Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-magellan/patches-4.11/0107-4.11.8-all-fixes.patch

    Contents of /trunk/kernel-magellan/patches-4.11/0107-4.11.8-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 2950 - (show annotations) (download)
    Tue Jul 4 08:38:28 2017 UTC (7 years, 4 months ago) by niro
    File size: 86606 byte(s) 
    -linux-4.11.8
    1 diff --git a/Makefile b/Makefile
    2 index 1b0fe238d633..8c5c94ca56d9 100644
    3 --- a/Makefile
    4 +++ b/Makefile
    5 @@ -1,6 +1,6 @@
    6 VERSION = 4
    7 PATCHLEVEL = 11
    8 -SUBLEVEL = 7
    9 +SUBLEVEL = 8
    10 EXTRAVERSION =
    11 NAME = Fearless Coyote
    12
    13 diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c
    14 index 41b6e31f8f55..d0cb007fa482 100644
    15 --- a/arch/arm64/kernel/vdso.c
    16 +++ b/arch/arm64/kernel/vdso.c
    17 @@ -221,10 +221,11 @@ void update_vsyscall(struct timekeeper *tk)
    18 /* tkr_mono.cycle_last == tkr_raw.cycle_last */
    19 vdso_data->cs_cycle_last = tk->tkr_mono.cycle_last;
    20 vdso_data->raw_time_sec = tk->raw_time.tv_sec;
    21 - vdso_data->raw_time_nsec = tk->raw_time.tv_nsec;
    22 + vdso_data->raw_time_nsec = (tk->raw_time.tv_nsec <<
    23 + tk->tkr_raw.shift) +
    24 + tk->tkr_raw.xtime_nsec;
    25 vdso_data->xtime_clock_sec = tk->xtime_sec;
    26 vdso_data->xtime_clock_nsec = tk->tkr_mono.xtime_nsec;
    27 - /* tkr_raw.xtime_nsec == 0 */
    28 vdso_data->cs_mono_mult = tk->tkr_mono.mult;
    29 vdso_data->cs_raw_mult = tk->tkr_raw.mult;
    30 /* tkr_mono.shift == tkr_raw.shift */
    31 diff --git a/arch/arm64/kernel/vdso/gettimeofday.S b/arch/arm64/kernel/vdso/gettimeofday.S
    32 index e00b4671bd7c..76320e920965 100644
    33 --- a/arch/arm64/kernel/vdso/gettimeofday.S
    34 +++ b/arch/arm64/kernel/vdso/gettimeofday.S
    35 @@ -256,7 +256,6 @@ monotonic_raw:
    36 seqcnt_check fail=monotonic_raw
    37
    38 /* All computations are done with left-shifted nsecs. */
    39 - lsl x14, x14, x12
    40 get_nsec_per_sec res=x9
    41 lsl x9, x9, x12
    42
    43 diff --git a/arch/mips/kvm/tlb.c b/arch/mips/kvm/tlb.c
    44 index 2819eb793345..3b5b7936345c 100644
    45 --- a/arch/mips/kvm/tlb.c
    46 +++ b/arch/mips/kvm/tlb.c
    47 @@ -147,7 +147,11 @@ static int _kvm_mips_host_tlb_inv(unsigned long entryhi)
    48 int kvm_mips_host_tlb_inv(struct kvm_vcpu *vcpu, unsigned long va,
    49 bool user, bool kernel)
    50 {
    51 - int idx_user, idx_kernel;
    52 + /*
    53 + * Initialize idx_user and idx_kernel to workaround bogus
    54 + * maybe-initialized warning when using GCC 6.
    55 + */
    56 + int idx_user = 0, idx_kernel = 0;
    57 unsigned long flags, old_entryhi;
    58
    59 local_irq_save(flags);
    60 diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
    61 index 6353019966e6..a59880c81d52 100644
    62 --- a/arch/powerpc/kernel/exceptions-64s.S
    63 +++ b/arch/powerpc/kernel/exceptions-64s.S
    64 @@ -1425,10 +1425,8 @@ USE_TEXT_SECTION()
    65 .balign IFETCH_ALIGN_BYTES
    66 do_hash_page:
    67 #ifdef CONFIG_PPC_STD_MMU_64
    68 - andis. r0,r4,0xa410 /* weird error? */
    69 + andis. r0,r4,0xa450 /* weird error? */
    70 bne- handle_page_fault /* if not, try to insert a HPTE */
    71 - andis. r0,r4,DSISR_DABRMATCH@h
    72 - bne- handle_dabr_fault
    73 CURRENT_THREAD_INFO(r11, r1)
    74 lwz r0,TI_PREEMPT(r11) /* If we're in an "NMI" */
    75 andis. r0,r0,NMI_MASK@h /* (i.e. an irq when soft-disabled) */
    76 @@ -1452,11 +1450,16 @@ do_hash_page:
    77
    78 /* Error */
    79 blt- 13f
    80 +
    81 + /* Reload DSISR into r4 for the DABR check below */
    82 + ld r4,_DSISR(r1)
    83 #endif /* CONFIG_PPC_STD_MMU_64 */
    84
    85 /* Here we have a page fault that hash_page can't handle. */
    86 handle_page_fault:
    87 -11: ld r4,_DAR(r1)
    88 +11: andis. r0,r4,DSISR_DABRMATCH@h
    89 + bne- handle_dabr_fault
    90 + ld r4,_DAR(r1)
    91 ld r5,_DSISR(r1)
    92 addi r3,r1,STACK_FRAME_OVERHEAD
    93 bl do_page_fault
    94 diff --git a/arch/powerpc/kernel/kprobes.c b/arch/powerpc/kernel/kprobes.c
    95 index fce05a38851c..49d5f193438a 100644
    96 --- a/arch/powerpc/kernel/kprobes.c
    97 +++ b/arch/powerpc/kernel/kprobes.c
    98 @@ -495,6 +495,15 @@ int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
    99 regs->gpr[2] = (unsigned long)(((func_descr_t *)jp->entry)->toc);
    100 #endif
    101
    102 + /*
    103 + * jprobes use jprobe_return() which skips the normal return
    104 + * path of the function, and this messes up the accounting of the
    105 + * function graph tracer.
    106 + *
    107 + * Pause function graph tracing while performing the jprobe function.
    108 + */
    109 + pause_graph_tracing();
    110 +
    111 return 1;
    112 }
    113
    114 @@ -517,6 +526,8 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
    115 * saved regs...
    116 */
    117 memcpy(regs, &kcb->jprobe_saved_regs, sizeof(struct pt_regs));
    118 + /* It's OK to start function graph tracing again */
    119 + unpause_graph_tracing();
    120 preempt_enable_no_resched();
    121 return 1;
    122 }
    123 diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
    124 index 1ec86d9e2a82..e6a94bd2b158 100644
    125 --- a/arch/powerpc/kvm/book3s_hv.c
    126 +++ b/arch/powerpc/kvm/book3s_hv.c
    127 @@ -1481,6 +1481,14 @@ static int kvmppc_set_one_reg_hv(struct kvm_vcpu *vcpu, u64 id,
    128 r = set_vpa(vcpu, &vcpu->arch.dtl, addr, len);
    129 break;
    130 case KVM_REG_PPC_TB_OFFSET:
    131 + /*
    132 + * POWER9 DD1 has an erratum where writing TBU40 causes
    133 + * the timebase to lose ticks. So we don't let the
    134 + * timebase offset be changed on P9 DD1. (It is
    135 + * initialized to zero.)
    136 + */
    137 + if (cpu_has_feature(CPU_FTR_POWER9_DD1))
    138 + break;
    139 /* round up to multiple of 2^24 */
    140 vcpu->arch.vcore->tb_offset =
    141 ALIGN(set_reg_val(id, *val), 1UL << 24);
    142 @@ -2902,12 +2910,36 @@ static int kvmppc_vcpu_run_hv(struct kvm_run *run, struct kvm_vcpu *vcpu)
    143 {
    144 int r;
    145 int srcu_idx;
    146 + unsigned long ebb_regs[3] = {}; /* shut up GCC */
    147 + unsigned long user_tar = 0;
    148 + unsigned int user_vrsave;
    149
    150 if (!vcpu->arch.sane) {
    151 run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
    152 return -EINVAL;
    153 }
    154
    155 + /*
    156 + * Don't allow entry with a suspended transaction, because
    157 + * the guest entry/exit code will lose it.
    158 + * If the guest has TM enabled, save away their TM-related SPRs
    159 + * (they will get restored by the TM unavailable interrupt).
    160 + */
    161 +#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
    162 + if (cpu_has_feature(CPU_FTR_TM) && current->thread.regs &&
    163 + (current->thread.regs->msr & MSR_TM)) {
    164 + if (MSR_TM_ACTIVE(current->thread.regs->msr)) {
    165 + run->exit_reason = KVM_EXIT_FAIL_ENTRY;
    166 + run->fail_entry.hardware_entry_failure_reason = 0;
    167 + return -EINVAL;
    168 + }
    169 + current->thread.tm_tfhar = mfspr(SPRN_TFHAR);
    170 + current->thread.tm_tfiar = mfspr(SPRN_TFIAR);
    171 + current->thread.tm_texasr = mfspr(SPRN_TEXASR);
    172 + current->thread.regs->msr &= ~MSR_TM;
    173 + }
    174 +#endif
    175 +
    176 kvmppc_core_prepare_to_enter(vcpu);
    177
    178 /* No need to go into the guest when all we'll do is come back out */
    179 @@ -2929,6 +2961,15 @@ static int kvmppc_vcpu_run_hv(struct kvm_run *run, struct kvm_vcpu *vcpu)
    180
    181 flush_all_to_thread(current);
    182
    183 + /* Save userspace EBB and other register values */
    184 + if (cpu_has_feature(CPU_FTR_ARCH_207S)) {
    185 + ebb_regs[0] = mfspr(SPRN_EBBHR);
    186 + ebb_regs[1] = mfspr(SPRN_EBBRR);
    187 + ebb_regs[2] = mfspr(SPRN_BESCR);
    188 + user_tar = mfspr(SPRN_TAR);
    189 + }
    190 + user_vrsave = mfspr(SPRN_VRSAVE);
    191 +
    192 vcpu->arch.wqp = &vcpu->arch.vcore->wq;
    193 vcpu->arch.pgdir = current->mm->pgd;
    194 vcpu->arch.state = KVMPPC_VCPU_BUSY_IN_HOST;
    195 @@ -2951,6 +2992,16 @@ static int kvmppc_vcpu_run_hv(struct kvm_run *run, struct kvm_vcpu *vcpu)
    196 r = kvmppc_xics_rm_complete(vcpu, 0);
    197 } while (is_kvmppc_resume_guest(r));
    198
    199 + /* Restore userspace EBB and other register values */
    200 + if (cpu_has_feature(CPU_FTR_ARCH_207S)) {
    201 + mtspr(SPRN_EBBHR, ebb_regs[0]);
    202 + mtspr(SPRN_EBBRR, ebb_regs[1]);
    203 + mtspr(SPRN_BESCR, ebb_regs[2]);
    204 + mtspr(SPRN_TAR, user_tar);
    205 + mtspr(SPRN_FSCR, current->thread.fscr);
    206 + }
    207 + mtspr(SPRN_VRSAVE, user_vrsave);
    208 +
    209 out:
    210 vcpu->arch.state = KVMPPC_VCPU_NOTREADY;
    211 atomic_dec(&vcpu->kvm->arch.vcpus_running);
    212 diff --git a/arch/powerpc/kvm/book3s_hv_interrupts.S b/arch/powerpc/kvm/book3s_hv_interrupts.S
    213 index 0fdc4a28970b..404deb512844 100644
    214 --- a/arch/powerpc/kvm/book3s_hv_interrupts.S
    215 +++ b/arch/powerpc/kvm/book3s_hv_interrupts.S
    216 @@ -121,10 +121,20 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
    217 * Put whatever is in the decrementer into the
    218 * hypervisor decrementer.
    219 */
    220 +BEGIN_FTR_SECTION
    221 + ld r5, HSTATE_KVM_VCORE(r13)
    222 + ld r6, VCORE_KVM(r5)
    223 + ld r9, KVM_HOST_LPCR(r6)
    224 + andis. r9, r9, LPCR_LD@h
    225 +END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
    226 mfspr r8,SPRN_DEC
    227 mftb r7
    228 - mtspr SPRN_HDEC,r8
    229 +BEGIN_FTR_SECTION
    230 + /* On POWER9, don't sign-extend if host LPCR[LD] bit is set */
    231 + bne 32f
    232 +END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
    233 extsw r8,r8
    234 +32: mtspr SPRN_HDEC,r8
    235 add r8,r8,r7
    236 std r8,HSTATE_DECEXP(r13)
    237
    238 diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
    239 index 7c6477d1840a..9250866cc900 100644
    240 --- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
    241 +++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
    242 @@ -31,12 +31,29 @@
    243 #include <asm/tm.h>
    244 #include <asm/opal.h>
    245
    246 +/* Sign-extend HDEC if not on POWER9 */
    247 +#define EXTEND_HDEC(reg) \
    248 +BEGIN_FTR_SECTION; \
    249 + extsw reg, reg; \
    250 +END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_300)
    251 +
    252 #define VCPU_GPRS_TM(reg) (((reg) * ULONG_SIZE) + VCPU_GPR_TM)
    253
    254 /* Values in HSTATE_NAPPING(r13) */
    255 #define NAPPING_CEDE 1
    256 #define NAPPING_NOVCPU 2
    257
    258 +/* Stack frame offsets for kvmppc_hv_entry */
    259 +#define SFS 144
    260 +#define STACK_SLOT_TRAP (SFS-4)
    261 +#define STACK_SLOT_TID (SFS-16)
    262 +#define STACK_SLOT_PSSCR (SFS-24)
    263 +#define STACK_SLOT_PID (SFS-32)
    264 +#define STACK_SLOT_IAMR (SFS-40)
    265 +#define STACK_SLOT_CIABR (SFS-48)
    266 +#define STACK_SLOT_DAWR (SFS-56)
    267 +#define STACK_SLOT_DAWRX (SFS-64)
    268 +
    269 /*
    270 * Call kvmppc_hv_entry in real mode.
    271 * Must be called with interrupts hard-disabled.
    272 @@ -213,6 +230,8 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
    273 kvmppc_primary_no_guest:
    274 /* We handle this much like a ceded vcpu */
    275 /* put the HDEC into the DEC, since HDEC interrupts don't wake us */
    276 + /* HDEC may be larger than DEC for arch >= v3.00, but since the */
    277 + /* HDEC value came from DEC in the first place, it will fit */
    278 mfspr r3, SPRN_HDEC
    279 mtspr SPRN_DEC, r3
    280 /*
    281 @@ -294,8 +313,9 @@ kvm_novcpu_wakeup:
    282
    283 /* See if our timeslice has expired (HDEC is negative) */
    284 mfspr r0, SPRN_HDEC
    285 + EXTEND_HDEC(r0)
    286 li r12, BOOK3S_INTERRUPT_HV_DECREMENTER
    287 - cmpwi r0, 0
    288 + cmpdi r0, 0
    289 blt kvm_novcpu_exit
    290
    291 /* Got an IPI but other vcpus aren't yet exiting, must be a latecomer */
    292 @@ -318,10 +338,10 @@ kvm_novcpu_exit:
    293 bl kvmhv_accumulate_time
    294 #endif
    295 13: mr r3, r12
    296 - stw r12, 112-4(r1)
    297 + stw r12, STACK_SLOT_TRAP(r1)
    298 bl kvmhv_commence_exit
    299 nop
    300 - lwz r12, 112-4(r1)
    301 + lwz r12, STACK_SLOT_TRAP(r1)
    302 b kvmhv_switch_to_host
    303
    304 /*
    305 @@ -389,8 +409,8 @@ kvm_secondary_got_guest:
    306 lbz r4, HSTATE_PTID(r13)
    307 cmpwi r4, 0
    308 bne 63f
    309 - lis r6, 0x7fff
    310 - ori r6, r6, 0xffff
    311 + LOAD_REG_ADDR(r6, decrementer_max)
    312 + ld r6, 0(r6)
    313 mtspr SPRN_HDEC, r6
    314 /* and set per-LPAR registers, if doing dynamic micro-threading */
    315 ld r6, HSTATE_SPLIT_MODE(r13)
    316 @@ -544,11 +564,6 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
    317 * *
    318 *****************************************************************************/
    319
    320 -/* Stack frame offsets */
    321 -#define STACK_SLOT_TID (112-16)
    322 -#define STACK_SLOT_PSSCR (112-24)
    323 -#define STACK_SLOT_PID (112-32)
    324 -
    325 .global kvmppc_hv_entry
    326 kvmppc_hv_entry:
    327
    328 @@ -564,7 +579,7 @@ kvmppc_hv_entry:
    329 */
    330 mflr r0
    331 std r0, PPC_LR_STKOFF(r1)
    332 - stdu r1, -112(r1)
    333 + stdu r1, -SFS(r1)
    334
    335 /* Save R1 in the PACA */
    336 std r1, HSTATE_HOST_R1(r13)
    337 @@ -748,10 +763,20 @@ BEGIN_FTR_SECTION
    338 mfspr r5, SPRN_TIDR
    339 mfspr r6, SPRN_PSSCR
    340 mfspr r7, SPRN_PID
    341 + mfspr r8, SPRN_IAMR
    342 std r5, STACK_SLOT_TID(r1)
    343 std r6, STACK_SLOT_PSSCR(r1)
    344 std r7, STACK_SLOT_PID(r1)
    345 + std r8, STACK_SLOT_IAMR(r1)
    346 END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
    347 +BEGIN_FTR_SECTION
    348 + mfspr r5, SPRN_CIABR
    349 + mfspr r6, SPRN_DAWR
    350 + mfspr r7, SPRN_DAWRX
    351 + std r5, STACK_SLOT_CIABR(r1)
    352 + std r6, STACK_SLOT_DAWR(r1)
    353 + std r7, STACK_SLOT_DAWRX(r1)
    354 +END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
    355
    356 BEGIN_FTR_SECTION
    357 /* Set partition DABR */
    358 @@ -967,7 +992,8 @@ ALT_FTR_SECTION_END_IFCLR(CPU_FTR_ARCH_300)
    359
    360 /* Check if HDEC expires soon */
    361 mfspr r3, SPRN_HDEC
    362 - cmpwi r3, 512 /* 1 microsecond */
    363 + EXTEND_HDEC(r3)
    364 + cmpdi r3, 512 /* 1 microsecond */
    365 blt hdec_soon
    366
    367 deliver_guest_interrupt:
    368 @@ -1451,11 +1477,10 @@ ALT_FTR_SECTION_END_IFCLR(CPU_FTR_ARCH_300)
    369 * set by the guest could disrupt the host.
    370 */
    371 li r0, 0
    372 - mtspr SPRN_IAMR, r0
    373 - mtspr SPRN_CIABR, r0
    374 - mtspr SPRN_DAWRX, r0
    375 + mtspr SPRN_PSPB, r0
    376 mtspr SPRN_WORT, r0
    377 BEGIN_FTR_SECTION
    378 + mtspr SPRN_IAMR, r0
    379 mtspr SPRN_TCSCR, r0
    380 /* Set MMCRS to 1<<31 to freeze and disable the SPMC counters */
    381 li r0, 1
    382 @@ -1471,6 +1496,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_300)
    383 std r6,VCPU_UAMOR(r9)
    384 li r6,0
    385 mtspr SPRN_AMR,r6
    386 + mtspr SPRN_UAMOR, r6
    387
    388 /* Switch DSCR back to host value */
    389 mfspr r8, SPRN_DSCR
    390 @@ -1616,12 +1642,22 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
    391
    392 /* Restore host values of some registers */
    393 BEGIN_FTR_SECTION
    394 + ld r5, STACK_SLOT_CIABR(r1)
    395 + ld r6, STACK_SLOT_DAWR(r1)
    396 + ld r7, STACK_SLOT_DAWRX(r1)
    397 + mtspr SPRN_CIABR, r5
    398 + mtspr SPRN_DAWR, r6
    399 + mtspr SPRN_DAWRX, r7
    400 +END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
    401 +BEGIN_FTR_SECTION
    402 ld r5, STACK_SLOT_TID(r1)
    403 ld r6, STACK_SLOT_PSSCR(r1)
    404 ld r7, STACK_SLOT_PID(r1)
    405 + ld r8, STACK_SLOT_IAMR(r1)
    406 mtspr SPRN_TIDR, r5
    407 mtspr SPRN_PSSCR, r6
    408 mtspr SPRN_PID, r7
    409 + mtspr SPRN_IAMR, r8
    410 END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
    411 BEGIN_FTR_SECTION
    412 PPC_INVALIDATE_ERAT
    413 @@ -1765,8 +1801,8 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_TYPE_RADIX)
    414 li r0, KVM_GUEST_MODE_NONE
    415 stb r0, HSTATE_IN_GUEST(r13)
    416
    417 - ld r0, 112+PPC_LR_STKOFF(r1)
    418 - addi r1, r1, 112
    419 + ld r0, SFS+PPC_LR_STKOFF(r1)
    420 + addi r1, r1, SFS
    421 mtlr r0
    422 blr
    423
    424 @@ -2308,12 +2344,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_TM)
    425 mfspr r3, SPRN_DEC
    426 mfspr r4, SPRN_HDEC
    427 mftb r5
    428 - cmpw r3, r4
    429 + extsw r3, r3
    430 + EXTEND_HDEC(r4)
    431 + cmpd r3, r4
    432 ble 67f
    433 mtspr SPRN_DEC, r4
    434 67:
    435 /* save expiry time of guest decrementer */
    436 - extsw r3, r3
    437 add r3, r3, r5
    438 ld r4, HSTATE_KVM_VCPU(r13)
    439 ld r5, HSTATE_KVM_VCORE(r13)
    440 diff --git a/arch/powerpc/perf/perf_regs.c b/arch/powerpc/perf/perf_regs.c
    441 index cbd82fde5770..09ceea6175ba 100644
    442 --- a/arch/powerpc/perf/perf_regs.c
    443 +++ b/arch/powerpc/perf/perf_regs.c
    444 @@ -101,5 +101,6 @@ void perf_get_regs_user(struct perf_regs *regs_user,
    445 struct pt_regs *regs_user_copy)
    446 {
    447 regs_user->regs = task_pt_regs(current);
    448 - regs_user->abi = perf_reg_abi(current);
    449 + regs_user->abi = (regs_user->regs) ? perf_reg_abi(current) :
    450 + PERF_SAMPLE_REGS_ABI_NONE;
    451 }
    452 diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c
    453 index ddbffb715b40..e92f5bd9d0b4 100644
    454 --- a/arch/s390/kvm/gaccess.c
    455 +++ b/arch/s390/kvm/gaccess.c
    456 @@ -977,11 +977,12 @@ static int kvm_s390_shadow_tables(struct gmap *sg, unsigned long saddr,
    457 ptr = asce.origin * 4096;
    458 if (asce.r) {
    459 *fake = 1;
    460 + ptr = 0;
    461 asce.dt = ASCE_TYPE_REGION1;
    462 }
    463 switch (asce.dt) {
    464 case ASCE_TYPE_REGION1:
    465 - if (vaddr.rfx01 > asce.tl && !asce.r)
    466 + if (vaddr.rfx01 > asce.tl && !*fake)
    467 return PGM_REGION_FIRST_TRANS;
    468 break;
    469 case ASCE_TYPE_REGION2:
    470 @@ -1009,8 +1010,7 @@ static int kvm_s390_shadow_tables(struct gmap *sg, unsigned long saddr,
    471 union region1_table_entry rfte;
    472
    473 if (*fake) {
    474 - /* offset in 16EB guest memory block */
    475 - ptr = ptr + ((unsigned long) vaddr.rsx << 53UL);
    476 + ptr += (unsigned long) vaddr.rfx << 53;
    477 rfte.val = ptr;
    478 goto shadow_r2t;
    479 }
    480 @@ -1036,8 +1036,7 @@ static int kvm_s390_shadow_tables(struct gmap *sg, unsigned long saddr,
    481 union region2_table_entry rste;
    482
    483 if (*fake) {
    484 - /* offset in 8PB guest memory block */
    485 - ptr = ptr + ((unsigned long) vaddr.rtx << 42UL);
    486 + ptr += (unsigned long) vaddr.rsx << 42;
    487 rste.val = ptr;
    488 goto shadow_r3t;
    489 }
    490 @@ -1064,8 +1063,7 @@ static int kvm_s390_shadow_tables(struct gmap *sg, unsigned long saddr,
    491 union region3_table_entry rtte;
    492
    493 if (*fake) {
    494 - /* offset in 4TB guest memory block */
    495 - ptr = ptr + ((unsigned long) vaddr.sx << 31UL);
    496 + ptr += (unsigned long) vaddr.rtx << 31;
    497 rtte.val = ptr;
    498 goto shadow_sgt;
    499 }
    500 @@ -1101,8 +1099,7 @@ static int kvm_s390_shadow_tables(struct gmap *sg, unsigned long saddr,
    501 union segment_table_entry ste;
    502
    503 if (*fake) {
    504 - /* offset in 2G guest memory block */
    505 - ptr = ptr + ((unsigned long) vaddr.sx << 20UL);
    506 + ptr += (unsigned long) vaddr.sx << 20;
    507 ste.val = ptr;
    508 goto shadow_pgt;
    509 }
    510 diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
    511 index eb1484c86bb4..65c2ca578556 100644
    512 --- a/arch/x86/events/intel/core.c
    513 +++ b/arch/x86/events/intel/core.c
    514 @@ -431,11 +431,11 @@ static __initconst const u64 skl_hw_cache_event_ids
    515 [ C(DTLB) ] = {
    516 [ C(OP_READ) ] = {
    517 [ C(RESULT_ACCESS) ] = 0x81d0, /* MEM_INST_RETIRED.ALL_LOADS */
    518 - [ C(RESULT_MISS) ] = 0x608, /* DTLB_LOAD_MISSES.WALK_COMPLETED */
    519 + [ C(RESULT_MISS) ] = 0xe08, /* DTLB_LOAD_MISSES.WALK_COMPLETED */
    520 },
    521 [ C(OP_WRITE) ] = {
    522 [ C(RESULT_ACCESS) ] = 0x82d0, /* MEM_INST_RETIRED.ALL_STORES */
    523 - [ C(RESULT_MISS) ] = 0x649, /* DTLB_STORE_MISSES.WALK_COMPLETED */
    524 + [ C(RESULT_MISS) ] = 0xe49, /* DTLB_STORE_MISSES.WALK_COMPLETED */
    525 },
    526 [ C(OP_PREFETCH) ] = {
    527 [ C(RESULT_ACCESS) ] = 0x0,
    528 diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
    529 index 3e8c287090e4..d5f83cda1dea 100644
    530 --- a/arch/x86/include/asm/kvm_emulate.h
    531 +++ b/arch/x86/include/asm/kvm_emulate.h
    532 @@ -294,6 +294,7 @@ struct x86_emulate_ctxt {
    533
    534 bool perm_ok; /* do not check permissions if true */
    535 bool ud; /* inject an #UD if host doesn't support insn */
    536 + bool tf; /* TF value before instruction (after for syscall/sysret) */
    537
    538 bool have_exception;
    539 struct x86_exception exception;
    540 diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
    541 index 45c7306c8780..ce7f80baa664 100644
    542 --- a/arch/x86/kvm/emulate.c
    543 +++ b/arch/x86/kvm/emulate.c
    544 @@ -2742,6 +2742,7 @@ static int em_syscall(struct x86_emulate_ctxt *ctxt)
    545 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
    546 }
    547
    548 + ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
    549 return X86EMUL_CONTINUE;
    550 }
    551
    552 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
    553 index 6557c790c8c1..dd1fe338c5f5 100644
    554 --- a/arch/x86/kvm/x86.c
    555 +++ b/arch/x86/kvm/x86.c
    556 @@ -5330,6 +5330,8 @@ static void init_emulate_ctxt(struct kvm_vcpu *vcpu)
    557 kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l);
    558
    559 ctxt->eflags = kvm_get_rflags(vcpu);
    560 + ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
    561 +
    562 ctxt->eip = kvm_rip_read(vcpu);
    563 ctxt->mode = (!is_protmode(vcpu)) ? X86EMUL_MODE_REAL :
    564 (ctxt->eflags & X86_EFLAGS_VM) ? X86EMUL_MODE_VM86 :
    565 @@ -5546,36 +5548,25 @@ static int kvm_vcpu_check_hw_bp(unsigned long addr, u32 type, u32 dr7,
    566 return dr6;
    567 }
    568
    569 -static void kvm_vcpu_check_singlestep(struct kvm_vcpu *vcpu, unsigned long rflags, int *r)
    570 +static void kvm_vcpu_do_singlestep(struct kvm_vcpu *vcpu, int *r)
    571 {
    572 struct kvm_run *kvm_run = vcpu->run;
    573
    574 - /*
    575 - * rflags is the old, "raw" value of the flags. The new value has
    576 - * not been saved yet.
    577 - *
    578 - * This is correct even for TF set by the guest, because "the
    579 - * processor will not generate this exception after the instruction
    580 - * that sets the TF flag".
    581 - */
    582 - if (unlikely(rflags & X86_EFLAGS_TF)) {
    583 - if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP) {
    584 - kvm_run->debug.arch.dr6 = DR6_BS | DR6_FIXED_1 |
    585 - DR6_RTM;
    586 - kvm_run->debug.arch.pc = vcpu->arch.singlestep_rip;
    587 - kvm_run->debug.arch.exception = DB_VECTOR;
    588 - kvm_run->exit_reason = KVM_EXIT_DEBUG;
    589 - *r = EMULATE_USER_EXIT;
    590 - } else {
    591 - /*
    592 - * "Certain debug exceptions may clear bit 0-3. The
    593 - * remaining contents of the DR6 register are never
    594 - * cleared by the processor".
    595 - */
    596 - vcpu->arch.dr6 &= ~15;
    597 - vcpu->arch.dr6 |= DR6_BS | DR6_RTM;
    598 - kvm_queue_exception(vcpu, DB_VECTOR);
    599 - }
    600 + if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP) {
    601 + kvm_run->debug.arch.dr6 = DR6_BS | DR6_FIXED_1 | DR6_RTM;
    602 + kvm_run->debug.arch.pc = vcpu->arch.singlestep_rip;
    603 + kvm_run->debug.arch.exception = DB_VECTOR;
    604 + kvm_run->exit_reason = KVM_EXIT_DEBUG;
    605 + *r = EMULATE_USER_EXIT;
    606 + } else {
    607 + /*
    608 + * "Certain debug exceptions may clear bit 0-3. The
    609 + * remaining contents of the DR6 register are never
    610 + * cleared by the processor".
    611 + */
    612 + vcpu->arch.dr6 &= ~15;
    613 + vcpu->arch.dr6 |= DR6_BS | DR6_RTM;
    614 + kvm_queue_exception(vcpu, DB_VECTOR);
    615 }
    616 }
    617
    618 @@ -5585,7 +5576,17 @@ int kvm_skip_emulated_instruction(struct kvm_vcpu *vcpu)
    619 int r = EMULATE_DONE;
    620
    621 kvm_x86_ops->skip_emulated_instruction(vcpu);
    622 - kvm_vcpu_check_singlestep(vcpu, rflags, &r);
    623 +
    624 + /*
    625 + * rflags is the old, "raw" value of the flags. The new value has
    626 + * not been saved yet.
    627 + *
    628 + * This is correct even for TF set by the guest, because "the
    629 + * processor will not generate this exception after the instruction
    630 + * that sets the TF flag".
    631 + */
    632 + if (unlikely(rflags & X86_EFLAGS_TF))
    633 + kvm_vcpu_do_singlestep(vcpu, &r);
    634 return r == EMULATE_DONE;
    635 }
    636 EXPORT_SYMBOL_GPL(kvm_skip_emulated_instruction);
    637 @@ -5746,8 +5747,9 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu,
    638 if (vcpu->arch.hflags != ctxt->emul_flags)
    639 kvm_set_hflags(vcpu, ctxt->emul_flags);
    640 kvm_rip_write(vcpu, ctxt->eip);
    641 - if (r == EMULATE_DONE)
    642 - kvm_vcpu_check_singlestep(vcpu, rflags, &r);
    643 + if (r == EMULATE_DONE &&
    644 + (ctxt->tf || (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)))
    645 + kvm_vcpu_do_singlestep(vcpu, &r);
    646 if (!ctxt->have_exception ||
    647 exception_type(ctxt->exception.vector) == EXCPT_TRAP)
    648 __kvm_set_rflags(vcpu, ctxt->eflags);
    649 diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
    650 index 2433569b02ef..bc9adb4a2fd7 100644
    651 --- a/drivers/acpi/scan.c
    652 +++ b/drivers/acpi/scan.c
    653 @@ -1433,6 +1433,37 @@ static void acpi_init_coherency(struct acpi_device *adev)
    654 adev->flags.coherent_dma = cca;
    655 }
    656
    657 +static int acpi_check_spi_i2c_slave(struct acpi_resource *ares, void *data)
    658 +{
    659 + bool *is_spi_i2c_slave_p = data;
    660 +
    661 + if (ares->type != ACPI_RESOURCE_TYPE_SERIAL_BUS)
    662 + return 1;
    663 +
    664 + /*
    665 + * devices that are connected to UART still need to be enumerated to
    666 + * platform bus
    667 + */
    668 + if (ares->data.common_serial_bus.type != ACPI_RESOURCE_SERIAL_TYPE_UART)
    669 + *is_spi_i2c_slave_p = true;
    670 +
    671 + /* no need to do more checking */
    672 + return -1;
    673 +}
    674 +
    675 +static bool acpi_is_spi_i2c_slave(struct acpi_device *device)
    676 +{
    677 + struct list_head resource_list;
    678 + bool is_spi_i2c_slave = false;
    679 +
    680 + INIT_LIST_HEAD(&resource_list);
    681 + acpi_dev_get_resources(device, &resource_list, acpi_check_spi_i2c_slave,
    682 + &is_spi_i2c_slave);
    683 + acpi_dev_free_resource_list(&resource_list);
    684 +
    685 + return is_spi_i2c_slave;
    686 +}
    687 +
    688 void acpi_init_device_object(struct acpi_device *device, acpi_handle handle,
    689 int type, unsigned long long sta)
    690 {
    691 @@ -1448,6 +1479,7 @@ void acpi_init_device_object(struct acpi_device *device, acpi_handle handle,
    692 acpi_bus_get_flags(device);
    693 device->flags.match_driver = false;
    694 device->flags.initialized = true;
    695 + device->flags.spi_i2c_slave = acpi_is_spi_i2c_slave(device);
    696 acpi_device_clear_enumerated(device);
    697 device_initialize(&device->dev);
    698 dev_set_uevent_suppress(&device->dev, true);
    699 @@ -1732,38 +1764,13 @@ static acpi_status acpi_bus_check_add(acpi_handle handle, u32 lvl_not_used,
    700 return AE_OK;
    701 }
    702
    703 -static int acpi_check_spi_i2c_slave(struct acpi_resource *ares, void *data)
    704 -{
    705 - bool *is_spi_i2c_slave_p = data;
    706 -
    707 - if (ares->type != ACPI_RESOURCE_TYPE_SERIAL_BUS)
    708 - return 1;
    709 -
    710 - /*
    711 - * devices that are connected to UART still need to be enumerated to
    712 - * platform bus
    713 - */
    714 - if (ares->data.common_serial_bus.type != ACPI_RESOURCE_SERIAL_TYPE_UART)
    715 - *is_spi_i2c_slave_p = true;
    716 -
    717 - /* no need to do more checking */
    718 - return -1;
    719 -}
    720 -
    721 static void acpi_default_enumeration(struct acpi_device *device)
    722 {
    723 - struct list_head resource_list;
    724 - bool is_spi_i2c_slave = false;
    725 -
    726 /*
    727 * Do not enumerate SPI/I2C slaves as they will be enumerated by their
    728 * respective parents.
    729 */
    730 - INIT_LIST_HEAD(&resource_list);
    731 - acpi_dev_get_resources(device, &resource_list, acpi_check_spi_i2c_slave,
    732 - &is_spi_i2c_slave);
    733 - acpi_dev_free_resource_list(&resource_list);
    734 - if (!is_spi_i2c_slave) {
    735 + if (!device->flags.spi_i2c_slave) {
    736 acpi_create_platform_device(device, NULL);
    737 acpi_device_set_enumerated(device);
    738 } else {
    739 @@ -1857,7 +1864,7 @@ static void acpi_bus_attach(struct acpi_device *device)
    740 return;
    741
    742 device->flags.match_driver = true;
    743 - if (ret > 0) {
    744 + if (ret > 0 && !device->flags.spi_i2c_slave) {
    745 acpi_device_set_enumerated(device);
    746 goto ok;
    747 }
    748 @@ -1866,7 +1873,7 @@ static void acpi_bus_attach(struct acpi_device *device)
    749 if (ret < 0)
    750 return;
    751
    752 - if (ret > 0 || !device->pnp.type.platform_id)
    753 + if (!device->pnp.type.platform_id && !device->flags.spi_i2c_slave)
    754 acpi_device_set_enumerated(device);
    755 else
    756 acpi_default_enumeration(device);
    757 diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
    758 index 726c32e35db9..fbe0dfdffc0d 100644
    759 --- a/drivers/block/xen-blkback/blkback.c
    760 +++ b/drivers/block/xen-blkback/blkback.c
    761 @@ -1436,34 +1436,35 @@ static int dispatch_rw_block_io(struct xen_blkif_ring *ring,
    762 static void make_response(struct xen_blkif_ring *ring, u64 id,
    763 unsigned short op, int st)
    764 {
    765 - struct blkif_response resp;
    766 + struct blkif_response *resp;
    767 unsigned long flags;
    768 union blkif_back_rings *blk_rings;
    769 int notify;
    770
    771 - resp.id = id;
    772 - resp.operation = op;
    773 - resp.status = st;
    774 -
    775 spin_lock_irqsave(&ring->blk_ring_lock, flags);
    776 blk_rings = &ring->blk_rings;
    777 /* Place on the response ring for the relevant domain. */
    778 switch (ring->blkif->blk_protocol) {
    779 case BLKIF_PROTOCOL_NATIVE:
    780 - memcpy(RING_GET_RESPONSE(&blk_rings->native, blk_rings->native.rsp_prod_pvt),
    781 - &resp, sizeof(resp));
    782 + resp = RING_GET_RESPONSE(&blk_rings->native,
    783 + blk_rings->native.rsp_prod_pvt);
    784 break;
    785 case BLKIF_PROTOCOL_X86_32:
    786 - memcpy(RING_GET_RESPONSE(&blk_rings->x86_32, blk_rings->x86_32.rsp_prod_pvt),
    787 - &resp, sizeof(resp));
    788 + resp = RING_GET_RESPONSE(&blk_rings->x86_32,
    789 + blk_rings->x86_32.rsp_prod_pvt);
    790 break;
    791 case BLKIF_PROTOCOL_X86_64:
    792 - memcpy(RING_GET_RESPONSE(&blk_rings->x86_64, blk_rings->x86_64.rsp_prod_pvt),
    793 - &resp, sizeof(resp));
    794 + resp = RING_GET_RESPONSE(&blk_rings->x86_64,
    795 + blk_rings->x86_64.rsp_prod_pvt);
    796 break;
    797 default:
    798 BUG();
    799 }
    800 +
    801 + resp->id = id;
    802 + resp->operation = op;
    803 + resp->status = st;
    804 +
    805 blk_rings->common.rsp_prod_pvt++;
    806 RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blk_rings->common, notify);
    807 spin_unlock_irqrestore(&ring->blk_ring_lock, flags);
    808 diff --git a/drivers/block/xen-blkback/common.h b/drivers/block/xen-blkback/common.h
    809 index dea61f6ab8cb..ecb35fe8ca8d 100644
    810 --- a/drivers/block/xen-blkback/common.h
    811 +++ b/drivers/block/xen-blkback/common.h
    812 @@ -75,9 +75,8 @@ extern unsigned int xenblk_max_queues;
    813 struct blkif_common_request {
    814 char dummy;
    815 };
    816 -struct blkif_common_response {
    817 - char dummy;
    818 -};
    819 +
    820 +/* i386 protocol version */
    821
    822 struct blkif_x86_32_request_rw {
    823 uint8_t nr_segments; /* number of segments */
    824 @@ -129,14 +128,6 @@ struct blkif_x86_32_request {
    825 } u;
    826 } __attribute__((__packed__));
    827
    828 -/* i386 protocol version */
    829 -#pragma pack(push, 4)
    830 -struct blkif_x86_32_response {
    831 - uint64_t id; /* copied from request */
    832 - uint8_t operation; /* copied from request */
    833 - int16_t status; /* BLKIF_RSP_??? */
    834 -};
    835 -#pragma pack(pop)
    836 /* x86_64 protocol version */
    837
    838 struct blkif_x86_64_request_rw {
    839 @@ -193,18 +184,12 @@ struct blkif_x86_64_request {
    840 } u;
    841 } __attribute__((__packed__));
    842
    843 -struct blkif_x86_64_response {
    844 - uint64_t __attribute__((__aligned__(8))) id;
    845 - uint8_t operation; /* copied from request */
    846 - int16_t status; /* BLKIF_RSP_??? */
    847 -};
    848 -
    849 DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
    850 - struct blkif_common_response);
    851 + struct blkif_response);
    852 DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
    853 - struct blkif_x86_32_response);
    854 + struct blkif_response __packed);
    855 DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
    856 - struct blkif_x86_64_response);
    857 + struct blkif_response);
    858
    859 union blkif_back_rings {
    860 struct blkif_back_ring native;
    861 @@ -281,6 +266,7 @@ struct xen_blkif_ring {
    862
    863 wait_queue_head_t wq;
    864 atomic_t inflight;
    865 + bool active;
    866 /* One thread per blkif ring. */
    867 struct task_struct *xenblkd;
    868 unsigned int waiting_reqs;
    869 diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c
    870 index 8fe61b5dc5a6..dcabf52425ff 100644
    871 --- a/drivers/block/xen-blkback/xenbus.c
    872 +++ b/drivers/block/xen-blkback/xenbus.c
    873 @@ -159,7 +159,7 @@ static int xen_blkif_alloc_rings(struct xen_blkif *blkif)
    874 init_waitqueue_head(&ring->shutdown_wq);
    875 ring->blkif = blkif;
    876 ring->st_print = jiffies;
    877 - xen_blkif_get(blkif);
    878 + ring->active = true;
    879 }
    880
    881 return 0;
    882 @@ -249,6 +249,9 @@ static int xen_blkif_disconnect(struct xen_blkif *blkif)
    883 struct xen_blkif_ring *ring = &blkif->rings[r];
    884 unsigned int i = 0;
    885
    886 + if (!ring->active)
    887 + continue;
    888 +
    889 if (ring->xenblkd) {
    890 kthread_stop(ring->xenblkd);
    891 wake_up(&ring->shutdown_wq);
    892 @@ -296,7 +299,7 @@ static int xen_blkif_disconnect(struct xen_blkif *blkif)
    893 BUG_ON(ring->free_pages_num != 0);
    894 BUG_ON(ring->persistent_gnt_c != 0);
    895 WARN_ON(i != (XEN_BLKIF_REQS_PER_PAGE * blkif->nr_ring_pages));
    896 - xen_blkif_put(blkif);
    897 + ring->active = false;
    898 }
    899 blkif->nr_ring_pages = 0;
    900 /*
    901 diff --git a/drivers/char/random.c b/drivers/char/random.c
    902 index 2291e6224ed3..8944a844ca95 100644
    903 --- a/drivers/char/random.c
    904 +++ b/drivers/char/random.c
    905 @@ -803,13 +803,13 @@ static int crng_fast_load(const char *cp, size_t len)
    906 p[crng_init_cnt % CHACHA20_KEY_SIZE] ^= *cp;
    907 cp++; crng_init_cnt++; len--;
    908 }
    909 + spin_unlock_irqrestore(&primary_crng.lock, flags);
    910 if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
    911 invalidate_batched_entropy();
    912 crng_init = 1;
    913 wake_up_interruptible(&crng_init_wait);
    914 pr_notice("random: fast init done\n");
    915 }
    916 - spin_unlock_irqrestore(&primary_crng.lock, flags);
    917 return 1;
    918 }
    919
    920 @@ -841,6 +841,7 @@ static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
    921 }
    922 memzero_explicit(&buf, sizeof(buf));
    923 crng->init_time = jiffies;
    924 + spin_unlock_irqrestore(&primary_crng.lock, flags);
    925 if (crng == &primary_crng && crng_init < 2) {
    926 invalidate_batched_entropy();
    927 crng_init = 2;
    928 @@ -848,7 +849,6 @@ static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
    929 wake_up_interruptible(&crng_init_wait);
    930 pr_notice("random: crng init done\n");
    931 }
    932 - spin_unlock_irqrestore(&primary_crng.lock, flags);
    933 }
    934
    935 static inline void crng_wait_ready(void)
    936 @@ -2037,8 +2037,8 @@ static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64);
    937 u64 get_random_u64(void)
    938 {
    939 u64 ret;
    940 - bool use_lock = crng_init < 2;
    941 - unsigned long flags;
    942 + bool use_lock = READ_ONCE(crng_init) < 2;
    943 + unsigned long flags = 0;
    944 struct batched_entropy *batch;
    945
    946 #if BITS_PER_LONG == 64
    947 @@ -2069,8 +2069,8 @@ static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32);
    948 u32 get_random_u32(void)
    949 {
    950 u32 ret;
    951 - bool use_lock = crng_init < 2;
    952 - unsigned long flags;
    953 + bool use_lock = READ_ONCE(crng_init) < 2;
    954 + unsigned long flags = 0;
    955 struct batched_entropy *batch;
    956
    957 if (arch_get_random_int(&ret))
    958 diff --git a/drivers/clk/sunxi-ng/ccu-sun5i.c b/drivers/clk/sunxi-ng/ccu-sun5i.c
    959 index 06edaa523479..2999618e1a59 100644
    960 --- a/drivers/clk/sunxi-ng/ccu-sun5i.c
    961 +++ b/drivers/clk/sunxi-ng/ccu-sun5i.c
    962 @@ -243,7 +243,7 @@ static SUNXI_CCU_GATE(ahb_ss_clk, "ahb-ss", "ahb",
    963 static SUNXI_CCU_GATE(ahb_dma_clk, "ahb-dma", "ahb",
    964 0x060, BIT(6), 0);
    965 static SUNXI_CCU_GATE(ahb_bist_clk, "ahb-bist", "ahb",
    966 - 0x060, BIT(6), 0);
    967 + 0x060, BIT(7), 0);
    968 static SUNXI_CCU_GATE(ahb_mmc0_clk, "ahb-mmc0", "ahb",
    969 0x060, BIT(8), 0);
    970 static SUNXI_CCU_GATE(ahb_mmc1_clk, "ahb-mmc1", "ahb",
    971 diff --git a/drivers/clk/sunxi-ng/ccu-sun6i-a31.c b/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
    972 index 89e68d29bf45..df97e25aec76 100644
    973 --- a/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
    974 +++ b/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
    975 @@ -556,7 +556,7 @@ static SUNXI_CCU_M_WITH_MUX_GATE(lcd0_ch1_clk, "lcd0-ch1", lcd_ch1_parents,
    976 0x12c, 0, 4, 24, 3, BIT(31),
    977 CLK_SET_RATE_PARENT);
    978 static SUNXI_CCU_M_WITH_MUX_GATE(lcd1_ch1_clk, "lcd1-ch1", lcd_ch1_parents,
    979 - 0x12c, 0, 4, 24, 3, BIT(31),
    980 + 0x130, 0, 4, 24, 3, BIT(31),
    981 CLK_SET_RATE_PARENT);
    982
    983 static const char * const csi_sclk_parents[] = { "pll-video0", "pll-video1",
    984 diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
    985 index e58706b40ae9..6297add857b5 100644
    986 --- a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
    987 +++ b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
    988 @@ -537,7 +537,7 @@ static struct ccu_reset_map sun8i_v3s_ccu_resets[] = {
    989 [RST_BUS_EMAC] = { 0x2c0, BIT(17) },
    990 [RST_BUS_HSTIMER] = { 0x2c0, BIT(19) },
    991 [RST_BUS_SPI0] = { 0x2c0, BIT(20) },
    992 - [RST_BUS_OTG] = { 0x2c0, BIT(23) },
    993 + [RST_BUS_OTG] = { 0x2c0, BIT(24) },
    994 [RST_BUS_EHCI0] = { 0x2c0, BIT(26) },
    995 [RST_BUS_OHCI0] = { 0x2c0, BIT(29) },
    996
    997 diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
    998 index 56a86dd5789e..2de6475a684e 100644
    999 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
    1000 +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
    1001 @@ -693,6 +693,10 @@ int amdgpu_atombios_get_clock_info(struct amdgpu_device *adev)
    1002 DRM_INFO("Changing default dispclk from %dMhz to 600Mhz\n",
    1003 adev->clock.default_dispclk / 100);
    1004 adev->clock.default_dispclk = 60000;
    1005 + } else if (adev->clock.default_dispclk <= 60000) {
    1006 + DRM_INFO("Changing default dispclk from %dMhz to 625Mhz\n",
    1007 + adev->clock.default_dispclk / 100);
    1008 + adev->clock.default_dispclk = 62500;
    1009 }
    1010 adev->clock.dp_extclk =
    1011 le16_to_cpu(firmware_info->info_21.usUniphyDPModeExtClkFreq);
    1012 diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
    1013 index b76cd699eb0d..b1f02277be79 100644
    1014 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
    1015 +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
    1016 @@ -422,6 +422,7 @@ static const struct pci_device_id pciidlist[] = {
    1017 {0x1002, 0x6986, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_POLARIS12},
    1018 {0x1002, 0x6987, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_POLARIS12},
    1019 {0x1002, 0x6995, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_POLARIS12},
    1020 + {0x1002, 0x6997, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_POLARIS12},
    1021 {0x1002, 0x699F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_POLARIS12},
    1022
    1023 {0, 0, 0}
    1024 diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_crtc.c b/drivers/gpu/drm/amd/amdgpu/atombios_crtc.c
    1025 index 8c9bc75a9c2d..8a0818b23ea4 100644
    1026 --- a/drivers/gpu/drm/amd/amdgpu/atombios_crtc.c
    1027 +++ b/drivers/gpu/drm/amd/amdgpu/atombios_crtc.c
    1028 @@ -165,7 +165,7 @@ void amdgpu_atombios_crtc_powergate(struct drm_crtc *crtc, int state)
    1029 struct drm_device *dev = crtc->dev;
    1030 struct amdgpu_device *adev = dev->dev_private;
    1031 int index = GetIndexIntoMasterTable(COMMAND, EnableDispPowerGating);
    1032 - ENABLE_DISP_POWER_GATING_PARAMETERS_V2_1 args;
    1033 + ENABLE_DISP_POWER_GATING_PS_ALLOCATION args;
    1034
    1035 memset(&args, 0, sizeof(args));
    1036
    1037 @@ -178,7 +178,7 @@ void amdgpu_atombios_crtc_powergate(struct drm_crtc *crtc, int state)
    1038 void amdgpu_atombios_crtc_powergate_init(struct amdgpu_device *adev)
    1039 {
    1040 int index = GetIndexIntoMasterTable(COMMAND, EnableDispPowerGating);
    1041 - ENABLE_DISP_POWER_GATING_PARAMETERS_V2_1 args;
    1042 + ENABLE_DISP_POWER_GATING_PS_ALLOCATION args;
    1043
    1044 memset(&args, 0, sizeof(args));
    1045
    1046 diff --git a/drivers/gpu/drm/drm_connector.c b/drivers/gpu/drm/drm_connector.c
    1047 index 45464c8b797d..2a6059ce3842 100644
    1048 --- a/drivers/gpu/drm/drm_connector.c
    1049 +++ b/drivers/gpu/drm/drm_connector.c
    1050 @@ -1169,21 +1169,6 @@ int drm_mode_getconnector(struct drm_device *dev, void *data,
    1051 if (!connector)
    1052 return -ENOENT;
    1053
    1054 - drm_modeset_lock(&dev->mode_config.connection_mutex, NULL);
    1055 - encoder = drm_connector_get_encoder(connector);
    1056 - if (encoder)
    1057 - out_resp->encoder_id = encoder->base.id;
    1058 - else
    1059 - out_resp->encoder_id = 0;
    1060 -
    1061 - ret = drm_mode_object_get_properties(&connector->base, file_priv->atomic,
    1062 - (uint32_t __user *)(unsigned long)(out_resp->props_ptr),
    1063 - (uint64_t __user *)(unsigned long)(out_resp->prop_values_ptr),
    1064 - &out_resp->count_props);
    1065 - drm_modeset_unlock(&dev->mode_config.connection_mutex);
    1066 - if (ret)
    1067 - goto out_unref;
    1068 -
    1069 for (i = 0; i < DRM_CONNECTOR_MAX_ENCODER; i++)
    1070 if (connector->encoder_ids[i] != 0)
    1071 encoders_count++;
    1072 @@ -1196,7 +1181,7 @@ int drm_mode_getconnector(struct drm_device *dev, void *data,
    1073 if (put_user(connector->encoder_ids[i],
    1074 encoder_ptr + copied)) {
    1075 ret = -EFAULT;
    1076 - goto out_unref;
    1077 + goto out;
    1078 }
    1079 copied++;
    1080 }
    1081 @@ -1240,15 +1225,32 @@ int drm_mode_getconnector(struct drm_device *dev, void *data,
    1082 if (copy_to_user(mode_ptr + copied,
    1083 &u_mode, sizeof(u_mode))) {
    1084 ret = -EFAULT;
    1085 + mutex_unlock(&dev->mode_config.mutex);
    1086 +
    1087 goto out;
    1088 }
    1089 copied++;
    1090 }
    1091 }
    1092 out_resp->count_modes = mode_count;
    1093 -out:
    1094 mutex_unlock(&dev->mode_config.mutex);
    1095 -out_unref:
    1096 +
    1097 + drm_modeset_lock(&dev->mode_config.connection_mutex, NULL);
    1098 + encoder = drm_connector_get_encoder(connector);
    1099 + if (encoder)
    1100 + out_resp->encoder_id = encoder->base.id;
    1101 + else
    1102 + out_resp->encoder_id = 0;
    1103 +
    1104 + /* Only grab properties after probing, to make sure EDID and other
    1105 + * properties reflect the latest status. */
    1106 + ret = drm_mode_object_get_properties(&connector->base, file_priv->atomic,
    1107 + (uint32_t __user *)(unsigned long)(out_resp->props_ptr),
    1108 + (uint64_t __user *)(unsigned long)(out_resp->prop_values_ptr),
    1109 + &out_resp->count_props);
    1110 + drm_modeset_unlock(&dev->mode_config.connection_mutex);
    1111 +
    1112 +out:
    1113 drm_connector_unreference(connector);
    1114
    1115 return ret;
    1116 diff --git a/drivers/gpu/drm/radeon/radeon_combios.c b/drivers/gpu/drm/radeon/radeon_combios.c
    1117 index 432480ff9d22..3178ba0c537c 100644
    1118 --- a/drivers/gpu/drm/radeon/radeon_combios.c
    1119 +++ b/drivers/gpu/drm/radeon/radeon_combios.c
    1120 @@ -3393,6 +3393,13 @@ void radeon_combios_asic_init(struct drm_device *dev)
    1121 rdev->pdev->subsystem_vendor == 0x103c &&
    1122 rdev->pdev->subsystem_device == 0x280a)
    1123 return;
    1124 + /* quirk for rs4xx Toshiba Sattellite L20-183 latop to make it resume
    1125 + * - it hangs on resume inside the dynclk 1 table.
    1126 + */
    1127 + if (rdev->family == CHIP_RS400 &&
    1128 + rdev->pdev->subsystem_vendor == 0x1179 &&
    1129 + rdev->pdev->subsystem_device == 0xff31)
    1130 + return;
    1131
    1132 /* DYN CLK 1 */
    1133 table = combios_get_table_offset(dev, COMBIOS_DYN_CLK_1_TABLE);
    1134 diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
    1135 index 4b0c388be3f5..5cdc39125b42 100644
    1136 --- a/drivers/gpu/drm/radeon/radeon_device.c
    1137 +++ b/drivers/gpu/drm/radeon/radeon_device.c
    1138 @@ -136,6 +136,10 @@ static struct radeon_px_quirk radeon_px_quirk_list[] = {
    1139 * https://bugzilla.kernel.org/show_bug.cgi?id=51381
    1140 */
    1141 { PCI_VENDOR_ID_ATI, 0x6840, 0x1043, 0x2122, RADEON_PX_QUIRK_DISABLE_PX },
    1142 + /* Asus K53TK laptop with AMD A6-3420M APU and Radeon 7670m GPU
    1143 + * https://bugs.freedesktop.org/show_bug.cgi?id=101491
    1144 + */
    1145 + { PCI_VENDOR_ID_ATI, 0x6741, 0x1043, 0x2122, RADEON_PX_QUIRK_DISABLE_PX },
    1146 /* macbook pro 8.2 */
    1147 { PCI_VENDOR_ID_ATI, 0x6741, PCI_VENDOR_ID_APPLE, 0x00e2, RADEON_PX_QUIRK_LONG_WAKEUP },
    1148 { 0, 0, 0, 0, 0 },
    1149 diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
    1150 index b26c030926c1..d3793867adae 100644
    1151 --- a/drivers/hid/hid-ids.h
    1152 +++ b/drivers/hid/hid-ids.h
    1153 @@ -315,6 +315,9 @@
    1154 #define USB_VENDOR_ID_DELCOM 0x0fc5
    1155 #define USB_DEVICE_ID_DELCOM_VISUAL_IND 0xb080
    1156
    1157 +#define USB_VENDOR_ID_DELL 0x413c
    1158 +#define USB_DEVICE_ID_DELL_PIXART_USB_OPTICAL_MOUSE 0x301a
    1159 +
    1160 #define USB_VENDOR_ID_DELORME 0x1163
    1161 #define USB_DEVICE_ID_DELORME_EARTHMATE 0x0100
    1162 #define USB_DEVICE_ID_DELORME_EM_LT20 0x0200
    1163 diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
    1164 index a69a3c88ab29..9f9eb32ab7db 100644
    1165 --- a/drivers/hid/usbhid/hid-quirks.c
    1166 +++ b/drivers/hid/usbhid/hid-quirks.c
    1167 @@ -84,6 +84,7 @@ static const struct hid_blacklist {
    1168 { USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB_RAPIDFIRE, HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
    1169 { USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_SCIMITAR_PRO_RGB, HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
    1170 { USB_VENDOR_ID_CREATIVELABS, USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51, HID_QUIRK_NOGET },
    1171 + { USB_VENDOR_ID_DELL, USB_DEVICE_ID_DELL_PIXART_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
    1172 { USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET },
    1173 { USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU, HID_QUIRK_MULTI_INPUT },
    1174 { USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_PS3, HID_QUIRK_MULTI_INPUT },
    1175 diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
    1176 index 09720d950686..f932a83b4990 100644
    1177 --- a/drivers/input/serio/i8042-x86ia64io.h
    1178 +++ b/drivers/input/serio/i8042-x86ia64io.h
    1179 @@ -723,6 +723,13 @@ static const struct dmi_system_id __initconst i8042_dmi_notimeout_table[] = {
    1180 DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U574"),
    1181 },
    1182 },
    1183 + {
    1184 + /* Fujitsu UH554 laptop */
    1185 + .matches = {
    1186 + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
    1187 + DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK UH544"),
    1188 + },
    1189 + },
    1190 { }
    1191 };
    1192
    1193 diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
    1194 index 012194bc92d3..1238c4ec5215 100644
    1195 --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
    1196 +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
    1197 @@ -2192,9 +2192,10 @@ static int cxgb_up(struct adapter *adap)
    1198 {
    1199 int err;
    1200
    1201 + mutex_lock(&uld_mutex);
    1202 err = setup_sge_queues(adap);
    1203 if (err)
    1204 - goto out;
    1205 + goto rel_lock;
    1206 err = setup_rss(adap);
    1207 if (err)
    1208 goto freeq;
    1209 @@ -2218,7 +2219,6 @@ static int cxgb_up(struct adapter *adap)
    1210 goto irq_err;
    1211 }
    1212
    1213 - mutex_lock(&uld_mutex);
    1214 enable_rx(adap);
    1215 t4_sge_start(adap);
    1216 t4_intr_enable(adap);
    1217 @@ -2231,13 +2231,15 @@ static int cxgb_up(struct adapter *adap)
    1218 #endif
    1219 /* Initialize hash mac addr list*/
    1220 INIT_LIST_HEAD(&adap->mac_hlist);
    1221 - out:
    1222 return err;
    1223 +
    1224 irq_err:
    1225 dev_err(adap->pdev_dev, "request_irq failed, err %d\n", err);
    1226 freeq:
    1227 t4_free_sge_resources(adap);
    1228 - goto out;
    1229 + rel_lock:
    1230 + mutex_unlock(&uld_mutex);
    1231 + return err;
    1232 }
    1233
    1234 static void cxgb_down(struct adapter *adapter)
    1235 diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c
    1236 index 9097e42bec2e..57297ba23987 100644
    1237 --- a/drivers/net/phy/marvell.c
    1238 +++ b/drivers/net/phy/marvell.c
    1239 @@ -1127,8 +1127,6 @@ static int marvell_read_status_page(struct phy_device *phydev, int page)
    1240 if (adv < 0)
    1241 return adv;
    1242
    1243 - lpa &= adv;
    1244 -
    1245 if (status & MII_M1011_PHY_STATUS_FULLDUPLEX)
    1246 phydev->duplex = DUPLEX_FULL;
    1247 else
    1248 diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
    1249 index c7c1e9906500..d231042f19d6 100644
    1250 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
    1251 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
    1252 @@ -442,7 +442,7 @@ struct brcmf_fw {
    1253 const char *nvram_name;
    1254 u16 domain_nr;
    1255 u16 bus_nr;
    1256 - void (*done)(struct device *dev, const struct firmware *fw,
    1257 + void (*done)(struct device *dev, int err, const struct firmware *fw,
    1258 void *nvram_image, u32 nvram_len);
    1259 };
    1260
    1261 @@ -477,52 +477,51 @@ static void brcmf_fw_request_nvram_done(const struct firmware *fw, void *ctx)
    1262 if (!nvram && !(fwctx->flags & BRCMF_FW_REQ_NV_OPTIONAL))
    1263 goto fail;
    1264
    1265 - fwctx->done(fwctx->dev, fwctx->code, nvram, nvram_length);
    1266 + fwctx->done(fwctx->dev, 0, fwctx->code, nvram, nvram_length);
    1267 kfree(fwctx);
    1268 return;
    1269
    1270 fail:
    1271 brcmf_dbg(TRACE, "failed: dev=%s\n", dev_name(fwctx->dev));
    1272 release_firmware(fwctx->code);
    1273 - device_release_driver(fwctx->dev);
    1274 + fwctx->done(fwctx->dev, -ENOENT, NULL, NULL, 0);
    1275 kfree(fwctx);
    1276 }
    1277
    1278 static void brcmf_fw_request_code_done(const struct firmware *fw, void *ctx)
    1279 {
    1280 struct brcmf_fw *fwctx = ctx;
    1281 - int ret;
    1282 + int ret = 0;
    1283
    1284 brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(fwctx->dev));
    1285 - if (!fw)
    1286 + if (!fw) {
    1287 + ret = -ENOENT;
    1288 goto fail;
    1289 -
    1290 - /* only requested code so done here */
    1291 - if (!(fwctx->flags & BRCMF_FW_REQUEST_NVRAM)) {
    1292 - fwctx->done(fwctx->dev, fw, NULL, 0);
    1293 - kfree(fwctx);
    1294 - return;
    1295 }
    1296 + /* only requested code so done here */
    1297 + if (!(fwctx->flags & BRCMF_FW_REQUEST_NVRAM))
    1298 + goto done;
    1299 +
    1300 fwctx->code = fw;
    1301 ret = request_firmware_nowait(THIS_MODULE, true, fwctx->nvram_name,
    1302 fwctx->dev, GFP_KERNEL, fwctx,
    1303 brcmf_fw_request_nvram_done);
    1304
    1305 - if (!ret)
    1306 - return;
    1307 -
    1308 - brcmf_fw_request_nvram_done(NULL, fwctx);
    1309 + /* pass NULL to nvram callback for bcm47xx fallback */
    1310 + if (ret)
    1311 + brcmf_fw_request_nvram_done(NULL, fwctx);
    1312 return;
    1313
    1314 fail:
    1315 brcmf_dbg(TRACE, "failed: dev=%s\n", dev_name(fwctx->dev));
    1316 - device_release_driver(fwctx->dev);
    1317 +done:
    1318 + fwctx->done(fwctx->dev, ret, fw, NULL, 0);
    1319 kfree(fwctx);
    1320 }
    1321
    1322 int brcmf_fw_get_firmwares_pcie(struct device *dev, u16 flags,
    1323 const char *code, const char *nvram,
    1324 - void (*fw_cb)(struct device *dev,
    1325 + void (*fw_cb)(struct device *dev, int err,
    1326 const struct firmware *fw,
    1327 void *nvram_image, u32 nvram_len),
    1328 u16 domain_nr, u16 bus_nr)
    1329 @@ -555,7 +554,7 @@ int brcmf_fw_get_firmwares_pcie(struct device *dev, u16 flags,
    1330
    1331 int brcmf_fw_get_firmwares(struct device *dev, u16 flags,
    1332 const char *code, const char *nvram,
    1333 - void (*fw_cb)(struct device *dev,
    1334 + void (*fw_cb)(struct device *dev, int err,
    1335 const struct firmware *fw,
    1336 void *nvram_image, u32 nvram_len))
    1337 {
    1338 diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h
    1339 index d3c9f0d52ae3..8fa4b7e1ab3d 100644
    1340 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h
    1341 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h
    1342 @@ -73,13 +73,13 @@ void brcmf_fw_nvram_free(void *nvram);
    1343 */
    1344 int brcmf_fw_get_firmwares_pcie(struct device *dev, u16 flags,
    1345 const char *code, const char *nvram,
    1346 - void (*fw_cb)(struct device *dev,
    1347 + void (*fw_cb)(struct device *dev, int err,
    1348 const struct firmware *fw,
    1349 void *nvram_image, u32 nvram_len),
    1350 u16 domain_nr, u16 bus_nr);
    1351 int brcmf_fw_get_firmwares(struct device *dev, u16 flags,
    1352 const char *code, const char *nvram,
    1353 - void (*fw_cb)(struct device *dev,
    1354 + void (*fw_cb)(struct device *dev, int err,
    1355 const struct firmware *fw,
    1356 void *nvram_image, u32 nvram_len));
    1357
    1358 diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
    1359 index 6fae4cf3f6ab..42c081d9fb9a 100644
    1360 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
    1361 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
    1362 @@ -1650,16 +1650,23 @@ static const struct brcmf_buscore_ops brcmf_pcie_buscore_ops = {
    1363 .write32 = brcmf_pcie_buscore_write32,
    1364 };
    1365
    1366 -static void brcmf_pcie_setup(struct device *dev, const struct firmware *fw,
    1367 +static void brcmf_pcie_setup(struct device *dev, int ret,
    1368 + const struct firmware *fw,
    1369 void *nvram, u32 nvram_len)
    1370 {
    1371 - struct brcmf_bus *bus = dev_get_drvdata(dev);
    1372 - struct brcmf_pciedev *pcie_bus_dev = bus->bus_priv.pcie;
    1373 - struct brcmf_pciedev_info *devinfo = pcie_bus_dev->devinfo;
    1374 + struct brcmf_bus *bus;
    1375 + struct brcmf_pciedev *pcie_bus_dev;
    1376 + struct brcmf_pciedev_info *devinfo;
    1377 struct brcmf_commonring **flowrings;
    1378 - int ret;
    1379 u32 i;
    1380
    1381 + /* check firmware loading result */
    1382 + if (ret)
    1383 + goto fail;
    1384 +
    1385 + bus = dev_get_drvdata(dev);
    1386 + pcie_bus_dev = bus->bus_priv.pcie;
    1387 + devinfo = pcie_bus_dev->devinfo;
    1388 brcmf_pcie_attach(devinfo);
    1389
    1390 /* Some of the firmwares have the size of the memory of the device
    1391 diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
    1392 index 65689469c5a1..67bff5b8cd60 100644
    1393 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
    1394 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
    1395 @@ -3976,21 +3976,26 @@ static const struct brcmf_bus_ops brcmf_sdio_bus_ops = {
    1396 .get_memdump = brcmf_sdio_bus_get_memdump,
    1397 };
    1398
    1399 -static void brcmf_sdio_firmware_callback(struct device *dev,
    1400 +static void brcmf_sdio_firmware_callback(struct device *dev, int err,
    1401 const struct firmware *code,
    1402 void *nvram, u32 nvram_len)
    1403 {
    1404 - struct brcmf_bus *bus_if = dev_get_drvdata(dev);
    1405 - struct brcmf_sdio_dev *sdiodev = bus_if->bus_priv.sdio;
    1406 - struct brcmf_sdio *bus = sdiodev->bus;
    1407 - int err = 0;
    1408 + struct brcmf_bus *bus_if;
    1409 + struct brcmf_sdio_dev *sdiodev;
    1410 + struct brcmf_sdio *bus;
    1411 u8 saveclk;
    1412
    1413 - brcmf_dbg(TRACE, "Enter: dev=%s\n", dev_name(dev));
    1414 + brcmf_dbg(TRACE, "Enter: dev=%s, err=%d\n", dev_name(dev), err);
    1415 + bus_if = dev_get_drvdata(dev);
    1416 + sdiodev = bus_if->bus_priv.sdio;
    1417 + if (err)
    1418 + goto fail;
    1419
    1420 if (!bus_if->drvr)
    1421 return;
    1422
    1423 + bus = sdiodev->bus;
    1424 +
    1425 /* try to download image and nvram to the dongle */
    1426 bus->alp_only = true;
    1427 err = brcmf_sdio_download_firmware(bus, code, nvram, nvram_len);
    1428 @@ -4077,6 +4082,7 @@ static void brcmf_sdio_firmware_callback(struct device *dev,
    1429 fail:
    1430 brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), err);
    1431 device_release_driver(dev);
    1432 + device_release_driver(&sdiodev->func[2]->dev);
    1433 }
    1434
    1435 struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)
    1436 diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
    1437 index d93ebbdc7737..1242c3f05aad 100644
    1438 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
    1439 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
    1440 @@ -1158,17 +1158,18 @@ static int brcmf_usb_bus_setup(struct brcmf_usbdev_info *devinfo)
    1441 return ret;
    1442 }
    1443
    1444 -static void brcmf_usb_probe_phase2(struct device *dev,
    1445 +static void brcmf_usb_probe_phase2(struct device *dev, int ret,
    1446 const struct firmware *fw,
    1447 void *nvram, u32 nvlen)
    1448 {
    1449 struct brcmf_bus *bus = dev_get_drvdata(dev);
    1450 - struct brcmf_usbdev_info *devinfo;
    1451 - int ret;
    1452 + struct brcmf_usbdev_info *devinfo = bus->bus_priv.usb->devinfo;
    1453 +
    1454 + if (ret)
    1455 + goto error;
    1456
    1457 brcmf_dbg(USB, "Start fw downloading\n");
    1458
    1459 - devinfo = bus->bus_priv.usb->devinfo;
    1460 ret = check_file(fw->data);
    1461 if (ret < 0) {
    1462 brcmf_err("invalid firmware\n");
    1463 diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
    1464 index 90b5b2efafbf..b4a8bb7759b2 100644
    1465 --- a/drivers/spi/spi.c
    1466 +++ b/drivers/spi/spi.c
    1467 @@ -1015,7 +1015,7 @@ static int spi_transfer_one_message(struct spi_master *master,
    1468 ret = 0;
    1469 ms = 8LL * 1000LL * xfer->len;
    1470 do_div(ms, xfer->speed_hz);
    1471 - ms += ms + 100; /* some tolerance */
    1472 + ms += ms + 200; /* some tolerance */
    1473
    1474 if (ms > UINT_MAX)
    1475 ms = UINT_MAX;
    1476 diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
    1477 index fd45b48480cb..86433ef7f953 100644
    1478 --- a/drivers/target/iscsi/iscsi_target.c
    1479 +++ b/drivers/target/iscsi/iscsi_target.c
    1480 @@ -1289,6 +1289,18 @@ iscsit_get_immediate_data(struct iscsi_cmd *cmd, struct iscsi_scsi_req *hdr,
    1481 */
    1482 if (dump_payload)
    1483 goto after_immediate_data;
    1484 + /*
    1485 + * Check for underflow case where both EDTL and immediate data payload
    1486 + * exceeds what is presented by CDB's TRANSFER LENGTH, and what has
    1487 + * already been set in target_cmd_size_check() as se_cmd->data_length.
    1488 + *
    1489 + * For this special case, fail the command and dump the immediate data
    1490 + * payload.
    1491 + */
    1492 + if (cmd->first_burst_len > cmd->se_cmd.data_length) {
    1493 + cmd->sense_reason = TCM_INVALID_CDB_FIELD;
    1494 + goto after_immediate_data;
    1495 + }
    1496
    1497 immed_ret = iscsit_handle_immediate_data(cmd, hdr,
    1498 cmd->first_burst_len);
    1499 @@ -4443,8 +4455,11 @@ static void iscsit_logout_post_handler_closesession(
    1500 * always sleep waiting for RX/TX thread shutdown to complete
    1501 * within iscsit_close_connection().
    1502 */
    1503 - if (!conn->conn_transport->rdma_shutdown)
    1504 + if (!conn->conn_transport->rdma_shutdown) {
    1505 sleep = cmpxchg(&conn->tx_thread_active, true, false);
    1506 + if (!sleep)
    1507 + return;
    1508 + }
    1509
    1510 atomic_set(&conn->conn_logout_remove, 0);
    1511 complete(&conn->conn_logout_comp);
    1512 @@ -4460,8 +4475,11 @@ static void iscsit_logout_post_handler_samecid(
    1513 {
    1514 int sleep = 1;
    1515
    1516 - if (!conn->conn_transport->rdma_shutdown)
    1517 + if (!conn->conn_transport->rdma_shutdown) {
    1518 sleep = cmpxchg(&conn->tx_thread_active, true, false);
    1519 + if (!sleep)
    1520 + return;
    1521 + }
    1522
    1523 atomic_set(&conn->conn_logout_remove, 0);
    1524 complete(&conn->conn_logout_comp);
    1525 diff --git a/drivers/target/target_core_internal.h b/drivers/target/target_core_internal.h
    1526 index 9ab7090f7c83..0912de7c0cf8 100644
    1527 --- a/drivers/target/target_core_internal.h
    1528 +++ b/drivers/target/target_core_internal.h
    1529 @@ -136,7 +136,7 @@ int init_se_kmem_caches(void);
    1530 void release_se_kmem_caches(void);
    1531 u32 scsi_get_new_index(scsi_index_t);
    1532 void transport_subsystem_check_init(void);
    1533 -void transport_cmd_finish_abort(struct se_cmd *, int);
    1534 +int transport_cmd_finish_abort(struct se_cmd *, int);
    1535 unsigned char *transport_dump_cmd_direction(struct se_cmd *);
    1536 void transport_dump_dev_state(struct se_device *, char *, int *);
    1537 void transport_dump_dev_info(struct se_device *, struct se_lun *,
    1538 diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
    1539 index dce1e1b47316..13f47bf4d16b 100644
    1540 --- a/drivers/target/target_core_tmr.c
    1541 +++ b/drivers/target/target_core_tmr.c
    1542 @@ -75,7 +75,7 @@ void core_tmr_release_req(struct se_tmr_req *tmr)
    1543 kfree(tmr);
    1544 }
    1545
    1546 -static void core_tmr_handle_tas_abort(struct se_cmd *cmd, int tas)
    1547 +static int core_tmr_handle_tas_abort(struct se_cmd *cmd, int tas)
    1548 {
    1549 unsigned long flags;
    1550 bool remove = true, send_tas;
    1551 @@ -91,7 +91,7 @@ static void core_tmr_handle_tas_abort(struct se_cmd *cmd, int tas)
    1552 transport_send_task_abort(cmd);
    1553 }
    1554
    1555 - transport_cmd_finish_abort(cmd, remove);
    1556 + return transport_cmd_finish_abort(cmd, remove);
    1557 }
    1558
    1559 static int target_check_cdb_and_preempt(struct list_head *list,
    1560 @@ -184,8 +184,8 @@ void core_tmr_abort_task(
    1561 cancel_work_sync(&se_cmd->work);
    1562 transport_wait_for_tasks(se_cmd);
    1563
    1564 - transport_cmd_finish_abort(se_cmd, true);
    1565 - target_put_sess_cmd(se_cmd);
    1566 + if (!transport_cmd_finish_abort(se_cmd, true))
    1567 + target_put_sess_cmd(se_cmd);
    1568
    1569 printk("ABORT_TASK: Sending TMR_FUNCTION_COMPLETE for"
    1570 " ref_tag: %llu\n", ref_tag);
    1571 @@ -281,8 +281,8 @@ static void core_tmr_drain_tmr_list(
    1572 cancel_work_sync(&cmd->work);
    1573 transport_wait_for_tasks(cmd);
    1574
    1575 - transport_cmd_finish_abort(cmd, 1);
    1576 - target_put_sess_cmd(cmd);
    1577 + if (!transport_cmd_finish_abort(cmd, 1))
    1578 + target_put_sess_cmd(cmd);
    1579 }
    1580 }
    1581
    1582 @@ -380,8 +380,8 @@ static void core_tmr_drain_state_list(
    1583 cancel_work_sync(&cmd->work);
    1584 transport_wait_for_tasks(cmd);
    1585
    1586 - core_tmr_handle_tas_abort(cmd, tas);
    1587 - target_put_sess_cmd(cmd);
    1588 + if (!core_tmr_handle_tas_abort(cmd, tas))
    1589 + target_put_sess_cmd(cmd);
    1590 }
    1591 }
    1592
    1593 diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
    1594 index ff26626d94ef..690c790431dd 100644
    1595 --- a/drivers/target/target_core_transport.c
    1596 +++ b/drivers/target/target_core_transport.c
    1597 @@ -651,9 +651,10 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd)
    1598 percpu_ref_put(&lun->lun_ref);
    1599 }
    1600
    1601 -void transport_cmd_finish_abort(struct se_cmd *cmd, int remove)
    1602 +int transport_cmd_finish_abort(struct se_cmd *cmd, int remove)
    1603 {
    1604 bool ack_kref = (cmd->se_cmd_flags & SCF_ACK_KREF);
    1605 + int ret = 0;
    1606
    1607 if (cmd->se_cmd_flags & SCF_SE_LUN_CMD)
    1608 transport_lun_remove_cmd(cmd);
    1609 @@ -665,9 +666,11 @@ void transport_cmd_finish_abort(struct se_cmd *cmd, int remove)
    1610 cmd->se_tfo->aborted_task(cmd);
    1611
    1612 if (transport_cmd_check_stop_to_fabric(cmd))
    1613 - return;
    1614 + return 1;
    1615 if (remove && ack_kref)
    1616 - transport_put_cmd(cmd);
    1617 + ret = transport_put_cmd(cmd);
    1618 +
    1619 + return ret;
    1620 }
    1621
    1622 static void target_complete_failure_work(struct work_struct *work)
    1623 diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
    1624 index a0085571824d..4c32c96f9c90 100644
    1625 --- a/drivers/usb/gadget/function/f_fs.c
    1626 +++ b/drivers/usb/gadget/function/f_fs.c
    1627 @@ -1859,12 +1859,12 @@ static int ffs_func_eps_enable(struct ffs_function *func)
    1628 ep->ep->driver_data = ep;
    1629 ep->ep->desc = ds;
    1630
    1631 - comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
    1632 - USB_DT_ENDPOINT_SIZE);
    1633 - ep->ep->maxburst = comp_desc->bMaxBurst + 1;
    1634 -
    1635 - if (needs_comp_desc)
    1636 + if (needs_comp_desc) {
    1637 + comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
    1638 + USB_DT_ENDPOINT_SIZE);
    1639 + ep->ep->maxburst = comp_desc->bMaxBurst + 1;
    1640 ep->ep->comp_desc = comp_desc;
    1641 + }
    1642
    1643 ret = usb_ep_enable(ep->ep);
    1644 if (likely(!ret)) {
    1645 diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c
    1646 index 734cbf8d9676..dd9f1bebb5a3 100644
    1647 --- a/fs/autofs4/dev-ioctl.c
    1648 +++ b/fs/autofs4/dev-ioctl.c
    1649 @@ -344,7 +344,7 @@ static int autofs_dev_ioctl_fail(struct file *fp,
    1650 int status;
    1651
    1652 token = (autofs_wqt_t) param->fail.token;
    1653 - status = param->fail.status ? param->fail.status : -ENOENT;
    1654 + status = param->fail.status < 0 ? param->fail.status : -ENOENT;
    1655 return autofs4_wait_release(sbi, token, status);
    1656 }
    1657
    1658 diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
    1659 index 27bc360c7ffd..a723df3e0197 100644
    1660 --- a/fs/cifs/smb1ops.c
    1661 +++ b/fs/cifs/smb1ops.c
    1662 @@ -849,8 +849,13 @@ cifs_query_dir_first(const unsigned int xid, struct cifs_tcon *tcon,
    1663 struct cifs_fid *fid, __u16 search_flags,
    1664 struct cifs_search_info *srch_inf)
    1665 {
    1666 - return CIFSFindFirst(xid, tcon, path, cifs_sb,
    1667 - &fid->netfid, search_flags, srch_inf, true);
    1668 + int rc;
    1669 +
    1670 + rc = CIFSFindFirst(xid, tcon, path, cifs_sb,
    1671 + &fid->netfid, search_flags, srch_inf, true);
    1672 + if (rc)
    1673 + cifs_dbg(FYI, "find first failed=%d\n", rc);
    1674 + return rc;
    1675 }
    1676
    1677 static int
    1678 diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
    1679 index c58691834eb2..7e48561abd29 100644
    1680 --- a/fs/cifs/smb2ops.c
    1681 +++ b/fs/cifs/smb2ops.c
    1682 @@ -982,7 +982,7 @@ smb2_query_dir_first(const unsigned int xid, struct cifs_tcon *tcon,
    1683 rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL);
    1684 kfree(utf16_path);
    1685 if (rc) {
    1686 - cifs_dbg(VFS, "open dir failed\n");
    1687 + cifs_dbg(FYI, "open dir failed rc=%d\n", rc);
    1688 return rc;
    1689 }
    1690
    1691 @@ -992,7 +992,7 @@ smb2_query_dir_first(const unsigned int xid, struct cifs_tcon *tcon,
    1692 rc = SMB2_query_directory(xid, tcon, fid->persistent_fid,
    1693 fid->volatile_fid, 0, srch_inf);
    1694 if (rc) {
    1695 - cifs_dbg(VFS, "query directory failed\n");
    1696 + cifs_dbg(FYI, "query directory failed rc=%d\n", rc);
    1697 SMB2_close(xid, tcon, fid->persistent_fid, fid->volatile_fid);
    1698 }
    1699 return rc;
    1700 @@ -1809,7 +1809,8 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc)
    1701
    1702 sg = init_sg(rqst, sign);
    1703 if (!sg) {
    1704 - cifs_dbg(VFS, "%s: Failed to init sg %d", __func__, rc);
    1705 + cifs_dbg(VFS, "%s: Failed to init sg", __func__);
    1706 + rc = -ENOMEM;
    1707 goto free_req;
    1708 }
    1709
    1710 @@ -1817,6 +1818,7 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc)
    1711 iv = kzalloc(iv_len, GFP_KERNEL);
    1712 if (!iv) {
    1713 cifs_dbg(VFS, "%s: Failed to alloc IV", __func__);
    1714 + rc = -ENOMEM;
    1715 goto free_sg;
    1716 }
    1717 iv[0] = 3;
    1718 diff --git a/fs/dax.c b/fs/dax.c
    1719 index 285f4ab6f498..08a793c61580 100644
    1720 --- a/fs/dax.c
    1721 +++ b/fs/dax.c
    1722 @@ -875,6 +875,7 @@ int dax_writeback_mapping_range(struct address_space *mapping,
    1723 if (ret < 0)
    1724 return ret;
    1725 }
    1726 + start_index = indices[pvec.nr - 1] + 1;
    1727 }
    1728 return 0;
    1729 }
    1730 diff --git a/fs/exec.c b/fs/exec.c
    1731 index 65145a3df065..ce0901e65c40 100644
    1732 --- a/fs/exec.c
    1733 +++ b/fs/exec.c
    1734 @@ -220,8 +220,26 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
    1735
    1736 if (write) {
    1737 unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
    1738 + unsigned long ptr_size;
    1739 struct rlimit *rlim;
    1740
    1741 + /*
    1742 + * Since the stack will hold pointers to the strings, we
    1743 + * must account for them as well.
    1744 + *
    1745 + * The size calculation is the entire vma while each arg page is
    1746 + * built, so each time we get here it's calculating how far it
    1747 + * is currently (rather than each call being just the newly
    1748 + * added size from the arg page). As a result, we need to
    1749 + * always add the entire size of the pointers, so that on the
    1750 + * last call to get_arg_page() we'll actually have the entire
    1751 + * correct size.
    1752 + */
    1753 + ptr_size = (bprm->argc + bprm->envc) * sizeof(void *);
    1754 + if (ptr_size > ULONG_MAX - size)
    1755 + goto fail;
    1756 + size += ptr_size;
    1757 +
    1758 acct_arg_size(bprm, size / PAGE_SIZE);
    1759
    1760 /*
    1761 @@ -239,13 +257,15 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
    1762 * to work from.
    1763 */
    1764 rlim = current->signal->rlim;
    1765 - if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) {
    1766 - put_page(page);
    1767 - return NULL;
    1768 - }
    1769 + if (size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4)
    1770 + goto fail;
    1771 }
    1772
    1773 return page;
    1774 +
    1775 +fail:
    1776 + put_page(page);
    1777 + return NULL;
    1778 }
    1779
    1780 static void put_arg_page(struct page *page)
    1781 diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h
    1782 index ef0ae8aaa567..94f18da4be87 100644
    1783 --- a/include/acpi/acpi_bus.h
    1784 +++ b/include/acpi/acpi_bus.h
    1785 @@ -209,7 +209,8 @@ struct acpi_device_flags {
    1786 u32 of_compatible_ok:1;
    1787 u32 coherent_dma:1;
    1788 u32 cca_seen:1;
    1789 - u32 reserved:20;
    1790 + u32 spi_i2c_slave:1;
    1791 + u32 reserved:19;
    1792 };
    1793
    1794 /* File System */
    1795 diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
    1796 index be378cf47fcc..b3044c2c62cb 100644
    1797 --- a/include/linux/netfilter/x_tables.h
    1798 +++ b/include/linux/netfilter/x_tables.h
    1799 @@ -294,7 +294,7 @@ int xt_match_to_user(const struct xt_entry_match *m,
    1800 int xt_target_to_user(const struct xt_entry_target *t,
    1801 struct xt_entry_target __user *u);
    1802 int xt_data_to_user(void __user *dst, const void *src,
    1803 - int usersize, int size);
    1804 + int usersize, int size, int aligned_size);
    1805
    1806 void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
    1807 struct xt_counters_info *info, bool compat);
    1808 diff --git a/include/linux/timekeeper_internal.h b/include/linux/timekeeper_internal.h
    1809 index 110f4532188c..f7043ccca81c 100644
    1810 --- a/include/linux/timekeeper_internal.h
    1811 +++ b/include/linux/timekeeper_internal.h
    1812 @@ -29,7 +29,6 @@
    1813 */
    1814 struct tk_read_base {
    1815 struct clocksource *clock;
    1816 - u64 (*read)(struct clocksource *cs);
    1817 u64 mask;
    1818 u64 cycle_last;
    1819 u32 mult;
    1820 @@ -58,7 +57,7 @@ struct tk_read_base {
    1821 * interval.
    1822 * @xtime_remainder: Shifted nano seconds left over when rounding
    1823 * @cycle_interval
    1824 - * @raw_interval: Raw nano seconds accumulated per NTP interval.
    1825 + * @raw_interval: Shifted raw nano seconds accumulated per NTP interval.
    1826 * @ntp_error: Difference between accumulated time and NTP time in ntp
    1827 * shifted nano seconds.
    1828 * @ntp_error_shift: Shift conversion between clock shifted nano seconds and
    1829 @@ -100,7 +99,7 @@ struct timekeeper {
    1830 u64 cycle_interval;
    1831 u64 xtime_interval;
    1832 s64 xtime_remainder;
    1833 - u32 raw_interval;
    1834 + u64 raw_interval;
    1835 /* The ntp_tick_length() value currently being used.
    1836 * This cached copy ensures we consistently apply the tick
    1837 * length for an entire tick, as ntp_tick_length may change
    1838 diff --git a/kernel/signal.c b/kernel/signal.c
    1839 index 7e59ebc2c25e..e75e9601817e 100644
    1840 --- a/kernel/signal.c
    1841 +++ b/kernel/signal.c
    1842 @@ -510,7 +510,8 @@ int unhandled_signal(struct task_struct *tsk, int sig)
    1843 return !tsk->ptrace;
    1844 }
    1845
    1846 -static void collect_signal(int sig, struct sigpending *list, siginfo_t *info)
    1847 +static void collect_signal(int sig, struct sigpending *list, siginfo_t *info,
    1848 + bool *resched_timer)
    1849 {
    1850 struct sigqueue *q, *first = NULL;
    1851
    1852 @@ -532,6 +533,12 @@ static void collect_signal(int sig, struct sigpending *list, siginfo_t *info)
    1853 still_pending:
    1854 list_del_init(&first->list);
    1855 copy_siginfo(info, &first->info);
    1856 +
    1857 + *resched_timer =
    1858 + (first->flags & SIGQUEUE_PREALLOC) &&
    1859 + (info->si_code == SI_TIMER) &&
    1860 + (info->si_sys_private);
    1861 +
    1862 __sigqueue_free(first);
    1863 } else {
    1864 /*
    1865 @@ -548,12 +555,12 @@ static void collect_signal(int sig, struct sigpending *list, siginfo_t *info)
    1866 }
    1867
    1868 static int __dequeue_signal(struct sigpending *pending, sigset_t *mask,
    1869 - siginfo_t *info)
    1870 + siginfo_t *info, bool *resched_timer)
    1871 {
    1872 int sig = next_signal(pending, mask);
    1873
    1874 if (sig)
    1875 - collect_signal(sig, pending, info);
    1876 + collect_signal(sig, pending, info, resched_timer);
    1877 return sig;
    1878 }
    1879
    1880 @@ -565,15 +572,16 @@ static int __dequeue_signal(struct sigpending *pending, sigset_t *mask,
    1881 */
    1882 int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info)
    1883 {
    1884 + bool resched_timer = false;
    1885 int signr;
    1886
    1887 /* We only dequeue private signals from ourselves, we don't let
    1888 * signalfd steal them
    1889 */
    1890 - signr = __dequeue_signal(&tsk->pending, mask, info);
    1891 + signr = __dequeue_signal(&tsk->pending, mask, info, &resched_timer);
    1892 if (!signr) {
    1893 signr = __dequeue_signal(&tsk->signal->shared_pending,
    1894 - mask, info);
    1895 + mask, info, &resched_timer);
    1896 #ifdef CONFIG_POSIX_TIMERS
    1897 /*
    1898 * itimer signal ?
    1899 @@ -621,7 +629,7 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info)
    1900 current->jobctl |= JOBCTL_STOP_DEQUEUED;
    1901 }
    1902 #ifdef CONFIG_POSIX_TIMERS
    1903 - if ((info->si_code & __SI_MASK) == __SI_TIMER && info->si_sys_private) {
    1904 + if (resched_timer) {
    1905 /*
    1906 * Release the siglock to ensure proper locking order
    1907 * of timer locks outside of siglocks. Note, we leave
    1908 diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
    1909 index 5b63a2102c29..0eaf309aae63 100644
    1910 --- a/kernel/time/timekeeping.c
    1911 +++ b/kernel/time/timekeeping.c
    1912 @@ -118,6 +118,26 @@ static inline void tk_update_sleep_time(struct timekeeper *tk, ktime_t delta)
    1913 tk->offs_boot = ktime_add(tk->offs_boot, delta);
    1914 }
    1915
    1916 +/*
    1917 + * tk_clock_read - atomic clocksource read() helper
    1918 + *
    1919 + * This helper is necessary to use in the read paths because, while the
    1920 + * seqlock ensures we don't return a bad value while structures are updated,
    1921 + * it doesn't protect from potential crashes. There is the possibility that
    1922 + * the tkr's clocksource may change between the read reference, and the
    1923 + * clock reference passed to the read function. This can cause crashes if
    1924 + * the wrong clocksource is passed to the wrong read function.
    1925 + * This isn't necessary to use when holding the timekeeper_lock or doing
    1926 + * a read of the fast-timekeeper tkrs (which is protected by its own locking
    1927 + * and update logic).
    1928 + */
    1929 +static inline u64 tk_clock_read(struct tk_read_base *tkr)
    1930 +{
    1931 + struct clocksource *clock = READ_ONCE(tkr->clock);
    1932 +
    1933 + return clock->read(clock);
    1934 +}
    1935 +
    1936 #ifdef CONFIG_DEBUG_TIMEKEEPING
    1937 #define WARNING_FREQ (HZ*300) /* 5 minute rate-limiting */
    1938
    1939 @@ -175,7 +195,7 @@ static inline u64 timekeeping_get_delta(struct tk_read_base *tkr)
    1940 */
    1941 do {
    1942 seq = read_seqcount_begin(&tk_core.seq);
    1943 - now = tkr->read(tkr->clock);
    1944 + now = tk_clock_read(tkr);
    1945 last = tkr->cycle_last;
    1946 mask = tkr->mask;
    1947 max = tkr->clock->max_cycles;
    1948 @@ -209,7 +229,7 @@ static inline u64 timekeeping_get_delta(struct tk_read_base *tkr)
    1949 u64 cycle_now, delta;
    1950
    1951 /* read clocksource */
    1952 - cycle_now = tkr->read(tkr->clock);
    1953 + cycle_now = tk_clock_read(tkr);
    1954
    1955 /* calculate the delta since the last update_wall_time */
    1956 delta = clocksource_delta(cycle_now, tkr->cycle_last, tkr->mask);
    1957 @@ -238,12 +258,10 @@ static void tk_setup_internals(struct timekeeper *tk, struct clocksource *clock)
    1958 ++tk->cs_was_changed_seq;
    1959 old_clock = tk->tkr_mono.clock;
    1960 tk->tkr_mono.clock = clock;
    1961 - tk->tkr_mono.read = clock->read;
    1962 tk->tkr_mono.mask = clock->mask;
    1963 - tk->tkr_mono.cycle_last = tk->tkr_mono.read(clock);
    1964 + tk->tkr_mono.cycle_last = tk_clock_read(&tk->tkr_mono);
    1965
    1966 tk->tkr_raw.clock = clock;
    1967 - tk->tkr_raw.read = clock->read;
    1968 tk->tkr_raw.mask = clock->mask;
    1969 tk->tkr_raw.cycle_last = tk->tkr_mono.cycle_last;
    1970
    1971 @@ -262,7 +280,7 @@ static void tk_setup_internals(struct timekeeper *tk, struct clocksource *clock)
    1972 /* Go back from cycles -> shifted ns */
    1973 tk->xtime_interval = interval * clock->mult;
    1974 tk->xtime_remainder = ntpinterval - tk->xtime_interval;
    1975 - tk->raw_interval = (interval * clock->mult) >> clock->shift;
    1976 + tk->raw_interval = interval * clock->mult;
    1977
    1978 /* if changing clocks, convert xtime_nsec shift units */
    1979 if (old_clock) {
    1980 @@ -404,7 +422,7 @@ static __always_inline u64 __ktime_get_fast_ns(struct tk_fast *tkf)
    1981
    1982 now += timekeeping_delta_to_ns(tkr,
    1983 clocksource_delta(
    1984 - tkr->read(tkr->clock),
    1985 + tk_clock_read(tkr),
    1986 tkr->cycle_last,
    1987 tkr->mask));
    1988 } while (read_seqcount_retry(&tkf->seq, seq));
    1989 @@ -461,6 +479,10 @@ static u64 dummy_clock_read(struct clocksource *cs)
    1990 return cycles_at_suspend;
    1991 }
    1992
    1993 +static struct clocksource dummy_clock = {
    1994 + .read = dummy_clock_read,
    1995 +};
    1996 +
    1997 /**
    1998 * halt_fast_timekeeper - Prevent fast timekeeper from accessing clocksource.
    1999 * @tk: Timekeeper to snapshot.
    2000 @@ -477,13 +499,13 @@ static void halt_fast_timekeeper(struct timekeeper *tk)
    2001 struct tk_read_base *tkr = &tk->tkr_mono;
    2002
    2003 memcpy(&tkr_dummy, tkr, sizeof(tkr_dummy));
    2004 - cycles_at_suspend = tkr->read(tkr->clock);
    2005 - tkr_dummy.read = dummy_clock_read;
    2006 + cycles_at_suspend = tk_clock_read(tkr);
    2007 + tkr_dummy.clock = &dummy_clock;
    2008 update_fast_timekeeper(&tkr_dummy, &tk_fast_mono);
    2009
    2010 tkr = &tk->tkr_raw;
    2011 memcpy(&tkr_dummy, tkr, sizeof(tkr_dummy));
    2012 - tkr_dummy.read = dummy_clock_read;
    2013 + tkr_dummy.clock = &dummy_clock;
    2014 update_fast_timekeeper(&tkr_dummy, &tk_fast_raw);
    2015 }
    2016
    2017 @@ -649,11 +671,10 @@ static void timekeeping_update(struct timekeeper *tk, unsigned int action)
    2018 */
    2019 static void timekeeping_forward_now(struct timekeeper *tk)
    2020 {
    2021 - struct clocksource *clock = tk->tkr_mono.clock;
    2022 u64 cycle_now, delta;
    2023 u64 nsec;
    2024
    2025 - cycle_now = tk->tkr_mono.read(clock);
    2026 + cycle_now = tk_clock_read(&tk->tkr_mono);
    2027 delta = clocksource_delta(cycle_now, tk->tkr_mono.cycle_last, tk->tkr_mono.mask);
    2028 tk->tkr_mono.cycle_last = cycle_now;
    2029 tk->tkr_raw.cycle_last = cycle_now;
    2030 @@ -929,8 +950,7 @@ void ktime_get_snapshot(struct system_time_snapshot *systime_snapshot)
    2031
    2032 do {
    2033 seq = read_seqcount_begin(&tk_core.seq);
    2034 -
    2035 - now = tk->tkr_mono.read(tk->tkr_mono.clock);
    2036 + now = tk_clock_read(&tk->tkr_mono);
    2037 systime_snapshot->cs_was_changed_seq = tk->cs_was_changed_seq;
    2038 systime_snapshot->clock_was_set_seq = tk->clock_was_set_seq;
    2039 base_real = ktime_add(tk->tkr_mono.base,
    2040 @@ -1109,7 +1129,7 @@ int get_device_system_crosststamp(int (*get_time_fn)
    2041 * Check whether the system counter value provided by the
    2042 * device driver is on the current timekeeping interval.
    2043 */
    2044 - now = tk->tkr_mono.read(tk->tkr_mono.clock);
    2045 + now = tk_clock_read(&tk->tkr_mono);
    2046 interval_start = tk->tkr_mono.cycle_last;
    2047 if (!cycle_between(interval_start, cycles, now)) {
    2048 clock_was_set_seq = tk->clock_was_set_seq;
    2049 @@ -1630,7 +1650,7 @@ void timekeeping_resume(void)
    2050 * The less preferred source will only be tried if there is no better
    2051 * usable source. The rtc part is handled separately in rtc core code.
    2052 */
    2053 - cycle_now = tk->tkr_mono.read(clock);
    2054 + cycle_now = tk_clock_read(&tk->tkr_mono);
    2055 if ((clock->flags & CLOCK_SOURCE_SUSPEND_NONSTOP) &&
    2056 cycle_now > tk->tkr_mono.cycle_last) {
    2057 u64 nsec, cyc_delta;
    2058 @@ -1977,7 +1997,7 @@ static u64 logarithmic_accumulation(struct timekeeper *tk, u64 offset,
    2059 u32 shift, unsigned int *clock_set)
    2060 {
    2061 u64 interval = tk->cycle_interval << shift;
    2062 - u64 raw_nsecs;
    2063 + u64 snsec_per_sec;
    2064
    2065 /* If the offset is smaller than a shifted interval, do nothing */
    2066 if (offset < interval)
    2067 @@ -1992,14 +2012,15 @@ static u64 logarithmic_accumulation(struct timekeeper *tk, u64 offset,
    2068 *clock_set |= accumulate_nsecs_to_secs(tk);
    2069
    2070 /* Accumulate raw time */
    2071 - raw_nsecs = (u64)tk->raw_interval << shift;
    2072 - raw_nsecs += tk->raw_time.tv_nsec;
    2073 - if (raw_nsecs >= NSEC_PER_SEC) {
    2074 - u64 raw_secs = raw_nsecs;
    2075 - raw_nsecs = do_div(raw_secs, NSEC_PER_SEC);
    2076 - tk->raw_time.tv_sec += raw_secs;
    2077 + tk->tkr_raw.xtime_nsec += (u64)tk->raw_time.tv_nsec << tk->tkr_raw.shift;
    2078 + tk->tkr_raw.xtime_nsec += tk->raw_interval << shift;
    2079 + snsec_per_sec = (u64)NSEC_PER_SEC << tk->tkr_raw.shift;
    2080 + while (tk->tkr_raw.xtime_nsec >= snsec_per_sec) {
    2081 + tk->tkr_raw.xtime_nsec -= snsec_per_sec;
    2082 + tk->raw_time.tv_sec++;
    2083 }
    2084 - tk->raw_time.tv_nsec = raw_nsecs;
    2085 + tk->raw_time.tv_nsec = tk->tkr_raw.xtime_nsec >> tk->tkr_raw.shift;
    2086 + tk->tkr_raw.xtime_nsec -= (u64)tk->raw_time.tv_nsec << tk->tkr_raw.shift;
    2087
    2088 /* Accumulate error between NTP and clock interval */
    2089 tk->ntp_error += tk->ntp_tick << shift;
    2090 @@ -2031,7 +2052,7 @@ void update_wall_time(void)
    2091 #ifdef CONFIG_ARCH_USES_GETTIMEOFFSET
    2092 offset = real_tk->cycle_interval;
    2093 #else
    2094 - offset = clocksource_delta(tk->tkr_mono.read(tk->tkr_mono.clock),
    2095 + offset = clocksource_delta(tk_clock_read(&tk->tkr_mono),
    2096 tk->tkr_mono.cycle_last, tk->tkr_mono.mask);
    2097 #endif
    2098
    2099 diff --git a/lib/cmdline.c b/lib/cmdline.c
    2100 index 8f13cf73c2ec..79069d7938ea 100644
    2101 --- a/lib/cmdline.c
    2102 +++ b/lib/cmdline.c
    2103 @@ -22,14 +22,14 @@
    2104 * the values[M, M+1, ..., N] into the ints array in get_options.
    2105 */
    2106
    2107 -static int get_range(char **str, int *pint)
    2108 +static int get_range(char **str, int *pint, int n)
    2109 {
    2110 int x, inc_counter, upper_range;
    2111
    2112 (*str)++;
    2113 upper_range = simple_strtol((*str), NULL, 0);
    2114 inc_counter = upper_range - *pint;
    2115 - for (x = *pint; x < upper_range; x++)
    2116 + for (x = *pint; n && x < upper_range; x++, n--)
    2117 *pint++ = x;
    2118 return inc_counter;
    2119 }
    2120 @@ -96,7 +96,7 @@ char *get_options(const char *str, int nints, int *ints)
    2121 break;
    2122 if (res == 3) {
    2123 int range_nums;
    2124 - range_nums = get_range((char **)&str, ints + i);
    2125 + range_nums = get_range((char **)&str, ints + i, nints - i);
    2126 if (range_nums < 0)
    2127 break;
    2128 /*
    2129 diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
    2130 index 79b69917f521..656c259bcc14 100644
    2131 --- a/net/bridge/netfilter/ebtables.c
    2132 +++ b/net/bridge/netfilter/ebtables.c
    2133 @@ -1358,7 +1358,8 @@ static inline int ebt_obj_to_user(char __user *um, const char *_name,
    2134 strlcpy(name, _name, sizeof(name));
    2135 if (copy_to_user(um, name, EBT_FUNCTION_MAXNAMELEN) ||
    2136 put_user(datasize, (int __user *)(um + EBT_FUNCTION_MAXNAMELEN)) ||
    2137 - xt_data_to_user(um + entrysize, data, usersize, datasize))
    2138 + xt_data_to_user(um + entrysize, data, usersize, datasize,
    2139 + XT_ALIGN(datasize)))
    2140 return -EFAULT;
    2141
    2142 return 0;
    2143 @@ -1643,7 +1644,8 @@ static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
    2144 if (match->compat_to_user(cm->data, m->data))
    2145 return -EFAULT;
    2146 } else {
    2147 - if (xt_data_to_user(cm->data, m->data, match->usersize, msize))
    2148 + if (xt_data_to_user(cm->data, m->data, match->usersize, msize,
    2149 + COMPAT_XT_ALIGN(msize)))
    2150 return -EFAULT;
    2151 }
    2152
    2153 @@ -1672,7 +1674,8 @@ static int compat_target_to_user(struct ebt_entry_target *t,
    2154 if (target->compat_to_user(cm->data, t->data))
    2155 return -EFAULT;
    2156 } else {
    2157 - if (xt_data_to_user(cm->data, t->data, target->usersize, tsize))
    2158 + if (xt_data_to_user(cm->data, t->data, target->usersize, tsize,
    2159 + COMPAT_XT_ALIGN(tsize)))
    2160 return -EFAULT;
    2161 }
    2162
    2163 diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
    2164 index 14857afc9937..32488c09cfb9 100644
    2165 --- a/net/netfilter/x_tables.c
    2166 +++ b/net/netfilter/x_tables.c
    2167 @@ -283,28 +283,30 @@ static int xt_obj_to_user(u16 __user *psize, u16 size,
    2168 &U->u.user.revision, K->u.kernel.TYPE->revision)
    2169
    2170 int xt_data_to_user(void __user *dst, const void *src,
    2171 - int usersize, int size)
    2172 + int usersize, int size, int aligned_size)
    2173 {
    2174 usersize = usersize ? : size;
    2175 if (copy_to_user(dst, src, usersize))
    2176 return -EFAULT;
    2177 - if (usersize != size && clear_user(dst + usersize, size - usersize))
    2178 + if (usersize != aligned_size &&
    2179 + clear_user(dst + usersize, aligned_size - usersize))
    2180 return -EFAULT;
    2181
    2182 return 0;
    2183 }
    2184 EXPORT_SYMBOL_GPL(xt_data_to_user);
    2185
    2186 -#define XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \
    2187 +#define XT_DATA_TO_USER(U, K, TYPE) \
    2188 xt_data_to_user(U->data, K->data, \
    2189 K->u.kernel.TYPE->usersize, \
    2190 - C_SIZE ? : K->u.kernel.TYPE->TYPE##size)
    2191 + K->u.kernel.TYPE->TYPE##size, \
    2192 + XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
    2193
    2194 int xt_match_to_user(const struct xt_entry_match *m,
    2195 struct xt_entry_match __user *u)
    2196 {
    2197 return XT_OBJ_TO_USER(u, m, match, 0) ||
    2198 - XT_DATA_TO_USER(u, m, match, 0);
    2199 + XT_DATA_TO_USER(u, m, match);
    2200 }
    2201 EXPORT_SYMBOL_GPL(xt_match_to_user);
    2202
    2203 @@ -312,7 +314,7 @@ int xt_target_to_user(const struct xt_entry_target *t,
    2204 struct xt_entry_target __user *u)
    2205 {
    2206 return XT_OBJ_TO_USER(u, t, target, 0) ||
    2207 - XT_DATA_TO_USER(u, t, target, 0);
    2208 + XT_DATA_TO_USER(u, t, target);
    2209 }
    2210 EXPORT_SYMBOL_GPL(xt_target_to_user);
    2211
    2212 @@ -611,6 +613,12 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
    2213 }
    2214 EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
    2215
    2216 +#define COMPAT_XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \
    2217 + xt_data_to_user(U->data, K->data, \
    2218 + K->u.kernel.TYPE->usersize, \
    2219 + C_SIZE, \
    2220 + COMPAT_XT_ALIGN(C_SIZE))
    2221 +
    2222 int xt_compat_match_to_user(const struct xt_entry_match *m,
    2223 void __user **dstptr, unsigned int *size)
    2224 {
    2225 @@ -626,7 +634,7 @@ int xt_compat_match_to_user(const struct xt_entry_match *m,
    2226 if (match->compat_to_user((void __user *)cm->data, m->data))
    2227 return -EFAULT;
    2228 } else {
    2229 - if (XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
    2230 + if (COMPAT_XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
    2231 return -EFAULT;
    2232 }
    2233
    2234 @@ -981,7 +989,7 @@ int xt_compat_target_to_user(const struct xt_entry_target *t,
    2235 if (target->compat_to_user((void __user *)ct->data, t->data))
    2236 return -EFAULT;
    2237 } else {
    2238 - if (XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
    2239 + if (COMPAT_XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
    2240 return -EFAULT;
    2241 }
    2242
    2243 diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
    2244 index 0a4e28477ad9..54369225766e 100644
    2245 --- a/net/rxrpc/key.c
    2246 +++ b/net/rxrpc/key.c
    2247 @@ -217,7 +217,7 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
    2248 unsigned int *_toklen)
    2249 {
    2250 const __be32 *xdr = *_xdr;
    2251 - unsigned int toklen = *_toklen, n_parts, loop, tmp;
    2252 + unsigned int toklen = *_toklen, n_parts, loop, tmp, paddedlen;
    2253
    2254 /* there must be at least one name, and at least #names+1 length
    2255 * words */
    2256 @@ -247,16 +247,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
    2257 toklen -= 4;
    2258 if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX)
    2259 return -EINVAL;
    2260 - if (tmp > toklen)
    2261 + paddedlen = (tmp + 3) & ~3;
    2262 + if (paddedlen > toklen)
    2263 return -EINVAL;
    2264 princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL);
    2265 if (!princ->name_parts[loop])
    2266 return -ENOMEM;
    2267 memcpy(princ->name_parts[loop], xdr, tmp);
    2268 princ->name_parts[loop][tmp] = 0;
    2269 - tmp = (tmp + 3) & ~3;
    2270 - toklen -= tmp;
    2271 - xdr += tmp >> 2;
    2272 + toklen -= paddedlen;
    2273 + xdr += paddedlen >> 2;
    2274 }
    2275
    2276 if (toklen < 4)
    2277 @@ -265,16 +265,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
    2278 toklen -= 4;
    2279 if (tmp <= 0 || tmp > AFSTOKEN_K5_REALM_MAX)
    2280 return -EINVAL;
    2281 - if (tmp > toklen)
    2282 + paddedlen = (tmp + 3) & ~3;
    2283 + if (paddedlen > toklen)
    2284 return -EINVAL;
    2285 princ->realm = kmalloc(tmp + 1, GFP_KERNEL);
    2286 if (!princ->realm)
    2287 return -ENOMEM;
    2288 memcpy(princ->realm, xdr, tmp);
    2289 princ->realm[tmp] = 0;
    2290 - tmp = (tmp + 3) & ~3;
    2291 - toklen -= tmp;
    2292 - xdr += tmp >> 2;
    2293 + toklen -= paddedlen;
    2294 + xdr += paddedlen >> 2;
    2295
    2296 _debug("%s/...@%s", princ->name_parts[0], princ->realm);
    2297
    2298 @@ -293,7 +293,7 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td,
    2299 unsigned int *_toklen)
    2300 {
    2301 const __be32 *xdr = *_xdr;
    2302 - unsigned int toklen = *_toklen, len;
    2303 + unsigned int toklen = *_toklen, len, paddedlen;
    2304
    2305 /* there must be at least one tag and one length word */
    2306 if (toklen <= 8)
    2307 @@ -307,15 +307,17 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td,
    2308 toklen -= 8;
    2309 if (len > max_data_size)
    2310 return -EINVAL;
    2311 + paddedlen = (len + 3) & ~3;
    2312 + if (paddedlen > toklen)
    2313 + return -EINVAL;
    2314 td->data_len = len;
    2315
    2316 if (len > 0) {
    2317 td->data = kmemdup(xdr, len, GFP_KERNEL);
    2318 if (!td->data)
    2319 return -ENOMEM;
    2320 - len = (len + 3) & ~3;
    2321 - toklen -= len;
    2322 - xdr += len >> 2;
    2323 + toklen -= paddedlen;
    2324 + xdr += paddedlen >> 2;
    2325 }
    2326
    2327 _debug("tag %x len %x", td->tag, td->data_len);
    2328 @@ -387,7 +389,7 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
    2329 const __be32 **_xdr, unsigned int *_toklen)
    2330 {
    2331 const __be32 *xdr = *_xdr;
    2332 - unsigned int toklen = *_toklen, len;
    2333 + unsigned int toklen = *_toklen, len, paddedlen;
    2334
    2335 /* there must be at least one length word */
    2336 if (toklen <= 4)
    2337 @@ -399,6 +401,9 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
    2338 toklen -= 4;
    2339 if (len > AFSTOKEN_K5_TIX_MAX)
    2340 return -EINVAL;
    2341 + paddedlen = (len + 3) & ~3;
    2342 + if (paddedlen > toklen)
    2343 + return -EINVAL;
    2344 *_tktlen = len;
    2345
    2346 _debug("ticket len %u", len);
    2347 @@ -407,9 +412,8 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
    2348 *_ticket = kmemdup(xdr, len, GFP_KERNEL);
    2349 if (!*_ticket)
    2350 return -ENOMEM;
    2351 - len = (len + 3) & ~3;
    2352 - toklen -= len;
    2353 - xdr += len >> 2;
    2354 + toklen -= paddedlen;
    2355 + xdr += paddedlen >> 2;
    2356 }
    2357
    2358 *_xdr = xdr;
    2359 @@ -552,7 +556,7 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
    2360 {
    2361 const __be32 *xdr = prep->data, *token;
    2362 const char *cp;
    2363 - unsigned int len, tmp, loop, ntoken, toklen, sec_ix;
    2364 + unsigned int len, paddedlen, loop, ntoken, toklen, sec_ix;
    2365 size_t datalen = prep->datalen;
    2366 int ret;
    2367
    2368 @@ -578,22 +582,21 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
    2369 if (len < 1 || len > AFSTOKEN_CELL_MAX)
    2370 goto not_xdr;
    2371 datalen -= 4;
    2372 - tmp = (len + 3) & ~3;
    2373 - if (tmp > datalen)
    2374 + paddedlen = (len + 3) & ~3;
    2375 + if (paddedlen > datalen)
    2376 goto not_xdr;
    2377
    2378 cp = (const char *) xdr;
    2379 for (loop = 0; loop < len; loop++)
    2380 if (!isprint(cp[loop]))
    2381 goto not_xdr;
    2382 - if (len < tmp)
    2383 - for (; loop < tmp; loop++)
    2384 - if (cp[loop])
    2385 - goto not_xdr;
    2386 + for (; loop < paddedlen; loop++)
    2387 + if (cp[loop])
    2388 + goto not_xdr;
    2389 _debug("cellname: [%u/%u] '%*.*s'",
    2390 - len, tmp, len, len, (const char *) xdr);
    2391 - datalen -= tmp;
    2392 - xdr += tmp >> 2;
    2393 + len, paddedlen, len, len, (const char *) xdr);
    2394 + datalen -= paddedlen;
    2395 + xdr += paddedlen >> 2;
    2396
    2397 /* get the token count */
    2398 if (datalen < 12)
    2399 @@ -614,10 +617,11 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
    2400 sec_ix = ntohl(*xdr);
    2401 datalen -= 4;
    2402 _debug("token: [%x/%zx] %x", toklen, datalen, sec_ix);
    2403 - if (toklen < 20 || toklen > datalen)
    2404 + paddedlen = (toklen + 3) & ~3;
    2405 + if (toklen < 20 || toklen > datalen || paddedlen > datalen)
    2406 goto not_xdr;
    2407 - datalen -= (toklen + 3) & ~3;
    2408 - xdr += (toklen + 3) >> 2;
    2409 + datalen -= paddedlen;
    2410 + xdr += paddedlen >> 2;
    2411
    2412 } while (--loop > 0);
    2413
    2414 diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
    2415 index 5088d4b8db22..009e6c98754e 100644
    2416 --- a/sound/core/pcm_lib.c
    2417 +++ b/sound/core/pcm_lib.c
    2418 @@ -2492,7 +2492,7 @@ static int pcm_chmap_ctl_get(struct snd_kcontrol *kcontrol,
    2419 struct snd_pcm_substream *substream;
    2420 const struct snd_pcm_chmap_elem *map;
    2421
    2422 - if (snd_BUG_ON(!info->chmap))
    2423 + if (!info->chmap)
    2424 return -EINVAL;
    2425 substream = snd_pcm_chmap_substream(info, idx);
    2426 if (!substream)
    2427 @@ -2524,7 +2524,7 @@ static int pcm_chmap_ctl_tlv(struct snd_kcontrol *kcontrol, int op_flag,
    2428 unsigned int __user *dst;
    2429 int c, count = 0;
    2430
    2431 - if (snd_BUG_ON(!info->chmap))
    2432 + if (!info->chmap)
    2433 return -EINVAL;
    2434 if (size < 8)
    2435 return -ENOMEM;
    2436 diff --git a/sound/firewire/amdtp-stream.c b/sound/firewire/amdtp-stream.c
    2437 index 00060c4a9deb..9741757436be 100644
    2438 --- a/sound/firewire/amdtp-stream.c
    2439 +++ b/sound/firewire/amdtp-stream.c
    2440 @@ -606,7 +606,9 @@ static void out_stream_callback(struct fw_iso_context *context, u32 tstamp,
    2441 cycle = increment_cycle_count(cycle, 1);
    2442 if (handle_out_packet(s, cycle, i) < 0) {
    2443 s->packet_index = -1;
    2444 - amdtp_stream_pcm_abort(s);
    2445 + if (in_interrupt())
    2446 + amdtp_stream_pcm_abort(s);
    2447 + WRITE_ONCE(s->pcm_buffer_pointer, SNDRV_PCM_POS_XRUN);
    2448 return;
    2449 }
    2450 }
    2451 @@ -658,7 +660,9 @@ static void in_stream_callback(struct fw_iso_context *context, u32 tstamp,
    2452 /* Queueing error or detecting invalid payload. */
    2453 if (i < packets) {
    2454 s->packet_index = -1;
    2455 - amdtp_stream_pcm_abort(s);
    2456 + if (in_interrupt())
    2457 + amdtp_stream_pcm_abort(s);
    2458 + WRITE_ONCE(s->pcm_buffer_pointer, SNDRV_PCM_POS_XRUN);
    2459 return;
    2460 }
    2461
    2462 diff --git a/sound/firewire/amdtp-stream.h b/sound/firewire/amdtp-stream.h
    2463 index c1bc7fad056e..f7c054bc9d92 100644
    2464 --- a/sound/firewire/amdtp-stream.h
    2465 +++ b/sound/firewire/amdtp-stream.h
    2466 @@ -124,7 +124,7 @@ struct amdtp_stream {
    2467 /* For a PCM substream processing. */
    2468 struct snd_pcm_substream *pcm;
    2469 struct tasklet_struct period_tasklet;
    2470 - unsigned int pcm_buffer_pointer;
    2471 + snd_pcm_uframes_t pcm_buffer_pointer;
    2472 unsigned int pcm_period_pointer;
    2473
    2474 /* To wait for first packet. */
    2475 diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
    2476 index 23d685636a67..69097cc96660 100644
    2477 --- a/sound/pci/hda/hda_intel.c
    2478 +++ b/sound/pci/hda/hda_intel.c
    2479 @@ -369,10 +369,12 @@ enum {
    2480 #define IS_KBL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d71)
    2481 #define IS_KBL_H(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa2f0)
    2482 #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98)
    2483 +#define IS_BXT_T(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x1a98)
    2484 #define IS_GLK(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x3198)
    2485 -#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci)) || \
    2486 - IS_KBL(pci) || IS_KBL_LP(pci) || IS_KBL_H(pci) || \
    2487 - IS_GLK(pci)
    2488 +#define IS_CFL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa348)
    2489 +#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci) || \
    2490 + IS_BXT_T(pci) || IS_KBL(pci) || IS_KBL_LP(pci) || \
    2491 + IS_KBL_H(pci) || IS_GLK(pci) || IS_CFL(pci))
    2492
    2493 static char *driver_short_names[] = {
    2494 [AZX_DRIVER_ICH] = "HDA Intel",
    2495 @@ -2251,6 +2253,9 @@ static const struct pci_device_id azx_ids[] = {
    2496 /* Kabylake-H */
    2497 { PCI_DEVICE(0x8086, 0xa2f0),
    2498 .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
    2499 + /* Coffelake */
    2500 + { PCI_DEVICE(0x8086, 0xa348),
    2501 + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE},
    2502 /* Broxton-P(Apollolake) */
    2503 { PCI_DEVICE(0x8086, 0x5a98),
    2504 .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_BROXTON },
    2505 diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c
    2506 index 28fb62c32678..e0f9e6a20556 100644
    2507 --- a/tools/perf/util/probe-event.c
    2508 +++ b/tools/perf/util/probe-event.c
    2509 @@ -615,7 +615,7 @@ static int post_process_probe_trace_point(struct probe_trace_point *tp,
    2510 struct map *map, unsigned long offs)
    2511 {
    2512 struct symbol *sym;
    2513 - u64 addr = tp->address + tp->offset - offs;
    2514 + u64 addr = tp->address - offs;
    2515
    2516 sym = map__find_symbol(map, addr);
    2517 if (!sym)