VADDR IOADDR(0x0D020000)
+diff --git a/arch/xtensa/platforms/xtfpga/include/platform/lcd.h b/arch/xtensa/platforms/xtfpga/include/platform/lcd.h
+index 0e43564..4c8541e 100644
+--- a/arch/xtensa/platforms/xtfpga/include/platform/lcd.h
++++ b/arch/xtensa/platforms/xtfpga/include/platform/lcd.h
+@@ -11,10 +11,25 @@
+ #ifndef __XTENSA_XTAVNET_LCD_H
+ #define __XTENSA_XTAVNET_LCD_H
+
++#ifdef CONFIG_XTFPGA_LCD
+ /* Display string STR at position POS on the LCD. */
+ void lcd_disp_at_pos(char *str, unsigned char pos);
+
+ /* Shift the contents of the LCD display left or right. */
+ void lcd_shiftleft(void);
+ void lcd_shiftright(void);
++#else
++static inline void lcd_disp_at_pos(char *str, unsigned char pos)
++{
++}
++
++static inline void lcd_shiftleft(void)
++{
++}
++
++static inline void lcd_shiftright(void)
++{
++}
++#endif
++
+ #endif
+diff --git a/arch/xtensa/platforms/xtfpga/lcd.c b/arch/xtensa/platforms/xtfpga/lcd.c
+index 2872301..4dc0c1b 100644
+--- a/arch/xtensa/platforms/xtfpga/lcd.c
++++ b/arch/xtensa/platforms/xtfpga/lcd.c
+@@ -1,50 +1,63 @@
+ /*
+- * Driver for the LCD display on the Tensilica LX60 Board.
++ * Driver for the LCD display on the Tensilica XTFPGA board family.
++ * http://www.mytechcorp.com/cfdata/productFile/File1/MOC-16216B-B-A0A04.pdf
+ *
+ * This file is subject to the terms and conditions of the GNU General Public
+ * License. See the file "COPYING" in the main directory of this archive
+ * for more details.
+ *
+ * Copyright (C) 2001, 2006 Tensilica Inc.
++ * Copyright (C) 2015 Cadence Design Systems Inc.
+ */
+
+-/*
+- *
+- * FIXME: this code is from the examples from the LX60 user guide.
+- *
+- * The lcd_pause function does busy waiting, which is probably not
+- * great. Maybe the code could be changed to use kernel timers, or
+- * change the hardware to not need to wait.
+- */
+-
++#include <linux/delay.h>
+ #include <linux/init.h>
+ #include <linux/io.h>
+
+ #include <platform/hardware.h>
+ #include <platform/lcd.h>
+-#include <linux/delay.h>
+
+-#define LCD_PAUSE_ITERATIONS 4000
++/* LCD instruction and data addresses. */
++#define LCD_INSTR_ADDR ((char *)IOADDR(CONFIG_XTFPGA_LCD_BASE_ADDR))
++#define LCD_DATA_ADDR (LCD_INSTR_ADDR + 4)
++
+ #define LCD_CLEAR 0x1
+ #define LCD_DISPLAY_ON 0xc
+
+ /* 8bit and 2 lines display */
+ #define LCD_DISPLAY_MODE8BIT 0x38
++#define LCD_DISPLAY_MODE4BIT 0x28
+ #define LCD_DISPLAY_POS 0x80
+ #define LCD_SHIFT_LEFT 0x18
+ #define LCD_SHIFT_RIGHT 0x1c
+
++static void lcd_put_byte(u8 *addr, u8 data)
++{
++#ifdef CONFIG_XTFPGA_LCD_8BIT_ACCESS
++ ACCESS_ONCE(*addr) = data;
++#else
++ ACCESS_ONCE(*addr) = data & 0xf0;
++ ACCESS_ONCE(*addr) = (data << 4) & 0xf0;
++#endif
++}
++
+ static int __init lcd_init(void)
+ {
+- *LCD_INSTR_ADDR = LCD_DISPLAY_MODE8BIT;
++ ACCESS_ONCE(*LCD_INSTR_ADDR) = LCD_DISPLAY_MODE8BIT;
+ mdelay(5);
+- *LCD_INSTR_ADDR = LCD_DISPLAY_MODE8BIT;
++ ACCESS_ONCE(*LCD_INSTR_ADDR) = LCD_DISPLAY_MODE8BIT;
+ udelay(200);
+- *LCD_INSTR_ADDR = LCD_DISPLAY_MODE8BIT;
++ ACCESS_ONCE(*LCD_INSTR_ADDR) = LCD_DISPLAY_MODE8BIT;
++ udelay(50);
++#ifndef CONFIG_XTFPGA_LCD_8BIT_ACCESS
++ ACCESS_ONCE(*LCD_INSTR_ADDR) = LCD_DISPLAY_MODE4BIT;
++ udelay(50);
++ lcd_put_byte(LCD_INSTR_ADDR, LCD_DISPLAY_MODE4BIT);
+ udelay(50);
+- *LCD_INSTR_ADDR = LCD_DISPLAY_ON;
++#endif
++ lcd_put_byte(LCD_INSTR_ADDR, LCD_DISPLAY_ON);
+ udelay(50);
+- *LCD_INSTR_ADDR = LCD_CLEAR;
++ lcd_put_byte(LCD_INSTR_ADDR, LCD_CLEAR);
+ mdelay(10);
+ lcd_disp_at_pos("XTENSA LINUX", 0);
+ return 0;
+@@ -52,10 +65,10 @@ static int __init lcd_init(void)
+
+ void lcd_disp_at_pos(char *str, unsigned char pos)
+ {
+- *LCD_INSTR_ADDR = LCD_DISPLAY_POS | pos;
++ lcd_put_byte(LCD_INSTR_ADDR, LCD_DISPLAY_POS | pos);
+ udelay(100);
+ while (*str != 0) {
+- *LCD_DATA_ADDR = *str;
++ lcd_put_byte(LCD_DATA_ADDR, *str);
+ udelay(200);
+ str++;
+ }
+@@ -63,13 +76,13 @@ void lcd_disp_at_pos(char *str, unsigned char pos)
+
+ void lcd_shiftleft(void)
+ {
+- *LCD_INSTR_ADDR = LCD_SHIFT_LEFT;
++ lcd_put_byte(LCD_INSTR_ADDR, LCD_SHIFT_LEFT);
+ udelay(50);
+ }
+
+ void lcd_shiftright(void)
+ {
+- *LCD_INSTR_ADDR = LCD_SHIFT_RIGHT;
++ lcd_put_byte(LCD_INSTR_ADDR, LCD_SHIFT_RIGHT);
+ udelay(50);
+ }
+
+diff --git a/drivers/acpi/acpica/evgpe.c b/drivers/acpi/acpica/evgpe.c
+index 5ed064e..ccf7932 100644
+--- a/drivers/acpi/acpica/evgpe.c
++++ b/drivers/acpi/acpica/evgpe.c
+@@ -92,6 +92,7 @@ acpi_ev_update_gpe_enable_mask(struct acpi_gpe_event_info *gpe_event_info)
+ ACPI_SET_BIT(gpe_register_info->enable_for_run,
+ (u8)register_bit);
+ }
++ gpe_register_info->enable_mask = gpe_register_info->enable_for_run;
+
+ return_ACPI_STATUS(AE_OK);
+ }
+@@ -123,7 +124,7 @@ acpi_status acpi_ev_enable_gpe(struct acpi_gpe_event_info *gpe_event_info)
+
+ /* Enable the requested GPE */
+
+- status = acpi_hw_low_set_gpe(gpe_event_info, ACPI_GPE_ENABLE_SAVE);
++ status = acpi_hw_low_set_gpe(gpe_event_info, ACPI_GPE_ENABLE);
+ return_ACPI_STATUS(status);
+ }
+
+@@ -202,7 +203,7 @@ acpi_ev_remove_gpe_reference(struct acpi_gpe_event_info *gpe_event_info)
+ if (ACPI_SUCCESS(status)) {
+ status =
+ acpi_hw_low_set_gpe(gpe_event_info,
+- ACPI_GPE_DISABLE_SAVE);
++ ACPI_GPE_DISABLE);
+ }
+
+ if (ACPI_FAILURE(status)) {
+diff --git a/drivers/acpi/acpica/hwgpe.c b/drivers/acpi/acpica/hwgpe.c
+index 84bc550..af6514e 100644
+--- a/drivers/acpi/acpica/hwgpe.c
++++ b/drivers/acpi/acpica/hwgpe.c
+@@ -89,6 +89,8 @@ u32 acpi_hw_get_gpe_register_bit(struct acpi_gpe_event_info *gpe_event_info)
+ * RETURN: Status
+ *
+ * DESCRIPTION: Enable or disable a single GPE in the parent enable register.
++ * The enable_mask field of the involved GPE register must be
++ * updated by the caller if necessary.
+ *
+ ******************************************************************************/
+
+@@ -119,7 +121,7 @@ acpi_hw_low_set_gpe(struct acpi_gpe_event_info *gpe_event_info, u32 action)
+ /* Set or clear just the bit that corresponds to this GPE */
+
+ register_bit = acpi_hw_get_gpe_register_bit(gpe_event_info);
+- switch (action & ~ACPI_GPE_SAVE_MASK) {
++ switch (action) {
+ case ACPI_GPE_CONDITIONAL_ENABLE:
+
+ /* Only enable if the corresponding enable_mask bit is set */
+@@ -149,9 +151,6 @@ acpi_hw_low_set_gpe(struct acpi_gpe_event_info *gpe_event_info, u32 action)
+ /* Write the updated enable mask */
+
+ status = acpi_hw_write(enable_mask, &gpe_register_info->enable_address);
+- if (ACPI_SUCCESS(status) && (action & ACPI_GPE_SAVE_MASK)) {
+- gpe_register_info->enable_mask = (u8)enable_mask;
+- }
+ return (status);
+ }
+
+@@ -286,10 +285,8 @@ acpi_hw_gpe_enable_write(u8 enable_mask,
+ {
+ acpi_status status;
+
++ gpe_register_info->enable_mask = enable_mask;
+ status = acpi_hw_write(enable_mask, &gpe_register_info->enable_address);
+- if (ACPI_SUCCESS(status)) {
+- gpe_register_info->enable_mask = enable_mask;
+- }
+ return (status);
+ }
+
+diff --git a/drivers/acpi/acpica/tbinstal.c b/drivers/acpi/acpica/tbinstal.c
+index 9bad45e..7fbc2b9 100644
+--- a/drivers/acpi/acpica/tbinstal.c
++++ b/drivers/acpi/acpica/tbinstal.c
+@@ -346,7 +346,6 @@ acpi_tb_install_standard_table(acpi_physical_address address,
+ */
+ acpi_tb_uninstall_table(&new_table_desc);
+ *table_index = i;
+- (void)acpi_ut_release_mutex(ACPI_MTX_TABLES);
+ return_ACPI_STATUS(AE_OK);
+ }
+ }
+diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
+index bbca783..349f4fd 100644
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -298,7 +298,11 @@ bool acpi_scan_is_offline(struct acpi_device *adev, bool uevent)
+ struct acpi_device_physical_node *pn;
+ bool offline = true;
+
+- mutex_lock(&adev->physical_node_lock);
++ /*
++ * acpi_container_offline() calls this for all of the container's
++ * children under the container's physical_node_lock lock.
++ */
++ mutex_lock_nested(&adev->physical_node_lock, SINGLE_DEPTH_NESTING);
+
+ list_for_each_entry(pn, &adev->physical_node_list, node)
+ if (device_supports_offline(pn->dev) && !pn->dev->offline) {
+diff --git a/drivers/base/bus.c b/drivers/base/bus.c
+index 876bae5..79bc203 100644
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -515,11 +515,11 @@ int bus_add_device(struct device *dev)
+ goto out_put;
+ error = device_add_groups(dev, bus->dev_groups);
+ if (error)
+- goto out_groups;
++ goto out_id;
+ error = sysfs_create_link(&bus->p->devices_kset->kobj,
+ &dev->kobj, dev_name(dev));
+ if (error)
+- goto out_id;
++ goto out_groups;
+ error = sysfs_create_link(&dev->kobj,
+ &dev->bus->p->subsys.kobj, "subsystem");
+ if (error)
+diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c
+index 6e64563..9c2ba1c 100644
+--- a/drivers/base/cacheinfo.c
++++ b/drivers/base/cacheinfo.c
+@@ -62,15 +62,21 @@ static int cache_setup_of_node(unsigned int cpu)
+ return -ENOENT;
+ }
+
+- while (np && index < cache_leaves(cpu)) {
++ while (index < cache_leaves(cpu)) {
+ this_leaf = this_cpu_ci->info_list + index;
+ if (this_leaf->level != 1)
+ np = of_find_next_cache_node(np);
+ else
+ np = of_node_get(np);/* cpu node itself */
++ if (!np)
++ break;
+ this_leaf->of_node = np;
+ index++;
+ }
++
++ if (index != cache_leaves(cpu)) /* not all OF nodes populated */
++ return -ENOENT;
++
+ return 0;
+ }
+
+@@ -189,8 +195,11 @@ static int detect_cache_attributes(unsigned int cpu)
+ * will be set up here only if they are not populated already
+ */
+ ret = cache_shared_cpu_map_setup(cpu);
+- if (ret)
++ if (ret) {
++ pr_warn("Unable to detect cache hierarcy from DT for CPU %d\n",
++ cpu);
+ goto free_ci;
++ }
+ return 0;
+
+ free_ci:
+diff --git a/drivers/base/platform.c b/drivers/base/platform.c
+index 9421fed..e68ab79 100644
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -101,6 +101,15 @@ int platform_get_irq(struct platform_device *dev, unsigned int num)
+ }
+
+ r = platform_get_resource(dev, IORESOURCE_IRQ, num);
++ /*
++ * The resources may pass trigger flags to the irqs that need
++ * to be set up. It so happens that the trigger flags for
++ * IORESOURCE_BITS correspond 1-to-1 to the IRQF_TRIGGER*
++ * settings.
++ */
++ if (r && r->flags & IORESOURCE_BITS)
++ irqd_set_trigger_type(irq_get_irq_data(r->start),
++ r->flags & IORESOURCE_BITS);
+
+ return r ? r->start : -ENXIO;
+ #endif
+diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
+index de4c849..288547a 100644
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -65,6 +65,7 @@ static const struct usb_device_id ath3k_table[] = {
+ /* Atheros AR3011 with sflash firmware*/
+ { USB_DEVICE(0x0489, 0xE027) },
+ { USB_DEVICE(0x0489, 0xE03D) },
++ { USB_DEVICE(0x04F2, 0xAFF1) },
+ { USB_DEVICE(0x0930, 0x0215) },
+ { USB_DEVICE(0x0CF3, 0x3002) },
+ { USB_DEVICE(0x0CF3, 0xE019) },
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 8bfc4c2..2c527da 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -159,6 +159,7 @@ static const struct usb_device_id blacklist_table[] = {
+ /* Atheros 3011 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
+ { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
++ { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE },
+ { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
+ { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
+ { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
+diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
+index e096e9c..283f00a 100644
+--- a/drivers/char/tpm/tpm-chip.c
++++ b/drivers/char/tpm/tpm-chip.c
+@@ -170,6 +170,41 @@ static void tpm_dev_del_device(struct tpm_chip *chip)
+ device_unregister(&chip->dev);
+ }
+
++static int tpm1_chip_register(struct tpm_chip *chip)
++{
++ int rc;
++
++ if (chip->flags & TPM_CHIP_FLAG_TPM2)
++ return 0;
++
++ rc = tpm_sysfs_add_device(chip);
++ if (rc)
++ return rc;
++
++ rc = tpm_add_ppi(chip);
++ if (rc) {
++ tpm_sysfs_del_device(chip);
++ return rc;
++ }
++
++ chip->bios_dir = tpm_bios_log_setup(chip->devname);
++
++ return 0;
++}
++
++static void tpm1_chip_unregister(struct tpm_chip *chip)
++{
++ if (chip->flags & TPM_CHIP_FLAG_TPM2)
++ return;
++
++ if (chip->bios_dir)
++ tpm_bios_log_teardown(chip->bios_dir);
++
++ tpm_remove_ppi(chip);
++
++ tpm_sysfs_del_device(chip);
++}
++
+ /*
+ * tpm_chip_register() - create a character device for the TPM chip
+ * @chip: TPM chip to use.
+@@ -185,22 +220,13 @@ int tpm_chip_register(struct tpm_chip *chip)
+ {
+ int rc;
+
+- /* Populate sysfs for TPM1 devices. */
+- if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) {
+- rc = tpm_sysfs_add_device(chip);
+- if (rc)
+- goto del_misc;
+-
+- rc = tpm_add_ppi(chip);
+- if (rc)
+- goto del_sysfs;
+-
+- chip->bios_dir = tpm_bios_log_setup(chip->devname);
+- }
++ rc = tpm1_chip_register(chip);
++ if (rc)
++ return rc;
+
+ rc = tpm_dev_add_device(chip);
+ if (rc)
+- return rc;
++ goto out_err;
+
+ /* Make the chip available. */
+ spin_lock(&driver_lock);
+@@ -210,10 +236,8 @@ int tpm_chip_register(struct tpm_chip *chip)
+ chip->flags |= TPM_CHIP_FLAG_REGISTERED;
+
+ return 0;
+-del_sysfs:
+- tpm_sysfs_del_device(chip);
+-del_misc:
+- tpm_dev_del_device(chip);
++out_err:
++ tpm1_chip_unregister(chip);
+ return rc;
+ }
+ EXPORT_SYMBOL_GPL(tpm_chip_register);
+@@ -238,13 +262,7 @@ void tpm_chip_unregister(struct tpm_chip *chip)
+ spin_unlock(&driver_lock);
+ synchronize_rcu();
+
+- if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) {
+- if (chip->bios_dir)
+- tpm_bios_log_teardown(chip->bios_dir);
+- tpm_remove_ppi(chip);
+- tpm_sysfs_del_device(chip);
+- }
+-
++ tpm1_chip_unregister(chip);
+ tpm_dev_del_device(chip);
+ }
+ EXPORT_SYMBOL_GPL(tpm_chip_unregister);
+diff --git a/drivers/clk/at91/clk-usb.c b/drivers/clk/at91/clk-usb.c
+index a23ac0c..0b7c3e8 100644
+--- a/drivers/clk/at91/clk-usb.c
++++ b/drivers/clk/at91/clk-usb.c
+@@ -56,22 +56,55 @@ static unsigned long at91sam9x5_clk_usb_recalc_rate(struct clk_hw *hw,
+ return DIV_ROUND_CLOSEST(parent_rate, (usbdiv + 1));
+ }
+
+-static long at91sam9x5_clk_usb_round_rate(struct clk_hw *hw, unsigned long rate,
+- unsigned long *parent_rate)
++static long at91sam9x5_clk_usb_determine_rate(struct clk_hw *hw,
++ unsigned long rate,
++ unsigned long min_rate,
++ unsigned long max_rate,
++ unsigned long *best_parent_rate,
++ struct clk_hw **best_parent_hw)
+ {
+- unsigned long div;
++ struct clk *parent = NULL;
++ long best_rate = -EINVAL;
++ unsigned long tmp_rate;
++ int best_diff = -1;
++ int tmp_diff;
++ int i;
+
+- if (!rate)
+- return -EINVAL;
++ for (i = 0; i < __clk_get_num_parents(hw->clk); i++) {
++ int div;
+
+- if (rate >= *parent_rate)
+- return *parent_rate;
++ parent = clk_get_parent_by_index(hw->clk, i);
++ if (!parent)
++ continue;
++
++ for (div = 1; div < SAM9X5_USB_MAX_DIV + 2; div++) {
++ unsigned long tmp_parent_rate;
++
++ tmp_parent_rate = rate * div;
++ tmp_parent_rate = __clk_round_rate(parent,
++ tmp_parent_rate);
++ tmp_rate = DIV_ROUND_CLOSEST(tmp_parent_rate, div);
++ if (tmp_rate < rate)
++ tmp_diff = rate - tmp_rate;
++ else
++ tmp_diff = tmp_rate - rate;
++
++ if (best_diff < 0 || best_diff > tmp_diff) {
++ best_rate = tmp_rate;
++ best_diff = tmp_diff;
++ *best_parent_rate = tmp_parent_rate;
++ *best_parent_hw = __clk_get_hw(parent);
++ }
++
++ if (!best_diff || tmp_rate < rate)
++ break;
++ }
+
+- div = DIV_ROUND_CLOSEST(*parent_rate, rate);
+- if (div > SAM9X5_USB_MAX_DIV + 1)
+- div = SAM9X5_USB_MAX_DIV + 1;
++ if (!best_diff)
++ break;
++ }
+
+- return DIV_ROUND_CLOSEST(*parent_rate, div);
++ return best_rate;
+ }
+
+ static int at91sam9x5_clk_usb_set_parent(struct clk_hw *hw, u8 index)
+@@ -121,7 +154,7 @@ static int at91sam9x5_clk_usb_set_rate(struct clk_hw *hw, unsigned long rate,
+
+ static const struct clk_ops at91sam9x5_usb_ops = {
+ .recalc_rate = at91sam9x5_clk_usb_recalc_rate,
+- .round_rate = at91sam9x5_clk_usb_round_rate,
++ .determine_rate = at91sam9x5_clk_usb_determine_rate,
+ .get_parent = at91sam9x5_clk_usb_get_parent,
+ .set_parent = at91sam9x5_clk_usb_set_parent,
+ .set_rate = at91sam9x5_clk_usb_set_rate,
+@@ -159,7 +192,7 @@ static const struct clk_ops at91sam9n12_usb_ops = {
+ .disable = at91sam9n12_clk_usb_disable,
+ .is_enabled = at91sam9n12_clk_usb_is_enabled,
+ .recalc_rate = at91sam9x5_clk_usb_recalc_rate,
+- .round_rate = at91sam9x5_clk_usb_round_rate,
++ .determine_rate = at91sam9x5_clk_usb_determine_rate,
+ .set_rate = at91sam9x5_clk_usb_set_rate,
+ };
+
+@@ -179,7 +212,8 @@ at91sam9x5_clk_register_usb(struct at91_pmc *pmc, const char *name,
+ init.ops = &at91sam9x5_usb_ops;
+ init.parent_names = parent_names;
+ init.num_parents = num_parents;
+- init.flags = CLK_SET_RATE_GATE | CLK_SET_PARENT_GATE;
++ init.flags = CLK_SET_RATE_GATE | CLK_SET_PARENT_GATE |
++ CLK_SET_RATE_PARENT;
+
+ usb->hw.init = &init;
+ usb->pmc = pmc;
+@@ -207,7 +241,7 @@ at91sam9n12_clk_register_usb(struct at91_pmc *pmc, const char *name,
+ init.ops = &at91sam9n12_usb_ops;
+ init.parent_names = &parent_name;
+ init.num_parents = 1;
+- init.flags = CLK_SET_RATE_GATE;
++ init.flags = CLK_SET_RATE_GATE | CLK_SET_RATE_PARENT;
+
+ usb->hw.init = &init;
+ usb->pmc = pmc;
+diff --git a/drivers/clk/qcom/clk-rcg.c b/drivers/clk/qcom/clk-rcg.c
+index 0039bd7..466f30c 100644
+--- a/drivers/clk/qcom/clk-rcg.c
++++ b/drivers/clk/qcom/clk-rcg.c
+@@ -495,6 +495,57 @@ static int clk_rcg_bypass_set_rate(struct clk_hw *hw, unsigned long rate,
+ return __clk_rcg_set_rate(rcg, rcg->freq_tbl);
+ }
+
++/*
++ * This type of clock has a glitch-free mux that switches between the output of
++ * the M/N counter and an always on clock source (XO). When clk_set_rate() is
++ * called we need to make sure that we don't switch to the M/N counter if it
++ * isn't clocking because the mux will get stuck and the clock will stop
++ * outputting a clock. This can happen if the framework isn't aware that this
++ * clock is on and so clk_set_rate() doesn't turn on the new parent. To fix
++ * this we switch the mux in the enable/disable ops and reprogram the M/N
++ * counter in the set_rate op. We also make sure to switch away from the M/N
++ * counter in set_rate if software thinks the clock is off.
++ */
++static int clk_rcg_lcc_set_rate(struct clk_hw *hw, unsigned long rate,
++ unsigned long parent_rate)
++{
++ struct clk_rcg *rcg = to_clk_rcg(hw);
++ const struct freq_tbl *f;
++ int ret;
++ u32 gfm = BIT(10);
++
++ f = qcom_find_freq(rcg->freq_tbl, rate);
++ if (!f)
++ return -EINVAL;
++
++ /* Switch to XO to avoid glitches */
++ regmap_update_bits(rcg->clkr.regmap, rcg->ns_reg, gfm, 0);
++ ret = __clk_rcg_set_rate(rcg, f);
++ /* Switch back to M/N if it's clocking */
++ if (__clk_is_enabled(hw->clk))
++ regmap_update_bits(rcg->clkr.regmap, rcg->ns_reg, gfm, gfm);
++
++ return ret;
++}
++
++static int clk_rcg_lcc_enable(struct clk_hw *hw)
++{
++ struct clk_rcg *rcg = to_clk_rcg(hw);
++ u32 gfm = BIT(10);
++
++ /* Use M/N */
++ return regmap_update_bits(rcg->clkr.regmap, rcg->ns_reg, gfm, gfm);
++}
++
++static void clk_rcg_lcc_disable(struct clk_hw *hw)
++{
++ struct clk_rcg *rcg = to_clk_rcg(hw);
++ u32 gfm = BIT(10);
++
++ /* Use XO */
++ regmap_update_bits(rcg->clkr.regmap, rcg->ns_reg, gfm, 0);
++}
++
+ static int __clk_dyn_rcg_set_rate(struct clk_hw *hw, unsigned long rate)
+ {
+ struct clk_dyn_rcg *rcg = to_clk_dyn_rcg(hw);
+@@ -543,6 +594,17 @@ const struct clk_ops clk_rcg_bypass_ops = {
+ };
+ EXPORT_SYMBOL_GPL(clk_rcg_bypass_ops);
+
++const struct clk_ops clk_rcg_lcc_ops = {
++ .enable = clk_rcg_lcc_enable,
++ .disable = clk_rcg_lcc_disable,
++ .get_parent = clk_rcg_get_parent,
++ .set_parent = clk_rcg_set_parent,
++ .recalc_rate = clk_rcg_recalc_rate,
++ .determine_rate = clk_rcg_determine_rate,
++ .set_rate = clk_rcg_lcc_set_rate,
++};
++EXPORT_SYMBOL_GPL(clk_rcg_lcc_ops);
++
+ const struct clk_ops clk_dyn_rcg_ops = {
+ .enable = clk_enable_regmap,
+ .is_enabled = clk_is_enabled_regmap,
+diff --git a/drivers/clk/qcom/clk-rcg.h b/drivers/clk/qcom/clk-rcg.h
+index 687e41f..d09d06b 100644
+--- a/drivers/clk/qcom/clk-rcg.h
++++ b/drivers/clk/qcom/clk-rcg.h
+@@ -96,6 +96,7 @@ struct clk_rcg {
+
+ extern const struct clk_ops clk_rcg_ops;
+ extern const struct clk_ops clk_rcg_bypass_ops;
++extern const struct clk_ops clk_rcg_lcc_ops;
+
+ #define to_clk_rcg(_hw) container_of(to_clk_regmap(_hw), struct clk_rcg, clkr)
+
+diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c
+index 742acfa..381f274 100644
+--- a/drivers/clk/qcom/clk-rcg2.c
++++ b/drivers/clk/qcom/clk-rcg2.c
+@@ -243,7 +243,7 @@ static int clk_rcg2_configure(struct clk_rcg2 *rcg, const struct freq_tbl *f)
+ mask |= CFG_SRC_SEL_MASK | CFG_MODE_MASK;
+ cfg = f->pre_div << CFG_SRC_DIV_SHIFT;
+ cfg |= rcg->parent_map[f->src] << CFG_SRC_SEL_SHIFT;
+- if (rcg->mnd_width && f->n)
++ if (rcg->mnd_width && f->n && (f->m != f->n))
+ cfg |= CFG_MODE_DUAL_EDGE;
+ ret = regmap_update_bits(rcg->clkr.regmap,
+ rcg->cmd_rcgr + CFG_REG, mask, cfg);
+diff --git a/drivers/clk/qcom/gcc-ipq806x.c b/drivers/clk/qcom/gcc-ipq806x.c
+index cbdc31d..a015bb0 100644
+--- a/drivers/clk/qcom/gcc-ipq806x.c
++++ b/drivers/clk/qcom/gcc-ipq806x.c
+@@ -525,8 +525,8 @@ static struct freq_tbl clk_tbl_gsbi_qup[] = {
+ { 10800000, P_PXO, 1, 2, 5 },
+ { 15060000, P_PLL8, 1, 2, 51 },
+ { 24000000, P_PLL8, 4, 1, 4 },
++ { 25000000, P_PXO, 1, 0, 0 },
+ { 25600000, P_PLL8, 1, 1, 15 },
+- { 27000000, P_PXO, 1, 0, 0 },
+ { 48000000, P_PLL8, 4, 1, 2 },
+ { 51200000, P_PLL8, 1, 2, 15 },
+ { }
+diff --git a/drivers/clk/qcom/lcc-ipq806x.c b/drivers/clk/qcom/lcc-ipq806x.c
+index c9ff27b..a6d3a67 100644
+--- a/drivers/clk/qcom/lcc-ipq806x.c
++++ b/drivers/clk/qcom/lcc-ipq806x.c
+@@ -294,14 +294,14 @@ static struct clk_regmap_mux pcm_clk = {
+ };
+
+ static struct freq_tbl clk_tbl_aif_osr[] = {
+- { 22050, P_PLL4, 1, 147, 20480 },
+- { 32000, P_PLL4, 1, 1, 96 },
+- { 44100, P_PLL4, 1, 147, 10240 },
+- { 48000, P_PLL4, 1, 1, 64 },
+- { 88200, P_PLL4, 1, 147, 5120 },
+- { 96000, P_PLL4, 1, 1, 32 },
+- { 176400, P_PLL4, 1, 147, 2560 },
+- { 192000, P_PLL4, 1, 1, 16 },
++ { 2822400, P_PLL4, 1, 147, 20480 },
++ { 4096000, P_PLL4, 1, 1, 96 },
++ { 5644800, P_PLL4, 1, 147, 10240 },
++ { 6144000, P_PLL4, 1, 1, 64 },
++ { 11289600, P_PLL4, 1, 147, 5120 },
++ { 12288000, P_PLL4, 1, 1, 32 },
++ { 22579200, P_PLL4, 1, 147, 2560 },
++ { 24576000, P_PLL4, 1, 1, 16 },
+ { },
+ };
+
+@@ -360,7 +360,7 @@ static struct clk_branch spdif_clk = {
+ };
+
+ static struct freq_tbl clk_tbl_ahbix[] = {
+- { 131072, P_PLL4, 1, 1, 3 },
++ { 131072000, P_PLL4, 1, 1, 3 },
+ { },
+ };
+
+@@ -386,13 +386,12 @@ static struct clk_rcg ahbix_clk = {
+ .freq_tbl = clk_tbl_ahbix,
+ .clkr = {
+ .enable_reg = 0x38,
+- .enable_mask = BIT(10), /* toggle the gfmux to select mn/pxo */
++ .enable_mask = BIT(11),
+ .hw.init = &(struct clk_init_data){
+ .name = "ahbix",
+ .parent_names = lcc_pxo_pll4,
+ .num_parents = 2,
+- .ops = &clk_rcg_ops,
+- .flags = CLK_SET_RATE_GATE,
++ .ops = &clk_rcg_lcc_ops,
+ },
+ },
+ };
+diff --git a/drivers/clk/samsung/clk-exynos4.c b/drivers/clk/samsung/clk-exynos4.c
+index 51462e8..714d6ba 100644
+--- a/drivers/clk/samsung/clk-exynos4.c
++++ b/drivers/clk/samsung/clk-exynos4.c
+@@ -1354,7 +1354,7 @@ static struct samsung_pll_clock exynos4x12_plls[nr_plls] __initdata = {
+ VPLL_LOCK, VPLL_CON0, NULL),
+ };
+
+-static void __init exynos4_core_down_clock(enum exynos4_soc soc)
++static void __init exynos4x12_core_down_clock(void)
+ {
+ unsigned int tmp;
+
+@@ -1373,11 +1373,9 @@ static void __init exynos4_core_down_clock(enum exynos4_soc soc)
+ __raw_writel(tmp, reg_base + PWR_CTRL1);
+
+ /*
+- * Disable the clock up feature on Exynos4x12, in case it was
+- * enabled by bootloader.
++ * Disable the clock up feature in case it was enabled by bootloader.
+ */
+- if (exynos4_soc == EXYNOS4X12)
+- __raw_writel(0x0, reg_base + E4X12_PWR_CTRL2);
++ __raw_writel(0x0, reg_base + E4X12_PWR_CTRL2);
+ }
+
+ /* register exynos4 clocks */
+@@ -1474,7 +1472,8 @@ static void __init exynos4_clk_init(struct device_node *np,
+ samsung_clk_register_alias(ctx, exynos4_aliases,
+ ARRAY_SIZE(exynos4_aliases));
+
+- exynos4_core_down_clock(soc);
++ if (soc == EXYNOS4X12)
++ exynos4x12_core_down_clock();
+ exynos4_clk_sleep_init();
+
+ samsung_clk_of_add_provider(np, ctx);
+diff --git a/drivers/clk/tegra/clk-tegra124.c b/drivers/clk/tegra/clk-tegra124.c
+index 9a893f2..23ce0af 100644
+--- a/drivers/clk/tegra/clk-tegra124.c
++++ b/drivers/clk/tegra/clk-tegra124.c
+@@ -1110,16 +1110,18 @@ static __init void tegra124_periph_clk_init(void __iomem *clk_base,
+ 1, 2);
+ clks[TEGRA124_CLK_XUSB_SS_DIV2] = clk;
+
+- clk = clk_register_gate(NULL, "plld_dsi", "plld_out0", 0,
++ clk = clk_register_gate(NULL, "pll_d_dsi_out", "pll_d_out0", 0,
+ clk_base + PLLD_MISC, 30, 0, &pll_d_lock);
+- clks[TEGRA124_CLK_PLLD_DSI] = clk;
++ clks[TEGRA124_CLK_PLL_D_DSI_OUT] = clk;
+
+- clk = tegra_clk_register_periph_gate("dsia", "plld_dsi", 0, clk_base,
+- 0, 48, periph_clk_enb_refcnt);
++ clk = tegra_clk_register_periph_gate("dsia", "pll_d_dsi_out", 0,
++ clk_base, 0, 48,
++ periph_clk_enb_refcnt);
+ clks[TEGRA124_CLK_DSIA] = clk;
+
+- clk = tegra_clk_register_periph_gate("dsib", "plld_dsi", 0, clk_base,
+- 0, 82, periph_clk_enb_refcnt);
++ clk = tegra_clk_register_periph_gate("dsib", "pll_d_dsi_out", 0,
++ clk_base, 0, 82,
++ periph_clk_enb_refcnt);
+ clks[TEGRA124_CLK_DSIB] = clk;
+
+ /* emc mux */
+diff --git a/drivers/clk/tegra/clk.c b/drivers/clk/tegra/clk.c
+index 9ddb754..7a1df61 100644
+--- a/drivers/clk/tegra/clk.c
++++ b/drivers/clk/tegra/clk.c
+@@ -272,7 +272,7 @@ void __init tegra_add_of_provider(struct device_node *np)
+ of_clk_add_provider(np, of_clk_src_onecell_get, &clk_data);
+
+ rst_ctlr.of_node = np;
+- rst_ctlr.nr_resets = clk_num * 32;
++ rst_ctlr.nr_resets = periph_banks * 32;
+ reset_controller_register(&rst_ctlr);
+ }
+
+diff --git a/drivers/crypto/omap-aes.c b/drivers/crypto/omap-aes.c
+index 42f95a4..9a28b7e 100644
+--- a/drivers/crypto/omap-aes.c
++++ b/drivers/crypto/omap-aes.c
+@@ -554,15 +554,23 @@ static int omap_aes_crypt_dma_stop(struct omap_aes_dev *dd)
+ return err;
+ }
+
+-static int omap_aes_check_aligned(struct scatterlist *sg)
++static int omap_aes_check_aligned(struct scatterlist *sg, int total)
+ {
++ int len = 0;
++
+ while (sg) {
+ if (!IS_ALIGNED(sg->offset, 4))
+ return -1;
+ if (!IS_ALIGNED(sg->length, AES_BLOCK_SIZE))
+ return -1;
++
++ len += sg->length;
+ sg = sg_next(sg);
+ }
++
++ if (len != total)
++ return -1;
++
+ return 0;
+ }
+
+@@ -633,8 +641,8 @@ static int omap_aes_handle_queue(struct omap_aes_dev *dd,
+ dd->in_sg = req->src;
+ dd->out_sg = req->dst;
+
+- if (omap_aes_check_aligned(dd->in_sg) ||
+- omap_aes_check_aligned(dd->out_sg)) {
++ if (omap_aes_check_aligned(dd->in_sg, dd->total) ||
++ omap_aes_check_aligned(dd->out_sg, dd->total)) {
+ if (omap_aes_copy_sgs(dd))
+ pr_err("Failed to copy SGs for unaligned cases\n");
+ dd->sgs_copied = 1;
+diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c
+index d0bc123..1a54205 100644
+--- a/drivers/gpio/gpio-mvebu.c
++++ b/drivers/gpio/gpio-mvebu.c
+@@ -320,11 +320,13 @@ static void mvebu_gpio_edge_irq_mask(struct irq_data *d)
+ {
+ struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
+ struct mvebu_gpio_chip *mvchip = gc->private;
++ struct irq_chip_type *ct = irq_data_get_chip_type(d);
+ u32 mask = 1 << (d->irq - gc->irq_base);
+
+ irq_gc_lock(gc);
+- gc->mask_cache &= ~mask;
+- writel_relaxed(gc->mask_cache, mvebu_gpioreg_edge_mask(mvchip));
++ ct->mask_cache_priv &= ~mask;
++
++ writel_relaxed(ct->mask_cache_priv, mvebu_gpioreg_edge_mask(mvchip));
+ irq_gc_unlock(gc);
+ }
+
+@@ -332,11 +334,13 @@ static void mvebu_gpio_edge_irq_unmask(struct irq_data *d)
+ {
+ struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
+ struct mvebu_gpio_chip *mvchip = gc->private;
++ struct irq_chip_type *ct = irq_data_get_chip_type(d);
++
+ u32 mask = 1 << (d->irq - gc->irq_base);
+
+ irq_gc_lock(gc);
+- gc->mask_cache |= mask;
+- writel_relaxed(gc->mask_cache, mvebu_gpioreg_edge_mask(mvchip));
++ ct->mask_cache_priv |= mask;
++ writel_relaxed(ct->mask_cache_priv, mvebu_gpioreg_edge_mask(mvchip));
+ irq_gc_unlock(gc);
+ }
+
+@@ -344,11 +348,13 @@ static void mvebu_gpio_level_irq_mask(struct irq_data *d)
+ {
+ struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
+ struct mvebu_gpio_chip *mvchip = gc->private;
++ struct irq_chip_type *ct = irq_data_get_chip_type(d);
++
+ u32 mask = 1 << (d->irq - gc->irq_base);
+
+ irq_gc_lock(gc);
+- gc->mask_cache &= ~mask;
+- writel_relaxed(gc->mask_cache, mvebu_gpioreg_level_mask(mvchip));
++ ct->mask_cache_priv &= ~mask;
++ writel_relaxed(ct->mask_cache_priv, mvebu_gpioreg_level_mask(mvchip));
+ irq_gc_unlock(gc);
+ }
+
+@@ -356,11 +362,13 @@ static void mvebu_gpio_level_irq_unmask(struct irq_data *d)
+ {
+ struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
+ struct mvebu_gpio_chip *mvchip = gc->private;
++ struct irq_chip_type *ct = irq_data_get_chip_type(d);
++
+ u32 mask = 1 << (d->irq - gc->irq_base);
+
+ irq_gc_lock(gc);
+- gc->mask_cache |= mask;
+- writel_relaxed(gc->mask_cache, mvebu_gpioreg_level_mask(mvchip));
++ ct->mask_cache_priv |= mask;
++ writel_relaxed(ct->mask_cache_priv, mvebu_gpioreg_level_mask(mvchip));
+ irq_gc_unlock(gc);
+ }
+
+diff --git a/drivers/gpu/drm/exynos/exynos_dp_core.c b/drivers/gpu/drm/exynos/exynos_dp_core.c
+index bf17a60..1dbfba5 100644
+--- a/drivers/gpu/drm/exynos/exynos_dp_core.c
++++ b/drivers/gpu/drm/exynos/exynos_dp_core.c
+@@ -32,10 +32,16 @@
+ #include <drm/bridge/ptn3460.h>
+
+ #include "exynos_dp_core.h"
++#include "exynos_drm_fimd.h"
+
+ #define ctx_from_connector(c) container_of(c, struct exynos_dp_device, \
+ connector)
+
++static inline struct exynos_drm_crtc *dp_to_crtc(struct exynos_dp_device *dp)
++{
++ return to_exynos_crtc(dp->encoder->crtc);
++}
++
+ static inline struct exynos_dp_device *
+ display_to_dp(struct exynos_drm_display *d)
+ {
+@@ -1070,6 +1076,8 @@ static void exynos_dp_poweron(struct exynos_dp_device *dp)
+ }
+ }
+
++ fimd_dp_clock_enable(dp_to_crtc(dp), true);
++
+ clk_prepare_enable(dp->clock);
+ exynos_dp_phy_init(dp);
+ exynos_dp_init_dp(dp);
+@@ -1094,6 +1102,8 @@ static void exynos_dp_poweroff(struct exynos_dp_device *dp)
+ exynos_dp_phy_exit(dp);
+ clk_disable_unprepare(dp->clock);
+
++ fimd_dp_clock_enable(dp_to_crtc(dp), false);
++
+ if (dp->panel) {
+ if (drm_panel_unprepare(dp->panel))
+ DRM_ERROR("failed to turnoff the panel\n");
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_fimd.c b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
+index 33a10ce..5d58f6c 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_fimd.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
+@@ -32,6 +32,7 @@
+ #include "exynos_drm_fbdev.h"
+ #include "exynos_drm_crtc.h"
+ #include "exynos_drm_iommu.h"
++#include "exynos_drm_fimd.h"
+
+ /*
+ * FIMD stands for Fully Interactive Mobile Display and
+@@ -1233,6 +1234,24 @@ static int fimd_remove(struct platform_device *pdev)
+ return 0;
+ }
+
++void fimd_dp_clock_enable(struct exynos_drm_crtc *crtc, bool enable)
++{
++ struct fimd_context *ctx = crtc->ctx;
++ u32 val;
++
++ /*
++ * Only Exynos 5250, 5260, 5410 and 542x requires enabling DP/MIE
++ * clock. On these SoCs the bootloader may enable it but any
++ * power domain off/on will reset it to disable state.
++ */
++ if (ctx->driver_data != &exynos5_fimd_driver_data)
++ return;
++
++ val = enable ? DP_MIE_CLK_DP_ENABLE : DP_MIE_CLK_DISABLE;
++ writel(DP_MIE_CLK_DP_ENABLE, ctx->regs + DP_MIE_CLKCON);
++}
++EXPORT_SYMBOL_GPL(fimd_dp_clock_enable);
++
+ struct platform_driver fimd_driver = {
+ .probe = fimd_probe,
+ .remove = fimd_remove,
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_fimd.h b/drivers/gpu/drm/exynos/exynos_drm_fimd.h
+new file mode 100644
+index 0000000..b4fcaa5
+--- /dev/null
++++ b/drivers/gpu/drm/exynos/exynos_drm_fimd.h
+@@ -0,0 +1,15 @@
++/*
++ * Copyright (c) 2015 Samsung Electronics Co., Ltd.
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by the
++ * Free Software Foundation; either version 2 of the License, or (at your
++ * option) any later version.
++ */
++
++#ifndef _EXYNOS_DRM_FIMD_H_
++#define _EXYNOS_DRM_FIMD_H_
++
++extern void fimd_dp_clock_enable(struct exynos_drm_crtc *crtc, bool enable);
++
++#endif /* _EXYNOS_DRM_FIMD_H_ */
+diff --git a/drivers/gpu/drm/i2c/adv7511.c b/drivers/gpu/drm/i2c/adv7511.c
+index fa140e0..60ab1f7 100644
+--- a/drivers/gpu/drm/i2c/adv7511.c
++++ b/drivers/gpu/drm/i2c/adv7511.c
+@@ -33,6 +33,7 @@ struct adv7511 {
+
+ unsigned int current_edid_segment;
+ uint8_t edid_buf[256];
++ bool edid_read;
+
+ wait_queue_head_t wq;
+ struct drm_encoder *encoder;
+@@ -379,69 +380,71 @@ static bool adv7511_hpd(struct adv7511 *adv7511)
+ return false;
+ }
+
+-static irqreturn_t adv7511_irq_handler(int irq, void *devid)
+-{
+- struct adv7511 *adv7511 = devid;
+-
+- if (adv7511_hpd(adv7511))
+- drm_helper_hpd_irq_event(adv7511->encoder->dev);
+-
+- wake_up_all(&adv7511->wq);
+-
+- return IRQ_HANDLED;
+-}
+-
+-static unsigned int adv7511_is_interrupt_pending(struct adv7511 *adv7511,
+- unsigned int irq)
++static int adv7511_irq_process(struct adv7511 *adv7511)
+ {
+ unsigned int irq0, irq1;
+- unsigned int pending;
+ int ret;
+
+ ret = regmap_read(adv7511->regmap, ADV7511_REG_INT(0), &irq0);
+ if (ret < 0)
+- return 0;
++ return ret;
++
+ ret = regmap_read(adv7511->regmap, ADV7511_REG_INT(1), &irq1);
+ if (ret < 0)
+- return 0;
++ return ret;
++
++ regmap_write(adv7511->regmap, ADV7511_REG_INT(0), irq0);
++ regmap_write(adv7511->regmap, ADV7511_REG_INT(1), irq1);
++
++ if (irq0 & ADV7511_INT0_HDP)
++ drm_helper_hpd_irq_event(adv7511->encoder->dev);
++
++ if (irq0 & ADV7511_INT0_EDID_READY || irq1 & ADV7511_INT1_DDC_ERROR) {
++ adv7511->edid_read = true;
++
++ if (adv7511->i2c_main->irq)
++ wake_up_all(&adv7511->wq);
++ }
++
++ return 0;
++}
+
+- pending = (irq1 << 8) | irq0;
++static irqreturn_t adv7511_irq_handler(int irq, void *devid)
++{
++ struct adv7511 *adv7511 = devid;
++ int ret;
+
+- return pending & irq;
++ ret = adv7511_irq_process(adv7511);
++ return ret < 0 ? IRQ_NONE : IRQ_HANDLED;
+ }
+
+-static int adv7511_wait_for_interrupt(struct adv7511 *adv7511, int irq,
+- int timeout)
++/* -----------------------------------------------------------------------------
++ * EDID retrieval
++ */
++
++static int adv7511_wait_for_edid(struct adv7511 *adv7511, int timeout)
+ {
+- unsigned int pending;
+ int ret;
+
+ if (adv7511->i2c_main->irq) {
+ ret = wait_event_interruptible_timeout(adv7511->wq,
+- adv7511_is_interrupt_pending(adv7511, irq),
+- msecs_to_jiffies(timeout));
+- if (ret <= 0)
+- return 0;
+- pending = adv7511_is_interrupt_pending(adv7511, irq);
++ adv7511->edid_read, msecs_to_jiffies(timeout));
+ } else {
+- if (timeout < 25)
+- timeout = 25;
+- do {
+- pending = adv7511_is_interrupt_pending(adv7511, irq);
+- if (pending)
++ for (; timeout > 0; timeout -= 25) {
++ ret = adv7511_irq_process(adv7511);
++ if (ret < 0)
+ break;
++
++ if (adv7511->edid_read)
++ break;
++
+ msleep(25);
+- timeout -= 25;
+- } while (timeout >= 25);
++ }
+ }
+
+- return pending;
++ return adv7511->edid_read ? 0 : -EIO;
+ }
+
+-/* -----------------------------------------------------------------------------
+- * EDID retrieval
+- */
+-
+ static int adv7511_get_edid_block(void *data, u8 *buf, unsigned int block,
+ size_t len)
+ {
+@@ -463,19 +466,14 @@ static int adv7511_get_edid_block(void *data, u8 *buf, unsigned int block,
+ return ret;
+
+ if (status != 2) {
++ adv7511->edid_read = false;
+ regmap_write(adv7511->regmap, ADV7511_REG_EDID_SEGMENT,
+ block);
+- ret = adv7511_wait_for_interrupt(adv7511,
+- ADV7511_INT0_EDID_READY |
+- ADV7511_INT1_DDC_ERROR, 200);
+-
+- if (!(ret & ADV7511_INT0_EDID_READY))
+- return -EIO;
++ ret = adv7511_wait_for_edid(adv7511, 200);
++ if (ret < 0)
++ return ret;
+ }
+
+- regmap_write(adv7511->regmap, ADV7511_REG_INT(0),
+- ADV7511_INT0_EDID_READY | ADV7511_INT1_DDC_ERROR);
+-
+ /* Break this apart, hopefully more I2C controllers will
+ * support 64 byte transfers than 256 byte transfers
+ */
+@@ -528,7 +526,9 @@ static int adv7511_get_modes(struct drm_encoder *encoder,
+ /* Reading the EDID only works if the device is powered */
+ if (adv7511->dpms_mode != DRM_MODE_DPMS_ON) {
+ regmap_write(adv7511->regmap, ADV7511_REG_INT(0),
+- ADV7511_INT0_EDID_READY | ADV7511_INT1_DDC_ERROR);
++ ADV7511_INT0_EDID_READY);
++ regmap_write(adv7511->regmap, ADV7511_REG_INT(1),
++ ADV7511_INT1_DDC_ERROR);
+ regmap_update_bits(adv7511->regmap, ADV7511_REG_POWER,
+ ADV7511_POWER_POWER_DOWN, 0);
+ adv7511->current_edid_segment = -1;
+@@ -563,7 +563,9 @@ static void adv7511_encoder_dpms(struct drm_encoder *encoder, int mode)
+ adv7511->current_edid_segment = -1;
+
+ regmap_write(adv7511->regmap, ADV7511_REG_INT(0),
+- ADV7511_INT0_EDID_READY | ADV7511_INT1_DDC_ERROR);
++ ADV7511_INT0_EDID_READY);
++ regmap_write(adv7511->regmap, ADV7511_REG_INT(1),
++ ADV7511_INT1_DDC_ERROR);
+ regmap_update_bits(adv7511->regmap, ADV7511_REG_POWER,
+ ADV7511_POWER_POWER_DOWN, 0);
+ /*
+diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c
+index 5c66b56..ec4d932 100644
+--- a/drivers/gpu/drm/i915/i915_drv.c
++++ b/drivers/gpu/drm/i915/i915_drv.c
+@@ -1042,7 +1042,7 @@ static void vlv_save_gunit_s0ix_state(struct drm_i915_private *dev_priv)
+ s->lra_limits[i] = I915_READ(GEN7_LRA_LIMITS_BASE + i * 4);
+
+ s->media_max_req_count = I915_READ(GEN7_MEDIA_MAX_REQ_COUNT);
+- s->gfx_max_req_count = I915_READ(GEN7_MEDIA_MAX_REQ_COUNT);
++ s->gfx_max_req_count = I915_READ(GEN7_GFX_MAX_REQ_COUNT);
+
+ s->render_hwsp = I915_READ(RENDER_HWS_PGA_GEN7);
+ s->ecochk = I915_READ(GAM_ECOCHK);
+@@ -1124,7 +1124,7 @@ static void vlv_restore_gunit_s0ix_state(struct drm_i915_private *dev_priv)
+ I915_WRITE(GEN7_LRA_LIMITS_BASE + i * 4, s->lra_limits[i]);
+
+ I915_WRITE(GEN7_MEDIA_MAX_REQ_COUNT, s->media_max_req_count);
+- I915_WRITE(GEN7_MEDIA_MAX_REQ_COUNT, s->gfx_max_req_count);
++ I915_WRITE(GEN7_GFX_MAX_REQ_COUNT, s->gfx_max_req_count);
+
+ I915_WRITE(RENDER_HWS_PGA_GEN7, s->render_hwsp);
+ I915_WRITE(GAM_ECOCHK, s->ecochk);
+diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
+index ede5bbb..07320cb 100644
+--- a/drivers/gpu/drm/i915/i915_irq.c
++++ b/drivers/gpu/drm/i915/i915_irq.c
+@@ -3718,14 +3718,12 @@ static int i8xx_irq_postinstall(struct drm_device *dev)
+ ~(I915_DISPLAY_PIPE_A_EVENT_INTERRUPT |
+ I915_DISPLAY_PIPE_B_EVENT_INTERRUPT |
+ I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT |
+- I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT |
+- I915_RENDER_COMMAND_PARSER_ERROR_INTERRUPT);
++ I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT);
+ I915_WRITE16(IMR, dev_priv->irq_mask);
+
+ I915_WRITE16(IER,
+ I915_DISPLAY_PIPE_A_EVENT_INTERRUPT |
+ I915_DISPLAY_PIPE_B_EVENT_INTERRUPT |
+- I915_RENDER_COMMAND_PARSER_ERROR_INTERRUPT |
+ I915_USER_INTERRUPT);
+ POSTING_READ16(IER);
+
+@@ -3887,14 +3885,12 @@ static int i915_irq_postinstall(struct drm_device *dev)
+ I915_DISPLAY_PIPE_A_EVENT_INTERRUPT |
+ I915_DISPLAY_PIPE_B_EVENT_INTERRUPT |
+ I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT |
+- I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT |
+- I915_RENDER_COMMAND_PARSER_ERROR_INTERRUPT);
++ I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT);
+
+ enable_mask =
+ I915_ASLE_INTERRUPT |
+ I915_DISPLAY_PIPE_A_EVENT_INTERRUPT |
+ I915_DISPLAY_PIPE_B_EVENT_INTERRUPT |
+- I915_RENDER_COMMAND_PARSER_ERROR_INTERRUPT |
+ I915_USER_INTERRUPT;
+
+ if (I915_HAS_HOTPLUG(dev)) {
+diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
+index 33b3d0a2..f536ff2 100644
+--- a/drivers/gpu/drm/i915/i915_reg.h
++++ b/drivers/gpu/drm/i915/i915_reg.h
+@@ -1740,6 +1740,7 @@ enum punit_power_well {
+ #define GMBUS_CYCLE_INDEX (2<<25)
+ #define GMBUS_CYCLE_STOP (4<<25)
+ #define GMBUS_BYTE_COUNT_SHIFT 16
++#define GMBUS_BYTE_COUNT_MAX 256U
+ #define GMBUS_SLAVE_INDEX_SHIFT 8
+ #define GMBUS_SLAVE_ADDR_SHIFT 1
+ #define GMBUS_SLAVE_READ (1<<0)
+diff --git a/drivers/gpu/drm/i915/intel_i2c.c b/drivers/gpu/drm/i915/intel_i2c.c
+index b31088a..56e437e 100644
+--- a/drivers/gpu/drm/i915/intel_i2c.c
++++ b/drivers/gpu/drm/i915/intel_i2c.c
+@@ -270,18 +270,17 @@ gmbus_wait_idle(struct drm_i915_private *dev_priv)
+ }
+
+ static int
+-gmbus_xfer_read(struct drm_i915_private *dev_priv, struct i2c_msg *msg,
+- u32 gmbus1_index)
++gmbus_xfer_read_chunk(struct drm_i915_private *dev_priv,
++ unsigned short addr, u8 *buf, unsigned int len,
++ u32 gmbus1_index)
+ {
+ int reg_offset = dev_priv->gpio_mmio_base;
+- u16 len = msg->len;
+- u8 *buf = msg->buf;
+
+ I915_WRITE(GMBUS1 + reg_offset,
+ gmbus1_index |
+ GMBUS_CYCLE_WAIT |
+ (len << GMBUS_BYTE_COUNT_SHIFT) |
+- (msg->addr << GMBUS_SLAVE_ADDR_SHIFT) |
++ (addr << GMBUS_SLAVE_ADDR_SHIFT) |
+ GMBUS_SLAVE_READ | GMBUS_SW_RDY);
+ while (len) {
+ int ret;
+@@ -303,11 +302,35 @@ gmbus_xfer_read(struct drm_i915_private *dev_priv, struct i2c_msg *msg,
+ }
+
+ static int
+-gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg)
++gmbus_xfer_read(struct drm_i915_private *dev_priv, struct i2c_msg *msg,
++ u32 gmbus1_index)
+ {
+- int reg_offset = dev_priv->gpio_mmio_base;
+- u16 len = msg->len;
+ u8 *buf = msg->buf;
++ unsigned int rx_size = msg->len;
++ unsigned int len;
++ int ret;
++
++ do {
++ len = min(rx_size, GMBUS_BYTE_COUNT_MAX);
++
++ ret = gmbus_xfer_read_chunk(dev_priv, msg->addr,
++ buf, len, gmbus1_index);
++ if (ret)
++ return ret;
++
++ rx_size -= len;
++ buf += len;
++ } while (rx_size != 0);
++
++ return 0;
++}
++
++static int
++gmbus_xfer_write_chunk(struct drm_i915_private *dev_priv,
++ unsigned short addr, u8 *buf, unsigned int len)
++{
++ int reg_offset = dev_priv->gpio_mmio_base;
++ unsigned int chunk_size = len;
+ u32 val, loop;
+
+ val = loop = 0;
+@@ -319,8 +342,8 @@ gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg)
+ I915_WRITE(GMBUS3 + reg_offset, val);
+ I915_WRITE(GMBUS1 + reg_offset,
+ GMBUS_CYCLE_WAIT |
+- (msg->len << GMBUS_BYTE_COUNT_SHIFT) |
+- (msg->addr << GMBUS_SLAVE_ADDR_SHIFT) |
++ (chunk_size << GMBUS_BYTE_COUNT_SHIFT) |
++ (addr << GMBUS_SLAVE_ADDR_SHIFT) |
+ GMBUS_SLAVE_WRITE | GMBUS_SW_RDY);
+ while (len) {
+ int ret;
+@@ -337,6 +360,29 @@ gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg)
+ if (ret)
+ return ret;
+ }
++
++ return 0;
++}
++
++static int
++gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg)
++{
++ u8 *buf = msg->buf;
++ unsigned int tx_size = msg->len;
++ unsigned int len;
++ int ret;
++
++ do {
++ len = min(tx_size, GMBUS_BYTE_COUNT_MAX);
++
++ ret = gmbus_xfer_write_chunk(dev_priv, msg->addr, buf, len);
++ if (ret)
++ return ret;
++
++ buf += len;
++ tx_size -= len;
++ } while (tx_size != 0);
++
+ return 0;
+ }
+
+diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c
+index 86807ee..9bd5611 100644
+--- a/drivers/gpu/drm/radeon/atombios_crtc.c
++++ b/drivers/gpu/drm/radeon/atombios_crtc.c
+@@ -330,8 +330,10 @@ atombios_set_crtc_dtd_timing(struct drm_crtc *crtc,
+ misc |= ATOM_COMPOSITESYNC;
+ if (mode->flags & DRM_MODE_FLAG_INTERLACE)
+ misc |= ATOM_INTERLACE;
+- if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
++ if (mode->flags & DRM_MODE_FLAG_DBLCLK)
+ misc |= ATOM_DOUBLE_CLOCK_MODE;
++ if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
++ misc |= ATOM_H_REPLICATIONBY2 | ATOM_V_REPLICATIONBY2;
+
+ args.susModeMiscInfo.usAccess = cpu_to_le16(misc);
+ args.ucCRTC = radeon_crtc->crtc_id;
+@@ -374,8 +376,10 @@ static void atombios_crtc_set_timing(struct drm_crtc *crtc,
+ misc |= ATOM_COMPOSITESYNC;
+ if (mode->flags & DRM_MODE_FLAG_INTERLACE)
+ misc |= ATOM_INTERLACE;
+- if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
++ if (mode->flags & DRM_MODE_FLAG_DBLCLK)
+ misc |= ATOM_DOUBLE_CLOCK_MODE;
++ if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
++ misc |= ATOM_H_REPLICATIONBY2 | ATOM_V_REPLICATIONBY2;
+
+ args.susModeMiscInfo.usAccess = cpu_to_le16(misc);
+ args.ucCRTC = radeon_crtc->crtc_id;
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 9c47867..7fe5590 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -459,6 +459,10 @@
+ #define USB_DEVICE_ID_UGCI_FLYING 0x0020
+ #define USB_DEVICE_ID_UGCI_FIGHTING 0x0030
+
++#define USB_VENDOR_ID_HP 0x03f0
++#define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE 0x0a4a
++#define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE 0x134a
++
+ #define USB_VENDOR_ID_HUION 0x256c
+ #define USB_DEVICE_ID_HUION_TABLET 0x006e
+
+diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
+index a821277..4e3ae9f 100644
+--- a/drivers/hid/usbhid/hid-quirks.c
++++ b/drivers/hid/usbhid/hid-quirks.c
+@@ -78,6 +78,8 @@ static const struct hid_blacklist {
+ { USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET },
++ { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
++ { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3, HID_QUIRK_NO_INIT_REPORTS },
+diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
+index 2978f5e..00bc30e 100644
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -135,7 +135,7 @@ int vmbus_open(struct vmbus_channel *newchannel, u32 send_ringbuffer_size,
+ GFP_KERNEL);
+ if (!open_info) {
+ err = -ENOMEM;
+- goto error0;
++ goto error_gpadl;
+ }
+
+ init_completion(&open_info->waitevent);
+@@ -151,7 +151,7 @@ int vmbus_open(struct vmbus_channel *newchannel, u32 send_ringbuffer_size,
+
+ if (userdatalen > MAX_USER_DEFINED_BYTES) {
+ err = -EINVAL;
+- goto error0;
++ goto error_gpadl;
+ }
+
+ if (userdatalen)
+@@ -195,6 +195,9 @@ error1:
+ list_del(&open_info->msglistentry);
+ spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);
+
++error_gpadl:
++ vmbus_teardown_gpadl(newchannel, newchannel->ringbuffer_gpadlhandle);
++
+ error0:
+ free_pages((unsigned long)out,
+ get_order(send_ringbuffer_size + recv_ringbuffer_size));
+diff --git a/drivers/i2c/busses/i2c-rk3x.c b/drivers/i2c/busses/i2c-rk3x.c
+index 5f96b1b..019d542 100644
+--- a/drivers/i2c/busses/i2c-rk3x.c
++++ b/drivers/i2c/busses/i2c-rk3x.c
+@@ -833,7 +833,7 @@ static int rk3x_i2c_xfer(struct i2c_adapter *adap,
+ clk_disable(i2c->clk);
+ spin_unlock_irqrestore(&i2c->lock, flags);
+
+- return ret;
++ return ret < 0 ? ret : num;
+ }
+
+ static u32 rk3x_i2c_func(struct i2c_adapter *adap)
+diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c
+index edf274c..8143162 100644
+--- a/drivers/i2c/i2c-core.c
++++ b/drivers/i2c/i2c-core.c
+@@ -596,6 +596,7 @@ int i2c_generic_scl_recovery(struct i2c_adapter *adap)
+ adap->bus_recovery_info->set_scl(adap, 1);
+ return i2c_generic_recovery(adap);
+ }
++EXPORT_SYMBOL_GPL(i2c_generic_scl_recovery);
+
+ int i2c_generic_gpio_recovery(struct i2c_adapter *adap)
+ {
+@@ -610,6 +611,7 @@ int i2c_generic_gpio_recovery(struct i2c_adapter *adap)
+
+ return ret;
+ }
++EXPORT_SYMBOL_GPL(i2c_generic_gpio_recovery);
+
+ int i2c_recover_bus(struct i2c_adapter *adap)
+ {
+@@ -619,6 +621,7 @@ int i2c_recover_bus(struct i2c_adapter *adap)
+ dev_dbg(&adap->dev, "Trying i2c bus recovery\n");
+ return adap->bus_recovery_info->recover_bus(adap);
+ }
++EXPORT_SYMBOL_GPL(i2c_recover_bus);
+
+ static int i2c_device_probe(struct device *dev)
+ {
+@@ -1410,6 +1413,8 @@ static int i2c_register_adapter(struct i2c_adapter *adap)
+
+ dev_dbg(&adap->dev, "adapter [%s] registered\n", adap->name);
+
++ pm_runtime_no_callbacks(&adap->dev);
++
+ #ifdef CONFIG_I2C_COMPAT
+ res = class_compat_create_link(i2c_adapter_compat_class, &adap->dev,
+ adap->dev.parent);
+diff --git a/drivers/i2c/i2c-mux.c b/drivers/i2c/i2c-mux.c
+index 593f7ca..06cc1ff 100644
+--- a/drivers/i2c/i2c-mux.c
++++ b/drivers/i2c/i2c-mux.c
+@@ -32,8 +32,9 @@ struct i2c_mux_priv {
+ struct i2c_algorithm algo;
+
+ struct i2c_adapter *parent;
+- void *mux_priv; /* the mux chip/device */
+- u32 chan_id; /* the channel id */
++ struct device *mux_dev;
++ void *mux_priv;
++ u32 chan_id;
+
+ int (*select)(struct i2c_adapter *, void *mux_priv, u32 chan_id);
+ int (*deselect)(struct i2c_adapter *, void *mux_priv, u32 chan_id);
+@@ -119,6 +120,7 @@ struct i2c_adapter *i2c_add_mux_adapter(struct i2c_adapter *parent,
+
+ /* Set up private adapter data */
+ priv->parent = parent;
++ priv->mux_dev = mux_dev;
+ priv->mux_priv = mux_priv;
+ priv->chan_id = chan_id;
+ priv->select = select;
+@@ -203,7 +205,7 @@ void i2c_del_mux_adapter(struct i2c_adapter *adap)
+ char symlink_name[20];
+
+ snprintf(symlink_name, sizeof(symlink_name), "channel-%u", priv->chan_id);
+- sysfs_remove_link(&adap->dev.parent->kobj, symlink_name);
++ sysfs_remove_link(&priv->mux_dev->kobj, symlink_name);
+
+ sysfs_remove_link(&priv->adap.dev.kobj, "mux_device");
+ i2c_del_adapter(adap);
+diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c
+index b0e5852..44d1d79 100644
+--- a/drivers/idle/intel_idle.c
++++ b/drivers/idle/intel_idle.c
+@@ -218,18 +218,10 @@ static struct cpuidle_state byt_cstates[] = {
+ .enter = &intel_idle,
+ .enter_freeze = intel_idle_freeze, },
+ {
+- .name = "C1E-BYT",
+- .desc = "MWAIT 0x01",
+- .flags = MWAIT2flg(0x01),
+- .exit_latency = 15,
+- .target_residency = 30,
+- .enter = &intel_idle,
+- .enter_freeze = intel_idle_freeze, },
+- {
+ .name = "C6N-BYT",
+ .desc = "MWAIT 0x58",
+ .flags = MWAIT2flg(0x58) | CPUIDLE_FLAG_TLB_FLUSHED,
+- .exit_latency = 40,
++ .exit_latency = 300,
+ .target_residency = 275,
+ .enter = &intel_idle,
+ .enter_freeze = intel_idle_freeze, },
+@@ -237,7 +229,7 @@ static struct cpuidle_state byt_cstates[] = {
+ .name = "C6S-BYT",
+ .desc = "MWAIT 0x52",
+ .flags = MWAIT2flg(0x52) | CPUIDLE_FLAG_TLB_FLUSHED,
+- .exit_latency = 140,
++ .exit_latency = 500,
+ .target_residency = 560,
+ .enter = &intel_idle,
+ .enter_freeze = intel_idle_freeze, },
+@@ -246,7 +238,7 @@ static struct cpuidle_state byt_cstates[] = {
+ .desc = "MWAIT 0x60",
+ .flags = MWAIT2flg(0x60) | CPUIDLE_FLAG_TLB_FLUSHED,
+ .exit_latency = 1200,
+- .target_residency = 1500,
++ .target_residency = 4000,
+ .enter = &intel_idle,
+ .enter_freeze = intel_idle_freeze, },
+ {
+diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
+index 8c014b5..38acb3c 100644
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -99,12 +99,15 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
+ if (dmasync)
+ dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+
++ if (!size)
++ return ERR_PTR(-EINVAL);
++
+ /*
+ * If the combination of the addr and size requested for this memory
+ * region causes an integer overflow, return error.
+ */
+- if ((PAGE_ALIGN(addr + size) <= size) ||
+- (PAGE_ALIGN(addr + size) <= addr))
++ if (((addr + size) < addr) ||
++ PAGE_ALIGN(addr + size) < (addr + size))
+ return ERR_PTR(-EINVAL);
+
+ if (!can_do_mlock())
+diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
+index ed2bd67..fbde33a 100644
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -2605,8 +2605,7 @@ static int build_lso_seg(struct mlx4_wqe_lso_seg *wqe, struct ib_send_wr *wr,
+
+ memcpy(wqe->header, wr->wr.ud.header, wr->wr.ud.hlen);
+
+- *lso_hdr_sz = cpu_to_be32((wr->wr.ud.mss - wr->wr.ud.hlen) << 16 |
+- wr->wr.ud.hlen);
++ *lso_hdr_sz = cpu_to_be32(wr->wr.ud.mss << 16 | wr->wr.ud.hlen);
+ *lso_seg_len = halign;
+ return 0;
+ }
+diff --git a/drivers/infiniband/ulp/iser/iser_initiator.c b/drivers/infiniband/ulp/iser/iser_initiator.c
+index 20e859a..76eb57b 100644
+--- a/drivers/infiniband/ulp/iser/iser_initiator.c
++++ b/drivers/infiniband/ulp/iser/iser_initiator.c
+@@ -409,8 +409,8 @@ int iser_send_command(struct iscsi_conn *conn,
+ if (scsi_prot_sg_count(sc)) {
+ prot_buf->buf = scsi_prot_sglist(sc);
+ prot_buf->size = scsi_prot_sg_count(sc);
+- prot_buf->data_len = data_buf->data_len >>
+- ilog2(sc->device->sector_size) * 8;
++ prot_buf->data_len = (data_buf->data_len >>
++ ilog2(sc->device->sector_size)) * 8;
+ }
+
+ if (hdr->flags & ISCSI_FLAG_CMD_READ) {
+diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
+index 075b19c..147029a 100644
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -222,7 +222,7 @@ fail:
+ static void
+ isert_free_rx_descriptors(struct isert_conn *isert_conn)
+ {
+- struct ib_device *ib_dev = isert_conn->conn_cm_id->device;
++ struct ib_device *ib_dev = isert_conn->conn_device->ib_device;
+ struct iser_rx_desc *rx_desc;
+ int i;
+
+@@ -719,8 +719,8 @@ out:
+ static void
+ isert_connect_release(struct isert_conn *isert_conn)
+ {
+- struct ib_device *ib_dev = isert_conn->conn_cm_id->device;
+ struct isert_device *device = isert_conn->conn_device;
++ struct ib_device *ib_dev = device->ib_device;
+
+ isert_dbg("conn %p\n", isert_conn);
+
+@@ -728,7 +728,8 @@ isert_connect_release(struct isert_conn *isert_conn)
+ isert_conn_free_fastreg_pool(isert_conn);
+
+ isert_free_rx_descriptors(isert_conn);
+- rdma_destroy_id(isert_conn->conn_cm_id);
++ if (isert_conn->conn_cm_id)
++ rdma_destroy_id(isert_conn->conn_cm_id);
+
+ if (isert_conn->conn_qp) {
+ struct isert_comp *comp = isert_conn->conn_qp->recv_cq->cq_context;
+@@ -878,12 +879,15 @@ isert_disconnected_handler(struct rdma_cm_id *cma_id,
+ return 0;
+ }
+
+-static void
++static int
+ isert_connect_error(struct rdma_cm_id *cma_id)
+ {
+ struct isert_conn *isert_conn = cma_id->qp->qp_context;
+
++ isert_conn->conn_cm_id = NULL;
+ isert_put_conn(isert_conn);
++
++ return -1;
+ }
+
+ static int
+@@ -912,7 +916,7 @@ isert_cma_handler(struct rdma_cm_id *cma_id, struct rdma_cm_event *event)
+ case RDMA_CM_EVENT_REJECTED: /* FALLTHRU */
+ case RDMA_CM_EVENT_UNREACHABLE: /* FALLTHRU */
+ case RDMA_CM_EVENT_CONNECT_ERROR:
+- isert_connect_error(cma_id);
++ ret = isert_connect_error(cma_id);
+ break;
+ default:
+ isert_err("Unhandled RDMA CMA event: %d\n", event->event);
+@@ -1861,11 +1865,13 @@ isert_completion_rdma_read(struct iser_tx_desc *tx_desc,
+ cmd->i_state = ISTATE_RECEIVED_LAST_DATAOUT;
+ spin_unlock_bh(&cmd->istate_lock);
+
+- if (ret)
++ if (ret) {
++ target_put_sess_cmd(se_cmd->se_sess, se_cmd);
+ transport_send_check_condition_and_sense(se_cmd,
+ se_cmd->pi_err, 0);
+- else
++ } else {
+ target_execute_cmd(se_cmd);
++ }
+ }
+
+ static void
+diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
+index 27bcdbc..ea6cb64 100644
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -1159,13 +1159,14 @@ static void alps_report_bare_ps2_packet(struct psmouse *psmouse,
+ bool report_buttons)
+ {
+ struct alps_data *priv = psmouse->private;
+- struct input_dev *dev;
++ struct input_dev *dev, *dev2 = NULL;
+
+ /* Figure out which device to use to report the bare packet */
+ if (priv->proto_version == ALPS_PROTO_V2 &&
+ (priv->flags & ALPS_DUALPOINT)) {
+ /* On V2 devices the DualPoint Stick reports bare packets */
+ dev = priv->dev2;
++ dev2 = psmouse->dev;
+ } else if (unlikely(IS_ERR_OR_NULL(priv->dev3))) {
+ /* Register dev3 mouse if we received PS/2 packet first time */
+ if (!IS_ERR(priv->dev3))
+@@ -1177,7 +1178,7 @@ static void alps_report_bare_ps2_packet(struct psmouse *psmouse,
+ }
+
+ if (report_buttons)
+- alps_report_buttons(dev, NULL,
++ alps_report_buttons(dev, dev2,
+ packet[0] & 1, packet[0] & 2, packet[0] & 4);
+
+ input_report_rel(dev, REL_X,
+diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
+index 6e22682..991dc6b 100644
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -893,6 +893,21 @@ static psmouse_ret_t elantech_process_byte(struct psmouse *psmouse)
+ }
+
+ /*
++ * This writes the reg_07 value again to the hardware at the end of every
++ * set_rate call because the register loses its value. reg_07 allows setting
++ * absolute mode on v4 hardware
++ */
++static void elantech_set_rate_restore_reg_07(struct psmouse *psmouse,
++ unsigned int rate)
++{
++ struct elantech_data *etd = psmouse->private;
++
++ etd->original_set_rate(psmouse, rate);
++ if (elantech_write_reg(psmouse, 0x07, etd->reg_07))
++ psmouse_err(psmouse, "restoring reg_07 failed\n");
++}
++
++/*
+ * Put the touchpad into absolute mode
+ */
+ static int elantech_set_absolute_mode(struct psmouse *psmouse)
+@@ -1094,6 +1109,8 @@ static int elantech_get_resolution_v4(struct psmouse *psmouse,
+ * Asus K53SV 0x450f01 78, 15, 0c 2 hw buttons
+ * Asus G46VW 0x460f02 00, 18, 0c 2 hw buttons
+ * Asus G750JX 0x360f00 00, 16, 0c 2 hw buttons
++ * Asus TP500LN 0x381f17 10, 14, 0e clickpad
++ * Asus X750JN 0x381f17 10, 14, 0e clickpad
+ * Asus UX31 0x361f00 20, 15, 0e clickpad
+ * Asus UX32VD 0x361f02 00, 15, 0e clickpad
+ * Avatar AVIU-145A2 0x361f00 ? clickpad
+@@ -1635,6 +1652,11 @@ int elantech_init(struct psmouse *psmouse)
+ goto init_fail;
+ }
+
++ if (etd->fw_version == 0x381f17) {
++ etd->original_set_rate = psmouse->set_rate;
++ psmouse->set_rate = elantech_set_rate_restore_reg_07;
++ }
++
+ if (elantech_set_input_params(psmouse)) {
+ psmouse_err(psmouse, "failed to query touchpad range.\n");
+ goto init_fail;
+diff --git a/drivers/input/mouse/elantech.h b/drivers/input/mouse/elantech.h
+index 6f3afec..f965d15 100644
+--- a/drivers/input/mouse/elantech.h
++++ b/drivers/input/mouse/elantech.h
+@@ -142,6 +142,7 @@ struct elantech_data {
+ struct finger_pos mt[ETP_MAX_FINGERS];
+ unsigned char parity[256];
+ int (*send_cmd)(struct psmouse *psmouse, unsigned char c, unsigned char *param);
++ void (*original_set_rate)(struct psmouse *psmouse, unsigned int rate);
+ };
+
+ #ifdef CONFIG_MOUSE_PS2_ELANTECH
+diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
+index 713a962..41473929 100644
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -925,11 +925,10 @@ static int crypt_convert(struct crypt_config *cc,
+
+ switch (r) {
+ /* async */
++ case -EINPROGRESS:
+ case -EBUSY:
+ wait_for_completion(&ctx->restart);
+ reinit_completion(&ctx->restart);
+- /* fall through*/
+- case -EINPROGRESS:
+ ctx->req = NULL;
+ ctx->cc_sector++;
+ continue;
+@@ -1346,10 +1345,8 @@ static void kcryptd_async_done(struct crypto_async_request *async_req,
+ struct dm_crypt_io *io = container_of(ctx, struct dm_crypt_io, ctx);
+ struct crypt_config *cc = io->cc;
+
+- if (error == -EINPROGRESS) {
+- complete(&ctx->restart);
++ if (error == -EINPROGRESS)
+ return;
+- }
+
+ if (!error && cc->iv_gen_ops && cc->iv_gen_ops->post)
+ error = cc->iv_gen_ops->post(cc, iv_of_dmreq(cc, dmreq), dmreq);
+@@ -1360,12 +1357,15 @@ static void kcryptd_async_done(struct crypto_async_request *async_req,
+ crypt_free_req(cc, req_of_dmreq(cc, dmreq), io->base_bio);
+
+ if (!atomic_dec_and_test(&ctx->cc_pending))
+- return;
++ goto done;
+
+ if (bio_data_dir(io->base_bio) == READ)
+ kcryptd_crypt_read_done(io);
+ else
+ kcryptd_crypt_write_io_submit(io, 1);
++done:
++ if (!completion_done(&ctx->restart))
++ complete(&ctx->restart);
+ }
+
+ static void kcryptd_crypt(struct work_struct *work)
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 717daad..e617878 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -249,6 +249,7 @@ static void md_make_request(struct request_queue *q, struct bio *bio)
+ const int rw = bio_data_dir(bio);
+ struct mddev *mddev = q->queuedata;
+ unsigned int sectors;
++ int cpu;
+
+ if (mddev == NULL || mddev->pers == NULL
+ || !mddev->ready) {
+@@ -284,7 +285,10 @@ static void md_make_request(struct request_queue *q, struct bio *bio)
+ sectors = bio_sectors(bio);
+ mddev->pers->make_request(mddev, bio);
+
+- generic_start_io_acct(rw, sectors, &mddev->gendisk->part0);
++ cpu = part_stat_lock();
++ part_stat_inc(cpu, &mddev->gendisk->part0, ios[rw]);
++ part_stat_add(cpu, &mddev->gendisk->part0, sectors[rw], sectors);
++ part_stat_unlock();
+
+ if (atomic_dec_and_test(&mddev->active_io) && mddev->suspended)
+ wake_up(&mddev->sb_wait);
+diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c
+index 3ed9f42..3b5d7f7 100644
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -313,7 +313,7 @@ static struct strip_zone *find_zone(struct r0conf *conf,
+
+ /*
+ * remaps the bio to the target device. we separate two flows.
+- * power 2 flow and a general flow for the sake of perfromance
++ * power 2 flow and a general flow for the sake of performance
+ */
+ static struct md_rdev *map_sector(struct mddev *mddev, struct strip_zone *zone,
+ sector_t sector, sector_t *sector_offset)
+@@ -524,6 +524,7 @@ static void raid0_make_request(struct mddev *mddev, struct bio *bio)
+ split = bio;
+ }
+
++ sector = bio->bi_iter.bi_sector;
+ zone = find_zone(mddev->private, &sector);
+ tmp_dev = map_sector(mddev, zone, sector, &sector);
+ split->bi_bdev = tmp_dev->bdev;
+diff --git a/drivers/media/rc/img-ir/img-ir-core.c b/drivers/media/rc/img-ir/img-ir-core.c
+index 77c78de..7020659 100644
+--- a/drivers/media/rc/img-ir/img-ir-core.c
++++ b/drivers/media/rc/img-ir/img-ir-core.c
+@@ -146,7 +146,7 @@ static int img_ir_remove(struct platform_device *pdev)
+ {
+ struct img_ir_priv *priv = platform_get_drvdata(pdev);
+
+- free_irq(priv->irq, img_ir_isr);
++ free_irq(priv->irq, priv);
+ img_ir_remove_hw(priv);
+ img_ir_remove_raw(priv);
+
+diff --git a/drivers/media/usb/stk1160/stk1160-v4l.c b/drivers/media/usb/stk1160/stk1160-v4l.c
+index 65a326c..749ad56 100644
+--- a/drivers/media/usb/stk1160/stk1160-v4l.c
++++ b/drivers/media/usb/stk1160/stk1160-v4l.c
+@@ -240,6 +240,11 @@ static int stk1160_stop_streaming(struct stk1160 *dev)
+ if (mutex_lock_interruptible(&dev->v4l_lock))
+ return -ERESTARTSYS;
+
++ /*
++ * Once URBs are cancelled, the URB complete handler
++ * won't be running. This is required to safely release the
++ * current buffer (dev->isoc_ctl.buf).
++ */
+ stk1160_cancel_isoc(dev);
+
+ /*
+@@ -620,8 +625,16 @@ void stk1160_clear_queue(struct stk1160 *dev)
+ stk1160_info("buffer [%p/%d] aborted\n",
+ buf, buf->vb.v4l2_buf.index);
+ }
+- /* It's important to clear current buffer */
+- dev->isoc_ctl.buf = NULL;
++
++ /* It's important to release the current buffer */
++ if (dev->isoc_ctl.buf) {
++ buf = dev->isoc_ctl.buf;
++ dev->isoc_ctl.buf = NULL;
++
++ vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR);
++ stk1160_info("buffer [%p/%d] aborted\n",
++ buf, buf->vb.v4l2_buf.index);
++ }
+ spin_unlock_irqrestore(&dev->buf_lock, flags);
+ }
+
+diff --git a/drivers/memstick/core/mspro_block.c b/drivers/memstick/core/mspro_block.c
+index fc145d2..922a750 100644
+--- a/drivers/memstick/core/mspro_block.c
++++ b/drivers/memstick/core/mspro_block.c
+@@ -758,7 +758,7 @@ static int mspro_block_complete_req(struct memstick_dev *card, int error)
+
+ if (error || (card->current_mrq.tpc == MSPRO_CMD_STOP)) {
+ if (msb->data_dir == READ) {
+- for (cnt = 0; cnt < msb->current_seg; cnt++)
++ for (cnt = 0; cnt < msb->current_seg; cnt++) {
+ t_len += msb->req_sg[cnt].length
+ / msb->page_size;
+
+@@ -766,6 +766,7 @@ static int mspro_block_complete_req(struct memstick_dev *card, int error)
+ t_len += msb->current_page - 1;
+
+ t_len *= msb->page_size;
++ }
+ }
+ } else
+ t_len = blk_rq_bytes(msb->block_req);
+diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
+index 2a87f69..1aed3b7 100644
+--- a/drivers/mfd/mfd-core.c
++++ b/drivers/mfd/mfd-core.c
+@@ -128,7 +128,7 @@ static int mfd_add_device(struct device *parent, int id,
+ int platform_id;
+ int r;
+
+- if (id < 0)
++ if (id == PLATFORM_DEVID_AUTO)
+ platform_id = id;
+ else
+ platform_id = id + cell->id;
+diff --git a/drivers/mmc/host/sunxi-mmc.c b/drivers/mmc/host/sunxi-mmc.c
+index e8a4218..459ed1b 100644
+--- a/drivers/mmc/host/sunxi-mmc.c
++++ b/drivers/mmc/host/sunxi-mmc.c
+@@ -930,7 +930,9 @@ static int sunxi_mmc_resource_request(struct sunxi_mmc_host *host,
+ return PTR_ERR(host->clk_sample);
+ }
+
+- host->reset = devm_reset_control_get(&pdev->dev, "ahb");
++ host->reset = devm_reset_control_get_optional(&pdev->dev, "ahb");
++ if (PTR_ERR(host->reset) == -EPROBE_DEFER)
++ return PTR_ERR(host->reset);
+
+ ret = clk_prepare_enable(host->clk_ahb);
+ if (ret) {
+diff --git a/drivers/mmc/host/tmio_mmc_pio.c b/drivers/mmc/host/tmio_mmc_pio.c
+index a31c357..dba7e1c 100644
+--- a/drivers/mmc/host/tmio_mmc_pio.c
++++ b/drivers/mmc/host/tmio_mmc_pio.c
+@@ -1073,8 +1073,6 @@ EXPORT_SYMBOL(tmio_mmc_host_alloc);
+ void tmio_mmc_host_free(struct tmio_mmc_host *host)
+ {
+ mmc_free_host(host->mmc);
+-
+- host->mmc = NULL;
+ }
+ EXPORT_SYMBOL(tmio_mmc_host_free);
+
+diff --git a/drivers/mtd/ubi/attach.c b/drivers/mtd/ubi/attach.c
+index 9d2e16f..b5e1548 100644
+--- a/drivers/mtd/ubi/attach.c
++++ b/drivers/mtd/ubi/attach.c
+@@ -410,7 +410,7 @@ int ubi_compare_lebs(struct ubi_device *ubi, const struct ubi_ainf_peb *aeb,
+ second_is_newer = !second_is_newer;
+ } else {
+ dbg_bld("PEB %d CRC is OK", pnum);
+- bitflips = !!err;
++ bitflips |= !!err;
+ }
+ mutex_unlock(&ubi->buf_mutex);
+
+diff --git a/drivers/mtd/ubi/cdev.c b/drivers/mtd/ubi/cdev.c
+index d647e50..d16fccf 100644
+--- a/drivers/mtd/ubi/cdev.c
++++ b/drivers/mtd/ubi/cdev.c
+@@ -455,7 +455,7 @@ static long vol_cdev_ioctl(struct file *file, unsigned int cmd,
+ /* Validate the request */
+ err = -EINVAL;
+ if (req.lnum < 0 || req.lnum >= vol->reserved_pebs ||
+- req.bytes < 0 || req.lnum >= vol->usable_leb_size)
++ req.bytes < 0 || req.bytes > vol->usable_leb_size)
+ break;
+
+ err = get_exclusive(desc);
+diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
+index 16e34b3..8c9a710 100644
+--- a/drivers/mtd/ubi/eba.c
++++ b/drivers/mtd/ubi/eba.c
+@@ -1419,7 +1419,8 @@ int ubi_eba_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
+ * during re-size.
+ */
+ ubi_move_aeb_to_list(av, aeb, &ai->erase);
+- vol->eba_tbl[aeb->lnum] = aeb->pnum;
++ else
++ vol->eba_tbl[aeb->lnum] = aeb->pnum;
+ }
+ }
+
+diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
+index 8f7bde6..0bd92d8 100644
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -1002,7 +1002,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
+ int shutdown)
+ {
+ int err, scrubbing = 0, torture = 0, protect = 0, erroneous = 0;
+- int vol_id = -1, uninitialized_var(lnum);
++ int vol_id = -1, lnum = -1;
+ #ifdef CONFIG_MTD_UBI_FASTMAP
+ int anchor = wrk->anchor;
+ #endif
+diff --git a/drivers/net/ethernet/cadence/macb.c b/drivers/net/ethernet/cadence/macb.c
+index 81d4153..77bf133 100644
+--- a/drivers/net/ethernet/cadence/macb.c
++++ b/drivers/net/ethernet/cadence/macb.c
+@@ -2165,7 +2165,7 @@ static void macb_configure_caps(struct macb *bp)
+ }
+ }
+
+- if (MACB_BFEXT(IDNUM, macb_readl(bp, MID)) == 0x2)
++ if (MACB_BFEXT(IDNUM, macb_readl(bp, MID)) >= 0x2)
+ bp->caps |= MACB_CAPS_MACB_IS_GEM;
+
+ if (macb_is_gem(bp)) {
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
+index 7f997d3..a71c446 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
+@@ -144,6 +144,11 @@ static bool e1000_clean_rx_irq(struct e1000_adapter *adapter,
+ static bool e1000_clean_jumbo_rx_irq(struct e1000_adapter *adapter,
+ struct e1000_rx_ring *rx_ring,
+ int *work_done, int work_to_do);
++static void e1000_alloc_dummy_rx_buffers(struct e1000_adapter *adapter,
++ struct e1000_rx_ring *rx_ring,
++ int cleaned_count)
++{
++}
+ static void e1000_alloc_rx_buffers(struct e1000_adapter *adapter,
+ struct e1000_rx_ring *rx_ring,
+ int cleaned_count);
+@@ -3552,8 +3557,11 @@ static int e1000_change_mtu(struct net_device *netdev, int new_mtu)
+ msleep(1);
+ /* e1000_down has a dependency on max_frame_size */
+ hw->max_frame_size = max_frame;
+- if (netif_running(netdev))
++ if (netif_running(netdev)) {
++ /* prevent buffers from being reallocated */
++ adapter->alloc_rx_buf = e1000_alloc_dummy_rx_buffers;
+ e1000_down(adapter);
++ }
+
+ /* NOTE: netdev_alloc_skb reserves 16 bytes, and typically NET_IP_ALIGN
+ * means we reserve 2 more, this pushes us to allocate from the next
+diff --git a/drivers/net/ethernet/marvell/pxa168_eth.c b/drivers/net/ethernet/marvell/pxa168_eth.c
+index af829c5..7ace07d 100644
+--- a/drivers/net/ethernet/marvell/pxa168_eth.c
++++ b/drivers/net/ethernet/marvell/pxa168_eth.c
+@@ -1508,7 +1508,8 @@ static int pxa168_eth_probe(struct platform_device *pdev)
+ np = of_parse_phandle(pdev->dev.of_node, "phy-handle", 0);
+ if (!np) {
+ dev_err(&pdev->dev, "missing phy-handle\n");
+- return -EINVAL;
++ err = -EINVAL;
++ goto err_netdev;
+ }
+ of_property_read_u32(np, "reg", &pep->phy_addr);
+ pep->phy_intf = of_get_phy_mode(pdev->dev.of_node);
+@@ -1526,7 +1527,7 @@ static int pxa168_eth_probe(struct platform_device *pdev)
+ pep->smi_bus = mdiobus_alloc();
+ if (pep->smi_bus == NULL) {
+ err = -ENOMEM;
+- goto err_base;
++ goto err_netdev;
+ }
+ pep->smi_bus->priv = pep;
+ pep->smi_bus->name = "pxa168_eth smi";
+@@ -1551,13 +1552,10 @@ err_mdiobus:
+ mdiobus_unregister(pep->smi_bus);
+ err_free_mdio:
+ mdiobus_free(pep->smi_bus);
+-err_base:
+- iounmap(pep->base);
+ err_netdev:
+ free_netdev(dev);
+ err_clk:
+- clk_disable(clk);
+- clk_put(clk);
++ clk_disable_unprepare(clk);
+ return err;
+ }
+
+@@ -1574,13 +1572,9 @@ static int pxa168_eth_remove(struct platform_device *pdev)
+ if (pep->phy)
+ phy_disconnect(pep->phy);
+ if (pep->clk) {
+- clk_disable(pep->clk);
+- clk_put(pep->clk);
+- pep->clk = NULL;
++ clk_disable_unprepare(pep->clk);
+ }
+
+- iounmap(pep->base);
+- pep->base = NULL;
+ mdiobus_unregister(pep->smi_bus);
+ mdiobus_free(pep->smi_bus);
+ unregister_netdev(dev);
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+index a7b58ba..3dccf01 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -981,20 +981,21 @@ static int mlx4_en_check_rxfh_func(struct net_device *dev, u8 hfunc)
+ struct mlx4_en_priv *priv = netdev_priv(dev);
+
+ /* check if requested function is supported by the device */
+- if ((hfunc == ETH_RSS_HASH_TOP &&
+- !(priv->mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_RSS_TOP)) ||
+- (hfunc == ETH_RSS_HASH_XOR &&
+- !(priv->mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_RSS_XOR)))
+- return -EINVAL;
++ if (hfunc == ETH_RSS_HASH_TOP) {
++ if (!(priv->mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_RSS_TOP))
++ return -EINVAL;
++ if (!(dev->features & NETIF_F_RXHASH))
++ en_warn(priv, "Toeplitz hash function should be used in conjunction with RX hashing for optimal performance\n");
++ return 0;
++ } else if (hfunc == ETH_RSS_HASH_XOR) {
++ if (!(priv->mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_RSS_XOR))
++ return -EINVAL;
++ if (dev->features & NETIF_F_RXHASH)
++ en_warn(priv, "Enabling both XOR Hash function and RX Hashing can limit RPS functionality\n");
++ return 0;
++ }
+
+- priv->rss_hash_fn = hfunc;
+- if (hfunc == ETH_RSS_HASH_TOP && !(dev->features & NETIF_F_RXHASH))
+- en_warn(priv,
+- "Toeplitz hash function should be used in conjunction with RX hashing for optimal performance\n");
+- if (hfunc == ETH_RSS_HASH_XOR && (dev->features & NETIF_F_RXHASH))
+- en_warn(priv,
+- "Enabling both XOR Hash function and RX Hashing can limit RPS functionality\n");
+- return 0;
++ return -EINVAL;
+ }
+
+ static int mlx4_en_get_rxfh(struct net_device *dev, u32 *ring_index, u8 *key,
+@@ -1068,6 +1069,8 @@ static int mlx4_en_set_rxfh(struct net_device *dev, const u32 *ring_index,
+ priv->prof->rss_rings = rss_rings;
+ if (key)
+ memcpy(priv->rss_key, key, MLX4_EN_RSS_KEY_SIZE);
++ if (hfunc != ETH_RSS_HASH_NO_CHANGE)
++ priv->rss_hash_fn = hfunc;
+
+ if (port_up) {
+ err = mlx4_en_start_port(dev);
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index af034db..9d15566 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1716,6 +1716,7 @@ ppp_receive_frame(struct ppp *ppp, struct sk_buff *skb, struct channel *pch)
+ {
+ /* note: a 0-length skb is used as an error indication */
+ if (skb->len > 0) {
++ skb_checksum_complete_unset(skb);
+ #ifdef CONFIG_PPP_MULTILINK
+ /* XXX do channel-level decompression here */
+ if (PPP_PROTO(skb) == PPP_MP)
+diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+index 90a714c..23806c2 100644
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+@@ -321,6 +321,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = {
+ {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
+ {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
+ {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/
++ {RTL_USB_DEVICE(0x0b05, 0x17ba, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/
+ {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/
+ {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
+ {RTL_USB_DEVICE(0x0df6, 0x005c, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
+@@ -377,6 +378,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = {
+ {RTL_USB_DEVICE(0x2001, 0x3307, rtl92cu_hal_cfg)}, /*D-Link-Cameo*/
+ {RTL_USB_DEVICE(0x2001, 0x3309, rtl92cu_hal_cfg)}, /*D-Link-Alpha*/
+ {RTL_USB_DEVICE(0x2001, 0x330a, rtl92cu_hal_cfg)}, /*D-Link-Alpha*/
++ {RTL_USB_DEVICE(0x2001, 0x330d, rtl92cu_hal_cfg)}, /*D-Link DWA-131 */
+ {RTL_USB_DEVICE(0x2019, 0xab2b, rtl92cu_hal_cfg)}, /*Planex -Abocom*/
+ {RTL_USB_DEVICE(0x20f4, 0x624d, rtl92cu_hal_cfg)}, /*TRENDNet*/
+ {RTL_USB_DEVICE(0x2357, 0x0100, rtl92cu_hal_cfg)}, /*TP-Link WN8200ND*/
+diff --git a/drivers/net/wireless/ti/wl18xx/debugfs.c b/drivers/net/wireless/ti/wl18xx/debugfs.c
+index c93fae9..5fbd223 100644
+--- a/drivers/net/wireless/ti/wl18xx/debugfs.c
++++ b/drivers/net/wireless/ti/wl18xx/debugfs.c
+@@ -139,7 +139,7 @@ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, protection_filter, "%u");
+ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, accum_arp_pend_requests, "%u");
+ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, max_arp_queue_dep, "%u");
+
+-WL18XX_DEBUGFS_FWSTATS_FILE(rx_rate, rx_frames_per_rates, "%u");
++WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(rx_rate, rx_frames_per_rates, 50);
+
+ WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(aggr_size, tx_agg_vs_rate,
+ AGGR_STATS_TX_AGG*AGGR_STATS_TX_RATE);
+diff --git a/drivers/net/wireless/ti/wlcore/debugfs.h b/drivers/net/wireless/ti/wlcore/debugfs.h
+index 0f2cfb0..bf14676 100644
+--- a/drivers/net/wireless/ti/wlcore/debugfs.h
++++ b/drivers/net/wireless/ti/wlcore/debugfs.h
+@@ -26,8 +26,8 @@
+
+ #include "wlcore.h"
+
+-int wl1271_format_buffer(char __user *userbuf, size_t count,
+- loff_t *ppos, char *fmt, ...);
++__printf(4, 5) int wl1271_format_buffer(char __user *userbuf, size_t count,
++ loff_t *ppos, char *fmt, ...);
+
+ int wl1271_debugfs_init(struct wl1271 *wl);
+ void wl1271_debugfs_exit(struct wl1271 *wl);
+diff --git a/drivers/nfc/st21nfcb/i2c.c b/drivers/nfc/st21nfcb/i2c.c
+index eb88693..7b53a5c 100644
+--- a/drivers/nfc/st21nfcb/i2c.c
++++ b/drivers/nfc/st21nfcb/i2c.c
+@@ -109,7 +109,7 @@ static int st21nfcb_nci_i2c_write(void *phy_id, struct sk_buff *skb)
+ return phy->ndlc->hard_fault;
+
+ r = i2c_master_send(client, skb->data, skb->len);
+- if (r == -EREMOTEIO) { /* Retry, chip was in standby */
++ if (r < 0) { /* Retry, chip was in standby */
+ usleep_range(1000, 4000);
+ r = i2c_master_send(client, skb->data, skb->len);
+ }
+@@ -148,7 +148,7 @@ static int st21nfcb_nci_i2c_read(struct st21nfcb_i2c_phy *phy,
+ struct i2c_client *client = phy->i2c_dev;
+
+ r = i2c_master_recv(client, buf, ST21NFCB_NCI_I2C_MIN_SIZE);
+- if (r == -EREMOTEIO) { /* Retry, chip was in standby */
++ if (r < 0) { /* Retry, chip was in standby */
+ usleep_range(1000, 4000);
+ r = i2c_master_recv(client, buf, ST21NFCB_NCI_I2C_MIN_SIZE);
+ }
+diff --git a/drivers/platform/x86/compal-laptop.c b/drivers/platform/x86/compal-laptop.c
+index 15c0fab..bceb30b 100644
+--- a/drivers/platform/x86/compal-laptop.c
++++ b/drivers/platform/x86/compal-laptop.c
+@@ -1026,9 +1026,9 @@ static int compal_probe(struct platform_device *pdev)
+ if (err)
+ return err;
+
+- hwmon_dev = hwmon_device_register_with_groups(&pdev->dev,
+- "compal", data,
+- compal_hwmon_groups);
++ hwmon_dev = devm_hwmon_device_register_with_groups(&pdev->dev,
++ "compal", data,
++ compal_hwmon_groups);
+ if (IS_ERR(hwmon_dev)) {
+ err = PTR_ERR(hwmon_dev);
+ goto remove;
+@@ -1036,7 +1036,9 @@ static int compal_probe(struct platform_device *pdev)
+
+ /* Power supply */
+ initialize_power_supply_data(data);
+- power_supply_register(&compal_device->dev, &data->psy);
++ err = power_supply_register(&compal_device->dev, &data->psy);
++ if (err < 0)
++ goto remove;
+
+ platform_set_drvdata(pdev, data);
+
+diff --git a/drivers/power/ipaq_micro_battery.c b/drivers/power/ipaq_micro_battery.c
+index 9d69460..96b15e0 100644
+--- a/drivers/power/ipaq_micro_battery.c
++++ b/drivers/power/ipaq_micro_battery.c
+@@ -226,6 +226,7 @@ static struct power_supply micro_ac_power = {
+ static int micro_batt_probe(struct platform_device *pdev)
+ {
+ struct micro_battery *mb;
++ int ret;
+
+ mb = devm_kzalloc(&pdev->dev, sizeof(*mb), GFP_KERNEL);
+ if (!mb)
+@@ -233,14 +234,30 @@ static int micro_batt_probe(struct platform_device *pdev)
+
+ mb->micro = dev_get_drvdata(pdev->dev.parent);
+ mb->wq = create_singlethread_workqueue("ipaq-battery-wq");
++ if (!mb->wq)
++ return -ENOMEM;
++
+ INIT_DELAYED_WORK(&mb->update, micro_battery_work);
+ platform_set_drvdata(pdev, mb);
+ queue_delayed_work(mb->wq, &mb->update, 1);
+- power_supply_register(&pdev->dev, &micro_batt_power);
+- power_supply_register(&pdev->dev, &micro_ac_power);
++
++ ret = power_supply_register(&pdev->dev, &micro_batt_power);
++ if (ret < 0)
++ goto batt_err;
++
++ ret = power_supply_register(&pdev->dev, &micro_ac_power);
++ if (ret < 0)
++ goto ac_err;
+
+ dev_info(&pdev->dev, "iPAQ micro battery driver\n");
+ return 0;
++
++ac_err:
++ power_supply_unregister(&micro_ac_power);
++batt_err:
++ cancel_delayed_work_sync(&mb->update);
++ destroy_workqueue(mb->wq);
++ return ret;
+ }
+
+ static int micro_batt_remove(struct platform_device *pdev)
+@@ -251,6 +268,7 @@ static int micro_batt_remove(struct platform_device *pdev)
+ power_supply_unregister(&micro_ac_power);
+ power_supply_unregister(&micro_batt_power);
+ cancel_delayed_work_sync(&mb->update);
++ destroy_workqueue(mb->wq);
+
+ return 0;
+ }
+diff --git a/drivers/power/lp8788-charger.c b/drivers/power/lp8788-charger.c
+index 21fc233..176dab2 100644
+--- a/drivers/power/lp8788-charger.c
++++ b/drivers/power/lp8788-charger.c
+@@ -417,8 +417,10 @@ static int lp8788_psy_register(struct platform_device *pdev,
+ pchg->battery.num_properties = ARRAY_SIZE(lp8788_battery_prop);
+ pchg->battery.get_property = lp8788_battery_get_property;
+
+- if (power_supply_register(&pdev->dev, &pchg->battery))
++ if (power_supply_register(&pdev->dev, &pchg->battery)) {
++ power_supply_unregister(&pchg->charger);
+ return -EPERM;
++ }
+
+ return 0;
+ }
+diff --git a/drivers/power/twl4030_madc_battery.c b/drivers/power/twl4030_madc_battery.c
+index 7ef445a..cf90760 100644
+--- a/drivers/power/twl4030_madc_battery.c
++++ b/drivers/power/twl4030_madc_battery.c
+@@ -192,6 +192,7 @@ static int twl4030_madc_battery_probe(struct platform_device *pdev)
+ {
+ struct twl4030_madc_battery *twl4030_madc_bat;
+ struct twl4030_madc_bat_platform_data *pdata = pdev->dev.platform_data;
++ int ret = 0;
+
+ twl4030_madc_bat = kzalloc(sizeof(*twl4030_madc_bat), GFP_KERNEL);
+ if (!twl4030_madc_bat)
+@@ -216,9 +217,11 @@ static int twl4030_madc_battery_probe(struct platform_device *pdev)
+
+ twl4030_madc_bat->pdata = pdata;
+ platform_set_drvdata(pdev, twl4030_madc_bat);
+- power_supply_register(&pdev->dev, &twl4030_madc_bat->psy);
++ ret = power_supply_register(&pdev->dev, &twl4030_madc_bat->psy);
++ if (ret < 0)
++ kfree(twl4030_madc_bat);
+
+- return 0;
++ return ret;
+ }
+
+ static int twl4030_madc_battery_remove(struct platform_device *pdev)
+diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+index 675b5e7..5a0800d 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -1584,11 +1584,11 @@ megasas_build_ldio_fusion(struct megasas_instance *instance,
+ fp_possible = io_info.fpOkForIo;
+ }
+
+- /* Use smp_processor_id() for now until cmd->request->cpu is CPU
++ /* Use raw_smp_processor_id() for now until cmd->request->cpu is CPU
+ id by default, not CPU group id, otherwise all MSI-X queues won't
+ be utilized */
+ cmd->request_desc->SCSIIO.MSIxIndex = instance->msix_vectors ?
+- smp_processor_id() % instance->msix_vectors : 0;
++ raw_smp_processor_id() % instance->msix_vectors : 0;
+
+ if (fp_possible) {
+ megasas_set_pd_lba(io_request, scp->cmd_len, &io_info, scp,
+@@ -1693,7 +1693,10 @@ megasas_build_dcdb_fusion(struct megasas_instance *instance,
+ << MR_RAID_CTX_RAID_FLAGS_IO_SUB_TYPE_SHIFT;
+ cmd->request_desc->SCSIIO.DevHandle = io_request->DevHandle;
+ cmd->request_desc->SCSIIO.MSIxIndex =
+- instance->msix_vectors ? smp_processor_id() % instance->msix_vectors : 0;
++ instance->msix_vectors ?
++ raw_smp_processor_id() %
++ instance->msix_vectors :
++ 0;
+ os_timeout_value = scmd->request->timeout / HZ;
+
+ if (instance->secure_jbod_support &&
+diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
+index 2d5ab6d..454536c 100644
+--- a/drivers/scsi/mvsas/mv_sas.c
++++ b/drivers/scsi/mvsas/mv_sas.c
+@@ -441,14 +441,11 @@ static u32 mvs_get_ncq_tag(struct sas_task *task, u32 *tag)
+ static int mvs_task_prep_ata(struct mvs_info *mvi,
+ struct mvs_task_exec_info *tei)
+ {
+- struct sas_ha_struct *sha = mvi->sas;
+ struct sas_task *task = tei->task;
+ struct domain_device *dev = task->dev;
+ struct mvs_device *mvi_dev = dev->lldd_dev;
+ struct mvs_cmd_hdr *hdr = tei->hdr;
+ struct asd_sas_port *sas_port = dev->port;
+- struct sas_phy *sphy = dev->phy;
+- struct asd_sas_phy *sas_phy = sha->sas_phy[sphy->number];
+ struct mvs_slot_info *slot;
+ void *buf_prd;
+ u32 tag = tei->tag, hdr_tag;
+@@ -468,7 +465,7 @@ static int mvs_task_prep_ata(struct mvs_info *mvi,
+ slot->tx = mvi->tx_prod;
+ del_q = TXQ_MODE_I | tag |
+ (TXQ_CMD_STP << TXQ_CMD_SHIFT) |
+- (MVS_PHY_ID << TXQ_PHY_SHIFT) |
++ ((sas_port->phy_mask & TXQ_PHY_MASK) << TXQ_PHY_SHIFT) |
+ (mvi_dev->taskfileset << TXQ_SRS_SHIFT);
+ mvi->tx[mvi->tx_prod] = cpu_to_le32(del_q);
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 6b78476..3290a3e 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3100,6 +3100,7 @@ static void scsi_disk_release(struct device *dev)
+ ida_remove(&sd_index_ida, sdkp->index);
+ spin_unlock(&sd_index_lock);
+
++ blk_integrity_unregister(disk);
+ disk->private_data = NULL;
+ put_disk(disk);
+ put_device(&sdkp->device->sdev_gendev);
+diff --git a/drivers/scsi/sd_dif.c b/drivers/scsi/sd_dif.c
+index 14c7d42..5c06d29 100644
+--- a/drivers/scsi/sd_dif.c
++++ b/drivers/scsi/sd_dif.c
+@@ -77,7 +77,7 @@ void sd_dif_config_host(struct scsi_disk *sdkp)
+
+ disk->integrity->flags |= BLK_INTEGRITY_DEVICE_CAPABLE;
+
+- if (!sdkp)
++ if (!sdkp->ATO)
+ return;
+
+ if (type == SD_DIF_TYPE3_PROTECTION)
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+index efc6e44..bf8c5c1 100644
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -746,21 +746,22 @@ static unsigned int copy_to_bounce_buffer(struct scatterlist *orig_sgl,
+ if (bounce_sgl[j].length == PAGE_SIZE) {
+ /* full..move to next entry */
+ sg_kunmap_atomic(bounce_addr);
++ bounce_addr = 0;
+ j++;
++ }
+
+- /* if we need to use another bounce buffer */
+- if (srclen || i != orig_sgl_count - 1)
+- bounce_addr = sg_kmap_atomic(bounce_sgl,j);
++ /* if we need to use another bounce buffer */
++ if (srclen && bounce_addr == 0)
++ bounce_addr = sg_kmap_atomic(bounce_sgl, j);
+
+- } else if (srclen == 0 && i == orig_sgl_count - 1) {
+- /* unmap the last bounce that is < PAGE_SIZE */
+- sg_kunmap_atomic(bounce_addr);
+- }
+ }
+
+ sg_kunmap_atomic(src_addr - orig_sgl[i].offset);
+ }
+
++ if (bounce_addr)
++ sg_kunmap_atomic(bounce_addr);
++
+ local_irq_restore(flags);
+
+ return total_copied;
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index 6fea4af..aea3a67 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -370,8 +370,6 @@ static int __maybe_unused mx51_ecspi_config(struct spi_imx_data *spi_imx,
+ if (spi_imx->dma_is_inited) {
+ dma = readl(spi_imx->base + MX51_ECSPI_DMA);
+
+- spi_imx->tx_wml = spi_imx_get_fifosize(spi_imx) / 2;
+- spi_imx->rx_wml = spi_imx_get_fifosize(spi_imx) / 2;
+ spi_imx->rxt_wml = spi_imx_get_fifosize(spi_imx) / 2;
+ rx_wml_cfg = spi_imx->rx_wml << MX51_ECSPI_DMA_RX_WML_OFFSET;
+ tx_wml_cfg = spi_imx->tx_wml << MX51_ECSPI_DMA_TX_WML_OFFSET;
+@@ -868,6 +866,8 @@ static int spi_imx_sdma_init(struct device *dev, struct spi_imx_data *spi_imx,
+ master->max_dma_len = MAX_SDMA_BD_BYTES;
+ spi_imx->bitbang.master->flags = SPI_MASTER_MUST_RX |
+ SPI_MASTER_MUST_TX;
++ spi_imx->tx_wml = spi_imx_get_fifosize(spi_imx) / 2;
++ spi_imx->rx_wml = spi_imx_get_fifosize(spi_imx) / 2;
+ spi_imx->dma_is_inited = 1;
+
+ return 0;
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index 4eb7a98..7bf5186 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -245,7 +245,10 @@ static int spidev_message(struct spidev_data *spidev,
+ k_tmp->len = u_tmp->len;
+
+ total += k_tmp->len;
+- if (total > bufsiz) {
++ /* Check total length of transfers. Also check each
++ * transfer length to avoid arithmetic overflow.
++ */
++ if (total > bufsiz || k_tmp->len > bufsiz) {
+ status = -EMSGSIZE;
+ goto done;
+ }
+diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c
+index 7bdb62b..f83e00c 100644
+--- a/drivers/staging/android/sync.c
++++ b/drivers/staging/android/sync.c
+@@ -114,7 +114,7 @@ void sync_timeline_signal(struct sync_timeline *obj)
+ list_for_each_entry_safe(pt, next, &obj->active_list_head,
+ active_list) {
+ if (fence_is_signaled_locked(&pt->base))
+- list_del(&pt->active_list);
++ list_del_init(&pt->active_list);
+ }
+
+ spin_unlock_irqrestore(&obj->child_list_lock, flags);
+diff --git a/drivers/staging/panel/panel.c b/drivers/staging/panel/panel.c
+index 6ed35b6..04fc217 100644
+--- a/drivers/staging/panel/panel.c
++++ b/drivers/staging/panel/panel.c
+@@ -335,11 +335,11 @@ static unsigned char lcd_bits[LCD_PORTS][LCD_BITS][BIT_STATES];
+ * LCD types
+ */
+ #define LCD_TYPE_NONE 0
+-#define LCD_TYPE_OLD 1
+-#define LCD_TYPE_KS0074 2
+-#define LCD_TYPE_HANTRONIX 3
+-#define LCD_TYPE_NEXCOM 4
+-#define LCD_TYPE_CUSTOM 5
++#define LCD_TYPE_CUSTOM 1
++#define LCD_TYPE_OLD 2
++#define LCD_TYPE_KS0074 3
++#define LCD_TYPE_HANTRONIX 4
++#define LCD_TYPE_NEXCOM 5
+
+ /*
+ * keypad types
+@@ -502,7 +502,7 @@ MODULE_PARM_DESC(keypad_type,
+ static int lcd_type = NOT_SET;
+ module_param(lcd_type, int, 0000);
+ MODULE_PARM_DESC(lcd_type,
+- "LCD type: 0=none, 1=old //, 2=serial ks0074, 3=hantronix //, 4=nexcom //, 5=compiled-in");
++ "LCD type: 0=none, 1=compiled-in, 2=old, 3=serial ks0074, 4=hantronix, 5=nexcom");
+
+ static int lcd_height = NOT_SET;
+ module_param(lcd_height, int, 0000);
+diff --git a/drivers/staging/vt6655/rxtx.c b/drivers/staging/vt6655/rxtx.c
+index 07ce3fd..fdf5c56 100644
+--- a/drivers/staging/vt6655/rxtx.c
++++ b/drivers/staging/vt6655/rxtx.c
+@@ -1308,10 +1308,18 @@ int vnt_generate_fifo_header(struct vnt_private *priv, u32 dma_idx,
+ priv->hw->conf.chandef.chan->hw_value);
+ }
+
+- if (current_rate > RATE_11M)
+- pkt_type = (u8)priv->byPacketType;
+- else
++ if (current_rate > RATE_11M) {
++ if (info->band == IEEE80211_BAND_5GHZ) {
++ pkt_type = PK_TYPE_11A;
++ } else {
++ if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT)
++ pkt_type = PK_TYPE_11GB;
++ else
++ pkt_type = PK_TYPE_11GA;
++ }
++ } else {
+ pkt_type = PK_TYPE_11B;
++ }
+
+ /*Set fifo controls */
+ if (pkt_type == PK_TYPE_11A)
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index 77d6425..5e35612 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -537,7 +537,7 @@ static struct iscsit_transport iscsi_target_transport = {
+
+ static int __init iscsi_target_init_module(void)
+ {
+- int ret = 0;
++ int ret = 0, size;
+
+ pr_debug("iSCSI-Target "ISCSIT_VERSION"\n");
+
+@@ -546,6 +546,7 @@ static int __init iscsi_target_init_module(void)
+ pr_err("Unable to allocate memory for iscsit_global\n");
+ return -1;
+ }
++ spin_lock_init(&iscsit_global->ts_bitmap_lock);
+ mutex_init(&auth_id_lock);
+ spin_lock_init(&sess_idr_lock);
+ idr_init(&tiqn_idr);
+@@ -555,15 +556,11 @@ static int __init iscsi_target_init_module(void)
+ if (ret < 0)
+ goto out;
+
+- ret = iscsi_thread_set_init();
+- if (ret < 0)
++ size = BITS_TO_LONGS(ISCSIT_BITMAP_BITS) * sizeof(long);
++ iscsit_global->ts_bitmap = vzalloc(size);
++ if (!iscsit_global->ts_bitmap) {
++ pr_err("Unable to allocate iscsit_global->ts_bitmap\n");
+ goto configfs_out;
+-
+- if (iscsi_allocate_thread_sets(TARGET_THREAD_SET_COUNT) !=
+- TARGET_THREAD_SET_COUNT) {
+- pr_err("iscsi_allocate_thread_sets() returned"
+- " unexpected value!\n");
+- goto ts_out1;
+ }
+
+ lio_qr_cache = kmem_cache_create("lio_qr_cache",
+@@ -572,7 +569,7 @@ static int __init iscsi_target_init_module(void)
+ if (!lio_qr_cache) {
+ pr_err("nable to kmem_cache_create() for"
+ " lio_qr_cache\n");
+- goto ts_out2;
++ goto bitmap_out;
+ }
+
+ lio_dr_cache = kmem_cache_create("lio_dr_cache",
+@@ -617,10 +614,8 @@ dr_out:
+ kmem_cache_destroy(lio_dr_cache);
+ qr_out:
+ kmem_cache_destroy(lio_qr_cache);
+-ts_out2:
+- iscsi_deallocate_thread_sets();
+-ts_out1:
+- iscsi_thread_set_free();
++bitmap_out:
++ vfree(iscsit_global->ts_bitmap);
+ configfs_out:
+ iscsi_target_deregister_configfs();
+ out:
+@@ -630,8 +625,6 @@ out:
+
+ static void __exit iscsi_target_cleanup_module(void)
+ {
+- iscsi_deallocate_thread_sets();
+- iscsi_thread_set_free();
+ iscsit_release_discovery_tpg();
+ iscsit_unregister_transport(&iscsi_target_transport);
+ kmem_cache_destroy(lio_qr_cache);
+@@ -641,6 +634,7 @@ static void __exit iscsi_target_cleanup_module(void)
+
+ iscsi_target_deregister_configfs();
+
++ vfree(iscsit_global->ts_bitmap);
+ kfree(iscsit_global);
+ }
+
+@@ -3715,17 +3709,16 @@ static int iscsit_send_reject(
+
+ void iscsit_thread_get_cpumask(struct iscsi_conn *conn)
+ {
+- struct iscsi_thread_set *ts = conn->thread_set;
+ int ord, cpu;
+ /*
+- * thread_id is assigned from iscsit_global->ts_bitmap from
+- * within iscsi_thread_set.c:iscsi_allocate_thread_sets()
++ * bitmap_id is assigned from iscsit_global->ts_bitmap from
++ * within iscsit_start_kthreads()
+ *
+- * Here we use thread_id to determine which CPU that this
+- * iSCSI connection's iscsi_thread_set will be scheduled to
++ * Here we use bitmap_id to determine which CPU that this
++ * iSCSI connection's RX/TX threads will be scheduled to
+ * execute upon.
+ */
+- ord = ts->thread_id % cpumask_weight(cpu_online_mask);
++ ord = conn->bitmap_id % cpumask_weight(cpu_online_mask);
+ for_each_online_cpu(cpu) {
+ if (ord-- == 0) {
+ cpumask_set_cpu(cpu, conn->conn_cpumask);
+@@ -3914,7 +3907,7 @@ check_rsp_state:
+ switch (state) {
+ case ISTATE_SEND_LOGOUTRSP:
+ if (!iscsit_logout_post_handler(cmd, conn))
+- goto restart;
++ return -ECONNRESET;
+ /* fall through */
+ case ISTATE_SEND_STATUS:
+ case ISTATE_SEND_ASYNCMSG:
+@@ -3942,8 +3935,6 @@ check_rsp_state:
+
+ err:
+ return -1;
+-restart:
+- return -EAGAIN;
+ }
+
+ static int iscsit_handle_response_queue(struct iscsi_conn *conn)
+@@ -3970,21 +3961,13 @@ static int iscsit_handle_response_queue(struct iscsi_conn *conn)
+ int iscsi_target_tx_thread(void *arg)
+ {
+ int ret = 0;
+- struct iscsi_conn *conn;
+- struct iscsi_thread_set *ts = arg;
++ struct iscsi_conn *conn = arg;
+ /*
+ * Allow ourselves to be interrupted by SIGINT so that a
+ * connection recovery / failure event can be triggered externally.
+ */
+ allow_signal(SIGINT);
+
+-restart:
+- conn = iscsi_tx_thread_pre_handler(ts);
+- if (!conn)
+- goto out;
+-
+- ret = 0;
+-
+ while (!kthread_should_stop()) {
+ /*
+ * Ensure that both TX and RX per connection kthreads
+@@ -3993,11 +3976,9 @@ restart:
+ iscsit_thread_check_cpumask(conn, current, 1);
+
+ wait_event_interruptible(conn->queues_wq,
+- !iscsit_conn_all_queues_empty(conn) ||
+- ts->status == ISCSI_THREAD_SET_RESET);
++ !iscsit_conn_all_queues_empty(conn));
+
+- if ((ts->status == ISCSI_THREAD_SET_RESET) ||
+- signal_pending(current))
++ if (signal_pending(current))
+ goto transport_err;
+
+ get_immediate:
+@@ -4008,15 +3989,14 @@ get_immediate:
+ ret = iscsit_handle_response_queue(conn);
+ if (ret == 1)
+ goto get_immediate;
+- else if (ret == -EAGAIN)
+- goto restart;
++ else if (ret == -ECONNRESET)
++ goto out;
+ else if (ret < 0)
+ goto transport_err;
+ }
+
+ transport_err:
+ iscsit_take_action_for_connection_exit(conn);
+- goto restart;
+ out:
+ return 0;
+ }
+@@ -4111,8 +4091,7 @@ int iscsi_target_rx_thread(void *arg)
+ int ret;
+ u8 buffer[ISCSI_HDR_LEN], opcode;
+ u32 checksum = 0, digest = 0;
+- struct iscsi_conn *conn = NULL;
+- struct iscsi_thread_set *ts = arg;
++ struct iscsi_conn *conn = arg;
+ struct kvec iov;
+ /*
+ * Allow ourselves to be interrupted by SIGINT so that a
+@@ -4120,11 +4099,6 @@ int iscsi_target_rx_thread(void *arg)
+ */
+ allow_signal(SIGINT);
+
+-restart:
+- conn = iscsi_rx_thread_pre_handler(ts);
+- if (!conn)
+- goto out;
+-
+ if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) {
+ struct completion comp;
+ int rc;
+@@ -4134,7 +4108,7 @@ restart:
+ if (rc < 0)
+ goto transport_err;
+
+- goto out;
++ goto transport_err;
+ }
+
+ while (!kthread_should_stop()) {
+@@ -4210,8 +4184,6 @@ transport_err:
+ if (!signal_pending(current))
+ atomic_set(&conn->transport_failed, 1);
+ iscsit_take_action_for_connection_exit(conn);
+- goto restart;
+-out:
+ return 0;
+ }
+
+@@ -4273,7 +4245,24 @@ int iscsit_close_connection(
+ if (conn->conn_transport->transport_type == ISCSI_TCP)
+ complete(&conn->conn_logout_comp);
+
+- iscsi_release_thread_set(conn);
++ if (!strcmp(current->comm, ISCSI_RX_THREAD_NAME)) {
++ if (conn->tx_thread &&
++ cmpxchg(&conn->tx_thread_active, true, false)) {
++ send_sig(SIGINT, conn->tx_thread, 1);
++ kthread_stop(conn->tx_thread);
++ }
++ } else if (!strcmp(current->comm, ISCSI_TX_THREAD_NAME)) {
++ if (conn->rx_thread &&
++ cmpxchg(&conn->rx_thread_active, true, false)) {
++ send_sig(SIGINT, conn->rx_thread, 1);
++ kthread_stop(conn->rx_thread);
++ }
++ }
++
++ spin_lock(&iscsit_global->ts_bitmap_lock);
++ bitmap_release_region(iscsit_global->ts_bitmap, conn->bitmap_id,
++ get_order(1));
++ spin_unlock(&iscsit_global->ts_bitmap_lock);
+
+ iscsit_stop_timers_for_cmds(conn);
+ iscsit_stop_nopin_response_timer(conn);
+@@ -4551,15 +4540,13 @@ static void iscsit_logout_post_handler_closesession(
+ struct iscsi_conn *conn)
+ {
+ struct iscsi_session *sess = conn->sess;
+-
+- iscsi_set_thread_clear(conn, ISCSI_CLEAR_TX_THREAD);
+- iscsi_set_thread_set_signal(conn, ISCSI_SIGNAL_TX_THREAD);
++ int sleep = cmpxchg(&conn->tx_thread_active, true, false);
+
+ atomic_set(&conn->conn_logout_remove, 0);
+ complete(&conn->conn_logout_comp);
+
+ iscsit_dec_conn_usage_count(conn);
+- iscsit_stop_session(sess, 1, 1);
++ iscsit_stop_session(sess, sleep, sleep);
+ iscsit_dec_session_usage_count(sess);
+ target_put_session(sess->se_sess);
+ }
+@@ -4567,13 +4554,12 @@ static void iscsit_logout_post_handler_closesession(
+ static void iscsit_logout_post_handler_samecid(
+ struct iscsi_conn *conn)
+ {
+- iscsi_set_thread_clear(conn, ISCSI_CLEAR_TX_THREAD);
+- iscsi_set_thread_set_signal(conn, ISCSI_SIGNAL_TX_THREAD);
++ int sleep = cmpxchg(&conn->tx_thread_active, true, false);
+
+ atomic_set(&conn->conn_logout_remove, 0);
+ complete(&conn->conn_logout_comp);
+
+- iscsit_cause_connection_reinstatement(conn, 1);
++ iscsit_cause_connection_reinstatement(conn, sleep);
+ iscsit_dec_conn_usage_count(conn);
+ }
+
+diff --git a/drivers/target/iscsi/iscsi_target_erl0.c b/drivers/target/iscsi/iscsi_target_erl0.c
+index bdd8731..e008ed2 100644
+--- a/drivers/target/iscsi/iscsi_target_erl0.c
++++ b/drivers/target/iscsi/iscsi_target_erl0.c
+@@ -860,7 +860,10 @@ void iscsit_connection_reinstatement_rcfr(struct iscsi_conn *conn)
+ }
+ spin_unlock_bh(&conn->state_lock);
+
+- iscsi_thread_set_force_reinstatement(conn);
++ if (conn->tx_thread && conn->tx_thread_active)
++ send_sig(SIGINT, conn->tx_thread, 1);
++ if (conn->rx_thread && conn->rx_thread_active)
++ send_sig(SIGINT, conn->rx_thread, 1);
+
+ sleep:
+ wait_for_completion(&conn->conn_wait_rcfr_comp);
+@@ -885,10 +888,10 @@ void iscsit_cause_connection_reinstatement(struct iscsi_conn *conn, int sleep)
+ return;
+ }
+
+- if (iscsi_thread_set_force_reinstatement(conn) < 0) {
+- spin_unlock_bh(&conn->state_lock);
+- return;
+- }
++ if (conn->tx_thread && conn->tx_thread_active)
++ send_sig(SIGINT, conn->tx_thread, 1);
++ if (conn->rx_thread && conn->rx_thread_active)
++ send_sig(SIGINT, conn->rx_thread, 1);
+
+ atomic_set(&conn->connection_reinstatement, 1);
+ if (!sleep) {
+diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
+index 153fb66..345f073 100644
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -699,6 +699,51 @@ static void iscsi_post_login_start_timers(struct iscsi_conn *conn)
+ iscsit_start_nopin_timer(conn);
+ }
+
++int iscsit_start_kthreads(struct iscsi_conn *conn)
++{
++ int ret = 0;
++
++ spin_lock(&iscsit_global->ts_bitmap_lock);
++ conn->bitmap_id = bitmap_find_free_region(iscsit_global->ts_bitmap,
++ ISCSIT_BITMAP_BITS, get_order(1));
++ spin_unlock(&iscsit_global->ts_bitmap_lock);
++
++ if (conn->bitmap_id < 0) {
++ pr_err("bitmap_find_free_region() failed for"
++ " iscsit_start_kthreads()\n");
++ return -ENOMEM;
++ }
++
++ conn->tx_thread = kthread_run(iscsi_target_tx_thread, conn,
++ "%s", ISCSI_TX_THREAD_NAME);
++ if (IS_ERR(conn->tx_thread)) {
++ pr_err("Unable to start iscsi_target_tx_thread\n");
++ ret = PTR_ERR(conn->tx_thread);
++ goto out_bitmap;
++ }
++ conn->tx_thread_active = true;
++
++ conn->rx_thread = kthread_run(iscsi_target_rx_thread, conn,
++ "%s", ISCSI_RX_THREAD_NAME);
++ if (IS_ERR(conn->rx_thread)) {
++ pr_err("Unable to start iscsi_target_rx_thread\n");
++ ret = PTR_ERR(conn->rx_thread);
++ goto out_tx;
++ }
++ conn->rx_thread_active = true;
++
++ return 0;
++out_tx:
++ kthread_stop(conn->tx_thread);
++ conn->tx_thread_active = false;
++out_bitmap:
++ spin_lock(&iscsit_global->ts_bitmap_lock);
++ bitmap_release_region(iscsit_global->ts_bitmap, conn->bitmap_id,
++ get_order(1));
++ spin_unlock(&iscsit_global->ts_bitmap_lock);
++ return ret;
++}
++
+ int iscsi_post_login_handler(
+ struct iscsi_np *np,
+ struct iscsi_conn *conn,
+@@ -709,7 +754,7 @@ int iscsi_post_login_handler(
+ struct se_session *se_sess = sess->se_sess;
+ struct iscsi_portal_group *tpg = sess->tpg;
+ struct se_portal_group *se_tpg = &tpg->tpg_se_tpg;
+- struct iscsi_thread_set *ts;
++ int rc;
+
+ iscsit_inc_conn_usage_count(conn);
+
+@@ -724,7 +769,6 @@ int iscsi_post_login_handler(
+ /*
+ * SCSI Initiator -> SCSI Target Port Mapping
+ */
+- ts = iscsi_get_thread_set();
+ if (!zero_tsih) {
+ iscsi_set_session_parameters(sess->sess_ops,
+ conn->param_list, 0);
+@@ -751,9 +795,11 @@ int iscsi_post_login_handler(
+ sess->sess_ops->InitiatorName);
+ spin_unlock_bh(&sess->conn_lock);
+
+- iscsi_post_login_start_timers(conn);
++ rc = iscsit_start_kthreads(conn);
++ if (rc)
++ return rc;
+
+- iscsi_activate_thread_set(conn, ts);
++ iscsi_post_login_start_timers(conn);
+ /*
+ * Determine CPU mask to ensure connection's RX and TX kthreads
+ * are scheduled on the same CPU.
+@@ -810,8 +856,11 @@ int iscsi_post_login_handler(
+ " iSCSI Target Portal Group: %hu\n", tpg->nsessions, tpg->tpgt);
+ spin_unlock_bh(&se_tpg->session_lock);
+
++ rc = iscsit_start_kthreads(conn);
++ if (rc)
++ return rc;
++
+ iscsi_post_login_start_timers(conn);
+- iscsi_activate_thread_set(conn, ts);
+ /*
+ * Determine CPU mask to ensure connection's RX and TX kthreads
+ * are scheduled on the same CPU.
+diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c
+index 44620fb..cbb0cc2 100644
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -264,40 +264,32 @@ static int fd_do_prot_rw(struct se_cmd *cmd, struct fd_prot *fd_prot,
+ struct se_device *se_dev = cmd->se_dev;
+ struct fd_dev *dev = FD_DEV(se_dev);
+ struct file *prot_fd = dev->fd_prot_file;
+- struct scatterlist *sg;
+ loff_t pos = (cmd->t_task_lba * se_dev->prot_length);
+ unsigned char *buf;
+- u32 prot_size, len, size;
+- int rc, ret = 1, i;
++ u32 prot_size;
++ int rc, ret = 1;
+
+ prot_size = (cmd->data_length / se_dev->dev_attrib.block_size) *
+ se_dev->prot_length;
+
+ if (!is_write) {
+- fd_prot->prot_buf = vzalloc(prot_size);
++ fd_prot->prot_buf = kzalloc(prot_size, GFP_KERNEL);
+ if (!fd_prot->prot_buf) {
+ pr_err("Unable to allocate fd_prot->prot_buf\n");
+ return -ENOMEM;
+ }
+ buf = fd_prot->prot_buf;
+
+- fd_prot->prot_sg_nents = cmd->t_prot_nents;
+- fd_prot->prot_sg = kzalloc(sizeof(struct scatterlist) *
+- fd_prot->prot_sg_nents, GFP_KERNEL);
++ fd_prot->prot_sg_nents = 1;
++ fd_prot->prot_sg = kzalloc(sizeof(struct scatterlist),
++ GFP_KERNEL);
+ if (!fd_prot->prot_sg) {
+ pr_err("Unable to allocate fd_prot->prot_sg\n");
+- vfree(fd_prot->prot_buf);
++ kfree(fd_prot->prot_buf);
+ return -ENOMEM;
+ }
+- size = prot_size;
+-
+- for_each_sg(fd_prot->prot_sg, sg, fd_prot->prot_sg_nents, i) {
+-
+- len = min_t(u32, PAGE_SIZE, size);
+- sg_set_buf(sg, buf, len);
+- size -= len;
+- buf += len;
+- }
++ sg_init_table(fd_prot->prot_sg, fd_prot->prot_sg_nents);
++ sg_set_buf(fd_prot->prot_sg, buf, prot_size);
+ }
+
+ if (is_write) {
+@@ -318,7 +310,7 @@ static int fd_do_prot_rw(struct se_cmd *cmd, struct fd_prot *fd_prot,
+
+ if (is_write || ret < 0) {
+ kfree(fd_prot->prot_sg);
+- vfree(fd_prot->prot_buf);
++ kfree(fd_prot->prot_buf);
+ }
+
+ return ret;
+@@ -549,6 +541,56 @@ fd_execute_write_same(struct se_cmd *cmd)
+ return 0;
+ }
+
++static int
++fd_do_prot_fill(struct se_device *se_dev, sector_t lba, sector_t nolb,
++ void *buf, size_t bufsize)
++{
++ struct fd_dev *fd_dev = FD_DEV(se_dev);
++ struct file *prot_fd = fd_dev->fd_prot_file;
++ sector_t prot_length, prot;
++ loff_t pos = lba * se_dev->prot_length;
++
++ if (!prot_fd) {
++ pr_err("Unable to locate fd_dev->fd_prot_file\n");
++ return -ENODEV;
++ }
++
++ prot_length = nolb * se_dev->prot_length;
++
++ for (prot = 0; prot < prot_length;) {
++ sector_t len = min_t(sector_t, bufsize, prot_length - prot);
++ ssize_t ret = kernel_write(prot_fd, buf, len, pos + prot);
++
++ if (ret != len) {
++ pr_err("vfs_write to prot file failed: %zd\n", ret);
++ return ret < 0 ? ret : -ENODEV;
++ }
++ prot += ret;
++ }
++
++ return 0;
++}
++
++static int
++fd_do_prot_unmap(struct se_cmd *cmd, sector_t lba, sector_t nolb)
++{
++ void *buf;
++ int rc;
++
++ buf = (void *)__get_free_page(GFP_KERNEL);
++ if (!buf) {
++ pr_err("Unable to allocate FILEIO prot buf\n");
++ return -ENOMEM;
++ }
++ memset(buf, 0xff, PAGE_SIZE);
++
++ rc = fd_do_prot_fill(cmd->se_dev, lba, nolb, buf, PAGE_SIZE);
++
++ free_page((unsigned long)buf);
++
++ return rc;
++}
++
+ static sense_reason_t
+ fd_do_unmap(struct se_cmd *cmd, void *priv, sector_t lba, sector_t nolb)
+ {
+@@ -556,6 +598,12 @@ fd_do_unmap(struct se_cmd *cmd, void *priv, sector_t lba, sector_t nolb)
+ struct inode *inode = file->f_mapping->host;
+ int ret;
+
++ if (cmd->se_dev->dev_attrib.pi_prot_type) {
++ ret = fd_do_prot_unmap(cmd, lba, nolb);
++ if (ret)
++ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
++ }
++
+ if (S_ISBLK(inode->i_mode)) {
+ /* The backend is block device, use discard */
+ struct block_device *bdev = inode->i_bdev;
+@@ -658,11 +706,11 @@ fd_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
+ 0, fd_prot.prot_sg, 0);
+ if (rc) {
+ kfree(fd_prot.prot_sg);
+- vfree(fd_prot.prot_buf);
++ kfree(fd_prot.prot_buf);
+ return rc;
+ }
+ kfree(fd_prot.prot_sg);
+- vfree(fd_prot.prot_buf);
++ kfree(fd_prot.prot_buf);
+ }
+ } else {
+ memset(&fd_prot, 0, sizeof(struct fd_prot));
+@@ -678,7 +726,7 @@ fd_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
+ 0, fd_prot.prot_sg, 0);
+ if (rc) {
+ kfree(fd_prot.prot_sg);
+- vfree(fd_prot.prot_buf);
++ kfree(fd_prot.prot_buf);
+ return rc;
+ }
+ }
+@@ -714,7 +762,7 @@ fd_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
+
+ if (ret < 0) {
+ kfree(fd_prot.prot_sg);
+- vfree(fd_prot.prot_buf);
++ kfree(fd_prot.prot_buf);
+ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ }
+
+@@ -878,48 +926,28 @@ static int fd_init_prot(struct se_device *dev)
+
+ static int fd_format_prot(struct se_device *dev)
+ {
+- struct fd_dev *fd_dev = FD_DEV(dev);
+- struct file *prot_fd = fd_dev->fd_prot_file;
+- sector_t prot_length, prot;
+ unsigned char *buf;
+- loff_t pos = 0;
+ int unit_size = FDBD_FORMAT_UNIT_SIZE * dev->dev_attrib.block_size;
+- int rc, ret = 0, size, len;
++ int ret;
+
+ if (!dev->dev_attrib.pi_prot_type) {
+ pr_err("Unable to format_prot while pi_prot_type == 0\n");
+ return -ENODEV;
+ }
+- if (!prot_fd) {
+- pr_err("Unable to locate fd_dev->fd_prot_file\n");
+- return -ENODEV;
+- }
+
+ buf = vzalloc(unit_size);
+ if (!buf) {
+ pr_err("Unable to allocate FILEIO prot buf\n");
+ return -ENOMEM;
+ }
+- prot_length = (dev->transport->get_blocks(dev) + 1) * dev->prot_length;
+- size = prot_length;
+
+ pr_debug("Using FILEIO prot_length: %llu\n",
+- (unsigned long long)prot_length);
++ (unsigned long long)(dev->transport->get_blocks(dev) + 1) *
++ dev->prot_length);
+
+ memset(buf, 0xff, unit_size);
+- for (prot = 0; prot < prot_length; prot += unit_size) {
+- len = min(unit_size, size);
+- rc = kernel_write(prot_fd, buf, len, pos);
+- if (rc != len) {
+- pr_err("vfs_write to prot file failed: %d\n", rc);
+- ret = -ENODEV;
+- goto out;
+- }
+- pos += len;
+- size -= len;
+- }
+-
+-out:
++ ret = fd_do_prot_fill(dev, 0, dev->transport->get_blocks(dev) + 1,
++ buf, unit_size);
+ vfree(buf);
+ return ret;
+ }
+diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
+index 3e72974..755bd9b3 100644
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -312,7 +312,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ return 0;
+ }
+
+-static sense_reason_t xdreadwrite_callback(struct se_cmd *cmd)
++static sense_reason_t xdreadwrite_callback(struct se_cmd *cmd, bool success)
+ {
+ unsigned char *buf, *addr;
+ struct scatterlist *sg;
+@@ -376,7 +376,7 @@ sbc_execute_rw(struct se_cmd *cmd)
+ cmd->data_direction);
+ }
+
+-static sense_reason_t compare_and_write_post(struct se_cmd *cmd)
++static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success)
+ {
+ struct se_device *dev = cmd->se_dev;
+
+@@ -399,7 +399,7 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd)
+ return TCM_NO_SENSE;
+ }
+
+-static sense_reason_t compare_and_write_callback(struct se_cmd *cmd)
++static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success)
+ {
+ struct se_device *dev = cmd->se_dev;
+ struct scatterlist *write_sg = NULL, *sg;
+@@ -414,11 +414,16 @@ static sense_reason_t compare_and_write_callback(struct se_cmd *cmd)
+
+ /*
+ * Handle early failure in transport_generic_request_failure(),
+- * which will not have taken ->caw_mutex yet..
++ * which will not have taken ->caw_sem yet..
+ */
+- if (!cmd->t_data_sg || !cmd->t_bidi_data_sg)
++ if (!success && (!cmd->t_data_sg || !cmd->t_bidi_data_sg))
+ return TCM_NO_SENSE;
+ /*
++ * Handle special case for zero-length COMPARE_AND_WRITE
++ */
++ if (!cmd->data_length)
++ goto out;
++ /*
+ * Immediately exit + release dev->caw_sem if command has already
+ * been failed with a non-zero SCSI status.
+ */
+diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
+index ac3cbab..f786de0 100644
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1615,11 +1615,11 @@ void transport_generic_request_failure(struct se_cmd *cmd,
+ transport_complete_task_attr(cmd);
+ /*
+ * Handle special case for COMPARE_AND_WRITE failure, where the
+- * callback is expected to drop the per device ->caw_mutex.
++ * callback is expected to drop the per device ->caw_sem.
+ */
+ if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) &&
+ cmd->transport_complete_callback)
+- cmd->transport_complete_callback(cmd);
++ cmd->transport_complete_callback(cmd, false);
+
+ switch (sense_reason) {
+ case TCM_NON_EXISTENT_LUN:
+@@ -1975,8 +1975,12 @@ static void target_complete_ok_work(struct work_struct *work)
+ if (cmd->transport_complete_callback) {
+ sense_reason_t rc;
+
+- rc = cmd->transport_complete_callback(cmd);
++ rc = cmd->transport_complete_callback(cmd, true);
+ if (!rc && !(cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE_POST)) {
++ if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) &&
++ !cmd->data_length)
++ goto queue_rsp;
++
+ return;
+ } else if (rc) {
+ ret = transport_send_check_condition_and_sense(cmd,
+@@ -1990,6 +1994,7 @@ static void target_complete_ok_work(struct work_struct *work)
+ }
+ }
+
++queue_rsp:
+ switch (cmd->data_direction) {
+ case DMA_FROM_DEVICE:
+ spin_lock(&cmd->se_lun->lun_sep_lock);
+@@ -2094,6 +2099,16 @@ static inline void transport_reset_sgl_orig(struct se_cmd *cmd)
+ static inline void transport_free_pages(struct se_cmd *cmd)
+ {
+ if (cmd->se_cmd_flags & SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC) {
++ /*
++ * Release special case READ buffer payload required for
++ * SG_TO_MEM_NOALLOC to function with COMPARE_AND_WRITE
++ */
++ if (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) {
++ transport_free_sgl(cmd->t_bidi_data_sg,
++ cmd->t_bidi_data_nents);
++ cmd->t_bidi_data_sg = NULL;
++ cmd->t_bidi_data_nents = 0;
++ }
+ transport_reset_sgl_orig(cmd);
+ return;
+ }
+@@ -2246,6 +2261,7 @@ sense_reason_t
+ transport_generic_new_cmd(struct se_cmd *cmd)
+ {
+ int ret = 0;
++ bool zero_flag = !(cmd->se_cmd_flags & SCF_SCSI_DATA_CDB);
+
+ /*
+ * Determine is the TCM fabric module has already allocated physical
+@@ -2254,7 +2270,6 @@ transport_generic_new_cmd(struct se_cmd *cmd)
+ */
+ if (!(cmd->se_cmd_flags & SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC) &&
+ cmd->data_length) {
+- bool zero_flag = !(cmd->se_cmd_flags & SCF_SCSI_DATA_CDB);
+
+ if ((cmd->se_cmd_flags & SCF_BIDI) ||
+ (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE)) {
+@@ -2285,6 +2300,20 @@ transport_generic_new_cmd(struct se_cmd *cmd)
+ cmd->data_length, zero_flag);
+ if (ret < 0)
+ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
++ } else if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) &&
++ cmd->data_length) {
++ /*
++ * Special case for COMPARE_AND_WRITE with fabrics
++ * using SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC.
++ */
++ u32 caw_length = cmd->t_task_nolb *
++ cmd->se_dev->dev_attrib.block_size;
++
++ ret = target_alloc_sgl(&cmd->t_bidi_data_sg,
++ &cmd->t_bidi_data_nents,
++ caw_length, zero_flag);
++ if (ret < 0)
++ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ }
+ /*
+ * If this command is not a write we can execute it right here,
+diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
+index deae122..d465ace 100644
+--- a/drivers/tty/serial/8250/8250_core.c
++++ b/drivers/tty/serial/8250/8250_core.c
+@@ -3444,7 +3444,8 @@ void serial8250_suspend_port(int line)
+ port->type != PORT_8250) {
+ unsigned char canary = 0xa5;
+ serial_out(up, UART_SCR, canary);
+- up->canary = canary;
++ if (serial_in(up, UART_SCR) == canary)
++ up->canary = canary;
+ }
+
+ uart_suspend_port(&serial8250_reg, port);
+diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c
+index 6ae5b85..7a80250 100644
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -629,6 +629,7 @@ static const struct acpi_device_id dw8250_acpi_match[] = {
+ { "80860F0A", 0 },
+ { "8086228A", 0 },
+ { "APMC0D08", 0},
++ { "AMD0020", 0 },
+ { },
+ };
+ MODULE_DEVICE_TABLE(acpi, dw8250_acpi_match);
+diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
+index 0eb29b1..2306191 100644
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -818,7 +818,7 @@ static irqreturn_t imx_int(int irq, void *dev_id)
+ if (sts2 & USR2_ORE) {
+ dev_err(sport->port.dev, "Rx FIFO overrun\n");
+ sport->port.icount.overrun++;
+- writel(sts2 | USR2_ORE, sport->port.membase + USR2);
++ writel(USR2_ORE, sport->port.membase + USR2);
+ }
+
+ return IRQ_HANDLED;
+@@ -1181,10 +1181,12 @@ static int imx_startup(struct uart_port *port)
+ imx_uart_dma_init(sport);
+
+ spin_lock_irqsave(&sport->port.lock, flags);
++
+ /*
+ * Finally, clear and enable interrupts
+ */
+ writel(USR1_RTSD, sport->port.membase + USR1);
++ writel(USR2_ORE, sport->port.membase + USR2);
+
+ if (sport->dma_is_inited && !sport->dma_is_enabled)
+ imx_enable_dma(sport);
+@@ -1199,10 +1201,6 @@ static int imx_startup(struct uart_port *port)
+
+ writel(temp, sport->port.membase + UCR1);
+
+- /* Clear any pending ORE flag before enabling interrupt */
+- temp = readl(sport->port.membase + USR2);
+- writel(temp | USR2_ORE, sport->port.membase + USR2);
+-
+ temp = readl(sport->port.membase + UCR4);
+ temp |= UCR4_OREN;
+ writel(temp, sport->port.membase + UCR4);
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index a051a7a..a81f9dd 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -245,7 +245,7 @@ static void wdm_int_callback(struct urb *urb)
+ case USB_CDC_NOTIFY_RESPONSE_AVAILABLE:
+ dev_dbg(&desc->intf->dev,
+ "NOTIFY_RESPONSE_AVAILABLE received: index %d len %d",
+- dr->wIndex, dr->wLength);
++ le16_to_cpu(dr->wIndex), le16_to_cpu(dr->wLength));
+ break;
+
+ case USB_CDC_NOTIFY_NETWORK_CONNECTION:
+@@ -262,7 +262,9 @@ static void wdm_int_callback(struct urb *urb)
+ clear_bit(WDM_POLL_RUNNING, &desc->flags);
+ dev_err(&desc->intf->dev,
+ "unknown notification %d received: index %d len %d\n",
+- dr->bNotificationType, dr->wIndex, dr->wLength);
++ dr->bNotificationType,
++ le16_to_cpu(dr->wIndex),
++ le16_to_cpu(dr->wLength));
+ goto exit;
+ }
+
+@@ -408,7 +410,7 @@ static ssize_t wdm_write
+ USB_RECIP_INTERFACE);
+ req->bRequest = USB_CDC_SEND_ENCAPSULATED_COMMAND;
+ req->wValue = 0;
+- req->wIndex = desc->inum;
++ req->wIndex = desc->inum; /* already converted */
+ req->wLength = cpu_to_le16(count);
+ set_bit(WDM_IN_USE, &desc->flags);
+ desc->outbuf = buf;
+@@ -422,7 +424,7 @@ static ssize_t wdm_write
+ rv = usb_translate_errors(rv);
+ } else {
+ dev_dbg(&desc->intf->dev, "Tx URB has been submitted index=%d",
+- req->wIndex);
++ le16_to_cpu(req->wIndex));
+ }
+ out:
+ usb_autopm_put_interface(desc->intf);
+@@ -820,7 +822,7 @@ static int wdm_create(struct usb_interface *intf, struct usb_endpoint_descriptor
+ desc->irq->bRequestType = (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE);
+ desc->irq->bRequest = USB_CDC_GET_ENCAPSULATED_RESPONSE;
+ desc->irq->wValue = 0;
+- desc->irq->wIndex = desc->inum;
++ desc->irq->wIndex = desc->inum; /* already converted */
+ desc->irq->wLength = cpu_to_le16(desc->wMaxCommand);
+
+ usb_fill_control_urb(
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index d7c3d5a..3b71516 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -3406,10 +3406,10 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg)
+ if (status) {
+ dev_dbg(&port_dev->dev, "can't resume, status %d\n", status);
+ } else {
+- /* drive resume for at least 20 msec */
++ /* drive resume for USB_RESUME_TIMEOUT msec */
+ dev_dbg(&udev->dev, "usb %sresume\n",
+ (PMSG_IS_AUTO(msg) ? "auto-" : ""));
+- msleep(25);
++ msleep(USB_RESUME_TIMEOUT);
+
+ /* Virtual root hubs can trigger on GET_PORT_STATUS to
+ * stop resume signaling. Then finish the resume
+diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
+index c78c874..758b7e0 100644
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -1521,7 +1521,7 @@ static int dwc2_hcd_hub_control(struct dwc2_hsotg *hsotg, u16 typereq,
+ dev_dbg(hsotg->dev,
+ "ClearPortFeature USB_PORT_FEAT_SUSPEND\n");
+ writel(0, hsotg->regs + PCGCTL);
+- usleep_range(20000, 40000);
++ msleep(USB_RESUME_TIMEOUT);
+
+ hprt0 = dwc2_read_hprt0(hsotg);
+ hprt0 |= HPRT0_RES;
+diff --git a/drivers/usb/gadget/legacy/printer.c b/drivers/usb/gadget/legacy/printer.c
+index 9054598..6385c19 100644
+--- a/drivers/usb/gadget/legacy/printer.c
++++ b/drivers/usb/gadget/legacy/printer.c
+@@ -1031,6 +1031,15 @@ unknown:
+ break;
+ }
+ /* host either stalls (value < 0) or reports success */
++ if (value >= 0) {
++ req->length = value;
++ req->zero = value < wLength;
++ value = usb_ep_queue(cdev->gadget->ep0, req, GFP_ATOMIC);
++ if (value < 0) {
++ ERROR(dev, "%s:%d Error!\n", __func__, __LINE__);
++ req->status = 0;
++ }
++ }
+ return value;
+ }
+
+diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
+index 85e56d1..f4d88df 100644
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -792,12 +792,12 @@ static irqreturn_t ehci_irq (struct usb_hcd *hcd)
+ ehci->reset_done[i] == 0))
+ continue;
+
+- /* start 20 msec resume signaling from this port,
+- * and make hub_wq collect PORT_STAT_C_SUSPEND to
+- * stop that signaling. Use 5 ms extra for safety,
+- * like usb_port_resume() does.
++ /* start USB_RESUME_TIMEOUT msec resume signaling from
++ * this port, and make hub_wq collect
++ * PORT_STAT_C_SUSPEND to stop that signaling.
+ */
+- ehci->reset_done[i] = jiffies + msecs_to_jiffies(25);
++ ehci->reset_done[i] = jiffies +
++ msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ set_bit(i, &ehci->resuming_ports);
+ ehci_dbg (ehci, "port %d remote wakeup\n", i + 1);
+ usb_hcd_start_port_resume(&hcd->self, i);
+diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c
+index 87cf86f..7354d01 100644
+--- a/drivers/usb/host/ehci-hub.c
++++ b/drivers/usb/host/ehci-hub.c
+@@ -471,10 +471,13 @@ static int ehci_bus_resume (struct usb_hcd *hcd)
+ ehci_writel(ehci, temp, &ehci->regs->port_status [i]);
+ }
+
+- /* msleep for 20ms only if code is trying to resume port */
++ /*
++ * msleep for USB_RESUME_TIMEOUT ms only if code is trying to resume
++ * port
++ */
+ if (resume_needed) {
+ spin_unlock_irq(&ehci->lock);
+- msleep(20);
++ msleep(USB_RESUME_TIMEOUT);
+ spin_lock_irq(&ehci->lock);
+ if (ehci->shutdown)
+ goto shutdown;
+@@ -942,7 +945,7 @@ int ehci_hub_control(
+ temp &= ~PORT_WAKE_BITS;
+ ehci_writel(ehci, temp | PORT_RESUME, status_reg);
+ ehci->reset_done[wIndex] = jiffies
+- + msecs_to_jiffies(20);
++ + msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ set_bit(wIndex, &ehci->resuming_ports);
+ usb_hcd_start_port_resume(&hcd->self, wIndex);
+ break;
+diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
+index 475b21f..7a6681f 100644
+--- a/drivers/usb/host/fotg210-hcd.c
++++ b/drivers/usb/host/fotg210-hcd.c
+@@ -1595,7 +1595,7 @@ static int fotg210_hub_control(
+ /* resume signaling for 20 msec */
+ fotg210_writel(fotg210, temp | PORT_RESUME, status_reg);
+ fotg210->reset_done[wIndex] = jiffies
+- + msecs_to_jiffies(20);
++ + msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ break;
+ case USB_PORT_FEAT_C_SUSPEND:
+ clear_bit(wIndex, &fotg210->port_c_suspend);
+diff --git a/drivers/usb/host/fusbh200-hcd.c b/drivers/usb/host/fusbh200-hcd.c
+index a83eefe..ba77e2e 100644
+--- a/drivers/usb/host/fusbh200-hcd.c
++++ b/drivers/usb/host/fusbh200-hcd.c
+@@ -1550,10 +1550,9 @@ static int fusbh200_hub_control (
+ if ((temp & PORT_PE) == 0)
+ goto error;
+
+- /* resume signaling for 20 msec */
+ fusbh200_writel(fusbh200, temp | PORT_RESUME, status_reg);
+ fusbh200->reset_done[wIndex] = jiffies
+- + msecs_to_jiffies(20);
++ + msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ break;
+ case USB_PORT_FEAT_C_SUSPEND:
+ clear_bit(wIndex, &fusbh200->port_c_suspend);
+diff --git a/drivers/usb/host/isp116x-hcd.c b/drivers/usb/host/isp116x-hcd.c
+index 113d0cc..9ef5644 100644
+--- a/drivers/usb/host/isp116x-hcd.c
++++ b/drivers/usb/host/isp116x-hcd.c
+@@ -1490,7 +1490,7 @@ static int isp116x_bus_resume(struct usb_hcd *hcd)
+ spin_unlock_irq(&isp116x->lock);
+
+ hcd->state = HC_STATE_RESUMING;
+- msleep(20);
++ msleep(USB_RESUME_TIMEOUT);
+
+ /* Go operational */
+ spin_lock_irq(&isp116x->lock);
+diff --git a/drivers/usb/host/oxu210hp-hcd.c b/drivers/usb/host/oxu210hp-hcd.c
+index ef7efb2..28a2866 100644
+--- a/drivers/usb/host/oxu210hp-hcd.c
++++ b/drivers/usb/host/oxu210hp-hcd.c
+@@ -2500,11 +2500,12 @@ static irqreturn_t oxu210_hcd_irq(struct usb_hcd *hcd)
+ || oxu->reset_done[i] != 0)
+ continue;
+
+- /* start 20 msec resume signaling from this port,
+- * and make hub_wq collect PORT_STAT_C_SUSPEND to
++ /* start USB_RESUME_TIMEOUT resume signaling from this
++ * port, and make hub_wq collect PORT_STAT_C_SUSPEND to
+ * stop that signaling.
+ */
+- oxu->reset_done[i] = jiffies + msecs_to_jiffies(20);
++ oxu->reset_done[i] = jiffies +
++ msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ oxu_dbg(oxu, "port %d remote wakeup\n", i + 1);
+ mod_timer(&hcd->rh_timer, oxu->reset_done[i]);
+ }
+diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c
+index bdc82fe..54a4170 100644
+--- a/drivers/usb/host/r8a66597-hcd.c
++++ b/drivers/usb/host/r8a66597-hcd.c
+@@ -2301,7 +2301,7 @@ static int r8a66597_bus_resume(struct usb_hcd *hcd)
+ rh->port &= ~USB_PORT_STAT_SUSPEND;
+ rh->port |= USB_PORT_STAT_C_SUSPEND << 16;
+ r8a66597_mdfy(r8a66597, RESUME, RESUME | UACT, dvstctr_reg);
+- msleep(50);
++ msleep(USB_RESUME_TIMEOUT);
+ r8a66597_mdfy(r8a66597, UACT, RESUME | UACT, dvstctr_reg);
+ }
+
+diff --git a/drivers/usb/host/sl811-hcd.c b/drivers/usb/host/sl811-hcd.c
+index 4f4ba1e..9118cd8 100644
+--- a/drivers/usb/host/sl811-hcd.c
++++ b/drivers/usb/host/sl811-hcd.c
+@@ -1259,7 +1259,7 @@ sl811h_hub_control(
+ sl811_write(sl811, SL11H_CTLREG1, sl811->ctrl1);
+
+ mod_timer(&sl811->timer, jiffies
+- + msecs_to_jiffies(20));
++ + msecs_to_jiffies(USB_RESUME_TIMEOUT));
+ break;
+ case USB_PORT_FEAT_POWER:
+ port_power(sl811, 0);
+diff --git a/drivers/usb/host/uhci-hub.c b/drivers/usb/host/uhci-hub.c
+index 19ba5ea..7b3d1af 100644
+--- a/drivers/usb/host/uhci-hub.c
++++ b/drivers/usb/host/uhci-hub.c
+@@ -166,7 +166,7 @@ static void uhci_check_ports(struct uhci_hcd *uhci)
+ /* Port received a wakeup request */
+ set_bit(port, &uhci->resuming_ports);
+ uhci->ports_timeout = jiffies +
+- msecs_to_jiffies(25);
++ msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ usb_hcd_start_port_resume(
+ &uhci_to_hcd(uhci)->self, port);
+
+@@ -338,7 +338,8 @@ static int uhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
+ uhci_finish_suspend(uhci, port, port_addr);
+
+ /* USB v2.0 7.1.7.5 */
+- uhci->ports_timeout = jiffies + msecs_to_jiffies(50);
++ uhci->ports_timeout = jiffies +
++ msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ break;
+ case USB_PORT_FEAT_POWER:
+ /* UHCI has no power switching */
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index 73485fa..eeedde8 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1574,7 +1574,7 @@ static void handle_port_status(struct xhci_hcd *xhci,
+ } else {
+ xhci_dbg(xhci, "resume HS port %d\n", port_id);
+ bus_state->resume_done[faked_port_index] = jiffies +
+- msecs_to_jiffies(20);
++ msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ set_bit(faked_port_index, &bus_state->resuming_ports);
+ mod_timer(&hcd->rh_timer,
+ bus_state->resume_done[faked_port_index]);
+diff --git a/drivers/usb/isp1760/isp1760-hcd.c b/drivers/usb/isp1760/isp1760-hcd.c
+index 3cb98b1..7911b6b 100644
+--- a/drivers/usb/isp1760/isp1760-hcd.c
++++ b/drivers/usb/isp1760/isp1760-hcd.c
+@@ -1869,7 +1869,7 @@ static int isp1760_hub_control(struct usb_hcd *hcd, u16 typeReq,
+ reg_write32(hcd->regs, HC_PORTSC1,
+ temp | PORT_RESUME);
+ priv->reset_done = jiffies +
+- msecs_to_jiffies(20);
++ msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ }
+ break;
+ case USB_PORT_FEAT_C_SUSPEND:
+diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c
+index 067920f..ec0ee3b 100644
+--- a/drivers/usb/musb/musb_core.c
++++ b/drivers/usb/musb/musb_core.c
+@@ -99,6 +99,7 @@
+ #include <linux/platform_device.h>
+ #include <linux/io.h>
+ #include <linux/dma-mapping.h>
++#include <linux/usb.h>
+
+ #include "musb_core.h"
+
+@@ -562,7 +563,7 @@ static irqreturn_t musb_stage0_irq(struct musb *musb, u8 int_usb,
+ (USB_PORT_STAT_C_SUSPEND << 16)
+ | MUSB_PORT_STAT_RESUME;
+ musb->rh_timer = jiffies
+- + msecs_to_jiffies(20);
++ + msecs_to_jiffies(USB_RESUME_TIMEOUT);
+ musb->need_finish_resume = 1;
+
+ musb->xceiv->otg->state = OTG_STATE_A_HOST;
+@@ -1597,16 +1598,30 @@ irqreturn_t musb_interrupt(struct musb *musb)
+ is_host_active(musb) ? "host" : "peripheral",
+ musb->int_usb, musb->int_tx, musb->int_rx);
+
+- /* the core can interrupt us for multiple reasons; docs have
+- * a generic interrupt flowchart to follow
++ /**
++ * According to Mentor Graphics' documentation, flowchart on page 98,
++ * IRQ should be handled as follows:
++ *
++ * . Resume IRQ
++ * . Session Request IRQ
++ * . VBUS Error IRQ
++ * . Suspend IRQ
++ * . Connect IRQ
++ * . Disconnect IRQ
++ * . Reset/Babble IRQ
++ * . SOF IRQ (we're not using this one)
++ * . Endpoint 0 IRQ
++ * . TX Endpoints
++ * . RX Endpoints
++ *
++ * We will be following that flowchart in order to avoid any problems
++ * that might arise with internal Finite State Machine.
+ */
++
+ if (musb->int_usb)
+ retval |= musb_stage0_irq(musb, musb->int_usb,
+ devctl);
+
+- /* "stage 1" is handling endpoint irqs */
+-
+- /* handle endpoint 0 first */
+ if (musb->int_tx & 1) {
+ if (is_host_active(musb))
+ retval |= musb_h_ep0_irq(musb);
+@@ -1614,37 +1629,31 @@ irqreturn_t musb_interrupt(struct musb *musb)
+ retval |= musb_g_ep0_irq(musb);
+ }
+
+- /* RX on endpoints 1-15 */
+- reg = musb->int_rx >> 1;
++ reg = musb->int_tx >> 1;
+ ep_num = 1;
+ while (reg) {
+ if (reg & 1) {
+- /* musb_ep_select(musb->mregs, ep_num); */
+- /* REVISIT just retval = ep->rx_irq(...) */
+ retval = IRQ_HANDLED;
+ if (is_host_active(musb))
+- musb_host_rx(musb, ep_num);
++ musb_host_tx(musb, ep_num);
+ else
+- musb_g_rx(musb, ep_num);
++ musb_g_tx(musb, ep_num);
+ }
+-
+ reg >>= 1;
+ ep_num++;
+ }
+
+- /* TX on endpoints 1-15 */
+- reg = musb->int_tx >> 1;
++ reg = musb->int_rx >> 1;
+ ep_num = 1;
+ while (reg) {
+ if (reg & 1) {
+- /* musb_ep_select(musb->mregs, ep_num); */
+- /* REVISIT just retval |= ep->tx_irq(...) */
+ retval = IRQ_HANDLED;
+ if (is_host_active(musb))
+- musb_host_tx(musb, ep_num);
++ musb_host_rx(musb, ep_num);
+ else
+- musb_g_tx(musb, ep_num);
++ musb_g_rx(musb, ep_num);
+ }
++
+ reg >>= 1;
+ ep_num++;
+ }
+@@ -2463,7 +2472,7 @@ static int musb_resume(struct device *dev)
+ if (musb->need_finish_resume) {
+ musb->need_finish_resume = 0;
+ schedule_delayed_work(&musb->finish_resume_work,
+- msecs_to_jiffies(20));
++ msecs_to_jiffies(USB_RESUME_TIMEOUT));
+ }
+
+ /*
+@@ -2506,7 +2515,7 @@ static int musb_runtime_resume(struct device *dev)
+ if (musb->need_finish_resume) {
+ musb->need_finish_resume = 0;
+ schedule_delayed_work(&musb->finish_resume_work,
+- msecs_to_jiffies(20));
++ msecs_to_jiffies(USB_RESUME_TIMEOUT));
+ }
+
+ return 0;
+diff --git a/drivers/usb/musb/musb_virthub.c b/drivers/usb/musb/musb_virthub.c
+index 294e159..5428ed1 100644
+--- a/drivers/usb/musb/musb_virthub.c
++++ b/drivers/usb/musb/musb_virthub.c
+@@ -136,7 +136,7 @@ void musb_port_suspend(struct musb *musb, bool do_suspend)
+ /* later, GetPortStatus will stop RESUME signaling */
+ musb->port1_status |= MUSB_PORT_STAT_RESUME;
+ schedule_delayed_work(&musb->finish_resume_work,
+- msecs_to_jiffies(20));
++ msecs_to_jiffies(USB_RESUME_TIMEOUT));
+ }
+ }
+
+diff --git a/drivers/usb/phy/phy.c b/drivers/usb/phy/phy.c
+index 2f9735b..d1cd6b5 100644
+--- a/drivers/usb/phy/phy.c
++++ b/drivers/usb/phy/phy.c
+@@ -81,7 +81,9 @@ static void devm_usb_phy_release(struct device *dev, void *res)
+
+ static int devm_usb_phy_match(struct device *dev, void *res, void *match_data)
+ {
+- return res == match_data;
++ struct usb_phy **phy = res;
++
++ return *phy == match_data;
+ }
+
+ /**
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 995986b..d925f55 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -862,6 +862,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ i < loc->elf_ex.e_phnum; i++, elf_ppnt++) {
+ int elf_prot = 0, elf_flags;
+ unsigned long k, vaddr;
++ unsigned long total_size = 0;
+
+ if (elf_ppnt->p_type != PT_LOAD)
+ continue;
+@@ -924,10 +925,16 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ #else
+ load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
+ #endif
++ total_size = total_mapping_size(elf_phdata,
++ loc->elf_ex.e_phnum);
++ if (!total_size) {
++ error = -EINVAL;
++ goto out_free_dentry;
++ }
+ }
+
+ error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
+- elf_prot, elf_flags, 0);
++ elf_prot, elf_flags, total_size);
+ if (BAD_ADDR(error)) {
+ retval = IS_ERR((void *)error) ?
+ PTR_ERR((void*)error) : -EINVAL;
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 8b353ad..0a795c9 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -6956,12 +6956,11 @@ static int __btrfs_free_reserved_extent(struct btrfs_root *root,
+ return -ENOSPC;
+ }
+
+- if (btrfs_test_opt(root, DISCARD))
+- ret = btrfs_discard_extent(root, start, len, NULL);
+-
+ if (pin)
+ pin_down_extent(root, cache, start, len, 1);
+ else {
++ if (btrfs_test_opt(root, DISCARD))
++ ret = btrfs_discard_extent(root, start, len, NULL);
+ btrfs_add_free_space(cache, start, len);
+ btrfs_update_reserved_bytes(cache, len, RESERVE_FREE, delalloc);
+ }
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 74609b9..f23d4be 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2897,6 +2897,9 @@ static int btrfs_extent_same(struct inode *src, u64 loff, u64 len,
+ if (src == dst)
+ return -EINVAL;
+
++ if (len == 0)
++ return 0;
++
+ btrfs_double_lock(src, loff, dst, dst_loff, len);
+
+ ret = extent_same_check_offsets(src, loff, len);
+@@ -3626,6 +3629,11 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
+ if (off + len == src->i_size)
+ len = ALIGN(src->i_size, bs) - off;
+
++ if (len == 0) {
++ ret = 0;
++ goto out_unlock;
++ }
++
+ /* verify the end result is block aligned */
+ if (!IS_ALIGNED(off, bs) || !IS_ALIGNED(off + len, bs) ||
+ !IS_ALIGNED(destoff, bs))
+diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c
+index 883b936..45ea704 100644
+--- a/fs/btrfs/xattr.c
++++ b/fs/btrfs/xattr.c
+@@ -364,22 +364,42 @@ const struct xattr_handler *btrfs_xattr_handlers[] = {
+ /*
+ * Check if the attribute is in a supported namespace.
+ *
+- * This applied after the check for the synthetic attributes in the system
++ * This is applied after the check for the synthetic attributes in the system
+ * namespace.
+ */
+-static bool btrfs_is_valid_xattr(const char *name)
++static int btrfs_is_valid_xattr(const char *name)
+ {
+- return !strncmp(name, XATTR_SECURITY_PREFIX,
+- XATTR_SECURITY_PREFIX_LEN) ||
+- !strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN) ||
+- !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) ||
+- !strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) ||
+- !strncmp(name, XATTR_BTRFS_PREFIX, XATTR_BTRFS_PREFIX_LEN);
++ int len = strlen(name);
++ int prefixlen = 0;
++
++ if (!strncmp(name, XATTR_SECURITY_PREFIX,
++ XATTR_SECURITY_PREFIX_LEN))
++ prefixlen = XATTR_SECURITY_PREFIX_LEN;
++ else if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
++ prefixlen = XATTR_SYSTEM_PREFIX_LEN;
++ else if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN))
++ prefixlen = XATTR_TRUSTED_PREFIX_LEN;
++ else if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
++ prefixlen = XATTR_USER_PREFIX_LEN;
++ else if (!strncmp(name, XATTR_BTRFS_PREFIX, XATTR_BTRFS_PREFIX_LEN))
++ prefixlen = XATTR_BTRFS_PREFIX_LEN;
++ else
++ return -EOPNOTSUPP;
++
++ /*
++ * The name cannot consist of just prefix
++ */
++ if (len <= prefixlen)
++ return -EINVAL;
++
++ return 0;
+ }
+
+ ssize_t btrfs_getxattr(struct dentry *dentry, const char *name,
+ void *buffer, size_t size)
+ {
++ int ret;
++
+ /*
+ * If this is a request for a synthetic attribute in the system.*
+ * namespace use the generic infrastructure to resolve a handler
+@@ -388,8 +408,9 @@ ssize_t btrfs_getxattr(struct dentry *dentry, const char *name,
+ if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+ return generic_getxattr(dentry, name, buffer, size);
+
+- if (!btrfs_is_valid_xattr(name))
+- return -EOPNOTSUPP;
++ ret = btrfs_is_valid_xattr(name);
++ if (ret)
++ return ret;
+ return __btrfs_getxattr(dentry->d_inode, name, buffer, size);
+ }
+
+@@ -397,6 +418,7 @@ int btrfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ size_t size, int flags)
+ {
+ struct btrfs_root *root = BTRFS_I(dentry->d_inode)->root;
++ int ret;
+
+ /*
+ * The permission on security.* and system.* is not checked
+@@ -413,8 +435,9 @@ int btrfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+ return generic_setxattr(dentry, name, value, size, flags);
+
+- if (!btrfs_is_valid_xattr(name))
+- return -EOPNOTSUPP;
++ ret = btrfs_is_valid_xattr(name);
++ if (ret)
++ return ret;
+
+ if (!strncmp(name, XATTR_BTRFS_PREFIX, XATTR_BTRFS_PREFIX_LEN))
+ return btrfs_set_prop(dentry->d_inode, name,
+@@ -430,6 +453,7 @@ int btrfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ int btrfs_removexattr(struct dentry *dentry, const char *name)
+ {
+ struct btrfs_root *root = BTRFS_I(dentry->d_inode)->root;
++ int ret;
+
+ /*
+ * The permission on security.* and system.* is not checked
+@@ -446,8 +470,9 @@ int btrfs_removexattr(struct dentry *dentry, const char *name)
+ if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+ return generic_removexattr(dentry, name);
+
+- if (!btrfs_is_valid_xattr(name))
+- return -EOPNOTSUPP;
++ ret = btrfs_is_valid_xattr(name);
++ if (ret)
++ return ret;
+
+ if (!strncmp(name, XATTR_BTRFS_PREFIX, XATTR_BTRFS_PREFIX_LEN))
+ return btrfs_set_prop(dentry->d_inode, name,
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 28fe71a..aae7011 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1865,7 +1865,7 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry,
+ struct inode *inode)
+ {
+ struct inode *dir = dentry->d_parent->d_inode;
+- struct buffer_head *bh;
++ struct buffer_head *bh = NULL;
+ struct ext4_dir_entry_2 *de;
+ struct ext4_dir_entry_tail *t;
+ struct super_block *sb;
+@@ -1889,14 +1889,14 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry,
+ return retval;
+ if (retval == 1) {
+ retval = 0;
+- return retval;
++ goto out;
+ }
+ }
+
+ if (is_dx(dir)) {
+ retval = ext4_dx_add_entry(handle, dentry, inode);
+ if (!retval || (retval != ERR_BAD_DX_DIR))
+- return retval;
++ goto out;
+ ext4_clear_inode_flag(dir, EXT4_INODE_INDEX);
+ dx_fallback++;
+ ext4_mark_inode_dirty(handle, dir);
+@@ -1908,14 +1908,15 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry,
+ return PTR_ERR(bh);
+
+ retval = add_dirent_to_buf(handle, dentry, inode, NULL, bh);
+- if (retval != -ENOSPC) {
+- brelse(bh);
+- return retval;
+- }
++ if (retval != -ENOSPC)
++ goto out;
+
+ if (blocks == 1 && !dx_fallback &&
+- EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_DIR_INDEX))
+- return make_indexed_dir(handle, dentry, inode, bh);
++ EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_DIR_INDEX)) {
++ retval = make_indexed_dir(handle, dentry, inode, bh);
++ bh = NULL; /* make_indexed_dir releases bh */
++ goto out;
++ }
+ brelse(bh);
+ }
+ bh = ext4_append(handle, dir, &block);
+@@ -1931,6 +1932,7 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry,
+ }
+
+ retval = add_dirent_to_buf(handle, dentry, inode, de, bh);
++out:
+ brelse(bh);
+ if (retval == 0)
+ ext4_set_inode_state(inode, EXT4_STATE_NEWENTRY);
+diff --git a/fs/lockd/svcsubs.c b/fs/lockd/svcsubs.c
+index 665ef5a..a563ddb 100644
+--- a/fs/lockd/svcsubs.c
++++ b/fs/lockd/svcsubs.c
+@@ -31,7 +31,7 @@
+ static struct hlist_head nlm_files[FILE_NRHASH];
+ static DEFINE_MUTEX(nlm_file_mutex);
+
+-#ifdef NFSD_DEBUG
++#ifdef CONFIG_SUNRPC_DEBUG
+ static inline void nlm_debug_print_fh(char *msg, struct nfs_fh *f)
+ {
+ u32 *fhp = (u32*)f->data;
+diff --git a/fs/namei.c b/fs/namei.c
+index c83145a..caa38a2 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1591,7 +1591,8 @@ static inline int walk_component(struct nameidata *nd, struct path *path,
+
+ if (should_follow_link(path->dentry, follow)) {
+ if (nd->flags & LOOKUP_RCU) {
+- if (unlikely(unlazy_walk(nd, path->dentry))) {
++ if (unlikely(nd->path.mnt != path->mnt ||
++ unlazy_walk(nd, path->dentry))) {
+ err = -ECHILD;
+ goto out_err;
+ }
+@@ -3047,7 +3048,8 @@ finish_lookup:
+
+ if (should_follow_link(path->dentry, !symlink_ok)) {
+ if (nd->flags & LOOKUP_RCU) {
+- if (unlikely(unlazy_walk(nd, path->dentry))) {
++ if (unlikely(nd->path.mnt != path->mnt ||
++ unlazy_walk(nd, path->dentry))) {
+ error = -ECHILD;
+ goto out;
+ }
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 82ef140..4622ee3 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -632,14 +632,17 @@ struct mount *__lookup_mnt(struct vfsmount *mnt, struct dentry *dentry)
+ */
+ struct mount *__lookup_mnt_last(struct vfsmount *mnt, struct dentry *dentry)
+ {
+- struct mount *p, *res;
+- res = p = __lookup_mnt(mnt, dentry);
++ struct mount *p, *res = NULL;
++ p = __lookup_mnt(mnt, dentry);
+ if (!p)
+ goto out;
++ if (!(p->mnt.mnt_flags & MNT_UMOUNT))
++ res = p;
+ hlist_for_each_entry_continue(p, mnt_hash) {
+ if (&p->mnt_parent->mnt != mnt || p->mnt_mountpoint != dentry)
+ break;
+- res = p;
++ if (!(p->mnt.mnt_flags & MNT_UMOUNT))
++ res = p;
+ }
+ out:
+ return res;
+@@ -795,10 +798,8 @@ static void __touch_mnt_namespace(struct mnt_namespace *ns)
+ /*
+ * vfsmount lock must be held for write
+ */
+-static void detach_mnt(struct mount *mnt, struct path *old_path)
++static void unhash_mnt(struct mount *mnt)
+ {
+- old_path->dentry = mnt->mnt_mountpoint;
+- old_path->mnt = &mnt->mnt_parent->mnt;
+ mnt->mnt_parent = mnt;
+ mnt->mnt_mountpoint = mnt->mnt.mnt_root;
+ list_del_init(&mnt->mnt_child);
+@@ -811,6 +812,26 @@ static void detach_mnt(struct mount *mnt, struct path *old_path)
+ /*
+ * vfsmount lock must be held for write
+ */
++static void detach_mnt(struct mount *mnt, struct path *old_path)
++{
++ old_path->dentry = mnt->mnt_mountpoint;
++ old_path->mnt = &mnt->mnt_parent->mnt;
++ unhash_mnt(mnt);
++}
++
++/*
++ * vfsmount lock must be held for write
++ */
++static void umount_mnt(struct mount *mnt)
++{
++ /* old mountpoint will be dropped when we can do that */
++ mnt->mnt_ex_mountpoint = mnt->mnt_mountpoint;
++ unhash_mnt(mnt);
++}
++
++/*
++ * vfsmount lock must be held for write
++ */
+ void mnt_set_mountpoint(struct mount *mnt,
+ struct mountpoint *mp,
+ struct mount *child_mnt)
+@@ -1078,6 +1099,13 @@ static void mntput_no_expire(struct mount *mnt)
+ rcu_read_unlock();
+
+ list_del(&mnt->mnt_instance);
++
++ if (unlikely(!list_empty(&mnt->mnt_mounts))) {
++ struct mount *p, *tmp;
++ list_for_each_entry_safe(p, tmp, &mnt->mnt_mounts, mnt_child) {
++ umount_mnt(p);
++ }
++ }
+ unlock_mount_hash();
+
+ if (likely(!(mnt->mnt.mnt_flags & MNT_INTERNAL))) {
+@@ -1319,49 +1347,63 @@ static inline void namespace_lock(void)
+ down_write(&namespace_sem);
+ }
+
++enum umount_tree_flags {
++ UMOUNT_SYNC = 1,
++ UMOUNT_PROPAGATE = 2,
++ UMOUNT_CONNECTED = 4,
++};
+ /*
+ * mount_lock must be held
+ * namespace_sem must be held for write
+- * how = 0 => just this tree, don't propagate
+- * how = 1 => propagate; we know that nobody else has reference to any victims
+- * how = 2 => lazy umount
+ */
+-void umount_tree(struct mount *mnt, int how)
++static void umount_tree(struct mount *mnt, enum umount_tree_flags how)
+ {
+- HLIST_HEAD(tmp_list);
++ LIST_HEAD(tmp_list);
+ struct mount *p;
+
++ if (how & UMOUNT_PROPAGATE)
++ propagate_mount_unlock(mnt);
++
++ /* Gather the mounts to umount */
+ for (p = mnt; p; p = next_mnt(p, mnt)) {
+- hlist_del_init_rcu(&p->mnt_hash);
+- hlist_add_head(&p->mnt_hash, &tmp_list);
++ p->mnt.mnt_flags |= MNT_UMOUNT;
++ list_move(&p->mnt_list, &tmp_list);
+ }
+
+- hlist_for_each_entry(p, &tmp_list, mnt_hash)
++ /* Hide the mounts from mnt_mounts */
++ list_for_each_entry(p, &tmp_list, mnt_list) {
+ list_del_init(&p->mnt_child);
++ }
+
+- if (how)
++ /* Add propogated mounts to the tmp_list */
++ if (how & UMOUNT_PROPAGATE)
+ propagate_umount(&tmp_list);
+
+- while (!hlist_empty(&tmp_list)) {
+- p = hlist_entry(tmp_list.first, struct mount, mnt_hash);
+- hlist_del_init_rcu(&p->mnt_hash);
++ while (!list_empty(&tmp_list)) {
++ bool disconnect;
++ p = list_first_entry(&tmp_list, struct mount, mnt_list);
+ list_del_init(&p->mnt_expire);
+ list_del_init(&p->mnt_list);
+ __touch_mnt_namespace(p->mnt_ns);
+ p->mnt_ns = NULL;
+- if (how < 2)
++ if (how & UMOUNT_SYNC)
+ p->mnt.mnt_flags |= MNT_SYNC_UMOUNT;
+
+- pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt, &unmounted);
++ disconnect = !(((how & UMOUNT_CONNECTED) &&
++ mnt_has_parent(p) &&
++ (p->mnt_parent->mnt.mnt_flags & MNT_UMOUNT)) ||
++ IS_MNT_LOCKED_AND_LAZY(p));
++
++ pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt,
++ disconnect ? &unmounted : NULL);
+ if (mnt_has_parent(p)) {
+- hlist_del_init(&p->mnt_mp_list);
+- put_mountpoint(p->mnt_mp);
+ mnt_add_count(p->mnt_parent, -1);
+- /* old mountpoint will be dropped when we can do that */
+- p->mnt_ex_mountpoint = p->mnt_mountpoint;
+- p->mnt_mountpoint = p->mnt.mnt_root;
+- p->mnt_parent = p;
+- p->mnt_mp = NULL;
++ if (!disconnect) {
++ /* Don't forget about p */
++ list_add_tail(&p->mnt_child, &p->mnt_parent->mnt_mounts);
++ } else {
++ umount_mnt(p);
++ }
+ }
+ change_mnt_propagation(p, MS_PRIVATE);
+ }
+@@ -1447,14 +1489,14 @@ static int do_umount(struct mount *mnt, int flags)
+
+ if (flags & MNT_DETACH) {
+ if (!list_empty(&mnt->mnt_list))
+- umount_tree(mnt, 2);
++ umount_tree(mnt, UMOUNT_PROPAGATE);
+ retval = 0;
+ } else {
+ shrink_submounts(mnt);
+ retval = -EBUSY;
+ if (!propagate_mount_busy(mnt, 2)) {
+ if (!list_empty(&mnt->mnt_list))
+- umount_tree(mnt, 1);
++ umount_tree(mnt, UMOUNT_PROPAGATE|UMOUNT_SYNC);
+ retval = 0;
+ }
+ }
+@@ -1480,13 +1522,20 @@ void __detach_mounts(struct dentry *dentry)
+
+ namespace_lock();
+ mp = lookup_mountpoint(dentry);
+- if (!mp)
++ if (IS_ERR_OR_NULL(mp))
+ goto out_unlock;
+
+ lock_mount_hash();
+ while (!hlist_empty(&mp->m_list)) {
+ mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list);
+- umount_tree(mnt, 2);
++ if (mnt->mnt.mnt_flags & MNT_UMOUNT) {
++ struct mount *p, *tmp;
++ list_for_each_entry_safe(p, tmp, &mnt->mnt_mounts, mnt_child) {
++ hlist_add_head(&p->mnt_umount.s_list, &unmounted);
++ umount_mnt(p);
++ }
++ }
++ else umount_tree(mnt, UMOUNT_CONNECTED);
+ }
+ unlock_mount_hash();
+ put_mountpoint(mp);
+@@ -1648,7 +1697,7 @@ struct mount *copy_tree(struct mount *mnt, struct dentry *dentry,
+ out:
+ if (res) {
+ lock_mount_hash();
+- umount_tree(res, 0);
++ umount_tree(res, UMOUNT_SYNC);
+ unlock_mount_hash();
+ }
+ return q;
+@@ -1672,7 +1721,7 @@ void drop_collected_mounts(struct vfsmount *mnt)
+ {
+ namespace_lock();
+ lock_mount_hash();
+- umount_tree(real_mount(mnt), 0);
++ umount_tree(real_mount(mnt), UMOUNT_SYNC);
+ unlock_mount_hash();
+ namespace_unlock();
+ }
+@@ -1855,7 +1904,7 @@ static int attach_recursive_mnt(struct mount *source_mnt,
+ out_cleanup_ids:
+ while (!hlist_empty(&tree_list)) {
+ child = hlist_entry(tree_list.first, struct mount, mnt_hash);
+- umount_tree(child, 0);
++ umount_tree(child, UMOUNT_SYNC);
+ }
+ unlock_mount_hash();
+ cleanup_group_ids(source_mnt, NULL);
+@@ -2035,7 +2084,7 @@ static int do_loopback(struct path *path, const char *old_name,
+ err = graft_tree(mnt, parent, mp);
+ if (err) {
+ lock_mount_hash();
+- umount_tree(mnt, 0);
++ umount_tree(mnt, UMOUNT_SYNC);
+ unlock_mount_hash();
+ }
+ out2:
+@@ -2406,7 +2455,7 @@ void mark_mounts_for_expiry(struct list_head *mounts)
+ while (!list_empty(&graveyard)) {
+ mnt = list_first_entry(&graveyard, struct mount, mnt_expire);
+ touch_mnt_namespace(mnt->mnt_ns);
+- umount_tree(mnt, 1);
++ umount_tree(mnt, UMOUNT_PROPAGATE|UMOUNT_SYNC);
+ }
+ unlock_mount_hash();
+ namespace_unlock();
+@@ -2477,7 +2526,7 @@ static void shrink_submounts(struct mount *mnt)
+ m = list_first_entry(&graveyard, struct mount,
+ mnt_expire);
+ touch_mnt_namespace(m->mnt_ns);
+- umount_tree(m, 1);
++ umount_tree(m, UMOUNT_PROPAGATE|UMOUNT_SYNC);
+ }
+ }
+ }
+diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c
+index 351be920..8d129bb 100644
+--- a/fs/nfs/callback.c
++++ b/fs/nfs/callback.c
+@@ -128,7 +128,7 @@ nfs41_callback_svc(void *vrqstp)
+ if (try_to_freeze())
+ continue;
+
+- prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_UNINTERRUPTIBLE);
++ prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_INTERRUPTIBLE);
+ spin_lock_bh(&serv->sv_cb_lock);
+ if (!list_empty(&serv->sv_cb_list)) {
+ req = list_first_entry(&serv->sv_cb_list,
+@@ -142,10 +142,10 @@ nfs41_callback_svc(void *vrqstp)
+ error);
+ } else {
+ spin_unlock_bh(&serv->sv_cb_lock);
+- /* schedule_timeout to game the hung task watchdog */
+- schedule_timeout(60 * HZ);
++ schedule();
+ finish_wait(&serv->sv_cb_waitq, &wq);
+ }
++ flush_signals(current);
+ }
+ return 0;
+ }
+diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
+index e907c8c..ab21ef1 100644
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -129,22 +129,25 @@ nfs_direct_good_bytes(struct nfs_direct_req *dreq, struct nfs_pgio_header *hdr)
+ int i;
+ ssize_t count;
+
+- WARN_ON_ONCE(hdr->pgio_mirror_idx >= dreq->mirror_count);
+-
+- count = dreq->mirrors[hdr->pgio_mirror_idx].count;
+- if (count + dreq->io_start < hdr->io_start + hdr->good_bytes) {
+- count = hdr->io_start + hdr->good_bytes - dreq->io_start;
+- dreq->mirrors[hdr->pgio_mirror_idx].count = count;
+- }
+-
+- /* update the dreq->count by finding the minimum agreed count from all
+- * mirrors */
+- count = dreq->mirrors[0].count;
++ if (dreq->mirror_count == 1) {
++ dreq->mirrors[hdr->pgio_mirror_idx].count += hdr->good_bytes;
++ dreq->count += hdr->good_bytes;
++ } else {
++ /* mirrored writes */
++ count = dreq->mirrors[hdr->pgio_mirror_idx].count;
++ if (count + dreq->io_start < hdr->io_start + hdr->good_bytes) {
++ count = hdr->io_start + hdr->good_bytes - dreq->io_start;
++ dreq->mirrors[hdr->pgio_mirror_idx].count = count;
++ }
++ /* update the dreq->count by finding the minimum agreed count from all
++ * mirrors */
++ count = dreq->mirrors[0].count;
+
+- for (i = 1; i < dreq->mirror_count; i++)
+- count = min(count, dreq->mirrors[i].count);
++ for (i = 1; i < dreq->mirror_count; i++)
++ count = min(count, dreq->mirrors[i].count);
+
+- dreq->count = count;
++ dreq->count = count;
++ }
+ }
+
+ /*
+diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
+index 5c399ec..d494ea2 100644
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -7365,6 +7365,11 @@ nfs4_stat_to_errno(int stat)
+ .p_name = #proc, \
+ }
+
++#define STUB(proc) \
++[NFSPROC4_CLNT_##proc] = { \
++ .p_name = #proc, \
++}
++
+ struct rpc_procinfo nfs4_procedures[] = {
+ PROC(READ, enc_read, dec_read),
+ PROC(WRITE, enc_write, dec_write),
+@@ -7417,6 +7422,7 @@ struct rpc_procinfo nfs4_procedures[] = {
+ PROC(SECINFO_NO_NAME, enc_secinfo_no_name, dec_secinfo_no_name),
+ PROC(TEST_STATEID, enc_test_stateid, dec_test_stateid),
+ PROC(FREE_STATEID, enc_free_stateid, dec_free_stateid),
++ STUB(GETDEVICELIST),
+ PROC(BIND_CONN_TO_SESSION,
+ enc_bind_conn_to_session, dec_bind_conn_to_session),
+ PROC(DESTROY_CLIENTID, enc_destroy_clientid, dec_destroy_clientid),
+diff --git a/fs/nfs/read.c b/fs/nfs/read.c
+index 568ecf0..848d8b1 100644
+--- a/fs/nfs/read.c
++++ b/fs/nfs/read.c
+@@ -284,7 +284,7 @@ int nfs_readpage(struct file *file, struct page *page)
+ dprintk("NFS: nfs_readpage (%p %ld@%lu)\n",
+ page, PAGE_CACHE_SIZE, page_file_index(page));
+ nfs_inc_stats(inode, NFSIOS_VFSREADPAGE);
+- nfs_inc_stats(inode, NFSIOS_READPAGES);
++ nfs_add_stats(inode, NFSIOS_READPAGES, 1);
+
+ /*
+ * Try to flush any pending writes to the file..
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 849ed78..41b3f1096 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -580,7 +580,7 @@ static int nfs_do_writepage(struct page *page, struct writeback_control *wbc, st
+ int ret;
+
+ nfs_inc_stats(inode, NFSIOS_VFSWRITEPAGE);
+- nfs_inc_stats(inode, NFSIOS_WRITEPAGES);
++ nfs_add_stats(inode, NFSIOS_WRITEPAGES, 1);
+
+ nfs_pageio_cond_complete(pgio, page_file_index(page));
+ ret = nfs_page_async_flush(pgio, page, wbc->sync_mode == WB_SYNC_NONE);
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index 92b9d97..5416968 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1030,6 +1030,8 @@ nfsd4_fallocate(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ dprintk("NFSD: nfsd4_fallocate: couldn't process stateid!\n");
+ return status;
+ }
++ if (!file)
++ return nfserr_bad_stateid;
+
+ status = nfsd4_vfs_fallocate(rqstp, &cstate->current_fh, file,
+ fallocate->falloc_offset,
+@@ -1069,6 +1071,8 @@ nfsd4_seek(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ dprintk("NFSD: nfsd4_seek: couldn't process stateid!\n");
+ return status;
+ }
++ if (!file)
++ return nfserr_bad_stateid;
+
+ switch (seek->seek_whence) {
+ case NFS4_CONTENT_DATA:
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 8ba1d88..ee1cccd 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1139,7 +1139,7 @@ hash_sessionid(struct nfs4_sessionid *sessionid)
+ return sid->sequence % SESSION_HASH_SIZE;
+ }
+
+-#ifdef NFSD_DEBUG
++#ifdef CONFIG_SUNRPC_DEBUG
+ static inline void
+ dump_sessionid(const char *fn, struct nfs4_sessionid *sessionid)
+ {
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 5fb7e78..5b33ce1 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3422,6 +3422,7 @@ nfsd4_encode_read(struct nfsd4_compoundres *resp, __be32 nfserr,
+ unsigned long maxcount;
+ struct xdr_stream *xdr = &resp->xdr;
+ struct file *file = read->rd_filp;
++ struct svc_fh *fhp = read->rd_fhp;
+ int starting_len = xdr->buf->len;
+ struct raparms *ra;
+ __be32 *p;
+@@ -3445,12 +3446,15 @@ nfsd4_encode_read(struct nfsd4_compoundres *resp, __be32 nfserr,
+ maxcount = min_t(unsigned long, maxcount, (xdr->buf->buflen - xdr->buf->len));
+ maxcount = min_t(unsigned long, maxcount, read->rd_length);
+
+- if (!read->rd_filp) {
++ if (read->rd_filp)
++ err = nfsd_permission(resp->rqstp, fhp->fh_export,
++ fhp->fh_dentry,
++ NFSD_MAY_READ|NFSD_MAY_OWNER_OVERRIDE);
++ else
+ err = nfsd_get_tmp_read_open(resp->rqstp, read->rd_fhp,
+ &file, &ra);
+- if (err)
+- goto err_truncate;
+- }
++ if (err)
++ goto err_truncate;
+
+ if (file->f_op->splice_read && test_bit(RQ_SPLICE_OK, &resp->rqstp->rq_flags))
+ err = nfsd4_encode_splice_read(resp, read, file, maxcount);
+diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
+index aa47d75..9690cb4 100644
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1250,15 +1250,15 @@ static int __init init_nfsd(void)
+ int retval;
+ printk(KERN_INFO "Installing knfsd (copyright (C) 1996 okir@monad.swb.de).\n");
+
+- retval = register_cld_notifier();
+- if (retval)
+- return retval;
+ retval = register_pernet_subsys(&nfsd_net_ops);
+ if (retval < 0)
+- goto out_unregister_notifier;
+- retval = nfsd4_init_slabs();
++ return retval;
++ retval = register_cld_notifier();
+ if (retval)
+ goto out_unregister_pernet;
++ retval = nfsd4_init_slabs();
++ if (retval)
++ goto out_unregister_notifier;
+ retval = nfsd4_init_pnfs();
+ if (retval)
+ goto out_free_slabs;
+@@ -1290,10 +1290,10 @@ out_exit_pnfs:
+ nfsd4_exit_pnfs();
+ out_free_slabs:
+ nfsd4_free_slabs();
+-out_unregister_pernet:
+- unregister_pernet_subsys(&nfsd_net_ops);
+ out_unregister_notifier:
+ unregister_cld_notifier();
++out_unregister_pernet:
++ unregister_pernet_subsys(&nfsd_net_ops);
+ return retval;
+ }
+
+@@ -1308,8 +1308,8 @@ static void __exit exit_nfsd(void)
+ nfsd4_exit_pnfs();
+ nfsd_fault_inject_cleanup();
+ unregister_filesystem(&nfsd_fs_type);
+- unregister_pernet_subsys(&nfsd_net_ops);
+ unregister_cld_notifier();
++ unregister_pernet_subsys(&nfsd_net_ops);
+ }
+
+ MODULE_AUTHOR("Olaf Kirch <okir@monad.swb.de>");
+diff --git a/fs/nfsd/nfsd.h b/fs/nfsd/nfsd.h
+index 565c4da..cf98052 100644
+--- a/fs/nfsd/nfsd.h
++++ b/fs/nfsd/nfsd.h
+@@ -24,7 +24,7 @@
+ #include "export.h"
+
+ #undef ifdebug
+-#ifdef NFSD_DEBUG
++#ifdef CONFIG_SUNRPC_DEBUG
+ # define ifdebug(flag) if (nfsd_debug & NFSDDBG_##flag)
+ #else
+ # define ifdebug(flag) if (0)
+diff --git a/fs/open.c b/fs/open.c
+index 33f9cbf..44a3be1 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -570,6 +570,7 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
+ uid = make_kuid(current_user_ns(), user);
+ gid = make_kgid(current_user_ns(), group);
+
++retry_deleg:
+ newattrs.ia_valid = ATTR_CTIME;
+ if (user != (uid_t) -1) {
+ if (!uid_valid(uid))
+@@ -586,7 +587,6 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
+ if (!S_ISDIR(inode->i_mode))
+ newattrs.ia_valid |=
+ ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
+-retry_deleg:
+ mutex_lock(&inode->i_mutex);
+ error = security_path_chown(path, uid, gid);
+ if (!error)
+diff --git a/fs/pnode.c b/fs/pnode.c
+index 260ac8f..6367e1e 100644
+--- a/fs/pnode.c
++++ b/fs/pnode.c
+@@ -362,6 +362,46 @@ int propagate_mount_busy(struct mount *mnt, int refcnt)
+ }
+
+ /*
++ * Clear MNT_LOCKED when it can be shown to be safe.
++ *
++ * mount_lock lock must be held for write
++ */
++void propagate_mount_unlock(struct mount *mnt)
++{
++ struct mount *parent = mnt->mnt_parent;
++ struct mount *m, *child;
++
++ BUG_ON(parent == mnt);
++
++ for (m = propagation_next(parent, parent); m;
++ m = propagation_next(m, parent)) {
++ child = __lookup_mnt_last(&m->mnt, mnt->mnt_mountpoint);
++ if (child)
++ child->mnt.mnt_flags &= ~MNT_LOCKED;
++ }
++}
++
++/*
++ * Mark all mounts that the MNT_LOCKED logic will allow to be unmounted.
++ */
++static void mark_umount_candidates(struct mount *mnt)
++{
++ struct mount *parent = mnt->mnt_parent;
++ struct mount *m;
++
++ BUG_ON(parent == mnt);
++
++ for (m = propagation_next(parent, parent); m;
++ m = propagation_next(m, parent)) {
++ struct mount *child = __lookup_mnt_last(&m->mnt,
++ mnt->mnt_mountpoint);
++ if (child && (!IS_MNT_LOCKED(child) || IS_MNT_MARKED(m))) {
++ SET_MNT_MARK(child);
++ }
++ }
++}
++
++/*
+ * NOTE: unmounting 'mnt' naturally propagates to all other mounts its
+ * parent propagates to.
+ */
+@@ -378,13 +418,16 @@ static void __propagate_umount(struct mount *mnt)
+ struct mount *child = __lookup_mnt_last(&m->mnt,
+ mnt->mnt_mountpoint);
+ /*
+- * umount the child only if the child has no
+- * other children
++ * umount the child only if the child has no children
++ * and the child is marked safe to unmount.
+ */
+- if (child && list_empty(&child->mnt_mounts)) {
++ if (!child || !IS_MNT_MARKED(child))
++ continue;
++ CLEAR_MNT_MARK(child);
++ if (list_empty(&child->mnt_mounts)) {
+ list_del_init(&child->mnt_child);
+- hlist_del_init_rcu(&child->mnt_hash);
+- hlist_add_before_rcu(&child->mnt_hash, &mnt->mnt_hash);
++ child->mnt.mnt_flags |= MNT_UMOUNT;
++ list_move_tail(&child->mnt_list, &mnt->mnt_list);
+ }
+ }
+ }
+@@ -396,11 +439,14 @@ static void __propagate_umount(struct mount *mnt)
+ *
+ * vfsmount lock must be held for write
+ */
+-int propagate_umount(struct hlist_head *list)
++int propagate_umount(struct list_head *list)
+ {
+ struct mount *mnt;
+
+- hlist_for_each_entry(mnt, list, mnt_hash)
++ list_for_each_entry_reverse(mnt, list, mnt_list)
++ mark_umount_candidates(mnt);
++
++ list_for_each_entry(mnt, list, mnt_list)
+ __propagate_umount(mnt);
+ return 0;
+ }
+diff --git a/fs/pnode.h b/fs/pnode.h
+index 4a24635..7114ce6 100644
+--- a/fs/pnode.h
++++ b/fs/pnode.h
+@@ -19,6 +19,9 @@
+ #define IS_MNT_MARKED(m) ((m)->mnt.mnt_flags & MNT_MARKED)
+ #define SET_MNT_MARK(m) ((m)->mnt.mnt_flags |= MNT_MARKED)
+ #define CLEAR_MNT_MARK(m) ((m)->mnt.mnt_flags &= ~MNT_MARKED)
++#define IS_MNT_LOCKED(m) ((m)->mnt.mnt_flags & MNT_LOCKED)
++#define IS_MNT_LOCKED_AND_LAZY(m) \
++ (((m)->mnt.mnt_flags & (MNT_LOCKED|MNT_SYNC_UMOUNT)) == MNT_LOCKED)
+
+ #define CL_EXPIRE 0x01
+ #define CL_SLAVE 0x02
+@@ -40,14 +43,14 @@ static inline void set_mnt_shared(struct mount *mnt)
+ void change_mnt_propagation(struct mount *, int);
+ int propagate_mnt(struct mount *, struct mountpoint *, struct mount *,
+ struct hlist_head *);
+-int propagate_umount(struct hlist_head *);
++int propagate_umount(struct list_head *);
+ int propagate_mount_busy(struct mount *, int);
++void propagate_mount_unlock(struct mount *);
+ void mnt_release_group_id(struct mount *);
+ int get_dominating_id(struct mount *mnt, const struct path *root);
+ unsigned int mnt_get_count(struct mount *mnt);
+ void mnt_set_mountpoint(struct mount *, struct mountpoint *,
+ struct mount *);
+-void umount_tree(struct mount *, int);
+ struct mount *copy_tree(struct mount *, struct dentry *, int);
+ bool is_path_reachable(struct mount *, struct dentry *,
+ const struct path *root);
+diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h
+index b034f10..0d58525 100644
+--- a/include/acpi/actypes.h
++++ b/include/acpi/actypes.h
+@@ -199,9 +199,29 @@ typedef int s32;
+ typedef s32 acpi_native_int;
+
+ typedef u32 acpi_size;
++
++#ifdef ACPI_32BIT_PHYSICAL_ADDRESS
++
++/*
++ * OSPMs can define this to shrink the size of the structures for 32-bit
++ * none PAE environment. ASL compiler may always define this to generate
++ * 32-bit OSPM compliant tables.
++ */
+ typedef u32 acpi_io_address;
+ typedef u32 acpi_physical_address;
+
++#else /* ACPI_32BIT_PHYSICAL_ADDRESS */
++
++/*
++ * It is reported that, after some calculations, the physical addresses can
++ * wrap over the 32-bit boundary on 32-bit PAE environment.
++ * https://bugzilla.kernel.org/show_bug.cgi?id=87971
++ */
++typedef u64 acpi_io_address;
++typedef u64 acpi_physical_address;
++
++#endif /* ACPI_32BIT_PHYSICAL_ADDRESS */
++
+ #define ACPI_MAX_PTR ACPI_UINT32_MAX
+ #define ACPI_SIZE_MAX ACPI_UINT32_MAX
+
+@@ -736,10 +756,6 @@ typedef u32 acpi_event_status;
+ #define ACPI_GPE_ENABLE 0
+ #define ACPI_GPE_DISABLE 1
+ #define ACPI_GPE_CONDITIONAL_ENABLE 2
+-#define ACPI_GPE_SAVE_MASK 4
+-
+-#define ACPI_GPE_ENABLE_SAVE (ACPI_GPE_ENABLE | ACPI_GPE_SAVE_MASK)
+-#define ACPI_GPE_DISABLE_SAVE (ACPI_GPE_DISABLE | ACPI_GPE_SAVE_MASK)
+
+ /*
+ * GPE info flags - Per GPE
+diff --git a/include/acpi/platform/acenv.h b/include/acpi/platform/acenv.h
+index ad74dc5..ecdf940 100644
+--- a/include/acpi/platform/acenv.h
++++ b/include/acpi/platform/acenv.h
+@@ -76,6 +76,7 @@
+ #define ACPI_LARGE_NAMESPACE_NODE
+ #define ACPI_DATA_TABLE_DISASSEMBLY
+ #define ACPI_SINGLE_THREADED
++#define ACPI_32BIT_PHYSICAL_ADDRESS
+ #endif
+
+ /* acpi_exec configuration. Multithreaded with full AML debugger */
+diff --git a/include/dt-bindings/clock/tegra124-car-common.h b/include/dt-bindings/clock/tegra124-car-common.h
+index ae2eb17..a215609 100644
+--- a/include/dt-bindings/clock/tegra124-car-common.h
++++ b/include/dt-bindings/clock/tegra124-car-common.h
+@@ -297,7 +297,7 @@
+ #define TEGRA124_CLK_PLL_C4 270
+ #define TEGRA124_CLK_PLL_DP 271
+ #define TEGRA124_CLK_PLL_E_MUX 272
+-#define TEGRA124_CLK_PLLD_DSI 273
++#define TEGRA124_CLK_PLL_D_DSI_OUT 273
+ /* 274 */
+ /* 275 */
+ /* 276 */
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index bbfceb7..33b52fb 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -48,7 +48,7 @@ struct bpf_map *bpf_map_get(struct fd f);
+
+ /* function argument constraints */
+ enum bpf_arg_type {
+- ARG_ANYTHING = 0, /* any argument is ok */
++ ARG_DONTCARE = 0, /* unused argument in helper function */
+
+ /* the following constraints used to prototype
+ * bpf_map_lookup/update/delete_elem() functions
+@@ -62,6 +62,8 @@ enum bpf_arg_type {
+ */
+ ARG_PTR_TO_STACK, /* any pointer to eBPF program stack */
+ ARG_CONST_STACK_SIZE, /* number of bytes accessed from stack */
++
++ ARG_ANYTHING, /* any (initialized) argument is ok */
+ };
+
+ /* type of values returned from helper functions */
+diff --git a/include/linux/mount.h b/include/linux/mount.h
+index c2c561d..564beee 100644
+--- a/include/linux/mount.h
++++ b/include/linux/mount.h
+@@ -61,6 +61,7 @@ struct mnt_namespace;
+ #define MNT_DOOMED 0x1000000
+ #define MNT_SYNC_UMOUNT 0x2000000
+ #define MNT_MARKED 0x4000000
++#define MNT_UMOUNT 0x8000000
+
+ struct vfsmount {
+ struct dentry *mnt_root; /* root of the mounted tree */
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index a419b65..51348f7 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -176,6 +176,14 @@ extern void get_iowait_load(unsigned long *nr_waiters, unsigned long *load);
+ extern void calc_global_load(unsigned long ticks);
+ extern void update_cpu_load_nohz(void);
+
++/* Notifier for when a task gets migrated to a new CPU */
++struct task_migration_notifier {
++ struct task_struct *task;
++ int from_cpu;
++ int to_cpu;
++};
++extern void register_task_migration_notifier(struct notifier_block *n);
++
+ extern unsigned long get_parent_ip(unsigned long addr);
+
+ extern void dump_cpu_task(int cpu);
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index f54d665..bdccc4b 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -769,6 +769,7 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
+
+ struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags,
+ int node);
++struct sk_buff *__build_skb(void *data, unsigned int frag_size);
+ struct sk_buff *build_skb(void *data, unsigned int frag_size);
+ static inline struct sk_buff *alloc_skb(unsigned int size,
+ gfp_t priority)
+@@ -3013,6 +3014,18 @@ static inline bool __skb_checksum_validate_needed(struct sk_buff *skb,
+ */
+ #define CHECKSUM_BREAK 76
+
++/* Unset checksum-complete
++ *
++ * Unset checksum complete can be done when packet is being modified
++ * (uncompressed for instance) and checksum-complete value is
++ * invalidated.
++ */
++static inline void skb_checksum_complete_unset(struct sk_buff *skb)
++{
++ if (skb->ip_summed == CHECKSUM_COMPLETE)
++ skb->ip_summed = CHECKSUM_NONE;
++}
++
+ /* Validate (init) checksum based on checksum complete.
+ *
+ * Return values:
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 7ee1b5c..447fe29 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -205,6 +205,32 @@ void usb_put_intf(struct usb_interface *intf);
+ #define USB_MAXINTERFACES 32
+ #define USB_MAXIADS (USB_MAXINTERFACES/2)
+
++/*
++ * USB Resume Timer: Every Host controller driver should drive the resume
++ * signalling on the bus for the amount of time defined by this macro.
++ *
++ * That way we will have a 'stable' behavior among all HCDs supported by Linux.
++ *
++ * Note that the USB Specification states we should drive resume for *at least*
++ * 20 ms, but it doesn't give an upper bound. This creates two possible
++ * situations which we want to avoid:
++ *
++ * (a) sometimes an msleep(20) might expire slightly before 20 ms, which causes
++ * us to fail USB Electrical Tests, thus failing Certification
++ *
++ * (b) Some (many) devices actually need more than 20 ms of resume signalling,
++ * and while we can argue that's against the USB Specification, we don't have
++ * control over which devices a certification laboratory will be using for
++ * certification. If CertLab uses a device which was tested against Windows and
++ * that happens to have relaxed resume signalling rules, we might fall into
++ * situations where we fail interoperability and electrical tests.
++ *
++ * In order to avoid both conditions, we're using a 40 ms resume timeout, which
++ * should cope with both LPJ calibration errors and devices not following every
++ * detail of the USB Specification.
++ */
++#define USB_RESUME_TIMEOUT 40 /* ms */
++
+ /**
+ * struct usb_interface_cache - long-term representation of a device interface
+ * @num_altsetting: number of altsettings defined.
+diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h
+index d3583d3..dd0f3ab 100644
+--- a/include/target/iscsi/iscsi_target_core.h
++++ b/include/target/iscsi/iscsi_target_core.h
+@@ -602,6 +602,11 @@ struct iscsi_conn {
+ struct iscsi_session *sess;
+ /* Pointer to thread_set in use for this conn's threads */
+ struct iscsi_thread_set *thread_set;
++ int bitmap_id;
++ int rx_thread_active;
++ struct task_struct *rx_thread;
++ int tx_thread_active;
++ struct task_struct *tx_thread;
+ /* list_head for session connection list */
+ struct list_head conn_list;
+ } ____cacheline_aligned;
+@@ -871,10 +876,12 @@ struct iscsit_global {
+ /* Unique identifier used for the authentication daemon */
+ u32 auth_id;
+ u32 inactive_ts;
++#define ISCSIT_BITMAP_BITS 262144
+ /* Thread Set bitmap count */
+ int ts_bitmap_count;
+ /* Thread Set bitmap pointer */
+ unsigned long *ts_bitmap;
++ spinlock_t ts_bitmap_lock;
+ /* Used for iSCSI discovery session authentication */
+ struct iscsi_node_acl discovery_acl;
+ struct iscsi_portal_group *discovery_tpg;
+diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
+index 672150b..985ca4c 100644
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -524,7 +524,7 @@ struct se_cmd {
+ sense_reason_t (*execute_cmd)(struct se_cmd *);
+ sense_reason_t (*execute_rw)(struct se_cmd *, struct scatterlist *,
+ u32, enum dma_data_direction);
+- sense_reason_t (*transport_complete_callback)(struct se_cmd *);
++ sense_reason_t (*transport_complete_callback)(struct se_cmd *, bool);
+
+ unsigned char *t_task_cdb;
+ unsigned char __t_task_cdb[TCM_MAX_COMMAND_SIZE];
+diff --git a/include/uapi/linux/nfsd/debug.h b/include/uapi/linux/nfsd/debug.h
+index 0bf130a..28ec6c9 100644
+--- a/include/uapi/linux/nfsd/debug.h
++++ b/include/uapi/linux/nfsd/debug.h
+@@ -12,14 +12,6 @@
+ #include <linux/sunrpc/debug.h>
+
+ /*
+- * Enable debugging for nfsd.
+- * Requires RPC_DEBUG.
+- */
+-#if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
+-# define NFSD_DEBUG 1
+-#endif
+-
+-/*
+ * knfsd debug flags
+ */
+ #define NFSDDBG_SOCK 0x0001
+diff --git a/include/video/samsung_fimd.h b/include/video/samsung_fimd.h
+index a20e4a3..847a0a2 100644
+--- a/include/video/samsung_fimd.h
++++ b/include/video/samsung_fimd.h
+@@ -436,6 +436,12 @@
+ #define BLENDCON_NEW_8BIT_ALPHA_VALUE (1 << 0)
+ #define BLENDCON_NEW_4BIT_ALPHA_VALUE (0 << 0)
+
++/* Display port clock control */
++#define DP_MIE_CLKCON 0x27c
++#define DP_MIE_CLK_DISABLE 0x0
++#define DP_MIE_CLK_DP_ENABLE 0x2
++#define DP_MIE_CLK_MIE_ENABLE 0x3
++
+ /* Notes on per-window bpp settings
+ *
+ * Value Win0 Win1 Win2 Win3 Win 4
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 36508e6..5d8ea3d 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -755,7 +755,7 @@ static int check_func_arg(struct verifier_env *env, u32 regno,
+ enum bpf_reg_type expected_type;
+ int err = 0;
+
+- if (arg_type == ARG_ANYTHING)
++ if (arg_type == ARG_DONTCARE)
+ return 0;
+
+ if (reg->type == NOT_INIT) {
+@@ -763,6 +763,9 @@ static int check_func_arg(struct verifier_env *env, u32 regno,
+ return -EACCES;
+ }
+
++ if (arg_type == ARG_ANYTHING)
++ return 0;
++
+ if (arg_type == ARG_PTR_TO_STACK || arg_type == ARG_PTR_TO_MAP_KEY ||
+ arg_type == ARG_PTR_TO_MAP_VALUE) {
+ expected_type = PTR_TO_STACK;
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 227fec3..9a34bd8 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -697,6 +697,8 @@ static int ptrace_peek_siginfo(struct task_struct *child,
+ static int ptrace_resume(struct task_struct *child, long request,
+ unsigned long data)
+ {
++ bool need_siglock;
++
+ if (!valid_signal(data))
+ return -EIO;
+
+@@ -724,8 +726,26 @@ static int ptrace_resume(struct task_struct *child, long request,
+ user_disable_single_step(child);
+ }
+
++ /*
++ * Change ->exit_code and ->state under siglock to avoid the race
++ * with wait_task_stopped() in between; a non-zero ->exit_code will
++ * wrongly look like another report from tracee.
++ *
++ * Note that we need siglock even if ->exit_code == data and/or this
++ * status was not reported yet, the new status must not be cleared by
++ * wait_task_stopped() after resume.
++ *
++ * If data == 0 we do not care if wait_task_stopped() reports the old
++ * status and clears the code too; this can't race with the tracee, it
++ * takes siglock after resume.
++ */
++ need_siglock = data && !thread_group_empty(current);
++ if (need_siglock)
++ spin_lock_irq(&child->sighand->siglock);
+ child->exit_code = data;
+ wake_up_state(child, __TASK_TRACED);
++ if (need_siglock)
++ spin_unlock_irq(&child->sighand->siglock);
+
+ return 0;
+ }
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 62671f5..3d5f6f6 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -996,6 +996,13 @@ void check_preempt_curr(struct rq *rq, struct task_struct *p, int flags)
+ rq_clock_skip_update(rq, true);
+ }
+
++static ATOMIC_NOTIFIER_HEAD(task_migration_notifier);
++
++void register_task_migration_notifier(struct notifier_block *n)
++{
++ atomic_notifier_chain_register(&task_migration_notifier, n);
++}
++
+ #ifdef CONFIG_SMP
+ void set_task_cpu(struct task_struct *p, unsigned int new_cpu)
+ {
+@@ -1026,10 +1033,18 @@ void set_task_cpu(struct task_struct *p, unsigned int new_cpu)
+ trace_sched_migrate_task(p, new_cpu);
+
+ if (task_cpu(p) != new_cpu) {
++ struct task_migration_notifier tmn;
++
+ if (p->sched_class->migrate_task_rq)
+ p->sched_class->migrate_task_rq(p, new_cpu);
+ p->se.nr_migrations++;
+ perf_sw_event_sched(PERF_COUNT_SW_CPU_MIGRATIONS, 1, 0);
++
++ tmn.task = p;
++ tmn.from_cpu = task_cpu(p);
++ tmn.to_cpu = new_cpu;
++
++ atomic_notifier_call_chain(&task_migration_notifier, 0, &tmn);
+ }
+
+ __set_task_cpu(p, new_cpu);
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index 3fa8fa6..f670cbb 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -514,7 +514,7 @@ static enum hrtimer_restart dl_task_timer(struct hrtimer *timer)
+ unsigned long flags;
+ struct rq *rq;
+
+- rq = task_rq_lock(current, &flags);
++ rq = task_rq_lock(p, &flags);
+
+ /*
+ * We need to take care of several possible races here:
+@@ -569,7 +569,7 @@ static enum hrtimer_restart dl_task_timer(struct hrtimer *timer)
+ push_dl_task(rq);
+ #endif
+ unlock:
+- task_rq_unlock(rq, current, &flags);
++ task_rq_unlock(rq, p, &flags);
+
+ return HRTIMER_NORESTART;
+ }
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index 5040d44..922048a 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -2679,7 +2679,7 @@ static DEFINE_PER_CPU(unsigned int, current_context);
+
+ static __always_inline int trace_recursive_lock(void)
+ {
+- unsigned int val = this_cpu_read(current_context);
++ unsigned int val = __this_cpu_read(current_context);
+ int bit;
+
+ if (in_interrupt()) {
+@@ -2696,18 +2696,17 @@ static __always_inline int trace_recursive_lock(void)
+ return 1;
+
+ val |= (1 << bit);
+- this_cpu_write(current_context, val);
++ __this_cpu_write(current_context, val);
+
+ return 0;
+ }
+
+ static __always_inline void trace_recursive_unlock(void)
+ {
+- unsigned int val = this_cpu_read(current_context);
++ unsigned int val = __this_cpu_read(current_context);
+
+- val--;
+- val &= this_cpu_read(current_context);
+- this_cpu_write(current_context, val);
++ val &= val & (val - 1);
++ __this_cpu_write(current_context, val);
+ }
+
+ #else
+diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
+index db54dda..a9c10a3 100644
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -565,6 +565,7 @@ static int __ftrace_set_clr_event(struct trace_array *tr, const char *match,
+ static int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set)
+ {
+ char *event = NULL, *sub = NULL, *match;
++ int ret;
+
+ /*
+ * The buf format can be <subsystem>:<event-name>
+@@ -590,7 +591,13 @@ static int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set)
+ event = NULL;
+ }
+
+- return __ftrace_set_clr_event(tr, match, sub, event, set);
++ ret = __ftrace_set_clr_event(tr, match, sub, event, set);
++
++ /* Put back the colon to allow this to be called again */
++ if (buf)
++ *(buf - 1) = ':';
++
++ return ret;
+ }
+
+ /**
+diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
+index 2d25ad1..b6fce36 100644
+--- a/kernel/trace/trace_functions_graph.c
++++ b/kernel/trace/trace_functions_graph.c
+@@ -1309,15 +1309,19 @@ void graph_trace_open(struct trace_iterator *iter)
+ {
+ /* pid and depth on the last trace processed */
+ struct fgraph_data *data;
++ gfp_t gfpflags;
+ int cpu;
+
+ iter->private = NULL;
+
+- data = kzalloc(sizeof(*data), GFP_KERNEL);
++ /* We can be called in atomic context via ftrace_dump() */
++ gfpflags = (in_atomic() || irqs_disabled()) ? GFP_ATOMIC : GFP_KERNEL;
++
++ data = kzalloc(sizeof(*data), gfpflags);
+ if (!data)
+ goto out_err;
+
+- data->cpu_data = alloc_percpu(struct fgraph_cpu_data);
++ data->cpu_data = alloc_percpu_gfp(struct fgraph_cpu_data, gfpflags);
+ if (!data->cpu_data)
+ goto out_err_free;
+
+diff --git a/lib/string.c b/lib/string.c
+index ce81aae..a579201 100644
+--- a/lib/string.c
++++ b/lib/string.c
+@@ -607,7 +607,7 @@ EXPORT_SYMBOL(memset);
+ void memzero_explicit(void *s, size_t count)
+ {
+ memset(s, 0, count);
+- OPTIMIZER_HIDE_VAR(s);
++ barrier();
+ }
+ EXPORT_SYMBOL(memzero_explicit);
+
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index 6817b03..956d4db 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2316,8 +2316,14 @@ static struct page
+ struct vm_area_struct *vma, unsigned long address,
+ int node)
+ {
++ gfp_t flags;
++
+ VM_BUG_ON_PAGE(*hpage, *hpage);
+
++ /* Only allocate from the target node */
++ flags = alloc_hugepage_gfpmask(khugepaged_defrag(), __GFP_OTHER_NODE) |
++ __GFP_THISNODE;
++
+ /*
+ * Before allocating the hugepage, release the mmap_sem read lock.
+ * The allocation can take potentially a long time if it involves
+@@ -2326,8 +2332,7 @@ static struct page
+ */
+ up_read(&mm->mmap_sem);
+
+- *hpage = alloc_pages_exact_node(node, alloc_hugepage_gfpmask(
+- khugepaged_defrag(), __GFP_OTHER_NODE), HPAGE_PMD_ORDER);
++ *hpage = alloc_pages_exact_node(node, flags, HPAGE_PMD_ORDER);
+ if (unlikely(!*hpage)) {
+ count_vm_event(THP_COLLAPSE_ALLOC_FAILED);
+ *hpage = ERR_PTR(-ENOMEM);
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index c41b2a0..caad3c5 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3735,8 +3735,7 @@ retry:
+ if (!pmd_huge(*pmd))
+ goto out;
+ if (pmd_present(*pmd)) {
+- page = pte_page(*(pte_t *)pmd) +
+- ((address & ~PMD_MASK) >> PAGE_SHIFT);
++ page = pmd_page(*pmd) + ((address & ~PMD_MASK) >> PAGE_SHIFT);
+ if (flags & FOLL_GET)
+ get_page(page);
+ } else {
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index 4721046..de5dc5e 100644
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -1985,7 +1985,8 @@ retry_cpuset:
+ nmask = policy_nodemask(gfp, pol);
+ if (!nmask || node_isset(node, *nmask)) {
+ mpol_cond_put(pol);
+- page = alloc_pages_exact_node(node, gfp, order);
++ page = alloc_pages_exact_node(node,
++ gfp | __GFP_THISNODE, order);
+ goto out;
+ }
+ }
+diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
+index 0ee453f..f371cbf 100644
+--- a/net/bridge/br_netfilter.c
++++ b/net/bridge/br_netfilter.c
+@@ -651,6 +651,13 @@ static int br_nf_forward_finish(struct sk_buff *skb)
+ struct net_device *in;
+
+ if (!IS_ARP(skb) && !IS_VLAN_ARP(skb)) {
++ int frag_max_size;
++
++ if (skb->protocol == htons(ETH_P_IP)) {
++ frag_max_size = IPCB(skb)->frag_max_size;
++ BR_INPUT_SKB_CB(skb)->frag_max_size = frag_max_size;
++ }
++
+ in = nf_bridge->physindev;
+ if (nf_bridge->mask & BRNF_PKT_TYPE) {
+ skb->pkt_type = PACKET_OTHERHOST;
+@@ -710,8 +717,14 @@ static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
+ nf_bridge->mask |= BRNF_PKT_TYPE;
+ }
+
+- if (pf == NFPROTO_IPV4 && br_parse_ip_options(skb))
+- return NF_DROP;
++ if (pf == NFPROTO_IPV4) {
++ int frag_max = BR_INPUT_SKB_CB(skb)->frag_max_size;
++
++ if (br_parse_ip_options(skb))
++ return NF_DROP;
++
++ IPCB(skb)->frag_max_size = frag_max;
++ }
+
+ /* The physdev module checks on this */
+ nf_bridge->mask |= BRNF_BRIDGED;
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 45109b7..22a53ac 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3041,7 +3041,7 @@ static struct rps_dev_flow *
+ set_rps_cpu(struct net_device *dev, struct sk_buff *skb,
+ struct rps_dev_flow *rflow, u16 next_cpu)
+ {
+- if (next_cpu != RPS_NO_CPU) {
++ if (next_cpu < nr_cpu_ids) {
+ #ifdef CONFIG_RFS_ACCEL
+ struct netdev_rx_queue *rxqueue;
+ struct rps_dev_flow_table *flow_table;
+@@ -3146,7 +3146,7 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
+ * If the desired CPU (where last recvmsg was done) is
+ * different from current CPU (one in the rx-queue flow
+ * table entry), switch if one of the following holds:
+- * - Current CPU is unset (equal to RPS_NO_CPU).
++ * - Current CPU is unset (>= nr_cpu_ids).
+ * - Current CPU is offline.
+ * - The current CPU's queue tail has advanced beyond the
+ * last packet that was enqueued using this table entry.
+@@ -3154,14 +3154,14 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
+ * have been dequeued, thus preserving in order delivery.
+ */
+ if (unlikely(tcpu != next_cpu) &&
+- (tcpu == RPS_NO_CPU || !cpu_online(tcpu) ||
++ (tcpu >= nr_cpu_ids || !cpu_online(tcpu) ||
+ ((int)(per_cpu(softnet_data, tcpu).input_queue_head -
+ rflow->last_qtail)) >= 0)) {
+ tcpu = next_cpu;
+ rflow = set_rps_cpu(dev, skb, rflow, next_cpu);
+ }
+
+- if (tcpu != RPS_NO_CPU && cpu_online(tcpu)) {
++ if (tcpu < nr_cpu_ids && cpu_online(tcpu)) {
+ *rflowp = rflow;
+ cpu = tcpu;
+ goto done;
+@@ -3202,14 +3202,14 @@ bool rps_may_expire_flow(struct net_device *dev, u16 rxq_index,
+ struct rps_dev_flow_table *flow_table;
+ struct rps_dev_flow *rflow;
+ bool expire = true;
+- int cpu;
++ unsigned int cpu;
+
+ rcu_read_lock();
+ flow_table = rcu_dereference(rxqueue->rps_flow_table);
+ if (flow_table && flow_id <= flow_table->mask) {
+ rflow = &flow_table->flows[flow_id];
+ cpu = ACCESS_ONCE(rflow->cpu);
+- if (rflow->filter == filter_id && cpu != RPS_NO_CPU &&
++ if (rflow->filter == filter_id && cpu < nr_cpu_ids &&
+ ((int)(per_cpu(softnet_data, cpu).input_queue_head -
+ rflow->last_qtail) <
+ (int)(10 * flow_table->mask)))
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 98d45fe..e9f9a15 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -280,13 +280,14 @@ nodata:
+ EXPORT_SYMBOL(__alloc_skb);
+
+ /**
+- * build_skb - build a network buffer
++ * __build_skb - build a network buffer
+ * @data: data buffer provided by caller
+- * @frag_size: size of fragment, or 0 if head was kmalloced
++ * @frag_size: size of data, or 0 if head was kmalloced
+ *
+ * Allocate a new &sk_buff. Caller provides space holding head and
+ * skb_shared_info. @data must have been allocated by kmalloc() only if
+- * @frag_size is 0, otherwise data should come from the page allocator.
++ * @frag_size is 0, otherwise data should come from the page allocator
++ * or vmalloc()
+ * The return is the new skb buffer.
+ * On a failure the return is %NULL, and @data is not freed.
+ * Notes :
+@@ -297,7 +298,7 @@ EXPORT_SYMBOL(__alloc_skb);
+ * before giving packet to stack.
+ * RX rings only contains data buffers, not full skbs.
+ */
+-struct sk_buff *build_skb(void *data, unsigned int frag_size)
++struct sk_buff *__build_skb(void *data, unsigned int frag_size)
+ {
+ struct skb_shared_info *shinfo;
+ struct sk_buff *skb;
+@@ -311,7 +312,6 @@ struct sk_buff *build_skb(void *data, unsigned int frag_size)
+
+ memset(skb, 0, offsetof(struct sk_buff, tail));
+ skb->truesize = SKB_TRUESIZE(size);
+- skb->head_frag = frag_size != 0;
+ atomic_set(&skb->users, 1);
+ skb->head = data;
+ skb->data = data;
+@@ -328,6 +328,23 @@ struct sk_buff *build_skb(void *data, unsigned int frag_size)
+
+ return skb;
+ }
++
++/* build_skb() is wrapper over __build_skb(), that specifically
++ * takes care of skb->head and skb->pfmemalloc
++ * This means that if @frag_size is not zero, then @data must be backed
++ * by a page fragment, not kmalloc() or vmalloc()
++ */
++struct sk_buff *build_skb(void *data, unsigned int frag_size)
++{
++ struct sk_buff *skb = __build_skb(data, frag_size);
++
++ if (skb && frag_size) {
++ skb->head_frag = 1;
++ if (virt_to_head_page(data)->pfmemalloc)
++ skb->pfmemalloc = 1;
++ }
++ return skb;
++}
+ EXPORT_SYMBOL(build_skb);
+
+ struct netdev_alloc_cache {
+@@ -348,7 +365,8 @@ static struct page *__page_frag_refill(struct netdev_alloc_cache *nc,
+ gfp_t gfp = gfp_mask;
+
+ if (order) {
+- gfp_mask |= __GFP_COMP | __GFP_NOWARN | __GFP_NORETRY;
++ gfp_mask |= __GFP_COMP | __GFP_NOWARN | __GFP_NORETRY |
++ __GFP_NOMEMALLOC;
+ page = alloc_pages_node(NUMA_NO_NODE, gfp_mask, order);
+ nc->frag.size = PAGE_SIZE << (page ? order : 0);
+ }
+diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
+index d9bc28a..53bd53f 100644
+--- a/net/ipv4/ip_forward.c
++++ b/net/ipv4/ip_forward.c
+@@ -82,6 +82,9 @@ int ip_forward(struct sk_buff *skb)
+ if (skb->pkt_type != PACKET_HOST)
+ goto drop;
+
++ if (unlikely(skb->sk))
++ goto drop;
++
+ if (skb_warn_if_lro(skb))
+ goto drop;
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index d520492..9d48dc4 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2751,39 +2751,65 @@ begin_fwd:
+ }
+ }
+
+-/* Send a fin. The caller locks the socket for us. This cannot be
+- * allowed to fail queueing a FIN frame under any circumstances.
++/* We allow to exceed memory limits for FIN packets to expedite
++ * connection tear down and (memory) recovery.
++ * Otherwise tcp_send_fin() could be tempted to either delay FIN
++ * or even be forced to close flow without any FIN.
++ */
++static void sk_forced_wmem_schedule(struct sock *sk, int size)
++{
++ int amt, status;
++
++ if (size <= sk->sk_forward_alloc)
++ return;
++ amt = sk_mem_pages(size);
++ sk->sk_forward_alloc += amt * SK_MEM_QUANTUM;
++ sk_memory_allocated_add(sk, amt, &status);
++}
++
++/* Send a FIN. The caller locks the socket for us.
++ * We should try to send a FIN packet really hard, but eventually give up.
+ */
+ void tcp_send_fin(struct sock *sk)
+ {
++ struct sk_buff *skb, *tskb = tcp_write_queue_tail(sk);
+ struct tcp_sock *tp = tcp_sk(sk);
+- struct sk_buff *skb = tcp_write_queue_tail(sk);
+- int mss_now;
+
+- /* Optimization, tack on the FIN if we have a queue of
+- * unsent frames. But be careful about outgoing SACKS
+- * and IP options.
++ /* Optimization, tack on the FIN if we have one skb in write queue and
++ * this skb was not yet sent, or we are under memory pressure.
++ * Note: in the latter case, FIN packet will be sent after a timeout,
++ * as TCP stack thinks it has already been transmitted.
+ */
+- mss_now = tcp_current_mss(sk);
+-
+- if (tcp_send_head(sk) != NULL) {
+- TCP_SKB_CB(skb)->tcp_flags |= TCPHDR_FIN;
+- TCP_SKB_CB(skb)->end_seq++;
++ if (tskb && (tcp_send_head(sk) || sk_under_memory_pressure(sk))) {
++coalesce:
++ TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN;
++ TCP_SKB_CB(tskb)->end_seq++;
+ tp->write_seq++;
++ if (!tcp_send_head(sk)) {
++ /* This means tskb was already sent.
++ * Pretend we included the FIN on previous transmit.
++ * We need to set tp->snd_nxt to the value it would have
++ * if FIN had been sent. This is because retransmit path
++ * does not change tp->snd_nxt.
++ */
++ tp->snd_nxt++;
++ return;
++ }
+ } else {
+- /* Socket is locked, keep trying until memory is available. */
+- for (;;) {
+- skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation);
+- if (skb)
+- break;
+- yield();
++ skb = alloc_skb_fclone(MAX_TCP_HEADER, sk->sk_allocation);
++ if (unlikely(!skb)) {
++ if (tskb)
++ goto coalesce;
++ return;
+ }
++ skb_reserve(skb, MAX_TCP_HEADER);
++ sk_forced_wmem_schedule(sk, skb->truesize);
+ /* FIN eats a sequence byte, write_seq advanced by tcp_queue_skb(). */
+ tcp_init_nondata_skb(skb, tp->write_seq,
+ TCPHDR_ACK | TCPHDR_FIN);
+ tcp_queue_skb(sk, skb);
+ }
+- __tcp_push_pending_frames(sk, mss_now, TCP_NAGLE_OFF);
++ __tcp_push_pending_frames(sk, tcp_current_mss(sk), TCP_NAGLE_OFF);
+ }
+
+ /* We get here when a process closes a file descriptor (either due to
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 142f66a..0ca013d 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2260,7 +2260,7 @@ static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
+ else
+ ssid_len = ssid[1];
+
+- ieee80211_send_probe_req(sdata, sdata->vif.addr, NULL,
++ ieee80211_send_probe_req(sdata, sdata->vif.addr, dst,
+ ssid + 2, ssid_len, NULL,
+ 0, (u32) -1, true, 0,
+ ifmgd->associated->channel, false);
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 05919bf..d1d7a81 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1616,13 +1616,11 @@ static struct sk_buff *netlink_alloc_large_skb(unsigned int size,
+ if (data == NULL)
+ return NULL;
+
+- skb = build_skb(data, size);
++ skb = __build_skb(data, size);
+ if (skb == NULL)
+ vfree(data);
+- else {
+- skb->head_frag = 0;
++ else
+ skb->destructor = netlink_skb_destructor;
+- }
+
+ return skb;
+ }
+diff --git a/sound/pci/emu10k1/emuproc.c b/sound/pci/emu10k1/emuproc.c
+index 2ca9f2e..53745f4 100644
+--- a/sound/pci/emu10k1/emuproc.c
++++ b/sound/pci/emu10k1/emuproc.c
+@@ -241,31 +241,22 @@ static void snd_emu10k1_proc_spdif_read(struct snd_info_entry *entry,
+ struct snd_emu10k1 *emu = entry->private_data;
+ u32 value;
+ u32 value2;
+- unsigned long flags;
+ u32 rate;
+
+ if (emu->card_capabilities->emu_model) {
+- spin_lock_irqsave(&emu->emu_lock, flags);
+ snd_emu1010_fpga_read(emu, 0x38, &value);
+- spin_unlock_irqrestore(&emu->emu_lock, flags);
+ if ((value & 0x1) == 0) {
+- spin_lock_irqsave(&emu->emu_lock, flags);
+ snd_emu1010_fpga_read(emu, 0x2a, &value);
+ snd_emu1010_fpga_read(emu, 0x2b, &value2);
+- spin_unlock_irqrestore(&emu->emu_lock, flags);
+ rate = 0x1770000 / (((value << 5) | value2)+1);
+ snd_iprintf(buffer, "ADAT Locked : %u\n", rate);
+ } else {
+ snd_iprintf(buffer, "ADAT Unlocked\n");
+ }
+- spin_lock_irqsave(&emu->emu_lock, flags);
+ snd_emu1010_fpga_read(emu, 0x20, &value);
+- spin_unlock_irqrestore(&emu->emu_lock, flags);
+ if ((value & 0x4) == 0) {
+- spin_lock_irqsave(&emu->emu_lock, flags);
+ snd_emu1010_fpga_read(emu, 0x28, &value);
+ snd_emu1010_fpga_read(emu, 0x29, &value2);
+- spin_unlock_irqrestore(&emu->emu_lock, flags);
+ rate = 0x1770000 / (((value << 5) | value2)+1);
+ snd_iprintf(buffer, "SPDIF Locked : %d\n", rate);
+ } else {
+@@ -410,14 +401,11 @@ static void snd_emu_proc_emu1010_reg_read(struct snd_info_entry *entry,
+ {
+ struct snd_emu10k1 *emu = entry->private_data;
+ u32 value;
+- unsigned long flags;
+ int i;
+ snd_iprintf(buffer, "EMU1010 Registers:\n\n");
+
+ for(i = 0; i < 0x40; i+=1) {
+- spin_lock_irqsave(&emu->emu_lock, flags);
+ snd_emu1010_fpga_read(emu, i, &value);
+- spin_unlock_irqrestore(&emu->emu_lock, flags);
+ snd_iprintf(buffer, "%02X: %08X, %02X\n", i, value, (value >> 8) & 0x7f);
+ }
+ }
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index f9d12c0..2fd490b 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5047,12 +5047,14 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x2212, "Thinkpad T440", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x2214, "Thinkpad X240", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x2215, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
+ SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x5026, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x17aa, 0x5034, "Thinkpad T450", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x5036, "Thinkpad T450s", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x5109, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K),
+@@ -5142,6 +5144,16 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
+ {0x1b, 0x411111f0}, \
+ {0x1e, 0x411111f0}
+
++#define ALC256_STANDARD_PINS \
++ {0x12, 0x90a60140}, \
++ {0x14, 0x90170110}, \
++ {0x19, 0x411111f0}, \
++ {0x1a, 0x411111f0}, \
++ {0x1b, 0x411111f0}, \
++ {0x1d, 0x40700001}, \
++ {0x1e, 0x411111f0}, \
++ {0x21, 0x02211020}
++
+ #define ALC282_STANDARD_PINS \
+ {0x14, 0x90170110}, \
+ {0x18, 0x411111f0}, \
+@@ -5235,15 +5247,11 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
+ {0x1d, 0x40700001},
+ {0x21, 0x02211050}),
+ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+- {0x12, 0x90a60140},
+- {0x13, 0x40000000},
+- {0x14, 0x90170110},
+- {0x19, 0x411111f0},
+- {0x1a, 0x411111f0},
+- {0x1b, 0x411111f0},
+- {0x1d, 0x40700001},
+- {0x1e, 0x411111f0},
+- {0x21, 0x02211020}),
++ ALC256_STANDARD_PINS,
++ {0x13, 0x40000000}),
++ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
++ ALC256_STANDARD_PINS,
++ {0x13, 0x411111f0}),
+ SND_HDA_PIN_QUIRK(0x10ec0280, 0x103c, "HP", ALC280_FIXUP_HP_GPIO4,
+ {0x12, 0x90a60130},
+ {0x13, 0x40000000},
+@@ -5563,6 +5571,8 @@ static int patch_alc269(struct hda_codec *codec)
+ break;
+ case 0x10ec0256:
+ spec->codec_variant = ALC269_TYPE_ALC256;
++ spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */
++ alc_update_coef_idx(codec, 0x36, 1 << 13, 1 << 5); /* Switch pcbeep path to Line in path*/
+ break;
+ }
+
+@@ -5576,8 +5586,8 @@ static int patch_alc269(struct hda_codec *codec)
+ if (err < 0)
+ goto error;
+
+- if (!spec->gen.no_analog && spec->gen.beep_nid)
+- set_beep_amp(spec, 0x0b, 0x04, HDA_INPUT);
++ if (!spec->gen.no_analog && spec->gen.beep_nid && spec->gen.mixer_nid)
++ set_beep_amp(spec, spec->gen.mixer_nid, 0x04, HDA_INPUT);
+
+ codec->patch_ops = alc_patch_ops;
+ #ifdef CONFIG_PM
+diff --git a/sound/soc/codecs/cs4271.c b/sound/soc/codecs/cs4271.c
+index 7d3a6ac..e770ee6 100644
+--- a/sound/soc/codecs/cs4271.c
++++ b/sound/soc/codecs/cs4271.c
+@@ -561,10 +561,10 @@ static int cs4271_codec_probe(struct snd_soc_codec *codec)
+ if (gpio_is_valid(cs4271->gpio_nreset)) {
+ /* Reset codec */
+ gpio_direction_output(cs4271->gpio_nreset, 0);
+- udelay(1);
++ mdelay(1);
+ gpio_set_value(cs4271->gpio_nreset, 1);
+ /* Give the codec time to wake up */
+- udelay(1);
++ mdelay(1);
+ }
+
+ ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2,
+diff --git a/sound/soc/codecs/pcm512x.c b/sound/soc/codecs/pcm512x.c
+index 474cae8..8c09e3f 100644
+--- a/sound/soc/codecs/pcm512x.c
++++ b/sound/soc/codecs/pcm512x.c
+@@ -304,9 +304,9 @@ static const struct soc_enum pcm512x_veds =
+ static const struct snd_kcontrol_new pcm512x_controls[] = {
+ SOC_DOUBLE_R_TLV("Digital Playback Volume", PCM512x_DIGITAL_VOLUME_2,
+ PCM512x_DIGITAL_VOLUME_3, 0, 255, 1, digital_tlv),
+-SOC_DOUBLE_TLV("Playback Volume", PCM512x_ANALOG_GAIN_CTRL,
++SOC_DOUBLE_TLV("Analogue Playback Volume", PCM512x_ANALOG_GAIN_CTRL,
+ PCM512x_LAGN_SHIFT, PCM512x_RAGN_SHIFT, 1, 1, analog_tlv),
+-SOC_DOUBLE_TLV("Playback Boost Volume", PCM512x_ANALOG_GAIN_BOOST,
++SOC_DOUBLE_TLV("Analogue Playback Boost Volume", PCM512x_ANALOG_GAIN_BOOST,
+ PCM512x_AGBL_SHIFT, PCM512x_AGBR_SHIFT, 1, 0, boost_tlv),
+ SOC_DOUBLE("Digital Playback Switch", PCM512x_MUTE, PCM512x_RQML_SHIFT,
+ PCM512x_RQMR_SHIFT, 1, 1),
+@@ -576,8 +576,8 @@ static int pcm512x_find_pll_coeff(struct snd_soc_dai *dai,
+
+ /* pllin_rate / P (or here, den) cannot be greater than 20 MHz */
+ if (pllin_rate / den > 20000000 && num < 8) {
+- num *= 20000000 / (pllin_rate / den);
+- den *= 20000000 / (pllin_rate / den);
++ num *= DIV_ROUND_UP(pllin_rate / den, 20000000);
++ den *= DIV_ROUND_UP(pllin_rate / den, 20000000);
+ }
+ dev_dbg(dev, "num / den = %lu / %lu\n", num, den);
+
+diff --git a/sound/soc/codecs/wm8741.c b/sound/soc/codecs/wm8741.c
+index 31bb480..9e71c76 100644
+--- a/sound/soc/codecs/wm8741.c
++++ b/sound/soc/codecs/wm8741.c
+@@ -123,7 +123,7 @@ static struct {
+ };
+
+ static const unsigned int rates_11289[] = {
+- 44100, 88235,
++ 44100, 88200,
+ };
+
+ static const struct snd_pcm_hw_constraint_list constraints_11289 = {
+@@ -150,7 +150,7 @@ static const struct snd_pcm_hw_constraint_list constraints_16384 = {
+ };
+
+ static const unsigned int rates_16934[] = {
+- 44100, 88235,
++ 44100, 88200,
+ };
+
+ static const struct snd_pcm_hw_constraint_list constraints_16934 = {
+@@ -168,7 +168,7 @@ static const struct snd_pcm_hw_constraint_list constraints_18432 = {
+ };
+
+ static const unsigned int rates_22579[] = {
+- 44100, 88235, 1764000
++ 44100, 88200, 176400
+ };
+
+ static const struct snd_pcm_hw_constraint_list constraints_22579 = {
+@@ -186,7 +186,7 @@ static const struct snd_pcm_hw_constraint_list constraints_24576 = {
+ };
+
+ static const unsigned int rates_36864[] = {
+- 48000, 96000, 19200
++ 48000, 96000, 192000
+ };
+
+ static const struct snd_pcm_hw_constraint_list constraints_36864 = {
+diff --git a/sound/soc/davinci/davinci-evm.c b/sound/soc/davinci/davinci-evm.c
+index b6bb594..8c2b9be 100644
+--- a/sound/soc/davinci/davinci-evm.c
++++ b/sound/soc/davinci/davinci-evm.c
+@@ -425,18 +425,8 @@ static int davinci_evm_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+-static int davinci_evm_remove(struct platform_device *pdev)
+-{
+- struct snd_soc_card *card = platform_get_drvdata(pdev);
+-
+- snd_soc_unregister_card(card);
+-
+- return 0;
+-}
+-
+ static struct platform_driver davinci_evm_driver = {
+ .probe = davinci_evm_probe,
+- .remove = davinci_evm_remove,
+ .driver = {
+ .name = "davinci_evm",
+ .pm = &snd_soc_pm_ops,
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 9a28365..32631a8 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1115,6 +1115,7 @@ bool snd_usb_get_sample_rate_quirk(struct snd_usb_audio *chip)
+ {
+ /* devices which do not support reading the sample rate. */
+ switch (chip->usb_id) {
++ case USB_ID(0x045E, 0x075D): /* MS Lifecam Cinema */
+ case USB_ID(0x045E, 0x076D): /* MS Lifecam HD-5000 */
+ case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */
+ return true;
+diff --git a/tools/lib/traceevent/kbuffer-parse.c b/tools/lib/traceevent/kbuffer-parse.c
+index dcc6652..deb3569 100644
+--- a/tools/lib/traceevent/kbuffer-parse.c
++++ b/tools/lib/traceevent/kbuffer-parse.c
+@@ -372,7 +372,6 @@ translate_data(struct kbuffer *kbuf, void *data, void **rptr,
+ switch (type_len) {
+ case KBUFFER_TYPE_PADDING:
+ *length = read_4(kbuf, data);
+- data += *length;
+ break;
+
+ case KBUFFER_TYPE_TIME_EXTEND:
+diff --git a/tools/perf/config/Makefile b/tools/perf/config/Makefile
+index cc22408..0884d31 100644
+--- a/tools/perf/config/Makefile
++++ b/tools/perf/config/Makefile
+@@ -651,7 +651,7 @@ ifeq (${IS_64_BIT}, 1)
+ NO_PERF_READ_VDSO32 := 1
+ endif
+ endif
+- ifneq (${IS_X86_64}, 1)
++ ifneq ($(ARCH), x86)
+ NO_PERF_READ_VDSOX32 := 1
+ endif
+ ifndef NO_PERF_READ_VDSOX32
+@@ -699,7 +699,7 @@ sysconfdir = $(prefix)/etc
+ ETC_PERFCONFIG = etc/perfconfig
+ endif
+ ifndef lib
+-ifeq ($(IS_X86_64),1)
++ifeq ($(ARCH)$(IS_64_BIT), x861)
+ lib = lib64
+ else
+ lib = lib
+diff --git a/tools/perf/tests/make b/tools/perf/tests/make
+index 75709d2..bff8532 100644
+--- a/tools/perf/tests/make
++++ b/tools/perf/tests/make
+@@ -5,7 +5,7 @@ include config/Makefile.arch
+
+ # FIXME looks like x86 is the only arch running tests ;-)
+ # we need some IS_(32/64) flag to make this generic
+-ifeq ($(IS_X86_64),1)
++ifeq ($(ARCH)$(IS_64_BIT), x861)
+ lib = lib64
+ else
+ lib = lib
+diff --git a/tools/perf/util/cloexec.c b/tools/perf/util/cloexec.c
+index 6da965b..85b5238 100644
+--- a/tools/perf/util/cloexec.c
++++ b/tools/perf/util/cloexec.c
+@@ -7,6 +7,12 @@
+
+ static unsigned long flag = PERF_FLAG_FD_CLOEXEC;
+
++int __weak sched_getcpu(void)
++{
++ errno = ENOSYS;
++ return -1;
++}
++
+ static int perf_flag_probe(void)
+ {
+ /* use 'safest' configuration as used in perf_evsel__fallback() */
+diff --git a/tools/perf/util/cloexec.h b/tools/perf/util/cloexec.h
+index 94a5a7d..68888c2 100644
+--- a/tools/perf/util/cloexec.h
++++ b/tools/perf/util/cloexec.h
+@@ -3,4 +3,10 @@
+
+ unsigned long perf_event_open_cloexec_flag(void);
+
++#ifdef __GLIBC_PREREQ
++#if !__GLIBC_PREREQ(2, 6)
++extern int sched_getcpu(void) __THROW;
++#endif
++#endif
++
+ #endif /* __PERF_CLOEXEC_H */
+diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
+index 33b7a2a..9bdf007 100644
+--- a/tools/perf/util/symbol-elf.c
++++ b/tools/perf/util/symbol-elf.c
+@@ -74,6 +74,10 @@ static inline uint8_t elf_sym__type(const GElf_Sym *sym)
+ return GELF_ST_TYPE(sym->st_info);
+ }
+
++#ifndef STT_GNU_IFUNC
++#define STT_GNU_IFUNC 10
++#endif
++
+ static inline int elf_sym__is_function(const GElf_Sym *sym)
+ {
+ return (elf_sym__type(sym) == STT_FUNC ||
+diff --git a/tools/power/x86/turbostat/Makefile b/tools/power/x86/turbostat/Makefile
+index d1b3a36..4039854 100644
+--- a/tools/power/x86/turbostat/Makefile
++++ b/tools/power/x86/turbostat/Makefile
+@@ -1,8 +1,12 @@
+ CC = $(CROSS_COMPILE)gcc
+-BUILD_OUTPUT := $(PWD)
++BUILD_OUTPUT := $(CURDIR)
+ PREFIX := /usr
+ DESTDIR :=
+
++ifeq ("$(origin O)", "command line")
++ BUILD_OUTPUT := $(O)
++endif
++
+ turbostat : turbostat.c
+ CFLAGS += -Wall
+ CFLAGS += -DMSRHEADER='"../../../../arch/x86/include/uapi/asm/msr-index.h"'
+diff --git a/virt/kvm/arm/vgic.c b/virt/kvm/arm/vgic.c
+index c9f60f5..e5abe7c 100644
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -1371,6 +1371,9 @@ int kvm_vgic_inject_irq(struct kvm *kvm, int cpuid, unsigned int irq_num,
+ goto out;
+ }
+
++ if (irq_num >= kvm->arch.vgic.nr_irqs)
++ return -EINVAL;
++
+ vcpu_id = vgic_update_irq_pending(kvm, cpuid, irq_num, level);
+ if (vcpu_id >= 0) {
+ /* kick the specified vcpu */
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index cc6a25d..f8f3f5f 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1653,8 +1653,8 @@ int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+ ghc->generation = slots->generation;
+ ghc->len = len;
+ ghc->memslot = gfn_to_memslot(kvm, start_gfn);
+- ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, &nr_pages_avail);
+- if (!kvm_is_error_hva(ghc->hva) && nr_pages_avail >= nr_pages_needed) {
++ ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, NULL);
++ if (!kvm_is_error_hva(ghc->hva) && nr_pages_needed <= 1) {
+ ghc->hva += offset;
+ } else {
+ /*
diff --git a/4.0.1/4420_grsecurity-3.1-4.0.1-201505042053.patch b/4.0.2/4420_grsecurity-3.1-4.0.2-201505091724.patch
index 505b676..86c9e65 100644
--- a/4.0.1/4420_grsecurity-3.1-4.0.1-201505042053.patch
+++ b/4.0.2/4420_grsecurity-3.1-4.0.2-201505091724.patch
@@ -373,7 +373,7 @@ index bfcb1a6..2dae09b 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index f499cd2..37a187f 100644
+index 0649a60..1084563 100644
--- a/Makefile
+++ b/Makefile
@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -381,7 +381,7 @@ index f499cd2..37a187f 100644
HOSTCXX = g++
HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89
-HOSTCXXFLAGS = -O2
-+HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -std=gnu89 -fno-delete-null-pointer-checks
++HOSTCFLAGS = -W -Wno-unused-parameter -Wno-missing-field-initializers -fno-delete-null-pointer-checks
+HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
+HOSTCXXFLAGS = -O2 -Wall -W -Wno-array-bounds
@@ -1678,14 +1678,14 @@ index 6ddbe44..b5e38b1a 100644
static inline void set_domain(unsigned val) { }
static inline void modify_domain(unsigned dom, unsigned type) { }
diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
-index afb9caf..9a0bac0 100644
+index 674d03f..9a0bac0 100644
--- a/arch/arm/include/asm/elf.h
+++ b/arch/arm/include/asm/elf.h
@@ -115,7 +115,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
the loader. We need to make sure that it is out of the way of the program
that it will "exec", and that there is sufficient room for the brk. */
--#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
+-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
+
+#ifdef CONFIG_PAX_ASLR
@@ -2847,10 +2847,10 @@ index 69bda1a..755113a 100644
if (waddr != addr) {
flush_kernel_vmap_range(waddr, twopage ? size / 2 : size);
diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
-index fdfa3a7..5d208b8 100644
+index 2bf1a16..d959d40 100644
--- a/arch/arm/kernel/process.c
+++ b/arch/arm/kernel/process.c
-@@ -207,6 +207,7 @@ void machine_power_off(void)
+@@ -213,6 +213,7 @@ void machine_power_off(void)
if (pm_power_off)
pm_power_off();
@@ -2858,7 +2858,7 @@ index fdfa3a7..5d208b8 100644
}
/*
-@@ -220,7 +221,7 @@ void machine_power_off(void)
+@@ -226,7 +227,7 @@ void machine_power_off(void)
* executing pre-reset code, and using RAM that the primary CPU's code wishes
* to use. Implementing such co-ordination would be essentially impossible.
*/
@@ -2867,7 +2867,7 @@ index fdfa3a7..5d208b8 100644
{
local_irq_disable();
smp_send_stop();
-@@ -246,8 +247,8 @@ void __show_regs(struct pt_regs *regs)
+@@ -252,8 +253,8 @@ void __show_regs(struct pt_regs *regs)
show_regs_print_info(KERN_DEFAULT);
@@ -2878,7 +2878,7 @@ index fdfa3a7..5d208b8 100644
printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n"
"sp : %08lx ip : %08lx fp : %08lx\n",
regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr,
-@@ -424,12 +425,6 @@ unsigned long get_wchan(struct task_struct *p)
+@@ -430,12 +431,6 @@ unsigned long get_wchan(struct task_struct *p)
return 0;
}
@@ -2891,7 +2891,7 @@ index fdfa3a7..5d208b8 100644
#ifdef CONFIG_MMU
#ifdef CONFIG_KUSER_HELPERS
/*
-@@ -445,7 +440,7 @@ static struct vm_area_struct gate_vma = {
+@@ -451,7 +446,7 @@ static struct vm_area_struct gate_vma = {
static int __init gate_vma_init(void)
{
@@ -2900,7 +2900,7 @@ index fdfa3a7..5d208b8 100644
return 0;
}
arch_initcall(gate_vma_init);
-@@ -474,81 +469,13 @@ const char *arch_vma_name(struct vm_area_struct *vma)
+@@ -480,81 +475,13 @@ const char *arch_vma_name(struct vm_area_struct *vma)
return is_gate_vma(vma) ? "[vectors]" : NULL;
}
@@ -3240,7 +3240,7 @@ index b31aa73..cc4b7a1 100644
# ifdef CONFIG_ARM_KERNMEM_PERMS
. = ALIGN(1<<SECTION_SHIFT);
diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
-index 5560f74..1cc00ea 100644
+index b652af5..60231ab 100644
--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -57,7 +57,7 @@ static unsigned long hyp_default_vectors;
@@ -3279,7 +3279,7 @@ index 5560f74..1cc00ea 100644
kvm->arch.vmid = kvm_next_vmid;
kvm_next_vmid++;
-@@ -1088,7 +1088,7 @@ struct kvm_vcpu *kvm_mpidr_to_vcpu(struct kvm *kvm, unsigned long mpidr)
+@@ -1087,7 +1087,7 @@ struct kvm_vcpu *kvm_mpidr_to_vcpu(struct kvm *kvm, unsigned long mpidr)
/**
* Initialize Hyp-mode and memory mappings on all CPUs.
*/
@@ -5094,7 +5094,7 @@ index 836f147..4cf23f5 100644
if (!(addr & ~PAGE_MASK))
goto success;
diff --git a/arch/hexagon/include/asm/cache.h b/arch/hexagon/include/asm/cache.h
-index 69952c1..4fa2908 100644
+index 69952c18..4fa2908 100644
--- a/arch/hexagon/include/asm/cache.h
+++ b/arch/hexagon/include/asm/cache.h
@@ -21,9 +21,11 @@
@@ -6890,7 +6890,7 @@ index 33984c0..666a96d 100644
info.si_code = FPE_INTOVF;
info.si_signo = SIGFPE;
diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
-index c9eccf5..3903621 100644
+index f5e7dda..47198ec 100644
--- a/arch/mips/kvm/mips.c
+++ b/arch/mips/kvm/mips.c
@@ -816,7 +816,7 @@ long kvm_arch_vm_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg)
@@ -24750,7 +24750,7 @@ index f36bd42..0ab4474 100644
+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
+ .endr
diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
-index 6fd514d9..c4221b8 100644
+index 6fd514d9..55fd355 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -20,6 +20,8 @@
@@ -24775,7 +24775,7 @@ index 6fd514d9..c4221b8 100644
.text
__HEAD
-@@ -89,11 +97,24 @@ startup_64:
+@@ -89,11 +97,26 @@ startup_64:
* Fixup the physical addresses in the page table
*/
addq %rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip)
@@ -24791,18 +24791,20 @@ index 6fd514d9..c4221b8 100644
+#ifndef CONFIG_XEN
+ addq %rbp, level3_ident_pgt + (1*8)(%rip)
+#endif
-+
+
+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
+
+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
+ addq %rbp, level3_kernel_pgt + ((L3_START_KERNEL+1)*8)(%rip)
-
++
++ addq %rbp, level2_fixmap_pgt + (504*8)(%rip)
++ addq %rbp, level2_fixmap_pgt + (505*8)(%rip)
addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
/*
* Set up the identity mapping for the switchover. These
-@@ -174,11 +195,12 @@ ENTRY(secondary_startup_64)
+@@ -174,11 +197,12 @@ ENTRY(secondary_startup_64)
* after the boot processor executes this code.
*/
@@ -24817,7 +24819,7 @@ index 6fd514d9..c4221b8 100644
movq %rcx, %cr4
/* Setup early boot stage 4 level pagetables. */
-@@ -199,10 +221,19 @@ ENTRY(secondary_startup_64)
+@@ -199,10 +223,21 @@ ENTRY(secondary_startup_64)
movl $MSR_EFER, %ecx
rdmsr
btsl $_EFER_SCE, %eax /* Enable System Call */
@@ -24832,13 +24834,15 @@ index 6fd514d9..c4221b8 100644
+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_START(%rip)
+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_END(%rip)
+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMEMMAP_START(%rip)
++ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*504(%rip)
++ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*505(%rip)
+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*506(%rip)
+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*507(%rip)
+ btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
1: wrmsr /* Make changes effective */
/* Setup cr0 */
-@@ -282,6 +313,7 @@ ENTRY(secondary_startup_64)
+@@ -282,6 +317,7 @@ ENTRY(secondary_startup_64)
* REX.W + FF /5 JMP m16:64 Jump far, absolute indirect,
* address given in m16:64.
*/
@@ -24846,7 +24850,7 @@ index 6fd514d9..c4221b8 100644
movq initial_code(%rip),%rax
pushq $0 # fake return address to stop unwinder
pushq $__KERNEL_CS # set correct cs
-@@ -313,7 +345,7 @@ ENDPROC(start_cpu0)
+@@ -313,7 +349,7 @@ ENDPROC(start_cpu0)
.quad INIT_PER_CPU_VAR(irq_stack_union)
GLOBAL(stack_start)
@@ -24855,7 +24859,7 @@ index 6fd514d9..c4221b8 100644
.word 0
__FINITDATA
-@@ -391,7 +423,7 @@ ENTRY(early_idt_handler)
+@@ -391,7 +427,7 @@ ENTRY(early_idt_handler)
call dump_stack
#ifdef CONFIG_KALLSYMS
leaq early_idt_ripmsg(%rip),%rdi
@@ -24864,7 +24868,7 @@ index 6fd514d9..c4221b8 100644
call __print_symbol
#endif
#endif /* EARLY_PRINTK */
-@@ -420,6 +452,7 @@ ENDPROC(early_idt_handler)
+@@ -420,6 +456,7 @@ ENDPROC(early_idt_handler)
early_recursion_flag:
.long 0
@@ -24872,7 +24876,7 @@ index 6fd514d9..c4221b8 100644
#ifdef CONFIG_EARLY_PRINTK
early_idt_msg:
.asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
-@@ -447,29 +480,52 @@ NEXT_PAGE(early_level4_pgt)
+@@ -447,29 +484,52 @@ NEXT_PAGE(early_level4_pgt)
NEXT_PAGE(early_dynamic_pgts)
.fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0
@@ -24934,7 +24938,7 @@ index 6fd514d9..c4221b8 100644
NEXT_PAGE(level3_kernel_pgt)
.fill L3_START_KERNEL,8,0
-@@ -477,6 +533,9 @@ NEXT_PAGE(level3_kernel_pgt)
+@@ -477,6 +537,9 @@ NEXT_PAGE(level3_kernel_pgt)
.quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
.quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
@@ -24944,22 +24948,26 @@ index 6fd514d9..c4221b8 100644
NEXT_PAGE(level2_kernel_pgt)
/*
* 512 MB kernel mapping. We spend a full page on this pagetable
-@@ -494,21 +553,57 @@ NEXT_PAGE(level2_kernel_pgt)
+@@ -492,23 +555,59 @@ NEXT_PAGE(level2_kernel_pgt)
+ KERNEL_IMAGE_SIZE/PMD_SIZE)
+
NEXT_PAGE(level2_fixmap_pgt)
- .fill 506,8,0
- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
+- .fill 506,8,0
+- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
- .fill 5,8,0
++ .fill 504,8,0
++ PMDS(level1_fixmap_pgt - __START_KERNEL_map, _PAGE_TABLE, 3)
+ .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
+ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
+ .fill 4,8,0
NEXT_PAGE(level1_fixmap_pgt)
++ .fill 3*512,8,0
++
++NEXT_PAGE(level1_vsyscall_pgt)
.fill 512,8,0
-+NEXT_PAGE(level1_vsyscall_pgt)
-+ .fill 512,8,0
-+
#undef PMDS
- .data
@@ -25006,7 +25014,7 @@ index 6fd514d9..c4221b8 100644
ENTRY(phys_base)
/* This must match the first entry in level2_kernel_pgt */
-@@ -532,8 +627,8 @@ NEXT_PAGE(kasan_zero_pud)
+@@ -532,8 +631,8 @@ NEXT_PAGE(kasan_zero_pud)
#include "../../x86/xen/xen-head.S"
@@ -26448,10 +26456,10 @@ index 77dd0ad..9ec4723 100644
dma_generic_free_coherent(dev, size, vaddr, dma_addr, attrs);
}
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
-index 046e2d6..2cc8ad2 100644
+index a388bb8..97064ad 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
-@@ -37,7 +37,8 @@
+@@ -38,7 +38,8 @@
* section. Since TSS's are completely CPU-local, we want them
* on exact cacheline boundaries, to eliminate cacheline ping-pong.
*/
@@ -26461,7 +26469,7 @@ index 046e2d6..2cc8ad2 100644
#ifdef CONFIG_X86_64
static DEFINE_PER_CPU(unsigned char, is_idle);
-@@ -95,7 +96,7 @@ void arch_task_cache_init(void)
+@@ -96,7 +97,7 @@ void arch_task_cache_init(void)
task_xstate_cachep =
kmem_cache_create("task_xstate", xstate_size,
__alignof__(union thread_xstate),
@@ -26470,7 +26478,7 @@ index 046e2d6..2cc8ad2 100644
setup_xstate_comp();
}
-@@ -109,7 +110,7 @@ void exit_thread(void)
+@@ -110,7 +111,7 @@ void exit_thread(void)
unsigned long *bp = t->io_bitmap_ptr;
if (bp) {
@@ -26479,7 +26487,7 @@ index 046e2d6..2cc8ad2 100644
t->io_bitmap_ptr = NULL;
clear_thread_flag(TIF_IO_BITMAP);
-@@ -129,6 +130,9 @@ void flush_thread(void)
+@@ -130,6 +131,9 @@ void flush_thread(void)
{
struct task_struct *tsk = current;
@@ -26489,7 +26497,7 @@ index 046e2d6..2cc8ad2 100644
flush_ptrace_hw_breakpoint(tsk);
memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
drop_init_fpu(tsk);
-@@ -275,7 +279,7 @@ static void __exit_idle(void)
+@@ -276,7 +280,7 @@ static void __exit_idle(void)
void exit_idle(void)
{
/* idle loop has pid 0 */
@@ -26498,7 +26506,7 @@ index 046e2d6..2cc8ad2 100644
return;
__exit_idle();
}
-@@ -328,7 +332,7 @@ bool xen_set_default_idle(void)
+@@ -329,7 +333,7 @@ bool xen_set_default_idle(void)
return ret;
}
#endif
@@ -26507,7 +26515,7 @@ index 046e2d6..2cc8ad2 100644
{
local_irq_disable();
/*
-@@ -457,16 +461,37 @@ static int __init idle_setup(char *str)
+@@ -508,16 +512,37 @@ static int __init idle_setup(char *str)
}
early_param("idle", idle_setup);
@@ -26889,7 +26897,7 @@ index e510618..5165ac0 100644
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
-index 2f355d2..e75ed0a 100644
+index e5ecd20..60f7eef 100644
--- a/arch/x86/kernel/pvclock.c
+++ b/arch/x86/kernel/pvclock.c
@@ -51,11 +51,11 @@ void pvclock_touch_watchdogs(void)
@@ -27702,10 +27710,18 @@ index 30277e2..5664a29 100644
if (!(addr & ~PAGE_MASK))
return addr;
diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
-index 91a4496..bb87552 100644
+index 91a4496..42fc304 100644
--- a/arch/x86/kernel/tboot.c
+++ b/arch/x86/kernel/tboot.c
-@@ -221,7 +221,7 @@ static int tboot_setup_sleep(void)
+@@ -44,6 +44,7 @@
+ #include <asm/setup.h>
+ #include <asm/e820.h>
+ #include <asm/io.h>
++#include <asm/tlbflush.h>
+
+ #include "../realmode/rm/wakeup.h"
+
+@@ -221,7 +222,7 @@ static int tboot_setup_sleep(void)
void tboot_shutdown(u32 shutdown_type)
{
@@ -27714,16 +27730,18 @@ index 91a4496..bb87552 100644
if (!tboot_enabled())
return;
-@@ -243,7 +243,7 @@ void tboot_shutdown(u32 shutdown_type)
+@@ -242,8 +243,9 @@ void tboot_shutdown(u32 shutdown_type)
+ tboot->shutdown_type = shutdown_type;
switch_to_tboot_pt();
++ cr4_clear_bits(X86_CR4_PCIDE);
- shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
+ shutdown = (void *)(unsigned long)tboot->shutdown_entry;
shutdown();
/* should not reach here */
-@@ -310,7 +310,7 @@ static int tboot_extended_sleep(u8 sleep_state, u32 val_a, u32 val_b)
+@@ -310,7 +312,7 @@ static int tboot_extended_sleep(u8 sleep_state, u32 val_a, u32 val_b)
return -ENODEV;
}
@@ -27732,7 +27750,7 @@ index 91a4496..bb87552 100644
static int tboot_wait_for_aps(int num_aps)
{
-@@ -334,9 +334,9 @@ static int tboot_cpu_callback(struct notifier_block *nfb, unsigned long action,
+@@ -334,9 +336,9 @@ static int tboot_cpu_callback(struct notifier_block *nfb, unsigned long action,
{
switch (action) {
case CPU_DYING:
@@ -27744,7 +27762,7 @@ index 91a4496..bb87552 100644
return NOTIFY_BAD;
break;
}
-@@ -422,7 +422,7 @@ static __init int tboot_late_init(void)
+@@ -422,7 +424,7 @@ static __init int tboot_late_init(void)
tboot_create_trampoline();
@@ -28729,7 +28747,7 @@ index cc618c8..3f72f76 100644
local_irq_disable();
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index ae4f6d3..7f5f59b 100644
+index a60bd3a..748e856 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1440,12 +1440,12 @@ static void vmcs_write64(unsigned long field, u64 value)
@@ -28779,7 +28797,7 @@ index ae4f6d3..7f5f59b 100644
{
u64 host_tsc, tsc_offset;
-@@ -4458,7 +4466,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
+@@ -4466,7 +4474,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
unsigned long cr4;
vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */
@@ -28790,7 +28808,7 @@ index ae4f6d3..7f5f59b 100644
/* Save the most likely value for this task's CR4 in the VMCS. */
cr4 = cr4_read_shadow();
-@@ -4485,7 +4496,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
+@@ -4493,7 +4504,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
vmx->host_idt_base = dt.address;
@@ -28799,7 +28817,7 @@ index ae4f6d3..7f5f59b 100644
rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
-@@ -6096,11 +6107,17 @@ static __init int hardware_setup(void)
+@@ -6104,11 +6115,17 @@ static __init int hardware_setup(void)
* page upon invalidation. No need to do anything if not
* using the APIC_ACCESS_ADDR VMCS field.
*/
@@ -28821,7 +28839,7 @@ index ae4f6d3..7f5f59b 100644
if (enable_ept && !cpu_has_vmx_ept_2m_page())
kvm_disable_largepages();
-@@ -6111,14 +6128,16 @@ static __init int hardware_setup(void)
+@@ -6119,14 +6136,16 @@ static __init int hardware_setup(void)
if (!cpu_has_vmx_apicv())
enable_apicv = 0;
@@ -28843,7 +28861,7 @@ index ae4f6d3..7f5f59b 100644
vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
-@@ -6171,10 +6190,12 @@ static __init int hardware_setup(void)
+@@ -6179,10 +6198,12 @@ static __init int hardware_setup(void)
enable_pml = 0;
if (!enable_pml) {
@@ -28860,7 +28878,7 @@ index ae4f6d3..7f5f59b 100644
}
return alloc_kvm_area();
-@@ -8219,6 +8240,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8227,6 +8248,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
"jmp 2f \n\t"
"1: " __ex(ASM_VMX_VMRESUME) "\n\t"
"2: "
@@ -28873,7 +28891,7 @@ index ae4f6d3..7f5f59b 100644
/* Save guest registers, load host registers, keep flags */
"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
"pop %0 \n\t"
-@@ -8271,6 +8298,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8279,6 +8306,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
#endif
[cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
[wordsize]"i"(sizeof(ulong))
@@ -28885,7 +28903,7 @@ index ae4f6d3..7f5f59b 100644
: "cc", "memory"
#ifdef CONFIG_X86_64
, "rax", "rbx", "rdi", "rsi"
-@@ -8284,7 +8316,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8292,7 +8324,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
if (debugctlmsr)
update_debugctlmsr(debugctlmsr);
@@ -28894,7 +28912,7 @@ index ae4f6d3..7f5f59b 100644
/*
* The sysexit path does not restore ds/es, so we must set them to
* a reasonable value ourselves.
-@@ -8293,8 +8325,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8301,8 +8333,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
* may be executed in interrupt context, which saves and restore segments
* around it, nullifying its effect.
*/
@@ -28916,7 +28934,7 @@ index ae4f6d3..7f5f59b 100644
vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 32bf19e..c8de1b5 100644
+index e222ba5..6f0f2de 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1897,8 +1897,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
@@ -30290,7 +30308,7 @@ index a451235..a74bfa3 100644
CFI_ENDPROC
END(bad_get_user_8)
diff --git a/arch/x86/lib/insn.c b/arch/x86/lib/insn.c
-index 1313ae6..84f25ea 100644
+index 85994f5..9929d7f 100644
--- a/arch/x86/lib/insn.c
+++ b/arch/x86/lib/insn.c
@@ -20,8 +20,10 @@
@@ -30304,9 +30322,9 @@ index 1313ae6..84f25ea 100644
#endif
#include <asm/inat.h>
#include <asm/insn.h>
-@@ -53,9 +55,9 @@
- void insn_init(struct insn *insn, const void *kaddr, int buf_len, int x86_64)
- {
+@@ -60,9 +62,9 @@ void insn_init(struct insn *insn, const void *kaddr, int buf_len, int x86_64)
+ buf_len = MAX_INSN_SIZE;
+
memset(insn, 0, sizeof(*insn));
- insn->kaddr = kaddr;
- insn->end_kaddr = kaddr + buf_len;
@@ -31619,7 +31637,7 @@ index e2f5e21..4b22130 100644
+EXPORT_SYMBOL(set_fs);
+#endif
diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
-index 1f33b3d..83c151d 100644
+index 0a42327..1c3a136 100644
--- a/arch/x86/lib/usercopy_64.c
+++ b/arch/x86/lib/usercopy_64.c
@@ -18,6 +18,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
@@ -31678,7 +31696,7 @@ index 1f33b3d..83c151d 100644
- clac();
/* If the destination is a kernel buffer, we always clear the end */
- if ((unsigned long)to >= TASK_SIZE_MAX)
+ if (!__addr_ok(to))
diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
index c4cc740..60a7362 100644
--- a/arch/x86/mm/Makefile
@@ -35187,6 +35205,21 @@ index a28221d..93c40f1 100644
.long __KERNEL32_CS
#endif
END(real_mode_header)
+diff --git a/arch/x86/realmode/rm/reboot.S b/arch/x86/realmode/rm/reboot.S
+index d66c607..3def845 100644
+--- a/arch/x86/realmode/rm/reboot.S
++++ b/arch/x86/realmode/rm/reboot.S
+@@ -27,6 +27,10 @@ ENTRY(machine_real_restart_asm)
+ lgdtl pa_tr_gdt
+
+ /* Disable paging to drop us out of long mode */
++ movl %cr4, %eax
++ andl $~X86_CR4_PCIDE, %eax
++ movl %eax, %cr4
++
+ movl %cr0, %eax
+ andl $~X86_CR0_PG, %eax
+ movl %eax, %cr0
diff --git a/arch/x86/realmode/rm/trampoline_32.S b/arch/x86/realmode/rm/trampoline_32.S
index 48ddd76..c26749f 100644
--- a/arch/x86/realmode/rm/trampoline_32.S
@@ -37718,7 +37751,7 @@ index cecfb94..87009ec 100644
}
diff --git a/drivers/base/bus.c b/drivers/base/bus.c
-index 876bae5..8978785 100644
+index 79bc203..fa3945b 100644
--- a/drivers/base/bus.c
+++ b/drivers/base/bus.c
@@ -1126,7 +1126,7 @@ int subsys_interface_register(struct subsys_interface *sif)
@@ -42096,10 +42129,10 @@ index c13fb5b..55a3802 100644
*off += size;
diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
-index 2978f5e..ac3a23c 100644
+index 00bc30e..d8e5097 100644
--- a/drivers/hv/channel.c
+++ b/drivers/hv/channel.c
-@@ -367,7 +367,7 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
+@@ -370,7 +370,7 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
int ret = 0;
next_gpadl_handle =
@@ -43699,6 +43732,480 @@ index 48882c1..93e0987 100644
cmd->data[2] = 1;
CMD_SET_TYPE(cmd, CMD_COMPL_WAIT);
}
+diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c
+index a3adde6..988ee96 100644
+--- a/drivers/iommu/arm-smmu.c
++++ b/drivers/iommu/arm-smmu.c
+@@ -338,7 +338,7 @@ enum arm_smmu_domain_stage {
+
+ struct arm_smmu_domain {
+ struct arm_smmu_device *smmu;
+- struct io_pgtable_ops *pgtbl_ops;
++ struct io_pgtable *pgtbl;
+ spinlock_t pgtbl_lock;
+ struct arm_smmu_cfg cfg;
+ enum arm_smmu_domain_stage stage;
+@@ -833,7 +833,7 @@ static int arm_smmu_init_domain_context(struct iommu_domain *domain,
+ {
+ int irq, start, ret = 0;
+ unsigned long ias, oas;
+- struct io_pgtable_ops *pgtbl_ops;
++ struct io_pgtable *pgtbl;
+ struct io_pgtable_cfg pgtbl_cfg;
+ enum io_pgtable_fmt fmt;
+ struct arm_smmu_domain *smmu_domain = domain->priv;
+@@ -918,14 +918,16 @@ static int arm_smmu_init_domain_context(struct iommu_domain *domain,
+ };
+
+ smmu_domain->smmu = smmu;
+- pgtbl_ops = alloc_io_pgtable_ops(fmt, &pgtbl_cfg, smmu_domain);
+- if (!pgtbl_ops) {
++ pgtbl = alloc_io_pgtable(fmt, &pgtbl_cfg, smmu_domain);
++ if (!pgtbl) {
+ ret = -ENOMEM;
+ goto out_clear_smmu;
+ }
+
+ /* Update our support page sizes to reflect the page table format */
+- arm_smmu_ops.pgsize_bitmap = pgtbl_cfg.pgsize_bitmap;
++ pax_open_kernel();
++ *(unsigned long *)&arm_smmu_ops.pgsize_bitmap = pgtbl_cfg.pgsize_bitmap;
++ pax_close_kernel();
+
+ /* Initialise the context bank with our page table cfg */
+ arm_smmu_init_context_bank(smmu_domain, &pgtbl_cfg);
+@@ -946,7 +948,7 @@ static int arm_smmu_init_domain_context(struct iommu_domain *domain,
+ mutex_unlock(&smmu_domain->init_mutex);
+
+ /* Publish page table ops for map/unmap */
+- smmu_domain->pgtbl_ops = pgtbl_ops;
++ smmu_domain->pgtbl = pgtbl;
+ return 0;
+
+ out_clear_smmu:
+@@ -979,8 +981,7 @@ static void arm_smmu_destroy_domain_context(struct iommu_domain *domain)
+ free_irq(irq, domain);
+ }
+
+- if (smmu_domain->pgtbl_ops)
+- free_io_pgtable_ops(smmu_domain->pgtbl_ops);
++ free_io_pgtable(smmu_domain->pgtbl);
+
+ __arm_smmu_free_bitmap(smmu->context_map, cfg->cbndx);
+ }
+@@ -1204,13 +1205,13 @@ static int arm_smmu_map(struct iommu_domain *domain, unsigned long iova,
+ int ret;
+ unsigned long flags;
+ struct arm_smmu_domain *smmu_domain = domain->priv;
+- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
++ struct io_pgtable *iop = smmu_domain->pgtbl;
+
+- if (!ops)
++ if (!iop)
+ return -ENODEV;
+
+ spin_lock_irqsave(&smmu_domain->pgtbl_lock, flags);
+- ret = ops->map(ops, iova, paddr, size, prot);
++ ret = iop->ops->map(iop, iova, paddr, size, prot);
+ spin_unlock_irqrestore(&smmu_domain->pgtbl_lock, flags);
+ return ret;
+ }
+@@ -1221,13 +1222,13 @@ static size_t arm_smmu_unmap(struct iommu_domain *domain, unsigned long iova,
+ size_t ret;
+ unsigned long flags;
+ struct arm_smmu_domain *smmu_domain = domain->priv;
+- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
++ struct io_pgtable *iop = smmu_domain->pgtbl;
+
+- if (!ops)
++ if (!iop)
+ return 0;
+
+ spin_lock_irqsave(&smmu_domain->pgtbl_lock, flags);
+- ret = ops->unmap(ops, iova, size);
++ ret = iop->ops->unmap(iop, iova, size);
+ spin_unlock_irqrestore(&smmu_domain->pgtbl_lock, flags);
+ return ret;
+ }
+@@ -1238,7 +1239,7 @@ static phys_addr_t arm_smmu_iova_to_phys_hard(struct iommu_domain *domain,
+ struct arm_smmu_domain *smmu_domain = domain->priv;
+ struct arm_smmu_device *smmu = smmu_domain->smmu;
+ struct arm_smmu_cfg *cfg = &smmu_domain->cfg;
+- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
++ struct io_pgtable *iop = smmu_domain->pgtbl;
+ struct device *dev = smmu->dev;
+ void __iomem *cb_base;
+ u32 tmp;
+@@ -1261,7 +1262,7 @@ static phys_addr_t arm_smmu_iova_to_phys_hard(struct iommu_domain *domain,
+ dev_err(dev,
+ "iova to phys timed out on 0x%pad. Falling back to software table walk.\n",
+ &iova);
+- return ops->iova_to_phys(ops, iova);
++ return iop->ops->iova_to_phys(iop, iova);
+ }
+
+ phys = readl_relaxed(cb_base + ARM_SMMU_CB_PAR_LO);
+@@ -1282,9 +1283,9 @@ static phys_addr_t arm_smmu_iova_to_phys(struct iommu_domain *domain,
+ phys_addr_t ret;
+ unsigned long flags;
+ struct arm_smmu_domain *smmu_domain = domain->priv;
+- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
++ struct io_pgtable *iop = smmu_domain->pgtbl;
+
+- if (!ops)
++ if (!iop)
+ return 0;
+
+ spin_lock_irqsave(&smmu_domain->pgtbl_lock, flags);
+@@ -1292,7 +1293,7 @@ static phys_addr_t arm_smmu_iova_to_phys(struct iommu_domain *domain,
+ smmu_domain->stage == ARM_SMMU_DOMAIN_S1) {
+ ret = arm_smmu_iova_to_phys_hard(domain, iova);
+ } else {
+- ret = ops->iova_to_phys(ops, iova);
++ ret = iop->ops->iova_to_phys(iop, iova);
+ }
+
+ spin_unlock_irqrestore(&smmu_domain->pgtbl_lock, flags);
+@@ -1651,7 +1652,9 @@ static int arm_smmu_device_cfg_probe(struct arm_smmu_device *smmu)
+ size |= SZ_64K | SZ_512M;
+ }
+
+- arm_smmu_ops.pgsize_bitmap &= size;
++ pax_open_kernel();
++ *(unsigned long *)&arm_smmu_ops.pgsize_bitmap &= size;
++ pax_close_kernel();
+ dev_notice(smmu->dev, "\tSupported page sizes: 0x%08lx\n", size);
+
+ if (smmu->features & ARM_SMMU_FEAT_TRANS_S1)
+diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
+index b610a8d..08eb879 100644
+--- a/drivers/iommu/io-pgtable-arm.c
++++ b/drivers/iommu/io-pgtable-arm.c
+@@ -36,12 +36,6 @@
+ #define io_pgtable_to_data(x) \
+ container_of((x), struct arm_lpae_io_pgtable, iop)
+
+-#define io_pgtable_ops_to_pgtable(x) \
+- container_of((x), struct io_pgtable, ops)
+-
+-#define io_pgtable_ops_to_data(x) \
+- io_pgtable_to_data(io_pgtable_ops_to_pgtable(x))
+-
+ /*
+ * For consistency with the architecture, we always consider
+ * ARM_LPAE_MAX_LEVELS levels, with the walk starting at level n >=0
+@@ -302,10 +296,10 @@ static arm_lpae_iopte arm_lpae_prot_to_pte(struct arm_lpae_io_pgtable *data,
+ return pte;
+ }
+
+-static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
++static int arm_lpae_map(struct io_pgtable *iop, unsigned long iova,
+ phys_addr_t paddr, size_t size, int iommu_prot)
+ {
+- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
++ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
+ arm_lpae_iopte *ptep = data->pgd;
+ int lvl = ARM_LPAE_START_LVL(data);
+ arm_lpae_iopte prot;
+@@ -445,12 +439,11 @@ static int __arm_lpae_unmap(struct arm_lpae_io_pgtable *data,
+ return __arm_lpae_unmap(data, iova, size, lvl + 1, ptep);
+ }
+
+-static int arm_lpae_unmap(struct io_pgtable_ops *ops, unsigned long iova,
++static int arm_lpae_unmap(struct io_pgtable *iop, unsigned long iova,
+ size_t size)
+ {
+ size_t unmapped;
+- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
+- struct io_pgtable *iop = &data->iop;
++ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
+ arm_lpae_iopte *ptep = data->pgd;
+ int lvl = ARM_LPAE_START_LVL(data);
+
+@@ -461,10 +454,10 @@ static int arm_lpae_unmap(struct io_pgtable_ops *ops, unsigned long iova,
+ return unmapped;
+ }
+
+-static phys_addr_t arm_lpae_iova_to_phys(struct io_pgtable_ops *ops,
++static phys_addr_t arm_lpae_iova_to_phys(struct io_pgtable *iop,
+ unsigned long iova)
+ {
+- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
++ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
+ arm_lpae_iopte pte, *ptep = data->pgd;
+ int lvl = ARM_LPAE_START_LVL(data);
+
+@@ -531,6 +524,12 @@ static void arm_lpae_restrict_pgsizes(struct io_pgtable_cfg *cfg)
+ }
+ }
+
++static struct io_pgtable_ops arm_lpae_io_pgtable_ops = {
++ .map = arm_lpae_map,
++ .unmap = arm_lpae_unmap,
++ .iova_to_phys = arm_lpae_iova_to_phys,
++};
++
+ static struct arm_lpae_io_pgtable *
+ arm_lpae_alloc_pgtable(struct io_pgtable_cfg *cfg)
+ {
+@@ -562,11 +561,7 @@ arm_lpae_alloc_pgtable(struct io_pgtable_cfg *cfg)
+ pgd_bits = va_bits - (data->bits_per_level * (data->levels - 1));
+ data->pgd_size = 1UL << (pgd_bits + ilog2(sizeof(arm_lpae_iopte)));
+
+- data->iop.ops = (struct io_pgtable_ops) {
+- .map = arm_lpae_map,
+- .unmap = arm_lpae_unmap,
+- .iova_to_phys = arm_lpae_iova_to_phys,
+- };
++ data->iop.ops = &arm_lpae_io_pgtable_ops;
+
+ return data;
+ }
+@@ -825,9 +820,9 @@ static struct iommu_gather_ops dummy_tlb_ops __initdata = {
+ .flush_pgtable = dummy_flush_pgtable,
+ };
+
+-static void __init arm_lpae_dump_ops(struct io_pgtable_ops *ops)
++static void __init arm_lpae_dump_ops(struct io_pgtable *iop)
+ {
+- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
++ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
+ struct io_pgtable_cfg *cfg = &data->iop.cfg;
+
+ pr_err("cfg: pgsize_bitmap 0x%lx, ias %u-bit\n",
+@@ -837,9 +832,9 @@ static void __init arm_lpae_dump_ops(struct io_pgtable_ops *ops)
+ data->bits_per_level, data->pgd);
+ }
+
+-#define __FAIL(ops, i) ({ \
++#define __FAIL(iop, i) ({ \
+ WARN(1, "selftest: test failed for fmt idx %d\n", (i)); \
+- arm_lpae_dump_ops(ops); \
++ arm_lpae_dump_ops(iop); \
+ selftest_running = false; \
+ -EFAULT; \
+ })
+@@ -854,30 +849,32 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
+ int i, j;
+ unsigned long iova;
+ size_t size;
+- struct io_pgtable_ops *ops;
++ struct io_pgtable *iop;
++ const struct io_pgtable_ops *ops;
+
+ selftest_running = true;
+
+ for (i = 0; i < ARRAY_SIZE(fmts); ++i) {
+ cfg_cookie = cfg;
+- ops = alloc_io_pgtable_ops(fmts[i], cfg, cfg);
+- if (!ops) {
++ iop = alloc_io_pgtable(fmts[i], cfg, cfg);
++ if (!iop) {
+ pr_err("selftest: failed to allocate io pgtable ops\n");
+ return -ENOMEM;
+ }
++ ops = iop->ops;
+
+ /*
+ * Initial sanity checks.
+ * Empty page tables shouldn't provide any translations.
+ */
+- if (ops->iova_to_phys(ops, 42))
+- return __FAIL(ops, i);
++ if (ops->iova_to_phys(iop, 42))
++ return __FAIL(iop, i);
+
+- if (ops->iova_to_phys(ops, SZ_1G + 42))
+- return __FAIL(ops, i);
++ if (ops->iova_to_phys(iop, SZ_1G + 42))
++ return __FAIL(iop, i);
+
+- if (ops->iova_to_phys(ops, SZ_2G + 42))
+- return __FAIL(ops, i);
++ if (ops->iova_to_phys(iop, SZ_2G + 42))
++ return __FAIL(iop, i);
+
+ /*
+ * Distinct mappings of different granule sizes.
+@@ -887,19 +884,19 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
+ while (j != BITS_PER_LONG) {
+ size = 1UL << j;
+
+- if (ops->map(ops, iova, iova, size, IOMMU_READ |
++ if (ops->map(iop, iova, iova, size, IOMMU_READ |
+ IOMMU_WRITE |
+ IOMMU_NOEXEC |
+ IOMMU_CACHE))
+- return __FAIL(ops, i);
++ return __FAIL(iop, i);
+
+ /* Overlapping mappings */
+- if (!ops->map(ops, iova, iova + size, size,
++ if (!ops->map(iop, iova, iova + size, size,
+ IOMMU_READ | IOMMU_NOEXEC))
+- return __FAIL(ops, i);
++ return __FAIL(iop, i);
+
+- if (ops->iova_to_phys(ops, iova + 42) != (iova + 42))
+- return __FAIL(ops, i);
++ if (ops->iova_to_phys(iop, iova + 42) != (iova + 42))
++ return __FAIL(iop, i);
+
+ iova += SZ_1G;
+ j++;
+@@ -908,15 +905,15 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
+
+ /* Partial unmap */
+ size = 1UL << __ffs(cfg->pgsize_bitmap);
+- if (ops->unmap(ops, SZ_1G + size, size) != size)
+- return __FAIL(ops, i);
++ if (ops->unmap(iop, SZ_1G + size, size) != size)
++ return __FAIL(iop, i);
+
+ /* Remap of partial unmap */
+- if (ops->map(ops, SZ_1G + size, size, size, IOMMU_READ))
+- return __FAIL(ops, i);
++ if (ops->map(iop, SZ_1G + size, size, size, IOMMU_READ))
++ return __FAIL(iop, i);
+
+- if (ops->iova_to_phys(ops, SZ_1G + size + 42) != (size + 42))
+- return __FAIL(ops, i);
++ if (ops->iova_to_phys(iop, SZ_1G + size + 42) != (size + 42))
++ return __FAIL(iop, i);
+
+ /* Full unmap */
+ iova = 0;
+@@ -924,25 +921,25 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
+ while (j != BITS_PER_LONG) {
+ size = 1UL << j;
+
+- if (ops->unmap(ops, iova, size) != size)
+- return __FAIL(ops, i);
++ if (ops->unmap(iop, iova, size) != size)
++ return __FAIL(iop, i);
+
+- if (ops->iova_to_phys(ops, iova + 42))
+- return __FAIL(ops, i);
++ if (ops->iova_to_phys(iop, iova + 42))
++ return __FAIL(iop, i);
+
+ /* Remap full block */
+- if (ops->map(ops, iova, iova, size, IOMMU_WRITE))
+- return __FAIL(ops, i);
++ if (ops->map(iop, iova, iova, size, IOMMU_WRITE))
++ return __FAIL(iop, i);
+
+- if (ops->iova_to_phys(ops, iova + 42) != (iova + 42))
+- return __FAIL(ops, i);
++ if (ops->iova_to_phys(iop, iova + 42) != (iova + 42))
++ return __FAIL(iop, i);
+
+ iova += SZ_1G;
+ j++;
+ j = find_next_bit(&cfg->pgsize_bitmap, BITS_PER_LONG, j);
+ }
+
+- free_io_pgtable_ops(ops);
++ free_io_pgtable(iop);
+ }
+
+ selftest_running = false;
+diff --git a/drivers/iommu/io-pgtable.c b/drivers/iommu/io-pgtable.c
+index 6436fe2..088c965 100644
+--- a/drivers/iommu/io-pgtable.c
++++ b/drivers/iommu/io-pgtable.c
+@@ -40,7 +40,7 @@ io_pgtable_init_table[IO_PGTABLE_NUM_FMTS] =
+ #endif
+ };
+
+-struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
++struct io_pgtable *alloc_io_pgtable(enum io_pgtable_fmt fmt,
+ struct io_pgtable_cfg *cfg,
+ void *cookie)
+ {
+@@ -62,21 +62,18 @@ struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
+ iop->cookie = cookie;
+ iop->cfg = *cfg;
+
+- return &iop->ops;
++ return iop;
+ }
+
+ /*
+ * It is the IOMMU driver's responsibility to ensure that the page table
+ * is no longer accessible to the walker by this point.
+ */
+-void free_io_pgtable_ops(struct io_pgtable_ops *ops)
++void free_io_pgtable(struct io_pgtable *iop)
+ {
+- struct io_pgtable *iop;
+-
+- if (!ops)
++ if (!iop)
+ return;
+
+- iop = container_of(ops, struct io_pgtable, ops);
+ iop->cfg.tlb->tlb_flush_all(iop->cookie);
+ io_pgtable_init_table[iop->fmt]->free(iop);
+ }
+diff --git a/drivers/iommu/io-pgtable.h b/drivers/iommu/io-pgtable.h
+index 10e32f6..0b276c8 100644
+--- a/drivers/iommu/io-pgtable.h
++++ b/drivers/iommu/io-pgtable.h
+@@ -75,17 +75,18 @@ struct io_pgtable_cfg {
+ * These functions map directly onto the iommu_ops member functions with
+ * the same names.
+ */
++struct io_pgtable;
+ struct io_pgtable_ops {
+- int (*map)(struct io_pgtable_ops *ops, unsigned long iova,
++ int (*map)(struct io_pgtable *iop, unsigned long iova,
+ phys_addr_t paddr, size_t size, int prot);
+- int (*unmap)(struct io_pgtable_ops *ops, unsigned long iova,
++ int (*unmap)(struct io_pgtable *iop, unsigned long iova,
+ size_t size);
+- phys_addr_t (*iova_to_phys)(struct io_pgtable_ops *ops,
++ phys_addr_t (*iova_to_phys)(struct io_pgtable *iop,
+ unsigned long iova);
+ };
+
+ /**
+- * alloc_io_pgtable_ops() - Allocate a page table allocator for use by an IOMMU.
++ * alloc_io_pgtable() - Allocate a page table allocator for use by an IOMMU.
+ *
+ * @fmt: The page table format.
+ * @cfg: The page table configuration. This will be modified to represent
+@@ -94,9 +95,9 @@ struct io_pgtable_ops {
+ * @cookie: An opaque token provided by the IOMMU driver and passed back to
+ * the callback routines in cfg->tlb.
+ */
+-struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
+- struct io_pgtable_cfg *cfg,
+- void *cookie);
++struct io_pgtable *alloc_io_pgtable(enum io_pgtable_fmt fmt,
++ struct io_pgtable_cfg *cfg,
++ void *cookie);
+
+ /**
+ * free_io_pgtable_ops() - Free an io_pgtable_ops structure. The caller
+@@ -105,7 +106,7 @@ struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
+ *
+ * @ops: The ops returned from alloc_io_pgtable_ops.
+ */
+-void free_io_pgtable_ops(struct io_pgtable_ops *ops);
++void free_io_pgtable(struct io_pgtable *iop);
+
+
+ /*
+@@ -125,7 +126,7 @@ struct io_pgtable {
+ enum io_pgtable_fmt fmt;
+ void *cookie;
+ struct io_pgtable_cfg cfg;
+- struct io_pgtable_ops ops;
++ const struct io_pgtable_ops *ops;
+ };
+
+ /**
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index 72e683d..c9db262 100644
--- a/drivers/iommu/iommu.c
@@ -43712,6 +44219,65 @@ index 72e683d..c9db262 100644
struct iommu_callback_data cb = {
.ops = ops,
};
+diff --git a/drivers/iommu/ipmmu-vmsa.c b/drivers/iommu/ipmmu-vmsa.c
+index bc39bdf..e2de272 100644
+--- a/drivers/iommu/ipmmu-vmsa.c
++++ b/drivers/iommu/ipmmu-vmsa.c
+@@ -41,7 +41,7 @@ struct ipmmu_vmsa_domain {
+ struct iommu_domain *io_domain;
+
+ struct io_pgtable_cfg cfg;
+- struct io_pgtable_ops *iop;
++ struct io_pgtable *iop;
+
+ unsigned int context_id;
+ spinlock_t lock; /* Protects mappings */
+@@ -323,8 +323,7 @@ static int ipmmu_domain_init_context(struct ipmmu_vmsa_domain *domain)
+ domain->cfg.oas = 40;
+ domain->cfg.tlb = &ipmmu_gather_ops;
+
+- domain->iop = alloc_io_pgtable_ops(ARM_32_LPAE_S1, &domain->cfg,
+- domain);
++ domain->iop = alloc_io_pgtable(ARM_32_LPAE_S1, &domain->cfg, domain);
+ if (!domain->iop)
+ return -EINVAL;
+
+@@ -482,7 +481,7 @@ static void ipmmu_domain_destroy(struct iommu_domain *io_domain)
+ * been detached.
+ */
+ ipmmu_domain_destroy_context(domain);
+- free_io_pgtable_ops(domain->iop);
++ free_io_pgtable(domain->iop);
+ kfree(domain);
+ }
+
+@@ -551,7 +550,7 @@ static int ipmmu_map(struct iommu_domain *io_domain, unsigned long iova,
+ if (!domain)
+ return -ENODEV;
+
+- return domain->iop->map(domain->iop, iova, paddr, size, prot);
++ return domain->iop->ops->map(domain->iop, iova, paddr, size, prot);
+ }
+
+ static size_t ipmmu_unmap(struct iommu_domain *io_domain, unsigned long iova,
+@@ -559,7 +558,7 @@ static size_t ipmmu_unmap(struct iommu_domain *io_domain, unsigned long iova,
+ {
+ struct ipmmu_vmsa_domain *domain = io_domain->priv;
+
+- return domain->iop->unmap(domain->iop, iova, size);
++ return domain->iop->ops->unmap(domain->iop, iova, size);
+ }
+
+ static phys_addr_t ipmmu_iova_to_phys(struct iommu_domain *io_domain,
+@@ -569,7 +568,7 @@ static phys_addr_t ipmmu_iova_to_phys(struct iommu_domain *io_domain,
+
+ /* TODO: Is locking needed ? */
+
+- return domain->iop->iova_to_phys(domain->iop, iova);
++ return domain->iop->ops->iova_to_phys(domain->iop, iova);
+ }
+
+ static int ipmmu_find_utlbs(struct ipmmu_vmsa_device *mmu, struct device *dev,
diff --git a/drivers/iommu/irq_remapping.c b/drivers/iommu/irq_remapping.c
index 390079e..1da9d6c 100644
--- a/drivers/iommu/irq_remapping.c
@@ -44619,7 +45185,7 @@ index 8001fe9..abdd0d0 100644
void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 717daad..6dd103f 100644
+index e617878..d423ee3 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -191,10 +191,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
@@ -44644,7 +45210,7 @@ index 717daad..6dd103f 100644
wake_up(&md_event_waiters);
}
-@@ -1438,7 +1438,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_
+@@ -1442,7 +1442,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_
if ((le32_to_cpu(sb->feature_map) & MD_FEATURE_RESHAPE_ACTIVE) &&
(le32_to_cpu(sb->feature_map) & MD_FEATURE_NEW_OFFSET))
rdev->new_data_offset += (s32)le32_to_cpu(sb->new_offset);
@@ -44653,7 +45219,7 @@ index 717daad..6dd103f 100644
rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
-@@ -1689,7 +1689,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev)
+@@ -1693,7 +1693,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev)
else
sb->resync_offset = cpu_to_le64(0);
@@ -44662,7 +45228,7 @@ index 717daad..6dd103f 100644
sb->raid_disks = cpu_to_le32(mddev->raid_disks);
sb->size = cpu_to_le64(mddev->dev_sectors);
-@@ -2560,7 +2560,7 @@ __ATTR_PREALLOC(state, S_IRUGO|S_IWUSR, state_show, state_store);
+@@ -2564,7 +2564,7 @@ __ATTR_PREALLOC(state, S_IRUGO|S_IWUSR, state_show, state_store);
static ssize_t
errors_show(struct md_rdev *rdev, char *page)
{
@@ -44671,7 +45237,7 @@ index 717daad..6dd103f 100644
}
static ssize_t
-@@ -2569,7 +2569,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len)
+@@ -2573,7 +2573,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len)
char *e;
unsigned long n = simple_strtoul(buf, &e, 10);
if (*buf && (*e == 0 || *e == '\n')) {
@@ -44680,7 +45246,7 @@ index 717daad..6dd103f 100644
return len;
}
return -EINVAL;
-@@ -3005,8 +3005,8 @@ int md_rdev_init(struct md_rdev *rdev)
+@@ -3009,8 +3009,8 @@ int md_rdev_init(struct md_rdev *rdev)
rdev->sb_loaded = 0;
rdev->bb_page = NULL;
atomic_set(&rdev->nr_pending, 0);
@@ -44691,7 +45257,7 @@ index 717daad..6dd103f 100644
INIT_LIST_HEAD(&rdev->same_set);
init_waitqueue_head(&rdev->blocked_wait);
-@@ -7079,7 +7079,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -7083,7 +7083,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
spin_unlock(&pers_lock);
seq_printf(seq, "\n");
@@ -44700,7 +45266,7 @@ index 717daad..6dd103f 100644
return 0;
}
if (v == (void*)2) {
-@@ -7182,7 +7182,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
+@@ -7186,7 +7186,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
return error;
seq = file->private_data;
@@ -44709,7 +45275,7 @@ index 717daad..6dd103f 100644
return error;
}
-@@ -7199,7 +7199,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
+@@ -7203,7 +7203,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
/* always allow read */
mask = POLLIN | POLLRDNORM;
@@ -44718,7 +45284,7 @@ index 717daad..6dd103f 100644
mask |= POLLERR | POLLPRI;
return mask;
}
-@@ -7246,7 +7246,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+@@ -7250,7 +7250,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
(int)part_stat_read(&disk->part0, sectors[1]) -
@@ -48372,7 +48938,7 @@ index bdfe51f..e7845c7 100644
r = get_phy_id(bus, addr, &phy_id, is_c45, &c45_ids);
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
-index af034db..1611c0b2 100644
+index 9d15566..5ad4ef6 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -1022,7 +1022,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
@@ -50140,7 +50706,7 @@ index 7543a56..367ca8ed 100644
1, asus->debug.method_id,
&input, &output);
diff --git a/drivers/platform/x86/compal-laptop.c b/drivers/platform/x86/compal-laptop.c
-index 15c0fab..f674006 100644
+index bceb30b..bf063d4 100644
--- a/drivers/platform/x86/compal-laptop.c
+++ b/drivers/platform/x86/compal-laptop.c
@@ -766,7 +766,7 @@ static int dmi_check_cb_extra(const struct dmi_system_id *id)
@@ -52009,7 +52575,7 @@ index ae45bd9..c32a586 100644
transport_setup_device(&rport->dev);
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
-index 6b78476..d40476f 100644
+index 3290a3e..d65ac1c 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3006,7 +3006,7 @@ static int sd_probe(struct device *dev)
@@ -52676,7 +53242,7 @@ index 7faa6ae..ae6c410 100644
spin_lock_init(&dev->t10_wwn.t10_vpd_lock);
INIT_LIST_HEAD(&dev->t10_pr.registration_list);
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
-index ac3cbab..f0d1dd2 100644
+index f786de0..04b643e 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1168,7 +1168,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd)
@@ -54377,7 +54943,7 @@ index 45a915c..09f9735 100644
wake_up(&usb_kill_urb_queue);
usb_put_urb(urb);
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index d7c3d5a..2f87607 100644
+index 3b71516..1f26579 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -26,6 +26,7 @@
@@ -54607,10 +55173,10 @@ index c78c841..48fd281 100644
#include "u_uac1.h"
diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c
-index 87cf86f..3de9809 100644
+index 7354d01..299478e 100644
--- a/drivers/usb/host/ehci-hub.c
+++ b/drivers/usb/host/ehci-hub.c
-@@ -769,7 +769,7 @@ static struct urb *request_single_step_set_feature_urb(
+@@ -772,7 +772,7 @@ static struct urb *request_single_step_set_feature_urb(
urb->transfer_flags = URB_DIR_IN;
usb_get_urb(urb);
atomic_inc(&urb->use_count);
@@ -54619,7 +55185,7 @@ index 87cf86f..3de9809 100644
urb->setup_dma = dma_map_single(
hcd->self.controller,
urb->setup_packet,
-@@ -836,7 +836,7 @@ static int ehset_single_step_set_feature(struct usb_hcd *hcd, int port)
+@@ -839,7 +839,7 @@ static int ehset_single_step_set_feature(struct usb_hcd *hcd, int port)
urb->status = -EINPROGRESS;
usb_get_urb(urb);
atomic_inc(&urb->use_count);
@@ -58614,7 +59180,7 @@ index 4c55668..eeae150 100644
fd_offset + ex.a_text);
if (error != N_DATADDR(ex))
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 995986b..dcc4ef2 100644
+index d925f55..d31f527 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -34,6 +34,7 @@
@@ -59235,10 +59801,15 @@ index 995986b..dcc4ef2 100644
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
-@@ -924,6 +1363,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -925,12 +1364,21 @@ static int load_elf_binary(struct linux_binprm *bprm)
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
+- total_size = total_mapping_size(elf_phdata,
+- loc->elf_ex.e_phnum);
+- if (!total_size) {
+- error = -EINVAL;
+- goto out_free_dentry;
+
+#ifdef CONFIG_PAX_RANDMMAP
+ /* PaX: randomize base address at the default exe base if requested */
@@ -59250,13 +59821,14 @@ index 995986b..dcc4ef2 100644
+#endif
+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
+ elf_flags |= MAP_FIXED;
-+ }
+ }
+#endif
+
++ total_size = total_mapping_size(elf_phdata, loc->elf_ex.e_phnum);
}
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
-@@ -955,9 +1408,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -962,9 +1410,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
@@ -59269,7 +59841,7 @@ index 995986b..dcc4ef2 100644
/* set_brk can never work. Avoid overflows. */
retval = -EINVAL;
goto out_free_dentry;
-@@ -993,16 +1446,43 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -1000,16 +1448,43 @@ static int load_elf_binary(struct linux_binprm *bprm)
if (retval)
goto out_free_dentry;
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -59318,7 +59890,7 @@ index 995986b..dcc4ef2 100644
load_bias, interp_elf_phdata);
if (!IS_ERR((void *)elf_entry)) {
/*
-@@ -1230,7 +1710,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
+@@ -1237,7 +1712,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
* Decide what to dump of a segment, part, all or none.
*/
static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -59327,7 +59899,7 @@ index 995986b..dcc4ef2 100644
{
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
-@@ -1268,7 +1748,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1275,7 +1750,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
if (vma->vm_file == NULL)
return 0;
@@ -59336,7 +59908,7 @@ index 995986b..dcc4ef2 100644
goto whole;
/*
-@@ -1475,9 +1955,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1482,9 +1957,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
int i = 0;
@@ -59348,7 +59920,7 @@ index 995986b..dcc4ef2 100644
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}
-@@ -1486,7 +1966,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
+@@ -1493,7 +1968,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
{
mm_segment_t old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -59357,7 +59929,7 @@ index 995986b..dcc4ef2 100644
set_fs(old_fs);
fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
}
-@@ -2206,7 +2686,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2213,7 +2688,7 @@ static int elf_core_dump(struct coredump_params *cprm)
vma = next_vma(vma, gate_vma)) {
unsigned long dump_size;
@@ -59366,7 +59938,7 @@ index 995986b..dcc4ef2 100644
vma_filesz[i++] = dump_size;
vma_data_size += dump_size;
}
-@@ -2314,6 +2794,167 @@ out:
+@@ -2321,6 +2796,167 @@ out:
#endif /* CONFIG_ELF_CORE */
@@ -64355,7 +64927,7 @@ index 6a61c2b..bd79179 100644
#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
diff --git a/fs/namei.c b/fs/namei.c
-index c83145a..a78aa13 100644
+index caa38a2..44c470a 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -337,17 +337,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -64457,7 +65029,7 @@ index c83145a..a78aa13 100644
nd->last_type = LAST_BIND;
*p = dentry->d_inode->i_op->follow_link(dentry, nd);
error = PTR_ERR(*p);
-@@ -1639,6 +1652,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd)
+@@ -1640,6 +1653,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd)
if (res)
break;
res = walk_component(nd, path, LOOKUP_FOLLOW);
@@ -64466,7 +65038,7 @@ index c83145a..a78aa13 100644
put_link(nd, &link, cookie);
} while (res > 0);
-@@ -1711,7 +1726,7 @@ EXPORT_SYMBOL(full_name_hash);
+@@ -1712,7 +1727,7 @@ EXPORT_SYMBOL(full_name_hash);
static inline u64 hash_name(const char *name)
{
unsigned long a, b, adata, bdata, mask, hash, len;
@@ -64475,7 +65047,7 @@ index c83145a..a78aa13 100644
hash = a = 0;
len = -sizeof(unsigned long);
-@@ -2006,6 +2021,8 @@ static int path_lookupat(int dfd, const char *name,
+@@ -2007,6 +2022,8 @@ static int path_lookupat(int dfd, const char *name,
if (err)
break;
err = lookup_last(nd, &path);
@@ -64484,7 +65056,7 @@ index c83145a..a78aa13 100644
put_link(nd, &link, cookie);
}
}
-@@ -2013,6 +2030,13 @@ static int path_lookupat(int dfd, const char *name,
+@@ -2014,6 +2031,13 @@ static int path_lookupat(int dfd, const char *name,
if (!err)
err = complete_walk(nd);
@@ -64498,7 +65070,7 @@ index c83145a..a78aa13 100644
if (!err && nd->flags & LOOKUP_DIRECTORY) {
if (!d_can_lookup(nd->path.dentry)) {
path_put(&nd->path);
-@@ -2034,8 +2058,15 @@ static int filename_lookup(int dfd, struct filename *name,
+@@ -2035,8 +2059,15 @@ static int filename_lookup(int dfd, struct filename *name,
retval = path_lookupat(dfd, name->name,
flags | LOOKUP_REVAL, nd);
@@ -64515,7 +65087,7 @@ index c83145a..a78aa13 100644
return retval;
}
-@@ -2614,6 +2645,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2615,6 +2646,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
@@ -64529,7 +65101,7 @@ index c83145a..a78aa13 100644
return 0;
}
-@@ -2845,7 +2883,7 @@ looked_up:
+@@ -2846,7 +2884,7 @@ looked_up:
* cleared otherwise prior to returning.
*/
static int lookup_open(struct nameidata *nd, struct path *path,
@@ -64538,7 +65110,7 @@ index c83145a..a78aa13 100644
const struct open_flags *op,
bool got_write, int *opened)
{
-@@ -2880,6 +2918,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2881,6 +2919,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
umode_t mode = op->mode;
@@ -64556,7 +65128,7 @@ index c83145a..a78aa13 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2901,6 +2950,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2902,6 +2951,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
nd->flags & LOOKUP_EXCL);
if (error)
goto out_dput;
@@ -64565,7 +65137,7 @@ index c83145a..a78aa13 100644
}
out_no_open:
path->dentry = dentry;
-@@ -2915,7 +2966,7 @@ out_dput:
+@@ -2916,7 +2967,7 @@ out_dput:
/*
* Handle the last step of open()
*/
@@ -64574,7 +65146,7 @@ index c83145a..a78aa13 100644
struct file *file, const struct open_flags *op,
int *opened, struct filename *name)
{
-@@ -2965,6 +3016,15 @@ static int do_last(struct nameidata *nd, struct path *path,
+@@ -2966,6 +3017,15 @@ static int do_last(struct nameidata *nd, struct path *path,
if (error)
return error;
@@ -64590,7 +65162,7 @@ index c83145a..a78aa13 100644
audit_inode(name, dir, LOOKUP_PARENT);
error = -EISDIR;
/* trailing slashes? */
-@@ -2984,7 +3044,7 @@ retry_lookup:
+@@ -2985,7 +3045,7 @@ retry_lookup:
*/
}
mutex_lock(&dir->d_inode->i_mutex);
@@ -64599,7 +65171,7 @@ index c83145a..a78aa13 100644
mutex_unlock(&dir->d_inode->i_mutex);
if (error <= 0) {
-@@ -3008,11 +3068,28 @@ retry_lookup:
+@@ -3009,11 +3069,28 @@ retry_lookup:
goto finish_open_created;
}
@@ -64629,7 +65201,7 @@ index c83145a..a78aa13 100644
/*
* If atomic_open() acquired write access it is dropped now due to
-@@ -3053,6 +3130,11 @@ finish_lookup:
+@@ -3055,6 +3132,11 @@ finish_lookup:
}
}
BUG_ON(inode != path->dentry->d_inode);
@@ -64641,7 +65213,7 @@ index c83145a..a78aa13 100644
return 1;
}
-@@ -3072,7 +3154,18 @@ finish_open:
+@@ -3074,7 +3156,18 @@ finish_open:
path_put(&save_parent);
return error;
}
@@ -64660,7 +65232,15 @@ index c83145a..a78aa13 100644
error = -EISDIR;
if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
goto out;
-@@ -3233,7 +3326,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3228,14 +3321,14 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+
+ if (unlikely(file->f_flags & __O_TMPFILE)) {
+ error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened);
+- goto out;
++ goto out2;
+ }
+
+ error = path_init(dfd, pathname->name, flags, nd);
if (unlikely(error))
goto out;
@@ -64669,7 +65249,7 @@ index c83145a..a78aa13 100644
while (unlikely(error > 0)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -3251,7 +3344,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3253,11 +3346,12 @@ static struct file *path_openat(int dfd, struct filename *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
break;
@@ -64678,7 +65258,12 @@ index c83145a..a78aa13 100644
put_link(nd, &link, cookie);
}
out:
-@@ -3353,9 +3446,11 @@ static struct dentry *filename_create(int dfd, struct filename *name,
+ path_cleanup(nd);
++out2:
+ if (!(opened & FILE_OPENED)) {
+ BUG_ON(!error);
+ put_filp(file);
+@@ -3355,9 +3449,11 @@ static struct dentry *filename_create(int dfd, struct filename *name,
goto unlock;
error = -EEXIST;
@@ -64692,7 +65277,7 @@ index c83145a..a78aa13 100644
/*
* Special case - lookup gave negative, but... we had foo/bar/
* From the vfs_mknod() POV we just have a negative dentry -
-@@ -3420,6 +3515,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
+@@ -3422,6 +3518,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
}
EXPORT_SYMBOL(user_path_create);
@@ -64713,7 +65298,7 @@ index c83145a..a78aa13 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -3483,6 +3592,17 @@ retry:
+@@ -3485,6 +3595,17 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -64731,7 +65316,7 @@ index c83145a..a78aa13 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out;
-@@ -3498,6 +3618,8 @@ retry:
+@@ -3500,6 +3621,8 @@ retry:
error = vfs_mknod(path.dentry->d_inode,dentry,mode,0);
break;
}
@@ -64740,7 +65325,7 @@ index c83145a..a78aa13 100644
out:
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
-@@ -3552,9 +3674,16 @@ retry:
+@@ -3554,9 +3677,16 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -64757,7 +65342,7 @@ index c83145a..a78aa13 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3587,7 +3716,7 @@ void dentry_unhash(struct dentry *dentry)
+@@ -3589,7 +3719,7 @@ void dentry_unhash(struct dentry *dentry)
{
shrink_dcache_parent(dentry);
spin_lock(&dentry->d_lock);
@@ -64766,7 +65351,7 @@ index c83145a..a78aa13 100644
__d_drop(dentry);
spin_unlock(&dentry->d_lock);
}
-@@ -3638,6 +3767,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3640,6 +3770,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
struct filename *name;
struct dentry *dentry;
struct nameidata nd;
@@ -64775,7 +65360,7 @@ index c83145a..a78aa13 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3670,10 +3801,21 @@ retry:
+@@ -3672,10 +3804,21 @@ retry:
error = -ENOENT;
goto exit3;
}
@@ -64797,7 +65382,7 @@ index c83145a..a78aa13 100644
exit3:
dput(dentry);
exit2:
-@@ -3766,6 +3908,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3768,6 +3911,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct nameidata nd;
struct inode *inode = NULL;
struct inode *delegated_inode = NULL;
@@ -64806,7 +65391,7 @@ index c83145a..a78aa13 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3792,10 +3936,22 @@ retry_deleg:
+@@ -3794,10 +3939,22 @@ retry_deleg:
if (d_is_negative(dentry))
goto slashes;
ihold(inode);
@@ -64829,7 +65414,7 @@ index c83145a..a78aa13 100644
exit2:
dput(dentry);
}
-@@ -3884,9 +4040,17 @@ retry:
+@@ -3886,9 +4043,17 @@ retry:
if (IS_ERR(dentry))
goto out_putname;
@@ -64847,7 +65432,7 @@ index c83145a..a78aa13 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3990,6 +4154,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3992,6 +4157,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
struct dentry *new_dentry;
struct path old_path, new_path;
struct inode *delegated_inode = NULL;
@@ -64855,7 +65440,7 @@ index c83145a..a78aa13 100644
int how = 0;
int error;
-@@ -4013,7 +4178,7 @@ retry:
+@@ -4015,7 +4181,7 @@ retry:
if (error)
return error;
@@ -64864,7 +65449,7 @@ index c83145a..a78aa13 100644
(how & LOOKUP_REVAL));
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
-@@ -4025,11 +4190,28 @@ retry:
+@@ -4027,11 +4193,28 @@ retry:
error = may_linkat(&old_path);
if (unlikely(error))
goto out_dput;
@@ -64893,7 +65478,7 @@ index c83145a..a78aa13 100644
done_path_create(&new_path, new_dentry);
if (delegated_inode) {
error = break_deleg_wait(&delegated_inode);
-@@ -4345,6 +4527,20 @@ retry_deleg:
+@@ -4347,6 +4530,20 @@ retry_deleg:
if (new_dentry == trap)
goto exit5;
@@ -64914,7 +65499,7 @@ index c83145a..a78aa13 100644
error = security_path_rename(&oldnd.path, old_dentry,
&newnd.path, new_dentry, flags);
if (error)
-@@ -4352,6 +4548,9 @@ retry_deleg:
+@@ -4354,6 +4551,9 @@ retry_deleg:
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry,
&delegated_inode, flags);
@@ -64924,7 +65509,7 @@ index c83145a..a78aa13 100644
exit5:
dput(new_dentry);
exit4:
-@@ -4408,14 +4607,24 @@ EXPORT_SYMBOL(vfs_whiteout);
+@@ -4410,14 +4610,24 @@ EXPORT_SYMBOL(vfs_whiteout);
int readlink_copy(char __user *buffer, int buflen, const char *link)
{
@@ -64951,10 +65536,10 @@ index c83145a..a78aa13 100644
out:
return len;
diff --git a/fs/namespace.c b/fs/namespace.c
-index 82ef140..5335e75 100644
+index 4622ee3..2db42e3 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
-@@ -1438,6 +1438,9 @@ static int do_umount(struct mount *mnt, int flags)
+@@ -1480,6 +1480,9 @@ static int do_umount(struct mount *mnt, int flags)
if (!(sb->s_flags & MS_RDONLY))
retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
up_write(&sb->s_umount);
@@ -64964,7 +65549,7 @@ index 82ef140..5335e75 100644
return retval;
}
-@@ -1460,6 +1463,9 @@ static int do_umount(struct mount *mnt, int flags)
+@@ -1502,6 +1505,9 @@ static int do_umount(struct mount *mnt, int flags)
}
unlock_mount_hash();
namespace_unlock();
@@ -64974,7 +65559,7 @@ index 82ef140..5335e75 100644
return retval;
}
-@@ -1510,7 +1516,7 @@ static inline bool may_mount(void)
+@@ -1559,7 +1565,7 @@ static inline bool may_mount(void)
* unixes. Our API is identical to OSF/1 to avoid making a mess of AMD
*/
@@ -64983,7 +65568,7 @@ index 82ef140..5335e75 100644
{
struct path path;
struct mount *mnt;
-@@ -1555,7 +1561,7 @@ out:
+@@ -1604,7 +1610,7 @@ out:
/*
* The 2.0 compatible umount. No flags.
*/
@@ -64992,7 +65577,7 @@ index 82ef140..5335e75 100644
{
return sys_umount(name, 0);
}
-@@ -2621,6 +2627,16 @@ long do_mount(const char *dev_name, const char __user *dir_name,
+@@ -2670,6 +2676,16 @@ long do_mount(const char *dev_name, const char __user *dir_name,
MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
MS_STRICTATIME);
@@ -65009,7 +65594,7 @@ index 82ef140..5335e75 100644
if (flags & MS_REMOUNT)
retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
data_page);
-@@ -2634,7 +2650,10 @@ long do_mount(const char *dev_name, const char __user *dir_name,
+@@ -2683,7 +2699,10 @@ long do_mount(const char *dev_name, const char __user *dir_name,
retval = do_new_mount(&path, type_page, flags, mnt_flags,
dev_name, data_page);
dput_out:
@@ -65020,7 +65605,7 @@ index 82ef140..5335e75 100644
return retval;
}
-@@ -2652,7 +2671,7 @@ static void free_mnt_ns(struct mnt_namespace *ns)
+@@ -2701,7 +2720,7 @@ static void free_mnt_ns(struct mnt_namespace *ns)
* number incrementing at 10Ghz will take 12,427 years to wrap which
* is effectively never, so we can ignore the possibility.
*/
@@ -65029,7 +65614,7 @@ index 82ef140..5335e75 100644
static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
{
-@@ -2668,7 +2687,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
+@@ -2717,7 +2736,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
return ERR_PTR(ret);
}
new_ns->ns.ops = &mntns_operations;
@@ -65038,7 +65623,7 @@ index 82ef140..5335e75 100644
atomic_set(&new_ns->count, 1);
new_ns->root = NULL;
INIT_LIST_HEAD(&new_ns->list);
-@@ -2678,7 +2697,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
+@@ -2727,7 +2746,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
return new_ns;
}
@@ -65047,7 +65632,7 @@ index 82ef140..5335e75 100644
struct user_namespace *user_ns, struct fs_struct *new_fs)
{
struct mnt_namespace *new_ns;
-@@ -2799,8 +2818,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
+@@ -2848,8 +2867,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
}
EXPORT_SYMBOL(mount_subtree);
@@ -65058,7 +65643,7 @@ index 82ef140..5335e75 100644
{
int ret;
char *kernel_type;
-@@ -2906,6 +2925,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
+@@ -2955,6 +2974,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
if (error)
goto out2;
@@ -65070,7 +65655,7 @@ index 82ef140..5335e75 100644
get_fs_root(current->fs, &root);
old_mp = lock_mount(&old);
error = PTR_ERR(old_mp);
-@@ -3180,7 +3204,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns)
+@@ -3229,7 +3253,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns)
!ns_capable(current_user_ns(), CAP_SYS_ADMIN))
return -EPERM;
@@ -65117,10 +65702,10 @@ index d42dff6..ecbdf42 100644
EXPORT_SYMBOL_GPL(nfs_inc_attr_generation_counter);
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
-index 92b9d97..045e58c 100644
+index 5416968..0942042 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
-@@ -1492,7 +1492,7 @@ struct nfsd4_operation {
+@@ -1496,7 +1496,7 @@ struct nfsd4_operation {
nfsd4op_rsize op_rsize_bop;
stateid_getter op_get_currentstateid;
stateid_setter op_set_currentstateid;
@@ -65130,7 +65715,7 @@ index 92b9d97..045e58c 100644
static struct nfsd4_operation nfsd4_ops[];
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
-index 5fb7e78..cc8a22e 100644
+index 5b33ce1..c2a92aa 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -1703,7 +1703,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p)
@@ -65556,7 +66141,7 @@ index 2667518..24bcf79 100644
/* Copy the blockcheck stats from the superblock probe */
osb->osb_ecc_stats = *stats;
diff --git a/fs/open.c b/fs/open.c
-index 33f9cbf..8abe053 100644
+index 44a3be1..5e97aa1 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -32,6 +32,8 @@
@@ -65657,9 +66242,9 @@ index 33f9cbf..8abe053 100644
+ if (!gr_acl_handle_chown(path->dentry, path->mnt))
+ return -EACCES;
+
+ retry_deleg:
newattrs.ia_valid = ATTR_CTIME;
if (user != (uid_t) -1) {
- if (!uid_valid(uid))
@@ -1017,6 +1054,7 @@ long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
} else {
fsnotify_open(f);
@@ -65693,9 +66278,18 @@ index 5f0d199..13b74b9 100644
struct ovl_entry *oe;
struct ovl_fs *ufs;
diff --git a/fs/pipe.c b/fs/pipe.c
-index 21981e5..3d5f55c 100644
+index 21981e5..2c0bffb 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
+@@ -37,7 +37,7 @@ unsigned int pipe_max_size = 1048576;
+ /*
+ * Minimum pipe size, as required by POSIX
+ */
+-unsigned int pipe_min_size = PAGE_SIZE;
++unsigned int pipe_min_size __read_only = PAGE_SIZE;
+
+ /*
+ * We use a start+len construction, which provides full use of the
@@ -56,7 +56,7 @@ unsigned int pipe_min_size = PAGE_SIZE;
static void pipe_lock_nested(struct pipe_inode_info *pipe, int subclass)
@@ -65902,6 +66496,35 @@ index 21981e5..3d5f55c 100644
wake_up_interruptible(&pipe->wait);
ret = -ERESTARTSYS;
goto err;
+@@ -1010,7 +1011,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages)
+ * Currently we rely on the pipe array holding a power-of-2 number
+ * of pages.
+ */
+-static inline unsigned int round_pipe_size(unsigned int size)
++static inline unsigned long round_pipe_size(unsigned long size)
+ {
+ unsigned long nr_pages;
+
+@@ -1058,13 +1059,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
+
+ switch (cmd) {
+ case F_SETPIPE_SZ: {
+- unsigned int size, nr_pages;
++ unsigned long size, nr_pages;
++
++ ret = -EINVAL;
++ if (arg < pipe_min_size)
++ goto out;
+
+ size = round_pipe_size(arg);
+ nr_pages = size >> PAGE_SHIFT;
+
+- ret = -EINVAL;
+- if (!nr_pages)
++ if (size < pipe_min_size)
+ goto out;
+
+ if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 3a48bb7..403067b 100644
--- a/fs/posix_acl.c
@@ -67998,7 +68621,7 @@ index 555f821..34684d7 100644
{
const struct seq_operations *op = ((struct seq_file *)file->private_data)->op;
diff --git a/fs/splice.c b/fs/splice.c
-index 7968da9..275187d 100644
+index 7968da9..4ce985b 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -193,7 +193,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
@@ -68089,6 +68712,15 @@ index 7968da9..275187d 100644
sd.need_wakeup = true;
} else {
buf->offset += ret;
+@@ -1159,7 +1159,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+ long ret, bytes;
+ umode_t i_mode;
+ size_t len;
+- int i, flags;
++ int i, flags, more;
+
+ /*
+ * We require the input being a regular file, as we don't want to
@@ -1185,7 +1185,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
* out of the pipe right after the splice_to_pipe(). So set
* PIPE_READERS appropriately.
@@ -68098,7 +68730,31 @@ index 7968da9..275187d 100644
current->splice_pipe = pipe;
}
-@@ -1482,6 +1482,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
+@@ -1202,6 +1202,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+ * Don't block on output, we have to drain the direct pipe.
+ */
+ sd->flags &= ~SPLICE_F_NONBLOCK;
++ more = sd->flags & SPLICE_F_MORE;
+
+ while (len) {
+ size_t read_len;
+@@ -1215,6 +1216,15 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+ sd->total_len = read_len;
+
+ /*
++ * If more data is pending, set SPLICE_F_MORE
++ * If this is the last data and SPLICE_F_MORE was not set
++ * initially, clears it.
++ */
++ if (read_len < len)
++ sd->flags |= SPLICE_F_MORE;
++ else if (!more)
++ sd->flags &= ~SPLICE_F_MORE;
++ /*
+ * NOTE: nonblocking mode only applies to the input. We
+ * must not do the output in nonblocking mode as then we
+ * could get stuck data in the internal pipe:
+@@ -1482,6 +1492,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
partial[buffers].offset = off;
partial[buffers].len = plen;
@@ -68106,7 +68762,7 @@ index 7968da9..275187d 100644
off = 0;
len -= plen;
-@@ -1718,9 +1719,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1718,9 +1729,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
ret = -ERESTARTSYS;
break;
}
@@ -68118,7 +68774,7 @@ index 7968da9..275187d 100644
if (flags & SPLICE_F_NONBLOCK) {
ret = -EAGAIN;
break;
-@@ -1752,7 +1753,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1752,7 +1763,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
pipe_lock(pipe);
while (pipe->nrbufs >= pipe->buffers) {
@@ -68127,7 +68783,7 @@ index 7968da9..275187d 100644
send_sig(SIGPIPE, current, 0);
ret = -EPIPE;
break;
-@@ -1765,9 +1766,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1765,9 +1776,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
ret = -ERESTARTSYS;
break;
}
@@ -68139,7 +68795,7 @@ index 7968da9..275187d 100644
}
pipe_unlock(pipe);
-@@ -1803,14 +1804,14 @@ retry:
+@@ -1803,14 +1814,14 @@ retry:
pipe_double_lock(ipipe, opipe);
do {
@@ -68156,7 +68812,7 @@ index 7968da9..275187d 100644
break;
/*
-@@ -1907,7 +1908,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -1907,7 +1918,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
pipe_double_lock(ipipe, opipe);
do {
@@ -68165,7 +68821,7 @@ index 7968da9..275187d 100644
send_sig(SIGPIPE, current, 0);
if (!ret)
ret = -EPIPE;
-@@ -1952,7 +1953,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -1952,7 +1963,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
* return EAGAIN if we have the potential of some data in the
* future, otherwise just return 0
*/
@@ -80822,7 +81478,7 @@ index 5591ea7..61b77ce 100644
/**
* struct clk_init_data - holds init data that's common to all clocks and is
diff --git a/include/linux/compat.h b/include/linux/compat.h
-index ab25814..9026bca 100644
+index ab25814..d1540d1 100644
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -316,7 +316,7 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
@@ -80834,6 +81490,15 @@ index ab25814..9026bca 100644
asmlinkage long compat_sys_semctl(int semid, int semnum, int cmd, int arg);
asmlinkage long compat_sys_msgsnd(int msqid, compat_uptr_t msgp,
compat_ssize_t msgsz, int msgflg);
+@@ -325,7 +325,7 @@ asmlinkage long compat_sys_msgrcv(int msqid, compat_uptr_t msgp,
+ long compat_sys_msgctl(int first, int second, void __user *uptr);
+ long compat_sys_shmctl(int first, int second, void __user *uptr);
+ long compat_sys_semtimedop(int semid, struct sembuf __user *tsems,
+- unsigned nsems, const struct compat_timespec __user *timeout);
++ compat_long_t nsems, const struct compat_timespec __user *timeout);
+ asmlinkage long compat_sys_keyctl(u32 option,
+ u32 arg2, u32 arg3, u32 arg4, u32 arg5);
+ asmlinkage long compat_sys_ustat(unsigned dev, struct compat_ustat __user *u32);
@@ -439,7 +439,7 @@ extern int compat_ptrace_request(struct task_struct *child,
extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
compat_ulong_t addr, compat_ulong_t data);
@@ -84390,10 +85055,10 @@ index 1c9effa..1160bdd 100644
.ops = &param_ops_##type, \
.elemsize = sizeof(array[0]), .elem = array }; \
diff --git a/include/linux/mount.h b/include/linux/mount.h
-index c2c561d..a5f2a8c 100644
+index 564beee..653be6f 100644
--- a/include/linux/mount.h
+++ b/include/linux/mount.h
-@@ -66,7 +66,7 @@ struct vfsmount {
+@@ -67,7 +67,7 @@ struct vfsmount {
struct dentry *mnt_root; /* root of the mounted tree */
struct super_block *mnt_sb; /* pointer to superblock */
int mnt_flags;
@@ -85254,7 +85919,7 @@ index ed8f9e70..999bc96 100644
}
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index a419b65..6dd8f3f 100644
+index 51348f7..8c8b0ba 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -133,6 +133,7 @@ struct fs_struct;
@@ -85265,7 +85930,7 @@ index a419b65..6dd8f3f 100644
#define VMACACHE_BITS 2
#define VMACACHE_SIZE (1U << VMACACHE_BITS)
-@@ -412,7 +413,7 @@ extern char __sched_text_start[], __sched_text_end[];
+@@ -420,7 +421,7 @@ extern char __sched_text_start[], __sched_text_end[];
extern int in_sched_functions(unsigned long addr);
#define MAX_SCHEDULE_TIMEOUT LONG_MAX
@@ -85274,7 +85939,7 @@ index a419b65..6dd8f3f 100644
extern signed long schedule_timeout_interruptible(signed long timeout);
extern signed long schedule_timeout_killable(signed long timeout);
extern signed long schedule_timeout_uninterruptible(signed long timeout);
-@@ -430,6 +431,19 @@ struct nsproxy;
+@@ -438,6 +439,19 @@ struct nsproxy;
struct user_namespace;
#ifdef CONFIG_MMU
@@ -85294,7 +85959,7 @@ index a419b65..6dd8f3f 100644
extern void arch_pick_mmap_layout(struct mm_struct *mm);
extern unsigned long
arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
-@@ -728,6 +742,17 @@ struct signal_struct {
+@@ -736,6 +750,17 @@ struct signal_struct {
#ifdef CONFIG_TASKSTATS
struct taskstats *stats;
#endif
@@ -85312,7 +85977,7 @@ index a419b65..6dd8f3f 100644
#ifdef CONFIG_AUDIT
unsigned audit_tty;
unsigned audit_tty_log_passwd;
-@@ -754,7 +779,7 @@ struct signal_struct {
+@@ -762,7 +787,7 @@ struct signal_struct {
struct mutex cred_guard_mutex; /* guard against foreign influences on
* credential calculations
* (notably. ptrace) */
@@ -85321,7 +85986,7 @@ index a419b65..6dd8f3f 100644
/*
* Bits in flags field of signal_struct.
-@@ -807,6 +832,14 @@ struct user_struct {
+@@ -815,6 +840,14 @@ struct user_struct {
struct key *session_keyring; /* UID's default session keyring */
#endif
@@ -85336,7 +86001,7 @@ index a419b65..6dd8f3f 100644
/* Hash table maintenance information */
struct hlist_node uidhash_node;
kuid_t uid;
-@@ -814,7 +847,7 @@ struct user_struct {
+@@ -822,7 +855,7 @@ struct user_struct {
#ifdef CONFIG_PERF_EVENTS
atomic_long_t locked_vm;
#endif
@@ -85345,7 +86010,7 @@ index a419b65..6dd8f3f 100644
extern int uids_sysfs_init(void);
-@@ -1278,6 +1311,9 @@ enum perf_event_task_context {
+@@ -1286,6 +1319,9 @@ enum perf_event_task_context {
struct task_struct {
volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
void *stack;
@@ -85355,7 +86020,7 @@ index a419b65..6dd8f3f 100644
atomic_t usage;
unsigned int flags; /* per process flags, defined below */
unsigned int ptrace;
-@@ -1411,8 +1447,8 @@ struct task_struct {
+@@ -1419,8 +1455,8 @@ struct task_struct {
struct list_head thread_node;
struct completion *vfork_done; /* for vfork() */
@@ -85366,7 +86031,7 @@ index a419b65..6dd8f3f 100644
cputime_t utime, stime, utimescaled, stimescaled;
cputime_t gtime;
-@@ -1437,11 +1473,6 @@ struct task_struct {
+@@ -1445,11 +1481,6 @@ struct task_struct {
struct task_cputime cputime_expires;
struct list_head cpu_timers[3];
@@ -85378,7 +86043,7 @@ index a419b65..6dd8f3f 100644
char comm[TASK_COMM_LEN]; /* executable name excluding path
- access with [gs]et_task_comm (which lock
it with task_lock())
-@@ -1459,6 +1490,10 @@ struct task_struct {
+@@ -1467,6 +1498,10 @@ struct task_struct {
#endif
/* CPU-specific state of this task */
struct thread_struct thread;
@@ -85389,7 +86054,7 @@ index a419b65..6dd8f3f 100644
/* filesystem information */
struct fs_struct *fs;
/* open file information */
-@@ -1533,6 +1568,10 @@ struct task_struct {
+@@ -1541,6 +1576,10 @@ struct task_struct {
gfp_t lockdep_reclaim_gfp;
#endif
@@ -85400,7 +86065,7 @@ index a419b65..6dd8f3f 100644
/* journalling filesystem info */
void *journal_info;
-@@ -1571,6 +1610,10 @@ struct task_struct {
+@@ -1579,6 +1618,10 @@ struct task_struct {
/* cg_list protected by css_set_lock and tsk->alloc_lock */
struct list_head cg_list;
#endif
@@ -85411,7 +86076,7 @@ index a419b65..6dd8f3f 100644
#ifdef CONFIG_FUTEX
struct robust_list_head __user *robust_list;
#ifdef CONFIG_COMPAT
-@@ -1682,7 +1725,7 @@ struct task_struct {
+@@ -1690,7 +1733,7 @@ struct task_struct {
* Number of functions that haven't been traced
* because of depth overrun.
*/
@@ -85420,7 +86085,7 @@ index a419b65..6dd8f3f 100644
/* Pause for the tracing */
atomic_t tracing_graph_pause;
#endif
-@@ -1710,7 +1753,78 @@ struct task_struct {
+@@ -1718,7 +1761,78 @@ struct task_struct {
#ifdef CONFIG_DEBUG_ATOMIC_SLEEP
unsigned long task_state_change;
#endif
@@ -85500,7 +86165,7 @@ index a419b65..6dd8f3f 100644
/* Future-safe accessor for struct task_struct's cpus_allowed. */
#define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
-@@ -1793,7 +1907,7 @@ struct pid_namespace;
+@@ -1801,7 +1915,7 @@ struct pid_namespace;
pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
struct pid_namespace *ns);
@@ -85509,7 +86174,7 @@ index a419b65..6dd8f3f 100644
{
return tsk->pid;
}
-@@ -2161,6 +2275,25 @@ extern u64 sched_clock_cpu(int cpu);
+@@ -2169,6 +2283,25 @@ extern u64 sched_clock_cpu(int cpu);
extern void sched_clock_init(void);
@@ -85535,7 +86200,7 @@ index a419b65..6dd8f3f 100644
#ifndef CONFIG_HAVE_UNSTABLE_SCHED_CLOCK
static inline void sched_clock_tick(void)
{
-@@ -2294,7 +2427,9 @@ void yield(void);
+@@ -2302,7 +2435,9 @@ void yield(void);
extern struct exec_domain default_exec_domain;
union thread_union {
@@ -85545,7 +86210,7 @@ index a419b65..6dd8f3f 100644
unsigned long stack[THREAD_SIZE/sizeof(long)];
};
-@@ -2327,6 +2462,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2335,6 +2470,7 @@ extern struct pid_namespace init_pid_ns;
*/
extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -85553,7 +86218,7 @@ index a419b65..6dd8f3f 100644
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
-@@ -2491,7 +2627,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2499,7 +2635,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -85562,7 +86227,7 @@ index a419b65..6dd8f3f 100644
extern int do_execve(struct filename *,
const char __user * const __user *,
-@@ -2712,9 +2848,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2720,9 +2856,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
#define task_stack_end_corrupted(task) \
(*(end_of_stack(task)) != STACK_END_MAGIC)
@@ -85696,19 +86361,19 @@ index ab1e039..ad4229e 100644
static inline void disallow_signal(int sig)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
-index f54d665..e41848d 100644
+index bdccc4b..e9f8670 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
-@@ -770,7 +770,7 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
- struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags,
+@@ -771,7 +771,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags,
int node);
+ struct sk_buff *__build_skb(void *data, unsigned int frag_size);
struct sk_buff *build_skb(void *data, unsigned int frag_size);
-static inline struct sk_buff *alloc_skb(unsigned int size,
+static inline struct sk_buff * __intentional_overflow(0) alloc_skb(unsigned int size,
gfp_t priority)
{
return __alloc_skb(size, priority, 0, NUMA_NO_NODE);
-@@ -1966,7 +1966,7 @@ static inline u32 skb_inner_network_header_len(const struct sk_buff *skb)
+@@ -1967,7 +1967,7 @@ static inline u32 skb_inner_network_header_len(const struct sk_buff *skb)
return skb->inner_transport_header - skb->inner_network_header;
}
@@ -85717,7 +86382,7 @@ index f54d665..e41848d 100644
{
return skb_network_header(skb) - skb->data;
}
-@@ -2026,7 +2026,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
+@@ -2027,7 +2027,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
* NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
*/
#ifndef NET_SKB_PAD
@@ -85726,7 +86391,7 @@ index f54d665..e41848d 100644
#endif
int ___pskb_trim(struct sk_buff *skb, unsigned int len);
-@@ -2668,9 +2668,9 @@ struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags, int noblock,
+@@ -2669,9 +2669,9 @@ struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags, int noblock,
int *err);
unsigned int datagram_poll(struct file *file, struct socket *sock,
struct poll_table_struct *wait);
@@ -85738,7 +86403,7 @@ index f54d665..e41848d 100644
struct msghdr *msg, int size)
{
return skb_copy_datagram_iter(from, offset, &msg->msg_iter, size);
-@@ -3180,6 +3180,9 @@ static inline void nf_reset(struct sk_buff *skb)
+@@ -3193,6 +3193,9 @@ static inline void nf_reset(struct sk_buff *skb)
nf_bridge_put(skb->nf_bridge);
skb->nf_bridge = NULL;
#endif
@@ -86050,7 +86715,7 @@ index e7a018e..49f8b17 100644
extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
unsigned long offset, size_t size,
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
-index 76d1e38..d92ff38 100644
+index 76d1e38..200776e 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -102,7 +102,12 @@ union bpf_attr;
@@ -86092,6 +86757,19 @@ index 76d1e38..d92ff38 100644
asmlinkage long sys_sendmsg(int fd, struct user_msghdr __user *msg, unsigned flags);
asmlinkage long sys_sendmmsg(int fd, struct mmsghdr __user *msg,
unsigned int vlen, unsigned flags);
+@@ -663,10 +668,10 @@ asmlinkage long sys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf);
+
+ asmlinkage long sys_semget(key_t key, int nsems, int semflg);
+ asmlinkage long sys_semop(int semid, struct sembuf __user *sops,
+- unsigned nsops);
++ long nsops);
+ asmlinkage long sys_semctl(int semid, int semnum, int cmd, unsigned long arg);
+ asmlinkage long sys_semtimedop(int semid, struct sembuf __user *sops,
+- unsigned nsops,
++ long nsops,
+ const struct timespec __user *timeout);
+ asmlinkage long sys_shmat(int shmid, char __user *shmaddr, int shmflg);
+ asmlinkage long sys_shmget(key_t key, size_t size, int flag);
diff --git a/include/linux/syscore_ops.h b/include/linux/syscore_ops.h
index 27b3b0b..e093dd9 100644
--- a/include/linux/syscore_ops.h
@@ -86396,10 +87074,10 @@ index 99c1b4d..562e6f3 100644
static inline void put_unaligned_le16(u16 val, void *p)
diff --git a/include/linux/usb.h b/include/linux/usb.h
-index 7ee1b5c..82e2c1a 100644
+index 447fe29..9fc875f 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
-@@ -566,7 +566,7 @@ struct usb_device {
+@@ -592,7 +592,7 @@ struct usb_device {
int maxchild;
u32 quirks;
@@ -86408,7 +87086,7 @@ index 7ee1b5c..82e2c1a 100644
unsigned long active_duration;
-@@ -1650,7 +1650,7 @@ void usb_buffer_unmap_sg(const struct usb_device *dev, int is_in,
+@@ -1676,7 +1676,7 @@ void usb_buffer_unmap_sg(const struct usb_device *dev, int is_in,
extern int usb_control_msg(struct usb_device *dev, unsigned int pipe,
__u8 request, __u8 requesttype, __u16 value, __u16 index,
@@ -87537,7 +88215,7 @@ index 0d1ade1..34e77d3 100644
struct snd_soc_dai_link_component {
const char *name;
diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
-index 672150b..9d4bec4 100644
+index 985ca4c..b55b54a 100644
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -767,7 +767,7 @@ struct se_device {
@@ -88472,7 +89150,7 @@ index 6f0f1c5f..a542824 100644
* Ok, we have completed the initial bootup, and
* we're essentially up and running. Get rid of the
diff --git a/ipc/compat.c b/ipc/compat.c
-index 9b3c85f..1c4d897 100644
+index 9b3c85f..5266b0f 100644
--- a/ipc/compat.c
+++ b/ipc/compat.c
@@ -396,7 +396,7 @@ COMPAT_SYSCALL_DEFINE6(ipc, u32, call, int, first, int, second,
@@ -88484,6 +89162,15 @@ index 9b3c85f..1c4d897 100644
}
case SHMDT:
return sys_shmdt(compat_ptr(ptr));
+@@ -747,7 +747,7 @@ COMPAT_SYSCALL_DEFINE3(shmctl, int, first, int, second, void __user *, uptr)
+ }
+
+ COMPAT_SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsems,
+- unsigned, nsops,
++ compat_long_t, nsops,
+ const struct compat_timespec __user *, timeout)
+ {
+ struct timespec __user *ts64;
diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
index 8ad93c2..efd80f8 100644
--- a/ipc/ipc_sysctl.c
@@ -88558,6 +89245,28 @@ index 7635a1c..7432cb6 100644
spin_lock(&mq_lock);
if (u->mq_bytes + mq_bytes < u->mq_bytes ||
u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
+diff --git a/ipc/sem.c b/ipc/sem.c
+index 9284211..bca5b1b 100644
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -1780,7 +1780,7 @@ static int get_queue_result(struct sem_queue *q)
+ }
+
+ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
+- unsigned, nsops, const struct timespec __user *, timeout)
++ long, nsops, const struct timespec __user *, timeout)
+ {
+ int error = -EINVAL;
+ struct sem_array *sma;
+@@ -2015,7 +2015,7 @@ out_free:
+ }
+
+ SYSCALL_DEFINE3(semop, int, semid, struct sembuf __user *, tsops,
+- unsigned, nsops)
++ long, nsops)
+ {
+ return sys_semtimedop(semid, tsops, nsops, NULL);
+ }
diff --git a/ipc/shm.c b/ipc/shm.c
index 19633b4..d454904 100644
--- a/ipc/shm.c
@@ -92050,7 +92759,7 @@ index a7bcd28..5b368fa 100644
}
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index 227fec3..3aea55b 100644
+index 9a34bd8..38d90e5 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -321,7 +321,7 @@ static int ptrace_attach(struct task_struct *task, long request,
@@ -92071,7 +92780,7 @@ index 227fec3..3aea55b 100644
return -EFAULT;
copied += retval;
src += retval;
-@@ -783,7 +783,7 @@ int ptrace_request(struct task_struct *child, long request,
+@@ -803,7 +803,7 @@ int ptrace_request(struct task_struct *child, long request,
bool seized = child->ptrace & PT_SEIZED;
int ret = -EIO;
siginfo_t siginfo, *si;
@@ -92080,7 +92789,7 @@ index 227fec3..3aea55b 100644
unsigned long __user *datalp = datavp;
unsigned long flags;
-@@ -1029,14 +1029,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
+@@ -1049,14 +1049,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
goto out;
}
@@ -92103,7 +92812,7 @@ index 227fec3..3aea55b 100644
goto out_put_task_struct;
}
-@@ -1064,7 +1071,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
+@@ -1084,7 +1091,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
if (copied != sizeof(tmp))
return -EIO;
@@ -92112,7 +92821,7 @@ index 227fec3..3aea55b 100644
}
int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
-@@ -1157,7 +1164,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
+@@ -1177,7 +1184,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
}
COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
@@ -92121,7 +92830,7 @@ index 227fec3..3aea55b 100644
{
struct task_struct *child;
long ret;
-@@ -1173,14 +1180,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
+@@ -1193,14 +1200,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
goto out;
}
@@ -93260,10 +93969,10 @@ index 8d0f35d..c16360d 100644
unsigned long timeout)
{
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 62671f5..7b3505b 100644
+index 3d5f6f6..a94298f 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
-@@ -1847,7 +1847,7 @@ void set_numabalancing_state(bool enabled)
+@@ -1862,7 +1862,7 @@ void set_numabalancing_state(bool enabled)
int sysctl_numa_balancing(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
@@ -93272,7 +93981,7 @@ index 62671f5..7b3505b 100644
int err;
int state = numabalancing_enabled;
-@@ -2297,8 +2297,10 @@ context_switch(struct rq *rq, struct task_struct *prev,
+@@ -2312,8 +2312,10 @@ context_switch(struct rq *rq, struct task_struct *prev,
next->active_mm = oldmm;
atomic_inc(&oldmm->mm_count);
enter_lazy_tlb(oldmm, next);
@@ -93284,7 +93993,7 @@ index 62671f5..7b3505b 100644
if (!prev->mm) {
prev->active_mm = NULL;
-@@ -3109,6 +3111,8 @@ int can_nice(const struct task_struct *p, const int nice)
+@@ -3124,6 +3126,8 @@ int can_nice(const struct task_struct *p, const int nice)
/* convert nice value [19,-20] to rlimit style value [1,40] */
int nice_rlim = nice_to_rlimit(nice);
@@ -93293,7 +94002,7 @@ index 62671f5..7b3505b 100644
return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
capable(CAP_SYS_NICE));
}
-@@ -3135,7 +3139,8 @@ SYSCALL_DEFINE1(nice, int, increment)
+@@ -3150,7 +3154,8 @@ SYSCALL_DEFINE1(nice, int, increment)
nice = task_nice(current) + increment;
nice = clamp_val(nice, MIN_NICE, MAX_NICE);
@@ -93303,7 +94012,7 @@ index 62671f5..7b3505b 100644
return -EPERM;
retval = security_task_setnice(current, nice);
-@@ -3444,6 +3449,7 @@ recheck:
+@@ -3459,6 +3464,7 @@ recheck:
if (policy != p->policy && !rlim_rtprio)
return -EPERM;
@@ -93311,7 +94020,7 @@ index 62671f5..7b3505b 100644
/* can't increase priority */
if (attr->sched_priority > p->rt_priority &&
attr->sched_priority > rlim_rtprio)
-@@ -4931,6 +4937,7 @@ void idle_task_exit(void)
+@@ -4946,6 +4952,7 @@ void idle_task_exit(void)
if (mm != &init_mm) {
switch_mm(mm, &init_mm, current);
@@ -93319,7 +94028,7 @@ index 62671f5..7b3505b 100644
finish_arch_post_lock_switch();
}
mmdrop(mm);
-@@ -5026,7 +5033,7 @@ static void migrate_tasks(unsigned int dead_cpu)
+@@ -5041,7 +5048,7 @@ static void migrate_tasks(unsigned int dead_cpu)
#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL)
@@ -93328,7 +94037,7 @@ index 62671f5..7b3505b 100644
{
.procname = "sched_domain",
.mode = 0555,
-@@ -5043,17 +5050,17 @@ static struct ctl_table sd_ctl_root[] = {
+@@ -5058,17 +5065,17 @@ static struct ctl_table sd_ctl_root[] = {
{}
};
@@ -93350,7 +94059,7 @@ index 62671f5..7b3505b 100644
/*
* In the intermediate directories, both the child directory and
-@@ -5061,22 +5068,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
+@@ -5076,22 +5083,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
* will always be set. In the lowest directory the names are
* static strings and all have proc handlers.
*/
@@ -93382,7 +94091,7 @@ index 62671f5..7b3505b 100644
const char *procname, void *data, int maxlen,
umode_t mode, proc_handler *proc_handler,
bool load_idx)
-@@ -5096,7 +5106,7 @@ set_table_entry(struct ctl_table *entry,
+@@ -5111,7 +5121,7 @@ set_table_entry(struct ctl_table *entry,
static struct ctl_table *
sd_alloc_ctl_domain_table(struct sched_domain *sd)
{
@@ -93391,7 +94100,7 @@ index 62671f5..7b3505b 100644
if (table == NULL)
return NULL;
-@@ -5134,9 +5144,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
+@@ -5149,9 +5159,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
return table;
}
@@ -93403,7 +94112,7 @@ index 62671f5..7b3505b 100644
struct sched_domain *sd;
int domain_num = 0, i;
char buf[32];
-@@ -5163,11 +5173,13 @@ static struct ctl_table_header *sd_sysctl_header;
+@@ -5178,11 +5188,13 @@ static struct ctl_table_header *sd_sysctl_header;
static void register_sched_domain_sysctl(void)
{
int i, cpu_num = num_possible_cpus();
@@ -93418,7 +94127,7 @@ index 62671f5..7b3505b 100644
if (entry == NULL)
return;
-@@ -5190,8 +5202,12 @@ static void unregister_sched_domain_sysctl(void)
+@@ -5205,8 +5217,12 @@ static void unregister_sched_domain_sysctl(void)
if (sd_sysctl_header)
unregister_sysctl_table(sd_sysctl_header);
sd_sysctl_header = NULL;
@@ -94603,7 +95312,7 @@ index 4f22802..bd268b1 100644
/* make curr_ret_stack visible before we add the ret_stack */
smp_wmb();
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
-index 5040d44..d43b2b9 100644
+index 922048a..bb71a55 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -348,9 +348,9 @@ struct buffer_data_page {
@@ -94815,7 +95524,7 @@ index 5040d44..d43b2b9 100644
return NULL;
}
#endif
-@@ -2902,7 +2902,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2901,7 +2901,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
/* Do the likely case first */
if (likely(bpage->page == (void *)addr)) {
@@ -94824,7 +95533,7 @@ index 5040d44..d43b2b9 100644
return;
}
-@@ -2914,7 +2914,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2913,7 +2913,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
start = bpage;
do {
if (bpage->page == (void *)addr) {
@@ -94833,7 +95542,7 @@ index 5040d44..d43b2b9 100644
return;
}
rb_inc_page(cpu_buffer, &bpage);
-@@ -3198,7 +3198,7 @@ static inline unsigned long
+@@ -3197,7 +3197,7 @@ static inline unsigned long
rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer)
{
return local_read(&cpu_buffer->entries) -
@@ -94842,7 +95551,7 @@ index 5040d44..d43b2b9 100644
}
/**
-@@ -3287,7 +3287,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu)
+@@ -3286,7 +3286,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu)
return 0;
cpu_buffer = buffer->buffers[cpu];
@@ -94851,7 +95560,7 @@ index 5040d44..d43b2b9 100644
return ret;
}
-@@ -3310,7 +3310,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu)
+@@ -3309,7 +3309,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu)
return 0;
cpu_buffer = buffer->buffers[cpu];
@@ -94860,7 +95569,7 @@ index 5040d44..d43b2b9 100644
return ret;
}
-@@ -3332,7 +3332,7 @@ ring_buffer_dropped_events_cpu(struct ring_buffer *buffer, int cpu)
+@@ -3331,7 +3331,7 @@ ring_buffer_dropped_events_cpu(struct ring_buffer *buffer, int cpu)
return 0;
cpu_buffer = buffer->buffers[cpu];
@@ -94869,7 +95578,7 @@ index 5040d44..d43b2b9 100644
return ret;
}
-@@ -3395,7 +3395,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
+@@ -3394,7 +3394,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
/* if you care about this being correct, lock the buffer */
for_each_buffer_cpu(buffer, cpu) {
cpu_buffer = buffer->buffers[cpu];
@@ -94878,7 +95587,7 @@ index 5040d44..d43b2b9 100644
}
return overruns;
-@@ -3566,8 +3566,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -3565,8 +3565,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
/*
* Reset the reader page to size zero.
*/
@@ -94889,7 +95598,7 @@ index 5040d44..d43b2b9 100644
local_set(&cpu_buffer->reader_page->page->commit, 0);
cpu_buffer->reader_page->real_end = 0;
-@@ -3601,7 +3601,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -3600,7 +3600,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
* want to compare with the last_overrun.
*/
smp_mb();
@@ -94898,7 +95607,7 @@ index 5040d44..d43b2b9 100644
/*
* Here's the tricky part.
-@@ -4173,8 +4173,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -4172,8 +4172,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
cpu_buffer->head_page
= list_entry(cpu_buffer->pages, struct buffer_page, list);
@@ -94909,7 +95618,7 @@ index 5040d44..d43b2b9 100644
local_set(&cpu_buffer->head_page->page->commit, 0);
cpu_buffer->head_page->read = 0;
-@@ -4184,18 +4184,18 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -4183,18 +4183,18 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
INIT_LIST_HEAD(&cpu_buffer->new_pages);
@@ -94934,7 +95643,7 @@ index 5040d44..d43b2b9 100644
cpu_buffer->read = 0;
cpu_buffer->read_bytes = 0;
-@@ -4596,8 +4596,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
+@@ -4595,8 +4595,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
rb_init_page(bpage);
bpage = reader->page;
reader->page = *data_page;
@@ -94992,10 +95701,10 @@ index 57b67b1..66082a9 100644
+ return atomic64_inc_return_unchecked(&trace_counter);
}
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
-index db54dda..b9e4f03 100644
+index a9c10a3..1864f6b 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
-@@ -1755,7 +1755,6 @@ __trace_early_add_new_event(struct ftrace_event_call *call,
+@@ -1762,7 +1762,6 @@ __trace_early_add_new_event(struct ftrace_event_call *call,
return 0;
}
@@ -95004,7 +95713,7 @@ index db54dda..b9e4f03 100644
/* Add an additional event_call dynamically */
diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
-index 2d25ad1..5bfd931 100644
+index b6fce36..d9f11a3 100644
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -133,7 +133,7 @@ ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
@@ -95397,6 +96106,20 @@ index 547f7f9..a6d4ba0 100644
if (is_on_stack == onstack)
return;
+diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c
+index 6dd0335..1e9c239 100644
+--- a/lib/decompress_bunzip2.c
++++ b/lib/decompress_bunzip2.c
+@@ -665,7 +665,8 @@ static int INIT start_bunzip(struct bunzip_data **bdp, void *inbuf, long len,
+
+ /* Fourth byte (ascii '1'-'9'), indicates block size in units of 100k of
+ uncompressed data. Allocate intermediate buffer for block. */
+- bd->dbufSize = 100000*(i-BZh0);
++ i -= BZh0;
++ bd->dbufSize = 100000 * i;
+
+ bd->dbuf = large_malloc(bd->dbufSize * sizeof(int));
+ if (!bd->dbuf)
diff --git a/lib/div64.c b/lib/div64.c
index 4382ad7..08aa558 100644
--- a/lib/div64.c
@@ -96293,7 +97016,7 @@ index 123bcd3..0de52ba 100644
set_page_address(page, (void *)vaddr);
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index c41b2a0..100cf92 100644
+index caad3c5..4f68807 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2260,6 +2260,7 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
@@ -97357,7 +98080,7 @@ index 97839f5..4bc5530 100644
mm = get_task_mm(tsk);
if (!mm)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index 4721046..6ae2056 100644
+index de5dc5e..68a4ea3 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -703,6 +703,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
@@ -102158,7 +102881,7 @@ index df493d6..1145766 100644
return err;
diff --git a/net/core/dev.c b/net/core/dev.c
-index 45109b7..6b58f14a 100644
+index 22a53ac..1d19af7 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1681,14 +1681,14 @@ int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
@@ -102569,10 +103292,10 @@ index 3b6899b..cf36238 100644
{
struct socket *sock;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index 98d45fe..4f9608f 100644
+index e9f9a15..6eb024e 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
-@@ -2121,7 +2121,7 @@ EXPORT_SYMBOL(__skb_checksum);
+@@ -2139,7 +2139,7 @@ EXPORT_SYMBOL(__skb_checksum);
__wsum skb_checksum(const struct sk_buff *skb, int offset,
int len, __wsum csum)
{
@@ -102581,7 +103304,7 @@ index 98d45fe..4f9608f 100644
.update = csum_partial_ext,
.combine = csum_block_add_ext,
};
-@@ -3361,12 +3361,14 @@ void __init skb_init(void)
+@@ -3379,12 +3379,14 @@ void __init skb_init(void)
skbuff_head_cache = kmem_cache_create("skbuff_head_cache",
sizeof(struct sk_buff),
0,
@@ -106035,7 +106758,7 @@ index 11de55e..f25e448 100644
return 0;
}
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 05919bf..fcb6be3 100644
+index d1d7a81..b45b03d 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -260,7 +260,7 @@ static void netlink_overrun(struct sock *sk)
@@ -106047,7 +106770,7 @@ index 05919bf..fcb6be3 100644
}
static void netlink_rcv_wake(struct sock *sk)
-@@ -3004,7 +3004,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
+@@ -3002,7 +3002,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
sk_wmem_alloc_get(s),
nlk->cb_running,
atomic_read(&s->sk_refcnt),
@@ -108747,10 +109470,10 @@ index cdb491d..8d32bfc 100755
# Find all available archs
find_all_archs()
diff --git a/security/Kconfig b/security/Kconfig
-index beb86b5..3bc66c1 100644
+index beb86b5..135675f 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,975 @@
+@@ -4,6 +4,980 @@
menu "Security options"
@@ -108818,6 +109541,11 @@ index beb86b5..3bc66c1 100644
+ grsecurity and PaX settings manually. Via this method, no options are
+ automatically enabled.
+
++ Take note that if menuconfig is exited with this configuration method
++ chosen, you will not be able to use the automatic configuration methods
++ without starting again with a kernel configuration with no grsecurity
++ or PaX options specified inside.
++
+endchoice
+
+choice
@@ -109726,7 +110454,7 @@ index beb86b5..3bc66c1 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +1072,7 @@ config INTEL_TXT
+@@ -103,7 +1077,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -117635,10 +118363,10 @@ index 0000000..b8e7188
+}
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
new file mode 100644
-index 0000000..a0b019b
+index 0000000..df41844
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,28039 @@
+@@ -0,0 +1,28043 @@
+intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL nohasharray
+iwl_set_tx_power_1 iwl_set_tx_power 0 1 &intel_fake_agp_alloc_by_type_1
+ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL
@@ -118005,6 +118733,7 @@ index 0000000..a0b019b
+set_node_desc_885 set_node_desc 0-4 885 NULL
+show_fnode_max_burst_len_889 show_fnode_max_burst_len 0 889 NULL
+vsock_stream_sendmsg_898 vsock_stream_sendmsg 0-4 898 NULL
++btrfs_is_valid_xattr_899 btrfs_is_valid_xattr 0 899 NULL
+drv_attr_show_903 drv_attr_show 0 903 NULL nohasharray
+regulator_bulk_enable_903 regulator_bulk_enable 0 903 &drv_attr_show_903
+tcpprobe_read_904 tcpprobe_read 0-3 904 NULL
@@ -126241,6 +126970,7 @@ index 0000000..a0b019b
+attr_press_speed_store_tpkbd_20100 attr_press_speed_store_tpkbd 0-4 20100 NULL
+snd_es1938_playback1_trigger_20102 snd_es1938_playback1_trigger 0 20102 NULL
+xfs_qm_dqget_20103 xfs_qm_dqget 0 20103 NULL
++fd_do_unmap_20109 fd_do_unmap 4 20109 NULL
+nilfs_segments_clean_segments_show_20115 nilfs_segments_clean_segments_show 0 20115 NULL
+iscsi_tpg_param_store_TargetAlias_20119 iscsi_tpg_param_store_TargetAlias 0-3 20119 NULL
+cx18_s_audio_sampling_freq_20123 cx18_s_audio_sampling_freq 0 20123 NULL nohasharray
@@ -129102,6 +129832,7 @@ index 0000000..a0b019b
+pch_gbe_set_mac_26647 pch_gbe_set_mac 0 26647 NULL
+statfs_quantum_show_26649 statfs_quantum_show 0 26649 NULL
+irq_alloc_generic_chip_26650 irq_alloc_generic_chip 2 26650 NULL
++fd_do_prot_fill_26652 fd_do_prot_fill 5-3 26652 NULL
+show_state_desc_26653 show_state_desc 0 26653 NULL nohasharray
+rom_index_show_26653 rom_index_show 0 26653 &show_state_desc_26653
+nouveau_volt_create__26654 nouveau_volt_create_ 4 26654 NULL
@@ -130918,6 +131649,7 @@ index 0000000..a0b019b
+copy_send_mad_30897 copy_send_mad 0 30897 NULL nohasharray
+ubifs_wbuf_seek_nolock_30897 ubifs_wbuf_seek_nolock 0 30897 &copy_send_mad_30897
+pxa168_get_settings_30899 pxa168_get_settings 0 30899 NULL
++fd_do_prot_unmap_30900 fd_do_prot_unmap 3 30900 NULL
+copy_to_iter_30901 copy_to_iter 0-2 30901 NULL
+bq2415x_get_battery_regulation_voltage_30903 bq2415x_get_battery_regulation_voltage 0 30903 NULL nohasharray
+fc_host_post_vendor_event_30903 fc_host_post_vendor_event 3 30903 &bq2415x_get_battery_regulation_voltage_30903
@@ -149481,7 +150213,7 @@ index 0a578fe..b81f62d 100644
})
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index cc6a25d..babf9ee 100644
+index f8f3f5fe..9bc113f 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -81,12 +81,17 @@ LIST_HEAD(vm_list);
diff --git a/3.14.40/4425_grsec_remove_EI_PAX.patch b/4.0.2/4425_grsec_remove_EI_PAX.patch
index 86e242a..a80a5d7 100644
--- a/3.14.40/4425_grsec_remove_EI_PAX.patch
+++ b/4.0.2/4425_grsec_remove_EI_PAX.patch
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
--- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
+++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
-@@ -273,7 +273,7 @@
+@@ -278,7 +278,7 @@
config PAX_EI_PAX
bool 'Use legacy ELF header marking'
diff --git a/4.0.1/4427_force_XATTR_PAX_tmpfs.patch b/4.0.2/4427_force_XATTR_PAX_tmpfs.patch
index a789f0b..a789f0b 100644
--- a/4.0.1/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.0.2/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.0.1/4430_grsec-remove-localversion-grsec.patch b/4.0.2/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.0.1/4430_grsec-remove-localversion-grsec.patch
+++ b/4.0.2/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.0.1/4435_grsec-mute-warnings.patch b/4.0.2/4435_grsec-mute-warnings.patch
index 0585e08..b7564e4 100644
--- a/4.0.1/4435_grsec-mute-warnings.patch
+++ b/4.0.2/4435_grsec-mute-warnings.patch
@@ -29,15 +29,15 @@ warning flags of vanilla kernel versions.
Acked-by: Christian Heim <phreak@gentoo.org>
---
-diff -Naur a/Makefile b/Makefile
---- a/Makefile 2014-12-30 10:18:12.697915684 -0500
-+++ b/Makefile 2014-12-30 10:25:59.132931931 -0500
+diff -Naur linux-4.0.2-hardened.orig/Makefile linux-4.0.2-hardened/Makefile
+--- linux-4.0.2-hardened.orig/Makefile 2015-05-09 21:08:19.243113731 -0400
++++ linux-4.0.2-hardened/Makefile 2015-05-09 21:10:37.775120037 -0400
@@ -298,7 +298,7 @@
HOSTCC = gcc
HOSTCXX = g++
HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89
--HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -std=gnu89 -fno-delete-null-pointer-checks
-+HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -std=gnu89 -fno-delete-null-pointer-checks
+-HOSTCFLAGS = -W -Wno-unused-parameter -Wno-missing-field-initializers -fno-delete-null-pointer-checks
++HOSTCFLAGS = -Wno-unused-parameter -Wno-missing-field-initializers -fno-delete-null-pointer-checks
HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
HOSTCXXFLAGS = -O2 -Wall -W -Wno-array-bounds
diff --git a/4.0.1/4440_grsec-remove-protected-paths.patch b/4.0.2/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.0.1/4440_grsec-remove-protected-paths.patch
+++ b/4.0.2/4440_grsec-remove-protected-paths.patch
diff --git a/4.0.1/4450_grsec-kconfig-default-gids.patch b/4.0.2/4450_grsec-kconfig-default-gids.patch
index 5c025da..61d903e 100644
--- a/4.0.1/4450_grsec-kconfig-default-gids.patch
+++ b/4.0.2/4450_grsec-kconfig-default-gids.patch
@@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
diff -Nuar a/security/Kconfig b/security/Kconfig
--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
-@@ -201,7 +201,7 @@
+@@ -206,7 +206,7 @@
config GRKERNSEC_PROC_GID
int "GID exempted from /proc restrictions"
@@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group will be exempted from
grsecurity's /proc restrictions, allowing users of the specified
-@@ -212,7 +212,7 @@
+@@ -217,7 +217,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group untrusted users should
be added to. These users will be placed under grsecurity's Trusted Path
-@@ -224,7 +224,7 @@
+@@ -229,7 +229,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -233,7 +233,7 @@
+@@ -238,7 +238,7 @@
config GRKERNSEC_SYMLINKOWN_GID
int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
depends on GRKERNSEC_CONFIG_SERVER
diff --git a/4.0.1/4465_selinux-avc_audit-log-curr_ip.patch b/4.0.2/4465_selinux-avc_audit-log-curr_ip.patch
index ba89596..ba89596 100644
--- a/4.0.1/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.0.2/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.0.1/4470_disable-compat_vdso.patch b/4.0.2/4470_disable-compat_vdso.patch
index 7aefa02..7aefa02 100644
--- a/4.0.1/4470_disable-compat_vdso.patch
+++ b/4.0.2/4470_disable-compat_vdso.patch
diff --git a/3.14.40/4475_emutramp_default_on.patch b/4.0.2/4475_emutramp_default_on.patch
index ad4967a..a128205 100644
--- a/3.14.40/4475_emutramp_default_on.patch
+++ b/4.0.2/4475_emutramp_default_on.patch
@@ -10,7 +10,7 @@ See bug:
diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
+++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
-@@ -433,7 +433,7 @@
+@@ -438,7 +438,7 @@
config PAX_EMUTRAMP
bool "Emulate trampolines"
@@ -19,7 +19,7 @@ diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/secur
depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
help
There are some programs and libraries that for one reason or
-@@ -456,6 +456,12 @@
+@@ -461,6 +461,12 @@
utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
for the affected files.