commit: eaaa44972b7ad8d289587ded544c4513f4b40732 Author: Anthony G. Basile gentoo org> AuthorDate: Wed Nov 18 09:53:20 2015 +0000 Commit: Anthony G. Basile gentoo org> CommitDate: Wed Nov 18 09:53:20 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=eaaa4497 grsecurity-3.1-4.2.6-201511172005 4.2.6/0000_README | 6 +- 4.2.6/1005_linux-4.2.6.patch | 3380 -------------------- ...> 4420_grsecurity-3.1-4.2.6-201511172005.patch} | 251 +- 3 files changed, 226 insertions(+), 3411 deletions(-) diff --git a/4.2.6/0000_README b/4.2.6/0000_README index 7ec57e5..730b6c8 100644 --- a/4.2.6/0000_README +++ b/4.2.6/0000_README @@ -2,11 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1005_linux-4.2.6.patch -From: http://www.kernel.org -Desc: Linux 4.2.6 - -Patch: 4420_grsecurity-3.1-4.2.6-201511141543.patch +Patch: 4420_grsecurity-3.1-4.2.6-201511172005.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.2.6/1005_linux-4.2.6.patch b/4.2.6/1005_linux-4.2.6.patch deleted file mode 100644 index 8a09a7b..0000000 --- a/4.2.6/1005_linux-4.2.6.patch +++ /dev/null @@ -1,3380 +0,0 @@ -diff --git a/Makefile b/Makefile -index 96076dc..9ef3739 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 4 - PATCHLEVEL = 2 --SUBLEVEL = 5 -+SUBLEVEL = 6 - EXTRAVERSION = - NAME = Hurr durr I'ma sheep - -diff --git a/arch/arm/boot/dts/am57xx-beagle-x15.dts b/arch/arm/boot/dts/am57xx-beagle-x15.dts -index a63bf78..03385fa 100644 ---- a/arch/arm/boot/dts/am57xx-beagle-x15.dts -+++ b/arch/arm/boot/dts/am57xx-beagle-x15.dts -@@ -415,11 +415,12 @@ - /* SMPS9 unused */ - - ldo1_reg: ldo1 { -- /* VDD_SD */ -+ /* VDD_SD / VDDSHV8 */ - regulator-name = "ldo1"; - regulator-min-microvolt = <1800000>; - regulator-max-microvolt = <3300000>; - regulator-boot-on; -+ regulator-always-on; - }; - - ldo2_reg: ldo2 { -diff --git a/arch/arm/boot/dts/armada-385-db-ap.dts b/arch/arm/boot/dts/armada-385-db-ap.dts -index 89f5a95..4047621 100644 ---- a/arch/arm/boot/dts/armada-385-db-ap.dts -+++ b/arch/arm/boot/dts/armada-385-db-ap.dts -@@ -46,7 +46,7 @@ - - / { - model = "Marvell Armada 385 Access Point Development Board"; -- compatible = "marvell,a385-db-ap", "marvell,armada385", "marvell,armada38x"; -+ compatible = "marvell,a385-db-ap", "marvell,armada385", "marvell,armada380"; - - chosen { - stdout-path = "serial1:115200n8"; -diff --git a/arch/arm/boot/dts/berlin2q.dtsi b/arch/arm/boot/dts/berlin2q.dtsi -index 63a4849..d4dbd28 100644 ---- a/arch/arm/boot/dts/berlin2q.dtsi -+++ b/arch/arm/boot/dts/berlin2q.dtsi -@@ -152,7 +152,7 @@ - }; - - usb_phy2: phy@a2f400 { -- compatible = "marvell,berlin2-usb-phy"; -+ compatible = "marvell,berlin2cd-usb-phy"; - reg = <0xa2f400 0x128>; - #phy-cells = <0>; - resets = <&chip_rst 0x104 14>; -@@ -170,7 +170,7 @@ - }; - - usb_phy0: phy@b74000 { -- compatible = "marvell,berlin2-usb-phy"; -+ compatible = "marvell,berlin2cd-usb-phy"; - reg = <0xb74000 0x128>; - #phy-cells = <0>; - resets = <&chip_rst 0x104 12>; -@@ -178,7 +178,7 @@ - }; - - usb_phy1: phy@b78000 { -- compatible = "marvell,berlin2-usb-phy"; -+ compatible = "marvell,berlin2cd-usb-phy"; - reg = <0xb78000 0x128>; - #phy-cells = <0>; - resets = <&chip_rst 0x104 13>; -diff --git a/arch/arm/boot/dts/exynos5420-peach-pit.dts b/arch/arm/boot/dts/exynos5420-peach-pit.dts -index 8f4d76c..1b95da7 100644 ---- a/arch/arm/boot/dts/exynos5420-peach-pit.dts -+++ b/arch/arm/boot/dts/exynos5420-peach-pit.dts -@@ -915,6 +915,11 @@ - }; - }; - -+&pmu_system_controller { -+ assigned-clocks = <&pmu_system_controller 0>; -+ assigned-clock-parents = <&clock CLK_FIN_PLL>; -+}; -+ - &rtc { - status = "okay"; - clocks = <&clock CLK_RTC>, <&max77802 MAX77802_CLK_32K_AP>; -diff --git a/arch/arm/boot/dts/exynos5800-peach-pi.dts b/arch/arm/boot/dts/exynos5800-peach-pi.dts -index 7d5b386..8f40c7e 100644 ---- a/arch/arm/boot/dts/exynos5800-peach-pi.dts -+++ b/arch/arm/boot/dts/exynos5800-peach-pi.dts -@@ -878,6 +878,11 @@ - }; - }; - -+&pmu_system_controller { -+ assigned-clocks = <&pmu_system_controller 0>; -+ assigned-clock-parents = <&clock CLK_FIN_PLL>; -+}; -+ - &rtc { - status = "okay"; - clocks = <&clock CLK_RTC>, <&max77802 MAX77802_CLK_32K_AP>; -diff --git a/arch/arm/boot/dts/imx7d.dtsi b/arch/arm/boot/dts/imx7d.dtsi -index c42cf8d..9accbae 100644 ---- a/arch/arm/boot/dts/imx7d.dtsi -+++ b/arch/arm/boot/dts/imx7d.dtsi -@@ -340,10 +340,10 @@ - status = "disabled"; - }; - -- uart2: serial@30870000 { -+ uart2: serial@30890000 { - compatible = "fsl,imx7d-uart", - "fsl,imx6q-uart"; -- reg = <0x30870000 0x10000>; -+ reg = <0x30890000 0x10000>; - interrupts = ; - clocks = <&clks IMX7D_UART2_ROOT_CLK>, - <&clks IMX7D_UART2_ROOT_CLK>; -diff --git a/arch/arm/boot/dts/ste-hrefv60plus.dtsi b/arch/arm/boot/dts/ste-hrefv60plus.dtsi -index 810cda7..9c2387b 100644 ---- a/arch/arm/boot/dts/ste-hrefv60plus.dtsi -+++ b/arch/arm/boot/dts/ste-hrefv60plus.dtsi -@@ -56,7 +56,7 @@ - /* VMMCI level-shifter enable */ - default_hrefv60_cfg2 { - pins = "GPIO169_D22"; -- ste,config = <&gpio_out_lo>; -+ ste,config = <&gpio_out_hi>; - }; - /* VMMCI level-shifter voltage select */ - default_hrefv60_cfg3 { -diff --git a/arch/arm/kvm/Kconfig b/arch/arm/kvm/Kconfig -index bfb915d..dd5fc1e 100644 ---- a/arch/arm/kvm/Kconfig -+++ b/arch/arm/kvm/Kconfig -@@ -21,6 +21,7 @@ config KVM - depends on MMU && OF - select PREEMPT_NOTIFIERS - select ANON_INODES -+ select ARM_GIC - select HAVE_KVM_CPU_RELAX_INTERCEPT - select HAVE_KVM_ARCH_TLB_FLUSH_ALL - select KVM_MMIO -diff --git a/arch/arm/mach-exynos/pm_domains.c b/arch/arm/mach-exynos/pm_domains.c -index 4a87e86..7c21760 100644 ---- a/arch/arm/mach-exynos/pm_domains.c -+++ b/arch/arm/mach-exynos/pm_domains.c -@@ -200,15 +200,15 @@ no_clk: - args.args_count = 0; - child_domain = of_genpd_get_from_provider(&args); - if (IS_ERR(child_domain)) -- goto next_pd; -+ continue; - - if (of_parse_phandle_with_args(np, "power-domains", - "#power-domain-cells", 0, &args) != 0) -- goto next_pd; -+ continue; - - parent_domain = of_genpd_get_from_provider(&args); - if (IS_ERR(parent_domain)) -- goto next_pd; -+ continue; - - if (pm_genpd_add_subdomain(parent_domain, child_domain)) - pr_warn("%s failed to add subdomain: %s\n", -@@ -216,8 +216,6 @@ no_clk: - else - pr_info("%s has as child subdomain: %s.\n", - parent_domain->name, child_domain->name); --next_pd: -- of_node_put(np); - } - - return 0; -diff --git a/arch/arm/plat-orion/common.c b/arch/arm/plat-orion/common.c -index 2235081..8861c36 100644 ---- a/arch/arm/plat-orion/common.c -+++ b/arch/arm/plat-orion/common.c -@@ -495,7 +495,7 @@ void __init orion_ge00_switch_init(struct dsa_platform_data *d, int irq) - - d->netdev = &orion_ge00.dev; - for (i = 0; i < d->nr_chips; i++) -- d->chip[i].host_dev = &orion_ge00_shared.dev; -+ d->chip[i].host_dev = &orion_ge_mvmdio.dev; - orion_switch_device.dev.platform_data = d; - - platform_device_register(&orion_switch_device); -diff --git a/arch/arm/vdso/vdsomunge.c b/arch/arm/vdso/vdsomunge.c -index aedec81..f645527 100644 ---- a/arch/arm/vdso/vdsomunge.c -+++ b/arch/arm/vdso/vdsomunge.c -@@ -45,7 +45,6 @@ - * it does. - */ - --#include - #include - #include - #include -@@ -59,6 +58,16 @@ - #include - #include - -+#define swab16(x) \ -+ ((((x) & 0x00ff) << 8) | \ -+ (((x) & 0xff00) >> 8)) -+ -+#define swab32(x) \ -+ ((((x) & 0x000000ff) << 24) | \ -+ (((x) & 0x0000ff00) << 8) | \ -+ (((x) & 0x00ff0000) >> 8) | \ -+ (((x) & 0xff000000) >> 24)) -+ - #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ - #define HOST_ORDER ELFDATA2LSB - #elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ -@@ -104,17 +113,17 @@ static void cleanup(void) - - static Elf32_Word read_elf_word(Elf32_Word word, bool swap) - { -- return swap ? bswap_32(word) : word; -+ return swap ? swab32(word) : word; - } - - static Elf32_Half read_elf_half(Elf32_Half half, bool swap) - { -- return swap ? bswap_16(half) : half; -+ return swap ? swab16(half) : half; - } - - static void write_elf_word(Elf32_Word val, Elf32_Word *dst, bool swap) - { -- *dst = swap ? bswap_32(val) : val; -+ *dst = swap ? swab32(val) : val; - } - - int main(int argc, char **argv) -diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c -index 7922c2e..7ac3920 100644 ---- a/arch/arm64/kernel/armv8_deprecated.c -+++ b/arch/arm64/kernel/armv8_deprecated.c -@@ -279,22 +279,24 @@ static void register_insn_emulation_sysctl(struct ctl_table *table) - */ - #define __user_swpX_asm(data, addr, res, temp, B) \ - __asm__ __volatile__( \ -- " mov %w2, %w1\n" \ -- "0: ldxr"B" %w1, [%3]\n" \ -- "1: stxr"B" %w0, %w2, [%3]\n" \ -+ "0: ldxr"B" %w2, [%3]\n" \ -+ "1: stxr"B" %w0, %w1, [%3]\n" \ - " cbz %w0, 2f\n" \ - " mov %w0, %w4\n" \ -+ " b 3f\n" \ - "2:\n" \ -+ " mov %w1, %w2\n" \ -+ "3:\n" \ - " .pushsection .fixup,\"ax\"\n" \ - " .align 2\n" \ -- "3: mov %w0, %w5\n" \ -- " b 2b\n" \ -+ "4: mov %w0, %w5\n" \ -+ " b 3b\n" \ - " .popsection" \ - " .pushsection __ex_table,\"a\"\n" \ - " .align 3\n" \ -- " .quad 0b, 3b\n" \ -- " .quad 1b, 3b\n" \ -- " .popsection" \ -+ " .quad 0b, 4b\n" \ -+ " .quad 1b, 4b\n" \ -+ " .popsection\n" \ - : "=&r" (res), "+r" (data), "=&r" (temp) \ - : "r" (addr), "i" (-EAGAIN), "i" (-EFAULT) \ - : "memory") -diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c -index 407991b..ccb6078 100644 ---- a/arch/arm64/kernel/stacktrace.c -+++ b/arch/arm64/kernel/stacktrace.c -@@ -48,11 +48,7 @@ int notrace unwind_frame(struct stackframe *frame) - - frame->sp = fp + 0x10; - frame->fp = *(unsigned long *)(fp); -- /* -- * -4 here because we care about the PC at time of bl, -- * not where the return will go. -- */ -- frame->pc = *(unsigned long *)(fp + 8) - 4; -+ frame->pc = *(unsigned long *)(fp + 8); - - return 0; - } -diff --git a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c -index 8297d50..44ca414 100644 ---- a/arch/arm64/kernel/suspend.c -+++ b/arch/arm64/kernel/suspend.c -@@ -80,17 +80,21 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long)) - if (ret == 0) { - /* - * We are resuming from reset with TTBR0_EL1 set to the -- * idmap to enable the MMU; restore the active_mm mappings in -- * TTBR0_EL1 unless the active_mm == &init_mm, in which case -- * the thread entered cpu_suspend with TTBR0_EL1 set to -- * reserved TTBR0 page tables and should be restored as such. -+ * idmap to enable the MMU; set the TTBR0 to the reserved -+ * page tables to prevent speculative TLB allocations, flush -+ * the local tlb and set the default tcr_el1.t0sz so that -+ * the TTBR0 address space set-up is properly restored. -+ * If the current active_mm != &init_mm we entered cpu_suspend -+ * with mappings in TTBR0 that must be restored, so we switch -+ * them back to complete the address space configuration -+ * restoration before returning. - */ -- if (mm == &init_mm) -- cpu_set_reserved_ttbr0(); -- else -- cpu_switch_mm(mm->pgd, mm); -- -+ cpu_set_reserved_ttbr0(); - flush_tlb_all(); -+ cpu_set_default_tcr_t0sz(); -+ -+ if (mm != &init_mm) -+ cpu_switch_mm(mm->pgd, mm); - - /* - * Restore per-cpu offset before any kernel -diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c -index caffb10..5607693 100644 ---- a/arch/powerpc/kernel/rtas.c -+++ b/arch/powerpc/kernel/rtas.c -@@ -1041,6 +1041,9 @@ asmlinkage int ppc_rtas(struct rtas_args __user *uargs) - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; - -+ if (!rtas.entry) -+ return -EINVAL; -+ - if (copy_from_user(&args, uargs, 3 * sizeof(u32)) != 0) - return -EFAULT; - -diff --git a/arch/um/kernel/trap.c b/arch/um/kernel/trap.c -index 557232f..5610b18 100644 ---- a/arch/um/kernel/trap.c -+++ b/arch/um/kernel/trap.c -@@ -220,7 +220,7 @@ unsigned long segv(struct faultinfo fi, unsigned long ip, int is_user, - show_regs(container_of(regs, struct pt_regs, regs)); - panic("Segfault with no mm"); - } -- else if (!is_user && address < TASK_SIZE) { -+ else if (!is_user && address > PAGE_SIZE && address < TASK_SIZE) { - show_regs(container_of(regs, struct pt_regs, regs)); - panic("Kernel tried to access user memory at addr 0x%lx, ip 0x%lx", - address, ip); -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 7d69afd..16edc0f 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -667,6 +667,7 @@ setup_gop32(struct screen_info *si, efi_guid_t *proto, - bool conout_found = false; - void *dummy = NULL; - u32 h = handles[i]; -+ u32 current_fb_base; - - status = efi_call_early(handle_protocol, h, - proto, (void **)&gop32); -@@ -678,7 +679,7 @@ setup_gop32(struct screen_info *si, efi_guid_t *proto, - if (status == EFI_SUCCESS) - conout_found = true; - -- status = __gop_query32(gop32, &info, &size, &fb_base); -+ status = __gop_query32(gop32, &info, &size, ¤t_fb_base); - if (status == EFI_SUCCESS && (!first_gop || conout_found)) { - /* - * Systems that use the UEFI Console Splitter may -@@ -692,6 +693,7 @@ setup_gop32(struct screen_info *si, efi_guid_t *proto, - pixel_format = info->pixel_format; - pixel_info = info->pixel_information; - pixels_per_scan_line = info->pixels_per_scan_line; -+ fb_base = current_fb_base; - - /* - * Once we've found a GOP supporting ConOut, -@@ -770,6 +772,7 @@ setup_gop64(struct screen_info *si, efi_guid_t *proto, - bool conout_found = false; - void *dummy = NULL; - u64 h = handles[i]; -+ u32 current_fb_base; - - status = efi_call_early(handle_protocol, h, - proto, (void **)&gop64); -@@ -781,7 +784,7 @@ setup_gop64(struct screen_info *si, efi_guid_t *proto, - if (status == EFI_SUCCESS) - conout_found = true; - -- status = __gop_query64(gop64, &info, &size, &fb_base); -+ status = __gop_query64(gop64, &info, &size, ¤t_fb_base); - if (status == EFI_SUCCESS && (!first_gop || conout_found)) { - /* - * Systems that use the UEFI Console Splitter may -@@ -795,6 +798,7 @@ setup_gop64(struct screen_info *si, efi_guid_t *proto, - pixel_format = info->pixel_format; - pixel_info = info->pixel_information; - pixels_per_scan_line = info->pixels_per_scan_line; -+ fb_base = current_fb_base; - - /* - * Once we've found a GOP supporting ConOut, -diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c -index 5880b48..11b46d9 100644 ---- a/arch/x86/kernel/apic/io_apic.c -+++ b/arch/x86/kernel/apic/io_apic.c -@@ -2547,7 +2547,9 @@ void __init setup_ioapic_dest(void) - mask = apic->target_cpus(); - - chip = irq_data_get_irq_chip(idata); -- chip->irq_set_affinity(idata, mask, false); -+ /* Might be lapic_chip for irq 0 */ -+ if (chip->irq_set_affinity) -+ chip->irq_set_affinity(idata, mask, false); - } - } - #endif -diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 777ad2f..3cebc65 100644 ---- a/arch/x86/xen/enlighten.c -+++ b/arch/x86/xen/enlighten.c -@@ -33,7 +33,7 @@ - #include - #include - --#ifdef CONFIG_KEXEC_CORE -+#ifdef CONFIG_KEXEC - #include - #endif - -@@ -1804,7 +1804,7 @@ static struct notifier_block xen_hvm_cpu_notifier = { - .notifier_call = xen_hvm_cpu_notify, - }; - --#ifdef CONFIG_KEXEC_CORE -+#ifdef CONFIG_KEXEC - static void xen_hvm_shutdown(void) - { - native_machine_shutdown(); -@@ -1838,7 +1838,7 @@ static void __init xen_hvm_guest_init(void) - x86_init.irqs.intr_init = xen_init_IRQ; - xen_hvm_init_time_ops(); - xen_hvm_init_mmu_ops(); --#ifdef CONFIG_KEXEC_CORE -+#ifdef CONFIG_KEXEC - machine_ops.shutdown = xen_hvm_shutdown; - machine_ops.crash_shutdown = xen_hvm_crash_shutdown; - #endif -diff --git a/block/blk-core.c b/block/blk-core.c -index 627ed0c..1955ed3 100644 ---- a/block/blk-core.c -+++ b/block/blk-core.c -@@ -578,7 +578,7 @@ void blk_cleanup_queue(struct request_queue *q) - q->queue_lock = &q->__queue_lock; - spin_unlock_irq(lock); - -- bdi_destroy(&q->backing_dev_info); -+ bdi_unregister(&q->backing_dev_info); - - /* @q is and will stay empty, shutdown and put */ - blk_put_queue(q); -diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c -index 9115c6d..2735198 100644 ---- a/block/blk-mq-tag.c -+++ b/block/blk-mq-tag.c -@@ -628,6 +628,7 @@ void blk_mq_free_tags(struct blk_mq_tags *tags) - { - bt_free(&tags->bitmap_tags); - bt_free(&tags->breserved_tags); -+ free_cpumask_var(tags->cpumask); - kfree(tags); - } - -diff --git a/block/blk-mq.c b/block/blk-mq.c -index c699026..4d6ff52 100644 ---- a/block/blk-mq.c -+++ b/block/blk-mq.c -@@ -2263,10 +2263,8 @@ void blk_mq_free_tag_set(struct blk_mq_tag_set *set) - int i; - - for (i = 0; i < set->nr_hw_queues; i++) { -- if (set->tags[i]) { -+ if (set->tags[i]) - blk_mq_free_rq_map(set, set->tags[i], i); -- free_cpumask_var(set->tags[i]->cpumask); -- } - } - - kfree(set->tags); -diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c -index 6264b38..145ddb6 100644 ---- a/block/blk-sysfs.c -+++ b/block/blk-sysfs.c -@@ -502,6 +502,7 @@ static void blk_release_queue(struct kobject *kobj) - struct request_queue *q = - container_of(kobj, struct request_queue, kobj); - -+ bdi_exit(&q->backing_dev_info); - blkcg_exit_queue(q); - - if (q->elevator) { -diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c -index b788f16..b4ffc5b 100644 ---- a/crypto/ablkcipher.c -+++ b/crypto/ablkcipher.c -@@ -706,7 +706,7 @@ struct crypto_ablkcipher *crypto_alloc_ablkcipher(const char *alg_name, - err: - if (err != -EAGAIN) - break; -- if (signal_pending(current)) { -+ if (fatal_signal_pending(current)) { - err = -EINTR; - break; - } -diff --git a/crypto/algapi.c b/crypto/algapi.c -index 3c079b7..b603b34 100644 ---- a/crypto/algapi.c -+++ b/crypto/algapi.c -@@ -335,7 +335,7 @@ static void crypto_wait_for_test(struct crypto_larval *larval) - crypto_alg_tested(larval->alg.cra_driver_name, 0); - } - -- err = wait_for_completion_interruptible(&larval->completion); -+ err = wait_for_completion_killable(&larval->completion); - WARN_ON(err); - - out: -diff --git a/crypto/api.c b/crypto/api.c -index afe4610..bbc147c 100644 ---- a/crypto/api.c -+++ b/crypto/api.c -@@ -172,7 +172,7 @@ static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg) - struct crypto_larval *larval = (void *)alg; - long timeout; - -- timeout = wait_for_completion_interruptible_timeout( -+ timeout = wait_for_completion_killable_timeout( - &larval->completion, 60 * HZ); - - alg = larval->adult; -@@ -445,7 +445,7 @@ struct crypto_tfm *crypto_alloc_base(const char *alg_name, u32 type, u32 mask) - err: - if (err != -EAGAIN) - break; -- if (signal_pending(current)) { -+ if (fatal_signal_pending(current)) { - err = -EINTR; - break; - } -@@ -562,7 +562,7 @@ void *crypto_alloc_tfm(const char *alg_name, - err: - if (err != -EAGAIN) - break; -- if (signal_pending(current)) { -+ if (fatal_signal_pending(current)) { - err = -EINTR; - break; - } -diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c -index 08ea286..d59fb4e 100644 ---- a/crypto/crypto_user.c -+++ b/crypto/crypto_user.c -@@ -376,7 +376,7 @@ static struct crypto_alg *crypto_user_skcipher_alg(const char *name, u32 type, - err = PTR_ERR(alg); - if (err != -EAGAIN) - break; -- if (signal_pending(current)) { -+ if (fatal_signal_pending(current)) { - err = -EINTR; - break; - } -diff --git a/drivers/block/nvme-core.c b/drivers/block/nvme-core.c -index 7920c27..cf91c11 100644 ---- a/drivers/block/nvme-core.c -+++ b/drivers/block/nvme-core.c -@@ -597,6 +597,7 @@ static void req_completion(struct nvme_queue *nvmeq, void *ctx, - struct nvme_iod *iod = ctx; - struct request *req = iod_get_private(iod); - struct nvme_cmd_info *cmd_rq = blk_mq_rq_to_pdu(req); -+ bool requeue = false; - - u16 status = le16_to_cpup(&cqe->status) >> 1; - -@@ -605,12 +606,13 @@ static void req_completion(struct nvme_queue *nvmeq, void *ctx, - && (jiffies - req->start_time) < req->timeout) { - unsigned long flags; - -+ requeue = true; - blk_mq_requeue_request(req); - spin_lock_irqsave(req->q->queue_lock, flags); - if (!blk_queue_stopped(req->q)) - blk_mq_kick_requeue_list(req->q); - spin_unlock_irqrestore(req->q->queue_lock, flags); -- return; -+ goto release_iod; - } - if (req->cmd_type == REQ_TYPE_DRV_PRIV) { - if (cmd_rq->ctx == CMD_CTX_CANCELLED) -@@ -631,7 +633,7 @@ static void req_completion(struct nvme_queue *nvmeq, void *ctx, - dev_warn(nvmeq->dev->dev, - "completing aborted command with status:%04x\n", - status); -- -+ release_iod: - if (iod->nents) { - dma_unmap_sg(nvmeq->dev->dev, iod->sg, iod->nents, - rq_data_dir(req) ? DMA_TO_DEVICE : DMA_FROM_DEVICE); -@@ -644,7 +646,8 @@ static void req_completion(struct nvme_queue *nvmeq, void *ctx, - } - nvme_free_iod(nvmeq->dev, iod); - -- blk_mq_complete_request(req); -+ if (likely(!requeue)) -+ blk_mq_complete_request(req); - } - - /* length is in bytes. gfp flags indicates whether we may sleep. */ -@@ -1764,7 +1767,7 @@ static int nvme_submit_io(struct nvme_ns *ns, struct nvme_user_io __user *uio) - - length = (io.nblocks + 1) << ns->lba_shift; - meta_len = (io.nblocks + 1) * ns->ms; -- metadata = (void __user *)(unsigned long)io.metadata; -+ metadata = (void __user *)(uintptr_t)io.metadata; - write = io.opcode & 1; - - if (ns->ext) { -@@ -1804,7 +1807,7 @@ static int nvme_submit_io(struct nvme_ns *ns, struct nvme_user_io __user *uio) - c.rw.metadata = cpu_to_le64(meta_dma); - - status = __nvme_submit_sync_cmd(ns->queue, &c, NULL, -- (void __user *)io.addr, length, NULL, 0); -+ (void __user *)(uintptr_t)io.addr, length, NULL, 0); - unmap: - if (meta) { - if (status == NVME_SC_SUCCESS && !write) { -@@ -1846,7 +1849,7 @@ static int nvme_user_cmd(struct nvme_dev *dev, struct nvme_ns *ns, - timeout = msecs_to_jiffies(cmd.timeout_ms); - - status = __nvme_submit_sync_cmd(ns ? ns->queue : dev->admin_q, &c, -- NULL, (void __user *)cmd.addr, cmd.data_len, -+ NULL, (void __user *)(uintptr_t)cmd.addr, cmd.data_len, - &cmd.result, timeout); - if (status >= 0) { - if (put_user(cmd.result, &ucmd->result)) -diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c -index 324bf35..017b7d5 100644 ---- a/drivers/block/rbd.c -+++ b/drivers/block/rbd.c -@@ -96,6 +96,8 @@ static int atomic_dec_return_safe(atomic_t *v) - #define RBD_MINORS_PER_MAJOR 256 - #define RBD_SINGLE_MAJOR_PART_SHIFT 4 - -+#define RBD_MAX_PARENT_CHAIN_LEN 16 -+ - #define RBD_SNAP_DEV_NAME_PREFIX "snap_" - #define RBD_MAX_SNAP_NAME_LEN \ - (NAME_MAX - (sizeof (RBD_SNAP_DEV_NAME_PREFIX) - 1)) -@@ -426,7 +428,7 @@ static ssize_t rbd_add_single_major(struct bus_type *bus, const char *buf, - size_t count); - static ssize_t rbd_remove_single_major(struct bus_type *bus, const char *buf, - size_t count); --static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping); -+static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth); - static void rbd_spec_put(struct rbd_spec *spec); - - static int rbd_dev_id_to_minor(int dev_id) -@@ -3819,6 +3821,9 @@ static int rbd_init_disk(struct rbd_device *rbd_dev) - q->limits.discard_zeroes_data = 1; - - blk_queue_merge_bvec(q, rbd_merge_bvec); -+ if (!ceph_test_opt(rbd_dev->rbd_client->client, NOCRC)) -+ q->backing_dev_info.capabilities |= BDI_CAP_STABLE_WRITES; -+ - disk->queue = q; - - q->queuedata = rbd_dev; -@@ -5169,44 +5174,51 @@ out_err: - return ret; - } - --static int rbd_dev_probe_parent(struct rbd_device *rbd_dev) -+/* -+ * @depth is rbd_dev_image_probe() -> rbd_dev_probe_parent() -> -+ * rbd_dev_image_probe() recursion depth, which means it's also the -+ * length of the already discovered part of the parent chain. -+ */ -+static int rbd_dev_probe_parent(struct rbd_device *rbd_dev, int depth) - { - struct rbd_device *parent = NULL; -- struct rbd_spec *parent_spec; -- struct rbd_client *rbdc; - int ret; - - if (!rbd_dev->parent_spec) - return 0; -- /* -- * We need to pass a reference to the client and the parent -- * spec when creating the parent rbd_dev. Images related by -- * parent/child relationships always share both. -- */ -- parent_spec = rbd_spec_get(rbd_dev->parent_spec); -- rbdc = __rbd_get_client(rbd_dev->rbd_client); - -- ret = -ENOMEM; -- parent = rbd_dev_create(rbdc, parent_spec, NULL); -- if (!parent) -+ if (++depth > RBD_MAX_PARENT_CHAIN_LEN) { -+ pr_info("parent chain is too long (%d)\n", depth); -+ ret = -EINVAL; - goto out_err; -+ } - -- ret = rbd_dev_image_probe(parent, false); -+ parent = rbd_dev_create(rbd_dev->rbd_client, rbd_dev->parent_spec, -+ NULL); -+ if (!parent) { -+ ret = -ENOMEM; -+ goto out_err; -+ } -+ -+ /* -+ * Images related by parent/child relationships always share -+ * rbd_client and spec/parent_spec, so bump their refcounts. -+ */ -+ __rbd_get_client(rbd_dev->rbd_client); -+ rbd_spec_get(rbd_dev->parent_spec); -+ -+ ret = rbd_dev_image_probe(parent, depth); - if (ret < 0) - goto out_err; -+ - rbd_dev->parent = parent; - atomic_set(&rbd_dev->parent_ref, 1); -- - return 0; -+ - out_err: -- if (parent) { -- rbd_dev_unparent(rbd_dev); -+ rbd_dev_unparent(rbd_dev); -+ if (parent) - rbd_dev_destroy(parent); -- } else { -- rbd_put_client(rbdc); -- rbd_spec_put(parent_spec); -- } -- - return ret; - } - -@@ -5324,7 +5336,7 @@ static void rbd_dev_image_release(struct rbd_device *rbd_dev) - * parent), initiate a watch on its header object before using that - * object to get detailed information about the rbd image. - */ --static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping) -+static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) - { - int ret; - -@@ -5342,7 +5354,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping) - if (ret) - goto err_out_format; - -- if (mapping) { -+ if (!depth) { - ret = rbd_dev_header_watch_sync(rbd_dev); - if (ret) { - if (ret == -ENOENT) -@@ -5363,7 +5375,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping) - * Otherwise this is a parent image, identified by pool, image - * and snap ids - need to fill in names for those ids. - */ -- if (mapping) -+ if (!depth) - ret = rbd_spec_fill_snap_id(rbd_dev); - else - ret = rbd_spec_fill_names(rbd_dev); -@@ -5385,12 +5397,12 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping) - * Need to warn users if this image is the one being - * mapped and has a parent. - */ -- if (mapping && rbd_dev->parent_spec) -+ if (!depth && rbd_dev->parent_spec) - rbd_warn(rbd_dev, - "WARNING: kernel layering is EXPERIMENTAL!"); - } - -- ret = rbd_dev_probe_parent(rbd_dev); -+ ret = rbd_dev_probe_parent(rbd_dev, depth); - if (ret) - goto err_out_probe; - -@@ -5401,7 +5413,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping) - err_out_probe: - rbd_dev_unprobe(rbd_dev); - err_out_watch: -- if (mapping) -+ if (!depth) - rbd_dev_header_unwatch_sync(rbd_dev); - out_header_name: - kfree(rbd_dev->header_name); -@@ -5464,7 +5476,7 @@ static ssize_t do_rbd_add(struct bus_type *bus, - spec = NULL; /* rbd_dev now owns this */ - rbd_opts = NULL; /* rbd_dev now owns this */ - -- rc = rbd_dev_image_probe(rbd_dev, true); -+ rc = rbd_dev_image_probe(rbd_dev, 0); - if (rc < 0) - goto err_out_rbd_dev; - -diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c -index 7a8a73f..d68b08a 100644 ---- a/drivers/block/xen-blkfront.c -+++ b/drivers/block/xen-blkfront.c -@@ -1984,7 +1984,8 @@ static void blkback_changed(struct xenbus_device *dev, - break; - /* Missed the backend's Closing state -- fallthrough */ - case XenbusStateClosing: -- blkfront_closing(info); -+ if (info) -+ blkfront_closing(info); - break; - } - } -diff --git a/drivers/bus/arm-ccn.c b/drivers/bus/arm-ccn.c -index 7d9879e..395cb7f 100644 ---- a/drivers/bus/arm-ccn.c -+++ b/drivers/bus/arm-ccn.c -@@ -1188,7 +1188,8 @@ static int arm_ccn_pmu_cpu_notifier(struct notifier_block *nb, - break; - perf_pmu_migrate_context(&dt->pmu, cpu, target); - cpumask_set_cpu(target, &dt->cpu); -- WARN_ON(irq_set_affinity(ccn->irq, &dt->cpu) != 0); -+ if (ccn->irq) -+ WARN_ON(irq_set_affinity(ccn->irq, &dt->cpu) != 0); - default: - break; - } -diff --git a/drivers/clk/clkdev.c b/drivers/clk/clkdev.c -index c0eaf09..779b6ff 100644 ---- a/drivers/clk/clkdev.c -+++ b/drivers/clk/clkdev.c -@@ -333,7 +333,8 @@ int clk_add_alias(const char *alias, const char *alias_dev_name, - if (IS_ERR(r)) - return PTR_ERR(r); - -- l = clkdev_create(r, alias, "%s", alias_dev_name); -+ l = clkdev_create(r, alias, alias_dev_name ? "%s" : NULL, -+ alias_dev_name); - clk_put(r); - - return l ? 0 : -ENODEV; -diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c -index fcb929e..aba2117 100644 ---- a/drivers/cpufreq/intel_pstate.c -+++ b/drivers/cpufreq/intel_pstate.c -@@ -766,6 +766,11 @@ static inline void intel_pstate_sample(struct cpudata *cpu) - local_irq_save(flags); - rdmsrl(MSR_IA32_APERF, aperf); - rdmsrl(MSR_IA32_MPERF, mperf); -+ if (cpu->prev_mperf == mperf) { -+ local_irq_restore(flags); -+ return; -+ } -+ - tsc = native_read_tsc(); - local_irq_restore(flags); - -diff --git a/drivers/edac/sb_edac.c b/drivers/edac/sb_edac.c -index ca78311..91cf710 100644 ---- a/drivers/edac/sb_edac.c -+++ b/drivers/edac/sb_edac.c -@@ -1648,6 +1648,7 @@ static int sbridge_mci_bind_devs(struct mem_ctl_info *mci, - { - struct sbridge_pvt *pvt = mci->pvt_info; - struct pci_dev *pdev; -+ u8 saw_chan_mask = 0; - int i; - - for (i = 0; i < sbridge_dev->n_devs; i++) { -@@ -1681,6 +1682,7 @@ static int sbridge_mci_bind_devs(struct mem_ctl_info *mci, - { - int id = pdev->device - PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_TAD0; - pvt->pci_tad[id] = pdev; -+ saw_chan_mask |= 1 << id; - } - break; - case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_DDRIO: -@@ -1701,10 +1703,8 @@ static int sbridge_mci_bind_devs(struct mem_ctl_info *mci, - !pvt-> pci_tad || !pvt->pci_ras || !pvt->pci_ta) - goto enodev; - -- for (i = 0; i < NUM_CHANNELS; i++) { -- if (!pvt->pci_tad[i]) -- goto enodev; -- } -+ if (saw_chan_mask != 0x0f) -+ goto enodev; - return 0; - - enodev: -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h -index f7b49d5c..e3305a5 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h -@@ -1583,6 +1583,7 @@ struct amdgpu_pm { - u8 fan_max_rpm; - /* dpm */ - bool dpm_enabled; -+ bool sysfs_initialized; - struct amdgpu_dpm dpm; - const struct firmware *fw; /* SMC firmware */ - uint32_t fw_version; -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c -index ed13baa..91c7556 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c -@@ -693,6 +693,9 @@ int amdgpu_pm_sysfs_init(struct amdgpu_device *adev) - { - int ret; - -+ if (adev->pm.sysfs_initialized) -+ return 0; -+ - if (adev->pm.funcs->get_temperature == NULL) - return 0; - adev->pm.int_hwmon_dev = hwmon_device_register_with_groups(adev->dev, -@@ -721,6 +724,8 @@ int amdgpu_pm_sysfs_init(struct amdgpu_device *adev) - return ret; - } - -+ adev->pm.sysfs_initialized = true; -+ - return 0; - } - -diff --git a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c -index 9745ed3..7e9154c 100644 ---- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c -+++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c -@@ -2997,6 +2997,9 @@ static int kv_dpm_late_init(void *handle) - struct amdgpu_device *adev = (struct amdgpu_device *)handle; - int ret; - -+ if (!amdgpu_dpm) -+ return 0; -+ - /* init the sysfs and debugfs files late */ - ret = amdgpu_pm_sysfs_init(adev); - if (ret) -diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c -index fed7483..4e8d72d 100644 ---- a/drivers/gpu/drm/drm_crtc.c -+++ b/drivers/gpu/drm/drm_crtc.c -@@ -4221,7 +4221,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, - struct drm_property_blob *blob; - int ret; - -- if (!length) -+ if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) - return ERR_PTR(-EINVAL); - - blob = kzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); -@@ -4573,7 +4573,7 @@ int drm_mode_createblob_ioctl(struct drm_device *dev, - * not associated with any file_priv. */ - mutex_lock(&dev->mode_config.blob_lock); - out_resp->blob_id = blob->base.id; -- list_add_tail(&file_priv->blobs, &blob->head_file); -+ list_add_tail(&blob->head_file, &file_priv->blobs); - mutex_unlock(&dev->mode_config.blob_lock); - - return 0; -diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c -index 27a2426..1f94219 100644 ---- a/drivers/gpu/drm/drm_dp_mst_topology.c -+++ b/drivers/gpu/drm/drm_dp_mst_topology.c -@@ -1193,17 +1193,18 @@ static struct drm_dp_mst_branch *drm_dp_get_mst_branch_device(struct drm_dp_mst_ - - list_for_each_entry(port, &mstb->ports, next) { - if (port->port_num == port_num) { -- if (!port->mstb) { -+ mstb = port->mstb; -+ if (!mstb) { - DRM_ERROR("failed to lookup MSTB with lct %d, rad %02x\n", lct, rad[0]); -- return NULL; -+ goto out; - } - -- mstb = port->mstb; - break; - } - } - } - kref_get(&mstb->kref); -+out: - mutex_unlock(&mgr->lock); - return mstb; - } -diff --git a/drivers/gpu/drm/i915/i915_gem_userptr.c b/drivers/gpu/drm/i915/i915_gem_userptr.c -index 8fd431b..a96b900 100644 ---- a/drivers/gpu/drm/i915/i915_gem_userptr.c -+++ b/drivers/gpu/drm/i915/i915_gem_userptr.c -@@ -804,7 +804,10 @@ static const struct drm_i915_gem_object_ops i915_gem_userptr_ops = { - * Also note, that the object created here is not currently a "first class" - * object, in that several ioctls are banned. These are the CPU access - * ioctls: mmap(), pwrite and pread. In practice, you are expected to use -- * direct access via your pointer rather than use those ioctls. -+ * direct access via your pointer rather than use those ioctls. Another -+ * restriction is that we do not allow userptr surfaces to be pinned to the -+ * hardware and so we reject any attempt to create a framebuffer out of a -+ * userptr. - * - * If you think this is a good interface to use to pass GPU memory between - * drivers, please use dma-buf instead. In fact, wherever possible use -diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 107c6c0..10b1b65 100644 ---- a/drivers/gpu/drm/i915/intel_display.c -+++ b/drivers/gpu/drm/i915/intel_display.c -@@ -1729,6 +1729,8 @@ static void i9xx_enable_pll(struct intel_crtc *crtc) - I915_READ(DPLL(!crtc->pipe)) | DPLL_DVO_2X_MODE); - } - -+ I915_WRITE(reg, dpll); -+ - /* Wait for the clocks to stabilize. */ - POSTING_READ(reg); - udelay(150); -@@ -14070,6 +14072,11 @@ static int intel_user_framebuffer_create_handle(struct drm_framebuffer *fb, - struct intel_framebuffer *intel_fb = to_intel_framebuffer(fb); - struct drm_i915_gem_object *obj = intel_fb->obj; - -+ if (obj->userptr.mm) { -+ DRM_DEBUG("attempting to use a userptr for a framebuffer, denied\n"); -+ return -EINVAL; -+ } -+ - return drm_gem_handle_create(file, &obj->base, handle); - } - -diff --git a/drivers/gpu/drm/i915/intel_lrc.c b/drivers/gpu/drm/i915/intel_lrc.c -index 7f2161a..504728b 100644 ---- a/drivers/gpu/drm/i915/intel_lrc.c -+++ b/drivers/gpu/drm/i915/intel_lrc.c -@@ -1250,6 +1250,7 @@ static int gen8_emit_flush_render(struct intel_ringbuffer *ringbuf, - if (flush_domains) { - flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH; - flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH; -+ flags |= PIPE_CONTROL_FLUSH_ENABLE; - } - - if (invalidate_domains) { -diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c -index 3817a6f..ba672aa 100644 ---- a/drivers/gpu/drm/i915/intel_ringbuffer.c -+++ b/drivers/gpu/drm/i915/intel_ringbuffer.c -@@ -342,6 +342,7 @@ gen7_render_ring_flush(struct intel_engine_cs *ring, - if (flush_domains) { - flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH; - flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH; -+ flags |= PIPE_CONTROL_FLUSH_ENABLE; - } - if (invalidate_domains) { - flags |= PIPE_CONTROL_TLB_INVALIDATE; -@@ -412,6 +413,7 @@ gen8_render_ring_flush(struct intel_engine_cs *ring, - if (flush_domains) { - flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH; - flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH; -+ flags |= PIPE_CONTROL_FLUSH_ENABLE; - } - if (invalidate_domains) { - flags |= PIPE_CONTROL_TLB_INVALIDATE; -diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c -index af1ee51..0b22394 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_gem.c -+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c -@@ -227,11 +227,12 @@ nouveau_gem_info(struct drm_file *file_priv, struct drm_gem_object *gem, - struct nouveau_bo *nvbo = nouveau_gem_object(gem); - struct nvkm_vma *vma; - -- if (nvbo->bo.mem.mem_type == TTM_PL_TT) -+ if (is_power_of_2(nvbo->valid_domains)) -+ rep->domain = nvbo->valid_domains; -+ else if (nvbo->bo.mem.mem_type == TTM_PL_TT) - rep->domain = NOUVEAU_GEM_DOMAIN_GART; - else - rep->domain = NOUVEAU_GEM_DOMAIN_VRAM; -- - rep->offset = nvbo->bo.offset; - if (cli->vm) { - vma = nouveau_bo_vma_find(nvbo, cli->vm); -diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c -index 65adb9c..bb29214 100644 ---- a/drivers/gpu/drm/radeon/atombios_encoders.c -+++ b/drivers/gpu/drm/radeon/atombios_encoders.c -@@ -237,6 +237,7 @@ void radeon_atom_backlight_init(struct radeon_encoder *radeon_encoder, - backlight_update_status(bd); - - DRM_INFO("radeon atom DIG backlight initialized\n"); -+ rdev->mode_info.bl_encoder = radeon_encoder; - - return; - -@@ -1624,9 +1625,14 @@ radeon_atom_encoder_dpms_avivo(struct drm_encoder *encoder, int mode) - } else - atom_execute_table(rdev->mode_info.atom_context, index, (uint32_t *)&args); - if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) { -- struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; -+ if (rdev->mode_info.bl_encoder) { -+ struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; - -- atombios_set_backlight_level(radeon_encoder, dig->backlight_level); -+ atombios_set_backlight_level(radeon_encoder, dig->backlight_level); -+ } else { -+ args.ucAction = ATOM_LCD_BLON; -+ atom_execute_table(rdev->mode_info.atom_context, index, (uint32_t *)&args); -+ } - } - break; - case DRM_MODE_DPMS_STANDBY: -@@ -1706,8 +1712,13 @@ radeon_atom_encoder_dpms_dig(struct drm_encoder *encoder, int mode) - if (ASIC_IS_DCE4(rdev)) - atombios_dig_encoder_setup(encoder, ATOM_ENCODER_CMD_DP_VIDEO_ON, 0); - } -- if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) -- atombios_set_backlight_level(radeon_encoder, dig->backlight_level); -+ if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) { -+ if (rdev->mode_info.bl_encoder) -+ atombios_set_backlight_level(radeon_encoder, dig->backlight_level); -+ else -+ atombios_dig_transmitter_setup(encoder, -+ ATOM_TRANSMITTER_ACTION_LCD_BLON, 0, 0); -+ } - if (ext_encoder) - atombios_external_encoder_setup(encoder, ext_encoder, ATOM_ENABLE); - break; -diff --git a/drivers/gpu/drm/radeon/radeon.h b/drivers/gpu/drm/radeon/radeon.h -index f03b7eb..b6cbd81 100644 ---- a/drivers/gpu/drm/radeon/radeon.h -+++ b/drivers/gpu/drm/radeon/radeon.h -@@ -1658,6 +1658,7 @@ struct radeon_pm { - u8 fan_max_rpm; - /* dpm */ - bool dpm_enabled; -+ bool sysfs_initialized; - struct radeon_dpm dpm; - }; - -diff --git a/drivers/gpu/drm/radeon/radeon_encoders.c b/drivers/gpu/drm/radeon/radeon_encoders.c -index ef99917..c6ee802 100644 ---- a/drivers/gpu/drm/radeon/radeon_encoders.c -+++ b/drivers/gpu/drm/radeon/radeon_encoders.c -@@ -194,7 +194,6 @@ static void radeon_encoder_add_backlight(struct radeon_encoder *radeon_encoder, - radeon_atom_backlight_init(radeon_encoder, connector); - else - radeon_legacy_backlight_init(radeon_encoder, connector); -- rdev->mode_info.bl_encoder = radeon_encoder; - } - } - -diff --git a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c -index 4571530..30de433 100644 ---- a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c -+++ b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c -@@ -441,6 +441,7 @@ void radeon_legacy_backlight_init(struct radeon_encoder *radeon_encoder, - backlight_update_status(bd); - - DRM_INFO("radeon legacy LVDS backlight initialized\n"); -+ rdev->mode_info.bl_encoder = radeon_encoder; - - return; - -diff --git a/drivers/gpu/drm/radeon/radeon_pm.c b/drivers/gpu/drm/radeon/radeon_pm.c -index 948c331..9176432 100644 ---- a/drivers/gpu/drm/radeon/radeon_pm.c -+++ b/drivers/gpu/drm/radeon/radeon_pm.c -@@ -720,10 +720,14 @@ static umode_t hwmon_attributes_visible(struct kobject *kobj, - struct radeon_device *rdev = dev_get_drvdata(dev); - umode_t effective_mode = attr->mode; - -- /* Skip limit attributes if DPM is not enabled */ -+ /* Skip attributes if DPM is not enabled */ - if (rdev->pm.pm_method != PM_METHOD_DPM && - (attr == &sensor_dev_attr_temp1_crit.dev_attr.attr || -- attr == &sensor_dev_attr_temp1_crit_hyst.dev_attr.attr)) -+ attr == &sensor_dev_attr_temp1_crit_hyst.dev_attr.attr || -+ attr == &sensor_dev_attr_pwm1.dev_attr.attr || -+ attr == &sensor_dev_attr_pwm1_enable.dev_attr.attr || -+ attr == &sensor_dev_attr_pwm1_max.dev_attr.attr || -+ attr == &sensor_dev_attr_pwm1_min.dev_attr.attr)) - return 0; - - /* Skip fan attributes if fan is not present */ -@@ -1529,19 +1533,23 @@ int radeon_pm_late_init(struct radeon_device *rdev) - - if (rdev->pm.pm_method == PM_METHOD_DPM) { - if (rdev->pm.dpm_enabled) { -- ret = device_create_file(rdev->dev, &dev_attr_power_dpm_state); -- if (ret) -- DRM_ERROR("failed to create device file for dpm state\n"); -- ret = device_create_file(rdev->dev, &dev_attr_power_dpm_force_performance_level); -- if (ret) -- DRM_ERROR("failed to create device file for dpm state\n"); -- /* XXX: these are noops for dpm but are here for backwards compat */ -- ret = device_create_file(rdev->dev, &dev_attr_power_profile); -- if (ret) -- DRM_ERROR("failed to create device file for power profile\n"); -- ret = device_create_file(rdev->dev, &dev_attr_power_method); -- if (ret) -- DRM_ERROR("failed to create device file for power method\n"); -+ if (!rdev->pm.sysfs_initialized) { -+ ret = device_create_file(rdev->dev, &dev_attr_power_dpm_state); -+ if (ret) -+ DRM_ERROR("failed to create device file for dpm state\n"); -+ ret = device_create_file(rdev->dev, &dev_attr_power_dpm_force_performance_level); -+ if (ret) -+ DRM_ERROR("failed to create device file for dpm state\n"); -+ /* XXX: these are noops for dpm but are here for backwards compat */ -+ ret = device_create_file(rdev->dev, &dev_attr_power_profile); -+ if (ret) -+ DRM_ERROR("failed to create device file for power profile\n"); -+ ret = device_create_file(rdev->dev, &dev_attr_power_method); -+ if (ret) -+ DRM_ERROR("failed to create device file for power method\n"); -+ if (!ret) -+ rdev->pm.sysfs_initialized = true; -+ } - - mutex_lock(&rdev->pm.mutex); - ret = radeon_dpm_late_enable(rdev); -@@ -1557,7 +1565,8 @@ int radeon_pm_late_init(struct radeon_device *rdev) - } - } - } else { -- if (rdev->pm.num_power_states > 1) { -+ if ((rdev->pm.num_power_states > 1) && -+ (!rdev->pm.sysfs_initialized)) { - /* where's the best place to put these? */ - ret = device_create_file(rdev->dev, &dev_attr_power_profile); - if (ret) -@@ -1565,6 +1574,8 @@ int radeon_pm_late_init(struct radeon_device *rdev) - ret = device_create_file(rdev->dev, &dev_attr_power_method); - if (ret) - DRM_ERROR("failed to create device file for power method\n"); -+ if (!ret) -+ rdev->pm.sysfs_initialized = true; - } - } - return ret; -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c -index 620bb5c..15a8d77 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c -@@ -1458,6 +1458,9 @@ static void __exit vmwgfx_exit(void) - drm_pci_exit(&driver, &vmw_pci_driver); - } - -+MODULE_INFO(vmw_patch, "ed7d78b2"); -+MODULE_INFO(vmw_patch, "54c12bc3"); -+ - module_init(vmwgfx_init); - module_exit(vmwgfx_exit); - -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h -index d26a6da..d8896ed 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h -@@ -636,7 +636,8 @@ extern int vmw_user_dmabuf_alloc(struct vmw_private *dev_priv, - uint32_t size, - bool shareable, - uint32_t *handle, -- struct vmw_dma_buffer **p_dma_buf); -+ struct vmw_dma_buffer **p_dma_buf, -+ struct ttm_base_object **p_base); - extern int vmw_user_dmabuf_reference(struct ttm_object_file *tfile, - struct vmw_dma_buffer *dma_buf, - uint32_t *handle); -@@ -650,7 +651,8 @@ extern uint32_t vmw_dmabuf_validate_node(struct ttm_buffer_object *bo, - uint32_t cur_validate_node); - extern void vmw_dmabuf_validate_clear(struct ttm_buffer_object *bo); - extern int vmw_user_dmabuf_lookup(struct ttm_object_file *tfile, -- uint32_t id, struct vmw_dma_buffer **out); -+ uint32_t id, struct vmw_dma_buffer **out, -+ struct ttm_base_object **base); - extern int vmw_stream_claim_ioctl(struct drm_device *dev, void *data, - struct drm_file *file_priv); - extern int vmw_stream_unref_ioctl(struct drm_device *dev, void *data, -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c -index 97ad3bc..aee1c6c 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c -@@ -887,7 +887,8 @@ static int vmw_translate_mob_ptr(struct vmw_private *dev_priv, - struct vmw_relocation *reloc; - int ret; - -- ret = vmw_user_dmabuf_lookup(sw_context->fp->tfile, handle, &vmw_bo); -+ ret = vmw_user_dmabuf_lookup(sw_context->fp->tfile, handle, &vmw_bo, -+ NULL); - if (unlikely(ret != 0)) { - DRM_ERROR("Could not find or use MOB buffer.\n"); - ret = -EINVAL; -@@ -949,7 +950,8 @@ static int vmw_translate_guest_ptr(struct vmw_private *dev_priv, - struct vmw_relocation *reloc; - int ret; - -- ret = vmw_user_dmabuf_lookup(sw_context->fp->tfile, handle, &vmw_bo); -+ ret = vmw_user_dmabuf_lookup(sw_context->fp->tfile, handle, &vmw_bo, -+ NULL); - if (unlikely(ret != 0)) { - DRM_ERROR("Could not find or use GMR region.\n"); - ret = -EINVAL; -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c -index 87e39f6..e189898 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c -@@ -484,7 +484,7 @@ int vmw_overlay_ioctl(struct drm_device *dev, void *data, - goto out_unlock; - } - -- ret = vmw_user_dmabuf_lookup(tfile, arg->handle, &buf); -+ ret = vmw_user_dmabuf_lookup(tfile, arg->handle, &buf, NULL); - if (ret) - goto out_unlock; - -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c -index 210ef15..c5b4c47 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c -@@ -356,7 +356,7 @@ int vmw_user_lookup_handle(struct vmw_private *dev_priv, - } - - *out_surf = NULL; -- ret = vmw_user_dmabuf_lookup(tfile, handle, out_buf); -+ ret = vmw_user_dmabuf_lookup(tfile, handle, out_buf, NULL); - return ret; - } - -@@ -483,7 +483,8 @@ int vmw_user_dmabuf_alloc(struct vmw_private *dev_priv, - uint32_t size, - bool shareable, - uint32_t *handle, -- struct vmw_dma_buffer **p_dma_buf) -+ struct vmw_dma_buffer **p_dma_buf, -+ struct ttm_base_object **p_base) - { - struct vmw_user_dma_buffer *user_bo; - struct ttm_buffer_object *tmp; -@@ -517,6 +518,10 @@ int vmw_user_dmabuf_alloc(struct vmw_private *dev_priv, - } - - *p_dma_buf = &user_bo->dma; -+ if (p_base) { -+ *p_base = &user_bo->prime.base; -+ kref_get(&(*p_base)->refcount); -+ } - *handle = user_bo->prime.base.hash.key; - - out_no_base_object: -@@ -633,6 +638,7 @@ int vmw_user_dmabuf_synccpu_ioctl(struct drm_device *dev, void *data, - struct vmw_dma_buffer *dma_buf; - struct vmw_user_dma_buffer *user_bo; - struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile; -+ struct ttm_base_object *buffer_base; - int ret; - - if ((arg->flags & (drm_vmw_synccpu_read | drm_vmw_synccpu_write)) == 0 -@@ -645,7 +651,8 @@ int vmw_user_dmabuf_synccpu_ioctl(struct drm_device *dev, void *data, - - switch (arg->op) { - case drm_vmw_synccpu_grab: -- ret = vmw_user_dmabuf_lookup(tfile, arg->handle, &dma_buf); -+ ret = vmw_user_dmabuf_lookup(tfile, arg->handle, &dma_buf, -+ &buffer_base); - if (unlikely(ret != 0)) - return ret; - -@@ -653,6 +660,7 @@ int vmw_user_dmabuf_synccpu_ioctl(struct drm_device *dev, void *data, - dma); - ret = vmw_user_dmabuf_synccpu_grab(user_bo, tfile, arg->flags); - vmw_dmabuf_unreference(&dma_buf); -+ ttm_base_object_unref(&buffer_base); - if (unlikely(ret != 0 && ret != -ERESTARTSYS && - ret != -EBUSY)) { - DRM_ERROR("Failed synccpu grab on handle 0x%08x.\n", -@@ -694,7 +702,8 @@ int vmw_dmabuf_alloc_ioctl(struct drm_device *dev, void *data, - return ret; - - ret = vmw_user_dmabuf_alloc(dev_priv, vmw_fpriv(file_priv)->tfile, -- req->size, false, &handle, &dma_buf); -+ req->size, false, &handle, &dma_buf, -+ NULL); - if (unlikely(ret != 0)) - goto out_no_dmabuf; - -@@ -723,7 +732,8 @@ int vmw_dmabuf_unref_ioctl(struct drm_device *dev, void *data, - } - - int vmw_user_dmabuf_lookup(struct ttm_object_file *tfile, -- uint32_t handle, struct vmw_dma_buffer **out) -+ uint32_t handle, struct vmw_dma_buffer **out, -+ struct ttm_base_object **p_base) - { - struct vmw_user_dma_buffer *vmw_user_bo; - struct ttm_base_object *base; -@@ -745,7 +755,10 @@ int vmw_user_dmabuf_lookup(struct ttm_object_file *tfile, - vmw_user_bo = container_of(base, struct vmw_user_dma_buffer, - prime.base); - (void)ttm_bo_reference(&vmw_user_bo->dma.base); -- ttm_base_object_unref(&base); -+ if (p_base) -+ *p_base = base; -+ else -+ ttm_base_object_unref(&base); - *out = &vmw_user_bo->dma; - - return 0; -@@ -1006,7 +1019,7 @@ int vmw_dumb_create(struct drm_file *file_priv, - - ret = vmw_user_dmabuf_alloc(dev_priv, vmw_fpriv(file_priv)->tfile, - args->size, false, &args->handle, -- &dma_buf); -+ &dma_buf, NULL); - if (unlikely(ret != 0)) - goto out_no_dmabuf; - -@@ -1034,7 +1047,7 @@ int vmw_dumb_map_offset(struct drm_file *file_priv, - struct vmw_dma_buffer *out_buf; - int ret; - -- ret = vmw_user_dmabuf_lookup(tfile, handle, &out_buf); -+ ret = vmw_user_dmabuf_lookup(tfile, handle, &out_buf, NULL); - if (ret != 0) - return -EINVAL; - -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c -index 6a4584a..d2751ad 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c -@@ -470,7 +470,7 @@ int vmw_shader_define_ioctl(struct drm_device *dev, void *data, - - if (arg->buffer_handle != SVGA3D_INVALID_ID) { - ret = vmw_user_dmabuf_lookup(tfile, arg->buffer_handle, -- &buffer); -+ &buffer, NULL); - if (unlikely(ret != 0)) { - DRM_ERROR("Could not find buffer for shader " - "creation.\n"); -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -index 4ecdbf3..17a4107 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -@@ -43,6 +43,7 @@ struct vmw_user_surface { - struct vmw_surface srf; - uint32_t size; - struct drm_master *master; -+ struct ttm_base_object *backup_base; - }; - - /** -@@ -652,6 +653,8 @@ static void vmw_user_surface_base_release(struct ttm_base_object **p_base) - struct vmw_resource *res = &user_srf->srf.res; - - *p_base = NULL; -+ if (user_srf->backup_base) -+ ttm_base_object_unref(&user_srf->backup_base); - vmw_resource_unreference(&res); - } - -@@ -846,7 +849,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, - res->backup_size, - true, - &backup_handle, -- &res->backup); -+ &res->backup, -+ &user_srf->backup_base); - if (unlikely(ret != 0)) { - vmw_resource_unreference(&res); - goto out_unlock; -@@ -1309,7 +1313,8 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data, - - if (req->buffer_handle != SVGA3D_INVALID_ID) { - ret = vmw_user_dmabuf_lookup(tfile, req->buffer_handle, -- &res->backup); -+ &res->backup, -+ &user_srf->backup_base); - } else if (req->drm_surface_flags & - drm_vmw_surface_flag_create_buffer) - ret = vmw_user_dmabuf_alloc(dev_priv, tfile, -@@ -1317,7 +1322,8 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data, - req->drm_surface_flags & - drm_vmw_surface_flag_shareable, - &backup_handle, -- &res->backup); -+ &res->backup, -+ &user_srf->backup_base); - - if (unlikely(ret != 0)) { - vmw_resource_unreference(&res); -diff --git a/drivers/i2c/busses/i2c-mv64xxx.c b/drivers/i2c/busses/i2c-mv64xxx.c -index 30059c1..5801227 100644 ---- a/drivers/i2c/busses/i2c-mv64xxx.c -+++ b/drivers/i2c/busses/i2c-mv64xxx.c -@@ -669,8 +669,6 @@ mv64xxx_i2c_can_offload(struct mv64xxx_i2c_data *drv_data) - struct i2c_msg *msgs = drv_data->msgs; - int num = drv_data->num_msgs; - -- return false; -- - if (!drv_data->offload_enabled) - return false; - -diff --git a/drivers/iio/accel/st_accel_core.c b/drivers/iio/accel/st_accel_core.c -index 4002e64..c472477 100644 ---- a/drivers/iio/accel/st_accel_core.c -+++ b/drivers/iio/accel/st_accel_core.c -@@ -149,8 +149,6 @@ - #define ST_ACCEL_4_BDU_MASK 0x40 - #define ST_ACCEL_4_DRDY_IRQ_ADDR 0x21 - #define ST_ACCEL_4_DRDY_IRQ_INT1_MASK 0x04 --#define ST_ACCEL_4_IG1_EN_ADDR 0x21 --#define ST_ACCEL_4_IG1_EN_MASK 0x08 - #define ST_ACCEL_4_MULTIREAD_BIT true - - /* CUSTOM VALUES FOR SENSOR 5 */ -@@ -484,10 +482,6 @@ static const struct st_sensor_settings st_accel_sensors_settings[] = { - .drdy_irq = { - .addr = ST_ACCEL_4_DRDY_IRQ_ADDR, - .mask_int1 = ST_ACCEL_4_DRDY_IRQ_INT1_MASK, -- .ig1 = { -- .en_addr = ST_ACCEL_4_IG1_EN_ADDR, -- .en_mask = ST_ACCEL_4_IG1_EN_MASK, -- }, - }, - .multi_read_bit = ST_ACCEL_4_MULTIREAD_BIT, - .bootime = 2, /* guess */ -diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c -index 3a972eb..8be7352 100644 ---- a/drivers/infiniband/core/cm.c -+++ b/drivers/infiniband/core/cm.c -@@ -873,6 +873,11 @@ retest: - case IB_CM_SIDR_REQ_RCVD: - spin_unlock_irq(&cm_id_priv->lock); - cm_reject_sidr_req(cm_id_priv, IB_SIDR_REJECT); -+ spin_lock_irq(&cm.lock); -+ if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node)) -+ rb_erase(&cm_id_priv->sidr_id_node, -+ &cm.remote_sidr_table); -+ spin_unlock_irq(&cm.lock); - break; - case IB_CM_REQ_SENT: - case IB_CM_MRA_REQ_RCVD: -@@ -3112,7 +3117,10 @@ int ib_send_cm_sidr_rep(struct ib_cm_id *cm_id, - spin_unlock_irqrestore(&cm_id_priv->lock, flags); - - spin_lock_irqsave(&cm.lock, flags); -- rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table); -+ if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node)) { -+ rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table); -+ RB_CLEAR_NODE(&cm_id_priv->sidr_id_node); -+ } - spin_unlock_irqrestore(&cm.lock, flags); - return 0; - -diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c -index 4d24686..41e6cb5 100644 ---- a/drivers/input/mouse/alps.c -+++ b/drivers/input/mouse/alps.c -@@ -100,7 +100,7 @@ static const struct alps_nibble_commands alps_v6_nibble_commands[] = { - #define ALPS_FOUR_BUTTONS 0x40 /* 4 direction button present */ - #define ALPS_PS2_INTERLEAVED 0x80 /* 3-byte PS/2 packet interleaved with - 6-byte ALPS packet */ --#define ALPS_DELL 0x100 /* device is a Dell laptop */ -+#define ALPS_STICK_BITS 0x100 /* separate stick button bits */ - #define ALPS_BUTTONPAD 0x200 /* device is a clickpad */ - - static const struct alps_model_info alps_model_data[] = { -@@ -159,6 +159,43 @@ static const struct alps_protocol_info alps_v8_protocol_data = { - ALPS_PROTO_V8, 0x18, 0x18, 0 - }; - -+/* -+ * Some v2 models report the stick buttons in separate bits -+ */ -+static const struct dmi_system_id alps_dmi_has_separate_stick_buttons[] = { -+#if defined(CONFIG_DMI) && defined(CONFIG_X86) -+ { -+ /* Extrapolated from other entries */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D420"), -+ }, -+ }, -+ { -+ /* Reported-by: Hans de Bruin */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D430"), -+ }, -+ }, -+ { -+ /* Reported-by: Hans de Goede */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D620"), -+ }, -+ }, -+ { -+ /* Extrapolated from other entries */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D630"), -+ }, -+ }, -+#endif -+ { } -+}; -+ - static void alps_set_abs_params_st(struct alps_data *priv, - struct input_dev *dev1); - static void alps_set_abs_params_semi_mt(struct alps_data *priv, -@@ -253,9 +290,8 @@ static void alps_process_packet_v1_v2(struct psmouse *psmouse) - return; - } - -- /* Dell non interleaved V2 dualpoint has separate stick button bits */ -- if (priv->proto_version == ALPS_PROTO_V2 && -- priv->flags == (ALPS_DELL | ALPS_PASS | ALPS_DUALPOINT)) { -+ /* Some models have separate stick button bits */ -+ if (priv->flags & ALPS_STICK_BITS) { - left |= packet[0] & 1; - right |= packet[0] & 2; - middle |= packet[0] & 4; -@@ -2552,8 +2588,6 @@ static int alps_set_protocol(struct psmouse *psmouse, - priv->byte0 = protocol->byte0; - priv->mask0 = protocol->mask0; - priv->flags = protocol->flags; -- if (dmi_name_in_vendors("Dell")) -- priv->flags |= ALPS_DELL; - - priv->x_max = 2000; - priv->y_max = 1400; -@@ -2568,6 +2602,8 @@ static int alps_set_protocol(struct psmouse *psmouse, - priv->set_abs_params = alps_set_abs_params_st; - priv->x_max = 1023; - priv->y_max = 767; -+ if (dmi_check_system(alps_dmi_has_separate_stick_buttons)) -+ priv->flags |= ALPS_STICK_BITS; - break; - - case ALPS_PROTO_V3: -diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c -index 658ee39..1b10e5fd 100644 ---- a/drivers/iommu/amd_iommu.c -+++ b/drivers/iommu/amd_iommu.c -@@ -1974,8 +1974,8 @@ static void set_dte_entry(u16 devid, struct protection_domain *domain, bool ats) - static void clear_dte_entry(u16 devid) - { - /* remove entry from the device table seen by the hardware */ -- amd_iommu_dev_table[devid].data[0] = IOMMU_PTE_P | IOMMU_PTE_TV; -- amd_iommu_dev_table[devid].data[1] = 0; -+ amd_iommu_dev_table[devid].data[0] = IOMMU_PTE_P | IOMMU_PTE_TV; -+ amd_iommu_dev_table[devid].data[1] &= DTE_FLAG_MASK; - - amd_iommu_apply_erratum_63(devid); - } -diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h -index f659088..c9b6472 100644 ---- a/drivers/iommu/amd_iommu_types.h -+++ b/drivers/iommu/amd_iommu_types.h -@@ -295,6 +295,7 @@ - #define IOMMU_PTE_IR (1ULL << 61) - #define IOMMU_PTE_IW (1ULL << 62) - -+#define DTE_FLAG_MASK (0x3ffULL << 32) - #define DTE_FLAG_IOTLB (0x01UL << 32) - #define DTE_FLAG_GV (0x01ULL << 55) - #define DTE_GLX_SHIFT (56) -diff --git a/drivers/iommu/amd_iommu_v2.c b/drivers/iommu/amd_iommu_v2.c -index f7b875b..c3b8a5b 100644 ---- a/drivers/iommu/amd_iommu_v2.c -+++ b/drivers/iommu/amd_iommu_v2.c -@@ -516,6 +516,13 @@ static void do_fault(struct work_struct *work) - goto out; - } - -+ if (!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))) { -+ /* handle_mm_fault would BUG_ON() */ -+ up_read(&mm->mmap_sem); -+ handle_fault_error(fault); -+ goto out; -+ } -+ - ret = handle_mm_fault(mm, vma, address, write); - if (ret & VM_FAULT_ERROR) { - /* failed to service fault */ -diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c -index 7553cb9..bd1b8ad 100644 ---- a/drivers/iommu/intel-iommu.c -+++ b/drivers/iommu/intel-iommu.c -@@ -2109,15 +2109,19 @@ static int __domain_mapping(struct dmar_domain *domain, unsigned long iov_pfn, - return -ENOMEM; - /* It is large page*/ - if (largepage_lvl > 1) { -+ unsigned long nr_superpages, end_pfn; -+ - pteval |= DMA_PTE_LARGE_PAGE; - lvl_pages = lvl_to_nr_pages(largepage_lvl); -+ -+ nr_superpages = sg_res / lvl_pages; -+ end_pfn = iov_pfn + nr_superpages * lvl_pages - 1; -+ - /* - * Ensure that old small page tables are -- * removed to make room for superpage, -- * if they exist. -+ * removed to make room for superpage(s). - */ -- dma_pte_free_pagetable(domain, iov_pfn, -- iov_pfn + lvl_pages - 1); -+ dma_pte_free_pagetable(domain, iov_pfn, end_pfn); - } else { - pteval &= ~(uint64_t)DMA_PTE_LARGE_PAGE; - } -diff --git a/drivers/irqchip/irq-tegra.c b/drivers/irqchip/irq-tegra.c -index f67bbd8..ab5353a 100644 ---- a/drivers/irqchip/irq-tegra.c -+++ b/drivers/irqchip/irq-tegra.c -@@ -215,6 +215,7 @@ static struct irq_chip tegra_ictlr_chip = { - .irq_unmask = tegra_unmask, - .irq_retrigger = tegra_retrigger, - .irq_set_wake = tegra_set_wake, -+ .irq_set_type = irq_chip_set_type_parent, - .flags = IRQCHIP_MASK_ON_SUSPEND, - #ifdef CONFIG_SMP - .irq_set_affinity = irq_chip_set_affinity_parent, -diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c -index 20cc36b..0a17d1b 100644 ---- a/drivers/md/dm-cache-metadata.c -+++ b/drivers/md/dm-cache-metadata.c -@@ -634,10 +634,10 @@ static int __commit_transaction(struct dm_cache_metadata *cmd, - - disk_super = dm_block_data(sblock); - -+ disk_super->flags = cpu_to_le32(cmd->flags); - if (mutator) - update_flags(disk_super, mutator); - -- disk_super->flags = cpu_to_le32(cmd->flags); - disk_super->mapping_root = cpu_to_le64(cmd->root); - disk_super->hint_root = cpu_to_le64(cmd->hint_root); - disk_super->discard_root = cpu_to_le64(cmd->discard_root); -diff --git a/drivers/md/md.c b/drivers/md/md.c -index e25f00f..95e7b72 100644 ---- a/drivers/md/md.c -+++ b/drivers/md/md.c -@@ -8030,8 +8030,7 @@ static int remove_and_add_spares(struct mddev *mddev, - !test_bit(Bitmap_sync, &rdev->flags))) - continue; - -- if (rdev->saved_raid_disk < 0) -- rdev->recovery_offset = 0; -+ rdev->recovery_offset = 0; - if (mddev->pers-> - hot_add_disk(mddev, rdev) == 0) { - if (sysfs_link_rdev(mddev, rdev)) -diff --git a/drivers/md/persistent-data/dm-btree-remove.c b/drivers/md/persistent-data/dm-btree-remove.c -index 4222f77..1dac15d 100644 ---- a/drivers/md/persistent-data/dm-btree-remove.c -+++ b/drivers/md/persistent-data/dm-btree-remove.c -@@ -301,11 +301,16 @@ static void redistribute3(struct dm_btree_info *info, struct btree_node *parent, - { - int s; - uint32_t max_entries = le32_to_cpu(left->header.max_entries); -- unsigned target = (nr_left + nr_center + nr_right) / 3; -- BUG_ON(target > max_entries); -+ unsigned total = nr_left + nr_center + nr_right; -+ unsigned target_right = total / 3; -+ unsigned remainder = (target_right * 3) != total; -+ unsigned target_left = target_right + remainder; -+ -+ BUG_ON(target_left > max_entries); -+ BUG_ON(target_right > max_entries); - - if (nr_left < nr_right) { -- s = nr_left - target; -+ s = nr_left - target_left; - - if (s < 0 && nr_center < -s) { - /* not enough in central node */ -@@ -316,10 +321,10 @@ static void redistribute3(struct dm_btree_info *info, struct btree_node *parent, - } else - shift(left, center, s); - -- shift(center, right, target - nr_right); -+ shift(center, right, target_right - nr_right); - - } else { -- s = target - nr_right; -+ s = target_right - nr_right; - if (s > 0 && nr_center < s) { - /* not enough in central node */ - shift(center, right, nr_center); -@@ -329,7 +334,7 @@ static void redistribute3(struct dm_btree_info *info, struct btree_node *parent, - } else - shift(center, right, s); - -- shift(left, center, nr_left - target); -+ shift(left, center, nr_left - target_left); - } - - *key_ptr(parent, c->index) = center->keys[0]; -diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c -index c7726ce..d6e4703 100644 ---- a/drivers/md/persistent-data/dm-btree.c -+++ b/drivers/md/persistent-data/dm-btree.c -@@ -523,7 +523,7 @@ static int btree_split_beneath(struct shadow_spine *s, uint64_t key) - - r = new_block(s->info, &right); - if (r < 0) { -- /* FIXME: put left */ -+ unlock_block(s->info, left); - return r; - } - -diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index 967a4ed..d10d300 100644 ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -2249,7 +2249,7 @@ static int narrow_write_error(struct r1bio *r1_bio, int i) - bio_trim(wbio, sector - r1_bio->sector, sectors); - wbio->bi_iter.bi_sector += rdev->data_offset; - wbio->bi_bdev = rdev->bdev; -- if (submit_bio_wait(WRITE, wbio) == 0) -+ if (submit_bio_wait(WRITE, wbio) < 0) - /* failure! */ - ok = rdev_set_badblocks(rdev, sector, - sectors, 0) -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index 38c58e1..d4b70d9 100644 ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -2580,7 +2580,7 @@ static int narrow_write_error(struct r10bio *r10_bio, int i) - choose_data_offset(r10_bio, rdev) + - (sector - r10_bio->sector)); - wbio->bi_bdev = rdev->bdev; -- if (submit_bio_wait(WRITE, wbio) == 0) -+ if (submit_bio_wait(WRITE, wbio) < 0) - /* Failure! */ - ok = rdev_set_badblocks(rdev, sector, - sectors, 0) -diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index f757023..0d4f7b1 100644 ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -3505,6 +3505,7 @@ returnbi: - } - if (!discard_pending && - test_bit(R5_Discard, &sh->dev[sh->pd_idx].flags)) { -+ int hash; - clear_bit(R5_Discard, &sh->dev[sh->pd_idx].flags); - clear_bit(R5_UPTODATE, &sh->dev[sh->pd_idx].flags); - if (sh->qd_idx >= 0) { -@@ -3518,16 +3519,17 @@ returnbi: - * no updated data, so remove it from hash list and the stripe - * will be reinitialized - */ -- spin_lock_irq(&conf->device_lock); - unhash: -+ hash = sh->hash_lock_index; -+ spin_lock_irq(conf->hash_locks + hash); - remove_hash(sh); -+ spin_unlock_irq(conf->hash_locks + hash); - if (head_sh->batch_head) { - sh = list_first_entry(&sh->batch_list, - struct stripe_head, batch_list); - if (sh != head_sh) - goto unhash; - } -- spin_unlock_irq(&conf->device_lock); - sh = head_sh; - - if (test_bit(STRIPE_SYNC_REQUESTED, &sh->state)) -diff --git a/drivers/media/dvb-frontends/m88ds3103.c b/drivers/media/dvb-frontends/m88ds3103.c -index e9b2d2b..377fb69 100644 ---- a/drivers/media/dvb-frontends/m88ds3103.c -+++ b/drivers/media/dvb-frontends/m88ds3103.c -@@ -18,6 +18,27 @@ - - static struct dvb_frontend_ops m88ds3103_ops; - -+/* write single register with mask */ -+static int m88ds3103_update_bits(struct m88ds3103_dev *dev, -+ u8 reg, u8 mask, u8 val) -+{ -+ int ret; -+ u8 tmp; -+ -+ /* no need for read if whole reg is written */ -+ if (mask != 0xff) { -+ ret = regmap_bulk_read(dev->regmap, reg, &tmp, 1); -+ if (ret) -+ return ret; -+ -+ val &= mask; -+ tmp &= ~mask; -+ val |= tmp; -+ } -+ -+ return regmap_bulk_write(dev->regmap, reg, &val, 1); -+} -+ - /* write reg val table using reg addr auto increment */ - static int m88ds3103_wr_reg_val_tab(struct m88ds3103_dev *dev, - const struct m88ds3103_reg_val *tab, int tab_len) -@@ -394,10 +415,10 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe) - u8tmp2 = 0x00; /* 0b00 */ - break; - } -- ret = regmap_update_bits(dev->regmap, 0x22, 0xc0, u8tmp1 << 6); -+ ret = m88ds3103_update_bits(dev, 0x22, 0xc0, u8tmp1 << 6); - if (ret) - goto err; -- ret = regmap_update_bits(dev->regmap, 0x24, 0xc0, u8tmp2 << 6); -+ ret = m88ds3103_update_bits(dev, 0x24, 0xc0, u8tmp2 << 6); - if (ret) - goto err; - } -@@ -455,13 +476,13 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe) - if (ret) - goto err; - } -- ret = regmap_update_bits(dev->regmap, 0x9d, 0x08, 0x08); -+ ret = m88ds3103_update_bits(dev, 0x9d, 0x08, 0x08); - if (ret) - goto err; - ret = regmap_write(dev->regmap, 0xf1, 0x01); - if (ret) - goto err; -- ret = regmap_update_bits(dev->regmap, 0x30, 0x80, 0x80); -+ ret = m88ds3103_update_bits(dev, 0x30, 0x80, 0x80); - if (ret) - goto err; - } -@@ -498,7 +519,7 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe) - switch (dev->cfg->ts_mode) { - case M88DS3103_TS_SERIAL: - case M88DS3103_TS_SERIAL_D7: -- ret = regmap_update_bits(dev->regmap, 0x29, 0x20, u8tmp1); -+ ret = m88ds3103_update_bits(dev, 0x29, 0x20, u8tmp1); - if (ret) - goto err; - u8tmp1 = 0; -@@ -567,11 +588,11 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe) - if (ret) - goto err; - -- ret = regmap_update_bits(dev->regmap, 0x4d, 0x02, dev->cfg->spec_inv << 1); -+ ret = m88ds3103_update_bits(dev, 0x4d, 0x02, dev->cfg->spec_inv << 1); - if (ret) - goto err; - -- ret = regmap_update_bits(dev->regmap, 0x30, 0x10, dev->cfg->agc_inv << 4); -+ ret = m88ds3103_update_bits(dev, 0x30, 0x10, dev->cfg->agc_inv << 4); - if (ret) - goto err; - -@@ -625,13 +646,13 @@ static int m88ds3103_init(struct dvb_frontend *fe) - dev->warm = false; - - /* wake up device from sleep */ -- ret = regmap_update_bits(dev->regmap, 0x08, 0x01, 0x01); -+ ret = m88ds3103_update_bits(dev, 0x08, 0x01, 0x01); - if (ret) - goto err; -- ret = regmap_update_bits(dev->regmap, 0x04, 0x01, 0x00); -+ ret = m88ds3103_update_bits(dev, 0x04, 0x01, 0x00); - if (ret) - goto err; -- ret = regmap_update_bits(dev->regmap, 0x23, 0x10, 0x00); -+ ret = m88ds3103_update_bits(dev, 0x23, 0x10, 0x00); - if (ret) - goto err; - -@@ -749,18 +770,18 @@ static int m88ds3103_sleep(struct dvb_frontend *fe) - utmp = 0x29; - else - utmp = 0x27; -- ret = regmap_update_bits(dev->regmap, utmp, 0x01, 0x00); -+ ret = m88ds3103_update_bits(dev, utmp, 0x01, 0x00); - if (ret) - goto err; - - /* sleep */ -- ret = regmap_update_bits(dev->regmap, 0x08, 0x01, 0x00); -+ ret = m88ds3103_update_bits(dev, 0x08, 0x01, 0x00); - if (ret) - goto err; -- ret = regmap_update_bits(dev->regmap, 0x04, 0x01, 0x01); -+ ret = m88ds3103_update_bits(dev, 0x04, 0x01, 0x01); - if (ret) - goto err; -- ret = regmap_update_bits(dev->regmap, 0x23, 0x10, 0x10); -+ ret = m88ds3103_update_bits(dev, 0x23, 0x10, 0x10); - if (ret) - goto err; - -@@ -992,12 +1013,12 @@ static int m88ds3103_set_tone(struct dvb_frontend *fe, - } - - utmp = tone << 7 | dev->cfg->envelope_mode << 5; -- ret = regmap_update_bits(dev->regmap, 0xa2, 0xe0, utmp); -+ ret = m88ds3103_update_bits(dev, 0xa2, 0xe0, utmp); - if (ret) - goto err; - - utmp = 1 << 2; -- ret = regmap_update_bits(dev->regmap, 0xa1, reg_a1_mask, utmp); -+ ret = m88ds3103_update_bits(dev, 0xa1, reg_a1_mask, utmp); - if (ret) - goto err; - -@@ -1047,7 +1068,7 @@ static int m88ds3103_set_voltage(struct dvb_frontend *fe, - voltage_dis ^= dev->cfg->lnb_en_pol; - - utmp = voltage_dis << 1 | voltage_sel << 0; -- ret = regmap_update_bits(dev->regmap, 0xa2, 0x03, utmp); -+ ret = m88ds3103_update_bits(dev, 0xa2, 0x03, utmp); - if (ret) - goto err; - -@@ -1080,7 +1101,7 @@ static int m88ds3103_diseqc_send_master_cmd(struct dvb_frontend *fe, - } - - utmp = dev->cfg->envelope_mode << 5; -- ret = regmap_update_bits(dev->regmap, 0xa2, 0xe0, utmp); -+ ret = m88ds3103_update_bits(dev, 0xa2, 0xe0, utmp); - if (ret) - goto err; - -@@ -1115,12 +1136,12 @@ static int m88ds3103_diseqc_send_master_cmd(struct dvb_frontend *fe, - } else { - dev_dbg(&client->dev, "diseqc tx timeout\n"); - -- ret = regmap_update_bits(dev->regmap, 0xa1, 0xc0, 0x40); -+ ret = m88ds3103_update_bits(dev, 0xa1, 0xc0, 0x40); - if (ret) - goto err; - } - -- ret = regmap_update_bits(dev->regmap, 0xa2, 0xc0, 0x80); -+ ret = m88ds3103_update_bits(dev, 0xa2, 0xc0, 0x80); - if (ret) - goto err; - -@@ -1152,7 +1173,7 @@ static int m88ds3103_diseqc_send_burst(struct dvb_frontend *fe, - } - - utmp = dev->cfg->envelope_mode << 5; -- ret = regmap_update_bits(dev->regmap, 0xa2, 0xe0, utmp); -+ ret = m88ds3103_update_bits(dev, 0xa2, 0xe0, utmp); - if (ret) - goto err; - -@@ -1194,12 +1215,12 @@ static int m88ds3103_diseqc_send_burst(struct dvb_frontend *fe, - } else { - dev_dbg(&client->dev, "diseqc tx timeout\n"); - -- ret = regmap_update_bits(dev->regmap, 0xa1, 0xc0, 0x40); -+ ret = m88ds3103_update_bits(dev, 0xa1, 0xc0, 0x40); - if (ret) - goto err; - } - -- ret = regmap_update_bits(dev->regmap, 0xa2, 0xc0, 0x80); -+ ret = m88ds3103_update_bits(dev, 0xa2, 0xc0, 0x80); - if (ret) - goto err; - -@@ -1435,13 +1456,13 @@ static int m88ds3103_probe(struct i2c_client *client, - goto err_kfree; - - /* sleep */ -- ret = regmap_update_bits(dev->regmap, 0x08, 0x01, 0x00); -+ ret = m88ds3103_update_bits(dev, 0x08, 0x01, 0x00); - if (ret) - goto err_kfree; -- ret = regmap_update_bits(dev->regmap, 0x04, 0x01, 0x01); -+ ret = m88ds3103_update_bits(dev, 0x04, 0x01, 0x01); - if (ret) - goto err_kfree; -- ret = regmap_update_bits(dev->regmap, 0x23, 0x10, 0x10); -+ ret = m88ds3103_update_bits(dev, 0x23, 0x10, 0x10); - if (ret) - goto err_kfree; - -diff --git a/drivers/media/dvb-frontends/si2168.c b/drivers/media/dvb-frontends/si2168.c -index 25e238c..cb6a49b 100644 ---- a/drivers/media/dvb-frontends/si2168.c -+++ b/drivers/media/dvb-frontends/si2168.c -@@ -502,6 +502,10 @@ static int si2168_init(struct dvb_frontend *fe) - /* firmware is in the new format */ - for (remaining = fw->size; remaining > 0; remaining -= 17) { - len = fw->data[fw->size - remaining]; -+ if (len > SI2168_ARGLEN) { -+ ret = -EINVAL; -+ break; -+ } - memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len); - cmd.wlen = len; - cmd.rlen = 1; -diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c -index a6245ef..416c865 100644 ---- a/drivers/media/tuners/si2157.c -+++ b/drivers/media/tuners/si2157.c -@@ -166,6 +166,10 @@ static int si2157_init(struct dvb_frontend *fe) - - for (remaining = fw->size; remaining > 0; remaining -= 17) { - len = fw->data[fw->size - remaining]; -+ if (len > SI2157_ARGLEN) { -+ dev_err(&client->dev, "Bad firmware length\n"); -+ goto err_release_firmware; -+ } - memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len); - cmd.wlen = len; - cmd.rlen = 1; -diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c -index c3cac4c..197a4f2 100644 ---- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c -+++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c -@@ -34,6 +34,14 @@ static int rtl28xxu_ctrl_msg(struct dvb_usb_device *d, struct rtl28xxu_req *req) - unsigned int pipe; - u8 requesttype; - -+ mutex_lock(&d->usb_mutex); -+ -+ if (req->size > sizeof(dev->buf)) { -+ dev_err(&d->intf->dev, "too large message %u\n", req->size); -+ ret = -EINVAL; -+ goto err_mutex_unlock; -+ } -+ - if (req->index & CMD_WR_FLAG) { - /* write */ - memcpy(dev->buf, req->data, req->size); -@@ -50,14 +58,17 @@ static int rtl28xxu_ctrl_msg(struct dvb_usb_device *d, struct rtl28xxu_req *req) - dvb_usb_dbg_usb_control_msg(d->udev, 0, requesttype, req->value, - req->index, dev->buf, req->size); - if (ret < 0) -- goto err; -+ goto err_mutex_unlock; - - /* read request, copy returned data to return buf */ - if (requesttype == (USB_TYPE_VENDOR | USB_DIR_IN)) - memcpy(req->data, dev->buf, req->size); - -+ mutex_unlock(&d->usb_mutex); -+ - return 0; --err: -+err_mutex_unlock: -+ mutex_unlock(&d->usb_mutex); - dev_dbg(&d->intf->dev, "failed=%d\n", ret); - return ret; - } -diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.h b/drivers/media/usb/dvb-usb-v2/rtl28xxu.h -index 9f6115a..1380629 100644 ---- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.h -+++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.h -@@ -71,7 +71,7 @@ - - - struct rtl28xxu_dev { -- u8 buf[28]; -+ u8 buf[128]; - u8 chip_id; - u8 tuner; - char *tuner_name; -diff --git a/drivers/mmc/card/mmc_test.c b/drivers/mmc/card/mmc_test.c -index b78cf5d..7fc9174 100644 ---- a/drivers/mmc/card/mmc_test.c -+++ b/drivers/mmc/card/mmc_test.c -@@ -2263,15 +2263,12 @@ static int mmc_test_profile_sglen_r_nonblock_perf(struct mmc_test_card *test) - /* - * eMMC hardware reset. - */ --static int mmc_test_hw_reset(struct mmc_test_card *test) -+static int mmc_test_reset(struct mmc_test_card *test) - { - struct mmc_card *card = test->card; - struct mmc_host *host = card->host; - int err; - -- if (!mmc_card_mmc(card) || !mmc_can_reset(card)) -- return RESULT_UNSUP_CARD; -- - err = mmc_hw_reset(host); - if (!err) - return RESULT_OK; -@@ -2605,8 +2602,8 @@ static const struct mmc_test_case mmc_test_cases[] = { - }, - - { -- .name = "eMMC hardware reset", -- .run = mmc_test_hw_reset, -+ .name = "Reset test", -+ .run = mmc_test_reset, - }, - }; - -diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c -index e726903..f6cd995 100644 ---- a/drivers/mmc/core/mmc.c -+++ b/drivers/mmc/core/mmc.c -@@ -1924,7 +1924,6 @@ EXPORT_SYMBOL(mmc_can_reset); - static int mmc_reset(struct mmc_host *host) - { - struct mmc_card *card = host->card; -- u32 status; - - if (!(host->caps & MMC_CAP_HW_RESET) || !host->ops->hw_reset) - return -EOPNOTSUPP; -@@ -1937,12 +1936,6 @@ static int mmc_reset(struct mmc_host *host) - - host->ops->hw_reset(host); - -- /* If the reset has happened, then a status command will fail */ -- if (!mmc_send_status(card, &status)) { -- mmc_host_clk_release(host); -- return -ENOSYS; -- } -- - /* Set initial state and call mmc_set_ios */ - mmc_set_initial_state(host); - mmc_host_clk_release(host); -diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c -index eff0e53..bfddc9e 100644 ---- a/drivers/net/wireless/ath/ath9k/init.c -+++ b/drivers/net/wireless/ath/ath9k/init.c -@@ -874,6 +874,7 @@ static void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw) - hw->max_rate_tries = 10; - hw->sta_data_size = sizeof(struct ath_node); - hw->vif_data_size = sizeof(struct ath_vif); -+ hw->extra_tx_headroom = 4; - - hw->wiphy->available_antennas_rx = BIT(ah->caps.max_rxchains) - 1; - hw->wiphy->available_antennas_tx = BIT(ah->caps.max_txchains) - 1; -diff --git a/drivers/net/wireless/iwlwifi/dvm/lib.c b/drivers/net/wireless/iwlwifi/dvm/lib.c -index 1d2223d..e7d3566 100644 ---- a/drivers/net/wireless/iwlwifi/dvm/lib.c -+++ b/drivers/net/wireless/iwlwifi/dvm/lib.c -@@ -1022,7 +1022,7 @@ static void iwlagn_wowlan_program_keys(struct ieee80211_hw *hw, - u8 *pn = seq.ccmp.pn; - - ieee80211_get_key_rx_seq(key, i, &seq); -- aes_sc->pn = cpu_to_le64( -+ aes_sc[i].pn = cpu_to_le64( - (u64)pn[5] | - ((u64)pn[4] << 8) | - ((u64)pn[3] << 16) | -diff --git a/drivers/net/wireless/iwlwifi/iwl-7000.c b/drivers/net/wireless/iwlwifi/iwl-7000.c -index cc35f79..d7acbd1 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-7000.c -+++ b/drivers/net/wireless/iwlwifi/iwl-7000.c -@@ -348,6 +348,6 @@ const struct iwl_cfg iwl7265d_n_cfg = { - }; - - MODULE_FIRMWARE(IWL7260_MODULE_FIRMWARE(IWL7260_UCODE_API_OK)); --MODULE_FIRMWARE(IWL3160_MODULE_FIRMWARE(IWL3160_UCODE_API_OK)); -+MODULE_FIRMWARE(IWL3160_MODULE_FIRMWARE(IWL7260_UCODE_API_OK)); - MODULE_FIRMWARE(IWL7265_MODULE_FIRMWARE(IWL7260_UCODE_API_OK)); - MODULE_FIRMWARE(IWL7265D_MODULE_FIRMWARE(IWL7260_UCODE_API_OK)); -diff --git a/drivers/net/wireless/iwlwifi/mvm/d3.c b/drivers/net/wireless/iwlwifi/mvm/d3.c -index 4165d10..f60b89b 100644 ---- a/drivers/net/wireless/iwlwifi/mvm/d3.c -+++ b/drivers/net/wireless/iwlwifi/mvm/d3.c -@@ -274,18 +274,13 @@ static void iwl_mvm_wowlan_program_keys(struct ieee80211_hw *hw, - break; - case WLAN_CIPHER_SUITE_CCMP: - if (sta) { -- u8 *pn = seq.ccmp.pn; -+ u64 pn64; - - aes_sc = data->rsc_tsc->all_tsc_rsc.aes.unicast_rsc; - aes_tx_sc = &data->rsc_tsc->all_tsc_rsc.aes.tsc; - -- ieee80211_get_key_tx_seq(key, &seq); -- aes_tx_sc->pn = cpu_to_le64((u64)pn[5] | -- ((u64)pn[4] << 8) | -- ((u64)pn[3] << 16) | -- ((u64)pn[2] << 24) | -- ((u64)pn[1] << 32) | -- ((u64)pn[0] << 40)); -+ pn64 = atomic64_read(&key->tx_pn); -+ aes_tx_sc->pn = cpu_to_le64(pn64); - } else { - aes_sc = data->rsc_tsc->all_tsc_rsc.aes.multicast_rsc; - } -@@ -298,12 +293,12 @@ static void iwl_mvm_wowlan_program_keys(struct ieee80211_hw *hw, - u8 *pn = seq.ccmp.pn; - - ieee80211_get_key_rx_seq(key, i, &seq); -- aes_sc->pn = cpu_to_le64((u64)pn[5] | -- ((u64)pn[4] << 8) | -- ((u64)pn[3] << 16) | -- ((u64)pn[2] << 24) | -- ((u64)pn[1] << 32) | -- ((u64)pn[0] << 40)); -+ aes_sc[i].pn = cpu_to_le64((u64)pn[5] | -+ ((u64)pn[4] << 8) | -+ ((u64)pn[3] << 16) | -+ ((u64)pn[2] << 24) | -+ ((u64)pn[1] << 32) | -+ ((u64)pn[0] << 40)); - } - data->use_rsc_tsc = true; - break; -@@ -1446,15 +1441,15 @@ static void iwl_mvm_d3_update_gtks(struct ieee80211_hw *hw, - - switch (key->cipher) { - case WLAN_CIPHER_SUITE_CCMP: -- iwl_mvm_aes_sc_to_seq(&sc->aes.tsc, &seq); - iwl_mvm_set_aes_rx_seq(sc->aes.unicast_rsc, key); -+ atomic64_set(&key->tx_pn, le64_to_cpu(sc->aes.tsc.pn)); - break; - case WLAN_CIPHER_SUITE_TKIP: - iwl_mvm_tkip_sc_to_seq(&sc->tkip.tsc, &seq); - iwl_mvm_set_tkip_rx_seq(sc->tkip.unicast_rsc, key); -+ ieee80211_set_key_tx_seq(key, &seq); - break; - } -- ieee80211_set_key_tx_seq(key, &seq); - - /* that's it for this key */ - return; -diff --git a/drivers/net/wireless/iwlwifi/mvm/fw.c b/drivers/net/wireless/iwlwifi/mvm/fw.c -index eb10c5e..b49367e 100644 ---- a/drivers/net/wireless/iwlwifi/mvm/fw.c -+++ b/drivers/net/wireless/iwlwifi/mvm/fw.c -@@ -364,7 +364,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm) - * abort after reading the nvm in case RF Kill is on, we will complete - * the init seq later when RF kill will switch to off - */ -- if (iwl_mvm_is_radio_killed(mvm)) { -+ if (iwl_mvm_is_radio_hw_killed(mvm)) { - IWL_DEBUG_RF_KILL(mvm, - "jump over all phy activities due to RF kill\n"); - iwl_remove_notification(&mvm->notif_wait, &calib_wait); -@@ -397,7 +397,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm) - ret = iwl_wait_notification(&mvm->notif_wait, &calib_wait, - MVM_UCODE_CALIB_TIMEOUT); - -- if (ret && iwl_mvm_is_radio_killed(mvm)) { -+ if (ret && iwl_mvm_is_radio_hw_killed(mvm)) { - IWL_DEBUG_RF_KILL(mvm, "RFKILL while calibrating.\n"); - ret = 1; - } -diff --git a/drivers/net/wireless/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/iwlwifi/mvm/mac80211.c -index dfdab38..f82019c 100644 ---- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c -+++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c -@@ -2373,6 +2373,7 @@ static void iwl_mvm_stop_ap_ibss(struct ieee80211_hw *hw, - iwl_mvm_remove_time_event(mvm, mvmvif, - &mvmvif->time_event_data); - RCU_INIT_POINTER(mvm->csa_vif, NULL); -+ mvmvif->csa_countdown = false; - } - - if (rcu_access_pointer(mvm->csa_tx_blocked_vif) == vif) { -diff --git a/drivers/net/wireless/iwlwifi/mvm/mvm.h b/drivers/net/wireless/iwlwifi/mvm/mvm.h -index 2d4bad5..4a6f162 100644 ---- a/drivers/net/wireless/iwlwifi/mvm/mvm.h -+++ b/drivers/net/wireless/iwlwifi/mvm/mvm.h -@@ -848,6 +848,11 @@ static inline bool iwl_mvm_is_radio_killed(struct iwl_mvm *mvm) - test_bit(IWL_MVM_STATUS_HW_CTKILL, &mvm->status); - } - -+static inline bool iwl_mvm_is_radio_hw_killed(struct iwl_mvm *mvm) -+{ -+ return test_bit(IWL_MVM_STATUS_HW_RFKILL, &mvm->status); -+} -+ - /* Must be called with rcu_read_lock() held and it can only be - * released when mvmsta is not needed anymore. - */ -diff --git a/drivers/net/wireless/iwlwifi/mvm/ops.c b/drivers/net/wireless/iwlwifi/mvm/ops.c -index e4fa500..61c2b0a 100644 ---- a/drivers/net/wireless/iwlwifi/mvm/ops.c -+++ b/drivers/net/wireless/iwlwifi/mvm/ops.c -@@ -582,6 +582,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg, - ieee80211_unregister_hw(mvm->hw); - iwl_mvm_leds_exit(mvm); - out_free: -+ flush_delayed_work(&mvm->fw_dump_wk); - iwl_phy_db_free(mvm->phy_db); - kfree(mvm->scan_cmd); - if (!cfg->no_power_up_nic_in_init || !mvm->nvm_file_name) -diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c b/drivers/net/wireless/iwlwifi/pcie/drv.c -index 9f65c1c..865d578d 100644 ---- a/drivers/net/wireless/iwlwifi/pcie/drv.c -+++ b/drivers/net/wireless/iwlwifi/pcie/drv.c -@@ -414,6 +414,11 @@ static const struct pci_device_id iwl_hw_card_ids[] = { - {IWL_PCI_DEVICE(0x095A, 0x5590, iwl7265_2ac_cfg)}, - {IWL_PCI_DEVICE(0x095B, 0x5290, iwl7265_2ac_cfg)}, - {IWL_PCI_DEVICE(0x095A, 0x5490, iwl7265_2ac_cfg)}, -+ {IWL_PCI_DEVICE(0x095A, 0x5F10, iwl7265_2ac_cfg)}, -+ {IWL_PCI_DEVICE(0x095B, 0x5212, iwl7265_2ac_cfg)}, -+ {IWL_PCI_DEVICE(0x095B, 0x520A, iwl7265_2ac_cfg)}, -+ {IWL_PCI_DEVICE(0x095A, 0x9000, iwl7265_2ac_cfg)}, -+ {IWL_PCI_DEVICE(0x095A, 0x9400, iwl7265_2ac_cfg)}, - - /* 8000 Series */ - {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)}, -diff --git a/drivers/net/wireless/rtlwifi/pci.h b/drivers/net/wireless/rtlwifi/pci.h -index d4567d1..5da6703 100644 ---- a/drivers/net/wireless/rtlwifi/pci.h -+++ b/drivers/net/wireless/rtlwifi/pci.h -@@ -247,6 +247,8 @@ struct rtl_pci { - /* MSI support */ - bool msi_support; - bool using_msi; -+ /* interrupt clear before set */ -+ bool int_clear; - }; - - struct mp_adapter { -diff --git a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c -index b7f18e21..6e9418e 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c -+++ b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c -@@ -2253,11 +2253,28 @@ void rtl8821ae_set_qos(struct ieee80211_hw *hw, int aci) - } - } - -+static void rtl8821ae_clear_interrupt(struct ieee80211_hw *hw) -+{ -+ struct rtl_priv *rtlpriv = rtl_priv(hw); -+ u32 tmp = rtl_read_dword(rtlpriv, REG_HISR); -+ -+ rtl_write_dword(rtlpriv, REG_HISR, tmp); -+ -+ tmp = rtl_read_dword(rtlpriv, REG_HISRE); -+ rtl_write_dword(rtlpriv, REG_HISRE, tmp); -+ -+ tmp = rtl_read_dword(rtlpriv, REG_HSISR); -+ rtl_write_dword(rtlpriv, REG_HSISR, tmp); -+} -+ - void rtl8821ae_enable_interrupt(struct ieee80211_hw *hw) - { - struct rtl_priv *rtlpriv = rtl_priv(hw); - struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw)); - -+ if (!rtlpci->int_clear) -+ rtl8821ae_clear_interrupt(hw);/*clear it here first*/ -+ - rtl_write_dword(rtlpriv, REG_HIMR, rtlpci->irq_mask[0] & 0xFFFFFFFF); - rtl_write_dword(rtlpriv, REG_HIMRE, rtlpci->irq_mask[1] & 0xFFFFFFFF); - rtlpci->irq_enabled = true; -diff --git a/drivers/net/wireless/rtlwifi/rtl8821ae/sw.c b/drivers/net/wireless/rtlwifi/rtl8821ae/sw.c -index a4988121..8ee141a 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8821ae/sw.c -+++ b/drivers/net/wireless/rtlwifi/rtl8821ae/sw.c -@@ -96,6 +96,7 @@ int rtl8821ae_init_sw_vars(struct ieee80211_hw *hw) - - rtl8821ae_bt_reg_init(hw); - rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support; -+ rtlpci->int_clear = rtlpriv->cfg->mod_params->int_clear; - rtlpriv->btcoexist.btc_ops = rtl_btc_get_ops_pointer(); - - rtlpriv->dm.dm_initialgain_enable = 1; -@@ -167,6 +168,7 @@ int rtl8821ae_init_sw_vars(struct ieee80211_hw *hw) - rtlpriv->psc.swctrl_lps = rtlpriv->cfg->mod_params->swctrl_lps; - rtlpriv->psc.fwctrl_lps = rtlpriv->cfg->mod_params->fwctrl_lps; - rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support; -+ rtlpci->msi_support = rtlpriv->cfg->mod_params->int_clear; - if (rtlpriv->cfg->mod_params->disable_watchdog) - pr_info("watchdog disabled\n"); - rtlpriv->psc.reg_fwctrl_lps = 3; -@@ -308,6 +310,7 @@ static struct rtl_mod_params rtl8821ae_mod_params = { - .swctrl_lps = false, - .fwctrl_lps = true, - .msi_support = true, -+ .int_clear = true, - .debug = DBG_EMERG, - .disable_watchdog = 0, - }; -@@ -437,6 +440,7 @@ module_param_named(fwlps, rtl8821ae_mod_params.fwctrl_lps, bool, 0444); - module_param_named(msi, rtl8821ae_mod_params.msi_support, bool, 0444); - module_param_named(disable_watchdog, rtl8821ae_mod_params.disable_watchdog, - bool, 0444); -+module_param_named(int_clear, rtl8821ae_mod_params.int_clear, bool, 0444); - MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n"); - MODULE_PARM_DESC(ips, "Set to 0 to not use link power save (default 1)\n"); - MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 0)\n"); -@@ -444,6 +448,7 @@ MODULE_PARM_DESC(fwlps, "Set to 1 to use FW control power save (default 1)\n"); - MODULE_PARM_DESC(msi, "Set to 1 to use MSI interrupts mode (default 1)\n"); - MODULE_PARM_DESC(debug, "Set debug level (0-5) (default 0)"); - MODULE_PARM_DESC(disable_watchdog, "Set to 1 to disable the watchdog (default 0)\n"); -+MODULE_PARM_DESC(int_clear, "Set to 1 to disable interrupt clear before set (default 0)\n"); - - static SIMPLE_DEV_PM_OPS(rtlwifi_pm_ops, rtl_pci_suspend, rtl_pci_resume); - -diff --git a/drivers/net/wireless/rtlwifi/wifi.h b/drivers/net/wireless/rtlwifi/wifi.h -index 2b770b5..0a3570a 100644 ---- a/drivers/net/wireless/rtlwifi/wifi.h -+++ b/drivers/net/wireless/rtlwifi/wifi.h -@@ -2234,6 +2234,9 @@ struct rtl_mod_params { - - /* default 0: 1 means disable */ - bool disable_watchdog; -+ -+ /* default 0: 1 means do not disable interrupts */ -+ bool int_clear; - }; - - struct rtl_hal_usbint_cfg { -diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 312f23a..9261868 100644 ---- a/drivers/pci/pci-sysfs.c -+++ b/drivers/pci/pci-sysfs.c -@@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct device *dev, - if (ret) - return ret; - -- if (!node_online(node)) -+ if (node >= MAX_NUMNODES || !node_online(node)) - return -EINVAL; - - add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK); -diff --git a/drivers/pinctrl/intel/pinctrl-baytrail.c b/drivers/pinctrl/intel/pinctrl-baytrail.c -index 2062c22..b260221 100644 ---- a/drivers/pinctrl/intel/pinctrl-baytrail.c -+++ b/drivers/pinctrl/intel/pinctrl-baytrail.c -@@ -146,7 +146,7 @@ struct byt_gpio_pin_context { - struct byt_gpio { - struct gpio_chip chip; - struct platform_device *pdev; -- spinlock_t lock; -+ raw_spinlock_t lock; - void __iomem *reg_base; - struct pinctrl_gpio_range *range; - struct byt_gpio_pin_context *saved_context; -@@ -174,11 +174,11 @@ static void byt_gpio_clear_triggering(struct byt_gpio *vg, unsigned offset) - unsigned long flags; - u32 value; - -- spin_lock_irqsave(&vg->lock, flags); -+ raw_spin_lock_irqsave(&vg->lock, flags); - value = readl(reg); - value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL); - writel(value, reg); -- spin_unlock_irqrestore(&vg->lock, flags); -+ raw_spin_unlock_irqrestore(&vg->lock, flags); - } - - static u32 byt_get_gpio_mux(struct byt_gpio *vg, unsigned offset) -@@ -201,6 +201,9 @@ static int byt_gpio_request(struct gpio_chip *chip, unsigned offset) - struct byt_gpio *vg = to_byt_gpio(chip); - void __iomem *reg = byt_gpio_reg(chip, offset, BYT_CONF0_REG); - u32 value, gpio_mux; -+ unsigned long flags; -+ -+ raw_spin_lock_irqsave(&vg->lock, flags); - - /* - * In most cases, func pin mux 000 means GPIO function. -@@ -214,18 +217,16 @@ static int byt_gpio_request(struct gpio_chip *chip, unsigned offset) - value = readl(reg) & BYT_PIN_MUX; - gpio_mux = byt_get_gpio_mux(vg, offset); - if (WARN_ON(gpio_mux != value)) { -- unsigned long flags; -- -- spin_lock_irqsave(&vg->lock, flags); - value = readl(reg) & ~BYT_PIN_MUX; - value |= gpio_mux; - writel(value, reg); -- spin_unlock_irqrestore(&vg->lock, flags); - - dev_warn(&vg->pdev->dev, - "pin %u forcibly re-configured as GPIO\n", offset); - } - -+ raw_spin_unlock_irqrestore(&vg->lock, flags); -+ - pm_runtime_get(&vg->pdev->dev); - - return 0; -@@ -250,7 +251,7 @@ static int byt_irq_type(struct irq_data *d, unsigned type) - if (offset >= vg->chip.ngpio) - return -EINVAL; - -- spin_lock_irqsave(&vg->lock, flags); -+ raw_spin_lock_irqsave(&vg->lock, flags); - value = readl(reg); - - WARN(value & BYT_DIRECT_IRQ_EN, -@@ -269,7 +270,7 @@ static int byt_irq_type(struct irq_data *d, unsigned type) - else if (type & IRQ_TYPE_LEVEL_MASK) - __irq_set_handler_locked(d->irq, handle_level_irq); - -- spin_unlock_irqrestore(&vg->lock, flags); -+ raw_spin_unlock_irqrestore(&vg->lock, flags); - - return 0; - } -@@ -277,7 +278,15 @@ static int byt_irq_type(struct irq_data *d, unsigned type) - static int byt_gpio_get(struct gpio_chip *chip, unsigned offset) - { - void __iomem *reg = byt_gpio_reg(chip, offset, BYT_VAL_REG); -- return readl(reg) & BYT_LEVEL; -+ struct byt_gpio *vg = to_byt_gpio(chip); -+ unsigned long flags; -+ u32 val; -+ -+ raw_spin_lock_irqsave(&vg->lock, flags); -+ val = readl(reg); -+ raw_spin_unlock_irqrestore(&vg->lock, flags); -+ -+ return val & BYT_LEVEL; - } - - static void byt_gpio_set(struct gpio_chip *chip, unsigned offset, int value) -@@ -287,7 +296,7 @@ static void byt_gpio_set(struct gpio_chip *chip, unsigned offset, int value) - unsigned long flags; - u32 old_val; - -- spin_lock_irqsave(&vg->lock, flags); -+ raw_spin_lock_irqsave(&vg->lock, flags); - - old_val = readl(reg); - -@@ -296,7 +305,7 @@ static void byt_gpio_set(struct gpio_chip *chip, unsigned offset, int value) - else - writel(old_val & ~BYT_LEVEL, reg); - -- spin_unlock_irqrestore(&vg->lock, flags); -+ raw_spin_unlock_irqrestore(&vg->lock, flags); - } - - static int byt_gpio_direction_input(struct gpio_chip *chip, unsigned offset) -@@ -306,13 +315,13 @@ static int byt_gpio_direction_input(struct gpio_chip *chip, unsigned offset) - unsigned long flags; - u32 value; - -- spin_lock_irqsave(&vg->lock, flags); -+ raw_spin_lock_irqsave(&vg->lock, flags); - - value = readl(reg) | BYT_DIR_MASK; - value &= ~BYT_INPUT_EN; /* active low */ - writel(value, reg); - -- spin_unlock_irqrestore(&vg->lock, flags); -+ raw_spin_unlock_irqrestore(&vg->lock, flags); - - return 0; - } -@@ -326,7 +335,7 @@ static int byt_gpio_direction_output(struct gpio_chip *chip, - unsigned long flags; - u32 reg_val; - -- spin_lock_irqsave(&vg->lock, flags); -+ raw_spin_lock_irqsave(&vg->lock, flags); - - /* - * Before making any direction modifications, do a check if gpio -@@ -345,7 +354,7 @@ static int byt_gpio_direction_output(struct gpio_chip *chip, - else - writel(reg_val & ~BYT_LEVEL, reg); - -- spin_unlock_irqrestore(&vg->lock, flags); -+ raw_spin_unlock_irqrestore(&vg->lock, flags); - - return 0; - } -@@ -354,18 +363,19 @@ static void byt_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip) - { - struct byt_gpio *vg = to_byt_gpio(chip); - int i; -- unsigned long flags; - u32 conf0, val, offs; - -- spin_lock_irqsave(&vg->lock, flags); -- - for (i = 0; i < vg->chip.ngpio; i++) { - const char *pull_str = NULL; - const char *pull = NULL; -+ unsigned long flags; - const char *label; - offs = vg->range->pins[i] * 16; -+ -+ raw_spin_lock_irqsave(&vg->lock, flags); - conf0 = readl(vg->reg_base + offs + BYT_CONF0_REG); - val = readl(vg->reg_base + offs + BYT_VAL_REG); -+ raw_spin_unlock_irqrestore(&vg->lock, flags); - - label = gpiochip_is_requested(chip, i); - if (!label) -@@ -418,7 +428,6 @@ static void byt_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip) - - seq_puts(s, "\n"); - } -- spin_unlock_irqrestore(&vg->lock, flags); - } - - static void byt_gpio_irq_handler(unsigned irq, struct irq_desc *desc) -@@ -450,8 +459,10 @@ static void byt_irq_ack(struct irq_data *d) - unsigned offset = irqd_to_hwirq(d); - void __iomem *reg; - -+ raw_spin_lock(&vg->lock); - reg = byt_gpio_reg(&vg->chip, offset, BYT_INT_STAT_REG); - writel(BIT(offset % 32), reg); -+ raw_spin_unlock(&vg->lock); - } - - static void byt_irq_unmask(struct irq_data *d) -@@ -463,9 +474,9 @@ static void byt_irq_unmask(struct irq_data *d) - void __iomem *reg; - u32 value; - -- spin_lock_irqsave(&vg->lock, flags); -- - reg = byt_gpio_reg(&vg->chip, offset, BYT_CONF0_REG); -+ -+ raw_spin_lock_irqsave(&vg->lock, flags); - value = readl(reg); - - switch (irqd_get_trigger_type(d)) { -@@ -486,7 +497,7 @@ static void byt_irq_unmask(struct irq_data *d) - - writel(value, reg); - -- spin_unlock_irqrestore(&vg->lock, flags); -+ raw_spin_unlock_irqrestore(&vg->lock, flags); - } - - static void byt_irq_mask(struct irq_data *d) -@@ -578,7 +589,7 @@ static int byt_gpio_probe(struct platform_device *pdev) - if (IS_ERR(vg->reg_base)) - return PTR_ERR(vg->reg_base); - -- spin_lock_init(&vg->lock); -+ raw_spin_lock_init(&vg->lock); - - gc = &vg->chip; - gc->label = dev_name(&pdev->dev); -diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c -index 454536c..9c78074 100644 ---- a/drivers/scsi/mvsas/mv_sas.c -+++ b/drivers/scsi/mvsas/mv_sas.c -@@ -887,6 +887,8 @@ static void mvs_slot_free(struct mvs_info *mvi, u32 rx_desc) - static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task, - struct mvs_slot_info *slot, u32 slot_idx) - { -+ if (!slot) -+ return; - if (!slot->task) - return; - if (!sas_protocol_ata(task->task_proto)) -diff --git a/drivers/staging/iio/accel/sca3000_ring.c b/drivers/staging/iio/accel/sca3000_ring.c -index 23685e7..bd2c69f 100644 ---- a/drivers/staging/iio/accel/sca3000_ring.c -+++ b/drivers/staging/iio/accel/sca3000_ring.c -@@ -116,7 +116,7 @@ static int sca3000_read_first_n_hw_rb(struct iio_buffer *r, - if (ret) - goto error_ret; - -- for (i = 0; i < num_read; i++) -+ for (i = 0; i < num_read / sizeof(u16); i++) - *(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i); - - if (copy_to_user(buf, rx, num_read)) -diff --git a/drivers/staging/iio/adc/mxs-lradc.c b/drivers/staging/iio/adc/mxs-lradc.c -index d7c5223..2931ea9 100644 ---- a/drivers/staging/iio/adc/mxs-lradc.c -+++ b/drivers/staging/iio/adc/mxs-lradc.c -@@ -919,11 +919,12 @@ static int mxs_lradc_read_raw(struct iio_dev *iio_dev, - case IIO_CHAN_INFO_OFFSET: - if (chan->type == IIO_TEMP) { - /* The calculated value from the ADC is in Kelvin, we -- * want Celsius for hwmon so the offset is -- * -272.15 * scale -+ * want Celsius for hwmon so the offset is -273.15 -+ * The offset is applied before scaling so it is -+ * actually -213.15 * 4 / 1.012 = -1079.644268 - */ -- *val = -1075; -- *val2 = 691699; -+ *val = -1079; -+ *val2 = 644268; - - return IIO_VAL_INT_PLUS_MICRO; - } -diff --git a/drivers/thermal/samsung/exynos_tmu.c b/drivers/thermal/samsung/exynos_tmu.c -index c96ff10..af68d06 100644 ---- a/drivers/thermal/samsung/exynos_tmu.c -+++ b/drivers/thermal/samsung/exynos_tmu.c -@@ -933,7 +933,7 @@ static void exynos4412_tmu_set_emulation(struct exynos_tmu_data *data, - - if (data->soc == SOC_ARCH_EXYNOS5260) - emul_con = EXYNOS5260_EMUL_CON; -- if (data->soc == SOC_ARCH_EXYNOS5433) -+ else if (data->soc == SOC_ARCH_EXYNOS5433) - emul_con = EXYNOS5433_TMU_EMUL_CON; - else if (data->soc == SOC_ARCH_EXYNOS7) - emul_con = EXYNOS7_TMU_REG_EMUL_CON; -diff --git a/drivers/tty/serial/8250/8250_dma.c b/drivers/tty/serial/8250/8250_dma.c -index 21d01a4..e508939 100644 ---- a/drivers/tty/serial/8250/8250_dma.c -+++ b/drivers/tty/serial/8250/8250_dma.c -@@ -80,10 +80,6 @@ int serial8250_tx_dma(struct uart_8250_port *p) - return 0; - - dma->tx_size = CIRC_CNT_TO_END(xmit->head, xmit->tail, UART_XMIT_SIZE); -- if (dma->tx_size < p->port.fifosize) { -- ret = -EINVAL; -- goto err; -- } - - desc = dmaengine_prep_slave_single(dma->txchan, - dma->tx_addr + xmit->tail, -diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c -index c79d336..c47d3e4 100644 ---- a/drivers/usb/host/xhci-pci.c -+++ b/drivers/usb/host/xhci-pci.c -@@ -147,6 +147,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) - if (pdev->vendor == PCI_VENDOR_ID_INTEL && - pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI) { - xhci->quirks |= XHCI_SPURIOUS_REBOOT; -+ xhci->quirks |= XHCI_SPURIOUS_WAKEUP; - } - if (pdev->vendor == PCI_VENDOR_ID_INTEL && - (pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI || -diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c -index 8aadf3d..63041c1 100644 ---- a/drivers/usb/host/xhci-ring.c -+++ b/drivers/usb/host/xhci-ring.c -@@ -2239,6 +2239,7 @@ static int handle_tx_event(struct xhci_hcd *xhci, - u32 trb_comp_code; - int ret = 0; - int td_num = 0; -+ bool handling_skipped_tds = false; - - slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags)); - xdev = xhci->devs[slot_id]; -@@ -2372,6 +2373,10 @@ static int handle_tx_event(struct xhci_hcd *xhci, - ep->skip = true; - xhci_dbg(xhci, "Miss service interval error, set skip flag\n"); - goto cleanup; -+ case COMP_PING_ERR: -+ ep->skip = true; -+ xhci_dbg(xhci, "No Ping response error, Skip one Isoc TD\n"); -+ goto cleanup; - default: - if (xhci_is_vendor_info_code(xhci, trb_comp_code)) { - status = 0; -@@ -2508,13 +2513,18 @@ static int handle_tx_event(struct xhci_hcd *xhci, - ep, &status); - - cleanup: -+ -+ -+ handling_skipped_tds = ep->skip && -+ trb_comp_code != COMP_MISSED_INT && -+ trb_comp_code != COMP_PING_ERR; -+ - /* -- * Do not update event ring dequeue pointer if ep->skip is set. -- * Will roll back to continue process missed tds. -+ * Do not update event ring dequeue pointer if we're in a loop -+ * processing missed tds. - */ -- if (trb_comp_code == COMP_MISSED_INT || !ep->skip) { -+ if (!handling_skipped_tds) - inc_deq(xhci, xhci->event_ring); -- } - - if (ret) { - urb = td->urb; -@@ -2549,7 +2559,7 @@ cleanup: - * Process them as short transfer until reach the td pointed by - * the event. - */ -- } while (ep->skip && trb_comp_code != COMP_MISSED_INT); -+ } while (handling_skipped_tds); - - return 0; - } -diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c -index ebcec8c..f49d262 100644 ---- a/drivers/usb/serial/qcserial.c -+++ b/drivers/usb/serial/qcserial.c -@@ -153,6 +153,8 @@ static const struct usb_device_id id_table[] = { - {DEVICE_SWI(0x1199, 0x9056)}, /* Sierra Wireless Modem */ - {DEVICE_SWI(0x1199, 0x9060)}, /* Sierra Wireless Modem */ - {DEVICE_SWI(0x1199, 0x9061)}, /* Sierra Wireless Modem */ -+ {DEVICE_SWI(0x1199, 0x9070)}, /* Sierra Wireless MC74xx/EM74xx */ -+ {DEVICE_SWI(0x1199, 0x9071)}, /* Sierra Wireless MC74xx/EM74xx */ - {DEVICE_SWI(0x413c, 0x81a2)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */ - {DEVICE_SWI(0x413c, 0x81a3)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */ - {DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */ -diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c -index 1aaf893..92f3949 100644 ---- a/drivers/video/console/fbcon.c -+++ b/drivers/video/console/fbcon.c -@@ -1093,6 +1093,7 @@ static void fbcon_init(struct vc_data *vc, int init) - con_copy_unimap(vc, svc); - - ops = info->fbcon_par; -+ ops->cur_blink_jiffies = msecs_to_jiffies(vc->vc_cur_blink_ms); - p->con_rotate = initial_rotation; - set_blitting_type(vc, info); - -diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c -index f490b61..641d3dc 100644 ---- a/fs/btrfs/ioctl.c -+++ b/fs/btrfs/ioctl.c -@@ -4649,7 +4649,7 @@ locked: - - if (bctl->flags & ~(BTRFS_BALANCE_ARGS_MASK | BTRFS_BALANCE_TYPE_MASK)) { - ret = -EINVAL; -- goto out_bargs; -+ goto out_bctl; - } - - do_balance: -@@ -4663,12 +4663,15 @@ do_balance: - need_unlock = false; - - ret = btrfs_balance(bctl, bargs); -+ bctl = NULL; - - if (arg) { - if (copy_to_user(arg, bargs, sizeof(*bargs))) - ret = -EFAULT; - } - -+out_bctl: -+ kfree(bctl); - out_bargs: - kfree(bargs); - out_unlock: -diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index 84d693d..871fcb6 100644 ---- a/fs/overlayfs/copy_up.c -+++ b/fs/overlayfs/copy_up.c -@@ -81,11 +81,11 @@ static int ovl_copy_up_data(struct path *old, struct path *new, loff_t len) - if (len == 0) - return 0; - -- old_file = ovl_path_open(old, O_RDONLY); -+ old_file = ovl_path_open(old, O_LARGEFILE | O_RDONLY); - if (IS_ERR(old_file)) - return PTR_ERR(old_file); - -- new_file = ovl_path_open(new, O_WRONLY); -+ new_file = ovl_path_open(new, O_LARGEFILE | O_WRONLY); - if (IS_ERR(new_file)) { - error = PTR_ERR(new_file); - goto out_fput; -@@ -267,7 +267,7 @@ out: - - out_cleanup: - ovl_cleanup(wdir, newdentry); -- goto out; -+ goto out2; - } - - /* -diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c -index d9da5a4..ec0c2a0 100644 ---- a/fs/overlayfs/inode.c -+++ b/fs/overlayfs/inode.c -@@ -363,6 +363,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags) - ovl_path_upper(dentry, &realpath); - } - -+ if (realpath.dentry->d_flags & DCACHE_OP_SELECT_INODE) -+ return realpath.dentry->d_op->d_select_inode(realpath.dentry, file_flags); -+ - return d_backing_inode(realpath.dentry); - } - -diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c -index 79073d6..e38ee0f 100644 ---- a/fs/overlayfs/super.c -+++ b/fs/overlayfs/super.c -@@ -544,6 +544,7 @@ static void ovl_put_super(struct super_block *sb) - mntput(ufs->upper_mnt); - for (i = 0; i < ufs->numlower; i++) - mntput(ufs->lower_mnt[i]); -+ kfree(ufs->lower_mnt); - - kfree(ufs->config.lowerdir); - kfree(ufs->config.upperdir); -@@ -1048,6 +1049,7 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent) - oe->lowerstack[i].dentry = stack[i].dentry; - oe->lowerstack[i].mnt = ufs->lower_mnt[i]; - } -+ kfree(stack); - - root_dentry->d_fsdata = oe; - -diff --git a/include/linux/backing-dev.h b/include/linux/backing-dev.h -index 0fe9df9..fe0ab98 100644 ---- a/include/linux/backing-dev.h -+++ b/include/linux/backing-dev.h -@@ -18,13 +18,17 @@ - #include - - int __must_check bdi_init(struct backing_dev_info *bdi); --void bdi_destroy(struct backing_dev_info *bdi); -+void bdi_exit(struct backing_dev_info *bdi); - - __printf(3, 4) - int bdi_register(struct backing_dev_info *bdi, struct device *parent, - const char *fmt, ...); - int bdi_register_dev(struct backing_dev_info *bdi, dev_t dev); -+void bdi_unregister(struct backing_dev_info *bdi); -+ - int __must_check bdi_setup_and_register(struct backing_dev_info *, char *); -+void bdi_destroy(struct backing_dev_info *bdi); -+ - void wb_start_writeback(struct bdi_writeback *wb, long nr_pages, - bool range_cyclic, enum wb_reason reason); - void wb_start_background_writeback(struct bdi_writeback *wb); -diff --git a/include/linux/omap-dma.h b/include/linux/omap-dma.h -index e5a7013..88fa8af 100644 ---- a/include/linux/omap-dma.h -+++ b/include/linux/omap-dma.h -@@ -17,7 +17,7 @@ - - #include - --#define INT_DMA_LCD 25 -+#define INT_DMA_LCD (NR_IRQS_LEGACY + 25) - - #define OMAP1_DMA_TOUT_IRQ (1 << 0) - #define OMAP_DMA_DROP_IRQ (1 << 1) -diff --git a/include/sound/soc.h b/include/sound/soc.h -index 93df8bf..334d0d2 100644 ---- a/include/sound/soc.h -+++ b/include/sound/soc.h -@@ -86,7 +86,7 @@ - .access = SNDRV_CTL_ELEM_ACCESS_TLV_READ | \ - SNDRV_CTL_ELEM_ACCESS_READWRITE, \ - .tlv.p = (tlv_array),\ -- .info = snd_soc_info_volsw, \ -+ .info = snd_soc_info_volsw_sx, \ - .get = snd_soc_get_volsw_sx,\ - .put = snd_soc_put_volsw_sx, \ - .private_value = (unsigned long)&(struct soc_mixer_control) \ -@@ -156,7 +156,7 @@ - .access = SNDRV_CTL_ELEM_ACCESS_TLV_READ | \ - SNDRV_CTL_ELEM_ACCESS_READWRITE, \ - .tlv.p = (tlv_array), \ -- .info = snd_soc_info_volsw, \ -+ .info = snd_soc_info_volsw_sx, \ - .get = snd_soc_get_volsw_sx, \ - .put = snd_soc_put_volsw_sx, \ - .private_value = (unsigned long)&(struct soc_mixer_control) \ -@@ -573,6 +573,8 @@ int snd_soc_put_enum_double(struct snd_kcontrol *kcontrol, - struct snd_ctl_elem_value *ucontrol); - int snd_soc_info_volsw(struct snd_kcontrol *kcontrol, - struct snd_ctl_elem_info *uinfo); -+int snd_soc_info_volsw_sx(struct snd_kcontrol *kcontrol, -+ struct snd_ctl_elem_info *uinfo); - #define snd_soc_info_bool_ext snd_ctl_boolean_mono_info - int snd_soc_get_volsw(struct snd_kcontrol *kcontrol, - struct snd_ctl_elem_value *ucontrol); -diff --git a/include/sound/wm8904.h b/include/sound/wm8904.h -index 898be3a..6d8f8fb 100644 ---- a/include/sound/wm8904.h -+++ b/include/sound/wm8904.h -@@ -119,7 +119,7 @@ - #define WM8904_MIC_REGS 2 - #define WM8904_GPIO_REGS 4 - #define WM8904_DRC_REGS 4 --#define WM8904_EQ_REGS 25 -+#define WM8904_EQ_REGS 24 - - /** - * DRC configurations are specified with a label and a set of register -diff --git a/kernel/module.c b/kernel/module.c -index b86b7bf..8f051a1 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -1063,11 +1063,15 @@ void symbol_put_addr(void *addr) - if (core_kernel_text(a)) - return; - -- /* module_text_address is safe here: we're supposed to have reference -- * to module from symbol_get, so it can't go away. */ -+ /* -+ * Even though we hold a reference on the module; we still need to -+ * disable preemption in order to safely traverse the data structure. -+ */ -+ preempt_disable(); - modaddr = __module_text_address(a); - BUG_ON(!modaddr); - module_put(modaddr); -+ preempt_enable(); - } - EXPORT_SYMBOL_GPL(symbol_put_addr); - -diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c -index 0a17af35..da7f826 100644 ---- a/kernel/sched/deadline.c -+++ b/kernel/sched/deadline.c -@@ -1066,8 +1066,9 @@ select_task_rq_dl(struct task_struct *p, int cpu, int sd_flag, int flags) - int target = find_later_rq(p); - - if (target != -1 && -- dl_time_before(p->dl.deadline, -- cpu_rq(target)->dl.earliest_dl.curr)) -+ (dl_time_before(p->dl.deadline, -+ cpu_rq(target)->dl.earliest_dl.curr) || -+ (cpu_rq(target)->dl.dl_nr_running == 0))) - cpu = target; - } - rcu_read_unlock(); -@@ -1417,7 +1418,8 @@ static struct rq *find_lock_later_rq(struct task_struct *task, struct rq *rq) - - later_rq = cpu_rq(cpu); - -- if (!dl_time_before(task->dl.deadline, -+ if (later_rq->dl.dl_nr_running && -+ !dl_time_before(task->dl.deadline, - later_rq->dl.earliest_dl.curr)) { - /* - * Target rq has tasks of equal or earlier deadline, -diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c -index 3f34496..9696901 100644 ---- a/kernel/trace/trace_stack.c -+++ b/kernel/trace/trace_stack.c -@@ -94,6 +94,12 @@ check_stack(unsigned long ip, unsigned long *stack) - local_irq_save(flags); - arch_spin_lock(&max_stack_lock); - -+ /* -+ * RCU may not be watching, make it see us. -+ * The stack trace code uses rcu_sched. -+ */ -+ rcu_irq_enter(); -+ - /* In case another CPU set the tracer_frame on us */ - if (unlikely(!frame_size)) - this_size -= tracer_frame; -@@ -174,6 +180,7 @@ check_stack(unsigned long ip, unsigned long *stack) - } - - out: -+ rcu_irq_exit(); - arch_spin_unlock(&max_stack_lock); - local_irq_restore(flags); - } -diff --git a/lib/fault-inject.c b/lib/fault-inject.c -index f1cdeb0..6a823a5 100644 ---- a/lib/fault-inject.c -+++ b/lib/fault-inject.c -@@ -44,7 +44,7 @@ static void fail_dump(struct fault_attr *attr) - printk(KERN_NOTICE "FAULT_INJECTION: forcing a failure.\n" - "name %pd, interval %lu, probability %lu, " - "space %d, times %d\n", attr->dname, -- attr->probability, attr->interval, -+ attr->interval, attr->probability, - atomic_read(&attr->space), - atomic_read(&attr->times)); - if (attr->verbose > 1) -diff --git a/mm/backing-dev.c b/mm/backing-dev.c -index dac5bf5..dc07d88 100644 ---- a/mm/backing-dev.c -+++ b/mm/backing-dev.c -@@ -823,7 +823,7 @@ static void bdi_remove_from_list(struct backing_dev_info *bdi) - synchronize_rcu_expedited(); - } - --void bdi_destroy(struct backing_dev_info *bdi) -+void bdi_unregister(struct backing_dev_info *bdi) - { - /* make sure nobody finds us on the bdi_list anymore */ - bdi_remove_from_list(bdi); -@@ -835,9 +835,19 @@ void bdi_destroy(struct backing_dev_info *bdi) - device_unregister(bdi->dev); - bdi->dev = NULL; - } -+} - -+void bdi_exit(struct backing_dev_info *bdi) -+{ -+ WARN_ON_ONCE(bdi->dev); - wb_exit(&bdi->wb); - } -+ -+void bdi_destroy(struct backing_dev_info *bdi) -+{ -+ bdi_unregister(bdi); -+ bdi_exit(bdi); -+} - EXPORT_SYMBOL(bdi_destroy); - - /* -diff --git a/mm/filemap.c b/mm/filemap.c -index 1283fc8..3fd68ee 100644 ---- a/mm/filemap.c -+++ b/mm/filemap.c -@@ -2488,6 +2488,11 @@ again: - break; - } - -+ if (fatal_signal_pending(current)) { -+ status = -EINTR; -+ break; -+ } -+ - status = a_ops->write_begin(file, mapping, pos, bytes, flags, - &page, &fsdata); - if (unlikely(status < 0)) -@@ -2525,10 +2530,6 @@ again: - written += copied; - - balance_dirty_pages_ratelimited(mapping); -- if (fatal_signal_pending(current)) { -- status = -EINTR; -- break; -- } - } while (iov_iter_count(i)); - - return written ? written : status; -diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index 097c7a4..da0ac6a 100644 ---- a/mm/huge_memory.c -+++ b/mm/huge_memory.c -@@ -2132,7 +2132,8 @@ static int __collapse_huge_page_isolate(struct vm_area_struct *vma, - for (_pte = pte; _pte < pte+HPAGE_PMD_NR; - _pte++, address += PAGE_SIZE) { - pte_t pteval = *_pte; -- if (pte_none(pteval) || is_zero_pfn(pte_pfn(pteval))) { -+ if (pte_none(pteval) || (pte_present(pteval) && -+ is_zero_pfn(pte_pfn(pteval)))) { - if (++none_or_zero <= khugepaged_max_ptes_none) - continue; - else -diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c -index 3ea8b7d..58d9a81 100644 ---- a/net/mac80211/debugfs.c -+++ b/net/mac80211/debugfs.c -@@ -148,7 +148,7 @@ static ssize_t hwflags_read(struct file *file, char __user *user_buf, - - for (i = 0; i < NUM_IEEE80211_HW_FLAGS; i++) { - if (test_bit(i, local->hw.flags)) -- pos += scnprintf(pos, end - pos, "%s", -+ pos += scnprintf(pos, end - pos, "%s\n", - hw_flag_names[i]); - } - -diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c -index a1fe537..5a30ce6 100644 ---- a/net/netfilter/ipset/ip_set_list_set.c -+++ b/net/netfilter/ipset/ip_set_list_set.c -@@ -297,7 +297,7 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext, - ip_set_timeout_expired(ext_timeout(n, set)))) - n = NULL; - -- e = kzalloc(set->dsize, GFP_KERNEL); -+ e = kzalloc(set->dsize, GFP_ATOMIC); - if (!e) - return -ENOMEM; - e->id = d->id; -diff --git a/sound/hda/ext/hdac_ext_bus.c b/sound/hda/ext/hdac_ext_bus.c -index 0aa5d9e..d85aa1a 100644 ---- a/sound/hda/ext/hdac_ext_bus.c -+++ b/sound/hda/ext/hdac_ext_bus.c -@@ -19,6 +19,7 @@ - - #include - #include -+#include - #include - - MODULE_DESCRIPTION("HDA extended core"); -diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c -index d1a2cb6..ca37446 100644 ---- a/sound/pci/hda/hda_codec.c -+++ b/sound/pci/hda/hda_codec.c -@@ -3438,10 +3438,8 @@ int snd_hda_codec_build_pcms(struct hda_codec *codec) - int dev, err; - - err = snd_hda_codec_parse_pcms(codec); -- if (err < 0) { -- snd_hda_codec_reset(codec); -+ if (err < 0) - return err; -- } - - /* attach a new PCM streams */ - list_for_each_entry(cpcm, &codec->pcm_list_head, list) { -diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c -index ca03c40..2f0ec7c 100644 ---- a/sound/pci/hda/patch_conexant.c -+++ b/sound/pci/hda/patch_conexant.c -@@ -819,6 +819,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = { - SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410), - SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410), - SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD), -+ SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC), - SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC), - SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC), - SND_PCI_QUIRK(0x17aa, 0x397b, "Lenovo S205", CXT_FIXUP_STEREO_DMIC), -diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c -index 100d92b..05977ae 100644 ---- a/sound/soc/soc-ops.c -+++ b/sound/soc/soc-ops.c -@@ -207,6 +207,34 @@ int snd_soc_info_volsw(struct snd_kcontrol *kcontrol, - EXPORT_SYMBOL_GPL(snd_soc_info_volsw); - - /** -+ * snd_soc_info_volsw_sx - Mixer info callback for SX TLV controls -+ * @kcontrol: mixer control -+ * @uinfo: control element information -+ * -+ * Callback to provide information about a single mixer control, or a double -+ * mixer control that spans 2 registers of the SX TLV type. SX TLV controls -+ * have a range that represents both positive and negative values either side -+ * of zero but without a sign bit. -+ * -+ * Returns 0 for success. -+ */ -+int snd_soc_info_volsw_sx(struct snd_kcontrol *kcontrol, -+ struct snd_ctl_elem_info *uinfo) -+{ -+ struct soc_mixer_control *mc = -+ (struct soc_mixer_control *)kcontrol->private_value; -+ -+ snd_soc_info_volsw(kcontrol, uinfo); -+ /* Max represents the number of levels in an SX control not the -+ * maximum value, so add the minimum value back on -+ */ -+ uinfo->value.integer.max += mc->min; -+ -+ return 0; -+} -+EXPORT_SYMBOL_GPL(snd_soc_info_volsw_sx); -+ -+/** - * snd_soc_get_volsw - single mixer get callback - * @kcontrol: mixer control - * @ucontrol: control element information -diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c -index 21c1424..d7ea8e2 100644 ---- a/virt/kvm/irqchip.c -+++ b/virt/kvm/irqchip.c -@@ -213,11 +213,15 @@ int kvm_set_irq_routing(struct kvm *kvm, - goto out; - - r = -EINVAL; -- if (ue->flags) -+ if (ue->flags) { -+ kfree(e); - goto out; -+ } - r = setup_routing_entry(new, e, ue); -- if (r) -+ if (r) { -+ kfree(e); - goto out; -+ } - ++ue; - } - diff --git a/4.2.6/4420_grsecurity-3.1-4.2.6-201511141543.patch b/4.2.6/4420_grsecurity-3.1-4.2.6-201511172005.patch similarity index 99% rename from 4.2.6/4420_grsecurity-3.1-4.2.6-201511141543.patch rename to 4.2.6/4420_grsecurity-3.1-4.2.6-201511172005.patch index 27bda59..3806d62 100644 --- a/4.2.6/4420_grsecurity-3.1-4.2.6-201511141543.patch +++ b/4.2.6/4420_grsecurity-3.1-4.2.6-201511172005.patch @@ -26061,7 +26061,7 @@ index 0e2d96f..5889003 100644 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0 + .endr diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index 1d40ca8..4d38dbd 100644 +index 1d40ca8..2dbedb3 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -20,6 +20,8 @@ @@ -26086,7 +26086,17 @@ index 1d40ca8..4d38dbd 100644 .text __HEAD -@@ -89,11 +97,33 @@ startup_64: +@@ -65,6 +73,9 @@ startup_64: + * tables and then reload them. + */ + ++ /* Sanitize CPU configuration */ ++ call verify_cpu ++ + /* + * Compute the delta between the address I am compiled to run at and the + * address I am actually running at. +@@ -89,11 +100,33 @@ startup_64: * Fixup the physical addresses in the page table */ addq %rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip) @@ -26122,11 +26132,15 @@ index 1d40ca8..4d38dbd 100644 /* * Set up the identity mapping for the switchover. These -@@ -174,11 +204,12 @@ ENTRY(secondary_startup_64) +@@ -174,11 +207,16 @@ ENTRY(secondary_startup_64) * after the boot processor executes this code. */ ++ /* Sanitize CPU configuration */ ++ call verify_cpu ++ + orq $-1, %rbp ++ movq $(init_level4_pgt - __START_KERNEL_map), %rax 1: @@ -26137,7 +26151,7 @@ index 1d40ca8..4d38dbd 100644 movq %rcx, %cr4 /* Setup early boot stage 4 level pagetables. */ -@@ -199,10 +230,21 @@ ENTRY(secondary_startup_64) +@@ -199,10 +237,21 @@ ENTRY(secondary_startup_64) movl $MSR_EFER, %ecx rdmsr btsl $_EFER_SCE, %eax /* Enable System Call */ @@ -26160,7 +26174,7 @@ index 1d40ca8..4d38dbd 100644 1: wrmsr /* Make changes effective */ /* Setup cr0 */ -@@ -282,6 +324,7 @@ ENTRY(secondary_startup_64) +@@ -282,12 +331,15 @@ ENTRY(secondary_startup_64) * REX.W + FF /5 JMP m16:64 Jump far, absolute indirect, * address given in m16:64. */ @@ -26168,7 +26182,15 @@ index 1d40ca8..4d38dbd 100644 movq initial_code(%rip),%rax pushq $0 # fake return address to stop unwinder pushq $__KERNEL_CS # set correct cs -@@ -313,7 +356,7 @@ ENDPROC(start_cpu0) + pushq %rax # target address in negative space + lretq + ++#include "verify_cpu.S" ++ + #ifdef CONFIG_HOTPLUG_CPU + /* + * Boot CPU0 entry point. It's called from play_dead(). Everything has been set +@@ -313,7 +365,7 @@ ENDPROC(start_cpu0) .quad INIT_PER_CPU_VAR(irq_stack_union) GLOBAL(stack_start) @@ -26177,7 +26199,7 @@ index 1d40ca8..4d38dbd 100644 .word 0 __FINITDATA -@@ -393,7 +436,7 @@ early_idt_handler_common: +@@ -393,7 +445,7 @@ early_idt_handler_common: call dump_stack #ifdef CONFIG_KALLSYMS leaq early_idt_ripmsg(%rip),%rdi @@ -26186,7 +26208,7 @@ index 1d40ca8..4d38dbd 100644 call __print_symbol #endif #endif /* EARLY_PRINTK */ -@@ -422,6 +465,7 @@ ENDPROC(early_idt_handler_common) +@@ -422,6 +474,7 @@ ENDPROC(early_idt_handler_common) early_recursion_flag: .long 0 @@ -26194,7 +26216,7 @@ index 1d40ca8..4d38dbd 100644 #ifdef CONFIG_EARLY_PRINTK early_idt_msg: .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n" -@@ -444,40 +488,67 @@ GLOBAL(name) +@@ -444,40 +497,67 @@ GLOBAL(name) __INITDATA NEXT_PAGE(early_level4_pgt) .fill 511,8,0 @@ -26274,7 +26296,7 @@ index 1d40ca8..4d38dbd 100644 NEXT_PAGE(level2_kernel_pgt) /* -@@ -494,31 +565,79 @@ NEXT_PAGE(level2_kernel_pgt) +@@ -494,31 +574,79 @@ NEXT_PAGE(level2_kernel_pgt) KERNEL_IMAGE_SIZE/PMD_SIZE) NEXT_PAGE(level2_fixmap_pgt) @@ -29417,7 +29439,7 @@ index 6647624..2056791 100644 force_sig_info(SIGSEGV, SEND_SIG_FORCED, current); } diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S -index b9242ba..50c5edd 100644 +index b9242ba..ae8c9cf 100644 --- a/arch/x86/kernel/verify_cpu.S +++ b/arch/x86/kernel/verify_cpu.S @@ -20,6 +20,7 @@ @@ -29428,6 +29450,42 @@ index b9242ba..50c5edd 100644 * * verify_cpu, returns the status of longmode and SSE in register %eax. * 0: Success 1: Failure +@@ -34,10 +35,11 @@ + #include + + verify_cpu: +- pushfl # Save caller passed flags +- pushl $0 # Kill any dangerous flags +- popfl ++ pushf # Save caller passed flags ++ push $0 # Kill any dangerous flags ++ popf + ++#ifndef __x86_64__ + pushfl # standard way to check for cpuid + popl %eax + movl %eax,%ebx +@@ -48,6 +50,7 @@ verify_cpu: + popl %eax + cmpl %eax,%ebx + jz verify_cpu_no_longmode # cpu has no cpuid ++#endif + + movl $0x0,%eax # See if cpuid 1 is implemented + cpuid +@@ -130,10 +133,10 @@ verify_cpu_sse_test: + jmp verify_cpu_sse_test # try again + + verify_cpu_no_longmode: +- popfl # Restore caller passed flags ++ popf # Restore caller passed flags + movl $1,%eax + ret + verify_cpu_sse_ok: +- popfl # Restore caller passed flags ++ popf # Restore caller passed flags + xorl %eax, %eax + ret diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c index fc9db6e..2c5865d 100644 --- a/arch/x86/kernel/vm86_32.c @@ -34763,7 +34821,7 @@ index 844b06d..f363c86 100644 const char *arch_vma_name(struct vm_area_struct *vma) diff --git a/arch/x86/mm/mmio-mod.c b/arch/x86/mm/mmio-mod.c -index 0057a7a..95c7edd 100644 +index 0057a7acc..95c7edd 100644 --- a/arch/x86/mm/mmio-mod.c +++ b/arch/x86/mm/mmio-mod.c @@ -194,7 +194,7 @@ static void pre(struct kmmio_probe *p, struct pt_regs *regs, @@ -86026,11 +86084,11 @@ index 0000000..31f8fe4 +endmenu diff --git a/grsecurity/Makefile b/grsecurity/Makefile new file mode 100644 -index 0000000..30ababb +index 0000000..6fb2175 --- /dev/null +++ b/grsecurity/Makefile @@ -0,0 +1,54 @@ -+# grsecurity – access control and security hardening for Linux ++# grsecurity - access control and security hardening for Linux +# All code in this directory and various hooks located throughout the Linux kernel are +# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc. +# http://www.grsecurity.net spender@grsecurity.net @@ -103454,6 +103512,24 @@ index d5fe9f2..8da10ed 100644 void __ip_select_ident(struct net *net, struct iphdr *iph, int segs); static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb, +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h +index b8529aa..b0f7445 100644 +--- a/include/net/ip6_tunnel.h ++++ b/include/net/ip6_tunnel.h +@@ -83,11 +83,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + err = ip6_local_out_sk(sk, skb); + + if (net_xmit_eval(err) == 0) { +- struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats); ++ struct pcpu_sw_netstats *tstats = get_cpu_ptr(dev->tstats); + u64_stats_update_begin(&tstats->syncp); + tstats->tx_bytes += pkt_len; + tstats->tx_packets++; + u64_stats_update_end(&tstats->syncp); ++ put_cpu_ptr(tstats); + } else { + stats->tx_errors++; + stats->tx_aborted_errors++; diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h index 5fa643b..d871e20 100644 --- a/include/net/ip_fib.h @@ -103467,6 +103543,25 @@ index 5fa643b..d871e20 100644 FIB_RES_NH(res).nh_saddr : \ fib_info_update_nh_saddr((net), &FIB_RES_NH(res))) #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw) +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index d8214cb..9c2897e 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -207,12 +207,13 @@ static inline void iptunnel_xmit_stats(int err, + struct pcpu_sw_netstats __percpu *stats) + { + if (err > 0) { +- struct pcpu_sw_netstats *tstats = this_cpu_ptr(stats); ++ struct pcpu_sw_netstats *tstats = get_cpu_ptr(stats); + + u64_stats_update_begin(&tstats->syncp); + tstats->tx_bytes += err; + tstats->tx_packets++; + u64_stats_update_end(&tstats->syncp); ++ put_cpu_ptr(tstats); + } else if (err < 0) { + err_stats->tx_errors++; + err_stats->tx_aborted_errors++; diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h index 4e3731e..a242e28 100644 --- a/include/net/ip_vs.h @@ -108825,10 +108920,20 @@ index 564f786..361a18e 100644 if (pm_wakeup_pending()) { diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c -index cf8c242..84e7843 100644 +index cf8c242..16bca7e 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c -@@ -475,7 +475,7 @@ static int log_store(int facility, int level, +@@ -269,6 +269,9 @@ static u32 clear_idx; + #define PREFIX_MAX 32 + #define LOG_LINE_MAX (1024 - PREFIX_MAX) + ++#define LOG_LEVEL(v) ((v) & 0x07) ++#define LOG_FACILITY(v) ((v) >> 3 & 0xff) ++ + /* record buffer */ + #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) + #define LOG_ALIGN 4 +@@ -475,7 +478,7 @@ static int log_store(int facility, int level, return msg->text_len; } @@ -108837,7 +108942,7 @@ index cf8c242..84e7843 100644 static int syslog_action_restricted(int type) { -@@ -498,6 +498,11 @@ int check_syslog_permissions(int type, int source) +@@ -498,6 +501,11 @@ int check_syslog_permissions(int type, int source) if (source == SYSLOG_FROM_PROC && type != SYSLOG_ACTION_OPEN) goto ok; @@ -108849,6 +108954,32 @@ index cf8c242..84e7843 100644 if (syslog_action_restricted(type)) { if (capable(CAP_SYSLOG)) goto ok; +@@ -611,7 +619,6 @@ struct devkmsg_user { + static ssize_t devkmsg_write(struct kiocb *iocb, struct iov_iter *from) + { + char *buf, *line; +- int i; + int level = default_message_loglevel; + int facility = 1; /* LOG_USER */ + size_t len = iov_iter_count(from); +@@ -641,12 +648,13 @@ static ssize_t devkmsg_write(struct kiocb *iocb, struct iov_iter *from) + line = buf; + if (line[0] == '<') { + char *endp = NULL; ++ unsigned int u; + +- i = simple_strtoul(line+1, &endp, 10); ++ u = simple_strtoul(line + 1, &endp, 10); + if (endp && endp[0] == '>') { +- level = i & 7; +- if (i >> 3) +- facility = i >> 3; ++ level = LOG_LEVEL(u); ++ if (LOG_FACILITY(u) != 0) ++ facility = LOG_FACILITY(u); + endp++; + len -= endp - line; + line = endp; diff --git a/kernel/profile.c b/kernel/profile.c index a7bcd28..5b368fa 100644 --- a/kernel/profile.c @@ -122752,13 +122883,13 @@ index 9c8fab0..5080c7c 100644 static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = { diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c new file mode 100644 -index 0000000..c566332 +index 0000000..a7cb915 --- /dev/null +++ b/net/netfilter/xt_gradm.c @@ -0,0 +1,51 @@ +/* + * gradm match for netfilter -+ * Copyright � Zbigniew Krzystolik, 2010 ++ * Copyright (c) Zbigniew Krzystolik, 2010 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License; either version @@ -124396,10 +124527,18 @@ index 350cca3..a108fc5 100644 sub->evt.event = htohl(event, sub->swap); sub->evt.found_lower = htohl(found_lower, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 94f6582..b71ef93 100644 +index 94f6582..2272bfc 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c -@@ -802,6 +802,12 @@ static struct sock *unix_find_other(struct net *net, +@@ -440,6 +440,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + if (state == TCP_LISTEN) + unix_release_sock(skb->sk, 1); + /* passed fds are erased in the kfree_skb hook */ ++ UNIXCB(skb).consumed = skb->len; + kfree_skb(skb); + } + +@@ -802,6 +803,12 @@ static struct sock *unix_find_other(struct net *net, err = -ECONNREFUSED; if (!S_ISSOCK(inode->i_mode)) goto put_fail; @@ -124412,7 +124551,7 @@ index 94f6582..b71ef93 100644 u = unix_find_socket_byinode(inode); if (!u) goto put_fail; -@@ -822,6 +828,13 @@ static struct sock *unix_find_other(struct net *net, +@@ -822,6 +829,13 @@ static struct sock *unix_find_other(struct net *net, if (u) { struct dentry *dentry; dentry = unix_sk(u)->path.dentry; @@ -124426,7 +124565,7 @@ index 94f6582..b71ef93 100644 if (dentry) touch_atime(&unix_sk(u)->path); } else -@@ -855,12 +868,18 @@ static int unix_mknod(const char *sun_path, umode_t mode, struct path *res) +@@ -855,12 +869,18 @@ static int unix_mknod(const char *sun_path, umode_t mode, struct path *res) */ err = security_path_mknod(&path, dentry, mode, 0); if (!err) { @@ -124445,7 +124584,67 @@ index 94f6582..b71ef93 100644 done_path_create(&path, dentry); return err; } -@@ -2455,11 +2474,14 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, +@@ -1798,6 +1818,7 @@ alloc_skb: + * this - does no harm + */ + consume_skb(newskb); ++ newskb = NULL; + } + + if (skb_append_pagefrags(skb, page, offset, size)) { +@@ -1810,8 +1831,11 @@ alloc_skb: + skb->truesize += size; + atomic_add(size, &sk->sk_wmem_alloc); + +- if (newskb) ++ if (newskb) { ++ spin_lock(&other->sk_receive_queue.lock); + __skb_queue_tail(&other->sk_receive_queue, newskb); ++ spin_unlock(&other->sk_receive_queue.lock); ++ } + + unix_state_unlock(other); + mutex_unlock(&unix_sk(other)->readlock); +@@ -2071,6 +2095,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state) + + do { + int chunk; ++ bool drop_skb; + struct sk_buff *skb, *last; + + unix_state_lock(sk); +@@ -2151,7 +2176,11 @@ unlock: + } + + chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size); ++ skb_get(skb); + chunk = state->recv_actor(skb, skip, chunk, state); ++ drop_skb = !unix_skb_len(skb); ++ /* skb is only safe to use if !drop_skb */ ++ consume_skb(skb); + if (chunk < 0) { + if (copied == 0) + copied = -EFAULT; +@@ -2160,6 +2189,18 @@ unlock: + copied += chunk; + size -= chunk; + ++ if (drop_skb) { ++ /* the skb was touched by a concurrent reader; ++ * we should not expect anything from this skb ++ * anymore and assume it invalid - we can be ++ * sure it was dropped from the socket queue ++ * ++ * let's report a short read ++ */ ++ err = 0; ++ break; ++ } ++ + /* Mark read part of skb as used */ + if (!(flags & MSG_PEEK)) { + UNIXCB(skb).consumed += chunk; +@@ -2455,11 +2496,14 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, writable = unix_writable(sk); other = unix_peer_get(sk); if (other) { @@ -124462,7 +124661,7 @@ index 94f6582..b71ef93 100644 sock_put(other); } -@@ -2556,9 +2578,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2556,9 +2600,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_puts(seq, "Num RefCount Protocol Flags Type St " "Inode Path\n"); else { @@ -124477,7 +124676,7 @@ index 94f6582..b71ef93 100644 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", s, -@@ -2583,10 +2609,29 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2583,10 +2631,29 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_putc(seq, '@'); i++; }