diff options
| author |   Mike Pagano <mpagano@gentoo.org> | 2014-11-14 15:53:04 -0500 |
|---|---|---|
| committer | Mike Pagano <mpagano@gentoo.org> | 2014-11-14 15:53:04 -0500 |
| commit | 4a4c4f47be6d043e68533a0a2011a7d9f61fc61e (patch) | |
| tree | 82f41ba7b1b3103f1cb4bb85b79885e815b0aec9 | |
| parent | Linux patch 3.10.59 (diff) | |
| download | linux-patches-3.10-67.tar.gz linux-patches-3.10-67.tar.bz2 linux-patches-3.10-67.zip | |
Linux patch 3.10.603.10-67
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1059_linux-3.10.60.patch | 4170 |
2 files changed, 4174 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 580573b6..6a1392d2 100644 --- a/0000_README +++ b/0000_README @@ -278,6 +278,10 @@ Patch: 1058_linux-3.10.59.patch From: http://www.kernel.org Desc: Linux 3.10.59 +Patch: 1059_linux-3.10.60.patch +From: http://www.kernel.org +Desc: Linux 3.10.60 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1059_linux-3.10.60.patch b/1059_linux-3.10.60.patch new file mode 100644 index 00000000..92b4f57c --- /dev/null +++ b/1059_linux-3.10.60.patch @@ -0,0 +1,4170 @@ +diff --git a/Makefile b/Makefile +index 7baf27f5cf0f..9d4f30d0d201 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 10 +-SUBLEVEL = 59 ++SUBLEVEL = 60 + EXTRAVERSION = + NAME = TOSSUG Baby Fish + +diff --git a/arch/arc/boot/dts/nsimosci.dts b/arch/arc/boot/dts/nsimosci.dts +index 4f31b2eb5cdf..398064cef746 100644 +--- a/arch/arc/boot/dts/nsimosci.dts ++++ b/arch/arc/boot/dts/nsimosci.dts +@@ -20,7 +20,7 @@ + /* this is for console on PGU */ + /* bootargs = "console=tty0 consoleblank=0"; */ + /* this is for console on serial */ +- bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=ttyS0,115200n8 consoleblank=0 debug"; ++ bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=tty0 console=ttyS0,115200n8 consoleblank=0 debug"; + }; + + aliases { +diff --git a/arch/arc/include/asm/kgdb.h b/arch/arc/include/asm/kgdb.h +index 4930957ca3d3..e897610c657a 100644 +--- a/arch/arc/include/asm/kgdb.h ++++ b/arch/arc/include/asm/kgdb.h +@@ -19,7 +19,7 @@ + * register API yet */ + #undef DBG_MAX_REG_NUM + +-#define GDB_MAX_REGS 39 ++#define GDB_MAX_REGS 87 + + #define BREAK_INSTR_SIZE 2 + #define CACHE_FLUSH_IS_SAFE 1 +@@ -33,23 +33,27 @@ static inline void arch_kgdb_breakpoint(void) + + extern void kgdb_trap(struct pt_regs *regs, int param); + +-enum arc700_linux_regnums { ++/* This is the numbering of registers according to the GDB. See GDB's ++ * arc-tdep.h for details. ++ * ++ * Registers are ordered for GDB 7.5. It is incompatible with GDB 6.8. */ ++enum arc_linux_regnums { + _R0 = 0, + _R1, _R2, _R3, _R4, _R5, _R6, _R7, _R8, _R9, _R10, _R11, _R12, _R13, + _R14, _R15, _R16, _R17, _R18, _R19, _R20, _R21, _R22, _R23, _R24, + _R25, _R26, +- _BTA = 27, +- _LP_START = 28, +- _LP_END = 29, +- _LP_COUNT = 30, +- _STATUS32 = 31, +- _BLINK = 32, +- _FP = 33, +- __SP = 34, +- _EFA = 35, +- _RET = 36, +- _ORIG_R8 = 37, +- _STOP_PC = 38 ++ _FP = 27, ++ __SP = 28, ++ _R30 = 30, ++ _BLINK = 31, ++ _LP_COUNT = 60, ++ _STOP_PC = 64, ++ _RET = 64, ++ _LP_START = 65, ++ _LP_END = 66, ++ _STATUS32 = 67, ++ _ECR = 76, ++ _BTA = 82, + }; + + #else +diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c +index 0e17e1352718..a91a7a99f70f 100644 +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -1091,6 +1091,7 @@ static void __cpuinit build_update_entries(u32 **p, unsigned int tmp, + struct mips_huge_tlb_info { + int huge_pte; + int restore_scratch; ++ bool need_reload_pte; + }; + + static struct mips_huge_tlb_info __cpuinit +@@ -1105,6 +1106,7 @@ build_fast_tlb_refill_handler (u32 **p, struct uasm_label **l, + + rv.huge_pte = scratch; + rv.restore_scratch = 0; ++ rv.need_reload_pte = false; + + if (check_for_high_segbits) { + UASM_i_MFC0(p, tmp, C0_BADVADDR); +@@ -1293,6 +1295,7 @@ static void __cpuinit build_r4000_tlb_refill_handler(void) + } else { + htlb_info.huge_pte = K0; + htlb_info.restore_scratch = 0; ++ htlb_info.need_reload_pte = true; + vmalloc_mode = refill_noscratch; + /* + * create the plain linear handler +@@ -1329,7 +1332,8 @@ static void __cpuinit build_r4000_tlb_refill_handler(void) + } + #ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT + uasm_l_tlb_huge_update(&l, p); +- UASM_i_LW(&p, K0, 0, K1); ++ if (htlb_info.need_reload_pte) ++ UASM_i_LW(&p, htlb_info.huge_pte, 0, K1); + build_huge_update_entries(&p, htlb_info.huge_pte, K1); + build_huge_tlb_write_entry(&p, &l, &r, K0, tlb_random, + htlb_info.restore_scratch); +diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S +index 474dc1b59f72..c9305ef1d411 100644 +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -151,6 +151,16 @@ ENTRY(ia32_sysenter_target) + 1: movl (%rbp),%ebp + _ASM_EXTABLE(1b,ia32_badarg) + ASM_CLAC ++ ++ /* ++ * Sysenter doesn't filter flags, so we need to clear NT ++ * ourselves. To save a few cycles, we can check whether ++ * NT was set instead of doing an unconditional popfq. ++ */ ++ testl $X86_EFLAGS_NT,EFLAGS-ARGOFFSET(%rsp) ++ jnz sysenter_fix_flags ++sysenter_flags_fixed: ++ + orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) + CFI_REMEMBER_STATE +@@ -184,6 +194,8 @@ sysexit_from_sys_call: + TRACE_IRQS_ON + ENABLE_INTERRUPTS_SYSEXIT32 + ++ CFI_RESTORE_STATE ++ + #ifdef CONFIG_AUDITSYSCALL + .macro auditsys_entry_common + movl %esi,%r9d /* 6th arg: 4th syscall arg */ +@@ -226,7 +238,6 @@ sysexit_from_sys_call: + .endm + + sysenter_auditsys: +- CFI_RESTORE_STATE + auditsys_entry_common + movl %ebp,%r9d /* reload 6th syscall arg */ + jmp sysenter_dispatch +@@ -235,6 +246,11 @@ sysexit_audit: + auditsys_exit sysexit_from_sys_call + #endif + ++sysenter_fix_flags: ++ pushq_cfi $(X86_EFLAGS_IF|X86_EFLAGS_FIXED) ++ popfq_cfi ++ jmp sysenter_flags_fixed ++ + sysenter_tracesys: + #ifdef CONFIG_AUDITSYSCALL + testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) +diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h +index 9c999c1674fa..01f15b227d7e 100644 +--- a/arch/x86/include/asm/elf.h ++++ b/arch/x86/include/asm/elf.h +@@ -155,8 +155,9 @@ do { \ + #define elf_check_arch(x) \ + ((x)->e_machine == EM_X86_64) + +-#define compat_elf_check_arch(x) \ +- (elf_check_arch_ia32(x) || (x)->e_machine == EM_X86_64) ++#define compat_elf_check_arch(x) \ ++ (elf_check_arch_ia32(x) || \ ++ (IS_ENABLED(CONFIG_X86_X32_ABI) && (x)->e_machine == EM_X86_64)) + + #if __USER32_DS != __USER_DS + # error "The following code assumes __USER32_DS == __USER_DS" +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index 373058c9b75d..4c481e751e8e 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -953,6 +953,20 @@ static inline void kvm_inject_gp(struct kvm_vcpu *vcpu, u32 error_code) + kvm_queue_exception_e(vcpu, GP_VECTOR, error_code); + } + ++static inline u64 get_canonical(u64 la) ++{ ++ return ((int64_t)la << 16) >> 16; ++} ++ ++static inline bool is_noncanonical_address(u64 la) ++{ ++#ifdef CONFIG_X86_64 ++ return get_canonical(la) != la; ++#else ++ return false; ++#endif ++} ++ + #define TSS_IOPB_BASE_OFFSET 0x66 + #define TSS_BASE_SIZE 0x68 + #define TSS_IOPB_SIZE (65536 / 8) +@@ -1011,7 +1025,7 @@ int kvm_cpu_get_interrupt(struct kvm_vcpu *v); + void kvm_vcpu_reset(struct kvm_vcpu *vcpu); + + void kvm_define_shared_msr(unsigned index, u32 msr); +-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask); ++int kvm_set_shared_msr(unsigned index, u64 val, u64 mask); + + bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip); + +diff --git a/arch/x86/include/uapi/asm/processor-flags.h b/arch/x86/include/uapi/asm/processor-flags.h +index 54991a746043..b16e6d28f149 100644 +--- a/arch/x86/include/uapi/asm/processor-flags.h ++++ b/arch/x86/include/uapi/asm/processor-flags.h +@@ -6,7 +6,7 @@ + * EFLAGS bits + */ + #define X86_EFLAGS_CF 0x00000001 /* Carry Flag */ +-#define X86_EFLAGS_BIT1 0x00000002 /* Bit 1 - always on */ ++#define X86_EFLAGS_FIXED 0x00000002 /* Bit 1 - always on */ + #define X86_EFLAGS_PF 0x00000004 /* Parity Flag */ + #define X86_EFLAGS_AF 0x00000010 /* Auxiliary carry Flag */ + #define X86_EFLAGS_ZF 0x00000040 /* Zero Flag */ +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index 904611bf0e5a..033eb44dc661 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1263,7 +1263,7 @@ void __cpuinit setup_local_APIC(void) + unsigned int value, queued; + int i, j, acked = 0; + unsigned long long tsc = 0, ntsc; +- long long max_loops = cpu_khz; ++ long long max_loops = cpu_khz ? cpu_khz : 1000000; + + if (cpu_has_tsc) + rdtscll(tsc); +@@ -1360,7 +1360,7 @@ void __cpuinit setup_local_APIC(void) + break; + } + if (queued) { +- if (cpu_has_tsc) { ++ if (cpu_has_tsc && cpu_khz) { + rdtscll(ntsc); + max_loops = (cpu_khz << 10) - (ntsc - tsc); + } else +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index deeb48d9459b..6a7e3e9cffc3 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1134,7 +1134,7 @@ void syscall_init(void) + /* Flags to clear on syscall */ + wrmsrl(MSR_SYSCALL_MASK, + X86_EFLAGS_TF|X86_EFLAGS_DF|X86_EFLAGS_IF| +- X86_EFLAGS_IOPL|X86_EFLAGS_AC); ++ X86_EFLAGS_IOPL|X86_EFLAGS_AC|X86_EFLAGS_NT); + } + + /* +diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S +index 39ba6914bbc6..8c6b5c2284c7 100644 +--- a/arch/x86/kernel/entry_64.S ++++ b/arch/x86/kernel/entry_64.S +@@ -366,7 +366,7 @@ ENDPROC(native_usergs_sysret64) + /*CFI_REL_OFFSET ss,0*/ + pushq_cfi %rax /* rsp */ + CFI_REL_OFFSET rsp,0 +- pushq_cfi $(X86_EFLAGS_IF|X86_EFLAGS_BIT1) /* eflags - interrupts on */ ++ pushq_cfi $(X86_EFLAGS_IF|X86_EFLAGS_FIXED) /* eflags - interrupts on */ + /*CFI_REL_OFFSET rflags,0*/ + pushq_cfi $__KERNEL_CS /* cs */ + /*CFI_REL_OFFSET cs,0*/ +diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c +index 7305f7dfc7ab..0339f5c14bf9 100644 +--- a/arch/x86/kernel/process_32.c ++++ b/arch/x86/kernel/process_32.c +@@ -147,7 +147,7 @@ int copy_thread(unsigned long clone_flags, unsigned long sp, + childregs->bp = arg; + childregs->orig_ax = -1; + childregs->cs = __KERNEL_CS | get_kernel_rpl(); +- childregs->flags = X86_EFLAGS_IF | X86_EFLAGS_BIT1; ++ childregs->flags = X86_EFLAGS_IF | X86_EFLAGS_FIXED; + p->fpu_counter = 0; + p->thread.io_bitmap_ptr = NULL; + memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps)); +diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c +index 355ae06dbf94..f99a242730e9 100644 +--- a/arch/x86/kernel/process_64.c ++++ b/arch/x86/kernel/process_64.c +@@ -176,7 +176,7 @@ int copy_thread(unsigned long clone_flags, unsigned long sp, + childregs->bp = arg; + childregs->orig_ax = -1; + childregs->cs = __KERNEL_CS | get_kernel_rpl(); +- childregs->flags = X86_EFLAGS_IF | X86_EFLAGS_BIT1; ++ childregs->flags = X86_EFLAGS_IF | X86_EFLAGS_FIXED; + return 0; + } + *childregs = *current_pt_regs(); +diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c +index 087ab2af381a..66deef41512f 100644 +--- a/arch/x86/kernel/signal.c ++++ b/arch/x86/kernel/signal.c +@@ -677,6 +677,11 @@ handle_signal(struct ksignal *ksig, struct pt_regs *regs) + * handler too. + */ + regs->flags &= ~X86_EFLAGS_TF; ++ /* ++ * Ensure the signal handler starts with the new fpu state. ++ */ ++ if (used_math()) ++ drop_init_fpu(current); + } + signal_setup_done(failed, ksig, test_thread_flag(TIF_SINGLESTEP)); + } +diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c +index 098b3cfda72e..4e27ba53c40c 100644 +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -968,14 +968,17 @@ void __init tsc_init(void) + + x86_init.timers.tsc_pre_init(); + +- if (!cpu_has_tsc) ++ if (!cpu_has_tsc) { ++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER); + return; ++ } + + tsc_khz = x86_platform.calibrate_tsc(); + cpu_khz = tsc_khz; + + if (!tsc_khz) { + mark_tsc_unstable("could not calculate TSC khz"); ++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER); + return; + } + +diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c +index ada87a329edc..1ee723298e90 100644 +--- a/arch/x86/kernel/xsave.c ++++ b/arch/x86/kernel/xsave.c +@@ -268,8 +268,6 @@ int save_xstate_sig(void __user *buf, void __user *buf_fx, int size) + if (use_fxsr() && save_xstate_epilog(buf_fx, ia32_fxstate)) + return -1; + +- drop_init_fpu(tsk); /* trigger finit */ +- + return 0; + } + +@@ -400,8 +398,11 @@ int __restore_xstate_sig(void __user *buf, void __user *buf_fx, int size) + set_used_math(); + } + +- if (use_eager_fpu()) ++ if (use_eager_fpu()) { ++ preempt_disable(); + math_state_restore(); ++ preempt_enable(); ++ } + + return err; + } else { +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index fb3fddc322f8..4c01f022c6ac 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -663,11 +663,6 @@ static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc) + masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc); + } + +-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) +-{ +- register_address_increment(ctxt, &ctxt->_eip, rel); +-} +- + static u32 desc_limit_scaled(struct desc_struct *desc) + { + u32 limit = get_desc_limit(desc); +@@ -741,6 +736,38 @@ static int emulate_nm(struct x86_emulate_ctxt *ctxt) + return emulate_exception(ctxt, NM_VECTOR, 0, false); + } + ++static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst, ++ int cs_l) ++{ ++ switch (ctxt->op_bytes) { ++ case 2: ++ ctxt->_eip = (u16)dst; ++ break; ++ case 4: ++ ctxt->_eip = (u32)dst; ++ break; ++ case 8: ++ if ((cs_l && is_noncanonical_address(dst)) || ++ (!cs_l && (dst & ~(u32)-1))) ++ return emulate_gp(ctxt, 0); ++ ctxt->_eip = dst; ++ break; ++ default: ++ WARN(1, "unsupported eip assignment size\n"); ++ } ++ return X86EMUL_CONTINUE; ++} ++ ++static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst) ++{ ++ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64); ++} ++ ++static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) ++{ ++ return assign_eip_near(ctxt, ctxt->_eip + rel); ++} ++ + static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg) + { + u16 selector; +@@ -2161,13 +2188,15 @@ static int em_grp45(struct x86_emulate_ctxt *ctxt) + case 2: /* call near abs */ { + long int old_eip; + old_eip = ctxt->_eip; +- ctxt->_eip = ctxt->src.val; ++ rc = assign_eip_near(ctxt, ctxt->src.val); ++ if (rc != X86EMUL_CONTINUE) ++ break; + ctxt->src.val = old_eip; + rc = em_push(ctxt); + break; + } + case 4: /* jmp abs */ +- ctxt->_eip = ctxt->src.val; ++ rc = assign_eip_near(ctxt, ctxt->src.val); + break; + case 5: /* jmp far */ + rc = em_jmp_far(ctxt); +@@ -2199,10 +2228,14 @@ static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt) + + static int em_ret(struct x86_emulate_ctxt *ctxt) + { +- ctxt->dst.type = OP_REG; +- ctxt->dst.addr.reg = &ctxt->_eip; +- ctxt->dst.bytes = ctxt->op_bytes; +- return em_pop(ctxt); ++ int rc; ++ unsigned long eip; ++ ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; ++ ++ return assign_eip_near(ctxt, eip); + } + + static int em_ret_far(struct x86_emulate_ctxt *ctxt) +@@ -2469,7 +2502,7 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) + { + const struct x86_emulate_ops *ops = ctxt->ops; + struct desc_struct cs, ss; +- u64 msr_data; ++ u64 msr_data, rcx, rdx; + int usermode; + u16 cs_sel = 0, ss_sel = 0; + +@@ -2485,6 +2518,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) + else + usermode = X86EMUL_MODE_PROT32; + ++ rcx = reg_read(ctxt, VCPU_REGS_RCX); ++ rdx = reg_read(ctxt, VCPU_REGS_RDX); ++ + cs.dpl = 3; + ss.dpl = 3; + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); +@@ -2502,6 +2538,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) + ss_sel = cs_sel + 8; + cs.d = 0; + cs.l = 1; ++ if (is_noncanonical_address(rcx) || ++ is_noncanonical_address(rdx)) ++ return emulate_gp(ctxt, 0); + break; + } + cs_sel |= SELECTOR_RPL_MASK; +@@ -2510,8 +2549,8 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) + ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS); + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); + +- ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX); +- *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX); ++ ctxt->_eip = rdx; ++ *reg_write(ctxt, VCPU_REGS_RSP) = rcx; + + return X86EMUL_CONTINUE; + } +@@ -3050,10 +3089,13 @@ static int em_aad(struct x86_emulate_ctxt *ctxt) + + static int em_call(struct x86_emulate_ctxt *ctxt) + { ++ int rc; + long rel = ctxt->src.val; + + ctxt->src.val = (unsigned long)ctxt->_eip; +- jmp_rel(ctxt, rel); ++ rc = jmp_rel(ctxt, rel); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; + return em_push(ctxt); + } + +@@ -3085,11 +3127,12 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt) + static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt) + { + int rc; ++ unsigned long eip; + +- ctxt->dst.type = OP_REG; +- ctxt->dst.addr.reg = &ctxt->_eip; +- ctxt->dst.bytes = ctxt->op_bytes; +- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes); ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; ++ rc = assign_eip_near(ctxt, eip); + if (rc != X86EMUL_CONTINUE) + return rc; + rsp_increment(ctxt, ctxt->src.val); +@@ -3379,20 +3422,24 @@ static int em_lmsw(struct x86_emulate_ctxt *ctxt) + + static int em_loop(struct x86_emulate_ctxt *ctxt) + { ++ int rc = X86EMUL_CONTINUE; ++ + register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1); + if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) && + (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags))) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + +- return X86EMUL_CONTINUE; ++ return rc; + } + + static int em_jcxz(struct x86_emulate_ctxt *ctxt) + { ++ int rc = X86EMUL_CONTINUE; ++ + if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + +- return X86EMUL_CONTINUE; ++ return rc; + } + + static int em_in(struct x86_emulate_ctxt *ctxt) +@@ -4721,7 +4768,7 @@ special_insn: + break; + case 0x70 ... 0x7f: /* jcc (short) */ + if (test_cc(ctxt->b, ctxt->eflags)) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + break; + case 0x8d: /* lea r16/r32, m */ + ctxt->dst.val = ctxt->src.addr.mem.ea; +@@ -4750,7 +4797,7 @@ special_insn: + break; + case 0xe9: /* jmp rel */ + case 0xeb: /* jmp rel short */ +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + ctxt->dst.type = OP_NONE; /* Disable writeback. */ + break; + case 0xf4: /* hlt */ +@@ -4862,7 +4909,7 @@ twobyte_insn: + break; + case 0x80 ... 0x8f: /* jnz rel, etc*/ + if (test_cc(ctxt->b, ctxt->eflags)) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + break; + case 0x90 ... 0x9f: /* setcc r/m8 */ + ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags); +diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c +index 518d86471b76..298781d4cfb4 100644 +--- a/arch/x86/kvm/i8254.c ++++ b/arch/x86/kvm/i8254.c +@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu) + return; + + timer = &pit->pit_state.timer; ++ mutex_lock(&pit->pit_state.lock); + if (hrtimer_cancel(timer)) + hrtimer_start_expires(timer, HRTIMER_MODE_ABS); ++ mutex_unlock(&pit->pit_state.lock); + } + + static void destroy_pit_timer(struct kvm_pit *pit) +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 765210d4d925..8bf40a243d75 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3196,7 +3196,7 @@ static int wrmsr_interception(struct vcpu_svm *svm) + msr.host_initiated = false; + + svm->next_rip = kvm_rip_read(&svm->vcpu) + 2; +- if (svm_set_msr(&svm->vcpu, &msr)) { ++ if (kvm_set_msr(&svm->vcpu, &msr)) { + trace_kvm_msr_write_ex(ecx, data); + kvm_inject_gp(&svm->vcpu, 0); + } else { +@@ -3478,9 +3478,9 @@ static int handle_exit(struct kvm_vcpu *vcpu) + + if (exit_code >= ARRAY_SIZE(svm_exit_handlers) + || !svm_exit_handlers[exit_code]) { +- kvm_run->exit_reason = KVM_EXIT_UNKNOWN; +- kvm_run->hw.hardware_exit_reason = exit_code; +- return 0; ++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_code); ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; + } + + return svm_exit_handlers[exit_code](svm); +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 7cdafb6dc705..51139ff34917 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2493,12 +2493,15 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + break; + msr = find_msr_entry(vmx, msr_index); + if (msr) { ++ u64 old_msr_data = msr->data; + msr->data = data; + if (msr - vmx->guest_msrs < vmx->save_nmsrs) { + preempt_disable(); +- kvm_set_shared_msr(msr->index, msr->data, +- msr->mask); ++ ret = kvm_set_shared_msr(msr->index, msr->data, ++ msr->mask); + preempt_enable(); ++ if (ret) ++ msr->data = old_msr_data; + } + break; + } +@@ -5062,7 +5065,7 @@ static int handle_wrmsr(struct kvm_vcpu *vcpu) + msr.data = data; + msr.index = ecx; + msr.host_initiated = false; +- if (vmx_set_msr(vcpu, &msr) != 0) { ++ if (kvm_set_msr(vcpu, &msr) != 0) { + trace_kvm_msr_write_ex(ecx, data); + kvm_inject_gp(vcpu, 0); + return 1; +@@ -6651,10 +6654,10 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu) + && kvm_vmx_exit_handlers[exit_reason]) + return kvm_vmx_exit_handlers[exit_reason](vcpu); + else { +- vcpu->run->exit_reason = KVM_EXIT_UNKNOWN; +- vcpu->run->hw.hardware_exit_reason = exit_reason; ++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_reason); ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; + } +- return 0; + } + + static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr) +@@ -7949,7 +7952,7 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu, + + kvm_register_write(vcpu, VCPU_REGS_RSP, vmcs12->host_rsp); + kvm_register_write(vcpu, VCPU_REGS_RIP, vmcs12->host_rip); +- vmx_set_rflags(vcpu, X86_EFLAGS_BIT1); ++ vmx_set_rflags(vcpu, X86_EFLAGS_FIXED); + /* + * Note that calling vmx_set_cr0 is important, even if cr0 hasn't + * actually changed, because it depends on the current state of +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index e8753555f144..684f46dc87de 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -225,20 +225,25 @@ static void kvm_shared_msr_cpu_online(void) + shared_msr_update(i, shared_msrs_global.msrs[i]); + } + +-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask) ++int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask) + { + unsigned int cpu = smp_processor_id(); + struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu); ++ int err; + + if (((value ^ smsr->values[slot].curr) & mask) == 0) +- return; ++ return 0; + smsr->values[slot].curr = value; +- wrmsrl(shared_msrs_global.msrs[slot], value); ++ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value); ++ if (err) ++ return 1; ++ + if (!smsr->registered) { + smsr->urn.on_user_return = kvm_on_user_return; + user_return_notifier_register(&smsr->urn); + smsr->registered = true; + } ++ return 0; + } + EXPORT_SYMBOL_GPL(kvm_set_shared_msr); + +@@ -920,7 +925,6 @@ void kvm_enable_efer_bits(u64 mask) + } + EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); + +- + /* + * Writes msr value into into the appropriate "register". + * Returns 0 on success, non-0 otherwise. +@@ -928,8 +932,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); + */ + int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) + { ++ switch (msr->index) { ++ case MSR_FS_BASE: ++ case MSR_GS_BASE: ++ case MSR_KERNEL_GS_BASE: ++ case MSR_CSTAR: ++ case MSR_LSTAR: ++ if (is_noncanonical_address(msr->data)) ++ return 1; ++ break; ++ case MSR_IA32_SYSENTER_EIP: ++ case MSR_IA32_SYSENTER_ESP: ++ /* ++ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if ++ * non-canonical address is written on Intel but not on ++ * AMD (which ignores the top 32-bits, because it does ++ * not implement 64-bit SYSENTER). ++ * ++ * 64-bit code should hence be able to write a non-canonical ++ * value on AMD. Making the address canonical ensures that ++ * vmentry does not fail on Intel after writing a non-canonical ++ * value, and that something deterministic happens if the guest ++ * invokes 64-bit SYSENTER. ++ */ ++ msr->data = get_canonical(msr->data); ++ } + return kvm_x86_ops->set_msr(vcpu, msr); + } ++EXPORT_SYMBOL_GPL(kvm_set_msr); + + /* + * Adapt set_msr() to msr_io()'s calling convention +diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c +index bb32480c2d71..aabdf762f592 100644 +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -389,7 +389,7 @@ phys_addr_t slow_virt_to_phys(void *__virt_addr) + psize = page_level_size(level); + pmask = page_level_mask(level); + offset = virt_addr & ~pmask; +- phys_addr = pte_pfn(*pte) << PAGE_SHIFT; ++ phys_addr = (phys_addr_t)pte_pfn(*pte) << PAGE_SHIFT; + return (phys_addr | offset); + } + EXPORT_SYMBOL_GPL(slow_virt_to_phys); +diff --git a/block/blk-settings.c b/block/blk-settings.c +index 53309333c2f0..ec00a0f75212 100644 +--- a/block/blk-settings.c ++++ b/block/blk-settings.c +@@ -553,7 +553,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b, + bottom = max(b->physical_block_size, b->io_min) + alignment; + + /* Verify that top and bottom intervals line up */ +- if (max(top, bottom) & (min(top, bottom) - 1)) { ++ if (max(top, bottom) % min(top, bottom)) { + t->misaligned = 1; + ret = -1; + } +@@ -594,7 +594,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b, + + /* Find lowest common alignment_offset */ + t->alignment_offset = lcm(t->alignment_offset, alignment) +- & (max(t->physical_block_size, t->io_min) - 1); ++ % max(t->physical_block_size, t->io_min); + + /* Verify that new alignment_offset is on a logical block boundary */ + if (t->alignment_offset & (t->logical_block_size - 1)) { +diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c +index a5ffcc988f0b..1b4988b4bc11 100644 +--- a/block/scsi_ioctl.c ++++ b/block/scsi_ioctl.c +@@ -506,7 +506,7 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode, + + if (bytes && blk_rq_map_kern(q, rq, buffer, bytes, __GFP_WAIT)) { + err = DRIVER_ERROR << 24; +- goto out; ++ goto error; + } + + memset(sense, 0, sizeof(sense)); +@@ -516,7 +516,6 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode, + + blk_execute_rq(q, disk, rq, 0); + +-out: + err = rq->errors & 0xff; /* only 8 bit SCSI status */ + if (err) { + if (rq->sense_len && rq->sense) { +diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c +index a19c027b29bd..83187f497c7c 100644 +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -49,7 +49,7 @@ struct skcipher_ctx { + struct ablkcipher_request req; + }; + +-#define MAX_SGL_ENTS ((PAGE_SIZE - sizeof(struct skcipher_sg_list)) / \ ++#define MAX_SGL_ENTS ((4096 - sizeof(struct skcipher_sg_list)) / \ + sizeof(struct scatterlist) - 1) + + static inline int skcipher_sndbuf(struct sock *sk) +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c +index b603720b877d..37acda6fa7e4 100644 +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -2008,13 +2008,15 @@ static int ata_bus_softreset(struct ata_port *ap, unsigned int devmask, + + DPRINTK("ata%u: bus reset via SRST\n", ap->print_id); + +- /* software reset. causes dev0 to be selected */ +- iowrite8(ap->ctl, ioaddr->ctl_addr); +- udelay(20); /* FIXME: flush */ +- iowrite8(ap->ctl | ATA_SRST, ioaddr->ctl_addr); +- udelay(20); /* FIXME: flush */ +- iowrite8(ap->ctl, ioaddr->ctl_addr); +- ap->last_ctl = ap->ctl; ++ if (ap->ioaddr.ctl_addr) { ++ /* software reset. causes dev0 to be selected */ ++ iowrite8(ap->ctl, ioaddr->ctl_addr); ++ udelay(20); /* FIXME: flush */ ++ iowrite8(ap->ctl | ATA_SRST, ioaddr->ctl_addr); ++ udelay(20); /* FIXME: flush */ ++ iowrite8(ap->ctl, ioaddr->ctl_addr); ++ ap->last_ctl = ap->ctl; ++ } + + /* wait the port to become ready */ + return ata_sff_wait_after_reset(&ap->link, devmask, deadline); +@@ -2215,10 +2217,6 @@ void ata_sff_error_handler(struct ata_port *ap) + + spin_unlock_irqrestore(ap->lock, flags); + +- /* ignore ata_sff_softreset if ctl isn't accessible */ +- if (softreset == ata_sff_softreset && !ap->ioaddr.ctl_addr) +- softreset = NULL; +- + /* ignore built-in hardresets if SCR access is not available */ + if ((hardreset == sata_std_hardreset || + hardreset == sata_sff_hardreset) && !sata_scr_valid(&ap->link)) +diff --git a/drivers/ata/pata_serverworks.c b/drivers/ata/pata_serverworks.c +index f3febbce6c46..34c91ac3a814 100644 +--- a/drivers/ata/pata_serverworks.c ++++ b/drivers/ata/pata_serverworks.c +@@ -252,12 +252,18 @@ static void serverworks_set_dmamode(struct ata_port *ap, struct ata_device *adev + pci_write_config_byte(pdev, 0x54, ultra_cfg); + } + +-static struct scsi_host_template serverworks_sht = { ++static struct scsi_host_template serverworks_osb4_sht = { ++ ATA_BMDMA_SHT(DRV_NAME), ++ .sg_tablesize = LIBATA_DUMB_MAX_PRD, ++}; ++ ++static struct scsi_host_template serverworks_csb_sht = { + ATA_BMDMA_SHT(DRV_NAME), + }; + + static struct ata_port_operations serverworks_osb4_port_ops = { + .inherits = &ata_bmdma_port_ops, ++ .qc_prep = ata_bmdma_dumb_qc_prep, + .cable_detect = serverworks_cable_detect, + .mode_filter = serverworks_osb4_filter, + .set_piomode = serverworks_set_piomode, +@@ -266,6 +272,7 @@ static struct ata_port_operations serverworks_osb4_port_ops = { + + static struct ata_port_operations serverworks_csb_port_ops = { + .inherits = &serverworks_osb4_port_ops, ++ .qc_prep = ata_bmdma_qc_prep, + .mode_filter = serverworks_csb_filter, + }; + +@@ -405,6 +412,7 @@ static int serverworks_init_one(struct pci_dev *pdev, const struct pci_device_id + } + }; + const struct ata_port_info *ppi[] = { &info[id->driver_data], NULL }; ++ struct scsi_host_template *sht = &serverworks_csb_sht; + int rc; + + rc = pcim_enable_device(pdev); +@@ -418,6 +426,7 @@ static int serverworks_init_one(struct pci_dev *pdev, const struct pci_device_id + /* Select non UDMA capable OSB4 if we can't do fixups */ + if (rc < 0) + ppi[0] = &info[1]; ++ sht = &serverworks_osb4_sht; + } + /* setup CSB5/CSB6 : South Bridge and IDE option RAID */ + else if ((pdev->device == PCI_DEVICE_ID_SERVERWORKS_CSB5IDE) || +@@ -434,7 +443,7 @@ static int serverworks_init_one(struct pci_dev *pdev, const struct pci_device_id + ppi[1] = &ata_dummy_port_info; + } + +- return ata_pci_bmdma_init_one(pdev, ppi, &serverworks_sht, NULL, 0); ++ return ata_pci_bmdma_init_one(pdev, ppi, sht, NULL, 0); + } + + #ifdef CONFIG_PM +diff --git a/drivers/base/core.c b/drivers/base/core.c +index ca4bcb8b3938..2a19097a7cb1 100644 +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -765,12 +765,12 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj) + return &dir->kobj; + } + ++static DEFINE_MUTEX(gdp_mutex); + + static struct kobject *get_device_parent(struct device *dev, + struct device *parent) + { + if (dev->class) { +- static DEFINE_MUTEX(gdp_mutex); + struct kobject *kobj = NULL; + struct kobject *parent_kobj; + struct kobject *k; +@@ -834,7 +834,9 @@ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir) + glue_dir->kset != &dev->class->p->glue_dirs) + return; + ++ mutex_lock(&gdp_mutex); + kobject_put(glue_dir); ++ mutex_unlock(&gdp_mutex); + } + + static void cleanup_device_parent(struct device *dev) +diff --git a/drivers/block/drbd/drbd_interval.c b/drivers/block/drbd/drbd_interval.c +index 89c497c630b4..04a14e0f8878 100644 +--- a/drivers/block/drbd/drbd_interval.c ++++ b/drivers/block/drbd/drbd_interval.c +@@ -79,6 +79,7 @@ bool + drbd_insert_interval(struct rb_root *root, struct drbd_interval *this) + { + struct rb_node **new = &root->rb_node, *parent = NULL; ++ sector_t this_end = this->sector + (this->size >> 9); + + BUG_ON(!IS_ALIGNED(this->size, 512)); + +@@ -87,6 +88,8 @@ drbd_insert_interval(struct rb_root *root, struct drbd_interval *this) + rb_entry(*new, struct drbd_interval, rb); + + parent = *new; ++ if (here->end < this_end) ++ here->end = this_end; + if (this->sector < here->sector) + new = &(*new)->rb_left; + else if (this->sector > here->sector) +@@ -99,6 +102,7 @@ drbd_insert_interval(struct rb_root *root, struct drbd_interval *this) + return false; + } + ++ this->end = this_end; + rb_link_node(&this->rb, parent, new); + rb_insert_augmented(&this->rb, root, &augment_callbacks); + return true; +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index 07caf44d5755..9951e66b8502 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -3227,7 +3227,7 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev, + page_count = (u32) calc_pages_for(offset, length); + pages = ceph_alloc_page_vector(page_count, GFP_KERNEL); + if (IS_ERR(pages)) +- ret = PTR_ERR(pages); ++ return PTR_ERR(pages); + + ret = -ENOMEM; + obj_request = rbd_obj_request_create(object_name, offset, length, +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 81eefa1c0d3f..aee3464a5bdc 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -933,8 +933,8 @@ static void extract_buf(struct entropy_store *r, __u8 *out) + * pool while mixing, and hash one final time. + */ + sha_transform(hash.w, extract, workspace); +- memset(extract, 0, sizeof(extract)); +- memset(workspace, 0, sizeof(workspace)); ++ memzero_explicit(extract, sizeof(extract)); ++ memzero_explicit(workspace, sizeof(workspace)); + + /* + * In case the hash function has some recognizable output +@@ -957,7 +957,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out) + } + + memcpy(out, &hash, EXTRACT_SIZE); +- memset(&hash, 0, sizeof(hash)); ++ memzero_explicit(&hash, sizeof(hash)); + } + + static ssize_t extract_entropy(struct entropy_store *r, void *buf, +@@ -1005,7 +1005,7 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, + } + + /* Wipe data just returned from memory */ +- memset(tmp, 0, sizeof(tmp)); ++ memzero_explicit(tmp, sizeof(tmp)); + + return ret; + } +@@ -1043,7 +1043,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, + } + + /* Wipe data just returned from memory */ +- memset(tmp, 0, sizeof(tmp)); ++ memzero_explicit(tmp, sizeof(tmp)); + + return ret; + } +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 34d19b1984a1..decf84e71943 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -599,6 +599,7 @@ static int intel_pstate_set_policy(struct cpufreq_policy *policy) + if (policy->policy == CPUFREQ_POLICY_PERFORMANCE) { + limits.min_perf_pct = 100; + limits.min_perf = int_tofp(1); ++ limits.max_policy_pct = 100; + limits.max_perf_pct = 100; + limits.max_perf = int_tofp(1); + limits.no_turbo = 0; +diff --git a/drivers/edac/cpc925_edac.c b/drivers/edac/cpc925_edac.c +index 7f3c57113ba1..1e08ce765f0c 100644 +--- a/drivers/edac/cpc925_edac.c ++++ b/drivers/edac/cpc925_edac.c +@@ -562,7 +562,7 @@ static void cpc925_mc_check(struct mem_ctl_info *mci) + + if (apiexcp & UECC_EXCP_DETECTED) { + cpc925_mc_printk(mci, KERN_INFO, "DRAM UECC Fault\n"); +- edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, ++ edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, + pfn, offset, 0, + csrow, -1, -1, + mci->ctl_name, ""); +diff --git a/drivers/edac/e7xxx_edac.c b/drivers/edac/e7xxx_edac.c +index 1c4056a50383..2697deae3ab7 100644 +--- a/drivers/edac/e7xxx_edac.c ++++ b/drivers/edac/e7xxx_edac.c +@@ -226,7 +226,7 @@ static void process_ce(struct mem_ctl_info *mci, struct e7xxx_error_info *info) + static void process_ce_no_info(struct mem_ctl_info *mci) + { + edac_dbg(3, "\n"); +- edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, 0, 0, 0, -1, -1, -1, ++ edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, 0, 0, 0, -1, -1, -1, + "e7xxx CE log register overflow", ""); + } + +diff --git a/drivers/edac/i3200_edac.c b/drivers/edac/i3200_edac.c +index aa44c1718f50..71b26513b93b 100644 +--- a/drivers/edac/i3200_edac.c ++++ b/drivers/edac/i3200_edac.c +@@ -242,11 +242,11 @@ static void i3200_process_error_info(struct mem_ctl_info *mci, + -1, -1, + "i3000 UE", ""); + } else if (log & I3200_ECCERRLOG_CE) { +- edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, ++ edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, + 0, 0, eccerrlog_syndrome(log), + eccerrlog_row(channel, log), + -1, -1, +- "i3000 UE", ""); ++ "i3000 CE", ""); + } + } + } +diff --git a/drivers/edac/i82860_edac.c b/drivers/edac/i82860_edac.c +index 3e3e431c8301..b93b0d006ebb 100644 +--- a/drivers/edac/i82860_edac.c ++++ b/drivers/edac/i82860_edac.c +@@ -124,7 +124,7 @@ static int i82860_process_error_info(struct mem_ctl_info *mci, + dimm->location[0], dimm->location[1], -1, + "i82860 UE", ""); + else +- edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, ++ edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, + info->eap, 0, info->derrsyn, + dimm->location[0], dimm->location[1], -1, + "i82860 CE", ""); +diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c +index 7fc9f7272b56..e8f6418b6dec 100644 +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -1012,8 +1012,8 @@ static u32 copy_cursor_image(u8 *src, u8 *dst, int width, int height) + srcdata32[1].ul = *((u32 *)(srcxor + 4)) & 0xf0f0f0f0; + data32.b[0] = srcdata32[0].b[1] | (srcdata32[0].b[0] >> 4); + data32.b[1] = srcdata32[0].b[3] | (srcdata32[0].b[2] >> 4); +- data32.b[2] = srcdata32[0].b[1] | (srcdata32[1].b[0] >> 4); +- data32.b[3] = srcdata32[0].b[3] | (srcdata32[1].b[2] >> 4); ++ data32.b[2] = srcdata32[1].b[1] | (srcdata32[1].b[0] >> 4); ++ data32.b[3] = srcdata32[1].b[3] | (srcdata32[1].b[2] >> 4); + + writel(data32.ul, dstxor); + csum += data32.ul; +diff --git a/drivers/gpu/drm/nouveau/core/subdev/bios/dcb.c b/drivers/gpu/drm/nouveau/core/subdev/bios/dcb.c +index 2d9b9d7a7992..f3edd2841f2d 100644 +--- a/drivers/gpu/drm/nouveau/core/subdev/bios/dcb.c ++++ b/drivers/gpu/drm/nouveau/core/subdev/bios/dcb.c +@@ -124,6 +124,7 @@ dcb_outp_parse(struct nouveau_bios *bios, u8 idx, u8 *ver, u8 *len, + struct dcb_output *outp) + { + u16 dcb = dcb_outp(bios, idx, ver, len); ++ memset(outp, 0x00, sizeof(*outp)); + if (dcb) { + if (*ver >= 0x20) { + u32 conn = nv_ro32(bios, dcb + 0x00); +diff --git a/drivers/gpu/drm/tilcdc/tilcdc_drv.c b/drivers/gpu/drm/tilcdc/tilcdc_drv.c +index f060b7487c34..f5ddd3550796 100644 +--- a/drivers/gpu/drm/tilcdc/tilcdc_drv.c ++++ b/drivers/gpu/drm/tilcdc/tilcdc_drv.c +@@ -78,6 +78,7 @@ static int modeset_init(struct drm_device *dev) + if ((priv->num_encoders == 0) || (priv->num_connectors == 0)) { + /* oh nos! */ + dev_err(dev->dev, "no encoders/connectors found\n"); ++ drm_mode_config_cleanup(dev); + return -ENXIO; + } + +@@ -170,33 +171,37 @@ static int tilcdc_load(struct drm_device *dev, unsigned long flags) + dev->dev_private = priv; + + priv->wq = alloc_ordered_workqueue("tilcdc", 0); ++ if (!priv->wq) { ++ ret = -ENOMEM; ++ goto fail_free_priv; ++ } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!res) { + dev_err(dev->dev, "failed to get memory resource\n"); + ret = -EINVAL; +- goto fail; ++ goto fail_free_wq; + } + + priv->mmio = ioremap_nocache(res->start, resource_size(res)); + if (!priv->mmio) { + dev_err(dev->dev, "failed to ioremap\n"); + ret = -ENOMEM; +- goto fail; ++ goto fail_free_wq; + } + + priv->clk = clk_get(dev->dev, "fck"); + if (IS_ERR(priv->clk)) { + dev_err(dev->dev, "failed to get functional clock\n"); + ret = -ENODEV; +- goto fail; ++ goto fail_iounmap; + } + + priv->disp_clk = clk_get(dev->dev, "dpll_disp_ck"); + if (IS_ERR(priv->clk)) { + dev_err(dev->dev, "failed to get display clock\n"); + ret = -ENODEV; +- goto fail; ++ goto fail_put_clk; + } + + #ifdef CONFIG_CPU_FREQ +@@ -206,7 +211,7 @@ static int tilcdc_load(struct drm_device *dev, unsigned long flags) + CPUFREQ_TRANSITION_NOTIFIER); + if (ret) { + dev_err(dev->dev, "failed to register cpufreq notifier\n"); +- goto fail; ++ goto fail_put_disp_clk; + } + #endif + +@@ -238,13 +243,13 @@ static int tilcdc_load(struct drm_device *dev, unsigned long flags) + ret = modeset_init(dev); + if (ret < 0) { + dev_err(dev->dev, "failed to initialize mode setting\n"); +- goto fail; ++ goto fail_cpufreq_unregister; + } + + ret = drm_vblank_init(dev, 1); + if (ret < 0) { + dev_err(dev->dev, "failed to initialize vblank\n"); +- goto fail; ++ goto fail_mode_config_cleanup; + } + + pm_runtime_get_sync(dev->dev); +@@ -252,7 +257,7 @@ static int tilcdc_load(struct drm_device *dev, unsigned long flags) + pm_runtime_put_sync(dev->dev); + if (ret < 0) { + dev_err(dev->dev, "failed to install IRQ handler\n"); +- goto fail; ++ goto fail_vblank_cleanup; + } + + platform_set_drvdata(pdev, dev); +@@ -260,13 +265,48 @@ static int tilcdc_load(struct drm_device *dev, unsigned long flags) + priv->fbdev = drm_fbdev_cma_init(dev, 16, + dev->mode_config.num_crtc, + dev->mode_config.num_connector); ++ if (IS_ERR(priv->fbdev)) { ++ ret = PTR_ERR(priv->fbdev); ++ goto fail_irq_uninstall; ++ } + + drm_kms_helper_poll_init(dev); + + return 0; + +-fail: +- tilcdc_unload(dev); ++fail_irq_uninstall: ++ pm_runtime_get_sync(dev->dev); ++ drm_irq_uninstall(dev); ++ pm_runtime_put_sync(dev->dev); ++ ++fail_vblank_cleanup: ++ drm_vblank_cleanup(dev); ++ ++fail_mode_config_cleanup: ++ drm_mode_config_cleanup(dev); ++ ++fail_cpufreq_unregister: ++ pm_runtime_disable(dev->dev); ++#ifdef CONFIG_CPU_FREQ ++ cpufreq_unregister_notifier(&priv->freq_transition, ++ CPUFREQ_TRANSITION_NOTIFIER); ++fail_put_disp_clk: ++ clk_put(priv->disp_clk); ++#endif ++ ++fail_put_clk: ++ clk_put(priv->clk); ++ ++fail_iounmap: ++ iounmap(priv->mmio); ++ ++fail_free_wq: ++ flush_workqueue(priv->wq); ++ destroy_workqueue(priv->wq); ++ ++fail_free_priv: ++ dev->dev_private = NULL; ++ kfree(priv); + return ret; + } + +diff --git a/drivers/i2c/busses/i2c-at91.c b/drivers/i2c/busses/i2c-at91.c +index b1240a250149..09324d0178d5 100644 +--- a/drivers/i2c/busses/i2c-at91.c ++++ b/drivers/i2c/busses/i2c-at91.c +@@ -435,7 +435,7 @@ static int at91_do_twi_transfer(struct at91_twi_dev *dev) + } + } + +- ret = wait_for_completion_io_timeout(&dev->cmd_complete, ++ ret = wait_for_completion_timeout(&dev->cmd_complete, + dev->adapter.timeout); + if (ret == 0) { + dev_err(dev->dev, "controller timed out\n"); +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index 1291673bd57e..ce715b1bee46 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -101,6 +101,12 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = { + }, + { + .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X750LN"), ++ }, ++ }, ++ { ++ .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Compaq"), + DMI_MATCH(DMI_PRODUCT_NAME , "ProLiant"), + DMI_MATCH(DMI_PRODUCT_VERSION, "8500"), +@@ -609,6 +615,22 @@ static const struct dmi_system_id __initconst i8042_dmi_notimeout_table[] = { + }, + }, + { ++ /* Fujitsu A544 laptop */ ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1111138 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK A544"), ++ }, ++ }, ++ { ++ /* Fujitsu AH544 laptop */ ++ /* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK AH544"), ++ }, ++ }, ++ { + /* Fujitsu U574 laptop */ + /* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */ + .matches = { +diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c +index f0a3347b6441..516923926335 100644 +--- a/drivers/lguest/x86/core.c ++++ b/drivers/lguest/x86/core.c +@@ -700,7 +700,7 @@ void lguest_arch_setup_regs(struct lg_cpu *cpu, unsigned long start) + * interrupts are enabled. We always leave interrupts enabled while + * running the Guest. + */ +- regs->eflags = X86_EFLAGS_IF | X86_EFLAGS_BIT1; ++ regs->eflags = X86_EFLAGS_IF | X86_EFLAGS_FIXED; + + /* + * The "Extended Instruction Pointer" register says where the Guest is +diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c +index a6e985fcceb8..c9b4ca9e0696 100644 +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -462,6 +462,7 @@ static void __relink_lru(struct dm_buffer *b, int dirty) + c->n_buffers[dirty]++; + b->list_mode = dirty; + list_move(&b->lru_list, &c->lru[dirty]); ++ b->last_accessed = jiffies; + } + + /*---------------------------------------------------------------- +diff --git a/drivers/md/dm-log-userspace-transfer.c b/drivers/md/dm-log-userspace-transfer.c +index 08d9a207259a..c69d0b787746 100644 +--- a/drivers/md/dm-log-userspace-transfer.c ++++ b/drivers/md/dm-log-userspace-transfer.c +@@ -272,7 +272,7 @@ int dm_ulog_tfr_init(void) + + r = cn_add_callback(&ulog_cn_id, "dmlogusr", cn_ulog_callback); + if (r) { +- cn_del_callback(&ulog_cn_id); ++ kfree(prealloced_cn_msg); + return r; + } + +diff --git a/drivers/media/dvb-frontends/ds3000.c b/drivers/media/dvb-frontends/ds3000.c +index 1e344b033277..22e8c2032f6d 100644 +--- a/drivers/media/dvb-frontends/ds3000.c ++++ b/drivers/media/dvb-frontends/ds3000.c +@@ -864,6 +864,13 @@ struct dvb_frontend *ds3000_attach(const struct ds3000_config *config, + memcpy(&state->frontend.ops, &ds3000_ops, + sizeof(struct dvb_frontend_ops)); + state->frontend.demodulator_priv = state; ++ ++ /* ++ * Some devices like T480 starts with voltage on. Be sure ++ * to turn voltage off during init, as this can otherwise ++ * interfere with Unicable SCR systems. ++ */ ++ ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF); + return &state->frontend; + + error3: +diff --git a/drivers/media/i2c/tda7432.c b/drivers/media/i2c/tda7432.c +index 28b5121881f5..09f4387dbc49 100644 +--- a/drivers/media/i2c/tda7432.c ++++ b/drivers/media/i2c/tda7432.c +@@ -293,7 +293,7 @@ static int tda7432_s_ctrl(struct v4l2_ctrl *ctrl) + if (t->mute->val) { + lf |= TDA7432_MUTE; + lr |= TDA7432_MUTE; +- lf |= TDA7432_MUTE; ++ rf |= TDA7432_MUTE; + rr |= TDA7432_MUTE; + } + /* Mute & update balance*/ +diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c +index 32d60e5546bc..a2737b4b090b 100644 +--- a/drivers/media/usb/em28xx/em28xx-video.c ++++ b/drivers/media/usb/em28xx/em28xx-video.c +@@ -696,13 +696,16 @@ static int em28xx_stop_streaming(struct vb2_queue *vq) + } + + spin_lock_irqsave(&dev->slock, flags); ++ if (dev->usb_ctl.vid_buf != NULL) { ++ vb2_buffer_done(&dev->usb_ctl.vid_buf->vb, VB2_BUF_STATE_ERROR); ++ dev->usb_ctl.vid_buf = NULL; ++ } + while (!list_empty(&vidq->active)) { + struct em28xx_buffer *buf; + buf = list_entry(vidq->active.next, struct em28xx_buffer, list); + list_del(&buf->list); + vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR); + } +- dev->usb_ctl.vid_buf = NULL; + spin_unlock_irqrestore(&dev->slock, flags); + + return 0; +@@ -724,13 +727,16 @@ int em28xx_stop_vbi_streaming(struct vb2_queue *vq) + } + + spin_lock_irqsave(&dev->slock, flags); ++ if (dev->usb_ctl.vbi_buf != NULL) { ++ vb2_buffer_done(&dev->usb_ctl.vbi_buf->vb, VB2_BUF_STATE_ERROR); ++ dev->usb_ctl.vbi_buf = NULL; ++ } + while (!list_empty(&vbiq->active)) { + struct em28xx_buffer *buf; + buf = list_entry(vbiq->active.next, struct em28xx_buffer, list); + list_del(&buf->list); + vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR); + } +- dev->usb_ctl.vbi_buf = NULL; + spin_unlock_irqrestore(&dev->slock, flags); + + return 0; +diff --git a/drivers/media/v4l2-core/v4l2-common.c b/drivers/media/v4l2-core/v4l2-common.c +index 3fed63f4e026..ec9a4fa3bc86 100644 +--- a/drivers/media/v4l2-core/v4l2-common.c ++++ b/drivers/media/v4l2-core/v4l2-common.c +@@ -485,16 +485,13 @@ static unsigned int clamp_align(unsigned int x, unsigned int min, + /* Bits that must be zero to be aligned */ + unsigned int mask = ~((1 << align) - 1); + ++ /* Clamp to aligned min and max */ ++ x = clamp(x, (min + ~mask) & mask, max & mask); ++ + /* Round to nearest aligned value */ + if (align) + x = (x + (1 << (align - 1))) & mask; + +- /* Clamp to aligned value of min and max */ +- if (x < min) +- x = (min + ~mask) & mask; +- else if (x > max) +- x = max & mask; +- + return x; + } + +diff --git a/drivers/mfd/rtsx_pcr.c b/drivers/mfd/rtsx_pcr.c +index 45f26be359ea..7e28bd0de554 100644 +--- a/drivers/mfd/rtsx_pcr.c ++++ b/drivers/mfd/rtsx_pcr.c +@@ -1137,7 +1137,7 @@ static int rtsx_pci_probe(struct pci_dev *pcidev, + pcr->msi_en = msi_en; + if (pcr->msi_en) { + ret = pci_enable_msi(pcidev); +- if (ret < 0) ++ if (ret) + pcr->msi_en = false; + } + +diff --git a/drivers/mmc/host/rtsx_pci_sdmmc.c b/drivers/mmc/host/rtsx_pci_sdmmc.c +index 7ffb5cba30a9..4c65a5a4d8f4 100644 +--- a/drivers/mmc/host/rtsx_pci_sdmmc.c ++++ b/drivers/mmc/host/rtsx_pci_sdmmc.c +@@ -341,6 +341,13 @@ static void sd_send_cmd_get_rsp(struct realtek_pci_sdmmc *host, + } + + if (rsp_type == SD_RSP_TYPE_R2) { ++ /* ++ * The controller offloads the last byte {CRC-7, end bit 1'b1} ++ * of response type R2. Assign dummy CRC, 0, and end bit to the ++ * byte(ptr[16], goes into the LSB of resp[3] later). ++ */ ++ ptr[16] = 1; ++ + for (i = 0; i < 4; i++) { + cmd->resp[i] = get_unaligned_be32(ptr + 1 + i * 4); + dev_dbg(sdmmc_dev(host), "cmd->resp[%d] = 0x%08x\n", +diff --git a/drivers/mtd/ubi/fastmap.c b/drivers/mtd/ubi/fastmap.c +index 0648c6996d43..bf8108d65b73 100644 +--- a/drivers/mtd/ubi/fastmap.c ++++ b/drivers/mtd/ubi/fastmap.c +@@ -330,6 +330,7 @@ static int process_pool_aeb(struct ubi_device *ubi, struct ubi_attach_info *ai, + av = tmp_av; + else { + ubi_err("orphaned volume in fastmap pool!"); ++ kmem_cache_free(ai->aeb_slab_cache, new_aeb); + return UBI_BAD_FASTMAP; + } + +diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig +index 3835321b8cf3..3bc3ebc0882f 100644 +--- a/drivers/net/Kconfig ++++ b/drivers/net/Kconfig +@@ -139,6 +139,7 @@ config MACVLAN + config MACVTAP + tristate "MAC-VLAN based tap driver" + depends on MACVLAN ++ depends on INET + help + This adds a specialized tap character device driver that is based + on the MAC-VLAN network interface, called macvtap. A macvtap device +@@ -209,6 +210,7 @@ config RIONET_RX_SIZE + + config TUN + tristate "Universal TUN/TAP device driver support" ++ depends on INET + select CRC32 + ---help--- + TUN/TAP provides packet reception and transmission for user space +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 72ff14b811c6..5a1897d86e94 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -601,7 +601,7 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + if (file == ppp->owner) + ppp_shutdown_interface(ppp); + } +- if (atomic_long_read(&file->f_count) <= 2) { ++ if (atomic_long_read(&file->f_count) < 2) { + ppp_release(NULL, file); + err = 0; + } else +diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c +index d33c3ae2fcea..3b449c4ecf72 100644 +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -695,6 +695,7 @@ static int ax88179_set_mac_addr(struct net_device *net, void *p) + { + struct usbnet *dev = netdev_priv(net); + struct sockaddr *addr = p; ++ int ret; + + if (netif_running(net)) + return -EBUSY; +@@ -704,8 +705,12 @@ static int ax88179_set_mac_addr(struct net_device *net, void *p) + memcpy(net->dev_addr, addr->sa_data, ETH_ALEN); + + /* Set the MAC address */ +- return ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_NODE_ID, ETH_ALEN, ++ ret = ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_NODE_ID, ETH_ALEN, + ETH_ALEN, net->dev_addr); ++ if (ret < 0) ++ return ret; ++ ++ return 0; + } + + static const struct net_device_ops ax88179_netdev_ops = { +diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c +index 9ef0711a5cc1..400b8679796a 100644 +--- a/drivers/net/wireless/rt2x00/rt2800usb.c ++++ b/drivers/net/wireless/rt2x00/rt2800usb.c +@@ -1091,6 +1091,7 @@ static struct usb_device_id rt2800usb_device_table[] = { + /* Ovislink */ + { USB_DEVICE(0x1b75, 0x3071) }, + { USB_DEVICE(0x1b75, 0x3072) }, ++ { USB_DEVICE(0x1b75, 0xa200) }, + /* Para */ + { USB_DEVICE(0x20b8, 0x8888) }, + /* Pegatron */ +diff --git a/drivers/of/base.c b/drivers/of/base.c +index 1d10b4ec6814..b60f9a77ab03 100644 +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -963,52 +963,6 @@ int of_property_read_string(struct device_node *np, const char *propname, + EXPORT_SYMBOL_GPL(of_property_read_string); + + /** +- * of_property_read_string_index - Find and read a string from a multiple +- * strings property. +- * @np: device node from which the property value is to be read. +- * @propname: name of the property to be searched. +- * @index: index of the string in the list of strings +- * @out_string: pointer to null terminated return string, modified only if +- * return value is 0. +- * +- * Search for a property in a device tree node and retrieve a null +- * terminated string value (pointer to data, not a copy) in the list of strings +- * contained in that property. +- * Returns 0 on success, -EINVAL if the property does not exist, -ENODATA if +- * property does not have a value, and -EILSEQ if the string is not +- * null-terminated within the length of the property data. +- * +- * The out_string pointer is modified only if a valid string can be decoded. +- */ +-int of_property_read_string_index(struct device_node *np, const char *propname, +- int index, const char **output) +-{ +- struct property *prop = of_find_property(np, propname, NULL); +- int i = 0; +- size_t l = 0, total = 0; +- const char *p; +- +- if (!prop) +- return -EINVAL; +- if (!prop->value) +- return -ENODATA; +- if (strnlen(prop->value, prop->length) >= prop->length) +- return -EILSEQ; +- +- p = prop->value; +- +- for (i = 0; total < prop->length; total += l, p += l) { +- l = strlen(p) + 1; +- if (i++ == index) { +- *output = p; +- return 0; +- } +- } +- return -ENODATA; +-} +-EXPORT_SYMBOL_GPL(of_property_read_string_index); +- +-/** + * of_property_match_string() - Find string in a list and return index + * @np: pointer to node containing string list property + * @propname: string list property name +@@ -1034,7 +988,7 @@ int of_property_match_string(struct device_node *np, const char *propname, + end = p + prop->length; + + for (i = 0; p < end; i++, p += l) { +- l = strlen(p) + 1; ++ l = strnlen(p, end - p) + 1; + if (p + l > end) + return -EILSEQ; + pr_debug("comparing %s with %s\n", string, p); +@@ -1046,39 +1000,41 @@ int of_property_match_string(struct device_node *np, const char *propname, + EXPORT_SYMBOL_GPL(of_property_match_string); + + /** +- * of_property_count_strings - Find and return the number of strings from a +- * multiple strings property. ++ * of_property_read_string_util() - Utility helper for parsing string properties + * @np: device node from which the property value is to be read. + * @propname: name of the property to be searched. ++ * @out_strs: output array of string pointers. ++ * @sz: number of array elements to read. ++ * @skip: Number of strings to skip over at beginning of list. + * +- * Search for a property in a device tree node and retrieve the number of null +- * terminated string contain in it. Returns the number of strings on +- * success, -EINVAL if the property does not exist, -ENODATA if property +- * does not have a value, and -EILSEQ if the string is not null-terminated +- * within the length of the property data. ++ * Don't call this function directly. It is a utility helper for the ++ * of_property_read_string*() family of functions. + */ +-int of_property_count_strings(struct device_node *np, const char *propname) ++int of_property_read_string_helper(struct device_node *np, const char *propname, ++ const char **out_strs, size_t sz, int skip) + { + struct property *prop = of_find_property(np, propname, NULL); +- int i = 0; +- size_t l = 0, total = 0; +- const char *p; ++ int l = 0, i = 0; ++ const char *p, *end; + + if (!prop) + return -EINVAL; + if (!prop->value) + return -ENODATA; +- if (strnlen(prop->value, prop->length) >= prop->length) +- return -EILSEQ; +- + p = prop->value; ++ end = p + prop->length; + +- for (i = 0; total < prop->length; total += l, p += l, i++) +- l = strlen(p) + 1; +- +- return i; ++ for (i = 0; p < end && (!out_strs || i < skip + sz); i++, p += l) { ++ l = strnlen(p, end - p) + 1; ++ if (p + l > end) ++ return -EILSEQ; ++ if (out_strs && i >= skip) ++ *out_strs++ = p; ++ } ++ i -= skip; ++ return i <= 0 ? -ENODATA : i; + } +-EXPORT_SYMBOL_GPL(of_property_count_strings); ++EXPORT_SYMBOL_GPL(of_property_read_string_helper); + + /** + * of_parse_phandle - Resolve a phandle property to a device_node pointer +diff --git a/drivers/of/selftest.c b/drivers/of/selftest.c +index 0eb5c38b4e07..f5e8dc7a725c 100644 +--- a/drivers/of/selftest.c ++++ b/drivers/of/selftest.c +@@ -126,8 +126,9 @@ static void __init of_selftest_parse_phandle_with_args(void) + selftest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc); + } + +-static void __init of_selftest_property_match_string(void) ++static void __init of_selftest_property_string(void) + { ++ const char *strings[4]; + struct device_node *np; + int rc; + +@@ -145,13 +146,66 @@ static void __init of_selftest_property_match_string(void) + rc = of_property_match_string(np, "phandle-list-names", "third"); + selftest(rc == 2, "third expected:0 got:%i\n", rc); + rc = of_property_match_string(np, "phandle-list-names", "fourth"); +- selftest(rc == -ENODATA, "unmatched string; rc=%i", rc); ++ selftest(rc == -ENODATA, "unmatched string; rc=%i\n", rc); + rc = of_property_match_string(np, "missing-property", "blah"); +- selftest(rc == -EINVAL, "missing property; rc=%i", rc); ++ selftest(rc == -EINVAL, "missing property; rc=%i\n", rc); + rc = of_property_match_string(np, "empty-property", "blah"); +- selftest(rc == -ENODATA, "empty property; rc=%i", rc); ++ selftest(rc == -ENODATA, "empty property; rc=%i\n", rc); + rc = of_property_match_string(np, "unterminated-string", "blah"); +- selftest(rc == -EILSEQ, "unterminated string; rc=%i", rc); ++ selftest(rc == -EILSEQ, "unterminated string; rc=%i\n", rc); ++ ++ /* of_property_count_strings() tests */ ++ rc = of_property_count_strings(np, "string-property"); ++ selftest(rc == 1, "Incorrect string count; rc=%i\n", rc); ++ rc = of_property_count_strings(np, "phandle-list-names"); ++ selftest(rc == 3, "Incorrect string count; rc=%i\n", rc); ++ rc = of_property_count_strings(np, "unterminated-string"); ++ selftest(rc == -EILSEQ, "unterminated string; rc=%i\n", rc); ++ rc = of_property_count_strings(np, "unterminated-string-list"); ++ selftest(rc == -EILSEQ, "unterminated string array; rc=%i\n", rc); ++ ++ /* of_property_read_string_index() tests */ ++ rc = of_property_read_string_index(np, "string-property", 0, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "foobar"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[0] = NULL; ++ rc = of_property_read_string_index(np, "string-property", 1, strings); ++ selftest(rc == -ENODATA && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc); ++ rc = of_property_read_string_index(np, "phandle-list-names", 0, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "first"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ rc = of_property_read_string_index(np, "phandle-list-names", 1, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "second"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ rc = of_property_read_string_index(np, "phandle-list-names", 2, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "third"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[0] = NULL; ++ rc = of_property_read_string_index(np, "phandle-list-names", 3, strings); ++ selftest(rc == -ENODATA && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[0] = NULL; ++ rc = of_property_read_string_index(np, "unterminated-string", 0, strings); ++ selftest(rc == -EILSEQ && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc); ++ rc = of_property_read_string_index(np, "unterminated-string-list", 0, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "first"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[0] = NULL; ++ rc = of_property_read_string_index(np, "unterminated-string-list", 2, strings); /* should fail */ ++ selftest(rc == -EILSEQ && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[1] = NULL; ++ ++ /* of_property_read_string_array() tests */ ++ rc = of_property_read_string_array(np, "string-property", strings, 4); ++ selftest(rc == 1, "Incorrect string count; rc=%i\n", rc); ++ rc = of_property_read_string_array(np, "phandle-list-names", strings, 4); ++ selftest(rc == 3, "Incorrect string count; rc=%i\n", rc); ++ rc = of_property_read_string_array(np, "unterminated-string", strings, 4); ++ selftest(rc == -EILSEQ, "unterminated string; rc=%i\n", rc); ++ /* -- An incorrectly formed string should cause a failure */ ++ rc = of_property_read_string_array(np, "unterminated-string-list", strings, 4); ++ selftest(rc == -EILSEQ, "unterminated string array; rc=%i\n", rc); ++ /* -- parsing the correctly formed strings should still work: */ ++ strings[2] = NULL; ++ rc = of_property_read_string_array(np, "unterminated-string-list", strings, 2); ++ selftest(rc == 2 && strings[2] == NULL, "of_property_read_string_array() failure; rc=%i\n", rc); ++ strings[1] = NULL; ++ rc = of_property_read_string_array(np, "phandle-list-names", strings, 1); ++ selftest(rc == 1 && strings[1] == NULL, "Overwrote end of string array; rc=%i, str='%s'\n", rc, strings[1]); + } + + static int __init of_selftest(void) +@@ -167,7 +221,7 @@ static int __init of_selftest(void) + + pr_info("start of selftest - you will see error messages\n"); + of_selftest_parse_phandle_with_args(); +- of_selftest_property_match_string(); ++ of_selftest_property_string(); + pr_info("end of selftest - %s\n", selftest_passed ? "PASS" : "FAIL"); + return 0; + } +diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c +index c9076bdaf2c1..59a8d325a697 100644 +--- a/drivers/platform/x86/acer-wmi.c ++++ b/drivers/platform/x86/acer-wmi.c +@@ -572,6 +572,17 @@ static const struct dmi_system_id video_vendor_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5750"), + }, + }, ++ { ++ /* ++ * Note no video_set_backlight_video_vendor, we must use the ++ * acer interface, as there is no native backlight interface. ++ */ ++ .ident = "Acer KAV80", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "KAV80"), ++ }, ++ }, + {} + }; + +diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +index 66b0b26a1381..cfd49eca67aa 100644 +--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c ++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +@@ -762,7 +762,16 @@ static void tcm_qla2xxx_clear_nacl_from_fcport_map(struct qla_tgt_sess *sess) + pr_debug("fc_rport domain: port_id 0x%06x\n", nacl->nport_id); + + node = btree_remove32(&lport->lport_fcport_map, nacl->nport_id); +- WARN_ON(node && (node != se_nacl)); ++ if (WARN_ON(node && (node != se_nacl))) { ++ /* ++ * The nacl no longer matches what we think it should be. ++ * Most likely a new dynamic acl has been added while ++ * someone dropped the hardware lock. It clearly is a ++ * bug elsewhere, but this bit can't make things worse. ++ */ ++ btree_insert32(&lport->lport_fcport_map, nacl->nport_id, ++ node, GFP_ATOMIC); ++ } + + pr_debug("Removed from fcport_map: %p for WWNN: 0x%016LX, port_id: 0x%06x\n", + se_nacl, nacl->nport_wwnn, nacl->nport_id); +diff --git a/drivers/spi/spi-pl022.c b/drivers/spi/spi-pl022.c +index 371cc66f1a0e..5266c89fc989 100644 +--- a/drivers/spi/spi-pl022.c ++++ b/drivers/spi/spi-pl022.c +@@ -1080,7 +1080,7 @@ err_rxdesc: + pl022->sgt_tx.nents, DMA_TO_DEVICE); + err_tx_sgmap: + dma_unmap_sg(rxchan->device->dev, pl022->sgt_rx.sgl, +- pl022->sgt_tx.nents, DMA_FROM_DEVICE); ++ pl022->sgt_rx.nents, DMA_FROM_DEVICE); + err_rx_sgmap: + sg_free_table(&pl022->sgt_tx); + err_alloc_tx_sg: +diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c +index 48b396fced0a..d26a2d195d21 100644 +--- a/drivers/spi/spi-pxa2xx.c ++++ b/drivers/spi/spi-pxa2xx.c +@@ -1324,7 +1324,9 @@ static int pxa2xx_spi_suspend(struct device *dev) + if (status != 0) + return status; + write_SSCR0(0, drv_data->ioaddr); +- clk_disable_unprepare(ssp->clk); ++ ++ if (!pm_runtime_suspended(dev)) ++ clk_disable_unprepare(ssp->clk); + + return 0; + } +@@ -1338,7 +1340,8 @@ static int pxa2xx_spi_resume(struct device *dev) + pxa2xx_spi_dma_resume(drv_data); + + /* Enable the SSP clock */ +- clk_prepare_enable(ssp->clk); ++ if (!pm_runtime_suspended(dev)) ++ clk_prepare_enable(ssp->clk); + + /* Start the queue running */ + status = spi_master_resume(drv_data->master); +diff --git a/drivers/staging/iio/impedance-analyzer/ad5933.c b/drivers/staging/iio/impedance-analyzer/ad5933.c +index 6330af656a0f..bc23d66a7a1e 100644 +--- a/drivers/staging/iio/impedance-analyzer/ad5933.c ++++ b/drivers/staging/iio/impedance-analyzer/ad5933.c +@@ -115,6 +115,7 @@ static const struct iio_chan_spec ad5933_channels[] = { + .channel = 0, + .info_mask_separate = BIT(IIO_CHAN_INFO_PROCESSED), + .address = AD5933_REG_TEMP_DATA, ++ .scan_index = -1, + .scan_type = { + .sign = 's', + .realbits = 14, +@@ -124,9 +125,7 @@ static const struct iio_chan_spec ad5933_channels[] = { + .type = IIO_VOLTAGE, + .indexed = 1, + .channel = 0, +- .extend_name = "real_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW) | +- BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "real", + .address = AD5933_REG_REAL_DATA, + .scan_index = 0, + .scan_type = { +@@ -138,9 +137,7 @@ static const struct iio_chan_spec ad5933_channels[] = { + .type = IIO_VOLTAGE, + .indexed = 1, + .channel = 0, +- .extend_name = "imag_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW) | +- BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "imag", + .address = AD5933_REG_IMAG_DATA, + .scan_index = 1, + .scan_type = { +@@ -746,14 +743,14 @@ static int ad5933_probe(struct i2c_client *client, + indio_dev->name = id->name; + indio_dev->modes = INDIO_DIRECT_MODE; + indio_dev->channels = ad5933_channels; +- indio_dev->num_channels = 1; /* only register temp0_input */ ++ indio_dev->num_channels = ARRAY_SIZE(ad5933_channels); + + ret = ad5933_register_ring_funcs_and_init(indio_dev); + if (ret) + goto error_disable_reg; + +- /* skip temp0_input, register in0_(real|imag)_raw */ +- ret = iio_buffer_register(indio_dev, &ad5933_channels[1], 2); ++ ret = iio_buffer_register(indio_dev, ad5933_channels, ++ ARRAY_SIZE(ad5933_channels)); + if (ret) + goto error_unreg_ring; + +diff --git a/drivers/staging/iio/meter/ade7758.h b/drivers/staging/iio/meter/ade7758.h +index 07318203a836..e8c98cf57070 100644 +--- a/drivers/staging/iio/meter/ade7758.h ++++ b/drivers/staging/iio/meter/ade7758.h +@@ -119,7 +119,6 @@ struct ade7758_state { + u8 *tx; + u8 *rx; + struct mutex buf_lock; +- const struct iio_chan_spec *ade7758_ring_channels; + struct spi_transfer ring_xfer[4]; + struct spi_message ring_msg; + /* +diff --git a/drivers/staging/iio/meter/ade7758_core.c b/drivers/staging/iio/meter/ade7758_core.c +index 8f5bcfab3563..75d9fe6a1bc1 100644 +--- a/drivers/staging/iio/meter/ade7758_core.c ++++ b/drivers/staging/iio/meter/ade7758_core.c +@@ -648,9 +648,6 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_VOLTAGE, + .indexed = 1, + .channel = 0, +- .extend_name = "raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .address = AD7758_WT(AD7758_PHASE_A, AD7758_VOLTAGE), + .scan_index = 0, + .scan_type = { +@@ -662,9 +659,6 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_CURRENT, + .indexed = 1, + .channel = 0, +- .extend_name = "raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .address = AD7758_WT(AD7758_PHASE_A, AD7758_CURRENT), + .scan_index = 1, + .scan_type = { +@@ -676,9 +670,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 0, +- .extend_name = "apparent_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "apparent", + .address = AD7758_WT(AD7758_PHASE_A, AD7758_APP_PWR), + .scan_index = 2, + .scan_type = { +@@ -690,9 +682,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 0, +- .extend_name = "active_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "active", + .address = AD7758_WT(AD7758_PHASE_A, AD7758_ACT_PWR), + .scan_index = 3, + .scan_type = { +@@ -704,9 +694,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 0, +- .extend_name = "reactive_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "reactive", + .address = AD7758_WT(AD7758_PHASE_A, AD7758_REACT_PWR), + .scan_index = 4, + .scan_type = { +@@ -718,9 +706,6 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_VOLTAGE, + .indexed = 1, + .channel = 1, +- .extend_name = "raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .address = AD7758_WT(AD7758_PHASE_B, AD7758_VOLTAGE), + .scan_index = 5, + .scan_type = { +@@ -732,9 +717,6 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_CURRENT, + .indexed = 1, + .channel = 1, +- .extend_name = "raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .address = AD7758_WT(AD7758_PHASE_B, AD7758_CURRENT), + .scan_index = 6, + .scan_type = { +@@ -746,9 +728,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 1, +- .extend_name = "apparent_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "apparent", + .address = AD7758_WT(AD7758_PHASE_B, AD7758_APP_PWR), + .scan_index = 7, + .scan_type = { +@@ -760,9 +740,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 1, +- .extend_name = "active_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "active", + .address = AD7758_WT(AD7758_PHASE_B, AD7758_ACT_PWR), + .scan_index = 8, + .scan_type = { +@@ -774,9 +752,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 1, +- .extend_name = "reactive_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "reactive", + .address = AD7758_WT(AD7758_PHASE_B, AD7758_REACT_PWR), + .scan_index = 9, + .scan_type = { +@@ -788,9 +764,6 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_VOLTAGE, + .indexed = 1, + .channel = 2, +- .extend_name = "raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .address = AD7758_WT(AD7758_PHASE_C, AD7758_VOLTAGE), + .scan_index = 10, + .scan_type = { +@@ -802,9 +775,6 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_CURRENT, + .indexed = 1, + .channel = 2, +- .extend_name = "raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .address = AD7758_WT(AD7758_PHASE_C, AD7758_CURRENT), + .scan_index = 11, + .scan_type = { +@@ -816,9 +786,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 2, +- .extend_name = "apparent_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "apparent", + .address = AD7758_WT(AD7758_PHASE_C, AD7758_APP_PWR), + .scan_index = 12, + .scan_type = { +@@ -830,9 +798,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 2, +- .extend_name = "active_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "active", + .address = AD7758_WT(AD7758_PHASE_C, AD7758_ACT_PWR), + .scan_index = 13, + .scan_type = { +@@ -844,9 +810,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 2, +- .extend_name = "reactive_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "reactive", + .address = AD7758_WT(AD7758_PHASE_C, AD7758_REACT_PWR), + .scan_index = 14, + .scan_type = { +@@ -890,13 +854,14 @@ static int ade7758_probe(struct spi_device *spi) + goto error_free_rx; + } + st->us = spi; +- st->ade7758_ring_channels = &ade7758_channels[0]; + mutex_init(&st->buf_lock); + + indio_dev->name = spi->dev.driver->name; + indio_dev->dev.parent = &spi->dev; + indio_dev->info = &ade7758_info; + indio_dev->modes = INDIO_DIRECT_MODE; ++ indio_dev->channels = ade7758_channels; ++ indio_dev->num_channels = ARRAY_SIZE(ade7758_channels); + + ret = ade7758_configure_ring(indio_dev); + if (ret) +diff --git a/drivers/staging/iio/meter/ade7758_ring.c b/drivers/staging/iio/meter/ade7758_ring.c +index b29e2d5d9937..6a0ef97e9146 100644 +--- a/drivers/staging/iio/meter/ade7758_ring.c ++++ b/drivers/staging/iio/meter/ade7758_ring.c +@@ -89,11 +89,10 @@ static irqreturn_t ade7758_trigger_handler(int irq, void *p) + **/ + static int ade7758_ring_preenable(struct iio_dev *indio_dev) + { +- struct ade7758_state *st = iio_priv(indio_dev); + unsigned channel; + int ret; + +- if (!bitmap_empty(indio_dev->active_scan_mask, indio_dev->masklength)) ++ if (bitmap_empty(indio_dev->active_scan_mask, indio_dev->masklength)) + return -EINVAL; + + ret = iio_sw_buffer_preenable(indio_dev); +@@ -104,7 +103,7 @@ static int ade7758_ring_preenable(struct iio_dev *indio_dev) + indio_dev->masklength); + + ade7758_write_waveform_type(&indio_dev->dev, +- st->ade7758_ring_channels[channel].address); ++ indio_dev->channels[channel].address); + + return 0; + } +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index 68398753eb82..2be407e22eb4 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -1293,7 +1293,8 @@ int core_dev_add_initiator_node_lun_acl( + * Check to see if there are any existing persistent reservation APTPL + * pre-registrations that need to be enabled for this LUN ACL.. + */ +- core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, lacl); ++ core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, nacl, ++ lacl->mapped_lun); + return 0; + } + +diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c +index 04a74938bb43..27ec6e4d1c7c 100644 +--- a/drivers/target/target_core_pr.c ++++ b/drivers/target/target_core_pr.c +@@ -945,10 +945,10 @@ int core_scsi3_check_aptpl_registration( + struct se_device *dev, + struct se_portal_group *tpg, + struct se_lun *lun, +- struct se_lun_acl *lun_acl) ++ struct se_node_acl *nacl, ++ u32 mapped_lun) + { +- struct se_node_acl *nacl = lun_acl->se_lun_nacl; +- struct se_dev_entry *deve = nacl->device_list[lun_acl->mapped_lun]; ++ struct se_dev_entry *deve = nacl->device_list[mapped_lun]; + + if (dev->dev_reservation_flags & DRF_SPC2_RESERVATIONS) + return 0; +diff --git a/drivers/target/target_core_pr.h b/drivers/target/target_core_pr.h +index b4a004247ab2..ea9220de1dff 100644 +--- a/drivers/target/target_core_pr.h ++++ b/drivers/target/target_core_pr.h +@@ -55,7 +55,7 @@ extern int core_scsi3_alloc_aptpl_registration( + unsigned char *, u16, u32, int, int, u8); + extern int core_scsi3_check_aptpl_registration(struct se_device *, + struct se_portal_group *, struct se_lun *, +- struct se_lun_acl *); ++ struct se_node_acl *, u32); + extern void core_scsi3_free_pr_reg_from_nacl(struct se_device *, + struct se_node_acl *); + extern void core_scsi3_free_all_registrations(struct se_device *); +diff --git a/drivers/target/target_core_tpg.c b/drivers/target/target_core_tpg.c +index aac9d2727e3c..8572207e3d4d 100644 +--- a/drivers/target/target_core_tpg.c ++++ b/drivers/target/target_core_tpg.c +@@ -40,6 +40,7 @@ + #include <target/target_core_fabric.h> + + #include "target_core_internal.h" ++#include "target_core_pr.h" + + extern struct se_device *g_lun0_dev; + +@@ -165,6 +166,13 @@ void core_tpg_add_node_to_devs( + + core_enable_device_list_for_node(lun, NULL, lun->unpacked_lun, + lun_access, acl, tpg); ++ /* ++ * Check to see if there are any existing persistent reservation ++ * APTPL pre-registrations that need to be enabled for this dynamic ++ * LUN ACL now.. ++ */ ++ core_scsi3_check_aptpl_registration(dev, tpg, lun, acl, ++ lun->unpacked_lun); + spin_lock(&tpg->tpg_lun_lock); + } + spin_unlock(&tpg->tpg_lun_lock); +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 6866d86e8663..12342695ed79 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1788,8 +1788,7 @@ static void transport_complete_qf(struct se_cmd *cmd) + + if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) { + ret = cmd->se_tfo->queue_status(cmd); +- if (ret) +- goto out; ++ goto out; + } + + switch (cmd->data_direction) { +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index 0f1cc2c8c22a..1fabb22ae615 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -359,7 +359,7 @@ uart_get_baud_rate(struct uart_port *port, struct ktermios *termios, + * The spd_hi, spd_vhi, spd_shi, spd_warp kludge... + * Die! Die! Die! + */ +- if (baud == 38400) ++ if (try == 0 && baud == 38400) + baud = altbaud; + + /* +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 3723c0ebb316..d35afccdb6c9 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1698,6 +1698,7 @@ int tty_release(struct inode *inode, struct file *filp) + int pty_master, tty_closing, o_tty_closing, do_sleep; + int idx; + char buf[64]; ++ long timeout = 0; + + if (tty_paranoia_check(tty, inode, __func__)) + return 0; +@@ -1782,7 +1783,11 @@ int tty_release(struct inode *inode, struct file *filp) + __func__, tty_name(tty, buf)); + tty_unlock_pair(tty, o_tty); + mutex_unlock(&tty_mutex); +- schedule(); ++ schedule_timeout_killable(timeout); ++ if (timeout < 120 * HZ) ++ timeout = 2 * timeout + 1; ++ else ++ timeout = MAX_SCHEDULE_TIMEOUT; + } + + /* +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index fbf3f11aed2c..1e71f918eb9f 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -883,11 +883,12 @@ static void acm_tty_set_termios(struct tty_struct *tty, + /* FIXME: Needs to clear unsupported bits in the termios */ + acm->clocal = ((termios->c_cflag & CLOCAL) != 0); + +- if (!newline.dwDTERate) { ++ if (C_BAUD(tty) == B0) { + newline.dwDTERate = acm->line.dwDTERate; + newctrl &= ~ACM_CTRL_DTR; +- } else ++ } else if (termios_old && (termios_old->c_cflag & CBAUD) == B0) { + newctrl |= ACM_CTRL_DTR; ++ } + + if (newctrl != acm->ctrlout) + acm_set_control(acm, acm->ctrlout = newctrl); +@@ -1588,6 +1589,7 @@ static const struct usb_device_id acm_ids[] = { + { USB_DEVICE(0x0572, 0x1328), /* Shiro / Aztech USB MODEM UM-3100 */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, ++ { USB_DEVICE(0x2184, 0x001c) }, /* GW Instek AFG-2225 */ + { USB_DEVICE(0x22b8, 0x6425), /* Motorola MOTOMAGX phones */ + }, + /* Motorola H24 HSPA module: */ +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index d53547d2e4c7..f6e5ceb03afb 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -1947,6 +1947,8 @@ int usb_alloc_streams(struct usb_interface *interface, + return -EINVAL; + if (dev->speed != USB_SPEED_SUPER) + return -EINVAL; ++ if (dev->state < USB_STATE_CONFIGURED) ++ return -ENODEV; + + /* Streams only apply to bulk endpoints. */ + for (i = 0; i < num_eps; i++) +diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c +index 3cea676ba901..6cd418f6ac07 100644 +--- a/drivers/usb/dwc3/ep0.c ++++ b/drivers/usb/dwc3/ep0.c +@@ -270,7 +270,7 @@ static void dwc3_ep0_stall_and_restart(struct dwc3 *dwc) + + /* stall is always issued on EP0 */ + dep = dwc->eps[0]; +- __dwc3_gadget_ep_set_halt(dep, 1); ++ __dwc3_gadget_ep_set_halt(dep, 1, false); + dep->flags = DWC3_EP_ENABLED; + dwc->delayed_status = false; + +@@ -480,7 +480,7 @@ static int dwc3_ep0_handle_feature(struct dwc3 *dwc, + return -EINVAL; + if (set == 0 && (dep->flags & DWC3_EP_WEDGE)) + break; +- ret = __dwc3_gadget_ep_set_halt(dep, set); ++ ret = __dwc3_gadget_ep_set_halt(dep, set, true); + if (ret) + return -EINVAL; + break; +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index d868b62c1a16..8f8e75e392de 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -550,12 +550,11 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep, + if (!usb_endpoint_xfer_isoc(desc)) + return 0; + +- memset(&trb_link, 0, sizeof(trb_link)); +- + /* Link TRB for ISOC. The HWO bit is never reset */ + trb_st_hw = &dep->trb_pool[0]; + + trb_link = &dep->trb_pool[DWC3_TRB_NUM - 1]; ++ memset(trb_link, 0, sizeof(*trb_link)); + + trb_link->bpl = lower_32_bits(dwc3_trb_dma_offset(dep, trb_st_hw)); + trb_link->bph = upper_32_bits(dwc3_trb_dma_offset(dep, trb_st_hw)); +@@ -606,7 +605,7 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep) + + /* make sure HW endpoint isn't stalled */ + if (dep->flags & DWC3_EP_STALL) +- __dwc3_gadget_ep_set_halt(dep, 0); ++ __dwc3_gadget_ep_set_halt(dep, 0, false); + + reg = dwc3_readl(dwc->regs, DWC3_DALEPENA); + reg &= ~DWC3_DALEPENA_EP(dep->number); +@@ -1206,7 +1205,7 @@ out0: + return ret; + } + +-int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value) ++int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol) + { + struct dwc3_gadget_ep_cmd_params params; + struct dwc3 *dwc = dep->dwc; +@@ -1215,6 +1214,14 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value) + memset(¶ms, 0x00, sizeof(params)); + + if (value) { ++ if (!protocol && ((dep->direction && dep->flags & DWC3_EP_BUSY) || ++ (!list_empty(&dep->req_queued) || ++ !list_empty(&dep->request_list)))) { ++ dev_dbg(dwc->dev, "%s: pending request, cannot halt\n", ++ dep->name); ++ return -EAGAIN; ++ } ++ + ret = dwc3_send_gadget_ep_cmd(dwc, dep->number, + DWC3_DEPCMD_SETSTALL, ¶ms); + if (ret) +@@ -1254,7 +1261,7 @@ static int dwc3_gadget_ep_set_halt(struct usb_ep *ep, int value) + goto out; + } + +- ret = __dwc3_gadget_ep_set_halt(dep, value); ++ ret = __dwc3_gadget_ep_set_halt(dep, value, false); + out: + spin_unlock_irqrestore(&dwc->lock, flags); + +@@ -1274,7 +1281,7 @@ static int dwc3_gadget_ep_set_wedge(struct usb_ep *ep) + if (dep->number == 0 || dep->number == 1) + return dwc3_gadget_ep0_set_halt(ep, 1); + else +- return dwc3_gadget_ep_set_halt(ep, 1); ++ return __dwc3_gadget_ep_set_halt(dep, 1, false); + } + + /* -------------------------------------------------------------------------- */ +diff --git a/drivers/usb/dwc3/gadget.h b/drivers/usb/dwc3/gadget.h +index 99e6d7248820..b3f25c302e35 100644 +--- a/drivers/usb/dwc3/gadget.h ++++ b/drivers/usb/dwc3/gadget.h +@@ -114,7 +114,7 @@ void dwc3_ep0_out_start(struct dwc3 *dwc); + int dwc3_gadget_ep0_set_halt(struct usb_ep *ep, int value); + int dwc3_gadget_ep0_queue(struct usb_ep *ep, struct usb_request *request, + gfp_t gfp_flags); +-int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value); ++int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol); + int dwc3_send_gadget_ep_cmd(struct dwc3 *dwc, unsigned ep, + unsigned cmd, struct dwc3_gadget_ep_cmd_params *params); + int dwc3_send_gadget_generic_command(struct dwc3 *dwc, int cmd, u32 param); +diff --git a/drivers/usb/gadget/f_acm.c b/drivers/usb/gadget/f_acm.c +index ab1065afbbd0..3384486c2884 100644 +--- a/drivers/usb/gadget/f_acm.c ++++ b/drivers/usb/gadget/f_acm.c +@@ -430,11 +430,12 @@ static int acm_set_alt(struct usb_function *f, unsigned intf, unsigned alt) + if (acm->notify->driver_data) { + VDBG(cdev, "reset acm control interface %d\n", intf); + usb_ep_disable(acm->notify); +- } else { +- VDBG(cdev, "init acm ctrl interface %d\n", intf); ++ } ++ ++ if (!acm->notify->desc) + if (config_ep_by_speed(cdev->gadget, f, acm->notify)) + return -EINVAL; +- } ++ + usb_ep_enable(acm->notify); + acm->notify->driver_data = acm; + +diff --git a/drivers/usb/gadget/udc-core.c b/drivers/usb/gadget/udc-core.c +index 5514822114a5..817a26cbfab1 100644 +--- a/drivers/usb/gadget/udc-core.c ++++ b/drivers/usb/gadget/udc-core.c +@@ -439,6 +439,11 @@ static ssize_t usb_udc_softconn_store(struct device *dev, + { + struct usb_udc *udc = container_of(dev, struct usb_udc, dev); + ++ if (!udc->driver) { ++ dev_err(dev, "soft-connect without a gadget driver\n"); ++ return -EOPNOTSUPP; ++ } ++ + if (sysfs_streq(buf, "connect")) { + usb_gadget_udc_start(udc->gadget, udc->driver); + usb_gadget_connect(udc->gadget); +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index b22a4bc308e2..e9183eda39e0 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -155,6 +155,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */ + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ + { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ ++ { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */ + { USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */ + { USB_DEVICE(0x1D6F, 0x0010) }, /* Seluxit ApS RF Dongle */ + { USB_DEVICE(0x1E29, 0x0102) }, /* Festo CPX-USB */ +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 4235693ba2f7..768c2b4722d1 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -148,6 +148,7 @@ static struct ftdi_sio_quirk ftdi_8u2232c_quirk = { + * /sys/bus/usb/ftdi_sio/new_id, then send patch/report! + */ + static struct usb_device_id id_table_combined [] = { ++ { USB_DEVICE(FTDI_VID, FTDI_BRICK_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_ZEITCONTROL_TAGTRACE_MIFARE_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CTI_MINI_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CTI_NANO_PID) }, +@@ -677,6 +678,8 @@ static struct usb_device_id id_table_combined [] = { + { USB_DEVICE(FTDI_VID, XSENS_CONVERTER_5_PID) }, + { USB_DEVICE(FTDI_VID, XSENS_CONVERTER_6_PID) }, + { USB_DEVICE(FTDI_VID, XSENS_CONVERTER_7_PID) }, ++ { USB_DEVICE(XSENS_VID, XSENS_AWINDA_DONGLE_PID) }, ++ { USB_DEVICE(XSENS_VID, XSENS_AWINDA_STATION_PID) }, + { USB_DEVICE(XSENS_VID, XSENS_CONVERTER_PID) }, + { USB_DEVICE(XSENS_VID, XSENS_MTW_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_OMNI1509) }, +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 8927a5c39b00..302ab9a71f06 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -30,6 +30,12 @@ + + /*** third-party PIDs (using FTDI_VID) ***/ + ++/* ++ * Certain versions of the official Windows FTDI driver reprogrammed ++ * counterfeit FTDI devices to PID 0. Support these devices anyway. ++ */ ++#define FTDI_BRICK_PID 0x0000 ++ + #define FTDI_LUMEL_PD12_PID 0x6002 + + /* +@@ -143,8 +149,12 @@ + * Xsens Technologies BV products (http://www.xsens.com). + */ + #define XSENS_VID 0x2639 +-#define XSENS_CONVERTER_PID 0xD00D /* Xsens USB-serial converter */ ++#define XSENS_AWINDA_STATION_PID 0x0101 ++#define XSENS_AWINDA_DONGLE_PID 0x0102 + #define XSENS_MTW_PID 0x0200 /* Xsens MTw */ ++#define XSENS_CONVERTER_PID 0xD00D /* Xsens USB-serial converter */ ++ ++/* Xsens devices using FTDI VID */ + #define XSENS_CONVERTER_0_PID 0xD388 /* Xsens USB converter */ + #define XSENS_CONVERTER_1_PID 0xD389 /* Xsens Wireless Receiver */ + #define XSENS_CONVERTER_2_PID 0xD38A +diff --git a/drivers/usb/serial/opticon.c b/drivers/usb/serial/opticon.c +index 5f4b0cd0f6e9..b0eb1dfc601a 100644 +--- a/drivers/usb/serial/opticon.c ++++ b/drivers/usb/serial/opticon.c +@@ -219,7 +219,7 @@ static int opticon_write(struct tty_struct *tty, struct usb_serial_port *port, + + /* The conncected devices do not have a bulk write endpoint, + * to transmit data to de barcode device the control endpoint is used */ +- dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_NOIO); ++ dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_ATOMIC); + if (!dr) { + dev_err(&port->dev, "out of memory\n"); + count = -ENOMEM; +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index e47aabe0c760..8b3484134ab0 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -269,6 +269,7 @@ static void option_instat_callback(struct urb *urb); + #define TELIT_PRODUCT_DE910_DUAL 0x1010 + #define TELIT_PRODUCT_UE910_V2 0x1012 + #define TELIT_PRODUCT_LE920 0x1200 ++#define TELIT_PRODUCT_LE910 0x1201 + + /* ZTE PRODUCTS */ + #define ZTE_VENDOR_ID 0x19d2 +@@ -361,6 +362,7 @@ static void option_instat_callback(struct urb *urb); + + /* Haier products */ + #define HAIER_VENDOR_ID 0x201e ++#define HAIER_PRODUCT_CE81B 0x10f8 + #define HAIER_PRODUCT_CE100 0x2009 + + /* Cinterion (formerly Siemens) products */ +@@ -588,6 +590,11 @@ static const struct option_blacklist_info zte_1255_blacklist = { + .reserved = BIT(3) | BIT(4), + }; + ++static const struct option_blacklist_info telit_le910_blacklist = { ++ .sendsetup = BIT(0), ++ .reserved = BIT(1) | BIT(2), ++}; ++ + static const struct option_blacklist_info telit_le920_blacklist = { + .sendsetup = BIT(0), + .reserved = BIT(1) | BIT(5), +@@ -1137,6 +1144,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_SINGLE) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), ++ .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), + .driver_info = (kernel_ulong_t)&telit_le920_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ +@@ -1612,6 +1621,7 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) }, + { USB_DEVICE(HAIER_VENDOR_ID, HAIER_PRODUCT_CE100) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(HAIER_VENDOR_ID, HAIER_PRODUCT_CE81B, 0xff, 0xff, 0xff) }, + /* Pirelli */ + { USB_DEVICE_INTERFACE_CLASS(PIRELLI_VENDOR_ID, PIRELLI_PRODUCT_C100_1, 0xff) }, + { USB_DEVICE_INTERFACE_CLASS(PIRELLI_VENDOR_ID, PIRELLI_PRODUCT_C100_2, 0xff) }, +diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c +index 22c7d4360fa2..b1d815eb6d0b 100644 +--- a/drivers/usb/storage/transport.c ++++ b/drivers/usb/storage/transport.c +@@ -1118,6 +1118,31 @@ int usb_stor_Bulk_transport(struct scsi_cmnd *srb, struct us_data *us) + */ + if (result == USB_STOR_XFER_LONG) + fake_sense = 1; ++ ++ /* ++ * Sometimes a device will mistakenly skip the data phase ++ * and go directly to the status phase without sending a ++ * zero-length packet. If we get a 13-byte response here, ++ * check whether it really is a CSW. ++ */ ++ if (result == USB_STOR_XFER_SHORT && ++ srb->sc_data_direction == DMA_FROM_DEVICE && ++ transfer_length - scsi_get_resid(srb) == ++ US_BULK_CS_WRAP_LEN) { ++ struct scatterlist *sg = NULL; ++ unsigned int offset = 0; ++ ++ if (usb_stor_access_xfer_buf((unsigned char *) bcs, ++ US_BULK_CS_WRAP_LEN, srb, &sg, ++ &offset, FROM_XFER_BUF) == ++ US_BULK_CS_WRAP_LEN && ++ bcs->Signature == ++ cpu_to_le32(US_BULK_CS_SIGN)) { ++ usb_stor_dbg(us, "Device skipped data phase\n"); ++ scsi_set_resid(srb, transfer_length); ++ goto skipped_data_phase; ++ } ++ } + } + + /* See flow chart on pg 15 of the Bulk Only Transport spec for +@@ -1153,6 +1178,7 @@ int usb_stor_Bulk_transport(struct scsi_cmnd *srb, struct us_data *us) + if (result != USB_STOR_XFER_GOOD) + return USB_STOR_TRANSPORT_ERROR; + ++ skipped_data_phase: + /* check bulk status */ + residue = le32_to_cpu(bcs->Residue); + usb_stor_dbg(us, "Bulk Status S 0x%x T 0x%x R %u Stat 0x%x\n", +diff --git a/drivers/video/console/bitblit.c b/drivers/video/console/bitblit.c +index 61b182bf32a2..dbfe4eecf12e 100644 +--- a/drivers/video/console/bitblit.c ++++ b/drivers/video/console/bitblit.c +@@ -205,7 +205,6 @@ static void bit_putcs(struct vc_data *vc, struct fb_info *info, + static void bit_clear_margins(struct vc_data *vc, struct fb_info *info, + int bottom_only) + { +- int bgshift = (vc->vc_hi_font_mask) ? 13 : 12; + unsigned int cw = vc->vc_font.width; + unsigned int ch = vc->vc_font.height; + unsigned int rw = info->var.xres - (vc->vc_cols*cw); +@@ -214,7 +213,7 @@ static void bit_clear_margins(struct vc_data *vc, struct fb_info *info, + unsigned int bs = info->var.yres - bh; + struct fb_fillrect region; + +- region.color = attr_bgcol_ec(bgshift, vc, info); ++ region.color = 0; + region.rop = ROP_COPY; + + if (rw && !bottom_only) { +diff --git a/drivers/video/console/fbcon_ccw.c b/drivers/video/console/fbcon_ccw.c +index 41b32ae23dac..5a3cbf6dff4d 100644 +--- a/drivers/video/console/fbcon_ccw.c ++++ b/drivers/video/console/fbcon_ccw.c +@@ -197,9 +197,8 @@ static void ccw_clear_margins(struct vc_data *vc, struct fb_info *info, + unsigned int bh = info->var.xres - (vc->vc_rows*ch); + unsigned int bs = vc->vc_rows*ch; + struct fb_fillrect region; +- int bgshift = (vc->vc_hi_font_mask) ? 13 : 12; + +- region.color = attr_bgcol_ec(bgshift,vc,info); ++ region.color = 0; + region.rop = ROP_COPY; + + if (rw && !bottom_only) { +diff --git a/drivers/video/console/fbcon_cw.c b/drivers/video/console/fbcon_cw.c +index a93670ef7f89..e7ee44db4e98 100644 +--- a/drivers/video/console/fbcon_cw.c ++++ b/drivers/video/console/fbcon_cw.c +@@ -180,9 +180,8 @@ static void cw_clear_margins(struct vc_data *vc, struct fb_info *info, + unsigned int bh = info->var.xres - (vc->vc_rows*ch); + unsigned int rs = info->var.yres - rw; + struct fb_fillrect region; +- int bgshift = (vc->vc_hi_font_mask) ? 13 : 12; + +- region.color = attr_bgcol_ec(bgshift,vc,info); ++ region.color = 0; + region.rop = ROP_COPY; + + if (rw && !bottom_only) { +diff --git a/drivers/video/console/fbcon_ud.c b/drivers/video/console/fbcon_ud.c +index ff0872c0498b..19e3714abfe8 100644 +--- a/drivers/video/console/fbcon_ud.c ++++ b/drivers/video/console/fbcon_ud.c +@@ -227,9 +227,8 @@ static void ud_clear_margins(struct vc_data *vc, struct fb_info *info, + unsigned int rw = info->var.xres - (vc->vc_cols*cw); + unsigned int bh = info->var.yres - (vc->vc_rows*ch); + struct fb_fillrect region; +- int bgshift = (vc->vc_hi_font_mask) ? 13 : 12; + +- region.color = attr_bgcol_ec(bgshift,vc,info); ++ region.color = 0; + region.rop = ROP_COPY; + + if (rw && !bottom_only) { +diff --git a/drivers/virtio/virtio_pci.c b/drivers/virtio/virtio_pci.c +index a7ce73029f59..933241a6ab10 100644 +--- a/drivers/virtio/virtio_pci.c ++++ b/drivers/virtio/virtio_pci.c +@@ -791,6 +791,7 @@ static int virtio_pci_restore(struct device *dev) + struct pci_dev *pci_dev = to_pci_dev(dev); + struct virtio_pci_device *vp_dev = pci_get_drvdata(pci_dev); + struct virtio_driver *drv; ++ unsigned status = 0; + int ret; + + drv = container_of(vp_dev->vdev.dev.driver, +@@ -801,14 +802,40 @@ static int virtio_pci_restore(struct device *dev) + return ret; + + pci_set_master(pci_dev); ++ /* We always start by resetting the device, in case a previous ++ * driver messed it up. */ ++ vp_reset(&vp_dev->vdev); ++ ++ /* Acknowledge that we've seen the device. */ ++ status |= VIRTIO_CONFIG_S_ACKNOWLEDGE; ++ vp_set_status(&vp_dev->vdev, status); ++ ++ /* Maybe driver failed before freeze. ++ * Restore the failed status, for debugging. */ ++ status |= vp_dev->saved_status & VIRTIO_CONFIG_S_FAILED; ++ vp_set_status(&vp_dev->vdev, status); ++ ++ if (!drv) ++ return 0; ++ ++ /* We have a driver! */ ++ status |= VIRTIO_CONFIG_S_DRIVER; ++ vp_set_status(&vp_dev->vdev, status); ++ + vp_finalize_features(&vp_dev->vdev); + +- if (drv && drv->restore) ++ if (drv->restore) { + ret = drv->restore(&vp_dev->vdev); ++ if (ret) { ++ status |= VIRTIO_CONFIG_S_FAILED; ++ vp_set_status(&vp_dev->vdev, status); ++ return ret; ++ } ++ } + + /* Finally, tell the device we're all set */ +- if (!ret) +- vp_set_status(&vp_dev->vdev, vp_dev->saved_status); ++ status |= VIRTIO_CONFIG_S_DRIVER_OK; ++ vp_set_status(&vp_dev->vdev, status); + + return ret; + } +diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c +index 3af77aa051d2..e4bcfec7787e 100644 +--- a/fs/btrfs/file-item.c ++++ b/fs/btrfs/file-item.c +@@ -403,7 +403,7 @@ int btrfs_lookup_csums_range(struct btrfs_root *root, u64 start, u64 end, + ret = 0; + fail: + while (ret < 0 && !list_empty(&tmplist)) { +- sums = list_entry(&tmplist, struct btrfs_ordered_sum, list); ++ sums = list_entry(tmplist.next, struct btrfs_ordered_sum, list); + list_del(&sums->list); + kfree(sums); + } +diff --git a/fs/buffer.c b/fs/buffer.c +index 10fca21ee8aa..83fedaa53b55 100644 +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -2018,6 +2018,7 @@ int generic_write_end(struct file *file, struct address_space *mapping, + struct page *page, void *fsdata) + { + struct inode *inode = mapping->host; ++ loff_t old_size = inode->i_size; + int i_size_changed = 0; + + copied = block_write_end(file, mapping, pos, len, copied, page, fsdata); +@@ -2037,6 +2038,8 @@ int generic_write_end(struct file *file, struct address_space *mapping, + unlock_page(page); + page_cache_release(page); + ++ if (old_size < pos) ++ pagecache_isize_extended(inode, old_size, pos); + /* + * Don't mark the inode dirty under page lock. First, it unnecessarily + * makes the holding time of page lock longer. Second, it forces lock +@@ -2254,6 +2257,11 @@ static int cont_expand_zero(struct file *file, struct address_space *mapping, + err = 0; + + balance_dirty_pages_ratelimited(mapping); ++ ++ if (unlikely(fatal_signal_pending(current))) { ++ err = -EINTR; ++ goto out; ++ } + } + + /* page covers the boundary, find the boundary offset */ +diff --git a/fs/ext3/super.c b/fs/ext3/super.c +index 6356665a74bb..882d4bdfd428 100644 +--- a/fs/ext3/super.c ++++ b/fs/ext3/super.c +@@ -1300,13 +1300,6 @@ set_qf_format: + "not specified."); + return 0; + } +- } else { +- if (sbi->s_jquota_fmt) { +- ext3_msg(sb, KERN_ERR, "error: journaled quota format " +- "specified with no journaling " +- "enabled."); +- return 0; +- } + } + #endif + return 1; +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 790b14c5f262..e4c4ac07cc32 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2088,6 +2088,7 @@ int do_journal_get_write_access(handle_t *handle, + #define CONVERT_INLINE_DATA 2 + + extern struct inode *ext4_iget(struct super_block *, unsigned long); ++extern struct inode *ext4_iget_normal(struct super_block *, unsigned long); + extern int ext4_write_inode(struct inode *, struct writeback_control *); + extern int ext4_setattr(struct dentry *, struct iattr *); + extern int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry, +@@ -2260,8 +2261,8 @@ extern int ext4_register_li_request(struct super_block *sb, + static inline int ext4_has_group_desc_csum(struct super_block *sb) + { + return EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_GDT_CSUM | +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM); ++ EXT4_FEATURE_RO_COMPAT_GDT_CSUM) || ++ (EXT4_SB(sb)->s_chksum_driver != NULL); + } + + static inline ext4_fsblk_t ext4_blocks_count(struct ext4_super_block *es) +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index 1ecd3a8c2444..4d4718cf25ab 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -793,6 +793,10 @@ got: + struct buffer_head *block_bitmap_bh; + + block_bitmap_bh = ext4_read_block_bitmap(sb, group); ++ if (!block_bitmap_bh) { ++ err = -EIO; ++ goto out; ++ } + BUFFER_TRACE(block_bitmap_bh, "get block bitmap access"); + err = ext4_journal_get_write_access(handle, block_bitmap_bh); + if (err) { +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index f9e11df768d5..e48bd5a1814b 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2647,6 +2647,20 @@ static int ext4_nonda_switch(struct super_block *sb) + return 0; + } + ++/* We always reserve for an inode update; the superblock could be there too */ ++static int ext4_da_write_credits(struct inode *inode, loff_t pos, unsigned len) ++{ ++ if (likely(EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, ++ EXT4_FEATURE_RO_COMPAT_LARGE_FILE))) ++ return 1; ++ ++ if (pos + len <= 0x7fffffffULL) ++ return 1; ++ ++ /* We might need to update the superblock to set LARGE_FILE */ ++ return 2; ++} ++ + static int ext4_da_write_begin(struct file *file, struct address_space *mapping, + loff_t pos, unsigned len, unsigned flags, + struct page **pagep, void **fsdata) +@@ -2697,7 +2711,8 @@ retry_grab: + * of file which has an already mapped buffer. + */ + retry_journal: +- handle = ext4_journal_start(inode, EXT4_HT_WRITE_PAGE, 1); ++ handle = ext4_journal_start(inode, EXT4_HT_WRITE_PAGE, ++ ext4_da_write_credits(inode, pos, len)); + if (IS_ERR(handle)) { + page_cache_release(page); + return PTR_ERR(handle); +@@ -4351,6 +4366,13 @@ bad_inode: + return ERR_PTR(ret); + } + ++struct inode *ext4_iget_normal(struct super_block *sb, unsigned long ino) ++{ ++ if (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO) ++ return ERR_PTR(-EIO); ++ return ext4_iget(sb, ino); ++} ++ + static int ext4_inode_blocks_set(handle_t *handle, + struct ext4_inode *raw_inode, + struct ext4_inode_info *ei) +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index 42624a995b00..d4fd81c44f55 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -549,9 +549,17 @@ group_add_out: + } + + case EXT4_IOC_SWAP_BOOT: ++ { ++ int err; + if (!(filp->f_mode & FMODE_WRITE)) + return -EBADF; +- return swap_inode_boot_loader(sb, inode); ++ err = mnt_want_write_file(filp); ++ if (err) ++ return err; ++ err = swap_inode_boot_loader(sb, inode); ++ mnt_drop_write_file(filp); ++ return err; ++ } + + case EXT4_IOC_RESIZE_FS: { + ext4_fsblk_t n_blocks_count; +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index ab2f6dc44b3a..f1312173fa90 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1430,7 +1430,7 @@ static struct dentry *ext4_lookup(struct inode *dir, struct dentry *dentry, unsi + dentry->d_name.name); + return ERR_PTR(-EIO); + } +- inode = ext4_iget(dir->i_sb, ino); ++ inode = ext4_iget_normal(dir->i_sb, ino); + if (inode == ERR_PTR(-ESTALE)) { + EXT4_ERROR_INODE(dir, + "deleted inode referenced: %u", +@@ -1461,7 +1461,7 @@ struct dentry *ext4_get_parent(struct dentry *child) + return ERR_PTR(-EIO); + } + +- return d_obtain_alias(ext4_iget(child->d_inode->i_sb, ino)); ++ return d_obtain_alias(ext4_iget_normal(child->d_inode->i_sb, ino)); + } + + /* +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index c503850a61a8..a69bd74ed390 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1066,7 +1066,7 @@ static void update_backups(struct super_block *sb, int blk_off, char *data, + break; + + if (meta_bg == 0) +- backup_block = group * bpg + blk_off; ++ backup_block = ((ext4_fsblk_t)group) * bpg + blk_off; + else + backup_block = (ext4_group_first_block_no(sb, group) + + ext4_bg_has_super(sb, group)); +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 1fc14f7a08b2..21a0b43a7d31 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -964,7 +964,7 @@ static struct inode *ext4_nfs_get_inode(struct super_block *sb, + * Currently we don't know the generation for parent directory, so + * a generation of 0 means "accept any" + */ +- inode = ext4_iget(sb, ino); ++ inode = ext4_iget_normal(sb, ino); + if (IS_ERR(inode)) + return ERR_CAST(inode); + if (generation && inode->i_generation != generation) { +@@ -1632,13 +1632,6 @@ static int parse_options(char *options, struct super_block *sb, + "not specified"); + return 0; + } +- } else { +- if (sbi->s_jquota_fmt) { +- ext4_msg(sb, KERN_ERR, "journaled quota format " +- "specified with no journaling " +- "enabled"); +- return 0; +- } + } + #endif + if (test_opt(sb, DIOREAD_NOLOCK)) { +@@ -1957,6 +1950,10 @@ static __le16 ext4_group_desc_csum(struct ext4_sb_info *sbi, __u32 block_group, + } + + /* old crc16 code */ ++ if (!(sbi->s_es->s_feature_ro_compat & ++ cpu_to_le32(EXT4_FEATURE_RO_COMPAT_GDT_CSUM))) ++ return 0; ++ + offset = offsetof(struct ext4_group_desc, bg_checksum); + + crc = crc16(~0, sbi->s_es->s_uuid, sizeof(sbi->s_es->s_uuid)); +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 298e9c8da364..a20816e7eb3a 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -189,14 +189,28 @@ ext4_listxattr(struct dentry *dentry, char *buffer, size_t size) + } + + static int +-ext4_xattr_check_names(struct ext4_xattr_entry *entry, void *end) ++ext4_xattr_check_names(struct ext4_xattr_entry *entry, void *end, ++ void *value_start) + { +- while (!IS_LAST_ENTRY(entry)) { +- struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(entry); ++ struct ext4_xattr_entry *e = entry; ++ ++ while (!IS_LAST_ENTRY(e)) { ++ struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e); + if ((void *)next >= end) + return -EIO; +- entry = next; ++ e = next; + } ++ ++ while (!IS_LAST_ENTRY(entry)) { ++ if (entry->e_value_size != 0 && ++ (value_start + le16_to_cpu(entry->e_value_offs) < ++ (void *)e + sizeof(__u32) || ++ value_start + le16_to_cpu(entry->e_value_offs) + ++ le32_to_cpu(entry->e_value_size) > end)) ++ return -EIO; ++ entry = EXT4_XATTR_NEXT(entry); ++ } ++ + return 0; + } + +@@ -213,7 +227,8 @@ ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh) + return -EIO; + if (!ext4_xattr_block_csum_verify(inode, bh->b_blocknr, BHDR(bh))) + return -EIO; +- error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size); ++ error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size, ++ bh->b_data); + if (!error) + set_buffer_verified(bh); + return error; +@@ -329,7 +344,7 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, + header = IHDR(inode, raw_inode); + entry = IFIRST(header); + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; +- error = ext4_xattr_check_names(entry, end); ++ error = ext4_xattr_check_names(entry, end, entry); + if (error) + goto cleanup; + error = ext4_xattr_find_entry(&entry, name_index, name, +@@ -457,7 +472,7 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size) + raw_inode = ext4_raw_inode(&iloc); + header = IHDR(inode, raw_inode); + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; +- error = ext4_xattr_check_names(IFIRST(header), end); ++ error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header)); + if (error) + goto cleanup; + error = ext4_xattr_list_entries(dentry, IFIRST(header), +@@ -972,7 +987,8 @@ int ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i, + is->s.here = is->s.first; + is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; + if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) { +- error = ext4_xattr_check_names(IFIRST(header), is->s.end); ++ error = ext4_xattr_check_names(IFIRST(header), is->s.end, ++ IFIRST(header)); + if (error) + return error; + /* Find the named attribute. */ +diff --git a/fs/jbd2/recovery.c b/fs/jbd2/recovery.c +index 3bacc1909ddb..6e2fb5cbacde 100644 +--- a/fs/jbd2/recovery.c ++++ b/fs/jbd2/recovery.c +@@ -522,6 +522,7 @@ static int do_one_pass(journal_t *journal, + !jbd2_descr_block_csum_verify(journal, + bh->b_data)) { + err = -EIO; ++ brelse(bh); + goto failed; + } + +diff --git a/fs/jffs2/jffs2_fs_sb.h b/fs/jffs2/jffs2_fs_sb.h +index 413ef89c2d1b..046fee8b6e9b 100644 +--- a/fs/jffs2/jffs2_fs_sb.h ++++ b/fs/jffs2/jffs2_fs_sb.h +@@ -134,8 +134,6 @@ struct jffs2_sb_info { + struct rw_semaphore wbuf_sem; /* Protects the write buffer */ + + struct delayed_work wbuf_dwork; /* write-buffer write-out work */ +- int wbuf_queued; /* non-zero delayed work is queued */ +- spinlock_t wbuf_dwork_lock; /* protects wbuf_dwork and and wbuf_queued */ + + unsigned char *oobbuf; + int oobavail; /* How many bytes are available for JFFS2 in OOB */ +diff --git a/fs/jffs2/wbuf.c b/fs/jffs2/wbuf.c +index a6597d60d76d..09ed55190ee2 100644 +--- a/fs/jffs2/wbuf.c ++++ b/fs/jffs2/wbuf.c +@@ -1162,10 +1162,6 @@ static void delayed_wbuf_sync(struct work_struct *work) + struct jffs2_sb_info *c = work_to_sb(work); + struct super_block *sb = OFNI_BS_2SFFJ(c); + +- spin_lock(&c->wbuf_dwork_lock); +- c->wbuf_queued = 0; +- spin_unlock(&c->wbuf_dwork_lock); +- + if (!(sb->s_flags & MS_RDONLY)) { + jffs2_dbg(1, "%s()\n", __func__); + jffs2_flush_wbuf_gc(c, 0); +@@ -1180,14 +1176,9 @@ void jffs2_dirty_trigger(struct jffs2_sb_info *c) + if (sb->s_flags & MS_RDONLY) + return; + +- spin_lock(&c->wbuf_dwork_lock); +- if (!c->wbuf_queued) { ++ delay = msecs_to_jiffies(dirty_writeback_interval * 10); ++ if (queue_delayed_work(system_long_wq, &c->wbuf_dwork, delay)) + jffs2_dbg(1, "%s()\n", __func__); +- delay = msecs_to_jiffies(dirty_writeback_interval * 10); +- queue_delayed_work(system_long_wq, &c->wbuf_dwork, delay); +- c->wbuf_queued = 1; +- } +- spin_unlock(&c->wbuf_dwork_lock); + } + + int jffs2_nand_flash_setup(struct jffs2_sb_info *c) +@@ -1211,7 +1202,6 @@ int jffs2_nand_flash_setup(struct jffs2_sb_info *c) + + /* Initialise write buffer */ + init_rwsem(&c->wbuf_sem); +- spin_lock_init(&c->wbuf_dwork_lock); + INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync); + c->wbuf_pagesize = c->mtd->writesize; + c->wbuf_ofs = 0xFFFFFFFF; +@@ -1251,7 +1241,6 @@ int jffs2_dataflash_setup(struct jffs2_sb_info *c) { + + /* Initialize write buffer */ + init_rwsem(&c->wbuf_sem); +- spin_lock_init(&c->wbuf_dwork_lock); + INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync); + c->wbuf_pagesize = c->mtd->erasesize; + +@@ -1311,7 +1300,6 @@ int jffs2_nor_wbuf_flash_setup(struct jffs2_sb_info *c) { + + /* Initialize write buffer */ + init_rwsem(&c->wbuf_sem); +- spin_lock_init(&c->wbuf_dwork_lock); + INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync); + + c->wbuf_pagesize = c->mtd->writesize; +@@ -1346,7 +1334,6 @@ int jffs2_ubivol_setup(struct jffs2_sb_info *c) { + return 0; + + init_rwsem(&c->wbuf_sem); +- spin_lock_init(&c->wbuf_dwork_lock); + INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync); + + c->wbuf_pagesize = c->mtd->writesize; +diff --git a/fs/lockd/mon.c b/fs/lockd/mon.c +index 1812f026960c..6ae664b489af 100644 +--- a/fs/lockd/mon.c ++++ b/fs/lockd/mon.c +@@ -159,6 +159,12 @@ static int nsm_mon_unmon(struct nsm_handle *nsm, u32 proc, struct nsm_res *res, + + msg.rpc_proc = &clnt->cl_procinfo[proc]; + status = rpc_call_sync(clnt, &msg, RPC_TASK_SOFTCONN); ++ if (status == -ECONNREFUSED) { ++ dprintk("lockd: NSM upcall RPC failed, status=%d, forcing rebind\n", ++ status); ++ rpc_force_rebind(clnt); ++ status = rpc_call_sync(clnt, &msg, RPC_TASK_SOFTCONN); ++ } + if (status < 0) + dprintk("lockd: NSM upcall RPC failed, status=%d\n", + status); +diff --git a/fs/namespace.c b/fs/namespace.c +index 7f6a9348c589..154822397780 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2696,6 +2696,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, + /* make sure we can reach put_old from new_root */ + if (!is_path_reachable(old_mnt, old.dentry, &new)) + goto out4; ++ /* make certain new is below the root */ ++ if (!is_path_reachable(new_mnt, new.dentry, &root)) ++ goto out4; + root_mp->m_count++; /* pin it so it won't go away */ + br_write_lock(&vfsmount_lock); + detach_mnt(new_mnt, &parent_path); +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index 0f9ce13972d0..9240dd1678da 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1191,7 +1191,8 @@ static bool need_wrongsec_check(struct svc_rqst *rqstp) + */ + if (argp->opcnt == resp->opcnt) + return false; +- ++ if (next->opnum == OP_ILLEGAL) ++ return false; + nextd = OPDESC(next); + /* + * Rest of 2.6.3.1.1: certain operations will return WRONGSEC +diff --git a/fs/pstore/inode.c b/fs/pstore/inode.c +index e4bcb2cf055a..3ba30825f387 100644 +--- a/fs/pstore/inode.c ++++ b/fs/pstore/inode.c +@@ -316,10 +316,10 @@ int pstore_mkfile(enum pstore_type_id type, char *psname, u64 id, int count, + sprintf(name, "dmesg-%s-%lld", psname, id); + break; + case PSTORE_TYPE_CONSOLE: +- sprintf(name, "console-%s", psname); ++ sprintf(name, "console-%s-%lld", psname, id); + break; + case PSTORE_TYPE_FTRACE: +- sprintf(name, "ftrace-%s", psname); ++ sprintf(name, "ftrace-%s-%lld", psname, id); + break; + case PSTORE_TYPE_MCE: + sprintf(name, "mce-%s-%lld", psname, id); +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 38802d683969..7a10e047bc33 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -637,7 +637,7 @@ int dquot_writeback_dquots(struct super_block *sb, int type) + dqstats_inc(DQST_LOOKUPS); + err = sb->dq_op->write_dquot(dquot); + if (!ret && err) +- err = ret; ++ ret = err; + dqput(dquot); + spin_lock(&dq_list_lock); + } +diff --git a/fs/super.c b/fs/super.c +index 68307c029228..e028b508db25 100644 +--- a/fs/super.c ++++ b/fs/super.c +@@ -76,6 +76,8 @@ static int prune_super(struct shrinker *shrink, struct shrink_control *sc) + + total_objects = sb->s_nr_dentry_unused + + sb->s_nr_inodes_unused + fs_objects + 1; ++ if (!total_objects) ++ total_objects = 1; + + if (sc->nr_to_scan) { + int dentries; +diff --git a/fs/ubifs/commit.c b/fs/ubifs/commit.c +index ff8229340cd5..26b69b2d4a45 100644 +--- a/fs/ubifs/commit.c ++++ b/fs/ubifs/commit.c +@@ -166,15 +166,10 @@ static int do_commit(struct ubifs_info *c) + err = ubifs_orphan_end_commit(c); + if (err) + goto out; +- old_ltail_lnum = c->ltail_lnum; +- err = ubifs_log_end_commit(c, new_ltail_lnum); +- if (err) +- goto out; + err = dbg_check_old_index(c, &zroot); + if (err) + goto out; + +- mutex_lock(&c->mst_mutex); + c->mst_node->cmt_no = cpu_to_le64(c->cmt_no); + c->mst_node->log_lnum = cpu_to_le32(new_ltail_lnum); + c->mst_node->root_lnum = cpu_to_le32(zroot.lnum); +@@ -203,8 +198,9 @@ static int do_commit(struct ubifs_info *c) + c->mst_node->flags |= cpu_to_le32(UBIFS_MST_NO_ORPHS); + else + c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_NO_ORPHS); +- err = ubifs_write_master(c); +- mutex_unlock(&c->mst_mutex); ++ ++ old_ltail_lnum = c->ltail_lnum; ++ err = ubifs_log_end_commit(c, new_ltail_lnum); + if (err) + goto out; + +diff --git a/fs/ubifs/log.c b/fs/ubifs/log.c +index 36bd4efd0819..06649d21b056 100644 +--- a/fs/ubifs/log.c ++++ b/fs/ubifs/log.c +@@ -106,10 +106,14 @@ static inline long long empty_log_bytes(const struct ubifs_info *c) + h = (long long)c->lhead_lnum * c->leb_size + c->lhead_offs; + t = (long long)c->ltail_lnum * c->leb_size; + +- if (h >= t) ++ if (h > t) + return c->log_bytes - h + t; +- else ++ else if (h != t) + return t - h; ++ else if (c->lhead_lnum != c->ltail_lnum) ++ return 0; ++ else ++ return c->log_bytes; + } + + /** +@@ -447,9 +451,9 @@ out: + * @ltail_lnum: new log tail LEB number + * + * This function is called on when the commit operation was finished. It +- * moves log tail to new position and unmaps LEBs which contain obsolete data. +- * Returns zero in case of success and a negative error code in case of +- * failure. ++ * moves log tail to new position and updates the master node so that it stores ++ * the new log tail LEB number. Returns zero in case of success and a negative ++ * error code in case of failure. + */ + int ubifs_log_end_commit(struct ubifs_info *c, int ltail_lnum) + { +@@ -477,7 +481,12 @@ int ubifs_log_end_commit(struct ubifs_info *c, int ltail_lnum) + spin_unlock(&c->buds_lock); + + err = dbg_check_bud_bytes(c); ++ if (err) ++ goto out; + ++ err = ubifs_write_master(c); ++ ++out: + mutex_unlock(&c->log_mutex); + return err; + } +diff --git a/fs/ubifs/master.c b/fs/ubifs/master.c +index ab83ace9910a..1a4bb9e8b3b8 100644 +--- a/fs/ubifs/master.c ++++ b/fs/ubifs/master.c +@@ -352,10 +352,9 @@ int ubifs_read_master(struct ubifs_info *c) + * ubifs_write_master - write master node. + * @c: UBIFS file-system description object + * +- * This function writes the master node. The caller has to take the +- * @c->mst_mutex lock before calling this function. Returns zero in case of +- * success and a negative error code in case of failure. The master node is +- * written twice to enable recovery. ++ * This function writes the master node. Returns zero in case of success and a ++ * negative error code in case of failure. The master node is written twice to ++ * enable recovery. + */ + int ubifs_write_master(struct ubifs_info *c) + { +diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c +index 879b9976c12b..05115d719408 100644 +--- a/fs/ubifs/super.c ++++ b/fs/ubifs/super.c +@@ -1970,7 +1970,6 @@ static struct ubifs_info *alloc_ubifs_info(struct ubi_volume_desc *ubi) + mutex_init(&c->lp_mutex); + mutex_init(&c->tnc_mutex); + mutex_init(&c->log_mutex); +- mutex_init(&c->mst_mutex); + mutex_init(&c->umount_mutex); + mutex_init(&c->bu_mutex); + mutex_init(&c->write_reserve_mutex); +diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h +index b2babce4d70f..bd51277f6fe1 100644 +--- a/fs/ubifs/ubifs.h ++++ b/fs/ubifs/ubifs.h +@@ -1042,7 +1042,6 @@ struct ubifs_debug_info; + * + * @mst_node: master node + * @mst_offs: offset of valid master node +- * @mst_mutex: protects the master node area, @mst_node, and @mst_offs + * + * @max_bu_buf_len: maximum bulk-read buffer length + * @bu_mutex: protects the pre-allocated bulk-read buffer and @c->bu +@@ -1282,7 +1281,6 @@ struct ubifs_info { + + struct ubifs_mst_node *mst_node; + int mst_offs; +- struct mutex mst_mutex; + + int max_bu_buf_len; + struct mutex bu_mutex; +diff --git a/include/drm/drm_pciids.h b/include/drm/drm_pciids.h +index 3a1cff56ef20..d7b717090f2f 100644 +--- a/include/drm/drm_pciids.h ++++ b/include/drm/drm_pciids.h +@@ -52,7 +52,6 @@ + {0x1002, 0x4C64, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV250|RADEON_IS_MOBILITY}, \ + {0x1002, 0x4C66, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV250|RADEON_IS_MOBILITY}, \ + {0x1002, 0x4C67, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV250|RADEON_IS_MOBILITY}, \ +- {0x1002, 0x4C6E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV280|RADEON_IS_MOBILITY}, \ + {0x1002, 0x4E44, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R300}, \ + {0x1002, 0x4E45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R300}, \ + {0x1002, 0x4E46, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R300}, \ +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index 2fdb4a451b49..494d228a91dd 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -1187,10 +1187,9 @@ static inline int queue_alignment_offset(struct request_queue *q) + static inline int queue_limit_alignment_offset(struct queue_limits *lim, sector_t sector) + { + unsigned int granularity = max(lim->physical_block_size, lim->io_min); +- unsigned int alignment = (sector << 9) & (granularity - 1); ++ unsigned int alignment = sector_div(sector, granularity >> 9) << 9; + +- return (granularity + lim->alignment_offset - alignment) +- & (granularity - 1); ++ return (granularity + lim->alignment_offset - alignment) % granularity; + } + + static inline int bdev_alignment_offset(struct block_device *bdev) +diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h +index 24545cd90a25..02ae99e8e6d3 100644 +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -37,6 +37,9 @@ + __asm__ ("" : "=r"(__ptr) : "0"(ptr)); \ + (typeof(ptr)) (__ptr + (off)); }) + ++/* Make the optimizer believe the variable can be manipulated arbitrarily. */ ++#define OPTIMIZER_HIDE_VAR(var) __asm__ ("" : "=r" (var) : "0" (var)) ++ + #ifdef __CHECKER__ + #define __must_be_array(arr) 0 + #else +diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h +index dc1bd3dcf11f..5529c5239421 100644 +--- a/include/linux/compiler-intel.h ++++ b/include/linux/compiler-intel.h +@@ -15,6 +15,7 @@ + */ + #undef barrier + #undef RELOC_HIDE ++#undef OPTIMIZER_HIDE_VAR + + #define barrier() __memory_barrier() + +@@ -23,6 +24,12 @@ + __ptr = (unsigned long) (ptr); \ + (typeof(ptr)) (__ptr + (off)); }) + ++/* This should act as an optimization barrier on var. ++ * Given that this compiler does not have inline assembly, a compiler barrier ++ * is the best we can do. ++ */ ++#define OPTIMIZER_HIDE_VAR(var) barrier() ++ + /* Intel ECC compiler doesn't support __builtin_types_compatible_p() */ + #define __must_be_array(a) 0 + +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index 92669cd182a6..a2329c5e6206 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -170,6 +170,10 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); + (typeof(ptr)) (__ptr + (off)); }) + #endif + ++#ifndef OPTIMIZER_HIDE_VAR ++#define OPTIMIZER_HIDE_VAR(var) barrier() ++#endif ++ + /* Not-quite-unique ID. */ + #ifndef __UNIQUE_ID + # define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __LINE__) +diff --git a/include/linux/mm.h b/include/linux/mm.h +index a9a48309f045..7da14357aa76 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1004,6 +1004,7 @@ static inline void unmap_shared_mapping_range(struct address_space *mapping, + + extern void truncate_pagecache(struct inode *inode, loff_t old, loff_t new); + extern void truncate_setsize(struct inode *inode, loff_t newsize); ++void pagecache_isize_extended(struct inode *inode, loff_t from, loff_t to); + void truncate_pagecache_range(struct inode *inode, loff_t offset, loff_t end); + int truncate_inode_page(struct address_space *mapping, struct page *page); + int generic_error_remove_page(struct address_space *mapping, struct page *page); +diff --git a/include/linux/of.h b/include/linux/of.h +index 1fd08ca23106..5e9d35233a65 100644 +--- a/include/linux/of.h ++++ b/include/linux/of.h +@@ -252,14 +252,12 @@ extern int of_property_read_u64(const struct device_node *np, + extern int of_property_read_string(struct device_node *np, + const char *propname, + const char **out_string); +-extern int of_property_read_string_index(struct device_node *np, +- const char *propname, +- int index, const char **output); + extern int of_property_match_string(struct device_node *np, + const char *propname, + const char *string); +-extern int of_property_count_strings(struct device_node *np, +- const char *propname); ++extern int of_property_read_string_helper(struct device_node *np, ++ const char *propname, ++ const char **out_strs, size_t sz, int index); + extern int of_device_is_compatible(const struct device_node *device, + const char *); + extern int of_device_is_available(const struct device_node *device); +@@ -439,15 +437,9 @@ static inline int of_property_read_string(struct device_node *np, + return -ENOSYS; + } + +-static inline int of_property_read_string_index(struct device_node *np, +- const char *propname, int index, +- const char **out_string) +-{ +- return -ENOSYS; +-} +- +-static inline int of_property_count_strings(struct device_node *np, +- const char *propname) ++static inline int of_property_read_string_helper(struct device_node *np, ++ const char *propname, ++ const char **out_strs, size_t sz, int index) + { + return -ENOSYS; + } +@@ -523,6 +515,70 @@ static inline int of_node_to_nid(struct device_node *np) + #endif + + /** ++ * of_property_read_string_array() - Read an array of strings from a multiple ++ * strings property. ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. ++ * @out_strs: output array of string pointers. ++ * @sz: number of array elements to read. ++ * ++ * Search for a property in a device tree node and retrieve a list of ++ * terminated string values (pointer to data, not a copy) in that property. ++ * ++ * If @out_strs is NULL, the number of strings in the property is returned. ++ */ ++static inline int of_property_read_string_array(struct device_node *np, ++ const char *propname, const char **out_strs, ++ size_t sz) ++{ ++ return of_property_read_string_helper(np, propname, out_strs, sz, 0); ++} ++ ++/** ++ * of_property_count_strings() - Find and return the number of strings from a ++ * multiple strings property. ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. ++ * ++ * Search for a property in a device tree node and retrieve the number of null ++ * terminated string contain in it. Returns the number of strings on ++ * success, -EINVAL if the property does not exist, -ENODATA if property ++ * does not have a value, and -EILSEQ if the string is not null-terminated ++ * within the length of the property data. ++ */ ++static inline int of_property_count_strings(struct device_node *np, ++ const char *propname) ++{ ++ return of_property_read_string_helper(np, propname, NULL, 0, 0); ++} ++ ++/** ++ * of_property_read_string_index() - Find and read a string from a multiple ++ * strings property. ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. ++ * @index: index of the string in the list of strings ++ * @out_string: pointer to null terminated return string, modified only if ++ * return value is 0. ++ * ++ * Search for a property in a device tree node and retrieve a null ++ * terminated string value (pointer to data, not a copy) in the list of strings ++ * contained in that property. ++ * Returns 0 on success, -EINVAL if the property does not exist, -ENODATA if ++ * property does not have a value, and -EILSEQ if the string is not ++ * null-terminated within the length of the property data. ++ * ++ * The out_string pointer is modified only if a valid string can be decoded. ++ */ ++static inline int of_property_read_string_index(struct device_node *np, ++ const char *propname, ++ int index, const char **output) ++{ ++ int rc = of_property_read_string_helper(np, propname, output, 1, index); ++ return rc < 0 ? rc : 0; ++} ++ ++/** + * of_property_read_bool - Findfrom a property + * @np: device node from which the property value is to be read. + * @propname: name of the property to be searched. +diff --git a/include/linux/oom.h b/include/linux/oom.h +index da60007075b5..297cda528855 100644 +--- a/include/linux/oom.h ++++ b/include/linux/oom.h +@@ -50,6 +50,9 @@ static inline bool oom_task_origin(const struct task_struct *p) + extern unsigned long oom_badness(struct task_struct *p, + struct mem_cgroup *memcg, const nodemask_t *nodemask, + unsigned long totalpages); ++ ++extern int oom_kills_count(void); ++extern void note_oom_kill(void); + extern void oom_kill_process(struct task_struct *p, gfp_t gfp_mask, int order, + unsigned int points, unsigned long totalpages, + struct mem_cgroup *memcg, nodemask_t *nodemask, +diff --git a/include/linux/string.h b/include/linux/string.h +index ac889c5ea11b..0ed878d0465c 100644 +--- a/include/linux/string.h ++++ b/include/linux/string.h +@@ -129,7 +129,7 @@ int bprintf(u32 *bin_buf, size_t size, const char *fmt, ...) __printf(3, 4); + #endif + + extern ssize_t memory_read_from_buffer(void *to, size_t count, loff_t *ppos, +- const void *from, size_t available); ++ const void *from, size_t available); + + /** + * strstarts - does @str start with @prefix? +@@ -141,7 +141,8 @@ static inline bool strstarts(const char *str, const char *prefix) + return strncmp(str, prefix, strlen(prefix)) == 0; + } + +-extern size_t memweight(const void *ptr, size_t bytes); ++size_t memweight(const void *ptr, size_t bytes); ++void memzero_explicit(void *s, size_t count); + + /** + * kbasename - return the last part of a pathname. +diff --git a/kernel/freezer.c b/kernel/freezer.c +index 78758512b1e1..bd733f6e610d 100644 +--- a/kernel/freezer.c ++++ b/kernel/freezer.c +@@ -42,6 +42,9 @@ bool freezing_slow_path(struct task_struct *p) + if (p->flags & PF_NOFREEZE) + return false; + ++ if (test_thread_flag(TIF_MEMDIE)) ++ return false; ++ + if (pm_nosig_freezing || cgroup_freezing(p)) + return true; + +diff --git a/kernel/module.c b/kernel/module.c +index 10a3af821d28..61fb677211cb 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -1866,7 +1866,9 @@ static void free_module(struct module *mod) + + /* We leave it in list to prevent duplicate loads, but make sure + * that noone uses it while it's being deconstructed. */ ++ mutex_lock(&module_mutex); + mod->state = MODULE_STATE_UNFORMED; ++ mutex_unlock(&module_mutex); + + /* Remove dynamic debug info */ + ddebug_remove_module(mod->name); +diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c +index 424c2d4265c9..77e6b83c0431 100644 +--- a/kernel/posix-timers.c ++++ b/kernel/posix-timers.c +@@ -634,6 +634,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock, + goto out; + } + } else { ++ memset(&event.sigev_value, 0, sizeof(event.sigev_value)); + event.sigev_notify = SIGEV_SIGNAL; + event.sigev_signo = SIGALRM; + event.sigev_value.sival_int = new_timer->it_id; +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index b26f5f1e773e..1634dc6e2fe7 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -491,8 +491,14 @@ int hibernation_restore(int platform_mode) + error = dpm_suspend_start(PMSG_QUIESCE); + if (!error) { + error = resume_target_kernel(platform_mode); +- dpm_resume_end(PMSG_RECOVER); ++ /* ++ * The above should either succeed and jump to the new kernel, ++ * or return with an error. Otherwise things are just ++ * undefined, so let's be paranoid. ++ */ ++ BUG_ON(!error); + } ++ dpm_resume_end(PMSG_RECOVER); + pm_restore_gfp_mask(); + ftrace_start(); + resume_console(); +diff --git a/kernel/power/process.c b/kernel/power/process.c +index 1b212bee1510..0695319b5fde 100644 +--- a/kernel/power/process.c ++++ b/kernel/power/process.c +@@ -103,6 +103,28 @@ static int try_to_freeze_tasks(bool user_only) + return todo ? -EBUSY : 0; + } + ++/* ++ * Returns true if all freezable tasks (except for current) are frozen already ++ */ ++static bool check_frozen_processes(void) ++{ ++ struct task_struct *g, *p; ++ bool ret = true; ++ ++ read_lock(&tasklist_lock); ++ for_each_process_thread(g, p) { ++ if (p != current && !freezer_should_skip(p) && ++ !frozen(p)) { ++ ret = false; ++ goto done; ++ } ++ } ++done: ++ read_unlock(&tasklist_lock); ++ ++ return ret; ++} ++ + /** + * freeze_processes - Signal user space processes to enter the refrigerator. + * +@@ -111,6 +133,7 @@ static int try_to_freeze_tasks(bool user_only) + int freeze_processes(void) + { + int error; ++ int oom_kills_saved; + + error = __usermodehelper_disable(UMH_FREEZING); + if (error) +@@ -121,12 +144,27 @@ int freeze_processes(void) + + printk("Freezing user space processes ... "); + pm_freezing = true; ++ oom_kills_saved = oom_kills_count(); + error = try_to_freeze_tasks(true); + if (!error) { +- printk("done."); + __usermodehelper_set_disable_depth(UMH_DISABLED); + oom_killer_disable(); ++ ++ /* ++ * There might have been an OOM kill while we were ++ * freezing tasks and the killed task might be still ++ * on the way out so we have to double check for race. ++ */ ++ if (oom_kills_count() != oom_kills_saved && ++ !check_frozen_processes()) { ++ __usermodehelper_set_disable_depth(UMH_ENABLED); ++ printk("OOM in progress."); ++ error = -EBUSY; ++ goto done; ++ } ++ printk("done."); + } ++done: + printk("\n"); + BUG_ON(in_atomic()); + +diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c +index 322e16461072..bdb9ee0af991 100644 +--- a/kernel/trace/trace_syscalls.c ++++ b/kernel/trace/trace_syscalls.c +@@ -312,7 +312,7 @@ static void ftrace_syscall_enter(void *data, struct pt_regs *regs, long id) + int size; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + if (!test_bit(syscall_nr, tr->enabled_enter_syscalls)) + return; +@@ -354,7 +354,7 @@ static void ftrace_syscall_exit(void *data, struct pt_regs *regs, long ret) + int syscall_nr; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + if (!test_bit(syscall_nr, tr->enabled_exit_syscalls)) + return; +@@ -557,7 +557,7 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id) + int size; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + if (!test_bit(syscall_nr, enabled_perf_enter_syscalls)) + return; +@@ -633,7 +633,7 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret) + int size; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + if (!test_bit(syscall_nr, enabled_perf_exit_syscalls)) + return; +diff --git a/lib/bitmap.c b/lib/bitmap.c +index 06f7e4fe8d2d..e5c4ebe586ba 100644 +--- a/lib/bitmap.c ++++ b/lib/bitmap.c +@@ -131,7 +131,9 @@ void __bitmap_shift_right(unsigned long *dst, + lower = src[off + k]; + if (left && off + k == lim - 1) + lower &= mask; +- dst[k] = upper << (BITS_PER_LONG - rem) | lower >> rem; ++ dst[k] = lower >> rem; ++ if (rem) ++ dst[k] |= upper << (BITS_PER_LONG - rem); + if (left && k == lim - 1) + dst[k] &= mask; + } +@@ -172,7 +174,9 @@ void __bitmap_shift_left(unsigned long *dst, + upper = src[k]; + if (left && k == lim - 1) + upper &= (1UL << left) - 1; +- dst[k + off] = lower >> (BITS_PER_LONG - rem) | upper << rem; ++ dst[k + off] = upper << rem; ++ if (rem) ++ dst[k + off] |= lower >> (BITS_PER_LONG - rem); + if (left && k + off == lim - 1) + dst[k + off] &= (1UL << left) - 1; + } +diff --git a/lib/string.c b/lib/string.c +index e5878de4f101..43d0781daf47 100644 +--- a/lib/string.c ++++ b/lib/string.c +@@ -586,6 +586,22 @@ void *memset(void *s, int c, size_t count) + EXPORT_SYMBOL(memset); + #endif + ++/** ++ * memzero_explicit - Fill a region of memory (e.g. sensitive ++ * keying data) with 0s. ++ * @s: Pointer to the start of the area. ++ * @count: The size of the area. ++ * ++ * memzero_explicit() doesn't need an arch-specific version as ++ * it just invokes the one of memset() implicitly. ++ */ ++void memzero_explicit(void *s, size_t count) ++{ ++ memset(s, 0, count); ++ OPTIMIZER_HIDE_VAR(s); ++} ++EXPORT_SYMBOL(memzero_explicit); ++ + #ifndef __HAVE_ARCH_MEMCPY + /** + * memcpy - Copy one area of memory to another +diff --git a/mm/oom_kill.c b/mm/oom_kill.c +index 8e40908e724a..f104c7e9f61e 100644 +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -402,6 +402,23 @@ static void dump_header(struct task_struct *p, gfp_t gfp_mask, int order, + dump_tasks(memcg, nodemask); + } + ++/* ++ * Number of OOM killer invocations (including memcg OOM killer). ++ * Primarily used by PM freezer to check for potential races with ++ * OOM killed frozen task. ++ */ ++static atomic_t oom_kills = ATOMIC_INIT(0); ++ ++int oom_kills_count(void) ++{ ++ return atomic_read(&oom_kills); ++} ++ ++void note_oom_kill(void) ++{ ++ atomic_inc(&oom_kills); ++} ++ + #define K(x) ((x) << (PAGE_SHIFT-10)) + /* + * Must be called while holding a reference to p, which will be released upon +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 71305c6aba5b..494a081ec5e4 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -2120,6 +2120,14 @@ __alloc_pages_may_oom(gfp_t gfp_mask, unsigned int order, + } + + /* ++ * PM-freezer should be notified that there might be an OOM killer on ++ * its way to kill and wake somebody up. This is too early and we might ++ * end up not killing anything but false positives are acceptable. ++ * See freeze_processes. ++ */ ++ note_oom_kill(); ++ ++ /* + * Go through the zonelist yet one more time, keep very high watermark + * here, this is only to catch a parallel oom killing, we must fail if + * we're still under heavy pressure. +diff --git a/mm/page_cgroup.c b/mm/page_cgroup.c +index 6d757e3a872a..e007236f345a 100644 +--- a/mm/page_cgroup.c ++++ b/mm/page_cgroup.c +@@ -170,6 +170,7 @@ static void free_page_cgroup(void *addr) + sizeof(struct page_cgroup) * PAGES_PER_SECTION; + + BUG_ON(PageReserved(page)); ++ kmemleak_free(addr); + free_pages_exact(addr, table_size); + } + } +diff --git a/mm/percpu.c b/mm/percpu.c +index 9bc1bf914cc8..25e2ea52db82 100644 +--- a/mm/percpu.c ++++ b/mm/percpu.c +@@ -1910,8 +1910,6 @@ void __init setup_per_cpu_areas(void) + + if (pcpu_setup_first_chunk(ai, fc) < 0) + panic("Failed to initialize percpu areas."); +- +- pcpu_free_alloc_info(ai); + } + + #endif /* CONFIG_SMP */ +diff --git a/mm/truncate.c b/mm/truncate.c +index c75b736e54b7..2d6151fc8f08 100644 +--- a/mm/truncate.c ++++ b/mm/truncate.c +@@ -20,6 +20,7 @@ + #include <linux/buffer_head.h> /* grr. try_to_release_page, + do_invalidatepage */ + #include <linux/cleancache.h> ++#include <linux/rmap.h> + #include "internal.h" + + +@@ -567,16 +568,67 @@ EXPORT_SYMBOL(truncate_pagecache); + */ + void truncate_setsize(struct inode *inode, loff_t newsize) + { +- loff_t oldsize; ++ loff_t oldsize = inode->i_size; + +- oldsize = inode->i_size; + i_size_write(inode, newsize); +- ++ if (newsize > oldsize) ++ pagecache_isize_extended(inode, oldsize, newsize); + truncate_pagecache(inode, oldsize, newsize); + } + EXPORT_SYMBOL(truncate_setsize); + + /** ++ * pagecache_isize_extended - update pagecache after extension of i_size ++ * @inode: inode for which i_size was extended ++ * @from: original inode size ++ * @to: new inode size ++ * ++ * Handle extension of inode size either caused by extending truncate or by ++ * write starting after current i_size. We mark the page straddling current ++ * i_size RO so that page_mkwrite() is called on the nearest write access to ++ * the page. This way filesystem can be sure that page_mkwrite() is called on ++ * the page before user writes to the page via mmap after the i_size has been ++ * changed. ++ * ++ * The function must be called after i_size is updated so that page fault ++ * coming after we unlock the page will already see the new i_size. ++ * The function must be called while we still hold i_mutex - this not only ++ * makes sure i_size is stable but also that userspace cannot observe new ++ * i_size value before we are prepared to store mmap writes at new inode size. ++ */ ++void pagecache_isize_extended(struct inode *inode, loff_t from, loff_t to) ++{ ++ int bsize = 1 << inode->i_blkbits; ++ loff_t rounded_from; ++ struct page *page; ++ pgoff_t index; ++ ++ WARN_ON(to > inode->i_size); ++ ++ if (from >= to || bsize == PAGE_CACHE_SIZE) ++ return; ++ /* Page straddling @from will not have any hole block created? */ ++ rounded_from = round_up(from, bsize); ++ if (to <= rounded_from || !(rounded_from & (PAGE_CACHE_SIZE - 1))) ++ return; ++ ++ index = from >> PAGE_CACHE_SHIFT; ++ page = find_lock_page(inode->i_mapping, index); ++ /* Page not cached? Nothing to do */ ++ if (!page) ++ return; ++ /* ++ * See clear_page_dirty_for_io() for details why set_page_dirty() ++ * is needed. ++ */ ++ if (page_mkclean(page)) ++ set_page_dirty(page); ++ unlock_page(page); ++ page_cache_release(page); ++} ++EXPORT_SYMBOL(pagecache_isize_extended); ++ ++/** + * truncate_pagecache_range - unmap and remove pagecache that is hole-punched + * @inode: inode + * @lstart: offset of beginning of hole +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index 66e77f380fce..e3bea2e0821a 100644 +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -290,7 +290,8 @@ int ceph_msgr_init(void) + if (ceph_msgr_slab_init()) + return -ENOMEM; + +- ceph_msgr_wq = alloc_workqueue("ceph-msgr", WQ_NON_REENTRANT, 0); ++ ceph_msgr_wq = alloc_workqueue("ceph-msgr", ++ WQ_NON_REENTRANT | WQ_MEM_RECLAIM, 0); + if (ceph_msgr_wq) + return 0; + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 9c3979a50804..bc773a10dca6 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -533,7 +533,7 @@ int fib_nh_match(struct fib_config *cfg, struct fib_info *fi) + return 1; + + attrlen = rtnh_attrlen(rtnh); +- if (attrlen < 0) { ++ if (attrlen > 0) { + struct nlattr *nla, *attrs = rtnh_attrs(rtnh); + + nla = nla_find(attrs, attrlen, RTA_GATEWAY); +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 5afbbbe03b0e..22fa05e041ea 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1481,6 +1481,7 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, __be32 daddr, + struct sk_buff *nskb; + struct sock *sk; + struct inet_sock *inet; ++ int err; + + if (ip_options_echo(&replyopts.opt.opt, skb)) + return; +@@ -1517,8 +1518,13 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, __be32 daddr, + sock_net_set(sk, net); + __skb_queue_head_init(&sk->sk_write_queue); + sk->sk_sndbuf = sysctl_wmem_default; +- ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base, len, 0, +- &ipc, &rt, MSG_DONTWAIT); ++ err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base, ++ len, 0, &ipc, &rt, MSG_DONTWAIT); ++ if (unlikely(err)) { ++ ip_flush_pending_frames(sk); ++ goto out; ++ } ++ + nskb = skb_peek(&sk->sk_write_queue); + if (nskb) { + if (arg->csumoffset >= 0) +@@ -1530,7 +1536,7 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, __be32 daddr, + skb_set_queue_mapping(nskb, skb_get_queue_mapping(skb)); + ip_push_pending_frames(sk, &fl4); + } +- ++out: + put_cpu_var(unicast_sock); + + ip_rt_put(rt); +diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c +index a02bef35b134..d68d6cfac3b5 100644 +--- a/net/mac80211/rate.c ++++ b/net/mac80211/rate.c +@@ -448,7 +448,7 @@ static void rate_fixup_ratelist(struct ieee80211_vif *vif, + */ + if (!(rates[0].flags & IEEE80211_TX_RC_MCS)) { + u32 basic_rates = vif->bss_conf.basic_rates; +- s8 baserate = basic_rates ? ffs(basic_rates - 1) : 0; ++ s8 baserate = basic_rates ? ffs(basic_rates) - 1 : 0; + + rate = &sband->bitrates[rates[0].idx]; + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 5ed562dfe743..afe41178c9fb 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -571,7 +571,7 @@ static int netlink_mmap_sendmsg(struct sock *sk, struct msghdr *msg, + * after validation, the socket and the ring may only be used by a + * single process, otherwise we fall back to copying. + */ +- if (atomic_long_read(&sk->sk_socket->file->f_count) > 2 || ++ if (atomic_long_read(&sk->sk_socket->file->f_count) > 1 || + atomic_read(&nlk->mapped) > 1) + excl = false; + +diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c +index b9b2bebeb350..b980a6ce5c79 100644 +--- a/security/integrity/evm/evm_main.c ++++ b/security/integrity/evm/evm_main.c +@@ -286,9 +286,12 @@ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, + { + const struct evm_ima_xattr_data *xattr_data = xattr_value; + +- if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0) +- && (xattr_data->type == EVM_XATTR_HMAC)) +- return -EPERM; ++ if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { ++ if (!xattr_value_len) ++ return -EINVAL; ++ if (xattr_data->type != EVM_IMA_XATTR_DIGSIG) ++ return -EPERM; ++ } + return evm_protect_xattr(dentry, xattr_name, xattr_value, + xattr_value_len); + } +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 70d4a8a7f21c..fdd6e4f8be39 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -437,6 +437,7 @@ next_inode: + list_entry(sbsec->isec_head.next, + struct inode_security_struct, list); + struct inode *inode = isec->inode; ++ list_del_init(&isec->list); + spin_unlock(&sbsec->isec_lock); + inode = igrab(inode); + if (inode) { +@@ -445,7 +446,6 @@ next_inode: + iput(inode); + } + spin_lock(&sbsec->isec_lock); +- list_del_init(&isec->list); + goto next_inode; + } + spin_unlock(&sbsec->isec_lock); +diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c +index af49721ba0e3..c4ac3c1e19af 100644 +--- a/sound/core/pcm_compat.c ++++ b/sound/core/pcm_compat.c +@@ -206,6 +206,8 @@ static int snd_pcm_status_user_compat(struct snd_pcm_substream *substream, + if (err < 0) + return err; + ++ if (clear_user(src, sizeof(*src))) ++ return -EFAULT; + if (put_user(status.state, &src->state) || + compat_put_timespec(&status.trigger_tstamp, &src->trigger_tstamp) || + compat_put_timespec(&status.tstamp, &src->tstamp) || +diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c +index dec997188dfb..a650aa48c786 100644 +--- a/virt/kvm/iommu.c ++++ b/virt/kvm/iommu.c +@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm, + gfn_t base_gfn, unsigned long npages); + + static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn, +- unsigned long size) ++ unsigned long npages) + { + gfn_t end_gfn; + pfn_t pfn; + + pfn = gfn_to_pfn_memslot(slot, gfn); +- end_gfn = gfn + (size >> PAGE_SHIFT); ++ end_gfn = gfn + npages; + gfn += 1; + + if (is_error_noslot_pfn(pfn)) +@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) + * Pin all pages we are about to map in memory. This is + * important because we unmap and unpin in 4kb steps later. + */ +- pfn = kvm_pin_pages(slot, gfn, page_size); ++ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT); + if (is_error_noslot_pfn(pfn)) { + gfn += 1; + continue; +@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) + if (r) { + printk(KERN_ERR "kvm_iommu_map_address:" + "iommu failed to map pfn=%llx\n", pfn); +- kvm_unpin_pages(kvm, pfn, page_size); ++ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT); + goto unmap_pages; + } + |