From: "Alice Ferrazzi" <alicef@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/linux-patches:4.1 commit in: /
Date: Fri, 15 Dec 2017 20:22:25 +0000 (UTC) [thread overview]
Message-ID: <1513369334.4f5e8935a83b7b615e64287b1ba50633ac6e39b1.alicef@gentoo> (raw)
commit: 4f5e8935a83b7b615e64287b1ba50633ac6e39b1
Author: Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
AuthorDate: Fri Dec 15 20:22:14 2017 +0000
Commit: Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
CommitDate: Fri Dec 15 20:22:14 2017 +0000
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=4f5e8935
linux kernel 4.1.48
0000_README | 4 +
1047_linux-4.1.48.patch | 3434 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 3438 insertions(+)
diff --git a/0000_README b/0000_README
index b37932b..1b3166c 100644
--- a/0000_README
+++ b/0000_README
@@ -231,6 +231,10 @@ Patch: 1046_linux-4.1.47.patch
From: http://www.kernel.org
Desc: Linux 4.1.47
+Patch: 1047_linux-4.1.48.patch
+From: http://www.kernel.org
+Desc: Linux 4.1.48
+
Patch: 1500_XATTR_USER_PREFIX.patch
From: https://bugs.gentoo.org/show_bug.cgi?id=470644
Desc: Support for namespace user.pax.* on tmpfs.
diff --git a/1047_linux-4.1.48.patch b/1047_linux-4.1.48.patch
new file mode 100644
index 0000000..bf1334d
--- /dev/null
+++ b/1047_linux-4.1.48.patch
@@ -0,0 +1,3434 @@
+diff --git a/Makefile b/Makefile
+index c730c9719f6d..97edf556bfe4 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 1
+-SUBLEVEL = 47
++SUBLEVEL = 48
+ EXTRAVERSION =
+ NAME = Series 4800
+
+diff --git a/arch/arm/mm/dump.c b/arch/arm/mm/dump.c
+index 9fe8e241335c..e1f6f0daa847 100644
+--- a/arch/arm/mm/dump.c
++++ b/arch/arm/mm/dump.c
+@@ -126,8 +126,8 @@ static const struct prot_bits section_bits[] = {
+ .val = PMD_SECT_USER,
+ .set = "USR",
+ }, {
+- .mask = L_PMD_SECT_RDONLY,
+- .val = L_PMD_SECT_RDONLY,
++ .mask = L_PMD_SECT_RDONLY | PMD_SECT_AP2,
++ .val = L_PMD_SECT_RDONLY | PMD_SECT_AP2,
+ .set = "ro",
+ .clear = "RW",
+ #elif __LINUX_ARM_ARCH__ >= 6
+diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c
+index be92fa0f2f35..10058c00ddd9 100644
+--- a/arch/arm/mm/init.c
++++ b/arch/arm/mm/init.c
+@@ -609,8 +609,8 @@ static struct section_perm ro_perms[] = {
+ .start = (unsigned long)_stext,
+ .end = (unsigned long)__init_begin,
+ #ifdef CONFIG_ARM_LPAE
+- .mask = ~L_PMD_SECT_RDONLY,
+- .prot = L_PMD_SECT_RDONLY,
++ .mask = ~(L_PMD_SECT_RDONLY | PMD_SECT_AP2),
++ .prot = L_PMD_SECT_RDONLY | PMD_SECT_AP2,
+ #else
+ .mask = ~(PMD_SECT_APX | PMD_SECT_AP_WRITE),
+ .prot = PMD_SECT_APX | PMD_SECT_AP_WRITE,
+diff --git a/arch/mips/bcm47xx/leds.c b/arch/mips/bcm47xx/leds.c
+index 0e4ade342333..5c2e12923327 100644
+--- a/arch/mips/bcm47xx/leds.c
++++ b/arch/mips/bcm47xx/leds.c
+@@ -330,7 +330,7 @@ bcm47xx_leds_linksys_wrt54g3gv2[] __initconst = {
+ /* Verified on: WRT54GS V1.0 */
+ static const struct gpio_led
+ bcm47xx_leds_linksys_wrt54g_type_0101[] __initconst = {
+- BCM47XX_GPIO_LED(0, "green", "wlan", 0, LEDS_GPIO_DEFSTATE_OFF),
++ BCM47XX_GPIO_LED(0, "green", "wlan", 1, LEDS_GPIO_DEFSTATE_OFF),
+ BCM47XX_GPIO_LED(1, "green", "power", 0, LEDS_GPIO_DEFSTATE_ON),
+ BCM47XX_GPIO_LED(7, "green", "dmz", 1, LEDS_GPIO_DEFSTATE_OFF),
+ };
+diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
+index 5c3aa41a162f..81a13fd56d13 100644
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -561,6 +561,19 @@ static const struct user_regset_view user_mips64_view = {
+ .n = ARRAY_SIZE(mips64_regsets),
+ };
+
++#ifdef CONFIG_MIPS32_N32
++
++static const struct user_regset_view user_mipsn32_view = {
++ .name = "mipsn32",
++ .e_flags = EF_MIPS_ABI2,
++ .e_machine = ELF_ARCH,
++ .ei_osabi = ELF_OSABI,
++ .regsets = mips64_regsets,
++ .n = ARRAY_SIZE(mips64_regsets),
++};
++
++#endif /* CONFIG_MIPS32_N32 */
++
+ #endif /* CONFIG_64BIT */
+
+ const struct user_regset_view *task_user_regset_view(struct task_struct *task)
+@@ -571,6 +584,10 @@ const struct user_regset_view *task_user_regset_view(struct task_struct *task)
+ #ifdef CONFIG_MIPS32_O32
+ if (test_tsk_thread_flag(task, TIF_32BIT_REGS))
+ return &user_mips_view;
++#endif
++#ifdef CONFIG_MIPS32_N32
++ if (test_tsk_thread_flag(task, TIF_32BIT_ADDR))
++ return &user_mipsn32_view;
+ #endif
+ return &user_mips64_view;
+ #endif
+diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c
+index 51e77841f9f6..2734f6a4857d 100644
+--- a/arch/mips/kernel/setup.c
++++ b/arch/mips/kernel/setup.c
+@@ -147,35 +147,6 @@ void __init detect_memory_region(phys_addr_t start, phys_addr_t sz_min, phys_add
+ add_memory_region(start, size, BOOT_MEM_RAM);
+ }
+
+-bool __init memory_region_available(phys_addr_t start, phys_addr_t size)
+-{
+- int i;
+- bool in_ram = false, free = true;
+-
+- for (i = 0; i < boot_mem_map.nr_map; i++) {
+- phys_addr_t start_, end_;
+-
+- start_ = boot_mem_map.map[i].addr;
+- end_ = boot_mem_map.map[i].addr + boot_mem_map.map[i].size;
+-
+- switch (boot_mem_map.map[i].type) {
+- case BOOT_MEM_RAM:
+- if (start >= start_ && start + size <= end_)
+- in_ram = true;
+- break;
+- case BOOT_MEM_RESERVED:
+- if ((start >= start_ && start < end_) ||
+- (start < start_ && start + size >= start_))
+- free = false;
+- break;
+- default:
+- continue;
+- }
+- }
+-
+- return in_ram && free;
+-}
+-
+ static void __init print_memory_map(void)
+ {
+ int i;
+@@ -324,19 +295,11 @@ static void __init bootmem_init(void)
+
+ #else /* !CONFIG_SGI_IP27 */
+
+-static unsigned long __init bootmap_bytes(unsigned long pages)
+-{
+- unsigned long bytes = DIV_ROUND_UP(pages, 8);
+-
+- return ALIGN(bytes, sizeof(long));
+-}
+-
+ static void __init bootmem_init(void)
+ {
+ unsigned long reserved_end;
+ unsigned long mapstart = ~0UL;
+ unsigned long bootmap_size;
+- bool bootmap_valid = false;
+ int i;
+
+ /*
+@@ -411,43 +374,12 @@ static void __init bootmem_init(void)
+ mapstart = max(mapstart, (unsigned long)PFN_UP(__pa(initrd_end)));
+ #endif
+
+- /*
+- * check that mapstart doesn't overlap with any of
+- * memory regions that have been reserved through eg. DTB
+- */
+- bootmap_size = bootmap_bytes(max_low_pfn - min_low_pfn);
+-
+- bootmap_valid = memory_region_available(PFN_PHYS(mapstart),
+- bootmap_size);
+- for (i = 0; i < boot_mem_map.nr_map && !bootmap_valid; i++) {
+- unsigned long mapstart_addr;
+-
+- switch (boot_mem_map.map[i].type) {
+- case BOOT_MEM_RESERVED:
+- mapstart_addr = PFN_ALIGN(boot_mem_map.map[i].addr +
+- boot_mem_map.map[i].size);
+- if (PHYS_PFN(mapstart_addr) < mapstart)
+- break;
+-
+- bootmap_valid = memory_region_available(mapstart_addr,
+- bootmap_size);
+- if (bootmap_valid)
+- mapstart = PHYS_PFN(mapstart_addr);
+- break;
+- default:
+- break;
+- }
+- }
+-
+- if (!bootmap_valid)
+- panic("No memory area to place a bootmap bitmap");
+-
+ /*
+ * Initialize the boot-time allocator with low memory only.
+ */
+- if (bootmap_size != init_bootmem_node(NODE_DATA(0), mapstart,
+- min_low_pfn, max_low_pfn))
+- panic("Unexpected memory size required for bootmap");
++ bootmap_size = init_bootmem_node(NODE_DATA(0), mapstart,
++ min_low_pfn, max_low_pfn);
++
+
+ for (i = 0; i < boot_mem_map.nr_map; i++) {
+ unsigned long start, end;
+diff --git a/arch/mips/ralink/mt7620.c b/arch/mips/ralink/mt7620.c
+index c57215a66181..e916b14234e6 100644
+--- a/arch/mips/ralink/mt7620.c
++++ b/arch/mips/ralink/mt7620.c
+@@ -132,8 +132,8 @@ static struct rt2880_pmx_func i2c_grp_mt7628[] = {
+ FUNC("i2c", 0, 4, 2),
+ };
+
+-static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("reclk", 0, 36, 1) };
+-static struct rt2880_pmx_func perst_grp_mt7628[] = { FUNC("perst", 0, 37, 1) };
++static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("refclk", 0, 37, 1) };
++static struct rt2880_pmx_func perst_grp_mt7628[] = { FUNC("perst", 0, 36, 1) };
+ static struct rt2880_pmx_func wdt_grp_mt7628[] = { FUNC("wdt", 0, 38, 1) };
+ static struct rt2880_pmx_func spi_grp_mt7628[] = { FUNC("spi", 0, 7, 4) };
+
+diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S
+index 95f090fe385a..196395a0ac91 100644
+--- a/arch/parisc/kernel/syscall.S
++++ b/arch/parisc/kernel/syscall.S
+@@ -688,15 +688,15 @@ cas_action:
+ /* ELF32 Process entry path */
+ lws_compare_and_swap_2:
+ #ifdef CONFIG_64BIT
+- /* Clip the input registers */
++ /* Clip the input registers. We don't need to clip %r23 as we
++ only use it for word operations */
+ depdi 0, 31, 32, %r26
+ depdi 0, 31, 32, %r25
+ depdi 0, 31, 32, %r24
+- depdi 0, 31, 32, %r23
+ #endif
+
+ /* Check the validity of the size pointer */
+- subi,>>= 4, %r23, %r0
++ subi,>>= 3, %r23, %r0
+ b,n lws_exit_nosys
+
+ /* Jump to the functions which will load the old and new values into
+diff --git a/arch/powerpc/kernel/signal.c b/arch/powerpc/kernel/signal.c
+index cf8c7e4e0b21..984a54c85952 100644
+--- a/arch/powerpc/kernel/signal.c
++++ b/arch/powerpc/kernel/signal.c
+@@ -102,7 +102,7 @@ static void check_syscall_restart(struct pt_regs *regs, struct k_sigaction *ka,
+ static void do_signal(struct pt_regs *regs)
+ {
+ sigset_t *oldset = sigmask_to_save();
+- struct ksignal ksig;
++ struct ksignal ksig = { .sig = 0 };
+ int ret;
+ int is32 = is_32bit_task();
+
+diff --git a/arch/s390/include/asm/asm-prototypes.h b/arch/s390/include/asm/asm-prototypes.h
+new file mode 100644
+index 000000000000..2c3413b0ca52
+--- /dev/null
++++ b/arch/s390/include/asm/asm-prototypes.h
+@@ -0,0 +1,8 @@
++#ifndef _ASM_S390_PROTOTYPES_H
++
++#include <linux/kvm_host.h>
++#include <linux/ftrace.h>
++#include <asm/fpu/api.h>
++#include <asm-generic/asm-prototypes.h>
++
++#endif /* _ASM_S390_PROTOTYPES_H */
+diff --git a/arch/s390/kernel/dis.c b/arch/s390/kernel/dis.c
+index 8140d10c6785..d7c277664ec4 100644
+--- a/arch/s390/kernel/dis.c
++++ b/arch/s390/kernel/dis.c
+@@ -1549,6 +1549,7 @@ static struct s390_insn opcode_e7[] = {
+ { "vfsq", 0xce, INSTR_VRR_VV000MM },
+ { "vfs", 0xe2, INSTR_VRR_VVV00MM },
+ { "vftci", 0x4a, INSTR_VRI_VVIMM },
++ { "", 0, INSTR_INVALID }
+ };
+
+ static struct s390_insn opcode_eb[] = {
+@@ -1954,7 +1955,7 @@ void show_code(struct pt_regs *regs)
+ {
+ char *mode = user_mode(regs) ? "User" : "Krnl";
+ unsigned char code[64];
+- char buffer[64], *ptr;
++ char buffer[128], *ptr;
+ mm_segment_t old_fs;
+ unsigned long addr;
+ int start, end, opsize, hops, i;
+@@ -2017,7 +2018,7 @@ void show_code(struct pt_regs *regs)
+ start += opsize;
+ printk(buffer);
+ ptr = buffer;
+- ptr += sprintf(ptr, "\n ");
++ ptr += sprintf(ptr, "\n\t ");
+ hops++;
+ }
+ printk("\n");
+diff --git a/arch/s390/kernel/runtime_instr.c b/arch/s390/kernel/runtime_instr.c
+index 26b4ae96fdd7..ddbec1054f75 100644
+--- a/arch/s390/kernel/runtime_instr.c
++++ b/arch/s390/kernel/runtime_instr.c
+@@ -53,12 +53,14 @@ void exit_thread_runtime_instr(void)
+ {
+ struct task_struct *task = current;
+
++ preempt_disable();
+ if (!task->thread.ri_cb)
+ return;
+ disable_runtime_instr();
+ kfree(task->thread.ri_cb);
+ task->thread.ri_signum = 0;
+ task->thread.ri_cb = NULL;
++ preempt_enable();
+ }
+
+ static void runtime_instr_int_handler(struct ext_code ext_code,
+@@ -100,9 +102,7 @@ SYSCALL_DEFINE2(s390_runtime_instr, int, command, int, signum)
+ return -EOPNOTSUPP;
+
+ if (command == S390_RUNTIME_INSTR_STOP) {
+- preempt_disable();
+ exit_thread_runtime_instr();
+- preempt_enable();
+ return 0;
+ }
+
+diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
+index 3738b138b843..b047734842df 100644
+--- a/arch/x86/include/asm/efi.h
++++ b/arch/x86/include/asm/efi.h
+@@ -3,6 +3,7 @@
+
+ #include <asm/i387.h>
+ #include <asm/pgtable.h>
++#include <asm/tlb.h>
+
+ /*
+ * We map the EFI regions needed for runtime services non-contiguously,
+@@ -64,6 +65,17 @@ extern u64 asmlinkage efi_call(void *fp, ...);
+
+ #define efi_call_phys(f, args...) efi_call((f), args)
+
++/*
++ * Scratch space used for switching the pagetable in the EFI stub
++ */
++struct efi_scratch {
++ u64 r15;
++ u64 prev_cr3;
++ pgd_t *efi_pgt;
++ bool use_pgd;
++ u64 phys_stack;
++} __packed;
++
+ #define efi_call_virt(f, ...) \
+ ({ \
+ efi_status_t __s; \
+@@ -71,7 +83,20 @@ extern u64 asmlinkage efi_call(void *fp, ...);
+ efi_sync_low_kernel_mappings(); \
+ preempt_disable(); \
+ __kernel_fpu_begin(); \
++ \
++ if (efi_scratch.use_pgd) { \
++ efi_scratch.prev_cr3 = read_cr3(); \
++ write_cr3((unsigned long)efi_scratch.efi_pgt); \
++ __flush_tlb_all(); \
++ } \
++ \
+ __s = efi_call((void *)efi.systab->runtime->f, __VA_ARGS__); \
++ \
++ if (efi_scratch.use_pgd) { \
++ write_cr3(efi_scratch.prev_cr3); \
++ __flush_tlb_all(); \
++ } \
++ \
+ __kernel_fpu_end(); \
+ preempt_enable(); \
+ __s; \
+@@ -98,6 +123,7 @@ extern void __init efi_memory_uc(u64 addr, unsigned long size);
+ extern void __init efi_map_region(efi_memory_desc_t *md);
+ extern void __init efi_map_region_fixed(efi_memory_desc_t *md);
+ extern void efi_sync_low_kernel_mappings(void);
++extern int __init efi_alloc_page_tables(void);
+ extern int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages);
+ extern void __init efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages);
+ extern void __init old_map_region(efi_memory_desc_t *md);
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 23be7ffebb4b..c5ecf85227e0 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1780,6 +1780,8 @@ static int ud_interception(struct vcpu_svm *svm)
+ int er;
+
+ er = emulate_instruction(&svm->vcpu, EMULTYPE_TRAP_UD);
++ if (er == EMULATE_USER_EXIT)
++ return 0;
+ if (er != EMULATE_DONE)
+ kvm_queue_exception(&svm->vcpu, UD_VECTOR);
+ return 1;
+@@ -3196,6 +3198,13 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
+ u32 ecx = msr->index;
+ u64 data = msr->data;
+ switch (ecx) {
++ case MSR_IA32_CR_PAT:
++ if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
++ return 1;
++ vcpu->arch.pat = data;
++ svm->vmcb->save.g_pat = data;
++ mark_dirty(svm->vmcb, VMCB_NPT);
++ break;
+ case MSR_IA32_TSC:
+ kvm_write_tsc(vcpu, msr);
+ break;
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 33c1b5311b98..665b10a55b30 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5096,6 +5096,8 @@ static int handle_exception(struct kvm_vcpu *vcpu)
+ return 1;
+ }
+ er = emulate_instruction(vcpu, EMULTYPE_TRAP_UD);
++ if (er == EMULATE_USER_EXIT)
++ return 0;
+ if (er != EMULATE_DONE)
+ kvm_queue_exception(vcpu, UD_VECTOR);
+ return 1;
+@@ -9966,6 +9968,8 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
+ vmcs_writel(GUEST_SYSENTER_EIP, vmcs12->host_ia32_sysenter_eip);
+ vmcs_writel(GUEST_IDTR_BASE, vmcs12->host_idtr_base);
+ vmcs_writel(GUEST_GDTR_BASE, vmcs12->host_gdtr_base);
++ vmcs_write32(GUEST_IDTR_LIMIT, 0xFFFF);
++ vmcs_write32(GUEST_GDTR_LIMIT, 0xFFFF);
+
+ /* If not VM_EXIT_CLEAR_BNDCFGS, the L2 value propagates to L1. */
+ if (vmcs12->vm_exit_controls & VM_EXIT_CLEAR_BNDCFGS)
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 5f9cf11f9446..e4e7d45fd551 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1697,6 +1697,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
+ */
+ BUILD_BUG_ON(offsetof(struct pvclock_vcpu_time_info, version) != 0);
+
++ if (guest_hv_clock.version & 1)
++ ++guest_hv_clock.version; /* first time write, random junk */
++
+ vcpu->hv_clock.version = guest_hv_clock.version + 1;
+ kvm_write_guest_cached(v->kvm, &vcpu->pv_time,
+ &vcpu->hv_clock,
+@@ -5433,6 +5436,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu,
+ if (reexecute_instruction(vcpu, cr2, write_fault_to_spt,
+ emulation_type))
+ return EMULATE_DONE;
++ if (ctxt->have_exception && inject_emulated_exception(vcpu))
++ return EMULATE_DONE;
+ if (emulation_type & EMULTYPE_SKIP)
+ return EMULATE_FAIL;
+ return handle_emulation_failure(vcpu);
+diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt
+index 816488c0b97e..2dc6a7df16cd 100644
+--- a/arch/x86/lib/x86-opcode-map.txt
++++ b/arch/x86/lib/x86-opcode-map.txt
+@@ -822,7 +822,7 @@ EndTable
+
+ GrpTable: Grp3_1
+ 0: TEST Eb,Ib
+-1:
++1: TEST Eb,Ib
+ 2: NOT Eb
+ 3: NEG Eb
+ 4: MUL AL,Eb
+diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
+index 2dd9b3ad3bb5..1e5a786e75ce 100644
+--- a/arch/x86/mm/pageattr.c
++++ b/arch/x86/mm/pageattr.c
+@@ -884,15 +884,10 @@ static void populate_pte(struct cpa_data *cpa,
+ pte = pte_offset_kernel(pmd, start);
+
+ while (num_pages-- && start < end) {
+-
+- /* deal with the NX bit */
+- if (!(pgprot_val(pgprot) & _PAGE_NX))
+- cpa->pfn &= ~_PAGE_NX;
+-
+- set_pte(pte, pfn_pte(cpa->pfn >> PAGE_SHIFT, pgprot));
++ set_pte(pte, pfn_pte(cpa->pfn, pgprot));
+
+ start += PAGE_SIZE;
+- cpa->pfn += PAGE_SIZE;
++ cpa->pfn++;
+ pte++;
+ }
+ }
+@@ -948,11 +943,11 @@ static int populate_pmd(struct cpa_data *cpa,
+
+ pmd = pmd_offset(pud, start);
+
+- set_pmd(pmd, __pmd(cpa->pfn | _PAGE_PSE |
++ set_pmd(pmd, __pmd(cpa->pfn << PAGE_SHIFT | _PAGE_PSE |
+ massage_pgprot(pmd_pgprot)));
+
+ start += PMD_SIZE;
+- cpa->pfn += PMD_SIZE;
++ cpa->pfn += PMD_SIZE >> PAGE_SHIFT;
+ cur_pages += PMD_SIZE >> PAGE_SHIFT;
+ }
+
+@@ -1021,11 +1016,11 @@ static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
+ * Map everything starting from the Gb boundary, possibly with 1G pages
+ */
+ while (end - start >= PUD_SIZE) {
+- set_pud(pud, __pud(cpa->pfn | _PAGE_PSE |
++ set_pud(pud, __pud(cpa->pfn << PAGE_SHIFT | _PAGE_PSE |
+ massage_pgprot(pud_pgprot)));
+
+ start += PUD_SIZE;
+- cpa->pfn += PUD_SIZE;
++ cpa->pfn += PUD_SIZE >> PAGE_SHIFT;
+ cur_pages += PUD_SIZE >> PAGE_SHIFT;
+ pud++;
+ }
+diff --git a/arch/x86/platform/efi/efi-bgrt.c b/arch/x86/platform/efi/efi-bgrt.c
+index d7f997f7c26d..10380c8749b7 100644
+--- a/arch/x86/platform/efi/efi-bgrt.c
++++ b/arch/x86/platform/efi/efi-bgrt.c
+@@ -28,8 +28,7 @@ struct bmp_header {
+ void __init efi_bgrt_init(void)
+ {
+ acpi_status status;
+- void __iomem *image;
+- bool ioremapped = false;
++ void *image;
+ struct bmp_header bmp_header;
+
+ if (acpi_disabled)
+@@ -65,20 +64,14 @@ void __init efi_bgrt_init(void)
+ return;
+ }
+
+- image = efi_lookup_mapped_addr(bgrt_tab->image_address);
++ image = early_memremap(bgrt_tab->image_address, sizeof(bmp_header));
+ if (!image) {
+- image = early_ioremap(bgrt_tab->image_address,
+- sizeof(bmp_header));
+- ioremapped = true;
+- if (!image) {
+- pr_err("Ignoring BGRT: failed to map image header memory\n");
+- return;
+- }
++ pr_err("Ignoring BGRT: failed to map image header memory\n");
++ return;
+ }
+
+- memcpy_fromio(&bmp_header, image, sizeof(bmp_header));
+- if (ioremapped)
+- early_iounmap(image, sizeof(bmp_header));
++ memcpy(&bmp_header, image, sizeof(bmp_header));
++ early_memunmap(image, sizeof(bmp_header));
+ bgrt_image_size = bmp_header.size;
+
+ bgrt_image = kmalloc(bgrt_image_size, GFP_KERNEL | __GFP_NOWARN);
+@@ -88,18 +81,14 @@ void __init efi_bgrt_init(void)
+ return;
+ }
+
+- if (ioremapped) {
+- image = early_ioremap(bgrt_tab->image_address,
+- bmp_header.size);
+- if (!image) {
+- pr_err("Ignoring BGRT: failed to map image memory\n");
+- kfree(bgrt_image);
+- bgrt_image = NULL;
+- return;
+- }
++ image = early_memremap(bgrt_tab->image_address, bmp_header.size);
++ if (!image) {
++ pr_err("Ignoring BGRT: failed to map image memory\n");
++ kfree(bgrt_image);
++ bgrt_image = NULL;
++ return;
+ }
+
+- memcpy_fromio(bgrt_image, image, bgrt_image_size);
+- if (ioremapped)
+- early_iounmap(image, bmp_header.size);
++ memcpy(bgrt_image, image, bgrt_image_size);
++ early_memunmap(image, bmp_header.size);
+ }
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index 477384985ac9..9b2fe733e9f7 100644
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -843,7 +843,7 @@ static void __init kexec_enter_virtual_mode(void)
+ * This function will switch the EFI runtime services to virtual mode.
+ * Essentially, we look through the EFI memmap and map every region that
+ * has the runtime attribute bit set in its memory descriptor into the
+- * ->trampoline_pgd page table using a top-down VA allocation scheme.
++ * efi_pgd page table.
+ *
+ * The old method which used to update that memory descriptor with the
+ * virtual address obtained from ioremap() is still supported when the
+@@ -853,8 +853,8 @@ static void __init kexec_enter_virtual_mode(void)
+ *
+ * The new method does a pagetable switch in a preemption-safe manner
+ * so that we're in a different address space when calling a runtime
+- * function. For function arguments passing we do copy the PGDs of the
+- * kernel page table into ->trampoline_pgd prior to each call.
++ * function. For function arguments passing we do copy the PUDs of the
++ * kernel page table into efi_pgd prior to each call.
+ *
+ * Specially for kexec boot, efi runtime maps in previous kernel should
+ * be passed in via setup_data. In that case runtime ranges will be mapped
+@@ -869,6 +869,12 @@ static void __init __efi_enter_virtual_mode(void)
+
+ efi.systab = NULL;
+
++ if (efi_alloc_page_tables()) {
++ pr_err("Failed to allocate EFI page tables\n");
++ clear_bit(EFI_RUNTIME_SERVICES, &efi.flags);
++ return;
++ }
++
+ efi_merge_regions();
+ new_memmap = efi_map_regions(&count, &pg_shift);
+ if (!new_memmap) {
+@@ -928,28 +934,11 @@ static void __init __efi_enter_virtual_mode(void)
+ efi_runtime_mkexec();
+
+ /*
+- * We mapped the descriptor array into the EFI pagetable above but we're
+- * not unmapping it here. Here's why:
+- *
+- * We're copying select PGDs from the kernel page table to the EFI page
+- * table and when we do so and make changes to those PGDs like unmapping
+- * stuff from them, those changes appear in the kernel page table and we
+- * go boom.
+- *
+- * From setup_real_mode():
+- *
+- * ...
+- * trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd;
+- *
+- * In this particular case, our allocation is in PGD 0 of the EFI page
+- * table but we've copied that PGD from PGD[272] of the EFI page table:
+- *
+- * pgd_index(__PAGE_OFFSET = 0xffff880000000000) = 272
+- *
+- * where the direct memory mapping in kernel space is.
+- *
+- * new_memmap's VA comes from that direct mapping and thus clearing it,
+- * it would get cleared in the kernel page table too.
++ * We mapped the descriptor array into the EFI pagetable above
++ * but we're not unmapping it here because if we're running in
++ * EFI mixed mode we need all of memory to be accessible when
++ * we pass parameters to the EFI runtime services in the
++ * thunking code.
+ *
+ * efi_cleanup_page_tables(__pa(new_memmap), 1 << pg_shift);
+ */
+diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c
+index ed5b67338294..58d669bc8250 100644
+--- a/arch/x86/platform/efi/efi_32.c
++++ b/arch/x86/platform/efi/efi_32.c
+@@ -38,6 +38,11 @@
+ * say 0 - 3G.
+ */
+
++int __init efi_alloc_page_tables(void)
++{
++ return 0;
++}
++
+ void efi_sync_low_kernel_mappings(void) {}
+ void __init efi_dump_pagetable(void) {}
+ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
+diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
+index a0ac0f9c307f..18dfaad71c99 100644
+--- a/arch/x86/platform/efi/efi_64.c
++++ b/arch/x86/platform/efi/efi_64.c
+@@ -40,6 +40,7 @@
+ #include <asm/fixmap.h>
+ #include <asm/realmode.h>
+ #include <asm/time.h>
++#include <asm/pgalloc.h>
+
+ /*
+ * We allocate runtime services regions bottom-up, starting from -4G, i.e.
+@@ -47,16 +48,7 @@
+ */
+ static u64 efi_va = EFI_VA_START;
+
+-/*
+- * Scratch space used for switching the pagetable in the EFI stub
+- */
+-struct efi_scratch {
+- u64 r15;
+- u64 prev_cr3;
+- pgd_t *efi_pgt;
+- bool use_pgd;
+- u64 phys_stack;
+-} __packed;
++struct efi_scratch efi_scratch;
+
+ static void __init early_code_mapping_set_exec(int executable)
+ {
+@@ -83,8 +75,11 @@ pgd_t * __init efi_call_phys_prolog(void)
+ int pgd;
+ int n_pgds;
+
+- if (!efi_enabled(EFI_OLD_MEMMAP))
+- return NULL;
++ if (!efi_enabled(EFI_OLD_MEMMAP)) {
++ save_pgd = (pgd_t *)read_cr3();
++ write_cr3((unsigned long)efi_scratch.efi_pgt);
++ goto out;
++ }
+
+ early_code_mapping_set_exec(1);
+
+@@ -96,6 +91,7 @@ pgd_t * __init efi_call_phys_prolog(void)
+ vaddress = (unsigned long)__va(pgd * PGDIR_SIZE);
+ set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress));
+ }
++out:
+ __flush_tlb_all();
+
+ return save_pgd;
+@@ -109,8 +105,11 @@ void __init efi_call_phys_epilog(pgd_t *save_pgd)
+ int pgd_idx;
+ int nr_pgds;
+
+- if (!save_pgd)
++ if (!efi_enabled(EFI_OLD_MEMMAP)) {
++ write_cr3((unsigned long)save_pgd);
++ __flush_tlb_all();
+ return;
++ }
+
+ nr_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT) , PGDIR_SIZE);
+
+@@ -123,27 +122,97 @@ void __init efi_call_phys_epilog(pgd_t *save_pgd)
+ early_code_mapping_set_exec(0);
+ }
+
++static pgd_t *efi_pgd;
++
++/*
++ * We need our own copy of the higher levels of the page tables
++ * because we want to avoid inserting EFI region mappings (EFI_VA_END
++ * to EFI_VA_START) into the standard kernel page tables. Everything
++ * else can be shared, see efi_sync_low_kernel_mappings().
++ */
++int __init efi_alloc_page_tables(void)
++{
++ pgd_t *pgd;
++ pud_t *pud;
++ gfp_t gfp_mask;
++
++ if (efi_enabled(EFI_OLD_MEMMAP))
++ return 0;
++
++ gfp_mask = GFP_KERNEL | __GFP_NOTRACK | __GFP_REPEAT | __GFP_ZERO;
++ efi_pgd = (pgd_t *)__get_free_page(gfp_mask);
++ if (!efi_pgd)
++ return -ENOMEM;
++
++ pgd = efi_pgd + pgd_index(EFI_VA_END);
++
++ pud = pud_alloc_one(NULL, 0);
++ if (!pud) {
++ free_page((unsigned long)efi_pgd);
++ return -ENOMEM;
++ }
++
++ pgd_populate(NULL, pgd, pud);
++
++ return 0;
++}
++
+ /*
+ * Add low kernel mappings for passing arguments to EFI functions.
+ */
+ void efi_sync_low_kernel_mappings(void)
+ {
+- unsigned num_pgds;
+- pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd);
++ unsigned num_entries;
++ pgd_t *pgd_k, *pgd_efi;
++ pud_t *pud_k, *pud_efi;
+
+ if (efi_enabled(EFI_OLD_MEMMAP))
+ return;
+
+- num_pgds = pgd_index(MODULES_END - 1) - pgd_index(PAGE_OFFSET);
++ /*
++ * We can share all PGD entries apart from the one entry that
++ * covers the EFI runtime mapping space.
++ *
++ * Make sure the EFI runtime region mappings are guaranteed to
++ * only span a single PGD entry and that the entry also maps
++ * other important kernel regions.
++ */
++ BUILD_BUG_ON(pgd_index(EFI_VA_END) != pgd_index(MODULES_END));
++ BUILD_BUG_ON((EFI_VA_START & PGDIR_MASK) !=
++ (EFI_VA_END & PGDIR_MASK));
++
++ pgd_efi = efi_pgd + pgd_index(PAGE_OFFSET);
++ pgd_k = pgd_offset_k(PAGE_OFFSET);
+
+- memcpy(pgd + pgd_index(PAGE_OFFSET),
+- init_mm.pgd + pgd_index(PAGE_OFFSET),
+- sizeof(pgd_t) * num_pgds);
++ num_entries = pgd_index(EFI_VA_END) - pgd_index(PAGE_OFFSET);
++ memcpy(pgd_efi, pgd_k, sizeof(pgd_t) * num_entries);
++
++ /*
++ * We share all the PUD entries apart from those that map the
++ * EFI regions. Copy around them.
++ */
++ BUILD_BUG_ON((EFI_VA_START & ~PUD_MASK) != 0);
++ BUILD_BUG_ON((EFI_VA_END & ~PUD_MASK) != 0);
++
++ pgd_efi = efi_pgd + pgd_index(EFI_VA_END);
++ pud_efi = pud_offset(pgd_efi, 0);
++
++ pgd_k = pgd_offset_k(EFI_VA_END);
++ pud_k = pud_offset(pgd_k, 0);
++
++ num_entries = pud_index(EFI_VA_END);
++ memcpy(pud_efi, pud_k, sizeof(pud_t) * num_entries);
++
++ pud_efi = pud_offset(pgd_efi, EFI_VA_START);
++ pud_k = pud_offset(pgd_k, EFI_VA_START);
++
++ num_entries = PTRS_PER_PUD - pud_index(EFI_VA_START);
++ memcpy(pud_efi, pud_k, sizeof(pud_t) * num_entries);
+ }
+
+ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
+ {
+- unsigned long text;
++ unsigned long pfn, text;
+ struct page *page;
+ unsigned npages;
+ pgd_t *pgd;
+@@ -151,8 +220,8 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
+ if (efi_enabled(EFI_OLD_MEMMAP))
+ return 0;
+
+- efi_scratch.efi_pgt = (pgd_t *)(unsigned long)real_mode_header->trampoline_pgd;
+- pgd = __va(efi_scratch.efi_pgt);
++ efi_scratch.efi_pgt = (pgd_t *)__pa(efi_pgd);
++ pgd = efi_pgd;
+
+ /*
+ * It can happen that the physical address of new_memmap lands in memory
+@@ -160,7 +229,8 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
+ * and ident-map those pages containing the map before calling
+ * phys_efi_set_virtual_address_map().
+ */
+- if (kernel_map_pages_in_pgd(pgd, pa_memmap, pa_memmap, num_pages, _PAGE_NX)) {
++ pfn = pa_memmap >> PAGE_SHIFT;
++ if (kernel_map_pages_in_pgd(pgd, pfn, pa_memmap, num_pages, _PAGE_NX)) {
+ pr_err("Error ident-mapping new memmap (0x%lx)!\n", pa_memmap);
+ return 1;
+ }
+@@ -185,8 +255,9 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
+
+ npages = (_end - _text) >> PAGE_SHIFT;
+ text = __pa(_text);
++ pfn = text >> PAGE_SHIFT;
+
+- if (kernel_map_pages_in_pgd(pgd, text >> PAGE_SHIFT, text, npages, 0)) {
++ if (kernel_map_pages_in_pgd(pgd, pfn, text, npages, 0)) {
+ pr_err("Failed to map kernel text 1:1\n");
+ return 1;
+ }
+@@ -196,20 +267,20 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
+
+ void __init efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages)
+ {
+- pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd);
+-
+- kernel_unmap_pages_in_pgd(pgd, pa_memmap, num_pages);
++ kernel_unmap_pages_in_pgd(efi_pgd, pa_memmap, num_pages);
+ }
+
+ static void __init __map_region(efi_memory_desc_t *md, u64 va)
+ {
+- pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd);
+- unsigned long pf = 0;
++ unsigned long flags = 0;
++ unsigned long pfn;
++ pgd_t *pgd = efi_pgd;
+
+ if (!(md->attribute & EFI_MEMORY_WB))
+- pf |= _PAGE_PCD;
++ flags |= _PAGE_PCD;
+
+- if (kernel_map_pages_in_pgd(pgd, md->phys_addr, va, md->num_pages, pf))
++ pfn = md->phys_addr >> PAGE_SHIFT;
++ if (kernel_map_pages_in_pgd(pgd, pfn, va, md->num_pages, flags))
+ pr_warn("Error mapping PA 0x%llx -> VA 0x%llx!\n",
+ md->phys_addr, va);
+ }
+@@ -312,9 +383,7 @@ void __init efi_runtime_mkexec(void)
+ void __init efi_dump_pagetable(void)
+ {
+ #ifdef CONFIG_EFI_PGT_DUMP
+- pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd);
+-
+- ptdump_walk_pgd_level(NULL, pgd);
++ ptdump_walk_pgd_level(NULL, efi_pgd);
+ #endif
+ }
+
+diff --git a/arch/x86/platform/efi/efi_stub_64.S b/arch/x86/platform/efi/efi_stub_64.S
+index 86d0f9e08dd9..32020cb8bb08 100644
+--- a/arch/x86/platform/efi/efi_stub_64.S
++++ b/arch/x86/platform/efi/efi_stub_64.S
+@@ -38,41 +38,6 @@
+ mov %rsi, %cr0; \
+ mov (%rsp), %rsp
+
+- /* stolen from gcc */
+- .macro FLUSH_TLB_ALL
+- movq %r15, efi_scratch(%rip)
+- movq %r14, efi_scratch+8(%rip)
+- movq %cr4, %r15
+- movq %r15, %r14
+- andb $0x7f, %r14b
+- movq %r14, %cr4
+- movq %r15, %cr4
+- movq efi_scratch+8(%rip), %r14
+- movq efi_scratch(%rip), %r15
+- .endm
+-
+- .macro SWITCH_PGT
+- cmpb $0, efi_scratch+24(%rip)
+- je 1f
+- movq %r15, efi_scratch(%rip) # r15
+- # save previous CR3
+- movq %cr3, %r15
+- movq %r15, efi_scratch+8(%rip) # prev_cr3
+- movq efi_scratch+16(%rip), %r15 # EFI pgt
+- movq %r15, %cr3
+- 1:
+- .endm
+-
+- .macro RESTORE_PGT
+- cmpb $0, efi_scratch+24(%rip)
+- je 2f
+- movq efi_scratch+8(%rip), %r15
+- movq %r15, %cr3
+- movq efi_scratch(%rip), %r15
+- FLUSH_TLB_ALL
+- 2:
+- .endm
+-
+ ENTRY(efi_call)
+ SAVE_XMM
+ mov (%rsp), %rax
+@@ -83,16 +48,8 @@ ENTRY(efi_call)
+ mov %r8, %r9
+ mov %rcx, %r8
+ mov %rsi, %rcx
+- SWITCH_PGT
+ call *%rdi
+- RESTORE_PGT
+ addq $48, %rsp
+ RESTORE_XMM
+ ret
+ ENDPROC(efi_call)
+-
+- .data
+-ENTRY(efi_scratch)
+- .fill 3,8,0
+- .byte 0
+- .quad 0
+diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
+index 5ab6fa9cfc2f..5e8c07abf2e7 100644
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -2237,8 +2237,8 @@ static void ata_eh_link_autopsy(struct ata_link *link)
+ if (dev->flags & ATA_DFLAG_DUBIOUS_XFER)
+ eflags |= ATA_EFLAG_DUBIOUS_XFER;
+ ehc->i.action |= ata_eh_speed_down(dev, eflags, all_err_mask);
++ trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask);
+ }
+- trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask);
+ DPRINTK("EXIT\n");
+ }
+
+diff --git a/drivers/clk/ti/clk-dra7-atl.c b/drivers/clk/ti/clk-dra7-atl.c
+index 0a1df821860f..6fe6e08479e6 100644
+--- a/drivers/clk/ti/clk-dra7-atl.c
++++ b/drivers/clk/ti/clk-dra7-atl.c
+@@ -264,7 +264,7 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+
+ /* Get configuration for the ATL instances */
+ snprintf(prop, sizeof(prop), "atl%u", i);
+- cfg_node = of_find_node_by_name(node, prop);
++ cfg_node = of_get_child_by_name(node, prop);
+ if (cfg_node) {
+ ret = of_property_read_u32(cfg_node, "bws",
+ &cdesc->bws);
+@@ -277,6 +277,7 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+ atl_write(cinfo, DRA7_ATL_AWSMUX_REG(i),
+ cdesc->aws);
+ }
++ of_node_put(cfg_node);
+ }
+
+ cdesc->probed = true;
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index 1f2c86d81176..91231143d991 100644
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -237,38 +237,6 @@ err_put:
+ subsys_initcall(efisubsys_init);
+
+
+-/*
+- * We can't ioremap data in EFI boot services RAM, because we've already mapped
+- * it as RAM. So, look it up in the existing EFI memory map instead. Only
+- * callable after efi_enter_virtual_mode and before efi_free_boot_services.
+- */
+-void __iomem *efi_lookup_mapped_addr(u64 phys_addr)
+-{
+- struct efi_memory_map *map;
+- void *p;
+- map = efi.memmap;
+- if (!map)
+- return NULL;
+- if (WARN_ON(!map->map))
+- return NULL;
+- for (p = map->map; p < map->map_end; p += map->desc_size) {
+- efi_memory_desc_t *md = p;
+- u64 size = md->num_pages << EFI_PAGE_SHIFT;
+- u64 end = md->phys_addr + size;
+- if (!(md->attribute & EFI_MEMORY_RUNTIME) &&
+- md->type != EFI_BOOT_SERVICES_CODE &&
+- md->type != EFI_BOOT_SERVICES_DATA)
+- continue;
+- if (!md->virt_addr)
+- continue;
+- if (phys_addr >= md->phys_addr && phys_addr < end) {
+- phys_addr += md->virt_addr - md->phys_addr;
+- return (__force void __iomem *)(unsigned long)phys_addr;
+- }
+- }
+- return NULL;
+-}
+-
+ static __initdata efi_config_table_type_t common_tables[] = {
+ {ACPI_20_TABLE_GUID, "ACPI 2.0", &efi.acpi20},
+ {ACPI_TABLE_GUID, "ACPI", &efi.acpi},
+diff --git a/drivers/gpu/drm/armada/Makefile b/drivers/gpu/drm/armada/Makefile
+index d6f43e06150a..c9c619727806 100644
+--- a/drivers/gpu/drm/armada/Makefile
++++ b/drivers/gpu/drm/armada/Makefile
+@@ -5,3 +5,5 @@ armada-y += armada_510.o
+ armada-$(CONFIG_DEBUG_FS) += armada_debugfs.o
+
+ obj-$(CONFIG_DRM_ARMADA) := armada.o
++
++CFLAGS_armada_trace.o := -I$(src)
+diff --git a/drivers/gpu/drm/i915/intel_i2c.c b/drivers/gpu/drm/i915/intel_i2c.c
+index ae628001fd97..b4891066a369 100644
+--- a/drivers/gpu/drm/i915/intel_i2c.c
++++ b/drivers/gpu/drm/i915/intel_i2c.c
+@@ -394,7 +394,9 @@ static bool
+ gmbus_is_index_read(struct i2c_msg *msgs, int i, int num)
+ {
+ return (i + 1 < num &&
+- !(msgs[i].flags & I2C_M_RD) && msgs[i].len <= 2 &&
++ msgs[i].addr == msgs[i + 1].addr &&
++ !(msgs[i].flags & I2C_M_RD) &&
++ (msgs[i].len == 1 || msgs[i].len == 2) &&
+ (msgs[i + 1].flags & I2C_M_RD));
+ }
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index 30904a9b2a4c..91848659b38e 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -352,6 +352,7 @@ static int panel_simple_remove(struct device *dev)
+ drm_panel_remove(&panel->base);
+
+ panel_simple_disable(&panel->base);
++ panel_simple_unprepare(&panel->base);
+
+ if (panel->ddc)
+ put_device(&panel->ddc->dev);
+@@ -367,6 +368,7 @@ static void panel_simple_shutdown(struct device *dev)
+ struct panel_simple *panel = dev_get_drvdata(dev);
+
+ panel_simple_disable(&panel->base);
++ panel_simple_unprepare(&panel->base);
+ }
+
+ static const struct drm_display_mode ampire_am800480r3tmqwa1h_mode = {
+diff --git a/drivers/iio/light/cm3232.c b/drivers/iio/light/cm3232.c
+index 39c8d99cc48e..02107ccf57a1 100644
+--- a/drivers/iio/light/cm3232.c
++++ b/drivers/iio/light/cm3232.c
+@@ -119,7 +119,7 @@ static int cm3232_reg_init(struct cm3232_chip *chip)
+ if (ret < 0)
+ dev_err(&chip->client->dev, "Error writing reg_cmd\n");
+
+- return 0;
++ return ret;
+ }
+
+ /**
+diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
+index b60fde9d9878..18e688d68e66 100644
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -670,12 +670,19 @@ static void srp_path_rec_completion(int status,
+ static int srp_lookup_path(struct srp_rdma_ch *ch)
+ {
+ struct srp_target_port *target = ch->target;
+- int ret;
++ int ret = -ENODEV;
+
+ ch->path.numb_path = 1;
+
+ init_completion(&ch->done);
+
++ /*
++ * Avoid that the SCSI host can be removed by srp_remove_target()
++ * before srp_path_rec_completion() is called.
++ */
++ if (!scsi_host_get(target->scsi_host))
++ goto out;
++
+ ch->path_query_id = ib_sa_path_rec_get(&srp_sa_client,
+ target->srp_host->srp_dev->dev,
+ target->srp_host->port,
+@@ -689,18 +696,24 @@ static int srp_lookup_path(struct srp_rdma_ch *ch)
+ GFP_KERNEL,
+ srp_path_rec_completion,
+ ch, &ch->path_query);
+- if (ch->path_query_id < 0)
+- return ch->path_query_id;
++ ret = ch->path_query_id;
++ if (ret < 0)
++ goto put;
+
+ ret = wait_for_completion_interruptible(&ch->done);
+ if (ret < 0)
+- return ret;
++ goto put;
+
+- if (ch->status < 0)
++ ret = ch->status;
++ if (ret < 0)
+ shost_printk(KERN_WARNING, target->scsi_host,
+ PFX "Path record query failed\n");
+
+- return ch->status;
++put:
++ scsi_host_put(target->scsi_host);
++
++out:
++ return ret;
+ }
+
+ static int srp_send_req(struct srp_rdma_ch *ch, bool multich)
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
+index 27e5b0090e40..416cd07ab87a 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -3516,7 +3516,7 @@ static int srpt_parse_i_port_id(u8 i_port_id[16], const char *name)
+ {
+ const char *p;
+ unsigned len, count, leading_zero_bytes;
+- int ret, rc;
++ int ret;
+
+ p = name;
+ if (strncasecmp(p, "0x", 2) == 0)
+@@ -3528,10 +3528,9 @@ static int srpt_parse_i_port_id(u8 i_port_id[16], const char *name)
+ count = min(len / 2, 16U);
+ leading_zero_bytes = 16 - count;
+ memset(i_port_id, 0, leading_zero_bytes);
+- rc = hex2bin(i_port_id + leading_zero_bytes, p, count);
+- if (rc < 0)
+- pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", rc);
+- ret = 0;
++ ret = hex2bin(i_port_id + leading_zero_bytes, p, count);
++ if (ret < 0)
++ pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", ret);
+ out:
+ return ret;
+ }
+diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c
+index 8eeab72b93e2..4d46f2ce606f 100644
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -406,7 +406,8 @@ long bch_bucket_alloc(struct cache *ca, unsigned reserve, bool wait)
+
+ finish_wait(&ca->set->bucket_wait, &w);
+ out:
+- wake_up_process(ca->alloc_thread);
++ if (ca->alloc_thread)
++ wake_up_process(ca->alloc_thread);
+
+ trace_bcache_alloc(ca, reserve);
+
+@@ -478,7 +479,7 @@ int __bch_bucket_alloc_set(struct cache_set *c, unsigned reserve,
+ if (b == -1)
+ goto err;
+
+- k->ptr[i] = PTR(ca->buckets[b].gen,
++ k->ptr[i] = MAKE_PTR(ca->buckets[b].gen,
+ bucket_to_sector(c, b),
+ ca->sb.nr_this_dev);
+
+diff --git a/drivers/md/bcache/extents.c b/drivers/md/bcache/extents.c
+index 243de0bf15cd..4bf15182c4da 100644
+--- a/drivers/md/bcache/extents.c
++++ b/drivers/md/bcache/extents.c
+@@ -584,7 +584,7 @@ static bool bch_extent_merge(struct btree_keys *bk, struct bkey *l, struct bkey
+ return false;
+
+ for (i = 0; i < KEY_PTRS(l); i++)
+- if (l->ptr[i] + PTR(0, KEY_SIZE(l), 0) != r->ptr[i] ||
++ if (l->ptr[i] + MAKE_PTR(0, KEY_SIZE(l), 0) != r->ptr[i] ||
+ PTR_BUCKET_NR(b->c, l, i) != PTR_BUCKET_NR(b->c, r, i))
+ return false;
+
+diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
+index fe080ad0e558..6fb47a2a3d9d 100644
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -508,7 +508,7 @@ static void journal_reclaim(struct cache_set *c)
+ continue;
+
+ ja->cur_idx = next;
+- k->ptr[n++] = PTR(0,
++ k->ptr[n++] = MAKE_PTR(0,
+ bucket_to_sector(c, ca->sb.d[ja->cur_idx]),
+ ca->sb.nr_this_dev);
+ }
+diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
+index 4520bca6dc3f..51dc353f7962 100644
+--- a/drivers/md/dm-bufio.c
++++ b/drivers/md/dm-bufio.c
+@@ -922,7 +922,8 @@ static void __get_memory_limit(struct dm_bufio_client *c,
+ buffers = c->minimum_buffers;
+
+ *limit_buffers = buffers;
+- *threshold_buffers = buffers * DM_BUFIO_WRITEBACK_PERCENT / 100;
++ *threshold_buffers = mult_frac(buffers,
++ DM_BUFIO_WRITEBACK_PERCENT, 100);
+ }
+
+ /*
+@@ -1823,19 +1824,15 @@ static int __init dm_bufio_init(void)
+ memset(&dm_bufio_caches, 0, sizeof dm_bufio_caches);
+ memset(&dm_bufio_cache_names, 0, sizeof dm_bufio_cache_names);
+
+- mem = (__u64)((totalram_pages - totalhigh_pages) *
+- DM_BUFIO_MEMORY_PERCENT / 100) << PAGE_SHIFT;
++ mem = (__u64)mult_frac(totalram_pages - totalhigh_pages,
++ DM_BUFIO_MEMORY_PERCENT, 100) << PAGE_SHIFT;
+
+ if (mem > ULONG_MAX)
+ mem = ULONG_MAX;
+
+ #ifdef CONFIG_MMU
+- /*
+- * Get the size of vmalloc space the same way as VMALLOC_TOTAL
+- * in fs/proc/internal.h
+- */
+- if (mem > (VMALLOC_END - VMALLOC_START) * DM_BUFIO_VMALLOC_PERCENT / 100)
+- mem = (VMALLOC_END - VMALLOC_START) * DM_BUFIO_VMALLOC_PERCENT / 100;
++ if (mem > mult_frac(VMALLOC_TOTAL, DM_BUFIO_VMALLOC_PERCENT, 100))
++ mem = mult_frac(VMALLOC_TOTAL, DM_BUFIO_VMALLOC_PERCENT, 100);
+ #endif
+
+ dm_bufio_default_cache_size = mem;
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 87de9a0848b7..d192ab2ed17c 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -3516,11 +3516,15 @@ struct mapped_device *dm_get_from_kobject(struct kobject *kobj)
+
+ md = container_of(kobj, struct mapped_device, kobj_holder.kobj);
+
+- if (test_bit(DMF_FREEING, &md->flags) ||
+- dm_deleting_md(md))
+- return NULL;
+-
++ spin_lock(&_minor_lock);
++ if (test_bit(DMF_FREEING, &md->flags) || dm_deleting_md(md)) {
++ md = NULL;
++ goto out;
++ }
+ dm_get(md);
++out:
++ spin_unlock(&_minor_lock);
++
+ return md;
+ }
+
+diff --git a/drivers/media/rc/ir-lirc-codec.c b/drivers/media/rc/ir-lirc-codec.c
+index 4795c31ceebc..d2c1b340cf67 100644
+--- a/drivers/media/rc/ir-lirc-codec.c
++++ b/drivers/media/rc/ir-lirc-codec.c
+@@ -289,11 +289,14 @@ static long ir_lirc_ioctl(struct file *filep, unsigned int cmd,
+ if (!dev->max_timeout)
+ return -ENOSYS;
+
++ /* Check for multiply overflow */
++ if (val > U32_MAX / 1000)
++ return -EINVAL;
++
+ tmp = val * 1000;
+
+- if (tmp < dev->min_timeout ||
+- tmp > dev->max_timeout)
+- return -EINVAL;
++ if (tmp < dev->min_timeout || tmp > dev->max_timeout)
++ return -EINVAL;
+
+ dev->timeout = tmp;
+ break;
+diff --git a/drivers/media/usb/as102/as102_fw.c b/drivers/media/usb/as102/as102_fw.c
+index 07d08c49f4d4..b2e16bb67572 100644
+--- a/drivers/media/usb/as102/as102_fw.c
++++ b/drivers/media/usb/as102/as102_fw.c
+@@ -101,18 +101,23 @@ static int as102_firmware_upload(struct as10x_bus_adapter_t *bus_adap,
+ unsigned char *cmd,
+ const struct firmware *firmware) {
+
+- struct as10x_fw_pkt_t fw_pkt;
++ struct as10x_fw_pkt_t *fw_pkt;
+ int total_read_bytes = 0, errno = 0;
+ unsigned char addr_has_changed = 0;
+
++ fw_pkt = kmalloc(sizeof(*fw_pkt), GFP_KERNEL);
++ if (!fw_pkt)
++ return -ENOMEM;
++
++
+ for (total_read_bytes = 0; total_read_bytes < firmware->size; ) {
+ int read_bytes = 0, data_len = 0;
+
+ /* parse intel hex line */
+ read_bytes = parse_hex_line(
+ (u8 *) (firmware->data + total_read_bytes),
+- fw_pkt.raw.address,
+- fw_pkt.raw.data,
++ fw_pkt->raw.address,
++ fw_pkt->raw.data,
+ &data_len,
+ &addr_has_changed);
+
+@@ -122,28 +127,28 @@ static int as102_firmware_upload(struct as10x_bus_adapter_t *bus_adap,
+ /* detect the end of file */
+ total_read_bytes += read_bytes;
+ if (total_read_bytes == firmware->size) {
+- fw_pkt.u.request[0] = 0x00;
+- fw_pkt.u.request[1] = 0x03;
++ fw_pkt->u.request[0] = 0x00;
++ fw_pkt->u.request[1] = 0x03;
+
+ /* send EOF command */
+ errno = bus_adap->ops->upload_fw_pkt(bus_adap,
+ (uint8_t *)
+- &fw_pkt, 2, 0);
++ fw_pkt, 2, 0);
+ if (errno < 0)
+ goto error;
+ } else {
+ if (!addr_has_changed) {
+ /* prepare command to send */
+- fw_pkt.u.request[0] = 0x00;
+- fw_pkt.u.request[1] = 0x01;
++ fw_pkt->u.request[0] = 0x00;
++ fw_pkt->u.request[1] = 0x01;
+
+- data_len += sizeof(fw_pkt.u.request);
+- data_len += sizeof(fw_pkt.raw.address);
++ data_len += sizeof(fw_pkt->u.request);
++ data_len += sizeof(fw_pkt->raw.address);
+
+ /* send cmd to device */
+ errno = bus_adap->ops->upload_fw_pkt(bus_adap,
+ (uint8_t *)
+- &fw_pkt,
++ fw_pkt,
+ data_len,
+ 0);
+ if (errno < 0)
+@@ -152,6 +157,7 @@ static int as102_firmware_upload(struct as10x_bus_adapter_t *bus_adap,
+ }
+ }
+ error:
++ kfree(fw_pkt);
+ return (errno == 0) ? total_read_bytes : errno;
+ }
+
+diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c
+index 3503fcef7b51..2b437d89d32c 100644
+--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
+@@ -1636,7 +1636,7 @@ static int cx231xx_usb_probe(struct usb_interface *interface,
+ nr = dev->devno;
+
+ assoc_desc = udev->actconfig->intf_assoc[0];
+- if (assoc_desc->bFirstInterface != ifnum) {
++ if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) {
+ dev_err(d, "Not found matching IAD interface\n");
+ retval = -ENODEV;
+ goto err_if;
+diff --git a/drivers/media/v4l2-core/v4l2-ctrls.c b/drivers/media/v4l2-core/v4l2-ctrls.c
+index e3a3468002e6..a8423943ffe4 100644
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -1198,6 +1198,16 @@ void v4l2_ctrl_fill(u32 id, const char **name, enum v4l2_ctrl_type *type,
+ }
+ EXPORT_SYMBOL(v4l2_ctrl_fill);
+
++static u32 user_flags(const struct v4l2_ctrl *ctrl)
++{
++ u32 flags = ctrl->flags;
++
++ if (ctrl->is_ptr)
++ flags |= V4L2_CTRL_FLAG_HAS_PAYLOAD;
++
++ return flags;
++}
++
+ static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 changes)
+ {
+ memset(ev->reserved, 0, sizeof(ev->reserved));
+@@ -1205,7 +1215,7 @@ static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 change
+ ev->id = ctrl->id;
+ ev->u.ctrl.changes = changes;
+ ev->u.ctrl.type = ctrl->type;
+- ev->u.ctrl.flags = ctrl->flags;
++ ev->u.ctrl.flags = user_flags(ctrl);
+ if (ctrl->is_ptr)
+ ev->u.ctrl.value64 = 0;
+ else
+@@ -2549,10 +2559,8 @@ int v4l2_query_ext_ctrl(struct v4l2_ctrl_handler *hdl, struct v4l2_query_ext_ctr
+ else
+ qc->id = ctrl->id;
+ strlcpy(qc->name, ctrl->name, sizeof(qc->name));
+- qc->flags = ctrl->flags;
++ qc->flags = user_flags(ctrl);
+ qc->type = ctrl->type;
+- if (ctrl->is_ptr)
+- qc->flags |= V4L2_CTRL_FLAG_HAS_PAYLOAD;
+ qc->elem_size = ctrl->elem_size;
+ qc->elems = ctrl->elems;
+ qc->nr_of_dims = ctrl->nr_of_dims;
+diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c
+index 2d3db81be099..b3b69f0e0dd7 100644
+--- a/drivers/misc/eeprom/at24.c
++++ b/drivers/misc/eeprom/at24.c
+@@ -275,6 +275,9 @@ static ssize_t at24_read(struct at24_data *at24,
+ if (unlikely(!count))
+ return count;
+
++ if (off + count > at24->chip.byte_len)
++ return -EINVAL;
++
+ /*
+ * Read data from chip, protecting against concurrent updates
+ * from this host, but not from other I2C masters.
+@@ -329,6 +332,9 @@ static ssize_t at24_eeprom_write(struct at24_data *at24, const char *buf,
+ unsigned long timeout, write_time;
+ unsigned next_page;
+
++ if (offset + count > at24->chip.byte_len)
++ return -EINVAL;
++
+ /* Get corresponding I2C address and adjust offset */
+ client = at24_translate_offset(at24, &offset);
+
+diff --git a/drivers/mmc/core/bus.c b/drivers/mmc/core/bus.c
+index 972ff844cf5a..cf7c7bc1e940 100644
+--- a/drivers/mmc/core/bus.c
++++ b/drivers/mmc/core/bus.c
+@@ -155,6 +155,9 @@ static int mmc_bus_suspend(struct device *dev)
+ return ret;
+
+ ret = host->bus_ops->suspend(host);
++ if (ret)
++ pm_generic_resume(dev);
++
+ return ret;
+ }
+
+diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
+index fa5cd51cba38..f84113fc7cb7 100644
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -2518,15 +2518,18 @@ static int panic_nand_write(struct mtd_info *mtd, loff_t to, size_t len,
+ size_t *retlen, const uint8_t *buf)
+ {
+ struct nand_chip *chip = mtd->priv;
++ int chipnr = (int)(to >> chip->chip_shift);
+ struct mtd_oob_ops ops;
+ int ret;
+
+- /* Wait for the device to get ready */
+- panic_nand_wait(mtd, chip, 400);
+-
+ /* Grab the device */
+ panic_nand_get_device(chip, mtd, FL_WRITING);
+
++ chip->select_chip(mtd, chipnr);
++
++ /* Wait for the device to get ready */
++ panic_nand_wait(mtd, chip, 400);
++
+ memset(&ops, 0, sizeof(ops));
+ ops.len = len;
+ ops.datbuf = (uint8_t *)buf;
+diff --git a/drivers/net/ethernet/3com/typhoon.c b/drivers/net/ethernet/3com/typhoon.c
+index 8f8418d2ac4a..a0012c3cb4f6 100644
+--- a/drivers/net/ethernet/3com/typhoon.c
++++ b/drivers/net/ethernet/3com/typhoon.c
+@@ -2366,9 +2366,9 @@ typhoon_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ * 4) Get the hardware address.
+ * 5) Put the card to sleep.
+ */
+- if (typhoon_reset(ioaddr, WaitSleep) < 0) {
++ err = typhoon_reset(ioaddr, WaitSleep);
++ if (err < 0) {
+ err_msg = "could not reset 3XP";
+- err = -EIO;
+ goto error_out_dma;
+ }
+
+@@ -2382,24 +2382,25 @@ typhoon_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ typhoon_init_interface(tp);
+ typhoon_init_rings(tp);
+
+- if(typhoon_boot_3XP(tp, TYPHOON_STATUS_WAITING_FOR_HOST) < 0) {
++ err = typhoon_boot_3XP(tp, TYPHOON_STATUS_WAITING_FOR_HOST);
++ if (err < 0) {
+ err_msg = "cannot boot 3XP sleep image";
+- err = -EIO;
+ goto error_out_reset;
+ }
+
+ INIT_COMMAND_WITH_RESPONSE(&xp_cmd, TYPHOON_CMD_READ_MAC_ADDRESS);
+- if(typhoon_issue_command(tp, 1, &xp_cmd, 1, xp_resp) < 0) {
++ err = typhoon_issue_command(tp, 1, &xp_cmd, 1, xp_resp);
++ if (err < 0) {
+ err_msg = "cannot read MAC address";
+- err = -EIO;
+ goto error_out_reset;
+ }
+
+ *(__be16 *)&dev->dev_addr[0] = htons(le16_to_cpu(xp_resp[0].parm1));
+ *(__be32 *)&dev->dev_addr[2] = htonl(le32_to_cpu(xp_resp[0].parm2));
+
+- if(!is_valid_ether_addr(dev->dev_addr)) {
++ if (!is_valid_ether_addr(dev->dev_addr)) {
+ err_msg = "Could not obtain valid ethernet address, aborting";
++ err = -EIO;
+ goto error_out_reset;
+ }
+
+@@ -2407,7 +2408,8 @@ typhoon_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ * later when we print out the version reported.
+ */
+ INIT_COMMAND_WITH_RESPONSE(&xp_cmd, TYPHOON_CMD_READ_VERSIONS);
+- if(typhoon_issue_command(tp, 1, &xp_cmd, 3, xp_resp) < 0) {
++ err = typhoon_issue_command(tp, 1, &xp_cmd, 3, xp_resp);
++ if (err < 0) {
+ err_msg = "Could not get Sleep Image version";
+ goto error_out_reset;
+ }
+@@ -2424,9 +2426,9 @@ typhoon_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if(xp_resp[0].numDesc != 0)
+ tp->capabilities |= TYPHOON_WAKEUP_NEEDS_RESET;
+
+- if(typhoon_sleep(tp, PCI_D3hot, 0) < 0) {
++ err = typhoon_sleep(tp, PCI_D3hot, 0);
++ if (err < 0) {
+ err_msg = "cannot put adapter to sleep";
+- err = -EIO;
+ goto error_out_reset;
+ }
+
+@@ -2449,7 +2451,8 @@ typhoon_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ dev->features = dev->hw_features |
+ NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_RXCSUM;
+
+- if(register_netdev(dev) < 0) {
++ err = register_netdev(dev);
++ if (err < 0) {
+ err_msg = "unable to register netdev";
+ goto error_out_reset;
+ }
+diff --git a/drivers/net/ethernet/intel/e1000e/mac.c b/drivers/net/ethernet/intel/e1000e/mac.c
+index 30b74d590bee..1c9cb53c25a3 100644
+--- a/drivers/net/ethernet/intel/e1000e/mac.c
++++ b/drivers/net/ethernet/intel/e1000e/mac.c
+@@ -410,6 +410,9 @@ void e1000e_clear_hw_cntrs_base(struct e1000_hw *hw)
+ * Checks to see of the link status of the hardware has changed. If a
+ * change in link status has been detected, then we read the PHY registers
+ * to get the current speed/duplex if link exists.
++ *
++ * Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
++ * up).
+ **/
+ s32 e1000e_check_for_copper_link(struct e1000_hw *hw)
+ {
+@@ -423,7 +426,7 @@ s32 e1000e_check_for_copper_link(struct e1000_hw *hw)
+ * Change or Rx Sequence Error interrupt.
+ */
+ if (!mac->get_link_status)
+- return 0;
++ return 1;
+
+ /* First we want to see if the MII Status Register reports
+ * link. If so, then we want to get the current speed/duplex
+@@ -461,10 +464,12 @@ s32 e1000e_check_for_copper_link(struct e1000_hw *hw)
+ * different link partner.
+ */
+ ret_val = e1000e_config_fc_after_link_up(hw);
+- if (ret_val)
++ if (ret_val) {
+ e_dbg("Error configuring flow control\n");
++ return ret_val;
++ }
+
+- return ret_val;
++ return 1;
+ }
+
+ /**
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index 68913d103542..39e9d7db23df 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -4866,7 +4866,7 @@ static bool e1000e_has_link(struct e1000_adapter *adapter)
+ case e1000_media_type_copper:
+ if (hw->mac.get_link_status) {
+ ret_val = hw->mac.ops.check_for_link(hw);
+- link_active = !hw->mac.get_link_status;
++ link_active = ret_val > 0;
+ } else {
+ link_active = true;
+ }
+@@ -4884,7 +4884,7 @@ static bool e1000e_has_link(struct e1000_adapter *adapter)
+ break;
+ }
+
+- if ((ret_val == E1000_ERR_PHY) && (hw->phy.type == e1000_phy_igp_3) &&
++ if ((ret_val == -E1000_ERR_PHY) && (hw->phy.type == e1000_phy_igp_3) &&
+ (er32(CTRL) & E1000_PHY_CTRL_GBE_DISABLE)) {
+ /* See e1000_kmrn_lock_loss_workaround_ich8lan() */
+ e_info("Gigabit has been disabled, downgrading speed\n");
+diff --git a/drivers/net/ethernet/intel/e1000e/phy.c b/drivers/net/ethernet/intel/e1000e/phy.c
+index b2005e13fb01..0963aa2d5e45 100644
+--- a/drivers/net/ethernet/intel/e1000e/phy.c
++++ b/drivers/net/ethernet/intel/e1000e/phy.c
+@@ -1744,6 +1744,7 @@ s32 e1000e_phy_has_link_generic(struct e1000_hw *hw, u32 iterations,
+ s32 ret_val = 0;
+ u16 i, phy_status;
+
++ *success = false;
+ for (i = 0; i < iterations; i++) {
+ /* Some PHYs require the MII_BMSR register to be read
+ * twice due to the link bit being sticky. No harm doing
+@@ -1763,16 +1764,16 @@ s32 e1000e_phy_has_link_generic(struct e1000_hw *hw, u32 iterations,
+ ret_val = e1e_rphy(hw, MII_BMSR, &phy_status);
+ if (ret_val)
+ break;
+- if (phy_status & BMSR_LSTATUS)
++ if (phy_status & BMSR_LSTATUS) {
++ *success = true;
+ break;
++ }
+ if (usec_interval >= 1000)
+ msleep(usec_interval / 1000);
+ else
+ udelay(usec_interval);
+ }
+
+- *success = (i < iterations);
+-
+ return ret_val;
+ }
+
+diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_main.c b/drivers/net/ethernet/intel/fm10k/fm10k_main.c
+index c9da1b5d4804..ae0b9300ab08 100644
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c
+@@ -1239,7 +1239,7 @@ static bool fm10k_clean_tx_irq(struct fm10k_q_vector *q_vector,
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* if DD is not set pending work has not been completed */
+ if (!(eop_desc->flags & FM10K_TXD_FLAG_DONE))
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 5b5bea159bd5..13e0cf90e567 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -3283,7 +3283,7 @@ static bool i40e_clean_fdir_tx_irq(struct i40e_ring *tx_ring, int budget)
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* if the descriptor isn't done, no work yet to do */
+ if (!(eop_desc->cmd_type_offset_bsz &
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+index 9d95042d5a0f..c1e8303062de 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -712,7 +712,7 @@ static bool i40e_clean_tx_irq(struct i40e_ring *tx_ring, int budget)
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* we have caught up to head, no work left to do */
+ if (tx_head == tx_desc)
+diff --git a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
+index 458fbb421090..1045ba3a554d 100644
+--- a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
+@@ -231,7 +231,7 @@ static bool i40e_clean_tx_irq(struct i40e_ring *tx_ring, int budget)
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* we have caught up to head, no work left to do */
+ if (tx_head == tx_desc)
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index b5a8a5e40870..34f15f56b2a1 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -6427,7 +6427,7 @@ static bool igb_clean_tx_irq(struct igb_q_vector *q_vector)
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* if DD is not set pending work has not been completed */
+ if (!(eop_desc->wb.status & cpu_to_le32(E1000_TXD_STAT_DD)))
+diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c
+index 95af14e139d7..70f8f743a416 100644
+--- a/drivers/net/ethernet/intel/igbvf/netdev.c
++++ b/drivers/net/ethernet/intel/igbvf/netdev.c
+@@ -808,7 +808,7 @@ static bool igbvf_clean_tx_irq(struct igbvf_ring *tx_ring)
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* if DD is not set pending work has not been completed */
+ if (!(eop_desc->wb.status & cpu_to_le32(E1000_TXD_STAT_DD)))
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 2462b3c5fa40..e9762d0079eb 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -1100,7 +1100,7 @@ static bool ixgbe_clean_tx_irq(struct ixgbe_q_vector *q_vector,
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* if DD is not set pending work has not been completed */
+ if (!(eop_desc->wb.status & cpu_to_le32(IXGBE_TXD_STAT_DD)))
+diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+index 1d7b00b038a2..80029560dd11 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+@@ -312,7 +312,7 @@ static bool ixgbevf_clean_tx_irq(struct ixgbevf_q_vector *q_vector,
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* if DD is not set pending work has not been completed */
+ if (!(eop_desc->wb.status & cpu_to_le32(IXGBE_TXD_STAT_DD)))
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 56e0a1de0c37..6757d9c63bf2 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -3118,7 +3118,8 @@ static int ath10k_mac_txpower_recalc(struct ath10k *ar)
+ lockdep_assert_held(&ar->conf_mutex);
+
+ list_for_each_entry(arvif, &ar->arvifs, list) {
+- WARN_ON(arvif->txpower < 0);
++ if (arvif->txpower <= 0)
++ continue;
+
+ if (txpower == -1)
+ txpower = arvif->txpower;
+@@ -3126,8 +3127,8 @@ static int ath10k_mac_txpower_recalc(struct ath10k *ar)
+ txpower = min(txpower, arvif->txpower);
+ }
+
+- if (WARN_ON(txpower == -1))
+- return -EINVAL;
++ if (txpower == -1)
++ return 0;
+
+ ret = ath10k_mac_txpower_setup(ar, txpower);
+ if (ret) {
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+index ee0c5f602e29..87638a6e7388 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -953,8 +953,10 @@ static int ath10k_wmi_tlv_op_pull_fw_stats(struct ath10k *ar,
+ struct ath10k_fw_stats_pdev *dst;
+
+ src = data;
+- if (data_len < sizeof(*src))
++ if (data_len < sizeof(*src)) {
++ kfree(tb);
+ return -EPROTO;
++ }
+
+ data += sizeof(*src);
+ data_len -= sizeof(*src);
+@@ -974,8 +976,10 @@ static int ath10k_wmi_tlv_op_pull_fw_stats(struct ath10k *ar,
+ struct ath10k_fw_stats_vdev *dst;
+
+ src = data;
+- if (data_len < sizeof(*src))
++ if (data_len < sizeof(*src)) {
++ kfree(tb);
+ return -EPROTO;
++ }
+
+ data += sizeof(*src);
+ data_len -= sizeof(*src);
+@@ -993,8 +997,10 @@ static int ath10k_wmi_tlv_op_pull_fw_stats(struct ath10k *ar,
+ struct ath10k_fw_stats_peer *dst;
+
+ src = data;
+- if (data_len < sizeof(*src))
++ if (data_len < sizeof(*src)) {
++ kfree(tb);
+ return -EPROTO;
++ }
+
+ data += sizeof(*src);
+ data_len -= sizeof(*src);
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 3c4e709cf9a1..5754d7b48c1f 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1319,8 +1319,16 @@ static void program_hpp_type0(struct pci_dev *dev, struct hpp_type0 *hpp)
+
+ static void program_hpp_type1(struct pci_dev *dev, struct hpp_type1 *hpp)
+ {
+- if (hpp)
+- dev_warn(&dev->dev, "PCI-X settings not supported\n");
++ int pos;
++
++ if (!hpp)
++ return;
++
++ pos = pci_find_capability(dev, PCI_CAP_ID_PCIX);
++ if (!pos)
++ return;
++
++ dev_warn(&dev->dev, "PCI-X settings not supported\n");
+ }
+
+ static void program_hpp_type2(struct pci_dev *dev, struct hpp_type2 *hpp)
+@@ -1331,6 +1339,9 @@ static void program_hpp_type2(struct pci_dev *dev, struct hpp_type2 *hpp)
+ if (!hpp)
+ return;
+
++ if (!pci_is_pcie(dev))
++ return;
++
+ if (hpp->revision > 1) {
+ dev_warn(&dev->dev, "PCIe settings rev %d not supported\n",
+ hpp->revision);
+diff --git a/drivers/staging/iio/cdc/ad7150.c b/drivers/staging/iio/cdc/ad7150.c
+index a2b7ae3329c0..9fe1d5793cee 100644
+--- a/drivers/staging/iio/cdc/ad7150.c
++++ b/drivers/staging/iio/cdc/ad7150.c
+@@ -275,7 +275,7 @@ static int ad7150_write_event_config(struct iio_dev *indio_dev,
+ error_ret:
+ mutex_unlock(&chip->state_lock);
+
+- return 0;
++ return ret;
+ }
+
+ static int ad7150_read_event_value(struct iio_dev *indio_dev,
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index 89d01943ca93..8df1ff3766c4 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1919,12 +1919,14 @@ attach:
+
+ if (!(hdr->opcode & ISCSI_OP_IMMEDIATE)) {
+ int cmdsn_ret = iscsit_sequence_cmd(conn, cmd, buf, hdr->cmdsn);
+- if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP)
++ if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP) {
+ out_of_order_cmdsn = 1;
+- else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP)
++ } else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP) {
++ target_put_sess_cmd(&cmd->se_cmd);
+ return 0;
+- else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER)
++ } else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER) {
+ return -1;
++ }
+ }
+ iscsit_ack_from_expstatsn(conn, be32_to_cpu(hdr->exp_statsn));
+
+diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
+index 2209040bff95..46ae8d258669 100644
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -862,6 +862,7 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_cmd *cmd, bool write,
+ struct scatterlist *sg, int sg_count)
+ {
+ size_t off = iter->iov_offset;
++ struct scatterlist *p = sg;
+ int i, ret;
+
+ for (i = 0; i < iter->nr_segs; i++) {
+@@ -870,8 +871,8 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_cmd *cmd, bool write,
+
+ ret = vhost_scsi_map_to_sgl(cmd, base, len, sg, write);
+ if (ret < 0) {
+- for (i = 0; i < sg_count; i++) {
+- struct page *page = sg_page(&sg[i]);
++ while (p < sg) {
++ struct page *page = sg_page(p++);
+ if (page)
+ put_page(page);
+ }
+diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
+index 0e0eb10f82a0..816a0e08ef10 100644
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsigned msg_type,
+ rc = -ENOMEM;
+ goto out;
+ }
+- } else if (msg_type == XS_TRANSACTION_END) {
++ } else if (u->u.msg.tx_id != 0) {
+ list_for_each_entry(trans, &u->transactions, list)
+ if (trans->handle.id == u->u.msg.tx_id)
+ break;
+diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
+index 99c3c4ffe1d9..2df79195652b 100644
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode *inode, void *data)
+
+ if (v9inode->qid.type != st->qid.type)
+ return 0;
++
++ if (v9inode->qid.path != st->qid.path)
++ return 0;
+ return 1;
+ }
+
+diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c
+index ce7ab92f7e84..095424bfab5e 100644
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct inode *inode, void *data)
+
+ if (v9inode->qid.type != st->qid.type)
+ return 0;
++
++ if (v9inode->qid.path != st->qid.path)
++ return 0;
+ return 1;
+ }
+
+diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
+index 35b755e79c2d..fe6e7050fe50 100644
+--- a/fs/autofs4/waitq.c
++++ b/fs/autofs4/waitq.c
+@@ -87,7 +87,8 @@ static int autofs4_write(struct autofs_sb_info *sbi,
+ spin_unlock_irqrestore(¤t->sighand->siglock, flags);
+ }
+
+- return (bytes > 0);
++ /* if 'wr' returned 0 (impossible) we assume -EIO (safe) */
++ return bytes == 0 ? 0 : wr < 0 ? wr : -EIO;
+ }
+
+ static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
+@@ -101,6 +102,7 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
+ } pkt;
+ struct file *pipe = NULL;
+ size_t pktsz;
++ int ret;
+
+ DPRINTK("wait id = 0x%08lx, name = %.*s, type=%d",
+ (unsigned long) wq->wait_queue_token, wq->name.len, wq->name.name, type);
+@@ -173,7 +175,18 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
+ mutex_unlock(&sbi->wq_mutex);
+
+ if (autofs4_write(sbi, pipe, &pkt, pktsz))
++ switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) {
++ case 0:
++ break;
++ case -ENOMEM:
++ case -ERESTARTSYS:
++ /* Just fail this one */
++ autofs4_wait_release(sbi, wq->wait_queue_token, ret);
++ break;
++ default:
+ autofs4_catatonic_mode(sbi);
++ break;
++ }
+ fput(pipe);
+ }
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 1d8b3f8c3654..0fd2354dfd0a 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -3260,13 +3260,6 @@ again:
+ goto again;
+ }
+
+- /* We've already setup this transaction, go ahead and exit */
+- if (block_group->cache_generation == trans->transid &&
+- i_size_read(inode)) {
+- dcs = BTRFS_DC_SETUP;
+- goto out_put;
+- }
+-
+ /*
+ * We want to set the generation to 0, that way if anything goes wrong
+ * from here on out we know not to trust this cache when we load up next
+@@ -3290,6 +3283,13 @@ again:
+ }
+ WARN_ON(ret);
+
++ /* We've already setup this transaction, go ahead and exit */
++ if (block_group->cache_generation == trans->transid &&
++ i_size_read(inode)) {
++ dcs = BTRFS_DC_SETUP;
++ goto out_put;
++ }
++
+ if (i_size_read(inode) > 0) {
+ ret = btrfs_check_trunc_cache_free_space(root,
+ &root->fs_info->global_block_rsv);
+diff --git a/fs/ecryptfs/messaging.c b/fs/ecryptfs/messaging.c
+index 286f10b0363b..4f457d5c4933 100644
+--- a/fs/ecryptfs/messaging.c
++++ b/fs/ecryptfs/messaging.c
+@@ -442,15 +442,16 @@ void ecryptfs_release_messaging(void)
+ }
+ if (ecryptfs_daemon_hash) {
+ struct ecryptfs_daemon *daemon;
++ struct hlist_node *n;
+ int i;
+
+ mutex_lock(&ecryptfs_daemon_hash_mux);
+ for (i = 0; i < (1 << ecryptfs_hash_bits); i++) {
+ int rc;
+
+- hlist_for_each_entry(daemon,
+- &ecryptfs_daemon_hash[i],
+- euid_chain) {
++ hlist_for_each_entry_safe(daemon, n,
++ &ecryptfs_daemon_hash[i],
++ euid_chain) {
+ rc = ecryptfs_exorcise_daemon(daemon);
+ if (rc)
+ printk(KERN_ERR "%s: Error whilst "
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index a3276bf9ac00..447d64e47c4c 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4795,7 +4795,8 @@ static long ext4_zero_range(struct file *file, loff_t offset,
+ }
+
+ if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+- offset + len > i_size_read(inode)) {
++ (offset + len > i_size_read(inode) ||
++ offset + len > EXT4_I(inode)->i_disksize)) {
+ new_size = offset + len;
+ ret = inode_newsize_ok(inode, new_size);
+ if (ret)
+@@ -4964,7 +4965,8 @@ long ext4_fallocate(struct file *file, int mode, loff_t offset, loff_t len)
+ }
+
+ if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+- offset + len > i_size_read(inode)) {
++ (offset + len > i_size_read(inode) ||
++ offset + len > EXT4_I(inode)->i_disksize)) {
+ new_size = offset + len;
+ ret = inode_newsize_ok(inode, new_size);
+ if (ret)
+diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h
+index 0ac4c1f73fbd..25177e6bd603 100644
+--- a/fs/isofs/isofs.h
++++ b/fs/isofs/isofs.h
+@@ -103,7 +103,7 @@ static inline unsigned int isonum_733(char *p)
+ /* Ignore bigendian datum due to broken mastering programs */
+ return get_unaligned_le32(p);
+ }
+-extern int iso_date(char *, int);
++extern int iso_date(u8 *, int);
+
+ struct inode; /* To make gcc happy */
+
+diff --git a/fs/isofs/rock.h b/fs/isofs/rock.h
+index ed09e2b08637..f835976ce033 100644
+--- a/fs/isofs/rock.h
++++ b/fs/isofs/rock.h
+@@ -65,7 +65,7 @@ struct RR_PL_s {
+ };
+
+ struct stamp {
+- char time[7];
++ __u8 time[7]; /* actually 6 unsigned, 1 signed */
+ } __attribute__ ((packed));
+
+ struct RR_TF_s {
+diff --git a/fs/isofs/util.c b/fs/isofs/util.c
+index 005a15cfd30a..37860fea364d 100644
+--- a/fs/isofs/util.c
++++ b/fs/isofs/util.c
+@@ -15,7 +15,7 @@
+ * to GMT. Thus we should always be correct.
+ */
+
+-int iso_date(char * p, int flag)
++int iso_date(u8 *p, int flag)
+ {
+ int year, month, day, hour, minute, second, tz;
+ int crtime;
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index 4227adce3e52..1484ae1907c6 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1279,7 +1279,7 @@ static int nfs_weak_revalidate(struct dentry *dentry, unsigned int flags)
+ return 0;
+ }
+
+- error = nfs_revalidate_inode(NFS_SERVER(inode), inode);
++ error = nfs_lookup_verify_inode(inode, flags);
+ dfprintk(LOOKUPCACHE, "NFS: %s: inode %lu is %s\n",
+ __func__, inode->i_ino, error ? "invalid" : "valid");
+ return !error;
+@@ -1439,6 +1439,7 @@ static int nfs4_lookup_revalidate(struct dentry *, unsigned int);
+
+ const struct dentry_operations nfs4_dentry_operations = {
+ .d_revalidate = nfs4_lookup_revalidate,
++ .d_weak_revalidate = nfs_weak_revalidate,
+ .d_delete = nfs_dentry_delete,
+ .d_iput = nfs_dentry_iput,
+ .d_automount = nfs_d_automount,
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index f06af7248be7..1ce18913762a 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -242,15 +242,12 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATTR4_WORD0_MAXFILESIZE
+ };
+
+ const u32 nfs4_fs_locations_bitmap[3] = {
+- FATTR4_WORD0_TYPE
+- | FATTR4_WORD0_CHANGE
++ FATTR4_WORD0_CHANGE
+ | FATTR4_WORD0_SIZE
+ | FATTR4_WORD0_FSID
+ | FATTR4_WORD0_FILEID
+ | FATTR4_WORD0_FS_LOCATIONS,
+- FATTR4_WORD1_MODE
+- | FATTR4_WORD1_NUMLINKS
+- | FATTR4_WORD1_OWNER
++ FATTR4_WORD1_OWNER
+ | FATTR4_WORD1_OWNER_GROUP
+ | FATTR4_WORD1_RAWDEV
+ | FATTR4_WORD1_SPACE_USED
+@@ -6212,9 +6209,7 @@ static int _nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir,
+ struct page *page)
+ {
+ struct nfs_server *server = NFS_SERVER(dir);
+- u32 bitmask[3] = {
+- [0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS,
+- };
++ u32 bitmask[3];
+ struct nfs4_fs_locations_arg args = {
+ .dir_fh = NFS_FH(dir),
+ .name = name,
+@@ -6233,12 +6228,15 @@ static int _nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir,
+
+ dprintk("%s: start\n", __func__);
+
++ bitmask[0] = nfs4_fattr_bitmap[0] | FATTR4_WORD0_FS_LOCATIONS;
++ bitmask[1] = nfs4_fattr_bitmap[1];
++
+ /* Ask for the fileid of the absent filesystem if mounted_on_fileid
+ * is not supported */
+ if (NFS_SERVER(dir)->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID)
+- bitmask[1] |= FATTR4_WORD1_MOUNTED_ON_FILEID;
++ bitmask[0] &= ~FATTR4_WORD0_FILEID;
+ else
+- bitmask[0] |= FATTR4_WORD0_FILEID;
++ bitmask[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID;
+
+ nfs_fattr_init(&fs_locations->fattr);
+ fs_locations->server = server;
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index f175b833b6ba..0ee31759ddde 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1319,7 +1319,7 @@ static int nfs_parse_mount_options(char *raw,
+ mnt->options |= NFS_OPTION_MIGRATION;
+ break;
+ case Opt_nomigration:
+- mnt->options &= NFS_OPTION_MIGRATION;
++ mnt->options &= ~NFS_OPTION_MIGRATION;
+ break;
+
+ /*
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 22e9799323ad..529434f926f1 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -3776,7 +3776,8 @@ static struct nfs4_delegation *find_deleg_stateid(struct nfs4_client *cl, statei
+ {
+ struct nfs4_stid *ret;
+
+- ret = find_stateid_by_type(cl, s, NFS4_DELEG_STID);
++ ret = find_stateid_by_type(cl, s,
++ NFS4_DELEG_STID|NFS4_REVOKED_DELEG_STID);
+ if (!ret)
+ return NULL;
+ return delegstateid(ret);
+@@ -3799,6 +3800,12 @@ nfs4_check_deleg(struct nfs4_client *cl, struct nfsd4_open *open,
+ deleg = find_deleg_stateid(cl, &open->op_delegate_stateid);
+ if (deleg == NULL)
+ goto out;
++ if (deleg->dl_stid.sc_type == NFS4_REVOKED_DELEG_STID) {
++ nfs4_put_stid(&deleg->dl_stid);
++ if (cl->cl_minorversion)
++ status = nfserr_deleg_revoked;
++ goto out;
++ }
+ flags = share_access_to_flags(open->op_share_access);
+ status = nfs4_check_delegmode(deleg, flags);
+ if (status) {
+@@ -4655,6 +4662,16 @@ nfsd4_lookup_stateid(struct nfsd4_compound_state *cstate,
+ struct nfs4_stid **s, struct nfsd_net *nn)
+ {
+ __be32 status;
++ bool return_revoked = false;
++
++ /*
++ * only return revoked delegations if explicitly asked.
++ * otherwise we report revoked or bad_stateid status.
++ */
++ if (typemask & NFS4_REVOKED_DELEG_STID)
++ return_revoked = true;
++ else if (typemask & NFS4_DELEG_STID)
++ typemask |= NFS4_REVOKED_DELEG_STID;
+
+ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
+ return nfserr_bad_stateid;
+@@ -4669,6 +4686,12 @@ nfsd4_lookup_stateid(struct nfsd4_compound_state *cstate,
+ *s = find_stateid_by_type(cstate->clp, stateid, typemask);
+ if (!*s)
+ return nfserr_bad_stateid;
++ if (((*s)->sc_type == NFS4_REVOKED_DELEG_STID) && !return_revoked) {
++ nfs4_put_stid(*s);
++ if (cstate->minorversion)
++ return nfserr_deleg_revoked;
++ return nfserr_bad_stateid;
++ }
+ return nfs_ok;
+ }
+
+diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c
+index c6abbad9b8e3..3cdd5cc80c11 100644
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -1883,8 +1883,6 @@ static int nilfs_segctor_collect_dirty_files(struct nilfs_sc_info *sci,
+ "failed to get inode block.\n");
+ return err;
+ }
+- mark_buffer_dirty(ibh);
+- nilfs_mdt_mark_dirty(ifile);
+ spin_lock(&nilfs->ns_inode_lock);
+ if (likely(!ii->i_bh))
+ ii->i_bh = ibh;
+@@ -1893,6 +1891,10 @@ static int nilfs_segctor_collect_dirty_files(struct nilfs_sc_info *sci,
+ goto retry;
+ }
+
++ // Always redirty the buffer to avoid race condition
++ mark_buffer_dirty(ii->i_bh);
++ nilfs_mdt_mark_dirty(ifile);
++
+ clear_bit(NILFS_I_QUEUED, &ii->i_state);
+ set_bit(NILFS_I_BUSY, &ii->i_state);
+ list_move_tail(&ii->i_dirty, &sci->sc_dirty_files);
+diff --git a/include/linux/netlink.h b/include/linux/netlink.h
+index 6835c1279df7..0a9f48df9c9e 100644
+--- a/include/linux/netlink.h
++++ b/include/linux/netlink.h
+@@ -120,6 +120,7 @@ netlink_skb_clone(struct sk_buff *skb, gfp_t gfp_mask)
+ struct netlink_callback {
+ struct sk_buff *skb;
+ const struct nlmsghdr *nlh;
++ int (*start)(struct netlink_callback *);
+ int (*dump)(struct sk_buff * skb,
+ struct netlink_callback *cb);
+ int (*done)(struct netlink_callback *cb);
+@@ -142,6 +143,7 @@ struct nlmsghdr *
+ __nlmsg_put(struct sk_buff *skb, u32 portid, u32 seq, int type, int len, int flags);
+
+ struct netlink_dump_control {
++ int (*start)(struct netlink_callback *);
+ int (*dump)(struct sk_buff *skb, struct netlink_callback *);
+ int (*done)(struct netlink_callback *);
+ void *data;
+diff --git a/include/net/genetlink.h b/include/net/genetlink.h
+index a9af1cc8c1bc..d76f2da89b5a 100644
+--- a/include/net/genetlink.h
++++ b/include/net/genetlink.h
+@@ -114,6 +114,7 @@ static inline void genl_info_net_set(struct genl_info *info, struct net *net)
+ * @flags: flags
+ * @policy: attribute validation policy
+ * @doit: standard command callback
++ * @start: start callback for dumps
+ * @dumpit: callback for dumpers
+ * @done: completion callback for dumps
+ * @ops_list: operations list
+@@ -122,6 +123,7 @@ struct genl_ops {
+ const struct nla_policy *policy;
+ int (*doit)(struct sk_buff *skb,
+ struct genl_info *info);
++ int (*start)(struct netlink_callback *cb);
+ int (*dumpit)(struct sk_buff *skb,
+ struct netlink_callback *cb);
+ int (*done)(struct netlink_callback *cb);
+diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h
+index 5664ca07c9c7..a01a076ea060 100644
+--- a/include/trace/events/sunrpc.h
++++ b/include/trace/events/sunrpc.h
+@@ -455,20 +455,22 @@ TRACE_EVENT(svc_recv,
+ TP_ARGS(rqst, status),
+
+ TP_STRUCT__entry(
+- __field(struct sockaddr *, addr)
+ __field(__be32, xid)
+ __field(int, status)
+ __field(unsigned long, flags)
++ __dynamic_array(unsigned char, addr, rqst->rq_addrlen)
+ ),
+
+ TP_fast_assign(
+- __entry->addr = (struct sockaddr *)&rqst->rq_addr;
+ __entry->xid = status > 0 ? rqst->rq_xid : 0;
+ __entry->status = status;
+ __entry->flags = rqst->rq_flags;
++ memcpy(__get_dynamic_array(addr),
++ &rqst->rq_addr, rqst->rq_addrlen);
+ ),
+
+- TP_printk("addr=%pIScp xid=0x%x status=%d flags=%s", __entry->addr,
++ TP_printk("addr=%pIScp xid=0x%x status=%d flags=%s",
++ (struct sockaddr *)__get_dynamic_array(addr),
+ be32_to_cpu(__entry->xid), __entry->status,
+ show_rqstp_flags(__entry->flags))
+ );
+@@ -480,22 +482,23 @@ DECLARE_EVENT_CLASS(svc_rqst_status,
+ TP_ARGS(rqst, status),
+
+ TP_STRUCT__entry(
+- __field(struct sockaddr *, addr)
+ __field(__be32, xid)
+- __field(int, dropme)
+ __field(int, status)
+ __field(unsigned long, flags)
++ __dynamic_array(unsigned char, addr, rqst->rq_addrlen)
+ ),
+
+ TP_fast_assign(
+- __entry->addr = (struct sockaddr *)&rqst->rq_addr;
+ __entry->xid = rqst->rq_xid;
+ __entry->status = status;
+ __entry->flags = rqst->rq_flags;
++ memcpy(__get_dynamic_array(addr),
++ &rqst->rq_addr, rqst->rq_addrlen);
+ ),
+
+ TP_printk("addr=%pIScp rq_xid=0x%x status=%d flags=%s",
+- __entry->addr, be32_to_cpu(__entry->xid),
++ (struct sockaddr *)__get_dynamic_array(addr),
++ be32_to_cpu(__entry->xid),
+ __entry->status, show_rqstp_flags(__entry->flags))
+ );
+
+diff --git a/include/uapi/linux/bcache.h b/include/uapi/linux/bcache.h
+index 22b6ad31c706..8562b1cb776b 100644
+--- a/include/uapi/linux/bcache.h
++++ b/include/uapi/linux/bcache.h
+@@ -90,7 +90,7 @@ PTR_FIELD(PTR_GEN, 0, 8)
+
+ #define PTR_CHECK_DEV ((1 << PTR_DEV_BITS) - 1)
+
+-#define PTR(gen, offset, dev) \
++#define MAKE_PTR(gen, offset, dev) \
+ ((((__u64) dev) << 51) | ((__u64) offset) << 8 | gen)
+
+ /* Bkey utility code */
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index f2f8ff54d2c0..8fbedeb5553f 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -577,8 +577,7 @@ void resched_cpu(int cpu)
+ struct rq *rq = cpu_rq(cpu);
+ unsigned long flags;
+
+- if (!raw_spin_trylock_irqsave(&rq->lock, flags))
+- return;
++ raw_spin_lock_irqsave(&rq->lock, flags);
+ resched_curr(rq);
+ raw_spin_unlock_irqrestore(&rq->lock, flags);
+ }
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index bdd6a8dd5797..4aa31c77cbab 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -1235,17 +1235,11 @@ struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
+ VM_BUG_ON_PAGE(!PageHead(page), page);
+ if (flags & FOLL_TOUCH) {
+ pmd_t _pmd;
+- /*
+- * We should set the dirty bit only for FOLL_WRITE but
+- * for now the dirty bit in the pmd is meaningless.
+- * And if the dirty bit will become meaningful and
+- * we'll only set it with FOLL_WRITE, an atomic
+- * set_bit will be required on the pmd to set the
+- * young bit, instead of the current set_pmd_at.
+- */
+- _pmd = pmd_mkyoung(pmd_mkdirty(*pmd));
++ _pmd = pmd_mkyoung(*pmd);
++ if (flags & FOLL_WRITE)
++ _pmd = pmd_mkdirty(_pmd);
+ if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,
+- pmd, _pmd, 1))
++ pmd, _pmd, flags & FOLL_WRITE))
+ update_mmu_cache_pmd(vma, addr, pmd);
+ }
+ if ((flags & FOLL_POPULATE) && (vma->vm_flags & VM_LOCKED)) {
+diff --git a/mm/madvise.c b/mm/madvise.c
+index d551475517bf..a9c866c9cc0e 100644
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -221,15 +221,14 @@ static long madvise_willneed(struct vm_area_struct *vma,
+ {
+ struct file *file = vma->vm_file;
+
++ *prev = vma;
+ #ifdef CONFIG_SWAP
+ if (!file) {
+- *prev = vma;
+ force_swapin_readahead(vma, start, end);
+ return 0;
+ }
+
+ if (shmem_mapping(file->f_mapping)) {
+- *prev = vma;
+ force_shm_swapin_readahead(vma, start, end,
+ file->f_mapping);
+ return 0;
+@@ -244,7 +243,6 @@ static long madvise_willneed(struct vm_area_struct *vma,
+ return 0;
+ }
+
+- *prev = vma;
+ start = ((start - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
+ if (end > vma->vm_end)
+ end = vma->vm_end;
+diff --git a/net/9p/client.c b/net/9p/client.c
+index fb4ac475311c..77b608dee691 100644
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -749,8 +749,7 @@ p9_client_rpc(struct p9_client *c, int8_t type, const char *fmt, ...)
+ }
+ again:
+ /* Wait for the response */
+- err = wait_event_interruptible(*req->wq,
+- req->status >= REQ_STATUS_RCVD);
++ err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD);
+
+ /*
+ * Make sure our req is coherent with regard to updates in other
+diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
+index 9dd49ca67dbc..202923a36677 100644
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -290,8 +290,8 @@ req_retry:
+ if (err == -ENOSPC) {
+ chan->ring_bufs_avail = 0;
+ spin_unlock_irqrestore(&chan->lock, flags);
+- err = wait_event_interruptible(*chan->vc_wq,
+- chan->ring_bufs_avail);
++ err = wait_event_killable(*chan->vc_wq,
++ chan->ring_bufs_avail);
+ if (err == -ERESTARTSYS)
+ return err;
+
+@@ -331,7 +331,7 @@ static int p9_get_mapped_pages(struct virtio_chan *chan,
+ * Other zc request to finish here
+ */
+ if (atomic_read(&vp_pinned) >= chan->p9_max_pages) {
+- err = wait_event_interruptible(vp_wq,
++ err = wait_event_killable(vp_wq,
+ (atomic_read(&vp_pinned) < chan->p9_max_pages));
+ if (err == -ERESTARTSYS)
+ return err;
+@@ -475,8 +475,8 @@ req_retry_pinned:
+ if (err == -ENOSPC) {
+ chan->ring_bufs_avail = 0;
+ spin_unlock_irqrestore(&chan->lock, flags);
+- err = wait_event_interruptible(*chan->vc_wq,
+- chan->ring_bufs_avail);
++ err = wait_event_killable(*chan->vc_wq,
++ chan->ring_bufs_avail);
+ if (err == -ERESTARTSYS)
+ goto err_out;
+
+@@ -493,8 +493,7 @@ req_retry_pinned:
+ virtqueue_kick(chan->vq);
+ spin_unlock_irqrestore(&chan->lock, flags);
+ p9_debug(P9_DEBUG_TRANS, "virtio request kicked\n");
+- err = wait_event_interruptible(*req->wq,
+- req->status >= REQ_STATUS_RCVD);
++ err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD);
+ /*
+ * Non kernel buffers are pinned, unpin them
+ */
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 897f5941d86b..135fe458bfac 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3056,7 +3056,11 @@ static int ip6_route_dev_notify(struct notifier_block *this,
+ net->ipv6.ip6_blk_hole_entry->dst.dev = dev;
+ net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev);
+ #endif
+- } else if (event == NETDEV_UNREGISTER) {
++ } else if (event == NETDEV_UNREGISTER &&
++ dev->reg_state != NETREG_UNREGISTERED) {
++ /* NETDEV_UNREGISTER could be fired for multiple times by
++ * netdev_wait_allrefs(). Make sure we only call this once.
++ */
+ in6_dev_put(net->ipv6.ip6_null_entry->rt6i_idev);
+ #ifdef CONFIG_IPV6_MULTIPLE_TABLES
+ in6_dev_put(net->ipv6.ip6_prohibit_entry->rt6i_idev);
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index cdf8609a6240..d0f2ce65e474 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -690,7 +690,6 @@ struct ieee80211_if_mesh {
+ const struct ieee80211_mesh_sync_ops *sync_ops;
+ s64 sync_offset_clockdrift_max;
+ spinlock_t sync_offset_lock;
+- bool adjusting_tbtt;
+ /* mesh power save */
+ enum nl80211_mesh_power_mode nonpeer_pm;
+ int ps_peers_light_sleep;
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index c5af4e3d4497..48257f17688f 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -289,8 +289,6 @@ int mesh_add_meshconf_ie(struct ieee80211_sub_if_data *sdata,
+ /* Mesh PS mode. See IEEE802.11-2012 8.4.2.100.8 */
+ *pos |= ifmsh->ps_peers_deep_sleep ?
+ IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL : 0x00;
+- *pos++ |= ifmsh->adjusting_tbtt ?
+- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING : 0x00;
+ *pos++ = 0x00;
+
+ return 0;
+@@ -792,7 +790,6 @@ int ieee80211_start_mesh(struct ieee80211_sub_if_data *sdata)
+ ifmsh->mesh_cc_id = 0; /* Disabled */
+ /* register sync ops from extensible synchronization framework */
+ ifmsh->sync_ops = ieee80211_mesh_sync_ops_get(ifmsh->mesh_sp_id);
+- ifmsh->adjusting_tbtt = false;
+ ifmsh->sync_offset_clockdrift_max = 0;
+ set_bit(MESH_WORK_HOUSEKEEPING, &ifmsh->wrkq_flags);
+ ieee80211_mesh_root_setup(ifmsh);
+diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
+index 60d737f144e3..7f758c9aa200 100644
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -452,12 +452,14 @@ mesh_sta_info_alloc(struct ieee80211_sub_if_data *sdata, u8 *addr,
+
+ /* Userspace handles station allocation */
+ if (sdata->u.mesh.user_mpm ||
+- sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED)
+- cfg80211_notify_new_peer_candidate(sdata->dev, addr,
+- elems->ie_start,
+- elems->total_len,
+- GFP_KERNEL);
+- else
++ sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED) {
++ if (mesh_peer_accepts_plinks(elems) &&
++ mesh_plink_availables(sdata))
++ cfg80211_notify_new_peer_candidate(sdata->dev, addr,
++ elems->ie_start,
++ elems->total_len,
++ GFP_KERNEL);
++ } else
+ sta = __mesh_sta_info_alloc(sdata, addr);
+
+ return sta;
+diff --git a/net/mac80211/mesh_sync.c b/net/mac80211/mesh_sync.c
+index 09625d6205c3..6e8ece73bfa6 100644
+--- a/net/mac80211/mesh_sync.c
++++ b/net/mac80211/mesh_sync.c
+@@ -119,7 +119,6 @@ static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
+ */
+
+ if (elems->mesh_config && mesh_peer_tbtt_adjusting(elems)) {
+- clear_sta_flag(sta, WLAN_STA_TOFFSET_KNOWN);
+ msync_dbg(sdata, "STA %pM : is adjusting TBTT\n",
+ sta->sta.addr);
+ goto no_sync;
+@@ -168,11 +167,9 @@ static void mesh_sync_offset_adjust_tbtt(struct ieee80211_sub_if_data *sdata,
+ struct beacon_data *beacon)
+ {
+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+- u8 cap;
+
+ WARN_ON(ifmsh->mesh_sp_id != IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET);
+ WARN_ON(!rcu_read_lock_held());
+- cap = beacon->meshconf->meshconf_cap;
+
+ spin_lock_bh(&ifmsh->sync_offset_lock);
+
+@@ -186,21 +183,13 @@ static void mesh_sync_offset_adjust_tbtt(struct ieee80211_sub_if_data *sdata,
+ "TBTT : kicking off TBTT adjustment with clockdrift_max=%lld\n",
+ ifmsh->sync_offset_clockdrift_max);
+ set_bit(MESH_WORK_DRIFT_ADJUST, &ifmsh->wrkq_flags);
+-
+- ifmsh->adjusting_tbtt = true;
+ } else {
+ msync_dbg(sdata,
+ "TBTT : max clockdrift=%lld; too small to adjust\n",
+ (long long)ifmsh->sync_offset_clockdrift_max);
+ ifmsh->sync_offset_clockdrift_max = 0;
+-
+- ifmsh->adjusting_tbtt = false;
+ }
+ spin_unlock_bh(&ifmsh->sync_offset_lock);
+-
+- beacon->meshconf->meshconf_cap = ifmsh->adjusting_tbtt ?
+- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING | cap :
+- ~IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING & cap;
+ }
+
+ static const struct sync_method sync_methods[] = {
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 34ded09317e7..792f6637c83e 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1925,7 +1925,7 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
+ * is called on error from nf_tables_newrule().
+ */
+ expr = nft_expr_first(rule);
+- while (expr->ops && expr != nft_expr_last(rule)) {
++ while (expr != nft_expr_last(rule) && expr->ops) {
+ nf_tables_expr_destroy(ctx, expr);
+ expr = nft_expr_next(expr);
+ }
+diff --git a/net/netfilter/nft_queue.c b/net/netfilter/nft_queue.c
+index 96805d21d618..b204b7db515f 100644
+--- a/net/netfilter/nft_queue.c
++++ b/net/netfilter/nft_queue.c
+@@ -37,7 +37,7 @@ static void nft_queue_eval(const struct nft_expr *expr,
+
+ if (priv->queues_total > 1) {
+ if (priv->flags & NFT_QUEUE_FLAG_CPU_FANOUT) {
+- int cpu = smp_processor_id();
++ int cpu = raw_smp_processor_id();
+
+ queue = priv->queuenum + cpu % priv->queues_total;
+ } else {
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 1c0d4aee783d..a5815be7c81c 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2821,6 +2821,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+
+ cb = &nlk->cb;
+ memset(cb, 0, sizeof(*cb));
++ cb->start = control->start;
+ cb->dump = control->dump;
+ cb->done = control->done;
+ cb->nlh = nlh;
+@@ -2834,6 +2835,9 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+
+ mutex_unlock(nlk->cb_mutex);
+
++ if (cb->start)
++ cb->start(cb);
++
+ ret = netlink_dump(sk);
+ sock_put(sk);
+
+diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
+index 2ed5f964772e..3d111b053e3e 100644
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -513,6 +513,20 @@ void *genlmsg_put(struct sk_buff *skb, u32 portid, u32 seq,
+ }
+ EXPORT_SYMBOL(genlmsg_put);
+
++static int genl_lock_start(struct netlink_callback *cb)
++{
++ /* our ops are always const - netlink API doesn't propagate that */
++ const struct genl_ops *ops = cb->data;
++ int rc = 0;
++
++ if (ops->start) {
++ genl_lock();
++ rc = ops->start(cb);
++ genl_unlock();
++ }
++ return rc;
++}
++
+ static int genl_lock_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+ /* our ops are always const - netlink API doesn't propagate that */
+@@ -577,6 +591,7 @@ static int genl_family_rcv_msg(struct genl_family *family,
+ .module = family->module,
+ /* we have const, but the netlink API doesn't */
+ .data = (void *)ops,
++ .start = genl_lock_start,
+ .dump = genl_lock_dumpit,
+ .done = genl_lock_done,
+ };
+@@ -588,6 +603,7 @@ static int genl_family_rcv_msg(struct genl_family *family,
+ } else {
+ struct netlink_dump_control c = {
+ .module = family->module,
++ .start = ops->start,
+ .dump = ops->dumpit,
+ .done = ops->done,
+ };
+diff --git a/net/nfc/core.c b/net/nfc/core.c
+index 54596f609d04..ab4b1e1d186d 100644
+--- a/net/nfc/core.c
++++ b/net/nfc/core.c
+@@ -1093,7 +1093,7 @@ struct nfc_dev *nfc_allocate_device(struct nfc_ops *ops,
+ err_free_dev:
+ kfree(dev);
+
+- return ERR_PTR(rc);
++ return NULL;
+ }
+ EXPORT_SYMBOL(nfc_allocate_device);
+
+diff --git a/net/rds/send.c b/net/rds/send.c
+index eba0eaf4cc38..37730bfa393f 100644
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -932,6 +932,11 @@ static int rds_cmsg_send(struct rds_sock *rs, struct rds_message *rm,
+ ret = rds_cmsg_rdma_map(rs, rm, cmsg);
+ if (!ret)
+ *allocated_mr = 1;
++ else if (ret == -ENODEV)
++ /* Accommodate the get_mr() case which can fail
++ * if connection isn't established yet.
++ */
++ ret = -EAGAIN;
+ break;
+ case RDS_CMSG_ATOMIC_CSWP:
+ case RDS_CMSG_ATOMIC_FADD:
+@@ -1039,8 +1044,12 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+
+ /* Parse any control messages the user may have included. */
+ ret = rds_cmsg_send(rs, rm, msg, &allocated_mr);
+- if (ret)
++ if (ret) {
++ /* Trigger connection so that its ready for the next retry */
++ if (ret == -EAGAIN)
++ rds_conn_connect_if_down(conn);
+ goto out;
++ }
+
+ if (rm->rdma.op_active && !conn->c_trans->xmit_rdma) {
+ printk_ratelimited(KERN_NOTICE "rdma_op %p conn xmit_rdma %p\n",
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index e1c69b216db3..dfc542ecf9c4 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1209,10 +1209,14 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+
+ if (signal_pending(current)) {
+ err = sock_intr_errno(timeout);
+- goto out_wait_error;
++ sk->sk_state = SS_UNCONNECTED;
++ sock->state = SS_UNCONNECTED;
++ goto out_wait;
+ } else if (timeout == 0) {
+ err = -ETIMEDOUT;
+- goto out_wait_error;
++ sk->sk_state = SS_UNCONNECTED;
++ sock->state = SS_UNCONNECTED;
++ goto out_wait;
+ }
+
+ prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+@@ -1220,20 +1224,17 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+
+ if (sk->sk_err) {
+ err = -sk->sk_err;
+- goto out_wait_error;
+- } else
++ sk->sk_state = SS_UNCONNECTED;
++ sock->state = SS_UNCONNECTED;
++ } else {
+ err = 0;
++ }
+
+ out_wait:
+ finish_wait(sk_sleep(sk), &wait);
+ out:
+ release_sock(sk);
+ return err;
+-
+-out_wait_error:
+- sk->sk_state = SS_UNCONNECTED;
+- sock->state = SS_UNCONNECTED;
+- goto out_wait;
+ }
+
+ static int vsock_accept(struct socket *sock, struct socket *newsock, int flags)
+@@ -1270,18 +1271,20 @@ static int vsock_accept(struct socket *sock, struct socket *newsock, int flags)
+ listener->sk_err == 0) {
+ release_sock(listener);
+ timeout = schedule_timeout(timeout);
++ finish_wait(sk_sleep(listener), &wait);
+ lock_sock(listener);
+
+ if (signal_pending(current)) {
+ err = sock_intr_errno(timeout);
+- goto out_wait;
++ goto out;
+ } else if (timeout == 0) {
+ err = -EAGAIN;
+- goto out_wait;
++ goto out;
+ }
+
+ prepare_to_wait(sk_sleep(listener), &wait, TASK_INTERRUPTIBLE);
+ }
++ finish_wait(sk_sleep(listener), &wait);
+
+ if (listener->sk_err)
+ err = -listener->sk_err;
+@@ -1301,19 +1304,15 @@ static int vsock_accept(struct socket *sock, struct socket *newsock, int flags)
+ */
+ if (err) {
+ vconnected->rejected = true;
+- release_sock(connected);
+- sock_put(connected);
+- goto out_wait;
++ } else {
++ newsock->state = SS_CONNECTED;
++ sock_graft(connected, newsock);
+ }
+
+- newsock->state = SS_CONNECTED;
+- sock_graft(connected, newsock);
+ release_sock(connected);
+ sock_put(connected);
+ }
+
+-out_wait:
+- finish_wait(sk_sleep(listener), &wait);
+ out:
+ release_sock(listener);
+ return err;
+@@ -1513,8 +1512,7 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
+ long timeout;
+ int err;
+ struct vsock_transport_send_notify_data send_data;
+-
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+
+ sk = sock->sk;
+ vsk = vsock_sk(sk);
+@@ -1557,11 +1555,10 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
+ if (err < 0)
+ goto out;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+-
+ while (total_written < len) {
+ ssize_t written;
+
++ add_wait_queue(sk_sleep(sk), &wait);
+ while (vsock_stream_has_space(vsk) == 0 &&
+ sk->sk_err == 0 &&
+ !(sk->sk_shutdown & SEND_SHUTDOWN) &&
+@@ -1570,27 +1567,30 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
+ /* Don't wait for non-blocking sockets. */
+ if (timeout == 0) {
+ err = -EAGAIN;
+- goto out_wait;
++ remove_wait_queue(sk_sleep(sk), &wait);
++ goto out_err;
+ }
+
+ err = transport->notify_send_pre_block(vsk, &send_data);
+- if (err < 0)
+- goto out_wait;
++ if (err < 0) {
++ remove_wait_queue(sk_sleep(sk), &wait);
++ goto out_err;
++ }
+
+ release_sock(sk);
+- timeout = schedule_timeout(timeout);
++ timeout = wait_woken(&wait, TASK_INTERRUPTIBLE, timeout);
+ lock_sock(sk);
+ if (signal_pending(current)) {
+ err = sock_intr_errno(timeout);
+- goto out_wait;
++ remove_wait_queue(sk_sleep(sk), &wait);
++ goto out_err;
+ } else if (timeout == 0) {
+ err = -EAGAIN;
+- goto out_wait;
++ remove_wait_queue(sk_sleep(sk), &wait);
++ goto out_err;
+ }
+-
+- prepare_to_wait(sk_sleep(sk), &wait,
+- TASK_INTERRUPTIBLE);
+ }
++ remove_wait_queue(sk_sleep(sk), &wait);
+
+ /* These checks occur both as part of and after the loop
+ * conditional since we need to check before and after
+@@ -1598,16 +1598,16 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
+ */
+ if (sk->sk_err) {
+ err = -sk->sk_err;
+- goto out_wait;
++ goto out_err;
+ } else if ((sk->sk_shutdown & SEND_SHUTDOWN) ||
+ (vsk->peer_shutdown & RCV_SHUTDOWN)) {
+ err = -EPIPE;
+- goto out_wait;
++ goto out_err;
+ }
+
+ err = transport->notify_send_pre_enqueue(vsk, &send_data);
+ if (err < 0)
+- goto out_wait;
++ goto out_err;
+
+ /* Note that enqueue will only write as many bytes as are free
+ * in the produce queue, so we don't need to ensure len is
+@@ -1620,7 +1620,7 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
+ len - total_written);
+ if (written < 0) {
+ err = -ENOMEM;
+- goto out_wait;
++ goto out_err;
+ }
+
+ total_written += written;
+@@ -1628,14 +1628,13 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
+ err = transport->notify_send_post_enqueue(
+ vsk, written, &send_data);
+ if (err < 0)
+- goto out_wait;
++ goto out_err;
+
+ }
+
+-out_wait:
++out_err:
+ if (total_written > 0)
+ err = total_written;
+- finish_wait(sk_sleep(sk), &wait);
+ out:
+ release_sock(sk);
+ return err;
+@@ -1716,21 +1715,61 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ if (err < 0)
+ goto out;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+
+ while (1) {
+- s64 ready = vsock_stream_has_data(vsk);
++ s64 ready;
+
+- if (ready < 0) {
+- /* Invalid queue pair content. XXX This should be
+- * changed to a connection reset in a later change.
+- */
++ prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ ready = vsock_stream_has_data(vsk);
+
+- err = -ENOMEM;
+- goto out_wait;
+- } else if (ready > 0) {
++ if (ready == 0) {
++ if (sk->sk_err != 0 ||
++ (sk->sk_shutdown & RCV_SHUTDOWN) ||
++ (vsk->peer_shutdown & SEND_SHUTDOWN)) {
++ finish_wait(sk_sleep(sk), &wait);
++ break;
++ }
++ /* Don't wait for non-blocking sockets. */
++ if (timeout == 0) {
++ err = -EAGAIN;
++ finish_wait(sk_sleep(sk), &wait);
++ break;
++ }
++
++ err = transport->notify_recv_pre_block(
++ vsk, target, &recv_data);
++ if (err < 0) {
++ finish_wait(sk_sleep(sk), &wait);
++ break;
++ }
++ release_sock(sk);
++ timeout = schedule_timeout(timeout);
++ lock_sock(sk);
++
++ if (signal_pending(current)) {
++ err = sock_intr_errno(timeout);
++ finish_wait(sk_sleep(sk), &wait);
++ break;
++ } else if (timeout == 0) {
++ err = -EAGAIN;
++ finish_wait(sk_sleep(sk), &wait);
++ break;
++ }
++ } else {
+ ssize_t read;
+
++ finish_wait(sk_sleep(sk), &wait);
++
++ if (ready < 0) {
++ /* Invalid queue pair content. XXX This should
++ * be changed to a connection reset in a later
++ * change.
++ */
++
++ err = -ENOMEM;
++ goto out;
++ }
++
+ err = transport->notify_recv_pre_dequeue(
+ vsk, target, &recv_data);
+ if (err < 0)
+@@ -1750,42 +1789,12 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ vsk, target, read,
+ !(flags & MSG_PEEK), &recv_data);
+ if (err < 0)
+- goto out_wait;
++ goto out;
+
+ if (read >= target || flags & MSG_PEEK)
+ break;
+
+ target -= read;
+- } else {
+- if (sk->sk_err != 0 || (sk->sk_shutdown & RCV_SHUTDOWN)
+- || (vsk->peer_shutdown & SEND_SHUTDOWN)) {
+- break;
+- }
+- /* Don't wait for non-blocking sockets. */
+- if (timeout == 0) {
+- err = -EAGAIN;
+- break;
+- }
+-
+- err = transport->notify_recv_pre_block(
+- vsk, target, &recv_data);
+- if (err < 0)
+- break;
+-
+- release_sock(sk);
+- timeout = schedule_timeout(timeout);
+- lock_sock(sk);
+-
+- if (signal_pending(current)) {
+- err = sock_intr_errno(timeout);
+- break;
+- } else if (timeout == 0) {
+- err = -EAGAIN;
+- break;
+- }
+-
+- prepare_to_wait(sk_sleep(sk), &wait,
+- TASK_INTERRUPTIBLE);
+ }
+ }
+
+@@ -1797,8 +1806,6 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ if (copied > 0)
+ err = copied;
+
+-out_wait:
+- finish_wait(sk_sleep(sk), &wait);
+ out:
+ release_sock(sk);
+ return err;
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 2091664295ba..18d9cf2eb648 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1622,32 +1622,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr
+
+ static int xfrm_dump_policy_done(struct netlink_callback *cb)
+ {
+- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
++ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
+ struct net *net = sock_net(cb->skb->sk);
+
+ xfrm_policy_walk_done(walk, net);
+ return 0;
+ }
+
++static int xfrm_dump_policy_start(struct netlink_callback *cb)
++{
++ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
++
++ BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));
++
++ xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
++ return 0;
++}
++
+ static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+ struct net *net = sock_net(skb->sk);
+- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
++ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
+ struct xfrm_dump_info info;
+
+- BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >
+- sizeof(cb->args) - sizeof(cb->args[0]));
+-
+ info.in_skb = cb->skb;
+ info.out_skb = skb;
+ info.nlmsg_seq = cb->nlh->nlmsg_seq;
+ info.nlmsg_flags = NLM_F_MULTI;
+
+- if (!cb->args[0]) {
+- cb->args[0] = 1;
+- xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
+- }
+-
+ (void) xfrm_policy_walk(net, walk, dump_one_policy, &info);
+
+ return skb->len;
+@@ -2383,6 +2385,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {
+
+ static const struct xfrm_link {
+ int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);
++ int (*start)(struct netlink_callback *);
+ int (*dump)(struct sk_buff *, struct netlink_callback *);
+ int (*done)(struct netlink_callback *);
+ const struct nla_policy *nla_pol;
+@@ -2396,6 +2399,7 @@ static const struct xfrm_link {
+ [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy },
+ [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy },
+ [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
++ .start = xfrm_dump_policy_start,
+ .dump = xfrm_dump_policy,
+ .done = xfrm_dump_policy_done },
+ [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
+@@ -2447,6 +2451,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+
+ {
+ struct netlink_dump_control c = {
++ .start = link->start,
+ .dump = link->dump,
+ .done = link->done,
+ };
+diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
+index 253a2da05cf0..9a7cc9a56a21 100644
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -264,8 +264,10 @@ static void update_audio_tstamp(struct snd_pcm_substream *substream,
+ runtime->rate);
+ *audio_tstamp = ns_to_timespec(audio_nsecs);
+ }
+- runtime->status->audio_tstamp = *audio_tstamp;
+- runtime->status->tstamp = *curr_tstamp;
++ if (!timespec_equal(&runtime->status->audio_tstamp, audio_tstamp)) {
++ runtime->status->audio_tstamp = *audio_tstamp;
++ runtime->status->tstamp = *curr_tstamp;
++ }
+
+ /*
+ * re-take a driver timestamp to let apps detect if the reference tstamp
+diff --git a/sound/core/timer_compat.c b/sound/core/timer_compat.c
+index 0b4b028e8e98..de9155eed727 100644
+--- a/sound/core/timer_compat.c
++++ b/sound/core/timer_compat.c
+@@ -40,11 +40,11 @@ static int snd_timer_user_info_compat(struct file *file,
+ struct snd_timer *t;
+
+ tu = file->private_data;
+- if (snd_BUG_ON(!tu->timeri))
+- return -ENXIO;
++ if (!tu->timeri)
++ return -EBADFD;
+ t = tu->timeri->timer;
+- if (snd_BUG_ON(!t))
+- return -ENXIO;
++ if (!t)
++ return -EBADFD;
+ memset(&info, 0, sizeof(info));
+ info.card = t->card ? t->card->number : -1;
+ if (t->hw.flags & SNDRV_TIMER_HW_SLAVE)
+@@ -73,8 +73,8 @@ static int snd_timer_user_status_compat(struct file *file,
+ struct snd_timer_status32 status;
+
+ tu = file->private_data;
+- if (snd_BUG_ON(!tu->timeri))
+- return -ENXIO;
++ if (!tu->timeri)
++ return -EBADFD;
+ memset(&status, 0, sizeof(status));
+ status.tstamp.tv_sec = tu->tstamp.tv_sec;
+ status.tstamp.tv_nsec = tu->tstamp.tv_nsec;
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 68bd0ba8bab8..b8886d493083 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2126,6 +2126,9 @@ static const struct pci_device_id azx_ids[] = {
+ /* AMD Hudson */
+ { PCI_DEVICE(0x1022, 0x780d),
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
++ /* AMD Raven */
++ { PCI_DEVICE(0x1022, 0x15e3),
++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
+ /* ATI HDMI */
+ { PCI_DEVICE(0x1002, 0x0002),
+ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 55601ce89e0f..75c4e14f4156 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4297,7 +4297,7 @@ static void alc_no_shutup(struct hda_codec *codec)
+ static void alc_fixup_no_shutup(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+- if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++ if (action == HDA_FIXUP_ACT_PROBE) {
+ struct alc_spec *spec = codec->spec;
+ spec->shutup = alc_no_shutup;
+ }
+diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c
+index 431d94397219..21a2f1bd7369 100644
+--- a/sound/soc/codecs/wm_adsp.c
++++ b/sound/soc/codecs/wm_adsp.c
+@@ -533,7 +533,7 @@ static int wm_adsp_load(struct wm_adsp *dsp)
+ const struct wmfw_region *region;
+ const struct wm_adsp_region *mem;
+ const char *region_name;
+- char *file, *text;
++ char *file, *text = NULL;
+ struct wm_adsp_buf *buf;
+ unsigned int reg;
+ int regions = 0;
+@@ -678,10 +678,21 @@ static int wm_adsp_load(struct wm_adsp *dsp)
+ regions, le32_to_cpu(region->len), offset,
+ region_name);
+
++ if ((pos + le32_to_cpu(region->len) + sizeof(*region)) >
++ firmware->size) {
++ adsp_err(dsp,
++ "%s.%d: %s region len %d bytes exceeds file length %zu\n",
++ file, regions, region_name,
++ le32_to_cpu(region->len), firmware->size);
++ ret = -EINVAL;
++ goto out_fw;
++ }
++
+ if (text) {
+ memcpy(text, region->data, le32_to_cpu(region->len));
+ adsp_info(dsp, "%s: %s\n", file, text);
+ kfree(text);
++ text = NULL;
+ }
+
+ if (reg) {
+@@ -724,6 +735,7 @@ out_fw:
+ regmap_async_complete(regmap);
+ wm_adsp_buf_free(&buf_list);
+ release_firmware(firmware);
++ kfree(text);
+ out:
+ kfree(file);
+
+@@ -1312,6 +1324,17 @@ static int wm_adsp_load_coeff(struct wm_adsp *dsp)
+ }
+
+ if (reg) {
++ if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) >
++ firmware->size) {
++ adsp_err(dsp,
++ "%s.%d: %s region len %d bytes exceeds file length %zu\n",
++ file, blocks, region_name,
++ le32_to_cpu(blk->len),
++ firmware->size);
++ ret = -EINVAL;
++ goto out_fw;
++ }
++
+ buf = wm_adsp_buf_alloc(blk->data,
+ le32_to_cpu(blk->len),
+ &buf_list);
+diff --git a/sound/soc/sh/rcar/core.c b/sound/soc/sh/rcar/core.c
+index 9f48d75fa992..9a198248e6cb 100644
+--- a/sound/soc/sh/rcar/core.c
++++ b/sound/soc/sh/rcar/core.c
+@@ -850,10 +850,8 @@ static int __rsnd_kctrl_new(struct rsnd_mod *mod,
+ return -ENOMEM;
+
+ ret = snd_ctl_add(card, kctrl);
+- if (ret < 0) {
+- snd_ctl_free_one(kctrl);
++ if (ret < 0)
+ return ret;
+- }
+
+ cfg->update = update;
+ cfg->card = card;
+diff --git a/sound/usb/clock.c b/sound/usb/clock.c
+index 7ccbcaf6a147..66294eb64501 100644
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -43,7 +43,7 @@ static struct uac_clock_source_descriptor *
+ while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+ ctrl_iface->extralen,
+ cs, UAC2_CLOCK_SOURCE))) {
+- if (cs->bClockID == clock_id)
++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
+ return cs;
+ }
+
+@@ -59,8 +59,11 @@ static struct uac_clock_selector_descriptor *
+ while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+ ctrl_iface->extralen,
+ cs, UAC2_CLOCK_SELECTOR))) {
+- if (cs->bClockID == clock_id)
++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) {
++ if (cs->bLength < 5 + cs->bNrInPins)
++ return NULL;
+ return cs;
++ }
+ }
+
+ return NULL;
+@@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descriptor *
+ while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+ ctrl_iface->extralen,
+ cs, UAC2_CLOCK_MULTIPLIER))) {
+- if (cs->bClockID == clock_id)
++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
+ return cs;
+ }
+
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index cb0ef39adc36..3ebfaa527825 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1391,6 +1391,12 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid,
+ __u8 *bmaControls;
+
+ if (state->mixer->protocol == UAC_VERSION_1) {
++ if (hdr->bLength < 7) {
++ usb_audio_err(state->chip,
++ "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
++ unitid);
++ return -EINVAL;
++ }
+ csize = hdr->bControlSize;
+ if (!csize) {
+ usb_audio_dbg(state->chip,
+@@ -1408,6 +1414,12 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid,
+ }
+ } else {
+ struct uac2_feature_unit_descriptor *ftr = _ftr;
++ if (hdr->bLength < 6) {
++ usb_audio_err(state->chip,
++ "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
++ unitid);
++ return -EINVAL;
++ }
+ csize = 4;
+ channels = (hdr->bLength - 6) / 4 - 1;
+ bmaControls = ftr->bmaControls;
+@@ -2008,7 +2020,8 @@ static int parse_audio_selector_unit(struct mixer_build *state, int unitid,
+ const struct usbmix_name_map *map;
+ char **namelist;
+
+- if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) {
++ if (desc->bLength < 5 || !desc->bNrInPins ||
++ desc->bLength < 5 + desc->bNrInPins) {
+ usb_audio_err(state->chip,
+ "invalid SELECTOR UNIT descriptor %d\n", unitid);
+ return -EINVAL;
next reply other threads:[~2017-12-15 20:22 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-15 20:22 Alice Ferrazzi [this message]
-- strict thread matches above, loose matches on Subject: below --
2018-05-29 10:34 [gentoo-commits] proj/linux-patches:4.1 commit in: / Mike Pagano
2018-01-23 9:37 Alice Ferrazzi
2017-12-08 14:48 Mike Pagano
2017-12-07 18:53 Mike Pagano
2017-10-18 11:51 Mike Pagano
2017-09-13 19:38 Mike Pagano
2017-08-06 18:01 Mike Pagano
2017-04-14 19:17 Mike Pagano
2017-03-14 11:39 Mike Pagano
2017-03-02 16:31 Mike Pagano
2017-03-02 16:31 Mike Pagano
2017-02-24 16:11 Mike Pagano
2017-01-18 23:50 Alice Ferrazzi
2017-01-10 4:02 Alice Ferrazzi
2016-12-08 0:43 Mike Pagano
2016-11-30 11:45 Mike Pagano
2016-11-23 11:25 Mike Pagano
2016-10-28 10:19 Mike Pagano
2016-10-12 19:52 Mike Pagano
2016-09-18 12:47 Mike Pagano
2016-08-22 23:29 Mike Pagano
2016-08-10 12:55 Mike Pagano
2016-07-31 16:01 Mike Pagano
2016-07-15 14:18 Mike Pagano
2016-07-13 23:38 Mike Pagano
2016-07-02 15:31 Mike Pagano
2016-07-01 19:56 Mike Pagano
2016-06-23 11:45 Mike Pagano
2016-06-08 11:17 Mike Pagano
2016-05-24 12:39 Mike Pagano
2016-05-12 0:12 Mike Pagano
2016-04-28 18:56 Mike Pagano
2016-04-22 18:06 Mike Pagano
2016-04-20 11:23 Mike Pagano
2016-04-06 11:23 Mike Pagano
2016-03-22 22:47 Mike Pagano
2016-03-17 22:52 Mike Pagano
2016-03-05 23:38 Mike Pagano
2016-02-16 15:28 Mike Pagano
2016-01-31 23:29 Mike Pagano
2016-01-23 18:30 Mike Pagano
2016-01-20 13:54 Mike Pagano
2015-12-15 11:17 Mike Pagano
2015-12-10 13:54 Mike Pagano
2015-11-10 0:30 Mike Pagano
2015-11-05 23:29 Mike Pagano
2015-11-05 23:29 Mike Pagano
2015-10-27 13:19 Mike Pagano
2015-10-26 20:51 Mike Pagano
2015-10-26 20:49 Mike Pagano
2015-10-03 16:07 Mike Pagano
2015-10-02 12:08 Mike Pagano
2015-09-29 17:50 Mike Pagano
2015-09-28 23:57 Mike Pagano
2015-09-21 22:16 Mike Pagano
2015-09-14 15:20 Mike Pagano
2015-08-17 15:38 Mike Pagano
2015-08-12 14:17 Mike Pagano
2015-08-10 23:42 Mike Pagano
2015-08-03 19:01 Mike Pagano
2015-07-22 10:31 Mike Pagano
2015-07-22 10:09 Mike Pagano
2015-07-19 18:55 Mike Pagano
2015-07-17 15:24 Mike Pagano
2015-07-10 23:47 Mike Pagano
2015-07-01 15:33 Mike Pagano
2015-06-27 19:50 Mike Pagano
2015-06-26 22:36 Mike Pagano
2015-06-20 17:37 Mike Pagano
2015-06-08 17:59 Mike Pagano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1513369334.4f5e8935a83b7b615e64287b1ba50633ac6e39b1.alicef@gentoo \
--to=alicef@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox