grsecurity-{3.14.51,4.1.6}-20150818195320150818

26 files changed, 6706 insertions, 7757 deletions

diff --git a/3.14.50/1049_linux-3.14.50.patch b/3.14.50/1049_linux-3.14.50.patch
deleted file mode 100644
index bd7d238..0000000
--- a/3.14.50/1049_linux-3.14.50.patch
+++ /dev/null
@@ -1,700 +0,0 @@
-diff --git a/Makefile b/Makefile
-index fee8460..d71c40a 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 3
- PATCHLEVEL = 14
--SUBLEVEL = 49
-+SUBLEVEL = 50
- EXTRAVERSION =
- NAME = Remembering Coco
- 
-diff --git a/arch/arc/include/asm/ptrace.h b/arch/arc/include/asm/ptrace.h
-index 1bfeec2..2a58af7 100644
---- a/arch/arc/include/asm/ptrace.h
-+++ b/arch/arc/include/asm/ptrace.h
-@@ -63,7 +63,7 @@ struct callee_regs {
- 	long r25, r24, r23, r22, r21, r20, r19, r18, r17, r16, r15, r14, r13;
- };
- 
--#define instruction_pointer(regs)	((regs)->ret)
-+#define instruction_pointer(regs)	(unsigned long)((regs)->ret)
- #define profile_pc(regs)		instruction_pointer(regs)
- 
- /* return 1 if user mode or 0 if kernel mode */
-diff --git a/arch/avr32/mach-at32ap/clock.c b/arch/avr32/mach-at32ap/clock.c
-index 23b1a97..52c179b 100644
---- a/arch/avr32/mach-at32ap/clock.c
-+++ b/arch/avr32/mach-at32ap/clock.c
-@@ -80,6 +80,9 @@ int clk_enable(struct clk *clk)
- {
- 	unsigned long flags;
- 
-+	if (!clk)
-+		return 0;
-+
- 	spin_lock_irqsave(&clk_lock, flags);
- 	__clk_enable(clk);
- 	spin_unlock_irqrestore(&clk_lock, flags);
-@@ -106,6 +109,9 @@ void clk_disable(struct clk *clk)
- {
- 	unsigned long flags;
- 
-+	if (IS_ERR_OR_NULL(clk))
-+		return;
-+
- 	spin_lock_irqsave(&clk_lock, flags);
- 	__clk_disable(clk);
- 	spin_unlock_irqrestore(&clk_lock, flags);
-@@ -117,6 +123,9 @@ unsigned long clk_get_rate(struct clk *clk)
- 	unsigned long flags;
- 	unsigned long rate;
- 
-+	if (!clk)
-+		return 0;
-+
- 	spin_lock_irqsave(&clk_lock, flags);
- 	rate = clk->get_rate(clk);
- 	spin_unlock_irqrestore(&clk_lock, flags);
-@@ -129,6 +138,9 @@ long clk_round_rate(struct clk *clk, unsigned long rate)
- {
- 	unsigned long flags, actual_rate;
- 
-+	if (!clk)
-+		return 0;
-+
- 	if (!clk->set_rate)
- 		return -ENOSYS;
- 
-@@ -145,6 +157,9 @@ int clk_set_rate(struct clk *clk, unsigned long rate)
- 	unsigned long flags;
- 	long ret;
- 
-+	if (!clk)
-+		return 0;
-+
- 	if (!clk->set_rate)
- 		return -ENOSYS;
- 
-@@ -161,6 +176,9 @@ int clk_set_parent(struct clk *clk, struct clk *parent)
- 	unsigned long flags;
- 	int ret;
- 
-+	if (!clk)
-+		return 0;
-+
- 	if (!clk->set_parent)
- 		return -ENOSYS;
- 
-@@ -174,7 +192,7 @@ EXPORT_SYMBOL(clk_set_parent);
- 
- struct clk *clk_get_parent(struct clk *clk)
- {
--	return clk->parent;
-+	return !clk ? NULL : clk->parent;
- }
- EXPORT_SYMBOL(clk_get_parent);
- 
-diff --git a/arch/s390/kernel/sclp.S b/arch/s390/kernel/sclp.S
-index 29bd7be..1ecd47b 100644
---- a/arch/s390/kernel/sclp.S
-+++ b/arch/s390/kernel/sclp.S
-@@ -276,6 +276,8 @@ ENTRY(_sclp_print_early)
- 	jno	.Lesa2
- 	ahi	%r15,-80
- 	stmh	%r6,%r15,96(%r15)		# store upper register halves
-+	basr	%r13,0
-+	lmh	%r0,%r15,.Lzeroes-.(%r13)	# clear upper register halves
- .Lesa2:
- #endif
- 	lr	%r10,%r2			# save string pointer
-@@ -299,6 +301,8 @@ ENTRY(_sclp_print_early)
- #endif
- 	lm	%r6,%r15,120(%r15)		# restore registers
- 	br	%r14
-+.Lzeroes:
-+	.fill	64,4,0
- 
- .LwritedataS4:
- 	.long	0x00760005			# SCLP command for write data
-diff --git a/arch/tile/kernel/setup.c b/arch/tile/kernel/setup.c
-index 74c9172..bdb3ecf 100644
---- a/arch/tile/kernel/setup.c
-+++ b/arch/tile/kernel/setup.c
-@@ -1146,7 +1146,7 @@ static void __init load_hv_initrd(void)
- 
- void __init free_initrd_mem(unsigned long begin, unsigned long end)
- {
--	free_bootmem(__pa(begin), end - begin);
-+	free_bootmem_late(__pa(begin), end - begin);
- }
- 
- static int __init setup_initrd(char *str)
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 78cbb2d..ec5a3c7 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -560,6 +560,10 @@ static efi_status_t setup_e820(struct boot_params *params,
- 		unsigned int e820_type = 0;
- 		unsigned long m = efi->efi_memmap;
- 
-+#ifdef CONFIG_X86_64
-+		m |= (u64)efi->efi_memmap_hi << 32;
-+#endif
-+
- 		d = (efi_memory_desc_t *)(m + (i * efi->efi_memdesc_size));
- 		switch (d->type) {
- 		case EFI_RESERVED_TYPE:
-diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
-index c5b56ed..a814c80 100644
---- a/arch/x86/boot/compressed/head_32.S
-+++ b/arch/x86/boot/compressed/head_32.S
-@@ -54,7 +54,7 @@ ENTRY(efi_pe_entry)
- 	call	reloc
- reloc:
- 	popl	%ecx
--	subl	reloc, %ecx
-+	subl	$reloc, %ecx
- 	movl	%ecx, BP_code32_start(%eax)
- 
- 	sub	$0x4, %esp
-diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
-index d8f80e7..a717585 100644
---- a/block/blk-cgroup.c
-+++ b/block/blk-cgroup.c
-@@ -703,8 +703,12 @@ int blkg_conf_prep(struct blkcg *blkcg, const struct blkcg_policy *pol,
- 		return -EINVAL;
- 
- 	disk = get_gendisk(MKDEV(major, minor), &part);
--	if (!disk || part)
-+	if (!disk)
- 		return -EINVAL;
-+	if (part) {
-+		put_disk(disk);
-+		return -EINVAL;
-+	}
- 
- 	rcu_read_lock();
- 	spin_lock_irq(disk->queue->queue_lock);
-diff --git a/drivers/ata/libata-pmp.c b/drivers/ata/libata-pmp.c
-index 7ccc084..85aa761 100644
---- a/drivers/ata/libata-pmp.c
-+++ b/drivers/ata/libata-pmp.c
-@@ -460,6 +460,13 @@ static void sata_pmp_quirks(struct ata_port *ap)
- 				       ATA_LFLAG_NO_SRST |
- 				       ATA_LFLAG_ASSUME_ATA;
- 		}
-+	} else if (vendor == 0x11ab && devid == 0x4140) {
-+		/* Marvell 4140 quirks */
-+		ata_for_each_link(link, ap, EDGE) {
-+			/* port 4 is for SEMB device and it doesn't like SRST */
-+			if (link->pmp == 4)
-+				link->flags |= ATA_LFLAG_DISABLED;
-+		}
- 	}
- }
- 
-diff --git a/drivers/input/touchscreen/usbtouchscreen.c b/drivers/input/touchscreen/usbtouchscreen.c
-index a096633..c6f7e91 100644
---- a/drivers/input/touchscreen/usbtouchscreen.c
-+++ b/drivers/input/touchscreen/usbtouchscreen.c
-@@ -625,6 +625,9 @@ static int dmc_tsc10_init(struct usbtouch_usb *usbtouch)
- 		goto err_out;
- 	}
- 
-+	/* TSC-25 data sheet specifies a delay after the RESET command */
-+	msleep(150);
-+
- 	/* set coordinate output rate */
- 	buf[0] = buf[1] = 0xFF;
- 	ret = usb_control_msg(dev, usb_rcvctrlpipe (dev, 0),
-diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index b96ee9d..9be97e0 100644
---- a/drivers/md/raid1.c
-+++ b/drivers/md/raid1.c
-@@ -336,7 +336,7 @@ static void raid1_end_read_request(struct bio *bio, int error)
- 		spin_lock_irqsave(&conf->device_lock, flags);
- 		if (r1_bio->mddev->degraded == conf->raid_disks ||
- 		    (r1_bio->mddev->degraded == conf->raid_disks-1 &&
--		     !test_bit(Faulty, &conf->mirrors[mirror].rdev->flags)))
-+		     test_bit(In_sync, &conf->mirrors[mirror].rdev->flags)))
- 			uptodate = 1;
- 		spin_unlock_irqrestore(&conf->device_lock, flags);
- 	}
-diff --git a/drivers/mmc/host/sdhci-esdhc.h b/drivers/mmc/host/sdhci-esdhc.h
-index a7d9f95..7fd86be 100644
---- a/drivers/mmc/host/sdhci-esdhc.h
-+++ b/drivers/mmc/host/sdhci-esdhc.h
-@@ -47,6 +47,6 @@
- #define ESDHC_DMA_SYSCTL	0x40c
- #define ESDHC_DMA_SNOOP		0x00000040
- 
--#define ESDHC_HOST_CONTROL_RES	0x05
-+#define ESDHC_HOST_CONTROL_RES	0x01
- 
- #endif /* _DRIVERS_MMC_SDHCI_ESDHC_H */
-diff --git a/drivers/mmc/host/sdhci-pxav3.c b/drivers/mmc/host/sdhci-pxav3.c
-index 561c6b4..b807666 100644
---- a/drivers/mmc/host/sdhci-pxav3.c
-+++ b/drivers/mmc/host/sdhci-pxav3.c
-@@ -257,6 +257,7 @@ static int sdhci_pxav3_probe(struct platform_device *pdev)
- 			goto err_of_parse;
- 		sdhci_get_of_property(pdev);
- 		pdata = pxav3_get_mmc_pdata(dev);
-+		pdev->dev.platform_data = pdata;
- 	} else if (pdata) {
- 		/* on-chip device */
- 		if (pdata->flags & PXA_FLAG_CARD_PERMANENT)
-diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
-index a1d6986..f310982 100644
---- a/drivers/scsi/st.c
-+++ b/drivers/scsi/st.c
-@@ -1262,9 +1262,9 @@ static int st_open(struct inode *inode, struct file *filp)
- 	spin_lock(&st_use_lock);
- 	STp->in_use = 0;
- 	spin_unlock(&st_use_lock);
--	scsi_tape_put(STp);
- 	if (resumed)
- 		scsi_autopm_put_device(STp->device);
-+	scsi_tape_put(STp);
- 	return retval;
- 
- }
-diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
-index c8d7b30..55ec9b4 100644
---- a/drivers/target/iscsi/iscsi_target.c
-+++ b/drivers/target/iscsi/iscsi_target.c
-@@ -4476,7 +4476,18 @@ static void iscsit_logout_post_handler_closesession(
- 	struct iscsi_conn *conn)
- {
- 	struct iscsi_session *sess = conn->sess;
--	int sleep = cmpxchg(&conn->tx_thread_active, true, false);
-+	int sleep = 1;
-+	/*
-+	 * Traditional iscsi/tcp will invoke this logic from TX thread
-+	 * context during session logout, so clear tx_thread_active and
-+	 * sleep if iscsit_close_connection() has not already occured.
-+	 *
-+	 * Since iser-target invokes this logic from it's own workqueue,
-+	 * always sleep waiting for RX/TX thread shutdown to complete
-+	 * within iscsit_close_connection().
-+	 */
-+	if (conn->conn_transport->transport_type == ISCSI_TCP)
-+		sleep = cmpxchg(&conn->tx_thread_active, true, false);
- 
- 	atomic_set(&conn->conn_logout_remove, 0);
- 	complete(&conn->conn_logout_comp);
-@@ -4490,7 +4501,10 @@ static void iscsit_logout_post_handler_closesession(
- static void iscsit_logout_post_handler_samecid(
- 	struct iscsi_conn *conn)
- {
--	int sleep = cmpxchg(&conn->tx_thread_active, true, false);
-+	int sleep = 1;
-+
-+	if (conn->conn_transport->transport_type == ISCSI_TCP)
-+		sleep = cmpxchg(&conn->tx_thread_active, true, false);
- 
- 	atomic_set(&conn->conn_logout_remove, 0);
- 	complete(&conn->conn_logout_comp);
-@@ -4709,6 +4723,7 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force)
- 	struct iscsi_session *sess;
- 	struct se_portal_group *se_tpg = &tpg->tpg_se_tpg;
- 	struct se_session *se_sess, *se_sess_tmp;
-+	LIST_HEAD(free_list);
- 	int session_count = 0;
- 
- 	spin_lock_bh(&se_tpg->session_lock);
-@@ -4730,14 +4745,17 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force)
- 		}
- 		atomic_set(&sess->session_reinstatement, 1);
- 		spin_unlock(&sess->conn_lock);
--		spin_unlock_bh(&se_tpg->session_lock);
- 
--		iscsit_free_session(sess);
--		spin_lock_bh(&se_tpg->session_lock);
-+		list_move_tail(&se_sess->sess_list, &free_list);
-+	}
-+	spin_unlock_bh(&se_tpg->session_lock);
- 
-+	list_for_each_entry_safe(se_sess, se_sess_tmp, &free_list, sess_list) {
-+		sess = (struct iscsi_session *)se_sess->fabric_sess_ptr;
-+
-+		iscsit_free_session(sess);
- 		session_count++;
- 	}
--	spin_unlock_bh(&se_tpg->session_lock);
- 
- 	pr_debug("Released %d iSCSI Session(s) from Target Portal"
- 			" Group: %hu\n", session_count, tpg->tpgt);
-diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
-index b9e16abb..5c95765 100644
---- a/drivers/usb/host/xhci-hub.c
-+++ b/drivers/usb/host/xhci-hub.c
-@@ -480,10 +480,13 @@ static void xhci_hub_report_usb3_link_state(struct xhci_hcd *xhci,
- 	u32 pls = status_reg & PORT_PLS_MASK;
- 
- 	/* resume state is a xHCI internal state.
--	 * Do not report it to usb core.
-+	 * Do not report it to usb core, instead, pretend to be U3,
-+	 * thus usb core knows it's not ready for transfer
- 	 */
--	if (pls == XDEV_RESUME)
-+	if (pls == XDEV_RESUME) {
-+		*status |= USB_SS_PORT_LS_U3;
- 		return;
-+	}
- 
- 	/* When the CAS bit is set then warm reset
- 	 * should be performed on port
-@@ -584,7 +587,14 @@ static u32 xhci_get_port_status(struct usb_hcd *hcd,
- 		status |= USB_PORT_STAT_C_RESET << 16;
- 	/* USB3.0 only */
- 	if (hcd->speed == HCD_USB3) {
--		if ((raw_port_status & PORT_PLC))
-+		/* Port link change with port in resume state should not be
-+		 * reported to usbcore, as this is an internal state to be
-+		 * handled by xhci driver. Reporting PLC to usbcore may
-+		 * cause usbcore clearing PLC first and port change event
-+		 * irq won't be generated.
-+		 */
-+		if ((raw_port_status & PORT_PLC) &&
-+			(raw_port_status & PORT_PLS_MASK) != XDEV_RESUME)
- 			status |= USB_PORT_STAT_C_LINK_STATE << 16;
- 		if ((raw_port_status & PORT_WRC))
- 			status |= USB_PORT_STAT_C_BH_RESET << 16;
-@@ -1114,10 +1124,10 @@ int xhci_bus_suspend(struct usb_hcd *hcd)
- 	spin_lock_irqsave(&xhci->lock, flags);
- 
- 	if (hcd->self.root_hub->do_remote_wakeup) {
--		if (bus_state->resuming_ports) {
-+		if (bus_state->resuming_ports ||	/* USB2 */
-+		    bus_state->port_remote_wakeup) {	/* USB3 */
- 			spin_unlock_irqrestore(&xhci->lock, flags);
--			xhci_dbg(xhci, "suspend failed because "
--						"a port is resuming\n");
-+			xhci_dbg(xhci, "suspend failed because a port is resuming\n");
- 			return -EBUSY;
- 		}
- 	}
-diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
-index f615712..bcc43a2 100644
---- a/drivers/usb/host/xhci-ring.c
-+++ b/drivers/usb/host/xhci-ring.c
-@@ -1740,6 +1740,9 @@ static void handle_port_status(struct xhci_hcd *xhci,
- 		usb_hcd_resume_root_hub(hcd);
- 	}
- 
-+	if (hcd->speed == HCD_USB3 && (temp & PORT_PLS_MASK) == XDEV_INACTIVE)
-+		bus_state->port_remote_wakeup &= ~(1 << faked_port_index);
-+
- 	if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_RESUME) {
- 		xhci_dbg(xhci, "port resume event for port %d\n", port_id);
- 
-diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index 16f4f8d..fc61e663b 100644
---- a/drivers/usb/host/xhci.c
-+++ b/drivers/usb/host/xhci.c
-@@ -3424,6 +3424,9 @@ int xhci_discover_or_reset_device(struct usb_hcd *hcd, struct usb_device *udev)
- 			return -EINVAL;
- 	}
- 
-+	if (virt_dev->tt_info)
-+		old_active_eps = virt_dev->tt_info->active_eps;
-+
- 	if (virt_dev->udev != udev) {
- 		/* If the virt_dev and the udev does not match, this virt_dev
- 		 * may belong to another udev.
-diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
-index 70facb7..c167485 100644
---- a/drivers/usb/host/xhci.h
-+++ b/drivers/usb/host/xhci.h
-@@ -285,6 +285,7 @@ struct xhci_op_regs {
- #define XDEV_U0		(0x0 << 5)
- #define XDEV_U2		(0x2 << 5)
- #define XDEV_U3		(0x3 << 5)
-+#define XDEV_INACTIVE	(0x6 << 5)
- #define XDEV_RESUME	(0xf << 5)
- /* true: port has power (see HCC_PPC) */
- #define PORT_POWER	(1 << 9)
-diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
-index 821e1e2..da380a9 100644
---- a/drivers/usb/storage/unusual_devs.h
-+++ b/drivers/usb/storage/unusual_devs.h
-@@ -2032,6 +2032,18 @@ UNUSUAL_DEV( 0x1908, 0x3335, 0x0200, 0x0200,
- 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
- 		US_FL_NO_READ_DISC_INFO ),
- 
-+/* Reported by Oliver Neukum <oneukum@suse.com>
-+ * This device morphes spontaneously into another device if the access
-+ * pattern of Windows isn't followed. Thus writable media would be dirty
-+ * if the initial instance is used. So the device is limited to its
-+ * virtual CD.
-+ * And yes, the concept that BCD goes up to 9 is not heeded */
-+UNUSUAL_DEV( 0x19d2, 0x1225, 0x0000, 0xffff,
-+		"ZTE,Incorporated",
-+		"ZTE WCDMA Technologies MSM",
-+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
-+		US_FL_SINGLE_LUN ),
-+
- /* Reported by Sven Geggus <sven-usbst@geggus.net>
-  * This encrypted pen drive returns bogus data for the initial READ(10).
-  */
-diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
-index 78987e4..85095d7 100644
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -876,6 +876,7 @@ long vhost_dev_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
- 		}
- 		if (eventfp != d->log_file) {
- 			filep = d->log_file;
-+			d->log_file = eventfp;
- 			ctx = d->log_ctx;
- 			d->log_ctx = eventfp ?
- 				eventfd_ctx_fileget(eventfp) : NULL;
-diff --git a/fs/dcache.c b/fs/dcache.c
-index aa24f7d..3d2f27b 100644
---- a/fs/dcache.c
-+++ b/fs/dcache.c
-@@ -587,6 +587,9 @@ repeat:
- 	if (unlikely(d_unhashed(dentry)))
- 		goto kill_it;
- 
-+	if (unlikely(dentry->d_flags & DCACHE_DISCONNECTED))
-+		goto kill_it;
-+
- 	if (unlikely(dentry->d_flags & DCACHE_OP_DELETE)) {
- 		if (dentry->d_op->d_delete(dentry))
- 			goto kill_it;
-diff --git a/kernel/irq/resend.c b/kernel/irq/resend.c
-index 9065107..7a5237a 100644
---- a/kernel/irq/resend.c
-+++ b/kernel/irq/resend.c
-@@ -75,13 +75,21 @@ void check_irq_resend(struct irq_desc *desc, unsigned int irq)
- 		    !desc->irq_data.chip->irq_retrigger(&desc->irq_data)) {
- #ifdef CONFIG_HARDIRQS_SW_RESEND
- 			/*
--			 * If the interrupt has a parent irq and runs
--			 * in the thread context of the parent irq,
--			 * retrigger the parent.
-+			 * If the interrupt is running in the thread
-+			 * context of the parent irq we need to be
-+			 * careful, because we cannot trigger it
-+			 * directly.
- 			 */
--			if (desc->parent_irq &&
--			    irq_settings_is_nested_thread(desc))
-+			if (irq_settings_is_nested_thread(desc)) {
-+				/*
-+				 * If the parent_irq is valid, we
-+				 * retrigger the parent, otherwise we
-+				 * do nothing.
-+				 */
-+				if (!desc->parent_irq)
-+					return;
- 				irq = desc->parent_irq;
-+			}
- 			/* Set it pending and activate the softirq: */
- 			set_bit(irq, irqs_resend);
- 			tasklet_schedule(&resend_tasklet);
-diff --git a/mm/memory.c b/mm/memory.c
-index 749e1c6..e9ddc7a 100644
---- a/mm/memory.c
-+++ b/mm/memory.c
-@@ -3234,6 +3234,10 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
- 
- 	pte_unmap(page_table);
- 
-+	/* File mapping without ->vm_ops ? */
-+	if (vma->vm_flags & VM_SHARED)
-+		return VM_FAULT_SIGBUS;
-+
- 	/* Check if we need to add a guard page to the stack */
- 	if (check_stack_guard_page(vma, address) < 0)
- 		return VM_FAULT_SIGSEGV;
-@@ -3502,6 +3506,9 @@ static int do_linear_fault(struct mm_struct *mm, struct vm_area_struct *vma,
- 			- vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
- 
- 	pte_unmap(page_table);
-+	/* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */
-+	if (!vma->vm_ops->fault)
-+		return VM_FAULT_SIGBUS;
- 	return __do_fault(mm, vma, address, pmd, pgoff, flags, orig_pte);
- }
- 
-@@ -3650,11 +3657,9 @@ static int handle_pte_fault(struct mm_struct *mm,
- 	entry = ACCESS_ONCE(*pte);
- 	if (!pte_present(entry)) {
- 		if (pte_none(entry)) {
--			if (vma->vm_ops) {
--				if (likely(vma->vm_ops->fault))
--					return do_linear_fault(mm, vma, address,
-+			if (vma->vm_ops)
-+				return do_linear_fault(mm, vma, address,
- 						pte, pmd, flags, entry);
--			}
- 			return do_anonymous_page(mm, vma, address,
- 						 pte, pmd, flags);
- 		}
-diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
-index 653ce5d..5d8bc1f 100644
---- a/net/mac80211/debugfs_netdev.c
-+++ b/net/mac80211/debugfs_netdev.c
-@@ -712,6 +712,7 @@ void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
- 
- 	debugfs_remove_recursive(sdata->vif.debugfs_dir);
- 	sdata->vif.debugfs_dir = NULL;
-+	sdata->debugfs.subdir_stations = NULL;
- }
- 
- void ieee80211_debugfs_rename_netdev(struct ieee80211_sub_if_data *sdata)
-diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
-index e8fdb17..a985158 100644
---- a/net/rds/ib_rdma.c
-+++ b/net/rds/ib_rdma.c
-@@ -759,8 +759,10 @@ void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents,
- 	}
- 
- 	ibmr = rds_ib_alloc_fmr(rds_ibdev);
--	if (IS_ERR(ibmr))
-+	if (IS_ERR(ibmr)) {
-+		rds_ib_dev_put(rds_ibdev);
- 		return ibmr;
-+	}
- 
- 	ret = rds_ib_map_fmr(rds_ibdev, ibmr, sg, nents);
- 	if (ret == 0)
-diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index 2f503c0..907371d 100644
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -2282,7 +2282,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
- 	SND_PCI_QUIRK(0x106b, 0x4300, "iMac 9,1", ALC889_FIXUP_IMAC91_VREF),
- 	SND_PCI_QUIRK(0x106b, 0x4600, "MacbookPro 5,2", ALC889_FIXUP_IMAC91_VREF),
- 	SND_PCI_QUIRK(0x106b, 0x4900, "iMac 9,1 Aluminum", ALC889_FIXUP_IMAC91_VREF),
--	SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_IMAC91_VREF),
-+	SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_MBA11_VREF),
- 
- 	SND_PCI_QUIRK(0x1071, 0x8258, "Evesham Voyaeger", ALC882_FIXUP_EAPD),
- 	SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD),
-diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c
-index b16be39..9a3e107 100644
---- a/sound/usb/mixer_maps.c
-+++ b/sound/usb/mixer_maps.c
-@@ -336,6 +336,20 @@ static const struct usbmix_name_map scms_usb3318_map[] = {
- 	{ 0 }
- };
- 
-+/* Bose companion 5, the dB conversion factor is 16 instead of 256 */
-+static struct usbmix_dB_map bose_companion5_dB = {-5006, -6};
-+static struct usbmix_name_map bose_companion5_map[] = {
-+	{ 3, NULL, .dB = &bose_companion5_dB },
-+	{ 0 }	/* terminator */
-+};
-+
-+/* Dragonfly DAC 1.2, the dB conversion factor is 1 instead of 256 */
-+static struct usbmix_dB_map dragonfly_1_2_dB = {0, 5000};
-+static struct usbmix_name_map dragonfly_1_2_map[] = {
-+	{ 7, NULL, .dB = &dragonfly_1_2_dB },
-+	{ 0 }	/* terminator */
-+};
-+
- /*
-  * Control map entries
-  */
-@@ -442,6 +456,16 @@ static struct usbmix_ctl_map usbmix_ctl_maps[] = {
- 		.id = USB_ID(0x25c4, 0x0003),
- 		.map = scms_usb3318_map,
- 	},
-+	{
-+		/* Bose Companion 5 */
-+		.id = USB_ID(0x05a7, 0x1020),
-+		.map = bose_companion5_map,
-+	},
-+	{
-+		/* Dragonfly DAC 1.2 */
-+		.id = USB_ID(0x21b4, 0x0081),
-+		.map = dragonfly_1_2_map,
-+	},
- 	{ 0 } /* terminator */
- };
- 
-diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
-index 5293b5a..7c24088 100644
---- a/sound/usb/quirks-table.h
-+++ b/sound/usb/quirks-table.h
-@@ -2516,6 +2516,74 @@ YAMAHA_DEVICE(0x7010, "UB99"),
- 	}
- },
- 
-+/* Steinberg devices */
-+{
-+	/* Steinberg MI2 */
-+	USB_DEVICE_VENDOR_SPEC(0x0a4e, 0x2040),
-+	.driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
-+		.ifnum = QUIRK_ANY_INTERFACE,
-+		.type = QUIRK_COMPOSITE,
-+		.data = & (const struct snd_usb_audio_quirk[]) {
-+			{
-+				.ifnum = 0,
-+				.type = QUIRK_AUDIO_STANDARD_INTERFACE
-+			},
-+			{
-+				.ifnum = 1,
-+				.type = QUIRK_AUDIO_STANDARD_INTERFACE
-+			},
-+			{
-+				.ifnum = 2,
-+				.type = QUIRK_AUDIO_STANDARD_INTERFACE
-+			},
-+			{
-+				.ifnum = 3,
-+				.type = QUIRK_MIDI_FIXED_ENDPOINT,
-+				.data = &(const struct snd_usb_midi_endpoint_info) {
-+					.out_cables = 0x0001,
-+					.in_cables  = 0x0001
-+				}
-+			},
-+			{
-+				.ifnum = -1
-+			}
-+		}
-+	}
-+},
-+{
-+	/* Steinberg MI4 */
-+	USB_DEVICE_VENDOR_SPEC(0x0a4e, 0x4040),
-+	.driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
-+		.ifnum = QUIRK_ANY_INTERFACE,
-+		.type = QUIRK_COMPOSITE,
-+		.data = & (const struct snd_usb_audio_quirk[]) {
-+			{
-+				.ifnum = 0,
-+				.type = QUIRK_AUDIO_STANDARD_INTERFACE
-+			},
-+			{
-+				.ifnum = 1,
-+				.type = QUIRK_AUDIO_STANDARD_INTERFACE
-+			},
-+			{
-+				.ifnum = 2,
-+				.type = QUIRK_AUDIO_STANDARD_INTERFACE
-+			},
-+			{
-+				.ifnum = 3,
-+				.type = QUIRK_MIDI_FIXED_ENDPOINT,
-+				.data = &(const struct snd_usb_midi_endpoint_info) {
-+					.out_cables = 0x0001,
-+					.in_cables  = 0x0001
-+				}
-+			},
-+			{
-+				.ifnum = -1
-+			}
-+		}
-+	}
-+},
-+
- /* TerraTec devices */
- {
- 	USB_DEVICE_VENDOR_SPEC(0x0ccd, 0x0012),
diff --git a/3.14.50/0000_README b/3.14.51/0000_README
index 9ad9afc..430d8cd 100644
--- a/3.14.50/0000_README
+++ b/3.14.51/0000_README
@@ -2,11 +2,11 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	1049_linux-3.14.50.patch
+Patch:	1050_linux-3.14.51.patch
 From:	http://www.kernel.org
-Desc:	Linux 3.14.50
+Desc:	Linux 3.14.51
 
-Patch:	4420_grsecurity-3.1-3.14.50-201508142232.patch
+Patch:	4420_grsecurity-3.1-3.14.51-201508181951.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.14.51/1050_linux-3.14.51.patch b/3.14.51/1050_linux-3.14.51.patch
new file mode 100644
index 0000000..8c28a74
--- /dev/null
+++ b/3.14.51/1050_linux-3.14.51.patch
@@ -0,0 +1,1929 @@
+diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
+index 4c3efe4..750ab97 100644
+--- a/Documentation/ABI/testing/ima_policy
++++ b/Documentation/ABI/testing/ima_policy
+@@ -20,16 +20,18 @@ Description:
+ 		action: measure | dont_measure | appraise | dont_appraise | audit
+ 		condition:= base | lsm  [option]
+ 			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
+-				 [fowner]]
++				[euid=] [fowner=]]
+ 			lsm:	[[subj_user=] [subj_role=] [subj_type=]
+ 				 [obj_user=] [obj_role=] [obj_type=]]
+ 			option:	[[appraise_type=]] [permit_directio]
+ 
+ 		base: 	func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
+-			mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
++			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
++			       [[^]MAY_EXEC]
+ 			fsmagic:= hex value
+ 			fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
+ 			uid:= decimal value
++			euid:= decimal value
+ 			fowner:=decimal value
+ 		lsm:  	are LSM specific
+ 		option:	appraise_type:= [imasig]
+diff --git a/Makefile b/Makefile
+index d71c40a..83275d8e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 14
+-SUBLEVEL = 50
++SUBLEVEL = 51
+ EXTRAVERSION =
+ NAME = Remembering Coco
+ 
+diff --git a/arch/arm/include/asm/smp.h b/arch/arm/include/asm/smp.h
+index 22a3b9b..4157aec 100644
+--- a/arch/arm/include/asm/smp.h
++++ b/arch/arm/include/asm/smp.h
+@@ -74,6 +74,7 @@ struct secondary_data {
+ };
+ extern struct secondary_data secondary_data;
+ extern volatile int pen_release;
++extern void secondary_startup(void);
+ 
+ extern int __cpu_disable(void);
+ 
+diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
+index 4551efd..399af1e 100644
+--- a/arch/arm/mach-omap2/omap_hwmod.c
++++ b/arch/arm/mach-omap2/omap_hwmod.c
+@@ -2452,6 +2452,9 @@ static int of_dev_hwmod_lookup(struct device_node *np,
+  * registers.  This address is needed early so the OCP registers that
+  * are part of the device's address space can be ioremapped properly.
+  *
++ * If SYSC access is not needed, the registers will not be remapped
++ * and non-availability of MPU access is not treated as an error.
++ *
+  * Returns 0 on success, -EINVAL if an invalid hwmod is passed, and
+  * -ENXIO on absent or invalid register target address space.
+  */
+@@ -2466,6 +2469,11 @@ static int __init _init_mpu_rt_base(struct omap_hwmod *oh, void *data,
+ 
+ 	_save_mpu_port_index(oh);
+ 
++	/* if we don't need sysc access we don't need to ioremap */
++	if (!oh->class->sysc)
++		return 0;
++
++	/* we can't continue without MPU PORT if we need sysc access */
+ 	if (oh->_int_flags & _HWMOD_NO_MPU_PORT)
+ 		return -ENXIO;
+ 
+@@ -2475,8 +2483,10 @@ static int __init _init_mpu_rt_base(struct omap_hwmod *oh, void *data,
+ 			 oh->name);
+ 
+ 		/* Extract the IO space from device tree blob */
+-		if (!np)
++		if (!np) {
++			pr_err("omap_hwmod: %s: no dt node\n", oh->name);
+ 			return -ENXIO;
++		}
+ 
+ 		va_start = of_iomap(np, index + oh->mpu_rt_idx);
+ 	} else {
+@@ -2535,13 +2545,11 @@ static int __init _init(struct omap_hwmod *oh, void *data)
+ 				oh->name, np->name);
+ 	}
+ 
+-	if (oh->class->sysc) {
+-		r = _init_mpu_rt_base(oh, NULL, index, np);
+-		if (r < 0) {
+-			WARN(1, "omap_hwmod: %s: doesn't have mpu register target base\n",
+-			     oh->name);
+-			return 0;
+-		}
++	r = _init_mpu_rt_base(oh, NULL, index, np);
++	if (r < 0) {
++		WARN(1, "omap_hwmod: %s: doesn't have mpu register target base\n",
++		     oh->name);
++		return 0;
+ 	}
+ 
+ 	r = _init_clocks(oh, NULL);
+diff --git a/arch/arm/mach-realview/include/mach/memory.h b/arch/arm/mach-realview/include/mach/memory.h
+index 2022e09..db09170 100644
+--- a/arch/arm/mach-realview/include/mach/memory.h
++++ b/arch/arm/mach-realview/include/mach/memory.h
+@@ -56,6 +56,8 @@
+ #define PAGE_OFFSET1	(PAGE_OFFSET + 0x10000000)
+ #define PAGE_OFFSET2	(PAGE_OFFSET + 0x30000000)
+ 
++#define PHYS_OFFSET PLAT_PHYS_OFFSET
++
+ #define __phys_to_virt(phys)						\
+ 	((phys) >= 0x80000000 ?	(phys) - 0x80000000 + PAGE_OFFSET2 :	\
+ 	 (phys) >= 0x20000000 ?	(phys) - 0x20000000 + PAGE_OFFSET1 :	\
+diff --git a/arch/arm/mach-sunxi/Makefile b/arch/arm/mach-sunxi/Makefile
+index d939720..27b168f 100644
+--- a/arch/arm/mach-sunxi/Makefile
++++ b/arch/arm/mach-sunxi/Makefile
+@@ -1,2 +1,2 @@
+ obj-$(CONFIG_ARCH_SUNXI) += sunxi.o
+-obj-$(CONFIG_SMP) += platsmp.o headsmp.o
++obj-$(CONFIG_SMP) += platsmp.o
+diff --git a/arch/arm/mach-sunxi/headsmp.S b/arch/arm/mach-sunxi/headsmp.S
+deleted file mode 100644
+index a10d494..0000000
+--- a/arch/arm/mach-sunxi/headsmp.S
++++ /dev/null
+@@ -1,9 +0,0 @@
+-#include <linux/linkage.h>
+-#include <linux/init.h>
+-
+-        .section ".text.head", "ax"
+-
+-ENTRY(sun6i_secondary_startup)
+-	msr	cpsr_fsxc, #0xd3
+-	b	secondary_startup
+-ENDPROC(sun6i_secondary_startup)
+diff --git a/arch/arm/mach-sunxi/platsmp.c b/arch/arm/mach-sunxi/platsmp.c
+index 7b141d8..0c7dbce 100644
+--- a/arch/arm/mach-sunxi/platsmp.c
++++ b/arch/arm/mach-sunxi/platsmp.c
+@@ -82,7 +82,7 @@ static int sun6i_smp_boot_secondary(unsigned int cpu,
+ 	spin_lock(&cpu_lock);
+ 
+ 	/* Set CPU boot address */
+-	writel(virt_to_phys(sun6i_secondary_startup),
++	writel(virt_to_phys(secondary_startup),
+ 	       cpucfg_membase + CPUCFG_PRIVATE0_REG);
+ 
+ 	/* Assert the CPU core in reset */
+diff --git a/arch/arm64/kernel/signal32.c b/arch/arm64/kernel/signal32.c
+index 7ed72dc..a966bac 100644
+--- a/arch/arm64/kernel/signal32.c
++++ b/arch/arm64/kernel/signal32.c
+@@ -165,7 +165,8 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from)
+ 		 * Other callers might not initialize the si_lsb field,
+ 		 * so check explicitely for the right codes here.
+ 		 */
+-		if (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO)
++		if (from->si_signo == SIGBUS &&
++		    (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO))
+ 			err |= __put_user(from->si_addr_lsb, &to->si_addr_lsb);
+ #endif
+ 		break;
+@@ -192,8 +193,6 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from)
+ 
+ int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from)
+ {
+-	memset(to, 0, sizeof *to);
+-
+ 	if (copy_from_user(to, from, __ARCH_SI_PREAMBLE_SIZE) ||
+ 	    copy_from_user(to->_sifields._pad,
+ 			   from->_sifields._pad, SI_PAD_SIZE))
+diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
+index 008324d..b154953 100644
+--- a/arch/mips/include/asm/pgtable.h
++++ b/arch/mips/include/asm/pgtable.h
+@@ -150,8 +150,39 @@ static inline void set_pte(pte_t *ptep, pte_t pteval)
+ 		 * Make sure the buddy is global too (if it's !none,
+ 		 * it better already be global)
+ 		 */
++#ifdef CONFIG_SMP
++		/*
++		 * For SMP, multiple CPUs can race, so we need to do
++		 * this atomically.
++		 */
++#ifdef CONFIG_64BIT
++#define LL_INSN "lld"
++#define SC_INSN "scd"
++#else /* CONFIG_32BIT */
++#define LL_INSN "ll"
++#define SC_INSN "sc"
++#endif
++		unsigned long page_global = _PAGE_GLOBAL;
++		unsigned long tmp;
++
++		__asm__ __volatile__ (
++			"	.set	push\n"
++			"	.set	noreorder\n"
++			"1:	" LL_INSN "	%[tmp], %[buddy]\n"
++			"	bnez	%[tmp], 2f\n"
++			"	 or	%[tmp], %[tmp], %[global]\n"
++			"	" SC_INSN "	%[tmp], %[buddy]\n"
++			"	beqz	%[tmp], 1b\n"
++			"	 nop\n"
++			"2:\n"
++			"	.set pop"
++			: [buddy] "+m" (buddy->pte),
++			  [tmp] "=&r" (tmp)
++			: [global] "r" (page_global));
++#else /* !CONFIG_SMP */
+ 		if (pte_none(*buddy))
+ 			pte_val(*buddy) = pte_val(*buddy) | _PAGE_GLOBAL;
++#endif /* CONFIG_SMP */
+ 	}
+ #endif
+ }
+diff --git a/arch/mips/kernel/mips-mt-fpaff.c b/arch/mips/kernel/mips-mt-fpaff.c
+index cb09862..ca16964 100644
+--- a/arch/mips/kernel/mips-mt-fpaff.c
++++ b/arch/mips/kernel/mips-mt-fpaff.c
+@@ -154,7 +154,7 @@ asmlinkage long mipsmt_sys_sched_getaffinity(pid_t pid, unsigned int len,
+ 				      unsigned long __user *user_mask_ptr)
+ {
+ 	unsigned int real_len;
+-	cpumask_t mask;
++	cpumask_t allowed, mask;
+ 	int retval;
+ 	struct task_struct *p;
+ 
+@@ -173,7 +173,8 @@ asmlinkage long mipsmt_sys_sched_getaffinity(pid_t pid, unsigned int len,
+ 	if (retval)
+ 		goto out_unlock;
+ 
+-	cpumask_and(&mask, &p->thread.user_cpus_allowed, cpu_possible_mask);
++	cpumask_or(&allowed, &p->thread.user_cpus_allowed, &p->cpus_allowed);
++	cpumask_and(&mask, &allowed, cpu_active_mask);
+ 
+ out_unlock:
+ 	read_unlock(&tasklist_lock);
+diff --git a/arch/mips/kernel/signal32.c b/arch/mips/kernel/signal32.c
+index 3d60f77..ea585cf 100644
+--- a/arch/mips/kernel/signal32.c
++++ b/arch/mips/kernel/signal32.c
+@@ -370,8 +370,6 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from)
+ 
+ int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from)
+ {
+-	memset(to, 0, sizeof *to);
+-
+ 	if (copy_from_user(to, from, 3*sizeof(int)) ||
+ 	    copy_from_user(to->_sifields._pad,
+ 			   from->_sifields._pad, SI_PAD_SIZE32))
+diff --git a/arch/mips/mti-malta/malta-time.c b/arch/mips/mti-malta/malta-time.c
+index 3190099..d4ab447 100644
+--- a/arch/mips/mti-malta/malta-time.c
++++ b/arch/mips/mti-malta/malta-time.c
+@@ -168,14 +168,17 @@ unsigned int get_c0_compare_int(void)
+ 
+ static void __init init_rtc(void)
+ {
+-	/* stop the clock whilst setting it up */
+-	CMOS_WRITE(RTC_SET | RTC_24H, RTC_CONTROL);
++	unsigned char freq, ctrl;
+ 
+-	/* 32KHz time base */
+-	CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT);
++	/* Set 32KHz time base if not already set */
++	freq = CMOS_READ(RTC_FREQ_SELECT);
++	if ((freq & RTC_DIV_CTL) != RTC_REF_CLCK_32KHZ)
++		CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT);
+ 
+-	/* start the clock */
+-	CMOS_WRITE(RTC_24H, RTC_CONTROL);
++	/* Ensure SET bit is clear so RTC can run */
++	ctrl = CMOS_READ(RTC_CONTROL);
++	if (ctrl & RTC_SET)
++		CMOS_WRITE(ctrl & ~RTC_SET, RTC_CONTROL);
+ }
+ 
+ void __init plat_time_init(void)
+diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
+index 4e47db6..e881e3f 100644
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -967,8 +967,6 @@ int copy_siginfo_to_user32(struct compat_siginfo __user *d, const siginfo_t *s)
+ 
+ int copy_siginfo_from_user32(siginfo_t *to, struct compat_siginfo __user *from)
+ {
+-	memset(to, 0, sizeof *to);
+-
+ 	if (copy_from_user(to, from, 3*sizeof(int)) ||
+ 	    copy_from_user(to->_sifields._pad,
+ 			   from->_sifields._pad, SI_PAD_SIZE32))
+diff --git a/arch/sparc/include/asm/visasm.h b/arch/sparc/include/asm/visasm.h
+index 11fdf0e..50d6f16 100644
+--- a/arch/sparc/include/asm/visasm.h
++++ b/arch/sparc/include/asm/visasm.h
+@@ -28,16 +28,10 @@
+  * Must preserve %o5 between VISEntryHalf and VISExitHalf */
+ 
+ #define VISEntryHalf					\
+-	rd		%fprs, %o5;			\
+-	andcc		%o5, FPRS_FEF, %g0;		\
+-	be,pt		%icc, 297f;			\
+-	 sethi		%hi(298f), %g7;			\
+-	sethi		%hi(VISenterhalf), %g1;		\
+-	jmpl		%g1 + %lo(VISenterhalf), %g0;	\
+-	 or		%g7, %lo(298f), %g7;		\
+-	clr		%o5;				\
+-297:	wr		%o5, FPRS_FEF, %fprs;		\
+-298:
++	VISEntry
++
++#define VISExitHalf					\
++	VISExit
+ 
+ #define VISEntryHalfFast(fail_label)			\
+ 	rd		%fprs, %o5;			\
+@@ -47,7 +41,7 @@
+ 	ba,a,pt		%xcc, fail_label;		\
+ 297:	wr		%o5, FPRS_FEF, %fprs;
+ 
+-#define VISExitHalf					\
++#define VISExitHalfFast					\
+ 	wr		%o5, 0, %fprs;
+ 
+ #ifndef __ASSEMBLY__
+diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S
+index 140527a..83aeeb1 100644
+--- a/arch/sparc/lib/NG4memcpy.S
++++ b/arch/sparc/lib/NG4memcpy.S
+@@ -240,8 +240,11 @@ FUNC_NAME:	/* %o0=dst, %o1=src, %o2=len */
+ 	add		%o0, 0x40, %o0
+ 	bne,pt		%icc, 1b
+ 	 LOAD(prefetch, %g1 + 0x200, #n_reads_strong)
++#ifdef NON_USER_COPY
++	VISExitHalfFast
++#else
+ 	VISExitHalf
+-
++#endif
+ 	brz,pn		%o2, .Lexit
+ 	 cmp		%o2, 19
+ 	ble,pn		%icc, .Lsmall_unaligned
+diff --git a/arch/sparc/lib/VISsave.S b/arch/sparc/lib/VISsave.S
+index b320ae9..a063d84 100644
+--- a/arch/sparc/lib/VISsave.S
++++ b/arch/sparc/lib/VISsave.S
+@@ -44,9 +44,8 @@ vis1:	ldub		[%g6 + TI_FPSAVED], %g3
+ 
+ 	 stx		%g3, [%g6 + TI_GSR]
+ 2:	add		%g6, %g1, %g3
+-	cmp		%o5, FPRS_DU
+-	be,pn		%icc, 6f
+-	 sll		%g1, 3, %g1
++	mov		FPRS_DU | FPRS_DL | FPRS_FEF, %o5
++	sll		%g1, 3, %g1
+ 	stb		%o5, [%g3 + TI_FPSAVED]
+ 	rd		%gsr, %g2
+ 	add		%g6, %g1, %g3
+@@ -80,65 +79,3 @@ vis1:	ldub		[%g6 + TI_FPSAVED], %g3
+ 	.align		32
+ 80:	jmpl		%g7 + %g0, %g0
+ 	 nop
+-
+-6:	ldub		[%g3 + TI_FPSAVED], %o5
+-	or		%o5, FPRS_DU, %o5
+-	add		%g6, TI_FPREGS+0x80, %g2
+-	stb		%o5, [%g3 + TI_FPSAVED]
+-
+-	sll		%g1, 5, %g1
+-	add		%g6, TI_FPREGS+0xc0, %g3
+-	wr		%g0, FPRS_FEF, %fprs
+-	membar		#Sync
+-	stda		%f32, [%g2 + %g1] ASI_BLK_P
+-	stda		%f48, [%g3 + %g1] ASI_BLK_P
+-	membar		#Sync
+-	ba,pt		%xcc, 80f
+-	 nop
+-
+-	.align		32
+-80:	jmpl		%g7 + %g0, %g0
+-	 nop
+-
+-	.align		32
+-VISenterhalf:
+-	ldub		[%g6 + TI_FPDEPTH], %g1
+-	brnz,a,pn	%g1, 1f
+-	 cmp		%g1, 1
+-	stb		%g0, [%g6 + TI_FPSAVED]
+-	stx		%fsr, [%g6 + TI_XFSR]
+-	clr		%o5
+-	jmpl		%g7 + %g0, %g0
+-	 wr		%g0, FPRS_FEF, %fprs
+-
+-1:	bne,pn		%icc, 2f
+-	 srl		%g1, 1, %g1
+-	ba,pt		%xcc, vis1
+-	 sub		%g7, 8, %g7
+-2:	addcc		%g6, %g1, %g3
+-	sll		%g1, 3, %g1
+-	andn		%o5, FPRS_DU, %g2
+-	stb		%g2, [%g3 + TI_FPSAVED]
+-
+-	rd		%gsr, %g2
+-	add		%g6, %g1, %g3
+-	stx		%g2, [%g3 + TI_GSR]
+-	add		%g6, %g1, %g2
+-	stx		%fsr, [%g2 + TI_XFSR]
+-	sll		%g1, 5, %g1
+-3:	andcc		%o5, FPRS_DL, %g0
+-	be,pn		%icc, 4f
+-	 add		%g6, TI_FPREGS, %g2
+-
+-	add		%g6, TI_FPREGS+0x40, %g3
+-	membar		#Sync
+-	stda		%f0, [%g2 + %g1] ASI_BLK_P
+-	stda		%f16, [%g3 + %g1] ASI_BLK_P
+-	membar		#Sync
+-	ba,pt		%xcc, 4f
+-	 nop
+-
+-	.align		32
+-4:	and		%o5, FPRS_DU, %o5
+-	jmpl		%g7 + %g0, %g0
+-	 wr		%o5, FPRS_FEF, %fprs
+diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c
+index 323335b..ac094de 100644
+--- a/arch/sparc/lib/ksyms.c
++++ b/arch/sparc/lib/ksyms.c
+@@ -126,10 +126,6 @@ EXPORT_SYMBOL(copy_user_page);
+ void VISenter(void);
+ EXPORT_SYMBOL(VISenter);
+ 
+-/* CRYPTO code needs this */
+-void VISenterhalf(void);
+-EXPORT_SYMBOL(VISenterhalf);
+-
+ extern void xor_vis_2(unsigned long, unsigned long *, unsigned long *);
+ extern void xor_vis_3(unsigned long, unsigned long *, unsigned long *,
+ 		unsigned long *);
+diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
+index 6a11845..7205173 100644
+--- a/arch/x86/kvm/lapic.h
++++ b/arch/x86/kvm/lapic.h
+@@ -165,7 +165,7 @@ static inline u16 apic_logical_id(struct kvm_apic_map *map, u32 ldr)
+ 
+ static inline bool kvm_apic_has_events(struct kvm_vcpu *vcpu)
+ {
+-	return vcpu->arch.apic->pending_events;
++	return kvm_vcpu_has_lapic(vcpu) && vcpu->arch.apic->pending_events;
+ }
+ 
+ bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector);
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 201d09a..2302f10 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -481,6 +481,7 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 	pte_t pte;
+ 	unsigned long pfn;
+ 	struct page *page;
++	unsigned char dummy;
+ 
+ 	ptep = lookup_address((unsigned long)v, &level);
+ 	BUG_ON(ptep == NULL);
+@@ -490,6 +491,32 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 
+ 	pte = pfn_pte(pfn, prot);
+ 
++	/*
++	 * Careful: update_va_mapping() will fail if the virtual address
++	 * we're poking isn't populated in the page tables.  We don't
++	 * need to worry about the direct map (that's always in the page
++	 * tables), but we need to be careful about vmap space.  In
++	 * particular, the top level page table can lazily propagate
++	 * entries between processes, so if we've switched mms since we
++	 * vmapped the target in the first place, we might not have the
++	 * top-level page table entry populated.
++	 *
++	 * We disable preemption because we want the same mm active when
++	 * we probe the target and when we issue the hypercall.  We'll
++	 * have the same nominal mm, but if we're a kernel thread, lazy
++	 * mm dropping could change our pgd.
++	 *
++	 * Out of an abundance of caution, this uses __get_user() to fault
++	 * in the target address just in case there's some obscure case
++	 * in which the target address isn't readable.
++	 */
++
++	preempt_disable();
++
++	pagefault_disable();	/* Avoid warnings due to being atomic. */
++	__get_user(dummy, (unsigned char __user __force *)v);
++	pagefault_enable();
++
+ 	if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0))
+ 		BUG();
+ 
+@@ -501,6 +528,8 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 				BUG();
+ 	} else
+ 		kmap_flush_unused();
++
++	preempt_enable();
+ }
+ 
+ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+@@ -508,6 +537,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+ 	const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE;
+ 	int i;
+ 
++	/*
++	 * We need to mark the all aliases of the LDT pages RO.  We
++	 * don't need to call vm_flush_aliases(), though, since that's
++	 * only responsible for flushing aliases out the TLBs, not the
++	 * page tables, and Xen will flush the TLB for us if needed.
++	 *
++	 * To avoid confusing future readers: none of this is necessary
++	 * to load the LDT.  The hypervisor only checks this when the
++	 * LDT is faulted in due to subsequent descriptor access.
++	 */
++
+ 	for(i = 0; i < entries; i += entries_per_page)
+ 		set_aliased_prot(ldt + i, PAGE_KERNEL_RO);
+ }
+diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
+index 12be7cb..b583773 100644
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -508,6 +508,7 @@ void rbd_warn(struct rbd_device *rbd_dev, const char *fmt, ...)
+ #  define rbd_assert(expr)	((void) 0)
+ #endif /* !RBD_DEBUG */
+ 
++static void rbd_osd_copyup_callback(struct rbd_obj_request *obj_request);
+ static int rbd_img_obj_request_submit(struct rbd_obj_request *obj_request);
+ static void rbd_img_parent_read(struct rbd_obj_request *obj_request);
+ static void rbd_dev_remove_parent(struct rbd_device *rbd_dev);
+@@ -1651,6 +1652,16 @@ static void rbd_osd_stat_callback(struct rbd_obj_request *obj_request)
+ 	obj_request_done_set(obj_request);
+ }
+ 
++static void rbd_osd_call_callback(struct rbd_obj_request *obj_request)
++{
++	dout("%s: obj %p\n", __func__, obj_request);
++
++	if (obj_request_img_data_test(obj_request))
++		rbd_osd_copyup_callback(obj_request);
++	else
++		obj_request_done_set(obj_request);
++}
++
+ static void rbd_osd_req_callback(struct ceph_osd_request *osd_req,
+ 				struct ceph_msg *msg)
+ {
+@@ -1689,6 +1700,8 @@ static void rbd_osd_req_callback(struct ceph_osd_request *osd_req,
+ 		rbd_osd_stat_callback(obj_request);
+ 		break;
+ 	case CEPH_OSD_OP_CALL:
++		rbd_osd_call_callback(obj_request);
++		break;
+ 	case CEPH_OSD_OP_NOTIFY_ACK:
+ 	case CEPH_OSD_OP_WATCH:
+ 		rbd_osd_trivial_callback(obj_request);
+@@ -2275,13 +2288,15 @@ out_unwind:
+ }
+ 
+ static void
+-rbd_img_obj_copyup_callback(struct rbd_obj_request *obj_request)
++rbd_osd_copyup_callback(struct rbd_obj_request *obj_request)
+ {
+ 	struct rbd_img_request *img_request;
+ 	struct rbd_device *rbd_dev;
+ 	struct page **pages;
+ 	u32 page_count;
+ 
++	dout("%s: obj %p\n", __func__, obj_request);
++
+ 	rbd_assert(obj_request->type == OBJ_REQUEST_BIO);
+ 	rbd_assert(obj_request_img_data_test(obj_request));
+ 	img_request = obj_request->img_request;
+@@ -2307,9 +2322,7 @@ rbd_img_obj_copyup_callback(struct rbd_obj_request *obj_request)
+ 	if (!obj_request->result)
+ 		obj_request->xferred = obj_request->length;
+ 
+-	/* Finish up with the normal image object callback */
+-
+-	rbd_img_obj_callback(obj_request);
++	obj_request_done_set(obj_request);
+ }
+ 
+ static void
+@@ -2406,7 +2419,6 @@ rbd_img_obj_parent_read_full_callback(struct rbd_img_request *img_request)
+ 
+ 	/* All set, send it off. */
+ 
+-	orig_request->callback = rbd_img_obj_copyup_callback;
+ 	osdc = &rbd_dev->rbd_client->client->osdc;
+ 	img_result = rbd_obj_request_submit(osdc, orig_request);
+ 	if (!img_result)
+diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c
+index f757a0f..3beed38 100644
+--- a/drivers/crypto/ixp4xx_crypto.c
++++ b/drivers/crypto/ixp4xx_crypto.c
+@@ -904,7 +904,6 @@ static int ablk_perform(struct ablkcipher_request *req, int encrypt)
+ 		crypt->mode |= NPE_OP_NOT_IN_PLACE;
+ 		/* This was never tested by Intel
+ 		 * for more than one dst buffer, I think. */
+-		BUG_ON(req->dst->length < nbytes);
+ 		req_ctx->dst = NULL;
+ 		if (!chainup_buffers(dev, req->dst, nbytes, &dst_hook,
+ 					flags, DMA_FROM_DEVICE))
+diff --git a/drivers/gpu/drm/radeon/radeon_combios.c b/drivers/gpu/drm/radeon/radeon_combios.c
+index 6651177..79a2669 100644
+--- a/drivers/gpu/drm/radeon/radeon_combios.c
++++ b/drivers/gpu/drm/radeon/radeon_combios.c
+@@ -1255,10 +1255,15 @@ struct radeon_encoder_lvds *radeon_combios_get_lvds_info(struct radeon_encoder
+ 
+ 			if ((RBIOS16(tmp) == lvds->native_mode.hdisplay) &&
+ 			    (RBIOS16(tmp + 2) == lvds->native_mode.vdisplay)) {
++				u32 hss = (RBIOS16(tmp + 21) - RBIOS16(tmp + 19) - 1) * 8;
++
++				if (hss > lvds->native_mode.hdisplay)
++					hss = (10 - 1) * 8;
++
+ 				lvds->native_mode.htotal = lvds->native_mode.hdisplay +
+ 					(RBIOS16(tmp + 17) - RBIOS16(tmp + 19)) * 8;
+ 				lvds->native_mode.hsync_start = lvds->native_mode.hdisplay +
+-					(RBIOS16(tmp + 21) - RBIOS16(tmp + 19) - 1) * 8;
++					hss;
+ 				lvds->native_mode.hsync_end = lvds->native_mode.hsync_start +
+ 					(RBIOS8(tmp + 23) * 8);
+ 
+diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c
+index 8e51b3a..cc3dc0c 100644
+--- a/drivers/md/bitmap.c
++++ b/drivers/md/bitmap.c
+@@ -564,6 +564,8 @@ static int bitmap_read_sb(struct bitmap *bitmap)
+ 	if (err)
+ 		return err;
+ 
++	err = -EINVAL;
++
+ 	sb = kmap_atomic(sb_page);
+ 
+ 	chunksize = le32_to_cpu(sb->chunksize);
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index b4067b9..2ffd277 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5645,8 +5645,7 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg)
+ 	char *ptr, *buf = NULL;
+ 	int err = -ENOMEM;
+ 
+-	file = kmalloc(sizeof(*file), GFP_NOIO);
+-
++	file = kzalloc(sizeof(*file), GFP_NOIO);
+ 	if (!file)
+ 		goto out;
+ 
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index 9be97e0..47b7c31 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1477,6 +1477,7 @@ static void error(struct mddev *mddev, struct md_rdev *rdev)
+ {
+ 	char b[BDEVNAME_SIZE];
+ 	struct r1conf *conf = mddev->private;
++	unsigned long flags;
+ 
+ 	/*
+ 	 * If it is not operational, then we have already marked it as dead
+@@ -1496,14 +1497,13 @@ static void error(struct mddev *mddev, struct md_rdev *rdev)
+ 		return;
+ 	}
+ 	set_bit(Blocked, &rdev->flags);
++	spin_lock_irqsave(&conf->device_lock, flags);
+ 	if (test_and_clear_bit(In_sync, &rdev->flags)) {
+-		unsigned long flags;
+-		spin_lock_irqsave(&conf->device_lock, flags);
+ 		mddev->degraded++;
+ 		set_bit(Faulty, &rdev->flags);
+-		spin_unlock_irqrestore(&conf->device_lock, flags);
+ 	} else
+ 		set_bit(Faulty, &rdev->flags);
++	spin_unlock_irqrestore(&conf->device_lock, flags);
+ 	/*
+ 	 * if recovery is running, make sure it aborts.
+ 	 */
+@@ -1569,7 +1569,10 @@ static int raid1_spare_active(struct mddev *mddev)
+ 	 * Find all failed disks within the RAID1 configuration 
+ 	 * and mark them readable.
+ 	 * Called under mddev lock, so rcu protection not needed.
++	 * device_lock used to avoid races with raid1_end_read_request
++	 * which expects 'In_sync' flags and ->degraded to be consistent.
+ 	 */
++	spin_lock_irqsave(&conf->device_lock, flags);
+ 	for (i = 0; i < conf->raid_disks; i++) {
+ 		struct md_rdev *rdev = conf->mirrors[i].rdev;
+ 		struct md_rdev *repl = conf->mirrors[conf->raid_disks + i].rdev;
+@@ -1599,7 +1602,6 @@ static int raid1_spare_active(struct mddev *mddev)
+ 			sysfs_notify_dirent_safe(rdev->sysfs_state);
+ 		}
+ 	}
+-	spin_lock_irqsave(&conf->device_lock, flags);
+ 	mddev->degraded -= count;
+ 	spin_unlock_irqrestore(&conf->device_lock, flags);
+ 
+diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
+index b4ddb73..128dc2f 100644
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -592,9 +592,10 @@ static void ipr_trc_hook(struct ipr_cmnd *ipr_cmd,
+ {
+ 	struct ipr_trace_entry *trace_entry;
+ 	struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg;
++	unsigned int trace_index;
+ 
+-	trace_entry = &ioa_cfg->trace[atomic_add_return
+-			(1, &ioa_cfg->trace_index)%IPR_NUM_TRACE_ENTRIES];
++	trace_index = atomic_add_return(1, &ioa_cfg->trace_index) & IPR_TRACE_INDEX_MASK;
++	trace_entry = &ioa_cfg->trace[trace_index];
+ 	trace_entry->time = jiffies;
+ 	trace_entry->op_code = ipr_cmd->ioarcb.cmd_pkt.cdb[0];
+ 	trace_entry->type = type;
+@@ -1044,10 +1045,15 @@ static void ipr_send_blocking_cmd(struct ipr_cmnd *ipr_cmd,
+ 
+ static int ipr_get_hrrq_index(struct ipr_ioa_cfg *ioa_cfg)
+ {
++	unsigned int hrrq;
++
+ 	if (ioa_cfg->hrrq_num == 1)
+-		return 0;
+-	else
+-		return (atomic_add_return(1, &ioa_cfg->hrrq_index) % (ioa_cfg->hrrq_num - 1)) + 1;
++		hrrq = 0;
++	else {
++		hrrq = atomic_add_return(1, &ioa_cfg->hrrq_index);
++		hrrq = (hrrq % (ioa_cfg->hrrq_num - 1)) + 1;
++	}
++	return hrrq;
+ }
+ 
+ /**
+@@ -6179,21 +6185,23 @@ static void ipr_scsi_done(struct ipr_cmnd *ipr_cmd)
+ 	struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg;
+ 	struct scsi_cmnd *scsi_cmd = ipr_cmd->scsi_cmd;
+ 	u32 ioasc = be32_to_cpu(ipr_cmd->s.ioasa.hdr.ioasc);
+-	unsigned long hrrq_flags;
++	unsigned long lock_flags;
+ 
+ 	scsi_set_resid(scsi_cmd, be32_to_cpu(ipr_cmd->s.ioasa.hdr.residual_data_len));
+ 
+ 	if (likely(IPR_IOASC_SENSE_KEY(ioasc) == 0)) {
+ 		scsi_dma_unmap(scsi_cmd);
+ 
+-		spin_lock_irqsave(ipr_cmd->hrrq->lock, hrrq_flags);
++		spin_lock_irqsave(ipr_cmd->hrrq->lock, lock_flags);
+ 		list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
+ 		scsi_cmd->scsi_done(scsi_cmd);
+-		spin_unlock_irqrestore(ipr_cmd->hrrq->lock, hrrq_flags);
++		spin_unlock_irqrestore(ipr_cmd->hrrq->lock, lock_flags);
+ 	} else {
+-		spin_lock_irqsave(ipr_cmd->hrrq->lock, hrrq_flags);
++		spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
++		spin_lock(&ipr_cmd->hrrq->_lock);
+ 		ipr_erp_start(ioa_cfg, ipr_cmd);
+-		spin_unlock_irqrestore(ipr_cmd->hrrq->lock, hrrq_flags);
++		spin_unlock(&ipr_cmd->hrrq->_lock);
++		spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
+ 	}
+ }
+ 
+diff --git a/drivers/scsi/ipr.h b/drivers/scsi/ipr.h
+index 02edae7..694ec20 100644
+--- a/drivers/scsi/ipr.h
++++ b/drivers/scsi/ipr.h
+@@ -1459,6 +1459,7 @@ struct ipr_ioa_cfg {
+ 
+ #define IPR_NUM_TRACE_INDEX_BITS	8
+ #define IPR_NUM_TRACE_ENTRIES		(1 << IPR_NUM_TRACE_INDEX_BITS)
++#define IPR_TRACE_INDEX_MASK		(IPR_NUM_TRACE_ENTRIES - 1)
+ #define IPR_TRACE_SIZE	(sizeof(struct ipr_trace_entry) * IPR_NUM_TRACE_ENTRIES)
+ 	char trace_start[8];
+ #define IPR_TRACE_START_LABEL			"trace"
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index eb81c98..721d839 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
+ 			md->from_user = 0;
+ 	}
+ 
++	if (unlikely(iov_count > UIO_MAXIOV))
++		return -EINVAL;
++
+ 	if (iov_count) {
+ 		int len, size = sizeof(struct sg_iovec) * iov_count;
+ 		struct iovec *iov;
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index 55ec9b4..9dbf176 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -3937,7 +3937,13 @@ get_immediate:
+ 	}
+ 
+ transport_err:
+-	iscsit_take_action_for_connection_exit(conn);
++	/*
++	 * Avoid the normal connection failure code-path if this connection
++	 * is still within LOGIN mode, and iscsi_np process context is
++	 * responsible for cleaning up the early connection failure.
++	 */
++	if (conn->conn_state != TARG_CONN_STATE_IN_LOGIN)
++		iscsit_take_action_for_connection_exit(conn);
+ out:
+ 	return 0;
+ }
+@@ -4023,7 +4029,7 @@ reject:
+ 
+ int iscsi_target_rx_thread(void *arg)
+ {
+-	int ret;
++	int ret, rc;
+ 	u8 buffer[ISCSI_HDR_LEN], opcode;
+ 	u32 checksum = 0, digest = 0;
+ 	struct iscsi_conn *conn = arg;
+@@ -4033,10 +4039,16 @@ int iscsi_target_rx_thread(void *arg)
+ 	 * connection recovery / failure event can be triggered externally.
+ 	 */
+ 	allow_signal(SIGINT);
++	/*
++	 * Wait for iscsi_post_login_handler() to complete before allowing
++	 * incoming iscsi/tcp socket I/O, and/or failing the connection.
++	 */
++	rc = wait_for_completion_interruptible(&conn->rx_login_comp);
++	if (rc < 0)
++		return 0;
+ 
+ 	if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) {
+ 		struct completion comp;
+-		int rc;
+ 
+ 		init_completion(&comp);
+ 		rc = wait_for_completion_interruptible(&comp);
+diff --git a/drivers/target/iscsi/iscsi_target_core.h b/drivers/target/iscsi/iscsi_target_core.h
+index 825b579..92abbe2 100644
+--- a/drivers/target/iscsi/iscsi_target_core.h
++++ b/drivers/target/iscsi/iscsi_target_core.h
+@@ -604,6 +604,7 @@ struct iscsi_conn {
+ 	int			bitmap_id;
+ 	int			rx_thread_active;
+ 	struct task_struct	*rx_thread;
++	struct completion	rx_login_comp;
+ 	int			tx_thread_active;
+ 	struct task_struct	*tx_thread;
+ 	/* list_head for session connection list */
+diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
+index 449df09..01c27aa 100644
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -83,6 +83,7 @@ static struct iscsi_login *iscsi_login_init_conn(struct iscsi_conn *conn)
+ 	init_completion(&conn->conn_logout_comp);
+ 	init_completion(&conn->rx_half_close_comp);
+ 	init_completion(&conn->tx_half_close_comp);
++	init_completion(&conn->rx_login_comp);
+ 	spin_lock_init(&conn->cmd_lock);
+ 	spin_lock_init(&conn->conn_usage_lock);
+ 	spin_lock_init(&conn->immed_queue_lock);
+@@ -716,6 +717,7 @@ int iscsit_start_kthreads(struct iscsi_conn *conn)
+ 
+ 	return 0;
+ out_tx:
++	send_sig(SIGINT, conn->tx_thread, 1);
+ 	kthread_stop(conn->tx_thread);
+ 	conn->tx_thread_active = false;
+ out_bitmap:
+@@ -726,7 +728,7 @@ out_bitmap:
+ 	return ret;
+ }
+ 
+-int iscsi_post_login_handler(
++void iscsi_post_login_handler(
+ 	struct iscsi_np *np,
+ 	struct iscsi_conn *conn,
+ 	u8 zero_tsih)
+@@ -736,7 +738,6 @@ int iscsi_post_login_handler(
+ 	struct se_session *se_sess = sess->se_sess;
+ 	struct iscsi_portal_group *tpg = sess->tpg;
+ 	struct se_portal_group *se_tpg = &tpg->tpg_se_tpg;
+-	int rc;
+ 
+ 	iscsit_inc_conn_usage_count(conn);
+ 
+@@ -777,10 +778,6 @@ int iscsi_post_login_handler(
+ 			sess->sess_ops->InitiatorName);
+ 		spin_unlock_bh(&sess->conn_lock);
+ 
+-		rc = iscsit_start_kthreads(conn);
+-		if (rc)
+-			return rc;
+-
+ 		iscsi_post_login_start_timers(conn);
+ 		/*
+ 		 * Determine CPU mask to ensure connection's RX and TX kthreads
+@@ -789,15 +786,20 @@ int iscsi_post_login_handler(
+ 		iscsit_thread_get_cpumask(conn);
+ 		conn->conn_rx_reset_cpumask = 1;
+ 		conn->conn_tx_reset_cpumask = 1;
+-
++		/*
++		 * Wakeup the sleeping iscsi_target_rx_thread() now that
++		 * iscsi_conn is in TARG_CONN_STATE_LOGGED_IN state.
++		 */
++		complete(&conn->rx_login_comp);
+ 		iscsit_dec_conn_usage_count(conn);
++
+ 		if (stop_timer) {
+ 			spin_lock_bh(&se_tpg->session_lock);
+ 			iscsit_stop_time2retain_timer(sess);
+ 			spin_unlock_bh(&se_tpg->session_lock);
+ 		}
+ 		iscsit_dec_session_usage_count(sess);
+-		return 0;
++		return;
+ 	}
+ 
+ 	iscsi_set_session_parameters(sess->sess_ops, conn->param_list, 1);
+@@ -838,10 +840,6 @@ int iscsi_post_login_handler(
+ 		" iSCSI Target Portal Group: %hu\n", tpg->nsessions, tpg->tpgt);
+ 	spin_unlock_bh(&se_tpg->session_lock);
+ 
+-	rc = iscsit_start_kthreads(conn);
+-	if (rc)
+-		return rc;
+-
+ 	iscsi_post_login_start_timers(conn);
+ 	/*
+ 	 * Determine CPU mask to ensure connection's RX and TX kthreads
+@@ -850,10 +848,12 @@ int iscsi_post_login_handler(
+ 	iscsit_thread_get_cpumask(conn);
+ 	conn->conn_rx_reset_cpumask = 1;
+ 	conn->conn_tx_reset_cpumask = 1;
+-
++	/*
++	 * Wakeup the sleeping iscsi_target_rx_thread() now that
++	 * iscsi_conn is in TARG_CONN_STATE_LOGGED_IN state.
++	 */
++	complete(&conn->rx_login_comp);
+ 	iscsit_dec_conn_usage_count(conn);
+-
+-	return 0;
+ }
+ 
+ static void iscsi_handle_login_thread_timeout(unsigned long data)
+@@ -1418,23 +1418,12 @@ static int __iscsi_target_login_thread(struct iscsi_np *np)
+ 	if (ret < 0)
+ 		goto new_sess_out;
+ 
+-	if (!conn->sess) {
+-		pr_err("struct iscsi_conn session pointer is NULL!\n");
+-		goto new_sess_out;
+-	}
+-
+ 	iscsi_stop_login_thread_timer(np);
+ 
+-	if (signal_pending(current))
+-		goto new_sess_out;
+-
+ 	if (ret == 1) {
+ 		tpg_np = conn->tpg_np;
+ 
+-		ret = iscsi_post_login_handler(np, conn, zero_tsih);
+-		if (ret < 0)
+-			goto new_sess_out;
+-
++		iscsi_post_login_handler(np, conn, zero_tsih);
+ 		iscsit_deaccess_np(np, tpg, tpg_np);
+ 	}
+ 
+diff --git a/drivers/target/iscsi/iscsi_target_login.h b/drivers/target/iscsi/iscsi_target_login.h
+index 29d0983..55cbf45 100644
+--- a/drivers/target/iscsi/iscsi_target_login.h
++++ b/drivers/target/iscsi/iscsi_target_login.h
+@@ -12,7 +12,8 @@ extern int iscsit_accept_np(struct iscsi_np *, struct iscsi_conn *);
+ extern int iscsit_get_login_rx(struct iscsi_conn *, struct iscsi_login *);
+ extern int iscsit_put_login_tx(struct iscsi_conn *, struct iscsi_login *, u32);
+ extern void iscsit_free_conn(struct iscsi_np *, struct iscsi_conn *);
+-extern int iscsi_post_login_handler(struct iscsi_np *, struct iscsi_conn *, u8);
++extern int iscsit_start_kthreads(struct iscsi_conn *);
++extern void iscsi_post_login_handler(struct iscsi_np *, struct iscsi_conn *, u8);
+ extern void iscsi_target_login_sess_out(struct iscsi_conn *, struct iscsi_np *,
+ 				bool, bool);
+ extern int iscsi_target_login_thread(void *);
+diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
+index 582ba84..25ad113 100644
+--- a/drivers/target/iscsi/iscsi_target_nego.c
++++ b/drivers/target/iscsi/iscsi_target_nego.c
+@@ -17,6 +17,7 @@
+  ******************************************************************************/
+ 
+ #include <linux/ctype.h>
++#include <linux/kthread.h>
+ #include <scsi/iscsi_proto.h>
+ #include <target/target_core_base.h>
+ #include <target/target_core_fabric.h>
+@@ -361,10 +362,24 @@ static int iscsi_target_do_tx_login_io(struct iscsi_conn *conn, struct iscsi_log
+ 		ntohl(login_rsp->statsn), login->rsp_length);
+ 
+ 	padding = ((-login->rsp_length) & 3);
++	/*
++	 * Before sending the last login response containing the transition
++	 * bit for full-feature-phase, go ahead and start up TX/RX threads
++	 * now to avoid potential resource allocation failures after the
++	 * final login response has been sent.
++	 */
++	if (login->login_complete) {
++		int rc = iscsit_start_kthreads(conn);
++		if (rc) {
++			iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
++					    ISCSI_LOGIN_STATUS_NO_RESOURCES);
++			return -1;
++		}
++	}
+ 
+ 	if (conn->conn_transport->iscsit_put_login_tx(conn, login,
+ 					login->rsp_length + padding) < 0)
+-		return -1;
++		goto err;
+ 
+ 	login->rsp_length		= 0;
+ 	mutex_lock(&sess->cmdsn_mutex);
+@@ -373,6 +388,23 @@ static int iscsi_target_do_tx_login_io(struct iscsi_conn *conn, struct iscsi_log
+ 	mutex_unlock(&sess->cmdsn_mutex);
+ 
+ 	return 0;
++
++err:
++	if (login->login_complete) {
++		if (conn->rx_thread && conn->rx_thread_active) {
++			send_sig(SIGINT, conn->rx_thread, 1);
++			kthread_stop(conn->rx_thread);
++		}
++		if (conn->tx_thread && conn->tx_thread_active) {
++			send_sig(SIGINT, conn->tx_thread, 1);
++			kthread_stop(conn->tx_thread);
++		}
++		spin_lock(&iscsit_global->ts_bitmap_lock);
++		bitmap_release_region(iscsit_global->ts_bitmap, conn->bitmap_id,
++				      get_order(1));
++		spin_unlock(&iscsit_global->ts_bitmap_lock);
++	}
++	return -1;
+ }
+ 
+ static void iscsi_target_sk_data_ready(struct sock *sk, int count)
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index bcc43a2..a365e97 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -86,7 +86,7 @@ dma_addr_t xhci_trb_virt_to_dma(struct xhci_segment *seg,
+ 		return 0;
+ 	/* offset in TRBs */
+ 	segment_offset = trb - seg->trbs;
+-	if (segment_offset > TRBS_PER_SEGMENT)
++	if (segment_offset >= TRBS_PER_SEGMENT)
+ 		return 0;
+ 	return seg->dma + (segment_offset * sizeof(*trb));
+ }
+diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c
+index 74a9375..89c55d4 100644
+--- a/drivers/usb/serial/sierra.c
++++ b/drivers/usb/serial/sierra.c
+@@ -289,6 +289,7 @@ static const struct usb_device_id id_table[] = {
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68AA, 0xFF, 0xFF, 0xFF),
+ 	  .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
+ 	},
++	{ USB_DEVICE(0x1199, 0x68AB) }, /* Sierra Wireless AR8550 */
+ 	/* AT&T Direct IP LTE modems */
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68AA, 0xFF, 0xFF, 0xFF),
+ 	  .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
+diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
+index 073b4a1..ff3c98f 100644
+--- a/drivers/xen/gntdev.c
++++ b/drivers/xen/gntdev.c
+@@ -529,12 +529,14 @@ static int gntdev_release(struct inode *inode, struct file *flip)
+ 
+ 	pr_debug("priv %p\n", priv);
+ 
++	mutex_lock(&priv->lock);
+ 	while (!list_empty(&priv->maps)) {
+ 		map = list_entry(priv->maps.next, struct grant_map, next);
+ 		list_del(&map->next);
+ 		gntdev_put_map(NULL /* already removed */, map);
+ 	}
+ 	WARN_ON(!list_empty(&priv->freeable_maps));
++	mutex_unlock(&priv->lock);
+ 
+ 	if (use_ptemod)
+ 		mmu_notifier_unregister(&priv->mn, priv->mm);
+diff --git a/fs/dcache.c b/fs/dcache.c
+index 3d2f27b..df323f8 100644
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -244,17 +244,8 @@ static void __d_free(struct rcu_head *head)
+ 	kmem_cache_free(dentry_cache, dentry); 
+ }
+ 
+-/*
+- * no locks, please.
+- */
+-static void d_free(struct dentry *dentry)
++static void dentry_free(struct dentry *dentry)
+ {
+-	WARN_ON(!hlist_unhashed(&dentry->d_u.d_alias));
+-	BUG_ON((int)dentry->d_lockref.count > 0);
+-	this_cpu_dec(nr_dentry);
+-	if (dentry->d_op && dentry->d_op->d_release)
+-		dentry->d_op->d_release(dentry);
+-
+ 	/* if dentry was never visible to RCU, immediate free is OK */
+ 	if (!(dentry->d_flags & DCACHE_RCUACCESS))
+ 		__d_free(&dentry->d_u.d_rcu);
+@@ -402,56 +393,6 @@ static void dentry_lru_add(struct dentry *dentry)
+ 		d_lru_add(dentry);
+ }
+ 
+-/*
+- * Remove a dentry with references from the LRU.
+- *
+- * If we are on the shrink list, then we can get to try_prune_one_dentry() and
+- * lose our last reference through the parent walk. In this case, we need to
+- * remove ourselves from the shrink list, not the LRU.
+- */
+-static void dentry_lru_del(struct dentry *dentry)
+-{
+-	if (dentry->d_flags & DCACHE_LRU_LIST) {
+-		if (dentry->d_flags & DCACHE_SHRINK_LIST)
+-			return d_shrink_del(dentry);
+-		d_lru_del(dentry);
+-	}
+-}
+-
+-/**
+- * d_kill - kill dentry and return parent
+- * @dentry: dentry to kill
+- * @parent: parent dentry
+- *
+- * The dentry must already be unhashed and removed from the LRU.
+- *
+- * If this is the root of the dentry tree, return NULL.
+- *
+- * dentry->d_lock and parent->d_lock must be held by caller, and are dropped by
+- * d_kill.
+- */
+-static struct dentry *d_kill(struct dentry *dentry, struct dentry *parent)
+-	__releases(dentry->d_lock)
+-	__releases(parent->d_lock)
+-	__releases(dentry->d_inode->i_lock)
+-{
+-	__list_del_entry(&dentry->d_child);
+-	/*
+-	 * Inform d_walk() that we are no longer attached to the
+-	 * dentry tree
+-	 */
+-	dentry->d_flags |= DCACHE_DENTRY_KILLED;
+-	if (parent)
+-		spin_unlock(&parent->d_lock);
+-	dentry_iput(dentry);
+-	/*
+-	 * dentry_iput drops the locks, at which point nobody (except
+-	 * transient RCU lookups) can reach this dentry.
+-	 */
+-	d_free(dentry);
+-	return parent;
+-}
+-
+ /**
+  * d_drop - drop a dentry
+  * @dentry: dentry to drop
+@@ -509,7 +450,14 @@ dentry_kill(struct dentry *dentry, int unlock_on_failure)
+ 	__releases(dentry->d_lock)
+ {
+ 	struct inode *inode;
+-	struct dentry *parent;
++	struct dentry *parent = NULL;
++	bool can_free = true;
++
++	if (unlikely(dentry->d_flags & DCACHE_DENTRY_KILLED)) {
++		can_free = dentry->d_flags & DCACHE_MAY_FREE;
++		spin_unlock(&dentry->d_lock);
++		goto out;
++	}
+ 
+ 	inode = dentry->d_inode;
+ 	if (inode && !spin_trylock(&inode->i_lock)) {
+@@ -520,9 +468,7 @@ relock:
+ 		}
+ 		return dentry; /* try again with same dentry */
+ 	}
+-	if (IS_ROOT(dentry))
+-		parent = NULL;
+-	else
++	if (!IS_ROOT(dentry))
+ 		parent = dentry->d_parent;
+ 	if (parent && !spin_trylock(&parent->d_lock)) {
+ 		if (inode)
+@@ -542,10 +488,40 @@ relock:
+ 	if ((dentry->d_flags & DCACHE_OP_PRUNE) && !d_unhashed(dentry))
+ 		dentry->d_op->d_prune(dentry);
+ 
+-	dentry_lru_del(dentry);
++	if (dentry->d_flags & DCACHE_LRU_LIST) {
++		if (!(dentry->d_flags & DCACHE_SHRINK_LIST))
++			d_lru_del(dentry);
++	}
+ 	/* if it was on the hash then remove it */
+ 	__d_drop(dentry);
+-	return d_kill(dentry, parent);
++	__list_del_entry(&dentry->d_child);
++	/*
++	 * Inform d_walk() that we are no longer attached to the
++	 * dentry tree
++	 */
++	dentry->d_flags |= DCACHE_DENTRY_KILLED;
++	if (parent)
++		spin_unlock(&parent->d_lock);
++	dentry_iput(dentry);
++	/*
++	 * dentry_iput drops the locks, at which point nobody (except
++	 * transient RCU lookups) can reach this dentry.
++	 */
++	BUG_ON((int)dentry->d_lockref.count > 0);
++	this_cpu_dec(nr_dentry);
++	if (dentry->d_op && dentry->d_op->d_release)
++		dentry->d_op->d_release(dentry);
++
++	spin_lock(&dentry->d_lock);
++	if (dentry->d_flags & DCACHE_SHRINK_LIST) {
++		dentry->d_flags |= DCACHE_MAY_FREE;
++		can_free = false;
++	}
++	spin_unlock(&dentry->d_lock);
++out:
++	if (likely(can_free))
++		dentry_free(dentry);
++	return parent;
+ }
+ 
+ /* 
+@@ -817,65 +793,13 @@ restart:
+ }
+ EXPORT_SYMBOL(d_prune_aliases);
+ 
+-/*
+- * Try to throw away a dentry - free the inode, dput the parent.
+- * Requires dentry->d_lock is held, and dentry->d_count == 0.
+- * Releases dentry->d_lock.
+- *
+- * This may fail if locks cannot be acquired no problem, just try again.
+- */
+-static struct dentry * try_prune_one_dentry(struct dentry *dentry)
+-	__releases(dentry->d_lock)
+-{
+-	struct dentry *parent;
+-
+-	parent = dentry_kill(dentry, 0);
+-	/*
+-	 * If dentry_kill returns NULL, we have nothing more to do.
+-	 * if it returns the same dentry, trylocks failed. In either
+-	 * case, just loop again.
+-	 *
+-	 * Otherwise, we need to prune ancestors too. This is necessary
+-	 * to prevent quadratic behavior of shrink_dcache_parent(), but
+-	 * is also expected to be beneficial in reducing dentry cache
+-	 * fragmentation.
+-	 */
+-	if (!parent)
+-		return NULL;
+-	if (parent == dentry)
+-		return dentry;
+-
+-	/* Prune ancestors. */
+-	dentry = parent;
+-	while (dentry) {
+-		if (lockref_put_or_lock(&dentry->d_lockref))
+-			return NULL;
+-		dentry = dentry_kill(dentry, 1);
+-	}
+-	return NULL;
+-}
+-
+ static void shrink_dentry_list(struct list_head *list)
+ {
+-	struct dentry *dentry;
++	struct dentry *dentry, *parent;
+ 
+-	rcu_read_lock();
+-	for (;;) {
+-		dentry = list_entry_rcu(list->prev, struct dentry, d_lru);
+-		if (&dentry->d_lru == list)
+-			break; /* empty */
+-
+-		/*
+-		 * Get the dentry lock, and re-verify that the dentry is
+-		 * this on the shrinking list. If it is, we know that
+-		 * DCACHE_SHRINK_LIST and DCACHE_LRU_LIST are set.
+-		 */
++	while (!list_empty(list)) {
++		dentry = list_entry(list->prev, struct dentry, d_lru);
+ 		spin_lock(&dentry->d_lock);
+-		if (dentry != list_entry(list->prev, struct dentry, d_lru)) {
+-			spin_unlock(&dentry->d_lock);
+-			continue;
+-		}
+-
+ 		/*
+ 		 * The dispose list is isolated and dentries are not accounted
+ 		 * to the LRU here, so we can simply remove it from the list
+@@ -887,30 +811,38 @@ static void shrink_dentry_list(struct list_head *list)
+ 		 * We found an inuse dentry which was not removed from
+ 		 * the LRU because of laziness during lookup. Do not free it.
+ 		 */
+-		if (dentry->d_lockref.count) {
++		if ((int)dentry->d_lockref.count > 0) {
+ 			spin_unlock(&dentry->d_lock);
+ 			continue;
+ 		}
+-		rcu_read_unlock();
+ 
++		parent = dentry_kill(dentry, 0);
+ 		/*
+-		 * If 'try_to_prune()' returns a dentry, it will
+-		 * be the same one we passed in, and d_lock will
+-		 * have been held the whole time, so it will not
+-		 * have been added to any other lists. We failed
+-		 * to get the inode lock.
+-		 *
+-		 * We just add it back to the shrink list.
++		 * If dentry_kill returns NULL, we have nothing more to do.
+ 		 */
+-		dentry = try_prune_one_dentry(dentry);
++		if (!parent)
++			continue;
+ 
+-		rcu_read_lock();
+-		if (dentry) {
++		if (unlikely(parent == dentry)) {
++			/*
++			 * trylocks have failed and d_lock has been held the
++			 * whole time, so it could not have been added to any
++			 * other lists. Just add it back to the shrink list.
++			 */
+ 			d_shrink_add(dentry, list);
+ 			spin_unlock(&dentry->d_lock);
++			continue;
+ 		}
++		/*
++		 * We need to prune ancestors too. This is necessary to prevent
++		 * quadratic behavior of shrink_dcache_parent(), but is also
++		 * expected to be beneficial in reducing dentry cache
++		 * fragmentation.
++		 */
++		dentry = parent;
++		while (dentry && !lockref_put_or_lock(&dentry->d_lockref))
++			dentry = dentry_kill(dentry, 1);
+ 	}
+-	rcu_read_unlock();
+ }
+ 
+ static enum lru_status
+@@ -1264,34 +1196,23 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry)
+ 	if (data->start == dentry)
+ 		goto out;
+ 
+-	/*
+-	 * move only zero ref count dentries to the dispose list.
+-	 *
+-	 * Those which are presently on the shrink list, being processed
+-	 * by shrink_dentry_list(), shouldn't be moved.  Otherwise the
+-	 * loop in shrink_dcache_parent() might not make any progress
+-	 * and loop forever.
+-	 */
+-	if (dentry->d_lockref.count) {
+-		dentry_lru_del(dentry);
+-	} else if (!(dentry->d_flags & DCACHE_SHRINK_LIST)) {
+-		/*
+-		 * We can't use d_lru_shrink_move() because we
+-		 * need to get the global LRU lock and do the
+-		 * LRU accounting.
+-		 */
+-		d_lru_del(dentry);
+-		d_shrink_add(dentry, &data->dispose);
++	if (dentry->d_flags & DCACHE_SHRINK_LIST) {
+ 		data->found++;
+-		ret = D_WALK_NORETRY;
++	} else {
++		if (dentry->d_flags & DCACHE_LRU_LIST)
++			d_lru_del(dentry);
++		if (!dentry->d_lockref.count) {
++			d_shrink_add(dentry, &data->dispose);
++			data->found++;
++		}
+ 	}
+ 	/*
+ 	 * We can return to the caller if we have found some (this
+ 	 * ensures forward progress). We'll be coming back to find
+ 	 * the rest.
+ 	 */
+-	if (data->found && need_resched())
+-		ret = D_WALK_QUIT;
++	if (!list_empty(&data->dispose))
++		ret = need_resched() ? D_WALK_QUIT : D_WALK_NORETRY;
+ out:
+ 	return ret;
+ }
+@@ -1321,45 +1242,35 @@ void shrink_dcache_parent(struct dentry *parent)
+ }
+ EXPORT_SYMBOL(shrink_dcache_parent);
+ 
+-static enum d_walk_ret umount_collect(void *_data, struct dentry *dentry)
++static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
+ {
+-	struct select_data *data = _data;
+-	enum d_walk_ret ret = D_WALK_CONTINUE;
++	/* it has busy descendents; complain about those instead */
++	if (!list_empty(&dentry->d_subdirs))
++		return D_WALK_CONTINUE;
+ 
+-	if (dentry->d_lockref.count) {
+-		dentry_lru_del(dentry);
+-		if (likely(!list_empty(&dentry->d_subdirs)))
+-			goto out;
+-		if (dentry == data->start && dentry->d_lockref.count == 1)
+-			goto out;
+-		printk(KERN_ERR
+-		       "BUG: Dentry %p{i=%lx,n=%s}"
+-		       " still in use (%d)"
+-		       " [unmount of %s %s]\n",
++	/* root with refcount 1 is fine */
++	if (dentry == _data && dentry->d_lockref.count == 1)
++		return D_WALK_CONTINUE;
++
++	printk(KERN_ERR "BUG: Dentry %p{i=%lx,n=%pd} "
++			" still in use (%d) [unmount of %s %s]\n",
+ 		       dentry,
+ 		       dentry->d_inode ?
+ 		       dentry->d_inode->i_ino : 0UL,
+-		       dentry->d_name.name,
++		       dentry,
+ 		       dentry->d_lockref.count,
+ 		       dentry->d_sb->s_type->name,
+ 		       dentry->d_sb->s_id);
+-		BUG();
+-	} else if (!(dentry->d_flags & DCACHE_SHRINK_LIST)) {
+-		/*
+-		 * We can't use d_lru_shrink_move() because we
+-		 * need to get the global LRU lock and do the
+-		 * LRU accounting.
+-		 */
+-		if (dentry->d_flags & DCACHE_LRU_LIST)
+-			d_lru_del(dentry);
+-		d_shrink_add(dentry, &data->dispose);
+-		data->found++;
+-		ret = D_WALK_NORETRY;
+-	}
+-out:
+-	if (data->found && need_resched())
+-		ret = D_WALK_QUIT;
+-	return ret;
++	WARN_ON(1);
++	return D_WALK_CONTINUE;
++}
++
++static void do_one_tree(struct dentry *dentry)
++{
++	shrink_dcache_parent(dentry);
++	d_walk(dentry, dentry, umount_check, NULL);
++	d_drop(dentry);
++	dput(dentry);
+ }
+ 
+ /*
+@@ -1369,40 +1280,15 @@ void shrink_dcache_for_umount(struct super_block *sb)
+ {
+ 	struct dentry *dentry;
+ 
+-	if (down_read_trylock(&sb->s_umount))
+-		BUG();
++	WARN(down_read_trylock(&sb->s_umount), "s_umount should've been locked");
+ 
+ 	dentry = sb->s_root;
+ 	sb->s_root = NULL;
+-	for (;;) {
+-		struct select_data data;
+-
+-		INIT_LIST_HEAD(&data.dispose);
+-		data.start = dentry;
+-		data.found = 0;
+-
+-		d_walk(dentry, &data, umount_collect, NULL);
+-		if (!data.found)
+-			break;
+-
+-		shrink_dentry_list(&data.dispose);
+-		cond_resched();
+-	}
+-	d_drop(dentry);
+-	dput(dentry);
++	do_one_tree(dentry);
+ 
+ 	while (!hlist_bl_empty(&sb->s_anon)) {
+-		struct select_data data;
+-		dentry = hlist_bl_entry(hlist_bl_first(&sb->s_anon), struct dentry, d_hash);
+-
+-		INIT_LIST_HEAD(&data.dispose);
+-		data.start = NULL;
+-		data.found = 0;
+-
+-		d_walk(dentry, &data, umount_collect, NULL);
+-		if (data.found)
+-			shrink_dentry_list(&data.dispose);
+-		cond_resched();
++		dentry = dget(hlist_bl_entry(hlist_bl_first(&sb->s_anon), struct dentry, d_hash));
++		do_one_tree(dentry);
+ 	}
+ }
+ 
+diff --git a/fs/namei.c b/fs/namei.c
+index ccb8000..c6fa079 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3171,7 +3171,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+ 
+ 	if (unlikely(file->f_flags & __O_TMPFILE)) {
+ 		error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened);
+-		goto out;
++		goto out2;
+ 	}
+ 
+ 	error = path_init(dfd, pathname->name, flags | LOOKUP_PARENT, nd, &base);
+@@ -3209,6 +3209,7 @@ out:
+ 		path_put(&nd->root);
+ 	if (base)
+ 		fput(base);
++out2:
+ 	if (!(opened & FILE_OPENED)) {
+ 		BUG_ON(!error);
+ 		put_filp(file);
+diff --git a/fs/notify/mark.c b/fs/notify/mark.c
+index 923fe4a..6bffc33 100644
+--- a/fs/notify/mark.c
++++ b/fs/notify/mark.c
+@@ -293,16 +293,36 @@ void fsnotify_clear_marks_by_group_flags(struct fsnotify_group *group,
+ 					 unsigned int flags)
+ {
+ 	struct fsnotify_mark *lmark, *mark;
++	LIST_HEAD(to_free);
+ 
++	/*
++	 * We have to be really careful here. Anytime we drop mark_mutex, e.g.
++	 * fsnotify_clear_marks_by_inode() can come and free marks. Even in our
++	 * to_free list so we have to use mark_mutex even when accessing that
++	 * list. And freeing mark requires us to drop mark_mutex. So we can
++	 * reliably free only the first mark in the list. That's why we first
++	 * move marks to free to to_free list in one go and then free marks in
++	 * to_free list one by one.
++	 */
+ 	mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
+ 	list_for_each_entry_safe(mark, lmark, &group->marks_list, g_list) {
+-		if (mark->flags & flags) {
+-			fsnotify_get_mark(mark);
+-			fsnotify_destroy_mark_locked(mark, group);
+-			fsnotify_put_mark(mark);
+-		}
++		if (mark->flags & flags)
++			list_move(&mark->g_list, &to_free);
+ 	}
+ 	mutex_unlock(&group->mark_mutex);
++
++	while (1) {
++		mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
++		if (list_empty(&to_free)) {
++			mutex_unlock(&group->mark_mutex);
++			break;
++		}
++		mark = list_first_entry(&to_free, struct fsnotify_mark, g_list);
++		fsnotify_get_mark(mark);
++		fsnotify_destroy_mark_locked(mark, group);
++		mutex_unlock(&group->mark_mutex);
++		fsnotify_put_mark(mark);
++	}
+ }
+ 
+ /*
+diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c
+index 1998695..fa74259 100644
+--- a/fs/ocfs2/dlmglue.c
++++ b/fs/ocfs2/dlmglue.c
+@@ -3973,9 +3973,13 @@ static void ocfs2_downconvert_thread_do_work(struct ocfs2_super *osb)
+ 	osb->dc_work_sequence = osb->dc_wake_sequence;
+ 
+ 	processed = osb->blocked_lock_count;
+-	while (processed) {
+-		BUG_ON(list_empty(&osb->blocked_lock_list));
+-
++	/*
++	 * blocked lock processing in this loop might call iput which can
++	 * remove items off osb->blocked_lock_list. Downconvert up to
++	 * 'processed' number of locks, but stop short if we had some
++	 * removed in ocfs2_mark_lockres_freeing when downconverting.
++	 */
++	while (processed && !list_empty(&osb->blocked_lock_list)) {
+ 		lockres = list_entry(osb->blocked_lock_list.next,
+ 				     struct ocfs2_lock_res, l_blocked_list);
+ 		list_del_init(&lockres->l_blocked_list);
+diff --git a/fs/signalfd.c b/fs/signalfd.c
+index 424b7b6..148f8e7 100644
+--- a/fs/signalfd.c
++++ b/fs/signalfd.c
+@@ -121,8 +121,9 @@ static int signalfd_copyinfo(struct signalfd_siginfo __user *uinfo,
+ 		 * Other callers might not initialize the si_lsb field,
+ 		 * so check explicitly for the right codes here.
+ 		 */
+-		if (kinfo->si_code == BUS_MCEERR_AR ||
+-		    kinfo->si_code == BUS_MCEERR_AO)
++		if (kinfo->si_signo == SIGBUS &&
++		    (kinfo->si_code == BUS_MCEERR_AR ||
++		     kinfo->si_code == BUS_MCEERR_AO))
+ 			err |= __put_user((short) kinfo->si_addr_lsb,
+ 					  &uinfo->ssi_addr_lsb);
+ #endif
+diff --git a/include/linux/dcache.h b/include/linux/dcache.h
+index 0f0eb1c..2a23ecb 100644
+--- a/include/linux/dcache.h
++++ b/include/linux/dcache.h
+@@ -221,6 +221,8 @@ struct dentry_operations {
+ #define DCACHE_SYMLINK_TYPE		0x00300000 /* Symlink */
+ #define DCACHE_FILE_TYPE		0x00400000 /* Other file type */
+ 
++#define DCACHE_MAY_FREE			0x00800000
++
+ extern seqlock_t rename_lock;
+ 
+ static inline int dname_external(const struct dentry *dentry)
+diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h
+index 30db069..788c5aa 100644
+--- a/include/uapi/linux/pci_regs.h
++++ b/include/uapi/linux/pci_regs.h
+@@ -319,6 +319,7 @@
+ #define PCI_MSIX_PBA		8	/* Pending Bit Array offset */
+ #define  PCI_MSIX_PBA_BIR	0x00000007 /* BAR index */
+ #define  PCI_MSIX_PBA_OFFSET	0xfffffff8 /* Offset into specified BAR */
++#define PCI_MSIX_FLAGS_BIRMASK	PCI_MSIX_PBA_BIR /* deprecated */
+ #define PCI_CAP_MSIX_SIZEOF	12	/* size of MSIX registers */
+ 
+ /* MSI-X Table entry format */
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index c3b3117..9699d3f 100644
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -143,7 +143,6 @@ static int msg_insert(struct msg_msg *msg, struct mqueue_inode_info *info)
+ 		if (!leaf)
+ 			return -ENOMEM;
+ 		INIT_LIST_HEAD(&leaf->msg_list);
+-		info->qsize += sizeof(*leaf);
+ 	}
+ 	leaf->priority = msg->m_type;
+ 	rb_link_node(&leaf->rb_node, parent, p);
+@@ -188,7 +187,6 @@ try_again:
+ 			     "lazy leaf delete!\n");
+ 		rb_erase(&leaf->rb_node, &info->msg_tree);
+ 		if (info->node_cache) {
+-			info->qsize -= sizeof(*leaf);
+ 			kfree(leaf);
+ 		} else {
+ 			info->node_cache = leaf;
+@@ -201,7 +199,6 @@ try_again:
+ 		if (list_empty(&leaf->msg_list)) {
+ 			rb_erase(&leaf->rb_node, &info->msg_tree);
+ 			if (info->node_cache) {
+-				info->qsize -= sizeof(*leaf);
+ 				kfree(leaf);
+ 			} else {
+ 				info->node_cache = leaf;
+@@ -1026,7 +1023,6 @@ SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqdes, const char __user *, u_msg_ptr,
+ 		/* Save our speculative allocation into the cache */
+ 		INIT_LIST_HEAD(&new_leaf->msg_list);
+ 		info->node_cache = new_leaf;
+-		info->qsize += sizeof(*new_leaf);
+ 		new_leaf = NULL;
+ 	} else {
+ 		kfree(new_leaf);
+@@ -1133,7 +1129,6 @@ SYSCALL_DEFINE5(mq_timedreceive, mqd_t, mqdes, char __user *, u_msg_ptr,
+ 		/* Save our speculative allocation into the cache */
+ 		INIT_LIST_HEAD(&new_leaf->msg_list);
+ 		info->node_cache = new_leaf;
+-		info->qsize += sizeof(*new_leaf);
+ 	} else {
+ 		kfree(new_leaf);
+ 	}
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 52f881d..15c22ee 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2768,7 +2768,8 @@ int copy_siginfo_to_user(siginfo_t __user *to, const siginfo_t *from)
+ 		 * Other callers might not initialize the si_lsb field,
+ 		 * so check explicitly for the right codes here.
+ 		 */
+-		if (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO)
++		if (from->si_signo == SIGBUS &&
++		    (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO))
+ 			err |= __put_user(from->si_addr_lsb, &to->si_addr_lsb);
+ #endif
+ 		break;
+@@ -3035,7 +3036,7 @@ COMPAT_SYSCALL_DEFINE3(rt_sigqueueinfo,
+ 			int, sig,
+ 			struct compat_siginfo __user *, uinfo)
+ {
+-	siginfo_t info;
++	siginfo_t info = {};
+ 	int ret = copy_siginfo_from_user32(&info, uinfo);
+ 	if (unlikely(ret))
+ 		return ret;
+@@ -3081,7 +3082,7 @@ COMPAT_SYSCALL_DEFINE4(rt_tgsigqueueinfo,
+ 			int, sig,
+ 			struct compat_siginfo __user *, uinfo)
+ {
+-	siginfo_t info;
++	siginfo_t info = {};
+ 
+ 	if (copy_siginfo_from_user32(&info, uinfo))
+ 		return -EFAULT;
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index b850ced6..88edf53 100644
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -871,21 +871,17 @@ static unsigned long shrink_page_list(struct list_head *page_list,
+ 		 *
+ 		 * 2) Global reclaim encounters a page, memcg encounters a
+ 		 *    page that is not marked for immediate reclaim or
+-		 *    the caller does not have __GFP_IO. In this case mark
++		 *    the caller does not have __GFP_FS (or __GFP_IO if it's
++		 *    simply going to swap, not to fs). In this case mark
+ 		 *    the page for immediate reclaim and continue scanning.
+ 		 *
+-		 *    __GFP_IO is checked  because a loop driver thread might
++		 *    Require may_enter_fs because we would wait on fs, which
++		 *    may not have submitted IO yet. And the loop driver might
+ 		 *    enter reclaim, and deadlock if it waits on a page for
+ 		 *    which it is needed to do the write (loop masks off
+ 		 *    __GFP_IO|__GFP_FS for this reason); but more thought
+ 		 *    would probably show more reasons.
+ 		 *
+-		 *    Don't require __GFP_FS, since we're not going into the
+-		 *    FS, just waiting on its writeback completion. Worryingly,
+-		 *    ext4 gfs2 and xfs allocate pages with
+-		 *    grab_cache_page_write_begin(,,AOP_FLAG_NOFS), so testing
+-		 *    may_enter_fs here is liable to OOM on them.
+-		 *
+ 		 * 3) memcg encounters a page that is not already marked
+ 		 *    PageReclaim. memcg does not have any dirty pages
+ 		 *    throttling so we could easily OOM just because too many
+@@ -902,7 +898,7 @@ static unsigned long shrink_page_list(struct list_head *page_list,
+ 
+ 			/* Case 2 above */
+ 			} else if (global_reclaim(sc) ||
+-			    !PageReclaim(page) || !(sc->gfp_mask & __GFP_IO)) {
++			    !PageReclaim(page) || !may_enter_fs) {
+ 				/*
+ 				 * This is slightly racy - end_page_writeback()
+ 				 * might have just cleared PageReclaim, then
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
+index 085c496..9d8e420 100644
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -27,6 +27,8 @@
+ #define IMA_UID		0x0008
+ #define IMA_FOWNER	0x0010
+ #define IMA_FSUUID	0x0020
++#define IMA_INMASK	0x0040
++#define IMA_EUID	0x0080
+ 
+ #define UNKNOWN		0
+ #define MEASURE		0x0001	/* same as IMA_MEASURE */
+@@ -171,6 +173,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
+ 		return false;
+ 	if ((rule->flags & IMA_MASK) && rule->mask != mask)
+ 		return false;
++	if ((rule->flags & IMA_INMASK) &&
++	    (!(rule->mask & mask) && func != POST_SETATTR))
++		return false;
+ 	if ((rule->flags & IMA_FSMAGIC)
+ 	    && rule->fsmagic != inode->i_sb->s_magic)
+ 		return false;
+@@ -179,6 +184,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
+ 		return false;
+ 	if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
+ 		return false;
++	if (rule->flags & IMA_EUID) {
++		if (has_capability_noaudit(current, CAP_SETUID)) {
++			if (!uid_eq(rule->uid, cred->euid)
++			    && !uid_eq(rule->uid, cred->suid)
++			    && !uid_eq(rule->uid, cred->uid))
++				return false;
++		} else if (!uid_eq(rule->uid, cred->euid))
++			return false;
++	}
++
+ 	if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
+ 		return false;
+ 	for (i = 0; i < MAX_LSM_RULES; i++) {
+@@ -350,7 +365,8 @@ enum {
+ 	Opt_audit,
+ 	Opt_obj_user, Opt_obj_role, Opt_obj_type,
+ 	Opt_subj_user, Opt_subj_role, Opt_subj_type,
+-	Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
++	Opt_func, Opt_mask, Opt_fsmagic,
++	Opt_uid, Opt_euid, Opt_fowner,
+ 	Opt_appraise_type, Opt_fsuuid, Opt_permit_directio
+ };
+ 
+@@ -371,6 +387,7 @@ static match_table_t policy_tokens = {
+ 	{Opt_fsmagic, "fsmagic=%s"},
+ 	{Opt_fsuuid, "fsuuid=%s"},
+ 	{Opt_uid, "uid=%s"},
++	{Opt_euid, "euid=%s"},
+ 	{Opt_fowner, "fowner=%s"},
+ 	{Opt_appraise_type, "appraise_type=%s"},
+ 	{Opt_permit_directio, "permit_directio"},
+@@ -412,6 +429,7 @@ static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
+ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
+ {
+ 	struct audit_buffer *ab;
++	char *from;
+ 	char *p;
+ 	int result = 0;
+ 
+@@ -500,18 +518,23 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
+ 			if (entry->mask)
+ 				result = -EINVAL;
+ 
+-			if ((strcmp(args[0].from, "MAY_EXEC")) == 0)
++			from = args[0].from;
++			if (*from == '^')
++				from++;
++
++			if ((strcmp(from, "MAY_EXEC")) == 0)
+ 				entry->mask = MAY_EXEC;
+-			else if (strcmp(args[0].from, "MAY_WRITE") == 0)
++			else if (strcmp(from, "MAY_WRITE") == 0)
+ 				entry->mask = MAY_WRITE;
+-			else if (strcmp(args[0].from, "MAY_READ") == 0)
++			else if (strcmp(from, "MAY_READ") == 0)
+ 				entry->mask = MAY_READ;
+-			else if (strcmp(args[0].from, "MAY_APPEND") == 0)
++			else if (strcmp(from, "MAY_APPEND") == 0)
+ 				entry->mask = MAY_APPEND;
+ 			else
+ 				result = -EINVAL;
+ 			if (!result)
+-				entry->flags |= IMA_MASK;
++				entry->flags |= (*args[0].from == '^')
++				     ? IMA_INMASK : IMA_MASK;
+ 			break;
+ 		case Opt_fsmagic:
+ 			ima_log_string(ab, "fsmagic", args[0].from);
+@@ -542,6 +565,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
+ 			break;
+ 		case Opt_uid:
+ 			ima_log_string(ab, "uid", args[0].from);
++		case Opt_euid:
++			if (token == Opt_euid)
++				ima_log_string(ab, "euid", args[0].from);
+ 
+ 			if (uid_valid(entry->uid)) {
+ 				result = -EINVAL;
+@@ -550,11 +576,14 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
+ 
+ 			result = strict_strtoul(args[0].from, 10, &lnum);
+ 			if (!result) {
+-				entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
+-				if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
++				entry->uid = make_kuid(current_user_ns(),
++						       (uid_t) lnum);
++				if (!uid_valid(entry->uid) ||
++				    (uid_t)lnum != lnum)
+ 					result = -EINVAL;
+ 				else
+-					entry->flags |= IMA_UID;
++					entry->flags |= (token == Opt_uid)
++					    ? IMA_UID : IMA_EUID;
+ 			}
+ 			break;
+ 		case Opt_fowner:
+diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c
+index 51e2080..7b0aac9 100644
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -1002,9 +1002,7 @@ static void cs4210_spdif_automute(struct hda_codec *codec,
+ 
+ 	spec->spdif_present = spdif_present;
+ 	/* SPDIF TX on/off */
+-	if (spdif_present)
+-		snd_hda_set_pin_ctl(codec, spdif_pin,
+-				    spdif_present ? PIN_OUT : 0);
++	snd_hda_set_pin_ctl(codec, spdif_pin, spdif_present ? PIN_OUT : 0);
+ 
+ 	cs_automute(codec);
+ }
+diff --git a/sound/soc/codecs/pcm1681.c b/sound/soc/codecs/pcm1681.c
+index 651e2fe..dfa9755 100644
+--- a/sound/soc/codecs/pcm1681.c
++++ b/sound/soc/codecs/pcm1681.c
+@@ -102,7 +102,7 @@ static int pcm1681_set_deemph(struct snd_soc_codec *codec)
+ 
+ 	if (val != -1) {
+ 		regmap_update_bits(priv->regmap, PCM1681_DEEMPH_CONTROL,
+-					PCM1681_DEEMPH_RATE_MASK, val);
++				   PCM1681_DEEMPH_RATE_MASK, val << 3);
+ 		enable = 1;
+ 	} else
+ 		enable = 0;
diff --git a/3.14.50/4420_grsecurity-3.1-3.14.50-201508142232.patch b/3.14.51/4420_grsecurity-3.1-3.14.51-201508181951.patch
index f556dbc..80024c4 100644
--- a/3.14.50/4420_grsecurity-3.1-3.14.50-201508142232.patch
+++ b/3.14.51/4420_grsecurity-3.1-3.14.51-201508181951.patch
@@ -328,7 +328,7 @@ index 855d9b3..154c500 100644
  
  A toggle value indicating if modules are allowed to be loaded
 diff --git a/Makefile b/Makefile
-index d71c40a..4d15036 100644
+index 83275d8e..235ffae 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -2174,10 +2174,10 @@ index c4ae171..ea0c0c2 100644
  extern struct psci_operations psci_ops;
  extern struct smp_operations psci_smp_ops;
 diff --git a/arch/arm/include/asm/smp.h b/arch/arm/include/asm/smp.h
-index 22a3b9b..7f214ee 100644
+index 4157aec..375a858 100644
 --- a/arch/arm/include/asm/smp.h
 +++ b/arch/arm/include/asm/smp.h
-@@ -112,7 +112,7 @@ struct smp_operations {
+@@ -113,7 +113,7 @@ struct smp_operations {
  	int  (*cpu_disable)(unsigned int cpu);
  #endif
  #endif
@@ -3721,7 +3721,7 @@ index 78c02b3..c94109a 100644
  struct omap_device *omap_device_alloc(struct platform_device *pdev,
  				      struct omap_hwmod **ohs, int oh_cnt);
 diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
-index 4551efd..d487c24 100644
+index 399af1e..ead318a5 100644
 --- a/arch/arm/mach-omap2/omap_hwmod.c
 +++ b/arch/arm/mach-omap2/omap_hwmod.c
 @@ -194,10 +194,10 @@ struct omap_hwmod_soc_ops {
@@ -6932,7 +6932,7 @@ index b336037..5b874cc 100644
  
  /*
 diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
-index 008324d..f67c239 100644
+index b154953..f5e6871 100644
 --- a/arch/mips/include/asm/pgtable.h
 +++ b/arch/mips/include/asm/pgtable.h
 @@ -20,6 +20,9 @@
@@ -8965,10 +8965,10 @@ index 2e3d2bf..35df241 100644
  
  	if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
 diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
-index 4e47db6..6dcc96e 100644
+index e881e3f..0fed4bce 100644
 --- a/arch/powerpc/kernel/signal_32.c
 +++ b/arch/powerpc/kernel/signal_32.c
-@@ -1013,7 +1013,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
+@@ -1011,7 +1011,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
  	/* Save user registers on the stack */
  	frame = &rt_sf->uc.uc_mcontext;
  	addr = frame;
@@ -10431,40 +10431,6 @@ index ad7e178..26cd4a7 100644
  	if (unlikely(ret))
  		ret = copy_to_user_fixup(to, from, size);
  	return ret;
-diff --git a/arch/sparc/include/asm/visasm.h b/arch/sparc/include/asm/visasm.h
-index 11fdf0e..50d6f16 100644
---- a/arch/sparc/include/asm/visasm.h
-+++ b/arch/sparc/include/asm/visasm.h
-@@ -28,16 +28,10 @@
-  * Must preserve %o5 between VISEntryHalf and VISExitHalf */
- 
- #define VISEntryHalf					\
--	rd		%fprs, %o5;			\
--	andcc		%o5, FPRS_FEF, %g0;		\
--	be,pt		%icc, 297f;			\
--	 sethi		%hi(298f), %g7;			\
--	sethi		%hi(VISenterhalf), %g1;		\
--	jmpl		%g1 + %lo(VISenterhalf), %g0;	\
--	 or		%g7, %lo(298f), %g7;		\
--	clr		%o5;				\
--297:	wr		%o5, FPRS_FEF, %fprs;		\
--298:
-+	VISEntry
-+
-+#define VISExitHalf					\
-+	VISExit
- 
- #define VISEntryHalfFast(fail_label)			\
- 	rd		%fprs, %o5;			\
-@@ -47,7 +41,7 @@
- 	ba,a,pt		%xcc, fail_label;		\
- 297:	wr		%o5, FPRS_FEF, %fprs;
- 
--#define VISExitHalf					\
-+#define VISExitHalfFast					\
- 	wr		%o5, 0, %fprs;
- 
- #ifndef __ASSEMBLY__
 diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile
 index d15cc17..d0ae796 100644
 --- a/arch/sparc/kernel/Makefile
@@ -11126,105 +11092,6 @@ index dbe119b..089c7c1 100644
  
  lib-$(CONFIG_SPARC32) += ashrdi3.o
  lib-$(CONFIG_SPARC32) += memcpy.o memset.o
-diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S
-index 140527a..83aeeb1 100644
---- a/arch/sparc/lib/NG4memcpy.S
-+++ b/arch/sparc/lib/NG4memcpy.S
-@@ -240,8 +240,11 @@ FUNC_NAME:	/* %o0=dst, %o1=src, %o2=len */
- 	add		%o0, 0x40, %o0
- 	bne,pt		%icc, 1b
- 	 LOAD(prefetch, %g1 + 0x200, #n_reads_strong)
-+#ifdef NON_USER_COPY
-+	VISExitHalfFast
-+#else
- 	VISExitHalf
--
-+#endif
- 	brz,pn		%o2, .Lexit
- 	 cmp		%o2, 19
- 	ble,pn		%icc, .Lsmall_unaligned
-diff --git a/arch/sparc/lib/VISsave.S b/arch/sparc/lib/VISsave.S
-index b320ae9..a063d84 100644
---- a/arch/sparc/lib/VISsave.S
-+++ b/arch/sparc/lib/VISsave.S
-@@ -44,9 +44,8 @@ vis1:	ldub		[%g6 + TI_FPSAVED], %g3
- 
- 	 stx		%g3, [%g6 + TI_GSR]
- 2:	add		%g6, %g1, %g3
--	cmp		%o5, FPRS_DU
--	be,pn		%icc, 6f
--	 sll		%g1, 3, %g1
-+	mov		FPRS_DU | FPRS_DL | FPRS_FEF, %o5
-+	sll		%g1, 3, %g1
- 	stb		%o5, [%g3 + TI_FPSAVED]
- 	rd		%gsr, %g2
- 	add		%g6, %g1, %g3
-@@ -80,65 +79,3 @@ vis1:	ldub		[%g6 + TI_FPSAVED], %g3
- 	.align		32
- 80:	jmpl		%g7 + %g0, %g0
- 	 nop
--
--6:	ldub		[%g3 + TI_FPSAVED], %o5
--	or		%o5, FPRS_DU, %o5
--	add		%g6, TI_FPREGS+0x80, %g2
--	stb		%o5, [%g3 + TI_FPSAVED]
--
--	sll		%g1, 5, %g1
--	add		%g6, TI_FPREGS+0xc0, %g3
--	wr		%g0, FPRS_FEF, %fprs
--	membar		#Sync
--	stda		%f32, [%g2 + %g1] ASI_BLK_P
--	stda		%f48, [%g3 + %g1] ASI_BLK_P
--	membar		#Sync
--	ba,pt		%xcc, 80f
--	 nop
--
--	.align		32
--80:	jmpl		%g7 + %g0, %g0
--	 nop
--
--	.align		32
--VISenterhalf:
--	ldub		[%g6 + TI_FPDEPTH], %g1
--	brnz,a,pn	%g1, 1f
--	 cmp		%g1, 1
--	stb		%g0, [%g6 + TI_FPSAVED]
--	stx		%fsr, [%g6 + TI_XFSR]
--	clr		%o5
--	jmpl		%g7 + %g0, %g0
--	 wr		%g0, FPRS_FEF, %fprs
--
--1:	bne,pn		%icc, 2f
--	 srl		%g1, 1, %g1
--	ba,pt		%xcc, vis1
--	 sub		%g7, 8, %g7
--2:	addcc		%g6, %g1, %g3
--	sll		%g1, 3, %g1
--	andn		%o5, FPRS_DU, %g2
--	stb		%g2, [%g3 + TI_FPSAVED]
--
--	rd		%gsr, %g2
--	add		%g6, %g1, %g3
--	stx		%g2, [%g3 + TI_GSR]
--	add		%g6, %g1, %g2
--	stx		%fsr, [%g2 + TI_XFSR]
--	sll		%g1, 5, %g1
--3:	andcc		%o5, FPRS_DL, %g0
--	be,pn		%icc, 4f
--	 add		%g6, TI_FPREGS, %g2
--
--	add		%g6, TI_FPREGS+0x40, %g3
--	membar		#Sync
--	stda		%f0, [%g2 + %g1] ASI_BLK_P
--	stda		%f16, [%g3 + %g1] ASI_BLK_P
--	membar		#Sync
--	ba,pt		%xcc, 4f
--	 nop
--
--	.align		32
--4:	and		%o5, FPRS_DU, %o5
--	jmpl		%g7 + %g0, %g0
--	 wr		%o5, FPRS_FEF, %fprs
 diff --git a/arch/sparc/lib/atomic_64.S b/arch/sparc/lib/atomic_64.S
 index 85c233d..68500e0 100644
 --- a/arch/sparc/lib/atomic_64.S
@@ -11440,7 +11307,7 @@ index 85c233d..68500e0 100644
  	cmp	%g1, %g7
  	bne,pn	%xcc, BACKOFF_LABEL(2f, 1b)
 diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c
-index 323335b..e8ee09d 100644
+index ac094de..e8ee09d 100644
 --- a/arch/sparc/lib/ksyms.c
 +++ b/arch/sparc/lib/ksyms.c
 @@ -100,12 +100,18 @@ EXPORT_SYMBOL(__clear_user);
@@ -11462,17 +11329,6 @@ index 323335b..e8ee09d 100644
  EXPORT_SYMBOL(atomic64_sub_ret);
  EXPORT_SYMBOL(atomic64_dec_if_positive);
  
-@@ -126,10 +132,6 @@ EXPORT_SYMBOL(copy_user_page);
- void VISenter(void);
- EXPORT_SYMBOL(VISenter);
- 
--/* CRYPTO code needs this */
--void VISenterhalf(void);
--EXPORT_SYMBOL(VISenterhalf);
--
- extern void xor_vis_2(unsigned long, unsigned long *, unsigned long *);
- extern void xor_vis_3(unsigned long, unsigned long *, unsigned long *,
- 		unsigned long *);
 diff --git a/arch/sparc/mm/Makefile b/arch/sparc/mm/Makefile
 index 30c3ecc..736f015 100644
 --- a/arch/sparc/mm/Makefile
@@ -29202,19 +29058,6 @@ index 6456734..b845039 100644
  
  #define APIC_LVT_NUM			6
  /* 14 is the version for Xeon and Pentium 8.4.8*/
-diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
-index 6a11845..7205173 100644
---- a/arch/x86/kvm/lapic.h
-+++ b/arch/x86/kvm/lapic.h
-@@ -165,7 +165,7 @@ static inline u16 apic_logical_id(struct kvm_apic_map *map, u32 ldr)
- 
- static inline bool kvm_apic_has_events(struct kvm_vcpu *vcpu)
- {
--	return vcpu->arch.apic->pending_events;
-+	return kvm_vcpu_has_lapic(vcpu) && vcpu->arch.apic->pending_events;
- }
- 
- bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector);
 diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
 index cba218a..1cc1bed 100644
 --- a/arch/x86/kvm/paging_tmpl.h
@@ -36599,7 +36442,7 @@ index 01b9026..1e476df 100644
  	  This is the Linux Xen port.  Enabling this will allow the
  	  kernel to boot in a paravirtualized environment under the
 diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 201d09a..9789e51 100644
+index 2302f10..9789e51 100644
 --- a/arch/x86/xen/enlighten.c
 +++ b/arch/x86/xen/enlighten.c
 @@ -123,8 +123,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -36611,75 +36454,7 @@ index 201d09a..9789e51 100644
  RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
  __read_mostly int xen_have_vector_callback;
  EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -481,6 +479,7 @@ static void set_aliased_prot(void *v, pgprot_t prot)
- 	pte_t pte;
- 	unsigned long pfn;
- 	struct page *page;
-+	unsigned char dummy;
- 
- 	ptep = lookup_address((unsigned long)v, &level);
- 	BUG_ON(ptep == NULL);
-@@ -490,6 +489,32 @@ static void set_aliased_prot(void *v, pgprot_t prot)
- 
- 	pte = pfn_pte(pfn, prot);
- 
-+	/*
-+	 * Careful: update_va_mapping() will fail if the virtual address
-+	 * we're poking isn't populated in the page tables.  We don't
-+	 * need to worry about the direct map (that's always in the page
-+	 * tables), but we need to be careful about vmap space.  In
-+	 * particular, the top level page table can lazily propagate
-+	 * entries between processes, so if we've switched mms since we
-+	 * vmapped the target in the first place, we might not have the
-+	 * top-level page table entry populated.
-+	 *
-+	 * We disable preemption because we want the same mm active when
-+	 * we probe the target and when we issue the hypercall.  We'll
-+	 * have the same nominal mm, but if we're a kernel thread, lazy
-+	 * mm dropping could change our pgd.
-+	 *
-+	 * Out of an abundance of caution, this uses __get_user() to fault
-+	 * in the target address just in case there's some obscure case
-+	 * in which the target address isn't readable.
-+	 */
-+
-+	preempt_disable();
-+
-+	pagefault_disable();	/* Avoid warnings due to being atomic. */
-+	__get_user(dummy, (unsigned char __user __force *)v);
-+	pagefault_enable();
-+
- 	if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0))
- 		BUG();
- 
-@@ -501,6 +526,8 @@ static void set_aliased_prot(void *v, pgprot_t prot)
- 				BUG();
- 	} else
- 		kmap_flush_unused();
-+
-+	preempt_enable();
- }
- 
- static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
-@@ -508,6 +535,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
- 	const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE;
- 	int i;
- 
-+	/*
-+	 * We need to mark the all aliases of the LDT pages RO.  We
-+	 * don't need to call vm_flush_aliases(), though, since that's
-+	 * only responsible for flushing aliases out the TLBs, not the
-+	 * page tables, and Xen will flush the TLB for us if needed.
-+	 *
-+	 * To avoid confusing future readers: none of this is necessary
-+	 * to load the LDT.  The hypervisor only checks this when the
-+	 * LDT is faulted in due to subsequent descriptor access.
-+	 */
-+
- 	for(i = 0; i < entries; i += entries_per_page)
- 		set_aliased_prot(ldt + i, PAGE_KERNEL_RO);
- }
-@@ -542,8 +580,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
+@@ -582,8 +580,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
  {
  	unsigned long va = dtr->address;
  	unsigned int size = dtr->size + 1;
@@ -36689,7 +36464,7 @@ index 201d09a..9789e51 100644
  	int f;
  
  	/*
-@@ -591,8 +628,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -631,8 +628,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
  {
  	unsigned long va = dtr->address;
  	unsigned int size = dtr->size + 1;
@@ -36699,7 +36474,7 @@ index 201d09a..9789e51 100644
  	int f;
  
  	/*
-@@ -600,7 +636,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -640,7 +636,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
  	 * 8-byte entries, or 16 4k pages..
  	 */
  
@@ -36708,7 +36483,7 @@ index 201d09a..9789e51 100644
  	BUG_ON(va & ~PAGE_MASK);
  
  	for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
-@@ -989,7 +1025,7 @@ static u32 xen_safe_apic_wait_icr_idle(void)
+@@ -1029,7 +1025,7 @@ static u32 xen_safe_apic_wait_icr_idle(void)
          return 0;
  }
  
@@ -36717,7 +36492,7 @@ index 201d09a..9789e51 100644
  {
  	apic->read = xen_apic_read;
  	apic->write = xen_apic_write;
-@@ -1295,30 +1331,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1335,30 +1331,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
  #endif
  };
  
@@ -36755,7 +36530,7 @@ index 201d09a..9789e51 100644
  {
  	if (pm_power_off)
  		pm_power_off();
-@@ -1455,8 +1491,11 @@ static void __ref xen_setup_gdt(int cpu)
+@@ -1495,8 +1491,11 @@ static void __ref xen_setup_gdt(int cpu)
  	pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot;
  	pv_cpu_ops.load_gdt = xen_load_gdt_boot;
  
@@ -36769,7 +36544,7 @@ index 201d09a..9789e51 100644
  
  	pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
  	pv_cpu_ops.load_gdt = xen_load_gdt;
-@@ -1564,7 +1603,17 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1604,7 +1603,17 @@ asmlinkage void __init xen_start_kernel(void)
  	__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
  
  	/* Work out if we support NX */
@@ -36788,7 +36563,7 @@ index 201d09a..9789e51 100644
  
  	/* Get mfn list */
  	xen_build_dynamic_phys_to_machine();
-@@ -1592,13 +1641,6 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1632,13 +1641,6 @@ asmlinkage void __init xen_start_kernel(void)
  
  	machine_ops = xen_machine_ops;
  
@@ -45760,10 +45535,10 @@ index 7ef7461..5a09dac 100644
  	cl->fn = fn;
  	cl->wq = wq;
 diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c
-index 8e51b3a..bc6febf 100644
+index cc3dc0c..5ca5ec9 100644
 --- a/drivers/md/bitmap.c
 +++ b/drivers/md/bitmap.c
-@@ -1775,7 +1775,7 @@ void bitmap_status(struct seq_file *seq, struct bitmap *bitmap)
+@@ -1777,7 +1777,7 @@ void bitmap_status(struct seq_file *seq, struct bitmap *bitmap)
  		   chunk_kb ? "KB" : "B");
  	if (bitmap->storage.file) {
  		seq_printf(seq, ", file: ");
@@ -46030,7 +45805,7 @@ index e400591..a94ae6b 100644
  
  void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
 diff --git a/drivers/md/md.c b/drivers/md/md.c
-index b4067b9..91b08f3 100644
+index 2ffd277..91b08f3 100644
 --- a/drivers/md/md.c
 +++ b/drivers/md/md.c
 @@ -194,10 +194,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
@@ -46102,13 +45877,7 @@ index b4067b9..91b08f3 100644
  
  	INIT_LIST_HEAD(&rdev->same_set);
  	init_waitqueue_head(&rdev->blocked_wait);
-@@ -5645,16 +5645,13 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg)
- 	char *ptr, *buf = NULL;
- 	int err = -ENOMEM;
- 
--	file = kmalloc(sizeof(*file), GFP_NOIO);
--
-+	file = kzalloc(sizeof(*file), GFP_NOIO);
+@@ -5649,11 +5649,9 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg)
  	if (!file)
  		goto out;
  
@@ -46122,7 +45891,7 @@ index b4067b9..91b08f3 100644
  
  	buf = kmalloc(sizeof(file->pathname), GFP_KERNEL);
  	if (!buf)
-@@ -7079,7 +7076,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -7078,7 +7076,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
  
  		spin_unlock(&pers_lock);
  		seq_printf(seq, "\n");
@@ -46131,7 +45900,7 @@ index b4067b9..91b08f3 100644
  		return 0;
  	}
  	if (v == (void*)2) {
-@@ -7182,7 +7179,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
+@@ -7181,7 +7179,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
  		return error;
  
  	seq = file->private_data;
@@ -46140,7 +45909,7 @@ index b4067b9..91b08f3 100644
  	return error;
  }
  
-@@ -7196,7 +7193,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
+@@ -7195,7 +7193,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
  	/* always allow read */
  	mask = POLLIN | POLLRDNORM;
  
@@ -46149,7 +45918,7 @@ index b4067b9..91b08f3 100644
  		mask |= POLLERR | POLLPRI;
  	return mask;
  }
-@@ -7240,7 +7237,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+@@ -7239,7 +7237,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
  		struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
  		curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
  			      (int)part_stat_read(&disk->part0, sectors[1]) -
@@ -46222,10 +45991,10 @@ index 3e6d115..ffecdeb 100644
  /*----------------------------------------------------------------*/
  
 diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index 9be97e0..71b21b0 100644
+index 47b7c31..c48ab61 100644
 --- a/drivers/md/raid1.c
 +++ b/drivers/md/raid1.c
-@@ -1937,7 +1937,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
+@@ -1939,7 +1939,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
  			if (r1_sync_page_io(rdev, sect, s,
  					    bio->bi_io_vec[idx].bv_page,
  					    READ) != 0)
@@ -46234,7 +46003,7 @@ index 9be97e0..71b21b0 100644
  		}
  		sectors -= s;
  		sect += s;
-@@ -2171,7 +2171,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
+@@ -2173,7 +2173,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
  			    !test_bit(Faulty, &rdev->flags)) {
  				if (r1_sync_page_io(rdev, sect, s,
  						    conf->tmppage, READ)) {
@@ -53119,7 +52888,7 @@ index a107064..30775cf 100644
  	if (!sdp->request_queue->rq_timeout) {
  		if (sdp->type != TYPE_MOD)
 diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index eb81c98..0253222 100644
+index 721d839..0253222 100644
 --- a/drivers/scsi/sg.c
 +++ b/drivers/scsi/sg.c
 @@ -1102,7 +1102,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
@@ -53131,16 +52900,6 @@ index eb81c98..0253222 100644
  	case BLKTRACESTART:
  		return blk_trace_startstop(sdp->device->request_queue, 1);
  	case BLKTRACESTOP:
-@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
- 			md->from_user = 0;
- 	}
- 
-+	if (unlikely(iov_count > UIO_MAXIOV))
-+		return -EINVAL;
-+
- 	if (iov_count) {
- 		int len, size = sizeof(struct sg_iovec) * iov_count;
- 		struct iovec *iov;
 diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
 index 40d8592..8e89146 100644
 --- a/drivers/scsi/sr.c
@@ -74507,19 +74266,10 @@ index a93f7e6..d58bcbe 100644
  		return 0;
  	while (nr) {
 diff --git a/fs/dcache.c b/fs/dcache.c
-index 3d2f27b..8f1bf8c 100644
+index df323f8..8304de6 100644
 --- a/fs/dcache.c
 +++ b/fs/dcache.c
-@@ -250,7 +250,7 @@ static void __d_free(struct rcu_head *head)
- static void d_free(struct dentry *dentry)
- {
- 	WARN_ON(!hlist_unhashed(&dentry->d_u.d_alias));
--	BUG_ON((int)dentry->d_lockref.count > 0);
-+	BUG_ON((int)__lockref_read(&dentry->d_lockref) > 0);
- 	this_cpu_dec(nr_dentry);
- 	if (dentry->d_op && dentry->d_op->d_release)
- 		dentry->d_op->d_release(dentry);
-@@ -599,7 +599,7 @@ repeat:
+@@ -575,7 +575,7 @@ repeat:
  		dentry->d_flags |= DCACHE_REFERENCED;
  	dentry_lru_add(dentry);
  
@@ -74528,7 +74278,7 @@ index 3d2f27b..8f1bf8c 100644
  	spin_unlock(&dentry->d_lock);
  	return;
  
-@@ -654,7 +654,7 @@ int d_invalidate(struct dentry * dentry)
+@@ -630,7 +630,7 @@ int d_invalidate(struct dentry * dentry)
  	 * We also need to leave mountpoints alone,
  	 * directory or not.
  	 */
@@ -74537,7 +74287,7 @@ index 3d2f27b..8f1bf8c 100644
  		if (S_ISDIR(dentry->d_inode->i_mode) || d_mountpoint(dentry)) {
  			spin_unlock(&dentry->d_lock);
  			return -EBUSY;
-@@ -670,7 +670,7 @@ EXPORT_SYMBOL(d_invalidate);
+@@ -646,7 +646,7 @@ EXPORT_SYMBOL(d_invalidate);
  /* This must be called with d_lock held */
  static inline void __dget_dlock(struct dentry *dentry)
  {
@@ -74546,7 +74296,7 @@ index 3d2f27b..8f1bf8c 100644
  }
  
  static inline void __dget(struct dentry *dentry)
-@@ -711,8 +711,8 @@ repeat:
+@@ -687,8 +687,8 @@ repeat:
  		goto repeat;
  	}
  	rcu_read_unlock();
@@ -74557,7 +74307,7 @@ index 3d2f27b..8f1bf8c 100644
  	spin_unlock(&ret->d_lock);
  	return ret;
  }
-@@ -795,7 +795,7 @@ restart:
+@@ -771,7 +771,7 @@ restart:
  	spin_lock(&inode->i_lock);
  	hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
  		spin_lock(&dentry->d_lock);
@@ -74566,16 +74316,16 @@ index 3d2f27b..8f1bf8c 100644
  			/*
  			 * inform the fs via d_prune that this dentry
  			 * is about to be unhashed and destroyed.
-@@ -887,7 +887,7 @@ static void shrink_dentry_list(struct list_head *list)
+@@ -811,7 +811,7 @@ static void shrink_dentry_list(struct list_head *list)
  		 * We found an inuse dentry which was not removed from
  		 * the LRU because of laziness during lookup. Do not free it.
  		 */
--		if (dentry->d_lockref.count) {
-+		if (__lockref_read(&dentry->d_lockref)) {
+-		if ((int)dentry->d_lockref.count > 0) {
++		if ((int)__lockref_read(&dentry->d_lockref) > 0) {
  			spin_unlock(&dentry->d_lock);
  			continue;
  		}
-@@ -933,7 +933,7 @@ dentry_lru_isolate(struct list_head *item, spinlock_t *lru_lock, void *arg)
+@@ -865,7 +865,7 @@ dentry_lru_isolate(struct list_head *item, spinlock_t *lru_lock, void *arg)
  	 * counts, just remove them from the LRU. Otherwise give them
  	 * another pass through the LRU.
  	 */
@@ -74584,39 +74334,34 @@ index 3d2f27b..8f1bf8c 100644
  		d_lru_isolate(dentry);
  		spin_unlock(&dentry->d_lock);
  		return LRU_REMOVED;
-@@ -1272,7 +1272,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry)
- 	 * loop in shrink_dcache_parent() might not make any progress
- 	 * and loop forever.
- 	 */
--	if (dentry->d_lockref.count) {
-+	if (__lockref_read(&dentry->d_lockref)) {
- 		dentry_lru_del(dentry);
- 	} else if (!(dentry->d_flags & DCACHE_SHRINK_LIST)) {
- 		/*
-@@ -1326,11 +1326,11 @@ static enum d_walk_ret umount_collect(void *_data, struct dentry *dentry)
- 	struct select_data *data = _data;
- 	enum d_walk_ret ret = D_WALK_CONTINUE;
+@@ -1201,7 +1201,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry)
+ 	} else {
+ 		if (dentry->d_flags & DCACHE_LRU_LIST)
+ 			d_lru_del(dentry);
+-		if (!dentry->d_lockref.count) {
++		if (!__lockref_read(&dentry->d_lockref)) {
+ 			d_shrink_add(dentry, &data->dispose);
+ 			data->found++;
+ 		}
+@@ -1249,7 +1249,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
+ 		return D_WALK_CONTINUE;
  
--	if (dentry->d_lockref.count) {
-+	if (__lockref_read(&dentry->d_lockref)) {
- 		dentry_lru_del(dentry);
- 		if (likely(!list_empty(&dentry->d_subdirs)))
- 			goto out;
--		if (dentry == data->start && dentry->d_lockref.count == 1)
-+		if (dentry == data->start && __lockref_read(&dentry->d_lockref) == 1)
- 			goto out;
- 		printk(KERN_ERR
- 		       "BUG: Dentry %p{i=%lx,n=%s}"
-@@ -1340,7 +1340,7 @@ static enum d_walk_ret umount_collect(void *_data, struct dentry *dentry)
+ 	/* root with refcount 1 is fine */
+-	if (dentry == _data && dentry->d_lockref.count == 1)
++	if (dentry == _data && __lockref_read(&dentry->d_lockref) == 1)
+ 		return D_WALK_CONTINUE;
+ 
+ 	printk(KERN_ERR "BUG: Dentry %p{i=%lx,n=%pd} "
+@@ -1258,7 +1258,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
  		       dentry->d_inode ?
  		       dentry->d_inode->i_ino : 0UL,
- 		       dentry->d_name.name,
+ 		       dentry,
 -		       dentry->d_lockref.count,
 +		       __lockref_read(&dentry->d_lockref),
  		       dentry->d_sb->s_type->name,
  		       dentry->d_sb->s_id);
- 		BUG();
-@@ -1498,7 +1498,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
+ 	WARN_ON(1);
+@@ -1384,7 +1384,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
  	 */
  	dentry->d_iname[DNAME_INLINE_LEN-1] = 0;
  	if (name->len > DNAME_INLINE_LEN-1) {
@@ -74625,7 +74370,7 @@ index 3d2f27b..8f1bf8c 100644
  		if (!dname) {
  			kmem_cache_free(dentry_cache, dentry); 
  			return NULL;
-@@ -1516,7 +1516,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
+@@ -1402,7 +1402,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
  	smp_wmb();
  	dentry->d_name.name = dname;
  
@@ -74634,7 +74379,7 @@ index 3d2f27b..8f1bf8c 100644
  	dentry->d_flags = 0;
  	spin_lock_init(&dentry->d_lock);
  	seqcount_init(&dentry->d_seq);
-@@ -1525,6 +1525,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
+@@ -1411,6 +1411,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
  	dentry->d_sb = sb;
  	dentry->d_op = NULL;
  	dentry->d_fsdata = NULL;
@@ -74644,7 +74389,7 @@ index 3d2f27b..8f1bf8c 100644
  	INIT_HLIST_BL_NODE(&dentry->d_hash);
  	INIT_LIST_HEAD(&dentry->d_lru);
  	INIT_LIST_HEAD(&dentry->d_subdirs);
-@@ -2279,7 +2282,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
+@@ -2165,7 +2168,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
  				goto next;
  		}
  
@@ -74653,7 +74398,7 @@ index 3d2f27b..8f1bf8c 100644
  		found = dentry;
  		spin_unlock(&dentry->d_lock);
  		break;
-@@ -2378,7 +2381,7 @@ again:
+@@ -2264,7 +2267,7 @@ again:
  	spin_lock(&dentry->d_lock);
  	inode = dentry->d_inode;
  	isdir = S_ISDIR(inode->i_mode);
@@ -74662,7 +74407,7 @@ index 3d2f27b..8f1bf8c 100644
  		if (!spin_trylock(&inode->i_lock)) {
  			spin_unlock(&dentry->d_lock);
  			cpu_relax();
-@@ -3311,7 +3314,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
+@@ -3197,7 +3200,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
  
  		if (!(dentry->d_flags & DCACHE_GENOCIDE)) {
  			dentry->d_flags |= DCACHE_GENOCIDE;
@@ -74671,7 +74416,7 @@ index 3d2f27b..8f1bf8c 100644
  		}
  	}
  	return D_WALK_CONTINUE;
-@@ -3427,7 +3430,8 @@ void __init vfs_caches_init(unsigned long mempages)
+@@ -3313,7 +3316,8 @@ void __init vfs_caches_init(unsigned long mempages)
  	mempages -= reserve;
  
  	names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
@@ -78060,7 +77805,7 @@ index b29e42f..5ea7fdf 100644
  #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
  
 diff --git a/fs/namei.c b/fs/namei.c
-index ccb8000..02d506e 100644
+index c6fa079..02d506e 100644
 --- a/fs/namei.c
 +++ b/fs/namei.c
 @@ -331,17 +331,34 @@ int generic_permission(struct inode *inode, int mask)
@@ -78412,15 +78157,6 @@ index ccb8000..02d506e 100644
  	error = -EISDIR;
  	if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
  		goto out;
-@@ -3171,7 +3276,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
- 
- 	if (unlikely(file->f_flags & __O_TMPFILE)) {
- 		error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened);
--		goto out;
-+		goto out2;
- 	}
- 
- 	error = path_init(dfd, pathname->name, flags | LOOKUP_PARENT, nd, &base);
 @@ -3183,7 +3288,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
  	if (unlikely(error))
  		goto out;
@@ -78439,15 +78175,7 @@ index ccb8000..02d506e 100644
  		put_link(nd, &link, cookie);
  	}
  out:
-@@ -3209,6 +3314,7 @@ out:
- 		path_put(&nd->root);
- 	if (base)
- 		fput(base);
-+out2:
- 	if (!(opened & FILE_OPENED)) {
- 		BUG_ON(!error);
- 		put_filp(file);
-@@ -3301,9 +3407,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
+@@ -3302,9 +3407,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
  		goto unlock;
  
  	error = -EEXIST;
@@ -78461,7 +78189,7 @@ index ccb8000..02d506e 100644
  	/*
  	 * Special case - lookup gave negative, but... we had foo/bar/
  	 * From the vfs_mknod() POV we just have a negative dentry -
-@@ -3355,6 +3463,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
+@@ -3356,6 +3463,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
  }
  EXPORT_SYMBOL(user_path_create);
  
@@ -78482,7 +78210,7 @@ index ccb8000..02d506e 100644
  int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
  {
  	int error = may_create(dir, dentry);
-@@ -3417,6 +3539,17 @@ retry:
+@@ -3418,6 +3539,17 @@ retry:
  
  	if (!IS_POSIXACL(path.dentry->d_inode))
  		mode &= ~current_umask();
@@ -78500,7 +78228,7 @@ index ccb8000..02d506e 100644
  	error = security_path_mknod(&path, dentry, mode, dev);
  	if (error)
  		goto out;
-@@ -3433,6 +3566,8 @@ retry:
+@@ -3434,6 +3566,8 @@ retry:
  			break;
  	}
  out:
@@ -78509,7 +78237,7 @@ index ccb8000..02d506e 100644
  	done_path_create(&path, dentry);
  	if (retry_estale(error, lookup_flags)) {
  		lookup_flags |= LOOKUP_REVAL;
-@@ -3485,9 +3620,16 @@ retry:
+@@ -3486,9 +3620,16 @@ retry:
  
  	if (!IS_POSIXACL(path.dentry->d_inode))
  		mode &= ~current_umask();
@@ -78526,7 +78254,7 @@ index ccb8000..02d506e 100644
  	done_path_create(&path, dentry);
  	if (retry_estale(error, lookup_flags)) {
  		lookup_flags |= LOOKUP_REVAL;
-@@ -3568,6 +3710,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3569,6 +3710,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
  	struct filename *name;
  	struct dentry *dentry;
  	struct nameidata nd;
@@ -78535,7 +78263,7 @@ index ccb8000..02d506e 100644
  	unsigned int lookup_flags = 0;
  retry:
  	name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3600,10 +3744,21 @@ retry:
+@@ -3601,10 +3744,21 @@ retry:
  		error = -ENOENT;
  		goto exit3;
  	}
@@ -78557,7 +78285,7 @@ index ccb8000..02d506e 100644
  exit3:
  	dput(dentry);
  exit2:
-@@ -3693,6 +3848,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3694,6 +3848,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
  	struct nameidata nd;
  	struct inode *inode = NULL;
  	struct inode *delegated_inode = NULL;
@@ -78566,7 +78294,7 @@ index ccb8000..02d506e 100644
  	unsigned int lookup_flags = 0;
  retry:
  	name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3719,10 +3876,22 @@ retry_deleg:
+@@ -3720,10 +3876,22 @@ retry_deleg:
  		if (d_is_negative(dentry))
  			goto slashes;
  		ihold(inode);
@@ -78589,7 +78317,7 @@ index ccb8000..02d506e 100644
  exit2:
  		dput(dentry);
  	}
-@@ -3810,9 +3979,17 @@ retry:
+@@ -3811,9 +3979,17 @@ retry:
  	if (IS_ERR(dentry))
  		goto out_putname;
  
@@ -78607,7 +78335,7 @@ index ccb8000..02d506e 100644
  	done_path_create(&path, dentry);
  	if (retry_estale(error, lookup_flags)) {
  		lookup_flags |= LOOKUP_REVAL;
-@@ -3915,6 +4092,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3916,6 +4092,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
  	struct dentry *new_dentry;
  	struct path old_path, new_path;
  	struct inode *delegated_inode = NULL;
@@ -78615,7 +78343,7 @@ index ccb8000..02d506e 100644
  	int how = 0;
  	int error;
  
-@@ -3938,7 +4116,7 @@ retry:
+@@ -3939,7 +4116,7 @@ retry:
  	if (error)
  		return error;
  
@@ -78624,7 +78352,7 @@ index ccb8000..02d506e 100644
  					(how & LOOKUP_REVAL));
  	error = PTR_ERR(new_dentry);
  	if (IS_ERR(new_dentry))
-@@ -3950,11 +4128,28 @@ retry:
+@@ -3951,11 +4128,28 @@ retry:
  	error = may_linkat(&old_path);
  	if (unlikely(error))
  		goto out_dput;
@@ -78653,7 +78381,7 @@ index ccb8000..02d506e 100644
  	done_path_create(&new_path, new_dentry);
  	if (delegated_inode) {
  		error = break_deleg_wait(&delegated_inode);
-@@ -4241,6 +4436,20 @@ retry_deleg:
+@@ -4242,6 +4436,20 @@ retry_deleg:
  	if (new_dentry == trap)
  		goto exit5;
  
@@ -78674,7 +78402,7 @@ index ccb8000..02d506e 100644
  	error = security_path_rename(&oldnd.path, old_dentry,
  				     &newnd.path, new_dentry);
  	if (error)
-@@ -4248,6 +4457,9 @@ retry_deleg:
+@@ -4249,6 +4457,9 @@ retry_deleg:
  	error = vfs_rename(old_dir->d_inode, old_dentry,
  				   new_dir->d_inode, new_dentry,
  				   &delegated_inode);
@@ -78684,7 +78412,7 @@ index ccb8000..02d506e 100644
  exit5:
  	dput(new_dentry);
  exit4:
-@@ -4284,6 +4496,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -4285,6 +4496,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
  
  int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
  {
@@ -78693,7 +78421,7 @@ index ccb8000..02d506e 100644
  	int len;
  
  	len = PTR_ERR(link);
-@@ -4293,7 +4507,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -4294,7 +4507,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
  	len = strlen(link);
  	if (len > (unsigned) buflen)
  		len = buflen;
@@ -95995,7 +95723,7 @@ index 653589e..4ef254a 100644
  	return c | 0x20;
  }
 diff --git a/include/linux/dcache.h b/include/linux/dcache.h
-index 0f0eb1c..3c17a3d 100644
+index 2a23ecb..5116866 100644
 --- a/include/linux/dcache.h
 +++ b/include/linux/dcache.h
 @@ -123,6 +123,9 @@ struct dentry {
@@ -96017,7 +95745,7 @@ index 0f0eb1c..3c17a3d 100644
  
  /*
   * dentry->d_lock spinlock nesting subclasses:
-@@ -328,7 +331,8 @@ extern int d_validate(struct dentry *, struct dentry *);
+@@ -330,7 +333,8 @@ extern int d_validate(struct dentry *, struct dentry *);
  /*
   * helper function for dentry_operations.d_dname() members
   */
@@ -103483,10 +103211,10 @@ index 5bb8bfe..a38ec05 100644
  	mq_table.data = get_mq(table);
  
 diff --git a/ipc/mqueue.c b/ipc/mqueue.c
-index c3b3117..1efa933 100644
+index 9699d3f..8bf1694 100644
 --- a/ipc/mqueue.c
 +++ b/ipc/mqueue.c
-@@ -278,6 +278,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb,
+@@ -275,6 +275,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb,
  		mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
  					  info->attr.mq_msgsize);
  
@@ -108435,7 +108163,7 @@ index f964add..dcd823d 100644
  #define sched_class_highest (&stop_sched_class)
  #define for_each_class(class) \
 diff --git a/kernel/signal.c b/kernel/signal.c
-index 52f881d..1e9f941 100644
+index 15c22ee..e9acb02 100644
 --- a/kernel/signal.c
 +++ b/kernel/signal.c
 @@ -51,12 +51,12 @@ static struct kmem_cache *sigqueue_cachep;
@@ -108544,7 +108272,7 @@ index 52f881d..1e9f941 100644
  
  	return ret;
  }
-@@ -2926,7 +2949,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+@@ -2927,7 +2950,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
  	int error = -ESRCH;
  
  	rcu_read_lock();
@@ -108561,7 +108289,7 @@ index 52f881d..1e9f941 100644
  	if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
  		error = check_kill_permission(sig, info, p);
  		/*
-@@ -3239,8 +3270,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
+@@ -3240,8 +3271,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
  	}
  	seg = get_fs();
  	set_fs(KERNEL_DS);
diff --git a/3.14.50/4425_grsec_remove_EI_PAX.patch b/3.14.51/4425_grsec_remove_EI_PAX.patch
index a80a5d7..a80a5d7 100644
--- a/3.14.50/4425_grsec_remove_EI_PAX.patch
+++ b/3.14.51/4425_grsec_remove_EI_PAX.patch
diff --git a/3.14.50/4427_force_XATTR_PAX_tmpfs.patch b/3.14.51/4427_force_XATTR_PAX_tmpfs.patch
index 4c236cc..4c236cc 100644
--- a/3.14.50/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.14.51/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.14.50/4430_grsec-remove-localversion-grsec.patch b/3.14.51/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.14.50/4430_grsec-remove-localversion-grsec.patch
+++ b/3.14.51/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.14.50/4435_grsec-mute-warnings.patch b/3.14.51/4435_grsec-mute-warnings.patch
index 2c2d463..2c2d463 100644
--- a/3.14.50/4435_grsec-mute-warnings.patch
+++ b/3.14.51/4435_grsec-mute-warnings.patch
diff --git a/3.14.50/4440_grsec-remove-protected-paths.patch b/3.14.51/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.14.50/4440_grsec-remove-protected-paths.patch
+++ b/3.14.51/4440_grsec-remove-protected-paths.patch
diff --git a/3.14.50/4450_grsec-kconfig-default-gids.patch b/3.14.51/4450_grsec-kconfig-default-gids.patch
index b96defc..b96defc 100644
--- a/3.14.50/4450_grsec-kconfig-default-gids.patch
+++ b/3.14.51/4450_grsec-kconfig-default-gids.patch
diff --git a/3.14.50/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.51/4465_selinux-avc_audit-log-curr_ip.patch
index bba906e..bba906e 100644
--- a/3.14.50/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.14.51/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.14.50/4470_disable-compat_vdso.patch b/3.14.51/4470_disable-compat_vdso.patch
index 3b3953b..3b3953b 100644
--- a/3.14.50/4470_disable-compat_vdso.patch
+++ b/3.14.51/4470_disable-compat_vdso.patch
diff --git a/3.14.50/4475_emutramp_default_on.patch b/3.14.51/4475_emutramp_default_on.patch
index a128205..a128205 100644
--- a/3.14.50/4475_emutramp_default_on.patch
+++ b/3.14.51/4475_emutramp_default_on.patch
diff --git a/4.1.5/1004_linux-4.1.5.patch b/4.1.5/1004_linux-4.1.5.patch
deleted file mode 100644
index cb5d5d6..0000000
--- a/4.1.5/1004_linux-4.1.5.patch
+++ /dev/null
@@ -1,5750 +0,0 @@
-diff --git a/Documentation/hwmon/nct7904 b/Documentation/hwmon/nct7904
-index 014f112..57fffe3 100644
---- a/Documentation/hwmon/nct7904
-+++ b/Documentation/hwmon/nct7904
-@@ -35,11 +35,11 @@ temp1_input		Local temperature (1/1000 degree,
- temp[2-9]_input		CPU temperatures (1/1000 degree,
- 			0.125 degree resolution)
- 
--fan[1-4]_mode		R/W, 0/1 for manual or SmartFan mode
-+pwm[1-4]_enable		R/W, 1/2 for manual or SmartFan mode
- 			Setting SmartFan mode is supported only if it has been
- 			previously configured by BIOS (or configuration EEPROM)
- 
--fan[1-4]_pwm		R/O in SmartFan mode, R/W in manual control mode
-+pwm[1-4]		R/O in SmartFan mode, R/W in manual control mode
- 
- The driver checks sensor control registers and does not export the sensors
- that are not enabled. Anyway, a sensor that is enabled may actually be not
-diff --git a/Documentation/kbuild/makefiles.txt b/Documentation/kbuild/makefiles.txt
-index 74b6c6d..d2b1c40 100644
---- a/Documentation/kbuild/makefiles.txt
-+++ b/Documentation/kbuild/makefiles.txt
-@@ -952,6 +952,14 @@ When kbuild executes, the following steps are followed (roughly):
- 	$(KBUILD_ARFLAGS) set by the top level Makefile to "D" (deterministic
- 	mode) if this option is supported by $(AR).
- 
-+    ARCH_CPPFLAGS, ARCH_AFLAGS, ARCH_CFLAGS   Overrides the kbuild defaults
-+
-+	These variables are appended to the KBUILD_CPPFLAGS,
-+	KBUILD_AFLAGS, and KBUILD_CFLAGS, respectively, after the
-+	top-level Makefile has set any other flags. This provides a
-+	means for an architecture to override the defaults.
-+
-+
- --- 6.2 Add prerequisites to archheaders:
- 
- 	The archheaders: rule is used to generate header files that
-diff --git a/Makefile b/Makefile
-index 36f3225..068dd69 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 4
- PATCHLEVEL = 1
--SUBLEVEL = 4
-+SUBLEVEL = 5
- EXTRAVERSION =
- NAME = Series 4800
- 
-@@ -783,10 +783,11 @@ endif
- include scripts/Makefile.kasan
- include scripts/Makefile.extrawarn
- 
--# Add user supplied CPPFLAGS, AFLAGS and CFLAGS as the last assignments
--KBUILD_CPPFLAGS += $(KCPPFLAGS)
--KBUILD_AFLAGS += $(KAFLAGS)
--KBUILD_CFLAGS += $(KCFLAGS)
-+# Add any arch overrides and user supplied CPPFLAGS, AFLAGS and CFLAGS as the
-+# last assignments
-+KBUILD_CPPFLAGS += $(ARCH_CPPFLAGS) $(KCPPFLAGS)
-+KBUILD_AFLAGS   += $(ARCH_AFLAGS)   $(KAFLAGS)
-+KBUILD_CFLAGS   += $(ARCH_CFLAGS)   $(KCFLAGS)
- 
- # Use --build-id when available.
- LDFLAGS_BUILD_ID = $(patsubst -Wl$(comma)%,%,\
-diff --git a/arch/arc/Makefile b/arch/arc/Makefile
-index db72fec..2f21e1e 100644
---- a/arch/arc/Makefile
-+++ b/arch/arc/Makefile
-@@ -43,7 +43,8 @@ endif
- 
- ifndef CONFIG_CC_OPTIMIZE_FOR_SIZE
- # Generic build system uses -O2, we want -O3
--cflags-y  += -O3
-+# Note: No need to add to cflags-y as that happens anyways
-+ARCH_CFLAGS += -O3
- endif
- 
- # small data is default for elf32 tool-chain. If not usable, disable it
-diff --git a/arch/arc/include/asm/bitops.h b/arch/arc/include/asm/bitops.h
-index 624a9d0..dae03e6 100644
---- a/arch/arc/include/asm/bitops.h
-+++ b/arch/arc/include/asm/bitops.h
-@@ -18,83 +18,49 @@
- #include <linux/types.h>
- #include <linux/compiler.h>
- #include <asm/barrier.h>
-+#ifndef CONFIG_ARC_HAS_LLSC
-+#include <asm/smp.h>
-+#endif
- 
--/*
-- * Hardware assisted read-modify-write using ARC700 LLOCK/SCOND insns.
-- * The Kconfig glue ensures that in SMP, this is only set if the container
-- * SoC/platform has cross-core coherent LLOCK/SCOND
-- */
- #if defined(CONFIG_ARC_HAS_LLSC)
- 
--static inline void set_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned int temp;
--
--	m += nr >> 5;
--
--	/*
--	 * ARC ISA micro-optimization:
--	 *
--	 * Instructions dealing with bitpos only consider lower 5 bits (0-31)
--	 * e.g (x << 33) is handled like (x << 1) by ASL instruction
--	 *  (mem pointer still needs adjustment to point to next word)
--	 *
--	 * Hence the masking to clamp @nr arg can be elided in general.
--	 *
--	 * However if @nr is a constant (above assumed it in a register),
--	 * and greater than 31, gcc can optimize away (x << 33) to 0,
--	 * as overflow, given the 32-bit ISA. Thus masking needs to be done
--	 * for constant @nr, but no code is generated due to const prop.
--	 */
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	__asm__ __volatile__(
--	"1:	llock   %0, [%1]	\n"
--	"	bset    %0, %0, %2	\n"
--	"	scond   %0, [%1]	\n"
--	"	bnz     1b	\n"
--	: "=&r"(temp)
--	: "r"(m), "ir"(nr)
--	: "cc");
--}
--
--static inline void clear_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned int temp;
--
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	__asm__ __volatile__(
--	"1:	llock   %0, [%1]	\n"
--	"	bclr    %0, %0, %2	\n"
--	"	scond   %0, [%1]	\n"
--	"	bnz     1b	\n"
--	: "=&r"(temp)
--	: "r"(m), "ir"(nr)
--	: "cc");
--}
--
--static inline void change_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned int temp;
--
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
-+/*
-+ * Hardware assisted Atomic-R-M-W
-+ */
- 
--	__asm__ __volatile__(
--	"1:	llock   %0, [%1]	\n"
--	"	bxor    %0, %0, %2	\n"
--	"	scond   %0, [%1]	\n"
--	"	bnz     1b		\n"
--	: "=&r"(temp)
--	: "r"(m), "ir"(nr)
--	: "cc");
-+#define BIT_OP(op, c_op, asm_op)					\
-+static inline void op##_bit(unsigned long nr, volatile unsigned long *m)\
-+{									\
-+	unsigned int temp;						\
-+									\
-+	m += nr >> 5;							\
-+									\
-+	/*								\
-+	 * ARC ISA micro-optimization:					\
-+	 *								\
-+	 * Instructions dealing with bitpos only consider lower 5 bits	\
-+	 * e.g (x << 33) is handled like (x << 1) by ASL instruction	\
-+	 *  (mem pointer still needs adjustment to point to next word)	\
-+	 *								\
-+	 * Hence the masking to clamp @nr arg can be elided in general.	\
-+	 *								\
-+	 * However if @nr is a constant (above assumed in a register),	\
-+	 * and greater than 31, gcc can optimize away (x << 33) to 0,	\
-+	 * as overflow, given the 32-bit ISA. Thus masking needs to be	\
-+	 * done for const @nr, but no code is generated due to gcc	\
-+	 * const prop.							\
-+	 */								\
-+	nr &= 0x1f;							\
-+									\
-+	__asm__ __volatile__(						\
-+	"1:	llock       %0, [%1]		\n"			\
-+	"	" #asm_op " %0, %0, %2	\n"				\
-+	"	scond       %0, [%1]		\n"			\
-+	"	bnz         1b			\n"			\
-+	: "=&r"(temp)	/* Early clobber, to prevent reg reuse */	\
-+	: "r"(m),	/* Not "m": llock only supports reg direct addr mode */	\
-+	  "ir"(nr)							\
-+	: "cc");							\
- }
- 
- /*
-@@ -108,91 +74,37 @@ static inline void change_bit(unsigned long nr, volatile unsigned long *m)
-  * Since ARC lacks a equivalent h/w primitive, the bit is set unconditionally
-  * and the old value of bit is returned
-  */
--static inline int test_and_set_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long old, temp;
--
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	/*
--	 * Explicit full memory barrier needed before/after as
--	 * LLOCK/SCOND themselves don't provide any such semantics
--	 */
--	smp_mb();
--
--	__asm__ __volatile__(
--	"1:	llock   %0, [%2]	\n"
--	"	bset    %1, %0, %3	\n"
--	"	scond   %1, [%2]	\n"
--	"	bnz     1b		\n"
--	: "=&r"(old), "=&r"(temp)
--	: "r"(m), "ir"(nr)
--	: "cc");
--
--	smp_mb();
--
--	return (old & (1 << nr)) != 0;
--}
--
--static inline int
--test_and_clear_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned int old, temp;
--
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	smp_mb();
--
--	__asm__ __volatile__(
--	"1:	llock   %0, [%2]	\n"
--	"	bclr    %1, %0, %3	\n"
--	"	scond   %1, [%2]	\n"
--	"	bnz     1b		\n"
--	: "=&r"(old), "=&r"(temp)
--	: "r"(m), "ir"(nr)
--	: "cc");
--
--	smp_mb();
--
--	return (old & (1 << nr)) != 0;
--}
--
--static inline int
--test_and_change_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned int old, temp;
--
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	smp_mb();
--
--	__asm__ __volatile__(
--	"1:	llock   %0, [%2]	\n"
--	"	bxor    %1, %0, %3	\n"
--	"	scond   %1, [%2]	\n"
--	"	bnz     1b		\n"
--	: "=&r"(old), "=&r"(temp)
--	: "r"(m), "ir"(nr)
--	: "cc");
--
--	smp_mb();
--
--	return (old & (1 << nr)) != 0;
-+#define TEST_N_BIT_OP(op, c_op, asm_op)					\
-+static inline int test_and_##op##_bit(unsigned long nr, volatile unsigned long *m)\
-+{									\
-+	unsigned long old, temp;					\
-+									\
-+	m += nr >> 5;							\
-+									\
-+	nr &= 0x1f;							\
-+									\
-+	/*								\
-+	 * Explicit full memory barrier needed before/after as		\
-+	 * LLOCK/SCOND themselves don't provide any such smenatic	\
-+	 */								\
-+	smp_mb();							\
-+									\
-+	__asm__ __volatile__(						\
-+	"1:	llock       %0, [%2]	\n"				\
-+	"	" #asm_op " %1, %0, %3	\n"				\
-+	"	scond       %1, [%2]	\n"				\
-+	"	bnz         1b		\n"				\
-+	: "=&r"(old), "=&r"(temp)					\
-+	: "r"(m), "ir"(nr)						\
-+	: "cc");							\
-+									\
-+	smp_mb();							\
-+									\
-+	return (old & (1 << nr)) != 0;					\
- }
- 
- #else	/* !CONFIG_ARC_HAS_LLSC */
- 
--#include <asm/smp.h>
--
- /*
-  * Non hardware assisted Atomic-R-M-W
-  * Locking would change to irq-disabling only (UP) and spinlocks (SMP)
-@@ -209,111 +121,37 @@ test_and_change_bit(unsigned long nr, volatile unsigned long *m)
-  *             at compile time)
-  */
- 
--static inline void set_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long temp, flags;
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	bitops_lock(flags);
--
--	temp = *m;
--	*m = temp | (1UL << nr);
--
--	bitops_unlock(flags);
-+#define BIT_OP(op, c_op, asm_op)					\
-+static inline void op##_bit(unsigned long nr, volatile unsigned long *m)\
-+{									\
-+	unsigned long temp, flags;					\
-+	m += nr >> 5;							\
-+									\
-+	/*								\
-+	 * spin lock/unlock provide the needed smp_mb() before/after	\
-+	 */								\
-+	bitops_lock(flags);						\
-+									\
-+	temp = *m;							\
-+	*m = temp c_op (1UL << (nr & 0x1f));					\
-+									\
-+	bitops_unlock(flags);						\
- }
- 
--static inline void clear_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long temp, flags;
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	bitops_lock(flags);
--
--	temp = *m;
--	*m = temp & ~(1UL << nr);
--
--	bitops_unlock(flags);
--}
--
--static inline void change_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long temp, flags;
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	bitops_lock(flags);
--
--	temp = *m;
--	*m = temp ^ (1UL << nr);
--
--	bitops_unlock(flags);
--}
--
--static inline int test_and_set_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long old, flags;
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	/*
--	 * spin lock/unlock provide the needed smp_mb() before/after
--	 */
--	bitops_lock(flags);
--
--	old = *m;
--	*m = old | (1 << nr);
--
--	bitops_unlock(flags);
--
--	return (old & (1 << nr)) != 0;
--}
--
--static inline int
--test_and_clear_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long old, flags;
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	bitops_lock(flags);
--
--	old = *m;
--	*m = old & ~(1 << nr);
--
--	bitops_unlock(flags);
--
--	return (old & (1 << nr)) != 0;
--}
--
--static inline int
--test_and_change_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long old, flags;
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	bitops_lock(flags);
--
--	old = *m;
--	*m = old ^ (1 << nr);
--
--	bitops_unlock(flags);
--
--	return (old & (1 << nr)) != 0;
-+#define TEST_N_BIT_OP(op, c_op, asm_op)					\
-+static inline int test_and_##op##_bit(unsigned long nr, volatile unsigned long *m)\
-+{									\
-+	unsigned long old, flags;					\
-+	m += nr >> 5;							\
-+									\
-+	bitops_lock(flags);						\
-+									\
-+	old = *m;							\
-+	*m = old c_op (1UL << (nr & 0x1f));				\
-+									\
-+	bitops_unlock(flags);						\
-+									\
-+	return (old & (1UL << (nr & 0x1f))) != 0;			\
- }
- 
- #endif /* CONFIG_ARC_HAS_LLSC */
-@@ -322,86 +160,45 @@ test_and_change_bit(unsigned long nr, volatile unsigned long *m)
-  * Non atomic variants
-  **************************************/
- 
--static inline void __set_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long temp;
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	temp = *m;
--	*m = temp | (1UL << nr);
-+#define __BIT_OP(op, c_op, asm_op)					\
-+static inline void __##op##_bit(unsigned long nr, volatile unsigned long *m)	\
-+{									\
-+	unsigned long temp;						\
-+	m += nr >> 5;							\
-+									\
-+	temp = *m;							\
-+	*m = temp c_op (1UL << (nr & 0x1f));				\
- }
- 
--static inline void __clear_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long temp;
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	temp = *m;
--	*m = temp & ~(1UL << nr);
-+#define __TEST_N_BIT_OP(op, c_op, asm_op)				\
-+static inline int __test_and_##op##_bit(unsigned long nr, volatile unsigned long *m)\
-+{									\
-+	unsigned long old;						\
-+	m += nr >> 5;							\
-+									\
-+	old = *m;							\
-+	*m = old c_op (1UL << (nr & 0x1f));				\
-+									\
-+	return (old & (1UL << (nr & 0x1f))) != 0;			\
- }
- 
--static inline void __change_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long temp;
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	temp = *m;
--	*m = temp ^ (1UL << nr);
--}
--
--static inline int
--__test_and_set_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long old;
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	old = *m;
--	*m = old | (1 << nr);
--
--	return (old & (1 << nr)) != 0;
--}
--
--static inline int
--__test_and_clear_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long old;
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	old = *m;
--	*m = old & ~(1 << nr);
--
--	return (old & (1 << nr)) != 0;
--}
--
--static inline int
--__test_and_change_bit(unsigned long nr, volatile unsigned long *m)
--{
--	unsigned long old;
--	m += nr >> 5;
--
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	old = *m;
--	*m = old ^ (1 << nr);
--
--	return (old & (1 << nr)) != 0;
--}
-+#define BIT_OPS(op, c_op, asm_op)					\
-+									\
-+	/* set_bit(), clear_bit(), change_bit() */			\
-+	BIT_OP(op, c_op, asm_op)					\
-+									\
-+	/* test_and_set_bit(), test_and_clear_bit(), test_and_change_bit() */\
-+	TEST_N_BIT_OP(op, c_op, asm_op)					\
-+									\
-+	/* __set_bit(), __clear_bit(), __change_bit() */		\
-+	__BIT_OP(op, c_op, asm_op)					\
-+									\
-+	/* __test_and_set_bit(), __test_and_clear_bit(), __test_and_change_bit() */\
-+	__TEST_N_BIT_OP(op, c_op, asm_op)
-+
-+BIT_OPS(set, |, bset)
-+BIT_OPS(clear, & ~, bclr)
-+BIT_OPS(change, ^, bxor)
- 
- /*
-  * This routine doesn't need to be atomic.
-@@ -413,10 +210,7 @@ test_bit(unsigned int nr, const volatile unsigned long *addr)
- 
- 	addr += nr >> 5;
- 
--	if (__builtin_constant_p(nr))
--		nr &= 0x1f;
--
--	mask = 1 << nr;
-+	mask = 1UL << (nr & 0x1f);
- 
- 	return ((mask & *addr) != 0);
- }
-diff --git a/arch/arc/include/asm/ptrace.h b/arch/arc/include/asm/ptrace.h
-index 1bfeec2..2a58af7 100644
---- a/arch/arc/include/asm/ptrace.h
-+++ b/arch/arc/include/asm/ptrace.h
-@@ -63,7 +63,7 @@ struct callee_regs {
- 	long r25, r24, r23, r22, r21, r20, r19, r18, r17, r16, r15, r14, r13;
- };
- 
--#define instruction_pointer(regs)	((regs)->ret)
-+#define instruction_pointer(regs)	(unsigned long)((regs)->ret)
- #define profile_pc(regs)		instruction_pointer(regs)
- 
- /* return 1 if user mode or 0 if kernel mode */
-diff --git a/arch/arm/boot/dts/am57xx-beagle-x15.dts b/arch/arm/boot/dts/am57xx-beagle-x15.dts
-index 7128fad..c9df40e 100644
---- a/arch/arm/boot/dts/am57xx-beagle-x15.dts
-+++ b/arch/arm/boot/dts/am57xx-beagle-x15.dts
-@@ -544,6 +544,10 @@
- 	phy-supply = <&ldousb_reg>;
- };
- 
-+&usb2_phy2 {
-+	phy-supply = <&ldousb_reg>;
-+};
-+
- &usb1 {
- 	dr_mode = "host";
- 	pinctrl-names = "default";
-diff --git a/arch/arm/boot/dts/dra7-evm.dts b/arch/arm/boot/dts/dra7-evm.dts
-index aa46590..096f68b 100644
---- a/arch/arm/boot/dts/dra7-evm.dts
-+++ b/arch/arm/boot/dts/dra7-evm.dts
-@@ -686,7 +686,8 @@
- 
- &dcan1 {
- 	status = "ok";
--	pinctrl-names = "default", "sleep";
--	pinctrl-0 = <&dcan1_pins_default>;
-+	pinctrl-names = "default", "sleep", "active";
-+	pinctrl-0 = <&dcan1_pins_sleep>;
- 	pinctrl-1 = <&dcan1_pins_sleep>;
-+	pinctrl-2 = <&dcan1_pins_default>;
- };
-diff --git a/arch/arm/boot/dts/dra72-evm.dts b/arch/arm/boot/dts/dra72-evm.dts
-index ce0390f..6b05f6a 100644
---- a/arch/arm/boot/dts/dra72-evm.dts
-+++ b/arch/arm/boot/dts/dra72-evm.dts
-@@ -497,9 +497,10 @@
- 
- &dcan1 {
- 	status = "ok";
--	pinctrl-names = "default", "sleep";
--	pinctrl-0 = <&dcan1_pins_default>;
-+	pinctrl-names = "default", "sleep", "active";
-+	pinctrl-0 = <&dcan1_pins_sleep>;
- 	pinctrl-1 = <&dcan1_pins_sleep>;
-+	pinctrl-2 = <&dcan1_pins_default>;
- };
- 
- &qspi {
-diff --git a/arch/arm/mach-imx/gpc.c b/arch/arm/mach-imx/gpc.c
-index 6d0893a..78b6fd0 100644
---- a/arch/arm/mach-imx/gpc.c
-+++ b/arch/arm/mach-imx/gpc.c
-@@ -291,8 +291,6 @@ void __init imx_gpc_check_dt(void)
- 	}
- }
- 
--#ifdef CONFIG_PM_GENERIC_DOMAINS
--
- static void _imx6q_pm_pu_power_off(struct generic_pm_domain *genpd)
- {
- 	int iso, iso2sw;
-@@ -399,7 +397,6 @@ static struct genpd_onecell_data imx_gpc_onecell_data = {
- static int imx_gpc_genpd_init(struct device *dev, struct regulator *pu_reg)
- {
- 	struct clk *clk;
--	bool is_off;
- 	int i;
- 
- 	imx6q_pu_domain.reg = pu_reg;
-@@ -416,18 +413,13 @@ static int imx_gpc_genpd_init(struct device *dev, struct regulator *pu_reg)
- 	}
- 	imx6q_pu_domain.num_clks = i;
- 
--	is_off = IS_ENABLED(CONFIG_PM);
--	if (is_off) {
--		_imx6q_pm_pu_power_off(&imx6q_pu_domain.base);
--	} else {
--		/*
--		 * Enable power if compiled without CONFIG_PM in case the
--		 * bootloader disabled it.
--		 */
--		imx6q_pm_pu_power_on(&imx6q_pu_domain.base);
--	}
-+	/* Enable power always in case bootloader disabled it. */
-+	imx6q_pm_pu_power_on(&imx6q_pu_domain.base);
-+
-+	if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS))
-+		return 0;
- 
--	pm_genpd_init(&imx6q_pu_domain.base, NULL, is_off);
-+	pm_genpd_init(&imx6q_pu_domain.base, NULL, false);
- 	return of_genpd_add_provider_onecell(dev->of_node,
- 					     &imx_gpc_onecell_data);
- 
-@@ -437,13 +429,6 @@ clk_err:
- 	return -EINVAL;
- }
- 
--#else
--static inline int imx_gpc_genpd_init(struct device *dev, struct regulator *reg)
--{
--	return 0;
--}
--#endif /* CONFIG_PM_GENERIC_DOMAINS */
--
- static int imx_gpc_probe(struct platform_device *pdev)
- {
- 	struct regulator *pu_reg;
-diff --git a/arch/arm/mach-pxa/capc7117.c b/arch/arm/mach-pxa/capc7117.c
-index c092730..bf366b3 100644
---- a/arch/arm/mach-pxa/capc7117.c
-+++ b/arch/arm/mach-pxa/capc7117.c
-@@ -24,6 +24,7 @@
- #include <linux/ata_platform.h>
- #include <linux/serial_8250.h>
- #include <linux/gpio.h>
-+#include <linux/regulator/machine.h>
- 
- #include <asm/mach-types.h>
- #include <asm/mach/arch.h>
-@@ -144,6 +145,8 @@ static void __init capc7117_init(void)
- 
- 	capc7117_uarts_init();
- 	capc7117_ide_init();
-+
-+	regulator_has_full_constraints();
- }
- 
- MACHINE_START(CAPC7117,
-diff --git a/arch/arm/mach-pxa/cm-x2xx.c b/arch/arm/mach-pxa/cm-x2xx.c
-index bb99f59..a17a91e 100644
---- a/arch/arm/mach-pxa/cm-x2xx.c
-+++ b/arch/arm/mach-pxa/cm-x2xx.c
-@@ -13,6 +13,7 @@
- #include <linux/syscore_ops.h>
- #include <linux/irq.h>
- #include <linux/gpio.h>
-+#include <linux/regulator/machine.h>
- 
- #include <linux/dm9000.h>
- #include <linux/leds.h>
-@@ -466,6 +467,8 @@ static void __init cmx2xx_init(void)
- 	cmx2xx_init_ac97();
- 	cmx2xx_init_touchscreen();
- 	cmx2xx_init_leds();
-+
-+	regulator_has_full_constraints();
- }
- 
- static void __init cmx2xx_init_irq(void)
-diff --git a/arch/arm/mach-pxa/cm-x300.c b/arch/arm/mach-pxa/cm-x300.c
-index 4d3588d..5851f4c 100644
---- a/arch/arm/mach-pxa/cm-x300.c
-+++ b/arch/arm/mach-pxa/cm-x300.c
-@@ -835,6 +835,8 @@ static void __init cm_x300_init(void)
- 	cm_x300_init_ac97();
- 	cm_x300_init_wi2wi();
- 	cm_x300_init_bl();
-+
-+	regulator_has_full_constraints();
- }
- 
- static void __init cm_x300_fixup(struct tag *tags, char **cmdline)
-diff --git a/arch/arm/mach-pxa/colibri-pxa270.c b/arch/arm/mach-pxa/colibri-pxa270.c
-index 5f9d930..3503826 100644
---- a/arch/arm/mach-pxa/colibri-pxa270.c
-+++ b/arch/arm/mach-pxa/colibri-pxa270.c
-@@ -18,6 +18,7 @@
- #include <linux/mtd/partitions.h>
- #include <linux/mtd/physmap.h>
- #include <linux/platform_device.h>
-+#include <linux/regulator/machine.h>
- #include <linux/ucb1400.h>
- 
- #include <asm/mach/arch.h>
-@@ -294,6 +295,8 @@ static void __init colibri_pxa270_init(void)
- 		printk(KERN_ERR "Illegal colibri_pxa270_baseboard type %d\n",
- 				colibri_pxa270_baseboard);
- 	}
-+
-+	regulator_has_full_constraints();
- }
- 
- /* The "Income s.r.o. SH-Dmaster PXA270 SBC" board can be booted either
-diff --git a/arch/arm/mach-pxa/em-x270.c b/arch/arm/mach-pxa/em-x270.c
-index 51531ec..9d7072b 100644
---- a/arch/arm/mach-pxa/em-x270.c
-+++ b/arch/arm/mach-pxa/em-x270.c
-@@ -1306,6 +1306,8 @@ static void __init em_x270_init(void)
- 	em_x270_init_i2c();
- 	em_x270_init_camera();
- 	em_x270_userspace_consumers_init();
-+
-+	regulator_has_full_constraints();
- }
- 
- MACHINE_START(EM_X270, "Compulab EM-X270")
-diff --git a/arch/arm/mach-pxa/icontrol.c b/arch/arm/mach-pxa/icontrol.c
-index c98511c..9b0eb02 100644
---- a/arch/arm/mach-pxa/icontrol.c
-+++ b/arch/arm/mach-pxa/icontrol.c
-@@ -26,6 +26,7 @@
- #include <linux/spi/spi.h>
- #include <linux/spi/pxa2xx_spi.h>
- #include <linux/can/platform/mcp251x.h>
-+#include <linux/regulator/machine.h>
- 
- #include "generic.h"
- 
-@@ -185,6 +186,8 @@ static void __init icontrol_init(void)
- 	mxm_8x10_mmc_init();
- 
- 	icontrol_can_init();
-+
-+	regulator_has_full_constraints();
- }
- 
- MACHINE_START(ICONTROL, "iControl/SafeTcam boards using Embedian MXM-8x10 CoM")
-diff --git a/arch/arm/mach-pxa/trizeps4.c b/arch/arm/mach-pxa/trizeps4.c
-index 872dcb2..066e3a2 100644
---- a/arch/arm/mach-pxa/trizeps4.c
-+++ b/arch/arm/mach-pxa/trizeps4.c
-@@ -26,6 +26,7 @@
- #include <linux/dm9000.h>
- #include <linux/mtd/physmap.h>
- #include <linux/mtd/partitions.h>
-+#include <linux/regulator/machine.h>
- #include <linux/i2c/pxa-i2c.h>
- 
- #include <asm/types.h>
-@@ -534,6 +535,8 @@ static void __init trizeps4_init(void)
- 
- 	BCR_writew(trizeps_conxs_bcr);
- 	board_backlight_power(1);
-+
-+	regulator_has_full_constraints();
- }
- 
- static void __init trizeps4_map_io(void)
-diff --git a/arch/arm/mach-pxa/vpac270.c b/arch/arm/mach-pxa/vpac270.c
-index aa89488..54122a9 100644
---- a/arch/arm/mach-pxa/vpac270.c
-+++ b/arch/arm/mach-pxa/vpac270.c
-@@ -24,6 +24,7 @@
- #include <linux/dm9000.h>
- #include <linux/ucb1400.h>
- #include <linux/ata_platform.h>
-+#include <linux/regulator/machine.h>
- #include <linux/regulator/max1586.h>
- #include <linux/i2c/pxa-i2c.h>
- 
-@@ -711,6 +712,8 @@ static void __init vpac270_init(void)
- 	vpac270_ts_init();
- 	vpac270_rtc_init();
- 	vpac270_ide_init();
-+
-+	regulator_has_full_constraints();
- }
- 
- MACHINE_START(VPAC270, "Voipac PXA270")
-diff --git a/arch/arm/mach-pxa/zeus.c b/arch/arm/mach-pxa/zeus.c
-index ac2ae5c..6158566f 100644
---- a/arch/arm/mach-pxa/zeus.c
-+++ b/arch/arm/mach-pxa/zeus.c
-@@ -868,6 +868,8 @@ static void __init zeus_init(void)
- 	i2c_register_board_info(0, ARRAY_AND_SIZE(zeus_i2c_devices));
- 	pxa2xx_set_spi_info(3, &pxa2xx_spi_ssp3_master_info);
- 	spi_register_board_info(zeus_spi_board_info, ARRAY_SIZE(zeus_spi_board_info));
-+
-+	regulator_has_full_constraints();
- }
- 
- static struct map_desc zeus_io_desc[] __initdata = {
-diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
-index 7e7583d..6e4b9ff 100644
---- a/arch/arm/mm/dma-mapping.c
-+++ b/arch/arm/mm/dma-mapping.c
-@@ -1953,7 +1953,7 @@ static int extend_iommu_mapping(struct dma_iommu_mapping *mapping)
- {
- 	int next_bitmap;
- 
--	if (mapping->nr_bitmaps > mapping->extensions)
-+	if (mapping->nr_bitmaps >= mapping->extensions)
- 		return -EINVAL;
- 
- 	next_bitmap = mapping->nr_bitmaps;
-diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c
-index ab21e0d..352962b 100644
---- a/arch/arm64/kernel/efi.c
-+++ b/arch/arm64/kernel/efi.c
-@@ -122,12 +122,12 @@ static int __init uefi_init(void)
- 
- 	/* Show what we know for posterity */
- 	c16 = early_memremap(efi_to_phys(efi.systab->fw_vendor),
--			     sizeof(vendor));
-+			     sizeof(vendor) * sizeof(efi_char16_t));
- 	if (c16) {
- 		for (i = 0; i < (int) sizeof(vendor) - 1 && *c16; ++i)
- 			vendor[i] = c16[i];
- 		vendor[i] = '\0';
--		early_memunmap(c16, sizeof(vendor));
-+		early_memunmap(c16, sizeof(vendor) * sizeof(efi_char16_t));
- 	}
- 
- 	pr_info("EFI v%u.%.02u by %s\n",
-diff --git a/arch/avr32/mach-at32ap/clock.c b/arch/avr32/mach-at32ap/clock.c
-index 23b1a97..52c179b 100644
---- a/arch/avr32/mach-at32ap/clock.c
-+++ b/arch/avr32/mach-at32ap/clock.c
-@@ -80,6 +80,9 @@ int clk_enable(struct clk *clk)
- {
- 	unsigned long flags;
- 
-+	if (!clk)
-+		return 0;
-+
- 	spin_lock_irqsave(&clk_lock, flags);
- 	__clk_enable(clk);
- 	spin_unlock_irqrestore(&clk_lock, flags);
-@@ -106,6 +109,9 @@ void clk_disable(struct clk *clk)
- {
- 	unsigned long flags;
- 
-+	if (IS_ERR_OR_NULL(clk))
-+		return;
-+
- 	spin_lock_irqsave(&clk_lock, flags);
- 	__clk_disable(clk);
- 	spin_unlock_irqrestore(&clk_lock, flags);
-@@ -117,6 +123,9 @@ unsigned long clk_get_rate(struct clk *clk)
- 	unsigned long flags;
- 	unsigned long rate;
- 
-+	if (!clk)
-+		return 0;
-+
- 	spin_lock_irqsave(&clk_lock, flags);
- 	rate = clk->get_rate(clk);
- 	spin_unlock_irqrestore(&clk_lock, flags);
-@@ -129,6 +138,9 @@ long clk_round_rate(struct clk *clk, unsigned long rate)
- {
- 	unsigned long flags, actual_rate;
- 
-+	if (!clk)
-+		return 0;
-+
- 	if (!clk->set_rate)
- 		return -ENOSYS;
- 
-@@ -145,6 +157,9 @@ int clk_set_rate(struct clk *clk, unsigned long rate)
- 	unsigned long flags;
- 	long ret;
- 
-+	if (!clk)
-+		return 0;
-+
- 	if (!clk->set_rate)
- 		return -ENOSYS;
- 
-@@ -161,6 +176,9 @@ int clk_set_parent(struct clk *clk, struct clk *parent)
- 	unsigned long flags;
- 	int ret;
- 
-+	if (!clk)
-+		return 0;
-+
- 	if (!clk->set_parent)
- 		return -ENOSYS;
- 
-@@ -174,7 +192,7 @@ EXPORT_SYMBOL(clk_set_parent);
- 
- struct clk *clk_get_parent(struct clk *clk)
- {
--	return clk->parent;
-+	return !clk ? NULL : clk->parent;
- }
- EXPORT_SYMBOL(clk_get_parent);
- 
-diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
-index f501665..a3b1ffe 100644
---- a/arch/mips/Kconfig
-+++ b/arch/mips/Kconfig
-@@ -1417,6 +1417,7 @@ config CPU_MIPS64_R6
- 	select CPU_SUPPORTS_HIGHMEM
- 	select CPU_SUPPORTS_MSA
- 	select GENERIC_CSUM
-+	select MIPS_O32_FP64_SUPPORT if MIPS32_O32
- 	help
- 	  Choose this option to build a kernel for release 6 or later of the
- 	  MIPS64 architecture.  New MIPS processors, starting with the Warrior
-diff --git a/arch/mips/include/asm/fpu.h b/arch/mips/include/asm/fpu.h
-index 084780b..1b06251 100644
---- a/arch/mips/include/asm/fpu.h
-+++ b/arch/mips/include/asm/fpu.h
-@@ -74,7 +74,7 @@ static inline int __enable_fpu(enum fpu_mode mode)
- 		goto fr_common;
- 
- 	case FPU_64BIT:
--#if !(defined(CONFIG_CPU_MIPS32_R2) || defined(CONFIG_CPU_MIPS32_R6) \
-+#if !(defined(CONFIG_CPU_MIPSR2) || defined(CONFIG_CPU_MIPSR6) \
-       || defined(CONFIG_64BIT))
- 		/* we only have a 32-bit FPU */
- 		return SIGFPE;
-diff --git a/arch/mips/include/asm/smp.h b/arch/mips/include/asm/smp.h
-index 2b25d1b..16f1ea9 100644
---- a/arch/mips/include/asm/smp.h
-+++ b/arch/mips/include/asm/smp.h
-@@ -23,6 +23,7 @@
- extern int smp_num_siblings;
- extern cpumask_t cpu_sibling_map[];
- extern cpumask_t cpu_core_map[];
-+extern cpumask_t cpu_foreign_map;
- 
- #define raw_smp_processor_id() (current_thread_info()->cpu)
- 
-diff --git a/arch/mips/kernel/smp.c b/arch/mips/kernel/smp.c
-index faa46eb..d0744cc 100644
---- a/arch/mips/kernel/smp.c
-+++ b/arch/mips/kernel/smp.c
-@@ -63,6 +63,13 @@ EXPORT_SYMBOL(cpu_sibling_map);
- cpumask_t cpu_core_map[NR_CPUS] __read_mostly;
- EXPORT_SYMBOL(cpu_core_map);
- 
-+/*
-+ * A logcal cpu mask containing only one VPE per core to
-+ * reduce the number of IPIs on large MT systems.
-+ */
-+cpumask_t cpu_foreign_map __read_mostly;
-+EXPORT_SYMBOL(cpu_foreign_map);
-+
- /* representing cpus for which sibling maps can be computed */
- static cpumask_t cpu_sibling_setup_map;
- 
-@@ -103,6 +110,29 @@ static inline void set_cpu_core_map(int cpu)
- 	}
- }
- 
-+/*
-+ * Calculate a new cpu_foreign_map mask whenever a
-+ * new cpu appears or disappears.
-+ */
-+static inline void calculate_cpu_foreign_map(void)
-+{
-+	int i, k, core_present;
-+	cpumask_t temp_foreign_map;
-+
-+	/* Re-calculate the mask */
-+	for_each_online_cpu(i) {
-+		core_present = 0;
-+		for_each_cpu(k, &temp_foreign_map)
-+			if (cpu_data[i].package == cpu_data[k].package &&
-+			    cpu_data[i].core == cpu_data[k].core)
-+				core_present = 1;
-+		if (!core_present)
-+			cpumask_set_cpu(i, &temp_foreign_map);
-+	}
-+
-+	cpumask_copy(&cpu_foreign_map, &temp_foreign_map);
-+}
-+
- struct plat_smp_ops *mp_ops;
- EXPORT_SYMBOL(mp_ops);
- 
-@@ -146,6 +176,8 @@ asmlinkage void start_secondary(void)
- 	set_cpu_sibling_map(cpu);
- 	set_cpu_core_map(cpu);
- 
-+	calculate_cpu_foreign_map();
-+
- 	cpumask_set_cpu(cpu, &cpu_callin_map);
- 
- 	synchronise_count_slave(cpu);
-@@ -173,9 +205,18 @@ void __irq_entry smp_call_function_interrupt(void)
- static void stop_this_cpu(void *dummy)
- {
- 	/*
--	 * Remove this CPU:
-+	 * Remove this CPU. Be a bit slow here and
-+	 * set the bits for every online CPU so we don't miss
-+	 * any IPI whilst taking this VPE down.
- 	 */
-+
-+	cpumask_copy(&cpu_foreign_map, cpu_online_mask);
-+
-+	/* Make it visible to every other CPU */
-+	smp_mb();
-+
- 	set_cpu_online(smp_processor_id(), false);
-+	calculate_cpu_foreign_map();
- 	local_irq_disable();
- 	while (1);
- }
-@@ -197,6 +238,7 @@ void __init smp_prepare_cpus(unsigned int max_cpus)
- 	mp_ops->prepare_cpus(max_cpus);
- 	set_cpu_sibling_map(0);
- 	set_cpu_core_map(0);
-+	calculate_cpu_foreign_map();
- #ifndef CONFIG_HOTPLUG_CPU
- 	init_cpu_present(cpu_possible_mask);
- #endif
-diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c
-index 22b9b2c..6983fcd 100644
---- a/arch/mips/math-emu/cp1emu.c
-+++ b/arch/mips/math-emu/cp1emu.c
-@@ -451,7 +451,7 @@ static int isBranchInstr(struct pt_regs *regs, struct mm_decoded_insn dec_insn,
- 			/* Fall through */
- 		case jr_op:
- 			/* For R6, JR already emulated in jalr_op */
--			if (NO_R6EMU && insn.r_format.opcode == jr_op)
-+			if (NO_R6EMU && insn.r_format.func == jr_op)
- 				break;
- 			*contpc = regs->regs[insn.r_format.rs];
- 			return 1;
-diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c
-index 2e03ab1..dca0efc 100644
---- a/arch/mips/mm/c-r4k.c
-+++ b/arch/mips/mm/c-r4k.c
-@@ -37,6 +37,7 @@
- #include <asm/cacheflush.h> /* for run_uncached() */
- #include <asm/traps.h>
- #include <asm/dma-coherence.h>
-+#include <asm/mips-cm.h>
- 
- /*
-  * Special Variant of smp_call_function for use by cache functions:
-@@ -51,9 +52,16 @@ static inline void r4k_on_each_cpu(void (*func) (void *info), void *info)
- {
- 	preempt_disable();
- 
--#ifndef CONFIG_MIPS_MT_SMP
--	smp_call_function(func, info, 1);
--#endif
-+	/*
-+	 * The Coherent Manager propagates address-based cache ops to other
-+	 * cores but not index-based ops. However, r4k_on_each_cpu is used
-+	 * in both cases so there is no easy way to tell what kind of op is
-+	 * executed to the other cores. The best we can probably do is
-+	 * to restrict that call when a CM is not present because both
-+	 * CM-based SMP protocols (CMP & CPS) restrict index-based cache ops.
-+	 */
-+	if (!mips_cm_present())
-+		smp_call_function_many(&cpu_foreign_map, func, info, 1);
- 	func(info);
- 	preempt_enable();
- }
-diff --git a/arch/parisc/include/asm/pgalloc.h b/arch/parisc/include/asm/pgalloc.h
-index 3a08eae..3edbb9f 100644
---- a/arch/parisc/include/asm/pgalloc.h
-+++ b/arch/parisc/include/asm/pgalloc.h
-@@ -72,7 +72,7 @@ static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address)
- 
- static inline void pmd_free(struct mm_struct *mm, pmd_t *pmd)
- {
--	if(pmd_flag(*pmd) & PxD_FLAG_ATTACHED)
-+	if (pmd_flag(*pmd) & PxD_FLAG_ATTACHED) {
- 		/*
- 		 * This is the permanent pmd attached to the pgd;
- 		 * cannot free it.
-@@ -81,6 +81,7 @@ static inline void pmd_free(struct mm_struct *mm, pmd_t *pmd)
- 		 */
- 		mm_inc_nr_pmds(mm);
- 		return;
-+	}
- 	free_pages((unsigned long)pmd, PMD_ORDER);
- }
- 
-diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
-index 0a18375..f93c4a4 100644
---- a/arch/parisc/include/asm/pgtable.h
-+++ b/arch/parisc/include/asm/pgtable.h
-@@ -16,7 +16,7 @@
- #include <asm/processor.h>
- #include <asm/cache.h>
- 
--extern spinlock_t pa_dbit_lock;
-+extern spinlock_t pa_tlb_lock;
- 
- /*
-  * kern_addr_valid(ADDR) tests if ADDR is pointing to valid kernel
-@@ -33,6 +33,19 @@ extern spinlock_t pa_dbit_lock;
-  */
- #define kern_addr_valid(addr)	(1)
- 
-+/* Purge data and instruction TLB entries.  Must be called holding
-+ * the pa_tlb_lock.  The TLB purge instructions are slow on SMP
-+ * machines since the purge must be broadcast to all CPUs.
-+ */
-+
-+static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr)
-+{
-+	mtsp(mm->context, 1);
-+	pdtlb(addr);
-+	if (unlikely(split_tlb))
-+		pitlb(addr);
-+}
-+
- /* Certain architectures need to do special things when PTEs
-  * within a page table are directly modified.  Thus, the following
-  * hook is made available.
-@@ -42,15 +55,20 @@ extern spinlock_t pa_dbit_lock;
-                 *(pteptr) = (pteval);                           \
-         } while(0)
- 
--extern void purge_tlb_entries(struct mm_struct *, unsigned long);
-+#define pte_inserted(x)						\
-+	((pte_val(x) & (_PAGE_PRESENT|_PAGE_ACCESSED))		\
-+	 == (_PAGE_PRESENT|_PAGE_ACCESSED))
- 
--#define set_pte_at(mm, addr, ptep, pteval)                      \
--	do {                                                    \
-+#define set_pte_at(mm, addr, ptep, pteval)			\
-+	do {							\
-+		pte_t old_pte;					\
- 		unsigned long flags;				\
--		spin_lock_irqsave(&pa_dbit_lock, flags);	\
--		set_pte(ptep, pteval);                          \
--		purge_tlb_entries(mm, addr);                    \
--		spin_unlock_irqrestore(&pa_dbit_lock, flags);	\
-+		spin_lock_irqsave(&pa_tlb_lock, flags);		\
-+		old_pte = *ptep;				\
-+		set_pte(ptep, pteval);				\
-+		if (pte_inserted(old_pte))			\
-+			purge_tlb_entries(mm, addr);		\
-+		spin_unlock_irqrestore(&pa_tlb_lock, flags);	\
- 	} while (0)
- 
- #endif /* !__ASSEMBLY__ */
-@@ -268,7 +286,7 @@ extern unsigned long *empty_zero_page;
- 
- #define pte_none(x)     (pte_val(x) == 0)
- #define pte_present(x)	(pte_val(x) & _PAGE_PRESENT)
--#define pte_clear(mm,addr,xp)	do { pte_val(*(xp)) = 0; } while (0)
-+#define pte_clear(mm, addr, xp)  set_pte_at(mm, addr, xp, __pte(0))
- 
- #define pmd_flag(x)	(pmd_val(x) & PxD_FLAG_MASK)
- #define pmd_address(x)	((unsigned long)(pmd_val(x) &~ PxD_FLAG_MASK) << PxD_VALUE_SHIFT)
-@@ -435,15 +453,15 @@ static inline int ptep_test_and_clear_young(struct vm_area_struct *vma, unsigned
- 	if (!pte_young(*ptep))
- 		return 0;
- 
--	spin_lock_irqsave(&pa_dbit_lock, flags);
-+	spin_lock_irqsave(&pa_tlb_lock, flags);
- 	pte = *ptep;
- 	if (!pte_young(pte)) {
--		spin_unlock_irqrestore(&pa_dbit_lock, flags);
-+		spin_unlock_irqrestore(&pa_tlb_lock, flags);
- 		return 0;
- 	}
- 	set_pte(ptep, pte_mkold(pte));
- 	purge_tlb_entries(vma->vm_mm, addr);
--	spin_unlock_irqrestore(&pa_dbit_lock, flags);
-+	spin_unlock_irqrestore(&pa_tlb_lock, flags);
- 	return 1;
- }
- 
-@@ -453,11 +471,12 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long addr,
- 	pte_t old_pte;
- 	unsigned long flags;
- 
--	spin_lock_irqsave(&pa_dbit_lock, flags);
-+	spin_lock_irqsave(&pa_tlb_lock, flags);
- 	old_pte = *ptep;
--	pte_clear(mm,addr,ptep);
--	purge_tlb_entries(mm, addr);
--	spin_unlock_irqrestore(&pa_dbit_lock, flags);
-+	set_pte(ptep, __pte(0));
-+	if (pte_inserted(old_pte))
-+		purge_tlb_entries(mm, addr);
-+	spin_unlock_irqrestore(&pa_tlb_lock, flags);
- 
- 	return old_pte;
- }
-@@ -465,10 +484,10 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long addr,
- static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
- {
- 	unsigned long flags;
--	spin_lock_irqsave(&pa_dbit_lock, flags);
-+	spin_lock_irqsave(&pa_tlb_lock, flags);
- 	set_pte(ptep, pte_wrprotect(*ptep));
- 	purge_tlb_entries(mm, addr);
--	spin_unlock_irqrestore(&pa_dbit_lock, flags);
-+	spin_unlock_irqrestore(&pa_tlb_lock, flags);
- }
- 
- #define pte_same(A,B)	(pte_val(A) == pte_val(B))
-diff --git a/arch/parisc/include/asm/tlbflush.h b/arch/parisc/include/asm/tlbflush.h
-index 9d086a5..e84b964 100644
---- a/arch/parisc/include/asm/tlbflush.h
-+++ b/arch/parisc/include/asm/tlbflush.h
-@@ -13,6 +13,9 @@
-  * active at any one time on the Merced bus.  This tlb purge
-  * synchronisation is fairly lightweight and harmless so we activate
-  * it on all systems not just the N class.
-+
-+ * It is also used to ensure PTE updates are atomic and consistent
-+ * with the TLB.
-  */
- extern spinlock_t pa_tlb_lock;
- 
-@@ -24,20 +27,24 @@ extern void flush_tlb_all_local(void *);
- 
- #define smp_flush_tlb_all()	flush_tlb_all()
- 
-+int __flush_tlb_range(unsigned long sid,
-+	unsigned long start, unsigned long end);
-+
-+#define flush_tlb_range(vma, start, end) \
-+	__flush_tlb_range((vma)->vm_mm->context, start, end)
-+
-+#define flush_tlb_kernel_range(start, end) \
-+	__flush_tlb_range(0, start, end)
-+
- /*
-  * flush_tlb_mm()
-  *
-- * XXX This code is NOT valid for HP-UX compatibility processes,
-- * (although it will probably work 99% of the time). HP-UX
-- * processes are free to play with the space id's and save them
-- * over long periods of time, etc. so we have to preserve the
-- * space and just flush the entire tlb. We need to check the
-- * personality in order to do that, but the personality is not
-- * currently being set correctly.
-- *
-- * Of course, Linux processes could do the same thing, but
-- * we don't support that (and the compilers, dynamic linker,
-- * etc. do not do that).
-+ * The code to switch to a new context is NOT valid for processes
-+ * which play with the space id's.  Thus, we have to preserve the
-+ * space and just flush the entire tlb.  However, the compilers,
-+ * dynamic linker, etc, do not manipulate space id's, so there
-+ * could be a significant performance benefit in switching contexts
-+ * and not flushing the whole tlb.
-  */
- 
- static inline void flush_tlb_mm(struct mm_struct *mm)
-@@ -45,10 +52,18 @@ static inline void flush_tlb_mm(struct mm_struct *mm)
- 	BUG_ON(mm == &init_mm); /* Should never happen */
- 
- #if 1 || defined(CONFIG_SMP)
-+	/* Except for very small threads, flushing the whole TLB is
-+	 * faster than using __flush_tlb_range.  The pdtlb and pitlb
-+	 * instructions are very slow because of the TLB broadcast.
-+	 * It might be faster to do local range flushes on all CPUs
-+	 * on PA 2.0 systems.
-+	 */
- 	flush_tlb_all();
- #else
- 	/* FIXME: currently broken, causing space id and protection ids
--	 *  to go out of sync, resulting in faults on userspace accesses.
-+	 * to go out of sync, resulting in faults on userspace accesses.
-+	 * This approach needs further investigation since running many
-+	 * small applications (e.g., GCC testsuite) is faster on HP-UX.
- 	 */
- 	if (mm) {
- 		if (mm->context != 0)
-@@ -65,22 +80,12 @@ static inline void flush_tlb_page(struct vm_area_struct *vma,
- {
- 	unsigned long flags, sid;
- 
--	/* For one page, it's not worth testing the split_tlb variable */
--
--	mb();
- 	sid = vma->vm_mm->context;
- 	purge_tlb_start(flags);
- 	mtsp(sid, 1);
- 	pdtlb(addr);
--	pitlb(addr);
-+	if (unlikely(split_tlb))
-+		pitlb(addr);
- 	purge_tlb_end(flags);
- }
--
--void __flush_tlb_range(unsigned long sid,
--	unsigned long start, unsigned long end);
--
--#define flush_tlb_range(vma,start,end) __flush_tlb_range((vma)->vm_mm->context,start,end)
--
--#define flush_tlb_kernel_range(start, end) __flush_tlb_range(0,start,end)
--
- #endif
-diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c
-index f6448c7..cda6dbb 100644
---- a/arch/parisc/kernel/cache.c
-+++ b/arch/parisc/kernel/cache.c
-@@ -342,12 +342,15 @@ EXPORT_SYMBOL(flush_data_cache_local);
- EXPORT_SYMBOL(flush_kernel_icache_range_asm);
- 
- #define FLUSH_THRESHOLD 0x80000 /* 0.5MB */
--int parisc_cache_flush_threshold __read_mostly = FLUSH_THRESHOLD;
-+static unsigned long parisc_cache_flush_threshold __read_mostly = FLUSH_THRESHOLD;
-+
-+#define FLUSH_TLB_THRESHOLD (2*1024*1024) /* 2MB initial TLB threshold */
-+static unsigned long parisc_tlb_flush_threshold __read_mostly = FLUSH_TLB_THRESHOLD;
- 
- void __init parisc_setup_cache_timing(void)
- {
- 	unsigned long rangetime, alltime;
--	unsigned long size;
-+	unsigned long size, start;
- 
- 	alltime = mfctl(16);
- 	flush_data_cache();
-@@ -364,14 +367,43 @@ void __init parisc_setup_cache_timing(void)
- 	/* Racy, but if we see an intermediate value, it's ok too... */
- 	parisc_cache_flush_threshold = size * alltime / rangetime;
- 
--	parisc_cache_flush_threshold = (parisc_cache_flush_threshold + L1_CACHE_BYTES - 1) &~ (L1_CACHE_BYTES - 1); 
-+	parisc_cache_flush_threshold = L1_CACHE_ALIGN(parisc_cache_flush_threshold);
- 	if (!parisc_cache_flush_threshold)
- 		parisc_cache_flush_threshold = FLUSH_THRESHOLD;
- 
- 	if (parisc_cache_flush_threshold > cache_info.dc_size)
- 		parisc_cache_flush_threshold = cache_info.dc_size;
- 
--	printk(KERN_INFO "Setting cache flush threshold to %x (%d CPUs online)\n", parisc_cache_flush_threshold, num_online_cpus());
-+	printk(KERN_INFO "Setting cache flush threshold to %lu kB\n",
-+		parisc_cache_flush_threshold/1024);
-+
-+	/* calculate TLB flush threshold */
-+
-+	alltime = mfctl(16);
-+	flush_tlb_all();
-+	alltime = mfctl(16) - alltime;
-+
-+	size = PAGE_SIZE;
-+	start = (unsigned long) _text;
-+	rangetime = mfctl(16);
-+	while (start < (unsigned long) _end) {
-+		flush_tlb_kernel_range(start, start + PAGE_SIZE);
-+		start += PAGE_SIZE;
-+		size += PAGE_SIZE;
-+	}
-+	rangetime = mfctl(16) - rangetime;
-+
-+	printk(KERN_DEBUG "Whole TLB flush %lu cycles, flushing %lu bytes %lu cycles\n",
-+		alltime, size, rangetime);
-+
-+	parisc_tlb_flush_threshold = size * alltime / rangetime;
-+	parisc_tlb_flush_threshold *= num_online_cpus();
-+	parisc_tlb_flush_threshold = PAGE_ALIGN(parisc_tlb_flush_threshold);
-+	if (!parisc_tlb_flush_threshold)
-+		parisc_tlb_flush_threshold = FLUSH_TLB_THRESHOLD;
-+
-+	printk(KERN_INFO "Setting TLB flush threshold to %lu kB\n",
-+		parisc_tlb_flush_threshold/1024);
- }
- 
- extern void purge_kernel_dcache_page_asm(unsigned long);
-@@ -403,48 +435,45 @@ void copy_user_page(void *vto, void *vfrom, unsigned long vaddr,
- }
- EXPORT_SYMBOL(copy_user_page);
- 
--void purge_tlb_entries(struct mm_struct *mm, unsigned long addr)
--{
--	unsigned long flags;
--
--	/* Note: purge_tlb_entries can be called at startup with
--	   no context.  */
--
--	purge_tlb_start(flags);
--	mtsp(mm->context, 1);
--	pdtlb(addr);
--	pitlb(addr);
--	purge_tlb_end(flags);
--}
--EXPORT_SYMBOL(purge_tlb_entries);
--
--void __flush_tlb_range(unsigned long sid, unsigned long start,
--		       unsigned long end)
-+/* __flush_tlb_range()
-+ *
-+ * returns 1 if all TLBs were flushed.
-+ */
-+int __flush_tlb_range(unsigned long sid, unsigned long start,
-+		      unsigned long end)
- {
--	unsigned long npages;
-+	unsigned long flags, size;
- 
--	npages = ((end - (start & PAGE_MASK)) + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
--	if (npages >= 512)  /* 2MB of space: arbitrary, should be tuned */
-+	size = (end - start);
-+	if (size >= parisc_tlb_flush_threshold) {
- 		flush_tlb_all();
--	else {
--		unsigned long flags;
-+		return 1;
-+	}
- 
-+	/* Purge TLB entries for small ranges using the pdtlb and
-+	   pitlb instructions.  These instructions execute locally
-+	   but cause a purge request to be broadcast to other TLBs.  */
-+	if (likely(!split_tlb)) {
-+		while (start < end) {
-+			purge_tlb_start(flags);
-+			mtsp(sid, 1);
-+			pdtlb(start);
-+			purge_tlb_end(flags);
-+			start += PAGE_SIZE;
-+		}
-+		return 0;
-+	}
-+
-+	/* split TLB case */
-+	while (start < end) {
- 		purge_tlb_start(flags);
- 		mtsp(sid, 1);
--		if (split_tlb) {
--			while (npages--) {
--				pdtlb(start);
--				pitlb(start);
--				start += PAGE_SIZE;
--			}
--		} else {
--			while (npages--) {
--				pdtlb(start);
--				start += PAGE_SIZE;
--			}
--		}
-+		pdtlb(start);
-+		pitlb(start);
- 		purge_tlb_end(flags);
-+		start += PAGE_SIZE;
- 	}
-+	return 0;
- }
- 
- static void cacheflush_h_tmp_function(void *dummy)
-diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S
-index 7581961..c5ef408 100644
---- a/arch/parisc/kernel/entry.S
-+++ b/arch/parisc/kernel/entry.S
-@@ -45,7 +45,7 @@
- 	.level 2.0
- #endif
- 
--	.import         pa_dbit_lock,data
-+	.import		pa_tlb_lock,data
- 
- 	/* space_to_prot macro creates a prot id from a space id */
- 
-@@ -420,8 +420,8 @@
- 	SHLREG		%r9,PxD_VALUE_SHIFT,\pmd
- 	extru		\va,31-PAGE_SHIFT,ASM_BITS_PER_PTE,\index
- 	dep		%r0,31,PAGE_SHIFT,\pmd  /* clear offset */
--	shladd		\index,BITS_PER_PTE_ENTRY,\pmd,\pmd
--	LDREG		%r0(\pmd),\pte		/* pmd is now pte */
-+	shladd		\index,BITS_PER_PTE_ENTRY,\pmd,\pmd /* pmd is now pte */
-+	LDREG		%r0(\pmd),\pte
- 	bb,>=,n		\pte,_PAGE_PRESENT_BIT,\fault
- 	.endm
- 
-@@ -453,57 +453,53 @@
- 	L2_ptep		\pgd,\pte,\index,\va,\fault
- 	.endm
- 
--	/* Acquire pa_dbit_lock lock. */
--	.macro		dbit_lock	spc,tmp,tmp1
-+	/* Acquire pa_tlb_lock lock and recheck page is still present. */
-+	.macro		tlb_lock	spc,ptp,pte,tmp,tmp1,fault
- #ifdef CONFIG_SMP
- 	cmpib,COND(=),n	0,\spc,2f
--	load32		PA(pa_dbit_lock),\tmp
-+	load32		PA(pa_tlb_lock),\tmp
- 1:	LDCW		0(\tmp),\tmp1
- 	cmpib,COND(=)	0,\tmp1,1b
- 	nop
-+	LDREG		0(\ptp),\pte
-+	bb,<,n		\pte,_PAGE_PRESENT_BIT,2f
-+	b		\fault
-+	stw		 \spc,0(\tmp)
- 2:
- #endif
- 	.endm
- 
--	/* Release pa_dbit_lock lock without reloading lock address. */
--	.macro		dbit_unlock0	spc,tmp
-+	/* Release pa_tlb_lock lock without reloading lock address. */
-+	.macro		tlb_unlock0	spc,tmp
- #ifdef CONFIG_SMP
- 	or,COND(=)	%r0,\spc,%r0
- 	stw             \spc,0(\tmp)
- #endif
- 	.endm
- 
--	/* Release pa_dbit_lock lock. */
--	.macro		dbit_unlock1	spc,tmp
-+	/* Release pa_tlb_lock lock. */
-+	.macro		tlb_unlock1	spc,tmp
- #ifdef CONFIG_SMP
--	load32		PA(pa_dbit_lock),\tmp
--	dbit_unlock0	\spc,\tmp
-+	load32		PA(pa_tlb_lock),\tmp
-+	tlb_unlock0	\spc,\tmp
- #endif
- 	.endm
- 
- 	/* Set the _PAGE_ACCESSED bit of the PTE.  Be clever and
- 	 * don't needlessly dirty the cache line if it was already set */
--	.macro		update_ptep	spc,ptep,pte,tmp,tmp1
--#ifdef CONFIG_SMP
--	or,COND(=)	%r0,\spc,%r0
--	LDREG		0(\ptep),\pte
--#endif
-+	.macro		update_accessed	ptp,pte,tmp,tmp1
- 	ldi		_PAGE_ACCESSED,\tmp1
- 	or		\tmp1,\pte,\tmp
- 	and,COND(<>)	\tmp1,\pte,%r0
--	STREG		\tmp,0(\ptep)
-+	STREG		\tmp,0(\ptp)
- 	.endm
- 
- 	/* Set the dirty bit (and accessed bit).  No need to be
- 	 * clever, this is only used from the dirty fault */
--	.macro		update_dirty	spc,ptep,pte,tmp
--#ifdef CONFIG_SMP
--	or,COND(=)	%r0,\spc,%r0
--	LDREG		0(\ptep),\pte
--#endif
-+	.macro		update_dirty	ptp,pte,tmp
- 	ldi		_PAGE_ACCESSED|_PAGE_DIRTY,\tmp
- 	or		\tmp,\pte,\pte
--	STREG		\pte,0(\ptep)
-+	STREG		\pte,0(\ptp)
- 	.endm
- 
- 	/* bitshift difference between a PFN (based on kernel's PAGE_SIZE)
-@@ -1148,14 +1144,14 @@ dtlb_miss_20w:
- 
- 	L3_ptep		ptp,pte,t0,va,dtlb_check_alias_20w
- 
--	dbit_lock	spc,t0,t1
--	update_ptep	spc,ptp,pte,t0,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,dtlb_check_alias_20w
-+	update_accessed	ptp,pte,t0,t1
- 
- 	make_insert_tlb	spc,pte,prot
- 	
- 	idtlbt          pte,prot
--	dbit_unlock1	spc,t0
- 
-+	tlb_unlock1	spc,t0
- 	rfir
- 	nop
- 
-@@ -1174,14 +1170,14 @@ nadtlb_miss_20w:
- 
- 	L3_ptep		ptp,pte,t0,va,nadtlb_check_alias_20w
- 
--	dbit_lock	spc,t0,t1
--	update_ptep	spc,ptp,pte,t0,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,nadtlb_check_alias_20w
-+	update_accessed	ptp,pte,t0,t1
- 
- 	make_insert_tlb	spc,pte,prot
- 
- 	idtlbt          pte,prot
--	dbit_unlock1	spc,t0
- 
-+	tlb_unlock1	spc,t0
- 	rfir
- 	nop
- 
-@@ -1202,20 +1198,20 @@ dtlb_miss_11:
- 
- 	L2_ptep		ptp,pte,t0,va,dtlb_check_alias_11
- 
--	dbit_lock	spc,t0,t1
--	update_ptep	spc,ptp,pte,t0,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,dtlb_check_alias_11
-+	update_accessed	ptp,pte,t0,t1
- 
- 	make_insert_tlb_11	spc,pte,prot
- 
--	mfsp		%sr1,t0  /* Save sr1 so we can use it in tlb inserts */
-+	mfsp		%sr1,t1  /* Save sr1 so we can use it in tlb inserts */
- 	mtsp		spc,%sr1
- 
- 	idtlba		pte,(%sr1,va)
- 	idtlbp		prot,(%sr1,va)
- 
--	mtsp		t0, %sr1	/* Restore sr1 */
--	dbit_unlock1	spc,t0
-+	mtsp		t1, %sr1	/* Restore sr1 */
- 
-+	tlb_unlock1	spc,t0
- 	rfir
- 	nop
- 
-@@ -1235,21 +1231,20 @@ nadtlb_miss_11:
- 
- 	L2_ptep		ptp,pte,t0,va,nadtlb_check_alias_11
- 
--	dbit_lock	spc,t0,t1
--	update_ptep	spc,ptp,pte,t0,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,nadtlb_check_alias_11
-+	update_accessed	ptp,pte,t0,t1
- 
- 	make_insert_tlb_11	spc,pte,prot
- 
--
--	mfsp		%sr1,t0  /* Save sr1 so we can use it in tlb inserts */
-+	mfsp		%sr1,t1  /* Save sr1 so we can use it in tlb inserts */
- 	mtsp		spc,%sr1
- 
- 	idtlba		pte,(%sr1,va)
- 	idtlbp		prot,(%sr1,va)
- 
--	mtsp		t0, %sr1	/* Restore sr1 */
--	dbit_unlock1	spc,t0
-+	mtsp		t1, %sr1	/* Restore sr1 */
- 
-+	tlb_unlock1	spc,t0
- 	rfir
- 	nop
- 
-@@ -1269,16 +1264,16 @@ dtlb_miss_20:
- 
- 	L2_ptep		ptp,pte,t0,va,dtlb_check_alias_20
- 
--	dbit_lock	spc,t0,t1
--	update_ptep	spc,ptp,pte,t0,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,dtlb_check_alias_20
-+	update_accessed	ptp,pte,t0,t1
- 
- 	make_insert_tlb	spc,pte,prot
- 
--	f_extend	pte,t0
-+	f_extend	pte,t1
- 
- 	idtlbt          pte,prot
--	dbit_unlock1	spc,t0
- 
-+	tlb_unlock1	spc,t0
- 	rfir
- 	nop
- 
-@@ -1297,16 +1292,16 @@ nadtlb_miss_20:
- 
- 	L2_ptep		ptp,pte,t0,va,nadtlb_check_alias_20
- 
--	dbit_lock	spc,t0,t1
--	update_ptep	spc,ptp,pte,t0,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,nadtlb_check_alias_20
-+	update_accessed	ptp,pte,t0,t1
- 
- 	make_insert_tlb	spc,pte,prot
- 
--	f_extend	pte,t0
-+	f_extend	pte,t1
- 	
--        idtlbt          pte,prot
--	dbit_unlock1	spc,t0
-+	idtlbt		pte,prot
- 
-+	tlb_unlock1	spc,t0
- 	rfir
- 	nop
- 
-@@ -1406,14 +1401,14 @@ itlb_miss_20w:
- 
- 	L3_ptep		ptp,pte,t0,va,itlb_fault
- 
--	dbit_lock	spc,t0,t1
--	update_ptep	spc,ptp,pte,t0,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,itlb_fault
-+	update_accessed	ptp,pte,t0,t1
- 
- 	make_insert_tlb	spc,pte,prot
- 	
- 	iitlbt          pte,prot
--	dbit_unlock1	spc,t0
- 
-+	tlb_unlock1	spc,t0
- 	rfir
- 	nop
- 
-@@ -1430,14 +1425,14 @@ naitlb_miss_20w:
- 
- 	L3_ptep		ptp,pte,t0,va,naitlb_check_alias_20w
- 
--	dbit_lock	spc,t0,t1
--	update_ptep	spc,ptp,pte,t0,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,naitlb_check_alias_20w
-+	update_accessed	ptp,pte,t0,t1
- 
- 	make_insert_tlb	spc,pte,prot
- 
- 	iitlbt          pte,prot
--	dbit_unlock1	spc,t0
- 
-+	tlb_unlock1	spc,t0
- 	rfir
- 	nop
- 
-@@ -1458,20 +1453,20 @@ itlb_miss_11:
- 
- 	L2_ptep		ptp,pte,t0,va,itlb_fault
- 
--	dbit_lock	spc,t0,t1
--	update_ptep	spc,ptp,pte,t0,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,itlb_fault
-+	update_accessed	ptp,pte,t0,t1
- 
- 	make_insert_tlb_11	spc,pte,prot
- 
--	mfsp		%sr1,t0  /* Save sr1 so we can use it in tlb inserts */
-+	mfsp		%sr1,t1  /* Save sr1 so we can use it in tlb inserts */
- 	mtsp		spc,%sr1
- 
- 	iitlba		pte,(%sr1,va)
- 	iitlbp		prot,(%sr1,va)
- 
--	mtsp		t0, %sr1	/* Restore sr1 */
--	dbit_unlock1	spc,t0
-+	mtsp		t1, %sr1	/* Restore sr1 */
- 
-+	tlb_unlock1	spc,t0
- 	rfir
- 	nop
- 
-@@ -1482,20 +1477,20 @@ naitlb_miss_11:
- 
- 	L2_ptep		ptp,pte,t0,va,naitlb_check_alias_11
- 
--	dbit_lock	spc,t0,t1
--	update_ptep	spc,ptp,pte,t0,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,naitlb_check_alias_11
-+	update_accessed	ptp,pte,t0,t1
- 
- 	make_insert_tlb_11	spc,pte,prot
- 
--	mfsp		%sr1,t0  /* Save sr1 so we can use it in tlb inserts */
-+	mfsp		%sr1,t1  /* Save sr1 so we can use it in tlb inserts */
- 	mtsp		spc,%sr1
- 
- 	iitlba		pte,(%sr1,va)
- 	iitlbp		prot,(%sr1,va)
- 
--	mtsp		t0, %sr1	/* Restore sr1 */
--	dbit_unlock1	spc,t0
-+	mtsp		t1, %sr1	/* Restore sr1 */
- 
-+	tlb_unlock1	spc,t0
- 	rfir
- 	nop
- 
-@@ -1516,16 +1511,16 @@ itlb_miss_20:
- 
- 	L2_ptep		ptp,pte,t0,va,itlb_fault
- 
--	dbit_lock	spc,t0,t1
--	update_ptep	spc,ptp,pte,t0,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,itlb_fault
-+	update_accessed	ptp,pte,t0,t1
- 
- 	make_insert_tlb	spc,pte,prot
- 
--	f_extend	pte,t0	
-+	f_extend	pte,t1
- 
- 	iitlbt          pte,prot
--	dbit_unlock1	spc,t0
- 
-+	tlb_unlock1	spc,t0
- 	rfir
- 	nop
- 
-@@ -1536,16 +1531,16 @@ naitlb_miss_20:
- 
- 	L2_ptep		ptp,pte,t0,va,naitlb_check_alias_20
- 
--	dbit_lock	spc,t0,t1
--	update_ptep	spc,ptp,pte,t0,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,naitlb_check_alias_20
-+	update_accessed	ptp,pte,t0,t1
- 
- 	make_insert_tlb	spc,pte,prot
- 
--	f_extend	pte,t0
-+	f_extend	pte,t1
- 
- 	iitlbt          pte,prot
--	dbit_unlock1	spc,t0
- 
-+	tlb_unlock1	spc,t0
- 	rfir
- 	nop
- 
-@@ -1568,14 +1563,14 @@ dbit_trap_20w:
- 
- 	L3_ptep		ptp,pte,t0,va,dbit_fault
- 
--	dbit_lock	spc,t0,t1
--	update_dirty	spc,ptp,pte,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,dbit_fault
-+	update_dirty	ptp,pte,t1
- 
- 	make_insert_tlb	spc,pte,prot
- 		
- 	idtlbt          pte,prot
--	dbit_unlock0	spc,t0
- 
-+	tlb_unlock0	spc,t0
- 	rfir
- 	nop
- #else
-@@ -1588,8 +1583,8 @@ dbit_trap_11:
- 
- 	L2_ptep		ptp,pte,t0,va,dbit_fault
- 
--	dbit_lock	spc,t0,t1
--	update_dirty	spc,ptp,pte,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,dbit_fault
-+	update_dirty	ptp,pte,t1
- 
- 	make_insert_tlb_11	spc,pte,prot
- 
-@@ -1600,8 +1595,8 @@ dbit_trap_11:
- 	idtlbp		prot,(%sr1,va)
- 
- 	mtsp            t1, %sr1     /* Restore sr1 */
--	dbit_unlock0	spc,t0
- 
-+	tlb_unlock0	spc,t0
- 	rfir
- 	nop
- 
-@@ -1612,16 +1607,16 @@ dbit_trap_20:
- 
- 	L2_ptep		ptp,pte,t0,va,dbit_fault
- 
--	dbit_lock	spc,t0,t1
--	update_dirty	spc,ptp,pte,t1
-+	tlb_lock	spc,ptp,pte,t0,t1,dbit_fault
-+	update_dirty	ptp,pte,t1
- 
- 	make_insert_tlb	spc,pte,prot
- 
- 	f_extend	pte,t1
- 	
--        idtlbt          pte,prot
--	dbit_unlock0	spc,t0
-+	idtlbt		pte,prot
- 
-+	tlb_unlock0	spc,t0
- 	rfir
- 	nop
- #endif
-diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
-index 47ee620..7f67c4c 100644
---- a/arch/parisc/kernel/traps.c
-+++ b/arch/parisc/kernel/traps.c
-@@ -43,10 +43,6 @@
- 
- #include "../math-emu/math-emu.h"	/* for handle_fpe() */
- 
--#if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)
--DEFINE_SPINLOCK(pa_dbit_lock);
--#endif
--
- static void parisc_show_stack(struct task_struct *task, unsigned long *sp,
- 	struct pt_regs *regs);
- 
-diff --git a/arch/powerpc/kernel/idle_power7.S b/arch/powerpc/kernel/idle_power7.S
-index ccde8f0..112ccf4 100644
---- a/arch/powerpc/kernel/idle_power7.S
-+++ b/arch/powerpc/kernel/idle_power7.S
-@@ -52,6 +52,22 @@
- 	.text
- 
- /*
-+ * Used by threads when the lock bit of core_idle_state is set.
-+ * Threads will spin in HMT_LOW until the lock bit is cleared.
-+ * r14 - pointer to core_idle_state
-+ * r15 - used to load contents of core_idle_state
-+ */
-+
-+core_idle_lock_held:
-+	HMT_LOW
-+3:	lwz	r15,0(r14)
-+	andi.   r15,r15,PNV_CORE_IDLE_LOCK_BIT
-+	bne	3b
-+	HMT_MEDIUM
-+	lwarx	r15,0,r14
-+	blr
-+
-+/*
-  * Pass requested state in r3:
-  *	r3 - PNV_THREAD_NAP/SLEEP/WINKLE
-  *
-@@ -150,6 +166,10 @@ power7_enter_nap_mode:
- 	ld	r14,PACA_CORE_IDLE_STATE_PTR(r13)
- lwarx_loop1:
- 	lwarx	r15,0,r14
-+
-+	andi.   r9,r15,PNV_CORE_IDLE_LOCK_BIT
-+	bnel	core_idle_lock_held
-+
- 	andc	r15,r15,r7			/* Clear thread bit */
- 
- 	andi.	r15,r15,PNV_CORE_IDLE_THREAD_BITS
-@@ -294,7 +314,7 @@ lwarx_loop2:
- 	 * workaround undo code or resyncing timebase or restoring context
- 	 * In either case loop until the lock bit is cleared.
- 	 */
--	bne	core_idle_lock_held
-+	bnel	core_idle_lock_held
- 
- 	cmpwi	cr2,r15,0
- 	lbz	r4,PACA_SUBCORE_SIBLING_MASK(r13)
-@@ -319,15 +339,6 @@ lwarx_loop2:
- 	isync
- 	b	common_exit
- 
--core_idle_lock_held:
--	HMT_LOW
--core_idle_lock_loop:
--	lwz	r15,0(14)
--	andi.   r9,r15,PNV_CORE_IDLE_LOCK_BIT
--	bne	core_idle_lock_loop
--	HMT_MEDIUM
--	b	lwarx_loop2
--
- first_thread_in_subcore:
- 	/* First thread in subcore to wakeup */
- 	ori	r15,r15,PNV_CORE_IDLE_LOCK_BIT
-diff --git a/arch/s390/include/asm/ctl_reg.h b/arch/s390/include/asm/ctl_reg.h
-index cfad7fca..d7697ab 100644
---- a/arch/s390/include/asm/ctl_reg.h
-+++ b/arch/s390/include/asm/ctl_reg.h
-@@ -57,7 +57,10 @@ union ctlreg0 {
- 		unsigned long lap  : 1; /* Low-address-protection control */
- 		unsigned long	   : 4;
- 		unsigned long edat : 1; /* Enhanced-DAT-enablement control */
--		unsigned long	   : 23;
-+		unsigned long	   : 4;
-+		unsigned long afp  : 1; /* AFP-register control */
-+		unsigned long vx   : 1; /* Vector enablement control */
-+		unsigned long	   : 17;
- 	};
- };
- 
-diff --git a/arch/s390/kernel/cache.c b/arch/s390/kernel/cache.c
-index bff5e3b..8ba3243 100644
---- a/arch/s390/kernel/cache.c
-+++ b/arch/s390/kernel/cache.c
-@@ -138,6 +138,8 @@ int init_cache_level(unsigned int cpu)
- 	union cache_topology ct;
- 	enum cache_type ctype;
- 
-+	if (!test_facility(34))
-+		return -EOPNOTSUPP;
- 	if (!this_cpu_ci)
- 		return -EINVAL;
- 	ct.raw = ecag(EXTRACT_TOPOLOGY, 0, 0);
-diff --git a/arch/s390/kernel/nmi.c b/arch/s390/kernel/nmi.c
-index 505c17c..56b5508 100644
---- a/arch/s390/kernel/nmi.c
-+++ b/arch/s390/kernel/nmi.c
-@@ -21,6 +21,7 @@
- #include <asm/nmi.h>
- #include <asm/crw.h>
- #include <asm/switch_to.h>
-+#include <asm/ctl_reg.h>
- 
- struct mcck_struct {
- 	int kill_task;
-@@ -129,26 +130,30 @@ static int notrace s390_revalidate_registers(struct mci *mci)
- 	} else
- 		asm volatile("lfpc 0(%0)" : : "a" (fpt_creg_save_area));
- 
--	asm volatile(
--		"	ld	0,0(%0)\n"
--		"	ld	1,8(%0)\n"
--		"	ld	2,16(%0)\n"
--		"	ld	3,24(%0)\n"
--		"	ld	4,32(%0)\n"
--		"	ld	5,40(%0)\n"
--		"	ld	6,48(%0)\n"
--		"	ld	7,56(%0)\n"
--		"	ld	8,64(%0)\n"
--		"	ld	9,72(%0)\n"
--		"	ld	10,80(%0)\n"
--		"	ld	11,88(%0)\n"
--		"	ld	12,96(%0)\n"
--		"	ld	13,104(%0)\n"
--		"	ld	14,112(%0)\n"
--		"	ld	15,120(%0)\n"
--		: : "a" (fpt_save_area));
--	/* Revalidate vector registers */
--	if (MACHINE_HAS_VX && current->thread.vxrs) {
-+	if (!MACHINE_HAS_VX) {
-+		/* Revalidate floating point registers */
-+		asm volatile(
-+			"	ld	0,0(%0)\n"
-+			"	ld	1,8(%0)\n"
-+			"	ld	2,16(%0)\n"
-+			"	ld	3,24(%0)\n"
-+			"	ld	4,32(%0)\n"
-+			"	ld	5,40(%0)\n"
-+			"	ld	6,48(%0)\n"
-+			"	ld	7,56(%0)\n"
-+			"	ld	8,64(%0)\n"
-+			"	ld	9,72(%0)\n"
-+			"	ld	10,80(%0)\n"
-+			"	ld	11,88(%0)\n"
-+			"	ld	12,96(%0)\n"
-+			"	ld	13,104(%0)\n"
-+			"	ld	14,112(%0)\n"
-+			"	ld	15,120(%0)\n"
-+			: : "a" (fpt_save_area));
-+	} else {
-+		/* Revalidate vector registers */
-+		union ctlreg0 cr0;
-+
- 		if (!mci->vr) {
- 			/*
- 			 * Vector registers can't be restored and therefore
-@@ -156,8 +161,12 @@ static int notrace s390_revalidate_registers(struct mci *mci)
- 			 */
- 			kill_task = 1;
- 		}
-+		cr0.val = S390_lowcore.cregs_save_area[0];
-+		cr0.afp = cr0.vx = 1;
-+		__ctl_load(cr0.val, 0, 0);
- 		restore_vx_regs((__vector128 *)
--				S390_lowcore.vector_save_area_addr);
-+				&S390_lowcore.vector_save_area);
-+		__ctl_load(S390_lowcore.cregs_save_area[0], 0, 0);
- 	}
- 	/* Revalidate access registers */
- 	asm volatile(
-diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c
-index dc5edc2..8f587d8 100644
---- a/arch/s390/kernel/process.c
-+++ b/arch/s390/kernel/process.c
-@@ -163,7 +163,7 @@ int copy_thread(unsigned long clone_flags, unsigned long new_stackp,
- asmlinkage void execve_tail(void)
- {
- 	current->thread.fp_regs.fpc = 0;
--	asm volatile("sfpc %0,%0" : : "d" (0));
-+	asm volatile("sfpc %0" : : "d" (0));
- }
- 
- /*
-diff --git a/arch/s390/kernel/sclp.S b/arch/s390/kernel/sclp.S
-index 43c3169..ada0c07 100644
---- a/arch/s390/kernel/sclp.S
-+++ b/arch/s390/kernel/sclp.S
-@@ -270,6 +270,8 @@ ENTRY(_sclp_print_early)
- 	jno	.Lesa2
- 	ahi	%r15,-80
- 	stmh	%r6,%r15,96(%r15)		# store upper register halves
-+	basr	%r13,0
-+	lmh	%r0,%r15,.Lzeroes-.(%r13)	# clear upper register halves
- .Lesa2:
- 	lr	%r10,%r2			# save string pointer
- 	lhi	%r2,0
-@@ -291,6 +293,8 @@ ENTRY(_sclp_print_early)
- .Lesa3:
- 	lm	%r6,%r15,120(%r15)		# restore registers
- 	br	%r14
-+.Lzeroes:
-+	.fill	64,4,0
- 
- .LwritedataS4:
- 	.long	0x00760005			# SCLP command for write data
-diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
-index 9afb9d6..dc2d7aa 100644
---- a/arch/s390/net/bpf_jit_comp.c
-+++ b/arch/s390/net/bpf_jit_comp.c
-@@ -415,13 +415,13 @@ static void bpf_jit_prologue(struct bpf_jit *jit)
- 		EMIT6_DISP_LH(0xe3000000, 0x0004, REG_SKB_DATA, REG_0,
- 			      BPF_REG_1, offsetof(struct sk_buff, data));
- 	}
--	/* BPF compatibility: clear A (%b7) and X (%b8) registers */
--	if (REG_SEEN(BPF_REG_7))
--		/* lghi %b7,0 */
--		EMIT4_IMM(0xa7090000, BPF_REG_7, 0);
--	if (REG_SEEN(BPF_REG_8))
--		/* lghi %b8,0 */
--		EMIT4_IMM(0xa7090000, BPF_REG_8, 0);
-+	/* BPF compatibility: clear A (%b0) and X (%b7) registers */
-+	if (REG_SEEN(BPF_REG_A))
-+		/* lghi %ba,0 */
-+		EMIT4_IMM(0xa7090000, BPF_REG_A, 0);
-+	if (REG_SEEN(BPF_REG_X))
-+		/* lghi %bx,0 */
-+		EMIT4_IMM(0xa7090000, BPF_REG_X, 0);
- }
- 
- /*
-diff --git a/arch/tile/kernel/setup.c b/arch/tile/kernel/setup.c
-index d366675..396b5c9 100644
---- a/arch/tile/kernel/setup.c
-+++ b/arch/tile/kernel/setup.c
-@@ -1139,7 +1139,7 @@ static void __init load_hv_initrd(void)
- 
- void __init free_initrd_mem(unsigned long begin, unsigned long end)
- {
--	free_bootmem(__pa(begin), end - begin);
-+	free_bootmem_late(__pa(begin), end - begin);
- }
- 
- static int __init setup_initrd(char *str)
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 48304b8..0cdc154 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -1193,6 +1193,10 @@ static efi_status_t setup_e820(struct boot_params *params,
- 		unsigned int e820_type = 0;
- 		unsigned long m = efi->efi_memmap;
- 
-+#ifdef CONFIG_X86_64
-+		m |= (u64)efi->efi_memmap_hi << 32;
-+#endif
-+
- 		d = (efi_memory_desc_t *)(m + (i * efi->efi_memdesc_size));
- 		switch (d->type) {
- 		case EFI_RESERVED_TYPE:
-diff --git a/arch/x86/include/asm/kasan.h b/arch/x86/include/asm/kasan.h
-index 8b22422..74a2a8d 100644
---- a/arch/x86/include/asm/kasan.h
-+++ b/arch/x86/include/asm/kasan.h
-@@ -14,15 +14,11 @@
- 
- #ifndef __ASSEMBLY__
- 
--extern pte_t kasan_zero_pte[];
--extern pte_t kasan_zero_pmd[];
--extern pte_t kasan_zero_pud[];
--
- #ifdef CONFIG_KASAN
--void __init kasan_map_early_shadow(pgd_t *pgd);
-+void __init kasan_early_init(void);
- void __init kasan_init(void);
- #else
--static inline void kasan_map_early_shadow(pgd_t *pgd) { }
-+static inline void kasan_early_init(void) { }
- static inline void kasan_init(void) { }
- #endif
- 
-diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index 883f6b9..e997f70 100644
---- a/arch/x86/include/asm/mmu_context.h
-+++ b/arch/x86/include/asm/mmu_context.h
-@@ -23,7 +23,7 @@ extern struct static_key rdpmc_always_available;
- 
- static inline void load_mm_cr4(struct mm_struct *mm)
- {
--	if (static_key_true(&rdpmc_always_available) ||
-+	if (static_key_false(&rdpmc_always_available) ||
- 	    atomic_read(&mm->context.perf_rdpmc_allowed))
- 		cr4_set_bits(X86_CR4_PCE);
- 	else
-diff --git a/arch/x86/kernel/cpu/perf_event_intel_cqm.c b/arch/x86/kernel/cpu/perf_event_intel_cqm.c
-index e4d1b8b..cb77b11 100644
---- a/arch/x86/kernel/cpu/perf_event_intel_cqm.c
-+++ b/arch/x86/kernel/cpu/perf_event_intel_cqm.c
-@@ -934,6 +934,14 @@ static u64 intel_cqm_event_count(struct perf_event *event)
- 		return 0;
- 
- 	/*
-+	 * Getting up-to-date values requires an SMP IPI which is not
-+	 * possible if we're being called in interrupt context. Return
-+	 * the cached values instead.
-+	 */
-+	if (unlikely(in_interrupt()))
-+		goto out;
-+
-+	/*
- 	 * Notice that we don't perform the reading of an RMID
- 	 * atomically, because we can't hold a spin lock across the
- 	 * IPIs.
-diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
-index 5a46681..f129a9a 100644
---- a/arch/x86/kernel/head64.c
-+++ b/arch/x86/kernel/head64.c
-@@ -161,11 +161,12 @@ asmlinkage __visible void __init x86_64_start_kernel(char * real_mode_data)
- 	/* Kill off the identity-map trampoline */
- 	reset_early_page_tables();
- 
--	kasan_map_early_shadow(early_level4_pgt);
--
--	/* clear bss before set_intr_gate with early_idt_handler */
- 	clear_bss();
- 
-+	clear_page(init_level4_pgt);
-+
-+	kasan_early_init();
-+
- 	for (i = 0; i < NUM_EXCEPTION_VECTORS; i++)
- 		set_intr_gate(i, early_idt_handler_array[i]);
- 	load_idt((const struct desc_ptr *)&idt_descr);
-@@ -177,12 +178,9 @@ asmlinkage __visible void __init x86_64_start_kernel(char * real_mode_data)
- 	 */
- 	load_ucode_bsp();
- 
--	clear_page(init_level4_pgt);
- 	/* set init_level4_pgt kernel high mapping*/
- 	init_level4_pgt[511] = early_level4_pgt[511];
- 
--	kasan_map_early_shadow(init_level4_pgt);
--
- 	x86_64_start_reservations(real_mode_data);
- }
- 
-diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
-index df7e780..7e5da2c 100644
---- a/arch/x86/kernel/head_64.S
-+++ b/arch/x86/kernel/head_64.S
-@@ -516,38 +516,9 @@ ENTRY(phys_base)
- 	/* This must match the first entry in level2_kernel_pgt */
- 	.quad   0x0000000000000000
- 
--#ifdef CONFIG_KASAN
--#define FILL(VAL, COUNT)				\
--	.rept (COUNT) ;					\
--	.quad	(VAL) ;					\
--	.endr
--
--NEXT_PAGE(kasan_zero_pte)
--	FILL(kasan_zero_page - __START_KERNEL_map + _KERNPG_TABLE, 512)
--NEXT_PAGE(kasan_zero_pmd)
--	FILL(kasan_zero_pte - __START_KERNEL_map + _KERNPG_TABLE, 512)
--NEXT_PAGE(kasan_zero_pud)
--	FILL(kasan_zero_pmd - __START_KERNEL_map + _KERNPG_TABLE, 512)
--
--#undef FILL
--#endif
--
--
- #include "../../x86/xen/xen-head.S"
- 	
- 	__PAGE_ALIGNED_BSS
- NEXT_PAGE(empty_zero_page)
- 	.skip PAGE_SIZE
- 
--#ifdef CONFIG_KASAN
--/*
-- * This page used as early shadow. We don't use empty_zero_page
-- * at early stages, stack instrumentation could write some garbage
-- * to this page.
-- * Latter we reuse it as zero shadow for large ranges of memory
-- * that allowed to access, but not instrumented by kasan
-- * (vmalloc/vmemmap ...).
-- */
--NEXT_PAGE(kasan_zero_page)
--	.skip PAGE_SIZE
--#endif
-diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c
-index 4860906..9a54dbe 100644
---- a/arch/x86/mm/kasan_init_64.c
-+++ b/arch/x86/mm/kasan_init_64.c
-@@ -11,7 +11,19 @@
- extern pgd_t early_level4_pgt[PTRS_PER_PGD];
- extern struct range pfn_mapped[E820_X_MAX];
- 
--extern unsigned char kasan_zero_page[PAGE_SIZE];
-+static pud_t kasan_zero_pud[PTRS_PER_PUD] __page_aligned_bss;
-+static pmd_t kasan_zero_pmd[PTRS_PER_PMD] __page_aligned_bss;
-+static pte_t kasan_zero_pte[PTRS_PER_PTE] __page_aligned_bss;
-+
-+/*
-+ * This page used as early shadow. We don't use empty_zero_page
-+ * at early stages, stack instrumentation could write some garbage
-+ * to this page.
-+ * Latter we reuse it as zero shadow for large ranges of memory
-+ * that allowed to access, but not instrumented by kasan
-+ * (vmalloc/vmemmap ...).
-+ */
-+static unsigned char kasan_zero_page[PAGE_SIZE] __page_aligned_bss;
- 
- static int __init map_range(struct range *range)
- {
-@@ -36,7 +48,7 @@ static void __init clear_pgds(unsigned long start,
- 		pgd_clear(pgd_offset_k(start));
- }
- 
--void __init kasan_map_early_shadow(pgd_t *pgd)
-+static void __init kasan_map_early_shadow(pgd_t *pgd)
- {
- 	int i;
- 	unsigned long start = KASAN_SHADOW_START;
-@@ -73,7 +85,7 @@ static int __init zero_pmd_populate(pud_t *pud, unsigned long addr,
- 	while (IS_ALIGNED(addr, PMD_SIZE) && addr + PMD_SIZE <= end) {
- 		WARN_ON(!pmd_none(*pmd));
- 		set_pmd(pmd, __pmd(__pa_nodebug(kasan_zero_pte)
--					| __PAGE_KERNEL_RO));
-+					| _KERNPG_TABLE));
- 		addr += PMD_SIZE;
- 		pmd = pmd_offset(pud, addr);
- 	}
-@@ -99,7 +111,7 @@ static int __init zero_pud_populate(pgd_t *pgd, unsigned long addr,
- 	while (IS_ALIGNED(addr, PUD_SIZE) && addr + PUD_SIZE <= end) {
- 		WARN_ON(!pud_none(*pud));
- 		set_pud(pud, __pud(__pa_nodebug(kasan_zero_pmd)
--					| __PAGE_KERNEL_RO));
-+					| _KERNPG_TABLE));
- 		addr += PUD_SIZE;
- 		pud = pud_offset(pgd, addr);
- 	}
-@@ -124,7 +136,7 @@ static int __init zero_pgd_populate(unsigned long addr, unsigned long end)
- 	while (IS_ALIGNED(addr, PGDIR_SIZE) && addr + PGDIR_SIZE <= end) {
- 		WARN_ON(!pgd_none(*pgd));
- 		set_pgd(pgd, __pgd(__pa_nodebug(kasan_zero_pud)
--					| __PAGE_KERNEL_RO));
-+					| _KERNPG_TABLE));
- 		addr += PGDIR_SIZE;
- 		pgd = pgd_offset_k(addr);
- 	}
-@@ -166,6 +178,26 @@ static struct notifier_block kasan_die_notifier = {
- };
- #endif
- 
-+void __init kasan_early_init(void)
-+{
-+	int i;
-+	pteval_t pte_val = __pa_nodebug(kasan_zero_page) | __PAGE_KERNEL;
-+	pmdval_t pmd_val = __pa_nodebug(kasan_zero_pte) | _KERNPG_TABLE;
-+	pudval_t pud_val = __pa_nodebug(kasan_zero_pmd) | _KERNPG_TABLE;
-+
-+	for (i = 0; i < PTRS_PER_PTE; i++)
-+		kasan_zero_pte[i] = __pte(pte_val);
-+
-+	for (i = 0; i < PTRS_PER_PMD; i++)
-+		kasan_zero_pmd[i] = __pmd(pmd_val);
-+
-+	for (i = 0; i < PTRS_PER_PUD; i++)
-+		kasan_zero_pud[i] = __pud(pud_val);
-+
-+	kasan_map_early_shadow(early_level4_pgt);
-+	kasan_map_early_shadow(init_level4_pgt);
-+}
-+
- void __init kasan_init(void)
- {
- 	int i;
-@@ -176,6 +208,7 @@ void __init kasan_init(void)
- 
- 	memcpy(early_level4_pgt, init_level4_pgt, sizeof(early_level4_pgt));
- 	load_cr3(early_level4_pgt);
-+	__flush_tlb_all();
- 
- 	clear_pgds(KASAN_SHADOW_START, KASAN_SHADOW_END);
- 
-@@ -202,5 +235,6 @@ void __init kasan_init(void)
- 	memset(kasan_zero_page, 0, PAGE_SIZE);
- 
- 	load_cr3(init_level4_pgt);
-+	__flush_tlb_all();
- 	init_task.kasan_depth = 0;
- }
-diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
-index 3250f23..90b924a 100644
---- a/arch/x86/mm/tlb.c
-+++ b/arch/x86/mm/tlb.c
-@@ -117,7 +117,7 @@ static void flush_tlb_func(void *info)
- 		} else {
- 			unsigned long addr;
- 			unsigned long nr_pages =
--				f->flush_end - f->flush_start / PAGE_SIZE;
-+				(f->flush_end - f->flush_start) / PAGE_SIZE;
- 			addr = f->flush_start;
- 			while (addr < f->flush_end) {
- 				__flush_tlb_single(addr);
-diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
-index 02744df..841ea05 100644
---- a/arch/x86/platform/efi/efi.c
-+++ b/arch/x86/platform/efi/efi.c
-@@ -946,6 +946,11 @@ u64 efi_mem_attributes(unsigned long phys_addr)
- 
- static int __init arch_parse_efi_cmdline(char *str)
- {
-+	if (!str) {
-+		pr_warn("need at least one option\n");
-+		return -EINVAL;
-+	}
-+
- 	if (parse_option_str(str, "old_map"))
- 		set_bit(EFI_OLD_MEMMAP, &efi.flags);
- 	if (parse_option_str(str, "debug"))
-diff --git a/block/bio-integrity.c b/block/bio-integrity.c
-index 5cbd5d9..39ce74d 100644
---- a/block/bio-integrity.c
-+++ b/block/bio-integrity.c
-@@ -51,7 +51,7 @@ struct bio_integrity_payload *bio_integrity_alloc(struct bio *bio,
- 	unsigned long idx = BIO_POOL_NONE;
- 	unsigned inline_vecs;
- 
--	if (!bs) {
-+	if (!bs || !bs->bio_integrity_pool) {
- 		bip = kmalloc(sizeof(struct bio_integrity_payload) +
- 			      sizeof(struct bio_vec) * nr_vecs, gfp_mask);
- 		inline_vecs = nr_vecs;
-@@ -104,7 +104,7 @@ void bio_integrity_free(struct bio *bio)
- 		kfree(page_address(bip->bip_vec->bv_page) +
- 		      bip->bip_vec->bv_offset);
- 
--	if (bs) {
-+	if (bs && bs->bio_integrity_pool) {
- 		if (bip->bip_slab != BIO_POOL_NONE)
- 			bvec_free(bs->bvec_integrity_pool, bip->bip_vec,
- 				  bip->bip_slab);
-diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
-index 0ac817b..6817e28 100644
---- a/block/blk-cgroup.c
-+++ b/block/blk-cgroup.c
-@@ -716,8 +716,12 @@ int blkg_conf_prep(struct blkcg *blkcg, const struct blkcg_policy *pol,
- 		return -EINVAL;
- 
- 	disk = get_gendisk(MKDEV(major, minor), &part);
--	if (!disk || part)
-+	if (!disk)
- 		return -EINVAL;
-+	if (part) {
-+		put_disk(disk);
-+		return -EINVAL;
-+	}
- 
- 	rcu_read_lock();
- 	spin_lock_irq(disk->queue->queue_lock);
-diff --git a/block/blk-mq.c b/block/blk-mq.c
-index 594eea0..2dc1fd6 100644
---- a/block/blk-mq.c
-+++ b/block/blk-mq.c
-@@ -1968,7 +1968,7 @@ struct request_queue *blk_mq_init_allocated_queue(struct blk_mq_tag_set *set,
- 		goto err_hctxs;
- 
- 	setup_timer(&q->timeout, blk_mq_rq_timer, (unsigned long) q);
--	blk_queue_rq_timeout(q, set->timeout ? set->timeout : 30000);
-+	blk_queue_rq_timeout(q, set->timeout ? set->timeout : 30 * HZ);
- 
- 	q->nr_queues = nr_cpu_ids;
- 	q->nr_hw_queues = set->nr_hw_queues;
-diff --git a/drivers/ata/libata-pmp.c b/drivers/ata/libata-pmp.c
-index 7ccc084..85aa761 100644
---- a/drivers/ata/libata-pmp.c
-+++ b/drivers/ata/libata-pmp.c
-@@ -460,6 +460,13 @@ static void sata_pmp_quirks(struct ata_port *ap)
- 				       ATA_LFLAG_NO_SRST |
- 				       ATA_LFLAG_ASSUME_ATA;
- 		}
-+	} else if (vendor == 0x11ab && devid == 0x4140) {
-+		/* Marvell 4140 quirks */
-+		ata_for_each_link(link, ap, EDGE) {
-+			/* port 4 is for SEMB device and it doesn't like SRST */
-+			if (link->pmp == 4)
-+				link->flags |= ATA_LFLAG_DISABLED;
-+		}
- 	}
- }
- 
-diff --git a/drivers/clk/st/clk-flexgen.c b/drivers/clk/st/clk-flexgen.c
-index bf12a25..0f8db28 100644
---- a/drivers/clk/st/clk-flexgen.c
-+++ b/drivers/clk/st/clk-flexgen.c
-@@ -303,6 +303,8 @@ void __init st_of_flexgen_setup(struct device_node *np)
- 	if (!rlock)
- 		goto err;
- 
-+	spin_lock_init(rlock);
-+
- 	for (i = 0; i < clk_data->clk_num; i++) {
- 		struct clk *clk;
- 		const char *clk_name;
-diff --git a/drivers/clk/st/clkgen-fsyn.c b/drivers/clk/st/clkgen-fsyn.c
-index a917c4c..6ae068a 100644
---- a/drivers/clk/st/clkgen-fsyn.c
-+++ b/drivers/clk/st/clkgen-fsyn.c
-@@ -340,7 +340,7 @@ static const struct clkgen_quadfs_data st_fs660c32_C_407 = {
- 		    CLKGEN_FIELD(0x30c, 0xf, 20),
- 		    CLKGEN_FIELD(0x310, 0xf, 20) },
- 	.lockstatus_present = true,
--	.lock_status = CLKGEN_FIELD(0x2A0, 0x1, 24),
-+	.lock_status = CLKGEN_FIELD(0x2f0, 0x1, 24),
- 	.powerup_polarity = 1,
- 	.standby_polarity = 1,
- 	.pll_ops	= &st_quadfs_pll_c32_ops,
-diff --git a/drivers/clk/st/clkgen-mux.c b/drivers/clk/st/clkgen-mux.c
-index fdcff10..ef65146 100644
---- a/drivers/clk/st/clkgen-mux.c
-+++ b/drivers/clk/st/clkgen-mux.c
-@@ -582,7 +582,7 @@ static struct clkgen_mux_data stih416_a9_mux_data = {
- };
- static struct clkgen_mux_data stih407_a9_mux_data = {
- 	.offset = 0x1a4,
--	.shift = 1,
-+	.shift = 0,
- 	.width = 2,
- };
- 
-diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
-index c45d274..6f9d27f 100644
---- a/drivers/cpufreq/intel_pstate.c
-+++ b/drivers/cpufreq/intel_pstate.c
-@@ -678,6 +678,7 @@ static struct cpu_defaults knl_params = {
- 		.get_max = core_get_max_pstate,
- 		.get_min = core_get_min_pstate,
- 		.get_turbo = knl_get_turbo_pstate,
-+		.get_scaling = core_get_scaling,
- 		.set = core_set_pstate,
- 	},
- };
-diff --git a/drivers/crypto/omap-des.c b/drivers/crypto/omap-des.c
-index 4630709..0a70e46 100644
---- a/drivers/crypto/omap-des.c
-+++ b/drivers/crypto/omap-des.c
-@@ -536,9 +536,6 @@ static int omap_des_crypt_dma_stop(struct omap_des_dev *dd)
- 	dmaengine_terminate_all(dd->dma_lch_in);
- 	dmaengine_terminate_all(dd->dma_lch_out);
- 
--	dma_unmap_sg(dd->dev, dd->in_sg, dd->in_sg_len, DMA_TO_DEVICE);
--	dma_unmap_sg(dd->dev, dd->out_sg, dd->out_sg_len, DMA_FROM_DEVICE);
--
- 	return err;
- }
- 
-diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
-index 4fd9961..d425374 100644
---- a/drivers/firmware/efi/cper.c
-+++ b/drivers/firmware/efi/cper.c
-@@ -305,10 +305,17 @@ const char *cper_mem_err_unpack(struct trace_seq *p,
- 	return ret;
- }
- 
--static void cper_print_mem(const char *pfx, const struct cper_sec_mem_err *mem)
-+static void cper_print_mem(const char *pfx, const struct cper_sec_mem_err *mem,
-+	int len)
- {
- 	struct cper_mem_err_compact cmem;
- 
-+	/* Don't trust UEFI 2.1/2.2 structure with bad validation bits */
-+	if (len == sizeof(struct cper_sec_mem_err_old) &&
-+	    (mem->validation_bits & ~(CPER_MEM_VALID_RANK_NUMBER - 1))) {
-+		pr_err(FW_WARN "valid bits set for fields beyond structure\n");
-+		return;
-+	}
- 	if (mem->validation_bits & CPER_MEM_VALID_ERROR_STATUS)
- 		printk("%s""error_status: 0x%016llx\n", pfx, mem->error_status);
- 	if (mem->validation_bits & CPER_MEM_VALID_PA)
-@@ -405,8 +412,10 @@ static void cper_estatus_print_section(
- 	} else if (!uuid_le_cmp(*sec_type, CPER_SEC_PLATFORM_MEM)) {
- 		struct cper_sec_mem_err *mem_err = (void *)(gdata + 1);
- 		printk("%s""section_type: memory error\n", newpfx);
--		if (gdata->error_data_length >= sizeof(*mem_err))
--			cper_print_mem(newpfx, mem_err);
-+		if (gdata->error_data_length >=
-+		    sizeof(struct cper_sec_mem_err_old))
-+			cper_print_mem(newpfx, mem_err,
-+				       gdata->error_data_length);
- 		else
- 			goto err_section_too_small;
- 	} else if (!uuid_le_cmp(*sec_type, CPER_SEC_PCIE)) {
-diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
-index e14363d..63226e9 100644
---- a/drivers/firmware/efi/efi.c
-+++ b/drivers/firmware/efi/efi.c
-@@ -57,6 +57,11 @@ bool efi_runtime_disabled(void)
- 
- static int __init parse_efi_cmdline(char *str)
- {
-+	if (!str) {
-+		pr_warn("need at least one option\n");
-+		return -EINVAL;
-+	}
-+
- 	if (parse_option_str(str, "noruntime"))
- 		disable_runtime = true;
- 
-diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
-index 8904933..cd6dae0 100644
---- a/drivers/gpu/drm/nouveau/nouveau_drm.c
-+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
-@@ -863,8 +863,10 @@ nouveau_drm_preclose(struct drm_device *dev, struct drm_file *fpriv)
- 
- 	pm_runtime_get_sync(dev->dev);
- 
-+	mutex_lock(&cli->mutex);
- 	if (cli->abi16)
- 		nouveau_abi16_fini(cli->abi16);
-+	mutex_unlock(&cli->mutex);
- 
- 	mutex_lock(&drm->client.mutex);
- 	list_del(&cli->head);
-diff --git a/drivers/gpu/drm/nouveau/nv04_fbcon.c b/drivers/gpu/drm/nouveau/nv04_fbcon.c
-index 4ef602c..495c576 100644
---- a/drivers/gpu/drm/nouveau/nv04_fbcon.c
-+++ b/drivers/gpu/drm/nouveau/nv04_fbcon.c
-@@ -203,7 +203,7 @@ nv04_fbcon_accel_init(struct fb_info *info)
- 	if (ret)
- 		return ret;
- 
--	if (RING_SPACE(chan, 49)) {
-+	if (RING_SPACE(chan, 49 + (device->info.chipset >= 0x11 ? 4 : 0))) {
- 		nouveau_fbcon_gpu_lockup(info);
- 		return 0;
- 	}
-diff --git a/drivers/gpu/drm/nouveau/nv50_display.c b/drivers/gpu/drm/nouveau/nv50_display.c
-index 7da7958..981342d 100644
---- a/drivers/gpu/drm/nouveau/nv50_display.c
-+++ b/drivers/gpu/drm/nouveau/nv50_display.c
-@@ -979,7 +979,7 @@ nv50_crtc_cursor_show_hide(struct nouveau_crtc *nv_crtc, bool show, bool update)
- {
- 	struct nv50_mast *mast = nv50_mast(nv_crtc->base.dev);
- 
--	if (show && nv_crtc->cursor.nvbo)
-+	if (show && nv_crtc->cursor.nvbo && nv_crtc->base.enabled)
- 		nv50_crtc_cursor_show(nv_crtc);
- 	else
- 		nv50_crtc_cursor_hide(nv_crtc);
-diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv04.c b/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv04.c
-index 80614f1..282143f 100644
---- a/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv04.c
-+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv04.c
-@@ -50,7 +50,12 @@ nv04_instobj_dtor(struct nvkm_object *object)
- {
- 	struct nv04_instmem_priv *priv = (void *)nvkm_instmem(object);
- 	struct nv04_instobj_priv *node = (void *)object;
-+	struct nvkm_subdev *subdev = (void *)priv;
-+
-+	mutex_lock(&subdev->mutex);
- 	nvkm_mm_free(&priv->heap, &node->mem);
-+	mutex_unlock(&subdev->mutex);
-+
- 	nvkm_instobj_destroy(&node->base);
- }
- 
-@@ -62,6 +67,7 @@ nv04_instobj_ctor(struct nvkm_object *parent, struct nvkm_object *engine,
- 	struct nv04_instmem_priv *priv = (void *)nvkm_instmem(parent);
- 	struct nv04_instobj_priv *node;
- 	struct nvkm_instobj_args *args = data;
-+	struct nvkm_subdev *subdev = (void *)priv;
- 	int ret;
- 
- 	if (!args->align)
-@@ -72,8 +78,10 @@ nv04_instobj_ctor(struct nvkm_object *parent, struct nvkm_object *engine,
- 	if (ret)
- 		return ret;
- 
-+	mutex_lock(&subdev->mutex);
- 	ret = nvkm_mm_head(&priv->heap, 0, 1, args->size, args->size,
- 			   args->align, &node->mem);
-+	mutex_unlock(&subdev->mutex);
- 	if (ret)
- 		return ret;
- 
-diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
-index 3318de6..a2dbbbe 100644
---- a/drivers/hid/hid-cp2112.c
-+++ b/drivers/hid/hid-cp2112.c
-@@ -356,6 +356,8 @@ static int cp2112_read(struct cp2112_device *dev, u8 *data, size_t size)
- 	struct cp2112_force_read_report report;
- 	int ret;
- 
-+	if (size > sizeof(dev->read_data))
-+		size = sizeof(dev->read_data);
- 	report.report = CP2112_DATA_READ_FORCE_SEND;
- 	report.length = cpu_to_be16(size);
- 
-diff --git a/drivers/hwmon/nct7802.c b/drivers/hwmon/nct7802.c
-index 28fcb2e..fbfc02b 100644
---- a/drivers/hwmon/nct7802.c
-+++ b/drivers/hwmon/nct7802.c
-@@ -195,7 +195,7 @@ abort:
- }
- 
- static int nct7802_write_voltage(struct nct7802_data *data, int nr, int index,
--				 unsigned int voltage)
-+				 unsigned long voltage)
- {
- 	int shift = 8 - REG_VOLTAGE_LIMIT_MSB_SHIFT[index - 1][nr];
- 	int err;
-diff --git a/drivers/hwmon/nct7904.c b/drivers/hwmon/nct7904.c
-index b77b82f..6153df73 100644
---- a/drivers/hwmon/nct7904.c
-+++ b/drivers/hwmon/nct7904.c
-@@ -412,8 +412,9 @@ static ssize_t show_pwm(struct device *dev,
- 	return sprintf(buf, "%d\n", val);
- }
- 
--static ssize_t store_mode(struct device *dev, struct device_attribute *devattr,
--			  const char *buf, size_t count)
-+static ssize_t store_enable(struct device *dev,
-+			    struct device_attribute *devattr,
-+			    const char *buf, size_t count)
- {
- 	int index = to_sensor_dev_attr(devattr)->index;
- 	struct nct7904_data *data = dev_get_drvdata(dev);
-@@ -422,18 +423,18 @@ static ssize_t store_mode(struct device *dev, struct device_attribute *devattr,
- 
- 	if (kstrtoul(buf, 10, &val) < 0)
- 		return -EINVAL;
--	if (val > 1 || (val && !data->fan_mode[index]))
-+	if (val < 1 || val > 2 || (val == 2 && !data->fan_mode[index]))
- 		return -EINVAL;
- 
- 	ret = nct7904_write_reg(data, BANK_3, FANCTL1_FMR_REG + index,
--				val ? data->fan_mode[index] : 0);
-+				val == 2 ? data->fan_mode[index] : 0);
- 
- 	return ret ? ret : count;
- }
- 
--/* Return 0 for manual mode or 1 for SmartFan mode */
--static ssize_t show_mode(struct device *dev,
--			 struct device_attribute *devattr, char *buf)
-+/* Return 1 for manual mode or 2 for SmartFan mode */
-+static ssize_t show_enable(struct device *dev,
-+			   struct device_attribute *devattr, char *buf)
- {
- 	int index = to_sensor_dev_attr(devattr)->index;
- 	struct nct7904_data *data = dev_get_drvdata(dev);
-@@ -443,36 +444,36 @@ static ssize_t show_mode(struct device *dev,
- 	if (val < 0)
- 		return val;
- 
--	return sprintf(buf, "%d\n", val ? 1 : 0);
-+	return sprintf(buf, "%d\n", val ? 2 : 1);
- }
- 
- /* 2 attributes per channel: pwm and mode */
--static SENSOR_DEVICE_ATTR(fan1_pwm, S_IRUGO | S_IWUSR,
-+static SENSOR_DEVICE_ATTR(pwm1, S_IRUGO | S_IWUSR,
- 			show_pwm, store_pwm, 0);
--static SENSOR_DEVICE_ATTR(fan1_mode, S_IRUGO | S_IWUSR,
--			show_mode, store_mode, 0);
--static SENSOR_DEVICE_ATTR(fan2_pwm, S_IRUGO | S_IWUSR,
-+static SENSOR_DEVICE_ATTR(pwm1_enable, S_IRUGO | S_IWUSR,
-+			show_enable, store_enable, 0);
-+static SENSOR_DEVICE_ATTR(pwm2, S_IRUGO | S_IWUSR,
- 			show_pwm, store_pwm, 1);
--static SENSOR_DEVICE_ATTR(fan2_mode, S_IRUGO | S_IWUSR,
--			show_mode, store_mode, 1);
--static SENSOR_DEVICE_ATTR(fan3_pwm, S_IRUGO | S_IWUSR,
-+static SENSOR_DEVICE_ATTR(pwm2_enable, S_IRUGO | S_IWUSR,
-+			show_enable, store_enable, 1);
-+static SENSOR_DEVICE_ATTR(pwm3, S_IRUGO | S_IWUSR,
- 			show_pwm, store_pwm, 2);
--static SENSOR_DEVICE_ATTR(fan3_mode, S_IRUGO | S_IWUSR,
--			show_mode, store_mode, 2);
--static SENSOR_DEVICE_ATTR(fan4_pwm, S_IRUGO | S_IWUSR,
-+static SENSOR_DEVICE_ATTR(pwm3_enable, S_IRUGO | S_IWUSR,
-+			show_enable, store_enable, 2);
-+static SENSOR_DEVICE_ATTR(pwm4, S_IRUGO | S_IWUSR,
- 			show_pwm, store_pwm, 3);
--static SENSOR_DEVICE_ATTR(fan4_mode, S_IRUGO | S_IWUSR,
--			show_mode, store_mode, 3);
-+static SENSOR_DEVICE_ATTR(pwm4_enable, S_IRUGO | S_IWUSR,
-+			show_enable, store_enable, 3);
- 
- static struct attribute *nct7904_fanctl_attrs[] = {
--	&sensor_dev_attr_fan1_pwm.dev_attr.attr,
--	&sensor_dev_attr_fan1_mode.dev_attr.attr,
--	&sensor_dev_attr_fan2_pwm.dev_attr.attr,
--	&sensor_dev_attr_fan2_mode.dev_attr.attr,
--	&sensor_dev_attr_fan3_pwm.dev_attr.attr,
--	&sensor_dev_attr_fan3_mode.dev_attr.attr,
--	&sensor_dev_attr_fan4_pwm.dev_attr.attr,
--	&sensor_dev_attr_fan4_mode.dev_attr.attr,
-+	&sensor_dev_attr_pwm1.dev_attr.attr,
-+	&sensor_dev_attr_pwm1_enable.dev_attr.attr,
-+	&sensor_dev_attr_pwm2.dev_attr.attr,
-+	&sensor_dev_attr_pwm2_enable.dev_attr.attr,
-+	&sensor_dev_attr_pwm3.dev_attr.attr,
-+	&sensor_dev_attr_pwm3_enable.dev_attr.attr,
-+	&sensor_dev_attr_pwm4.dev_attr.attr,
-+	&sensor_dev_attr_pwm4_enable.dev_attr.attr,
- 	NULL
- };
- 
-diff --git a/drivers/infiniband/ulp/ipoib/ipoib_verbs.c b/drivers/infiniband/ulp/ipoib/ipoib_verbs.c
-index e5cc430..2d13fd0 100644
---- a/drivers/infiniband/ulp/ipoib/ipoib_verbs.c
-+++ b/drivers/infiniband/ulp/ipoib/ipoib_verbs.c
-@@ -176,7 +176,8 @@ int ipoib_transport_dev_init(struct net_device *dev, struct ib_device *ca)
- 		else
- 			size += ipoib_recvq_size * ipoib_max_conn_qp;
- 	} else
--		goto out_free_wq;
-+		if (ret != -ENOSYS)
-+			goto out_free_wq;
- 
- 	priv->recv_cq = ib_create_cq(priv->ca, ipoib_ib_completion, NULL, dev, size, 0);
- 	if (IS_ERR(priv->recv_cq)) {
-diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
-index 35c8d0c..3a32caf 100644
---- a/drivers/input/mouse/synaptics.c
-+++ b/drivers/input/mouse/synaptics.c
-@@ -1199,7 +1199,7 @@ static void set_input_params(struct psmouse *psmouse,
- 					ABS_MT_POSITION_Y);
- 		/* Image sensors can report per-contact pressure */
- 		input_set_abs_params(dev, ABS_MT_PRESSURE, 0, 255, 0, 0);
--		input_mt_init_slots(dev, 3, INPUT_MT_POINTER | INPUT_MT_TRACK);
-+		input_mt_init_slots(dev, 2, INPUT_MT_POINTER | INPUT_MT_TRACK);
- 
- 		/* Image sensors can signal 4 and 5 finger clicks */
- 		__set_bit(BTN_TOOL_QUADTAP, dev->keybit);
-diff --git a/drivers/input/touchscreen/usbtouchscreen.c b/drivers/input/touchscreen/usbtouchscreen.c
-index f2c6c35..2c41107 100644
---- a/drivers/input/touchscreen/usbtouchscreen.c
-+++ b/drivers/input/touchscreen/usbtouchscreen.c
-@@ -627,6 +627,9 @@ static int dmc_tsc10_init(struct usbtouch_usb *usbtouch)
- 		goto err_out;
- 	}
- 
-+	/* TSC-25 data sheet specifies a delay after the RESET command */
-+	msleep(150);
-+
- 	/* set coordinate output rate */
- 	buf[0] = buf[1] = 0xFF;
- 	ret = usb_control_msg(dev, usb_rcvctrlpipe (dev, 0),
-diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
-index 5ecfaf2..c87c4b1 100644
---- a/drivers/iommu/intel-iommu.c
-+++ b/drivers/iommu/intel-iommu.c
-@@ -1756,8 +1756,9 @@ static int domain_init(struct dmar_domain *domain, int guest_width)
- 
- static void domain_exit(struct dmar_domain *domain)
- {
-+	struct dmar_drhd_unit *drhd;
-+	struct intel_iommu *iommu;
- 	struct page *freelist = NULL;
--	int i;
- 
- 	/* Domain 0 is reserved, so dont process it */
- 	if (!domain)
-@@ -1777,8 +1778,10 @@ static void domain_exit(struct dmar_domain *domain)
- 
- 	/* clear attached or cached domains */
- 	rcu_read_lock();
--	for_each_set_bit(i, domain->iommu_bmp, g_num_of_iommus)
--		iommu_detach_domain(domain, g_iommus[i]);
-+	for_each_active_iommu(iommu, drhd)
-+		if (domain_type_is_vm(domain) ||
-+		    test_bit(iommu->seq_id, domain->iommu_bmp))
-+			iommu_detach_domain(domain, iommu);
- 	rcu_read_unlock();
- 
- 	dma_free_pagelist(freelist);
-diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
-index 1b7e155..c00e2db 100644
---- a/drivers/irqchip/irq-gic-v3-its.c
-+++ b/drivers/irqchip/irq-gic-v3-its.c
-@@ -75,6 +75,13 @@ struct its_node {
- 
- #define ITS_ITT_ALIGN		SZ_256
- 
-+struct event_lpi_map {
-+	unsigned long		*lpi_map;
-+	u16			*col_map;
-+	irq_hw_number_t		lpi_base;
-+	int			nr_lpis;
-+};
-+
- /*
-  * The ITS view of a device - belongs to an ITS, a collection, owns an
-  * interrupt translation table, and a list of interrupts.
-@@ -82,11 +89,8 @@ struct its_node {
- struct its_device {
- 	struct list_head	entry;
- 	struct its_node		*its;
--	struct its_collection	*collection;
-+	struct event_lpi_map	event_map;
- 	void			*itt;
--	unsigned long		*lpi_map;
--	irq_hw_number_t		lpi_base;
--	int			nr_lpis;
- 	u32			nr_ites;
- 	u32			device_id;
- };
-@@ -99,6 +103,14 @@ static struct rdists *gic_rdists;
- #define gic_data_rdist()		(raw_cpu_ptr(gic_rdists->rdist))
- #define gic_data_rdist_rd_base()	(gic_data_rdist()->rd_base)
- 
-+static struct its_collection *dev_event_to_col(struct its_device *its_dev,
-+					       u32 event)
-+{
-+	struct its_node *its = its_dev->its;
-+
-+	return its->collections + its_dev->event_map.col_map[event];
-+}
-+
- /*
-  * ITS command descriptors - parameters to be encoded in a command
-  * block.
-@@ -134,7 +146,7 @@ struct its_cmd_desc {
- 		struct {
- 			struct its_device *dev;
- 			struct its_collection *col;
--			u32 id;
-+			u32 event_id;
- 		} its_movi_cmd;
- 
- 		struct {
-@@ -241,7 +253,7 @@ static struct its_collection *its_build_mapd_cmd(struct its_cmd_block *cmd,
- 
- 	its_fixup_cmd(cmd);
- 
--	return desc->its_mapd_cmd.dev->collection;
-+	return NULL;
- }
- 
- static struct its_collection *its_build_mapc_cmd(struct its_cmd_block *cmd,
-@@ -260,52 +272,72 @@ static struct its_collection *its_build_mapc_cmd(struct its_cmd_block *cmd,
- static struct its_collection *its_build_mapvi_cmd(struct its_cmd_block *cmd,
- 						  struct its_cmd_desc *desc)
- {
-+	struct its_collection *col;
-+
-+	col = dev_event_to_col(desc->its_mapvi_cmd.dev,
-+			       desc->its_mapvi_cmd.event_id);
-+
- 	its_encode_cmd(cmd, GITS_CMD_MAPVI);
- 	its_encode_devid(cmd, desc->its_mapvi_cmd.dev->device_id);
- 	its_encode_event_id(cmd, desc->its_mapvi_cmd.event_id);
- 	its_encode_phys_id(cmd, desc->its_mapvi_cmd.phys_id);
--	its_encode_collection(cmd, desc->its_mapvi_cmd.dev->collection->col_id);
-+	its_encode_collection(cmd, col->col_id);
- 
- 	its_fixup_cmd(cmd);
- 
--	return desc->its_mapvi_cmd.dev->collection;
-+	return col;
- }
- 
- static struct its_collection *its_build_movi_cmd(struct its_cmd_block *cmd,
- 						 struct its_cmd_desc *desc)
- {
-+	struct its_collection *col;
-+
-+	col = dev_event_to_col(desc->its_movi_cmd.dev,
-+			       desc->its_movi_cmd.event_id);
-+
- 	its_encode_cmd(cmd, GITS_CMD_MOVI);
- 	its_encode_devid(cmd, desc->its_movi_cmd.dev->device_id);
--	its_encode_event_id(cmd, desc->its_movi_cmd.id);
-+	its_encode_event_id(cmd, desc->its_movi_cmd.event_id);
- 	its_encode_collection(cmd, desc->its_movi_cmd.col->col_id);
- 
- 	its_fixup_cmd(cmd);
- 
--	return desc->its_movi_cmd.dev->collection;
-+	return col;
- }
- 
- static struct its_collection *its_build_discard_cmd(struct its_cmd_block *cmd,
- 						    struct its_cmd_desc *desc)
- {
-+	struct its_collection *col;
-+
-+	col = dev_event_to_col(desc->its_discard_cmd.dev,
-+			       desc->its_discard_cmd.event_id);
-+
- 	its_encode_cmd(cmd, GITS_CMD_DISCARD);
- 	its_encode_devid(cmd, desc->its_discard_cmd.dev->device_id);
- 	its_encode_event_id(cmd, desc->its_discard_cmd.event_id);
- 
- 	its_fixup_cmd(cmd);
- 
--	return desc->its_discard_cmd.dev->collection;
-+	return col;
- }
- 
- static struct its_collection *its_build_inv_cmd(struct its_cmd_block *cmd,
- 						struct its_cmd_desc *desc)
- {
-+	struct its_collection *col;
-+
-+	col = dev_event_to_col(desc->its_inv_cmd.dev,
-+			       desc->its_inv_cmd.event_id);
-+
- 	its_encode_cmd(cmd, GITS_CMD_INV);
- 	its_encode_devid(cmd, desc->its_inv_cmd.dev->device_id);
- 	its_encode_event_id(cmd, desc->its_inv_cmd.event_id);
- 
- 	its_fixup_cmd(cmd);
- 
--	return desc->its_inv_cmd.dev->collection;
-+	return col;
- }
- 
- static struct its_collection *its_build_invall_cmd(struct its_cmd_block *cmd,
-@@ -497,7 +529,7 @@ static void its_send_movi(struct its_device *dev,
- 
- 	desc.its_movi_cmd.dev = dev;
- 	desc.its_movi_cmd.col = col;
--	desc.its_movi_cmd.id = id;
-+	desc.its_movi_cmd.event_id = id;
- 
- 	its_send_single_command(dev->its, its_build_movi_cmd, &desc);
- }
-@@ -528,7 +560,7 @@ static void its_send_invall(struct its_node *its, struct its_collection *col)
- static inline u32 its_get_event_id(struct irq_data *d)
- {
- 	struct its_device *its_dev = irq_data_get_irq_chip_data(d);
--	return d->hwirq - its_dev->lpi_base;
-+	return d->hwirq - its_dev->event_map.lpi_base;
- }
- 
- static void lpi_set_config(struct irq_data *d, bool enable)
-@@ -583,7 +615,7 @@ static int its_set_affinity(struct irq_data *d, const struct cpumask *mask_val,
- 
- 	target_col = &its_dev->its->collections[cpu];
- 	its_send_movi(its_dev, target_col, id);
--	its_dev->collection = target_col;
-+	its_dev->event_map.col_map[id] = cpu;
- 
- 	return IRQ_SET_MASK_OK_DONE;
- }
-@@ -713,8 +745,10 @@ out:
- 	return bitmap;
- }
- 
--static void its_lpi_free(unsigned long *bitmap, int base, int nr_ids)
-+static void its_lpi_free(struct event_lpi_map *map)
- {
-+	int base = map->lpi_base;
-+	int nr_ids = map->nr_lpis;
- 	int lpi;
- 
- 	spin_lock(&lpi_lock);
-@@ -731,7 +765,8 @@ static void its_lpi_free(unsigned long *bitmap, int base, int nr_ids)
- 
- 	spin_unlock(&lpi_lock);
- 
--	kfree(bitmap);
-+	kfree(map->lpi_map);
-+	kfree(map->col_map);
- }
- 
- /*
-@@ -1099,11 +1134,11 @@ static struct its_device *its_create_device(struct its_node *its, u32 dev_id,
- 	struct its_device *dev;
- 	unsigned long *lpi_map;
- 	unsigned long flags;
-+	u16 *col_map = NULL;
- 	void *itt;
- 	int lpi_base;
- 	int nr_lpis;
- 	int nr_ites;
--	int cpu;
- 	int sz;
- 
- 	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
-@@ -1117,20 +1152,24 @@ static struct its_device *its_create_device(struct its_node *its, u32 dev_id,
- 	sz = max(sz, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1;
- 	itt = kzalloc(sz, GFP_KERNEL);
- 	lpi_map = its_lpi_alloc_chunks(nvecs, &lpi_base, &nr_lpis);
-+	if (lpi_map)
-+		col_map = kzalloc(sizeof(*col_map) * nr_lpis, GFP_KERNEL);
- 
--	if (!dev || !itt || !lpi_map) {
-+	if (!dev || !itt || !lpi_map || !col_map) {
- 		kfree(dev);
- 		kfree(itt);
- 		kfree(lpi_map);
-+		kfree(col_map);
- 		return NULL;
- 	}
- 
- 	dev->its = its;
- 	dev->itt = itt;
- 	dev->nr_ites = nr_ites;
--	dev->lpi_map = lpi_map;
--	dev->lpi_base = lpi_base;
--	dev->nr_lpis = nr_lpis;
-+	dev->event_map.lpi_map = lpi_map;
-+	dev->event_map.col_map = col_map;
-+	dev->event_map.lpi_base = lpi_base;
-+	dev->event_map.nr_lpis = nr_lpis;
- 	dev->device_id = dev_id;
- 	INIT_LIST_HEAD(&dev->entry);
- 
-@@ -1138,10 +1177,6 @@ static struct its_device *its_create_device(struct its_node *its, u32 dev_id,
- 	list_add(&dev->entry, &its->its_device_list);
- 	raw_spin_unlock_irqrestore(&its->lock, flags);
- 
--	/* Bind the device to the first possible CPU */
--	cpu = cpumask_first(cpu_online_mask);
--	dev->collection = &its->collections[cpu];
--
- 	/* Map device to its ITT */
- 	its_send_mapd(dev, 1);
- 
-@@ -1163,12 +1198,13 @@ static int its_alloc_device_irq(struct its_device *dev, irq_hw_number_t *hwirq)
- {
- 	int idx;
- 
--	idx = find_first_zero_bit(dev->lpi_map, dev->nr_lpis);
--	if (idx == dev->nr_lpis)
-+	idx = find_first_zero_bit(dev->event_map.lpi_map,
-+				  dev->event_map.nr_lpis);
-+	if (idx == dev->event_map.nr_lpis)
- 		return -ENOSPC;
- 
--	*hwirq = dev->lpi_base + idx;
--	set_bit(idx, dev->lpi_map);
-+	*hwirq = dev->event_map.lpi_base + idx;
-+	set_bit(idx, dev->event_map.lpi_map);
- 
- 	return 0;
- }
-@@ -1288,7 +1324,8 @@ static int its_irq_domain_alloc(struct irq_domain *domain, unsigned int virq,
- 		irq_domain_set_hwirq_and_chip(domain, virq + i,
- 					      hwirq, &its_irq_chip, its_dev);
- 		dev_dbg(info->scratchpad[1].ptr, "ID:%d pID:%d vID:%d\n",
--			(int)(hwirq - its_dev->lpi_base), (int)hwirq, virq + i);
-+			(int)(hwirq - its_dev->event_map.lpi_base),
-+			(int)hwirq, virq + i);
- 	}
- 
- 	return 0;
-@@ -1300,6 +1337,9 @@ static void its_irq_domain_activate(struct irq_domain *domain,
- 	struct its_device *its_dev = irq_data_get_irq_chip_data(d);
- 	u32 event = its_get_event_id(d);
- 
-+	/* Bind the LPI to the first possible CPU */
-+	its_dev->event_map.col_map[event] = cpumask_first(cpu_online_mask);
-+
- 	/* Map the GIC IRQ and event to the device */
- 	its_send_mapvi(its_dev, d->hwirq, event);
- }
-@@ -1327,17 +1367,16 @@ static void its_irq_domain_free(struct irq_domain *domain, unsigned int virq,
- 		u32 event = its_get_event_id(data);
- 
- 		/* Mark interrupt index as unused */
--		clear_bit(event, its_dev->lpi_map);
-+		clear_bit(event, its_dev->event_map.lpi_map);
- 
- 		/* Nuke the entry in the domain */
- 		irq_domain_reset_irq_data(data);
- 	}
- 
- 	/* If all interrupts have been freed, start mopping the floor */
--	if (bitmap_empty(its_dev->lpi_map, its_dev->nr_lpis)) {
--		its_lpi_free(its_dev->lpi_map,
--			     its_dev->lpi_base,
--			     its_dev->nr_lpis);
-+	if (bitmap_empty(its_dev->event_map.lpi_map,
-+			 its_dev->event_map.nr_lpis)) {
-+		its_lpi_free(&its_dev->event_map);
- 
- 		/* Unmap device/itt */
- 		its_send_mapd(its_dev, 0);
-diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 2caf492..e8d8456 100644
---- a/drivers/md/dm.c
-+++ b/drivers/md/dm.c
-@@ -1053,13 +1053,10 @@ static struct dm_rq_target_io *tio_from_request(struct request *rq)
-  */
- static void rq_completed(struct mapped_device *md, int rw, bool run_queue)
- {
--	int nr_requests_pending;
--
- 	atomic_dec(&md->pending[rw]);
- 
- 	/* nudge anyone waiting on suspend queue */
--	nr_requests_pending = md_in_flight(md);
--	if (!nr_requests_pending)
-+	if (!md_in_flight(md))
- 		wake_up(&md->wait);
- 
- 	/*
-@@ -1071,8 +1068,7 @@ static void rq_completed(struct mapped_device *md, int rw, bool run_queue)
- 	if (run_queue) {
- 		if (md->queue->mq_ops)
- 			blk_mq_run_hw_queues(md->queue, true);
--		else if (!nr_requests_pending ||
--			 (nr_requests_pending >= md->queue->nr_congestion_on))
-+		else
- 			blk_run_queue_async(md->queue);
- 	}
- 
-diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index 9157a29..cd7b0c1 100644
---- a/drivers/md/raid1.c
-+++ b/drivers/md/raid1.c
-@@ -336,7 +336,7 @@ static void raid1_end_read_request(struct bio *bio, int error)
- 		spin_lock_irqsave(&conf->device_lock, flags);
- 		if (r1_bio->mddev->degraded == conf->raid_disks ||
- 		    (r1_bio->mddev->degraded == conf->raid_disks-1 &&
--		     !test_bit(Faulty, &conf->mirrors[mirror].rdev->flags)))
-+		     test_bit(In_sync, &conf->mirrors[mirror].rdev->flags)))
- 			uptodate = 1;
- 		spin_unlock_irqrestore(&conf->device_lock, flags);
- 	}
-diff --git a/drivers/misc/cxl/context.c b/drivers/misc/cxl/context.c
-index d1b55fe..e4dc8cd 100644
---- a/drivers/misc/cxl/context.c
-+++ b/drivers/misc/cxl/context.c
-@@ -113,11 +113,11 @@ static int cxl_mmap_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
- 
- 	if (ctx->afu->current_mode == CXL_MODE_DEDICATED) {
- 		area = ctx->afu->psn_phys;
--		if (offset > ctx->afu->adapter->ps_size)
-+		if (offset >= ctx->afu->adapter->ps_size)
- 			return VM_FAULT_SIGBUS;
- 	} else {
- 		area = ctx->psn_phys;
--		if (offset > ctx->psn_size)
-+		if (offset >= ctx->psn_size)
- 			return VM_FAULT_SIGBUS;
- 	}
- 
-diff --git a/drivers/misc/cxl/main.c b/drivers/misc/cxl/main.c
-index 8ccddce..de350dd 100644
---- a/drivers/misc/cxl/main.c
-+++ b/drivers/misc/cxl/main.c
-@@ -73,7 +73,7 @@ static inline void cxl_slbia_core(struct mm_struct *mm)
- 		spin_lock(&adapter->afu_list_lock);
- 		for (slice = 0; slice < adapter->slices; slice++) {
- 			afu = adapter->afu[slice];
--			if (!afu->enabled)
-+			if (!afu || !afu->enabled)
- 				continue;
- 			rcu_read_lock();
- 			idr_for_each_entry(&afu->contexts_idr, ctx, id)
-diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c
-index 3e29681..e40bcd03 100644
---- a/drivers/misc/mei/main.c
-+++ b/drivers/misc/mei/main.c
-@@ -685,7 +685,7 @@ int mei_register(struct mei_device *dev, struct device *parent)
- 	/* Fill in the data structures */
- 	devno = MKDEV(MAJOR(mei_devt), dev->minor);
- 	cdev_init(&dev->cdev, &mei_fops);
--	dev->cdev.owner = mei_fops.owner;
-+	dev->cdev.owner = parent->driver->owner;
- 
- 	/* Add the device */
- 	ret = cdev_add(&dev->cdev, devno, 1);
-diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
-index 9df2b68..d0abdffb 100644
---- a/drivers/mmc/host/omap_hsmmc.c
-+++ b/drivers/mmc/host/omap_hsmmc.c
-@@ -1062,6 +1062,10 @@ static void omap_hsmmc_do_irq(struct omap_hsmmc_host *host, int status)
- 
- 		if (status & (CTO_EN | CCRC_EN))
- 			end_cmd = 1;
-+		if (host->data || host->response_busy) {
-+			end_trans = !end_cmd;
-+			host->response_busy = 0;
-+		}
- 		if (status & (CTO_EN | DTO_EN))
- 			hsmmc_command_incomplete(host, -ETIMEDOUT, end_cmd);
- 		else if (status & (CCRC_EN | DCRC_EN))
-@@ -1081,10 +1085,6 @@ static void omap_hsmmc_do_irq(struct omap_hsmmc_host *host, int status)
- 			}
- 			dev_dbg(mmc_dev(host->mmc), "AC12 err: 0x%x\n", ac12);
- 		}
--		if (host->data || host->response_busy) {
--			end_trans = !end_cmd;
--			host->response_busy = 0;
--		}
- 	}
- 
- 	OMAP_HSMMC_WRITE(host->base, STAT, status);
-diff --git a/drivers/mmc/host/sdhci-esdhc.h b/drivers/mmc/host/sdhci-esdhc.h
-index 3497cfa..a870c42 100644
---- a/drivers/mmc/host/sdhci-esdhc.h
-+++ b/drivers/mmc/host/sdhci-esdhc.h
-@@ -45,6 +45,6 @@
- #define ESDHC_DMA_SYSCTL	0x40c
- #define ESDHC_DMA_SNOOP		0x00000040
- 
--#define ESDHC_HOST_CONTROL_RES	0x05
-+#define ESDHC_HOST_CONTROL_RES	0x01
- 
- #endif /* _DRIVERS_MMC_SDHCI_ESDHC_H */
-diff --git a/drivers/mmc/host/sdhci-pxav3.c b/drivers/mmc/host/sdhci-pxav3.c
-index b5103a2..065dc70 100644
---- a/drivers/mmc/host/sdhci-pxav3.c
-+++ b/drivers/mmc/host/sdhci-pxav3.c
-@@ -411,6 +411,7 @@ static int sdhci_pxav3_probe(struct platform_device *pdev)
- 			goto err_of_parse;
- 		sdhci_get_of_property(pdev);
- 		pdata = pxav3_get_mmc_pdata(dev);
-+		pdev->dev.platform_data = pdata;
- 	} else if (pdata) {
- 		/* on-chip device */
- 		if (pdata->flags & PXA_FLAG_CARD_PERMANENT)
-diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
-index d3dbb28..bec8a30 100644
---- a/drivers/mmc/host/sdhci.c
-+++ b/drivers/mmc/host/sdhci.c
-@@ -3037,8 +3037,11 @@ int sdhci_add_host(struct sdhci_host *host)
- 						      GFP_KERNEL);
- 		host->align_buffer = kmalloc(host->align_buffer_sz, GFP_KERNEL);
- 		if (!host->adma_table || !host->align_buffer) {
--			dma_free_coherent(mmc_dev(mmc), host->adma_table_sz,
--					  host->adma_table, host->adma_addr);
-+			if (host->adma_table)
-+				dma_free_coherent(mmc_dev(mmc),
-+						  host->adma_table_sz,
-+						  host->adma_table,
-+						  host->adma_addr);
- 			kfree(host->align_buffer);
- 			pr_warn("%s: Unable to allocate ADMA buffers - falling back to standard DMA\n",
- 				mmc_hostname(mmc));
-diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c
-index 041525d..5d214d1 100644
---- a/drivers/net/can/c_can/c_can.c
-+++ b/drivers/net/can/c_can/c_can.c
-@@ -592,6 +592,7 @@ static int c_can_start(struct net_device *dev)
- {
- 	struct c_can_priv *priv = netdev_priv(dev);
- 	int err;
-+	struct pinctrl *p;
- 
- 	/* basic c_can configuration */
- 	err = c_can_chip_config(dev);
-@@ -604,8 +605,13 @@ static int c_can_start(struct net_device *dev)
- 
- 	priv->can.state = CAN_STATE_ERROR_ACTIVE;
- 
--	/* activate pins */
--	pinctrl_pm_select_default_state(dev->dev.parent);
-+	/* Attempt to use "active" if available else use "default" */
-+	p = pinctrl_get_select(priv->device, "active");
-+	if (!IS_ERR(p))
-+		pinctrl_put(p);
-+	else
-+		pinctrl_pm_select_default_state(priv->device);
-+
- 	return 0;
- }
- 
-diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
-index e9b1810..aede704 100644
---- a/drivers/net/can/dev.c
-+++ b/drivers/net/can/dev.c
-@@ -440,9 +440,6 @@ unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx)
- 		struct can_frame *cf = (struct can_frame *)skb->data;
- 		u8 dlc = cf->can_dlc;
- 
--		if (!(skb->tstamp.tv64))
--			__net_timestamp(skb);
--
- 		netif_rx(priv->echo_skb[idx]);
- 		priv->echo_skb[idx] = NULL;
- 
-@@ -578,7 +575,6 @@ struct sk_buff *alloc_can_skb(struct net_device *dev, struct can_frame **cf)
- 	if (unlikely(!skb))
- 		return NULL;
- 
--	__net_timestamp(skb);
- 	skb->protocol = htons(ETH_P_CAN);
- 	skb->pkt_type = PACKET_BROADCAST;
- 	skb->ip_summed = CHECKSUM_UNNECESSARY;
-@@ -589,6 +585,7 @@ struct sk_buff *alloc_can_skb(struct net_device *dev, struct can_frame **cf)
- 
- 	can_skb_reserve(skb);
- 	can_skb_prv(skb)->ifindex = dev->ifindex;
-+	can_skb_prv(skb)->skbcnt = 0;
- 
- 	*cf = (struct can_frame *)skb_put(skb, sizeof(struct can_frame));
- 	memset(*cf, 0, sizeof(struct can_frame));
-@@ -607,7 +604,6 @@ struct sk_buff *alloc_canfd_skb(struct net_device *dev,
- 	if (unlikely(!skb))
- 		return NULL;
- 
--	__net_timestamp(skb);
- 	skb->protocol = htons(ETH_P_CANFD);
- 	skb->pkt_type = PACKET_BROADCAST;
- 	skb->ip_summed = CHECKSUM_UNNECESSARY;
-@@ -618,6 +614,7 @@ struct sk_buff *alloc_canfd_skb(struct net_device *dev,
- 
- 	can_skb_reserve(skb);
- 	can_skb_prv(skb)->ifindex = dev->ifindex;
-+	can_skb_prv(skb)->skbcnt = 0;
- 
- 	*cfd = (struct canfd_frame *)skb_put(skb, sizeof(struct canfd_frame));
- 	memset(*cfd, 0, sizeof(struct canfd_frame));
-diff --git a/drivers/net/can/rcar_can.c b/drivers/net/can/rcar_can.c
-index 7deb80d..2f9ebad 100644
---- a/drivers/net/can/rcar_can.c
-+++ b/drivers/net/can/rcar_can.c
-@@ -526,7 +526,7 @@ static int rcar_can_open(struct net_device *ndev)
- 	napi_enable(&priv->napi);
- 	err = request_irq(ndev->irq, rcar_can_interrupt, 0, ndev->name, ndev);
- 	if (err) {
--		netdev_err(ndev, "error requesting interrupt %x\n", ndev->irq);
-+		netdev_err(ndev, "error requesting interrupt %d\n", ndev->irq);
- 		goto out_close;
- 	}
- 	can_led_event(ndev, CAN_LED_EVENT_OPEN);
-@@ -758,8 +758,9 @@ static int rcar_can_probe(struct platform_device *pdev)
- 	}
- 
- 	irq = platform_get_irq(pdev, 0);
--	if (!irq) {
-+	if (irq < 0) {
- 		dev_err(&pdev->dev, "No IRQ resource\n");
-+		err = irq;
- 		goto fail;
- 	}
- 
-@@ -823,7 +824,7 @@ static int rcar_can_probe(struct platform_device *pdev)
- 
- 	devm_can_led_init(ndev);
- 
--	dev_info(&pdev->dev, "device registered (reg_base=%p, irq=%u)\n",
-+	dev_info(&pdev->dev, "device registered (regs @ %p, IRQ%d)\n",
- 		 priv->regs, ndev->irq);
- 
- 	return 0;
-diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c
-index f64f529..a23a7af 100644
---- a/drivers/net/can/slcan.c
-+++ b/drivers/net/can/slcan.c
-@@ -207,7 +207,6 @@ static void slc_bump(struct slcan *sl)
- 	if (!skb)
- 		return;
- 
--	__net_timestamp(skb);
- 	skb->dev = sl->dev;
- 	skb->protocol = htons(ETH_P_CAN);
- 	skb->pkt_type = PACKET_BROADCAST;
-@@ -215,6 +214,7 @@ static void slc_bump(struct slcan *sl)
- 
- 	can_skb_reserve(skb);
- 	can_skb_prv(skb)->ifindex = sl->dev->ifindex;
-+	can_skb_prv(skb)->skbcnt = 0;
- 
- 	memcpy(skb_put(skb, sizeof(struct can_frame)),
- 	       &cf, sizeof(struct can_frame));
-diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
-index bf63fee..34c625e 100644
---- a/drivers/net/can/spi/mcp251x.c
-+++ b/drivers/net/can/spi/mcp251x.c
-@@ -1221,17 +1221,16 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev)
- 	struct spi_device *spi = to_spi_device(dev);
- 	struct mcp251x_priv *priv = spi_get_drvdata(spi);
- 
--	if (priv->after_suspend & AFTER_SUSPEND_POWER) {
-+	if (priv->after_suspend & AFTER_SUSPEND_POWER)
- 		mcp251x_power_enable(priv->power, 1);
-+
-+	if (priv->after_suspend & AFTER_SUSPEND_UP) {
-+		mcp251x_power_enable(priv->transceiver, 1);
- 		queue_work(priv->wq, &priv->restart_work);
- 	} else {
--		if (priv->after_suspend & AFTER_SUSPEND_UP) {
--			mcp251x_power_enable(priv->transceiver, 1);
--			queue_work(priv->wq, &priv->restart_work);
--		} else {
--			priv->after_suspend = 0;
--		}
-+		priv->after_suspend = 0;
- 	}
-+
- 	priv->force_quit = 0;
- 	enable_irq(spi->irq);
- 	return 0;
-diff --git a/drivers/net/can/vcan.c b/drivers/net/can/vcan.c
-index 0ce868d..674f367 100644
---- a/drivers/net/can/vcan.c
-+++ b/drivers/net/can/vcan.c
-@@ -78,9 +78,6 @@ static void vcan_rx(struct sk_buff *skb, struct net_device *dev)
- 	skb->dev       = dev;
- 	skb->ip_summed = CHECKSUM_UNNECESSARY;
- 
--	if (!(skb->tstamp.tv64))
--		__net_timestamp(skb);
--
- 	netif_rx_ni(skb);
- }
- 
-diff --git a/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c b/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c
-index 8e604a3..ef20be0 100644
---- a/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c
-+++ b/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c
-@@ -540,13 +540,11 @@ static void iwl_set_hw_address_family_8000(struct device *dev,
- 		hw_addr = (const u8 *)(mac_override +
- 				 MAC_ADDRESS_OVERRIDE_FAMILY_8000);
- 
--		/* The byte order is little endian 16 bit, meaning 214365 */
--		data->hw_addr[0] = hw_addr[1];
--		data->hw_addr[1] = hw_addr[0];
--		data->hw_addr[2] = hw_addr[3];
--		data->hw_addr[3] = hw_addr[2];
--		data->hw_addr[4] = hw_addr[5];
--		data->hw_addr[5] = hw_addr[4];
-+		/*
-+		 * Store the MAC address from MAO section.
-+		 * No byte swapping is required in MAO section
-+		 */
-+		memcpy(data->hw_addr, hw_addr, ETH_ALEN);
- 
- 		/*
- 		 * Force the use of the OTP MAC address in case of reserved MAC
-diff --git a/drivers/net/wireless/iwlwifi/mvm/tx.c b/drivers/net/wireless/iwlwifi/mvm/tx.c
-index ef32e17..281451c 100644
---- a/drivers/net/wireless/iwlwifi/mvm/tx.c
-+++ b/drivers/net/wireless/iwlwifi/mvm/tx.c
-@@ -225,7 +225,7 @@ void iwl_mvm_set_tx_cmd_rate(struct iwl_mvm *mvm, struct iwl_tx_cmd *tx_cmd,
- 
- 	if (info->band == IEEE80211_BAND_2GHZ &&
- 	    !iwl_mvm_bt_coex_is_shared_ant_avail(mvm))
--		rate_flags = BIT(mvm->cfg->non_shared_ant) << RATE_MCS_ANT_POS;
-+		rate_flags = mvm->cfg->non_shared_ant << RATE_MCS_ANT_POS;
- 	else
- 		rate_flags =
- 			BIT(mvm->mgmt_last_antenna_idx) << RATE_MCS_ANT_POS;
-diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
-index dc17909..37e6a6f 100644
---- a/drivers/net/wireless/iwlwifi/pcie/trans.c
-+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
-@@ -2515,6 +2515,12 @@ struct iwl_trans *iwl_trans_pcie_alloc(struct pci_dev *pdev,
- 		trans->hw_rev = (trans->hw_rev & 0xfff0) |
- 				(CSR_HW_REV_STEP(trans->hw_rev << 2) << 2);
- 
-+		ret = iwl_pcie_prepare_card_hw(trans);
-+		if (ret) {
-+			IWL_WARN(trans, "Exit HW not ready\n");
-+			goto out_pci_disable_msi;
-+		}
-+
- 		/*
- 		 * in-order to recognize C step driver should read chip version
- 		 * id located at the AUX bus MISC address space.
-diff --git a/drivers/pinctrl/freescale/pinctrl-imx1-core.c b/drivers/pinctrl/freescale/pinctrl-imx1-core.c
-index 5ac59fb..d3a3be7 100644
---- a/drivers/pinctrl/freescale/pinctrl-imx1-core.c
-+++ b/drivers/pinctrl/freescale/pinctrl-imx1-core.c
-@@ -403,14 +403,13 @@ static int imx1_pinconf_set(struct pinctrl_dev *pctldev,
- 			     unsigned num_configs)
- {
- 	struct imx1_pinctrl *ipctl = pinctrl_dev_get_drvdata(pctldev);
--	const struct imx1_pinctrl_soc_info *info = ipctl->info;
- 	int i;
- 
- 	for (i = 0; i != num_configs; ++i) {
- 		imx1_write_bit(ipctl, pin_id, configs[i] & 0x01, MX1_PUEN);
- 
- 		dev_dbg(ipctl->dev, "pinconf set pullup pin %s\n",
--			info->pins[pin_id].name);
-+			pin_desc_get(pctldev, pin_id)->name);
- 	}
- 
- 	return 0;
-diff --git a/drivers/regulator/s2mps11.c b/drivers/regulator/s2mps11.c
-index ff82811..8de1351 100644
---- a/drivers/regulator/s2mps11.c
-+++ b/drivers/regulator/s2mps11.c
-@@ -34,6 +34,8 @@
- #include <linux/mfd/samsung/s2mps14.h>
- #include <linux/mfd/samsung/s2mpu02.h>
- 
-+/* The highest number of possible regulators for supported devices. */
-+#define S2MPS_REGULATOR_MAX		S2MPS13_REGULATOR_MAX
- struct s2mps11_info {
- 	unsigned int rdev_num;
- 	int ramp_delay2;
-@@ -49,7 +51,7 @@ struct s2mps11_info {
- 	 * One bit for each S2MPS13/S2MPS14/S2MPU02 regulator whether
- 	 * the suspend mode was enabled.
- 	 */
--	unsigned long long s2mps14_suspend_state:50;
-+	DECLARE_BITMAP(suspend_state, S2MPS_REGULATOR_MAX);
- 
- 	/* Array of size rdev_num with GPIO-s for external sleep control */
- 	int *ext_control_gpio;
-@@ -500,7 +502,7 @@ static int s2mps14_regulator_enable(struct regulator_dev *rdev)
- 	switch (s2mps11->dev_type) {
- 	case S2MPS13X:
- 	case S2MPS14X:
--		if (s2mps11->s2mps14_suspend_state & (1 << rdev_get_id(rdev)))
-+		if (test_bit(rdev_get_id(rdev), s2mps11->suspend_state))
- 			val = S2MPS14_ENABLE_SUSPEND;
- 		else if (gpio_is_valid(s2mps11->ext_control_gpio[rdev_get_id(rdev)]))
- 			val = S2MPS14_ENABLE_EXT_CONTROL;
-@@ -508,7 +510,7 @@ static int s2mps14_regulator_enable(struct regulator_dev *rdev)
- 			val = rdev->desc->enable_mask;
- 		break;
- 	case S2MPU02:
--		if (s2mps11->s2mps14_suspend_state & (1 << rdev_get_id(rdev)))
-+		if (test_bit(rdev_get_id(rdev), s2mps11->suspend_state))
- 			val = S2MPU02_ENABLE_SUSPEND;
- 		else
- 			val = rdev->desc->enable_mask;
-@@ -562,7 +564,7 @@ static int s2mps14_regulator_set_suspend_disable(struct regulator_dev *rdev)
- 	if (ret < 0)
- 		return ret;
- 
--	s2mps11->s2mps14_suspend_state |= (1 << rdev_get_id(rdev));
-+	set_bit(rdev_get_id(rdev), s2mps11->suspend_state);
- 	/*
- 	 * Don't enable suspend mode if regulator is already disabled because
- 	 * this would effectively for a short time turn on the regulator after
-@@ -960,18 +962,22 @@ static int s2mps11_pmic_probe(struct platform_device *pdev)
- 	case S2MPS11X:
- 		s2mps11->rdev_num = ARRAY_SIZE(s2mps11_regulators);
- 		regulators = s2mps11_regulators;
-+		BUILD_BUG_ON(S2MPS_REGULATOR_MAX < s2mps11->rdev_num);
- 		break;
- 	case S2MPS13X:
- 		s2mps11->rdev_num = ARRAY_SIZE(s2mps13_regulators);
- 		regulators = s2mps13_regulators;
-+		BUILD_BUG_ON(S2MPS_REGULATOR_MAX < s2mps11->rdev_num);
- 		break;
- 	case S2MPS14X:
- 		s2mps11->rdev_num = ARRAY_SIZE(s2mps14_regulators);
- 		regulators = s2mps14_regulators;
-+		BUILD_BUG_ON(S2MPS_REGULATOR_MAX < s2mps11->rdev_num);
- 		break;
- 	case S2MPU02:
- 		s2mps11->rdev_num = ARRAY_SIZE(s2mpu02_regulators);
- 		regulators = s2mpu02_regulators;
-+		BUILD_BUG_ON(S2MPS_REGULATOR_MAX < s2mps11->rdev_num);
- 		break;
- 	default:
- 		dev_err(&pdev->dev, "Invalid device type: %u\n",
-diff --git a/drivers/scsi/qla2xxx/qla_dbg.c b/drivers/scsi/qla2xxx/qla_dbg.c
-index 0e6ee3c..e9ae6b9 100644
---- a/drivers/scsi/qla2xxx/qla_dbg.c
-+++ b/drivers/scsi/qla2xxx/qla_dbg.c
-@@ -68,7 +68,7 @@
-  * |                              |                    | 0xd101-0xd1fe	|
-  * |                              |                    | 0xd214-0xd2fe	|
-  * | Target Mode		  |	  0xe079       |		|
-- * | Target Mode Management	  |	  0xf072       | 0xf002		|
-+ * | Target Mode Management	  |	  0xf080       | 0xf002		|
-  * |                              |                    | 0xf046-0xf049  |
-  * | Target Mode Task Management  |	  0x1000b      |		|
-  * ----------------------------------------------------------------------
-diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
-index 285cb20..998498e 100644
---- a/drivers/scsi/qla2xxx/qla_init.c
-+++ b/drivers/scsi/qla2xxx/qla_init.c
-@@ -2924,6 +2924,7 @@ qla2x00_rport_del(void *data)
- 	struct fc_rport *rport;
- 	scsi_qla_host_t *vha = fcport->vha;
- 	unsigned long flags;
-+	unsigned long vha_flags;
- 
- 	spin_lock_irqsave(fcport->vha->host->host_lock, flags);
- 	rport = fcport->drport ? fcport->drport: fcport->rport;
-@@ -2935,7 +2936,9 @@ qla2x00_rport_del(void *data)
- 		 * Release the target mode FC NEXUS in qla_target.c code
- 		 * if target mod is enabled.
- 		 */
-+		spin_lock_irqsave(&vha->hw->hardware_lock, vha_flags);
- 		qlt_fc_port_deleted(vha, fcport);
-+		spin_unlock_irqrestore(&vha->hw->hardware_lock, vha_flags);
- 	}
- }
- 
-@@ -3303,6 +3306,7 @@ qla2x00_reg_remote_port(scsi_qla_host_t *vha, fc_port_t *fcport)
- 	 * Create target mode FC NEXUS in qla_target.c if target mode is
- 	 * enabled..
- 	 */
-+
- 	qlt_fc_port_added(vha, fcport);
- 
- 	spin_lock_irqsave(fcport->vha->host->host_lock, flags);
-@@ -3460,20 +3464,43 @@ qla2x00_configure_fabric(scsi_qla_host_t *vha)
- 			if ((fcport->flags & FCF_FABRIC_DEVICE) == 0)
- 				continue;
- 
--			if (fcport->scan_state == QLA_FCPORT_SCAN &&
--			    atomic_read(&fcport->state) == FCS_ONLINE) {
--				qla2x00_mark_device_lost(vha, fcport,
--				    ql2xplogiabsentdevice, 0);
--				if (fcport->loop_id != FC_NO_LOOP_ID &&
--				    (fcport->flags & FCF_FCP2_DEVICE) == 0 &&
--				    fcport->port_type != FCT_INITIATOR &&
--				    fcport->port_type != FCT_BROADCAST) {
--					ha->isp_ops->fabric_logout(vha,
--					    fcport->loop_id,
--					    fcport->d_id.b.domain,
--					    fcport->d_id.b.area,
--					    fcport->d_id.b.al_pa);
--					qla2x00_clear_loop_id(fcport);
-+			if (fcport->scan_state == QLA_FCPORT_SCAN) {
-+				if (qla_ini_mode_enabled(base_vha) &&
-+				    atomic_read(&fcport->state) == FCS_ONLINE) {
-+					qla2x00_mark_device_lost(vha, fcport,
-+					    ql2xplogiabsentdevice, 0);
-+					if (fcport->loop_id != FC_NO_LOOP_ID &&
-+					    (fcport->flags & FCF_FCP2_DEVICE) == 0 &&
-+					    fcport->port_type != FCT_INITIATOR &&
-+					    fcport->port_type != FCT_BROADCAST) {
-+						ha->isp_ops->fabric_logout(vha,
-+						    fcport->loop_id,
-+						    fcport->d_id.b.domain,
-+						    fcport->d_id.b.area,
-+						    fcport->d_id.b.al_pa);
-+						qla2x00_clear_loop_id(fcport);
-+					}
-+				} else if (!qla_ini_mode_enabled(base_vha)) {
-+					/*
-+					 * In target mode, explicitly kill
-+					 * sessions and log out of devices
-+					 * that are gone, so that we don't
-+					 * end up with an initiator using the
-+					 * wrong ACL (if the fabric recycles
-+					 * an FC address and we have a stale
-+					 * session around) and so that we don't
-+					 * report initiators that are no longer
-+					 * on the fabric.
-+					 */
-+					ql_dbg(ql_dbg_tgt_mgt, vha, 0xf077,
-+					    "port gone, logging out/killing session: "
-+					    "%8phC state 0x%x flags 0x%x fc4_type 0x%x "
-+					    "scan_state %d\n",
-+					    fcport->port_name,
-+					    atomic_read(&fcport->state),
-+					    fcport->flags, fcport->fc4_type,
-+					    fcport->scan_state);
-+					qlt_fc_port_deleted(vha, fcport);
- 				}
- 			}
- 		}
-@@ -3494,6 +3521,28 @@ qla2x00_configure_fabric(scsi_qla_host_t *vha)
- 			    (fcport->flags & FCF_LOGIN_NEEDED) == 0)
- 				continue;
- 
-+			/*
-+			 * If we're not an initiator, skip looking for devices
-+			 * and logging in.  There's no reason for us to do it,
-+			 * and it seems to actively cause problems in target
-+			 * mode if we race with the initiator logging into us
-+			 * (we might get the "port ID used" status back from
-+			 * our login command and log out the initiator, which
-+			 * seems to cause havoc).
-+			 */
-+			if (!qla_ini_mode_enabled(base_vha)) {
-+				if (fcport->scan_state == QLA_FCPORT_FOUND) {
-+					ql_dbg(ql_dbg_tgt_mgt, vha, 0xf078,
-+					    "port %8phC state 0x%x flags 0x%x fc4_type 0x%x "
-+					    "scan_state %d (initiator mode disabled; skipping "
-+					    "login)\n", fcport->port_name,
-+					    atomic_read(&fcport->state),
-+					    fcport->flags, fcport->fc4_type,
-+					    fcport->scan_state);
-+				}
-+				continue;
-+			}
-+
- 			if (fcport->loop_id == FC_NO_LOOP_ID) {
- 				fcport->loop_id = next_loopid;
- 				rval = qla2x00_find_new_loop_id(
-@@ -3520,16 +3569,38 @@ qla2x00_configure_fabric(scsi_qla_host_t *vha)
- 			    test_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags))
- 				break;
- 
--			/* Find a new loop ID to use. */
--			fcport->loop_id = next_loopid;
--			rval = qla2x00_find_new_loop_id(base_vha, fcport);
--			if (rval != QLA_SUCCESS) {
--				/* Ran out of IDs to use */
--				break;
--			}
-+			/*
-+			 * If we're not an initiator, skip looking for devices
-+			 * and logging in.  There's no reason for us to do it,
-+			 * and it seems to actively cause problems in target
-+			 * mode if we race with the initiator logging into us
-+			 * (we might get the "port ID used" status back from
-+			 * our login command and log out the initiator, which
-+			 * seems to cause havoc).
-+			 */
-+			if (qla_ini_mode_enabled(base_vha)) {
-+				/* Find a new loop ID to use. */
-+				fcport->loop_id = next_loopid;
-+				rval = qla2x00_find_new_loop_id(base_vha,
-+				    fcport);
-+				if (rval != QLA_SUCCESS) {
-+					/* Ran out of IDs to use */
-+					break;
-+				}
- 
--			/* Login and update database */
--			qla2x00_fabric_dev_login(vha, fcport, &next_loopid);
-+				/* Login and update database */
-+				qla2x00_fabric_dev_login(vha, fcport,
-+				    &next_loopid);
-+			} else {
-+				ql_dbg(ql_dbg_tgt_mgt, vha, 0xf079,
-+					"new port %8phC state 0x%x flags 0x%x fc4_type "
-+					"0x%x scan_state %d (initiator mode disabled; "
-+					"skipping login)\n",
-+					fcport->port_name,
-+					atomic_read(&fcport->state),
-+					fcport->flags, fcport->fc4_type,
-+					fcport->scan_state);
-+			}
- 
- 			list_move_tail(&fcport->list, &vha->vp_fcports);
- 		}
-@@ -3725,11 +3796,12 @@ qla2x00_find_all_fabric_devs(scsi_qla_host_t *vha,
- 			fcport->fp_speed = new_fcport->fp_speed;
- 
- 			/*
--			 * If address the same and state FCS_ONLINE, nothing
--			 * changed.
-+			 * If address the same and state FCS_ONLINE
-+			 * (or in target mode), nothing changed.
- 			 */
- 			if (fcport->d_id.b24 == new_fcport->d_id.b24 &&
--			    atomic_read(&fcport->state) == FCS_ONLINE) {
-+			    (atomic_read(&fcport->state) == FCS_ONLINE ||
-+			     !qla_ini_mode_enabled(base_vha))) {
- 				break;
- 			}
- 
-@@ -3749,6 +3821,22 @@ qla2x00_find_all_fabric_devs(scsi_qla_host_t *vha,
- 			 * Log it out if still logged in and mark it for
- 			 * relogin later.
- 			 */
-+			if (!qla_ini_mode_enabled(base_vha)) {
-+				ql_dbg(ql_dbg_tgt_mgt, vha, 0xf080,
-+					 "port changed FC ID, %8phC"
-+					 " old %x:%x:%x (loop_id 0x%04x)-> new %x:%x:%x\n",
-+					 fcport->port_name,
-+					 fcport->d_id.b.domain,
-+					 fcport->d_id.b.area,
-+					 fcport->d_id.b.al_pa,
-+					 fcport->loop_id,
-+					 new_fcport->d_id.b.domain,
-+					 new_fcport->d_id.b.area,
-+					 new_fcport->d_id.b.al_pa);
-+				fcport->d_id.b24 = new_fcport->d_id.b24;
-+				break;
-+			}
-+
- 			fcport->d_id.b24 = new_fcport->d_id.b24;
- 			fcport->flags |= FCF_LOGIN_NEEDED;
- 			if (fcport->loop_id != FC_NO_LOOP_ID &&
-@@ -3768,6 +3856,7 @@ qla2x00_find_all_fabric_devs(scsi_qla_host_t *vha,
- 		if (found)
- 			continue;
- 		/* If device was not in our fcports list, then add it. */
-+		new_fcport->scan_state = QLA_FCPORT_FOUND;
- 		list_add_tail(&new_fcport->list, new_fcports);
- 
- 		/* Allocate a new replacement fcport. */
-diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
-index fe8a8d1..496a733 100644
---- a/drivers/scsi/qla2xxx/qla_target.c
-+++ b/drivers/scsi/qla2xxx/qla_target.c
-@@ -113,6 +113,7 @@ static void qlt_abort_cmd_on_host_reset(struct scsi_qla_host *vha,
- static void qlt_alloc_qfull_cmd(struct scsi_qla_host *vha,
- 	struct atio_from_isp *atio, uint16_t status, int qfull);
- static void qlt_disable_vha(struct scsi_qla_host *vha);
-+static void qlt_clear_tgt_db(struct qla_tgt *tgt);
- /*
-  * Global Variables
-  */
-@@ -431,10 +432,10 @@ static int qlt_reset(struct scsi_qla_host *vha, void *iocb, int mcmd)
- 
- 	loop_id = le16_to_cpu(n->u.isp24.nport_handle);
- 	if (loop_id == 0xFFFF) {
--#if 0 /* FIXME: Re-enable Global event handling.. */
- 		/* Global event */
--		atomic_inc(&ha->tgt.qla_tgt->tgt_global_resets_count);
--		qlt_clear_tgt_db(ha->tgt.qla_tgt);
-+		atomic_inc(&vha->vha_tgt.qla_tgt->tgt_global_resets_count);
-+		qlt_clear_tgt_db(vha->vha_tgt.qla_tgt);
-+#if 0 /* FIXME: do we need to choose a session here? */
- 		if (!list_empty(&ha->tgt.qla_tgt->sess_list)) {
- 			sess = list_entry(ha->tgt.qla_tgt->sess_list.next,
- 			    typeof(*sess), sess_list_entry);
-@@ -782,25 +783,20 @@ void qlt_fc_port_added(struct scsi_qla_host *vha, fc_port_t *fcport)
- 
- void qlt_fc_port_deleted(struct scsi_qla_host *vha, fc_port_t *fcport)
- {
--	struct qla_hw_data *ha = vha->hw;
- 	struct qla_tgt *tgt = vha->vha_tgt.qla_tgt;
- 	struct qla_tgt_sess *sess;
--	unsigned long flags;
- 
- 	if (!vha->hw->tgt.tgt_ops)
- 		return;
- 
--	if (!tgt || (fcport->port_type != FCT_INITIATOR))
-+	if (!tgt)
- 		return;
- 
--	spin_lock_irqsave(&ha->hardware_lock, flags);
- 	if (tgt->tgt_stop) {
--		spin_unlock_irqrestore(&ha->hardware_lock, flags);
- 		return;
- 	}
- 	sess = qlt_find_sess_by_port_name(tgt, fcport->port_name);
- 	if (!sess) {
--		spin_unlock_irqrestore(&ha->hardware_lock, flags);
- 		return;
- 	}
- 
-@@ -808,7 +804,6 @@ void qlt_fc_port_deleted(struct scsi_qla_host *vha, fc_port_t *fcport)
- 
- 	sess->local = 1;
- 	qlt_schedule_sess_for_deletion(sess, false);
--	spin_unlock_irqrestore(&ha->hardware_lock, flags);
- }
- 
- static inline int test_tgt_sess_count(struct qla_tgt *tgt)
-@@ -2347,9 +2342,10 @@ int qlt_xmit_response(struct qla_tgt_cmd *cmd, int xmit_type,
- 		res = qlt_build_ctio_crc2_pkt(&prm, vha);
- 	else
- 		res = qlt_24xx_build_ctio_pkt(&prm, vha);
--	if (unlikely(res != 0))
-+	if (unlikely(res != 0)) {
-+		vha->req->cnt += full_req_cnt;
- 		goto out_unmap_unlock;
--
-+	}
- 
- 	pkt = (struct ctio7_to_24xx *)prm.pkt;
- 
-@@ -2487,8 +2483,11 @@ int qlt_rdy_to_xfer(struct qla_tgt_cmd *cmd)
- 	else
- 		res = qlt_24xx_build_ctio_pkt(&prm, vha);
- 
--	if (unlikely(res != 0))
-+	if (unlikely(res != 0)) {
-+		vha->req->cnt += prm.req_cnt;
- 		goto out_unlock_free_unmap;
-+	}
-+
- 	pkt = (struct ctio7_to_24xx *)prm.pkt;
- 	pkt->u.status0.flags |= __constant_cpu_to_le16(CTIO7_FLAGS_DATA_OUT |
- 	    CTIO7_FLAGS_STATUS_MODE_0);
-@@ -2717,7 +2716,7 @@ static int __qlt_send_term_exchange(struct scsi_qla_host *vha,
- static void qlt_send_term_exchange(struct scsi_qla_host *vha,
- 	struct qla_tgt_cmd *cmd, struct atio_from_isp *atio, int ha_locked)
- {
--	unsigned long flags;
-+	unsigned long flags = 0;
- 	int rc;
- 
- 	if (qlt_issue_marker(vha, ha_locked) < 0)
-@@ -2733,17 +2732,18 @@ static void qlt_send_term_exchange(struct scsi_qla_host *vha,
- 	rc = __qlt_send_term_exchange(vha, cmd, atio);
- 	if (rc == -ENOMEM)
- 		qlt_alloc_qfull_cmd(vha, atio, 0, 0);
--	spin_unlock_irqrestore(&vha->hw->hardware_lock, flags);
- 
- done:
- 	if (cmd && ((cmd->state != QLA_TGT_STATE_ABORTED) ||
- 	    !cmd->cmd_sent_to_fw)) {
--		if (!ha_locked && !in_interrupt())
--			msleep(250); /* just in case */
--
--		qlt_unmap_sg(vha, cmd);
-+		if (cmd->sg_mapped)
-+			qlt_unmap_sg(vha, cmd);
- 		vha->hw->tgt.tgt_ops->free_cmd(cmd);
- 	}
-+
-+	if (!ha_locked)
-+		spin_unlock_irqrestore(&vha->hw->hardware_lock, flags);
-+
- 	return;
- }
- 
-@@ -3347,6 +3347,11 @@ static struct qla_tgt_cmd *qlt_get_tag(scsi_qla_host_t *vha,
- 	cmd->loop_id = sess->loop_id;
- 	cmd->conf_compl_supported = sess->conf_compl_supported;
- 
-+	cmd->cmd_flags = 0;
-+	cmd->jiffies_at_alloc = get_jiffies_64();
-+
-+	cmd->reset_count = vha->hw->chip_reset;
-+
- 	return cmd;
- }
- 
-@@ -3453,11 +3458,6 @@ static int qlt_handle_cmd_for_atio(struct scsi_qla_host *vha,
- 		return -ENOMEM;
- 	}
- 
--	cmd->cmd_flags = 0;
--	cmd->jiffies_at_alloc = get_jiffies_64();
--
--	cmd->reset_count = vha->hw->chip_reset;
--
- 	cmd->cmd_in_wq = 1;
- 	cmd->cmd_flags |= BIT_0;
- 	INIT_WORK(&cmd->work, qlt_do_work);
-diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
-index c95a4e9..59c31bf 100644
---- a/drivers/scsi/scsi_error.c
-+++ b/drivers/scsi/scsi_error.c
-@@ -944,7 +944,7 @@ void scsi_eh_prep_cmnd(struct scsi_cmnd *scmd, struct scsi_eh_save *ses,
- 			    scmd->sdb.length);
- 		scmd->sdb.table.sgl = &ses->sense_sgl;
- 		scmd->sc_data_direction = DMA_FROM_DEVICE;
--		scmd->sdb.table.nents = 1;
-+		scmd->sdb.table.nents = scmd->sdb.table.orig_nents = 1;
- 		scmd->cmnd[0] = REQUEST_SENSE;
- 		scmd->cmnd[4] = scmd->sdb.length;
- 		scmd->cmd_len = COMMAND_SIZE(scmd->cmnd[0]);
-diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index b1a2631..448ebda 100644
---- a/drivers/scsi/scsi_lib.c
-+++ b/drivers/scsi/scsi_lib.c
-@@ -583,7 +583,7 @@ static struct scatterlist *scsi_sg_alloc(unsigned int nents, gfp_t gfp_mask)
- 
- static void scsi_free_sgtable(struct scsi_data_buffer *sdb, bool mq)
- {
--	if (mq && sdb->table.nents <= SCSI_MAX_SG_SEGMENTS)
-+	if (mq && sdb->table.orig_nents <= SCSI_MAX_SG_SEGMENTS)
- 		return;
- 	__sg_free_table(&sdb->table, SCSI_MAX_SG_SEGMENTS, mq, scsi_sg_free);
- }
-@@ -597,8 +597,8 @@ static int scsi_alloc_sgtable(struct scsi_data_buffer *sdb, int nents, bool mq)
- 
- 	if (mq) {
- 		if (nents <= SCSI_MAX_SG_SEGMENTS) {
--			sdb->table.nents = nents;
--			sg_init_table(sdb->table.sgl, sdb->table.nents);
-+			sdb->table.nents = sdb->table.orig_nents = nents;
-+			sg_init_table(sdb->table.sgl, nents);
- 			return 0;
- 		}
- 		first_chunk = sdb->table.sgl;
-diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
-index 1ac38e7..9ad4116 100644
---- a/drivers/scsi/scsi_sysfs.c
-+++ b/drivers/scsi/scsi_sysfs.c
-@@ -859,7 +859,7 @@ sdev_store_queue_depth(struct device *dev, struct device_attribute *attr,
- 
- 	depth = simple_strtoul(buf, NULL, 0);
- 
--	if (depth < 1 || depth > sht->can_queue)
-+	if (depth < 1 || depth > sdev->host->can_queue)
- 		return -EINVAL;
- 
- 	retval = sht->change_queue_depth(sdev, depth);
-diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
-index 9a1c342..525ab4c 100644
---- a/drivers/scsi/st.c
-+++ b/drivers/scsi/st.c
-@@ -1274,9 +1274,9 @@ static int st_open(struct inode *inode, struct file *filp)
- 	spin_lock(&st_use_lock);
- 	STp->in_use = 0;
- 	spin_unlock(&st_use_lock);
--	scsi_tape_put(STp);
- 	if (resumed)
- 		scsi_autopm_put_device(STp->device);
-+	scsi_tape_put(STp);
- 	return retval;
- 
- }
-diff --git a/drivers/spi/spi-img-spfi.c b/drivers/spi/spi-img-spfi.c
-index 788e2b1..acce90a 100644
---- a/drivers/spi/spi-img-spfi.c
-+++ b/drivers/spi/spi-img-spfi.c
-@@ -40,6 +40,7 @@
- #define SPFI_CONTROL_SOFT_RESET			BIT(11)
- #define SPFI_CONTROL_SEND_DMA			BIT(10)
- #define SPFI_CONTROL_GET_DMA			BIT(9)
-+#define SPFI_CONTROL_SE			BIT(8)
- #define SPFI_CONTROL_TMODE_SHIFT		5
- #define SPFI_CONTROL_TMODE_MASK			0x7
- #define SPFI_CONTROL_TMODE_SINGLE		0
-@@ -491,6 +492,7 @@ static void img_spfi_config(struct spi_master *master, struct spi_device *spi,
- 	else if (xfer->tx_nbits == SPI_NBITS_QUAD &&
- 		 xfer->rx_nbits == SPI_NBITS_QUAD)
- 		val |= SPFI_CONTROL_TMODE_QUAD << SPFI_CONTROL_TMODE_SHIFT;
-+	val |= SPFI_CONTROL_SE;
- 	spfi_writel(spfi, val, SPFI_CONTROL);
- }
- 
-diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
-index f08e812..412b9c8 100644
---- a/drivers/spi/spi-imx.c
-+++ b/drivers/spi/spi-imx.c
-@@ -201,8 +201,9 @@ static bool spi_imx_can_dma(struct spi_master *master, struct spi_device *spi,
- {
- 	struct spi_imx_data *spi_imx = spi_master_get_devdata(master);
- 
--	if (spi_imx->dma_is_inited && (transfer->len > spi_imx->rx_wml)
--	    && (transfer->len > spi_imx->tx_wml))
-+	if (spi_imx->dma_is_inited
-+	    && transfer->len > spi_imx->rx_wml * sizeof(u32)
-+	    && transfer->len > spi_imx->tx_wml * sizeof(u32))
- 		return true;
- 	return false;
- }
-diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
-index 74e6114f..305a5cb 100644
---- a/drivers/target/iscsi/iscsi_target.c
-+++ b/drivers/target/iscsi/iscsi_target.c
-@@ -4001,7 +4001,13 @@ get_immediate:
- 	}
- 
- transport_err:
--	iscsit_take_action_for_connection_exit(conn);
-+	/*
-+	 * Avoid the normal connection failure code-path if this connection
-+	 * is still within LOGIN mode, and iscsi_np process context is
-+	 * responsible for cleaning up the early connection failure.
-+	 */
-+	if (conn->conn_state != TARG_CONN_STATE_IN_LOGIN)
-+		iscsit_take_action_for_connection_exit(conn);
- out:
- 	return 0;
- }
-@@ -4093,7 +4099,7 @@ reject:
- 
- int iscsi_target_rx_thread(void *arg)
- {
--	int ret;
-+	int ret, rc;
- 	u8 buffer[ISCSI_HDR_LEN], opcode;
- 	u32 checksum = 0, digest = 0;
- 	struct iscsi_conn *conn = arg;
-@@ -4103,10 +4109,16 @@ int iscsi_target_rx_thread(void *arg)
- 	 * connection recovery / failure event can be triggered externally.
- 	 */
- 	allow_signal(SIGINT);
-+	/*
-+	 * Wait for iscsi_post_login_handler() to complete before allowing
-+	 * incoming iscsi/tcp socket I/O, and/or failing the connection.
-+	 */
-+	rc = wait_for_completion_interruptible(&conn->rx_login_comp);
-+	if (rc < 0)
-+		return 0;
- 
- 	if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) {
- 		struct completion comp;
--		int rc;
- 
- 		init_completion(&comp);
- 		rc = wait_for_completion_interruptible(&comp);
-@@ -4543,7 +4555,18 @@ static void iscsit_logout_post_handler_closesession(
- 	struct iscsi_conn *conn)
- {
- 	struct iscsi_session *sess = conn->sess;
--	int sleep = cmpxchg(&conn->tx_thread_active, true, false);
-+	int sleep = 1;
-+	/*
-+	 * Traditional iscsi/tcp will invoke this logic from TX thread
-+	 * context during session logout, so clear tx_thread_active and
-+	 * sleep if iscsit_close_connection() has not already occured.
-+	 *
-+	 * Since iser-target invokes this logic from it's own workqueue,
-+	 * always sleep waiting for RX/TX thread shutdown to complete
-+	 * within iscsit_close_connection().
-+	 */
-+	if (conn->conn_transport->transport_type == ISCSI_TCP)
-+		sleep = cmpxchg(&conn->tx_thread_active, true, false);
- 
- 	atomic_set(&conn->conn_logout_remove, 0);
- 	complete(&conn->conn_logout_comp);
-@@ -4557,7 +4580,10 @@ static void iscsit_logout_post_handler_closesession(
- static void iscsit_logout_post_handler_samecid(
- 	struct iscsi_conn *conn)
- {
--	int sleep = cmpxchg(&conn->tx_thread_active, true, false);
-+	int sleep = 1;
-+
-+	if (conn->conn_transport->transport_type == ISCSI_TCP)
-+		sleep = cmpxchg(&conn->tx_thread_active, true, false);
- 
- 	atomic_set(&conn->conn_logout_remove, 0);
- 	complete(&conn->conn_logout_comp);
-@@ -4776,6 +4802,7 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force)
- 	struct iscsi_session *sess;
- 	struct se_portal_group *se_tpg = &tpg->tpg_se_tpg;
- 	struct se_session *se_sess, *se_sess_tmp;
-+	LIST_HEAD(free_list);
- 	int session_count = 0;
- 
- 	spin_lock_bh(&se_tpg->session_lock);
-@@ -4797,14 +4824,17 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force)
- 		}
- 		atomic_set(&sess->session_reinstatement, 1);
- 		spin_unlock(&sess->conn_lock);
--		spin_unlock_bh(&se_tpg->session_lock);
- 
--		iscsit_free_session(sess);
--		spin_lock_bh(&se_tpg->session_lock);
-+		list_move_tail(&se_sess->sess_list, &free_list);
-+	}
-+	spin_unlock_bh(&se_tpg->session_lock);
-+
-+	list_for_each_entry_safe(se_sess, se_sess_tmp, &free_list, sess_list) {
-+		sess = (struct iscsi_session *)se_sess->fabric_sess_ptr;
- 
-+		iscsit_free_session(sess);
- 		session_count++;
- 	}
--	spin_unlock_bh(&se_tpg->session_lock);
- 
- 	pr_debug("Released %d iSCSI Session(s) from Target Portal"
- 			" Group: %hu\n", session_count, tpg->tpgt);
-diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
-index 70d799d..c3bccad 100644
---- a/drivers/target/iscsi/iscsi_target_login.c
-+++ b/drivers/target/iscsi/iscsi_target_login.c
-@@ -82,6 +82,7 @@ static struct iscsi_login *iscsi_login_init_conn(struct iscsi_conn *conn)
- 	init_completion(&conn->conn_logout_comp);
- 	init_completion(&conn->rx_half_close_comp);
- 	init_completion(&conn->tx_half_close_comp);
-+	init_completion(&conn->rx_login_comp);
- 	spin_lock_init(&conn->cmd_lock);
- 	spin_lock_init(&conn->conn_usage_lock);
- 	spin_lock_init(&conn->immed_queue_lock);
-@@ -699,7 +700,7 @@ static void iscsi_post_login_start_timers(struct iscsi_conn *conn)
- 		iscsit_start_nopin_timer(conn);
- }
- 
--static int iscsit_start_kthreads(struct iscsi_conn *conn)
-+int iscsit_start_kthreads(struct iscsi_conn *conn)
- {
- 	int ret = 0;
- 
-@@ -734,6 +735,7 @@ static int iscsit_start_kthreads(struct iscsi_conn *conn)
- 
- 	return 0;
- out_tx:
-+	send_sig(SIGINT, conn->tx_thread, 1);
- 	kthread_stop(conn->tx_thread);
- 	conn->tx_thread_active = false;
- out_bitmap:
-@@ -744,7 +746,7 @@ out_bitmap:
- 	return ret;
- }
- 
--int iscsi_post_login_handler(
-+void iscsi_post_login_handler(
- 	struct iscsi_np *np,
- 	struct iscsi_conn *conn,
- 	u8 zero_tsih)
-@@ -754,7 +756,6 @@ int iscsi_post_login_handler(
- 	struct se_session *se_sess = sess->se_sess;
- 	struct iscsi_portal_group *tpg = sess->tpg;
- 	struct se_portal_group *se_tpg = &tpg->tpg_se_tpg;
--	int rc;
- 
- 	iscsit_inc_conn_usage_count(conn);
- 
-@@ -795,10 +796,6 @@ int iscsi_post_login_handler(
- 			sess->sess_ops->InitiatorName);
- 		spin_unlock_bh(&sess->conn_lock);
- 
--		rc = iscsit_start_kthreads(conn);
--		if (rc)
--			return rc;
--
- 		iscsi_post_login_start_timers(conn);
- 		/*
- 		 * Determine CPU mask to ensure connection's RX and TX kthreads
-@@ -807,15 +804,20 @@ int iscsi_post_login_handler(
- 		iscsit_thread_get_cpumask(conn);
- 		conn->conn_rx_reset_cpumask = 1;
- 		conn->conn_tx_reset_cpumask = 1;
--
-+		/*
-+		 * Wakeup the sleeping iscsi_target_rx_thread() now that
-+		 * iscsi_conn is in TARG_CONN_STATE_LOGGED_IN state.
-+		 */
-+		complete(&conn->rx_login_comp);
- 		iscsit_dec_conn_usage_count(conn);
-+
- 		if (stop_timer) {
- 			spin_lock_bh(&se_tpg->session_lock);
- 			iscsit_stop_time2retain_timer(sess);
- 			spin_unlock_bh(&se_tpg->session_lock);
- 		}
- 		iscsit_dec_session_usage_count(sess);
--		return 0;
-+		return;
- 	}
- 
- 	iscsi_set_session_parameters(sess->sess_ops, conn->param_list, 1);
-@@ -856,10 +858,6 @@ int iscsi_post_login_handler(
- 		" iSCSI Target Portal Group: %hu\n", tpg->nsessions, tpg->tpgt);
- 	spin_unlock_bh(&se_tpg->session_lock);
- 
--	rc = iscsit_start_kthreads(conn);
--	if (rc)
--		return rc;
--
- 	iscsi_post_login_start_timers(conn);
- 	/*
- 	 * Determine CPU mask to ensure connection's RX and TX kthreads
-@@ -868,10 +866,12 @@ int iscsi_post_login_handler(
- 	iscsit_thread_get_cpumask(conn);
- 	conn->conn_rx_reset_cpumask = 1;
- 	conn->conn_tx_reset_cpumask = 1;
--
-+	/*
-+	 * Wakeup the sleeping iscsi_target_rx_thread() now that
-+	 * iscsi_conn is in TARG_CONN_STATE_LOGGED_IN state.
-+	 */
-+	complete(&conn->rx_login_comp);
- 	iscsit_dec_conn_usage_count(conn);
--
--	return 0;
- }
- 
- static void iscsi_handle_login_thread_timeout(unsigned long data)
-@@ -1436,23 +1436,12 @@ static int __iscsi_target_login_thread(struct iscsi_np *np)
- 	if (ret < 0)
- 		goto new_sess_out;
- 
--	if (!conn->sess) {
--		pr_err("struct iscsi_conn session pointer is NULL!\n");
--		goto new_sess_out;
--	}
--
- 	iscsi_stop_login_thread_timer(np);
- 
--	if (signal_pending(current))
--		goto new_sess_out;
--
- 	if (ret == 1) {
- 		tpg_np = conn->tpg_np;
- 
--		ret = iscsi_post_login_handler(np, conn, zero_tsih);
--		if (ret < 0)
--			goto new_sess_out;
--
-+		iscsi_post_login_handler(np, conn, zero_tsih);
- 		iscsit_deaccess_np(np, tpg, tpg_np);
- 	}
- 
-diff --git a/drivers/target/iscsi/iscsi_target_login.h b/drivers/target/iscsi/iscsi_target_login.h
-index 29d0983..55cbf45 100644
---- a/drivers/target/iscsi/iscsi_target_login.h
-+++ b/drivers/target/iscsi/iscsi_target_login.h
-@@ -12,7 +12,8 @@ extern int iscsit_accept_np(struct iscsi_np *, struct iscsi_conn *);
- extern int iscsit_get_login_rx(struct iscsi_conn *, struct iscsi_login *);
- extern int iscsit_put_login_tx(struct iscsi_conn *, struct iscsi_login *, u32);
- extern void iscsit_free_conn(struct iscsi_np *, struct iscsi_conn *);
--extern int iscsi_post_login_handler(struct iscsi_np *, struct iscsi_conn *, u8);
-+extern int iscsit_start_kthreads(struct iscsi_conn *);
-+extern void iscsi_post_login_handler(struct iscsi_np *, struct iscsi_conn *, u8);
- extern void iscsi_target_login_sess_out(struct iscsi_conn *, struct iscsi_np *,
- 				bool, bool);
- extern int iscsi_target_login_thread(void *);
-diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
-index 8c02fa3..f9cde91 100644
---- a/drivers/target/iscsi/iscsi_target_nego.c
-+++ b/drivers/target/iscsi/iscsi_target_nego.c
-@@ -17,6 +17,7 @@
-  ******************************************************************************/
- 
- #include <linux/ctype.h>
-+#include <linux/kthread.h>
- #include <scsi/iscsi_proto.h>
- #include <target/target_core_base.h>
- #include <target/target_core_fabric.h>
-@@ -361,10 +362,24 @@ static int iscsi_target_do_tx_login_io(struct iscsi_conn *conn, struct iscsi_log
- 		ntohl(login_rsp->statsn), login->rsp_length);
- 
- 	padding = ((-login->rsp_length) & 3);
-+	/*
-+	 * Before sending the last login response containing the transition
-+	 * bit for full-feature-phase, go ahead and start up TX/RX threads
-+	 * now to avoid potential resource allocation failures after the
-+	 * final login response has been sent.
-+	 */
-+	if (login->login_complete) {
-+		int rc = iscsit_start_kthreads(conn);
-+		if (rc) {
-+			iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
-+					    ISCSI_LOGIN_STATUS_NO_RESOURCES);
-+			return -1;
-+		}
-+	}
- 
- 	if (conn->conn_transport->iscsit_put_login_tx(conn, login,
- 					login->rsp_length + padding) < 0)
--		return -1;
-+		goto err;
- 
- 	login->rsp_length		= 0;
- 	mutex_lock(&sess->cmdsn_mutex);
-@@ -373,6 +388,23 @@ static int iscsi_target_do_tx_login_io(struct iscsi_conn *conn, struct iscsi_log
- 	mutex_unlock(&sess->cmdsn_mutex);
- 
- 	return 0;
-+
-+err:
-+	if (login->login_complete) {
-+		if (conn->rx_thread && conn->rx_thread_active) {
-+			send_sig(SIGINT, conn->rx_thread, 1);
-+			kthread_stop(conn->rx_thread);
-+		}
-+		if (conn->tx_thread && conn->tx_thread_active) {
-+			send_sig(SIGINT, conn->tx_thread, 1);
-+			kthread_stop(conn->tx_thread);
-+		}
-+		spin_lock(&iscsit_global->ts_bitmap_lock);
-+		bitmap_release_region(iscsit_global->ts_bitmap, conn->bitmap_id,
-+				      get_order(1));
-+		spin_unlock(&iscsit_global->ts_bitmap_lock);
-+	}
-+	return -1;
- }
- 
- static void iscsi_target_sk_data_ready(struct sock *sk)
-diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 396344c..16ed0b6 100644
---- a/drivers/tty/n_tty.c
-+++ b/drivers/tty/n_tty.c
-@@ -1108,19 +1108,29 @@ static void eraser(unsigned char c, struct tty_struct *tty)
-  *	Locking: ctrl_lock
-  */
- 
--static void isig(int sig, struct tty_struct *tty)
-+static void __isig(int sig, struct tty_struct *tty)
- {
--	struct n_tty_data *ldata = tty->disc_data;
- 	struct pid *tty_pgrp = tty_get_pgrp(tty);
- 	if (tty_pgrp) {
- 		kill_pgrp(tty_pgrp, sig, 1);
- 		put_pid(tty_pgrp);
- 	}
-+}
- 
--	if (!L_NOFLSH(tty)) {
-+static void isig(int sig, struct tty_struct *tty)
-+{
-+	struct n_tty_data *ldata = tty->disc_data;
-+
-+	if (L_NOFLSH(tty)) {
-+		/* signal only */
-+		__isig(sig, tty);
-+
-+	} else { /* signal and flush */
- 		up_read(&tty->termios_rwsem);
- 		down_write(&tty->termios_rwsem);
- 
-+		__isig(sig, tty);
-+
- 		/* clear echo buffer */
- 		mutex_lock(&ldata->output_lock);
- 		ldata->echo_head = ldata->echo_tail = 0;
-diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
-index 8825039..01aa52f 100644
---- a/drivers/tty/serial/imx.c
-+++ b/drivers/tty/serial/imx.c
-@@ -1132,11 +1132,6 @@ static int imx_startup(struct uart_port *port)
- 	while (!(readl(sport->port.membase + UCR2) & UCR2_SRST) && (--i > 0))
- 		udelay(1);
- 
--	/* Can we enable the DMA support? */
--	if (is_imx6q_uart(sport) && !uart_console(port) &&
--	    !sport->dma_is_inited)
--		imx_uart_dma_init(sport);
--
- 	spin_lock_irqsave(&sport->port.lock, flags);
- 
- 	/*
-@@ -1145,9 +1140,6 @@ static int imx_startup(struct uart_port *port)
- 	writel(USR1_RTSD, sport->port.membase + USR1);
- 	writel(USR2_ORE, sport->port.membase + USR2);
- 
--	if (sport->dma_is_inited && !sport->dma_is_enabled)
--		imx_enable_dma(sport);
--
- 	temp = readl(sport->port.membase + UCR1);
- 	temp |= UCR1_RRDYEN | UCR1_RTSDEN | UCR1_UARTEN;
- 
-@@ -1318,6 +1310,11 @@ imx_set_termios(struct uart_port *port, struct ktermios *termios,
- 			} else {
- 				ucr2 |= UCR2_CTSC;
- 			}
-+
-+			/* Can we enable the DMA support? */
-+			if (is_imx6q_uart(sport) && !uart_console(port)
-+				&& !sport->dma_is_inited)
-+				imx_uart_dma_init(sport);
- 		} else {
- 			termios->c_cflag &= ~CRTSCTS;
- 		}
-@@ -1434,6 +1431,8 @@ imx_set_termios(struct uart_port *port, struct ktermios *termios,
- 	if (UART_ENABLE_MS(&sport->port, termios->c_cflag))
- 		imx_enable_ms(&sport->port);
- 
-+	if (sport->dma_is_inited && !sport->dma_is_enabled)
-+		imx_enable_dma(sport);
- 	spin_unlock_irqrestore(&sport->port.lock, flags);
- }
- 
-diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index 0b7bb12..ec54044 100644
---- a/drivers/tty/serial/serial_core.c
-+++ b/drivers/tty/serial/serial_core.c
-@@ -1409,7 +1409,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
- 	mutex_lock(&port->mutex);
- 	uart_shutdown(tty, state);
- 	tty_port_tty_set(port, NULL);
--	tty->closing = 0;
-+
- 	spin_lock_irqsave(&port->lock, flags);
- 
- 	if (port->blocked_open) {
-@@ -1435,6 +1435,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
- 	mutex_unlock(&port->mutex);
- 
- 	tty_ldisc_flush(tty);
-+	tty->closing = 0;
- }
- 
- static void uart_wait_until_sent(struct tty_struct *tty, int timeout)
-diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
-index 0827d7c..ee07ba4 100644
---- a/drivers/usb/host/xhci-hub.c
-+++ b/drivers/usb/host/xhci-hub.c
-@@ -484,10 +484,13 @@ static void xhci_hub_report_usb3_link_state(struct xhci_hcd *xhci,
- 	u32 pls = status_reg & PORT_PLS_MASK;
- 
- 	/* resume state is a xHCI internal state.
--	 * Do not report it to usb core.
-+	 * Do not report it to usb core, instead, pretend to be U3,
-+	 * thus usb core knows it's not ready for transfer
- 	 */
--	if (pls == XDEV_RESUME)
-+	if (pls == XDEV_RESUME) {
-+		*status |= USB_SS_PORT_LS_U3;
- 		return;
-+	}
- 
- 	/* When the CAS bit is set then warm reset
- 	 * should be performed on port
-@@ -588,7 +591,14 @@ static u32 xhci_get_port_status(struct usb_hcd *hcd,
- 		status |= USB_PORT_STAT_C_RESET << 16;
- 	/* USB3.0 only */
- 	if (hcd->speed == HCD_USB3) {
--		if ((raw_port_status & PORT_PLC))
-+		/* Port link change with port in resume state should not be
-+		 * reported to usbcore, as this is an internal state to be
-+		 * handled by xhci driver. Reporting PLC to usbcore may
-+		 * cause usbcore clearing PLC first and port change event
-+		 * irq won't be generated.
-+		 */
-+		if ((raw_port_status & PORT_PLC) &&
-+			(raw_port_status & PORT_PLS_MASK) != XDEV_RESUME)
- 			status |= USB_PORT_STAT_C_LINK_STATE << 16;
- 		if ((raw_port_status & PORT_WRC))
- 			status |= USB_PORT_STAT_C_BH_RESET << 16;
-@@ -1120,10 +1130,10 @@ int xhci_bus_suspend(struct usb_hcd *hcd)
- 	spin_lock_irqsave(&xhci->lock, flags);
- 
- 	if (hcd->self.root_hub->do_remote_wakeup) {
--		if (bus_state->resuming_ports) {
-+		if (bus_state->resuming_ports ||	/* USB2 */
-+		    bus_state->port_remote_wakeup) {	/* USB3 */
- 			spin_unlock_irqrestore(&xhci->lock, flags);
--			xhci_dbg(xhci, "suspend failed because "
--						"a port is resuming\n");
-+			xhci_dbg(xhci, "suspend failed because a port is resuming\n");
- 			return -EBUSY;
- 		}
- 	}
-diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
-index 7d34cbf..d095677 100644
---- a/drivers/usb/host/xhci-ring.c
-+++ b/drivers/usb/host/xhci-ring.c
-@@ -1546,6 +1546,9 @@ static void handle_port_status(struct xhci_hcd *xhci,
- 		usb_hcd_resume_root_hub(hcd);
- 	}
- 
-+	if (hcd->speed == HCD_USB3 && (temp & PORT_PLS_MASK) == XDEV_INACTIVE)
-+		bus_state->port_remote_wakeup &= ~(1 << faked_port_index);
-+
- 	if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_RESUME) {
- 		xhci_dbg(xhci, "port resume event for port %d\n", port_id);
- 
-diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index 36bf089..c502c22 100644
---- a/drivers/usb/host/xhci.c
-+++ b/drivers/usb/host/xhci.c
-@@ -3453,6 +3453,9 @@ int xhci_discover_or_reset_device(struct usb_hcd *hcd, struct usb_device *udev)
- 			return -EINVAL;
- 	}
- 
-+	if (virt_dev->tt_info)
-+		old_active_eps = virt_dev->tt_info->active_eps;
-+
- 	if (virt_dev->udev != udev) {
- 		/* If the virt_dev and the udev does not match, this virt_dev
- 		 * may belong to another udev.
-diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
-index 6977f84..0f26dd2 100644
---- a/drivers/usb/host/xhci.h
-+++ b/drivers/usb/host/xhci.h
-@@ -285,6 +285,7 @@ struct xhci_op_regs {
- #define XDEV_U0		(0x0 << 5)
- #define XDEV_U2		(0x2 << 5)
- #define XDEV_U3		(0x3 << 5)
-+#define XDEV_INACTIVE	(0x6 << 5)
- #define XDEV_RESUME	(0xf << 5)
- /* true: port has power (see HCC_PPC) */
- #define PORT_POWER	(1 << 9)
-diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
-index caf1888..87898ca 100644
---- a/drivers/usb/storage/unusual_devs.h
-+++ b/drivers/usb/storage/unusual_devs.h
-@@ -2065,6 +2065,18 @@ UNUSUAL_DEV( 0x1908, 0x3335, 0x0200, 0x0200,
- 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
- 		US_FL_NO_READ_DISC_INFO ),
- 
-+/* Reported by Oliver Neukum <oneukum@suse.com>
-+ * This device morphes spontaneously into another device if the access
-+ * pattern of Windows isn't followed. Thus writable media would be dirty
-+ * if the initial instance is used. So the device is limited to its
-+ * virtual CD.
-+ * And yes, the concept that BCD goes up to 9 is not heeded */
-+UNUSUAL_DEV( 0x19d2, 0x1225, 0x0000, 0xffff,
-+		"ZTE,Incorporated",
-+		"ZTE WCDMA Technologies MSM",
-+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
-+		US_FL_SINGLE_LUN ),
-+
- /* Reported by Sven Geggus <sven-usbst@geggus.net>
-  * This encrypted pen drive returns bogus data for the initial READ(10).
-  */
-diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
-index 2ee2826..fa49d329 100644
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -886,6 +886,7 @@ long vhost_dev_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
- 		}
- 		if (eventfp != d->log_file) {
- 			filep = d->log_file;
-+			d->log_file = eventfp;
- 			ctx = d->log_ctx;
- 			d->log_ctx = eventfp ?
- 				eventfd_ctx_fileget(eventfp) : NULL;
-diff --git a/fs/dcache.c b/fs/dcache.c
-index 50bb3c2..5d03eb0 100644
---- a/fs/dcache.c
-+++ b/fs/dcache.c
-@@ -642,7 +642,7 @@ static inline bool fast_dput(struct dentry *dentry)
- 
- 	/*
- 	 * If we have a d_op->d_delete() operation, we sould not
--	 * let the dentry count go to zero, so use "put__or_lock".
-+	 * let the dentry count go to zero, so use "put_or_lock".
- 	 */
- 	if (unlikely(dentry->d_flags & DCACHE_OP_DELETE))
- 		return lockref_put_or_lock(&dentry->d_lockref);
-@@ -697,7 +697,7 @@ static inline bool fast_dput(struct dentry *dentry)
- 	 */
- 	smp_rmb();
- 	d_flags = ACCESS_ONCE(dentry->d_flags);
--	d_flags &= DCACHE_REFERENCED | DCACHE_LRU_LIST;
-+	d_flags &= DCACHE_REFERENCED | DCACHE_LRU_LIST | DCACHE_DISCONNECTED;
- 
- 	/* Nothing to do? Dropping the reference was all we needed? */
- 	if (d_flags == (DCACHE_REFERENCED | DCACHE_LRU_LIST) && !d_unhashed(dentry))
-@@ -776,6 +776,9 @@ repeat:
- 	if (unlikely(d_unhashed(dentry)))
- 		goto kill_it;
- 
-+	if (unlikely(dentry->d_flags & DCACHE_DISCONNECTED))
-+		goto kill_it;
-+
- 	if (unlikely(dentry->d_flags & DCACHE_OP_DELETE)) {
- 		if (dentry->d_op->d_delete(dentry))
- 			goto kill_it;
-diff --git a/fs/namespace.c b/fs/namespace.c
-index 02c6875..fce3cc1 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -1350,6 +1350,36 @@ enum umount_tree_flags {
- 	UMOUNT_PROPAGATE = 2,
- 	UMOUNT_CONNECTED = 4,
- };
-+
-+static bool disconnect_mount(struct mount *mnt, enum umount_tree_flags how)
-+{
-+	/* Leaving mounts connected is only valid for lazy umounts */
-+	if (how & UMOUNT_SYNC)
-+		return true;
-+
-+	/* A mount without a parent has nothing to be connected to */
-+	if (!mnt_has_parent(mnt))
-+		return true;
-+
-+	/* Because the reference counting rules change when mounts are
-+	 * unmounted and connected, umounted mounts may not be
-+	 * connected to mounted mounts.
-+	 */
-+	if (!(mnt->mnt_parent->mnt.mnt_flags & MNT_UMOUNT))
-+		return true;
-+
-+	/* Has it been requested that the mount remain connected? */
-+	if (how & UMOUNT_CONNECTED)
-+		return false;
-+
-+	/* Is the mount locked such that it needs to remain connected? */
-+	if (IS_MNT_LOCKED(mnt))
-+		return false;
-+
-+	/* By default disconnect the mount */
-+	return true;
-+}
-+
- /*
-  * mount_lock must be held
-  * namespace_sem must be held for write
-@@ -1387,10 +1417,7 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how)
- 		if (how & UMOUNT_SYNC)
- 			p->mnt.mnt_flags |= MNT_SYNC_UMOUNT;
- 
--		disconnect = !(((how & UMOUNT_CONNECTED) &&
--				mnt_has_parent(p) &&
--				(p->mnt_parent->mnt.mnt_flags & MNT_UMOUNT)) ||
--			       IS_MNT_LOCKED_AND_LAZY(p));
-+		disconnect = disconnect_mount(p, how);
- 
- 		pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt,
- 				 disconnect ? &unmounted : NULL);
-@@ -1527,11 +1554,8 @@ void __detach_mounts(struct dentry *dentry)
- 	while (!hlist_empty(&mp->m_list)) {
- 		mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list);
- 		if (mnt->mnt.mnt_flags & MNT_UMOUNT) {
--			struct mount *p, *tmp;
--			list_for_each_entry_safe(p, tmp, &mnt->mnt_mounts,  mnt_child) {
--				hlist_add_head(&p->mnt_umount.s_list, &unmounted);
--				umount_mnt(p);
--			}
-+			hlist_add_head(&mnt->mnt_umount.s_list, &unmounted);
-+			umount_mnt(mnt);
- 		}
- 		else umount_tree(mnt, UMOUNT_CONNECTED);
- 	}
-diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
-index f734562..5d25b9d 100644
---- a/fs/nfs/inode.c
-+++ b/fs/nfs/inode.c
-@@ -1242,9 +1242,11 @@ static int nfs_check_inode_attributes(struct inode *inode, struct nfs_fattr *fat
- 	if (fattr->valid & NFS_ATTR_FATTR_SIZE) {
- 		cur_size = i_size_read(inode);
- 		new_isize = nfs_size_to_loff_t(fattr->size);
--		if (cur_size != new_isize && nfsi->nrequests == 0)
-+		if (cur_size != new_isize)
- 			invalid |= NFS_INO_INVALID_ATTR|NFS_INO_REVAL_PAGECACHE;
- 	}
-+	if (nfsi->nrequests != 0)
-+		invalid &= ~NFS_INO_REVAL_PAGECACHE;
- 
- 	/* Have any file permissions changed? */
- 	if ((fattr->valid & NFS_ATTR_FATTR_MODE) && (inode->i_mode & S_IALLUGO) != (fattr->mode & S_IALLUGO))
-@@ -1682,8 +1684,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
- 			invalid |= NFS_INO_INVALID_ATTR
- 				| NFS_INO_INVALID_DATA
- 				| NFS_INO_INVALID_ACCESS
--				| NFS_INO_INVALID_ACL
--				| NFS_INO_REVAL_PAGECACHE;
-+				| NFS_INO_INVALID_ACL;
- 			if (S_ISDIR(inode->i_mode))
- 				nfs_force_lookup_revalidate(inode);
- 			inode->i_version = fattr->change_attr;
-@@ -1715,7 +1716,6 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
- 			if ((nfsi->nrequests == 0) || new_isize > cur_isize) {
- 				i_size_write(inode, new_isize);
- 				invalid |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA;
--				invalid &= ~NFS_INO_REVAL_PAGECACHE;
- 			}
- 			dprintk("NFS: isize change on server for file %s/%ld "
- 					"(%Ld to %Ld)\n",
-diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index 55e1e3a..d3f2051 100644
---- a/fs/nfs/nfs4proc.c
-+++ b/fs/nfs/nfs4proc.c
-@@ -1204,12 +1204,15 @@ static bool nfs_need_update_open_stateid(struct nfs4_state *state,
- 
- static void nfs_resync_open_stateid_locked(struct nfs4_state *state)
- {
-+	if (!(state->n_wronly || state->n_rdonly || state->n_rdwr))
-+		return;
- 	if (state->n_wronly)
- 		set_bit(NFS_O_WRONLY_STATE, &state->flags);
- 	if (state->n_rdonly)
- 		set_bit(NFS_O_RDONLY_STATE, &state->flags);
- 	if (state->n_rdwr)
- 		set_bit(NFS_O_RDWR_STATE, &state->flags);
-+	set_bit(NFS_OPEN_STATE, &state->flags);
- }
- 
- static void nfs_clear_open_stateid_locked(struct nfs4_state *state,
-diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c
-index 282b393..7b45526 100644
---- a/fs/nfs/pagelist.c
-+++ b/fs/nfs/pagelist.c
-@@ -1110,8 +1110,11 @@ static int nfs_do_recoalesce(struct nfs_pageio_descriptor *desc)
- 			nfs_list_remove_request(req);
- 			if (__nfs_pageio_add_request(desc, req))
- 				continue;
--			if (desc->pg_error < 0)
-+			if (desc->pg_error < 0) {
-+				list_splice_tail(&head, &mirror->pg_list);
-+				mirror->pg_recoalesce = 1;
- 				return 0;
-+			}
- 			break;
- 		}
- 	} while (mirror->pg_recoalesce);
-diff --git a/fs/pnode.h b/fs/pnode.h
-index 7114ce6..0fcdbe7 100644
---- a/fs/pnode.h
-+++ b/fs/pnode.h
-@@ -20,8 +20,6 @@
- #define SET_MNT_MARK(m) ((m)->mnt.mnt_flags |= MNT_MARKED)
- #define CLEAR_MNT_MARK(m) ((m)->mnt.mnt_flags &= ~MNT_MARKED)
- #define IS_MNT_LOCKED(m) ((m)->mnt.mnt_flags & MNT_LOCKED)
--#define IS_MNT_LOCKED_AND_LAZY(m) \
--	(((m)->mnt.mnt_flags & (MNT_LOCKED|MNT_SYNC_UMOUNT)) == MNT_LOCKED)
- 
- #define CL_EXPIRE    		0x01
- #define CL_SLAVE     		0x02
-diff --git a/fs/xfs/libxfs/xfs_attr_remote.c b/fs/xfs/libxfs/xfs_attr_remote.c
-index 20de88d..dd71403 100644
---- a/fs/xfs/libxfs/xfs_attr_remote.c
-+++ b/fs/xfs/libxfs/xfs_attr_remote.c
-@@ -159,11 +159,10 @@ xfs_attr3_rmt_write_verify(
- 	struct xfs_buf	*bp)
- {
- 	struct xfs_mount *mp = bp->b_target->bt_mount;
--	struct xfs_buf_log_item	*bip = bp->b_fspriv;
-+	int		blksize = mp->m_attr_geo->blksize;
- 	char		*ptr;
- 	int		len;
- 	xfs_daddr_t	bno;
--	int		blksize = mp->m_attr_geo->blksize;
- 
- 	/* no verification of non-crc buffers */
- 	if (!xfs_sb_version_hascrc(&mp->m_sb))
-@@ -175,16 +174,22 @@ xfs_attr3_rmt_write_verify(
- 	ASSERT(len >= blksize);
- 
- 	while (len > 0) {
-+		struct xfs_attr3_rmt_hdr *rmt = (struct xfs_attr3_rmt_hdr *)ptr;
-+
- 		if (!xfs_attr3_rmt_verify(mp, ptr, blksize, bno)) {
- 			xfs_buf_ioerror(bp, -EFSCORRUPTED);
- 			xfs_verifier_error(bp);
- 			return;
- 		}
--		if (bip) {
--			struct xfs_attr3_rmt_hdr *rmt;
- 
--			rmt = (struct xfs_attr3_rmt_hdr *)ptr;
--			rmt->rm_lsn = cpu_to_be64(bip->bli_item.li_lsn);
-+		/*
-+		 * Ensure we aren't writing bogus LSNs to disk. See
-+		 * xfs_attr3_rmt_hdr_set() for the explanation.
-+		 */
-+		if (rmt->rm_lsn != cpu_to_be64(NULLCOMMITLSN)) {
-+			xfs_buf_ioerror(bp, -EFSCORRUPTED);
-+			xfs_verifier_error(bp);
-+			return;
- 		}
- 		xfs_update_cksum(ptr, blksize, XFS_ATTR3_RMT_CRC_OFF);
- 
-@@ -221,6 +226,18 @@ xfs_attr3_rmt_hdr_set(
- 	rmt->rm_owner = cpu_to_be64(ino);
- 	rmt->rm_blkno = cpu_to_be64(bno);
- 
-+	/*
-+	 * Remote attribute blocks are written synchronously, so we don't
-+	 * have an LSN that we can stamp in them that makes any sense to log
-+	 * recovery. To ensure that log recovery handles overwrites of these
-+	 * blocks sanely (i.e. once they've been freed and reallocated as some
-+	 * other type of metadata) we need to ensure that the LSN has a value
-+	 * that tells log recovery to ignore the LSN and overwrite the buffer
-+	 * with whatever is in it's log. To do this, we use the magic
-+	 * NULLCOMMITLSN to indicate that the LSN is invalid.
-+	 */
-+	rmt->rm_lsn = cpu_to_be64(NULLCOMMITLSN);
-+
- 	return sizeof(struct xfs_attr3_rmt_hdr);
- }
- 
-@@ -434,14 +451,21 @@ xfs_attr_rmtval_set(
- 
- 		/*
- 		 * Allocate a single extent, up to the size of the value.
-+		 *
-+		 * Note that we have to consider this a data allocation as we
-+		 * write the remote attribute without logging the contents.
-+		 * Hence we must ensure that we aren't using blocks that are on
-+		 * the busy list so that we don't overwrite blocks which have
-+		 * recently been freed but their transactions are not yet
-+		 * committed to disk. If we overwrite the contents of a busy
-+		 * extent and then crash then the block may not contain the
-+		 * correct metadata after log recovery occurs.
- 		 */
- 		xfs_bmap_init(args->flist, args->firstblock);
- 		nmap = 1;
- 		error = xfs_bmapi_write(args->trans, dp, (xfs_fileoff_t)lblkno,
--				  blkcnt,
--				  XFS_BMAPI_ATTRFORK | XFS_BMAPI_METADATA,
--				  args->firstblock, args->total, &map, &nmap,
--				  args->flist);
-+				  blkcnt, XFS_BMAPI_ATTRFORK, args->firstblock,
-+				  args->total, &map, &nmap, args->flist);
- 		if (!error) {
- 			error = xfs_bmap_finish(&args->trans, args->flist,
- 						&committed);
-diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
-index 4f5784f..a5d0339 100644
---- a/fs/xfs/xfs_log_recover.c
-+++ b/fs/xfs/xfs_log_recover.c
-@@ -1887,9 +1887,14 @@ xlog_recover_get_buf_lsn(
- 		uuid = &((struct xfs_dir3_blk_hdr *)blk)->uuid;
- 		break;
- 	case XFS_ATTR3_RMT_MAGIC:
--		lsn = be64_to_cpu(((struct xfs_attr3_rmt_hdr *)blk)->rm_lsn);
--		uuid = &((struct xfs_attr3_rmt_hdr *)blk)->rm_uuid;
--		break;
-+		/*
-+		 * Remote attr blocks are written synchronously, rather than
-+		 * being logged. That means they do not contain a valid LSN
-+		 * (i.e. transactionally ordered) in them, and hence any time we
-+		 * see a buffer to replay over the top of a remote attribute
-+		 * block we should simply do so.
-+		 */
-+		goto recover_immediately;
- 	case XFS_SB_MAGIC:
- 		lsn = be64_to_cpu(((struct xfs_dsb *)blk)->sb_lsn);
- 		uuid = &((struct xfs_dsb *)blk)->sb_uuid;
-diff --git a/include/linux/can/skb.h b/include/linux/can/skb.h
-index b6a52a4..51bb653 100644
---- a/include/linux/can/skb.h
-+++ b/include/linux/can/skb.h
-@@ -27,10 +27,12 @@
- /**
-  * struct can_skb_priv - private additional data inside CAN sk_buffs
-  * @ifindex:	ifindex of the first interface the CAN frame appeared on
-+ * @skbcnt:	atomic counter to have an unique id together with skb pointer
-  * @cf:		align to the following CAN frame at skb->data
-  */
- struct can_skb_priv {
- 	int ifindex;
-+	int skbcnt;
- 	struct can_frame cf[0];
- };
- 
-diff --git a/include/linux/cper.h b/include/linux/cper.h
-index 76abba4..dcacb1a 100644
---- a/include/linux/cper.h
-+++ b/include/linux/cper.h
-@@ -340,7 +340,27 @@ struct cper_ia_proc_ctx {
- 	__u64	mm_reg_addr;
- };
- 
--/* Memory Error Section */
-+/* Old Memory Error Section UEFI 2.1, 2.2 */
-+struct cper_sec_mem_err_old {
-+	__u64	validation_bits;
-+	__u64	error_status;
-+	__u64	physical_addr;
-+	__u64	physical_addr_mask;
-+	__u16	node;
-+	__u16	card;
-+	__u16	module;
-+	__u16	bank;
-+	__u16	device;
-+	__u16	row;
-+	__u16	column;
-+	__u16	bit_pos;
-+	__u64	requestor_id;
-+	__u64	responder_id;
-+	__u64	target_id;
-+	__u8	error_type;
-+};
-+
-+/* Memory Error Section UEFI >= 2.3 */
- struct cper_sec_mem_err {
- 	__u64	validation_bits;
- 	__u64	error_status;
-diff --git a/include/linux/ftrace.h b/include/linux/ftrace.h
-index 1da6029..6cd8c0e 100644
---- a/include/linux/ftrace.h
-+++ b/include/linux/ftrace.h
-@@ -116,6 +116,7 @@ ftrace_func_t ftrace_ops_get_func(struct ftrace_ops *ops);
-  *            SAVE_REGS. If another ops with this flag set is already registered
-  *            for any of the functions that this ops will be registered for, then
-  *            this ops will fail to register or set_filter_ip.
-+ * PID     - Is affected by set_ftrace_pid (allows filtering on those pids)
-  */
- enum {
- 	FTRACE_OPS_FL_ENABLED			= 1 << 0,
-@@ -132,6 +133,7 @@ enum {
- 	FTRACE_OPS_FL_MODIFYING			= 1 << 11,
- 	FTRACE_OPS_FL_ALLOC_TRAMP		= 1 << 12,
- 	FTRACE_OPS_FL_IPMODIFY			= 1 << 13,
-+	FTRACE_OPS_FL_PID			= 1 << 14,
- };
- 
- #ifdef CONFIG_DYNAMIC_FTRACE
-@@ -159,6 +161,7 @@ struct ftrace_ops {
- 	struct ftrace_ops		*next;
- 	unsigned long			flags;
- 	void				*private;
-+	ftrace_func_t			saved_func;
- 	int __percpu			*disabled;
- #ifdef CONFIG_DYNAMIC_FTRACE
- 	int				nr_trampolines;
-diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h
-index 54e7af3..73abbc5 100644
---- a/include/target/iscsi/iscsi_target_core.h
-+++ b/include/target/iscsi/iscsi_target_core.h
-@@ -606,6 +606,7 @@ struct iscsi_conn {
- 	int			bitmap_id;
- 	int			rx_thread_active;
- 	struct task_struct	*rx_thread;
-+	struct completion	rx_login_comp;
- 	int			tx_thread_active;
- 	struct task_struct	*tx_thread;
- 	/* list_head for session connection list */
-diff --git a/kernel/irq/resend.c b/kernel/irq/resend.c
-index 9065107..7a5237a 100644
---- a/kernel/irq/resend.c
-+++ b/kernel/irq/resend.c
-@@ -75,13 +75,21 @@ void check_irq_resend(struct irq_desc *desc, unsigned int irq)
- 		    !desc->irq_data.chip->irq_retrigger(&desc->irq_data)) {
- #ifdef CONFIG_HARDIRQS_SW_RESEND
- 			/*
--			 * If the interrupt has a parent irq and runs
--			 * in the thread context of the parent irq,
--			 * retrigger the parent.
-+			 * If the interrupt is running in the thread
-+			 * context of the parent irq we need to be
-+			 * careful, because we cannot trigger it
-+			 * directly.
- 			 */
--			if (desc->parent_irq &&
--			    irq_settings_is_nested_thread(desc))
-+			if (irq_settings_is_nested_thread(desc)) {
-+				/*
-+				 * If the parent_irq is valid, we
-+				 * retrigger the parent, otherwise we
-+				 * do nothing.
-+				 */
-+				if (!desc->parent_irq)
-+					return;
- 				irq = desc->parent_irq;
-+			}
- 			/* Set it pending and activate the softirq: */
- 			set_bit(irq, irqs_resend);
- 			tasklet_schedule(&resend_tasklet);
-diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index 02bece4..eb11011 100644
---- a/kernel/trace/ftrace.c
-+++ b/kernel/trace/ftrace.c
-@@ -98,6 +98,13 @@ struct ftrace_pid {
- 	struct pid *pid;
- };
- 
-+static bool ftrace_pids_enabled(void)
-+{
-+	return !list_empty(&ftrace_pids);
-+}
-+
-+static void ftrace_update_trampoline(struct ftrace_ops *ops);
-+
- /*
-  * ftrace_disabled is set when an anomaly is discovered.
-  * ftrace_disabled is much stronger than ftrace_enabled.
-@@ -109,7 +116,6 @@ static DEFINE_MUTEX(ftrace_lock);
- static struct ftrace_ops *ftrace_control_list __read_mostly = &ftrace_list_end;
- static struct ftrace_ops *ftrace_ops_list __read_mostly = &ftrace_list_end;
- ftrace_func_t ftrace_trace_function __read_mostly = ftrace_stub;
--ftrace_func_t ftrace_pid_function __read_mostly = ftrace_stub;
- static struct ftrace_ops global_ops;
- static struct ftrace_ops control_ops;
- 
-@@ -183,14 +189,7 @@ static void ftrace_pid_func(unsigned long ip, unsigned long parent_ip,
- 	if (!test_tsk_trace_trace(current))
- 		return;
- 
--	ftrace_pid_function(ip, parent_ip, op, regs);
--}
--
--static void set_ftrace_pid_function(ftrace_func_t func)
--{
--	/* do not set ftrace_pid_function to itself! */
--	if (func != ftrace_pid_func)
--		ftrace_pid_function = func;
-+	op->saved_func(ip, parent_ip, op, regs);
- }
- 
- /**
-@@ -202,7 +201,6 @@ static void set_ftrace_pid_function(ftrace_func_t func)
- void clear_ftrace_function(void)
- {
- 	ftrace_trace_function = ftrace_stub;
--	ftrace_pid_function = ftrace_stub;
- }
- 
- static void control_ops_disable_all(struct ftrace_ops *ops)
-@@ -436,6 +434,12 @@ static int __register_ftrace_function(struct ftrace_ops *ops)
- 	} else
- 		add_ftrace_ops(&ftrace_ops_list, ops);
- 
-+	/* Always save the function, and reset at unregistering */
-+	ops->saved_func = ops->func;
-+
-+	if (ops->flags & FTRACE_OPS_FL_PID && ftrace_pids_enabled())
-+		ops->func = ftrace_pid_func;
-+
- 	ftrace_update_trampoline(ops);
- 
- 	if (ftrace_enabled)
-@@ -463,15 +467,28 @@ static int __unregister_ftrace_function(struct ftrace_ops *ops)
- 	if (ftrace_enabled)
- 		update_ftrace_function();
- 
-+	ops->func = ops->saved_func;
-+
- 	return 0;
- }
- 
- static void ftrace_update_pid_func(void)
- {
-+	bool enabled = ftrace_pids_enabled();
-+	struct ftrace_ops *op;
-+
- 	/* Only do something if we are tracing something */
- 	if (ftrace_trace_function == ftrace_stub)
- 		return;
- 
-+	do_for_each_ftrace_op(op, ftrace_ops_list) {
-+		if (op->flags & FTRACE_OPS_FL_PID) {
-+			op->func = enabled ? ftrace_pid_func :
-+				op->saved_func;
-+			ftrace_update_trampoline(op);
-+		}
-+	} while_for_each_ftrace_op(op);
-+
- 	update_ftrace_function();
- }
- 
-@@ -1133,7 +1150,8 @@ static struct ftrace_ops global_ops = {
- 	.local_hash.filter_hash		= EMPTY_HASH,
- 	INIT_OPS_HASH(global_ops)
- 	.flags				= FTRACE_OPS_FL_RECURSION_SAFE |
--					  FTRACE_OPS_FL_INITIALIZED,
-+					  FTRACE_OPS_FL_INITIALIZED |
-+					  FTRACE_OPS_FL_PID,
- };
- 
- /*
-@@ -5023,7 +5041,9 @@ static void ftrace_update_trampoline(struct ftrace_ops *ops)
- 
- static struct ftrace_ops global_ops = {
- 	.func			= ftrace_stub,
--	.flags			= FTRACE_OPS_FL_RECURSION_SAFE | FTRACE_OPS_FL_INITIALIZED,
-+	.flags			= FTRACE_OPS_FL_RECURSION_SAFE |
-+				  FTRACE_OPS_FL_INITIALIZED |
-+				  FTRACE_OPS_FL_PID,
- };
- 
- static int __init ftrace_nodyn_init(void)
-@@ -5080,11 +5100,6 @@ void ftrace_init_array_ops(struct trace_array *tr, ftrace_func_t func)
- 		if (WARN_ON(tr->ops->func != ftrace_stub))
- 			printk("ftrace ops had %pS for function\n",
- 			       tr->ops->func);
--		/* Only the top level instance does pid tracing */
--		if (!list_empty(&ftrace_pids)) {
--			set_ftrace_pid_function(func);
--			func = ftrace_pid_func;
--		}
- 	}
- 	tr->ops->func = func;
- 	tr->ops->private = tr;
-@@ -5371,7 +5386,7 @@ static void *fpid_start(struct seq_file *m, loff_t *pos)
- {
- 	mutex_lock(&ftrace_lock);
- 
--	if (list_empty(&ftrace_pids) && (!*pos))
-+	if (!ftrace_pids_enabled() && (!*pos))
- 		return (void *) 1;
- 
- 	return seq_list_start(&ftrace_pids, *pos);
-@@ -5610,6 +5625,7 @@ static struct ftrace_ops graph_ops = {
- 	.func			= ftrace_stub,
- 	.flags			= FTRACE_OPS_FL_RECURSION_SAFE |
- 				   FTRACE_OPS_FL_INITIALIZED |
-+				   FTRACE_OPS_FL_PID |
- 				   FTRACE_OPS_FL_STUB,
- #ifdef FTRACE_GRAPH_TRAMP_ADDR
- 	.trampoline		= FTRACE_GRAPH_TRAMP_ADDR,
-diff --git a/lib/dma-debug.c b/lib/dma-debug.c
-index ae4b65e..dace71f 100644
---- a/lib/dma-debug.c
-+++ b/lib/dma-debug.c
-@@ -574,6 +574,9 @@ void debug_dma_assert_idle(struct page *page)
- 	unsigned long flags;
- 	phys_addr_t cln;
- 
-+	if (dma_debug_disabled())
-+		return;
-+
- 	if (!page)
- 		return;
- 
-diff --git a/net/can/af_can.c b/net/can/af_can.c
-index 689c818..62c635f 100644
---- a/net/can/af_can.c
-+++ b/net/can/af_can.c
-@@ -89,6 +89,8 @@ struct timer_list can_stattimer;   /* timer for statistics update */
- struct s_stats    can_stats;       /* packet statistics */
- struct s_pstats   can_pstats;      /* receive list statistics */
- 
-+static atomic_t skbcounter = ATOMIC_INIT(0);
-+
- /*
-  * af_can socket functions
-  */
-@@ -310,12 +312,8 @@ int can_send(struct sk_buff *skb, int loop)
- 		return err;
- 	}
- 
--	if (newskb) {
--		if (!(newskb->tstamp.tv64))
--			__net_timestamp(newskb);
--
-+	if (newskb)
- 		netif_rx_ni(newskb);
--	}
- 
- 	/* update statistics */
- 	can_stats.tx_frames++;
-@@ -683,6 +681,10 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev)
- 	can_stats.rx_frames++;
- 	can_stats.rx_frames_delta++;
- 
-+	/* create non-zero unique skb identifier together with *skb */
-+	while (!(can_skb_prv(skb)->skbcnt))
-+		can_skb_prv(skb)->skbcnt = atomic_inc_return(&skbcounter);
-+
- 	rcu_read_lock();
- 
- 	/* deliver the packet to sockets listening on all devices */
-diff --git a/net/can/bcm.c b/net/can/bcm.c
-index b523453..a1ba687 100644
---- a/net/can/bcm.c
-+++ b/net/can/bcm.c
-@@ -261,6 +261,7 @@ static void bcm_can_tx(struct bcm_op *op)
- 
- 	can_skb_reserve(skb);
- 	can_skb_prv(skb)->ifindex = dev->ifindex;
-+	can_skb_prv(skb)->skbcnt = 0;
- 
- 	memcpy(skb_put(skb, CFSIZ), cf, CFSIZ);
- 
-@@ -1217,6 +1218,7 @@ static int bcm_tx_send(struct msghdr *msg, int ifindex, struct sock *sk)
- 	}
- 
- 	can_skb_prv(skb)->ifindex = dev->ifindex;
-+	can_skb_prv(skb)->skbcnt = 0;
- 	skb->dev = dev;
- 	can_skb_set_owner(skb, sk);
- 	err = can_send(skb, 1); /* send with loopback */
-diff --git a/net/can/raw.c b/net/can/raw.c
-index 31b9748..2e67b14 100644
---- a/net/can/raw.c
-+++ b/net/can/raw.c
-@@ -75,7 +75,7 @@ MODULE_ALIAS("can-proto-1");
-  */
- 
- struct uniqframe {
--	ktime_t tstamp;
-+	int skbcnt;
- 	const struct sk_buff *skb;
- 	unsigned int join_rx_count;
- };
-@@ -133,7 +133,7 @@ static void raw_rcv(struct sk_buff *oskb, void *data)
- 
- 	/* eliminate multiple filter matches for the same skb */
- 	if (this_cpu_ptr(ro->uniq)->skb == oskb &&
--	    ktime_equal(this_cpu_ptr(ro->uniq)->tstamp, oskb->tstamp)) {
-+	    this_cpu_ptr(ro->uniq)->skbcnt == can_skb_prv(oskb)->skbcnt) {
- 		if (ro->join_filters) {
- 			this_cpu_inc(ro->uniq->join_rx_count);
- 			/* drop frame until all enabled filters matched */
-@@ -144,7 +144,7 @@ static void raw_rcv(struct sk_buff *oskb, void *data)
- 		}
- 	} else {
- 		this_cpu_ptr(ro->uniq)->skb = oskb;
--		this_cpu_ptr(ro->uniq)->tstamp = oskb->tstamp;
-+		this_cpu_ptr(ro->uniq)->skbcnt = can_skb_prv(oskb)->skbcnt;
- 		this_cpu_ptr(ro->uniq)->join_rx_count = 1;
- 		/* drop first frame to check all enabled filters? */
- 		if (ro->join_filters && ro->count > 1)
-@@ -749,6 +749,7 @@ static int raw_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
- 
- 	can_skb_reserve(skb);
- 	can_skb_prv(skb)->ifindex = dev->ifindex;
-+	can_skb_prv(skb)->skbcnt = 0;
- 
- 	err = memcpy_from_msg(skb_put(skb, size), msg, size);
- 	if (err < 0)
-diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
-index 29236e8..c09c013 100644
---- a/net/mac80211/debugfs_netdev.c
-+++ b/net/mac80211/debugfs_netdev.c
-@@ -723,6 +723,7 @@ void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
- 
- 	debugfs_remove_recursive(sdata->vif.debugfs_dir);
- 	sdata->vif.debugfs_dir = NULL;
-+	sdata->debugfs.subdir_stations = NULL;
- }
- 
- void ieee80211_debugfs_rename_netdev(struct ieee80211_sub_if_data *sdata)
-diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
-index 273b8bf..657ba9f 100644
---- a/net/rds/ib_rdma.c
-+++ b/net/rds/ib_rdma.c
-@@ -759,8 +759,10 @@ void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents,
- 	}
- 
- 	ibmr = rds_ib_alloc_fmr(rds_ibdev);
--	if (IS_ERR(ibmr))
-+	if (IS_ERR(ibmr)) {
-+		rds_ib_dev_put(rds_ibdev);
- 		return ibmr;
-+	}
- 
- 	ret = rds_ib_map_fmr(rds_ibdev, ibmr, sg, nents);
- 	if (ret == 0)
-diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
-index d126c03..75888dd 100644
---- a/sound/core/pcm_native.c
-+++ b/sound/core/pcm_native.c
-@@ -85,7 +85,7 @@ static DECLARE_RWSEM(snd_pcm_link_rwsem);
- void snd_pcm_stream_lock(struct snd_pcm_substream *substream)
- {
- 	if (substream->pcm->nonatomic) {
--		down_read(&snd_pcm_link_rwsem);
-+		down_read_nested(&snd_pcm_link_rwsem, SINGLE_DEPTH_NESTING);
- 		mutex_lock(&substream->self_group.mutex);
- 	} else {
- 		read_lock(&snd_pcm_link_rwlock);
-diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
-index c403dd1..44dfc7b 100644
---- a/sound/pci/hda/hda_intel.c
-+++ b/sound/pci/hda/hda_intel.c
-@@ -2056,6 +2056,8 @@ static const struct pci_device_id azx_ids[] = {
- 	/* ATI HDMI */
- 	{ PCI_DEVICE(0x1002, 0x1308),
- 	  .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
-+	{ PCI_DEVICE(0x1002, 0x157a),
-+	  .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
- 	{ PCI_DEVICE(0x1002, 0x793b),
- 	  .driver_data = AZX_DRIVER_ATIHDMI | AZX_DCAPS_PRESET_ATI_HDMI },
- 	{ PCI_DEVICE(0x1002, 0x7919),
-@@ -2110,8 +2112,14 @@ static const struct pci_device_id azx_ids[] = {
- 	  .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
- 	{ PCI_DEVICE(0x1002, 0xaab0),
- 	  .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
-+	{ PCI_DEVICE(0x1002, 0xaac0),
-+	  .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
- 	{ PCI_DEVICE(0x1002, 0xaac8),
- 	  .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
-+	{ PCI_DEVICE(0x1002, 0xaad8),
-+	  .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
-+	{ PCI_DEVICE(0x1002, 0xaae8),
-+	  .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
- 	/* VIA VT8251/VT8237A */
- 	{ PCI_DEVICE(0x1106, 0x3288),
- 	  .driver_data = AZX_DRIVER_VIA | AZX_DCAPS_POSFIX_VIA },
-diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
-index 5f44f60..225b78b 100644
---- a/sound/pci/hda/patch_hdmi.c
-+++ b/sound/pci/hda/patch_hdmi.c
-@@ -3333,6 +3333,7 @@ static const struct hda_codec_preset snd_hda_preset_hdmi[] = {
- { .id = 0x10de0070, .name = "GPU 70 HDMI/DP",	.patch = patch_nvhdmi },
- { .id = 0x10de0071, .name = "GPU 71 HDMI/DP",	.patch = patch_nvhdmi },
- { .id = 0x10de0072, .name = "GPU 72 HDMI/DP",	.patch = patch_nvhdmi },
-+{ .id = 0x10de007d, .name = "GPU 7d HDMI/DP",	.patch = patch_nvhdmi },
- { .id = 0x10de8001, .name = "MCP73 HDMI",	.patch = patch_nvhdmi_2ch },
- { .id = 0x11069f80, .name = "VX900 HDMI/DP",	.patch = patch_via_hdmi },
- { .id = 0x11069f81, .name = "VX900 HDMI/DP",	.patch = patch_via_hdmi },
-@@ -3396,6 +3397,7 @@ MODULE_ALIAS("snd-hda-codec-id:10de0067");
- MODULE_ALIAS("snd-hda-codec-id:10de0070");
- MODULE_ALIAS("snd-hda-codec-id:10de0071");
- MODULE_ALIAS("snd-hda-codec-id:10de0072");
-+MODULE_ALIAS("snd-hda-codec-id:10de007d");
- MODULE_ALIAS("snd-hda-codec-id:10de8001");
- MODULE_ALIAS("snd-hda-codec-id:11069f80");
- MODULE_ALIAS("snd-hda-codec-id:11069f81");
-diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index 0e75998..590bcfb0 100644
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -2224,7 +2224,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
- 	SND_PCI_QUIRK(0x106b, 0x4300, "iMac 9,1", ALC889_FIXUP_IMAC91_VREF),
- 	SND_PCI_QUIRK(0x106b, 0x4600, "MacbookPro 5,2", ALC889_FIXUP_IMAC91_VREF),
- 	SND_PCI_QUIRK(0x106b, 0x4900, "iMac 9,1 Aluminum", ALC889_FIXUP_IMAC91_VREF),
--	SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_IMAC91_VREF),
-+	SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_MBA11_VREF),
- 
- 	SND_PCI_QUIRK(0x1071, 0x8258, "Evesham Voyaeger", ALC882_FIXUP_EAPD),
- 	SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD),
-@@ -5004,7 +5004,7 @@ static const struct hda_fixup alc269_fixups[] = {
- 			{ 0x14, 0x90170110 },
- 			{ 0x17, 0x40000008 },
- 			{ 0x18, 0x411111f0 },
--			{ 0x19, 0x411111f0 },
-+			{ 0x19, 0x01a1913c },
- 			{ 0x1a, 0x411111f0 },
- 			{ 0x1b, 0x411111f0 },
- 			{ 0x1d, 0x40f89b2d },
-@@ -5114,6 +5114,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
- 	SND_PCI_QUIRK(0x1028, 0x064a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
- 	SND_PCI_QUIRK(0x1028, 0x064b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
- 	SND_PCI_QUIRK(0x1028, 0x0665, "Dell XPS 13", ALC288_FIXUP_DELL_XPS_13),
-+	SND_PCI_QUIRK(0x1028, 0x069a, "Dell Vostro 5480", ALC290_FIXUP_SUBWOOFER_HSJACK),
- 	SND_PCI_QUIRK(0x1028, 0x06c7, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE),
- 	SND_PCI_QUIRK(0x1028, 0x06d9, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
- 	SND_PCI_QUIRK(0x1028, 0x06da, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
-@@ -5382,6 +5383,17 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
- 		{0x1d, 0x40700001},
- 		{0x21, 0x02211030}),
- 	SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
-+		{0x12, 0x40000000},
-+		{0x14, 0x90170130},
-+		{0x17, 0x411111f0},
-+		{0x18, 0x411111f0},
-+		{0x19, 0x411111f0},
-+		{0x1a, 0x411111f0},
-+		{0x1b, 0x01014020},
-+		{0x1d, 0x4054c029},
-+		{0x1e, 0x411111f0},
-+		{0x21, 0x0221103f}),
-+	SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
- 		{0x12, 0x90a60160},
- 		{0x14, 0x90170120},
- 		{0x17, 0x90170140},
-diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
-index 6c66d7e..25f0f45 100644
---- a/sound/pci/hda/patch_sigmatel.c
-+++ b/sound/pci/hda/patch_sigmatel.c
-@@ -2920,7 +2920,8 @@ static const struct snd_pci_quirk stac92hd83xxx_fixup_tbl[] = {
- 	SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x148a,
- 		      "HP Mini", STAC_92HD83XXX_HP_LED),
- 	SND_PCI_QUIRK_VENDOR(PCI_VENDOR_ID_HP, "HP", STAC_92HD83XXX_HP),
--	SND_PCI_QUIRK(PCI_VENDOR_ID_TOSHIBA, 0xfa91,
-+	/* match both for 0xfa91 and 0xfa93 */
-+	SND_PCI_QUIRK_MASK(PCI_VENDOR_ID_TOSHIBA, 0xfffd, 0xfa91,
- 		      "Toshiba Satellite S50D", STAC_92HD83XXX_GPIO10_EAPD),
- 	{} /* terminator */
- };
-diff --git a/sound/usb/line6/pcm.c b/sound/usb/line6/pcm.c
-index 8461d6b..204cc07 100644
---- a/sound/usb/line6/pcm.c
-+++ b/sound/usb/line6/pcm.c
-@@ -186,12 +186,8 @@ static int line6_stream_start(struct snd_line6_pcm *line6pcm, int direction,
- 	int ret = 0;
- 
- 	spin_lock_irqsave(&pstr->lock, flags);
--	if (!test_and_set_bit(type, &pstr->running)) {
--		if (pstr->active_urbs || pstr->unlink_urbs) {
--			ret = -EBUSY;
--			goto error;
--		}
--
-+	if (!test_and_set_bit(type, &pstr->running) &&
-+	    !(pstr->active_urbs || pstr->unlink_urbs)) {
- 		pstr->count = 0;
- 		/* Submit all currently available URBs */
- 		if (direction == SNDRV_PCM_STREAM_PLAYBACK)
-@@ -199,7 +195,6 @@ static int line6_stream_start(struct snd_line6_pcm *line6pcm, int direction,
- 		else
- 			ret = line6_submit_audio_in_all_urbs(line6pcm);
- 	}
-- error:
- 	if (ret < 0)
- 		clear_bit(type, &pstr->running);
- 	spin_unlock_irqrestore(&pstr->lock, flags);
-diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c
-index e5000da..6a803ef 100644
---- a/sound/usb/mixer_maps.c
-+++ b/sound/usb/mixer_maps.c
-@@ -341,6 +341,20 @@ static const struct usbmix_name_map scms_usb3318_map[] = {
- 	{ 0 }
- };
- 
-+/* Bose companion 5, the dB conversion factor is 16 instead of 256 */
-+static struct usbmix_dB_map bose_companion5_dB = {-5006, -6};
-+static struct usbmix_name_map bose_companion5_map[] = {
-+	{ 3, NULL, .dB = &bose_companion5_dB },
-+	{ 0 }	/* terminator */
-+};
-+
-+/* Dragonfly DAC 1.2, the dB conversion factor is 1 instead of 256 */
-+static struct usbmix_dB_map dragonfly_1_2_dB = {0, 5000};
-+static struct usbmix_name_map dragonfly_1_2_map[] = {
-+	{ 7, NULL, .dB = &dragonfly_1_2_dB },
-+	{ 0 }	/* terminator */
-+};
-+
- /*
-  * Control map entries
-  */
-@@ -451,6 +465,16 @@ static struct usbmix_ctl_map usbmix_ctl_maps[] = {
- 		.id = USB_ID(0x25c4, 0x0003),
- 		.map = scms_usb3318_map,
- 	},
-+	{
-+		/* Bose Companion 5 */
-+		.id = USB_ID(0x05a7, 0x1020),
-+		.map = bose_companion5_map,
-+	},
-+	{
-+		/* Dragonfly DAC 1.2 */
-+		.id = USB_ID(0x21b4, 0x0081),
-+		.map = dragonfly_1_2_map,
-+	},
- 	{ 0 } /* terminator */
- };
- 
-diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
-index 2f6d3e9..e475665 100644
---- a/sound/usb/quirks-table.h
-+++ b/sound/usb/quirks-table.h
-@@ -2512,6 +2512,74 @@ YAMAHA_DEVICE(0x7010, "UB99"),
- 	}
- },
- 
-+/* Steinberg devices */
-+{
-+	/* Steinberg MI2 */
-+	USB_DEVICE_VENDOR_SPEC(0x0a4e, 0x2040),
-+	.driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
-+		.ifnum = QUIRK_ANY_INTERFACE,
-+		.type = QUIRK_COMPOSITE,
-+		.data = & (const struct snd_usb_audio_quirk[]) {
-+			{
-+				.ifnum = 0,
-+				.type = QUIRK_AUDIO_STANDARD_INTERFACE
-+			},
-+			{
-+				.ifnum = 1,
-+				.type = QUIRK_AUDIO_STANDARD_INTERFACE
-+			},
-+			{
-+				.ifnum = 2,
-+				.type = QUIRK_AUDIO_STANDARD_INTERFACE
-+			},
-+			{
-+				.ifnum = 3,
-+				.type = QUIRK_MIDI_FIXED_ENDPOINT,
-+				.data = &(const struct snd_usb_midi_endpoint_info) {
-+					.out_cables = 0x0001,
-+					.in_cables  = 0x0001
-+				}
-+			},
-+			{
-+				.ifnum = -1
-+			}
-+		}
-+	}
-+},
-+{
-+	/* Steinberg MI4 */
-+	USB_DEVICE_VENDOR_SPEC(0x0a4e, 0x4040),
-+	.driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
-+		.ifnum = QUIRK_ANY_INTERFACE,
-+		.type = QUIRK_COMPOSITE,
-+		.data = & (const struct snd_usb_audio_quirk[]) {
-+			{
-+				.ifnum = 0,
-+				.type = QUIRK_AUDIO_STANDARD_INTERFACE
-+			},
-+			{
-+				.ifnum = 1,
-+				.type = QUIRK_AUDIO_STANDARD_INTERFACE
-+			},
-+			{
-+				.ifnum = 2,
-+				.type = QUIRK_AUDIO_STANDARD_INTERFACE
-+			},
-+			{
-+				.ifnum = 3,
-+				.type = QUIRK_MIDI_FIXED_ENDPOINT,
-+				.data = &(const struct snd_usb_midi_endpoint_info) {
-+					.out_cables = 0x0001,
-+					.in_cables  = 0x0001
-+				}
-+			},
-+			{
-+				.ifnum = -1
-+			}
-+		}
-+	}
-+},
-+
- /* TerraTec devices */
- {
- 	USB_DEVICE_VENDOR_SPEC(0x0ccd, 0x0012),
-diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
-index 995b7a8..658b0a8 100644
---- a/tools/perf/ui/browsers/hists.c
-+++ b/tools/perf/ui/browsers/hists.c
-@@ -45,7 +45,7 @@ static struct rb_node *hists__filter_entries(struct rb_node *nd,
- 
- static bool hist_browser__has_filter(struct hist_browser *hb)
- {
--	return hists__has_filter(hb->hists) || hb->min_pcnt;
-+	return hists__has_filter(hb->hists) || hb->min_pcnt || symbol_conf.has_filter;
- }
- 
- static int hist_browser__get_folding(struct hist_browser *browser)
-diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c
-index 201f6c4c..99378a5 100644
---- a/tools/perf/util/symbol.c
-+++ b/tools/perf/util/symbol.c
-@@ -1893,6 +1893,8 @@ int setup_intlist(struct intlist **list, const char *list_str,
- 		pr_err("problems parsing %s list\n", list_name);
- 		return -1;
- 	}
-+
-+	symbol_conf.has_filter = true;
- 	return 0;
- }
- 
-diff --git a/tools/perf/util/symbol.h b/tools/perf/util/symbol.h
-index 0956150..be02179 100644
---- a/tools/perf/util/symbol.h
-+++ b/tools/perf/util/symbol.h
-@@ -105,7 +105,8 @@ struct symbol_conf {
- 			demangle_kernel,
- 			filter_relative,
- 			show_hist_headers,
--			branch_callstack;
-+			branch_callstack,
-+			has_filter;
- 	const char	*vmlinux_name,
- 			*kallsyms_name,
- 			*source_prefix,
diff --git a/4.1.5/0000_README b/4.1.6/0000_README
index 68f1c28..ddf2d35 100644
--- a/4.1.5/0000_README
+++ b/4.1.6/0000_README
@@ -2,11 +2,11 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	1004_linux-4.1.5.patch
+Patch:	1005_linux-4.1.6.patch
 From:	http://www.kernel.org
-Desc:	Linux 4.1.5
+Desc:	Linux 4.1.6
 
-Patch:	4420_grsecurity-3.1-4.1.5-201508142233.patch
+Patch:	4420_grsecurity-3.1-4.1.6-201508181953.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/4.1.6/1005_linux-4.1.6.patch b/4.1.6/1005_linux-4.1.6.patch
new file mode 100644
index 0000000..0cc52e5
--- /dev/null
+++ b/4.1.6/1005_linux-4.1.6.patch
@@ -0,0 +1,4380 @@
+diff --git a/Documentation/devicetree/bindings/clock/keystone-pll.txt b/Documentation/devicetree/bindings/clock/keystone-pll.txt
+index 225990f..47570d2 100644
+--- a/Documentation/devicetree/bindings/clock/keystone-pll.txt
++++ b/Documentation/devicetree/bindings/clock/keystone-pll.txt
+@@ -15,8 +15,8 @@ Required properties:
+ - compatible : shall be "ti,keystone,main-pll-clock" or "ti,keystone,pll-clock"
+ - clocks : parent clock phandle
+ - reg - pll control0 and pll multipler registers
+-- reg-names : control and multiplier. The multiplier is applicable only for
+-		main pll clock
++- reg-names : control, multiplier and post-divider. The multiplier and
++		post-divider registers are applicable only for main pll clock
+ - fixed-postdiv : fixed post divider value. If absent, use clkod register bits
+ 		for postdiv
+ 
+@@ -25,8 +25,8 @@ Example:
+ 		#clock-cells = <0>;
+ 		compatible = "ti,keystone,main-pll-clock";
+ 		clocks = <&refclksys>;
+-		reg = <0x02620350 4>, <0x02310110 4>;
+-		reg-names = "control", "multiplier";
++		reg = <0x02620350 4>, <0x02310110 4>, <0x02310108 4>;
++		reg-names = "control", "multiplier", "post-divider";
+ 		fixed-postdiv = <2>;
+ 	};
+ 
+diff --git a/Documentation/input/alps.txt b/Documentation/input/alps.txt
+index c86f2f1..1fec113 100644
+--- a/Documentation/input/alps.txt
++++ b/Documentation/input/alps.txt
+@@ -119,8 +119,10 @@ ALPS Absolute Mode - Protocol Version 2
+  byte 5:  0   z6   z5   z4   z3   z2   z1   z0
+ 
+ Protocol Version 2 DualPoint devices send standard PS/2 mouse packets for
+-the DualPoint Stick. For non interleaved dualpoint devices the pointingstick
+-buttons get reported separately in the PSM, PSR and PSL bits.
++the DualPoint Stick. The M, R and L bits signal the combined status of both
++the pointingstick and touchpad buttons, except for Dell dualpoint devices
++where the pointingstick buttons get reported separately in the PSM, PSR
++and PSL bits.
+ 
+ Dualpoint device -- interleaved packet format
+ ---------------------------------------------
+diff --git a/Makefile b/Makefile
+index 068dd69..838dabc 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 1
+-SUBLEVEL = 5
++SUBLEVEL = 6
+ EXTRAVERSION =
+ NAME = Series 4800
+ 
+diff --git a/arch/arm/boot/dts/imx35.dtsi b/arch/arm/boot/dts/imx35.dtsi
+index b6478e9..e6540b5 100644
+--- a/arch/arm/boot/dts/imx35.dtsi
++++ b/arch/arm/boot/dts/imx35.dtsi
+@@ -286,8 +286,8 @@
+ 			can1: can@53fe4000 {
+ 				compatible = "fsl,imx35-flexcan", "fsl,p1010-flexcan";
+ 				reg = <0x53fe4000 0x1000>;
+-				clocks = <&clks 33>;
+-				clock-names = "ipg";
++				clocks = <&clks 33>, <&clks 33>;
++				clock-names = "ipg", "per";
+ 				interrupts = <43>;
+ 				status = "disabled";
+ 			};
+@@ -295,8 +295,8 @@
+ 			can2: can@53fe8000 {
+ 				compatible = "fsl,imx35-flexcan", "fsl,p1010-flexcan";
+ 				reg = <0x53fe8000 0x1000>;
+-				clocks = <&clks 34>;
+-				clock-names = "ipg";
++				clocks = <&clks 34>, <&clks 34>;
++				clock-names = "ipg", "per";
+ 				interrupts = <44>;
+ 				status = "disabled";
+ 			};
+diff --git a/arch/arm/boot/dts/k2e-clocks.dtsi b/arch/arm/boot/dts/k2e-clocks.dtsi
+index 4773d6a..d56d68f 100644
+--- a/arch/arm/boot/dts/k2e-clocks.dtsi
++++ b/arch/arm/boot/dts/k2e-clocks.dtsi
+@@ -13,9 +13,8 @@ clocks {
+ 		#clock-cells = <0>;
+ 		compatible = "ti,keystone,main-pll-clock";
+ 		clocks = <&refclksys>;
+-		reg = <0x02620350 4>, <0x02310110 4>;
+-		reg-names = "control", "multiplier";
+-		fixed-postdiv = <2>;
++		reg = <0x02620350 4>, <0x02310110 4>, <0x02310108 4>;
++		reg-names = "control", "multiplier", "post-divider";
+ 	};
+ 
+ 	papllclk: papllclk@2620358 {
+diff --git a/arch/arm/boot/dts/k2hk-clocks.dtsi b/arch/arm/boot/dts/k2hk-clocks.dtsi
+index d5adee3..af9b719 100644
+--- a/arch/arm/boot/dts/k2hk-clocks.dtsi
++++ b/arch/arm/boot/dts/k2hk-clocks.dtsi
+@@ -22,9 +22,8 @@ clocks {
+ 		#clock-cells = <0>;
+ 		compatible = "ti,keystone,main-pll-clock";
+ 		clocks = <&refclksys>;
+-		reg = <0x02620350 4>, <0x02310110 4>;
+-		reg-names = "control", "multiplier";
+-		fixed-postdiv = <2>;
++		reg = <0x02620350 4>, <0x02310110 4>, <0x02310108 4>;
++		reg-names = "control", "multiplier", "post-divider";
+ 	};
+ 
+ 	papllclk: papllclk@2620358 {
+diff --git a/arch/arm/boot/dts/k2l-clocks.dtsi b/arch/arm/boot/dts/k2l-clocks.dtsi
+index eb1e3e2..ef8464b 100644
+--- a/arch/arm/boot/dts/k2l-clocks.dtsi
++++ b/arch/arm/boot/dts/k2l-clocks.dtsi
+@@ -22,9 +22,8 @@ clocks {
+ 		#clock-cells = <0>;
+ 		compatible = "ti,keystone,main-pll-clock";
+ 		clocks = <&refclksys>;
+-		reg = <0x02620350 4>, <0x02310110 4>;
+-		reg-names = "control", "multiplier";
+-		fixed-postdiv = <2>;
++		reg = <0x02620350 4>, <0x02310110 4>, <0x02310108 4>;
++		reg-names = "control", "multiplier", "post-divider";
+ 	};
+ 
+ 	papllclk: papllclk@2620358 {
+diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
+index 752969f..5286e77 100644
+--- a/arch/arm/mach-omap2/omap_hwmod.c
++++ b/arch/arm/mach-omap2/omap_hwmod.c
+@@ -2373,6 +2373,9 @@ static int of_dev_hwmod_lookup(struct device_node *np,
+  * registers.  This address is needed early so the OCP registers that
+  * are part of the device's address space can be ioremapped properly.
+  *
++ * If SYSC access is not needed, the registers will not be remapped
++ * and non-availability of MPU access is not treated as an error.
++ *
+  * Returns 0 on success, -EINVAL if an invalid hwmod is passed, and
+  * -ENXIO on absent or invalid register target address space.
+  */
+@@ -2387,6 +2390,11 @@ static int __init _init_mpu_rt_base(struct omap_hwmod *oh, void *data,
+ 
+ 	_save_mpu_port_index(oh);
+ 
++	/* if we don't need sysc access we don't need to ioremap */
++	if (!oh->class->sysc)
++		return 0;
++
++	/* we can't continue without MPU PORT if we need sysc access */
+ 	if (oh->_int_flags & _HWMOD_NO_MPU_PORT)
+ 		return -ENXIO;
+ 
+@@ -2396,8 +2404,10 @@ static int __init _init_mpu_rt_base(struct omap_hwmod *oh, void *data,
+ 			 oh->name);
+ 
+ 		/* Extract the IO space from device tree blob */
+-		if (!np)
++		if (!np) {
++			pr_err("omap_hwmod: %s: no dt node\n", oh->name);
+ 			return -ENXIO;
++		}
+ 
+ 		va_start = of_iomap(np, index + oh->mpu_rt_idx);
+ 	} else {
+@@ -2456,13 +2466,11 @@ static int __init _init(struct omap_hwmod *oh, void *data)
+ 				oh->name, np->name);
+ 	}
+ 
+-	if (oh->class->sysc) {
+-		r = _init_mpu_rt_base(oh, NULL, index, np);
+-		if (r < 0) {
+-			WARN(1, "omap_hwmod: %s: doesn't have mpu register target base\n",
+-			     oh->name);
+-			return 0;
+-		}
++	r = _init_mpu_rt_base(oh, NULL, index, np);
++	if (r < 0) {
++		WARN(1, "omap_hwmod: %s: doesn't have mpu register target base\n",
++		     oh->name);
++		return 0;
+ 	}
+ 
+ 	r = _init_clocks(oh, NULL);
+diff --git a/arch/arm64/kernel/signal32.c b/arch/arm64/kernel/signal32.c
+index d26fcd4..c0cff34 100644
+--- a/arch/arm64/kernel/signal32.c
++++ b/arch/arm64/kernel/signal32.c
+@@ -168,7 +168,8 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from)
+ 		 * Other callers might not initialize the si_lsb field,
+ 		 * so check explicitely for the right codes here.
+ 		 */
+-		if (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO)
++		if (from->si_signo == SIGBUS &&
++		    (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO))
+ 			err |= __put_user(from->si_addr_lsb, &to->si_addr_lsb);
+ #endif
+ 		break;
+@@ -201,8 +202,6 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from)
+ 
+ int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from)
+ {
+-	memset(to, 0, sizeof *to);
+-
+ 	if (copy_from_user(to, from, __ARCH_SI_PREAMBLE_SIZE) ||
+ 	    copy_from_user(to->_sifields._pad,
+ 			   from->_sifields._pad, SI_PAD_SIZE))
+diff --git a/arch/mips/ath79/setup.c b/arch/mips/ath79/setup.c
+index 7fc8397..fd2a36a 100644
+--- a/arch/mips/ath79/setup.c
++++ b/arch/mips/ath79/setup.c
+@@ -186,6 +186,7 @@ int get_c0_perfcount_int(void)
+ {
+ 	return ATH79_MISC_IRQ(5);
+ }
++EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
+ 
+ unsigned int get_c0_compare_int(void)
+ {
+diff --git a/arch/mips/include/asm/mach-bcm63xx/dma-coherence.h b/arch/mips/include/asm/mach-bcm63xx/dma-coherence.h
+deleted file mode 100644
+index 11d3b57..0000000
+--- a/arch/mips/include/asm/mach-bcm63xx/dma-coherence.h
++++ /dev/null
+@@ -1,10 +0,0 @@
+-#ifndef __ASM_MACH_BCM63XX_DMA_COHERENCE_H
+-#define __ASM_MACH_BCM63XX_DMA_COHERENCE_H
+-
+-#include <asm/bmips.h>
+-
+-#define plat_post_dma_flush	bmips_post_dma_flush
+-
+-#include <asm/mach-generic/dma-coherence.h>
+-
+-#endif /* __ASM_MACH_BCM63XX_DMA_COHERENCE_H */
+diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
+index 819af9d..70f6e7f 100644
+--- a/arch/mips/include/asm/pgtable.h
++++ b/arch/mips/include/asm/pgtable.h
+@@ -182,8 +182,39 @@ static inline void set_pte(pte_t *ptep, pte_t pteval)
+ 		 * Make sure the buddy is global too (if it's !none,
+ 		 * it better already be global)
+ 		 */
++#ifdef CONFIG_SMP
++		/*
++		 * For SMP, multiple CPUs can race, so we need to do
++		 * this atomically.
++		 */
++#ifdef CONFIG_64BIT
++#define LL_INSN "lld"
++#define SC_INSN "scd"
++#else /* CONFIG_32BIT */
++#define LL_INSN "ll"
++#define SC_INSN "sc"
++#endif
++		unsigned long page_global = _PAGE_GLOBAL;
++		unsigned long tmp;
++
++		__asm__ __volatile__ (
++			"	.set	push\n"
++			"	.set	noreorder\n"
++			"1:	" LL_INSN "	%[tmp], %[buddy]\n"
++			"	bnez	%[tmp], 2f\n"
++			"	 or	%[tmp], %[tmp], %[global]\n"
++			"	" SC_INSN "	%[tmp], %[buddy]\n"
++			"	beqz	%[tmp], 1b\n"
++			"	 nop\n"
++			"2:\n"
++			"	.set pop"
++			: [buddy] "+m" (buddy->pte),
++			  [tmp] "=&r" (tmp)
++			: [global] "r" (page_global));
++#else /* !CONFIG_SMP */
+ 		if (pte_none(*buddy))
+ 			pte_val(*buddy) = pte_val(*buddy) | _PAGE_GLOBAL;
++#endif /* CONFIG_SMP */
+ 	}
+ #endif
+ }
+diff --git a/arch/mips/include/asm/stackframe.h b/arch/mips/include/asm/stackframe.h
+index 28d6d93..a71da57 100644
+--- a/arch/mips/include/asm/stackframe.h
++++ b/arch/mips/include/asm/stackframe.h
+@@ -152,6 +152,31 @@
+ 		.set	noreorder
+ 		bltz	k0, 8f
+ 		 move	k1, sp
++#ifdef CONFIG_EVA
++		/*
++		 * Flush interAptiv's Return Prediction Stack (RPS) by writing
++		 * EntryHi. Toggling Config7.RPS is slower and less portable.
++		 *
++		 * The RPS isn't automatically flushed when exceptions are
++		 * taken, which can result in kernel mode speculative accesses
++		 * to user addresses if the RPS mispredicts. That's harmless
++		 * when user and kernel share the same address space, but with
++		 * EVA the same user segments may be unmapped to kernel mode,
++		 * even containing sensitive MMIO regions or invalid memory.
++		 *
++		 * This can happen when the kernel sets the return address to
++		 * ret_from_* and jr's to the exception handler, which looks
++		 * more like a tail call than a function call. If nested calls
++		 * don't evict the last user address in the RPS, it will
++		 * mispredict the return and fetch from a user controlled
++		 * address into the icache.
++		 *
++		 * More recent EVA-capable cores with MAAR to restrict
++		 * speculative accesses aren't affected.
++		 */
++		MFC0	k0, CP0_ENTRYHI
++		MTC0	k0, CP0_ENTRYHI
++#endif
+ 		.set	reorder
+ 		/* Called from user mode, new stack. */
+ 		get_saved_sp
+diff --git a/arch/mips/kernel/mips-mt-fpaff.c b/arch/mips/kernel/mips-mt-fpaff.c
+index 3e4491a..789d7bf 100644
+--- a/arch/mips/kernel/mips-mt-fpaff.c
++++ b/arch/mips/kernel/mips-mt-fpaff.c
+@@ -154,7 +154,7 @@ asmlinkage long mipsmt_sys_sched_getaffinity(pid_t pid, unsigned int len,
+ 				      unsigned long __user *user_mask_ptr)
+ {
+ 	unsigned int real_len;
+-	cpumask_t mask;
++	cpumask_t allowed, mask;
+ 	int retval;
+ 	struct task_struct *p;
+ 
+@@ -173,7 +173,8 @@ asmlinkage long mipsmt_sys_sched_getaffinity(pid_t pid, unsigned int len,
+ 	if (retval)
+ 		goto out_unlock;
+ 
+-	cpumask_and(&mask, &p->thread.user_cpus_allowed, cpu_possible_mask);
++	cpumask_or(&allowed, &p->thread.user_cpus_allowed, &p->cpus_allowed);
++	cpumask_and(&mask, &allowed, cpu_active_mask);
+ 
+ out_unlock:
+ 	read_unlock(&tasklist_lock);
+diff --git a/arch/mips/kernel/relocate_kernel.S b/arch/mips/kernel/relocate_kernel.S
+index 74bab9d..c6bbf21 100644
+--- a/arch/mips/kernel/relocate_kernel.S
++++ b/arch/mips/kernel/relocate_kernel.S
+@@ -24,7 +24,7 @@ LEAF(relocate_new_kernel)
+ 
+ process_entry:
+ 	PTR_L		s2, (s0)
+-	PTR_ADD		s0, s0, SZREG
++	PTR_ADDIU	s0, s0, SZREG
+ 
+ 	/*
+ 	 * In case of a kdump/crash kernel, the indirection page is not
+@@ -61,9 +61,9 @@ copy_word:
+ 	/* copy page word by word */
+ 	REG_L		s5, (s2)
+ 	REG_S		s5, (s4)
+-	PTR_ADD		s4, s4, SZREG
+-	PTR_ADD		s2, s2, SZREG
+-	LONG_SUB	s6, s6, 1
++	PTR_ADDIU	s4, s4, SZREG
++	PTR_ADDIU	s2, s2, SZREG
++	LONG_ADDIU	s6, s6, -1
+ 	beq		s6, zero, process_entry
+ 	b		copy_word
+ 	b		process_entry
+diff --git a/arch/mips/kernel/signal32.c b/arch/mips/kernel/signal32.c
+index 19a7705..5d7f263 100644
+--- a/arch/mips/kernel/signal32.c
++++ b/arch/mips/kernel/signal32.c
+@@ -409,8 +409,6 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from)
+ 
+ int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from)
+ {
+-	memset(to, 0, sizeof *to);
+-
+ 	if (copy_from_user(to, from, 3*sizeof(int)) ||
+ 	    copy_from_user(to->_sifields._pad,
+ 			   from->_sifields._pad, SI_PAD_SIZE32))
+diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
+index d2d1c19..5f5f44e 100644
+--- a/arch/mips/kernel/traps.c
++++ b/arch/mips/kernel/traps.c
+@@ -192,6 +192,7 @@ static void show_stacktrace(struct task_struct *task,
+ void show_stack(struct task_struct *task, unsigned long *sp)
+ {
+ 	struct pt_regs regs;
++	mm_segment_t old_fs = get_fs();
+ 	if (sp) {
+ 		regs.regs[29] = (unsigned long)sp;
+ 		regs.regs[31] = 0;
+@@ -210,7 +211,13 @@ void show_stack(struct task_struct *task, unsigned long *sp)
+ 			prepare_frametrace(&regs);
+ 		}
+ 	}
++	/*
++	 * show_stack() deals exclusively with kernel mode, so be sure to access
++	 * the stack in the kernel (not user) address space.
++	 */
++	set_fs(KERNEL_DS);
+ 	show_stacktrace(task, &regs);
++	set_fs(old_fs);
+ }
+ 
+ static void show_code(unsigned int __user *pc)
+@@ -1518,6 +1525,7 @@ asmlinkage void do_mcheck(struct pt_regs *regs)
+ 	const int field = 2 * sizeof(unsigned long);
+ 	int multi_match = regs->cp0_status & ST0_TS;
+ 	enum ctx_state prev_state;
++	mm_segment_t old_fs = get_fs();
+ 
+ 	prev_state = exception_enter();
+ 	show_regs(regs);
+@@ -1539,8 +1547,13 @@ asmlinkage void do_mcheck(struct pt_regs *regs)
+ 		dump_tlb_all();
+ 	}
+ 
++	if (!user_mode(regs))
++		set_fs(KERNEL_DS);
++
+ 	show_code((unsigned int __user *) regs->cp0_epc);
+ 
++	set_fs(old_fs);
++
+ 	/*
+ 	 * Some chips may have other causes of machine check (e.g. SB1
+ 	 * graduation timer)
+diff --git a/arch/mips/kernel/unaligned.c b/arch/mips/kernel/unaligned.c
+index af84bef..eb3efd1 100644
+--- a/arch/mips/kernel/unaligned.c
++++ b/arch/mips/kernel/unaligned.c
+@@ -438,7 +438,7 @@ do {                                                        \
+ 		: "memory");                                \
+ } while(0)
+ 
+-#define     StoreDW(addr, value, res) \
++#define     _StoreDW(addr, value, res) \
+ do {                                                        \
+ 		__asm__ __volatile__ (                      \
+ 			".set\tpush\n\t"		    \
+diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c
+index 6ab1057..d01ade6 100644
+--- a/arch/mips/lantiq/irq.c
++++ b/arch/mips/lantiq/irq.c
+@@ -466,6 +466,7 @@ int get_c0_perfcount_int(void)
+ {
+ 	return ltq_perfcount_irq;
+ }
++EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
+ 
+ unsigned int get_c0_compare_int(void)
+ {
+diff --git a/arch/mips/mti-malta/malta-time.c b/arch/mips/mti-malta/malta-time.c
+index 185e682..a7f7d9f 100644
+--- a/arch/mips/mti-malta/malta-time.c
++++ b/arch/mips/mti-malta/malta-time.c
+@@ -148,6 +148,7 @@ int get_c0_perfcount_int(void)
+ 
+ 	return mips_cpu_perf_irq;
+ }
++EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
+ 
+ unsigned int get_c0_compare_int(void)
+ {
+@@ -165,14 +166,17 @@ unsigned int get_c0_compare_int(void)
+ 
+ static void __init init_rtc(void)
+ {
+-	/* stop the clock whilst setting it up */
+-	CMOS_WRITE(RTC_SET | RTC_24H, RTC_CONTROL);
++	unsigned char freq, ctrl;
+ 
+-	/* 32KHz time base */
+-	CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT);
++	/* Set 32KHz time base if not already set */
++	freq = CMOS_READ(RTC_FREQ_SELECT);
++	if ((freq & RTC_DIV_CTL) != RTC_REF_CLCK_32KHZ)
++		CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT);
+ 
+-	/* start the clock */
+-	CMOS_WRITE(RTC_24H, RTC_CONTROL);
++	/* Ensure SET bit is clear so RTC can run */
++	ctrl = CMOS_READ(RTC_CONTROL);
++	if (ctrl & RTC_SET)
++		CMOS_WRITE(ctrl & ~RTC_SET, RTC_CONTROL);
+ }
+ 
+ void __init plat_time_init(void)
+diff --git a/arch/mips/mti-sead3/sead3-time.c b/arch/mips/mti-sead3/sead3-time.c
+index e1d6989..a120b7a 100644
+--- a/arch/mips/mti-sead3/sead3-time.c
++++ b/arch/mips/mti-sead3/sead3-time.c
+@@ -77,6 +77,7 @@ int get_c0_perfcount_int(void)
+ 		return MIPS_CPU_IRQ_BASE + cp0_perfcount_irq;
+ 	return -1;
+ }
++EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
+ 
+ unsigned int get_c0_compare_int(void)
+ {
+diff --git a/arch/mips/pistachio/time.c b/arch/mips/pistachio/time.c
+index 67889fc..ab73f6f 100644
+--- a/arch/mips/pistachio/time.c
++++ b/arch/mips/pistachio/time.c
+@@ -26,6 +26,7 @@ int get_c0_perfcount_int(void)
+ {
+ 	return gic_get_c0_perfcount_int();
+ }
++EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
+ 
+ void __init plat_time_init(void)
+ {
+diff --git a/arch/mips/ralink/irq.c b/arch/mips/ralink/irq.c
+index 7cf91b9..199ace4 100644
+--- a/arch/mips/ralink/irq.c
++++ b/arch/mips/ralink/irq.c
+@@ -89,6 +89,7 @@ int get_c0_perfcount_int(void)
+ {
+ 	return rt_perfcount_irq;
+ }
++EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
+ 
+ unsigned int get_c0_compare_int(void)
+ {
+diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
+index d3a831a..da50e0c 100644
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -966,8 +966,6 @@ int copy_siginfo_to_user32(struct compat_siginfo __user *d, const siginfo_t *s)
+ 
+ int copy_siginfo_from_user32(siginfo_t *to, struct compat_siginfo __user *from)
+ {
+-	memset(to, 0, sizeof *to);
+-
+ 	if (copy_from_user(to, from, 3*sizeof(int)) ||
+ 	    copy_from_user(to->_sifields._pad,
+ 			   from->_sifields._pad, SI_PAD_SIZE32))
+diff --git a/arch/sparc/include/asm/visasm.h b/arch/sparc/include/asm/visasm.h
+index 1f0aa20..6424249 100644
+--- a/arch/sparc/include/asm/visasm.h
++++ b/arch/sparc/include/asm/visasm.h
+@@ -28,16 +28,10 @@
+  * Must preserve %o5 between VISEntryHalf and VISExitHalf */
+ 
+ #define VISEntryHalf					\
+-	rd		%fprs, %o5;			\
+-	andcc		%o5, FPRS_FEF, %g0;		\
+-	be,pt		%icc, 297f;			\
+-	 sethi		%hi(298f), %g7;			\
+-	sethi		%hi(VISenterhalf), %g1;		\
+-	jmpl		%g1 + %lo(VISenterhalf), %g0;	\
+-	 or		%g7, %lo(298f), %g7;		\
+-	clr		%o5;				\
+-297:	wr		%o5, FPRS_FEF, %fprs;		\
+-298:
++	VISEntry
++
++#define VISExitHalf					\
++	VISExit
+ 
+ #define VISEntryHalfFast(fail_label)			\
+ 	rd		%fprs, %o5;			\
+@@ -47,7 +41,7 @@
+ 	ba,a,pt		%xcc, fail_label;		\
+ 297:	wr		%o5, FPRS_FEF, %fprs;
+ 
+-#define VISExitHalf					\
++#define VISExitHalfFast					\
+ 	wr		%o5, 0, %fprs;
+ 
+ #ifndef __ASSEMBLY__
+diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S
+index 140527a..83aeeb1 100644
+--- a/arch/sparc/lib/NG4memcpy.S
++++ b/arch/sparc/lib/NG4memcpy.S
+@@ -240,8 +240,11 @@ FUNC_NAME:	/* %o0=dst, %o1=src, %o2=len */
+ 	add		%o0, 0x40, %o0
+ 	bne,pt		%icc, 1b
+ 	 LOAD(prefetch, %g1 + 0x200, #n_reads_strong)
++#ifdef NON_USER_COPY
++	VISExitHalfFast
++#else
+ 	VISExitHalf
+-
++#endif
+ 	brz,pn		%o2, .Lexit
+ 	 cmp		%o2, 19
+ 	ble,pn		%icc, .Lsmall_unaligned
+diff --git a/arch/sparc/lib/VISsave.S b/arch/sparc/lib/VISsave.S
+index b320ae9..a063d84 100644
+--- a/arch/sparc/lib/VISsave.S
++++ b/arch/sparc/lib/VISsave.S
+@@ -44,9 +44,8 @@ vis1:	ldub		[%g6 + TI_FPSAVED], %g3
+ 
+ 	 stx		%g3, [%g6 + TI_GSR]
+ 2:	add		%g6, %g1, %g3
+-	cmp		%o5, FPRS_DU
+-	be,pn		%icc, 6f
+-	 sll		%g1, 3, %g1
++	mov		FPRS_DU | FPRS_DL | FPRS_FEF, %o5
++	sll		%g1, 3, %g1
+ 	stb		%o5, [%g3 + TI_FPSAVED]
+ 	rd		%gsr, %g2
+ 	add		%g6, %g1, %g3
+@@ -80,65 +79,3 @@ vis1:	ldub		[%g6 + TI_FPSAVED], %g3
+ 	.align		32
+ 80:	jmpl		%g7 + %g0, %g0
+ 	 nop
+-
+-6:	ldub		[%g3 + TI_FPSAVED], %o5
+-	or		%o5, FPRS_DU, %o5
+-	add		%g6, TI_FPREGS+0x80, %g2
+-	stb		%o5, [%g3 + TI_FPSAVED]
+-
+-	sll		%g1, 5, %g1
+-	add		%g6, TI_FPREGS+0xc0, %g3
+-	wr		%g0, FPRS_FEF, %fprs
+-	membar		#Sync
+-	stda		%f32, [%g2 + %g1] ASI_BLK_P
+-	stda		%f48, [%g3 + %g1] ASI_BLK_P
+-	membar		#Sync
+-	ba,pt		%xcc, 80f
+-	 nop
+-
+-	.align		32
+-80:	jmpl		%g7 + %g0, %g0
+-	 nop
+-
+-	.align		32
+-VISenterhalf:
+-	ldub		[%g6 + TI_FPDEPTH], %g1
+-	brnz,a,pn	%g1, 1f
+-	 cmp		%g1, 1
+-	stb		%g0, [%g6 + TI_FPSAVED]
+-	stx		%fsr, [%g6 + TI_XFSR]
+-	clr		%o5
+-	jmpl		%g7 + %g0, %g0
+-	 wr		%g0, FPRS_FEF, %fprs
+-
+-1:	bne,pn		%icc, 2f
+-	 srl		%g1, 1, %g1
+-	ba,pt		%xcc, vis1
+-	 sub		%g7, 8, %g7
+-2:	addcc		%g6, %g1, %g3
+-	sll		%g1, 3, %g1
+-	andn		%o5, FPRS_DU, %g2
+-	stb		%g2, [%g3 + TI_FPSAVED]
+-
+-	rd		%gsr, %g2
+-	add		%g6, %g1, %g3
+-	stx		%g2, [%g3 + TI_GSR]
+-	add		%g6, %g1, %g2
+-	stx		%fsr, [%g2 + TI_XFSR]
+-	sll		%g1, 5, %g1
+-3:	andcc		%o5, FPRS_DL, %g0
+-	be,pn		%icc, 4f
+-	 add		%g6, TI_FPREGS, %g2
+-
+-	add		%g6, TI_FPREGS+0x40, %g3
+-	membar		#Sync
+-	stda		%f0, [%g2 + %g1] ASI_BLK_P
+-	stda		%f16, [%g3 + %g1] ASI_BLK_P
+-	membar		#Sync
+-	ba,pt		%xcc, 4f
+-	 nop
+-
+-	.align		32
+-4:	and		%o5, FPRS_DU, %o5
+-	jmpl		%g7 + %g0, %g0
+-	 wr		%o5, FPRS_FEF, %fprs
+diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c
+index 1d649a9..8069ce1 100644
+--- a/arch/sparc/lib/ksyms.c
++++ b/arch/sparc/lib/ksyms.c
+@@ -135,10 +135,6 @@ EXPORT_SYMBOL(copy_user_page);
+ void VISenter(void);
+ EXPORT_SYMBOL(VISenter);
+ 
+-/* CRYPTO code needs this */
+-void VISenterhalf(void);
+-EXPORT_SYMBOL(VISenterhalf);
+-
+ extern void xor_vis_2(unsigned long, unsigned long *, unsigned long *);
+ extern void xor_vis_3(unsigned long, unsigned long *, unsigned long *,
+ 		unsigned long *);
+diff --git a/arch/tile/kernel/compat_signal.c b/arch/tile/kernel/compat_signal.c
+index e8c2c04..c667e10 100644
+--- a/arch/tile/kernel/compat_signal.c
++++ b/arch/tile/kernel/compat_signal.c
+@@ -113,8 +113,6 @@ int copy_siginfo_from_user32(siginfo_t *to, struct compat_siginfo __user *from)
+ 	if (!access_ok(VERIFY_READ, from, sizeof(struct compat_siginfo)))
+ 		return -EFAULT;
+ 
+-	memset(to, 0, sizeof(*to));
+-
+ 	err = __get_user(to->si_signo, &from->si_signo);
+ 	err |= __get_user(to->si_errno, &from->si_errno);
+ 	err |= __get_user(to->si_code, &from->si_code);
+diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
+index 02c2eff..4bd6c19 100644
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -793,8 +793,6 @@ retint_kernel:
+ restore_c_regs_and_iret:
+ 	RESTORE_C_REGS
+ 	REMOVE_PT_GPREGS_FROM_STACK 8
+-
+-irq_return:
+ 	INTERRUPT_RETURN
+ 
+ ENTRY(native_iret)
+@@ -1413,11 +1411,12 @@ ENTRY(nmi)
+ 	 *  If the variable is not set and the stack is not the NMI
+ 	 *  stack then:
+ 	 *    o Set the special variable on the stack
+-	 *    o Copy the interrupt frame into a "saved" location on the stack
+-	 *    o Copy the interrupt frame into a "copy" location on the stack
++	 *    o Copy the interrupt frame into an "outermost" location on the
++	 *      stack
++	 *    o Copy the interrupt frame into an "iret" location on the stack
+ 	 *    o Continue processing the NMI
+ 	 *  If the variable is set or the previous stack is the NMI stack:
+-	 *    o Modify the "copy" location to jump to the repeate_nmi
++	 *    o Modify the "iret" location to jump to the repeat_nmi
+ 	 *    o return back to the first NMI
+ 	 *
+ 	 * Now on exit of the first NMI, we first clear the stack variable
+@@ -1426,32 +1425,151 @@ ENTRY(nmi)
+ 	 * a nested NMI that updated the copy interrupt stack frame, a
+ 	 * jump will be made to the repeat_nmi code that will handle the second
+ 	 * NMI.
++	 *
++	 * However, espfix prevents us from directly returning to userspace
++	 * with a single IRET instruction.  Similarly, IRET to user mode
++	 * can fault.  We therefore handle NMIs from user space like
++	 * other IST entries.
+ 	 */
+ 
+ 	/* Use %rdx as our temp variable throughout */
+ 	pushq_cfi %rdx
+ 	CFI_REL_OFFSET rdx, 0
+ 
++	testb	$3, CS-RIP+8(%rsp)
++	jz	.Lnmi_from_kernel
++
+ 	/*
+-	 * If %cs was not the kernel segment, then the NMI triggered in user
+-	 * space, which means it is definitely not nested.
++	 * NMI from user mode.  We need to run on the thread stack, but we
++	 * can't go through the normal entry paths: NMIs are masked, and
++	 * we don't want to enable interrupts, because then we'll end
++	 * up in an awkward situation in which IRQs are on but NMIs
++	 * are off.
+ 	 */
+-	cmpl $__KERNEL_CS, 16(%rsp)
+-	jne first_nmi
++
++	SWAPGS
++	cld
++	movq	%rsp, %rdx
++	movq	PER_CPU_VAR(kernel_stack), %rsp
++	pushq	5*8(%rdx)	/* pt_regs->ss */
++	pushq	4*8(%rdx)	/* pt_regs->rsp */
++	pushq	3*8(%rdx)	/* pt_regs->flags */
++	pushq	2*8(%rdx)	/* pt_regs->cs */
++	pushq	1*8(%rdx)	/* pt_regs->rip */
++	pushq   $-1		/* pt_regs->orig_ax */
++	pushq   %rdi		/* pt_regs->di */
++	pushq   %rsi		/* pt_regs->si */
++	pushq   (%rdx)		/* pt_regs->dx */
++	pushq   %rcx		/* pt_regs->cx */
++	pushq   %rax		/* pt_regs->ax */
++	pushq   %r8		/* pt_regs->r8 */
++	pushq   %r9		/* pt_regs->r9 */
++	pushq   %r10		/* pt_regs->r10 */
++	pushq   %r11		/* pt_regs->r11 */
++	pushq	%rbx		/* pt_regs->rbx */
++	pushq	%rbp		/* pt_regs->rbp */
++	pushq	%r12		/* pt_regs->r12 */
++	pushq	%r13		/* pt_regs->r13 */
++	pushq	%r14		/* pt_regs->r14 */
++	pushq	%r15		/* pt_regs->r15 */
+ 
+ 	/*
+-	 * Check the special variable on the stack to see if NMIs are
+-	 * executing.
++	 * At this point we no longer need to worry about stack damage
++	 * due to nesting -- we're on the normal thread stack and we're
++	 * done with the NMI stack.
++	 */
++	movq	%rsp, %rdi
++	movq	$-1, %rsi
++	call	do_nmi
++
++	/*
++	 * Return back to user mode.  We must *not* do the normal exit
++	 * work, because we don't want to enable interrupts.  Fortunately,
++	 * do_nmi doesn't modify pt_regs.
++	 */
++	SWAPGS
++	jmp	restore_c_regs_and_iret
++
++.Lnmi_from_kernel:
++	/*
++	 * Here's what our stack frame will look like:
++	 * +---------------------------------------------------------+
++	 * | original SS                                             |
++	 * | original Return RSP                                     |
++	 * | original RFLAGS                                         |
++	 * | original CS                                             |
++	 * | original RIP                                            |
++	 * +---------------------------------------------------------+
++	 * | temp storage for rdx                                    |
++	 * +---------------------------------------------------------+
++	 * | "NMI executing" variable                                |
++	 * +---------------------------------------------------------+
++	 * | iret SS          } Copied from "outermost" frame        |
++	 * | iret Return RSP  } on each loop iteration; overwritten  |
++	 * | iret RFLAGS      } by a nested NMI to force another     |
++	 * | iret CS          } iteration if needed.                 |
++	 * | iret RIP         }                                      |
++	 * +---------------------------------------------------------+
++	 * | outermost SS          } initialized in first_nmi;       |
++	 * | outermost Return RSP  } will not be changed before      |
++	 * | outermost RFLAGS      } NMI processing is done.         |
++	 * | outermost CS          } Copied to "iret" frame on each  |
++	 * | outermost RIP         } iteration.                      |
++	 * +---------------------------------------------------------+
++	 * | pt_regs                                                 |
++	 * +---------------------------------------------------------+
++	 *
++	 * The "original" frame is used by hardware.  Before re-enabling
++	 * NMIs, we need to be done with it, and we need to leave enough
++	 * space for the asm code here.
++	 *
++	 * We return by executing IRET while RSP points to the "iret" frame.
++	 * That will either return for real or it will loop back into NMI
++	 * processing.
++	 *
++	 * The "outermost" frame is copied to the "iret" frame on each
++	 * iteration of the loop, so each iteration starts with the "iret"
++	 * frame pointing to the final return target.
++	 */
++
++	/*
++	 * Determine whether we're a nested NMI.
++	 *
++	 * If we interrupted kernel code between repeat_nmi and
++	 * end_repeat_nmi, then we are a nested NMI.  We must not
++	 * modify the "iret" frame because it's being written by
++	 * the outer NMI.  That's okay; the outer NMI handler is
++	 * about to about to call do_nmi anyway, so we can just
++	 * resume the outer NMI.
++	 */
++
++	movq	$repeat_nmi, %rdx
++	cmpq	8(%rsp), %rdx
++	ja	1f
++	movq	$end_repeat_nmi, %rdx
++	cmpq	8(%rsp), %rdx
++	ja	nested_nmi_out
++1:
++
++	/*
++	 * Now check "NMI executing".  If it's set, then we're nested.
++	 * This will not detect if we interrupted an outer NMI just
++	 * before IRET.
+ 	 */
+ 	cmpl $1, -8(%rsp)
+ 	je nested_nmi
+ 
+ 	/*
+-	 * Now test if the previous stack was an NMI stack.
+-	 * We need the double check. We check the NMI stack to satisfy the
+-	 * race when the first NMI clears the variable before returning.
+-	 * We check the variable because the first NMI could be in a
+-	 * breakpoint routine using a breakpoint stack.
++	 * Now test if the previous stack was an NMI stack.  This covers
++	 * the case where we interrupt an outer NMI after it clears
++	 * "NMI executing" but before IRET.  We need to be careful, though:
++	 * there is one case in which RSP could point to the NMI stack
++	 * despite there being no NMI active: naughty userspace controls
++	 * RSP at the very beginning of the SYSCALL targets.  We can
++	 * pull a fast one on naughty userspace, though: we program
++	 * SYSCALL to mask DF, so userspace cannot cause DF to be set
++	 * if it controls the kernel's RSP.  We set DF before we clear
++	 * "NMI executing".
+ 	 */
+ 	lea	6*8(%rsp), %rdx
+ 	/* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
+@@ -1462,25 +1580,21 @@ ENTRY(nmi)
+ 	cmpq	%rdx, 4*8(%rsp)
+ 	/* If it is below the NMI stack, it is a normal NMI */
+ 	jb	first_nmi
+-	/* Ah, it is within the NMI stack, treat it as nested */
++
++	/* Ah, it is within the NMI stack. */
++
++	testb	$(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
++	jz	first_nmi	/* RSP was user controlled. */
++
++	/* This is a nested NMI. */
+ 
+ 	CFI_REMEMBER_STATE
+ 
+ nested_nmi:
+ 	/*
+-	 * Do nothing if we interrupted the fixup in repeat_nmi.
+-	 * It's about to repeat the NMI handler, so we are fine
+-	 * with ignoring this one.
++	 * Modify the "iret" frame to point to repeat_nmi, forcing another
++	 * iteration of NMI handling.
+ 	 */
+-	movq $repeat_nmi, %rdx
+-	cmpq 8(%rsp), %rdx
+-	ja 1f
+-	movq $end_repeat_nmi, %rdx
+-	cmpq 8(%rsp), %rdx
+-	ja nested_nmi_out
+-
+-1:
+-	/* Set up the interrupted NMIs stack to jump to repeat_nmi */
+ 	leaq -1*8(%rsp), %rdx
+ 	movq %rdx, %rsp
+ 	CFI_ADJUST_CFA_OFFSET 1*8
+@@ -1499,60 +1613,23 @@ nested_nmi_out:
+ 	popq_cfi %rdx
+ 	CFI_RESTORE rdx
+ 
+-	/* No need to check faults here */
++	/* We are returning to kernel mode, so this cannot result in a fault. */
+ 	INTERRUPT_RETURN
+ 
+ 	CFI_RESTORE_STATE
+ first_nmi:
+-	/*
+-	 * Because nested NMIs will use the pushed location that we
+-	 * stored in rdx, we must keep that space available.
+-	 * Here's what our stack frame will look like:
+-	 * +-------------------------+
+-	 * | original SS             |
+-	 * | original Return RSP     |
+-	 * | original RFLAGS         |
+-	 * | original CS             |
+-	 * | original RIP            |
+-	 * +-------------------------+
+-	 * | temp storage for rdx    |
+-	 * +-------------------------+
+-	 * | NMI executing variable  |
+-	 * +-------------------------+
+-	 * | copied SS               |
+-	 * | copied Return RSP       |
+-	 * | copied RFLAGS           |
+-	 * | copied CS               |
+-	 * | copied RIP              |
+-	 * +-------------------------+
+-	 * | Saved SS                |
+-	 * | Saved Return RSP        |
+-	 * | Saved RFLAGS            |
+-	 * | Saved CS                |
+-	 * | Saved RIP               |
+-	 * +-------------------------+
+-	 * | pt_regs                 |
+-	 * +-------------------------+
+-	 *
+-	 * The saved stack frame is used to fix up the copied stack frame
+-	 * that a nested NMI may change to make the interrupted NMI iret jump
+-	 * to the repeat_nmi. The original stack frame and the temp storage
+-	 * is also used by nested NMIs and can not be trusted on exit.
+-	 */
+-	/* Do not pop rdx, nested NMIs will corrupt that part of the stack */
++	/* Restore rdx. */
+ 	movq (%rsp), %rdx
+ 	CFI_RESTORE rdx
+ 
+-	/* Set the NMI executing variable on the stack. */
++	/* Set "NMI executing" on the stack. */
+ 	pushq_cfi $1
+ 
+-	/*
+-	 * Leave room for the "copied" frame
+-	 */
++	/* Leave room for the "iret" frame */
+ 	subq $(5*8), %rsp
+ 	CFI_ADJUST_CFA_OFFSET 5*8
+ 
+-	/* Copy the stack frame to the Saved frame */
++	/* Copy the "original" frame to the "outermost" frame */
+ 	.rept 5
+ 	pushq_cfi 11*8(%rsp)
+ 	.endr
+@@ -1560,6 +1637,7 @@ first_nmi:
+ 
+ 	/* Everything up to here is safe from nested NMIs */
+ 
++repeat_nmi:
+ 	/*
+ 	 * If there was a nested NMI, the first NMI's iret will return
+ 	 * here. But NMIs are still enabled and we can take another
+@@ -1568,16 +1646,21 @@ first_nmi:
+ 	 * it will just return, as we are about to repeat an NMI anyway.
+ 	 * This makes it safe to copy to the stack frame that a nested
+ 	 * NMI will update.
+-	 */
+-repeat_nmi:
+-	/*
+-	 * Update the stack variable to say we are still in NMI (the update
+-	 * is benign for the non-repeat case, where 1 was pushed just above
+-	 * to this very stack slot).
++	 *
++	 * RSP is pointing to "outermost RIP".  gsbase is unknown, but, if
++	 * we're repeating an NMI, gsbase has the same value that it had on
++	 * the first iteration.  paranoid_entry will load the kernel
++	 * gsbase if needed before we call do_nmi.
++	 *
++	 * Set "NMI executing" in case we came back here via IRET.
+ 	 */
+ 	movq $1, 10*8(%rsp)
+ 
+-	/* Make another copy, this one may be modified by nested NMIs */
++	/*
++	 * Copy the "outermost" frame to the "iret" frame.  NMIs that nest
++	 * here must not modify the "iret" frame while we're writing to
++	 * it or it will end up containing garbage.
++	 */
+ 	addq $(10*8), %rsp
+ 	CFI_ADJUST_CFA_OFFSET -10*8
+ 	.rept 5
+@@ -1588,9 +1671,9 @@ repeat_nmi:
+ end_repeat_nmi:
+ 
+ 	/*
+-	 * Everything below this point can be preempted by a nested
+-	 * NMI if the first NMI took an exception and reset our iret stack
+-	 * so that we repeat another NMI.
++	 * Everything below this point can be preempted by a nested NMI.
++	 * If this happens, then the inner NMI will change the "iret"
++	 * frame to point back to repeat_nmi.
+ 	 */
+ 	pushq_cfi $-1		/* ORIG_RAX: no syscall to restart */
+ 	ALLOC_PT_GPREGS_ON_STACK
+@@ -1605,29 +1688,11 @@ end_repeat_nmi:
+ 	call paranoid_entry
+ 	DEFAULT_FRAME 0
+ 
+-	/*
+-	 * Save off the CR2 register. If we take a page fault in the NMI then
+-	 * it could corrupt the CR2 value. If the NMI preempts a page fault
+-	 * handler before it was able to read the CR2 register, and then the
+-	 * NMI itself takes a page fault, the page fault that was preempted
+-	 * will read the information from the NMI page fault and not the
+-	 * origin fault. Save it off and restore it if it changes.
+-	 * Use the r12 callee-saved register.
+-	 */
+-	movq %cr2, %r12
+-
+ 	/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
+ 	movq %rsp,%rdi
+ 	movq $-1,%rsi
+ 	call do_nmi
+ 
+-	/* Did the NMI take a page fault? Restore cr2 if it did */
+-	movq %cr2, %rcx
+-	cmpq %rcx, %r12
+-	je 1f
+-	movq %r12, %cr2
+-1:
+-	
+ 	testl %ebx,%ebx				/* swapgs needed? */
+ 	jnz nmi_restore
+ nmi_swapgs:
+@@ -1635,12 +1700,27 @@ nmi_swapgs:
+ nmi_restore:
+ 	RESTORE_EXTRA_REGS
+ 	RESTORE_C_REGS
+-	/* Pop the extra iret frame at once */
++
++	/* Point RSP at the "iret" frame. */
+ 	REMOVE_PT_GPREGS_FROM_STACK 6*8
+ 
+-	/* Clear the NMI executing stack variable */
+-	movq $0, 5*8(%rsp)
+-	jmp irq_return
++	/*
++	 * Clear "NMI executing".  Set DF first so that we can easily
++	 * distinguish the remaining code between here and IRET from
++	 * the SYSCALL entry and exit paths.  On a native kernel, we
++	 * could just inspect RIP, but, on paravirt kernels,
++	 * INTERRUPT_RETURN can translate into a jump into a
++	 * hypercall page.
++	 */
++	std
++	movq	$0, 5*8(%rsp)		/* clear "NMI executing" */
++
++	/*
++	 * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
++	 * stack in a single instruction.  We are returning to kernel
++	 * mode, so this cannot result in a fault.
++	 */
++	INTERRUPT_RETURN
+ 	CFI_ENDPROC
+ END(nmi)
+ 
+diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
+index c3e985d..d05bd2e 100644
+--- a/arch/x86/kernel/nmi.c
++++ b/arch/x86/kernel/nmi.c
+@@ -408,15 +408,15 @@ static void default_do_nmi(struct pt_regs *regs)
+ NOKPROBE_SYMBOL(default_do_nmi);
+ 
+ /*
+- * NMIs can hit breakpoints which will cause it to lose its
+- * NMI context with the CPU when the breakpoint does an iret.
+- */
+-#ifdef CONFIG_X86_32
+-/*
+- * For i386, NMIs use the same stack as the kernel, and we can
+- * add a workaround to the iret problem in C (preventing nested
+- * NMIs if an NMI takes a trap). Simply have 3 states the NMI
+- * can be in:
++ * NMIs can page fault or hit breakpoints which will cause it to lose
++ * its NMI context with the CPU when the breakpoint or page fault does an IRET.
++ *
++ * As a result, NMIs can nest if NMIs get unmasked due an IRET during
++ * NMI processing.  On x86_64, the asm glue protects us from nested NMIs
++ * if the outer NMI came from kernel mode, but we can still nest if the
++ * outer NMI came from user mode.
++ *
++ * To handle these nested NMIs, we have three states:
+  *
+  *  1) not running
+  *  2) executing
+@@ -430,15 +430,14 @@ NOKPROBE_SYMBOL(default_do_nmi);
+  * (Note, the latch is binary, thus multiple NMIs triggering,
+  *  when one is running, are ignored. Only one NMI is restarted.)
+  *
+- * If an NMI hits a breakpoint that executes an iret, another
+- * NMI can preempt it. We do not want to allow this new NMI
+- * to run, but we want to execute it when the first one finishes.
+- * We set the state to "latched", and the exit of the first NMI will
+- * perform a dec_return, if the result is zero (NOT_RUNNING), then
+- * it will simply exit the NMI handler. If not, the dec_return
+- * would have set the state to NMI_EXECUTING (what we want it to
+- * be when we are running). In this case, we simply jump back
+- * to rerun the NMI handler again, and restart the 'latched' NMI.
++ * If an NMI executes an iret, another NMI can preempt it. We do not
++ * want to allow this new NMI to run, but we want to execute it when the
++ * first one finishes.  We set the state to "latched", and the exit of
++ * the first NMI will perform a dec_return, if the result is zero
++ * (NOT_RUNNING), then it will simply exit the NMI handler. If not, the
++ * dec_return would have set the state to NMI_EXECUTING (what we want it
++ * to be when we are running). In this case, we simply jump back to
++ * rerun the NMI handler again, and restart the 'latched' NMI.
+  *
+  * No trap (breakpoint or page fault) should be hit before nmi_restart,
+  * thus there is no race between the first check of state for NOT_RUNNING
+@@ -461,49 +460,36 @@ enum nmi_states {
+ static DEFINE_PER_CPU(enum nmi_states, nmi_state);
+ static DEFINE_PER_CPU(unsigned long, nmi_cr2);
+ 
+-#define nmi_nesting_preprocess(regs)					\
+-	do {								\
+-		if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {	\
+-			this_cpu_write(nmi_state, NMI_LATCHED);		\
+-			return;						\
+-		}							\
+-		this_cpu_write(nmi_state, NMI_EXECUTING);		\
+-		this_cpu_write(nmi_cr2, read_cr2());			\
+-	} while (0);							\
+-	nmi_restart:
+-
+-#define nmi_nesting_postprocess()					\
+-	do {								\
+-		if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))	\
+-			write_cr2(this_cpu_read(nmi_cr2));		\
+-		if (this_cpu_dec_return(nmi_state))			\
+-			goto nmi_restart;				\
+-	} while (0)
+-#else /* x86_64 */
++#ifdef CONFIG_X86_64
+ /*
+- * In x86_64 things are a bit more difficult. This has the same problem
+- * where an NMI hitting a breakpoint that calls iret will remove the
+- * NMI context, allowing a nested NMI to enter. What makes this more
+- * difficult is that both NMIs and breakpoints have their own stack.
+- * When a new NMI or breakpoint is executed, the stack is set to a fixed
+- * point. If an NMI is nested, it will have its stack set at that same
+- * fixed address that the first NMI had, and will start corrupting the
+- * stack. This is handled in entry_64.S, but the same problem exists with
+- * the breakpoint stack.
++ * In x86_64, we need to handle breakpoint -> NMI -> breakpoint.  Without
++ * some care, the inner breakpoint will clobber the outer breakpoint's
++ * stack.
+  *
+- * If a breakpoint is being processed, and the debug stack is being used,
+- * if an NMI comes in and also hits a breakpoint, the stack pointer
+- * will be set to the same fixed address as the breakpoint that was
+- * interrupted, causing that stack to be corrupted. To handle this case,
+- * check if the stack that was interrupted is the debug stack, and if
+- * so, change the IDT so that new breakpoints will use the current stack
+- * and not switch to the fixed address. On return of the NMI, switch back
+- * to the original IDT.
++ * If a breakpoint is being processed, and the debug stack is being
++ * used, if an NMI comes in and also hits a breakpoint, the stack
++ * pointer will be set to the same fixed address as the breakpoint that
++ * was interrupted, causing that stack to be corrupted. To handle this
++ * case, check if the stack that was interrupted is the debug stack, and
++ * if so, change the IDT so that new breakpoints will use the current
++ * stack and not switch to the fixed address. On return of the NMI,
++ * switch back to the original IDT.
+  */
+ static DEFINE_PER_CPU(int, update_debug_stack);
++#endif
+ 
+-static inline void nmi_nesting_preprocess(struct pt_regs *regs)
++dotraplinkage notrace void
++do_nmi(struct pt_regs *regs, long error_code)
+ {
++	if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {
++		this_cpu_write(nmi_state, NMI_LATCHED);
++		return;
++	}
++	this_cpu_write(nmi_state, NMI_EXECUTING);
++	this_cpu_write(nmi_cr2, read_cr2());
++nmi_restart:
++
++#ifdef CONFIG_X86_64
+ 	/*
+ 	 * If we interrupted a breakpoint, it is possible that
+ 	 * the nmi handler will have breakpoints too. We need to
+@@ -514,22 +500,8 @@ static inline void nmi_nesting_preprocess(struct pt_regs *regs)
+ 		debug_stack_set_zero();
+ 		this_cpu_write(update_debug_stack, 1);
+ 	}
+-}
+-
+-static inline void nmi_nesting_postprocess(void)
+-{
+-	if (unlikely(this_cpu_read(update_debug_stack))) {
+-		debug_stack_reset();
+-		this_cpu_write(update_debug_stack, 0);
+-	}
+-}
+ #endif
+ 
+-dotraplinkage notrace void
+-do_nmi(struct pt_regs *regs, long error_code)
+-{
+-	nmi_nesting_preprocess(regs);
+-
+ 	nmi_enter();
+ 
+ 	inc_irq_stat(__nmi_count);
+@@ -539,8 +511,17 @@ do_nmi(struct pt_regs *regs, long error_code)
+ 
+ 	nmi_exit();
+ 
+-	/* On i386, may loop back to preprocess */
+-	nmi_nesting_postprocess();
++#ifdef CONFIG_X86_64
++	if (unlikely(this_cpu_read(update_debug_stack))) {
++		debug_stack_reset();
++		this_cpu_write(update_debug_stack, 0);
++	}
++#endif
++
++	if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))
++		write_cr2(this_cpu_read(nmi_cr2));
++	if (this_cpu_dec_return(nmi_state))
++		goto nmi_restart;
+ }
+ NOKPROBE_SYMBOL(do_nmi);
+ 
+diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
+index 9d28383..c4ea87e 100644
+--- a/arch/x86/kvm/lapic.h
++++ b/arch/x86/kvm/lapic.h
+@@ -150,7 +150,7 @@ static inline bool kvm_apic_vid_enabled(struct kvm *kvm)
+ 
+ static inline bool kvm_apic_has_events(struct kvm_vcpu *vcpu)
+ {
+-	return vcpu->arch.apic->pending_events;
++	return kvm_vcpu_has_lapic(vcpu) && vcpu->arch.apic->pending_events;
+ }
+ 
+ bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector);
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 46957ea..a671e83 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -483,6 +483,7 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 	pte_t pte;
+ 	unsigned long pfn;
+ 	struct page *page;
++	unsigned char dummy;
+ 
+ 	ptep = lookup_address((unsigned long)v, &level);
+ 	BUG_ON(ptep == NULL);
+@@ -492,6 +493,32 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 
+ 	pte = pfn_pte(pfn, prot);
+ 
++	/*
++	 * Careful: update_va_mapping() will fail if the virtual address
++	 * we're poking isn't populated in the page tables.  We don't
++	 * need to worry about the direct map (that's always in the page
++	 * tables), but we need to be careful about vmap space.  In
++	 * particular, the top level page table can lazily propagate
++	 * entries between processes, so if we've switched mms since we
++	 * vmapped the target in the first place, we might not have the
++	 * top-level page table entry populated.
++	 *
++	 * We disable preemption because we want the same mm active when
++	 * we probe the target and when we issue the hypercall.  We'll
++	 * have the same nominal mm, but if we're a kernel thread, lazy
++	 * mm dropping could change our pgd.
++	 *
++	 * Out of an abundance of caution, this uses __get_user() to fault
++	 * in the target address just in case there's some obscure case
++	 * in which the target address isn't readable.
++	 */
++
++	preempt_disable();
++
++	pagefault_disable();	/* Avoid warnings due to being atomic. */
++	__get_user(dummy, (unsigned char __user __force *)v);
++	pagefault_enable();
++
+ 	if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0))
+ 		BUG();
+ 
+@@ -503,6 +530,8 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 				BUG();
+ 	} else
+ 		kmap_flush_unused();
++
++	preempt_enable();
+ }
+ 
+ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+@@ -510,6 +539,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+ 	const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE;
+ 	int i;
+ 
++	/*
++	 * We need to mark the all aliases of the LDT pages RO.  We
++	 * don't need to call vm_flush_aliases(), though, since that's
++	 * only responsible for flushing aliases out the TLBs, not the
++	 * page tables, and Xen will flush the TLB for us if needed.
++	 *
++	 * To avoid confusing future readers: none of this is necessary
++	 * to load the LDT.  The hypervisor only checks this when the
++	 * LDT is faulted in due to subsequent descriptor access.
++	 */
++
+ 	for(i = 0; i < entries; i += entries_per_page)
+ 		set_aliased_prot(ldt + i, PAGE_KERNEL_RO);
+ }
+diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
+index 53f2535..010ce0b 100644
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -522,6 +522,7 @@ void rbd_warn(struct rbd_device *rbd_dev, const char *fmt, ...)
+ #  define rbd_assert(expr)	((void) 0)
+ #endif /* !RBD_DEBUG */
+ 
++static void rbd_osd_copyup_callback(struct rbd_obj_request *obj_request);
+ static int rbd_img_obj_request_submit(struct rbd_obj_request *obj_request);
+ static void rbd_img_parent_read(struct rbd_obj_request *obj_request);
+ static void rbd_dev_remove_parent(struct rbd_device *rbd_dev);
+@@ -1797,6 +1798,16 @@ static void rbd_osd_stat_callback(struct rbd_obj_request *obj_request)
+ 	obj_request_done_set(obj_request);
+ }
+ 
++static void rbd_osd_call_callback(struct rbd_obj_request *obj_request)
++{
++	dout("%s: obj %p\n", __func__, obj_request);
++
++	if (obj_request_img_data_test(obj_request))
++		rbd_osd_copyup_callback(obj_request);
++	else
++		obj_request_done_set(obj_request);
++}
++
+ static void rbd_osd_req_callback(struct ceph_osd_request *osd_req,
+ 				struct ceph_msg *msg)
+ {
+@@ -1845,6 +1856,8 @@ static void rbd_osd_req_callback(struct ceph_osd_request *osd_req,
+ 		rbd_osd_discard_callback(obj_request);
+ 		break;
+ 	case CEPH_OSD_OP_CALL:
++		rbd_osd_call_callback(obj_request);
++		break;
+ 	case CEPH_OSD_OP_NOTIFY_ACK:
+ 	case CEPH_OSD_OP_WATCH:
+ 		rbd_osd_trivial_callback(obj_request);
+@@ -2509,13 +2522,15 @@ out_unwind:
+ }
+ 
+ static void
+-rbd_img_obj_copyup_callback(struct rbd_obj_request *obj_request)
++rbd_osd_copyup_callback(struct rbd_obj_request *obj_request)
+ {
+ 	struct rbd_img_request *img_request;
+ 	struct rbd_device *rbd_dev;
+ 	struct page **pages;
+ 	u32 page_count;
+ 
++	dout("%s: obj %p\n", __func__, obj_request);
++
+ 	rbd_assert(obj_request->type == OBJ_REQUEST_BIO ||
+ 		obj_request->type == OBJ_REQUEST_NODATA);
+ 	rbd_assert(obj_request_img_data_test(obj_request));
+@@ -2542,9 +2557,7 @@ rbd_img_obj_copyup_callback(struct rbd_obj_request *obj_request)
+ 	if (!obj_request->result)
+ 		obj_request->xferred = obj_request->length;
+ 
+-	/* Finish up with the normal image object callback */
+-
+-	rbd_img_obj_callback(obj_request);
++	obj_request_done_set(obj_request);
+ }
+ 
+ static void
+@@ -2629,7 +2642,6 @@ rbd_img_obj_parent_read_full_callback(struct rbd_img_request *img_request)
+ 
+ 	/* All set, send it off. */
+ 
+-	orig_request->callback = rbd_img_obj_copyup_callback;
+ 	osdc = &rbd_dev->rbd_client->client->osdc;
+ 	img_result = rbd_obj_request_submit(osdc, orig_request);
+ 	if (!img_result)
+diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
+index da8faf7..5643b65 100644
+--- a/drivers/char/hw_random/core.c
++++ b/drivers/char/hw_random/core.c
+@@ -429,7 +429,7 @@ static int hwrng_fillfn(void *unused)
+ static void start_khwrngd(void)
+ {
+ 	hwrng_fill = kthread_run(hwrng_fillfn, NULL, "hwrng");
+-	if (hwrng_fill == ERR_PTR(-ENOMEM)) {
++	if (IS_ERR(hwrng_fill)) {
+ 		pr_err("hwrng_fill thread creation failed");
+ 		hwrng_fill = NULL;
+ 	}
+diff --git a/drivers/char/i8k.c b/drivers/char/i8k.c
+index a43048b..3c1a123 100644
+--- a/drivers/char/i8k.c
++++ b/drivers/char/i8k.c
+@@ -900,6 +900,21 @@ static struct dmi_system_id i8k_dmi_table[] __initdata = {
+ 
+ MODULE_DEVICE_TABLE(dmi, i8k_dmi_table);
+ 
++static struct dmi_system_id i8k_blacklist_dmi_table[] __initdata = {
++	{
++		/*
++		 * CPU fan speed going up and down on Dell Studio XPS 8100
++		 * for unknown reasons.
++		 */
++		.ident = "Dell Studio XPS 8100",
++		.matches = {
++			DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++			DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Studio XPS 8100"),
++		},
++	},
++	{ }
++};
++
+ /*
+  * Probe for the presence of a supported laptop.
+  */
+@@ -911,7 +926,8 @@ static int __init i8k_probe(void)
+ 	/*
+ 	 * Get DMI information
+ 	 */
+-	if (!dmi_check_system(i8k_dmi_table)) {
++	if (!dmi_check_system(i8k_dmi_table) ||
++	    dmi_check_system(i8k_blacklist_dmi_table)) {
+ 		if (!ignore_dmi && !force)
+ 			return -ENODEV;
+ 
+diff --git a/drivers/clk/keystone/pll.c b/drivers/clk/keystone/pll.c
+index 0dd8a4b..4a375ea 100644
+--- a/drivers/clk/keystone/pll.c
++++ b/drivers/clk/keystone/pll.c
+@@ -37,7 +37,8 @@
+  *	Main PLL or any other PLLs in the device such as ARM PLL, DDR PLL
+  *	or PA PLL available on keystone2. These PLLs are controlled by
+  *	this register. Main PLL is controlled by a PLL controller.
+- * @pllm: PLL register map address
++ * @pllm: PLL register map address for multiplier bits
++ * @pllod: PLL register map address for post divider bits
+  * @pll_ctl0: PLL controller map address
+  * @pllm_lower_mask: multiplier lower mask
+  * @pllm_upper_mask: multiplier upper mask
+@@ -53,6 +54,7 @@ struct clk_pll_data {
+ 	u32 phy_pllm;
+ 	u32 phy_pll_ctl0;
+ 	void __iomem *pllm;
++	void __iomem *pllod;
+ 	void __iomem *pll_ctl0;
+ 	u32 pllm_lower_mask;
+ 	u32 pllm_upper_mask;
+@@ -102,7 +104,11 @@ static unsigned long clk_pllclk_recalc(struct clk_hw *hw,
+ 		/* read post divider from od bits*/
+ 		postdiv = ((val & pll_data->clkod_mask) >>
+ 				 pll_data->clkod_shift) + 1;
+-	else
++	else if (pll_data->pllod) {
++		postdiv = readl(pll_data->pllod);
++		postdiv = ((postdiv & pll_data->clkod_mask) >>
++				pll_data->clkod_shift) + 1;
++	} else
+ 		postdiv = pll_data->postdiv;
+ 
+ 	rate /= (prediv + 1);
+@@ -172,12 +178,21 @@ static void __init _of_pll_clk_init(struct device_node *node, bool pllctrl)
+ 		/* assume the PLL has output divider register bits */
+ 		pll_data->clkod_mask = CLKOD_MASK;
+ 		pll_data->clkod_shift = CLKOD_SHIFT;
++
++		/*
++		 * Check if there is an post-divider register. If not
++		 * assume od bits are part of control register.
++		 */
++		i = of_property_match_string(node, "reg-names",
++					     "post-divider");
++		pll_data->pllod = of_iomap(node, i);
+ 	}
+ 
+ 	i = of_property_match_string(node, "reg-names", "control");
+ 	pll_data->pll_ctl0 = of_iomap(node, i);
+ 	if (!pll_data->pll_ctl0) {
+ 		pr_err("%s: ioremap failed\n", __func__);
++		iounmap(pll_data->pllod);
+ 		goto out;
+ 	}
+ 
+@@ -193,6 +208,7 @@ static void __init _of_pll_clk_init(struct device_node *node, bool pllctrl)
+ 		pll_data->pllm = of_iomap(node, i);
+ 		if (!pll_data->pllm) {
+ 			iounmap(pll_data->pll_ctl0);
++			iounmap(pll_data->pllod);
+ 			goto out;
+ 		}
+ 	}
+diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c
+index 48f4535..ede9e9e3 100644
+--- a/drivers/crypto/ixp4xx_crypto.c
++++ b/drivers/crypto/ixp4xx_crypto.c
+@@ -904,7 +904,6 @@ static int ablk_perform(struct ablkcipher_request *req, int encrypt)
+ 		crypt->mode |= NPE_OP_NOT_IN_PLACE;
+ 		/* This was never tested by Intel
+ 		 * for more than one dst buffer, I think. */
+-		BUG_ON(req->dst->length < nbytes);
+ 		req_ctx->dst = NULL;
+ 		if (!chainup_buffers(dev, req->dst, nbytes, &dst_hook,
+ 					flags, DMA_FROM_DEVICE))
+diff --git a/drivers/crypto/nx/nx-aes-ccm.c b/drivers/crypto/nx/nx-aes-ccm.c
+index 67f8081..e4311ce 100644
+--- a/drivers/crypto/nx/nx-aes-ccm.c
++++ b/drivers/crypto/nx/nx-aes-ccm.c
+@@ -494,8 +494,9 @@ out:
+ static int ccm4309_aes_nx_encrypt(struct aead_request *req)
+ {
+ 	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm);
++	struct nx_gcm_rctx *rctx = aead_request_ctx(req);
+ 	struct blkcipher_desc desc;
+-	u8 *iv = nx_ctx->priv.ccm.iv;
++	u8 *iv = rctx->iv;
+ 
+ 	iv[0] = 3;
+ 	memcpy(iv + 1, nx_ctx->priv.ccm.nonce, 3);
+@@ -525,8 +526,9 @@ static int ccm_aes_nx_encrypt(struct aead_request *req)
+ static int ccm4309_aes_nx_decrypt(struct aead_request *req)
+ {
+ 	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm);
++	struct nx_gcm_rctx *rctx = aead_request_ctx(req);
+ 	struct blkcipher_desc desc;
+-	u8 *iv = nx_ctx->priv.ccm.iv;
++	u8 *iv = rctx->iv;
+ 
+ 	iv[0] = 3;
+ 	memcpy(iv + 1, nx_ctx->priv.ccm.nonce, 3);
+diff --git a/drivers/crypto/nx/nx-aes-ctr.c b/drivers/crypto/nx/nx-aes-ctr.c
+index 2617cd4..dd7e9f3 100644
+--- a/drivers/crypto/nx/nx-aes-ctr.c
++++ b/drivers/crypto/nx/nx-aes-ctr.c
+@@ -72,7 +72,7 @@ static int ctr3686_aes_nx_set_key(struct crypto_tfm *tfm,
+ 	if (key_len < CTR_RFC3686_NONCE_SIZE)
+ 		return -EINVAL;
+ 
+-	memcpy(nx_ctx->priv.ctr.iv,
++	memcpy(nx_ctx->priv.ctr.nonce,
+ 	       in_key + key_len - CTR_RFC3686_NONCE_SIZE,
+ 	       CTR_RFC3686_NONCE_SIZE);
+ 
+@@ -131,14 +131,15 @@ static int ctr3686_aes_nx_crypt(struct blkcipher_desc *desc,
+ 				unsigned int           nbytes)
+ {
+ 	struct nx_crypto_ctx *nx_ctx = crypto_blkcipher_ctx(desc->tfm);
+-	u8 *iv = nx_ctx->priv.ctr.iv;
++	u8 iv[16];
+ 
++	memcpy(iv, nx_ctx->priv.ctr.nonce, CTR_RFC3686_IV_SIZE);
+ 	memcpy(iv + CTR_RFC3686_NONCE_SIZE,
+ 	       desc->info, CTR_RFC3686_IV_SIZE);
+ 	iv[12] = iv[13] = iv[14] = 0;
+ 	iv[15] = 1;
+ 
+-	desc->info = nx_ctx->priv.ctr.iv;
++	desc->info = iv;
+ 
+ 	return ctr_aes_nx_crypt(desc, dst, src, nbytes);
+ }
+diff --git a/drivers/crypto/nx/nx-aes-gcm.c b/drivers/crypto/nx/nx-aes-gcm.c
+index 88c5624..c6ebeb6 100644
+--- a/drivers/crypto/nx/nx-aes-gcm.c
++++ b/drivers/crypto/nx/nx-aes-gcm.c
+@@ -330,6 +330,7 @@ out:
+ static int gcm_aes_nx_crypt(struct aead_request *req, int enc)
+ {
+ 	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm);
++	struct nx_gcm_rctx *rctx = aead_request_ctx(req);
+ 	struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
+ 	struct blkcipher_desc desc;
+ 	unsigned int nbytes = req->cryptlen;
+@@ -339,7 +340,7 @@ static int gcm_aes_nx_crypt(struct aead_request *req, int enc)
+ 
+ 	spin_lock_irqsave(&nx_ctx->lock, irq_flags);
+ 
+-	desc.info = nx_ctx->priv.gcm.iv;
++	desc.info = rctx->iv;
+ 	/* initialize the counter */
+ 	*(u32 *)(desc.info + NX_GCM_CTR_OFFSET) = 1;
+ 
+@@ -434,8 +435,8 @@ out:
+ 
+ static int gcm_aes_nx_encrypt(struct aead_request *req)
+ {
+-	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm);
+-	char *iv = nx_ctx->priv.gcm.iv;
++	struct nx_gcm_rctx *rctx = aead_request_ctx(req);
++	char *iv = rctx->iv;
+ 
+ 	memcpy(iv, req->iv, 12);
+ 
+@@ -444,8 +445,8 @@ static int gcm_aes_nx_encrypt(struct aead_request *req)
+ 
+ static int gcm_aes_nx_decrypt(struct aead_request *req)
+ {
+-	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm);
+-	char *iv = nx_ctx->priv.gcm.iv;
++	struct nx_gcm_rctx *rctx = aead_request_ctx(req);
++	char *iv = rctx->iv;
+ 
+ 	memcpy(iv, req->iv, 12);
+ 
+@@ -455,7 +456,8 @@ static int gcm_aes_nx_decrypt(struct aead_request *req)
+ static int gcm4106_aes_nx_encrypt(struct aead_request *req)
+ {
+ 	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm);
+-	char *iv = nx_ctx->priv.gcm.iv;
++	struct nx_gcm_rctx *rctx = aead_request_ctx(req);
++	char *iv = rctx->iv;
+ 	char *nonce = nx_ctx->priv.gcm.nonce;
+ 
+ 	memcpy(iv, nonce, NX_GCM4106_NONCE_LEN);
+@@ -467,7 +469,8 @@ static int gcm4106_aes_nx_encrypt(struct aead_request *req)
+ static int gcm4106_aes_nx_decrypt(struct aead_request *req)
+ {
+ 	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm);
+-	char *iv = nx_ctx->priv.gcm.iv;
++	struct nx_gcm_rctx *rctx = aead_request_ctx(req);
++	char *iv = rctx->iv;
+ 	char *nonce = nx_ctx->priv.gcm.nonce;
+ 
+ 	memcpy(iv, nonce, NX_GCM4106_NONCE_LEN);
+diff --git a/drivers/crypto/nx/nx-aes-xcbc.c b/drivers/crypto/nx/nx-aes-xcbc.c
+index 8c2faff..c2f7d4b 100644
+--- a/drivers/crypto/nx/nx-aes-xcbc.c
++++ b/drivers/crypto/nx/nx-aes-xcbc.c
+@@ -42,6 +42,7 @@ static int nx_xcbc_set_key(struct crypto_shash *desc,
+ 			   unsigned int         key_len)
+ {
+ 	struct nx_crypto_ctx *nx_ctx = crypto_shash_ctx(desc);
++	struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
+ 
+ 	switch (key_len) {
+ 	case AES_KEYSIZE_128:
+@@ -51,7 +52,7 @@ static int nx_xcbc_set_key(struct crypto_shash *desc,
+ 		return -EINVAL;
+ 	}
+ 
+-	memcpy(nx_ctx->priv.xcbc.key, in_key, key_len);
++	memcpy(csbcpb->cpb.aes_xcbc.key, in_key, key_len);
+ 
+ 	return 0;
+ }
+@@ -148,32 +149,29 @@ out:
+ 	return rc;
+ }
+ 
+-static int nx_xcbc_init(struct shash_desc *desc)
++static int nx_crypto_ctx_aes_xcbc_init2(struct crypto_tfm *tfm)
+ {
+-	struct xcbc_state *sctx = shash_desc_ctx(desc);
+-	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base);
++	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(tfm);
+ 	struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
+-	struct nx_sg *out_sg;
+-	int len;
++	int err;
+ 
+-	nx_ctx_init(nx_ctx, HCOP_FC_AES);
++	err = nx_crypto_ctx_aes_xcbc_init(tfm);
++	if (err)
++		return err;
+ 
+-	memset(sctx, 0, sizeof *sctx);
++	nx_ctx_init(nx_ctx, HCOP_FC_AES);
+ 
+ 	NX_CPB_SET_KEY_SIZE(csbcpb, NX_KS_AES_128);
+ 	csbcpb->cpb.hdr.mode = NX_MODE_AES_XCBC_MAC;
+ 
+-	memcpy(csbcpb->cpb.aes_xcbc.key, nx_ctx->priv.xcbc.key, AES_BLOCK_SIZE);
+-	memset(nx_ctx->priv.xcbc.key, 0, sizeof *nx_ctx->priv.xcbc.key);
+-
+-	len = AES_BLOCK_SIZE;
+-	out_sg = nx_build_sg_list(nx_ctx->out_sg, (u8 *)sctx->state,
+-				  &len, nx_ctx->ap->sglen);
++	return 0;
++}
+ 
+-	if (len != AES_BLOCK_SIZE)
+-		return -EINVAL;
++static int nx_xcbc_init(struct shash_desc *desc)
++{
++	struct xcbc_state *sctx = shash_desc_ctx(desc);
+ 
+-	nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
++	memset(sctx, 0, sizeof *sctx);
+ 
+ 	return 0;
+ }
+@@ -186,6 +184,7 @@ static int nx_xcbc_update(struct shash_desc *desc,
+ 	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base);
+ 	struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
+ 	struct nx_sg *in_sg;
++	struct nx_sg *out_sg;
+ 	u32 to_process = 0, leftover, total;
+ 	unsigned int max_sg_len;
+ 	unsigned long irq_flags;
+@@ -213,6 +212,17 @@ static int nx_xcbc_update(struct shash_desc *desc,
+ 	max_sg_len = min_t(u64, max_sg_len,
+ 				nx_ctx->ap->databytelen/NX_PAGE_SIZE);
+ 
++	data_len = AES_BLOCK_SIZE;
++	out_sg = nx_build_sg_list(nx_ctx->out_sg, (u8 *)sctx->state,
++				  &len, nx_ctx->ap->sglen);
++
++	if (data_len != AES_BLOCK_SIZE) {
++		rc = -EINVAL;
++		goto out;
++	}
++
++	nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
++
+ 	do {
+ 		to_process = total - to_process;
+ 		to_process = to_process & ~(AES_BLOCK_SIZE - 1);
+@@ -235,8 +245,10 @@ static int nx_xcbc_update(struct shash_desc *desc,
+ 						(u8 *) sctx->buffer,
+ 						&data_len,
+ 						max_sg_len);
+-			if (data_len != sctx->count)
+-				return -EINVAL;
++			if (data_len != sctx->count) {
++				rc = -EINVAL;
++				goto out;
++			}
+ 		}
+ 
+ 		data_len = to_process - sctx->count;
+@@ -245,8 +257,10 @@ static int nx_xcbc_update(struct shash_desc *desc,
+ 					&data_len,
+ 					max_sg_len);
+ 
+-		if (data_len != to_process - sctx->count)
+-			return -EINVAL;
++		if (data_len != to_process - sctx->count) {
++			rc = -EINVAL;
++			goto out;
++		}
+ 
+ 		nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) *
+ 					sizeof(struct nx_sg);
+@@ -325,15 +339,19 @@ static int nx_xcbc_final(struct shash_desc *desc, u8 *out)
+ 	in_sg = nx_build_sg_list(nx_ctx->in_sg, (u8 *)sctx->buffer,
+ 				 &len, nx_ctx->ap->sglen);
+ 
+-	if (len != sctx->count)
+-		return -EINVAL;
++	if (len != sctx->count) {
++		rc = -EINVAL;
++		goto out;
++	}
+ 
+ 	len = AES_BLOCK_SIZE;
+ 	out_sg = nx_build_sg_list(nx_ctx->out_sg, out, &len,
+ 				  nx_ctx->ap->sglen);
+ 
+-	if (len != AES_BLOCK_SIZE)
+-		return -EINVAL;
++	if (len != AES_BLOCK_SIZE) {
++		rc = -EINVAL;
++		goto out;
++	}
+ 
+ 	nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg);
+ 	nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
+@@ -372,7 +390,7 @@ struct shash_alg nx_shash_aes_xcbc_alg = {
+ 		.cra_blocksize   = AES_BLOCK_SIZE,
+ 		.cra_module      = THIS_MODULE,
+ 		.cra_ctxsize     = sizeof(struct nx_crypto_ctx),
+-		.cra_init        = nx_crypto_ctx_aes_xcbc_init,
++		.cra_init        = nx_crypto_ctx_aes_xcbc_init2,
+ 		.cra_exit        = nx_crypto_ctx_exit,
+ 	}
+ };
+diff --git a/drivers/crypto/nx/nx-sha256.c b/drivers/crypto/nx/nx-sha256.c
+index 23621da..08f8d5c 100644
+--- a/drivers/crypto/nx/nx-sha256.c
++++ b/drivers/crypto/nx/nx-sha256.c
+@@ -29,30 +29,28 @@
+ #include "nx.h"
+ 
+ 
+-static int nx_sha256_init(struct shash_desc *desc)
++static int nx_crypto_ctx_sha256_init(struct crypto_tfm *tfm)
+ {
+-	struct sha256_state *sctx = shash_desc_ctx(desc);
+-	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base);
+-	int len;
+-	int rc;
++	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(tfm);
++	int err;
+ 
+-	nx_ctx_init(nx_ctx, HCOP_FC_SHA);
++	err = nx_crypto_ctx_sha_init(tfm);
++	if (err)
++		return err;
+ 
+-	memset(sctx, 0, sizeof *sctx);
++	nx_ctx_init(nx_ctx, HCOP_FC_SHA);
+ 
+ 	nx_ctx->ap = &nx_ctx->props[NX_PROPS_SHA256];
+ 
+ 	NX_CPB_SET_DIGEST_SIZE(nx_ctx->csbcpb, NX_DS_SHA256);
+ 
+-	len = SHA256_DIGEST_SIZE;
+-	rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->out_sg,
+-				  &nx_ctx->op.outlen,
+-				  &len,
+-				  (u8 *) sctx->state,
+-				  NX_DS_SHA256);
++	return 0;
++}
+ 
+-	if (rc)
+-		goto out;
++static int nx_sha256_init(struct shash_desc *desc) {
++	struct sha256_state *sctx = shash_desc_ctx(desc);
++
++	memset(sctx, 0, sizeof *sctx);
+ 
+ 	sctx->state[0] = __cpu_to_be32(SHA256_H0);
+ 	sctx->state[1] = __cpu_to_be32(SHA256_H1);
+@@ -64,7 +62,6 @@ static int nx_sha256_init(struct shash_desc *desc)
+ 	sctx->state[7] = __cpu_to_be32(SHA256_H7);
+ 	sctx->count = 0;
+ 
+-out:
+ 	return 0;
+ }
+ 
+@@ -74,10 +71,13 @@ static int nx_sha256_update(struct shash_desc *desc, const u8 *data,
+ 	struct sha256_state *sctx = shash_desc_ctx(desc);
+ 	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base);
+ 	struct nx_csbcpb *csbcpb = (struct nx_csbcpb *)nx_ctx->csbcpb;
++	struct nx_sg *in_sg;
++	struct nx_sg *out_sg;
+ 	u64 to_process = 0, leftover, total;
+ 	unsigned long irq_flags;
+ 	int rc = 0;
+ 	int data_len;
++	u32 max_sg_len;
+ 	u64 buf_len = (sctx->count % SHA256_BLOCK_SIZE);
+ 
+ 	spin_lock_irqsave(&nx_ctx->lock, irq_flags);
+@@ -97,6 +97,22 @@ static int nx_sha256_update(struct shash_desc *desc, const u8 *data,
+ 	NX_CPB_FDM(csbcpb) |= NX_FDM_INTERMEDIATE;
+ 	NX_CPB_FDM(csbcpb) |= NX_FDM_CONTINUATION;
+ 
++	in_sg = nx_ctx->in_sg;
++	max_sg_len = min_t(u64, nx_ctx->ap->sglen,
++			nx_driver.of.max_sg_len/sizeof(struct nx_sg));
++	max_sg_len = min_t(u64, max_sg_len,
++			nx_ctx->ap->databytelen/NX_PAGE_SIZE);
++
++	data_len = SHA256_DIGEST_SIZE;
++	out_sg = nx_build_sg_list(nx_ctx->out_sg, (u8 *)sctx->state,
++				  &data_len, max_sg_len);
++	nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
++
++	if (data_len != SHA256_DIGEST_SIZE) {
++		rc = -EINVAL;
++		goto out;
++	}
++
+ 	do {
+ 		/*
+ 		 * to_process: the SHA256_BLOCK_SIZE data chunk to process in
+@@ -108,25 +124,22 @@ static int nx_sha256_update(struct shash_desc *desc, const u8 *data,
+ 
+ 		if (buf_len) {
+ 			data_len = buf_len;
+-			rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->in_sg,
+-						  &nx_ctx->op.inlen,
+-						  &data_len,
+-						  (u8 *) sctx->buf,
+-						  NX_DS_SHA256);
++			in_sg = nx_build_sg_list(nx_ctx->in_sg,
++						 (u8 *) sctx->buf,
++						 &data_len,
++						 max_sg_len);
+ 
+-			if (rc || data_len != buf_len)
++			if (data_len != buf_len) {
++				rc = -EINVAL;
+ 				goto out;
++			}
+ 		}
+ 
+ 		data_len = to_process - buf_len;
+-		rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->in_sg,
+-					  &nx_ctx->op.inlen,
+-					  &data_len,
+-					  (u8 *) data,
+-					  NX_DS_SHA256);
++		in_sg = nx_build_sg_list(in_sg, (u8 *) data,
++					 &data_len, max_sg_len);
+ 
+-		if (rc)
+-			goto out;
++		nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg);
+ 
+ 		to_process = (data_len + buf_len);
+ 		leftover = total - to_process;
+@@ -173,12 +186,19 @@ static int nx_sha256_final(struct shash_desc *desc, u8 *out)
+ 	struct sha256_state *sctx = shash_desc_ctx(desc);
+ 	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base);
+ 	struct nx_csbcpb *csbcpb = (struct nx_csbcpb *)nx_ctx->csbcpb;
++	struct nx_sg *in_sg, *out_sg;
+ 	unsigned long irq_flags;
+-	int rc;
++	u32 max_sg_len;
++	int rc = 0;
+ 	int len;
+ 
+ 	spin_lock_irqsave(&nx_ctx->lock, irq_flags);
+ 
++	max_sg_len = min_t(u64, nx_ctx->ap->sglen,
++			nx_driver.of.max_sg_len/sizeof(struct nx_sg));
++	max_sg_len = min_t(u64, max_sg_len,
++			nx_ctx->ap->databytelen/NX_PAGE_SIZE);
++
+ 	/* final is represented by continuing the operation and indicating that
+ 	 * this is not an intermediate operation */
+ 	if (sctx->count >= SHA256_BLOCK_SIZE) {
+@@ -195,25 +215,24 @@ static int nx_sha256_final(struct shash_desc *desc, u8 *out)
+ 	csbcpb->cpb.sha256.message_bit_length = (u64) (sctx->count * 8);
+ 
+ 	len = sctx->count & (SHA256_BLOCK_SIZE - 1);
+-	rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->in_sg,
+-				  &nx_ctx->op.inlen,
+-				  &len,
+-				  (u8 *) sctx->buf,
+-				  NX_DS_SHA256);
++	in_sg = nx_build_sg_list(nx_ctx->in_sg, (u8 *) sctx->buf,
++				 &len, max_sg_len);
+ 
+-	if (rc || len != (sctx->count & (SHA256_BLOCK_SIZE - 1)))
++	if (len != (sctx->count & (SHA256_BLOCK_SIZE - 1))) {
++		rc = -EINVAL;
+ 		goto out;
++	}
+ 
+ 	len = SHA256_DIGEST_SIZE;
+-	rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->out_sg,
+-				  &nx_ctx->op.outlen,
+-				  &len,
+-				  out,
+-				  NX_DS_SHA256);
++	out_sg = nx_build_sg_list(nx_ctx->out_sg, out, &len, max_sg_len);
+ 
+-	if (rc || len != SHA256_DIGEST_SIZE)
++	if (len != SHA256_DIGEST_SIZE) {
++		rc = -EINVAL;
+ 		goto out;
++	}
+ 
++	nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg);
++	nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
+ 	if (!nx_ctx->op.outlen) {
+ 		rc = -EINVAL;
+ 		goto out;
+@@ -268,7 +287,7 @@ struct shash_alg nx_shash_sha256_alg = {
+ 		.cra_blocksize   = SHA256_BLOCK_SIZE,
+ 		.cra_module      = THIS_MODULE,
+ 		.cra_ctxsize     = sizeof(struct nx_crypto_ctx),
+-		.cra_init        = nx_crypto_ctx_sha_init,
++		.cra_init        = nx_crypto_ctx_sha256_init,
+ 		.cra_exit        = nx_crypto_ctx_exit,
+ 	}
+ };
+diff --git a/drivers/crypto/nx/nx-sha512.c b/drivers/crypto/nx/nx-sha512.c
+index b3adf10..aff0fe5 100644
+--- a/drivers/crypto/nx/nx-sha512.c
++++ b/drivers/crypto/nx/nx-sha512.c
+@@ -28,30 +28,29 @@
+ #include "nx.h"
+ 
+ 
+-static int nx_sha512_init(struct shash_desc *desc)
++static int nx_crypto_ctx_sha512_init(struct crypto_tfm *tfm)
+ {
+-	struct sha512_state *sctx = shash_desc_ctx(desc);
+-	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base);
+-	int len;
+-	int rc;
++	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(tfm);
++	int err;
+ 
+-	nx_ctx_init(nx_ctx, HCOP_FC_SHA);
++	err = nx_crypto_ctx_sha_init(tfm);
++	if (err)
++		return err;
+ 
+-	memset(sctx, 0, sizeof *sctx);
++	nx_ctx_init(nx_ctx, HCOP_FC_SHA);
+ 
+ 	nx_ctx->ap = &nx_ctx->props[NX_PROPS_SHA512];
+ 
+ 	NX_CPB_SET_DIGEST_SIZE(nx_ctx->csbcpb, NX_DS_SHA512);
+ 
+-	len = SHA512_DIGEST_SIZE;
+-	rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->out_sg,
+-				  &nx_ctx->op.outlen,
+-				  &len,
+-				  (u8 *)sctx->state,
+-				  NX_DS_SHA512);
++	return 0;
++}
+ 
+-	if (rc || len != SHA512_DIGEST_SIZE)
+-		goto out;
++static int nx_sha512_init(struct shash_desc *desc)
++{
++	struct sha512_state *sctx = shash_desc_ctx(desc);
++
++	memset(sctx, 0, sizeof *sctx);
+ 
+ 	sctx->state[0] = __cpu_to_be64(SHA512_H0);
+ 	sctx->state[1] = __cpu_to_be64(SHA512_H1);
+@@ -63,7 +62,6 @@ static int nx_sha512_init(struct shash_desc *desc)
+ 	sctx->state[7] = __cpu_to_be64(SHA512_H7);
+ 	sctx->count[0] = 0;
+ 
+-out:
+ 	return 0;
+ }
+ 
+@@ -73,10 +71,13 @@ static int nx_sha512_update(struct shash_desc *desc, const u8 *data,
+ 	struct sha512_state *sctx = shash_desc_ctx(desc);
+ 	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base);
+ 	struct nx_csbcpb *csbcpb = (struct nx_csbcpb *)nx_ctx->csbcpb;
++	struct nx_sg *in_sg;
++	struct nx_sg *out_sg;
+ 	u64 to_process, leftover = 0, total;
+ 	unsigned long irq_flags;
+ 	int rc = 0;
+ 	int data_len;
++	u32 max_sg_len;
+ 	u64 buf_len = (sctx->count[0] % SHA512_BLOCK_SIZE);
+ 
+ 	spin_lock_irqsave(&nx_ctx->lock, irq_flags);
+@@ -96,6 +97,22 @@ static int nx_sha512_update(struct shash_desc *desc, const u8 *data,
+ 	NX_CPB_FDM(csbcpb) |= NX_FDM_INTERMEDIATE;
+ 	NX_CPB_FDM(csbcpb) |= NX_FDM_CONTINUATION;
+ 
++	in_sg = nx_ctx->in_sg;
++	max_sg_len = min_t(u64, nx_ctx->ap->sglen,
++			nx_driver.of.max_sg_len/sizeof(struct nx_sg));
++	max_sg_len = min_t(u64, max_sg_len,
++			nx_ctx->ap->databytelen/NX_PAGE_SIZE);
++
++	data_len = SHA512_DIGEST_SIZE;
++	out_sg = nx_build_sg_list(nx_ctx->out_sg, (u8 *)sctx->state,
++				  &data_len, max_sg_len);
++	nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
++
++	if (data_len != SHA512_DIGEST_SIZE) {
++		rc = -EINVAL;
++		goto out;
++	}
++
+ 	do {
+ 		/*
+ 		 * to_process: the SHA512_BLOCK_SIZE data chunk to process in
+@@ -108,25 +125,26 @@ static int nx_sha512_update(struct shash_desc *desc, const u8 *data,
+ 
+ 		if (buf_len) {
+ 			data_len = buf_len;
+-			rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->in_sg,
+-						  &nx_ctx->op.inlen,
+-						  &data_len,
+-						  (u8 *) sctx->buf,
+-						  NX_DS_SHA512);
++			in_sg = nx_build_sg_list(nx_ctx->in_sg,
++						 (u8 *) sctx->buf,
++						 &data_len, max_sg_len);
+ 
+-			if (rc || data_len != buf_len)
++			if (data_len != buf_len) {
++				rc = -EINVAL;
+ 				goto out;
++			}
+ 		}
+ 
+ 		data_len = to_process - buf_len;
+-		rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->in_sg,
+-					  &nx_ctx->op.inlen,
+-					  &data_len,
+-					  (u8 *) data,
+-					  NX_DS_SHA512);
++		in_sg = nx_build_sg_list(in_sg, (u8 *) data,
++					 &data_len, max_sg_len);
++
++		nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg);
+ 
+-		if (rc || data_len != (to_process - buf_len))
++		if (data_len != (to_process - buf_len)) {
++			rc = -EINVAL;
+ 			goto out;
++		}
+ 
+ 		to_process = (data_len + buf_len);
+ 		leftover = total - to_process;
+@@ -172,13 +190,20 @@ static int nx_sha512_final(struct shash_desc *desc, u8 *out)
+ 	struct sha512_state *sctx = shash_desc_ctx(desc);
+ 	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base);
+ 	struct nx_csbcpb *csbcpb = (struct nx_csbcpb *)nx_ctx->csbcpb;
++	struct nx_sg *in_sg, *out_sg;
++	u32 max_sg_len;
+ 	u64 count0;
+ 	unsigned long irq_flags;
+-	int rc;
++	int rc = 0;
+ 	int len;
+ 
+ 	spin_lock_irqsave(&nx_ctx->lock, irq_flags);
+ 
++	max_sg_len = min_t(u64, nx_ctx->ap->sglen,
++			nx_driver.of.max_sg_len/sizeof(struct nx_sg));
++	max_sg_len = min_t(u64, max_sg_len,
++			nx_ctx->ap->databytelen/NX_PAGE_SIZE);
++
+ 	/* final is represented by continuing the operation and indicating that
+ 	 * this is not an intermediate operation */
+ 	if (sctx->count[0] >= SHA512_BLOCK_SIZE) {
+@@ -200,24 +225,20 @@ static int nx_sha512_final(struct shash_desc *desc, u8 *out)
+ 	csbcpb->cpb.sha512.message_bit_length_lo = count0;
+ 
+ 	len = sctx->count[0] & (SHA512_BLOCK_SIZE - 1);
+-	rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->in_sg,
+-				  &nx_ctx->op.inlen,
+-				  &len,
+-				  (u8 *)sctx->buf,
+-				  NX_DS_SHA512);
++	in_sg = nx_build_sg_list(nx_ctx->in_sg, sctx->buf, &len,
++				 max_sg_len);
+ 
+-	if (rc || len != (sctx->count[0] & (SHA512_BLOCK_SIZE - 1)))
++	if (len != (sctx->count[0] & (SHA512_BLOCK_SIZE - 1))) {
++		rc = -EINVAL;
+ 		goto out;
++	}
+ 
+ 	len = SHA512_DIGEST_SIZE;
+-	rc = nx_sha_build_sg_list(nx_ctx, nx_ctx->out_sg,
+-				  &nx_ctx->op.outlen,
+-				  &len,
+-				  out,
+-				  NX_DS_SHA512);
++	out_sg = nx_build_sg_list(nx_ctx->out_sg, out, &len,
++				 max_sg_len);
+ 
+-	if (rc)
+-		goto out;
++	nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg);
++	nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
+ 
+ 	if (!nx_ctx->op.outlen) {
+ 		rc = -EINVAL;
+@@ -273,7 +294,7 @@ struct shash_alg nx_shash_sha512_alg = {
+ 		.cra_blocksize   = SHA512_BLOCK_SIZE,
+ 		.cra_module      = THIS_MODULE,
+ 		.cra_ctxsize     = sizeof(struct nx_crypto_ctx),
+-		.cra_init        = nx_crypto_ctx_sha_init,
++		.cra_init        = nx_crypto_ctx_sha512_init,
+ 		.cra_exit        = nx_crypto_ctx_exit,
+ 	}
+ };
+diff --git a/drivers/crypto/nx/nx.c b/drivers/crypto/nx/nx.c
+index 1da6dc5..737d33d 100644
+--- a/drivers/crypto/nx/nx.c
++++ b/drivers/crypto/nx/nx.c
+@@ -215,8 +215,15 @@ struct nx_sg *nx_walk_and_build(struct nx_sg       *nx_dst,
+  * @delta:  is the amount we need to crop in order to bound the list.
+  *
+  */
+-static long int trim_sg_list(struct nx_sg *sg, struct nx_sg *end, unsigned int delta)
++static long int trim_sg_list(struct nx_sg *sg,
++			     struct nx_sg *end,
++			     unsigned int delta,
++			     unsigned int *nbytes)
+ {
++	long int oplen;
++	long int data_back;
++	unsigned int is_delta = delta;
++
+ 	while (delta && end > sg) {
+ 		struct nx_sg *last = end - 1;
+ 
+@@ -228,54 +235,20 @@ static long int trim_sg_list(struct nx_sg *sg, struct nx_sg *end, unsigned int d
+ 			delta -= last->len;
+ 		}
+ 	}
+-	return (sg - end) * sizeof(struct nx_sg);
+-}
+-
+-/**
+- * nx_sha_build_sg_list - walk and build sg list to sha modes
+- *			  using right bounds and limits.
+- * @nx_ctx: NX crypto context for the lists we're building
+- * @nx_sg: current sg list in or out list
+- * @op_len: current op_len to be used in order to build a sg list
+- * @nbytes:  number or bytes to be processed
+- * @offset: buf offset
+- * @mode: SHA256 or SHA512
+- */
+-int nx_sha_build_sg_list(struct nx_crypto_ctx *nx_ctx,
+-			  struct nx_sg 	      *nx_in_outsg,
+-			  s64		      *op_len,
+-			  unsigned int        *nbytes,
+-			  u8 		      *offset,
+-			  u32		      mode)
+-{
+-	unsigned int delta = 0;
+-	unsigned int total = *nbytes;
+-	struct nx_sg *nx_insg = nx_in_outsg;
+-	unsigned int max_sg_len;
+ 
+-	max_sg_len = min_t(u64, nx_ctx->ap->sglen,
+-			nx_driver.of.max_sg_len/sizeof(struct nx_sg));
+-	max_sg_len = min_t(u64, max_sg_len,
+-			nx_ctx->ap->databytelen/NX_PAGE_SIZE);
+-
+-	*nbytes = min_t(u64, *nbytes, nx_ctx->ap->databytelen);
+-	nx_insg = nx_build_sg_list(nx_insg, offset, nbytes, max_sg_len);
+-
+-	switch (mode) {
+-	case NX_DS_SHA256:
+-		if (*nbytes < total)
+-			delta = *nbytes - (*nbytes & ~(SHA256_BLOCK_SIZE - 1));
+-		break;
+-	case NX_DS_SHA512:
+-		if (*nbytes < total)
+-			delta = *nbytes - (*nbytes & ~(SHA512_BLOCK_SIZE - 1));
+-		break;
+-	default:
+-		return -EINVAL;
++	/* There are cases where we need to crop list in order to make it
++	 * a block size multiple, but we also need to align data. In order to
++	 * that we need to calculate how much we need to put back to be
++	 * processed
++	 */
++	oplen = (sg - end) * sizeof(struct nx_sg);
++	if (is_delta) {
++		data_back = (abs(oplen) / AES_BLOCK_SIZE) *  sg->len;
++		data_back = *nbytes - (data_back & ~(AES_BLOCK_SIZE - 1));
++		*nbytes -= data_back;
+ 	}
+-	*op_len = trim_sg_list(nx_in_outsg, nx_insg, delta);
+ 
+-	return 0;
++	return oplen;
+ }
+ 
+ /**
+@@ -330,8 +303,8 @@ int nx_build_sg_lists(struct nx_crypto_ctx  *nx_ctx,
+ 	/* these lengths should be negative, which will indicate to phyp that
+ 	 * the input and output parameters are scatterlists, not linear
+ 	 * buffers */
+-	nx_ctx->op.inlen = trim_sg_list(nx_ctx->in_sg, nx_insg, delta);
+-	nx_ctx->op.outlen = trim_sg_list(nx_ctx->out_sg, nx_outsg, delta);
++	nx_ctx->op.inlen = trim_sg_list(nx_ctx->in_sg, nx_insg, delta, nbytes);
++	nx_ctx->op.outlen = trim_sg_list(nx_ctx->out_sg, nx_outsg, delta, nbytes);
+ 
+ 	return 0;
+ }
+@@ -662,12 +635,14 @@ static int nx_crypto_ctx_init(struct nx_crypto_ctx *nx_ctx, u32 fc, u32 mode)
+ /* entry points from the crypto tfm initializers */
+ int nx_crypto_ctx_aes_ccm_init(struct crypto_tfm *tfm)
+ {
++	tfm->crt_aead.reqsize = sizeof(struct nx_ccm_rctx);
+ 	return nx_crypto_ctx_init(crypto_tfm_ctx(tfm), NX_FC_AES,
+ 				  NX_MODE_AES_CCM);
+ }
+ 
+ int nx_crypto_ctx_aes_gcm_init(struct crypto_tfm *tfm)
+ {
++	tfm->crt_aead.reqsize = sizeof(struct nx_gcm_rctx);
+ 	return nx_crypto_ctx_init(crypto_tfm_ctx(tfm), NX_FC_AES,
+ 				  NX_MODE_AES_GCM);
+ }
+diff --git a/drivers/crypto/nx/nx.h b/drivers/crypto/nx/nx.h
+index 6c9ecaa..c3ed837 100644
+--- a/drivers/crypto/nx/nx.h
++++ b/drivers/crypto/nx/nx.h
+@@ -2,6 +2,8 @@
+ #ifndef __NX_H__
+ #define __NX_H__
+ 
++#include <crypto/ctr.h>
++
+ #define NX_NAME		"nx-crypto"
+ #define NX_STRING	"IBM Power7+ Nest Accelerator Crypto Driver"
+ #define NX_VERSION	"1.0"
+@@ -91,8 +93,11 @@ struct nx_crypto_driver {
+ 
+ #define NX_GCM4106_NONCE_LEN		(4)
+ #define NX_GCM_CTR_OFFSET		(12)
+-struct nx_gcm_priv {
++struct nx_gcm_rctx {
+ 	u8 iv[16];
++};
++
++struct nx_gcm_priv {
+ 	u8 iauth_tag[16];
+ 	u8 nonce[NX_GCM4106_NONCE_LEN];
+ };
+@@ -100,8 +105,11 @@ struct nx_gcm_priv {
+ #define NX_CCM_AES_KEY_LEN		(16)
+ #define NX_CCM4309_AES_KEY_LEN		(19)
+ #define NX_CCM4309_NONCE_LEN		(3)
+-struct nx_ccm_priv {
++struct nx_ccm_rctx {
+ 	u8 iv[16];
++};
++
++struct nx_ccm_priv {
+ 	u8 b0[16];
+ 	u8 iauth_tag[16];
+ 	u8 oauth_tag[16];
+@@ -113,7 +121,7 @@ struct nx_xcbc_priv {
+ };
+ 
+ struct nx_ctr_priv {
+-	u8 iv[16];
++	u8 nonce[CTR_RFC3686_NONCE_SIZE];
+ };
+ 
+ struct nx_crypto_ctx {
+@@ -153,8 +161,6 @@ void nx_crypto_ctx_exit(struct crypto_tfm *tfm);
+ void nx_ctx_init(struct nx_crypto_ctx *nx_ctx, unsigned int function);
+ int nx_hcall_sync(struct nx_crypto_ctx *ctx, struct vio_pfo_op *op,
+ 		  u32 may_sleep);
+-int nx_sha_build_sg_list(struct nx_crypto_ctx *, struct nx_sg *,
+-			 s64 *, unsigned int *, u8 *, u32);
+ struct nx_sg *nx_build_sg_list(struct nx_sg *, u8 *, unsigned int *, u32);
+ int nx_build_sg_lists(struct nx_crypto_ctx *, struct blkcipher_desc *,
+ 		      struct scatterlist *, struct scatterlist *, unsigned int *,
+diff --git a/drivers/crypto/qat/qat_common/qat_algs.c b/drivers/crypto/qat/qat_common/qat_algs.c
+index 1dc5b0a..34139a8 100644
+--- a/drivers/crypto/qat/qat_common/qat_algs.c
++++ b/drivers/crypto/qat/qat_common/qat_algs.c
+@@ -73,7 +73,8 @@
+ 				       ICP_QAT_HW_CIPHER_KEY_CONVERT, \
+ 				       ICP_QAT_HW_CIPHER_DECRYPT)
+ 
+-static atomic_t active_dev;
++static DEFINE_MUTEX(algs_lock);
++static unsigned int active_devs;
+ 
+ struct qat_alg_buf {
+ 	uint32_t len;
+@@ -1271,7 +1272,10 @@ static struct crypto_alg qat_algs[] = { {
+ 
+ int qat_algs_register(void)
+ {
+-	if (atomic_add_return(1, &active_dev) == 1) {
++	int ret = 0;
++
++	mutex_lock(&algs_lock);
++	if (++active_devs == 1) {
+ 		int i;
+ 
+ 		for (i = 0; i < ARRAY_SIZE(qat_algs); i++)
+@@ -1280,21 +1284,25 @@ int qat_algs_register(void)
+ 				CRYPTO_ALG_TYPE_AEAD | CRYPTO_ALG_ASYNC :
+ 				CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_ASYNC;
+ 
+-		return crypto_register_algs(qat_algs, ARRAY_SIZE(qat_algs));
++		ret = crypto_register_algs(qat_algs, ARRAY_SIZE(qat_algs));
+ 	}
+-	return 0;
++	mutex_unlock(&algs_lock);
++	return ret;
+ }
+ 
+ int qat_algs_unregister(void)
+ {
+-	if (atomic_sub_return(1, &active_dev) == 0)
+-		return crypto_unregister_algs(qat_algs, ARRAY_SIZE(qat_algs));
+-	return 0;
++	int ret = 0;
++
++	mutex_lock(&algs_lock);
++	if (--active_devs == 0)
++		ret = crypto_unregister_algs(qat_algs, ARRAY_SIZE(qat_algs));
++	mutex_unlock(&algs_lock);
++	return ret;
+ }
+ 
+ int qat_algs_init(void)
+ {
+-	atomic_set(&active_dev, 0);
+ 	crypto_get_default_rng();
+ 	return 0;
+ }
+diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
+index 7992164e..c89a7ab 100644
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -648,16 +648,17 @@ at_xdmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
+ 			desc->lld.mbr_sa = mem;
+ 			desc->lld.mbr_da = atchan->sconfig.dst_addr;
+ 		}
+-		desc->lld.mbr_cfg = atchan->cfg;
+-		dwidth = at_xdmac_get_dwidth(desc->lld.mbr_cfg);
++		dwidth = at_xdmac_get_dwidth(atchan->cfg);
+ 		fixed_dwidth = IS_ALIGNED(len, 1 << dwidth)
+-			       ? at_xdmac_get_dwidth(desc->lld.mbr_cfg)
++			       ? dwidth
+ 			       : AT_XDMAC_CC_DWIDTH_BYTE;
+ 		desc->lld.mbr_ubc = AT_XDMAC_MBR_UBC_NDV2			/* next descriptor view */
+ 			| AT_XDMAC_MBR_UBC_NDEN					/* next descriptor dst parameter update */
+ 			| AT_XDMAC_MBR_UBC_NSEN					/* next descriptor src parameter update */
+ 			| (i == sg_len - 1 ? 0 : AT_XDMAC_MBR_UBC_NDE)		/* descriptor fetch */
+ 			| (len >> fixed_dwidth);				/* microblock length */
++		desc->lld.mbr_cfg = (atchan->cfg & ~AT_XDMAC_CC_DWIDTH_MASK) |
++				    AT_XDMAC_CC_DWIDTH(fixed_dwidth);
+ 		dev_dbg(chan2dev(chan),
+ 			 "%s: lld: mbr_sa=%pad, mbr_da=%pad, mbr_ubc=0x%08x\n",
+ 			 __func__, &desc->lld.mbr_sa, &desc->lld.mbr_da, desc->lld.mbr_ubc);
+diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
+index 340f9e6..3dabc52 100644
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -2328,7 +2328,7 @@ static dma_cookie_t pl330_tx_submit(struct dma_async_tx_descriptor *tx)
+ 			desc->txd.callback = last->txd.callback;
+ 			desc->txd.callback_param = last->txd.callback_param;
+ 		}
+-		last->last = false;
++		desc->last = false;
+ 
+ 		dma_cookie_assign(&desc->txd);
+ 
+@@ -2621,6 +2621,7 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst,
+ 		desc->rqcfg.brst_len = 1;
+ 
+ 	desc->rqcfg.brst_len = get_burst_len(desc, len);
++	desc->bytes_requested = len;
+ 
+ 	desc->txd.flags = flags;
+ 
+diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
+index 778bbb6..b0487c9f 100644
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -1294,7 +1294,6 @@ retry:
+ 				goto retry;
+ 			}
+ 			DRM_DEBUG_KMS("failed to dpcd write %d %d\n", tosend, ret);
+-			WARN(1, "fail\n");
+ 
+ 			return -EIO;
+ 		}
+diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
+index 8ae6f7f..683a9b0 100644
+--- a/drivers/gpu/drm/i915/i915_drv.h
++++ b/drivers/gpu/drm/i915/i915_drv.h
+@@ -3190,15 +3190,14 @@ int intel_freq_opcode(struct drm_i915_private *dev_priv, int val);
+ #define I915_READ64(reg)	dev_priv->uncore.funcs.mmio_readq(dev_priv, (reg), true)
+ 
+ #define I915_READ64_2x32(lower_reg, upper_reg) ({			\
+-		u32 upper = I915_READ(upper_reg);			\
+-		u32 lower = I915_READ(lower_reg);			\
+-		u32 tmp = I915_READ(upper_reg);				\
+-		if (upper != tmp) {					\
+-			upper = tmp;					\
+-			lower = I915_READ(lower_reg);			\
+-			WARN_ON(I915_READ(upper_reg) != upper);		\
+-		}							\
+-		(u64)upper << 32 | lower; })
++	u32 upper, lower, tmp;						\
++	tmp = I915_READ(upper_reg);					\
++	do {								\
++		upper = tmp;						\
++		lower = I915_READ(lower_reg);				\
++		tmp = I915_READ(upper_reg);				\
++	} while (upper != tmp);						\
++	(u64)upper << 32 | lower; })
+ 
+ #define POSTING_READ(reg)	(void)I915_READ_NOTRACE(reg)
+ #define POSTING_READ16(reg)	(void)I915_READ16_NOTRACE(reg)
+diff --git a/drivers/gpu/drm/i915/i915_gem_tiling.c b/drivers/gpu/drm/i915/i915_gem_tiling.c
+index 6377b22..7ee23d1 100644
+--- a/drivers/gpu/drm/i915/i915_gem_tiling.c
++++ b/drivers/gpu/drm/i915/i915_gem_tiling.c
+@@ -464,7 +464,10 @@ i915_gem_get_tiling(struct drm_device *dev, void *data,
+ 	}
+ 
+ 	/* Hide bit 17 from the user -- see comment in i915_gem_set_tiling */
+-	args->phys_swizzle_mode = args->swizzle_mode;
++	if (dev_priv->quirks & QUIRK_PIN_SWIZZLED_PAGES)
++		args->phys_swizzle_mode = I915_BIT_6_SWIZZLE_UNKNOWN;
++	else
++		args->phys_swizzle_mode = args->swizzle_mode;
+ 	if (args->swizzle_mode == I915_BIT_6_SWIZZLE_9_17)
+ 		args->swizzle_mode = I915_BIT_6_SWIZZLE_9;
+ 	if (args->swizzle_mode == I915_BIT_6_SWIZZLE_9_10_17)
+diff --git a/drivers/gpu/drm/radeon/dce6_afmt.c b/drivers/gpu/drm/radeon/dce6_afmt.c
+index 68fd9fc..44480c1 100644
+--- a/drivers/gpu/drm/radeon/dce6_afmt.c
++++ b/drivers/gpu/drm/radeon/dce6_afmt.c
+@@ -93,30 +93,26 @@ void dce6_afmt_select_pin(struct drm_encoder *encoder)
+ 	struct radeon_device *rdev = encoder->dev->dev_private;
+ 	struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+ 	struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
+-	u32 offset;
+ 
+-	if (!dig || !dig->afmt || !dig->afmt->pin)
++	if (!dig || !dig->afmt || !dig->pin)
+ 		return;
+ 
+-	offset = dig->afmt->offset;
+-
+-	WREG32(AFMT_AUDIO_SRC_CONTROL + offset,
+-	       AFMT_AUDIO_SRC_SELECT(dig->afmt->pin->id));
++	WREG32(AFMT_AUDIO_SRC_CONTROL +  dig->afmt->offset,
++	       AFMT_AUDIO_SRC_SELECT(dig->pin->id));
+ }
+ 
+ void dce6_afmt_write_latency_fields(struct drm_encoder *encoder,
+-		struct drm_connector *connector, struct drm_display_mode *mode)
++				    struct drm_connector *connector,
++				    struct drm_display_mode *mode)
+ {
+ 	struct radeon_device *rdev = encoder->dev->dev_private;
+ 	struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+ 	struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
+-	u32 tmp = 0, offset;
++	u32 tmp = 0;
+ 
+-	if (!dig || !dig->afmt || !dig->afmt->pin)
++	if (!dig || !dig->afmt || !dig->pin)
+ 		return;
+ 
+-	offset = dig->afmt->pin->offset;
+-
+ 	if (mode->flags & DRM_MODE_FLAG_INTERLACE) {
+ 		if (connector->latency_present[1])
+ 			tmp = VIDEO_LIPSYNC(connector->video_latency[1]) |
+@@ -130,24 +126,24 @@ void dce6_afmt_write_latency_fields(struct drm_encoder *encoder,
+ 		else
+ 			tmp = VIDEO_LIPSYNC(0) | AUDIO_LIPSYNC(0);
+ 	}
+-	WREG32_ENDPOINT(offset, AZ_F0_CODEC_PIN_CONTROL_RESPONSE_LIPSYNC, tmp);
++	WREG32_ENDPOINT(dig->pin->offset,
++			AZ_F0_CODEC_PIN_CONTROL_RESPONSE_LIPSYNC, tmp);
+ }
+ 
+ void dce6_afmt_hdmi_write_speaker_allocation(struct drm_encoder *encoder,
+-	u8 *sadb, int sad_count)
++					     u8 *sadb, int sad_count)
+ {
+ 	struct radeon_device *rdev = encoder->dev->dev_private;
+ 	struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+ 	struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
+-	u32 offset, tmp;
++	u32 tmp;
+ 
+-	if (!dig || !dig->afmt || !dig->afmt->pin)
++	if (!dig || !dig->afmt || !dig->pin)
+ 		return;
+ 
+-	offset = dig->afmt->pin->offset;
+-
+ 	/* program the speaker allocation */
+-	tmp = RREG32_ENDPOINT(offset, AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER);
++	tmp = RREG32_ENDPOINT(dig->pin->offset,
++			      AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER);
+ 	tmp &= ~(DP_CONNECTION | SPEAKER_ALLOCATION_MASK);
+ 	/* set HDMI mode */
+ 	tmp |= HDMI_CONNECTION;
+@@ -155,24 +151,24 @@ void dce6_afmt_hdmi_write_speaker_allocation(struct drm_encoder *encoder,
+ 		tmp |= SPEAKER_ALLOCATION(sadb[0]);
+ 	else
+ 		tmp |= SPEAKER_ALLOCATION(5); /* stereo */
+-	WREG32_ENDPOINT(offset, AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER, tmp);
++	WREG32_ENDPOINT(dig->pin->offset,
++			AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER, tmp);
+ }
+ 
+ void dce6_afmt_dp_write_speaker_allocation(struct drm_encoder *encoder,
+-	u8 *sadb, int sad_count)
++					   u8 *sadb, int sad_count)
+ {
+ 	struct radeon_device *rdev = encoder->dev->dev_private;
+ 	struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+ 	struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
+-	u32 offset, tmp;
++	u32 tmp;
+ 
+-	if (!dig || !dig->afmt || !dig->afmt->pin)
++	if (!dig || !dig->afmt || !dig->pin)
+ 		return;
+ 
+-	offset = dig->afmt->pin->offset;
+-
+ 	/* program the speaker allocation */
+-	tmp = RREG32_ENDPOINT(offset, AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER);
++	tmp = RREG32_ENDPOINT(dig->pin->offset,
++			      AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER);
+ 	tmp &= ~(HDMI_CONNECTION | SPEAKER_ALLOCATION_MASK);
+ 	/* set DP mode */
+ 	tmp |= DP_CONNECTION;
+@@ -180,13 +176,13 @@ void dce6_afmt_dp_write_speaker_allocation(struct drm_encoder *encoder,
+ 		tmp |= SPEAKER_ALLOCATION(sadb[0]);
+ 	else
+ 		tmp |= SPEAKER_ALLOCATION(5); /* stereo */
+-	WREG32_ENDPOINT(offset, AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER, tmp);
++	WREG32_ENDPOINT(dig->pin->offset,
++			AZ_F0_CODEC_PIN_CONTROL_CHANNEL_SPEAKER, tmp);
+ }
+ 
+ void dce6_afmt_write_sad_regs(struct drm_encoder *encoder,
+-	struct cea_sad *sads, int sad_count)
++			      struct cea_sad *sads, int sad_count)
+ {
+-	u32 offset;
+ 	int i;
+ 	struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+ 	struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
+@@ -206,11 +202,9 @@ void dce6_afmt_write_sad_regs(struct drm_encoder *encoder,
+ 		{ AZ_F0_CODEC_PIN_CONTROL_AUDIO_DESCRIPTOR13, HDMI_AUDIO_CODING_TYPE_WMA_PRO },
+ 	};
+ 
+-	if (!dig || !dig->afmt || !dig->afmt->pin)
++	if (!dig || !dig->afmt || !dig->pin)
+ 		return;
+ 
+-	offset = dig->afmt->pin->offset;
+-
+ 	for (i = 0; i < ARRAY_SIZE(eld_reg_to_type); i++) {
+ 		u32 value = 0;
+ 		u8 stereo_freqs = 0;
+@@ -237,7 +231,7 @@ void dce6_afmt_write_sad_regs(struct drm_encoder *encoder,
+ 
+ 		value |= SUPPORTED_FREQUENCIES_STEREO(stereo_freqs);
+ 
+-		WREG32_ENDPOINT(offset, eld_reg_to_type[i][0], value);
++		WREG32_ENDPOINT(dig->pin->offset, eld_reg_to_type[i][0], value);
+ 	}
+ }
+ 
+@@ -253,7 +247,7 @@ void dce6_audio_enable(struct radeon_device *rdev,
+ }
+ 
+ void dce6_hdmi_audio_set_dto(struct radeon_device *rdev,
+-	struct radeon_crtc *crtc, unsigned int clock)
++			     struct radeon_crtc *crtc, unsigned int clock)
+ {
+ 	/* Two dtos; generally use dto0 for HDMI */
+ 	u32 value = 0;
+@@ -272,7 +266,7 @@ void dce6_hdmi_audio_set_dto(struct radeon_device *rdev,
+ }
+ 
+ void dce6_dp_audio_set_dto(struct radeon_device *rdev,
+-	struct radeon_crtc *crtc, unsigned int clock)
++			   struct radeon_crtc *crtc, unsigned int clock)
+ {
+ 	/* Two dtos; generally use dto1 for DP */
+ 	u32 value = 0;
+diff --git a/drivers/gpu/drm/radeon/radeon_audio.c b/drivers/gpu/drm/radeon/radeon_audio.c
+index fa719c5..59b3d32 100644
+--- a/drivers/gpu/drm/radeon/radeon_audio.c
++++ b/drivers/gpu/drm/radeon/radeon_audio.c
+@@ -245,6 +245,28 @@ static struct radeon_audio_funcs dce6_dp_funcs = {
+ static void radeon_audio_enable(struct radeon_device *rdev,
+ 				struct r600_audio_pin *pin, u8 enable_mask)
+ {
++	struct drm_encoder *encoder;
++	struct radeon_encoder *radeon_encoder;
++	struct radeon_encoder_atom_dig *dig;
++	int pin_count = 0;
++
++	if (!pin)
++		return;
++
++	if (rdev->mode_info.mode_config_initialized) {
++		list_for_each_entry(encoder, &rdev->ddev->mode_config.encoder_list, head) {
++			if (radeon_encoder_is_digital(encoder)) {
++				radeon_encoder = to_radeon_encoder(encoder);
++				dig = radeon_encoder->enc_priv;
++				if (dig->pin == pin)
++					pin_count++;
++			}
++		}
++
++		if ((pin_count > 1) && (enable_mask == 0))
++			return;
++	}
++
+ 	if (rdev->audio.funcs->enable)
+ 		rdev->audio.funcs->enable(rdev, pin, enable_mask);
+ }
+@@ -336,24 +358,13 @@ void radeon_audio_endpoint_wreg(struct radeon_device *rdev, u32 offset,
+ 
+ static void radeon_audio_write_sad_regs(struct drm_encoder *encoder)
+ {
+-	struct radeon_encoder *radeon_encoder;
+-	struct drm_connector *connector;
+-	struct radeon_connector *radeon_connector = NULL;
++	struct drm_connector *connector = radeon_get_connector_for_encoder(encoder);
++	struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+ 	struct cea_sad *sads;
+ 	int sad_count;
+ 
+-	list_for_each_entry(connector,
+-		&encoder->dev->mode_config.connector_list, head) {
+-		if (connector->encoder == encoder) {
+-			radeon_connector = to_radeon_connector(connector);
+-			break;
+-		}
+-	}
+-
+-	if (!radeon_connector) {
+-		DRM_ERROR("Couldn't find encoder's connector\n");
++	if (!connector)
+ 		return;
+-	}
+ 
+ 	sad_count = drm_edid_to_sad(radeon_connector_edid(connector), &sads);
+ 	if (sad_count <= 0) {
+@@ -362,8 +373,6 @@ static void radeon_audio_write_sad_regs(struct drm_encoder *encoder)
+ 	}
+ 	BUG_ON(!sads);
+ 
+-	radeon_encoder = to_radeon_encoder(encoder);
+-
+ 	if (radeon_encoder->audio && radeon_encoder->audio->write_sad_regs)
+ 		radeon_encoder->audio->write_sad_regs(encoder, sads, sad_count);
+ 
+@@ -372,27 +381,16 @@ static void radeon_audio_write_sad_regs(struct drm_encoder *encoder)
+ 
+ static void radeon_audio_write_speaker_allocation(struct drm_encoder *encoder)
+ {
++	struct drm_connector *connector = radeon_get_connector_for_encoder(encoder);
+ 	struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+-	struct drm_connector *connector;
+-	struct radeon_connector *radeon_connector = NULL;
+ 	u8 *sadb = NULL;
+ 	int sad_count;
+ 
+-	list_for_each_entry(connector,
+-			    &encoder->dev->mode_config.connector_list, head) {
+-		if (connector->encoder == encoder) {
+-			radeon_connector = to_radeon_connector(connector);
+-			break;
+-		}
+-	}
+-
+-	if (!radeon_connector) {
+-		DRM_ERROR("Couldn't find encoder's connector\n");
++	if (!connector)
+ 		return;
+-	}
+ 
+-	sad_count = drm_edid_to_speaker_allocation(
+-		radeon_connector_edid(connector), &sadb);
++	sad_count = drm_edid_to_speaker_allocation(radeon_connector_edid(connector),
++						   &sadb);
+ 	if (sad_count < 0) {
+ 		DRM_DEBUG("Couldn't read Speaker Allocation Data Block: %d\n",
+ 			  sad_count);
+@@ -406,26 +404,13 @@ static void radeon_audio_write_speaker_allocation(struct drm_encoder *encoder)
+ }
+ 
+ static void radeon_audio_write_latency_fields(struct drm_encoder *encoder,
+-	struct drm_display_mode *mode)
++					      struct drm_display_mode *mode)
+ {
+-	struct radeon_encoder *radeon_encoder;
+-	struct drm_connector *connector;
+-	struct radeon_connector *radeon_connector = 0;
+-
+-	list_for_each_entry(connector,
+-		&encoder->dev->mode_config.connector_list, head) {
+-		if (connector->encoder == encoder) {
+-			radeon_connector = to_radeon_connector(connector);
+-			break;
+-		}
+-	}
++	struct drm_connector *connector = radeon_get_connector_for_encoder(encoder);
++	struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+ 
+-	if (!radeon_connector) {
+-		DRM_ERROR("Couldn't find encoder's connector\n");
++	if (!connector)
+ 		return;
+-	}
+-
+-	radeon_encoder = to_radeon_encoder(encoder);
+ 
+ 	if (radeon_encoder->audio && radeon_encoder->audio->write_latency_fields)
+ 		radeon_encoder->audio->write_latency_fields(encoder, connector, mode);
+@@ -451,29 +436,23 @@ static void radeon_audio_select_pin(struct drm_encoder *encoder)
+ }
+ 
+ void radeon_audio_detect(struct drm_connector *connector,
++			 struct drm_encoder *encoder,
+ 			 enum drm_connector_status status)
+ {
+-	struct radeon_device *rdev;
+-	struct radeon_encoder *radeon_encoder;
++	struct drm_device *dev = connector->dev;
++	struct radeon_device *rdev = dev->dev_private;
++	struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+ 	struct radeon_encoder_atom_dig *dig;
+ 
+-	if (!connector || !connector->encoder)
++	if (!radeon_audio_chipset_supported(rdev))
+ 		return;
+ 
+-	rdev = connector->encoder->dev->dev_private;
+-
+-	if (!radeon_audio_chipset_supported(rdev))
++	if (!radeon_encoder_is_digital(encoder))
+ 		return;
+ 
+-	radeon_encoder = to_radeon_encoder(connector->encoder);
+ 	dig = radeon_encoder->enc_priv;
+ 
+ 	if (status == connector_status_connected) {
+-		if (!drm_detect_monitor_audio(radeon_connector_edid(connector))) {
+-			radeon_encoder->audio = NULL;
+-			return;
+-		}
+-
+ 		if (connector->connector_type == DRM_MODE_CONNECTOR_DisplayPort) {
+ 			struct radeon_connector *radeon_connector = to_radeon_connector(connector);
+ 
+@@ -486,11 +465,17 @@ void radeon_audio_detect(struct drm_connector *connector,
+ 			radeon_encoder->audio = rdev->audio.hdmi_funcs;
+ 		}
+ 
+-		dig->afmt->pin = radeon_audio_get_pin(connector->encoder);
+-		radeon_audio_enable(rdev, dig->afmt->pin, 0xf);
++		if (drm_detect_monitor_audio(radeon_connector_edid(connector))) {
++			if (!dig->pin)
++				dig->pin = radeon_audio_get_pin(encoder);
++			radeon_audio_enable(rdev, dig->pin, 0xf);
++		} else {
++			radeon_audio_enable(rdev, dig->pin, 0);
++			dig->pin = NULL;
++		}
+ 	} else {
+-		radeon_audio_enable(rdev, dig->afmt->pin, 0);
+-		dig->afmt->pin = NULL;
++		radeon_audio_enable(rdev, dig->pin, 0);
++		dig->pin = NULL;
+ 	}
+ }
+ 
+@@ -518,29 +503,18 @@ static void radeon_audio_set_dto(struct drm_encoder *encoder, unsigned int clock
+ }
+ 
+ static int radeon_audio_set_avi_packet(struct drm_encoder *encoder,
+-	struct drm_display_mode *mode)
++				       struct drm_display_mode *mode)
+ {
+ 	struct radeon_device *rdev = encoder->dev->dev_private;
+ 	struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+ 	struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
+-	struct drm_connector *connector;
+-	struct radeon_connector *radeon_connector = NULL;
++	struct drm_connector *connector = radeon_get_connector_for_encoder(encoder);
+ 	u8 buffer[HDMI_INFOFRAME_HEADER_SIZE + HDMI_AVI_INFOFRAME_SIZE];
+ 	struct hdmi_avi_infoframe frame;
+ 	int err;
+ 
+-	list_for_each_entry(connector,
+-		&encoder->dev->mode_config.connector_list, head) {
+-		if (connector->encoder == encoder) {
+-			radeon_connector = to_radeon_connector(connector);
+-			break;
+-		}
+-	}
+-
+-	if (!radeon_connector) {
+-		DRM_ERROR("Couldn't find encoder's connector\n");
+-		return -ENOENT;
+-	}
++	if (!connector)
++		return -EINVAL;
+ 
+ 	err = drm_hdmi_avi_infoframe_from_display_mode(&frame, mode);
+ 	if (err < 0) {
+@@ -563,8 +537,8 @@ static int radeon_audio_set_avi_packet(struct drm_encoder *encoder,
+ 		return err;
+ 	}
+ 
+-	if (dig && dig->afmt &&
+-		radeon_encoder->audio && radeon_encoder->audio->set_avi_packet)
++	if (dig && dig->afmt && radeon_encoder->audio &&
++	    radeon_encoder->audio->set_avi_packet)
+ 		radeon_encoder->audio->set_avi_packet(rdev, dig->afmt->offset,
+ 			buffer, sizeof(buffer));
+ 
+@@ -745,7 +719,7 @@ static void radeon_audio_hdmi_mode_set(struct drm_encoder *encoder,
+ }
+ 
+ static void radeon_audio_dp_mode_set(struct drm_encoder *encoder,
+-	struct drm_display_mode *mode)
++				     struct drm_display_mode *mode)
+ {
+ 	struct drm_device *dev = encoder->dev;
+ 	struct radeon_device *rdev = dev->dev_private;
+@@ -756,6 +730,9 @@ static void radeon_audio_dp_mode_set(struct drm_encoder *encoder,
+ 	struct radeon_connector_atom_dig *dig_connector =
+ 		radeon_connector->con_priv;
+ 
++	if (!connector)
++		return;
++
+ 	if (!dig || !dig->afmt)
+ 		return;
+ 
+@@ -774,7 +751,7 @@ static void radeon_audio_dp_mode_set(struct drm_encoder *encoder,
+ }
+ 
+ void radeon_audio_mode_set(struct drm_encoder *encoder,
+-	struct drm_display_mode *mode)
++			   struct drm_display_mode *mode)
+ {
+ 	struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+ 
+diff --git a/drivers/gpu/drm/radeon/radeon_audio.h b/drivers/gpu/drm/radeon/radeon_audio.h
+index 8438304..059cc30 100644
+--- a/drivers/gpu/drm/radeon/radeon_audio.h
++++ b/drivers/gpu/drm/radeon/radeon_audio.h
+@@ -68,7 +68,8 @@ struct radeon_audio_funcs
+ 
+ int radeon_audio_init(struct radeon_device *rdev);
+ void radeon_audio_detect(struct drm_connector *connector,
+-	enum drm_connector_status status);
++			 struct drm_encoder *encoder,
++			 enum drm_connector_status status);
+ u32 radeon_audio_endpoint_rreg(struct radeon_device *rdev,
+ 	u32 offset, u32 reg);
+ void radeon_audio_endpoint_wreg(struct radeon_device *rdev,
+diff --git a/drivers/gpu/drm/radeon/radeon_combios.c b/drivers/gpu/drm/radeon/radeon_combios.c
+index 3e5f6b7..c097d3a 100644
+--- a/drivers/gpu/drm/radeon/radeon_combios.c
++++ b/drivers/gpu/drm/radeon/radeon_combios.c
+@@ -1255,10 +1255,15 @@ struct radeon_encoder_lvds *radeon_combios_get_lvds_info(struct radeon_encoder
+ 
+ 			if ((RBIOS16(tmp) == lvds->native_mode.hdisplay) &&
+ 			    (RBIOS16(tmp + 2) == lvds->native_mode.vdisplay)) {
++				u32 hss = (RBIOS16(tmp + 21) - RBIOS16(tmp + 19) - 1) * 8;
++
++				if (hss > lvds->native_mode.hdisplay)
++					hss = (10 - 1) * 8;
++
+ 				lvds->native_mode.htotal = lvds->native_mode.hdisplay +
+ 					(RBIOS16(tmp + 17) - RBIOS16(tmp + 19)) * 8;
+ 				lvds->native_mode.hsync_start = lvds->native_mode.hdisplay +
+-					(RBIOS16(tmp + 21) - RBIOS16(tmp + 19) - 1) * 8;
++					hss;
+ 				lvds->native_mode.hsync_end = lvds->native_mode.hsync_start +
+ 					(RBIOS8(tmp + 23) * 8);
+ 
+diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
+index cebb65e..94b21ae 100644
+--- a/drivers/gpu/drm/radeon/radeon_connectors.c
++++ b/drivers/gpu/drm/radeon/radeon_connectors.c
+@@ -1379,8 +1379,16 @@ out:
+ 	/* updated in get modes as well since we need to know if it's analog or digital */
+ 	radeon_connector_update_scratch_regs(connector, ret);
+ 
+-	if (radeon_audio != 0)
+-		radeon_audio_detect(connector, ret);
++	if ((radeon_audio != 0) && radeon_connector->use_digital) {
++		const struct drm_connector_helper_funcs *connector_funcs =
++			connector->helper_private;
++
++		encoder = connector_funcs->best_encoder(connector);
++		if (encoder && (encoder->encoder_type == DRM_MODE_ENCODER_TMDS)) {
++			radeon_connector_get_edid(connector);
++			radeon_audio_detect(connector, encoder, ret);
++		}
++	}
+ 
+ exit:
+ 	pm_runtime_mark_last_busy(connector->dev->dev);
+@@ -1717,8 +1725,10 @@ radeon_dp_detect(struct drm_connector *connector, bool force)
+ 
+ 	radeon_connector_update_scratch_regs(connector, ret);
+ 
+-	if (radeon_audio != 0)
+-		radeon_audio_detect(connector, ret);
++	if ((radeon_audio != 0) && encoder) {
++		radeon_connector_get_edid(connector);
++		radeon_audio_detect(connector, encoder, ret);
++	}
+ 
+ out:
+ 	pm_runtime_mark_last_busy(connector->dev->dev);
+diff --git a/drivers/gpu/drm/radeon/radeon_mode.h b/drivers/gpu/drm/radeon/radeon_mode.h
+index f01c797..9af2d83 100644
+--- a/drivers/gpu/drm/radeon/radeon_mode.h
++++ b/drivers/gpu/drm/radeon/radeon_mode.h
+@@ -237,7 +237,6 @@ struct radeon_afmt {
+ 	int offset;
+ 	bool last_buffer_filled_status;
+ 	int id;
+-	struct r600_audio_pin *pin;
+ };
+ 
+ struct radeon_mode_info {
+@@ -439,6 +438,7 @@ struct radeon_encoder_atom_dig {
+ 	uint8_t backlight_level;
+ 	int panel_mode;
+ 	struct radeon_afmt *afmt;
++	struct r600_audio_pin *pin;
+ 	int active_mst_links;
+ };
+ 
+diff --git a/drivers/hwmon/nct7904.c b/drivers/hwmon/nct7904.c
+index 6153df73..08ff89d 100644
+--- a/drivers/hwmon/nct7904.c
++++ b/drivers/hwmon/nct7904.c
+@@ -575,6 +575,7 @@ static const struct i2c_device_id nct7904_id[] = {
+ 	{"nct7904", 0},
+ 	{}
+ };
++MODULE_DEVICE_TABLE(i2c, nct7904_id);
+ 
+ static struct i2c_driver nct7904_driver = {
+ 	.class = I2C_CLASS_HWMON,
+diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
+index a353b7d..bc7eed6 100644
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -20,6 +20,7 @@
+ #include <linux/input/mt.h>
+ #include <linux/serio.h>
+ #include <linux/libps2.h>
++#include <linux/dmi.h>
+ 
+ #include "psmouse.h"
+ #include "alps.h"
+@@ -99,6 +100,7 @@ static const struct alps_nibble_commands alps_v6_nibble_commands[] = {
+ #define ALPS_FOUR_BUTTONS	0x40	/* 4 direction button present */
+ #define ALPS_PS2_INTERLEAVED	0x80	/* 3-byte PS/2 packet interleaved with
+ 					   6-byte ALPS packet */
++#define ALPS_DELL		0x100	/* device is a Dell laptop */
+ #define ALPS_BUTTONPAD		0x200	/* device is a clickpad */
+ 
+ static const struct alps_model_info alps_model_data[] = {
+@@ -251,9 +253,9 @@ static void alps_process_packet_v1_v2(struct psmouse *psmouse)
+ 		return;
+ 	}
+ 
+-	/* Non interleaved V2 dualpoint has separate stick button bits */
++	/* Dell non interleaved V2 dualpoint has separate stick button bits */
+ 	if (priv->proto_version == ALPS_PROTO_V2 &&
+-	    priv->flags == (ALPS_PASS | ALPS_DUALPOINT)) {
++	    priv->flags == (ALPS_DELL | ALPS_PASS | ALPS_DUALPOINT)) {
+ 		left |= packet[0] & 1;
+ 		right |= packet[0] & 2;
+ 		middle |= packet[0] & 4;
+@@ -2542,6 +2544,8 @@ static int alps_set_protocol(struct psmouse *psmouse,
+ 	priv->byte0 = protocol->byte0;
+ 	priv->mask0 = protocol->mask0;
+ 	priv->flags = protocol->flags;
++	if (dmi_name_in_vendors("Dell"))
++		priv->flags |= ALPS_DELL;
+ 
+ 	priv->x_max = 2000;
+ 	priv->y_max = 1400;
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index e8d8456..697f34f 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1719,7 +1719,8 @@ static int dm_merge_bvec(struct request_queue *q,
+ 	struct mapped_device *md = q->queuedata;
+ 	struct dm_table *map = dm_get_live_table_fast(md);
+ 	struct dm_target *ti;
+-	sector_t max_sectors, max_size = 0;
++	sector_t max_sectors;
++	int max_size = 0;
+ 
+ 	if (unlikely(!map))
+ 		goto out;
+@@ -1732,18 +1733,10 @@ static int dm_merge_bvec(struct request_queue *q,
+ 	 * Find maximum amount of I/O that won't need splitting
+ 	 */
+ 	max_sectors = min(max_io_len(bvm->bi_sector, ti),
+-			  (sector_t) queue_max_sectors(q));
++			  (sector_t) BIO_MAX_SECTORS);
+ 	max_size = (max_sectors << SECTOR_SHIFT) - bvm->bi_size;
+-
+-	/*
+-	 * FIXME: this stop-gap fix _must_ be cleaned up (by passing a sector_t
+-	 * to the targets' merge function since it holds sectors not bytes).
+-	 * Just doing this as an interim fix for stable@ because the more
+-	 * comprehensive cleanup of switching to sector_t will impact every
+-	 * DM target that implements a ->merge hook.
+-	 */
+-	if (max_size > INT_MAX)
+-		max_size = INT_MAX;
++	if (max_size < 0)
++		max_size = 0;
+ 
+ 	/*
+ 	 * merge_bvec_fn() returns number of bytes
+@@ -1751,13 +1744,13 @@ static int dm_merge_bvec(struct request_queue *q,
+ 	 * max is precomputed maximal io size
+ 	 */
+ 	if (max_size && ti->type->merge)
+-		max_size = ti->type->merge(ti, bvm, biovec, (int) max_size);
++		max_size = ti->type->merge(ti, bvm, biovec, max_size);
+ 	/*
+ 	 * If the target doesn't support merge method and some of the devices
+-	 * provided their merge_bvec method (we know this by looking for the
+-	 * max_hw_sectors that dm_set_device_limits may set), then we can't
+-	 * allow bios with multiple vector entries.  So always set max_size
+-	 * to 0, and the code below allows just one page.
++	 * provided their merge_bvec method (we know this by looking at
++	 * queue_max_hw_sectors), then we can't allow bios with multiple vector
++	 * entries.  So always set max_size to 0, and the code below allows
++	 * just one page.
+ 	 */
+ 	else if (queue_max_hw_sectors(q) <= PAGE_SIZE >> 9)
+ 		max_size = 0;
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index b920028..e462151 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5740,7 +5740,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
+ 	char *ptr;
+ 	int err;
+ 
+-	file = kmalloc(sizeof(*file), GFP_NOIO);
++	file = kzalloc(sizeof(*file), GFP_NOIO);
+ 	if (!file)
+ 		return -ENOMEM;
+ 
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index cd7b0c1..5ce3cd5 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1475,6 +1475,7 @@ static void error(struct mddev *mddev, struct md_rdev *rdev)
+ {
+ 	char b[BDEVNAME_SIZE];
+ 	struct r1conf *conf = mddev->private;
++	unsigned long flags;
+ 
+ 	/*
+ 	 * If it is not operational, then we have already marked it as dead
+@@ -1494,14 +1495,13 @@ static void error(struct mddev *mddev, struct md_rdev *rdev)
+ 		return;
+ 	}
+ 	set_bit(Blocked, &rdev->flags);
++	spin_lock_irqsave(&conf->device_lock, flags);
+ 	if (test_and_clear_bit(In_sync, &rdev->flags)) {
+-		unsigned long flags;
+-		spin_lock_irqsave(&conf->device_lock, flags);
+ 		mddev->degraded++;
+ 		set_bit(Faulty, &rdev->flags);
+-		spin_unlock_irqrestore(&conf->device_lock, flags);
+ 	} else
+ 		set_bit(Faulty, &rdev->flags);
++	spin_unlock_irqrestore(&conf->device_lock, flags);
+ 	/*
+ 	 * if recovery is running, make sure it aborts.
+ 	 */
+@@ -1567,7 +1567,10 @@ static int raid1_spare_active(struct mddev *mddev)
+ 	 * Find all failed disks within the RAID1 configuration
+ 	 * and mark them readable.
+ 	 * Called under mddev lock, so rcu protection not needed.
++	 * device_lock used to avoid races with raid1_end_read_request
++	 * which expects 'In_sync' flags and ->degraded to be consistent.
+ 	 */
++	spin_lock_irqsave(&conf->device_lock, flags);
+ 	for (i = 0; i < conf->raid_disks; i++) {
+ 		struct md_rdev *rdev = conf->mirrors[i].rdev;
+ 		struct md_rdev *repl = conf->mirrors[conf->raid_disks + i].rdev;
+@@ -1598,7 +1601,6 @@ static int raid1_spare_active(struct mddev *mddev)
+ 			sysfs_notify_dirent_safe(rdev->sysfs_state);
+ 		}
+ 	}
+-	spin_lock_irqsave(&conf->device_lock, flags);
+ 	mddev->degraded -= count;
+ 	spin_unlock_irqrestore(&conf->device_lock, flags);
+ 
+diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
+index 7681237..ead5432 100644
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -1524,12 +1524,11 @@ static int ath10k_pci_get_num_banks(struct ath10k *ar)
+ 		switch (MS(ar->chip_id, SOC_CHIP_ID_REV)) {
+ 		case QCA6174_HW_1_0_CHIP_ID_REV:
+ 		case QCA6174_HW_1_1_CHIP_ID_REV:
++		case QCA6174_HW_2_1_CHIP_ID_REV:
++		case QCA6174_HW_2_2_CHIP_ID_REV:
+ 			return 3;
+ 		case QCA6174_HW_1_3_CHIP_ID_REV:
+ 			return 2;
+-		case QCA6174_HW_2_1_CHIP_ID_REV:
+-		case QCA6174_HW_2_2_CHIP_ID_REV:
+-			return 6;
+ 		case QCA6174_HW_3_0_CHIP_ID_REV:
+ 		case QCA6174_HW_3_1_CHIP_ID_REV:
+ 		case QCA6174_HW_3_2_CHIP_ID_REV:
+diff --git a/drivers/phy/phy-twl4030-usb.c b/drivers/phy/phy-twl4030-usb.c
+index 8882afb..6285f46 100644
+--- a/drivers/phy/phy-twl4030-usb.c
++++ b/drivers/phy/phy-twl4030-usb.c
+@@ -144,6 +144,16 @@
+ #define PMBR1				0x0D
+ #define GPIO_USB_4PIN_ULPI_2430C	(3 << 0)
+ 
++/*
++ * If VBUS is valid or ID is ground, then we know a
++ * cable is present and we need to be runtime-enabled
++ */
++static inline bool cable_present(enum omap_musb_vbus_id_status stat)
++{
++	return stat == OMAP_MUSB_VBUS_VALID ||
++		stat == OMAP_MUSB_ID_GROUND;
++}
++
+ struct twl4030_usb {
+ 	struct usb_phy		phy;
+ 	struct device		*dev;
+@@ -536,8 +546,10 @@ static irqreturn_t twl4030_usb_irq(int irq, void *_twl)
+ 
+ 	mutex_lock(&twl->lock);
+ 	if (status >= 0 && status != twl->linkstat) {
++		status_changed =
++			cable_present(twl->linkstat) !=
++			cable_present(status);
+ 		twl->linkstat = status;
+-		status_changed = true;
+ 	}
+ 	mutex_unlock(&twl->lock);
+ 
+@@ -553,15 +565,11 @@ static irqreturn_t twl4030_usb_irq(int irq, void *_twl)
+ 		 * USB_LINK_VBUS state.  musb_hdrc won't care until it
+ 		 * starts to handle softconnect right.
+ 		 */
+-		if ((status == OMAP_MUSB_VBUS_VALID) ||
+-		    (status == OMAP_MUSB_ID_GROUND)) {
+-			if (pm_runtime_suspended(twl->dev))
+-				pm_runtime_get_sync(twl->dev);
++		if (cable_present(status)) {
++			pm_runtime_get_sync(twl->dev);
+ 		} else {
+-			if (pm_runtime_active(twl->dev)) {
+-				pm_runtime_mark_last_busy(twl->dev);
+-				pm_runtime_put_autosuspend(twl->dev);
+-			}
++			pm_runtime_mark_last_busy(twl->dev);
++			pm_runtime_put_autosuspend(twl->dev);
+ 		}
+ 		omap_musb_mailbox(status);
+ 	}
+@@ -766,6 +774,9 @@ static int twl4030_usb_remove(struct platform_device *pdev)
+ 
+ 	/* disable complete OTG block */
+ 	twl4030_usb_clear_bits(twl, POWER_CTRL, POWER_CTRL_OTG_ENAB);
++
++	if (cable_present(twl->linkstat))
++		pm_runtime_put_noidle(twl->dev);
+ 	pm_runtime_mark_last_busy(twl->dev);
+ 	pm_runtime_put(twl->dev);
+ 
+diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
+index 8827448..a9aa389 100644
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -599,9 +599,10 @@ static void ipr_trc_hook(struct ipr_cmnd *ipr_cmd,
+ {
+ 	struct ipr_trace_entry *trace_entry;
+ 	struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg;
++	unsigned int trace_index;
+ 
+-	trace_entry = &ioa_cfg->trace[atomic_add_return
+-			(1, &ioa_cfg->trace_index)%IPR_NUM_TRACE_ENTRIES];
++	trace_index = atomic_add_return(1, &ioa_cfg->trace_index) & IPR_TRACE_INDEX_MASK;
++	trace_entry = &ioa_cfg->trace[trace_index];
+ 	trace_entry->time = jiffies;
+ 	trace_entry->op_code = ipr_cmd->ioarcb.cmd_pkt.cdb[0];
+ 	trace_entry->type = type;
+@@ -1051,10 +1052,15 @@ static void ipr_send_blocking_cmd(struct ipr_cmnd *ipr_cmd,
+ 
+ static int ipr_get_hrrq_index(struct ipr_ioa_cfg *ioa_cfg)
+ {
++	unsigned int hrrq;
++
+ 	if (ioa_cfg->hrrq_num == 1)
+-		return 0;
+-	else
+-		return (atomic_add_return(1, &ioa_cfg->hrrq_index) % (ioa_cfg->hrrq_num - 1)) + 1;
++		hrrq = 0;
++	else {
++		hrrq = atomic_add_return(1, &ioa_cfg->hrrq_index);
++		hrrq = (hrrq % (ioa_cfg->hrrq_num - 1)) + 1;
++	}
++	return hrrq;
+ }
+ 
+ /**
+@@ -6263,21 +6269,23 @@ static void ipr_scsi_done(struct ipr_cmnd *ipr_cmd)
+ 	struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg;
+ 	struct scsi_cmnd *scsi_cmd = ipr_cmd->scsi_cmd;
+ 	u32 ioasc = be32_to_cpu(ipr_cmd->s.ioasa.hdr.ioasc);
+-	unsigned long hrrq_flags;
++	unsigned long lock_flags;
+ 
+ 	scsi_set_resid(scsi_cmd, be32_to_cpu(ipr_cmd->s.ioasa.hdr.residual_data_len));
+ 
+ 	if (likely(IPR_IOASC_SENSE_KEY(ioasc) == 0)) {
+ 		scsi_dma_unmap(scsi_cmd);
+ 
+-		spin_lock_irqsave(ipr_cmd->hrrq->lock, hrrq_flags);
++		spin_lock_irqsave(ipr_cmd->hrrq->lock, lock_flags);
+ 		list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
+ 		scsi_cmd->scsi_done(scsi_cmd);
+-		spin_unlock_irqrestore(ipr_cmd->hrrq->lock, hrrq_flags);
++		spin_unlock_irqrestore(ipr_cmd->hrrq->lock, lock_flags);
+ 	} else {
+-		spin_lock_irqsave(ipr_cmd->hrrq->lock, hrrq_flags);
++		spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
++		spin_lock(&ipr_cmd->hrrq->_lock);
+ 		ipr_erp_start(ioa_cfg, ipr_cmd);
+-		spin_unlock_irqrestore(ipr_cmd->hrrq->lock, hrrq_flags);
++		spin_unlock(&ipr_cmd->hrrq->_lock);
++		spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
+ 	}
+ }
+ 
+diff --git a/drivers/scsi/ipr.h b/drivers/scsi/ipr.h
+index 73790a1..6b97ee4 100644
+--- a/drivers/scsi/ipr.h
++++ b/drivers/scsi/ipr.h
+@@ -1486,6 +1486,7 @@ struct ipr_ioa_cfg {
+ 
+ #define IPR_NUM_TRACE_INDEX_BITS	8
+ #define IPR_NUM_TRACE_ENTRIES		(1 << IPR_NUM_TRACE_INDEX_BITS)
++#define IPR_TRACE_INDEX_MASK		(IPR_NUM_TRACE_ENTRIES - 1)
+ #define IPR_TRACE_SIZE	(sizeof(struct ipr_trace_entry) * IPR_NUM_TRACE_ENTRIES)
+ 	char trace_start[8];
+ #define IPR_TRACE_START_LABEL			"trace"
+diff --git a/drivers/staging/lustre/lustre/obdclass/debug.c b/drivers/staging/lustre/lustre/obdclass/debug.c
+index 9c934e6..c61add4 100644
+--- a/drivers/staging/lustre/lustre/obdclass/debug.c
++++ b/drivers/staging/lustre/lustre/obdclass/debug.c
+@@ -40,7 +40,7 @@
+ 
+ #define DEBUG_SUBSYSTEM D_OTHER
+ 
+-#include <linux/unaligned/access_ok.h>
++#include <asm/unaligned.h>
+ 
+ #include "../include/obd_support.h"
+ #include "../include/lustre_debug.h"
+diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
+index 15baacb..376e4a0 100644
+--- a/drivers/staging/vt6655/device_main.c
++++ b/drivers/staging/vt6655/device_main.c
+@@ -1486,8 +1486,9 @@ static void vnt_bss_info_changed(struct ieee80211_hw *hw,
+ 		}
+ 	}
+ 
+-	if (changed & BSS_CHANGED_ASSOC && priv->op_mode != NL80211_IFTYPE_AP) {
+-		if (conf->assoc) {
++	if (changed & (BSS_CHANGED_ASSOC | BSS_CHANGED_BEACON_INFO) &&
++	    priv->op_mode != NL80211_IFTYPE_AP) {
++		if (conf->assoc && conf->beacon_rate) {
+ 			CARDbUpdateTSF(priv, conf->beacon_rate->hw_value,
+ 				       conf->sync_tsf);
+ 
+diff --git a/drivers/thermal/samsung/exynos_tmu.c b/drivers/thermal/samsung/exynos_tmu.c
+index 1d30b09..67098a8 100644
+--- a/drivers/thermal/samsung/exynos_tmu.c
++++ b/drivers/thermal/samsung/exynos_tmu.c
+@@ -1209,6 +1209,8 @@ err_clk_sec:
+ 	if (!IS_ERR(data->clk_sec))
+ 		clk_unprepare(data->clk_sec);
+ err_sensor:
++	if (!IS_ERR_OR_NULL(data->regulator))
++		regulator_disable(data->regulator);
+ 	thermal_zone_of_sensor_unregister(&pdev->dev, data->tzd);
+ 
+ 	return ret;
+diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c
+index 74fea4f..3ad48e1 100644
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -1024,7 +1024,18 @@ static struct platform_driver ci_hdrc_driver = {
+ 	},
+ };
+ 
+-module_platform_driver(ci_hdrc_driver);
++static int __init ci_hdrc_platform_register(void)
++{
++	ci_hdrc_host_driver_init();
++	return platform_driver_register(&ci_hdrc_driver);
++}
++module_init(ci_hdrc_platform_register);
++
++static void __exit ci_hdrc_platform_unregister(void)
++{
++	platform_driver_unregister(&ci_hdrc_driver);
++}
++module_exit(ci_hdrc_platform_unregister);
+ 
+ MODULE_ALIAS("platform:ci_hdrc");
+ MODULE_LICENSE("GPL v2");
+diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c
+index 21fe1a3..2f8af40 100644
+--- a/drivers/usb/chipidea/host.c
++++ b/drivers/usb/chipidea/host.c
+@@ -237,9 +237,12 @@ int ci_hdrc_host_init(struct ci_hdrc *ci)
+ 	rdrv->name	= "host";
+ 	ci->roles[CI_ROLE_HOST] = rdrv;
+ 
++	return 0;
++}
++
++void ci_hdrc_host_driver_init(void)
++{
+ 	ehci_init_driver(&ci_ehci_hc_driver, &ehci_ci_overrides);
+ 	orig_bus_suspend = ci_ehci_hc_driver.bus_suspend;
+ 	ci_ehci_hc_driver.bus_suspend = ci_ehci_bus_suspend;
+-
+-	return 0;
+ }
+diff --git a/drivers/usb/chipidea/host.h b/drivers/usb/chipidea/host.h
+index 5707bf3..0f12f13 100644
+--- a/drivers/usb/chipidea/host.h
++++ b/drivers/usb/chipidea/host.h
+@@ -5,6 +5,7 @@
+ 
+ int ci_hdrc_host_init(struct ci_hdrc *ci);
+ void ci_hdrc_host_destroy(struct ci_hdrc *ci);
++void ci_hdrc_host_driver_init(void);
+ 
+ #else
+ 
+@@ -18,6 +19,11 @@ static inline void ci_hdrc_host_destroy(struct ci_hdrc *ci)
+ 
+ }
+ 
++static void ci_hdrc_host_driver_init(void)
++{
++
++}
++
+ #endif
+ 
+ #endif /* __DRIVERS_USB_CHIPIDEA_HOST_H */
+diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
+index 6d3eb8b..5318615 100644
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -1162,14 +1162,14 @@ afunc_set_alt(struct usb_function *fn, unsigned intf, unsigned alt)
+ 			factor = 1000;
+ 		} else {
+ 			ep_desc = &hs_epin_desc;
+-			factor = 125;
++			factor = 8000;
+ 		}
+ 
+ 		/* pre-compute some values for iso_complete() */
+ 		uac2->p_framesize = opts->p_ssize *
+ 				    num_channels(opts->p_chmask);
+ 		rate = opts->p_srate * uac2->p_framesize;
+-		uac2->p_interval = (1 << (ep_desc->bInterval - 1)) * factor;
++		uac2->p_interval = factor / (1 << (ep_desc->bInterval - 1));
+ 		uac2->p_pktsize = min_t(unsigned int, rate / uac2->p_interval,
+ 					prm->max_psize);
+ 
+diff --git a/drivers/usb/gadget/udc/udc-core.c b/drivers/usb/gadget/udc/udc-core.c
+index d69c355..7d69931 100644
+--- a/drivers/usb/gadget/udc/udc-core.c
++++ b/drivers/usb/gadget/udc/udc-core.c
+@@ -321,6 +321,7 @@ err4:
+ 
+ err3:
+ 	put_device(&udc->dev);
++	device_del(&gadget->dev);
+ 
+ err2:
+ 	put_device(&gadget->dev);
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 3e442f7..9a8c936 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1792,7 +1792,8 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
+ 	int size;
+ 	int i, j, num_ports;
+ 
+-	del_timer_sync(&xhci->cmd_timer);
++	if (timer_pending(&xhci->cmd_timer))
++		del_timer_sync(&xhci->cmd_timer);
+ 
+ 	/* Free the Event Ring Segment Table and the actual Event Ring */
+ 	size = sizeof(struct xhci_erst_entry)*(xhci->erst.num_entries);
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index d095677..b3a0a22 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -82,7 +82,7 @@ dma_addr_t xhci_trb_virt_to_dma(struct xhci_segment *seg,
+ 		return 0;
+ 	/* offset in TRBs */
+ 	segment_offset = trb - seg->trbs;
+-	if (segment_offset > TRBS_PER_SEGMENT)
++	if (segment_offset >= TRBS_PER_SEGMENT)
+ 		return 0;
+ 	return seg->dma + (segment_offset * sizeof(*trb));
+ }
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index 19b85ee..876423b 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1099,6 +1099,8 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */
+ 	{ USB_DEVICE_INTERFACE_CLASS(SIERRA_VENDOR_ID, 0x68c0, 0xff),
+ 	  .driver_info = (kernel_ulong_t)&sierra_mc73xx_blacklist }, /* MC73xx */
++	{ USB_DEVICE_INTERFACE_CLASS(SIERRA_VENDOR_ID, 0x9041, 0xff),
++	  .driver_info = (kernel_ulong_t)&sierra_mc73xx_blacklist }, /* MC7305/MC7355 */
+ 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
+ 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
+ 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003),
+diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
+index 9c63897..d156545 100644
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -145,7 +145,6 @@ static const struct usb_device_id id_table[] = {
+ 	{DEVICE_SWI(0x1199, 0x901c)},	/* Sierra Wireless EM7700 */
+ 	{DEVICE_SWI(0x1199, 0x901f)},	/* Sierra Wireless EM7355 */
+ 	{DEVICE_SWI(0x1199, 0x9040)},	/* Sierra Wireless Modem */
+-	{DEVICE_SWI(0x1199, 0x9041)},	/* Sierra Wireless MC7305/MC7355 */
+ 	{DEVICE_SWI(0x1199, 0x9051)},	/* Netgear AirCard 340U */
+ 	{DEVICE_SWI(0x1199, 0x9053)},	/* Sierra Wireless Modem */
+ 	{DEVICE_SWI(0x1199, 0x9054)},	/* Sierra Wireless Modem */
+@@ -158,6 +157,7 @@ static const struct usb_device_id id_table[] = {
+ 	{DEVICE_SWI(0x413c, 0x81a4)},	/* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
+ 	{DEVICE_SWI(0x413c, 0x81a8)},	/* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */
+ 	{DEVICE_SWI(0x413c, 0x81a9)},	/* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
++	{DEVICE_SWI(0x413c, 0x81b1)},	/* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
+ 
+ 	/* Huawei devices */
+ 	{DEVICE_HWI(0x03f0, 0x581d)},	/* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */
+diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c
+index 46179a0..07d1ecd 100644
+--- a/drivers/usb/serial/sierra.c
++++ b/drivers/usb/serial/sierra.c
+@@ -289,6 +289,7 @@ static const struct usb_device_id id_table[] = {
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68AA, 0xFF, 0xFF, 0xFF),
+ 	  .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
+ 	},
++	{ USB_DEVICE(0x1199, 0x68AB) }, /* Sierra Wireless AR8550 */
+ 	/* AT&T Direct IP LTE modems */
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68AA, 0xFF, 0xFF, 0xFF),
+ 	  .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
+diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
+index 8927485..4bd23bb 100644
+--- a/drivers/xen/gntdev.c
++++ b/drivers/xen/gntdev.c
+@@ -568,12 +568,14 @@ static int gntdev_release(struct inode *inode, struct file *flip)
+ 
+ 	pr_debug("priv %p\n", priv);
+ 
++	mutex_lock(&priv->lock);
+ 	while (!list_empty(&priv->maps)) {
+ 		map = list_entry(priv->maps.next, struct grant_map, next);
+ 		list_del(&map->next);
+ 		gntdev_put_map(NULL /* already removed */, map);
+ 	}
+ 	WARN_ON(!list_empty(&priv->freeable_maps));
++	mutex_unlock(&priv->lock);
+ 
+ 	if (use_ptemod)
+ 		mmu_notifier_unregister(&priv->mn, priv->mm);
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 039f9c8a..6e13504 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -4397,9 +4397,9 @@ laundromat_main(struct work_struct *laundry)
+ 	queue_delayed_work(laundry_wq, &nn->laundromat_work, t*HZ);
+ }
+ 
+-static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_ol_stateid *stp)
++static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_stid *stp)
+ {
+-	if (!fh_match(&fhp->fh_handle, &stp->st_stid.sc_file->fi_fhandle))
++	if (!fh_match(&fhp->fh_handle, &stp->sc_file->fi_fhandle))
+ 		return nfserr_bad_stateid;
+ 	return nfs_ok;
+ }
+@@ -4574,20 +4574,48 @@ nfsd4_lookup_stateid(struct nfsd4_compound_state *cstate,
+ 	return nfs_ok;
+ }
+ 
++static struct file *
++nfs4_find_file(struct nfs4_stid *s, int flags)
++{
++	switch (s->sc_type) {
++	case NFS4_DELEG_STID:
++		if (WARN_ON_ONCE(!s->sc_file->fi_deleg_file))
++			return NULL;
++		return get_file(s->sc_file->fi_deleg_file);
++	case NFS4_OPEN_STID:
++	case NFS4_LOCK_STID:
++		if (flags & RD_STATE)
++			return find_readable_file(s->sc_file);
++		else
++			return find_writeable_file(s->sc_file);
++		break;
++	}
++
++	return NULL;
++}
++
++static __be32
++nfs4_check_olstateid(struct svc_fh *fhp, struct nfs4_ol_stateid *ols, int flags)
++{
++	__be32 status;
++
++	status = nfsd4_check_openowner_confirmed(ols);
++	if (status)
++		return status;
++	return nfs4_check_openmode(ols, flags);
++}
++
+ /*
+-* Checks for stateid operations
+-*/
++ * Checks for stateid operations
++ */
+ __be32
+ nfs4_preprocess_stateid_op(struct net *net, struct nfsd4_compound_state *cstate,
+ 			   stateid_t *stateid, int flags, struct file **filpp)
+ {
+-	struct nfs4_stid *s;
+-	struct nfs4_ol_stateid *stp = NULL;
+-	struct nfs4_delegation *dp = NULL;
+-	struct svc_fh *current_fh = &cstate->current_fh;
+-	struct inode *ino = d_inode(current_fh->fh_dentry);
++	struct svc_fh *fhp = &cstate->current_fh;
++	struct inode *ino = d_inode(fhp->fh_dentry);
+ 	struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+-	struct file *file = NULL;
++	struct nfs4_stid *s;
+ 	__be32 status;
+ 
+ 	if (filpp)
+@@ -4597,60 +4625,39 @@ nfs4_preprocess_stateid_op(struct net *net, struct nfsd4_compound_state *cstate,
+ 		return nfserr_grace;
+ 
+ 	if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
+-		return check_special_stateids(net, current_fh, stateid, flags);
++		return check_special_stateids(net, fhp, stateid, flags);
+ 
+ 	status = nfsd4_lookup_stateid(cstate, stateid,
+ 				NFS4_DELEG_STID|NFS4_OPEN_STID|NFS4_LOCK_STID,
+ 				&s, nn);
+ 	if (status)
+ 		return status;
+-	status = check_stateid_generation(stateid, &s->sc_stateid, nfsd4_has_session(cstate));
++	status = check_stateid_generation(stateid, &s->sc_stateid,
++			nfsd4_has_session(cstate));
+ 	if (status)
+ 		goto out;
++
+ 	switch (s->sc_type) {
+ 	case NFS4_DELEG_STID:
+-		dp = delegstateid(s);
+-		status = nfs4_check_delegmode(dp, flags);
+-		if (status)
+-			goto out;
+-		if (filpp) {
+-			file = dp->dl_stid.sc_file->fi_deleg_file;
+-			if (!file) {
+-				WARN_ON_ONCE(1);
+-				status = nfserr_serverfault;
+-				goto out;
+-			}
+-			get_file(file);
+-		}
++		status = nfs4_check_delegmode(delegstateid(s), flags);
+ 		break;
+ 	case NFS4_OPEN_STID:
+ 	case NFS4_LOCK_STID:
+-		stp = openlockstateid(s);
+-		status = nfs4_check_fh(current_fh, stp);
+-		if (status)
+-			goto out;
+-		status = nfsd4_check_openowner_confirmed(stp);
+-		if (status)
+-			goto out;
+-		status = nfs4_check_openmode(stp, flags);
+-		if (status)
+-			goto out;
+-		if (filpp) {
+-			struct nfs4_file *fp = stp->st_stid.sc_file;
+-
+-			if (flags & RD_STATE)
+-				file = find_readable_file(fp);
+-			else
+-				file = find_writeable_file(fp);
+-		}
++		status = nfs4_check_olstateid(fhp, openlockstateid(s), flags);
+ 		break;
+ 	default:
+ 		status = nfserr_bad_stateid;
++		break;
++	}
++	if (status)
+ 		goto out;
++	status = nfs4_check_fh(fhp, s);
++
++	if (!status && filpp) {
++		*filpp = nfs4_find_file(s, flags);
++		if (!*filpp)
++			status = nfserr_serverfault;
+ 	}
+-	status = nfs_ok;
+-	if (file)
+-		*filpp = file;
+ out:
+ 	nfs4_put_stid(s);
+ 	return status;
+@@ -4754,7 +4761,7 @@ static __be32 nfs4_seqid_op_checks(struct nfsd4_compound_state *cstate, stateid_
+ 	status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate));
+ 	if (status)
+ 		return status;
+-	return nfs4_check_fh(current_fh, stp);
++	return nfs4_check_fh(current_fh, &stp->st_stid);
+ }
+ 
+ /* 
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 158badf..d4d8445 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2142,6 +2142,7 @@ nfsd4_encode_aclname(struct xdr_stream *xdr, struct svc_rqst *rqstp,
+ #define WORD0_ABSENT_FS_ATTRS (FATTR4_WORD0_FS_LOCATIONS | FATTR4_WORD0_FSID | \
+ 			      FATTR4_WORD0_RDATTR_ERROR)
+ #define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID
++#define WORD2_ABSENT_FS_ATTRS 0
+ 
+ #ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+ static inline __be32
+@@ -2170,7 +2171,7 @@ nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp,
+ { return 0; }
+ #endif
+ 
+-static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *rdattr_err)
++static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *bmval2, u32 *rdattr_err)
+ {
+ 	/* As per referral draft:  */
+ 	if (*bmval0 & ~WORD0_ABSENT_FS_ATTRS ||
+@@ -2183,6 +2184,7 @@ static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *rdattr_err)
+ 	}
+ 	*bmval0 &= WORD0_ABSENT_FS_ATTRS;
+ 	*bmval1 &= WORD1_ABSENT_FS_ATTRS;
++	*bmval2 &= WORD2_ABSENT_FS_ATTRS;
+ 	return 0;
+ }
+ 
+@@ -2246,8 +2248,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
+ 	BUG_ON(bmval2 & ~nfsd_suppattrs2(minorversion));
+ 
+ 	if (exp->ex_fslocs.migrated) {
+-		BUG_ON(bmval[2]);
+-		status = fattr_handle_absent_fs(&bmval0, &bmval1, &rdattr_err);
++		status = fattr_handle_absent_fs(&bmval0, &bmval1, &bmval2, &rdattr_err);
+ 		if (status)
+ 			goto out;
+ 	}
+@@ -2290,8 +2291,8 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
+ 	}
+ 
+ #ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+-	if ((bmval[2] & FATTR4_WORD2_SECURITY_LABEL) ||
+-			bmval[0] & FATTR4_WORD0_SUPPORTED_ATTRS) {
++	if ((bmval2 & FATTR4_WORD2_SECURITY_LABEL) ||
++	     bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) {
+ 		err = security_inode_getsecctx(d_inode(dentry),
+ 						&context, &contextlen);
+ 		contextsupport = (err == 0);
+diff --git a/fs/notify/mark.c b/fs/notify/mark.c
+index 92e48c7..39ddcaf 100644
+--- a/fs/notify/mark.c
++++ b/fs/notify/mark.c
+@@ -412,16 +412,36 @@ void fsnotify_clear_marks_by_group_flags(struct fsnotify_group *group,
+ 					 unsigned int flags)
+ {
+ 	struct fsnotify_mark *lmark, *mark;
++	LIST_HEAD(to_free);
+ 
++	/*
++	 * We have to be really careful here. Anytime we drop mark_mutex, e.g.
++	 * fsnotify_clear_marks_by_inode() can come and free marks. Even in our
++	 * to_free list so we have to use mark_mutex even when accessing that
++	 * list. And freeing mark requires us to drop mark_mutex. So we can
++	 * reliably free only the first mark in the list. That's why we first
++	 * move marks to free to to_free list in one go and then free marks in
++	 * to_free list one by one.
++	 */
+ 	mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
+ 	list_for_each_entry_safe(mark, lmark, &group->marks_list, g_list) {
+-		if (mark->flags & flags) {
+-			fsnotify_get_mark(mark);
+-			fsnotify_destroy_mark_locked(mark, group);
+-			fsnotify_put_mark(mark);
+-		}
++		if (mark->flags & flags)
++			list_move(&mark->g_list, &to_free);
+ 	}
+ 	mutex_unlock(&group->mark_mutex);
++
++	while (1) {
++		mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
++		if (list_empty(&to_free)) {
++			mutex_unlock(&group->mark_mutex);
++			break;
++		}
++		mark = list_first_entry(&to_free, struct fsnotify_mark, g_list);
++		fsnotify_get_mark(mark);
++		fsnotify_destroy_mark_locked(mark, group);
++		mutex_unlock(&group->mark_mutex);
++		fsnotify_put_mark(mark);
++	}
+ }
+ 
+ /*
+diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
+index f906a25..9ea7012 100644
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -686,7 +686,7 @@ static int ocfs2_direct_IO_zero_extend(struct ocfs2_super *osb,
+ 
+ 	if (p_cpos && !(ext_flags & OCFS2_EXT_UNWRITTEN)) {
+ 		u64 s = i_size_read(inode);
+-		sector_t sector = (p_cpos << (osb->s_clustersize_bits - 9)) +
++		sector_t sector = ((u64)p_cpos << (osb->s_clustersize_bits - 9)) +
+ 			(do_div(s, osb->s_clustersize) >> 9);
+ 
+ 		ret = blkdev_issue_zeroout(osb->sb->s_bdev, sector,
+@@ -911,7 +911,7 @@ static ssize_t ocfs2_direct_IO_write(struct kiocb *iocb,
+ 		BUG_ON(!p_cpos || (ext_flags & OCFS2_EXT_UNWRITTEN));
+ 
+ 		ret = blkdev_issue_zeroout(osb->sb->s_bdev,
+-				p_cpos << (osb->s_clustersize_bits - 9),
++				(u64)p_cpos << (osb->s_clustersize_bits - 9),
+ 				zero_len_head >> 9, GFP_NOFS, false);
+ 		if (ret < 0)
+ 			mlog_errno(ret);
+diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c
+index 8b23aa2..23157e4 100644
+--- a/fs/ocfs2/dlmglue.c
++++ b/fs/ocfs2/dlmglue.c
+@@ -4025,9 +4025,13 @@ static void ocfs2_downconvert_thread_do_work(struct ocfs2_super *osb)
+ 	osb->dc_work_sequence = osb->dc_wake_sequence;
+ 
+ 	processed = osb->blocked_lock_count;
+-	while (processed) {
+-		BUG_ON(list_empty(&osb->blocked_lock_list));
+-
++	/*
++	 * blocked lock processing in this loop might call iput which can
++	 * remove items off osb->blocked_lock_list. Downconvert up to
++	 * 'processed' number of locks, but stop short if we had some
++	 * removed in ocfs2_mark_lockres_freeing when downconverting.
++	 */
++	while (processed && !list_empty(&osb->blocked_lock_list)) {
+ 		lockres = list_entry(osb->blocked_lock_list.next,
+ 				     struct ocfs2_lock_res, l_blocked_list);
+ 		list_del_init(&lockres->l_blocked_list);
+diff --git a/fs/signalfd.c b/fs/signalfd.c
+index 7e412ad..270221f 100644
+--- a/fs/signalfd.c
++++ b/fs/signalfd.c
+@@ -121,8 +121,9 @@ static int signalfd_copyinfo(struct signalfd_siginfo __user *uinfo,
+ 		 * Other callers might not initialize the si_lsb field,
+ 		 * so check explicitly for the right codes here.
+ 		 */
+-		if (kinfo->si_code == BUS_MCEERR_AR ||
+-		    kinfo->si_code == BUS_MCEERR_AO)
++		if (kinfo->si_signo == SIGBUS &&
++		    (kinfo->si_code == BUS_MCEERR_AR ||
++		     kinfo->si_code == BUS_MCEERR_AO))
+ 			err |= __put_user((short) kinfo->si_addr_lsb,
+ 					  &uinfo->ssi_addr_lsb);
+ #endif
+diff --git a/include/linux/mtd/nand.h b/include/linux/mtd/nand.h
+index 3d4ea7e..12b75f3 100644
+--- a/include/linux/mtd/nand.h
++++ b/include/linux/mtd/nand.h
+@@ -176,17 +176,17 @@ typedef enum {
+ /* Chip may not exist, so silence any errors in scan */
+ #define NAND_SCAN_SILENT_NODEV	0x00040000
+ /*
+- * This option could be defined by controller drivers to protect against
+- * kmap'ed, vmalloc'ed highmem buffers being passed from upper layers
+- */
+-#define NAND_USE_BOUNCE_BUFFER	0x00080000
+-/*
+  * Autodetect nand buswidth with readid/onfi.
+  * This suppose the driver will configure the hardware in 8 bits mode
+  * when calling nand_scan_ident, and update its configuration
+  * before calling nand_scan_tail.
+  */
+ #define NAND_BUSWIDTH_AUTO      0x00080000
++/*
++ * This option could be defined by controller drivers to protect against
++ * kmap'ed, vmalloc'ed highmem buffers being passed from upper layers
++ */
++#define NAND_USE_BOUNCE_BUFFER	0x00100000
+ 
+ /* Options set by nand scan */
+ /* Nand scan has allocated controller struct */
+diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h
+index efe3443..413417f 100644
+--- a/include/uapi/linux/pci_regs.h
++++ b/include/uapi/linux/pci_regs.h
+@@ -319,6 +319,7 @@
+ #define PCI_MSIX_PBA		8	/* Pending Bit Array offset */
+ #define  PCI_MSIX_PBA_BIR	0x00000007 /* BAR index */
+ #define  PCI_MSIX_PBA_OFFSET	0xfffffff8 /* Offset into specified BAR */
++#define PCI_MSIX_FLAGS_BIRMASK	PCI_MSIX_PBA_BIR /* deprecated */
+ #define PCI_CAP_MSIX_SIZEOF	12	/* size of MSIX registers */
+ 
+ /* MSI-X Table entry format */
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index 3aaea7f..c3fc5c2 100644
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -143,7 +143,6 @@ static int msg_insert(struct msg_msg *msg, struct mqueue_inode_info *info)
+ 		if (!leaf)
+ 			return -ENOMEM;
+ 		INIT_LIST_HEAD(&leaf->msg_list);
+-		info->qsize += sizeof(*leaf);
+ 	}
+ 	leaf->priority = msg->m_type;
+ 	rb_link_node(&leaf->rb_node, parent, p);
+@@ -188,7 +187,6 @@ try_again:
+ 			     "lazy leaf delete!\n");
+ 		rb_erase(&leaf->rb_node, &info->msg_tree);
+ 		if (info->node_cache) {
+-			info->qsize -= sizeof(*leaf);
+ 			kfree(leaf);
+ 		} else {
+ 			info->node_cache = leaf;
+@@ -201,7 +199,6 @@ try_again:
+ 		if (list_empty(&leaf->msg_list)) {
+ 			rb_erase(&leaf->rb_node, &info->msg_tree);
+ 			if (info->node_cache) {
+-				info->qsize -= sizeof(*leaf);
+ 				kfree(leaf);
+ 			} else {
+ 				info->node_cache = leaf;
+@@ -1026,7 +1023,6 @@ SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqdes, const char __user *, u_msg_ptr,
+ 		/* Save our speculative allocation into the cache */
+ 		INIT_LIST_HEAD(&new_leaf->msg_list);
+ 		info->node_cache = new_leaf;
+-		info->qsize += sizeof(*new_leaf);
+ 		new_leaf = NULL;
+ 	} else {
+ 		kfree(new_leaf);
+@@ -1133,7 +1129,6 @@ SYSCALL_DEFINE5(mq_timedreceive, mqd_t, mqdes, char __user *, u_msg_ptr,
+ 		/* Save our speculative allocation into the cache */
+ 		INIT_LIST_HEAD(&new_leaf->msg_list);
+ 		info->node_cache = new_leaf;
+-		info->qsize += sizeof(*new_leaf);
+ 	} else {
+ 		kfree(new_leaf);
+ 	}
+diff --git a/kernel/signal.c b/kernel/signal.c
+index d51c5dd..0206be7 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2753,12 +2753,15 @@ int copy_siginfo_to_user(siginfo_t __user *to, const siginfo_t *from)
+ 		 * Other callers might not initialize the si_lsb field,
+ 		 * so check explicitly for the right codes here.
+ 		 */
+-		if (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO)
++		if (from->si_signo == SIGBUS &&
++		    (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO))
+ 			err |= __put_user(from->si_addr_lsb, &to->si_addr_lsb);
+ #endif
+ #ifdef SEGV_BNDERR
+-		err |= __put_user(from->si_lower, &to->si_lower);
+-		err |= __put_user(from->si_upper, &to->si_upper);
++		if (from->si_signo == SIGSEGV && from->si_code == SEGV_BNDERR) {
++			err |= __put_user(from->si_lower, &to->si_lower);
++			err |= __put_user(from->si_upper, &to->si_upper);
++		}
+ #endif
+ 		break;
+ 	case __SI_CHLD:
+@@ -3022,7 +3025,7 @@ COMPAT_SYSCALL_DEFINE3(rt_sigqueueinfo,
+ 			int, sig,
+ 			struct compat_siginfo __user *, uinfo)
+ {
+-	siginfo_t info;
++	siginfo_t info = {};
+ 	int ret = copy_siginfo_from_user32(&info, uinfo);
+ 	if (unlikely(ret))
+ 		return ret;
+@@ -3066,7 +3069,7 @@ COMPAT_SYSCALL_DEFINE4(rt_tgsigqueueinfo,
+ 			int, sig,
+ 			struct compat_siginfo __user *, uinfo)
+ {
+-	siginfo_t info;
++	siginfo_t info = {};
+ 
+ 	if (copy_siginfo_from_user32(&info, uinfo))
+ 		return -EFAULT;
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index 5e8eadd..0d024fc 100644
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -937,21 +937,17 @@ static unsigned long shrink_page_list(struct list_head *page_list,
+ 		 *
+ 		 * 2) Global reclaim encounters a page, memcg encounters a
+ 		 *    page that is not marked for immediate reclaim or
+-		 *    the caller does not have __GFP_IO. In this case mark
++		 *    the caller does not have __GFP_FS (or __GFP_IO if it's
++		 *    simply going to swap, not to fs). In this case mark
+ 		 *    the page for immediate reclaim and continue scanning.
+ 		 *
+-		 *    __GFP_IO is checked  because a loop driver thread might
++		 *    Require may_enter_fs because we would wait on fs, which
++		 *    may not have submitted IO yet. And the loop driver might
+ 		 *    enter reclaim, and deadlock if it waits on a page for
+ 		 *    which it is needed to do the write (loop masks off
+ 		 *    __GFP_IO|__GFP_FS for this reason); but more thought
+ 		 *    would probably show more reasons.
+ 		 *
+-		 *    Don't require __GFP_FS, since we're not going into the
+-		 *    FS, just waiting on its writeback completion. Worryingly,
+-		 *    ext4 gfs2 and xfs allocate pages with
+-		 *    grab_cache_page_write_begin(,,AOP_FLAG_NOFS), so testing
+-		 *    may_enter_fs here is liable to OOM on them.
+-		 *
+ 		 * 3) memcg encounters a page that is not already marked
+ 		 *    PageReclaim. memcg does not have any dirty pages
+ 		 *    throttling so we could easily OOM just because too many
+@@ -968,7 +964,7 @@ static unsigned long shrink_page_list(struct list_head *page_list,
+ 
+ 			/* Case 2 above */
+ 			} else if (global_reclaim(sc) ||
+-			    !PageReclaim(page) || !(sc->gfp_mask & __GFP_IO)) {
++			    !PageReclaim(page) || !may_enter_fs) {
+ 				/*
+ 				 * This is slightly racy - end_page_writeback()
+ 				 * might have just cleared PageReclaim, then
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 1ab3dc9..7b815bc 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2295,6 +2295,10 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
+ 		return 1;
+ 
+ 	chan = conn->smp;
++	if (!chan) {
++		BT_ERR("SMP security requested but not available");
++		return 1;
++	}
+ 
+ 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
+ 		return 1;
+diff --git a/sound/firewire/amdtp.c b/sound/firewire/amdtp.c
+index e061355..bf20593 100644
+--- a/sound/firewire/amdtp.c
++++ b/sound/firewire/amdtp.c
+@@ -730,8 +730,9 @@ static void handle_in_packet(struct amdtp_stream *s,
+ 	    s->data_block_counter != UINT_MAX)
+ 		data_block_counter = s->data_block_counter;
+ 
+-	if (((s->flags & CIP_SKIP_DBC_ZERO_CHECK) && data_block_counter == 0) ||
+-	    (s->data_block_counter == UINT_MAX)) {
++	if (((s->flags & CIP_SKIP_DBC_ZERO_CHECK) &&
++	     data_block_counter == s->tx_first_dbc) ||
++	    s->data_block_counter == UINT_MAX) {
+ 		lost = false;
+ 	} else if (!(s->flags & CIP_DBC_IS_END_EVENT)) {
+ 		lost = data_block_counter != s->data_block_counter;
+diff --git a/sound/firewire/amdtp.h b/sound/firewire/amdtp.h
+index 8a03a91..25c9055 100644
+--- a/sound/firewire/amdtp.h
++++ b/sound/firewire/amdtp.h
+@@ -153,6 +153,8 @@ struct amdtp_stream {
+ 
+ 	/* quirk: fixed interval of dbc between previos/current packets. */
+ 	unsigned int tx_dbc_interval;
++	/* quirk: indicate the value of dbc field in a first packet. */
++	unsigned int tx_first_dbc;
+ 
+ 	bool callbacked;
+ 	wait_queue_head_t callback_wait;
+diff --git a/sound/firewire/fireworks/fireworks.c b/sound/firewire/fireworks/fireworks.c
+index 2682e7e..c94a432 100644
+--- a/sound/firewire/fireworks/fireworks.c
++++ b/sound/firewire/fireworks/fireworks.c
+@@ -248,8 +248,16 @@ efw_probe(struct fw_unit *unit,
+ 	err = get_hardware_info(efw);
+ 	if (err < 0)
+ 		goto error;
++	/* AudioFire8 (since 2009) and AudioFirePre8 */
+ 	if (entry->model_id == MODEL_ECHO_AUDIOFIRE_9)
+ 		efw->is_af9 = true;
++	/* These models uses the same firmware. */
++	if (entry->model_id == MODEL_ECHO_AUDIOFIRE_2 ||
++	    entry->model_id == MODEL_ECHO_AUDIOFIRE_4 ||
++	    entry->model_id == MODEL_ECHO_AUDIOFIRE_9 ||
++	    entry->model_id == MODEL_GIBSON_RIP ||
++	    entry->model_id == MODEL_GIBSON_GOLDTOP)
++		efw->is_fireworks3 = true;
+ 
+ 	snd_efw_proc_init(efw);
+ 
+diff --git a/sound/firewire/fireworks/fireworks.h b/sound/firewire/fireworks/fireworks.h
+index 4f0201a..084d414 100644
+--- a/sound/firewire/fireworks/fireworks.h
++++ b/sound/firewire/fireworks/fireworks.h
+@@ -71,6 +71,7 @@ struct snd_efw {
+ 
+ 	/* for quirks */
+ 	bool is_af9;
++	bool is_fireworks3;
+ 	u32 firmware_version;
+ 
+ 	unsigned int midi_in_ports;
+diff --git a/sound/firewire/fireworks/fireworks_stream.c b/sound/firewire/fireworks/fireworks_stream.c
+index c55db1b..7e353f1 100644
+--- a/sound/firewire/fireworks/fireworks_stream.c
++++ b/sound/firewire/fireworks/fireworks_stream.c
+@@ -172,6 +172,15 @@ int snd_efw_stream_init_duplex(struct snd_efw *efw)
+ 	efw->tx_stream.flags |= CIP_DBC_IS_END_EVENT;
+ 	/* Fireworks reset dbc at bus reset. */
+ 	efw->tx_stream.flags |= CIP_SKIP_DBC_ZERO_CHECK;
++	/*
++	 * But Recent firmwares starts packets with non-zero dbc.
++	 * Driver version 5.7.6 installs firmware version 5.7.3.
++	 */
++	if (efw->is_fireworks3 &&
++	    (efw->firmware_version == 0x5070000 ||
++	     efw->firmware_version == 0x5070300 ||
++	     efw->firmware_version == 0x5080000))
++		efw->tx_stream.tx_first_dbc = 0x02;
+ 	/* AudioFire9 always reports wrong dbs. */
+ 	if (efw->is_af9)
+ 		efw->tx_stream.flags |= CIP_WRONG_DBS;
+diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c
+index 50e9dd6..3a24f77 100644
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -1001,9 +1001,7 @@ static void cs4210_spdif_automute(struct hda_codec *codec,
+ 
+ 	spec->spdif_present = spdif_present;
+ 	/* SPDIF TX on/off */
+-	if (spdif_present)
+-		snd_hda_set_pin_ctl(codec, spdif_pin,
+-				    spdif_present ? PIN_OUT : 0);
++	snd_hda_set_pin_ctl(codec, spdif_pin, spdif_present ? PIN_OUT : 0);
+ 
+ 	cs_automute(codec);
+ }
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 590bcfb0..1e99f07 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5118,6 +5118,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ 	SND_PCI_QUIRK(0x1028, 0x06c7, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE),
+ 	SND_PCI_QUIRK(0x1028, 0x06d9, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ 	SND_PCI_QUIRK(0x1028, 0x06da, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
++	SND_PCI_QUIRK(0x1028, 0x06de, "Dell", ALC292_FIXUP_DISABLE_AAMIX),
+ 	SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ 	SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ 	SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
+diff --git a/sound/soc/codecs/pcm1681.c b/sound/soc/codecs/pcm1681.c
+index 477e13d..e7ba557 100644
+--- a/sound/soc/codecs/pcm1681.c
++++ b/sound/soc/codecs/pcm1681.c
+@@ -102,7 +102,7 @@ static int pcm1681_set_deemph(struct snd_soc_codec *codec)
+ 
+ 	if (val != -1) {
+ 		regmap_update_bits(priv->regmap, PCM1681_DEEMPH_CONTROL,
+-					PCM1681_DEEMPH_RATE_MASK, val);
++				   PCM1681_DEEMPH_RATE_MASK, val << 3);
+ 		enable = 1;
+ 	} else
+ 		enable = 0;
+diff --git a/sound/soc/codecs/ssm4567.c b/sound/soc/codecs/ssm4567.c
+index a984485..f7549cc 100644
+--- a/sound/soc/codecs/ssm4567.c
++++ b/sound/soc/codecs/ssm4567.c
+@@ -315,7 +315,13 @@ static int ssm4567_set_dai_fmt(struct snd_soc_dai *dai, unsigned int fmt)
+ 	if (invert_fclk)
+ 		ctrl1 |= SSM4567_SAI_CTRL_1_FSYNC;
+ 
+-	return regmap_write(ssm4567->regmap, SSM4567_REG_SAI_CTRL_1, ctrl1);
++	return regmap_update_bits(ssm4567->regmap, SSM4567_REG_SAI_CTRL_1,
++			SSM4567_SAI_CTRL_1_BCLK |
++			SSM4567_SAI_CTRL_1_FSYNC |
++			SSM4567_SAI_CTRL_1_LJ |
++			SSM4567_SAI_CTRL_1_TDM |
++			SSM4567_SAI_CTRL_1_PDM,
++			ctrl1);
+ }
+ 
+ static int ssm4567_set_power(struct ssm4567 *ssm4567, bool enable)
+diff --git a/sound/soc/intel/atom/sst/sst_drv_interface.c b/sound/soc/intel/atom/sst/sst_drv_interface.c
+index 7b50a9d..edc1869 100644
+--- a/sound/soc/intel/atom/sst/sst_drv_interface.c
++++ b/sound/soc/intel/atom/sst/sst_drv_interface.c
+@@ -42,6 +42,11 @@
+ #define MIN_FRAGMENT_SIZE (50 * 1024)
+ #define MAX_FRAGMENT_SIZE (1024 * 1024)
+ #define SST_GET_BYTES_PER_SAMPLE(pcm_wd_sz)  (((pcm_wd_sz + 15) >> 4) << 1)
++#ifdef CONFIG_PM
++#define GET_USAGE_COUNT(dev) (atomic_read(&dev->power.usage_count))
++#else
++#define GET_USAGE_COUNT(dev) 1
++#endif
+ 
+ int free_stream_context(struct intel_sst_drv *ctx, unsigned int str_id)
+ {
+@@ -141,15 +146,9 @@ static int sst_power_control(struct device *dev, bool state)
+ 	int ret = 0;
+ 	int usage_count = 0;
+ 
+-#ifdef CONFIG_PM
+-	usage_count = atomic_read(&dev->power.usage_count);
+-#else
+-	usage_count = 1;
+-#endif
+-
+ 	if (state == true) {
+ 		ret = pm_runtime_get_sync(dev);
+-
++		usage_count = GET_USAGE_COUNT(dev);
+ 		dev_dbg(ctx->dev, "Enable: pm usage count: %d\n", usage_count);
+ 		if (ret < 0) {
+ 			dev_err(ctx->dev, "Runtime get failed with err: %d\n", ret);
+@@ -164,6 +163,7 @@ static int sst_power_control(struct device *dev, bool state)
+ 			}
+ 		}
+ 	} else {
++		usage_count = GET_USAGE_COUNT(dev);
+ 		dev_dbg(ctx->dev, "Disable: pm usage count: %d\n", usage_count);
+ 		return sst_pm_runtime_put(ctx);
+ 	}
+diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
+index 158204d..b6c12dc 100644
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -1811,6 +1811,7 @@ static ssize_t dapm_widget_power_read_file(struct file *file,
+ 					   size_t count, loff_t *ppos)
+ {
+ 	struct snd_soc_dapm_widget *w = file->private_data;
++	struct snd_soc_card *card = w->dapm->card;
+ 	char *buf;
+ 	int in, out;
+ 	ssize_t ret;
+@@ -1820,6 +1821,8 @@ static ssize_t dapm_widget_power_read_file(struct file *file,
+ 	if (!buf)
+ 		return -ENOMEM;
+ 
++	mutex_lock(&card->dapm_mutex);
++
+ 	/* Supply widgets are not handled by is_connected_{input,output}_ep() */
+ 	if (w->is_supply) {
+ 		in = 0;
+@@ -1866,6 +1869,8 @@ static ssize_t dapm_widget_power_read_file(struct file *file,
+ 					p->sink->name);
+ 	}
+ 
++	mutex_unlock(&card->dapm_mutex);
++
+ 	ret = simple_read_from_buffer(user_buf, count, ppos, buf, ret);
+ 
+ 	kfree(buf);
+@@ -2140,11 +2145,15 @@ static ssize_t dapm_widget_show(struct device *dev,
+ 	struct snd_soc_pcm_runtime *rtd = dev_get_drvdata(dev);
+ 	int i, count = 0;
+ 
++	mutex_lock(&rtd->card->dapm_mutex);
++
+ 	for (i = 0; i < rtd->num_codecs; i++) {
+ 		struct snd_soc_codec *codec = rtd->codec_dais[i]->codec;
+ 		count += dapm_widget_show_codec(codec, buf + count);
+ 	}
+ 
++	mutex_unlock(&rtd->card->dapm_mutex);
++
+ 	return count;
+ }
+ 
+@@ -3100,16 +3109,10 @@ snd_soc_dapm_new_control(struct snd_soc_dapm_context *dapm,
+ 	}
+ 
+ 	prefix = soc_dapm_prefix(dapm);
+-	if (prefix) {
++	if (prefix)
+ 		w->name = kasprintf(GFP_KERNEL, "%s %s", prefix, widget->name);
+-		if (widget->sname)
+-			w->sname = kasprintf(GFP_KERNEL, "%s %s", prefix,
+-					     widget->sname);
+-	} else {
++	else
+ 		w->name = kasprintf(GFP_KERNEL, "%s", widget->name);
+-		if (widget->sname)
+-			w->sname = kasprintf(GFP_KERNEL, "%s", widget->sname);
+-	}
+ 	if (w->name == NULL) {
+ 		kfree(w);
+ 		return NULL;
+@@ -3557,7 +3560,7 @@ int snd_soc_dapm_link_dai_widgets(struct snd_soc_card *card)
+ 				break;
+ 			}
+ 
+-			if (!w->sname || !strstr(w->sname, dai_w->name))
++			if (!w->sname || !strstr(w->sname, dai_w->sname))
+ 				continue;
+ 
+ 			if (dai_w->id == snd_soc_dapm_dai_in) {
diff --git a/4.1.5/4420_grsecurity-3.1-4.1.5-201508142233.patch b/4.1.6/4420_grsecurity-3.1-4.1.6-201508181953.patch
index 5e56e38..ddef976 100644
--- a/4.1.5/4420_grsecurity-3.1-4.1.5-201508142233.patch
+++ b/4.1.6/4420_grsecurity-3.1-4.1.6-201508181953.patch
@@ -406,7 +406,7 @@ index c831001..1bfbbf6 100644
  
  A toggle value indicating if modules are allowed to be loaded
 diff --git a/Makefile b/Makefile
-index 068dd69..e4ad6b7 100644
+index 838dabc..90df77d 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -299,7 +299,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3643,7 +3643,7 @@ index 78c02b3..c94109a 100644
  struct omap_device *omap_device_alloc(struct platform_device *pdev,
  				      struct omap_hwmod **ohs, int oh_cnt);
 diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
-index 752969f..a34b446 100644
+index 5286e77..fdd234c 100644
 --- a/arch/arm/mach-omap2/omap_hwmod.c
 +++ b/arch/arm/mach-omap2/omap_hwmod.c
 @@ -199,10 +199,10 @@ struct omap_hwmod_soc_ops {
@@ -6588,7 +6588,7 @@ index b336037..5b874cc 100644
  
  /*
 diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
-index 819af9d..439839d 100644
+index 70f6e7f..11f4ada 100644
 --- a/arch/mips/include/asm/pgtable.h
 +++ b/arch/mips/include/asm/pgtable.h
 @@ -20,6 +20,9 @@
@@ -6892,10 +6892,10 @@ index 2242bdd..b284048 100644
  	}
  	/* Arrange for an interrupt in a short while */
 diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
-index d2d1c19..3e21d8d 100644
+index 5f5f44e..cf10625 100644
 --- a/arch/mips/kernel/traps.c
 +++ b/arch/mips/kernel/traps.c
-@@ -689,7 +689,18 @@ asmlinkage void do_ov(struct pt_regs *regs)
+@@ -696,7 +696,18 @@ asmlinkage void do_ov(struct pt_regs *regs)
  	siginfo_t info;
  
  	prev_state = exception_enter();
@@ -9056,10 +9056,10 @@ index f21897b..28c0428 100644
  
  	if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
 diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
-index d3a831a..3a33123 100644
+index da50e0c..5ff6307 100644
 --- a/arch/powerpc/kernel/signal_32.c
 +++ b/arch/powerpc/kernel/signal_32.c
-@@ -1011,7 +1011,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
+@@ -1009,7 +1009,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
  	/* Save user registers on the stack */
  	frame = &rt_sf->uc.uc_mcontext;
  	addr = frame;
@@ -10470,40 +10470,6 @@ index a35194b..47dabc0d 100644
  	if (unlikely(ret))
  		ret = copy_to_user_fixup(to, from, size);
  	return ret;
-diff --git a/arch/sparc/include/asm/visasm.h b/arch/sparc/include/asm/visasm.h
-index 1f0aa20..6424249 100644
---- a/arch/sparc/include/asm/visasm.h
-+++ b/arch/sparc/include/asm/visasm.h
-@@ -28,16 +28,10 @@
-  * Must preserve %o5 between VISEntryHalf and VISExitHalf */
- 
- #define VISEntryHalf					\
--	rd		%fprs, %o5;			\
--	andcc		%o5, FPRS_FEF, %g0;		\
--	be,pt		%icc, 297f;			\
--	 sethi		%hi(298f), %g7;			\
--	sethi		%hi(VISenterhalf), %g1;		\
--	jmpl		%g1 + %lo(VISenterhalf), %g0;	\
--	 or		%g7, %lo(298f), %g7;		\
--	clr		%o5;				\
--297:	wr		%o5, FPRS_FEF, %fprs;		\
--298:
-+	VISEntry
-+
-+#define VISExitHalf					\
-+	VISExit
- 
- #define VISEntryHalfFast(fail_label)			\
- 	rd		%fprs, %o5;			\
-@@ -47,7 +41,7 @@
- 	ba,a,pt		%xcc, fail_label;		\
- 297:	wr		%o5, FPRS_FEF, %fprs;
- 
--#define VISExitHalf					\
-+#define VISExitHalfFast					\
- 	wr		%o5, 0, %fprs;
- 
- #ifndef __ASSEMBLY__
 diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile
 index 7cf9c6e..6206648 100644
 --- a/arch/sparc/kernel/Makefile
@@ -11154,105 +11120,6 @@ index 3269b02..64f5231 100644
  
  lib-$(CONFIG_SPARC32) += ashrdi3.o
  lib-$(CONFIG_SPARC32) += memcpy.o memset.o
-diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S
-index 140527a..83aeeb1 100644
---- a/arch/sparc/lib/NG4memcpy.S
-+++ b/arch/sparc/lib/NG4memcpy.S
-@@ -240,8 +240,11 @@ FUNC_NAME:	/* %o0=dst, %o1=src, %o2=len */
- 	add		%o0, 0x40, %o0
- 	bne,pt		%icc, 1b
- 	 LOAD(prefetch, %g1 + 0x200, #n_reads_strong)
-+#ifdef NON_USER_COPY
-+	VISExitHalfFast
-+#else
- 	VISExitHalf
--
-+#endif
- 	brz,pn		%o2, .Lexit
- 	 cmp		%o2, 19
- 	ble,pn		%icc, .Lsmall_unaligned
-diff --git a/arch/sparc/lib/VISsave.S b/arch/sparc/lib/VISsave.S
-index b320ae9..a063d84 100644
---- a/arch/sparc/lib/VISsave.S
-+++ b/arch/sparc/lib/VISsave.S
-@@ -44,9 +44,8 @@ vis1:	ldub		[%g6 + TI_FPSAVED], %g3
- 
- 	 stx		%g3, [%g6 + TI_GSR]
- 2:	add		%g6, %g1, %g3
--	cmp		%o5, FPRS_DU
--	be,pn		%icc, 6f
--	 sll		%g1, 3, %g1
-+	mov		FPRS_DU | FPRS_DL | FPRS_FEF, %o5
-+	sll		%g1, 3, %g1
- 	stb		%o5, [%g3 + TI_FPSAVED]
- 	rd		%gsr, %g2
- 	add		%g6, %g1, %g3
-@@ -80,65 +79,3 @@ vis1:	ldub		[%g6 + TI_FPSAVED], %g3
- 	.align		32
- 80:	jmpl		%g7 + %g0, %g0
- 	 nop
--
--6:	ldub		[%g3 + TI_FPSAVED], %o5
--	or		%o5, FPRS_DU, %o5
--	add		%g6, TI_FPREGS+0x80, %g2
--	stb		%o5, [%g3 + TI_FPSAVED]
--
--	sll		%g1, 5, %g1
--	add		%g6, TI_FPREGS+0xc0, %g3
--	wr		%g0, FPRS_FEF, %fprs
--	membar		#Sync
--	stda		%f32, [%g2 + %g1] ASI_BLK_P
--	stda		%f48, [%g3 + %g1] ASI_BLK_P
--	membar		#Sync
--	ba,pt		%xcc, 80f
--	 nop
--
--	.align		32
--80:	jmpl		%g7 + %g0, %g0
--	 nop
--
--	.align		32
--VISenterhalf:
--	ldub		[%g6 + TI_FPDEPTH], %g1
--	brnz,a,pn	%g1, 1f
--	 cmp		%g1, 1
--	stb		%g0, [%g6 + TI_FPSAVED]
--	stx		%fsr, [%g6 + TI_XFSR]
--	clr		%o5
--	jmpl		%g7 + %g0, %g0
--	 wr		%g0, FPRS_FEF, %fprs
--
--1:	bne,pn		%icc, 2f
--	 srl		%g1, 1, %g1
--	ba,pt		%xcc, vis1
--	 sub		%g7, 8, %g7
--2:	addcc		%g6, %g1, %g3
--	sll		%g1, 3, %g1
--	andn		%o5, FPRS_DU, %g2
--	stb		%g2, [%g3 + TI_FPSAVED]
--
--	rd		%gsr, %g2
--	add		%g6, %g1, %g3
--	stx		%g2, [%g3 + TI_GSR]
--	add		%g6, %g1, %g2
--	stx		%fsr, [%g2 + TI_XFSR]
--	sll		%g1, 5, %g1
--3:	andcc		%o5, FPRS_DL, %g0
--	be,pn		%icc, 4f
--	 add		%g6, TI_FPREGS, %g2
--
--	add		%g6, TI_FPREGS+0x40, %g3
--	membar		#Sync
--	stda		%f0, [%g2 + %g1] ASI_BLK_P
--	stda		%f16, [%g3 + %g1] ASI_BLK_P
--	membar		#Sync
--	ba,pt		%xcc, 4f
--	 nop
--
--	.align		32
--4:	and		%o5, FPRS_DU, %o5
--	jmpl		%g7 + %g0, %g0
--	 wr		%o5, FPRS_FEF, %fprs
 diff --git a/arch/sparc/lib/atomic_64.S b/arch/sparc/lib/atomic_64.S
 index 05dac43..76f8ed4 100644
 --- a/arch/sparc/lib/atomic_64.S
@@ -11375,7 +11242,7 @@ index 05dac43..76f8ed4 100644
  ENTRY(atomic64_dec_if_positive) /* %o0 = atomic_ptr */
  	BACKOFF_SETUP(%o2)
 diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c
-index 1d649a9..c2e23c4 100644
+index 8069ce1..c2e23c4 100644
 --- a/arch/sparc/lib/ksyms.c
 +++ b/arch/sparc/lib/ksyms.c
 @@ -101,7 +101,9 @@ EXPORT_SYMBOL(__clear_user);
@@ -11398,17 +11265,6 @@ index 1d649a9..c2e23c4 100644
  ATOMIC_OPS(sub)
  
  #undef ATOMIC_OPS
-@@ -135,10 +139,6 @@ EXPORT_SYMBOL(copy_user_page);
- void VISenter(void);
- EXPORT_SYMBOL(VISenter);
- 
--/* CRYPTO code needs this */
--void VISenterhalf(void);
--EXPORT_SYMBOL(VISenterhalf);
--
- extern void xor_vis_2(unsigned long, unsigned long *, unsigned long *);
- extern void xor_vis_3(unsigned long, unsigned long *, unsigned long *,
- 		unsigned long *);
 diff --git a/arch/sparc/mm/Makefile b/arch/sparc/mm/Makefile
 index 30c3ecc..736f015 100644
 --- a/arch/sparc/mm/Makefile
@@ -12608,7 +12464,7 @@ index ad8f795..2c7eec6 100644
  /*
   * Memory returned by kmalloc() may be used for DMA, so we must make
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 226d569..d420edc 100644
+index 226d569..297bf74 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
 @@ -32,7 +32,7 @@ config X86
@@ -12679,7 +12535,15 @@ index 226d569..d420edc 100644
  	default 0x40000000 if VMSPLIT_1G
  	default 0xC0000000
  	depends on X86_32
-@@ -1717,6 +1721,7 @@ source kernel/Kconfig.hz
+@@ -1286,7 +1290,6 @@ config X86_PAE
+ 
+ config ARCH_PHYS_ADDR_T_64BIT
+ 	def_bool y
+-	depends on X86_64 || X86_PAE
+ 
+ config ARCH_DMA_ADDR_T_64BIT
+ 	def_bool y
+@@ -1717,6 +1720,7 @@ source kernel/Kconfig.hz
  
  config KEXEC
  	bool "kexec system call"
@@ -12687,7 +12551,7 @@ index 226d569..d420edc 100644
  	---help---
  	  kexec is a system call that implements the ability to shutdown your
  	  current kernel, and to start another kernel.  It is like a reboot
-@@ -1899,7 +1904,9 @@ config X86_NEED_RELOCS
+@@ -1899,7 +1903,9 @@ config X86_NEED_RELOCS
  
  config PHYSICAL_ALIGN
  	hex "Alignment value to which kernel should be aligned"
@@ -12698,7 +12562,7 @@ index 226d569..d420edc 100644
  	range 0x2000 0x1000000 if X86_32
  	range 0x200000 0x1000000 if X86_64
  	---help---
-@@ -1982,6 +1989,7 @@ config COMPAT_VDSO
+@@ -1982,6 +1988,7 @@ config COMPAT_VDSO
  	def_bool n
  	prompt "Disable the 32-bit vDSO (needed for glibc 2.3.3)"
  	depends on X86_32 || IA32_EMULATION
@@ -12706,7 +12570,7 @@ index 226d569..d420edc 100644
  	---help---
  	  Certain buggy versions of glibc will crash if they are
  	  presented with a 32-bit vDSO that is not mapped at the address
-@@ -2046,6 +2054,22 @@ config CMDLINE_OVERRIDE
+@@ -2046,6 +2053,22 @@ config CMDLINE_OVERRIDE
  	  This is used to work around broken boot loaders.  This should
  	  be set to 'N' under normal conditions.
  
@@ -17786,8 +17650,33 @@ index 802dde3..9183e68 100644
  #endif	/* __ASSEMBLY__ */
  
  #include <asm-generic/memory_model.h>
+diff --git a/arch/x86/include/asm/page_32.h b/arch/x86/include/asm/page_32.h
+index 904f528..b4d0d24 100644
+--- a/arch/x86/include/asm/page_32.h
++++ b/arch/x86/include/asm/page_32.h
+@@ -7,11 +7,17 @@
+ 
+ #define __phys_addr_nodebug(x)	((x) - PAGE_OFFSET)
+ #ifdef CONFIG_DEBUG_VIRTUAL
+-extern unsigned long __phys_addr(unsigned long);
++extern unsigned long __intentional_overflow(-1) __phys_addr(unsigned long);
+ #else
+-#define __phys_addr(x)		__phys_addr_nodebug(x)
++static inline unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x)
++{
++	return __phys_addr_nodebug(x);
++}
+ #endif
+-#define __phys_addr_symbol(x)	__phys_addr(x)
++static inline unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long x)
++{
++	return __phys_addr(x);
++}
+ #define __phys_reloc_hide(x)	RELOC_HIDE((x), 0)
+ 
+ #ifdef CONFIG_FLATMEM
 diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
-index b3bebf9..13ac22e 100644
+index b3bebf9..b7e1204 100644
 --- a/arch/x86/include/asm/page_64.h
 +++ b/arch/x86/include/asm/page_64.h
 @@ -7,9 +7,9 @@
@@ -17802,7 +17691,7 @@ index b3bebf9..13ac22e 100644
  {
  	unsigned long y = x - __START_KERNEL_map;
  
-@@ -20,8 +20,8 @@ static inline unsigned long __phys_addr_nodebug(unsigned long x)
+@@ -20,12 +20,14 @@ static inline unsigned long __phys_addr_nodebug(unsigned long x)
  }
  
  #ifdef CONFIG_DEBUG_VIRTUAL
@@ -17812,7 +17701,15 @@ index b3bebf9..13ac22e 100644
 +extern unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long);
  #else
  #define __phys_addr(x)		__phys_addr_nodebug(x)
- #define __phys_addr_symbol(x) \
+-#define __phys_addr_symbol(x) \
+-	((unsigned long)(x) - __START_KERNEL_map + phys_base)
++static inline unsigned long __intentional_overflow(-1) __phys_addr_symbol(const void *x)
++{
++	return (unsigned long)x - __START_KERNEL_map + phys_base;
++}
+ #endif
+ 
+ #define __phys_reloc_hide(x)	(x)
 diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
 index 8957810..f34efb4 100644
 --- a/arch/x86/include/asm/paravirt.h
@@ -19466,10 +19363,10 @@ index b4bdec3..e8af9bc 100644
  #endif
  #endif /* _ASM_X86_THREAD_INFO_H */
 diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
-index cd79194..c72ad3f 100644
+index cd79194..6a9956f 100644
 --- a/arch/x86/include/asm/tlbflush.h
 +++ b/arch/x86/include/asm/tlbflush.h
-@@ -86,18 +86,45 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask)
+@@ -86,18 +86,44 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask)
  
  static inline void __native_flush_tlb(void)
  {
@@ -19492,7 +19389,6 @@ index cd79194..c72ad3f 100644
 +	}
 +#endif
 +
-+
  	native_write_cr3(native_read_cr3());
  }
  
@@ -19521,7 +19417,7 @@ index cd79194..c72ad3f 100644
  }
  
  static inline void __native_flush_tlb_global(void)
-@@ -118,6 +145,43 @@ static inline void __native_flush_tlb_global(void)
+@@ -118,6 +144,43 @@ static inline void __native_flush_tlb_global(void)
  
  static inline void __native_flush_tlb_single(unsigned long addr)
  {
@@ -20681,7 +20577,7 @@ index 665c6b7..eae4d56 100644
  bogus_magic:
  	jmp	bogus_magic
 diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
-index aef6531..2044b66 100644
+index aef6531..d7ca83a 100644
 --- a/arch/x86/kernel/alternative.c
 +++ b/arch/x86/kernel/alternative.c
 @@ -248,7 +248,9 @@ static void __init_or_module add_nops(void *insns, unsigned int len)
@@ -20694,55 +20590,115 @@ index aef6531..2044b66 100644
  		insns += noplen;
  		len -= noplen;
  	}
-@@ -276,6 +278,11 @@ recompute_jump(struct alt_instr *a, u8 *orig_insn, u8 *repl_insn, u8 *insnbuf)
+@@ -276,6 +278,13 @@ recompute_jump(struct alt_instr *a, u8 *orig_insn, u8 *repl_insn, u8 *insnbuf)
  	if (a->replacementlen != 5)
  		return;
  
 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
 +	if (orig_insn < (u8 *)_text || (u8 *)_einittext <= orig_insn)
 +		orig_insn = ktva_ktla(orig_insn);
++	else
++		orig_insn -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
 +#endif
 +
  	o_dspl = *(s32 *)(insnbuf + 1);
  
  	/* next_rip of the replacement JMP */
-@@ -362,7 +369,23 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
+@@ -346,6 +355,7 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
+ {
+ 	struct alt_instr *a;
+ 	u8 *instr, *replacement;
++	u8 *vinstr, *vreplacement;
+ 	u8 insnbuf[MAX_PATCH_LEN];
+ 
+ 	DPRINTK("alt table %p -> %p", start, end);
+@@ -361,46 +371,71 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
+ 	for (a = start; a < end; a++) {
  		int insnbuf_sz = 0;
  
- 		instr = (u8 *)&a->instr_offset + a->instr_offset;
+-		instr = (u8 *)&a->instr_offset + a->instr_offset;
+-		replacement = (u8 *)&a->repl_offset + a->repl_offset;
++		vinstr = instr = (u8 *)&a->instr_offset + a->instr_offset;
 +
 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
-+		if ((u8 *)_text <= instr && instr < (u8 *)_einittext) {
++		if ((u8 *)_text - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR) <= instr &&
++		    instr < (u8 *)_einittext - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR)) {
 +			instr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
-+			instr = ktla_ktva(instr);
++			vinstr = ktla_ktva(instr);
++		} else if ((u8 *)_text <= instr && instr < (u8 *)_einittext) {
++			vinstr = ktla_ktva(instr);
++		} else {
++			instr = ktva_ktla(instr);
 +		}
 +#endif
 +
- 		replacement = (u8 *)&a->repl_offset + a->repl_offset;
++		vreplacement = replacement = (u8 *)&a->repl_offset + a->repl_offset;
 +
 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
-+		if ((u8 *)_text <= replacement && replacement < (u8 *)_einittext) {
++		if ((u8 *)_text - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR) <= replacement &&
++		    replacement < (u8 *)_einittext - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR)) {
 +			replacement += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
-+			replacement = ktla_ktva(replacement);
-+		}
++			vreplacement = ktla_ktva(replacement);
++		} else if ((u8 *)_text <= replacement && replacement < (u8 *)_einittext) {
++			vreplacement = ktla_ktva(replacement);
++		} else
++			replacement = ktva_ktla(replacement);
 +#endif
 +
  		BUG_ON(a->instrlen > sizeof(insnbuf));
  		BUG_ON(a->cpuid >= (NCAPINTS + NBUGINTS) * 32);
  		if (!boot_cpu_has(a->cpuid)) {
-@@ -402,6 +425,11 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
+ 			if (a->padlen > 1)
+-				optimize_nops(a, instr);
++				optimize_nops(a, vinstr);
+ 
+ 			continue;
  		}
- 		DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", instr);
  
-+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
-+		if (instr < (u8 *)_text || (u8 *)_einittext <= instr)
-+			instr = ktva_ktla(instr);
-+#endif
-+
+-		DPRINTK("feat: %d*32+%d, old: (%p, len: %d), repl: (%p, len: %d), pad: %d",
++		DPRINTK("feat: %d*32+%d, old: (%p/%p, len: %d), repl: (%p, len: %d), pad: %d",
+ 			a->cpuid >> 5,
+ 			a->cpuid & 0x1f,
+-			instr, a->instrlen,
+-			replacement, a->replacementlen, a->padlen);
++			instr, vinstr, a->instrlen,
++			vreplacement, a->replacementlen, a->padlen);
+ 
+-		DUMP_BYTES(instr, a->instrlen, "%p: old_insn: ", instr);
+-		DUMP_BYTES(replacement, a->replacementlen, "%p: rpl_insn: ", replacement);
++		DUMP_BYTES(vinstr, a->instrlen, "%p: old_insn: ", vinstr);
++		DUMP_BYTES(vreplacement, a->replacementlen, "%p: rpl_insn: ", vreplacement);
+ 
+-		memcpy(insnbuf, replacement, a->replacementlen);
++		memcpy(insnbuf, vreplacement, a->replacementlen);
+ 		insnbuf_sz = a->replacementlen;
+ 
+ 		/* 0xe8 is a relative jump; fix the offset. */
+ 		if (*insnbuf == 0xe8 && a->replacementlen == 5) {
+-			*(s32 *)(insnbuf + 1) += replacement - instr;
++			*(s32 *)(insnbuf + 1) += vreplacement - vinstr;
+ 			DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx",
+ 				*(s32 *)(insnbuf + 1),
+-				(unsigned long)instr + *(s32 *)(insnbuf + 1) + 5);
++				(unsigned long)vinstr + *(s32 *)(insnbuf + 1) + 5);
+ 		}
+ 
+-		if (a->replacementlen && is_jmp(replacement[0]))
+-			recompute_jump(a, instr, replacement, insnbuf);
++		if (a->replacementlen && is_jmp(vreplacement[0]))
++			recompute_jump(a, instr, vreplacement, insnbuf);
+ 
+ 		if (a->instrlen > a->replacementlen) {
+ 			add_nops(insnbuf + a->replacementlen,
+ 				 a->instrlen - a->replacementlen);
+ 			insnbuf_sz += a->instrlen - a->replacementlen;
+ 		}
+-		DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", instr);
++		DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", vinstr);
+ 
  		text_poke_early(instr, insnbuf, insnbuf_sz);
  	}
- }
-@@ -416,10 +444,16 @@ static void alternatives_smp_lock(const s32 *start, const s32 *end,
+@@ -416,10 +451,16 @@ static void alternatives_smp_lock(const s32 *start, const s32 *end,
  	for (poff = start; poff < end; poff++) {
  		u8 *ptr = (u8 *)poff + *poff;
  
@@ -20760,7 +20716,7 @@ index aef6531..2044b66 100644
  			text_poke(ptr, ((unsigned char []){0xf0}), 1);
  	}
  	mutex_unlock(&text_mutex);
-@@ -434,10 +468,16 @@ static void alternatives_smp_unlock(const s32 *start, const s32 *end,
+@@ -434,10 +475,16 @@ static void alternatives_smp_unlock(const s32 *start, const s32 *end,
  	for (poff = start; poff < end; poff++) {
  		u8 *ptr = (u8 *)poff + *poff;
  
@@ -20778,7 +20734,7 @@ index aef6531..2044b66 100644
  			text_poke(ptr, ((unsigned char []){0x3E}), 1);
  	}
  	mutex_unlock(&text_mutex);
-@@ -574,7 +614,7 @@ void __init_or_module apply_paravirt(struct paravirt_patch_site *start,
+@@ -574,7 +621,7 @@ void __init_or_module apply_paravirt(struct paravirt_patch_site *start,
  
  		BUG_ON(p->len > MAX_PATCH_LEN);
  		/* prep the buffer with the original instructions */
@@ -20787,7 +20743,7 @@ index aef6531..2044b66 100644
  		used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
  					 (unsigned long)p->instr, p->len);
  
-@@ -621,7 +661,7 @@ void __init alternative_instructions(void)
+@@ -621,7 +668,7 @@ void __init alternative_instructions(void)
  	if (!uniproc_patched || num_possible_cpus() == 1)
  		free_init_pages("SMP alternatives",
  				(unsigned long)__smp_locks,
@@ -20796,7 +20752,7 @@ index aef6531..2044b66 100644
  #endif
  
  	apply_paravirt(__parainstructions, __parainstructions_end);
-@@ -641,13 +681,17 @@ void __init alternative_instructions(void)
+@@ -641,13 +688,17 @@ void __init alternative_instructions(void)
   * instructions. And on the local CPU you need to be protected again NMI or MCE
   * handlers seeing an inconsistent instruction while you patch.
   */
@@ -20816,7 +20772,7 @@ index aef6531..2044b66 100644
  	local_irq_restore(flags);
  	/* Could also do a CLFLUSH here to speed up CPU recovery; but
  	   that causes hangs on some VIA CPUs. */
-@@ -669,36 +713,22 @@ void *__init_or_module text_poke_early(void *addr, const void *opcode,
+@@ -669,36 +720,22 @@ void *__init_or_module text_poke_early(void *addr, const void *opcode,
   */
  void *text_poke(void *addr, const void *opcode, size_t len)
  {
@@ -20861,7 +20817,7 @@ index aef6531..2044b66 100644
  	return addr;
  }
  
-@@ -752,7 +782,7 @@ int poke_int3_handler(struct pt_regs *regs)
+@@ -752,7 +789,7 @@ int poke_int3_handler(struct pt_regs *regs)
   */
  void *text_poke_bp(void *addr, const void *opcode, size_t len, void *handler)
  {
@@ -23222,7 +23178,7 @@ index 1c30976..71b41b9 100644
  #endif
  
 diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 02c2eff..9c9ea72 100644
+index 4bd6c19..a0eba01 100644
 --- a/arch/x86/kernel/entry_64.S
 +++ b/arch/x86/kernel/entry_64.S
 @@ -46,6 +46,8 @@
@@ -23234,7 +23190,7 @@ index 02c2eff..9c9ea72 100644
  
  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
  #include <linux/elf-em.h>
-@@ -64,6 +66,402 @@ ENTRY(native_usergs_sysret64)
+@@ -64,6 +66,401 @@ ENTRY(native_usergs_sysret64)
  ENDPROC(native_usergs_sysret64)
  #endif /* CONFIG_PARAVIRT */
  
@@ -23263,7 +23219,6 @@ index 02c2eff..9c9ea72 100644
 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
 +	call pax_exit_kernel
 +#endif
-+
 +	.endm
 +
 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
@@ -23637,7 +23592,7 @@ index 02c2eff..9c9ea72 100644
  
  .macro TRACE_IRQS_IRETQ
  #ifdef CONFIG_TRACE_IRQFLAGS
-@@ -100,7 +498,7 @@ ENDPROC(native_usergs_sysret64)
+@@ -100,7 +497,7 @@ ENDPROC(native_usergs_sysret64)
  .endm
  
  .macro TRACE_IRQS_IRETQ_DEBUG
@@ -23646,7 +23601,7 @@ index 02c2eff..9c9ea72 100644
  	jnc  1f
  	TRACE_IRQS_ON_DEBUG
  1:
-@@ -221,14 +619,6 @@ GLOBAL(system_call_after_swapgs)
+@@ -221,14 +618,6 @@ GLOBAL(system_call_after_swapgs)
  	/* Construct struct pt_regs on stack */
  	pushq_cfi $__USER_DS			/* pt_regs->ss */
  	pushq_cfi PER_CPU_VAR(rsp_scratch)	/* pt_regs->sp */
@@ -23661,7 +23616,7 @@ index 02c2eff..9c9ea72 100644
  	pushq_cfi	%r11			/* pt_regs->flags */
  	pushq_cfi	$__USER_CS		/* pt_regs->cs */
  	pushq_cfi	%rcx			/* pt_regs->ip */
-@@ -246,7 +636,27 @@ GLOBAL(system_call_after_swapgs)
+@@ -246,7 +635,27 @@ GLOBAL(system_call_after_swapgs)
  	sub	$(6*8),%rsp /* pt_regs->bp,bx,r12-15 not saved */
  	CFI_ADJUST_CFA_OFFSET 6*8
  
@@ -23690,7 +23645,7 @@ index 02c2eff..9c9ea72 100644
  	jnz tracesys
  system_call_fastpath:
  #if __SYSCALL_MASK == ~0
-@@ -279,10 +689,13 @@ system_call_fastpath:
+@@ -279,10 +688,13 @@ system_call_fastpath:
  	 * flags (TIF_NOTIFY_RESUME, TIF_USER_RETURN_NOTIFY, etc) set is
  	 * very bad.
  	 */
@@ -23705,7 +23660,7 @@ index 02c2eff..9c9ea72 100644
  
  	RESTORE_C_REGS_EXCEPT_RCX_R11
  	movq	RIP(%rsp),%rcx
-@@ -316,6 +729,9 @@ tracesys:
+@@ -316,6 +728,9 @@ tracesys:
  	call syscall_trace_enter_phase1
  	test %rax, %rax
  	jnz tracesys_phase2		/* if needed, run the slow path */
@@ -23715,7 +23670,7 @@ index 02c2eff..9c9ea72 100644
  	RESTORE_C_REGS_EXCEPT_RAX	/* else restore clobbered regs */
  	movq ORIG_RAX(%rsp), %rax
  	jmp system_call_fastpath	/*      and return to the fast path */
-@@ -327,6 +743,8 @@ tracesys_phase2:
+@@ -327,6 +742,8 @@ tracesys_phase2:
  	movq %rax,%rdx
  	call syscall_trace_enter_phase2
  
@@ -23724,7 +23679,7 @@ index 02c2eff..9c9ea72 100644
  	/*
  	 * Reload registers from stack in case ptrace changed them.
  	 * We don't reload %rax because syscall_trace_entry_phase2() returned
-@@ -364,6 +782,8 @@ GLOBAL(int_with_check)
+@@ -364,6 +781,8 @@ GLOBAL(int_with_check)
  	andl %edi,%edx
  	jnz   int_careful
  	andl	$~TS_COMPAT,TI_status(%rcx)
@@ -23733,7 +23688,7 @@ index 02c2eff..9c9ea72 100644
  	jmp	syscall_return
  
  	/* Either reschedule or signal or syscall exit tracking needed. */
-@@ -485,7 +905,7 @@ opportunistic_sysret_failed:
+@@ -485,7 +904,7 @@ opportunistic_sysret_failed:
  	SWAPGS
  	jmp	restore_c_regs_and_iret
  	CFI_ENDPROC
@@ -23742,7 +23697,7 @@ index 02c2eff..9c9ea72 100644
  
  
  	.macro FORK_LIKE func
-@@ -495,7 +915,7 @@ ENTRY(stub_\func)
+@@ -495,7 +914,7 @@ ENTRY(stub_\func)
  	SAVE_EXTRA_REGS 8
  	jmp sys_\func
  	CFI_ENDPROC
@@ -23751,7 +23706,7 @@ index 02c2eff..9c9ea72 100644
  	.endm
  
  	FORK_LIKE  clone
-@@ -519,7 +939,7 @@ return_from_execve:
+@@ -519,7 +938,7 @@ return_from_execve:
  	movq	%rax,RAX(%rsp)
  	jmp	int_ret_from_sys_call
  	CFI_ENDPROC
@@ -23760,7 +23715,7 @@ index 02c2eff..9c9ea72 100644
  /*
   * Remaining execve stubs are only 7 bytes long.
   * ENTRY() often aligns to 16 bytes, which in this case has no benefits.
-@@ -531,7 +951,7 @@ GLOBAL(stub_execveat)
+@@ -531,7 +950,7 @@ GLOBAL(stub_execveat)
  	call	sys_execveat
  	jmp	return_from_execve
  	CFI_ENDPROC
@@ -23769,7 +23724,7 @@ index 02c2eff..9c9ea72 100644
  
  #ifdef CONFIG_X86_X32_ABI
  	.align	8
-@@ -541,7 +961,7 @@ GLOBAL(stub_x32_execve)
+@@ -541,7 +960,7 @@ GLOBAL(stub_x32_execve)
  	call	compat_sys_execve
  	jmp	return_from_execve
  	CFI_ENDPROC
@@ -23778,7 +23733,7 @@ index 02c2eff..9c9ea72 100644
  	.align	8
  GLOBAL(stub_x32_execveat)
  	CFI_STARTPROC
-@@ -549,7 +969,7 @@ GLOBAL(stub_x32_execveat)
+@@ -549,7 +968,7 @@ GLOBAL(stub_x32_execveat)
  	call	compat_sys_execveat
  	jmp	return_from_execve
  	CFI_ENDPROC
@@ -23787,7 +23742,7 @@ index 02c2eff..9c9ea72 100644
  #endif
  
  #ifdef CONFIG_IA32_EMULATION
-@@ -592,7 +1012,7 @@ return_from_stub:
+@@ -592,7 +1011,7 @@ return_from_stub:
  	movq %rax,RAX(%rsp)
  	jmp int_ret_from_sys_call
  	CFI_ENDPROC
@@ -23796,7 +23751,7 @@ index 02c2eff..9c9ea72 100644
  
  #ifdef CONFIG_X86_X32_ABI
  ENTRY(stub_x32_rt_sigreturn)
-@@ -602,7 +1022,7 @@ ENTRY(stub_x32_rt_sigreturn)
+@@ -602,7 +1021,7 @@ ENTRY(stub_x32_rt_sigreturn)
  	call sys32_x32_rt_sigreturn
  	jmp  return_from_stub
  	CFI_ENDPROC
@@ -23805,7 +23760,7 @@ index 02c2eff..9c9ea72 100644
  #endif
  
  /*
-@@ -622,7 +1042,7 @@ ENTRY(ret_from_fork)
+@@ -622,7 +1041,7 @@ ENTRY(ret_from_fork)
  
  	RESTORE_EXTRA_REGS
  
@@ -23814,7 +23769,7 @@ index 02c2eff..9c9ea72 100644
  
  	/*
  	 * By the time we get here, we have no idea whether our pt_regs,
-@@ -641,7 +1061,7 @@ ENTRY(ret_from_fork)
+@@ -641,7 +1060,7 @@ ENTRY(ret_from_fork)
  	RESTORE_EXTRA_REGS
  	jmp int_ret_from_sys_call
  	CFI_ENDPROC
@@ -23823,7 +23778,7 @@ index 02c2eff..9c9ea72 100644
  
  /*
   * Build the entry stubs with some assembler magic.
-@@ -659,7 +1079,7 @@ ENTRY(irq_entries_start)
+@@ -659,7 +1078,7 @@ ENTRY(irq_entries_start)
  	.align	8
      .endr
  	CFI_ENDPROC
@@ -23832,7 +23787,7 @@ index 02c2eff..9c9ea72 100644
  
  /*
   * Interrupt entry/exit.
-@@ -672,21 +1092,13 @@ END(irq_entries_start)
+@@ -672,21 +1091,13 @@ END(irq_entries_start)
  /* 0(%rsp): ~(interrupt number) */
  	.macro interrupt func
  	cld
@@ -23859,7 +23814,7 @@ index 02c2eff..9c9ea72 100644
  	je 1f
  	SWAPGS
  1:
-@@ -709,8 +1121,20 @@ END(irq_entries_start)
+@@ -709,8 +1120,20 @@ END(irq_entries_start)
  	CFI_ESCAPE	0x0f /* DW_CFA_def_cfa_expression */, 6, \
  			0x77 /* DW_OP_breg7 (rsp) */, 0, \
  			0x06 /* DW_OP_deref */, \
@@ -23881,7 +23836,7 @@ index 02c2eff..9c9ea72 100644
  	/* We entered an interrupt context - irqs are off: */
  	TRACE_IRQS_OFF
  
-@@ -735,13 +1159,12 @@ ret_from_intr:
+@@ -735,13 +1158,12 @@ ret_from_intr:
  
  	/* Restore saved previous stack */
  	popq %rsi
@@ -23899,7 +23854,7 @@ index 02c2eff..9c9ea72 100644
  	je retint_kernel
  	/* Interrupt came from user space */
  
-@@ -763,6 +1186,8 @@ retint_swapgs:		/* return to user-space */
+@@ -763,6 +1185,8 @@ retint_swapgs:		/* return to user-space */
  	 * The iretq could re-enable interrupts:
  	 */
  	DISABLE_INTERRUPTS(CLBR_ANY)
@@ -23908,7 +23863,7 @@ index 02c2eff..9c9ea72 100644
  	TRACE_IRQS_IRETQ
  
  	SWAPGS
-@@ -781,6 +1206,21 @@ retint_kernel:
+@@ -781,6 +1205,21 @@ retint_kernel:
  	jmp	0b
  1:
  #endif
@@ -23930,16 +23885,7 @@ index 02c2eff..9c9ea72 100644
  	/*
  	 * The iretq could re-enable interrupts:
  	 */
-@@ -793,8 +1233,6 @@ retint_kernel:
- restore_c_regs_and_iret:
- 	RESTORE_C_REGS
- 	REMOVE_PT_GPREGS_FROM_STACK 8
--
--irq_return:
- 	INTERRUPT_RETURN
- 
- ENTRY(native_iret)
-@@ -824,15 +1262,15 @@ native_irq_return_ldt:
+@@ -822,15 +1261,15 @@ native_irq_return_ldt:
  	SWAPGS
  	movq PER_CPU_VAR(espfix_waddr),%rdi
  	movq %rax,(0*8)(%rdi)	/* RAX */
@@ -23960,7 +23906,7 @@ index 02c2eff..9c9ea72 100644
  	movq %rax,(4*8)(%rdi)
  	andl $0xffff0000,%eax
  	popq_cfi %rdi
-@@ -875,7 +1313,7 @@ retint_signal:
+@@ -873,7 +1312,7 @@ retint_signal:
  	jmp retint_with_reschedule
  
  	CFI_ENDPROC
@@ -23969,7 +23915,7 @@ index 02c2eff..9c9ea72 100644
  
  /*
   * APIC interrupts.
-@@ -889,7 +1327,7 @@ ENTRY(\sym)
+@@ -887,7 +1326,7 @@ ENTRY(\sym)
  	interrupt \do_sym
  	jmp ret_from_intr
  	CFI_ENDPROC
@@ -23978,7 +23924,7 @@ index 02c2eff..9c9ea72 100644
  .endm
  
  #ifdef CONFIG_TRACING
-@@ -962,7 +1400,7 @@ apicinterrupt IRQ_WORK_VECTOR \
+@@ -960,7 +1399,7 @@ apicinterrupt IRQ_WORK_VECTOR \
  /*
   * Exception entry points.
   */
@@ -23987,7 +23933,7 @@ index 02c2eff..9c9ea72 100644
  
  .macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1
  ENTRY(\sym)
-@@ -1018,6 +1456,12 @@ ENTRY(\sym)
+@@ -1016,6 +1455,12 @@ ENTRY(\sym)
  	.endif
  
  	.if \shift_ist != -1
@@ -24000,7 +23946,7 @@ index 02c2eff..9c9ea72 100644
  	subq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist)
  	.endif
  
-@@ -1065,7 +1509,7 @@ ENTRY(\sym)
+@@ -1063,7 +1508,7 @@ ENTRY(\sym)
  	.endif
  
  	CFI_ENDPROC
@@ -24009,7 +23955,7 @@ index 02c2eff..9c9ea72 100644
  .endm
  
  #ifdef CONFIG_TRACING
-@@ -1106,9 +1550,10 @@ gs_change:
+@@ -1104,9 +1549,10 @@ gs_change:
  2:	mfence		/* workaround */
  	SWAPGS
  	popfq_cfi
@@ -24021,7 +23967,7 @@ index 02c2eff..9c9ea72 100644
  
  	_ASM_EXTABLE(gs_change,bad_gs)
  	.section .fixup,"ax"
-@@ -1136,9 +1581,10 @@ ENTRY(do_softirq_own_stack)
+@@ -1134,9 +1580,10 @@ ENTRY(do_softirq_own_stack)
  	CFI_DEF_CFA_REGISTER	rsp
  	CFI_ADJUST_CFA_OFFSET   -8
  	decl PER_CPU_VAR(irq_count)
@@ -24033,7 +23979,7 @@ index 02c2eff..9c9ea72 100644
  
  #ifdef CONFIG_XEN
  idtentry xen_hypervisor_callback xen_do_hypervisor_callback has_error_code=0
-@@ -1179,7 +1625,7 @@ ENTRY(xen_do_hypervisor_callback)   # do_hypervisor_callback(struct *pt_regs)
+@@ -1177,7 +1624,7 @@ ENTRY(xen_do_hypervisor_callback)   # do_hypervisor_callback(struct *pt_regs)
  #endif
  	jmp  error_exit
  	CFI_ENDPROC
@@ -24042,7 +23988,7 @@ index 02c2eff..9c9ea72 100644
  
  /*
   * Hypervisor uses this for application faults while it executes.
-@@ -1240,7 +1686,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1238,7 +1685,7 @@ ENTRY(xen_failsafe_callback)
  	SAVE_EXTRA_REGS
  	jmp error_exit
  	CFI_ENDPROC
@@ -24051,7 +23997,7 @@ index 02c2eff..9c9ea72 100644
  
  apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
  	xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1286,9 +1732,39 @@ ENTRY(paranoid_entry)
+@@ -1284,9 +1731,39 @@ ENTRY(paranoid_entry)
  	js 1f	/* negative -> in kernel */
  	SWAPGS
  	xorl %ebx,%ebx
@@ -24093,7 +24039,7 @@ index 02c2eff..9c9ea72 100644
  
  /*
   * "Paranoid" exit path from exception stack.  This is invoked
-@@ -1305,20 +1781,27 @@ ENTRY(paranoid_exit)
+@@ -1303,20 +1780,27 @@ ENTRY(paranoid_exit)
  	DEFAULT_FRAME
  	DISABLE_INTERRUPTS(CLBR_NONE)
  	TRACE_IRQS_OFF_DEBUG
@@ -24123,7 +24069,7 @@ index 02c2eff..9c9ea72 100644
  
  /*
   * Save all registers in pt_regs, and switch gs if needed.
-@@ -1330,12 +1813,23 @@ ENTRY(error_entry)
+@@ -1328,12 +1812,23 @@ ENTRY(error_entry)
  	SAVE_C_REGS 8
  	SAVE_EXTRA_REGS 8
  	xorl %ebx,%ebx
@@ -24148,7 +24094,7 @@ index 02c2eff..9c9ea72 100644
  	ret
  
  	/*
-@@ -1370,7 +1864,7 @@ error_bad_iret:
+@@ -1368,7 +1863,7 @@ error_bad_iret:
  	decl %ebx	/* Return to usergs */
  	jmp error_sti
  	CFI_ENDPROC
@@ -24157,7 +24103,7 @@ index 02c2eff..9c9ea72 100644
  
  
  /* On entry, ebx is "no swapgs" flag (1: don't need swapgs, 0: need it) */
-@@ -1381,7 +1875,7 @@ ENTRY(error_exit)
+@@ -1379,7 +1874,7 @@ ENTRY(error_exit)
  	DISABLE_INTERRUPTS(CLBR_NONE)
  	TRACE_IRQS_OFF
  	GET_THREAD_INFO(%rcx)
@@ -24166,7 +24112,7 @@ index 02c2eff..9c9ea72 100644
  	jne retint_kernel
  	LOCKDEP_SYS_EXIT_IRQ
  	movl TI_flags(%rcx),%edx
-@@ -1390,7 +1884,7 @@ ENTRY(error_exit)
+@@ -1388,7 +1883,7 @@ ENTRY(error_exit)
  	jnz retint_careful
  	jmp retint_swapgs
  	CFI_ENDPROC
@@ -24175,74 +24121,10 @@ index 02c2eff..9c9ea72 100644
  
  /* Runs on exception stack */
  ENTRY(nmi)
-@@ -1413,11 +1907,12 @@ ENTRY(nmi)
- 	 *  If the variable is not set and the stack is not the NMI
- 	 *  stack then:
- 	 *    o Set the special variable on the stack
--	 *    o Copy the interrupt frame into a "saved" location on the stack
--	 *    o Copy the interrupt frame into a "copy" location on the stack
-+	 *    o Copy the interrupt frame into an "outermost" location on the
-+	 *      stack
-+	 *    o Copy the interrupt frame into an "iret" location on the stack
- 	 *    o Continue processing the NMI
- 	 *  If the variable is set or the previous stack is the NMI stack:
--	 *    o Modify the "copy" location to jump to the repeate_nmi
-+	 *    o Modify the "iret" location to jump to the repeat_nmi
- 	 *    o return back to the first NMI
- 	 *
- 	 * Now on exit of the first NMI, we first clear the stack variable
-@@ -1426,32 +1921,185 @@ ENTRY(nmi)
- 	 * a nested NMI that updated the copy interrupt stack frame, a
- 	 * jump will be made to the repeat_nmi code that will handle the second
- 	 * NMI.
-+	 *
-+	 * However, espfix prevents us from directly returning to userspace
-+	 * with a single IRET instruction.  Similarly, IRET to user mode
-+	 * can fault.  We therefore handle NMIs from user space like
-+	 * other IST entries.
- 	 */
+@@ -1473,6 +1968,12 @@ ENTRY(nmi)
+ 	pushq	%r14		/* pt_regs->r14 */
+ 	pushq	%r15		/* pt_regs->r15 */
  
- 	/* Use %rdx as our temp variable throughout */
- 	pushq_cfi %rdx
- 	CFI_REL_OFFSET rdx, 0
- 
-+	testb	$3, CS-RIP+8(%rsp)
-+	jz	.Lnmi_from_kernel
-+
-+	/*
-+	 * NMI from user mode.  We need to run on the thread stack, but we
-+	 * can't go through the normal entry paths: NMIs are masked, and
-+	 * we don't want to enable interrupts, because then we'll end
-+	 * up in an awkward situation in which IRQs are on but NMIs
-+	 * are off.
-+	 */
-+
-+	SWAPGS
-+	cld
-+	movq	%rsp, %rdx
-+	movq	PER_CPU_VAR(kernel_stack), %rsp
-+	pushq	5*8(%rdx)	/* pt_regs->ss */
-+	pushq	4*8(%rdx)	/* pt_regs->rsp */
-+	pushq	3*8(%rdx)	/* pt_regs->flags */
-+	pushq	2*8(%rdx)	/* pt_regs->cs */
-+	pushq	1*8(%rdx)	/* pt_regs->rip */
-+	pushq	$-1		/* pt_regs->orig_ax */
-+	pushq	%rdi		/* pt_regs->di */
-+	pushq	%rsi		/* pt_regs->si */
-+	pushq	(%rdx)		/* pt_regs->dx */
-+	pushq	%rcx		/* pt_regs->cx */
-+	pushq	%rax		/* pt_regs->ax */
-+	pushq	%r8		/* pt_regs->r8 */
-+	pushq	%r9		/* pt_regs->r9 */
-+	pushq	%r10		/* pt_regs->r10 */
-+	pushq	%r11		/* pt_regs->r11 */
-+	pushq	%rbx		/* pt_regs->rbx */
-+	pushq	%rbp		/* pt_regs->rbp */
-+	pushq	%r12		/* pt_regs->r12 */
-+	pushq	%r13		/* pt_regs->r13 */
-+	pushq	%r14		/* pt_regs->r14 */
-+	pushq	%r15		/* pt_regs->r15 */
-+
 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
 +	xorl %ebx,%ebx
 +#endif
@@ -24250,297 +24132,47 @@ index 02c2eff..9c9ea72 100644
 +	pax_enter_kernel_nmi
 +
  	/*
--	 * If %cs was not the kernel segment, then the NMI triggered in user
--	 * space, which means it is definitely not nested.
-+	 * At this point we no longer need to worry about stack damage
-+	 * due to nesting -- we're on the normal thread stack and we're
-+	 * done with the NMI stack.
- 	 */
--	cmpl $__KERNEL_CS, 16(%rsp)
--	jne first_nmi
-+
-+	movq	%rsp, %rdi
-+	movq	$-1, %rsi
-+	call	do_nmi
-+
+ 	 * At this point we no longer need to worry about stack damage
+ 	 * due to nesting -- we're on the normal thread stack and we're
+@@ -1482,12 +1983,19 @@ ENTRY(nmi)
+ 	movq	$-1, %rsi
+ 	call	do_nmi
+ 
 +	pax_exit_kernel_nmi
 +
-+	/*
-+	 * Return back to user mode.  We must *not* do the normal exit
-+	 * work, because we don't want to enable interrupts.  Fortunately,
-+	 * do_nmi doesn't modify pt_regs.
-+	 */
-+	SWAPGS
-+
-+	/*
-+	 * Open-code the entire return process for compatibility with varying
-+	 * register layouts across different kernel versions.
-+	 */
-+
-+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
-+	movq	RBX(%rsp), %rbx	/* pt_regs->rbx*/
-+#endif
-+
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
-+	movq	R12(%rsp), %r12	/* pt_regs->r12*/
-+#endif
-+
-+	addq	$6*8, %rsp	/* skip bx, bp, and r12-r15 */
-+	popq	%r11		/* pt_regs->r11 */
-+	popq	%r10		/* pt_regs->r10 */
-+	popq	%r9		/* pt_regs->r9 */
-+	popq	%r8		/* pt_regs->r8 */
-+	popq	%rax		/* pt_regs->ax */
-+	popq	%rcx		/* pt_regs->cx */
-+	popq	%rdx		/* pt_regs->dx */
-+	popq	%rsi		/* pt_regs->si */
-+	popq	%rdi		/* pt_regs->di */
-+	addq	$8, %rsp	/* skip orig_ax */
-+	INTERRUPT_RETURN
-+
-+.Lnmi_from_kernel:
-+	/*
-+	 * Here's what our stack frame will look like:
-+	 * +---------------------------------------------------------+
-+	 * | original SS                                             |
-+	 * | original Return RSP                                     |
-+	 * | original RFLAGS                                         |
-+	 * | original CS                                             |
-+	 * | original RIP                                            |
-+	 * +---------------------------------------------------------+
-+	 * | temp storage for rdx                                    |
-+	 * +---------------------------------------------------------+
-+	 * | "NMI executing" variable                                |
-+	 * +---------------------------------------------------------+
-+	 * | iret SS          } Copied from "outermost" frame        |
-+	 * | iret Return RSP  } on each loop iteration; overwritten  |
-+	 * | iret RFLAGS      } by a nested NMI to force another     |
-+	 * | iret CS          } iteration if needed.                 |
-+	 * | iret RIP         }                                      |
-+	 * +---------------------------------------------------------+
-+	 * | outermost SS          } initialized in first_nmi;       |
-+	 * | outermost Return RSP  } will not be changed before      |
-+	 * | outermost RFLAGS      } NMI processing is done.         |
-+	 * | outermost CS          } Copied to "iret" frame on each  |
-+	 * | outermost RIP         } iteration.                      |
-+	 * +---------------------------------------------------------+
-+	 * | pt_regs                                                 |
-+	 * +---------------------------------------------------------+
-+	 *
-+	 * The "original" frame is used by hardware.  Before re-enabling
-+	 * NMIs, we need to be done with it, and we need to leave enough
-+	 * space for the asm code here.
-+	 *
-+	 * We return by executing IRET while RSP points to the "iret" frame.
-+	 * That will either return for real or it will loop back into NMI
-+	 * processing.
-+	 *
-+	 * The "outermost" frame is copied to the "iret" frame on each
-+	 * iteration of the loop, so each iteration starts with the "iret"
-+	 * frame pointing to the final return target.
-+	 */
-+
-+	/*
-+	 * If we interrupted kernel code between repeat_nmi and
-+	 * end_repeat_nmi, then we are a nested NMI.  We must not
-+	 * modify the "iret" frame because it's being written by
-+	 * the outer NMI.  That's okay: the outer NMI handler is
-+	 * about to about to call do_nmi anyway, so we can just
-+	 * resume the outer NMI.
-+	 */
-+
-+	movq	$repeat_nmi, %rdx
-+	cmpq	8(%rsp), %rdx
-+	ja	1f
-+	movq	$end_repeat_nmi, %rdx
-+	cmpq	8(%rsp), %rdx
-+	ja	nested_nmi_out
-+1:
- 
  	/*
--	 * Check the special variable on the stack to see if NMIs are
--	 * executing.
-+	 * Now check "NMI executing".  If it's set, then we're nested.
-+	 *
-+	 * First check "NMI executing".  If it's set, then we're nested.
-+	 * This will not detect if we interrupted an outer NMI just
-+	 * before IRET.
+ 	 * Return back to user mode.  We must *not* do the normal exit
+ 	 * work, because we don't want to enable interrupts.  Fortunately,
+ 	 * do_nmi doesn't modify pt_regs.
  	 */
- 	cmpl $1, -8(%rsp)
- 	je nested_nmi
- 
- 	/*
--	 * Now test if the previous stack was an NMI stack.
--	 * We need the double check. We check the NMI stack to satisfy the
--	 * race when the first NMI clears the variable before returning.
--	 * We check the variable because the first NMI could be in a
--	 * breakpoint routine using a breakpoint stack.
-+	 * Now test if the previous stack was an NMI stack.  This covers
-+	 * the case where we interrupt an outer NMI after it clears
-+	 * "NMI executing" but before IRET.  We need to be careful, though:
-+	 * there is one case in which RSP could point to the NMI stack
-+	 * despite there being no NMI active: naughty userspace controls
-+	 * RSP at the very beginning of the SYSCALL targets.  We can
-+	 * pull a fast one on naughty userspace, though: we program
-+	 * SYSCALL to mask DF, so userspace cannot cause DF to be set
-+	 * if it controls the kernel's RSP.  We set DF before we clear
-+	 * "NMI executing".
- 	 */
- 	lea	6*8(%rsp), %rdx
- 	/* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
-@@ -1462,27 +2110,22 @@ ENTRY(nmi)
- 	cmpq	%rdx, 4*8(%rsp)
- 	/* If it is below the NMI stack, it is a normal NMI */
- 	jb	first_nmi
--	/* Ah, it is within the NMI stack, treat it as nested */
+ 	SWAPGS
 +
-+	/* Ah, it is within the NMI stack. */
++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
++	movq_cfi_restore RBX, rbx
++#endif
 +
-+	testb	$(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
-+	jz	first_nmi	/* RSP was user controlled. */
- 
- 	CFI_REMEMBER_STATE
+ 	jmp	restore_c_regs_and_iret
  
-+	/* This is a nested NMI. */
-+
- nested_nmi:
- 	/*
--	 * Do nothing if we interrupted the fixup in repeat_nmi.
--	 * It's about to repeat the NMI handler, so we are fine
--	 * with ignoring this one.
-+	 * Modify the "iret" frame to point to repeat_nmi, forcing another
-+	 * iteration of NMI handling.
+ .Lnmi_from_kernel:
+@@ -1595,8 +2103,7 @@ nested_nmi:
+ 	 * Modify the "iret" frame to point to repeat_nmi, forcing another
+ 	 * iteration of NMI handling.
  	 */
--	movq $repeat_nmi, %rdx
--	cmpq 8(%rsp), %rdx
--	ja 1f
--	movq $end_repeat_nmi, %rdx
--	cmpq 8(%rsp), %rdx
--	ja nested_nmi_out
--
--1:
--	/* Set up the interrupted NMIs stack to jump to repeat_nmi */
 -	leaq -1*8(%rsp), %rdx
 -	movq %rdx, %rsp
 +	subq $8, %rsp
  	CFI_ADJUST_CFA_OFFSET 1*8
  	leaq -10*8(%rsp), %rdx
  	pushq_cfi $__KERNEL_DS
-@@ -1499,60 +2142,24 @@ nested_nmi_out:
- 	popq_cfi %rdx
+@@ -1614,6 +2121,7 @@ nested_nmi_out:
  	CFI_RESTORE rdx
  
--	/* No need to check faults here */
-+	/* We are returning to kernel mode, so this cannot result in a fault. */
+ 	/* We are returning to kernel mode, so this cannot result in a fault. */
 +#	pax_force_retaddr_bts
  	INTERRUPT_RETURN
  
  	CFI_RESTORE_STATE
- first_nmi:
--	/*
--	 * Because nested NMIs will use the pushed location that we
--	 * stored in rdx, we must keep that space available.
--	 * Here's what our stack frame will look like:
--	 * +-------------------------+
--	 * | original SS             |
--	 * | original Return RSP     |
--	 * | original RFLAGS         |
--	 * | original CS             |
--	 * | original RIP            |
--	 * +-------------------------+
--	 * | temp storage for rdx    |
--	 * +-------------------------+
--	 * | NMI executing variable  |
--	 * +-------------------------+
--	 * | copied SS               |
--	 * | copied Return RSP       |
--	 * | copied RFLAGS           |
--	 * | copied CS               |
--	 * | copied RIP              |
--	 * +-------------------------+
--	 * | Saved SS                |
--	 * | Saved Return RSP        |
--	 * | Saved RFLAGS            |
--	 * | Saved CS                |
--	 * | Saved RIP               |
--	 * +-------------------------+
--	 * | pt_regs                 |
--	 * +-------------------------+
--	 *
--	 * The saved stack frame is used to fix up the copied stack frame
--	 * that a nested NMI may change to make the interrupted NMI iret jump
--	 * to the repeat_nmi. The original stack frame and the temp storage
--	 * is also used by nested NMIs and can not be trusted on exit.
--	 */
--	/* Do not pop rdx, nested NMIs will corrupt that part of the stack */
-+	/* Restore rdx. */
- 	movq (%rsp), %rdx
- 	CFI_RESTORE rdx
- 
- 	/* Set the NMI executing variable on the stack. */
- 	pushq_cfi $1
- 
--	/*
--	 * Leave room for the "copied" frame
--	 */
-+	/* Leave room for the "iret" frame */
- 	subq $(5*8), %rsp
- 	CFI_ADJUST_CFA_OFFSET 5*8
- 
--	/* Copy the stack frame to the Saved frame */
-+	/* Copy the "original" frame to the "outermost" frame */
- 	.rept 5
- 	pushq_cfi 11*8(%rsp)
- 	.endr
-@@ -1560,6 +2167,7 @@ first_nmi:
- 
- 	/* Everything up to here is safe from nested NMIs */
- 
-+repeat_nmi:
- 	/*
- 	 * If there was a nested NMI, the first NMI's iret will return
- 	 * here. But NMIs are still enabled and we can take another
-@@ -1568,16 +2176,21 @@ first_nmi:
- 	 * it will just return, as we are about to repeat an NMI anyway.
- 	 * This makes it safe to copy to the stack frame that a nested
- 	 * NMI will update.
--	 */
--repeat_nmi:
--	/*
--	 * Update the stack variable to say we are still in NMI (the update
--	 * is benign for the non-repeat case, where 1 was pushed just above
--	 * to this very stack slot).
-+	 *
-+	 * RSP is pointing to "outermost RIP".  gsbase is unknown, but, if
-+	 * we're repeating an NMI, gsbase has the same value that it had on
-+	 * the first iteration.  paranoid_entry will load the kernel
-+	 * gsbase if needed before we call do_nmi.
-+	 *
-+	 * Set "NMI executing" in case we came back here via IRET.
- 	 */
- 	movq $1, 10*8(%rsp)
- 
--	/* Make another copy, this one may be modified by nested NMIs */
-+	/*
-+	 * Copy the "outermost" frame to the "iret" frame.  NMIs that nest
-+	 * here must not modify the "iret" frame while we're writing to
-+	 * it or it will end up containing garbage.
-+	 */
- 	addq $(10*8), %rsp
- 	CFI_ADJUST_CFA_OFFSET -10*8
- 	.rept 5
-@@ -1588,66 +2201,66 @@ repeat_nmi:
- end_repeat_nmi:
- 
- 	/*
--	 * Everything below this point can be preempted by a nested
--	 * NMI if the first NMI took an exception and reset our iret stack
--	 * so that we repeat another NMI.
-+	 * Everything below this point can be preempted by a nested NMI.
-+	 * If this happens, then the inner NMI will change the "iret"
-+	 * frame to point back to repeat_nmi.
- 	 */
- 	pushq_cfi $-1		/* ORIG_RAX: no syscall to restart */
+@@ -1679,13 +2187,13 @@ end_repeat_nmi:
  	ALLOC_PT_GPREGS_ON_STACK
  
  	/*
@@ -24555,29 +24187,11 @@ index 02c2eff..9c9ea72 100644
 +	call paranoid_entry_nmi
  	DEFAULT_FRAME 0
  
--	/*
--	 * Save off the CR2 register. If we take a page fault in the NMI then
--	 * it could corrupt the CR2 value. If the NMI preempts a page fault
--	 * handler before it was able to read the CR2 register, and then the
--	 * NMI itself takes a page fault, the page fault that was preempted
--	 * will read the information from the NMI page fault and not the
--	 * origin fault. Save it off and restore it if it changes.
--	 * Use the r12 callee-saved register.
--	 */
--	movq %cr2, %r12
--
  	/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
- 	movq %rsp,%rdi
+@@ -1693,7 +2201,9 @@ end_repeat_nmi:
  	movq $-1,%rsi
  	call do_nmi
  
--	/* Did the NMI take a page fault? Restore cr2 if it did */
--	movq %cr2, %rcx
--	cmpq %rcx, %r12
--	je 1f
--	movq %r12, %cr2
--1:
--	
 -	testl %ebx,%ebx				/* swapgs needed? */
 +	pax_exit_kernel_nmi
 +
@@ -24585,35 +24199,18 @@ index 02c2eff..9c9ea72 100644
  	jnz nmi_restore
  nmi_swapgs:
  	SWAPGS_UNSAFE_STACK
- nmi_restore:
- 	RESTORE_EXTRA_REGS
- 	RESTORE_C_REGS
--	/* Pop the extra iret frame at once */
-+
+@@ -1704,6 +2214,8 @@ nmi_restore:
+ 	/* Point RSP at the "iret" frame. */
  	REMOVE_PT_GPREGS_FROM_STACK 6*8
  
--	/* Clear the NMI executing stack variable */
--	movq $0, 5*8(%rsp)
--	jmp irq_return
 +	pax_force_retaddr_bts
 +
-+	/*
-+	 * Clear "NMI executing".  Set DF first so that we can easily
-+	 * distinguish the remaining code between here and IRET from
-+	 * the SYSCALL entry and exit paths.  On a native kernel, we
-+	 * could just inspect RIP, but, on paravirt kernels,
-+	 * INTERRUPT_RETURN can translate into a jump into a
-+	 * hypercall page.
-+	 */
-+	std
-+	movq	$0, 5*8(%rsp)		/* clear "NMI executing" */
-+
-+	/*
-+	 * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
-+	 * stack in a single instruction.  We are returning to kernel
-+	 * mode, so this cannot result in a fault.
-+	 */
-+	INTERRUPT_RETURN
+ 	/*
+ 	 * Clear "NMI executing".  Set DF first so that we can easily
+ 	 * distinguish the remaining code between here and IRET from
+@@ -1722,12 +2234,12 @@ nmi_restore:
+ 	 */
+ 	INTERRUPT_RETURN
  	CFI_ENDPROC
 -END(nmi)
 +ENDPROC(nmi)
@@ -25826,10 +25423,19 @@ index 394e643..824fce8 100644
  		panic("low stack detected by irq handler - check messages\n");
  #endif
 diff --git a/arch/x86/kernel/jump_label.c b/arch/x86/kernel/jump_label.c
-index 26d5a55..a01160a 100644
+index 26d5a55..bf8b49b 100644
 --- a/arch/x86/kernel/jump_label.c
 +++ b/arch/x86/kernel/jump_label.c
-@@ -51,7 +51,7 @@ static void __jump_label_transform(struct jump_entry *entry,
+@@ -31,6 +31,8 @@ static void bug_at(unsigned char *ip, int line)
+ 	 * Something went wrong. Crash the box, as something could be
+ 	 * corrupting the kernel.
+ 	 */
++	ip = ktla_ktva(ip);
++	pr_warning("Unexpected op at %pS [%p] %s:%d\n", ip, ip, __FILE__, line);
+ 	pr_warning("Unexpected op at %pS [%p] (%02x %02x %02x %02x %02x) %s:%d\n",
+ 	       ip, ip, ip[0], ip[1], ip[2], ip[3], ip[4], __FILE__, line);
+ 	BUG();
+@@ -51,7 +53,7 @@ static void __jump_label_transform(struct jump_entry *entry,
  			 * Jump label is enabled for the first time.
  			 * So we expect a default_nop...
  			 */
@@ -25838,7 +25444,7 @@ index 26d5a55..a01160a 100644
  				     != 0))
  				bug_at((void *)entry->code, __LINE__);
  		} else {
-@@ -59,7 +59,7 @@ static void __jump_label_transform(struct jump_entry *entry,
+@@ -59,7 +61,7 @@ static void __jump_label_transform(struct jump_entry *entry,
  			 * ...otherwise expect an ideal_nop. Otherwise
  			 * something went horribly wrong.
  			 */
@@ -25847,7 +25453,7 @@ index 26d5a55..a01160a 100644
  				     != 0))
  				bug_at((void *)entry->code, __LINE__);
  		}
-@@ -75,13 +75,13 @@ static void __jump_label_transform(struct jump_entry *entry,
+@@ -75,13 +77,13 @@ static void __jump_label_transform(struct jump_entry *entry,
  		 * are converting the default nop to the ideal nop.
  		 */
  		if (init) {
@@ -26583,7 +26189,7 @@ index 113e707..0a690e1 100644
  };
  
 diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
-index c3e985d..f690edd 100644
+index d05bd2e..f690edd 100644
 --- a/arch/x86/kernel/nmi.c
 +++ b/arch/x86/kernel/nmi.c
 @@ -98,16 +98,16 @@ fs_initcall(nmi_warning_debugfs);
@@ -26661,116 +26267,9 @@ index c3e985d..f690edd 100644
  			break;
  		}
  	}
-@@ -408,15 +409,15 @@ static void default_do_nmi(struct pt_regs *regs)
- NOKPROBE_SYMBOL(default_do_nmi);
- 
- /*
-- * NMIs can hit breakpoints which will cause it to lose its
-- * NMI context with the CPU when the breakpoint does an iret.
-- */
--#ifdef CONFIG_X86_32
--/*
-- * For i386, NMIs use the same stack as the kernel, and we can
-- * add a workaround to the iret problem in C (preventing nested
-- * NMIs if an NMI takes a trap). Simply have 3 states the NMI
-- * can be in:
-+ * NMIs can page fault or hit breakpoints which will cause it to lose
-+ * its NMI context with the CPU when the breakpoint or page fault does an IRET.
-+ *
-+ * As a result, NMIs can nest if NMIs get unmasked due an IRET during
-+ * NMI processing.  On x86_64, the asm glue protects us from nested NMIs
-+ * if the outer NMI came from kernel mode, but we can still nest if the
-+ * outer NMI came from user mode.
-+ *
-+ * To handle these nested NMIs, we have three states:
-  *
-  *  1) not running
-  *  2) executing
-@@ -430,15 +431,14 @@ NOKPROBE_SYMBOL(default_do_nmi);
-  * (Note, the latch is binary, thus multiple NMIs triggering,
-  *  when one is running, are ignored. Only one NMI is restarted.)
-  *
-- * If an NMI hits a breakpoint that executes an iret, another
-- * NMI can preempt it. We do not want to allow this new NMI
-- * to run, but we want to execute it when the first one finishes.
-- * We set the state to "latched", and the exit of the first NMI will
-- * perform a dec_return, if the result is zero (NOT_RUNNING), then
-- * it will simply exit the NMI handler. If not, the dec_return
-- * would have set the state to NMI_EXECUTING (what we want it to
-- * be when we are running). In this case, we simply jump back
-- * to rerun the NMI handler again, and restart the 'latched' NMI.
-+ * If an NMI executes an iret, another NMI can preempt it. We do not
-+ * want to allow this new NMI to run, but we want to execute it when the
-+ * first one finishes.  We set the state to "latched", and the exit of
-+ * the first NMI will perform a dec_return, if the result is zero
-+ * (NOT_RUNNING), then it will simply exit the NMI handler. If not, the
-+ * dec_return would have set the state to NMI_EXECUTING (what we want it
-+ * to be when we are running). In this case, we simply jump back to
-+ * rerun the NMI handler again, and restart the 'latched' NMI.
-  *
-  * No trap (breakpoint or page fault) should be hit before nmi_restart,
-  * thus there is no race between the first check of state for NOT_RUNNING
-@@ -461,49 +461,47 @@ enum nmi_states {
- static DEFINE_PER_CPU(enum nmi_states, nmi_state);
- static DEFINE_PER_CPU(unsigned long, nmi_cr2);
- 
--#define nmi_nesting_preprocess(regs)					\
--	do {								\
--		if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {	\
--			this_cpu_write(nmi_state, NMI_LATCHED);		\
--			return;						\
--		}							\
--		this_cpu_write(nmi_state, NMI_EXECUTING);		\
--		this_cpu_write(nmi_cr2, read_cr2());			\
--	} while (0);							\
--	nmi_restart:
--
--#define nmi_nesting_postprocess()					\
--	do {								\
--		if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))	\
--			write_cr2(this_cpu_read(nmi_cr2));		\
--		if (this_cpu_dec_return(nmi_state))			\
--			goto nmi_restart;				\
--	} while (0)
--#else /* x86_64 */
-+#ifdef CONFIG_X86_64
- /*
-- * In x86_64 things are a bit more difficult. This has the same problem
-- * where an NMI hitting a breakpoint that calls iret will remove the
-- * NMI context, allowing a nested NMI to enter. What makes this more
-- * difficult is that both NMIs and breakpoints have their own stack.
-- * When a new NMI or breakpoint is executed, the stack is set to a fixed
-- * point. If an NMI is nested, it will have its stack set at that same
-- * fixed address that the first NMI had, and will start corrupting the
-- * stack. This is handled in entry_64.S, but the same problem exists with
-- * the breakpoint stack.
-+ * In x86_64, we need to handle breakpoint -> NMI -> breakpoint.  Without
-+ * some care, the inner breakpoint will clobber the outer breakpoint's
-+ * stack.
-  *
-- * If a breakpoint is being processed, and the debug stack is being used,
-- * if an NMI comes in and also hits a breakpoint, the stack pointer
-- * will be set to the same fixed address as the breakpoint that was
-- * interrupted, causing that stack to be corrupted. To handle this case,
-- * check if the stack that was interrupted is the debug stack, and if
-- * so, change the IDT so that new breakpoints will use the current stack
-- * and not switch to the fixed address. On return of the NMI, switch back
-- * to the original IDT.
-+ * If a breakpoint is being processed, and the debug stack is being
-+ * used, if an NMI comes in and also hits a breakpoint, the stack
-+ * pointer will be set to the same fixed address as the breakpoint that
-+ * was interrupted, causing that stack to be corrupted. To handle this
-+ * case, check if the stack that was interrupted is the debug stack, and
-+ * if so, change the IDT so that new breakpoints will use the current
-+ * stack and not switch to the fixed address. On return of the NMI,
-+ * switch back to the original IDT.
-  */
- static DEFINE_PER_CPU(int, update_debug_stack);
-+#endif
- 
--static inline void nmi_nesting_preprocess(struct pt_regs *regs)
-+dotraplinkage notrace void
-+do_nmi(struct pt_regs *regs, long error_code)
+@@ -481,6 +482,17 @@ static DEFINE_PER_CPU(int, update_debug_stack);
+ dotraplinkage notrace void
+ do_nmi(struct pt_regs *regs, long error_code)
  {
 +
 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
@@ -26783,61 +26282,9 @@ index c3e985d..f690edd 100644
 +	}
 +#endif
 +
-+	if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {
-+		this_cpu_write(nmi_state, NMI_LATCHED);
-+		return;
-+	}
-+	this_cpu_write(nmi_state, NMI_EXECUTING);
-+	this_cpu_write(nmi_cr2, read_cr2());
-+nmi_restart:
-+
-+#ifdef CONFIG_X86_64
- 	/*
- 	 * If we interrupted a breakpoint, it is possible that
- 	 * the nmi handler will have breakpoints too. We need to
-@@ -514,22 +512,8 @@ static inline void nmi_nesting_preprocess(struct pt_regs *regs)
- 		debug_stack_set_zero();
- 		this_cpu_write(update_debug_stack, 1);
- 	}
--}
--
--static inline void nmi_nesting_postprocess(void)
--{
--	if (unlikely(this_cpu_read(update_debug_stack))) {
--		debug_stack_reset();
--		this_cpu_write(update_debug_stack, 0);
--	}
--}
- #endif
- 
--dotraplinkage notrace void
--do_nmi(struct pt_regs *regs, long error_code)
--{
--	nmi_nesting_preprocess(regs);
--
- 	nmi_enter();
- 
- 	inc_irq_stat(__nmi_count);
-@@ -539,8 +523,17 @@ do_nmi(struct pt_regs *regs, long error_code)
- 
- 	nmi_exit();
- 
--	/* On i386, may loop back to preprocess */
--	nmi_nesting_postprocess();
-+#ifdef CONFIG_X86_64
-+	if (unlikely(this_cpu_read(update_debug_stack))) {
-+		debug_stack_reset();
-+		this_cpu_write(update_debug_stack, 0);
-+	}
-+#endif
-+
-+	if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))
-+		write_cr2(this_cpu_read(nmi_cr2));
-+	if (this_cpu_dec_return(nmi_state))
-+		goto nmi_restart;
- }
- NOKPROBE_SYMBOL(do_nmi);
- 
+ 	if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {
+ 		this_cpu_write(nmi_state, NMI_LATCHED);
+ 		return;
 diff --git a/arch/x86/kernel/nmi_selftest.c b/arch/x86/kernel/nmi_selftest.c
 index 6d9582e..f746287 100644
 --- a/arch/x86/kernel/nmi_selftest.c
@@ -27698,7 +27145,7 @@ index 98111b3..73ca125 100644
  identity_mapped:
  	/* set return address to 0 if not preserving context */
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index d74ac33..d9efe04 100644
+index d74ac33..6d14941 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -111,6 +111,7 @@
@@ -27743,20 +27190,18 @@ index d74ac33..d9efe04 100644
  	u64 size = __pa_symbol(_end) - start;
  
  	/*
-@@ -860,8 +863,12 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p)
+@@ -860,8 +863,8 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p)
  
  void __init setup_arch(char **cmdline_p)
  {
-+#ifdef CONFIG_X86_32
-+	memblock_reserve(LOAD_PHYSICAL_ADDR, __pa_symbol(__bss_stop) - LOAD_PHYSICAL_ADDR);
-+#else
- 	memblock_reserve(__pa_symbol(_text),
- 			 (unsigned long)__bss_stop - (unsigned long)_text);
-+#endif
+-	memblock_reserve(__pa_symbol(_text),
+-			 (unsigned long)__bss_stop - (unsigned long)_text);
++	memblock_reserve(__pa_symbol(ktla_ktva((unsigned long)_text)),
++			 (unsigned long)__bss_stop - ktla_ktva((unsigned long)_text));
  
  	early_reserve_initrd();
  
-@@ -959,16 +966,16 @@ void __init setup_arch(char **cmdline_p)
+@@ -959,16 +962,16 @@ void __init setup_arch(char **cmdline_p)
  
  	if (!boot_params.hdr.root_flags)
  		root_mountflags &= ~MS_RDONLY;
@@ -29278,19 +28723,6 @@ index 67d07e0..10769d5 100644
  
  #define APIC_LVT_NUM			6
  /* 14 is the version for Xeon and Pentium 8.4.8*/
-diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
-index 9d28383..c4ea87e 100644
---- a/arch/x86/kvm/lapic.h
-+++ b/arch/x86/kvm/lapic.h
-@@ -150,7 +150,7 @@ static inline bool kvm_apic_vid_enabled(struct kvm *kvm)
- 
- static inline bool kvm_apic_has_events(struct kvm_vcpu *vcpu)
- {
--	return vcpu->arch.apic->pending_events;
-+	return kvm_vcpu_has_lapic(vcpu) && vcpu->arch.apic->pending_events;
- }
- 
- bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector);
 diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
 index 6e6d115..43fecbf 100644
 --- a/arch/x86/kvm/paging_tmpl.h
@@ -36264,7 +35696,7 @@ index e88fda8..76ce7ce 100644
  	  This is the Linux Xen port.  Enabling this will allow the
  	  kernel to boot in a paravirtualized environment under the
 diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 46957ea..a9dc1d9 100644
+index a671e83..a9dc1d9 100644
 --- a/arch/x86/xen/enlighten.c
 +++ b/arch/x86/xen/enlighten.c
 @@ -125,8 +125,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -36276,75 +35708,7 @@ index 46957ea..a9dc1d9 100644
  RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
  __read_mostly int xen_have_vector_callback;
  EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -483,6 +481,7 @@ static void set_aliased_prot(void *v, pgprot_t prot)
- 	pte_t pte;
- 	unsigned long pfn;
- 	struct page *page;
-+	unsigned char dummy;
- 
- 	ptep = lookup_address((unsigned long)v, &level);
- 	BUG_ON(ptep == NULL);
-@@ -492,6 +491,32 @@ static void set_aliased_prot(void *v, pgprot_t prot)
- 
- 	pte = pfn_pte(pfn, prot);
- 
-+	/*
-+	 * Careful: update_va_mapping() will fail if the virtual address
-+	 * we're poking isn't populated in the page tables.  We don't
-+	 * need to worry about the direct map (that's always in the page
-+	 * tables), but we need to be careful about vmap space.  In
-+	 * particular, the top level page table can lazily propagate
-+	 * entries between processes, so if we've switched mms since we
-+	 * vmapped the target in the first place, we might not have the
-+	 * top-level page table entry populated.
-+	 *
-+	 * We disable preemption because we want the same mm active when
-+	 * we probe the target and when we issue the hypercall.  We'll
-+	 * have the same nominal mm, but if we're a kernel thread, lazy
-+	 * mm dropping could change our pgd.
-+	 *
-+	 * Out of an abundance of caution, this uses __get_user() to fault
-+	 * in the target address just in case there's some obscure case
-+	 * in which the target address isn't readable.
-+	 */
-+
-+	preempt_disable();
-+
-+	pagefault_disable();	/* Avoid warnings due to being atomic. */
-+	__get_user(dummy, (unsigned char __user __force *)v);
-+	pagefault_enable();
-+
- 	if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0))
- 		BUG();
- 
-@@ -503,6 +528,8 @@ static void set_aliased_prot(void *v, pgprot_t prot)
- 				BUG();
- 	} else
- 		kmap_flush_unused();
-+
-+	preempt_enable();
- }
- 
- static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
-@@ -510,6 +537,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
- 	const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE;
- 	int i;
- 
-+	/*
-+	 * We need to mark the all aliases of the LDT pages RO.  We
-+	 * don't need to call vm_flush_aliases(), though, since that's
-+	 * only responsible for flushing aliases out the TLBs, not the
-+	 * page tables, and Xen will flush the TLB for us if needed.
-+	 *
-+	 * To avoid confusing future readers: none of this is necessary
-+	 * to load the LDT.  The hypervisor only checks this when the
-+	 * LDT is faulted in due to subsequent descriptor access.
-+	 */
-+
- 	for(i = 0; i < entries; i += entries_per_page)
- 		set_aliased_prot(ldt + i, PAGE_KERNEL_RO);
- }
-@@ -544,8 +582,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
+@@ -584,8 +582,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
  {
  	unsigned long va = dtr->address;
  	unsigned int size = dtr->size + 1;
@@ -36354,7 +35718,7 @@ index 46957ea..a9dc1d9 100644
  	int f;
  
  	/*
-@@ -593,8 +630,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -633,8 +630,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
  {
  	unsigned long va = dtr->address;
  	unsigned int size = dtr->size + 1;
@@ -36364,7 +35728,7 @@ index 46957ea..a9dc1d9 100644
  	int f;
  
  	/*
-@@ -602,7 +638,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -642,7 +638,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
  	 * 8-byte entries, or 16 4k pages..
  	 */
  
@@ -36373,7 +35737,7 @@ index 46957ea..a9dc1d9 100644
  	BUG_ON(va & ~PAGE_MASK);
  
  	for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
-@@ -1223,30 +1259,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1263,30 +1259,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
  #endif
  };
  
@@ -36411,7 +35775,7 @@ index 46957ea..a9dc1d9 100644
  {
  	if (pm_power_off)
  		pm_power_off();
-@@ -1399,8 +1435,11 @@ static void __ref xen_setup_gdt(int cpu)
+@@ -1439,8 +1435,11 @@ static void __ref xen_setup_gdt(int cpu)
  	pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot;
  	pv_cpu_ops.load_gdt = xen_load_gdt_boot;
  
@@ -36425,7 +35789,7 @@ index 46957ea..a9dc1d9 100644
  
  	pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
  	pv_cpu_ops.load_gdt = xen_load_gdt;
-@@ -1515,7 +1554,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
+@@ -1555,7 +1554,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
  	__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
  
  	/* Work out if we support NX */
@@ -36444,7 +35808,7 @@ index 46957ea..a9dc1d9 100644
  
  	/* Get mfn list */
  	xen_build_dynamic_phys_to_machine();
-@@ -1543,13 +1592,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
+@@ -1583,13 +1592,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
  
  	machine_ops = xen_machine_ops;
  
@@ -39135,7 +38499,7 @@ index 09e628da..7607aaa 100644
  	if (ti.nwa_v) {
  		pd->nwa = be32_to_cpu(ti.next_writable);
 diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
-index 53f2535..b8a9ce0 100644
+index 010ce0b..7c0049e 100644
 --- a/drivers/block/rbd.c
 +++ b/drivers/block/rbd.c
 @@ -64,7 +64,7 @@
@@ -39377,7 +38741,7 @@ index 5c0baa9..44011b1 100644
  {
  	struct hpet_timer __iomem *timer;
 diff --git a/drivers/char/i8k.c b/drivers/char/i8k.c
-index a43048b..14724d5 100644
+index 3c1a123..a33c99f 100644
 --- a/drivers/char/i8k.c
 +++ b/drivers/char/i8k.c
 @@ -790,7 +790,7 @@ static const struct i8k_config_data i8k_config_data[] = {
@@ -45963,7 +45327,7 @@ index 79f6941..b33b4e0 100644
  	pmd->bl_info.value_type.inc = data_block_inc;
  	pmd->bl_info.value_type.dec = data_block_dec;
 diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index e8d8456..d04a41a 100644
+index 697f34f..8301900 100644
 --- a/drivers/md/dm.c
 +++ b/drivers/md/dm.c
 @@ -191,9 +191,9 @@ struct mapped_device {
@@ -45978,7 +45342,7 @@ index e8d8456..d04a41a 100644
  	struct list_head uevent_list;
  	spinlock_t uevent_lock; /* Protect access to uevent_list */
  
-@@ -2294,8 +2294,8 @@ static struct mapped_device *alloc_dev(int minor)
+@@ -2287,8 +2287,8 @@ static struct mapped_device *alloc_dev(int minor)
  	spin_lock_init(&md->deferred_lock);
  	atomic_set(&md->holders, 1);
  	atomic_set(&md->open_count, 0);
@@ -45989,7 +45353,7 @@ index e8d8456..d04a41a 100644
  	INIT_LIST_HEAD(&md->uevent_list);
  	INIT_LIST_HEAD(&md->table_devices);
  	spin_lock_init(&md->uevent_lock);
-@@ -2462,7 +2462,7 @@ static void event_callback(void *context)
+@@ -2455,7 +2455,7 @@ static void event_callback(void *context)
  
  	dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
  
@@ -45998,7 +45362,7 @@ index e8d8456..d04a41a 100644
  	wake_up(&md->eventq);
  }
  
-@@ -3461,18 +3461,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+@@ -3454,18 +3454,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
  
  uint32_t dm_next_uevent_seq(struct mapped_device *md)
  {
@@ -46021,7 +45385,7 @@ index e8d8456..d04a41a 100644
  
  void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
 diff --git a/drivers/md/md.c b/drivers/md/md.c
-index b920028..8ac9655 100644
+index e462151..8ac9655 100644
 --- a/drivers/md/md.c
 +++ b/drivers/md/md.c
 @@ -197,10 +197,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
@@ -46093,14 +45457,7 @@ index b920028..8ac9655 100644
  
  	INIT_LIST_HEAD(&rdev->same_set);
  	init_waitqueue_head(&rdev->blocked_wait);
-@@ -5740,22 +5740,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
- 	char *ptr;
- 	int err;
- 
--	file = kmalloc(sizeof(*file), GFP_NOIO);
-+	file = kzalloc(sizeof(*file), GFP_NOIO);
- 	if (!file)
- 		return -ENOMEM;
+@@ -5746,16 +5746,16 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
  
  	err = 0;
  	spin_lock(&mddev->lock);
@@ -46227,10 +45584,10 @@ index 3e6d115..ffecdeb 100644
  /*----------------------------------------------------------------*/
  
 diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index cd7b0c1..377cd70 100644
+index 5ce3cd5c..f147017 100644
 --- a/drivers/md/raid1.c
 +++ b/drivers/md/raid1.c
-@@ -1934,7 +1934,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
+@@ -1936,7 +1936,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
  			if (r1_sync_page_io(rdev, sect, s,
  					    bio->bi_io_vec[idx].bv_page,
  					    READ) != 0)
@@ -46239,7 +45596,7 @@ index cd7b0c1..377cd70 100644
  		}
  		sectors -= s;
  		sect += s;
-@@ -2167,7 +2167,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
+@@ -2169,7 +2169,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
  			    !test_bit(Faulty, &rdev->flags)) {
  				if (r1_sync_page_io(rdev, sect, s,
  						    conf->tmppage, READ)) {
@@ -53694,7 +53051,7 @@ index 9d7b7db..33ecc51 100644
  		return blk_trace_startstop(sdp->device->request_queue, 1);
  	case BLKTRACESTOP:
 diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
-index 8bd54a6..dd037a5 100644
+index 8bd54a6..58fa0d6 100644
 --- a/drivers/scsi/sr.c
 +++ b/drivers/scsi/sr.c
 @@ -80,7 +80,7 @@ static DEFINE_MUTEX(sr_mutex);
@@ -53706,7 +53063,7 @@ index 8bd54a6..dd037a5 100644
  static int sr_runtime_suspend(struct device *dev);
  
  static struct dev_pm_ops sr_pm_ops = {
-@@ -312,11 +312,11 @@ do_tur:
+@@ -312,13 +312,13 @@ do_tur:
   * It will be notified on the end of a SCSI read / write, and will take one
   * of several actions based on success or failure.
   */
@@ -53716,11 +53073,31 @@ index 8bd54a6..dd037a5 100644
  	int result = SCpnt->result;
 -	int this_count = scsi_bufflen(SCpnt);
 -	int good_bytes = (result == 0 ? this_count : 0);
+-	int block_sectors = 0;
+-	long error_sector;
 +	unsigned int this_count = scsi_bufflen(SCpnt);
 +	unsigned int good_bytes = (result == 0 ? this_count : 0);
- 	int block_sectors = 0;
- 	long error_sector;
++	unsigned int block_sectors = 0;
++	sector_t error_sector;
  	struct scsi_cd *cd = scsi_cd(SCpnt->request->rq_disk);
+ 
+ #ifdef DEBUG
+@@ -351,9 +351,12 @@ static int sr_done(struct scsi_cmnd *SCpnt)
+ 			if (cd->device->sector_size == 2048)
+ 				error_sector <<= 2;
+ 			error_sector &= ~(block_sectors - 1);
+-			good_bytes = (error_sector -
+-				      blk_rq_pos(SCpnt->request)) << 9;
+-			if (good_bytes < 0 || good_bytes >= this_count)
++			if (error_sector >= blk_rq_pos(SCpnt->request)) {
++				good_bytes = (error_sector -
++					      blk_rq_pos(SCpnt->request)) << 9;
++				if (good_bytes >= this_count)
++					good_bytes = 0;
++			} else
+ 				good_bytes = 0;
+ 			/*
+ 			 * The SCSI specification allows for the value
 diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c
 index c0d660f..24a5854 100644
 --- a/drivers/soc/tegra/fuse/fuse-tegra.c
@@ -79416,7 +78793,7 @@ index 864e200..357c255 100644
  static struct nfsd4_operation nfsd4_ops[];
  
 diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
-index 158badf..f7132ea 100644
+index d4d8445..36ae1a1 100644
 --- a/fs/nfsd/nfs4xdr.c
 +++ b/fs/nfsd/nfs4xdr.c
 @@ -1703,7 +1703,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p)
@@ -103349,10 +102726,10 @@ index 68d4e95..1477ded 100644
  	mq_table.data = get_mq(table);
  
 diff --git a/ipc/mqueue.c b/ipc/mqueue.c
-index 3aaea7f..e8a13d6 100644
+index c3fc5c2..1f32fe2 100644
 --- a/ipc/mqueue.c
 +++ b/ipc/mqueue.c
-@@ -278,6 +278,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb,
+@@ -275,6 +275,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb,
  		mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
  					  info->attr.mq_msgsize);
  
@@ -108344,7 +107721,7 @@ index e0e1299..e1e896b 100644
  static inline void put_prev_task(struct rq *rq, struct task_struct *prev)
  {
 diff --git a/kernel/signal.c b/kernel/signal.c
-index d51c5dd..065c4c8 100644
+index 0206be7..6445784 100644
 --- a/kernel/signal.c
 +++ b/kernel/signal.c
 @@ -53,12 +53,12 @@ static struct kmem_cache *sigqueue_cachep;
@@ -108453,7 +107830,7 @@ index d51c5dd..065c4c8 100644
  
  	return ret;
  }
-@@ -2915,7 +2938,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+@@ -2918,7 +2941,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
  	int error = -ESRCH;
  
  	rcu_read_lock();
@@ -108470,7 +107847,7 @@ index d51c5dd..065c4c8 100644
  	if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
  		error = check_kill_permission(sig, info, p);
  		/*
-@@ -3244,8 +3275,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
+@@ -3247,8 +3278,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
  	}
  	seg = get_fs();
  	set_fs(KERNEL_DS);
@@ -117008,21 +116385,6 @@ index 8e385a0..a5bdd8e 100644
  
  	tty_port_close(&dev->port, tty, filp);
  }
-diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
-index 1ab3dc9..7b815bc 100644
---- a/net/bluetooth/smp.c
-+++ b/net/bluetooth/smp.c
-@@ -2295,6 +2295,10 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
- 		return 1;
- 
- 	chan = conn->smp;
-+	if (!chan) {
-+		BT_ERR("SMP security requested but not available");
-+		return 1;
-+	}
- 
- 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
- 		return 1;
 diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
 index e29ad70b..cc00066 100644
 --- a/net/bridge/br_mdb.c
@@ -126206,7 +125568,7 @@ index 464385a..46ab3f6 100644
  	struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
  };
 diff --git a/sound/firewire/amdtp.c b/sound/firewire/amdtp.c
-index e061355..baed278 100644
+index bf20593..dec8a14 100644
 --- a/sound/firewire/amdtp.c
 +++ b/sound/firewire/amdtp.c
 @@ -573,7 +573,7 @@ static void update_pcm_pointers(struct amdtp_stream *s,
@@ -126218,7 +125580,7 @@ index e061355..baed278 100644
  
  	s->pcm_period_pointer += frames;
  	if (s->pcm_period_pointer >= pcm->runtime->period_size) {
-@@ -1013,7 +1013,7 @@ EXPORT_SYMBOL(amdtp_stream_pcm_pointer);
+@@ -1014,7 +1014,7 @@ EXPORT_SYMBOL(amdtp_stream_pcm_pointer);
   */
  void amdtp_stream_update(struct amdtp_stream *s)
  {
@@ -126228,10 +125590,10 @@ index e061355..baed278 100644
  }
  EXPORT_SYMBOL(amdtp_stream_update);
 diff --git a/sound/firewire/amdtp.h b/sound/firewire/amdtp.h
-index 8a03a91..aaacc0c 100644
+index 25c9055..e861b6a 100644
 --- a/sound/firewire/amdtp.h
 +++ b/sound/firewire/amdtp.h
-@@ -231,7 +231,7 @@ static inline bool amdtp_stream_pcm_running(struct amdtp_stream *s)
+@@ -233,7 +233,7 @@ static inline bool amdtp_stream_pcm_running(struct amdtp_stream *s)
  static inline void amdtp_stream_pcm_trigger(struct amdtp_stream *s,
  					    struct snd_pcm_substream *pcm)
  {
@@ -126240,7 +125602,7 @@ index 8a03a91..aaacc0c 100644
  }
  
  /**
-@@ -249,7 +249,7 @@ static inline void amdtp_stream_midi_trigger(struct amdtp_stream *s,
+@@ -251,7 +251,7 @@ static inline void amdtp_stream_midi_trigger(struct amdtp_stream *s,
  					     struct snd_rawmidi_substream *midi)
  {
  	if (port < s->midi_ports)
diff --git a/4.1.5/4425_grsec_remove_EI_PAX.patch b/4.1.6/4425_grsec_remove_EI_PAX.patch
index a80a5d7..a80a5d7 100644
--- a/4.1.5/4425_grsec_remove_EI_PAX.patch
+++ b/4.1.6/4425_grsec_remove_EI_PAX.patch
diff --git a/4.1.5/4427_force_XATTR_PAX_tmpfs.patch b/4.1.6/4427_force_XATTR_PAX_tmpfs.patch
index a789f0b..a789f0b 100644
--- a/4.1.5/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.1.6/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.1.5/4430_grsec-remove-localversion-grsec.patch b/4.1.6/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.1.5/4430_grsec-remove-localversion-grsec.patch
+++ b/4.1.6/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.1.5/4435_grsec-mute-warnings.patch b/4.1.6/4435_grsec-mute-warnings.patch
index b7564e4..b7564e4 100644
--- a/4.1.5/4435_grsec-mute-warnings.patch
+++ b/4.1.6/4435_grsec-mute-warnings.patch
diff --git a/4.1.5/4440_grsec-remove-protected-paths.patch b/4.1.6/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.1.5/4440_grsec-remove-protected-paths.patch
+++ b/4.1.6/4440_grsec-remove-protected-paths.patch
diff --git a/4.1.5/4450_grsec-kconfig-default-gids.patch b/4.1.6/4450_grsec-kconfig-default-gids.patch
index 61d903e..61d903e 100644
--- a/4.1.5/4450_grsec-kconfig-default-gids.patch
+++ b/4.1.6/4450_grsec-kconfig-default-gids.patch
diff --git a/4.1.5/4465_selinux-avc_audit-log-curr_ip.patch b/4.1.6/4465_selinux-avc_audit-log-curr_ip.patch
index ba89596..ba89596 100644
--- a/4.1.5/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.1.6/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.1.5/4470_disable-compat_vdso.patch b/4.1.6/4470_disable-compat_vdso.patch
index 7aefa02..7aefa02 100644
--- a/4.1.5/4470_disable-compat_vdso.patch
+++ b/4.1.6/4470_disable-compat_vdso.patch
diff --git a/4.1.5/4475_emutramp_default_on.patch b/4.1.6/4475_emutramp_default_on.patch
index a128205..a128205 100644
--- a/4.1.5/4475_emutramp_default_on.patch
+++ b/4.1.6/4475_emutramp_default_on.patch