Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-alx-legacy/patches-4.9/0397-4.9.298-all-fixes.patch

    Contents of /trunk/kernel-alx-legacy/patches-4.9/0397-4.9.298-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 3699 - (show annotations) (download)
    Mon Oct 24 14:08:13 2022 UTC (19 months ago) by niro
    File size: 160930 byte(s) 
    -linux-4.9.298
    1 diff --git a/Documentation/rbtree.txt b/Documentation/rbtree.txt
    2 index b9d9cc57be189..9fedfedfd85fc 100644
    3 --- a/Documentation/rbtree.txt
    4 +++ b/Documentation/rbtree.txt
    5 @@ -190,6 +190,39 @@ Example:
    6 for (node = rb_first(&mytree); node; node = rb_next(node))
    7 printk("key=%s\n", rb_entry(node, struct mytype, node)->keystring);
    8
    9 +Cached rbtrees
    10 +--------------
    11 +
    12 +Computing the leftmost (smallest) node is quite a common task for binary
    13 +search trees, such as for traversals or users relying on a the particular
    14 +order for their own logic. To this end, users can use 'struct rb_root_cached'
    15 +to optimize O(logN) rb_first() calls to a simple pointer fetch avoiding
    16 +potentially expensive tree iterations. This is done at negligible runtime
    17 +overhead for maintanence; albeit larger memory footprint.
    18 +
    19 +Similar to the rb_root structure, cached rbtrees are initialized to be
    20 +empty via:
    21 +
    22 + struct rb_root_cached mytree = RB_ROOT_CACHED;
    23 +
    24 +Cached rbtree is simply a regular rb_root with an extra pointer to cache the
    25 +leftmost node. This allows rb_root_cached to exist wherever rb_root does,
    26 +which permits augmented trees to be supported as well as only a few extra
    27 +interfaces:
    28 +
    29 + struct rb_node *rb_first_cached(struct rb_root_cached *tree);
    30 + void rb_insert_color_cached(struct rb_node *, struct rb_root_cached *, bool);
    31 + void rb_erase_cached(struct rb_node *node, struct rb_root_cached *);
    32 +
    33 +Both insert and erase calls have their respective counterpart of augmented
    34 +trees:
    35 +
    36 + void rb_insert_augmented_cached(struct rb_node *node, struct rb_root_cached *,
    37 + bool, struct rb_augment_callbacks *);
    38 + void rb_erase_augmented_cached(struct rb_node *, struct rb_root_cached *,
    39 + struct rb_augment_callbacks *);
    40 +
    41 +
    42 Support for Augmented rbtrees
    43 -----------------------------
    44
    45 diff --git a/Makefile b/Makefile
    46 index 70a11157b2404..b0f683f18df71 100644
    47 --- a/Makefile
    48 +++ b/Makefile
    49 @@ -1,6 +1,6 @@
    50 VERSION = 4
    51 PATCHLEVEL = 9
    52 -SUBLEVEL = 297
    53 +SUBLEVEL = 298
    54 EXTRAVERSION =
    55 NAME = Roaring Lionus
    56
    57 diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
    58 index c2557cf43b3dc..d8bf83d732be3 100644
    59 --- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
    60 +++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
    61 @@ -25,8 +25,8 @@
    62 #size-cells = <2>;
    63
    64 aliases {
    65 - sdhc1 = &sdhc_1; /* SDC1 eMMC slot */
    66 - sdhc2 = &sdhc_2; /* SDC2 SD card slot */
    67 + mmc0 = &sdhc_1; /* SDC1 eMMC slot */
    68 + mmc1 = &sdhc_2; /* SDC2 SD card slot */
    69 };
    70
    71 chosen { };
    72 diff --git a/arch/mips/bcm63xx/clk.c b/arch/mips/bcm63xx/clk.c
    73 index 4f375050ab8e9..3be875a45c834 100644
    74 --- a/arch/mips/bcm63xx/clk.c
    75 +++ b/arch/mips/bcm63xx/clk.c
    76 @@ -342,6 +342,12 @@ struct clk *clk_get_parent(struct clk *clk)
    77 }
    78 EXPORT_SYMBOL(clk_get_parent);
    79
    80 +int clk_set_parent(struct clk *clk, struct clk *parent)
    81 +{
    82 + return 0;
    83 +}
    84 +EXPORT_SYMBOL(clk_set_parent);
    85 +
    86 unsigned long clk_get_rate(struct clk *clk)
    87 {
    88 return clk->rate;
    89 diff --git a/arch/mips/include/asm/octeon/cvmx-bootinfo.h b/arch/mips/include/asm/octeon/cvmx-bootinfo.h
    90 index 62787765575ef..ce6e5fddce0bf 100644
    91 --- a/arch/mips/include/asm/octeon/cvmx-bootinfo.h
    92 +++ b/arch/mips/include/asm/octeon/cvmx-bootinfo.h
    93 @@ -315,7 +315,7 @@ enum cvmx_chip_types_enum {
    94
    95 /* Functions to return string based on type */
    96 #define ENUM_BRD_TYPE_CASE(x) \
    97 - case x: return(#x + 16); /* Skip CVMX_BOARD_TYPE_ */
    98 + case x: return (&#x[16]); /* Skip CVMX_BOARD_TYPE_ */
    99 static inline const char *cvmx_board_type_to_string(enum
    100 cvmx_board_types_enum type)
    101 {
    102 @@ -404,7 +404,7 @@ static inline const char *cvmx_board_type_to_string(enum
    103 }
    104
    105 #define ENUM_CHIP_TYPE_CASE(x) \
    106 - case x: return(#x + 15); /* Skip CVMX_CHIP_TYPE */
    107 + case x: return (&#x[15]); /* Skip CVMX_CHIP_TYPE */
    108 static inline const char *cvmx_chip_type_to_string(enum
    109 cvmx_chip_types_enum type)
    110 {
    111 diff --git a/arch/mips/lantiq/clk.c b/arch/mips/lantiq/clk.c
    112 index 149f0513c4f5d..d1de57b86683c 100644
    113 --- a/arch/mips/lantiq/clk.c
    114 +++ b/arch/mips/lantiq/clk.c
    115 @@ -165,6 +165,12 @@ struct clk *of_clk_get_from_provider(struct of_phandle_args *clkspec)
    116 return NULL;
    117 }
    118
    119 +int clk_set_parent(struct clk *clk, struct clk *parent)
    120 +{
    121 + return 0;
    122 +}
    123 +EXPORT_SYMBOL(clk_set_parent);
    124 +
    125 static inline u32 get_counter_resolution(void)
    126 {
    127 u32 res;
    128 diff --git a/arch/mips/mm/gup.c b/arch/mips/mm/gup.c
    129 index d8c3c159289a2..71a19d20bbb7a 100644
    130 --- a/arch/mips/mm/gup.c
    131 +++ b/arch/mips/mm/gup.c
    132 @@ -271,7 +271,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
    133 next = pgd_addr_end(addr, end);
    134 if (pgd_none(pgd))
    135 goto slow;
    136 - if (!gup_pud_range(pgd, addr, next, write, pages, &nr))
    137 + /*
    138 + * The FAST_GUP case requires FOLL_WRITE even for pure reads,
    139 + * because get_user_pages() may need to cause an early COW in
    140 + * order to avoid confusing the normal COW routines. So only
    141 + * targets that are already writable are safe to do by just
    142 + * looking at the page tables.
    143 + */
    144 + if (!gup_pud_range(pgd, addr, next, 1, pages, &nr))
    145 goto slow;
    146 } while (pgdp++, addr = next, addr != end);
    147 local_irq_enable();
    148 diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
    149 index 11c91697d5f9e..5b41779de2337 100644
    150 --- a/arch/parisc/kernel/traps.c
    151 +++ b/arch/parisc/kernel/traps.c
    152 @@ -793,7 +793,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
    153 * unless pagefault_disable() was called before.
    154 */
    155
    156 - if (fault_space == 0 && !faulthandler_disabled())
    157 + if (faulthandler_disabled() || fault_space == 0)
    158 {
    159 /* Clean up and return if in exception table. */
    160 if (fixup_exception(regs))
    161 diff --git a/arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi b/arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi
    162 index 7f60b60601764..39b1c1fa0c81f 100644
    163 --- a/arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi
    164 +++ b/arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi
    165 @@ -78,6 +78,7 @@ fman0: fman@400000 {
    166 #size-cells = <0>;
    167 compatible = "fsl,fman-memac-mdio", "fsl,fman-xmdio";
    168 reg = <0xfc000 0x1000>;
    169 + fsl,erratum-a009885;
    170 };
    171
    172 xmdio0: mdio@fd000 {
    173 @@ -85,6 +86,7 @@ fman0: fman@400000 {
    174 #size-cells = <0>;
    175 compatible = "fsl,fman-memac-mdio", "fsl,fman-xmdio";
    176 reg = <0xfd000 0x1000>;
    177 + fsl,erratum-a009885;
    178 };
    179
    180 ptp_timer0: ptp-timer@fe000 {
    181 diff --git a/arch/powerpc/kernel/btext.c b/arch/powerpc/kernel/btext.c
    182 index 8275858a434d9..2d91ba38b4524 100644
    183 --- a/arch/powerpc/kernel/btext.c
    184 +++ b/arch/powerpc/kernel/btext.c
    185 @@ -257,8 +257,10 @@ int __init btext_find_display(int allow_nonstdout)
    186 rc = btext_initialize(np);
    187 printk("result: %d\n", rc);
    188 }
    189 - if (rc == 0)
    190 + if (rc == 0) {
    191 + of_node_put(np);
    192 break;
    193 + }
    194 }
    195 return rc;
    196 }
    197 diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c
    198 index 1e8c57207346e..df3af10b8cc95 100644
    199 --- a/arch/powerpc/kernel/prom_init.c
    200 +++ b/arch/powerpc/kernel/prom_init.c
    201 @@ -2528,7 +2528,7 @@ static void __init fixup_device_tree_efika_add_phy(void)
    202
    203 /* Check if the phy-handle property exists - bail if it does */
    204 rv = prom_getprop(node, "phy-handle", prop, sizeof(prop));
    205 - if (!rv)
    206 + if (rv <= 0)
    207 return;
    208
    209 /*
    210 diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c
    211 index 9c6f3fd580597..31675c1d678b6 100644
    212 --- a/arch/powerpc/kernel/smp.c
    213 +++ b/arch/powerpc/kernel/smp.c
    214 @@ -759,10 +759,12 @@ void start_secondary(void *unused)
    215 BUG();
    216 }
    217
    218 +#ifdef CONFIG_PROFILING
    219 int setup_profiling_timer(unsigned int multiplier)
    220 {
    221 return 0;
    222 }
    223 +#endif
    224
    225 #ifdef CONFIG_SCHED_SMT
    226 /* cpumask of CPUs with asymetric SMT dependancy */
    227 diff --git a/arch/powerpc/platforms/cell/iommu.c b/arch/powerpc/platforms/cell/iommu.c
    228 index 7ff51f96a00e8..8df43781f5db9 100644
    229 --- a/arch/powerpc/platforms/cell/iommu.c
    230 +++ b/arch/powerpc/platforms/cell/iommu.c
    231 @@ -1107,6 +1107,7 @@ static int __init cell_iommu_fixed_mapping_init(void)
    232 if (hbase < dbase || (hend > (dbase + dsize))) {
    233 pr_debug("iommu: hash window doesn't fit in"
    234 "real DMA window\n");
    235 + of_node_put(np);
    236 return -1;
    237 }
    238 }
    239 diff --git a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
    240 index bf4a125faec66..db2ea6b6889de 100644
    241 --- a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
    242 +++ b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
    243 @@ -220,6 +220,7 @@ void hlwd_pic_probe(void)
    244 irq_set_chained_handler(cascade_virq,
    245 hlwd_pic_irq_cascade);
    246 hlwd_irq_host = host;
    247 + of_node_put(np);
    248 break;
    249 }
    250 }
    251 diff --git a/arch/powerpc/platforms/powernv/opal-lpc.c b/arch/powerpc/platforms/powernv/opal-lpc.c
    252 index e4169d68cb328..d28c4a9269c38 100644
    253 --- a/arch/powerpc/platforms/powernv/opal-lpc.c
    254 +++ b/arch/powerpc/platforms/powernv/opal-lpc.c
    255 @@ -401,6 +401,7 @@ void opal_lpc_init(void)
    256 if (!of_get_property(np, "primary", NULL))
    257 continue;
    258 opal_lpc_chip_id = of_get_ibm_chip_id(np);
    259 + of_node_put(np);
    260 break;
    261 }
    262 if (opal_lpc_chip_id < 0)
    263 diff --git a/arch/s390/mm/gup.c b/arch/s390/mm/gup.c
    264 index cf045f56581e3..be1e2ed6405d3 100644
    265 --- a/arch/s390/mm/gup.c
    266 +++ b/arch/s390/mm/gup.c
    267 @@ -261,7 +261,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
    268
    269 might_sleep();
    270 start &= PAGE_MASK;
    271 - nr = __get_user_pages_fast(start, nr_pages, write, pages);
    272 + /*
    273 + * The FAST_GUP case requires FOLL_WRITE even for pure reads,
    274 + * because get_user_pages() may need to cause an early COW in
    275 + * order to avoid confusing the normal COW routines. So only
    276 + * targets that are already writable are safe to do by just
    277 + * looking at the page tables.
    278 + */
    279 + nr = __get_user_pages_fast(start, nr_pages, 1, pages);
    280 if (nr == nr_pages)
    281 return nr;
    282
    283 diff --git a/arch/sh/mm/gup.c b/arch/sh/mm/gup.c
    284 index 063c298ba56cc..7fec66e34af06 100644
    285 --- a/arch/sh/mm/gup.c
    286 +++ b/arch/sh/mm/gup.c
    287 @@ -239,7 +239,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
    288 next = pgd_addr_end(addr, end);
    289 if (pgd_none(pgd))
    290 goto slow;
    291 - if (!gup_pud_range(pgd, addr, next, write, pages, &nr))
    292 + /*
    293 + * The FAST_GUP case requires FOLL_WRITE even for pure reads,
    294 + * because get_user_pages() may need to cause an early COW in
    295 + * order to avoid confusing the normal COW routines. So only
    296 + * targets that are already writable are safe to do by just
    297 + * looking at the page tables.
    298 + */
    299 + if (!gup_pud_range(pgd, addr, next, 1, pages, &nr))
    300 goto slow;
    301 } while (pgdp++, addr = next, addr != end);
    302 local_irq_enable();
    303 diff --git a/arch/sparc/mm/gup.c b/arch/sparc/mm/gup.c
    304 index cd0e32bbcb1de..685679f879888 100644
    305 --- a/arch/sparc/mm/gup.c
    306 +++ b/arch/sparc/mm/gup.c
    307 @@ -218,7 +218,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
    308 next = pgd_addr_end(addr, end);
    309 if (pgd_none(pgd))
    310 goto slow;
    311 - if (!gup_pud_range(pgd, addr, next, write, pages, &nr))
    312 + /*
    313 + * The FAST_GUP case requires FOLL_WRITE even for pure reads,
    314 + * because get_user_pages() may need to cause an early COW in
    315 + * order to avoid confusing the normal COW routines. So only
    316 + * targets that are already writable are safe to do by just
    317 + * looking at the page tables.
    318 + */
    319 + if (!gup_pud_range(pgd, addr, next, 1, pages, &nr))
    320 goto slow;
    321 } while (pgdp++, addr = next, addr != end);
    322
    323 diff --git a/arch/um/include/shared/registers.h b/arch/um/include/shared/registers.h
    324 index a74449b5b0e31..12ad7c435e97f 100644
    325 --- a/arch/um/include/shared/registers.h
    326 +++ b/arch/um/include/shared/registers.h
    327 @@ -16,8 +16,8 @@ extern int restore_fp_registers(int pid, unsigned long *fp_regs);
    328 extern int save_fpx_registers(int pid, unsigned long *fp_regs);
    329 extern int restore_fpx_registers(int pid, unsigned long *fp_regs);
    330 extern int save_registers(int pid, struct uml_pt_regs *regs);
    331 -extern int restore_registers(int pid, struct uml_pt_regs *regs);
    332 -extern int init_registers(int pid);
    333 +extern int restore_pid_registers(int pid, struct uml_pt_regs *regs);
    334 +extern int init_pid_registers(int pid);
    335 extern void get_safe_registers(unsigned long *regs, unsigned long *fp_regs);
    336 extern unsigned long get_thread_reg(int reg, jmp_buf *buf);
    337 extern int get_fp_registers(int pid, unsigned long *regs);
    338 diff --git a/arch/um/os-Linux/registers.c b/arch/um/os-Linux/registers.c
    339 index 2ff8d4fe83c4f..34a5963bd7efd 100644
    340 --- a/arch/um/os-Linux/registers.c
    341 +++ b/arch/um/os-Linux/registers.c
    342 @@ -21,7 +21,7 @@ int save_registers(int pid, struct uml_pt_regs *regs)
    343 return 0;
    344 }
    345
    346 -int restore_registers(int pid, struct uml_pt_regs *regs)
    347 +int restore_pid_registers(int pid, struct uml_pt_regs *regs)
    348 {
    349 int err;
    350
    351 @@ -36,7 +36,7 @@ int restore_registers(int pid, struct uml_pt_regs *regs)
    352 static unsigned long exec_regs[MAX_REG_NR];
    353 static unsigned long exec_fp_regs[FP_SIZE];
    354
    355 -int init_registers(int pid)
    356 +int init_pid_registers(int pid)
    357 {
    358 int err;
    359
    360 diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c
    361 index 22a358ef1b0cd..dc06933ba63d9 100644
    362 --- a/arch/um/os-Linux/start_up.c
    363 +++ b/arch/um/os-Linux/start_up.c
    364 @@ -334,7 +334,7 @@ void __init os_early_checks(void)
    365 check_tmpexec();
    366
    367 pid = start_ptraced_child();
    368 - if (init_registers(pid))
    369 + if (init_pid_registers(pid))
    370 fatal("Failed to initialize default registers");
    371 stop_ptraced_child(pid, 1, 1);
    372 }
    373 diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c
    374 index 82f727fbbbd2c..549f89fb3abc9 100644
    375 --- a/arch/x86/mm/gup.c
    376 +++ b/arch/x86/mm/gup.c
    377 @@ -454,7 +454,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
    378 next = pgd_addr_end(addr, end);
    379 if (pgd_none(pgd))
    380 goto slow;
    381 - if (!gup_pud_range(pgd, addr, next, write, pages, &nr))
    382 + /*
    383 + * The FAST_GUP case requires FOLL_WRITE even for pure reads,
    384 + * because get_user_pages() may need to cause an early COW in
    385 + * order to avoid confusing the normal COW routines. So only
    386 + * targets that are already writable are safe to do by just
    387 + * looking at the page tables.
    388 + */
    389 + if (!gup_pud_range(pgd, addr, next, 1, pages, &nr))
    390 goto slow;
    391 } while (pgdp++, addr = next, addr != end);
    392 local_irq_enable();
    393 diff --git a/arch/x86/um/syscalls_64.c b/arch/x86/um/syscalls_64.c
    394 index e6552275320bc..40ecacb2c54b3 100644
    395 --- a/arch/x86/um/syscalls_64.c
    396 +++ b/arch/x86/um/syscalls_64.c
    397 @@ -9,6 +9,7 @@
    398 #include <linux/uaccess.h>
    399 #include <asm/prctl.h> /* XXX This should get the constants from libc */
    400 #include <os.h>
    401 +#include <registers.h>
    402
    403 long arch_prctl(struct task_struct *task, int code, unsigned long __user *addr)
    404 {
    405 @@ -32,7 +33,7 @@ long arch_prctl(struct task_struct *task, int code, unsigned long __user *addr)
    406 switch (code) {
    407 case ARCH_SET_FS:
    408 case ARCH_SET_GS:
    409 - ret = restore_registers(pid, &current->thread.regs.regs);
    410 + ret = restore_pid_registers(pid, &current->thread.regs.regs);
    411 if (ret)
    412 return ret;
    413 break;
    414 diff --git a/drivers/acpi/acpica/exoparg1.c b/drivers/acpi/acpica/exoparg1.c
    415 index 007300433cdea..1cea26a741474 100644
    416 --- a/drivers/acpi/acpica/exoparg1.c
    417 +++ b/drivers/acpi/acpica/exoparg1.c
    418 @@ -1029,7 +1029,8 @@ acpi_status acpi_ex_opcode_1A_0T_1R(struct acpi_walk_state *walk_state)
    419 (walk_state, return_desc,
    420 &temp_desc);
    421 if (ACPI_FAILURE(status)) {
    422 - goto cleanup;
    423 + return_ACPI_STATUS
    424 + (status);
    425 }
    426
    427 return_desc = temp_desc;
    428 diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c
    429 index 03a2282ceb9ca..81a9c47973ce8 100644
    430 --- a/drivers/acpi/acpica/utdelete.c
    431 +++ b/drivers/acpi/acpica/utdelete.c
    432 @@ -440,6 +440,7 @@ acpi_ut_update_ref_count(union acpi_operand_object *object, u32 action)
    433 ACPI_WARNING((AE_INFO,
    434 "Obj %p, Reference Count is already zero, cannot decrement\n",
    435 object));
    436 + return;
    437 }
    438
    439 ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
    440 diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
    441 index 4496e7a492352..7164be9710e51 100644
    442 --- a/drivers/block/floppy.c
    443 +++ b/drivers/block/floppy.c
    444 @@ -994,7 +994,7 @@ static DECLARE_DELAYED_WORK(fd_timer, fd_timer_workfn);
    445 static void cancel_activity(void)
    446 {
    447 do_floppy = NULL;
    448 - cancel_delayed_work_sync(&fd_timer);
    449 + cancel_delayed_work(&fd_timer);
    450 cancel_work_sync(&floppy_work);
    451 }
    452
    453 @@ -3116,6 +3116,8 @@ static void raw_cmd_free(struct floppy_raw_cmd **ptr)
    454 }
    455 }
    456
    457 +#define MAX_LEN (1UL << MAX_ORDER << PAGE_SHIFT)
    458 +
    459 static int raw_cmd_copyin(int cmd, void __user *param,
    460 struct floppy_raw_cmd **rcmd)
    461 {
    462 @@ -3153,7 +3155,7 @@ loop:
    463 ptr->resultcode = 0;
    464
    465 if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
    466 - if (ptr->length <= 0)
    467 + if (ptr->length <= 0 || ptr->length >= MAX_LEN)
    468 return -EINVAL;
    469 ptr->kernel_data = (char *)fd_dma_mem_alloc(ptr->length);
    470 fallback_on_nodma_alloc(&ptr->kernel_data, ptr->length);
    471 diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
    472 index 3bf4ec60e0736..cee2de027e5ad 100644
    473 --- a/drivers/bluetooth/bfusb.c
    474 +++ b/drivers/bluetooth/bfusb.c
    475 @@ -644,6 +644,9 @@ static int bfusb_probe(struct usb_interface *intf, const struct usb_device_id *i
    476 data->bulk_out_ep = bulk_out_ep->desc.bEndpointAddress;
    477 data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize);
    478
    479 + if (!data->bulk_pkt_size)
    480 + goto done;
    481 +
    482 rwlock_init(&data->lock);
    483
    484 data->reassembly = NULL;
    485 diff --git a/drivers/char/mwave/3780i.h b/drivers/char/mwave/3780i.h
    486 index 9ccb6b270b071..95164246afd1a 100644
    487 --- a/drivers/char/mwave/3780i.h
    488 +++ b/drivers/char/mwave/3780i.h
    489 @@ -68,7 +68,7 @@ typedef struct {
    490 unsigned char ClockControl:1; /* RW: Clock control: 0=normal, 1=stop 3780i clocks */
    491 unsigned char SoftReset:1; /* RW: Soft reset 0=normal, 1=soft reset active */
    492 unsigned char ConfigMode:1; /* RW: Configuration mode, 0=normal, 1=config mode */
    493 - unsigned char Reserved:5; /* 0: Reserved */
    494 + unsigned short Reserved:13; /* 0: Reserved */
    495 } DSP_ISA_SLAVE_CONTROL;
    496
    497
    498 diff --git a/drivers/char/random.c b/drivers/char/random.c
    499 index 2184d87623272..70ee86e034fcd 100644
    500 --- a/drivers/char/random.c
    501 +++ b/drivers/char/random.c
    502 @@ -845,8 +845,8 @@ static void do_numa_crng_init(struct work_struct *work)
    503 crng_initialize(crng);
    504 pool[i] = crng;
    505 }
    506 - mb();
    507 - if (cmpxchg(&crng_node_pool, NULL, pool)) {
    508 + /* pairs with READ_ONCE() in select_crng() */
    509 + if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) {
    510 for_each_node(i)
    511 kfree(pool[i]);
    512 kfree(pool);
    513 @@ -859,8 +859,26 @@ static void numa_crng_init(void)
    514 {
    515 schedule_work(&numa_crng_init_work);
    516 }
    517 +
    518 +static struct crng_state *select_crng(void)
    519 +{
    520 + struct crng_state **pool;
    521 + int nid = numa_node_id();
    522 +
    523 + /* pairs with cmpxchg_release() in do_numa_crng_init() */
    524 + pool = READ_ONCE(crng_node_pool);
    525 + if (pool && pool[nid])
    526 + return pool[nid];
    527 +
    528 + return &primary_crng;
    529 +}
    530 #else
    531 static void numa_crng_init(void) {}
    532 +
    533 +static struct crng_state *select_crng(void)
    534 +{
    535 + return &primary_crng;
    536 +}
    537 #endif
    538
    539 static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
    540 @@ -890,7 +908,7 @@ static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
    541 crng->state[i+4] ^= buf.key[i] ^ rv;
    542 }
    543 memzero_explicit(&buf, sizeof(buf));
    544 - crng->init_time = jiffies;
    545 + WRITE_ONCE(crng->init_time, jiffies);
    546 if (crng == &primary_crng && crng_init < 2) {
    547 numa_crng_init();
    548 crng_init = 2;
    549 @@ -928,12 +946,15 @@ static inline void crng_wait_ready(void)
    550 static void _extract_crng(struct crng_state *crng,
    551 __u8 out[CHACHA20_BLOCK_SIZE])
    552 {
    553 - unsigned long v, flags;
    554 -
    555 - if (crng_ready() &&
    556 - (time_after(crng_global_init_time, crng->init_time) ||
    557 - time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL)))
    558 - crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL);
    559 + unsigned long v, flags, init_time;
    560 +
    561 + if (crng_ready()) {
    562 + init_time = READ_ONCE(crng->init_time);
    563 + if (time_after(READ_ONCE(crng_global_init_time), init_time) ||
    564 + time_after(jiffies, init_time + CRNG_RESEED_INTERVAL))
    565 + crng_reseed(crng, crng == &primary_crng ?
    566 + &input_pool : NULL);
    567 + }
    568 spin_lock_irqsave(&crng->lock, flags);
    569 if (arch_get_random_long(&v))
    570 crng->state[14] ^= v;
    571 @@ -945,15 +966,7 @@ static void _extract_crng(struct crng_state *crng,
    572
    573 static void extract_crng(__u8 out[CHACHA20_BLOCK_SIZE])
    574 {
    575 - struct crng_state *crng = NULL;
    576 -
    577 -#ifdef CONFIG_NUMA
    578 - if (crng_node_pool)
    579 - crng = crng_node_pool[numa_node_id()];
    580 - if (crng == NULL)
    581 -#endif
    582 - crng = &primary_crng;
    583 - _extract_crng(crng, out);
    584 + _extract_crng(select_crng(), out);
    585 }
    586
    587 /*
    588 @@ -982,15 +995,7 @@ static void _crng_backtrack_protect(struct crng_state *crng,
    589
    590 static void crng_backtrack_protect(__u8 tmp[CHACHA20_BLOCK_SIZE], int used)
    591 {
    592 - struct crng_state *crng = NULL;
    593 -
    594 -#ifdef CONFIG_NUMA
    595 - if (crng_node_pool)
    596 - crng = crng_node_pool[numa_node_id()];
    597 - if (crng == NULL)
    598 -#endif
    599 - crng = &primary_crng;
    600 - _crng_backtrack_protect(crng, tmp, used);
    601 + _crng_backtrack_protect(select_crng(), tmp, used);
    602 }
    603
    604 static ssize_t extract_crng_user(void __user *buf, size_t nbytes)
    605 @@ -1914,7 +1919,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
    606 if (crng_init < 2)
    607 return -ENODATA;
    608 crng_reseed(&primary_crng, &input_pool);
    609 - crng_global_init_time = jiffies - 1;
    610 + WRITE_ONCE(crng_global_init_time, jiffies - 1);
    611 return 0;
    612 default:
    613 return -EINVAL;
    614 diff --git a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c
    615 index 47e114ac09d01..ff1e788f92767 100644
    616 --- a/drivers/crypto/qce/sha.c
    617 +++ b/drivers/crypto/qce/sha.c
    618 @@ -544,8 +544,8 @@ static int qce_ahash_register_one(const struct qce_ahash_def *def,
    619
    620 ret = crypto_register_ahash(alg);
    621 if (ret) {
    622 - kfree(tmpl);
    623 dev_err(qce->dev, "%s registration failed\n", base->cra_name);
    624 + kfree(tmpl);
    625 return ret;
    626 }
    627
    628 diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
    629 index a505be9ef96da..c15ca560fe60d 100644
    630 --- a/drivers/dma/at_xdmac.c
    631 +++ b/drivers/dma/at_xdmac.c
    632 @@ -100,6 +100,7 @@
    633 #define AT_XDMAC_CNDC_NDE (0x1 << 0) /* Channel x Next Descriptor Enable */
    634 #define AT_XDMAC_CNDC_NDSUP (0x1 << 1) /* Channel x Next Descriptor Source Update */
    635 #define AT_XDMAC_CNDC_NDDUP (0x1 << 2) /* Channel x Next Descriptor Destination Update */
    636 +#define AT_XDMAC_CNDC_NDVIEW_MASK GENMASK(28, 27)
    637 #define AT_XDMAC_CNDC_NDVIEW_NDV0 (0x0 << 3) /* Channel x Next Descriptor View 0 */
    638 #define AT_XDMAC_CNDC_NDVIEW_NDV1 (0x1 << 3) /* Channel x Next Descriptor View 1 */
    639 #define AT_XDMAC_CNDC_NDVIEW_NDV2 (0x2 << 3) /* Channel x Next Descriptor View 2 */
    640 @@ -232,15 +233,15 @@ struct at_xdmac {
    641
    642 /* Linked List Descriptor */
    643 struct at_xdmac_lld {
    644 - dma_addr_t mbr_nda; /* Next Descriptor Member */
    645 - u32 mbr_ubc; /* Microblock Control Member */
    646 - dma_addr_t mbr_sa; /* Source Address Member */
    647 - dma_addr_t mbr_da; /* Destination Address Member */
    648 - u32 mbr_cfg; /* Configuration Register */
    649 - u32 mbr_bc; /* Block Control Register */
    650 - u32 mbr_ds; /* Data Stride Register */
    651 - u32 mbr_sus; /* Source Microblock Stride Register */
    652 - u32 mbr_dus; /* Destination Microblock Stride Register */
    653 + u32 mbr_nda; /* Next Descriptor Member */
    654 + u32 mbr_ubc; /* Microblock Control Member */
    655 + u32 mbr_sa; /* Source Address Member */
    656 + u32 mbr_da; /* Destination Address Member */
    657 + u32 mbr_cfg; /* Configuration Register */
    658 + u32 mbr_bc; /* Block Control Register */
    659 + u32 mbr_ds; /* Data Stride Register */
    660 + u32 mbr_sus; /* Source Microblock Stride Register */
    661 + u32 mbr_dus; /* Destination Microblock Stride Register */
    662 };
    663
    664 /* 64-bit alignment needed to update CNDA and CUBC registers in an atomic way. */
    665 @@ -345,9 +346,6 @@ static void at_xdmac_start_xfer(struct at_xdmac_chan *atchan,
    666
    667 dev_vdbg(chan2dev(&atchan->chan), "%s: desc 0x%p\n", __func__, first);
    668
    669 - if (at_xdmac_chan_is_enabled(atchan))
    670 - return;
    671 -
    672 /* Set transfer as active to not try to start it again. */
    673 first->active_xfer = true;
    674
    675 @@ -363,7 +361,8 @@ static void at_xdmac_start_xfer(struct at_xdmac_chan *atchan,
    676 */
    677 if (at_xdmac_chan_is_cyclic(atchan))
    678 reg = AT_XDMAC_CNDC_NDVIEW_NDV1;
    679 - else if (first->lld.mbr_ubc & AT_XDMAC_MBR_UBC_NDV3)
    680 + else if ((first->lld.mbr_ubc &
    681 + AT_XDMAC_CNDC_NDVIEW_MASK) == AT_XDMAC_MBR_UBC_NDV3)
    682 reg = AT_XDMAC_CNDC_NDVIEW_NDV3;
    683 else
    684 reg = AT_XDMAC_CNDC_NDVIEW_NDV2;
    685 @@ -428,13 +427,12 @@ static dma_cookie_t at_xdmac_tx_submit(struct dma_async_tx_descriptor *tx)
    686 spin_lock_irqsave(&atchan->lock, irqflags);
    687 cookie = dma_cookie_assign(tx);
    688
    689 + list_add_tail(&desc->xfer_node, &atchan->xfers_list);
    690 + spin_unlock_irqrestore(&atchan->lock, irqflags);
    691 +
    692 dev_vdbg(chan2dev(tx->chan), "%s: atchan 0x%p, add desc 0x%p to xfers_list\n",
    693 __func__, atchan, desc);
    694 - list_add_tail(&desc->xfer_node, &atchan->xfers_list);
    695 - if (list_is_singular(&atchan->xfers_list))
    696 - at_xdmac_start_xfer(atchan, desc);
    697
    698 - spin_unlock_irqrestore(&atchan->lock, irqflags);
    699 return cookie;
    700 }
    701
    702 diff --git a/drivers/dma/mmp_pdma.c b/drivers/dma/mmp_pdma.c
    703 index eb3a1f42ab065..e8b2d3e31de80 100644
    704 --- a/drivers/dma/mmp_pdma.c
    705 +++ b/drivers/dma/mmp_pdma.c
    706 @@ -722,12 +722,6 @@ static int mmp_pdma_config(struct dma_chan *dchan,
    707
    708 chan->dir = cfg->direction;
    709 chan->dev_addr = addr;
    710 - /* FIXME: drivers should be ported over to use the filter
    711 - * function. Once that's done, the following two lines can
    712 - * be removed.
    713 - */
    714 - if (cfg->slave_id)
    715 - chan->drcmr = cfg->slave_id;
    716
    717 return 0;
    718 }
    719 diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c
    720 index 3f56f9ca44824..5bd1ade187d3f 100644
    721 --- a/drivers/dma/pxa_dma.c
    722 +++ b/drivers/dma/pxa_dma.c
    723 @@ -975,13 +975,6 @@ static void pxad_get_config(struct pxad_chan *chan,
    724 *dcmd |= PXA_DCMD_BURST16;
    725 else if (maxburst == 32)
    726 *dcmd |= PXA_DCMD_BURST32;
    727 -
    728 - /* FIXME: drivers should be ported over to use the filter
    729 - * function. Once that's done, the following two lines can
    730 - * be removed.
    731 - */
    732 - if (chan->cfg.slave_id)
    733 - chan->drcmr = chan->cfg.slave_id;
    734 }
    735
    736 static struct dma_async_tx_descriptor *
    737 diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c
    738 index 986248f7011aa..c479280590e42 100644
    739 --- a/drivers/gpio/gpiolib-acpi.c
    740 +++ b/drivers/gpio/gpiolib-acpi.c
    741 @@ -675,10 +675,17 @@ int acpi_dev_gpio_irq_get(struct acpi_device *adev, int index)
    742 irq_flags = acpi_dev_get_irq_type(info.triggering,
    743 info.polarity);
    744
    745 - /* Set type if specified and different than the current one */
    746 - if (irq_flags != IRQ_TYPE_NONE &&
    747 - irq_flags != irq_get_trigger_type(irq))
    748 - irq_set_irq_type(irq, irq_flags);
    749 + /*
    750 + * If the IRQ is not already in use then set type
    751 + * if specified and different than the current one.
    752 + */
    753 + if (can_request_irq(irq, irq_flags)) {
    754 + if (irq_flags != IRQ_TYPE_NONE &&
    755 + irq_flags != irq_get_trigger_type(irq))
    756 + irq_set_irq_type(irq, irq_flags);
    757 + } else {
    758 + dev_dbg(&adev->dev, "IRQ %d already in use\n", irq);
    759 + }
    760
    761 return irq;
    762 }
    763 diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
    764 index eb79d0d3d34f1..7264169d5f2a7 100644
    765 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
    766 +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
    767 @@ -404,6 +404,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
    768 native_mode->vdisplay != 0 &&
    769 native_mode->clock != 0) {
    770 mode = drm_mode_duplicate(dev, native_mode);
    771 + if (!mode)
    772 + return NULL;
    773 +
    774 mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
    775 drm_mode_set_name(mode);
    776
    777 @@ -418,6 +421,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
    778 * simpler.
    779 */
    780 mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false);
    781 + if (!mode)
    782 + return NULL;
    783 +
    784 mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
    785 DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name);
    786 }
    787 diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
    788 index 07d2a8e7f78c3..202c00b17df2d 100644
    789 --- a/drivers/gpu/drm/i915/intel_pm.c
    790 +++ b/drivers/gpu/drm/i915/intel_pm.c
    791 @@ -2274,9 +2274,9 @@ static void snb_wm_latency_quirk(struct drm_device *dev)
    792 * The BIOS provided WM memory latency values are often
    793 * inadequate for high resolution displays. Adjust them.
    794 */
    795 - changed = ilk_increase_wm_latency(dev_priv, dev_priv->wm.pri_latency, 12) |
    796 - ilk_increase_wm_latency(dev_priv, dev_priv->wm.spr_latency, 12) |
    797 - ilk_increase_wm_latency(dev_priv, dev_priv->wm.cur_latency, 12);
    798 + changed = ilk_increase_wm_latency(dev_priv, dev_priv->wm.pri_latency, 12);
    799 + changed |= ilk_increase_wm_latency(dev_priv, dev_priv->wm.spr_latency, 12);
    800 + changed |= ilk_increase_wm_latency(dev_priv, dev_priv->wm.cur_latency, 12);
    801
    802 if (!changed)
    803 return;
    804 diff --git a/drivers/gpu/drm/nouveau/nouveau_sgdma.c b/drivers/gpu/drm/nouveau/nouveau_sgdma.c
    805 index db35ab5883acd..d3bfd7912a994 100644
    806 --- a/drivers/gpu/drm/nouveau/nouveau_sgdma.c
    807 +++ b/drivers/gpu/drm/nouveau/nouveau_sgdma.c
    808 @@ -105,12 +105,9 @@ nouveau_sgdma_create_ttm(struct ttm_bo_device *bdev,
    809 else
    810 nvbe->ttm.ttm.func = &nv50_sgdma_backend;
    811
    812 - if (ttm_dma_tt_init(&nvbe->ttm, bdev, size, page_flags, dummy_read_page))
    813 - /*
    814 - * A failing ttm_dma_tt_init() will call ttm_tt_destroy()
    815 - * and thus our nouveau_sgdma_destroy() hook, so we don't need
    816 - * to free nvbe here.
    817 - */
    818 + if (ttm_dma_tt_init(&nvbe->ttm, bdev, size, page_flags, dummy_read_page)) {
    819 + kfree(nvbe);
    820 return NULL;
    821 + }
    822 return &nvbe->ttm.ttm;
    823 }
    824 diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
    825 index 61000e3b2e793..b55403c99d804 100644
    826 --- a/drivers/gpu/drm/radeon/radeon_kms.c
    827 +++ b/drivers/gpu/drm/radeon/radeon_kms.c
    828 @@ -630,6 +630,8 @@ void radeon_driver_lastclose_kms(struct drm_device *dev)
    829 int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
    830 {
    831 struct radeon_device *rdev = dev->dev_private;
    832 + struct radeon_fpriv *fpriv;
    833 + struct radeon_vm *vm;
    834 int r;
    835
    836 file_priv->driver_priv = NULL;
    837 @@ -642,48 +644,52 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
    838
    839 /* new gpu have virtual address space support */
    840 if (rdev->family >= CHIP_CAYMAN) {
    841 - struct radeon_fpriv *fpriv;
    842 - struct radeon_vm *vm;
    843
    844 fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
    845 if (unlikely(!fpriv)) {
    846 r = -ENOMEM;
    847 - goto out_suspend;
    848 + goto err_suspend;
    849 }
    850
    851 if (rdev->accel_working) {
    852 vm = &fpriv->vm;
    853 r = radeon_vm_init(rdev, vm);
    854 - if (r) {
    855 - kfree(fpriv);
    856 - goto out_suspend;
    857 - }
    858 + if (r)
    859 + goto err_fpriv;
    860
    861 r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
    862 - if (r) {
    863 - radeon_vm_fini(rdev, vm);
    864 - kfree(fpriv);
    865 - goto out_suspend;
    866 - }
    867 + if (r)
    868 + goto err_vm_fini;
    869
    870 /* map the ib pool buffer read only into
    871 * virtual address space */
    872 vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
    873 rdev->ring_tmp_bo.bo);
    874 + if (!vm->ib_bo_va) {
    875 + r = -ENOMEM;
    876 + goto err_vm_fini;
    877 + }
    878 +
    879 r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
    880 RADEON_VA_IB_OFFSET,
    881 RADEON_VM_PAGE_READABLE |
    882 RADEON_VM_PAGE_SNOOPED);
    883 - if (r) {
    884 - radeon_vm_fini(rdev, vm);
    885 - kfree(fpriv);
    886 - goto out_suspend;
    887 - }
    888 + if (r)
    889 + goto err_vm_fini;
    890 }
    891 file_priv->driver_priv = fpriv;
    892 }
    893
    894 -out_suspend:
    895 + pm_runtime_mark_last_busy(dev->dev);
    896 + pm_runtime_put_autosuspend(dev->dev);
    897 + return 0;
    898 +
    899 +err_vm_fini:
    900 + radeon_vm_fini(rdev, vm);
    901 +err_fpriv:
    902 + kfree(fpriv);
    903 +
    904 +err_suspend:
    905 pm_runtime_mark_last_busy(dev->dev);
    906 pm_runtime_put_autosuspend(dev->dev);
    907 return r;
    908 diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c
    909 index aee3c00f836e7..e4e24be523533 100644
    910 --- a/drivers/gpu/drm/ttm/ttm_tt.c
    911 +++ b/drivers/gpu/drm/ttm/ttm_tt.c
    912 @@ -195,7 +195,6 @@ int ttm_tt_init(struct ttm_tt *ttm, struct ttm_bo_device *bdev,
    913
    914 ttm_tt_alloc_page_directory(ttm);
    915 if (!ttm->pages) {
    916 - ttm_tt_destroy(ttm);
    917 pr_err("Failed allocating page table\n");
    918 return -ENOMEM;
    919 }
    920 @@ -228,7 +227,6 @@ int ttm_dma_tt_init(struct ttm_dma_tt *ttm_dma, struct ttm_bo_device *bdev,
    921 INIT_LIST_HEAD(&ttm_dma->pages_list);
    922 ttm_dma_tt_alloc_page_directory(ttm_dma);
    923 if (!ttm->pages) {
    924 - ttm_tt_destroy(ttm);
    925 pr_err("Failed allocating page table\n");
    926 return -ENOMEM;
    927 }
    928 diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
    929 index 149902619cbc8..0074091c27aa2 100644
    930 --- a/drivers/hid/hid-apple.c
    931 +++ b/drivers/hid/hid-apple.c
    932 @@ -390,7 +390,7 @@ static int apple_input_configured(struct hid_device *hdev,
    933
    934 if ((asc->quirks & APPLE_HAS_FN) && !asc->fn_found) {
    935 hid_info(hdev, "Fn key not found (Apple Wireless Keyboard clone?), disabling Fn key handling\n");
    936 - asc->quirks = 0;
    937 + asc->quirks &= ~APPLE_HAS_FN;
    938 }
    939
    940 return 0;
    941 diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
    942 index e60e41e775020..f7705a057f0f4 100644
    943 --- a/drivers/hid/uhid.c
    944 +++ b/drivers/hid/uhid.c
    945 @@ -33,11 +33,22 @@
    946
    947 struct uhid_device {
    948 struct mutex devlock;
    949 +
    950 + /* This flag tracks whether the HID device is usable for commands from
    951 + * userspace. The flag is already set before hid_add_device(), which
    952 + * runs in workqueue context, to allow hid_add_device() to communicate
    953 + * with userspace.
    954 + * However, if hid_add_device() fails, the flag is cleared without
    955 + * holding devlock.
    956 + * We guarantee that if @running changes from true to false while you're
    957 + * holding @devlock, it's still fine to access @hid.
    958 + */
    959 bool running;
    960
    961 __u8 *rd_data;
    962 uint rd_size;
    963
    964 + /* When this is NULL, userspace may use UHID_CREATE/UHID_CREATE2. */
    965 struct hid_device *hid;
    966 struct uhid_event input_buf;
    967
    968 @@ -68,9 +79,18 @@ static void uhid_device_add_worker(struct work_struct *work)
    969 if (ret) {
    970 hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
    971
    972 - hid_destroy_device(uhid->hid);
    973 - uhid->hid = NULL;
    974 + /* We used to call hid_destroy_device() here, but that's really
    975 + * messy to get right because we have to coordinate with
    976 + * concurrent writes from userspace that might be in the middle
    977 + * of using uhid->hid.
    978 + * Just leave uhid->hid as-is for now, and clean it up when
    979 + * userspace tries to close or reinitialize the uhid instance.
    980 + *
    981 + * However, we do have to clear the ->running flag and do a
    982 + * wakeup to make sure userspace knows that the device is gone.
    983 + */
    984 uhid->running = false;
    985 + wake_up_interruptible(&uhid->report_wait);
    986 }
    987 }
    988
    989 @@ -479,7 +499,7 @@ static int uhid_dev_create2(struct uhid_device *uhid,
    990 void *rd_data;
    991 int ret;
    992
    993 - if (uhid->running)
    994 + if (uhid->hid)
    995 return -EALREADY;
    996
    997 rd_size = ev->u.create2.rd_size;
    998 @@ -560,7 +580,7 @@ static int uhid_dev_create(struct uhid_device *uhid,
    999
    1000 static int uhid_dev_destroy(struct uhid_device *uhid)
    1001 {
    1002 - if (!uhid->running)
    1003 + if (!uhid->hid)
    1004 return -EINVAL;
    1005
    1006 uhid->running = false;
    1007 @@ -569,6 +589,7 @@ static int uhid_dev_destroy(struct uhid_device *uhid)
    1008 cancel_work_sync(&uhid->worker);
    1009
    1010 hid_destroy_device(uhid->hid);
    1011 + uhid->hid = NULL;
    1012 kfree(uhid->rd_data);
    1013
    1014 return 0;
    1015 diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
    1016 index fbf14a14bdd43..bfce62dbe0ace 100644
    1017 --- a/drivers/hid/wacom_wac.c
    1018 +++ b/drivers/hid/wacom_wac.c
    1019 @@ -1693,6 +1693,10 @@ static void wacom_wac_finger_pre_report(struct hid_device *hdev,
    1020 struct hid_data* hid_data = &wacom_wac->hid_data;
    1021 int i;
    1022
    1023 + hid_data->cc_report = 0;
    1024 + hid_data->cc_index = -1;
    1025 + hid_data->cc_value_index = -1;
    1026 +
    1027 for (i = 0; i < report->maxfield; i++) {
    1028 struct hid_field *field = report->field[i];
    1029 int j;
    1030 diff --git a/drivers/hsi/hsi_core.c b/drivers/hsi/hsi_core.c
    1031 index e9d63b966caff..4a9fd745b8cb4 100644
    1032 --- a/drivers/hsi/hsi_core.c
    1033 +++ b/drivers/hsi/hsi_core.c
    1034 @@ -115,6 +115,7 @@ struct hsi_client *hsi_new_client(struct hsi_port *port,
    1035 if (device_register(&cl->device) < 0) {
    1036 pr_err("hsi: failed to register client: %s\n", info->name);
    1037 put_device(&cl->device);
    1038 + goto err;
    1039 }
    1040
    1041 return cl;
    1042 diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c
    1043 index 96f8230cd2d33..5c32a7ef476da 100644
    1044 --- a/drivers/i2c/busses/i2c-designware-pcidrv.c
    1045 +++ b/drivers/i2c/busses/i2c-designware-pcidrv.c
    1046 @@ -49,10 +49,10 @@ enum dw_pci_ctl_id_t {
    1047 };
    1048
    1049 struct dw_scl_sda_cfg {
    1050 - u32 ss_hcnt;
    1051 - u32 fs_hcnt;
    1052 - u32 ss_lcnt;
    1053 - u32 fs_lcnt;
    1054 + u16 ss_hcnt;
    1055 + u16 fs_hcnt;
    1056 + u16 ss_lcnt;
    1057 + u16 fs_lcnt;
    1058 u32 sda_hold;
    1059 };
    1060
    1061 diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
    1062 index 0e04b27e3158d..b577c64f3b3ec 100644
    1063 --- a/drivers/i2c/busses/i2c-i801.c
    1064 +++ b/drivers/i2c/busses/i2c-i801.c
    1065 @@ -762,6 +762,11 @@ static int i801_block_transaction(struct i801_priv *priv,
    1066 int result = 0;
    1067 unsigned char hostc;
    1068
    1069 + if (read_write == I2C_SMBUS_READ && command == I2C_SMBUS_BLOCK_DATA)
    1070 + data->block[0] = I2C_SMBUS_BLOCK_MAX;
    1071 + else if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX)
    1072 + return -EPROTO;
    1073 +
    1074 if (command == I2C_SMBUS_I2C_BLOCK_DATA) {
    1075 if (read_write == I2C_SMBUS_WRITE) {
    1076 /* set I2C_EN bit in configuration register */
    1077 @@ -775,16 +780,6 @@ static int i801_block_transaction(struct i801_priv *priv,
    1078 }
    1079 }
    1080
    1081 - if (read_write == I2C_SMBUS_WRITE
    1082 - || command == I2C_SMBUS_I2C_BLOCK_DATA) {
    1083 - if (data->block[0] < 1)
    1084 - data->block[0] = 1;
    1085 - if (data->block[0] > I2C_SMBUS_BLOCK_MAX)
    1086 - data->block[0] = I2C_SMBUS_BLOCK_MAX;
    1087 - } else {
    1088 - data->block[0] = 32; /* max for SMBus block reads */
    1089 - }
    1090 -
    1091 /* Experience has shown that the block buffer can only be used for
    1092 SMBus (not I2C) block transactions, even though the datasheet
    1093 doesn't mention this limitation. */
    1094 diff --git a/drivers/i2c/busses/i2c-mpc.c b/drivers/i2c/busses/i2c-mpc.c
    1095 index 90e4f839eb1cb..d153fc28e6bfb 100644
    1096 --- a/drivers/i2c/busses/i2c-mpc.c
    1097 +++ b/drivers/i2c/busses/i2c-mpc.c
    1098 @@ -107,23 +107,30 @@ static irqreturn_t mpc_i2c_isr(int irq, void *dev_id)
    1099 /* Sometimes 9th clock pulse isn't generated, and slave doesn't release
    1100 * the bus, because it wants to send ACK.
    1101 * Following sequence of enabling/disabling and sending start/stop generates
    1102 - * the 9 pulses, so it's all OK.
    1103 + * the 9 pulses, each with a START then ending with STOP, so it's all OK.
    1104 */
    1105 static void mpc_i2c_fixup(struct mpc_i2c *i2c)
    1106 {
    1107 int k;
    1108 - u32 delay_val = 1000000 / i2c->real_clk + 1;
    1109 -
    1110 - if (delay_val < 2)
    1111 - delay_val = 2;
    1112 + unsigned long flags;
    1113
    1114 for (k = 9; k; k--) {
    1115 writeccr(i2c, 0);
    1116 - writeccr(i2c, CCR_MSTA | CCR_MTX | CCR_MEN);
    1117 + writeb(0, i2c->base + MPC_I2C_SR); /* clear any status bits */
    1118 + writeccr(i2c, CCR_MEN | CCR_MSTA); /* START */
    1119 + readb(i2c->base + MPC_I2C_DR); /* init xfer */
    1120 + udelay(15); /* let it hit the bus */
    1121 + local_irq_save(flags); /* should not be delayed further */
    1122 + writeccr(i2c, CCR_MEN | CCR_MSTA | CCR_RSTA); /* delay SDA */
    1123 readb(i2c->base + MPC_I2C_DR);
    1124 - writeccr(i2c, CCR_MEN);
    1125 - udelay(delay_val << 1);
    1126 + if (k != 1)
    1127 + udelay(5);
    1128 + local_irq_restore(flags);
    1129 }
    1130 + writeccr(i2c, CCR_MEN); /* Initiate STOP */
    1131 + readb(i2c->base + MPC_I2C_DR);
    1132 + udelay(15); /* Let STOP propagate */
    1133 + writeccr(i2c, 0);
    1134 }
    1135
    1136 static int i2c_wait(struct mpc_i2c *i2c, unsigned timeout, int writing)
    1137 diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
    1138 index 4b947d5cafe28..c5c175b72f21e 100644
    1139 --- a/drivers/infiniband/core/device.c
    1140 +++ b/drivers/infiniband/core/device.c
    1141 @@ -870,7 +870,8 @@ int ib_find_gid(struct ib_device *device, union ib_gid *gid,
    1142 for (i = 0; i < device->port_immutable[port].gid_tbl_len; ++i) {
    1143 ret = ib_query_gid(device, port, i, &tmp_gid, NULL);
    1144 if (ret)
    1145 - return ret;
    1146 + continue;
    1147 +
    1148 if (!memcmp(&tmp_gid, gid, sizeof *gid)) {
    1149 *port_num = port;
    1150 if (index)
    1151 diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
    1152 index 87bc7b0db892b..2eeac8401c927 100644
    1153 --- a/drivers/infiniband/hw/cxgb4/qp.c
    1154 +++ b/drivers/infiniband/hw/cxgb4/qp.c
    1155 @@ -1974,6 +1974,7 @@ int c4iw_ib_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr,
    1156 memset(attr, 0, sizeof *attr);
    1157 memset(init_attr, 0, sizeof *init_attr);
    1158 attr->qp_state = to_ib_qp_state(qhp->attr.state);
    1159 + attr->cur_qp_state = to_ib_qp_state(qhp->attr.state);
    1160 init_attr->cap.max_send_wr = qhp->attr.sq_num_entries;
    1161 init_attr->cap.max_recv_wr = qhp->attr.rq_num_entries;
    1162 init_attr->cap.max_send_sge = qhp->attr.sq_max_sges;
    1163 diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
    1164 index 764e35a54457e..0aa2400db8fa0 100644
    1165 --- a/drivers/infiniband/hw/hns/hns_roce_main.c
    1166 +++ b/drivers/infiniband/hw/hns/hns_roce_main.c
    1167 @@ -475,6 +475,9 @@ static int hns_roce_query_gid(struct ib_device *ib_dev, u8 port_num, int index,
    1168 static int hns_roce_query_pkey(struct ib_device *ib_dev, u8 port, u16 index,
    1169 u16 *pkey)
    1170 {
    1171 + if (index > 0)
    1172 + return -EINVAL;
    1173 +
    1174 *pkey = PKEY_ID;
    1175
    1176 return 0;
    1177 @@ -553,7 +556,7 @@ static int hns_roce_mmap(struct ib_ucontext *context,
    1178 return -EINVAL;
    1179
    1180 if (vma->vm_pgoff == 0) {
    1181 - vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
    1182 + vma->vm_page_prot = pgprot_device(vma->vm_page_prot);
    1183 if (io_remap_pfn_range(vma, vma->vm_start,
    1184 to_hr_ucontext(context)->uar.pfn,
    1185 PAGE_SIZE, vma->vm_page_prot))
    1186 diff --git a/drivers/infiniband/sw/rxe/rxe_opcode.c b/drivers/infiniband/sw/rxe/rxe_opcode.c
    1187 index 61927c165b598..e67ed9141cd8a 100644
    1188 --- a/drivers/infiniband/sw/rxe/rxe_opcode.c
    1189 +++ b/drivers/infiniband/sw/rxe/rxe_opcode.c
    1190 @@ -137,7 +137,7 @@ struct rxe_opcode_info rxe_opcode[RXE_NUM_OPCODE] = {
    1191 }
    1192 },
    1193 [IB_OPCODE_RC_SEND_MIDDLE] = {
    1194 - .name = "IB_OPCODE_RC_SEND_MIDDLE]",
    1195 + .name = "IB_OPCODE_RC_SEND_MIDDLE",
    1196 .mask = RXE_PAYLOAD_MASK | RXE_REQ_MASK | RXE_SEND_MASK
    1197 | RXE_MIDDLE_MASK,
    1198 .length = RXE_BTH_BYTES,
    1199 diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c
    1200 index 386215245dfe2..85273da5da206 100644
    1201 --- a/drivers/md/persistent-data/dm-btree.c
    1202 +++ b/drivers/md/persistent-data/dm-btree.c
    1203 @@ -83,14 +83,16 @@ void inc_children(struct dm_transaction_manager *tm, struct btree_node *n,
    1204 }
    1205
    1206 static int insert_at(size_t value_size, struct btree_node *node, unsigned index,
    1207 - uint64_t key, void *value)
    1208 - __dm_written_to_disk(value)
    1209 + uint64_t key, void *value)
    1210 + __dm_written_to_disk(value)
    1211 {
    1212 uint32_t nr_entries = le32_to_cpu(node->header.nr_entries);
    1213 + uint32_t max_entries = le32_to_cpu(node->header.max_entries);
    1214 __le64 key_le = cpu_to_le64(key);
    1215
    1216 if (index > nr_entries ||
    1217 - index >= le32_to_cpu(node->header.max_entries)) {
    1218 + index >= max_entries ||
    1219 + nr_entries >= max_entries) {
    1220 DMERR("too many entries in btree node for insert");
    1221 __dm_unbless_for_disk(value);
    1222 return -ENOMEM;
    1223 diff --git a/drivers/md/persistent-data/dm-space-map-common.c b/drivers/md/persistent-data/dm-space-map-common.c
    1224 index ca09ad2a639c4..6fa4a68e78b0d 100644
    1225 --- a/drivers/md/persistent-data/dm-space-map-common.c
    1226 +++ b/drivers/md/persistent-data/dm-space-map-common.c
    1227 @@ -279,6 +279,11 @@ int sm_ll_lookup_bitmap(struct ll_disk *ll, dm_block_t b, uint32_t *result)
    1228 struct disk_index_entry ie_disk;
    1229 struct dm_block *blk;
    1230
    1231 + if (b >= ll->nr_blocks) {
    1232 + DMERR_LIMIT("metadata block out of bounds");
    1233 + return -EINVAL;
    1234 + }
    1235 +
    1236 b = do_div(index, ll->entries_per_block);
    1237 r = ll->load_ie(ll, index, &ie_disk);
    1238 if (r < 0)
    1239 diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c
    1240 index 930d2c94d5d30..2c9365a39270a 100644
    1241 --- a/drivers/media/common/saa7146/saa7146_fops.c
    1242 +++ b/drivers/media/common/saa7146/saa7146_fops.c
    1243 @@ -524,7 +524,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv)
    1244 ERR("out of memory. aborting.\n");
    1245 kfree(vv);
    1246 v4l2_ctrl_handler_free(hdl);
    1247 - return -1;
    1248 + return -ENOMEM;
    1249 }
    1250
    1251 saa7146_video_uops.init(dev,vv);
    1252 diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
    1253 index 0418b5a0fb645..32a2e6ffdb097 100644
    1254 --- a/drivers/media/dvb-core/dmxdev.c
    1255 +++ b/drivers/media/dvb-core/dmxdev.c
    1256 @@ -1225,7 +1225,7 @@ static const struct dvb_device dvbdev_dvr = {
    1257 };
    1258 int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter)
    1259 {
    1260 - int i;
    1261 + int i, ret;
    1262
    1263 if (dmxdev->demux->open(dmxdev->demux) < 0)
    1264 return -EUSERS;
    1265 @@ -1243,14 +1243,26 @@ int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter)
    1266 DMXDEV_STATE_FREE);
    1267 }
    1268
    1269 - dvb_register_device(dvb_adapter, &dmxdev->dvbdev, &dvbdev_demux, dmxdev,
    1270 + ret = dvb_register_device(dvb_adapter, &dmxdev->dvbdev, &dvbdev_demux, dmxdev,
    1271 DVB_DEVICE_DEMUX, dmxdev->filternum);
    1272 - dvb_register_device(dvb_adapter, &dmxdev->dvr_dvbdev, &dvbdev_dvr,
    1273 + if (ret < 0)
    1274 + goto err_register_dvbdev;
    1275 +
    1276 + ret = dvb_register_device(dvb_adapter, &dmxdev->dvr_dvbdev, &dvbdev_dvr,
    1277 dmxdev, DVB_DEVICE_DVR, dmxdev->filternum);
    1278 + if (ret < 0)
    1279 + goto err_register_dvr_dvbdev;
    1280
    1281 dvb_ringbuffer_init(&dmxdev->dvr_buffer, NULL, 8192);
    1282
    1283 return 0;
    1284 +
    1285 +err_register_dvr_dvbdev:
    1286 + dvb_unregister_device(dmxdev->dvbdev);
    1287 +err_register_dvbdev:
    1288 + vfree(dmxdev->filter);
    1289 + dmxdev->filter = NULL;
    1290 + return ret;
    1291 }
    1292
    1293 EXPORT_SYMBOL(dvb_dmxdev_init);
    1294 diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c
    1295 index ddf9c44877a25..ea2eab2d5be91 100644
    1296 --- a/drivers/media/dvb-frontends/dib8000.c
    1297 +++ b/drivers/media/dvb-frontends/dib8000.c
    1298 @@ -4462,8 +4462,10 @@ static struct dvb_frontend *dib8000_init(struct i2c_adapter *i2c_adap, u8 i2c_ad
    1299
    1300 state->timf_default = cfg->pll->timf;
    1301
    1302 - if (dib8000_identify(&state->i2c) == 0)
    1303 + if (dib8000_identify(&state->i2c) == 0) {
    1304 + kfree(fe);
    1305 goto error;
    1306 + }
    1307
    1308 dibx000_init_i2c_master(&state->i2c_master, DIB8000, state->i2c.adap, state->i2c.addr);
    1309
    1310 diff --git a/drivers/media/pci/b2c2/flexcop-pci.c b/drivers/media/pci/b2c2/flexcop-pci.c
    1311 index 4cac1fc233f28..98e94cd8bfad7 100644
    1312 --- a/drivers/media/pci/b2c2/flexcop-pci.c
    1313 +++ b/drivers/media/pci/b2c2/flexcop-pci.c
    1314 @@ -184,6 +184,8 @@ static irqreturn_t flexcop_pci_isr(int irq, void *dev_id)
    1315 dma_addr_t cur_addr =
    1316 fc->read_ibi_reg(fc,dma1_008).dma_0x8.dma_cur_addr << 2;
    1317 u32 cur_pos = cur_addr - fc_pci->dma[0].dma_addr0;
    1318 + if (cur_pos > fc_pci->dma[0].size * 2)
    1319 + goto error;
    1320
    1321 deb_irq("%u irq: %08x cur_addr: %llx: cur_pos: %08x, "
    1322 "last_cur_pos: %08x ",
    1323 @@ -225,6 +227,7 @@ static irqreturn_t flexcop_pci_isr(int irq, void *dev_id)
    1324 ret = IRQ_NONE;
    1325 }
    1326
    1327 +error:
    1328 spin_unlock_irqrestore(&fc_pci->irq_lock, flags);
    1329 return ret;
    1330 }
    1331 diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
    1332 index be85a2c4318e7..be91a2de81dcc 100644
    1333 --- a/drivers/media/pci/saa7146/hexium_gemini.c
    1334 +++ b/drivers/media/pci/saa7146/hexium_gemini.c
    1335 @@ -296,7 +296,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
    1336 hexium_set_input(hexium, 0);
    1337 hexium->cur_input = 0;
    1338
    1339 - saa7146_vv_init(dev, &vv_data);
    1340 + ret = saa7146_vv_init(dev, &vv_data);
    1341 + if (ret) {
    1342 + i2c_del_adapter(&hexium->i2c_adapter);
    1343 + kfree(hexium);
    1344 + return ret;
    1345 + }
    1346
    1347 vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
    1348 vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
    1349 diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
    1350 index dc07ca37ebd06..e8e96c7a57844 100644
    1351 --- a/drivers/media/pci/saa7146/hexium_orion.c
    1352 +++ b/drivers/media/pci/saa7146/hexium_orion.c
    1353 @@ -366,10 +366,16 @@ static struct saa7146_ext_vv vv_data;
    1354 static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
    1355 {
    1356 struct hexium *hexium = (struct hexium *) dev->ext_priv;
    1357 + int ret;
    1358
    1359 DEB_EE("\n");
    1360
    1361 - saa7146_vv_init(dev, &vv_data);
    1362 + ret = saa7146_vv_init(dev, &vv_data);
    1363 + if (ret) {
    1364 + pr_err("Error in saa7146_vv_init()\n");
    1365 + return ret;
    1366 + }
    1367 +
    1368 vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
    1369 vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
    1370 vv_data.vid_ops.vidioc_s_input = vidioc_s_input;
    1371 diff --git a/drivers/media/pci/saa7146/mxb.c b/drivers/media/pci/saa7146/mxb.c
    1372 index 3e8753c9e1e47..849c2a1d09f99 100644
    1373 --- a/drivers/media/pci/saa7146/mxb.c
    1374 +++ b/drivers/media/pci/saa7146/mxb.c
    1375 @@ -694,10 +694,16 @@ static struct saa7146_ext_vv vv_data;
    1376 static int mxb_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
    1377 {
    1378 struct mxb *mxb;
    1379 + int ret;
    1380
    1381 DEB_EE("dev:%p\n", dev);
    1382
    1383 - saa7146_vv_init(dev, &vv_data);
    1384 + ret = saa7146_vv_init(dev, &vv_data);
    1385 + if (ret) {
    1386 + ERR("Error in saa7146_vv_init()");
    1387 + return ret;
    1388 + }
    1389 +
    1390 if (mxb_probe(dev)) {
    1391 saa7146_vv_release(dev);
    1392 return -1;
    1393 diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
    1394 index 5cf983be07a20..0f4c4c39bf6da 100644
    1395 --- a/drivers/media/rc/igorplugusb.c
    1396 +++ b/drivers/media/rc/igorplugusb.c
    1397 @@ -73,9 +73,11 @@ static void igorplugusb_irdata(struct igorplugusb *ir, unsigned len)
    1398 if (start >= len) {
    1399 dev_err(ir->dev, "receive overflow invalid: %u", overflow);
    1400 } else {
    1401 - if (overflow > 0)
    1402 + if (overflow > 0) {
    1403 dev_warn(ir->dev, "receive overflow, at least %u lost",
    1404 overflow);
    1405 + ir_raw_event_reset(ir->rc);
    1406 + }
    1407
    1408 do {
    1409 rawir.duration = ir->buf_in[i] * 85333;
    1410 diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
    1411 index b78d70685b1c3..49122f442b872 100644
    1412 --- a/drivers/media/rc/mceusb.c
    1413 +++ b/drivers/media/rc/mceusb.c
    1414 @@ -1129,7 +1129,7 @@ static void mceusb_gen1_init(struct mceusb_dev *ir)
    1415 */
    1416 ret = usb_control_msg(ir->usbdev, usb_rcvctrlpipe(ir->usbdev, 0),
    1417 USB_REQ_SET_ADDRESS, USB_TYPE_VENDOR, 0, 0,
    1418 - data, USB_CTRL_MSG_SZ, HZ * 3);
    1419 + data, USB_CTRL_MSG_SZ, 3000);
    1420 dev_dbg(dev, "set address - ret = %d", ret);
    1421 dev_dbg(dev, "set address - data[0] = %d, data[1] = %d",
    1422 data[0], data[1]);
    1423 @@ -1137,20 +1137,20 @@ static void mceusb_gen1_init(struct mceusb_dev *ir)
    1424 /* set feature: bit rate 38400 bps */
    1425 ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0),
    1426 USB_REQ_SET_FEATURE, USB_TYPE_VENDOR,
    1427 - 0xc04e, 0x0000, NULL, 0, HZ * 3);
    1428 + 0xc04e, 0x0000, NULL, 0, 3000);
    1429
    1430 dev_dbg(dev, "set feature - ret = %d", ret);
    1431
    1432 /* bRequest 4: set char length to 8 bits */
    1433 ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0),
    1434 4, USB_TYPE_VENDOR,
    1435 - 0x0808, 0x0000, NULL, 0, HZ * 3);
    1436 + 0x0808, 0x0000, NULL, 0, 3000);
    1437 dev_dbg(dev, "set char length - retB = %d", ret);
    1438
    1439 /* bRequest 2: set handshaking to use DTR/DSR */
    1440 ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0),
    1441 2, USB_TYPE_VENDOR,
    1442 - 0x0000, 0x0100, NULL, 0, HZ * 3);
    1443 + 0x0000, 0x0100, NULL, 0, 3000);
    1444 dev_dbg(dev, "set handshake - retC = %d", ret);
    1445
    1446 /* device resume */
    1447 diff --git a/drivers/media/rc/redrat3.c b/drivers/media/rc/redrat3.c
    1448 index 05ba47bc0b613..5f3c1c204f643 100644
    1449 --- a/drivers/media/rc/redrat3.c
    1450 +++ b/drivers/media/rc/redrat3.c
    1451 @@ -427,7 +427,7 @@ static int redrat3_send_cmd(int cmd, struct redrat3_dev *rr3)
    1452 udev = rr3->udev;
    1453 res = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), cmd,
    1454 USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
    1455 - 0x0000, 0x0000, data, sizeof(u8), HZ * 10);
    1456 + 0x0000, 0x0000, data, sizeof(u8), 10000);
    1457
    1458 if (res < 0) {
    1459 dev_err(rr3->dev, "%s: Error sending rr3 cmd res %d, data %d",
    1460 @@ -493,7 +493,7 @@ static u32 redrat3_get_timeout(struct redrat3_dev *rr3)
    1461 pipe = usb_rcvctrlpipe(rr3->udev, 0);
    1462 ret = usb_control_msg(rr3->udev, pipe, RR3_GET_IR_PARAM,
    1463 USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
    1464 - RR3_IR_IO_SIG_TIMEOUT, 0, tmp, len, HZ * 5);
    1465 + RR3_IR_IO_SIG_TIMEOUT, 0, tmp, len, 5000);
    1466 if (ret != len)
    1467 dev_warn(rr3->dev, "Failed to read timeout from hardware\n");
    1468 else {
    1469 @@ -523,7 +523,7 @@ static int redrat3_set_timeout(struct rc_dev *rc_dev, unsigned int timeoutns)
    1470 ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), RR3_SET_IR_PARAM,
    1471 USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
    1472 RR3_IR_IO_SIG_TIMEOUT, 0, timeout, sizeof(*timeout),
    1473 - HZ * 25);
    1474 + 25000);
    1475 dev_dbg(dev, "set ir parm timeout %d ret 0x%02x\n",
    1476 be32_to_cpu(*timeout), ret);
    1477
    1478 @@ -557,32 +557,32 @@ static void redrat3_reset(struct redrat3_dev *rr3)
    1479 *val = 0x01;
    1480 rc = usb_control_msg(udev, rxpipe, RR3_RESET,
    1481 USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
    1482 - RR3_CPUCS_REG_ADDR, 0, val, len, HZ * 25);
    1483 + RR3_CPUCS_REG_ADDR, 0, val, len, 25000);
    1484 dev_dbg(dev, "reset returned 0x%02x\n", rc);
    1485
    1486 *val = length_fuzz;
    1487 rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM,
    1488 USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
    1489 - RR3_IR_IO_LENGTH_FUZZ, 0, val, len, HZ * 25);
    1490 + RR3_IR_IO_LENGTH_FUZZ, 0, val, len, 25000);
    1491 dev_dbg(dev, "set ir parm len fuzz %d rc 0x%02x\n", *val, rc);
    1492
    1493 *val = (65536 - (minimum_pause * 2000)) / 256;
    1494 rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM,
    1495 USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
    1496 - RR3_IR_IO_MIN_PAUSE, 0, val, len, HZ * 25);
    1497 + RR3_IR_IO_MIN_PAUSE, 0, val, len, 25000);
    1498 dev_dbg(dev, "set ir parm min pause %d rc 0x%02x\n", *val, rc);
    1499
    1500 *val = periods_measure_carrier;
    1501 rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM,
    1502 USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
    1503 - RR3_IR_IO_PERIODS_MF, 0, val, len, HZ * 25);
    1504 + RR3_IR_IO_PERIODS_MF, 0, val, len, 25000);
    1505 dev_dbg(dev, "set ir parm periods measure carrier %d rc 0x%02x", *val,
    1506 rc);
    1507
    1508 *val = RR3_DRIVER_MAXLENS;
    1509 rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM,
    1510 USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
    1511 - RR3_IR_IO_MAX_LENGTHS, 0, val, len, HZ * 25);
    1512 + RR3_IR_IO_MAX_LENGTHS, 0, val, len, 25000);
    1513 dev_dbg(dev, "set ir parm max lens %d rc 0x%02x\n", *val, rc);
    1514
    1515 kfree(val);
    1516 @@ -602,7 +602,7 @@ static void redrat3_get_firmware_rev(struct redrat3_dev *rr3)
    1517 rc = usb_control_msg(rr3->udev, usb_rcvctrlpipe(rr3->udev, 0),
    1518 RR3_FW_VERSION,
    1519 USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
    1520 - 0, 0, buffer, RR3_FW_VERSION_LEN, HZ * 5);
    1521 + 0, 0, buffer, RR3_FW_VERSION_LEN, 5000);
    1522
    1523 if (rc >= 0)
    1524 dev_info(rr3->dev, "Firmware rev: %s", buffer);
    1525 @@ -842,14 +842,14 @@ static int redrat3_transmit_ir(struct rc_dev *rcdev, unsigned *txbuf,
    1526
    1527 pipe = usb_sndbulkpipe(rr3->udev, rr3->ep_out->bEndpointAddress);
    1528 ret = usb_bulk_msg(rr3->udev, pipe, irdata,
    1529 - sendbuf_len, &ret_len, 10 * HZ);
    1530 + sendbuf_len, &ret_len, 10000);
    1531 dev_dbg(dev, "sent %d bytes, (ret %d)\n", ret_len, ret);
    1532
    1533 /* now tell the hardware to transmit what we sent it */
    1534 pipe = usb_rcvctrlpipe(rr3->udev, 0);
    1535 ret = usb_control_msg(rr3->udev, pipe, RR3_TX_SEND_SIGNAL,
    1536 USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
    1537 - 0, 0, irdata, 2, HZ * 10);
    1538 + 0, 0, irdata, 2, 10000);
    1539
    1540 if (ret < 0)
    1541 dev_err(dev, "Error: control msg send failed, rc %d\n", ret);
    1542 diff --git a/drivers/media/tuners/msi001.c b/drivers/media/tuners/msi001.c
    1543 index 3a12ef35682b5..64d98517f470f 100644
    1544 --- a/drivers/media/tuners/msi001.c
    1545 +++ b/drivers/media/tuners/msi001.c
    1546 @@ -464,6 +464,13 @@ static int msi001_probe(struct spi_device *spi)
    1547 V4L2_CID_RF_TUNER_BANDWIDTH_AUTO, 0, 1, 1, 1);
    1548 dev->bandwidth = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
    1549 V4L2_CID_RF_TUNER_BANDWIDTH, 200000, 8000000, 1, 200000);
    1550 + if (dev->hdl.error) {
    1551 + ret = dev->hdl.error;
    1552 + dev_err(&spi->dev, "Could not initialize controls\n");
    1553 + /* control init failed, free handler */
    1554 + goto err_ctrl_handler_free;
    1555 + }
    1556 +
    1557 v4l2_ctrl_auto_cluster(2, &dev->bandwidth_auto, 0, false);
    1558 dev->lna_gain = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
    1559 V4L2_CID_RF_TUNER_LNA_GAIN, 0, 1, 1, 1);
    1560 diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
    1561 index 72a47da0db2ae..e56837414e2c7 100644
    1562 --- a/drivers/media/tuners/si2157.c
    1563 +++ b/drivers/media/tuners/si2157.c
    1564 @@ -89,7 +89,7 @@ static int si2157_init(struct dvb_frontend *fe)
    1565 dev_dbg(&client->dev, "\n");
    1566
    1567 /* Try to get Xtal trim property, to verify tuner still running */
    1568 - memcpy(cmd.args, "\x15\x00\x04\x02", 4);
    1569 + memcpy(cmd.args, "\x15\x00\x02\x04", 4);
    1570 cmd.wlen = 4;
    1571 cmd.rlen = 4;
    1572 ret = si2157_cmd_execute(client, &cmd);
    1573 diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c
    1574 index a93fc1839e139..3d6e991df9261 100644
    1575 --- a/drivers/media/usb/b2c2/flexcop-usb.c
    1576 +++ b/drivers/media/usb/b2c2/flexcop-usb.c
    1577 @@ -87,7 +87,7 @@ static int flexcop_usb_readwrite_dw(struct flexcop_device *fc, u16 wRegOffsPCI,
    1578 0,
    1579 fc_usb->data,
    1580 sizeof(u32),
    1581 - B2C2_WAIT_FOR_OPERATION_RDW * HZ);
    1582 + B2C2_WAIT_FOR_OPERATION_RDW);
    1583
    1584 if (ret != sizeof(u32)) {
    1585 err("error while %s dword from %d (%d).", read ? "reading" :
    1586 @@ -155,7 +155,7 @@ static int flexcop_usb_v8_memory_req(struct flexcop_usb *fc_usb,
    1587 wIndex,
    1588 fc_usb->data,
    1589 buflen,
    1590 - nWaitTime * HZ);
    1591 + nWaitTime);
    1592 if (ret != buflen)
    1593 ret = -EIO;
    1594
    1595 @@ -249,13 +249,13 @@ static int flexcop_usb_i2c_req(struct flexcop_i2c_adapter *i2c,
    1596 /* DKT 020208 - add this to support special case of DiSEqC */
    1597 case USB_FUNC_I2C_CHECKWRITE:
    1598 pipe = B2C2_USB_CTRL_PIPE_OUT;
    1599 - nWaitTime = 2;
    1600 + nWaitTime = 2000;
    1601 request_type |= USB_DIR_OUT;
    1602 break;
    1603 case USB_FUNC_I2C_READ:
    1604 case USB_FUNC_I2C_REPEATREAD:
    1605 pipe = B2C2_USB_CTRL_PIPE_IN;
    1606 - nWaitTime = 2;
    1607 + nWaitTime = 2000;
    1608 request_type |= USB_DIR_IN;
    1609 break;
    1610 default:
    1611 @@ -282,7 +282,7 @@ static int flexcop_usb_i2c_req(struct flexcop_i2c_adapter *i2c,
    1612 wIndex,
    1613 fc_usb->data,
    1614 buflen,
    1615 - nWaitTime * HZ);
    1616 + nWaitTime);
    1617
    1618 if (ret != buflen)
    1619 ret = -EIO;
    1620 diff --git a/drivers/media/usb/b2c2/flexcop-usb.h b/drivers/media/usb/b2c2/flexcop-usb.h
    1621 index 25ad43166e78c..247c7dbc8a619 100644
    1622 --- a/drivers/media/usb/b2c2/flexcop-usb.h
    1623 +++ b/drivers/media/usb/b2c2/flexcop-usb.h
    1624 @@ -90,13 +90,13 @@ typedef enum {
    1625 UTILITY_SRAM_TESTVERIFY = 0x16,
    1626 } flexcop_usb_utility_function_t;
    1627
    1628 -#define B2C2_WAIT_FOR_OPERATION_RW (1*HZ)
    1629 -#define B2C2_WAIT_FOR_OPERATION_RDW (3*HZ)
    1630 -#define B2C2_WAIT_FOR_OPERATION_WDW (1*HZ)
    1631 +#define B2C2_WAIT_FOR_OPERATION_RW 1000
    1632 +#define B2C2_WAIT_FOR_OPERATION_RDW 3000
    1633 +#define B2C2_WAIT_FOR_OPERATION_WDW 1000
    1634
    1635 -#define B2C2_WAIT_FOR_OPERATION_V8READ (3*HZ)
    1636 -#define B2C2_WAIT_FOR_OPERATION_V8WRITE (3*HZ)
    1637 -#define B2C2_WAIT_FOR_OPERATION_V8FLASH (3*HZ)
    1638 +#define B2C2_WAIT_FOR_OPERATION_V8READ 3000
    1639 +#define B2C2_WAIT_FOR_OPERATION_V8WRITE 3000
    1640 +#define B2C2_WAIT_FOR_OPERATION_V8FLASH 3000
    1641
    1642 typedef enum {
    1643 V8_MEMORY_PAGE_DVB_CI = 0x20,
    1644 diff --git a/drivers/media/usb/cpia2/cpia2_usb.c b/drivers/media/usb/cpia2/cpia2_usb.c
    1645 index 4f4a130f17af3..447d6a52af3b8 100644
    1646 --- a/drivers/media/usb/cpia2/cpia2_usb.c
    1647 +++ b/drivers/media/usb/cpia2/cpia2_usb.c
    1648 @@ -565,7 +565,7 @@ static int write_packet(struct usb_device *udev,
    1649 0, /* index */
    1650 buf, /* buffer */
    1651 size,
    1652 - HZ);
    1653 + 1000);
    1654
    1655 kfree(buf);
    1656 return ret;
    1657 @@ -597,7 +597,7 @@ static int read_packet(struct usb_device *udev,
    1658 0, /* index */
    1659 buf, /* buffer */
    1660 size,
    1661 - HZ);
    1662 + 1000);
    1663
    1664 if (ret >= 0)
    1665 memcpy(registers, buf, size);
    1666 diff --git a/drivers/media/usb/dvb-usb/dib0700_core.c b/drivers/media/usb/dvb-usb/dib0700_core.c
    1667 index 4a5ea74c91d45..1b56824fbe51e 100644
    1668 --- a/drivers/media/usb/dvb-usb/dib0700_core.c
    1669 +++ b/drivers/media/usb/dvb-usb/dib0700_core.c
    1670 @@ -610,8 +610,6 @@ int dib0700_streaming_ctrl(struct dvb_usb_adapter *adap, int onoff)
    1671 deb_info("the endpoint number (%i) is not correct, use the adapter id instead", adap->fe_adap[0].stream.props.endpoint);
    1672 if (onoff)
    1673 st->channel_state |= 1 << (adap->id);
    1674 - else
    1675 - st->channel_state |= 1 << ~(adap->id);
    1676 } else {
    1677 if (onoff)
    1678 st->channel_state |= 1 << (adap->fe_adap[0].stream.props.endpoint-2);
    1679 diff --git a/drivers/media/usb/dvb-usb/m920x.c b/drivers/media/usb/dvb-usb/m920x.c
    1680 index eafc5c82467f4..5b806779e2106 100644
    1681 --- a/drivers/media/usb/dvb-usb/m920x.c
    1682 +++ b/drivers/media/usb/dvb-usb/m920x.c
    1683 @@ -284,6 +284,13 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
    1684 /* Should check for ack here, if we knew how. */
    1685 }
    1686 if (msg[i].flags & I2C_M_RD) {
    1687 + char *read = kmalloc(1, GFP_KERNEL);
    1688 + if (!read) {
    1689 + ret = -ENOMEM;
    1690 + kfree(read);
    1691 + goto unlock;
    1692 + }
    1693 +
    1694 for (j = 0; j < msg[i].len; j++) {
    1695 /* Last byte of transaction?
    1696 * Send STOP, otherwise send ACK. */
    1697 @@ -291,9 +298,12 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
    1698
    1699 if ((ret = m920x_read(d->udev, M9206_I2C, 0x0,
    1700 0x20 | stop,
    1701 - &msg[i].buf[j], 1)) != 0)
    1702 + read, 1)) != 0)
    1703 goto unlock;
    1704 + msg[i].buf[j] = read[0];
    1705 }
    1706 +
    1707 + kfree(read);
    1708 } else {
    1709 for (j = 0; j < msg[i].len; j++) {
    1710 /* Last byte of transaction? Then send STOP. */
    1711 diff --git a/drivers/media/usb/em28xx/em28xx-core.c b/drivers/media/usb/em28xx/em28xx-core.c
    1712 index eebd5d7088d00..fb3008a7233fe 100644
    1713 --- a/drivers/media/usb/em28xx/em28xx-core.c
    1714 +++ b/drivers/media/usb/em28xx/em28xx-core.c
    1715 @@ -99,7 +99,7 @@ int em28xx_read_reg_req_len(struct em28xx *dev, u8 req, u16 reg,
    1716 mutex_lock(&dev->ctrl_urb_lock);
    1717 ret = usb_control_msg(dev->udev, pipe, req,
    1718 USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
    1719 - 0x0000, reg, dev->urb_buf, len, HZ);
    1720 + 0x0000, reg, dev->urb_buf, len, 1000);
    1721 if (ret < 0) {
    1722 if (reg_debug)
    1723 printk(" failed!\n");
    1724 @@ -182,7 +182,7 @@ int em28xx_write_regs_req(struct em28xx *dev, u8 req, u16 reg, char *buf,
    1725 memcpy(dev->urb_buf, buf, len);
    1726 ret = usb_control_msg(dev->udev, pipe, req,
    1727 USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
    1728 - 0x0000, reg, dev->urb_buf, len, HZ);
    1729 + 0x0000, reg, dev->urb_buf, len, 1000);
    1730 mutex_unlock(&dev->ctrl_urb_lock);
    1731
    1732 if (ret < 0)
    1733 diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
    1734 index 0cb8dd5852357..40535db585a0e 100644
    1735 --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
    1736 +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
    1737 @@ -1488,7 +1488,7 @@ static int pvr2_upload_firmware1(struct pvr2_hdw *hdw)
    1738 for (address = 0; address < fwsize; address += 0x800) {
    1739 memcpy(fw_ptr, fw_entry->data + address, 0x800);
    1740 ret += usb_control_msg(hdw->usb_dev, pipe, 0xa0, 0x40, address,
    1741 - 0, fw_ptr, 0x800, HZ);
    1742 + 0, fw_ptr, 0x800, 1000);
    1743 }
    1744
    1745 trace_firmware("Upload done, releasing device's CPU");
    1746 @@ -1627,7 +1627,7 @@ int pvr2_upload_firmware2(struct pvr2_hdw *hdw)
    1747 ((u32 *)fw_ptr)[icnt] = swab32(((u32 *)fw_ptr)[icnt]);
    1748
    1749 ret |= usb_bulk_msg(hdw->usb_dev, pipe, fw_ptr,bcnt,
    1750 - &actual_length, HZ);
    1751 + &actual_length, 1000);
    1752 ret |= (actual_length != bcnt);
    1753 if (ret) break;
    1754 fw_done += bcnt;
    1755 @@ -3486,7 +3486,7 @@ void pvr2_hdw_cpufw_set_enabled(struct pvr2_hdw *hdw,
    1756 0xa0,0xc0,
    1757 address,0,
    1758 hdw->fw_buffer+address,
    1759 - 0x800,HZ);
    1760 + 0x800,1000);
    1761 if (ret < 0) break;
    1762 }
    1763
    1764 @@ -4011,7 +4011,7 @@ void pvr2_hdw_cpureset_assert(struct pvr2_hdw *hdw,int val)
    1765 /* Write the CPUCS register on the 8051. The lsb of the register
    1766 is the reset bit; a 1 asserts reset while a 0 clears it. */
    1767 pipe = usb_sndctrlpipe(hdw->usb_dev, 0);
    1768 - ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,HZ);
    1769 + ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,1000);
    1770 if (ret < 0) {
    1771 pvr2_trace(PVR2_TRACE_ERROR_LEGS,
    1772 "cpureset_assert(%d) error=%d",val,ret);
    1773 diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c
    1774 index f7bb78c1873c9..fb5636f07e7eb 100644
    1775 --- a/drivers/media/usb/s2255/s2255drv.c
    1776 +++ b/drivers/media/usb/s2255/s2255drv.c
    1777 @@ -1913,7 +1913,7 @@ static long s2255_vendor_req(struct s2255_dev *dev, unsigned char Request,
    1778 USB_TYPE_VENDOR | USB_RECIP_DEVICE |
    1779 USB_DIR_IN,
    1780 Value, Index, buf,
    1781 - TransferBufferLength, HZ * 5);
    1782 + TransferBufferLength, USB_CTRL_SET_TIMEOUT);
    1783
    1784 if (r >= 0)
    1785 memcpy(TransferBuffer, buf, TransferBufferLength);
    1786 @@ -1922,7 +1922,7 @@ static long s2255_vendor_req(struct s2255_dev *dev, unsigned char Request,
    1787 r = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
    1788 Request, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
    1789 Value, Index, buf,
    1790 - TransferBufferLength, HZ * 5);
    1791 + TransferBufferLength, USB_CTRL_SET_TIMEOUT);
    1792 }
    1793 kfree(buf);
    1794 return r;
    1795 diff --git a/drivers/media/usb/stk1160/stk1160-core.c b/drivers/media/usb/stk1160/stk1160-core.c
    1796 index bc029478065a0..a526ea2fe587a 100644
    1797 --- a/drivers/media/usb/stk1160/stk1160-core.c
    1798 +++ b/drivers/media/usb/stk1160/stk1160-core.c
    1799 @@ -76,7 +76,7 @@ int stk1160_read_reg(struct stk1160 *dev, u16 reg, u8 *value)
    1800 return -ENOMEM;
    1801 ret = usb_control_msg(dev->udev, pipe, 0x00,
    1802 USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
    1803 - 0x00, reg, buf, sizeof(u8), HZ);
    1804 + 0x00, reg, buf, sizeof(u8), 1000);
    1805 if (ret < 0) {
    1806 stk1160_err("read failed on reg 0x%x (%d)\n",
    1807 reg, ret);
    1808 @@ -96,7 +96,7 @@ int stk1160_write_reg(struct stk1160 *dev, u16 reg, u16 value)
    1809
    1810 ret = usb_control_msg(dev->udev, pipe, 0x01,
    1811 USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
    1812 - value, reg, NULL, 0, HZ);
    1813 + value, reg, NULL, 0, 1000);
    1814 if (ret < 0) {
    1815 stk1160_err("write failed on reg 0x%x (%d)\n",
    1816 reg, ret);
    1817 diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
    1818 index 1d724e86f3780..2a7d178a9d069 100644
    1819 --- a/drivers/media/usb/uvc/uvc_video.c
    1820 +++ b/drivers/media/usb/uvc/uvc_video.c
    1821 @@ -1716,6 +1716,10 @@ static int uvc_init_video(struct uvc_streaming *stream, gfp_t gfp_flags)
    1822 if (ep == NULL)
    1823 return -EIO;
    1824
    1825 + /* Reject broken descriptors. */
    1826 + if (usb_endpoint_maxp(&ep->desc) == 0)
    1827 + return -EIO;
    1828 +
    1829 ret = uvc_init_video_bulk(stream, ep, gfp_flags);
    1830 }
    1831
    1832 diff --git a/drivers/mfd/intel-lpss-acpi.c b/drivers/mfd/intel-lpss-acpi.c
    1833 index 6bf8d643d9428..31fbfd9c4b11c 100644
    1834 --- a/drivers/mfd/intel-lpss-acpi.c
    1835 +++ b/drivers/mfd/intel-lpss-acpi.c
    1836 @@ -84,6 +84,7 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev)
    1837 {
    1838 struct intel_lpss_platform_info *info;
    1839 const struct acpi_device_id *id;
    1840 + int ret;
    1841
    1842 id = acpi_match_device(intel_lpss_acpi_ids, &pdev->dev);
    1843 if (!id)
    1844 @@ -97,10 +98,14 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev)
    1845 info->mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
    1846 info->irq = platform_get_irq(pdev, 0);
    1847
    1848 + ret = intel_lpss_probe(&pdev->dev, info);
    1849 + if (ret)
    1850 + return ret;
    1851 +
    1852 pm_runtime_set_active(&pdev->dev);
    1853 pm_runtime_enable(&pdev->dev);
    1854
    1855 - return intel_lpss_probe(&pdev->dev, info);
    1856 + return 0;
    1857 }
    1858
    1859 static int intel_lpss_acpi_remove(struct platform_device *pdev)
    1860 diff --git a/drivers/misc/lattice-ecp3-config.c b/drivers/misc/lattice-ecp3-config.c
    1861 index 626fdcaf25101..645d26536114f 100644
    1862 --- a/drivers/misc/lattice-ecp3-config.c
    1863 +++ b/drivers/misc/lattice-ecp3-config.c
    1864 @@ -81,12 +81,12 @@ static void firmware_load(const struct firmware *fw, void *context)
    1865
    1866 if (fw == NULL) {
    1867 dev_err(&spi->dev, "Cannot load firmware, aborting\n");
    1868 - return;
    1869 + goto out;
    1870 }
    1871
    1872 if (fw->size == 0) {
    1873 dev_err(&spi->dev, "Error: Firmware size is 0!\n");
    1874 - return;
    1875 + goto out;
    1876 }
    1877
    1878 /* Fill dummy data (24 stuffing bits for commands) */
    1879 @@ -108,7 +108,7 @@ static void firmware_load(const struct firmware *fw, void *context)
    1880 dev_err(&spi->dev,
    1881 "Error: No supported FPGA detected (JEDEC_ID=%08x)!\n",
    1882 jedec_id);
    1883 - return;
    1884 + goto out;
    1885 }
    1886
    1887 dev_info(&spi->dev, "FPGA %s detected\n", ecp3_dev[i].name);
    1888 @@ -121,7 +121,7 @@ static void firmware_load(const struct firmware *fw, void *context)
    1889 buffer = kzalloc(fw->size + 8, GFP_KERNEL);
    1890 if (!buffer) {
    1891 dev_err(&spi->dev, "Error: Can't allocate memory!\n");
    1892 - return;
    1893 + goto out;
    1894 }
    1895
    1896 /*
    1897 @@ -160,7 +160,7 @@ static void firmware_load(const struct firmware *fw, void *context)
    1898 "Error: Timeout waiting for FPGA to clear (status=%08x)!\n",
    1899 status);
    1900 kfree(buffer);
    1901 - return;
    1902 + goto out;
    1903 }
    1904
    1905 dev_info(&spi->dev, "Configuring the FPGA...\n");
    1906 @@ -186,7 +186,7 @@ static void firmware_load(const struct firmware *fw, void *context)
    1907 release_firmware(fw);
    1908
    1909 kfree(buffer);
    1910 -
    1911 +out:
    1912 complete(&data->fw_loaded);
    1913 }
    1914
    1915 diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
    1916 index 2b721ed392adb..0d9226bdf6614 100644
    1917 --- a/drivers/net/bonding/bond_main.c
    1918 +++ b/drivers/net/bonding/bond_main.c
    1919 @@ -782,14 +782,14 @@ static bool bond_should_notify_peers(struct bonding *bond)
    1920 slave = rcu_dereference(bond->curr_active_slave);
    1921 rcu_read_unlock();
    1922
    1923 - netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n",
    1924 - slave ? slave->dev->name : "NULL");
    1925 -
    1926 if (!slave || !bond->send_peer_notif ||
    1927 !netif_carrier_ok(bond->dev) ||
    1928 test_bit(__LINK_STATE_LINKWATCH_PENDING, &slave->dev->state))
    1929 return false;
    1930
    1931 + netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n",
    1932 + slave ? slave->dev->name : "NULL");
    1933 +
    1934 return true;
    1935 }
    1936
    1937 diff --git a/drivers/net/can/softing/softing_cs.c b/drivers/net/can/softing/softing_cs.c
    1938 index cdc0c7433a4b5..9fbed88d6c821 100644
    1939 --- a/drivers/net/can/softing/softing_cs.c
    1940 +++ b/drivers/net/can/softing/softing_cs.c
    1941 @@ -304,7 +304,7 @@ static int softingcs_probe(struct pcmcia_device *pcmcia)
    1942 return 0;
    1943
    1944 platform_failed:
    1945 - kfree(dev);
    1946 + platform_device_put(pdev);
    1947 mem_failed:
    1948 pcmcia_bad:
    1949 pcmcia_failed:
    1950 diff --git a/drivers/net/can/softing/softing_fw.c b/drivers/net/can/softing/softing_fw.c
    1951 index 52fe50725d749..a74c779feb90e 100644
    1952 --- a/drivers/net/can/softing/softing_fw.c
    1953 +++ b/drivers/net/can/softing/softing_fw.c
    1954 @@ -576,18 +576,19 @@ int softing_startstop(struct net_device *dev, int up)
    1955 if (ret < 0)
    1956 goto failed;
    1957 }
    1958 - /* enable_error_frame */
    1959 - /*
    1960 +
    1961 + /* enable_error_frame
    1962 + *
    1963 * Error reporting is switched off at the moment since
    1964 * the receiving of them is not yet 100% verified
    1965 * This should be enabled sooner or later
    1966 - *
    1967 - if (error_reporting) {
    1968 + */
    1969 + if (0 && error_reporting) {
    1970 ret = softing_fct_cmd(card, 51, "enable_error_frame");
    1971 if (ret < 0)
    1972 goto failed;
    1973 }
    1974 - */
    1975 +
    1976 /* initialize interface */
    1977 iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 2]);
    1978 iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 4]);
    1979 diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
    1980 index d21c68882e867..75399aa1ba951 100644
    1981 --- a/drivers/net/can/usb/gs_usb.c
    1982 +++ b/drivers/net/can/usb/gs_usb.c
    1983 @@ -328,7 +328,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
    1984
    1985 /* device reports out of range channel id */
    1986 if (hf->channel >= GS_MAX_INTF)
    1987 - goto resubmit_urb;
    1988 + goto device_detach;
    1989
    1990 dev = usbcan->canch[hf->channel];
    1991
    1992 @@ -413,6 +413,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
    1993
    1994 /* USB failure take down all interfaces */
    1995 if (rc == -ENODEV) {
    1996 + device_detach:
    1997 for (rc = 0; rc < GS_MAX_INTF; rc++) {
    1998 if (usbcan->canch[rc])
    1999 netif_device_detach(usbcan->canch[rc]->netdev);
    2000 @@ -514,6 +515,8 @@ static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb,
    2001
    2002 hf->echo_id = idx;
    2003 hf->channel = dev->channel;
    2004 + hf->flags = 0;
    2005 + hf->reserved = 0;
    2006
    2007 cf = (struct can_frame *)skb->data;
    2008
    2009 diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c
    2010 index e680bab27dd7e..ef24b619e0e57 100644
    2011 --- a/drivers/net/can/xilinx_can.c
    2012 +++ b/drivers/net/can/xilinx_can.c
    2013 @@ -1302,7 +1302,12 @@ static int xcan_probe(struct platform_device *pdev)
    2014 spin_lock_init(&priv->tx_lock);
    2015
    2016 /* Get IRQ for the device */
    2017 - ndev->irq = platform_get_irq(pdev, 0);
    2018 + ret = platform_get_irq(pdev, 0);
    2019 + if (ret < 0)
    2020 + goto err_free;
    2021 +
    2022 + ndev->irq = ret;
    2023 +
    2024 ndev->flags |= IFF_ECHO; /* We support local echo */
    2025
    2026 platform_set_drvdata(pdev, ndev);
    2027 diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
    2028 index fae5517770834..6676924d5f3e7 100644
    2029 --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
    2030 +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
    2031 @@ -3358,10 +3358,12 @@ static int bcmgenet_probe(struct platform_device *pdev)
    2032
    2033 /* Request the WOL interrupt and advertise suspend if available */
    2034 priv->wol_irq_disabled = true;
    2035 - err = devm_request_irq(&pdev->dev, priv->wol_irq, bcmgenet_wol_isr, 0,
    2036 - dev->name, priv);
    2037 - if (!err)
    2038 - device_set_wakeup_capable(&pdev->dev, 1);
    2039 + if (priv->wol_irq > 0) {
    2040 + err = devm_request_irq(&pdev->dev, priv->wol_irq,
    2041 + bcmgenet_wol_isr, 0, dev->name, priv);
    2042 + if (!err)
    2043 + device_set_wakeup_capable(&pdev->dev, 1);
    2044 + }
    2045
    2046 /* Set the needed headroom to account for any possible
    2047 * features enabling/disabling at runtime
    2048 diff --git a/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c b/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c
    2049 index d04a6c1634452..da8d10475a08e 100644
    2050 --- a/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c
    2051 +++ b/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c
    2052 @@ -32,6 +32,7 @@
    2053
    2054 #include <linux/tcp.h>
    2055 #include <linux/ipv6.h>
    2056 +#include <net/inet_ecn.h>
    2057 #include <net/route.h>
    2058 #include <net/ip6_route.h>
    2059
    2060 @@ -99,7 +100,7 @@ cxgb_find_route(struct cxgb4_lld_info *lldi,
    2061
    2062 rt = ip_route_output_ports(&init_net, &fl4, NULL, peer_ip, local_ip,
    2063 peer_port, local_port, IPPROTO_TCP,
    2064 - tos, 0);
    2065 + tos & ~INET_ECN_MASK, 0);
    2066 if (IS_ERR(rt))
    2067 return NULL;
    2068 n = dst_neigh_lookup(&rt->dst, &peer_ip);
    2069 diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c
    2070 index 81021f87e4f39..93b7ed361b82e 100644
    2071 --- a/drivers/net/ethernet/freescale/fman/mac.c
    2072 +++ b/drivers/net/ethernet/freescale/fman/mac.c
    2073 @@ -96,14 +96,17 @@ static void mac_exception(void *handle, enum fman_mac_exceptions ex)
    2074 __func__, ex);
    2075 }
    2076
    2077 -static void set_fman_mac_params(struct mac_device *mac_dev,
    2078 - struct fman_mac_params *params)
    2079 +static int set_fman_mac_params(struct mac_device *mac_dev,
    2080 + struct fman_mac_params *params)
    2081 {
    2082 struct mac_priv_s *priv = mac_dev->priv;
    2083
    2084 params->base_addr = (typeof(params->base_addr))
    2085 devm_ioremap(priv->dev, mac_dev->res->start,
    2086 resource_size(mac_dev->res));
    2087 + if (!params->base_addr)
    2088 + return -ENOMEM;
    2089 +
    2090 memcpy(&params->addr, mac_dev->addr, sizeof(mac_dev->addr));
    2091 params->max_speed = priv->max_speed;
    2092 params->phy_if = priv->phy_if;
    2093 @@ -114,6 +117,8 @@ static void set_fman_mac_params(struct mac_device *mac_dev,
    2094 params->event_cb = mac_exception;
    2095 params->dev_id = mac_dev;
    2096 params->internal_phy_node = priv->internal_phy_node;
    2097 +
    2098 + return 0;
    2099 }
    2100
    2101 static int tgec_initialization(struct mac_device *mac_dev)
    2102 @@ -125,7 +130,9 @@ static int tgec_initialization(struct mac_device *mac_dev)
    2103
    2104 priv = mac_dev->priv;
    2105
    2106 - set_fman_mac_params(mac_dev, &params);
    2107 + err = set_fman_mac_params(mac_dev, &params);
    2108 + if (err)
    2109 + goto _return;
    2110
    2111 mac_dev->fman_mac = tgec_config(&params);
    2112 if (!mac_dev->fman_mac) {
    2113 @@ -171,7 +178,9 @@ static int dtsec_initialization(struct mac_device *mac_dev)
    2114
    2115 priv = mac_dev->priv;
    2116
    2117 - set_fman_mac_params(mac_dev, &params);
    2118 + err = set_fman_mac_params(mac_dev, &params);
    2119 + if (err)
    2120 + goto _return;
    2121
    2122 mac_dev->fman_mac = dtsec_config(&params);
    2123 if (!mac_dev->fman_mac) {
    2124 @@ -220,7 +229,9 @@ static int memac_initialization(struct mac_device *mac_dev)
    2125
    2126 priv = mac_dev->priv;
    2127
    2128 - set_fman_mac_params(mac_dev, &params);
    2129 + err = set_fman_mac_params(mac_dev, &params);
    2130 + if (err)
    2131 + goto _return;
    2132
    2133 if (priv->max_speed == SPEED_10000)
    2134 params.phy_if = PHY_INTERFACE_MODE_XGMII;
    2135 diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
    2136 index 9fd68cfdd9734..fc721a59a4086 100644
    2137 --- a/drivers/net/ethernet/freescale/gianfar.c
    2138 +++ b/drivers/net/ethernet/freescale/gianfar.c
    2139 @@ -2939,29 +2939,21 @@ static bool gfar_add_rx_frag(struct gfar_rx_buff *rxb, u32 lstatus,
    2140 {
    2141 int size = lstatus & BD_LENGTH_MASK;
    2142 struct page *page = rxb->page;
    2143 - bool last = !!(lstatus & BD_LFLAG(RXBD_LAST));
    2144 -
    2145 - /* Remove the FCS from the packet length */
    2146 - if (last)
    2147 - size -= ETH_FCS_LEN;
    2148
    2149 if (likely(first)) {
    2150 skb_put(skb, size);
    2151 } else {
    2152 /* the last fragments' length contains the full frame length */
    2153 - if (last)
    2154 + if (lstatus & BD_LFLAG(RXBD_LAST))
    2155 size -= skb->len;
    2156
    2157 - /* Add the last fragment if it contains something other than
    2158 - * the FCS, otherwise drop it and trim off any part of the FCS
    2159 - * that was already received.
    2160 - */
    2161 - if (size > 0)
    2162 - skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page,
    2163 - rxb->page_offset + RXBUF_ALIGNMENT,
    2164 - size, GFAR_RXB_TRUESIZE);
    2165 - else if (size < 0)
    2166 - pskb_trim(skb, skb->len + size);
    2167 + WARN(size < 0, "gianfar: rx fragment size underflow");
    2168 + if (size < 0)
    2169 + return false;
    2170 +
    2171 + skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page,
    2172 + rxb->page_offset + RXBUF_ALIGNMENT,
    2173 + size, GFAR_RXB_TRUESIZE);
    2174 }
    2175
    2176 /* try reuse page */
    2177 @@ -3074,6 +3066,9 @@ static void gfar_process_frame(struct net_device *ndev, struct sk_buff *skb)
    2178 if (priv->padding)
    2179 skb_pull(skb, priv->padding);
    2180
    2181 + /* Trim off the FCS */
    2182 + pskb_trim(skb, skb->len - ETH_FCS_LEN);
    2183 +
    2184 if (ndev->features & NETIF_F_RXCSUM)
    2185 gfar_rx_checksum(skb, fcb);
    2186
    2187 @@ -3117,6 +3112,17 @@ int gfar_clean_rx_ring(struct gfar_priv_rx_q *rx_queue, int rx_work_limit)
    2188 if (lstatus & BD_LFLAG(RXBD_EMPTY))
    2189 break;
    2190
    2191 + /* lost RXBD_LAST descriptor due to overrun */
    2192 + if (skb &&
    2193 + (lstatus & BD_LFLAG(RXBD_FIRST))) {
    2194 + /* discard faulty buffer */
    2195 + dev_kfree_skb(skb);
    2196 + skb = NULL;
    2197 + rx_queue->stats.rx_dropped++;
    2198 +
    2199 + /* can continue normally */
    2200 + }
    2201 +
    2202 /* order rx buffer descriptor reads */
    2203 rmb();
    2204
    2205 diff --git a/drivers/net/ethernet/freescale/xgmac_mdio.c b/drivers/net/ethernet/freescale/xgmac_mdio.c
    2206 index c82c85ef5fb34..c37aea7ba8502 100644
    2207 --- a/drivers/net/ethernet/freescale/xgmac_mdio.c
    2208 +++ b/drivers/net/ethernet/freescale/xgmac_mdio.c
    2209 @@ -301,9 +301,10 @@ err_ioremap:
    2210 static int xgmac_mdio_remove(struct platform_device *pdev)
    2211 {
    2212 struct mii_bus *bus = platform_get_drvdata(pdev);
    2213 + struct mdio_fsl_priv *priv = bus->priv;
    2214
    2215 mdiobus_unregister(bus);
    2216 - iounmap(bus->priv);
    2217 + iounmap(priv->mdio_base);
    2218 mdiobus_free(bus);
    2219
    2220 return 0;
    2221 diff --git a/drivers/net/ethernet/i825xx/sni_82596.c b/drivers/net/ethernet/i825xx/sni_82596.c
    2222 index 2af7f77345fbd..e4128e151b854 100644
    2223 --- a/drivers/net/ethernet/i825xx/sni_82596.c
    2224 +++ b/drivers/net/ethernet/i825xx/sni_82596.c
    2225 @@ -122,9 +122,10 @@ static int sni_82596_probe(struct platform_device *dev)
    2226 netdevice->dev_addr[5] = readb(eth_addr + 0x06);
    2227 iounmap(eth_addr);
    2228
    2229 - if (!netdevice->irq) {
    2230 + if (netdevice->irq < 0) {
    2231 printk(KERN_ERR "%s: IRQ not found for i82596 at 0x%lx\n",
    2232 __FILE__, netdevice->base_addr);
    2233 + retval = netdevice->irq;
    2234 goto probe_failed;
    2235 }
    2236
    2237 diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
    2238 index 46fcf3ec2caf7..46998a58e3d96 100644
    2239 --- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
    2240 +++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
    2241 @@ -278,6 +278,16 @@ static int axienet_dma_bd_init(struct net_device *ndev)
    2242 axienet_dma_out32(lp, XAXIDMA_TX_CR_OFFSET,
    2243 cr | XAXIDMA_CR_RUNSTOP_MASK);
    2244
    2245 + /* Wait for PhyRstCmplt bit to be set, indicating the PHY reset has finished */
    2246 + ret = read_poll_timeout(axienet_ior, value,
    2247 + value & XAE_INT_PHYRSTCMPLT_MASK,
    2248 + DELAY_OF_ONE_MILLISEC, 50000, false, lp,
    2249 + XAE_IS_OFFSET);
    2250 + if (ret) {
    2251 + dev_err(lp->dev, "%s: timeout waiting for PhyRstCmplt\n", __func__);
    2252 + return ret;
    2253 + }
    2254 +
    2255 return 0;
    2256 out:
    2257 axienet_dma_bd_release(ndev);
    2258 @@ -670,7 +680,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
    2259 num_frag = skb_shinfo(skb)->nr_frags;
    2260 cur_p = &lp->tx_bd_v[lp->tx_bd_tail];
    2261
    2262 - if (axienet_check_tx_bd_space(lp, num_frag)) {
    2263 + if (axienet_check_tx_bd_space(lp, num_frag + 1)) {
    2264 if (netif_queue_stopped(ndev))
    2265 return NETDEV_TX_BUSY;
    2266
    2267 @@ -680,7 +690,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
    2268 smp_mb();
    2269
    2270 /* Space might have just been freed - check again */
    2271 - if (axienet_check_tx_bd_space(lp, num_frag))
    2272 + if (axienet_check_tx_bd_space(lp, num_frag + 1))
    2273 return NETDEV_TX_BUSY;
    2274
    2275 netif_wake_queue(ndev);
    2276 diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
    2277 index 92fb664b56fbb..0fa6e2da4b5a2 100644
    2278 --- a/drivers/net/phy/mdio_bus.c
    2279 +++ b/drivers/net/phy/mdio_bus.c
    2280 @@ -347,7 +347,7 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
    2281 }
    2282
    2283 bus->state = MDIOBUS_REGISTERED;
    2284 - pr_info("%s: probed\n", bus->name);
    2285 + dev_dbg(&bus->dev, "probed\n");
    2286 return 0;
    2287
    2288 error:
    2289 diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
    2290 index 0a29844676f92..6287d2ad77c6d 100644
    2291 --- a/drivers/net/ppp/ppp_generic.c
    2292 +++ b/drivers/net/ppp/ppp_generic.c
    2293 @@ -71,6 +71,8 @@
    2294 #define MPHDRLEN 6 /* multilink protocol header length */
    2295 #define MPHDRLEN_SSN 4 /* ditto with short sequence numbers */
    2296
    2297 +#define PPP_PROTO_LEN 2
    2298 +
    2299 /*
    2300 * An instance of /dev/ppp can be associated with either a ppp
    2301 * interface unit or a ppp channel. In both cases, file->private_data
    2302 @@ -500,6 +502,9 @@ static ssize_t ppp_write(struct file *file, const char __user *buf,
    2303
    2304 if (!pf)
    2305 return -ENXIO;
    2306 + /* All PPP packets should start with the 2-byte protocol */
    2307 + if (count < PPP_PROTO_LEN)
    2308 + return -EINVAL;
    2309 ret = -ENOMEM;
    2310 skb = alloc_skb(count + pf->hdrlen, GFP_KERNEL);
    2311 if (!skb)
    2312 @@ -1563,7 +1568,7 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
    2313 }
    2314
    2315 ++ppp->stats64.tx_packets;
    2316 - ppp->stats64.tx_bytes += skb->len - 2;
    2317 + ppp->stats64.tx_bytes += skb->len - PPP_PROTO_LEN;
    2318
    2319 switch (proto) {
    2320 case PPP_IP:
    2321 diff --git a/drivers/net/usb/mcs7830.c b/drivers/net/usb/mcs7830.c
    2322 index 4f345bd4e6e29..95151b46f2001 100644
    2323 --- a/drivers/net/usb/mcs7830.c
    2324 +++ b/drivers/net/usb/mcs7830.c
    2325 @@ -121,8 +121,16 @@ static const char driver_name[] = "MOSCHIP usb-ethernet driver";
    2326
    2327 static int mcs7830_get_reg(struct usbnet *dev, u16 index, u16 size, void *data)
    2328 {
    2329 - return usbnet_read_cmd(dev, MCS7830_RD_BREQ, MCS7830_RD_BMREQ,
    2330 - 0x0000, index, data, size);
    2331 + int ret;
    2332 +
    2333 + ret = usbnet_read_cmd(dev, MCS7830_RD_BREQ, MCS7830_RD_BMREQ,
    2334 + 0x0000, index, data, size);
    2335 + if (ret < 0)
    2336 + return ret;
    2337 + else if (ret < size)
    2338 + return -ENODATA;
    2339 +
    2340 + return ret;
    2341 }
    2342
    2343 static int mcs7830_set_reg(struct usbnet *dev, u16 index, u16 size, const void *data)
    2344 diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
    2345 index 9f4ee1d125b68..0c6b33c464cd9 100644
    2346 --- a/drivers/net/wireless/ath/ar5523/ar5523.c
    2347 +++ b/drivers/net/wireless/ath/ar5523/ar5523.c
    2348 @@ -153,6 +153,10 @@ static void ar5523_cmd_rx_cb(struct urb *urb)
    2349 ar5523_err(ar, "Invalid reply to WDCMSG_TARGET_START");
    2350 return;
    2351 }
    2352 + if (!cmd->odata) {
    2353 + ar5523_err(ar, "Unexpected WDCMSG_TARGET_START reply");
    2354 + return;
    2355 + }
    2356 memcpy(cmd->odata, hdr + 1, sizeof(u32));
    2357 cmd->olen = sizeof(u32);
    2358 cmd->res = 0;
    2359 diff --git a/drivers/net/wireless/ath/ath10k/htt_tx.c b/drivers/net/wireless/ath/ath10k/htt_tx.c
    2360 index ae5b33fe5ba82..374ce35940d07 100644
    2361 --- a/drivers/net/wireless/ath/ath10k/htt_tx.c
    2362 +++ b/drivers/net/wireless/ath/ath10k/htt_tx.c
    2363 @@ -158,6 +158,9 @@ void ath10k_htt_tx_dec_pending(struct ath10k_htt *htt)
    2364 htt->num_pending_tx--;
    2365 if (htt->num_pending_tx == htt->max_num_pending_tx - 1)
    2366 ath10k_mac_tx_unlock(htt->ar, ATH10K_TX_PAUSE_Q_FULL);
    2367 +
    2368 + if (htt->num_pending_tx == 0)
    2369 + wake_up(&htt->empty_tx_wq);
    2370 }
    2371
    2372 int ath10k_htt_tx_inc_pending(struct ath10k_htt *htt)
    2373 diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c
    2374 index beeb6be06939b..b6c050452b757 100644
    2375 --- a/drivers/net/wireless/ath/ath10k/txrx.c
    2376 +++ b/drivers/net/wireless/ath/ath10k/txrx.c
    2377 @@ -89,8 +89,6 @@ int ath10k_txrx_tx_unref(struct ath10k_htt *htt,
    2378
    2379 ath10k_htt_tx_free_msdu_id(htt, tx_done->msdu_id);
    2380 ath10k_htt_tx_dec_pending(htt);
    2381 - if (htt->num_pending_tx == 0)
    2382 - wake_up(&htt->empty_tx_wq);
    2383 spin_unlock_bh(&htt->tx_lock);
    2384
    2385 dma_unmap_single(dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE);
    2386 diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
    2387 index 7c409cd43b709..33a6be0f21cac 100644
    2388 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c
    2389 +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
    2390 @@ -588,6 +588,13 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev,
    2391 return;
    2392 }
    2393
    2394 + if (pkt_len > 2 * MAX_RX_BUF_SIZE) {
    2395 + dev_err(&hif_dev->udev->dev,
    2396 + "ath9k_htc: invalid pkt_len (%x)\n", pkt_len);
    2397 + RX_STAT_INC(skb_dropped);
    2398 + return;
    2399 + }
    2400 +
    2401 pad_len = 4 - (pkt_len & 0x3);
    2402 if (pad_len == 4)
    2403 pad_len = 0;
    2404 diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
    2405 index 914c210c9e605..da2f442cab271 100644
    2406 --- a/drivers/net/wireless/ath/wcn36xx/smd.c
    2407 +++ b/drivers/net/wireless/ath/wcn36xx/smd.c
    2408 @@ -2052,7 +2052,7 @@ static int wcn36xx_smd_missed_beacon_ind(struct wcn36xx *wcn,
    2409 wcn36xx_dbg(WCN36XX_DBG_HAL, "beacon missed bss_index %d\n",
    2410 tmp->bss_index);
    2411 vif = wcn36xx_priv_to_vif(tmp);
    2412 - ieee80211_connection_loss(vif);
    2413 + ieee80211_beacon_loss(vif);
    2414 }
    2415 return 0;
    2416 }
    2417 @@ -2067,7 +2067,7 @@ static int wcn36xx_smd_missed_beacon_ind(struct wcn36xx *wcn,
    2418 wcn36xx_dbg(WCN36XX_DBG_HAL, "beacon missed bss_index %d\n",
    2419 rsp->bss_index);
    2420 vif = wcn36xx_priv_to_vif(tmp);
    2421 - ieee80211_connection_loss(vif);
    2422 + ieee80211_beacon_loss(vif);
    2423 return 0;
    2424 }
    2425 }
    2426 diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
    2427 index d46efa8d70732..f8c225a726bd4 100644
    2428 --- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
    2429 +++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
    2430 @@ -1599,6 +1599,7 @@ static void iwl_mvm_recalc_multicast(struct iwl_mvm *mvm)
    2431 struct iwl_mvm_mc_iter_data iter_data = {
    2432 .mvm = mvm,
    2433 };
    2434 + int ret;
    2435
    2436 lockdep_assert_held(&mvm->mutex);
    2437
    2438 @@ -1608,6 +1609,22 @@ static void iwl_mvm_recalc_multicast(struct iwl_mvm *mvm)
    2439 ieee80211_iterate_active_interfaces_atomic(
    2440 mvm->hw, IEEE80211_IFACE_ITER_NORMAL,
    2441 iwl_mvm_mc_iface_iterator, &iter_data);
    2442 +
    2443 + /*
    2444 + * Send a (synchronous) ech command so that we wait for the
    2445 + * multiple asynchronous MCAST_FILTER_CMD commands sent by
    2446 + * the interface iterator. Otherwise, we might get here over
    2447 + * and over again (by userspace just sending a lot of these)
    2448 + * and the CPU can send them faster than the firmware can
    2449 + * process them.
    2450 + * Note that the CPU is still faster - but with this we'll
    2451 + * actually send fewer commands overall because the CPU will
    2452 + * not schedule the work in mac80211 as frequently if it's
    2453 + * still running when rescheduled (possibly multiple times).
    2454 + */
    2455 + ret = iwl_mvm_send_cmd_pdu(mvm, ECHO_CMD, 0, 0, NULL);
    2456 + if (ret)
    2457 + IWL_ERR(mvm, "Failed to synchronize multicast groups update\n");
    2458 }
    2459
    2460 static u64 iwl_mvm_prepare_multicast(struct ieee80211_hw *hw,
    2461 diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
    2462 index fa97432054912..a8470817689cf 100644
    2463 --- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
    2464 +++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
    2465 @@ -1260,7 +1260,7 @@ static int iwl_mvm_check_running_scans(struct iwl_mvm *mvm, int type)
    2466 return -EIO;
    2467 }
    2468
    2469 -#define SCAN_TIMEOUT 20000
    2470 +#define SCAN_TIMEOUT 30000
    2471
    2472 void iwl_mvm_scan_timeout_wk(struct work_struct *work)
    2473 {
    2474 diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c
    2475 index 2c4225e57c396..3a26add665ca0 100644
    2476 --- a/drivers/net/wireless/marvell/mwifiex/usb.c
    2477 +++ b/drivers/net/wireless/marvell/mwifiex/usb.c
    2478 @@ -132,7 +132,8 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter,
    2479 default:
    2480 mwifiex_dbg(adapter, ERROR,
    2481 "unknown recv_type %#x\n", recv_type);
    2482 - return -1;
    2483 + ret = -1;
    2484 + goto exit_restore_skb;
    2485 }
    2486 break;
    2487 case MWIFIEX_USB_EP_DATA:
    2488 diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
    2489 index 39a6bd314ca3b..264c1d57e10bc 100644
    2490 --- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
    2491 +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
    2492 @@ -1037,6 +1037,7 @@ int rtl92cu_hw_init(struct ieee80211_hw *hw)
    2493 _InitPABias(hw);
    2494 rtl92c_dm_init(hw);
    2495 exit:
    2496 + local_irq_disable();
    2497 local_irq_restore(flags);
    2498 return err;
    2499 }
    2500 diff --git a/drivers/parisc/pdc_stable.c b/drivers/parisc/pdc_stable.c
    2501 index 3651c3871d5b4..1b4aacf2ff9a5 100644
    2502 --- a/drivers/parisc/pdc_stable.c
    2503 +++ b/drivers/parisc/pdc_stable.c
    2504 @@ -992,8 +992,10 @@ pdcs_register_pathentries(void)
    2505 entry->kobj.kset = paths_kset;
    2506 err = kobject_init_and_add(&entry->kobj, &ktype_pdcspath, NULL,
    2507 "%s", entry->name);
    2508 - if (err)
    2509 + if (err) {
    2510 + kobject_put(&entry->kobj);
    2511 return err;
    2512 + }
    2513
    2514 /* kobject is now registered */
    2515 write_lock(&entry->rw_lock);
    2516 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
    2517 index 3ff2971102b61..8d34c6d0de796 100644
    2518 --- a/drivers/pci/quirks.c
    2519 +++ b/drivers/pci/quirks.c
    2520 @@ -3916,6 +3916,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9120,
    2521 quirk_dma_func1_alias);
    2522 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123,
    2523 quirk_dma_func1_alias);
    2524 +/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c136 */
    2525 +DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9125,
    2526 + quirk_dma_func1_alias);
    2527 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128,
    2528 quirk_dma_func1_alias);
    2529 /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */
    2530 diff --git a/drivers/pcmcia/cs.c b/drivers/pcmcia/cs.c
    2531 index c3b615c94b4bf..a92cbc952b70b 100644
    2532 --- a/drivers/pcmcia/cs.c
    2533 +++ b/drivers/pcmcia/cs.c
    2534 @@ -665,18 +665,16 @@ static int pccardd(void *__skt)
    2535 if (events || sysfs_events)
    2536 continue;
    2537
    2538 + set_current_state(TASK_INTERRUPTIBLE);
    2539 if (kthread_should_stop())
    2540 break;
    2541
    2542 - set_current_state(TASK_INTERRUPTIBLE);
    2543 -
    2544 schedule();
    2545
    2546 - /* make sure we are running */
    2547 - __set_current_state(TASK_RUNNING);
    2548 -
    2549 try_to_freeze();
    2550 }
    2551 + /* make sure we are running before we exit */
    2552 + __set_current_state(TASK_RUNNING);
    2553
    2554 /* shut down socket, if a device is still present */
    2555 if (skt->state & SOCKET_PRESENT) {
    2556 diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c
    2557 index 5ef7b46a25786..2e96d9273b780 100644
    2558 --- a/drivers/pcmcia/rsrc_nonstatic.c
    2559 +++ b/drivers/pcmcia/rsrc_nonstatic.c
    2560 @@ -693,6 +693,9 @@ static struct resource *__nonstatic_find_io_region(struct pcmcia_socket *s,
    2561 unsigned long min = base;
    2562 int ret;
    2563
    2564 + if (!res)
    2565 + return NULL;
    2566 +
    2567 data.mask = align - 1;
    2568 data.offset = base & data.mask;
    2569 data.map = &s_data->io_db;
    2570 @@ -812,6 +815,9 @@ static struct resource *nonstatic_find_mem_region(u_long base, u_long num,
    2571 unsigned long min, max;
    2572 int ret, i, j;
    2573
    2574 + if (!res)
    2575 + return NULL;
    2576 +
    2577 low = low || !(s->features & SS_CAP_PAGE_REGS);
    2578
    2579 data.mask = align - 1;
    2580 diff --git a/drivers/power/supply/bq25890_charger.c b/drivers/power/supply/bq25890_charger.c
    2581 index f993a55cde20f..faf2a62435674 100644
    2582 --- a/drivers/power/supply/bq25890_charger.c
    2583 +++ b/drivers/power/supply/bq25890_charger.c
    2584 @@ -521,12 +521,12 @@ static void bq25890_handle_state_change(struct bq25890_device *bq,
    2585
    2586 if (!new_state->online) { /* power removed */
    2587 /* disable ADC */
    2588 - ret = bq25890_field_write(bq, F_CONV_START, 0);
    2589 + ret = bq25890_field_write(bq, F_CONV_RATE, 0);
    2590 if (ret < 0)
    2591 goto error;
    2592 } else if (!old_state.online) { /* power inserted */
    2593 /* enable ADC, to have control of charge current/voltage */
    2594 - ret = bq25890_field_write(bq, F_CONV_START, 1);
    2595 + ret = bq25890_field_write(bq, F_CONV_RATE, 1);
    2596 if (ret < 0)
    2597 goto error;
    2598 }
    2599 diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
    2600 index b962dbe51750d..1dbd8419df7d7 100644
    2601 --- a/drivers/rtc/rtc-cmos.c
    2602 +++ b/drivers/rtc/rtc-cmos.c
    2603 @@ -342,7 +342,10 @@ static int cmos_set_alarm(struct device *dev, struct rtc_wkalrm *t)
    2604 min = t->time.tm_min;
    2605 sec = t->time.tm_sec;
    2606
    2607 + spin_lock_irq(&rtc_lock);
    2608 rtc_control = CMOS_READ(RTC_CONTROL);
    2609 + spin_unlock_irq(&rtc_lock);
    2610 +
    2611 if (!(rtc_control & RTC_DM_BINARY) || RTC_ALWAYS_BCD) {
    2612 /* Writing 0xff means "don't care" or "match all". */
    2613 mon = (mon <= 12) ? bin2bcd(mon) : 0xff;
    2614 diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
    2615 index 9b63e46edffcc..a2a4c6e22c68d 100644
    2616 --- a/drivers/scsi/sr.c
    2617 +++ b/drivers/scsi/sr.c
    2618 @@ -882,7 +882,7 @@ static void get_capabilities(struct scsi_cd *cd)
    2619
    2620
    2621 /* allocate transfer buffer */
    2622 - buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
    2623 + buffer = kmalloc(512, GFP_KERNEL);
    2624 if (!buffer) {
    2625 sr_printk(KERN_ERR, cd, "out of memory.\n");
    2626 return;
    2627 diff --git a/drivers/scsi/sr_vendor.c b/drivers/scsi/sr_vendor.c
    2628 index 11a238cb22223..629bfe1b20263 100644
    2629 --- a/drivers/scsi/sr_vendor.c
    2630 +++ b/drivers/scsi/sr_vendor.c
    2631 @@ -118,7 +118,7 @@ int sr_set_blocklength(Scsi_CD *cd, int blocklength)
    2632 density = (blocklength > 2048) ? 0x81 : 0x83;
    2633 #endif
    2634
    2635 - buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
    2636 + buffer = kmalloc(512, GFP_KERNEL);
    2637 if (!buffer)
    2638 return -ENOMEM;
    2639
    2640 @@ -166,7 +166,7 @@ int sr_cd_check(struct cdrom_device_info *cdi)
    2641 if (cd->cdi.mask & CDC_MULTI_SESSION)
    2642 return 0;
    2643
    2644 - buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
    2645 + buffer = kmalloc(512, GFP_KERNEL);
    2646 if (!buffer)
    2647 return -ENOMEM;
    2648
    2649 diff --git a/drivers/scsi/ufs/tc-dwc-g210-pci.c b/drivers/scsi/ufs/tc-dwc-g210-pci.c
    2650 index c09a0fef0fe60..a1785b0239667 100644
    2651 --- a/drivers/scsi/ufs/tc-dwc-g210-pci.c
    2652 +++ b/drivers/scsi/ufs/tc-dwc-g210-pci.c
    2653 @@ -140,7 +140,6 @@ tc_dwc_g210_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
    2654 return err;
    2655 }
    2656
    2657 - pci_set_drvdata(pdev, hba);
    2658 pm_runtime_put_noidle(&pdev->dev);
    2659 pm_runtime_allow(&pdev->dev);
    2660
    2661 diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c
    2662 index b47decc1fb5ba..e9b0cc4cbb4d2 100644
    2663 --- a/drivers/scsi/ufs/ufshcd-pltfrm.c
    2664 +++ b/drivers/scsi/ufs/ufshcd-pltfrm.c
    2665 @@ -350,8 +350,6 @@ int ufshcd_pltfrm_init(struct platform_device *pdev,
    2666 goto dealloc_host;
    2667 }
    2668
    2669 - platform_set_drvdata(pdev, hba);
    2670 -
    2671 pm_runtime_set_active(&pdev->dev);
    2672 pm_runtime_enable(&pdev->dev);
    2673
    2674 diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
    2675 index a767d942bfca5..cf7946c840165 100644
    2676 --- a/drivers/scsi/ufs/ufshcd.c
    2677 +++ b/drivers/scsi/ufs/ufshcd.c
    2678 @@ -6766,6 +6766,13 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq)
    2679 struct Scsi_Host *host = hba->host;
    2680 struct device *dev = hba->dev;
    2681
    2682 + /*
    2683 + * dev_set_drvdata() must be called before any callbacks are registered
    2684 + * that use dev_get_drvdata() (frequency scaling, clock scaling, hwmon,
    2685 + * sysfs).
    2686 + */
    2687 + dev_set_drvdata(dev, hba);
    2688 +
    2689 if (!mmio_base) {
    2690 dev_err(hba->dev,
    2691 "Invalid memory reference for mmio_base is NULL\n");
    2692 diff --git a/drivers/spi/spi-meson-spifc.c b/drivers/spi/spi-meson-spifc.c
    2693 index 616566e793c62..28975b6f054fa 100644
    2694 --- a/drivers/spi/spi-meson-spifc.c
    2695 +++ b/drivers/spi/spi-meson-spifc.c
    2696 @@ -357,6 +357,7 @@ static int meson_spifc_probe(struct platform_device *pdev)
    2697 return 0;
    2698 out_clk:
    2699 clk_disable_unprepare(spifc->clk);
    2700 + pm_runtime_disable(spifc->dev);
    2701 out_err:
    2702 spi_master_put(master);
    2703 return ret;
    2704 diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
    2705 index 9d4e3b0d366f4..fbaf3c407989d 100644
    2706 --- a/drivers/staging/wlan-ng/hfa384x_usb.c
    2707 +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
    2708 @@ -3848,18 +3848,18 @@ static void hfa384x_usb_throttlefn(unsigned long data)
    2709
    2710 spin_lock_irqsave(&hw->ctlxq.lock, flags);
    2711
    2712 - /*
    2713 - * We need to check BOTH the RX and the TX throttle controls,
    2714 - * so we use the bitwise OR instead of the logical OR.
    2715 - */
    2716 pr_debug("flags=0x%lx\n", hw->usb_flags);
    2717 - if (!hw->wlandev->hwremoved &&
    2718 - ((test_and_clear_bit(THROTTLE_RX, &hw->usb_flags) &&
    2719 - !test_and_set_bit(WORK_RX_RESUME, &hw->usb_flags)) |
    2720 - (test_and_clear_bit(THROTTLE_TX, &hw->usb_flags) &&
    2721 - !test_and_set_bit(WORK_TX_RESUME, &hw->usb_flags))
    2722 - )) {
    2723 - schedule_work(&hw->usb_work);
    2724 + if (!hw->wlandev->hwremoved) {
    2725 + bool rx_throttle = test_and_clear_bit(THROTTLE_RX, &hw->usb_flags) &&
    2726 + !test_and_set_bit(WORK_RX_RESUME, &hw->usb_flags);
    2727 + bool tx_throttle = test_and_clear_bit(THROTTLE_TX, &hw->usb_flags) &&
    2728 + !test_and_set_bit(WORK_TX_RESUME, &hw->usb_flags);
    2729 + /*
    2730 + * We need to check BOTH the RX and the TX throttle controls,
    2731 + * so we use the bitwise OR instead of the logical OR.
    2732 + */
    2733 + if (rx_throttle | tx_throttle)
    2734 + schedule_work(&hw->usb_work);
    2735 }
    2736
    2737 spin_unlock_irqrestore(&hw->ctlxq.lock, flags);
    2738 diff --git a/drivers/tty/serial/amba-pl010.c b/drivers/tty/serial/amba-pl010.c
    2739 index 5d41d5b92619a..7f4ba92739663 100644
    2740 --- a/drivers/tty/serial/amba-pl010.c
    2741 +++ b/drivers/tty/serial/amba-pl010.c
    2742 @@ -465,14 +465,11 @@ pl010_set_termios(struct uart_port *port, struct ktermios *termios,
    2743 if ((termios->c_cflag & CREAD) == 0)
    2744 uap->port.ignore_status_mask |= UART_DUMMY_RSR_RX;
    2745
    2746 - /* first, disable everything */
    2747 old_cr = readb(uap->port.membase + UART010_CR) & ~UART010_CR_MSIE;
    2748
    2749 if (UART_ENABLE_MS(port, termios->c_cflag))
    2750 old_cr |= UART010_CR_MSIE;
    2751
    2752 - writel(0, uap->port.membase + UART010_CR);
    2753 -
    2754 /* Set baud rate */
    2755 quot -= 1;
    2756 writel((quot & 0xf00) >> 8, uap->port.membase + UART010_LCRM);
    2757 diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
    2758 index e91bdd7d4c054..ad1d665e9962f 100644
    2759 --- a/drivers/tty/serial/amba-pl011.c
    2760 +++ b/drivers/tty/serial/amba-pl011.c
    2761 @@ -2090,32 +2090,13 @@ static const char *pl011_type(struct uart_port *port)
    2762 return uap->port.type == PORT_AMBA ? uap->type : NULL;
    2763 }
    2764
    2765 -/*
    2766 - * Release the memory region(s) being used by 'port'
    2767 - */
    2768 -static void pl011_release_port(struct uart_port *port)
    2769 -{
    2770 - release_mem_region(port->mapbase, SZ_4K);
    2771 -}
    2772 -
    2773 -/*
    2774 - * Request the memory region(s) being used by 'port'
    2775 - */
    2776 -static int pl011_request_port(struct uart_port *port)
    2777 -{
    2778 - return request_mem_region(port->mapbase, SZ_4K, "uart-pl011")
    2779 - != NULL ? 0 : -EBUSY;
    2780 -}
    2781 -
    2782 /*
    2783 * Configure/autoconfigure the port.
    2784 */
    2785 static void pl011_config_port(struct uart_port *port, int flags)
    2786 {
    2787 - if (flags & UART_CONFIG_TYPE) {
    2788 + if (flags & UART_CONFIG_TYPE)
    2789 port->type = PORT_AMBA;
    2790 - pl011_request_port(port);
    2791 - }
    2792 }
    2793
    2794 /*
    2795 @@ -2130,6 +2111,8 @@ static int pl011_verify_port(struct uart_port *port, struct serial_struct *ser)
    2796 ret = -EINVAL;
    2797 if (ser->baud_base < 9600)
    2798 ret = -EINVAL;
    2799 + if (port->mapbase != (unsigned long) ser->iomem_base)
    2800 + ret = -EINVAL;
    2801 return ret;
    2802 }
    2803
    2804 @@ -2147,8 +2130,6 @@ static struct uart_ops amba_pl011_pops = {
    2805 .flush_buffer = pl011_dma_flush_buffer,
    2806 .set_termios = pl011_set_termios,
    2807 .type = pl011_type,
    2808 - .release_port = pl011_release_port,
    2809 - .request_port = pl011_request_port,
    2810 .config_port = pl011_config_port,
    2811 .verify_port = pl011_verify_port,
    2812 #ifdef CONFIG_CONSOLE_POLL
    2813 @@ -2178,8 +2159,6 @@ static const struct uart_ops sbsa_uart_pops = {
    2814 .shutdown = sbsa_uart_shutdown,
    2815 .set_termios = sbsa_uart_set_termios,
    2816 .type = pl011_type,
    2817 - .release_port = pl011_release_port,
    2818 - .request_port = pl011_request_port,
    2819 .config_port = pl011_config_port,
    2820 .verify_port = pl011_verify_port,
    2821 #ifdef CONFIG_CONSOLE_POLL
    2822 diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
    2823 index 4a7eb85f7c857..5dd04a1145b40 100644
    2824 --- a/drivers/tty/serial/atmel_serial.c
    2825 +++ b/drivers/tty/serial/atmel_serial.c
    2826 @@ -928,6 +928,13 @@ static void atmel_tx_dma(struct uart_port *port)
    2827 desc->callback = atmel_complete_tx_dma;
    2828 desc->callback_param = atmel_port;
    2829 atmel_port->cookie_tx = dmaengine_submit(desc);
    2830 + if (dma_submit_error(atmel_port->cookie_tx)) {
    2831 + dev_err(port->dev, "dma_submit_error %d\n",
    2832 + atmel_port->cookie_tx);
    2833 + return;
    2834 + }
    2835 +
    2836 + dma_async_issue_pending(chan);
    2837 }
    2838
    2839 if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
    2840 @@ -1186,6 +1193,13 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
    2841 desc->callback_param = port;
    2842 atmel_port->desc_rx = desc;
    2843 atmel_port->cookie_rx = dmaengine_submit(desc);
    2844 + if (dma_submit_error(atmel_port->cookie_rx)) {
    2845 + dev_err(port->dev, "dma_submit_error %d\n",
    2846 + atmel_port->cookie_rx);
    2847 + goto chan_err;
    2848 + }
    2849 +
    2850 + dma_async_issue_pending(atmel_port->chan_rx);
    2851
    2852 return 0;
    2853
    2854 diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
    2855 index e97961dc3622d..ec458add38833 100644
    2856 --- a/drivers/tty/serial/serial_core.c
    2857 +++ b/drivers/tty/serial/serial_core.c
    2858 @@ -2349,7 +2349,8 @@ uart_configure_port(struct uart_driver *drv, struct uart_state *state,
    2859 * We probably don't need a spinlock around this, but
    2860 */
    2861 spin_lock_irqsave(&port->lock, flags);
    2862 - port->ops->set_mctrl(port, port->mctrl & TIOCM_DTR);
    2863 + port->mctrl &= TIOCM_DTR;
    2864 + port->ops->set_mctrl(port, port->mctrl);
    2865 spin_unlock_irqrestore(&port->lock, flags);
    2866
    2867 /*
    2868 diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
    2869 index 1dd4c65e9188a..2246731d96b0e 100644
    2870 --- a/drivers/usb/core/hcd.c
    2871 +++ b/drivers/usb/core/hcd.c
    2872 @@ -760,6 +760,7 @@ void usb_hcd_poll_rh_status(struct usb_hcd *hcd)
    2873 {
    2874 struct urb *urb;
    2875 int length;
    2876 + int status;
    2877 unsigned long flags;
    2878 char buffer[6]; /* Any root hubs with > 31 ports? */
    2879
    2880 @@ -777,11 +778,17 @@ void usb_hcd_poll_rh_status(struct usb_hcd *hcd)
    2881 if (urb) {
    2882 clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
    2883 hcd->status_urb = NULL;
    2884 + if (urb->transfer_buffer_length >= length) {
    2885 + status = 0;
    2886 + } else {
    2887 + status = -EOVERFLOW;
    2888 + length = urb->transfer_buffer_length;
    2889 + }
    2890 urb->actual_length = length;
    2891 memcpy(urb->transfer_buffer, buffer, length);
    2892
    2893 usb_hcd_unlink_urb_from_ep(hcd, urb);
    2894 - usb_hcd_giveback_urb(hcd, urb, 0);
    2895 + usb_hcd_giveback_urb(hcd, urb, status);
    2896 } else {
    2897 length = 0;
    2898 set_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
    2899 diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
    2900 index 0abcf8bbb73fe..33bf5ba438397 100644
    2901 --- a/drivers/usb/core/hub.c
    2902 +++ b/drivers/usb/core/hub.c
    2903 @@ -1070,7 +1070,10 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
    2904 } else {
    2905 hub_power_on(hub, true);
    2906 }
    2907 - }
    2908 + /* Give some time on remote wakeup to let links to transit to U0 */
    2909 + } else if (hub_is_superspeed(hub->hdev))
    2910 + msleep(20);
    2911 +
    2912 init2:
    2913
    2914 /*
    2915 @@ -1185,7 +1188,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
    2916 */
    2917 if (portchange || (hub_is_superspeed(hub->hdev) &&
    2918 port_resumed))
    2919 - set_bit(port1, hub->change_bits);
    2920 + set_bit(port1, hub->event_bits);
    2921
    2922 } else if (udev->persist_enabled) {
    2923 #ifdef CONFIG_PM
    2924 diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
    2925 index 0336392686935..e4826454de1a7 100644
    2926 --- a/drivers/usb/gadget/function/f_fs.c
    2927 +++ b/drivers/usb/gadget/function/f_fs.c
    2928 @@ -608,7 +608,7 @@ static int ffs_ep0_open(struct inode *inode, struct file *file)
    2929 file->private_data = ffs;
    2930 ffs_data_opened(ffs);
    2931
    2932 - return 0;
    2933 + return stream_open(inode, file);
    2934 }
    2935
    2936 static int ffs_ep0_release(struct inode *inode, struct file *file)
    2937 @@ -1071,7 +1071,7 @@ ffs_epfile_open(struct inode *inode, struct file *file)
    2938 file->private_data = epfile;
    2939 ffs_data_opened(epfile->ffs);
    2940
    2941 - return 0;
    2942 + return stream_open(inode, file);
    2943 }
    2944
    2945 static int ffs_aio_cancel(struct kiocb *kiocb)
    2946 diff --git a/drivers/usb/misc/ftdi-elan.c b/drivers/usb/misc/ftdi-elan.c
    2947 index 9a82f8308ad7f..0738078fe8b82 100644
    2948 --- a/drivers/usb/misc/ftdi-elan.c
    2949 +++ b/drivers/usb/misc/ftdi-elan.c
    2950 @@ -206,6 +206,7 @@ static void ftdi_elan_delete(struct kref *kref)
    2951 mutex_unlock(&ftdi_module_lock);
    2952 kfree(ftdi->bulk_in_buffer);
    2953 ftdi->bulk_in_buffer = NULL;
    2954 + kfree(ftdi);
    2955 }
    2956
    2957 static void ftdi_elan_put_kref(struct usb_ftdi *ftdi)
    2958 diff --git a/drivers/w1/slaves/w1_ds28e04.c b/drivers/w1/slaves/w1_ds28e04.c
    2959 index 5e348d38ec5c9..f4cf54c256fd8 100644
    2960 --- a/drivers/w1/slaves/w1_ds28e04.c
    2961 +++ b/drivers/w1/slaves/w1_ds28e04.c
    2962 @@ -39,7 +39,7 @@ static int w1_strong_pullup = 1;
    2963 module_param_named(strong_pullup, w1_strong_pullup, int, 0);
    2964
    2965 /* enable/disable CRC checking on DS28E04-100 memory accesses */
    2966 -static char w1_enable_crccheck = 1;
    2967 +static bool w1_enable_crccheck = true;
    2968
    2969 #define W1_EEPROM_SIZE 512
    2970 #define W1_PAGE_COUNT 16
    2971 @@ -346,32 +346,18 @@ static BIN_ATTR_RW(pio, 1);
    2972 static ssize_t crccheck_show(struct device *dev, struct device_attribute *attr,
    2973 char *buf)
    2974 {
    2975 - if (put_user(w1_enable_crccheck + 0x30, buf))
    2976 - return -EFAULT;
    2977 -
    2978 - return sizeof(w1_enable_crccheck);
    2979 + return sysfs_emit(buf, "%d\n", w1_enable_crccheck);
    2980 }
    2981
    2982 static ssize_t crccheck_store(struct device *dev, struct device_attribute *attr,
    2983 const char *buf, size_t count)
    2984 {
    2985 - char val;
    2986 -
    2987 - if (count != 1 || !buf)
    2988 - return -EINVAL;
    2989 + int err = kstrtobool(buf, &w1_enable_crccheck);
    2990
    2991 - if (get_user(val, buf))
    2992 - return -EFAULT;
    2993 + if (err)
    2994 + return err;
    2995
    2996 - /* convert to decimal */
    2997 - val = val - 0x30;
    2998 - if (val != 0 && val != 1)
    2999 - return -EINVAL;
    3000 -
    3001 - /* set the new value */
    3002 - w1_enable_crccheck = val;
    3003 -
    3004 - return sizeof(w1_enable_crccheck);
    3005 + return count;
    3006 }
    3007
    3008 static DEVICE_ATTR_RW(crccheck);
    3009 diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
    3010 index bb008ac507fe3..16169b35ab6e5 100644
    3011 --- a/fs/btrfs/backref.c
    3012 +++ b/fs/btrfs/backref.c
    3013 @@ -1271,7 +1271,12 @@ again:
    3014 ret = btrfs_search_slot(trans, fs_info->extent_root, &key, path, 0, 0);
    3015 if (ret < 0)
    3016 goto out;
    3017 - BUG_ON(ret == 0);
    3018 + if (ret == 0) {
    3019 + /* This shouldn't happen, indicates a bug or fs corruption. */
    3020 + ASSERT(ret != 0);
    3021 + ret = -EUCLEAN;
    3022 + goto out;
    3023 + }
    3024
    3025 #ifdef CONFIG_BTRFS_FS_RUN_SANITY_TESTS
    3026 if (trans && likely(trans->type != __TRANS_DUMMY) &&
    3027 @@ -1432,10 +1437,18 @@ again:
    3028 goto out;
    3029 if (!ret && extent_item_pos) {
    3030 /*
    3031 - * we've recorded that parent, so we must extend
    3032 - * its inode list here
    3033 + * We've recorded that parent, so we must extend
    3034 + * its inode list here.
    3035 + *
    3036 + * However if there was corruption we may not
    3037 + * have found an eie, return an error in this
    3038 + * case.
    3039 */
    3040 - BUG_ON(!eie);
    3041 + ASSERT(eie);
    3042 + if (!eie) {
    3043 + ret = -EUCLEAN;
    3044 + goto out;
    3045 + }
    3046 while (eie->next)
    3047 eie = eie->next;
    3048 eie->next = ref->inode_list;
    3049 diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
    3050 index 3a7f401e943c1..ffab7dc881574 100644
    3051 --- a/fs/dlm/lock.c
    3052 +++ b/fs/dlm/lock.c
    3053 @@ -3975,6 +3975,14 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms)
    3054 int from = ms->m_header.h_nodeid;
    3055 int error = 0;
    3056
    3057 + /* currently mixing of user/kernel locks are not supported */
    3058 + if (ms->m_flags & DLM_IFL_USER && ~lkb->lkb_flags & DLM_IFL_USER) {
    3059 + log_error(lkb->lkb_resource->res_ls,
    3060 + "got user dlm message for a kernel lock");
    3061 + error = -EINVAL;
    3062 + goto out;
    3063 + }
    3064 +
    3065 switch (ms->m_type) {
    3066 case DLM_MSG_CONVERT:
    3067 case DLM_MSG_UNLOCK:
    3068 @@ -4003,6 +4011,7 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms)
    3069 error = -EINVAL;
    3070 }
    3071
    3072 +out:
    3073 if (error)
    3074 log_error(lkb->lkb_resource->res_ls,
    3075 "ignore invalid message %d from %d %x %x %x %d",
    3076 diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
    3077 index 75fff707beb6a..e7384a6e6a083 100644
    3078 --- a/fs/ext4/ioctl.c
    3079 +++ b/fs/ext4/ioctl.c
    3080 @@ -760,8 +760,6 @@ resizefs_out:
    3081 sizeof(range)))
    3082 return -EFAULT;
    3083
    3084 - range.minlen = max((unsigned int)range.minlen,
    3085 - q->limits.discard_granularity);
    3086 ret = ext4_trim_fs(sb, &range);
    3087 if (ret < 0)
    3088 return ret;
    3089 diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
    3090 index 807331da9dfc1..2a7fb2cf19b81 100644
    3091 --- a/fs/ext4/mballoc.c
    3092 +++ b/fs/ext4/mballoc.c
    3093 @@ -5224,6 +5224,7 @@ out:
    3094 */
    3095 int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range)
    3096 {
    3097 + struct request_queue *q = bdev_get_queue(sb->s_bdev);
    3098 struct ext4_group_info *grp;
    3099 ext4_group_t group, first_group, last_group;
    3100 ext4_grpblk_t cnt = 0, first_cluster, last_cluster;
    3101 @@ -5242,6 +5243,13 @@ int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range)
    3102 start >= max_blks ||
    3103 range->len < sb->s_blocksize)
    3104 return -EINVAL;
    3105 + /* No point to try to trim less than discard granularity */
    3106 + if (range->minlen < q->limits.discard_granularity) {
    3107 + minlen = EXT4_NUM_B2C(EXT4_SB(sb),
    3108 + q->limits.discard_granularity >> sb->s_blocksize_bits);
    3109 + if (minlen > EXT4_CLUSTERS_PER_GROUP(sb))
    3110 + goto out;
    3111 + }
    3112 if (end >= max_blks)
    3113 end = max_blks - 1;
    3114 if (end <= first_data_blk)
    3115 diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c
    3116 index bce2d696d6b9c..6967ab3306e7d 100644
    3117 --- a/fs/ext4/migrate.c
    3118 +++ b/fs/ext4/migrate.c
    3119 @@ -462,12 +462,12 @@ int ext4_ext_migrate(struct inode *inode)
    3120 percpu_down_write(&sbi->s_writepages_rwsem);
    3121
    3122 /*
    3123 - * Worst case we can touch the allocation bitmaps, a bgd
    3124 - * block, and a block to link in the orphan list. We do need
    3125 - * need to worry about credits for modifying the quota inode.
    3126 + * Worst case we can touch the allocation bitmaps and a block
    3127 + * group descriptor block. We do need need to worry about
    3128 + * credits for modifying the quota inode.
    3129 */
    3130 handle = ext4_journal_start(inode, EXT4_HT_MIGRATE,
    3131 - 4 + EXT4_MAXQUOTAS_TRANS_BLOCKS(inode->i_sb));
    3132 + 3 + EXT4_MAXQUOTAS_TRANS_BLOCKS(inode->i_sb));
    3133
    3134 if (IS_ERR(handle)) {
    3135 retval = PTR_ERR(handle);
    3136 @@ -484,6 +484,13 @@ int ext4_ext_migrate(struct inode *inode)
    3137 ext4_journal_stop(handle);
    3138 goto out_unlock;
    3139 }
    3140 + /*
    3141 + * Use the correct seed for checksum (i.e. the seed from 'inode'). This
    3142 + * is so that the metadata blocks will have the correct checksum after
    3143 + * the migration.
    3144 + */
    3145 + ei = EXT4_I(inode);
    3146 + EXT4_I(tmp_inode)->i_csum_seed = ei->i_csum_seed;
    3147 i_size_write(tmp_inode, i_size_read(inode));
    3148 /*
    3149 * Set the i_nlink to zero so it will be deleted later
    3150 @@ -492,7 +499,6 @@ int ext4_ext_migrate(struct inode *inode)
    3151 clear_nlink(tmp_inode);
    3152
    3153 ext4_ext_tree_init(handle, tmp_inode);
    3154 - ext4_orphan_add(handle, tmp_inode);
    3155 ext4_journal_stop(handle);
    3156
    3157 /*
    3158 @@ -517,17 +523,10 @@ int ext4_ext_migrate(struct inode *inode)
    3159
    3160 handle = ext4_journal_start(inode, EXT4_HT_MIGRATE, 1);
    3161 if (IS_ERR(handle)) {
    3162 - /*
    3163 - * It is impossible to update on-disk structures without
    3164 - * a handle, so just rollback in-core changes and live other
    3165 - * work to orphan_list_cleanup()
    3166 - */
    3167 - ext4_orphan_del(NULL, tmp_inode);
    3168 retval = PTR_ERR(handle);
    3169 goto out_tmp_inode;
    3170 }
    3171
    3172 - ei = EXT4_I(inode);
    3173 i_data = ei->i_data;
    3174 memset(&lb, 0, sizeof(lb));
    3175
    3176 diff --git a/fs/ext4/super.c b/fs/ext4/super.c
    3177 index ca89590d1df57..e17a6396bde6c 100644
    3178 --- a/fs/ext4/super.c
    3179 +++ b/fs/ext4/super.c
    3180 @@ -5602,7 +5602,7 @@ static ssize_t ext4_quota_write(struct super_block *sb, int type,
    3181 struct buffer_head *bh;
    3182 handle_t *handle = journal_current_handle();
    3183
    3184 - if (EXT4_SB(sb)->s_journal && !handle) {
    3185 + if (!handle) {
    3186 ext4_msg(sb, KERN_WARNING, "Quota write (off=%llu, len=%llu)"
    3187 " cancelled because transaction is not started",
    3188 (unsigned long long)off, (unsigned long long)len);
    3189 diff --git a/fs/fuse/acl.c b/fs/fuse/acl.c
    3190 index ec85765502f1f..990529da5354d 100644
    3191 --- a/fs/fuse/acl.c
    3192 +++ b/fs/fuse/acl.c
    3193 @@ -19,6 +19,9 @@ struct posix_acl *fuse_get_acl(struct inode *inode, int type)
    3194 void *value = NULL;
    3195 struct posix_acl *acl;
    3196
    3197 + if (fuse_is_bad(inode))
    3198 + return ERR_PTR(-EIO);
    3199 +
    3200 if (!fc->posix_acl || fc->no_getxattr)
    3201 return NULL;
    3202
    3203 @@ -53,6 +56,9 @@ int fuse_set_acl(struct inode *inode, struct posix_acl *acl, int type)
    3204 const char *name;
    3205 int ret;
    3206
    3207 + if (fuse_is_bad(inode))
    3208 + return -EIO;
    3209 +
    3210 if (!fc->posix_acl || fc->no_setxattr)
    3211 return -EOPNOTSUPP;
    3212
    3213 diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
    3214 index b41cc537eb311..c40bdfab0a859 100644
    3215 --- a/fs/fuse/dir.c
    3216 +++ b/fs/fuse/dir.c
    3217 @@ -187,7 +187,7 @@ static int fuse_dentry_revalidate(struct dentry *entry, unsigned int flags)
    3218 int ret;
    3219
    3220 inode = d_inode_rcu(entry);
    3221 - if (inode && is_bad_inode(inode))
    3222 + if (inode && fuse_is_bad(inode))
    3223 goto invalid;
    3224 else if (time_before64(fuse_dentry_time(entry), get_jiffies_64()) ||
    3225 (flags & LOOKUP_REVAL)) {
    3226 @@ -364,6 +364,9 @@ static struct dentry *fuse_lookup(struct inode *dir, struct dentry *entry,
    3227 bool outarg_valid = true;
    3228 bool locked;
    3229
    3230 + if (fuse_is_bad(dir))
    3231 + return ERR_PTR(-EIO);
    3232 +
    3233 locked = fuse_lock_inode(dir);
    3234 err = fuse_lookup_name(dir->i_sb, get_node_id(dir), &entry->d_name,
    3235 &outarg, &inode);
    3236 @@ -504,6 +507,9 @@ static int fuse_atomic_open(struct inode *dir, struct dentry *entry,
    3237 struct fuse_conn *fc = get_fuse_conn(dir);
    3238 struct dentry *res = NULL;
    3239
    3240 + if (fuse_is_bad(dir))
    3241 + return -EIO;
    3242 +
    3243 if (d_in_lookup(entry)) {
    3244 res = fuse_lookup(dir, entry, 0);
    3245 if (IS_ERR(res))
    3246 @@ -551,6 +557,9 @@ static int create_new_entry(struct fuse_conn *fc, struct fuse_args *args,
    3247 int err;
    3248 struct fuse_forget_link *forget;
    3249
    3250 + if (fuse_is_bad(dir))
    3251 + return -EIO;
    3252 +
    3253 forget = fuse_alloc_forget();
    3254 if (!forget)
    3255 return -ENOMEM;
    3256 @@ -672,6 +681,9 @@ static int fuse_unlink(struct inode *dir, struct dentry *entry)
    3257 struct fuse_conn *fc = get_fuse_conn(dir);
    3258 FUSE_ARGS(args);
    3259
    3260 + if (fuse_is_bad(dir))
    3261 + return -EIO;
    3262 +
    3263 args.in.h.opcode = FUSE_UNLINK;
    3264 args.in.h.nodeid = get_node_id(dir);
    3265 args.in.numargs = 1;
    3266 @@ -708,6 +720,9 @@ static int fuse_rmdir(struct inode *dir, struct dentry *entry)
    3267 struct fuse_conn *fc = get_fuse_conn(dir);
    3268 FUSE_ARGS(args);
    3269
    3270 + if (fuse_is_bad(dir))
    3271 + return -EIO;
    3272 +
    3273 args.in.h.opcode = FUSE_RMDIR;
    3274 args.in.h.nodeid = get_node_id(dir);
    3275 args.in.numargs = 1;
    3276 @@ -786,6 +801,9 @@ static int fuse_rename2(struct inode *olddir, struct dentry *oldent,
    3277 struct fuse_conn *fc = get_fuse_conn(olddir);
    3278 int err;
    3279
    3280 + if (fuse_is_bad(olddir))
    3281 + return -EIO;
    3282 +
    3283 if (flags & ~(RENAME_NOREPLACE | RENAME_EXCHANGE))
    3284 return -EINVAL;
    3285
    3286 @@ -921,7 +939,7 @@ static int fuse_do_getattr(struct inode *inode, struct kstat *stat,
    3287 if (!err) {
    3288 if (fuse_invalid_attr(&outarg.attr) ||
    3289 (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
    3290 - make_bad_inode(inode);
    3291 + fuse_make_bad(inode);
    3292 err = -EIO;
    3293 } else {
    3294 fuse_change_attributes(inode, &outarg.attr,
    3295 @@ -1114,6 +1132,9 @@ static int fuse_permission(struct inode *inode, int mask)
    3296 bool refreshed = false;
    3297 int err = 0;
    3298
    3299 + if (fuse_is_bad(inode))
    3300 + return -EIO;
    3301 +
    3302 if (!fuse_allow_current_process(fc))
    3303 return -EACCES;
    3304
    3305 @@ -1251,7 +1272,7 @@ retry:
    3306 dput(dentry);
    3307 goto retry;
    3308 }
    3309 - if (is_bad_inode(inode)) {
    3310 + if (fuse_is_bad(inode)) {
    3311 dput(dentry);
    3312 return -EIO;
    3313 }
    3314 @@ -1349,7 +1370,7 @@ static int fuse_readdir(struct file *file, struct dir_context *ctx)
    3315 u64 attr_version = 0;
    3316 bool locked;
    3317
    3318 - if (is_bad_inode(inode))
    3319 + if (fuse_is_bad(inode))
    3320 return -EIO;
    3321
    3322 req = fuse_get_req(fc, 1);
    3323 @@ -1409,6 +1430,9 @@ static const char *fuse_get_link(struct dentry *dentry,
    3324 if (!dentry)
    3325 return ERR_PTR(-ECHILD);
    3326
    3327 + if (fuse_is_bad(inode))
    3328 + return ERR_PTR(-EIO);
    3329 +
    3330 link = kmalloc(PAGE_SIZE, GFP_KERNEL);
    3331 if (!link)
    3332 return ERR_PTR(-ENOMEM);
    3333 @@ -1707,7 +1731,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
    3334
    3335 if (fuse_invalid_attr(&outarg.attr) ||
    3336 (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
    3337 - make_bad_inode(inode);
    3338 + fuse_make_bad(inode);
    3339 err = -EIO;
    3340 goto error;
    3341 }
    3342 @@ -1763,6 +1787,9 @@ static int fuse_setattr(struct dentry *entry, struct iattr *attr)
    3343 struct file *file = (attr->ia_valid & ATTR_FILE) ? attr->ia_file : NULL;
    3344 int ret;
    3345
    3346 + if (fuse_is_bad(inode))
    3347 + return -EIO;
    3348 +
    3349 if (!fuse_allow_current_process(get_fuse_conn(inode)))
    3350 return -EACCES;
    3351
    3352 @@ -1821,6 +1848,9 @@ static int fuse_getattr(struct vfsmount *mnt, struct dentry *entry,
    3353 struct inode *inode = d_inode(entry);
    3354 struct fuse_conn *fc = get_fuse_conn(inode);
    3355
    3356 + if (fuse_is_bad(inode))
    3357 + return -EIO;
    3358 +
    3359 if (!fuse_allow_current_process(fc))
    3360 return -EACCES;
    3361
    3362 diff --git a/fs/fuse/file.c b/fs/fuse/file.c
    3363 index cea2317e01380..8aef8e56eb1b6 100644
    3364 --- a/fs/fuse/file.c
    3365 +++ b/fs/fuse/file.c
    3366 @@ -206,6 +206,9 @@ int fuse_open_common(struct inode *inode, struct file *file, bool isdir)
    3367 fc->atomic_o_trunc &&
    3368 fc->writeback_cache;
    3369
    3370 + if (fuse_is_bad(inode))
    3371 + return -EIO;
    3372 +
    3373 err = generic_file_open(inode, file);
    3374 if (err)
    3375 return err;
    3376 @@ -411,7 +414,7 @@ static int fuse_flush(struct file *file, fl_owner_t id)
    3377 struct fuse_flush_in inarg;
    3378 int err;
    3379
    3380 - if (is_bad_inode(inode))
    3381 + if (fuse_is_bad(inode))
    3382 return -EIO;
    3383
    3384 if (fc->no_flush)
    3385 @@ -459,7 +462,7 @@ int fuse_fsync_common(struct file *file, loff_t start, loff_t end,
    3386 struct fuse_fsync_in inarg;
    3387 int err;
    3388
    3389 - if (is_bad_inode(inode))
    3390 + if (fuse_is_bad(inode))
    3391 return -EIO;
    3392
    3393 inode_lock(inode);
    3394 @@ -771,7 +774,7 @@ static int fuse_readpage(struct file *file, struct page *page)
    3395 int err;
    3396
    3397 err = -EIO;
    3398 - if (is_bad_inode(inode))
    3399 + if (fuse_is_bad(inode))
    3400 goto out;
    3401
    3402 err = fuse_do_readpage(file, page);
    3403 @@ -898,7 +901,7 @@ static int fuse_readpages(struct file *file, struct address_space *mapping,
    3404 int nr_alloc = min_t(unsigned, nr_pages, FUSE_MAX_PAGES_PER_REQ);
    3405
    3406 err = -EIO;
    3407 - if (is_bad_inode(inode))
    3408 + if (fuse_is_bad(inode))
    3409 goto out;
    3410
    3411 data.file = file;
    3412 @@ -928,6 +931,9 @@ static ssize_t fuse_file_read_iter(struct kiocb *iocb, struct iov_iter *to)
    3413 struct inode *inode = iocb->ki_filp->f_mapping->host;
    3414 struct fuse_conn *fc = get_fuse_conn(inode);
    3415
    3416 + if (fuse_is_bad(inode))
    3417 + return -EIO;
    3418 +
    3419 /*
    3420 * In auto invalidate mode, always update attributes on read.
    3421 * Otherwise, only update if we attempt to read past EOF (to ensure
    3422 @@ -1123,7 +1129,7 @@ static ssize_t fuse_perform_write(struct file *file,
    3423 int err = 0;
    3424 ssize_t res = 0;
    3425
    3426 - if (is_bad_inode(inode))
    3427 + if (fuse_is_bad(inode))
    3428 return -EIO;
    3429
    3430 if (inode->i_size < pos + iov_iter_count(ii))
    3431 @@ -1180,6 +1186,9 @@ static ssize_t fuse_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
    3432 ssize_t err;
    3433 loff_t endbyte = 0;
    3434
    3435 + if (fuse_is_bad(inode))
    3436 + return -EIO;
    3437 +
    3438 if (get_fuse_conn(inode)->writeback_cache) {
    3439 /* Update size (EOF optimization) and mode (SUID clearing) */
    3440 err = fuse_update_attributes(mapping->host, NULL, file, NULL);
    3441 @@ -1415,7 +1424,7 @@ static ssize_t __fuse_direct_read(struct fuse_io_priv *io,
    3442 struct file *file = io->file;
    3443 struct inode *inode = file_inode(file);
    3444
    3445 - if (is_bad_inode(inode))
    3446 + if (fuse_is_bad(inode))
    3447 return -EIO;
    3448
    3449 res = fuse_direct_io(io, iter, ppos, 0);
    3450 @@ -1438,7 +1447,7 @@ static ssize_t fuse_direct_write_iter(struct kiocb *iocb, struct iov_iter *from)
    3451 struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(file);
    3452 ssize_t res;
    3453
    3454 - if (is_bad_inode(inode))
    3455 + if (fuse_is_bad(inode))
    3456 return -EIO;
    3457
    3458 /* Don't allow parallel writes to the same file */
    3459 @@ -1911,7 +1920,7 @@ static int fuse_writepages(struct address_space *mapping,
    3460 int err;
    3461
    3462 err = -EIO;
    3463 - if (is_bad_inode(inode))
    3464 + if (fuse_is_bad(inode))
    3465 goto out;
    3466
    3467 data.inode = inode;
    3468 @@ -2687,7 +2696,7 @@ long fuse_ioctl_common(struct file *file, unsigned int cmd,
    3469 if (!fuse_allow_current_process(fc))
    3470 return -EACCES;
    3471
    3472 - if (is_bad_inode(inode))
    3473 + if (fuse_is_bad(inode))
    3474 return -EIO;
    3475
    3476 return fuse_do_ioctl(file, cmd, arg, flags);
    3477 diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
    3478 index f84dd6d87d90f..7e4b0e298bc73 100644
    3479 --- a/fs/fuse/fuse_i.h
    3480 +++ b/fs/fuse/fuse_i.h
    3481 @@ -115,6 +115,8 @@ enum {
    3482 FUSE_I_INIT_RDPLUS,
    3483 /** An operation changing file size is in progress */
    3484 FUSE_I_SIZE_UNSTABLE,
    3485 + /* Bad inode */
    3486 + FUSE_I_BAD,
    3487 };
    3488
    3489 struct fuse_conn;
    3490 @@ -688,6 +690,17 @@ static inline u64 get_node_id(struct inode *inode)
    3491 return get_fuse_inode(inode)->nodeid;
    3492 }
    3493
    3494 +static inline void fuse_make_bad(struct inode *inode)
    3495 +{
    3496 + remove_inode_hash(inode);
    3497 + set_bit(FUSE_I_BAD, &get_fuse_inode(inode)->state);
    3498 +}
    3499 +
    3500 +static inline bool fuse_is_bad(struct inode *inode)
    3501 +{
    3502 + return unlikely(test_bit(FUSE_I_BAD, &get_fuse_inode(inode)->state));
    3503 +}
    3504 +
    3505 /** Device operations */
    3506 extern const struct file_operations fuse_dev_operations;
    3507
    3508 diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
    3509 index 7a9b1069d267b..77b8f0f264078 100644
    3510 --- a/fs/fuse/inode.c
    3511 +++ b/fs/fuse/inode.c
    3512 @@ -316,7 +316,7 @@ struct inode *fuse_iget(struct super_block *sb, u64 nodeid,
    3513 unlock_new_inode(inode);
    3514 } else if ((inode->i_mode ^ attr->mode) & S_IFMT) {
    3515 /* Inode has changed type, any I/O on the old should fail */
    3516 - make_bad_inode(inode);
    3517 + fuse_make_bad(inode);
    3518 iput(inode);
    3519 goto retry;
    3520 }
    3521 diff --git a/fs/fuse/xattr.c b/fs/fuse/xattr.c
    3522 index 3caac46b08b0e..134bbc432ae60 100644
    3523 --- a/fs/fuse/xattr.c
    3524 +++ b/fs/fuse/xattr.c
    3525 @@ -113,6 +113,9 @@ ssize_t fuse_listxattr(struct dentry *entry, char *list, size_t size)
    3526 struct fuse_getxattr_out outarg;
    3527 ssize_t ret;
    3528
    3529 + if (fuse_is_bad(inode))
    3530 + return -EIO;
    3531 +
    3532 if (!fuse_allow_current_process(fc))
    3533 return -EACCES;
    3534
    3535 @@ -178,6 +181,9 @@ static int fuse_xattr_get(const struct xattr_handler *handler,
    3536 struct dentry *dentry, struct inode *inode,
    3537 const char *name, void *value, size_t size)
    3538 {
    3539 + if (fuse_is_bad(inode))
    3540 + return -EIO;
    3541 +
    3542 return fuse_getxattr(inode, name, value, size);
    3543 }
    3544
    3545 @@ -186,6 +192,9 @@ static int fuse_xattr_set(const struct xattr_handler *handler,
    3546 const char *name, const void *value, size_t size,
    3547 int flags)
    3548 {
    3549 + if (fuse_is_bad(inode))
    3550 + return -EIO;
    3551 +
    3552 if (!value)
    3553 return fuse_removexattr(inode, name);
    3554
    3555 diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c
    3556 index c12476e309c67..eb4e4d784d26e 100644
    3557 --- a/fs/jffs2/file.c
    3558 +++ b/fs/jffs2/file.c
    3559 @@ -135,20 +135,15 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
    3560 struct page *pg;
    3561 struct inode *inode = mapping->host;
    3562 struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
    3563 + struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
    3564 pgoff_t index = pos >> PAGE_SHIFT;
    3565 uint32_t pageofs = index << PAGE_SHIFT;
    3566 int ret = 0;
    3567
    3568 - pg = grab_cache_page_write_begin(mapping, index, flags);
    3569 - if (!pg)
    3570 - return -ENOMEM;
    3571 - *pagep = pg;
    3572 -
    3573 jffs2_dbg(1, "%s()\n", __func__);
    3574
    3575 if (pageofs > inode->i_size) {
    3576 /* Make new hole frag from old EOF to new page */
    3577 - struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
    3578 struct jffs2_raw_inode ri;
    3579 struct jffs2_full_dnode *fn;
    3580 uint32_t alloc_len;
    3581 @@ -159,7 +154,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
    3582 ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len,
    3583 ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
    3584 if (ret)
    3585 - goto out_page;
    3586 + goto out_err;
    3587
    3588 mutex_lock(&f->sem);
    3589 memset(&ri, 0, sizeof(ri));
    3590 @@ -189,7 +184,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
    3591 ret = PTR_ERR(fn);
    3592 jffs2_complete_reservation(c);
    3593 mutex_unlock(&f->sem);
    3594 - goto out_page;
    3595 + goto out_err;
    3596 }
    3597 ret = jffs2_add_full_dnode_to_inode(c, f, fn);
    3598 if (f->metadata) {
    3599 @@ -204,13 +199,26 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
    3600 jffs2_free_full_dnode(fn);
    3601 jffs2_complete_reservation(c);
    3602 mutex_unlock(&f->sem);
    3603 - goto out_page;
    3604 + goto out_err;
    3605 }
    3606 jffs2_complete_reservation(c);
    3607 inode->i_size = pageofs;
    3608 mutex_unlock(&f->sem);
    3609 }
    3610
    3611 + /*
    3612 + * While getting a page and reading data in, lock c->alloc_sem until
    3613 + * the page is Uptodate. Otherwise GC task may attempt to read the same
    3614 + * page in read_cache_page(), which causes a deadlock.
    3615 + */
    3616 + mutex_lock(&c->alloc_sem);
    3617 + pg = grab_cache_page_write_begin(mapping, index, flags);
    3618 + if (!pg) {
    3619 + ret = -ENOMEM;
    3620 + goto release_sem;
    3621 + }
    3622 + *pagep = pg;
    3623 +
    3624 /*
    3625 * Read in the page if it wasn't already present. Cannot optimize away
    3626 * the whole page write case until jffs2_write_end can handle the
    3627 @@ -220,15 +228,17 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
    3628 mutex_lock(&f->sem);
    3629 ret = jffs2_do_readpage_nolock(inode, pg);
    3630 mutex_unlock(&f->sem);
    3631 - if (ret)
    3632 - goto out_page;
    3633 + if (ret) {
    3634 + unlock_page(pg);
    3635 + put_page(pg);
    3636 + goto release_sem;
    3637 + }
    3638 }
    3639 jffs2_dbg(1, "end write_begin(). pg->flags %lx\n", pg->flags);
    3640 - return ret;
    3641
    3642 -out_page:
    3643 - unlock_page(pg);
    3644 - put_page(pg);
    3645 +release_sem:
    3646 + mutex_unlock(&c->alloc_sem);
    3647 +out_err:
    3648 return ret;
    3649 }
    3650
    3651 diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
    3652 index 727a9e3fa806f..ce58e857ae3bc 100644
    3653 --- a/fs/ubifs/super.c
    3654 +++ b/fs/ubifs/super.c
    3655 @@ -1695,7 +1695,6 @@ out:
    3656 kthread_stop(c->bgt);
    3657 c->bgt = NULL;
    3658 }
    3659 - free_wbufs(c);
    3660 kfree(c->write_reserve_buf);
    3661 c->write_reserve_buf = NULL;
    3662 vfree(c->ileb_buf);
    3663 diff --git a/include/linux/mm.h b/include/linux/mm.h
    3664 index 7a4c035b187f3..81ee5d0b26424 100644
    3665 --- a/include/linux/mm.h
    3666 +++ b/include/linux/mm.h
    3667 @@ -1269,6 +1269,8 @@ int copy_page_range(struct mm_struct *dst, struct mm_struct *src,
    3668 struct vm_area_struct *vma);
    3669 void unmap_mapping_range(struct address_space *mapping,
    3670 loff_t const holebegin, loff_t const holelen, int even_cows);
    3671 +int follow_pte_pmd(struct mm_struct *mm, unsigned long address,
    3672 + pte_t **ptepp, pmd_t **pmdpp, spinlock_t **ptlp);
    3673 int follow_pfn(struct vm_area_struct *vma, unsigned long address,
    3674 unsigned long *pfn);
    3675 int follow_phys(struct vm_area_struct *vma, unsigned long address,
    3676 diff --git a/include/linux/rbtree.h b/include/linux/rbtree.h
    3677 index e585018498d59..d574361943ea8 100644
    3678 --- a/include/linux/rbtree.h
    3679 +++ b/include/linux/rbtree.h
    3680 @@ -44,10 +44,25 @@ struct rb_root {
    3681 struct rb_node *rb_node;
    3682 };
    3683
    3684 +/*
    3685 + * Leftmost-cached rbtrees.
    3686 + *
    3687 + * We do not cache the rightmost node based on footprint
    3688 + * size vs number of potential users that could benefit
    3689 + * from O(1) rb_last(). Just not worth it, users that want
    3690 + * this feature can always implement the logic explicitly.
    3691 + * Furthermore, users that want to cache both pointers may
    3692 + * find it a bit asymmetric, but that's ok.
    3693 + */
    3694 +struct rb_root_cached {
    3695 + struct rb_root rb_root;
    3696 + struct rb_node *rb_leftmost;
    3697 +};
    3698
    3699 #define rb_parent(r) ((struct rb_node *)((r)->__rb_parent_color & ~3))
    3700
    3701 #define RB_ROOT (struct rb_root) { NULL, }
    3702 +#define RB_ROOT_CACHED (struct rb_root_cached) { {NULL, }, NULL }
    3703 #define rb_entry(ptr, type, member) container_of(ptr, type, member)
    3704
    3705 #define RB_EMPTY_ROOT(root) (READ_ONCE((root)->rb_node) == NULL)
    3706 @@ -69,6 +84,12 @@ extern struct rb_node *rb_prev(const struct rb_node *);
    3707 extern struct rb_node *rb_first(const struct rb_root *);
    3708 extern struct rb_node *rb_last(const struct rb_root *);
    3709
    3710 +extern void rb_insert_color_cached(struct rb_node *,
    3711 + struct rb_root_cached *, bool);
    3712 +extern void rb_erase_cached(struct rb_node *node, struct rb_root_cached *);
    3713 +/* Same as rb_first(), but O(1) */
    3714 +#define rb_first_cached(root) (root)->rb_leftmost
    3715 +
    3716 /* Postorder iteration - always visit the parent after its children */
    3717 extern struct rb_node *rb_first_postorder(const struct rb_root *);
    3718 extern struct rb_node *rb_next_postorder(const struct rb_node *);
    3719 diff --git a/include/linux/rbtree_augmented.h b/include/linux/rbtree_augmented.h
    3720 index d076183e49bec..023d64657e956 100644
    3721 --- a/include/linux/rbtree_augmented.h
    3722 +++ b/include/linux/rbtree_augmented.h
    3723 @@ -41,7 +41,9 @@ struct rb_augment_callbacks {
    3724 void (*rotate)(struct rb_node *old, struct rb_node *new);
    3725 };
    3726
    3727 -extern void __rb_insert_augmented(struct rb_node *node, struct rb_root *root,
    3728 +extern void __rb_insert_augmented(struct rb_node *node,
    3729 + struct rb_root *root,
    3730 + bool newleft, struct rb_node **leftmost,
    3731 void (*augment_rotate)(struct rb_node *old, struct rb_node *new));
    3732 /*
    3733 * Fixup the rbtree and update the augmented information when rebalancing.
    3734 @@ -57,7 +59,16 @@ static inline void
    3735 rb_insert_augmented(struct rb_node *node, struct rb_root *root,
    3736 const struct rb_augment_callbacks *augment)
    3737 {
    3738 - __rb_insert_augmented(node, root, augment->rotate);
    3739 + __rb_insert_augmented(node, root, false, NULL, augment->rotate);
    3740 +}
    3741 +
    3742 +static inline void
    3743 +rb_insert_augmented_cached(struct rb_node *node,
    3744 + struct rb_root_cached *root, bool newleft,
    3745 + const struct rb_augment_callbacks *augment)
    3746 +{
    3747 + __rb_insert_augmented(node, &root->rb_root,
    3748 + newleft, &root->rb_leftmost, augment->rotate);
    3749 }
    3750
    3751 #define RB_DECLARE_CALLBACKS(rbstatic, rbname, rbstruct, rbfield, \
    3752 @@ -148,6 +159,7 @@ extern void __rb_erase_color(struct rb_node *parent, struct rb_root *root,
    3753
    3754 static __always_inline struct rb_node *
    3755 __rb_erase_augmented(struct rb_node *node, struct rb_root *root,
    3756 + struct rb_node **leftmost,
    3757 const struct rb_augment_callbacks *augment)
    3758 {
    3759 struct rb_node *child = node->rb_right;
    3760 @@ -155,6 +167,9 @@ __rb_erase_augmented(struct rb_node *node, struct rb_root *root,
    3761 struct rb_node *parent, *rebalance;
    3762 unsigned long pc;
    3763
    3764 + if (leftmost && node == *leftmost)
    3765 + *leftmost = rb_next(node);
    3766 +
    3767 if (!tmp) {
    3768 /*
    3769 * Case 1: node to erase has no more than 1 child (easy!)
    3770 @@ -254,9 +269,21 @@ static __always_inline void
    3771 rb_erase_augmented(struct rb_node *node, struct rb_root *root,
    3772 const struct rb_augment_callbacks *augment)
    3773 {
    3774 - struct rb_node *rebalance = __rb_erase_augmented(node, root, augment);
    3775 + struct rb_node *rebalance = __rb_erase_augmented(node, root,
    3776 + NULL, augment);
    3777 if (rebalance)
    3778 __rb_erase_color(rebalance, root, augment->rotate);
    3779 }
    3780
    3781 +static __always_inline void
    3782 +rb_erase_augmented_cached(struct rb_node *node, struct rb_root_cached *root,
    3783 + const struct rb_augment_callbacks *augment)
    3784 +{
    3785 + struct rb_node *rebalance = __rb_erase_augmented(node, &root->rb_root,
    3786 + &root->rb_leftmost,
    3787 + augment);
    3788 + if (rebalance)
    3789 + __rb_erase_color(rebalance, &root->rb_root, augment->rotate);
    3790 +}
    3791 +
    3792 #endif /* _LINUX_RBTREE_AUGMENTED_H */
    3793 diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h
    3794 index 7eec17ad7fa19..42868a9b43657 100644
    3795 --- a/include/linux/timerqueue.h
    3796 +++ b/include/linux/timerqueue.h
    3797 @@ -11,8 +11,7 @@ struct timerqueue_node {
    3798 };
    3799
    3800 struct timerqueue_head {
    3801 - struct rb_root head;
    3802 - struct timerqueue_node *next;
    3803 + struct rb_root_cached rb_root;
    3804 };
    3805
    3806
    3807 @@ -28,13 +27,14 @@ extern struct timerqueue_node *timerqueue_iterate_next(
    3808 *
    3809 * @head: head of timerqueue
    3810 *
    3811 - * Returns a pointer to the timer node that has the
    3812 - * earliest expiration time.
    3813 + * Returns a pointer to the timer node that has the earliest expiration time.
    3814 */
    3815 static inline
    3816 struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head)
    3817 {
    3818 - return head->next;
    3819 + struct rb_node *leftmost = rb_first_cached(&head->rb_root);
    3820 +
    3821 + return rb_entry(leftmost, struct timerqueue_node, node);
    3822 }
    3823
    3824 static inline void timerqueue_init(struct timerqueue_node *node)
    3825 @@ -44,7 +44,6 @@ static inline void timerqueue_init(struct timerqueue_node *node)
    3826
    3827 static inline void timerqueue_init_head(struct timerqueue_head *head)
    3828 {
    3829 - head->head = RB_ROOT;
    3830 - head->next = NULL;
    3831 + head->rb_root = RB_ROOT_CACHED;
    3832 }
    3833 #endif /* _LINUX_TIMERQUEUE_H */
    3834 diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
    3835 index 5d5a137b9067f..7ec889291dc48 100644
    3836 --- a/include/net/sch_generic.h
    3837 +++ b/include/net/sch_generic.h
    3838 @@ -837,6 +837,7 @@ struct psched_ratecfg {
    3839 u64 rate_bytes_ps; /* bytes per second */
    3840 u32 mult;
    3841 u16 overhead;
    3842 + u16 mpu;
    3843 u8 linklayer;
    3844 u8 shift;
    3845 };
    3846 @@ -846,6 +847,9 @@ static inline u64 psched_l2t_ns(const struct psched_ratecfg *r,
    3847 {
    3848 len += r->overhead;
    3849
    3850 + if (len < r->mpu)
    3851 + len = r->mpu;
    3852 +
    3853 if (unlikely(r->linklayer == TC_LINKLAYER_ATM))
    3854 return ((u64)(DIV_ROUND_UP(len,48)*53) * r->mult) >> r->shift;
    3855
    3856 @@ -868,6 +872,7 @@ static inline void psched_ratecfg_getrate(struct tc_ratespec *res,
    3857 res->rate = min_t(u64, r->rate_bytes_ps, ~0U);
    3858
    3859 res->overhead = r->overhead;
    3860 + res->mpu = r->mpu;
    3861 res->linklayer = (r->linklayer & TC_LINKLAYER_MASK);
    3862 }
    3863
    3864 diff --git a/lib/rbtree.c b/lib/rbtree.c
    3865 index eb8a19fee1100..53746be42903b 100644
    3866 --- a/lib/rbtree.c
    3867 +++ b/lib/rbtree.c
    3868 @@ -95,10 +95,14 @@ __rb_rotate_set_parents(struct rb_node *old, struct rb_node *new,
    3869
    3870 static __always_inline void
    3871 __rb_insert(struct rb_node *node, struct rb_root *root,
    3872 + bool newleft, struct rb_node **leftmost,
    3873 void (*augment_rotate)(struct rb_node *old, struct rb_node *new))
    3874 {
    3875 struct rb_node *parent = rb_red_parent(node), *gparent, *tmp;
    3876
    3877 + if (newleft)
    3878 + *leftmost = node;
    3879 +
    3880 while (true) {
    3881 /*
    3882 * Loop invariant: node is red
    3883 @@ -417,19 +421,38 @@ static const struct rb_augment_callbacks dummy_callbacks = {
    3884
    3885 void rb_insert_color(struct rb_node *node, struct rb_root *root)
    3886 {
    3887 - __rb_insert(node, root, dummy_rotate);
    3888 + __rb_insert(node, root, false, NULL, dummy_rotate);
    3889 }
    3890 EXPORT_SYMBOL(rb_insert_color);
    3891
    3892 void rb_erase(struct rb_node *node, struct rb_root *root)
    3893 {
    3894 struct rb_node *rebalance;
    3895 - rebalance = __rb_erase_augmented(node, root, &dummy_callbacks);
    3896 + rebalance = __rb_erase_augmented(node, root,
    3897 + NULL, &dummy_callbacks);
    3898 if (rebalance)
    3899 ____rb_erase_color(rebalance, root, dummy_rotate);
    3900 }
    3901 EXPORT_SYMBOL(rb_erase);
    3902
    3903 +void rb_insert_color_cached(struct rb_node *node,
    3904 + struct rb_root_cached *root, bool leftmost)
    3905 +{
    3906 + __rb_insert(node, &root->rb_root, leftmost,
    3907 + &root->rb_leftmost, dummy_rotate);
    3908 +}
    3909 +EXPORT_SYMBOL(rb_insert_color_cached);
    3910 +
    3911 +void rb_erase_cached(struct rb_node *node, struct rb_root_cached *root)
    3912 +{
    3913 + struct rb_node *rebalance;
    3914 + rebalance = __rb_erase_augmented(node, &root->rb_root,
    3915 + &root->rb_leftmost, &dummy_callbacks);
    3916 + if (rebalance)
    3917 + ____rb_erase_color(rebalance, &root->rb_root, dummy_rotate);
    3918 +}
    3919 +EXPORT_SYMBOL(rb_erase_cached);
    3920 +
    3921 /*
    3922 * Augmented rbtree manipulation functions.
    3923 *
    3924 @@ -438,9 +461,10 @@ EXPORT_SYMBOL(rb_erase);
    3925 */
    3926
    3927 void __rb_insert_augmented(struct rb_node *node, struct rb_root *root,
    3928 + bool newleft, struct rb_node **leftmost,
    3929 void (*augment_rotate)(struct rb_node *old, struct rb_node *new))
    3930 {
    3931 - __rb_insert(node, root, augment_rotate);
    3932 + __rb_insert(node, root, newleft, leftmost, augment_rotate);
    3933 }
    3934 EXPORT_SYMBOL(__rb_insert_augmented);
    3935
    3936 @@ -485,7 +509,7 @@ struct rb_node *rb_next(const struct rb_node *node)
    3937 * as we can.
    3938 */
    3939 if (node->rb_right) {
    3940 - node = node->rb_right;
    3941 + node = node->rb_right;
    3942 while (node->rb_left)
    3943 node=node->rb_left;
    3944 return (struct rb_node *)node;
    3945 @@ -517,7 +541,7 @@ struct rb_node *rb_prev(const struct rb_node *node)
    3946 * as we can.
    3947 */
    3948 if (node->rb_left) {
    3949 - node = node->rb_left;
    3950 + node = node->rb_left;
    3951 while (node->rb_right)
    3952 node=node->rb_right;
    3953 return (struct rb_node *)node;
    3954 diff --git a/lib/timerqueue.c b/lib/timerqueue.c
    3955 index 782ae8ca2c06f..4f99b5c3ac0ec 100644
    3956 --- a/lib/timerqueue.c
    3957 +++ b/lib/timerqueue.c
    3958 @@ -38,9 +38,10 @@
    3959 */
    3960 bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)
    3961 {
    3962 - struct rb_node **p = &head->head.rb_node;
    3963 + struct rb_node **p = &head->rb_root.rb_root.rb_node;
    3964 struct rb_node *parent = NULL;
    3965 - struct timerqueue_node *ptr;
    3966 + struct timerqueue_node *ptr;
    3967 + bool leftmost = true;
    3968
    3969 /* Make sure we don't add nodes that are already added */
    3970 WARN_ON_ONCE(!RB_EMPTY_NODE(&node->node));
    3971 @@ -48,19 +49,17 @@ bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)
    3972 while (*p) {
    3973 parent = *p;
    3974 ptr = rb_entry(parent, struct timerqueue_node, node);
    3975 - if (node->expires.tv64 < ptr->expires.tv64)
    3976 + if (node->expires.tv64 < ptr->expires.tv64) {
    3977 p = &(*p)->rb_left;
    3978 - else
    3979 + } else {
    3980 p = &(*p)->rb_right;
    3981 + leftmost = false;
    3982 + }
    3983 }
    3984 rb_link_node(&node->node, parent, p);
    3985 - rb_insert_color(&node->node, &head->head);
    3986 + rb_insert_color_cached(&node->node, &head->rb_root, leftmost);
    3987
    3988 - if (!head->next || node->expires.tv64 < head->next->expires.tv64) {
    3989 - head->next = node;
    3990 - return true;
    3991 - }
    3992 - return false;
    3993 + return leftmost;
    3994 }
    3995 EXPORT_SYMBOL_GPL(timerqueue_add);
    3996
    3997 @@ -76,16 +75,10 @@ bool timerqueue_del(struct timerqueue_head *head, struct timerqueue_node *node)
    3998 {
    3999 WARN_ON_ONCE(RB_EMPTY_NODE(&node->node));
    4000
    4001 - /* update next pointer */
    4002 - if (head->next == node) {
    4003 - struct rb_node *rbn = rb_next(&node->node);
    4004 -
    4005 - head->next = rbn ?
    4006 - rb_entry(rbn, struct timerqueue_node, node) : NULL;
    4007 - }
    4008 - rb_erase(&node->node, &head->head);
    4009 + rb_erase_cached(&node->node, &head->rb_root);
    4010 RB_CLEAR_NODE(&node->node);
    4011 - return head->next != NULL;
    4012 +
    4013 + return !RB_EMPTY_ROOT(&head->rb_root.rb_root);
    4014 }
    4015 EXPORT_SYMBOL_GPL(timerqueue_del);
    4016
    4017 diff --git a/mm/gup.c b/mm/gup.c
    4018 index 301dd96ef176c..0b80bf3878dcf 100644
    4019 --- a/mm/gup.c
    4020 +++ b/mm/gup.c
    4021 @@ -1567,22 +1567,15 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
    4022 next = pgd_addr_end(addr, end);
    4023 if (pgd_none(pgd))
    4024 break;
    4025 - /*
    4026 - * The FAST_GUP case requires FOLL_WRITE even for pure reads,
    4027 - * because get_user_pages() may need to cause an early COW in
    4028 - * order to avoid confusing the normal COW routines. So only
    4029 - * targets that are already writable are safe to do by just
    4030 - * looking at the page tables.
    4031 - */
    4032 if (unlikely(pgd_huge(pgd))) {
    4033 - if (!gup_huge_pgd(pgd, pgdp, addr, next, 1,
    4034 + if (!gup_huge_pgd(pgd, pgdp, addr, next, write,
    4035 pages, &nr))
    4036 break;
    4037 } else if (unlikely(is_hugepd(__hugepd(pgd_val(pgd))))) {
    4038 if (!gup_huge_pd(__hugepd(pgd_val(pgd)), addr,
    4039 - PGDIR_SHIFT, next, 1, pages, &nr))
    4040 + PGDIR_SHIFT, next, write, pages, &nr))
    4041 break;
    4042 - } else if (!gup_pud_range(pgd, addr, next, 1, pages, &nr))
    4043 + } else if (!gup_pud_range(pgd, addr, next, write, pages, &nr))
    4044 break;
    4045 } while (pgdp++, addr = next, addr != end);
    4046 local_irq_restore(flags);
    4047 @@ -1612,7 +1605,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
    4048 int nr, ret;
    4049
    4050 start &= PAGE_MASK;
    4051 - nr = __get_user_pages_fast(start, nr_pages, write, pages);
    4052 + /*
    4053 + * The FAST_GUP case requires FOLL_WRITE even for pure reads,
    4054 + * because get_user_pages() may need to cause an early COW in
    4055 + * order to avoid confusing the normal COW routines. So only
    4056 + * targets that are already writable are safe to do by just
    4057 + * looking at the page tables.
    4058 + */
    4059 + nr = __get_user_pages_fast(start, nr_pages, 1, pages);
    4060 ret = nr;
    4061
    4062 if (nr < nr_pages) {
    4063 diff --git a/mm/memory.c b/mm/memory.c
    4064 index c2890dc104d9e..2b2cc69ddccef 100644
    4065 --- a/mm/memory.c
    4066 +++ b/mm/memory.c
    4067 @@ -3780,8 +3780,8 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
    4068 }
    4069 #endif /* __PAGETABLE_PMD_FOLDED */
    4070
    4071 -static int __follow_pte(struct mm_struct *mm, unsigned long address,
    4072 - pte_t **ptepp, spinlock_t **ptlp)
    4073 +static int __follow_pte_pmd(struct mm_struct *mm, unsigned long address,
    4074 + pte_t **ptepp, pmd_t **pmdpp, spinlock_t **ptlp)
    4075 {
    4076 pgd_t *pgd;
    4077 pud_t *pud;
    4078 @@ -3798,11 +3798,20 @@ static int __follow_pte(struct mm_struct *mm, unsigned long address,
    4079
    4080 pmd = pmd_offset(pud, address);
    4081 VM_BUG_ON(pmd_trans_huge(*pmd));
    4082 - if (pmd_none(*pmd) || unlikely(pmd_bad(*pmd)))
    4083 - goto out;
    4084
    4085 - /* We cannot handle huge page PFN maps. Luckily they don't exist. */
    4086 - if (pmd_huge(*pmd))
    4087 + if (pmd_huge(*pmd)) {
    4088 + if (!pmdpp)
    4089 + goto out;
    4090 +
    4091 + *ptlp = pmd_lock(mm, pmd);
    4092 + if (pmd_huge(*pmd)) {
    4093 + *pmdpp = pmd;
    4094 + return 0;
    4095 + }
    4096 + spin_unlock(*ptlp);
    4097 + }
    4098 +
    4099 + if (pmd_none(*pmd) || unlikely(pmd_bad(*pmd)))
    4100 goto out;
    4101
    4102 ptep = pte_offset_map_lock(mm, pmd, address, ptlp);
    4103 @@ -3825,9 +3834,23 @@ static inline int follow_pte(struct mm_struct *mm, unsigned long address,
    4104
    4105 /* (void) is needed to make gcc happy */
    4106 (void) __cond_lock(*ptlp,
    4107 - !(res = __follow_pte(mm, address, ptepp, ptlp)));
    4108 + !(res = __follow_pte_pmd(mm, address, ptepp, NULL,
    4109 + ptlp)));
    4110 + return res;
    4111 +}
    4112 +
    4113 +int follow_pte_pmd(struct mm_struct *mm, unsigned long address,
    4114 + pte_t **ptepp, pmd_t **pmdpp, spinlock_t **ptlp)
    4115 +{
    4116 + int res;
    4117 +
    4118 + /* (void) is needed to make gcc happy */
    4119 + (void) __cond_lock(*ptlp,
    4120 + !(res = __follow_pte_pmd(mm, address, ptepp, pmdpp,
    4121 + ptlp)));
    4122 return res;
    4123 }
    4124 +EXPORT_SYMBOL(follow_pte_pmd);
    4125
    4126 /**
    4127 * follow_pfn - look up PFN at a user virtual address
    4128 diff --git a/mm/shmem.c b/mm/shmem.c
    4129 index 31b0c09fe6c60..51aa13f596220 100644
    4130 --- a/mm/shmem.c
    4131 +++ b/mm/shmem.c
    4132 @@ -436,7 +436,7 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo,
    4133 struct shmem_inode_info *info;
    4134 struct page *page;
    4135 unsigned long batch = sc ? sc->nr_to_scan : 128;
    4136 - int removed = 0, split = 0;
    4137 + int split = 0;
    4138
    4139 if (list_empty(&sbinfo->shrinklist))
    4140 return SHRINK_STOP;
    4141 @@ -451,7 +451,6 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo,
    4142 /* inode is about to be evicted */
    4143 if (!inode) {
    4144 list_del_init(&info->shrinklist);
    4145 - removed++;
    4146 goto next;
    4147 }
    4148
    4149 @@ -459,12 +458,12 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo,
    4150 if (round_up(inode->i_size, PAGE_SIZE) ==
    4151 round_up(inode->i_size, HPAGE_PMD_SIZE)) {
    4152 list_move(&info->shrinklist, &to_remove);
    4153 - removed++;
    4154 goto next;
    4155 }
    4156
    4157 list_move(&info->shrinklist, &list);
    4158 next:
    4159 + sbinfo->shrinklist_len--;
    4160 if (!--batch)
    4161 break;
    4162 }
    4163 @@ -484,7 +483,7 @@ next:
    4164 inode = &info->vfs_inode;
    4165
    4166 if (nr_to_split && split >= nr_to_split)
    4167 - goto leave;
    4168 + goto move_back;
    4169
    4170 page = find_get_page(inode->i_mapping,
    4171 (inode->i_size & HPAGE_PMD_MASK) >> PAGE_SHIFT);
    4172 @@ -498,38 +497,44 @@ next:
    4173 }
    4174
    4175 /*
    4176 - * Leave the inode on the list if we failed to lock
    4177 - * the page at this time.
    4178 + * Move the inode on the list back to shrinklist if we failed
    4179 + * to lock the page at this time.
    4180 *
    4181 * Waiting for the lock may lead to deadlock in the
    4182 * reclaim path.
    4183 */
    4184 if (!trylock_page(page)) {
    4185 put_page(page);
    4186 - goto leave;
    4187 + goto move_back;
    4188 }
    4189
    4190 ret = split_huge_page(page);
    4191 unlock_page(page);
    4192 put_page(page);
    4193
    4194 - /* If split failed leave the inode on the list */
    4195 + /* If split failed move the inode on the list back to shrinklist */
    4196 if (ret)
    4197 - goto leave;
    4198 + goto move_back;
    4199
    4200 split++;
    4201 drop:
    4202 list_del_init(&info->shrinklist);
    4203 - removed++;
    4204 -leave:
    4205 + goto put;
    4206 +move_back:
    4207 + /*
    4208 + * Make sure the inode is either on the global list or deleted
    4209 + * from any local list before iput() since it could be deleted
    4210 + * in another thread once we put the inode (then the local list
    4211 + * is corrupted).
    4212 + */
    4213 + spin_lock(&sbinfo->shrinklist_lock);
    4214 + list_move(&info->shrinklist, &sbinfo->shrinklist);
    4215 + sbinfo->shrinklist_len++;
    4216 + spin_unlock(&sbinfo->shrinklist_lock);
    4217 +put:
    4218 iput(inode);
    4219 }
    4220
    4221 - spin_lock(&sbinfo->shrinklist_lock);
    4222 - list_splice_tail(&list, &sbinfo->shrinklist);
    4223 - sbinfo->shrinklist_len -= removed;
    4224 - spin_unlock(&sbinfo->shrinklist_lock);
    4225 -
    4226 return split;
    4227 }
    4228
    4229 diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
    4230 index 0bb150e68c53f..e2e580c747f4b 100644
    4231 --- a/net/bluetooth/cmtp/core.c
    4232 +++ b/net/bluetooth/cmtp/core.c
    4233 @@ -499,9 +499,7 @@ static int __init cmtp_init(void)
    4234 {
    4235 BT_INFO("CMTP (CAPI Emulation) ver %s", VERSION);
    4236
    4237 - cmtp_init_sockets();
    4238 -
    4239 - return 0;
    4240 + return cmtp_init_sockets();
    4241 }
    4242
    4243 static void __exit cmtp_exit(void)
    4244 diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
    4245 index b43f31203a430..40e6e5feb1e06 100644
    4246 --- a/net/bluetooth/hci_core.c
    4247 +++ b/net/bluetooth/hci_core.c
    4248 @@ -3148,6 +3148,7 @@ int hci_register_dev(struct hci_dev *hdev)
    4249 return id;
    4250
    4251 err_wqueue:
    4252 + debugfs_remove_recursive(hdev->debugfs);
    4253 destroy_workqueue(hdev->workqueue);
    4254 destroy_workqueue(hdev->req_workqueue);
    4255 err:
    4256 diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
    4257 index f9484755a9baf..17cfd9f8e98e0 100644
    4258 --- a/net/bluetooth/hci_event.c
    4259 +++ b/net/bluetooth/hci_event.c
    4260 @@ -4967,7 +4967,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
    4261 struct hci_ev_le_advertising_info *ev = ptr;
    4262 s8 rssi;
    4263
    4264 - if (ev->length <= HCI_MAX_AD_LENGTH) {
    4265 + if (ev->length <= HCI_MAX_AD_LENGTH &&
    4266 + ev->data + ev->length <= skb_tail_pointer(skb)) {
    4267 rssi = ev->data[ev->length];
    4268 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
    4269 ev->bdaddr_type, NULL, 0, rssi,
    4270 @@ -4977,6 +4978,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
    4271 }
    4272
    4273 ptr += sizeof(*ev) + ev->length + 1;
    4274 +
    4275 + if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) {
    4276 + bt_dev_err(hdev, "Malicious advertising data. Stopping processing");
    4277 + break;
    4278 + }
    4279 }
    4280
    4281 hci_dev_unlock(hdev);
    4282 diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
    4283 index 7104d5e64abb3..11d4d18012fed 100644
    4284 --- a/net/bridge/br_netfilter_hooks.c
    4285 +++ b/net/bridge/br_netfilter_hooks.c
    4286 @@ -724,6 +724,9 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
    4287 if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
    4288 mtu = nf_bridge->frag_max_size;
    4289
    4290 + nf_bridge_update_protocol(skb);
    4291 + nf_bridge_push_encap_header(skb);
    4292 +
    4293 if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) {
    4294 nf_bridge_info_free(skb);
    4295 return br_dev_queue_push_xmit(net, sk, skb);
    4296 @@ -741,8 +744,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
    4297
    4298 IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
    4299
    4300 - nf_bridge_update_protocol(skb);
    4301 -
    4302 data = this_cpu_ptr(&brnf_frag_data_storage);
    4303
    4304 data->vlan_tci = skb->vlan_tci;
    4305 @@ -765,8 +766,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
    4306
    4307 IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
    4308
    4309 - nf_bridge_update_protocol(skb);
    4310 -
    4311 data = this_cpu_ptr(&brnf_frag_data_storage);
    4312 data->encap_size = nf_bridge_encap_header_len(skb);
    4313 data->size = ETH_HLEN + data->encap_size;
    4314 diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
    4315 index 7630fa80db92a..48854eae294fd 100644
    4316 --- a/net/core/net_namespace.c
    4317 +++ b/net/core/net_namespace.c
    4318 @@ -132,8 +132,10 @@ static void ops_exit_list(const struct pernet_operations *ops,
    4319 {
    4320 struct net *net;
    4321 if (ops->exit) {
    4322 - list_for_each_entry(net, net_exit_list, exit_list)
    4323 + list_for_each_entry(net, net_exit_list, exit_list) {
    4324 ops->exit(net);
    4325 + cond_resched();
    4326 + }
    4327 }
    4328 if (ops->exit_batch)
    4329 ops->exit_batch(net_exit_list);
    4330 diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
    4331 index 553cda6f887ad..b7dc20a65b649 100644
    4332 --- a/net/ipv4/cipso_ipv4.c
    4333 +++ b/net/ipv4/cipso_ipv4.c
    4334 @@ -534,16 +534,10 @@ int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info)
    4335 ret_val = -ENOENT;
    4336 goto doi_remove_return;
    4337 }
    4338 - if (!atomic_dec_and_test(&doi_def->refcount)) {
    4339 - spin_unlock(&cipso_v4_doi_list_lock);
    4340 - ret_val = -EBUSY;
    4341 - goto doi_remove_return;
    4342 - }
    4343 list_del_rcu(&doi_def->list);
    4344 spin_unlock(&cipso_v4_doi_list_lock);
    4345
    4346 - cipso_v4_cache_invalidate();
    4347 - call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);
    4348 + cipso_v4_doi_putdef(doi_def);
    4349 ret_val = 0;
    4350
    4351 doi_remove_return:
    4352 @@ -600,9 +594,6 @@ void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def)
    4353
    4354 if (!atomic_dec_and_test(&doi_def->refcount))
    4355 return;
    4356 - spin_lock(&cipso_v4_doi_list_lock);
    4357 - list_del_rcu(&doi_def->list);
    4358 - spin_unlock(&cipso_v4_doi_list_lock);
    4359
    4360 cipso_v4_cache_invalidate();
    4361 call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);
    4362 diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
    4363 index b206415bbde74..7628963ddacc3 100644
    4364 --- a/net/ipv6/calipso.c
    4365 +++ b/net/ipv6/calipso.c
    4366 @@ -97,6 +97,9 @@ struct calipso_map_cache_entry {
    4367
    4368 static struct calipso_map_cache_bkt *calipso_cache;
    4369
    4370 +static void calipso_cache_invalidate(void);
    4371 +static void calipso_doi_putdef(struct calipso_doi *doi_def);
    4372 +
    4373 /* Label Mapping Cache Functions
    4374 */
    4375
    4376 @@ -458,15 +461,10 @@ static int calipso_doi_remove(u32 doi, struct netlbl_audit *audit_info)
    4377 ret_val = -ENOENT;
    4378 goto doi_remove_return;
    4379 }
    4380 - if (!atomic_dec_and_test(&doi_def->refcount)) {
    4381 - spin_unlock(&calipso_doi_list_lock);
    4382 - ret_val = -EBUSY;
    4383 - goto doi_remove_return;
    4384 - }
    4385 list_del_rcu(&doi_def->list);
    4386 spin_unlock(&calipso_doi_list_lock);
    4387
    4388 - call_rcu(&doi_def->rcu, calipso_doi_free_rcu);
    4389 + calipso_doi_putdef(doi_def);
    4390 ret_val = 0;
    4391
    4392 doi_remove_return:
    4393 @@ -522,10 +520,8 @@ static void calipso_doi_putdef(struct calipso_doi *doi_def)
    4394
    4395 if (!atomic_dec_and_test(&doi_def->refcount))
    4396 return;
    4397 - spin_lock(&calipso_doi_list_lock);
    4398 - list_del_rcu(&doi_def->list);
    4399 - spin_unlock(&calipso_doi_list_lock);
    4400
    4401 + calipso_cache_invalidate();
    4402 call_rcu(&doi_def->rcu, calipso_doi_free_rcu);
    4403 }
    4404
    4405 diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
    4406 index 422fac2a4a3c8..9a256d0fb957a 100644
    4407 --- a/net/netlabel/netlabel_cipso_v4.c
    4408 +++ b/net/netlabel/netlabel_cipso_v4.c
    4409 @@ -587,6 +587,7 @@ list_start:
    4410
    4411 break;
    4412 }
    4413 + cipso_v4_doi_putdef(doi_def);
    4414 rcu_read_unlock();
    4415
    4416 genlmsg_end(ans_skb, data);
    4417 @@ -595,12 +596,14 @@ list_start:
    4418 list_retry:
    4419 /* XXX - this limit is a guesstimate */
    4420 if (nlsze_mult < 4) {
    4421 + cipso_v4_doi_putdef(doi_def);
    4422 rcu_read_unlock();
    4423 kfree_skb(ans_skb);
    4424 nlsze_mult *= 2;
    4425 goto list_start;
    4426 }
    4427 list_failure_lock:
    4428 + cipso_v4_doi_putdef(doi_def);
    4429 rcu_read_unlock();
    4430 list_failure:
    4431 kfree_skb(ans_skb);
    4432 diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
    4433 index 92c6fbfd51f79..bc59b2b5f9836 100644
    4434 --- a/net/nfc/llcp_sock.c
    4435 +++ b/net/nfc/llcp_sock.c
    4436 @@ -796,6 +796,11 @@ static int llcp_sock_sendmsg(struct socket *sock, struct msghdr *msg,
    4437
    4438 lock_sock(sk);
    4439
    4440 + if (!llcp_sock->local) {
    4441 + release_sock(sk);
    4442 + return -ENODEV;
    4443 + }
    4444 +
    4445 if (sk->sk_type == SOCK_DGRAM) {
    4446 DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr,
    4447 msg->msg_name);
    4448 diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
    4449 index 04ca08f852209..daa24ec7db278 100644
    4450 --- a/net/sched/sch_generic.c
    4451 +++ b/net/sched/sch_generic.c
    4452 @@ -996,6 +996,7 @@ void psched_ratecfg_precompute(struct psched_ratecfg *r,
    4453 {
    4454 memset(r, 0, sizeof(*r));
    4455 r->overhead = conf->overhead;
    4456 + r->mpu = conf->mpu;
    4457 r->rate_bytes_ps = max_t(u64, conf->rate, rate64);
    4458 r->linklayer = (conf->linklayer & TC_LINKLAYER_MASK);
    4459 r->mult = 1;
    4460 diff --git a/net/unix/garbage.c b/net/unix/garbage.c
    4461 index 8bbe1b8e4ff7f..4d283e26d8162 100644
    4462 --- a/net/unix/garbage.c
    4463 +++ b/net/unix/garbage.c
    4464 @@ -197,8 +197,11 @@ void wait_for_unix_gc(void)
    4465 {
    4466 /* If number of inflight sockets is insane,
    4467 * force a garbage collect right now.
    4468 + * Paired with the WRITE_ONCE() in unix_inflight(),
    4469 + * unix_notinflight() and gc_in_progress().
    4470 */
    4471 - if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
    4472 + if (READ_ONCE(unix_tot_inflight) > UNIX_INFLIGHT_TRIGGER_GC &&
    4473 + !READ_ONCE(gc_in_progress))
    4474 unix_gc();
    4475 wait_event(unix_gc_wait, gc_in_progress == false);
    4476 }
    4477 @@ -218,7 +221,9 @@ void unix_gc(void)
    4478 if (gc_in_progress)
    4479 goto out;
    4480
    4481 - gc_in_progress = true;
    4482 + /* Paired with READ_ONCE() in wait_for_unix_gc(). */
    4483 + WRITE_ONCE(gc_in_progress, true);
    4484 +
    4485 /* First, select candidates for garbage collection. Only
    4486 * in-flight sockets are considered, and from those only ones
    4487 * which don't have any external reference.
    4488 @@ -304,7 +309,10 @@ void unix_gc(void)
    4489
    4490 /* All candidates should have been detached by now. */
    4491 BUG_ON(!list_empty(&gc_candidates));
    4492 - gc_in_progress = false;
    4493 +
    4494 + /* Paired with READ_ONCE() in wait_for_unix_gc(). */
    4495 + WRITE_ONCE(gc_in_progress, false);
    4496 +
    4497 wake_up(&unix_gc_wait);
    4498
    4499 out:
    4500 diff --git a/net/unix/scm.c b/net/unix/scm.c
    4501 index df8f636ab1d8c..bf1a8fa8c4f1d 100644
    4502 --- a/net/unix/scm.c
    4503 +++ b/net/unix/scm.c
    4504 @@ -56,7 +56,8 @@ void unix_inflight(struct user_struct *user, struct file *fp)
    4505 } else {
    4506 BUG_ON(list_empty(&u->link));
    4507 }
    4508 - unix_tot_inflight++;
    4509 + /* Paired with READ_ONCE() in wait_for_unix_gc() */
    4510 + WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1);
    4511 }
    4512 user->unix_inflight++;
    4513 spin_unlock(&unix_gc_lock);
    4514 @@ -76,7 +77,8 @@ void unix_notinflight(struct user_struct *user, struct file *fp)
    4515
    4516 if (atomic_long_dec_and_test(&u->inflight))
    4517 list_del_init(&u->link);
    4518 - unix_tot_inflight--;
    4519 + /* Paired with READ_ONCE() in wait_for_unix_gc() */
    4520 + WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1);
    4521 }
    4522 user->unix_inflight--;
    4523 spin_unlock(&unix_gc_lock);
    4524 diff --git a/scripts/dtc/dtx_diff b/scripts/dtc/dtx_diff
    4525 index ec47f95991a3a..971e74f408a77 100755
    4526 --- a/scripts/dtc/dtx_diff
    4527 +++ b/scripts/dtc/dtx_diff
    4528 @@ -56,12 +56,8 @@ Otherwise DTx is treated as a dts source file (aka .dts).
    4529 or '/include/' to be processed.
    4530
    4531 If DTx_1 and DTx_2 are in different architectures, then this script
    4532 - may not work since \${ARCH} is part of the include path. Two possible
    4533 - workarounds:
    4534 -
    4535 - `basename $0` \\
    4536 - <(ARCH=arch_of_dtx_1 `basename $0` DTx_1) \\
    4537 - <(ARCH=arch_of_dtx_2 `basename $0` DTx_2)
    4538 + may not work since \${ARCH} is part of the include path. The following
    4539 + workaround can be used:
    4540
    4541 `basename $0` ARCH=arch_of_dtx_1 DTx_1 >tmp_dtx_1.dts
    4542 `basename $0` ARCH=arch_of_dtx_2 DTx_2 >tmp_dtx_2.dts
    4543 diff --git a/sound/core/jack.c b/sound/core/jack.c
    4544 index 5ddf81f091fa9..36cfe1c54109d 100644
    4545 --- a/sound/core/jack.c
    4546 +++ b/sound/core/jack.c
    4547 @@ -68,10 +68,13 @@ static int snd_jack_dev_free(struct snd_device *device)
    4548 struct snd_card *card = device->card;
    4549 struct snd_jack_kctl *jack_kctl, *tmp_jack_kctl;
    4550
    4551 + down_write(&card->controls_rwsem);
    4552 list_for_each_entry_safe(jack_kctl, tmp_jack_kctl, &jack->kctl_list, list) {
    4553 list_del_init(&jack_kctl->list);
    4554 snd_ctl_remove(card, jack_kctl->kctl);
    4555 }
    4556 + up_write(&card->controls_rwsem);
    4557 +
    4558 if (jack->private_free)
    4559 jack->private_free(jack);
    4560
    4561 diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
    4562 index 0ce3f42721c4d..440c16e0d0713 100644
    4563 --- a/sound/core/oss/pcm_oss.c
    4564 +++ b/sound/core/oss/pcm_oss.c
    4565 @@ -2122,7 +2122,7 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
    4566 int err, cmd;
    4567
    4568 #ifdef OSS_DEBUG
    4569 - pcm_dbg(substream->pcm, "pcm_oss: trigger = 0x%x\n", trigger);
    4570 + pr_debug("pcm_oss: trigger = 0x%x\n", trigger);
    4571 #endif
    4572
    4573 psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK];
    4574 diff --git a/sound/core/pcm.c b/sound/core/pcm.c
    4575 index cdff5f9764808..6ae28dcd79945 100644
    4576 --- a/sound/core/pcm.c
    4577 +++ b/sound/core/pcm.c
    4578 @@ -857,7 +857,11 @@ EXPORT_SYMBOL(snd_pcm_new_internal);
    4579 static void free_chmap(struct snd_pcm_str *pstr)
    4580 {
    4581 if (pstr->chmap_kctl) {
    4582 - snd_ctl_remove(pstr->pcm->card, pstr->chmap_kctl);
    4583 + struct snd_card *card = pstr->pcm->card;
    4584 +
    4585 + down_write(&card->controls_rwsem);
    4586 + snd_ctl_remove(card, pstr->chmap_kctl);
    4587 + up_write(&card->controls_rwsem);
    4588 pstr->chmap_kctl = NULL;
    4589 }
    4590 }
    4591 diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
    4592 index ea1aa07962761..b923059a22276 100644
    4593 --- a/sound/core/seq/seq_queue.c
    4594 +++ b/sound/core/seq/seq_queue.c
    4595 @@ -257,12 +257,15 @@ struct snd_seq_queue *snd_seq_queue_find_name(char *name)
    4596
    4597 /* -------------------------------------------------------- */
    4598
    4599 +#define MAX_CELL_PROCESSES_IN_QUEUE 1000
    4600 +
    4601 void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop)
    4602 {
    4603 unsigned long flags;
    4604 struct snd_seq_event_cell *cell;
    4605 snd_seq_tick_time_t cur_tick;
    4606 snd_seq_real_time_t cur_time;
    4607 + int processed = 0;
    4608
    4609 if (q == NULL)
    4610 return;
    4611 @@ -285,6 +288,8 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop)
    4612 if (!cell)
    4613 break;
    4614 snd_seq_dispatch_event(cell, atomic, hop);
    4615 + if (++processed >= MAX_CELL_PROCESSES_IN_QUEUE)
    4616 + goto out; /* the rest processed at the next batch */
    4617 }
    4618
    4619 /* Process time queue... */
    4620 @@ -294,14 +299,19 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop)
    4621 if (!cell)
    4622 break;
    4623 snd_seq_dispatch_event(cell, atomic, hop);
    4624 + if (++processed >= MAX_CELL_PROCESSES_IN_QUEUE)
    4625 + goto out; /* the rest processed at the next batch */
    4626 }
    4627
    4628 + out:
    4629 /* free lock */
    4630 spin_lock_irqsave(&q->check_lock, flags);
    4631 if (q->check_again) {
    4632 q->check_again = 0;
    4633 - spin_unlock_irqrestore(&q->check_lock, flags);
    4634 - goto __again;
    4635 + if (processed < MAX_CELL_PROCESSES_IN_QUEUE) {
    4636 + spin_unlock_irqrestore(&q->check_lock, flags);
    4637 + goto __again;
    4638 + }
    4639 }
    4640 q->check_blocked = 0;
    4641 spin_unlock_irqrestore(&q->check_lock, flags);
    4642 diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
    4643 index 4e67614f15f8e..8976da3e1e288 100644
    4644 --- a/sound/pci/hda/hda_codec.c
    4645 +++ b/sound/pci/hda/hda_codec.c
    4646 @@ -1608,8 +1608,11 @@ void snd_hda_ctls_clear(struct hda_codec *codec)
    4647 {
    4648 int i;
    4649 struct hda_nid_item *items = codec->mixers.list;
    4650 +
    4651 + down_write(&codec->card->controls_rwsem);
    4652 for (i = 0; i < codec->mixers.used; i++)
    4653 snd_ctl_remove(codec->card, items[i].kctl);
    4654 + up_write(&codec->card->controls_rwsem);
    4655 snd_array_free(&codec->mixers);
    4656 snd_array_free(&codec->nids);
    4657 }
    4658 diff --git a/sound/soc/mediatek/mt8173/mt8173-max98090.c b/sound/soc/mediatek/mt8173/mt8173-max98090.c
    4659 index 5524a2c727ec7..cab30cb48366d 100644
    4660 --- a/sound/soc/mediatek/mt8173/mt8173-max98090.c
    4661 +++ b/sound/soc/mediatek/mt8173/mt8173-max98090.c
    4662 @@ -183,6 +183,9 @@ static int mt8173_max98090_dev_probe(struct platform_device *pdev)
    4663 if (ret)
    4664 dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
    4665 __func__, ret);
    4666 +
    4667 + of_node_put(codec_node);
    4668 + of_node_put(platform_node);
    4669 return ret;
    4670 }
    4671
    4672 diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
    4673 index 467f7049a2886..52fdd766ee82c 100644
    4674 --- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
    4675 +++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
    4676 @@ -228,6 +228,8 @@ static int mt8173_rt5650_rt5514_dev_probe(struct platform_device *pdev)
    4677 if (ret)
    4678 dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
    4679 __func__, ret);
    4680 +
    4681 + of_node_put(platform_node);
    4682 return ret;
    4683 }
    4684
    4685 diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c
    4686 index 1b8b2a7788450..5d75b04f074fe 100644
    4687 --- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c
    4688 +++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c
    4689 @@ -285,6 +285,8 @@ static int mt8173_rt5650_rt5676_dev_probe(struct platform_device *pdev)
    4690 if (ret)
    4691 dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
    4692 __func__, ret);
    4693 +
    4694 + of_node_put(platform_node);
    4695 return ret;
    4696 }
    4697
    4698 diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650.c b/sound/soc/mediatek/mt8173/mt8173-rt5650.c
    4699 index ba65f4157a7e0..d02a90201b13b 100644
    4700 --- a/sound/soc/mediatek/mt8173/mt8173-rt5650.c
    4701 +++ b/sound/soc/mediatek/mt8173/mt8173-rt5650.c
    4702 @@ -317,6 +317,8 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev)
    4703 if (ret)
    4704 dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
    4705 __func__, ret);
    4706 +
    4707 + of_node_put(platform_node);
    4708 return ret;
    4709 }
    4710
    4711 diff --git a/sound/soc/samsung/idma.c b/sound/soc/samsung/idma.c
    4712 index 3e408158625db..72014dea75422 100644
    4713 --- a/sound/soc/samsung/idma.c
    4714 +++ b/sound/soc/samsung/idma.c
    4715 @@ -369,6 +369,8 @@ static int preallocate_idma_buffer(struct snd_pcm *pcm, int stream)
    4716 buf->addr = idma.lp_tx_addr;
    4717 buf->bytes = idma_hardware.buffer_bytes_max;
    4718 buf->area = (unsigned char * __force)ioremap(buf->addr, buf->bytes);
    4719 + if (!buf->area)
    4720 + return -ENOMEM;
    4721
    4722 return 0;
    4723 }
    4724 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
    4725 index db859b595dba1..d9b7001227e3c 100644
    4726 --- a/virt/kvm/kvm_main.c
    4727 +++ b/virt/kvm/kvm_main.c
    4728 @@ -1513,15 +1513,24 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault)
    4729 return true;
    4730 }
    4731
    4732 +static int kvm_try_get_pfn(kvm_pfn_t pfn)
    4733 +{
    4734 + if (kvm_is_reserved_pfn(pfn))
    4735 + return 1;
    4736 + return get_page_unless_zero(pfn_to_page(pfn));
    4737 +}
    4738 +
    4739 static int hva_to_pfn_remapped(struct vm_area_struct *vma,
    4740 unsigned long addr, bool *async,
    4741 bool write_fault, bool *writable,
    4742 kvm_pfn_t *p_pfn)
    4743 {
    4744 - unsigned long pfn;
    4745 + kvm_pfn_t pfn;
    4746 + pte_t *ptep;
    4747 + spinlock_t *ptl;
    4748 int r;
    4749
    4750 - r = follow_pfn(vma, addr, &pfn);
    4751 + r = follow_pte_pmd(vma->vm_mm, addr, &ptep, NULL, &ptl);
    4752 if (r) {
    4753 /*
    4754 * get_user_pages fails for VM_IO and VM_PFNMAP vmas and does
    4755 @@ -1536,14 +1545,19 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma,
    4756 if (r)
    4757 return r;
    4758
    4759 - r = follow_pfn(vma, addr, &pfn);
    4760 + r = follow_pte_pmd(vma->vm_mm, addr, &ptep, NULL, &ptl);
    4761 if (r)
    4762 return r;
    4763 + }
    4764
    4765 + if (write_fault && !pte_write(*ptep)) {
    4766 + pfn = KVM_PFN_ERR_RO_FAULT;
    4767 + goto out;
    4768 }
    4769
    4770 if (writable)
    4771 - *writable = true;
    4772 + *writable = pte_write(*ptep);
    4773 + pfn = pte_pfn(*ptep);
    4774
    4775 /*
    4776 * Get a reference here because callers of *hva_to_pfn* and
    4777 @@ -1555,11 +1569,21 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma,
    4778 * Whoever called remap_pfn_range is also going to call e.g.
    4779 * unmap_mapping_range before the underlying pages are freed,
    4780 * causing a call to our MMU notifier.
    4781 + *
    4782 + * Certain IO or PFNMAP mappings can be backed with valid
    4783 + * struct pages, but be allocated without refcounting e.g.,
    4784 + * tail pages of non-compound higher order allocations, which
    4785 + * would then underflow the refcount when the caller does the
    4786 + * required put_page. Don't allow those pages here.
    4787 */
    4788 - kvm_get_pfn(pfn);
    4789 + if (!kvm_try_get_pfn(pfn))
    4790 + r = -EFAULT;
    4791
    4792 +out:
    4793 + pte_unmap_unlock(ptep, ptl);
    4794 *p_pfn = pfn;
    4795 - return 0;
    4796 +
    4797 + return r;
    4798 }
    4799
    4800 /*