diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2015-08-19 03:05:46 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2015-08-19 03:05:46 -0400 |
commit | 004d09f6c59470641f7448c017d075cd00ff15ea (patch) | |
tree | dc1ef449a30d3f0e9b1f18ebffd6a70df409a06c | |
parent | grsecurity-{3.2.71,3.14.50,4.1.5}-201508142233 (diff) | |
download | hardened-patchset-004d09f6c59470641f7448c017d075cd00ff15ea.tar.gz hardened-patchset-004d09f6c59470641f7448c017d075cd00ff15ea.tar.bz2 hardened-patchset-004d09f6c59470641f7448c017d075cd00ff15ea.zip |
grsecurity-{3.14.51,4.1.6}-20150818195320150818
-rw-r--r-- | 3.14.50/1049_linux-3.14.50.patch | 700 | ||||
-rw-r--r-- | 3.14.51/0000_README (renamed from 3.14.50/0000_README) | 6 | ||||
-rw-r--r-- | 3.14.51/1050_linux-3.14.51.patch | 1929 | ||||
-rw-r--r-- | 3.14.51/4420_grsecurity-3.1-3.14.51-201508181951.patch (renamed from 3.14.50/4420_grsecurity-3.1-3.14.50-201508142232.patch) | 454 | ||||
-rw-r--r-- | 3.14.51/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.50/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.14.51/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.50/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.14.51/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.50/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.14.51/4435_grsec-mute-warnings.patch (renamed from 3.14.50/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.14.51/4440_grsec-remove-protected-paths.patch (renamed from 3.14.50/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.14.51/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.50/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.14.51/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.50/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.14.51/4470_disable-compat_vdso.patch (renamed from 3.14.50/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.14.51/4475_emutramp_default_on.patch (renamed from 3.14.50/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 4.1.5/1004_linux-4.1.5.patch | 5750 | ||||
-rw-r--r-- | 4.1.6/0000_README (renamed from 4.1.5/0000_README) | 6 | ||||
-rw-r--r-- | 4.1.6/1005_linux-4.1.6.patch | 4380 | ||||
-rw-r--r-- | 4.1.6/4420_grsecurity-3.1-4.1.6-201508181953.patch (renamed from 4.1.5/4420_grsecurity-3.1-4.1.5-201508142233.patch) | 1238 | ||||
-rw-r--r-- | 4.1.6/4425_grsec_remove_EI_PAX.patch (renamed from 4.1.5/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 4.1.6/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.1.5/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 4.1.6/4430_grsec-remove-localversion-grsec.patch (renamed from 4.1.5/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 4.1.6/4435_grsec-mute-warnings.patch (renamed from 4.1.5/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 4.1.6/4440_grsec-remove-protected-paths.patch (renamed from 4.1.5/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 4.1.6/4450_grsec-kconfig-default-gids.patch (renamed from 4.1.5/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 4.1.6/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.1.5/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 4.1.6/4470_disable-compat_vdso.patch (renamed from 4.1.5/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 4.1.6/4475_emutramp_default_on.patch (renamed from 4.1.5/4475_emutramp_default_on.patch) | 0 |
26 files changed, 6706 insertions, 7757 deletions
diff --git a/3.14.50/1049_linux-3.14.50.patch b/3.14.50/1049_linux-3.14.50.patch deleted file mode 100644 index bd7d238..0000000 --- a/3.14.50/1049_linux-3.14.50.patch +++ /dev/null @@ -1,700 +0,0 @@ -diff --git a/Makefile b/Makefile -index fee8460..d71c40a 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 14 --SUBLEVEL = 49 -+SUBLEVEL = 50 - EXTRAVERSION = - NAME = Remembering Coco - -diff --git a/arch/arc/include/asm/ptrace.h b/arch/arc/include/asm/ptrace.h -index 1bfeec2..2a58af7 100644 ---- a/arch/arc/include/asm/ptrace.h -+++ b/arch/arc/include/asm/ptrace.h -@@ -63,7 +63,7 @@ struct callee_regs { - long r25, r24, r23, r22, r21, r20, r19, r18, r17, r16, r15, r14, r13; - }; - --#define instruction_pointer(regs) ((regs)->ret) -+#define instruction_pointer(regs) (unsigned long)((regs)->ret) - #define profile_pc(regs) instruction_pointer(regs) - - /* return 1 if user mode or 0 if kernel mode */ -diff --git a/arch/avr32/mach-at32ap/clock.c b/arch/avr32/mach-at32ap/clock.c -index 23b1a97..52c179b 100644 ---- a/arch/avr32/mach-at32ap/clock.c -+++ b/arch/avr32/mach-at32ap/clock.c -@@ -80,6 +80,9 @@ int clk_enable(struct clk *clk) - { - unsigned long flags; - -+ if (!clk) -+ return 0; -+ - spin_lock_irqsave(&clk_lock, flags); - __clk_enable(clk); - spin_unlock_irqrestore(&clk_lock, flags); -@@ -106,6 +109,9 @@ void clk_disable(struct clk *clk) - { - unsigned long flags; - -+ if (IS_ERR_OR_NULL(clk)) -+ return; -+ - spin_lock_irqsave(&clk_lock, flags); - __clk_disable(clk); - spin_unlock_irqrestore(&clk_lock, flags); -@@ -117,6 +123,9 @@ unsigned long clk_get_rate(struct clk *clk) - unsigned long flags; - unsigned long rate; - -+ if (!clk) -+ return 0; -+ - spin_lock_irqsave(&clk_lock, flags); - rate = clk->get_rate(clk); - spin_unlock_irqrestore(&clk_lock, flags); -@@ -129,6 +138,9 @@ long clk_round_rate(struct clk *clk, unsigned long rate) - { - unsigned long flags, actual_rate; - -+ if (!clk) -+ return 0; -+ - if (!clk->set_rate) - return -ENOSYS; - -@@ -145,6 +157,9 @@ int clk_set_rate(struct clk *clk, unsigned long rate) - unsigned long flags; - long ret; - -+ if (!clk) -+ return 0; -+ - if (!clk->set_rate) - return -ENOSYS; - -@@ -161,6 +176,9 @@ int clk_set_parent(struct clk *clk, struct clk *parent) - unsigned long flags; - int ret; - -+ if (!clk) -+ return 0; -+ - if (!clk->set_parent) - return -ENOSYS; - -@@ -174,7 +192,7 @@ EXPORT_SYMBOL(clk_set_parent); - - struct clk *clk_get_parent(struct clk *clk) - { -- return clk->parent; -+ return !clk ? NULL : clk->parent; - } - EXPORT_SYMBOL(clk_get_parent); - -diff --git a/arch/s390/kernel/sclp.S b/arch/s390/kernel/sclp.S -index 29bd7be..1ecd47b 100644 ---- a/arch/s390/kernel/sclp.S -+++ b/arch/s390/kernel/sclp.S -@@ -276,6 +276,8 @@ ENTRY(_sclp_print_early) - jno .Lesa2 - ahi %r15,-80 - stmh %r6,%r15,96(%r15) # store upper register halves -+ basr %r13,0 -+ lmh %r0,%r15,.Lzeroes-.(%r13) # clear upper register halves - .Lesa2: - #endif - lr %r10,%r2 # save string pointer -@@ -299,6 +301,8 @@ ENTRY(_sclp_print_early) - #endif - lm %r6,%r15,120(%r15) # restore registers - br %r14 -+.Lzeroes: -+ .fill 64,4,0 - - .LwritedataS4: - .long 0x00760005 # SCLP command for write data -diff --git a/arch/tile/kernel/setup.c b/arch/tile/kernel/setup.c -index 74c9172..bdb3ecf 100644 ---- a/arch/tile/kernel/setup.c -+++ b/arch/tile/kernel/setup.c -@@ -1146,7 +1146,7 @@ static void __init load_hv_initrd(void) - - void __init free_initrd_mem(unsigned long begin, unsigned long end) - { -- free_bootmem(__pa(begin), end - begin); -+ free_bootmem_late(__pa(begin), end - begin); - } - - static int __init setup_initrd(char *str) -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 78cbb2d..ec5a3c7 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -560,6 +560,10 @@ static efi_status_t setup_e820(struct boot_params *params, - unsigned int e820_type = 0; - unsigned long m = efi->efi_memmap; - -+#ifdef CONFIG_X86_64 -+ m |= (u64)efi->efi_memmap_hi << 32; -+#endif -+ - d = (efi_memory_desc_t *)(m + (i * efi->efi_memdesc_size)); - switch (d->type) { - case EFI_RESERVED_TYPE: -diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S -index c5b56ed..a814c80 100644 ---- a/arch/x86/boot/compressed/head_32.S -+++ b/arch/x86/boot/compressed/head_32.S -@@ -54,7 +54,7 @@ ENTRY(efi_pe_entry) - call reloc - reloc: - popl %ecx -- subl reloc, %ecx -+ subl $reloc, %ecx - movl %ecx, BP_code32_start(%eax) - - sub $0x4, %esp -diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c -index d8f80e7..a717585 100644 ---- a/block/blk-cgroup.c -+++ b/block/blk-cgroup.c -@@ -703,8 +703,12 @@ int blkg_conf_prep(struct blkcg *blkcg, const struct blkcg_policy *pol, - return -EINVAL; - - disk = get_gendisk(MKDEV(major, minor), &part); -- if (!disk || part) -+ if (!disk) - return -EINVAL; -+ if (part) { -+ put_disk(disk); -+ return -EINVAL; -+ } - - rcu_read_lock(); - spin_lock_irq(disk->queue->queue_lock); -diff --git a/drivers/ata/libata-pmp.c b/drivers/ata/libata-pmp.c -index 7ccc084..85aa761 100644 ---- a/drivers/ata/libata-pmp.c -+++ b/drivers/ata/libata-pmp.c -@@ -460,6 +460,13 @@ static void sata_pmp_quirks(struct ata_port *ap) - ATA_LFLAG_NO_SRST | - ATA_LFLAG_ASSUME_ATA; - } -+ } else if (vendor == 0x11ab && devid == 0x4140) { -+ /* Marvell 4140 quirks */ -+ ata_for_each_link(link, ap, EDGE) { -+ /* port 4 is for SEMB device and it doesn't like SRST */ -+ if (link->pmp == 4) -+ link->flags |= ATA_LFLAG_DISABLED; -+ } - } - } - -diff --git a/drivers/input/touchscreen/usbtouchscreen.c b/drivers/input/touchscreen/usbtouchscreen.c -index a096633..c6f7e91 100644 ---- a/drivers/input/touchscreen/usbtouchscreen.c -+++ b/drivers/input/touchscreen/usbtouchscreen.c -@@ -625,6 +625,9 @@ static int dmc_tsc10_init(struct usbtouch_usb *usbtouch) - goto err_out; - } - -+ /* TSC-25 data sheet specifies a delay after the RESET command */ -+ msleep(150); -+ - /* set coordinate output rate */ - buf[0] = buf[1] = 0xFF; - ret = usb_control_msg(dev, usb_rcvctrlpipe (dev, 0), -diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index b96ee9d..9be97e0 100644 ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -336,7 +336,7 @@ static void raid1_end_read_request(struct bio *bio, int error) - spin_lock_irqsave(&conf->device_lock, flags); - if (r1_bio->mddev->degraded == conf->raid_disks || - (r1_bio->mddev->degraded == conf->raid_disks-1 && -- !test_bit(Faulty, &conf->mirrors[mirror].rdev->flags))) -+ test_bit(In_sync, &conf->mirrors[mirror].rdev->flags))) - uptodate = 1; - spin_unlock_irqrestore(&conf->device_lock, flags); - } -diff --git a/drivers/mmc/host/sdhci-esdhc.h b/drivers/mmc/host/sdhci-esdhc.h -index a7d9f95..7fd86be 100644 ---- a/drivers/mmc/host/sdhci-esdhc.h -+++ b/drivers/mmc/host/sdhci-esdhc.h -@@ -47,6 +47,6 @@ - #define ESDHC_DMA_SYSCTL 0x40c - #define ESDHC_DMA_SNOOP 0x00000040 - --#define ESDHC_HOST_CONTROL_RES 0x05 -+#define ESDHC_HOST_CONTROL_RES 0x01 - - #endif /* _DRIVERS_MMC_SDHCI_ESDHC_H */ -diff --git a/drivers/mmc/host/sdhci-pxav3.c b/drivers/mmc/host/sdhci-pxav3.c -index 561c6b4..b807666 100644 ---- a/drivers/mmc/host/sdhci-pxav3.c -+++ b/drivers/mmc/host/sdhci-pxav3.c -@@ -257,6 +257,7 @@ static int sdhci_pxav3_probe(struct platform_device *pdev) - goto err_of_parse; - sdhci_get_of_property(pdev); - pdata = pxav3_get_mmc_pdata(dev); -+ pdev->dev.platform_data = pdata; - } else if (pdata) { - /* on-chip device */ - if (pdata->flags & PXA_FLAG_CARD_PERMANENT) -diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c -index a1d6986..f310982 100644 ---- a/drivers/scsi/st.c -+++ b/drivers/scsi/st.c -@@ -1262,9 +1262,9 @@ static int st_open(struct inode *inode, struct file *filp) - spin_lock(&st_use_lock); - STp->in_use = 0; - spin_unlock(&st_use_lock); -- scsi_tape_put(STp); - if (resumed) - scsi_autopm_put_device(STp->device); -+ scsi_tape_put(STp); - return retval; - - } -diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c -index c8d7b30..55ec9b4 100644 ---- a/drivers/target/iscsi/iscsi_target.c -+++ b/drivers/target/iscsi/iscsi_target.c -@@ -4476,7 +4476,18 @@ static void iscsit_logout_post_handler_closesession( - struct iscsi_conn *conn) - { - struct iscsi_session *sess = conn->sess; -- int sleep = cmpxchg(&conn->tx_thread_active, true, false); -+ int sleep = 1; -+ /* -+ * Traditional iscsi/tcp will invoke this logic from TX thread -+ * context during session logout, so clear tx_thread_active and -+ * sleep if iscsit_close_connection() has not already occured. -+ * -+ * Since iser-target invokes this logic from it's own workqueue, -+ * always sleep waiting for RX/TX thread shutdown to complete -+ * within iscsit_close_connection(). -+ */ -+ if (conn->conn_transport->transport_type == ISCSI_TCP) -+ sleep = cmpxchg(&conn->tx_thread_active, true, false); - - atomic_set(&conn->conn_logout_remove, 0); - complete(&conn->conn_logout_comp); -@@ -4490,7 +4501,10 @@ static void iscsit_logout_post_handler_closesession( - static void iscsit_logout_post_handler_samecid( - struct iscsi_conn *conn) - { -- int sleep = cmpxchg(&conn->tx_thread_active, true, false); -+ int sleep = 1; -+ -+ if (conn->conn_transport->transport_type == ISCSI_TCP) -+ sleep = cmpxchg(&conn->tx_thread_active, true, false); - - atomic_set(&conn->conn_logout_remove, 0); - complete(&conn->conn_logout_comp); -@@ -4709,6 +4723,7 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force) - struct iscsi_session *sess; - struct se_portal_group *se_tpg = &tpg->tpg_se_tpg; - struct se_session *se_sess, *se_sess_tmp; -+ LIST_HEAD(free_list); - int session_count = 0; - - spin_lock_bh(&se_tpg->session_lock); -@@ -4730,14 +4745,17 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force) - } - atomic_set(&sess->session_reinstatement, 1); - spin_unlock(&sess->conn_lock); -- spin_unlock_bh(&se_tpg->session_lock); - -- iscsit_free_session(sess); -- spin_lock_bh(&se_tpg->session_lock); -+ list_move_tail(&se_sess->sess_list, &free_list); -+ } -+ spin_unlock_bh(&se_tpg->session_lock); - -+ list_for_each_entry_safe(se_sess, se_sess_tmp, &free_list, sess_list) { -+ sess = (struct iscsi_session *)se_sess->fabric_sess_ptr; -+ -+ iscsit_free_session(sess); - session_count++; - } -- spin_unlock_bh(&se_tpg->session_lock); - - pr_debug("Released %d iSCSI Session(s) from Target Portal" - " Group: %hu\n", session_count, tpg->tpgt); -diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c -index b9e16abb..5c95765 100644 ---- a/drivers/usb/host/xhci-hub.c -+++ b/drivers/usb/host/xhci-hub.c -@@ -480,10 +480,13 @@ static void xhci_hub_report_usb3_link_state(struct xhci_hcd *xhci, - u32 pls = status_reg & PORT_PLS_MASK; - - /* resume state is a xHCI internal state. -- * Do not report it to usb core. -+ * Do not report it to usb core, instead, pretend to be U3, -+ * thus usb core knows it's not ready for transfer - */ -- if (pls == XDEV_RESUME) -+ if (pls == XDEV_RESUME) { -+ *status |= USB_SS_PORT_LS_U3; - return; -+ } - - /* When the CAS bit is set then warm reset - * should be performed on port -@@ -584,7 +587,14 @@ static u32 xhci_get_port_status(struct usb_hcd *hcd, - status |= USB_PORT_STAT_C_RESET << 16; - /* USB3.0 only */ - if (hcd->speed == HCD_USB3) { -- if ((raw_port_status & PORT_PLC)) -+ /* Port link change with port in resume state should not be -+ * reported to usbcore, as this is an internal state to be -+ * handled by xhci driver. Reporting PLC to usbcore may -+ * cause usbcore clearing PLC first and port change event -+ * irq won't be generated. -+ */ -+ if ((raw_port_status & PORT_PLC) && -+ (raw_port_status & PORT_PLS_MASK) != XDEV_RESUME) - status |= USB_PORT_STAT_C_LINK_STATE << 16; - if ((raw_port_status & PORT_WRC)) - status |= USB_PORT_STAT_C_BH_RESET << 16; -@@ -1114,10 +1124,10 @@ int xhci_bus_suspend(struct usb_hcd *hcd) - spin_lock_irqsave(&xhci->lock, flags); - - if (hcd->self.root_hub->do_remote_wakeup) { -- if (bus_state->resuming_ports) { -+ if (bus_state->resuming_ports || /* USB2 */ -+ bus_state->port_remote_wakeup) { /* USB3 */ - spin_unlock_irqrestore(&xhci->lock, flags); -- xhci_dbg(xhci, "suspend failed because " -- "a port is resuming\n"); -+ xhci_dbg(xhci, "suspend failed because a port is resuming\n"); - return -EBUSY; - } - } -diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c -index f615712..bcc43a2 100644 ---- a/drivers/usb/host/xhci-ring.c -+++ b/drivers/usb/host/xhci-ring.c -@@ -1740,6 +1740,9 @@ static void handle_port_status(struct xhci_hcd *xhci, - usb_hcd_resume_root_hub(hcd); - } - -+ if (hcd->speed == HCD_USB3 && (temp & PORT_PLS_MASK) == XDEV_INACTIVE) -+ bus_state->port_remote_wakeup &= ~(1 << faked_port_index); -+ - if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_RESUME) { - xhci_dbg(xhci, "port resume event for port %d\n", port_id); - -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 16f4f8d..fc61e663b 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -3424,6 +3424,9 @@ int xhci_discover_or_reset_device(struct usb_hcd *hcd, struct usb_device *udev) - return -EINVAL; - } - -+ if (virt_dev->tt_info) -+ old_active_eps = virt_dev->tt_info->active_eps; -+ - if (virt_dev->udev != udev) { - /* If the virt_dev and the udev does not match, this virt_dev - * may belong to another udev. -diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h -index 70facb7..c167485 100644 ---- a/drivers/usb/host/xhci.h -+++ b/drivers/usb/host/xhci.h -@@ -285,6 +285,7 @@ struct xhci_op_regs { - #define XDEV_U0 (0x0 << 5) - #define XDEV_U2 (0x2 << 5) - #define XDEV_U3 (0x3 << 5) -+#define XDEV_INACTIVE (0x6 << 5) - #define XDEV_RESUME (0xf << 5) - /* true: port has power (see HCC_PPC) */ - #define PORT_POWER (1 << 9) -diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h -index 821e1e2..da380a9 100644 ---- a/drivers/usb/storage/unusual_devs.h -+++ b/drivers/usb/storage/unusual_devs.h -@@ -2032,6 +2032,18 @@ UNUSUAL_DEV( 0x1908, 0x3335, 0x0200, 0x0200, - USB_SC_DEVICE, USB_PR_DEVICE, NULL, - US_FL_NO_READ_DISC_INFO ), - -+/* Reported by Oliver Neukum <oneukum@suse.com> -+ * This device morphes spontaneously into another device if the access -+ * pattern of Windows isn't followed. Thus writable media would be dirty -+ * if the initial instance is used. So the device is limited to its -+ * virtual CD. -+ * And yes, the concept that BCD goes up to 9 is not heeded */ -+UNUSUAL_DEV( 0x19d2, 0x1225, 0x0000, 0xffff, -+ "ZTE,Incorporated", -+ "ZTE WCDMA Technologies MSM", -+ USB_SC_DEVICE, USB_PR_DEVICE, NULL, -+ US_FL_SINGLE_LUN ), -+ - /* Reported by Sven Geggus <sven-usbst@geggus.net> - * This encrypted pen drive returns bogus data for the initial READ(10). - */ -diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c -index 78987e4..85095d7 100644 ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -876,6 +876,7 @@ long vhost_dev_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp) - } - if (eventfp != d->log_file) { - filep = d->log_file; -+ d->log_file = eventfp; - ctx = d->log_ctx; - d->log_ctx = eventfp ? - eventfd_ctx_fileget(eventfp) : NULL; -diff --git a/fs/dcache.c b/fs/dcache.c -index aa24f7d..3d2f27b 100644 ---- a/fs/dcache.c -+++ b/fs/dcache.c -@@ -587,6 +587,9 @@ repeat: - if (unlikely(d_unhashed(dentry))) - goto kill_it; - -+ if (unlikely(dentry->d_flags & DCACHE_DISCONNECTED)) -+ goto kill_it; -+ - if (unlikely(dentry->d_flags & DCACHE_OP_DELETE)) { - if (dentry->d_op->d_delete(dentry)) - goto kill_it; -diff --git a/kernel/irq/resend.c b/kernel/irq/resend.c -index 9065107..7a5237a 100644 ---- a/kernel/irq/resend.c -+++ b/kernel/irq/resend.c -@@ -75,13 +75,21 @@ void check_irq_resend(struct irq_desc *desc, unsigned int irq) - !desc->irq_data.chip->irq_retrigger(&desc->irq_data)) { - #ifdef CONFIG_HARDIRQS_SW_RESEND - /* -- * If the interrupt has a parent irq and runs -- * in the thread context of the parent irq, -- * retrigger the parent. -+ * If the interrupt is running in the thread -+ * context of the parent irq we need to be -+ * careful, because we cannot trigger it -+ * directly. - */ -- if (desc->parent_irq && -- irq_settings_is_nested_thread(desc)) -+ if (irq_settings_is_nested_thread(desc)) { -+ /* -+ * If the parent_irq is valid, we -+ * retrigger the parent, otherwise we -+ * do nothing. -+ */ -+ if (!desc->parent_irq) -+ return; - irq = desc->parent_irq; -+ } - /* Set it pending and activate the softirq: */ - set_bit(irq, irqs_resend); - tasklet_schedule(&resend_tasklet); -diff --git a/mm/memory.c b/mm/memory.c -index 749e1c6..e9ddc7a 100644 ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -3234,6 +3234,10 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, - - pte_unmap(page_table); - -+ /* File mapping without ->vm_ops ? */ -+ if (vma->vm_flags & VM_SHARED) -+ return VM_FAULT_SIGBUS; -+ - /* Check if we need to add a guard page to the stack */ - if (check_stack_guard_page(vma, address) < 0) - return VM_FAULT_SIGSEGV; -@@ -3502,6 +3506,9 @@ static int do_linear_fault(struct mm_struct *mm, struct vm_area_struct *vma, - - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff; - - pte_unmap(page_table); -+ /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */ -+ if (!vma->vm_ops->fault) -+ return VM_FAULT_SIGBUS; - return __do_fault(mm, vma, address, pmd, pgoff, flags, orig_pte); - } - -@@ -3650,11 +3657,9 @@ static int handle_pte_fault(struct mm_struct *mm, - entry = ACCESS_ONCE(*pte); - if (!pte_present(entry)) { - if (pte_none(entry)) { -- if (vma->vm_ops) { -- if (likely(vma->vm_ops->fault)) -- return do_linear_fault(mm, vma, address, -+ if (vma->vm_ops) -+ return do_linear_fault(mm, vma, address, - pte, pmd, flags, entry); -- } - return do_anonymous_page(mm, vma, address, - pte, pmd, flags); - } -diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c -index 653ce5d..5d8bc1f 100644 ---- a/net/mac80211/debugfs_netdev.c -+++ b/net/mac80211/debugfs_netdev.c -@@ -712,6 +712,7 @@ void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata) - - debugfs_remove_recursive(sdata->vif.debugfs_dir); - sdata->vif.debugfs_dir = NULL; -+ sdata->debugfs.subdir_stations = NULL; - } - - void ieee80211_debugfs_rename_netdev(struct ieee80211_sub_if_data *sdata) -diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c -index e8fdb17..a985158 100644 ---- a/net/rds/ib_rdma.c -+++ b/net/rds/ib_rdma.c -@@ -759,8 +759,10 @@ void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents, - } - - ibmr = rds_ib_alloc_fmr(rds_ibdev); -- if (IS_ERR(ibmr)) -+ if (IS_ERR(ibmr)) { -+ rds_ib_dev_put(rds_ibdev); - return ibmr; -+ } - - ret = rds_ib_map_fmr(rds_ibdev, ibmr, sg, nents); - if (ret == 0) -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 2f503c0..907371d 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -2282,7 +2282,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = { - SND_PCI_QUIRK(0x106b, 0x4300, "iMac 9,1", ALC889_FIXUP_IMAC91_VREF), - SND_PCI_QUIRK(0x106b, 0x4600, "MacbookPro 5,2", ALC889_FIXUP_IMAC91_VREF), - SND_PCI_QUIRK(0x106b, 0x4900, "iMac 9,1 Aluminum", ALC889_FIXUP_IMAC91_VREF), -- SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_IMAC91_VREF), -+ SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_MBA11_VREF), - - SND_PCI_QUIRK(0x1071, 0x8258, "Evesham Voyaeger", ALC882_FIXUP_EAPD), - SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD), -diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c -index b16be39..9a3e107 100644 ---- a/sound/usb/mixer_maps.c -+++ b/sound/usb/mixer_maps.c -@@ -336,6 +336,20 @@ static const struct usbmix_name_map scms_usb3318_map[] = { - { 0 } - }; - -+/* Bose companion 5, the dB conversion factor is 16 instead of 256 */ -+static struct usbmix_dB_map bose_companion5_dB = {-5006, -6}; -+static struct usbmix_name_map bose_companion5_map[] = { -+ { 3, NULL, .dB = &bose_companion5_dB }, -+ { 0 } /* terminator */ -+}; -+ -+/* Dragonfly DAC 1.2, the dB conversion factor is 1 instead of 256 */ -+static struct usbmix_dB_map dragonfly_1_2_dB = {0, 5000}; -+static struct usbmix_name_map dragonfly_1_2_map[] = { -+ { 7, NULL, .dB = &dragonfly_1_2_dB }, -+ { 0 } /* terminator */ -+}; -+ - /* - * Control map entries - */ -@@ -442,6 +456,16 @@ static struct usbmix_ctl_map usbmix_ctl_maps[] = { - .id = USB_ID(0x25c4, 0x0003), - .map = scms_usb3318_map, - }, -+ { -+ /* Bose Companion 5 */ -+ .id = USB_ID(0x05a7, 0x1020), -+ .map = bose_companion5_map, -+ }, -+ { -+ /* Dragonfly DAC 1.2 */ -+ .id = USB_ID(0x21b4, 0x0081), -+ .map = dragonfly_1_2_map, -+ }, - { 0 } /* terminator */ - }; - -diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h -index 5293b5a..7c24088 100644 ---- a/sound/usb/quirks-table.h -+++ b/sound/usb/quirks-table.h -@@ -2516,6 +2516,74 @@ YAMAHA_DEVICE(0x7010, "UB99"), - } - }, - -+/* Steinberg devices */ -+{ -+ /* Steinberg MI2 */ -+ USB_DEVICE_VENDOR_SPEC(0x0a4e, 0x2040), -+ .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { -+ .ifnum = QUIRK_ANY_INTERFACE, -+ .type = QUIRK_COMPOSITE, -+ .data = & (const struct snd_usb_audio_quirk[]) { -+ { -+ .ifnum = 0, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 1, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 2, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 3, -+ .type = QUIRK_MIDI_FIXED_ENDPOINT, -+ .data = &(const struct snd_usb_midi_endpoint_info) { -+ .out_cables = 0x0001, -+ .in_cables = 0x0001 -+ } -+ }, -+ { -+ .ifnum = -1 -+ } -+ } -+ } -+}, -+{ -+ /* Steinberg MI4 */ -+ USB_DEVICE_VENDOR_SPEC(0x0a4e, 0x4040), -+ .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { -+ .ifnum = QUIRK_ANY_INTERFACE, -+ .type = QUIRK_COMPOSITE, -+ .data = & (const struct snd_usb_audio_quirk[]) { -+ { -+ .ifnum = 0, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 1, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 2, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 3, -+ .type = QUIRK_MIDI_FIXED_ENDPOINT, -+ .data = &(const struct snd_usb_midi_endpoint_info) { -+ .out_cables = 0x0001, -+ .in_cables = 0x0001 -+ } -+ }, -+ { -+ .ifnum = -1 -+ } -+ } -+ } -+}, -+ - /* TerraTec devices */ - { - USB_DEVICE_VENDOR_SPEC(0x0ccd, 0x0012), diff --git a/3.14.50/0000_README b/3.14.51/0000_README index 9ad9afc..430d8cd 100644 --- a/3.14.50/0000_README +++ b/3.14.51/0000_README @@ -2,11 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1049_linux-3.14.50.patch +Patch: 1050_linux-3.14.51.patch From: http://www.kernel.org -Desc: Linux 3.14.50 +Desc: Linux 3.14.51 -Patch: 4420_grsecurity-3.1-3.14.50-201508142232.patch +Patch: 4420_grsecurity-3.1-3.14.51-201508181951.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.51/1050_linux-3.14.51.patch b/3.14.51/1050_linux-3.14.51.patch new file mode 100644 index 0000000..8c28a74 --- /dev/null +++ b/3.14.51/1050_linux-3.14.51.patch @@ -0,0 +1,1929 @@ +diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy +index 4c3efe4..750ab97 100644 +--- a/Documentation/ABI/testing/ima_policy ++++ b/Documentation/ABI/testing/ima_policy +@@ -20,16 +20,18 @@ Description: + action: measure | dont_measure | appraise | dont_appraise | audit + condition:= base | lsm [option] + base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] +- [fowner]] ++ [euid=] [fowner=]] + lsm: [[subj_user=] [subj_role=] [subj_type=] + [obj_user=] [obj_role=] [obj_type=]] + option: [[appraise_type=]] [permit_directio] + + base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK] +- mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] ++ mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] ++ [[^]MAY_EXEC] + fsmagic:= hex value + fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) + uid:= decimal value ++ euid:= decimal value + fowner:=decimal value + lsm: are LSM specific + option: appraise_type:= [imasig] +diff --git a/Makefile b/Makefile +index d71c40a..83275d8e 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 50 ++SUBLEVEL = 51 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/include/asm/smp.h b/arch/arm/include/asm/smp.h +index 22a3b9b..4157aec 100644 +--- a/arch/arm/include/asm/smp.h ++++ b/arch/arm/include/asm/smp.h +@@ -74,6 +74,7 @@ struct secondary_data { + }; + extern struct secondary_data secondary_data; + extern volatile int pen_release; ++extern void secondary_startup(void); + + extern int __cpu_disable(void); + +diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c +index 4551efd..399af1e 100644 +--- a/arch/arm/mach-omap2/omap_hwmod.c ++++ b/arch/arm/mach-omap2/omap_hwmod.c +@@ -2452,6 +2452,9 @@ static int of_dev_hwmod_lookup(struct device_node *np, + * registers. This address is needed early so the OCP registers that + * are part of the device's address space can be ioremapped properly. + * ++ * If SYSC access is not needed, the registers will not be remapped ++ * and non-availability of MPU access is not treated as an error. ++ * + * Returns 0 on success, -EINVAL if an invalid hwmod is passed, and + * -ENXIO on absent or invalid register target address space. + */ +@@ -2466,6 +2469,11 @@ static int __init _init_mpu_rt_base(struct omap_hwmod *oh, void *data, + + _save_mpu_port_index(oh); + ++ /* if we don't need sysc access we don't need to ioremap */ ++ if (!oh->class->sysc) ++ return 0; ++ ++ /* we can't continue without MPU PORT if we need sysc access */ + if (oh->_int_flags & _HWMOD_NO_MPU_PORT) + return -ENXIO; + +@@ -2475,8 +2483,10 @@ static int __init _init_mpu_rt_base(struct omap_hwmod *oh, void *data, + oh->name); + + /* Extract the IO space from device tree blob */ +- if (!np) ++ if (!np) { ++ pr_err("omap_hwmod: %s: no dt node\n", oh->name); + return -ENXIO; ++ } + + va_start = of_iomap(np, index + oh->mpu_rt_idx); + } else { +@@ -2535,13 +2545,11 @@ static int __init _init(struct omap_hwmod *oh, void *data) + oh->name, np->name); + } + +- if (oh->class->sysc) { +- r = _init_mpu_rt_base(oh, NULL, index, np); +- if (r < 0) { +- WARN(1, "omap_hwmod: %s: doesn't have mpu register target base\n", +- oh->name); +- return 0; +- } ++ r = _init_mpu_rt_base(oh, NULL, index, np); ++ if (r < 0) { ++ WARN(1, "omap_hwmod: %s: doesn't have mpu register target base\n", ++ oh->name); ++ return 0; + } + + r = _init_clocks(oh, NULL); +diff --git a/arch/arm/mach-realview/include/mach/memory.h b/arch/arm/mach-realview/include/mach/memory.h +index 2022e09..db09170 100644 +--- a/arch/arm/mach-realview/include/mach/memory.h ++++ b/arch/arm/mach-realview/include/mach/memory.h +@@ -56,6 +56,8 @@ + #define PAGE_OFFSET1 (PAGE_OFFSET + 0x10000000) + #define PAGE_OFFSET2 (PAGE_OFFSET + 0x30000000) + ++#define PHYS_OFFSET PLAT_PHYS_OFFSET ++ + #define __phys_to_virt(phys) \ + ((phys) >= 0x80000000 ? (phys) - 0x80000000 + PAGE_OFFSET2 : \ + (phys) >= 0x20000000 ? (phys) - 0x20000000 + PAGE_OFFSET1 : \ +diff --git a/arch/arm/mach-sunxi/Makefile b/arch/arm/mach-sunxi/Makefile +index d939720..27b168f 100644 +--- a/arch/arm/mach-sunxi/Makefile ++++ b/arch/arm/mach-sunxi/Makefile +@@ -1,2 +1,2 @@ + obj-$(CONFIG_ARCH_SUNXI) += sunxi.o +-obj-$(CONFIG_SMP) += platsmp.o headsmp.o ++obj-$(CONFIG_SMP) += platsmp.o +diff --git a/arch/arm/mach-sunxi/headsmp.S b/arch/arm/mach-sunxi/headsmp.S +deleted file mode 100644 +index a10d494..0000000 +--- a/arch/arm/mach-sunxi/headsmp.S ++++ /dev/null +@@ -1,9 +0,0 @@ +-#include <linux/linkage.h> +-#include <linux/init.h> +- +- .section ".text.head", "ax" +- +-ENTRY(sun6i_secondary_startup) +- msr cpsr_fsxc, #0xd3 +- b secondary_startup +-ENDPROC(sun6i_secondary_startup) +diff --git a/arch/arm/mach-sunxi/platsmp.c b/arch/arm/mach-sunxi/platsmp.c +index 7b141d8..0c7dbce 100644 +--- a/arch/arm/mach-sunxi/platsmp.c ++++ b/arch/arm/mach-sunxi/platsmp.c +@@ -82,7 +82,7 @@ static int sun6i_smp_boot_secondary(unsigned int cpu, + spin_lock(&cpu_lock); + + /* Set CPU boot address */ +- writel(virt_to_phys(sun6i_secondary_startup), ++ writel(virt_to_phys(secondary_startup), + cpucfg_membase + CPUCFG_PRIVATE0_REG); + + /* Assert the CPU core in reset */ +diff --git a/arch/arm64/kernel/signal32.c b/arch/arm64/kernel/signal32.c +index 7ed72dc..a966bac 100644 +--- a/arch/arm64/kernel/signal32.c ++++ b/arch/arm64/kernel/signal32.c +@@ -165,7 +165,8 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from) + * Other callers might not initialize the si_lsb field, + * so check explicitely for the right codes here. + */ +- if (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO) ++ if (from->si_signo == SIGBUS && ++ (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO)) + err |= __put_user(from->si_addr_lsb, &to->si_addr_lsb); + #endif + break; +@@ -192,8 +193,6 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from) + + int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from) + { +- memset(to, 0, sizeof *to); +- + if (copy_from_user(to, from, __ARCH_SI_PREAMBLE_SIZE) || + copy_from_user(to->_sifields._pad, + from->_sifields._pad, SI_PAD_SIZE)) +diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h +index 008324d..b154953 100644 +--- a/arch/mips/include/asm/pgtable.h ++++ b/arch/mips/include/asm/pgtable.h +@@ -150,8 +150,39 @@ static inline void set_pte(pte_t *ptep, pte_t pteval) + * Make sure the buddy is global too (if it's !none, + * it better already be global) + */ ++#ifdef CONFIG_SMP ++ /* ++ * For SMP, multiple CPUs can race, so we need to do ++ * this atomically. ++ */ ++#ifdef CONFIG_64BIT ++#define LL_INSN "lld" ++#define SC_INSN "scd" ++#else /* CONFIG_32BIT */ ++#define LL_INSN "ll" ++#define SC_INSN "sc" ++#endif ++ unsigned long page_global = _PAGE_GLOBAL; ++ unsigned long tmp; ++ ++ __asm__ __volatile__ ( ++ " .set push\n" ++ " .set noreorder\n" ++ "1: " LL_INSN " %[tmp], %[buddy]\n" ++ " bnez %[tmp], 2f\n" ++ " or %[tmp], %[tmp], %[global]\n" ++ " " SC_INSN " %[tmp], %[buddy]\n" ++ " beqz %[tmp], 1b\n" ++ " nop\n" ++ "2:\n" ++ " .set pop" ++ : [buddy] "+m" (buddy->pte), ++ [tmp] "=&r" (tmp) ++ : [global] "r" (page_global)); ++#else /* !CONFIG_SMP */ + if (pte_none(*buddy)) + pte_val(*buddy) = pte_val(*buddy) | _PAGE_GLOBAL; ++#endif /* CONFIG_SMP */ + } + #endif + } +diff --git a/arch/mips/kernel/mips-mt-fpaff.c b/arch/mips/kernel/mips-mt-fpaff.c +index cb09862..ca16964 100644 +--- a/arch/mips/kernel/mips-mt-fpaff.c ++++ b/arch/mips/kernel/mips-mt-fpaff.c +@@ -154,7 +154,7 @@ asmlinkage long mipsmt_sys_sched_getaffinity(pid_t pid, unsigned int len, + unsigned long __user *user_mask_ptr) + { + unsigned int real_len; +- cpumask_t mask; ++ cpumask_t allowed, mask; + int retval; + struct task_struct *p; + +@@ -173,7 +173,8 @@ asmlinkage long mipsmt_sys_sched_getaffinity(pid_t pid, unsigned int len, + if (retval) + goto out_unlock; + +- cpumask_and(&mask, &p->thread.user_cpus_allowed, cpu_possible_mask); ++ cpumask_or(&allowed, &p->thread.user_cpus_allowed, &p->cpus_allowed); ++ cpumask_and(&mask, &allowed, cpu_active_mask); + + out_unlock: + read_unlock(&tasklist_lock); +diff --git a/arch/mips/kernel/signal32.c b/arch/mips/kernel/signal32.c +index 3d60f77..ea585cf 100644 +--- a/arch/mips/kernel/signal32.c ++++ b/arch/mips/kernel/signal32.c +@@ -370,8 +370,6 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from) + + int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from) + { +- memset(to, 0, sizeof *to); +- + if (copy_from_user(to, from, 3*sizeof(int)) || + copy_from_user(to->_sifields._pad, + from->_sifields._pad, SI_PAD_SIZE32)) +diff --git a/arch/mips/mti-malta/malta-time.c b/arch/mips/mti-malta/malta-time.c +index 3190099..d4ab447 100644 +--- a/arch/mips/mti-malta/malta-time.c ++++ b/arch/mips/mti-malta/malta-time.c +@@ -168,14 +168,17 @@ unsigned int get_c0_compare_int(void) + + static void __init init_rtc(void) + { +- /* stop the clock whilst setting it up */ +- CMOS_WRITE(RTC_SET | RTC_24H, RTC_CONTROL); ++ unsigned char freq, ctrl; + +- /* 32KHz time base */ +- CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT); ++ /* Set 32KHz time base if not already set */ ++ freq = CMOS_READ(RTC_FREQ_SELECT); ++ if ((freq & RTC_DIV_CTL) != RTC_REF_CLCK_32KHZ) ++ CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT); + +- /* start the clock */ +- CMOS_WRITE(RTC_24H, RTC_CONTROL); ++ /* Ensure SET bit is clear so RTC can run */ ++ ctrl = CMOS_READ(RTC_CONTROL); ++ if (ctrl & RTC_SET) ++ CMOS_WRITE(ctrl & ~RTC_SET, RTC_CONTROL); + } + + void __init plat_time_init(void) +diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c +index 4e47db6..e881e3f 100644 +--- a/arch/powerpc/kernel/signal_32.c ++++ b/arch/powerpc/kernel/signal_32.c +@@ -967,8 +967,6 @@ int copy_siginfo_to_user32(struct compat_siginfo __user *d, const siginfo_t *s) + + int copy_siginfo_from_user32(siginfo_t *to, struct compat_siginfo __user *from) + { +- memset(to, 0, sizeof *to); +- + if (copy_from_user(to, from, 3*sizeof(int)) || + copy_from_user(to->_sifields._pad, + from->_sifields._pad, SI_PAD_SIZE32)) +diff --git a/arch/sparc/include/asm/visasm.h b/arch/sparc/include/asm/visasm.h +index 11fdf0e..50d6f16 100644 +--- a/arch/sparc/include/asm/visasm.h ++++ b/arch/sparc/include/asm/visasm.h +@@ -28,16 +28,10 @@ + * Must preserve %o5 between VISEntryHalf and VISExitHalf */ + + #define VISEntryHalf \ +- rd %fprs, %o5; \ +- andcc %o5, FPRS_FEF, %g0; \ +- be,pt %icc, 297f; \ +- sethi %hi(298f), %g7; \ +- sethi %hi(VISenterhalf), %g1; \ +- jmpl %g1 + %lo(VISenterhalf), %g0; \ +- or %g7, %lo(298f), %g7; \ +- clr %o5; \ +-297: wr %o5, FPRS_FEF, %fprs; \ +-298: ++ VISEntry ++ ++#define VISExitHalf \ ++ VISExit + + #define VISEntryHalfFast(fail_label) \ + rd %fprs, %o5; \ +@@ -47,7 +41,7 @@ + ba,a,pt %xcc, fail_label; \ + 297: wr %o5, FPRS_FEF, %fprs; + +-#define VISExitHalf \ ++#define VISExitHalfFast \ + wr %o5, 0, %fprs; + + #ifndef __ASSEMBLY__ +diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S +index 140527a..83aeeb1 100644 +--- a/arch/sparc/lib/NG4memcpy.S ++++ b/arch/sparc/lib/NG4memcpy.S +@@ -240,8 +240,11 @@ FUNC_NAME: /* %o0=dst, %o1=src, %o2=len */ + add %o0, 0x40, %o0 + bne,pt %icc, 1b + LOAD(prefetch, %g1 + 0x200, #n_reads_strong) ++#ifdef NON_USER_COPY ++ VISExitHalfFast ++#else + VISExitHalf +- ++#endif + brz,pn %o2, .Lexit + cmp %o2, 19 + ble,pn %icc, .Lsmall_unaligned +diff --git a/arch/sparc/lib/VISsave.S b/arch/sparc/lib/VISsave.S +index b320ae9..a063d84 100644 +--- a/arch/sparc/lib/VISsave.S ++++ b/arch/sparc/lib/VISsave.S +@@ -44,9 +44,8 @@ vis1: ldub [%g6 + TI_FPSAVED], %g3 + + stx %g3, [%g6 + TI_GSR] + 2: add %g6, %g1, %g3 +- cmp %o5, FPRS_DU +- be,pn %icc, 6f +- sll %g1, 3, %g1 ++ mov FPRS_DU | FPRS_DL | FPRS_FEF, %o5 ++ sll %g1, 3, %g1 + stb %o5, [%g3 + TI_FPSAVED] + rd %gsr, %g2 + add %g6, %g1, %g3 +@@ -80,65 +79,3 @@ vis1: ldub [%g6 + TI_FPSAVED], %g3 + .align 32 + 80: jmpl %g7 + %g0, %g0 + nop +- +-6: ldub [%g3 + TI_FPSAVED], %o5 +- or %o5, FPRS_DU, %o5 +- add %g6, TI_FPREGS+0x80, %g2 +- stb %o5, [%g3 + TI_FPSAVED] +- +- sll %g1, 5, %g1 +- add %g6, TI_FPREGS+0xc0, %g3 +- wr %g0, FPRS_FEF, %fprs +- membar #Sync +- stda %f32, [%g2 + %g1] ASI_BLK_P +- stda %f48, [%g3 + %g1] ASI_BLK_P +- membar #Sync +- ba,pt %xcc, 80f +- nop +- +- .align 32 +-80: jmpl %g7 + %g0, %g0 +- nop +- +- .align 32 +-VISenterhalf: +- ldub [%g6 + TI_FPDEPTH], %g1 +- brnz,a,pn %g1, 1f +- cmp %g1, 1 +- stb %g0, [%g6 + TI_FPSAVED] +- stx %fsr, [%g6 + TI_XFSR] +- clr %o5 +- jmpl %g7 + %g0, %g0 +- wr %g0, FPRS_FEF, %fprs +- +-1: bne,pn %icc, 2f +- srl %g1, 1, %g1 +- ba,pt %xcc, vis1 +- sub %g7, 8, %g7 +-2: addcc %g6, %g1, %g3 +- sll %g1, 3, %g1 +- andn %o5, FPRS_DU, %g2 +- stb %g2, [%g3 + TI_FPSAVED] +- +- rd %gsr, %g2 +- add %g6, %g1, %g3 +- stx %g2, [%g3 + TI_GSR] +- add %g6, %g1, %g2 +- stx %fsr, [%g2 + TI_XFSR] +- sll %g1, 5, %g1 +-3: andcc %o5, FPRS_DL, %g0 +- be,pn %icc, 4f +- add %g6, TI_FPREGS, %g2 +- +- add %g6, TI_FPREGS+0x40, %g3 +- membar #Sync +- stda %f0, [%g2 + %g1] ASI_BLK_P +- stda %f16, [%g3 + %g1] ASI_BLK_P +- membar #Sync +- ba,pt %xcc, 4f +- nop +- +- .align 32 +-4: and %o5, FPRS_DU, %o5 +- jmpl %g7 + %g0, %g0 +- wr %o5, FPRS_FEF, %fprs +diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c +index 323335b..ac094de 100644 +--- a/arch/sparc/lib/ksyms.c ++++ b/arch/sparc/lib/ksyms.c +@@ -126,10 +126,6 @@ EXPORT_SYMBOL(copy_user_page); + void VISenter(void); + EXPORT_SYMBOL(VISenter); + +-/* CRYPTO code needs this */ +-void VISenterhalf(void); +-EXPORT_SYMBOL(VISenterhalf); +- + extern void xor_vis_2(unsigned long, unsigned long *, unsigned long *); + extern void xor_vis_3(unsigned long, unsigned long *, unsigned long *, + unsigned long *); +diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h +index 6a11845..7205173 100644 +--- a/arch/x86/kvm/lapic.h ++++ b/arch/x86/kvm/lapic.h +@@ -165,7 +165,7 @@ static inline u16 apic_logical_id(struct kvm_apic_map *map, u32 ldr) + + static inline bool kvm_apic_has_events(struct kvm_vcpu *vcpu) + { +- return vcpu->arch.apic->pending_events; ++ return kvm_vcpu_has_lapic(vcpu) && vcpu->arch.apic->pending_events; + } + + bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector); +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index 201d09a..2302f10 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -481,6 +481,7 @@ static void set_aliased_prot(void *v, pgprot_t prot) + pte_t pte; + unsigned long pfn; + struct page *page; ++ unsigned char dummy; + + ptep = lookup_address((unsigned long)v, &level); + BUG_ON(ptep == NULL); +@@ -490,6 +491,32 @@ static void set_aliased_prot(void *v, pgprot_t prot) + + pte = pfn_pte(pfn, prot); + ++ /* ++ * Careful: update_va_mapping() will fail if the virtual address ++ * we're poking isn't populated in the page tables. We don't ++ * need to worry about the direct map (that's always in the page ++ * tables), but we need to be careful about vmap space. In ++ * particular, the top level page table can lazily propagate ++ * entries between processes, so if we've switched mms since we ++ * vmapped the target in the first place, we might not have the ++ * top-level page table entry populated. ++ * ++ * We disable preemption because we want the same mm active when ++ * we probe the target and when we issue the hypercall. We'll ++ * have the same nominal mm, but if we're a kernel thread, lazy ++ * mm dropping could change our pgd. ++ * ++ * Out of an abundance of caution, this uses __get_user() to fault ++ * in the target address just in case there's some obscure case ++ * in which the target address isn't readable. ++ */ ++ ++ preempt_disable(); ++ ++ pagefault_disable(); /* Avoid warnings due to being atomic. */ ++ __get_user(dummy, (unsigned char __user __force *)v); ++ pagefault_enable(); ++ + if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0)) + BUG(); + +@@ -501,6 +528,8 @@ static void set_aliased_prot(void *v, pgprot_t prot) + BUG(); + } else + kmap_flush_unused(); ++ ++ preempt_enable(); + } + + static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) +@@ -508,6 +537,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) + const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE; + int i; + ++ /* ++ * We need to mark the all aliases of the LDT pages RO. We ++ * don't need to call vm_flush_aliases(), though, since that's ++ * only responsible for flushing aliases out the TLBs, not the ++ * page tables, and Xen will flush the TLB for us if needed. ++ * ++ * To avoid confusing future readers: none of this is necessary ++ * to load the LDT. The hypervisor only checks this when the ++ * LDT is faulted in due to subsequent descriptor access. ++ */ ++ + for(i = 0; i < entries; i += entries_per_page) + set_aliased_prot(ldt + i, PAGE_KERNEL_RO); + } +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index 12be7cb..b583773 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -508,6 +508,7 @@ void rbd_warn(struct rbd_device *rbd_dev, const char *fmt, ...) + # define rbd_assert(expr) ((void) 0) + #endif /* !RBD_DEBUG */ + ++static void rbd_osd_copyup_callback(struct rbd_obj_request *obj_request); + static int rbd_img_obj_request_submit(struct rbd_obj_request *obj_request); + static void rbd_img_parent_read(struct rbd_obj_request *obj_request); + static void rbd_dev_remove_parent(struct rbd_device *rbd_dev); +@@ -1651,6 +1652,16 @@ static void rbd_osd_stat_callback(struct rbd_obj_request *obj_request) + obj_request_done_set(obj_request); + } + ++static void rbd_osd_call_callback(struct rbd_obj_request *obj_request) ++{ ++ dout("%s: obj %p\n", __func__, obj_request); ++ ++ if (obj_request_img_data_test(obj_request)) ++ rbd_osd_copyup_callback(obj_request); ++ else ++ obj_request_done_set(obj_request); ++} ++ + static void rbd_osd_req_callback(struct ceph_osd_request *osd_req, + struct ceph_msg *msg) + { +@@ -1689,6 +1700,8 @@ static void rbd_osd_req_callback(struct ceph_osd_request *osd_req, + rbd_osd_stat_callback(obj_request); + break; + case CEPH_OSD_OP_CALL: ++ rbd_osd_call_callback(obj_request); ++ break; + case CEPH_OSD_OP_NOTIFY_ACK: + case CEPH_OSD_OP_WATCH: + rbd_osd_trivial_callback(obj_request); +@@ -2275,13 +2288,15 @@ out_unwind: + } + + static void +-rbd_img_obj_copyup_callback(struct rbd_obj_request *obj_request) ++rbd_osd_copyup_callback(struct rbd_obj_request *obj_request) + { + struct rbd_img_request *img_request; + struct rbd_device *rbd_dev; + struct page **pages; + u32 page_count; + ++ dout("%s: obj %p\n", __func__, obj_request); ++ + rbd_assert(obj_request->type == OBJ_REQUEST_BIO); + rbd_assert(obj_request_img_data_test(obj_request)); + img_request = obj_request->img_request; +@@ -2307,9 +2322,7 @@ rbd_img_obj_copyup_callback(struct rbd_obj_request *obj_request) + if (!obj_request->result) + obj_request->xferred = obj_request->length; + +- /* Finish up with the normal image object callback */ +- +- rbd_img_obj_callback(obj_request); ++ obj_request_done_set(obj_request); + } + + static void +@@ -2406,7 +2419,6 @@ rbd_img_obj_parent_read_full_callback(struct rbd_img_request *img_request) + + /* All set, send it off. */ + +- orig_request->callback = rbd_img_obj_copyup_callback; + osdc = &rbd_dev->rbd_client->client->osdc; + img_result = rbd_obj_request_submit(osdc, orig_request); + if (!img_result) +diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c +index f757a0f..3beed38 100644 +--- a/drivers/crypto/ixp4xx_crypto.c ++++ b/drivers/crypto/ixp4xx_crypto.c +@@ -904,7 +904,6 @@ static int ablk_perform(struct ablkcipher_request *req, int encrypt) + crypt->mode |= NPE_OP_NOT_IN_PLACE; + /* This was never tested by Intel + * for more than one dst buffer, I think. */ +- BUG_ON(req->dst->length < nbytes); + req_ctx->dst = NULL; + if (!chainup_buffers(dev, req->dst, nbytes, &dst_hook, + flags, DMA_FROM_DEVICE)) +diff --git a/drivers/gpu/drm/radeon/radeon_combios.c b/drivers/gpu/drm/radeon/radeon_combios.c +index 6651177..79a2669 100644 +--- a/drivers/gpu/drm/radeon/radeon_combios.c ++++ b/drivers/gpu/drm/radeon/radeon_combios.c +@@ -1255,10 +1255,15 @@ struct radeon_encoder_lvds *radeon_combios_get_lvds_info(struct radeon_encoder + + if ((RBIOS16(tmp) == lvds->native_mode.hdisplay) && + (RBIOS16(tmp + 2) == lvds->native_mode.vdisplay)) { ++ u32 hss = (RBIOS16(tmp + 21) - RBIOS16(tmp + 19) - 1) * 8; ++ ++ if (hss > lvds->native_mode.hdisplay) ++ hss = (10 - 1) * 8; ++ + lvds->native_mode.htotal = lvds->native_mode.hdisplay + + (RBIOS16(tmp + 17) - RBIOS16(tmp + 19)) * 8; + lvds->native_mode.hsync_start = lvds->native_mode.hdisplay + +- (RBIOS16(tmp + 21) - RBIOS16(tmp + 19) - 1) * 8; ++ hss; + lvds->native_mode.hsync_end = lvds->native_mode.hsync_start + + (RBIOS8(tmp + 23) * 8); + +diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c +index 8e51b3a..cc3dc0c 100644 +--- a/drivers/md/bitmap.c ++++ b/drivers/md/bitmap.c +@@ -564,6 +564,8 @@ static int bitmap_read_sb(struct bitmap *bitmap) + if (err) + return err; + ++ err = -EINVAL; ++ + sb = kmap_atomic(sb_page); + + chunksize = le32_to_cpu(sb->chunksize); +diff --git a/drivers/md/md.c b/drivers/md/md.c +index b4067b9..2ffd277 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5645,8 +5645,7 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg) + char *ptr, *buf = NULL; + int err = -ENOMEM; + +- file = kmalloc(sizeof(*file), GFP_NOIO); +- ++ file = kzalloc(sizeof(*file), GFP_NOIO); + if (!file) + goto out; + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 9be97e0..47b7c31 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1477,6 +1477,7 @@ static void error(struct mddev *mddev, struct md_rdev *rdev) + { + char b[BDEVNAME_SIZE]; + struct r1conf *conf = mddev->private; ++ unsigned long flags; + + /* + * If it is not operational, then we have already marked it as dead +@@ -1496,14 +1497,13 @@ static void error(struct mddev *mddev, struct md_rdev *rdev) + return; + } + set_bit(Blocked, &rdev->flags); ++ spin_lock_irqsave(&conf->device_lock, flags); + if (test_and_clear_bit(In_sync, &rdev->flags)) { +- unsigned long flags; +- spin_lock_irqsave(&conf->device_lock, flags); + mddev->degraded++; + set_bit(Faulty, &rdev->flags); +- spin_unlock_irqrestore(&conf->device_lock, flags); + } else + set_bit(Faulty, &rdev->flags); ++ spin_unlock_irqrestore(&conf->device_lock, flags); + /* + * if recovery is running, make sure it aborts. + */ +@@ -1569,7 +1569,10 @@ static int raid1_spare_active(struct mddev *mddev) + * Find all failed disks within the RAID1 configuration + * and mark them readable. + * Called under mddev lock, so rcu protection not needed. ++ * device_lock used to avoid races with raid1_end_read_request ++ * which expects 'In_sync' flags and ->degraded to be consistent. + */ ++ spin_lock_irqsave(&conf->device_lock, flags); + for (i = 0; i < conf->raid_disks; i++) { + struct md_rdev *rdev = conf->mirrors[i].rdev; + struct md_rdev *repl = conf->mirrors[conf->raid_disks + i].rdev; +@@ -1599,7 +1602,6 @@ static int raid1_spare_active(struct mddev *mddev) + sysfs_notify_dirent_safe(rdev->sysfs_state); + } + } +- spin_lock_irqsave(&conf->device_lock, flags); + mddev->degraded -= count; + spin_unlock_irqrestore(&conf->device_lock, flags); + +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c +index b4ddb73..128dc2f 100644 +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -592,9 +592,10 @@ static void ipr_trc_hook(struct ipr_cmnd *ipr_cmd, + { + struct ipr_trace_entry *trace_entry; + struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg; ++ unsigned int trace_index; + +- trace_entry = &ioa_cfg->trace[atomic_add_return +- (1, &ioa_cfg->trace_index)%IPR_NUM_TRACE_ENTRIES]; ++ trace_index = atomic_add_return(1, &ioa_cfg->trace_index) & IPR_TRACE_INDEX_MASK; ++ trace_entry = &ioa_cfg->trace[trace_index]; + trace_entry->time = jiffies; + trace_entry->op_code = ipr_cmd->ioarcb.cmd_pkt.cdb[0]; + trace_entry->type = type; +@@ -1044,10 +1045,15 @@ static void ipr_send_blocking_cmd(struct ipr_cmnd *ipr_cmd, + + static int ipr_get_hrrq_index(struct ipr_ioa_cfg *ioa_cfg) + { ++ unsigned int hrrq; ++ + if (ioa_cfg->hrrq_num == 1) +- return 0; +- else +- return (atomic_add_return(1, &ioa_cfg->hrrq_index) % (ioa_cfg->hrrq_num - 1)) + 1; ++ hrrq = 0; ++ else { ++ hrrq = atomic_add_return(1, &ioa_cfg->hrrq_index); ++ hrrq = (hrrq % (ioa_cfg->hrrq_num - 1)) + 1; ++ } ++ return hrrq; + } + + /** +@@ -6179,21 +6185,23 @@ static void ipr_scsi_done(struct ipr_cmnd *ipr_cmd) + struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg; + struct scsi_cmnd *scsi_cmd = ipr_cmd->scsi_cmd; + u32 ioasc = be32_to_cpu(ipr_cmd->s.ioasa.hdr.ioasc); +- unsigned long hrrq_flags; ++ unsigned long lock_flags; + + scsi_set_resid(scsi_cmd, be32_to_cpu(ipr_cmd->s.ioasa.hdr.residual_data_len)); + + if (likely(IPR_IOASC_SENSE_KEY(ioasc) == 0)) { + scsi_dma_unmap(scsi_cmd); + +- spin_lock_irqsave(ipr_cmd->hrrq->lock, hrrq_flags); ++ spin_lock_irqsave(ipr_cmd->hrrq->lock, lock_flags); + list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + scsi_cmd->scsi_done(scsi_cmd); +- spin_unlock_irqrestore(ipr_cmd->hrrq->lock, hrrq_flags); ++ spin_unlock_irqrestore(ipr_cmd->hrrq->lock, lock_flags); + } else { +- spin_lock_irqsave(ipr_cmd->hrrq->lock, hrrq_flags); ++ spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); ++ spin_lock(&ipr_cmd->hrrq->_lock); + ipr_erp_start(ioa_cfg, ipr_cmd); +- spin_unlock_irqrestore(ipr_cmd->hrrq->lock, hrrq_flags); ++ spin_unlock(&ipr_cmd->hrrq->_lock); ++ spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); + } + } + +diff --git a/drivers/scsi/ipr.h b/drivers/scsi/ipr.h +index 02edae7..694ec20 100644 +--- a/drivers/scsi/ipr.h ++++ b/drivers/scsi/ipr.h +@@ -1459,6 +1459,7 @@ struct ipr_ioa_cfg { + + #define IPR_NUM_TRACE_INDEX_BITS 8 + #define IPR_NUM_TRACE_ENTRIES (1 << IPR_NUM_TRACE_INDEX_BITS) ++#define IPR_TRACE_INDEX_MASK (IPR_NUM_TRACE_ENTRIES - 1) + #define IPR_TRACE_SIZE (sizeof(struct ipr_trace_entry) * IPR_NUM_TRACE_ENTRIES) + char trace_start[8]; + #define IPR_TRACE_START_LABEL "trace" +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index eb81c98..721d839 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd) + md->from_user = 0; + } + ++ if (unlikely(iov_count > UIO_MAXIOV)) ++ return -EINVAL; ++ + if (iov_count) { + int len, size = sizeof(struct sg_iovec) * iov_count; + struct iovec *iov; +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index 55ec9b4..9dbf176 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -3937,7 +3937,13 @@ get_immediate: + } + + transport_err: +- iscsit_take_action_for_connection_exit(conn); ++ /* ++ * Avoid the normal connection failure code-path if this connection ++ * is still within LOGIN mode, and iscsi_np process context is ++ * responsible for cleaning up the early connection failure. ++ */ ++ if (conn->conn_state != TARG_CONN_STATE_IN_LOGIN) ++ iscsit_take_action_for_connection_exit(conn); + out: + return 0; + } +@@ -4023,7 +4029,7 @@ reject: + + int iscsi_target_rx_thread(void *arg) + { +- int ret; ++ int ret, rc; + u8 buffer[ISCSI_HDR_LEN], opcode; + u32 checksum = 0, digest = 0; + struct iscsi_conn *conn = arg; +@@ -4033,10 +4039,16 @@ int iscsi_target_rx_thread(void *arg) + * connection recovery / failure event can be triggered externally. + */ + allow_signal(SIGINT); ++ /* ++ * Wait for iscsi_post_login_handler() to complete before allowing ++ * incoming iscsi/tcp socket I/O, and/or failing the connection. ++ */ ++ rc = wait_for_completion_interruptible(&conn->rx_login_comp); ++ if (rc < 0) ++ return 0; + + if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) { + struct completion comp; +- int rc; + + init_completion(&comp); + rc = wait_for_completion_interruptible(&comp); +diff --git a/drivers/target/iscsi/iscsi_target_core.h b/drivers/target/iscsi/iscsi_target_core.h +index 825b579..92abbe2 100644 +--- a/drivers/target/iscsi/iscsi_target_core.h ++++ b/drivers/target/iscsi/iscsi_target_core.h +@@ -604,6 +604,7 @@ struct iscsi_conn { + int bitmap_id; + int rx_thread_active; + struct task_struct *rx_thread; ++ struct completion rx_login_comp; + int tx_thread_active; + struct task_struct *tx_thread; + /* list_head for session connection list */ +diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c +index 449df09..01c27aa 100644 +--- a/drivers/target/iscsi/iscsi_target_login.c ++++ b/drivers/target/iscsi/iscsi_target_login.c +@@ -83,6 +83,7 @@ static struct iscsi_login *iscsi_login_init_conn(struct iscsi_conn *conn) + init_completion(&conn->conn_logout_comp); + init_completion(&conn->rx_half_close_comp); + init_completion(&conn->tx_half_close_comp); ++ init_completion(&conn->rx_login_comp); + spin_lock_init(&conn->cmd_lock); + spin_lock_init(&conn->conn_usage_lock); + spin_lock_init(&conn->immed_queue_lock); +@@ -716,6 +717,7 @@ int iscsit_start_kthreads(struct iscsi_conn *conn) + + return 0; + out_tx: ++ send_sig(SIGINT, conn->tx_thread, 1); + kthread_stop(conn->tx_thread); + conn->tx_thread_active = false; + out_bitmap: +@@ -726,7 +728,7 @@ out_bitmap: + return ret; + } + +-int iscsi_post_login_handler( ++void iscsi_post_login_handler( + struct iscsi_np *np, + struct iscsi_conn *conn, + u8 zero_tsih) +@@ -736,7 +738,6 @@ int iscsi_post_login_handler( + struct se_session *se_sess = sess->se_sess; + struct iscsi_portal_group *tpg = sess->tpg; + struct se_portal_group *se_tpg = &tpg->tpg_se_tpg; +- int rc; + + iscsit_inc_conn_usage_count(conn); + +@@ -777,10 +778,6 @@ int iscsi_post_login_handler( + sess->sess_ops->InitiatorName); + spin_unlock_bh(&sess->conn_lock); + +- rc = iscsit_start_kthreads(conn); +- if (rc) +- return rc; +- + iscsi_post_login_start_timers(conn); + /* + * Determine CPU mask to ensure connection's RX and TX kthreads +@@ -789,15 +786,20 @@ int iscsi_post_login_handler( + iscsit_thread_get_cpumask(conn); + conn->conn_rx_reset_cpumask = 1; + conn->conn_tx_reset_cpumask = 1; +- ++ /* ++ * Wakeup the sleeping iscsi_target_rx_thread() now that ++ * iscsi_conn is in TARG_CONN_STATE_LOGGED_IN state. ++ */ ++ complete(&conn->rx_login_comp); + iscsit_dec_conn_usage_count(conn); ++ + if (stop_timer) { + spin_lock_bh(&se_tpg->session_lock); + iscsit_stop_time2retain_timer(sess); + spin_unlock_bh(&se_tpg->session_lock); + } + iscsit_dec_session_usage_count(sess); +- return 0; ++ return; + } + + iscsi_set_session_parameters(sess->sess_ops, conn->param_list, 1); +@@ -838,10 +840,6 @@ int iscsi_post_login_handler( + " iSCSI Target Portal Group: %hu\n", tpg->nsessions, tpg->tpgt); + spin_unlock_bh(&se_tpg->session_lock); + +- rc = iscsit_start_kthreads(conn); +- if (rc) +- return rc; +- + iscsi_post_login_start_timers(conn); + /* + * Determine CPU mask to ensure connection's RX and TX kthreads +@@ -850,10 +848,12 @@ int iscsi_post_login_handler( + iscsit_thread_get_cpumask(conn); + conn->conn_rx_reset_cpumask = 1; + conn->conn_tx_reset_cpumask = 1; +- ++ /* ++ * Wakeup the sleeping iscsi_target_rx_thread() now that ++ * iscsi_conn is in TARG_CONN_STATE_LOGGED_IN state. ++ */ ++ complete(&conn->rx_login_comp); + iscsit_dec_conn_usage_count(conn); +- +- return 0; + } + + static void iscsi_handle_login_thread_timeout(unsigned long data) +@@ -1418,23 +1418,12 @@ static int __iscsi_target_login_thread(struct iscsi_np *np) + if (ret < 0) + goto new_sess_out; + +- if (!conn->sess) { +- pr_err("struct iscsi_conn session pointer is NULL!\n"); +- goto new_sess_out; +- } +- + iscsi_stop_login_thread_timer(np); + +- if (signal_pending(current)) +- goto new_sess_out; +- + if (ret == 1) { + tpg_np = conn->tpg_np; + +- ret = iscsi_post_login_handler(np, conn, zero_tsih); +- if (ret < 0) +- goto new_sess_out; +- ++ iscsi_post_login_handler(np, conn, zero_tsih); + iscsit_deaccess_np(np, tpg, tpg_np); + } + +diff --git a/drivers/target/iscsi/iscsi_target_login.h b/drivers/target/iscsi/iscsi_target_login.h +index 29d0983..55cbf45 100644 +--- a/drivers/target/iscsi/iscsi_target_login.h ++++ b/drivers/target/iscsi/iscsi_target_login.h +@@ -12,7 +12,8 @@ extern int iscsit_accept_np(struct iscsi_np *, struct iscsi_conn *); + extern int iscsit_get_login_rx(struct iscsi_conn *, struct iscsi_login *); + extern int iscsit_put_login_tx(struct iscsi_conn *, struct iscsi_login *, u32); + extern void iscsit_free_conn(struct iscsi_np *, struct iscsi_conn *); +-extern int iscsi_post_login_handler(struct iscsi_np *, struct iscsi_conn *, u8); ++extern int iscsit_start_kthreads(struct iscsi_conn *); ++extern void iscsi_post_login_handler(struct iscsi_np *, struct iscsi_conn *, u8); + extern void iscsi_target_login_sess_out(struct iscsi_conn *, struct iscsi_np *, + bool, bool); + extern int iscsi_target_login_thread(void *); +diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c +index 582ba84..25ad113 100644 +--- a/drivers/target/iscsi/iscsi_target_nego.c ++++ b/drivers/target/iscsi/iscsi_target_nego.c +@@ -17,6 +17,7 @@ + ******************************************************************************/ + + #include <linux/ctype.h> ++#include <linux/kthread.h> + #include <scsi/iscsi_proto.h> + #include <target/target_core_base.h> + #include <target/target_core_fabric.h> +@@ -361,10 +362,24 @@ static int iscsi_target_do_tx_login_io(struct iscsi_conn *conn, struct iscsi_log + ntohl(login_rsp->statsn), login->rsp_length); + + padding = ((-login->rsp_length) & 3); ++ /* ++ * Before sending the last login response containing the transition ++ * bit for full-feature-phase, go ahead and start up TX/RX threads ++ * now to avoid potential resource allocation failures after the ++ * final login response has been sent. ++ */ ++ if (login->login_complete) { ++ int rc = iscsit_start_kthreads(conn); ++ if (rc) { ++ iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, ++ ISCSI_LOGIN_STATUS_NO_RESOURCES); ++ return -1; ++ } ++ } + + if (conn->conn_transport->iscsit_put_login_tx(conn, login, + login->rsp_length + padding) < 0) +- return -1; ++ goto err; + + login->rsp_length = 0; + mutex_lock(&sess->cmdsn_mutex); +@@ -373,6 +388,23 @@ static int iscsi_target_do_tx_login_io(struct iscsi_conn *conn, struct iscsi_log + mutex_unlock(&sess->cmdsn_mutex); + + return 0; ++ ++err: ++ if (login->login_complete) { ++ if (conn->rx_thread && conn->rx_thread_active) { ++ send_sig(SIGINT, conn->rx_thread, 1); ++ kthread_stop(conn->rx_thread); ++ } ++ if (conn->tx_thread && conn->tx_thread_active) { ++ send_sig(SIGINT, conn->tx_thread, 1); ++ kthread_stop(conn->tx_thread); ++ } ++ spin_lock(&iscsit_global->ts_bitmap_lock); ++ bitmap_release_region(iscsit_global->ts_bitmap, conn->bitmap_id, ++ get_order(1)); ++ spin_unlock(&iscsit_global->ts_bitmap_lock); ++ } ++ return -1; + } + + static void iscsi_target_sk_data_ready(struct sock *sk, int count) +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index bcc43a2..a365e97 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -86,7 +86,7 @@ dma_addr_t xhci_trb_virt_to_dma(struct xhci_segment *seg, + return 0; + /* offset in TRBs */ + segment_offset = trb - seg->trbs; +- if (segment_offset > TRBS_PER_SEGMENT) ++ if (segment_offset >= TRBS_PER_SEGMENT) + return 0; + return seg->dma + (segment_offset * sizeof(*trb)); + } +diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c +index 74a9375..89c55d4 100644 +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -289,6 +289,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68AA, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, ++ { USB_DEVICE(0x1199, 0x68AB) }, /* Sierra Wireless AR8550 */ + /* AT&T Direct IP LTE modems */ + { USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68AA, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c +index 073b4a1..ff3c98f 100644 +--- a/drivers/xen/gntdev.c ++++ b/drivers/xen/gntdev.c +@@ -529,12 +529,14 @@ static int gntdev_release(struct inode *inode, struct file *flip) + + pr_debug("priv %p\n", priv); + ++ mutex_lock(&priv->lock); + while (!list_empty(&priv->maps)) { + map = list_entry(priv->maps.next, struct grant_map, next); + list_del(&map->next); + gntdev_put_map(NULL /* already removed */, map); + } + WARN_ON(!list_empty(&priv->freeable_maps)); ++ mutex_unlock(&priv->lock); + + if (use_ptemod) + mmu_notifier_unregister(&priv->mn, priv->mm); +diff --git a/fs/dcache.c b/fs/dcache.c +index 3d2f27b..df323f8 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -244,17 +244,8 @@ static void __d_free(struct rcu_head *head) + kmem_cache_free(dentry_cache, dentry); + } + +-/* +- * no locks, please. +- */ +-static void d_free(struct dentry *dentry) ++static void dentry_free(struct dentry *dentry) + { +- WARN_ON(!hlist_unhashed(&dentry->d_u.d_alias)); +- BUG_ON((int)dentry->d_lockref.count > 0); +- this_cpu_dec(nr_dentry); +- if (dentry->d_op && dentry->d_op->d_release) +- dentry->d_op->d_release(dentry); +- + /* if dentry was never visible to RCU, immediate free is OK */ + if (!(dentry->d_flags & DCACHE_RCUACCESS)) + __d_free(&dentry->d_u.d_rcu); +@@ -402,56 +393,6 @@ static void dentry_lru_add(struct dentry *dentry) + d_lru_add(dentry); + } + +-/* +- * Remove a dentry with references from the LRU. +- * +- * If we are on the shrink list, then we can get to try_prune_one_dentry() and +- * lose our last reference through the parent walk. In this case, we need to +- * remove ourselves from the shrink list, not the LRU. +- */ +-static void dentry_lru_del(struct dentry *dentry) +-{ +- if (dentry->d_flags & DCACHE_LRU_LIST) { +- if (dentry->d_flags & DCACHE_SHRINK_LIST) +- return d_shrink_del(dentry); +- d_lru_del(dentry); +- } +-} +- +-/** +- * d_kill - kill dentry and return parent +- * @dentry: dentry to kill +- * @parent: parent dentry +- * +- * The dentry must already be unhashed and removed from the LRU. +- * +- * If this is the root of the dentry tree, return NULL. +- * +- * dentry->d_lock and parent->d_lock must be held by caller, and are dropped by +- * d_kill. +- */ +-static struct dentry *d_kill(struct dentry *dentry, struct dentry *parent) +- __releases(dentry->d_lock) +- __releases(parent->d_lock) +- __releases(dentry->d_inode->i_lock) +-{ +- __list_del_entry(&dentry->d_child); +- /* +- * Inform d_walk() that we are no longer attached to the +- * dentry tree +- */ +- dentry->d_flags |= DCACHE_DENTRY_KILLED; +- if (parent) +- spin_unlock(&parent->d_lock); +- dentry_iput(dentry); +- /* +- * dentry_iput drops the locks, at which point nobody (except +- * transient RCU lookups) can reach this dentry. +- */ +- d_free(dentry); +- return parent; +-} +- + /** + * d_drop - drop a dentry + * @dentry: dentry to drop +@@ -509,7 +450,14 @@ dentry_kill(struct dentry *dentry, int unlock_on_failure) + __releases(dentry->d_lock) + { + struct inode *inode; +- struct dentry *parent; ++ struct dentry *parent = NULL; ++ bool can_free = true; ++ ++ if (unlikely(dentry->d_flags & DCACHE_DENTRY_KILLED)) { ++ can_free = dentry->d_flags & DCACHE_MAY_FREE; ++ spin_unlock(&dentry->d_lock); ++ goto out; ++ } + + inode = dentry->d_inode; + if (inode && !spin_trylock(&inode->i_lock)) { +@@ -520,9 +468,7 @@ relock: + } + return dentry; /* try again with same dentry */ + } +- if (IS_ROOT(dentry)) +- parent = NULL; +- else ++ if (!IS_ROOT(dentry)) + parent = dentry->d_parent; + if (parent && !spin_trylock(&parent->d_lock)) { + if (inode) +@@ -542,10 +488,40 @@ relock: + if ((dentry->d_flags & DCACHE_OP_PRUNE) && !d_unhashed(dentry)) + dentry->d_op->d_prune(dentry); + +- dentry_lru_del(dentry); ++ if (dentry->d_flags & DCACHE_LRU_LIST) { ++ if (!(dentry->d_flags & DCACHE_SHRINK_LIST)) ++ d_lru_del(dentry); ++ } + /* if it was on the hash then remove it */ + __d_drop(dentry); +- return d_kill(dentry, parent); ++ __list_del_entry(&dentry->d_child); ++ /* ++ * Inform d_walk() that we are no longer attached to the ++ * dentry tree ++ */ ++ dentry->d_flags |= DCACHE_DENTRY_KILLED; ++ if (parent) ++ spin_unlock(&parent->d_lock); ++ dentry_iput(dentry); ++ /* ++ * dentry_iput drops the locks, at which point nobody (except ++ * transient RCU lookups) can reach this dentry. ++ */ ++ BUG_ON((int)dentry->d_lockref.count > 0); ++ this_cpu_dec(nr_dentry); ++ if (dentry->d_op && dentry->d_op->d_release) ++ dentry->d_op->d_release(dentry); ++ ++ spin_lock(&dentry->d_lock); ++ if (dentry->d_flags & DCACHE_SHRINK_LIST) { ++ dentry->d_flags |= DCACHE_MAY_FREE; ++ can_free = false; ++ } ++ spin_unlock(&dentry->d_lock); ++out: ++ if (likely(can_free)) ++ dentry_free(dentry); ++ return parent; + } + + /* +@@ -817,65 +793,13 @@ restart: + } + EXPORT_SYMBOL(d_prune_aliases); + +-/* +- * Try to throw away a dentry - free the inode, dput the parent. +- * Requires dentry->d_lock is held, and dentry->d_count == 0. +- * Releases dentry->d_lock. +- * +- * This may fail if locks cannot be acquired no problem, just try again. +- */ +-static struct dentry * try_prune_one_dentry(struct dentry *dentry) +- __releases(dentry->d_lock) +-{ +- struct dentry *parent; +- +- parent = dentry_kill(dentry, 0); +- /* +- * If dentry_kill returns NULL, we have nothing more to do. +- * if it returns the same dentry, trylocks failed. In either +- * case, just loop again. +- * +- * Otherwise, we need to prune ancestors too. This is necessary +- * to prevent quadratic behavior of shrink_dcache_parent(), but +- * is also expected to be beneficial in reducing dentry cache +- * fragmentation. +- */ +- if (!parent) +- return NULL; +- if (parent == dentry) +- return dentry; +- +- /* Prune ancestors. */ +- dentry = parent; +- while (dentry) { +- if (lockref_put_or_lock(&dentry->d_lockref)) +- return NULL; +- dentry = dentry_kill(dentry, 1); +- } +- return NULL; +-} +- + static void shrink_dentry_list(struct list_head *list) + { +- struct dentry *dentry; ++ struct dentry *dentry, *parent; + +- rcu_read_lock(); +- for (;;) { +- dentry = list_entry_rcu(list->prev, struct dentry, d_lru); +- if (&dentry->d_lru == list) +- break; /* empty */ +- +- /* +- * Get the dentry lock, and re-verify that the dentry is +- * this on the shrinking list. If it is, we know that +- * DCACHE_SHRINK_LIST and DCACHE_LRU_LIST are set. +- */ ++ while (!list_empty(list)) { ++ dentry = list_entry(list->prev, struct dentry, d_lru); + spin_lock(&dentry->d_lock); +- if (dentry != list_entry(list->prev, struct dentry, d_lru)) { +- spin_unlock(&dentry->d_lock); +- continue; +- } +- + /* + * The dispose list is isolated and dentries are not accounted + * to the LRU here, so we can simply remove it from the list +@@ -887,30 +811,38 @@ static void shrink_dentry_list(struct list_head *list) + * We found an inuse dentry which was not removed from + * the LRU because of laziness during lookup. Do not free it. + */ +- if (dentry->d_lockref.count) { ++ if ((int)dentry->d_lockref.count > 0) { + spin_unlock(&dentry->d_lock); + continue; + } +- rcu_read_unlock(); + ++ parent = dentry_kill(dentry, 0); + /* +- * If 'try_to_prune()' returns a dentry, it will +- * be the same one we passed in, and d_lock will +- * have been held the whole time, so it will not +- * have been added to any other lists. We failed +- * to get the inode lock. +- * +- * We just add it back to the shrink list. ++ * If dentry_kill returns NULL, we have nothing more to do. + */ +- dentry = try_prune_one_dentry(dentry); ++ if (!parent) ++ continue; + +- rcu_read_lock(); +- if (dentry) { ++ if (unlikely(parent == dentry)) { ++ /* ++ * trylocks have failed and d_lock has been held the ++ * whole time, so it could not have been added to any ++ * other lists. Just add it back to the shrink list. ++ */ + d_shrink_add(dentry, list); + spin_unlock(&dentry->d_lock); ++ continue; + } ++ /* ++ * We need to prune ancestors too. This is necessary to prevent ++ * quadratic behavior of shrink_dcache_parent(), but is also ++ * expected to be beneficial in reducing dentry cache ++ * fragmentation. ++ */ ++ dentry = parent; ++ while (dentry && !lockref_put_or_lock(&dentry->d_lockref)) ++ dentry = dentry_kill(dentry, 1); + } +- rcu_read_unlock(); + } + + static enum lru_status +@@ -1264,34 +1196,23 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry) + if (data->start == dentry) + goto out; + +- /* +- * move only zero ref count dentries to the dispose list. +- * +- * Those which are presently on the shrink list, being processed +- * by shrink_dentry_list(), shouldn't be moved. Otherwise the +- * loop in shrink_dcache_parent() might not make any progress +- * and loop forever. +- */ +- if (dentry->d_lockref.count) { +- dentry_lru_del(dentry); +- } else if (!(dentry->d_flags & DCACHE_SHRINK_LIST)) { +- /* +- * We can't use d_lru_shrink_move() because we +- * need to get the global LRU lock and do the +- * LRU accounting. +- */ +- d_lru_del(dentry); +- d_shrink_add(dentry, &data->dispose); ++ if (dentry->d_flags & DCACHE_SHRINK_LIST) { + data->found++; +- ret = D_WALK_NORETRY; ++ } else { ++ if (dentry->d_flags & DCACHE_LRU_LIST) ++ d_lru_del(dentry); ++ if (!dentry->d_lockref.count) { ++ d_shrink_add(dentry, &data->dispose); ++ data->found++; ++ } + } + /* + * We can return to the caller if we have found some (this + * ensures forward progress). We'll be coming back to find + * the rest. + */ +- if (data->found && need_resched()) +- ret = D_WALK_QUIT; ++ if (!list_empty(&data->dispose)) ++ ret = need_resched() ? D_WALK_QUIT : D_WALK_NORETRY; + out: + return ret; + } +@@ -1321,45 +1242,35 @@ void shrink_dcache_parent(struct dentry *parent) + } + EXPORT_SYMBOL(shrink_dcache_parent); + +-static enum d_walk_ret umount_collect(void *_data, struct dentry *dentry) ++static enum d_walk_ret umount_check(void *_data, struct dentry *dentry) + { +- struct select_data *data = _data; +- enum d_walk_ret ret = D_WALK_CONTINUE; ++ /* it has busy descendents; complain about those instead */ ++ if (!list_empty(&dentry->d_subdirs)) ++ return D_WALK_CONTINUE; + +- if (dentry->d_lockref.count) { +- dentry_lru_del(dentry); +- if (likely(!list_empty(&dentry->d_subdirs))) +- goto out; +- if (dentry == data->start && dentry->d_lockref.count == 1) +- goto out; +- printk(KERN_ERR +- "BUG: Dentry %p{i=%lx,n=%s}" +- " still in use (%d)" +- " [unmount of %s %s]\n", ++ /* root with refcount 1 is fine */ ++ if (dentry == _data && dentry->d_lockref.count == 1) ++ return D_WALK_CONTINUE; ++ ++ printk(KERN_ERR "BUG: Dentry %p{i=%lx,n=%pd} " ++ " still in use (%d) [unmount of %s %s]\n", + dentry, + dentry->d_inode ? + dentry->d_inode->i_ino : 0UL, +- dentry->d_name.name, ++ dentry, + dentry->d_lockref.count, + dentry->d_sb->s_type->name, + dentry->d_sb->s_id); +- BUG(); +- } else if (!(dentry->d_flags & DCACHE_SHRINK_LIST)) { +- /* +- * We can't use d_lru_shrink_move() because we +- * need to get the global LRU lock and do the +- * LRU accounting. +- */ +- if (dentry->d_flags & DCACHE_LRU_LIST) +- d_lru_del(dentry); +- d_shrink_add(dentry, &data->dispose); +- data->found++; +- ret = D_WALK_NORETRY; +- } +-out: +- if (data->found && need_resched()) +- ret = D_WALK_QUIT; +- return ret; ++ WARN_ON(1); ++ return D_WALK_CONTINUE; ++} ++ ++static void do_one_tree(struct dentry *dentry) ++{ ++ shrink_dcache_parent(dentry); ++ d_walk(dentry, dentry, umount_check, NULL); ++ d_drop(dentry); ++ dput(dentry); + } + + /* +@@ -1369,40 +1280,15 @@ void shrink_dcache_for_umount(struct super_block *sb) + { + struct dentry *dentry; + +- if (down_read_trylock(&sb->s_umount)) +- BUG(); ++ WARN(down_read_trylock(&sb->s_umount), "s_umount should've been locked"); + + dentry = sb->s_root; + sb->s_root = NULL; +- for (;;) { +- struct select_data data; +- +- INIT_LIST_HEAD(&data.dispose); +- data.start = dentry; +- data.found = 0; +- +- d_walk(dentry, &data, umount_collect, NULL); +- if (!data.found) +- break; +- +- shrink_dentry_list(&data.dispose); +- cond_resched(); +- } +- d_drop(dentry); +- dput(dentry); ++ do_one_tree(dentry); + + while (!hlist_bl_empty(&sb->s_anon)) { +- struct select_data data; +- dentry = hlist_bl_entry(hlist_bl_first(&sb->s_anon), struct dentry, d_hash); +- +- INIT_LIST_HEAD(&data.dispose); +- data.start = NULL; +- data.found = 0; +- +- d_walk(dentry, &data, umount_collect, NULL); +- if (data.found) +- shrink_dentry_list(&data.dispose); +- cond_resched(); ++ dentry = dget(hlist_bl_entry(hlist_bl_first(&sb->s_anon), struct dentry, d_hash)); ++ do_one_tree(dentry); + } + } + +diff --git a/fs/namei.c b/fs/namei.c +index ccb8000..c6fa079 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3171,7 +3171,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, + + if (unlikely(file->f_flags & __O_TMPFILE)) { + error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened); +- goto out; ++ goto out2; + } + + error = path_init(dfd, pathname->name, flags | LOOKUP_PARENT, nd, &base); +@@ -3209,6 +3209,7 @@ out: + path_put(&nd->root); + if (base) + fput(base); ++out2: + if (!(opened & FILE_OPENED)) { + BUG_ON(!error); + put_filp(file); +diff --git a/fs/notify/mark.c b/fs/notify/mark.c +index 923fe4a..6bffc33 100644 +--- a/fs/notify/mark.c ++++ b/fs/notify/mark.c +@@ -293,16 +293,36 @@ void fsnotify_clear_marks_by_group_flags(struct fsnotify_group *group, + unsigned int flags) + { + struct fsnotify_mark *lmark, *mark; ++ LIST_HEAD(to_free); + ++ /* ++ * We have to be really careful here. Anytime we drop mark_mutex, e.g. ++ * fsnotify_clear_marks_by_inode() can come and free marks. Even in our ++ * to_free list so we have to use mark_mutex even when accessing that ++ * list. And freeing mark requires us to drop mark_mutex. So we can ++ * reliably free only the first mark in the list. That's why we first ++ * move marks to free to to_free list in one go and then free marks in ++ * to_free list one by one. ++ */ + mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING); + list_for_each_entry_safe(mark, lmark, &group->marks_list, g_list) { +- if (mark->flags & flags) { +- fsnotify_get_mark(mark); +- fsnotify_destroy_mark_locked(mark, group); +- fsnotify_put_mark(mark); +- } ++ if (mark->flags & flags) ++ list_move(&mark->g_list, &to_free); + } + mutex_unlock(&group->mark_mutex); ++ ++ while (1) { ++ mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING); ++ if (list_empty(&to_free)) { ++ mutex_unlock(&group->mark_mutex); ++ break; ++ } ++ mark = list_first_entry(&to_free, struct fsnotify_mark, g_list); ++ fsnotify_get_mark(mark); ++ fsnotify_destroy_mark_locked(mark, group); ++ mutex_unlock(&group->mark_mutex); ++ fsnotify_put_mark(mark); ++ } + } + + /* +diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c +index 1998695..fa74259 100644 +--- a/fs/ocfs2/dlmglue.c ++++ b/fs/ocfs2/dlmglue.c +@@ -3973,9 +3973,13 @@ static void ocfs2_downconvert_thread_do_work(struct ocfs2_super *osb) + osb->dc_work_sequence = osb->dc_wake_sequence; + + processed = osb->blocked_lock_count; +- while (processed) { +- BUG_ON(list_empty(&osb->blocked_lock_list)); +- ++ /* ++ * blocked lock processing in this loop might call iput which can ++ * remove items off osb->blocked_lock_list. Downconvert up to ++ * 'processed' number of locks, but stop short if we had some ++ * removed in ocfs2_mark_lockres_freeing when downconverting. ++ */ ++ while (processed && !list_empty(&osb->blocked_lock_list)) { + lockres = list_entry(osb->blocked_lock_list.next, + struct ocfs2_lock_res, l_blocked_list); + list_del_init(&lockres->l_blocked_list); +diff --git a/fs/signalfd.c b/fs/signalfd.c +index 424b7b6..148f8e7 100644 +--- a/fs/signalfd.c ++++ b/fs/signalfd.c +@@ -121,8 +121,9 @@ static int signalfd_copyinfo(struct signalfd_siginfo __user *uinfo, + * Other callers might not initialize the si_lsb field, + * so check explicitly for the right codes here. + */ +- if (kinfo->si_code == BUS_MCEERR_AR || +- kinfo->si_code == BUS_MCEERR_AO) ++ if (kinfo->si_signo == SIGBUS && ++ (kinfo->si_code == BUS_MCEERR_AR || ++ kinfo->si_code == BUS_MCEERR_AO)) + err |= __put_user((short) kinfo->si_addr_lsb, + &uinfo->ssi_addr_lsb); + #endif +diff --git a/include/linux/dcache.h b/include/linux/dcache.h +index 0f0eb1c..2a23ecb 100644 +--- a/include/linux/dcache.h ++++ b/include/linux/dcache.h +@@ -221,6 +221,8 @@ struct dentry_operations { + #define DCACHE_SYMLINK_TYPE 0x00300000 /* Symlink */ + #define DCACHE_FILE_TYPE 0x00400000 /* Other file type */ + ++#define DCACHE_MAY_FREE 0x00800000 ++ + extern seqlock_t rename_lock; + + static inline int dname_external(const struct dentry *dentry) +diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h +index 30db069..788c5aa 100644 +--- a/include/uapi/linux/pci_regs.h ++++ b/include/uapi/linux/pci_regs.h +@@ -319,6 +319,7 @@ + #define PCI_MSIX_PBA 8 /* Pending Bit Array offset */ + #define PCI_MSIX_PBA_BIR 0x00000007 /* BAR index */ + #define PCI_MSIX_PBA_OFFSET 0xfffffff8 /* Offset into specified BAR */ ++#define PCI_MSIX_FLAGS_BIRMASK PCI_MSIX_PBA_BIR /* deprecated */ + #define PCI_CAP_MSIX_SIZEOF 12 /* size of MSIX registers */ + + /* MSI-X Table entry format */ +diff --git a/ipc/mqueue.c b/ipc/mqueue.c +index c3b3117..9699d3f 100644 +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -143,7 +143,6 @@ static int msg_insert(struct msg_msg *msg, struct mqueue_inode_info *info) + if (!leaf) + return -ENOMEM; + INIT_LIST_HEAD(&leaf->msg_list); +- info->qsize += sizeof(*leaf); + } + leaf->priority = msg->m_type; + rb_link_node(&leaf->rb_node, parent, p); +@@ -188,7 +187,6 @@ try_again: + "lazy leaf delete!\n"); + rb_erase(&leaf->rb_node, &info->msg_tree); + if (info->node_cache) { +- info->qsize -= sizeof(*leaf); + kfree(leaf); + } else { + info->node_cache = leaf; +@@ -201,7 +199,6 @@ try_again: + if (list_empty(&leaf->msg_list)) { + rb_erase(&leaf->rb_node, &info->msg_tree); + if (info->node_cache) { +- info->qsize -= sizeof(*leaf); + kfree(leaf); + } else { + info->node_cache = leaf; +@@ -1026,7 +1023,6 @@ SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqdes, const char __user *, u_msg_ptr, + /* Save our speculative allocation into the cache */ + INIT_LIST_HEAD(&new_leaf->msg_list); + info->node_cache = new_leaf; +- info->qsize += sizeof(*new_leaf); + new_leaf = NULL; + } else { + kfree(new_leaf); +@@ -1133,7 +1129,6 @@ SYSCALL_DEFINE5(mq_timedreceive, mqd_t, mqdes, char __user *, u_msg_ptr, + /* Save our speculative allocation into the cache */ + INIT_LIST_HEAD(&new_leaf->msg_list); + info->node_cache = new_leaf; +- info->qsize += sizeof(*new_leaf); + } else { + kfree(new_leaf); + } +diff --git a/kernel/signal.c b/kernel/signal.c +index 52f881d..15c22ee 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2768,7 +2768,8 @@ int copy_siginfo_to_user(siginfo_t __user *to, const siginfo_t *from) + * Other callers might not initialize the si_lsb field, + * so check explicitly for the right codes here. + */ +- if (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO) ++ if (from->si_signo == SIGBUS && ++ (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO)) + err |= __put_user(from->si_addr_lsb, &to->si_addr_lsb); + #endif + break; +@@ -3035,7 +3036,7 @@ COMPAT_SYSCALL_DEFINE3(rt_sigqueueinfo, + int, sig, + struct compat_siginfo __user *, uinfo) + { +- siginfo_t info; ++ siginfo_t info = {}; + int ret = copy_siginfo_from_user32(&info, uinfo); + if (unlikely(ret)) + return ret; +@@ -3081,7 +3082,7 @@ COMPAT_SYSCALL_DEFINE4(rt_tgsigqueueinfo, + int, sig, + struct compat_siginfo __user *, uinfo) + { +- siginfo_t info; ++ siginfo_t info = {}; + + if (copy_siginfo_from_user32(&info, uinfo)) + return -EFAULT; +diff --git a/mm/vmscan.c b/mm/vmscan.c +index b850ced6..88edf53 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -871,21 +871,17 @@ static unsigned long shrink_page_list(struct list_head *page_list, + * + * 2) Global reclaim encounters a page, memcg encounters a + * page that is not marked for immediate reclaim or +- * the caller does not have __GFP_IO. In this case mark ++ * the caller does not have __GFP_FS (or __GFP_IO if it's ++ * simply going to swap, not to fs). In this case mark + * the page for immediate reclaim and continue scanning. + * +- * __GFP_IO is checked because a loop driver thread might ++ * Require may_enter_fs because we would wait on fs, which ++ * may not have submitted IO yet. And the loop driver might + * enter reclaim, and deadlock if it waits on a page for + * which it is needed to do the write (loop masks off + * __GFP_IO|__GFP_FS for this reason); but more thought + * would probably show more reasons. + * +- * Don't require __GFP_FS, since we're not going into the +- * FS, just waiting on its writeback completion. Worryingly, +- * ext4 gfs2 and xfs allocate pages with +- * grab_cache_page_write_begin(,,AOP_FLAG_NOFS), so testing +- * may_enter_fs here is liable to OOM on them. +- * + * 3) memcg encounters a page that is not already marked + * PageReclaim. memcg does not have any dirty pages + * throttling so we could easily OOM just because too many +@@ -902,7 +898,7 @@ static unsigned long shrink_page_list(struct list_head *page_list, + + /* Case 2 above */ + } else if (global_reclaim(sc) || +- !PageReclaim(page) || !(sc->gfp_mask & __GFP_IO)) { ++ !PageReclaim(page) || !may_enter_fs) { + /* + * This is slightly racy - end_page_writeback() + * might have just cleared PageReclaim, then +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 085c496..9d8e420 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -27,6 +27,8 @@ + #define IMA_UID 0x0008 + #define IMA_FOWNER 0x0010 + #define IMA_FSUUID 0x0020 ++#define IMA_INMASK 0x0040 ++#define IMA_EUID 0x0080 + + #define UNKNOWN 0 + #define MEASURE 0x0001 /* same as IMA_MEASURE */ +@@ -171,6 +173,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, + return false; + if ((rule->flags & IMA_MASK) && rule->mask != mask) + return false; ++ if ((rule->flags & IMA_INMASK) && ++ (!(rule->mask & mask) && func != POST_SETATTR)) ++ return false; + if ((rule->flags & IMA_FSMAGIC) + && rule->fsmagic != inode->i_sb->s_magic) + return false; +@@ -179,6 +184,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule, + return false; + if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid)) + return false; ++ if (rule->flags & IMA_EUID) { ++ if (has_capability_noaudit(current, CAP_SETUID)) { ++ if (!uid_eq(rule->uid, cred->euid) ++ && !uid_eq(rule->uid, cred->suid) ++ && !uid_eq(rule->uid, cred->uid)) ++ return false; ++ } else if (!uid_eq(rule->uid, cred->euid)) ++ return false; ++ } ++ + if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid)) + return false; + for (i = 0; i < MAX_LSM_RULES; i++) { +@@ -350,7 +365,8 @@ enum { + Opt_audit, + Opt_obj_user, Opt_obj_role, Opt_obj_type, + Opt_subj_user, Opt_subj_role, Opt_subj_type, +- Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner, ++ Opt_func, Opt_mask, Opt_fsmagic, ++ Opt_uid, Opt_euid, Opt_fowner, + Opt_appraise_type, Opt_fsuuid, Opt_permit_directio + }; + +@@ -371,6 +387,7 @@ static match_table_t policy_tokens = { + {Opt_fsmagic, "fsmagic=%s"}, + {Opt_fsuuid, "fsuuid=%s"}, + {Opt_uid, "uid=%s"}, ++ {Opt_euid, "euid=%s"}, + {Opt_fowner, "fowner=%s"}, + {Opt_appraise_type, "appraise_type=%s"}, + {Opt_permit_directio, "permit_directio"}, +@@ -412,6 +429,7 @@ static void ima_log_string(struct audit_buffer *ab, char *key, char *value) + static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) + { + struct audit_buffer *ab; ++ char *from; + char *p; + int result = 0; + +@@ -500,18 +518,23 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) + if (entry->mask) + result = -EINVAL; + +- if ((strcmp(args[0].from, "MAY_EXEC")) == 0) ++ from = args[0].from; ++ if (*from == '^') ++ from++; ++ ++ if ((strcmp(from, "MAY_EXEC")) == 0) + entry->mask = MAY_EXEC; +- else if (strcmp(args[0].from, "MAY_WRITE") == 0) ++ else if (strcmp(from, "MAY_WRITE") == 0) + entry->mask = MAY_WRITE; +- else if (strcmp(args[0].from, "MAY_READ") == 0) ++ else if (strcmp(from, "MAY_READ") == 0) + entry->mask = MAY_READ; +- else if (strcmp(args[0].from, "MAY_APPEND") == 0) ++ else if (strcmp(from, "MAY_APPEND") == 0) + entry->mask = MAY_APPEND; + else + result = -EINVAL; + if (!result) +- entry->flags |= IMA_MASK; ++ entry->flags |= (*args[0].from == '^') ++ ? IMA_INMASK : IMA_MASK; + break; + case Opt_fsmagic: + ima_log_string(ab, "fsmagic", args[0].from); +@@ -542,6 +565,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) + break; + case Opt_uid: + ima_log_string(ab, "uid", args[0].from); ++ case Opt_euid: ++ if (token == Opt_euid) ++ ima_log_string(ab, "euid", args[0].from); + + if (uid_valid(entry->uid)) { + result = -EINVAL; +@@ -550,11 +576,14 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) + + result = strict_strtoul(args[0].from, 10, &lnum); + if (!result) { +- entry->uid = make_kuid(current_user_ns(), (uid_t)lnum); +- if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum)) ++ entry->uid = make_kuid(current_user_ns(), ++ (uid_t) lnum); ++ if (!uid_valid(entry->uid) || ++ (uid_t)lnum != lnum) + result = -EINVAL; + else +- entry->flags |= IMA_UID; ++ entry->flags |= (token == Opt_uid) ++ ? IMA_UID : IMA_EUID; + } + break; + case Opt_fowner: +diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c +index 51e2080..7b0aac9 100644 +--- a/sound/pci/hda/patch_cirrus.c ++++ b/sound/pci/hda/patch_cirrus.c +@@ -1002,9 +1002,7 @@ static void cs4210_spdif_automute(struct hda_codec *codec, + + spec->spdif_present = spdif_present; + /* SPDIF TX on/off */ +- if (spdif_present) +- snd_hda_set_pin_ctl(codec, spdif_pin, +- spdif_present ? PIN_OUT : 0); ++ snd_hda_set_pin_ctl(codec, spdif_pin, spdif_present ? PIN_OUT : 0); + + cs_automute(codec); + } +diff --git a/sound/soc/codecs/pcm1681.c b/sound/soc/codecs/pcm1681.c +index 651e2fe..dfa9755 100644 +--- a/sound/soc/codecs/pcm1681.c ++++ b/sound/soc/codecs/pcm1681.c +@@ -102,7 +102,7 @@ static int pcm1681_set_deemph(struct snd_soc_codec *codec) + + if (val != -1) { + regmap_update_bits(priv->regmap, PCM1681_DEEMPH_CONTROL, +- PCM1681_DEEMPH_RATE_MASK, val); ++ PCM1681_DEEMPH_RATE_MASK, val << 3); + enable = 1; + } else + enable = 0; diff --git a/3.14.50/4420_grsecurity-3.1-3.14.50-201508142232.patch b/3.14.51/4420_grsecurity-3.1-3.14.51-201508181951.patch index f556dbc..80024c4 100644 --- a/3.14.50/4420_grsecurity-3.1-3.14.50-201508142232.patch +++ b/3.14.51/4420_grsecurity-3.1-3.14.51-201508181951.patch @@ -328,7 +328,7 @@ index 855d9b3..154c500 100644 A toggle value indicating if modules are allowed to be loaded diff --git a/Makefile b/Makefile -index d71c40a..4d15036 100644 +index 83275d8e..235ffae 100644 --- a/Makefile +++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -2174,10 +2174,10 @@ index c4ae171..ea0c0c2 100644 extern struct psci_operations psci_ops; extern struct smp_operations psci_smp_ops; diff --git a/arch/arm/include/asm/smp.h b/arch/arm/include/asm/smp.h -index 22a3b9b..7f214ee 100644 +index 4157aec..375a858 100644 --- a/arch/arm/include/asm/smp.h +++ b/arch/arm/include/asm/smp.h -@@ -112,7 +112,7 @@ struct smp_operations { +@@ -113,7 +113,7 @@ struct smp_operations { int (*cpu_disable)(unsigned int cpu); #endif #endif @@ -3721,7 +3721,7 @@ index 78c02b3..c94109a 100644 struct omap_device *omap_device_alloc(struct platform_device *pdev, struct omap_hwmod **ohs, int oh_cnt); diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c -index 4551efd..d487c24 100644 +index 399af1e..ead318a5 100644 --- a/arch/arm/mach-omap2/omap_hwmod.c +++ b/arch/arm/mach-omap2/omap_hwmod.c @@ -194,10 +194,10 @@ struct omap_hwmod_soc_ops { @@ -6932,7 +6932,7 @@ index b336037..5b874cc 100644 /* diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h -index 008324d..f67c239 100644 +index b154953..f5e6871 100644 --- a/arch/mips/include/asm/pgtable.h +++ b/arch/mips/include/asm/pgtable.h @@ -20,6 +20,9 @@ @@ -8965,10 +8965,10 @@ index 2e3d2bf..35df241 100644 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c -index 4e47db6..6dcc96e 100644 +index e881e3f..0fed4bce 100644 --- a/arch/powerpc/kernel/signal_32.c +++ b/arch/powerpc/kernel/signal_32.c -@@ -1013,7 +1013,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka, +@@ -1011,7 +1011,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka, /* Save user registers on the stack */ frame = &rt_sf->uc.uc_mcontext; addr = frame; @@ -10431,40 +10431,6 @@ index ad7e178..26cd4a7 100644 if (unlikely(ret)) ret = copy_to_user_fixup(to, from, size); return ret; -diff --git a/arch/sparc/include/asm/visasm.h b/arch/sparc/include/asm/visasm.h -index 11fdf0e..50d6f16 100644 ---- a/arch/sparc/include/asm/visasm.h -+++ b/arch/sparc/include/asm/visasm.h -@@ -28,16 +28,10 @@ - * Must preserve %o5 between VISEntryHalf and VISExitHalf */ - - #define VISEntryHalf \ -- rd %fprs, %o5; \ -- andcc %o5, FPRS_FEF, %g0; \ -- be,pt %icc, 297f; \ -- sethi %hi(298f), %g7; \ -- sethi %hi(VISenterhalf), %g1; \ -- jmpl %g1 + %lo(VISenterhalf), %g0; \ -- or %g7, %lo(298f), %g7; \ -- clr %o5; \ --297: wr %o5, FPRS_FEF, %fprs; \ --298: -+ VISEntry -+ -+#define VISExitHalf \ -+ VISExit - - #define VISEntryHalfFast(fail_label) \ - rd %fprs, %o5; \ -@@ -47,7 +41,7 @@ - ba,a,pt %xcc, fail_label; \ - 297: wr %o5, FPRS_FEF, %fprs; - --#define VISExitHalf \ -+#define VISExitHalfFast \ - wr %o5, 0, %fprs; - - #ifndef __ASSEMBLY__ diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile index d15cc17..d0ae796 100644 --- a/arch/sparc/kernel/Makefile @@ -11126,105 +11092,6 @@ index dbe119b..089c7c1 100644 lib-$(CONFIG_SPARC32) += ashrdi3.o lib-$(CONFIG_SPARC32) += memcpy.o memset.o -diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S -index 140527a..83aeeb1 100644 ---- a/arch/sparc/lib/NG4memcpy.S -+++ b/arch/sparc/lib/NG4memcpy.S -@@ -240,8 +240,11 @@ FUNC_NAME: /* %o0=dst, %o1=src, %o2=len */ - add %o0, 0x40, %o0 - bne,pt %icc, 1b - LOAD(prefetch, %g1 + 0x200, #n_reads_strong) -+#ifdef NON_USER_COPY -+ VISExitHalfFast -+#else - VISExitHalf -- -+#endif - brz,pn %o2, .Lexit - cmp %o2, 19 - ble,pn %icc, .Lsmall_unaligned -diff --git a/arch/sparc/lib/VISsave.S b/arch/sparc/lib/VISsave.S -index b320ae9..a063d84 100644 ---- a/arch/sparc/lib/VISsave.S -+++ b/arch/sparc/lib/VISsave.S -@@ -44,9 +44,8 @@ vis1: ldub [%g6 + TI_FPSAVED], %g3 - - stx %g3, [%g6 + TI_GSR] - 2: add %g6, %g1, %g3 -- cmp %o5, FPRS_DU -- be,pn %icc, 6f -- sll %g1, 3, %g1 -+ mov FPRS_DU | FPRS_DL | FPRS_FEF, %o5 -+ sll %g1, 3, %g1 - stb %o5, [%g3 + TI_FPSAVED] - rd %gsr, %g2 - add %g6, %g1, %g3 -@@ -80,65 +79,3 @@ vis1: ldub [%g6 + TI_FPSAVED], %g3 - .align 32 - 80: jmpl %g7 + %g0, %g0 - nop -- --6: ldub [%g3 + TI_FPSAVED], %o5 -- or %o5, FPRS_DU, %o5 -- add %g6, TI_FPREGS+0x80, %g2 -- stb %o5, [%g3 + TI_FPSAVED] -- -- sll %g1, 5, %g1 -- add %g6, TI_FPREGS+0xc0, %g3 -- wr %g0, FPRS_FEF, %fprs -- membar #Sync -- stda %f32, [%g2 + %g1] ASI_BLK_P -- stda %f48, [%g3 + %g1] ASI_BLK_P -- membar #Sync -- ba,pt %xcc, 80f -- nop -- -- .align 32 --80: jmpl %g7 + %g0, %g0 -- nop -- -- .align 32 --VISenterhalf: -- ldub [%g6 + TI_FPDEPTH], %g1 -- brnz,a,pn %g1, 1f -- cmp %g1, 1 -- stb %g0, [%g6 + TI_FPSAVED] -- stx %fsr, [%g6 + TI_XFSR] -- clr %o5 -- jmpl %g7 + %g0, %g0 -- wr %g0, FPRS_FEF, %fprs -- --1: bne,pn %icc, 2f -- srl %g1, 1, %g1 -- ba,pt %xcc, vis1 -- sub %g7, 8, %g7 --2: addcc %g6, %g1, %g3 -- sll %g1, 3, %g1 -- andn %o5, FPRS_DU, %g2 -- stb %g2, [%g3 + TI_FPSAVED] -- -- rd %gsr, %g2 -- add %g6, %g1, %g3 -- stx %g2, [%g3 + TI_GSR] -- add %g6, %g1, %g2 -- stx %fsr, [%g2 + TI_XFSR] -- sll %g1, 5, %g1 --3: andcc %o5, FPRS_DL, %g0 -- be,pn %icc, 4f -- add %g6, TI_FPREGS, %g2 -- -- add %g6, TI_FPREGS+0x40, %g3 -- membar #Sync -- stda %f0, [%g2 + %g1] ASI_BLK_P -- stda %f16, [%g3 + %g1] ASI_BLK_P -- membar #Sync -- ba,pt %xcc, 4f -- nop -- -- .align 32 --4: and %o5, FPRS_DU, %o5 -- jmpl %g7 + %g0, %g0 -- wr %o5, FPRS_FEF, %fprs diff --git a/arch/sparc/lib/atomic_64.S b/arch/sparc/lib/atomic_64.S index 85c233d..68500e0 100644 --- a/arch/sparc/lib/atomic_64.S @@ -11440,7 +11307,7 @@ index 85c233d..68500e0 100644 cmp %g1, %g7 bne,pn %xcc, BACKOFF_LABEL(2f, 1b) diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c -index 323335b..e8ee09d 100644 +index ac094de..e8ee09d 100644 --- a/arch/sparc/lib/ksyms.c +++ b/arch/sparc/lib/ksyms.c @@ -100,12 +100,18 @@ EXPORT_SYMBOL(__clear_user); @@ -11462,17 +11329,6 @@ index 323335b..e8ee09d 100644 EXPORT_SYMBOL(atomic64_sub_ret); EXPORT_SYMBOL(atomic64_dec_if_positive); -@@ -126,10 +132,6 @@ EXPORT_SYMBOL(copy_user_page); - void VISenter(void); - EXPORT_SYMBOL(VISenter); - --/* CRYPTO code needs this */ --void VISenterhalf(void); --EXPORT_SYMBOL(VISenterhalf); -- - extern void xor_vis_2(unsigned long, unsigned long *, unsigned long *); - extern void xor_vis_3(unsigned long, unsigned long *, unsigned long *, - unsigned long *); diff --git a/arch/sparc/mm/Makefile b/arch/sparc/mm/Makefile index 30c3ecc..736f015 100644 --- a/arch/sparc/mm/Makefile @@ -29202,19 +29058,6 @@ index 6456734..b845039 100644 #define APIC_LVT_NUM 6 /* 14 is the version for Xeon and Pentium 8.4.8*/ -diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h -index 6a11845..7205173 100644 ---- a/arch/x86/kvm/lapic.h -+++ b/arch/x86/kvm/lapic.h -@@ -165,7 +165,7 @@ static inline u16 apic_logical_id(struct kvm_apic_map *map, u32 ldr) - - static inline bool kvm_apic_has_events(struct kvm_vcpu *vcpu) - { -- return vcpu->arch.apic->pending_events; -+ return kvm_vcpu_has_lapic(vcpu) && vcpu->arch.apic->pending_events; - } - - bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector); diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h index cba218a..1cc1bed 100644 --- a/arch/x86/kvm/paging_tmpl.h @@ -36599,7 +36442,7 @@ index 01b9026..1e476df 100644 This is the Linux Xen port. Enabling this will allow the kernel to boot in a paravirtualized environment under the diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 201d09a..9789e51 100644 +index 2302f10..9789e51 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -123,8 +123,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); @@ -36611,75 +36454,7 @@ index 201d09a..9789e51 100644 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); __read_mostly int xen_have_vector_callback; EXPORT_SYMBOL_GPL(xen_have_vector_callback); -@@ -481,6 +479,7 @@ static void set_aliased_prot(void *v, pgprot_t prot) - pte_t pte; - unsigned long pfn; - struct page *page; -+ unsigned char dummy; - - ptep = lookup_address((unsigned long)v, &level); - BUG_ON(ptep == NULL); -@@ -490,6 +489,32 @@ static void set_aliased_prot(void *v, pgprot_t prot) - - pte = pfn_pte(pfn, prot); - -+ /* -+ * Careful: update_va_mapping() will fail if the virtual address -+ * we're poking isn't populated in the page tables. We don't -+ * need to worry about the direct map (that's always in the page -+ * tables), but we need to be careful about vmap space. In -+ * particular, the top level page table can lazily propagate -+ * entries between processes, so if we've switched mms since we -+ * vmapped the target in the first place, we might not have the -+ * top-level page table entry populated. -+ * -+ * We disable preemption because we want the same mm active when -+ * we probe the target and when we issue the hypercall. We'll -+ * have the same nominal mm, but if we're a kernel thread, lazy -+ * mm dropping could change our pgd. -+ * -+ * Out of an abundance of caution, this uses __get_user() to fault -+ * in the target address just in case there's some obscure case -+ * in which the target address isn't readable. -+ */ -+ -+ preempt_disable(); -+ -+ pagefault_disable(); /* Avoid warnings due to being atomic. */ -+ __get_user(dummy, (unsigned char __user __force *)v); -+ pagefault_enable(); -+ - if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0)) - BUG(); - -@@ -501,6 +526,8 @@ static void set_aliased_prot(void *v, pgprot_t prot) - BUG(); - } else - kmap_flush_unused(); -+ -+ preempt_enable(); - } - - static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) -@@ -508,6 +535,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) - const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE; - int i; - -+ /* -+ * We need to mark the all aliases of the LDT pages RO. We -+ * don't need to call vm_flush_aliases(), though, since that's -+ * only responsible for flushing aliases out the TLBs, not the -+ * page tables, and Xen will flush the TLB for us if needed. -+ * -+ * To avoid confusing future readers: none of this is necessary -+ * to load the LDT. The hypervisor only checks this when the -+ * LDT is faulted in due to subsequent descriptor access. -+ */ -+ - for(i = 0; i < entries; i += entries_per_page) - set_aliased_prot(ldt + i, PAGE_KERNEL_RO); - } -@@ -542,8 +580,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) +@@ -582,8 +580,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -36689,7 +36464,7 @@ index 201d09a..9789e51 100644 int f; /* -@@ -591,8 +628,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -631,8 +628,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -36699,7 +36474,7 @@ index 201d09a..9789e51 100644 int f; /* -@@ -600,7 +636,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -640,7 +636,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) * 8-byte entries, or 16 4k pages.. */ @@ -36708,7 +36483,7 @@ index 201d09a..9789e51 100644 BUG_ON(va & ~PAGE_MASK); for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) { -@@ -989,7 +1025,7 @@ static u32 xen_safe_apic_wait_icr_idle(void) +@@ -1029,7 +1025,7 @@ static u32 xen_safe_apic_wait_icr_idle(void) return 0; } @@ -36717,7 +36492,7 @@ index 201d09a..9789e51 100644 { apic->read = xen_apic_read; apic->write = xen_apic_write; -@@ -1295,30 +1331,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { +@@ -1335,30 +1331,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { #endif }; @@ -36755,7 +36530,7 @@ index 201d09a..9789e51 100644 { if (pm_power_off) pm_power_off(); -@@ -1455,8 +1491,11 @@ static void __ref xen_setup_gdt(int cpu) +@@ -1495,8 +1491,11 @@ static void __ref xen_setup_gdt(int cpu) pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot; pv_cpu_ops.load_gdt = xen_load_gdt_boot; @@ -36769,7 +36544,7 @@ index 201d09a..9789e51 100644 pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry; pv_cpu_ops.load_gdt = xen_load_gdt; -@@ -1564,7 +1603,17 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1604,7 +1603,17 @@ asmlinkage void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -36788,7 +36563,7 @@ index 201d09a..9789e51 100644 /* Get mfn list */ xen_build_dynamic_phys_to_machine(); -@@ -1592,13 +1641,6 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1632,13 +1641,6 @@ asmlinkage void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -45760,10 +45535,10 @@ index 7ef7461..5a09dac 100644 cl->fn = fn; cl->wq = wq; diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c -index 8e51b3a..bc6febf 100644 +index cc3dc0c..5ca5ec9 100644 --- a/drivers/md/bitmap.c +++ b/drivers/md/bitmap.c -@@ -1775,7 +1775,7 @@ void bitmap_status(struct seq_file *seq, struct bitmap *bitmap) +@@ -1777,7 +1777,7 @@ void bitmap_status(struct seq_file *seq, struct bitmap *bitmap) chunk_kb ? "KB" : "B"); if (bitmap->storage.file) { seq_printf(seq, ", file: "); @@ -46030,7 +45805,7 @@ index e400591..a94ae6b 100644 void dm_uevent_add(struct mapped_device *md, struct list_head *elist) diff --git a/drivers/md/md.c b/drivers/md/md.c -index b4067b9..91b08f3 100644 +index 2ffd277..91b08f3 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -194,10 +194,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev); @@ -46102,13 +45877,7 @@ index b4067b9..91b08f3 100644 INIT_LIST_HEAD(&rdev->same_set); init_waitqueue_head(&rdev->blocked_wait); -@@ -5645,16 +5645,13 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg) - char *ptr, *buf = NULL; - int err = -ENOMEM; - -- file = kmalloc(sizeof(*file), GFP_NOIO); -- -+ file = kzalloc(sizeof(*file), GFP_NOIO); +@@ -5649,11 +5649,9 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg) if (!file) goto out; @@ -46122,7 +45891,7 @@ index b4067b9..91b08f3 100644 buf = kmalloc(sizeof(file->pathname), GFP_KERNEL); if (!buf) -@@ -7079,7 +7076,7 @@ static int md_seq_show(struct seq_file *seq, void *v) +@@ -7078,7 +7076,7 @@ static int md_seq_show(struct seq_file *seq, void *v) spin_unlock(&pers_lock); seq_printf(seq, "\n"); @@ -46131,7 +45900,7 @@ index b4067b9..91b08f3 100644 return 0; } if (v == (void*)2) { -@@ -7182,7 +7179,7 @@ static int md_seq_open(struct inode *inode, struct file *file) +@@ -7181,7 +7179,7 @@ static int md_seq_open(struct inode *inode, struct file *file) return error; seq = file->private_data; @@ -46140,7 +45909,7 @@ index b4067b9..91b08f3 100644 return error; } -@@ -7196,7 +7193,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) +@@ -7195,7 +7193,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) /* always allow read */ mask = POLLIN | POLLRDNORM; @@ -46149,7 +45918,7 @@ index b4067b9..91b08f3 100644 mask |= POLLERR | POLLPRI; return mask; } -@@ -7240,7 +7237,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) +@@ -7239,7 +7237,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) struct gendisk *disk = rdev->bdev->bd_contains->bd_disk; curr_events = (int)part_stat_read(&disk->part0, sectors[0]) + (int)part_stat_read(&disk->part0, sectors[1]) - @@ -46222,10 +45991,10 @@ index 3e6d115..ffecdeb 100644 /*----------------------------------------------------------------*/ diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index 9be97e0..71b21b0 100644 +index 47b7c31..c48ab61 100644 --- a/drivers/md/raid1.c +++ b/drivers/md/raid1.c -@@ -1937,7 +1937,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) +@@ -1939,7 +1939,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) if (r1_sync_page_io(rdev, sect, s, bio->bi_io_vec[idx].bv_page, READ) != 0) @@ -46234,7 +46003,7 @@ index 9be97e0..71b21b0 100644 } sectors -= s; sect += s; -@@ -2171,7 +2171,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, +@@ -2173,7 +2173,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, !test_bit(Faulty, &rdev->flags)) { if (r1_sync_page_io(rdev, sect, s, conf->tmppage, READ)) { @@ -53119,7 +52888,7 @@ index a107064..30775cf 100644 if (!sdp->request_queue->rq_timeout) { if (sdp->type != TYPE_MOD) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index eb81c98..0253222 100644 +index 721d839..0253222 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1102,7 +1102,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) @@ -53131,16 +52900,6 @@ index eb81c98..0253222 100644 case BLKTRACESTART: return blk_trace_startstop(sdp->device->request_queue, 1); case BLKTRACESTOP: -@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd) - md->from_user = 0; - } - -+ if (unlikely(iov_count > UIO_MAXIOV)) -+ return -EINVAL; -+ - if (iov_count) { - int len, size = sizeof(struct sg_iovec) * iov_count; - struct iovec *iov; diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c index 40d8592..8e89146 100644 --- a/drivers/scsi/sr.c @@ -74507,19 +74266,10 @@ index a93f7e6..d58bcbe 100644 return 0; while (nr) { diff --git a/fs/dcache.c b/fs/dcache.c -index 3d2f27b..8f1bf8c 100644 +index df323f8..8304de6 100644 --- a/fs/dcache.c +++ b/fs/dcache.c -@@ -250,7 +250,7 @@ static void __d_free(struct rcu_head *head) - static void d_free(struct dentry *dentry) - { - WARN_ON(!hlist_unhashed(&dentry->d_u.d_alias)); -- BUG_ON((int)dentry->d_lockref.count > 0); -+ BUG_ON((int)__lockref_read(&dentry->d_lockref) > 0); - this_cpu_dec(nr_dentry); - if (dentry->d_op && dentry->d_op->d_release) - dentry->d_op->d_release(dentry); -@@ -599,7 +599,7 @@ repeat: +@@ -575,7 +575,7 @@ repeat: dentry->d_flags |= DCACHE_REFERENCED; dentry_lru_add(dentry); @@ -74528,7 +74278,7 @@ index 3d2f27b..8f1bf8c 100644 spin_unlock(&dentry->d_lock); return; -@@ -654,7 +654,7 @@ int d_invalidate(struct dentry * dentry) +@@ -630,7 +630,7 @@ int d_invalidate(struct dentry * dentry) * We also need to leave mountpoints alone, * directory or not. */ @@ -74537,7 +74287,7 @@ index 3d2f27b..8f1bf8c 100644 if (S_ISDIR(dentry->d_inode->i_mode) || d_mountpoint(dentry)) { spin_unlock(&dentry->d_lock); return -EBUSY; -@@ -670,7 +670,7 @@ EXPORT_SYMBOL(d_invalidate); +@@ -646,7 +646,7 @@ EXPORT_SYMBOL(d_invalidate); /* This must be called with d_lock held */ static inline void __dget_dlock(struct dentry *dentry) { @@ -74546,7 +74296,7 @@ index 3d2f27b..8f1bf8c 100644 } static inline void __dget(struct dentry *dentry) -@@ -711,8 +711,8 @@ repeat: +@@ -687,8 +687,8 @@ repeat: goto repeat; } rcu_read_unlock(); @@ -74557,7 +74307,7 @@ index 3d2f27b..8f1bf8c 100644 spin_unlock(&ret->d_lock); return ret; } -@@ -795,7 +795,7 @@ restart: +@@ -771,7 +771,7 @@ restart: spin_lock(&inode->i_lock); hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) { spin_lock(&dentry->d_lock); @@ -74566,16 +74316,16 @@ index 3d2f27b..8f1bf8c 100644 /* * inform the fs via d_prune that this dentry * is about to be unhashed and destroyed. -@@ -887,7 +887,7 @@ static void shrink_dentry_list(struct list_head *list) +@@ -811,7 +811,7 @@ static void shrink_dentry_list(struct list_head *list) * We found an inuse dentry which was not removed from * the LRU because of laziness during lookup. Do not free it. */ -- if (dentry->d_lockref.count) { -+ if (__lockref_read(&dentry->d_lockref)) { +- if ((int)dentry->d_lockref.count > 0) { ++ if ((int)__lockref_read(&dentry->d_lockref) > 0) { spin_unlock(&dentry->d_lock); continue; } -@@ -933,7 +933,7 @@ dentry_lru_isolate(struct list_head *item, spinlock_t *lru_lock, void *arg) +@@ -865,7 +865,7 @@ dentry_lru_isolate(struct list_head *item, spinlock_t *lru_lock, void *arg) * counts, just remove them from the LRU. Otherwise give them * another pass through the LRU. */ @@ -74584,39 +74334,34 @@ index 3d2f27b..8f1bf8c 100644 d_lru_isolate(dentry); spin_unlock(&dentry->d_lock); return LRU_REMOVED; -@@ -1272,7 +1272,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry) - * loop in shrink_dcache_parent() might not make any progress - * and loop forever. - */ -- if (dentry->d_lockref.count) { -+ if (__lockref_read(&dentry->d_lockref)) { - dentry_lru_del(dentry); - } else if (!(dentry->d_flags & DCACHE_SHRINK_LIST)) { - /* -@@ -1326,11 +1326,11 @@ static enum d_walk_ret umount_collect(void *_data, struct dentry *dentry) - struct select_data *data = _data; - enum d_walk_ret ret = D_WALK_CONTINUE; +@@ -1201,7 +1201,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry) + } else { + if (dentry->d_flags & DCACHE_LRU_LIST) + d_lru_del(dentry); +- if (!dentry->d_lockref.count) { ++ if (!__lockref_read(&dentry->d_lockref)) { + d_shrink_add(dentry, &data->dispose); + data->found++; + } +@@ -1249,7 +1249,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry) + return D_WALK_CONTINUE; -- if (dentry->d_lockref.count) { -+ if (__lockref_read(&dentry->d_lockref)) { - dentry_lru_del(dentry); - if (likely(!list_empty(&dentry->d_subdirs))) - goto out; -- if (dentry == data->start && dentry->d_lockref.count == 1) -+ if (dentry == data->start && __lockref_read(&dentry->d_lockref) == 1) - goto out; - printk(KERN_ERR - "BUG: Dentry %p{i=%lx,n=%s}" -@@ -1340,7 +1340,7 @@ static enum d_walk_ret umount_collect(void *_data, struct dentry *dentry) + /* root with refcount 1 is fine */ +- if (dentry == _data && dentry->d_lockref.count == 1) ++ if (dentry == _data && __lockref_read(&dentry->d_lockref) == 1) + return D_WALK_CONTINUE; + + printk(KERN_ERR "BUG: Dentry %p{i=%lx,n=%pd} " +@@ -1258,7 +1258,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry) dentry->d_inode ? dentry->d_inode->i_ino : 0UL, - dentry->d_name.name, + dentry, - dentry->d_lockref.count, + __lockref_read(&dentry->d_lockref), dentry->d_sb->s_type->name, dentry->d_sb->s_id); - BUG(); -@@ -1498,7 +1498,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) + WARN_ON(1); +@@ -1384,7 +1384,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) */ dentry->d_iname[DNAME_INLINE_LEN-1] = 0; if (name->len > DNAME_INLINE_LEN-1) { @@ -74625,7 +74370,7 @@ index 3d2f27b..8f1bf8c 100644 if (!dname) { kmem_cache_free(dentry_cache, dentry); return NULL; -@@ -1516,7 +1516,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) +@@ -1402,7 +1402,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) smp_wmb(); dentry->d_name.name = dname; @@ -74634,7 +74379,7 @@ index 3d2f27b..8f1bf8c 100644 dentry->d_flags = 0; spin_lock_init(&dentry->d_lock); seqcount_init(&dentry->d_seq); -@@ -1525,6 +1525,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) +@@ -1411,6 +1411,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) dentry->d_sb = sb; dentry->d_op = NULL; dentry->d_fsdata = NULL; @@ -74644,7 +74389,7 @@ index 3d2f27b..8f1bf8c 100644 INIT_HLIST_BL_NODE(&dentry->d_hash); INIT_LIST_HEAD(&dentry->d_lru); INIT_LIST_HEAD(&dentry->d_subdirs); -@@ -2279,7 +2282,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name) +@@ -2165,7 +2168,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name) goto next; } @@ -74653,7 +74398,7 @@ index 3d2f27b..8f1bf8c 100644 found = dentry; spin_unlock(&dentry->d_lock); break; -@@ -2378,7 +2381,7 @@ again: +@@ -2264,7 +2267,7 @@ again: spin_lock(&dentry->d_lock); inode = dentry->d_inode; isdir = S_ISDIR(inode->i_mode); @@ -74662,7 +74407,7 @@ index 3d2f27b..8f1bf8c 100644 if (!spin_trylock(&inode->i_lock)) { spin_unlock(&dentry->d_lock); cpu_relax(); -@@ -3311,7 +3314,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) +@@ -3197,7 +3200,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) if (!(dentry->d_flags & DCACHE_GENOCIDE)) { dentry->d_flags |= DCACHE_GENOCIDE; @@ -74671,7 +74416,7 @@ index 3d2f27b..8f1bf8c 100644 } } return D_WALK_CONTINUE; -@@ -3427,7 +3430,8 @@ void __init vfs_caches_init(unsigned long mempages) +@@ -3313,7 +3316,8 @@ void __init vfs_caches_init(unsigned long mempages) mempages -= reserve; names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0, @@ -78060,7 +77805,7 @@ index b29e42f..5ea7fdf 100644 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */ diff --git a/fs/namei.c b/fs/namei.c -index ccb8000..02d506e 100644 +index c6fa079..02d506e 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -331,17 +331,34 @@ int generic_permission(struct inode *inode, int mask) @@ -78412,15 +78157,6 @@ index ccb8000..02d506e 100644 error = -EISDIR; if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry)) goto out; -@@ -3171,7 +3276,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, - - if (unlikely(file->f_flags & __O_TMPFILE)) { - error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened); -- goto out; -+ goto out2; - } - - error = path_init(dfd, pathname->name, flags | LOOKUP_PARENT, nd, &base); @@ -3183,7 +3288,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, if (unlikely(error)) goto out; @@ -78439,15 +78175,7 @@ index ccb8000..02d506e 100644 put_link(nd, &link, cookie); } out: -@@ -3209,6 +3314,7 @@ out: - path_put(&nd->root); - if (base) - fput(base); -+out2: - if (!(opened & FILE_OPENED)) { - BUG_ON(!error); - put_filp(file); -@@ -3301,9 +3407,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, +@@ -3302,9 +3407,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, goto unlock; error = -EEXIST; @@ -78461,7 +78189,7 @@ index ccb8000..02d506e 100644 /* * Special case - lookup gave negative, but... we had foo/bar/ * From the vfs_mknod() POV we just have a negative dentry - -@@ -3355,6 +3463,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, +@@ -3356,6 +3463,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, } EXPORT_SYMBOL(user_path_create); @@ -78482,7 +78210,7 @@ index ccb8000..02d506e 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -3417,6 +3539,17 @@ retry: +@@ -3418,6 +3539,17 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -78500,7 +78228,7 @@ index ccb8000..02d506e 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out; -@@ -3433,6 +3566,8 @@ retry: +@@ -3434,6 +3566,8 @@ retry: break; } out: @@ -78509,7 +78237,7 @@ index ccb8000..02d506e 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3485,9 +3620,16 @@ retry: +@@ -3486,9 +3620,16 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -78526,7 +78254,7 @@ index ccb8000..02d506e 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3568,6 +3710,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -3569,6 +3710,8 @@ static long do_rmdir(int dfd, const char __user *pathname) struct filename *name; struct dentry *dentry; struct nameidata nd; @@ -78535,7 +78263,7 @@ index ccb8000..02d506e 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3600,10 +3744,21 @@ retry: +@@ -3601,10 +3744,21 @@ retry: error = -ENOENT; goto exit3; } @@ -78557,7 +78285,7 @@ index ccb8000..02d506e 100644 exit3: dput(dentry); exit2: -@@ -3693,6 +3848,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -3694,6 +3848,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct nameidata nd; struct inode *inode = NULL; struct inode *delegated_inode = NULL; @@ -78566,7 +78294,7 @@ index ccb8000..02d506e 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3719,10 +3876,22 @@ retry_deleg: +@@ -3720,10 +3876,22 @@ retry_deleg: if (d_is_negative(dentry)) goto slashes; ihold(inode); @@ -78589,7 +78317,7 @@ index ccb8000..02d506e 100644 exit2: dput(dentry); } -@@ -3810,9 +3979,17 @@ retry: +@@ -3811,9 +3979,17 @@ retry: if (IS_ERR(dentry)) goto out_putname; @@ -78607,7 +78335,7 @@ index ccb8000..02d506e 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3915,6 +4092,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3916,6 +4092,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, struct dentry *new_dentry; struct path old_path, new_path; struct inode *delegated_inode = NULL; @@ -78615,7 +78343,7 @@ index ccb8000..02d506e 100644 int how = 0; int error; -@@ -3938,7 +4116,7 @@ retry: +@@ -3939,7 +4116,7 @@ retry: if (error) return error; @@ -78624,7 +78352,7 @@ index ccb8000..02d506e 100644 (how & LOOKUP_REVAL)); error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) -@@ -3950,11 +4128,28 @@ retry: +@@ -3951,11 +4128,28 @@ retry: error = may_linkat(&old_path); if (unlikely(error)) goto out_dput; @@ -78653,7 +78381,7 @@ index ccb8000..02d506e 100644 done_path_create(&new_path, new_dentry); if (delegated_inode) { error = break_deleg_wait(&delegated_inode); -@@ -4241,6 +4436,20 @@ retry_deleg: +@@ -4242,6 +4436,20 @@ retry_deleg: if (new_dentry == trap) goto exit5; @@ -78674,7 +78402,7 @@ index ccb8000..02d506e 100644 error = security_path_rename(&oldnd.path, old_dentry, &newnd.path, new_dentry); if (error) -@@ -4248,6 +4457,9 @@ retry_deleg: +@@ -4249,6 +4457,9 @@ retry_deleg: error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry, &delegated_inode); @@ -78684,7 +78412,7 @@ index ccb8000..02d506e 100644 exit5: dput(new_dentry); exit4: -@@ -4284,6 +4496,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -4285,6 +4496,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { @@ -78693,7 +78421,7 @@ index ccb8000..02d506e 100644 int len; len = PTR_ERR(link); -@@ -4293,7 +4507,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -4294,7 +4507,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; @@ -95995,7 +95723,7 @@ index 653589e..4ef254a 100644 return c | 0x20; } diff --git a/include/linux/dcache.h b/include/linux/dcache.h -index 0f0eb1c..3c17a3d 100644 +index 2a23ecb..5116866 100644 --- a/include/linux/dcache.h +++ b/include/linux/dcache.h @@ -123,6 +123,9 @@ struct dentry { @@ -96017,7 +95745,7 @@ index 0f0eb1c..3c17a3d 100644 /* * dentry->d_lock spinlock nesting subclasses: -@@ -328,7 +331,8 @@ extern int d_validate(struct dentry *, struct dentry *); +@@ -330,7 +333,8 @@ extern int d_validate(struct dentry *, struct dentry *); /* * helper function for dentry_operations.d_dname() members */ @@ -103483,10 +103211,10 @@ index 5bb8bfe..a38ec05 100644 mq_table.data = get_mq(table); diff --git a/ipc/mqueue.c b/ipc/mqueue.c -index c3b3117..1efa933 100644 +index 9699d3f..8bf1694 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c -@@ -278,6 +278,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb, +@@ -275,6 +275,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb, mq_bytes = mq_treesize + (info->attr.mq_maxmsg * info->attr.mq_msgsize); @@ -108435,7 +108163,7 @@ index f964add..dcd823d 100644 #define sched_class_highest (&stop_sched_class) #define for_each_class(class) \ diff --git a/kernel/signal.c b/kernel/signal.c -index 52f881d..1e9f941 100644 +index 15c22ee..e9acb02 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -51,12 +51,12 @@ static struct kmem_cache *sigqueue_cachep; @@ -108544,7 +108272,7 @@ index 52f881d..1e9f941 100644 return ret; } -@@ -2926,7 +2949,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) +@@ -2927,7 +2950,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) int error = -ESRCH; rcu_read_lock(); @@ -108561,7 +108289,7 @@ index 52f881d..1e9f941 100644 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) { error = check_kill_permission(sig, info, p); /* -@@ -3239,8 +3270,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack, +@@ -3240,8 +3271,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack, } seg = get_fs(); set_fs(KERNEL_DS); diff --git a/3.14.50/4425_grsec_remove_EI_PAX.patch b/3.14.51/4425_grsec_remove_EI_PAX.patch index a80a5d7..a80a5d7 100644 --- a/3.14.50/4425_grsec_remove_EI_PAX.patch +++ b/3.14.51/4425_grsec_remove_EI_PAX.patch diff --git a/3.14.50/4427_force_XATTR_PAX_tmpfs.patch b/3.14.51/4427_force_XATTR_PAX_tmpfs.patch index 4c236cc..4c236cc 100644 --- a/3.14.50/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.14.51/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.14.50/4430_grsec-remove-localversion-grsec.patch b/3.14.51/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.14.50/4430_grsec-remove-localversion-grsec.patch +++ b/3.14.51/4430_grsec-remove-localversion-grsec.patch diff --git a/3.14.50/4435_grsec-mute-warnings.patch b/3.14.51/4435_grsec-mute-warnings.patch index 2c2d463..2c2d463 100644 --- a/3.14.50/4435_grsec-mute-warnings.patch +++ b/3.14.51/4435_grsec-mute-warnings.patch diff --git a/3.14.50/4440_grsec-remove-protected-paths.patch b/3.14.51/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.14.50/4440_grsec-remove-protected-paths.patch +++ b/3.14.51/4440_grsec-remove-protected-paths.patch diff --git a/3.14.50/4450_grsec-kconfig-default-gids.patch b/3.14.51/4450_grsec-kconfig-default-gids.patch index b96defc..b96defc 100644 --- a/3.14.50/4450_grsec-kconfig-default-gids.patch +++ b/3.14.51/4450_grsec-kconfig-default-gids.patch diff --git a/3.14.50/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.51/4465_selinux-avc_audit-log-curr_ip.patch index bba906e..bba906e 100644 --- a/3.14.50/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.14.51/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.14.50/4470_disable-compat_vdso.patch b/3.14.51/4470_disable-compat_vdso.patch index 3b3953b..3b3953b 100644 --- a/3.14.50/4470_disable-compat_vdso.patch +++ b/3.14.51/4470_disable-compat_vdso.patch diff --git a/3.14.50/4475_emutramp_default_on.patch b/3.14.51/4475_emutramp_default_on.patch index a128205..a128205 100644 --- a/3.14.50/4475_emutramp_default_on.patch +++ b/3.14.51/4475_emutramp_default_on.patch diff --git a/4.1.5/1004_linux-4.1.5.patch b/4.1.5/1004_linux-4.1.5.patch deleted file mode 100644 index cb5d5d6..0000000 --- a/4.1.5/1004_linux-4.1.5.patch +++ /dev/null @@ -1,5750 +0,0 @@ -diff --git a/Documentation/hwmon/nct7904 b/Documentation/hwmon/nct7904 -index 014f112..57fffe3 100644 ---- a/Documentation/hwmon/nct7904 -+++ b/Documentation/hwmon/nct7904 -@@ -35,11 +35,11 @@ temp1_input Local temperature (1/1000 degree, - temp[2-9]_input CPU temperatures (1/1000 degree, - 0.125 degree resolution) - --fan[1-4]_mode R/W, 0/1 for manual or SmartFan mode -+pwm[1-4]_enable R/W, 1/2 for manual or SmartFan mode - Setting SmartFan mode is supported only if it has been - previously configured by BIOS (or configuration EEPROM) - --fan[1-4]_pwm R/O in SmartFan mode, R/W in manual control mode -+pwm[1-4] R/O in SmartFan mode, R/W in manual control mode - - The driver checks sensor control registers and does not export the sensors - that are not enabled. Anyway, a sensor that is enabled may actually be not -diff --git a/Documentation/kbuild/makefiles.txt b/Documentation/kbuild/makefiles.txt -index 74b6c6d..d2b1c40 100644 ---- a/Documentation/kbuild/makefiles.txt -+++ b/Documentation/kbuild/makefiles.txt -@@ -952,6 +952,14 @@ When kbuild executes, the following steps are followed (roughly): - $(KBUILD_ARFLAGS) set by the top level Makefile to "D" (deterministic - mode) if this option is supported by $(AR). - -+ ARCH_CPPFLAGS, ARCH_AFLAGS, ARCH_CFLAGS Overrides the kbuild defaults -+ -+ These variables are appended to the KBUILD_CPPFLAGS, -+ KBUILD_AFLAGS, and KBUILD_CFLAGS, respectively, after the -+ top-level Makefile has set any other flags. This provides a -+ means for an architecture to override the defaults. -+ -+ - --- 6.2 Add prerequisites to archheaders: - - The archheaders: rule is used to generate header files that -diff --git a/Makefile b/Makefile -index 36f3225..068dd69 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 4 - PATCHLEVEL = 1 --SUBLEVEL = 4 -+SUBLEVEL = 5 - EXTRAVERSION = - NAME = Series 4800 - -@@ -783,10 +783,11 @@ endif - include scripts/Makefile.kasan - include scripts/Makefile.extrawarn - --# Add user supplied CPPFLAGS, AFLAGS and CFLAGS as the last assignments --KBUILD_CPPFLAGS += $(KCPPFLAGS) --KBUILD_AFLAGS += $(KAFLAGS) --KBUILD_CFLAGS += $(KCFLAGS) -+# Add any arch overrides and user supplied CPPFLAGS, AFLAGS and CFLAGS as the -+# last assignments -+KBUILD_CPPFLAGS += $(ARCH_CPPFLAGS) $(KCPPFLAGS) -+KBUILD_AFLAGS += $(ARCH_AFLAGS) $(KAFLAGS) -+KBUILD_CFLAGS += $(ARCH_CFLAGS) $(KCFLAGS) - - # Use --build-id when available. - LDFLAGS_BUILD_ID = $(patsubst -Wl$(comma)%,%,\ -diff --git a/arch/arc/Makefile b/arch/arc/Makefile -index db72fec..2f21e1e 100644 ---- a/arch/arc/Makefile -+++ b/arch/arc/Makefile -@@ -43,7 +43,8 @@ endif - - ifndef CONFIG_CC_OPTIMIZE_FOR_SIZE - # Generic build system uses -O2, we want -O3 --cflags-y += -O3 -+# Note: No need to add to cflags-y as that happens anyways -+ARCH_CFLAGS += -O3 - endif - - # small data is default for elf32 tool-chain. If not usable, disable it -diff --git a/arch/arc/include/asm/bitops.h b/arch/arc/include/asm/bitops.h -index 624a9d0..dae03e6 100644 ---- a/arch/arc/include/asm/bitops.h -+++ b/arch/arc/include/asm/bitops.h -@@ -18,83 +18,49 @@ - #include <linux/types.h> - #include <linux/compiler.h> - #include <asm/barrier.h> -+#ifndef CONFIG_ARC_HAS_LLSC -+#include <asm/smp.h> -+#endif - --/* -- * Hardware assisted read-modify-write using ARC700 LLOCK/SCOND insns. -- * The Kconfig glue ensures that in SMP, this is only set if the container -- * SoC/platform has cross-core coherent LLOCK/SCOND -- */ - #if defined(CONFIG_ARC_HAS_LLSC) - --static inline void set_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned int temp; -- -- m += nr >> 5; -- -- /* -- * ARC ISA micro-optimization: -- * -- * Instructions dealing with bitpos only consider lower 5 bits (0-31) -- * e.g (x << 33) is handled like (x << 1) by ASL instruction -- * (mem pointer still needs adjustment to point to next word) -- * -- * Hence the masking to clamp @nr arg can be elided in general. -- * -- * However if @nr is a constant (above assumed it in a register), -- * and greater than 31, gcc can optimize away (x << 33) to 0, -- * as overflow, given the 32-bit ISA. Thus masking needs to be done -- * for constant @nr, but no code is generated due to const prop. -- */ -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- __asm__ __volatile__( -- "1: llock %0, [%1] \n" -- " bset %0, %0, %2 \n" -- " scond %0, [%1] \n" -- " bnz 1b \n" -- : "=&r"(temp) -- : "r"(m), "ir"(nr) -- : "cc"); --} -- --static inline void clear_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned int temp; -- -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- __asm__ __volatile__( -- "1: llock %0, [%1] \n" -- " bclr %0, %0, %2 \n" -- " scond %0, [%1] \n" -- " bnz 1b \n" -- : "=&r"(temp) -- : "r"(m), "ir"(nr) -- : "cc"); --} -- --static inline void change_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned int temp; -- -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -+/* -+ * Hardware assisted Atomic-R-M-W -+ */ - -- __asm__ __volatile__( -- "1: llock %0, [%1] \n" -- " bxor %0, %0, %2 \n" -- " scond %0, [%1] \n" -- " bnz 1b \n" -- : "=&r"(temp) -- : "r"(m), "ir"(nr) -- : "cc"); -+#define BIT_OP(op, c_op, asm_op) \ -+static inline void op##_bit(unsigned long nr, volatile unsigned long *m)\ -+{ \ -+ unsigned int temp; \ -+ \ -+ m += nr >> 5; \ -+ \ -+ /* \ -+ * ARC ISA micro-optimization: \ -+ * \ -+ * Instructions dealing with bitpos only consider lower 5 bits \ -+ * e.g (x << 33) is handled like (x << 1) by ASL instruction \ -+ * (mem pointer still needs adjustment to point to next word) \ -+ * \ -+ * Hence the masking to clamp @nr arg can be elided in general. \ -+ * \ -+ * However if @nr is a constant (above assumed in a register), \ -+ * and greater than 31, gcc can optimize away (x << 33) to 0, \ -+ * as overflow, given the 32-bit ISA. Thus masking needs to be \ -+ * done for const @nr, but no code is generated due to gcc \ -+ * const prop. \ -+ */ \ -+ nr &= 0x1f; \ -+ \ -+ __asm__ __volatile__( \ -+ "1: llock %0, [%1] \n" \ -+ " " #asm_op " %0, %0, %2 \n" \ -+ " scond %0, [%1] \n" \ -+ " bnz 1b \n" \ -+ : "=&r"(temp) /* Early clobber, to prevent reg reuse */ \ -+ : "r"(m), /* Not "m": llock only supports reg direct addr mode */ \ -+ "ir"(nr) \ -+ : "cc"); \ - } - - /* -@@ -108,91 +74,37 @@ static inline void change_bit(unsigned long nr, volatile unsigned long *m) - * Since ARC lacks a equivalent h/w primitive, the bit is set unconditionally - * and the old value of bit is returned - */ --static inline int test_and_set_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long old, temp; -- -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- /* -- * Explicit full memory barrier needed before/after as -- * LLOCK/SCOND themselves don't provide any such semantics -- */ -- smp_mb(); -- -- __asm__ __volatile__( -- "1: llock %0, [%2] \n" -- " bset %1, %0, %3 \n" -- " scond %1, [%2] \n" -- " bnz 1b \n" -- : "=&r"(old), "=&r"(temp) -- : "r"(m), "ir"(nr) -- : "cc"); -- -- smp_mb(); -- -- return (old & (1 << nr)) != 0; --} -- --static inline int --test_and_clear_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned int old, temp; -- -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- smp_mb(); -- -- __asm__ __volatile__( -- "1: llock %0, [%2] \n" -- " bclr %1, %0, %3 \n" -- " scond %1, [%2] \n" -- " bnz 1b \n" -- : "=&r"(old), "=&r"(temp) -- : "r"(m), "ir"(nr) -- : "cc"); -- -- smp_mb(); -- -- return (old & (1 << nr)) != 0; --} -- --static inline int --test_and_change_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned int old, temp; -- -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- smp_mb(); -- -- __asm__ __volatile__( -- "1: llock %0, [%2] \n" -- " bxor %1, %0, %3 \n" -- " scond %1, [%2] \n" -- " bnz 1b \n" -- : "=&r"(old), "=&r"(temp) -- : "r"(m), "ir"(nr) -- : "cc"); -- -- smp_mb(); -- -- return (old & (1 << nr)) != 0; -+#define TEST_N_BIT_OP(op, c_op, asm_op) \ -+static inline int test_and_##op##_bit(unsigned long nr, volatile unsigned long *m)\ -+{ \ -+ unsigned long old, temp; \ -+ \ -+ m += nr >> 5; \ -+ \ -+ nr &= 0x1f; \ -+ \ -+ /* \ -+ * Explicit full memory barrier needed before/after as \ -+ * LLOCK/SCOND themselves don't provide any such smenatic \ -+ */ \ -+ smp_mb(); \ -+ \ -+ __asm__ __volatile__( \ -+ "1: llock %0, [%2] \n" \ -+ " " #asm_op " %1, %0, %3 \n" \ -+ " scond %1, [%2] \n" \ -+ " bnz 1b \n" \ -+ : "=&r"(old), "=&r"(temp) \ -+ : "r"(m), "ir"(nr) \ -+ : "cc"); \ -+ \ -+ smp_mb(); \ -+ \ -+ return (old & (1 << nr)) != 0; \ - } - - #else /* !CONFIG_ARC_HAS_LLSC */ - --#include <asm/smp.h> -- - /* - * Non hardware assisted Atomic-R-M-W - * Locking would change to irq-disabling only (UP) and spinlocks (SMP) -@@ -209,111 +121,37 @@ test_and_change_bit(unsigned long nr, volatile unsigned long *m) - * at compile time) - */ - --static inline void set_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long temp, flags; -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- bitops_lock(flags); -- -- temp = *m; -- *m = temp | (1UL << nr); -- -- bitops_unlock(flags); -+#define BIT_OP(op, c_op, asm_op) \ -+static inline void op##_bit(unsigned long nr, volatile unsigned long *m)\ -+{ \ -+ unsigned long temp, flags; \ -+ m += nr >> 5; \ -+ \ -+ /* \ -+ * spin lock/unlock provide the needed smp_mb() before/after \ -+ */ \ -+ bitops_lock(flags); \ -+ \ -+ temp = *m; \ -+ *m = temp c_op (1UL << (nr & 0x1f)); \ -+ \ -+ bitops_unlock(flags); \ - } - --static inline void clear_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long temp, flags; -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- bitops_lock(flags); -- -- temp = *m; -- *m = temp & ~(1UL << nr); -- -- bitops_unlock(flags); --} -- --static inline void change_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long temp, flags; -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- bitops_lock(flags); -- -- temp = *m; -- *m = temp ^ (1UL << nr); -- -- bitops_unlock(flags); --} -- --static inline int test_and_set_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long old, flags; -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- /* -- * spin lock/unlock provide the needed smp_mb() before/after -- */ -- bitops_lock(flags); -- -- old = *m; -- *m = old | (1 << nr); -- -- bitops_unlock(flags); -- -- return (old & (1 << nr)) != 0; --} -- --static inline int --test_and_clear_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long old, flags; -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- bitops_lock(flags); -- -- old = *m; -- *m = old & ~(1 << nr); -- -- bitops_unlock(flags); -- -- return (old & (1 << nr)) != 0; --} -- --static inline int --test_and_change_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long old, flags; -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- bitops_lock(flags); -- -- old = *m; -- *m = old ^ (1 << nr); -- -- bitops_unlock(flags); -- -- return (old & (1 << nr)) != 0; -+#define TEST_N_BIT_OP(op, c_op, asm_op) \ -+static inline int test_and_##op##_bit(unsigned long nr, volatile unsigned long *m)\ -+{ \ -+ unsigned long old, flags; \ -+ m += nr >> 5; \ -+ \ -+ bitops_lock(flags); \ -+ \ -+ old = *m; \ -+ *m = old c_op (1UL << (nr & 0x1f)); \ -+ \ -+ bitops_unlock(flags); \ -+ \ -+ return (old & (1UL << (nr & 0x1f))) != 0; \ - } - - #endif /* CONFIG_ARC_HAS_LLSC */ -@@ -322,86 +160,45 @@ test_and_change_bit(unsigned long nr, volatile unsigned long *m) - * Non atomic variants - **************************************/ - --static inline void __set_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long temp; -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- temp = *m; -- *m = temp | (1UL << nr); -+#define __BIT_OP(op, c_op, asm_op) \ -+static inline void __##op##_bit(unsigned long nr, volatile unsigned long *m) \ -+{ \ -+ unsigned long temp; \ -+ m += nr >> 5; \ -+ \ -+ temp = *m; \ -+ *m = temp c_op (1UL << (nr & 0x1f)); \ - } - --static inline void __clear_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long temp; -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- temp = *m; -- *m = temp & ~(1UL << nr); -+#define __TEST_N_BIT_OP(op, c_op, asm_op) \ -+static inline int __test_and_##op##_bit(unsigned long nr, volatile unsigned long *m)\ -+{ \ -+ unsigned long old; \ -+ m += nr >> 5; \ -+ \ -+ old = *m; \ -+ *m = old c_op (1UL << (nr & 0x1f)); \ -+ \ -+ return (old & (1UL << (nr & 0x1f))) != 0; \ - } - --static inline void __change_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long temp; -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- temp = *m; -- *m = temp ^ (1UL << nr); --} -- --static inline int --__test_and_set_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long old; -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- old = *m; -- *m = old | (1 << nr); -- -- return (old & (1 << nr)) != 0; --} -- --static inline int --__test_and_clear_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long old; -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- old = *m; -- *m = old & ~(1 << nr); -- -- return (old & (1 << nr)) != 0; --} -- --static inline int --__test_and_change_bit(unsigned long nr, volatile unsigned long *m) --{ -- unsigned long old; -- m += nr >> 5; -- -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- old = *m; -- *m = old ^ (1 << nr); -- -- return (old & (1 << nr)) != 0; --} -+#define BIT_OPS(op, c_op, asm_op) \ -+ \ -+ /* set_bit(), clear_bit(), change_bit() */ \ -+ BIT_OP(op, c_op, asm_op) \ -+ \ -+ /* test_and_set_bit(), test_and_clear_bit(), test_and_change_bit() */\ -+ TEST_N_BIT_OP(op, c_op, asm_op) \ -+ \ -+ /* __set_bit(), __clear_bit(), __change_bit() */ \ -+ __BIT_OP(op, c_op, asm_op) \ -+ \ -+ /* __test_and_set_bit(), __test_and_clear_bit(), __test_and_change_bit() */\ -+ __TEST_N_BIT_OP(op, c_op, asm_op) -+ -+BIT_OPS(set, |, bset) -+BIT_OPS(clear, & ~, bclr) -+BIT_OPS(change, ^, bxor) - - /* - * This routine doesn't need to be atomic. -@@ -413,10 +210,7 @@ test_bit(unsigned int nr, const volatile unsigned long *addr) - - addr += nr >> 5; - -- if (__builtin_constant_p(nr)) -- nr &= 0x1f; -- -- mask = 1 << nr; -+ mask = 1UL << (nr & 0x1f); - - return ((mask & *addr) != 0); - } -diff --git a/arch/arc/include/asm/ptrace.h b/arch/arc/include/asm/ptrace.h -index 1bfeec2..2a58af7 100644 ---- a/arch/arc/include/asm/ptrace.h -+++ b/arch/arc/include/asm/ptrace.h -@@ -63,7 +63,7 @@ struct callee_regs { - long r25, r24, r23, r22, r21, r20, r19, r18, r17, r16, r15, r14, r13; - }; - --#define instruction_pointer(regs) ((regs)->ret) -+#define instruction_pointer(regs) (unsigned long)((regs)->ret) - #define profile_pc(regs) instruction_pointer(regs) - - /* return 1 if user mode or 0 if kernel mode */ -diff --git a/arch/arm/boot/dts/am57xx-beagle-x15.dts b/arch/arm/boot/dts/am57xx-beagle-x15.dts -index 7128fad..c9df40e 100644 ---- a/arch/arm/boot/dts/am57xx-beagle-x15.dts -+++ b/arch/arm/boot/dts/am57xx-beagle-x15.dts -@@ -544,6 +544,10 @@ - phy-supply = <&ldousb_reg>; - }; - -+&usb2_phy2 { -+ phy-supply = <&ldousb_reg>; -+}; -+ - &usb1 { - dr_mode = "host"; - pinctrl-names = "default"; -diff --git a/arch/arm/boot/dts/dra7-evm.dts b/arch/arm/boot/dts/dra7-evm.dts -index aa46590..096f68b 100644 ---- a/arch/arm/boot/dts/dra7-evm.dts -+++ b/arch/arm/boot/dts/dra7-evm.dts -@@ -686,7 +686,8 @@ - - &dcan1 { - status = "ok"; -- pinctrl-names = "default", "sleep"; -- pinctrl-0 = <&dcan1_pins_default>; -+ pinctrl-names = "default", "sleep", "active"; -+ pinctrl-0 = <&dcan1_pins_sleep>; - pinctrl-1 = <&dcan1_pins_sleep>; -+ pinctrl-2 = <&dcan1_pins_default>; - }; -diff --git a/arch/arm/boot/dts/dra72-evm.dts b/arch/arm/boot/dts/dra72-evm.dts -index ce0390f..6b05f6a 100644 ---- a/arch/arm/boot/dts/dra72-evm.dts -+++ b/arch/arm/boot/dts/dra72-evm.dts -@@ -497,9 +497,10 @@ - - &dcan1 { - status = "ok"; -- pinctrl-names = "default", "sleep"; -- pinctrl-0 = <&dcan1_pins_default>; -+ pinctrl-names = "default", "sleep", "active"; -+ pinctrl-0 = <&dcan1_pins_sleep>; - pinctrl-1 = <&dcan1_pins_sleep>; -+ pinctrl-2 = <&dcan1_pins_default>; - }; - - &qspi { -diff --git a/arch/arm/mach-imx/gpc.c b/arch/arm/mach-imx/gpc.c -index 6d0893a..78b6fd0 100644 ---- a/arch/arm/mach-imx/gpc.c -+++ b/arch/arm/mach-imx/gpc.c -@@ -291,8 +291,6 @@ void __init imx_gpc_check_dt(void) - } - } - --#ifdef CONFIG_PM_GENERIC_DOMAINS -- - static void _imx6q_pm_pu_power_off(struct generic_pm_domain *genpd) - { - int iso, iso2sw; -@@ -399,7 +397,6 @@ static struct genpd_onecell_data imx_gpc_onecell_data = { - static int imx_gpc_genpd_init(struct device *dev, struct regulator *pu_reg) - { - struct clk *clk; -- bool is_off; - int i; - - imx6q_pu_domain.reg = pu_reg; -@@ -416,18 +413,13 @@ static int imx_gpc_genpd_init(struct device *dev, struct regulator *pu_reg) - } - imx6q_pu_domain.num_clks = i; - -- is_off = IS_ENABLED(CONFIG_PM); -- if (is_off) { -- _imx6q_pm_pu_power_off(&imx6q_pu_domain.base); -- } else { -- /* -- * Enable power if compiled without CONFIG_PM in case the -- * bootloader disabled it. -- */ -- imx6q_pm_pu_power_on(&imx6q_pu_domain.base); -- } -+ /* Enable power always in case bootloader disabled it. */ -+ imx6q_pm_pu_power_on(&imx6q_pu_domain.base); -+ -+ if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) -+ return 0; - -- pm_genpd_init(&imx6q_pu_domain.base, NULL, is_off); -+ pm_genpd_init(&imx6q_pu_domain.base, NULL, false); - return of_genpd_add_provider_onecell(dev->of_node, - &imx_gpc_onecell_data); - -@@ -437,13 +429,6 @@ clk_err: - return -EINVAL; - } - --#else --static inline int imx_gpc_genpd_init(struct device *dev, struct regulator *reg) --{ -- return 0; --} --#endif /* CONFIG_PM_GENERIC_DOMAINS */ -- - static int imx_gpc_probe(struct platform_device *pdev) - { - struct regulator *pu_reg; -diff --git a/arch/arm/mach-pxa/capc7117.c b/arch/arm/mach-pxa/capc7117.c -index c092730..bf366b3 100644 ---- a/arch/arm/mach-pxa/capc7117.c -+++ b/arch/arm/mach-pxa/capc7117.c -@@ -24,6 +24,7 @@ - #include <linux/ata_platform.h> - #include <linux/serial_8250.h> - #include <linux/gpio.h> -+#include <linux/regulator/machine.h> - - #include <asm/mach-types.h> - #include <asm/mach/arch.h> -@@ -144,6 +145,8 @@ static void __init capc7117_init(void) - - capc7117_uarts_init(); - capc7117_ide_init(); -+ -+ regulator_has_full_constraints(); - } - - MACHINE_START(CAPC7117, -diff --git a/arch/arm/mach-pxa/cm-x2xx.c b/arch/arm/mach-pxa/cm-x2xx.c -index bb99f59..a17a91e 100644 ---- a/arch/arm/mach-pxa/cm-x2xx.c -+++ b/arch/arm/mach-pxa/cm-x2xx.c -@@ -13,6 +13,7 @@ - #include <linux/syscore_ops.h> - #include <linux/irq.h> - #include <linux/gpio.h> -+#include <linux/regulator/machine.h> - - #include <linux/dm9000.h> - #include <linux/leds.h> -@@ -466,6 +467,8 @@ static void __init cmx2xx_init(void) - cmx2xx_init_ac97(); - cmx2xx_init_touchscreen(); - cmx2xx_init_leds(); -+ -+ regulator_has_full_constraints(); - } - - static void __init cmx2xx_init_irq(void) -diff --git a/arch/arm/mach-pxa/cm-x300.c b/arch/arm/mach-pxa/cm-x300.c -index 4d3588d..5851f4c 100644 ---- a/arch/arm/mach-pxa/cm-x300.c -+++ b/arch/arm/mach-pxa/cm-x300.c -@@ -835,6 +835,8 @@ static void __init cm_x300_init(void) - cm_x300_init_ac97(); - cm_x300_init_wi2wi(); - cm_x300_init_bl(); -+ -+ regulator_has_full_constraints(); - } - - static void __init cm_x300_fixup(struct tag *tags, char **cmdline) -diff --git a/arch/arm/mach-pxa/colibri-pxa270.c b/arch/arm/mach-pxa/colibri-pxa270.c -index 5f9d930..3503826 100644 ---- a/arch/arm/mach-pxa/colibri-pxa270.c -+++ b/arch/arm/mach-pxa/colibri-pxa270.c -@@ -18,6 +18,7 @@ - #include <linux/mtd/partitions.h> - #include <linux/mtd/physmap.h> - #include <linux/platform_device.h> -+#include <linux/regulator/machine.h> - #include <linux/ucb1400.h> - - #include <asm/mach/arch.h> -@@ -294,6 +295,8 @@ static void __init colibri_pxa270_init(void) - printk(KERN_ERR "Illegal colibri_pxa270_baseboard type %d\n", - colibri_pxa270_baseboard); - } -+ -+ regulator_has_full_constraints(); - } - - /* The "Income s.r.o. SH-Dmaster PXA270 SBC" board can be booted either -diff --git a/arch/arm/mach-pxa/em-x270.c b/arch/arm/mach-pxa/em-x270.c -index 51531ec..9d7072b 100644 ---- a/arch/arm/mach-pxa/em-x270.c -+++ b/arch/arm/mach-pxa/em-x270.c -@@ -1306,6 +1306,8 @@ static void __init em_x270_init(void) - em_x270_init_i2c(); - em_x270_init_camera(); - em_x270_userspace_consumers_init(); -+ -+ regulator_has_full_constraints(); - } - - MACHINE_START(EM_X270, "Compulab EM-X270") -diff --git a/arch/arm/mach-pxa/icontrol.c b/arch/arm/mach-pxa/icontrol.c -index c98511c..9b0eb02 100644 ---- a/arch/arm/mach-pxa/icontrol.c -+++ b/arch/arm/mach-pxa/icontrol.c -@@ -26,6 +26,7 @@ - #include <linux/spi/spi.h> - #include <linux/spi/pxa2xx_spi.h> - #include <linux/can/platform/mcp251x.h> -+#include <linux/regulator/machine.h> - - #include "generic.h" - -@@ -185,6 +186,8 @@ static void __init icontrol_init(void) - mxm_8x10_mmc_init(); - - icontrol_can_init(); -+ -+ regulator_has_full_constraints(); - } - - MACHINE_START(ICONTROL, "iControl/SafeTcam boards using Embedian MXM-8x10 CoM") -diff --git a/arch/arm/mach-pxa/trizeps4.c b/arch/arm/mach-pxa/trizeps4.c -index 872dcb2..066e3a2 100644 ---- a/arch/arm/mach-pxa/trizeps4.c -+++ b/arch/arm/mach-pxa/trizeps4.c -@@ -26,6 +26,7 @@ - #include <linux/dm9000.h> - #include <linux/mtd/physmap.h> - #include <linux/mtd/partitions.h> -+#include <linux/regulator/machine.h> - #include <linux/i2c/pxa-i2c.h> - - #include <asm/types.h> -@@ -534,6 +535,8 @@ static void __init trizeps4_init(void) - - BCR_writew(trizeps_conxs_bcr); - board_backlight_power(1); -+ -+ regulator_has_full_constraints(); - } - - static void __init trizeps4_map_io(void) -diff --git a/arch/arm/mach-pxa/vpac270.c b/arch/arm/mach-pxa/vpac270.c -index aa89488..54122a9 100644 ---- a/arch/arm/mach-pxa/vpac270.c -+++ b/arch/arm/mach-pxa/vpac270.c -@@ -24,6 +24,7 @@ - #include <linux/dm9000.h> - #include <linux/ucb1400.h> - #include <linux/ata_platform.h> -+#include <linux/regulator/machine.h> - #include <linux/regulator/max1586.h> - #include <linux/i2c/pxa-i2c.h> - -@@ -711,6 +712,8 @@ static void __init vpac270_init(void) - vpac270_ts_init(); - vpac270_rtc_init(); - vpac270_ide_init(); -+ -+ regulator_has_full_constraints(); - } - - MACHINE_START(VPAC270, "Voipac PXA270") -diff --git a/arch/arm/mach-pxa/zeus.c b/arch/arm/mach-pxa/zeus.c -index ac2ae5c..6158566f 100644 ---- a/arch/arm/mach-pxa/zeus.c -+++ b/arch/arm/mach-pxa/zeus.c -@@ -868,6 +868,8 @@ static void __init zeus_init(void) - i2c_register_board_info(0, ARRAY_AND_SIZE(zeus_i2c_devices)); - pxa2xx_set_spi_info(3, &pxa2xx_spi_ssp3_master_info); - spi_register_board_info(zeus_spi_board_info, ARRAY_SIZE(zeus_spi_board_info)); -+ -+ regulator_has_full_constraints(); - } - - static struct map_desc zeus_io_desc[] __initdata = { -diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c -index 7e7583d..6e4b9ff 100644 ---- a/arch/arm/mm/dma-mapping.c -+++ b/arch/arm/mm/dma-mapping.c -@@ -1953,7 +1953,7 @@ static int extend_iommu_mapping(struct dma_iommu_mapping *mapping) - { - int next_bitmap; - -- if (mapping->nr_bitmaps > mapping->extensions) -+ if (mapping->nr_bitmaps >= mapping->extensions) - return -EINVAL; - - next_bitmap = mapping->nr_bitmaps; -diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c -index ab21e0d..352962b 100644 ---- a/arch/arm64/kernel/efi.c -+++ b/arch/arm64/kernel/efi.c -@@ -122,12 +122,12 @@ static int __init uefi_init(void) - - /* Show what we know for posterity */ - c16 = early_memremap(efi_to_phys(efi.systab->fw_vendor), -- sizeof(vendor)); -+ sizeof(vendor) * sizeof(efi_char16_t)); - if (c16) { - for (i = 0; i < (int) sizeof(vendor) - 1 && *c16; ++i) - vendor[i] = c16[i]; - vendor[i] = '\0'; -- early_memunmap(c16, sizeof(vendor)); -+ early_memunmap(c16, sizeof(vendor) * sizeof(efi_char16_t)); - } - - pr_info("EFI v%u.%.02u by %s\n", -diff --git a/arch/avr32/mach-at32ap/clock.c b/arch/avr32/mach-at32ap/clock.c -index 23b1a97..52c179b 100644 ---- a/arch/avr32/mach-at32ap/clock.c -+++ b/arch/avr32/mach-at32ap/clock.c -@@ -80,6 +80,9 @@ int clk_enable(struct clk *clk) - { - unsigned long flags; - -+ if (!clk) -+ return 0; -+ - spin_lock_irqsave(&clk_lock, flags); - __clk_enable(clk); - spin_unlock_irqrestore(&clk_lock, flags); -@@ -106,6 +109,9 @@ void clk_disable(struct clk *clk) - { - unsigned long flags; - -+ if (IS_ERR_OR_NULL(clk)) -+ return; -+ - spin_lock_irqsave(&clk_lock, flags); - __clk_disable(clk); - spin_unlock_irqrestore(&clk_lock, flags); -@@ -117,6 +123,9 @@ unsigned long clk_get_rate(struct clk *clk) - unsigned long flags; - unsigned long rate; - -+ if (!clk) -+ return 0; -+ - spin_lock_irqsave(&clk_lock, flags); - rate = clk->get_rate(clk); - spin_unlock_irqrestore(&clk_lock, flags); -@@ -129,6 +138,9 @@ long clk_round_rate(struct clk *clk, unsigned long rate) - { - unsigned long flags, actual_rate; - -+ if (!clk) -+ return 0; -+ - if (!clk->set_rate) - return -ENOSYS; - -@@ -145,6 +157,9 @@ int clk_set_rate(struct clk *clk, unsigned long rate) - unsigned long flags; - long ret; - -+ if (!clk) -+ return 0; -+ - if (!clk->set_rate) - return -ENOSYS; - -@@ -161,6 +176,9 @@ int clk_set_parent(struct clk *clk, struct clk *parent) - unsigned long flags; - int ret; - -+ if (!clk) -+ return 0; -+ - if (!clk->set_parent) - return -ENOSYS; - -@@ -174,7 +192,7 @@ EXPORT_SYMBOL(clk_set_parent); - - struct clk *clk_get_parent(struct clk *clk) - { -- return clk->parent; -+ return !clk ? NULL : clk->parent; - } - EXPORT_SYMBOL(clk_get_parent); - -diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig -index f501665..a3b1ffe 100644 ---- a/arch/mips/Kconfig -+++ b/arch/mips/Kconfig -@@ -1417,6 +1417,7 @@ config CPU_MIPS64_R6 - select CPU_SUPPORTS_HIGHMEM - select CPU_SUPPORTS_MSA - select GENERIC_CSUM -+ select MIPS_O32_FP64_SUPPORT if MIPS32_O32 - help - Choose this option to build a kernel for release 6 or later of the - MIPS64 architecture. New MIPS processors, starting with the Warrior -diff --git a/arch/mips/include/asm/fpu.h b/arch/mips/include/asm/fpu.h -index 084780b..1b06251 100644 ---- a/arch/mips/include/asm/fpu.h -+++ b/arch/mips/include/asm/fpu.h -@@ -74,7 +74,7 @@ static inline int __enable_fpu(enum fpu_mode mode) - goto fr_common; - - case FPU_64BIT: --#if !(defined(CONFIG_CPU_MIPS32_R2) || defined(CONFIG_CPU_MIPS32_R6) \ -+#if !(defined(CONFIG_CPU_MIPSR2) || defined(CONFIG_CPU_MIPSR6) \ - || defined(CONFIG_64BIT)) - /* we only have a 32-bit FPU */ - return SIGFPE; -diff --git a/arch/mips/include/asm/smp.h b/arch/mips/include/asm/smp.h -index 2b25d1b..16f1ea9 100644 ---- a/arch/mips/include/asm/smp.h -+++ b/arch/mips/include/asm/smp.h -@@ -23,6 +23,7 @@ - extern int smp_num_siblings; - extern cpumask_t cpu_sibling_map[]; - extern cpumask_t cpu_core_map[]; -+extern cpumask_t cpu_foreign_map; - - #define raw_smp_processor_id() (current_thread_info()->cpu) - -diff --git a/arch/mips/kernel/smp.c b/arch/mips/kernel/smp.c -index faa46eb..d0744cc 100644 ---- a/arch/mips/kernel/smp.c -+++ b/arch/mips/kernel/smp.c -@@ -63,6 +63,13 @@ EXPORT_SYMBOL(cpu_sibling_map); - cpumask_t cpu_core_map[NR_CPUS] __read_mostly; - EXPORT_SYMBOL(cpu_core_map); - -+/* -+ * A logcal cpu mask containing only one VPE per core to -+ * reduce the number of IPIs on large MT systems. -+ */ -+cpumask_t cpu_foreign_map __read_mostly; -+EXPORT_SYMBOL(cpu_foreign_map); -+ - /* representing cpus for which sibling maps can be computed */ - static cpumask_t cpu_sibling_setup_map; - -@@ -103,6 +110,29 @@ static inline void set_cpu_core_map(int cpu) - } - } - -+/* -+ * Calculate a new cpu_foreign_map mask whenever a -+ * new cpu appears or disappears. -+ */ -+static inline void calculate_cpu_foreign_map(void) -+{ -+ int i, k, core_present; -+ cpumask_t temp_foreign_map; -+ -+ /* Re-calculate the mask */ -+ for_each_online_cpu(i) { -+ core_present = 0; -+ for_each_cpu(k, &temp_foreign_map) -+ if (cpu_data[i].package == cpu_data[k].package && -+ cpu_data[i].core == cpu_data[k].core) -+ core_present = 1; -+ if (!core_present) -+ cpumask_set_cpu(i, &temp_foreign_map); -+ } -+ -+ cpumask_copy(&cpu_foreign_map, &temp_foreign_map); -+} -+ - struct plat_smp_ops *mp_ops; - EXPORT_SYMBOL(mp_ops); - -@@ -146,6 +176,8 @@ asmlinkage void start_secondary(void) - set_cpu_sibling_map(cpu); - set_cpu_core_map(cpu); - -+ calculate_cpu_foreign_map(); -+ - cpumask_set_cpu(cpu, &cpu_callin_map); - - synchronise_count_slave(cpu); -@@ -173,9 +205,18 @@ void __irq_entry smp_call_function_interrupt(void) - static void stop_this_cpu(void *dummy) - { - /* -- * Remove this CPU: -+ * Remove this CPU. Be a bit slow here and -+ * set the bits for every online CPU so we don't miss -+ * any IPI whilst taking this VPE down. - */ -+ -+ cpumask_copy(&cpu_foreign_map, cpu_online_mask); -+ -+ /* Make it visible to every other CPU */ -+ smp_mb(); -+ - set_cpu_online(smp_processor_id(), false); -+ calculate_cpu_foreign_map(); - local_irq_disable(); - while (1); - } -@@ -197,6 +238,7 @@ void __init smp_prepare_cpus(unsigned int max_cpus) - mp_ops->prepare_cpus(max_cpus); - set_cpu_sibling_map(0); - set_cpu_core_map(0); -+ calculate_cpu_foreign_map(); - #ifndef CONFIG_HOTPLUG_CPU - init_cpu_present(cpu_possible_mask); - #endif -diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c -index 22b9b2c..6983fcd 100644 ---- a/arch/mips/math-emu/cp1emu.c -+++ b/arch/mips/math-emu/cp1emu.c -@@ -451,7 +451,7 @@ static int isBranchInstr(struct pt_regs *regs, struct mm_decoded_insn dec_insn, - /* Fall through */ - case jr_op: - /* For R6, JR already emulated in jalr_op */ -- if (NO_R6EMU && insn.r_format.opcode == jr_op) -+ if (NO_R6EMU && insn.r_format.func == jr_op) - break; - *contpc = regs->regs[insn.r_format.rs]; - return 1; -diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c -index 2e03ab1..dca0efc 100644 ---- a/arch/mips/mm/c-r4k.c -+++ b/arch/mips/mm/c-r4k.c -@@ -37,6 +37,7 @@ - #include <asm/cacheflush.h> /* for run_uncached() */ - #include <asm/traps.h> - #include <asm/dma-coherence.h> -+#include <asm/mips-cm.h> - - /* - * Special Variant of smp_call_function for use by cache functions: -@@ -51,9 +52,16 @@ static inline void r4k_on_each_cpu(void (*func) (void *info), void *info) - { - preempt_disable(); - --#ifndef CONFIG_MIPS_MT_SMP -- smp_call_function(func, info, 1); --#endif -+ /* -+ * The Coherent Manager propagates address-based cache ops to other -+ * cores but not index-based ops. However, r4k_on_each_cpu is used -+ * in both cases so there is no easy way to tell what kind of op is -+ * executed to the other cores. The best we can probably do is -+ * to restrict that call when a CM is not present because both -+ * CM-based SMP protocols (CMP & CPS) restrict index-based cache ops. -+ */ -+ if (!mips_cm_present()) -+ smp_call_function_many(&cpu_foreign_map, func, info, 1); - func(info); - preempt_enable(); - } -diff --git a/arch/parisc/include/asm/pgalloc.h b/arch/parisc/include/asm/pgalloc.h -index 3a08eae..3edbb9f 100644 ---- a/arch/parisc/include/asm/pgalloc.h -+++ b/arch/parisc/include/asm/pgalloc.h -@@ -72,7 +72,7 @@ static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address) - - static inline void pmd_free(struct mm_struct *mm, pmd_t *pmd) - { -- if(pmd_flag(*pmd) & PxD_FLAG_ATTACHED) -+ if (pmd_flag(*pmd) & PxD_FLAG_ATTACHED) { - /* - * This is the permanent pmd attached to the pgd; - * cannot free it. -@@ -81,6 +81,7 @@ static inline void pmd_free(struct mm_struct *mm, pmd_t *pmd) - */ - mm_inc_nr_pmds(mm); - return; -+ } - free_pages((unsigned long)pmd, PMD_ORDER); - } - -diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h -index 0a18375..f93c4a4 100644 ---- a/arch/parisc/include/asm/pgtable.h -+++ b/arch/parisc/include/asm/pgtable.h -@@ -16,7 +16,7 @@ - #include <asm/processor.h> - #include <asm/cache.h> - --extern spinlock_t pa_dbit_lock; -+extern spinlock_t pa_tlb_lock; - - /* - * kern_addr_valid(ADDR) tests if ADDR is pointing to valid kernel -@@ -33,6 +33,19 @@ extern spinlock_t pa_dbit_lock; - */ - #define kern_addr_valid(addr) (1) - -+/* Purge data and instruction TLB entries. Must be called holding -+ * the pa_tlb_lock. The TLB purge instructions are slow on SMP -+ * machines since the purge must be broadcast to all CPUs. -+ */ -+ -+static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr) -+{ -+ mtsp(mm->context, 1); -+ pdtlb(addr); -+ if (unlikely(split_tlb)) -+ pitlb(addr); -+} -+ - /* Certain architectures need to do special things when PTEs - * within a page table are directly modified. Thus, the following - * hook is made available. -@@ -42,15 +55,20 @@ extern spinlock_t pa_dbit_lock; - *(pteptr) = (pteval); \ - } while(0) - --extern void purge_tlb_entries(struct mm_struct *, unsigned long); -+#define pte_inserted(x) \ -+ ((pte_val(x) & (_PAGE_PRESENT|_PAGE_ACCESSED)) \ -+ == (_PAGE_PRESENT|_PAGE_ACCESSED)) - --#define set_pte_at(mm, addr, ptep, pteval) \ -- do { \ -+#define set_pte_at(mm, addr, ptep, pteval) \ -+ do { \ -+ pte_t old_pte; \ - unsigned long flags; \ -- spin_lock_irqsave(&pa_dbit_lock, flags); \ -- set_pte(ptep, pteval); \ -- purge_tlb_entries(mm, addr); \ -- spin_unlock_irqrestore(&pa_dbit_lock, flags); \ -+ spin_lock_irqsave(&pa_tlb_lock, flags); \ -+ old_pte = *ptep; \ -+ set_pte(ptep, pteval); \ -+ if (pte_inserted(old_pte)) \ -+ purge_tlb_entries(mm, addr); \ -+ spin_unlock_irqrestore(&pa_tlb_lock, flags); \ - } while (0) - - #endif /* !__ASSEMBLY__ */ -@@ -268,7 +286,7 @@ extern unsigned long *empty_zero_page; - - #define pte_none(x) (pte_val(x) == 0) - #define pte_present(x) (pte_val(x) & _PAGE_PRESENT) --#define pte_clear(mm,addr,xp) do { pte_val(*(xp)) = 0; } while (0) -+#define pte_clear(mm, addr, xp) set_pte_at(mm, addr, xp, __pte(0)) - - #define pmd_flag(x) (pmd_val(x) & PxD_FLAG_MASK) - #define pmd_address(x) ((unsigned long)(pmd_val(x) &~ PxD_FLAG_MASK) << PxD_VALUE_SHIFT) -@@ -435,15 +453,15 @@ static inline int ptep_test_and_clear_young(struct vm_area_struct *vma, unsigned - if (!pte_young(*ptep)) - return 0; - -- spin_lock_irqsave(&pa_dbit_lock, flags); -+ spin_lock_irqsave(&pa_tlb_lock, flags); - pte = *ptep; - if (!pte_young(pte)) { -- spin_unlock_irqrestore(&pa_dbit_lock, flags); -+ spin_unlock_irqrestore(&pa_tlb_lock, flags); - return 0; - } - set_pte(ptep, pte_mkold(pte)); - purge_tlb_entries(vma->vm_mm, addr); -- spin_unlock_irqrestore(&pa_dbit_lock, flags); -+ spin_unlock_irqrestore(&pa_tlb_lock, flags); - return 1; - } - -@@ -453,11 +471,12 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, - pte_t old_pte; - unsigned long flags; - -- spin_lock_irqsave(&pa_dbit_lock, flags); -+ spin_lock_irqsave(&pa_tlb_lock, flags); - old_pte = *ptep; -- pte_clear(mm,addr,ptep); -- purge_tlb_entries(mm, addr); -- spin_unlock_irqrestore(&pa_dbit_lock, flags); -+ set_pte(ptep, __pte(0)); -+ if (pte_inserted(old_pte)) -+ purge_tlb_entries(mm, addr); -+ spin_unlock_irqrestore(&pa_tlb_lock, flags); - - return old_pte; - } -@@ -465,10 +484,10 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, - static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long addr, pte_t *ptep) - { - unsigned long flags; -- spin_lock_irqsave(&pa_dbit_lock, flags); -+ spin_lock_irqsave(&pa_tlb_lock, flags); - set_pte(ptep, pte_wrprotect(*ptep)); - purge_tlb_entries(mm, addr); -- spin_unlock_irqrestore(&pa_dbit_lock, flags); -+ spin_unlock_irqrestore(&pa_tlb_lock, flags); - } - - #define pte_same(A,B) (pte_val(A) == pte_val(B)) -diff --git a/arch/parisc/include/asm/tlbflush.h b/arch/parisc/include/asm/tlbflush.h -index 9d086a5..e84b964 100644 ---- a/arch/parisc/include/asm/tlbflush.h -+++ b/arch/parisc/include/asm/tlbflush.h -@@ -13,6 +13,9 @@ - * active at any one time on the Merced bus. This tlb purge - * synchronisation is fairly lightweight and harmless so we activate - * it on all systems not just the N class. -+ -+ * It is also used to ensure PTE updates are atomic and consistent -+ * with the TLB. - */ - extern spinlock_t pa_tlb_lock; - -@@ -24,20 +27,24 @@ extern void flush_tlb_all_local(void *); - - #define smp_flush_tlb_all() flush_tlb_all() - -+int __flush_tlb_range(unsigned long sid, -+ unsigned long start, unsigned long end); -+ -+#define flush_tlb_range(vma, start, end) \ -+ __flush_tlb_range((vma)->vm_mm->context, start, end) -+ -+#define flush_tlb_kernel_range(start, end) \ -+ __flush_tlb_range(0, start, end) -+ - /* - * flush_tlb_mm() - * -- * XXX This code is NOT valid for HP-UX compatibility processes, -- * (although it will probably work 99% of the time). HP-UX -- * processes are free to play with the space id's and save them -- * over long periods of time, etc. so we have to preserve the -- * space and just flush the entire tlb. We need to check the -- * personality in order to do that, but the personality is not -- * currently being set correctly. -- * -- * Of course, Linux processes could do the same thing, but -- * we don't support that (and the compilers, dynamic linker, -- * etc. do not do that). -+ * The code to switch to a new context is NOT valid for processes -+ * which play with the space id's. Thus, we have to preserve the -+ * space and just flush the entire tlb. However, the compilers, -+ * dynamic linker, etc, do not manipulate space id's, so there -+ * could be a significant performance benefit in switching contexts -+ * and not flushing the whole tlb. - */ - - static inline void flush_tlb_mm(struct mm_struct *mm) -@@ -45,10 +52,18 @@ static inline void flush_tlb_mm(struct mm_struct *mm) - BUG_ON(mm == &init_mm); /* Should never happen */ - - #if 1 || defined(CONFIG_SMP) -+ /* Except for very small threads, flushing the whole TLB is -+ * faster than using __flush_tlb_range. The pdtlb and pitlb -+ * instructions are very slow because of the TLB broadcast. -+ * It might be faster to do local range flushes on all CPUs -+ * on PA 2.0 systems. -+ */ - flush_tlb_all(); - #else - /* FIXME: currently broken, causing space id and protection ids -- * to go out of sync, resulting in faults on userspace accesses. -+ * to go out of sync, resulting in faults on userspace accesses. -+ * This approach needs further investigation since running many -+ * small applications (e.g., GCC testsuite) is faster on HP-UX. - */ - if (mm) { - if (mm->context != 0) -@@ -65,22 +80,12 @@ static inline void flush_tlb_page(struct vm_area_struct *vma, - { - unsigned long flags, sid; - -- /* For one page, it's not worth testing the split_tlb variable */ -- -- mb(); - sid = vma->vm_mm->context; - purge_tlb_start(flags); - mtsp(sid, 1); - pdtlb(addr); -- pitlb(addr); -+ if (unlikely(split_tlb)) -+ pitlb(addr); - purge_tlb_end(flags); - } -- --void __flush_tlb_range(unsigned long sid, -- unsigned long start, unsigned long end); -- --#define flush_tlb_range(vma,start,end) __flush_tlb_range((vma)->vm_mm->context,start,end) -- --#define flush_tlb_kernel_range(start, end) __flush_tlb_range(0,start,end) -- - #endif -diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c -index f6448c7..cda6dbb 100644 ---- a/arch/parisc/kernel/cache.c -+++ b/arch/parisc/kernel/cache.c -@@ -342,12 +342,15 @@ EXPORT_SYMBOL(flush_data_cache_local); - EXPORT_SYMBOL(flush_kernel_icache_range_asm); - - #define FLUSH_THRESHOLD 0x80000 /* 0.5MB */ --int parisc_cache_flush_threshold __read_mostly = FLUSH_THRESHOLD; -+static unsigned long parisc_cache_flush_threshold __read_mostly = FLUSH_THRESHOLD; -+ -+#define FLUSH_TLB_THRESHOLD (2*1024*1024) /* 2MB initial TLB threshold */ -+static unsigned long parisc_tlb_flush_threshold __read_mostly = FLUSH_TLB_THRESHOLD; - - void __init parisc_setup_cache_timing(void) - { - unsigned long rangetime, alltime; -- unsigned long size; -+ unsigned long size, start; - - alltime = mfctl(16); - flush_data_cache(); -@@ -364,14 +367,43 @@ void __init parisc_setup_cache_timing(void) - /* Racy, but if we see an intermediate value, it's ok too... */ - parisc_cache_flush_threshold = size * alltime / rangetime; - -- parisc_cache_flush_threshold = (parisc_cache_flush_threshold + L1_CACHE_BYTES - 1) &~ (L1_CACHE_BYTES - 1); -+ parisc_cache_flush_threshold = L1_CACHE_ALIGN(parisc_cache_flush_threshold); - if (!parisc_cache_flush_threshold) - parisc_cache_flush_threshold = FLUSH_THRESHOLD; - - if (parisc_cache_flush_threshold > cache_info.dc_size) - parisc_cache_flush_threshold = cache_info.dc_size; - -- printk(KERN_INFO "Setting cache flush threshold to %x (%d CPUs online)\n", parisc_cache_flush_threshold, num_online_cpus()); -+ printk(KERN_INFO "Setting cache flush threshold to %lu kB\n", -+ parisc_cache_flush_threshold/1024); -+ -+ /* calculate TLB flush threshold */ -+ -+ alltime = mfctl(16); -+ flush_tlb_all(); -+ alltime = mfctl(16) - alltime; -+ -+ size = PAGE_SIZE; -+ start = (unsigned long) _text; -+ rangetime = mfctl(16); -+ while (start < (unsigned long) _end) { -+ flush_tlb_kernel_range(start, start + PAGE_SIZE); -+ start += PAGE_SIZE; -+ size += PAGE_SIZE; -+ } -+ rangetime = mfctl(16) - rangetime; -+ -+ printk(KERN_DEBUG "Whole TLB flush %lu cycles, flushing %lu bytes %lu cycles\n", -+ alltime, size, rangetime); -+ -+ parisc_tlb_flush_threshold = size * alltime / rangetime; -+ parisc_tlb_flush_threshold *= num_online_cpus(); -+ parisc_tlb_flush_threshold = PAGE_ALIGN(parisc_tlb_flush_threshold); -+ if (!parisc_tlb_flush_threshold) -+ parisc_tlb_flush_threshold = FLUSH_TLB_THRESHOLD; -+ -+ printk(KERN_INFO "Setting TLB flush threshold to %lu kB\n", -+ parisc_tlb_flush_threshold/1024); - } - - extern void purge_kernel_dcache_page_asm(unsigned long); -@@ -403,48 +435,45 @@ void copy_user_page(void *vto, void *vfrom, unsigned long vaddr, - } - EXPORT_SYMBOL(copy_user_page); - --void purge_tlb_entries(struct mm_struct *mm, unsigned long addr) --{ -- unsigned long flags; -- -- /* Note: purge_tlb_entries can be called at startup with -- no context. */ -- -- purge_tlb_start(flags); -- mtsp(mm->context, 1); -- pdtlb(addr); -- pitlb(addr); -- purge_tlb_end(flags); --} --EXPORT_SYMBOL(purge_tlb_entries); -- --void __flush_tlb_range(unsigned long sid, unsigned long start, -- unsigned long end) -+/* __flush_tlb_range() -+ * -+ * returns 1 if all TLBs were flushed. -+ */ -+int __flush_tlb_range(unsigned long sid, unsigned long start, -+ unsigned long end) - { -- unsigned long npages; -+ unsigned long flags, size; - -- npages = ((end - (start & PAGE_MASK)) + (PAGE_SIZE - 1)) >> PAGE_SHIFT; -- if (npages >= 512) /* 2MB of space: arbitrary, should be tuned */ -+ size = (end - start); -+ if (size >= parisc_tlb_flush_threshold) { - flush_tlb_all(); -- else { -- unsigned long flags; -+ return 1; -+ } - -+ /* Purge TLB entries for small ranges using the pdtlb and -+ pitlb instructions. These instructions execute locally -+ but cause a purge request to be broadcast to other TLBs. */ -+ if (likely(!split_tlb)) { -+ while (start < end) { -+ purge_tlb_start(flags); -+ mtsp(sid, 1); -+ pdtlb(start); -+ purge_tlb_end(flags); -+ start += PAGE_SIZE; -+ } -+ return 0; -+ } -+ -+ /* split TLB case */ -+ while (start < end) { - purge_tlb_start(flags); - mtsp(sid, 1); -- if (split_tlb) { -- while (npages--) { -- pdtlb(start); -- pitlb(start); -- start += PAGE_SIZE; -- } -- } else { -- while (npages--) { -- pdtlb(start); -- start += PAGE_SIZE; -- } -- } -+ pdtlb(start); -+ pitlb(start); - purge_tlb_end(flags); -+ start += PAGE_SIZE; - } -+ return 0; - } - - static void cacheflush_h_tmp_function(void *dummy) -diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S -index 7581961..c5ef408 100644 ---- a/arch/parisc/kernel/entry.S -+++ b/arch/parisc/kernel/entry.S -@@ -45,7 +45,7 @@ - .level 2.0 - #endif - -- .import pa_dbit_lock,data -+ .import pa_tlb_lock,data - - /* space_to_prot macro creates a prot id from a space id */ - -@@ -420,8 +420,8 @@ - SHLREG %r9,PxD_VALUE_SHIFT,\pmd - extru \va,31-PAGE_SHIFT,ASM_BITS_PER_PTE,\index - dep %r0,31,PAGE_SHIFT,\pmd /* clear offset */ -- shladd \index,BITS_PER_PTE_ENTRY,\pmd,\pmd -- LDREG %r0(\pmd),\pte /* pmd is now pte */ -+ shladd \index,BITS_PER_PTE_ENTRY,\pmd,\pmd /* pmd is now pte */ -+ LDREG %r0(\pmd),\pte - bb,>=,n \pte,_PAGE_PRESENT_BIT,\fault - .endm - -@@ -453,57 +453,53 @@ - L2_ptep \pgd,\pte,\index,\va,\fault - .endm - -- /* Acquire pa_dbit_lock lock. */ -- .macro dbit_lock spc,tmp,tmp1 -+ /* Acquire pa_tlb_lock lock and recheck page is still present. */ -+ .macro tlb_lock spc,ptp,pte,tmp,tmp1,fault - #ifdef CONFIG_SMP - cmpib,COND(=),n 0,\spc,2f -- load32 PA(pa_dbit_lock),\tmp -+ load32 PA(pa_tlb_lock),\tmp - 1: LDCW 0(\tmp),\tmp1 - cmpib,COND(=) 0,\tmp1,1b - nop -+ LDREG 0(\ptp),\pte -+ bb,<,n \pte,_PAGE_PRESENT_BIT,2f -+ b \fault -+ stw \spc,0(\tmp) - 2: - #endif - .endm - -- /* Release pa_dbit_lock lock without reloading lock address. */ -- .macro dbit_unlock0 spc,tmp -+ /* Release pa_tlb_lock lock without reloading lock address. */ -+ .macro tlb_unlock0 spc,tmp - #ifdef CONFIG_SMP - or,COND(=) %r0,\spc,%r0 - stw \spc,0(\tmp) - #endif - .endm - -- /* Release pa_dbit_lock lock. */ -- .macro dbit_unlock1 spc,tmp -+ /* Release pa_tlb_lock lock. */ -+ .macro tlb_unlock1 spc,tmp - #ifdef CONFIG_SMP -- load32 PA(pa_dbit_lock),\tmp -- dbit_unlock0 \spc,\tmp -+ load32 PA(pa_tlb_lock),\tmp -+ tlb_unlock0 \spc,\tmp - #endif - .endm - - /* Set the _PAGE_ACCESSED bit of the PTE. Be clever and - * don't needlessly dirty the cache line if it was already set */ -- .macro update_ptep spc,ptep,pte,tmp,tmp1 --#ifdef CONFIG_SMP -- or,COND(=) %r0,\spc,%r0 -- LDREG 0(\ptep),\pte --#endif -+ .macro update_accessed ptp,pte,tmp,tmp1 - ldi _PAGE_ACCESSED,\tmp1 - or \tmp1,\pte,\tmp - and,COND(<>) \tmp1,\pte,%r0 -- STREG \tmp,0(\ptep) -+ STREG \tmp,0(\ptp) - .endm - - /* Set the dirty bit (and accessed bit). No need to be - * clever, this is only used from the dirty fault */ -- .macro update_dirty spc,ptep,pte,tmp --#ifdef CONFIG_SMP -- or,COND(=) %r0,\spc,%r0 -- LDREG 0(\ptep),\pte --#endif -+ .macro update_dirty ptp,pte,tmp - ldi _PAGE_ACCESSED|_PAGE_DIRTY,\tmp - or \tmp,\pte,\pte -- STREG \pte,0(\ptep) -+ STREG \pte,0(\ptp) - .endm - - /* bitshift difference between a PFN (based on kernel's PAGE_SIZE) -@@ -1148,14 +1144,14 @@ dtlb_miss_20w: - - L3_ptep ptp,pte,t0,va,dtlb_check_alias_20w - -- dbit_lock spc,t0,t1 -- update_ptep spc,ptp,pte,t0,t1 -+ tlb_lock spc,ptp,pte,t0,t1,dtlb_check_alias_20w -+ update_accessed ptp,pte,t0,t1 - - make_insert_tlb spc,pte,prot - - idtlbt pte,prot -- dbit_unlock1 spc,t0 - -+ tlb_unlock1 spc,t0 - rfir - nop - -@@ -1174,14 +1170,14 @@ nadtlb_miss_20w: - - L3_ptep ptp,pte,t0,va,nadtlb_check_alias_20w - -- dbit_lock spc,t0,t1 -- update_ptep spc,ptp,pte,t0,t1 -+ tlb_lock spc,ptp,pte,t0,t1,nadtlb_check_alias_20w -+ update_accessed ptp,pte,t0,t1 - - make_insert_tlb spc,pte,prot - - idtlbt pte,prot -- dbit_unlock1 spc,t0 - -+ tlb_unlock1 spc,t0 - rfir - nop - -@@ -1202,20 +1198,20 @@ dtlb_miss_11: - - L2_ptep ptp,pte,t0,va,dtlb_check_alias_11 - -- dbit_lock spc,t0,t1 -- update_ptep spc,ptp,pte,t0,t1 -+ tlb_lock spc,ptp,pte,t0,t1,dtlb_check_alias_11 -+ update_accessed ptp,pte,t0,t1 - - make_insert_tlb_11 spc,pte,prot - -- mfsp %sr1,t0 /* Save sr1 so we can use it in tlb inserts */ -+ mfsp %sr1,t1 /* Save sr1 so we can use it in tlb inserts */ - mtsp spc,%sr1 - - idtlba pte,(%sr1,va) - idtlbp prot,(%sr1,va) - -- mtsp t0, %sr1 /* Restore sr1 */ -- dbit_unlock1 spc,t0 -+ mtsp t1, %sr1 /* Restore sr1 */ - -+ tlb_unlock1 spc,t0 - rfir - nop - -@@ -1235,21 +1231,20 @@ nadtlb_miss_11: - - L2_ptep ptp,pte,t0,va,nadtlb_check_alias_11 - -- dbit_lock spc,t0,t1 -- update_ptep spc,ptp,pte,t0,t1 -+ tlb_lock spc,ptp,pte,t0,t1,nadtlb_check_alias_11 -+ update_accessed ptp,pte,t0,t1 - - make_insert_tlb_11 spc,pte,prot - -- -- mfsp %sr1,t0 /* Save sr1 so we can use it in tlb inserts */ -+ mfsp %sr1,t1 /* Save sr1 so we can use it in tlb inserts */ - mtsp spc,%sr1 - - idtlba pte,(%sr1,va) - idtlbp prot,(%sr1,va) - -- mtsp t0, %sr1 /* Restore sr1 */ -- dbit_unlock1 spc,t0 -+ mtsp t1, %sr1 /* Restore sr1 */ - -+ tlb_unlock1 spc,t0 - rfir - nop - -@@ -1269,16 +1264,16 @@ dtlb_miss_20: - - L2_ptep ptp,pte,t0,va,dtlb_check_alias_20 - -- dbit_lock spc,t0,t1 -- update_ptep spc,ptp,pte,t0,t1 -+ tlb_lock spc,ptp,pte,t0,t1,dtlb_check_alias_20 -+ update_accessed ptp,pte,t0,t1 - - make_insert_tlb spc,pte,prot - -- f_extend pte,t0 -+ f_extend pte,t1 - - idtlbt pte,prot -- dbit_unlock1 spc,t0 - -+ tlb_unlock1 spc,t0 - rfir - nop - -@@ -1297,16 +1292,16 @@ nadtlb_miss_20: - - L2_ptep ptp,pte,t0,va,nadtlb_check_alias_20 - -- dbit_lock spc,t0,t1 -- update_ptep spc,ptp,pte,t0,t1 -+ tlb_lock spc,ptp,pte,t0,t1,nadtlb_check_alias_20 -+ update_accessed ptp,pte,t0,t1 - - make_insert_tlb spc,pte,prot - -- f_extend pte,t0 -+ f_extend pte,t1 - -- idtlbt pte,prot -- dbit_unlock1 spc,t0 -+ idtlbt pte,prot - -+ tlb_unlock1 spc,t0 - rfir - nop - -@@ -1406,14 +1401,14 @@ itlb_miss_20w: - - L3_ptep ptp,pte,t0,va,itlb_fault - -- dbit_lock spc,t0,t1 -- update_ptep spc,ptp,pte,t0,t1 -+ tlb_lock spc,ptp,pte,t0,t1,itlb_fault -+ update_accessed ptp,pte,t0,t1 - - make_insert_tlb spc,pte,prot - - iitlbt pte,prot -- dbit_unlock1 spc,t0 - -+ tlb_unlock1 spc,t0 - rfir - nop - -@@ -1430,14 +1425,14 @@ naitlb_miss_20w: - - L3_ptep ptp,pte,t0,va,naitlb_check_alias_20w - -- dbit_lock spc,t0,t1 -- update_ptep spc,ptp,pte,t0,t1 -+ tlb_lock spc,ptp,pte,t0,t1,naitlb_check_alias_20w -+ update_accessed ptp,pte,t0,t1 - - make_insert_tlb spc,pte,prot - - iitlbt pte,prot -- dbit_unlock1 spc,t0 - -+ tlb_unlock1 spc,t0 - rfir - nop - -@@ -1458,20 +1453,20 @@ itlb_miss_11: - - L2_ptep ptp,pte,t0,va,itlb_fault - -- dbit_lock spc,t0,t1 -- update_ptep spc,ptp,pte,t0,t1 -+ tlb_lock spc,ptp,pte,t0,t1,itlb_fault -+ update_accessed ptp,pte,t0,t1 - - make_insert_tlb_11 spc,pte,prot - -- mfsp %sr1,t0 /* Save sr1 so we can use it in tlb inserts */ -+ mfsp %sr1,t1 /* Save sr1 so we can use it in tlb inserts */ - mtsp spc,%sr1 - - iitlba pte,(%sr1,va) - iitlbp prot,(%sr1,va) - -- mtsp t0, %sr1 /* Restore sr1 */ -- dbit_unlock1 spc,t0 -+ mtsp t1, %sr1 /* Restore sr1 */ - -+ tlb_unlock1 spc,t0 - rfir - nop - -@@ -1482,20 +1477,20 @@ naitlb_miss_11: - - L2_ptep ptp,pte,t0,va,naitlb_check_alias_11 - -- dbit_lock spc,t0,t1 -- update_ptep spc,ptp,pte,t0,t1 -+ tlb_lock spc,ptp,pte,t0,t1,naitlb_check_alias_11 -+ update_accessed ptp,pte,t0,t1 - - make_insert_tlb_11 spc,pte,prot - -- mfsp %sr1,t0 /* Save sr1 so we can use it in tlb inserts */ -+ mfsp %sr1,t1 /* Save sr1 so we can use it in tlb inserts */ - mtsp spc,%sr1 - - iitlba pte,(%sr1,va) - iitlbp prot,(%sr1,va) - -- mtsp t0, %sr1 /* Restore sr1 */ -- dbit_unlock1 spc,t0 -+ mtsp t1, %sr1 /* Restore sr1 */ - -+ tlb_unlock1 spc,t0 - rfir - nop - -@@ -1516,16 +1511,16 @@ itlb_miss_20: - - L2_ptep ptp,pte,t0,va,itlb_fault - -- dbit_lock spc,t0,t1 -- update_ptep spc,ptp,pte,t0,t1 -+ tlb_lock spc,ptp,pte,t0,t1,itlb_fault -+ update_accessed ptp,pte,t0,t1 - - make_insert_tlb spc,pte,prot - -- f_extend pte,t0 -+ f_extend pte,t1 - - iitlbt pte,prot -- dbit_unlock1 spc,t0 - -+ tlb_unlock1 spc,t0 - rfir - nop - -@@ -1536,16 +1531,16 @@ naitlb_miss_20: - - L2_ptep ptp,pte,t0,va,naitlb_check_alias_20 - -- dbit_lock spc,t0,t1 -- update_ptep spc,ptp,pte,t0,t1 -+ tlb_lock spc,ptp,pte,t0,t1,naitlb_check_alias_20 -+ update_accessed ptp,pte,t0,t1 - - make_insert_tlb spc,pte,prot - -- f_extend pte,t0 -+ f_extend pte,t1 - - iitlbt pte,prot -- dbit_unlock1 spc,t0 - -+ tlb_unlock1 spc,t0 - rfir - nop - -@@ -1568,14 +1563,14 @@ dbit_trap_20w: - - L3_ptep ptp,pte,t0,va,dbit_fault - -- dbit_lock spc,t0,t1 -- update_dirty spc,ptp,pte,t1 -+ tlb_lock spc,ptp,pte,t0,t1,dbit_fault -+ update_dirty ptp,pte,t1 - - make_insert_tlb spc,pte,prot - - idtlbt pte,prot -- dbit_unlock0 spc,t0 - -+ tlb_unlock0 spc,t0 - rfir - nop - #else -@@ -1588,8 +1583,8 @@ dbit_trap_11: - - L2_ptep ptp,pte,t0,va,dbit_fault - -- dbit_lock spc,t0,t1 -- update_dirty spc,ptp,pte,t1 -+ tlb_lock spc,ptp,pte,t0,t1,dbit_fault -+ update_dirty ptp,pte,t1 - - make_insert_tlb_11 spc,pte,prot - -@@ -1600,8 +1595,8 @@ dbit_trap_11: - idtlbp prot,(%sr1,va) - - mtsp t1, %sr1 /* Restore sr1 */ -- dbit_unlock0 spc,t0 - -+ tlb_unlock0 spc,t0 - rfir - nop - -@@ -1612,16 +1607,16 @@ dbit_trap_20: - - L2_ptep ptp,pte,t0,va,dbit_fault - -- dbit_lock spc,t0,t1 -- update_dirty spc,ptp,pte,t1 -+ tlb_lock spc,ptp,pte,t0,t1,dbit_fault -+ update_dirty ptp,pte,t1 - - make_insert_tlb spc,pte,prot - - f_extend pte,t1 - -- idtlbt pte,prot -- dbit_unlock0 spc,t0 -+ idtlbt pte,prot - -+ tlb_unlock0 spc,t0 - rfir - nop - #endif -diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c -index 47ee620..7f67c4c 100644 ---- a/arch/parisc/kernel/traps.c -+++ b/arch/parisc/kernel/traps.c -@@ -43,10 +43,6 @@ - - #include "../math-emu/math-emu.h" /* for handle_fpe() */ - --#if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK) --DEFINE_SPINLOCK(pa_dbit_lock); --#endif -- - static void parisc_show_stack(struct task_struct *task, unsigned long *sp, - struct pt_regs *regs); - -diff --git a/arch/powerpc/kernel/idle_power7.S b/arch/powerpc/kernel/idle_power7.S -index ccde8f0..112ccf4 100644 ---- a/arch/powerpc/kernel/idle_power7.S -+++ b/arch/powerpc/kernel/idle_power7.S -@@ -52,6 +52,22 @@ - .text - - /* -+ * Used by threads when the lock bit of core_idle_state is set. -+ * Threads will spin in HMT_LOW until the lock bit is cleared. -+ * r14 - pointer to core_idle_state -+ * r15 - used to load contents of core_idle_state -+ */ -+ -+core_idle_lock_held: -+ HMT_LOW -+3: lwz r15,0(r14) -+ andi. r15,r15,PNV_CORE_IDLE_LOCK_BIT -+ bne 3b -+ HMT_MEDIUM -+ lwarx r15,0,r14 -+ blr -+ -+/* - * Pass requested state in r3: - * r3 - PNV_THREAD_NAP/SLEEP/WINKLE - * -@@ -150,6 +166,10 @@ power7_enter_nap_mode: - ld r14,PACA_CORE_IDLE_STATE_PTR(r13) - lwarx_loop1: - lwarx r15,0,r14 -+ -+ andi. r9,r15,PNV_CORE_IDLE_LOCK_BIT -+ bnel core_idle_lock_held -+ - andc r15,r15,r7 /* Clear thread bit */ - - andi. r15,r15,PNV_CORE_IDLE_THREAD_BITS -@@ -294,7 +314,7 @@ lwarx_loop2: - * workaround undo code or resyncing timebase or restoring context - * In either case loop until the lock bit is cleared. - */ -- bne core_idle_lock_held -+ bnel core_idle_lock_held - - cmpwi cr2,r15,0 - lbz r4,PACA_SUBCORE_SIBLING_MASK(r13) -@@ -319,15 +339,6 @@ lwarx_loop2: - isync - b common_exit - --core_idle_lock_held: -- HMT_LOW --core_idle_lock_loop: -- lwz r15,0(14) -- andi. r9,r15,PNV_CORE_IDLE_LOCK_BIT -- bne core_idle_lock_loop -- HMT_MEDIUM -- b lwarx_loop2 -- - first_thread_in_subcore: - /* First thread in subcore to wakeup */ - ori r15,r15,PNV_CORE_IDLE_LOCK_BIT -diff --git a/arch/s390/include/asm/ctl_reg.h b/arch/s390/include/asm/ctl_reg.h -index cfad7fca..d7697ab 100644 ---- a/arch/s390/include/asm/ctl_reg.h -+++ b/arch/s390/include/asm/ctl_reg.h -@@ -57,7 +57,10 @@ union ctlreg0 { - unsigned long lap : 1; /* Low-address-protection control */ - unsigned long : 4; - unsigned long edat : 1; /* Enhanced-DAT-enablement control */ -- unsigned long : 23; -+ unsigned long : 4; -+ unsigned long afp : 1; /* AFP-register control */ -+ unsigned long vx : 1; /* Vector enablement control */ -+ unsigned long : 17; - }; - }; - -diff --git a/arch/s390/kernel/cache.c b/arch/s390/kernel/cache.c -index bff5e3b..8ba3243 100644 ---- a/arch/s390/kernel/cache.c -+++ b/arch/s390/kernel/cache.c -@@ -138,6 +138,8 @@ int init_cache_level(unsigned int cpu) - union cache_topology ct; - enum cache_type ctype; - -+ if (!test_facility(34)) -+ return -EOPNOTSUPP; - if (!this_cpu_ci) - return -EINVAL; - ct.raw = ecag(EXTRACT_TOPOLOGY, 0, 0); -diff --git a/arch/s390/kernel/nmi.c b/arch/s390/kernel/nmi.c -index 505c17c..56b5508 100644 ---- a/arch/s390/kernel/nmi.c -+++ b/arch/s390/kernel/nmi.c -@@ -21,6 +21,7 @@ - #include <asm/nmi.h> - #include <asm/crw.h> - #include <asm/switch_to.h> -+#include <asm/ctl_reg.h> - - struct mcck_struct { - int kill_task; -@@ -129,26 +130,30 @@ static int notrace s390_revalidate_registers(struct mci *mci) - } else - asm volatile("lfpc 0(%0)" : : "a" (fpt_creg_save_area)); - -- asm volatile( -- " ld 0,0(%0)\n" -- " ld 1,8(%0)\n" -- " ld 2,16(%0)\n" -- " ld 3,24(%0)\n" -- " ld 4,32(%0)\n" -- " ld 5,40(%0)\n" -- " ld 6,48(%0)\n" -- " ld 7,56(%0)\n" -- " ld 8,64(%0)\n" -- " ld 9,72(%0)\n" -- " ld 10,80(%0)\n" -- " ld 11,88(%0)\n" -- " ld 12,96(%0)\n" -- " ld 13,104(%0)\n" -- " ld 14,112(%0)\n" -- " ld 15,120(%0)\n" -- : : "a" (fpt_save_area)); -- /* Revalidate vector registers */ -- if (MACHINE_HAS_VX && current->thread.vxrs) { -+ if (!MACHINE_HAS_VX) { -+ /* Revalidate floating point registers */ -+ asm volatile( -+ " ld 0,0(%0)\n" -+ " ld 1,8(%0)\n" -+ " ld 2,16(%0)\n" -+ " ld 3,24(%0)\n" -+ " ld 4,32(%0)\n" -+ " ld 5,40(%0)\n" -+ " ld 6,48(%0)\n" -+ " ld 7,56(%0)\n" -+ " ld 8,64(%0)\n" -+ " ld 9,72(%0)\n" -+ " ld 10,80(%0)\n" -+ " ld 11,88(%0)\n" -+ " ld 12,96(%0)\n" -+ " ld 13,104(%0)\n" -+ " ld 14,112(%0)\n" -+ " ld 15,120(%0)\n" -+ : : "a" (fpt_save_area)); -+ } else { -+ /* Revalidate vector registers */ -+ union ctlreg0 cr0; -+ - if (!mci->vr) { - /* - * Vector registers can't be restored and therefore -@@ -156,8 +161,12 @@ static int notrace s390_revalidate_registers(struct mci *mci) - */ - kill_task = 1; - } -+ cr0.val = S390_lowcore.cregs_save_area[0]; -+ cr0.afp = cr0.vx = 1; -+ __ctl_load(cr0.val, 0, 0); - restore_vx_regs((__vector128 *) -- S390_lowcore.vector_save_area_addr); -+ &S390_lowcore.vector_save_area); -+ __ctl_load(S390_lowcore.cregs_save_area[0], 0, 0); - } - /* Revalidate access registers */ - asm volatile( -diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c -index dc5edc2..8f587d8 100644 ---- a/arch/s390/kernel/process.c -+++ b/arch/s390/kernel/process.c -@@ -163,7 +163,7 @@ int copy_thread(unsigned long clone_flags, unsigned long new_stackp, - asmlinkage void execve_tail(void) - { - current->thread.fp_regs.fpc = 0; -- asm volatile("sfpc %0,%0" : : "d" (0)); -+ asm volatile("sfpc %0" : : "d" (0)); - } - - /* -diff --git a/arch/s390/kernel/sclp.S b/arch/s390/kernel/sclp.S -index 43c3169..ada0c07 100644 ---- a/arch/s390/kernel/sclp.S -+++ b/arch/s390/kernel/sclp.S -@@ -270,6 +270,8 @@ ENTRY(_sclp_print_early) - jno .Lesa2 - ahi %r15,-80 - stmh %r6,%r15,96(%r15) # store upper register halves -+ basr %r13,0 -+ lmh %r0,%r15,.Lzeroes-.(%r13) # clear upper register halves - .Lesa2: - lr %r10,%r2 # save string pointer - lhi %r2,0 -@@ -291,6 +293,8 @@ ENTRY(_sclp_print_early) - .Lesa3: - lm %r6,%r15,120(%r15) # restore registers - br %r14 -+.Lzeroes: -+ .fill 64,4,0 - - .LwritedataS4: - .long 0x00760005 # SCLP command for write data -diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c -index 9afb9d6..dc2d7aa 100644 ---- a/arch/s390/net/bpf_jit_comp.c -+++ b/arch/s390/net/bpf_jit_comp.c -@@ -415,13 +415,13 @@ static void bpf_jit_prologue(struct bpf_jit *jit) - EMIT6_DISP_LH(0xe3000000, 0x0004, REG_SKB_DATA, REG_0, - BPF_REG_1, offsetof(struct sk_buff, data)); - } -- /* BPF compatibility: clear A (%b7) and X (%b8) registers */ -- if (REG_SEEN(BPF_REG_7)) -- /* lghi %b7,0 */ -- EMIT4_IMM(0xa7090000, BPF_REG_7, 0); -- if (REG_SEEN(BPF_REG_8)) -- /* lghi %b8,0 */ -- EMIT4_IMM(0xa7090000, BPF_REG_8, 0); -+ /* BPF compatibility: clear A (%b0) and X (%b7) registers */ -+ if (REG_SEEN(BPF_REG_A)) -+ /* lghi %ba,0 */ -+ EMIT4_IMM(0xa7090000, BPF_REG_A, 0); -+ if (REG_SEEN(BPF_REG_X)) -+ /* lghi %bx,0 */ -+ EMIT4_IMM(0xa7090000, BPF_REG_X, 0); - } - - /* -diff --git a/arch/tile/kernel/setup.c b/arch/tile/kernel/setup.c -index d366675..396b5c9 100644 ---- a/arch/tile/kernel/setup.c -+++ b/arch/tile/kernel/setup.c -@@ -1139,7 +1139,7 @@ static void __init load_hv_initrd(void) - - void __init free_initrd_mem(unsigned long begin, unsigned long end) - { -- free_bootmem(__pa(begin), end - begin); -+ free_bootmem_late(__pa(begin), end - begin); - } - - static int __init setup_initrd(char *str) -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 48304b8..0cdc154 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -1193,6 +1193,10 @@ static efi_status_t setup_e820(struct boot_params *params, - unsigned int e820_type = 0; - unsigned long m = efi->efi_memmap; - -+#ifdef CONFIG_X86_64 -+ m |= (u64)efi->efi_memmap_hi << 32; -+#endif -+ - d = (efi_memory_desc_t *)(m + (i * efi->efi_memdesc_size)); - switch (d->type) { - case EFI_RESERVED_TYPE: -diff --git a/arch/x86/include/asm/kasan.h b/arch/x86/include/asm/kasan.h -index 8b22422..74a2a8d 100644 ---- a/arch/x86/include/asm/kasan.h -+++ b/arch/x86/include/asm/kasan.h -@@ -14,15 +14,11 @@ - - #ifndef __ASSEMBLY__ - --extern pte_t kasan_zero_pte[]; --extern pte_t kasan_zero_pmd[]; --extern pte_t kasan_zero_pud[]; -- - #ifdef CONFIG_KASAN --void __init kasan_map_early_shadow(pgd_t *pgd); -+void __init kasan_early_init(void); - void __init kasan_init(void); - #else --static inline void kasan_map_early_shadow(pgd_t *pgd) { } -+static inline void kasan_early_init(void) { } - static inline void kasan_init(void) { } - #endif - -diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h -index 883f6b9..e997f70 100644 ---- a/arch/x86/include/asm/mmu_context.h -+++ b/arch/x86/include/asm/mmu_context.h -@@ -23,7 +23,7 @@ extern struct static_key rdpmc_always_available; - - static inline void load_mm_cr4(struct mm_struct *mm) - { -- if (static_key_true(&rdpmc_always_available) || -+ if (static_key_false(&rdpmc_always_available) || - atomic_read(&mm->context.perf_rdpmc_allowed)) - cr4_set_bits(X86_CR4_PCE); - else -diff --git a/arch/x86/kernel/cpu/perf_event_intel_cqm.c b/arch/x86/kernel/cpu/perf_event_intel_cqm.c -index e4d1b8b..cb77b11 100644 ---- a/arch/x86/kernel/cpu/perf_event_intel_cqm.c -+++ b/arch/x86/kernel/cpu/perf_event_intel_cqm.c -@@ -934,6 +934,14 @@ static u64 intel_cqm_event_count(struct perf_event *event) - return 0; - - /* -+ * Getting up-to-date values requires an SMP IPI which is not -+ * possible if we're being called in interrupt context. Return -+ * the cached values instead. -+ */ -+ if (unlikely(in_interrupt())) -+ goto out; -+ -+ /* - * Notice that we don't perform the reading of an RMID - * atomically, because we can't hold a spin lock across the - * IPIs. -diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c -index 5a46681..f129a9a 100644 ---- a/arch/x86/kernel/head64.c -+++ b/arch/x86/kernel/head64.c -@@ -161,11 +161,12 @@ asmlinkage __visible void __init x86_64_start_kernel(char * real_mode_data) - /* Kill off the identity-map trampoline */ - reset_early_page_tables(); - -- kasan_map_early_shadow(early_level4_pgt); -- -- /* clear bss before set_intr_gate with early_idt_handler */ - clear_bss(); - -+ clear_page(init_level4_pgt); -+ -+ kasan_early_init(); -+ - for (i = 0; i < NUM_EXCEPTION_VECTORS; i++) - set_intr_gate(i, early_idt_handler_array[i]); - load_idt((const struct desc_ptr *)&idt_descr); -@@ -177,12 +178,9 @@ asmlinkage __visible void __init x86_64_start_kernel(char * real_mode_data) - */ - load_ucode_bsp(); - -- clear_page(init_level4_pgt); - /* set init_level4_pgt kernel high mapping*/ - init_level4_pgt[511] = early_level4_pgt[511]; - -- kasan_map_early_shadow(init_level4_pgt); -- - x86_64_start_reservations(real_mode_data); - } - -diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index df7e780..7e5da2c 100644 ---- a/arch/x86/kernel/head_64.S -+++ b/arch/x86/kernel/head_64.S -@@ -516,38 +516,9 @@ ENTRY(phys_base) - /* This must match the first entry in level2_kernel_pgt */ - .quad 0x0000000000000000 - --#ifdef CONFIG_KASAN --#define FILL(VAL, COUNT) \ -- .rept (COUNT) ; \ -- .quad (VAL) ; \ -- .endr -- --NEXT_PAGE(kasan_zero_pte) -- FILL(kasan_zero_page - __START_KERNEL_map + _KERNPG_TABLE, 512) --NEXT_PAGE(kasan_zero_pmd) -- FILL(kasan_zero_pte - __START_KERNEL_map + _KERNPG_TABLE, 512) --NEXT_PAGE(kasan_zero_pud) -- FILL(kasan_zero_pmd - __START_KERNEL_map + _KERNPG_TABLE, 512) -- --#undef FILL --#endif -- -- - #include "../../x86/xen/xen-head.S" - - __PAGE_ALIGNED_BSS - NEXT_PAGE(empty_zero_page) - .skip PAGE_SIZE - --#ifdef CONFIG_KASAN --/* -- * This page used as early shadow. We don't use empty_zero_page -- * at early stages, stack instrumentation could write some garbage -- * to this page. -- * Latter we reuse it as zero shadow for large ranges of memory -- * that allowed to access, but not instrumented by kasan -- * (vmalloc/vmemmap ...). -- */ --NEXT_PAGE(kasan_zero_page) -- .skip PAGE_SIZE --#endif -diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c -index 4860906..9a54dbe 100644 ---- a/arch/x86/mm/kasan_init_64.c -+++ b/arch/x86/mm/kasan_init_64.c -@@ -11,7 +11,19 @@ - extern pgd_t early_level4_pgt[PTRS_PER_PGD]; - extern struct range pfn_mapped[E820_X_MAX]; - --extern unsigned char kasan_zero_page[PAGE_SIZE]; -+static pud_t kasan_zero_pud[PTRS_PER_PUD] __page_aligned_bss; -+static pmd_t kasan_zero_pmd[PTRS_PER_PMD] __page_aligned_bss; -+static pte_t kasan_zero_pte[PTRS_PER_PTE] __page_aligned_bss; -+ -+/* -+ * This page used as early shadow. We don't use empty_zero_page -+ * at early stages, stack instrumentation could write some garbage -+ * to this page. -+ * Latter we reuse it as zero shadow for large ranges of memory -+ * that allowed to access, but not instrumented by kasan -+ * (vmalloc/vmemmap ...). -+ */ -+static unsigned char kasan_zero_page[PAGE_SIZE] __page_aligned_bss; - - static int __init map_range(struct range *range) - { -@@ -36,7 +48,7 @@ static void __init clear_pgds(unsigned long start, - pgd_clear(pgd_offset_k(start)); - } - --void __init kasan_map_early_shadow(pgd_t *pgd) -+static void __init kasan_map_early_shadow(pgd_t *pgd) - { - int i; - unsigned long start = KASAN_SHADOW_START; -@@ -73,7 +85,7 @@ static int __init zero_pmd_populate(pud_t *pud, unsigned long addr, - while (IS_ALIGNED(addr, PMD_SIZE) && addr + PMD_SIZE <= end) { - WARN_ON(!pmd_none(*pmd)); - set_pmd(pmd, __pmd(__pa_nodebug(kasan_zero_pte) -- | __PAGE_KERNEL_RO)); -+ | _KERNPG_TABLE)); - addr += PMD_SIZE; - pmd = pmd_offset(pud, addr); - } -@@ -99,7 +111,7 @@ static int __init zero_pud_populate(pgd_t *pgd, unsigned long addr, - while (IS_ALIGNED(addr, PUD_SIZE) && addr + PUD_SIZE <= end) { - WARN_ON(!pud_none(*pud)); - set_pud(pud, __pud(__pa_nodebug(kasan_zero_pmd) -- | __PAGE_KERNEL_RO)); -+ | _KERNPG_TABLE)); - addr += PUD_SIZE; - pud = pud_offset(pgd, addr); - } -@@ -124,7 +136,7 @@ static int __init zero_pgd_populate(unsigned long addr, unsigned long end) - while (IS_ALIGNED(addr, PGDIR_SIZE) && addr + PGDIR_SIZE <= end) { - WARN_ON(!pgd_none(*pgd)); - set_pgd(pgd, __pgd(__pa_nodebug(kasan_zero_pud) -- | __PAGE_KERNEL_RO)); -+ | _KERNPG_TABLE)); - addr += PGDIR_SIZE; - pgd = pgd_offset_k(addr); - } -@@ -166,6 +178,26 @@ static struct notifier_block kasan_die_notifier = { - }; - #endif - -+void __init kasan_early_init(void) -+{ -+ int i; -+ pteval_t pte_val = __pa_nodebug(kasan_zero_page) | __PAGE_KERNEL; -+ pmdval_t pmd_val = __pa_nodebug(kasan_zero_pte) | _KERNPG_TABLE; -+ pudval_t pud_val = __pa_nodebug(kasan_zero_pmd) | _KERNPG_TABLE; -+ -+ for (i = 0; i < PTRS_PER_PTE; i++) -+ kasan_zero_pte[i] = __pte(pte_val); -+ -+ for (i = 0; i < PTRS_PER_PMD; i++) -+ kasan_zero_pmd[i] = __pmd(pmd_val); -+ -+ for (i = 0; i < PTRS_PER_PUD; i++) -+ kasan_zero_pud[i] = __pud(pud_val); -+ -+ kasan_map_early_shadow(early_level4_pgt); -+ kasan_map_early_shadow(init_level4_pgt); -+} -+ - void __init kasan_init(void) - { - int i; -@@ -176,6 +208,7 @@ void __init kasan_init(void) - - memcpy(early_level4_pgt, init_level4_pgt, sizeof(early_level4_pgt)); - load_cr3(early_level4_pgt); -+ __flush_tlb_all(); - - clear_pgds(KASAN_SHADOW_START, KASAN_SHADOW_END); - -@@ -202,5 +235,6 @@ void __init kasan_init(void) - memset(kasan_zero_page, 0, PAGE_SIZE); - - load_cr3(init_level4_pgt); -+ __flush_tlb_all(); - init_task.kasan_depth = 0; - } -diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c -index 3250f23..90b924a 100644 ---- a/arch/x86/mm/tlb.c -+++ b/arch/x86/mm/tlb.c -@@ -117,7 +117,7 @@ static void flush_tlb_func(void *info) - } else { - unsigned long addr; - unsigned long nr_pages = -- f->flush_end - f->flush_start / PAGE_SIZE; -+ (f->flush_end - f->flush_start) / PAGE_SIZE; - addr = f->flush_start; - while (addr < f->flush_end) { - __flush_tlb_single(addr); -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index 02744df..841ea05 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -946,6 +946,11 @@ u64 efi_mem_attributes(unsigned long phys_addr) - - static int __init arch_parse_efi_cmdline(char *str) - { -+ if (!str) { -+ pr_warn("need at least one option\n"); -+ return -EINVAL; -+ } -+ - if (parse_option_str(str, "old_map")) - set_bit(EFI_OLD_MEMMAP, &efi.flags); - if (parse_option_str(str, "debug")) -diff --git a/block/bio-integrity.c b/block/bio-integrity.c -index 5cbd5d9..39ce74d 100644 ---- a/block/bio-integrity.c -+++ b/block/bio-integrity.c -@@ -51,7 +51,7 @@ struct bio_integrity_payload *bio_integrity_alloc(struct bio *bio, - unsigned long idx = BIO_POOL_NONE; - unsigned inline_vecs; - -- if (!bs) { -+ if (!bs || !bs->bio_integrity_pool) { - bip = kmalloc(sizeof(struct bio_integrity_payload) + - sizeof(struct bio_vec) * nr_vecs, gfp_mask); - inline_vecs = nr_vecs; -@@ -104,7 +104,7 @@ void bio_integrity_free(struct bio *bio) - kfree(page_address(bip->bip_vec->bv_page) + - bip->bip_vec->bv_offset); - -- if (bs) { -+ if (bs && bs->bio_integrity_pool) { - if (bip->bip_slab != BIO_POOL_NONE) - bvec_free(bs->bvec_integrity_pool, bip->bip_vec, - bip->bip_slab); -diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c -index 0ac817b..6817e28 100644 ---- a/block/blk-cgroup.c -+++ b/block/blk-cgroup.c -@@ -716,8 +716,12 @@ int blkg_conf_prep(struct blkcg *blkcg, const struct blkcg_policy *pol, - return -EINVAL; - - disk = get_gendisk(MKDEV(major, minor), &part); -- if (!disk || part) -+ if (!disk) - return -EINVAL; -+ if (part) { -+ put_disk(disk); -+ return -EINVAL; -+ } - - rcu_read_lock(); - spin_lock_irq(disk->queue->queue_lock); -diff --git a/block/blk-mq.c b/block/blk-mq.c -index 594eea0..2dc1fd6 100644 ---- a/block/blk-mq.c -+++ b/block/blk-mq.c -@@ -1968,7 +1968,7 @@ struct request_queue *blk_mq_init_allocated_queue(struct blk_mq_tag_set *set, - goto err_hctxs; - - setup_timer(&q->timeout, blk_mq_rq_timer, (unsigned long) q); -- blk_queue_rq_timeout(q, set->timeout ? set->timeout : 30000); -+ blk_queue_rq_timeout(q, set->timeout ? set->timeout : 30 * HZ); - - q->nr_queues = nr_cpu_ids; - q->nr_hw_queues = set->nr_hw_queues; -diff --git a/drivers/ata/libata-pmp.c b/drivers/ata/libata-pmp.c -index 7ccc084..85aa761 100644 ---- a/drivers/ata/libata-pmp.c -+++ b/drivers/ata/libata-pmp.c -@@ -460,6 +460,13 @@ static void sata_pmp_quirks(struct ata_port *ap) - ATA_LFLAG_NO_SRST | - ATA_LFLAG_ASSUME_ATA; - } -+ } else if (vendor == 0x11ab && devid == 0x4140) { -+ /* Marvell 4140 quirks */ -+ ata_for_each_link(link, ap, EDGE) { -+ /* port 4 is for SEMB device and it doesn't like SRST */ -+ if (link->pmp == 4) -+ link->flags |= ATA_LFLAG_DISABLED; -+ } - } - } - -diff --git a/drivers/clk/st/clk-flexgen.c b/drivers/clk/st/clk-flexgen.c -index bf12a25..0f8db28 100644 ---- a/drivers/clk/st/clk-flexgen.c -+++ b/drivers/clk/st/clk-flexgen.c -@@ -303,6 +303,8 @@ void __init st_of_flexgen_setup(struct device_node *np) - if (!rlock) - goto err; - -+ spin_lock_init(rlock); -+ - for (i = 0; i < clk_data->clk_num; i++) { - struct clk *clk; - const char *clk_name; -diff --git a/drivers/clk/st/clkgen-fsyn.c b/drivers/clk/st/clkgen-fsyn.c -index a917c4c..6ae068a 100644 ---- a/drivers/clk/st/clkgen-fsyn.c -+++ b/drivers/clk/st/clkgen-fsyn.c -@@ -340,7 +340,7 @@ static const struct clkgen_quadfs_data st_fs660c32_C_407 = { - CLKGEN_FIELD(0x30c, 0xf, 20), - CLKGEN_FIELD(0x310, 0xf, 20) }, - .lockstatus_present = true, -- .lock_status = CLKGEN_FIELD(0x2A0, 0x1, 24), -+ .lock_status = CLKGEN_FIELD(0x2f0, 0x1, 24), - .powerup_polarity = 1, - .standby_polarity = 1, - .pll_ops = &st_quadfs_pll_c32_ops, -diff --git a/drivers/clk/st/clkgen-mux.c b/drivers/clk/st/clkgen-mux.c -index fdcff10..ef65146 100644 ---- a/drivers/clk/st/clkgen-mux.c -+++ b/drivers/clk/st/clkgen-mux.c -@@ -582,7 +582,7 @@ static struct clkgen_mux_data stih416_a9_mux_data = { - }; - static struct clkgen_mux_data stih407_a9_mux_data = { - .offset = 0x1a4, -- .shift = 1, -+ .shift = 0, - .width = 2, - }; - -diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c -index c45d274..6f9d27f 100644 ---- a/drivers/cpufreq/intel_pstate.c -+++ b/drivers/cpufreq/intel_pstate.c -@@ -678,6 +678,7 @@ static struct cpu_defaults knl_params = { - .get_max = core_get_max_pstate, - .get_min = core_get_min_pstate, - .get_turbo = knl_get_turbo_pstate, -+ .get_scaling = core_get_scaling, - .set = core_set_pstate, - }, - }; -diff --git a/drivers/crypto/omap-des.c b/drivers/crypto/omap-des.c -index 4630709..0a70e46 100644 ---- a/drivers/crypto/omap-des.c -+++ b/drivers/crypto/omap-des.c -@@ -536,9 +536,6 @@ static int omap_des_crypt_dma_stop(struct omap_des_dev *dd) - dmaengine_terminate_all(dd->dma_lch_in); - dmaengine_terminate_all(dd->dma_lch_out); - -- dma_unmap_sg(dd->dev, dd->in_sg, dd->in_sg_len, DMA_TO_DEVICE); -- dma_unmap_sg(dd->dev, dd->out_sg, dd->out_sg_len, DMA_FROM_DEVICE); -- - return err; - } - -diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c -index 4fd9961..d425374 100644 ---- a/drivers/firmware/efi/cper.c -+++ b/drivers/firmware/efi/cper.c -@@ -305,10 +305,17 @@ const char *cper_mem_err_unpack(struct trace_seq *p, - return ret; - } - --static void cper_print_mem(const char *pfx, const struct cper_sec_mem_err *mem) -+static void cper_print_mem(const char *pfx, const struct cper_sec_mem_err *mem, -+ int len) - { - struct cper_mem_err_compact cmem; - -+ /* Don't trust UEFI 2.1/2.2 structure with bad validation bits */ -+ if (len == sizeof(struct cper_sec_mem_err_old) && -+ (mem->validation_bits & ~(CPER_MEM_VALID_RANK_NUMBER - 1))) { -+ pr_err(FW_WARN "valid bits set for fields beyond structure\n"); -+ return; -+ } - if (mem->validation_bits & CPER_MEM_VALID_ERROR_STATUS) - printk("%s""error_status: 0x%016llx\n", pfx, mem->error_status); - if (mem->validation_bits & CPER_MEM_VALID_PA) -@@ -405,8 +412,10 @@ static void cper_estatus_print_section( - } else if (!uuid_le_cmp(*sec_type, CPER_SEC_PLATFORM_MEM)) { - struct cper_sec_mem_err *mem_err = (void *)(gdata + 1); - printk("%s""section_type: memory error\n", newpfx); -- if (gdata->error_data_length >= sizeof(*mem_err)) -- cper_print_mem(newpfx, mem_err); -+ if (gdata->error_data_length >= -+ sizeof(struct cper_sec_mem_err_old)) -+ cper_print_mem(newpfx, mem_err, -+ gdata->error_data_length); - else - goto err_section_too_small; - } else if (!uuid_le_cmp(*sec_type, CPER_SEC_PCIE)) { -diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c -index e14363d..63226e9 100644 ---- a/drivers/firmware/efi/efi.c -+++ b/drivers/firmware/efi/efi.c -@@ -57,6 +57,11 @@ bool efi_runtime_disabled(void) - - static int __init parse_efi_cmdline(char *str) - { -+ if (!str) { -+ pr_warn("need at least one option\n"); -+ return -EINVAL; -+ } -+ - if (parse_option_str(str, "noruntime")) - disable_runtime = true; - -diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c -index 8904933..cd6dae0 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_drm.c -+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c -@@ -863,8 +863,10 @@ nouveau_drm_preclose(struct drm_device *dev, struct drm_file *fpriv) - - pm_runtime_get_sync(dev->dev); - -+ mutex_lock(&cli->mutex); - if (cli->abi16) - nouveau_abi16_fini(cli->abi16); -+ mutex_unlock(&cli->mutex); - - mutex_lock(&drm->client.mutex); - list_del(&cli->head); -diff --git a/drivers/gpu/drm/nouveau/nv04_fbcon.c b/drivers/gpu/drm/nouveau/nv04_fbcon.c -index 4ef602c..495c576 100644 ---- a/drivers/gpu/drm/nouveau/nv04_fbcon.c -+++ b/drivers/gpu/drm/nouveau/nv04_fbcon.c -@@ -203,7 +203,7 @@ nv04_fbcon_accel_init(struct fb_info *info) - if (ret) - return ret; - -- if (RING_SPACE(chan, 49)) { -+ if (RING_SPACE(chan, 49 + (device->info.chipset >= 0x11 ? 4 : 0))) { - nouveau_fbcon_gpu_lockup(info); - return 0; - } -diff --git a/drivers/gpu/drm/nouveau/nv50_display.c b/drivers/gpu/drm/nouveau/nv50_display.c -index 7da7958..981342d 100644 ---- a/drivers/gpu/drm/nouveau/nv50_display.c -+++ b/drivers/gpu/drm/nouveau/nv50_display.c -@@ -979,7 +979,7 @@ nv50_crtc_cursor_show_hide(struct nouveau_crtc *nv_crtc, bool show, bool update) - { - struct nv50_mast *mast = nv50_mast(nv_crtc->base.dev); - -- if (show && nv_crtc->cursor.nvbo) -+ if (show && nv_crtc->cursor.nvbo && nv_crtc->base.enabled) - nv50_crtc_cursor_show(nv_crtc); - else - nv50_crtc_cursor_hide(nv_crtc); -diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv04.c b/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv04.c -index 80614f1..282143f 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv04.c -+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv04.c -@@ -50,7 +50,12 @@ nv04_instobj_dtor(struct nvkm_object *object) - { - struct nv04_instmem_priv *priv = (void *)nvkm_instmem(object); - struct nv04_instobj_priv *node = (void *)object; -+ struct nvkm_subdev *subdev = (void *)priv; -+ -+ mutex_lock(&subdev->mutex); - nvkm_mm_free(&priv->heap, &node->mem); -+ mutex_unlock(&subdev->mutex); -+ - nvkm_instobj_destroy(&node->base); - } - -@@ -62,6 +67,7 @@ nv04_instobj_ctor(struct nvkm_object *parent, struct nvkm_object *engine, - struct nv04_instmem_priv *priv = (void *)nvkm_instmem(parent); - struct nv04_instobj_priv *node; - struct nvkm_instobj_args *args = data; -+ struct nvkm_subdev *subdev = (void *)priv; - int ret; - - if (!args->align) -@@ -72,8 +78,10 @@ nv04_instobj_ctor(struct nvkm_object *parent, struct nvkm_object *engine, - if (ret) - return ret; - -+ mutex_lock(&subdev->mutex); - ret = nvkm_mm_head(&priv->heap, 0, 1, args->size, args->size, - args->align, &node->mem); -+ mutex_unlock(&subdev->mutex); - if (ret) - return ret; - -diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c -index 3318de6..a2dbbbe 100644 ---- a/drivers/hid/hid-cp2112.c -+++ b/drivers/hid/hid-cp2112.c -@@ -356,6 +356,8 @@ static int cp2112_read(struct cp2112_device *dev, u8 *data, size_t size) - struct cp2112_force_read_report report; - int ret; - -+ if (size > sizeof(dev->read_data)) -+ size = sizeof(dev->read_data); - report.report = CP2112_DATA_READ_FORCE_SEND; - report.length = cpu_to_be16(size); - -diff --git a/drivers/hwmon/nct7802.c b/drivers/hwmon/nct7802.c -index 28fcb2e..fbfc02b 100644 ---- a/drivers/hwmon/nct7802.c -+++ b/drivers/hwmon/nct7802.c -@@ -195,7 +195,7 @@ abort: - } - - static int nct7802_write_voltage(struct nct7802_data *data, int nr, int index, -- unsigned int voltage) -+ unsigned long voltage) - { - int shift = 8 - REG_VOLTAGE_LIMIT_MSB_SHIFT[index - 1][nr]; - int err; -diff --git a/drivers/hwmon/nct7904.c b/drivers/hwmon/nct7904.c -index b77b82f..6153df73 100644 ---- a/drivers/hwmon/nct7904.c -+++ b/drivers/hwmon/nct7904.c -@@ -412,8 +412,9 @@ static ssize_t show_pwm(struct device *dev, - return sprintf(buf, "%d\n", val); - } - --static ssize_t store_mode(struct device *dev, struct device_attribute *devattr, -- const char *buf, size_t count) -+static ssize_t store_enable(struct device *dev, -+ struct device_attribute *devattr, -+ const char *buf, size_t count) - { - int index = to_sensor_dev_attr(devattr)->index; - struct nct7904_data *data = dev_get_drvdata(dev); -@@ -422,18 +423,18 @@ static ssize_t store_mode(struct device *dev, struct device_attribute *devattr, - - if (kstrtoul(buf, 10, &val) < 0) - return -EINVAL; -- if (val > 1 || (val && !data->fan_mode[index])) -+ if (val < 1 || val > 2 || (val == 2 && !data->fan_mode[index])) - return -EINVAL; - - ret = nct7904_write_reg(data, BANK_3, FANCTL1_FMR_REG + index, -- val ? data->fan_mode[index] : 0); -+ val == 2 ? data->fan_mode[index] : 0); - - return ret ? ret : count; - } - --/* Return 0 for manual mode or 1 for SmartFan mode */ --static ssize_t show_mode(struct device *dev, -- struct device_attribute *devattr, char *buf) -+/* Return 1 for manual mode or 2 for SmartFan mode */ -+static ssize_t show_enable(struct device *dev, -+ struct device_attribute *devattr, char *buf) - { - int index = to_sensor_dev_attr(devattr)->index; - struct nct7904_data *data = dev_get_drvdata(dev); -@@ -443,36 +444,36 @@ static ssize_t show_mode(struct device *dev, - if (val < 0) - return val; - -- return sprintf(buf, "%d\n", val ? 1 : 0); -+ return sprintf(buf, "%d\n", val ? 2 : 1); - } - - /* 2 attributes per channel: pwm and mode */ --static SENSOR_DEVICE_ATTR(fan1_pwm, S_IRUGO | S_IWUSR, -+static SENSOR_DEVICE_ATTR(pwm1, S_IRUGO | S_IWUSR, - show_pwm, store_pwm, 0); --static SENSOR_DEVICE_ATTR(fan1_mode, S_IRUGO | S_IWUSR, -- show_mode, store_mode, 0); --static SENSOR_DEVICE_ATTR(fan2_pwm, S_IRUGO | S_IWUSR, -+static SENSOR_DEVICE_ATTR(pwm1_enable, S_IRUGO | S_IWUSR, -+ show_enable, store_enable, 0); -+static SENSOR_DEVICE_ATTR(pwm2, S_IRUGO | S_IWUSR, - show_pwm, store_pwm, 1); --static SENSOR_DEVICE_ATTR(fan2_mode, S_IRUGO | S_IWUSR, -- show_mode, store_mode, 1); --static SENSOR_DEVICE_ATTR(fan3_pwm, S_IRUGO | S_IWUSR, -+static SENSOR_DEVICE_ATTR(pwm2_enable, S_IRUGO | S_IWUSR, -+ show_enable, store_enable, 1); -+static SENSOR_DEVICE_ATTR(pwm3, S_IRUGO | S_IWUSR, - show_pwm, store_pwm, 2); --static SENSOR_DEVICE_ATTR(fan3_mode, S_IRUGO | S_IWUSR, -- show_mode, store_mode, 2); --static SENSOR_DEVICE_ATTR(fan4_pwm, S_IRUGO | S_IWUSR, -+static SENSOR_DEVICE_ATTR(pwm3_enable, S_IRUGO | S_IWUSR, -+ show_enable, store_enable, 2); -+static SENSOR_DEVICE_ATTR(pwm4, S_IRUGO | S_IWUSR, - show_pwm, store_pwm, 3); --static SENSOR_DEVICE_ATTR(fan4_mode, S_IRUGO | S_IWUSR, -- show_mode, store_mode, 3); -+static SENSOR_DEVICE_ATTR(pwm4_enable, S_IRUGO | S_IWUSR, -+ show_enable, store_enable, 3); - - static struct attribute *nct7904_fanctl_attrs[] = { -- &sensor_dev_attr_fan1_pwm.dev_attr.attr, -- &sensor_dev_attr_fan1_mode.dev_attr.attr, -- &sensor_dev_attr_fan2_pwm.dev_attr.attr, -- &sensor_dev_attr_fan2_mode.dev_attr.attr, -- &sensor_dev_attr_fan3_pwm.dev_attr.attr, -- &sensor_dev_attr_fan3_mode.dev_attr.attr, -- &sensor_dev_attr_fan4_pwm.dev_attr.attr, -- &sensor_dev_attr_fan4_mode.dev_attr.attr, -+ &sensor_dev_attr_pwm1.dev_attr.attr, -+ &sensor_dev_attr_pwm1_enable.dev_attr.attr, -+ &sensor_dev_attr_pwm2.dev_attr.attr, -+ &sensor_dev_attr_pwm2_enable.dev_attr.attr, -+ &sensor_dev_attr_pwm3.dev_attr.attr, -+ &sensor_dev_attr_pwm3_enable.dev_attr.attr, -+ &sensor_dev_attr_pwm4.dev_attr.attr, -+ &sensor_dev_attr_pwm4_enable.dev_attr.attr, - NULL - }; - -diff --git a/drivers/infiniband/ulp/ipoib/ipoib_verbs.c b/drivers/infiniband/ulp/ipoib/ipoib_verbs.c -index e5cc430..2d13fd0 100644 ---- a/drivers/infiniband/ulp/ipoib/ipoib_verbs.c -+++ b/drivers/infiniband/ulp/ipoib/ipoib_verbs.c -@@ -176,7 +176,8 @@ int ipoib_transport_dev_init(struct net_device *dev, struct ib_device *ca) - else - size += ipoib_recvq_size * ipoib_max_conn_qp; - } else -- goto out_free_wq; -+ if (ret != -ENOSYS) -+ goto out_free_wq; - - priv->recv_cq = ib_create_cq(priv->ca, ipoib_ib_completion, NULL, dev, size, 0); - if (IS_ERR(priv->recv_cq)) { -diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c -index 35c8d0c..3a32caf 100644 ---- a/drivers/input/mouse/synaptics.c -+++ b/drivers/input/mouse/synaptics.c -@@ -1199,7 +1199,7 @@ static void set_input_params(struct psmouse *psmouse, - ABS_MT_POSITION_Y); - /* Image sensors can report per-contact pressure */ - input_set_abs_params(dev, ABS_MT_PRESSURE, 0, 255, 0, 0); -- input_mt_init_slots(dev, 3, INPUT_MT_POINTER | INPUT_MT_TRACK); -+ input_mt_init_slots(dev, 2, INPUT_MT_POINTER | INPUT_MT_TRACK); - - /* Image sensors can signal 4 and 5 finger clicks */ - __set_bit(BTN_TOOL_QUADTAP, dev->keybit); -diff --git a/drivers/input/touchscreen/usbtouchscreen.c b/drivers/input/touchscreen/usbtouchscreen.c -index f2c6c35..2c41107 100644 ---- a/drivers/input/touchscreen/usbtouchscreen.c -+++ b/drivers/input/touchscreen/usbtouchscreen.c -@@ -627,6 +627,9 @@ static int dmc_tsc10_init(struct usbtouch_usb *usbtouch) - goto err_out; - } - -+ /* TSC-25 data sheet specifies a delay after the RESET command */ -+ msleep(150); -+ - /* set coordinate output rate */ - buf[0] = buf[1] = 0xFF; - ret = usb_control_msg(dev, usb_rcvctrlpipe (dev, 0), -diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c -index 5ecfaf2..c87c4b1 100644 ---- a/drivers/iommu/intel-iommu.c -+++ b/drivers/iommu/intel-iommu.c -@@ -1756,8 +1756,9 @@ static int domain_init(struct dmar_domain *domain, int guest_width) - - static void domain_exit(struct dmar_domain *domain) - { -+ struct dmar_drhd_unit *drhd; -+ struct intel_iommu *iommu; - struct page *freelist = NULL; -- int i; - - /* Domain 0 is reserved, so dont process it */ - if (!domain) -@@ -1777,8 +1778,10 @@ static void domain_exit(struct dmar_domain *domain) - - /* clear attached or cached domains */ - rcu_read_lock(); -- for_each_set_bit(i, domain->iommu_bmp, g_num_of_iommus) -- iommu_detach_domain(domain, g_iommus[i]); -+ for_each_active_iommu(iommu, drhd) -+ if (domain_type_is_vm(domain) || -+ test_bit(iommu->seq_id, domain->iommu_bmp)) -+ iommu_detach_domain(domain, iommu); - rcu_read_unlock(); - - dma_free_pagelist(freelist); -diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c -index 1b7e155..c00e2db 100644 ---- a/drivers/irqchip/irq-gic-v3-its.c -+++ b/drivers/irqchip/irq-gic-v3-its.c -@@ -75,6 +75,13 @@ struct its_node { - - #define ITS_ITT_ALIGN SZ_256 - -+struct event_lpi_map { -+ unsigned long *lpi_map; -+ u16 *col_map; -+ irq_hw_number_t lpi_base; -+ int nr_lpis; -+}; -+ - /* - * The ITS view of a device - belongs to an ITS, a collection, owns an - * interrupt translation table, and a list of interrupts. -@@ -82,11 +89,8 @@ struct its_node { - struct its_device { - struct list_head entry; - struct its_node *its; -- struct its_collection *collection; -+ struct event_lpi_map event_map; - void *itt; -- unsigned long *lpi_map; -- irq_hw_number_t lpi_base; -- int nr_lpis; - u32 nr_ites; - u32 device_id; - }; -@@ -99,6 +103,14 @@ static struct rdists *gic_rdists; - #define gic_data_rdist() (raw_cpu_ptr(gic_rdists->rdist)) - #define gic_data_rdist_rd_base() (gic_data_rdist()->rd_base) - -+static struct its_collection *dev_event_to_col(struct its_device *its_dev, -+ u32 event) -+{ -+ struct its_node *its = its_dev->its; -+ -+ return its->collections + its_dev->event_map.col_map[event]; -+} -+ - /* - * ITS command descriptors - parameters to be encoded in a command - * block. -@@ -134,7 +146,7 @@ struct its_cmd_desc { - struct { - struct its_device *dev; - struct its_collection *col; -- u32 id; -+ u32 event_id; - } its_movi_cmd; - - struct { -@@ -241,7 +253,7 @@ static struct its_collection *its_build_mapd_cmd(struct its_cmd_block *cmd, - - its_fixup_cmd(cmd); - -- return desc->its_mapd_cmd.dev->collection; -+ return NULL; - } - - static struct its_collection *its_build_mapc_cmd(struct its_cmd_block *cmd, -@@ -260,52 +272,72 @@ static struct its_collection *its_build_mapc_cmd(struct its_cmd_block *cmd, - static struct its_collection *its_build_mapvi_cmd(struct its_cmd_block *cmd, - struct its_cmd_desc *desc) - { -+ struct its_collection *col; -+ -+ col = dev_event_to_col(desc->its_mapvi_cmd.dev, -+ desc->its_mapvi_cmd.event_id); -+ - its_encode_cmd(cmd, GITS_CMD_MAPVI); - its_encode_devid(cmd, desc->its_mapvi_cmd.dev->device_id); - its_encode_event_id(cmd, desc->its_mapvi_cmd.event_id); - its_encode_phys_id(cmd, desc->its_mapvi_cmd.phys_id); -- its_encode_collection(cmd, desc->its_mapvi_cmd.dev->collection->col_id); -+ its_encode_collection(cmd, col->col_id); - - its_fixup_cmd(cmd); - -- return desc->its_mapvi_cmd.dev->collection; -+ return col; - } - - static struct its_collection *its_build_movi_cmd(struct its_cmd_block *cmd, - struct its_cmd_desc *desc) - { -+ struct its_collection *col; -+ -+ col = dev_event_to_col(desc->its_movi_cmd.dev, -+ desc->its_movi_cmd.event_id); -+ - its_encode_cmd(cmd, GITS_CMD_MOVI); - its_encode_devid(cmd, desc->its_movi_cmd.dev->device_id); -- its_encode_event_id(cmd, desc->its_movi_cmd.id); -+ its_encode_event_id(cmd, desc->its_movi_cmd.event_id); - its_encode_collection(cmd, desc->its_movi_cmd.col->col_id); - - its_fixup_cmd(cmd); - -- return desc->its_movi_cmd.dev->collection; -+ return col; - } - - static struct its_collection *its_build_discard_cmd(struct its_cmd_block *cmd, - struct its_cmd_desc *desc) - { -+ struct its_collection *col; -+ -+ col = dev_event_to_col(desc->its_discard_cmd.dev, -+ desc->its_discard_cmd.event_id); -+ - its_encode_cmd(cmd, GITS_CMD_DISCARD); - its_encode_devid(cmd, desc->its_discard_cmd.dev->device_id); - its_encode_event_id(cmd, desc->its_discard_cmd.event_id); - - its_fixup_cmd(cmd); - -- return desc->its_discard_cmd.dev->collection; -+ return col; - } - - static struct its_collection *its_build_inv_cmd(struct its_cmd_block *cmd, - struct its_cmd_desc *desc) - { -+ struct its_collection *col; -+ -+ col = dev_event_to_col(desc->its_inv_cmd.dev, -+ desc->its_inv_cmd.event_id); -+ - its_encode_cmd(cmd, GITS_CMD_INV); - its_encode_devid(cmd, desc->its_inv_cmd.dev->device_id); - its_encode_event_id(cmd, desc->its_inv_cmd.event_id); - - its_fixup_cmd(cmd); - -- return desc->its_inv_cmd.dev->collection; -+ return col; - } - - static struct its_collection *its_build_invall_cmd(struct its_cmd_block *cmd, -@@ -497,7 +529,7 @@ static void its_send_movi(struct its_device *dev, - - desc.its_movi_cmd.dev = dev; - desc.its_movi_cmd.col = col; -- desc.its_movi_cmd.id = id; -+ desc.its_movi_cmd.event_id = id; - - its_send_single_command(dev->its, its_build_movi_cmd, &desc); - } -@@ -528,7 +560,7 @@ static void its_send_invall(struct its_node *its, struct its_collection *col) - static inline u32 its_get_event_id(struct irq_data *d) - { - struct its_device *its_dev = irq_data_get_irq_chip_data(d); -- return d->hwirq - its_dev->lpi_base; -+ return d->hwirq - its_dev->event_map.lpi_base; - } - - static void lpi_set_config(struct irq_data *d, bool enable) -@@ -583,7 +615,7 @@ static int its_set_affinity(struct irq_data *d, const struct cpumask *mask_val, - - target_col = &its_dev->its->collections[cpu]; - its_send_movi(its_dev, target_col, id); -- its_dev->collection = target_col; -+ its_dev->event_map.col_map[id] = cpu; - - return IRQ_SET_MASK_OK_DONE; - } -@@ -713,8 +745,10 @@ out: - return bitmap; - } - --static void its_lpi_free(unsigned long *bitmap, int base, int nr_ids) -+static void its_lpi_free(struct event_lpi_map *map) - { -+ int base = map->lpi_base; -+ int nr_ids = map->nr_lpis; - int lpi; - - spin_lock(&lpi_lock); -@@ -731,7 +765,8 @@ static void its_lpi_free(unsigned long *bitmap, int base, int nr_ids) - - spin_unlock(&lpi_lock); - -- kfree(bitmap); -+ kfree(map->lpi_map); -+ kfree(map->col_map); - } - - /* -@@ -1099,11 +1134,11 @@ static struct its_device *its_create_device(struct its_node *its, u32 dev_id, - struct its_device *dev; - unsigned long *lpi_map; - unsigned long flags; -+ u16 *col_map = NULL; - void *itt; - int lpi_base; - int nr_lpis; - int nr_ites; -- int cpu; - int sz; - - dev = kzalloc(sizeof(*dev), GFP_KERNEL); -@@ -1117,20 +1152,24 @@ static struct its_device *its_create_device(struct its_node *its, u32 dev_id, - sz = max(sz, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1; - itt = kzalloc(sz, GFP_KERNEL); - lpi_map = its_lpi_alloc_chunks(nvecs, &lpi_base, &nr_lpis); -+ if (lpi_map) -+ col_map = kzalloc(sizeof(*col_map) * nr_lpis, GFP_KERNEL); - -- if (!dev || !itt || !lpi_map) { -+ if (!dev || !itt || !lpi_map || !col_map) { - kfree(dev); - kfree(itt); - kfree(lpi_map); -+ kfree(col_map); - return NULL; - } - - dev->its = its; - dev->itt = itt; - dev->nr_ites = nr_ites; -- dev->lpi_map = lpi_map; -- dev->lpi_base = lpi_base; -- dev->nr_lpis = nr_lpis; -+ dev->event_map.lpi_map = lpi_map; -+ dev->event_map.col_map = col_map; -+ dev->event_map.lpi_base = lpi_base; -+ dev->event_map.nr_lpis = nr_lpis; - dev->device_id = dev_id; - INIT_LIST_HEAD(&dev->entry); - -@@ -1138,10 +1177,6 @@ static struct its_device *its_create_device(struct its_node *its, u32 dev_id, - list_add(&dev->entry, &its->its_device_list); - raw_spin_unlock_irqrestore(&its->lock, flags); - -- /* Bind the device to the first possible CPU */ -- cpu = cpumask_first(cpu_online_mask); -- dev->collection = &its->collections[cpu]; -- - /* Map device to its ITT */ - its_send_mapd(dev, 1); - -@@ -1163,12 +1198,13 @@ static int its_alloc_device_irq(struct its_device *dev, irq_hw_number_t *hwirq) - { - int idx; - -- idx = find_first_zero_bit(dev->lpi_map, dev->nr_lpis); -- if (idx == dev->nr_lpis) -+ idx = find_first_zero_bit(dev->event_map.lpi_map, -+ dev->event_map.nr_lpis); -+ if (idx == dev->event_map.nr_lpis) - return -ENOSPC; - -- *hwirq = dev->lpi_base + idx; -- set_bit(idx, dev->lpi_map); -+ *hwirq = dev->event_map.lpi_base + idx; -+ set_bit(idx, dev->event_map.lpi_map); - - return 0; - } -@@ -1288,7 +1324,8 @@ static int its_irq_domain_alloc(struct irq_domain *domain, unsigned int virq, - irq_domain_set_hwirq_and_chip(domain, virq + i, - hwirq, &its_irq_chip, its_dev); - dev_dbg(info->scratchpad[1].ptr, "ID:%d pID:%d vID:%d\n", -- (int)(hwirq - its_dev->lpi_base), (int)hwirq, virq + i); -+ (int)(hwirq - its_dev->event_map.lpi_base), -+ (int)hwirq, virq + i); - } - - return 0; -@@ -1300,6 +1337,9 @@ static void its_irq_domain_activate(struct irq_domain *domain, - struct its_device *its_dev = irq_data_get_irq_chip_data(d); - u32 event = its_get_event_id(d); - -+ /* Bind the LPI to the first possible CPU */ -+ its_dev->event_map.col_map[event] = cpumask_first(cpu_online_mask); -+ - /* Map the GIC IRQ and event to the device */ - its_send_mapvi(its_dev, d->hwirq, event); - } -@@ -1327,17 +1367,16 @@ static void its_irq_domain_free(struct irq_domain *domain, unsigned int virq, - u32 event = its_get_event_id(data); - - /* Mark interrupt index as unused */ -- clear_bit(event, its_dev->lpi_map); -+ clear_bit(event, its_dev->event_map.lpi_map); - - /* Nuke the entry in the domain */ - irq_domain_reset_irq_data(data); - } - - /* If all interrupts have been freed, start mopping the floor */ -- if (bitmap_empty(its_dev->lpi_map, its_dev->nr_lpis)) { -- its_lpi_free(its_dev->lpi_map, -- its_dev->lpi_base, -- its_dev->nr_lpis); -+ if (bitmap_empty(its_dev->event_map.lpi_map, -+ its_dev->event_map.nr_lpis)) { -+ its_lpi_free(&its_dev->event_map); - - /* Unmap device/itt */ - its_send_mapd(its_dev, 0); -diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 2caf492..e8d8456 100644 ---- a/drivers/md/dm.c -+++ b/drivers/md/dm.c -@@ -1053,13 +1053,10 @@ static struct dm_rq_target_io *tio_from_request(struct request *rq) - */ - static void rq_completed(struct mapped_device *md, int rw, bool run_queue) - { -- int nr_requests_pending; -- - atomic_dec(&md->pending[rw]); - - /* nudge anyone waiting on suspend queue */ -- nr_requests_pending = md_in_flight(md); -- if (!nr_requests_pending) -+ if (!md_in_flight(md)) - wake_up(&md->wait); - - /* -@@ -1071,8 +1068,7 @@ static void rq_completed(struct mapped_device *md, int rw, bool run_queue) - if (run_queue) { - if (md->queue->mq_ops) - blk_mq_run_hw_queues(md->queue, true); -- else if (!nr_requests_pending || -- (nr_requests_pending >= md->queue->nr_congestion_on)) -+ else - blk_run_queue_async(md->queue); - } - -diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index 9157a29..cd7b0c1 100644 ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -336,7 +336,7 @@ static void raid1_end_read_request(struct bio *bio, int error) - spin_lock_irqsave(&conf->device_lock, flags); - if (r1_bio->mddev->degraded == conf->raid_disks || - (r1_bio->mddev->degraded == conf->raid_disks-1 && -- !test_bit(Faulty, &conf->mirrors[mirror].rdev->flags))) -+ test_bit(In_sync, &conf->mirrors[mirror].rdev->flags))) - uptodate = 1; - spin_unlock_irqrestore(&conf->device_lock, flags); - } -diff --git a/drivers/misc/cxl/context.c b/drivers/misc/cxl/context.c -index d1b55fe..e4dc8cd 100644 ---- a/drivers/misc/cxl/context.c -+++ b/drivers/misc/cxl/context.c -@@ -113,11 +113,11 @@ static int cxl_mmap_fault(struct vm_area_struct *vma, struct vm_fault *vmf) - - if (ctx->afu->current_mode == CXL_MODE_DEDICATED) { - area = ctx->afu->psn_phys; -- if (offset > ctx->afu->adapter->ps_size) -+ if (offset >= ctx->afu->adapter->ps_size) - return VM_FAULT_SIGBUS; - } else { - area = ctx->psn_phys; -- if (offset > ctx->psn_size) -+ if (offset >= ctx->psn_size) - return VM_FAULT_SIGBUS; - } - -diff --git a/drivers/misc/cxl/main.c b/drivers/misc/cxl/main.c -index 8ccddce..de350dd 100644 ---- a/drivers/misc/cxl/main.c -+++ b/drivers/misc/cxl/main.c -@@ -73,7 +73,7 @@ static inline void cxl_slbia_core(struct mm_struct *mm) - spin_lock(&adapter->afu_list_lock); - for (slice = 0; slice < adapter->slices; slice++) { - afu = adapter->afu[slice]; -- if (!afu->enabled) -+ if (!afu || !afu->enabled) - continue; - rcu_read_lock(); - idr_for_each_entry(&afu->contexts_idr, ctx, id) -diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c -index 3e29681..e40bcd03 100644 ---- a/drivers/misc/mei/main.c -+++ b/drivers/misc/mei/main.c -@@ -685,7 +685,7 @@ int mei_register(struct mei_device *dev, struct device *parent) - /* Fill in the data structures */ - devno = MKDEV(MAJOR(mei_devt), dev->minor); - cdev_init(&dev->cdev, &mei_fops); -- dev->cdev.owner = mei_fops.owner; -+ dev->cdev.owner = parent->driver->owner; - - /* Add the device */ - ret = cdev_add(&dev->cdev, devno, 1); -diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c -index 9df2b68..d0abdffb 100644 ---- a/drivers/mmc/host/omap_hsmmc.c -+++ b/drivers/mmc/host/omap_hsmmc.c -@@ -1062,6 +1062,10 @@ static void omap_hsmmc_do_irq(struct omap_hsmmc_host *host, int status) - - if (status & (CTO_EN | CCRC_EN)) - end_cmd = 1; -+ if (host->data || host->response_busy) { -+ end_trans = !end_cmd; -+ host->response_busy = 0; -+ } - if (status & (CTO_EN | DTO_EN)) - hsmmc_command_incomplete(host, -ETIMEDOUT, end_cmd); - else if (status & (CCRC_EN | DCRC_EN)) -@@ -1081,10 +1085,6 @@ static void omap_hsmmc_do_irq(struct omap_hsmmc_host *host, int status) - } - dev_dbg(mmc_dev(host->mmc), "AC12 err: 0x%x\n", ac12); - } -- if (host->data || host->response_busy) { -- end_trans = !end_cmd; -- host->response_busy = 0; -- } - } - - OMAP_HSMMC_WRITE(host->base, STAT, status); -diff --git a/drivers/mmc/host/sdhci-esdhc.h b/drivers/mmc/host/sdhci-esdhc.h -index 3497cfa..a870c42 100644 ---- a/drivers/mmc/host/sdhci-esdhc.h -+++ b/drivers/mmc/host/sdhci-esdhc.h -@@ -45,6 +45,6 @@ - #define ESDHC_DMA_SYSCTL 0x40c - #define ESDHC_DMA_SNOOP 0x00000040 - --#define ESDHC_HOST_CONTROL_RES 0x05 -+#define ESDHC_HOST_CONTROL_RES 0x01 - - #endif /* _DRIVERS_MMC_SDHCI_ESDHC_H */ -diff --git a/drivers/mmc/host/sdhci-pxav3.c b/drivers/mmc/host/sdhci-pxav3.c -index b5103a2..065dc70 100644 ---- a/drivers/mmc/host/sdhci-pxav3.c -+++ b/drivers/mmc/host/sdhci-pxav3.c -@@ -411,6 +411,7 @@ static int sdhci_pxav3_probe(struct platform_device *pdev) - goto err_of_parse; - sdhci_get_of_property(pdev); - pdata = pxav3_get_mmc_pdata(dev); -+ pdev->dev.platform_data = pdata; - } else if (pdata) { - /* on-chip device */ - if (pdata->flags & PXA_FLAG_CARD_PERMANENT) -diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c -index d3dbb28..bec8a30 100644 ---- a/drivers/mmc/host/sdhci.c -+++ b/drivers/mmc/host/sdhci.c -@@ -3037,8 +3037,11 @@ int sdhci_add_host(struct sdhci_host *host) - GFP_KERNEL); - host->align_buffer = kmalloc(host->align_buffer_sz, GFP_KERNEL); - if (!host->adma_table || !host->align_buffer) { -- dma_free_coherent(mmc_dev(mmc), host->adma_table_sz, -- host->adma_table, host->adma_addr); -+ if (host->adma_table) -+ dma_free_coherent(mmc_dev(mmc), -+ host->adma_table_sz, -+ host->adma_table, -+ host->adma_addr); - kfree(host->align_buffer); - pr_warn("%s: Unable to allocate ADMA buffers - falling back to standard DMA\n", - mmc_hostname(mmc)); -diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c -index 041525d..5d214d1 100644 ---- a/drivers/net/can/c_can/c_can.c -+++ b/drivers/net/can/c_can/c_can.c -@@ -592,6 +592,7 @@ static int c_can_start(struct net_device *dev) - { - struct c_can_priv *priv = netdev_priv(dev); - int err; -+ struct pinctrl *p; - - /* basic c_can configuration */ - err = c_can_chip_config(dev); -@@ -604,8 +605,13 @@ static int c_can_start(struct net_device *dev) - - priv->can.state = CAN_STATE_ERROR_ACTIVE; - -- /* activate pins */ -- pinctrl_pm_select_default_state(dev->dev.parent); -+ /* Attempt to use "active" if available else use "default" */ -+ p = pinctrl_get_select(priv->device, "active"); -+ if (!IS_ERR(p)) -+ pinctrl_put(p); -+ else -+ pinctrl_pm_select_default_state(priv->device); -+ - return 0; - } - -diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c -index e9b1810..aede704 100644 ---- a/drivers/net/can/dev.c -+++ b/drivers/net/can/dev.c -@@ -440,9 +440,6 @@ unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx) - struct can_frame *cf = (struct can_frame *)skb->data; - u8 dlc = cf->can_dlc; - -- if (!(skb->tstamp.tv64)) -- __net_timestamp(skb); -- - netif_rx(priv->echo_skb[idx]); - priv->echo_skb[idx] = NULL; - -@@ -578,7 +575,6 @@ struct sk_buff *alloc_can_skb(struct net_device *dev, struct can_frame **cf) - if (unlikely(!skb)) - return NULL; - -- __net_timestamp(skb); - skb->protocol = htons(ETH_P_CAN); - skb->pkt_type = PACKET_BROADCAST; - skb->ip_summed = CHECKSUM_UNNECESSARY; -@@ -589,6 +585,7 @@ struct sk_buff *alloc_can_skb(struct net_device *dev, struct can_frame **cf) - - can_skb_reserve(skb); - can_skb_prv(skb)->ifindex = dev->ifindex; -+ can_skb_prv(skb)->skbcnt = 0; - - *cf = (struct can_frame *)skb_put(skb, sizeof(struct can_frame)); - memset(*cf, 0, sizeof(struct can_frame)); -@@ -607,7 +604,6 @@ struct sk_buff *alloc_canfd_skb(struct net_device *dev, - if (unlikely(!skb)) - return NULL; - -- __net_timestamp(skb); - skb->protocol = htons(ETH_P_CANFD); - skb->pkt_type = PACKET_BROADCAST; - skb->ip_summed = CHECKSUM_UNNECESSARY; -@@ -618,6 +614,7 @@ struct sk_buff *alloc_canfd_skb(struct net_device *dev, - - can_skb_reserve(skb); - can_skb_prv(skb)->ifindex = dev->ifindex; -+ can_skb_prv(skb)->skbcnt = 0; - - *cfd = (struct canfd_frame *)skb_put(skb, sizeof(struct canfd_frame)); - memset(*cfd, 0, sizeof(struct canfd_frame)); -diff --git a/drivers/net/can/rcar_can.c b/drivers/net/can/rcar_can.c -index 7deb80d..2f9ebad 100644 ---- a/drivers/net/can/rcar_can.c -+++ b/drivers/net/can/rcar_can.c -@@ -526,7 +526,7 @@ static int rcar_can_open(struct net_device *ndev) - napi_enable(&priv->napi); - err = request_irq(ndev->irq, rcar_can_interrupt, 0, ndev->name, ndev); - if (err) { -- netdev_err(ndev, "error requesting interrupt %x\n", ndev->irq); -+ netdev_err(ndev, "error requesting interrupt %d\n", ndev->irq); - goto out_close; - } - can_led_event(ndev, CAN_LED_EVENT_OPEN); -@@ -758,8 +758,9 @@ static int rcar_can_probe(struct platform_device *pdev) - } - - irq = platform_get_irq(pdev, 0); -- if (!irq) { -+ if (irq < 0) { - dev_err(&pdev->dev, "No IRQ resource\n"); -+ err = irq; - goto fail; - } - -@@ -823,7 +824,7 @@ static int rcar_can_probe(struct platform_device *pdev) - - devm_can_led_init(ndev); - -- dev_info(&pdev->dev, "device registered (reg_base=%p, irq=%u)\n", -+ dev_info(&pdev->dev, "device registered (regs @ %p, IRQ%d)\n", - priv->regs, ndev->irq); - - return 0; -diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c -index f64f529..a23a7af 100644 ---- a/drivers/net/can/slcan.c -+++ b/drivers/net/can/slcan.c -@@ -207,7 +207,6 @@ static void slc_bump(struct slcan *sl) - if (!skb) - return; - -- __net_timestamp(skb); - skb->dev = sl->dev; - skb->protocol = htons(ETH_P_CAN); - skb->pkt_type = PACKET_BROADCAST; -@@ -215,6 +214,7 @@ static void slc_bump(struct slcan *sl) - - can_skb_reserve(skb); - can_skb_prv(skb)->ifindex = sl->dev->ifindex; -+ can_skb_prv(skb)->skbcnt = 0; - - memcpy(skb_put(skb, sizeof(struct can_frame)), - &cf, sizeof(struct can_frame)); -diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c -index bf63fee..34c625e 100644 ---- a/drivers/net/can/spi/mcp251x.c -+++ b/drivers/net/can/spi/mcp251x.c -@@ -1221,17 +1221,16 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev) - struct spi_device *spi = to_spi_device(dev); - struct mcp251x_priv *priv = spi_get_drvdata(spi); - -- if (priv->after_suspend & AFTER_SUSPEND_POWER) { -+ if (priv->after_suspend & AFTER_SUSPEND_POWER) - mcp251x_power_enable(priv->power, 1); -+ -+ if (priv->after_suspend & AFTER_SUSPEND_UP) { -+ mcp251x_power_enable(priv->transceiver, 1); - queue_work(priv->wq, &priv->restart_work); - } else { -- if (priv->after_suspend & AFTER_SUSPEND_UP) { -- mcp251x_power_enable(priv->transceiver, 1); -- queue_work(priv->wq, &priv->restart_work); -- } else { -- priv->after_suspend = 0; -- } -+ priv->after_suspend = 0; - } -+ - priv->force_quit = 0; - enable_irq(spi->irq); - return 0; -diff --git a/drivers/net/can/vcan.c b/drivers/net/can/vcan.c -index 0ce868d..674f367 100644 ---- a/drivers/net/can/vcan.c -+++ b/drivers/net/can/vcan.c -@@ -78,9 +78,6 @@ static void vcan_rx(struct sk_buff *skb, struct net_device *dev) - skb->dev = dev; - skb->ip_summed = CHECKSUM_UNNECESSARY; - -- if (!(skb->tstamp.tv64)) -- __net_timestamp(skb); -- - netif_rx_ni(skb); - } - -diff --git a/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c b/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c -index 8e604a3..ef20be0 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c -+++ b/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c -@@ -540,13 +540,11 @@ static void iwl_set_hw_address_family_8000(struct device *dev, - hw_addr = (const u8 *)(mac_override + - MAC_ADDRESS_OVERRIDE_FAMILY_8000); - -- /* The byte order is little endian 16 bit, meaning 214365 */ -- data->hw_addr[0] = hw_addr[1]; -- data->hw_addr[1] = hw_addr[0]; -- data->hw_addr[2] = hw_addr[3]; -- data->hw_addr[3] = hw_addr[2]; -- data->hw_addr[4] = hw_addr[5]; -- data->hw_addr[5] = hw_addr[4]; -+ /* -+ * Store the MAC address from MAO section. -+ * No byte swapping is required in MAO section -+ */ -+ memcpy(data->hw_addr, hw_addr, ETH_ALEN); - - /* - * Force the use of the OTP MAC address in case of reserved MAC -diff --git a/drivers/net/wireless/iwlwifi/mvm/tx.c b/drivers/net/wireless/iwlwifi/mvm/tx.c -index ef32e17..281451c 100644 ---- a/drivers/net/wireless/iwlwifi/mvm/tx.c -+++ b/drivers/net/wireless/iwlwifi/mvm/tx.c -@@ -225,7 +225,7 @@ void iwl_mvm_set_tx_cmd_rate(struct iwl_mvm *mvm, struct iwl_tx_cmd *tx_cmd, - - if (info->band == IEEE80211_BAND_2GHZ && - !iwl_mvm_bt_coex_is_shared_ant_avail(mvm)) -- rate_flags = BIT(mvm->cfg->non_shared_ant) << RATE_MCS_ANT_POS; -+ rate_flags = mvm->cfg->non_shared_ant << RATE_MCS_ANT_POS; - else - rate_flags = - BIT(mvm->mgmt_last_antenna_idx) << RATE_MCS_ANT_POS; -diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c -index dc17909..37e6a6f 100644 ---- a/drivers/net/wireless/iwlwifi/pcie/trans.c -+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c -@@ -2515,6 +2515,12 @@ struct iwl_trans *iwl_trans_pcie_alloc(struct pci_dev *pdev, - trans->hw_rev = (trans->hw_rev & 0xfff0) | - (CSR_HW_REV_STEP(trans->hw_rev << 2) << 2); - -+ ret = iwl_pcie_prepare_card_hw(trans); -+ if (ret) { -+ IWL_WARN(trans, "Exit HW not ready\n"); -+ goto out_pci_disable_msi; -+ } -+ - /* - * in-order to recognize C step driver should read chip version - * id located at the AUX bus MISC address space. -diff --git a/drivers/pinctrl/freescale/pinctrl-imx1-core.c b/drivers/pinctrl/freescale/pinctrl-imx1-core.c -index 5ac59fb..d3a3be7 100644 ---- a/drivers/pinctrl/freescale/pinctrl-imx1-core.c -+++ b/drivers/pinctrl/freescale/pinctrl-imx1-core.c -@@ -403,14 +403,13 @@ static int imx1_pinconf_set(struct pinctrl_dev *pctldev, - unsigned num_configs) - { - struct imx1_pinctrl *ipctl = pinctrl_dev_get_drvdata(pctldev); -- const struct imx1_pinctrl_soc_info *info = ipctl->info; - int i; - - for (i = 0; i != num_configs; ++i) { - imx1_write_bit(ipctl, pin_id, configs[i] & 0x01, MX1_PUEN); - - dev_dbg(ipctl->dev, "pinconf set pullup pin %s\n", -- info->pins[pin_id].name); -+ pin_desc_get(pctldev, pin_id)->name); - } - - return 0; -diff --git a/drivers/regulator/s2mps11.c b/drivers/regulator/s2mps11.c -index ff82811..8de1351 100644 ---- a/drivers/regulator/s2mps11.c -+++ b/drivers/regulator/s2mps11.c -@@ -34,6 +34,8 @@ - #include <linux/mfd/samsung/s2mps14.h> - #include <linux/mfd/samsung/s2mpu02.h> - -+/* The highest number of possible regulators for supported devices. */ -+#define S2MPS_REGULATOR_MAX S2MPS13_REGULATOR_MAX - struct s2mps11_info { - unsigned int rdev_num; - int ramp_delay2; -@@ -49,7 +51,7 @@ struct s2mps11_info { - * One bit for each S2MPS13/S2MPS14/S2MPU02 regulator whether - * the suspend mode was enabled. - */ -- unsigned long long s2mps14_suspend_state:50; -+ DECLARE_BITMAP(suspend_state, S2MPS_REGULATOR_MAX); - - /* Array of size rdev_num with GPIO-s for external sleep control */ - int *ext_control_gpio; -@@ -500,7 +502,7 @@ static int s2mps14_regulator_enable(struct regulator_dev *rdev) - switch (s2mps11->dev_type) { - case S2MPS13X: - case S2MPS14X: -- if (s2mps11->s2mps14_suspend_state & (1 << rdev_get_id(rdev))) -+ if (test_bit(rdev_get_id(rdev), s2mps11->suspend_state)) - val = S2MPS14_ENABLE_SUSPEND; - else if (gpio_is_valid(s2mps11->ext_control_gpio[rdev_get_id(rdev)])) - val = S2MPS14_ENABLE_EXT_CONTROL; -@@ -508,7 +510,7 @@ static int s2mps14_regulator_enable(struct regulator_dev *rdev) - val = rdev->desc->enable_mask; - break; - case S2MPU02: -- if (s2mps11->s2mps14_suspend_state & (1 << rdev_get_id(rdev))) -+ if (test_bit(rdev_get_id(rdev), s2mps11->suspend_state)) - val = S2MPU02_ENABLE_SUSPEND; - else - val = rdev->desc->enable_mask; -@@ -562,7 +564,7 @@ static int s2mps14_regulator_set_suspend_disable(struct regulator_dev *rdev) - if (ret < 0) - return ret; - -- s2mps11->s2mps14_suspend_state |= (1 << rdev_get_id(rdev)); -+ set_bit(rdev_get_id(rdev), s2mps11->suspend_state); - /* - * Don't enable suspend mode if regulator is already disabled because - * this would effectively for a short time turn on the regulator after -@@ -960,18 +962,22 @@ static int s2mps11_pmic_probe(struct platform_device *pdev) - case S2MPS11X: - s2mps11->rdev_num = ARRAY_SIZE(s2mps11_regulators); - regulators = s2mps11_regulators; -+ BUILD_BUG_ON(S2MPS_REGULATOR_MAX < s2mps11->rdev_num); - break; - case S2MPS13X: - s2mps11->rdev_num = ARRAY_SIZE(s2mps13_regulators); - regulators = s2mps13_regulators; -+ BUILD_BUG_ON(S2MPS_REGULATOR_MAX < s2mps11->rdev_num); - break; - case S2MPS14X: - s2mps11->rdev_num = ARRAY_SIZE(s2mps14_regulators); - regulators = s2mps14_regulators; -+ BUILD_BUG_ON(S2MPS_REGULATOR_MAX < s2mps11->rdev_num); - break; - case S2MPU02: - s2mps11->rdev_num = ARRAY_SIZE(s2mpu02_regulators); - regulators = s2mpu02_regulators; -+ BUILD_BUG_ON(S2MPS_REGULATOR_MAX < s2mps11->rdev_num); - break; - default: - dev_err(&pdev->dev, "Invalid device type: %u\n", -diff --git a/drivers/scsi/qla2xxx/qla_dbg.c b/drivers/scsi/qla2xxx/qla_dbg.c -index 0e6ee3c..e9ae6b9 100644 ---- a/drivers/scsi/qla2xxx/qla_dbg.c -+++ b/drivers/scsi/qla2xxx/qla_dbg.c -@@ -68,7 +68,7 @@ - * | | | 0xd101-0xd1fe | - * | | | 0xd214-0xd2fe | - * | Target Mode | 0xe079 | | -- * | Target Mode Management | 0xf072 | 0xf002 | -+ * | Target Mode Management | 0xf080 | 0xf002 | - * | | | 0xf046-0xf049 | - * | Target Mode Task Management | 0x1000b | | - * ---------------------------------------------------------------------- -diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c -index 285cb20..998498e 100644 ---- a/drivers/scsi/qla2xxx/qla_init.c -+++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -2924,6 +2924,7 @@ qla2x00_rport_del(void *data) - struct fc_rport *rport; - scsi_qla_host_t *vha = fcport->vha; - unsigned long flags; -+ unsigned long vha_flags; - - spin_lock_irqsave(fcport->vha->host->host_lock, flags); - rport = fcport->drport ? fcport->drport: fcport->rport; -@@ -2935,7 +2936,9 @@ qla2x00_rport_del(void *data) - * Release the target mode FC NEXUS in qla_target.c code - * if target mod is enabled. - */ -+ spin_lock_irqsave(&vha->hw->hardware_lock, vha_flags); - qlt_fc_port_deleted(vha, fcport); -+ spin_unlock_irqrestore(&vha->hw->hardware_lock, vha_flags); - } - } - -@@ -3303,6 +3306,7 @@ qla2x00_reg_remote_port(scsi_qla_host_t *vha, fc_port_t *fcport) - * Create target mode FC NEXUS in qla_target.c if target mode is - * enabled.. - */ -+ - qlt_fc_port_added(vha, fcport); - - spin_lock_irqsave(fcport->vha->host->host_lock, flags); -@@ -3460,20 +3464,43 @@ qla2x00_configure_fabric(scsi_qla_host_t *vha) - if ((fcport->flags & FCF_FABRIC_DEVICE) == 0) - continue; - -- if (fcport->scan_state == QLA_FCPORT_SCAN && -- atomic_read(&fcport->state) == FCS_ONLINE) { -- qla2x00_mark_device_lost(vha, fcport, -- ql2xplogiabsentdevice, 0); -- if (fcport->loop_id != FC_NO_LOOP_ID && -- (fcport->flags & FCF_FCP2_DEVICE) == 0 && -- fcport->port_type != FCT_INITIATOR && -- fcport->port_type != FCT_BROADCAST) { -- ha->isp_ops->fabric_logout(vha, -- fcport->loop_id, -- fcport->d_id.b.domain, -- fcport->d_id.b.area, -- fcport->d_id.b.al_pa); -- qla2x00_clear_loop_id(fcport); -+ if (fcport->scan_state == QLA_FCPORT_SCAN) { -+ if (qla_ini_mode_enabled(base_vha) && -+ atomic_read(&fcport->state) == FCS_ONLINE) { -+ qla2x00_mark_device_lost(vha, fcport, -+ ql2xplogiabsentdevice, 0); -+ if (fcport->loop_id != FC_NO_LOOP_ID && -+ (fcport->flags & FCF_FCP2_DEVICE) == 0 && -+ fcport->port_type != FCT_INITIATOR && -+ fcport->port_type != FCT_BROADCAST) { -+ ha->isp_ops->fabric_logout(vha, -+ fcport->loop_id, -+ fcport->d_id.b.domain, -+ fcport->d_id.b.area, -+ fcport->d_id.b.al_pa); -+ qla2x00_clear_loop_id(fcport); -+ } -+ } else if (!qla_ini_mode_enabled(base_vha)) { -+ /* -+ * In target mode, explicitly kill -+ * sessions and log out of devices -+ * that are gone, so that we don't -+ * end up with an initiator using the -+ * wrong ACL (if the fabric recycles -+ * an FC address and we have a stale -+ * session around) and so that we don't -+ * report initiators that are no longer -+ * on the fabric. -+ */ -+ ql_dbg(ql_dbg_tgt_mgt, vha, 0xf077, -+ "port gone, logging out/killing session: " -+ "%8phC state 0x%x flags 0x%x fc4_type 0x%x " -+ "scan_state %d\n", -+ fcport->port_name, -+ atomic_read(&fcport->state), -+ fcport->flags, fcport->fc4_type, -+ fcport->scan_state); -+ qlt_fc_port_deleted(vha, fcport); - } - } - } -@@ -3494,6 +3521,28 @@ qla2x00_configure_fabric(scsi_qla_host_t *vha) - (fcport->flags & FCF_LOGIN_NEEDED) == 0) - continue; - -+ /* -+ * If we're not an initiator, skip looking for devices -+ * and logging in. There's no reason for us to do it, -+ * and it seems to actively cause problems in target -+ * mode if we race with the initiator logging into us -+ * (we might get the "port ID used" status back from -+ * our login command and log out the initiator, which -+ * seems to cause havoc). -+ */ -+ if (!qla_ini_mode_enabled(base_vha)) { -+ if (fcport->scan_state == QLA_FCPORT_FOUND) { -+ ql_dbg(ql_dbg_tgt_mgt, vha, 0xf078, -+ "port %8phC state 0x%x flags 0x%x fc4_type 0x%x " -+ "scan_state %d (initiator mode disabled; skipping " -+ "login)\n", fcport->port_name, -+ atomic_read(&fcport->state), -+ fcport->flags, fcport->fc4_type, -+ fcport->scan_state); -+ } -+ continue; -+ } -+ - if (fcport->loop_id == FC_NO_LOOP_ID) { - fcport->loop_id = next_loopid; - rval = qla2x00_find_new_loop_id( -@@ -3520,16 +3569,38 @@ qla2x00_configure_fabric(scsi_qla_host_t *vha) - test_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags)) - break; - -- /* Find a new loop ID to use. */ -- fcport->loop_id = next_loopid; -- rval = qla2x00_find_new_loop_id(base_vha, fcport); -- if (rval != QLA_SUCCESS) { -- /* Ran out of IDs to use */ -- break; -- } -+ /* -+ * If we're not an initiator, skip looking for devices -+ * and logging in. There's no reason for us to do it, -+ * and it seems to actively cause problems in target -+ * mode if we race with the initiator logging into us -+ * (we might get the "port ID used" status back from -+ * our login command and log out the initiator, which -+ * seems to cause havoc). -+ */ -+ if (qla_ini_mode_enabled(base_vha)) { -+ /* Find a new loop ID to use. */ -+ fcport->loop_id = next_loopid; -+ rval = qla2x00_find_new_loop_id(base_vha, -+ fcport); -+ if (rval != QLA_SUCCESS) { -+ /* Ran out of IDs to use */ -+ break; -+ } - -- /* Login and update database */ -- qla2x00_fabric_dev_login(vha, fcport, &next_loopid); -+ /* Login and update database */ -+ qla2x00_fabric_dev_login(vha, fcport, -+ &next_loopid); -+ } else { -+ ql_dbg(ql_dbg_tgt_mgt, vha, 0xf079, -+ "new port %8phC state 0x%x flags 0x%x fc4_type " -+ "0x%x scan_state %d (initiator mode disabled; " -+ "skipping login)\n", -+ fcport->port_name, -+ atomic_read(&fcport->state), -+ fcport->flags, fcport->fc4_type, -+ fcport->scan_state); -+ } - - list_move_tail(&fcport->list, &vha->vp_fcports); - } -@@ -3725,11 +3796,12 @@ qla2x00_find_all_fabric_devs(scsi_qla_host_t *vha, - fcport->fp_speed = new_fcport->fp_speed; - - /* -- * If address the same and state FCS_ONLINE, nothing -- * changed. -+ * If address the same and state FCS_ONLINE -+ * (or in target mode), nothing changed. - */ - if (fcport->d_id.b24 == new_fcport->d_id.b24 && -- atomic_read(&fcport->state) == FCS_ONLINE) { -+ (atomic_read(&fcport->state) == FCS_ONLINE || -+ !qla_ini_mode_enabled(base_vha))) { - break; - } - -@@ -3749,6 +3821,22 @@ qla2x00_find_all_fabric_devs(scsi_qla_host_t *vha, - * Log it out if still logged in and mark it for - * relogin later. - */ -+ if (!qla_ini_mode_enabled(base_vha)) { -+ ql_dbg(ql_dbg_tgt_mgt, vha, 0xf080, -+ "port changed FC ID, %8phC" -+ " old %x:%x:%x (loop_id 0x%04x)-> new %x:%x:%x\n", -+ fcport->port_name, -+ fcport->d_id.b.domain, -+ fcport->d_id.b.area, -+ fcport->d_id.b.al_pa, -+ fcport->loop_id, -+ new_fcport->d_id.b.domain, -+ new_fcport->d_id.b.area, -+ new_fcport->d_id.b.al_pa); -+ fcport->d_id.b24 = new_fcport->d_id.b24; -+ break; -+ } -+ - fcport->d_id.b24 = new_fcport->d_id.b24; - fcport->flags |= FCF_LOGIN_NEEDED; - if (fcport->loop_id != FC_NO_LOOP_ID && -@@ -3768,6 +3856,7 @@ qla2x00_find_all_fabric_devs(scsi_qla_host_t *vha, - if (found) - continue; - /* If device was not in our fcports list, then add it. */ -+ new_fcport->scan_state = QLA_FCPORT_FOUND; - list_add_tail(&new_fcport->list, new_fcports); - - /* Allocate a new replacement fcport. */ -diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c -index fe8a8d1..496a733 100644 ---- a/drivers/scsi/qla2xxx/qla_target.c -+++ b/drivers/scsi/qla2xxx/qla_target.c -@@ -113,6 +113,7 @@ static void qlt_abort_cmd_on_host_reset(struct scsi_qla_host *vha, - static void qlt_alloc_qfull_cmd(struct scsi_qla_host *vha, - struct atio_from_isp *atio, uint16_t status, int qfull); - static void qlt_disable_vha(struct scsi_qla_host *vha); -+static void qlt_clear_tgt_db(struct qla_tgt *tgt); - /* - * Global Variables - */ -@@ -431,10 +432,10 @@ static int qlt_reset(struct scsi_qla_host *vha, void *iocb, int mcmd) - - loop_id = le16_to_cpu(n->u.isp24.nport_handle); - if (loop_id == 0xFFFF) { --#if 0 /* FIXME: Re-enable Global event handling.. */ - /* Global event */ -- atomic_inc(&ha->tgt.qla_tgt->tgt_global_resets_count); -- qlt_clear_tgt_db(ha->tgt.qla_tgt); -+ atomic_inc(&vha->vha_tgt.qla_tgt->tgt_global_resets_count); -+ qlt_clear_tgt_db(vha->vha_tgt.qla_tgt); -+#if 0 /* FIXME: do we need to choose a session here? */ - if (!list_empty(&ha->tgt.qla_tgt->sess_list)) { - sess = list_entry(ha->tgt.qla_tgt->sess_list.next, - typeof(*sess), sess_list_entry); -@@ -782,25 +783,20 @@ void qlt_fc_port_added(struct scsi_qla_host *vha, fc_port_t *fcport) - - void qlt_fc_port_deleted(struct scsi_qla_host *vha, fc_port_t *fcport) - { -- struct qla_hw_data *ha = vha->hw; - struct qla_tgt *tgt = vha->vha_tgt.qla_tgt; - struct qla_tgt_sess *sess; -- unsigned long flags; - - if (!vha->hw->tgt.tgt_ops) - return; - -- if (!tgt || (fcport->port_type != FCT_INITIATOR)) -+ if (!tgt) - return; - -- spin_lock_irqsave(&ha->hardware_lock, flags); - if (tgt->tgt_stop) { -- spin_unlock_irqrestore(&ha->hardware_lock, flags); - return; - } - sess = qlt_find_sess_by_port_name(tgt, fcport->port_name); - if (!sess) { -- spin_unlock_irqrestore(&ha->hardware_lock, flags); - return; - } - -@@ -808,7 +804,6 @@ void qlt_fc_port_deleted(struct scsi_qla_host *vha, fc_port_t *fcport) - - sess->local = 1; - qlt_schedule_sess_for_deletion(sess, false); -- spin_unlock_irqrestore(&ha->hardware_lock, flags); - } - - static inline int test_tgt_sess_count(struct qla_tgt *tgt) -@@ -2347,9 +2342,10 @@ int qlt_xmit_response(struct qla_tgt_cmd *cmd, int xmit_type, - res = qlt_build_ctio_crc2_pkt(&prm, vha); - else - res = qlt_24xx_build_ctio_pkt(&prm, vha); -- if (unlikely(res != 0)) -+ if (unlikely(res != 0)) { -+ vha->req->cnt += full_req_cnt; - goto out_unmap_unlock; -- -+ } - - pkt = (struct ctio7_to_24xx *)prm.pkt; - -@@ -2487,8 +2483,11 @@ int qlt_rdy_to_xfer(struct qla_tgt_cmd *cmd) - else - res = qlt_24xx_build_ctio_pkt(&prm, vha); - -- if (unlikely(res != 0)) -+ if (unlikely(res != 0)) { -+ vha->req->cnt += prm.req_cnt; - goto out_unlock_free_unmap; -+ } -+ - pkt = (struct ctio7_to_24xx *)prm.pkt; - pkt->u.status0.flags |= __constant_cpu_to_le16(CTIO7_FLAGS_DATA_OUT | - CTIO7_FLAGS_STATUS_MODE_0); -@@ -2717,7 +2716,7 @@ static int __qlt_send_term_exchange(struct scsi_qla_host *vha, - static void qlt_send_term_exchange(struct scsi_qla_host *vha, - struct qla_tgt_cmd *cmd, struct atio_from_isp *atio, int ha_locked) - { -- unsigned long flags; -+ unsigned long flags = 0; - int rc; - - if (qlt_issue_marker(vha, ha_locked) < 0) -@@ -2733,17 +2732,18 @@ static void qlt_send_term_exchange(struct scsi_qla_host *vha, - rc = __qlt_send_term_exchange(vha, cmd, atio); - if (rc == -ENOMEM) - qlt_alloc_qfull_cmd(vha, atio, 0, 0); -- spin_unlock_irqrestore(&vha->hw->hardware_lock, flags); - - done: - if (cmd && ((cmd->state != QLA_TGT_STATE_ABORTED) || - !cmd->cmd_sent_to_fw)) { -- if (!ha_locked && !in_interrupt()) -- msleep(250); /* just in case */ -- -- qlt_unmap_sg(vha, cmd); -+ if (cmd->sg_mapped) -+ qlt_unmap_sg(vha, cmd); - vha->hw->tgt.tgt_ops->free_cmd(cmd); - } -+ -+ if (!ha_locked) -+ spin_unlock_irqrestore(&vha->hw->hardware_lock, flags); -+ - return; - } - -@@ -3347,6 +3347,11 @@ static struct qla_tgt_cmd *qlt_get_tag(scsi_qla_host_t *vha, - cmd->loop_id = sess->loop_id; - cmd->conf_compl_supported = sess->conf_compl_supported; - -+ cmd->cmd_flags = 0; -+ cmd->jiffies_at_alloc = get_jiffies_64(); -+ -+ cmd->reset_count = vha->hw->chip_reset; -+ - return cmd; - } - -@@ -3453,11 +3458,6 @@ static int qlt_handle_cmd_for_atio(struct scsi_qla_host *vha, - return -ENOMEM; - } - -- cmd->cmd_flags = 0; -- cmd->jiffies_at_alloc = get_jiffies_64(); -- -- cmd->reset_count = vha->hw->chip_reset; -- - cmd->cmd_in_wq = 1; - cmd->cmd_flags |= BIT_0; - INIT_WORK(&cmd->work, qlt_do_work); -diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c -index c95a4e9..59c31bf 100644 ---- a/drivers/scsi/scsi_error.c -+++ b/drivers/scsi/scsi_error.c -@@ -944,7 +944,7 @@ void scsi_eh_prep_cmnd(struct scsi_cmnd *scmd, struct scsi_eh_save *ses, - scmd->sdb.length); - scmd->sdb.table.sgl = &ses->sense_sgl; - scmd->sc_data_direction = DMA_FROM_DEVICE; -- scmd->sdb.table.nents = 1; -+ scmd->sdb.table.nents = scmd->sdb.table.orig_nents = 1; - scmd->cmnd[0] = REQUEST_SENSE; - scmd->cmnd[4] = scmd->sdb.length; - scmd->cmd_len = COMMAND_SIZE(scmd->cmnd[0]); -diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c -index b1a2631..448ebda 100644 ---- a/drivers/scsi/scsi_lib.c -+++ b/drivers/scsi/scsi_lib.c -@@ -583,7 +583,7 @@ static struct scatterlist *scsi_sg_alloc(unsigned int nents, gfp_t gfp_mask) - - static void scsi_free_sgtable(struct scsi_data_buffer *sdb, bool mq) - { -- if (mq && sdb->table.nents <= SCSI_MAX_SG_SEGMENTS) -+ if (mq && sdb->table.orig_nents <= SCSI_MAX_SG_SEGMENTS) - return; - __sg_free_table(&sdb->table, SCSI_MAX_SG_SEGMENTS, mq, scsi_sg_free); - } -@@ -597,8 +597,8 @@ static int scsi_alloc_sgtable(struct scsi_data_buffer *sdb, int nents, bool mq) - - if (mq) { - if (nents <= SCSI_MAX_SG_SEGMENTS) { -- sdb->table.nents = nents; -- sg_init_table(sdb->table.sgl, sdb->table.nents); -+ sdb->table.nents = sdb->table.orig_nents = nents; -+ sg_init_table(sdb->table.sgl, nents); - return 0; - } - first_chunk = sdb->table.sgl; -diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c -index 1ac38e7..9ad4116 100644 ---- a/drivers/scsi/scsi_sysfs.c -+++ b/drivers/scsi/scsi_sysfs.c -@@ -859,7 +859,7 @@ sdev_store_queue_depth(struct device *dev, struct device_attribute *attr, - - depth = simple_strtoul(buf, NULL, 0); - -- if (depth < 1 || depth > sht->can_queue) -+ if (depth < 1 || depth > sdev->host->can_queue) - return -EINVAL; - - retval = sht->change_queue_depth(sdev, depth); -diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c -index 9a1c342..525ab4c 100644 ---- a/drivers/scsi/st.c -+++ b/drivers/scsi/st.c -@@ -1274,9 +1274,9 @@ static int st_open(struct inode *inode, struct file *filp) - spin_lock(&st_use_lock); - STp->in_use = 0; - spin_unlock(&st_use_lock); -- scsi_tape_put(STp); - if (resumed) - scsi_autopm_put_device(STp->device); -+ scsi_tape_put(STp); - return retval; - - } -diff --git a/drivers/spi/spi-img-spfi.c b/drivers/spi/spi-img-spfi.c -index 788e2b1..acce90a 100644 ---- a/drivers/spi/spi-img-spfi.c -+++ b/drivers/spi/spi-img-spfi.c -@@ -40,6 +40,7 @@ - #define SPFI_CONTROL_SOFT_RESET BIT(11) - #define SPFI_CONTROL_SEND_DMA BIT(10) - #define SPFI_CONTROL_GET_DMA BIT(9) -+#define SPFI_CONTROL_SE BIT(8) - #define SPFI_CONTROL_TMODE_SHIFT 5 - #define SPFI_CONTROL_TMODE_MASK 0x7 - #define SPFI_CONTROL_TMODE_SINGLE 0 -@@ -491,6 +492,7 @@ static void img_spfi_config(struct spi_master *master, struct spi_device *spi, - else if (xfer->tx_nbits == SPI_NBITS_QUAD && - xfer->rx_nbits == SPI_NBITS_QUAD) - val |= SPFI_CONTROL_TMODE_QUAD << SPFI_CONTROL_TMODE_SHIFT; -+ val |= SPFI_CONTROL_SE; - spfi_writel(spfi, val, SPFI_CONTROL); - } - -diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c -index f08e812..412b9c8 100644 ---- a/drivers/spi/spi-imx.c -+++ b/drivers/spi/spi-imx.c -@@ -201,8 +201,9 @@ static bool spi_imx_can_dma(struct spi_master *master, struct spi_device *spi, - { - struct spi_imx_data *spi_imx = spi_master_get_devdata(master); - -- if (spi_imx->dma_is_inited && (transfer->len > spi_imx->rx_wml) -- && (transfer->len > spi_imx->tx_wml)) -+ if (spi_imx->dma_is_inited -+ && transfer->len > spi_imx->rx_wml * sizeof(u32) -+ && transfer->len > spi_imx->tx_wml * sizeof(u32)) - return true; - return false; - } -diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c -index 74e6114f..305a5cb 100644 ---- a/drivers/target/iscsi/iscsi_target.c -+++ b/drivers/target/iscsi/iscsi_target.c -@@ -4001,7 +4001,13 @@ get_immediate: - } - - transport_err: -- iscsit_take_action_for_connection_exit(conn); -+ /* -+ * Avoid the normal connection failure code-path if this connection -+ * is still within LOGIN mode, and iscsi_np process context is -+ * responsible for cleaning up the early connection failure. -+ */ -+ if (conn->conn_state != TARG_CONN_STATE_IN_LOGIN) -+ iscsit_take_action_for_connection_exit(conn); - out: - return 0; - } -@@ -4093,7 +4099,7 @@ reject: - - int iscsi_target_rx_thread(void *arg) - { -- int ret; -+ int ret, rc; - u8 buffer[ISCSI_HDR_LEN], opcode; - u32 checksum = 0, digest = 0; - struct iscsi_conn *conn = arg; -@@ -4103,10 +4109,16 @@ int iscsi_target_rx_thread(void *arg) - * connection recovery / failure event can be triggered externally. - */ - allow_signal(SIGINT); -+ /* -+ * Wait for iscsi_post_login_handler() to complete before allowing -+ * incoming iscsi/tcp socket I/O, and/or failing the connection. -+ */ -+ rc = wait_for_completion_interruptible(&conn->rx_login_comp); -+ if (rc < 0) -+ return 0; - - if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) { - struct completion comp; -- int rc; - - init_completion(&comp); - rc = wait_for_completion_interruptible(&comp); -@@ -4543,7 +4555,18 @@ static void iscsit_logout_post_handler_closesession( - struct iscsi_conn *conn) - { - struct iscsi_session *sess = conn->sess; -- int sleep = cmpxchg(&conn->tx_thread_active, true, false); -+ int sleep = 1; -+ /* -+ * Traditional iscsi/tcp will invoke this logic from TX thread -+ * context during session logout, so clear tx_thread_active and -+ * sleep if iscsit_close_connection() has not already occured. -+ * -+ * Since iser-target invokes this logic from it's own workqueue, -+ * always sleep waiting for RX/TX thread shutdown to complete -+ * within iscsit_close_connection(). -+ */ -+ if (conn->conn_transport->transport_type == ISCSI_TCP) -+ sleep = cmpxchg(&conn->tx_thread_active, true, false); - - atomic_set(&conn->conn_logout_remove, 0); - complete(&conn->conn_logout_comp); -@@ -4557,7 +4580,10 @@ static void iscsit_logout_post_handler_closesession( - static void iscsit_logout_post_handler_samecid( - struct iscsi_conn *conn) - { -- int sleep = cmpxchg(&conn->tx_thread_active, true, false); -+ int sleep = 1; -+ -+ if (conn->conn_transport->transport_type == ISCSI_TCP) -+ sleep = cmpxchg(&conn->tx_thread_active, true, false); - - atomic_set(&conn->conn_logout_remove, 0); - complete(&conn->conn_logout_comp); -@@ -4776,6 +4802,7 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force) - struct iscsi_session *sess; - struct se_portal_group *se_tpg = &tpg->tpg_se_tpg; - struct se_session *se_sess, *se_sess_tmp; -+ LIST_HEAD(free_list); - int session_count = 0; - - spin_lock_bh(&se_tpg->session_lock); -@@ -4797,14 +4824,17 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force) - } - atomic_set(&sess->session_reinstatement, 1); - spin_unlock(&sess->conn_lock); -- spin_unlock_bh(&se_tpg->session_lock); - -- iscsit_free_session(sess); -- spin_lock_bh(&se_tpg->session_lock); -+ list_move_tail(&se_sess->sess_list, &free_list); -+ } -+ spin_unlock_bh(&se_tpg->session_lock); -+ -+ list_for_each_entry_safe(se_sess, se_sess_tmp, &free_list, sess_list) { -+ sess = (struct iscsi_session *)se_sess->fabric_sess_ptr; - -+ iscsit_free_session(sess); - session_count++; - } -- spin_unlock_bh(&se_tpg->session_lock); - - pr_debug("Released %d iSCSI Session(s) from Target Portal" - " Group: %hu\n", session_count, tpg->tpgt); -diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c -index 70d799d..c3bccad 100644 ---- a/drivers/target/iscsi/iscsi_target_login.c -+++ b/drivers/target/iscsi/iscsi_target_login.c -@@ -82,6 +82,7 @@ static struct iscsi_login *iscsi_login_init_conn(struct iscsi_conn *conn) - init_completion(&conn->conn_logout_comp); - init_completion(&conn->rx_half_close_comp); - init_completion(&conn->tx_half_close_comp); -+ init_completion(&conn->rx_login_comp); - spin_lock_init(&conn->cmd_lock); - spin_lock_init(&conn->conn_usage_lock); - spin_lock_init(&conn->immed_queue_lock); -@@ -699,7 +700,7 @@ static void iscsi_post_login_start_timers(struct iscsi_conn *conn) - iscsit_start_nopin_timer(conn); - } - --static int iscsit_start_kthreads(struct iscsi_conn *conn) -+int iscsit_start_kthreads(struct iscsi_conn *conn) - { - int ret = 0; - -@@ -734,6 +735,7 @@ static int iscsit_start_kthreads(struct iscsi_conn *conn) - - return 0; - out_tx: -+ send_sig(SIGINT, conn->tx_thread, 1); - kthread_stop(conn->tx_thread); - conn->tx_thread_active = false; - out_bitmap: -@@ -744,7 +746,7 @@ out_bitmap: - return ret; - } - --int iscsi_post_login_handler( -+void iscsi_post_login_handler( - struct iscsi_np *np, - struct iscsi_conn *conn, - u8 zero_tsih) -@@ -754,7 +756,6 @@ int iscsi_post_login_handler( - struct se_session *se_sess = sess->se_sess; - struct iscsi_portal_group *tpg = sess->tpg; - struct se_portal_group *se_tpg = &tpg->tpg_se_tpg; -- int rc; - - iscsit_inc_conn_usage_count(conn); - -@@ -795,10 +796,6 @@ int iscsi_post_login_handler( - sess->sess_ops->InitiatorName); - spin_unlock_bh(&sess->conn_lock); - -- rc = iscsit_start_kthreads(conn); -- if (rc) -- return rc; -- - iscsi_post_login_start_timers(conn); - /* - * Determine CPU mask to ensure connection's RX and TX kthreads -@@ -807,15 +804,20 @@ int iscsi_post_login_handler( - iscsit_thread_get_cpumask(conn); - conn->conn_rx_reset_cpumask = 1; - conn->conn_tx_reset_cpumask = 1; -- -+ /* -+ * Wakeup the sleeping iscsi_target_rx_thread() now that -+ * iscsi_conn is in TARG_CONN_STATE_LOGGED_IN state. -+ */ -+ complete(&conn->rx_login_comp); - iscsit_dec_conn_usage_count(conn); -+ - if (stop_timer) { - spin_lock_bh(&se_tpg->session_lock); - iscsit_stop_time2retain_timer(sess); - spin_unlock_bh(&se_tpg->session_lock); - } - iscsit_dec_session_usage_count(sess); -- return 0; -+ return; - } - - iscsi_set_session_parameters(sess->sess_ops, conn->param_list, 1); -@@ -856,10 +858,6 @@ int iscsi_post_login_handler( - " iSCSI Target Portal Group: %hu\n", tpg->nsessions, tpg->tpgt); - spin_unlock_bh(&se_tpg->session_lock); - -- rc = iscsit_start_kthreads(conn); -- if (rc) -- return rc; -- - iscsi_post_login_start_timers(conn); - /* - * Determine CPU mask to ensure connection's RX and TX kthreads -@@ -868,10 +866,12 @@ int iscsi_post_login_handler( - iscsit_thread_get_cpumask(conn); - conn->conn_rx_reset_cpumask = 1; - conn->conn_tx_reset_cpumask = 1; -- -+ /* -+ * Wakeup the sleeping iscsi_target_rx_thread() now that -+ * iscsi_conn is in TARG_CONN_STATE_LOGGED_IN state. -+ */ -+ complete(&conn->rx_login_comp); - iscsit_dec_conn_usage_count(conn); -- -- return 0; - } - - static void iscsi_handle_login_thread_timeout(unsigned long data) -@@ -1436,23 +1436,12 @@ static int __iscsi_target_login_thread(struct iscsi_np *np) - if (ret < 0) - goto new_sess_out; - -- if (!conn->sess) { -- pr_err("struct iscsi_conn session pointer is NULL!\n"); -- goto new_sess_out; -- } -- - iscsi_stop_login_thread_timer(np); - -- if (signal_pending(current)) -- goto new_sess_out; -- - if (ret == 1) { - tpg_np = conn->tpg_np; - -- ret = iscsi_post_login_handler(np, conn, zero_tsih); -- if (ret < 0) -- goto new_sess_out; -- -+ iscsi_post_login_handler(np, conn, zero_tsih); - iscsit_deaccess_np(np, tpg, tpg_np); - } - -diff --git a/drivers/target/iscsi/iscsi_target_login.h b/drivers/target/iscsi/iscsi_target_login.h -index 29d0983..55cbf45 100644 ---- a/drivers/target/iscsi/iscsi_target_login.h -+++ b/drivers/target/iscsi/iscsi_target_login.h -@@ -12,7 +12,8 @@ extern int iscsit_accept_np(struct iscsi_np *, struct iscsi_conn *); - extern int iscsit_get_login_rx(struct iscsi_conn *, struct iscsi_login *); - extern int iscsit_put_login_tx(struct iscsi_conn *, struct iscsi_login *, u32); - extern void iscsit_free_conn(struct iscsi_np *, struct iscsi_conn *); --extern int iscsi_post_login_handler(struct iscsi_np *, struct iscsi_conn *, u8); -+extern int iscsit_start_kthreads(struct iscsi_conn *); -+extern void iscsi_post_login_handler(struct iscsi_np *, struct iscsi_conn *, u8); - extern void iscsi_target_login_sess_out(struct iscsi_conn *, struct iscsi_np *, - bool, bool); - extern int iscsi_target_login_thread(void *); -diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c -index 8c02fa3..f9cde91 100644 ---- a/drivers/target/iscsi/iscsi_target_nego.c -+++ b/drivers/target/iscsi/iscsi_target_nego.c -@@ -17,6 +17,7 @@ - ******************************************************************************/ - - #include <linux/ctype.h> -+#include <linux/kthread.h> - #include <scsi/iscsi_proto.h> - #include <target/target_core_base.h> - #include <target/target_core_fabric.h> -@@ -361,10 +362,24 @@ static int iscsi_target_do_tx_login_io(struct iscsi_conn *conn, struct iscsi_log - ntohl(login_rsp->statsn), login->rsp_length); - - padding = ((-login->rsp_length) & 3); -+ /* -+ * Before sending the last login response containing the transition -+ * bit for full-feature-phase, go ahead and start up TX/RX threads -+ * now to avoid potential resource allocation failures after the -+ * final login response has been sent. -+ */ -+ if (login->login_complete) { -+ int rc = iscsit_start_kthreads(conn); -+ if (rc) { -+ iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, -+ ISCSI_LOGIN_STATUS_NO_RESOURCES); -+ return -1; -+ } -+ } - - if (conn->conn_transport->iscsit_put_login_tx(conn, login, - login->rsp_length + padding) < 0) -- return -1; -+ goto err; - - login->rsp_length = 0; - mutex_lock(&sess->cmdsn_mutex); -@@ -373,6 +388,23 @@ static int iscsi_target_do_tx_login_io(struct iscsi_conn *conn, struct iscsi_log - mutex_unlock(&sess->cmdsn_mutex); - - return 0; -+ -+err: -+ if (login->login_complete) { -+ if (conn->rx_thread && conn->rx_thread_active) { -+ send_sig(SIGINT, conn->rx_thread, 1); -+ kthread_stop(conn->rx_thread); -+ } -+ if (conn->tx_thread && conn->tx_thread_active) { -+ send_sig(SIGINT, conn->tx_thread, 1); -+ kthread_stop(conn->tx_thread); -+ } -+ spin_lock(&iscsit_global->ts_bitmap_lock); -+ bitmap_release_region(iscsit_global->ts_bitmap, conn->bitmap_id, -+ get_order(1)); -+ spin_unlock(&iscsit_global->ts_bitmap_lock); -+ } -+ return -1; - } - - static void iscsi_target_sk_data_ready(struct sock *sk) -diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index 396344c..16ed0b6 100644 ---- a/drivers/tty/n_tty.c -+++ b/drivers/tty/n_tty.c -@@ -1108,19 +1108,29 @@ static void eraser(unsigned char c, struct tty_struct *tty) - * Locking: ctrl_lock - */ - --static void isig(int sig, struct tty_struct *tty) -+static void __isig(int sig, struct tty_struct *tty) - { -- struct n_tty_data *ldata = tty->disc_data; - struct pid *tty_pgrp = tty_get_pgrp(tty); - if (tty_pgrp) { - kill_pgrp(tty_pgrp, sig, 1); - put_pid(tty_pgrp); - } -+} - -- if (!L_NOFLSH(tty)) { -+static void isig(int sig, struct tty_struct *tty) -+{ -+ struct n_tty_data *ldata = tty->disc_data; -+ -+ if (L_NOFLSH(tty)) { -+ /* signal only */ -+ __isig(sig, tty); -+ -+ } else { /* signal and flush */ - up_read(&tty->termios_rwsem); - down_write(&tty->termios_rwsem); - -+ __isig(sig, tty); -+ - /* clear echo buffer */ - mutex_lock(&ldata->output_lock); - ldata->echo_head = ldata->echo_tail = 0; -diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c -index 8825039..01aa52f 100644 ---- a/drivers/tty/serial/imx.c -+++ b/drivers/tty/serial/imx.c -@@ -1132,11 +1132,6 @@ static int imx_startup(struct uart_port *port) - while (!(readl(sport->port.membase + UCR2) & UCR2_SRST) && (--i > 0)) - udelay(1); - -- /* Can we enable the DMA support? */ -- if (is_imx6q_uart(sport) && !uart_console(port) && -- !sport->dma_is_inited) -- imx_uart_dma_init(sport); -- - spin_lock_irqsave(&sport->port.lock, flags); - - /* -@@ -1145,9 +1140,6 @@ static int imx_startup(struct uart_port *port) - writel(USR1_RTSD, sport->port.membase + USR1); - writel(USR2_ORE, sport->port.membase + USR2); - -- if (sport->dma_is_inited && !sport->dma_is_enabled) -- imx_enable_dma(sport); -- - temp = readl(sport->port.membase + UCR1); - temp |= UCR1_RRDYEN | UCR1_RTSDEN | UCR1_UARTEN; - -@@ -1318,6 +1310,11 @@ imx_set_termios(struct uart_port *port, struct ktermios *termios, - } else { - ucr2 |= UCR2_CTSC; - } -+ -+ /* Can we enable the DMA support? */ -+ if (is_imx6q_uart(sport) && !uart_console(port) -+ && !sport->dma_is_inited) -+ imx_uart_dma_init(sport); - } else { - termios->c_cflag &= ~CRTSCTS; - } -@@ -1434,6 +1431,8 @@ imx_set_termios(struct uart_port *port, struct ktermios *termios, - if (UART_ENABLE_MS(&sport->port, termios->c_cflag)) - imx_enable_ms(&sport->port); - -+ if (sport->dma_is_inited && !sport->dma_is_enabled) -+ imx_enable_dma(sport); - spin_unlock_irqrestore(&sport->port.lock, flags); - } - -diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index 0b7bb12..ec54044 100644 ---- a/drivers/tty/serial/serial_core.c -+++ b/drivers/tty/serial/serial_core.c -@@ -1409,7 +1409,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp) - mutex_lock(&port->mutex); - uart_shutdown(tty, state); - tty_port_tty_set(port, NULL); -- tty->closing = 0; -+ - spin_lock_irqsave(&port->lock, flags); - - if (port->blocked_open) { -@@ -1435,6 +1435,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp) - mutex_unlock(&port->mutex); - - tty_ldisc_flush(tty); -+ tty->closing = 0; - } - - static void uart_wait_until_sent(struct tty_struct *tty, int timeout) -diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c -index 0827d7c..ee07ba4 100644 ---- a/drivers/usb/host/xhci-hub.c -+++ b/drivers/usb/host/xhci-hub.c -@@ -484,10 +484,13 @@ static void xhci_hub_report_usb3_link_state(struct xhci_hcd *xhci, - u32 pls = status_reg & PORT_PLS_MASK; - - /* resume state is a xHCI internal state. -- * Do not report it to usb core. -+ * Do not report it to usb core, instead, pretend to be U3, -+ * thus usb core knows it's not ready for transfer - */ -- if (pls == XDEV_RESUME) -+ if (pls == XDEV_RESUME) { -+ *status |= USB_SS_PORT_LS_U3; - return; -+ } - - /* When the CAS bit is set then warm reset - * should be performed on port -@@ -588,7 +591,14 @@ static u32 xhci_get_port_status(struct usb_hcd *hcd, - status |= USB_PORT_STAT_C_RESET << 16; - /* USB3.0 only */ - if (hcd->speed == HCD_USB3) { -- if ((raw_port_status & PORT_PLC)) -+ /* Port link change with port in resume state should not be -+ * reported to usbcore, as this is an internal state to be -+ * handled by xhci driver. Reporting PLC to usbcore may -+ * cause usbcore clearing PLC first and port change event -+ * irq won't be generated. -+ */ -+ if ((raw_port_status & PORT_PLC) && -+ (raw_port_status & PORT_PLS_MASK) != XDEV_RESUME) - status |= USB_PORT_STAT_C_LINK_STATE << 16; - if ((raw_port_status & PORT_WRC)) - status |= USB_PORT_STAT_C_BH_RESET << 16; -@@ -1120,10 +1130,10 @@ int xhci_bus_suspend(struct usb_hcd *hcd) - spin_lock_irqsave(&xhci->lock, flags); - - if (hcd->self.root_hub->do_remote_wakeup) { -- if (bus_state->resuming_ports) { -+ if (bus_state->resuming_ports || /* USB2 */ -+ bus_state->port_remote_wakeup) { /* USB3 */ - spin_unlock_irqrestore(&xhci->lock, flags); -- xhci_dbg(xhci, "suspend failed because " -- "a port is resuming\n"); -+ xhci_dbg(xhci, "suspend failed because a port is resuming\n"); - return -EBUSY; - } - } -diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c -index 7d34cbf..d095677 100644 ---- a/drivers/usb/host/xhci-ring.c -+++ b/drivers/usb/host/xhci-ring.c -@@ -1546,6 +1546,9 @@ static void handle_port_status(struct xhci_hcd *xhci, - usb_hcd_resume_root_hub(hcd); - } - -+ if (hcd->speed == HCD_USB3 && (temp & PORT_PLS_MASK) == XDEV_INACTIVE) -+ bus_state->port_remote_wakeup &= ~(1 << faked_port_index); -+ - if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_RESUME) { - xhci_dbg(xhci, "port resume event for port %d\n", port_id); - -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 36bf089..c502c22 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -3453,6 +3453,9 @@ int xhci_discover_or_reset_device(struct usb_hcd *hcd, struct usb_device *udev) - return -EINVAL; - } - -+ if (virt_dev->tt_info) -+ old_active_eps = virt_dev->tt_info->active_eps; -+ - if (virt_dev->udev != udev) { - /* If the virt_dev and the udev does not match, this virt_dev - * may belong to another udev. -diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h -index 6977f84..0f26dd2 100644 ---- a/drivers/usb/host/xhci.h -+++ b/drivers/usb/host/xhci.h -@@ -285,6 +285,7 @@ struct xhci_op_regs { - #define XDEV_U0 (0x0 << 5) - #define XDEV_U2 (0x2 << 5) - #define XDEV_U3 (0x3 << 5) -+#define XDEV_INACTIVE (0x6 << 5) - #define XDEV_RESUME (0xf << 5) - /* true: port has power (see HCC_PPC) */ - #define PORT_POWER (1 << 9) -diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h -index caf1888..87898ca 100644 ---- a/drivers/usb/storage/unusual_devs.h -+++ b/drivers/usb/storage/unusual_devs.h -@@ -2065,6 +2065,18 @@ UNUSUAL_DEV( 0x1908, 0x3335, 0x0200, 0x0200, - USB_SC_DEVICE, USB_PR_DEVICE, NULL, - US_FL_NO_READ_DISC_INFO ), - -+/* Reported by Oliver Neukum <oneukum@suse.com> -+ * This device morphes spontaneously into another device if the access -+ * pattern of Windows isn't followed. Thus writable media would be dirty -+ * if the initial instance is used. So the device is limited to its -+ * virtual CD. -+ * And yes, the concept that BCD goes up to 9 is not heeded */ -+UNUSUAL_DEV( 0x19d2, 0x1225, 0x0000, 0xffff, -+ "ZTE,Incorporated", -+ "ZTE WCDMA Technologies MSM", -+ USB_SC_DEVICE, USB_PR_DEVICE, NULL, -+ US_FL_SINGLE_LUN ), -+ - /* Reported by Sven Geggus <sven-usbst@geggus.net> - * This encrypted pen drive returns bogus data for the initial READ(10). - */ -diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c -index 2ee2826..fa49d329 100644 ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -886,6 +886,7 @@ long vhost_dev_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp) - } - if (eventfp != d->log_file) { - filep = d->log_file; -+ d->log_file = eventfp; - ctx = d->log_ctx; - d->log_ctx = eventfp ? - eventfd_ctx_fileget(eventfp) : NULL; -diff --git a/fs/dcache.c b/fs/dcache.c -index 50bb3c2..5d03eb0 100644 ---- a/fs/dcache.c -+++ b/fs/dcache.c -@@ -642,7 +642,7 @@ static inline bool fast_dput(struct dentry *dentry) - - /* - * If we have a d_op->d_delete() operation, we sould not -- * let the dentry count go to zero, so use "put__or_lock". -+ * let the dentry count go to zero, so use "put_or_lock". - */ - if (unlikely(dentry->d_flags & DCACHE_OP_DELETE)) - return lockref_put_or_lock(&dentry->d_lockref); -@@ -697,7 +697,7 @@ static inline bool fast_dput(struct dentry *dentry) - */ - smp_rmb(); - d_flags = ACCESS_ONCE(dentry->d_flags); -- d_flags &= DCACHE_REFERENCED | DCACHE_LRU_LIST; -+ d_flags &= DCACHE_REFERENCED | DCACHE_LRU_LIST | DCACHE_DISCONNECTED; - - /* Nothing to do? Dropping the reference was all we needed? */ - if (d_flags == (DCACHE_REFERENCED | DCACHE_LRU_LIST) && !d_unhashed(dentry)) -@@ -776,6 +776,9 @@ repeat: - if (unlikely(d_unhashed(dentry))) - goto kill_it; - -+ if (unlikely(dentry->d_flags & DCACHE_DISCONNECTED)) -+ goto kill_it; -+ - if (unlikely(dentry->d_flags & DCACHE_OP_DELETE)) { - if (dentry->d_op->d_delete(dentry)) - goto kill_it; -diff --git a/fs/namespace.c b/fs/namespace.c -index 02c6875..fce3cc1 100644 ---- a/fs/namespace.c -+++ b/fs/namespace.c -@@ -1350,6 +1350,36 @@ enum umount_tree_flags { - UMOUNT_PROPAGATE = 2, - UMOUNT_CONNECTED = 4, - }; -+ -+static bool disconnect_mount(struct mount *mnt, enum umount_tree_flags how) -+{ -+ /* Leaving mounts connected is only valid for lazy umounts */ -+ if (how & UMOUNT_SYNC) -+ return true; -+ -+ /* A mount without a parent has nothing to be connected to */ -+ if (!mnt_has_parent(mnt)) -+ return true; -+ -+ /* Because the reference counting rules change when mounts are -+ * unmounted and connected, umounted mounts may not be -+ * connected to mounted mounts. -+ */ -+ if (!(mnt->mnt_parent->mnt.mnt_flags & MNT_UMOUNT)) -+ return true; -+ -+ /* Has it been requested that the mount remain connected? */ -+ if (how & UMOUNT_CONNECTED) -+ return false; -+ -+ /* Is the mount locked such that it needs to remain connected? */ -+ if (IS_MNT_LOCKED(mnt)) -+ return false; -+ -+ /* By default disconnect the mount */ -+ return true; -+} -+ - /* - * mount_lock must be held - * namespace_sem must be held for write -@@ -1387,10 +1417,7 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how) - if (how & UMOUNT_SYNC) - p->mnt.mnt_flags |= MNT_SYNC_UMOUNT; - -- disconnect = !(((how & UMOUNT_CONNECTED) && -- mnt_has_parent(p) && -- (p->mnt_parent->mnt.mnt_flags & MNT_UMOUNT)) || -- IS_MNT_LOCKED_AND_LAZY(p)); -+ disconnect = disconnect_mount(p, how); - - pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt, - disconnect ? &unmounted : NULL); -@@ -1527,11 +1554,8 @@ void __detach_mounts(struct dentry *dentry) - while (!hlist_empty(&mp->m_list)) { - mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list); - if (mnt->mnt.mnt_flags & MNT_UMOUNT) { -- struct mount *p, *tmp; -- list_for_each_entry_safe(p, tmp, &mnt->mnt_mounts, mnt_child) { -- hlist_add_head(&p->mnt_umount.s_list, &unmounted); -- umount_mnt(p); -- } -+ hlist_add_head(&mnt->mnt_umount.s_list, &unmounted); -+ umount_mnt(mnt); - } - else umount_tree(mnt, UMOUNT_CONNECTED); - } -diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c -index f734562..5d25b9d 100644 ---- a/fs/nfs/inode.c -+++ b/fs/nfs/inode.c -@@ -1242,9 +1242,11 @@ static int nfs_check_inode_attributes(struct inode *inode, struct nfs_fattr *fat - if (fattr->valid & NFS_ATTR_FATTR_SIZE) { - cur_size = i_size_read(inode); - new_isize = nfs_size_to_loff_t(fattr->size); -- if (cur_size != new_isize && nfsi->nrequests == 0) -+ if (cur_size != new_isize) - invalid |= NFS_INO_INVALID_ATTR|NFS_INO_REVAL_PAGECACHE; - } -+ if (nfsi->nrequests != 0) -+ invalid &= ~NFS_INO_REVAL_PAGECACHE; - - /* Have any file permissions changed? */ - if ((fattr->valid & NFS_ATTR_FATTR_MODE) && (inode->i_mode & S_IALLUGO) != (fattr->mode & S_IALLUGO)) -@@ -1682,8 +1684,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr) - invalid |= NFS_INO_INVALID_ATTR - | NFS_INO_INVALID_DATA - | NFS_INO_INVALID_ACCESS -- | NFS_INO_INVALID_ACL -- | NFS_INO_REVAL_PAGECACHE; -+ | NFS_INO_INVALID_ACL; - if (S_ISDIR(inode->i_mode)) - nfs_force_lookup_revalidate(inode); - inode->i_version = fattr->change_attr; -@@ -1715,7 +1716,6 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr) - if ((nfsi->nrequests == 0) || new_isize > cur_isize) { - i_size_write(inode, new_isize); - invalid |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA; -- invalid &= ~NFS_INO_REVAL_PAGECACHE; - } - dprintk("NFS: isize change on server for file %s/%ld " - "(%Ld to %Ld)\n", -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index 55e1e3a..d3f2051 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -1204,12 +1204,15 @@ static bool nfs_need_update_open_stateid(struct nfs4_state *state, - - static void nfs_resync_open_stateid_locked(struct nfs4_state *state) - { -+ if (!(state->n_wronly || state->n_rdonly || state->n_rdwr)) -+ return; - if (state->n_wronly) - set_bit(NFS_O_WRONLY_STATE, &state->flags); - if (state->n_rdonly) - set_bit(NFS_O_RDONLY_STATE, &state->flags); - if (state->n_rdwr) - set_bit(NFS_O_RDWR_STATE, &state->flags); -+ set_bit(NFS_OPEN_STATE, &state->flags); - } - - static void nfs_clear_open_stateid_locked(struct nfs4_state *state, -diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c -index 282b393..7b45526 100644 ---- a/fs/nfs/pagelist.c -+++ b/fs/nfs/pagelist.c -@@ -1110,8 +1110,11 @@ static int nfs_do_recoalesce(struct nfs_pageio_descriptor *desc) - nfs_list_remove_request(req); - if (__nfs_pageio_add_request(desc, req)) - continue; -- if (desc->pg_error < 0) -+ if (desc->pg_error < 0) { -+ list_splice_tail(&head, &mirror->pg_list); -+ mirror->pg_recoalesce = 1; - return 0; -+ } - break; - } - } while (mirror->pg_recoalesce); -diff --git a/fs/pnode.h b/fs/pnode.h -index 7114ce6..0fcdbe7 100644 ---- a/fs/pnode.h -+++ b/fs/pnode.h -@@ -20,8 +20,6 @@ - #define SET_MNT_MARK(m) ((m)->mnt.mnt_flags |= MNT_MARKED) - #define CLEAR_MNT_MARK(m) ((m)->mnt.mnt_flags &= ~MNT_MARKED) - #define IS_MNT_LOCKED(m) ((m)->mnt.mnt_flags & MNT_LOCKED) --#define IS_MNT_LOCKED_AND_LAZY(m) \ -- (((m)->mnt.mnt_flags & (MNT_LOCKED|MNT_SYNC_UMOUNT)) == MNT_LOCKED) - - #define CL_EXPIRE 0x01 - #define CL_SLAVE 0x02 -diff --git a/fs/xfs/libxfs/xfs_attr_remote.c b/fs/xfs/libxfs/xfs_attr_remote.c -index 20de88d..dd71403 100644 ---- a/fs/xfs/libxfs/xfs_attr_remote.c -+++ b/fs/xfs/libxfs/xfs_attr_remote.c -@@ -159,11 +159,10 @@ xfs_attr3_rmt_write_verify( - struct xfs_buf *bp) - { - struct xfs_mount *mp = bp->b_target->bt_mount; -- struct xfs_buf_log_item *bip = bp->b_fspriv; -+ int blksize = mp->m_attr_geo->blksize; - char *ptr; - int len; - xfs_daddr_t bno; -- int blksize = mp->m_attr_geo->blksize; - - /* no verification of non-crc buffers */ - if (!xfs_sb_version_hascrc(&mp->m_sb)) -@@ -175,16 +174,22 @@ xfs_attr3_rmt_write_verify( - ASSERT(len >= blksize); - - while (len > 0) { -+ struct xfs_attr3_rmt_hdr *rmt = (struct xfs_attr3_rmt_hdr *)ptr; -+ - if (!xfs_attr3_rmt_verify(mp, ptr, blksize, bno)) { - xfs_buf_ioerror(bp, -EFSCORRUPTED); - xfs_verifier_error(bp); - return; - } -- if (bip) { -- struct xfs_attr3_rmt_hdr *rmt; - -- rmt = (struct xfs_attr3_rmt_hdr *)ptr; -- rmt->rm_lsn = cpu_to_be64(bip->bli_item.li_lsn); -+ /* -+ * Ensure we aren't writing bogus LSNs to disk. See -+ * xfs_attr3_rmt_hdr_set() for the explanation. -+ */ -+ if (rmt->rm_lsn != cpu_to_be64(NULLCOMMITLSN)) { -+ xfs_buf_ioerror(bp, -EFSCORRUPTED); -+ xfs_verifier_error(bp); -+ return; - } - xfs_update_cksum(ptr, blksize, XFS_ATTR3_RMT_CRC_OFF); - -@@ -221,6 +226,18 @@ xfs_attr3_rmt_hdr_set( - rmt->rm_owner = cpu_to_be64(ino); - rmt->rm_blkno = cpu_to_be64(bno); - -+ /* -+ * Remote attribute blocks are written synchronously, so we don't -+ * have an LSN that we can stamp in them that makes any sense to log -+ * recovery. To ensure that log recovery handles overwrites of these -+ * blocks sanely (i.e. once they've been freed and reallocated as some -+ * other type of metadata) we need to ensure that the LSN has a value -+ * that tells log recovery to ignore the LSN and overwrite the buffer -+ * with whatever is in it's log. To do this, we use the magic -+ * NULLCOMMITLSN to indicate that the LSN is invalid. -+ */ -+ rmt->rm_lsn = cpu_to_be64(NULLCOMMITLSN); -+ - return sizeof(struct xfs_attr3_rmt_hdr); - } - -@@ -434,14 +451,21 @@ xfs_attr_rmtval_set( - - /* - * Allocate a single extent, up to the size of the value. -+ * -+ * Note that we have to consider this a data allocation as we -+ * write the remote attribute without logging the contents. -+ * Hence we must ensure that we aren't using blocks that are on -+ * the busy list so that we don't overwrite blocks which have -+ * recently been freed but their transactions are not yet -+ * committed to disk. If we overwrite the contents of a busy -+ * extent and then crash then the block may not contain the -+ * correct metadata after log recovery occurs. - */ - xfs_bmap_init(args->flist, args->firstblock); - nmap = 1; - error = xfs_bmapi_write(args->trans, dp, (xfs_fileoff_t)lblkno, -- blkcnt, -- XFS_BMAPI_ATTRFORK | XFS_BMAPI_METADATA, -- args->firstblock, args->total, &map, &nmap, -- args->flist); -+ blkcnt, XFS_BMAPI_ATTRFORK, args->firstblock, -+ args->total, &map, &nmap, args->flist); - if (!error) { - error = xfs_bmap_finish(&args->trans, args->flist, - &committed); -diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c -index 4f5784f..a5d0339 100644 ---- a/fs/xfs/xfs_log_recover.c -+++ b/fs/xfs/xfs_log_recover.c -@@ -1887,9 +1887,14 @@ xlog_recover_get_buf_lsn( - uuid = &((struct xfs_dir3_blk_hdr *)blk)->uuid; - break; - case XFS_ATTR3_RMT_MAGIC: -- lsn = be64_to_cpu(((struct xfs_attr3_rmt_hdr *)blk)->rm_lsn); -- uuid = &((struct xfs_attr3_rmt_hdr *)blk)->rm_uuid; -- break; -+ /* -+ * Remote attr blocks are written synchronously, rather than -+ * being logged. That means they do not contain a valid LSN -+ * (i.e. transactionally ordered) in them, and hence any time we -+ * see a buffer to replay over the top of a remote attribute -+ * block we should simply do so. -+ */ -+ goto recover_immediately; - case XFS_SB_MAGIC: - lsn = be64_to_cpu(((struct xfs_dsb *)blk)->sb_lsn); - uuid = &((struct xfs_dsb *)blk)->sb_uuid; -diff --git a/include/linux/can/skb.h b/include/linux/can/skb.h -index b6a52a4..51bb653 100644 ---- a/include/linux/can/skb.h -+++ b/include/linux/can/skb.h -@@ -27,10 +27,12 @@ - /** - * struct can_skb_priv - private additional data inside CAN sk_buffs - * @ifindex: ifindex of the first interface the CAN frame appeared on -+ * @skbcnt: atomic counter to have an unique id together with skb pointer - * @cf: align to the following CAN frame at skb->data - */ - struct can_skb_priv { - int ifindex; -+ int skbcnt; - struct can_frame cf[0]; - }; - -diff --git a/include/linux/cper.h b/include/linux/cper.h -index 76abba4..dcacb1a 100644 ---- a/include/linux/cper.h -+++ b/include/linux/cper.h -@@ -340,7 +340,27 @@ struct cper_ia_proc_ctx { - __u64 mm_reg_addr; - }; - --/* Memory Error Section */ -+/* Old Memory Error Section UEFI 2.1, 2.2 */ -+struct cper_sec_mem_err_old { -+ __u64 validation_bits; -+ __u64 error_status; -+ __u64 physical_addr; -+ __u64 physical_addr_mask; -+ __u16 node; -+ __u16 card; -+ __u16 module; -+ __u16 bank; -+ __u16 device; -+ __u16 row; -+ __u16 column; -+ __u16 bit_pos; -+ __u64 requestor_id; -+ __u64 responder_id; -+ __u64 target_id; -+ __u8 error_type; -+}; -+ -+/* Memory Error Section UEFI >= 2.3 */ - struct cper_sec_mem_err { - __u64 validation_bits; - __u64 error_status; -diff --git a/include/linux/ftrace.h b/include/linux/ftrace.h -index 1da6029..6cd8c0e 100644 ---- a/include/linux/ftrace.h -+++ b/include/linux/ftrace.h -@@ -116,6 +116,7 @@ ftrace_func_t ftrace_ops_get_func(struct ftrace_ops *ops); - * SAVE_REGS. If another ops with this flag set is already registered - * for any of the functions that this ops will be registered for, then - * this ops will fail to register or set_filter_ip. -+ * PID - Is affected by set_ftrace_pid (allows filtering on those pids) - */ - enum { - FTRACE_OPS_FL_ENABLED = 1 << 0, -@@ -132,6 +133,7 @@ enum { - FTRACE_OPS_FL_MODIFYING = 1 << 11, - FTRACE_OPS_FL_ALLOC_TRAMP = 1 << 12, - FTRACE_OPS_FL_IPMODIFY = 1 << 13, -+ FTRACE_OPS_FL_PID = 1 << 14, - }; - - #ifdef CONFIG_DYNAMIC_FTRACE -@@ -159,6 +161,7 @@ struct ftrace_ops { - struct ftrace_ops *next; - unsigned long flags; - void *private; -+ ftrace_func_t saved_func; - int __percpu *disabled; - #ifdef CONFIG_DYNAMIC_FTRACE - int nr_trampolines; -diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h -index 54e7af3..73abbc5 100644 ---- a/include/target/iscsi/iscsi_target_core.h -+++ b/include/target/iscsi/iscsi_target_core.h -@@ -606,6 +606,7 @@ struct iscsi_conn { - int bitmap_id; - int rx_thread_active; - struct task_struct *rx_thread; -+ struct completion rx_login_comp; - int tx_thread_active; - struct task_struct *tx_thread; - /* list_head for session connection list */ -diff --git a/kernel/irq/resend.c b/kernel/irq/resend.c -index 9065107..7a5237a 100644 ---- a/kernel/irq/resend.c -+++ b/kernel/irq/resend.c -@@ -75,13 +75,21 @@ void check_irq_resend(struct irq_desc *desc, unsigned int irq) - !desc->irq_data.chip->irq_retrigger(&desc->irq_data)) { - #ifdef CONFIG_HARDIRQS_SW_RESEND - /* -- * If the interrupt has a parent irq and runs -- * in the thread context of the parent irq, -- * retrigger the parent. -+ * If the interrupt is running in the thread -+ * context of the parent irq we need to be -+ * careful, because we cannot trigger it -+ * directly. - */ -- if (desc->parent_irq && -- irq_settings_is_nested_thread(desc)) -+ if (irq_settings_is_nested_thread(desc)) { -+ /* -+ * If the parent_irq is valid, we -+ * retrigger the parent, otherwise we -+ * do nothing. -+ */ -+ if (!desc->parent_irq) -+ return; - irq = desc->parent_irq; -+ } - /* Set it pending and activate the softirq: */ - set_bit(irq, irqs_resend); - tasklet_schedule(&resend_tasklet); -diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 02bece4..eb11011 100644 ---- a/kernel/trace/ftrace.c -+++ b/kernel/trace/ftrace.c -@@ -98,6 +98,13 @@ struct ftrace_pid { - struct pid *pid; - }; - -+static bool ftrace_pids_enabled(void) -+{ -+ return !list_empty(&ftrace_pids); -+} -+ -+static void ftrace_update_trampoline(struct ftrace_ops *ops); -+ - /* - * ftrace_disabled is set when an anomaly is discovered. - * ftrace_disabled is much stronger than ftrace_enabled. -@@ -109,7 +116,6 @@ static DEFINE_MUTEX(ftrace_lock); - static struct ftrace_ops *ftrace_control_list __read_mostly = &ftrace_list_end; - static struct ftrace_ops *ftrace_ops_list __read_mostly = &ftrace_list_end; - ftrace_func_t ftrace_trace_function __read_mostly = ftrace_stub; --ftrace_func_t ftrace_pid_function __read_mostly = ftrace_stub; - static struct ftrace_ops global_ops; - static struct ftrace_ops control_ops; - -@@ -183,14 +189,7 @@ static void ftrace_pid_func(unsigned long ip, unsigned long parent_ip, - if (!test_tsk_trace_trace(current)) - return; - -- ftrace_pid_function(ip, parent_ip, op, regs); --} -- --static void set_ftrace_pid_function(ftrace_func_t func) --{ -- /* do not set ftrace_pid_function to itself! */ -- if (func != ftrace_pid_func) -- ftrace_pid_function = func; -+ op->saved_func(ip, parent_ip, op, regs); - } - - /** -@@ -202,7 +201,6 @@ static void set_ftrace_pid_function(ftrace_func_t func) - void clear_ftrace_function(void) - { - ftrace_trace_function = ftrace_stub; -- ftrace_pid_function = ftrace_stub; - } - - static void control_ops_disable_all(struct ftrace_ops *ops) -@@ -436,6 +434,12 @@ static int __register_ftrace_function(struct ftrace_ops *ops) - } else - add_ftrace_ops(&ftrace_ops_list, ops); - -+ /* Always save the function, and reset at unregistering */ -+ ops->saved_func = ops->func; -+ -+ if (ops->flags & FTRACE_OPS_FL_PID && ftrace_pids_enabled()) -+ ops->func = ftrace_pid_func; -+ - ftrace_update_trampoline(ops); - - if (ftrace_enabled) -@@ -463,15 +467,28 @@ static int __unregister_ftrace_function(struct ftrace_ops *ops) - if (ftrace_enabled) - update_ftrace_function(); - -+ ops->func = ops->saved_func; -+ - return 0; - } - - static void ftrace_update_pid_func(void) - { -+ bool enabled = ftrace_pids_enabled(); -+ struct ftrace_ops *op; -+ - /* Only do something if we are tracing something */ - if (ftrace_trace_function == ftrace_stub) - return; - -+ do_for_each_ftrace_op(op, ftrace_ops_list) { -+ if (op->flags & FTRACE_OPS_FL_PID) { -+ op->func = enabled ? ftrace_pid_func : -+ op->saved_func; -+ ftrace_update_trampoline(op); -+ } -+ } while_for_each_ftrace_op(op); -+ - update_ftrace_function(); - } - -@@ -1133,7 +1150,8 @@ static struct ftrace_ops global_ops = { - .local_hash.filter_hash = EMPTY_HASH, - INIT_OPS_HASH(global_ops) - .flags = FTRACE_OPS_FL_RECURSION_SAFE | -- FTRACE_OPS_FL_INITIALIZED, -+ FTRACE_OPS_FL_INITIALIZED | -+ FTRACE_OPS_FL_PID, - }; - - /* -@@ -5023,7 +5041,9 @@ static void ftrace_update_trampoline(struct ftrace_ops *ops) - - static struct ftrace_ops global_ops = { - .func = ftrace_stub, -- .flags = FTRACE_OPS_FL_RECURSION_SAFE | FTRACE_OPS_FL_INITIALIZED, -+ .flags = FTRACE_OPS_FL_RECURSION_SAFE | -+ FTRACE_OPS_FL_INITIALIZED | -+ FTRACE_OPS_FL_PID, - }; - - static int __init ftrace_nodyn_init(void) -@@ -5080,11 +5100,6 @@ void ftrace_init_array_ops(struct trace_array *tr, ftrace_func_t func) - if (WARN_ON(tr->ops->func != ftrace_stub)) - printk("ftrace ops had %pS for function\n", - tr->ops->func); -- /* Only the top level instance does pid tracing */ -- if (!list_empty(&ftrace_pids)) { -- set_ftrace_pid_function(func); -- func = ftrace_pid_func; -- } - } - tr->ops->func = func; - tr->ops->private = tr; -@@ -5371,7 +5386,7 @@ static void *fpid_start(struct seq_file *m, loff_t *pos) - { - mutex_lock(&ftrace_lock); - -- if (list_empty(&ftrace_pids) && (!*pos)) -+ if (!ftrace_pids_enabled() && (!*pos)) - return (void *) 1; - - return seq_list_start(&ftrace_pids, *pos); -@@ -5610,6 +5625,7 @@ static struct ftrace_ops graph_ops = { - .func = ftrace_stub, - .flags = FTRACE_OPS_FL_RECURSION_SAFE | - FTRACE_OPS_FL_INITIALIZED | -+ FTRACE_OPS_FL_PID | - FTRACE_OPS_FL_STUB, - #ifdef FTRACE_GRAPH_TRAMP_ADDR - .trampoline = FTRACE_GRAPH_TRAMP_ADDR, -diff --git a/lib/dma-debug.c b/lib/dma-debug.c -index ae4b65e..dace71f 100644 ---- a/lib/dma-debug.c -+++ b/lib/dma-debug.c -@@ -574,6 +574,9 @@ void debug_dma_assert_idle(struct page *page) - unsigned long flags; - phys_addr_t cln; - -+ if (dma_debug_disabled()) -+ return; -+ - if (!page) - return; - -diff --git a/net/can/af_can.c b/net/can/af_can.c -index 689c818..62c635f 100644 ---- a/net/can/af_can.c -+++ b/net/can/af_can.c -@@ -89,6 +89,8 @@ struct timer_list can_stattimer; /* timer for statistics update */ - struct s_stats can_stats; /* packet statistics */ - struct s_pstats can_pstats; /* receive list statistics */ - -+static atomic_t skbcounter = ATOMIC_INIT(0); -+ - /* - * af_can socket functions - */ -@@ -310,12 +312,8 @@ int can_send(struct sk_buff *skb, int loop) - return err; - } - -- if (newskb) { -- if (!(newskb->tstamp.tv64)) -- __net_timestamp(newskb); -- -+ if (newskb) - netif_rx_ni(newskb); -- } - - /* update statistics */ - can_stats.tx_frames++; -@@ -683,6 +681,10 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) - can_stats.rx_frames++; - can_stats.rx_frames_delta++; - -+ /* create non-zero unique skb identifier together with *skb */ -+ while (!(can_skb_prv(skb)->skbcnt)) -+ can_skb_prv(skb)->skbcnt = atomic_inc_return(&skbcounter); -+ - rcu_read_lock(); - - /* deliver the packet to sockets listening on all devices */ -diff --git a/net/can/bcm.c b/net/can/bcm.c -index b523453..a1ba687 100644 ---- a/net/can/bcm.c -+++ b/net/can/bcm.c -@@ -261,6 +261,7 @@ static void bcm_can_tx(struct bcm_op *op) - - can_skb_reserve(skb); - can_skb_prv(skb)->ifindex = dev->ifindex; -+ can_skb_prv(skb)->skbcnt = 0; - - memcpy(skb_put(skb, CFSIZ), cf, CFSIZ); - -@@ -1217,6 +1218,7 @@ static int bcm_tx_send(struct msghdr *msg, int ifindex, struct sock *sk) - } - - can_skb_prv(skb)->ifindex = dev->ifindex; -+ can_skb_prv(skb)->skbcnt = 0; - skb->dev = dev; - can_skb_set_owner(skb, sk); - err = can_send(skb, 1); /* send with loopback */ -diff --git a/net/can/raw.c b/net/can/raw.c -index 31b9748..2e67b14 100644 ---- a/net/can/raw.c -+++ b/net/can/raw.c -@@ -75,7 +75,7 @@ MODULE_ALIAS("can-proto-1"); - */ - - struct uniqframe { -- ktime_t tstamp; -+ int skbcnt; - const struct sk_buff *skb; - unsigned int join_rx_count; - }; -@@ -133,7 +133,7 @@ static void raw_rcv(struct sk_buff *oskb, void *data) - - /* eliminate multiple filter matches for the same skb */ - if (this_cpu_ptr(ro->uniq)->skb == oskb && -- ktime_equal(this_cpu_ptr(ro->uniq)->tstamp, oskb->tstamp)) { -+ this_cpu_ptr(ro->uniq)->skbcnt == can_skb_prv(oskb)->skbcnt) { - if (ro->join_filters) { - this_cpu_inc(ro->uniq->join_rx_count); - /* drop frame until all enabled filters matched */ -@@ -144,7 +144,7 @@ static void raw_rcv(struct sk_buff *oskb, void *data) - } - } else { - this_cpu_ptr(ro->uniq)->skb = oskb; -- this_cpu_ptr(ro->uniq)->tstamp = oskb->tstamp; -+ this_cpu_ptr(ro->uniq)->skbcnt = can_skb_prv(oskb)->skbcnt; - this_cpu_ptr(ro->uniq)->join_rx_count = 1; - /* drop first frame to check all enabled filters? */ - if (ro->join_filters && ro->count > 1) -@@ -749,6 +749,7 @@ static int raw_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) - - can_skb_reserve(skb); - can_skb_prv(skb)->ifindex = dev->ifindex; -+ can_skb_prv(skb)->skbcnt = 0; - - err = memcpy_from_msg(skb_put(skb, size), msg, size); - if (err < 0) -diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c -index 29236e8..c09c013 100644 ---- a/net/mac80211/debugfs_netdev.c -+++ b/net/mac80211/debugfs_netdev.c -@@ -723,6 +723,7 @@ void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata) - - debugfs_remove_recursive(sdata->vif.debugfs_dir); - sdata->vif.debugfs_dir = NULL; -+ sdata->debugfs.subdir_stations = NULL; - } - - void ieee80211_debugfs_rename_netdev(struct ieee80211_sub_if_data *sdata) -diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c -index 273b8bf..657ba9f 100644 ---- a/net/rds/ib_rdma.c -+++ b/net/rds/ib_rdma.c -@@ -759,8 +759,10 @@ void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents, - } - - ibmr = rds_ib_alloc_fmr(rds_ibdev); -- if (IS_ERR(ibmr)) -+ if (IS_ERR(ibmr)) { -+ rds_ib_dev_put(rds_ibdev); - return ibmr; -+ } - - ret = rds_ib_map_fmr(rds_ibdev, ibmr, sg, nents); - if (ret == 0) -diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c -index d126c03..75888dd 100644 ---- a/sound/core/pcm_native.c -+++ b/sound/core/pcm_native.c -@@ -85,7 +85,7 @@ static DECLARE_RWSEM(snd_pcm_link_rwsem); - void snd_pcm_stream_lock(struct snd_pcm_substream *substream) - { - if (substream->pcm->nonatomic) { -- down_read(&snd_pcm_link_rwsem); -+ down_read_nested(&snd_pcm_link_rwsem, SINGLE_DEPTH_NESTING); - mutex_lock(&substream->self_group.mutex); - } else { - read_lock(&snd_pcm_link_rwlock); -diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c -index c403dd1..44dfc7b 100644 ---- a/sound/pci/hda/hda_intel.c -+++ b/sound/pci/hda/hda_intel.c -@@ -2056,6 +2056,8 @@ static const struct pci_device_id azx_ids[] = { - /* ATI HDMI */ - { PCI_DEVICE(0x1002, 0x1308), - .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS }, -+ { PCI_DEVICE(0x1002, 0x157a), -+ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS }, - { PCI_DEVICE(0x1002, 0x793b), - .driver_data = AZX_DRIVER_ATIHDMI | AZX_DCAPS_PRESET_ATI_HDMI }, - { PCI_DEVICE(0x1002, 0x7919), -@@ -2110,8 +2112,14 @@ static const struct pci_device_id azx_ids[] = { - .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS }, - { PCI_DEVICE(0x1002, 0xaab0), - .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS }, -+ { PCI_DEVICE(0x1002, 0xaac0), -+ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS }, - { PCI_DEVICE(0x1002, 0xaac8), - .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS }, -+ { PCI_DEVICE(0x1002, 0xaad8), -+ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS }, -+ { PCI_DEVICE(0x1002, 0xaae8), -+ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS }, - /* VIA VT8251/VT8237A */ - { PCI_DEVICE(0x1106, 0x3288), - .driver_data = AZX_DRIVER_VIA | AZX_DCAPS_POSFIX_VIA }, -diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c -index 5f44f60..225b78b 100644 ---- a/sound/pci/hda/patch_hdmi.c -+++ b/sound/pci/hda/patch_hdmi.c -@@ -3333,6 +3333,7 @@ static const struct hda_codec_preset snd_hda_preset_hdmi[] = { - { .id = 0x10de0070, .name = "GPU 70 HDMI/DP", .patch = patch_nvhdmi }, - { .id = 0x10de0071, .name = "GPU 71 HDMI/DP", .patch = patch_nvhdmi }, - { .id = 0x10de0072, .name = "GPU 72 HDMI/DP", .patch = patch_nvhdmi }, -+{ .id = 0x10de007d, .name = "GPU 7d HDMI/DP", .patch = patch_nvhdmi }, - { .id = 0x10de8001, .name = "MCP73 HDMI", .patch = patch_nvhdmi_2ch }, - { .id = 0x11069f80, .name = "VX900 HDMI/DP", .patch = patch_via_hdmi }, - { .id = 0x11069f81, .name = "VX900 HDMI/DP", .patch = patch_via_hdmi }, -@@ -3396,6 +3397,7 @@ MODULE_ALIAS("snd-hda-codec-id:10de0067"); - MODULE_ALIAS("snd-hda-codec-id:10de0070"); - MODULE_ALIAS("snd-hda-codec-id:10de0071"); - MODULE_ALIAS("snd-hda-codec-id:10de0072"); -+MODULE_ALIAS("snd-hda-codec-id:10de007d"); - MODULE_ALIAS("snd-hda-codec-id:10de8001"); - MODULE_ALIAS("snd-hda-codec-id:11069f80"); - MODULE_ALIAS("snd-hda-codec-id:11069f81"); -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 0e75998..590bcfb0 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -2224,7 +2224,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = { - SND_PCI_QUIRK(0x106b, 0x4300, "iMac 9,1", ALC889_FIXUP_IMAC91_VREF), - SND_PCI_QUIRK(0x106b, 0x4600, "MacbookPro 5,2", ALC889_FIXUP_IMAC91_VREF), - SND_PCI_QUIRK(0x106b, 0x4900, "iMac 9,1 Aluminum", ALC889_FIXUP_IMAC91_VREF), -- SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_IMAC91_VREF), -+ SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_MBA11_VREF), - - SND_PCI_QUIRK(0x1071, 0x8258, "Evesham Voyaeger", ALC882_FIXUP_EAPD), - SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD), -@@ -5004,7 +5004,7 @@ static const struct hda_fixup alc269_fixups[] = { - { 0x14, 0x90170110 }, - { 0x17, 0x40000008 }, - { 0x18, 0x411111f0 }, -- { 0x19, 0x411111f0 }, -+ { 0x19, 0x01a1913c }, - { 0x1a, 0x411111f0 }, - { 0x1b, 0x411111f0 }, - { 0x1d, 0x40f89b2d }, -@@ -5114,6 +5114,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { - SND_PCI_QUIRK(0x1028, 0x064a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1028, 0x064b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1028, 0x0665, "Dell XPS 13", ALC288_FIXUP_DELL_XPS_13), -+ SND_PCI_QUIRK(0x1028, 0x069a, "Dell Vostro 5480", ALC290_FIXUP_SUBWOOFER_HSJACK), - SND_PCI_QUIRK(0x1028, 0x06c7, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1028, 0x06d9, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1028, 0x06da, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), -@@ -5382,6 +5383,17 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { - {0x1d, 0x40700001}, - {0x21, 0x02211030}), - SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, -+ {0x12, 0x40000000}, -+ {0x14, 0x90170130}, -+ {0x17, 0x411111f0}, -+ {0x18, 0x411111f0}, -+ {0x19, 0x411111f0}, -+ {0x1a, 0x411111f0}, -+ {0x1b, 0x01014020}, -+ {0x1d, 0x4054c029}, -+ {0x1e, 0x411111f0}, -+ {0x21, 0x0221103f}), -+ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, - {0x12, 0x90a60160}, - {0x14, 0x90170120}, - {0x17, 0x90170140}, -diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c -index 6c66d7e..25f0f45 100644 ---- a/sound/pci/hda/patch_sigmatel.c -+++ b/sound/pci/hda/patch_sigmatel.c -@@ -2920,7 +2920,8 @@ static const struct snd_pci_quirk stac92hd83xxx_fixup_tbl[] = { - SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x148a, - "HP Mini", STAC_92HD83XXX_HP_LED), - SND_PCI_QUIRK_VENDOR(PCI_VENDOR_ID_HP, "HP", STAC_92HD83XXX_HP), -- SND_PCI_QUIRK(PCI_VENDOR_ID_TOSHIBA, 0xfa91, -+ /* match both for 0xfa91 and 0xfa93 */ -+ SND_PCI_QUIRK_MASK(PCI_VENDOR_ID_TOSHIBA, 0xfffd, 0xfa91, - "Toshiba Satellite S50D", STAC_92HD83XXX_GPIO10_EAPD), - {} /* terminator */ - }; -diff --git a/sound/usb/line6/pcm.c b/sound/usb/line6/pcm.c -index 8461d6b..204cc07 100644 ---- a/sound/usb/line6/pcm.c -+++ b/sound/usb/line6/pcm.c -@@ -186,12 +186,8 @@ static int line6_stream_start(struct snd_line6_pcm *line6pcm, int direction, - int ret = 0; - - spin_lock_irqsave(&pstr->lock, flags); -- if (!test_and_set_bit(type, &pstr->running)) { -- if (pstr->active_urbs || pstr->unlink_urbs) { -- ret = -EBUSY; -- goto error; -- } -- -+ if (!test_and_set_bit(type, &pstr->running) && -+ !(pstr->active_urbs || pstr->unlink_urbs)) { - pstr->count = 0; - /* Submit all currently available URBs */ - if (direction == SNDRV_PCM_STREAM_PLAYBACK) -@@ -199,7 +195,6 @@ static int line6_stream_start(struct snd_line6_pcm *line6pcm, int direction, - else - ret = line6_submit_audio_in_all_urbs(line6pcm); - } -- error: - if (ret < 0) - clear_bit(type, &pstr->running); - spin_unlock_irqrestore(&pstr->lock, flags); -diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c -index e5000da..6a803ef 100644 ---- a/sound/usb/mixer_maps.c -+++ b/sound/usb/mixer_maps.c -@@ -341,6 +341,20 @@ static const struct usbmix_name_map scms_usb3318_map[] = { - { 0 } - }; - -+/* Bose companion 5, the dB conversion factor is 16 instead of 256 */ -+static struct usbmix_dB_map bose_companion5_dB = {-5006, -6}; -+static struct usbmix_name_map bose_companion5_map[] = { -+ { 3, NULL, .dB = &bose_companion5_dB }, -+ { 0 } /* terminator */ -+}; -+ -+/* Dragonfly DAC 1.2, the dB conversion factor is 1 instead of 256 */ -+static struct usbmix_dB_map dragonfly_1_2_dB = {0, 5000}; -+static struct usbmix_name_map dragonfly_1_2_map[] = { -+ { 7, NULL, .dB = &dragonfly_1_2_dB }, -+ { 0 } /* terminator */ -+}; -+ - /* - * Control map entries - */ -@@ -451,6 +465,16 @@ static struct usbmix_ctl_map usbmix_ctl_maps[] = { - .id = USB_ID(0x25c4, 0x0003), - .map = scms_usb3318_map, - }, -+ { -+ /* Bose Companion 5 */ -+ .id = USB_ID(0x05a7, 0x1020), -+ .map = bose_companion5_map, -+ }, -+ { -+ /* Dragonfly DAC 1.2 */ -+ .id = USB_ID(0x21b4, 0x0081), -+ .map = dragonfly_1_2_map, -+ }, - { 0 } /* terminator */ - }; - -diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h -index 2f6d3e9..e475665 100644 ---- a/sound/usb/quirks-table.h -+++ b/sound/usb/quirks-table.h -@@ -2512,6 +2512,74 @@ YAMAHA_DEVICE(0x7010, "UB99"), - } - }, - -+/* Steinberg devices */ -+{ -+ /* Steinberg MI2 */ -+ USB_DEVICE_VENDOR_SPEC(0x0a4e, 0x2040), -+ .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { -+ .ifnum = QUIRK_ANY_INTERFACE, -+ .type = QUIRK_COMPOSITE, -+ .data = & (const struct snd_usb_audio_quirk[]) { -+ { -+ .ifnum = 0, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 1, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 2, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 3, -+ .type = QUIRK_MIDI_FIXED_ENDPOINT, -+ .data = &(const struct snd_usb_midi_endpoint_info) { -+ .out_cables = 0x0001, -+ .in_cables = 0x0001 -+ } -+ }, -+ { -+ .ifnum = -1 -+ } -+ } -+ } -+}, -+{ -+ /* Steinberg MI4 */ -+ USB_DEVICE_VENDOR_SPEC(0x0a4e, 0x4040), -+ .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { -+ .ifnum = QUIRK_ANY_INTERFACE, -+ .type = QUIRK_COMPOSITE, -+ .data = & (const struct snd_usb_audio_quirk[]) { -+ { -+ .ifnum = 0, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 1, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 2, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 3, -+ .type = QUIRK_MIDI_FIXED_ENDPOINT, -+ .data = &(const struct snd_usb_midi_endpoint_info) { -+ .out_cables = 0x0001, -+ .in_cables = 0x0001 -+ } -+ }, -+ { -+ .ifnum = -1 -+ } -+ } -+ } -+}, -+ - /* TerraTec devices */ - { - USB_DEVICE_VENDOR_SPEC(0x0ccd, 0x0012), -diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c -index 995b7a8..658b0a8 100644 ---- a/tools/perf/ui/browsers/hists.c -+++ b/tools/perf/ui/browsers/hists.c -@@ -45,7 +45,7 @@ static struct rb_node *hists__filter_entries(struct rb_node *nd, - - static bool hist_browser__has_filter(struct hist_browser *hb) - { -- return hists__has_filter(hb->hists) || hb->min_pcnt; -+ return hists__has_filter(hb->hists) || hb->min_pcnt || symbol_conf.has_filter; - } - - static int hist_browser__get_folding(struct hist_browser *browser) -diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c -index 201f6c4c..99378a5 100644 ---- a/tools/perf/util/symbol.c -+++ b/tools/perf/util/symbol.c -@@ -1893,6 +1893,8 @@ int setup_intlist(struct intlist **list, const char *list_str, - pr_err("problems parsing %s list\n", list_name); - return -1; - } -+ -+ symbol_conf.has_filter = true; - return 0; - } - -diff --git a/tools/perf/util/symbol.h b/tools/perf/util/symbol.h -index 0956150..be02179 100644 ---- a/tools/perf/util/symbol.h -+++ b/tools/perf/util/symbol.h -@@ -105,7 +105,8 @@ struct symbol_conf { - demangle_kernel, - filter_relative, - show_hist_headers, -- branch_callstack; -+ branch_callstack, -+ has_filter; - const char *vmlinux_name, - *kallsyms_name, - *source_prefix, diff --git a/4.1.5/0000_README b/4.1.6/0000_README index 68f1c28..ddf2d35 100644 --- a/4.1.5/0000_README +++ b/4.1.6/0000_README @@ -2,11 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1004_linux-4.1.5.patch +Patch: 1005_linux-4.1.6.patch From: http://www.kernel.org -Desc: Linux 4.1.5 +Desc: Linux 4.1.6 -Patch: 4420_grsecurity-3.1-4.1.5-201508142233.patch +Patch: 4420_grsecurity-3.1-4.1.6-201508181953.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.1.6/1005_linux-4.1.6.patch b/4.1.6/1005_linux-4.1.6.patch new file mode 100644 index 0000000..0cc52e5 --- /dev/null +++ b/4.1.6/1005_linux-4.1.6.patch @@ -0,0 +1,4380 @@ +diff --git a/Documentation/devicetree/bindings/clock/keystone-pll.txt b/Documentation/devicetree/bindings/clock/keystone-pll.txt +index 225990f..47570d2 100644 +--- a/Documentation/devicetree/bindings/clock/keystone-pll.txt ++++ b/Documentation/devicetree/bindings/clock/keystone-pll.txt +@@ -15,8 +15,8 @@ Required properties: + - compatible : shall be "ti,keystone,main-pll-clock" or "ti,keystone,pll-clock" + - clocks : parent clock phandle + - reg - pll control0 and pll multipler registers +-- reg-names : control and multiplier. The multiplier is applicable only for +- main pll clock ++- reg-names : control, multiplier and post-divider. The multiplier and ++ post-divider registers are applicable only for main pll clock + - fixed-postdiv : fixed post divider value. If absent, use clkod register bits + for postdiv + +@@ -25,8 +25,8 @@ Example: + #clock-cells = <0>; + compatible = "ti,keystone,main-pll-clock"; + clocks = <&refclksys>; +- reg = <0x02620350 4>, <0x02310110 4>; +- reg-names = "control", "multiplier"; ++ reg = <0x02620350 4>, <0x02310110 4>, <0x02310108 4>; ++ reg-names = "control", "multiplier", "post-divider"; + fixed-postdiv = <2>; + }; + +diff --git a/Documentation/input/alps.txt b/Documentation/input/alps.txt +index c86f2f1..1fec113 100644 +--- a/Documentation/input/alps.txt ++++ b/Documentation/input/alps.txt +@@ -119,8 +119,10 @@ ALPS Absolute Mode - Protocol Version 2 + byte 5: 0 z6 z5 z4 z3 z2 z1 z0 + + Protocol Version 2 DualPoint devices send standard PS/2 mouse packets for +-the DualPoint Stick. For non interleaved dualpoint devices the pointingstick +-buttons get reported separately in the PSM, PSR and PSL bits. ++the DualPoint Stick. The M, R and L bits signal the combined status of both ++the pointingstick and touchpad buttons, except for Dell dualpoint devices ++where the pointingstick buttons get reported separately in the PSM, PSR ++and PSL bits. + + Dualpoint device -- interleaved packet format + --------------------------------------------- +diff --git a/Makefile b/Makefile +index 068dd69..838dabc 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 1 +-SUBLEVEL = 5 ++SUBLEVEL = 6 + EXTRAVERSION = + NAME = Series 4800 + +diff --git a/arch/arm/boot/dts/imx35.dtsi b/arch/arm/boot/dts/imx35.dtsi +index b6478e9..e6540b5 100644 +--- a/arch/arm/boot/dts/imx35.dtsi ++++ b/arch/arm/boot/dts/imx35.dtsi +@@ -286,8 +286,8 @@ + can1: can@53fe4000 { + compatible = "fsl,imx35-flexcan", "fsl,p1010-flexcan"; + reg = <0x53fe4000 0x1000>; +- clocks = <&clks 33>; +- clock-names = "ipg"; ++ clocks = <&clks 33>, <&clks 33>; ++ clock-names = "ipg", "per"; + interrupts = <43>; + status = "disabled"; + }; +@@ -295,8 +295,8 @@ + can2: can@53fe8000 { + compatible = "fsl,imx35-flexcan", "fsl,p1010-flexcan"; + reg = <0x53fe8000 0x1000>; +- clocks = <&clks 34>; +- clock-names = "ipg"; ++ clocks = <&clks 34>, <&clks 34>; ++ clock-names = "ipg", "per"; + interrupts = <44>; + status = "disabled"; + }; +diff --git a/arch/arm/boot/dts/k2e-clocks.dtsi b/arch/arm/boot/dts/k2e-clocks.dtsi +index 4773d6a..d56d68f 100644 +--- a/arch/arm/boot/dts/k2e-clocks.dtsi ++++ b/arch/arm/boot/dts/k2e-clocks.dtsi +@@ -13,9 +13,8 @@ clocks { + #clock-cells = <0>; + compatible = "ti,keystone,main-pll-clock"; + clocks = <&refclksys>; +- reg = <0x02620350 4>, <0x02310110 4>; +- reg-names = "control", "multiplier"; +- fixed-postdiv = <2>; ++ reg = <0x02620350 4>, <0x02310110 4>, <0x02310108 4>; ++ reg-names = "control", "multiplier", "post-divider"; + }; + + papllclk: papllclk@2620358 { +diff --git a/arch/arm/boot/dts/k2hk-clocks.dtsi b/arch/arm/boot/dts/k2hk-clocks.dtsi +index d5adee3..af9b719 100644 +--- a/arch/arm/boot/dts/k2hk-clocks.dtsi ++++ b/arch/arm/boot/dts/k2hk-clocks.dtsi +@@ -22,9 +22,8 @@ clocks { + #clock-cells = <0>; + compatible = "ti,keystone,main-pll-clock"; + clocks = <&refclksys>; +- reg = <0x02620350 4>, <0x02310110 4>; +- reg-names = "control", "multiplier"; +- fixed-postdiv = <2>; ++ reg = <0x02620350 4>, <0x02310110 4>, <0x02310108 4>; ++ reg-names = "control", "multiplier", "post-divider"; + }; + + papllclk: papllclk@2620358 { +diff --git a/arch/arm/boot/dts/k2l-clocks.dtsi b/arch/arm/boot/dts/k2l-clocks.dtsi +index eb1e3e2..ef8464b 100644 +--- a/arch/arm/boot/dts/k2l-clocks.dtsi ++++ b/arch/arm/boot/dts/k2l-clocks.dtsi +@@ -22,9 +22,8 @@ clocks { + #clock-cells = <0>; + compatible = "ti,keystone,main-pll-clock"; + clocks = <&refclksys>; +- reg = <0x02620350 4>, <0x02310110 4>; +- reg-names = "control", "multiplier"; +- fixed-postdiv = <2>; ++ reg = <0x02620350 4>, <0x02310110 4>, <0x02310108 4>; ++ reg-names = "control", "multiplier", "post-divider"; + }; + + papllclk: papllclk@2620358 { +diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c +index 752969f..5286e77 100644 +--- a/arch/arm/mach-omap2/omap_hwmod.c ++++ b/arch/arm/mach-omap2/omap_hwmod.c +@@ -2373,6 +2373,9 @@ static int of_dev_hwmod_lookup(struct device_node *np, + * registers. This address is needed early so the OCP registers that + * are part of the device's address space can be ioremapped properly. + * ++ * If SYSC access is not needed, the registers will not be remapped ++ * and non-availability of MPU access is not treated as an error. ++ * + * Returns 0 on success, -EINVAL if an invalid hwmod is passed, and + * -ENXIO on absent or invalid register target address space. + */ +@@ -2387,6 +2390,11 @@ static int __init _init_mpu_rt_base(struct omap_hwmod *oh, void *data, + + _save_mpu_port_index(oh); + ++ /* if we don't need sysc access we don't need to ioremap */ ++ if (!oh->class->sysc) ++ return 0; ++ ++ /* we can't continue without MPU PORT if we need sysc access */ + if (oh->_int_flags & _HWMOD_NO_MPU_PORT) + return -ENXIO; + +@@ -2396,8 +2404,10 @@ static int __init _init_mpu_rt_base(struct omap_hwmod *oh, void *data, + oh->name); + + /* Extract the IO space from device tree blob */ +- if (!np) ++ if (!np) { ++ pr_err("omap_hwmod: %s: no dt node\n", oh->name); + return -ENXIO; ++ } + + va_start = of_iomap(np, index + oh->mpu_rt_idx); + } else { +@@ -2456,13 +2466,11 @@ static int __init _init(struct omap_hwmod *oh, void *data) + oh->name, np->name); + } + +- if (oh->class->sysc) { +- r = _init_mpu_rt_base(oh, NULL, index, np); +- if (r < 0) { +- WARN(1, "omap_hwmod: %s: doesn't have mpu register target base\n", +- oh->name); +- return 0; +- } ++ r = _init_mpu_rt_base(oh, NULL, index, np); ++ if (r < 0) { ++ WARN(1, "omap_hwmod: %s: doesn't have mpu register target base\n", ++ oh->name); ++ return 0; + } + + r = _init_clocks(oh, NULL); +diff --git a/arch/arm64/kernel/signal32.c b/arch/arm64/kernel/signal32.c +index d26fcd4..c0cff34 100644 +--- a/arch/arm64/kernel/signal32.c ++++ b/arch/arm64/kernel/signal32.c +@@ -168,7 +168,8 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from) + * Other callers might not initialize the si_lsb field, + * so check explicitely for the right codes here. + */ +- if (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO) ++ if (from->si_signo == SIGBUS && ++ (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO)) + err |= __put_user(from->si_addr_lsb, &to->si_addr_lsb); + #endif + break; +@@ -201,8 +202,6 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from) + + int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from) + { +- memset(to, 0, sizeof *to); +- + if (copy_from_user(to, from, __ARCH_SI_PREAMBLE_SIZE) || + copy_from_user(to->_sifields._pad, + from->_sifields._pad, SI_PAD_SIZE)) +diff --git a/arch/mips/ath79/setup.c b/arch/mips/ath79/setup.c +index 7fc8397..fd2a36a 100644 +--- a/arch/mips/ath79/setup.c ++++ b/arch/mips/ath79/setup.c +@@ -186,6 +186,7 @@ int get_c0_perfcount_int(void) + { + return ATH79_MISC_IRQ(5); + } ++EXPORT_SYMBOL_GPL(get_c0_perfcount_int); + + unsigned int get_c0_compare_int(void) + { +diff --git a/arch/mips/include/asm/mach-bcm63xx/dma-coherence.h b/arch/mips/include/asm/mach-bcm63xx/dma-coherence.h +deleted file mode 100644 +index 11d3b57..0000000 +--- a/arch/mips/include/asm/mach-bcm63xx/dma-coherence.h ++++ /dev/null +@@ -1,10 +0,0 @@ +-#ifndef __ASM_MACH_BCM63XX_DMA_COHERENCE_H +-#define __ASM_MACH_BCM63XX_DMA_COHERENCE_H +- +-#include <asm/bmips.h> +- +-#define plat_post_dma_flush bmips_post_dma_flush +- +-#include <asm/mach-generic/dma-coherence.h> +- +-#endif /* __ASM_MACH_BCM63XX_DMA_COHERENCE_H */ +diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h +index 819af9d..70f6e7f 100644 +--- a/arch/mips/include/asm/pgtable.h ++++ b/arch/mips/include/asm/pgtable.h +@@ -182,8 +182,39 @@ static inline void set_pte(pte_t *ptep, pte_t pteval) + * Make sure the buddy is global too (if it's !none, + * it better already be global) + */ ++#ifdef CONFIG_SMP ++ /* ++ * For SMP, multiple CPUs can race, so we need to do ++ * this atomically. ++ */ ++#ifdef CONFIG_64BIT ++#define LL_INSN "lld" ++#define SC_INSN "scd" ++#else /* CONFIG_32BIT */ ++#define LL_INSN "ll" ++#define SC_INSN "sc" ++#endif ++ unsigned long page_global = _PAGE_GLOBAL; ++ unsigned long tmp; ++ ++ __asm__ __volatile__ ( ++ " .set push\n" ++ " .set noreorder\n" ++ "1: " LL_INSN " %[tmp], %[buddy]\n" ++ " bnez %[tmp], 2f\n" ++ " or %[tmp], %[tmp], %[global]\n" ++ " " SC_INSN " %[tmp], %[buddy]\n" ++ " beqz %[tmp], 1b\n" ++ " nop\n" ++ "2:\n" ++ " .set pop" ++ : [buddy] "+m" (buddy->pte), ++ [tmp] "=&r" (tmp) ++ : [global] "r" (page_global)); ++#else /* !CONFIG_SMP */ + if (pte_none(*buddy)) + pte_val(*buddy) = pte_val(*buddy) | _PAGE_GLOBAL; ++#endif /* CONFIG_SMP */ + } + #endif + } +diff --git a/arch/mips/include/asm/stackframe.h b/arch/mips/include/asm/stackframe.h +index 28d6d93..a71da57 100644 +--- a/arch/mips/include/asm/stackframe.h ++++ b/arch/mips/include/asm/stackframe.h +@@ -152,6 +152,31 @@ + .set noreorder + bltz k0, 8f + move k1, sp ++#ifdef CONFIG_EVA ++ /* ++ * Flush interAptiv's Return Prediction Stack (RPS) by writing ++ * EntryHi. Toggling Config7.RPS is slower and less portable. ++ * ++ * The RPS isn't automatically flushed when exceptions are ++ * taken, which can result in kernel mode speculative accesses ++ * to user addresses if the RPS mispredicts. That's harmless ++ * when user and kernel share the same address space, but with ++ * EVA the same user segments may be unmapped to kernel mode, ++ * even containing sensitive MMIO regions or invalid memory. ++ * ++ * This can happen when the kernel sets the return address to ++ * ret_from_* and jr's to the exception handler, which looks ++ * more like a tail call than a function call. If nested calls ++ * don't evict the last user address in the RPS, it will ++ * mispredict the return and fetch from a user controlled ++ * address into the icache. ++ * ++ * More recent EVA-capable cores with MAAR to restrict ++ * speculative accesses aren't affected. ++ */ ++ MFC0 k0, CP0_ENTRYHI ++ MTC0 k0, CP0_ENTRYHI ++#endif + .set reorder + /* Called from user mode, new stack. */ + get_saved_sp +diff --git a/arch/mips/kernel/mips-mt-fpaff.c b/arch/mips/kernel/mips-mt-fpaff.c +index 3e4491a..789d7bf 100644 +--- a/arch/mips/kernel/mips-mt-fpaff.c ++++ b/arch/mips/kernel/mips-mt-fpaff.c +@@ -154,7 +154,7 @@ asmlinkage long mipsmt_sys_sched_getaffinity(pid_t pid, unsigned int len, + unsigned long __user *user_mask_ptr) + { + unsigned int real_len; +- cpumask_t mask; ++ cpumask_t allowed, mask; + int retval; + struct task_struct *p; + +@@ -173,7 +173,8 @@ asmlinkage long mipsmt_sys_sched_getaffinity(pid_t pid, unsigned int len, + if (retval) + goto out_unlock; + +- cpumask_and(&mask, &p->thread.user_cpus_allowed, cpu_possible_mask); ++ cpumask_or(&allowed, &p->thread.user_cpus_allowed, &p->cpus_allowed); ++ cpumask_and(&mask, &allowed, cpu_active_mask); + + out_unlock: + read_unlock(&tasklist_lock); +diff --git a/arch/mips/kernel/relocate_kernel.S b/arch/mips/kernel/relocate_kernel.S +index 74bab9d..c6bbf21 100644 +--- a/arch/mips/kernel/relocate_kernel.S ++++ b/arch/mips/kernel/relocate_kernel.S +@@ -24,7 +24,7 @@ LEAF(relocate_new_kernel) + + process_entry: + PTR_L s2, (s0) +- PTR_ADD s0, s0, SZREG ++ PTR_ADDIU s0, s0, SZREG + + /* + * In case of a kdump/crash kernel, the indirection page is not +@@ -61,9 +61,9 @@ copy_word: + /* copy page word by word */ + REG_L s5, (s2) + REG_S s5, (s4) +- PTR_ADD s4, s4, SZREG +- PTR_ADD s2, s2, SZREG +- LONG_SUB s6, s6, 1 ++ PTR_ADDIU s4, s4, SZREG ++ PTR_ADDIU s2, s2, SZREG ++ LONG_ADDIU s6, s6, -1 + beq s6, zero, process_entry + b copy_word + b process_entry +diff --git a/arch/mips/kernel/signal32.c b/arch/mips/kernel/signal32.c +index 19a7705..5d7f263 100644 +--- a/arch/mips/kernel/signal32.c ++++ b/arch/mips/kernel/signal32.c +@@ -409,8 +409,6 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from) + + int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from) + { +- memset(to, 0, sizeof *to); +- + if (copy_from_user(to, from, 3*sizeof(int)) || + copy_from_user(to->_sifields._pad, + from->_sifields._pad, SI_PAD_SIZE32)) +diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c +index d2d1c19..5f5f44e 100644 +--- a/arch/mips/kernel/traps.c ++++ b/arch/mips/kernel/traps.c +@@ -192,6 +192,7 @@ static void show_stacktrace(struct task_struct *task, + void show_stack(struct task_struct *task, unsigned long *sp) + { + struct pt_regs regs; ++ mm_segment_t old_fs = get_fs(); + if (sp) { + regs.regs[29] = (unsigned long)sp; + regs.regs[31] = 0; +@@ -210,7 +211,13 @@ void show_stack(struct task_struct *task, unsigned long *sp) + prepare_frametrace(®s); + } + } ++ /* ++ * show_stack() deals exclusively with kernel mode, so be sure to access ++ * the stack in the kernel (not user) address space. ++ */ ++ set_fs(KERNEL_DS); + show_stacktrace(task, ®s); ++ set_fs(old_fs); + } + + static void show_code(unsigned int __user *pc) +@@ -1518,6 +1525,7 @@ asmlinkage void do_mcheck(struct pt_regs *regs) + const int field = 2 * sizeof(unsigned long); + int multi_match = regs->cp0_status & ST0_TS; + enum ctx_state prev_state; ++ mm_segment_t old_fs = get_fs(); + + prev_state = exception_enter(); + show_regs(regs); +@@ -1539,8 +1547,13 @@ asmlinkage void do_mcheck(struct pt_regs *regs) + dump_tlb_all(); + } + ++ if (!user_mode(regs)) ++ set_fs(KERNEL_DS); ++ + show_code((unsigned int __user *) regs->cp0_epc); + ++ set_fs(old_fs); ++ + /* + * Some chips may have other causes of machine check (e.g. SB1 + * graduation timer) +diff --git a/arch/mips/kernel/unaligned.c b/arch/mips/kernel/unaligned.c +index af84bef..eb3efd1 100644 +--- a/arch/mips/kernel/unaligned.c ++++ b/arch/mips/kernel/unaligned.c +@@ -438,7 +438,7 @@ do { \ + : "memory"); \ + } while(0) + +-#define StoreDW(addr, value, res) \ ++#define _StoreDW(addr, value, res) \ + do { \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ +diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c +index 6ab1057..d01ade6 100644 +--- a/arch/mips/lantiq/irq.c ++++ b/arch/mips/lantiq/irq.c +@@ -466,6 +466,7 @@ int get_c0_perfcount_int(void) + { + return ltq_perfcount_irq; + } ++EXPORT_SYMBOL_GPL(get_c0_perfcount_int); + + unsigned int get_c0_compare_int(void) + { +diff --git a/arch/mips/mti-malta/malta-time.c b/arch/mips/mti-malta/malta-time.c +index 185e682..a7f7d9f 100644 +--- a/arch/mips/mti-malta/malta-time.c ++++ b/arch/mips/mti-malta/malta-time.c +@@ -148,6 +148,7 @@ int get_c0_perfcount_int(void) + + return mips_cpu_perf_irq; + } ++EXPORT_SYMBOL_GPL(get_c0_perfcount_int); + + unsigned int get_c0_compare_int(void) + { +@@ -165,14 +166,17 @@ unsigned int get_c0_compare_int(void) + + static void __init init_rtc(void) + { +- /* stop the clock whilst setting it up */ +- CMOS_WRITE(RTC_SET | RTC_24H, RTC_CONTROL); ++ unsigned char freq, ctrl; + +- /* 32KHz time base */ +- CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT); ++ /* Set 32KHz time base if not already set */ ++ freq = CMOS_READ(RTC_FREQ_SELECT); ++ if ((freq & RTC_DIV_CTL) != RTC_REF_CLCK_32KHZ) ++ CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT); + +- /* start the clock */ +- CMOS_WRITE(RTC_24H, RTC_CONTROL); ++ /* Ensure SET bit is clear so RTC can run */ ++ ctrl = CMOS_READ(RTC_CONTROL); ++ if (ctrl & RTC_SET) ++ CMOS_WRITE(ctrl & ~RTC_SET, RTC_CONTROL); + } + + void __init plat_time_init(void) +diff --git a/arch/mips/mti-sead3/sead3-time.c b/arch/mips/mti-sead3/sead3-time.c +index e1d6989..a120b7a 100644 +--- a/arch/mips/mti-sead3/sead3-time.c ++++ b/arch/mips/mti-sead3/sead3-time.c +@@ -77,6 +77,7 @@ int get_c0_perfcount_int(void) + return MIPS_CPU_IRQ_BASE + cp0_perfcount_irq; + return -1; + } ++EXPORT_SYMBOL_GPL(get_c0_perfcount_int); + + unsigned int get_c0_compare_int(void) + { +diff --git a/arch/mips/pistachio/time.c b/arch/mips/pistachio/time.c +index 67889fc..ab73f6f 100644 +--- a/arch/mips/pistachio/time.c ++++ b/arch/mips/pistachio/time.c +@@ -26,6 +26,7 @@ int get_c0_perfcount_int(void) + { + return gic_get_c0_perfcount_int(); + } ++EXPORT_SYMBOL_GPL(get_c0_perfcount_int); + + void __init plat_time_init(void) + { +diff --git a/arch/mips/ralink/irq.c b/arch/mips/ralink/irq.c +index 7cf91b9..199ace4 100644 +--- a/arch/mips/ralink/irq.c ++++ b/arch/mips/ralink/irq.c +@@ -89,6 +89,7 @@ int get_c0_perfcount_int(void) + { + return rt_perfcount_irq; + } ++EXPORT_SYMBOL_GPL(get_c0_perfcount_int); + + unsigned int get_c0_compare_int(void) + { +diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c +index d3a831a..da50e0c 100644 +--- a/arch/powerpc/kernel/signal_32.c ++++ b/arch/powerpc/kernel/signal_32.c +@@ -966,8 +966,6 @@ int copy_siginfo_to_user32(struct compat_siginfo __user *d, const siginfo_t *s) + + int copy_siginfo_from_user32(siginfo_t *to, struct compat_siginfo __user *from) + { +- memset(to, 0, sizeof *to); +- + if (copy_from_user(to, from, 3*sizeof(int)) || + copy_from_user(to->_sifields._pad, + from->_sifields._pad, SI_PAD_SIZE32)) +diff --git a/arch/sparc/include/asm/visasm.h b/arch/sparc/include/asm/visasm.h +index 1f0aa20..6424249 100644 +--- a/arch/sparc/include/asm/visasm.h ++++ b/arch/sparc/include/asm/visasm.h +@@ -28,16 +28,10 @@ + * Must preserve %o5 between VISEntryHalf and VISExitHalf */ + + #define VISEntryHalf \ +- rd %fprs, %o5; \ +- andcc %o5, FPRS_FEF, %g0; \ +- be,pt %icc, 297f; \ +- sethi %hi(298f), %g7; \ +- sethi %hi(VISenterhalf), %g1; \ +- jmpl %g1 + %lo(VISenterhalf), %g0; \ +- or %g7, %lo(298f), %g7; \ +- clr %o5; \ +-297: wr %o5, FPRS_FEF, %fprs; \ +-298: ++ VISEntry ++ ++#define VISExitHalf \ ++ VISExit + + #define VISEntryHalfFast(fail_label) \ + rd %fprs, %o5; \ +@@ -47,7 +41,7 @@ + ba,a,pt %xcc, fail_label; \ + 297: wr %o5, FPRS_FEF, %fprs; + +-#define VISExitHalf \ ++#define VISExitHalfFast \ + wr %o5, 0, %fprs; + + #ifndef __ASSEMBLY__ +diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S +index 140527a..83aeeb1 100644 +--- a/arch/sparc/lib/NG4memcpy.S ++++ b/arch/sparc/lib/NG4memcpy.S +@@ -240,8 +240,11 @@ FUNC_NAME: /* %o0=dst, %o1=src, %o2=len */ + add %o0, 0x40, %o0 + bne,pt %icc, 1b + LOAD(prefetch, %g1 + 0x200, #n_reads_strong) ++#ifdef NON_USER_COPY ++ VISExitHalfFast ++#else + VISExitHalf +- ++#endif + brz,pn %o2, .Lexit + cmp %o2, 19 + ble,pn %icc, .Lsmall_unaligned +diff --git a/arch/sparc/lib/VISsave.S b/arch/sparc/lib/VISsave.S +index b320ae9..a063d84 100644 +--- a/arch/sparc/lib/VISsave.S ++++ b/arch/sparc/lib/VISsave.S +@@ -44,9 +44,8 @@ vis1: ldub [%g6 + TI_FPSAVED], %g3 + + stx %g3, [%g6 + TI_GSR] + 2: add %g6, %g1, %g3 +- cmp %o5, FPRS_DU +- be,pn %icc, 6f +- sll %g1, 3, %g1 ++ mov FPRS_DU | FPRS_DL | FPRS_FEF, %o5 ++ sll %g1, 3, %g1 + stb %o5, [%g3 + TI_FPSAVED] + rd %gsr, %g2 + add %g6, %g1, %g3 +@@ -80,65 +79,3 @@ vis1: ldub [%g6 + TI_FPSAVED], %g3 + .align 32 + 80: jmpl %g7 + %g0, %g0 + nop +- +-6: ldub [%g3 + TI_FPSAVED], %o5 +- or %o5, FPRS_DU, %o5 +- add %g6, TI_FPREGS+0x80, %g2 +- stb %o5, [%g3 + TI_FPSAVED] +- +- sll %g1, 5, %g1 +- add %g6, TI_FPREGS+0xc0, %g3 +- wr %g0, FPRS_FEF, %fprs +- membar #Sync +- stda %f32, [%g2 + %g1] ASI_BLK_P +- stda %f48, [%g3 + %g1] ASI_BLK_P +- membar #Sync +- ba,pt %xcc, 80f +- nop +- +- .align 32 +-80: jmpl %g7 + %g0, %g0 +- nop +- +- .align 32 +-VISenterhalf: +- ldub [%g6 + TI_FPDEPTH], %g1 +- brnz,a,pn %g1, 1f +- cmp %g1, 1 +- stb %g0, [%g6 + TI_FPSAVED] +- stx %fsr, [%g6 + TI_XFSR] +- clr %o5 +- jmpl %g7 + %g0, %g0 +- wr %g0, FPRS_FEF, %fprs +- +-1: bne,pn %icc, 2f +- srl %g1, 1, %g1 +- ba,pt %xcc, vis1 +- sub %g7, 8, %g7 +-2: addcc %g6, %g1, %g3 +- sll %g1, 3, %g1 +- andn %o5, FPRS_DU, %g2 +- stb %g2, [%g3 + TI_FPSAVED] +- +- rd %gsr, %g2 +- add %g6, %g1, %g3 +- stx %g2, [%g3 + TI_GSR] +- add %g6, %g1, %g2 +- stx %fsr, [%g2 + TI_XFSR] +- sll %g1, 5, %g1 +-3: andcc %o5, FPRS_DL, %g0 +- be,pn %icc, 4f +- add %g6, TI_FPREGS, %g2 +- +- add %g6, TI_FPREGS+0x40, %g3 +- membar #Sync +- stda %f0, [%g2 + %g1] ASI_BLK_P +- stda %f16, [%g3 + %g1] ASI_BLK_P +- membar #Sync +- ba,pt %xcc, 4f +- nop +- +- .align 32 +-4: and %o5, FPRS_DU, %o5 +- jmpl %g7 + %g0, %g0 +- wr %o5, FPRS_FEF, %fprs +diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c +index 1d649a9..8069ce1 100644 +--- a/arch/sparc/lib/ksyms.c ++++ b/arch/sparc/lib/ksyms.c +@@ -135,10 +135,6 @@ EXPORT_SYMBOL(copy_user_page); + void VISenter(void); + EXPORT_SYMBOL(VISenter); + +-/* CRYPTO code needs this */ +-void VISenterhalf(void); +-EXPORT_SYMBOL(VISenterhalf); +- + extern void xor_vis_2(unsigned long, unsigned long *, unsigned long *); + extern void xor_vis_3(unsigned long, unsigned long *, unsigned long *, + unsigned long *); +diff --git a/arch/tile/kernel/compat_signal.c b/arch/tile/kernel/compat_signal.c +index e8c2c04..c667e10 100644 +--- a/arch/tile/kernel/compat_signal.c ++++ b/arch/tile/kernel/compat_signal.c +@@ -113,8 +113,6 @@ int copy_siginfo_from_user32(siginfo_t *to, struct compat_siginfo __user *from) + if (!access_ok(VERIFY_READ, from, sizeof(struct compat_siginfo))) + return -EFAULT; + +- memset(to, 0, sizeof(*to)); +- + err = __get_user(to->si_signo, &from->si_signo); + err |= __get_user(to->si_errno, &from->si_errno); + err |= __get_user(to->si_code, &from->si_code); +diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S +index 02c2eff..4bd6c19 100644 +--- a/arch/x86/kernel/entry_64.S ++++ b/arch/x86/kernel/entry_64.S +@@ -793,8 +793,6 @@ retint_kernel: + restore_c_regs_and_iret: + RESTORE_C_REGS + REMOVE_PT_GPREGS_FROM_STACK 8 +- +-irq_return: + INTERRUPT_RETURN + + ENTRY(native_iret) +@@ -1413,11 +1411,12 @@ ENTRY(nmi) + * If the variable is not set and the stack is not the NMI + * stack then: + * o Set the special variable on the stack +- * o Copy the interrupt frame into a "saved" location on the stack +- * o Copy the interrupt frame into a "copy" location on the stack ++ * o Copy the interrupt frame into an "outermost" location on the ++ * stack ++ * o Copy the interrupt frame into an "iret" location on the stack + * o Continue processing the NMI + * If the variable is set or the previous stack is the NMI stack: +- * o Modify the "copy" location to jump to the repeate_nmi ++ * o Modify the "iret" location to jump to the repeat_nmi + * o return back to the first NMI + * + * Now on exit of the first NMI, we first clear the stack variable +@@ -1426,32 +1425,151 @@ ENTRY(nmi) + * a nested NMI that updated the copy interrupt stack frame, a + * jump will be made to the repeat_nmi code that will handle the second + * NMI. ++ * ++ * However, espfix prevents us from directly returning to userspace ++ * with a single IRET instruction. Similarly, IRET to user mode ++ * can fault. We therefore handle NMIs from user space like ++ * other IST entries. + */ + + /* Use %rdx as our temp variable throughout */ + pushq_cfi %rdx + CFI_REL_OFFSET rdx, 0 + ++ testb $3, CS-RIP+8(%rsp) ++ jz .Lnmi_from_kernel ++ + /* +- * If %cs was not the kernel segment, then the NMI triggered in user +- * space, which means it is definitely not nested. ++ * NMI from user mode. We need to run on the thread stack, but we ++ * can't go through the normal entry paths: NMIs are masked, and ++ * we don't want to enable interrupts, because then we'll end ++ * up in an awkward situation in which IRQs are on but NMIs ++ * are off. + */ +- cmpl $__KERNEL_CS, 16(%rsp) +- jne first_nmi ++ ++ SWAPGS ++ cld ++ movq %rsp, %rdx ++ movq PER_CPU_VAR(kernel_stack), %rsp ++ pushq 5*8(%rdx) /* pt_regs->ss */ ++ pushq 4*8(%rdx) /* pt_regs->rsp */ ++ pushq 3*8(%rdx) /* pt_regs->flags */ ++ pushq 2*8(%rdx) /* pt_regs->cs */ ++ pushq 1*8(%rdx) /* pt_regs->rip */ ++ pushq $-1 /* pt_regs->orig_ax */ ++ pushq %rdi /* pt_regs->di */ ++ pushq %rsi /* pt_regs->si */ ++ pushq (%rdx) /* pt_regs->dx */ ++ pushq %rcx /* pt_regs->cx */ ++ pushq %rax /* pt_regs->ax */ ++ pushq %r8 /* pt_regs->r8 */ ++ pushq %r9 /* pt_regs->r9 */ ++ pushq %r10 /* pt_regs->r10 */ ++ pushq %r11 /* pt_regs->r11 */ ++ pushq %rbx /* pt_regs->rbx */ ++ pushq %rbp /* pt_regs->rbp */ ++ pushq %r12 /* pt_regs->r12 */ ++ pushq %r13 /* pt_regs->r13 */ ++ pushq %r14 /* pt_regs->r14 */ ++ pushq %r15 /* pt_regs->r15 */ + + /* +- * Check the special variable on the stack to see if NMIs are +- * executing. ++ * At this point we no longer need to worry about stack damage ++ * due to nesting -- we're on the normal thread stack and we're ++ * done with the NMI stack. ++ */ ++ movq %rsp, %rdi ++ movq $-1, %rsi ++ call do_nmi ++ ++ /* ++ * Return back to user mode. We must *not* do the normal exit ++ * work, because we don't want to enable interrupts. Fortunately, ++ * do_nmi doesn't modify pt_regs. ++ */ ++ SWAPGS ++ jmp restore_c_regs_and_iret ++ ++.Lnmi_from_kernel: ++ /* ++ * Here's what our stack frame will look like: ++ * +---------------------------------------------------------+ ++ * | original SS | ++ * | original Return RSP | ++ * | original RFLAGS | ++ * | original CS | ++ * | original RIP | ++ * +---------------------------------------------------------+ ++ * | temp storage for rdx | ++ * +---------------------------------------------------------+ ++ * | "NMI executing" variable | ++ * +---------------------------------------------------------+ ++ * | iret SS } Copied from "outermost" frame | ++ * | iret Return RSP } on each loop iteration; overwritten | ++ * | iret RFLAGS } by a nested NMI to force another | ++ * | iret CS } iteration if needed. | ++ * | iret RIP } | ++ * +---------------------------------------------------------+ ++ * | outermost SS } initialized in first_nmi; | ++ * | outermost Return RSP } will not be changed before | ++ * | outermost RFLAGS } NMI processing is done. | ++ * | outermost CS } Copied to "iret" frame on each | ++ * | outermost RIP } iteration. | ++ * +---------------------------------------------------------+ ++ * | pt_regs | ++ * +---------------------------------------------------------+ ++ * ++ * The "original" frame is used by hardware. Before re-enabling ++ * NMIs, we need to be done with it, and we need to leave enough ++ * space for the asm code here. ++ * ++ * We return by executing IRET while RSP points to the "iret" frame. ++ * That will either return for real or it will loop back into NMI ++ * processing. ++ * ++ * The "outermost" frame is copied to the "iret" frame on each ++ * iteration of the loop, so each iteration starts with the "iret" ++ * frame pointing to the final return target. ++ */ ++ ++ /* ++ * Determine whether we're a nested NMI. ++ * ++ * If we interrupted kernel code between repeat_nmi and ++ * end_repeat_nmi, then we are a nested NMI. We must not ++ * modify the "iret" frame because it's being written by ++ * the outer NMI. That's okay; the outer NMI handler is ++ * about to about to call do_nmi anyway, so we can just ++ * resume the outer NMI. ++ */ ++ ++ movq $repeat_nmi, %rdx ++ cmpq 8(%rsp), %rdx ++ ja 1f ++ movq $end_repeat_nmi, %rdx ++ cmpq 8(%rsp), %rdx ++ ja nested_nmi_out ++1: ++ ++ /* ++ * Now check "NMI executing". If it's set, then we're nested. ++ * This will not detect if we interrupted an outer NMI just ++ * before IRET. + */ + cmpl $1, -8(%rsp) + je nested_nmi + + /* +- * Now test if the previous stack was an NMI stack. +- * We need the double check. We check the NMI stack to satisfy the +- * race when the first NMI clears the variable before returning. +- * We check the variable because the first NMI could be in a +- * breakpoint routine using a breakpoint stack. ++ * Now test if the previous stack was an NMI stack. This covers ++ * the case where we interrupt an outer NMI after it clears ++ * "NMI executing" but before IRET. We need to be careful, though: ++ * there is one case in which RSP could point to the NMI stack ++ * despite there being no NMI active: naughty userspace controls ++ * RSP at the very beginning of the SYSCALL targets. We can ++ * pull a fast one on naughty userspace, though: we program ++ * SYSCALL to mask DF, so userspace cannot cause DF to be set ++ * if it controls the kernel's RSP. We set DF before we clear ++ * "NMI executing". + */ + lea 6*8(%rsp), %rdx + /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */ +@@ -1462,25 +1580,21 @@ ENTRY(nmi) + cmpq %rdx, 4*8(%rsp) + /* If it is below the NMI stack, it is a normal NMI */ + jb first_nmi +- /* Ah, it is within the NMI stack, treat it as nested */ ++ ++ /* Ah, it is within the NMI stack. */ ++ ++ testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp) ++ jz first_nmi /* RSP was user controlled. */ ++ ++ /* This is a nested NMI. */ + + CFI_REMEMBER_STATE + + nested_nmi: + /* +- * Do nothing if we interrupted the fixup in repeat_nmi. +- * It's about to repeat the NMI handler, so we are fine +- * with ignoring this one. ++ * Modify the "iret" frame to point to repeat_nmi, forcing another ++ * iteration of NMI handling. + */ +- movq $repeat_nmi, %rdx +- cmpq 8(%rsp), %rdx +- ja 1f +- movq $end_repeat_nmi, %rdx +- cmpq 8(%rsp), %rdx +- ja nested_nmi_out +- +-1: +- /* Set up the interrupted NMIs stack to jump to repeat_nmi */ + leaq -1*8(%rsp), %rdx + movq %rdx, %rsp + CFI_ADJUST_CFA_OFFSET 1*8 +@@ -1499,60 +1613,23 @@ nested_nmi_out: + popq_cfi %rdx + CFI_RESTORE rdx + +- /* No need to check faults here */ ++ /* We are returning to kernel mode, so this cannot result in a fault. */ + INTERRUPT_RETURN + + CFI_RESTORE_STATE + first_nmi: +- /* +- * Because nested NMIs will use the pushed location that we +- * stored in rdx, we must keep that space available. +- * Here's what our stack frame will look like: +- * +-------------------------+ +- * | original SS | +- * | original Return RSP | +- * | original RFLAGS | +- * | original CS | +- * | original RIP | +- * +-------------------------+ +- * | temp storage for rdx | +- * +-------------------------+ +- * | NMI executing variable | +- * +-------------------------+ +- * | copied SS | +- * | copied Return RSP | +- * | copied RFLAGS | +- * | copied CS | +- * | copied RIP | +- * +-------------------------+ +- * | Saved SS | +- * | Saved Return RSP | +- * | Saved RFLAGS | +- * | Saved CS | +- * | Saved RIP | +- * +-------------------------+ +- * | pt_regs | +- * +-------------------------+ +- * +- * The saved stack frame is used to fix up the copied stack frame +- * that a nested NMI may change to make the interrupted NMI iret jump +- * to the repeat_nmi. The original stack frame and the temp storage +- * is also used by nested NMIs and can not be trusted on exit. +- */ +- /* Do not pop rdx, nested NMIs will corrupt that part of the stack */ ++ /* Restore rdx. */ + movq (%rsp), %rdx + CFI_RESTORE rdx + +- /* Set the NMI executing variable on the stack. */ ++ /* Set "NMI executing" on the stack. */ + pushq_cfi $1 + +- /* +- * Leave room for the "copied" frame +- */ ++ /* Leave room for the "iret" frame */ + subq $(5*8), %rsp + CFI_ADJUST_CFA_OFFSET 5*8 + +- /* Copy the stack frame to the Saved frame */ ++ /* Copy the "original" frame to the "outermost" frame */ + .rept 5 + pushq_cfi 11*8(%rsp) + .endr +@@ -1560,6 +1637,7 @@ first_nmi: + + /* Everything up to here is safe from nested NMIs */ + ++repeat_nmi: + /* + * If there was a nested NMI, the first NMI's iret will return + * here. But NMIs are still enabled and we can take another +@@ -1568,16 +1646,21 @@ first_nmi: + * it will just return, as we are about to repeat an NMI anyway. + * This makes it safe to copy to the stack frame that a nested + * NMI will update. +- */ +-repeat_nmi: +- /* +- * Update the stack variable to say we are still in NMI (the update +- * is benign for the non-repeat case, where 1 was pushed just above +- * to this very stack slot). ++ * ++ * RSP is pointing to "outermost RIP". gsbase is unknown, but, if ++ * we're repeating an NMI, gsbase has the same value that it had on ++ * the first iteration. paranoid_entry will load the kernel ++ * gsbase if needed before we call do_nmi. ++ * ++ * Set "NMI executing" in case we came back here via IRET. + */ + movq $1, 10*8(%rsp) + +- /* Make another copy, this one may be modified by nested NMIs */ ++ /* ++ * Copy the "outermost" frame to the "iret" frame. NMIs that nest ++ * here must not modify the "iret" frame while we're writing to ++ * it or it will end up containing garbage. ++ */ + addq $(10*8), %rsp + CFI_ADJUST_CFA_OFFSET -10*8 + .rept 5 +@@ -1588,9 +1671,9 @@ repeat_nmi: + end_repeat_nmi: + + /* +- * Everything below this point can be preempted by a nested +- * NMI if the first NMI took an exception and reset our iret stack +- * so that we repeat another NMI. ++ * Everything below this point can be preempted by a nested NMI. ++ * If this happens, then the inner NMI will change the "iret" ++ * frame to point back to repeat_nmi. + */ + pushq_cfi $-1 /* ORIG_RAX: no syscall to restart */ + ALLOC_PT_GPREGS_ON_STACK +@@ -1605,29 +1688,11 @@ end_repeat_nmi: + call paranoid_entry + DEFAULT_FRAME 0 + +- /* +- * Save off the CR2 register. If we take a page fault in the NMI then +- * it could corrupt the CR2 value. If the NMI preempts a page fault +- * handler before it was able to read the CR2 register, and then the +- * NMI itself takes a page fault, the page fault that was preempted +- * will read the information from the NMI page fault and not the +- * origin fault. Save it off and restore it if it changes. +- * Use the r12 callee-saved register. +- */ +- movq %cr2, %r12 +- + /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ + movq %rsp,%rdi + movq $-1,%rsi + call do_nmi + +- /* Did the NMI take a page fault? Restore cr2 if it did */ +- movq %cr2, %rcx +- cmpq %rcx, %r12 +- je 1f +- movq %r12, %cr2 +-1: +- + testl %ebx,%ebx /* swapgs needed? */ + jnz nmi_restore + nmi_swapgs: +@@ -1635,12 +1700,27 @@ nmi_swapgs: + nmi_restore: + RESTORE_EXTRA_REGS + RESTORE_C_REGS +- /* Pop the extra iret frame at once */ ++ ++ /* Point RSP at the "iret" frame. */ + REMOVE_PT_GPREGS_FROM_STACK 6*8 + +- /* Clear the NMI executing stack variable */ +- movq $0, 5*8(%rsp) +- jmp irq_return ++ /* ++ * Clear "NMI executing". Set DF first so that we can easily ++ * distinguish the remaining code between here and IRET from ++ * the SYSCALL entry and exit paths. On a native kernel, we ++ * could just inspect RIP, but, on paravirt kernels, ++ * INTERRUPT_RETURN can translate into a jump into a ++ * hypercall page. ++ */ ++ std ++ movq $0, 5*8(%rsp) /* clear "NMI executing" */ ++ ++ /* ++ * INTERRUPT_RETURN reads the "iret" frame and exits the NMI ++ * stack in a single instruction. We are returning to kernel ++ * mode, so this cannot result in a fault. ++ */ ++ INTERRUPT_RETURN + CFI_ENDPROC + END(nmi) + +diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c +index c3e985d..d05bd2e 100644 +--- a/arch/x86/kernel/nmi.c ++++ b/arch/x86/kernel/nmi.c +@@ -408,15 +408,15 @@ static void default_do_nmi(struct pt_regs *regs) + NOKPROBE_SYMBOL(default_do_nmi); + + /* +- * NMIs can hit breakpoints which will cause it to lose its +- * NMI context with the CPU when the breakpoint does an iret. +- */ +-#ifdef CONFIG_X86_32 +-/* +- * For i386, NMIs use the same stack as the kernel, and we can +- * add a workaround to the iret problem in C (preventing nested +- * NMIs if an NMI takes a trap). Simply have 3 states the NMI +- * can be in: ++ * NMIs can page fault or hit breakpoints which will cause it to lose ++ * its NMI context with the CPU when the breakpoint or page fault does an IRET. ++ * ++ * As a result, NMIs can nest if NMIs get unmasked due an IRET during ++ * NMI processing. On x86_64, the asm glue protects us from nested NMIs ++ * if the outer NMI came from kernel mode, but we can still nest if the ++ * outer NMI came from user mode. ++ * ++ * To handle these nested NMIs, we have three states: + * + * 1) not running + * 2) executing +@@ -430,15 +430,14 @@ NOKPROBE_SYMBOL(default_do_nmi); + * (Note, the latch is binary, thus multiple NMIs triggering, + * when one is running, are ignored. Only one NMI is restarted.) + * +- * If an NMI hits a breakpoint that executes an iret, another +- * NMI can preempt it. We do not want to allow this new NMI +- * to run, but we want to execute it when the first one finishes. +- * We set the state to "latched", and the exit of the first NMI will +- * perform a dec_return, if the result is zero (NOT_RUNNING), then +- * it will simply exit the NMI handler. If not, the dec_return +- * would have set the state to NMI_EXECUTING (what we want it to +- * be when we are running). In this case, we simply jump back +- * to rerun the NMI handler again, and restart the 'latched' NMI. ++ * If an NMI executes an iret, another NMI can preempt it. We do not ++ * want to allow this new NMI to run, but we want to execute it when the ++ * first one finishes. We set the state to "latched", and the exit of ++ * the first NMI will perform a dec_return, if the result is zero ++ * (NOT_RUNNING), then it will simply exit the NMI handler. If not, the ++ * dec_return would have set the state to NMI_EXECUTING (what we want it ++ * to be when we are running). In this case, we simply jump back to ++ * rerun the NMI handler again, and restart the 'latched' NMI. + * + * No trap (breakpoint or page fault) should be hit before nmi_restart, + * thus there is no race between the first check of state for NOT_RUNNING +@@ -461,49 +460,36 @@ enum nmi_states { + static DEFINE_PER_CPU(enum nmi_states, nmi_state); + static DEFINE_PER_CPU(unsigned long, nmi_cr2); + +-#define nmi_nesting_preprocess(regs) \ +- do { \ +- if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) { \ +- this_cpu_write(nmi_state, NMI_LATCHED); \ +- return; \ +- } \ +- this_cpu_write(nmi_state, NMI_EXECUTING); \ +- this_cpu_write(nmi_cr2, read_cr2()); \ +- } while (0); \ +- nmi_restart: +- +-#define nmi_nesting_postprocess() \ +- do { \ +- if (unlikely(this_cpu_read(nmi_cr2) != read_cr2())) \ +- write_cr2(this_cpu_read(nmi_cr2)); \ +- if (this_cpu_dec_return(nmi_state)) \ +- goto nmi_restart; \ +- } while (0) +-#else /* x86_64 */ ++#ifdef CONFIG_X86_64 + /* +- * In x86_64 things are a bit more difficult. This has the same problem +- * where an NMI hitting a breakpoint that calls iret will remove the +- * NMI context, allowing a nested NMI to enter. What makes this more +- * difficult is that both NMIs and breakpoints have their own stack. +- * When a new NMI or breakpoint is executed, the stack is set to a fixed +- * point. If an NMI is nested, it will have its stack set at that same +- * fixed address that the first NMI had, and will start corrupting the +- * stack. This is handled in entry_64.S, but the same problem exists with +- * the breakpoint stack. ++ * In x86_64, we need to handle breakpoint -> NMI -> breakpoint. Without ++ * some care, the inner breakpoint will clobber the outer breakpoint's ++ * stack. + * +- * If a breakpoint is being processed, and the debug stack is being used, +- * if an NMI comes in and also hits a breakpoint, the stack pointer +- * will be set to the same fixed address as the breakpoint that was +- * interrupted, causing that stack to be corrupted. To handle this case, +- * check if the stack that was interrupted is the debug stack, and if +- * so, change the IDT so that new breakpoints will use the current stack +- * and not switch to the fixed address. On return of the NMI, switch back +- * to the original IDT. ++ * If a breakpoint is being processed, and the debug stack is being ++ * used, if an NMI comes in and also hits a breakpoint, the stack ++ * pointer will be set to the same fixed address as the breakpoint that ++ * was interrupted, causing that stack to be corrupted. To handle this ++ * case, check if the stack that was interrupted is the debug stack, and ++ * if so, change the IDT so that new breakpoints will use the current ++ * stack and not switch to the fixed address. On return of the NMI, ++ * switch back to the original IDT. + */ + static DEFINE_PER_CPU(int, update_debug_stack); ++#endif + +-static inline void nmi_nesting_preprocess(struct pt_regs *regs) ++dotraplinkage notrace void ++do_nmi(struct pt_regs *regs, long error_code) + { ++ if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) { ++ this_cpu_write(nmi_state, NMI_LATCHED); ++ return; ++ } ++ this_cpu_write(nmi_state, NMI_EXECUTING); ++ this_cpu_write(nmi_cr2, read_cr2()); ++nmi_restart: ++ ++#ifdef CONFIG_X86_64 + /* + * If we interrupted a breakpoint, it is possible that + * the nmi handler will have breakpoints too. We need to +@@ -514,22 +500,8 @@ static inline void nmi_nesting_preprocess(struct pt_regs *regs) + debug_stack_set_zero(); + this_cpu_write(update_debug_stack, 1); + } +-} +- +-static inline void nmi_nesting_postprocess(void) +-{ +- if (unlikely(this_cpu_read(update_debug_stack))) { +- debug_stack_reset(); +- this_cpu_write(update_debug_stack, 0); +- } +-} + #endif + +-dotraplinkage notrace void +-do_nmi(struct pt_regs *regs, long error_code) +-{ +- nmi_nesting_preprocess(regs); +- + nmi_enter(); + + inc_irq_stat(__nmi_count); +@@ -539,8 +511,17 @@ do_nmi(struct pt_regs *regs, long error_code) + + nmi_exit(); + +- /* On i386, may loop back to preprocess */ +- nmi_nesting_postprocess(); ++#ifdef CONFIG_X86_64 ++ if (unlikely(this_cpu_read(update_debug_stack))) { ++ debug_stack_reset(); ++ this_cpu_write(update_debug_stack, 0); ++ } ++#endif ++ ++ if (unlikely(this_cpu_read(nmi_cr2) != read_cr2())) ++ write_cr2(this_cpu_read(nmi_cr2)); ++ if (this_cpu_dec_return(nmi_state)) ++ goto nmi_restart; + } + NOKPROBE_SYMBOL(do_nmi); + +diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h +index 9d28383..c4ea87e 100644 +--- a/arch/x86/kvm/lapic.h ++++ b/arch/x86/kvm/lapic.h +@@ -150,7 +150,7 @@ static inline bool kvm_apic_vid_enabled(struct kvm *kvm) + + static inline bool kvm_apic_has_events(struct kvm_vcpu *vcpu) + { +- return vcpu->arch.apic->pending_events; ++ return kvm_vcpu_has_lapic(vcpu) && vcpu->arch.apic->pending_events; + } + + bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector); +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index 46957ea..a671e83 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -483,6 +483,7 @@ static void set_aliased_prot(void *v, pgprot_t prot) + pte_t pte; + unsigned long pfn; + struct page *page; ++ unsigned char dummy; + + ptep = lookup_address((unsigned long)v, &level); + BUG_ON(ptep == NULL); +@@ -492,6 +493,32 @@ static void set_aliased_prot(void *v, pgprot_t prot) + + pte = pfn_pte(pfn, prot); + ++ /* ++ * Careful: update_va_mapping() will fail if the virtual address ++ * we're poking isn't populated in the page tables. We don't ++ * need to worry about the direct map (that's always in the page ++ * tables), but we need to be careful about vmap space. In ++ * particular, the top level page table can lazily propagate ++ * entries between processes, so if we've switched mms since we ++ * vmapped the target in the first place, we might not have the ++ * top-level page table entry populated. ++ * ++ * We disable preemption because we want the same mm active when ++ * we probe the target and when we issue the hypercall. We'll ++ * have the same nominal mm, but if we're a kernel thread, lazy ++ * mm dropping could change our pgd. ++ * ++ * Out of an abundance of caution, this uses __get_user() to fault ++ * in the target address just in case there's some obscure case ++ * in which the target address isn't readable. ++ */ ++ ++ preempt_disable(); ++ ++ pagefault_disable(); /* Avoid warnings due to being atomic. */ ++ __get_user(dummy, (unsigned char __user __force *)v); ++ pagefault_enable(); ++ + if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0)) + BUG(); + +@@ -503,6 +530,8 @@ static void set_aliased_prot(void *v, pgprot_t prot) + BUG(); + } else + kmap_flush_unused(); ++ ++ preempt_enable(); + } + + static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) +@@ -510,6 +539,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) + const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE; + int i; + ++ /* ++ * We need to mark the all aliases of the LDT pages RO. We ++ * don't need to call vm_flush_aliases(), though, since that's ++ * only responsible for flushing aliases out the TLBs, not the ++ * page tables, and Xen will flush the TLB for us if needed. ++ * ++ * To avoid confusing future readers: none of this is necessary ++ * to load the LDT. The hypervisor only checks this when the ++ * LDT is faulted in due to subsequent descriptor access. ++ */ ++ + for(i = 0; i < entries; i += entries_per_page) + set_aliased_prot(ldt + i, PAGE_KERNEL_RO); + } +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index 53f2535..010ce0b 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -522,6 +522,7 @@ void rbd_warn(struct rbd_device *rbd_dev, const char *fmt, ...) + # define rbd_assert(expr) ((void) 0) + #endif /* !RBD_DEBUG */ + ++static void rbd_osd_copyup_callback(struct rbd_obj_request *obj_request); + static int rbd_img_obj_request_submit(struct rbd_obj_request *obj_request); + static void rbd_img_parent_read(struct rbd_obj_request *obj_request); + static void rbd_dev_remove_parent(struct rbd_device *rbd_dev); +@@ -1797,6 +1798,16 @@ static void rbd_osd_stat_callback(struct rbd_obj_request *obj_request) + obj_request_done_set(obj_request); + } + ++static void rbd_osd_call_callback(struct rbd_obj_request *obj_request) ++{ ++ dout("%s: obj %p\n", __func__, obj_request); ++ ++ if (obj_request_img_data_test(obj_request)) ++ rbd_osd_copyup_callback(obj_request); ++ else ++ obj_request_done_set(obj_request); ++} ++ + static void rbd_osd_req_callback(struct ceph_osd_request *osd_req, + struct ceph_msg *msg) + { +@@ -1845,6 +1856,8 @@ static void rbd_osd_req_callback(struct ceph_osd_request *osd_req, + rbd_osd_discard_callback(obj_request); + break; + case CEPH_OSD_OP_CALL: ++ rbd_osd_call_callback(obj_request); ++ break; + case CEPH_OSD_OP_NOTIFY_ACK: + case CEPH_OSD_OP_WATCH: + rbd_osd_trivial_callback(obj_request); +@@ -2509,13 +2522,15 @@ out_unwind: + } + + static void +-rbd_img_obj_copyup_callback(struct rbd_obj_request *obj_request) ++rbd_osd_copyup_callback(struct rbd_obj_request *obj_request) + { + struct rbd_img_request *img_request; + struct rbd_device *rbd_dev; + struct page **pages; + u32 page_count; + ++ dout("%s: obj %p\n", __func__, obj_request); ++ + rbd_assert(obj_request->type == OBJ_REQUEST_BIO || + obj_request->type == OBJ_REQUEST_NODATA); + rbd_assert(obj_request_img_data_test(obj_request)); +@@ -2542,9 +2557,7 @@ rbd_img_obj_copyup_callback(struct rbd_obj_request *obj_request) + if (!obj_request->result) + obj_request->xferred = obj_request->length; + +- /* Finish up with the normal image object callback */ +- +- rbd_img_obj_callback(obj_request); ++ obj_request_done_set(obj_request); + } + + static void +@@ -2629,7 +2642,6 @@ rbd_img_obj_parent_read_full_callback(struct rbd_img_request *img_request) + + /* All set, send it off. */ + +- orig_request->callback = rbd_img_obj_copyup_callback; + osdc = &rbd_dev->rbd_client->client->osdc; + img_result = rbd_obj_request_submit(osdc, orig_request); + if (!img_result) +diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c +index da8faf7..5643b65 100644 +--- a/drivers/char/hw_random/core.c ++++ b/drivers/char/hw_random/core.c +@@ -429,7 +429,7 @@ static int hwrng_fillfn(void *unused) + static void start_khwrngd(void) + { + hwrng_fill = kthread_run(hwrng_fillfn, NULL, "hwrng"); +- if (hwrng_fill == ERR_PTR(-ENOMEM)) { ++ if (IS_ERR(hwrng_fill)) { + pr_err("hwrng_fill thread creation failed"); + hwrng_fill = NULL; + } +diff --git a/drivers/char/i8k.c b/drivers/char/i8k.c +index a43048b..3c1a123 100644 +--- a/drivers/char/i8k.c ++++ b/drivers/char/i8k.c +@@ -900,6 +900,21 @@ static struct dmi_system_id i8k_dmi_table[] __initdata = { + + MODULE_DEVICE_TABLE(dmi, i8k_dmi_table); + ++static struct dmi_system_id i8k_blacklist_dmi_table[] __initdata = { ++ { ++ /* ++ * CPU fan speed going up and down on Dell Studio XPS 8100 ++ * for unknown reasons. ++ */ ++ .ident = "Dell Studio XPS 8100", ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Studio XPS 8100"), ++ }, ++ }, ++ { } ++}; ++ + /* + * Probe for the presence of a supported laptop. + */ +@@ -911,7 +926,8 @@ static int __init i8k_probe(void) + /* + * Get DMI information + */ +- if (!dmi_check_system(i8k_dmi_table)) { ++ if (!dmi_check_system(i8k_dmi_table) || ++ dmi_check_system(i8k_blacklist_dmi_table)) { + if (!ignore_dmi && !force) + return -ENODEV; + +diff --git a/drivers/clk/keystone/pll.c b/drivers/clk/keystone/pll.c +index 0dd8a4b..4a375ea 100644 +--- a/drivers/clk/keystone/pll.c ++++ b/drivers/clk/keystone/pll.c +@@ -37,7 +37,8 @@ + * Main PLL or any other PLLs in the device such as ARM PLL, DDR PLL + * or PA PLL available on keystone2. These PLLs are controlled by + * this register. Main PLL is controlled by a PLL controller. +- * @pllm: PLL register map address ++ * @pllm: PLL register map address for multiplier bits ++ * @pllod: PLL register map address for post divider bits + * @pll_ctl0: PLL controller map address + * @pllm_lower_mask: multiplier lower mask + * @pllm_upper_mask: multiplier upper mask +@@ -53,6 +54,7 @@ struct clk_pll_data { + u32 phy_pllm; + u32 phy_pll_ctl0; + void __iomem *pllm; ++ void __iomem *pllod; + void __iomem *pll_ctl0; + u32 pllm_lower_mask; + u32 pllm_upper_mask; +@@ -102,7 +104,11 @@ static unsigned long clk_pllclk_recalc(struct clk_hw *hw, + /* read post divider from od bits*/ + postdiv = ((val & pll_data->clkod_mask) >> + pll_data->clkod_shift) + 1; +- else ++ else if (pll_data->pllod) { ++ postdiv = readl(pll_data->pllod); ++ postdiv = ((postdiv & pll_data->clkod_mask) >> ++ pll_data->clkod_shift) + 1; ++ } else + postdiv = pll_data->postdiv; + + rate /= (prediv + 1); +@@ -172,12 +178,21 @@ static void __init _of_pll_clk_init(struct device_node *node, bool pllctrl) + /* assume the PLL has output divider register bits */ + pll_data->clkod_mask = CLKOD_MASK; + pll_data->clkod_shift = CLKOD_SHIFT; ++ ++ /* ++ * Check if there is an post-divider register. If not ++ * assume od bits are part of control register. ++ */ ++ i = of_property_match_string(node, "reg-names", ++ "post-divider"); ++ pll_data->pllod = of_iomap(node, i); + } + + i = of_property_match_string(node, "reg-names", "control"); + pll_data->pll_ctl0 = of_iomap(node, i); + if (!pll_data->pll_ctl0) { + pr_err("%s: ioremap failed\n", __func__); ++ iounmap(pll_data->pllod); + goto out; + } + +@@ -193,6 +208,7 @@ static void __init _of_pll_clk_init(struct device_node *node, bool pllctrl) + pll_data->pllm = of_iomap(node, i); + if (!pll_data->pllm) { + iounmap(pll_data->pll_ctl0); ++ iounmap(pll_data->pllod); + goto out; + } + } +diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c +index 48f4535..ede9e9e3 100644 +--- a/drivers/crypto/ixp4xx_crypto.c ++++ b/drivers/crypto/ixp4xx_crypto.c +@@ -904,7 +904,6 @@ static int ablk_perform(struct ablkcipher_request *req, int encrypt) + crypt->mode |= NPE_OP_NOT_IN_PLACE; + /* This was never tested by Intel + * for more than one dst buffer, I think. */ +- BUG_ON(req->dst->length < nbytes); + req_ctx->dst = NULL; + if (!chainup_buffers(dev, req->dst, nbytes, &dst_hook, + flags, DMA_FROM_DEVICE)) +diff --git a/drivers/crypto/nx/nx-aes-ccm.c b/drivers/crypto/nx/nx-aes-ccm.c +index 67f8081..e4311ce 100644 +--- a/drivers/crypto/nx/nx-aes-ccm.c ++++ b/drivers/crypto/nx/nx-aes-ccm.c +@@ -494,8 +494,9 @@ out: + static int ccm4309_aes_nx_encrypt(struct aead_request *req) + { + struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm); ++ struct nx_gcm_rctx *rctx = aead_request_ctx(req); + struct blkcipher_desc desc; +- u8 *iv = nx_ctx->priv.ccm.iv; ++ u8 *iv = rctx->iv; + + iv[0] = 3; + memcpy(iv + 1, nx_ctx->priv.ccm.nonce, 3); +@@ -525,8 +526,9 @@ static int ccm_aes_nx_encrypt(struct aead_request *req) + static int ccm4309_aes_nx_decrypt(struct aead_request *req) + { + struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm); ++ struct nx_gcm_rctx *rctx = aead_request_ctx(req); + struct blkcipher_desc desc; +- u8 *iv = nx_ctx->priv.ccm.iv; ++ u8 *iv = rctx->iv; + + iv[0] = 3; + memcpy(iv + 1, nx_ctx->priv.ccm.nonce, 3); +diff --git a/drivers/crypto/nx/nx-aes-ctr.c b/drivers/crypto/nx/nx-aes-ctr.c +index 2617cd4..dd7e9f3 100644 +--- a/drivers/crypto/nx/nx-aes-ctr.c ++++ b/drivers/crypto/nx/nx-aes-ctr.c +@@ -72,7 +72,7 @@ static int ctr3686_aes_nx_set_key(struct crypto_tfm *tfm, + if (key_len < CTR_RFC3686_NONCE_SIZE) + return -EINVAL; + +- memcpy(nx_ctx->priv.ctr.iv, ++ memcpy(nx_ctx->priv.ctr.nonce, + in_key + key_len - CTR_RFC3686_NONCE_SIZE, + CTR_RFC3686_NONCE_SIZE); + +@@ -131,14 +131,15 @@ static int ctr3686_aes_nx_crypt(struct blkcipher_desc *desc, + unsigned int nbytes) + { + struct nx_crypto_ctx *nx_ctx = crypto_blkcipher_ctx(desc->tfm); +- u8 *iv = nx_ctx->priv.ctr.iv; ++ u8 iv[16]; + ++ memcpy(iv, nx_ctx->priv.ctr.nonce, CTR_RFC3686_IV_SIZE); + memcpy(iv + CTR_RFC3686_NONCE_SIZE, + desc->info, CTR_RFC3686_IV_SIZE); + iv[12] = iv[13] = iv[14] = 0; + iv[15] = 1; + +- desc->info = nx_ctx->priv.ctr.iv; ++ desc->info = iv; + + return ctr_aes_nx_crypt(desc, dst, src, nbytes); + } +diff --git a/drivers/crypto/nx/nx-aes-gcm.c b/drivers/crypto/nx/nx-aes-gcm.c +index 88c5624..c6ebeb6 100644 +--- a/drivers/crypto/nx/nx-aes-gcm.c ++++ b/drivers/crypto/nx/nx-aes-gcm.c +@@ -330,6 +330,7 @@ out: + static int gcm_aes_nx_crypt(struct aead_request *req, int enc) + { + struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm); ++ struct nx_gcm_rctx *rctx = aead_request_ctx(req); + struct nx_csbcpb *csbcpb = nx_ctx->csbcpb; + struct blkcipher_desc desc; + unsigned int nbytes = req->cryptlen; +@@ -339,7 +340,7 @@ static int gcm_aes_nx_crypt(struct aead_request *req, int enc) + + spin_lock_irqsave(&nx_ctx->lock, irq_flags); + +- desc.info = nx_ctx->priv.gcm.iv; ++ desc.info = rctx->iv; + /* initialize the counter */ + *(u32 *)(desc.info + NX_GCM_CTR_OFFSET) = 1; + +@@ -434,8 +435,8 @@ out: + + static int gcm_aes_nx_encrypt(struct aead_request *req) + { +- struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm); +- char *iv = nx_ctx->priv.gcm.iv; ++ struct nx_gcm_rctx *rctx = aead_request_ctx(req); ++ char *iv = rctx->iv; + + memcpy(iv, req->iv, 12); + +@@ -444,8 +445,8 @@ static int gcm_aes_nx_encrypt(struct aead_request *req) + + static int gcm_aes_nx_decrypt(struct aead_request *req) + { +- struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm); +- char *iv = nx_ctx->priv.gcm.iv; ++ struct nx_gcm_rctx *rctx = aead_request_ctx(req); ++ char *iv = rctx->iv; + + memcpy(iv, req->iv, 12); + +@@ -455,7 +456,8 @@ static int gcm_aes_nx_decrypt(struct aead_request *req) + static int gcm4106_aes_nx_encrypt(struct aead_request *req) + { + struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm); +- char *iv = nx_ctx->priv.gcm.iv; ++ struct nx_gcm_rctx *rctx = aead_request_ctx(req); ++ char *iv = rctx->iv; + char *nonce = nx_ctx->priv.gcm.nonce; + + memcpy(iv, nonce, NX_GCM4106_NONCE_LEN); +@@ -467,7 +469,8 @@ static int gcm4106_aes_nx_encrypt(struct aead_request *req) + static int gcm4106_aes_nx_decrypt(struct aead_request *req) + { + struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm); +- char *iv = nx_ctx->priv.gcm.iv; ++ struct nx_gcm_rctx *rctx = aead_request_ctx(req); ++ char *iv = rctx->iv; + char *nonce = nx_ctx->priv.gcm.nonce; + + memcpy(iv, nonce, NX_GCM4106_NONCE_LEN); +diff --git a/drivers/crypto/nx/nx-aes-xcbc.c b/drivers/crypto/nx/nx-aes-xcbc.c +index 8c2faff..c2f7d4b 100644 +--- a/drivers/crypto/nx/nx-aes-xcbc.c ++++ b/drivers/crypto/nx/nx-aes-xcbc.c +@@ -42,6 +42,7 @@ static int nx_xcbc_set_key(struct crypto_shash *desc, + unsigned int key_len) + { + struct nx_crypto_ctx *nx_ctx = crypto_shash_ctx(desc); ++ struct nx_csbcpb *csbcpb = nx_ctx->csbcpb; + + switch (key_len) { + case AES_KEYSIZE_128: +@@ -51,7 +52,7 @@ static int nx_xcbc_set_key(struct crypto_shash *desc, + return -EINVAL; + } + +- memcpy(nx_ctx->priv.xcbc.key, in_key, key_len); ++ memcpy(csbcpb->cpb.aes_xcbc.key, in_key, key_len); + + return 0; + } +@@ -148,32 +149,29 @@ out: + return rc; + } + +-static int nx_xcbc_init(struct shash_desc *desc) ++static int nx_crypto_ctx_aes_xcbc_init2(struct crypto_tfm *tfm) + { +- struct xcbc_state *sctx = shash_desc_ctx(desc); +- struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base); ++ struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(tfm); + struct nx_csbcpb *csbcpb = nx_ctx->csbcpb; +- struct nx_sg *out_sg; +- int len; ++ int err; + +- nx_ctx_init(nx_ctx, HCOP_FC_AES); ++ err = nx_crypto_ctx_aes_xcbc_init(tfm); ++ if (err) ++ return err; + +- memset(sctx, 0, sizeof *sctx); ++ nx_ctx_init(nx_ctx, HCOP_FC_AES); + + NX_CPB_SET_KEY_SIZE(csbcpb, NX_KS_AES_128); + csbcpb->cpb.hdr.mode = NX_MODE_AES_XCBC_MAC; + +- memcpy(csbcpb->cpb.aes_xcbc.key, nx_ctx->priv.xcbc.key, AES_BLOCK_SIZE); +- memset(nx_ctx->priv.xcbc.key, 0, sizeof *nx_ctx->priv.xcbc.key); +- +- len = AES_BLOCK_SIZE; +- out_sg = nx_build_sg_list(nx_ctx->out_sg, (u8 *)sctx->state, +- &len, nx_ctx->ap->sglen); ++ return 0; ++} + +- if (len != AES_BLOCK_SIZE) +- return -EINVAL; ++static int nx_xcbc_init(struct shash_desc *desc) ++{ ++ struct xcbc_state *sctx = shash_desc_ctx(desc); + +- nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg); ++ memset(sctx, 0, sizeof *sctx); + + return 0; + } +@@ -186,6 +184,7 @@ static int nx_xcbc_update(struct shash_desc *desc, + struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base); + struct nx_csbcpb *csbcpb = nx_ctx->csbcpb; + struct nx_sg *in_sg; ++ struct nx_sg *out_sg; + u32 to_process = 0, leftover, total; + unsigned int max_sg_len; + unsigned long irq_flags; +@@ -213,6 +212,17 @@ static int nx_xcbc_update(struct shash_desc *desc, + max_sg_len = min_t(u64, max_sg_len, + nx_ctx->ap->databytelen/NX_PAGE_SIZE); + ++ data_len = AES_BLOCK_SIZE; ++ out_sg = nx_build_sg_list(nx_ctx->out_sg, (u8 *)sctx->state, ++ &len, nx_ctx->ap->sglen); ++ ++ if (data_len != AES_BLOCK_SIZE) { ++ rc = -EINVAL; ++ goto out; ++ } ++ ++ nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg); ++ + do { + to_process = total - to_process; + to_process = to_process & ~(AES_BLOCK_SIZE - 1); +@@ -235,8 +245,10 @@ static int nx_xcbc_update(struct shash_desc *desc, + (u8 *) sctx->buffer, + &data_len, + max_sg_len); +- if (data_len != sctx->count) +- return -EINVAL; ++ if (data_len != sctx->count) { ++ rc = -EINVAL; ++ goto out; ++ } + } + + data_len = to_process - sctx->count; +@@ -245,8 +257,10 @@ static int nx_xcbc_update(struct shash_desc *desc, + &data_len, + max_sg_len); + +- if (data_len != to_process - sctx->count) +- return -EINVAL; ++ if (data_len != to_process - sctx->count) { ++ rc = -EINVAL; ++ goto out; ++ } + + nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * + sizeof(struct nx_sg); +@@ -325,15 +339,19 @@ static int nx_xcbc_final(struct shash_desc *desc, u8 *out) + in_sg = nx_build_sg_list(nx_ctx->in_sg, (u8 *)sctx->buffer, + &len, nx_ctx->ap->sglen); + +- if (len != sctx->count) +- return -EINVAL; ++ if (len != sctx->count) { ++ rc = -EINVAL; ++ goto out; ++ } + + len = AES_BLOCK_SIZE; + out_sg = nx_build_sg_list(nx_ctx->out_sg, out, &len, + nx_ctx->ap->sglen); + +- if (len != AES_BLOCK_SIZE) +- return -EINVAL; ++ if (len != AES_BLOCK_SIZE) { ++ rc = -EINVAL; ++ goto out; ++ } + + nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg); + nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg); +@@ -372,7 +390,7 @@ struct shash_alg nx_shash_aes_xcbc_alg = { + .cra_blocksize = AES_BLOCK_SIZE, + .cra_module = THIS_MODULE, + .cra_ctxsize = sizeof(struct nx_crypto_ctx), +- .cra_init = nx_crypto_ctx_aes_xcbc_init, ++ .cra_init = nx_crypto_ctx_aes_xcbc_init2, + .cra_exit = nx_crypto_ctx_exit, + } + }; +diff --git a/drivers/crypto/nx/nx-sha256.c b/drivers/crypto/nx/nx-sha256.c +index 23621da..08f8d5c 100644 +--- a/drivers/crypto/nx/nx-sha256.c ++++ b/drivers/crypto/nx/nx-sha256.c +@@ -29,30 +29,28 @@ + #include "nx.h" + + +-static int nx_sha256_init(struct shash_desc *desc) ++static int nx_crypto_ctx_sha256_init(struct crypto_tfm *tfm) + { +- struct sha256_state *sctx = shash_desc_ctx(desc); +- struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base); +- int len; +- int rc; ++ struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(tfm); ++ int err; + +- nx_ctx_init(nx_ctx, HCOP_FC_SHA); ++ err = nx_crypto_ctx_sha_init(tfm); ++ if (err) ++ return err; + +- memset(sctx, 0, sizeof *sctx); ++ nx_ctx_init(nx_ctx, HCOP_FC_SHA); + + nx_ctx->ap = &nx_ctx->props[NX_PROPS_SHA256]; + + NX_CPB_SET_DIGEST_SIZE(nx_ctx->csbcpb, NX_DS_SHA256); + +- len = SHA256_DIGEST_SIZE; +- rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->out_sg, +- &nx_ctx->op.outlen, +- &len, +- (u8 *) sctx->state, +- NX_DS_SHA256); ++ return 0; ++} + +- if (rc) +- goto out; ++static int nx_sha256_init(struct shash_desc *desc) { ++ struct sha256_state *sctx = shash_desc_ctx(desc); ++ ++ memset(sctx, 0, sizeof *sctx); + + sctx->state[0] = __cpu_to_be32(SHA256_H0); + sctx->state[1] = __cpu_to_be32(SHA256_H1); +@@ -64,7 +62,6 @@ static int nx_sha256_init(struct shash_desc *desc) + sctx->state[7] = __cpu_to_be32(SHA256_H7); + sctx->count = 0; + +-out: + return 0; + } + +@@ -74,10 +71,13 @@ static int nx_sha256_update(struct shash_desc *desc, const u8 *data, + struct sha256_state *sctx = shash_desc_ctx(desc); + struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base); + struct nx_csbcpb *csbcpb = (struct nx_csbcpb *)nx_ctx->csbcpb; ++ struct nx_sg *in_sg; ++ struct nx_sg *out_sg; + u64 to_process = 0, leftover, total; + unsigned long irq_flags; + int rc = 0; + int data_len; ++ u32 max_sg_len; + u64 buf_len = (sctx->count % SHA256_BLOCK_SIZE); + + spin_lock_irqsave(&nx_ctx->lock, irq_flags); +@@ -97,6 +97,22 @@ static int nx_sha256_update(struct shash_desc *desc, const u8 *data, + NX_CPB_FDM(csbcpb) |= NX_FDM_INTERMEDIATE; + NX_CPB_FDM(csbcpb) |= NX_FDM_CONTINUATION; + ++ in_sg = nx_ctx->in_sg; ++ max_sg_len = min_t(u64, nx_ctx->ap->sglen, ++ nx_driver.of.max_sg_len/sizeof(struct nx_sg)); ++ max_sg_len = min_t(u64, max_sg_len, ++ nx_ctx->ap->databytelen/NX_PAGE_SIZE); ++ ++ data_len = SHA256_DIGEST_SIZE; ++ out_sg = nx_build_sg_list(nx_ctx->out_sg, (u8 *)sctx->state, ++ &data_len, max_sg_len); ++ nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg); ++ ++ if (data_len != SHA256_DIGEST_SIZE) { ++ rc = -EINVAL; ++ goto out; ++ } ++ + do { + /* + * to_process: the SHA256_BLOCK_SIZE data chunk to process in +@@ -108,25 +124,22 @@ static int nx_sha256_update(struct shash_desc *desc, const u8 *data, + + if (buf_len) { + data_len = buf_len; +- rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->in_sg, +- &nx_ctx->op.inlen, +- &data_len, +- (u8 *) sctx->buf, +- NX_DS_SHA256); ++ in_sg = nx_build_sg_list(nx_ctx->in_sg, ++ (u8 *) sctx->buf, ++ &data_len, ++ max_sg_len); + +- if (rc || data_len != buf_len) ++ if (data_len != buf_len) { ++ rc = -EINVAL; + goto out; ++ } + } + + data_len = to_process - buf_len; +- rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->in_sg, +- &nx_ctx->op.inlen, +- &data_len, +- (u8 *) data, +- NX_DS_SHA256); ++ in_sg = nx_build_sg_list(in_sg, (u8 *) data, ++ &data_len, max_sg_len); + +- if (rc) +- goto out; ++ nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg); + + to_process = (data_len + buf_len); + leftover = total - to_process; +@@ -173,12 +186,19 @@ static int nx_sha256_final(struct shash_desc *desc, u8 *out) + struct sha256_state *sctx = shash_desc_ctx(desc); + struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base); + struct nx_csbcpb *csbcpb = (struct nx_csbcpb *)nx_ctx->csbcpb; ++ struct nx_sg *in_sg, *out_sg; + unsigned long irq_flags; +- int rc; ++ u32 max_sg_len; ++ int rc = 0; + int len; + + spin_lock_irqsave(&nx_ctx->lock, irq_flags); + ++ max_sg_len = min_t(u64, nx_ctx->ap->sglen, ++ nx_driver.of.max_sg_len/sizeof(struct nx_sg)); ++ max_sg_len = min_t(u64, max_sg_len, ++ nx_ctx->ap->databytelen/NX_PAGE_SIZE); ++ + /* final is represented by continuing the operation and indicating that + * this is not an intermediate operation */ + if (sctx->count >= SHA256_BLOCK_SIZE) { +@@ -195,25 +215,24 @@ static int nx_sha256_final(struct shash_desc *desc, u8 *out) + csbcpb->cpb.sha256.message_bit_length = (u64) (sctx->count * 8); + + len = sctx->count & (SHA256_BLOCK_SIZE - 1); +- rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->in_sg, +- &nx_ctx->op.inlen, +- &len, +- (u8 *) sctx->buf, +- NX_DS_SHA256); ++ in_sg = nx_build_sg_list(nx_ctx->in_sg, (u8 *) sctx->buf, ++ &len, max_sg_len); + +- if (rc || len != (sctx->count & (SHA256_BLOCK_SIZE - 1))) ++ if (len != (sctx->count & (SHA256_BLOCK_SIZE - 1))) { ++ rc = -EINVAL; + goto out; ++ } + + len = SHA256_DIGEST_SIZE; +- rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->out_sg, +- &nx_ctx->op.outlen, +- &len, +- out, +- NX_DS_SHA256); ++ out_sg = nx_build_sg_list(nx_ctx->out_sg, out, &len, max_sg_len); + +- if (rc || len != SHA256_DIGEST_SIZE) ++ if (len != SHA256_DIGEST_SIZE) { ++ rc = -EINVAL; + goto out; ++ } + ++ nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg); ++ nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg); + if (!nx_ctx->op.outlen) { + rc = -EINVAL; + goto out; +@@ -268,7 +287,7 @@ struct shash_alg nx_shash_sha256_alg = { + .cra_blocksize = SHA256_BLOCK_SIZE, + .cra_module = THIS_MODULE, + .cra_ctxsize = sizeof(struct nx_crypto_ctx), +- .cra_init = nx_crypto_ctx_sha_init, ++ .cra_init = nx_crypto_ctx_sha256_init, + .cra_exit = nx_crypto_ctx_exit, + } + }; +diff --git a/drivers/crypto/nx/nx-sha512.c b/drivers/crypto/nx/nx-sha512.c +index b3adf10..aff0fe5 100644 +--- a/drivers/crypto/nx/nx-sha512.c ++++ b/drivers/crypto/nx/nx-sha512.c +@@ -28,30 +28,29 @@ + #include "nx.h" + + +-static int nx_sha512_init(struct shash_desc *desc) ++static int nx_crypto_ctx_sha512_init(struct crypto_tfm *tfm) + { +- struct sha512_state *sctx = shash_desc_ctx(desc); +- struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base); +- int len; +- int rc; ++ struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(tfm); ++ int err; + +- nx_ctx_init(nx_ctx, HCOP_FC_SHA); ++ err = nx_crypto_ctx_sha_init(tfm); ++ if (err) ++ return err; + +- memset(sctx, 0, sizeof *sctx); ++ nx_ctx_init(nx_ctx, HCOP_FC_SHA); + + nx_ctx->ap = &nx_ctx->props[NX_PROPS_SHA512]; + + NX_CPB_SET_DIGEST_SIZE(nx_ctx->csbcpb, NX_DS_SHA512); + +- len = SHA512_DIGEST_SIZE; +- rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->out_sg, +- &nx_ctx->op.outlen, +- &len, +- (u8 *)sctx->state, +- NX_DS_SHA512); ++ return 0; ++} + +- if (rc || len != SHA512_DIGEST_SIZE) +- goto out; ++static int nx_sha512_init(struct shash_desc *desc) ++{ ++ struct sha512_state *sctx = shash_desc_ctx(desc); ++ ++ memset(sctx, 0, sizeof *sctx); + + sctx->state[0] = __cpu_to_be64(SHA512_H0); + sctx->state[1] = __cpu_to_be64(SHA512_H1); +@@ -63,7 +62,6 @@ static int nx_sha512_init(struct shash_desc *desc) + sctx->state[7] = __cpu_to_be64(SHA512_H7); + sctx->count[0] = 0; + +-out: + return 0; + } + +@@ -73,10 +71,13 @@ static int nx_sha512_update(struct shash_desc *desc, const u8 *data, + struct sha512_state *sctx = shash_desc_ctx(desc); + struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base); + struct nx_csbcpb *csbcpb = (struct nx_csbcpb *)nx_ctx->csbcpb; ++ struct nx_sg *in_sg; ++ struct nx_sg *out_sg; + u64 to_process, leftover = 0, total; + unsigned long irq_flags; + int rc = 0; + int data_len; ++ u32 max_sg_len; + u64 buf_len = (sctx->count[0] % SHA512_BLOCK_SIZE); + + spin_lock_irqsave(&nx_ctx->lock, irq_flags); +@@ -96,6 +97,22 @@ static int nx_sha512_update(struct shash_desc *desc, const u8 *data, + NX_CPB_FDM(csbcpb) |= NX_FDM_INTERMEDIATE; + NX_CPB_FDM(csbcpb) |= NX_FDM_CONTINUATION; + ++ in_sg = nx_ctx->in_sg; ++ max_sg_len = min_t(u64, nx_ctx->ap->sglen, ++ nx_driver.of.max_sg_len/sizeof(struct nx_sg)); ++ max_sg_len = min_t(u64, max_sg_len, ++ nx_ctx->ap->databytelen/NX_PAGE_SIZE); ++ ++ data_len = SHA512_DIGEST_SIZE; ++ out_sg = nx_build_sg_list(nx_ctx->out_sg, (u8 *)sctx->state, ++ &data_len, max_sg_len); ++ nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg); ++ ++ if (data_len != SHA512_DIGEST_SIZE) { ++ rc = -EINVAL; ++ goto out; ++ } ++ + do { + /* + * to_process: the SHA512_BLOCK_SIZE data chunk to process in +@@ -108,25 +125,26 @@ static int nx_sha512_update(struct shash_desc *desc, const u8 *data, + + if (buf_len) { + data_len = buf_len; +- rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->in_sg, +- &nx_ctx->op.inlen, +- &data_len, +- (u8 *) sctx->buf, +- NX_DS_SHA512); ++ in_sg = nx_build_sg_list(nx_ctx->in_sg, ++ (u8 *) sctx->buf, ++ &data_len, max_sg_len); + +- if (rc || data_len != buf_len) ++ if (data_len != buf_len) { ++ rc = -EINVAL; + goto out; ++ } + } + + data_len = to_process - buf_len; +- rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->in_sg, +- &nx_ctx->op.inlen, +- &data_len, +- (u8 *) data, +- NX_DS_SHA512); ++ in_sg = nx_build_sg_list(in_sg, (u8 *) data, ++ &data_len, max_sg_len); ++ ++ nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg); + +- if (rc || data_len != (to_process - buf_len)) ++ if (data_len != (to_process - buf_len)) { ++ rc = -EINVAL; + goto out; ++ } + + to_process = (data_len + buf_len); + leftover = total - to_process; +@@ -172,13 +190,20 @@ static int nx_sha512_final(struct shash_desc *desc, u8 *out) + struct sha512_state *sctx = shash_desc_ctx(desc); + struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base); + struct nx_csbcpb *csbcpb = (struct nx_csbcpb *)nx_ctx->csbcpb; ++ struct nx_sg *in_sg, *out_sg; ++ u32 max_sg_len; + u64 count0; + unsigned long irq_flags; +- int rc; ++ int rc = 0; + int len; + + spin_lock_irqsave(&nx_ctx->lock, irq_flags); + ++ max_sg_len = min_t(u64, nx_ctx->ap->sglen, ++ nx_driver.of.max_sg_len/sizeof(struct nx_sg)); ++ max_sg_len = min_t(u64, max_sg_len, ++ nx_ctx->ap->databytelen/NX_PAGE_SIZE); ++ + /* final is represented by continuing the operation and indicating that + * this is not an intermediate operation */ + if (sctx->count[0] >= SHA512_BLOCK_SIZE) { +@@ -200,24 +225,20 @@ static int nx_sha512_final(struct shash_desc *desc, u8 *out) + csbcpb->cpb.sha512.message_bit_length_lo = count0; + + len = sctx->count[0] & (SHA512_BLOCK_SIZE - 1); +- rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->in_sg, +- &nx_ctx->op.inlen, +- &len, +- (u8 *)sctx->buf, +- NX_DS_SHA512); ++ in_sg = nx_build_sg_list(nx_ctx->in_sg, sctx->buf, &len, ++ max_sg_len); + +- if (rc || len != (sctx->count[0] & (SHA512_BLOCK_SIZE - 1))) ++ if (len != (sctx->count[0] & (SHA512_BLOCK_SIZE - 1))) { ++ rc = -EINVAL; + goto out; ++ } + + len = SHA512_DIGEST_SIZE; +- rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->out_sg, +- &nx_ctx->op.outlen, +- &len, +- out, +- NX_DS_SHA512); ++ out_sg = nx_build_sg_list(nx_ctx->out_sg, out, &len, ++ max_sg_len); + +- if (rc) +- goto out; ++ nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg); ++ nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg); + + if (!nx_ctx->op.outlen) { + rc = -EINVAL; +@@ -273,7 +294,7 @@ struct shash_alg nx_shash_sha512_alg = { + .cra_blocksize = SHA512_BLOCK_SIZE, + .cra_module = THIS_MODULE, + .cra_ctxsize = sizeof(struct nx_crypto_ctx), +- .cra_init = nx_crypto_ctx_sha_init, ++ .cra_init = nx_crypto_ctx_sha512_init, + .cra_exit = nx_crypto_ctx_exit, + } + }; +diff --git a/drivers/crypto/nx/nx.c b/drivers/crypto/nx/nx.c +index 1da6dc5..737d33d 100644 +--- a/drivers/crypto/nx/nx.c ++++ b/drivers/crypto/nx/nx.c +@@ -215,8 +215,15 @@ struct nx_sg *nx_walk_and_build(struct nx_sg *nx_dst, + * @delta: is the amount we need to crop in order to bound the list. + * + */ +-static long int trim_sg_list(struct nx_sg *sg, struct nx_sg *end, unsigned int delta) ++static long int trim_sg_list(struct nx_sg *sg, ++ struct nx_sg *end, ++ unsigned int delta, ++ unsigned int *nbytes) + { ++ long int oplen; ++ long int data_back; ++ unsigned int is_delta = delta; ++ + while (delta && end > sg) { + struct nx_sg *last = end - 1; + +@@ -228,54 +235,20 @@ static long int trim_sg_list(struct nx_sg *sg, struct nx_sg *end, unsigned int d + delta -= last->len; + } + } +- return (sg - end) * sizeof(struct nx_sg); +-} +- +-/** +- * nx_sha_build_sg_list - walk and build sg list to sha modes +- * using right bounds and limits. +- * @nx_ctx: NX crypto context for the lists we're building +- * @nx_sg: current sg list in or out list +- * @op_len: current op_len to be used in order to build a sg list +- * @nbytes: number or bytes to be processed +- * @offset: buf offset +- * @mode: SHA256 or SHA512 +- */ +-int nx_sha_build_sg_list(struct nx_crypto_ctx *nx_ctx, +- struct nx_sg *nx_in_outsg, +- s64 *op_len, +- unsigned int *nbytes, +- u8 *offset, +- u32 mode) +-{ +- unsigned int delta = 0; +- unsigned int total = *nbytes; +- struct nx_sg *nx_insg = nx_in_outsg; +- unsigned int max_sg_len; + +- max_sg_len = min_t(u64, nx_ctx->ap->sglen, +- nx_driver.of.max_sg_len/sizeof(struct nx_sg)); +- max_sg_len = min_t(u64, max_sg_len, +- nx_ctx->ap->databytelen/NX_PAGE_SIZE); +- +- *nbytes = min_t(u64, *nbytes, nx_ctx->ap->databytelen); +- nx_insg = nx_build_sg_list(nx_insg, offset, nbytes, max_sg_len); +- +- switch (mode) { +- case NX_DS_SHA256: +- if (*nbytes < total) +- delta = *nbytes - (*nbytes & ~(SHA256_BLOCK_SIZE - 1)); +- break; +- case NX_DS_SHA512: +- if (*nbytes < total) +- delta = *nbytes - (*nbytes & ~(SHA512_BLOCK_SIZE - 1)); +- break; +- default: +- return -EINVAL; ++ /* There are cases where we need to crop list in order to make it ++ * a block size multiple, but we also need to align data. In order to ++ * that we need to calculate how much we need to put back to be ++ * processed ++ */ ++ oplen = (sg - end) * sizeof(struct nx_sg); ++ if (is_delta) { ++ data_back = (abs(oplen) / AES_BLOCK_SIZE) * sg->len; ++ data_back = *nbytes - (data_back & ~(AES_BLOCK_SIZE - 1)); ++ *nbytes -= data_back; + } +- *op_len = trim_sg_list(nx_in_outsg, nx_insg, delta); + +- return 0; ++ return oplen; + } + + /** +@@ -330,8 +303,8 @@ int nx_build_sg_lists(struct nx_crypto_ctx *nx_ctx, + /* these lengths should be negative, which will indicate to phyp that + * the input and output parameters are scatterlists, not linear + * buffers */ +- nx_ctx->op.inlen = trim_sg_list(nx_ctx->in_sg, nx_insg, delta); +- nx_ctx->op.outlen = trim_sg_list(nx_ctx->out_sg, nx_outsg, delta); ++ nx_ctx->op.inlen = trim_sg_list(nx_ctx->in_sg, nx_insg, delta, nbytes); ++ nx_ctx->op.outlen = trim_sg_list(nx_ctx->out_sg, nx_outsg, delta, nbytes); + + return 0; + } +@@ -662,12 +635,14 @@ static int nx_crypto_ctx_init(struct nx_crypto_ctx *nx_ctx, u32 fc, u32 mode) + /* entry points from the crypto tfm initializers */ + int nx_crypto_ctx_aes_ccm_init(struct crypto_tfm *tfm) + { ++ tfm->crt_aead.reqsize = sizeof(struct nx_ccm_rctx); + return nx_crypto_ctx_init(crypto_tfm_ctx(tfm), NX_FC_AES, + NX_MODE_AES_CCM); + } + + int nx_crypto_ctx_aes_gcm_init(struct crypto_tfm *tfm) + { ++ tfm->crt_aead.reqsize = sizeof(struct nx_gcm_rctx); + return nx_crypto_ctx_init(crypto_tfm_ctx(tfm), NX_FC_AES, + NX_MODE_AES_GCM); + } +diff --git a/drivers/crypto/nx/nx.h b/drivers/crypto/nx/nx.h +index 6c9ecaa..c3ed837 100644 +--- a/drivers/crypto/nx/nx.h ++++ b/drivers/crypto/nx/nx.h +@@ -2,6 +2,8 @@ + #ifndef __NX_H__ + #define __NX_H__ + ++#include <crypto/ctr.h> ++ + #define NX_NAME "nx-crypto" + #define NX_STRING "IBM Power7+ Nest Accelerator Crypto Driver" + #define NX_VERSION "1.0" +@@ -91,8 +93,11 @@ struct nx_crypto_driver { + + #define NX_GCM4106_NONCE_LEN (4) + #define NX_GCM_CTR_OFFSET (12) +-struct nx_gcm_priv { ++struct nx_gcm_rctx { + u8 iv[16]; ++}; ++ ++struct nx_gcm_priv { + u8 iauth_tag[16]; + u8 nonce[NX_GCM4106_NONCE_LEN]; + }; +@@ -100,8 +105,11 @@ struct nx_gcm_priv { + #define NX_CCM_AES_KEY_LEN (16) + #define NX_CCM4309_AES_KEY_LEN (19) + #define NX_CCM4309_NONCE_LEN (3) +-struct nx_ccm_priv { ++struct nx_ccm_rctx { + u8 iv[16]; ++}; ++ ++struct nx_ccm_priv { + u8 b0[16]; + u8 iauth_tag[16]; + u8 oauth_tag[16]; +@@ -113,7 +121,7 @@ struct nx_xcbc_priv { + }; + + struct nx_ctr_priv { +- u8 iv[16]; ++ u8 nonce[CTR_RFC3686_NONCE_SIZE]; + }; + + struct nx_crypto_ctx { +@@ -153,8 +161,6 @@ void nx_crypto_ctx_exit(struct crypto_tfm *tfm); + void nx_ctx_init(struct nx_crypto_ctx *nx_ctx, unsigned int function); + int nx_hcall_sync(struct nx_crypto_ctx *ctx, struct vio_pfo_op *op, + u32 may_sleep); +-int nx_sha_build_sg_list(struct nx_crypto_ctx *, struct nx_sg *, +- s64 *, unsigned int *, u8 *, u32); + struct nx_sg *nx_build_sg_list(struct nx_sg *, u8 *, unsigned int *, u32); + int nx_build_sg_lists(struct nx_crypto_ctx *, struct blkcipher_desc *, + struct scatterlist *, struct scatterlist *, unsigned int *, +diff --git a/drivers/crypto/qat/qat_common/qat_algs.c b/drivers/crypto/qat/qat_common/qat_algs.c +index 1dc5b0a..34139a8 100644 +--- a/drivers/crypto/qat/qat_common/qat_algs.c ++++ b/drivers/crypto/qat/qat_common/qat_algs.c +@@ -73,7 +73,8 @@ + ICP_QAT_HW_CIPHER_KEY_CONVERT, \ + ICP_QAT_HW_CIPHER_DECRYPT) + +-static atomic_t active_dev; ++static DEFINE_MUTEX(algs_lock); ++static unsigned int active_devs; + + struct qat_alg_buf { + uint32_t len; +@@ -1271,7 +1272,10 @@ static struct crypto_alg qat_algs[] = { { + + int qat_algs_register(void) + { +- if (atomic_add_return(1, &active_dev) == 1) { ++ int ret = 0; ++ ++ mutex_lock(&algs_lock); ++ if (++active_devs == 1) { + int i; + + for (i = 0; i < ARRAY_SIZE(qat_algs); i++) +@@ -1280,21 +1284,25 @@ int qat_algs_register(void) + CRYPTO_ALG_TYPE_AEAD | CRYPTO_ALG_ASYNC : + CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_ASYNC; + +- return crypto_register_algs(qat_algs, ARRAY_SIZE(qat_algs)); ++ ret = crypto_register_algs(qat_algs, ARRAY_SIZE(qat_algs)); + } +- return 0; ++ mutex_unlock(&algs_lock); ++ return ret; + } + + int qat_algs_unregister(void) + { +- if (atomic_sub_return(1, &active_dev) == 0) +- return crypto_unregister_algs(qat_algs, ARRAY_SIZE(qat_algs)); +- return 0; ++ int ret = 0; ++ ++ mutex_lock(&algs_lock); ++ if (--active_devs == 0) ++ ret = crypto_unregister_algs(qat_algs, ARRAY_SIZE(qat_algs)); ++ mutex_unlock(&algs_lock); ++ return ret; + } + + int qat_algs_init(void) + { +- atomic_set(&active_dev, 0); + crypto_get_default_rng(); + return 0; + } +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index 7992164e..c89a7ab 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -648,16 +648,17 @@ at_xdmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, + desc->lld.mbr_sa = mem; + desc->lld.mbr_da = atchan->sconfig.dst_addr; + } +- desc->lld.mbr_cfg = atchan->cfg; +- dwidth = at_xdmac_get_dwidth(desc->lld.mbr_cfg); ++ dwidth = at_xdmac_get_dwidth(atchan->cfg); + fixed_dwidth = IS_ALIGNED(len, 1 << dwidth) +- ? at_xdmac_get_dwidth(desc->lld.mbr_cfg) ++ ? dwidth + : AT_XDMAC_CC_DWIDTH_BYTE; + desc->lld.mbr_ubc = AT_XDMAC_MBR_UBC_NDV2 /* next descriptor view */ + | AT_XDMAC_MBR_UBC_NDEN /* next descriptor dst parameter update */ + | AT_XDMAC_MBR_UBC_NSEN /* next descriptor src parameter update */ + | (i == sg_len - 1 ? 0 : AT_XDMAC_MBR_UBC_NDE) /* descriptor fetch */ + | (len >> fixed_dwidth); /* microblock length */ ++ desc->lld.mbr_cfg = (atchan->cfg & ~AT_XDMAC_CC_DWIDTH_MASK) | ++ AT_XDMAC_CC_DWIDTH(fixed_dwidth); + dev_dbg(chan2dev(chan), + "%s: lld: mbr_sa=%pad, mbr_da=%pad, mbr_ubc=0x%08x\n", + __func__, &desc->lld.mbr_sa, &desc->lld.mbr_da, desc->lld.mbr_ubc); +diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c +index 340f9e6..3dabc52 100644 +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -2328,7 +2328,7 @@ static dma_cookie_t pl330_tx_submit(struct dma_async_tx_descriptor *tx) + desc->txd.callback = last->txd.callback; + desc->txd.callback_param = last->txd.callback_param; + } +- last->last = false; ++ desc->last = false; + + dma_cookie_assign(&desc->txd); + +@@ -2621,6 +2621,7 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst, + desc->rqcfg.brst_len = 1; + + desc->rqcfg.brst_len = get_burst_len(desc, len); ++ desc->bytes_requested = len; + + desc->txd.flags = flags; + +diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c +index 778bbb6..b0487c9f 100644 +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -1294,7 +1294,6 @@ retry: + goto retry; + } + DRM_DEBUG_KMS("failed to dpcd write %d %d\n", tosend, ret); +- WARN(1, "fail\n"); + + return -EIO; + } +diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h +index 8ae6f7f..683a9b0 100644 +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -3190,15 +3190,14 @@ int intel_freq_opcode(struct drm_i915_private *dev_priv, int val); + #define I915_READ64(reg) dev_priv->uncore.funcs.mmio_readq(dev_priv, (reg), true) + + #define I915_READ64_2x32(lower_reg, upper_reg) ({ \ +- u32 upper = I915_READ(upper_reg); \ +- u32 lower = I915_READ(lower_reg); \ +- u32 tmp = I915_READ(upper_reg); \ +- if (upper != tmp) { \ +- upper = tmp; \ +- lower = I915_READ(lower_reg); \ +- WARN_ON(I915_READ(upper_reg) != upper); \ +- } \ +- (u64)upper << 32 | lower; }) ++ u32 upper, lower, tmp; \ ++ tmp = I915_READ(upper_reg); \ ++ do { \ ++ upper = tmp; \ ++ lower = I915_READ(lower_reg); \ ++ tmp = I915_READ(upper_reg); \ ++ } while (upper != tmp); \ ++ (u64)upper << 32 | lower; }) + + #define POSTING_READ(reg) (void)I915_READ_NOTRACE(reg) + #define POSTING_READ16(reg) (void)I915_READ16_NOTRACE(reg) +diff --git a/drivers/gpu/drm/i915/i915_gem_tiling.c b/drivers/gpu/drm/i915/i915_gem_tiling.c +index 6377b22..7ee23d1 100644 +--- a/drivers/gpu/drm/i915/i915_gem_tiling.c ++++ b/drivers/gpu/drm/i915/i915_gem_tiling.c +@@ -464,7 +464,10 @@ i915_gem_get_tiling(struct drm_device *dev, void *data, + } + + /* Hide bit 17 from the user -- see comment in i915_gem_set_tiling */ +- args->phys_swizzle_mode = args->swizzle_mode; ++ if (dev_priv->quirks & QUIRK_PIN_SWIZZLED_PAGES) ++ args->phys_swizzle_mode = I915_BIT_6_SWIZZLE_UNKNOWN; ++ else ++ args->phys_swizzle_mode = args->swizzle_mode; + if (args->swizzle_mode == I915_BIT_6_SWIZZLE_9_17) + args->swizzle_mode = I915_BIT_6_SWIZZLE_9; + if (args->swizzle_mode == I915_BIT_6_SWIZZLE_9_10_17) +diff --git a/drivers/gpu/drm/radeon/dce6_afmt.c b/drivers/gpu/drm/radeon/dce6_afmt.c +index 68fd9fc..44480c1 100644 +--- a/drivers/gpu/drm/radeon/dce6_afmt.c ++++ b/drivers/gpu/drm/radeon/dce6_afmt.c +@@ -93,30 +93,26 @@ void dce6_afmt_select_pin(struct drm_encoder *encoder) + struct radeon_device *rdev = encoder->dev->dev_private; + struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); + struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; +- u32 offset; + +- if (!dig || !dig->afmt || !dig->afmt->pin) ++ if (!dig || !dig->afmt || !dig->pin) + return; + +- offset = dig->afmt->offset; +- +- WREG32(AFMT_AUDIO_SRC_CONTROL + offset, +- AFMT_AUDIO_SRC_SELECT(dig->afmt->pin->id)); ++ WREG32(AFMT_AUDIO_SRC_CONTROL + dig->afmt->offset, ++ AFMT_AUDIO_SRC_SELECT(dig->pin->id)); + } + + void dce6_afmt_write_latency_fields(struct drm_encoder *encoder, +- struct drm_connector *connector, struct drm_display_mode *mode) ++ struct drm_connector *connector, ++ struct drm_display_mode *mode) + { + struct radeon_device *rdev = encoder->dev->dev_private; + struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); + struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; +- u32 tmp = 0, offset; ++ u32 tmp = 0; + +- if (!dig || !dig->afmt || !dig->afmt->pin) ++ if (!dig || !dig->afmt || !dig->pin) + return; + +- offset = dig->afmt->pin->offset; +- + if (mode->flags & DRM_MODE_FLAG_INTERLACE) { + if (connector->latency_present[1]) + tmp = VIDEO_LIPSYNC(connector->video_latency[1]) | +@@ -130,24 +126,24 @@ void dce6_afmt_write_latency_fields(struct drm_encoder *encoder, + else + tmp = VIDEO_LIPSYNC(0) | AUDIO_LIPSYNC(0); + } +- WREG32_ENDPOINT(offset, AZ_F0_CODEC_PIN_CONTROL_RESPONSE_LIPSYNC, tmp); ++ WREG32_ENDPOINT(dig->pin->offset, ++ AZ_F0_CODEC_PIN_CONTROL_RESPONSE_LIPSYNC, tmp); + } + + void dce6_afmt_hdmi_write_speaker_allocation(struct drm_encoder *encoder, +- u8 *sadb, int sad_count) ++ u8 *sadb, int sad_count) + { + struct radeon_device *rdev = encoder->dev->dev_private; + struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); + struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; +- u32 offset, tmp; ++ u32 tmp; + +- if (!dig || !dig->afmt || !dig->afmt->pin) ++ if (!dig || !dig->afmt || !dig->pin) + return; + +- offset = dig->afmt->pin->offset; +- + /* program the speaker allocation */ +- tmp = RREG32_ENDPOINT(offset, AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER); ++ tmp = RREG32_ENDPOINT(dig->pin->offset, ++ AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER); + tmp &= ~(DP_CONNECTION | SPEAKER_ALLOCATION_MASK); + /* set HDMI mode */ + tmp |= HDMI_CONNECTION; +@@ -155,24 +151,24 @@ void dce6_afmt_hdmi_write_speaker_allocation(struct drm_encoder *encoder, + tmp |= SPEAKER_ALLOCATION(sadb[0]); + else + tmp |= SPEAKER_ALLOCATION(5); /* stereo */ +- WREG32_ENDPOINT(offset, AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER, tmp); ++ WREG32_ENDPOINT(dig->pin->offset, ++ AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER, tmp); + } + + void dce6_afmt_dp_write_speaker_allocation(struct drm_encoder *encoder, +- u8 *sadb, int sad_count) ++ u8 *sadb, int sad_count) + { + struct radeon_device *rdev = encoder->dev->dev_private; + struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); + struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; +- u32 offset, tmp; ++ u32 tmp; + +- if (!dig || !dig->afmt || !dig->afmt->pin) ++ if (!dig || !dig->afmt || !dig->pin) + return; + +- offset = dig->afmt->pin->offset; +- + /* program the speaker allocation */ +- tmp = RREG32_ENDPOINT(offset, AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER); ++ tmp = RREG32_ENDPOINT(dig->pin->offset, ++ AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER); + tmp &= ~(HDMI_CONNECTION | SPEAKER_ALLOCATION_MASK); + /* set DP mode */ + tmp |= DP_CONNECTION; +@@ -180,13 +176,13 @@ void dce6_afmt_dp_write_speaker_allocation(struct drm_encoder *encoder, + tmp |= SPEAKER_ALLOCATION(sadb[0]); + else + tmp |= SPEAKER_ALLOCATION(5); /* stereo */ +- WREG32_ENDPOINT(offset, AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER, tmp); ++ WREG32_ENDPOINT(dig->pin->offset, ++ AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER, tmp); + } + + void dce6_afmt_write_sad_regs(struct drm_encoder *encoder, +- struct cea_sad *sads, int sad_count) ++ struct cea_sad *sads, int sad_count) + { +- u32 offset; + int i; + struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); + struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; +@@ -206,11 +202,9 @@ void dce6_afmt_write_sad_regs(struct drm_encoder *encoder, + { AZ_F0_CODEC_PIN_CONTROL_AUDIO_DESCRIPTOR13, HDMI_AUDIO_CODING_TYPE_WMA_PRO }, + }; + +- if (!dig || !dig->afmt || !dig->afmt->pin) ++ if (!dig || !dig->afmt || !dig->pin) + return; + +- offset = dig->afmt->pin->offset; +- + for (i = 0; i < ARRAY_SIZE(eld_reg_to_type); i++) { + u32 value = 0; + u8 stereo_freqs = 0; +@@ -237,7 +231,7 @@ void dce6_afmt_write_sad_regs(struct drm_encoder *encoder, + + value |= SUPPORTED_FREQUENCIES_STEREO(stereo_freqs); + +- WREG32_ENDPOINT(offset, eld_reg_to_type[i][0], value); ++ WREG32_ENDPOINT(dig->pin->offset, eld_reg_to_type[i][0], value); + } + } + +@@ -253,7 +247,7 @@ void dce6_audio_enable(struct radeon_device *rdev, + } + + void dce6_hdmi_audio_set_dto(struct radeon_device *rdev, +- struct radeon_crtc *crtc, unsigned int clock) ++ struct radeon_crtc *crtc, unsigned int clock) + { + /* Two dtos; generally use dto0 for HDMI */ + u32 value = 0; +@@ -272,7 +266,7 @@ void dce6_hdmi_audio_set_dto(struct radeon_device *rdev, + } + + void dce6_dp_audio_set_dto(struct radeon_device *rdev, +- struct radeon_crtc *crtc, unsigned int clock) ++ struct radeon_crtc *crtc, unsigned int clock) + { + /* Two dtos; generally use dto1 for DP */ + u32 value = 0; +diff --git a/drivers/gpu/drm/radeon/radeon_audio.c b/drivers/gpu/drm/radeon/radeon_audio.c +index fa719c5..59b3d32 100644 +--- a/drivers/gpu/drm/radeon/radeon_audio.c ++++ b/drivers/gpu/drm/radeon/radeon_audio.c +@@ -245,6 +245,28 @@ static struct radeon_audio_funcs dce6_dp_funcs = { + static void radeon_audio_enable(struct radeon_device *rdev, + struct r600_audio_pin *pin, u8 enable_mask) + { ++ struct drm_encoder *encoder; ++ struct radeon_encoder *radeon_encoder; ++ struct radeon_encoder_atom_dig *dig; ++ int pin_count = 0; ++ ++ if (!pin) ++ return; ++ ++ if (rdev->mode_info.mode_config_initialized) { ++ list_for_each_entry(encoder, &rdev->ddev->mode_config.encoder_list, head) { ++ if (radeon_encoder_is_digital(encoder)) { ++ radeon_encoder = to_radeon_encoder(encoder); ++ dig = radeon_encoder->enc_priv; ++ if (dig->pin == pin) ++ pin_count++; ++ } ++ } ++ ++ if ((pin_count > 1) && (enable_mask == 0)) ++ return; ++ } ++ + if (rdev->audio.funcs->enable) + rdev->audio.funcs->enable(rdev, pin, enable_mask); + } +@@ -336,24 +358,13 @@ void radeon_audio_endpoint_wreg(struct radeon_device *rdev, u32 offset, + + static void radeon_audio_write_sad_regs(struct drm_encoder *encoder) + { +- struct radeon_encoder *radeon_encoder; +- struct drm_connector *connector; +- struct radeon_connector *radeon_connector = NULL; ++ struct drm_connector *connector = radeon_get_connector_for_encoder(encoder); ++ struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); + struct cea_sad *sads; + int sad_count; + +- list_for_each_entry(connector, +- &encoder->dev->mode_config.connector_list, head) { +- if (connector->encoder == encoder) { +- radeon_connector = to_radeon_connector(connector); +- break; +- } +- } +- +- if (!radeon_connector) { +- DRM_ERROR("Couldn't find encoder's connector\n"); ++ if (!connector) + return; +- } + + sad_count = drm_edid_to_sad(radeon_connector_edid(connector), &sads); + if (sad_count <= 0) { +@@ -362,8 +373,6 @@ static void radeon_audio_write_sad_regs(struct drm_encoder *encoder) + } + BUG_ON(!sads); + +- radeon_encoder = to_radeon_encoder(encoder); +- + if (radeon_encoder->audio && radeon_encoder->audio->write_sad_regs) + radeon_encoder->audio->write_sad_regs(encoder, sads, sad_count); + +@@ -372,27 +381,16 @@ static void radeon_audio_write_sad_regs(struct drm_encoder *encoder) + + static void radeon_audio_write_speaker_allocation(struct drm_encoder *encoder) + { ++ struct drm_connector *connector = radeon_get_connector_for_encoder(encoder); + struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); +- struct drm_connector *connector; +- struct radeon_connector *radeon_connector = NULL; + u8 *sadb = NULL; + int sad_count; + +- list_for_each_entry(connector, +- &encoder->dev->mode_config.connector_list, head) { +- if (connector->encoder == encoder) { +- radeon_connector = to_radeon_connector(connector); +- break; +- } +- } +- +- if (!radeon_connector) { +- DRM_ERROR("Couldn't find encoder's connector\n"); ++ if (!connector) + return; +- } + +- sad_count = drm_edid_to_speaker_allocation( +- radeon_connector_edid(connector), &sadb); ++ sad_count = drm_edid_to_speaker_allocation(radeon_connector_edid(connector), ++ &sadb); + if (sad_count < 0) { + DRM_DEBUG("Couldn't read Speaker Allocation Data Block: %d\n", + sad_count); +@@ -406,26 +404,13 @@ static void radeon_audio_write_speaker_allocation(struct drm_encoder *encoder) + } + + static void radeon_audio_write_latency_fields(struct drm_encoder *encoder, +- struct drm_display_mode *mode) ++ struct drm_display_mode *mode) + { +- struct radeon_encoder *radeon_encoder; +- struct drm_connector *connector; +- struct radeon_connector *radeon_connector = 0; +- +- list_for_each_entry(connector, +- &encoder->dev->mode_config.connector_list, head) { +- if (connector->encoder == encoder) { +- radeon_connector = to_radeon_connector(connector); +- break; +- } +- } ++ struct drm_connector *connector = radeon_get_connector_for_encoder(encoder); ++ struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); + +- if (!radeon_connector) { +- DRM_ERROR("Couldn't find encoder's connector\n"); ++ if (!connector) + return; +- } +- +- radeon_encoder = to_radeon_encoder(encoder); + + if (radeon_encoder->audio && radeon_encoder->audio->write_latency_fields) + radeon_encoder->audio->write_latency_fields(encoder, connector, mode); +@@ -451,29 +436,23 @@ static void radeon_audio_select_pin(struct drm_encoder *encoder) + } + + void radeon_audio_detect(struct drm_connector *connector, ++ struct drm_encoder *encoder, + enum drm_connector_status status) + { +- struct radeon_device *rdev; +- struct radeon_encoder *radeon_encoder; ++ struct drm_device *dev = connector->dev; ++ struct radeon_device *rdev = dev->dev_private; ++ struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); + struct radeon_encoder_atom_dig *dig; + +- if (!connector || !connector->encoder) ++ if (!radeon_audio_chipset_supported(rdev)) + return; + +- rdev = connector->encoder->dev->dev_private; +- +- if (!radeon_audio_chipset_supported(rdev)) ++ if (!radeon_encoder_is_digital(encoder)) + return; + +- radeon_encoder = to_radeon_encoder(connector->encoder); + dig = radeon_encoder->enc_priv; + + if (status == connector_status_connected) { +- if (!drm_detect_monitor_audio(radeon_connector_edid(connector))) { +- radeon_encoder->audio = NULL; +- return; +- } +- + if (connector->connector_type == DRM_MODE_CONNECTOR_DisplayPort) { + struct radeon_connector *radeon_connector = to_radeon_connector(connector); + +@@ -486,11 +465,17 @@ void radeon_audio_detect(struct drm_connector *connector, + radeon_encoder->audio = rdev->audio.hdmi_funcs; + } + +- dig->afmt->pin = radeon_audio_get_pin(connector->encoder); +- radeon_audio_enable(rdev, dig->afmt->pin, 0xf); ++ if (drm_detect_monitor_audio(radeon_connector_edid(connector))) { ++ if (!dig->pin) ++ dig->pin = radeon_audio_get_pin(encoder); ++ radeon_audio_enable(rdev, dig->pin, 0xf); ++ } else { ++ radeon_audio_enable(rdev, dig->pin, 0); ++ dig->pin = NULL; ++ } + } else { +- radeon_audio_enable(rdev, dig->afmt->pin, 0); +- dig->afmt->pin = NULL; ++ radeon_audio_enable(rdev, dig->pin, 0); ++ dig->pin = NULL; + } + } + +@@ -518,29 +503,18 @@ static void radeon_audio_set_dto(struct drm_encoder *encoder, unsigned int clock + } + + static int radeon_audio_set_avi_packet(struct drm_encoder *encoder, +- struct drm_display_mode *mode) ++ struct drm_display_mode *mode) + { + struct radeon_device *rdev = encoder->dev->dev_private; + struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); + struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; +- struct drm_connector *connector; +- struct radeon_connector *radeon_connector = NULL; ++ struct drm_connector *connector = radeon_get_connector_for_encoder(encoder); + u8 buffer[HDMI_INFOFRAME_HEADER_SIZE + HDMI_AVI_INFOFRAME_SIZE]; + struct hdmi_avi_infoframe frame; + int err; + +- list_for_each_entry(connector, +- &encoder->dev->mode_config.connector_list, head) { +- if (connector->encoder == encoder) { +- radeon_connector = to_radeon_connector(connector); +- break; +- } +- } +- +- if (!radeon_connector) { +- DRM_ERROR("Couldn't find encoder's connector\n"); +- return -ENOENT; +- } ++ if (!connector) ++ return -EINVAL; + + err = drm_hdmi_avi_infoframe_from_display_mode(&frame, mode); + if (err < 0) { +@@ -563,8 +537,8 @@ static int radeon_audio_set_avi_packet(struct drm_encoder *encoder, + return err; + } + +- if (dig && dig->afmt && +- radeon_encoder->audio && radeon_encoder->audio->set_avi_packet) ++ if (dig && dig->afmt && radeon_encoder->audio && ++ radeon_encoder->audio->set_avi_packet) + radeon_encoder->audio->set_avi_packet(rdev, dig->afmt->offset, + buffer, sizeof(buffer)); + +@@ -745,7 +719,7 @@ static void radeon_audio_hdmi_mode_set(struct drm_encoder *encoder, + } + + static void radeon_audio_dp_mode_set(struct drm_encoder *encoder, +- struct drm_display_mode *mode) ++ struct drm_display_mode *mode) + { + struct drm_device *dev = encoder->dev; + struct radeon_device *rdev = dev->dev_private; +@@ -756,6 +730,9 @@ static void radeon_audio_dp_mode_set(struct drm_encoder *encoder, + struct radeon_connector_atom_dig *dig_connector = + radeon_connector->con_priv; + ++ if (!connector) ++ return; ++ + if (!dig || !dig->afmt) + return; + +@@ -774,7 +751,7 @@ static void radeon_audio_dp_mode_set(struct drm_encoder *encoder, + } + + void radeon_audio_mode_set(struct drm_encoder *encoder, +- struct drm_display_mode *mode) ++ struct drm_display_mode *mode) + { + struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); + +diff --git a/drivers/gpu/drm/radeon/radeon_audio.h b/drivers/gpu/drm/radeon/radeon_audio.h +index 8438304..059cc30 100644 +--- a/drivers/gpu/drm/radeon/radeon_audio.h ++++ b/drivers/gpu/drm/radeon/radeon_audio.h +@@ -68,7 +68,8 @@ struct radeon_audio_funcs + + int radeon_audio_init(struct radeon_device *rdev); + void radeon_audio_detect(struct drm_connector *connector, +- enum drm_connector_status status); ++ struct drm_encoder *encoder, ++ enum drm_connector_status status); + u32 radeon_audio_endpoint_rreg(struct radeon_device *rdev, + u32 offset, u32 reg); + void radeon_audio_endpoint_wreg(struct radeon_device *rdev, +diff --git a/drivers/gpu/drm/radeon/radeon_combios.c b/drivers/gpu/drm/radeon/radeon_combios.c +index 3e5f6b7..c097d3a 100644 +--- a/drivers/gpu/drm/radeon/radeon_combios.c ++++ b/drivers/gpu/drm/radeon/radeon_combios.c +@@ -1255,10 +1255,15 @@ struct radeon_encoder_lvds *radeon_combios_get_lvds_info(struct radeon_encoder + + if ((RBIOS16(tmp) == lvds->native_mode.hdisplay) && + (RBIOS16(tmp + 2) == lvds->native_mode.vdisplay)) { ++ u32 hss = (RBIOS16(tmp + 21) - RBIOS16(tmp + 19) - 1) * 8; ++ ++ if (hss > lvds->native_mode.hdisplay) ++ hss = (10 - 1) * 8; ++ + lvds->native_mode.htotal = lvds->native_mode.hdisplay + + (RBIOS16(tmp + 17) - RBIOS16(tmp + 19)) * 8; + lvds->native_mode.hsync_start = lvds->native_mode.hdisplay + +- (RBIOS16(tmp + 21) - RBIOS16(tmp + 19) - 1) * 8; ++ hss; + lvds->native_mode.hsync_end = lvds->native_mode.hsync_start + + (RBIOS8(tmp + 23) * 8); + +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c +index cebb65e..94b21ae 100644 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -1379,8 +1379,16 @@ out: + /* updated in get modes as well since we need to know if it's analog or digital */ + radeon_connector_update_scratch_regs(connector, ret); + +- if (radeon_audio != 0) +- radeon_audio_detect(connector, ret); ++ if ((radeon_audio != 0) && radeon_connector->use_digital) { ++ const struct drm_connector_helper_funcs *connector_funcs = ++ connector->helper_private; ++ ++ encoder = connector_funcs->best_encoder(connector); ++ if (encoder && (encoder->encoder_type == DRM_MODE_ENCODER_TMDS)) { ++ radeon_connector_get_edid(connector); ++ radeon_audio_detect(connector, encoder, ret); ++ } ++ } + + exit: + pm_runtime_mark_last_busy(connector->dev->dev); +@@ -1717,8 +1725,10 @@ radeon_dp_detect(struct drm_connector *connector, bool force) + + radeon_connector_update_scratch_regs(connector, ret); + +- if (radeon_audio != 0) +- radeon_audio_detect(connector, ret); ++ if ((radeon_audio != 0) && encoder) { ++ radeon_connector_get_edid(connector); ++ radeon_audio_detect(connector, encoder, ret); ++ } + + out: + pm_runtime_mark_last_busy(connector->dev->dev); +diff --git a/drivers/gpu/drm/radeon/radeon_mode.h b/drivers/gpu/drm/radeon/radeon_mode.h +index f01c797..9af2d83 100644 +--- a/drivers/gpu/drm/radeon/radeon_mode.h ++++ b/drivers/gpu/drm/radeon/radeon_mode.h +@@ -237,7 +237,6 @@ struct radeon_afmt { + int offset; + bool last_buffer_filled_status; + int id; +- struct r600_audio_pin *pin; + }; + + struct radeon_mode_info { +@@ -439,6 +438,7 @@ struct radeon_encoder_atom_dig { + uint8_t backlight_level; + int panel_mode; + struct radeon_afmt *afmt; ++ struct r600_audio_pin *pin; + int active_mst_links; + }; + +diff --git a/drivers/hwmon/nct7904.c b/drivers/hwmon/nct7904.c +index 6153df73..08ff89d 100644 +--- a/drivers/hwmon/nct7904.c ++++ b/drivers/hwmon/nct7904.c +@@ -575,6 +575,7 @@ static const struct i2c_device_id nct7904_id[] = { + {"nct7904", 0}, + {} + }; ++MODULE_DEVICE_TABLE(i2c, nct7904_id); + + static struct i2c_driver nct7904_driver = { + .class = I2C_CLASS_HWMON, +diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c +index a353b7d..bc7eed6 100644 +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -20,6 +20,7 @@ + #include <linux/input/mt.h> + #include <linux/serio.h> + #include <linux/libps2.h> ++#include <linux/dmi.h> + + #include "psmouse.h" + #include "alps.h" +@@ -99,6 +100,7 @@ static const struct alps_nibble_commands alps_v6_nibble_commands[] = { + #define ALPS_FOUR_BUTTONS 0x40 /* 4 direction button present */ + #define ALPS_PS2_INTERLEAVED 0x80 /* 3-byte PS/2 packet interleaved with + 6-byte ALPS packet */ ++#define ALPS_DELL 0x100 /* device is a Dell laptop */ + #define ALPS_BUTTONPAD 0x200 /* device is a clickpad */ + + static const struct alps_model_info alps_model_data[] = { +@@ -251,9 +253,9 @@ static void alps_process_packet_v1_v2(struct psmouse *psmouse) + return; + } + +- /* Non interleaved V2 dualpoint has separate stick button bits */ ++ /* Dell non interleaved V2 dualpoint has separate stick button bits */ + if (priv->proto_version == ALPS_PROTO_V2 && +- priv->flags == (ALPS_PASS | ALPS_DUALPOINT)) { ++ priv->flags == (ALPS_DELL | ALPS_PASS | ALPS_DUALPOINT)) { + left |= packet[0] & 1; + right |= packet[0] & 2; + middle |= packet[0] & 4; +@@ -2542,6 +2544,8 @@ static int alps_set_protocol(struct psmouse *psmouse, + priv->byte0 = protocol->byte0; + priv->mask0 = protocol->mask0; + priv->flags = protocol->flags; ++ if (dmi_name_in_vendors("Dell")) ++ priv->flags |= ALPS_DELL; + + priv->x_max = 2000; + priv->y_max = 1400; +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index e8d8456..697f34f 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1719,7 +1719,8 @@ static int dm_merge_bvec(struct request_queue *q, + struct mapped_device *md = q->queuedata; + struct dm_table *map = dm_get_live_table_fast(md); + struct dm_target *ti; +- sector_t max_sectors, max_size = 0; ++ sector_t max_sectors; ++ int max_size = 0; + + if (unlikely(!map)) + goto out; +@@ -1732,18 +1733,10 @@ static int dm_merge_bvec(struct request_queue *q, + * Find maximum amount of I/O that won't need splitting + */ + max_sectors = min(max_io_len(bvm->bi_sector, ti), +- (sector_t) queue_max_sectors(q)); ++ (sector_t) BIO_MAX_SECTORS); + max_size = (max_sectors << SECTOR_SHIFT) - bvm->bi_size; +- +- /* +- * FIXME: this stop-gap fix _must_ be cleaned up (by passing a sector_t +- * to the targets' merge function since it holds sectors not bytes). +- * Just doing this as an interim fix for stable@ because the more +- * comprehensive cleanup of switching to sector_t will impact every +- * DM target that implements a ->merge hook. +- */ +- if (max_size > INT_MAX) +- max_size = INT_MAX; ++ if (max_size < 0) ++ max_size = 0; + + /* + * merge_bvec_fn() returns number of bytes +@@ -1751,13 +1744,13 @@ static int dm_merge_bvec(struct request_queue *q, + * max is precomputed maximal io size + */ + if (max_size && ti->type->merge) +- max_size = ti->type->merge(ti, bvm, biovec, (int) max_size); ++ max_size = ti->type->merge(ti, bvm, biovec, max_size); + /* + * If the target doesn't support merge method and some of the devices +- * provided their merge_bvec method (we know this by looking for the +- * max_hw_sectors that dm_set_device_limits may set), then we can't +- * allow bios with multiple vector entries. So always set max_size +- * to 0, and the code below allows just one page. ++ * provided their merge_bvec method (we know this by looking at ++ * queue_max_hw_sectors), then we can't allow bios with multiple vector ++ * entries. So always set max_size to 0, and the code below allows ++ * just one page. + */ + else if (queue_max_hw_sectors(q) <= PAGE_SIZE >> 9) + max_size = 0; +diff --git a/drivers/md/md.c b/drivers/md/md.c +index b920028..e462151 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5740,7 +5740,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg) + char *ptr; + int err; + +- file = kmalloc(sizeof(*file), GFP_NOIO); ++ file = kzalloc(sizeof(*file), GFP_NOIO); + if (!file) + return -ENOMEM; + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index cd7b0c1..5ce3cd5 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1475,6 +1475,7 @@ static void error(struct mddev *mddev, struct md_rdev *rdev) + { + char b[BDEVNAME_SIZE]; + struct r1conf *conf = mddev->private; ++ unsigned long flags; + + /* + * If it is not operational, then we have already marked it as dead +@@ -1494,14 +1495,13 @@ static void error(struct mddev *mddev, struct md_rdev *rdev) + return; + } + set_bit(Blocked, &rdev->flags); ++ spin_lock_irqsave(&conf->device_lock, flags); + if (test_and_clear_bit(In_sync, &rdev->flags)) { +- unsigned long flags; +- spin_lock_irqsave(&conf->device_lock, flags); + mddev->degraded++; + set_bit(Faulty, &rdev->flags); +- spin_unlock_irqrestore(&conf->device_lock, flags); + } else + set_bit(Faulty, &rdev->flags); ++ spin_unlock_irqrestore(&conf->device_lock, flags); + /* + * if recovery is running, make sure it aborts. + */ +@@ -1567,7 +1567,10 @@ static int raid1_spare_active(struct mddev *mddev) + * Find all failed disks within the RAID1 configuration + * and mark them readable. + * Called under mddev lock, so rcu protection not needed. ++ * device_lock used to avoid races with raid1_end_read_request ++ * which expects 'In_sync' flags and ->degraded to be consistent. + */ ++ spin_lock_irqsave(&conf->device_lock, flags); + for (i = 0; i < conf->raid_disks; i++) { + struct md_rdev *rdev = conf->mirrors[i].rdev; + struct md_rdev *repl = conf->mirrors[conf->raid_disks + i].rdev; +@@ -1598,7 +1601,6 @@ static int raid1_spare_active(struct mddev *mddev) + sysfs_notify_dirent_safe(rdev->sysfs_state); + } + } +- spin_lock_irqsave(&conf->device_lock, flags); + mddev->degraded -= count; + spin_unlock_irqrestore(&conf->device_lock, flags); + +diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c +index 7681237..ead5432 100644 +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -1524,12 +1524,11 @@ static int ath10k_pci_get_num_banks(struct ath10k *ar) + switch (MS(ar->chip_id, SOC_CHIP_ID_REV)) { + case QCA6174_HW_1_0_CHIP_ID_REV: + case QCA6174_HW_1_1_CHIP_ID_REV: ++ case QCA6174_HW_2_1_CHIP_ID_REV: ++ case QCA6174_HW_2_2_CHIP_ID_REV: + return 3; + case QCA6174_HW_1_3_CHIP_ID_REV: + return 2; +- case QCA6174_HW_2_1_CHIP_ID_REV: +- case QCA6174_HW_2_2_CHIP_ID_REV: +- return 6; + case QCA6174_HW_3_0_CHIP_ID_REV: + case QCA6174_HW_3_1_CHIP_ID_REV: + case QCA6174_HW_3_2_CHIP_ID_REV: +diff --git a/drivers/phy/phy-twl4030-usb.c b/drivers/phy/phy-twl4030-usb.c +index 8882afb..6285f46 100644 +--- a/drivers/phy/phy-twl4030-usb.c ++++ b/drivers/phy/phy-twl4030-usb.c +@@ -144,6 +144,16 @@ + #define PMBR1 0x0D + #define GPIO_USB_4PIN_ULPI_2430C (3 << 0) + ++/* ++ * If VBUS is valid or ID is ground, then we know a ++ * cable is present and we need to be runtime-enabled ++ */ ++static inline bool cable_present(enum omap_musb_vbus_id_status stat) ++{ ++ return stat == OMAP_MUSB_VBUS_VALID || ++ stat == OMAP_MUSB_ID_GROUND; ++} ++ + struct twl4030_usb { + struct usb_phy phy; + struct device *dev; +@@ -536,8 +546,10 @@ static irqreturn_t twl4030_usb_irq(int irq, void *_twl) + + mutex_lock(&twl->lock); + if (status >= 0 && status != twl->linkstat) { ++ status_changed = ++ cable_present(twl->linkstat) != ++ cable_present(status); + twl->linkstat = status; +- status_changed = true; + } + mutex_unlock(&twl->lock); + +@@ -553,15 +565,11 @@ static irqreturn_t twl4030_usb_irq(int irq, void *_twl) + * USB_LINK_VBUS state. musb_hdrc won't care until it + * starts to handle softconnect right. + */ +- if ((status == OMAP_MUSB_VBUS_VALID) || +- (status == OMAP_MUSB_ID_GROUND)) { +- if (pm_runtime_suspended(twl->dev)) +- pm_runtime_get_sync(twl->dev); ++ if (cable_present(status)) { ++ pm_runtime_get_sync(twl->dev); + } else { +- if (pm_runtime_active(twl->dev)) { +- pm_runtime_mark_last_busy(twl->dev); +- pm_runtime_put_autosuspend(twl->dev); +- } ++ pm_runtime_mark_last_busy(twl->dev); ++ pm_runtime_put_autosuspend(twl->dev); + } + omap_musb_mailbox(status); + } +@@ -766,6 +774,9 @@ static int twl4030_usb_remove(struct platform_device *pdev) + + /* disable complete OTG block */ + twl4030_usb_clear_bits(twl, POWER_CTRL, POWER_CTRL_OTG_ENAB); ++ ++ if (cable_present(twl->linkstat)) ++ pm_runtime_put_noidle(twl->dev); + pm_runtime_mark_last_busy(twl->dev); + pm_runtime_put(twl->dev); + +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c +index 8827448..a9aa389 100644 +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -599,9 +599,10 @@ static void ipr_trc_hook(struct ipr_cmnd *ipr_cmd, + { + struct ipr_trace_entry *trace_entry; + struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg; ++ unsigned int trace_index; + +- trace_entry = &ioa_cfg->trace[atomic_add_return +- (1, &ioa_cfg->trace_index)%IPR_NUM_TRACE_ENTRIES]; ++ trace_index = atomic_add_return(1, &ioa_cfg->trace_index) & IPR_TRACE_INDEX_MASK; ++ trace_entry = &ioa_cfg->trace[trace_index]; + trace_entry->time = jiffies; + trace_entry->op_code = ipr_cmd->ioarcb.cmd_pkt.cdb[0]; + trace_entry->type = type; +@@ -1051,10 +1052,15 @@ static void ipr_send_blocking_cmd(struct ipr_cmnd *ipr_cmd, + + static int ipr_get_hrrq_index(struct ipr_ioa_cfg *ioa_cfg) + { ++ unsigned int hrrq; ++ + if (ioa_cfg->hrrq_num == 1) +- return 0; +- else +- return (atomic_add_return(1, &ioa_cfg->hrrq_index) % (ioa_cfg->hrrq_num - 1)) + 1; ++ hrrq = 0; ++ else { ++ hrrq = atomic_add_return(1, &ioa_cfg->hrrq_index); ++ hrrq = (hrrq % (ioa_cfg->hrrq_num - 1)) + 1; ++ } ++ return hrrq; + } + + /** +@@ -6263,21 +6269,23 @@ static void ipr_scsi_done(struct ipr_cmnd *ipr_cmd) + struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg; + struct scsi_cmnd *scsi_cmd = ipr_cmd->scsi_cmd; + u32 ioasc = be32_to_cpu(ipr_cmd->s.ioasa.hdr.ioasc); +- unsigned long hrrq_flags; ++ unsigned long lock_flags; + + scsi_set_resid(scsi_cmd, be32_to_cpu(ipr_cmd->s.ioasa.hdr.residual_data_len)); + + if (likely(IPR_IOASC_SENSE_KEY(ioasc) == 0)) { + scsi_dma_unmap(scsi_cmd); + +- spin_lock_irqsave(ipr_cmd->hrrq->lock, hrrq_flags); ++ spin_lock_irqsave(ipr_cmd->hrrq->lock, lock_flags); + list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + scsi_cmd->scsi_done(scsi_cmd); +- spin_unlock_irqrestore(ipr_cmd->hrrq->lock, hrrq_flags); ++ spin_unlock_irqrestore(ipr_cmd->hrrq->lock, lock_flags); + } else { +- spin_lock_irqsave(ipr_cmd->hrrq->lock, hrrq_flags); ++ spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); ++ spin_lock(&ipr_cmd->hrrq->_lock); + ipr_erp_start(ioa_cfg, ipr_cmd); +- spin_unlock_irqrestore(ipr_cmd->hrrq->lock, hrrq_flags); ++ spin_unlock(&ipr_cmd->hrrq->_lock); ++ spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); + } + } + +diff --git a/drivers/scsi/ipr.h b/drivers/scsi/ipr.h +index 73790a1..6b97ee4 100644 +--- a/drivers/scsi/ipr.h ++++ b/drivers/scsi/ipr.h +@@ -1486,6 +1486,7 @@ struct ipr_ioa_cfg { + + #define IPR_NUM_TRACE_INDEX_BITS 8 + #define IPR_NUM_TRACE_ENTRIES (1 << IPR_NUM_TRACE_INDEX_BITS) ++#define IPR_TRACE_INDEX_MASK (IPR_NUM_TRACE_ENTRIES - 1) + #define IPR_TRACE_SIZE (sizeof(struct ipr_trace_entry) * IPR_NUM_TRACE_ENTRIES) + char trace_start[8]; + #define IPR_TRACE_START_LABEL "trace" +diff --git a/drivers/staging/lustre/lustre/obdclass/debug.c b/drivers/staging/lustre/lustre/obdclass/debug.c +index 9c934e6..c61add4 100644 +--- a/drivers/staging/lustre/lustre/obdclass/debug.c ++++ b/drivers/staging/lustre/lustre/obdclass/debug.c +@@ -40,7 +40,7 @@ + + #define DEBUG_SUBSYSTEM D_OTHER + +-#include <linux/unaligned/access_ok.h> ++#include <asm/unaligned.h> + + #include "../include/obd_support.h" + #include "../include/lustre_debug.h" +diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c +index 15baacb..376e4a0 100644 +--- a/drivers/staging/vt6655/device_main.c ++++ b/drivers/staging/vt6655/device_main.c +@@ -1486,8 +1486,9 @@ static void vnt_bss_info_changed(struct ieee80211_hw *hw, + } + } + +- if (changed & BSS_CHANGED_ASSOC && priv->op_mode != NL80211_IFTYPE_AP) { +- if (conf->assoc) { ++ if (changed & (BSS_CHANGED_ASSOC | BSS_CHANGED_BEACON_INFO) && ++ priv->op_mode != NL80211_IFTYPE_AP) { ++ if (conf->assoc && conf->beacon_rate) { + CARDbUpdateTSF(priv, conf->beacon_rate->hw_value, + conf->sync_tsf); + +diff --git a/drivers/thermal/samsung/exynos_tmu.c b/drivers/thermal/samsung/exynos_tmu.c +index 1d30b09..67098a8 100644 +--- a/drivers/thermal/samsung/exynos_tmu.c ++++ b/drivers/thermal/samsung/exynos_tmu.c +@@ -1209,6 +1209,8 @@ err_clk_sec: + if (!IS_ERR(data->clk_sec)) + clk_unprepare(data->clk_sec); + err_sensor: ++ if (!IS_ERR_OR_NULL(data->regulator)) ++ regulator_disable(data->regulator); + thermal_zone_of_sensor_unregister(&pdev->dev, data->tzd); + + return ret; +diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c +index 74fea4f..3ad48e1 100644 +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -1024,7 +1024,18 @@ static struct platform_driver ci_hdrc_driver = { + }, + }; + +-module_platform_driver(ci_hdrc_driver); ++static int __init ci_hdrc_platform_register(void) ++{ ++ ci_hdrc_host_driver_init(); ++ return platform_driver_register(&ci_hdrc_driver); ++} ++module_init(ci_hdrc_platform_register); ++ ++static void __exit ci_hdrc_platform_unregister(void) ++{ ++ platform_driver_unregister(&ci_hdrc_driver); ++} ++module_exit(ci_hdrc_platform_unregister); + + MODULE_ALIAS("platform:ci_hdrc"); + MODULE_LICENSE("GPL v2"); +diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c +index 21fe1a3..2f8af40 100644 +--- a/drivers/usb/chipidea/host.c ++++ b/drivers/usb/chipidea/host.c +@@ -237,9 +237,12 @@ int ci_hdrc_host_init(struct ci_hdrc *ci) + rdrv->name = "host"; + ci->roles[CI_ROLE_HOST] = rdrv; + ++ return 0; ++} ++ ++void ci_hdrc_host_driver_init(void) ++{ + ehci_init_driver(&ci_ehci_hc_driver, &ehci_ci_overrides); + orig_bus_suspend = ci_ehci_hc_driver.bus_suspend; + ci_ehci_hc_driver.bus_suspend = ci_ehci_bus_suspend; +- +- return 0; + } +diff --git a/drivers/usb/chipidea/host.h b/drivers/usb/chipidea/host.h +index 5707bf3..0f12f13 100644 +--- a/drivers/usb/chipidea/host.h ++++ b/drivers/usb/chipidea/host.h +@@ -5,6 +5,7 @@ + + int ci_hdrc_host_init(struct ci_hdrc *ci); + void ci_hdrc_host_destroy(struct ci_hdrc *ci); ++void ci_hdrc_host_driver_init(void); + + #else + +@@ -18,6 +19,11 @@ static inline void ci_hdrc_host_destroy(struct ci_hdrc *ci) + + } + ++static void ci_hdrc_host_driver_init(void) ++{ ++ ++} ++ + #endif + + #endif /* __DRIVERS_USB_CHIPIDEA_HOST_H */ +diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c +index 6d3eb8b..5318615 100644 +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -1162,14 +1162,14 @@ afunc_set_alt(struct usb_function *fn, unsigned intf, unsigned alt) + factor = 1000; + } else { + ep_desc = &hs_epin_desc; +- factor = 125; ++ factor = 8000; + } + + /* pre-compute some values for iso_complete() */ + uac2->p_framesize = opts->p_ssize * + num_channels(opts->p_chmask); + rate = opts->p_srate * uac2->p_framesize; +- uac2->p_interval = (1 << (ep_desc->bInterval - 1)) * factor; ++ uac2->p_interval = factor / (1 << (ep_desc->bInterval - 1)); + uac2->p_pktsize = min_t(unsigned int, rate / uac2->p_interval, + prm->max_psize); + +diff --git a/drivers/usb/gadget/udc/udc-core.c b/drivers/usb/gadget/udc/udc-core.c +index d69c355..7d69931 100644 +--- a/drivers/usb/gadget/udc/udc-core.c ++++ b/drivers/usb/gadget/udc/udc-core.c +@@ -321,6 +321,7 @@ err4: + + err3: + put_device(&udc->dev); ++ device_del(&gadget->dev); + + err2: + put_device(&gadget->dev); +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 3e442f7..9a8c936 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1792,7 +1792,8 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) + int size; + int i, j, num_ports; + +- del_timer_sync(&xhci->cmd_timer); ++ if (timer_pending(&xhci->cmd_timer)) ++ del_timer_sync(&xhci->cmd_timer); + + /* Free the Event Ring Segment Table and the actual Event Ring */ + size = sizeof(struct xhci_erst_entry)*(xhci->erst.num_entries); +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index d095677..b3a0a22 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -82,7 +82,7 @@ dma_addr_t xhci_trb_virt_to_dma(struct xhci_segment *seg, + return 0; + /* offset in TRBs */ + segment_offset = trb - seg->trbs; +- if (segment_offset > TRBS_PER_SEGMENT) ++ if (segment_offset >= TRBS_PER_SEGMENT) + return 0; + return seg->dma + (segment_offset * sizeof(*trb)); + } +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 19b85ee..876423b 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1099,6 +1099,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ + { USB_DEVICE_INTERFACE_CLASS(SIERRA_VENDOR_ID, 0x68c0, 0xff), + .driver_info = (kernel_ulong_t)&sierra_mc73xx_blacklist }, /* MC73xx */ ++ { USB_DEVICE_INTERFACE_CLASS(SIERRA_VENDOR_ID, 0x9041, 0xff), ++ .driver_info = (kernel_ulong_t)&sierra_mc73xx_blacklist }, /* MC7305/MC7355 */ + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003), +diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c +index 9c63897..d156545 100644 +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -145,7 +145,6 @@ static const struct usb_device_id id_table[] = { + {DEVICE_SWI(0x1199, 0x901c)}, /* Sierra Wireless EM7700 */ + {DEVICE_SWI(0x1199, 0x901f)}, /* Sierra Wireless EM7355 */ + {DEVICE_SWI(0x1199, 0x9040)}, /* Sierra Wireless Modem */ +- {DEVICE_SWI(0x1199, 0x9041)}, /* Sierra Wireless MC7305/MC7355 */ + {DEVICE_SWI(0x1199, 0x9051)}, /* Netgear AirCard 340U */ + {DEVICE_SWI(0x1199, 0x9053)}, /* Sierra Wireless Modem */ + {DEVICE_SWI(0x1199, 0x9054)}, /* Sierra Wireless Modem */ +@@ -158,6 +157,7 @@ static const struct usb_device_id id_table[] = { + {DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81a8)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81a9)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */ ++ {DEVICE_SWI(0x413c, 0x81b1)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */ + + /* Huawei devices */ + {DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */ +diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c +index 46179a0..07d1ecd 100644 +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -289,6 +289,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68AA, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, ++ { USB_DEVICE(0x1199, 0x68AB) }, /* Sierra Wireless AR8550 */ + /* AT&T Direct IP LTE modems */ + { USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68AA, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c +index 8927485..4bd23bb 100644 +--- a/drivers/xen/gntdev.c ++++ b/drivers/xen/gntdev.c +@@ -568,12 +568,14 @@ static int gntdev_release(struct inode *inode, struct file *flip) + + pr_debug("priv %p\n", priv); + ++ mutex_lock(&priv->lock); + while (!list_empty(&priv->maps)) { + map = list_entry(priv->maps.next, struct grant_map, next); + list_del(&map->next); + gntdev_put_map(NULL /* already removed */, map); + } + WARN_ON(!list_empty(&priv->freeable_maps)); ++ mutex_unlock(&priv->lock); + + if (use_ptemod) + mmu_notifier_unregister(&priv->mn, priv->mm); +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 039f9c8a..6e13504 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -4397,9 +4397,9 @@ laundromat_main(struct work_struct *laundry) + queue_delayed_work(laundry_wq, &nn->laundromat_work, t*HZ); + } + +-static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_ol_stateid *stp) ++static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_stid *stp) + { +- if (!fh_match(&fhp->fh_handle, &stp->st_stid.sc_file->fi_fhandle)) ++ if (!fh_match(&fhp->fh_handle, &stp->sc_file->fi_fhandle)) + return nfserr_bad_stateid; + return nfs_ok; + } +@@ -4574,20 +4574,48 @@ nfsd4_lookup_stateid(struct nfsd4_compound_state *cstate, + return nfs_ok; + } + ++static struct file * ++nfs4_find_file(struct nfs4_stid *s, int flags) ++{ ++ switch (s->sc_type) { ++ case NFS4_DELEG_STID: ++ if (WARN_ON_ONCE(!s->sc_file->fi_deleg_file)) ++ return NULL; ++ return get_file(s->sc_file->fi_deleg_file); ++ case NFS4_OPEN_STID: ++ case NFS4_LOCK_STID: ++ if (flags & RD_STATE) ++ return find_readable_file(s->sc_file); ++ else ++ return find_writeable_file(s->sc_file); ++ break; ++ } ++ ++ return NULL; ++} ++ ++static __be32 ++nfs4_check_olstateid(struct svc_fh *fhp, struct nfs4_ol_stateid *ols, int flags) ++{ ++ __be32 status; ++ ++ status = nfsd4_check_openowner_confirmed(ols); ++ if (status) ++ return status; ++ return nfs4_check_openmode(ols, flags); ++} ++ + /* +-* Checks for stateid operations +-*/ ++ * Checks for stateid operations ++ */ + __be32 + nfs4_preprocess_stateid_op(struct net *net, struct nfsd4_compound_state *cstate, + stateid_t *stateid, int flags, struct file **filpp) + { +- struct nfs4_stid *s; +- struct nfs4_ol_stateid *stp = NULL; +- struct nfs4_delegation *dp = NULL; +- struct svc_fh *current_fh = &cstate->current_fh; +- struct inode *ino = d_inode(current_fh->fh_dentry); ++ struct svc_fh *fhp = &cstate->current_fh; ++ struct inode *ino = d_inode(fhp->fh_dentry); + struct nfsd_net *nn = net_generic(net, nfsd_net_id); +- struct file *file = NULL; ++ struct nfs4_stid *s; + __be32 status; + + if (filpp) +@@ -4597,60 +4625,39 @@ nfs4_preprocess_stateid_op(struct net *net, struct nfsd4_compound_state *cstate, + return nfserr_grace; + + if (ZERO_STATEID(stateid) || ONE_STATEID(stateid)) +- return check_special_stateids(net, current_fh, stateid, flags); ++ return check_special_stateids(net, fhp, stateid, flags); + + status = nfsd4_lookup_stateid(cstate, stateid, + NFS4_DELEG_STID|NFS4_OPEN_STID|NFS4_LOCK_STID, + &s, nn); + if (status) + return status; +- status = check_stateid_generation(stateid, &s->sc_stateid, nfsd4_has_session(cstate)); ++ status = check_stateid_generation(stateid, &s->sc_stateid, ++ nfsd4_has_session(cstate)); + if (status) + goto out; ++ + switch (s->sc_type) { + case NFS4_DELEG_STID: +- dp = delegstateid(s); +- status = nfs4_check_delegmode(dp, flags); +- if (status) +- goto out; +- if (filpp) { +- file = dp->dl_stid.sc_file->fi_deleg_file; +- if (!file) { +- WARN_ON_ONCE(1); +- status = nfserr_serverfault; +- goto out; +- } +- get_file(file); +- } ++ status = nfs4_check_delegmode(delegstateid(s), flags); + break; + case NFS4_OPEN_STID: + case NFS4_LOCK_STID: +- stp = openlockstateid(s); +- status = nfs4_check_fh(current_fh, stp); +- if (status) +- goto out; +- status = nfsd4_check_openowner_confirmed(stp); +- if (status) +- goto out; +- status = nfs4_check_openmode(stp, flags); +- if (status) +- goto out; +- if (filpp) { +- struct nfs4_file *fp = stp->st_stid.sc_file; +- +- if (flags & RD_STATE) +- file = find_readable_file(fp); +- else +- file = find_writeable_file(fp); +- } ++ status = nfs4_check_olstateid(fhp, openlockstateid(s), flags); + break; + default: + status = nfserr_bad_stateid; ++ break; ++ } ++ if (status) + goto out; ++ status = nfs4_check_fh(fhp, s); ++ ++ if (!status && filpp) { ++ *filpp = nfs4_find_file(s, flags); ++ if (!*filpp) ++ status = nfserr_serverfault; + } +- status = nfs_ok; +- if (file) +- *filpp = file; + out: + nfs4_put_stid(s); + return status; +@@ -4754,7 +4761,7 @@ static __be32 nfs4_seqid_op_checks(struct nfsd4_compound_state *cstate, stateid_ + status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate)); + if (status) + return status; +- return nfs4_check_fh(current_fh, stp); ++ return nfs4_check_fh(current_fh, &stp->st_stid); + } + + /* +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index 158badf..d4d8445 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -2142,6 +2142,7 @@ nfsd4_encode_aclname(struct xdr_stream *xdr, struct svc_rqst *rqstp, + #define WORD0_ABSENT_FS_ATTRS (FATTR4_WORD0_FS_LOCATIONS | FATTR4_WORD0_FSID | \ + FATTR4_WORD0_RDATTR_ERROR) + #define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID ++#define WORD2_ABSENT_FS_ATTRS 0 + + #ifdef CONFIG_NFSD_V4_SECURITY_LABEL + static inline __be32 +@@ -2170,7 +2171,7 @@ nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, + { return 0; } + #endif + +-static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *rdattr_err) ++static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *bmval2, u32 *rdattr_err) + { + /* As per referral draft: */ + if (*bmval0 & ~WORD0_ABSENT_FS_ATTRS || +@@ -2183,6 +2184,7 @@ static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *rdattr_err) + } + *bmval0 &= WORD0_ABSENT_FS_ATTRS; + *bmval1 &= WORD1_ABSENT_FS_ATTRS; ++ *bmval2 &= WORD2_ABSENT_FS_ATTRS; + return 0; + } + +@@ -2246,8 +2248,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, + BUG_ON(bmval2 & ~nfsd_suppattrs2(minorversion)); + + if (exp->ex_fslocs.migrated) { +- BUG_ON(bmval[2]); +- status = fattr_handle_absent_fs(&bmval0, &bmval1, &rdattr_err); ++ status = fattr_handle_absent_fs(&bmval0, &bmval1, &bmval2, &rdattr_err); + if (status) + goto out; + } +@@ -2290,8 +2291,8 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, + } + + #ifdef CONFIG_NFSD_V4_SECURITY_LABEL +- if ((bmval[2] & FATTR4_WORD2_SECURITY_LABEL) || +- bmval[0] & FATTR4_WORD0_SUPPORTED_ATTRS) { ++ if ((bmval2 & FATTR4_WORD2_SECURITY_LABEL) || ++ bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) { + err = security_inode_getsecctx(d_inode(dentry), + &context, &contextlen); + contextsupport = (err == 0); +diff --git a/fs/notify/mark.c b/fs/notify/mark.c +index 92e48c7..39ddcaf 100644 +--- a/fs/notify/mark.c ++++ b/fs/notify/mark.c +@@ -412,16 +412,36 @@ void fsnotify_clear_marks_by_group_flags(struct fsnotify_group *group, + unsigned int flags) + { + struct fsnotify_mark *lmark, *mark; ++ LIST_HEAD(to_free); + ++ /* ++ * We have to be really careful here. Anytime we drop mark_mutex, e.g. ++ * fsnotify_clear_marks_by_inode() can come and free marks. Even in our ++ * to_free list so we have to use mark_mutex even when accessing that ++ * list. And freeing mark requires us to drop mark_mutex. So we can ++ * reliably free only the first mark in the list. That's why we first ++ * move marks to free to to_free list in one go and then free marks in ++ * to_free list one by one. ++ */ + mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING); + list_for_each_entry_safe(mark, lmark, &group->marks_list, g_list) { +- if (mark->flags & flags) { +- fsnotify_get_mark(mark); +- fsnotify_destroy_mark_locked(mark, group); +- fsnotify_put_mark(mark); +- } ++ if (mark->flags & flags) ++ list_move(&mark->g_list, &to_free); + } + mutex_unlock(&group->mark_mutex); ++ ++ while (1) { ++ mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING); ++ if (list_empty(&to_free)) { ++ mutex_unlock(&group->mark_mutex); ++ break; ++ } ++ mark = list_first_entry(&to_free, struct fsnotify_mark, g_list); ++ fsnotify_get_mark(mark); ++ fsnotify_destroy_mark_locked(mark, group); ++ mutex_unlock(&group->mark_mutex); ++ fsnotify_put_mark(mark); ++ } + } + + /* +diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c +index f906a25..9ea7012 100644 +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -686,7 +686,7 @@ static int ocfs2_direct_IO_zero_extend(struct ocfs2_super *osb, + + if (p_cpos && !(ext_flags & OCFS2_EXT_UNWRITTEN)) { + u64 s = i_size_read(inode); +- sector_t sector = (p_cpos << (osb->s_clustersize_bits - 9)) + ++ sector_t sector = ((u64)p_cpos << (osb->s_clustersize_bits - 9)) + + (do_div(s, osb->s_clustersize) >> 9); + + ret = blkdev_issue_zeroout(osb->sb->s_bdev, sector, +@@ -911,7 +911,7 @@ static ssize_t ocfs2_direct_IO_write(struct kiocb *iocb, + BUG_ON(!p_cpos || (ext_flags & OCFS2_EXT_UNWRITTEN)); + + ret = blkdev_issue_zeroout(osb->sb->s_bdev, +- p_cpos << (osb->s_clustersize_bits - 9), ++ (u64)p_cpos << (osb->s_clustersize_bits - 9), + zero_len_head >> 9, GFP_NOFS, false); + if (ret < 0) + mlog_errno(ret); +diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c +index 8b23aa2..23157e4 100644 +--- a/fs/ocfs2/dlmglue.c ++++ b/fs/ocfs2/dlmglue.c +@@ -4025,9 +4025,13 @@ static void ocfs2_downconvert_thread_do_work(struct ocfs2_super *osb) + osb->dc_work_sequence = osb->dc_wake_sequence; + + processed = osb->blocked_lock_count; +- while (processed) { +- BUG_ON(list_empty(&osb->blocked_lock_list)); +- ++ /* ++ * blocked lock processing in this loop might call iput which can ++ * remove items off osb->blocked_lock_list. Downconvert up to ++ * 'processed' number of locks, but stop short if we had some ++ * removed in ocfs2_mark_lockres_freeing when downconverting. ++ */ ++ while (processed && !list_empty(&osb->blocked_lock_list)) { + lockres = list_entry(osb->blocked_lock_list.next, + struct ocfs2_lock_res, l_blocked_list); + list_del_init(&lockres->l_blocked_list); +diff --git a/fs/signalfd.c b/fs/signalfd.c +index 7e412ad..270221f 100644 +--- a/fs/signalfd.c ++++ b/fs/signalfd.c +@@ -121,8 +121,9 @@ static int signalfd_copyinfo(struct signalfd_siginfo __user *uinfo, + * Other callers might not initialize the si_lsb field, + * so check explicitly for the right codes here. + */ +- if (kinfo->si_code == BUS_MCEERR_AR || +- kinfo->si_code == BUS_MCEERR_AO) ++ if (kinfo->si_signo == SIGBUS && ++ (kinfo->si_code == BUS_MCEERR_AR || ++ kinfo->si_code == BUS_MCEERR_AO)) + err |= __put_user((short) kinfo->si_addr_lsb, + &uinfo->ssi_addr_lsb); + #endif +diff --git a/include/linux/mtd/nand.h b/include/linux/mtd/nand.h +index 3d4ea7e..12b75f3 100644 +--- a/include/linux/mtd/nand.h ++++ b/include/linux/mtd/nand.h +@@ -176,17 +176,17 @@ typedef enum { + /* Chip may not exist, so silence any errors in scan */ + #define NAND_SCAN_SILENT_NODEV 0x00040000 + /* +- * This option could be defined by controller drivers to protect against +- * kmap'ed, vmalloc'ed highmem buffers being passed from upper layers +- */ +-#define NAND_USE_BOUNCE_BUFFER 0x00080000 +-/* + * Autodetect nand buswidth with readid/onfi. + * This suppose the driver will configure the hardware in 8 bits mode + * when calling nand_scan_ident, and update its configuration + * before calling nand_scan_tail. + */ + #define NAND_BUSWIDTH_AUTO 0x00080000 ++/* ++ * This option could be defined by controller drivers to protect against ++ * kmap'ed, vmalloc'ed highmem buffers being passed from upper layers ++ */ ++#define NAND_USE_BOUNCE_BUFFER 0x00100000 + + /* Options set by nand scan */ + /* Nand scan has allocated controller struct */ +diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h +index efe3443..413417f 100644 +--- a/include/uapi/linux/pci_regs.h ++++ b/include/uapi/linux/pci_regs.h +@@ -319,6 +319,7 @@ + #define PCI_MSIX_PBA 8 /* Pending Bit Array offset */ + #define PCI_MSIX_PBA_BIR 0x00000007 /* BAR index */ + #define PCI_MSIX_PBA_OFFSET 0xfffffff8 /* Offset into specified BAR */ ++#define PCI_MSIX_FLAGS_BIRMASK PCI_MSIX_PBA_BIR /* deprecated */ + #define PCI_CAP_MSIX_SIZEOF 12 /* size of MSIX registers */ + + /* MSI-X Table entry format */ +diff --git a/ipc/mqueue.c b/ipc/mqueue.c +index 3aaea7f..c3fc5c2 100644 +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -143,7 +143,6 @@ static int msg_insert(struct msg_msg *msg, struct mqueue_inode_info *info) + if (!leaf) + return -ENOMEM; + INIT_LIST_HEAD(&leaf->msg_list); +- info->qsize += sizeof(*leaf); + } + leaf->priority = msg->m_type; + rb_link_node(&leaf->rb_node, parent, p); +@@ -188,7 +187,6 @@ try_again: + "lazy leaf delete!\n"); + rb_erase(&leaf->rb_node, &info->msg_tree); + if (info->node_cache) { +- info->qsize -= sizeof(*leaf); + kfree(leaf); + } else { + info->node_cache = leaf; +@@ -201,7 +199,6 @@ try_again: + if (list_empty(&leaf->msg_list)) { + rb_erase(&leaf->rb_node, &info->msg_tree); + if (info->node_cache) { +- info->qsize -= sizeof(*leaf); + kfree(leaf); + } else { + info->node_cache = leaf; +@@ -1026,7 +1023,6 @@ SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqdes, const char __user *, u_msg_ptr, + /* Save our speculative allocation into the cache */ + INIT_LIST_HEAD(&new_leaf->msg_list); + info->node_cache = new_leaf; +- info->qsize += sizeof(*new_leaf); + new_leaf = NULL; + } else { + kfree(new_leaf); +@@ -1133,7 +1129,6 @@ SYSCALL_DEFINE5(mq_timedreceive, mqd_t, mqdes, char __user *, u_msg_ptr, + /* Save our speculative allocation into the cache */ + INIT_LIST_HEAD(&new_leaf->msg_list); + info->node_cache = new_leaf; +- info->qsize += sizeof(*new_leaf); + } else { + kfree(new_leaf); + } +diff --git a/kernel/signal.c b/kernel/signal.c +index d51c5dd..0206be7 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2753,12 +2753,15 @@ int copy_siginfo_to_user(siginfo_t __user *to, const siginfo_t *from) + * Other callers might not initialize the si_lsb field, + * so check explicitly for the right codes here. + */ +- if (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO) ++ if (from->si_signo == SIGBUS && ++ (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO)) + err |= __put_user(from->si_addr_lsb, &to->si_addr_lsb); + #endif + #ifdef SEGV_BNDERR +- err |= __put_user(from->si_lower, &to->si_lower); +- err |= __put_user(from->si_upper, &to->si_upper); ++ if (from->si_signo == SIGSEGV && from->si_code == SEGV_BNDERR) { ++ err |= __put_user(from->si_lower, &to->si_lower); ++ err |= __put_user(from->si_upper, &to->si_upper); ++ } + #endif + break; + case __SI_CHLD: +@@ -3022,7 +3025,7 @@ COMPAT_SYSCALL_DEFINE3(rt_sigqueueinfo, + int, sig, + struct compat_siginfo __user *, uinfo) + { +- siginfo_t info; ++ siginfo_t info = {}; + int ret = copy_siginfo_from_user32(&info, uinfo); + if (unlikely(ret)) + return ret; +@@ -3066,7 +3069,7 @@ COMPAT_SYSCALL_DEFINE4(rt_tgsigqueueinfo, + int, sig, + struct compat_siginfo __user *, uinfo) + { +- siginfo_t info; ++ siginfo_t info = {}; + + if (copy_siginfo_from_user32(&info, uinfo)) + return -EFAULT; +diff --git a/mm/vmscan.c b/mm/vmscan.c +index 5e8eadd..0d024fc 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -937,21 +937,17 @@ static unsigned long shrink_page_list(struct list_head *page_list, + * + * 2) Global reclaim encounters a page, memcg encounters a + * page that is not marked for immediate reclaim or +- * the caller does not have __GFP_IO. In this case mark ++ * the caller does not have __GFP_FS (or __GFP_IO if it's ++ * simply going to swap, not to fs). In this case mark + * the page for immediate reclaim and continue scanning. + * +- * __GFP_IO is checked because a loop driver thread might ++ * Require may_enter_fs because we would wait on fs, which ++ * may not have submitted IO yet. And the loop driver might + * enter reclaim, and deadlock if it waits on a page for + * which it is needed to do the write (loop masks off + * __GFP_IO|__GFP_FS for this reason); but more thought + * would probably show more reasons. + * +- * Don't require __GFP_FS, since we're not going into the +- * FS, just waiting on its writeback completion. Worryingly, +- * ext4 gfs2 and xfs allocate pages with +- * grab_cache_page_write_begin(,,AOP_FLAG_NOFS), so testing +- * may_enter_fs here is liable to OOM on them. +- * + * 3) memcg encounters a page that is not already marked + * PageReclaim. memcg does not have any dirty pages + * throttling so we could easily OOM just because too many +@@ -968,7 +964,7 @@ static unsigned long shrink_page_list(struct list_head *page_list, + + /* Case 2 above */ + } else if (global_reclaim(sc) || +- !PageReclaim(page) || !(sc->gfp_mask & __GFP_IO)) { ++ !PageReclaim(page) || !may_enter_fs) { + /* + * This is slightly racy - end_page_writeback() + * might have just cleared PageReclaim, then +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index 1ab3dc9..7b815bc 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -2295,6 +2295,10 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) + return 1; + + chan = conn->smp; ++ if (!chan) { ++ BT_ERR("SMP security requested but not available"); ++ return 1; ++ } + + if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) + return 1; +diff --git a/sound/firewire/amdtp.c b/sound/firewire/amdtp.c +index e061355..bf20593 100644 +--- a/sound/firewire/amdtp.c ++++ b/sound/firewire/amdtp.c +@@ -730,8 +730,9 @@ static void handle_in_packet(struct amdtp_stream *s, + s->data_block_counter != UINT_MAX) + data_block_counter = s->data_block_counter; + +- if (((s->flags & CIP_SKIP_DBC_ZERO_CHECK) && data_block_counter == 0) || +- (s->data_block_counter == UINT_MAX)) { ++ if (((s->flags & CIP_SKIP_DBC_ZERO_CHECK) && ++ data_block_counter == s->tx_first_dbc) || ++ s->data_block_counter == UINT_MAX) { + lost = false; + } else if (!(s->flags & CIP_DBC_IS_END_EVENT)) { + lost = data_block_counter != s->data_block_counter; +diff --git a/sound/firewire/amdtp.h b/sound/firewire/amdtp.h +index 8a03a91..25c9055 100644 +--- a/sound/firewire/amdtp.h ++++ b/sound/firewire/amdtp.h +@@ -153,6 +153,8 @@ struct amdtp_stream { + + /* quirk: fixed interval of dbc between previos/current packets. */ + unsigned int tx_dbc_interval; ++ /* quirk: indicate the value of dbc field in a first packet. */ ++ unsigned int tx_first_dbc; + + bool callbacked; + wait_queue_head_t callback_wait; +diff --git a/sound/firewire/fireworks/fireworks.c b/sound/firewire/fireworks/fireworks.c +index 2682e7e..c94a432 100644 +--- a/sound/firewire/fireworks/fireworks.c ++++ b/sound/firewire/fireworks/fireworks.c +@@ -248,8 +248,16 @@ efw_probe(struct fw_unit *unit, + err = get_hardware_info(efw); + if (err < 0) + goto error; ++ /* AudioFire8 (since 2009) and AudioFirePre8 */ + if (entry->model_id == MODEL_ECHO_AUDIOFIRE_9) + efw->is_af9 = true; ++ /* These models uses the same firmware. */ ++ if (entry->model_id == MODEL_ECHO_AUDIOFIRE_2 || ++ entry->model_id == MODEL_ECHO_AUDIOFIRE_4 || ++ entry->model_id == MODEL_ECHO_AUDIOFIRE_9 || ++ entry->model_id == MODEL_GIBSON_RIP || ++ entry->model_id == MODEL_GIBSON_GOLDTOP) ++ efw->is_fireworks3 = true; + + snd_efw_proc_init(efw); + +diff --git a/sound/firewire/fireworks/fireworks.h b/sound/firewire/fireworks/fireworks.h +index 4f0201a..084d414 100644 +--- a/sound/firewire/fireworks/fireworks.h ++++ b/sound/firewire/fireworks/fireworks.h +@@ -71,6 +71,7 @@ struct snd_efw { + + /* for quirks */ + bool is_af9; ++ bool is_fireworks3; + u32 firmware_version; + + unsigned int midi_in_ports; +diff --git a/sound/firewire/fireworks/fireworks_stream.c b/sound/firewire/fireworks/fireworks_stream.c +index c55db1b..7e353f1 100644 +--- a/sound/firewire/fireworks/fireworks_stream.c ++++ b/sound/firewire/fireworks/fireworks_stream.c +@@ -172,6 +172,15 @@ int snd_efw_stream_init_duplex(struct snd_efw *efw) + efw->tx_stream.flags |= CIP_DBC_IS_END_EVENT; + /* Fireworks reset dbc at bus reset. */ + efw->tx_stream.flags |= CIP_SKIP_DBC_ZERO_CHECK; ++ /* ++ * But Recent firmwares starts packets with non-zero dbc. ++ * Driver version 5.7.6 installs firmware version 5.7.3. ++ */ ++ if (efw->is_fireworks3 && ++ (efw->firmware_version == 0x5070000 || ++ efw->firmware_version == 0x5070300 || ++ efw->firmware_version == 0x5080000)) ++ efw->tx_stream.tx_first_dbc = 0x02; + /* AudioFire9 always reports wrong dbs. */ + if (efw->is_af9) + efw->tx_stream.flags |= CIP_WRONG_DBS; +diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c +index 50e9dd6..3a24f77 100644 +--- a/sound/pci/hda/patch_cirrus.c ++++ b/sound/pci/hda/patch_cirrus.c +@@ -1001,9 +1001,7 @@ static void cs4210_spdif_automute(struct hda_codec *codec, + + spec->spdif_present = spdif_present; + /* SPDIF TX on/off */ +- if (spdif_present) +- snd_hda_set_pin_ctl(codec, spdif_pin, +- spdif_present ? PIN_OUT : 0); ++ snd_hda_set_pin_ctl(codec, spdif_pin, spdif_present ? PIN_OUT : 0); + + cs_automute(codec); + } +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 590bcfb0..1e99f07 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5118,6 +5118,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1028, 0x06c7, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x06d9, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x06da, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1028, 0x06de, "Dell", ALC292_FIXUP_DISABLE_AAMIX), + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2), +diff --git a/sound/soc/codecs/pcm1681.c b/sound/soc/codecs/pcm1681.c +index 477e13d..e7ba557 100644 +--- a/sound/soc/codecs/pcm1681.c ++++ b/sound/soc/codecs/pcm1681.c +@@ -102,7 +102,7 @@ static int pcm1681_set_deemph(struct snd_soc_codec *codec) + + if (val != -1) { + regmap_update_bits(priv->regmap, PCM1681_DEEMPH_CONTROL, +- PCM1681_DEEMPH_RATE_MASK, val); ++ PCM1681_DEEMPH_RATE_MASK, val << 3); + enable = 1; + } else + enable = 0; +diff --git a/sound/soc/codecs/ssm4567.c b/sound/soc/codecs/ssm4567.c +index a984485..f7549cc 100644 +--- a/sound/soc/codecs/ssm4567.c ++++ b/sound/soc/codecs/ssm4567.c +@@ -315,7 +315,13 @@ static int ssm4567_set_dai_fmt(struct snd_soc_dai *dai, unsigned int fmt) + if (invert_fclk) + ctrl1 |= SSM4567_SAI_CTRL_1_FSYNC; + +- return regmap_write(ssm4567->regmap, SSM4567_REG_SAI_CTRL_1, ctrl1); ++ return regmap_update_bits(ssm4567->regmap, SSM4567_REG_SAI_CTRL_1, ++ SSM4567_SAI_CTRL_1_BCLK | ++ SSM4567_SAI_CTRL_1_FSYNC | ++ SSM4567_SAI_CTRL_1_LJ | ++ SSM4567_SAI_CTRL_1_TDM | ++ SSM4567_SAI_CTRL_1_PDM, ++ ctrl1); + } + + static int ssm4567_set_power(struct ssm4567 *ssm4567, bool enable) +diff --git a/sound/soc/intel/atom/sst/sst_drv_interface.c b/sound/soc/intel/atom/sst/sst_drv_interface.c +index 7b50a9d..edc1869 100644 +--- a/sound/soc/intel/atom/sst/sst_drv_interface.c ++++ b/sound/soc/intel/atom/sst/sst_drv_interface.c +@@ -42,6 +42,11 @@ + #define MIN_FRAGMENT_SIZE (50 * 1024) + #define MAX_FRAGMENT_SIZE (1024 * 1024) + #define SST_GET_BYTES_PER_SAMPLE(pcm_wd_sz) (((pcm_wd_sz + 15) >> 4) << 1) ++#ifdef CONFIG_PM ++#define GET_USAGE_COUNT(dev) (atomic_read(&dev->power.usage_count)) ++#else ++#define GET_USAGE_COUNT(dev) 1 ++#endif + + int free_stream_context(struct intel_sst_drv *ctx, unsigned int str_id) + { +@@ -141,15 +146,9 @@ static int sst_power_control(struct device *dev, bool state) + int ret = 0; + int usage_count = 0; + +-#ifdef CONFIG_PM +- usage_count = atomic_read(&dev->power.usage_count); +-#else +- usage_count = 1; +-#endif +- + if (state == true) { + ret = pm_runtime_get_sync(dev); +- ++ usage_count = GET_USAGE_COUNT(dev); + dev_dbg(ctx->dev, "Enable: pm usage count: %d\n", usage_count); + if (ret < 0) { + dev_err(ctx->dev, "Runtime get failed with err: %d\n", ret); +@@ -164,6 +163,7 @@ static int sst_power_control(struct device *dev, bool state) + } + } + } else { ++ usage_count = GET_USAGE_COUNT(dev); + dev_dbg(ctx->dev, "Disable: pm usage count: %d\n", usage_count); + return sst_pm_runtime_put(ctx); + } +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index 158204d..b6c12dc 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -1811,6 +1811,7 @@ static ssize_t dapm_widget_power_read_file(struct file *file, + size_t count, loff_t *ppos) + { + struct snd_soc_dapm_widget *w = file->private_data; ++ struct snd_soc_card *card = w->dapm->card; + char *buf; + int in, out; + ssize_t ret; +@@ -1820,6 +1821,8 @@ static ssize_t dapm_widget_power_read_file(struct file *file, + if (!buf) + return -ENOMEM; + ++ mutex_lock(&card->dapm_mutex); ++ + /* Supply widgets are not handled by is_connected_{input,output}_ep() */ + if (w->is_supply) { + in = 0; +@@ -1866,6 +1869,8 @@ static ssize_t dapm_widget_power_read_file(struct file *file, + p->sink->name); + } + ++ mutex_unlock(&card->dapm_mutex); ++ + ret = simple_read_from_buffer(user_buf, count, ppos, buf, ret); + + kfree(buf); +@@ -2140,11 +2145,15 @@ static ssize_t dapm_widget_show(struct device *dev, + struct snd_soc_pcm_runtime *rtd = dev_get_drvdata(dev); + int i, count = 0; + ++ mutex_lock(&rtd->card->dapm_mutex); ++ + for (i = 0; i < rtd->num_codecs; i++) { + struct snd_soc_codec *codec = rtd->codec_dais[i]->codec; + count += dapm_widget_show_codec(codec, buf + count); + } + ++ mutex_unlock(&rtd->card->dapm_mutex); ++ + return count; + } + +@@ -3100,16 +3109,10 @@ snd_soc_dapm_new_control(struct snd_soc_dapm_context *dapm, + } + + prefix = soc_dapm_prefix(dapm); +- if (prefix) { ++ if (prefix) + w->name = kasprintf(GFP_KERNEL, "%s %s", prefix, widget->name); +- if (widget->sname) +- w->sname = kasprintf(GFP_KERNEL, "%s %s", prefix, +- widget->sname); +- } else { ++ else + w->name = kasprintf(GFP_KERNEL, "%s", widget->name); +- if (widget->sname) +- w->sname = kasprintf(GFP_KERNEL, "%s", widget->sname); +- } + if (w->name == NULL) { + kfree(w); + return NULL; +@@ -3557,7 +3560,7 @@ int snd_soc_dapm_link_dai_widgets(struct snd_soc_card *card) + break; + } + +- if (!w->sname || !strstr(w->sname, dai_w->name)) ++ if (!w->sname || !strstr(w->sname, dai_w->sname)) + continue; + + if (dai_w->id == snd_soc_dapm_dai_in) { diff --git a/4.1.5/4420_grsecurity-3.1-4.1.5-201508142233.patch b/4.1.6/4420_grsecurity-3.1-4.1.6-201508181953.patch index 5e56e38..ddef976 100644 --- a/4.1.5/4420_grsecurity-3.1-4.1.5-201508142233.patch +++ b/4.1.6/4420_grsecurity-3.1-4.1.6-201508181953.patch @@ -406,7 +406,7 @@ index c831001..1bfbbf6 100644 A toggle value indicating if modules are allowed to be loaded diff --git a/Makefile b/Makefile -index 068dd69..e4ad6b7 100644 +index 838dabc..90df77d 100644 --- a/Makefile +++ b/Makefile @@ -299,7 +299,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -3643,7 +3643,7 @@ index 78c02b3..c94109a 100644 struct omap_device *omap_device_alloc(struct platform_device *pdev, struct omap_hwmod **ohs, int oh_cnt); diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c -index 752969f..a34b446 100644 +index 5286e77..fdd234c 100644 --- a/arch/arm/mach-omap2/omap_hwmod.c +++ b/arch/arm/mach-omap2/omap_hwmod.c @@ -199,10 +199,10 @@ struct omap_hwmod_soc_ops { @@ -6588,7 +6588,7 @@ index b336037..5b874cc 100644 /* diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h -index 819af9d..439839d 100644 +index 70f6e7f..11f4ada 100644 --- a/arch/mips/include/asm/pgtable.h +++ b/arch/mips/include/asm/pgtable.h @@ -20,6 +20,9 @@ @@ -6892,10 +6892,10 @@ index 2242bdd..b284048 100644 } /* Arrange for an interrupt in a short while */ diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c -index d2d1c19..3e21d8d 100644 +index 5f5f44e..cf10625 100644 --- a/arch/mips/kernel/traps.c +++ b/arch/mips/kernel/traps.c -@@ -689,7 +689,18 @@ asmlinkage void do_ov(struct pt_regs *regs) +@@ -696,7 +696,18 @@ asmlinkage void do_ov(struct pt_regs *regs) siginfo_t info; prev_state = exception_enter(); @@ -9056,10 +9056,10 @@ index f21897b..28c0428 100644 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c -index d3a831a..3a33123 100644 +index da50e0c..5ff6307 100644 --- a/arch/powerpc/kernel/signal_32.c +++ b/arch/powerpc/kernel/signal_32.c -@@ -1011,7 +1011,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset, +@@ -1009,7 +1009,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset, /* Save user registers on the stack */ frame = &rt_sf->uc.uc_mcontext; addr = frame; @@ -10470,40 +10470,6 @@ index a35194b..47dabc0d 100644 if (unlikely(ret)) ret = copy_to_user_fixup(to, from, size); return ret; -diff --git a/arch/sparc/include/asm/visasm.h b/arch/sparc/include/asm/visasm.h -index 1f0aa20..6424249 100644 ---- a/arch/sparc/include/asm/visasm.h -+++ b/arch/sparc/include/asm/visasm.h -@@ -28,16 +28,10 @@ - * Must preserve %o5 between VISEntryHalf and VISExitHalf */ - - #define VISEntryHalf \ -- rd %fprs, %o5; \ -- andcc %o5, FPRS_FEF, %g0; \ -- be,pt %icc, 297f; \ -- sethi %hi(298f), %g7; \ -- sethi %hi(VISenterhalf), %g1; \ -- jmpl %g1 + %lo(VISenterhalf), %g0; \ -- or %g7, %lo(298f), %g7; \ -- clr %o5; \ --297: wr %o5, FPRS_FEF, %fprs; \ --298: -+ VISEntry -+ -+#define VISExitHalf \ -+ VISExit - - #define VISEntryHalfFast(fail_label) \ - rd %fprs, %o5; \ -@@ -47,7 +41,7 @@ - ba,a,pt %xcc, fail_label; \ - 297: wr %o5, FPRS_FEF, %fprs; - --#define VISExitHalf \ -+#define VISExitHalfFast \ - wr %o5, 0, %fprs; - - #ifndef __ASSEMBLY__ diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile index 7cf9c6e..6206648 100644 --- a/arch/sparc/kernel/Makefile @@ -11154,105 +11120,6 @@ index 3269b02..64f5231 100644 lib-$(CONFIG_SPARC32) += ashrdi3.o lib-$(CONFIG_SPARC32) += memcpy.o memset.o -diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S -index 140527a..83aeeb1 100644 ---- a/arch/sparc/lib/NG4memcpy.S -+++ b/arch/sparc/lib/NG4memcpy.S -@@ -240,8 +240,11 @@ FUNC_NAME: /* %o0=dst, %o1=src, %o2=len */ - add %o0, 0x40, %o0 - bne,pt %icc, 1b - LOAD(prefetch, %g1 + 0x200, #n_reads_strong) -+#ifdef NON_USER_COPY -+ VISExitHalfFast -+#else - VISExitHalf -- -+#endif - brz,pn %o2, .Lexit - cmp %o2, 19 - ble,pn %icc, .Lsmall_unaligned -diff --git a/arch/sparc/lib/VISsave.S b/arch/sparc/lib/VISsave.S -index b320ae9..a063d84 100644 ---- a/arch/sparc/lib/VISsave.S -+++ b/arch/sparc/lib/VISsave.S -@@ -44,9 +44,8 @@ vis1: ldub [%g6 + TI_FPSAVED], %g3 - - stx %g3, [%g6 + TI_GSR] - 2: add %g6, %g1, %g3 -- cmp %o5, FPRS_DU -- be,pn %icc, 6f -- sll %g1, 3, %g1 -+ mov FPRS_DU | FPRS_DL | FPRS_FEF, %o5 -+ sll %g1, 3, %g1 - stb %o5, [%g3 + TI_FPSAVED] - rd %gsr, %g2 - add %g6, %g1, %g3 -@@ -80,65 +79,3 @@ vis1: ldub [%g6 + TI_FPSAVED], %g3 - .align 32 - 80: jmpl %g7 + %g0, %g0 - nop -- --6: ldub [%g3 + TI_FPSAVED], %o5 -- or %o5, FPRS_DU, %o5 -- add %g6, TI_FPREGS+0x80, %g2 -- stb %o5, [%g3 + TI_FPSAVED] -- -- sll %g1, 5, %g1 -- add %g6, TI_FPREGS+0xc0, %g3 -- wr %g0, FPRS_FEF, %fprs -- membar #Sync -- stda %f32, [%g2 + %g1] ASI_BLK_P -- stda %f48, [%g3 + %g1] ASI_BLK_P -- membar #Sync -- ba,pt %xcc, 80f -- nop -- -- .align 32 --80: jmpl %g7 + %g0, %g0 -- nop -- -- .align 32 --VISenterhalf: -- ldub [%g6 + TI_FPDEPTH], %g1 -- brnz,a,pn %g1, 1f -- cmp %g1, 1 -- stb %g0, [%g6 + TI_FPSAVED] -- stx %fsr, [%g6 + TI_XFSR] -- clr %o5 -- jmpl %g7 + %g0, %g0 -- wr %g0, FPRS_FEF, %fprs -- --1: bne,pn %icc, 2f -- srl %g1, 1, %g1 -- ba,pt %xcc, vis1 -- sub %g7, 8, %g7 --2: addcc %g6, %g1, %g3 -- sll %g1, 3, %g1 -- andn %o5, FPRS_DU, %g2 -- stb %g2, [%g3 + TI_FPSAVED] -- -- rd %gsr, %g2 -- add %g6, %g1, %g3 -- stx %g2, [%g3 + TI_GSR] -- add %g6, %g1, %g2 -- stx %fsr, [%g2 + TI_XFSR] -- sll %g1, 5, %g1 --3: andcc %o5, FPRS_DL, %g0 -- be,pn %icc, 4f -- add %g6, TI_FPREGS, %g2 -- -- add %g6, TI_FPREGS+0x40, %g3 -- membar #Sync -- stda %f0, [%g2 + %g1] ASI_BLK_P -- stda %f16, [%g3 + %g1] ASI_BLK_P -- membar #Sync -- ba,pt %xcc, 4f -- nop -- -- .align 32 --4: and %o5, FPRS_DU, %o5 -- jmpl %g7 + %g0, %g0 -- wr %o5, FPRS_FEF, %fprs diff --git a/arch/sparc/lib/atomic_64.S b/arch/sparc/lib/atomic_64.S index 05dac43..76f8ed4 100644 --- a/arch/sparc/lib/atomic_64.S @@ -11375,7 +11242,7 @@ index 05dac43..76f8ed4 100644 ENTRY(atomic64_dec_if_positive) /* %o0 = atomic_ptr */ BACKOFF_SETUP(%o2) diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c -index 1d649a9..c2e23c4 100644 +index 8069ce1..c2e23c4 100644 --- a/arch/sparc/lib/ksyms.c +++ b/arch/sparc/lib/ksyms.c @@ -101,7 +101,9 @@ EXPORT_SYMBOL(__clear_user); @@ -11398,17 +11265,6 @@ index 1d649a9..c2e23c4 100644 ATOMIC_OPS(sub) #undef ATOMIC_OPS -@@ -135,10 +139,6 @@ EXPORT_SYMBOL(copy_user_page); - void VISenter(void); - EXPORT_SYMBOL(VISenter); - --/* CRYPTO code needs this */ --void VISenterhalf(void); --EXPORT_SYMBOL(VISenterhalf); -- - extern void xor_vis_2(unsigned long, unsigned long *, unsigned long *); - extern void xor_vis_3(unsigned long, unsigned long *, unsigned long *, - unsigned long *); diff --git a/arch/sparc/mm/Makefile b/arch/sparc/mm/Makefile index 30c3ecc..736f015 100644 --- a/arch/sparc/mm/Makefile @@ -12608,7 +12464,7 @@ index ad8f795..2c7eec6 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 226d569..d420edc 100644 +index 226d569..297bf74 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -32,7 +32,7 @@ config X86 @@ -12679,7 +12535,15 @@ index 226d569..d420edc 100644 default 0x40000000 if VMSPLIT_1G default 0xC0000000 depends on X86_32 -@@ -1717,6 +1721,7 @@ source kernel/Kconfig.hz +@@ -1286,7 +1290,6 @@ config X86_PAE + + config ARCH_PHYS_ADDR_T_64BIT + def_bool y +- depends on X86_64 || X86_PAE + + config ARCH_DMA_ADDR_T_64BIT + def_bool y +@@ -1717,6 +1720,7 @@ source kernel/Kconfig.hz config KEXEC bool "kexec system call" @@ -12687,7 +12551,7 @@ index 226d569..d420edc 100644 ---help--- kexec is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot -@@ -1899,7 +1904,9 @@ config X86_NEED_RELOCS +@@ -1899,7 +1903,9 @@ config X86_NEED_RELOCS config PHYSICAL_ALIGN hex "Alignment value to which kernel should be aligned" @@ -12698,7 +12562,7 @@ index 226d569..d420edc 100644 range 0x2000 0x1000000 if X86_32 range 0x200000 0x1000000 if X86_64 ---help--- -@@ -1982,6 +1989,7 @@ config COMPAT_VDSO +@@ -1982,6 +1988,7 @@ config COMPAT_VDSO def_bool n prompt "Disable the 32-bit vDSO (needed for glibc 2.3.3)" depends on X86_32 || IA32_EMULATION @@ -12706,7 +12570,7 @@ index 226d569..d420edc 100644 ---help--- Certain buggy versions of glibc will crash if they are presented with a 32-bit vDSO that is not mapped at the address -@@ -2046,6 +2054,22 @@ config CMDLINE_OVERRIDE +@@ -2046,6 +2053,22 @@ config CMDLINE_OVERRIDE This is used to work around broken boot loaders. This should be set to 'N' under normal conditions. @@ -17786,8 +17650,33 @@ index 802dde3..9183e68 100644 #endif /* __ASSEMBLY__ */ #include <asm-generic/memory_model.h> +diff --git a/arch/x86/include/asm/page_32.h b/arch/x86/include/asm/page_32.h +index 904f528..b4d0d24 100644 +--- a/arch/x86/include/asm/page_32.h ++++ b/arch/x86/include/asm/page_32.h +@@ -7,11 +7,17 @@ + + #define __phys_addr_nodebug(x) ((x) - PAGE_OFFSET) + #ifdef CONFIG_DEBUG_VIRTUAL +-extern unsigned long __phys_addr(unsigned long); ++extern unsigned long __intentional_overflow(-1) __phys_addr(unsigned long); + #else +-#define __phys_addr(x) __phys_addr_nodebug(x) ++static inline unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x) ++{ ++ return __phys_addr_nodebug(x); ++} + #endif +-#define __phys_addr_symbol(x) __phys_addr(x) ++static inline unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long x) ++{ ++ return __phys_addr(x); ++} + #define __phys_reloc_hide(x) RELOC_HIDE((x), 0) + + #ifdef CONFIG_FLATMEM diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h -index b3bebf9..13ac22e 100644 +index b3bebf9..b7e1204 100644 --- a/arch/x86/include/asm/page_64.h +++ b/arch/x86/include/asm/page_64.h @@ -7,9 +7,9 @@ @@ -17802,7 +17691,7 @@ index b3bebf9..13ac22e 100644 { unsigned long y = x - __START_KERNEL_map; -@@ -20,8 +20,8 @@ static inline unsigned long __phys_addr_nodebug(unsigned long x) +@@ -20,12 +20,14 @@ static inline unsigned long __phys_addr_nodebug(unsigned long x) } #ifdef CONFIG_DEBUG_VIRTUAL @@ -17812,7 +17701,15 @@ index b3bebf9..13ac22e 100644 +extern unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long); #else #define __phys_addr(x) __phys_addr_nodebug(x) - #define __phys_addr_symbol(x) \ +-#define __phys_addr_symbol(x) \ +- ((unsigned long)(x) - __START_KERNEL_map + phys_base) ++static inline unsigned long __intentional_overflow(-1) __phys_addr_symbol(const void *x) ++{ ++ return (unsigned long)x - __START_KERNEL_map + phys_base; ++} + #endif + + #define __phys_reloc_hide(x) (x) diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h index 8957810..f34efb4 100644 --- a/arch/x86/include/asm/paravirt.h @@ -19466,10 +19363,10 @@ index b4bdec3..e8af9bc 100644 #endif #endif /* _ASM_X86_THREAD_INFO_H */ diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h -index cd79194..c72ad3f 100644 +index cd79194..6a9956f 100644 --- a/arch/x86/include/asm/tlbflush.h +++ b/arch/x86/include/asm/tlbflush.h -@@ -86,18 +86,45 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask) +@@ -86,18 +86,44 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask) static inline void __native_flush_tlb(void) { @@ -19492,7 +19389,6 @@ index cd79194..c72ad3f 100644 + } +#endif + -+ native_write_cr3(native_read_cr3()); } @@ -19521,7 +19417,7 @@ index cd79194..c72ad3f 100644 } static inline void __native_flush_tlb_global(void) -@@ -118,6 +145,43 @@ static inline void __native_flush_tlb_global(void) +@@ -118,6 +144,43 @@ static inline void __native_flush_tlb_global(void) static inline void __native_flush_tlb_single(unsigned long addr) { @@ -20681,7 +20577,7 @@ index 665c6b7..eae4d56 100644 bogus_magic: jmp bogus_magic diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c -index aef6531..2044b66 100644 +index aef6531..d7ca83a 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -248,7 +248,9 @@ static void __init_or_module add_nops(void *insns, unsigned int len) @@ -20694,55 +20590,115 @@ index aef6531..2044b66 100644 insns += noplen; len -= noplen; } -@@ -276,6 +278,11 @@ recompute_jump(struct alt_instr *a, u8 *orig_insn, u8 *repl_insn, u8 *insnbuf) +@@ -276,6 +278,13 @@ recompute_jump(struct alt_instr *a, u8 *orig_insn, u8 *repl_insn, u8 *insnbuf) if (a->replacementlen != 5) return; +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) + if (orig_insn < (u8 *)_text || (u8 *)_einittext <= orig_insn) + orig_insn = ktva_ktla(orig_insn); ++ else ++ orig_insn -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; +#endif + o_dspl = *(s32 *)(insnbuf + 1); /* next_rip of the replacement JMP */ -@@ -362,7 +369,23 @@ void __init_or_module apply_alternatives(struct alt_instr *start, +@@ -346,6 +355,7 @@ void __init_or_module apply_alternatives(struct alt_instr *start, + { + struct alt_instr *a; + u8 *instr, *replacement; ++ u8 *vinstr, *vreplacement; + u8 insnbuf[MAX_PATCH_LEN]; + + DPRINTK("alt table %p -> %p", start, end); +@@ -361,46 +371,71 @@ void __init_or_module apply_alternatives(struct alt_instr *start, + for (a = start; a < end; a++) { int insnbuf_sz = 0; - instr = (u8 *)&a->instr_offset + a->instr_offset; +- instr = (u8 *)&a->instr_offset + a->instr_offset; +- replacement = (u8 *)&a->repl_offset + a->repl_offset; ++ vinstr = instr = (u8 *)&a->instr_offset + a->instr_offset; + +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) -+ if ((u8 *)_text <= instr && instr < (u8 *)_einittext) { ++ if ((u8 *)_text - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR) <= instr && ++ instr < (u8 *)_einittext - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR)) { + instr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; -+ instr = ktla_ktva(instr); ++ vinstr = ktla_ktva(instr); ++ } else if ((u8 *)_text <= instr && instr < (u8 *)_einittext) { ++ vinstr = ktla_ktva(instr); ++ } else { ++ instr = ktva_ktla(instr); + } +#endif + - replacement = (u8 *)&a->repl_offset + a->repl_offset; ++ vreplacement = replacement = (u8 *)&a->repl_offset + a->repl_offset; + +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) -+ if ((u8 *)_text <= replacement && replacement < (u8 *)_einittext) { ++ if ((u8 *)_text - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR) <= replacement && ++ replacement < (u8 *)_einittext - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR)) { + replacement += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; -+ replacement = ktla_ktva(replacement); -+ } ++ vreplacement = ktla_ktva(replacement); ++ } else if ((u8 *)_text <= replacement && replacement < (u8 *)_einittext) { ++ vreplacement = ktla_ktva(replacement); ++ } else ++ replacement = ktva_ktla(replacement); +#endif + BUG_ON(a->instrlen > sizeof(insnbuf)); BUG_ON(a->cpuid >= (NCAPINTS + NBUGINTS) * 32); if (!boot_cpu_has(a->cpuid)) { -@@ -402,6 +425,11 @@ void __init_or_module apply_alternatives(struct alt_instr *start, + if (a->padlen > 1) +- optimize_nops(a, instr); ++ optimize_nops(a, vinstr); + + continue; } - DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", instr); -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) -+ if (instr < (u8 *)_text || (u8 *)_einittext <= instr) -+ instr = ktva_ktla(instr); -+#endif -+ +- DPRINTK("feat: %d*32+%d, old: (%p, len: %d), repl: (%p, len: %d), pad: %d", ++ DPRINTK("feat: %d*32+%d, old: (%p/%p, len: %d), repl: (%p, len: %d), pad: %d", + a->cpuid >> 5, + a->cpuid & 0x1f, +- instr, a->instrlen, +- replacement, a->replacementlen, a->padlen); ++ instr, vinstr, a->instrlen, ++ vreplacement, a->replacementlen, a->padlen); + +- DUMP_BYTES(instr, a->instrlen, "%p: old_insn: ", instr); +- DUMP_BYTES(replacement, a->replacementlen, "%p: rpl_insn: ", replacement); ++ DUMP_BYTES(vinstr, a->instrlen, "%p: old_insn: ", vinstr); ++ DUMP_BYTES(vreplacement, a->replacementlen, "%p: rpl_insn: ", vreplacement); + +- memcpy(insnbuf, replacement, a->replacementlen); ++ memcpy(insnbuf, vreplacement, a->replacementlen); + insnbuf_sz = a->replacementlen; + + /* 0xe8 is a relative jump; fix the offset. */ + if (*insnbuf == 0xe8 && a->replacementlen == 5) { +- *(s32 *)(insnbuf + 1) += replacement - instr; ++ *(s32 *)(insnbuf + 1) += vreplacement - vinstr; + DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx", + *(s32 *)(insnbuf + 1), +- (unsigned long)instr + *(s32 *)(insnbuf + 1) + 5); ++ (unsigned long)vinstr + *(s32 *)(insnbuf + 1) + 5); + } + +- if (a->replacementlen && is_jmp(replacement[0])) +- recompute_jump(a, instr, replacement, insnbuf); ++ if (a->replacementlen && is_jmp(vreplacement[0])) ++ recompute_jump(a, instr, vreplacement, insnbuf); + + if (a->instrlen > a->replacementlen) { + add_nops(insnbuf + a->replacementlen, + a->instrlen - a->replacementlen); + insnbuf_sz += a->instrlen - a->replacementlen; + } +- DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", instr); ++ DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", vinstr); + text_poke_early(instr, insnbuf, insnbuf_sz); } - } -@@ -416,10 +444,16 @@ static void alternatives_smp_lock(const s32 *start, const s32 *end, +@@ -416,10 +451,16 @@ static void alternatives_smp_lock(const s32 *start, const s32 *end, for (poff = start; poff < end; poff++) { u8 *ptr = (u8 *)poff + *poff; @@ -20760,7 +20716,7 @@ index aef6531..2044b66 100644 text_poke(ptr, ((unsigned char []){0xf0}), 1); } mutex_unlock(&text_mutex); -@@ -434,10 +468,16 @@ static void alternatives_smp_unlock(const s32 *start, const s32 *end, +@@ -434,10 +475,16 @@ static void alternatives_smp_unlock(const s32 *start, const s32 *end, for (poff = start; poff < end; poff++) { u8 *ptr = (u8 *)poff + *poff; @@ -20778,7 +20734,7 @@ index aef6531..2044b66 100644 text_poke(ptr, ((unsigned char []){0x3E}), 1); } mutex_unlock(&text_mutex); -@@ -574,7 +614,7 @@ void __init_or_module apply_paravirt(struct paravirt_patch_site *start, +@@ -574,7 +621,7 @@ void __init_or_module apply_paravirt(struct paravirt_patch_site *start, BUG_ON(p->len > MAX_PATCH_LEN); /* prep the buffer with the original instructions */ @@ -20787,7 +20743,7 @@ index aef6531..2044b66 100644 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf, (unsigned long)p->instr, p->len); -@@ -621,7 +661,7 @@ void __init alternative_instructions(void) +@@ -621,7 +668,7 @@ void __init alternative_instructions(void) if (!uniproc_patched || num_possible_cpus() == 1) free_init_pages("SMP alternatives", (unsigned long)__smp_locks, @@ -20796,7 +20752,7 @@ index aef6531..2044b66 100644 #endif apply_paravirt(__parainstructions, __parainstructions_end); -@@ -641,13 +681,17 @@ void __init alternative_instructions(void) +@@ -641,13 +688,17 @@ void __init alternative_instructions(void) * instructions. And on the local CPU you need to be protected again NMI or MCE * handlers seeing an inconsistent instruction while you patch. */ @@ -20816,7 +20772,7 @@ index aef6531..2044b66 100644 local_irq_restore(flags); /* Could also do a CLFLUSH here to speed up CPU recovery; but that causes hangs on some VIA CPUs. */ -@@ -669,36 +713,22 @@ void *__init_or_module text_poke_early(void *addr, const void *opcode, +@@ -669,36 +720,22 @@ void *__init_or_module text_poke_early(void *addr, const void *opcode, */ void *text_poke(void *addr, const void *opcode, size_t len) { @@ -20861,7 +20817,7 @@ index aef6531..2044b66 100644 return addr; } -@@ -752,7 +782,7 @@ int poke_int3_handler(struct pt_regs *regs) +@@ -752,7 +789,7 @@ int poke_int3_handler(struct pt_regs *regs) */ void *text_poke_bp(void *addr, const void *opcode, size_t len, void *handler) { @@ -23222,7 +23178,7 @@ index 1c30976..71b41b9 100644 #endif diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 02c2eff..9c9ea72 100644 +index 4bd6c19..a0eba01 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -46,6 +46,8 @@ @@ -23234,7 +23190,7 @@ index 02c2eff..9c9ea72 100644 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */ #include <linux/elf-em.h> -@@ -64,6 +66,402 @@ ENTRY(native_usergs_sysret64) +@@ -64,6 +66,401 @@ ENTRY(native_usergs_sysret64) ENDPROC(native_usergs_sysret64) #endif /* CONFIG_PARAVIRT */ @@ -23263,7 +23219,6 @@ index 02c2eff..9c9ea72 100644 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) + call pax_exit_kernel +#endif -+ + .endm + +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) @@ -23637,7 +23592,7 @@ index 02c2eff..9c9ea72 100644 .macro TRACE_IRQS_IRETQ #ifdef CONFIG_TRACE_IRQFLAGS -@@ -100,7 +498,7 @@ ENDPROC(native_usergs_sysret64) +@@ -100,7 +497,7 @@ ENDPROC(native_usergs_sysret64) .endm .macro TRACE_IRQS_IRETQ_DEBUG @@ -23646,7 +23601,7 @@ index 02c2eff..9c9ea72 100644 jnc 1f TRACE_IRQS_ON_DEBUG 1: -@@ -221,14 +619,6 @@ GLOBAL(system_call_after_swapgs) +@@ -221,14 +618,6 @@ GLOBAL(system_call_after_swapgs) /* Construct struct pt_regs on stack */ pushq_cfi $__USER_DS /* pt_regs->ss */ pushq_cfi PER_CPU_VAR(rsp_scratch) /* pt_regs->sp */ @@ -23661,7 +23616,7 @@ index 02c2eff..9c9ea72 100644 pushq_cfi %r11 /* pt_regs->flags */ pushq_cfi $__USER_CS /* pt_regs->cs */ pushq_cfi %rcx /* pt_regs->ip */ -@@ -246,7 +636,27 @@ GLOBAL(system_call_after_swapgs) +@@ -246,7 +635,27 @@ GLOBAL(system_call_after_swapgs) sub $(6*8),%rsp /* pt_regs->bp,bx,r12-15 not saved */ CFI_ADJUST_CFA_OFFSET 6*8 @@ -23690,7 +23645,7 @@ index 02c2eff..9c9ea72 100644 jnz tracesys system_call_fastpath: #if __SYSCALL_MASK == ~0 -@@ -279,10 +689,13 @@ system_call_fastpath: +@@ -279,10 +688,13 @@ system_call_fastpath: * flags (TIF_NOTIFY_RESUME, TIF_USER_RETURN_NOTIFY, etc) set is * very bad. */ @@ -23705,7 +23660,7 @@ index 02c2eff..9c9ea72 100644 RESTORE_C_REGS_EXCEPT_RCX_R11 movq RIP(%rsp),%rcx -@@ -316,6 +729,9 @@ tracesys: +@@ -316,6 +728,9 @@ tracesys: call syscall_trace_enter_phase1 test %rax, %rax jnz tracesys_phase2 /* if needed, run the slow path */ @@ -23715,7 +23670,7 @@ index 02c2eff..9c9ea72 100644 RESTORE_C_REGS_EXCEPT_RAX /* else restore clobbered regs */ movq ORIG_RAX(%rsp), %rax jmp system_call_fastpath /* and return to the fast path */ -@@ -327,6 +743,8 @@ tracesys_phase2: +@@ -327,6 +742,8 @@ tracesys_phase2: movq %rax,%rdx call syscall_trace_enter_phase2 @@ -23724,7 +23679,7 @@ index 02c2eff..9c9ea72 100644 /* * Reload registers from stack in case ptrace changed them. * We don't reload %rax because syscall_trace_entry_phase2() returned -@@ -364,6 +782,8 @@ GLOBAL(int_with_check) +@@ -364,6 +781,8 @@ GLOBAL(int_with_check) andl %edi,%edx jnz int_careful andl $~TS_COMPAT,TI_status(%rcx) @@ -23733,7 +23688,7 @@ index 02c2eff..9c9ea72 100644 jmp syscall_return /* Either reschedule or signal or syscall exit tracking needed. */ -@@ -485,7 +905,7 @@ opportunistic_sysret_failed: +@@ -485,7 +904,7 @@ opportunistic_sysret_failed: SWAPGS jmp restore_c_regs_and_iret CFI_ENDPROC @@ -23742,7 +23697,7 @@ index 02c2eff..9c9ea72 100644 .macro FORK_LIKE func -@@ -495,7 +915,7 @@ ENTRY(stub_\func) +@@ -495,7 +914,7 @@ ENTRY(stub_\func) SAVE_EXTRA_REGS 8 jmp sys_\func CFI_ENDPROC @@ -23751,7 +23706,7 @@ index 02c2eff..9c9ea72 100644 .endm FORK_LIKE clone -@@ -519,7 +939,7 @@ return_from_execve: +@@ -519,7 +938,7 @@ return_from_execve: movq %rax,RAX(%rsp) jmp int_ret_from_sys_call CFI_ENDPROC @@ -23760,7 +23715,7 @@ index 02c2eff..9c9ea72 100644 /* * Remaining execve stubs are only 7 bytes long. * ENTRY() often aligns to 16 bytes, which in this case has no benefits. -@@ -531,7 +951,7 @@ GLOBAL(stub_execveat) +@@ -531,7 +950,7 @@ GLOBAL(stub_execveat) call sys_execveat jmp return_from_execve CFI_ENDPROC @@ -23769,7 +23724,7 @@ index 02c2eff..9c9ea72 100644 #ifdef CONFIG_X86_X32_ABI .align 8 -@@ -541,7 +961,7 @@ GLOBAL(stub_x32_execve) +@@ -541,7 +960,7 @@ GLOBAL(stub_x32_execve) call compat_sys_execve jmp return_from_execve CFI_ENDPROC @@ -23778,7 +23733,7 @@ index 02c2eff..9c9ea72 100644 .align 8 GLOBAL(stub_x32_execveat) CFI_STARTPROC -@@ -549,7 +969,7 @@ GLOBAL(stub_x32_execveat) +@@ -549,7 +968,7 @@ GLOBAL(stub_x32_execveat) call compat_sys_execveat jmp return_from_execve CFI_ENDPROC @@ -23787,7 +23742,7 @@ index 02c2eff..9c9ea72 100644 #endif #ifdef CONFIG_IA32_EMULATION -@@ -592,7 +1012,7 @@ return_from_stub: +@@ -592,7 +1011,7 @@ return_from_stub: movq %rax,RAX(%rsp) jmp int_ret_from_sys_call CFI_ENDPROC @@ -23796,7 +23751,7 @@ index 02c2eff..9c9ea72 100644 #ifdef CONFIG_X86_X32_ABI ENTRY(stub_x32_rt_sigreturn) -@@ -602,7 +1022,7 @@ ENTRY(stub_x32_rt_sigreturn) +@@ -602,7 +1021,7 @@ ENTRY(stub_x32_rt_sigreturn) call sys32_x32_rt_sigreturn jmp return_from_stub CFI_ENDPROC @@ -23805,7 +23760,7 @@ index 02c2eff..9c9ea72 100644 #endif /* -@@ -622,7 +1042,7 @@ ENTRY(ret_from_fork) +@@ -622,7 +1041,7 @@ ENTRY(ret_from_fork) RESTORE_EXTRA_REGS @@ -23814,7 +23769,7 @@ index 02c2eff..9c9ea72 100644 /* * By the time we get here, we have no idea whether our pt_regs, -@@ -641,7 +1061,7 @@ ENTRY(ret_from_fork) +@@ -641,7 +1060,7 @@ ENTRY(ret_from_fork) RESTORE_EXTRA_REGS jmp int_ret_from_sys_call CFI_ENDPROC @@ -23823,7 +23778,7 @@ index 02c2eff..9c9ea72 100644 /* * Build the entry stubs with some assembler magic. -@@ -659,7 +1079,7 @@ ENTRY(irq_entries_start) +@@ -659,7 +1078,7 @@ ENTRY(irq_entries_start) .align 8 .endr CFI_ENDPROC @@ -23832,7 +23787,7 @@ index 02c2eff..9c9ea72 100644 /* * Interrupt entry/exit. -@@ -672,21 +1092,13 @@ END(irq_entries_start) +@@ -672,21 +1091,13 @@ END(irq_entries_start) /* 0(%rsp): ~(interrupt number) */ .macro interrupt func cld @@ -23859,7 +23814,7 @@ index 02c2eff..9c9ea72 100644 je 1f SWAPGS 1: -@@ -709,8 +1121,20 @@ END(irq_entries_start) +@@ -709,8 +1120,20 @@ END(irq_entries_start) CFI_ESCAPE 0x0f /* DW_CFA_def_cfa_expression */, 6, \ 0x77 /* DW_OP_breg7 (rsp) */, 0, \ 0x06 /* DW_OP_deref */, \ @@ -23881,7 +23836,7 @@ index 02c2eff..9c9ea72 100644 /* We entered an interrupt context - irqs are off: */ TRACE_IRQS_OFF -@@ -735,13 +1159,12 @@ ret_from_intr: +@@ -735,13 +1158,12 @@ ret_from_intr: /* Restore saved previous stack */ popq %rsi @@ -23899,7 +23854,7 @@ index 02c2eff..9c9ea72 100644 je retint_kernel /* Interrupt came from user space */ -@@ -763,6 +1186,8 @@ retint_swapgs: /* return to user-space */ +@@ -763,6 +1185,8 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) @@ -23908,7 +23863,7 @@ index 02c2eff..9c9ea72 100644 TRACE_IRQS_IRETQ SWAPGS -@@ -781,6 +1206,21 @@ retint_kernel: +@@ -781,6 +1205,21 @@ retint_kernel: jmp 0b 1: #endif @@ -23930,16 +23885,7 @@ index 02c2eff..9c9ea72 100644 /* * The iretq could re-enable interrupts: */ -@@ -793,8 +1233,6 @@ retint_kernel: - restore_c_regs_and_iret: - RESTORE_C_REGS - REMOVE_PT_GPREGS_FROM_STACK 8 -- --irq_return: - INTERRUPT_RETURN - - ENTRY(native_iret) -@@ -824,15 +1262,15 @@ native_irq_return_ldt: +@@ -822,15 +1261,15 @@ native_irq_return_ldt: SWAPGS movq PER_CPU_VAR(espfix_waddr),%rdi movq %rax,(0*8)(%rdi) /* RAX */ @@ -23960,7 +23906,7 @@ index 02c2eff..9c9ea72 100644 movq %rax,(4*8)(%rdi) andl $0xffff0000,%eax popq_cfi %rdi -@@ -875,7 +1313,7 @@ retint_signal: +@@ -873,7 +1312,7 @@ retint_signal: jmp retint_with_reschedule CFI_ENDPROC @@ -23969,7 +23915,7 @@ index 02c2eff..9c9ea72 100644 /* * APIC interrupts. -@@ -889,7 +1327,7 @@ ENTRY(\sym) +@@ -887,7 +1326,7 @@ ENTRY(\sym) interrupt \do_sym jmp ret_from_intr CFI_ENDPROC @@ -23978,7 +23924,7 @@ index 02c2eff..9c9ea72 100644 .endm #ifdef CONFIG_TRACING -@@ -962,7 +1400,7 @@ apicinterrupt IRQ_WORK_VECTOR \ +@@ -960,7 +1399,7 @@ apicinterrupt IRQ_WORK_VECTOR \ /* * Exception entry points. */ @@ -23987,7 +23933,7 @@ index 02c2eff..9c9ea72 100644 .macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1 ENTRY(\sym) -@@ -1018,6 +1456,12 @@ ENTRY(\sym) +@@ -1016,6 +1455,12 @@ ENTRY(\sym) .endif .if \shift_ist != -1 @@ -24000,7 +23946,7 @@ index 02c2eff..9c9ea72 100644 subq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist) .endif -@@ -1065,7 +1509,7 @@ ENTRY(\sym) +@@ -1063,7 +1508,7 @@ ENTRY(\sym) .endif CFI_ENDPROC @@ -24009,7 +23955,7 @@ index 02c2eff..9c9ea72 100644 .endm #ifdef CONFIG_TRACING -@@ -1106,9 +1550,10 @@ gs_change: +@@ -1104,9 +1549,10 @@ gs_change: 2: mfence /* workaround */ SWAPGS popfq_cfi @@ -24021,7 +23967,7 @@ index 02c2eff..9c9ea72 100644 _ASM_EXTABLE(gs_change,bad_gs) .section .fixup,"ax" -@@ -1136,9 +1581,10 @@ ENTRY(do_softirq_own_stack) +@@ -1134,9 +1580,10 @@ ENTRY(do_softirq_own_stack) CFI_DEF_CFA_REGISTER rsp CFI_ADJUST_CFA_OFFSET -8 decl PER_CPU_VAR(irq_count) @@ -24033,7 +23979,7 @@ index 02c2eff..9c9ea72 100644 #ifdef CONFIG_XEN idtentry xen_hypervisor_callback xen_do_hypervisor_callback has_error_code=0 -@@ -1179,7 +1625,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) +@@ -1177,7 +1624,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) #endif jmp error_exit CFI_ENDPROC @@ -24042,7 +23988,7 @@ index 02c2eff..9c9ea72 100644 /* * Hypervisor uses this for application faults while it executes. -@@ -1240,7 +1686,7 @@ ENTRY(xen_failsafe_callback) +@@ -1238,7 +1685,7 @@ ENTRY(xen_failsafe_callback) SAVE_EXTRA_REGS jmp error_exit CFI_ENDPROC @@ -24051,7 +23997,7 @@ index 02c2eff..9c9ea72 100644 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1286,9 +1732,39 @@ ENTRY(paranoid_entry) +@@ -1284,9 +1731,39 @@ ENTRY(paranoid_entry) js 1f /* negative -> in kernel */ SWAPGS xorl %ebx,%ebx @@ -24093,7 +24039,7 @@ index 02c2eff..9c9ea72 100644 /* * "Paranoid" exit path from exception stack. This is invoked -@@ -1305,20 +1781,27 @@ ENTRY(paranoid_exit) +@@ -1303,20 +1780,27 @@ ENTRY(paranoid_exit) DEFAULT_FRAME DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF_DEBUG @@ -24123,7 +24069,7 @@ index 02c2eff..9c9ea72 100644 /* * Save all registers in pt_regs, and switch gs if needed. -@@ -1330,12 +1813,23 @@ ENTRY(error_entry) +@@ -1328,12 +1812,23 @@ ENTRY(error_entry) SAVE_C_REGS 8 SAVE_EXTRA_REGS 8 xorl %ebx,%ebx @@ -24148,7 +24094,7 @@ index 02c2eff..9c9ea72 100644 ret /* -@@ -1370,7 +1864,7 @@ error_bad_iret: +@@ -1368,7 +1863,7 @@ error_bad_iret: decl %ebx /* Return to usergs */ jmp error_sti CFI_ENDPROC @@ -24157,7 +24103,7 @@ index 02c2eff..9c9ea72 100644 /* On entry, ebx is "no swapgs" flag (1: don't need swapgs, 0: need it) */ -@@ -1381,7 +1875,7 @@ ENTRY(error_exit) +@@ -1379,7 +1874,7 @@ ENTRY(error_exit) DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF GET_THREAD_INFO(%rcx) @@ -24166,7 +24112,7 @@ index 02c2eff..9c9ea72 100644 jne retint_kernel LOCKDEP_SYS_EXIT_IRQ movl TI_flags(%rcx),%edx -@@ -1390,7 +1884,7 @@ ENTRY(error_exit) +@@ -1388,7 +1883,7 @@ ENTRY(error_exit) jnz retint_careful jmp retint_swapgs CFI_ENDPROC @@ -24175,74 +24121,10 @@ index 02c2eff..9c9ea72 100644 /* Runs on exception stack */ ENTRY(nmi) -@@ -1413,11 +1907,12 @@ ENTRY(nmi) - * If the variable is not set and the stack is not the NMI - * stack then: - * o Set the special variable on the stack -- * o Copy the interrupt frame into a "saved" location on the stack -- * o Copy the interrupt frame into a "copy" location on the stack -+ * o Copy the interrupt frame into an "outermost" location on the -+ * stack -+ * o Copy the interrupt frame into an "iret" location on the stack - * o Continue processing the NMI - * If the variable is set or the previous stack is the NMI stack: -- * o Modify the "copy" location to jump to the repeate_nmi -+ * o Modify the "iret" location to jump to the repeat_nmi - * o return back to the first NMI - * - * Now on exit of the first NMI, we first clear the stack variable -@@ -1426,32 +1921,185 @@ ENTRY(nmi) - * a nested NMI that updated the copy interrupt stack frame, a - * jump will be made to the repeat_nmi code that will handle the second - * NMI. -+ * -+ * However, espfix prevents us from directly returning to userspace -+ * with a single IRET instruction. Similarly, IRET to user mode -+ * can fault. We therefore handle NMIs from user space like -+ * other IST entries. - */ +@@ -1473,6 +1968,12 @@ ENTRY(nmi) + pushq %r14 /* pt_regs->r14 */ + pushq %r15 /* pt_regs->r15 */ - /* Use %rdx as our temp variable throughout */ - pushq_cfi %rdx - CFI_REL_OFFSET rdx, 0 - -+ testb $3, CS-RIP+8(%rsp) -+ jz .Lnmi_from_kernel -+ -+ /* -+ * NMI from user mode. We need to run on the thread stack, but we -+ * can't go through the normal entry paths: NMIs are masked, and -+ * we don't want to enable interrupts, because then we'll end -+ * up in an awkward situation in which IRQs are on but NMIs -+ * are off. -+ */ -+ -+ SWAPGS -+ cld -+ movq %rsp, %rdx -+ movq PER_CPU_VAR(kernel_stack), %rsp -+ pushq 5*8(%rdx) /* pt_regs->ss */ -+ pushq 4*8(%rdx) /* pt_regs->rsp */ -+ pushq 3*8(%rdx) /* pt_regs->flags */ -+ pushq 2*8(%rdx) /* pt_regs->cs */ -+ pushq 1*8(%rdx) /* pt_regs->rip */ -+ pushq $-1 /* pt_regs->orig_ax */ -+ pushq %rdi /* pt_regs->di */ -+ pushq %rsi /* pt_regs->si */ -+ pushq (%rdx) /* pt_regs->dx */ -+ pushq %rcx /* pt_regs->cx */ -+ pushq %rax /* pt_regs->ax */ -+ pushq %r8 /* pt_regs->r8 */ -+ pushq %r9 /* pt_regs->r9 */ -+ pushq %r10 /* pt_regs->r10 */ -+ pushq %r11 /* pt_regs->r11 */ -+ pushq %rbx /* pt_regs->rbx */ -+ pushq %rbp /* pt_regs->rbp */ -+ pushq %r12 /* pt_regs->r12 */ -+ pushq %r13 /* pt_regs->r13 */ -+ pushq %r14 /* pt_regs->r14 */ -+ pushq %r15 /* pt_regs->r15 */ -+ +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) + xorl %ebx,%ebx +#endif @@ -24250,297 +24132,47 @@ index 02c2eff..9c9ea72 100644 + pax_enter_kernel_nmi + /* -- * If %cs was not the kernel segment, then the NMI triggered in user -- * space, which means it is definitely not nested. -+ * At this point we no longer need to worry about stack damage -+ * due to nesting -- we're on the normal thread stack and we're -+ * done with the NMI stack. - */ -- cmpl $__KERNEL_CS, 16(%rsp) -- jne first_nmi -+ -+ movq %rsp, %rdi -+ movq $-1, %rsi -+ call do_nmi -+ + * At this point we no longer need to worry about stack damage + * due to nesting -- we're on the normal thread stack and we're +@@ -1482,12 +1983,19 @@ ENTRY(nmi) + movq $-1, %rsi + call do_nmi + + pax_exit_kernel_nmi + -+ /* -+ * Return back to user mode. We must *not* do the normal exit -+ * work, because we don't want to enable interrupts. Fortunately, -+ * do_nmi doesn't modify pt_regs. -+ */ -+ SWAPGS -+ -+ /* -+ * Open-code the entire return process for compatibility with varying -+ * register layouts across different kernel versions. -+ */ -+ -+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) -+ movq RBX(%rsp), %rbx /* pt_regs->rbx*/ -+#endif -+ -+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR -+ movq R12(%rsp), %r12 /* pt_regs->r12*/ -+#endif -+ -+ addq $6*8, %rsp /* skip bx, bp, and r12-r15 */ -+ popq %r11 /* pt_regs->r11 */ -+ popq %r10 /* pt_regs->r10 */ -+ popq %r9 /* pt_regs->r9 */ -+ popq %r8 /* pt_regs->r8 */ -+ popq %rax /* pt_regs->ax */ -+ popq %rcx /* pt_regs->cx */ -+ popq %rdx /* pt_regs->dx */ -+ popq %rsi /* pt_regs->si */ -+ popq %rdi /* pt_regs->di */ -+ addq $8, %rsp /* skip orig_ax */ -+ INTERRUPT_RETURN -+ -+.Lnmi_from_kernel: -+ /* -+ * Here's what our stack frame will look like: -+ * +---------------------------------------------------------+ -+ * | original SS | -+ * | original Return RSP | -+ * | original RFLAGS | -+ * | original CS | -+ * | original RIP | -+ * +---------------------------------------------------------+ -+ * | temp storage for rdx | -+ * +---------------------------------------------------------+ -+ * | "NMI executing" variable | -+ * +---------------------------------------------------------+ -+ * | iret SS } Copied from "outermost" frame | -+ * | iret Return RSP } on each loop iteration; overwritten | -+ * | iret RFLAGS } by a nested NMI to force another | -+ * | iret CS } iteration if needed. | -+ * | iret RIP } | -+ * +---------------------------------------------------------+ -+ * | outermost SS } initialized in first_nmi; | -+ * | outermost Return RSP } will not be changed before | -+ * | outermost RFLAGS } NMI processing is done. | -+ * | outermost CS } Copied to "iret" frame on each | -+ * | outermost RIP } iteration. | -+ * +---------------------------------------------------------+ -+ * | pt_regs | -+ * +---------------------------------------------------------+ -+ * -+ * The "original" frame is used by hardware. Before re-enabling -+ * NMIs, we need to be done with it, and we need to leave enough -+ * space for the asm code here. -+ * -+ * We return by executing IRET while RSP points to the "iret" frame. -+ * That will either return for real or it will loop back into NMI -+ * processing. -+ * -+ * The "outermost" frame is copied to the "iret" frame on each -+ * iteration of the loop, so each iteration starts with the "iret" -+ * frame pointing to the final return target. -+ */ -+ -+ /* -+ * If we interrupted kernel code between repeat_nmi and -+ * end_repeat_nmi, then we are a nested NMI. We must not -+ * modify the "iret" frame because it's being written by -+ * the outer NMI. That's okay: the outer NMI handler is -+ * about to about to call do_nmi anyway, so we can just -+ * resume the outer NMI. -+ */ -+ -+ movq $repeat_nmi, %rdx -+ cmpq 8(%rsp), %rdx -+ ja 1f -+ movq $end_repeat_nmi, %rdx -+ cmpq 8(%rsp), %rdx -+ ja nested_nmi_out -+1: - /* -- * Check the special variable on the stack to see if NMIs are -- * executing. -+ * Now check "NMI executing". If it's set, then we're nested. -+ * -+ * First check "NMI executing". If it's set, then we're nested. -+ * This will not detect if we interrupted an outer NMI just -+ * before IRET. + * Return back to user mode. We must *not* do the normal exit + * work, because we don't want to enable interrupts. Fortunately, + * do_nmi doesn't modify pt_regs. */ - cmpl $1, -8(%rsp) - je nested_nmi - - /* -- * Now test if the previous stack was an NMI stack. -- * We need the double check. We check the NMI stack to satisfy the -- * race when the first NMI clears the variable before returning. -- * We check the variable because the first NMI could be in a -- * breakpoint routine using a breakpoint stack. -+ * Now test if the previous stack was an NMI stack. This covers -+ * the case where we interrupt an outer NMI after it clears -+ * "NMI executing" but before IRET. We need to be careful, though: -+ * there is one case in which RSP could point to the NMI stack -+ * despite there being no NMI active: naughty userspace controls -+ * RSP at the very beginning of the SYSCALL targets. We can -+ * pull a fast one on naughty userspace, though: we program -+ * SYSCALL to mask DF, so userspace cannot cause DF to be set -+ * if it controls the kernel's RSP. We set DF before we clear -+ * "NMI executing". - */ - lea 6*8(%rsp), %rdx - /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */ -@@ -1462,27 +2110,22 @@ ENTRY(nmi) - cmpq %rdx, 4*8(%rsp) - /* If it is below the NMI stack, it is a normal NMI */ - jb first_nmi -- /* Ah, it is within the NMI stack, treat it as nested */ + SWAPGS + -+ /* Ah, it is within the NMI stack. */ ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ movq_cfi_restore RBX, rbx ++#endif + -+ testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp) -+ jz first_nmi /* RSP was user controlled. */ - - CFI_REMEMBER_STATE + jmp restore_c_regs_and_iret -+ /* This is a nested NMI. */ -+ - nested_nmi: - /* -- * Do nothing if we interrupted the fixup in repeat_nmi. -- * It's about to repeat the NMI handler, so we are fine -- * with ignoring this one. -+ * Modify the "iret" frame to point to repeat_nmi, forcing another -+ * iteration of NMI handling. + .Lnmi_from_kernel: +@@ -1595,8 +2103,7 @@ nested_nmi: + * Modify the "iret" frame to point to repeat_nmi, forcing another + * iteration of NMI handling. */ -- movq $repeat_nmi, %rdx -- cmpq 8(%rsp), %rdx -- ja 1f -- movq $end_repeat_nmi, %rdx -- cmpq 8(%rsp), %rdx -- ja nested_nmi_out -- --1: -- /* Set up the interrupted NMIs stack to jump to repeat_nmi */ - leaq -1*8(%rsp), %rdx - movq %rdx, %rsp + subq $8, %rsp CFI_ADJUST_CFA_OFFSET 1*8 leaq -10*8(%rsp), %rdx pushq_cfi $__KERNEL_DS -@@ -1499,60 +2142,24 @@ nested_nmi_out: - popq_cfi %rdx +@@ -1614,6 +2121,7 @@ nested_nmi_out: CFI_RESTORE rdx -- /* No need to check faults here */ -+ /* We are returning to kernel mode, so this cannot result in a fault. */ + /* We are returning to kernel mode, so this cannot result in a fault. */ +# pax_force_retaddr_bts INTERRUPT_RETURN CFI_RESTORE_STATE - first_nmi: -- /* -- * Because nested NMIs will use the pushed location that we -- * stored in rdx, we must keep that space available. -- * Here's what our stack frame will look like: -- * +-------------------------+ -- * | original SS | -- * | original Return RSP | -- * | original RFLAGS | -- * | original CS | -- * | original RIP | -- * +-------------------------+ -- * | temp storage for rdx | -- * +-------------------------+ -- * | NMI executing variable | -- * +-------------------------+ -- * | copied SS | -- * | copied Return RSP | -- * | copied RFLAGS | -- * | copied CS | -- * | copied RIP | -- * +-------------------------+ -- * | Saved SS | -- * | Saved Return RSP | -- * | Saved RFLAGS | -- * | Saved CS | -- * | Saved RIP | -- * +-------------------------+ -- * | pt_regs | -- * +-------------------------+ -- * -- * The saved stack frame is used to fix up the copied stack frame -- * that a nested NMI may change to make the interrupted NMI iret jump -- * to the repeat_nmi. The original stack frame and the temp storage -- * is also used by nested NMIs and can not be trusted on exit. -- */ -- /* Do not pop rdx, nested NMIs will corrupt that part of the stack */ -+ /* Restore rdx. */ - movq (%rsp), %rdx - CFI_RESTORE rdx - - /* Set the NMI executing variable on the stack. */ - pushq_cfi $1 - -- /* -- * Leave room for the "copied" frame -- */ -+ /* Leave room for the "iret" frame */ - subq $(5*8), %rsp - CFI_ADJUST_CFA_OFFSET 5*8 - -- /* Copy the stack frame to the Saved frame */ -+ /* Copy the "original" frame to the "outermost" frame */ - .rept 5 - pushq_cfi 11*8(%rsp) - .endr -@@ -1560,6 +2167,7 @@ first_nmi: - - /* Everything up to here is safe from nested NMIs */ - -+repeat_nmi: - /* - * If there was a nested NMI, the first NMI's iret will return - * here. But NMIs are still enabled and we can take another -@@ -1568,16 +2176,21 @@ first_nmi: - * it will just return, as we are about to repeat an NMI anyway. - * This makes it safe to copy to the stack frame that a nested - * NMI will update. -- */ --repeat_nmi: -- /* -- * Update the stack variable to say we are still in NMI (the update -- * is benign for the non-repeat case, where 1 was pushed just above -- * to this very stack slot). -+ * -+ * RSP is pointing to "outermost RIP". gsbase is unknown, but, if -+ * we're repeating an NMI, gsbase has the same value that it had on -+ * the first iteration. paranoid_entry will load the kernel -+ * gsbase if needed before we call do_nmi. -+ * -+ * Set "NMI executing" in case we came back here via IRET. - */ - movq $1, 10*8(%rsp) - -- /* Make another copy, this one may be modified by nested NMIs */ -+ /* -+ * Copy the "outermost" frame to the "iret" frame. NMIs that nest -+ * here must not modify the "iret" frame while we're writing to -+ * it or it will end up containing garbage. -+ */ - addq $(10*8), %rsp - CFI_ADJUST_CFA_OFFSET -10*8 - .rept 5 -@@ -1588,66 +2201,66 @@ repeat_nmi: - end_repeat_nmi: - - /* -- * Everything below this point can be preempted by a nested -- * NMI if the first NMI took an exception and reset our iret stack -- * so that we repeat another NMI. -+ * Everything below this point can be preempted by a nested NMI. -+ * If this happens, then the inner NMI will change the "iret" -+ * frame to point back to repeat_nmi. - */ - pushq_cfi $-1 /* ORIG_RAX: no syscall to restart */ +@@ -1679,13 +2187,13 @@ end_repeat_nmi: ALLOC_PT_GPREGS_ON_STACK /* @@ -24555,29 +24187,11 @@ index 02c2eff..9c9ea72 100644 + call paranoid_entry_nmi DEFAULT_FRAME 0 -- /* -- * Save off the CR2 register. If we take a page fault in the NMI then -- * it could corrupt the CR2 value. If the NMI preempts a page fault -- * handler before it was able to read the CR2 register, and then the -- * NMI itself takes a page fault, the page fault that was preempted -- * will read the information from the NMI page fault and not the -- * origin fault. Save it off and restore it if it changes. -- * Use the r12 callee-saved register. -- */ -- movq %cr2, %r12 -- /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ - movq %rsp,%rdi +@@ -1693,7 +2201,9 @@ end_repeat_nmi: movq $-1,%rsi call do_nmi -- /* Did the NMI take a page fault? Restore cr2 if it did */ -- movq %cr2, %rcx -- cmpq %rcx, %r12 -- je 1f -- movq %r12, %cr2 --1: -- - testl %ebx,%ebx /* swapgs needed? */ + pax_exit_kernel_nmi + @@ -24585,35 +24199,18 @@ index 02c2eff..9c9ea72 100644 jnz nmi_restore nmi_swapgs: SWAPGS_UNSAFE_STACK - nmi_restore: - RESTORE_EXTRA_REGS - RESTORE_C_REGS -- /* Pop the extra iret frame at once */ -+ +@@ -1704,6 +2214,8 @@ nmi_restore: + /* Point RSP at the "iret" frame. */ REMOVE_PT_GPREGS_FROM_STACK 6*8 -- /* Clear the NMI executing stack variable */ -- movq $0, 5*8(%rsp) -- jmp irq_return + pax_force_retaddr_bts + -+ /* -+ * Clear "NMI executing". Set DF first so that we can easily -+ * distinguish the remaining code between here and IRET from -+ * the SYSCALL entry and exit paths. On a native kernel, we -+ * could just inspect RIP, but, on paravirt kernels, -+ * INTERRUPT_RETURN can translate into a jump into a -+ * hypercall page. -+ */ -+ std -+ movq $0, 5*8(%rsp) /* clear "NMI executing" */ -+ -+ /* -+ * INTERRUPT_RETURN reads the "iret" frame and exits the NMI -+ * stack in a single instruction. We are returning to kernel -+ * mode, so this cannot result in a fault. -+ */ -+ INTERRUPT_RETURN + /* + * Clear "NMI executing". Set DF first so that we can easily + * distinguish the remaining code between here and IRET from +@@ -1722,12 +2234,12 @@ nmi_restore: + */ + INTERRUPT_RETURN CFI_ENDPROC -END(nmi) +ENDPROC(nmi) @@ -25826,10 +25423,19 @@ index 394e643..824fce8 100644 panic("low stack detected by irq handler - check messages\n"); #endif diff --git a/arch/x86/kernel/jump_label.c b/arch/x86/kernel/jump_label.c -index 26d5a55..a01160a 100644 +index 26d5a55..bf8b49b 100644 --- a/arch/x86/kernel/jump_label.c +++ b/arch/x86/kernel/jump_label.c -@@ -51,7 +51,7 @@ static void __jump_label_transform(struct jump_entry *entry, +@@ -31,6 +31,8 @@ static void bug_at(unsigned char *ip, int line) + * Something went wrong. Crash the box, as something could be + * corrupting the kernel. + */ ++ ip = ktla_ktva(ip); ++ pr_warning("Unexpected op at %pS [%p] %s:%d\n", ip, ip, __FILE__, line); + pr_warning("Unexpected op at %pS [%p] (%02x %02x %02x %02x %02x) %s:%d\n", + ip, ip, ip[0], ip[1], ip[2], ip[3], ip[4], __FILE__, line); + BUG(); +@@ -51,7 +53,7 @@ static void __jump_label_transform(struct jump_entry *entry, * Jump label is enabled for the first time. * So we expect a default_nop... */ @@ -25838,7 +25444,7 @@ index 26d5a55..a01160a 100644 != 0)) bug_at((void *)entry->code, __LINE__); } else { -@@ -59,7 +59,7 @@ static void __jump_label_transform(struct jump_entry *entry, +@@ -59,7 +61,7 @@ static void __jump_label_transform(struct jump_entry *entry, * ...otherwise expect an ideal_nop. Otherwise * something went horribly wrong. */ @@ -25847,7 +25453,7 @@ index 26d5a55..a01160a 100644 != 0)) bug_at((void *)entry->code, __LINE__); } -@@ -75,13 +75,13 @@ static void __jump_label_transform(struct jump_entry *entry, +@@ -75,13 +77,13 @@ static void __jump_label_transform(struct jump_entry *entry, * are converting the default nop to the ideal nop. */ if (init) { @@ -26583,7 +26189,7 @@ index 113e707..0a690e1 100644 }; diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c -index c3e985d..f690edd 100644 +index d05bd2e..f690edd 100644 --- a/arch/x86/kernel/nmi.c +++ b/arch/x86/kernel/nmi.c @@ -98,16 +98,16 @@ fs_initcall(nmi_warning_debugfs); @@ -26661,116 +26267,9 @@ index c3e985d..f690edd 100644 break; } } -@@ -408,15 +409,15 @@ static void default_do_nmi(struct pt_regs *regs) - NOKPROBE_SYMBOL(default_do_nmi); - - /* -- * NMIs can hit breakpoints which will cause it to lose its -- * NMI context with the CPU when the breakpoint does an iret. -- */ --#ifdef CONFIG_X86_32 --/* -- * For i386, NMIs use the same stack as the kernel, and we can -- * add a workaround to the iret problem in C (preventing nested -- * NMIs if an NMI takes a trap). Simply have 3 states the NMI -- * can be in: -+ * NMIs can page fault or hit breakpoints which will cause it to lose -+ * its NMI context with the CPU when the breakpoint or page fault does an IRET. -+ * -+ * As a result, NMIs can nest if NMIs get unmasked due an IRET during -+ * NMI processing. On x86_64, the asm glue protects us from nested NMIs -+ * if the outer NMI came from kernel mode, but we can still nest if the -+ * outer NMI came from user mode. -+ * -+ * To handle these nested NMIs, we have three states: - * - * 1) not running - * 2) executing -@@ -430,15 +431,14 @@ NOKPROBE_SYMBOL(default_do_nmi); - * (Note, the latch is binary, thus multiple NMIs triggering, - * when one is running, are ignored. Only one NMI is restarted.) - * -- * If an NMI hits a breakpoint that executes an iret, another -- * NMI can preempt it. We do not want to allow this new NMI -- * to run, but we want to execute it when the first one finishes. -- * We set the state to "latched", and the exit of the first NMI will -- * perform a dec_return, if the result is zero (NOT_RUNNING), then -- * it will simply exit the NMI handler. If not, the dec_return -- * would have set the state to NMI_EXECUTING (what we want it to -- * be when we are running). In this case, we simply jump back -- * to rerun the NMI handler again, and restart the 'latched' NMI. -+ * If an NMI executes an iret, another NMI can preempt it. We do not -+ * want to allow this new NMI to run, but we want to execute it when the -+ * first one finishes. We set the state to "latched", and the exit of -+ * the first NMI will perform a dec_return, if the result is zero -+ * (NOT_RUNNING), then it will simply exit the NMI handler. If not, the -+ * dec_return would have set the state to NMI_EXECUTING (what we want it -+ * to be when we are running). In this case, we simply jump back to -+ * rerun the NMI handler again, and restart the 'latched' NMI. - * - * No trap (breakpoint or page fault) should be hit before nmi_restart, - * thus there is no race between the first check of state for NOT_RUNNING -@@ -461,49 +461,47 @@ enum nmi_states { - static DEFINE_PER_CPU(enum nmi_states, nmi_state); - static DEFINE_PER_CPU(unsigned long, nmi_cr2); - --#define nmi_nesting_preprocess(regs) \ -- do { \ -- if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) { \ -- this_cpu_write(nmi_state, NMI_LATCHED); \ -- return; \ -- } \ -- this_cpu_write(nmi_state, NMI_EXECUTING); \ -- this_cpu_write(nmi_cr2, read_cr2()); \ -- } while (0); \ -- nmi_restart: -- --#define nmi_nesting_postprocess() \ -- do { \ -- if (unlikely(this_cpu_read(nmi_cr2) != read_cr2())) \ -- write_cr2(this_cpu_read(nmi_cr2)); \ -- if (this_cpu_dec_return(nmi_state)) \ -- goto nmi_restart; \ -- } while (0) --#else /* x86_64 */ -+#ifdef CONFIG_X86_64 - /* -- * In x86_64 things are a bit more difficult. This has the same problem -- * where an NMI hitting a breakpoint that calls iret will remove the -- * NMI context, allowing a nested NMI to enter. What makes this more -- * difficult is that both NMIs and breakpoints have their own stack. -- * When a new NMI or breakpoint is executed, the stack is set to a fixed -- * point. If an NMI is nested, it will have its stack set at that same -- * fixed address that the first NMI had, and will start corrupting the -- * stack. This is handled in entry_64.S, but the same problem exists with -- * the breakpoint stack. -+ * In x86_64, we need to handle breakpoint -> NMI -> breakpoint. Without -+ * some care, the inner breakpoint will clobber the outer breakpoint's -+ * stack. - * -- * If a breakpoint is being processed, and the debug stack is being used, -- * if an NMI comes in and also hits a breakpoint, the stack pointer -- * will be set to the same fixed address as the breakpoint that was -- * interrupted, causing that stack to be corrupted. To handle this case, -- * check if the stack that was interrupted is the debug stack, and if -- * so, change the IDT so that new breakpoints will use the current stack -- * and not switch to the fixed address. On return of the NMI, switch back -- * to the original IDT. -+ * If a breakpoint is being processed, and the debug stack is being -+ * used, if an NMI comes in and also hits a breakpoint, the stack -+ * pointer will be set to the same fixed address as the breakpoint that -+ * was interrupted, causing that stack to be corrupted. To handle this -+ * case, check if the stack that was interrupted is the debug stack, and -+ * if so, change the IDT so that new breakpoints will use the current -+ * stack and not switch to the fixed address. On return of the NMI, -+ * switch back to the original IDT. - */ - static DEFINE_PER_CPU(int, update_debug_stack); -+#endif - --static inline void nmi_nesting_preprocess(struct pt_regs *regs) -+dotraplinkage notrace void -+do_nmi(struct pt_regs *regs, long error_code) +@@ -481,6 +482,17 @@ static DEFINE_PER_CPU(int, update_debug_stack); + dotraplinkage notrace void + do_nmi(struct pt_regs *regs, long error_code) { + +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) @@ -26783,61 +26282,9 @@ index c3e985d..f690edd 100644 + } +#endif + -+ if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) { -+ this_cpu_write(nmi_state, NMI_LATCHED); -+ return; -+ } -+ this_cpu_write(nmi_state, NMI_EXECUTING); -+ this_cpu_write(nmi_cr2, read_cr2()); -+nmi_restart: -+ -+#ifdef CONFIG_X86_64 - /* - * If we interrupted a breakpoint, it is possible that - * the nmi handler will have breakpoints too. We need to -@@ -514,22 +512,8 @@ static inline void nmi_nesting_preprocess(struct pt_regs *regs) - debug_stack_set_zero(); - this_cpu_write(update_debug_stack, 1); - } --} -- --static inline void nmi_nesting_postprocess(void) --{ -- if (unlikely(this_cpu_read(update_debug_stack))) { -- debug_stack_reset(); -- this_cpu_write(update_debug_stack, 0); -- } --} - #endif - --dotraplinkage notrace void --do_nmi(struct pt_regs *regs, long error_code) --{ -- nmi_nesting_preprocess(regs); -- - nmi_enter(); - - inc_irq_stat(__nmi_count); -@@ -539,8 +523,17 @@ do_nmi(struct pt_regs *regs, long error_code) - - nmi_exit(); - -- /* On i386, may loop back to preprocess */ -- nmi_nesting_postprocess(); -+#ifdef CONFIG_X86_64 -+ if (unlikely(this_cpu_read(update_debug_stack))) { -+ debug_stack_reset(); -+ this_cpu_write(update_debug_stack, 0); -+ } -+#endif -+ -+ if (unlikely(this_cpu_read(nmi_cr2) != read_cr2())) -+ write_cr2(this_cpu_read(nmi_cr2)); -+ if (this_cpu_dec_return(nmi_state)) -+ goto nmi_restart; - } - NOKPROBE_SYMBOL(do_nmi); - + if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) { + this_cpu_write(nmi_state, NMI_LATCHED); + return; diff --git a/arch/x86/kernel/nmi_selftest.c b/arch/x86/kernel/nmi_selftest.c index 6d9582e..f746287 100644 --- a/arch/x86/kernel/nmi_selftest.c @@ -27698,7 +27145,7 @@ index 98111b3..73ca125 100644 identity_mapped: /* set return address to 0 if not preserving context */ diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index d74ac33..d9efe04 100644 +index d74ac33..6d14941 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -111,6 +111,7 @@ @@ -27743,20 +27190,18 @@ index d74ac33..d9efe04 100644 u64 size = __pa_symbol(_end) - start; /* -@@ -860,8 +863,12 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p) +@@ -860,8 +863,8 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p) void __init setup_arch(char **cmdline_p) { -+#ifdef CONFIG_X86_32 -+ memblock_reserve(LOAD_PHYSICAL_ADDR, __pa_symbol(__bss_stop) - LOAD_PHYSICAL_ADDR); -+#else - memblock_reserve(__pa_symbol(_text), - (unsigned long)__bss_stop - (unsigned long)_text); -+#endif +- memblock_reserve(__pa_symbol(_text), +- (unsigned long)__bss_stop - (unsigned long)_text); ++ memblock_reserve(__pa_symbol(ktla_ktva((unsigned long)_text)), ++ (unsigned long)__bss_stop - ktla_ktva((unsigned long)_text)); early_reserve_initrd(); -@@ -959,16 +966,16 @@ void __init setup_arch(char **cmdline_p) +@@ -959,16 +962,16 @@ void __init setup_arch(char **cmdline_p) if (!boot_params.hdr.root_flags) root_mountflags &= ~MS_RDONLY; @@ -29278,19 +28723,6 @@ index 67d07e0..10769d5 100644 #define APIC_LVT_NUM 6 /* 14 is the version for Xeon and Pentium 8.4.8*/ -diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h -index 9d28383..c4ea87e 100644 ---- a/arch/x86/kvm/lapic.h -+++ b/arch/x86/kvm/lapic.h -@@ -150,7 +150,7 @@ static inline bool kvm_apic_vid_enabled(struct kvm *kvm) - - static inline bool kvm_apic_has_events(struct kvm_vcpu *vcpu) - { -- return vcpu->arch.apic->pending_events; -+ return kvm_vcpu_has_lapic(vcpu) && vcpu->arch.apic->pending_events; - } - - bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector); diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h index 6e6d115..43fecbf 100644 --- a/arch/x86/kvm/paging_tmpl.h @@ -36264,7 +35696,7 @@ index e88fda8..76ce7ce 100644 This is the Linux Xen port. Enabling this will allow the kernel to boot in a paravirtualized environment under the diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 46957ea..a9dc1d9 100644 +index a671e83..a9dc1d9 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -125,8 +125,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); @@ -36276,75 +35708,7 @@ index 46957ea..a9dc1d9 100644 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); __read_mostly int xen_have_vector_callback; EXPORT_SYMBOL_GPL(xen_have_vector_callback); -@@ -483,6 +481,7 @@ static void set_aliased_prot(void *v, pgprot_t prot) - pte_t pte; - unsigned long pfn; - struct page *page; -+ unsigned char dummy; - - ptep = lookup_address((unsigned long)v, &level); - BUG_ON(ptep == NULL); -@@ -492,6 +491,32 @@ static void set_aliased_prot(void *v, pgprot_t prot) - - pte = pfn_pte(pfn, prot); - -+ /* -+ * Careful: update_va_mapping() will fail if the virtual address -+ * we're poking isn't populated in the page tables. We don't -+ * need to worry about the direct map (that's always in the page -+ * tables), but we need to be careful about vmap space. In -+ * particular, the top level page table can lazily propagate -+ * entries between processes, so if we've switched mms since we -+ * vmapped the target in the first place, we might not have the -+ * top-level page table entry populated. -+ * -+ * We disable preemption because we want the same mm active when -+ * we probe the target and when we issue the hypercall. We'll -+ * have the same nominal mm, but if we're a kernel thread, lazy -+ * mm dropping could change our pgd. -+ * -+ * Out of an abundance of caution, this uses __get_user() to fault -+ * in the target address just in case there's some obscure case -+ * in which the target address isn't readable. -+ */ -+ -+ preempt_disable(); -+ -+ pagefault_disable(); /* Avoid warnings due to being atomic. */ -+ __get_user(dummy, (unsigned char __user __force *)v); -+ pagefault_enable(); -+ - if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0)) - BUG(); - -@@ -503,6 +528,8 @@ static void set_aliased_prot(void *v, pgprot_t prot) - BUG(); - } else - kmap_flush_unused(); -+ -+ preempt_enable(); - } - - static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) -@@ -510,6 +537,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) - const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE; - int i; - -+ /* -+ * We need to mark the all aliases of the LDT pages RO. We -+ * don't need to call vm_flush_aliases(), though, since that's -+ * only responsible for flushing aliases out the TLBs, not the -+ * page tables, and Xen will flush the TLB for us if needed. -+ * -+ * To avoid confusing future readers: none of this is necessary -+ * to load the LDT. The hypervisor only checks this when the -+ * LDT is faulted in due to subsequent descriptor access. -+ */ -+ - for(i = 0; i < entries; i += entries_per_page) - set_aliased_prot(ldt + i, PAGE_KERNEL_RO); - } -@@ -544,8 +582,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) +@@ -584,8 +582,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -36354,7 +35718,7 @@ index 46957ea..a9dc1d9 100644 int f; /* -@@ -593,8 +630,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -633,8 +630,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -36364,7 +35728,7 @@ index 46957ea..a9dc1d9 100644 int f; /* -@@ -602,7 +638,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -642,7 +638,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) * 8-byte entries, or 16 4k pages.. */ @@ -36373,7 +35737,7 @@ index 46957ea..a9dc1d9 100644 BUG_ON(va & ~PAGE_MASK); for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) { -@@ -1223,30 +1259,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { +@@ -1263,30 +1259,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { #endif }; @@ -36411,7 +35775,7 @@ index 46957ea..a9dc1d9 100644 { if (pm_power_off) pm_power_off(); -@@ -1399,8 +1435,11 @@ static void __ref xen_setup_gdt(int cpu) +@@ -1439,8 +1435,11 @@ static void __ref xen_setup_gdt(int cpu) pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot; pv_cpu_ops.load_gdt = xen_load_gdt_boot; @@ -36425,7 +35789,7 @@ index 46957ea..a9dc1d9 100644 pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry; pv_cpu_ops.load_gdt = xen_load_gdt; -@@ -1515,7 +1554,17 @@ asmlinkage __visible void __init xen_start_kernel(void) +@@ -1555,7 +1554,17 @@ asmlinkage __visible void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -36444,7 +35808,7 @@ index 46957ea..a9dc1d9 100644 /* Get mfn list */ xen_build_dynamic_phys_to_machine(); -@@ -1543,13 +1592,6 @@ asmlinkage __visible void __init xen_start_kernel(void) +@@ -1583,13 +1592,6 @@ asmlinkage __visible void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -39135,7 +38499,7 @@ index 09e628da..7607aaa 100644 if (ti.nwa_v) { pd->nwa = be32_to_cpu(ti.next_writable); diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c -index 53f2535..b8a9ce0 100644 +index 010ce0b..7c0049e 100644 --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c @@ -64,7 +64,7 @@ @@ -39377,7 +38741,7 @@ index 5c0baa9..44011b1 100644 { struct hpet_timer __iomem *timer; diff --git a/drivers/char/i8k.c b/drivers/char/i8k.c -index a43048b..14724d5 100644 +index 3c1a123..a33c99f 100644 --- a/drivers/char/i8k.c +++ b/drivers/char/i8k.c @@ -790,7 +790,7 @@ static const struct i8k_config_data i8k_config_data[] = { @@ -45963,7 +45327,7 @@ index 79f6941..b33b4e0 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index e8d8456..d04a41a 100644 +index 697f34f..8301900 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -191,9 +191,9 @@ struct mapped_device { @@ -45978,7 +45342,7 @@ index e8d8456..d04a41a 100644 struct list_head uevent_list; spinlock_t uevent_lock; /* Protect access to uevent_list */ -@@ -2294,8 +2294,8 @@ static struct mapped_device *alloc_dev(int minor) +@@ -2287,8 +2287,8 @@ static struct mapped_device *alloc_dev(int minor) spin_lock_init(&md->deferred_lock); atomic_set(&md->holders, 1); atomic_set(&md->open_count, 0); @@ -45989,7 +45353,7 @@ index e8d8456..d04a41a 100644 INIT_LIST_HEAD(&md->uevent_list); INIT_LIST_HEAD(&md->table_devices); spin_lock_init(&md->uevent_lock); -@@ -2462,7 +2462,7 @@ static void event_callback(void *context) +@@ -2455,7 +2455,7 @@ static void event_callback(void *context) dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj); @@ -45998,7 +45362,7 @@ index e8d8456..d04a41a 100644 wake_up(&md->eventq); } -@@ -3461,18 +3461,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +@@ -3454,18 +3454,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, uint32_t dm_next_uevent_seq(struct mapped_device *md) { @@ -46021,7 +45385,7 @@ index e8d8456..d04a41a 100644 void dm_uevent_add(struct mapped_device *md, struct list_head *elist) diff --git a/drivers/md/md.c b/drivers/md/md.c -index b920028..8ac9655 100644 +index e462151..8ac9655 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -197,10 +197,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev); @@ -46093,14 +45457,7 @@ index b920028..8ac9655 100644 INIT_LIST_HEAD(&rdev->same_set); init_waitqueue_head(&rdev->blocked_wait); -@@ -5740,22 +5740,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg) - char *ptr; - int err; - -- file = kmalloc(sizeof(*file), GFP_NOIO); -+ file = kzalloc(sizeof(*file), GFP_NOIO); - if (!file) - return -ENOMEM; +@@ -5746,16 +5746,16 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg) err = 0; spin_lock(&mddev->lock); @@ -46227,10 +45584,10 @@ index 3e6d115..ffecdeb 100644 /*----------------------------------------------------------------*/ diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index cd7b0c1..377cd70 100644 +index 5ce3cd5c..f147017 100644 --- a/drivers/md/raid1.c +++ b/drivers/md/raid1.c -@@ -1934,7 +1934,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) +@@ -1936,7 +1936,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) if (r1_sync_page_io(rdev, sect, s, bio->bi_io_vec[idx].bv_page, READ) != 0) @@ -46239,7 +45596,7 @@ index cd7b0c1..377cd70 100644 } sectors -= s; sect += s; -@@ -2167,7 +2167,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, +@@ -2169,7 +2169,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, !test_bit(Faulty, &rdev->flags)) { if (r1_sync_page_io(rdev, sect, s, conf->tmppage, READ)) { @@ -53694,7 +53051,7 @@ index 9d7b7db..33ecc51 100644 return blk_trace_startstop(sdp->device->request_queue, 1); case BLKTRACESTOP: diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c -index 8bd54a6..dd037a5 100644 +index 8bd54a6..58fa0d6 100644 --- a/drivers/scsi/sr.c +++ b/drivers/scsi/sr.c @@ -80,7 +80,7 @@ static DEFINE_MUTEX(sr_mutex); @@ -53706,7 +53063,7 @@ index 8bd54a6..dd037a5 100644 static int sr_runtime_suspend(struct device *dev); static struct dev_pm_ops sr_pm_ops = { -@@ -312,11 +312,11 @@ do_tur: +@@ -312,13 +312,13 @@ do_tur: * It will be notified on the end of a SCSI read / write, and will take one * of several actions based on success or failure. */ @@ -53716,11 +53073,31 @@ index 8bd54a6..dd037a5 100644 int result = SCpnt->result; - int this_count = scsi_bufflen(SCpnt); - int good_bytes = (result == 0 ? this_count : 0); +- int block_sectors = 0; +- long error_sector; + unsigned int this_count = scsi_bufflen(SCpnt); + unsigned int good_bytes = (result == 0 ? this_count : 0); - int block_sectors = 0; - long error_sector; ++ unsigned int block_sectors = 0; ++ sector_t error_sector; struct scsi_cd *cd = scsi_cd(SCpnt->request->rq_disk); + + #ifdef DEBUG +@@ -351,9 +351,12 @@ static int sr_done(struct scsi_cmnd *SCpnt) + if (cd->device->sector_size == 2048) + error_sector <<= 2; + error_sector &= ~(block_sectors - 1); +- good_bytes = (error_sector - +- blk_rq_pos(SCpnt->request)) << 9; +- if (good_bytes < 0 || good_bytes >= this_count) ++ if (error_sector >= blk_rq_pos(SCpnt->request)) { ++ good_bytes = (error_sector - ++ blk_rq_pos(SCpnt->request)) << 9; ++ if (good_bytes >= this_count) ++ good_bytes = 0; ++ } else + good_bytes = 0; + /* + * The SCSI specification allows for the value diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c index c0d660f..24a5854 100644 --- a/drivers/soc/tegra/fuse/fuse-tegra.c @@ -79416,7 +78793,7 @@ index 864e200..357c255 100644 static struct nfsd4_operation nfsd4_ops[]; diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c -index 158badf..f7132ea 100644 +index d4d8445..36ae1a1 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -1703,7 +1703,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p) @@ -103349,10 +102726,10 @@ index 68d4e95..1477ded 100644 mq_table.data = get_mq(table); diff --git a/ipc/mqueue.c b/ipc/mqueue.c -index 3aaea7f..e8a13d6 100644 +index c3fc5c2..1f32fe2 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c -@@ -278,6 +278,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb, +@@ -275,6 +275,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb, mq_bytes = mq_treesize + (info->attr.mq_maxmsg * info->attr.mq_msgsize); @@ -108344,7 +107721,7 @@ index e0e1299..e1e896b 100644 static inline void put_prev_task(struct rq *rq, struct task_struct *prev) { diff --git a/kernel/signal.c b/kernel/signal.c -index d51c5dd..065c4c8 100644 +index 0206be7..6445784 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -53,12 +53,12 @@ static struct kmem_cache *sigqueue_cachep; @@ -108453,7 +107830,7 @@ index d51c5dd..065c4c8 100644 return ret; } -@@ -2915,7 +2938,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) +@@ -2918,7 +2941,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) int error = -ESRCH; rcu_read_lock(); @@ -108470,7 +107847,7 @@ index d51c5dd..065c4c8 100644 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) { error = check_kill_permission(sig, info, p); /* -@@ -3244,8 +3275,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack, +@@ -3247,8 +3278,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack, } seg = get_fs(); set_fs(KERNEL_DS); @@ -117008,21 +116385,6 @@ index 8e385a0..a5bdd8e 100644 tty_port_close(&dev->port, tty, filp); } -diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c -index 1ab3dc9..7b815bc 100644 ---- a/net/bluetooth/smp.c -+++ b/net/bluetooth/smp.c -@@ -2295,6 +2295,10 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) - return 1; - - chan = conn->smp; -+ if (!chan) { -+ BT_ERR("SMP security requested but not available"); -+ return 1; -+ } - - if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) - return 1; diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index e29ad70b..cc00066 100644 --- a/net/bridge/br_mdb.c @@ -126206,7 +125568,7 @@ index 464385a..46ab3f6 100644 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS]; }; diff --git a/sound/firewire/amdtp.c b/sound/firewire/amdtp.c -index e061355..baed278 100644 +index bf20593..dec8a14 100644 --- a/sound/firewire/amdtp.c +++ b/sound/firewire/amdtp.c @@ -573,7 +573,7 @@ static void update_pcm_pointers(struct amdtp_stream *s, @@ -126218,7 +125580,7 @@ index e061355..baed278 100644 s->pcm_period_pointer += frames; if (s->pcm_period_pointer >= pcm->runtime->period_size) { -@@ -1013,7 +1013,7 @@ EXPORT_SYMBOL(amdtp_stream_pcm_pointer); +@@ -1014,7 +1014,7 @@ EXPORT_SYMBOL(amdtp_stream_pcm_pointer); */ void amdtp_stream_update(struct amdtp_stream *s) { @@ -126228,10 +125590,10 @@ index e061355..baed278 100644 } EXPORT_SYMBOL(amdtp_stream_update); diff --git a/sound/firewire/amdtp.h b/sound/firewire/amdtp.h -index 8a03a91..aaacc0c 100644 +index 25c9055..e861b6a 100644 --- a/sound/firewire/amdtp.h +++ b/sound/firewire/amdtp.h -@@ -231,7 +231,7 @@ static inline bool amdtp_stream_pcm_running(struct amdtp_stream *s) +@@ -233,7 +233,7 @@ static inline bool amdtp_stream_pcm_running(struct amdtp_stream *s) static inline void amdtp_stream_pcm_trigger(struct amdtp_stream *s, struct snd_pcm_substream *pcm) { @@ -126240,7 +125602,7 @@ index 8a03a91..aaacc0c 100644 } /** -@@ -249,7 +249,7 @@ static inline void amdtp_stream_midi_trigger(struct amdtp_stream *s, +@@ -251,7 +251,7 @@ static inline void amdtp_stream_midi_trigger(struct amdtp_stream *s, struct snd_rawmidi_substream *midi) { if (port < s->midi_ports) diff --git a/4.1.5/4425_grsec_remove_EI_PAX.patch b/4.1.6/4425_grsec_remove_EI_PAX.patch index a80a5d7..a80a5d7 100644 --- a/4.1.5/4425_grsec_remove_EI_PAX.patch +++ b/4.1.6/4425_grsec_remove_EI_PAX.patch diff --git a/4.1.5/4427_force_XATTR_PAX_tmpfs.patch b/4.1.6/4427_force_XATTR_PAX_tmpfs.patch index a789f0b..a789f0b 100644 --- a/4.1.5/4427_force_XATTR_PAX_tmpfs.patch +++ b/4.1.6/4427_force_XATTR_PAX_tmpfs.patch diff --git a/4.1.5/4430_grsec-remove-localversion-grsec.patch b/4.1.6/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/4.1.5/4430_grsec-remove-localversion-grsec.patch +++ b/4.1.6/4430_grsec-remove-localversion-grsec.patch diff --git a/4.1.5/4435_grsec-mute-warnings.patch b/4.1.6/4435_grsec-mute-warnings.patch index b7564e4..b7564e4 100644 --- a/4.1.5/4435_grsec-mute-warnings.patch +++ b/4.1.6/4435_grsec-mute-warnings.patch diff --git a/4.1.5/4440_grsec-remove-protected-paths.patch b/4.1.6/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/4.1.5/4440_grsec-remove-protected-paths.patch +++ b/4.1.6/4440_grsec-remove-protected-paths.patch diff --git a/4.1.5/4450_grsec-kconfig-default-gids.patch b/4.1.6/4450_grsec-kconfig-default-gids.patch index 61d903e..61d903e 100644 --- a/4.1.5/4450_grsec-kconfig-default-gids.patch +++ b/4.1.6/4450_grsec-kconfig-default-gids.patch diff --git a/4.1.5/4465_selinux-avc_audit-log-curr_ip.patch b/4.1.6/4465_selinux-avc_audit-log-curr_ip.patch index ba89596..ba89596 100644 --- a/4.1.5/4465_selinux-avc_audit-log-curr_ip.patch +++ b/4.1.6/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/4.1.5/4470_disable-compat_vdso.patch b/4.1.6/4470_disable-compat_vdso.patch index 7aefa02..7aefa02 100644 --- a/4.1.5/4470_disable-compat_vdso.patch +++ b/4.1.6/4470_disable-compat_vdso.patch diff --git a/4.1.5/4475_emutramp_default_on.patch b/4.1.6/4475_emutramp_default_on.patch index a128205..a128205 100644 --- a/4.1.5/4475_emutramp_default_on.patch +++ b/4.1.6/4475_emutramp_default_on.patch |