From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 9FCC0138350 for ; Sat, 2 May 2020 19:20:30 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id BC7B8E0C8E; Sat, 2 May 2020 19:20:29 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 94646E0C8E for ; Sat, 2 May 2020 19:20:29 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id DF29034F2E2 for ; Sat, 2 May 2020 19:20:27 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 9F03626 for ; Sat, 2 May 2020 19:20:03 +0000 (UTC) From: "Mike Pagano" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Mike Pagano" Message-ID: <1588447154.8a4471bfeb08692c493bc19741850ac8862cb669.mpagano@gentoo> Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: / X-VCS-Repository: proj/linux-patches X-VCS-Files: 0000_README 1220_linux-4.4.221.patch X-VCS-Directories: / X-VCS-Committer: mpagano X-VCS-Committer-Name: Mike Pagano X-VCS-Revision: 8a4471bfeb08692c493bc19741850ac8862cb669 X-VCS-Branch: 4.4 Date: Sat, 2 May 2020 19:20:03 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 75aa39b2-2b6d-4f5e-a333-9aa6552375f1 X-Archives-Hash: 52eca87b087672b2f3eeaf90a98e1c64 commit: 8a4471bfeb08692c493bc19741850ac8862cb669 Author: Mike Pagano gentoo org> AuthorDate: Sat May 2 19:19:14 2020 +0000 Commit: Mike Pagano gentoo org> CommitDate: Sat May 2 19:19:14 2020 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=8a4471bf Linux patch 4.4.221 Signed-off-by: Mike Pagano gentoo.org> 0000_README | 4 + 1220_linux-4.4.221.patch | 1954 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 1958 insertions(+) diff --git a/0000_README b/0000_README index 5399fb2..0853ee6 100644 --- a/0000_README +++ b/0000_README @@ -923,6 +923,10 @@ Patch: 1219_linux-4.4.220.patch From: http://www.kernel.org Desc: Linux 4.4.220 +Patch: 1220_linux-4.4.221.patch +From: http://www.kernel.org +Desc: Linux 4.4.221 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1220_linux-4.4.221.patch b/1220_linux-4.4.221.patch new file mode 100644 index 0000000..1dad46d --- /dev/null +++ b/1220_linux-4.4.221.patch @@ -0,0 +1,1954 @@ +diff --git a/Makefile b/Makefile +index bbe2b37b2d23..ea97d0869c89 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 220 ++SUBLEVEL = 221 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arm/mach-imx/Makefile b/arch/arm/mach-imx/Makefile +index 6358ea48eaf9..2d78900ee282 100644 +--- a/arch/arm/mach-imx/Makefile ++++ b/arch/arm/mach-imx/Makefile +@@ -91,8 +91,10 @@ AFLAGS_suspend-imx6.o :=-Wa,-march=armv7-a + obj-$(CONFIG_SOC_IMX6) += suspend-imx6.o + obj-$(CONFIG_SOC_IMX53) += suspend-imx53.o + endif ++ifeq ($(CONFIG_ARM_CPU_SUSPEND),y) + AFLAGS_resume-imx6.o :=-Wa,-march=armv7-a + obj-$(CONFIG_SOC_IMX6) += resume-imx6.o ++endif + obj-$(CONFIG_SOC_IMX6) += pm-imx6.o + + obj-$(CONFIG_SOC_IMX50) += mach-imx50.o +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 2634b4556202..f9cb4536dd85 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -5441,7 +5441,7 @@ static int handle_rmode_exception(struct kvm_vcpu *vcpu, + */ + static void kvm_machine_check(void) + { +-#if defined(CONFIG_X86_MCE) && defined(CONFIG_X86_64) ++#if defined(CONFIG_X86_MCE) + struct pt_regs regs = { + .cs = 3, /* Fake ring 3 no matter what the guest ran on */ + .flags = X86_EFLAGS_IF, +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index dd9a861fd526..bea13c35979e 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -145,6 +145,19 @@ static bool is_ereg(u32 reg) + BIT(BPF_REG_9)); + } + ++/* ++ * is_ereg_8l() == true if BPF register 'reg' is mapped to access x86-64 ++ * lower 8-bit registers dil,sil,bpl,spl,r8b..r15b, which need extra byte ++ * of encoding. al,cl,dl,bl have simpler encoding. ++ */ ++static bool is_ereg_8l(u32 reg) ++{ ++ return is_ereg(reg) || ++ (1 << reg) & (BIT(BPF_REG_1) | ++ BIT(BPF_REG_2) | ++ BIT(BPF_REG_FP)); ++} ++ + /* add modifiers if 'reg' maps to x64 registers r8..r15 */ + static u8 add_1mod(u8 byte, u32 reg) + { +@@ -731,9 +744,8 @@ st: if (is_imm8(insn->off)) + /* STX: *(u8*)(dst_reg + off) = src_reg */ + case BPF_STX | BPF_MEM | BPF_B: + /* emit 'mov byte ptr [rax + off], al' */ +- if (is_ereg(dst_reg) || is_ereg(src_reg) || +- /* have to add extra byte for x86 SIL, DIL regs */ +- src_reg == BPF_REG_1 || src_reg == BPF_REG_2) ++ if (is_ereg(dst_reg) || is_ereg_8l(src_reg)) ++ /* Add extra byte for eregs or SIL,DIL,BPL in src_reg */ + EMIT2(add_2mod(0x40, dst_reg, src_reg), 0x88); + else + EMIT1(0x88); +diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c +index 68836939f934..1a8dc76e117e 100644 +--- a/drivers/crypto/mxs-dcp.c ++++ b/drivers/crypto/mxs-dcp.c +@@ -37,11 +37,11 @@ + * Null hashes to align with hw behavior on imx6sl and ull + * these are flipped for consistency with hw output + */ +-const uint8_t sha1_null_hash[] = ++static const uint8_t sha1_null_hash[] = + "\x09\x07\xd8\xaf\x90\x18\x60\x95\xef\xbf" + "\x55\x32\x0d\x4b\x6b\x5e\xee\xa3\x39\xda"; + +-const uint8_t sha256_null_hash[] = ++static const uint8_t sha256_null_hash[] = + "\x55\xb8\x52\x78\x1b\x99\x95\xa4" + "\x4c\x93\x9b\x64\xe4\x41\xae\x27" + "\x24\xb9\x6f\x99\xc8\xf4\xfb\x9a" +diff --git a/drivers/iio/adc/xilinx-xadc-core.c b/drivers/iio/adc/xilinx-xadc-core.c +index 6398e86a272b..182c3132cd30 100644 +--- a/drivers/iio/adc/xilinx-xadc-core.c ++++ b/drivers/iio/adc/xilinx-xadc-core.c +@@ -660,7 +660,7 @@ static int xadc_trigger_set_state(struct iio_trigger *trigger, bool state) + + spin_lock_irqsave(&xadc->lock, flags); + xadc_read_reg(xadc, XADC_AXI_REG_IPIER, &val); +- xadc_write_reg(xadc, XADC_AXI_REG_IPISR, val & XADC_AXI_INT_EOS); ++ xadc_write_reg(xadc, XADC_AXI_REG_IPISR, XADC_AXI_INT_EOS); + if (state) + val |= XADC_AXI_INT_EOS; + else +@@ -709,13 +709,14 @@ static int xadc_power_adc_b(struct xadc *xadc, unsigned int seq_mode) + { + uint16_t val; + ++ /* Powerdown the ADC-B when it is not needed. */ + switch (seq_mode) { + case XADC_CONF1_SEQ_SIMULTANEOUS: + case XADC_CONF1_SEQ_INDEPENDENT: +- val = XADC_CONF2_PD_ADC_B; ++ val = 0; + break; + default: +- val = 0; ++ val = XADC_CONF2_PD_ADC_B; + break; + } + +@@ -784,6 +785,16 @@ static int xadc_preenable(struct iio_dev *indio_dev) + if (ret) + goto err; + ++ /* ++ * In simultaneous mode the upper and lower aux channels are samples at ++ * the same time. In this mode the upper 8 bits in the sequencer ++ * register are don't care and the lower 8 bits control two channels ++ * each. As such we must set the bit if either the channel in the lower ++ * group or the upper group is enabled. ++ */ ++ if (seq_mode == XADC_CONF1_SEQ_SIMULTANEOUS) ++ scan_mask = ((scan_mask >> 8) | scan_mask) & 0xff0000; ++ + ret = xadc_write_adc_reg(xadc, XADC_REG_SEQ(1), scan_mask >> 16); + if (ret) + goto err; +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c +index 7589d891b311..972935f1b2f7 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -1881,7 +1881,11 @@ static int __xipram do_write_buffer(struct map_info *map, struct flchip *chip, + continue; + } + +- if (time_after(jiffies, timeo) && !chip_ready(map, adr)) ++ /* ++ * We check "time_after" and "!chip_good" before checking "chip_good" to avoid ++ * the failure due to scheduling. ++ */ ++ if (time_after(jiffies, timeo) && !chip_good(map, adr, datum)) + break; + + if (chip_good(map, adr, datum)) { +diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +index 832ad1bd1f29..fd6492fd3dc0 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +@@ -3341,7 +3341,7 @@ int t4_phy_fw_ver(struct adapter *adap, int *phy_fw_ver) + FW_PARAMS_PARAM_Z_V(FW_PARAMS_PARAM_DEV_PHYFW_VERSION)); + ret = t4_query_params(adap, adap->mbox, adap->pf, 0, 1, + ¶m, &val); +- if (ret < 0) ++ if (ret) + return ret; + *phy_fw_ver = val; + return 0; +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 84767722065a..d5d4d109ee10 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -1561,7 +1561,7 @@ static int macvlan_device_event(struct notifier_block *unused, + struct macvlan_dev, + list); + +- if (macvlan_sync_address(vlan->dev, dev->dev_addr)) ++ if (vlan && macvlan_sync_address(vlan->dev, dev->dev_addr)) + return NOTIFY_BAD; + + break; +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index e51fb7cb7728..d0943415aeff 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -466,6 +466,9 @@ static const struct team_mode *team_mode_get(const char *kind) + struct team_mode_item *mitem; + const struct team_mode *mode = NULL; + ++ if (!try_module_get(THIS_MODULE)) ++ return NULL; ++ + spin_lock(&mode_list_lock); + mitem = __find_mode(kind); + if (!mitem) { +@@ -481,6 +484,7 @@ static const struct team_mode *team_mode_get(const char *kind) + } + + spin_unlock(&mode_list_lock); ++ module_put(THIS_MODULE); + return mode; + } + +diff --git a/drivers/pwm/pwm-bcm2835.c b/drivers/pwm/pwm-bcm2835.c +index b4c7f956b6fa..388a9fa5c1d2 100644 +--- a/drivers/pwm/pwm-bcm2835.c ++++ b/drivers/pwm/pwm-bcm2835.c +@@ -160,6 +160,7 @@ static int bcm2835_pwm_probe(struct platform_device *pdev) + + pc->chip.dev = &pdev->dev; + pc->chip.ops = &bcm2835_pwm_ops; ++ pc->chip.base = -1; + pc->chip.npwm = 2; + + platform_set_drvdata(pdev, pc); +diff --git a/drivers/pwm/pwm-rcar.c b/drivers/pwm/pwm-rcar.c +index 6e99a63ffa29..df0723df1f99 100644 +--- a/drivers/pwm/pwm-rcar.c ++++ b/drivers/pwm/pwm-rcar.c +@@ -232,24 +232,28 @@ static int rcar_pwm_probe(struct platform_device *pdev) + rcar_pwm->chip.base = -1; + rcar_pwm->chip.npwm = 1; + ++ pm_runtime_enable(&pdev->dev); ++ + ret = pwmchip_add(&rcar_pwm->chip); + if (ret < 0) { + dev_err(&pdev->dev, "failed to register PWM chip: %d\n", ret); ++ pm_runtime_disable(&pdev->dev); + return ret; + } + +- pm_runtime_enable(&pdev->dev); +- + return 0; + } + + static int rcar_pwm_remove(struct platform_device *pdev) + { + struct rcar_pwm_chip *rcar_pwm = platform_get_drvdata(pdev); ++ int ret; ++ ++ ret = pwmchip_remove(&rcar_pwm->chip); + + pm_runtime_disable(&pdev->dev); + +- return pwmchip_remove(&rcar_pwm->chip); ++ return ret; + } + + static const struct of_device_id rcar_pwm_of_table[] = { +diff --git a/drivers/pwm/pwm-renesas-tpu.c b/drivers/pwm/pwm-renesas-tpu.c +index 075c1a764ba2..6247a956cc08 100644 +--- a/drivers/pwm/pwm-renesas-tpu.c ++++ b/drivers/pwm/pwm-renesas-tpu.c +@@ -423,16 +423,17 @@ static int tpu_probe(struct platform_device *pdev) + tpu->chip.base = -1; + tpu->chip.npwm = TPU_CHANNEL_MAX; + ++ pm_runtime_enable(&pdev->dev); ++ + ret = pwmchip_add(&tpu->chip); + if (ret < 0) { + dev_err(&pdev->dev, "failed to register PWM chip\n"); ++ pm_runtime_disable(&pdev->dev); + return ret; + } + + dev_info(&pdev->dev, "TPU PWM %d registered\n", tpu->pdev->id); + +- pm_runtime_enable(&pdev->dev); +- + return 0; + } + +@@ -442,12 +443,10 @@ static int tpu_remove(struct platform_device *pdev) + int ret; + + ret = pwmchip_remove(&tpu->chip); +- if (ret) +- return ret; + + pm_runtime_disable(&pdev->dev); + +- return 0; ++ return ret; + } + + #ifdef CONFIG_OF +diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c +index b76ef5244b65..110ed37cbab6 100644 +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -288,7 +288,7 @@ void rproc_free_vring(struct rproc_vring *rvring) + { + int size = PAGE_ALIGN(vring_size(rvring->len, rvring->align)); + struct rproc *rproc = rvring->rvdev->rproc; +- int idx = rvring->rvdev->vring - rvring; ++ int idx = rvring - rvring->rvdev->vring; + struct fw_rsc_vdev *rsc; + + dma_free_coherent(rproc->dev.parent, size, rvring->va, rvring->dma); +diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c +index 6aae68412802..2389a1dc6d30 100644 +--- a/drivers/s390/cio/device.c ++++ b/drivers/s390/cio/device.c +@@ -872,8 +872,10 @@ static void io_subchannel_register(struct ccw_device *cdev) + * Now we know this subchannel will stay, we can throw + * our delayed uevent. + */ +- dev_set_uevent_suppress(&sch->dev, 0); +- kobject_uevent(&sch->dev.kobj, KOBJ_ADD); ++ if (dev_get_uevent_suppress(&sch->dev)) { ++ dev_set_uevent_suppress(&sch->dev, 0); ++ kobject_uevent(&sch->dev.kobj, KOBJ_ADD); ++ } + /* make it known to the system */ + ret = ccw_device_add(cdev); + if (ret) { +@@ -1082,8 +1084,11 @@ static int io_subchannel_probe(struct subchannel *sch) + * Throw the delayed uevent for the subchannel, register + * the ccw_device and exit. + */ +- dev_set_uevent_suppress(&sch->dev, 0); +- kobject_uevent(&sch->dev.kobj, KOBJ_ADD); ++ if (dev_get_uevent_suppress(&sch->dev)) { ++ /* should always be the case for the console */ ++ dev_set_uevent_suppress(&sch->dev, 0); ++ kobject_uevent(&sch->dev.kobj, KOBJ_ADD); ++ } + cdev = sch_get_cdev(sch); + rc = ccw_device_add(cdev); + if (rc) { +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 065fdc17bbfb..7a94c2d35239 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -2186,6 +2186,8 @@ lpfc_sli_def_mbox_cmpl(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) + !pmb->u.mb.mbxStatus) { + rpi = pmb->u.mb.un.varWords[0]; + vpi = pmb->u.mb.un.varRegLogin.vpi; ++ if (phba->sli_rev == LPFC_SLI_REV4) ++ vpi -= phba->sli4_hba.max_cfg_param.vpi_base; + lpfc_unreg_login(phba, vpi, rpi, pmb); + pmb->mbox_cmpl = lpfc_sli_def_mbox_cmpl; + rc = lpfc_sli_issue_mbox(phba, pmb, MBX_NOWAIT); +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 20cf01d6ded7..de10b461ec7e 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2014,7 +2014,7 @@ static void __iscsi_unbind_session(struct work_struct *work) + if (session->target_id == ISCSI_MAX_TARGET) { + spin_unlock_irqrestore(&session->lock, flags); + mutex_unlock(&ihost->mutex); +- return; ++ goto unbind_session_exit; + } + + target_id = session->target_id; +@@ -2026,6 +2026,8 @@ static void __iscsi_unbind_session(struct work_struct *work) + ida_simple_remove(&iscsi_sess_ida, target_id); + + scsi_remove_target(&session->dev); ++ ++unbind_session_exit: + iscsi_session_event(session, ISCSI_KEVENT_UNBIND_SESSION); + ISCSI_DBG_TRANS_SESSION(session, "Completed target removal\n"); + } +diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c +index b831f08e2769..8ed4a44d3174 100644 +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -2592,8 +2592,10 @@ static int comedi_open(struct inode *inode, struct file *file) + } + + cfp = kzalloc(sizeof(*cfp), GFP_KERNEL); +- if (!cfp) ++ if (!cfp) { ++ comedi_dev_put(dev); + return -ENOMEM; ++ } + + cfp->dev = dev; + +diff --git a/drivers/staging/comedi/drivers/dt2815.c b/drivers/staging/comedi/drivers/dt2815.c +index fb08569c1ac1..08d4f14a5e40 100644 +--- a/drivers/staging/comedi/drivers/dt2815.c ++++ b/drivers/staging/comedi/drivers/dt2815.c +@@ -101,6 +101,7 @@ static int dt2815_ao_insn(struct comedi_device *dev, struct comedi_subdevice *s, + int ret; + + for (i = 0; i < insn->n; i++) { ++ /* FIXME: lo bit 0 chooses voltage output or current output */ + lo = ((data[i] & 0x0f) << 4) | (chan << 1) | 0x01; + hi = (data[i] & 0xff0) >> 4; + +@@ -114,6 +115,8 @@ static int dt2815_ao_insn(struct comedi_device *dev, struct comedi_subdevice *s, + if (ret) + return ret; + ++ outb(hi, dev->iobase + DT2815_DATA); ++ + devpriv->ao_readback[chan] = data[i]; + } + return i; +diff --git a/drivers/staging/vt6656/int.c b/drivers/staging/vt6656/int.c +index cb22b5efe2be..e0a19a1105bc 100644 +--- a/drivers/staging/vt6656/int.c ++++ b/drivers/staging/vt6656/int.c +@@ -157,7 +157,8 @@ void vnt_int_process_data(struct vnt_private *priv) + priv->wake_up_count = + priv->hw->conf.listen_interval; + +- --priv->wake_up_count; ++ if (priv->wake_up_count) ++ --priv->wake_up_count; + + /* Turn on wake up to listen next beacon */ + if (priv->wake_up_count == 1) +diff --git a/drivers/staging/vt6656/main_usb.c b/drivers/staging/vt6656/main_usb.c +index 66e658810229..7c2bddd6135e 100644 +--- a/drivers/staging/vt6656/main_usb.c ++++ b/drivers/staging/vt6656/main_usb.c +@@ -762,12 +762,15 @@ static void vnt_bss_info_changed(struct ieee80211_hw *hw, + vnt_mac_reg_bits_on(priv, MAC_REG_TFTCTL, + TFTCTL_TSFCNTREN); + +- vnt_adjust_tsf(priv, conf->beacon_rate->hw_value, +- conf->sync_tsf, priv->current_tsf); +- + vnt_mac_set_beacon_interval(priv, conf->beacon_int); + + vnt_reset_next_tbtt(priv, conf->beacon_int); ++ ++ vnt_adjust_tsf(priv, conf->beacon_rate->hw_value, ++ conf->sync_tsf, priv->current_tsf); ++ ++ vnt_update_next_tbtt(priv, ++ conf->sync_tsf, conf->beacon_int); + } else { + vnt_clear_current_tsf(priv); + +diff --git a/drivers/target/target_core_fabric_lib.c b/drivers/target/target_core_fabric_lib.c +index 6e75095af681..2ecb2f7042a1 100644 +--- a/drivers/target/target_core_fabric_lib.c ++++ b/drivers/target/target_core_fabric_lib.c +@@ -75,7 +75,7 @@ static int fc_get_pr_transport_id( + * encoded TransportID. + */ + ptr = &se_nacl->initiatorname[0]; +- for (i = 0; i < 24; ) { ++ for (i = 0; i < 23; ) { + if (!strncmp(&ptr[i], ":", 1)) { + i++; + continue; +diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c +index e46d628998f5..acf6d143c753 100644 +--- a/drivers/tty/hvc/hvc_console.c ++++ b/drivers/tty/hvc/hvc_console.c +@@ -289,10 +289,6 @@ int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops) + vtermnos[index] = vtermno; + cons_ops[index] = ops; + +- /* reserve all indices up to and including this index */ +- if (last_hvc < index) +- last_hvc = index; +- + /* check if we need to re-register the kernel console */ + hvc_check_console(index); + +@@ -896,13 +892,22 @@ struct hvc_struct *hvc_alloc(uint32_t vtermno, int data, + cons_ops[i] == hp->ops) + break; + +- /* no matching slot, just use a counter */ +- if (i >= MAX_NR_HVC_CONSOLES) +- i = ++last_hvc; ++ if (i >= MAX_NR_HVC_CONSOLES) { ++ ++ /* find 'empty' slot for console */ ++ for (i = 0; i < MAX_NR_HVC_CONSOLES && vtermnos[i] != -1; i++) { ++ } ++ ++ /* no matching slot, just use a counter */ ++ if (i == MAX_NR_HVC_CONSOLES) ++ i = ++last_hvc + MAX_NR_HVC_CONSOLES; ++ } + + hp->index = i; +- cons_ops[i] = ops; +- vtermnos[i] = vtermno; ++ if (i < MAX_NR_HVC_CONSOLES) { ++ cons_ops[i] = ops; ++ vtermnos[i] = vtermno; ++ } + + list_add_tail(&(hp->next), &hvc_structs); + spin_unlock(&hvc_structs_lock); +diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c +index ec6d20f25e8b..0d3cc3324f46 100644 +--- a/drivers/tty/rocket.c ++++ b/drivers/tty/rocket.c +@@ -645,18 +645,21 @@ static void init_r_port(int board, int aiop, int chan, struct pci_dev *pci_dev) + info->port.ops = &rocket_port_ops; + init_completion(&info->close_wait); + info->flags &= ~ROCKET_MODE_MASK; +- switch (pc104[board][line]) { +- case 422: +- info->flags |= ROCKET_MODE_RS422; +- break; +- case 485: +- info->flags |= ROCKET_MODE_RS485; +- break; +- case 232: +- default: ++ if (board < ARRAY_SIZE(pc104) && line < ARRAY_SIZE(pc104_1)) ++ switch (pc104[board][line]) { ++ case 422: ++ info->flags |= ROCKET_MODE_RS422; ++ break; ++ case 485: ++ info->flags |= ROCKET_MODE_RS485; ++ break; ++ case 232: ++ default: ++ info->flags |= ROCKET_MODE_RS232; ++ break; ++ } ++ else + info->flags |= ROCKET_MODE_RS232; +- break; +- } + + info->intmask = RXF_TRIG | TXFIFO_MT | SRC_INT | DELTA_CD | DELTA_CTS | DELTA_DSR; + if (sInitChan(ctlp, &info->channel, aiop, chan) == 0) { +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 963dd8a4b540..c422b4df97e8 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1175,6 +1175,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + #ifdef CONFIG_PM + udev->reset_resume = 1; + #endif ++ /* Don't set the change_bits when the device ++ * was powered off. ++ */ ++ if (test_bit(port1, hub->power_bits)) ++ set_bit(port1, hub->change_bits); + + } else { + /* The power session is gone; tell hub_wq */ +@@ -2939,6 +2944,15 @@ static int check_port_resume_type(struct usb_device *udev, + if (portchange & USB_PORT_STAT_C_ENABLE) + usb_clear_port_feature(hub->hdev, port1, + USB_PORT_FEAT_C_ENABLE); ++ ++ /* ++ * Whatever made this reset-resume necessary may have ++ * turned on the port1 bit in hub->change_bits. But after ++ * a successful reset-resume we want the bit to be clear; ++ * if it was on it would indicate that something happened ++ * following the reset-resume. ++ */ ++ clear_bit(port1, hub->change_bits); + } + + return status; +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index adc696a76b20..747343c61398 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -306,9 +306,10 @@ static void sg_complete(struct urb *urb) + */ + spin_unlock(&io->lock); + for (i = 0, found = 0; i < io->entries; i++) { +- if (!io->urbs[i] || !io->urbs[i]->dev) ++ if (!io->urbs[i]) + continue; + if (found) { ++ usb_block_urb(io->urbs[i]); + retval = usb_unlink_urb(io->urbs[i]); + if (retval != -EINPROGRESS && + retval != -ENODEV && +@@ -519,12 +520,10 @@ void usb_sg_wait(struct usb_sg_request *io) + int retval; + + io->urbs[i]->dev = io->dev; +- retval = usb_submit_urb(io->urbs[i], GFP_ATOMIC); +- +- /* after we submit, let completions or cancellations fire; +- * we handshake using io->status. +- */ + spin_unlock_irq(&io->lock); ++ ++ retval = usb_submit_urb(io->urbs[i], GFP_NOIO); ++ + switch (retval) { + /* maybe we retrying will recover */ + case -ENXIO: /* hc didn't queue this one */ +@@ -582,30 +581,34 @@ EXPORT_SYMBOL_GPL(usb_sg_wait); + void usb_sg_cancel(struct usb_sg_request *io) + { + unsigned long flags; ++ int i, retval; + + spin_lock_irqsave(&io->lock, flags); ++ if (io->status || io->count == 0) { ++ spin_unlock_irqrestore(&io->lock, flags); ++ return; ++ } ++ /* shut everything down */ ++ io->status = -ECONNRESET; ++ io->count++; /* Keep the request alive until we're done */ ++ spin_unlock_irqrestore(&io->lock, flags); + +- /* shut everything down, if it didn't already */ +- if (!io->status) { +- int i; +- +- io->status = -ECONNRESET; +- spin_unlock(&io->lock); +- for (i = 0; i < io->entries; i++) { +- int retval; ++ for (i = io->entries - 1; i >= 0; --i) { ++ usb_block_urb(io->urbs[i]); + +- if (!io->urbs[i]->dev) +- continue; +- retval = usb_unlink_urb(io->urbs[i]); +- if (retval != -EINPROGRESS +- && retval != -ENODEV +- && retval != -EBUSY +- && retval != -EIDRM) +- dev_warn(&io->dev->dev, "%s, unlink --> %d\n", +- __func__, retval); +- } +- spin_lock(&io->lock); ++ retval = usb_unlink_urb(io->urbs[i]); ++ if (retval != -EINPROGRESS ++ && retval != -ENODEV ++ && retval != -EBUSY ++ && retval != -EIDRM) ++ dev_warn(&io->dev->dev, "%s, unlink --> %d\n", ++ __func__, retval); + } ++ ++ spin_lock_irqsave(&io->lock, flags); ++ io->count--; ++ if (!io->count) ++ complete(&io->complete); + spin_unlock_irqrestore(&io->lock, flags); + } + EXPORT_SYMBOL_GPL(usb_sg_cancel); +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 6c4bb47922ac..27d05f0134de 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -272,6 +272,10 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Corsair K70 LUX */ + { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT }, + ++ /* Corsair K70 RGB RAPDIFIRE */ ++ { USB_DEVICE(0x1b1c, 0x1b38), .driver_info = USB_QUIRK_DELAY_INIT | ++ USB_QUIRK_DELAY_CTRL_MSG }, ++ + /* MIDI keyboard WORLDE MINI */ + { USB_DEVICE(0x1c75, 0x0204), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 23a9557c8234..f5f4a9927417 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1511,6 +1511,10 @@ static void ffs_data_reset(struct ffs_data *ffs) + ffs->state = FFS_READ_DESCRIPTORS; + ffs->setup_state = FFS_NO_SETUP; + ffs->flags = 0; ++ ++ ffs->ms_os_descs_ext_prop_count = 0; ++ ffs->ms_os_descs_ext_prop_name_len = 0; ++ ffs->ms_os_descs_ext_prop_data_len = 0; + } + + +diff --git a/drivers/usb/gadget/udc/bdc/bdc_ep.c b/drivers/usb/gadget/udc/bdc/bdc_ep.c +index d6199507f861..3a65272fbed8 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_ep.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_ep.c +@@ -546,7 +546,7 @@ static void bdc_req_complete(struct bdc_ep *ep, struct bdc_req *req, + { + struct bdc *bdc = ep->bdc; + +- if (req == NULL || &req->queue == NULL || &req->usb_req == NULL) ++ if (req == NULL) + return; + + dev_dbg(bdc->dev, "%s ep:%s status:%d\n", __func__, ep->name, status); +diff --git a/drivers/usb/misc/sisusbvga/sisusb.c b/drivers/usb/misc/sisusbvga/sisusb.c +index b9d50020c684..22da70fada5e 100644 +--- a/drivers/usb/misc/sisusbvga/sisusb.c ++++ b/drivers/usb/misc/sisusbvga/sisusb.c +@@ -1243,20 +1243,20 @@ static int sisusb_read_mem_bulk(struct sisusb_usb_data *sisusb, u32 addr, + + #ifdef INCL_SISUSB_CON + int +-sisusb_setreg(struct sisusb_usb_data *sisusb, int port, u8 data) ++sisusb_setreg(struct sisusb_usb_data *sisusb, u32 port, u8 data) + { + return sisusb_write_memio_byte(sisusb, SISUSB_TYPE_IO, port, data); + } + + int +-sisusb_getreg(struct sisusb_usb_data *sisusb, int port, u8 *data) ++sisusb_getreg(struct sisusb_usb_data *sisusb, u32 port, u8 *data) + { + return sisusb_read_memio_byte(sisusb, SISUSB_TYPE_IO, port, data); + } + #endif + + int +-sisusb_setidxreg(struct sisusb_usb_data *sisusb, int port, u8 index, u8 data) ++sisusb_setidxreg(struct sisusb_usb_data *sisusb, u32 port, u8 index, u8 data) + { + int ret; + ret = sisusb_write_memio_byte(sisusb, SISUSB_TYPE_IO, port, index); +@@ -1265,7 +1265,7 @@ sisusb_setidxreg(struct sisusb_usb_data *sisusb, int port, u8 index, u8 data) + } + + int +-sisusb_getidxreg(struct sisusb_usb_data *sisusb, int port, u8 index, u8 *data) ++sisusb_getidxreg(struct sisusb_usb_data *sisusb, u32 port, u8 index, u8 *data) + { + int ret; + ret = sisusb_write_memio_byte(sisusb, SISUSB_TYPE_IO, port, index); +@@ -1274,7 +1274,7 @@ sisusb_getidxreg(struct sisusb_usb_data *sisusb, int port, u8 index, u8 *data) + } + + int +-sisusb_setidxregandor(struct sisusb_usb_data *sisusb, int port, u8 idx, ++sisusb_setidxregandor(struct sisusb_usb_data *sisusb, u32 port, u8 idx, + u8 myand, u8 myor) + { + int ret; +@@ -1289,7 +1289,7 @@ sisusb_setidxregandor(struct sisusb_usb_data *sisusb, int port, u8 idx, + } + + static int +-sisusb_setidxregmask(struct sisusb_usb_data *sisusb, int port, u8 idx, ++sisusb_setidxregmask(struct sisusb_usb_data *sisusb, u32 port, u8 idx, + u8 data, u8 mask) + { + int ret; +@@ -1303,13 +1303,13 @@ sisusb_setidxregmask(struct sisusb_usb_data *sisusb, int port, u8 idx, + } + + int +-sisusb_setidxregor(struct sisusb_usb_data *sisusb, int port, u8 index, u8 myor) ++sisusb_setidxregor(struct sisusb_usb_data *sisusb, u32 port, u8 index, u8 myor) + { + return(sisusb_setidxregandor(sisusb, port, index, 0xff, myor)); + } + + int +-sisusb_setidxregand(struct sisusb_usb_data *sisusb, int port, u8 idx, u8 myand) ++sisusb_setidxregand(struct sisusb_usb_data *sisusb, u32 port, u8 idx, u8 myand) + { + return(sisusb_setidxregandor(sisusb, port, idx, myand, 0x00)); + } +@@ -2849,8 +2849,8 @@ static int + sisusb_handle_command(struct sisusb_usb_data *sisusb, struct sisusb_command *y, + unsigned long arg) + { +- int retval, port, length; +- u32 address; ++ int retval, length; ++ u32 port, address; + + /* All our commands require the device + * to be initialized. +diff --git a/drivers/usb/misc/sisusbvga/sisusb_init.h b/drivers/usb/misc/sisusbvga/sisusb_init.h +index c46ce42d4489..82d953e4a6b3 100644 +--- a/drivers/usb/misc/sisusbvga/sisusb_init.h ++++ b/drivers/usb/misc/sisusbvga/sisusb_init.h +@@ -811,17 +811,17 @@ static const struct SiS_VCLKData SiSUSB_VCLKData[] = { + int SiSUSBSetMode(struct SiS_Private *SiS_Pr, unsigned short ModeNo); + int SiSUSBSetVESAMode(struct SiS_Private *SiS_Pr, unsigned short VModeNo); + +-extern int sisusb_setreg(struct sisusb_usb_data *sisusb, int port, u8 data); +-extern int sisusb_getreg(struct sisusb_usb_data *sisusb, int port, u8 * data); +-extern int sisusb_setidxreg(struct sisusb_usb_data *sisusb, int port, ++extern int sisusb_setreg(struct sisusb_usb_data *sisusb, u32 port, u8 data); ++extern int sisusb_getreg(struct sisusb_usb_data *sisusb, u32 port, u8 * data); ++extern int sisusb_setidxreg(struct sisusb_usb_data *sisusb, u32 port, + u8 index, u8 data); +-extern int sisusb_getidxreg(struct sisusb_usb_data *sisusb, int port, ++extern int sisusb_getidxreg(struct sisusb_usb_data *sisusb, u32 port, + u8 index, u8 * data); +-extern int sisusb_setidxregandor(struct sisusb_usb_data *sisusb, int port, ++extern int sisusb_setidxregandor(struct sisusb_usb_data *sisusb, u32 port, + u8 idx, u8 myand, u8 myor); +-extern int sisusb_setidxregor(struct sisusb_usb_data *sisusb, int port, ++extern int sisusb_setidxregor(struct sisusb_usb_data *sisusb, u32 port, + u8 index, u8 myor); +-extern int sisusb_setidxregand(struct sisusb_usb_data *sisusb, int port, ++extern int sisusb_setidxregand(struct sisusb_usb_data *sisusb, u32 port, + u8 idx, u8 myand); + + void sisusb_delete(struct kref *kref); +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index b38d9f162123..698ba127b635 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -82,6 +82,19 @@ static void uas_free_streams(struct uas_dev_info *devinfo); + static void uas_log_cmd_state(struct scsi_cmnd *cmnd, const char *prefix, + int status); + ++/* ++ * This driver needs its own workqueue, as we need to control memory allocation. ++ * ++ * In the course of error handling and power management uas_wait_for_pending_cmnds() ++ * needs to flush pending work items. In these contexts we cannot allocate memory ++ * by doing block IO as we would deadlock. For the same reason we cannot wait ++ * for anything allocating memory not heeding these constraints. ++ * ++ * So we have to control all work items that can be on the workqueue we flush. ++ * Hence we cannot share a queue and need our own. ++ */ ++static struct workqueue_struct *workqueue; ++ + static void uas_do_work(struct work_struct *work) + { + struct uas_dev_info *devinfo = +@@ -110,7 +123,7 @@ static void uas_do_work(struct work_struct *work) + if (!err) + cmdinfo->state &= ~IS_IN_WORK_LIST; + else +- schedule_work(&devinfo->work); ++ queue_work(workqueue, &devinfo->work); + } + out: + spin_unlock_irqrestore(&devinfo->lock, flags); +@@ -135,7 +148,7 @@ static void uas_add_work(struct uas_cmd_info *cmdinfo) + + lockdep_assert_held(&devinfo->lock); + cmdinfo->state |= IS_IN_WORK_LIST; +- schedule_work(&devinfo->work); ++ queue_work(workqueue, &devinfo->work); + } + + static void uas_zap_pending(struct uas_dev_info *devinfo, int result) +@@ -191,6 +204,9 @@ static void uas_log_cmd_state(struct scsi_cmnd *cmnd, const char *prefix, + struct uas_cmd_info *ci = (void *)&cmnd->SCp; + struct uas_cmd_info *cmdinfo = (void *)&cmnd->SCp; + ++ if (status == -ENODEV) /* too late */ ++ return; ++ + scmd_printk(KERN_INFO, cmnd, + "%s %d uas-tag %d inflight:%s%s%s%s%s%s%s%s%s%s%s%s ", + prefix, status, cmdinfo->uas_tag, +@@ -1173,7 +1189,31 @@ static struct usb_driver uas_driver = { + .id_table = uas_usb_ids, + }; + +-module_usb_driver(uas_driver); ++static int __init uas_init(void) ++{ ++ int rv; ++ ++ workqueue = alloc_workqueue("uas", WQ_MEM_RECLAIM, 0); ++ if (!workqueue) ++ return -ENOMEM; ++ ++ rv = usb_register(&uas_driver); ++ if (rv) { ++ destroy_workqueue(workqueue); ++ return -ENOMEM; ++ } ++ ++ return 0; ++} ++ ++static void __exit uas_exit(void) ++{ ++ usb_deregister(&uas_driver); ++ destroy_workqueue(workqueue); ++} ++ ++module_init(uas_init); ++module_exit(uas_exit); + + MODULE_LICENSE("GPL"); + MODULE_AUTHOR( +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index 2e0a8088ffe2..ccf2d50e0d2e 100644 +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2208,6 +2208,13 @@ UNUSUAL_DEV( 0x3340, 0xffff, 0x0000, 0x0000, + USB_SC_DEVICE,USB_PR_DEVICE,NULL, + US_FL_MAX_SECTORS_64 ), + ++/* Reported by Cyril Roelandt */ ++UNUSUAL_DEV( 0x357d, 0x7788, 0x0114, 0x0114, ++ "JMicron", ++ "USB to ATA/ATAPI Bridge", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_BROKEN_FUA ), ++ + /* Reported by Andrey Rahmatullin */ + UNUSUAL_DEV( 0x4102, 0x1020, 0x0100, 0x0100, + "iRiver", +diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c +index 056da6ee1a35..df27cefb2fa3 100644 +--- a/drivers/xen/xenbus/xenbus_client.c ++++ b/drivers/xen/xenbus/xenbus_client.c +@@ -469,7 +469,14 @@ EXPORT_SYMBOL_GPL(xenbus_free_evtchn); + int xenbus_map_ring_valloc(struct xenbus_device *dev, grant_ref_t *gnt_refs, + unsigned int nr_grefs, void **vaddr) + { +- return ring_ops->map(dev, gnt_refs, nr_grefs, vaddr); ++ int err; ++ ++ err = ring_ops->map(dev, gnt_refs, nr_grefs, vaddr); ++ /* Some hypervisors are buggy and can return 1. */ ++ if (err > 0) ++ err = GNTST_general_error; ++ ++ return err; + } + EXPORT_SYMBOL_GPL(xenbus_map_ring_valloc); + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index aa4df4a02252..efdf81ea3b5f 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -1734,8 +1734,12 @@ retry_locked: + } + + /* want more caps from mds? */ +- if (want & ~(cap->mds_wanted | cap->issued)) +- goto ack; ++ if (want & ~cap->mds_wanted) { ++ if (want & ~(cap->mds_wanted | cap->issued)) ++ goto ack; ++ if (!__cap_is_valid(cap)) ++ goto ack; ++ } + + /* things we might delay */ + if ((cap->issued & ~retain) == 0 && +diff --git a/fs/ceph/export.c b/fs/ceph/export.c +index fe02ae7f056a..ff9e60daf086 100644 +--- a/fs/ceph/export.c ++++ b/fs/ceph/export.c +@@ -146,6 +146,11 @@ static struct dentry *__get_parent(struct super_block *sb, + } + req->r_num_caps = 1; + err = ceph_mdsc_do_request(mdsc, NULL, req); ++ if (err) { ++ ceph_mdsc_put_request(req); ++ return ERR_PTR(err); ++ } ++ + inode = req->r_target_inode; + if (inode) + ihold(inode); +diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c +index 02ddec6d8a7d..ccd80f2b3b19 100644 +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -136,6 +136,49 @@ static void debug_print_tree(struct ext4_sb_info *sbi) + printk("\n"); + } + ++static int ext4_protect_reserved_inode(struct super_block *sb, u32 ino) ++{ ++ struct inode *inode; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); ++ struct ext4_map_blocks map; ++ u32 i = 0, num; ++ int err = 0, n; ++ ++ if ((ino < EXT4_ROOT_INO) || ++ (ino > le32_to_cpu(sbi->s_es->s_inodes_count))) ++ return -EINVAL; ++ inode = ext4_iget(sb, ino, EXT4_IGET_SPECIAL); ++ if (IS_ERR(inode)) ++ return PTR_ERR(inode); ++ num = (inode->i_size + sb->s_blocksize - 1) >> sb->s_blocksize_bits; ++ while (i < num) { ++ map.m_lblk = i; ++ map.m_len = num - i; ++ n = ext4_map_blocks(NULL, inode, &map, 0); ++ if (n < 0) { ++ err = n; ++ break; ++ } ++ if (n == 0) { ++ i++; ++ } else { ++ if (!ext4_data_block_valid(sbi, map.m_pblk, n)) { ++ ext4_error(sb, "blocks %llu-%llu from inode %u " ++ "overlap system zone", map.m_pblk, ++ map.m_pblk + map.m_len - 1, ino); ++ err = -EFSCORRUPTED; ++ break; ++ } ++ err = add_system_zone(sbi, map.m_pblk, n); ++ if (err < 0) ++ break; ++ i += n; ++ } ++ } ++ iput(inode); ++ return err; ++} ++ + int ext4_setup_system_zone(struct super_block *sb) + { + ext4_group_t ngroups = ext4_get_groups_count(sb); +@@ -170,6 +213,12 @@ int ext4_setup_system_zone(struct super_block *sb) + if (ret) + return ret; + } ++ if (ext4_has_feature_journal(sb) && sbi->s_es->s_journal_inum) { ++ ret = ext4_protect_reserved_inode(sb, ++ le32_to_cpu(sbi->s_es->s_journal_inum)); ++ if (ret) ++ return ret; ++ } + + if (test_opt(sb, DEBUG)) + debug_print_tree(EXT4_SB(sb)); +@@ -226,6 +275,11 @@ int ext4_check_blockref(const char *function, unsigned int line, + __le32 *bref = p; + unsigned int blk; + ++ if (ext4_has_feature_journal(inode->i_sb) && ++ (inode->i_ino == ++ le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) ++ return 0; ++ + while (bref < p+max) { + blk = le32_to_cpu(*bref++); + if (blk && +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index ab0f08c89d5f..de47525972a1 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2497,8 +2497,19 @@ int do_journal_get_write_access(handle_t *handle, + #define FALL_BACK_TO_NONDELALLOC 1 + #define CONVERT_INLINE_DATA 2 + +-extern struct inode *ext4_iget(struct super_block *, unsigned long); +-extern struct inode *ext4_iget_normal(struct super_block *, unsigned long); ++typedef enum { ++ EXT4_IGET_NORMAL = 0, ++ EXT4_IGET_SPECIAL = 0x0001, /* OK to iget a system inode */ ++ EXT4_IGET_HANDLE = 0x0002 /* Inode # is from a handle */ ++} ext4_iget_flags; ++ ++extern struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ++ ext4_iget_flags flags, const char *function, ++ unsigned int line); ++ ++#define ext4_iget(sb, ino, flags) \ ++ __ext4_iget((sb), (ino), (flags), __func__, __LINE__) ++ + extern int ext4_write_inode(struct inode *, struct writeback_control *); + extern int ext4_setattr(struct dentry *, struct iattr *); + extern int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry, +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 7414bfd5a58e..96336830f035 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -505,6 +505,30 @@ int ext4_ext_check_inode(struct inode *inode) + return ext4_ext_check(inode, ext_inode_hdr(inode), ext_depth(inode), 0); + } + ++static void ext4_cache_extents(struct inode *inode, ++ struct ext4_extent_header *eh) ++{ ++ struct ext4_extent *ex = EXT_FIRST_EXTENT(eh); ++ ext4_lblk_t prev = 0; ++ int i; ++ ++ for (i = le16_to_cpu(eh->eh_entries); i > 0; i--, ex++) { ++ unsigned int status = EXTENT_STATUS_WRITTEN; ++ ext4_lblk_t lblk = le32_to_cpu(ex->ee_block); ++ int len = ext4_ext_get_actual_len(ex); ++ ++ if (prev && (prev != lblk)) ++ ext4_es_cache_extent(inode, prev, lblk - prev, ~0, ++ EXTENT_STATUS_HOLE); ++ ++ if (ext4_ext_is_unwritten(ex)) ++ status = EXTENT_STATUS_UNWRITTEN; ++ ext4_es_cache_extent(inode, lblk, len, ++ ext4_ext_pblock(ex), status); ++ prev = lblk + len; ++ } ++} ++ + static struct buffer_head * + __read_extent_tree_block(const char *function, unsigned int line, + struct inode *inode, ext4_fsblk_t pblk, int depth, +@@ -525,36 +549,21 @@ __read_extent_tree_block(const char *function, unsigned int line, + } + if (buffer_verified(bh) && !(flags & EXT4_EX_FORCE_CACHE)) + return bh; +- err = __ext4_ext_check(function, line, inode, +- ext_block_hdr(bh), depth, pblk); +- if (err) +- goto errout; ++ if (!ext4_has_feature_journal(inode->i_sb) || ++ (inode->i_ino != ++ le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) { ++ err = __ext4_ext_check(function, line, inode, ++ ext_block_hdr(bh), depth, pblk); ++ if (err) ++ goto errout; ++ } + set_buffer_verified(bh); + /* + * If this is a leaf block, cache all of its entries + */ + if (!(flags & EXT4_EX_NOCACHE) && depth == 0) { + struct ext4_extent_header *eh = ext_block_hdr(bh); +- struct ext4_extent *ex = EXT_FIRST_EXTENT(eh); +- ext4_lblk_t prev = 0; +- int i; +- +- for (i = le16_to_cpu(eh->eh_entries); i > 0; i--, ex++) { +- unsigned int status = EXTENT_STATUS_WRITTEN; +- ext4_lblk_t lblk = le32_to_cpu(ex->ee_block); +- int len = ext4_ext_get_actual_len(ex); +- +- if (prev && (prev != lblk)) +- ext4_es_cache_extent(inode, prev, +- lblk - prev, ~0, +- EXTENT_STATUS_HOLE); +- +- if (ext4_ext_is_unwritten(ex)) +- status = EXTENT_STATUS_UNWRITTEN; +- ext4_es_cache_extent(inode, lblk, len, +- ext4_ext_pblock(ex), status); +- prev = lblk + len; +- } ++ ext4_cache_extents(inode, eh); + } + return bh; + errout: +@@ -902,6 +911,8 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, + path[0].p_bh = NULL; + + i = depth; ++ if (!(flags & EXT4_EX_NOCACHE) && depth == 0) ++ ext4_cache_extents(inode, eh); + /* walk through the tree */ + while (i) { + ext_debug("depth %d: num %d, max %d\n", +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index c31b05f0bd69..3753a8a05a2e 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -1150,7 +1150,7 @@ struct inode *ext4_orphan_get(struct super_block *sb, unsigned long ino) + if (!ext4_test_bit(bit, bitmap_bh->b_data)) + goto bad_orphan; + +- inode = ext4_iget(sb, ino); ++ inode = ext4_iget(sb, ino, EXT4_IGET_NORMAL); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); + ext4_error(sb, "couldn't read orphan inode %lu (err %d)", +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index a2bb9c60445c..805d38a14002 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -377,6 +377,10 @@ static int __check_block_validity(struct inode *inode, const char *func, + unsigned int line, + struct ext4_map_blocks *map) + { ++ if (ext4_has_feature_journal(inode->i_sb) && ++ (inode->i_ino == ++ le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) ++ return 0; + if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk, + map->m_len)) { + ext4_error_inode(inode, func, line, map->m_pblk, +@@ -4214,7 +4218,9 @@ static inline void ext4_iget_extra_inode(struct inode *inode, + EXT4_I(inode)->i_inline_off = 0; + } + +-struct inode *ext4_iget(struct super_block *sb, unsigned long ino) ++struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ++ ext4_iget_flags flags, const char *function, ++ unsigned int line) + { + struct ext4_iloc iloc; + struct ext4_inode *raw_inode; +@@ -4227,6 +4233,18 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) + uid_t i_uid; + gid_t i_gid; + ++ if (((flags & EXT4_IGET_NORMAL) && ++ (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO)) || ++ (ino < EXT4_ROOT_INO) || ++ (ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))) { ++ if (flags & EXT4_IGET_HANDLE) ++ return ERR_PTR(-ESTALE); ++ __ext4_error(sb, function, line, ++ "inode #%lu: comm %s: iget: illegal inode #", ++ ino, current->comm); ++ return ERR_PTR(-EFSCORRUPTED); ++ } ++ + inode = iget_locked(sb, ino); + if (!inode) + return ERR_PTR(-ENOMEM); +@@ -4242,11 +4260,18 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) + raw_inode = ext4_raw_inode(&iloc); + + if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { +- EXT4_ERROR_INODE(inode, "root inode unallocated"); ++ ext4_error_inode(inode, function, line, 0, ++ "iget: root inode unallocated"); + ret = -EFSCORRUPTED; + goto bad_inode; + } + ++ if ((flags & EXT4_IGET_HANDLE) && ++ (raw_inode->i_links_count == 0) && (raw_inode->i_mode == 0)) { ++ ret = -ESTALE; ++ goto bad_inode; ++ } ++ + if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { + ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize); + if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > +@@ -4273,7 +4298,8 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) + } + + if (!ext4_inode_csum_verify(inode, raw_inode, ei)) { +- EXT4_ERROR_INODE(inode, "checksum invalid"); ++ ext4_error_inode(inode, function, line, 0, ++ "iget: checksum invalid"); + ret = -EFSBADCRC; + goto bad_inode; + } +@@ -4321,7 +4347,8 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) + ((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32; + inode->i_size = ext4_isize(raw_inode); + if ((size = i_size_read(inode)) < 0) { +- EXT4_ERROR_INODE(inode, "bad i_size value: %lld", size); ++ ext4_error_inode(inode, function, line, 0, ++ "iget: bad i_size value: %lld", size); + ret = -EFSCORRUPTED; + goto bad_inode; + } +@@ -4404,7 +4431,8 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) + ret = 0; + if (ei->i_file_acl && + !ext4_data_block_valid(EXT4_SB(sb), ei->i_file_acl, 1)) { +- EXT4_ERROR_INODE(inode, "bad extended attribute block %llu", ++ ext4_error_inode(inode, function, line, 0, ++ "iget: bad extended attribute block %llu", + ei->i_file_acl); + ret = -EFSCORRUPTED; + goto bad_inode; +@@ -4459,7 +4487,8 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) + make_bad_inode(inode); + } else { + ret = -EFSCORRUPTED; +- EXT4_ERROR_INODE(inode, "bogus i_mode (%o)", inode->i_mode); ++ ext4_error_inode(inode, function, line, 0, ++ "iget: bogus i_mode (%o)", inode->i_mode); + goto bad_inode; + } + brelse(iloc.bh); +@@ -4473,13 +4502,6 @@ bad_inode: + return ERR_PTR(ret); + } + +-struct inode *ext4_iget_normal(struct super_block *sb, unsigned long ino) +-{ +- if (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO) +- return ERR_PTR(-EFSCORRUPTED); +- return ext4_iget(sb, ino); +-} +- + static int ext4_inode_blocks_set(handle_t *handle, + struct ext4_inode *raw_inode, + struct ext4_inode_info *ei) +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index b02f210ea617..d4addcc5e4f1 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -105,7 +105,7 @@ static long swap_inode_boot_loader(struct super_block *sb, + if (!inode_owner_or_capable(inode) || !capable(CAP_SYS_ADMIN)) + return -EPERM; + +- inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO); ++ inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL); + if (IS_ERR(inode_bl)) + return PTR_ERR(inode_bl); + ei_bl = EXT4_I(inode_bl); +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index fda49f4c5a8e..04fab14e630c 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -1944,7 +1944,8 @@ void ext4_mb_complex_scan_group(struct ext4_allocation_context *ac, + int free; + + free = e4b->bd_info->bb_free; +- BUG_ON(free <= 0); ++ if (WARN_ON(free <= 0)) ++ return; + + i = e4b->bd_info->bb_first_free; + +@@ -1965,7 +1966,8 @@ void ext4_mb_complex_scan_group(struct ext4_allocation_context *ac, + } + + mb_find_extent(e4b, i, ac->ac_g_ex.fe_len, &ex); +- BUG_ON(ex.fe_len <= 0); ++ if (WARN_ON(ex.fe_len <= 0)) ++ break; + if (free < ex.fe_len) { + ext4_grp_locked_error(sb, e4b->bd_group, 0, 0, + "%d free clusters as per " +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 49e0d97b2ee7..566a8b08ccdd 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1601,7 +1601,7 @@ static struct dentry *ext4_lookup(struct inode *dir, struct dentry *dentry, unsi + dentry); + return ERR_PTR(-EFSCORRUPTED); + } +- inode = ext4_iget_normal(dir->i_sb, ino); ++ inode = ext4_iget(dir->i_sb, ino, EXT4_IGET_NORMAL); + if (inode == ERR_PTR(-ESTALE)) { + EXT4_ERROR_INODE(dir, + "deleted inode referenced: %u", +@@ -1646,7 +1646,7 @@ struct dentry *ext4_get_parent(struct dentry *child) + return ERR_PTR(-EFSCORRUPTED); + } + +- return d_obtain_alias(ext4_iget_normal(d_inode(child)->i_sb, ino)); ++ return d_obtain_alias(ext4_iget(d_inode(child)->i_sb, ino, EXT4_IGET_NORMAL)); + } + + /* +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index f5b6667b0ab0..7ed01bcc2419 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1649,7 +1649,7 @@ int ext4_group_add(struct super_block *sb, struct ext4_new_group_data *input) + "No reserved GDT blocks, can't resize"); + return -EPERM; + } +- inode = ext4_iget(sb, EXT4_RESIZE_INO); ++ inode = ext4_iget(sb, EXT4_RESIZE_INO, EXT4_IGET_SPECIAL); + if (IS_ERR(inode)) { + ext4_warning(sb, "Error opening resize inode"); + return PTR_ERR(inode); +@@ -1977,7 +1977,8 @@ retry: + } + + if (!resize_inode) +- resize_inode = ext4_iget(sb, EXT4_RESIZE_INO); ++ resize_inode = ext4_iget(sb, EXT4_RESIZE_INO, ++ EXT4_IGET_SPECIAL); + if (IS_ERR(resize_inode)) { + ext4_warning(sb, "Error opening resize inode"); + return PTR_ERR(resize_inode); +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 67faf147bade..aca086a25b2e 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1022,20 +1022,11 @@ static struct inode *ext4_nfs_get_inode(struct super_block *sb, + { + struct inode *inode; + +- if (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO) +- return ERR_PTR(-ESTALE); +- if (ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)) +- return ERR_PTR(-ESTALE); +- +- /* iget isn't really right if the inode is currently unallocated!! +- * +- * ext4_read_inode will return a bad_inode if the inode had been +- * deleted, so we should be safe. +- * ++ /* + * Currently we don't know the generation for parent directory, so + * a generation of 0 means "accept any" + */ +- inode = ext4_iget_normal(sb, ino); ++ inode = ext4_iget(sb, ino, EXT4_IGET_HANDLE); + if (IS_ERR(inode)) + return ERR_CAST(inode); + if (generation && inode->i_generation != generation) { +@@ -4036,7 +4027,7 @@ no_journal: + * so we can safely mount the rest of the filesystem now. + */ + +- root = ext4_iget(sb, EXT4_ROOT_INO); ++ root = ext4_iget(sb, EXT4_ROOT_INO, EXT4_IGET_SPECIAL); + if (IS_ERR(root)) { + ext4_msg(sb, KERN_ERR, "get root inode failed"); + ret = PTR_ERR(root); +@@ -4273,11 +4264,12 @@ static journal_t *ext4_get_journal(struct super_block *sb, + + BUG_ON(!ext4_has_feature_journal(sb)); + +- /* First, test for the existence of a valid inode on disk. Bad +- * things happen if we iget() an unused inode, as the subsequent +- * iput() will try to delete it. */ +- +- journal_inode = ext4_iget(sb, journal_inum); ++ /* ++ * Test for the existence of a valid inode on disk. Bad things ++ * happen if we iget() an unused inode, as the subsequent iput() ++ * will try to delete it. ++ */ ++ journal_inode = ext4_iget(sb, journal_inum, EXT4_IGET_SPECIAL); + if (IS_ERR(journal_inode)) { + ext4_msg(sb, KERN_ERR, "no journal found"); + return NULL; +@@ -5241,7 +5233,7 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id, + if (!qf_inums[type]) + return -EPERM; + +- qf_inode = ext4_iget(sb, qf_inums[type]); ++ qf_inode = ext4_iget(sb, qf_inums[type], EXT4_IGET_SPECIAL); + if (IS_ERR(qf_inode)) { + ext4_error(sb, "Bad quota inode # %lu", qf_inums[type]); + return PTR_ERR(qf_inode); +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index 16891f5364af..8142f6bf3d31 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -145,9 +145,13 @@ static bool fuse_block_alloc(struct fuse_conn *fc, bool for_background) + + static void fuse_drop_waiting(struct fuse_conn *fc) + { +- if (fc->connected) { +- atomic_dec(&fc->num_waiting); +- } else if (atomic_dec_and_test(&fc->num_waiting)) { ++ /* ++ * lockess check of fc->connected is okay, because atomic_dec_and_test() ++ * provides a memory barrier mached with the one in fuse_wait_aborted() ++ * to ensure no wake-up is missed. ++ */ ++ if (atomic_dec_and_test(&fc->num_waiting) && ++ !READ_ONCE(fc->connected)) { + /* wake up aborters */ + wake_up_all(&fc->blocked_waitq); + } +@@ -2222,6 +2226,8 @@ EXPORT_SYMBOL_GPL(fuse_abort_conn); + + void fuse_wait_aborted(struct fuse_conn *fc) + { ++ /* matches implicit memory barrier in fuse_drop_waiting() */ ++ smp_mb(); + wait_event(fc->blocked_waitq, atomic_read(&fc->num_waiting) == 0); + } + +diff --git a/fs/namespace.c b/fs/namespace.c +index 88c5d5bddf74..5fb1e4a430f8 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -3161,8 +3161,8 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, + /* make certain new is below the root */ + if (!is_path_reachable(new_mnt, new.dentry, &root)) + goto out4; +- root_mp->m_count++; /* pin it so it won't go away */ + lock_mount_hash(); ++ root_mp->m_count++; /* pin it so it won't go away */ + detach_mnt(new_mnt, &parent_path); + detach_mnt(root_mnt, &root_parent); + if (root_mnt->mnt.mnt_flags & MNT_LOCKED) { +diff --git a/fs/pnode.c b/fs/pnode.c +index d15c63e97ef1..64e9a401d67d 100644 +--- a/fs/pnode.c ++++ b/fs/pnode.c +@@ -268,14 +268,13 @@ static int propagate_one(struct mount *m) + if (IS_ERR(child)) + return PTR_ERR(child); + child->mnt.mnt_flags &= ~MNT_LOCKED; ++ read_seqlock_excl(&mount_lock); + mnt_set_mountpoint(m, mp, child); ++ if (m->mnt_master != dest_master) ++ SET_MNT_MARK(m->mnt_master); ++ read_sequnlock_excl(&mount_lock); + last_dest = m; + last_source = child; +- if (m->mnt_master != dest_master) { +- read_seqlock_excl(&mount_lock); +- SET_MNT_MARK(m->mnt_master); +- read_sequnlock_excl(&mount_lock); +- } + hlist_add_head(&child->mnt_hash, list); + return count_mounts(m->mnt_ns, child); + } +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index d7ce4e3280db..19291f86d16c 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -934,7 +934,7 @@ search_memslots(struct kvm_memslots *slots, gfn_t gfn) + start = slot + 1; + } + +- if (gfn >= memslots[start].base_gfn && ++ if (start < slots->used_slots && gfn >= memslots[start].base_gfn && + gfn < memslots[start].base_gfn + memslots[start].npages) { + atomic_set(&slots->lru_slot, start); + return &memslots[start]; +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 3bdd6ef95717..6e53dd63728d 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -52,7 +52,7 @@ extern struct inet_hashinfo tcp_hashinfo; + extern struct percpu_counter tcp_orphan_count; + void tcp_time_wait(struct sock *sk, int state, int timeo); + +-#define MAX_TCP_HEADER (128 + MAX_HEADER) ++#define MAX_TCP_HEADER L1_CACHE_ALIGN(128 + MAX_HEADER) + #define MAX_TCP_OPTION_SPACE 40 + #define TCP_MIN_SND_MSS 48 + #define TCP_MIN_GSO_SIZE (TCP_MIN_SND_MSS - MAX_TCP_OPTION_SPACE) +diff --git a/ipc/util.c b/ipc/util.c +index 0f401d94b7c6..2724f9071ab3 100644 +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -756,13 +756,13 @@ static struct kern_ipc_perm *sysvipc_find_ipc(struct ipc_ids *ids, loff_t pos, + total++; + } + ++ *new_pos = pos + 1; + if (total >= ids->in_use) + return NULL; + + for (; pos < IPCMNI; pos++) { + ipc = idr_find(&ids->ipcs_idr, pos); + if (ipc != NULL) { +- *new_pos = pos + 1; + rcu_read_lock(); + ipc_lock_object(ipc); + return ipc; +diff --git a/kernel/audit.c b/kernel/audit.c +index 84c445db5fe1..b685672def35 100644 +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -919,6 +919,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: + if (!audit_enabled && msg_type != AUDIT_USER_AVC) + return 0; ++ /* exit early if there isn't at least one character to print */ ++ if (data_len < 2) ++ return -EINVAL; + + err = audit_filter_user(msg_type); + if (err == 1) { /* match or error */ +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 203384a71fee..feff3ba98cc9 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5810,10 +5810,17 @@ static void perf_event_task_output(struct perf_event *event, + goto out; + + task_event->event_id.pid = perf_event_pid(event, task); +- task_event->event_id.ppid = perf_event_pid(event, current); +- + task_event->event_id.tid = perf_event_tid(event, task); +- task_event->event_id.ptid = perf_event_tid(event, current); ++ ++ if (task_event->event_id.header.type == PERF_RECORD_EXIT) { ++ task_event->event_id.ppid = perf_event_pid(event, ++ task->real_parent); ++ task_event->event_id.ptid = perf_event_pid(event, ++ task->real_parent); ++ } else { /* PERF_RECORD_FORK */ ++ task_event->event_id.ppid = perf_event_pid(event, current); ++ task_event->event_id.ptid = perf_event_tid(event, current); ++ } + + task_event->event_id.time = perf_event_clock(event); + +diff --git a/kernel/gcov/fs.c b/kernel/gcov/fs.c +index edf67c493a8e..e473f6a1f6ca 100644 +--- a/kernel/gcov/fs.c ++++ b/kernel/gcov/fs.c +@@ -108,9 +108,9 @@ static void *gcov_seq_next(struct seq_file *seq, void *data, loff_t *pos) + { + struct gcov_iterator *iter = data; + ++ (*pos)++; + if (gcov_iter_next(iter)) + return NULL; +- (*pos)++; + + return iter; + } +diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c +index 3f48c7d6ca31..2fd6fce1851f 100644 +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -666,10 +666,8 @@ static int __init vti_init(void) + + msg = "ipip tunnel"; + err = xfrm4_tunnel_register(&ipip_handler, AF_INET); +- if (err < 0) { +- pr_info("%s: cant't register tunnel\n",__func__); ++ if (err < 0) + goto xfrm_tunnel_failed; +- } + + msg = "netlink interface"; + err = rtnl_link_register(&vti_link_ops); +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 3fb4aeeabf00..24ce13a79665 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -507,9 +507,11 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + goto out; + + /* hdrincl should be READ_ONCE(inet->hdrincl) +- * but READ_ONCE() doesn't work with bit fields ++ * but READ_ONCE() doesn't work with bit fields. ++ * Doing this indirectly yields the same result. + */ + hdrincl = inet->hdrincl; ++ hdrincl = READ_ONCE(hdrincl); + /* + * Check the flags. + */ +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 988c132319c4..74ae703c6909 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -131,8 +131,6 @@ static int ip_rt_min_advmss __read_mostly = 256; + + static int ip_rt_gc_timeout __read_mostly = RT_GC_TIMEOUT; + +-static int ip_min_valid_pmtu __read_mostly = IPV4_MIN_MTU; +- + /* + * Interface to generic destination cache. + */ +@@ -2705,6 +2703,7 @@ void ip_rt_multicast_event(struct in_device *in_dev) + static int ip_rt_gc_interval __read_mostly = 60 * HZ; + static int ip_rt_gc_min_interval __read_mostly = HZ / 2; + static int ip_rt_gc_elasticity __read_mostly = 8; ++static int ip_min_valid_pmtu __read_mostly = IPV4_MIN_MTU; + + static int ipv4_sysctl_rtcache_flush(struct ctl_table *__ctl, int write, + void __user *buffer, +diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c +index 7ee6518afa86..73705a2368d9 100644 +--- a/net/ipv4/xfrm4_output.c ++++ b/net/ipv4/xfrm4_output.c +@@ -75,9 +75,7 @@ int xfrm4_output_finish(struct sock *sk, struct sk_buff *skb) + { + memset(IPCB(skb), 0, sizeof(*IPCB(skb))); + +-#ifdef CONFIG_NETFILTER + IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; +-#endif + + return xfrm_output(sk, skb); + } +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index bd2a6ec7572a..e5513b7b5abf 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -185,15 +185,14 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + retv = -EBUSY; + break; + } +- } else if (sk->sk_protocol == IPPROTO_TCP) { +- if (sk->sk_prot != &tcpv6_prot) { +- retv = -EBUSY; +- break; +- } +- break; +- } else { ++ } ++ if (sk->sk_protocol == IPPROTO_TCP && ++ sk->sk_prot != &tcpv6_prot) { ++ retv = -EBUSY; + break; + } ++ if (sk->sk_protocol != IPPROTO_TCP) ++ break; + if (sk->sk_state != TCP_ESTABLISHED) { + retv = -ENOTCONN; + break; +diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c +index 64862c5084ee..b2dc9a820c6a 100644 +--- a/net/ipv6/xfrm6_output.c ++++ b/net/ipv6/xfrm6_output.c +@@ -125,9 +125,7 @@ int xfrm6_output_finish(struct sock *sk, struct sk_buff *skb) + { + memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); + +-#ifdef CONFIG_NETFILTER + IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED; +-#endif + + return xfrm_output(sk, skb); + } +diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c +index d72a4f1558f2..ef6a3d586591 100644 +--- a/net/netrom/nr_route.c ++++ b/net/netrom/nr_route.c +@@ -199,6 +199,7 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic, + /* refcount initialized at 1 */ + spin_unlock_bh(&nr_node_list_lock); + ++ nr_neigh_put(nr_neigh); + return 0; + } + nr_node_lock(nr_node); +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 2b6c88b9a038..5803d0807e9a 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -185,13 +185,13 @@ static void sctp_for_each_tx_datachunk(struct sctp_association *asoc, + list_for_each_entry(chunk, &t->transmitted, transmitted_list) + cb(chunk); + +- list_for_each_entry(chunk, &q->retransmit, list) ++ list_for_each_entry(chunk, &q->retransmit, transmitted_list) + cb(chunk); + +- list_for_each_entry(chunk, &q->sacked, list) ++ list_for_each_entry(chunk, &q->sacked, transmitted_list) + cb(chunk); + +- list_for_each_entry(chunk, &q->abandoned, list) ++ list_for_each_entry(chunk, &q->abandoned, transmitted_list) + cb(chunk); + + list_for_each_entry(chunk, &q->out_chunk_list, list) +diff --git a/net/x25/x25_dev.c b/net/x25/x25_dev.c +index 39231237e1c3..30f71620d4e3 100644 +--- a/net/x25/x25_dev.c ++++ b/net/x25/x25_dev.c +@@ -120,8 +120,10 @@ int x25_lapb_receive_frame(struct sk_buff *skb, struct net_device *dev, + goto drop; + } + +- if (!pskb_may_pull(skb, 1)) ++ if (!pskb_may_pull(skb, 1)) { ++ x25_neigh_put(nb); + return 0; ++ } + + switch (skb->data[0]) { + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index faf255439702..da9f6749b3be 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -1978,7 +1978,6 @@ static const struct hdac_io_ops pci_hda_io_ops = { + * should be ignored from the beginning. + */ + static const struct snd_pci_quirk driver_blacklist[] = { +- SND_PCI_QUIRK(0x1043, 0x874f, "ASUS ROG Zenith II / Strix", 0), + SND_PCI_QUIRK(0x1462, 0xcb59, "MSI TRX40 Creator", 0), + SND_PCI_QUIRK(0x1462, 0xcb60, "MSI TRX40", 0), + {} +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 76cf438aa339..b236e94b5808 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3500,7 +3500,7 @@ static void alc280_fixup_hp_gpio4(struct hda_codec *codec, + } + } + +-#if IS_REACHABLE(INPUT) ++#if IS_REACHABLE(CONFIG_INPUT) + static void gpio2_mic_hotkey_event(struct hda_codec *codec, + struct hda_jack_callback *event) + { +diff --git a/sound/soc/intel/atom/sst-atom-controls.c b/sound/soc/intel/atom/sst-atom-controls.c +index b070d4754745..067cee92d333 100644 +--- a/sound/soc/intel/atom/sst-atom-controls.c ++++ b/sound/soc/intel/atom/sst-atom-controls.c +@@ -963,7 +963,9 @@ static int sst_set_be_modules(struct snd_soc_dapm_widget *w, + dev_dbg(c->dev, "Enter: widget=%s\n", w->name); + + if (SND_SOC_DAPM_EVENT_ON(event)) { ++ mutex_lock(&drv->lock); + ret = sst_send_slot_map(drv); ++ mutex_unlock(&drv->lock); + if (ret) + return ret; + ret = sst_send_pipe_module_params(w, k); +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index 2798f4bb7fe4..e7714c030a2e 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -384,7 +384,7 @@ static int dapm_kcontrol_data_alloc(struct snd_soc_dapm_widget *widget, + + memset(&template, 0, sizeof(template)); + template.reg = e->reg; +- template.mask = e->mask << e->shift_l; ++ template.mask = e->mask; + template.shift = e->shift_l; + template.off_val = snd_soc_enum_item_to_val(e, 0); + template.on_val = template.off_val; +@@ -510,8 +510,22 @@ static bool dapm_kcontrol_set_value(const struct snd_kcontrol *kcontrol, + if (data->value == value) + return false; + +- if (data->widget) +- data->widget->on_val = value; ++ if (data->widget) { ++ switch (dapm_kcontrol_get_wlist(kcontrol)->widgets[0]->id) { ++ case snd_soc_dapm_switch: ++ case snd_soc_dapm_mixer: ++ case snd_soc_dapm_mixer_named_ctl: ++ data->widget->on_val = value & data->widget->mask; ++ break; ++ case snd_soc_dapm_demux: ++ case snd_soc_dapm_mux: ++ data->widget->on_val = value >> data->widget->shift; ++ break; ++ default: ++ data->widget->on_val = value; ++ break; ++ } ++ } + + data->value = value; + +diff --git a/sound/usb/format.c b/sound/usb/format.c +index 789d19ec035d..f28a41194d17 100644 +--- a/sound/usb/format.c ++++ b/sound/usb/format.c +@@ -222,6 +222,52 @@ static int parse_audio_format_rates_v1(struct snd_usb_audio *chip, struct audiof + return 0; + } + ++/* ++ * Many Focusrite devices supports a limited set of sampling rates per ++ * altsetting. Maximum rate is exposed in the last 4 bytes of Format Type ++ * descriptor which has a non-standard bLength = 10. ++ */ ++static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip, ++ struct audioformat *fp, ++ unsigned int rate) ++{ ++ struct usb_interface *iface; ++ struct usb_host_interface *alts; ++ unsigned char *fmt; ++ unsigned int max_rate; ++ ++ iface = usb_ifnum_to_if(chip->dev, fp->iface); ++ if (!iface) ++ return true; ++ ++ alts = &iface->altsetting[fp->altset_idx]; ++ fmt = snd_usb_find_csint_desc(alts->extra, alts->extralen, ++ NULL, UAC_FORMAT_TYPE); ++ if (!fmt) ++ return true; ++ ++ if (fmt[0] == 10) { /* bLength */ ++ max_rate = combine_quad(&fmt[6]); ++ ++ /* Validate max rate */ ++ if (max_rate != 48000 && ++ max_rate != 96000 && ++ max_rate != 192000 && ++ max_rate != 384000) { ++ ++ usb_audio_info(chip, ++ "%u:%d : unexpected max rate: %u\n", ++ fp->iface, fp->altsetting, max_rate); ++ ++ return true; ++ } ++ ++ return rate <= max_rate; ++ } ++ ++ return true; ++} ++ + /* + * Helper function to walk the array of sample rate triplets reported by + * the device. The problem is that we need to parse whole array first to +@@ -258,6 +304,11 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, + } + + for (rate = min; rate <= max; rate += res) { ++ /* Filter out invalid rates on Focusrite devices */ ++ if (USB_ID_VENDOR(chip->usb_id) == 0x1235 && ++ !focusrite_valid_sample_rate(chip, fp, rate)) ++ goto skip_rate; ++ + if (fp->rate_table) + fp->rate_table[nr_rates] = rate; + if (!fp->rate_min || rate < fp->rate_min) +@@ -272,6 +323,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, + break; + } + ++skip_rate: + /* avoid endless loop */ + if (res == 0) + break; +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index f4fd9548c529..723b535ca2ec 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -1519,11 +1519,15 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol, + + /* use known values for that card: interface#1 altsetting#1 */ + iface = usb_ifnum_to_if(chip->dev, 1); +- if (!iface || iface->num_altsetting < 2) +- return -EINVAL; ++ if (!iface || iface->num_altsetting < 2) { ++ err = -EINVAL; ++ goto end; ++ } + alts = &iface->altsetting[1]; +- if (get_iface_desc(alts)->bNumEndpoints < 1) +- return -EINVAL; ++ if (get_iface_desc(alts)->bNumEndpoints < 1) { ++ err = -EINVAL; ++ goto end; ++ } + ep = get_endpoint(alts, 0)->bEndpointAddress; + + err = snd_usb_ctl_msg(chip->dev, +diff --git a/sound/usb/usx2y/usbusx2yaudio.c b/sound/usb/usx2y/usbusx2yaudio.c +index 61d5dc2a3421..ca2e61c10892 100644 +--- a/sound/usb/usx2y/usbusx2yaudio.c ++++ b/sound/usb/usx2y/usbusx2yaudio.c +@@ -691,6 +691,8 @@ static int usX2Y_rate_set(struct usX2Ydev *usX2Y, int rate) + us->submitted = 2*NOOF_SETRATE_URBS; + for (i = 0; i < NOOF_SETRATE_URBS; ++i) { + struct urb *urb = us->urb[i]; ++ if (!urb) ++ continue; + if (urb->status) { + if (!err) + err = -ENODEV;