Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-alx-legacy/patches-4.9/0139-4.9.40-all-fixes.patch

    Contents of /trunk/kernel-alx-legacy/patches-4.9/0139-4.9.40-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 3608 - (show annotations) (download)
    Fri Aug 14 07:34:29 2020 UTC (3 years, 8 months ago) by niro
    File size: 138398 byte(s) 
    -added kerenl-alx-legacy pkg
    1 diff --git a/Makefile b/Makefile
    2 index a872ece51ee5..d9397a912c31 100644
    3 --- a/Makefile
    4 +++ b/Makefile
    5 @@ -1,6 +1,6 @@
    6 VERSION = 4
    7 PATCHLEVEL = 9
    8 -SUBLEVEL = 39
    9 +SUBLEVEL = 40
    10 EXTRAVERSION =
    11 NAME = Roaring Lionus
    12
    13 @@ -629,6 +629,9 @@ include arch/$(SRCARCH)/Makefile
    14
    15 KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
    16 KBUILD_CFLAGS += $(call cc-disable-warning,frame-address,)
    17 +KBUILD_CFLAGS += $(call cc-disable-warning, format-truncation)
    18 +KBUILD_CFLAGS += $(call cc-disable-warning, format-overflow)
    19 +KBUILD_CFLAGS += $(call cc-disable-warning, int-in-bool-context)
    20
    21 ifdef CONFIG_LD_DEAD_CODE_DATA_ELIMINATION
    22 KBUILD_CFLAGS += $(call cc-option,-ffunction-sections,)
    23 diff --git a/arch/mips/include/asm/branch.h b/arch/mips/include/asm/branch.h
    24 index de781cf54bc7..da80878f2c0d 100644
    25 --- a/arch/mips/include/asm/branch.h
    26 +++ b/arch/mips/include/asm/branch.h
    27 @@ -74,10 +74,7 @@ static inline int compute_return_epc(struct pt_regs *regs)
    28 return __microMIPS_compute_return_epc(regs);
    29 if (cpu_has_mips16)
    30 return __MIPS16e_compute_return_epc(regs);
    31 - return regs->cp0_epc;
    32 - }
    33 -
    34 - if (!delay_slot(regs)) {
    35 + } else if (!delay_slot(regs)) {
    36 regs->cp0_epc += 4;
    37 return 0;
    38 }
    39 diff --git a/arch/mips/kernel/branch.c b/arch/mips/kernel/branch.c
    40 index c86b66b57fc6..c3f2fb34751e 100644
    41 --- a/arch/mips/kernel/branch.c
    42 +++ b/arch/mips/kernel/branch.c
    43 @@ -399,7 +399,7 @@ int __MIPS16e_compute_return_epc(struct pt_regs *regs)
    44 *
    45 * @regs: Pointer to pt_regs
    46 * @insn: branch instruction to decode
    47 - * @returns: -EFAULT on error and forces SIGBUS, and on success
    48 + * @returns: -EFAULT on error and forces SIGILL, and on success
    49 * returns 0 or BRANCH_LIKELY_TAKEN as appropriate after
    50 * evaluating the branch.
    51 *
    52 @@ -431,7 +431,7 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    53 /* Fall through */
    54 case jr_op:
    55 if (NO_R6EMU && insn.r_format.func == jr_op)
    56 - goto sigill_r6;
    57 + goto sigill_r2r6;
    58 regs->cp0_epc = regs->regs[insn.r_format.rs];
    59 break;
    60 }
    61 @@ -446,7 +446,7 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    62 switch (insn.i_format.rt) {
    63 case bltzl_op:
    64 if (NO_R6EMU)
    65 - goto sigill_r6;
    66 + goto sigill_r2r6;
    67 case bltz_op:
    68 if ((long)regs->regs[insn.i_format.rs] < 0) {
    69 epc = epc + 4 + (insn.i_format.simmediate << 2);
    70 @@ -459,7 +459,7 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    71
    72 case bgezl_op:
    73 if (NO_R6EMU)
    74 - goto sigill_r6;
    75 + goto sigill_r2r6;
    76 case bgez_op:
    77 if ((long)regs->regs[insn.i_format.rs] >= 0) {
    78 epc = epc + 4 + (insn.i_format.simmediate << 2);
    79 @@ -473,10 +473,8 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    80 case bltzal_op:
    81 case bltzall_op:
    82 if (NO_R6EMU && (insn.i_format.rs ||
    83 - insn.i_format.rt == bltzall_op)) {
    84 - ret = -SIGILL;
    85 - break;
    86 - }
    87 + insn.i_format.rt == bltzall_op))
    88 + goto sigill_r2r6;
    89 regs->regs[31] = epc + 8;
    90 /*
    91 * OK we are here either because we hit a NAL
    92 @@ -507,10 +505,8 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    93 case bgezal_op:
    94 case bgezall_op:
    95 if (NO_R6EMU && (insn.i_format.rs ||
    96 - insn.i_format.rt == bgezall_op)) {
    97 - ret = -SIGILL;
    98 - break;
    99 - }
    100 + insn.i_format.rt == bgezall_op))
    101 + goto sigill_r2r6;
    102 regs->regs[31] = epc + 8;
    103 /*
    104 * OK we are here either because we hit a BAL
    105 @@ -556,6 +552,7 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    106 /*
    107 * These are unconditional and in j_format.
    108 */
    109 + case jalx_op:
    110 case jal_op:
    111 regs->regs[31] = regs->cp0_epc + 8;
    112 case j_op:
    113 @@ -573,7 +570,7 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    114 */
    115 case beql_op:
    116 if (NO_R6EMU)
    117 - goto sigill_r6;
    118 + goto sigill_r2r6;
    119 case beq_op:
    120 if (regs->regs[insn.i_format.rs] ==
    121 regs->regs[insn.i_format.rt]) {
    122 @@ -587,7 +584,7 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    123
    124 case bnel_op:
    125 if (NO_R6EMU)
    126 - goto sigill_r6;
    127 + goto sigill_r2r6;
    128 case bne_op:
    129 if (regs->regs[insn.i_format.rs] !=
    130 regs->regs[insn.i_format.rt]) {
    131 @@ -601,7 +598,7 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    132
    133 case blezl_op: /* not really i_format */
    134 if (!insn.i_format.rt && NO_R6EMU)
    135 - goto sigill_r6;
    136 + goto sigill_r2r6;
    137 case blez_op:
    138 /*
    139 * Compact branches for R6 for the
    140 @@ -636,7 +633,7 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    141
    142 case bgtzl_op:
    143 if (!insn.i_format.rt && NO_R6EMU)
    144 - goto sigill_r6;
    145 + goto sigill_r2r6;
    146 case bgtz_op:
    147 /*
    148 * Compact branches for R6 for the
    149 @@ -774,35 +771,27 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    150 #else
    151 case bc6_op:
    152 /* Only valid for MIPS R6 */
    153 - if (!cpu_has_mips_r6) {
    154 - ret = -SIGILL;
    155 - break;
    156 - }
    157 + if (!cpu_has_mips_r6)
    158 + goto sigill_r6;
    159 regs->cp0_epc += 8;
    160 break;
    161 case balc6_op:
    162 - if (!cpu_has_mips_r6) {
    163 - ret = -SIGILL;
    164 - break;
    165 - }
    166 + if (!cpu_has_mips_r6)
    167 + goto sigill_r6;
    168 /* Compact branch: BALC */
    169 regs->regs[31] = epc + 4;
    170 epc += 4 + (insn.i_format.simmediate << 2);
    171 regs->cp0_epc = epc;
    172 break;
    173 case pop66_op:
    174 - if (!cpu_has_mips_r6) {
    175 - ret = -SIGILL;
    176 - break;
    177 - }
    178 + if (!cpu_has_mips_r6)
    179 + goto sigill_r6;
    180 /* Compact branch: BEQZC || JIC */
    181 regs->cp0_epc += 8;
    182 break;
    183 case pop76_op:
    184 - if (!cpu_has_mips_r6) {
    185 - ret = -SIGILL;
    186 - break;
    187 - }
    188 + if (!cpu_has_mips_r6)
    189 + goto sigill_r6;
    190 /* Compact branch: BNEZC || JIALC */
    191 if (!insn.i_format.rs) {
    192 /* JIALC: set $31/ra */
    193 @@ -814,10 +803,8 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    194 case pop10_op:
    195 case pop30_op:
    196 /* Only valid for MIPS R6 */
    197 - if (!cpu_has_mips_r6) {
    198 - ret = -SIGILL;
    199 - break;
    200 - }
    201 + if (!cpu_has_mips_r6)
    202 + goto sigill_r6;
    203 /*
    204 * Compact branches:
    205 * bovc, beqc, beqzalc, bnvc, bnec, bnezlac
    206 @@ -831,11 +818,17 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
    207 return ret;
    208
    209 sigill_dsp:
    210 - printk("%s: DSP branch but not DSP ASE - sending SIGBUS.\n", current->comm);
    211 - force_sig(SIGBUS, current);
    212 + pr_info("%s: DSP branch but not DSP ASE - sending SIGILL.\n",
    213 + current->comm);
    214 + force_sig(SIGILL, current);
    215 + return -EFAULT;
    216 +sigill_r2r6:
    217 + pr_info("%s: R2 branch but r2-to-r6 emulator is not present - sending SIGILL.\n",
    218 + current->comm);
    219 + force_sig(SIGILL, current);
    220 return -EFAULT;
    221 sigill_r6:
    222 - pr_info("%s: R2 branch but r2-to-r6 emulator is not preset - sending SIGILL.\n",
    223 + pr_info("%s: R6 branch but no MIPSr6 ISA support - sending SIGILL.\n",
    224 current->comm);
    225 force_sig(SIGILL, current);
    226 return -EFAULT;
    227 diff --git a/arch/mips/kernel/proc.c b/arch/mips/kernel/proc.c
    228 index 4eff2aed7360..4c01ee5b88c9 100644
    229 --- a/arch/mips/kernel/proc.c
    230 +++ b/arch/mips/kernel/proc.c
    231 @@ -83,7 +83,7 @@ static int show_cpuinfo(struct seq_file *m, void *v)
    232 }
    233
    234 seq_printf(m, "isa\t\t\t:");
    235 - if (cpu_has_mips_r1)
    236 + if (cpu_has_mips_1)
    237 seq_printf(m, " mips1");
    238 if (cpu_has_mips_2)
    239 seq_printf(m, "%s", " mips2");
    240 diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
    241 index bf83dc1eecfb..3de026034c35 100644
    242 --- a/arch/mips/kernel/ptrace.c
    243 +++ b/arch/mips/kernel/ptrace.c
    244 @@ -924,7 +924,7 @@ asmlinkage void syscall_trace_leave(struct pt_regs *regs)
    245 audit_syscall_exit(regs);
    246
    247 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
    248 - trace_sys_exit(regs, regs->regs[2]);
    249 + trace_sys_exit(regs, regs_return_value(regs));
    250
    251 if (test_thread_flag(TIF_SYSCALL_TRACE))
    252 tracehook_report_syscall_exit(regs, 0);
    253 diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
    254 index c29d397eee86..e6be1f6210ba 100644
    255 --- a/arch/mips/kernel/scall32-o32.S
    256 +++ b/arch/mips/kernel/scall32-o32.S
    257 @@ -371,7 +371,7 @@ EXPORT(sys_call_table)
    258 PTR sys_writev
    259 PTR sys_cacheflush
    260 PTR sys_cachectl
    261 - PTR sys_sysmips
    262 + PTR __sys_sysmips
    263 PTR sys_ni_syscall /* 4150 */
    264 PTR sys_getsid
    265 PTR sys_fdatasync
    266 diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S
    267 index 0687f96ee912..aa27dafa1c78 100644
    268 --- a/arch/mips/kernel/scall64-64.S
    269 +++ b/arch/mips/kernel/scall64-64.S
    270 @@ -311,7 +311,7 @@ EXPORT(sys_call_table)
    271 PTR sys_sched_getaffinity
    272 PTR sys_cacheflush
    273 PTR sys_cachectl
    274 - PTR sys_sysmips
    275 + PTR __sys_sysmips
    276 PTR sys_io_setup /* 5200 */
    277 PTR sys_io_destroy
    278 PTR sys_io_getevents
    279 diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
    280 index 0331ba39a065..37f608f2a76f 100644
    281 --- a/arch/mips/kernel/scall64-n32.S
    282 +++ b/arch/mips/kernel/scall64-n32.S
    283 @@ -302,7 +302,7 @@ EXPORT(sysn32_call_table)
    284 PTR compat_sys_sched_getaffinity
    285 PTR sys_cacheflush
    286 PTR sys_cachectl
    287 - PTR sys_sysmips
    288 + PTR __sys_sysmips
    289 PTR compat_sys_io_setup /* 6200 */
    290 PTR sys_io_destroy
    291 PTR compat_sys_io_getevents
    292 diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
    293 index 5a47042dd25f..7913a5cf6806 100644
    294 --- a/arch/mips/kernel/scall64-o32.S
    295 +++ b/arch/mips/kernel/scall64-o32.S
    296 @@ -371,7 +371,7 @@ EXPORT(sys32_call_table)
    297 PTR compat_sys_writev
    298 PTR sys_cacheflush
    299 PTR sys_cachectl
    300 - PTR sys_sysmips
    301 + PTR __sys_sysmips
    302 PTR sys_ni_syscall /* 4150 */
    303 PTR sys_getsid
    304 PTR sys_fdatasync
    305 diff --git a/arch/mips/kernel/syscall.c b/arch/mips/kernel/syscall.c
    306 index 53a7ef9a8f32..4234b2d726c5 100644
    307 --- a/arch/mips/kernel/syscall.c
    308 +++ b/arch/mips/kernel/syscall.c
    309 @@ -28,6 +28,7 @@
    310 #include <linux/elf.h>
    311
    312 #include <asm/asm.h>
    313 +#include <asm/asm-eva.h>
    314 #include <asm/branch.h>
    315 #include <asm/cachectl.h>
    316 #include <asm/cacheflush.h>
    317 @@ -138,10 +139,12 @@ static inline int mips_atomic_set(unsigned long addr, unsigned long new)
    318 __asm__ __volatile__ (
    319 " .set "MIPS_ISA_ARCH_LEVEL" \n"
    320 " li %[err], 0 \n"
    321 - "1: ll %[old], (%[addr]) \n"
    322 + "1: \n"
    323 + user_ll("%[old]", "(%[addr])")
    324 " move %[tmp], %[new] \n"
    325 - "2: sc %[tmp], (%[addr]) \n"
    326 - " bnez %[tmp], 4f \n"
    327 + "2: \n"
    328 + user_sc("%[tmp]", "(%[addr])")
    329 + " beqz %[tmp], 4f \n"
    330 "3: \n"
    331 " .insn \n"
    332 " .subsection 2 \n"
    333 @@ -199,6 +202,12 @@ static inline int mips_atomic_set(unsigned long addr, unsigned long new)
    334 unreachable();
    335 }
    336
    337 +/*
    338 + * mips_atomic_set() normally returns directly via syscall_exit potentially
    339 + * clobbering static registers, so be sure to preserve them.
    340 + */
    341 +save_static_function(sys_sysmips);
    342 +
    343 SYSCALL_DEFINE3(sysmips, long, cmd, long, arg1, long, arg2)
    344 {
    345 switch (cmd) {
    346 diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c
    347 index f8b7bf836437..e9385bcd9723 100644
    348 --- a/arch/mips/math-emu/cp1emu.c
    349 +++ b/arch/mips/math-emu/cp1emu.c
    350 @@ -2522,6 +2522,35 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
    351 return 0;
    352 }
    353
    354 +/*
    355 + * Emulate FPU instructions.
    356 + *
    357 + * If we use FPU hardware, then we have been typically called to handle
    358 + * an unimplemented operation, such as where an operand is a NaN or
    359 + * denormalized. In that case exit the emulation loop after a single
    360 + * iteration so as to let hardware execute any subsequent instructions.
    361 + *
    362 + * If we have no FPU hardware or it has been disabled, then continue
    363 + * emulating floating-point instructions until one of these conditions
    364 + * has occurred:
    365 + *
    366 + * - a non-FPU instruction has been encountered,
    367 + *
    368 + * - an attempt to emulate has ended with a signal,
    369 + *
    370 + * - the ISA mode has been switched.
    371 + *
    372 + * We need to terminate the emulation loop if we got switched to the
    373 + * MIPS16 mode, whether supported or not, so that we do not attempt
    374 + * to emulate a MIPS16 instruction as a regular MIPS FPU instruction.
    375 + * Similarly if we got switched to the microMIPS mode and only the
    376 + * regular MIPS mode is supported, so that we do not attempt to emulate
    377 + * a microMIPS instruction as a regular MIPS FPU instruction. Or if
    378 + * we got switched to the regular MIPS mode and only the microMIPS mode
    379 + * is supported, so that we do not attempt to emulate a regular MIPS
    380 + * instruction that should cause an Address Error exception instead.
    381 + * For simplicity we always terminate upon an ISA mode switch.
    382 + */
    383 int fpu_emulator_cop1Handler(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
    384 int has_fpu, void *__user *fault_addr)
    385 {
    386 @@ -2607,6 +2636,15 @@ int fpu_emulator_cop1Handler(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
    387 break;
    388 if (sig)
    389 break;
    390 + /*
    391 + * We have to check for the ISA bit explicitly here,
    392 + * because `get_isa16_mode' may return 0 if support
    393 + * for code compression has been globally disabled,
    394 + * or otherwise we may produce the wrong signal or
    395 + * even proceed successfully where we must not.
    396 + */
    397 + if ((xcp->cp0_epc ^ prevepc) & 0x1)
    398 + break;
    399
    400 cond_resched();
    401 } while (xcp->cp0_epc > prevepc);
    402 diff --git a/arch/powerpc/include/asm/atomic.h b/arch/powerpc/include/asm/atomic.h
    403 index 2b90335194a7..a2cc8010cd72 100644
    404 --- a/arch/powerpc/include/asm/atomic.h
    405 +++ b/arch/powerpc/include/asm/atomic.h
    406 @@ -560,7 +560,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
    407 * Atomically increments @v by 1, so long as @v is non-zero.
    408 * Returns non-zero if @v was non-zero, and zero otherwise.
    409 */
    410 -static __inline__ long atomic64_inc_not_zero(atomic64_t *v)
    411 +static __inline__ int atomic64_inc_not_zero(atomic64_t *v)
    412 {
    413 long t1, t2;
    414
    415 @@ -579,7 +579,7 @@ static __inline__ long atomic64_inc_not_zero(atomic64_t *v)
    416 : "r" (&v->counter)
    417 : "cc", "xer", "memory");
    418
    419 - return t1;
    420 + return t1 != 0;
    421 }
    422
    423 #endif /* __powerpc64__ */
    424 diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
    425 index e7d9eca53af3..ceb168cd3b81 100644
    426 --- a/arch/powerpc/include/asm/reg.h
    427 +++ b/arch/powerpc/include/asm/reg.h
    428 @@ -1283,7 +1283,7 @@ static inline void msr_check_and_clear(unsigned long bits)
    429 " .llong 0\n" \
    430 ".previous" \
    431 : "=r" (rval) \
    432 - : "i" (CPU_FTR_CELL_TB_BUG), "i" (SPRN_TBRL)); \
    433 + : "i" (CPU_FTR_CELL_TB_BUG), "i" (SPRN_TBRL) : "cr0"); \
    434 rval;})
    435 #else
    436 #define mftb() ({unsigned long rval; \
    437 diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c
    438 index 6ca3b902f7b9..776c1a1f9bc2 100644
    439 --- a/arch/powerpc/lib/sstep.c
    440 +++ b/arch/powerpc/lib/sstep.c
    441 @@ -687,8 +687,10 @@ int __kprobes analyse_instr(struct instruction_op *op, struct pt_regs *regs,
    442 case 19:
    443 switch ((instr >> 1) & 0x3ff) {
    444 case 0: /* mcrf */
    445 - rd = (instr >> 21) & 0x1c;
    446 - ra = (instr >> 16) & 0x1c;
    447 + rd = 7 - ((instr >> 23) & 0x7);
    448 + ra = 7 - ((instr >> 18) & 0x7);
    449 + rd *= 4;
    450 + ra *= 4;
    451 val = (regs->ccr >> ra) & 0xf;
    452 regs->ccr = (regs->ccr & ~(0xfUL << rd)) | (val << rd);
    453 goto instr_done;
    454 @@ -968,6 +970,19 @@ int __kprobes analyse_instr(struct instruction_op *op, struct pt_regs *regs,
    455 #endif
    456
    457 case 19: /* mfcr */
    458 + if ((instr >> 20) & 1) {
    459 + imm = 0xf0000000UL;
    460 + for (sh = 0; sh < 8; ++sh) {
    461 + if (instr & (0x80000 >> sh)) {
    462 + regs->gpr[rd] = regs->ccr & imm;
    463 + break;
    464 + }
    465 + imm >>= 4;
    466 + }
    467 +
    468 + goto instr_done;
    469 + }
    470 +
    471 regs->gpr[rd] = regs->ccr;
    472 regs->gpr[rd] &= 0xffffffffUL;
    473 goto instr_done;
    474 diff --git a/arch/powerpc/mm/mmu_context_book3s64.c b/arch/powerpc/mm/mmu_context_book3s64.c
    475 index 73bf6e14c3aa..a006f822b154 100644
    476 --- a/arch/powerpc/mm/mmu_context_book3s64.c
    477 +++ b/arch/powerpc/mm/mmu_context_book3s64.c
    478 @@ -167,9 +167,15 @@ void destroy_context(struct mm_struct *mm)
    479 mm->context.cop_lockp = NULL;
    480 #endif /* CONFIG_PPC_ICSWX */
    481
    482 - if (radix_enabled())
    483 - process_tb[mm->context.id].prtb1 = 0;
    484 - else
    485 + if (radix_enabled()) {
    486 + /*
    487 + * Radix doesn't have a valid bit in the process table
    488 + * entries. However we know that at least P9 implementation
    489 + * will avoid caching an entry with an invalid RTS field,
    490 + * and 0 is invalid. So this will do.
    491 + */
    492 + process_tb[mm->context.id].prtb0 = 0;
    493 + } else
    494 subpage_prot_free(mm);
    495 destroy_pagetable_page(mm);
    496 __destroy_context(mm->context.id);
    497 diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c
    498 index f2c98f6c1c9c..a7bb872a0dc4 100644
    499 --- a/arch/powerpc/platforms/pseries/lpar.c
    500 +++ b/arch/powerpc/platforms/pseries/lpar.c
    501 @@ -279,7 +279,7 @@ static long pSeries_lpar_hpte_updatepp(unsigned long slot,
    502 int ssize, unsigned long inv_flags)
    503 {
    504 unsigned long lpar_rc;
    505 - unsigned long flags = (newpp & 7) | H_AVPN;
    506 + unsigned long flags;
    507 unsigned long want_v;
    508
    509 want_v = hpte_encode_avpn(vpn, psize, ssize);
    510 @@ -287,6 +287,11 @@ static long pSeries_lpar_hpte_updatepp(unsigned long slot,
    511 pr_devel(" update: avpnv=%016lx, hash=%016lx, f=%lx, psize: %d ...",
    512 want_v, slot, flags, psize);
    513
    514 + flags = (newpp & 7) | H_AVPN;
    515 + if (mmu_has_feature(MMU_FTR_KERNEL_RO))
    516 + /* Move pp0 into bit 8 (IBM 55) */
    517 + flags |= (newpp & HPTE_R_PP0) >> 55;
    518 +
    519 lpar_rc = plpar_pte_protect(flags, slot, want_v);
    520
    521 if (lpar_rc == H_NOT_FOUND) {
    522 @@ -358,6 +363,10 @@ static void pSeries_lpar_hpte_updateboltedpp(unsigned long newpp,
    523 BUG_ON(slot == -1);
    524
    525 flags = newpp & 7;
    526 + if (mmu_has_feature(MMU_FTR_KERNEL_RO))
    527 + /* Move pp0 into bit 8 (IBM 55) */
    528 + flags |= (newpp & HPTE_R_PP0) >> 55;
    529 +
    530 lpar_rc = plpar_pte_protect(flags, slot, 0);
    531
    532 BUG_ON(lpar_rc != H_SUCCESS);
    533 diff --git a/arch/s390/include/asm/syscall.h b/arch/s390/include/asm/syscall.h
    534 index 6ba0bf928909..6bc941be6921 100644
    535 --- a/arch/s390/include/asm/syscall.h
    536 +++ b/arch/s390/include/asm/syscall.h
    537 @@ -64,6 +64,12 @@ static inline void syscall_get_arguments(struct task_struct *task,
    538 {
    539 unsigned long mask = -1UL;
    540
    541 + /*
    542 + * No arguments for this syscall, there's nothing to do.
    543 + */
    544 + if (!n)
    545 + return;
    546 +
    547 BUG_ON(i + n > 6);
    548 #ifdef CONFIG_COMPAT
    549 if (test_tsk_thread_flag(task, TIF_31BIT))
    550 diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h
    551 index a12a047184ee..8b678af866f7 100644
    552 --- a/arch/x86/include/asm/xen/hypercall.h
    553 +++ b/arch/x86/include/asm/xen/hypercall.h
    554 @@ -43,6 +43,7 @@
    555
    556 #include <asm/page.h>
    557 #include <asm/pgtable.h>
    558 +#include <asm/smap.h>
    559
    560 #include <xen/interface/xen.h>
    561 #include <xen/interface/sched.h>
    562 @@ -214,10 +215,12 @@ privcmd_call(unsigned call,
    563 __HYPERCALL_DECLS;
    564 __HYPERCALL_5ARG(a1, a2, a3, a4, a5);
    565
    566 + stac();
    567 asm volatile("call *%[call]"
    568 : __HYPERCALL_5PARAM
    569 : [call] "a" (&hypercall_page[call])
    570 : __HYPERCALL_CLOBBER5);
    571 + clac();
    572
    573 return (long)__res;
    574 }
    575 diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
    576 index 931ced8ca345..d3e0d049a0c2 100644
    577 --- a/arch/x86/kernel/acpi/boot.c
    578 +++ b/arch/x86/kernel/acpi/boot.c
    579 @@ -338,6 +338,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
    580 struct mpc_intsrc mp_irq;
    581
    582 /*
    583 + * Check bus_irq boundary.
    584 + */
    585 + if (bus_irq >= NR_IRQS_LEGACY) {
    586 + pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
    587 + return;
    588 + }
    589 +
    590 + /*
    591 * Convert 'gsi' to 'ioapic.pin'.
    592 */
    593 ioapic = mp_find_ioapic(gsi);
    594 diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
    595 index 7249f1500bcb..cf89928dbd46 100644
    596 --- a/arch/x86/kernel/apic/io_apic.c
    597 +++ b/arch/x86/kernel/apic/io_apic.c
    598 @@ -2116,7 +2116,7 @@ static inline void __init check_timer(void)
    599 int idx;
    600 idx = find_irq_entry(apic1, pin1, mp_INT);
    601 if (idx != -1 && irq_trigger(idx))
    602 - unmask_ioapic_irq(irq_get_chip_data(0));
    603 + unmask_ioapic_irq(irq_get_irq_data(0));
    604 }
    605 irq_domain_deactivate_irq(irq_data);
    606 irq_domain_activate_irq(irq_data);
    607 diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c
    608 index 6d52b94f4bb9..20fa7c84109d 100644
    609 --- a/arch/x86/pci/fixup.c
    610 +++ b/arch/x86/pci/fixup.c
    611 @@ -571,3 +571,35 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x2fc0, pci_invalid_bar);
    612 DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6f60, pci_invalid_bar);
    613 DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fa0, pci_invalid_bar);
    614 DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_invalid_bar);
    615 +
    616 +/*
    617 + * Apple MacBook Pro: Avoid [mem 0x7fa00000-0x7fbfffff]
    618 + *
    619 + * Using the [mem 0x7fa00000-0x7fbfffff] region, e.g., by assigning it to
    620 + * the 00:1c.0 Root Port, causes a conflict with [io 0x1804], which is used
    621 + * for soft poweroff and suspend-to-RAM.
    622 + *
    623 + * As far as we know, this is related to the address space, not to the Root
    624 + * Port itself. Attaching the quirk to the Root Port is a convenience, but
    625 + * it could probably also be a standalone DMI quirk.
    626 + *
    627 + * https://bugzilla.kernel.org/show_bug.cgi?id=103211
    628 + */
    629 +static void quirk_apple_mbp_poweroff(struct pci_dev *pdev)
    630 +{
    631 + struct device *dev = &pdev->dev;
    632 + struct resource *res;
    633 +
    634 + if ((!dmi_match(DMI_PRODUCT_NAME, "MacBookPro11,4") &&
    635 + !dmi_match(DMI_PRODUCT_NAME, "MacBookPro11,5")) ||
    636 + pdev->bus->number != 0 || pdev->devfn != PCI_DEVFN(0x1c, 0))
    637 + return;
    638 +
    639 + res = request_mem_region(0x7fa00000, 0x200000,
    640 + "MacBook Pro poweroff workaround");
    641 + if (res)
    642 + dev_info(dev, "claimed %s %pR\n", res->name, res);
    643 + else
    644 + dev_info(dev, "can't work around MacBook Pro poweroff issue\n");
    645 +}
    646 +DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x8c10, quirk_apple_mbp_poweroff);
    647 diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
    648 index 22ca89242518..79152dbc5528 100644
    649 --- a/drivers/acpi/ec.c
    650 +++ b/drivers/acpi/ec.c
    651 @@ -147,7 +147,7 @@ static unsigned int ec_storm_threshold __read_mostly = 8;
    652 module_param(ec_storm_threshold, uint, 0644);
    653 MODULE_PARM_DESC(ec_storm_threshold, "Maxim false GPE numbers not considered as GPE storm");
    654
    655 -static bool ec_freeze_events __read_mostly = true;
    656 +static bool ec_freeze_events __read_mostly = false;
    657 module_param(ec_freeze_events, bool, 0644);
    658 MODULE_PARM_DESC(ec_freeze_events, "Disabling event handling during suspend/resume");
    659
    660 @@ -1865,24 +1865,6 @@ int __init acpi_ec_ecdt_probe(void)
    661 }
    662
    663 #ifdef CONFIG_PM_SLEEP
    664 -static int acpi_ec_suspend_noirq(struct device *dev)
    665 -{
    666 - struct acpi_ec *ec =
    667 - acpi_driver_data(to_acpi_device(dev));
    668 -
    669 - acpi_ec_enter_noirq(ec);
    670 - return 0;
    671 -}
    672 -
    673 -static int acpi_ec_resume_noirq(struct device *dev)
    674 -{
    675 - struct acpi_ec *ec =
    676 - acpi_driver_data(to_acpi_device(dev));
    677 -
    678 - acpi_ec_leave_noirq(ec);
    679 - return 0;
    680 -}
    681 -
    682 static int acpi_ec_suspend(struct device *dev)
    683 {
    684 struct acpi_ec *ec =
    685 @@ -1904,7 +1886,6 @@ static int acpi_ec_resume(struct device *dev)
    686 #endif
    687
    688 static const struct dev_pm_ops acpi_ec_pm = {
    689 - SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(acpi_ec_suspend_noirq, acpi_ec_resume_noirq)
    690 SET_SYSTEM_SLEEP_PM_OPS(acpi_ec_suspend, acpi_ec_resume)
    691 };
    692
    693 diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
    694 index 9ef3941eeff0..f3bc901ac930 100644
    695 --- a/drivers/acpi/nfit/core.c
    696 +++ b/drivers/acpi/nfit/core.c
    697 @@ -2945,6 +2945,8 @@ static struct acpi_driver acpi_nfit_driver = {
    698
    699 static __init int nfit_init(void)
    700 {
    701 + int ret;
    702 +
    703 BUILD_BUG_ON(sizeof(struct acpi_table_nfit) != 40);
    704 BUILD_BUG_ON(sizeof(struct acpi_nfit_system_address) != 56);
    705 BUILD_BUG_ON(sizeof(struct acpi_nfit_memory_map) != 48);
    706 @@ -2972,8 +2974,14 @@ static __init int nfit_init(void)
    707 return -ENOMEM;
    708
    709 nfit_mce_register();
    710 + ret = acpi_bus_register_driver(&acpi_nfit_driver);
    711 + if (ret) {
    712 + nfit_mce_unregister();
    713 + destroy_workqueue(nfit_wq);
    714 + }
    715 +
    716 + return ret;
    717
    718 - return acpi_bus_register_driver(&acpi_nfit_driver);
    719 }
    720
    721 static __exit void nfit_exit(void)
    722 diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
    723 index e023066e4215..8c7d0f33bd53 100644
    724 --- a/drivers/base/power/domain.c
    725 +++ b/drivers/base/power/domain.c
    726 @@ -1029,8 +1029,6 @@ static struct generic_pm_domain_data *genpd_alloc_dev_data(struct device *dev,
    727
    728 spin_unlock_irq(&dev->power.lock);
    729
    730 - dev_pm_domain_set(dev, &genpd->domain);
    731 -
    732 return gpd_data;
    733
    734 err_free:
    735 @@ -1044,8 +1042,6 @@ static struct generic_pm_domain_data *genpd_alloc_dev_data(struct device *dev,
    736 static void genpd_free_dev_data(struct device *dev,
    737 struct generic_pm_domain_data *gpd_data)
    738 {
    739 - dev_pm_domain_set(dev, NULL);
    740 -
    741 spin_lock_irq(&dev->power.lock);
    742
    743 dev->power.subsys_data->domain_data = NULL;
    744 @@ -1082,6 +1078,8 @@ static int genpd_add_device(struct generic_pm_domain *genpd, struct device *dev,
    745 if (ret)
    746 goto out;
    747
    748 + dev_pm_domain_set(dev, &genpd->domain);
    749 +
    750 genpd->device_count++;
    751 genpd->max_off_time_changed = true;
    752
    753 @@ -1143,6 +1141,8 @@ static int genpd_remove_device(struct generic_pm_domain *genpd,
    754 if (genpd->detach_dev)
    755 genpd->detach_dev(genpd, dev);
    756
    757 + dev_pm_domain_set(dev, NULL);
    758 +
    759 list_del_init(&pdd->list_node);
    760
    761 mutex_unlock(&genpd->lock);
    762 @@ -1244,7 +1244,7 @@ EXPORT_SYMBOL_GPL(pm_genpd_add_subdomain);
    763 int pm_genpd_remove_subdomain(struct generic_pm_domain *genpd,
    764 struct generic_pm_domain *subdomain)
    765 {
    766 - struct gpd_link *link;
    767 + struct gpd_link *l, *link;
    768 int ret = -EINVAL;
    769
    770 if (IS_ERR_OR_NULL(genpd) || IS_ERR_OR_NULL(subdomain))
    771 @@ -1260,7 +1260,7 @@ int pm_genpd_remove_subdomain(struct generic_pm_domain *genpd,
    772 goto out;
    773 }
    774
    775 - list_for_each_entry(link, &genpd->master_links, master_node) {
    776 + list_for_each_entry_safe(link, l, &genpd->master_links, master_node) {
    777 if (link->slave != subdomain)
    778 continue;
    779
    780 @@ -1607,12 +1607,12 @@ EXPORT_SYMBOL_GPL(of_genpd_add_provider_onecell);
    781 */
    782 void of_genpd_del_provider(struct device_node *np)
    783 {
    784 - struct of_genpd_provider *cp;
    785 + struct of_genpd_provider *cp, *tmp;
    786 struct generic_pm_domain *gpd;
    787
    788 mutex_lock(&gpd_list_lock);
    789 mutex_lock(&of_genpd_mutex);
    790 - list_for_each_entry(cp, &of_genpd_providers, link) {
    791 + list_for_each_entry_safe(cp, tmp, &of_genpd_providers, link) {
    792 if (cp->node == np) {
    793 /*
    794 * For each PM domain associated with the
    795 @@ -1752,14 +1752,14 @@ EXPORT_SYMBOL_GPL(of_genpd_add_subdomain);
    796 */
    797 struct generic_pm_domain *of_genpd_remove_last(struct device_node *np)
    798 {
    799 - struct generic_pm_domain *gpd, *genpd = ERR_PTR(-ENOENT);
    800 + struct generic_pm_domain *gpd, *tmp, *genpd = ERR_PTR(-ENOENT);
    801 int ret;
    802
    803 if (IS_ERR_OR_NULL(np))
    804 return ERR_PTR(-EINVAL);
    805
    806 mutex_lock(&gpd_list_lock);
    807 - list_for_each_entry(gpd, &gpd_list, gpd_list_node) {
    808 + list_for_each_entry_safe(gpd, tmp, &gpd_list, gpd_list_node) {
    809 if (gpd->provider == &np->fwnode) {
    810 ret = genpd_remove(gpd);
    811 genpd = ret ? ERR_PTR(ret) : gpd;
    812 diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
    813 index fcdd886819f5..172a9dc06ec9 100644
    814 --- a/drivers/char/ipmi/ipmi_msghandler.c
    815 +++ b/drivers/char/ipmi/ipmi_msghandler.c
    816 @@ -3877,6 +3877,9 @@ static void smi_recv_tasklet(unsigned long val)
    817 * because the lower layer is allowed to hold locks while calling
    818 * message delivery.
    819 */
    820 +
    821 + rcu_read_lock();
    822 +
    823 if (!run_to_completion)
    824 spin_lock_irqsave(&intf->xmit_msgs_lock, flags);
    825 if (intf->curr_msg == NULL && !intf->in_shutdown) {
    826 @@ -3899,6 +3902,8 @@ static void smi_recv_tasklet(unsigned long val)
    827 if (newmsg)
    828 intf->handlers->sender(intf->send_info, newmsg);
    829
    830 + rcu_read_unlock();
    831 +
    832 handle_new_recv_msgs(intf);
    833 }
    834
    835 diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
    836 index 6958b5ce9145..510fc104bcdc 100644
    837 --- a/drivers/char/ipmi/ipmi_ssif.c
    838 +++ b/drivers/char/ipmi/ipmi_ssif.c
    839 @@ -762,6 +762,11 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
    840 result, len, data[2]);
    841 } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
    842 || data[1] != IPMI_GET_MSG_FLAGS_CMD) {
    843 + /*
    844 + * Don't abort here, maybe it was a queued
    845 + * response to a previous command.
    846 + */
    847 + ipmi_ssif_unlock_cond(ssif_info, flags);
    848 pr_warn(PFX "Invalid response getting flags: %x %x\n",
    849 data[0], data[1]);
    850 } else {
    851 diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
    852 index dcaf691f56b5..264899df9bfc 100644
    853 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
    854 +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
    855 @@ -1419,6 +1419,9 @@ static ssize_t amdgpu_ttm_vram_read(struct file *f, char __user *buf,
    856 if (size & 0x3 || *pos & 0x3)
    857 return -EINVAL;
    858
    859 + if (*pos >= adev->mc.mc_vram_size)
    860 + return -ENXIO;
    861 +
    862 while (size) {
    863 unsigned long flags;
    864 uint32_t value;
    865 diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
    866 index f59771da52ee..db7890cb254e 100644
    867 --- a/drivers/gpu/drm/drm_dp_mst_topology.c
    868 +++ b/drivers/gpu/drm/drm_dp_mst_topology.c
    869 @@ -330,6 +330,13 @@ static bool drm_dp_sideband_msg_build(struct drm_dp_sideband_msg_rx *msg,
    870 return false;
    871 }
    872
    873 + /*
    874 + * ignore out-of-order messages or messages that are part of a
    875 + * failed transaction
    876 + */
    877 + if (!recv_hdr.somt && !msg->have_somt)
    878 + return false;
    879 +
    880 /* get length contained in this portion */
    881 msg->curchunk_len = recv_hdr.msg_len;
    882 msg->curchunk_hdrlen = hdrlen;
    883 @@ -2168,7 +2175,7 @@ int drm_dp_mst_topology_mgr_resume(struct drm_dp_mst_topology_mgr *mgr)
    884 }
    885 EXPORT_SYMBOL(drm_dp_mst_topology_mgr_resume);
    886
    887 -static void drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up)
    888 +static bool drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up)
    889 {
    890 int len;
    891 u8 replyblock[32];
    892 @@ -2183,12 +2190,12 @@ static void drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up)
    893 replyblock, len);
    894 if (ret != len) {
    895 DRM_DEBUG_KMS("failed to read DPCD down rep %d %d\n", len, ret);
    896 - return;
    897 + return false;
    898 }
    899 ret = drm_dp_sideband_msg_build(msg, replyblock, len, true);
    900 if (!ret) {
    901 DRM_DEBUG_KMS("sideband msg build failed %d\n", replyblock[0]);
    902 - return;
    903 + return false;
    904 }
    905 replylen = msg->curchunk_len + msg->curchunk_hdrlen;
    906
    907 @@ -2200,21 +2207,32 @@ static void drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up)
    908 ret = drm_dp_dpcd_read(mgr->aux, basereg + curreply,
    909 replyblock, len);
    910 if (ret != len) {
    911 - DRM_DEBUG_KMS("failed to read a chunk\n");
    912 + DRM_DEBUG_KMS("failed to read a chunk (len %d, ret %d)\n",
    913 + len, ret);
    914 + return false;
    915 }
    916 +
    917 ret = drm_dp_sideband_msg_build(msg, replyblock, len, false);
    918 - if (ret == false)
    919 + if (!ret) {
    920 DRM_DEBUG_KMS("failed to build sideband msg\n");
    921 + return false;
    922 + }
    923 +
    924 curreply += len;
    925 replylen -= len;
    926 }
    927 + return true;
    928 }
    929
    930 static int drm_dp_mst_handle_down_rep(struct drm_dp_mst_topology_mgr *mgr)
    931 {
    932 int ret = 0;
    933
    934 - drm_dp_get_one_sb_msg(mgr, false);
    935 + if (!drm_dp_get_one_sb_msg(mgr, false)) {
    936 + memset(&mgr->down_rep_recv, 0,
    937 + sizeof(struct drm_dp_sideband_msg_rx));
    938 + return 0;
    939 + }
    940
    941 if (mgr->down_rep_recv.have_eomt) {
    942 struct drm_dp_sideband_msg_tx *txmsg;
    943 @@ -2270,7 +2288,12 @@ static int drm_dp_mst_handle_down_rep(struct drm_dp_mst_topology_mgr *mgr)
    944 static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
    945 {
    946 int ret = 0;
    947 - drm_dp_get_one_sb_msg(mgr, true);
    948 +
    949 + if (!drm_dp_get_one_sb_msg(mgr, true)) {
    950 + memset(&mgr->up_req_recv, 0,
    951 + sizeof(struct drm_dp_sideband_msg_rx));
    952 + return 0;
    953 + }
    954
    955 if (mgr->up_req_recv.have_eomt) {
    956 struct drm_dp_sideband_msg_req_body msg;
    957 @@ -2322,7 +2345,9 @@ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
    958 DRM_DEBUG_KMS("Got RSN: pn: %d avail_pbn %d\n", msg.u.resource_stat.port_number, msg.u.resource_stat.available_pbn);
    959 }
    960
    961 - drm_dp_put_mst_branch_device(mstb);
    962 + if (mstb)
    963 + drm_dp_put_mst_branch_device(mstb);
    964 +
    965 memset(&mgr->up_req_recv, 0, sizeof(struct drm_dp_sideband_msg_rx));
    966 }
    967 return ret;
    968 diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c
    969 index 56bb758f4e33..7bb1e531325b 100644
    970 --- a/drivers/gpu/drm/radeon/atombios_encoders.c
    971 +++ b/drivers/gpu/drm/radeon/atombios_encoders.c
    972 @@ -30,6 +30,7 @@
    973 #include "radeon_audio.h"
    974 #include "atom.h"
    975 #include <linux/backlight.h>
    976 +#include <linux/dmi.h>
    977
    978 extern int atom_debug;
    979
    980 @@ -2183,9 +2184,17 @@ int radeon_atom_pick_dig_encoder(struct drm_encoder *encoder, int fe_idx)
    981 goto assigned;
    982 }
    983
    984 - /* on DCE32 and encoder can driver any block so just crtc id */
    985 + /*
    986 + * On DCE32 any encoder can drive any block so usually just use crtc id,
    987 + * but Apple thinks different at least on iMac10,1, so there use linkb,
    988 + * otherwise the internal eDP panel will stay dark.
    989 + */
    990 if (ASIC_IS_DCE32(rdev)) {
    991 - enc_idx = radeon_crtc->crtc_id;
    992 + if (dmi_match(DMI_PRODUCT_NAME, "iMac10,1"))
    993 + enc_idx = (dig->linkb) ? 1 : 0;
    994 + else
    995 + enc_idx = radeon_crtc->crtc_id;
    996 +
    997 goto assigned;
    998 }
    999
    1000 diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c
    1001 index ea36dc4dd5d2..24810492d2c1 100644
    1002 --- a/drivers/gpu/drm/radeon/ci_dpm.c
    1003 +++ b/drivers/gpu/drm/radeon/ci_dpm.c
    1004 @@ -782,6 +782,12 @@ bool ci_dpm_vblank_too_short(struct radeon_device *rdev)
    1005 if (r600_dpm_get_vrefresh(rdev) > 120)
    1006 return true;
    1007
    1008 + /* disable mclk switching if the refresh is >120Hz, even if the
    1009 + * blanking period would allow it
    1010 + */
    1011 + if (r600_dpm_get_vrefresh(rdev) > 120)
    1012 + return true;
    1013 +
    1014 if (vblank_time < switch_limit)
    1015 return true;
    1016 else
    1017 diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
    1018 index 35cc16f9fec9..d09276ec7e90 100644
    1019 --- a/drivers/gpu/drm/ttm/ttm_bo.c
    1020 +++ b/drivers/gpu/drm/ttm/ttm_bo.c
    1021 @@ -1343,7 +1343,6 @@ int ttm_bo_clean_mm(struct ttm_bo_device *bdev, unsigned mem_type)
    1022 mem_type);
    1023 return ret;
    1024 }
    1025 - fence_put(man->move);
    1026
    1027 man->use_type = false;
    1028 man->has_type = false;
    1029 @@ -1355,6 +1354,9 @@ int ttm_bo_clean_mm(struct ttm_bo_device *bdev, unsigned mem_type)
    1030 ret = (*man->func->takedown)(man);
    1031 }
    1032
    1033 + fence_put(man->move);
    1034 + man->move = NULL;
    1035 +
    1036 return ret;
    1037 }
    1038 EXPORT_SYMBOL(ttm_bo_clean_mm);
    1039 diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
    1040 index 8fd108d89527..63e82f8e8308 100644
    1041 --- a/drivers/infiniband/core/addr.c
    1042 +++ b/drivers/infiniband/core/addr.c
    1043 @@ -518,6 +518,11 @@ static int addr_resolve(struct sockaddr *src_in,
    1044 struct dst_entry *dst;
    1045 int ret;
    1046
    1047 + if (!addr->net) {
    1048 + pr_warn_ratelimited("%s: missing namespace\n", __func__);
    1049 + return -EINVAL;
    1050 + }
    1051 +
    1052 if (src_in->sa_family == AF_INET) {
    1053 struct rtable *rt = NULL;
    1054 const struct sockaddr_in *dst_in4 =
    1055 @@ -555,7 +560,6 @@ static int addr_resolve(struct sockaddr *src_in,
    1056 }
    1057
    1058 addr->bound_dev_if = ndev->ifindex;
    1059 - addr->net = dev_net(ndev);
    1060 dev_put(ndev);
    1061
    1062 return ret;
    1063 diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
    1064 index f2d40c05ef9e..809a02800102 100644
    1065 --- a/drivers/infiniband/core/cma.c
    1066 +++ b/drivers/infiniband/core/cma.c
    1067 @@ -976,6 +976,8 @@ int rdma_init_qp_attr(struct rdma_cm_id *id, struct ib_qp_attr *qp_attr,
    1068 } else
    1069 ret = iw_cm_init_qp_attr(id_priv->cm_id.iw, qp_attr,
    1070 qp_attr_mask);
    1071 + qp_attr->port_num = id_priv->id.port_num;
    1072 + *qp_attr_mask |= IB_QP_PORT;
    1073 } else
    1074 ret = -ENOSYS;
    1075
    1076 diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
    1077 index 1fb31a47966d..0a260a06876d 100644
    1078 --- a/drivers/infiniband/hw/mlx5/mr.c
    1079 +++ b/drivers/infiniband/hw/mlx5/mr.c
    1080 @@ -1823,7 +1823,7 @@ mlx5_ib_sg_to_klms(struct mlx5_ib_mr *mr,
    1081 mr->ndescs = sg_nents;
    1082
    1083 for_each_sg(sgl, sg, sg_nents, i) {
    1084 - if (unlikely(i > mr->max_descs))
    1085 + if (unlikely(i >= mr->max_descs))
    1086 break;
    1087 klms[i].va = cpu_to_be64(sg_dma_address(sg) + sg_offset);
    1088 klms[i].bcount = cpu_to_be32(sg_dma_len(sg) - sg_offset);
    1089 diff --git a/drivers/infiniband/ulp/iser/iscsi_iser.c b/drivers/infiniband/ulp/iser/iscsi_iser.c
    1090 index 140f3f354cf3..e46e2b095c18 100644
    1091 --- a/drivers/infiniband/ulp/iser/iscsi_iser.c
    1092 +++ b/drivers/infiniband/ulp/iser/iscsi_iser.c
    1093 @@ -83,6 +83,7 @@ static struct scsi_host_template iscsi_iser_sht;
    1094 static struct iscsi_transport iscsi_iser_transport;
    1095 static struct scsi_transport_template *iscsi_iser_scsi_transport;
    1096 static struct workqueue_struct *release_wq;
    1097 +static DEFINE_MUTEX(unbind_iser_conn_mutex);
    1098 struct iser_global ig;
    1099
    1100 int iser_debug_level = 0;
    1101 @@ -550,12 +551,14 @@ iscsi_iser_conn_stop(struct iscsi_cls_conn *cls_conn, int flag)
    1102 */
    1103 if (iser_conn) {
    1104 mutex_lock(&iser_conn->state_mutex);
    1105 + mutex_lock(&unbind_iser_conn_mutex);
    1106 iser_conn_terminate(iser_conn);
    1107 iscsi_conn_stop(cls_conn, flag);
    1108
    1109 /* unbind */
    1110 iser_conn->iscsi_conn = NULL;
    1111 conn->dd_data = NULL;
    1112 + mutex_unlock(&unbind_iser_conn_mutex);
    1113
    1114 complete(&iser_conn->stop_completion);
    1115 mutex_unlock(&iser_conn->state_mutex);
    1116 @@ -973,13 +976,21 @@ static int iscsi_iser_slave_alloc(struct scsi_device *sdev)
    1117 struct iser_conn *iser_conn;
    1118 struct ib_device *ib_dev;
    1119
    1120 + mutex_lock(&unbind_iser_conn_mutex);
    1121 +
    1122 session = starget_to_session(scsi_target(sdev))->dd_data;
    1123 iser_conn = session->leadconn->dd_data;
    1124 + if (!iser_conn) {
    1125 + mutex_unlock(&unbind_iser_conn_mutex);
    1126 + return -ENOTCONN;
    1127 + }
    1128 ib_dev = iser_conn->ib_conn.device->ib_device;
    1129
    1130 if (!(ib_dev->attrs.device_cap_flags & IB_DEVICE_SG_GAPS_REG))
    1131 blk_queue_virt_boundary(sdev->request_queue, ~MASK_4K);
    1132
    1133 + mutex_unlock(&unbind_iser_conn_mutex);
    1134 +
    1135 return 0;
    1136 }
    1137
    1138 diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
    1139 index 6dd43f63238e..39d28375aa37 100644
    1140 --- a/drivers/infiniband/ulp/isert/ib_isert.c
    1141 +++ b/drivers/infiniband/ulp/isert/ib_isert.c
    1142 @@ -1447,7 +1447,7 @@ static void
    1143 isert_login_recv_done(struct ib_cq *cq, struct ib_wc *wc)
    1144 {
    1145 struct isert_conn *isert_conn = wc->qp->qp_context;
    1146 - struct ib_device *ib_dev = isert_conn->cm_id->device;
    1147 + struct ib_device *ib_dev = isert_conn->device->ib_device;
    1148
    1149 if (unlikely(wc->status != IB_WC_SUCCESS)) {
    1150 isert_print_wc(wc, "login recv");
    1151 diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c
    1152 index 89abfdb539ac..c84c685056b9 100644
    1153 --- a/drivers/input/serio/i8042.c
    1154 +++ b/drivers/input/serio/i8042.c
    1155 @@ -434,8 +434,10 @@ static int i8042_start(struct serio *serio)
    1156 {
    1157 struct i8042_port *port = serio->port_data;
    1158
    1159 + spin_lock_irq(&i8042_lock);
    1160 port->exists = true;
    1161 - mb();
    1162 + spin_unlock_irq(&i8042_lock);
    1163 +
    1164 return 0;
    1165 }
    1166
    1167 @@ -448,16 +450,20 @@ static void i8042_stop(struct serio *serio)
    1168 {
    1169 struct i8042_port *port = serio->port_data;
    1170
    1171 + spin_lock_irq(&i8042_lock);
    1172 port->exists = false;
    1173 + port->serio = NULL;
    1174 + spin_unlock_irq(&i8042_lock);
    1175
    1176 /*
    1177 + * We need to make sure that interrupt handler finishes using
    1178 + * our serio port before we return from this function.
    1179 * We synchronize with both AUX and KBD IRQs because there is
    1180 * a (very unlikely) chance that AUX IRQ is raised for KBD port
    1181 * and vice versa.
    1182 */
    1183 synchronize_irq(I8042_AUX_IRQ);
    1184 synchronize_irq(I8042_KBD_IRQ);
    1185 - port->serio = NULL;
    1186 }
    1187
    1188 /*
    1189 @@ -574,7 +580,7 @@ static irqreturn_t i8042_interrupt(int irq, void *dev_id)
    1190
    1191 spin_unlock_irqrestore(&i8042_lock, flags);
    1192
    1193 - if (likely(port->exists && !filtered))
    1194 + if (likely(serio && !filtered))
    1195 serio_interrupt(serio, data, dfl);
    1196
    1197 out:
    1198 diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
    1199 index ac8235bda61b..0d437c98ab08 100644
    1200 --- a/drivers/md/dm-mpath.c
    1201 +++ b/drivers/md/dm-mpath.c
    1202 @@ -431,7 +431,7 @@ static struct pgpath *choose_pgpath(struct multipath *m, size_t nr_bytes)
    1203 unsigned long flags;
    1204 struct priority_group *pg;
    1205 struct pgpath *pgpath;
    1206 - bool bypassed = true;
    1207 + unsigned bypassed = 1;
    1208
    1209 if (!atomic_read(&m->nr_valid_paths)) {
    1210 clear_bit(MPATHF_QUEUE_IO, &m->flags);
    1211 @@ -470,7 +470,7 @@ static struct pgpath *choose_pgpath(struct multipath *m, size_t nr_bytes)
    1212 */
    1213 do {
    1214 list_for_each_entry(pg, &m->priority_groups, list) {
    1215 - if (pg->bypassed == bypassed)
    1216 + if (pg->bypassed == !!bypassed)
    1217 continue;
    1218 pgpath = choose_path_in_pg(m, pg, nr_bytes);
    1219 if (!IS_ERR_OR_NULL(pgpath)) {
    1220 diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
    1221 index 29e2df5cd77b..81a78757bc78 100644
    1222 --- a/drivers/md/raid1.c
    1223 +++ b/drivers/md/raid1.c
    1224 @@ -1073,7 +1073,7 @@ static void raid1_make_request(struct mddev *mddev, struct bio * bio)
    1225 */
    1226 DEFINE_WAIT(w);
    1227 for (;;) {
    1228 - flush_signals(current);
    1229 + sigset_t full, old;
    1230 prepare_to_wait(&conf->wait_barrier,
    1231 &w, TASK_INTERRUPTIBLE);
    1232 if (bio_end_sector(bio) <= mddev->suspend_lo ||
    1233 @@ -1082,7 +1082,10 @@ static void raid1_make_request(struct mddev *mddev, struct bio * bio)
    1234 !md_cluster_ops->area_resyncing(mddev, WRITE,
    1235 bio->bi_iter.bi_sector, bio_end_sector(bio))))
    1236 break;
    1237 + sigfillset(&full);
    1238 + sigprocmask(SIG_BLOCK, &full, &old);
    1239 schedule();
    1240 + sigprocmask(SIG_SETMASK, &old, NULL);
    1241 }
    1242 finish_wait(&conf->wait_barrier, &w);
    1243 }
    1244 diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
    1245 index f34ad2be66a1..8f117d6372c9 100644
    1246 --- a/drivers/md/raid5.c
    1247 +++ b/drivers/md/raid5.c
    1248 @@ -5300,12 +5300,15 @@ static void raid5_make_request(struct mddev *mddev, struct bio * bi)
    1249 * userspace, we want an interruptible
    1250 * wait.
    1251 */
    1252 - flush_signals(current);
    1253 prepare_to_wait(&conf->wait_for_overlap,
    1254 &w, TASK_INTERRUPTIBLE);
    1255 if (logical_sector >= mddev->suspend_lo &&
    1256 logical_sector < mddev->suspend_hi) {
    1257 + sigset_t full, old;
    1258 + sigfillset(&full);
    1259 + sigprocmask(SIG_BLOCK, &full, &old);
    1260 schedule();
    1261 + sigprocmask(SIG_SETMASK, &old, NULL);
    1262 do_prepare = true;
    1263 }
    1264 goto retry;
    1265 @@ -7557,12 +7560,10 @@ static void end_reshape(struct r5conf *conf)
    1266 {
    1267
    1268 if (!test_bit(MD_RECOVERY_INTR, &conf->mddev->recovery)) {
    1269 - struct md_rdev *rdev;
    1270
    1271 spin_lock_irq(&conf->device_lock);
    1272 conf->previous_raid_disks = conf->raid_disks;
    1273 - rdev_for_each(rdev, conf->mddev)
    1274 - rdev->data_offset = rdev->new_data_offset;
    1275 + md_finish_reshape(conf->mddev);
    1276 smp_wmb();
    1277 conf->reshape_progress = MaxSector;
    1278 conf->mddev->reshape_position = MaxSector;
    1279 diff --git a/drivers/media/pci/cx88/cx88-cards.c b/drivers/media/pci/cx88/cx88-cards.c
    1280 index 8f2556ec3971..61611d1682d1 100644
    1281 --- a/drivers/media/pci/cx88/cx88-cards.c
    1282 +++ b/drivers/media/pci/cx88/cx88-cards.c
    1283 @@ -3691,7 +3691,14 @@ struct cx88_core *cx88_core_create(struct pci_dev *pci, int nr)
    1284 core->nr = nr;
    1285 sprintf(core->name, "cx88[%d]", core->nr);
    1286
    1287 - core->tvnorm = V4L2_STD_NTSC_M;
    1288 + /*
    1289 + * Note: Setting initial standard here would cause first call to
    1290 + * cx88_set_tvnorm() to return without programming any registers. Leave
    1291 + * it blank for at this point and it will get set later in
    1292 + * cx8800_initdev()
    1293 + */
    1294 + core->tvnorm = 0;
    1295 +
    1296 core->width = 320;
    1297 core->height = 240;
    1298 core->field = V4L2_FIELD_INTERLACED;
    1299 diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c
    1300 index d83eb3b10f54..3b140ad598de 100644
    1301 --- a/drivers/media/pci/cx88/cx88-video.c
    1302 +++ b/drivers/media/pci/cx88/cx88-video.c
    1303 @@ -1422,7 +1422,7 @@ static int cx8800_initdev(struct pci_dev *pci_dev,
    1304
    1305 /* initial device configuration */
    1306 mutex_lock(&core->lock);
    1307 - cx88_set_tvnorm(core, core->tvnorm);
    1308 + cx88_set_tvnorm(core, V4L2_STD_NTSC_M);
    1309 v4l2_ctrl_handler_setup(&core->video_hdl);
    1310 v4l2_ctrl_handler_setup(&core->audio_hdl);
    1311 cx88_video_mux(core, 0);
    1312 diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c
    1313 index 52dc7941db65..1da2c94e1dca 100644
    1314 --- a/drivers/media/platform/s5p-jpeg/jpeg-core.c
    1315 +++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c
    1316 @@ -1099,10 +1099,10 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
    1317 struct s5p_jpeg_ctx *ctx)
    1318 {
    1319 int c, components = 0, notfound, n_dht = 0, n_dqt = 0;
    1320 - unsigned int height, width, word, subsampling = 0, sos = 0, sof = 0,
    1321 - sof_len = 0;
    1322 - unsigned int dht[S5P_JPEG_MAX_MARKER], dht_len[S5P_JPEG_MAX_MARKER],
    1323 - dqt[S5P_JPEG_MAX_MARKER], dqt_len[S5P_JPEG_MAX_MARKER];
    1324 + unsigned int height = 0, width = 0, word, subsampling = 0;
    1325 + unsigned int sos = 0, sof = 0, sof_len = 0;
    1326 + unsigned int dht[S5P_JPEG_MAX_MARKER], dht_len[S5P_JPEG_MAX_MARKER];
    1327 + unsigned int dqt[S5P_JPEG_MAX_MARKER], dqt_len[S5P_JPEG_MAX_MARKER];
    1328 long length;
    1329 struct s5p_jpeg_buffer jpeg_buffer;
    1330
    1331 diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
    1332 index 86cc70fe2534..2d4b83635018 100644
    1333 --- a/drivers/media/rc/imon.c
    1334 +++ b/drivers/media/rc/imon.c
    1335 @@ -1629,7 +1629,7 @@ static void imon_incoming_packet(struct imon_context *ictx,
    1336 if (kc == KEY_KEYBOARD && !ictx->release_code) {
    1337 ictx->last_keycode = kc;
    1338 if (!nomouse) {
    1339 - ictx->pad_mouse = ~(ictx->pad_mouse) & 0x1;
    1340 + ictx->pad_mouse = !ictx->pad_mouse;
    1341 dev_dbg(dev, "toggling to %s mode\n",
    1342 ictx->pad_mouse ? "mouse" : "keyboard");
    1343 spin_unlock_irqrestore(&ictx->kc_lock, flags);
    1344 diff --git a/drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c b/drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c
    1345 index 283495c84ba3..aab8eeec601f 100644
    1346 --- a/drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c
    1347 +++ b/drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c
    1348 @@ -320,7 +320,7 @@ static int mxl111sf_i2c_sw_xfer_msg(struct mxl111sf_state *state,
    1349 static int mxl111sf_i2c_send_data(struct mxl111sf_state *state,
    1350 u8 index, u8 *wdata)
    1351 {
    1352 - int ret = mxl111sf_ctrl_msg(state->d, wdata[0],
    1353 + int ret = mxl111sf_ctrl_msg(state, wdata[0],
    1354 &wdata[1], 25, NULL, 0);
    1355 mxl_fail(ret);
    1356
    1357 @@ -330,7 +330,7 @@ static int mxl111sf_i2c_send_data(struct mxl111sf_state *state,
    1358 static int mxl111sf_i2c_get_data(struct mxl111sf_state *state,
    1359 u8 index, u8 *wdata, u8 *rdata)
    1360 {
    1361 - int ret = mxl111sf_ctrl_msg(state->d, wdata[0],
    1362 + int ret = mxl111sf_ctrl_msg(state, wdata[0],
    1363 &wdata[1], 25, rdata, 24);
    1364 mxl_fail(ret);
    1365
    1366 diff --git a/drivers/media/usb/dvb-usb-v2/mxl111sf.c b/drivers/media/usb/dvb-usb-v2/mxl111sf.c
    1367 index 5d676b533a3a..f1f448650e6f 100644
    1368 --- a/drivers/media/usb/dvb-usb-v2/mxl111sf.c
    1369 +++ b/drivers/media/usb/dvb-usb-v2/mxl111sf.c
    1370 @@ -24,9 +24,6 @@
    1371 #include "lgdt3305.h"
    1372 #include "lg2160.h"
    1373
    1374 -/* Max transfer size done by I2C transfer functions */
    1375 -#define MAX_XFER_SIZE 64
    1376 -
    1377 int dvb_usb_mxl111sf_debug;
    1378 module_param_named(debug, dvb_usb_mxl111sf_debug, int, 0644);
    1379 MODULE_PARM_DESC(debug, "set debugging level "
    1380 @@ -56,27 +53,34 @@ MODULE_PARM_DESC(rfswitch, "force rf switch position (0=auto, 1=ext, 2=int).");
    1381
    1382 DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr);
    1383
    1384 -int mxl111sf_ctrl_msg(struct dvb_usb_device *d,
    1385 +int mxl111sf_ctrl_msg(struct mxl111sf_state *state,
    1386 u8 cmd, u8 *wbuf, int wlen, u8 *rbuf, int rlen)
    1387 {
    1388 + struct dvb_usb_device *d = state->d;
    1389 int wo = (rbuf == NULL || rlen == 0); /* write-only */
    1390 int ret;
    1391 - u8 sndbuf[MAX_XFER_SIZE];
    1392
    1393 - if (1 + wlen > sizeof(sndbuf)) {
    1394 + if (1 + wlen > MXL_MAX_XFER_SIZE) {
    1395 pr_warn("%s: len=%d is too big!\n", __func__, wlen);
    1396 return -EOPNOTSUPP;
    1397 }
    1398
    1399 pr_debug("%s(wlen = %d, rlen = %d)\n", __func__, wlen, rlen);
    1400
    1401 - memset(sndbuf, 0, 1+wlen);
    1402 + mutex_lock(&state->msg_lock);
    1403 + memset(state->sndbuf, 0, 1+wlen);
    1404 + memset(state->rcvbuf, 0, rlen);
    1405 +
    1406 + state->sndbuf[0] = cmd;
    1407 + memcpy(&state->sndbuf[1], wbuf, wlen);
    1408
    1409 - sndbuf[0] = cmd;
    1410 - memcpy(&sndbuf[1], wbuf, wlen);
    1411 + ret = (wo) ? dvb_usbv2_generic_write(d, state->sndbuf, 1+wlen) :
    1412 + dvb_usbv2_generic_rw(d, state->sndbuf, 1+wlen, state->rcvbuf,
    1413 + rlen);
    1414 +
    1415 + memcpy(rbuf, state->rcvbuf, rlen);
    1416 + mutex_unlock(&state->msg_lock);
    1417
    1418 - ret = (wo) ? dvb_usbv2_generic_write(d, sndbuf, 1+wlen) :
    1419 - dvb_usbv2_generic_rw(d, sndbuf, 1+wlen, rbuf, rlen);
    1420 mxl_fail(ret);
    1421
    1422 return ret;
    1423 @@ -92,7 +96,7 @@ int mxl111sf_read_reg(struct mxl111sf_state *state, u8 addr, u8 *data)
    1424 u8 buf[2];
    1425 int ret;
    1426
    1427 - ret = mxl111sf_ctrl_msg(state->d, MXL_CMD_REG_READ, &addr, 1, buf, 2);
    1428 + ret = mxl111sf_ctrl_msg(state, MXL_CMD_REG_READ, &addr, 1, buf, 2);
    1429 if (mxl_fail(ret)) {
    1430 mxl_debug("error reading reg: 0x%02x", addr);
    1431 goto fail;
    1432 @@ -118,7 +122,7 @@ int mxl111sf_write_reg(struct mxl111sf_state *state, u8 addr, u8 data)
    1433
    1434 pr_debug("W: (0x%02x, 0x%02x)\n", addr, data);
    1435
    1436 - ret = mxl111sf_ctrl_msg(state->d, MXL_CMD_REG_WRITE, buf, 2, NULL, 0);
    1437 + ret = mxl111sf_ctrl_msg(state, MXL_CMD_REG_WRITE, buf, 2, NULL, 0);
    1438 if (mxl_fail(ret))
    1439 pr_err("error writing reg: 0x%02x, val: 0x%02x", addr, data);
    1440 return ret;
    1441 @@ -922,6 +926,8 @@ static int mxl111sf_init(struct dvb_usb_device *d)
    1442 static u8 eeprom[256];
    1443 struct i2c_client c;
    1444
    1445 + mutex_init(&state->msg_lock);
    1446 +
    1447 ret = get_chip_info(state);
    1448 if (mxl_fail(ret))
    1449 pr_err("failed to get chip info during probe");
    1450 diff --git a/drivers/media/usb/dvb-usb-v2/mxl111sf.h b/drivers/media/usb/dvb-usb-v2/mxl111sf.h
    1451 index 846260e0eec0..3e6f5880bd1e 100644
    1452 --- a/drivers/media/usb/dvb-usb-v2/mxl111sf.h
    1453 +++ b/drivers/media/usb/dvb-usb-v2/mxl111sf.h
    1454 @@ -19,6 +19,9 @@
    1455 #include <media/tveeprom.h>
    1456 #include <media/media-entity.h>
    1457
    1458 +/* Max transfer size done by I2C transfer functions */
    1459 +#define MXL_MAX_XFER_SIZE 64
    1460 +
    1461 #define MXL_EP1_REG_READ 1
    1462 #define MXL_EP2_REG_WRITE 2
    1463 #define MXL_EP3_INTERRUPT 3
    1464 @@ -86,6 +89,9 @@ struct mxl111sf_state {
    1465 struct mutex fe_lock;
    1466 u8 num_frontends;
    1467 struct mxl111sf_adap_state adap_state[3];
    1468 + u8 sndbuf[MXL_MAX_XFER_SIZE];
    1469 + u8 rcvbuf[MXL_MAX_XFER_SIZE];
    1470 + struct mutex msg_lock;
    1471 #ifdef CONFIG_MEDIA_CONTROLLER_DVB
    1472 struct media_entity tuner;
    1473 struct media_pad tuner_pads[2];
    1474 @@ -108,7 +114,7 @@ int mxl111sf_ctrl_program_regs(struct mxl111sf_state *state,
    1475
    1476 /* needed for hardware i2c functions in mxl111sf-i2c.c:
    1477 * mxl111sf_i2c_send_data / mxl111sf_i2c_get_data */
    1478 -int mxl111sf_ctrl_msg(struct dvb_usb_device *d,
    1479 +int mxl111sf_ctrl_msg(struct mxl111sf_state *state,
    1480 u8 cmd, u8 *wbuf, int wlen, u8 *rbuf, int rlen);
    1481
    1482 #define mxl_printk(kern, fmt, arg...) \
    1483 diff --git a/drivers/misc/enclosure.c b/drivers/misc/enclosure.c
    1484 index 65fed7146e9b..cc91f7b3d90c 100644
    1485 --- a/drivers/misc/enclosure.c
    1486 +++ b/drivers/misc/enclosure.c
    1487 @@ -375,6 +375,7 @@ int enclosure_add_device(struct enclosure_device *edev, int component,
    1488 struct device *dev)
    1489 {
    1490 struct enclosure_component *cdev;
    1491 + int err;
    1492
    1493 if (!edev || component >= edev->components)
    1494 return -EINVAL;
    1495 @@ -384,12 +385,17 @@ int enclosure_add_device(struct enclosure_device *edev, int component,
    1496 if (cdev->dev == dev)
    1497 return -EEXIST;
    1498
    1499 - if (cdev->dev)
    1500 + if (cdev->dev) {
    1501 enclosure_remove_links(cdev);
    1502 -
    1503 - put_device(cdev->dev);
    1504 + put_device(cdev->dev);
    1505 + }
    1506 cdev->dev = get_device(dev);
    1507 - return enclosure_add_links(cdev);
    1508 + err = enclosure_add_links(cdev);
    1509 + if (err) {
    1510 + put_device(cdev->dev);
    1511 + cdev->dev = NULL;
    1512 + }
    1513 + return err;
    1514 }
    1515 EXPORT_SYMBOL_GPL(enclosure_add_device);
    1516
    1517 diff --git a/drivers/net/ethernet/intel/igb/e1000_82575.c b/drivers/net/ethernet/intel/igb/e1000_82575.c
    1518 index a61447fd778e..1264a3616acf 100644
    1519 --- a/drivers/net/ethernet/intel/igb/e1000_82575.c
    1520 +++ b/drivers/net/ethernet/intel/igb/e1000_82575.c
    1521 @@ -246,6 +246,7 @@ static s32 igb_init_phy_params_82575(struct e1000_hw *hw)
    1522 E1000_STATUS_FUNC_SHIFT;
    1523
    1524 /* Set phy->phy_addr and phy->id. */
    1525 + igb_write_phy_reg_82580(hw, I347AT4_PAGE_SELECT, 0);
    1526 ret_val = igb_get_phy_id_82575(hw);
    1527 if (ret_val)
    1528 return ret_val;
    1529 diff --git a/drivers/net/wireless/ath/ath9k/ar9003_phy.c b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
    1530 index ae3043559b6d..fe5102ca5010 100644
    1531 --- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c
    1532 +++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
    1533 @@ -1821,8 +1821,6 @@ static void ar9003_hw_spectral_scan_wait(struct ath_hw *ah)
    1534 static void ar9003_hw_tx99_start(struct ath_hw *ah, u32 qnum)
    1535 {
    1536 REG_SET_BIT(ah, AR_PHY_TEST, PHY_AGC_CLR);
    1537 - REG_SET_BIT(ah, 0x9864, 0x7f000);
    1538 - REG_SET_BIT(ah, 0x9924, 0x7f00fe);
    1539 REG_CLR_BIT(ah, AR_DIAG_SW, AR_DIAG_RX_DIS);
    1540 REG_WRITE(ah, AR_CR, AR_CR_RXD);
    1541 REG_WRITE(ah, AR_DLCL_IFS(qnum), 0);
    1542 diff --git a/drivers/net/wireless/ath/ath9k/rng.c b/drivers/net/wireless/ath/ath9k/rng.c
    1543 index d38e50f96db7..e0374ebe7bdc 100644
    1544 --- a/drivers/net/wireless/ath/ath9k/rng.c
    1545 +++ b/drivers/net/wireless/ath/ath9k/rng.c
    1546 @@ -120,6 +120,8 @@ void ath9k_rng_start(struct ath_softc *sc)
    1547
    1548 void ath9k_rng_stop(struct ath_softc *sc)
    1549 {
    1550 - if (sc->rng_task)
    1551 + if (sc->rng_task) {
    1552 kthread_stop(sc->rng_task);
    1553 + sc->rng_task = NULL;
    1554 + }
    1555 }
    1556 diff --git a/drivers/net/wireless/ath/ath9k/tx99.c b/drivers/net/wireless/ath/ath9k/tx99.c
    1557 index 16aca9e28b77..1fa7f844b5da 100644
    1558 --- a/drivers/net/wireless/ath/ath9k/tx99.c
    1559 +++ b/drivers/net/wireless/ath/ath9k/tx99.c
    1560 @@ -189,22 +189,27 @@ static ssize_t write_file_tx99(struct file *file, const char __user *user_buf,
    1561 if (strtobool(buf, &start))
    1562 return -EINVAL;
    1563
    1564 + mutex_lock(&sc->mutex);
    1565 +
    1566 if (start == sc->tx99_state) {
    1567 if (!start)
    1568 - return count;
    1569 + goto out;
    1570 ath_dbg(common, XMIT, "Resetting TX99\n");
    1571 ath9k_tx99_deinit(sc);
    1572 }
    1573
    1574 if (!start) {
    1575 ath9k_tx99_deinit(sc);
    1576 - return count;
    1577 + goto out;
    1578 }
    1579
    1580 r = ath9k_tx99_init(sc);
    1581 - if (r)
    1582 + if (r) {
    1583 + mutex_unlock(&sc->mutex);
    1584 return r;
    1585 -
    1586 + }
    1587 +out:
    1588 + mutex_unlock(&sc->mutex);
    1589 return count;
    1590 }
    1591
    1592 diff --git a/drivers/net/wireless/ti/wlcore/spi.c b/drivers/net/wireless/ti/wlcore/spi.c
    1593 index f949ad2bd898..fa3547e06424 100644
    1594 --- a/drivers/net/wireless/ti/wlcore/spi.c
    1595 +++ b/drivers/net/wireless/ti/wlcore/spi.c
    1596 @@ -70,10 +70,10 @@
    1597 #define WSPI_MAX_CHUNK_SIZE 4092
    1598
    1599 /*
    1600 - * wl18xx driver aggregation buffer size is (13 * PAGE_SIZE) compared to
    1601 - * (4 * PAGE_SIZE) for wl12xx, so use the larger buffer needed for wl18xx
    1602 + * wl18xx driver aggregation buffer size is (13 * 4K) compared to
    1603 + * (4 * 4K) for wl12xx, so use the larger buffer needed for wl18xx
    1604 */
    1605 -#define SPI_AGGR_BUFFER_SIZE (13 * PAGE_SIZE)
    1606 +#define SPI_AGGR_BUFFER_SIZE (13 * SZ_4K)
    1607
    1608 /* Maximum number of SPI write chunks */
    1609 #define WSPI_MAX_NUM_OF_CHUNKS \
    1610 diff --git a/drivers/nfc/nfcmrvl/fw_dnld.c b/drivers/nfc/nfcmrvl/fw_dnld.c
    1611 index f8dcdf4b24f6..af62c4c854f3 100644
    1612 --- a/drivers/nfc/nfcmrvl/fw_dnld.c
    1613 +++ b/drivers/nfc/nfcmrvl/fw_dnld.c
    1614 @@ -459,7 +459,7 @@ int nfcmrvl_fw_dnld_init(struct nfcmrvl_private *priv)
    1615
    1616 INIT_WORK(&priv->fw_dnld.rx_work, fw_dnld_rx_work);
    1617 snprintf(name, sizeof(name), "%s_nfcmrvl_fw_dnld_rx_wq",
    1618 - dev_name(priv->dev));
    1619 + dev_name(&priv->ndev->nfc_dev->dev));
    1620 priv->fw_dnld.rx_wq = create_singlethread_workqueue(name);
    1621 if (!priv->fw_dnld.rx_wq)
    1622 return -ENOMEM;
    1623 @@ -496,6 +496,7 @@ int nfcmrvl_fw_dnld_start(struct nci_dev *ndev, const char *firmware_name)
    1624 {
    1625 struct nfcmrvl_private *priv = nci_get_drvdata(ndev);
    1626 struct nfcmrvl_fw_dnld *fw_dnld = &priv->fw_dnld;
    1627 + int res;
    1628
    1629 if (!priv->support_fw_dnld)
    1630 return -ENOTSUPP;
    1631 @@ -511,7 +512,9 @@ int nfcmrvl_fw_dnld_start(struct nci_dev *ndev, const char *firmware_name)
    1632 */
    1633
    1634 /* Retrieve FW binary */
    1635 - if (request_firmware(&fw_dnld->fw, firmware_name, priv->dev) < 0) {
    1636 + res = request_firmware(&fw_dnld->fw, firmware_name,
    1637 + &ndev->nfc_dev->dev);
    1638 + if (res < 0) {
    1639 nfc_err(priv->dev, "failed to retrieve FW %s", firmware_name);
    1640 return -ENOENT;
    1641 }
    1642 diff --git a/drivers/nfc/nfcmrvl/main.c b/drivers/nfc/nfcmrvl/main.c
    1643 index 51c8240a1672..a446590a71ca 100644
    1644 --- a/drivers/nfc/nfcmrvl/main.c
    1645 +++ b/drivers/nfc/nfcmrvl/main.c
    1646 @@ -124,12 +124,13 @@ struct nfcmrvl_private *nfcmrvl_nci_register_dev(enum nfcmrvl_phy phy,
    1647 memcpy(&priv->config, pdata, sizeof(*pdata));
    1648
    1649 if (priv->config.reset_n_io) {
    1650 - rc = devm_gpio_request_one(dev,
    1651 - priv->config.reset_n_io,
    1652 - GPIOF_OUT_INIT_LOW,
    1653 - "nfcmrvl_reset_n");
    1654 - if (rc < 0)
    1655 + rc = gpio_request_one(priv->config.reset_n_io,
    1656 + GPIOF_OUT_INIT_LOW,
    1657 + "nfcmrvl_reset_n");
    1658 + if (rc < 0) {
    1659 + priv->config.reset_n_io = 0;
    1660 nfc_err(dev, "failed to request reset_n io\n");
    1661 + }
    1662 }
    1663
    1664 if (phy == NFCMRVL_PHY_SPI) {
    1665 @@ -154,7 +155,13 @@ struct nfcmrvl_private *nfcmrvl_nci_register_dev(enum nfcmrvl_phy phy,
    1666 if (!priv->ndev) {
    1667 nfc_err(dev, "nci_allocate_device failed\n");
    1668 rc = -ENOMEM;
    1669 - goto error;
    1670 + goto error_free_gpio;
    1671 + }
    1672 +
    1673 + rc = nfcmrvl_fw_dnld_init(priv);
    1674 + if (rc) {
    1675 + nfc_err(dev, "failed to initialize FW download %d\n", rc);
    1676 + goto error_free_dev;
    1677 }
    1678
    1679 nci_set_drvdata(priv->ndev, priv);
    1680 @@ -162,24 +169,22 @@ struct nfcmrvl_private *nfcmrvl_nci_register_dev(enum nfcmrvl_phy phy,
    1681 rc = nci_register_device(priv->ndev);
    1682 if (rc) {
    1683 nfc_err(dev, "nci_register_device failed %d\n", rc);
    1684 - goto error_free_dev;
    1685 + goto error_fw_dnld_deinit;
    1686 }
    1687
    1688 /* Ensure that controller is powered off */
    1689 nfcmrvl_chip_halt(priv);
    1690
    1691 - rc = nfcmrvl_fw_dnld_init(priv);
    1692 - if (rc) {
    1693 - nfc_err(dev, "failed to initialize FW download %d\n", rc);
    1694 - goto error_free_dev;
    1695 - }
    1696 -
    1697 nfc_info(dev, "registered with nci successfully\n");
    1698 return priv;
    1699
    1700 +error_fw_dnld_deinit:
    1701 + nfcmrvl_fw_dnld_deinit(priv);
    1702 error_free_dev:
    1703 nci_free_device(priv->ndev);
    1704 -error:
    1705 +error_free_gpio:
    1706 + if (priv->config.reset_n_io)
    1707 + gpio_free(priv->config.reset_n_io);
    1708 kfree(priv);
    1709 return ERR_PTR(rc);
    1710 }
    1711 @@ -195,7 +200,7 @@ void nfcmrvl_nci_unregister_dev(struct nfcmrvl_private *priv)
    1712 nfcmrvl_fw_dnld_deinit(priv);
    1713
    1714 if (priv->config.reset_n_io)
    1715 - devm_gpio_free(priv->dev, priv->config.reset_n_io);
    1716 + gpio_free(priv->config.reset_n_io);
    1717
    1718 nci_unregister_device(ndev);
    1719 nci_free_device(ndev);
    1720 diff --git a/drivers/nfc/nfcmrvl/uart.c b/drivers/nfc/nfcmrvl/uart.c
    1721 index 83a99e38e7bd..6c0c301611c4 100644
    1722 --- a/drivers/nfc/nfcmrvl/uart.c
    1723 +++ b/drivers/nfc/nfcmrvl/uart.c
    1724 @@ -109,6 +109,7 @@ static int nfcmrvl_nci_uart_open(struct nci_uart *nu)
    1725 struct nfcmrvl_private *priv;
    1726 struct nfcmrvl_platform_data *pdata = NULL;
    1727 struct nfcmrvl_platform_data config;
    1728 + struct device *dev = nu->tty->dev;
    1729
    1730 /*
    1731 * Platform data cannot be used here since usually it is already used
    1732 @@ -116,9 +117,8 @@ static int nfcmrvl_nci_uart_open(struct nci_uart *nu)
    1733 * and check if DT entries were added.
    1734 */
    1735
    1736 - if (nu->tty->dev->parent && nu->tty->dev->parent->of_node)
    1737 - if (nfcmrvl_uart_parse_dt(nu->tty->dev->parent->of_node,
    1738 - &config) == 0)
    1739 + if (dev && dev->parent && dev->parent->of_node)
    1740 + if (nfcmrvl_uart_parse_dt(dev->parent->of_node, &config) == 0)
    1741 pdata = &config;
    1742
    1743 if (!pdata) {
    1744 @@ -131,7 +131,7 @@ static int nfcmrvl_nci_uart_open(struct nci_uart *nu)
    1745 }
    1746
    1747 priv = nfcmrvl_nci_register_dev(NFCMRVL_PHY_UART, nu, &uart_ops,
    1748 - nu->tty->dev, pdata);
    1749 + dev, pdata);
    1750 if (IS_ERR(priv))
    1751 return PTR_ERR(priv);
    1752
    1753 diff --git a/drivers/nvdimm/btt.c b/drivers/nvdimm/btt.c
    1754 index 368795aad5c9..94733f73d37f 100644
    1755 --- a/drivers/nvdimm/btt.c
    1756 +++ b/drivers/nvdimm/btt.c
    1757 @@ -1203,10 +1203,13 @@ static int btt_rw_page(struct block_device *bdev, sector_t sector,
    1758 struct page *page, bool is_write)
    1759 {
    1760 struct btt *btt = bdev->bd_disk->private_data;
    1761 + int rc;
    1762
    1763 - btt_do_bvec(btt, NULL, page, PAGE_SIZE, 0, is_write, sector);
    1764 - page_endio(page, is_write, 0);
    1765 - return 0;
    1766 + rc = btt_do_bvec(btt, NULL, page, PAGE_SIZE, 0, is_write, sector);
    1767 + if (rc == 0)
    1768 + page_endio(page, is_write, 0);
    1769 +
    1770 + return rc;
    1771 }
    1772
    1773
    1774 diff --git a/drivers/nvdimm/core.c b/drivers/nvdimm/core.c
    1775 index 7ceba08774b6..18a0bea115df 100644
    1776 --- a/drivers/nvdimm/core.c
    1777 +++ b/drivers/nvdimm/core.c
    1778 @@ -450,14 +450,15 @@ static void set_badblock(struct badblocks *bb, sector_t s, int num)
    1779 static void __add_badblock_range(struct badblocks *bb, u64 ns_offset, u64 len)
    1780 {
    1781 const unsigned int sector_size = 512;
    1782 - sector_t start_sector;
    1783 + sector_t start_sector, end_sector;
    1784 u64 num_sectors;
    1785 u32 rem;
    1786
    1787 start_sector = div_u64(ns_offset, sector_size);
    1788 - num_sectors = div_u64_rem(len, sector_size, &rem);
    1789 + end_sector = div_u64_rem(ns_offset + len, sector_size, &rem);
    1790 if (rem)
    1791 - num_sectors++;
    1792 + end_sector++;
    1793 + num_sectors = end_sector - start_sector;
    1794
    1795 if (unlikely(num_sectors > (u64)INT_MAX)) {
    1796 u64 remaining = num_sectors;
    1797 diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
    1798 index 3222f3e987eb..286fda4ee100 100644
    1799 --- a/drivers/nvme/host/rdma.c
    1800 +++ b/drivers/nvme/host/rdma.c
    1801 @@ -88,7 +88,7 @@ enum nvme_rdma_queue_flags {
    1802
    1803 struct nvme_rdma_queue {
    1804 struct nvme_rdma_qe *rsp_ring;
    1805 - u8 sig_count;
    1806 + atomic_t sig_count;
    1807 int queue_size;
    1808 size_t cmnd_capsule_len;
    1809 struct nvme_rdma_ctrl *ctrl;
    1810 @@ -555,6 +555,7 @@ static int nvme_rdma_init_queue(struct nvme_rdma_ctrl *ctrl,
    1811 queue->cmnd_capsule_len = sizeof(struct nvme_command);
    1812
    1813 queue->queue_size = queue_size;
    1814 + atomic_set(&queue->sig_count, 0);
    1815
    1816 queue->cm_id = rdma_create_id(&init_net, nvme_rdma_cm_handler, queue,
    1817 RDMA_PS_TCP, IB_QPT_RC);
    1818 @@ -1011,17 +1012,16 @@ static void nvme_rdma_send_done(struct ib_cq *cq, struct ib_wc *wc)
    1819 nvme_rdma_wr_error(cq, wc, "SEND");
    1820 }
    1821
    1822 -static inline int nvme_rdma_queue_sig_limit(struct nvme_rdma_queue *queue)
    1823 +/*
    1824 + * We want to signal completion at least every queue depth/2. This returns the
    1825 + * largest power of two that is not above half of (queue size + 1) to optimize
    1826 + * (avoid divisions).
    1827 + */
    1828 +static inline bool nvme_rdma_queue_sig_limit(struct nvme_rdma_queue *queue)
    1829 {
    1830 - int sig_limit;
    1831 + int limit = 1 << ilog2((queue->queue_size + 1) / 2);
    1832
    1833 - /*
    1834 - * We signal completion every queue depth/2 and also handle the
    1835 - * degenerated case of a device with queue_depth=1, where we
    1836 - * would need to signal every message.
    1837 - */
    1838 - sig_limit = max(queue->queue_size / 2, 1);
    1839 - return (++queue->sig_count % sig_limit) == 0;
    1840 + return (atomic_inc_return(&queue->sig_count) & (limit - 1)) == 0;
    1841 }
    1842
    1843 static int nvme_rdma_post_send(struct nvme_rdma_queue *queue,
    1844 diff --git a/drivers/of/device.c b/drivers/of/device.c
    1845 index fd5cfad7c403..f7a970120055 100644
    1846 --- a/drivers/of/device.c
    1847 +++ b/drivers/of/device.c
    1848 @@ -225,6 +225,7 @@ ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len)
    1849
    1850 return tsize;
    1851 }
    1852 +EXPORT_SYMBOL_GPL(of_device_get_modalias);
    1853
    1854 /**
    1855 * of_device_uevent - Display OF related uevent information
    1856 @@ -287,3 +288,4 @@ int of_device_uevent_modalias(struct device *dev, struct kobj_uevent_env *env)
    1857
    1858 return 0;
    1859 }
    1860 +EXPORT_SYMBOL_GPL(of_device_uevent_modalias);
    1861 diff --git a/drivers/pci/host/pcie-rockchip.c b/drivers/pci/host/pcie-rockchip.c
    1862 index 3452983d3569..03ebfd574735 100644
    1863 --- a/drivers/pci/host/pcie-rockchip.c
    1864 +++ b/drivers/pci/host/pcie-rockchip.c
    1865 @@ -131,6 +131,7 @@
    1866 PCIE_CORE_INT_CT | PCIE_CORE_INT_UTC | \
    1867 PCIE_CORE_INT_MMVC)
    1868
    1869 +#define PCIE_RC_CONFIG_NORMAL_BASE 0x800000
    1870 #define PCIE_RC_CONFIG_BASE 0xa00000
    1871 #define PCIE_RC_CONFIG_VENDOR (PCIE_RC_CONFIG_BASE + 0x00)
    1872 #define PCIE_RC_CONFIG_RID_CCR (PCIE_RC_CONFIG_BASE + 0x08)
    1873 @@ -267,7 +268,9 @@ static int rockchip_pcie_valid_device(struct rockchip_pcie *rockchip,
    1874 static int rockchip_pcie_rd_own_conf(struct rockchip_pcie *rockchip,
    1875 int where, int size, u32 *val)
    1876 {
    1877 - void __iomem *addr = rockchip->apb_base + PCIE_RC_CONFIG_BASE + where;
    1878 + void __iomem *addr;
    1879 +
    1880 + addr = rockchip->apb_base + PCIE_RC_CONFIG_NORMAL_BASE + where;
    1881
    1882 if (!IS_ALIGNED((uintptr_t)addr, size)) {
    1883 *val = 0;
    1884 @@ -291,11 +294,13 @@ static int rockchip_pcie_wr_own_conf(struct rockchip_pcie *rockchip,
    1885 int where, int size, u32 val)
    1886 {
    1887 u32 mask, tmp, offset;
    1888 + void __iomem *addr;
    1889
    1890 offset = where & ~0x3;
    1891 + addr = rockchip->apb_base + PCIE_RC_CONFIG_NORMAL_BASE + offset;
    1892
    1893 if (size == 4) {
    1894 - writel(val, rockchip->apb_base + PCIE_RC_CONFIG_BASE + offset);
    1895 + writel(val, addr);
    1896 return PCIBIOS_SUCCESSFUL;
    1897 }
    1898
    1899 @@ -306,9 +311,9 @@ static int rockchip_pcie_wr_own_conf(struct rockchip_pcie *rockchip,
    1900 * corrupt RW1C bits in adjacent registers. But the hardware
    1901 * doesn't support smaller writes.
    1902 */
    1903 - tmp = readl(rockchip->apb_base + PCIE_RC_CONFIG_BASE + offset) & mask;
    1904 + tmp = readl(addr) & mask;
    1905 tmp |= val << ((where & 0x3) * 8);
    1906 - writel(tmp, rockchip->apb_base + PCIE_RC_CONFIG_BASE + offset);
    1907 + writel(tmp, addr);
    1908
    1909 return PCIBIOS_SUCCESSFUL;
    1910 }
    1911 diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
    1912 index 1ccce1cd6aca..8a68e2b554e1 100644
    1913 --- a/drivers/pci/pci-driver.c
    1914 +++ b/drivers/pci/pci-driver.c
    1915 @@ -954,6 +954,7 @@ static int pci_pm_thaw_noirq(struct device *dev)
    1916 return pci_legacy_resume_early(dev);
    1917
    1918 pci_update_current_state(pci_dev, PCI_D0);
    1919 + pci_restore_state(pci_dev);
    1920
    1921 if (drv && drv->pm && drv->pm->thaw_noirq)
    1922 error = drv->pm->thaw_noirq(dev);
    1923 diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
    1924 index 6f7128f49c30..27a6d3c6cb7c 100644
    1925 --- a/drivers/scsi/scsi_scan.c
    1926 +++ b/drivers/scsi/scsi_scan.c
    1927 @@ -384,11 +384,12 @@ static void scsi_target_reap_ref_release(struct kref *kref)
    1928 = container_of(kref, struct scsi_target, reap_ref);
    1929
    1930 /*
    1931 - * if we get here and the target is still in the CREATED state that
    1932 + * if we get here and the target is still in a CREATED state that
    1933 * means it was allocated but never made visible (because a scan
    1934 * turned up no LUNs), so don't call device_del() on it.
    1935 */
    1936 - if (starget->state != STARGET_CREATED) {
    1937 + if ((starget->state != STARGET_CREATED) &&
    1938 + (starget->state != STARGET_CREATED_REMOVE)) {
    1939 transport_remove_device(&starget->dev);
    1940 device_del(&starget->dev);
    1941 }
    1942 diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
    1943 index 82dfe07b1d47..3a6f557ec128 100644
    1944 --- a/drivers/scsi/scsi_sysfs.c
    1945 +++ b/drivers/scsi/scsi_sysfs.c
    1946 @@ -1370,11 +1370,15 @@ void scsi_remove_target(struct device *dev)
    1947 spin_lock_irqsave(shost->host_lock, flags);
    1948 list_for_each_entry(starget, &shost->__targets, siblings) {
    1949 if (starget->state == STARGET_DEL ||
    1950 - starget->state == STARGET_REMOVE)
    1951 + starget->state == STARGET_REMOVE ||
    1952 + starget->state == STARGET_CREATED_REMOVE)
    1953 continue;
    1954 if (starget->dev.parent == dev || &starget->dev == dev) {
    1955 kref_get(&starget->reap_ref);
    1956 - starget->state = STARGET_REMOVE;
    1957 + if (starget->state == STARGET_CREATED)
    1958 + starget->state = STARGET_CREATED_REMOVE;
    1959 + else
    1960 + starget->state = STARGET_REMOVE;
    1961 spin_unlock_irqrestore(shost->host_lock, flags);
    1962 __scsi_remove_target(starget);
    1963 scsi_target_reap(starget);
    1964 diff --git a/drivers/spmi/spmi.c b/drivers/spmi/spmi.c
    1965 index 2b9b0941d9eb..6d23226e5f69 100644
    1966 --- a/drivers/spmi/spmi.c
    1967 +++ b/drivers/spmi/spmi.c
    1968 @@ -365,11 +365,23 @@ static int spmi_drv_remove(struct device *dev)
    1969 return 0;
    1970 }
    1971
    1972 +static int spmi_drv_uevent(struct device *dev, struct kobj_uevent_env *env)
    1973 +{
    1974 + int ret;
    1975 +
    1976 + ret = of_device_uevent_modalias(dev, env);
    1977 + if (ret != -ENODEV)
    1978 + return ret;
    1979 +
    1980 + return 0;
    1981 +}
    1982 +
    1983 static struct bus_type spmi_bus_type = {
    1984 .name = "spmi",
    1985 .match = spmi_device_match,
    1986 .probe = spmi_drv_probe,
    1987 .remove = spmi_drv_remove,
    1988 + .uevent = spmi_drv_uevent,
    1989 };
    1990
    1991 /**
    1992 diff --git a/drivers/staging/comedi/drivers/ni_mio_common.c b/drivers/staging/comedi/drivers/ni_mio_common.c
    1993 index 1c967c30e4ce..a574885ffba9 100644
    1994 --- a/drivers/staging/comedi/drivers/ni_mio_common.c
    1995 +++ b/drivers/staging/comedi/drivers/ni_mio_common.c
    1996 @@ -3078,8 +3078,7 @@ static void ni_ao_cmd_set_update(struct comedi_device *dev,
    1997 /* following line: 2-1 per STC */
    1998 ni_stc_writel(dev, 1, NISTC_AO_UI_LOADA_REG);
    1999 ni_stc_writew(dev, NISTC_AO_CMD1_UI_LOAD, NISTC_AO_CMD1_REG);
    2000 - /* following line: N-1 per STC */
    2001 - ni_stc_writel(dev, trigvar - 1, NISTC_AO_UI_LOADA_REG);
    2002 + ni_stc_writel(dev, trigvar, NISTC_AO_UI_LOADA_REG);
    2003 } else { /* TRIG_EXT */
    2004 /* FIXME: assert scan_begin_arg != 0, ret failure otherwise */
    2005 devpriv->ao_cmd2 |= NISTC_AO_CMD2_BC_GATE_ENA;
    2006 diff --git a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c
    2007 index b27de8888149..995f2dac7f26 100644
    2008 --- a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c
    2009 +++ b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c
    2010 @@ -1650,8 +1650,13 @@ kiblnd_send(lnet_ni_t *ni, void *private, lnet_msg_t *lntmsg)
    2011 ibmsg = tx->tx_msg;
    2012 ibmsg->ibm_u.immediate.ibim_hdr = *hdr;
    2013
    2014 - copy_from_iter(&ibmsg->ibm_u.immediate.ibim_payload, IBLND_MSG_SIZE,
    2015 - &from);
    2016 + rc = copy_from_iter(&ibmsg->ibm_u.immediate.ibim_payload, payload_nob,
    2017 + &from);
    2018 + if (rc != payload_nob) {
    2019 + kiblnd_pool_free_node(&tx->tx_pool->tpo_pool, &tx->tx_list);
    2020 + return -EFAULT;
    2021 + }
    2022 +
    2023 nob = offsetof(struct kib_immediate_msg, ibim_payload[payload_nob]);
    2024 kiblnd_init_tx_msg(ni, tx, IBLND_MSG_IMMEDIATE, nob);
    2025
    2026 @@ -1751,8 +1756,14 @@ kiblnd_recv(lnet_ni_t *ni, void *private, lnet_msg_t *lntmsg, int delayed,
    2027 break;
    2028 }
    2029
    2030 - copy_to_iter(&rxmsg->ibm_u.immediate.ibim_payload,
    2031 - IBLND_MSG_SIZE, to);
    2032 + rc = copy_to_iter(&rxmsg->ibm_u.immediate.ibim_payload, rlen,
    2033 + to);
    2034 + if (rc != rlen) {
    2035 + rc = -EFAULT;
    2036 + break;
    2037 + }
    2038 +
    2039 + rc = 0;
    2040 lnet_finalize(ni, lntmsg, 0);
    2041 break;
    2042
    2043 diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
    2044 index 68e1e6bbe87f..b432153a6c5a 100644
    2045 --- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
    2046 +++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
    2047 @@ -43,6 +43,7 @@ static struct usb_device_id rtw_usb_id_tbl[] = {
    2048 {USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */
    2049 {USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */
    2050 {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
    2051 + {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
    2052 {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
    2053 {} /* Terminating entry */
    2054 };
    2055 diff --git a/drivers/staging/sm750fb/sm750.c b/drivers/staging/sm750fb/sm750.c
    2056 index 7d90e250142c..86ace1449309 100644
    2057 --- a/drivers/staging/sm750fb/sm750.c
    2058 +++ b/drivers/staging/sm750fb/sm750.c
    2059 @@ -1049,6 +1049,26 @@ static int sm750fb_frambuffer_alloc(struct sm750_dev *sm750_dev, int fbidx)
    2060 return err;
    2061 }
    2062
    2063 +static int lynxfb_kick_out_firmware_fb(struct pci_dev *pdev)
    2064 +{
    2065 + struct apertures_struct *ap;
    2066 + bool primary = false;
    2067 +
    2068 + ap = alloc_apertures(1);
    2069 + if (!ap)
    2070 + return -ENOMEM;
    2071 +
    2072 + ap->ranges[0].base = pci_resource_start(pdev, 0);
    2073 + ap->ranges[0].size = pci_resource_len(pdev, 0);
    2074 +#ifdef CONFIG_X86
    2075 + primary = pdev->resource[PCI_ROM_RESOURCE].flags &
    2076 + IORESOURCE_ROM_SHADOW;
    2077 +#endif
    2078 + remove_conflicting_framebuffers(ap, "sm750_fb1", primary);
    2079 + kfree(ap);
    2080 + return 0;
    2081 +}
    2082 +
    2083 static int lynxfb_pci_probe(struct pci_dev *pdev,
    2084 const struct pci_device_id *ent)
    2085 {
    2086 @@ -1057,6 +1077,10 @@ static int lynxfb_pci_probe(struct pci_dev *pdev,
    2087 int fbidx;
    2088 int err;
    2089
    2090 + err = lynxfb_kick_out_firmware_fb(pdev);
    2091 + if (err)
    2092 + return err;
    2093 +
    2094 /* enable device */
    2095 err = pcim_enable_device(pdev);
    2096 if (err)
    2097 diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c
    2098 index 7e70fe849f0d..9cbbc9cf63fb 100644
    2099 --- a/drivers/target/iscsi/iscsi_target_configfs.c
    2100 +++ b/drivers/target/iscsi/iscsi_target_configfs.c
    2101 @@ -802,6 +802,7 @@ DEF_TPG_ATTRIB(default_erl);
    2102 DEF_TPG_ATTRIB(t10_pi);
    2103 DEF_TPG_ATTRIB(fabric_prot_type);
    2104 DEF_TPG_ATTRIB(tpg_enabled_sendtargets);
    2105 +DEF_TPG_ATTRIB(login_keys_workaround);
    2106
    2107 static struct configfs_attribute *lio_target_tpg_attrib_attrs[] = {
    2108 &iscsi_tpg_attrib_attr_authentication,
    2109 @@ -817,6 +818,7 @@ static struct configfs_attribute *lio_target_tpg_attrib_attrs[] = {
    2110 &iscsi_tpg_attrib_attr_t10_pi,
    2111 &iscsi_tpg_attrib_attr_fabric_prot_type,
    2112 &iscsi_tpg_attrib_attr_tpg_enabled_sendtargets,
    2113 + &iscsi_tpg_attrib_attr_login_keys_workaround,
    2114 NULL,
    2115 };
    2116
    2117 diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
    2118 index 89d34bd6d87f..6693d7c69f97 100644
    2119 --- a/drivers/target/iscsi/iscsi_target_nego.c
    2120 +++ b/drivers/target/iscsi/iscsi_target_nego.c
    2121 @@ -819,7 +819,8 @@ static int iscsi_target_handle_csg_zero(
    2122 SENDER_TARGET,
    2123 login->rsp_buf,
    2124 &login->rsp_length,
    2125 - conn->param_list);
    2126 + conn->param_list,
    2127 + conn->tpg->tpg_attrib.login_keys_workaround);
    2128 if (ret < 0)
    2129 return -1;
    2130
    2131 @@ -889,7 +890,8 @@ static int iscsi_target_handle_csg_one(struct iscsi_conn *conn, struct iscsi_log
    2132 SENDER_TARGET,
    2133 login->rsp_buf,
    2134 &login->rsp_length,
    2135 - conn->param_list);
    2136 + conn->param_list,
    2137 + conn->tpg->tpg_attrib.login_keys_workaround);
    2138 if (ret < 0) {
    2139 iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
    2140 ISCSI_LOGIN_STATUS_INIT_ERR);
    2141 diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
    2142 index 4a073339ae2e..0151776fb48e 100644
    2143 --- a/drivers/target/iscsi/iscsi_target_parameters.c
    2144 +++ b/drivers/target/iscsi/iscsi_target_parameters.c
    2145 @@ -765,7 +765,8 @@ static int iscsi_check_for_auth_key(char *key)
    2146 return 0;
    2147 }
    2148
    2149 -static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param)
    2150 +static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param,
    2151 + bool keys_workaround)
    2152 {
    2153 if (IS_TYPE_BOOL_AND(param)) {
    2154 if (!strcmp(param->value, NO))
    2155 @@ -773,19 +774,31 @@ static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param)
    2156 } else if (IS_TYPE_BOOL_OR(param)) {
    2157 if (!strcmp(param->value, YES))
    2158 SET_PSTATE_REPLY_OPTIONAL(param);
    2159 - /*
    2160 - * Required for gPXE iSCSI boot client
    2161 - */
    2162 - if (!strcmp(param->name, IMMEDIATEDATA))
    2163 - SET_PSTATE_REPLY_OPTIONAL(param);
    2164 +
    2165 + if (keys_workaround) {
    2166 + /*
    2167 + * Required for gPXE iSCSI boot client
    2168 + */
    2169 + if (!strcmp(param->name, IMMEDIATEDATA))
    2170 + SET_PSTATE_REPLY_OPTIONAL(param);
    2171 + }
    2172 } else if (IS_TYPE_NUMBER(param)) {
    2173 if (!strcmp(param->name, MAXRECVDATASEGMENTLENGTH))
    2174 SET_PSTATE_REPLY_OPTIONAL(param);
    2175 - /*
    2176 - * Required for gPXE iSCSI boot client
    2177 - */
    2178 - if (!strcmp(param->name, MAXCONNECTIONS))
    2179 - SET_PSTATE_REPLY_OPTIONAL(param);
    2180 +
    2181 + if (keys_workaround) {
    2182 + /*
    2183 + * Required for Mellanox Flexboot PXE boot ROM
    2184 + */
    2185 + if (!strcmp(param->name, FIRSTBURSTLENGTH))
    2186 + SET_PSTATE_REPLY_OPTIONAL(param);
    2187 +
    2188 + /*
    2189 + * Required for gPXE iSCSI boot client
    2190 + */
    2191 + if (!strcmp(param->name, MAXCONNECTIONS))
    2192 + SET_PSTATE_REPLY_OPTIONAL(param);
    2193 + }
    2194 } else if (IS_PHASE_DECLARATIVE(param))
    2195 SET_PSTATE_REPLY_OPTIONAL(param);
    2196 }
    2197 @@ -1422,7 +1435,8 @@ int iscsi_encode_text_output(
    2198 u8 sender,
    2199 char *textbuf,
    2200 u32 *length,
    2201 - struct iscsi_param_list *param_list)
    2202 + struct iscsi_param_list *param_list,
    2203 + bool keys_workaround)
    2204 {
    2205 char *output_buf = NULL;
    2206 struct iscsi_extra_response *er;
    2207 @@ -1458,7 +1472,8 @@ int iscsi_encode_text_output(
    2208 *length += 1;
    2209 output_buf = textbuf + *length;
    2210 SET_PSTATE_PROPOSER(param);
    2211 - iscsi_check_proposer_for_optional_reply(param);
    2212 + iscsi_check_proposer_for_optional_reply(param,
    2213 + keys_workaround);
    2214 pr_debug("Sending key: %s=%s\n",
    2215 param->name, param->value);
    2216 }
    2217 diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
    2218 index a0751e3f0813..17a58c2913f2 100644
    2219 --- a/drivers/target/iscsi/iscsi_target_parameters.h
    2220 +++ b/drivers/target/iscsi/iscsi_target_parameters.h
    2221 @@ -40,7 +40,7 @@ extern int iscsi_extract_key_value(char *, char **, char **);
    2222 extern int iscsi_update_param_value(struct iscsi_param *, char *);
    2223 extern int iscsi_decode_text_input(u8, u8, char *, u32, struct iscsi_conn *);
    2224 extern int iscsi_encode_text_output(u8, u8, char *, u32 *,
    2225 - struct iscsi_param_list *);
    2226 + struct iscsi_param_list *, bool);
    2227 extern int iscsi_check_negotiated_keys(struct iscsi_param_list *);
    2228 extern void iscsi_set_connection_parameters(struct iscsi_conn_ops *,
    2229 struct iscsi_param_list *);
    2230 diff --git a/drivers/target/iscsi/iscsi_target_tpg.c b/drivers/target/iscsi/iscsi_target_tpg.c
    2231 index 205a509b0dfb..63e1dcc5914d 100644
    2232 --- a/drivers/target/iscsi/iscsi_target_tpg.c
    2233 +++ b/drivers/target/iscsi/iscsi_target_tpg.c
    2234 @@ -227,6 +227,7 @@ static void iscsit_set_default_tpg_attribs(struct iscsi_portal_group *tpg)
    2235 a->t10_pi = TA_DEFAULT_T10_PI;
    2236 a->fabric_prot_type = TA_DEFAULT_FABRIC_PROT_TYPE;
    2237 a->tpg_enabled_sendtargets = TA_DEFAULT_TPG_ENABLED_SENDTARGETS;
    2238 + a->login_keys_workaround = TA_DEFAULT_LOGIN_KEYS_WORKAROUND;
    2239 }
    2240
    2241 int iscsit_tpg_add_portal_group(struct iscsi_tiqn *tiqn, struct iscsi_portal_group *tpg)
    2242 @@ -899,3 +900,21 @@ int iscsit_ta_tpg_enabled_sendtargets(
    2243
    2244 return 0;
    2245 }
    2246 +
    2247 +int iscsit_ta_login_keys_workaround(
    2248 + struct iscsi_portal_group *tpg,
    2249 + u32 flag)
    2250 +{
    2251 + struct iscsi_tpg_attrib *a = &tpg->tpg_attrib;
    2252 +
    2253 + if ((flag != 0) && (flag != 1)) {
    2254 + pr_err("Illegal value %d\n", flag);
    2255 + return -EINVAL;
    2256 + }
    2257 +
    2258 + a->login_keys_workaround = flag;
    2259 + pr_debug("iSCSI_TPG[%hu] - TPG enabled bit for login keys workaround: %s ",
    2260 + tpg->tpgt, (a->login_keys_workaround) ? "ON" : "OFF");
    2261 +
    2262 + return 0;
    2263 +}
    2264 diff --git a/drivers/target/iscsi/iscsi_target_tpg.h b/drivers/target/iscsi/iscsi_target_tpg.h
    2265 index 2da211920c18..901a712180f0 100644
    2266 --- a/drivers/target/iscsi/iscsi_target_tpg.h
    2267 +++ b/drivers/target/iscsi/iscsi_target_tpg.h
    2268 @@ -39,5 +39,6 @@ extern int iscsit_ta_default_erl(struct iscsi_portal_group *, u32);
    2269 extern int iscsit_ta_t10_pi(struct iscsi_portal_group *, u32);
    2270 extern int iscsit_ta_fabric_prot_type(struct iscsi_portal_group *, u32);
    2271 extern int iscsit_ta_tpg_enabled_sendtargets(struct iscsi_portal_group *, u32);
    2272 +extern int iscsit_ta_login_keys_workaround(struct iscsi_portal_group *, u32);
    2273
    2274 #endif /* ISCSI_TARGET_TPG_H */
    2275 diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
    2276 index 1f9bfa4195ea..e8a1f5cadba5 100644
    2277 --- a/drivers/target/target_core_transport.c
    2278 +++ b/drivers/target/target_core_transport.c
    2279 @@ -753,6 +753,15 @@ void target_complete_cmd(struct se_cmd *cmd, u8 scsi_status)
    2280 if (cmd->transport_state & CMD_T_ABORTED ||
    2281 cmd->transport_state & CMD_T_STOP) {
    2282 spin_unlock_irqrestore(&cmd->t_state_lock, flags);
    2283 + /*
    2284 + * If COMPARE_AND_WRITE was stopped by __transport_wait_for_tasks(),
    2285 + * release se_device->caw_sem obtained by sbc_compare_and_write()
    2286 + * since target_complete_ok_work() or target_complete_failure_work()
    2287 + * won't be called to invoke the normal CAW completion callbacks.
    2288 + */
    2289 + if (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) {
    2290 + up(&dev->caw_sem);
    2291 + }
    2292 complete_all(&cmd->t_transport_stop_comp);
    2293 return;
    2294 } else if (!success) {
    2295 diff --git a/drivers/thermal/cpu_cooling.c b/drivers/thermal/cpu_cooling.c
    2296 index 9ce0e9eef923..f49d2989d000 100644
    2297 --- a/drivers/thermal/cpu_cooling.c
    2298 +++ b/drivers/thermal/cpu_cooling.c
    2299 @@ -191,8 +191,10 @@ unsigned long cpufreq_cooling_get_level(unsigned int cpu, unsigned int freq)
    2300 mutex_lock(&cooling_list_lock);
    2301 list_for_each_entry(cpufreq_dev, &cpufreq_dev_list, node) {
    2302 if (cpumask_test_cpu(cpu, &cpufreq_dev->allowed_cpus)) {
    2303 + unsigned long level = get_level(cpufreq_dev, freq);
    2304 +
    2305 mutex_unlock(&cooling_list_lock);
    2306 - return get_level(cpufreq_dev, freq);
    2307 + return level;
    2308 }
    2309 }
    2310 mutex_unlock(&cooling_list_lock);
    2311 diff --git a/drivers/thermal/max77620_thermal.c b/drivers/thermal/max77620_thermal.c
    2312 index 83905ff46e40..7e989277a890 100644
    2313 --- a/drivers/thermal/max77620_thermal.c
    2314 +++ b/drivers/thermal/max77620_thermal.c
    2315 @@ -104,8 +104,6 @@ static int max77620_thermal_probe(struct platform_device *pdev)
    2316 return -EINVAL;
    2317 }
    2318
    2319 - pdev->dev.of_node = pdev->dev.parent->of_node;
    2320 -
    2321 mtherm->dev = &pdev->dev;
    2322 mtherm->rmap = dev_get_regmap(pdev->dev.parent, NULL);
    2323 if (!mtherm->rmap) {
    2324 @@ -113,6 +111,14 @@ static int max77620_thermal_probe(struct platform_device *pdev)
    2325 return -ENODEV;
    2326 }
    2327
    2328 + /*
    2329 + * Drop any current reference to a device-tree node and get a
    2330 + * reference to the parent's node which will be balanced on reprobe or
    2331 + * on platform-device release.
    2332 + */
    2333 + of_node_put(pdev->dev.of_node);
    2334 + pdev->dev.of_node = of_node_get(pdev->dev.parent->of_node);
    2335 +
    2336 mtherm->tz_device = devm_thermal_zone_of_sensor_register(&pdev->dev, 0,
    2337 mtherm, &max77620_thermal_ops);
    2338 if (IS_ERR(mtherm->tz_device)) {
    2339 diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
    2340 index a876d47246dc..f16491c25e73 100644
    2341 --- a/drivers/usb/class/cdc-acm.c
    2342 +++ b/drivers/usb/class/cdc-acm.c
    2343 @@ -1770,6 +1770,9 @@ static const struct usb_device_id acm_ids[] = {
    2344 { USB_DEVICE(0x1576, 0x03b1), /* Maretron USB100 */
    2345 .driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
    2346 },
    2347 + { USB_DEVICE(0xfff0, 0x0100), /* DATECS FP-2000 */
    2348 + .driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
    2349 + },
    2350
    2351 { USB_DEVICE(0x2912, 0x0001), /* ATOL FPrint */
    2352 .driver_info = CLEAR_HALT_CONDITIONS,
    2353 diff --git a/drivers/usb/host/pci-quirks.c b/drivers/usb/host/pci-quirks.c
    2354 index a9a1e4c40480..c8989c62a262 100644
    2355 --- a/drivers/usb/host/pci-quirks.c
    2356 +++ b/drivers/usb/host/pci-quirks.c
    2357 @@ -77,6 +77,16 @@
    2358 #define USB_INTEL_USB3_PSSEN 0xD8
    2359 #define USB_INTEL_USB3PRM 0xDC
    2360
    2361 +/* ASMEDIA quirk use */
    2362 +#define ASMT_DATA_WRITE0_REG 0xF8
    2363 +#define ASMT_DATA_WRITE1_REG 0xFC
    2364 +#define ASMT_CONTROL_REG 0xE0
    2365 +#define ASMT_CONTROL_WRITE_BIT 0x02
    2366 +#define ASMT_WRITEREG_CMD 0x10423
    2367 +#define ASMT_FLOWCTL_ADDR 0xFA30
    2368 +#define ASMT_FLOWCTL_DATA 0xBA
    2369 +#define ASMT_PSEUDO_DATA 0
    2370 +
    2371 /*
    2372 * amd_chipset_gen values represent AMD different chipset generations
    2373 */
    2374 @@ -412,6 +422,50 @@ void usb_amd_quirk_pll_disable(void)
    2375 }
    2376 EXPORT_SYMBOL_GPL(usb_amd_quirk_pll_disable);
    2377
    2378 +static int usb_asmedia_wait_write(struct pci_dev *pdev)
    2379 +{
    2380 + unsigned long retry_count;
    2381 + unsigned char value;
    2382 +
    2383 + for (retry_count = 1000; retry_count > 0; --retry_count) {
    2384 +
    2385 + pci_read_config_byte(pdev, ASMT_CONTROL_REG, &value);
    2386 +
    2387 + if (value == 0xff) {
    2388 + dev_err(&pdev->dev, "%s: check_ready ERROR", __func__);
    2389 + return -EIO;
    2390 + }
    2391 +
    2392 + if ((value & ASMT_CONTROL_WRITE_BIT) == 0)
    2393 + return 0;
    2394 +
    2395 + usleep_range(40, 60);
    2396 + }
    2397 +
    2398 + dev_warn(&pdev->dev, "%s: check_write_ready timeout", __func__);
    2399 + return -ETIMEDOUT;
    2400 +}
    2401 +
    2402 +void usb_asmedia_modifyflowcontrol(struct pci_dev *pdev)
    2403 +{
    2404 + if (usb_asmedia_wait_write(pdev) != 0)
    2405 + return;
    2406 +
    2407 + /* send command and address to device */
    2408 + pci_write_config_dword(pdev, ASMT_DATA_WRITE0_REG, ASMT_WRITEREG_CMD);
    2409 + pci_write_config_dword(pdev, ASMT_DATA_WRITE1_REG, ASMT_FLOWCTL_ADDR);
    2410 + pci_write_config_byte(pdev, ASMT_CONTROL_REG, ASMT_CONTROL_WRITE_BIT);
    2411 +
    2412 + if (usb_asmedia_wait_write(pdev) != 0)
    2413 + return;
    2414 +
    2415 + /* send data to device */
    2416 + pci_write_config_dword(pdev, ASMT_DATA_WRITE0_REG, ASMT_FLOWCTL_DATA);
    2417 + pci_write_config_dword(pdev, ASMT_DATA_WRITE1_REG, ASMT_PSEUDO_DATA);
    2418 + pci_write_config_byte(pdev, ASMT_CONTROL_REG, ASMT_CONTROL_WRITE_BIT);
    2419 +}
    2420 +EXPORT_SYMBOL_GPL(usb_asmedia_modifyflowcontrol);
    2421 +
    2422 void usb_amd_quirk_pll_enable(void)
    2423 {
    2424 usb_amd_quirk_pll(0);
    2425 diff --git a/drivers/usb/host/pci-quirks.h b/drivers/usb/host/pci-quirks.h
    2426 index c622ddf21c94..6463fdb403c2 100644
    2427 --- a/drivers/usb/host/pci-quirks.h
    2428 +++ b/drivers/usb/host/pci-quirks.h
    2429 @@ -11,6 +11,7 @@ bool usb_amd_prefetch_quirk(void);
    2430 void usb_amd_dev_put(void);
    2431 void usb_amd_quirk_pll_disable(void);
    2432 void usb_amd_quirk_pll_enable(void);
    2433 +void usb_asmedia_modifyflowcontrol(struct pci_dev *pdev);
    2434 void usb_enable_intel_xhci_ports(struct pci_dev *xhci_pdev);
    2435 void usb_disable_xhci_ports(struct pci_dev *xhci_pdev);
    2436 void sb800_prefetch(struct device *dev, int on);
    2437 @@ -18,6 +19,7 @@ void sb800_prefetch(struct device *dev, int on);
    2438 struct pci_dev;
    2439 static inline void usb_amd_quirk_pll_disable(void) {}
    2440 static inline void usb_amd_quirk_pll_enable(void) {}
    2441 +static inline void usb_asmedia_modifyflowcontrol(struct pci_dev *pdev) {}
    2442 static inline void usb_amd_dev_put(void) {}
    2443 static inline void usb_disable_xhci_ports(struct pci_dev *xhci_pdev) {}
    2444 static inline void sb800_prefetch(struct device *dev, int on) {}
    2445 diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
    2446 index ff544f20872c..36b7789f8f22 100644
    2447 --- a/drivers/usb/host/xhci-hub.c
    2448 +++ b/drivers/usb/host/xhci-hub.c
    2449 @@ -783,6 +783,9 @@ static u32 xhci_get_port_status(struct usb_hcd *hcd,
    2450 clear_bit(wIndex, &bus_state->resuming_ports);
    2451
    2452 set_bit(wIndex, &bus_state->rexit_ports);
    2453 +
    2454 + xhci_test_and_clear_bit(xhci, port_array, wIndex,
    2455 + PORT_PLC);
    2456 xhci_set_link_state(xhci, port_array, wIndex,
    2457 XDEV_U0);
    2458
    2459 diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
    2460 index 672751ed2ba1..23833448e602 100644
    2461 --- a/drivers/usb/host/xhci-pci.c
    2462 +++ b/drivers/usb/host/xhci-pci.c
    2463 @@ -59,6 +59,8 @@
    2464 #define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb
    2465 #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc
    2466
    2467 +#define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142
    2468 +
    2469 static const char hcd_name[] = "xhci_hcd";
    2470
    2471 static struct hc_driver __read_mostly xhci_pci_hc_driver;
    2472 @@ -217,6 +219,10 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
    2473 pdev->device == 0x1142)
    2474 xhci->quirks |= XHCI_TRUST_TX_LENGTH;
    2475
    2476 + if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
    2477 + pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI)
    2478 + xhci->quirks |= XHCI_ASMEDIA_MODIFY_FLOWCONTROL;
    2479 +
    2480 if (pdev->vendor == PCI_VENDOR_ID_TI && pdev->device == 0x8241)
    2481 xhci->quirks |= XHCI_LIMIT_ENDPOINT_INTERVAL_7;
    2482
    2483 diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
    2484 index 521c1816a26a..63735b5310bb 100644
    2485 --- a/drivers/usb/host/xhci-ring.c
    2486 +++ b/drivers/usb/host/xhci-ring.c
    2487 @@ -860,13 +860,16 @@ static void xhci_kill_endpoint_urbs(struct xhci_hcd *xhci,
    2488 (ep->ep_state & EP_GETTING_NO_STREAMS)) {
    2489 int stream_id;
    2490
    2491 - for (stream_id = 0; stream_id < ep->stream_info->num_streams;
    2492 + for (stream_id = 1; stream_id < ep->stream_info->num_streams;
    2493 stream_id++) {
    2494 + ring = ep->stream_info->stream_rings[stream_id];
    2495 + if (!ring)
    2496 + continue;
    2497 +
    2498 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
    2499 "Killing URBs for slot ID %u, ep index %u, stream %u",
    2500 - slot_id, ep_index, stream_id + 1);
    2501 - xhci_kill_ring_urbs(xhci,
    2502 - ep->stream_info->stream_rings[stream_id]);
    2503 + slot_id, ep_index, stream_id);
    2504 + xhci_kill_ring_urbs(xhci, ring);
    2505 }
    2506 } else {
    2507 ring = ep->ring;
    2508 diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
    2509 index 34e23c7d7797..82308af5801b 100644
    2510 --- a/drivers/usb/host/xhci.c
    2511 +++ b/drivers/usb/host/xhci.c
    2512 @@ -192,6 +192,9 @@ int xhci_reset(struct xhci_hcd *xhci)
    2513 if (ret)
    2514 return ret;
    2515
    2516 + if (xhci->quirks & XHCI_ASMEDIA_MODIFY_FLOWCONTROL)
    2517 + usb_asmedia_modifyflowcontrol(to_pci_dev(xhci_to_hcd(xhci)->self.controller));
    2518 +
    2519 xhci_dbg_trace(xhci, trace_xhci_dbg_init,
    2520 "Wait for controller to be ready for doorbell rings");
    2521 /*
    2522 @@ -1122,6 +1125,9 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
    2523 if ((xhci->quirks & XHCI_COMP_MODE_QUIRK) && !comp_timer_running)
    2524 compliance_mode_recovery_timer_init(xhci);
    2525
    2526 + if (xhci->quirks & XHCI_ASMEDIA_MODIFY_FLOWCONTROL)
    2527 + usb_asmedia_modifyflowcontrol(to_pci_dev(hcd->self.controller));
    2528 +
    2529 /* Re-enable port polling. */
    2530 xhci_dbg(xhci, "%s: starting port polling.\n", __func__);
    2531 set_bit(HCD_FLAG_POLL_RH, &xhci->shared_hcd->flags);
    2532 diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
    2533 index 8336e07dc5f9..a0f4a9feb058 100644
    2534 --- a/drivers/usb/host/xhci.h
    2535 +++ b/drivers/usb/host/xhci.h
    2536 @@ -1661,6 +1661,7 @@ struct xhci_hcd {
    2537 #define XHCI_BROKEN_PORT_PED (1 << 25)
    2538 #define XHCI_LIMIT_ENDPOINT_INTERVAL_7 (1 << 26)
    2539 #define XHCI_U2_DISABLE_WAKE (1 << 27)
    2540 +#define XHCI_ASMEDIA_MODIFY_FLOWCONTROL (1 << 28)
    2541
    2542 unsigned int num_active_eps;
    2543 unsigned int limit_active_eps;
    2544 diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c
    2545 index 012a37aa3e0d..7994208be5de 100644
    2546 --- a/drivers/usb/renesas_usbhs/common.c
    2547 +++ b/drivers/usb/renesas_usbhs/common.c
    2548 @@ -752,8 +752,10 @@ static int usbhsc_resume(struct device *dev)
    2549 struct usbhs_priv *priv = dev_get_drvdata(dev);
    2550 struct platform_device *pdev = usbhs_priv_to_pdev(priv);
    2551
    2552 - if (!usbhsc_flags_has(priv, USBHSF_RUNTIME_PWCTRL))
    2553 + if (!usbhsc_flags_has(priv, USBHSF_RUNTIME_PWCTRL)) {
    2554 usbhsc_power_ctrl(priv, 1);
    2555 + usbhs_mod_autonomy_mode(priv);
    2556 + }
    2557
    2558 usbhs_platform_call(priv, phy_reset, pdev);
    2559
    2560 diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c
    2561 index 5bc7a6138855..93fba9033b00 100644
    2562 --- a/drivers/usb/renesas_usbhs/mod_gadget.c
    2563 +++ b/drivers/usb/renesas_usbhs/mod_gadget.c
    2564 @@ -37,6 +37,7 @@ struct usbhsg_gpriv;
    2565 struct usbhsg_uep {
    2566 struct usb_ep ep;
    2567 struct usbhs_pipe *pipe;
    2568 + spinlock_t lock; /* protect the pipe */
    2569
    2570 char ep_name[EP_NAME_SIZE];
    2571
    2572 @@ -636,10 +637,16 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
    2573 static int usbhsg_ep_disable(struct usb_ep *ep)
    2574 {
    2575 struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
    2576 - struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
    2577 + struct usbhs_pipe *pipe;
    2578 + unsigned long flags;
    2579 + int ret = 0;
    2580
    2581 - if (!pipe)
    2582 - return -EINVAL;
    2583 + spin_lock_irqsave(&uep->lock, flags);
    2584 + pipe = usbhsg_uep_to_pipe(uep);
    2585 + if (!pipe) {
    2586 + ret = -EINVAL;
    2587 + goto out;
    2588 + }
    2589
    2590 usbhsg_pipe_disable(uep);
    2591 usbhs_pipe_free(pipe);
    2592 @@ -647,6 +654,9 @@ static int usbhsg_ep_disable(struct usb_ep *ep)
    2593 uep->pipe->mod_private = NULL;
    2594 uep->pipe = NULL;
    2595
    2596 +out:
    2597 + spin_unlock_irqrestore(&uep->lock, flags);
    2598 +
    2599 return 0;
    2600 }
    2601
    2602 @@ -696,8 +706,11 @@ static int usbhsg_ep_dequeue(struct usb_ep *ep, struct usb_request *req)
    2603 {
    2604 struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
    2605 struct usbhsg_request *ureq = usbhsg_req_to_ureq(req);
    2606 - struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
    2607 + struct usbhs_pipe *pipe;
    2608 + unsigned long flags;
    2609
    2610 + spin_lock_irqsave(&uep->lock, flags);
    2611 + pipe = usbhsg_uep_to_pipe(uep);
    2612 if (pipe)
    2613 usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq));
    2614
    2615 @@ -706,6 +719,7 @@ static int usbhsg_ep_dequeue(struct usb_ep *ep, struct usb_request *req)
    2616 * even if the pipe is NULL.
    2617 */
    2618 usbhsg_queue_pop(uep, ureq, -ECONNRESET);
    2619 + spin_unlock_irqrestore(&uep->lock, flags);
    2620
    2621 return 0;
    2622 }
    2623 @@ -852,10 +866,10 @@ static int usbhsg_try_stop(struct usbhs_priv *priv, u32 status)
    2624 {
    2625 struct usbhsg_gpriv *gpriv = usbhsg_priv_to_gpriv(priv);
    2626 struct usbhs_mod *mod = usbhs_mod_get_current(priv);
    2627 - struct usbhsg_uep *dcp = usbhsg_gpriv_to_dcp(gpriv);
    2628 + struct usbhsg_uep *uep;
    2629 struct device *dev = usbhs_priv_to_dev(priv);
    2630 unsigned long flags;
    2631 - int ret = 0;
    2632 + int ret = 0, i;
    2633
    2634 /******************** spin lock ********************/
    2635 usbhs_lock(priv, flags);
    2636 @@ -887,7 +901,9 @@ static int usbhsg_try_stop(struct usbhs_priv *priv, u32 status)
    2637 usbhs_sys_set_test_mode(priv, 0);
    2638 usbhs_sys_function_ctrl(priv, 0);
    2639
    2640 - usbhsg_ep_disable(&dcp->ep);
    2641 + /* disable all eps */
    2642 + usbhsg_for_each_uep_with_dcp(uep, gpriv, i)
    2643 + usbhsg_ep_disable(&uep->ep);
    2644
    2645 dev_dbg(dev, "stop gadget\n");
    2646
    2647 @@ -1069,6 +1085,7 @@ int usbhs_mod_gadget_probe(struct usbhs_priv *priv)
    2648 ret = -ENOMEM;
    2649 goto usbhs_mod_gadget_probe_err_gpriv;
    2650 }
    2651 + spin_lock_init(&uep->lock);
    2652
    2653 gpriv->transceiver = usb_get_phy(USB_PHY_TYPE_UNDEFINED);
    2654 dev_info(dev, "%stransceiver found\n",
    2655 diff --git a/drivers/usb/storage/isd200.c b/drivers/usb/storage/isd200.c
    2656 index fba4005dd737..6a7720e66595 100644
    2657 --- a/drivers/usb/storage/isd200.c
    2658 +++ b/drivers/usb/storage/isd200.c
    2659 @@ -1529,8 +1529,11 @@ static void isd200_ata_command(struct scsi_cmnd *srb, struct us_data *us)
    2660
    2661 /* Make sure driver was initialized */
    2662
    2663 - if (us->extra == NULL)
    2664 + if (us->extra == NULL) {
    2665 usb_stor_dbg(us, "ERROR Driver not initialized\n");
    2666 + srb->result = DID_ERROR << 16;
    2667 + return;
    2668 + }
    2669
    2670 scsi_set_resid(srb, 0);
    2671 /* scsi_bufflen might change in protocol translation to ata */
    2672 diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
    2673 index d1d70e0b011b..881fc3a55edc 100644
    2674 --- a/drivers/vfio/vfio.c
    2675 +++ b/drivers/vfio/vfio.c
    2676 @@ -419,6 +419,34 @@ static void vfio_group_put(struct vfio_group *group)
    2677 kref_put_mutex(&group->kref, vfio_group_release, &vfio.group_lock);
    2678 }
    2679
    2680 +struct vfio_group_put_work {
    2681 + struct work_struct work;
    2682 + struct vfio_group *group;
    2683 +};
    2684 +
    2685 +static void vfio_group_put_bg(struct work_struct *work)
    2686 +{
    2687 + struct vfio_group_put_work *do_work;
    2688 +
    2689 + do_work = container_of(work, struct vfio_group_put_work, work);
    2690 +
    2691 + vfio_group_put(do_work->group);
    2692 + kfree(do_work);
    2693 +}
    2694 +
    2695 +static void vfio_group_schedule_put(struct vfio_group *group)
    2696 +{
    2697 + struct vfio_group_put_work *do_work;
    2698 +
    2699 + do_work = kmalloc(sizeof(*do_work), GFP_KERNEL);
    2700 + if (WARN_ON(!do_work))
    2701 + return;
    2702 +
    2703 + INIT_WORK(&do_work->work, vfio_group_put_bg);
    2704 + do_work->group = group;
    2705 + schedule_work(&do_work->work);
    2706 +}
    2707 +
    2708 /* Assume group_lock or group reference is held */
    2709 static void vfio_group_get(struct vfio_group *group)
    2710 {
    2711 @@ -743,7 +771,14 @@ static int vfio_iommu_group_notifier(struct notifier_block *nb,
    2712 break;
    2713 }
    2714
    2715 - vfio_group_put(group);
    2716 + /*
    2717 + * If we're the last reference to the group, the group will be
    2718 + * released, which includes unregistering the iommu group notifier.
    2719 + * We hold a read-lock on that notifier list, unregistering needs
    2720 + * a write-lock... deadlock. Release our reference asynchronously
    2721 + * to avoid that situation.
    2722 + */
    2723 + vfio_group_schedule_put(group);
    2724 return NOTIFY_OK;
    2725 }
    2726
    2727 @@ -1716,6 +1751,15 @@ void vfio_group_put_external_user(struct vfio_group *group)
    2728 }
    2729 EXPORT_SYMBOL_GPL(vfio_group_put_external_user);
    2730
    2731 +bool vfio_external_group_match_file(struct vfio_group *test_group,
    2732 + struct file *filep)
    2733 +{
    2734 + struct vfio_group *group = filep->private_data;
    2735 +
    2736 + return (filep->f_op == &vfio_group_fops) && (group == test_group);
    2737 +}
    2738 +EXPORT_SYMBOL_GPL(vfio_external_group_match_file);
    2739 +
    2740 int vfio_external_user_iommu_id(struct vfio_group *group)
    2741 {
    2742 return iommu_group_id(group->iommu_group);
    2743 diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c
    2744 index d6950e0802b7..980f32817305 100644
    2745 --- a/drivers/xen/xen-scsiback.c
    2746 +++ b/drivers/xen/xen-scsiback.c
    2747 @@ -134,9 +134,7 @@ struct vscsibk_pend {
    2748 struct page *pages[VSCSI_MAX_GRANTS];
    2749
    2750 struct se_cmd se_cmd;
    2751 -};
    2752
    2753 -struct scsiback_tmr {
    2754 atomic_t tmr_complete;
    2755 wait_queue_head_t tmr_wait;
    2756 };
    2757 @@ -599,26 +597,20 @@ static void scsiback_device_action(struct vscsibk_pend *pending_req,
    2758 struct scsiback_tpg *tpg = pending_req->v2p->tpg;
    2759 struct scsiback_nexus *nexus = tpg->tpg_nexus;
    2760 struct se_cmd *se_cmd = &pending_req->se_cmd;
    2761 - struct scsiback_tmr *tmr;
    2762 u64 unpacked_lun = pending_req->v2p->lun;
    2763 int rc, err = FAILED;
    2764
    2765 - tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL);
    2766 - if (!tmr) {
    2767 - target_put_sess_cmd(se_cmd);
    2768 - goto err;
    2769 - }
    2770 -
    2771 - init_waitqueue_head(&tmr->tmr_wait);
    2772 + init_waitqueue_head(&pending_req->tmr_wait);
    2773
    2774 rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess,
    2775 &pending_req->sense_buffer[0],
    2776 - unpacked_lun, tmr, act, GFP_KERNEL,
    2777 + unpacked_lun, NULL, act, GFP_KERNEL,
    2778 tag, TARGET_SCF_ACK_KREF);
    2779 if (rc)
    2780 goto err;
    2781
    2782 - wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete));
    2783 + wait_event(pending_req->tmr_wait,
    2784 + atomic_read(&pending_req->tmr_complete));
    2785
    2786 err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ?
    2787 SUCCESS : FAILED;
    2788 @@ -626,9 +618,8 @@ static void scsiback_device_action(struct vscsibk_pend *pending_req,
    2789 scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
    2790 transport_generic_free_cmd(&pending_req->se_cmd, 1);
    2791 return;
    2792 +
    2793 err:
    2794 - if (tmr)
    2795 - kfree(tmr);
    2796 scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
    2797 }
    2798
    2799 @@ -1389,12 +1380,6 @@ static int scsiback_check_stop_free(struct se_cmd *se_cmd)
    2800 static void scsiback_release_cmd(struct se_cmd *se_cmd)
    2801 {
    2802 struct se_session *se_sess = se_cmd->se_sess;
    2803 - struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
    2804 -
    2805 - if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) {
    2806 - struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
    2807 - kfree(tmr);
    2808 - }
    2809
    2810 percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag);
    2811 }
    2812 @@ -1455,11 +1440,11 @@ static int scsiback_queue_status(struct se_cmd *se_cmd)
    2813
    2814 static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd)
    2815 {
    2816 - struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
    2817 - struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
    2818 + struct vscsibk_pend *pending_req = container_of(se_cmd,
    2819 + struct vscsibk_pend, se_cmd);
    2820
    2821 - atomic_set(&tmr->tmr_complete, 1);
    2822 - wake_up(&tmr->tmr_wait);
    2823 + atomic_set(&pending_req->tmr_complete, 1);
    2824 + wake_up(&pending_req->tmr_wait);
    2825 }
    2826
    2827 static void scsiback_aborted_task(struct se_cmd *se_cmd)
    2828 diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
    2829 index 247b8dfaf6e5..8d8370ddb6b2 100644
    2830 --- a/fs/btrfs/acl.c
    2831 +++ b/fs/btrfs/acl.c
    2832 @@ -78,12 +78,6 @@ static int __btrfs_set_acl(struct btrfs_trans_handle *trans,
    2833 switch (type) {
    2834 case ACL_TYPE_ACCESS:
    2835 name = XATTR_NAME_POSIX_ACL_ACCESS;
    2836 - if (acl) {
    2837 - ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
    2838 - if (ret)
    2839 - return ret;
    2840 - }
    2841 - ret = 0;
    2842 break;
    2843 case ACL_TYPE_DEFAULT:
    2844 if (!S_ISDIR(inode->i_mode))
    2845 @@ -119,6 +113,13 @@ static int __btrfs_set_acl(struct btrfs_trans_handle *trans,
    2846
    2847 int btrfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
    2848 {
    2849 + int ret;
    2850 +
    2851 + if (type == ACL_TYPE_ACCESS && acl) {
    2852 + ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
    2853 + if (ret)
    2854 + return ret;
    2855 + }
    2856 return __btrfs_set_acl(NULL, inode, acl, type);
    2857 }
    2858
    2859 diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
    2860 index aca0d884de73..cec25691cbae 100644
    2861 --- a/fs/ceph/dir.c
    2862 +++ b/fs/ceph/dir.c
    2863 @@ -292,6 +292,11 @@ static int __dcache_readdir(struct file *file, struct dir_context *ctx,
    2864 if (ret < 0)
    2865 err = ret;
    2866 dput(last);
    2867 + /* last_name no longer match cache index */
    2868 + if (fi->readdir_cache_idx >= 0) {
    2869 + fi->readdir_cache_idx = -1;
    2870 + fi->dir_release_count = 0;
    2871 + }
    2872 }
    2873 return err;
    2874 }
    2875 diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c
    2876 index 79dafa71effd..069c0dceda01 100644
    2877 --- a/fs/ext2/acl.c
    2878 +++ b/fs/ext2/acl.c
    2879 @@ -175,11 +175,8 @@ ext2_get_acl(struct inode *inode, int type)
    2880 return acl;
    2881 }
    2882
    2883 -/*
    2884 - * inode->i_mutex: down
    2885 - */
    2886 -int
    2887 -ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
    2888 +static int
    2889 +__ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
    2890 {
    2891 int name_index;
    2892 void *value = NULL;
    2893 @@ -189,13 +186,6 @@ ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
    2894 switch(type) {
    2895 case ACL_TYPE_ACCESS:
    2896 name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
    2897 - if (acl) {
    2898 - error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
    2899 - if (error)
    2900 - return error;
    2901 - inode->i_ctime = current_time(inode);
    2902 - mark_inode_dirty(inode);
    2903 - }
    2904 break;
    2905
    2906 case ACL_TYPE_DEFAULT:
    2907 @@ -222,6 +212,24 @@ ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
    2908 }
    2909
    2910 /*
    2911 + * inode->i_mutex: down
    2912 + */
    2913 +int
    2914 +ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
    2915 +{
    2916 + int error;
    2917 +
    2918 + if (type == ACL_TYPE_ACCESS && acl) {
    2919 + error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
    2920 + if (error)
    2921 + return error;
    2922 + inode->i_ctime = current_time(inode);
    2923 + mark_inode_dirty(inode);
    2924 + }
    2925 + return __ext2_set_acl(inode, acl, type);
    2926 +}
    2927 +
    2928 +/*
    2929 * Initialize the ACLs of a new inode. Called from ext2_new_inode.
    2930 *
    2931 * dir->i_mutex: down
    2932 @@ -238,12 +246,12 @@ ext2_init_acl(struct inode *inode, struct inode *dir)
    2933 return error;
    2934
    2935 if (default_acl) {
    2936 - error = ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
    2937 + error = __ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
    2938 posix_acl_release(default_acl);
    2939 }
    2940 if (acl) {
    2941 if (!error)
    2942 - error = ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
    2943 + error = __ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
    2944 posix_acl_release(acl);
    2945 }
    2946 return error;
    2947 diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
    2948 index 6fe23af509e1..55aa29c0c78d 100644
    2949 --- a/fs/f2fs/acl.c
    2950 +++ b/fs/f2fs/acl.c
    2951 @@ -211,7 +211,7 @@ static int __f2fs_set_acl(struct inode *inode, int type,
    2952 switch (type) {
    2953 case ACL_TYPE_ACCESS:
    2954 name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
    2955 - if (acl) {
    2956 + if (acl && !ipage) {
    2957 error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
    2958 if (error)
    2959 return error;
    2960 diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
    2961 index a7943f861d68..74a2b444406d 100644
    2962 --- a/fs/f2fs/segment.c
    2963 +++ b/fs/f2fs/segment.c
    2964 @@ -1805,6 +1805,8 @@ static int read_normal_summaries(struct f2fs_sb_info *sbi, int type)
    2965
    2966 static int restore_curseg_summaries(struct f2fs_sb_info *sbi)
    2967 {
    2968 + struct f2fs_journal *sit_j = CURSEG_I(sbi, CURSEG_COLD_DATA)->journal;
    2969 + struct f2fs_journal *nat_j = CURSEG_I(sbi, CURSEG_HOT_DATA)->journal;
    2970 int type = CURSEG_HOT_DATA;
    2971 int err;
    2972
    2973 @@ -1831,6 +1833,11 @@ static int restore_curseg_summaries(struct f2fs_sb_info *sbi)
    2974 return err;
    2975 }
    2976
    2977 + /* sanity check for summary blocks */
    2978 + if (nats_in_cursum(nat_j) > NAT_JOURNAL_ENTRIES ||
    2979 + sits_in_cursum(sit_j) > SIT_JOURNAL_ENTRIES)
    2980 + return -EINVAL;
    2981 +
    2982 return 0;
    2983 }
    2984
    2985 diff --git a/fs/hfsplus/posix_acl.c b/fs/hfsplus/posix_acl.c
    2986 index 9b92058a1240..6bb5d7c42888 100644
    2987 --- a/fs/hfsplus/posix_acl.c
    2988 +++ b/fs/hfsplus/posix_acl.c
    2989 @@ -51,8 +51,8 @@ struct posix_acl *hfsplus_get_posix_acl(struct inode *inode, int type)
    2990 return acl;
    2991 }
    2992
    2993 -int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl,
    2994 - int type)
    2995 +static int __hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl,
    2996 + int type)
    2997 {
    2998 int err;
    2999 char *xattr_name;
    3000 @@ -64,12 +64,6 @@ int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl,
    3001 switch (type) {
    3002 case ACL_TYPE_ACCESS:
    3003 xattr_name = XATTR_NAME_POSIX_ACL_ACCESS;
    3004 - if (acl) {
    3005 - err = posix_acl_update_mode(inode, &inode->i_mode, &acl);
    3006 - if (err)
    3007 - return err;
    3008 - }
    3009 - err = 0;
    3010 break;
    3011
    3012 case ACL_TYPE_DEFAULT:
    3013 @@ -105,6 +99,18 @@ int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl,
    3014 return err;
    3015 }
    3016
    3017 +int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl, int type)
    3018 +{
    3019 + int err;
    3020 +
    3021 + if (type == ACL_TYPE_ACCESS && acl) {
    3022 + err = posix_acl_update_mode(inode, &inode->i_mode, &acl);
    3023 + if (err)
    3024 + return err;
    3025 + }
    3026 + return __hfsplus_set_posix_acl(inode, acl, type);
    3027 +}
    3028 +
    3029 int hfsplus_init_posix_acl(struct inode *inode, struct inode *dir)
    3030 {
    3031 int err = 0;
    3032 @@ -122,15 +128,15 @@ int hfsplus_init_posix_acl(struct inode *inode, struct inode *dir)
    3033 return err;
    3034
    3035 if (default_acl) {
    3036 - err = hfsplus_set_posix_acl(inode, default_acl,
    3037 - ACL_TYPE_DEFAULT);
    3038 + err = __hfsplus_set_posix_acl(inode, default_acl,
    3039 + ACL_TYPE_DEFAULT);
    3040 posix_acl_release(default_acl);
    3041 }
    3042
    3043 if (acl) {
    3044 if (!err)
    3045 - err = hfsplus_set_posix_acl(inode, acl,
    3046 - ACL_TYPE_ACCESS);
    3047 + err = __hfsplus_set_posix_acl(inode, acl,
    3048 + ACL_TYPE_ACCESS);
    3049 posix_acl_release(acl);
    3050 }
    3051 return err;
    3052 diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
    3053 index 53e02b8bd9bd..d04ec3814779 100644
    3054 --- a/fs/nfs/dir.c
    3055 +++ b/fs/nfs/dir.c
    3056 @@ -1167,11 +1167,13 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
    3057 /* Force a full look up iff the parent directory has changed */
    3058 if (!nfs_is_exclusive_create(dir, flags) &&
    3059 nfs_check_verifier(dir, dentry, flags & LOOKUP_RCU)) {
    3060 -
    3061 - if (nfs_lookup_verify_inode(inode, flags)) {
    3062 + error = nfs_lookup_verify_inode(inode, flags);
    3063 + if (error) {
    3064 if (flags & LOOKUP_RCU)
    3065 return -ECHILD;
    3066 - goto out_zap_parent;
    3067 + if (error == -ESTALE)
    3068 + goto out_zap_parent;
    3069 + goto out_error;
    3070 }
    3071 goto out_valid;
    3072 }
    3073 @@ -1195,8 +1197,10 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
    3074 trace_nfs_lookup_revalidate_enter(dir, dentry, flags);
    3075 error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, label);
    3076 trace_nfs_lookup_revalidate_exit(dir, dentry, flags, error);
    3077 - if (error)
    3078 + if (error == -ESTALE || error == -ENOENT)
    3079 goto out_bad;
    3080 + if (error)
    3081 + goto out_error;
    3082 if (nfs_compare_fh(NFS_FH(inode), fhandle))
    3083 goto out_bad;
    3084 if ((error = nfs_refresh_inode(inode, fattr)) != 0)
    3085 diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
    3086 index bf4ec5ecc97e..76ae25661d3f 100644
    3087 --- a/fs/nfs/inode.c
    3088 +++ b/fs/nfs/inode.c
    3089 @@ -1278,9 +1278,9 @@ static int nfs_check_inode_attributes(struct inode *inode, struct nfs_fattr *fat
    3090 return 0;
    3091 /* Has the inode gone and changed behind our back? */
    3092 if ((fattr->valid & NFS_ATTR_FATTR_FILEID) && nfsi->fileid != fattr->fileid)
    3093 - return -EIO;
    3094 + return -ESTALE;
    3095 if ((fattr->valid & NFS_ATTR_FATTR_TYPE) && (inode->i_mode & S_IFMT) != (fattr->mode & S_IFMT))
    3096 - return -EIO;
    3097 + return -ESTALE;
    3098
    3099 if (!nfs_file_has_buffered_writers(nfsi)) {
    3100 /* Verify a few of the more important attributes */
    3101 diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
    3102 index 0e100856c7b8..e7c8ac41e288 100644
    3103 --- a/fs/overlayfs/super.c
    3104 +++ b/fs/overlayfs/super.c
    3105 @@ -1146,6 +1146,7 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
    3106 unsigned int stacklen = 0;
    3107 unsigned int i;
    3108 bool remote = false;
    3109 + struct cred *cred;
    3110 int err;
    3111
    3112 err = -ENOMEM;
    3113 @@ -1309,10 +1310,14 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
    3114 else
    3115 sb->s_d_op = &ovl_dentry_operations;
    3116
    3117 - ufs->creator_cred = prepare_creds();
    3118 - if (!ufs->creator_cred)
    3119 + err = -ENOMEM;
    3120 + ufs->creator_cred = cred = prepare_creds();
    3121 + if (!cred)
    3122 goto out_put_lower_mnt;
    3123
    3124 + /* Never override disk quota limits or use reserved space */
    3125 + cap_lower(cred->cap_effective, CAP_SYS_RESOURCE);
    3126 +
    3127 err = -ENOMEM;
    3128 oe = ovl_alloc_entry(numlower);
    3129 if (!oe)
    3130 diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c
    3131 index 3d2256a425ee..d92a1dc6ee70 100644
    3132 --- a/fs/reiserfs/xattr_acl.c
    3133 +++ b/fs/reiserfs/xattr_acl.c
    3134 @@ -37,7 +37,14 @@ reiserfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
    3135 error = journal_begin(&th, inode->i_sb, jcreate_blocks);
    3136 reiserfs_write_unlock(inode->i_sb);
    3137 if (error == 0) {
    3138 + if (type == ACL_TYPE_ACCESS && acl) {
    3139 + error = posix_acl_update_mode(inode, &inode->i_mode,
    3140 + &acl);
    3141 + if (error)
    3142 + goto unlock;
    3143 + }
    3144 error = __reiserfs_set_acl(&th, inode, type, acl);
    3145 +unlock:
    3146 reiserfs_write_lock(inode->i_sb);
    3147 error2 = journal_end(&th);
    3148 reiserfs_write_unlock(inode->i_sb);
    3149 @@ -241,11 +248,6 @@ __reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode,
    3150 switch (type) {
    3151 case ACL_TYPE_ACCESS:
    3152 name = XATTR_NAME_POSIX_ACL_ACCESS;
    3153 - if (acl) {
    3154 - error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
    3155 - if (error)
    3156 - return error;
    3157 - }
    3158 break;
    3159 case ACL_TYPE_DEFAULT:
    3160 name = XATTR_NAME_POSIX_ACL_DEFAULT;
    3161 diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c
    3162 index 91bc76dc559e..7d764e3b6c79 100644
    3163 --- a/fs/ubifs/journal.c
    3164 +++ b/fs/ubifs/journal.c
    3165 @@ -576,7 +576,7 @@ int ubifs_jnl_update(struct ubifs_info *c, const struct inode *dir,
    3166 /* Make sure to also account for extended attributes */
    3167 len += host_ui->data_len;
    3168
    3169 - dent = kmalloc(len, GFP_NOFS);
    3170 + dent = kzalloc(len, GFP_NOFS);
    3171 if (!dent)
    3172 return -ENOMEM;
    3173
    3174 @@ -952,7 +952,7 @@ int ubifs_jnl_xrename(struct ubifs_info *c, const struct inode *fst_dir,
    3175 if (twoparents)
    3176 len += plen;
    3177
    3178 - dent1 = kmalloc(len, GFP_NOFS);
    3179 + dent1 = kzalloc(len, GFP_NOFS);
    3180 if (!dent1)
    3181 return -ENOMEM;
    3182
    3183 @@ -1102,7 +1102,7 @@ int ubifs_jnl_rename(struct ubifs_info *c, const struct inode *old_dir,
    3184 len = aligned_dlen1 + aligned_dlen2 + ALIGN(ilen, 8) + ALIGN(plen, 8);
    3185 if (move)
    3186 len += plen;
    3187 - dent = kmalloc(len, GFP_NOFS);
    3188 + dent = kzalloc(len, GFP_NOFS);
    3189 if (!dent)
    3190 return -ENOMEM;
    3191
    3192 @@ -1466,7 +1466,7 @@ int ubifs_jnl_delete_xattr(struct ubifs_info *c, const struct inode *host,
    3193 hlen = host_ui->data_len + UBIFS_INO_NODE_SZ;
    3194 len = aligned_xlen + UBIFS_INO_NODE_SZ + ALIGN(hlen, 8);
    3195
    3196 - xent = kmalloc(len, GFP_NOFS);
    3197 + xent = kzalloc(len, GFP_NOFS);
    3198 if (!xent)
    3199 return -ENOMEM;
    3200
    3201 @@ -1573,7 +1573,7 @@ int ubifs_jnl_change_xattr(struct ubifs_info *c, const struct inode *inode,
    3202 aligned_len1 = ALIGN(len1, 8);
    3203 aligned_len = aligned_len1 + ALIGN(len2, 8);
    3204
    3205 - ino = kmalloc(aligned_len, GFP_NOFS);
    3206 + ino = kzalloc(aligned_len, GFP_NOFS);
    3207 if (!ino)
    3208 return -ENOMEM;
    3209
    3210 diff --git a/fs/udf/inode.c b/fs/udf/inode.c
    3211 index 129b18a29c8f..035943501b9f 100644
    3212 --- a/fs/udf/inode.c
    3213 +++ b/fs/udf/inode.c
    3214 @@ -1243,8 +1243,8 @@ int udf_setsize(struct inode *inode, loff_t newsize)
    3215 return err;
    3216 }
    3217 set_size:
    3218 - truncate_setsize(inode, newsize);
    3219 up_write(&iinfo->i_data_sem);
    3220 + truncate_setsize(inode, newsize);
    3221 } else {
    3222 if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
    3223 down_write(&iinfo->i_data_sem);
    3224 @@ -1261,9 +1261,9 @@ int udf_setsize(struct inode *inode, loff_t newsize)
    3225 udf_get_block);
    3226 if (err)
    3227 return err;
    3228 + truncate_setsize(inode, newsize);
    3229 down_write(&iinfo->i_data_sem);
    3230 udf_clear_extent_cache(inode);
    3231 - truncate_setsize(inode, newsize);
    3232 udf_truncate_extents(inode);
    3233 up_write(&iinfo->i_data_sem);
    3234 }
    3235 diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c
    3236 index b468e041f207..7034e17535de 100644
    3237 --- a/fs/xfs/xfs_acl.c
    3238 +++ b/fs/xfs/xfs_acl.c
    3239 @@ -170,8 +170,8 @@ xfs_get_acl(struct inode *inode, int type)
    3240 return acl;
    3241 }
    3242
    3243 -STATIC int
    3244 -__xfs_set_acl(struct inode *inode, int type, struct posix_acl *acl)
    3245 +int
    3246 +__xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
    3247 {
    3248 struct xfs_inode *ip = XFS_I(inode);
    3249 unsigned char *ea_name;
    3250 @@ -268,5 +268,5 @@ xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
    3251 }
    3252
    3253 set_acl:
    3254 - return __xfs_set_acl(inode, type, acl);
    3255 + return __xfs_set_acl(inode, acl, type);
    3256 }
    3257 diff --git a/fs/xfs/xfs_acl.h b/fs/xfs/xfs_acl.h
    3258 index 286fa89217f5..04327318ef67 100644
    3259 --- a/fs/xfs/xfs_acl.h
    3260 +++ b/fs/xfs/xfs_acl.h
    3261 @@ -24,6 +24,7 @@ struct posix_acl;
    3262 #ifdef CONFIG_XFS_POSIX_ACL
    3263 extern struct posix_acl *xfs_get_acl(struct inode *inode, int type);
    3264 extern int xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type);
    3265 +extern int __xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type);
    3266 #else
    3267 static inline struct posix_acl *xfs_get_acl(struct inode *inode, int type)
    3268 {
    3269 diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
    3270 index f5e0f608e245..a1247c3c1efb 100644
    3271 --- a/fs/xfs/xfs_iops.c
    3272 +++ b/fs/xfs/xfs_iops.c
    3273 @@ -190,12 +190,12 @@ xfs_generic_create(
    3274
    3275 #ifdef CONFIG_XFS_POSIX_ACL
    3276 if (default_acl) {
    3277 - error = xfs_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
    3278 + error = __xfs_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
    3279 if (error)
    3280 goto out_cleanup_inode;
    3281 }
    3282 if (acl) {
    3283 - error = xfs_set_acl(inode, acl, ACL_TYPE_ACCESS);
    3284 + error = __xfs_set_acl(inode, acl, ACL_TYPE_ACCESS);
    3285 if (error)
    3286 goto out_cleanup_inode;
    3287 }
    3288 diff --git a/include/linux/vfio.h b/include/linux/vfio.h
    3289 index 0ecae0b1cd34..ed466750e744 100644
    3290 --- a/include/linux/vfio.h
    3291 +++ b/include/linux/vfio.h
    3292 @@ -88,6 +88,8 @@ extern void vfio_unregister_iommu_driver(
    3293 */
    3294 extern struct vfio_group *vfio_group_get_external_user(struct file *filep);
    3295 extern void vfio_group_put_external_user(struct vfio_group *group);
    3296 +extern bool vfio_external_group_match_file(struct vfio_group *group,
    3297 + struct file *filep);
    3298 extern int vfio_external_user_iommu_id(struct vfio_group *group);
    3299 extern long vfio_external_check_extension(struct vfio_group *group,
    3300 unsigned long arg);
    3301 diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
    3302 index b9ec4939b80c..f2b9a2ffe9e6 100644
    3303 --- a/include/scsi/scsi_device.h
    3304 +++ b/include/scsi/scsi_device.h
    3305 @@ -248,6 +248,7 @@ enum scsi_target_state {
    3306 STARGET_CREATED = 1,
    3307 STARGET_RUNNING,
    3308 STARGET_REMOVE,
    3309 + STARGET_CREATED_REMOVE,
    3310 STARGET_DEL,
    3311 };
    3312
    3313 diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h
    3314 index 4ac24f5a3308..33b2e75bf2eb 100644
    3315 --- a/include/target/iscsi/iscsi_target_core.h
    3316 +++ b/include/target/iscsi/iscsi_target_core.h
    3317 @@ -64,6 +64,14 @@
    3318 #define TA_DEFAULT_FABRIC_PROT_TYPE 0
    3319 /* TPG status needs to be enabled to return sendtargets discovery endpoint info */
    3320 #define TA_DEFAULT_TPG_ENABLED_SENDTARGETS 1
    3321 +/*
    3322 + * Used to control the sending of keys with optional to respond state bit,
    3323 + * as a workaround for non RFC compliant initiators,that do not propose,
    3324 + * nor respond to specific keys required for login to complete.
    3325 + *
    3326 + * See iscsi_check_proposer_for_optional_reply() for more details.
    3327 + */
    3328 +#define TA_DEFAULT_LOGIN_KEYS_WORKAROUND 1
    3329
    3330 #define ISCSI_IOV_DATA_BUFFER 5
    3331
    3332 @@ -766,6 +774,7 @@ struct iscsi_tpg_attrib {
    3333 u8 t10_pi;
    3334 u32 fabric_prot_type;
    3335 u32 tpg_enabled_sendtargets;
    3336 + u32 login_keys_workaround;
    3337 struct iscsi_portal_group *tpg;
    3338 };
    3339
    3340 diff --git a/kernel/events/core.c b/kernel/events/core.c
    3341 index 30ccc7029d18..f5a693589d66 100644
    3342 --- a/kernel/events/core.c
    3343 +++ b/kernel/events/core.c
    3344 @@ -7088,21 +7088,6 @@ static void perf_log_itrace_start(struct perf_event *event)
    3345 perf_output_end(&handle);
    3346 }
    3347
    3348 -static bool sample_is_allowed(struct perf_event *event, struct pt_regs *regs)
    3349 -{
    3350 - /*
    3351 - * Due to interrupt latency (AKA "skid"), we may enter the
    3352 - * kernel before taking an overflow, even if the PMU is only
    3353 - * counting user events.
    3354 - * To avoid leaking information to userspace, we must always
    3355 - * reject kernel samples when exclude_kernel is set.
    3356 - */
    3357 - if (event->attr.exclude_kernel && !user_mode(regs))
    3358 - return false;
    3359 -
    3360 - return true;
    3361 -}
    3362 -
    3363 /*
    3364 * Generic event overflow handling, sampling.
    3365 */
    3366 @@ -7150,12 +7135,6 @@ static int __perf_event_overflow(struct perf_event *event,
    3367 }
    3368
    3369 /*
    3370 - * For security, drop the skid kernel samples if necessary.
    3371 - */
    3372 - if (!sample_is_allowed(event, regs))
    3373 - return ret;
    3374 -
    3375 - /*
    3376 * XXX event_limit might not quite work as expected on inherited
    3377 * events
    3378 */
    3379 diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
    3380 index 9ba04aa740b9..d67ef56ca9bc 100644
    3381 --- a/kernel/time/alarmtimer.c
    3382 +++ b/kernel/time/alarmtimer.c
    3383 @@ -629,7 +629,8 @@ static int alarm_timer_set(struct k_itimer *timr, int flags,
    3384 * Rate limit to the tick as a hot fix to prevent DOS. Will be
    3385 * mopped up later.
    3386 */
    3387 - if (ktime_to_ns(timr->it.alarm.interval) < TICK_NSEC)
    3388 + if (timr->it.alarm.interval.tv64 &&
    3389 + ktime_to_ns(timr->it.alarm.interval) < TICK_NSEC)
    3390 timr->it.alarm.interval = ktime_set(0, TICK_NSEC);
    3391
    3392 exp = timespec_to_ktime(new_setting->it_value);
    3393 diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
    3394 index 221eb59272e1..4f7ea8446bb5 100644
    3395 --- a/kernel/trace/ftrace.c
    3396 +++ b/kernel/trace/ftrace.c
    3397 @@ -3590,7 +3590,7 @@ match_records(struct ftrace_hash *hash, char *func, int len, char *mod)
    3398 int exclude_mod = 0;
    3399 int found = 0;
    3400 int ret;
    3401 - int clear_filter;
    3402 + int clear_filter = 0;
    3403
    3404 if (func) {
    3405 func_g.type = filter_parse_regex(func, len, &func_g.search,
    3406 diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
    3407 index 52ee2c51f4b3..53c308068e39 100644
    3408 --- a/kernel/trace/trace.c
    3409 +++ b/kernel/trace/trace.c
    3410 @@ -7162,6 +7162,7 @@ static int instance_rmdir(const char *name)
    3411 }
    3412 kfree(tr->topts);
    3413
    3414 + free_cpumask_var(tr->tracing_cpumask);
    3415 kfree(tr->name);
    3416 kfree(tr);
    3417
    3418 diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
    3419 index 43faf2aea2ab..658c900752c6 100644
    3420 --- a/net/bluetooth/smp.c
    3421 +++ b/net/bluetooth/smp.c
    3422 @@ -23,6 +23,7 @@
    3423 #include <linux/debugfs.h>
    3424 #include <linux/scatterlist.h>
    3425 #include <linux/crypto.h>
    3426 +#include <crypto/algapi.h>
    3427 #include <crypto/b128ops.h>
    3428 #include <crypto/hash.h>
    3429
    3430 @@ -506,7 +507,7 @@ bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
    3431 if (err)
    3432 return false;
    3433
    3434 - return !memcmp(bdaddr->b, hash, 3);
    3435 + return !crypto_memneq(bdaddr->b, hash, 3);
    3436 }
    3437
    3438 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
    3439 @@ -559,7 +560,7 @@ int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
    3440 /* This is unlikely, but we need to check that
    3441 * we didn't accidentially generate a debug key.
    3442 */
    3443 - if (memcmp(smp->local_sk, debug_sk, 32))
    3444 + if (crypto_memneq(smp->local_sk, debug_sk, 32))
    3445 break;
    3446 }
    3447 smp->debug_key = false;
    3448 @@ -973,7 +974,7 @@ static u8 smp_random(struct smp_chan *smp)
    3449 if (ret)
    3450 return SMP_UNSPECIFIED;
    3451
    3452 - if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
    3453 + if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
    3454 BT_ERR("Pairing failed (confirmation values mismatch)");
    3455 return SMP_CONFIRM_FAILED;
    3456 }
    3457 @@ -1473,7 +1474,7 @@ static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
    3458 smp->rrnd, r, cfm))
    3459 return SMP_UNSPECIFIED;
    3460
    3461 - if (memcmp(smp->pcnf, cfm, 16))
    3462 + if (crypto_memneq(smp->pcnf, cfm, 16))
    3463 return SMP_CONFIRM_FAILED;
    3464
    3465 smp->passkey_round++;
    3466 @@ -1857,7 +1858,7 @@ static u8 sc_send_public_key(struct smp_chan *smp)
    3467 /* This is unlikely, but we need to check that
    3468 * we didn't accidentially generate a debug key.
    3469 */
    3470 - if (memcmp(smp->local_sk, debug_sk, 32))
    3471 + if (crypto_memneq(smp->local_sk, debug_sk, 32))
    3472 break;
    3473 }
    3474 }
    3475 @@ -2122,7 +2123,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
    3476 if (err)
    3477 return SMP_UNSPECIFIED;
    3478
    3479 - if (memcmp(smp->pcnf, cfm, 16))
    3480 + if (crypto_memneq(smp->pcnf, cfm, 16))
    3481 return SMP_CONFIRM_FAILED;
    3482 } else {
    3483 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
    3484 @@ -2603,7 +2604,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
    3485 if (err)
    3486 return SMP_UNSPECIFIED;
    3487
    3488 - if (memcmp(cfm.confirm_val, smp->pcnf, 16))
    3489 + if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
    3490 return SMP_CONFIRM_FAILED;
    3491 }
    3492
    3493 @@ -2636,7 +2637,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
    3494 else
    3495 hcon->pending_sec_level = BT_SECURITY_FIPS;
    3496
    3497 - if (!memcmp(debug_pk, smp->remote_pk, 64))
    3498 + if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
    3499 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
    3500
    3501 if (smp->method == DSP_PASSKEY) {
    3502 @@ -2735,7 +2736,7 @@ static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
    3503 if (err)
    3504 return SMP_UNSPECIFIED;
    3505
    3506 - if (memcmp(check->e, e, 16))
    3507 + if (crypto_memneq(check->e, e, 16))
    3508 return SMP_DHKEY_CHECK_FAILED;
    3509
    3510 if (!hcon->out) {
    3511 @@ -3446,7 +3447,7 @@ static int __init test_ah(struct crypto_cipher *tfm_aes)
    3512 if (err)
    3513 return err;
    3514
    3515 - if (memcmp(res, exp, 3))
    3516 + if (crypto_memneq(res, exp, 3))
    3517 return -EINVAL;
    3518
    3519 return 0;
    3520 @@ -3476,7 +3477,7 @@ static int __init test_c1(struct crypto_cipher *tfm_aes)
    3521 if (err)
    3522 return err;
    3523
    3524 - if (memcmp(res, exp, 16))
    3525 + if (crypto_memneq(res, exp, 16))
    3526 return -EINVAL;
    3527
    3528 return 0;
    3529 @@ -3501,7 +3502,7 @@ static int __init test_s1(struct crypto_cipher *tfm_aes)
    3530 if (err)
    3531 return err;
    3532
    3533 - if (memcmp(res, exp, 16))
    3534 + if (crypto_memneq(res, exp, 16))
    3535 return -EINVAL;
    3536
    3537 return 0;
    3538 @@ -3533,7 +3534,7 @@ static int __init test_f4(struct crypto_shash *tfm_cmac)
    3539 if (err)
    3540 return err;
    3541
    3542 - if (memcmp(res, exp, 16))
    3543 + if (crypto_memneq(res, exp, 16))
    3544 return -EINVAL;
    3545
    3546 return 0;
    3547 @@ -3567,10 +3568,10 @@ static int __init test_f5(struct crypto_shash *tfm_cmac)
    3548 if (err)
    3549 return err;
    3550
    3551 - if (memcmp(mackey, exp_mackey, 16))
    3552 + if (crypto_memneq(mackey, exp_mackey, 16))
    3553 return -EINVAL;
    3554
    3555 - if (memcmp(ltk, exp_ltk, 16))
    3556 + if (crypto_memneq(ltk, exp_ltk, 16))
    3557 return -EINVAL;
    3558
    3559 return 0;
    3560 @@ -3603,7 +3604,7 @@ static int __init test_f6(struct crypto_shash *tfm_cmac)
    3561 if (err)
    3562 return err;
    3563
    3564 - if (memcmp(res, exp, 16))
    3565 + if (crypto_memneq(res, exp, 16))
    3566 return -EINVAL;
    3567
    3568 return 0;
    3569 @@ -3657,7 +3658,7 @@ static int __init test_h6(struct crypto_shash *tfm_cmac)
    3570 if (err)
    3571 return err;
    3572
    3573 - if (memcmp(res, exp, 16))
    3574 + if (crypto_memneq(res, exp, 16))
    3575 return -EINVAL;
    3576
    3577 return 0;
    3578 diff --git a/net/key/af_key.c b/net/key/af_key.c
    3579 index e67c28e614b9..d8d95b6415e4 100644
    3580 --- a/net/key/af_key.c
    3581 +++ b/net/key/af_key.c
    3582 @@ -65,6 +65,10 @@ struct pfkey_sock {
    3583 } dump;
    3584 };
    3585
    3586 +static int parse_sockaddr_pair(struct sockaddr *sa, int ext_len,
    3587 + xfrm_address_t *saddr, xfrm_address_t *daddr,
    3588 + u16 *family);
    3589 +
    3590 static inline struct pfkey_sock *pfkey_sk(struct sock *sk)
    3591 {
    3592 return (struct pfkey_sock *)sk;
    3593 @@ -1922,19 +1926,14 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
    3594
    3595 /* addresses present only in tunnel mode */
    3596 if (t->mode == XFRM_MODE_TUNNEL) {
    3597 - u8 *sa = (u8 *) (rq + 1);
    3598 - int family, socklen;
    3599 + int err;
    3600
    3601 - family = pfkey_sockaddr_extract((struct sockaddr *)sa,
    3602 - &t->saddr);
    3603 - if (!family)
    3604 - return -EINVAL;
    3605 -
    3606 - socklen = pfkey_sockaddr_len(family);
    3607 - if (pfkey_sockaddr_extract((struct sockaddr *)(sa + socklen),
    3608 - &t->id.daddr) != family)
    3609 - return -EINVAL;
    3610 - t->encap_family = family;
    3611 + err = parse_sockaddr_pair(
    3612 + (struct sockaddr *)(rq + 1),
    3613 + rq->sadb_x_ipsecrequest_len - sizeof(*rq),
    3614 + &t->saddr, &t->id.daddr, &t->encap_family);
    3615 + if (err)
    3616 + return err;
    3617 } else
    3618 t->encap_family = xp->family;
    3619
    3620 @@ -1954,7 +1953,11 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol)
    3621 if (pol->sadb_x_policy_len * 8 < sizeof(struct sadb_x_policy))
    3622 return -EINVAL;
    3623
    3624 - while (len >= sizeof(struct sadb_x_ipsecrequest)) {
    3625 + while (len >= sizeof(*rq)) {
    3626 + if (len < rq->sadb_x_ipsecrequest_len ||
    3627 + rq->sadb_x_ipsecrequest_len < sizeof(*rq))
    3628 + return -EINVAL;
    3629 +
    3630 if ((err = parse_ipsecrequest(xp, rq)) < 0)
    3631 return err;
    3632 len -= rq->sadb_x_ipsecrequest_len;
    3633 @@ -2417,7 +2420,6 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc
    3634 return err;
    3635 }
    3636
    3637 -#ifdef CONFIG_NET_KEY_MIGRATE
    3638 static int pfkey_sockaddr_pair_size(sa_family_t family)
    3639 {
    3640 return PFKEY_ALIGN8(pfkey_sockaddr_len(family) * 2);
    3641 @@ -2429,7 +2431,7 @@ static int parse_sockaddr_pair(struct sockaddr *sa, int ext_len,
    3642 {
    3643 int af, socklen;
    3644
    3645 - if (ext_len < pfkey_sockaddr_pair_size(sa->sa_family))
    3646 + if (ext_len < 2 || ext_len < pfkey_sockaddr_pair_size(sa->sa_family))
    3647 return -EINVAL;
    3648
    3649 af = pfkey_sockaddr_extract(sa, saddr);
    3650 @@ -2445,6 +2447,7 @@ static int parse_sockaddr_pair(struct sockaddr *sa, int ext_len,
    3651 return 0;
    3652 }
    3653
    3654 +#ifdef CONFIG_NET_KEY_MIGRATE
    3655 static int ipsecrequests_to_migrate(struct sadb_x_ipsecrequest *rq1, int len,
    3656 struct xfrm_migrate *m)
    3657 {
    3658 @@ -2452,13 +2455,14 @@ static int ipsecrequests_to_migrate(struct sadb_x_ipsecrequest *rq1, int len,
    3659 struct sadb_x_ipsecrequest *rq2;
    3660 int mode;
    3661
    3662 - if (len <= sizeof(struct sadb_x_ipsecrequest) ||
    3663 - len < rq1->sadb_x_ipsecrequest_len)
    3664 + if (len < sizeof(*rq1) ||
    3665 + len < rq1->sadb_x_ipsecrequest_len ||
    3666 + rq1->sadb_x_ipsecrequest_len < sizeof(*rq1))
    3667 return -EINVAL;
    3668
    3669 /* old endoints */
    3670 err = parse_sockaddr_pair((struct sockaddr *)(rq1 + 1),
    3671 - rq1->sadb_x_ipsecrequest_len,
    3672 + rq1->sadb_x_ipsecrequest_len - sizeof(*rq1),
    3673 &m->old_saddr, &m->old_daddr,
    3674 &m->old_family);
    3675 if (err)
    3676 @@ -2467,13 +2471,14 @@ static int ipsecrequests_to_migrate(struct sadb_x_ipsecrequest *rq1, int len,
    3677 rq2 = (struct sadb_x_ipsecrequest *)((u8 *)rq1 + rq1->sadb_x_ipsecrequest_len);
    3678 len -= rq1->sadb_x_ipsecrequest_len;
    3679
    3680 - if (len <= sizeof(struct sadb_x_ipsecrequest) ||
    3681 - len < rq2->sadb_x_ipsecrequest_len)
    3682 + if (len <= sizeof(*rq2) ||
    3683 + len < rq2->sadb_x_ipsecrequest_len ||
    3684 + rq2->sadb_x_ipsecrequest_len < sizeof(*rq2))
    3685 return -EINVAL;
    3686
    3687 /* new endpoints */
    3688 err = parse_sockaddr_pair((struct sockaddr *)(rq2 + 1),
    3689 - rq2->sadb_x_ipsecrequest_len,
    3690 + rq2->sadb_x_ipsecrequest_len - sizeof(*rq2),
    3691 &m->new_saddr, &m->new_daddr,
    3692 &m->new_family);
    3693 if (err)
    3694 diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
    3695 index 2c1b498a7a27..e34d3f60fccd 100644
    3696 --- a/net/netfilter/ipvs/ip_vs_core.c
    3697 +++ b/net/netfilter/ipvs/ip_vs_core.c
    3698 @@ -849,10 +849,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
    3699 {
    3700 unsigned int verdict = NF_DROP;
    3701
    3702 - if (IP_VS_FWD_METHOD(cp) != 0) {
    3703 - pr_err("shouldn't reach here, because the box is on the "
    3704 - "half connection in the tun/dr module.\n");
    3705 - }
    3706 + if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
    3707 + goto ignore_cp;
    3708
    3709 /* Ensure the checksum is correct */
    3710 if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
    3711 @@ -886,6 +884,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
    3712 ip_vs_notrack(skb);
    3713 else
    3714 ip_vs_update_conntrack(skb, cp, 0);
    3715 +
    3716 +ignore_cp:
    3717 verdict = NF_ACCEPT;
    3718
    3719 out:
    3720 @@ -1385,8 +1385,11 @@ ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, in
    3721 */
    3722 cp = pp->conn_out_get(ipvs, af, skb, &iph);
    3723
    3724 - if (likely(cp))
    3725 + if (likely(cp)) {
    3726 + if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
    3727 + goto ignore_cp;
    3728 return handle_response(af, skb, pd, cp, &iph, hooknum);
    3729 + }
    3730
    3731 /* Check for real-server-started requests */
    3732 if (atomic_read(&ipvs->conn_out_counter)) {
    3733 @@ -1444,9 +1447,15 @@ ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, in
    3734 }
    3735 }
    3736 }
    3737 +
    3738 +out:
    3739 IP_VS_DBG_PKT(12, af, pp, skb, iph.off,
    3740 "ip_vs_out: packet continues traversal as normal");
    3741 return NF_ACCEPT;
    3742 +
    3743 +ignore_cp:
    3744 + __ip_vs_conn_put(cp);
    3745 + goto out;
    3746 }
    3747
    3748 /*
    3749 diff --git a/net/nfc/core.c b/net/nfc/core.c
    3750 index 122bb81da918..5cf33df888c3 100644
    3751 --- a/net/nfc/core.c
    3752 +++ b/net/nfc/core.c
    3753 @@ -982,6 +982,8 @@ static void nfc_release(struct device *d)
    3754 kfree(se);
    3755 }
    3756
    3757 + ida_simple_remove(&nfc_index_ida, dev->idx);
    3758 +
    3759 kfree(dev);
    3760 }
    3761
    3762 @@ -1056,6 +1058,7 @@ struct nfc_dev *nfc_allocate_device(struct nfc_ops *ops,
    3763 int tx_headroom, int tx_tailroom)
    3764 {
    3765 struct nfc_dev *dev;
    3766 + int rc;
    3767
    3768 if (!ops->start_poll || !ops->stop_poll || !ops->activate_target ||
    3769 !ops->deactivate_target || !ops->im_transceive)
    3770 @@ -1068,6 +1071,15 @@ struct nfc_dev *nfc_allocate_device(struct nfc_ops *ops,
    3771 if (!dev)
    3772 return NULL;
    3773
    3774 + rc = ida_simple_get(&nfc_index_ida, 0, 0, GFP_KERNEL);
    3775 + if (rc < 0)
    3776 + goto err_free_dev;
    3777 + dev->idx = rc;
    3778 +
    3779 + dev->dev.class = &nfc_class;
    3780 + dev_set_name(&dev->dev, "nfc%d", dev->idx);
    3781 + device_initialize(&dev->dev);
    3782 +
    3783 dev->ops = ops;
    3784 dev->supported_protocols = supported_protocols;
    3785 dev->tx_headroom = tx_headroom;
    3786 @@ -1090,6 +1102,11 @@ struct nfc_dev *nfc_allocate_device(struct nfc_ops *ops,
    3787 }
    3788
    3789 return dev;
    3790 +
    3791 +err_free_dev:
    3792 + kfree(dev);
    3793 +
    3794 + return ERR_PTR(rc);
    3795 }
    3796 EXPORT_SYMBOL(nfc_allocate_device);
    3797
    3798 @@ -1104,14 +1121,6 @@ int nfc_register_device(struct nfc_dev *dev)
    3799
    3800 pr_debug("dev_name=%s\n", dev_name(&dev->dev));
    3801
    3802 - dev->idx = ida_simple_get(&nfc_index_ida, 0, 0, GFP_KERNEL);
    3803 - if (dev->idx < 0)
    3804 - return dev->idx;
    3805 -
    3806 - dev->dev.class = &nfc_class;
    3807 - dev_set_name(&dev->dev, "nfc%d", dev->idx);
    3808 - device_initialize(&dev->dev);
    3809 -
    3810 mutex_lock(&nfc_devlist_mutex);
    3811 nfc_devlist_generation++;
    3812 rc = device_add(&dev->dev);
    3813 @@ -1149,12 +1158,10 @@ EXPORT_SYMBOL(nfc_register_device);
    3814 */
    3815 void nfc_unregister_device(struct nfc_dev *dev)
    3816 {
    3817 - int rc, id;
    3818 + int rc;
    3819
    3820 pr_debug("dev_name=%s\n", dev_name(&dev->dev));
    3821
    3822 - id = dev->idx;
    3823 -
    3824 if (dev->rfkill) {
    3825 rfkill_unregister(dev->rfkill);
    3826 rfkill_destroy(dev->rfkill);
    3827 @@ -1179,8 +1186,6 @@ void nfc_unregister_device(struct nfc_dev *dev)
    3828 nfc_devlist_generation++;
    3829 device_del(&dev->dev);
    3830 mutex_unlock(&nfc_devlist_mutex);
    3831 -
    3832 - ida_simple_remove(&nfc_index_ida, id);
    3833 }
    3834 EXPORT_SYMBOL(nfc_unregister_device);
    3835
    3836 diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
    3837 index b9edf5fae6ae..e31dea17473d 100644
    3838 --- a/net/nfc/llcp_sock.c
    3839 +++ b/net/nfc/llcp_sock.c
    3840 @@ -76,7 +76,8 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
    3841 struct sockaddr_nfc_llcp llcp_addr;
    3842 int len, ret = 0;
    3843
    3844 - if (!addr || addr->sa_family != AF_NFC)
    3845 + if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
    3846 + addr->sa_family != AF_NFC)
    3847 return -EINVAL;
    3848
    3849 pr_debug("sk %p addr %p family %d\n", sk, addr, addr->sa_family);
    3850 @@ -150,7 +151,8 @@ static int llcp_raw_sock_bind(struct socket *sock, struct sockaddr *addr,
    3851 struct sockaddr_nfc_llcp llcp_addr;
    3852 int len, ret = 0;
    3853
    3854 - if (!addr || addr->sa_family != AF_NFC)
    3855 + if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
    3856 + addr->sa_family != AF_NFC)
    3857 return -EINVAL;
    3858
    3859 pr_debug("sk %p addr %p family %d\n", sk, addr, addr->sa_family);
    3860 @@ -661,8 +663,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
    3861
    3862 pr_debug("sock %p sk %p flags 0x%x\n", sock, sk, flags);
    3863
    3864 - if (!addr || len < sizeof(struct sockaddr_nfc) ||
    3865 - addr->sa_family != AF_NFC)
    3866 + if (!addr || len < sizeof(*addr) || addr->sa_family != AF_NFC)
    3867 return -EINVAL;
    3868
    3869 if (addr->service_name_len == 0 && addr->dsap == 0)
    3870 diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
    3871 index 61fff422424f..85a3d9ed4c29 100644
    3872 --- a/net/nfc/nci/core.c
    3873 +++ b/net/nfc/nci/core.c
    3874 @@ -1173,8 +1173,7 @@ struct nci_dev *nci_allocate_device(struct nci_ops *ops,
    3875 return ndev;
    3876
    3877 free_nfc:
    3878 - kfree(ndev->nfc_dev);
    3879 -
    3880 + nfc_free_device(ndev->nfc_dev);
    3881 free_nci:
    3882 kfree(ndev);
    3883 return NULL;
    3884 diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
    3885 index ea023b35f1c2..102c681c48b5 100644
    3886 --- a/net/nfc/netlink.c
    3887 +++ b/net/nfc/netlink.c
    3888 @@ -910,7 +910,9 @@ static int nfc_genl_activate_target(struct sk_buff *skb, struct genl_info *info)
    3889 u32 device_idx, target_idx, protocol;
    3890 int rc;
    3891
    3892 - if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
    3893 + if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
    3894 + !info->attrs[NFC_ATTR_TARGET_INDEX] ||
    3895 + !info->attrs[NFC_ATTR_PROTOCOLS])
    3896 return -EINVAL;
    3897
    3898 device_idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
    3899 diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
    3900 index 90115ceefd49..79aec90259cd 100644
    3901 --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
    3902 +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
    3903 @@ -34,6 +34,7 @@
    3904 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
    3905 */
    3906
    3907 +#include <crypto/algapi.h>
    3908 #include <crypto/hash.h>
    3909 #include <crypto/skcipher.h>
    3910 #include <linux/err.h>
    3911 @@ -927,7 +928,7 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf,
    3912 if (ret)
    3913 goto out_err;
    3914
    3915 - if (memcmp(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
    3916 + if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
    3917 ret = GSS_S_BAD_SIG;
    3918 goto out_err;
    3919 }
    3920 diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c
    3921 index bf7b52fce597..ff093edccea9 100644
    3922 --- a/sound/soc/soc-compress.c
    3923 +++ b/sound/soc/soc-compress.c
    3924 @@ -68,7 +68,8 @@ static int soc_compr_open(struct snd_compr_stream *cstream)
    3925 static int soc_compr_open_fe(struct snd_compr_stream *cstream)
    3926 {
    3927 struct snd_soc_pcm_runtime *fe = cstream->private_data;
    3928 - struct snd_pcm_substream *fe_substream = fe->pcm->streams[0].substream;
    3929 + struct snd_pcm_substream *fe_substream =
    3930 + fe->pcm->streams[cstream->direction].substream;
    3931 struct snd_soc_platform *platform = fe->platform;
    3932 struct snd_soc_dpcm *dpcm;
    3933 struct snd_soc_dapm_widget_list *list;
    3934 @@ -414,7 +415,8 @@ static int soc_compr_set_params_fe(struct snd_compr_stream *cstream,
    3935 struct snd_compr_params *params)
    3936 {
    3937 struct snd_soc_pcm_runtime *fe = cstream->private_data;
    3938 - struct snd_pcm_substream *fe_substream = fe->pcm->streams[0].substream;
    3939 + struct snd_pcm_substream *fe_substream =
    3940 + fe->pcm->streams[cstream->direction].substream;
    3941 struct snd_soc_platform *platform = fe->platform;
    3942 int ret = 0, stream;
    3943
    3944 diff --git a/tools/perf/ui/browser.c b/tools/perf/ui/browser.c
    3945 index 3eb3edb307a4..a1309010d109 100644
    3946 --- a/tools/perf/ui/browser.c
    3947 +++ b/tools/perf/ui/browser.c
    3948 @@ -702,7 +702,7 @@ static void __ui_browser__line_arrow_down(struct ui_browser *browser,
    3949 ui_browser__gotorc(browser, row, column + 1);
    3950 SLsmg_draw_hline(2);
    3951
    3952 - if (row++ == 0)
    3953 + if (++row == 0)
    3954 goto out;
    3955 } else
    3956 row = 0;
    3957 diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
    3958 index 04387ab31316..7e27207d0f45 100644
    3959 --- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
    3960 +++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
    3961 @@ -64,6 +64,25 @@ enum intel_pt_pkt_state {
    3962 INTEL_PT_STATE_FUP_NO_TIP,
    3963 };
    3964
    3965 +static inline bool intel_pt_sample_time(enum intel_pt_pkt_state pkt_state)
    3966 +{
    3967 + switch (pkt_state) {
    3968 + case INTEL_PT_STATE_NO_PSB:
    3969 + case INTEL_PT_STATE_NO_IP:
    3970 + case INTEL_PT_STATE_ERR_RESYNC:
    3971 + case INTEL_PT_STATE_IN_SYNC:
    3972 + case INTEL_PT_STATE_TNT:
    3973 + return true;
    3974 + case INTEL_PT_STATE_TIP:
    3975 + case INTEL_PT_STATE_TIP_PGD:
    3976 + case INTEL_PT_STATE_FUP:
    3977 + case INTEL_PT_STATE_FUP_NO_TIP:
    3978 + return false;
    3979 + default:
    3980 + return true;
    3981 + };
    3982 +}
    3983 +
    3984 #ifdef INTEL_PT_STRICT
    3985 #define INTEL_PT_STATE_ERR1 INTEL_PT_STATE_NO_PSB
    3986 #define INTEL_PT_STATE_ERR2 INTEL_PT_STATE_NO_PSB
    3987 @@ -92,6 +111,7 @@ struct intel_pt_decoder {
    3988 bool have_tma;
    3989 bool have_cyc;
    3990 bool fixup_last_mtc;
    3991 + bool have_last_ip;
    3992 uint64_t pos;
    3993 uint64_t last_ip;
    3994 uint64_t ip;
    3995 @@ -99,6 +119,7 @@ struct intel_pt_decoder {
    3996 uint64_t timestamp;
    3997 uint64_t tsc_timestamp;
    3998 uint64_t ref_timestamp;
    3999 + uint64_t sample_timestamp;
    4000 uint64_t ret_addr;
    4001 uint64_t ctc_timestamp;
    4002 uint64_t ctc_delta;
    4003 @@ -139,6 +160,7 @@ struct intel_pt_decoder {
    4004 unsigned int fup_tx_flags;
    4005 unsigned int tx_flags;
    4006 uint64_t timestamp_insn_cnt;
    4007 + uint64_t sample_insn_cnt;
    4008 uint64_t stuck_ip;
    4009 int no_progress;
    4010 int stuck_ip_prd;
    4011 @@ -398,6 +420,7 @@ static uint64_t intel_pt_calc_ip(const struct intel_pt_pkt *packet,
    4012 static inline void intel_pt_set_last_ip(struct intel_pt_decoder *decoder)
    4013 {
    4014 decoder->last_ip = intel_pt_calc_ip(&decoder->packet, decoder->last_ip);
    4015 + decoder->have_last_ip = true;
    4016 }
    4017
    4018 static inline void intel_pt_set_ip(struct intel_pt_decoder *decoder)
    4019 @@ -898,6 +921,7 @@ static int intel_pt_walk_insn(struct intel_pt_decoder *decoder,
    4020
    4021 decoder->tot_insn_cnt += insn_cnt;
    4022 decoder->timestamp_insn_cnt += insn_cnt;
    4023 + decoder->sample_insn_cnt += insn_cnt;
    4024 decoder->period_insn_cnt += insn_cnt;
    4025
    4026 if (err) {
    4027 @@ -1444,7 +1468,8 @@ static int intel_pt_walk_psbend(struct intel_pt_decoder *decoder)
    4028
    4029 case INTEL_PT_FUP:
    4030 decoder->pge = true;
    4031 - intel_pt_set_last_ip(decoder);
    4032 + if (decoder->packet.count)
    4033 + intel_pt_set_last_ip(decoder);
    4034 break;
    4035
    4036 case INTEL_PT_MODE_TSX:
    4037 @@ -1648,6 +1673,8 @@ static int intel_pt_walk_trace(struct intel_pt_decoder *decoder)
    4038 break;
    4039
    4040 case INTEL_PT_PSB:
    4041 + decoder->last_ip = 0;
    4042 + decoder->have_last_ip = true;
    4043 intel_pt_clear_stack(&decoder->stack);
    4044 err = intel_pt_walk_psbend(decoder);
    4045 if (err == -EAGAIN)
    4046 @@ -1728,8 +1755,9 @@ static int intel_pt_walk_trace(struct intel_pt_decoder *decoder)
    4047
    4048 static inline bool intel_pt_have_ip(struct intel_pt_decoder *decoder)
    4049 {
    4050 - return decoder->last_ip || decoder->packet.count == 0 ||
    4051 - decoder->packet.count == 3 || decoder->packet.count == 6;
    4052 + return decoder->packet.count &&
    4053 + (decoder->have_last_ip || decoder->packet.count == 3 ||
    4054 + decoder->packet.count == 6);
    4055 }
    4056
    4057 /* Walk PSB+ packets to get in sync. */
    4058 @@ -1852,14 +1880,10 @@ static int intel_pt_walk_to_ip(struct intel_pt_decoder *decoder)
    4059 break;
    4060
    4061 case INTEL_PT_FUP:
    4062 - if (decoder->overflow) {
    4063 - if (intel_pt_have_ip(decoder))
    4064 - intel_pt_set_ip(decoder);
    4065 - if (decoder->ip)
    4066 - return 0;
    4067 - }
    4068 - if (decoder->packet.count)
    4069 - intel_pt_set_last_ip(decoder);
    4070 + if (intel_pt_have_ip(decoder))
    4071 + intel_pt_set_ip(decoder);
    4072 + if (decoder->ip)
    4073 + return 0;
    4074 break;
    4075
    4076 case INTEL_PT_MTC:
    4077 @@ -1908,6 +1932,9 @@ static int intel_pt_walk_to_ip(struct intel_pt_decoder *decoder)
    4078 break;
    4079
    4080 case INTEL_PT_PSB:
    4081 + decoder->last_ip = 0;
    4082 + decoder->have_last_ip = true;
    4083 + intel_pt_clear_stack(&decoder->stack);
    4084 err = intel_pt_walk_psb(decoder);
    4085 if (err)
    4086 return err;
    4087 @@ -1933,6 +1960,8 @@ static int intel_pt_sync_ip(struct intel_pt_decoder *decoder)
    4088 {
    4089 int err;
    4090
    4091 + decoder->set_fup_tx_flags = false;
    4092 +
    4093 intel_pt_log("Scanning for full IP\n");
    4094 err = intel_pt_walk_to_ip(decoder);
    4095 if (err)
    4096 @@ -2041,6 +2070,7 @@ static int intel_pt_sync(struct intel_pt_decoder *decoder)
    4097
    4098 decoder->pge = false;
    4099 decoder->continuous_period = false;
    4100 + decoder->have_last_ip = false;
    4101 decoder->last_ip = 0;
    4102 decoder->ip = 0;
    4103 intel_pt_clear_stack(&decoder->stack);
    4104 @@ -2049,6 +2079,7 @@ static int intel_pt_sync(struct intel_pt_decoder *decoder)
    4105 if (err)
    4106 return err;
    4107
    4108 + decoder->have_last_ip = true;
    4109 decoder->pkt_state = INTEL_PT_STATE_NO_IP;
    4110
    4111 err = intel_pt_walk_psb(decoder);
    4112 @@ -2067,7 +2098,7 @@ static int intel_pt_sync(struct intel_pt_decoder *decoder)
    4113
    4114 static uint64_t intel_pt_est_timestamp(struct intel_pt_decoder *decoder)
    4115 {
    4116 - uint64_t est = decoder->timestamp_insn_cnt << 1;
    4117 + uint64_t est = decoder->sample_insn_cnt << 1;
    4118
    4119 if (!decoder->cbr || !decoder->max_non_turbo_ratio)
    4120 goto out;
    4121 @@ -2075,7 +2106,7 @@ static uint64_t intel_pt_est_timestamp(struct intel_pt_decoder *decoder)
    4122 est *= decoder->max_non_turbo_ratio;
    4123 est /= decoder->cbr;
    4124 out:
    4125 - return decoder->timestamp + est;
    4126 + return decoder->sample_timestamp + est;
    4127 }
    4128
    4129 const struct intel_pt_state *intel_pt_decode(struct intel_pt_decoder *decoder)
    4130 @@ -2091,7 +2122,9 @@ const struct intel_pt_state *intel_pt_decode(struct intel_pt_decoder *decoder)
    4131 err = intel_pt_sync(decoder);
    4132 break;
    4133 case INTEL_PT_STATE_NO_IP:
    4134 + decoder->have_last_ip = false;
    4135 decoder->last_ip = 0;
    4136 + decoder->ip = 0;
    4137 /* Fall through */
    4138 case INTEL_PT_STATE_ERR_RESYNC:
    4139 err = intel_pt_sync_ip(decoder);
    4140 @@ -2128,15 +2161,24 @@ const struct intel_pt_state *intel_pt_decode(struct intel_pt_decoder *decoder)
    4141 }
    4142 } while (err == -ENOLINK);
    4143
    4144 - decoder->state.err = err ? intel_pt_ext_err(err) : 0;
    4145 - decoder->state.timestamp = decoder->timestamp;
    4146 + if (err) {
    4147 + decoder->state.err = intel_pt_ext_err(err);
    4148 + decoder->state.from_ip = decoder->ip;
    4149 + decoder->sample_timestamp = decoder->timestamp;
    4150 + decoder->sample_insn_cnt = decoder->timestamp_insn_cnt;
    4151 + } else {
    4152 + decoder->state.err = 0;
    4153 + if (intel_pt_sample_time(decoder->pkt_state)) {
    4154 + decoder->sample_timestamp = decoder->timestamp;
    4155 + decoder->sample_insn_cnt = decoder->timestamp_insn_cnt;
    4156 + }
    4157 + }
    4158 +
    4159 + decoder->state.timestamp = decoder->sample_timestamp;
    4160 decoder->state.est_timestamp = intel_pt_est_timestamp(decoder);
    4161 decoder->state.cr3 = decoder->cr3;
    4162 decoder->state.tot_insn_cnt = decoder->tot_insn_cnt;
    4163
    4164 - if (err)
    4165 - decoder->state.from_ip = decoder->ip;
    4166 -
    4167 return &decoder->state;
    4168 }
    4169
    4170 diff --git a/virt/kvm/vfio.c b/virt/kvm/vfio.c
    4171 index 1dd087da6f31..111e09c3f4bf 100644
    4172 --- a/virt/kvm/vfio.c
    4173 +++ b/virt/kvm/vfio.c
    4174 @@ -47,6 +47,22 @@ static struct vfio_group *kvm_vfio_group_get_external_user(struct file *filep)
    4175 return vfio_group;
    4176 }
    4177
    4178 +static bool kvm_vfio_external_group_match_file(struct vfio_group *group,
    4179 + struct file *filep)
    4180 +{
    4181 + bool ret, (*fn)(struct vfio_group *, struct file *);
    4182 +
    4183 + fn = symbol_get(vfio_external_group_match_file);
    4184 + if (!fn)
    4185 + return false;
    4186 +
    4187 + ret = fn(group, filep);
    4188 +
    4189 + symbol_put(vfio_external_group_match_file);
    4190 +
    4191 + return ret;
    4192 +}
    4193 +
    4194 static void kvm_vfio_group_put_external_user(struct vfio_group *vfio_group)
    4195 {
    4196 void (*fn)(struct vfio_group *);
    4197 @@ -171,18 +187,13 @@ static int kvm_vfio_set_group(struct kvm_device *dev, long attr, u64 arg)
    4198 if (!f.file)
    4199 return -EBADF;
    4200
    4201 - vfio_group = kvm_vfio_group_get_external_user(f.file);
    4202 - fdput(f);
    4203 -
    4204 - if (IS_ERR(vfio_group))
    4205 - return PTR_ERR(vfio_group);
    4206 -
    4207 ret = -ENOENT;
    4208
    4209 mutex_lock(&kv->lock);
    4210
    4211 list_for_each_entry(kvg, &kv->group_list, node) {
    4212 - if (kvg->vfio_group != vfio_group)
    4213 + if (!kvm_vfio_external_group_match_file(kvg->vfio_group,
    4214 + f.file))
    4215 continue;
    4216
    4217 list_del(&kvg->node);
    4218 @@ -196,7 +207,7 @@ static int kvm_vfio_set_group(struct kvm_device *dev, long attr, u64 arg)
    4219
    4220 mutex_unlock(&kv->lock);
    4221
    4222 - kvm_vfio_group_put_external_user(vfio_group);
    4223 + fdput(f);
    4224
    4225 kvm_vfio_update_coherency(dev);
    4226