diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2013-10-02 07:28:25 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2013-10-02 07:28:25 -0400 |
commit | 84e27b52688dcc72e845611abcd61e81cf9d8c31 (patch) | |
tree | 3b8ac8f6d32e021377db6c6c9d863c567455adac | |
parent | Grsec/PaX: 2.9.1-{2.6.32.61,3.2.51,3.11.2}-201309281102 (diff) | |
download | hardened-patchset-84e27b52688dcc72e845611abcd61e81cf9d8c31.tar.gz hardened-patchset-84e27b52688dcc72e845611abcd61e81cf9d8c31.tar.bz2 hardened-patchset-84e27b52688dcc72e845611abcd61e81cf9d8c31.zip |
Grsec/PaX: 2.9.1-3.11.3-20131001224920131001
-rw-r--r-- | 3.11.2/1001_linux-3.11.2.patch | 4419 | ||||
-rw-r--r-- | 3.11.3/0000_README (renamed from 3.11.2/0000_README) | 6 | ||||
-rw-r--r-- | 3.11.3/4420_grsecurity-2.9.1-3.11.3-201310012249.patch (renamed from 3.11.2/4420_grsecurity-2.9.1-3.11.2-201309281103.patch) | 480 | ||||
-rw-r--r-- | 3.11.3/4425_grsec_remove_EI_PAX.patch (renamed from 3.11.2/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.11.3/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.11.2/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.11.3/4430_grsec-remove-localversion-grsec.patch (renamed from 3.11.2/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.11.3/4435_grsec-mute-warnings.patch (renamed from 3.11.2/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.11.3/4440_grsec-remove-protected-paths.patch (renamed from 3.11.2/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.11.3/4450_grsec-kconfig-default-gids.patch (renamed from 3.11.2/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.11.3/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.11.2/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.11.3/4470_disable-compat_vdso.patch (renamed from 3.11.2/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.11.3/4475_emutramp_default_on.patch (renamed from 3.11.2/4475_emutramp_default_on.patch) | 0 |
12 files changed, 64 insertions, 4841 deletions
diff --git a/3.11.2/1001_linux-3.11.2.patch b/3.11.2/1001_linux-3.11.2.patch deleted file mode 100644 index 5d8bdf1..0000000 --- a/3.11.2/1001_linux-3.11.2.patch +++ /dev/null @@ -1,4419 +0,0 @@ -diff --git a/Makefile b/Makefile -index efd2396..aede319 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 11 --SUBLEVEL = 1 -+SUBLEVEL = 2 - EXTRAVERSION = - NAME = Linux for Workgroups - -diff --git a/arch/arc/include/asm/sections.h b/arch/arc/include/asm/sections.h -index 6fc1159..764f1e3 100644 ---- a/arch/arc/include/asm/sections.h -+++ b/arch/arc/include/asm/sections.h -@@ -11,7 +11,6 @@ - - #include <asm-generic/sections.h> - --extern char _int_vec_base_lds[]; - extern char __arc_dccm_base[]; - extern char __dtb_start[]; - -diff --git a/arch/arc/kernel/head.S b/arch/arc/kernel/head.S -index 2a913f8..0f944f0 100644 ---- a/arch/arc/kernel/head.S -+++ b/arch/arc/kernel/head.S -@@ -34,6 +34,9 @@ stext: - ; IDENTITY Reg [ 3 2 1 0 ] - ; (cpu-id) ^^^ => Zero for UP ARC700 - ; => #Core-ID if SMP (Master 0) -+ ; Note that non-boot CPUs might not land here if halt-on-reset and -+ ; instead breath life from @first_lines_of_secondary, but we still -+ ; need to make sure only boot cpu takes this path. - GET_CPU_ID r5 - cmp r5, 0 - jnz arc_platform_smp_wait_to_boot -@@ -98,6 +101,8 @@ stext: - - first_lines_of_secondary: - -+ sr @_int_vec_base_lds, [AUX_INTR_VEC_BASE] -+ - ; setup per-cpu idle task as "current" on this CPU - ld r0, [@secondary_idle_tsk] - SET_CURR_TASK_ON_CPU r0, r1 -diff --git a/arch/arc/kernel/irq.c b/arch/arc/kernel/irq.c -index 305b3f8..5fc9245 100644 ---- a/arch/arc/kernel/irq.c -+++ b/arch/arc/kernel/irq.c -@@ -24,7 +24,6 @@ - * -Needed for each CPU (hence not foldable into init_IRQ) - * - * what it does ? -- * -setup Vector Table Base Reg - in case Linux not linked at 0x8000_0000 - * -Disable all IRQs (on CPU side) - * -Optionally, setup the High priority Interrupts as Level 2 IRQs - */ -diff --git a/arch/arc/kernel/setup.c b/arch/arc/kernel/setup.c -index 6b08345..e818563 100644 ---- a/arch/arc/kernel/setup.c -+++ b/arch/arc/kernel/setup.c -@@ -47,10 +47,7 @@ void read_arc_build_cfg_regs(void) - READ_BCR(AUX_IDENTITY, cpu->core); - - cpu->timers = read_aux_reg(ARC_REG_TIMERS_BCR); -- - cpu->vec_base = read_aux_reg(AUX_INTR_VEC_BASE); -- if (cpu->vec_base == 0) -- cpu->vec_base = (unsigned int)_int_vec_base_lds; - - READ_BCR(ARC_REG_D_UNCACH_BCR, uncached_space); - cpu->uncached_base = uncached_space.start << 24; -diff --git a/arch/arm/mach-versatile/include/mach/platform.h b/arch/arm/mach-versatile/include/mach/platform.h -index ec08740..6f938cc 100644 ---- a/arch/arm/mach-versatile/include/mach/platform.h -+++ b/arch/arm/mach-versatile/include/mach/platform.h -@@ -231,12 +231,14 @@ - /* PCI space */ - #define VERSATILE_PCI_BASE 0x41000000 /* PCI Interface */ - #define VERSATILE_PCI_CFG_BASE 0x42000000 -+#define VERSATILE_PCI_IO_BASE 0x43000000 - #define VERSATILE_PCI_MEM_BASE0 0x44000000 - #define VERSATILE_PCI_MEM_BASE1 0x50000000 - #define VERSATILE_PCI_MEM_BASE2 0x60000000 - /* Sizes of above maps */ - #define VERSATILE_PCI_BASE_SIZE 0x01000000 - #define VERSATILE_PCI_CFG_BASE_SIZE 0x02000000 -+#define VERSATILE_PCI_IO_BASE_SIZE 0x01000000 - #define VERSATILE_PCI_MEM_BASE0_SIZE 0x0c000000 /* 32Mb */ - #define VERSATILE_PCI_MEM_BASE1_SIZE 0x10000000 /* 256Mb */ - #define VERSATILE_PCI_MEM_BASE2_SIZE 0x10000000 /* 256Mb */ -diff --git a/arch/arm/mach-versatile/pci.c b/arch/arm/mach-versatile/pci.c -index e92e5e0..c97be4e 100644 ---- a/arch/arm/mach-versatile/pci.c -+++ b/arch/arm/mach-versatile/pci.c -@@ -43,9 +43,9 @@ - #define PCI_IMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x0) - #define PCI_IMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x4) - #define PCI_IMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x8) --#define PCI_SMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x10) --#define PCI_SMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x14) --#define PCI_SMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x18) -+#define PCI_SMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x14) -+#define PCI_SMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x18) -+#define PCI_SMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x1c) - #define PCI_SELFID __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0xc) - - #define DEVICE_ID_OFFSET 0x00 -@@ -170,8 +170,8 @@ static struct pci_ops pci_versatile_ops = { - .write = versatile_write_config, - }; - --static struct resource io_mem = { -- .name = "PCI I/O space", -+static struct resource unused_mem = { -+ .name = "PCI unused", - .start = VERSATILE_PCI_MEM_BASE0, - .end = VERSATILE_PCI_MEM_BASE0+VERSATILE_PCI_MEM_BASE0_SIZE-1, - .flags = IORESOURCE_MEM, -@@ -195,9 +195,9 @@ static int __init pci_versatile_setup_resources(struct pci_sys_data *sys) - { - int ret = 0; - -- ret = request_resource(&iomem_resource, &io_mem); -+ ret = request_resource(&iomem_resource, &unused_mem); - if (ret) { -- printk(KERN_ERR "PCI: unable to allocate I/O " -+ printk(KERN_ERR "PCI: unable to allocate unused " - "memory region (%d)\n", ret); - goto out; - } -@@ -205,7 +205,7 @@ static int __init pci_versatile_setup_resources(struct pci_sys_data *sys) - if (ret) { - printk(KERN_ERR "PCI: unable to allocate non-prefetchable " - "memory region (%d)\n", ret); -- goto release_io_mem; -+ goto release_unused_mem; - } - ret = request_resource(&iomem_resource, &pre_mem); - if (ret) { -@@ -225,8 +225,8 @@ static int __init pci_versatile_setup_resources(struct pci_sys_data *sys) - - release_non_mem: - release_resource(&non_mem); -- release_io_mem: -- release_resource(&io_mem); -+ release_unused_mem: -+ release_resource(&unused_mem); - out: - return ret; - } -@@ -246,7 +246,7 @@ int __init pci_versatile_setup(int nr, struct pci_sys_data *sys) - goto out; - } - -- ret = pci_ioremap_io(0, VERSATILE_PCI_MEM_BASE0); -+ ret = pci_ioremap_io(0, VERSATILE_PCI_IO_BASE); - if (ret) - goto out; - -@@ -295,6 +295,19 @@ int __init pci_versatile_setup(int nr, struct pci_sys_data *sys) - __raw_writel(PHYS_OFFSET, local_pci_cfg_base + PCI_BASE_ADDRESS_2); - - /* -+ * For many years the kernel and QEMU were symbiotically buggy -+ * in that they both assumed the same broken IRQ mapping. -+ * QEMU therefore attempts to auto-detect old broken kernels -+ * so that they still work on newer QEMU as they did on old -+ * QEMU. Since we now use the correct (ie matching-hardware) -+ * IRQ mapping we write a definitely different value to a -+ * PCI_INTERRUPT_LINE register to tell QEMU that we expect -+ * real hardware behaviour and it need not be backwards -+ * compatible for us. This write is harmless on real hardware. -+ */ -+ __raw_writel(0, VERSATILE_PCI_VIRT_BASE+PCI_INTERRUPT_LINE); -+ -+ /* - * Do not to map Versatile FPGA PCI device into memory space - */ - pci_slot_ignore |= (1 << myslot); -@@ -327,13 +340,13 @@ static int __init versatile_map_irq(const struct pci_dev *dev, u8 slot, u8 pin) - { - int irq; - -- /* slot, pin, irq -- * 24 1 IRQ_SIC_PCI0 -- * 25 1 IRQ_SIC_PCI1 -- * 26 1 IRQ_SIC_PCI2 -- * 27 1 IRQ_SIC_PCI3 -+ /* -+ * Slot INTA INTB INTC INTD -+ * 31 PCI1 PCI2 PCI3 PCI0 -+ * 30 PCI0 PCI1 PCI2 PCI3 -+ * 29 PCI3 PCI0 PCI1 PCI2 - */ -- irq = IRQ_SIC_PCI0 + ((slot - 24 + pin - 1) & 3); -+ irq = IRQ_SIC_PCI0 + ((slot + 2 + pin - 1) & 3); - - return irq; - } -diff --git a/arch/arm/xen/enlighten.c b/arch/arm/xen/enlighten.c -index 8a6295c..7071fca 100644 ---- a/arch/arm/xen/enlighten.c -+++ b/arch/arm/xen/enlighten.c -@@ -273,12 +273,15 @@ core_initcall(xen_guest_init); - - static int __init xen_pm_init(void) - { -+ if (!xen_domain()) -+ return -ENODEV; -+ - pm_power_off = xen_power_off; - arm_pm_restart = xen_restart; - - return 0; - } --subsys_initcall(xen_pm_init); -+late_initcall(xen_pm_init); - - static irqreturn_t xen_arm_callback(int irq, void *arg) - { -diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c -index 12e6ccb..cea1594 100644 ---- a/arch/arm64/kernel/perf_event.c -+++ b/arch/arm64/kernel/perf_event.c -@@ -325,7 +325,10 @@ validate_event(struct pmu_hw_events *hw_events, - if (is_software_event(event)) - return 1; - -- if (event->pmu != leader_pmu || event->state <= PERF_EVENT_STATE_OFF) -+ if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF) -+ return 1; -+ -+ if (event->state == PERF_EVENT_STATE_OFF && !event->attr.enable_on_exec) - return 1; - - return armpmu->get_event_idx(hw_events, &fake_event) >= 0; -@@ -781,7 +784,7 @@ static const unsigned armv8_pmuv3_perf_cache_map[PERF_COUNT_HW_CACHE_MAX] - /* - * PMXEVTYPER: Event selection reg - */ --#define ARMV8_EVTYPE_MASK 0xc00000ff /* Mask for writable bits */ -+#define ARMV8_EVTYPE_MASK 0xc80000ff /* Mask for writable bits */ - #define ARMV8_EVTYPE_EVENT 0xff /* Mask for EVENT bits */ - - /* -diff --git a/arch/mips/ath79/clock.c b/arch/mips/ath79/clock.c -index 765ef30..733017b 100644 ---- a/arch/mips/ath79/clock.c -+++ b/arch/mips/ath79/clock.c -@@ -164,7 +164,7 @@ static void __init ar933x_clocks_init(void) - ath79_ahb_clk.rate = freq / t; - } - -- ath79_wdt_clk.rate = ath79_ref_clk.rate; -+ ath79_wdt_clk.rate = ath79_ahb_clk.rate; - ath79_uart_clk.rate = ath79_ref_clk.rate; - } - -diff --git a/arch/powerpc/kernel/align.c b/arch/powerpc/kernel/align.c -index ee5b690..52e5758 100644 ---- a/arch/powerpc/kernel/align.c -+++ b/arch/powerpc/kernel/align.c -@@ -764,6 +764,16 @@ int fix_alignment(struct pt_regs *regs) - nb = aligninfo[instr].len; - flags = aligninfo[instr].flags; - -+ /* ldbrx/stdbrx overlap lfs/stfs in the DSISR unfortunately */ -+ if (IS_XFORM(instruction) && ((instruction >> 1) & 0x3ff) == 532) { -+ nb = 8; -+ flags = LD+SW; -+ } else if (IS_XFORM(instruction) && -+ ((instruction >> 1) & 0x3ff) == 660) { -+ nb = 8; -+ flags = ST+SW; -+ } -+ - /* Byteswap little endian loads and stores */ - swiz = 0; - if (regs->msr & MSR_LE) { -diff --git a/arch/powerpc/kvm/book3s_xics.c b/arch/powerpc/kvm/book3s_xics.c -index 94c1dd4..a3a5cb8 100644 ---- a/arch/powerpc/kvm/book3s_xics.c -+++ b/arch/powerpc/kvm/book3s_xics.c -@@ -19,6 +19,7 @@ - #include <asm/hvcall.h> - #include <asm/xics.h> - #include <asm/debug.h> -+#include <asm/time.h> - - #include <linux/debugfs.h> - #include <linux/seq_file.h> -diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c -index c11c823..54b998f 100644 ---- a/arch/powerpc/platforms/pseries/setup.c -+++ b/arch/powerpc/platforms/pseries/setup.c -@@ -354,7 +354,7 @@ static int alloc_dispatch_log_kmem_cache(void) - } - early_initcall(alloc_dispatch_log_kmem_cache); - --static void pSeries_idle(void) -+static void pseries_lpar_idle(void) - { - /* This would call on the cpuidle framework, and the back-end pseries - * driver to go to idle states -@@ -362,10 +362,22 @@ static void pSeries_idle(void) - if (cpuidle_idle_call()) { - /* On error, execute default handler - * to go into low thread priority and possibly -- * low power mode. -+ * low power mode by cedeing processor to hypervisor - */ -- HMT_low(); -- HMT_very_low(); -+ -+ /* Indicate to hypervisor that we are idle. */ -+ get_lppaca()->idle = 1; -+ -+ /* -+ * Yield the processor to the hypervisor. We return if -+ * an external interrupt occurs (which are driven prior -+ * to returning here) or if a prod occurs from another -+ * processor. When returning here, external interrupts -+ * are enabled. -+ */ -+ cede_processor(); -+ -+ get_lppaca()->idle = 0; - } - } - -@@ -456,15 +468,14 @@ static void __init pSeries_setup_arch(void) - - pSeries_nvram_init(); - -- if (firmware_has_feature(FW_FEATURE_SPLPAR)) { -+ if (firmware_has_feature(FW_FEATURE_LPAR)) { - vpa_init(boot_cpuid); -- ppc_md.power_save = pSeries_idle; -- } -- -- if (firmware_has_feature(FW_FEATURE_LPAR)) -+ ppc_md.power_save = pseries_lpar_idle; - ppc_md.enable_pmcs = pseries_lpar_enable_pmcs; -- else -+ } else { -+ /* No special idle routine */ - ppc_md.enable_pmcs = power4_enable_pmcs; -+ } - - ppc_md.pcibios_root_bridge_prepare = pseries_root_bridge_prepare; - -diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c -index d5f10a4..7092392 100644 ---- a/arch/s390/net/bpf_jit_comp.c -+++ b/arch/s390/net/bpf_jit_comp.c -@@ -805,7 +805,7 @@ static struct bpf_binary_header *bpf_alloc_binary(unsigned int bpfsize, - return NULL; - memset(header, 0, sz); - header->pages = sz / PAGE_SIZE; -- hole = sz - bpfsize + sizeof(*header); -+ hole = sz - (bpfsize + sizeof(*header)); - /* Insert random number of illegal instructions before BPF code - * and make sure the first instruction starts at an even address. - */ -diff --git a/arch/um/include/shared/os.h b/arch/um/include/shared/os.h -index 95feaa4..c70a234 100644 ---- a/arch/um/include/shared/os.h -+++ b/arch/um/include/shared/os.h -@@ -200,6 +200,7 @@ extern int os_unmap_memory(void *addr, int len); - extern int os_drop_memory(void *addr, int length); - extern int can_drop_memory(void); - extern void os_flush_stdout(void); -+extern int os_mincore(void *addr, unsigned long len); - - /* execvp.c */ - extern int execvp_noalloc(char *buf, const char *file, char *const argv[]); -diff --git a/arch/um/kernel/Makefile b/arch/um/kernel/Makefile -index babe218..d8b78a0 100644 ---- a/arch/um/kernel/Makefile -+++ b/arch/um/kernel/Makefile -@@ -13,7 +13,7 @@ clean-files := - obj-y = config.o exec.o exitcode.o irq.o ksyms.o mem.o \ - physmem.o process.o ptrace.o reboot.o sigio.o \ - signal.o smp.o syscall.o sysrq.o time.o tlb.o trap.o \ -- um_arch.o umid.o skas/ -+ um_arch.o umid.o maccess.o skas/ - - obj-$(CONFIG_BLK_DEV_INITRD) += initrd.o - obj-$(CONFIG_GPROF) += gprof_syms.o -diff --git a/arch/um/kernel/maccess.c b/arch/um/kernel/maccess.c -new file mode 100644 -index 0000000..1f3d5c4 ---- /dev/null -+++ b/arch/um/kernel/maccess.c -@@ -0,0 +1,24 @@ -+/* -+ * Copyright (C) 2013 Richard Weinberger <richrd@nod.at> -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License version 2 as -+ * published by the Free Software Foundation. -+ */ -+ -+#include <linux/uaccess.h> -+#include <linux/kernel.h> -+#include <os.h> -+ -+long probe_kernel_read(void *dst, const void *src, size_t size) -+{ -+ void *psrc = (void *)rounddown((unsigned long)src, PAGE_SIZE); -+ -+ if ((unsigned long)src < PAGE_SIZE || size <= 0) -+ return -EFAULT; -+ -+ if (os_mincore(psrc, size + src - psrc) <= 0) -+ return -EFAULT; -+ -+ return __probe_kernel_read(dst, src, size); -+} -diff --git a/arch/um/os-Linux/process.c b/arch/um/os-Linux/process.c -index b8f34c9..67b9c8f 100644 ---- a/arch/um/os-Linux/process.c -+++ b/arch/um/os-Linux/process.c -@@ -4,6 +4,7 @@ - */ - - #include <stdio.h> -+#include <stdlib.h> - #include <unistd.h> - #include <errno.h> - #include <signal.h> -@@ -232,6 +233,57 @@ out: - return ok; - } - -+static int os_page_mincore(void *addr) -+{ -+ char vec[2]; -+ int ret; -+ -+ ret = mincore(addr, UM_KERN_PAGE_SIZE, vec); -+ if (ret < 0) { -+ if (errno == ENOMEM || errno == EINVAL) -+ return 0; -+ else -+ return -errno; -+ } -+ -+ return vec[0] & 1; -+} -+ -+int os_mincore(void *addr, unsigned long len) -+{ -+ char *vec; -+ int ret, i; -+ -+ if (len <= UM_KERN_PAGE_SIZE) -+ return os_page_mincore(addr); -+ -+ vec = calloc(1, (len + UM_KERN_PAGE_SIZE - 1) / UM_KERN_PAGE_SIZE); -+ if (!vec) -+ return -ENOMEM; -+ -+ ret = mincore(addr, UM_KERN_PAGE_SIZE, vec); -+ if (ret < 0) { -+ if (errno == ENOMEM || errno == EINVAL) -+ ret = 0; -+ else -+ ret = -errno; -+ -+ goto out; -+ } -+ -+ for (i = 0; i < ((len + UM_KERN_PAGE_SIZE - 1) / UM_KERN_PAGE_SIZE); i++) { -+ if (!(vec[i] & 1)) { -+ ret = 0; -+ goto out; -+ } -+ } -+ -+ ret = 1; -+out: -+ free(vec); -+ return ret; -+} -+ - void init_new_thread_signals(void) - { - set_handler(SIGSEGV); -diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c -index bccfca6..665a730 100644 ---- a/arch/x86/ia32/ia32_signal.c -+++ b/arch/x86/ia32/ia32_signal.c -@@ -457,7 +457,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig, - else - put_user_ex(0, &frame->uc.uc_flags); - put_user_ex(0, &frame->uc.uc_link); -- err |= __compat_save_altstack(&frame->uc.uc_stack, regs->sp); -+ compat_save_altstack_ex(&frame->uc.uc_stack, regs->sp); - - if (ksig->ka.sa.sa_flags & SA_RESTORER) - restorer = ksig->ka.sa.sa_restorer; -diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h -index 46fc474..f50de69 100644 ---- a/arch/x86/include/asm/checksum_32.h -+++ b/arch/x86/include/asm/checksum_32.h -@@ -49,9 +49,15 @@ static inline __wsum csum_partial_copy_from_user(const void __user *src, - int len, __wsum sum, - int *err_ptr) - { -+ __wsum ret; -+ - might_sleep(); -- return csum_partial_copy_generic((__force void *)src, dst, -- len, sum, err_ptr, NULL); -+ stac(); -+ ret = csum_partial_copy_generic((__force void *)src, dst, -+ len, sum, err_ptr, NULL); -+ clac(); -+ -+ return ret; - } - - /* -@@ -176,10 +182,16 @@ static inline __wsum csum_and_copy_to_user(const void *src, - int len, __wsum sum, - int *err_ptr) - { -+ __wsum ret; -+ - might_sleep(); -- if (access_ok(VERIFY_WRITE, dst, len)) -- return csum_partial_copy_generic(src, (__force void *)dst, -- len, sum, NULL, err_ptr); -+ if (access_ok(VERIFY_WRITE, dst, len)) { -+ stac(); -+ ret = csum_partial_copy_generic(src, (__force void *)dst, -+ len, sum, NULL, err_ptr); -+ clac(); -+ return ret; -+ } - - if (len) - *err_ptr = -EFAULT; -diff --git a/arch/x86/include/asm/mce.h b/arch/x86/include/asm/mce.h -index 29e3093..aa97342 100644 ---- a/arch/x86/include/asm/mce.h -+++ b/arch/x86/include/asm/mce.h -@@ -32,11 +32,20 @@ - #define MCI_STATUS_PCC (1ULL<<57) /* processor context corrupt */ - #define MCI_STATUS_S (1ULL<<56) /* Signaled machine check */ - #define MCI_STATUS_AR (1ULL<<55) /* Action required */ --#define MCACOD 0xffff /* MCA Error Code */ -+ -+/* -+ * Note that the full MCACOD field of IA32_MCi_STATUS MSR is -+ * bits 15:0. But bit 12 is the 'F' bit, defined for corrected -+ * errors to indicate that errors are being filtered by hardware. -+ * We should mask out bit 12 when looking for specific signatures -+ * of uncorrected errors - so the F bit is deliberately skipped -+ * in this #define. -+ */ -+#define MCACOD 0xefff /* MCA Error Code */ - - /* Architecturally defined codes from SDM Vol. 3B Chapter 15 */ - #define MCACOD_SCRUB 0x00C0 /* 0xC0-0xCF Memory Scrubbing */ --#define MCACOD_SCRUBMSK 0xfff0 -+#define MCACOD_SCRUBMSK 0xeff0 /* Skip bit 12 ('F' bit) */ - #define MCACOD_L3WB 0x017A /* L3 Explicit Writeback */ - #define MCACOD_DATA 0x0134 /* Data Load */ - #define MCACOD_INSTR 0x0150 /* Instruction Fetch */ -diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h -index cdbf367..be12c53 100644 ---- a/arch/x86/include/asm/mmu_context.h -+++ b/arch/x86/include/asm/mmu_context.h -@@ -45,22 +45,28 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - /* Re-load page tables */ - load_cr3(next->pgd); - -- /* stop flush ipis for the previous mm */ -+ /* Stop flush ipis for the previous mm */ - cpumask_clear_cpu(cpu, mm_cpumask(prev)); - -- /* -- * load the LDT, if the LDT is different: -- */ -+ /* Load the LDT, if the LDT is different: */ - if (unlikely(prev->context.ldt != next->context.ldt)) - load_LDT_nolock(&next->context); - } - #ifdef CONFIG_SMP -- else { -+ else { - this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK); - BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next); - -- if (!cpumask_test_and_set_cpu(cpu, mm_cpumask(next))) { -- /* We were in lazy tlb mode and leave_mm disabled -+ if (!cpumask_test_cpu(cpu, mm_cpumask(next))) { -+ /* -+ * On established mms, the mm_cpumask is only changed -+ * from irq context, from ptep_clear_flush() while in -+ * lazy tlb mode, and here. Irqs are blocked during -+ * schedule, protecting us from simultaneous changes. -+ */ -+ cpumask_set_cpu(cpu, mm_cpumask(next)); -+ /* -+ * We were in lazy tlb mode and leave_mm disabled - * tlb flush IPI delivery. We must reload CR3 - * to make sure to use no freed page tables. - */ -diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c -index 3048ded..59554dc 100644 ---- a/arch/x86/kernel/amd_nb.c -+++ b/arch/x86/kernel/amd_nb.c -@@ -20,6 +20,7 @@ const struct pci_device_id amd_nb_misc_ids[] = { - { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_10H_NB_MISC) }, - { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_NB_F3) }, - { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M10H_F3) }, -+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M30H_NB_F3) }, - { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F3) }, - {} - }; -@@ -27,6 +28,7 @@ EXPORT_SYMBOL(amd_nb_misc_ids); - - static const struct pci_device_id amd_nb_link_ids[] = { - { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_NB_F4) }, -+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M30H_NB_F4) }, - { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F4) }, - {} - }; -@@ -81,13 +83,20 @@ int amd_cache_northbridges(void) - next_northbridge(misc, amd_nb_misc_ids); - node_to_amd_nb(i)->link = link = - next_northbridge(link, amd_nb_link_ids); -- } -+ } - -+ /* GART present only on Fam15h upto model 0fh */ - if (boot_cpu_data.x86 == 0xf || boot_cpu_data.x86 == 0x10 || -- boot_cpu_data.x86 == 0x15) -+ (boot_cpu_data.x86 == 0x15 && boot_cpu_data.x86_model < 0x10)) - amd_northbridges.flags |= AMD_NB_GART; - - /* -+ * Check for L3 cache presence. -+ */ -+ if (!cpuid_edx(0x80000006)) -+ return 0; -+ -+ /* - * Some CPU families support L3 Cache Index Disable. There are some - * limitations because of E382 and E388 on family 0x10. - */ -diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c -index cf91358..d859eea 100644 ---- a/arch/x86/kernel/signal.c -+++ b/arch/x86/kernel/signal.c -@@ -358,7 +358,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig, - else - put_user_ex(0, &frame->uc.uc_flags); - put_user_ex(0, &frame->uc.uc_link); -- err |= __save_altstack(&frame->uc.uc_stack, regs->sp); -+ save_altstack_ex(&frame->uc.uc_stack, regs->sp); - - /* Set up to return from userspace. */ - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); -@@ -423,7 +423,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig, - else - put_user_ex(0, &frame->uc.uc_flags); - put_user_ex(0, &frame->uc.uc_link); -- err |= __save_altstack(&frame->uc.uc_stack, regs->sp); -+ save_altstack_ex(&frame->uc.uc_stack, regs->sp); - - /* Set up to return from userspace. If provided, use a stub - already in userspace. */ -@@ -490,7 +490,7 @@ static int x32_setup_rt_frame(struct ksignal *ksig, - else - put_user_ex(0, &frame->uc.uc_flags); - put_user_ex(0, &frame->uc.uc_link); -- err |= __compat_save_altstack(&frame->uc.uc_stack, regs->sp); -+ compat_save_altstack_ex(&frame->uc.uc_stack, regs->sp); - put_user_ex(0, &frame->uc.uc__pad0); - - if (ksig->ka.sa.sa_flags & SA_RESTORER) { -diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c -index 25b7ae8..7609e0e 100644 ---- a/arch/x86/lib/csum-wrappers_64.c -+++ b/arch/x86/lib/csum-wrappers_64.c -@@ -6,6 +6,7 @@ - */ - #include <asm/checksum.h> - #include <linux/module.h> -+#include <asm/smap.h> - - /** - * csum_partial_copy_from_user - Copy and checksum from user space. -@@ -52,8 +53,10 @@ csum_partial_copy_from_user(const void __user *src, void *dst, - len -= 2; - } - } -+ stac(); - isum = csum_partial_copy_generic((__force const void *)src, - dst, len, isum, errp, NULL); -+ clac(); - if (unlikely(*errp)) - goto out_err; - -@@ -82,6 +85,8 @@ __wsum - csum_partial_copy_to_user(const void *src, void __user *dst, - int len, __wsum isum, int *errp) - { -+ __wsum ret; -+ - might_sleep(); - - if (unlikely(!access_ok(VERIFY_WRITE, dst, len))) { -@@ -105,8 +110,11 @@ csum_partial_copy_to_user(const void *src, void __user *dst, - } - - *errp = 0; -- return csum_partial_copy_generic(src, (void __force *)dst, -- len, isum, NULL, errp); -+ stac(); -+ ret = csum_partial_copy_generic(src, (void __force *)dst, -+ len, isum, NULL, errp); -+ clac(); -+ return ret; - } - EXPORT_SYMBOL(csum_partial_copy_to_user); - -diff --git a/arch/xtensa/kernel/xtensa_ksyms.c b/arch/xtensa/kernel/xtensa_ksyms.c -index d8507f8..74a60c7 100644 ---- a/arch/xtensa/kernel/xtensa_ksyms.c -+++ b/arch/xtensa/kernel/xtensa_ksyms.c -@@ -25,6 +25,7 @@ - #include <asm/io.h> - #include <asm/page.h> - #include <asm/pgalloc.h> -+#include <asm/ftrace.h> - #ifdef CONFIG_BLK_DEV_FD - #include <asm/floppy.h> - #endif -diff --git a/crypto/api.c b/crypto/api.c -index 3b61803..37c4c72 100644 ---- a/crypto/api.c -+++ b/crypto/api.c -@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem); - BLOCKING_NOTIFIER_HEAD(crypto_chain); - EXPORT_SYMBOL_GPL(crypto_chain); - -+static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg); -+ - struct crypto_alg *crypto_mod_get(struct crypto_alg *alg) - { - return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL; -@@ -144,8 +146,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type, - } - up_write(&crypto_alg_sem); - -- if (alg != &larval->alg) -+ if (alg != &larval->alg) { - kfree(larval); -+ if (crypto_is_larval(alg)) -+ alg = crypto_larval_wait(alg); -+ } - - return alg; - } -diff --git a/drivers/acpi/acpi_lpss.c b/drivers/acpi/acpi_lpss.c -index 6a38218..fb78bb9 100644 ---- a/drivers/acpi/acpi_lpss.c -+++ b/drivers/acpi/acpi_lpss.c -@@ -257,12 +257,13 @@ static int acpi_lpss_create_device(struct acpi_device *adev, - pdata->mmio_size = resource_size(&rentry->res); - pdata->mmio_base = ioremap(rentry->res.start, - pdata->mmio_size); -- pdata->dev_desc = dev_desc; - break; - } - - acpi_dev_free_resource_list(&resource_list); - -+ pdata->dev_desc = dev_desc; -+ - if (dev_desc->clk_required) { - ret = register_device_clock(adev, pdata); - if (ret) { -diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c -index 5917839..a67853e 100644 ---- a/drivers/acpi/pci_root.c -+++ b/drivers/acpi/pci_root.c -@@ -378,6 +378,7 @@ static int acpi_pci_root_add(struct acpi_device *device, - struct acpi_pci_root *root; - u32 flags, base_flags; - acpi_handle handle = device->handle; -+ bool no_aspm = false, clear_aspm = false; - - root = kzalloc(sizeof(struct acpi_pci_root), GFP_KERNEL); - if (!root) -@@ -437,27 +438,6 @@ static int acpi_pci_root_add(struct acpi_device *device, - flags = base_flags = OSC_PCI_SEGMENT_GROUPS_SUPPORT; - acpi_pci_osc_support(root, flags); - -- /* -- * TBD: Need PCI interface for enumeration/configuration of roots. -- */ -- -- /* -- * Scan the Root Bridge -- * -------------------- -- * Must do this prior to any attempt to bind the root device, as the -- * PCI namespace does not get created until this call is made (and -- * thus the root bridge's pci_dev does not exist). -- */ -- root->bus = pci_acpi_scan_root(root); -- if (!root->bus) { -- dev_err(&device->dev, -- "Bus %04x:%02x not present in PCI namespace\n", -- root->segment, (unsigned int)root->secondary.start); -- result = -ENODEV; -- goto end; -- } -- -- /* Indicate support for various _OSC capabilities. */ - if (pci_ext_cfg_avail()) - flags |= OSC_EXT_PCI_CONFIG_SUPPORT; - if (pcie_aspm_support_enabled()) { -@@ -471,7 +451,7 @@ static int acpi_pci_root_add(struct acpi_device *device, - if (ACPI_FAILURE(status)) { - dev_info(&device->dev, "ACPI _OSC support " - "notification failed, disabling PCIe ASPM\n"); -- pcie_no_aspm(); -+ no_aspm = true; - flags = base_flags; - } - } -@@ -503,7 +483,7 @@ static int acpi_pci_root_add(struct acpi_device *device, - * We have ASPM control, but the FADT indicates - * that it's unsupported. Clear it. - */ -- pcie_clear_aspm(root->bus); -+ clear_aspm = true; - } - } else { - dev_info(&device->dev, -@@ -512,7 +492,14 @@ static int acpi_pci_root_add(struct acpi_device *device, - acpi_format_exception(status), flags); - dev_info(&device->dev, - "ACPI _OSC control for PCIe not granted, disabling ASPM\n"); -- pcie_no_aspm(); -+ /* -+ * We want to disable ASPM here, but aspm_disabled -+ * needs to remain in its state from boot so that we -+ * properly handle PCIe 1.1 devices. So we set this -+ * flag here, to defer the action until after the ACPI -+ * root scan. -+ */ -+ no_aspm = true; - } - } else { - dev_info(&device->dev, -@@ -520,6 +507,33 @@ static int acpi_pci_root_add(struct acpi_device *device, - "(_OSC support mask: 0x%02x)\n", flags); - } - -+ /* -+ * TBD: Need PCI interface for enumeration/configuration of roots. -+ */ -+ -+ /* -+ * Scan the Root Bridge -+ * -------------------- -+ * Must do this prior to any attempt to bind the root device, as the -+ * PCI namespace does not get created until this call is made (and -+ * thus the root bridge's pci_dev does not exist). -+ */ -+ root->bus = pci_acpi_scan_root(root); -+ if (!root->bus) { -+ dev_err(&device->dev, -+ "Bus %04x:%02x not present in PCI namespace\n", -+ root->segment, (unsigned int)root->secondary.start); -+ result = -ENODEV; -+ goto end; -+ } -+ -+ if (clear_aspm) { -+ dev_info(&device->dev, "Disabling ASPM (FADT indicates it is unsupported)\n"); -+ pcie_clear_aspm(root->bus); -+ } -+ if (no_aspm) -+ pcie_no_aspm(); -+ - pci_acpi_add_bus_pm_notifier(device, root->bus); - if (device->wakeup.flags.run_wake) - device_set_run_wake(root->bus->bridge, true); -diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c -index a439602..c8dac74 100644 ---- a/drivers/base/firmware_class.c -+++ b/drivers/base/firmware_class.c -@@ -868,8 +868,15 @@ static int _request_firmware_load(struct firmware_priv *fw_priv, bool uevent, - goto err_del_dev; - } - -+ mutex_lock(&fw_lock); -+ list_add(&buf->pending_list, &pending_fw_head); -+ mutex_unlock(&fw_lock); -+ - retval = device_create_file(f_dev, &dev_attr_loading); - if (retval) { -+ mutex_lock(&fw_lock); -+ list_del_init(&buf->pending_list); -+ mutex_unlock(&fw_lock); - dev_err(f_dev, "%s: device_create_file failed\n", __func__); - goto err_del_bin_attr; - } -@@ -884,10 +891,6 @@ static int _request_firmware_load(struct firmware_priv *fw_priv, bool uevent, - kobject_uevent(&fw_priv->dev.kobj, KOBJ_ADD); - } - -- mutex_lock(&fw_lock); -- list_add(&buf->pending_list, &pending_fw_head); -- mutex_unlock(&fw_lock); -- - wait_for_completion(&buf->completion); - - cancel_delayed_work_sync(&fw_priv->timeout_work); -diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c -index 5349575..6c2652a 100644 ---- a/drivers/base/regmap/regmap-debugfs.c -+++ b/drivers/base/regmap/regmap-debugfs.c -@@ -85,8 +85,8 @@ static unsigned int regmap_debugfs_get_dump_start(struct regmap *map, - unsigned int reg_offset; - - /* Suppress the cache if we're using a subrange */ -- if (from) -- return from; -+ if (base) -+ return base; - - /* - * If we don't have a cache build one so we don't have to do a -diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c -index 4ad2ad9..45aa20a 100644 ---- a/drivers/block/rbd.c -+++ b/drivers/block/rbd.c -@@ -1557,11 +1557,12 @@ rbd_img_obj_request_read_callback(struct rbd_obj_request *obj_request) - obj_request, obj_request->img_request, obj_request->result, - xferred, length); - /* -- * ENOENT means a hole in the image. We zero-fill the -- * entire length of the request. A short read also implies -- * zero-fill to the end of the request. Either way we -- * update the xferred count to indicate the whole request -- * was satisfied. -+ * ENOENT means a hole in the image. We zero-fill the entire -+ * length of the request. A short read also implies zero-fill -+ * to the end of the request. An error requires the whole -+ * length of the request to be reported finished with an error -+ * to the block layer. In each case we update the xferred -+ * count to indicate the whole request was satisfied. - */ - rbd_assert(obj_request->type != OBJ_REQUEST_NODATA); - if (obj_request->result == -ENOENT) { -@@ -1570,14 +1571,13 @@ rbd_img_obj_request_read_callback(struct rbd_obj_request *obj_request) - else - zero_pages(obj_request->pages, 0, length); - obj_request->result = 0; -- obj_request->xferred = length; - } else if (xferred < length && !obj_request->result) { - if (obj_request->type == OBJ_REQUEST_BIO) - zero_bio_chain(obj_request->bio_list, xferred); - else - zero_pages(obj_request->pages, xferred, length); -- obj_request->xferred = length; - } -+ obj_request->xferred = length; - obj_request_done_set(obj_request); - } - -diff --git a/drivers/clk/clk-wm831x.c b/drivers/clk/clk-wm831x.c -index 1b3f8c9..1d5af3f 100644 ---- a/drivers/clk/clk-wm831x.c -+++ b/drivers/clk/clk-wm831x.c -@@ -360,6 +360,8 @@ static int wm831x_clk_probe(struct platform_device *pdev) - if (!clkdata) - return -ENOMEM; - -+ clkdata->wm831x = wm831x; -+ - /* XTAL_ENA can only be set via OTP/InstantConfig so just read once */ - ret = wm831x_reg_read(wm831x, WM831X_CLOCK_CONTROL_2); - if (ret < 0) { -diff --git a/drivers/cpuidle/coupled.c b/drivers/cpuidle/coupled.c -index 2a297f8..fe853903 100644 ---- a/drivers/cpuidle/coupled.c -+++ b/drivers/cpuidle/coupled.c -@@ -106,6 +106,7 @@ struct cpuidle_coupled { - cpumask_t coupled_cpus; - int requested_state[NR_CPUS]; - atomic_t ready_waiting_counts; -+ atomic_t abort_barrier; - int online_count; - int refcnt; - int prevent; -@@ -122,12 +123,19 @@ static DEFINE_MUTEX(cpuidle_coupled_lock); - static DEFINE_PER_CPU(struct call_single_data, cpuidle_coupled_poke_cb); - - /* -- * The cpuidle_coupled_poked_mask mask is used to avoid calling -+ * The cpuidle_coupled_poke_pending mask is used to avoid calling - * __smp_call_function_single with the per cpu call_single_data struct already - * in use. This prevents a deadlock where two cpus are waiting for each others - * call_single_data struct to be available - */ --static cpumask_t cpuidle_coupled_poked_mask; -+static cpumask_t cpuidle_coupled_poke_pending; -+ -+/* -+ * The cpuidle_coupled_poked mask is used to ensure that each cpu has been poked -+ * once to minimize entering the ready loop with a poke pending, which would -+ * require aborting and retrying. -+ */ -+static cpumask_t cpuidle_coupled_poked; - - /** - * cpuidle_coupled_parallel_barrier - synchronize all online coupled cpus -@@ -291,10 +299,11 @@ static inline int cpuidle_coupled_get_state(struct cpuidle_device *dev, - return state; - } - --static void cpuidle_coupled_poked(void *info) -+static void cpuidle_coupled_handle_poke(void *info) - { - int cpu = (unsigned long)info; -- cpumask_clear_cpu(cpu, &cpuidle_coupled_poked_mask); -+ cpumask_set_cpu(cpu, &cpuidle_coupled_poked); -+ cpumask_clear_cpu(cpu, &cpuidle_coupled_poke_pending); - } - - /** -@@ -313,7 +322,7 @@ static void cpuidle_coupled_poke(int cpu) - { - struct call_single_data *csd = &per_cpu(cpuidle_coupled_poke_cb, cpu); - -- if (!cpumask_test_and_set_cpu(cpu, &cpuidle_coupled_poked_mask)) -+ if (!cpumask_test_and_set_cpu(cpu, &cpuidle_coupled_poke_pending)) - __smp_call_function_single(cpu, csd, 0); - } - -@@ -340,30 +349,19 @@ static void cpuidle_coupled_poke_others(int this_cpu, - * @coupled: the struct coupled that contains the current cpu - * @next_state: the index in drv->states of the requested state for this cpu - * -- * Updates the requested idle state for the specified cpuidle device, -- * poking all coupled cpus out of idle if necessary to let them see the new -- * state. -+ * Updates the requested idle state for the specified cpuidle device. -+ * Returns the number of waiting cpus. - */ --static void cpuidle_coupled_set_waiting(int cpu, -+static int cpuidle_coupled_set_waiting(int cpu, - struct cpuidle_coupled *coupled, int next_state) - { -- int w; -- - coupled->requested_state[cpu] = next_state; - - /* -- * If this is the last cpu to enter the waiting state, poke -- * all the other cpus out of their waiting state so they can -- * enter a deeper state. This can race with one of the cpus -- * exiting the waiting state due to an interrupt and -- * decrementing waiting_count, see comment below. -- * - * The atomic_inc_return provides a write barrier to order the write - * to requested_state with the later write that increments ready_count. - */ -- w = atomic_inc_return(&coupled->ready_waiting_counts) & WAITING_MASK; -- if (w == coupled->online_count) -- cpuidle_coupled_poke_others(cpu, coupled); -+ return atomic_inc_return(&coupled->ready_waiting_counts) & WAITING_MASK; - } - - /** -@@ -410,19 +408,33 @@ static void cpuidle_coupled_set_done(int cpu, struct cpuidle_coupled *coupled) - * been processed and the poke bit has been cleared. - * - * Other interrupts may also be processed while interrupts are enabled, so -- * need_resched() must be tested after turning interrupts off again to make sure -+ * need_resched() must be tested after this function returns to make sure - * the interrupt didn't schedule work that should take the cpu out of idle. - * -- * Returns 0 if need_resched was false, -EINTR if need_resched was true. -+ * Returns 0 if no poke was pending, 1 if a poke was cleared. - */ - static int cpuidle_coupled_clear_pokes(int cpu) - { -+ if (!cpumask_test_cpu(cpu, &cpuidle_coupled_poke_pending)) -+ return 0; -+ - local_irq_enable(); -- while (cpumask_test_cpu(cpu, &cpuidle_coupled_poked_mask)) -+ while (cpumask_test_cpu(cpu, &cpuidle_coupled_poke_pending)) - cpu_relax(); - local_irq_disable(); - -- return need_resched() ? -EINTR : 0; -+ return 1; -+} -+ -+static bool cpuidle_coupled_any_pokes_pending(struct cpuidle_coupled *coupled) -+{ -+ cpumask_t cpus; -+ int ret; -+ -+ cpumask_and(&cpus, cpu_online_mask, &coupled->coupled_cpus); -+ ret = cpumask_and(&cpus, &cpuidle_coupled_poke_pending, &cpus); -+ -+ return ret; - } - - /** -@@ -449,12 +461,14 @@ int cpuidle_enter_state_coupled(struct cpuidle_device *dev, - { - int entered_state = -1; - struct cpuidle_coupled *coupled = dev->coupled; -+ int w; - - if (!coupled) - return -EINVAL; - - while (coupled->prevent) { -- if (cpuidle_coupled_clear_pokes(dev->cpu)) { -+ cpuidle_coupled_clear_pokes(dev->cpu); -+ if (need_resched()) { - local_irq_enable(); - return entered_state; - } -@@ -465,15 +479,37 @@ int cpuidle_enter_state_coupled(struct cpuidle_device *dev, - /* Read barrier ensures online_count is read after prevent is cleared */ - smp_rmb(); - -- cpuidle_coupled_set_waiting(dev->cpu, coupled, next_state); -+reset: -+ cpumask_clear_cpu(dev->cpu, &cpuidle_coupled_poked); -+ -+ w = cpuidle_coupled_set_waiting(dev->cpu, coupled, next_state); -+ /* -+ * If this is the last cpu to enter the waiting state, poke -+ * all the other cpus out of their waiting state so they can -+ * enter a deeper state. This can race with one of the cpus -+ * exiting the waiting state due to an interrupt and -+ * decrementing waiting_count, see comment below. -+ */ -+ if (w == coupled->online_count) { -+ cpumask_set_cpu(dev->cpu, &cpuidle_coupled_poked); -+ cpuidle_coupled_poke_others(dev->cpu, coupled); -+ } - - retry: - /* - * Wait for all coupled cpus to be idle, using the deepest state -- * allowed for a single cpu. -+ * allowed for a single cpu. If this was not the poking cpu, wait -+ * for at least one poke before leaving to avoid a race where -+ * two cpus could arrive at the waiting loop at the same time, -+ * but the first of the two to arrive could skip the loop without -+ * processing the pokes from the last to arrive. - */ -- while (!cpuidle_coupled_cpus_waiting(coupled)) { -- if (cpuidle_coupled_clear_pokes(dev->cpu)) { -+ while (!cpuidle_coupled_cpus_waiting(coupled) || -+ !cpumask_test_cpu(dev->cpu, &cpuidle_coupled_poked)) { -+ if (cpuidle_coupled_clear_pokes(dev->cpu)) -+ continue; -+ -+ if (need_resched()) { - cpuidle_coupled_set_not_waiting(dev->cpu, coupled); - goto out; - } -@@ -487,12 +523,19 @@ retry: - dev->safe_state_index); - } - -- if (cpuidle_coupled_clear_pokes(dev->cpu)) { -+ cpuidle_coupled_clear_pokes(dev->cpu); -+ if (need_resched()) { - cpuidle_coupled_set_not_waiting(dev->cpu, coupled); - goto out; - } - - /* -+ * Make sure final poke status for this cpu is visible before setting -+ * cpu as ready. -+ */ -+ smp_wmb(); -+ -+ /* - * All coupled cpus are probably idle. There is a small chance that - * one of the other cpus just became active. Increment the ready count, - * and spin until all coupled cpus have incremented the counter. Once a -@@ -511,6 +554,28 @@ retry: - cpu_relax(); - } - -+ /* -+ * Make sure read of all cpus ready is done before reading pending pokes -+ */ -+ smp_rmb(); -+ -+ /* -+ * There is a small chance that a cpu left and reentered idle after this -+ * cpu saw that all cpus were waiting. The cpu that reentered idle will -+ * have sent this cpu a poke, which will still be pending after the -+ * ready loop. The pending interrupt may be lost by the interrupt -+ * controller when entering the deep idle state. It's not possible to -+ * clear a pending interrupt without turning interrupts on and handling -+ * it, and it's too late to turn on interrupts here, so reset the -+ * coupled idle state of all cpus and retry. -+ */ -+ if (cpuidle_coupled_any_pokes_pending(coupled)) { -+ cpuidle_coupled_set_done(dev->cpu, coupled); -+ /* Wait for all cpus to see the pending pokes */ -+ cpuidle_coupled_parallel_barrier(dev, &coupled->abort_barrier); -+ goto reset; -+ } -+ - /* all cpus have acked the coupled state */ - next_state = cpuidle_coupled_get_state(dev, coupled); - -@@ -596,7 +661,7 @@ have_coupled: - coupled->refcnt++; - - csd = &per_cpu(cpuidle_coupled_poke_cb, dev->cpu); -- csd->func = cpuidle_coupled_poked; -+ csd->func = cpuidle_coupled_handle_poke; - csd->info = (void *)(unsigned long)dev->cpu; - - return 0; -diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c -index 8b6a034..8b3d901 100644 ---- a/drivers/edac/amd64_edac.c -+++ b/drivers/edac/amd64_edac.c -@@ -2470,8 +2470,15 @@ static int amd64_init_one_instance(struct pci_dev *F2) - layers[0].size = pvt->csels[0].b_cnt; - layers[0].is_virt_csrow = true; - layers[1].type = EDAC_MC_LAYER_CHANNEL; -- layers[1].size = pvt->channel_count; -+ -+ /* -+ * Always allocate two channels since we can have setups with DIMMs on -+ * only one channel. Also, this simplifies handling later for the price -+ * of a couple of KBs tops. -+ */ -+ layers[1].size = 2; - layers[1].is_virt_csrow = false; -+ - mci = edac_mc_alloc(nid, ARRAY_SIZE(layers), layers, 0); - if (!mci) - goto err_siblings; -diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c -index 95d6f4b..70fc133 100644 ---- a/drivers/gpu/drm/drm_edid.c -+++ b/drivers/gpu/drm/drm_edid.c -@@ -125,6 +125,9 @@ static struct edid_quirk { - - /* ViewSonic VA2026w */ - { "VSC", 5020, EDID_QUIRK_FORCE_REDUCED_BLANKING }, -+ -+ /* Medion MD 30217 PG */ -+ { "MED", 0x7b8, EDID_QUIRK_PREFER_LARGE_75 }, - }; - - /* -diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index be79f47..ca40d1b 100644 ---- a/drivers/gpu/drm/i915/intel_display.c -+++ b/drivers/gpu/drm/i915/intel_display.c -@@ -7809,6 +7809,19 @@ intel_modeset_pipe_config(struct drm_crtc *crtc, - pipe_config->cpu_transcoder = to_intel_crtc(crtc)->pipe; - pipe_config->shared_dpll = DPLL_ID_PRIVATE; - -+ /* -+ * Sanitize sync polarity flags based on requested ones. If neither -+ * positive or negative polarity is requested, treat this as meaning -+ * negative polarity. -+ */ -+ if (!(pipe_config->adjusted_mode.flags & -+ (DRM_MODE_FLAG_PHSYNC | DRM_MODE_FLAG_NHSYNC))) -+ pipe_config->adjusted_mode.flags |= DRM_MODE_FLAG_NHSYNC; -+ -+ if (!(pipe_config->adjusted_mode.flags & -+ (DRM_MODE_FLAG_PVSYNC | DRM_MODE_FLAG_NVSYNC))) -+ pipe_config->adjusted_mode.flags |= DRM_MODE_FLAG_NVSYNC; -+ - /* Compute a starting value for pipe_config->pipe_bpp taking the source - * plane pixel format and any sink constraints into account. Returns the - * source plane bpp so that dithering can be selected on mismatches -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 36668d1..5956445 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type, - struct hid_report_enum *report_enum = device->report_enum + type; - struct hid_report *report; - -+ if (id >= HID_MAX_IDS) -+ return NULL; - if (report_enum->report_id_hash[id]) - return report_enum->report_id_hash[id]; - -@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item) - - case HID_GLOBAL_ITEM_TAG_REPORT_ID: - parser->global.report_id = item_udata(item); -- if (parser->global.report_id == 0) { -- hid_err(parser->device, "report_id 0 is invalid\n"); -+ if (parser->global.report_id == 0 || -+ parser->global.report_id >= HID_MAX_IDS) { -+ hid_err(parser->device, "report_id %u is invalid\n", -+ parser->global.report_id); - return -1; - } - return 0; -@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device) - for (i = 0; i < HID_REPORT_TYPES; i++) { - struct hid_report_enum *report_enum = device->report_enum + i; - -- for (j = 0; j < 256; j++) { -+ for (j = 0; j < HID_MAX_IDS; j++) { - struct hid_report *report = report_enum->report_id_hash[j]; - if (report) - hid_free_report(report); -@@ -1152,7 +1156,12 @@ EXPORT_SYMBOL_GPL(hid_output_report); - - int hid_set_field(struct hid_field *field, unsigned offset, __s32 value) - { -- unsigned size = field->report_size; -+ unsigned size; -+ -+ if (!field) -+ return -1; -+ -+ size = field->report_size; - - hid_dump_input(field->report->device, field->usage + offset, value); - -@@ -1597,6 +1606,7 @@ static const struct hid_device_id hid_have_special_driver[] = { - { HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KEYTOUCH, USB_DEVICE_ID_KEYTOUCH_IEC) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) }, -+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GX_IMPERATOR) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_ERGO_525V) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_I405X) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X) }, -diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h -index ffe4c7a..22134d4 100644 ---- a/drivers/hid/hid-ids.h -+++ b/drivers/hid/hid-ids.h -@@ -135,9 +135,9 @@ - #define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_JIS 0x023b - #define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ANSI 0x0255 - #define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ISO 0x0256 --#define USB_DEVICE_ID_APPLE_WELLSPRING8_ANSI 0x0291 --#define USB_DEVICE_ID_APPLE_WELLSPRING8_ISO 0x0292 --#define USB_DEVICE_ID_APPLE_WELLSPRING8_JIS 0x0293 -+#define USB_DEVICE_ID_APPLE_WELLSPRING8_ANSI 0x0290 -+#define USB_DEVICE_ID_APPLE_WELLSPRING8_ISO 0x0291 -+#define USB_DEVICE_ID_APPLE_WELLSPRING8_JIS 0x0292 - #define USB_DEVICE_ID_APPLE_FOUNTAIN_TP_ONLY 0x030a - #define USB_DEVICE_ID_APPLE_GEYSER1_TP_ONLY 0x030b - #define USB_DEVICE_ID_APPLE_IRCONTROL 0x8240 -@@ -482,6 +482,7 @@ - #define USB_VENDOR_ID_KYE 0x0458 - #define USB_DEVICE_ID_KYE_ERGO_525V 0x0087 - #define USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE 0x0138 -+#define USB_DEVICE_ID_GENIUS_GX_IMPERATOR 0x4018 - #define USB_DEVICE_ID_KYE_GPEN_560 0x5003 - #define USB_DEVICE_ID_KYE_EASYPEN_I405X 0x5010 - #define USB_DEVICE_ID_KYE_MOUSEPEN_I608X 0x5011 -@@ -658,6 +659,7 @@ - #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_16 0x0012 - #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_17 0x0013 - #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_18 0x0014 -+#define USB_DEVICE_ID_NTRIG_DUOSENSE 0x1500 - - #define USB_VENDOR_ID_ONTRAK 0x0a07 - #define USB_DEVICE_ID_ONTRAK_ADU100 0x0064 -diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c -index 7480799..3fc4034 100644 ---- a/drivers/hid/hid-input.c -+++ b/drivers/hid/hid-input.c -@@ -340,7 +340,7 @@ static int hidinput_get_battery_property(struct power_supply *psy, - { - struct hid_device *dev = container_of(psy, struct hid_device, battery); - int ret = 0; -- __u8 buf[2] = {}; -+ __u8 *buf; - - switch (prop) { - case POWER_SUPPLY_PROP_PRESENT: -@@ -349,12 +349,19 @@ static int hidinput_get_battery_property(struct power_supply *psy, - break; - - case POWER_SUPPLY_PROP_CAPACITY: -+ -+ buf = kmalloc(2 * sizeof(__u8), GFP_KERNEL); -+ if (!buf) { -+ ret = -ENOMEM; -+ break; -+ } - ret = dev->hid_get_raw_report(dev, dev->battery_report_id, -- buf, sizeof(buf), -+ buf, 2, - dev->battery_report_type); - - if (ret != 2) { - ret = -ENODATA; -+ kfree(buf); - break; - } - ret = 0; -@@ -364,6 +371,7 @@ static int hidinput_get_battery_property(struct power_supply *psy, - buf[1] <= dev->battery_max) - val->intval = (100 * (buf[1] - dev->battery_min)) / - (dev->battery_max - dev->battery_min); -+ kfree(buf); - break; - - case POWER_SUPPLY_PROP_MODEL_NAME: -diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c -index 1e2ee2aa..7384512 100644 ---- a/drivers/hid/hid-kye.c -+++ b/drivers/hid/hid-kye.c -@@ -268,6 +268,26 @@ static __u8 easypen_m610x_rdesc_fixed[] = { - 0xC0 /* End Collection */ - }; - -+static __u8 *kye_consumer_control_fixup(struct hid_device *hdev, __u8 *rdesc, -+ unsigned int *rsize, int offset, const char *device_name) { -+ /* -+ * the fixup that need to be done: -+ * - change Usage Maximum in the Comsumer Control -+ * (report ID 3) to a reasonable value -+ */ -+ if (*rsize >= offset + 31 && -+ /* Usage Page (Consumer Devices) */ -+ rdesc[offset] == 0x05 && rdesc[offset + 1] == 0x0c && -+ /* Usage (Consumer Control) */ -+ rdesc[offset + 2] == 0x09 && rdesc[offset + 3] == 0x01 && -+ /* Usage Maximum > 12287 */ -+ rdesc[offset + 10] == 0x2a && rdesc[offset + 12] > 0x2f) { -+ hid_info(hdev, "fixing up %s report descriptor\n", device_name); -+ rdesc[offset + 12] = 0x2f; -+ } -+ return rdesc; -+} -+ - static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, - unsigned int *rsize) - { -@@ -315,23 +335,12 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, - } - break; - case USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE: -- /* -- * the fixup that need to be done: -- * - change Usage Maximum in the Comsumer Control -- * (report ID 3) to a reasonable value -- */ -- if (*rsize >= 135 && -- /* Usage Page (Consumer Devices) */ -- rdesc[104] == 0x05 && rdesc[105] == 0x0c && -- /* Usage (Consumer Control) */ -- rdesc[106] == 0x09 && rdesc[107] == 0x01 && -- /* Usage Maximum > 12287 */ -- rdesc[114] == 0x2a && rdesc[116] > 0x2f) { -- hid_info(hdev, -- "fixing up Genius Gila Gaming Mouse " -- "report descriptor\n"); -- rdesc[116] = 0x2f; -- } -+ rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 104, -+ "Genius Gila Gaming Mouse"); -+ break; -+ case USB_DEVICE_ID_GENIUS_GX_IMPERATOR: -+ rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 83, -+ "Genius Gx Imperator Keyboard"); - break; - } - return rdesc; -@@ -428,6 +437,8 @@ static const struct hid_device_id kye_devices[] = { - USB_DEVICE_ID_KYE_EASYPEN_M610X) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, - USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) }, -+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, -+ USB_DEVICE_ID_GENIUS_GX_IMPERATOR) }, - { } - }; - MODULE_DEVICE_TABLE(hid, kye_devices); -diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c -index ef95102..5482156 100644 ---- a/drivers/hid/hid-ntrig.c -+++ b/drivers/hid/hid-ntrig.c -@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev) - struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT]. - report_id_hash[0x0d]; - -- if (!report) -+ if (!report || report->maxfield < 1 || -+ report->field[0]->report_count < 1) - return -EINVAL; - - hid_hw_request(hdev, report, HID_REQ_GET_REPORT); -diff --git a/drivers/hid/hid-picolcd_cir.c b/drivers/hid/hid-picolcd_cir.c -index e346038..59d5eb1 100644 ---- a/drivers/hid/hid-picolcd_cir.c -+++ b/drivers/hid/hid-picolcd_cir.c -@@ -145,6 +145,7 @@ void picolcd_exit_cir(struct picolcd_data *data) - struct rc_dev *rdev = data->rc_dev; - - data->rc_dev = NULL; -- rc_unregister_device(rdev); -+ if (rdev) -+ rc_unregister_device(rdev); - } - -diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c -index b48092d..acbb0210 100644 ---- a/drivers/hid/hid-picolcd_core.c -+++ b/drivers/hid/hid-picolcd_core.c -@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev, - buf += 10; - cnt -= 10; - } -- if (!report) -+ if (!report || report->maxfield != 1) - return -EINVAL; - - while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r')) -diff --git a/drivers/hid/hid-picolcd_fb.c b/drivers/hid/hid-picolcd_fb.c -index 591f6b2..c930ab8 100644 ---- a/drivers/hid/hid-picolcd_fb.c -+++ b/drivers/hid/hid-picolcd_fb.c -@@ -593,10 +593,14 @@ err_nomem: - void picolcd_exit_framebuffer(struct picolcd_data *data) - { - struct fb_info *info = data->fb_info; -- struct picolcd_fb_data *fbdata = info->par; -+ struct picolcd_fb_data *fbdata; - unsigned long flags; - -+ if (!info) -+ return; -+ - device_remove_file(&data->hdev->dev, &dev_attr_fb_update_rate); -+ fbdata = info->par; - - /* disconnect framebuffer from HID dev */ - spin_lock_irqsave(&fbdata->lock, flags); -diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c -index d29112f..2dcd7d9 100644 ---- a/drivers/hid/hid-pl.c -+++ b/drivers/hid/hid-pl.c -@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid) - strong = &report->field[0]->value[2]; - weak = &report->field[0]->value[3]; - debug("detected single-field device"); -- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 && -- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) { -+ } else if (report->field[0]->maxusage == 1 && -+ report->field[0]->usage[0].hid == -+ (HID_UP_LED | 0x43) && -+ report->maxfield >= 4 && -+ report->field[0]->report_count >= 1 && -+ report->field[1]->report_count >= 1 && -+ report->field[2]->report_count >= 1 && -+ report->field[3]->report_count >= 1) { - report->field[0]->value[0] = 0x00; - report->field[1]->value[0] = 0x00; - strong = &report->field[2]->value[0]; -diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c -index ca749810..aa34755 100644 ---- a/drivers/hid/hid-sensor-hub.c -+++ b/drivers/hid/hid-sensor-hub.c -@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, - - mutex_lock(&data->mutex); - report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); -- if (!report || (field_index >= report->maxfield)) { -+ if (!report || (field_index >= report->maxfield) || -+ report->field[field_index]->report_count < 1) { - ret = -EINVAL; - goto done_proc; - } -diff --git a/drivers/hid/hid-speedlink.c b/drivers/hid/hid-speedlink.c -index a2f587d..7112f3e 100644 ---- a/drivers/hid/hid-speedlink.c -+++ b/drivers/hid/hid-speedlink.c -@@ -3,7 +3,7 @@ - * Fixes "jumpy" cursor and removes nonexistent keyboard LEDS from - * the HID descriptor. - * -- * Copyright (c) 2011 Stefan Kriwanek <mail@stefankriwanek.de> -+ * Copyright (c) 2011, 2013 Stefan Kriwanek <dev@stefankriwanek.de> - */ - - /* -@@ -46,8 +46,13 @@ static int speedlink_event(struct hid_device *hdev, struct hid_field *field, - struct hid_usage *usage, __s32 value) - { - /* No other conditions due to usage_table. */ -- /* Fix "jumpy" cursor (invalid events sent by device). */ -- if (value == 256) -+ -+ /* This fixes the "jumpy" cursor occuring due to invalid events sent -+ * by the device. Some devices only send them with value==+256, others -+ * don't. However, catching abs(value)>=256 is restrictive enough not -+ * to interfere with devices that were bug-free (has been tested). -+ */ -+ if (abs(value) >= 256) - return 1; - /* Drop useless distance 0 events (on button clicks etc.) as well */ - if (value == 0) -diff --git a/drivers/hid/hid-wiimote-core.c b/drivers/hid/hid-wiimote-core.c -index 0c06054..6602098 100644 ---- a/drivers/hid/hid-wiimote-core.c -+++ b/drivers/hid/hid-wiimote-core.c -@@ -212,10 +212,12 @@ static __u8 select_drm(struct wiimote_data *wdata) - - if (ir == WIIPROTO_FLAG_IR_BASIC) { - if (wdata->state.flags & WIIPROTO_FLAG_ACCEL) { -- if (ext) -- return WIIPROTO_REQ_DRM_KAIE; -- else -- return WIIPROTO_REQ_DRM_KAI; -+ /* GEN10 and ealier devices bind IR formats to DRMs. -+ * Hence, we cannot use DRM_KAI here as it might be -+ * bound to IR_EXT. Use DRM_KAIE unconditionally so we -+ * work with all devices and our parsers can use the -+ * fixed formats, too. */ -+ return WIIPROTO_REQ_DRM_KAIE; - } else { - return WIIPROTO_REQ_DRM_KIE; - } -diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c -index 6f1feb2..dbfe300 100644 ---- a/drivers/hid/hidraw.c -+++ b/drivers/hid/hidraw.c -@@ -113,7 +113,7 @@ static ssize_t hidraw_send_report(struct file *file, const char __user *buffer, - __u8 *buf; - int ret = 0; - -- if (!hidraw_table[minor]) { -+ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { - ret = -ENODEV; - goto out; - } -@@ -261,7 +261,7 @@ static int hidraw_open(struct inode *inode, struct file *file) - } - - mutex_lock(&minors_lock); -- if (!hidraw_table[minor]) { -+ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { - err = -ENODEV; - goto out_unlock; - } -@@ -302,39 +302,38 @@ static int hidraw_fasync(int fd, struct file *file, int on) - return fasync_helper(fd, file, on, &list->fasync); - } - -+static void drop_ref(struct hidraw *hidraw, int exists_bit) -+{ -+ if (exists_bit) { -+ hid_hw_close(hidraw->hid); -+ hidraw->exist = 0; -+ if (hidraw->open) -+ wake_up_interruptible(&hidraw->wait); -+ } else { -+ --hidraw->open; -+ } -+ -+ if (!hidraw->open && !hidraw->exist) { -+ device_destroy(hidraw_class, MKDEV(hidraw_major, hidraw->minor)); -+ hidraw_table[hidraw->minor] = NULL; -+ kfree(hidraw); -+ } -+} -+ - static int hidraw_release(struct inode * inode, struct file * file) - { - unsigned int minor = iminor(inode); -- struct hidraw *dev; - struct hidraw_list *list = file->private_data; -- int ret; -- int i; - - mutex_lock(&minors_lock); -- if (!hidraw_table[minor]) { -- ret = -ENODEV; -- goto unlock; -- } - - list_del(&list->node); -- dev = hidraw_table[minor]; -- if (!--dev->open) { -- if (list->hidraw->exist) { -- hid_hw_power(dev->hid, PM_HINT_NORMAL); -- hid_hw_close(dev->hid); -- } else { -- kfree(list->hidraw); -- } -- } -- -- for (i = 0; i < HIDRAW_BUFFER_SIZE; ++i) -- kfree(list->buffer[i].value); - kfree(list); -- ret = 0; --unlock: -- mutex_unlock(&minors_lock); - -- return ret; -+ drop_ref(hidraw_table[minor], 0); -+ -+ mutex_unlock(&minors_lock); -+ return 0; - } - - static long hidraw_ioctl(struct file *file, unsigned int cmd, -@@ -539,18 +538,9 @@ void hidraw_disconnect(struct hid_device *hid) - struct hidraw *hidraw = hid->hidraw; - - mutex_lock(&minors_lock); -- hidraw->exist = 0; -- -- device_destroy(hidraw_class, MKDEV(hidraw_major, hidraw->minor)); - -- hidraw_table[hidraw->minor] = NULL; -+ drop_ref(hidraw, 1); - -- if (hidraw->open) { -- hid_hw_close(hid); -- wake_up_interruptible(&hidraw->wait); -- } else { -- kfree(hidraw); -- } - mutex_unlock(&minors_lock); - } - EXPORT_SYMBOL_GPL(hidraw_disconnect); -diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c -index 19b8360..0734552 100644 ---- a/drivers/hid/usbhid/hid-quirks.c -+++ b/drivers/hid/usbhid/hid-quirks.c -@@ -109,6 +109,8 @@ static const struct hid_blacklist { - { USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD, HID_QUIRK_NO_INIT_REPORTS }, - { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X, HID_QUIRK_MULTI_INPUT }, - { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_M610X, HID_QUIRK_MULTI_INPUT }, -+ { USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_DUOSENSE, HID_QUIRK_NO_INIT_REPORTS }, -+ - { 0, 0 } - }; - -diff --git a/drivers/input/mouse/bcm5974.c b/drivers/input/mouse/bcm5974.c -index 4ef4d5e..a73f961 100644 ---- a/drivers/input/mouse/bcm5974.c -+++ b/drivers/input/mouse/bcm5974.c -@@ -89,9 +89,9 @@ - #define USB_DEVICE_ID_APPLE_WELLSPRING7A_ISO 0x025a - #define USB_DEVICE_ID_APPLE_WELLSPRING7A_JIS 0x025b - /* MacbookAir6,2 (unibody, June 2013) */ --#define USB_DEVICE_ID_APPLE_WELLSPRING8_ANSI 0x0291 --#define USB_DEVICE_ID_APPLE_WELLSPRING8_ISO 0x0292 --#define USB_DEVICE_ID_APPLE_WELLSPRING8_JIS 0x0293 -+#define USB_DEVICE_ID_APPLE_WELLSPRING8_ANSI 0x0290 -+#define USB_DEVICE_ID_APPLE_WELLSPRING8_ISO 0x0291 -+#define USB_DEVICE_ID_APPLE_WELLSPRING8_JIS 0x0292 - - #define BCM5974_DEVICE(prod) { \ - .match_flags = (USB_DEVICE_ID_MATCH_DEVICE | \ -diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c -index eec0d3e..15e9b57 100644 ---- a/drivers/iommu/intel-iommu.c -+++ b/drivers/iommu/intel-iommu.c -@@ -890,56 +890,54 @@ static int dma_pte_clear_range(struct dmar_domain *domain, - return order; - } - -+static void dma_pte_free_level(struct dmar_domain *domain, int level, -+ struct dma_pte *pte, unsigned long pfn, -+ unsigned long start_pfn, unsigned long last_pfn) -+{ -+ pfn = max(start_pfn, pfn); -+ pte = &pte[pfn_level_offset(pfn, level)]; -+ -+ do { -+ unsigned long level_pfn; -+ struct dma_pte *level_pte; -+ -+ if (!dma_pte_present(pte) || dma_pte_superpage(pte)) -+ goto next; -+ -+ level_pfn = pfn & level_mask(level - 1); -+ level_pte = phys_to_virt(dma_pte_addr(pte)); -+ -+ if (level > 2) -+ dma_pte_free_level(domain, level - 1, level_pte, -+ level_pfn, start_pfn, last_pfn); -+ -+ /* If range covers entire pagetable, free it */ -+ if (!(start_pfn > level_pfn || -+ last_pfn < level_pfn + level_size(level))) { -+ dma_clear_pte(pte); -+ domain_flush_cache(domain, pte, sizeof(*pte)); -+ free_pgtable_page(level_pte); -+ } -+next: -+ pfn += level_size(level); -+ } while (!first_pte_in_page(++pte) && pfn <= last_pfn); -+} -+ - /* free page table pages. last level pte should already be cleared */ - static void dma_pte_free_pagetable(struct dmar_domain *domain, - unsigned long start_pfn, - unsigned long last_pfn) - { - int addr_width = agaw_to_width(domain->agaw) - VTD_PAGE_SHIFT; -- struct dma_pte *first_pte, *pte; -- int total = agaw_to_level(domain->agaw); -- int level; -- unsigned long tmp; -- int large_page = 2; - - BUG_ON(addr_width < BITS_PER_LONG && start_pfn >> addr_width); - BUG_ON(addr_width < BITS_PER_LONG && last_pfn >> addr_width); - BUG_ON(start_pfn > last_pfn); - - /* We don't need lock here; nobody else touches the iova range */ -- level = 2; -- while (level <= total) { -- tmp = align_to_level(start_pfn, level); -- -- /* If we can't even clear one PTE at this level, we're done */ -- if (tmp + level_size(level) - 1 > last_pfn) -- return; -- -- do { -- large_page = level; -- first_pte = pte = dma_pfn_level_pte(domain, tmp, level, &large_page); -- if (large_page > level) -- level = large_page + 1; -- if (!pte) { -- tmp = align_to_level(tmp + 1, level + 1); -- continue; -- } -- do { -- if (dma_pte_present(pte)) { -- free_pgtable_page(phys_to_virt(dma_pte_addr(pte))); -- dma_clear_pte(pte); -- } -- pte++; -- tmp += level_size(level); -- } while (!first_pte_in_page(pte) && -- tmp + level_size(level) - 1 <= last_pfn); -+ dma_pte_free_level(domain, agaw_to_level(domain->agaw), -+ domain->pgd, 0, start_pfn, last_pfn); - -- domain_flush_cache(domain, first_pte, -- (void *)pte - (void *)first_pte); -- -- } while (tmp && tmp + level_size(level) - 1 <= last_pfn); -- level++; -- } - /* free pgd */ - if (start_pfn == 0 && last_pfn == DOMAIN_MAX_PFN(domain->gaw)) { - free_pgtable_page(domain->pgd); -diff --git a/drivers/leds/leds-wm831x-status.c b/drivers/leds/leds-wm831x-status.c -index 120815a..5a19abd 100644 ---- a/drivers/leds/leds-wm831x-status.c -+++ b/drivers/leds/leds-wm831x-status.c -@@ -230,9 +230,9 @@ static int wm831x_status_probe(struct platform_device *pdev) - int id = pdev->id % ARRAY_SIZE(chip_pdata->status); - int ret; - -- res = platform_get_resource(pdev, IORESOURCE_IO, 0); -+ res = platform_get_resource(pdev, IORESOURCE_REG, 0); - if (res == NULL) { -- dev_err(&pdev->dev, "No I/O resource\n"); -+ dev_err(&pdev->dev, "No register resource\n"); - ret = -EINVAL; - goto err; - } -diff --git a/drivers/media/common/siano/smsdvb-main.c b/drivers/media/common/siano/smsdvb-main.c -index 0862622..63676a8 100644 ---- a/drivers/media/common/siano/smsdvb-main.c -+++ b/drivers/media/common/siano/smsdvb-main.c -@@ -276,7 +276,8 @@ static void smsdvb_update_per_slices(struct smsdvb_client_t *client, - - /* Legacy PER/BER */ - tmp = p->ets_packets * 65535; -- do_div(tmp, p->ts_packets + p->ets_packets); -+ if (p->ts_packets + p->ets_packets) -+ do_div(tmp, p->ts_packets + p->ets_packets); - client->legacy_per = tmp; - } - -diff --git a/drivers/media/dvb-frontends/mb86a20s.c b/drivers/media/dvb-frontends/mb86a20s.c -index 856374b..2c7217f 100644 ---- a/drivers/media/dvb-frontends/mb86a20s.c -+++ b/drivers/media/dvb-frontends/mb86a20s.c -@@ -157,7 +157,6 @@ static struct regdata mb86a20s_init2[] = { - { 0x45, 0x04 }, /* CN symbol 4 */ - { 0x48, 0x04 }, /* CN manual mode */ - -- { 0x50, 0xd5 }, { 0x51, 0x01 }, /* Serial */ - { 0x50, 0xd6 }, { 0x51, 0x1f }, - { 0x50, 0xd2 }, { 0x51, 0x03 }, - { 0x50, 0xd7 }, { 0x51, 0xbf }, -@@ -1860,16 +1859,15 @@ static int mb86a20s_initfe(struct dvb_frontend *fe) - dev_dbg(&state->i2c->dev, "%s: IF=%d, IF reg=0x%06llx\n", - __func__, state->if_freq, (long long)pll); - -- if (!state->config->is_serial) { -+ if (!state->config->is_serial) - regD5 &= ~1; - -- rc = mb86a20s_writereg(state, 0x50, 0xd5); -- if (rc < 0) -- goto err; -- rc = mb86a20s_writereg(state, 0x51, regD5); -- if (rc < 0) -- goto err; -- } -+ rc = mb86a20s_writereg(state, 0x50, 0xd5); -+ if (rc < 0) -+ goto err; -+ rc = mb86a20s_writereg(state, 0x51, regD5); -+ if (rc < 0) -+ goto err; - - rc = mb86a20s_writeregdata(state, mb86a20s_init2); - if (rc < 0) -diff --git a/drivers/media/pci/cx88/cx88.h b/drivers/media/pci/cx88/cx88.h -index afe0eae..28893a6 100644 ---- a/drivers/media/pci/cx88/cx88.h -+++ b/drivers/media/pci/cx88/cx88.h -@@ -259,7 +259,7 @@ struct cx88_input { - }; - - enum cx88_audio_chip { -- CX88_AUDIO_WM8775, -+ CX88_AUDIO_WM8775 = 1, - CX88_AUDIO_TVAUDIO, - }; - -diff --git a/drivers/media/platform/exynos-gsc/gsc-core.c b/drivers/media/platform/exynos-gsc/gsc-core.c -index 559fab2..1ec60264 100644 ---- a/drivers/media/platform/exynos-gsc/gsc-core.c -+++ b/drivers/media/platform/exynos-gsc/gsc-core.c -@@ -1122,10 +1122,14 @@ static int gsc_probe(struct platform_device *pdev) - goto err_clk; - } - -- ret = gsc_register_m2m_device(gsc); -+ ret = v4l2_device_register(dev, &gsc->v4l2_dev); - if (ret) - goto err_clk; - -+ ret = gsc_register_m2m_device(gsc); -+ if (ret) -+ goto err_v4l2; -+ - platform_set_drvdata(pdev, gsc); - pm_runtime_enable(dev); - ret = pm_runtime_get_sync(&pdev->dev); -@@ -1147,6 +1151,8 @@ err_pm: - pm_runtime_put(dev); - err_m2m: - gsc_unregister_m2m_device(gsc); -+err_v4l2: -+ v4l2_device_unregister(&gsc->v4l2_dev); - err_clk: - gsc_clk_put(gsc); - return ret; -@@ -1157,6 +1163,7 @@ static int gsc_remove(struct platform_device *pdev) - struct gsc_dev *gsc = platform_get_drvdata(pdev); - - gsc_unregister_m2m_device(gsc); -+ v4l2_device_unregister(&gsc->v4l2_dev); - - vb2_dma_contig_cleanup_ctx(gsc->alloc_ctx); - pm_runtime_disable(&pdev->dev); -diff --git a/drivers/media/platform/exynos-gsc/gsc-core.h b/drivers/media/platform/exynos-gsc/gsc-core.h -index cc19bba..76435d3 100644 ---- a/drivers/media/platform/exynos-gsc/gsc-core.h -+++ b/drivers/media/platform/exynos-gsc/gsc-core.h -@@ -343,6 +343,7 @@ struct gsc_dev { - unsigned long state; - struct vb2_alloc_ctx *alloc_ctx; - struct video_device vdev; -+ struct v4l2_device v4l2_dev; - }; - - /** -diff --git a/drivers/media/platform/exynos-gsc/gsc-m2m.c b/drivers/media/platform/exynos-gsc/gsc-m2m.c -index 40a73f7..e576ff2 100644 ---- a/drivers/media/platform/exynos-gsc/gsc-m2m.c -+++ b/drivers/media/platform/exynos-gsc/gsc-m2m.c -@@ -751,6 +751,7 @@ int gsc_register_m2m_device(struct gsc_dev *gsc) - gsc->vdev.release = video_device_release_empty; - gsc->vdev.lock = &gsc->lock; - gsc->vdev.vfl_dir = VFL_DIR_M2M; -+ gsc->vdev.v4l2_dev = &gsc->v4l2_dev; - snprintf(gsc->vdev.name, sizeof(gsc->vdev.name), "%s.%d:m2m", - GSC_MODULE_NAME, gsc->id); - -diff --git a/drivers/media/platform/exynos4-is/fimc-lite.c b/drivers/media/platform/exynos4-is/fimc-lite.c -index 08fbfed..e85dc4f 100644 ---- a/drivers/media/platform/exynos4-is/fimc-lite.c -+++ b/drivers/media/platform/exynos4-is/fimc-lite.c -@@ -90,7 +90,7 @@ static const struct fimc_fmt fimc_lite_formats[] = { - .name = "RAW10 (GRBG)", - .fourcc = V4L2_PIX_FMT_SGRBG10, - .colorspace = V4L2_COLORSPACE_SRGB, -- .depth = { 10 }, -+ .depth = { 16 }, - .color = FIMC_FMT_RAW10, - .memplanes = 1, - .mbus_code = V4L2_MBUS_FMT_SGRBG10_1X10, -@@ -99,7 +99,7 @@ static const struct fimc_fmt fimc_lite_formats[] = { - .name = "RAW12 (GRBG)", - .fourcc = V4L2_PIX_FMT_SGRBG12, - .colorspace = V4L2_COLORSPACE_SRGB, -- .depth = { 12 }, -+ .depth = { 16 }, - .color = FIMC_FMT_RAW12, - .memplanes = 1, - .mbus_code = V4L2_MBUS_FMT_SGRBG12_1X12, -diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c -index 19f556c..91f21e2 100644 ---- a/drivers/media/platform/exynos4-is/media-dev.c -+++ b/drivers/media/platform/exynos4-is/media-dev.c -@@ -1530,9 +1530,9 @@ static int fimc_md_probe(struct platform_device *pdev) - err_unlock: - mutex_unlock(&fmd->media_dev.graph_mutex); - err_clk: -- media_device_unregister(&fmd->media_dev); - fimc_md_put_clocks(fmd); - fimc_md_unregister_entities(fmd); -+ media_device_unregister(&fmd->media_dev); - err_md: - v4l2_device_unregister(&fmd->v4l2_dev); - return ret; -diff --git a/drivers/mmc/host/tmio_mmc_dma.c b/drivers/mmc/host/tmio_mmc_dma.c -index 47bdb8f..65edb4a 100644 ---- a/drivers/mmc/host/tmio_mmc_dma.c -+++ b/drivers/mmc/host/tmio_mmc_dma.c -@@ -104,6 +104,7 @@ static void tmio_mmc_start_dma_rx(struct tmio_mmc_host *host) - pio: - if (!desc) { - /* DMA failed, fall back to PIO */ -+ tmio_mmc_enable_dma(host, false); - if (ret >= 0) - ret = -EIO; - host->chan_rx = NULL; -@@ -116,7 +117,6 @@ pio: - } - dev_warn(&host->pdev->dev, - "DMA failed: %d, falling back to PIO\n", ret); -- tmio_mmc_enable_dma(host, false); - } - - dev_dbg(&host->pdev->dev, "%s(): desc %p, cookie %d, sg[%d]\n", __func__, -@@ -185,6 +185,7 @@ static void tmio_mmc_start_dma_tx(struct tmio_mmc_host *host) - pio: - if (!desc) { - /* DMA failed, fall back to PIO */ -+ tmio_mmc_enable_dma(host, false); - if (ret >= 0) - ret = -EIO; - host->chan_tx = NULL; -@@ -197,7 +198,6 @@ pio: - } - dev_warn(&host->pdev->dev, - "DMA failed: %d, falling back to PIO\n", ret); -- tmio_mmc_enable_dma(host, false); - } - - dev_dbg(&host->pdev->dev, "%s(): desc %p, cookie %d\n", __func__, -diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c -index dfcd0a5..fb8c4de 100644 ---- a/drivers/mtd/nand/nand_base.c -+++ b/drivers/mtd/nand/nand_base.c -@@ -2793,7 +2793,9 @@ static void nand_set_defaults(struct nand_chip *chip, int busw) - - if (!chip->select_chip) - chip->select_chip = nand_select_chip; -- if (!chip->read_byte) -+ -+ /* If called twice, pointers that depend on busw may need to be reset */ -+ if (!chip->read_byte || chip->read_byte == nand_read_byte) - chip->read_byte = busw ? nand_read_byte16 : nand_read_byte; - if (!chip->read_word) - chip->read_word = nand_read_word; -@@ -2801,9 +2803,9 @@ static void nand_set_defaults(struct nand_chip *chip, int busw) - chip->block_bad = nand_block_bad; - if (!chip->block_markbad) - chip->block_markbad = nand_default_block_markbad; -- if (!chip->write_buf) -+ if (!chip->write_buf || chip->write_buf == nand_write_buf) - chip->write_buf = busw ? nand_write_buf16 : nand_write_buf; -- if (!chip->read_buf) -+ if (!chip->read_buf || chip->read_buf == nand_read_buf) - chip->read_buf = busw ? nand_read_buf16 : nand_read_buf; - if (!chip->scan_bbt) - chip->scan_bbt = nand_default_bbt; -diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c -index 5df49d3..c95bfb1 100644 ---- a/drivers/mtd/ubi/wl.c -+++ b/drivers/mtd/ubi/wl.c -@@ -1069,6 +1069,9 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, - if (!(e2->ec - e1->ec >= UBI_WL_THRESHOLD)) { - dbg_wl("no WL needed: min used EC %d, max free EC %d", - e1->ec, e2->ec); -+ -+ /* Give the unused PEB back */ -+ wl_tree_add(e2, &ubi->free); - goto out_cancel; - } - self_check_in_wl_tree(ubi, e1, &ubi->used); -diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c -index b017818..90ab292 100644 ---- a/drivers/net/ethernet/marvell/mvneta.c -+++ b/drivers/net/ethernet/marvell/mvneta.c -@@ -138,7 +138,9 @@ - #define MVNETA_GMAC_FORCE_LINK_PASS BIT(1) - #define MVNETA_GMAC_CONFIG_MII_SPEED BIT(5) - #define MVNETA_GMAC_CONFIG_GMII_SPEED BIT(6) -+#define MVNETA_GMAC_AN_SPEED_EN BIT(7) - #define MVNETA_GMAC_CONFIG_FULL_DUPLEX BIT(12) -+#define MVNETA_GMAC_AN_DUPLEX_EN BIT(13) - #define MVNETA_MIB_COUNTERS_BASE 0x3080 - #define MVNETA_MIB_LATE_COLLISION 0x7c - #define MVNETA_DA_FILT_SPEC_MCAST 0x3400 -@@ -915,6 +917,13 @@ static void mvneta_defaults_set(struct mvneta_port *pp) - /* Assign port SDMA configuration */ - mvreg_write(pp, MVNETA_SDMA_CONFIG, val); - -+ /* Disable PHY polling in hardware, since we're using the -+ * kernel phylib to do this. -+ */ -+ val = mvreg_read(pp, MVNETA_UNIT_CONTROL); -+ val &= ~MVNETA_PHY_POLLING_ENABLE; -+ mvreg_write(pp, MVNETA_UNIT_CONTROL, val); -+ - mvneta_set_ucast_table(pp, -1); - mvneta_set_special_mcast_table(pp, -1); - mvneta_set_other_mcast_table(pp, -1); -@@ -2307,7 +2316,9 @@ static void mvneta_adjust_link(struct net_device *ndev) - val = mvreg_read(pp, MVNETA_GMAC_AUTONEG_CONFIG); - val &= ~(MVNETA_GMAC_CONFIG_MII_SPEED | - MVNETA_GMAC_CONFIG_GMII_SPEED | -- MVNETA_GMAC_CONFIG_FULL_DUPLEX); -+ MVNETA_GMAC_CONFIG_FULL_DUPLEX | -+ MVNETA_GMAC_AN_SPEED_EN | -+ MVNETA_GMAC_AN_DUPLEX_EN); - - if (phydev->duplex) - val |= MVNETA_GMAC_CONFIG_FULL_DUPLEX; -diff --git a/drivers/net/wireless/ath/ath9k/ar9003_phy.c b/drivers/net/wireless/ath/ath9k/ar9003_phy.c -index 1f694ab..77d3a70 100644 ---- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c -+++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c -@@ -1173,6 +1173,10 @@ skip_ws_det: - * is_on == 0 means MRC CCK is OFF (more noise imm) - */ - bool is_on = param ? 1 : 0; -+ -+ if (ah->caps.rx_chainmask == 1) -+ break; -+ - REG_RMW_FIELD(ah, AR_PHY_MRC_CCK_CTRL, - AR_PHY_MRC_CCK_ENABLE, is_on); - REG_RMW_FIELD(ah, AR_PHY_MRC_CCK_CTRL, -diff --git a/drivers/net/wireless/ath/ath9k/ath9k.h b/drivers/net/wireless/ath/ath9k/ath9k.h -index c1224b5..020b9b3 100644 ---- a/drivers/net/wireless/ath/ath9k/ath9k.h -+++ b/drivers/net/wireless/ath/ath9k/ath9k.h -@@ -79,10 +79,6 @@ struct ath_config { - sizeof(struct ath_buf_state)); \ - } while (0) - --#define ATH_RXBUF_RESET(_bf) do { \ -- (_bf)->bf_stale = false; \ -- } while (0) -- - /** - * enum buffer_type - Buffer type flags - * -@@ -317,6 +313,7 @@ struct ath_rx { - struct ath_descdma rxdma; - struct ath_rx_edma rx_edma[ATH9K_RX_QUEUE_MAX]; - -+ struct ath_buf *buf_hold; - struct sk_buff *frag; - - u32 ampdu_ref; -diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c -index 865e043..b4902b3 100644 ---- a/drivers/net/wireless/ath/ath9k/recv.c -+++ b/drivers/net/wireless/ath/ath9k/recv.c -@@ -42,8 +42,6 @@ static void ath_rx_buf_link(struct ath_softc *sc, struct ath_buf *bf) - struct ath_desc *ds; - struct sk_buff *skb; - -- ATH_RXBUF_RESET(bf); -- - ds = bf->bf_desc; - ds->ds_link = 0; /* link to null */ - ds->ds_data = bf->bf_buf_addr; -@@ -70,6 +68,14 @@ static void ath_rx_buf_link(struct ath_softc *sc, struct ath_buf *bf) - sc->rx.rxlink = &ds->ds_link; - } - -+static void ath_rx_buf_relink(struct ath_softc *sc, struct ath_buf *bf) -+{ -+ if (sc->rx.buf_hold) -+ ath_rx_buf_link(sc, sc->rx.buf_hold); -+ -+ sc->rx.buf_hold = bf; -+} -+ - static void ath_setdefantenna(struct ath_softc *sc, u32 antenna) - { - /* XXX block beacon interrupts */ -@@ -117,7 +123,6 @@ static bool ath_rx_edma_buf_link(struct ath_softc *sc, - - skb = bf->bf_mpdu; - -- ATH_RXBUF_RESET(bf); - memset(skb->data, 0, ah->caps.rx_status_len); - dma_sync_single_for_device(sc->dev, bf->bf_buf_addr, - ah->caps.rx_status_len, DMA_TO_DEVICE); -@@ -432,6 +437,7 @@ int ath_startrecv(struct ath_softc *sc) - if (list_empty(&sc->rx.rxbuf)) - goto start_recv; - -+ sc->rx.buf_hold = NULL; - sc->rx.rxlink = NULL; - list_for_each_entry_safe(bf, tbf, &sc->rx.rxbuf, list) { - ath_rx_buf_link(sc, bf); -@@ -677,6 +683,9 @@ static struct ath_buf *ath_get_next_rx_buf(struct ath_softc *sc, - } - - bf = list_first_entry(&sc->rx.rxbuf, struct ath_buf, list); -+ if (bf == sc->rx.buf_hold) -+ return NULL; -+ - ds = bf->bf_desc; - - /* -@@ -1375,7 +1384,7 @@ requeue: - if (edma) { - ath_rx_edma_buf_link(sc, qtype); - } else { -- ath_rx_buf_link(sc, bf); -+ ath_rx_buf_relink(sc, bf); - ath9k_hw_rxena(ah); - } - } while (1); -diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c -index 9279927..ab64683 100644 ---- a/drivers/net/wireless/ath/ath9k/xmit.c -+++ b/drivers/net/wireless/ath/ath9k/xmit.c -@@ -2602,6 +2602,7 @@ void ath_tx_node_init(struct ath_softc *sc, struct ath_node *an) - for (acno = 0, ac = &an->ac[acno]; - acno < IEEE80211_NUM_ACS; acno++, ac++) { - ac->sched = false; -+ ac->clear_ps_filter = true; - ac->txq = sc->tx.txq_map[acno]; - INIT_LIST_HEAD(&ac->tid_q); - } -diff --git a/drivers/net/wireless/brcm80211/brcmsmac/dma.c b/drivers/net/wireless/brcm80211/brcmsmac/dma.c -index 1860c57..4fb9635 100644 ---- a/drivers/net/wireless/brcm80211/brcmsmac/dma.c -+++ b/drivers/net/wireless/brcm80211/brcmsmac/dma.c -@@ -1015,9 +1015,10 @@ static bool dma64_txidle(struct dma_info *di) - - /* - * post receive buffers -- * return false is refill failed completely and ring is empty this will stall -- * the rx dma and user might want to call rxfill again asap. This unlikely -- * happens on memory-rich NIC, but often on memory-constrained dongle -+ * Return false if refill failed completely or dma mapping failed. The ring -+ * is empty, which will stall the rx dma and user might want to call rxfill -+ * again asap. This is unlikely to happen on a memory-rich NIC, but often on -+ * memory-constrained dongle. - */ - bool dma_rxfill(struct dma_pub *pub) - { -@@ -1078,6 +1079,8 @@ bool dma_rxfill(struct dma_pub *pub) - - pa = dma_map_single(di->dmadev, p->data, di->rxbufsize, - DMA_FROM_DEVICE); -+ if (dma_mapping_error(di->dmadev, pa)) -+ return false; - - /* save the free packet pointer */ - di->rxp[rxout] = p; -@@ -1284,7 +1287,11 @@ static void dma_txenq(struct dma_info *di, struct sk_buff *p) - - /* get physical address of buffer start */ - pa = dma_map_single(di->dmadev, data, len, DMA_TO_DEVICE); -- -+ /* if mapping failed, free skb */ -+ if (dma_mapping_error(di->dmadev, pa)) { -+ brcmu_pkt_buf_free_skb(p); -+ return; -+ } - /* With a DMA segment list, Descriptor table is filled - * using the segment list instead of looping over - * buffers in multi-chain DMA. Therefore, EOF for SGLIST -diff --git a/drivers/of/base.c b/drivers/of/base.c -index 5c54279..bf8432f 100644 ---- a/drivers/of/base.c -+++ b/drivers/of/base.c -@@ -1629,6 +1629,7 @@ void of_alias_scan(void * (*dt_alloc)(u64 size, u64 align)) - ap = dt_alloc(sizeof(*ap) + len + 1, 4); - if (!ap) - continue; -+ memset(ap, 0, sizeof(*ap) + len + 1); - ap->alias = start; - of_alias_add(ap, np, id, start, len); - } -diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c -index b90a3a0..19afb9a 100644 ---- a/drivers/pinctrl/pinctrl-at91.c -+++ b/drivers/pinctrl/pinctrl-at91.c -@@ -325,7 +325,7 @@ static void at91_mux_disable_interrupt(void __iomem *pio, unsigned mask) - - static unsigned at91_mux_get_pullup(void __iomem *pio, unsigned pin) - { -- return (readl_relaxed(pio + PIO_PUSR) >> pin) & 0x1; -+ return !((readl_relaxed(pio + PIO_PUSR) >> pin) & 0x1); - } - - static void at91_mux_set_pullup(void __iomem *pio, unsigned mask, bool on) -@@ -445,7 +445,7 @@ static void at91_mux_pio3_set_debounce(void __iomem *pio, unsigned mask, - - static bool at91_mux_pio3_get_pulldown(void __iomem *pio, unsigned pin) - { -- return (__raw_readl(pio + PIO_PPDSR) >> pin) & 0x1; -+ return !((__raw_readl(pio + PIO_PPDSR) >> pin) & 0x1); - } - - static void at91_mux_pio3_set_pulldown(void __iomem *pio, unsigned mask, bool is_on) -diff --git a/drivers/scsi/mpt3sas/Makefile b/drivers/scsi/mpt3sas/Makefile -index 4c1d2e7..efb0c4c 100644 ---- a/drivers/scsi/mpt3sas/Makefile -+++ b/drivers/scsi/mpt3sas/Makefile -@@ -1,5 +1,5 @@ - # mpt3sas makefile --obj-m += mpt3sas.o -+obj-$(CONFIG_SCSI_MPT3SAS) += mpt3sas.o - mpt3sas-y += mpt3sas_base.o \ - mpt3sas_config.o \ - mpt3sas_scsih.o \ -diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c -index 86fcf2c..2783dd7 100644 ---- a/drivers/scsi/sd.c -+++ b/drivers/scsi/sd.c -@@ -2419,14 +2419,9 @@ sd_read_cache_type(struct scsi_disk *sdkp, unsigned char *buffer) - } - } - -- if (modepage == 0x3F) { -- sd_printk(KERN_ERR, sdkp, "No Caching mode page " -- "present\n"); -- goto defaults; -- } else if ((buffer[offset] & 0x3f) != modepage) { -- sd_printk(KERN_ERR, sdkp, "Got wrong page\n"); -- goto defaults; -- } -+ sd_printk(KERN_ERR, sdkp, "No Caching mode page found\n"); -+ goto defaults; -+ - Page_found: - if (modepage == 8) { - sdkp->WCE = ((buffer[offset + 2] & 0x04) != 0); -diff --git a/drivers/staging/comedi/drivers/dt282x.c b/drivers/staging/comedi/drivers/dt282x.c -index c1950e3..674b236 100644 ---- a/drivers/staging/comedi/drivers/dt282x.c -+++ b/drivers/staging/comedi/drivers/dt282x.c -@@ -264,8 +264,9 @@ struct dt282x_private { - } \ - udelay(5); \ - } \ -- if (_i) \ -+ if (_i) { \ - b \ -+ } \ - } while (0) - - static int prep_ai_dma(struct comedi_device *dev, int chan, int size); -diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c -index e77fb6e..8f54c50 100644 ---- a/drivers/staging/zram/zram_drv.c -+++ b/drivers/staging/zram/zram_drv.c -@@ -445,6 +445,14 @@ static int zram_bvec_write(struct zram *zram, struct bio_vec *bvec, u32 index, - goto out; - } - -+ /* -+ * zram_slot_free_notify could miss free so that let's -+ * double check. -+ */ -+ if (unlikely(meta->table[index].handle || -+ zram_test_flag(meta, index, ZRAM_ZERO))) -+ zram_free_page(zram, index); -+ - ret = lzo1x_1_compress(uncmem, PAGE_SIZE, src, &clen, - meta->compress_workmem); - -@@ -504,6 +512,20 @@ out: - return ret; - } - -+static void handle_pending_slot_free(struct zram *zram) -+{ -+ struct zram_slot_free *free_rq; -+ -+ spin_lock(&zram->slot_free_lock); -+ while (zram->slot_free_rq) { -+ free_rq = zram->slot_free_rq; -+ zram->slot_free_rq = free_rq->next; -+ zram_free_page(zram, free_rq->index); -+ kfree(free_rq); -+ } -+ spin_unlock(&zram->slot_free_lock); -+} -+ - static int zram_bvec_rw(struct zram *zram, struct bio_vec *bvec, u32 index, - int offset, struct bio *bio, int rw) - { -@@ -511,10 +533,12 @@ static int zram_bvec_rw(struct zram *zram, struct bio_vec *bvec, u32 index, - - if (rw == READ) { - down_read(&zram->lock); -+ handle_pending_slot_free(zram); - ret = zram_bvec_read(zram, bvec, index, offset, bio); - up_read(&zram->lock); - } else { - down_write(&zram->lock); -+ handle_pending_slot_free(zram); - ret = zram_bvec_write(zram, bvec, index, offset); - up_write(&zram->lock); - } -@@ -522,11 +546,13 @@ static int zram_bvec_rw(struct zram *zram, struct bio_vec *bvec, u32 index, - return ret; - } - --static void zram_reset_device(struct zram *zram) -+static void zram_reset_device(struct zram *zram, bool reset_capacity) - { - size_t index; - struct zram_meta *meta; - -+ flush_work(&zram->free_work); -+ - down_write(&zram->init_lock); - if (!zram->init_done) { - up_write(&zram->init_lock); -@@ -551,7 +577,8 @@ static void zram_reset_device(struct zram *zram) - memset(&zram->stats, 0, sizeof(zram->stats)); - - zram->disksize = 0; -- set_capacity(zram->disk, 0); -+ if (reset_capacity) -+ set_capacity(zram->disk, 0); - up_write(&zram->init_lock); - } - -@@ -635,7 +662,7 @@ static ssize_t reset_store(struct device *dev, - if (bdev) - fsync_bdev(bdev); - -- zram_reset_device(zram); -+ zram_reset_device(zram, true); - return len; - } - -@@ -720,16 +747,40 @@ error: - bio_io_error(bio); - } - -+static void zram_slot_free(struct work_struct *work) -+{ -+ struct zram *zram; -+ -+ zram = container_of(work, struct zram, free_work); -+ down_write(&zram->lock); -+ handle_pending_slot_free(zram); -+ up_write(&zram->lock); -+} -+ -+static void add_slot_free(struct zram *zram, struct zram_slot_free *free_rq) -+{ -+ spin_lock(&zram->slot_free_lock); -+ free_rq->next = zram->slot_free_rq; -+ zram->slot_free_rq = free_rq; -+ spin_unlock(&zram->slot_free_lock); -+} -+ - static void zram_slot_free_notify(struct block_device *bdev, - unsigned long index) - { - struct zram *zram; -+ struct zram_slot_free *free_rq; - - zram = bdev->bd_disk->private_data; -- down_write(&zram->lock); -- zram_free_page(zram, index); -- up_write(&zram->lock); - atomic64_inc(&zram->stats.notify_free); -+ -+ free_rq = kmalloc(sizeof(struct zram_slot_free), GFP_ATOMIC); -+ if (!free_rq) -+ return; -+ -+ free_rq->index = index; -+ add_slot_free(zram, free_rq); -+ schedule_work(&zram->free_work); - } - - static const struct block_device_operations zram_devops = { -@@ -776,6 +827,10 @@ static int create_device(struct zram *zram, int device_id) - init_rwsem(&zram->lock); - init_rwsem(&zram->init_lock); - -+ INIT_WORK(&zram->free_work, zram_slot_free); -+ spin_lock_init(&zram->slot_free_lock); -+ zram->slot_free_rq = NULL; -+ - zram->queue = blk_alloc_queue(GFP_KERNEL); - if (!zram->queue) { - pr_err("Error allocating disk queue for device %d\n", -@@ -902,10 +957,12 @@ static void __exit zram_exit(void) - for (i = 0; i < num_devices; i++) { - zram = &zram_devices[i]; - -- get_disk(zram->disk); - destroy_device(zram); -- zram_reset_device(zram); -- put_disk(zram->disk); -+ /* -+ * Shouldn't access zram->disk after destroy_device -+ * because destroy_device already released zram->disk. -+ */ -+ zram_reset_device(zram, false); - } - - unregister_blkdev(zram_major, "zram"); -diff --git a/drivers/staging/zram/zram_drv.h b/drivers/staging/zram/zram_drv.h -index 9e57bfb..97a3acf 100644 ---- a/drivers/staging/zram/zram_drv.h -+++ b/drivers/staging/zram/zram_drv.h -@@ -94,11 +94,20 @@ struct zram_meta { - struct zs_pool *mem_pool; - }; - -+struct zram_slot_free { -+ unsigned long index; -+ struct zram_slot_free *next; -+}; -+ - struct zram { - struct zram_meta *meta; - struct rw_semaphore lock; /* protect compression buffers, table, - * 32bit stat counters against concurrent - * notifications, reads and writes */ -+ -+ struct work_struct free_work; /* handle pending free request */ -+ struct zram_slot_free *slot_free_rq; /* list head of free request */ -+ - struct request_queue *queue; - struct gendisk *disk; - int init_done; -@@ -109,6 +118,7 @@ struct zram { - * we can store in a disk. - */ - u64 disksize; /* bytes */ -+ spinlock_t slot_free_lock; - - struct zram_stats stats; - }; -diff --git a/drivers/target/target_core_alua.c b/drivers/target/target_core_alua.c -index cbe48ab..f608fbc 100644 ---- a/drivers/target/target_core_alua.c -+++ b/drivers/target/target_core_alua.c -@@ -730,7 +730,7 @@ static int core_alua_write_tpg_metadata( - if (ret < 0) - pr_err("Error writing ALUA metadata file: %s\n", path); - fput(file); -- return ret ? -EIO : 0; -+ return (ret < 0) ? -EIO : 0; - } - - /* -diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c -index bd78faf..adec5a8 100644 ---- a/drivers/target/target_core_pr.c -+++ b/drivers/target/target_core_pr.c -@@ -1949,7 +1949,7 @@ static int __core_scsi3_write_aptpl_to_file( - pr_debug("Error writing APTPL metadata file: %s\n", path); - fput(file); - -- return ret ? -EIO : 0; -+ return (ret < 0) ? -EIO : 0; - } - - /* -diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c -index 366af83..20689b9 100644 ---- a/drivers/tty/tty_io.c -+++ b/drivers/tty/tty_io.c -@@ -850,7 +850,8 @@ void disassociate_ctty(int on_exit) - struct pid *tty_pgrp = tty_get_pgrp(tty); - if (tty_pgrp) { - kill_pgrp(tty_pgrp, SIGHUP, on_exit); -- kill_pgrp(tty_pgrp, SIGCONT, on_exit); -+ if (!on_exit) -+ kill_pgrp(tty_pgrp, SIGCONT, on_exit); - put_pid(tty_pgrp); - } - } -diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c -index 8a230f0..d3318a0 100644 ---- a/drivers/usb/class/cdc-wdm.c -+++ b/drivers/usb/class/cdc-wdm.c -@@ -209,6 +209,7 @@ skip_error: - static void wdm_int_callback(struct urb *urb) - { - int rv = 0; -+ int responding; - int status = urb->status; - struct wdm_device *desc; - struct usb_cdc_notification *dr; -@@ -262,8 +263,8 @@ static void wdm_int_callback(struct urb *urb) - - spin_lock(&desc->iuspin); - clear_bit(WDM_READ, &desc->flags); -- set_bit(WDM_RESPONDING, &desc->flags); -- if (!test_bit(WDM_DISCONNECTING, &desc->flags) -+ responding = test_and_set_bit(WDM_RESPONDING, &desc->flags); -+ if (!responding && !test_bit(WDM_DISCONNECTING, &desc->flags) - && !test_bit(WDM_SUSPENDING, &desc->flags)) { - rv = usb_submit_urb(desc->response, GFP_ATOMIC); - dev_dbg(&desc->intf->dev, "%s: usb_submit_urb %d", -@@ -685,16 +686,20 @@ static void wdm_rxwork(struct work_struct *work) - { - struct wdm_device *desc = container_of(work, struct wdm_device, rxwork); - unsigned long flags; -- int rv; -+ int rv = 0; -+ int responding; - - spin_lock_irqsave(&desc->iuspin, flags); - if (test_bit(WDM_DISCONNECTING, &desc->flags)) { - spin_unlock_irqrestore(&desc->iuspin, flags); - } else { -+ responding = test_and_set_bit(WDM_RESPONDING, &desc->flags); - spin_unlock_irqrestore(&desc->iuspin, flags); -- rv = usb_submit_urb(desc->response, GFP_KERNEL); -+ if (!responding) -+ rv = usb_submit_urb(desc->response, GFP_KERNEL); - if (rv < 0 && rv != -EPERM) { - spin_lock_irqsave(&desc->iuspin, flags); -+ clear_bit(WDM_RESPONDING, &desc->flags); - if (!test_bit(WDM_DISCONNECTING, &desc->flags)) - schedule_work(&desc->rxwork); - spin_unlock_irqrestore(&desc->iuspin, flags); -diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c -index 7199adc..a6b2cab 100644 ---- a/drivers/usb/core/config.c -+++ b/drivers/usb/core/config.c -@@ -424,7 +424,8 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx, - - memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE); - if (config->desc.bDescriptorType != USB_DT_CONFIG || -- config->desc.bLength < USB_DT_CONFIG_SIZE) { -+ config->desc.bLength < USB_DT_CONFIG_SIZE || -+ config->desc.bLength > size) { - dev_err(ddev, "invalid descriptor for config index %d: " - "type = 0x%X, length = %d\n", cfgidx, - config->desc.bDescriptorType, config->desc.bLength); -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 558313d..17c3785 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -2918,7 +2918,6 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg) - { - struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent); - struct usb_port *port_dev = hub->ports[udev->portnum - 1]; -- enum pm_qos_flags_status pm_qos_stat; - int port1 = udev->portnum; - int status; - bool really_suspend = true; -@@ -2956,7 +2955,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg) - status); - /* bail if autosuspend is requested */ - if (PMSG_IS_AUTO(msg)) -- return status; -+ goto err_wakeup; - } - } - -@@ -2965,14 +2964,16 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg) - usb_set_usb2_hardware_lpm(udev, 0); - - if (usb_disable_ltm(udev)) { -- dev_err(&udev->dev, "%s Failed to disable LTM before suspend\n.", -- __func__); -- return -ENOMEM; -+ dev_err(&udev->dev, "Failed to disable LTM before suspend\n."); -+ status = -ENOMEM; -+ if (PMSG_IS_AUTO(msg)) -+ goto err_ltm; - } - if (usb_unlocked_disable_lpm(udev)) { -- dev_err(&udev->dev, "%s Failed to disable LPM before suspend\n.", -- __func__); -- return -ENOMEM; -+ dev_err(&udev->dev, "Failed to disable LPM before suspend\n."); -+ status = -ENOMEM; -+ if (PMSG_IS_AUTO(msg)) -+ goto err_lpm3; - } - - /* see 7.1.7.6 */ -@@ -3000,28 +3001,31 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg) - if (status) { - dev_dbg(hub->intfdev, "can't suspend port %d, status %d\n", - port1, status); -- /* paranoia: "should not happen" */ -- if (udev->do_remote_wakeup) { -- if (!hub_is_superspeed(hub->hdev)) { -- (void) usb_control_msg(udev, -- usb_sndctrlpipe(udev, 0), -- USB_REQ_CLEAR_FEATURE, -- USB_RECIP_DEVICE, -- USB_DEVICE_REMOTE_WAKEUP, 0, -- NULL, 0, -- USB_CTRL_SET_TIMEOUT); -- } else -- (void) usb_disable_function_remotewakeup(udev); -- -- } - -+ /* Try to enable USB3 LPM and LTM again */ -+ usb_unlocked_enable_lpm(udev); -+ err_lpm3: -+ usb_enable_ltm(udev); -+ err_ltm: - /* Try to enable USB2 hardware LPM again */ - if (udev->usb2_hw_lpm_capable == 1) - usb_set_usb2_hardware_lpm(udev, 1); - -- /* Try to enable USB3 LTM and LPM again */ -- usb_enable_ltm(udev); -- usb_unlocked_enable_lpm(udev); -+ if (udev->do_remote_wakeup) { -+ if (udev->speed < USB_SPEED_SUPER) -+ usb_control_msg(udev, usb_sndctrlpipe(udev, 0), -+ USB_REQ_CLEAR_FEATURE, -+ USB_RECIP_DEVICE, -+ USB_DEVICE_REMOTE_WAKEUP, 0, -+ NULL, 0, USB_CTRL_SET_TIMEOUT); -+ else -+ usb_control_msg(udev, usb_sndctrlpipe(udev, 0), -+ USB_REQ_CLEAR_FEATURE, -+ USB_RECIP_INTERFACE, -+ USB_INTRF_FUNC_SUSPEND, 0, -+ NULL, 0, USB_CTRL_SET_TIMEOUT); -+ } -+ err_wakeup: - - /* System sleep transitions should never fail */ - if (!PMSG_IS_AUTO(msg)) -@@ -3039,16 +3043,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg) - usb_set_device_state(udev, USB_STATE_SUSPENDED); - } - -- /* -- * Check whether current status meets the requirement of -- * usb port power off mechanism -- */ -- pm_qos_stat = dev_pm_qos_flags(&port_dev->dev, -- PM_QOS_FLAG_NO_POWER_OFF); -- if (!udev->do_remote_wakeup -- && pm_qos_stat != PM_QOS_FLAGS_ALL -- && udev->persist_enabled -- && !status) { -+ if (status == 0 && !udev->do_remote_wakeup && udev->persist_enabled) { - pm_runtime_put_sync(&port_dev->dev); - port_dev->did_runtime_put = true; - } -diff --git a/drivers/usb/core/port.c b/drivers/usb/core/port.c -index d6b0fad..9909911 100644 ---- a/drivers/usb/core/port.c -+++ b/drivers/usb/core/port.c -@@ -89,22 +89,19 @@ static int usb_port_runtime_resume(struct device *dev) - retval = usb_hub_set_port_power(hdev, hub, port1, true); - if (port_dev->child && !retval) { - /* -- * Wait for usb hub port to be reconnected in order to make -- * the resume procedure successful. -+ * Attempt to wait for usb hub port to be reconnected in order -+ * to make the resume procedure successful. The device may have -+ * disconnected while the port was powered off, so ignore the -+ * return status. - */ - retval = hub_port_debounce_be_connected(hub, port1); -- if (retval < 0) { -+ if (retval < 0) - dev_dbg(&port_dev->dev, "can't get reconnection after setting port power on, status %d\n", - retval); -- goto out; -- } - usb_clear_port_feature(hdev, port1, USB_PORT_FEAT_C_ENABLE); -- -- /* Set return value to 0 if debounce successful */ - retval = 0; - } - --out: - clear_bit(port1, hub->busy_bits); - usb_autopm_put_interface(intf); - return retval; -diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c -index f77083f..14d28d6 100644 ---- a/drivers/usb/dwc3/gadget.c -+++ b/drivers/usb/dwc3/gadget.c -@@ -1508,6 +1508,15 @@ static int dwc3_gadget_start(struct usb_gadget *g, - int irq; - u32 reg; - -+ irq = platform_get_irq(to_platform_device(dwc->dev), 0); -+ ret = request_threaded_irq(irq, dwc3_interrupt, dwc3_thread_interrupt, -+ IRQF_SHARED | IRQF_ONESHOT, "dwc3", dwc); -+ if (ret) { -+ dev_err(dwc->dev, "failed to request irq #%d --> %d\n", -+ irq, ret); -+ goto err0; -+ } -+ - spin_lock_irqsave(&dwc->lock, flags); - - if (dwc->gadget_driver) { -@@ -1515,7 +1524,7 @@ static int dwc3_gadget_start(struct usb_gadget *g, - dwc->gadget.name, - dwc->gadget_driver->driver.name); - ret = -EBUSY; -- goto err0; -+ goto err1; - } - - dwc->gadget_driver = driver; -@@ -1551,42 +1560,38 @@ static int dwc3_gadget_start(struct usb_gadget *g, - ret = __dwc3_gadget_ep_enable(dep, &dwc3_gadget_ep0_desc, NULL, false); - if (ret) { - dev_err(dwc->dev, "failed to enable %s\n", dep->name); -- goto err0; -+ goto err2; - } - - dep = dwc->eps[1]; - ret = __dwc3_gadget_ep_enable(dep, &dwc3_gadget_ep0_desc, NULL, false); - if (ret) { - dev_err(dwc->dev, "failed to enable %s\n", dep->name); -- goto err1; -+ goto err3; - } - - /* begin to receive SETUP packets */ - dwc->ep0state = EP0_SETUP_PHASE; - dwc3_ep0_out_start(dwc); - -- irq = platform_get_irq(to_platform_device(dwc->dev), 0); -- ret = request_threaded_irq(irq, dwc3_interrupt, dwc3_thread_interrupt, -- IRQF_SHARED | IRQF_ONESHOT, "dwc3", dwc); -- if (ret) { -- dev_err(dwc->dev, "failed to request irq #%d --> %d\n", -- irq, ret); -- goto err1; -- } -- - dwc3_gadget_enable_irq(dwc); - - spin_unlock_irqrestore(&dwc->lock, flags); - - return 0; - --err1: -+err3: - __dwc3_gadget_ep_disable(dwc->eps[0]); - --err0: -+err2: - dwc->gadget_driver = NULL; -+ -+err1: - spin_unlock_irqrestore(&dwc->lock, flags); - -+ free_irq(irq, dwc); -+ -+err0: - return ret; - } - -@@ -1600,9 +1605,6 @@ static int dwc3_gadget_stop(struct usb_gadget *g, - spin_lock_irqsave(&dwc->lock, flags); - - dwc3_gadget_disable_irq(dwc); -- irq = platform_get_irq(to_platform_device(dwc->dev), 0); -- free_irq(irq, dwc); -- - __dwc3_gadget_ep_disable(dwc->eps[0]); - __dwc3_gadget_ep_disable(dwc->eps[1]); - -@@ -1610,6 +1612,9 @@ static int dwc3_gadget_stop(struct usb_gadget *g, - - spin_unlock_irqrestore(&dwc->lock, flags); - -+ irq = platform_get_irq(to_platform_device(dwc->dev), 0); -+ free_irq(irq, dwc); -+ - return 0; - } - -diff --git a/drivers/usb/gadget/uvc_queue.c b/drivers/usb/gadget/uvc_queue.c -index e617047..0bb5d50 100644 ---- a/drivers/usb/gadget/uvc_queue.c -+++ b/drivers/usb/gadget/uvc_queue.c -@@ -193,12 +193,16 @@ static int uvc_queue_buffer(struct uvc_video_queue *queue, - - mutex_lock(&queue->mutex); - ret = vb2_qbuf(&queue->queue, buf); -+ if (ret < 0) -+ goto done; -+ - spin_lock_irqsave(&queue->irqlock, flags); - ret = (queue->flags & UVC_QUEUE_PAUSED) != 0; - queue->flags &= ~UVC_QUEUE_PAUSED; - spin_unlock_irqrestore(&queue->irqlock, flags); -- mutex_unlock(&queue->mutex); - -+done: -+ mutex_unlock(&queue->mutex); - return ret; - } - -diff --git a/drivers/usb/host/ehci-mxc.c b/drivers/usb/host/ehci-mxc.c -index e4c34ac..4c166e1 100644 ---- a/drivers/usb/host/ehci-mxc.c -+++ b/drivers/usb/host/ehci-mxc.c -@@ -184,7 +184,7 @@ static int ehci_mxc_drv_remove(struct platform_device *pdev) - if (pdata && pdata->exit) - pdata->exit(pdev); - -- if (pdata->otg) -+ if (pdata && pdata->otg) - usb_phy_shutdown(pdata->otg); - - clk_disable_unprepare(priv->usbclk); -diff --git a/drivers/usb/host/ohci-pci.c b/drivers/usb/host/ohci-pci.c -index 279b049..ec337c2 100644 ---- a/drivers/usb/host/ohci-pci.c -+++ b/drivers/usb/host/ohci-pci.c -@@ -289,7 +289,7 @@ static struct pci_driver ohci_pci_driver = { - .remove = usb_hcd_pci_remove, - .shutdown = usb_hcd_pci_shutdown, - --#ifdef CONFIG_PM_SLEEP -+#ifdef CONFIG_PM - .driver = { - .pm = &usb_hcd_pci_pm_ops - }, -diff --git a/drivers/usb/host/xhci-ext-caps.h b/drivers/usb/host/xhci-ext-caps.h -index 8d7a132..9fe3225 100644 ---- a/drivers/usb/host/xhci-ext-caps.h -+++ b/drivers/usb/host/xhci-ext-caps.h -@@ -71,7 +71,7 @@ - - /* USB 2.0 xHCI 1.0 hardware LMP capability - section 7.2.2.1.3.2 */ - #define XHCI_HLC (1 << 19) --#define XHCI_BLC (1 << 19) -+#define XHCI_BLC (1 << 20) - - /* command register values to disable interrupts and halt the HC */ - /* start/stop HC execution - do not write unless HC is halted*/ -diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c -index 51e22bf..6eca5a5 100644 ---- a/drivers/usb/host/xhci-plat.c -+++ b/drivers/usb/host/xhci-plat.c -@@ -24,7 +24,7 @@ static void xhci_plat_quirks(struct device *dev, struct xhci_hcd *xhci) - * here that the generic code does not try to make a pci_dev from our - * dev struct in order to setup MSI - */ -- xhci->quirks |= XHCI_BROKEN_MSI; -+ xhci->quirks |= XHCI_PLAT; - } - - /* called during probe() after chip reset completes */ -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 9478caa..b3c4162 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -343,9 +343,14 @@ static void __maybe_unused xhci_msix_sync_irqs(struct xhci_hcd *xhci) - static int xhci_try_enable_msi(struct usb_hcd *hcd) - { - struct xhci_hcd *xhci = hcd_to_xhci(hcd); -- struct pci_dev *pdev = to_pci_dev(xhci_to_hcd(xhci)->self.controller); -+ struct pci_dev *pdev; - int ret; - -+ /* The xhci platform device has set up IRQs through usb_add_hcd. */ -+ if (xhci->quirks & XHCI_PLAT) -+ return 0; -+ -+ pdev = to_pci_dev(xhci_to_hcd(xhci)->self.controller); - /* - * Some Fresco Logic host controllers advertise MSI, but fail to - * generate interrupts. Don't even try to enable MSI. -@@ -3581,10 +3586,21 @@ void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev) - { - struct xhci_hcd *xhci = hcd_to_xhci(hcd); - struct xhci_virt_device *virt_dev; -+ struct device *dev = hcd->self.controller; - unsigned long flags; - u32 state; - int i, ret; - -+#ifndef CONFIG_USB_DEFAULT_PERSIST -+ /* -+ * We called pm_runtime_get_noresume when the device was attached. -+ * Decrement the counter here to allow controller to runtime suspend -+ * if no devices remain. -+ */ -+ if (xhci->quirks & XHCI_RESET_ON_RESUME) -+ pm_runtime_put_noidle(dev); -+#endif -+ - ret = xhci_check_args(hcd, udev, NULL, 0, true, __func__); - /* If the host is halted due to driver unload, we still need to free the - * device. -@@ -3656,6 +3672,7 @@ static int xhci_reserve_host_control_ep_resources(struct xhci_hcd *xhci) - int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev) - { - struct xhci_hcd *xhci = hcd_to_xhci(hcd); -+ struct device *dev = hcd->self.controller; - unsigned long flags; - int timeleft; - int ret; -@@ -3708,6 +3725,16 @@ int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev) - goto disable_slot; - } - udev->slot_id = xhci->slot_id; -+ -+#ifndef CONFIG_USB_DEFAULT_PERSIST -+ /* -+ * If resetting upon resume, we can't put the controller into runtime -+ * suspend if there is a device attached. -+ */ -+ if (xhci->quirks & XHCI_RESET_ON_RESUME) -+ pm_runtime_get_noresume(dev); -+#endif -+ - /* Is this a LS or FS device under a HS hub? */ - /* Hub or peripherial? */ - return 1; -diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h -index c338741..6ab1e60 100644 ---- a/drivers/usb/host/xhci.h -+++ b/drivers/usb/host/xhci.h -@@ -1542,6 +1542,7 @@ struct xhci_hcd { - #define XHCI_SPURIOUS_REBOOT (1 << 13) - #define XHCI_COMP_MODE_QUIRK (1 << 14) - #define XHCI_AVOID_BEI (1 << 15) -+#define XHCI_PLAT (1 << 16) - unsigned int num_active_eps; - unsigned int limit_active_eps; - /* There are two roothubs to keep track of bus suspend info for */ -diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c -index b013001..84657e0 100644 ---- a/drivers/usb/serial/mos7720.c -+++ b/drivers/usb/serial/mos7720.c -@@ -374,7 +374,7 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport, - kfree(urbtrack); - return -ENOMEM; - } -- urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_KERNEL); -+ urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_ATOMIC); - if (!urbtrack->setup) { - usb_free_urb(urbtrack->urb); - kfree(urbtrack); -@@ -382,8 +382,8 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport, - } - urbtrack->setup->bRequestType = (__u8)0x40; - urbtrack->setup->bRequest = (__u8)0x0e; -- urbtrack->setup->wValue = get_reg_value(reg, dummy); -- urbtrack->setup->wIndex = get_reg_index(reg); -+ urbtrack->setup->wValue = cpu_to_le16(get_reg_value(reg, dummy)); -+ urbtrack->setup->wIndex = cpu_to_le16(get_reg_index(reg)); - urbtrack->setup->wLength = 0; - usb_fill_control_urb(urbtrack->urb, usbdev, - usb_sndctrlpipe(usbdev, 0), -diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c -index 04cdeb8..c4d2298 100644 ---- a/drivers/xen/grant-table.c -+++ b/drivers/xen/grant-table.c -@@ -730,9 +730,18 @@ void gnttab_request_free_callback(struct gnttab_free_callback *callback, - void (*fn)(void *), void *arg, u16 count) - { - unsigned long flags; -+ struct gnttab_free_callback *cb; -+ - spin_lock_irqsave(&gnttab_list_lock, flags); -- if (callback->next) -- goto out; -+ -+ /* Check if the callback is already on the list */ -+ cb = gnttab_free_callback_list; -+ while (cb) { -+ if (cb == callback) -+ goto out; -+ cb = cb->next; -+ } -+ - callback->fn = fn; - callback->arg = arg; - callback->count = count; -diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c -index 238a055..9877a2a 100644 ---- a/fs/btrfs/ioctl.c -+++ b/fs/btrfs/ioctl.c -@@ -3312,6 +3312,9 @@ static long btrfs_ioctl_dev_replace(struct btrfs_root *root, void __user *arg) - - switch (p->cmd) { - case BTRFS_IOCTL_DEV_REPLACE_CMD_START: -+ if (root->fs_info->sb->s_flags & MS_RDONLY) -+ return -EROFS; -+ - if (atomic_xchg( - &root->fs_info->mutually_exclusive_operation_running, - 1)) { -diff --git a/fs/ceph/ioctl.c b/fs/ceph/ioctl.c -index e0b4ef3..a5ce62e 100644 ---- a/fs/ceph/ioctl.c -+++ b/fs/ceph/ioctl.c -@@ -196,8 +196,10 @@ static long ceph_ioctl_get_dataloc(struct file *file, void __user *arg) - r = ceph_calc_file_object_mapping(&ci->i_layout, dl.file_offset, len, - &dl.object_no, &dl.object_offset, - &olen); -- if (r < 0) -+ if (r < 0) { -+ up_read(&osdc->map_sem); - return -EIO; -+ } - dl.file_offset -= dl.object_offset; - dl.object_size = ceph_file_layout_object_size(ci->i_layout); - dl.block_size = ceph_file_layout_su(ci->i_layout); -diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c -index d67c550..37950c6 100644 ---- a/fs/cifs/connect.c -+++ b/fs/cifs/connect.c -@@ -379,6 +379,7 @@ cifs_reconnect(struct TCP_Server_Info *server) - try_to_freeze(); - - /* we should try only the port we connected to before */ -+ mutex_lock(&server->srv_mutex); - rc = generic_ip_connect(server); - if (rc) { - cifs_dbg(FYI, "reconnect error %d\n", rc); -@@ -390,6 +391,7 @@ cifs_reconnect(struct TCP_Server_Info *server) - server->tcpStatus = CifsNeedNegotiate; - spin_unlock(&GlobalMid_Lock); - } -+ mutex_unlock(&server->srv_mutex); - } while (server->tcpStatus == CifsNeedReconnect); - - return rc; -diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c -index b0c4334..f851d03 100644 ---- a/fs/cifs/smb2misc.c -+++ b/fs/cifs/smb2misc.c -@@ -417,96 +417,108 @@ cifs_ses_oplock_break(struct work_struct *work) - } - - static bool --smb2_is_valid_lease_break(char *buffer, struct TCP_Server_Info *server) -+smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp, -+ struct smb2_lease_break_work *lw) - { -- struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer; -- struct list_head *tmp, *tmp1, *tmp2; -- struct cifs_ses *ses; -- struct cifs_tcon *tcon; -- struct cifsInodeInfo *cinode; -+ bool found; -+ __u8 lease_state; -+ struct list_head *tmp; - struct cifsFileInfo *cfile; - struct cifs_pending_open *open; -- struct smb2_lease_break_work *lw; -- bool found; -+ struct cifsInodeInfo *cinode; - int ack_req = le32_to_cpu(rsp->Flags & - SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); - -- lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL); -- if (!lw) -- return false; -+ lease_state = smb2_map_lease_to_oplock(rsp->NewLeaseState); - -- INIT_WORK(&lw->lease_break, cifs_ses_oplock_break); -- lw->lease_state = rsp->NewLeaseState; -+ list_for_each(tmp, &tcon->openFileList) { -+ cfile = list_entry(tmp, struct cifsFileInfo, tlist); -+ cinode = CIFS_I(cfile->dentry->d_inode); - -- cifs_dbg(FYI, "Checking for lease break\n"); -+ if (memcmp(cinode->lease_key, rsp->LeaseKey, -+ SMB2_LEASE_KEY_SIZE)) -+ continue; - -- /* look up tcon based on tid & uid */ -- spin_lock(&cifs_tcp_ses_lock); -- list_for_each(tmp, &server->smb_ses_list) { -- ses = list_entry(tmp, struct cifs_ses, smb_ses_list); -+ cifs_dbg(FYI, "found in the open list\n"); -+ cifs_dbg(FYI, "lease key match, lease break 0x%d\n", -+ le32_to_cpu(rsp->NewLeaseState)); - -- spin_lock(&cifs_file_list_lock); -- list_for_each(tmp1, &ses->tcon_list) { -- tcon = list_entry(tmp1, struct cifs_tcon, tcon_list); -+ smb2_set_oplock_level(cinode, lease_state); - -- cifs_stats_inc(&tcon->stats.cifs_stats.num_oplock_brks); -- list_for_each(tmp2, &tcon->openFileList) { -- cfile = list_entry(tmp2, struct cifsFileInfo, -- tlist); -- cinode = CIFS_I(cfile->dentry->d_inode); -+ if (ack_req) -+ cfile->oplock_break_cancelled = false; -+ else -+ cfile->oplock_break_cancelled = true; - -- if (memcmp(cinode->lease_key, rsp->LeaseKey, -- SMB2_LEASE_KEY_SIZE)) -- continue; -+ queue_work(cifsiod_wq, &cfile->oplock_break); -+ kfree(lw); -+ return true; -+ } - -- cifs_dbg(FYI, "found in the open list\n"); -- cifs_dbg(FYI, "lease key match, lease break 0x%d\n", -- le32_to_cpu(rsp->NewLeaseState)); -+ found = false; -+ list_for_each_entry(open, &tcon->pending_opens, olist) { -+ if (memcmp(open->lease_key, rsp->LeaseKey, -+ SMB2_LEASE_KEY_SIZE)) -+ continue; -+ -+ if (!found && ack_req) { -+ found = true; -+ memcpy(lw->lease_key, open->lease_key, -+ SMB2_LEASE_KEY_SIZE); -+ lw->tlink = cifs_get_tlink(open->tlink); -+ queue_work(cifsiod_wq, &lw->lease_break); -+ } - -- smb2_set_oplock_level(cinode, -- smb2_map_lease_to_oplock(rsp->NewLeaseState)); -+ cifs_dbg(FYI, "found in the pending open list\n"); -+ cifs_dbg(FYI, "lease key match, lease break 0x%d\n", -+ le32_to_cpu(rsp->NewLeaseState)); - -- if (ack_req) -- cfile->oplock_break_cancelled = false; -- else -- cfile->oplock_break_cancelled = true; -+ open->oplock = lease_state; -+ } -+ return found; -+} - -- queue_work(cifsiod_wq, &cfile->oplock_break); -+static bool -+smb2_is_valid_lease_break(char *buffer) -+{ -+ struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer; -+ struct list_head *tmp, *tmp1, *tmp2; -+ struct TCP_Server_Info *server; -+ struct cifs_ses *ses; -+ struct cifs_tcon *tcon; -+ struct smb2_lease_break_work *lw; - -- spin_unlock(&cifs_file_list_lock); -- spin_unlock(&cifs_tcp_ses_lock); -- return true; -- } -+ lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL); -+ if (!lw) -+ return false; - -- found = false; -- list_for_each_entry(open, &tcon->pending_opens, olist) { -- if (memcmp(open->lease_key, rsp->LeaseKey, -- SMB2_LEASE_KEY_SIZE)) -- continue; -+ INIT_WORK(&lw->lease_break, cifs_ses_oplock_break); -+ lw->lease_state = rsp->NewLeaseState; - -- if (!found && ack_req) { -- found = true; -- memcpy(lw->lease_key, open->lease_key, -- SMB2_LEASE_KEY_SIZE); -- lw->tlink = cifs_get_tlink(open->tlink); -- queue_work(cifsiod_wq, -- &lw->lease_break); -- } -+ cifs_dbg(FYI, "Checking for lease break\n"); -+ -+ /* look up tcon based on tid & uid */ -+ spin_lock(&cifs_tcp_ses_lock); -+ list_for_each(tmp, &cifs_tcp_ses_list) { -+ server = list_entry(tmp, struct TCP_Server_Info, tcp_ses_list); - -- cifs_dbg(FYI, "found in the pending open list\n"); -- cifs_dbg(FYI, "lease key match, lease break 0x%d\n", -- le32_to_cpu(rsp->NewLeaseState)); -+ list_for_each(tmp1, &server->smb_ses_list) { -+ ses = list_entry(tmp1, struct cifs_ses, smb_ses_list); - -- open->oplock = -- smb2_map_lease_to_oplock(rsp->NewLeaseState); -- } -- if (found) { -- spin_unlock(&cifs_file_list_lock); -- spin_unlock(&cifs_tcp_ses_lock); -- return true; -+ spin_lock(&cifs_file_list_lock); -+ list_for_each(tmp2, &ses->tcon_list) { -+ tcon = list_entry(tmp2, struct cifs_tcon, -+ tcon_list); -+ cifs_stats_inc( -+ &tcon->stats.cifs_stats.num_oplock_brks); -+ if (smb2_tcon_has_lease(tcon, rsp, lw)) { -+ spin_unlock(&cifs_file_list_lock); -+ spin_unlock(&cifs_tcp_ses_lock); -+ return true; -+ } - } -+ spin_unlock(&cifs_file_list_lock); - } -- spin_unlock(&cifs_file_list_lock); - } - spin_unlock(&cifs_tcp_ses_lock); - kfree(lw); -@@ -532,7 +544,7 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) - if (rsp->StructureSize != - smb2_rsp_struct_sizes[SMB2_OPLOCK_BREAK_HE]) { - if (le16_to_cpu(rsp->StructureSize) == 44) -- return smb2_is_valid_lease_break(buffer, server); -+ return smb2_is_valid_lease_break(buffer); - else - return false; - } -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index c2ca04e..ea4d188 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -1890,6 +1890,26 @@ static int ext4_writepage(struct page *page, - return ret; - } - -+static int mpage_submit_page(struct mpage_da_data *mpd, struct page *page) -+{ -+ int len; -+ loff_t size = i_size_read(mpd->inode); -+ int err; -+ -+ BUG_ON(page->index != mpd->first_page); -+ if (page->index == size >> PAGE_CACHE_SHIFT) -+ len = size & ~PAGE_CACHE_MASK; -+ else -+ len = PAGE_CACHE_SIZE; -+ clear_page_dirty_for_io(page); -+ err = ext4_bio_write_page(&mpd->io_submit, page, len, mpd->wbc); -+ if (!err) -+ mpd->wbc->nr_to_write--; -+ mpd->first_page++; -+ -+ return err; -+} -+ - #define BH_FLAGS ((1 << BH_Unwritten) | (1 << BH_Delay)) - - /* -@@ -1904,82 +1924,94 @@ static int ext4_writepage(struct page *page, - * - * @mpd - extent of blocks - * @lblk - logical number of the block in the file -- * @b_state - b_state of the buffer head added -+ * @bh - buffer head we want to add to the extent - * -- * the function is used to collect contig. blocks in same state -+ * The function is used to collect contig. blocks in the same state. If the -+ * buffer doesn't require mapping for writeback and we haven't started the -+ * extent of buffers to map yet, the function returns 'true' immediately - the -+ * caller can write the buffer right away. Otherwise the function returns true -+ * if the block has been added to the extent, false if the block couldn't be -+ * added. - */ --static int mpage_add_bh_to_extent(struct mpage_da_data *mpd, ext4_lblk_t lblk, -- unsigned long b_state) -+static bool mpage_add_bh_to_extent(struct mpage_da_data *mpd, ext4_lblk_t lblk, -+ struct buffer_head *bh) - { - struct ext4_map_blocks *map = &mpd->map; - -- /* Don't go larger than mballoc is willing to allocate */ -- if (map->m_len >= MAX_WRITEPAGES_EXTENT_LEN) -- return 0; -+ /* Buffer that doesn't need mapping for writeback? */ -+ if (!buffer_dirty(bh) || !buffer_mapped(bh) || -+ (!buffer_delay(bh) && !buffer_unwritten(bh))) { -+ /* So far no extent to map => we write the buffer right away */ -+ if (map->m_len == 0) -+ return true; -+ return false; -+ } - - /* First block in the extent? */ - if (map->m_len == 0) { - map->m_lblk = lblk; - map->m_len = 1; -- map->m_flags = b_state & BH_FLAGS; -- return 1; -+ map->m_flags = bh->b_state & BH_FLAGS; -+ return true; - } - -+ /* Don't go larger than mballoc is willing to allocate */ -+ if (map->m_len >= MAX_WRITEPAGES_EXTENT_LEN) -+ return false; -+ - /* Can we merge the block to our big extent? */ - if (lblk == map->m_lblk + map->m_len && -- (b_state & BH_FLAGS) == map->m_flags) { -+ (bh->b_state & BH_FLAGS) == map->m_flags) { - map->m_len++; -- return 1; -+ return true; - } -- return 0; -+ return false; - } - --static bool add_page_bufs_to_extent(struct mpage_da_data *mpd, -- struct buffer_head *head, -- struct buffer_head *bh, -- ext4_lblk_t lblk) -+/* -+ * mpage_process_page_bufs - submit page buffers for IO or add them to extent -+ * -+ * @mpd - extent of blocks for mapping -+ * @head - the first buffer in the page -+ * @bh - buffer we should start processing from -+ * @lblk - logical number of the block in the file corresponding to @bh -+ * -+ * Walk through page buffers from @bh upto @head (exclusive) and either submit -+ * the page for IO if all buffers in this page were mapped and there's no -+ * accumulated extent of buffers to map or add buffers in the page to the -+ * extent of buffers to map. The function returns 1 if the caller can continue -+ * by processing the next page, 0 if it should stop adding buffers to the -+ * extent to map because we cannot extend it anymore. It can also return value -+ * < 0 in case of error during IO submission. -+ */ -+static int mpage_process_page_bufs(struct mpage_da_data *mpd, -+ struct buffer_head *head, -+ struct buffer_head *bh, -+ ext4_lblk_t lblk) - { - struct inode *inode = mpd->inode; -+ int err; - ext4_lblk_t blocks = (i_size_read(inode) + (1 << inode->i_blkbits) - 1) - >> inode->i_blkbits; - - do { - BUG_ON(buffer_locked(bh)); - -- if (!buffer_dirty(bh) || !buffer_mapped(bh) || -- (!buffer_delay(bh) && !buffer_unwritten(bh)) || -- lblk >= blocks) { -+ if (lblk >= blocks || !mpage_add_bh_to_extent(mpd, lblk, bh)) { - /* Found extent to map? */ - if (mpd->map.m_len) -- return false; -- if (lblk >= blocks) -- return true; -- continue; -+ return 0; -+ /* Everything mapped so far and we hit EOF */ -+ break; - } -- if (!mpage_add_bh_to_extent(mpd, lblk, bh->b_state)) -- return false; - } while (lblk++, (bh = bh->b_this_page) != head); -- return true; --} -- --static int mpage_submit_page(struct mpage_da_data *mpd, struct page *page) --{ -- int len; -- loff_t size = i_size_read(mpd->inode); -- int err; -- -- BUG_ON(page->index != mpd->first_page); -- if (page->index == size >> PAGE_CACHE_SHIFT) -- len = size & ~PAGE_CACHE_MASK; -- else -- len = PAGE_CACHE_SIZE; -- clear_page_dirty_for_io(page); -- err = ext4_bio_write_page(&mpd->io_submit, page, len, mpd->wbc); -- if (!err) -- mpd->wbc->nr_to_write--; -- mpd->first_page++; -- -- return err; -+ /* So far everything mapped? Submit the page for IO. */ -+ if (mpd->map.m_len == 0) { -+ err = mpage_submit_page(mpd, head->b_page); -+ if (err < 0) -+ return err; -+ } -+ return lblk < blocks; - } - - /* -@@ -2003,8 +2035,6 @@ static int mpage_map_and_submit_buffers(struct mpage_da_data *mpd) - struct inode *inode = mpd->inode; - struct buffer_head *head, *bh; - int bpp_bits = PAGE_CACHE_SHIFT - inode->i_blkbits; -- ext4_lblk_t blocks = (i_size_read(inode) + (1 << inode->i_blkbits) - 1) -- >> inode->i_blkbits; - pgoff_t start, end; - ext4_lblk_t lblk; - sector_t pblock; -@@ -2039,18 +2069,26 @@ static int mpage_map_and_submit_buffers(struct mpage_da_data *mpd) - */ - mpd->map.m_len = 0; - mpd->map.m_flags = 0; -- add_page_bufs_to_extent(mpd, head, bh, -- lblk); -+ /* -+ * FIXME: If dioread_nolock supports -+ * blocksize < pagesize, we need to make -+ * sure we add size mapped so far to -+ * io_end->size as the following call -+ * can submit the page for IO. -+ */ -+ err = mpage_process_page_bufs(mpd, head, -+ bh, lblk); - pagevec_release(&pvec); -- return 0; -+ if (err > 0) -+ err = 0; -+ return err; - } - if (buffer_delay(bh)) { - clear_buffer_delay(bh); - bh->b_blocknr = pblock++; - } - clear_buffer_unwritten(bh); -- } while (++lblk < blocks && -- (bh = bh->b_this_page) != head); -+ } while (lblk++, (bh = bh->b_this_page) != head); - - /* - * FIXME: This is going to break if dioread_nolock -@@ -2319,14 +2357,10 @@ static int mpage_prepare_extent_to_map(struct mpage_da_data *mpd) - lblk = ((ext4_lblk_t)page->index) << - (PAGE_CACHE_SHIFT - blkbits); - head = page_buffers(page); -- if (!add_page_bufs_to_extent(mpd, head, head, lblk)) -+ err = mpage_process_page_bufs(mpd, head, head, lblk); -+ if (err <= 0) - goto out; -- /* So far everything mapped? Submit the page for IO. */ -- if (mpd->map.m_len == 0) { -- err = mpage_submit_page(mpd, page); -- if (err < 0) -- goto out; -- } -+ err = 0; - - /* - * Accumulated enough dirty pages? This doesn't apply -@@ -4566,7 +4600,9 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr) - ext4_journal_stop(handle); - } - -- if (attr->ia_valid & ATTR_SIZE) { -+ if (attr->ia_valid & ATTR_SIZE && attr->ia_size != inode->i_size) { -+ handle_t *handle; -+ loff_t oldsize = inode->i_size; - - if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) { - struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); -@@ -4574,73 +4610,60 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr) - if (attr->ia_size > sbi->s_bitmap_maxbytes) - return -EFBIG; - } -- } -- -- if (S_ISREG(inode->i_mode) && -- attr->ia_valid & ATTR_SIZE && -- (attr->ia_size < inode->i_size)) { -- handle_t *handle; -- -- handle = ext4_journal_start(inode, EXT4_HT_INODE, 3); -- if (IS_ERR(handle)) { -- error = PTR_ERR(handle); -- goto err_out; -- } -- if (ext4_handle_valid(handle)) { -- error = ext4_orphan_add(handle, inode); -- orphan = 1; -- } -- EXT4_I(inode)->i_disksize = attr->ia_size; -- rc = ext4_mark_inode_dirty(handle, inode); -- if (!error) -- error = rc; -- ext4_journal_stop(handle); -- -- if (ext4_should_order_data(inode)) { -- error = ext4_begin_ordered_truncate(inode, -+ if (S_ISREG(inode->i_mode) && -+ (attr->ia_size < inode->i_size)) { -+ if (ext4_should_order_data(inode)) { -+ error = ext4_begin_ordered_truncate(inode, - attr->ia_size); -- if (error) { -- /* Do as much error cleanup as possible */ -- handle = ext4_journal_start(inode, -- EXT4_HT_INODE, 3); -- if (IS_ERR(handle)) { -- ext4_orphan_del(NULL, inode); -+ if (error) - goto err_out; -- } -- ext4_orphan_del(handle, inode); -- orphan = 0; -- ext4_journal_stop(handle); -+ } -+ handle = ext4_journal_start(inode, EXT4_HT_INODE, 3); -+ if (IS_ERR(handle)) { -+ error = PTR_ERR(handle); -+ goto err_out; -+ } -+ if (ext4_handle_valid(handle)) { -+ error = ext4_orphan_add(handle, inode); -+ orphan = 1; -+ } -+ EXT4_I(inode)->i_disksize = attr->ia_size; -+ rc = ext4_mark_inode_dirty(handle, inode); -+ if (!error) -+ error = rc; -+ ext4_journal_stop(handle); -+ if (error) { -+ ext4_orphan_del(NULL, inode); - goto err_out; - } - } -- } -- -- if (attr->ia_valid & ATTR_SIZE) { -- if (attr->ia_size != inode->i_size) { -- loff_t oldsize = inode->i_size; - -- i_size_write(inode, attr->ia_size); -- /* -- * Blocks are going to be removed from the inode. Wait -- * for dio in flight. Temporarily disable -- * dioread_nolock to prevent livelock. -- */ -- if (orphan) { -- if (!ext4_should_journal_data(inode)) { -- ext4_inode_block_unlocked_dio(inode); -- inode_dio_wait(inode); -- ext4_inode_resume_unlocked_dio(inode); -- } else -- ext4_wait_for_tail_page_commit(inode); -- } -- /* -- * Truncate pagecache after we've waited for commit -- * in data=journal mode to make pages freeable. -- */ -- truncate_pagecache(inode, oldsize, inode->i_size); -+ i_size_write(inode, attr->ia_size); -+ /* -+ * Blocks are going to be removed from the inode. Wait -+ * for dio in flight. Temporarily disable -+ * dioread_nolock to prevent livelock. -+ */ -+ if (orphan) { -+ if (!ext4_should_journal_data(inode)) { -+ ext4_inode_block_unlocked_dio(inode); -+ inode_dio_wait(inode); -+ ext4_inode_resume_unlocked_dio(inode); -+ } else -+ ext4_wait_for_tail_page_commit(inode); - } -- ext4_truncate(inode); -+ /* -+ * Truncate pagecache after we've waited for commit -+ * in data=journal mode to make pages freeable. -+ */ -+ truncate_pagecache(inode, oldsize, inode->i_size); - } -+ /* -+ * We want to call ext4_truncate() even if attr->ia_size == -+ * inode->i_size for cases like truncation of fallocated space -+ */ -+ if (attr->ia_valid & ATTR_SIZE) -+ ext4_truncate(inode); - - if (!rc) { - setattr_copy(inode, attr); -diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c -index 72a5d5b..8fec28f 100644 ---- a/fs/fuse/dir.c -+++ b/fs/fuse/dir.c -@@ -1174,6 +1174,8 @@ static int parse_dirfile(char *buf, size_t nbytes, struct file *file, - return -EIO; - if (reclen > nbytes) - break; -+ if (memchr(dirent->name, '/', dirent->namelen) != NULL) -+ return -EIO; - - if (!dir_emit(ctx, dirent->name, dirent->namelen, - dirent->ino, dirent->type)) -@@ -1320,6 +1322,8 @@ static int parse_dirplusfile(char *buf, size_t nbytes, struct file *file, - return -EIO; - if (reclen > nbytes) - break; -+ if (memchr(dirent->name, '/', dirent->namelen) != NULL) -+ return -EIO; - - if (!over) { - /* We fill entries into dstbuf only as much as -@@ -1590,6 +1594,7 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr, - struct file *file) - { - struct fuse_conn *fc = get_fuse_conn(inode); -+ struct fuse_inode *fi = get_fuse_inode(inode); - struct fuse_req *req; - struct fuse_setattr_in inarg; - struct fuse_attr_out outarg; -@@ -1617,8 +1622,10 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr, - if (IS_ERR(req)) - return PTR_ERR(req); - -- if (is_truncate) -+ if (is_truncate) { - fuse_set_nowrite(inode); -+ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); -+ } - - memset(&inarg, 0, sizeof(inarg)); - memset(&outarg, 0, sizeof(outarg)); -@@ -1680,12 +1687,14 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr, - invalidate_inode_pages2(inode->i_mapping); - } - -+ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); - return 0; - - error: - if (is_truncate) - fuse_release_nowrite(inode); - -+ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); - return err; - } - -@@ -1749,6 +1758,8 @@ static int fuse_setxattr(struct dentry *entry, const char *name, - fc->no_setxattr = 1; - err = -EOPNOTSUPP; - } -+ if (!err) -+ fuse_invalidate_attr(inode); - return err; - } - -@@ -1878,6 +1889,8 @@ static int fuse_removexattr(struct dentry *entry, const char *name) - fc->no_removexattr = 1; - err = -EOPNOTSUPP; - } -+ if (!err) -+ fuse_invalidate_attr(inode); - return err; - } - -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index 5c121fe..d409dea 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -629,7 +629,8 @@ static void fuse_read_update_size(struct inode *inode, loff_t size, - struct fuse_inode *fi = get_fuse_inode(inode); - - spin_lock(&fc->lock); -- if (attr_ver == fi->attr_version && size < inode->i_size) { -+ if (attr_ver == fi->attr_version && size < inode->i_size && -+ !test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) { - fi->attr_version = ++fc->attr_version; - i_size_write(inode, size); - } -@@ -1032,12 +1033,16 @@ static ssize_t fuse_perform_write(struct file *file, - { - struct inode *inode = mapping->host; - struct fuse_conn *fc = get_fuse_conn(inode); -+ struct fuse_inode *fi = get_fuse_inode(inode); - int err = 0; - ssize_t res = 0; - - if (is_bad_inode(inode)) - return -EIO; - -+ if (inode->i_size < pos + iov_iter_count(ii)) -+ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); -+ - do { - struct fuse_req *req; - ssize_t count; -@@ -1073,6 +1078,7 @@ static ssize_t fuse_perform_write(struct file *file, - if (res > 0) - fuse_write_update_size(inode, pos); - -+ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); - fuse_invalidate_attr(inode); - - return res > 0 ? res : err; -@@ -1529,7 +1535,6 @@ static int fuse_writepage_locked(struct page *page) - - inc_bdi_stat(mapping->backing_dev_info, BDI_WRITEBACK); - inc_zone_page_state(tmp_page, NR_WRITEBACK_TEMP); -- end_page_writeback(page); - - spin_lock(&fc->lock); - list_add(&req->writepages_entry, &fi->writepages); -@@ -1537,6 +1542,8 @@ static int fuse_writepage_locked(struct page *page) - fuse_flush_writepages(inode); - spin_unlock(&fc->lock); - -+ end_page_writeback(page); -+ - return 0; - - err_free: -diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h -index fde7249..5ced199 100644 ---- a/fs/fuse/fuse_i.h -+++ b/fs/fuse/fuse_i.h -@@ -115,6 +115,8 @@ struct fuse_inode { - enum { - /** Advise readdirplus */ - FUSE_I_ADVISE_RDPLUS, -+ /** An operation changing file size is in progress */ -+ FUSE_I_SIZE_UNSTABLE, - }; - - struct fuse_conn; -diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c -index 0b57859..e0fe703 100644 ---- a/fs/fuse/inode.c -+++ b/fs/fuse/inode.c -@@ -201,7 +201,8 @@ void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr, - struct timespec old_mtime; - - spin_lock(&fc->lock); -- if (attr_version != 0 && fi->attr_version > attr_version) { -+ if ((attr_version != 0 && fi->attr_version > attr_version) || -+ test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) { - spin_unlock(&fc->lock); - return; - } -diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c -index c348d6d..e5d408a 100644 ---- a/fs/isofs/inode.c -+++ b/fs/isofs/inode.c -@@ -117,8 +117,8 @@ static void destroy_inodecache(void) - - static int isofs_remount(struct super_block *sb, int *flags, char *data) - { -- /* we probably want a lot more here */ -- *flags |= MS_RDONLY; -+ if (!(*flags & MS_RDONLY)) -+ return -EROFS; - return 0; - } - -@@ -763,15 +763,6 @@ root_found: - */ - s->s_maxbytes = 0x80000000000LL; - -- /* -- * The CDROM is read-only, has no nodes (devices) on it, and since -- * all of the files appear to be owned by root, we really do not want -- * to allow suid. (suid or devices will not show up unless we have -- * Rock Ridge extensions) -- */ -- -- s->s_flags |= MS_RDONLY /* | MS_NODEV | MS_NOSUID */; -- - /* Set this for reference. Its not currently used except on write - which we don't have .. */ - -@@ -1530,6 +1521,9 @@ struct inode *isofs_iget(struct super_block *sb, - static struct dentry *isofs_mount(struct file_system_type *fs_type, - int flags, const char *dev_name, void *data) - { -+ /* We don't support read-write mounts */ -+ if (!(flags & MS_RDONLY)) -+ return ERR_PTR(-EACCES); - return mount_bdev(fs_type, flags, dev_name, data, isofs_fill_super); - } - -diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c -index 2487116..8460647 100644 ---- a/fs/ocfs2/extent_map.c -+++ b/fs/ocfs2/extent_map.c -@@ -781,7 +781,6 @@ int ocfs2_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, - cpos = map_start >> osb->s_clustersize_bits; - mapping_end = ocfs2_clusters_for_bytes(inode->i_sb, - map_start + map_len); -- mapping_end -= cpos; - is_last = 0; - while (cpos < mapping_end && !is_last) { - u32 fe_flags; -diff --git a/fs/proc/root.c b/fs/proc/root.c -index e0a790d..0e0e83c 100644 ---- a/fs/proc/root.c -+++ b/fs/proc/root.c -@@ -110,7 +110,8 @@ static struct dentry *proc_mount(struct file_system_type *fs_type, - ns = task_active_pid_ns(current); - options = data; - -- if (!current_user_ns()->may_mount_proc) -+ if (!current_user_ns()->may_mount_proc || -+ !ns_capable(ns->user_ns, CAP_SYS_ADMIN)) - return ERR_PTR(-EPERM); - } - -diff --git a/include/linux/compat.h b/include/linux/compat.h -index 7f0c1dd..ec1aee4 100644 ---- a/include/linux/compat.h -+++ b/include/linux/compat.h -@@ -669,6 +669,13 @@ asmlinkage long compat_sys_sigaltstack(const compat_stack_t __user *uss_ptr, - - int compat_restore_altstack(const compat_stack_t __user *uss); - int __compat_save_altstack(compat_stack_t __user *, unsigned long); -+#define compat_save_altstack_ex(uss, sp) do { \ -+ compat_stack_t __user *__uss = uss; \ -+ struct task_struct *t = current; \ -+ put_user_ex(ptr_to_compat((void __user *)t->sas_ss_sp), &__uss->ss_sp); \ -+ put_user_ex(sas_ss_flags(sp), &__uss->ss_flags); \ -+ put_user_ex(t->sas_ss_size, &__uss->ss_size); \ -+} while (0); - - asmlinkage long compat_sys_sched_rr_get_interval(compat_pid_t pid, - struct compat_timespec __user *interval); -diff --git a/include/linux/hid.h b/include/linux/hid.h -index 0c48991..ff545cc 100644 ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -393,10 +393,12 @@ struct hid_report { - struct hid_device *device; /* associated device */ - }; - -+#define HID_MAX_IDS 256 -+ - struct hid_report_enum { - unsigned numbered; - struct list_head report_list; -- struct hid_report *report_id_hash[256]; -+ struct hid_report *report_id_hash[HID_MAX_IDS]; - }; - - #define HID_REPORT_TYPES 3 -diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h -index 3bed2e8..d1fe5d0 100644 ---- a/include/linux/pci_ids.h -+++ b/include/linux/pci_ids.h -@@ -518,6 +518,8 @@ - #define PCI_DEVICE_ID_AMD_11H_NB_MISC 0x1303 - #define PCI_DEVICE_ID_AMD_11H_NB_LINK 0x1304 - #define PCI_DEVICE_ID_AMD_15H_M10H_F3 0x1403 -+#define PCI_DEVICE_ID_AMD_15H_M30H_NB_F3 0x141d -+#define PCI_DEVICE_ID_AMD_15H_M30H_NB_F4 0x141e - #define PCI_DEVICE_ID_AMD_15H_NB_F0 0x1600 - #define PCI_DEVICE_ID_AMD_15H_NB_F1 0x1601 - #define PCI_DEVICE_ID_AMD_15H_NB_F2 0x1602 -diff --git a/include/linux/rculist.h b/include/linux/rculist.h -index f4b1001..4106721 100644 ---- a/include/linux/rculist.h -+++ b/include/linux/rculist.h -@@ -267,8 +267,9 @@ static inline void list_splice_init_rcu(struct list_head *list, - */ - #define list_first_or_null_rcu(ptr, type, member) \ - ({struct list_head *__ptr = (ptr); \ -- struct list_head __rcu *__next = list_next_rcu(__ptr); \ -- likely(__ptr != __next) ? container_of(__next, type, member) : NULL; \ -+ struct list_head *__next = ACCESS_ONCE(__ptr->next); \ -+ likely(__ptr != __next) ? \ -+ list_entry_rcu(__next, type, member) : NULL; \ - }) - - /** -diff --git a/include/linux/signal.h b/include/linux/signal.h -index d897484..2ac423b 100644 ---- a/include/linux/signal.h -+++ b/include/linux/signal.h -@@ -434,6 +434,14 @@ void signals_init(void); - int restore_altstack(const stack_t __user *); - int __save_altstack(stack_t __user *, unsigned long); - -+#define save_altstack_ex(uss, sp) do { \ -+ stack_t __user *__uss = uss; \ -+ struct task_struct *t = current; \ -+ put_user_ex((void __user *)t->sas_ss_sp, &__uss->ss_sp); \ -+ put_user_ex(sas_ss_flags(sp), &__uss->ss_flags); \ -+ put_user_ex(t->sas_ss_size, &__uss->ss_size); \ -+} while (0); -+ - #ifdef CONFIG_PROC_FS - struct seq_file; - extern void render_sigset_t(struct seq_file *, const char *, sigset_t *); -diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h -index 1e88377..3e541e6 100644 ---- a/include/linux/usb/hcd.h -+++ b/include/linux/usb/hcd.h -@@ -411,7 +411,7 @@ extern int usb_hcd_pci_probe(struct pci_dev *dev, - extern void usb_hcd_pci_remove(struct pci_dev *dev); - extern void usb_hcd_pci_shutdown(struct pci_dev *dev); - --#ifdef CONFIG_PM_SLEEP -+#ifdef CONFIG_PM - extern const struct dev_pm_ops usb_hcd_pci_pm_ops; - #endif - #endif /* CONFIG_PCI */ -diff --git a/ipc/msg.c b/ipc/msg.c -index 9f29d9e..b65fdf1 100644 ---- a/ipc/msg.c -+++ b/ipc/msg.c -@@ -680,16 +680,18 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext, - goto out_unlock1; - } - -+ ipc_lock_object(&msq->q_perm); -+ - for (;;) { - struct msg_sender s; - - err = -EACCES; - if (ipcperms(ns, &msq->q_perm, S_IWUGO)) -- goto out_unlock1; -+ goto out_unlock0; - - err = security_msg_queue_msgsnd(msq, msg, msgflg); - if (err) -- goto out_unlock1; -+ goto out_unlock0; - - if (msgsz + msq->q_cbytes <= msq->q_qbytes && - 1 + msq->q_qnum <= msq->q_qbytes) { -@@ -699,10 +701,9 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext, - /* queue full, wait: */ - if (msgflg & IPC_NOWAIT) { - err = -EAGAIN; -- goto out_unlock1; -+ goto out_unlock0; - } - -- ipc_lock_object(&msq->q_perm); - ss_add(msq, &s); - - if (!ipc_rcu_getref(msq)) { -@@ -730,10 +731,7 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext, - goto out_unlock0; - } - -- ipc_unlock_object(&msq->q_perm); - } -- -- ipc_lock_object(&msq->q_perm); - msq->q_lspid = task_tgid_vnr(current); - msq->q_stime = get_seconds(); - -diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c -index f356974..ad8e1bd 100644 ---- a/kernel/events/uprobes.c -+++ b/kernel/events/uprobes.c -@@ -1682,12 +1682,10 @@ static bool handle_trampoline(struct pt_regs *regs) - tmp = ri; - ri = ri->next; - kfree(tmp); -+ utask->depth--; - - if (!chained) - break; -- -- utask->depth--; -- - BUG_ON(!ri); - } - -diff --git a/kernel/fork.c b/kernel/fork.c -index bf46287..200a7a2 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -1173,10 +1173,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, - return ERR_PTR(-EINVAL); - - /* -- * If the new process will be in a different pid namespace -- * don't allow the creation of threads. -+ * If the new process will be in a different pid namespace don't -+ * allow it to share a thread group or signal handlers with the -+ * forking task. - */ -- if ((clone_flags & (CLONE_VM|CLONE_NEWPID)) && -+ if ((clone_flags & (CLONE_SIGHAND | CLONE_NEWPID)) && - (task_active_pid_ns(current) != - current->nsproxy->pid_ns_for_children)) - return ERR_PTR(-EINVAL); -diff --git a/kernel/pid.c b/kernel/pid.c -index 66505c1..ebe5e80 100644 ---- a/kernel/pid.c -+++ b/kernel/pid.c -@@ -265,6 +265,7 @@ void free_pid(struct pid *pid) - struct pid_namespace *ns = upid->ns; - hlist_del_rcu(&upid->pid_chain); - switch(--ns->nr_hashed) { -+ case 2: - case 1: - /* When all that is left in the pid namespace - * is the reaper wake up the reaper. The reaper -diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index a92012a..f2820fb 100644 ---- a/mm/huge_memory.c -+++ b/mm/huge_memory.c -@@ -2296,6 +2296,8 @@ static void collapse_huge_page(struct mm_struct *mm, - goto out; - - vma = find_vma(mm, address); -+ if (!vma) -+ goto out; - hstart = (vma->vm_start + ~HPAGE_PMD_MASK) & HPAGE_PMD_MASK; - hend = vma->vm_end & HPAGE_PMD_MASK; - if (address < hstart || address + HPAGE_PMD_SIZE > hend) -diff --git a/mm/memcontrol.c b/mm/memcontrol.c -index 0878ff7..aa44621 100644 ---- a/mm/memcontrol.c -+++ b/mm/memcontrol.c -@@ -5616,7 +5616,13 @@ static int compare_thresholds(const void *a, const void *b) - const struct mem_cgroup_threshold *_a = a; - const struct mem_cgroup_threshold *_b = b; - -- return _a->threshold - _b->threshold; -+ if (_a->threshold > _b->threshold) -+ return 1; -+ -+ if (_a->threshold < _b->threshold) -+ return -1; -+ -+ return 0; - } - - static int mem_cgroup_oom_notify_cb(struct mem_cgroup *memcg) -diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c -index dd47889..dbc0a73 100644 ---- a/net/ceph/osd_client.c -+++ b/net/ceph/osd_client.c -@@ -2129,6 +2129,8 @@ int ceph_osdc_start_request(struct ceph_osd_client *osdc, - dout("osdc_start_request failed map, " - " will retry %lld\n", req->r_tid); - rc = 0; -+ } else { -+ __unregister_request(osdc, req); - } - goto out_unlock; - } -diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c -index 603ddd9..dbd9a47 100644 ---- a/net/ceph/osdmap.c -+++ b/net/ceph/osdmap.c -@@ -1129,7 +1129,7 @@ static int *calc_pg_raw(struct ceph_osdmap *osdmap, struct ceph_pg pgid, - - /* pg_temp? */ - pgid.seed = ceph_stable_mod(pgid.seed, pool->pg_num, -- pool->pgp_num_mask); -+ pool->pg_num_mask); - pg = __lookup_pg_mapping(&osdmap->pg_temp, pgid); - if (pg) { - *num = pg->len; -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c -index cc9e02d..7a98d52 100644 ---- a/net/mac80211/mlme.c -+++ b/net/mac80211/mlme.c -@@ -2851,14 +2851,6 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata, - ieee80211_rx_bss_put(local, bss); - sdata->vif.bss_conf.beacon_rate = bss->beacon_rate; - } -- -- if (!sdata->u.mgd.associated || -- !ether_addr_equal(mgmt->bssid, sdata->u.mgd.associated->bssid)) -- return; -- -- ieee80211_sta_process_chanswitch(sdata, rx_status->mactime, -- elems, true); -- - } - - -@@ -3147,6 +3139,9 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata, - - ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems); - -+ ieee80211_sta_process_chanswitch(sdata, rx_status->mactime, -+ &elems, true); -+ - if (ieee80211_sta_wmm_params(local, sdata, elems.wmm_param, - elems.wmm_param_len)) - changed |= BSS_CHANGED_QOS; -diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c -index 8860dd5..9552da2 100644 ---- a/sound/pci/hda/hda_intel.c -+++ b/sound/pci/hda/hda_intel.c -@@ -3376,6 +3376,7 @@ static struct snd_pci_quirk msi_black_list[] = { - SND_PCI_QUIRK(0x1043, 0x81f2, "ASUS", 0), /* Athlon64 X2 + nvidia */ - SND_PCI_QUIRK(0x1043, 0x81f6, "ASUS", 0), /* nvidia */ - SND_PCI_QUIRK(0x1043, 0x822d, "ASUS", 0), /* Athlon64 X2 + nvidia MCP55 */ -+ SND_PCI_QUIRK(0x1179, 0xfb44, "Toshiba Satellite C870", 0), /* AMD Hudson */ - SND_PCI_QUIRK(0x1849, 0x0888, "ASRock", 0), /* Athlon64 X2 + nvidia */ - SND_PCI_QUIRK(0xa0a0, 0x0575, "Aopen MZ915-M", 0), /* ICH6 */ - {} -diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c -index 9f35862..45850f6 100644 ---- a/sound/pci/hda/patch_hdmi.c -+++ b/sound/pci/hda/patch_hdmi.c -@@ -67,6 +67,8 @@ struct hdmi_spec_per_pin { - struct delayed_work work; - struct snd_kcontrol *eld_ctl; - int repoll_count; -+ bool setup; /* the stream has been set up by prepare callback */ -+ int channels; /* current number of channels */ - bool non_pcm; - bool chmap_set; /* channel-map override by ALSA API? */ - unsigned char chmap[8]; /* ALSA API channel-map */ -@@ -551,6 +553,17 @@ static int hdmi_channel_allocation(struct hdmi_eld *eld, int channels) - } - } - -+ if (!ca) { -+ /* if there was no match, select the regular ALSA channel -+ * allocation with the matching number of channels */ -+ for (i = 0; i < ARRAY_SIZE(channel_allocations); i++) { -+ if (channels == channel_allocations[i].channels) { -+ ca = channel_allocations[i].ca_index; -+ break; -+ } -+ } -+ } -+ - snd_print_channel_allocation(eld->info.spk_alloc, buf, sizeof(buf)); - snd_printdd("HDMI: select CA 0x%x for %d-channel allocation: %s\n", - ca, channels, buf); -@@ -868,18 +881,19 @@ static bool hdmi_infoframe_uptodate(struct hda_codec *codec, hda_nid_t pin_nid, - return true; - } - --static void hdmi_setup_audio_infoframe(struct hda_codec *codec, int pin_idx, -- bool non_pcm, -- struct snd_pcm_substream *substream) -+static void hdmi_setup_audio_infoframe(struct hda_codec *codec, -+ struct hdmi_spec_per_pin *per_pin, -+ bool non_pcm) - { -- struct hdmi_spec *spec = codec->spec; -- struct hdmi_spec_per_pin *per_pin = get_pin(spec, pin_idx); - hda_nid_t pin_nid = per_pin->pin_nid; -- int channels = substream->runtime->channels; -+ int channels = per_pin->channels; - struct hdmi_eld *eld; - int ca; - union audio_infoframe ai; - -+ if (!channels) -+ return; -+ - eld = &per_pin->sink_eld; - if (!eld->monitor_present) - return; -@@ -1329,6 +1343,7 @@ static void hdmi_present_sense(struct hdmi_spec_per_pin *per_pin, int repoll) - eld_changed = true; - } - if (update_eld) { -+ bool old_eld_valid = pin_eld->eld_valid; - pin_eld->eld_valid = eld->eld_valid; - eld_changed = pin_eld->eld_size != eld->eld_size || - memcmp(pin_eld->eld_buffer, eld->eld_buffer, -@@ -1338,6 +1353,18 @@ static void hdmi_present_sense(struct hdmi_spec_per_pin *per_pin, int repoll) - eld->eld_size); - pin_eld->eld_size = eld->eld_size; - pin_eld->info = eld->info; -+ -+ /* Haswell-specific workaround: re-setup when the transcoder is -+ * changed during the stream playback -+ */ -+ if (codec->vendor_id == 0x80862807 && -+ eld->eld_valid && !old_eld_valid && per_pin->setup) { -+ snd_hda_codec_write(codec, pin_nid, 0, -+ AC_VERB_SET_AMP_GAIN_MUTE, -+ AMP_OUT_UNMUTE); -+ hdmi_setup_audio_infoframe(codec, per_pin, -+ per_pin->non_pcm); -+ } - } - mutex_unlock(&pin_eld->lock); - -@@ -1510,14 +1537,17 @@ static int generic_hdmi_playback_pcm_prepare(struct hda_pcm_stream *hinfo, - hda_nid_t cvt_nid = hinfo->nid; - struct hdmi_spec *spec = codec->spec; - int pin_idx = hinfo_to_pin_index(spec, hinfo); -- hda_nid_t pin_nid = get_pin(spec, pin_idx)->pin_nid; -+ struct hdmi_spec_per_pin *per_pin = get_pin(spec, pin_idx); -+ hda_nid_t pin_nid = per_pin->pin_nid; - bool non_pcm; - - non_pcm = check_non_pcm_per_cvt(codec, cvt_nid); -+ per_pin->channels = substream->runtime->channels; -+ per_pin->setup = true; - - hdmi_set_channel_count(codec, cvt_nid, substream->runtime->channels); - -- hdmi_setup_audio_infoframe(codec, pin_idx, non_pcm, substream); -+ hdmi_setup_audio_infoframe(codec, per_pin, non_pcm); - - return hdmi_setup_stream(codec, cvt_nid, pin_nid, stream_tag, format); - } -@@ -1557,6 +1587,9 @@ static int hdmi_pcm_close(struct hda_pcm_stream *hinfo, - snd_hda_spdif_ctls_unassign(codec, pin_idx); - per_pin->chmap_set = false; - memset(per_pin->chmap, 0, sizeof(per_pin->chmap)); -+ -+ per_pin->setup = false; -+ per_pin->channels = 0; - } - - return 0; -@@ -1692,8 +1725,7 @@ static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol, - per_pin->chmap_set = true; - memcpy(per_pin->chmap, chmap, sizeof(chmap)); - if (prepared) -- hdmi_setup_audio_infoframe(codec, pin_idx, per_pin->non_pcm, -- substream); -+ hdmi_setup_audio_infoframe(codec, per_pin, per_pin->non_pcm); - - return 0; - } -diff --git a/sound/soc/codecs/mc13783.c b/sound/soc/codecs/mc13783.c -index 5402dfb..8a8d936 100644 ---- a/sound/soc/codecs/mc13783.c -+++ b/sound/soc/codecs/mc13783.c -@@ -126,6 +126,10 @@ static int mc13783_write(struct snd_soc_codec *codec, - - ret = mc13xxx_reg_write(priv->mc13xxx, reg, value); - -+ /* include errata fix for spi audio problems */ -+ if (reg == MC13783_AUDIO_CODEC || reg == MC13783_AUDIO_DAC) -+ ret = mc13xxx_reg_write(priv->mc13xxx, reg, value); -+ - mc13xxx_unlock(priv->mc13xxx); - - return ret; -diff --git a/sound/soc/codecs/wm8960.c b/sound/soc/codecs/wm8960.c -index 0a4ffdd..5e5af89 100644 ---- a/sound/soc/codecs/wm8960.c -+++ b/sound/soc/codecs/wm8960.c -@@ -857,9 +857,9 @@ static int wm8960_set_dai_pll(struct snd_soc_dai *codec_dai, int pll_id, - if (pll_div.k) { - reg |= 0x20; - -- snd_soc_write(codec, WM8960_PLL2, (pll_div.k >> 18) & 0x3f); -- snd_soc_write(codec, WM8960_PLL3, (pll_div.k >> 9) & 0x1ff); -- snd_soc_write(codec, WM8960_PLL4, pll_div.k & 0x1ff); -+ snd_soc_write(codec, WM8960_PLL2, (pll_div.k >> 16) & 0xff); -+ snd_soc_write(codec, WM8960_PLL3, (pll_div.k >> 8) & 0xff); -+ snd_soc_write(codec, WM8960_PLL4, pll_div.k & 0xff); - } - snd_soc_write(codec, WM8960_PLL1, reg); - diff --git a/3.11.2/0000_README b/3.11.3/0000_README index b666b59..b7b1adc 100644 --- a/3.11.2/0000_README +++ b/3.11.3/0000_README @@ -2,11 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1001_linux-3.11.2.patch -From: http://www.kernel.org -Desc: Linux 3.11.2 - -Patch: 4420_grsecurity-2.9.1-3.11.2-201309281103.patch +Patch: 4420_grsecurity-2.9.1-3.11.3-201310012249.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.11.2/4420_grsecurity-2.9.1-3.11.2-201309281103.patch b/3.11.3/4420_grsecurity-2.9.1-3.11.3-201310012249.patch index 3abf324..bfc60cf 100644 --- a/3.11.2/4420_grsecurity-2.9.1-3.11.2-201309281103.patch +++ b/3.11.3/4420_grsecurity-2.9.1-3.11.3-201310012249.patch @@ -281,7 +281,7 @@ index 7f9d4f5..6d1afd6 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index aede319..6bf55a4 100644 +index 4f91b99..cb9dcfc 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -9442,6 +9442,24 @@ index d432fb2..6056af1 100644 extra-y := head_$(BITS).o +diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c +index 62d6b15..9231031 100644 +--- a/arch/sparc/kernel/ds.c ++++ b/arch/sparc/kernel/ds.c +@@ -849,10 +849,9 @@ void ldom_reboot(const char *boot_command) + if (boot_command && strlen(boot_command)) { + unsigned long len; + +- strcpy(full_boot_str, "boot "); +- strlcpy(full_boot_str + strlen("boot "), boot_command, +- sizeof(full_boot_str + strlen("boot "))); +- len = strlen(full_boot_str); ++ len = snprintf(full_boot_str, sizeof(full_boot_str), "boot %s", boot_command); ++ if (len >= sizeof(full_boot_str)) ++ len = sizeof(full_boot_str) - 1; + + if (reboot_data_supported) { + unsigned long ra = kimage_addr_to_ra(full_boot_str); diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c index fdd819d..5af08c8 100644 --- a/arch/sparc/kernel/process_32.c @@ -38340,7 +38358,7 @@ index f466980..8f2883f 100644 return can_switch; } diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h -index 1929bff..dab130d 100644 +index 2f09e80..077876d 100644 --- a/drivers/gpu/drm/i915/i915_drv.h +++ b/drivers/gpu/drm/i915/i915_drv.h @@ -1028,7 +1028,7 @@ typedef struct drm_i915_private { @@ -38404,10 +38422,10 @@ index 3c59584..500f2e9 100644 return ret; diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c -index 3d92a7c..9a9cfd7 100644 +index 46d46ba..6e49848 100644 --- a/drivers/gpu/drm/i915/i915_irq.c +++ b/drivers/gpu/drm/i915/i915_irq.c -@@ -970,7 +970,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg) +@@ -975,7 +975,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg) int pipe; u32 pipe_stats[I915_MAX_PIPES]; @@ -38416,7 +38434,7 @@ index 3d92a7c..9a9cfd7 100644 while (true) { iir = I915_READ(VLV_IIR); -@@ -1187,7 +1187,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg) +@@ -1192,7 +1192,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg) irqreturn_t ret = IRQ_NONE; int i; @@ -38425,7 +38443,7 @@ index 3d92a7c..9a9cfd7 100644 /* We get interrupts on unclaimed registers, so check for this before we * do any I915_{READ,WRITE}. */ -@@ -1307,7 +1307,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg) +@@ -1312,7 +1312,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg) int ret = IRQ_NONE; u32 de_iir, gt_iir, de_ier, pm_iir, sde_ier; @@ -38434,7 +38452,7 @@ index 3d92a7c..9a9cfd7 100644 /* disable master interrupt before clearing iir */ de_ier = I915_READ(DEIER); -@@ -2566,7 +2566,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) +@@ -2617,7 +2617,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) { drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; @@ -38443,7 +38461,7 @@ index 3d92a7c..9a9cfd7 100644 I915_WRITE(HWSTAM, 0xeffe); -@@ -2588,7 +2588,7 @@ static void ivybridge_irq_preinstall(struct drm_device *dev) +@@ -2639,7 +2639,7 @@ static void ivybridge_irq_preinstall(struct drm_device *dev) { drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; @@ -38452,7 +38470,7 @@ index 3d92a7c..9a9cfd7 100644 I915_WRITE(HWSTAM, 0xeffe); -@@ -2616,7 +2616,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev) +@@ -2667,7 +2667,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -38461,7 +38479,7 @@ index 3d92a7c..9a9cfd7 100644 /* VLV magic */ I915_WRITE(VLV_IMR, 0); -@@ -2928,7 +2928,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev) +@@ -2979,7 +2979,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -38470,7 +38488,7 @@ index 3d92a7c..9a9cfd7 100644 for_each_pipe(pipe) I915_WRITE(PIPESTAT(pipe), 0); -@@ -3007,7 +3007,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg) +@@ -3058,7 +3058,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg) I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT | I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; @@ -38479,7 +38497,7 @@ index 3d92a7c..9a9cfd7 100644 iir = I915_READ16(IIR); if (iir == 0) -@@ -3082,7 +3082,7 @@ static void i915_irq_preinstall(struct drm_device * dev) +@@ -3133,7 +3133,7 @@ static void i915_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -38488,7 +38506,7 @@ index 3d92a7c..9a9cfd7 100644 if (I915_HAS_HOTPLUG(dev)) { I915_WRITE(PORT_HOTPLUG_EN, 0); -@@ -3181,7 +3181,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg) +@@ -3232,7 +3232,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg) I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; int pipe, ret = IRQ_NONE; @@ -38497,7 +38515,7 @@ index 3d92a7c..9a9cfd7 100644 iir = I915_READ(IIR); do { -@@ -3305,7 +3305,7 @@ static void i965_irq_preinstall(struct drm_device * dev) +@@ -3356,7 +3356,7 @@ static void i965_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -38506,7 +38524,7 @@ index 3d92a7c..9a9cfd7 100644 I915_WRITE(PORT_HOTPLUG_EN, 0); I915_WRITE(PORT_HOTPLUG_STAT, I915_READ(PORT_HOTPLUG_STAT)); -@@ -3414,7 +3414,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg) +@@ -3465,7 +3465,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg) I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT | I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; @@ -38516,10 +38534,10 @@ index 3d92a7c..9a9cfd7 100644 iir = I915_READ(IIR); diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index ca40d1b..6baacfd 100644 +index bedf15a..d02d1e6 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c -@@ -9431,13 +9431,13 @@ struct intel_quirk { +@@ -9424,13 +9424,13 @@ struct intel_quirk { int subsystem_vendor; int subsystem_device; void (*hook)(struct drm_device *dev); @@ -38535,7 +38553,7 @@ index ca40d1b..6baacfd 100644 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) { -@@ -9445,18 +9445,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) +@@ -9438,18 +9438,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) return 1; } @@ -39392,67 +39410,10 @@ index 5360e5a..c2c0d26 100644 err = drm_debugfs_create_files(dc->debugfs_files, ARRAY_SIZE(debugfs_files), diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 5956445..1d30d7e 100644 +index ee75486..65621fd 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c -@@ -759,6 +759,56 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size) - } - EXPORT_SYMBOL_GPL(hid_parse_report); - -+static const char * const hid_report_names[] = { -+ "HID_INPUT_REPORT", -+ "HID_OUTPUT_REPORT", -+ "HID_FEATURE_REPORT", -+}; -+/** -+ * hid_validate_report - validate existing device report -+ * -+ * @device: hid device -+ * @type: which report type to examine -+ * @id: which report ID to examine (0 for first) -+ * @fields: expected number of fields -+ * @report_counts: expected number of values per field -+ * -+ * Validate the report details after parsing. -+ */ -+struct hid_report *hid_validate_report(struct hid_device *hid, -+ unsigned int type, unsigned int id, -+ unsigned int fields, -+ unsigned int report_counts) -+{ -+ struct hid_report *report; -+ unsigned int i; -+ -+ if (type > HID_FEATURE_REPORT) { -+ hid_err(hid, "invalid HID report %u\n", type); -+ return NULL; -+ } -+ -+ report = hid->report_enum[type].report_id_hash[id]; -+ if (!report) { -+ hid_err(hid, "missing %s %u\n", hid_report_names[type], id); -+ return NULL; -+ } -+ if (report->maxfield < fields) { -+ hid_err(hid, "not enough fields in %s %u\n", -+ hid_report_names[type], id); -+ return NULL; -+ } -+ for (i = 0; i < fields; i++) { -+ if (report->field[i]->report_count < report_counts) { -+ hid_err(hid, "not enough values in %s %u fields\n", -+ hid_report_names[type], id); -+ return NULL; -+ } -+ } -+ return report; -+} -+EXPORT_SYMBOL_GPL(hid_validate_report); -+ - /** - * hid_open_report - open a driver-specific device report - * -@@ -2295,7 +2345,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); +@@ -2351,7 +2351,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); int hid_add_device(struct hid_device *hdev) { @@ -39461,7 +39422,7 @@ index 5956445..1d30d7e 100644 int ret; if (WARN_ON(hdev->status & HID_STAT_ADDED)) -@@ -2329,7 +2379,7 @@ int hid_add_device(struct hid_device *hdev) +@@ -2385,7 +2385,7 @@ int hid_add_device(struct hid_device *hdev) /* XXX hack, any other cleaner solution after the driver core * is converted to allow more than 20 bytes as the device name? */ dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus, @@ -39470,287 +39431,6 @@ index 5956445..1d30d7e 100644 hid_debug_register(hdev, dev_name(&hdev->dev)); ret = device_add(&hdev->dev); -diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c -index 07837f5..b697ada 100644 ---- a/drivers/hid/hid-lenovo-tpkbd.c -+++ b/drivers/hid/hid-lenovo-tpkbd.c -@@ -341,6 +341,11 @@ static int tpkbd_probe_tp(struct hid_device *hdev) - char *name_mute, *name_micmute; - int ret; - -+ /* Validate required reports. */ -+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 4, 4, 1) || -+ !hid_validate_report(hdev, HID_OUTPUT_REPORT, 3, 1, 2)) -+ return -ENODEV; -+ - if (sysfs_create_group(&hdev->dev.kobj, - &tpkbd_attr_group_pointer)) { - hid_warn(hdev, "Could not create sysfs group\n"); -diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c -index b3cd150..9805197 100644 ---- a/drivers/hid/hid-lg2ff.c -+++ b/drivers/hid/hid-lg2ff.c -@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid) - struct hid_report *report; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); -- struct list_head *report_list = -- &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; - int error; - -- if (list_empty(report_list)) { -- hid_err(hid, "no output report found\n"); -+ /* Check that the report looks ok */ -+ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7); -+ if (!report) - return -ENODEV; -- } -- -- report = list_entry(report_list->next, struct hid_report, list); -- -- if (report->maxfield < 1) { -- hid_err(hid, "output report is empty\n"); -- return -ENODEV; -- } -- if (report->field[0]->report_count < 7) { -- hid_err(hid, "not enough values in the field\n"); -- return -ENODEV; -- } - - lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL); - if (!lg2ff) -diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c -index e52f181..53ac79b 100644 ---- a/drivers/hid/hid-lg3ff.c -+++ b/drivers/hid/hid-lg3ff.c -@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data, - int x, y; - - /* -- * Maxusage should always be 63 (maximum fields) -- * likely a better way to ensure this data is clean -+ * Available values in the field should always be 63, but we only use up to -+ * 35. Instead, clear the entire area, however big it is. - */ -- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage); -+ memset(report->field[0]->value, 0, -+ sizeof(__s32) * report->field[0]->report_count); - - switch (effect->type) { - case FF_CONSTANT: -@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = { - int lg3ff_init(struct hid_device *hid) - { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- struct hid_report *report; -- struct hid_field *field; - const signed short *ff_bits = ff3_joystick_ac; - int error; - int i; - -- /* Find the report to use */ -- if (list_empty(report_list)) { -- hid_err(hid, "No output report found\n"); -- return -1; -- } -- - /* Check that the report looks ok */ -- report = list_entry(report_list->next, struct hid_report, list); -- if (!report) { -- hid_err(hid, "NULL output report\n"); -- return -1; -- } -- -- field = report->field[0]; -- if (!field) { -- hid_err(hid, "NULL field\n"); -- return -1; -- } -+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 35)) -+ return -ENODEV; - - /* Assume single fixed device G940 */ - for (i = 0; ff_bits[i] >= 0; i++) -diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c -index 0ddae2a..8b89f0f 100644 ---- a/drivers/hid/hid-lg4ff.c -+++ b/drivers/hid/hid-lg4ff.c -@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde - int lg4ff_init(struct hid_device *hid) - { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- struct hid_report *report; -- struct hid_field *field; - struct lg4ff_device_entry *entry; - struct lg_drv_data *drv_data; - struct usb_device_descriptor *udesc; - int error, i, j; - __u16 bcdDevice, rev_maj, rev_min; - -- /* Find the report to use */ -- if (list_empty(report_list)) { -- hid_err(hid, "No output report found\n"); -- return -1; -- } -- - /* Check that the report looks ok */ -- report = list_entry(report_list->next, struct hid_report, list); -- if (!report) { -- hid_err(hid, "NULL output report\n"); -+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7)) - return -1; -- } -- -- field = report->field[0]; -- if (!field) { -- hid_err(hid, "NULL field\n"); -- return -1; -- } - - /* Check what wheel has been connected */ - for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) { -diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c -index d7ea8c8..a84fb40 100644 ---- a/drivers/hid/hid-lgff.c -+++ b/drivers/hid/hid-lgff.c -@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude) - int lgff_init(struct hid_device* hid) - { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- struct hid_report *report; -- struct hid_field *field; - const signed short *ff_bits = ff_joystick; - int error; - int i; - -- /* Find the report to use */ -- if (list_empty(report_list)) { -- hid_err(hid, "No output report found\n"); -- return -1; -- } -- - /* Check that the report looks ok */ -- report = list_entry(report_list->next, struct hid_report, list); -- field = report->field[0]; -- if (!field) { -- hid_err(hid, "NULL field\n"); -- return -1; -- } -+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7)) -+ return -ENODEV; - - for (i = 0; i < ARRAY_SIZE(devices); i++) { - if (dev->id.vendor == devices[i].idVendor && -diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c -index cd33084..7b99c2a 100644 ---- a/drivers/hid/hid-logitech-dj.c -+++ b/drivers/hid/hid-logitech-dj.c -@@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, - struct hid_report *report; - struct hid_report_enum *output_report_enum; - u8 *data = (u8 *)(&dj_report->device_index); -- int i; -+ unsigned int i, length; - - output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; - report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT]; -@@ -471,7 +471,9 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, - return -ENODEV; - } - -- for (i = 0; i < report->field[0]->report_count; i++) -+ length = min_t(size_t, sizeof(*dj_report) - 1, -+ report->field[0]->report_count); -+ for (i = 0; i < length; i++) - report->field[0]->value[i] = data[i]; - - hid_hw_request(hdev, report, HID_REQ_SET_REPORT); -@@ -783,6 +785,12 @@ static int logi_dj_probe(struct hid_device *hdev, - goto hid_parse_fail; - } - -+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT, -+ 1, 3)) { -+ retval = -ENODEV; -+ goto hid_parse_fail; -+ } -+ - /* Starts the usb device and connects to upper interfaces hiddev and - * hidraw */ - retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT); -diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c -index cb0e361..2aa275e 100644 ---- a/drivers/hid/hid-multitouch.c -+++ b/drivers/hid/hid-multitouch.c -@@ -330,9 +330,18 @@ static void mt_feature_mapping(struct hid_device *hdev, - break; - } - } -+ /* Ignore if value index is out of bounds. */ -+ if (td->inputmode_index < 0 || -+ td->inputmode_index >= field->report_count) { -+ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n"); -+ td->inputmode = -1; -+ } - - break; - case HID_DG_CONTACTMAX: -+ /* Ignore if value count is out of bounds. */ -+ if (field->report_count < 1) -+ break; - td->maxcontact_report_id = field->report->id; - td->maxcontacts = field->value[0]; - if (!td->maxcontacts && -@@ -743,15 +752,21 @@ static void mt_touch_report(struct hid_device *hid, struct hid_report *report) - unsigned count; - int r, n; - -+ if (report->maxfield == 0) -+ return; -+ - /* - * Includes multi-packet support where subsequent - * packets are sent with zero contactcount. - */ -- if (td->cc_index >= 0) { -- struct hid_field *field = report->field[td->cc_index]; -- int value = field->value[td->cc_value_index]; -- if (value) -- td->num_expected = value; -+ if (td->cc_index >= 0 && td->cc_index < report->maxfield) { -+ field = report->field[td->cc_index]; -+ if (td->cc_value_index >= 0 && -+ td->cc_value_index < field->report_count) { -+ int value = field->value[td->cc_value_index]; -+ if (value) -+ td->num_expected = value; -+ } - } - - for (r = 0; r < report->maxfield; r++) { -diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c -index d164911..ef42e86 100644 ---- a/drivers/hid/hid-steelseries.c -+++ b/drivers/hid/hid-steelseries.c -@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev, - goto err_free; - } - -+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 0, 1, 16)) { -+ ret = -ENODEV; -+ goto err_free; -+ } -+ - ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT); - if (ret) { - hid_err(hdev, "hw start failed\n"); diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c index c13fb5b..55a3802 100644 --- a/drivers/hid/hid-wiimote-debug.c @@ -39764,35 +39444,6 @@ index c13fb5b..55a3802 100644 return -EFAULT; *off += size; -diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c -index 6ec28a3..b124991 100644 ---- a/drivers/hid/hid-zpff.c -+++ b/drivers/hid/hid-zpff.c -@@ -68,22 +68,12 @@ static int zpff_init(struct hid_device *hid) - struct hid_report *report; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); -- struct list_head *report_list = -- &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; - int error; - -- if (list_empty(report_list)) { -- hid_err(hid, "no output report found\n"); -+ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 4, 1); -+ if (!report) - return -ENODEV; -- } -- -- report = list_entry(report_list->next, struct hid_report, list); -- -- if (report->maxfield < 4) { -- hid_err(hid, "not enough fields in report\n"); -- return -ENODEV; -- } - - zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL); - if (!zpff) diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c index fc307e0..2b255e8 100644 --- a/drivers/hid/uhid.c @@ -74461,21 +74112,6 @@ index 0000000..e7ffaaf + const int protocol); + +#endif -diff --git a/include/linux/hid.h b/include/linux/hid.h -index ff545cc..76e41d8 100644 ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -749,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data); - struct hid_device *hid_allocate_device(void); - struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id); - int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size); -+struct hid_report *hid_validate_report(struct hid_device *hid, -+ unsigned int type, unsigned int id, -+ unsigned int fields, -+ unsigned int report_counts); - int hid_open_report(struct hid_device *device); - int hid_check_keys_pressed(struct hid_device *hid); - int hid_connect(struct hid_device *hid, unsigned int connect_mask); diff --git a/include/linux/highmem.h b/include/linux/highmem.h index 7fb31da..08b5114 100644 --- a/include/linux/highmem.h @@ -79462,7 +79098,7 @@ index 8d6e145..33e0b1e 100644 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim; set_fs(fs); diff --git a/kernel/audit.c b/kernel/audit.c -index 91e53d0..d9e3ec4 100644 +index 7b0e23a..861041e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -118,7 +118,7 @@ u32 audit_sig_sid = 0; @@ -83576,7 +83212,7 @@ index 05c39f0..442e6fe 100644 #else static void register_sched_domain_sysctl(void) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c -index 68f1609..2a9fe8a 100644 +index 31cbc15..ba68c15 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -869,7 +869,7 @@ void task_numa_fault(int node, int pages, bool migrated) @@ -84331,7 +83967,7 @@ index eec50fc..65e5df6 100644 .clock_get = alarm_clock_get, .timer_create = alarm_timer_create, diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c -index 48b9fff..9e07e5f 100644 +index 947ba25..20cbade 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -15,6 +15,7 @@ @@ -90259,18 +89895,10 @@ index 308d503..3dbbd04 100644 } } diff --git a/mm/swap.c b/mm/swap.c -index 62b78a6..0bcf28f 100644 +index c899502..d4dc2cd 100644 --- a/mm/swap.c +++ b/mm/swap.c -@@ -31,6 +31,7 @@ - #include <linux/memcontrol.h> - #include <linux/gfp.h> - #include <linux/uio.h> -+#include <linux/hugetlb.h> - - #include "internal.h" - -@@ -76,6 +77,8 @@ static void __put_compound_page(struct page *page) +@@ -77,6 +77,8 @@ static void __put_compound_page(struct page *page) __page_cache_release(page); dtor = get_compound_page_dtor(page); @@ -93157,7 +92785,7 @@ index 7cfc8d2..c5394b6 100644 table = kmemdup(ipv6_icmp_table_template, sizeof(ipv6_icmp_table_template), diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index 90747f1..505320d 100644 +index 90747f1..76fbb5d 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -74,7 +74,7 @@ struct ip6gre_net { @@ -93169,6 +92797,24 @@ index 90747f1..505320d 100644 static int ip6gre_tunnel_init(struct net_device *dev); static void ip6gre_tunnel_setup(struct net_device *dev); static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t); +@@ -620,7 +620,7 @@ static netdev_tx_t ip6gre_xmit2(struct sk_buff *skb, + struct ip6_tnl *tunnel = netdev_priv(dev); + struct net_device *tdev; /* Device to other host */ + struct ipv6hdr *ipv6h; /* Our new IP header */ +- unsigned int max_headroom; /* The extra header space needed */ ++ unsigned int max_headroom = 0; /* The extra header space needed */ + int gre_hlen; + struct ipv6_tel_txoption opt; + int mtu; +@@ -693,7 +693,7 @@ static netdev_tx_t ip6gre_xmit2(struct sk_buff *skb, + tunnel->err_count = 0; + } + +- max_headroom = LL_RESERVED_SPACE(tdev) + gre_hlen + dst->header_len; ++ max_headroom += LL_RESERVED_SPACE(tdev) + gre_hlen + dst->header_len; + + if (skb_headroom(skb) < max_headroom || skb_shared(skb) || + (skb_cloned(skb) && !skb_clone_writable(skb, 0))) { @@ -1288,7 +1288,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev) } diff --git a/3.11.2/4425_grsec_remove_EI_PAX.patch b/3.11.3/4425_grsec_remove_EI_PAX.patch index 415fda5..415fda5 100644 --- a/3.11.2/4425_grsec_remove_EI_PAX.patch +++ b/3.11.3/4425_grsec_remove_EI_PAX.patch diff --git a/3.11.2/4427_force_XATTR_PAX_tmpfs.patch b/3.11.3/4427_force_XATTR_PAX_tmpfs.patch index 23e60cd..23e60cd 100644 --- a/3.11.2/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.11.3/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.11.2/4430_grsec-remove-localversion-grsec.patch b/3.11.3/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.11.2/4430_grsec-remove-localversion-grsec.patch +++ b/3.11.3/4430_grsec-remove-localversion-grsec.patch diff --git a/3.11.2/4435_grsec-mute-warnings.patch b/3.11.3/4435_grsec-mute-warnings.patch index ed941d5..ed941d5 100644 --- a/3.11.2/4435_grsec-mute-warnings.patch +++ b/3.11.3/4435_grsec-mute-warnings.patch diff --git a/3.11.2/4440_grsec-remove-protected-paths.patch b/3.11.3/4440_grsec-remove-protected-paths.patch index 05710b1..05710b1 100644 --- a/3.11.2/4440_grsec-remove-protected-paths.patch +++ b/3.11.3/4440_grsec-remove-protected-paths.patch diff --git a/3.11.2/4450_grsec-kconfig-default-gids.patch b/3.11.3/4450_grsec-kconfig-default-gids.patch index 8c7b0b2..8c7b0b2 100644 --- a/3.11.2/4450_grsec-kconfig-default-gids.patch +++ b/3.11.3/4450_grsec-kconfig-default-gids.patch diff --git a/3.11.2/4465_selinux-avc_audit-log-curr_ip.patch b/3.11.3/4465_selinux-avc_audit-log-curr_ip.patch index fea3943..fea3943 100644 --- a/3.11.2/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.11.3/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.11.2/4470_disable-compat_vdso.patch b/3.11.3/4470_disable-compat_vdso.patch index 4572f4f..4572f4f 100644 --- a/3.11.2/4470_disable-compat_vdso.patch +++ b/3.11.3/4470_disable-compat_vdso.patch diff --git a/3.11.2/4475_emutramp_default_on.patch b/3.11.3/4475_emutramp_default_on.patch index cfde6f8..cfde6f8 100644 --- a/3.11.2/4475_emutramp_default_on.patch +++ b/3.11.3/4475_emutramp_default_on.patch |