diff options
Diffstat (limited to '3.2.71/1053_linux-3.2.54.patch')
| -rw-r--r-- | 3.2.71/1053_linux-3.2.54.patch | 6825 |
1 files changed, 0 insertions, 6825 deletions
diff --git a/3.2.71/1053_linux-3.2.54.patch b/3.2.71/1053_linux-3.2.54.patch deleted file mode 100644 index a907496..0000000 --- a/3.2.71/1053_linux-3.2.54.patch +++ /dev/null @@ -1,6825 +0,0 @@ -diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt -index 1f24636..2a68089 100644 ---- a/Documentation/sysctl/kernel.txt -+++ b/Documentation/sysctl/kernel.txt -@@ -283,13 +283,24 @@ Default value is "/sbin/hotplug". - kptr_restrict: - - This toggle indicates whether restrictions are placed on --exposing kernel addresses via /proc and other interfaces. When --kptr_restrict is set to (0), there are no restrictions. When --kptr_restrict is set to (1), the default, kernel pointers --printed using the %pK format specifier will be replaced with 0's --unless the user has CAP_SYSLOG. When kptr_restrict is set to --(2), kernel pointers printed using %pK will be replaced with 0's --regardless of privileges. -+exposing kernel addresses via /proc and other interfaces. -+ -+When kptr_restrict is set to (0), the default, there are no restrictions. -+ -+When kptr_restrict is set to (1), kernel pointers printed using the %pK -+format specifier will be replaced with 0's unless the user has CAP_SYSLOG -+and effective user and group ids are equal to the real ids. This is -+because %pK checks are done at read() time rather than open() time, so -+if permissions are elevated between the open() and the read() (e.g via -+a setuid binary) then %pK will not leak kernel pointers to unprivileged -+users. Note, this is a temporary solution only. The correct long-term -+solution is to do the permission checks at open() time. Consider removing -+world read permissions from files that use %pK, and using dmesg_restrict -+to protect against uses of %pK in dmesg(8) if leaking kernel pointer -+values to unprivileged users is a concern. -+ -+When kptr_restrict is set to (2), kernel pointers printed using -+%pK will be replaced with 0's regardless of privileges. - - ============================================================== - -diff --git a/Makefile b/Makefile -index 90f57dc..848be26 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 2 --SUBLEVEL = 53 -+SUBLEVEL = 54 - EXTRAVERSION = - NAME = Saber-toothed Squirrel - -diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h -index 7bb8bf9..b7c5d5d 100644 ---- a/arch/arm/include/asm/assembler.h -+++ b/arch/arm/include/asm/assembler.h -@@ -307,4 +307,12 @@ - .size \name , . - \name - .endm - -+ .macro check_uaccess, addr:req, size:req, limit:req, tmp:req, bad:req -+#ifndef CONFIG_CPU_USE_DOMAINS -+ adds \tmp, \addr, #\size - 1 -+ sbcccs \tmp, \tmp, \limit -+ bcs \bad -+#endif -+ .endm -+ - #endif /* __ASM_ASSEMBLER_H__ */ -diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h -index b293616..292c3f8 100644 ---- a/arch/arm/include/asm/uaccess.h -+++ b/arch/arm/include/asm/uaccess.h -@@ -101,28 +101,39 @@ extern int __get_user_1(void *); - extern int __get_user_2(void *); - extern int __get_user_4(void *); - --#define __get_user_x(__r2,__p,__e,__s,__i...) \ -+#define __GUP_CLOBBER_1 "lr", "cc" -+#ifdef CONFIG_CPU_USE_DOMAINS -+#define __GUP_CLOBBER_2 "ip", "lr", "cc" -+#else -+#define __GUP_CLOBBER_2 "lr", "cc" -+#endif -+#define __GUP_CLOBBER_4 "lr", "cc" -+ -+#define __get_user_x(__r2,__p,__e,__l,__s) \ - __asm__ __volatile__ ( \ - __asmeq("%0", "r0") __asmeq("%1", "r2") \ -+ __asmeq("%3", "r1") \ - "bl __get_user_" #__s \ - : "=&r" (__e), "=r" (__r2) \ -- : "0" (__p) \ -- : __i, "cc") -+ : "0" (__p), "r" (__l) \ -+ : __GUP_CLOBBER_##__s) - - #define get_user(x,p) \ - ({ \ -+ unsigned long __limit = current_thread_info()->addr_limit - 1; \ - register const typeof(*(p)) __user *__p asm("r0") = (p);\ - register unsigned long __r2 asm("r2"); \ -+ register unsigned long __l asm("r1") = __limit; \ - register int __e asm("r0"); \ - switch (sizeof(*(__p))) { \ - case 1: \ -- __get_user_x(__r2, __p, __e, 1, "lr"); \ -- break; \ -+ __get_user_x(__r2, __p, __e, __l, 1); \ -+ break; \ - case 2: \ -- __get_user_x(__r2, __p, __e, 2, "r3", "lr"); \ -+ __get_user_x(__r2, __p, __e, __l, 2); \ - break; \ - case 4: \ -- __get_user_x(__r2, __p, __e, 4, "lr"); \ -+ __get_user_x(__r2, __p, __e, __l, 4); \ - break; \ - default: __e = __get_user_bad(); break; \ - } \ -@@ -135,31 +146,34 @@ extern int __put_user_2(void *, unsigned int); - extern int __put_user_4(void *, unsigned int); - extern int __put_user_8(void *, unsigned long long); - --#define __put_user_x(__r2,__p,__e,__s) \ -+#define __put_user_x(__r2,__p,__e,__l,__s) \ - __asm__ __volatile__ ( \ - __asmeq("%0", "r0") __asmeq("%2", "r2") \ -+ __asmeq("%3", "r1") \ - "bl __put_user_" #__s \ - : "=&r" (__e) \ -- : "0" (__p), "r" (__r2) \ -+ : "0" (__p), "r" (__r2), "r" (__l) \ - : "ip", "lr", "cc") - - #define put_user(x,p) \ - ({ \ -+ unsigned long __limit = current_thread_info()->addr_limit - 1; \ - register const typeof(*(p)) __r2 asm("r2") = (x); \ - register const typeof(*(p)) __user *__p asm("r0") = (p);\ -+ register unsigned long __l asm("r1") = __limit; \ - register int __e asm("r0"); \ - switch (sizeof(*(__p))) { \ - case 1: \ -- __put_user_x(__r2, __p, __e, 1); \ -+ __put_user_x(__r2, __p, __e, __l, 1); \ - break; \ - case 2: \ -- __put_user_x(__r2, __p, __e, 2); \ -+ __put_user_x(__r2, __p, __e, __l, 2); \ - break; \ - case 4: \ -- __put_user_x(__r2, __p, __e, 4); \ -+ __put_user_x(__r2, __p, __e, __l, 4); \ - break; \ - case 8: \ -- __put_user_x(__r2, __p, __e, 8); \ -+ __put_user_x(__r2, __p, __e, __l, 8); \ - break; \ - default: __e = __put_user_bad(); break; \ - } \ -diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c -index e68d251..d9e3c61 100644 ---- a/arch/arm/kernel/process.c -+++ b/arch/arm/kernel/process.c -@@ -468,6 +468,7 @@ EXPORT_SYMBOL(kernel_thread); - unsigned long get_wchan(struct task_struct *p) - { - struct stackframe frame; -+ unsigned long stack_page; - int count = 0; - if (!p || p == current || p->state == TASK_RUNNING) - return 0; -@@ -476,9 +477,11 @@ unsigned long get_wchan(struct task_struct *p) - frame.sp = thread_saved_sp(p); - frame.lr = 0; /* recovered from the stack */ - frame.pc = thread_saved_pc(p); -+ stack_page = (unsigned long)task_stack_page(p); - do { -- int ret = unwind_frame(&frame); -- if (ret < 0) -+ if (frame.sp < stack_page || -+ frame.sp >= stack_page + THREAD_SIZE || -+ unwind_frame(&frame) < 0) - return 0; - if (!in_sched_functions(frame.pc)) - return frame.pc; -diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c -index 00f79e5..af4e8c8 100644 ---- a/arch/arm/kernel/stacktrace.c -+++ b/arch/arm/kernel/stacktrace.c -@@ -31,7 +31,7 @@ int notrace unwind_frame(struct stackframe *frame) - high = ALIGN(low, THREAD_SIZE); - - /* check current frame pointer is within bounds */ -- if (fp < (low + 12) || fp + 4 >= high) -+ if (fp < low + 12 || fp > high - 4) - return -EINVAL; - - /* restore the registers from the stack frame */ -diff --git a/arch/arm/lib/getuser.S b/arch/arm/lib/getuser.S -index 1b049cd..4306fbf 100644 ---- a/arch/arm/lib/getuser.S -+++ b/arch/arm/lib/getuser.S -@@ -16,8 +16,9 @@ - * __get_user_X - * - * Inputs: r0 contains the address -+ * r1 contains the address limit, which must be preserved - * Outputs: r0 is the error code -- * r2, r3 contains the zero-extended value -+ * r2 contains the zero-extended value - * lr corrupted - * - * No other registers must be altered. (see <asm/uaccess.h> -@@ -27,33 +28,39 @@ - * Note also that it is intended that __get_user_bad is not global. - */ - #include <linux/linkage.h> -+#include <asm/assembler.h> - #include <asm/errno.h> - #include <asm/domain.h> - - ENTRY(__get_user_1) -+ check_uaccess r0, 1, r1, r2, __get_user_bad - 1: T(ldrb) r2, [r0] - mov r0, #0 - mov pc, lr - ENDPROC(__get_user_1) - - ENTRY(__get_user_2) --#ifdef CONFIG_THUMB2_KERNEL --2: T(ldrb) r2, [r0] --3: T(ldrb) r3, [r0, #1] -+ check_uaccess r0, 2, r1, r2, __get_user_bad -+#ifdef CONFIG_CPU_USE_DOMAINS -+rb .req ip -+2: ldrbt r2, [r0], #1 -+3: ldrbt rb, [r0], #0 - #else --2: T(ldrb) r2, [r0], #1 --3: T(ldrb) r3, [r0] -+rb .req r0 -+2: ldrb r2, [r0] -+3: ldrb rb, [r0, #1] - #endif - #ifndef __ARMEB__ -- orr r2, r2, r3, lsl #8 -+ orr r2, r2, rb, lsl #8 - #else -- orr r2, r3, r2, lsl #8 -+ orr r2, rb, r2, lsl #8 - #endif - mov r0, #0 - mov pc, lr - ENDPROC(__get_user_2) - - ENTRY(__get_user_4) -+ check_uaccess r0, 4, r1, r2, __get_user_bad - 4: T(ldr) r2, [r0] - mov r0, #0 - mov pc, lr -diff --git a/arch/arm/lib/putuser.S b/arch/arm/lib/putuser.S -index c023fc1..9a897fa 100644 ---- a/arch/arm/lib/putuser.S -+++ b/arch/arm/lib/putuser.S -@@ -16,6 +16,7 @@ - * __put_user_X - * - * Inputs: r0 contains the address -+ * r1 contains the address limit, which must be preserved - * r2, r3 contains the value - * Outputs: r0 is the error code - * lr corrupted -@@ -27,16 +28,19 @@ - * Note also that it is intended that __put_user_bad is not global. - */ - #include <linux/linkage.h> -+#include <asm/assembler.h> - #include <asm/errno.h> - #include <asm/domain.h> - - ENTRY(__put_user_1) -+ check_uaccess r0, 1, r1, ip, __put_user_bad - 1: T(strb) r2, [r0] - mov r0, #0 - mov pc, lr - ENDPROC(__put_user_1) - - ENTRY(__put_user_2) -+ check_uaccess r0, 2, r1, ip, __put_user_bad - mov ip, r2, lsr #8 - #ifdef CONFIG_THUMB2_KERNEL - #ifndef __ARMEB__ -@@ -60,12 +64,14 @@ ENTRY(__put_user_2) - ENDPROC(__put_user_2) - - ENTRY(__put_user_4) -+ check_uaccess r0, 4, r1, ip, __put_user_bad - 4: T(str) r2, [r0] - mov r0, #0 - mov pc, lr - ENDPROC(__put_user_4) - - ENTRY(__put_user_8) -+ check_uaccess r0, 8, r1, ip, __put_user_bad - #ifdef CONFIG_THUMB2_KERNEL - 5: T(str) r2, [r0] - 6: T(str) r3, [r0, #4] -diff --git a/arch/arm/mach-footbridge/common.c b/arch/arm/mach-footbridge/common.c -index 38a44f9..5b91e45 100644 ---- a/arch/arm/mach-footbridge/common.c -+++ b/arch/arm/mach-footbridge/common.c -@@ -15,6 +15,7 @@ - #include <linux/init.h> - #include <linux/io.h> - #include <linux/spinlock.h> -+#include <video/vga.h> - - #include <asm/pgtable.h> - #include <asm/page.h> -@@ -197,6 +198,8 @@ void __init footbridge_map_io(void) - */ - if (footbridge_cfn_mode()) - iotable_init(ebsa285_host_io_desc, ARRAY_SIZE(ebsa285_host_io_desc)); -+ -+ vga_base = PCIMEM_BASE; - } - - #ifdef CONFIG_FOOTBRIDGE_ADDIN -diff --git a/arch/arm/mach-footbridge/dc21285.c b/arch/arm/mach-footbridge/dc21285.c -index 18c32a5..a8dfa00 100644 ---- a/arch/arm/mach-footbridge/dc21285.c -+++ b/arch/arm/mach-footbridge/dc21285.c -@@ -18,7 +18,6 @@ - #include <linux/irq.h> - #include <linux/io.h> - #include <linux/spinlock.h> --#include <video/vga.h> - - #include <asm/irq.h> - #include <asm/system.h> -@@ -297,7 +296,6 @@ void __init dc21285_preinit(void) - int cfn_mode; - - pcibios_min_mem = 0x81000000; -- vga_base = PCIMEM_BASE; - - mem_size = (unsigned int)high_memory - PAGE_OFFSET; - for (mem_mask = 0x00100000; mem_mask < 0x10000000; mem_mask <<= 1) -diff --git a/arch/arm/mach-integrator/integrator_cp.c b/arch/arm/mach-integrator/integrator_cp.c -index 5de49c3..892d0d6 100644 ---- a/arch/arm/mach-integrator/integrator_cp.c -+++ b/arch/arm/mach-integrator/integrator_cp.c -@@ -384,7 +384,8 @@ static struct amba_device aaci_device = { - static void cp_clcd_enable(struct clcd_fb *fb) - { - struct fb_var_screeninfo *var = &fb->fb.var; -- u32 val = CM_CTRL_STATIC1 | CM_CTRL_STATIC2; -+ u32 val = CM_CTRL_STATIC1 | CM_CTRL_STATIC2 -+ | CM_CTRL_LCDEN0 | CM_CTRL_LCDEN1; - - if (var->bits_per_pixel <= 8 || - (var->bits_per_pixel == 16 && var->green.length == 5)) -diff --git a/arch/arm/mach-pxa/reset.c b/arch/arm/mach-pxa/reset.c -index 01e9d64..0e25348 100644 ---- a/arch/arm/mach-pxa/reset.c -+++ b/arch/arm/mach-pxa/reset.c -@@ -12,6 +12,7 @@ - - #include <mach/regs-ost.h> - #include <mach/reset.h> -+#include <mach/smemc.h> - - unsigned int reset_status; - EXPORT_SYMBOL(reset_status); -@@ -79,6 +80,12 @@ static void do_hw_reset(void) - OWER = OWER_WME; - OSSR = OSSR_M3; - OSMR3 = OSCR + 368640; /* ... in 100 ms */ -+ /* -+ * SDRAM hangs on watchdog reset on Marvell PXA270 (erratum 71) -+ * we put SDRAM into self-refresh to prevent that -+ */ -+ while (1) -+ writel_relaxed(MDREFR_SLFRSH, MDREFR); - } - - void arch_reset(char mode, const char *cmd) -@@ -99,4 +106,3 @@ void arch_reset(char mode, const char *cmd) - break; - } - } -- -diff --git a/arch/arm/mach-pxa/tosa.c b/arch/arm/mach-pxa/tosa.c -index 402b0c96..33dd57c 100644 ---- a/arch/arm/mach-pxa/tosa.c -+++ b/arch/arm/mach-pxa/tosa.c -@@ -424,57 +424,57 @@ static struct platform_device tosa_power_device = { - * Tosa Keyboard - */ - static const uint32_t tosakbd_keymap[] = { -- KEY(0, 2, KEY_W), -- KEY(0, 6, KEY_K), -- KEY(0, 7, KEY_BACKSPACE), -- KEY(0, 8, KEY_P), -- KEY(1, 1, KEY_Q), -- KEY(1, 2, KEY_E), -- KEY(1, 3, KEY_T), -- KEY(1, 4, KEY_Y), -- KEY(1, 6, KEY_O), -- KEY(1, 7, KEY_I), -- KEY(1, 8, KEY_COMMA), -- KEY(2, 1, KEY_A), -- KEY(2, 2, KEY_D), -- KEY(2, 3, KEY_G), -- KEY(2, 4, KEY_U), -- KEY(2, 6, KEY_L), -- KEY(2, 7, KEY_ENTER), -- KEY(2, 8, KEY_DOT), -- KEY(3, 1, KEY_Z), -- KEY(3, 2, KEY_C), -- KEY(3, 3, KEY_V), -- KEY(3, 4, KEY_J), -- KEY(3, 5, TOSA_KEY_ADDRESSBOOK), -- KEY(3, 6, TOSA_KEY_CANCEL), -- KEY(3, 7, TOSA_KEY_CENTER), -- KEY(3, 8, TOSA_KEY_OK), -- KEY(3, 9, KEY_LEFTSHIFT), -- KEY(4, 1, KEY_S), -- KEY(4, 2, KEY_R), -- KEY(4, 3, KEY_B), -- KEY(4, 4, KEY_N), -- KEY(4, 5, TOSA_KEY_CALENDAR), -- KEY(4, 6, TOSA_KEY_HOMEPAGE), -- KEY(4, 7, KEY_LEFTCTRL), -- KEY(4, 8, TOSA_KEY_LIGHT), -- KEY(4, 10, KEY_RIGHTSHIFT), -- KEY(5, 1, KEY_TAB), -- KEY(5, 2, KEY_SLASH), -- KEY(5, 3, KEY_H), -- KEY(5, 4, KEY_M), -- KEY(5, 5, TOSA_KEY_MENU), -- KEY(5, 7, KEY_UP), -- KEY(5, 11, TOSA_KEY_FN), -- KEY(6, 1, KEY_X), -- KEY(6, 2, KEY_F), -- KEY(6, 3, KEY_SPACE), -- KEY(6, 4, KEY_APOSTROPHE), -- KEY(6, 5, TOSA_KEY_MAIL), -- KEY(6, 6, KEY_LEFT), -- KEY(6, 7, KEY_DOWN), -- KEY(6, 8, KEY_RIGHT), -+ KEY(0, 1, KEY_W), -+ KEY(0, 5, KEY_K), -+ KEY(0, 6, KEY_BACKSPACE), -+ KEY(0, 7, KEY_P), -+ KEY(1, 0, KEY_Q), -+ KEY(1, 1, KEY_E), -+ KEY(1, 2, KEY_T), -+ KEY(1, 3, KEY_Y), -+ KEY(1, 5, KEY_O), -+ KEY(1, 6, KEY_I), -+ KEY(1, 7, KEY_COMMA), -+ KEY(2, 0, KEY_A), -+ KEY(2, 1, KEY_D), -+ KEY(2, 2, KEY_G), -+ KEY(2, 3, KEY_U), -+ KEY(2, 5, KEY_L), -+ KEY(2, 6, KEY_ENTER), -+ KEY(2, 7, KEY_DOT), -+ KEY(3, 0, KEY_Z), -+ KEY(3, 1, KEY_C), -+ KEY(3, 2, KEY_V), -+ KEY(3, 3, KEY_J), -+ KEY(3, 4, TOSA_KEY_ADDRESSBOOK), -+ KEY(3, 5, TOSA_KEY_CANCEL), -+ KEY(3, 6, TOSA_KEY_CENTER), -+ KEY(3, 7, TOSA_KEY_OK), -+ KEY(3, 8, KEY_LEFTSHIFT), -+ KEY(4, 0, KEY_S), -+ KEY(4, 1, KEY_R), -+ KEY(4, 2, KEY_B), -+ KEY(4, 3, KEY_N), -+ KEY(4, 4, TOSA_KEY_CALENDAR), -+ KEY(4, 5, TOSA_KEY_HOMEPAGE), -+ KEY(4, 6, KEY_LEFTCTRL), -+ KEY(4, 7, TOSA_KEY_LIGHT), -+ KEY(4, 9, KEY_RIGHTSHIFT), -+ KEY(5, 0, KEY_TAB), -+ KEY(5, 1, KEY_SLASH), -+ KEY(5, 2, KEY_H), -+ KEY(5, 3, KEY_M), -+ KEY(5, 4, TOSA_KEY_MENU), -+ KEY(5, 6, KEY_UP), -+ KEY(5, 10, TOSA_KEY_FN), -+ KEY(6, 0, KEY_X), -+ KEY(6, 1, KEY_F), -+ KEY(6, 2, KEY_SPACE), -+ KEY(6, 3, KEY_APOSTROPHE), -+ KEY(6, 4, TOSA_KEY_MAIL), -+ KEY(6, 5, KEY_LEFT), -+ KEY(6, 6, KEY_DOWN), -+ KEY(6, 7, KEY_RIGHT), - }; - - static struct matrix_keymap_data tosakbd_keymap_data = { -diff --git a/arch/arm/mach-sa1100/assabet.c b/arch/arm/mach-sa1100/assabet.c -index 3dd133f..ef8d9d8 100644 ---- a/arch/arm/mach-sa1100/assabet.c -+++ b/arch/arm/mach-sa1100/assabet.c -@@ -411,6 +411,9 @@ static void __init assabet_map_io(void) - * Its called GPCLKR0 in my SA1110 manual. - */ - Ser1SDCR0 |= SDCR0_SUS; -+ MSC1 = (MSC1 & ~0xffff) | -+ MSC_NonBrst | MSC_32BitStMem | -+ MSC_RdAcc(2) | MSC_WrAcc(2) | MSC_Rec(0); - - if (machine_has_neponset()) { - #ifdef CONFIG_ASSABET_NEPONSET -diff --git a/arch/avr32/boot/u-boot/head.S b/arch/avr32/boot/u-boot/head.S -index 4488fa2..2ffc298 100644 ---- a/arch/avr32/boot/u-boot/head.S -+++ b/arch/avr32/boot/u-boot/head.S -@@ -8,6 +8,8 @@ - * published by the Free Software Foundation. - */ - #include <asm/setup.h> -+#include <asm/thread_info.h> -+#include <asm/sysreg.h> - - /* - * The kernel is loaded where we want it to be and all caches -@@ -20,11 +22,6 @@ - .section .init.text,"ax" - .global _start - _start: -- /* Check if the boot loader actually provided a tag table */ -- lddpc r0, magic_number -- cp.w r12, r0 -- brne no_tag_table -- - /* Initialize .bss */ - lddpc r2, bss_start_addr - lddpc r3, end_addr -@@ -34,6 +31,25 @@ _start: - cp r2, r3 - brlo 1b - -+ /* Initialize status register */ -+ lddpc r0, init_sr -+ mtsr SYSREG_SR, r0 -+ -+ /* Set initial stack pointer */ -+ lddpc sp, stack_addr -+ sub sp, -THREAD_SIZE -+ -+#ifdef CONFIG_FRAME_POINTER -+ /* Mark last stack frame */ -+ mov lr, 0 -+ mov r7, 0 -+#endif -+ -+ /* Check if the boot loader actually provided a tag table */ -+ lddpc r0, magic_number -+ cp.w r12, r0 -+ brne no_tag_table -+ - /* - * Save the tag table address for later use. This must be done - * _after_ .bss has been initialized... -@@ -53,8 +69,15 @@ bss_start_addr: - .long __bss_start - end_addr: - .long _end -+init_sr: -+ .long 0x007f0000 /* Supervisor mode, everything masked */ -+stack_addr: -+ .long init_thread_union -+panic_addr: -+ .long panic - - no_tag_table: - sub r12, pc, (. - 2f) -- bral panic -+ /* branch to panic() which can be far away with that construct */ -+ lddpc pc, panic_addr - 2: .asciz "Boot loader didn't provide correct magic number\n" -diff --git a/arch/avr32/kernel/entry-avr32b.S b/arch/avr32/kernel/entry-avr32b.S -index 169268c..a91e898 100644 ---- a/arch/avr32/kernel/entry-avr32b.S -+++ b/arch/avr32/kernel/entry-avr32b.S -@@ -399,9 +399,10 @@ handle_critical: - /* We should never get here... */ - bad_return: - sub r12, pc, (. - 1f) -- bral panic -+ lddpc pc, 2f - .align 2 - 1: .asciz "Return from critical exception!" -+2: .long panic - - .align 1 - do_bus_error_write: -diff --git a/arch/avr32/kernel/head.S b/arch/avr32/kernel/head.S -index 6163bd0..59eae6d 100644 ---- a/arch/avr32/kernel/head.S -+++ b/arch/avr32/kernel/head.S -@@ -10,33 +10,13 @@ - #include <linux/linkage.h> - - #include <asm/page.h> --#include <asm/thread_info.h> --#include <asm/sysreg.h> - - .section .init.text,"ax" - .global kernel_entry - kernel_entry: -- /* Initialize status register */ -- lddpc r0, init_sr -- mtsr SYSREG_SR, r0 -- -- /* Set initial stack pointer */ -- lddpc sp, stack_addr -- sub sp, -THREAD_SIZE -- --#ifdef CONFIG_FRAME_POINTER -- /* Mark last stack frame */ -- mov lr, 0 -- mov r7, 0 --#endif -- - /* Start the show */ - lddpc pc, kernel_start_addr - - .align 2 --init_sr: -- .long 0x007f0000 /* Supervisor mode, everything masked */ --stack_addr: -- .long init_thread_union - kernel_start_addr: - .long start_kernel -diff --git a/arch/cris/include/asm/io.h b/arch/cris/include/asm/io.h -index ac12ae2..db9a16c 100644 ---- a/arch/cris/include/asm/io.h -+++ b/arch/cris/include/asm/io.h -@@ -3,6 +3,7 @@ - - #include <asm/page.h> /* for __va, __pa */ - #include <arch/io.h> -+#include <asm-generic/iomap.h> - #include <linux/kernel.h> - - struct cris_io_operations -diff --git a/arch/ia64/include/asm/processor.h b/arch/ia64/include/asm/processor.h -index d9f397f..fba7696 100644 ---- a/arch/ia64/include/asm/processor.h -+++ b/arch/ia64/include/asm/processor.h -@@ -320,7 +320,7 @@ struct thread_struct { - regs->loadrs = 0; \ - regs->r8 = get_dumpable(current->mm); /* set "don't zap registers" flag */ \ - regs->r12 = new_sp - 16; /* allocate 16 byte scratch area */ \ -- if (unlikely(!get_dumpable(current->mm))) { \ -+ if (unlikely(get_dumpable(current->mm) != SUID_DUMP_USER)) { \ - /* \ - * Zap scratch regs to avoid leaking bits between processes with different \ - * uid/privileges. \ -diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c -index 836a5a1..fa1e56b 100644 ---- a/arch/powerpc/kernel/signal_32.c -+++ b/arch/powerpc/kernel/signal_32.c -@@ -445,6 +445,12 @@ static int save_user_regs(struct pt_regs *regs, struct mcontext __user *frame, - #endif /* CONFIG_ALTIVEC */ - if (copy_fpr_to_user(&frame->mc_fregs, current)) - return 1; -+ -+ /* -+ * Clear the MSR VSX bit to indicate there is no valid state attached -+ * to this context, except in the specific case below where we set it. -+ */ -+ msr &= ~MSR_VSX; - #ifdef CONFIG_VSX - /* - * Copy VSR 0-31 upper half from thread_struct to local -diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c -index a50b5ec..60d1f75 100644 ---- a/arch/powerpc/kernel/signal_64.c -+++ b/arch/powerpc/kernel/signal_64.c -@@ -116,6 +116,12 @@ static long setup_sigcontext(struct sigcontext __user *sc, struct pt_regs *regs, - flush_fp_to_thread(current); - /* copy fpr regs and fpscr */ - err |= copy_fpr_to_user(&sc->fp_regs, current); -+ -+ /* -+ * Clear the MSR VSX bit to indicate there is no valid state attached -+ * to this context, except in the specific case below where we set it. -+ */ -+ msr &= ~MSR_VSX; - #ifdef CONFIG_VSX - /* - * Copy VSX low doubleword to local buffer for formatting, -diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c -index e74f86e..304680a 100644 ---- a/arch/powerpc/kernel/time.c -+++ b/arch/powerpc/kernel/time.c -@@ -235,8 +235,6 @@ static u64 scan_dispatch_log(u64 stop_tb) - if (i == vpa->dtl_idx) - return 0; - while (i < vpa->dtl_idx) { -- if (dtl_consumer) -- dtl_consumer(dtl, i); - dtb = dtl->timebase; - tb_delta = dtl->enqueue_to_dispatch_time + - dtl->ready_to_enqueue_time; -@@ -249,6 +247,8 @@ static u64 scan_dispatch_log(u64 stop_tb) - } - if (dtb > stop_tb) - break; -+ if (dtl_consumer) -+ dtl_consumer(dtl, i); - stolen += tb_delta; - ++i; - ++dtl; -diff --git a/arch/powerpc/kernel/vio.c b/arch/powerpc/kernel/vio.c -index f65af61..dfb1c19 100644 ---- a/arch/powerpc/kernel/vio.c -+++ b/arch/powerpc/kernel/vio.c -@@ -1351,11 +1351,15 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr, - const char *cp; - - dn = dev->of_node; -- if (!dn) -- return -ENODEV; -+ if (!dn) { -+ strcpy(buf, "\n"); -+ return strlen(buf); -+ } - cp = of_get_property(dn, "compatible", NULL); -- if (!cp) -- return -ENODEV; -+ if (!cp) { -+ strcpy(buf, "\n"); -+ return strlen(buf); -+ } - - return sprintf(buf, "vio:T%sS%s\n", vio_dev->type, cp); - } -diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c -index a9ce135..3ec8b39 100644 ---- a/arch/s390/crypto/aes_s390.c -+++ b/arch/s390/crypto/aes_s390.c -@@ -35,7 +35,6 @@ static u8 *ctrblk; - static char keylen_flag; - - struct s390_aes_ctx { -- u8 iv[AES_BLOCK_SIZE]; - u8 key[AES_MAX_KEY_SIZE]; - long enc; - long dec; -@@ -56,8 +55,7 @@ struct pcc_param { - - struct s390_xts_ctx { - u8 key[32]; -- u8 xts_param[16]; -- struct pcc_param pcc; -+ u8 pcc_key[32]; - long enc; - long dec; - int key_len; -@@ -442,29 +440,35 @@ static int cbc_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, - return aes_set_key(tfm, in_key, key_len); - } - --static int cbc_aes_crypt(struct blkcipher_desc *desc, long func, void *param, -+static int cbc_aes_crypt(struct blkcipher_desc *desc, long func, - struct blkcipher_walk *walk) - { -+ struct s390_aes_ctx *sctx = crypto_blkcipher_ctx(desc->tfm); - int ret = blkcipher_walk_virt(desc, walk); - unsigned int nbytes = walk->nbytes; -+ struct { -+ u8 iv[AES_BLOCK_SIZE]; -+ u8 key[AES_MAX_KEY_SIZE]; -+ } param; - - if (!nbytes) - goto out; - -- memcpy(param, walk->iv, AES_BLOCK_SIZE); -+ memcpy(param.iv, walk->iv, AES_BLOCK_SIZE); -+ memcpy(param.key, sctx->key, sctx->key_len); - do { - /* only use complete blocks */ - unsigned int n = nbytes & ~(AES_BLOCK_SIZE - 1); - u8 *out = walk->dst.virt.addr; - u8 *in = walk->src.virt.addr; - -- ret = crypt_s390_kmc(func, param, out, in, n); -+ ret = crypt_s390_kmc(func, ¶m, out, in, n); - BUG_ON((ret < 0) || (ret != n)); - - nbytes &= AES_BLOCK_SIZE - 1; - ret = blkcipher_walk_done(desc, walk, nbytes); - } while ((nbytes = walk->nbytes)); -- memcpy(walk->iv, param, AES_BLOCK_SIZE); -+ memcpy(walk->iv, param.iv, AES_BLOCK_SIZE); - - out: - return ret; -@@ -481,7 +485,7 @@ static int cbc_aes_encrypt(struct blkcipher_desc *desc, - return fallback_blk_enc(desc, dst, src, nbytes); - - blkcipher_walk_init(&walk, dst, src, nbytes); -- return cbc_aes_crypt(desc, sctx->enc, sctx->iv, &walk); -+ return cbc_aes_crypt(desc, sctx->enc, &walk); - } - - static int cbc_aes_decrypt(struct blkcipher_desc *desc, -@@ -495,7 +499,7 @@ static int cbc_aes_decrypt(struct blkcipher_desc *desc, - return fallback_blk_dec(desc, dst, src, nbytes); - - blkcipher_walk_init(&walk, dst, src, nbytes); -- return cbc_aes_crypt(desc, sctx->dec, sctx->iv, &walk); -+ return cbc_aes_crypt(desc, sctx->dec, &walk); - } - - static struct crypto_alg cbc_aes_alg = { -@@ -587,7 +591,7 @@ static int xts_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, - xts_ctx->enc = KM_XTS_128_ENCRYPT; - xts_ctx->dec = KM_XTS_128_DECRYPT; - memcpy(xts_ctx->key + 16, in_key, 16); -- memcpy(xts_ctx->pcc.key + 16, in_key + 16, 16); -+ memcpy(xts_ctx->pcc_key + 16, in_key + 16, 16); - break; - case 48: - xts_ctx->enc = 0; -@@ -598,7 +602,7 @@ static int xts_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, - xts_ctx->enc = KM_XTS_256_ENCRYPT; - xts_ctx->dec = KM_XTS_256_DECRYPT; - memcpy(xts_ctx->key, in_key, 32); -- memcpy(xts_ctx->pcc.key, in_key + 32, 32); -+ memcpy(xts_ctx->pcc_key, in_key + 32, 32); - break; - default: - *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN; -@@ -617,28 +621,32 @@ static int xts_aes_crypt(struct blkcipher_desc *desc, long func, - unsigned int nbytes = walk->nbytes; - unsigned int n; - u8 *in, *out; -- void *param; -+ struct pcc_param pcc_param; -+ struct { -+ u8 key[32]; -+ u8 init[16]; -+ } xts_param; - - if (!nbytes) - goto out; - -- memset(xts_ctx->pcc.block, 0, sizeof(xts_ctx->pcc.block)); -- memset(xts_ctx->pcc.bit, 0, sizeof(xts_ctx->pcc.bit)); -- memset(xts_ctx->pcc.xts, 0, sizeof(xts_ctx->pcc.xts)); -- memcpy(xts_ctx->pcc.tweak, walk->iv, sizeof(xts_ctx->pcc.tweak)); -- param = xts_ctx->pcc.key + offset; -- ret = crypt_s390_pcc(func, param); -+ memset(pcc_param.block, 0, sizeof(pcc_param.block)); -+ memset(pcc_param.bit, 0, sizeof(pcc_param.bit)); -+ memset(pcc_param.xts, 0, sizeof(pcc_param.xts)); -+ memcpy(pcc_param.tweak, walk->iv, sizeof(pcc_param.tweak)); -+ memcpy(pcc_param.key, xts_ctx->pcc_key, 32); -+ ret = crypt_s390_pcc(func, &pcc_param.key[offset]); - BUG_ON(ret < 0); - -- memcpy(xts_ctx->xts_param, xts_ctx->pcc.xts, 16); -- param = xts_ctx->key + offset; -+ memcpy(xts_param.key, xts_ctx->key, 32); -+ memcpy(xts_param.init, pcc_param.xts, 16); - do { - /* only use complete blocks */ - n = nbytes & ~(AES_BLOCK_SIZE - 1); - out = walk->dst.virt.addr; - in = walk->src.virt.addr; - -- ret = crypt_s390_km(func, param, out, in, n); -+ ret = crypt_s390_km(func, &xts_param.key[offset], out, in, n); - BUG_ON(ret < 0 || ret != n); - - nbytes &= AES_BLOCK_SIZE - 1; -diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c -index 425162e..2f53b89 100644 ---- a/arch/um/os-Linux/start_up.c -+++ b/arch/um/os-Linux/start_up.c -@@ -15,6 +15,8 @@ - #include <sys/mman.h> - #include <sys/stat.h> - #include <sys/wait.h> -+#include <sys/time.h> -+#include <sys/resource.h> - #include <asm/unistd.h> - #include "init.h" - #include "os.h" -diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile -index 95365a8..e80542b 100644 ---- a/arch/x86/boot/Makefile -+++ b/arch/x86/boot/Makefile -@@ -51,18 +51,18 @@ $(obj)/cpustr.h: $(obj)/mkcpustr FORCE - - # How to compile the 16-bit code. Note we always compile for -march=i386, - # that way we can complain to the user if the CPU is insufficient. --KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os -D_SETUP -D__KERNEL__ \ -+KBUILD_CFLAGS := $(LINUXINCLUDE) -m32 -g -Os -D_SETUP -D__KERNEL__ \ - -DDISABLE_BRANCH_PROFILING \ - -Wall -Wstrict-prototypes \ - -march=i386 -mregparm=3 \ - -include $(srctree)/$(src)/code16gcc.h \ - -fno-strict-aliasing -fomit-frame-pointer \ -+ -mno-mmx -mno-sse \ - $(call cc-option, -ffreestanding) \ - $(call cc-option, -fno-toplevel-reorder,\ -- $(call cc-option, -fno-unit-at-a-time)) \ -+ $(call cc-option, -fno-unit-at-a-time)) \ - $(call cc-option, -fno-stack-protector) \ - $(call cc-option, -mpreferred-stack-boundary=2) --KBUILD_CFLAGS += $(call cc-option, -m32) - KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ - GCOV_PROFILE := n - -diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile -index 77453c6..cda5cef 100644 ---- a/arch/x86/boot/compressed/Makefile -+++ b/arch/x86/boot/compressed/Makefile -@@ -12,6 +12,7 @@ KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING - cflags-$(CONFIG_X86_32) := -march=i386 - cflags-$(CONFIG_X86_64) := -mcmodel=small - KBUILD_CFLAGS += $(cflags-y) -+KBUILD_CFLAGS += -mno-mmx -mno-sse - KBUILD_CFLAGS += $(call cc-option,-ffreestanding) - KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector) - -diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c -index 13ad899..69e231b 100644 ---- a/arch/x86/kernel/crash.c -+++ b/arch/x86/kernel/crash.c -@@ -95,10 +95,10 @@ void native_machine_crash_shutdown(struct pt_regs *regs) - cpu_emergency_vmxoff(); - cpu_emergency_svm_disable(); - -- lapic_shutdown(); - #if defined(CONFIG_X86_IO_APIC) - disable_IO_APIC(); - #endif -+ lapic_shutdown(); - #ifdef CONFIG_HPET_TIMER - hpet_disable(); - #endif -diff --git a/arch/x86/kernel/microcode_amd.c b/arch/x86/kernel/microcode_amd.c -index 1ef962b..f9b9eaa 100644 ---- a/arch/x86/kernel/microcode_amd.c -+++ b/arch/x86/kernel/microcode_amd.c -@@ -331,7 +331,7 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device) - snprintf(fw_name, sizeof(fw_name), "amd-ucode/microcode_amd_fam%.2xh.bin", c->x86); - - if (request_firmware(&fw, (const char *)fw_name, device)) { -- pr_err("failed to load file %s\n", fw_name); -+ pr_debug("failed to load file %s\n", fw_name); - goto out; - } - -diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c -index a4e1b4b..f411aca 100644 ---- a/arch/x86/kernel/reboot.c -+++ b/arch/x86/kernel/reboot.c -@@ -652,6 +652,13 @@ void native_machine_shutdown(void) - - /* The boot cpu is always logical cpu 0 */ - int reboot_cpu_id = 0; -+#endif -+ -+#ifdef CONFIG_X86_IO_APIC -+ disable_IO_APIC(); -+#endif -+ -+#ifdef CONFIG_SMP - - #ifdef CONFIG_X86_32 - /* See if there has been given a command line override */ -@@ -675,10 +682,6 @@ void native_machine_shutdown(void) - - lapic_shutdown(); - --#ifdef CONFIG_X86_IO_APIC -- disable_IO_APIC(); --#endif -- - #ifdef CONFIG_HPET_TIMER - hpet_disable(); - #endif -diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c -index 54abb40..43e7753 100644 ---- a/arch/x86/kvm/lapic.c -+++ b/arch/x86/kvm/lapic.c -@@ -537,7 +537,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic) - ASSERT(apic != NULL); - - /* if initial count is 0, current count should also be 0 */ -- if (apic_get_reg(apic, APIC_TMICT) == 0) -+ if (apic_get_reg(apic, APIC_TMICT) == 0 || -+ apic->lapic_timer.period == 0) - return 0; - - remaining = hrtimer_get_remaining(&apic->lapic_timer.timer); -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index a18d20d..bee75a6 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -614,11 +614,6 @@ void __init efi_init(void) - - set_bit(EFI_MEMMAP, &x86_efi_facility); - --#ifdef CONFIG_X86_32 -- x86_platform.get_wallclock = efi_get_time; -- x86_platform.set_wallclock = efi_set_rtc_mmss; --#endif -- - #if EFI_DEBUG - print_efi_memmap(); - #endif -diff --git a/block/blk-core.c b/block/blk-core.c -index 49d9e91..a219c89 100644 ---- a/block/blk-core.c -+++ b/block/blk-core.c -@@ -483,6 +483,7 @@ struct request_queue *blk_alloc_queue_node(gfp_t gfp_mask, int node_id) - } - - if (blk_throtl_init(q)) { -+ bdi_destroy(&q->backing_dev_info); - kmem_cache_free(blk_requestq_cachep, q); - return NULL; - } -@@ -2015,6 +2016,7 @@ void blk_start_request(struct request *req) - if (unlikely(blk_bidi_rq(req))) - req->next_rq->resid_len = blk_rq_bytes(req->next_rq); - -+ BUG_ON(test_bit(REQ_ATOM_COMPLETE, &req->atomic_flags)); - blk_add_timer(req); - } - EXPORT_SYMBOL(blk_start_request); -diff --git a/block/blk-timeout.c b/block/blk-timeout.c -index 7803548..b1182ea 100644 ---- a/block/blk-timeout.c -+++ b/block/blk-timeout.c -@@ -90,8 +90,8 @@ static void blk_rq_timed_out(struct request *req) - __blk_complete_request(req); - break; - case BLK_EH_RESET_TIMER: -- blk_clear_rq_complete(req); - blk_add_timer(req); -+ blk_clear_rq_complete(req); - break; - case BLK_EH_NOT_HANDLED: - /* -@@ -173,7 +173,6 @@ void blk_add_timer(struct request *req) - return; - - BUG_ON(!list_empty(&req->timeout_list)); -- BUG_ON(test_bit(REQ_ATOM_COMPLETE, &req->atomic_flags)); - - /* - * Some LLDs, like scsi, peek at the timeout to prevent a -diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c -index 0262210..8502462 100644 ---- a/crypto/algif_hash.c -+++ b/crypto/algif_hash.c -@@ -114,6 +114,9 @@ static ssize_t hash_sendpage(struct socket *sock, struct page *page, - struct hash_ctx *ctx = ask->private; - int err; - -+ if (flags & MSG_SENDPAGE_NOTLAST) -+ flags |= MSG_MORE; -+ - lock_sock(sk); - sg_init_table(ctx->sgl.sg, 1); - sg_set_page(ctx->sgl.sg, page, size, offset); -@@ -161,8 +164,6 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock, - else if (len < ds) - msg->msg_flags |= MSG_TRUNC; - -- msg->msg_namelen = 0; -- - lock_sock(sk); - if (ctx->more) { - ctx->more = 0; -diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c -index a1c4f0a..a19c027 100644 ---- a/crypto/algif_skcipher.c -+++ b/crypto/algif_skcipher.c -@@ -378,6 +378,9 @@ static ssize_t skcipher_sendpage(struct socket *sock, struct page *page, - struct skcipher_sg_list *sgl; - int err = -EINVAL; - -+ if (flags & MSG_SENDPAGE_NOTLAST) -+ flags |= MSG_MORE; -+ - lock_sock(sk); - if (!ctx->more && ctx->used) - goto unlock; -@@ -432,7 +435,6 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock, - long copied = 0; - - lock_sock(sk); -- msg->msg_namelen = 0; - for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0; - iovlen--, iov++) { - unsigned long seglen = iov->iov_len; -diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c -index ffa0245..6056178 100644 ---- a/crypto/ansi_cprng.c -+++ b/crypto/ansi_cprng.c -@@ -230,11 +230,11 @@ remainder: - */ - if (byte_count < DEFAULT_BLK_SZ) { - empty_rbuf: -- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ; -- ctx->rand_data_valid++) { -+ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) { - *ptr = ctx->rand_data[ctx->rand_data_valid]; - ptr++; - byte_count--; -+ ctx->rand_data_valid++; - if (byte_count == 0) - goto done; - } -diff --git a/crypto/authenc.c b/crypto/authenc.c -index 5ef7ba6..d21da2f 100644 ---- a/crypto/authenc.c -+++ b/crypto/authenc.c -@@ -368,9 +368,10 @@ static void crypto_authenc_encrypt_done(struct crypto_async_request *req, - if (!err) { - struct crypto_aead *authenc = crypto_aead_reqtfm(areq); - struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc); -- struct ablkcipher_request *abreq = aead_request_ctx(areq); -- u8 *iv = (u8 *)(abreq + 1) + -- crypto_ablkcipher_reqsize(ctx->enc); -+ struct authenc_request_ctx *areq_ctx = aead_request_ctx(areq); -+ struct ablkcipher_request *abreq = (void *)(areq_ctx->tail -+ + ctx->reqoff); -+ u8 *iv = (u8 *)abreq - crypto_ablkcipher_ivsize(ctx->enc); - - err = crypto_authenc_genicv(areq, iv, 0); - } -diff --git a/crypto/ccm.c b/crypto/ccm.c -index c36d654..2002ca7 100644 ---- a/crypto/ccm.c -+++ b/crypto/ccm.c -@@ -271,7 +271,8 @@ static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain, - } - - /* compute plaintext into mac */ -- get_data_to_compute(cipher, pctx, plain, cryptlen); -+ if (cryptlen) -+ get_data_to_compute(cipher, pctx, plain, cryptlen); - - out: - return err; -diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c -index 0445f52..d29f6d5 100644 ---- a/drivers/ata/ahci.c -+++ b/drivers/ata/ahci.c -@@ -303,6 +303,10 @@ static const struct pci_device_id ahci_pci_tbl[] = { - { PCI_VDEVICE(INTEL, 0x8d66), board_ahci }, /* Wellsburg RAID */ - { PCI_VDEVICE(INTEL, 0x8d6e), board_ahci }, /* Wellsburg RAID */ - { PCI_VDEVICE(INTEL, 0x23a3), board_ahci }, /* Coleto Creek AHCI */ -+ { PCI_VDEVICE(INTEL, 0x9c83), board_ahci }, /* Wildcat Point-LP AHCI */ -+ { PCI_VDEVICE(INTEL, 0x9c85), board_ahci }, /* Wildcat Point-LP RAID */ -+ { PCI_VDEVICE(INTEL, 0x9c87), board_ahci }, /* Wildcat Point-LP RAID */ -+ { PCI_VDEVICE(INTEL, 0x9c8f), board_ahci }, /* Wildcat Point-LP RAID */ - - /* JMicron 360/1/3/5/6, match class to avoid IDE function */ - { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, -@@ -437,6 +441,8 @@ static const struct pci_device_id ahci_pci_tbl[] = { - .driver_data = board_ahci_yes_fbs }, /* 88se9172 on some Gigabyte */ - { PCI_DEVICE(0x1b4b, 0x91a3), - .driver_data = board_ahci_yes_fbs }, -+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230), -+ .driver_data = board_ahci_yes_fbs }, - - /* Promise */ - { PCI_VDEVICE(PROMISE, 0x3f20), board_ahci }, /* PDC42819 */ -diff --git a/drivers/ata/ahci_platform.c b/drivers/ata/ahci_platform.c -index 43b8758..6692108 100644 ---- a/drivers/ata/ahci_platform.c -+++ b/drivers/ata/ahci_platform.c -@@ -204,6 +204,7 @@ static int __devexit ahci_remove(struct platform_device *pdev) - - static const struct of_device_id ahci_of_match[] = { - { .compatible = "calxeda,hb-ahci", }, -+ { .compatible = "ibm,476gtr-ahci", }, - {}, - }; - MODULE_DEVICE_TABLE(of, ahci_of_match); -diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c -index 60def03..de2802c 100644 ---- a/drivers/ata/libahci.c -+++ b/drivers/ata/libahci.c -@@ -1247,9 +1247,11 @@ int ahci_do_softreset(struct ata_link *link, unsigned int *class, - { - struct ata_port *ap = link->ap; - struct ahci_host_priv *hpriv = ap->host->private_data; -+ struct ahci_port_priv *pp = ap->private_data; - const char *reason = NULL; - unsigned long now, msecs; - struct ata_taskfile tf; -+ bool fbs_disabled = false; - int rc; - - DPRINTK("ENTER\n"); -@@ -1259,6 +1261,16 @@ int ahci_do_softreset(struct ata_link *link, unsigned int *class, - if (rc && rc != -EOPNOTSUPP) - ata_link_warn(link, "failed to reset engine (errno=%d)\n", rc); - -+ /* -+ * According to AHCI-1.2 9.3.9: if FBS is enable, software shall -+ * clear PxFBS.EN to '0' prior to issuing software reset to devices -+ * that is attached to port multiplier. -+ */ -+ if (!ata_is_host_link(link) && pp->fbs_enabled) { -+ ahci_disable_fbs(ap); -+ fbs_disabled = true; -+ } -+ - ata_tf_init(link->device, &tf); - - /* issue the first D2H Register FIS */ -@@ -1299,6 +1311,10 @@ int ahci_do_softreset(struct ata_link *link, unsigned int *class, - } else - *class = ahci_dev_classify(ap); - -+ /* re-enable FBS if disabled before */ -+ if (fbs_disabled) -+ ahci_enable_fbs(ap); -+ - DPRINTK("EXIT, class=%u\n", *class); - return 0; - -diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c -index d54b7d6..a0a3987 100644 ---- a/drivers/ata/libata-core.c -+++ b/drivers/ata/libata-core.c -@@ -4067,6 +4067,7 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { - { "TORiSAN DVD-ROM DRD-N216", NULL, ATA_HORKAGE_MAX_SEC_128 }, - { "QUANTUM DAT DAT72-000", NULL, ATA_HORKAGE_ATAPI_MOD16_DMA }, - { "Slimtype DVD A DS8A8SH", NULL, ATA_HORKAGE_MAX_SEC_LBA48 }, -+ { "Slimtype DVD A DS8A9SH", NULL, ATA_HORKAGE_MAX_SEC_LBA48 }, - - /* Devices we expect to fail diagnostics */ - -diff --git a/drivers/ata/libata-transport.c b/drivers/ata/libata-transport.c -index ce9dc62..c01f040 100644 ---- a/drivers/ata/libata-transport.c -+++ b/drivers/ata/libata-transport.c -@@ -312,25 +312,25 @@ int ata_tport_add(struct device *parent, - /* - * ATA link attributes - */ -+static int noop(int x) { return x; } - -- --#define ata_link_show_linkspeed(field) \ -+#define ata_link_show_linkspeed(field, format) \ - static ssize_t \ - show_ata_link_##field(struct device *dev, \ - struct device_attribute *attr, char *buf) \ - { \ - struct ata_link *link = transport_class_to_link(dev); \ - \ -- return sprintf(buf,"%s\n", sata_spd_string(fls(link->field))); \ -+ return sprintf(buf, "%s\n", sata_spd_string(format(link->field))); \ - } - --#define ata_link_linkspeed_attr(field) \ -- ata_link_show_linkspeed(field) \ -+#define ata_link_linkspeed_attr(field, format) \ -+ ata_link_show_linkspeed(field, format) \ - static DEVICE_ATTR(field, S_IRUGO, show_ata_link_##field, NULL) - --ata_link_linkspeed_attr(hw_sata_spd_limit); --ata_link_linkspeed_attr(sata_spd_limit); --ata_link_linkspeed_attr(sata_spd); -+ata_link_linkspeed_attr(hw_sata_spd_limit, fls); -+ata_link_linkspeed_attr(sata_spd_limit, fls); -+ata_link_linkspeed_attr(sata_spd, noop); - - - static DECLARE_TRANSPORT_CLASS(ata_link_class, -diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c -index 1c05212..b0e75ce 100644 ---- a/drivers/atm/idt77252.c -+++ b/drivers/atm/idt77252.c -@@ -3513,7 +3513,7 @@ init_card(struct atm_dev *dev) - tmp = dev_get_by_name(&init_net, tname); /* jhs: was "tmp = dev_get(tname);" */ - if (tmp) { - memcpy(card->atmdev->esi, tmp->dev_addr, 6); -- -+ dev_put(tmp); - printk("%s: ESI %pM\n", card->name, card->atmdev->esi); - } - /* -diff --git a/drivers/block/brd.c b/drivers/block/brd.c -index 968a0d4..f35975f 100644 ---- a/drivers/block/brd.c -+++ b/drivers/block/brd.c -@@ -547,7 +547,7 @@ static struct kobject *brd_probe(dev_t dev, int *part, void *data) - - mutex_lock(&brd_devices_mutex); - brd = brd_init_one(MINOR(dev) >> part_shift); -- kobj = brd ? get_disk(brd->brd_disk) : ERR_PTR(-ENOMEM); -+ kobj = brd ? get_disk(brd->brd_disk) : NULL; - mutex_unlock(&brd_devices_mutex); - - *part = 0; -diff --git a/drivers/block/loop.c b/drivers/block/loop.c -index a365562..d659135 100644 ---- a/drivers/block/loop.c -+++ b/drivers/block/loop.c -@@ -1635,7 +1635,7 @@ static int loop_add(struct loop_device **l, int i) - - lo->lo_queue = blk_alloc_queue(GFP_KERNEL); - if (!lo->lo_queue) -- goto out_free_dev; -+ goto out_free_idr; - - disk = lo->lo_disk = alloc_disk(1 << part_shift); - if (!disk) -@@ -1679,6 +1679,8 @@ static int loop_add(struct loop_device **l, int i) - - out_free_queue: - blk_cleanup_queue(lo->lo_queue); -+out_free_idr: -+ idr_remove(&loop_index_idr, i); - out_free_dev: - kfree(lo); - out: -@@ -1742,7 +1744,7 @@ static struct kobject *loop_probe(dev_t dev, int *part, void *data) - if (err < 0) - err = loop_add(&lo, MINOR(dev) >> part_shift); - if (err < 0) -- kobj = ERR_PTR(err); -+ kobj = NULL; - else - kobj = get_disk(lo->lo_disk); - mutex_unlock(&loop_index_mutex); -diff --git a/drivers/char/i8k.c b/drivers/char/i8k.c -index 6e40072..51efcbc 100644 ---- a/drivers/char/i8k.c -+++ b/drivers/char/i8k.c -@@ -664,6 +664,13 @@ static struct dmi_system_id __initdata i8k_dmi_table[] = { - DMI_MATCH(DMI_PRODUCT_NAME, "Vostro"), - }, - }, -+ { -+ .ident = "Dell XPS421", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "XPS L421X"), -+ }, -+ }, - { } - }; - -diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c -index 66d5384..094a710 100644 ---- a/drivers/connector/cn_proc.c -+++ b/drivers/connector/cn_proc.c -@@ -31,11 +31,23 @@ - #include <linux/ptrace.h> - #include <linux/atomic.h> - --#include <asm/unaligned.h> -- - #include <linux/cn_proc.h> - --#define CN_PROC_MSG_SIZE (sizeof(struct cn_msg) + sizeof(struct proc_event)) -+/* -+ * Size of a cn_msg followed by a proc_event structure. Since the -+ * sizeof struct cn_msg is a multiple of 4 bytes, but not 8 bytes, we -+ * add one 4-byte word to the size here, and then start the actual -+ * cn_msg structure 4 bytes into the stack buffer. The result is that -+ * the immediately following proc_event structure is aligned to 8 bytes. -+ */ -+#define CN_PROC_MSG_SIZE (sizeof(struct cn_msg) + sizeof(struct proc_event) + 4) -+ -+/* See comment above; we test our assumption about sizeof struct cn_msg here. */ -+static inline struct cn_msg *buffer_to_cn_msg(__u8 *buffer) -+{ -+ BUILD_BUG_ON(sizeof(struct cn_msg) != 20); -+ return (struct cn_msg *)(buffer + 4); -+} - - static atomic_t proc_event_num_listeners = ATOMIC_INIT(0); - static struct cb_id cn_proc_event_id = { CN_IDX_PROC, CN_VAL_PROC }; -@@ -55,19 +67,19 @@ void proc_fork_connector(struct task_struct *task) - { - struct cn_msg *msg; - struct proc_event *ev; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - struct timespec ts; - struct task_struct *parent; - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg*)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event*)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_FORK; - rcu_read_lock(); - parent = rcu_dereference(task->real_parent); -@@ -90,17 +102,17 @@ void proc_exec_connector(struct task_struct *task) - struct cn_msg *msg; - struct proc_event *ev; - struct timespec ts; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg*)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event*)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_EXEC; - ev->event_data.exec.process_pid = task->pid; - ev->event_data.exec.process_tgid = task->tgid; -@@ -116,14 +128,14 @@ void proc_id_connector(struct task_struct *task, int which_id) - { - struct cn_msg *msg; - struct proc_event *ev; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - struct timespec ts; - const struct cred *cred; - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg*)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event*)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - ev->what = which_id; -@@ -144,7 +156,7 @@ void proc_id_connector(struct task_struct *task, int which_id) - rcu_read_unlock(); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - - memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); - msg->ack = 0; /* not used */ -@@ -158,17 +170,17 @@ void proc_sid_connector(struct task_struct *task) - struct cn_msg *msg; - struct proc_event *ev; - struct timespec ts; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg *)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event *)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_SID; - ev->event_data.sid.process_pid = task->pid; - ev->event_data.sid.process_tgid = task->tgid; -@@ -185,17 +197,17 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) - struct cn_msg *msg; - struct proc_event *ev; - struct timespec ts; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg *)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event *)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_PTRACE; - ev->event_data.ptrace.process_pid = task->pid; - ev->event_data.ptrace.process_tgid = task->tgid; -@@ -220,17 +232,17 @@ void proc_comm_connector(struct task_struct *task) - struct cn_msg *msg; - struct proc_event *ev; - struct timespec ts; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg *)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event *)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_COMM; - ev->event_data.comm.process_pid = task->pid; - ev->event_data.comm.process_tgid = task->tgid; -@@ -247,18 +259,18 @@ void proc_exit_connector(struct task_struct *task) - { - struct cn_msg *msg; - struct proc_event *ev; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - struct timespec ts; - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg*)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event*)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_EXIT; - ev->event_data.exit.process_pid = task->pid; - ev->event_data.exit.process_tgid = task->tgid; -@@ -284,18 +296,18 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) - { - struct cn_msg *msg; - struct proc_event *ev; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - struct timespec ts; - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg*)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event*)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - msg->seq = rcvd_seq; - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->cpu = -1; - ev->what = PROC_EVENT_NONE; - ev->event_data.ack.err = err; -diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c -index edcffd6..34be13b 100644 ---- a/drivers/gpio/gpio-mpc8xxx.c -+++ b/drivers/gpio/gpio-mpc8xxx.c -@@ -69,10 +69,14 @@ static int mpc8572_gpio_get(struct gpio_chip *gc, unsigned int gpio) - u32 val; - struct of_mm_gpio_chip *mm = to_of_mm_gpio_chip(gc); - struct mpc8xxx_gpio_chip *mpc8xxx_gc = to_mpc8xxx_gpio_chip(mm); -+ u32 out_mask, out_shadow; - -- val = in_be32(mm->regs + GPIO_DAT) & ~in_be32(mm->regs + GPIO_DIR); -+ out_mask = in_be32(mm->regs + GPIO_DIR); - -- return (val | mpc8xxx_gc->data) & mpc8xxx_gpio2mask(gpio); -+ val = in_be32(mm->regs + GPIO_DAT) & ~out_mask; -+ out_shadow = mpc8xxx_gc->data & out_mask; -+ -+ return (val | out_shadow) & mpc8xxx_gpio2mask(gpio); - } - - static int mpc8xxx_gpio_get(struct gpio_chip *gc, unsigned int gpio) -diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index ee29c1f..6d36695 100644 ---- a/drivers/gpu/drm/i915/intel_display.c -+++ b/drivers/gpu/drm/i915/intel_display.c -@@ -6063,7 +6063,9 @@ static void i9xx_update_cursor(struct drm_crtc *crtc, u32 base) - intel_crtc->cursor_visible = visible; - } - /* and commit changes on next vblank */ -+ POSTING_READ(CURCNTR(pipe)); - I915_WRITE(CURBASE(pipe), base); -+ POSTING_READ(CURBASE(pipe)); - } - - static void ivb_update_cursor(struct drm_crtc *crtc, u32 base) -@@ -6088,7 +6090,9 @@ static void ivb_update_cursor(struct drm_crtc *crtc, u32 base) - intel_crtc->cursor_visible = visible; - } - /* and commit changes on next vblank */ -+ POSTING_READ(CURCNTR_IVB(pipe)); - I915_WRITE(CURBASE_IVB(pipe), base); -+ POSTING_READ(CURBASE_IVB(pipe)); - } - - /* If no-part of the cursor is visible on the framebuffer, then the GPU may hang... */ -diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c -index 7ce3fde..bd0b1fc 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_gem.c -+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c -@@ -281,7 +281,8 @@ validate_fini_list(struct list_head *list, struct nouveau_fence *fence) - list_for_each_safe(entry, tmp, list) { - nvbo = list_entry(entry, struct nouveau_bo, entry); - -- nouveau_bo_fence(nvbo, fence); -+ if (likely(fence)) -+ nouveau_bo_fence(nvbo, fence); - - if (unlikely(nvbo->validate_mapped)) { - ttm_bo_kunmap(&nvbo->kmap); -diff --git a/drivers/gpu/drm/radeon/radeon_legacy_crtc.c b/drivers/gpu/drm/radeon/radeon_legacy_crtc.c -index daadf21..a9238b0 100644 ---- a/drivers/gpu/drm/radeon/radeon_legacy_crtc.c -+++ b/drivers/gpu/drm/radeon/radeon_legacy_crtc.c -@@ -416,12 +416,40 @@ int radeon_crtc_do_set_base(struct drm_crtc *crtc, - /* Pin framebuffer & get tilling informations */ - obj = radeon_fb->obj; - rbo = gem_to_radeon_bo(obj); -+retry: - r = radeon_bo_reserve(rbo, false); - if (unlikely(r != 0)) - return r; - r = radeon_bo_pin(rbo, RADEON_GEM_DOMAIN_VRAM, &base); - if (unlikely(r != 0)) { - radeon_bo_unreserve(rbo); -+ -+ /* On old GPU like RN50 with little vram pining can fails because -+ * current fb is taking all space needed. So instead of unpining -+ * the old buffer after pining the new one, first unpin old one -+ * and then retry pining new one. -+ * -+ * As only master can set mode only master can pin and it is -+ * unlikely the master client will race with itself especialy -+ * on those old gpu with single crtc. -+ * -+ * We don't shutdown the display controller because new buffer -+ * will end up in same spot. -+ */ -+ if (!atomic && fb && fb != crtc->fb) { -+ struct radeon_bo *old_rbo; -+ unsigned long nsize, osize; -+ -+ old_rbo = gem_to_radeon_bo(to_radeon_framebuffer(fb)->obj); -+ osize = radeon_bo_size(old_rbo); -+ nsize = radeon_bo_size(rbo); -+ if (nsize <= osize && !radeon_bo_reserve(old_rbo, false)) { -+ radeon_bo_unpin(old_rbo); -+ radeon_bo_unreserve(old_rbo); -+ fb = NULL; -+ goto retry; -+ } -+ } - return -EINVAL; - } - radeon_bo_get_tiling_flags(rbo, &tiling_flags, NULL); -diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c -index 0d27bff..22a89cd 100644 ---- a/drivers/gpu/drm/ttm/ttm_bo.c -+++ b/drivers/gpu/drm/ttm/ttm_bo.c -@@ -1101,24 +1101,32 @@ out_unlock: - return ret; - } - --static int ttm_bo_mem_compat(struct ttm_placement *placement, -- struct ttm_mem_reg *mem) -+static bool ttm_bo_mem_compat(struct ttm_placement *placement, -+ struct ttm_mem_reg *mem, -+ uint32_t *new_flags) - { - int i; - - if (mem->mm_node && placement->lpfn != 0 && - (mem->start < placement->fpfn || - mem->start + mem->num_pages > placement->lpfn)) -- return -1; -+ return false; - - for (i = 0; i < placement->num_placement; i++) { -- if ((placement->placement[i] & mem->placement & -- TTM_PL_MASK_CACHING) && -- (placement->placement[i] & mem->placement & -- TTM_PL_MASK_MEM)) -- return i; -+ *new_flags = placement->placement[i]; -+ if ((*new_flags & mem->placement & TTM_PL_MASK_CACHING) && -+ (*new_flags & mem->placement & TTM_PL_MASK_MEM)) -+ return true; -+ } -+ -+ for (i = 0; i < placement->num_busy_placement; i++) { -+ *new_flags = placement->busy_placement[i]; -+ if ((*new_flags & mem->placement & TTM_PL_MASK_CACHING) && -+ (*new_flags & mem->placement & TTM_PL_MASK_MEM)) -+ return true; - } -- return -1; -+ -+ return false; - } - - int ttm_bo_validate(struct ttm_buffer_object *bo, -@@ -1127,6 +1135,7 @@ int ttm_bo_validate(struct ttm_buffer_object *bo, - bool no_wait_gpu) - { - int ret; -+ uint32_t new_flags; - - BUG_ON(!atomic_read(&bo->reserved)); - /* Check that range is valid */ -@@ -1137,8 +1146,7 @@ int ttm_bo_validate(struct ttm_buffer_object *bo, - /* - * Check whether we need to move buffer. - */ -- ret = ttm_bo_mem_compat(placement, &bo->mem); -- if (ret < 0) { -+ if (!ttm_bo_mem_compat(placement, &bo->mem, &new_flags)) { - ret = ttm_bo_move_buffer(bo, placement, interruptible, no_wait_reserve, no_wait_gpu); - if (ret) - return ret; -@@ -1147,7 +1155,7 @@ int ttm_bo_validate(struct ttm_buffer_object *bo, - * Use the access and other non-mapping-related flag bits from - * the compatible memory placement flags to the active flags - */ -- ttm_flag_masked(&bo->mem.placement, placement->placement[ret], -+ ttm_flag_masked(&bo->mem.placement, new_flags, - ~TTM_PL_MASK_MEMTYPE); - } - /* -diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c -index 13af0f1..a605ba1 100644 ---- a/drivers/hid/hid-multitouch.c -+++ b/drivers/hid/hid-multitouch.c -@@ -66,7 +66,7 @@ struct mt_device { - unsigned last_field_index; /* last field index of the report */ - unsigned last_slot_field; /* the last field of a slot */ - int last_mt_collection; /* last known mt-related collection */ -- __s8 inputmode; /* InputMode HID feature, -1 if non-existent */ -+ __s16 inputmode; /* InputMode HID feature, -1 if non-existent */ - __u8 num_received; /* how many contacts we received */ - __u8 num_expected; /* expected last contact index */ - __u8 maxcontacts; -diff --git a/drivers/hwmon/lm78.c b/drivers/hwmon/lm78.c -index 6df0b46..a42a7b0 100644 ---- a/drivers/hwmon/lm78.c -+++ b/drivers/hwmon/lm78.c -@@ -90,6 +90,8 @@ static inline u8 FAN_TO_REG(long rpm, int div) - { - if (rpm <= 0) - return 255; -+ if (rpm > 1350000) -+ return 1; - return SENSORS_LIMIT((1350000 + rpm * div / 2) / (rpm * div), 1, 254); - } - -diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c -index 615bc4f..6d5ece1 100644 ---- a/drivers/hwmon/lm90.c -+++ b/drivers/hwmon/lm90.c -@@ -268,7 +268,7 @@ static const struct lm90_params lm90_params[] = { - [max6696] = { - .flags = LM90_HAVE_EMERGENCY - | LM90_HAVE_EMERGENCY_ALARM | LM90_HAVE_TEMP3, -- .alert_alarms = 0x187c, -+ .alert_alarms = 0x1c7c, - .max_convrate = 6, - .reg_local_ext = MAX6657_REG_R_LOCAL_TEMPL, - }, -@@ -1474,19 +1474,22 @@ static void lm90_alert(struct i2c_client *client, unsigned int flag) - if ((alarms & 0x7f) == 0 && (alarms2 & 0xfe) == 0) { - dev_info(&client->dev, "Everything OK\n"); - } else { -- if (alarms & 0x61) -+ if ((alarms & 0x61) || (alarms2 & 0x80)) - dev_warn(&client->dev, - "temp%d out of range, please check!\n", 1); -- if (alarms & 0x1a) -+ if ((alarms & 0x1a) || (alarms2 & 0x20)) - dev_warn(&client->dev, - "temp%d out of range, please check!\n", 2); - if (alarms & 0x04) - dev_warn(&client->dev, - "temp%d diode open, please check!\n", 2); - -- if (alarms2 & 0x18) -+ if (alarms2 & 0x5a) - dev_warn(&client->dev, - "temp%d out of range, please check!\n", 3); -+ if (alarms2 & 0x04) -+ dev_warn(&client->dev, -+ "temp%d diode open, please check!\n", 3); - - /* Disable ALERT# output, because these chips don't implement - SMBus alert correctly; they should only hold the alert line -diff --git a/drivers/hwmon/sis5595.c b/drivers/hwmon/sis5595.c -index 47d7ce9..5ab6953 100644 ---- a/drivers/hwmon/sis5595.c -+++ b/drivers/hwmon/sis5595.c -@@ -133,6 +133,8 @@ static inline u8 FAN_TO_REG(long rpm, int div) - { - if (rpm <= 0) - return 255; -+ if (rpm > 1350000) -+ return 1; - return SENSORS_LIMIT((1350000 + rpm * div / 2) / (rpm * div), 1, 254); - } - -diff --git a/drivers/hwmon/vt8231.c b/drivers/hwmon/vt8231.c -index db3b2e8..6df67a9 100644 ---- a/drivers/hwmon/vt8231.c -+++ b/drivers/hwmon/vt8231.c -@@ -139,7 +139,7 @@ static const u8 regtempmin[] = { 0x3a, 0x3e, 0x2c, 0x2e, 0x30, 0x32 }; - */ - static inline u8 FAN_TO_REG(long rpm, int div) - { -- if (rpm == 0) -+ if (rpm <= 0 || rpm > 1310720) - return 0; - return SENSORS_LIMIT(1310720 / (rpm * div), 1, 255); - } -diff --git a/drivers/hwmon/w83l786ng.c b/drivers/hwmon/w83l786ng.c -index 0254e18..b9c0a7f 100644 ---- a/drivers/hwmon/w83l786ng.c -+++ b/drivers/hwmon/w83l786ng.c -@@ -447,8 +447,11 @@ store_pwm(struct device *dev, struct device_attribute *attr, - struct w83l786ng_data *data = i2c_get_clientdata(client); - u32 val = SENSORS_LIMIT(simple_strtoul(buf, NULL, 10), 0, 255); - -+ val = DIV_ROUND_CLOSEST(val, 0x11); -+ - mutex_lock(&data->update_lock); -- data->pwm[nr] = val; -+ data->pwm[nr] = val * 0x11; -+ val |= w83l786ng_read_value(client, W83L786NG_REG_PWM[nr]) & 0xf0; - w83l786ng_write_value(client, W83L786NG_REG_PWM[nr], val); - mutex_unlock(&data->update_lock); - return count; -@@ -471,7 +474,7 @@ store_pwm_enable(struct device *dev, struct device_attribute *attr, - mutex_lock(&data->update_lock); - reg = w83l786ng_read_value(client, W83L786NG_REG_FAN_CFG); - data->pwm_enable[nr] = val; -- reg &= ~(0x02 << W83L786NG_PWM_ENABLE_SHIFT[nr]); -+ reg &= ~(0x03 << W83L786NG_PWM_ENABLE_SHIFT[nr]); - reg |= (val - 1) << W83L786NG_PWM_ENABLE_SHIFT[nr]; - w83l786ng_write_value(client, W83L786NG_REG_FAN_CFG, reg); - mutex_unlock(&data->update_lock); -@@ -740,9 +743,10 @@ static struct w83l786ng_data *w83l786ng_update_device(struct device *dev) - ((pwmcfg >> W83L786NG_PWM_MODE_SHIFT[i]) & 1) - ? 0 : 1; - data->pwm_enable[i] = -- ((pwmcfg >> W83L786NG_PWM_ENABLE_SHIFT[i]) & 2) + 1; -- data->pwm[i] = w83l786ng_read_value(client, -- W83L786NG_REG_PWM[i]); -+ ((pwmcfg >> W83L786NG_PWM_ENABLE_SHIFT[i]) & 3) + 1; -+ data->pwm[i] = -+ (w83l786ng_read_value(client, W83L786NG_REG_PWM[i]) -+ & 0x0f) * 0x11; - } - - -diff --git a/drivers/infiniband/hw/ipath/ipath_user_sdma.c b/drivers/infiniband/hw/ipath/ipath_user_sdma.c -index f5cb13b..cc04b7b 100644 ---- a/drivers/infiniband/hw/ipath/ipath_user_sdma.c -+++ b/drivers/infiniband/hw/ipath/ipath_user_sdma.c -@@ -280,9 +280,7 @@ static int ipath_user_sdma_pin_pages(const struct ipath_devdata *dd, - int j; - int ret; - -- ret = get_user_pages(current, current->mm, addr, -- npages, 0, 1, pages, NULL); -- -+ ret = get_user_pages_fast(addr, npages, 0, pages); - if (ret != npages) { - int i; - -@@ -811,10 +809,7 @@ int ipath_user_sdma_writev(struct ipath_devdata *dd, - while (dim) { - const int mxp = 8; - -- down_write(¤t->mm->mmap_sem); - ret = ipath_user_sdma_queue_pkts(dd, pq, &list, iov, dim, mxp); -- up_write(¤t->mm->mmap_sem); -- - if (ret <= 0) - goto done_unlock; - else { -diff --git a/drivers/infiniband/hw/qib/qib_user_sdma.c b/drivers/infiniband/hw/qib/qib_user_sdma.c -index 8244208..573b460 100644 ---- a/drivers/infiniband/hw/qib/qib_user_sdma.c -+++ b/drivers/infiniband/hw/qib/qib_user_sdma.c -@@ -284,8 +284,7 @@ static int qib_user_sdma_pin_pages(const struct qib_devdata *dd, - int j; - int ret; - -- ret = get_user_pages(current, current->mm, addr, -- npages, 0, 1, pages, NULL); -+ ret = get_user_pages_fast(addr, npages, 0, pages); - - if (ret != npages) { - int i; -@@ -830,10 +829,7 @@ int qib_user_sdma_writev(struct qib_ctxtdata *rcd, - while (dim) { - const int mxp = 8; - -- down_write(¤t->mm->mmap_sem); - ret = qib_user_sdma_queue_pkts(dd, pq, &list, iov, dim, mxp); -- up_write(¤t->mm->mmap_sem); -- - if (ret <= 0) - goto done_unlock; - else { -diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c -index 509135f..4df80fb 100644 ---- a/drivers/isdn/isdnloop/isdnloop.c -+++ b/drivers/isdn/isdnloop/isdnloop.c -@@ -1083,8 +1083,10 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp) - spin_unlock_irqrestore(&card->isdnloop_lock, flags); - return -ENOMEM; - } -- for (i = 0; i < 3; i++) -- strcpy(card->s0num[i], sdef.num[i]); -+ for (i = 0; i < 3; i++) { -+ strlcpy(card->s0num[i], sdef.num[i], -+ sizeof(card->s0num[0])); -+ } - break; - case ISDN_PTYPE_1TR6: - if (isdnloop_fake(card, "DRV1.04TC-1TR6-CAPI-CNS-BASIS-29.11.95", -@@ -1097,7 +1099,7 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp) - spin_unlock_irqrestore(&card->isdnloop_lock, flags); - return -ENOMEM; - } -- strcpy(card->s0num[0], sdef.num[0]); -+ strlcpy(card->s0num[0], sdef.num[0], sizeof(card->s0num[0])); - card->s0num[1][0] = '\0'; - card->s0num[2][0] = '\0'; - break; -diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c -index 738ea8d..98e8274 100644 ---- a/drivers/isdn/mISDN/socket.c -+++ b/drivers/isdn/mISDN/socket.c -@@ -117,7 +117,6 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - { - struct sk_buff *skb; - struct sock *sk = sock->sk; -- struct sockaddr_mISDN *maddr; - - int copied, err; - -@@ -135,9 +134,9 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - if (!skb) - return err; - -- if (msg->msg_namelen >= sizeof(struct sockaddr_mISDN)) { -- msg->msg_namelen = sizeof(struct sockaddr_mISDN); -- maddr = (struct sockaddr_mISDN *)msg->msg_name; -+ if (msg->msg_name) { -+ struct sockaddr_mISDN *maddr = msg->msg_name; -+ - maddr->family = AF_ISDN; - maddr->dev = _pms(sk)->dev->id; - if ((sk->sk_protocol == ISDN_P_LAPD_TE) || -@@ -150,11 +149,7 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - maddr->sapi = _pms(sk)->ch.addr & 0xFF; - maddr->tei = (_pms(sk)->ch.addr >> 8) & 0xFF; - } -- } else { -- if (msg->msg_namelen) -- printk(KERN_WARNING "%s: too small namelen %d\n", -- __func__, msg->msg_namelen); -- msg->msg_namelen = 0; -+ msg->msg_namelen = sizeof(*maddr); - } - - copied = skb->len + MISDN_HEADER_LEN; -diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c -index a5dfcc0..910d2f8 100644 ---- a/drivers/md/dm-bufio.c -+++ b/drivers/md/dm-bufio.c -@@ -1611,6 +1611,11 @@ static int __init dm_bufio_init(void) - { - __u64 mem; - -+ dm_bufio_allocated_kmem_cache = 0; -+ dm_bufio_allocated_get_free_pages = 0; -+ dm_bufio_allocated_vmalloc = 0; -+ dm_bufio_current_allocated = 0; -+ - memset(&dm_bufio_caches, 0, sizeof dm_bufio_caches); - memset(&dm_bufio_cache_names, 0, sizeof dm_bufio_cache_names); - -diff --git a/drivers/md/dm-delay.c b/drivers/md/dm-delay.c -index 11431ac..3f123f1 100644 ---- a/drivers/md/dm-delay.c -+++ b/drivers/md/dm-delay.c -@@ -20,6 +20,7 @@ - struct delay_c { - struct timer_list delay_timer; - struct mutex timer_lock; -+ struct workqueue_struct *kdelayd_wq; - struct work_struct flush_expired_bios; - struct list_head delayed_bios; - atomic_t may_delay; -@@ -45,14 +46,13 @@ struct dm_delay_info { - - static DEFINE_MUTEX(delayed_bios_lock); - --static struct workqueue_struct *kdelayd_wq; - static struct kmem_cache *delayed_cache; - - static void handle_delayed_timer(unsigned long data) - { - struct delay_c *dc = (struct delay_c *)data; - -- queue_work(kdelayd_wq, &dc->flush_expired_bios); -+ queue_work(dc->kdelayd_wq, &dc->flush_expired_bios); - } - - static void queue_timeout(struct delay_c *dc, unsigned long expires) -@@ -190,6 +190,12 @@ out: - goto bad_dev_write; - } - -+ dc->kdelayd_wq = alloc_workqueue("kdelayd", WQ_MEM_RECLAIM, 0); -+ if (!dc->kdelayd_wq) { -+ DMERR("Couldn't start kdelayd"); -+ goto bad_queue; -+ } -+ - setup_timer(&dc->delay_timer, handle_delayed_timer, (unsigned long)dc); - - INIT_WORK(&dc->flush_expired_bios, flush_expired_bios); -@@ -202,6 +208,8 @@ out: - ti->private = dc; - return 0; - -+bad_queue: -+ mempool_destroy(dc->delayed_pool); - bad_dev_write: - if (dc->dev_write) - dm_put_device(ti, dc->dev_write); -@@ -216,7 +224,7 @@ static void delay_dtr(struct dm_target *ti) - { - struct delay_c *dc = ti->private; - -- flush_workqueue(kdelayd_wq); -+ destroy_workqueue(dc->kdelayd_wq); - - dm_put_device(ti, dc->dev_read); - -@@ -350,12 +358,6 @@ static int __init dm_delay_init(void) - { - int r = -ENOMEM; - -- kdelayd_wq = alloc_workqueue("kdelayd", WQ_MEM_RECLAIM, 0); -- if (!kdelayd_wq) { -- DMERR("Couldn't start kdelayd"); -- goto bad_queue; -- } -- - delayed_cache = KMEM_CACHE(dm_delay_info, 0); - if (!delayed_cache) { - DMERR("Couldn't create delayed bio cache."); -@@ -373,8 +375,6 @@ static int __init dm_delay_init(void) - bad_register: - kmem_cache_destroy(delayed_cache); - bad_memcache: -- destroy_workqueue(kdelayd_wq); --bad_queue: - return r; - } - -@@ -382,7 +382,6 @@ static void __exit dm_delay_exit(void) - { - dm_unregister_target(&delay_target); - kmem_cache_destroy(delayed_cache); -- destroy_workqueue(kdelayd_wq); - } - - /* Module hooks */ -diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c -index 7e766f92..84ad530 100644 ---- a/drivers/md/dm-mpath.c -+++ b/drivers/md/dm-mpath.c -@@ -84,6 +84,7 @@ struct multipath { - unsigned queue_io; /* Must we queue all I/O? */ - unsigned queue_if_no_path; /* Queue I/O if last path fails? */ - unsigned saved_queue_if_no_path;/* Saved state during suspension */ -+ unsigned pg_init_disabled:1; /* pg_init is not currently allowed */ - unsigned pg_init_retries; /* Number of times to retry pg_init */ - unsigned pg_init_count; /* Number of times pg_init called */ - unsigned pg_init_delay_msecs; /* Number of msecs before pg_init retry */ -@@ -473,7 +474,8 @@ static void process_queued_ios(struct work_struct *work) - (!pgpath && !m->queue_if_no_path)) - must_queue = 0; - -- if (m->pg_init_required && !m->pg_init_in_progress && pgpath) -+ if (m->pg_init_required && !m->pg_init_in_progress && pgpath && -+ !m->pg_init_disabled) - __pg_init_all_paths(m); - - out: -@@ -887,10 +889,20 @@ static void multipath_wait_for_pg_init_completion(struct multipath *m) - - static void flush_multipath_work(struct multipath *m) - { -+ unsigned long flags; -+ -+ spin_lock_irqsave(&m->lock, flags); -+ m->pg_init_disabled = 1; -+ spin_unlock_irqrestore(&m->lock, flags); -+ - flush_workqueue(kmpath_handlerd); - multipath_wait_for_pg_init_completion(m); - flush_workqueue(kmultipathd); - flush_work_sync(&m->trigger_event); -+ -+ spin_lock_irqsave(&m->lock, flags); -+ m->pg_init_disabled = 0; -+ spin_unlock_irqrestore(&m->lock, flags); - } - - static void multipath_dtr(struct dm_target *ti) -@@ -1111,7 +1123,7 @@ static int pg_init_limit_reached(struct multipath *m, struct pgpath *pgpath) - - spin_lock_irqsave(&m->lock, flags); - -- if (m->pg_init_count <= m->pg_init_retries) -+ if (m->pg_init_count <= m->pg_init_retries && !m->pg_init_disabled) - m->pg_init_required = 1; - else - limit_reached = 1; -@@ -1621,7 +1633,7 @@ out: - *---------------------------------------------------------------*/ - static struct target_type multipath_target = { - .name = "multipath", -- .version = {1, 3, 1}, -+ .version = {1, 3, 2}, - .module = THIS_MODULE, - .ctr = multipath_ctr, - .dtr = multipath_dtr, -diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c -index 5c30316..fec79e7 100644 ---- a/drivers/md/dm-snap.c -+++ b/drivers/md/dm-snap.c -@@ -66,6 +66,18 @@ struct dm_snapshot { - - atomic_t pending_exceptions_count; - -+ /* Protected by "lock" */ -+ sector_t exception_start_sequence; -+ -+ /* Protected by kcopyd single-threaded callback */ -+ sector_t exception_complete_sequence; -+ -+ /* -+ * A list of pending exceptions that completed out of order. -+ * Protected by kcopyd single-threaded callback. -+ */ -+ struct list_head out_of_order_list; -+ - mempool_t *pending_pool; - - struct dm_exception_table pending; -@@ -171,6 +183,14 @@ struct dm_snap_pending_exception { - */ - int started; - -+ /* There was copying error. */ -+ int copy_error; -+ -+ /* A sequence number, it is used for in-order completion. */ -+ sector_t exception_sequence; -+ -+ struct list_head out_of_order_entry; -+ - /* - * For writing a complete chunk, bypassing the copy. - */ -@@ -1090,6 +1110,9 @@ static int snapshot_ctr(struct dm_target *ti, unsigned int argc, char **argv) - s->valid = 1; - s->active = 0; - atomic_set(&s->pending_exceptions_count, 0); -+ s->exception_start_sequence = 0; -+ s->exception_complete_sequence = 0; -+ INIT_LIST_HEAD(&s->out_of_order_list); - init_rwsem(&s->lock); - INIT_LIST_HEAD(&s->list); - spin_lock_init(&s->pe_lock); -@@ -1448,6 +1471,19 @@ static void commit_callback(void *context, int success) - pending_complete(pe, success); - } - -+static void complete_exception(struct dm_snap_pending_exception *pe) -+{ -+ struct dm_snapshot *s = pe->snap; -+ -+ if (unlikely(pe->copy_error)) -+ pending_complete(pe, 0); -+ -+ else -+ /* Update the metadata if we are persistent */ -+ s->store->type->commit_exception(s->store, &pe->e, -+ commit_callback, pe); -+} -+ - /* - * Called when the copy I/O has finished. kcopyd actually runs - * this code so don't block. -@@ -1457,13 +1493,32 @@ static void copy_callback(int read_err, unsigned long write_err, void *context) - struct dm_snap_pending_exception *pe = context; - struct dm_snapshot *s = pe->snap; - -- if (read_err || write_err) -- pending_complete(pe, 0); -+ pe->copy_error = read_err || write_err; - -- else -- /* Update the metadata if we are persistent */ -- s->store->type->commit_exception(s->store, &pe->e, -- commit_callback, pe); -+ if (pe->exception_sequence == s->exception_complete_sequence) { -+ s->exception_complete_sequence++; -+ complete_exception(pe); -+ -+ while (!list_empty(&s->out_of_order_list)) { -+ pe = list_entry(s->out_of_order_list.next, -+ struct dm_snap_pending_exception, out_of_order_entry); -+ if (pe->exception_sequence != s->exception_complete_sequence) -+ break; -+ s->exception_complete_sequence++; -+ list_del(&pe->out_of_order_entry); -+ complete_exception(pe); -+ } -+ } else { -+ struct list_head *lh; -+ struct dm_snap_pending_exception *pe2; -+ -+ list_for_each_prev(lh, &s->out_of_order_list) { -+ pe2 = list_entry(lh, struct dm_snap_pending_exception, out_of_order_entry); -+ if (pe2->exception_sequence < pe->exception_sequence) -+ break; -+ } -+ list_add(&pe->out_of_order_entry, lh); -+ } - } - - /* -@@ -1558,6 +1613,8 @@ __find_pending_exception(struct dm_snapshot *s, - return NULL; - } - -+ pe->exception_sequence = s->exception_start_sequence++; -+ - dm_insert_exception(&s->pending, &pe->e); - - return pe; -@@ -2200,7 +2257,7 @@ static struct target_type origin_target = { - - static struct target_type snapshot_target = { - .name = "snapshot", -- .version = {1, 10, 1}, -+ .version = {1, 10, 2}, - .module = THIS_MODULE, - .ctr = snapshot_ctr, - .dtr = snapshot_dtr, -diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c -index 52848ab..5c52582 100644 ---- a/drivers/md/dm-table.c -+++ b/drivers/md/dm-table.c -@@ -215,6 +215,11 @@ int dm_table_create(struct dm_table **result, fmode_t mode, - - num_targets = dm_round_up(num_targets, KEYS_PER_NODE); - -+ if (!num_targets) { -+ kfree(t); -+ return -ENOMEM; -+ } -+ - if (alloc_targets(t, num_targets)) { - kfree(t); - t = NULL; -@@ -581,14 +586,28 @@ static int adjoin(struct dm_table *table, struct dm_target *ti) - - /* - * Used to dynamically allocate the arg array. -+ * -+ * We do first allocation with GFP_NOIO because dm-mpath and dm-thin must -+ * process messages even if some device is suspended. These messages have a -+ * small fixed number of arguments. -+ * -+ * On the other hand, dm-switch needs to process bulk data using messages and -+ * excessive use of GFP_NOIO could cause trouble. - */ - static char **realloc_argv(unsigned *array_size, char **old_argv) - { - char **argv; - unsigned new_size; -+ gfp_t gfp; - -- new_size = *array_size ? *array_size * 2 : 64; -- argv = kmalloc(new_size * sizeof(*argv), GFP_KERNEL); -+ if (*array_size) { -+ new_size = *array_size * 2; -+ gfp = GFP_KERNEL; -+ } else { -+ new_size = 8; -+ gfp = GFP_NOIO; -+ } -+ argv = kmalloc(new_size * sizeof(*argv), gfp); - if (argv) { - memcpy(argv, old_argv, *array_size * sizeof(*argv)); - *array_size = new_size; -diff --git a/drivers/media/video/saa7164/saa7164-core.c b/drivers/media/video/saa7164/saa7164-core.c -index 3b7d7b4..8f3c47e 100644 ---- a/drivers/media/video/saa7164/saa7164-core.c -+++ b/drivers/media/video/saa7164/saa7164-core.c -@@ -1386,9 +1386,11 @@ static int __devinit saa7164_initdev(struct pci_dev *pci_dev, - if (fw_debug) { - dev->kthread = kthread_run(saa7164_thread_function, dev, - "saa7164 debug"); -- if (!dev->kthread) -+ if (IS_ERR(dev->kthread)) { -+ dev->kthread = NULL; - printk(KERN_ERR "%s() Failed to create " - "debug kernel thread\n", __func__); -+ } - } - - } /* != BOARD_UNKNOWN */ -diff --git a/drivers/misc/enclosure.c b/drivers/misc/enclosure.c -index 00e5fcac8..cbee842 100644 ---- a/drivers/misc/enclosure.c -+++ b/drivers/misc/enclosure.c -@@ -198,6 +198,13 @@ static void enclosure_remove_links(struct enclosure_component *cdev) - { - char name[ENCLOSURE_NAME_SIZE]; - -+ /* -+ * In odd circumstances, like multipath devices, something else may -+ * already have removed the links, so check for this condition first. -+ */ -+ if (!cdev->dev->kobj.sd) -+ return; -+ - enclosure_link_name(cdev, name); - sysfs_remove_link(&cdev->dev->kobj, name); - sysfs_remove_link(&cdev->cdev.kobj, "device"); -diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c -index 74793af..4802f7f 100644 ---- a/drivers/mmc/card/block.c -+++ b/drivers/mmc/card/block.c -@@ -634,7 +634,7 @@ static int mmc_blk_cmd_error(struct request *req, const char *name, int error, - * Otherwise we don't understand what happened, so abort. - */ - static int mmc_blk_cmd_recovery(struct mmc_card *card, struct request *req, -- struct mmc_blk_request *brq, int *ecc_err) -+ struct mmc_blk_request *brq, int *ecc_err, int *gen_err) - { - bool prev_cmd_status_valid = true; - u32 status, stop_status = 0; -@@ -665,6 +665,16 @@ static int mmc_blk_cmd_recovery(struct mmc_card *card, struct request *req, - (brq->cmd.resp[0] & R1_CARD_ECC_FAILED)) - *ecc_err = 1; - -+ /* Flag General errors */ -+ if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ) -+ if ((status & R1_ERROR) || -+ (brq->stop.resp[0] & R1_ERROR)) { -+ pr_err("%s: %s: general error sending stop or status command, stop cmd response %#x, card status %#x\n", -+ req->rq_disk->disk_name, __func__, -+ brq->stop.resp[0], status); -+ *gen_err = 1; -+ } -+ - /* - * Check the current card state. If it is in some data transfer - * mode, tell it to stop (and hopefully transition back to TRAN.) -@@ -684,6 +694,13 @@ static int mmc_blk_cmd_recovery(struct mmc_card *card, struct request *req, - return ERR_ABORT; - if (stop_status & R1_CARD_ECC_FAILED) - *ecc_err = 1; -+ if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ) -+ if (stop_status & R1_ERROR) { -+ pr_err("%s: %s: general error sending stop command, stop cmd response %#x\n", -+ req->rq_disk->disk_name, __func__, -+ stop_status); -+ *gen_err = 1; -+ } - } - - /* Check for set block count errors */ -@@ -933,7 +950,7 @@ static int mmc_blk_err_check(struct mmc_card *card, - mmc_active); - struct mmc_blk_request *brq = &mq_mrq->brq; - struct request *req = mq_mrq->req; -- int ecc_err = 0; -+ int ecc_err = 0, gen_err = 0; - - /* - * sbc.error indicates a problem with the set block count -@@ -947,7 +964,7 @@ static int mmc_blk_err_check(struct mmc_card *card, - */ - if (brq->sbc.error || brq->cmd.error || brq->stop.error || - brq->data.error) { -- switch (mmc_blk_cmd_recovery(card, req, brq, &ecc_err)) { -+ switch (mmc_blk_cmd_recovery(card, req, brq, &ecc_err, &gen_err)) { - case ERR_RETRY: - return MMC_BLK_RETRY; - case ERR_ABORT: -@@ -975,6 +992,15 @@ static int mmc_blk_err_check(struct mmc_card *card, - */ - if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ) { - u32 status; -+ -+ /* Check stop command response */ -+ if (brq->stop.resp[0] & R1_ERROR) { -+ pr_err("%s: %s: general error sending stop command, stop cmd response %#x\n", -+ req->rq_disk->disk_name, __func__, -+ brq->stop.resp[0]); -+ gen_err = 1; -+ } -+ - do { - int err = get_card_status(card, &status, 5); - if (err) { -@@ -982,6 +1008,14 @@ static int mmc_blk_err_check(struct mmc_card *card, - req->rq_disk->disk_name, err); - return MMC_BLK_CMD_ERR; - } -+ -+ if (status & R1_ERROR) { -+ pr_err("%s: %s: general error sending status command, card status %#x\n", -+ req->rq_disk->disk_name, __func__, -+ status); -+ gen_err = 1; -+ } -+ - /* - * Some cards mishandle the status bits, - * so make sure to check both the busy -@@ -991,6 +1025,13 @@ static int mmc_blk_err_check(struct mmc_card *card, - (R1_CURRENT_STATE(status) == R1_STATE_PRG)); - } - -+ /* if general error occurs, retry the write operation. */ -+ if (gen_err) { -+ pr_warning("%s: retrying write for general error\n", -+ req->rq_disk->disk_name); -+ return MMC_BLK_RETRY; -+ } -+ - if (brq->data.error) { - pr_err("%s: error %d transferring data, sector %u, nr %u, cmd response %#x, card status %#x\n", - req->rq_disk->disk_name, brq->data.error, -diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c -index 9f9982f..3d6beb7 100644 ---- a/drivers/mtd/devices/m25p80.c -+++ b/drivers/mtd/devices/m25p80.c -@@ -71,7 +71,7 @@ - - /* Define max times to check status register before we give up. */ - #define MAX_READY_WAIT_JIFFIES (40 * HZ) /* M25P16 specs 40s max chip erase */ --#define MAX_CMD_SIZE 5 -+#define MAX_CMD_SIZE 6 - - #ifdef CONFIG_M25PXX_USE_FAST_READ - #define OPCODE_READ OPCODE_FAST_READ -@@ -874,14 +874,13 @@ static int __devinit m25p_probe(struct spi_device *spi) - } - } - -- flash = kzalloc(sizeof *flash, GFP_KERNEL); -+ flash = devm_kzalloc(&spi->dev, sizeof(*flash), GFP_KERNEL); - if (!flash) - return -ENOMEM; -- flash->command = kmalloc(MAX_CMD_SIZE + FAST_READ_DUMMY_BYTE, GFP_KERNEL); -- if (!flash->command) { -- kfree(flash); -+ -+ flash->command = devm_kzalloc(&spi->dev, MAX_CMD_SIZE, GFP_KERNEL); -+ if (!flash->command) - return -ENOMEM; -- } - - flash->spi = spi; - mutex_init(&flash->lock); -@@ -978,14 +977,10 @@ static int __devinit m25p_probe(struct spi_device *spi) - static int __devexit m25p_remove(struct spi_device *spi) - { - struct m25p *flash = dev_get_drvdata(&spi->dev); -- int status; - - /* Clean up MTD stuff. */ -- status = mtd_device_unregister(&flash->mtd); -- if (status == 0) { -- kfree(flash->command); -- kfree(flash); -- } -+ mtd_device_unregister(&flash->mtd); -+ - return 0; - } - -diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c -index f39f83e..d6a7764 100644 ---- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c -+++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c -@@ -227,8 +227,6 @@ static void dma_irq_callback(void *param) - struct gpmi_nand_data *this = param; - struct completion *dma_c = &this->dma_done; - -- complete(dma_c); -- - switch (this->dma_type) { - case DMA_FOR_COMMAND: - dma_unmap_sg(this->dev, &this->cmd_sgl, 1, DMA_TO_DEVICE); -@@ -253,6 +251,8 @@ static void dma_irq_callback(void *param) - default: - pr_err("in wrong DMA operation.\n"); - } -+ -+ complete(dma_c); - } - - int start_dma_without_bch_irq(struct gpmi_nand_data *this, -diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c -index daed698..46ed296 100644 ---- a/drivers/mtd/nand/nand_base.c -+++ b/drivers/mtd/nand/nand_base.c -@@ -2895,10 +2895,22 @@ static int nand_flash_detect_onfi(struct mtd_info *mtd, struct nand_chip *chip, - sanitize_string(p->model, sizeof(p->model)); - if (!mtd->name) - mtd->name = p->model; -+ - mtd->writesize = le32_to_cpu(p->byte_per_page); -- mtd->erasesize = le32_to_cpu(p->pages_per_block) * mtd->writesize; -+ -+ /* -+ * pages_per_block and blocks_per_lun may not be a power-of-2 size -+ * (don't ask me who thought of this...). MTD assumes that these -+ * dimensions will be power-of-2, so just truncate the remaining area. -+ */ -+ mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1); -+ mtd->erasesize *= mtd->writesize; -+ - mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page); -- chip->chipsize = (uint64_t)le32_to_cpu(p->blocks_per_lun) * mtd->erasesize; -+ -+ /* See erasesize comment */ -+ chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1); -+ chip->chipsize *= (uint64_t)mtd->erasesize; - *busw = 0; - if (le16_to_cpu(p->features) & 1) - *busw = NAND_BUSWIDTH_16; -diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c -index 8ed48c2..cf95bd8 100644 ---- a/drivers/net/bonding/bond_sysfs.c -+++ b/drivers/net/bonding/bond_sysfs.c -@@ -534,8 +534,9 @@ static ssize_t bonding_store_arp_interval(struct device *d, - goto out; - } - if (bond->params.mode == BOND_MODE_ALB || -- bond->params.mode == BOND_MODE_TLB) { -- pr_info("%s: ARP monitoring cannot be used with ALB/TLB. Only MII monitoring is supported on %s.\n", -+ bond->params.mode == BOND_MODE_TLB || -+ bond->params.mode == BOND_MODE_8023AD) { -+ pr_info("%s: ARP monitoring cannot be used with ALB/TLB/802.3ad. Only MII monitoring is supported on %s.\n", - bond->dev->name, bond->dev->name); - ret = -EINVAL; - goto out; -@@ -693,6 +694,8 @@ static ssize_t bonding_store_downdelay(struct device *d, - int new_value, ret = count; - struct bonding *bond = to_bond(d); - -+ if (!rtnl_trylock()) -+ return restart_syscall(); - if (!(bond->params.miimon)) { - pr_err("%s: Unable to set down delay as MII monitoring is disabled\n", - bond->dev->name); -@@ -726,6 +729,7 @@ static ssize_t bonding_store_downdelay(struct device *d, - } - - out: -+ rtnl_unlock(); - return ret; - } - static DEVICE_ATTR(downdelay, S_IRUGO | S_IWUSR, -@@ -748,6 +752,8 @@ static ssize_t bonding_store_updelay(struct device *d, - int new_value, ret = count; - struct bonding *bond = to_bond(d); - -+ if (!rtnl_trylock()) -+ return restart_syscall(); - if (!(bond->params.miimon)) { - pr_err("%s: Unable to set up delay as MII monitoring is disabled\n", - bond->dev->name); -@@ -781,6 +787,7 @@ static ssize_t bonding_store_updelay(struct device *d, - } - - out: -+ rtnl_unlock(); - return ret; - } - static DEVICE_ATTR(updelay, S_IRUGO | S_IWUSR, -diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c -index 64647d4..91d1b5a 100644 ---- a/drivers/net/can/c_can/c_can.c -+++ b/drivers/net/can/c_can/c_can.c -@@ -764,9 +764,6 @@ static int c_can_do_rx_poll(struct net_device *dev, int quota) - msg_ctrl_save = priv->read_reg(priv, - &priv->regs->ifregs[0].msg_cntrl); - -- if (msg_ctrl_save & IF_MCONT_EOB) -- return num_rx_pkts; -- - if (msg_ctrl_save & IF_MCONT_MSGLST) { - c_can_handle_lost_msg_obj(dev, 0, msg_obj); - num_rx_pkts++; -@@ -774,6 +771,9 @@ static int c_can_do_rx_poll(struct net_device *dev, int quota) - continue; - } - -+ if (msg_ctrl_save & IF_MCONT_EOB) -+ return num_rx_pkts; -+ - if (!(msg_ctrl_save & IF_MCONT_NEWDAT)) - continue; - -diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c -index 6a1acfe..568b821 100644 ---- a/drivers/net/can/sja1000/sja1000.c -+++ b/drivers/net/can/sja1000/sja1000.c -@@ -488,19 +488,19 @@ irqreturn_t sja1000_interrupt(int irq, void *dev_id) - uint8_t isrc, status; - int n = 0; - -- /* Shared interrupts and IRQ off? */ -- if (priv->read_reg(priv, REG_IER) == IRQ_OFF) -- return IRQ_NONE; -- - if (priv->pre_irq) - priv->pre_irq(priv); - -+ /* Shared interrupts and IRQ off? */ -+ if (priv->read_reg(priv, REG_IER) == IRQ_OFF) -+ goto out; -+ - while ((isrc = priv->read_reg(priv, REG_IR)) && (n < SJA1000_MAX_IRQ)) { -- n++; -+ - status = priv->read_reg(priv, SJA1000_REG_SR); - /* check for absent controller due to hw unplug */ - if (status == 0xFF && sja1000_is_absent(priv)) -- return IRQ_NONE; -+ goto out; - - if (isrc & IRQ_WUI) - dev_warn(dev->dev.parent, "wakeup interrupt\n"); -@@ -519,7 +519,7 @@ irqreturn_t sja1000_interrupt(int irq, void *dev_id) - status = priv->read_reg(priv, SJA1000_REG_SR); - /* check for absent controller */ - if (status == 0xFF && sja1000_is_absent(priv)) -- return IRQ_NONE; -+ goto out; - } - } - if (isrc & (IRQ_DOI | IRQ_EI | IRQ_BEI | IRQ_EPI | IRQ_ALI)) { -@@ -527,8 +527,9 @@ irqreturn_t sja1000_interrupt(int irq, void *dev_id) - if (sja1000_err(dev, isrc, status)) - break; - } -+ n++; - } -- -+out: - if (priv->post_irq) - priv->post_irq(priv); - -diff --git a/drivers/net/ethernet/smsc/smc91x.h b/drivers/net/ethernet/smsc/smc91x.h -index 5f53fbb..ff1af41 100644 ---- a/drivers/net/ethernet/smsc/smc91x.h -+++ b/drivers/net/ethernet/smsc/smc91x.h -@@ -46,7 +46,8 @@ - defined(CONFIG_MACH_LITTLETON) ||\ - defined(CONFIG_MACH_ZYLONITE2) ||\ - defined(CONFIG_ARCH_VIPER) ||\ -- defined(CONFIG_MACH_STARGATE2) -+ defined(CONFIG_MACH_STARGATE2) ||\ -+ defined(CONFIG_ARCH_VERSATILE) - - #include <asm/mach-types.h> - -@@ -154,6 +155,8 @@ static inline void SMC_outw(u16 val, void __iomem *ioaddr, int reg) - #define SMC_outl(v, a, r) writel(v, (a) + (r)) - #define SMC_insl(a, r, p, l) readsl((a) + (r), p, l) - #define SMC_outsl(a, r, p, l) writesl((a) + (r), p, l) -+#define SMC_insw(a, r, p, l) readsw((a) + (r), p, l) -+#define SMC_outsw(a, r, p, l) writesw((a) + (r), p, l) - #define SMC_IRQ_FLAGS (-1) /* from resource */ - - /* We actually can't write halfwords properly if not word aligned */ -@@ -206,23 +209,6 @@ SMC_outw(u16 val, void __iomem *ioaddr, int reg) - #define RPC_LSA_DEFAULT RPC_LED_TX_RX - #define RPC_LSB_DEFAULT RPC_LED_100_10 - --#elif defined(CONFIG_ARCH_VERSATILE) -- --#define SMC_CAN_USE_8BIT 1 --#define SMC_CAN_USE_16BIT 1 --#define SMC_CAN_USE_32BIT 1 --#define SMC_NOWAIT 1 -- --#define SMC_inb(a, r) readb((a) + (r)) --#define SMC_inw(a, r) readw((a) + (r)) --#define SMC_inl(a, r) readl((a) + (r)) --#define SMC_outb(v, a, r) writeb(v, (a) + (r)) --#define SMC_outw(v, a, r) writew(v, (a) + (r)) --#define SMC_outl(v, a, r) writel(v, (a) + (r)) --#define SMC_insl(a, r, p, l) readsl((a) + (r), p, l) --#define SMC_outsl(a, r, p, l) writesl((a) + (r), p, l) --#define SMC_IRQ_FLAGS (-1) /* from resource */ -- - #elif defined(CONFIG_MN10300) - - /* -diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c -index 1161584..2f319d1 100644 ---- a/drivers/net/ppp/pppoe.c -+++ b/drivers/net/ppp/pppoe.c -@@ -985,8 +985,6 @@ static int pppoe_recvmsg(struct kiocb *iocb, struct socket *sock, - if (error < 0) - goto end; - -- m->msg_namelen = 0; -- - if (skb) { - total_len = min_t(size_t, total_len, skb->len); - error = skb_copy_datagram_iovec(skb, 0, m->msg_iov, total_len); -diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c -index d8d8f0d..35d86fa 100644 ---- a/drivers/net/wireless/libertas/debugfs.c -+++ b/drivers/net/wireless/libertas/debugfs.c -@@ -919,7 +919,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, - char *p2; - struct debug_data *d = f->private_data; - -- pdata = kmalloc(cnt, GFP_KERNEL); -+ if (cnt == 0) -+ return 0; -+ -+ pdata = kmalloc(cnt + 1, GFP_KERNEL); - if (pdata == NULL) - return 0; - -@@ -928,6 +931,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, - kfree(pdata); - return 0; - } -+ pdata[cnt] = '\0'; - - p0 = pdata; - for (i = 0; i < num_of_items; i++) { -diff --git a/drivers/net/wireless/mwifiex/sdio.c b/drivers/net/wireless/mwifiex/sdio.c -index 17f8720..72b253d2 100644 ---- a/drivers/net/wireless/mwifiex/sdio.c -+++ b/drivers/net/wireless/mwifiex/sdio.c -@@ -936,7 +936,10 @@ static int mwifiex_decode_rx_packet(struct mwifiex_adapter *adapter, - struct sk_buff *skb, u32 upld_typ) - { - u8 *cmd_buf; -+ __le16 *curr_ptr = (__le16 *)skb->data; -+ u16 pkt_len = le16_to_cpu(*curr_ptr); - -+ skb_trim(skb, pkt_len); - skb_pull(skb, INTF_HEADER_LEN); - - switch (upld_typ) { -diff --git a/drivers/net/wireless/prism54/islpci_dev.c b/drivers/net/wireless/prism54/islpci_dev.c -index 5d0f615..e2fa538 100644 ---- a/drivers/net/wireless/prism54/islpci_dev.c -+++ b/drivers/net/wireless/prism54/islpci_dev.c -@@ -812,6 +812,10 @@ static const struct net_device_ops islpci_netdev_ops = { - .ndo_validate_addr = eth_validate_addr, - }; - -+static struct device_type wlan_type = { -+ .name = "wlan", -+}; -+ - struct net_device * - islpci_setup(struct pci_dev *pdev) - { -@@ -822,9 +826,8 @@ islpci_setup(struct pci_dev *pdev) - return ndev; - - pci_set_drvdata(pdev, ndev); --#if defined(SET_NETDEV_DEV) - SET_NETDEV_DEV(ndev, &pdev->dev); --#endif -+ SET_NETDEV_DEVTYPE(ndev, &wlan_type); - - /* setup the structure members */ - ndev->base_addr = pci_resource_start(pdev, 0); -diff --git a/drivers/net/wireless/rt2x00/rt2400pci.c b/drivers/net/wireless/rt2x00/rt2400pci.c -index 0ea85f4..131b22b 100644 ---- a/drivers/net/wireless/rt2x00/rt2400pci.c -+++ b/drivers/net/wireless/rt2x00/rt2400pci.c -@@ -1253,7 +1253,7 @@ static void rt2400pci_fill_rxdone(struct queue_entry *entry, - */ - rxdesc->timestamp = ((u64)rx_high << 32) | rx_low; - rxdesc->signal = rt2x00_get_field32(word2, RXD_W2_SIGNAL) & ~0x08; -- rxdesc->rssi = rt2x00_get_field32(word2, RXD_W3_RSSI) - -+ rxdesc->rssi = rt2x00_get_field32(word3, RXD_W3_RSSI) - - entry->queue->rt2x00dev->rssi_offset; - rxdesc->size = rt2x00_get_field32(word0, RXD_W0_DATABYTE_COUNT); - -diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c -index 921da9a..5c38281 100644 ---- a/drivers/net/wireless/rt2x00/rt2x00mac.c -+++ b/drivers/net/wireless/rt2x00/rt2x00mac.c -@@ -771,6 +771,9 @@ void rt2x00mac_flush(struct ieee80211_hw *hw, bool drop) - struct rt2x00_dev *rt2x00dev = hw->priv; - struct data_queue *queue; - -+ if (!test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags)) -+ return; -+ - tx_queue_for_each(rt2x00dev, queue) - rt2x00queue_flush_queue(queue, drop); - } -diff --git a/drivers/net/wireless/rtlwifi/base.c b/drivers/net/wireless/rtlwifi/base.c -index b4ce934..a917a22 100644 ---- a/drivers/net/wireless/rtlwifi/base.c -+++ b/drivers/net/wireless/rtlwifi/base.c -@@ -31,6 +31,7 @@ - - #include <linux/ip.h> - #include <linux/module.h> -+#include <linux/udp.h> - #include "wifi.h" - #include "rc.h" - #include "base.h" -@@ -956,60 +957,51 @@ u8 rtl_is_special_data(struct ieee80211_hw *hw, struct sk_buff *skb, u8 is_tx) - if (!ieee80211_is_data(fc)) - return false; - -+ ip = (const struct iphdr *)(skb->data + mac_hdr_len + -+ SNAP_SIZE + PROTOC_TYPE_SIZE); -+ ether_type = be16_to_cpup((__be16 *) -+ (skb->data + mac_hdr_len + SNAP_SIZE)); - -- ip = (struct iphdr *)((u8 *) skb->data + mac_hdr_len + -- SNAP_SIZE + PROTOC_TYPE_SIZE); -- ether_type = *(u16 *) ((u8 *) skb->data + mac_hdr_len + SNAP_SIZE); -- /* ether_type = ntohs(ether_type); */ -- -- if (ETH_P_IP == ether_type) { -- if (IPPROTO_UDP == ip->protocol) { -- struct udphdr *udp = (struct udphdr *)((u8 *) ip + -- (ip->ihl << 2)); -- if (((((u8 *) udp)[1] == 68) && -- (((u8 *) udp)[3] == 67)) || -- ((((u8 *) udp)[1] == 67) && -- (((u8 *) udp)[3] == 68))) { -- /* -- * 68 : UDP BOOTP client -- * 67 : UDP BOOTP server -- */ -- RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), -- DBG_DMESG, ("dhcp %s !!\n", -- (is_tx) ? "Tx" : "Rx")); -- -- if (is_tx) { -- rtl_lps_leave(hw); -- ppsc->last_delaylps_stamp_jiffies = -- jiffies; -- } -- -- return true; -- } -- } -- } else if (ETH_P_ARP == ether_type) { -- if (is_tx) { -- rtl_lps_leave(hw); -- ppsc->last_delaylps_stamp_jiffies = jiffies; -- } -+ switch (ether_type) { -+ case ETH_P_IP: { -+ struct udphdr *udp; -+ u16 src; -+ u16 dst; - -- return true; -- } else if (ETH_P_PAE == ether_type) { -- RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG, -- ("802.1X %s EAPOL pkt!!\n", (is_tx) ? "Tx" : "Rx")); -+ if (ip->protocol != IPPROTO_UDP) -+ return false; -+ udp = (struct udphdr *)((u8 *)ip + (ip->ihl << 2)); -+ src = be16_to_cpu(udp->source); -+ dst = be16_to_cpu(udp->dest); - -- if (is_tx) { -- rtl_lps_leave(hw); -- ppsc->last_delaylps_stamp_jiffies = jiffies; -- } -+ /* If this case involves port 68 (UDP BOOTP client) connecting -+ * with port 67 (UDP BOOTP server), then return true so that -+ * the lowest speed is used. -+ */ -+ if (!((src == 68 && dst == 67) || (src == 67 && dst == 68))) -+ return false; - -- return true; -- } else if (ETH_P_IPV6 == ether_type) { -- /* IPv6 */ -- return true; -+ RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG, -+ ("dhcp %s !!\n", is_tx ? "Tx" : "Rx")); -+ break; - } -- -- return false; -+ case ETH_P_ARP: -+ break; -+ case ETH_P_PAE: -+ RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG, -+ ("802.1X %s EAPOL pkt!!\n", is_tx ? "Tx" : "Rx")); -+ break; -+ case ETH_P_IPV6: -+ /* TODO: Is this right? */ -+ return false; -+ default: -+ return false; -+ } -+ if (is_tx) { -+ rtl_lps_leave(hw); -+ ppsc->last_delaylps_stamp_jiffies = jiffies; -+ } -+ return true; - } - - /********************************************************* -diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c b/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c -index 060a06f..5515215 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c -@@ -782,7 +782,7 @@ static long _rtl92c_signal_scale_mapping(struct ieee80211_hw *hw, - - static void _rtl92c_query_rxphystatus(struct ieee80211_hw *hw, - struct rtl_stats *pstats, -- struct rx_desc_92c *pdesc, -+ struct rx_desc_92c *p_desc, - struct rx_fwinfo_92c *p_drvinfo, - bool packet_match_bssid, - bool packet_toself, -@@ -797,11 +797,11 @@ static void _rtl92c_query_rxphystatus(struct ieee80211_hw *hw, - u32 rssi, total_rssi = 0; - bool in_powersavemode = false; - bool is_cck_rate; -+ u8 *pdesc = (u8 *)p_desc; - -- is_cck_rate = RX_HAL_IS_CCK_RATE(pdesc); -+ is_cck_rate = RX_HAL_IS_CCK_RATE(p_desc); - pstats->packet_matchbssid = packet_match_bssid; - pstats->packet_toself = packet_toself; -- pstats->is_cck = is_cck_rate; - pstats->packet_beacon = packet_beacon; - pstats->is_cck = is_cck_rate; - pstats->RX_SIGQ[0] = -1; -diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c b/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c -index a7e1a2c..a6ea2d9 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c -@@ -303,10 +303,10 @@ out: - bool rtl92cu_rx_query_desc(struct ieee80211_hw *hw, - struct rtl_stats *stats, - struct ieee80211_rx_status *rx_status, -- u8 *p_desc, struct sk_buff *skb) -+ u8 *pdesc, struct sk_buff *skb) - { - struct rx_fwinfo_92c *p_drvinfo; -- struct rx_desc_92c *pdesc = (struct rx_desc_92c *)p_desc; -+ struct rx_desc_92c *p_desc = (struct rx_desc_92c *)pdesc; - u32 phystatus = GET_RX_DESC_PHY_STATUS(pdesc); - - stats->length = (u16) GET_RX_DESC_PKT_LEN(pdesc); -@@ -345,11 +345,11 @@ bool rtl92cu_rx_query_desc(struct ieee80211_hw *hw, - if (phystatus) { - p_drvinfo = (struct rx_fwinfo_92c *)(skb->data + - stats->rx_bufshift); -- rtl92c_translate_rx_signal_stuff(hw, skb, stats, pdesc, -+ rtl92c_translate_rx_signal_stuff(hw, skb, stats, p_desc, - p_drvinfo); - } - /*rx_status->qual = stats->signal; */ -- rx_status->signal = stats->rssi + 10; -+ rx_status->signal = stats->recvsignalpower + 10; - /*rx_status->noise = -stats->noise; */ - return true; - } -diff --git a/drivers/net/wireless/rtlwifi/rtl8192de/trx.c b/drivers/net/wireless/rtlwifi/rtl8192de/trx.c -index 3637c0c..639b57b 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8192de/trx.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192de/trx.c -@@ -529,7 +529,7 @@ bool rtl92de_rx_query_desc(struct ieee80211_hw *hw, struct rtl_stats *stats, - p_drvinfo); - } - /*rx_status->qual = stats->signal; */ -- rx_status->signal = stats->rssi + 10; -+ rx_status->signal = stats->recvsignalpower + 10; - /*rx_status->noise = -stats->noise; */ - return true; - } -diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/rf.c b/drivers/net/wireless/rtlwifi/rtl8192se/rf.c -index 0ad50fe..13081d9 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8192se/rf.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192se/rf.c -@@ -274,7 +274,7 @@ static void _rtl92s_get_txpower_writeval_byregulatory(struct ieee80211_hw *hw, - rtlefuse->pwrgroup_ht40 - [RF90_PATH_A][chnl - 1]) { - pwrdiff_limit[i] = -- rtlefuse->pwrgroup_ht20 -+ rtlefuse->pwrgroup_ht40 - [RF90_PATH_A][chnl - 1]; - } - } else { -diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c -index fbebe3e..542a871 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c -@@ -582,7 +582,7 @@ bool rtl92se_rx_query_desc(struct ieee80211_hw *hw, struct rtl_stats *stats, - } - - /*rx_status->qual = stats->signal; */ -- rx_status->signal = stats->rssi + 10; -+ rx_status->signal = stats->recvsignalpower + 10; - /*rx_status->noise = -stats->noise; */ - - return true; -diff --git a/drivers/net/wireless/rtlwifi/wifi.h b/drivers/net/wireless/rtlwifi/wifi.h -index 82baaa2..5764ef7 100644 ---- a/drivers/net/wireless/rtlwifi/wifi.h -+++ b/drivers/net/wireless/rtlwifi/wifi.h -@@ -73,11 +73,7 @@ - #define RTL_SLOT_TIME_9 9 - #define RTL_SLOT_TIME_20 20 - --/*related with tcp/ip. */ --/*if_ehther.h*/ --#define ETH_P_PAE 0x888E /*Port Access Entity (IEEE 802.1X) */ --#define ETH_P_IP 0x0800 /*Internet Protocol packet */ --#define ETH_P_ARP 0x0806 /*Address Resolution packet */ -+/*related to tcp/ip. */ - #define SNAP_SIZE 6 - #define PROTOC_TYPE_SIZE 2 - -diff --git a/drivers/pci/pcie/portdrv_pci.c b/drivers/pci/pcie/portdrv_pci.c -index e0610bd..7e41b70 100644 ---- a/drivers/pci/pcie/portdrv_pci.c -+++ b/drivers/pci/pcie/portdrv_pci.c -@@ -151,7 +151,6 @@ static int __devinit pcie_portdrv_probe(struct pci_dev *dev, - static void pcie_portdrv_remove(struct pci_dev *dev) - { - pcie_port_device_remove(dev); -- pci_disable_device(dev); - } - - static int error_detected_iter(struct device *device, void *data) -diff --git a/drivers/rtc/rtc-at91rm9200.c b/drivers/rtc/rtc-at91rm9200.c -index e39b77a..15406d5 100644 ---- a/drivers/rtc/rtc-at91rm9200.c -+++ b/drivers/rtc/rtc-at91rm9200.c -@@ -156,6 +156,8 @@ static int at91_rtc_setalarm(struct device *dev, struct rtc_wkalrm *alrm) - - at91_alarm_year = tm.tm_year; - -+ tm.tm_mon = alrm->time.tm_mon; -+ tm.tm_mday = alrm->time.tm_mday; - tm.tm_hour = alrm->time.tm_hour; - tm.tm_min = alrm->time.tm_min; - tm.tm_sec = alrm->time.tm_sec; -diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c -index fff57de..55f6488 100644 ---- a/drivers/s390/net/qeth_core_main.c -+++ b/drivers/s390/net/qeth_core_main.c -@@ -4322,7 +4322,7 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata) - struct qeth_cmd_buffer *iob; - struct qeth_ipa_cmd *cmd; - struct qeth_snmp_ureq *ureq; -- int req_len; -+ unsigned int req_len; - struct qeth_arp_query_info qinfo = {0, }; - int rc = 0; - -@@ -4338,6 +4338,10 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata) - /* skip 4 bytes (data_len struct member) to get req_len */ - if (copy_from_user(&req_len, udata + sizeof(int), sizeof(int))) - return -EFAULT; -+ if (req_len > (QETH_BUFSIZE - IPA_PDU_HEADER_SIZE - -+ sizeof(struct qeth_ipacmd_hdr) - -+ sizeof(struct qeth_ipacmd_setadpparms_hdr))) -+ return -EINVAL; - ureq = memdup_user(udata, req_len + sizeof(struct qeth_snmp_ureq_hdr)); - if (IS_ERR(ureq)) { - QETH_CARD_TEXT(card, 2, "snmpnome"); -diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c -index 8a0b330..1254431 100644 ---- a/drivers/scsi/aacraid/commctrl.c -+++ b/drivers/scsi/aacraid/commctrl.c -@@ -508,7 +508,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) - goto cleanup; - } - -- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) { -+ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) || -+ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) { - rcode = -EINVAL; - goto cleanup; - } -diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c -index 0f48550..5b7e1bf 100644 ---- a/drivers/scsi/hpsa.c -+++ b/drivers/scsi/hpsa.c -@@ -1186,7 +1186,7 @@ static void complete_scsi_command(struct CommandList *cp) - "has check condition: aborted command: " - "ASC: 0x%x, ASCQ: 0x%x\n", - cp, asc, ascq); -- cmd->result = DID_SOFT_ERROR << 16; -+ cmd->result |= DID_SOFT_ERROR << 16; - break; - } - /* Must be some other type of check condition */ -@@ -4465,7 +4465,7 @@ reinit_after_soft_reset: - hpsa_hba_inquiry(h); - hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */ - start_controller_lockup_detector(h); -- return 1; -+ return 0; - - clean4: - hpsa_free_sg_chain_blocks(h); -diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c -index 4868fc9..5e170e3 100644 ---- a/drivers/scsi/libsas/sas_ata.c -+++ b/drivers/scsi/libsas/sas_ata.c -@@ -197,7 +197,7 @@ static unsigned int sas_ata_qc_issue(struct ata_queued_cmd *qc) - qc->tf.nsect = 0; - } - -- ata_tf_to_fis(&qc->tf, 1, 0, (u8*)&task->ata_task.fis); -+ ata_tf_to_fis(&qc->tf, qc->dev->link->pmp, 1, (u8 *)&task->ata_task.fis); - task->uldd_task = qc; - if (ata_is_atapi(qc->tf.protocol)) { - memcpy(task->ata_task.atapi_packet, qc->cdb, qc->dev->cdb_len); -diff --git a/drivers/staging/tidspbridge/Kconfig b/drivers/staging/tidspbridge/Kconfig -index 93de4f2..b27d9aa 100644 ---- a/drivers/staging/tidspbridge/Kconfig -+++ b/drivers/staging/tidspbridge/Kconfig -@@ -4,7 +4,7 @@ - - menuconfig TIDSPBRIDGE - tristate "DSP Bridge driver" -- depends on ARCH_OMAP3 -+ depends on ARCH_OMAP3 && BROKEN - select OMAP_MBOX_FWK - help - DSP/BIOS Bridge is designed for platforms that contain a GPP and -diff --git a/drivers/staging/zram/zram_sysfs.c b/drivers/staging/zram/zram_sysfs.c -index 1fae1e9..fc552d8 100644 ---- a/drivers/staging/zram/zram_sysfs.c -+++ b/drivers/staging/zram/zram_sysfs.c -@@ -95,20 +95,27 @@ static ssize_t reset_store(struct device *dev, - zram = dev_to_zram(dev); - bdev = bdget_disk(zram->disk, 0); - -+ if (!bdev) -+ return -ENOMEM; -+ - /* Do not reset an active device! */ -- if (bdev->bd_holders) -- return -EBUSY; -+ if (bdev->bd_holders) { -+ ret = -EBUSY; -+ goto out; -+ } - - ret = strict_strtoul(buf, 10, &do_reset); - if (ret) -- return ret; -+ goto out; - -- if (!do_reset) -- return -EINVAL; -+ if (!do_reset) { -+ ret = -EINVAL; -+ goto out; -+ } - - /* Make sure all pending I/O is finished */ -- if (bdev) -- fsync_bdev(bdev); -+ fsync_bdev(bdev); -+ bdput(bdev); - - down_write(&zram->init_lock); - if (zram->init_done) -@@ -116,6 +123,10 @@ static ssize_t reset_store(struct device *dev, - up_write(&zram->init_lock); - - return len; -+ -+out: -+ bdput(bdev); -+ return ret; - } - - static ssize_t num_reads_show(struct device *dev, -diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c -index 1cd6ce3..59e7378 100644 ---- a/drivers/target/iscsi/iscsi_target_auth.c -+++ b/drivers/target/iscsi/iscsi_target_auth.c -@@ -172,6 +172,7 @@ static int chap_server_compute_md5( - unsigned char client_digest[MD5_SIGNATURE_SIZE]; - unsigned char server_digest[MD5_SIGNATURE_SIZE]; - unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH]; -+ size_t compare_len; - struct iscsi_chap *chap = (struct iscsi_chap *) conn->auth_protocol; - struct crypto_hash *tfm; - struct hash_desc desc; -@@ -210,7 +211,9 @@ static int chap_server_compute_md5( - goto out; - } - -- if (memcmp(chap_n, auth->userid, strlen(auth->userid)) != 0) { -+ /* Include the terminating NULL in the compare */ -+ compare_len = strlen(auth->userid) + 1; -+ if (strncmp(chap_n, auth->userid, compare_len) != 0) { - pr_err("CHAP_N values do not match!\n"); - goto out; - } -diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c -index 7d85f88..3486d12 100644 ---- a/drivers/target/iscsi/iscsi_target_nego.c -+++ b/drivers/target/iscsi/iscsi_target_nego.c -@@ -89,7 +89,7 @@ int extract_param( - if (len < 0) - return -1; - -- if (len > max_length) { -+ if (len >= max_length) { - pr_err("Length of input: %d exeeds max_length:" - " %d\n", len, max_length); - return -1; -diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c -index 0cdff38..636ee9e 100644 ---- a/drivers/usb/class/cdc-acm.c -+++ b/drivers/usb/class/cdc-acm.c -@@ -1448,6 +1448,8 @@ static int acm_reset_resume(struct usb_interface *intf) - - static const struct usb_device_id acm_ids[] = { - /* quirky and broken devices */ -+ { USB_DEVICE(0x17ef, 0x7000), /* Lenovo USB modem */ -+ .driver_info = NO_UNION_NORMAL, },/* has no union descriptor */ - { USB_DEVICE(0x0870, 0x0001), /* Metricom GS Modem */ - .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ - }, -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index a5ea85f..7013165 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -900,6 +900,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) - clear_port_feature(hub->hdev, port1, - USB_PORT_FEAT_C_PORT_LINK_STATE); - } -+ if (portchange & USB_PORT_STAT_C_RESET) { -+ need_debounce_delay = true; -+ clear_port_feature(hub->hdev, port1, -+ USB_PORT_FEAT_C_RESET); -+ } - - if ((portchange & USB_PORT_STAT_C_BH_RESET) && - hub_is_superspeed(hub->hdev)) { -@@ -3749,8 +3754,9 @@ static void hub_events(void) - hub->hdev->children[i - 1]; - - dev_dbg(hub_dev, "warm reset port %d\n", i); -- if (!udev || !(portstatus & -- USB_PORT_STAT_CONNECTION)) { -+ if (!udev || -+ !(portstatus & USB_PORT_STAT_CONNECTION) || -+ udev->state == USB_STATE_NOTATTACHED) { - status = hub_port_reset(hub, i, - NULL, HUB_BH_RESET_TIME, - true); -@@ -4018,6 +4024,12 @@ static int usb_reset_and_verify_device(struct usb_device *udev) - } - parent_hub = hdev_to_hub(parent_hdev); - -+ /* Disable USB2 hardware LPM. -+ * It will be re-enabled by the enumeration process. -+ */ -+ if (udev->usb2_hw_lpm_enabled == 1) -+ usb_set_usb2_hardware_lpm(udev, 0); -+ - set_bit(port1, parent_hub->busy_bits); - for (i = 0; i < SET_CONFIG_TRIES; ++i) { - -diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c -index c0dcf69..c4134e8 100644 ---- a/drivers/usb/dwc3/ep0.c -+++ b/drivers/usb/dwc3/ep0.c -@@ -394,6 +394,8 @@ static int dwc3_ep0_handle_feature(struct dwc3 *dwc, - dep = dwc3_wIndex_to_dep(dwc, ctrl->wIndex); - if (!dep) - return -EINVAL; -+ if (set == 0 && (dep->flags & DWC3_EP_WEDGE)) -+ break; - ret = __dwc3_gadget_ep_set_halt(dep, set); - if (ret) - return -EINVAL; -diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c -index 619ee19..5f2e3d0 100644 ---- a/drivers/usb/dwc3/gadget.c -+++ b/drivers/usb/dwc3/gadget.c -@@ -903,9 +903,6 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value) - else - dep->flags |= DWC3_EP_STALL; - } else { -- if (dep->flags & DWC3_EP_WEDGE) -- return 0; -- - ret = dwc3_send_gadget_ep_cmd(dwc, dep->number, - DWC3_DEPCMD_CLEARSTALL, ¶ms); - if (ret) -@@ -913,7 +910,7 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value) - value ? "set" : "clear", - dep->name); - else -- dep->flags &= ~DWC3_EP_STALL; -+ dep->flags &= ~(DWC3_EP_STALL | DWC3_EP_WEDGE); - } - - return ret; -diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c -index f71b078..4484ef1 100644 ---- a/drivers/usb/gadget/composite.c -+++ b/drivers/usb/gadget/composite.c -@@ -585,6 +585,7 @@ static void reset_config(struct usb_composite_dev *cdev) - bitmap_zero(f->endpoints, 32); - } - cdev->config = NULL; -+ cdev->delayed_status = 0; - } - - static int set_config(struct usb_composite_dev *cdev, -diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c -index a3f6fe0..85504bb 100644 ---- a/drivers/usb/serial/ftdi_sio.c -+++ b/drivers/usb/serial/ftdi_sio.c -@@ -2192,6 +2192,20 @@ static void ftdi_set_termios(struct tty_struct *tty, - termios->c_cflag |= CRTSCTS; - } - -+ /* -+ * All FTDI UART chips are limited to CS7/8. We won't pretend to -+ * support CS5/6 and revert the CSIZE setting instead. -+ */ -+ if ((C_CSIZE(tty) != CS8) && (C_CSIZE(tty) != CS7)) { -+ dev_warn(&port->dev, "requested CSIZE setting not supported\n"); -+ -+ termios->c_cflag &= ~CSIZE; -+ if (old_termios) -+ termios->c_cflag |= old_termios->c_cflag & CSIZE; -+ else -+ termios->c_cflag |= CS8; -+ } -+ - cflag = termios->c_cflag; - - if (!old_termios) -@@ -2228,13 +2242,16 @@ no_skip: - } else { - urb_value |= FTDI_SIO_SET_DATA_PARITY_NONE; - } -- if (cflag & CSIZE) { -- switch (cflag & CSIZE) { -- case CS7: urb_value |= 7; dbg("Setting CS7"); break; -- case CS8: urb_value |= 8; dbg("Setting CS8"); break; -- default: -- dev_err(&port->dev, "CSIZE was set but not CS7-CS8\n"); -- } -+ switch (cflag & CSIZE) { -+ case CS7: -+ urb_value |= 7; -+ dev_dbg(&port->dev, "Setting CS7\n"); -+ break; -+ default: -+ case CS8: -+ urb_value |= 8; -+ dev_dbg(&port->dev, "Setting CS8\n"); -+ break; - } - - /* This is needed by the break command since it uses the same command -diff --git a/drivers/usb/serial/generic.c b/drivers/usb/serial/generic.c -index 9f0b2bf..c0e6486 100644 ---- a/drivers/usb/serial/generic.c -+++ b/drivers/usb/serial/generic.c -@@ -228,14 +228,7 @@ retry: - return result; - } - -- /* Try sending off another urb, unless in irq context (in which case -- * there will be no free urb). */ -- if (!in_irq()) -- goto retry; -- -- clear_bit_unlock(USB_SERIAL_WRITE_BUSY, &port->flags); -- -- return 0; -+ goto retry; /* try sending off another urb */ - } - - /** -diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c -index 5d2501e..80fc40a 100644 ---- a/drivers/usb/serial/mos7840.c -+++ b/drivers/usb/serial/mos7840.c -@@ -1689,7 +1689,11 @@ static int mos7840_tiocmget(struct tty_struct *tty) - return -ENODEV; - - status = mos7840_get_uart_reg(port, MODEM_STATUS_REGISTER, &msr); -+ if (status != 1) -+ return -EIO; - status = mos7840_get_uart_reg(port, MODEM_CONTROL_REGISTER, &mcr); -+ if (status != 1) -+ return -EIO; - result = ((mcr & MCR_DTR) ? TIOCM_DTR : 0) - | ((mcr & MCR_RTS) ? TIOCM_RTS : 0) - | ((mcr & MCR_LOOPBACK) ? TIOCM_LOOP : 0) -@@ -1983,25 +1987,25 @@ static void mos7840_change_port_settings(struct tty_struct *tty, - iflag = tty->termios->c_iflag; - - /* Change the number of bits */ -- if (cflag & CSIZE) { -- switch (cflag & CSIZE) { -- case CS5: -- lData = LCR_BITS_5; -- break; -+ switch (cflag & CSIZE) { -+ case CS5: -+ lData = LCR_BITS_5; -+ break; - -- case CS6: -- lData = LCR_BITS_6; -- break; -+ case CS6: -+ lData = LCR_BITS_6; -+ break; - -- case CS7: -- lData = LCR_BITS_7; -- break; -- default: -- case CS8: -- lData = LCR_BITS_8; -- break; -- } -+ case CS7: -+ lData = LCR_BITS_7; -+ break; -+ -+ default: -+ case CS8: -+ lData = LCR_BITS_8; -+ break; - } -+ - /* Change the Parity bit */ - if (cflag & PARENB) { - if (cflag & PARODD) { -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index d8ace82..d6d0fb4 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -85,6 +85,7 @@ static void option_instat_callback(struct urb *urb); - #define HUAWEI_PRODUCT_K4505 0x1464 - #define HUAWEI_PRODUCT_K3765 0x1465 - #define HUAWEI_PRODUCT_K4605 0x14C6 -+#define HUAWEI_PRODUCT_E173S6 0x1C07 - - #define QUANTA_VENDOR_ID 0x0408 - #define QUANTA_PRODUCT_Q101 0xEA02 -@@ -586,6 +587,8 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23, USB_CLASS_COMM, 0x02, 0xff) }, - { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff), - .driver_info = (kernel_ulong_t) &net_intf1_blacklist }, -+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173S6, 0xff, 0xff, 0xff), -+ .driver_info = (kernel_ulong_t) &net_intf1_blacklist }, - { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E1750, 0xff, 0xff, 0xff), - .driver_info = (kernel_ulong_t) &net_intf2_blacklist }, - { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1441, USB_CLASS_COMM, 0x02, 0xff) }, -@@ -648,6 +651,10 @@ static const struct usb_device_id option_ids[] = { - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x6D) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x6E) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x6F) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x72) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x73) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x74) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x75) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x78) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x79) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x7A) }, -@@ -702,6 +709,10 @@ static const struct usb_device_id option_ids[] = { - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x6D) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x6E) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x6F) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x72) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x73) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x74) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x75) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x78) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x79) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x7A) }, -@@ -756,6 +767,10 @@ static const struct usb_device_id option_ids[] = { - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6D) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6E) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6F) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x72) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x73) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x74) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x75) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x78) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x79) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x7A) }, -@@ -810,6 +825,10 @@ static const struct usb_device_id option_ids[] = { - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6D) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6E) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6F) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x72) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x73) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x74) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x75) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x78) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x79) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x7A) }, -@@ -864,6 +883,10 @@ static const struct usb_device_id option_ids[] = { - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6D) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6E) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6F) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x72) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x73) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x74) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x75) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x78) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x79) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x7A) }, -@@ -918,6 +941,10 @@ static const struct usb_device_id option_ids[] = { - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6D) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6E) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6F) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x72) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x73) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x74) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x75) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x78) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x79) }, - { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x7A) }, -@@ -1391,6 +1418,23 @@ static const struct usb_device_id option_ids[] = { - .driver_info = (kernel_ulong_t)&net_intf2_blacklist }, - { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1426, 0xff, 0xff, 0xff), /* ZTE MF91 */ - .driver_info = (kernel_ulong_t)&net_intf2_blacklist }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1545, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1546, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1547, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1565, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1566, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1567, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1589, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1590, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1591, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1592, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1594, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1596, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1598, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1600, 0xff, 0xff, 0xff) }, - { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2002, 0xff, - 0xff, 0xff), .driver_info = (kernel_ulong_t)&zte_k3765_z_blacklist }, - { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2003, 0xff, 0xff, 0xff) }, -diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c -index 317e503..e3936c1 100644 ---- a/drivers/usb/serial/pl2303.c -+++ b/drivers/usb/serial/pl2303.c -@@ -290,24 +290,21 @@ static void pl2303_set_termios(struct tty_struct *tty, - dbg("0xa1:0x21:0:0 %d - %x %x %x %x %x %x %x", i, - buf[0], buf[1], buf[2], buf[3], buf[4], buf[5], buf[6]); - -- if (cflag & CSIZE) { -- switch (cflag & CSIZE) { -- case CS5: -- buf[6] = 5; -- break; -- case CS6: -- buf[6] = 6; -- break; -- case CS7: -- buf[6] = 7; -- break; -- default: -- case CS8: -- buf[6] = 8; -- break; -- } -- dbg("%s - data bits = %d", __func__, buf[6]); -+ switch (C_CSIZE(tty)) { -+ case CS5: -+ buf[6] = 5; -+ break; -+ case CS6: -+ buf[6] = 6; -+ break; -+ case CS7: -+ buf[6] = 7; -+ break; -+ default: -+ case CS8: -+ buf[6] = 8; - } -+ dev_dbg(&port->dev, "data bits = %d\n", buf[6]); - - /* For reference buf[0]:buf[3] baud rate value */ - /* NOTE: Only the values defined in baud_sup are supported ! -diff --git a/drivers/usb/serial/spcp8x5.c b/drivers/usb/serial/spcp8x5.c -index f3179b0..2f67b99 100644 ---- a/drivers/usb/serial/spcp8x5.c -+++ b/drivers/usb/serial/spcp8x5.c -@@ -394,22 +394,20 @@ static void spcp8x5_set_termios(struct tty_struct *tty, - } - - /* Set Data Length : 00:5bit, 01:6bit, 10:7bit, 11:8bit */ -- if (cflag & CSIZE) { -- switch (cflag & CSIZE) { -- case CS5: -- buf[1] |= SET_UART_FORMAT_SIZE_5; -- break; -- case CS6: -- buf[1] |= SET_UART_FORMAT_SIZE_6; -- break; -- case CS7: -- buf[1] |= SET_UART_FORMAT_SIZE_7; -- break; -- default: -- case CS8: -- buf[1] |= SET_UART_FORMAT_SIZE_8; -- break; -- } -+ switch (cflag & CSIZE) { -+ case CS5: -+ buf[1] |= SET_UART_FORMAT_SIZE_5; -+ break; -+ case CS6: -+ buf[1] |= SET_UART_FORMAT_SIZE_6; -+ break; -+ case CS7: -+ buf[1] |= SET_UART_FORMAT_SIZE_7; -+ break; -+ default: -+ case CS8: -+ buf[1] |= SET_UART_FORMAT_SIZE_8; -+ break; - } - - /* Set Stop bit2 : 0:1bit 1:2bit */ -diff --git a/drivers/usb/wusbcore/wa-rpipe.c b/drivers/usb/wusbcore/wa-rpipe.c -index f0d546c..ca1031b 100644 ---- a/drivers/usb/wusbcore/wa-rpipe.c -+++ b/drivers/usb/wusbcore/wa-rpipe.c -@@ -332,7 +332,10 @@ static int rpipe_aim(struct wa_rpipe *rpipe, struct wahc *wa, - /* FIXME: compute so seg_size > ep->maxpktsize */ - rpipe->descr.wBlocks = cpu_to_le16(16); /* given */ - /* ep0 maxpktsize is 0x200 (WUSB1.0[4.8.1]) */ -- rpipe->descr.wMaxPacketSize = cpu_to_le16(ep->desc.wMaxPacketSize); -+ if (usb_endpoint_xfer_isoc(&ep->desc)) -+ rpipe->descr.wMaxPacketSize = epcd->wOverTheAirPacketSize; -+ else -+ rpipe->descr.wMaxPacketSize = ep->desc.wMaxPacketSize; - rpipe->descr.bHSHubAddress = 0; /* reserved: zero */ - rpipe->descr.bHSHubPort = wusb_port_no_to_idx(urb->dev->portnum); - /* FIXME: use maximum speed as supported or recommended by device */ -diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c -index 57c01ab..5f6df6e 100644 ---- a/drivers/usb/wusbcore/wa-xfer.c -+++ b/drivers/usb/wusbcore/wa-xfer.c -@@ -90,7 +90,8 @@ - #include "wusbhc.h" - - enum { -- WA_SEGS_MAX = 255, -+ /* [WUSB] section 8.3.3 allocates 7 bits for the segment index. */ -+ WA_SEGS_MAX = 128, - }; - - enum wa_seg_status { -@@ -444,7 +445,7 @@ static ssize_t __wa_xfer_setup_sizes(struct wa_xfer *xfer, - xfer->seg_size = (xfer->seg_size / maxpktsize) * maxpktsize; - xfer->segs = (urb->transfer_buffer_length + xfer->seg_size - 1) - / xfer->seg_size; -- if (xfer->segs >= WA_SEGS_MAX) { -+ if (xfer->segs > WA_SEGS_MAX) { - dev_err(dev, "BUG? ops, number of segments %d bigger than %d\n", - (int)(urb->transfer_buffer_length / xfer->seg_size), - WA_SEGS_MAX); -diff --git a/drivers/video/backlight/atmel-pwm-bl.c b/drivers/video/backlight/atmel-pwm-bl.c -index 0443a4f..dab3a0c 100644 ---- a/drivers/video/backlight/atmel-pwm-bl.c -+++ b/drivers/video/backlight/atmel-pwm-bl.c -@@ -70,7 +70,7 @@ static int atmel_pwm_bl_set_intensity(struct backlight_device *bd) - static int atmel_pwm_bl_get_intensity(struct backlight_device *bd) - { - struct atmel_pwm_bl *pwmbl = bl_get_data(bd); -- u8 intensity; -+ u32 intensity; - - if (pwmbl->pdata->pwm_active_low) { - intensity = pwm_channel_readl(&pwmbl->pwmc, PWM_CDTY) - -@@ -80,7 +80,7 @@ static int atmel_pwm_bl_get_intensity(struct backlight_device *bd) - pwm_channel_readl(&pwmbl->pwmc, PWM_CDTY); - } - -- return intensity; -+ return intensity & 0xffff; - } - - static int atmel_pwm_bl_init_pwm(struct atmel_pwm_bl *pwmbl) -@@ -211,7 +211,8 @@ static int __exit atmel_pwm_bl_remove(struct platform_device *pdev) - struct atmel_pwm_bl *pwmbl = platform_get_drvdata(pdev); - - if (pwmbl->gpio_on != -1) { -- gpio_set_value(pwmbl->gpio_on, 0); -+ gpio_set_value(pwmbl->gpio_on, -+ 0 ^ pwmbl->pdata->on_active_low); - gpio_free(pwmbl->gpio_on); - } - pwm_channel_disable(&pwmbl->pwmc); -diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c -index c858a29..969f74f 100644 ---- a/fs/cifs/cifssmb.c -+++ b/fs/cifs/cifssmb.c -@@ -3437,11 +3437,13 @@ static __u16 ACL_to_cifs_posix(char *parm_data, const char *pACL, - return 0; - } - cifs_acl->version = cpu_to_le16(1); -- if (acl_type == ACL_TYPE_ACCESS) -+ if (acl_type == ACL_TYPE_ACCESS) { - cifs_acl->access_entry_count = cpu_to_le16(count); -- else if (acl_type == ACL_TYPE_DEFAULT) -+ cifs_acl->default_entry_count = __constant_cpu_to_le16(0xFFFF); -+ } else if (acl_type == ACL_TYPE_DEFAULT) { - cifs_acl->default_entry_count = cpu_to_le16(count); -- else { -+ cifs_acl->access_entry_count = __constant_cpu_to_le16(0xFFFF); -+ } else { - cFYI(1, "unknown ACL type %d", acl_type); - return 0; - } -diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c -index 9a37a9b..5ef72c8 100644 ---- a/fs/configfs/dir.c -+++ b/fs/configfs/dir.c -@@ -56,10 +56,19 @@ static void configfs_d_iput(struct dentry * dentry, - struct configfs_dirent *sd = dentry->d_fsdata; - - if (sd) { -- BUG_ON(sd->s_dentry != dentry); - /* Coordinate with configfs_readdir */ - spin_lock(&configfs_dirent_lock); -- sd->s_dentry = NULL; -+ /* Coordinate with configfs_attach_attr where will increase -+ * sd->s_count and update sd->s_dentry to new allocated one. -+ * Only set sd->dentry to null when this dentry is the only -+ * sd owner. -+ * If not do so, configfs_d_iput may run just after -+ * configfs_attach_attr and set sd->s_dentry to null -+ * even it's still in use. -+ */ -+ if (atomic_read(&sd->s_count) <= 2) -+ sd->s_dentry = NULL; -+ - spin_unlock(&configfs_dirent_lock); - configfs_put(sd); - } -@@ -436,8 +445,11 @@ static int configfs_attach_attr(struct configfs_dirent * sd, struct dentry * den - struct configfs_attribute * attr = sd->s_element; - int error; - -+ spin_lock(&configfs_dirent_lock); - dentry->d_fsdata = configfs_get(sd); - sd->s_dentry = dentry; -+ spin_unlock(&configfs_dirent_lock); -+ - error = configfs_create(dentry, (attr->ca_mode & S_IALLUGO) | S_IFREG, - configfs_init_file); - if (error) { -diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c -index d5d5297..2a95047 100644 ---- a/fs/devpts/inode.c -+++ b/fs/devpts/inode.c -@@ -413,6 +413,7 @@ static void devpts_kill_sb(struct super_block *sb) - { - struct pts_fs_info *fsi = DEVPTS_SB(sb); - -+ ida_destroy(&fsi->allocated_ptys); - kfree(fsi); - kill_litter_super(sb); - } -diff --git a/fs/exec.c b/fs/exec.c -index a2d0e51..78199eb 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -2032,6 +2032,12 @@ static int __get_dumpable(unsigned long mm_flags) - return (ret >= 2) ? 2 : ret; - } - -+/* -+ * This returns the actual value of the suid_dumpable flag. For things -+ * that are using this for checking for privilege transitions, it must -+ * test against SUID_DUMP_USER rather than treating it as a boolean -+ * value. -+ */ - int get_dumpable(struct mm_struct *mm) - { - return __get_dumpable(mm->flags); -diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c -index b4e9f3f..05617bd 100644 ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -1271,6 +1271,7 @@ retry: - new_extra_isize = s_min_extra_isize; - kfree(is); is = NULL; - kfree(bs); bs = NULL; -+ brelse(bh); - goto retry; - } - error = -1; -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index 5639efd..3d02931 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -3764,8 +3764,7 @@ nfs4_async_handle_error(struct rpc_task *task, const struct nfs_server *server, - dprintk("%s ERROR %d, Reset session\n", __func__, - task->tk_status); - nfs4_schedule_session_recovery(clp->cl_session); -- task->tk_status = 0; -- return -EAGAIN; -+ goto wait_on_recovery; - #endif /* CONFIG_NFS_V4_1 */ - case -NFS4ERR_DELAY: - nfs_inc_server_stats(server, NFSIOS_DELAY); -@@ -3887,11 +3886,17 @@ static void nfs4_delegreturn_done(struct rpc_task *task, void *calldata) - return; - - switch (task->tk_status) { -- case -NFS4ERR_STALE_STATEID: -- case -NFS4ERR_EXPIRED: - case 0: - renew_lease(data->res.server, data->timestamp); - break; -+ case -NFS4ERR_ADMIN_REVOKED: -+ case -NFS4ERR_DELEG_REVOKED: -+ case -NFS4ERR_BAD_STATEID: -+ case -NFS4ERR_OLD_STATEID: -+ case -NFS4ERR_STALE_STATEID: -+ case -NFS4ERR_EXPIRED: -+ task->tk_status = 0; -+ break; - default: - if (nfs4_async_handle_error(task, data->res.server, NULL) == - -EAGAIN) { -@@ -4052,6 +4057,7 @@ static int _nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock - status = 0; - } - request->fl_ops->fl_release_private(request); -+ request->fl_ops = NULL; - out: - return status; - } -diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c -index 99625b8..ade5316 100644 ---- a/fs/nfsd/nfs4xdr.c -+++ b/fs/nfsd/nfs4xdr.c -@@ -177,8 +177,8 @@ static __be32 *read_buf(struct nfsd4_compoundargs *argp, u32 nbytes) - */ - memcpy(p, argp->p, avail); - /* step to next page */ -- argp->pagelist++; - argp->p = page_address(argp->pagelist[0]); -+ argp->pagelist++; - if (argp->pagelen < PAGE_SIZE) { - argp->end = argp->p + (argp->pagelen>>2); - argp->pagelen = 0; -diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c -index 61b697e..6a66fc0 100644 ---- a/fs/nfsd/vfs.c -+++ b/fs/nfsd/vfs.c -@@ -297,41 +297,12 @@ commit_metadata(struct svc_fh *fhp) - } - - /* -- * Set various file attributes. -- * N.B. After this call fhp needs an fh_put -+ * Go over the attributes and take care of the small differences between -+ * NFS semantics and what Linux expects. - */ --__be32 --nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, -- int check_guard, time_t guardtime) -+static void -+nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap) - { -- struct dentry *dentry; -- struct inode *inode; -- int accmode = NFSD_MAY_SATTR; -- int ftype = 0; -- __be32 err; -- int host_err; -- int size_change = 0; -- -- if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE)) -- accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE; -- if (iap->ia_valid & ATTR_SIZE) -- ftype = S_IFREG; -- -- /* Get inode */ -- err = fh_verify(rqstp, fhp, ftype, accmode); -- if (err) -- goto out; -- -- dentry = fhp->fh_dentry; -- inode = dentry->d_inode; -- -- /* Ignore any mode updates on symlinks */ -- if (S_ISLNK(inode->i_mode)) -- iap->ia_valid &= ~ATTR_MODE; -- -- if (!iap->ia_valid) -- goto out; -- - /* - * NFSv2 does not differentiate between "set-[ac]time-to-now" - * which only requires access, and "set-[ac]time-to-X" which -@@ -341,8 +312,7 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, - * convert to "set to now" instead of "set to explicit time" - * - * We only call inode_change_ok as the last test as technically -- * it is not an interface that we should be using. It is only -- * valid if the filesystem does not define it's own i_op->setattr. -+ * it is not an interface that we should be using. - */ - #define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET) - #define MAX_TOUCH_TIME_ERROR (30*60) -@@ -368,30 +338,6 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, - iap->ia_valid &= ~BOTH_TIME_SET; - } - } -- -- /* -- * The size case is special. -- * It changes the file as well as the attributes. -- */ -- if (iap->ia_valid & ATTR_SIZE) { -- if (iap->ia_size < inode->i_size) { -- err = nfsd_permission(rqstp, fhp->fh_export, dentry, -- NFSD_MAY_TRUNC|NFSD_MAY_OWNER_OVERRIDE); -- if (err) -- goto out; -- } -- -- host_err = get_write_access(inode); -- if (host_err) -- goto out_nfserr; -- -- size_change = 1; -- host_err = locks_verify_truncate(inode, NULL, iap->ia_size); -- if (host_err) { -- put_write_access(inode); -- goto out_nfserr; -- } -- } - - /* sanitize the mode change */ - if (iap->ia_valid & ATTR_MODE) { -@@ -414,32 +360,111 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, - iap->ia_valid |= (ATTR_KILL_SUID | ATTR_KILL_SGID); - } - } -+} - -- /* Change the attributes. */ -+static __be32 -+nfsd_get_write_access(struct svc_rqst *rqstp, struct svc_fh *fhp, -+ struct iattr *iap) -+{ -+ struct inode *inode = fhp->fh_dentry->d_inode; -+ int host_err; - -- iap->ia_valid |= ATTR_CTIME; -+ if (iap->ia_size < inode->i_size) { -+ __be32 err; - -- err = nfserr_notsync; -- if (!check_guard || guardtime == inode->i_ctime.tv_sec) { -- host_err = nfsd_break_lease(inode); -- if (host_err) -- goto out_nfserr; -- fh_lock(fhp); -+ err = nfsd_permission(rqstp, fhp->fh_export, fhp->fh_dentry, -+ NFSD_MAY_TRUNC | NFSD_MAY_OWNER_OVERRIDE); -+ if (err) -+ return err; -+ } - -- host_err = notify_change(dentry, iap); -- err = nfserrno(host_err); -- fh_unlock(fhp); -+ host_err = get_write_access(inode); -+ if (host_err) -+ goto out_nfserrno; -+ -+ host_err = locks_verify_truncate(inode, NULL, iap->ia_size); -+ if (host_err) -+ goto out_put_write_access; -+ return 0; -+ -+out_put_write_access: -+ put_write_access(inode); -+out_nfserrno: -+ return nfserrno(host_err); -+} -+ -+/* -+ * Set various file attributes. After this call fhp needs an fh_put. -+ */ -+__be32 -+nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, -+ int check_guard, time_t guardtime) -+{ -+ struct dentry *dentry; -+ struct inode *inode; -+ int accmode = NFSD_MAY_SATTR; -+ int ftype = 0; -+ __be32 err; -+ int host_err; -+ int size_change = 0; -+ -+ if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE)) -+ accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE; -+ if (iap->ia_valid & ATTR_SIZE) -+ ftype = S_IFREG; -+ -+ /* Get inode */ -+ err = fh_verify(rqstp, fhp, ftype, accmode); -+ if (err) -+ goto out; -+ -+ dentry = fhp->fh_dentry; -+ inode = dentry->d_inode; -+ -+ /* Ignore any mode updates on symlinks */ -+ if (S_ISLNK(inode->i_mode)) -+ iap->ia_valid &= ~ATTR_MODE; -+ -+ if (!iap->ia_valid) -+ goto out; -+ -+ nfsd_sanitize_attrs(inode, iap); -+ -+ /* -+ * The size case is special, it changes the file in addition to the -+ * attributes. -+ */ -+ if (iap->ia_valid & ATTR_SIZE) { -+ err = nfsd_get_write_access(rqstp, fhp, iap); -+ if (err) -+ goto out; -+ size_change = 1; - } -+ -+ iap->ia_valid |= ATTR_CTIME; -+ -+ if (check_guard && guardtime != inode->i_ctime.tv_sec) { -+ err = nfserr_notsync; -+ goto out_put_write_access; -+ } -+ -+ host_err = nfsd_break_lease(inode); -+ if (host_err) -+ goto out_put_write_access_nfserror; -+ -+ fh_lock(fhp); -+ host_err = notify_change(dentry, iap); -+ fh_unlock(fhp); -+ -+out_put_write_access_nfserror: -+ err = nfserrno(host_err); -+out_put_write_access: - if (size_change) - put_write_access(inode); - if (!err) - commit_metadata(fhp); - out: - return err; -- --out_nfserr: -- err = nfserrno(host_err); -- goto out; - } - - #if defined(CONFIG_NFSD_V2_ACL) || \ -diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c -index d99a905..eb519de 100644 ---- a/fs/xfs/xfs_ioctl.c -+++ b/fs/xfs/xfs_ioctl.c -@@ -404,7 +404,8 @@ xfs_attrlist_by_handle( - return -XFS_ERROR(EPERM); - if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t))) - return -XFS_ERROR(EFAULT); -- if (al_hreq.buflen > XATTR_LIST_MAX) -+ if (al_hreq.buflen < sizeof(struct attrlist) || -+ al_hreq.buflen > XATTR_LIST_MAX) - return -XFS_ERROR(EINVAL); - - /* -diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c -index 54e623b..0d685b3 100644 ---- a/fs/xfs/xfs_ioctl32.c -+++ b/fs/xfs/xfs_ioctl32.c -@@ -361,7 +361,8 @@ xfs_compat_attrlist_by_handle( - if (copy_from_user(&al_hreq, arg, - sizeof(compat_xfs_fsop_attrlist_handlereq_t))) - return -XFS_ERROR(EFAULT); -- if (al_hreq.buflen > XATTR_LIST_MAX) -+ if (al_hreq.buflen < sizeof(struct attrlist) || -+ al_hreq.buflen > XATTR_LIST_MAX) - return -XFS_ERROR(EINVAL); - - /* -diff --git a/include/crypto/scatterwalk.h b/include/crypto/scatterwalk.h -index 4fd95a3..0532279 100644 ---- a/include/crypto/scatterwalk.h -+++ b/include/crypto/scatterwalk.h -@@ -58,6 +58,7 @@ static inline void scatterwalk_sg_chain(struct scatterlist *sg1, int num, - { - sg_set_page(&sg1[num - 1], (void *)sg2, 0, 0); - sg1[num - 1].page_link &= ~0x02; -+ sg1[num - 1].page_link |= 0x01; - } - - static inline struct scatterlist *scatterwalk_sg_next(struct scatterlist *sg) -@@ -65,7 +66,7 @@ static inline struct scatterlist *scatterwalk_sg_next(struct scatterlist *sg) - if (sg_is_last(sg)) - return NULL; - -- return (++sg)->length ? sg : (void *)sg_page(sg); -+ return (++sg)->length ? sg : sg_chain_ptr(sg); - } - - static inline void scatterwalk_crypto_chain(struct scatterlist *head, -diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h -index acd8d4b..d337419 100644 ---- a/include/linux/binfmts.h -+++ b/include/linux/binfmts.h -@@ -112,9 +112,6 @@ extern void setup_new_exec(struct linux_binprm * bprm); - extern void would_dump(struct linux_binprm *, struct file *); - - extern int suid_dumpable; --#define SUID_DUMP_DISABLE 0 /* No setuid dumping */ --#define SUID_DUMP_USER 1 /* Dump as user of process */ --#define SUID_DUMP_ROOT 2 /* Dump as root */ - - /* Stack area protections */ - #define EXSTACK_DEFAULT 0 /* Whatever the arch defaults to */ -diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h -index d8e636e..cba9593 100644 ---- a/include/linux/compiler-intel.h -+++ b/include/linux/compiler-intel.h -@@ -27,5 +27,3 @@ - #define __must_be_array(a) 0 - - #endif -- --#define uninitialized_var(x) x -diff --git a/include/linux/msg.h b/include/linux/msg.h -index 56abf155..70fc369 100644 ---- a/include/linux/msg.h -+++ b/include/linux/msg.h -@@ -76,9 +76,9 @@ struct msginfo { - - /* one msg_msg structure for each message */ - struct msg_msg { -- struct list_head m_list; -- long m_type; -- int m_ts; /* message text size */ -+ struct list_head m_list; -+ long m_type; -+ size_t m_ts; /* message text size */ - struct msg_msgseg* next; - void *security; - /* the actual message follows immediately */ -diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h -index daad4e6..3887901 100644 ---- a/include/linux/mtd/map.h -+++ b/include/linux/mtd/map.h -@@ -361,7 +361,7 @@ static inline map_word map_word_load_partial(struct map_info *map, map_word orig - bitpos = (map_bankwidth(map)-1-i)*8; - #endif - orig.x[0] &= ~(0xff << bitpos); -- orig.x[0] |= buf[i-start] << bitpos; -+ orig.x[0] |= (unsigned long)buf[i-start] << bitpos; - } - } - return orig; -@@ -380,7 +380,7 @@ static inline map_word map_word_ff(struct map_info *map) - - if (map_bankwidth(map) < MAP_FF_LIMIT) { - int bw = 8 * map_bankwidth(map); -- r.x[0] = (1 << bw) - 1; -+ r.x[0] = (1UL << bw) - 1; - } else { - for (i=0; i<map_words(map); i++) - r.x[i] = ~0UL; -diff --git a/include/linux/net.h b/include/linux/net.h -index b7ca08e..bd4f6c7 100644 ---- a/include/linux/net.h -+++ b/include/linux/net.h -@@ -197,6 +197,14 @@ struct proto_ops { - #endif - int (*sendmsg) (struct kiocb *iocb, struct socket *sock, - struct msghdr *m, size_t total_len); -+ /* Notes for implementing recvmsg: -+ * =============================== -+ * msg->msg_namelen should get updated by the recvmsg handlers -+ * iff msg_name != NULL. It is by default 0 to prevent -+ * returning uninitialized memory to user space. The recvfrom -+ * handlers can assume that msg.msg_name is either NULL or has -+ * a minimum size of sizeof(struct sockaddr_storage). -+ */ - int (*recvmsg) (struct kiocb *iocb, struct socket *sock, - struct msghdr *m, size_t total_len, - int flags); -diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h -index 3db3da1..d93f417 100644 ---- a/include/linux/pci_ids.h -+++ b/include/linux/pci_ids.h -@@ -1579,6 +1579,7 @@ - #define PCI_SUBDEVICE_ID_KEYSPAN_SX2 0x5334 - - #define PCI_VENDOR_ID_MARVELL 0x11ab -+#define PCI_VENDOR_ID_MARVELL_EXT 0x1b4b - #define PCI_DEVICE_ID_MARVELL_GT64111 0x4146 - #define PCI_DEVICE_ID_MARVELL_GT64260 0x6430 - #define PCI_DEVICE_ID_MARVELL_MV64360 0x6460 -diff --git a/include/linux/random.h b/include/linux/random.h -index 7e77cee..f5e1311 100644 ---- a/include/linux/random.h -+++ b/include/linux/random.h -@@ -89,9 +89,9 @@ static inline void prandom32_seed(struct rnd_state *state, u64 seed) - { - u32 i = (seed >> 32) ^ (seed << 10) ^ seed; - -- state->s1 = __seed(i, 1); -- state->s2 = __seed(i, 7); -- state->s3 = __seed(i, 15); -+ state->s1 = __seed(i, 2); -+ state->s2 = __seed(i, 8); -+ state->s3 = __seed(i, 16); - } - - #ifdef CONFIG_ARCH_RANDOM -diff --git a/include/linux/sched.h b/include/linux/sched.h -index 8204898..312d047 100644 ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -403,6 +403,10 @@ static inline void arch_pick_mmap_layout(struct mm_struct *mm) {} - extern void set_dumpable(struct mm_struct *mm, int value); - extern int get_dumpable(struct mm_struct *mm); - -+#define SUID_DUMP_DISABLE 0 /* No setuid dumping */ -+#define SUID_DUMP_USER 1 /* Dump as user of process */ -+#define SUID_DUMP_ROOT 2 /* Dump as root */ -+ - /* mm flags */ - /* dumpable bits */ - #define MMF_DUMPABLE 0 /* core dump is permitted */ -diff --git a/include/net/ip.h b/include/net/ip.h -index 06aed72..b935e6c 100644 ---- a/include/net/ip.h -+++ b/include/net/ip.h -@@ -466,7 +466,7 @@ extern int compat_ip_getsockopt(struct sock *sk, int level, - int optname, char __user *optval, int __user *optlen); - extern int ip_ra_control(struct sock *sk, unsigned char on, void (*destructor)(struct sock *)); - --extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len); -+extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len); - extern void ip_icmp_error(struct sock *sk, struct sk_buff *skb, int err, - __be16 port, u32 info, u8 *payload); - extern void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 dport, -diff --git a/include/net/ipv6.h b/include/net/ipv6.h -index 4d549cf..0580673 100644 ---- a/include/net/ipv6.h -+++ b/include/net/ipv6.h -@@ -602,8 +602,10 @@ extern int compat_ipv6_getsockopt(struct sock *sk, - extern int ip6_datagram_connect(struct sock *sk, - struct sockaddr *addr, int addr_len); - --extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len); --extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len); -+extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, -+ int *addr_len); -+extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len, -+ int *addr_len); - extern void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err, __be16 port, - u32 info, u8 *payload); - extern void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info); -diff --git a/include/sound/memalloc.h b/include/sound/memalloc.h -index c425062..ab240bb 100644 ---- a/include/sound/memalloc.h -+++ b/include/sound/memalloc.h -@@ -101,7 +101,7 @@ static inline unsigned int snd_sgbuf_aligned_pages(size_t size) - static inline dma_addr_t snd_sgbuf_get_addr(struct snd_sg_buf *sgbuf, size_t offset) - { - dma_addr_t addr = sgbuf->table[offset >> PAGE_SHIFT].addr; -- addr &= PAGE_MASK; -+ addr &= ~((dma_addr_t)PAGE_SIZE - 1); - return addr + offset % PAGE_SIZE; - } - -diff --git a/include/trace/ftrace.h b/include/trace/ftrace.h -index 7697249..763bf05 100644 ---- a/include/trace/ftrace.h -+++ b/include/trace/ftrace.h -@@ -379,7 +379,8 @@ ftrace_define_fields_##call(struct ftrace_event_call *event_call) \ - __data_size += (len) * sizeof(type); - - #undef __string --#define __string(item, src) __dynamic_array(char, item, strlen(src) + 1) -+#define __string(item, src) __dynamic_array(char, item, \ -+ strlen((src) ? (const char *)(src) : "(null)") + 1) - - #undef DECLARE_EVENT_CLASS - #define DECLARE_EVENT_CLASS(call, proto, args, tstruct, assign, print) \ -@@ -504,7 +505,7 @@ static inline notrace int ftrace_get_offsets_##call( \ - - #undef __assign_str - #define __assign_str(dst, src) \ -- strcpy(__get_str(dst), src); -+ strcpy(__get_str(dst), (src) ? (const char *)(src) : "(null)"); - - #undef TP_fast_assign - #define TP_fast_assign(args...) args -diff --git a/ipc/msgutil.c b/ipc/msgutil.c -index 5652101..fc6fded 100644 ---- a/ipc/msgutil.c -+++ b/ipc/msgutil.c -@@ -37,15 +37,15 @@ struct msg_msgseg { - /* the next part of the message follows immediately */ - }; - --#define DATALEN_MSG (PAGE_SIZE-sizeof(struct msg_msg)) --#define DATALEN_SEG (PAGE_SIZE-sizeof(struct msg_msgseg)) -+#define DATALEN_MSG ((size_t)PAGE_SIZE-sizeof(struct msg_msg)) -+#define DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg)) - --struct msg_msg *load_msg(const void __user *src, int len) -+struct msg_msg *load_msg(const void __user *src, size_t len) - { - struct msg_msg *msg; - struct msg_msgseg **pseg; - int err; -- int alen; -+ size_t alen; - - alen = len; - if (alen > DATALEN_MSG) -@@ -99,9 +99,9 @@ out_err: - return ERR_PTR(err); - } - --int store_msg(void __user *dest, struct msg_msg *msg, int len) -+int store_msg(void __user *dest, struct msg_msg *msg, size_t len) - { -- int alen; -+ size_t alen; - struct msg_msgseg *seg; - - alen = len; -diff --git a/ipc/util.h b/ipc/util.h -index 6f5c20b..0bfc934 100644 ---- a/ipc/util.h -+++ b/ipc/util.h -@@ -138,8 +138,8 @@ int ipc_parse_version (int *cmd); - #endif - - extern void free_msg(struct msg_msg *msg); --extern struct msg_msg *load_msg(const void __user *src, int len); --extern int store_msg(void __user *dest, struct msg_msg *msg, int len); -+extern struct msg_msg *load_msg(const void __user *src, size_t len); -+extern int store_msg(void __user *dest, struct msg_msg *msg, size_t len); - - extern void recompute_msgmni(struct ipc_namespace *); - -diff --git a/kernel/audit.c b/kernel/audit.c -index d4bc594..e14bc74 100644 ---- a/kernel/audit.c -+++ b/kernel/audit.c -@@ -625,7 +625,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, - char *ctx = NULL; - u32 len; - -- if (!audit_enabled) { -+ if (!audit_enabled && msg_type != AUDIT_USER_AVC) { - *ab = NULL; - return rc; - } -@@ -684,6 +684,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - - switch (msg_type) { - case AUDIT_GET: -+ status_set.mask = 0; - status_set.enabled = audit_enabled; - status_set.failure = audit_failure; - status_set.pid = audit_pid; -@@ -695,7 +696,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - &status_set, sizeof(status_set)); - break; - case AUDIT_SET: -- if (nlh->nlmsg_len < sizeof(struct audit_status)) -+ if (nlmsg_len(nlh) < sizeof(struct audit_status)) - return -EINVAL; - status_get = (struct audit_status *)data; - if (status_get->mask & AUDIT_STATUS_ENABLED) { -@@ -899,7 +900,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - struct task_struct *tsk; - unsigned long flags; - -- if (nlh->nlmsg_len < sizeof(struct audit_tty_status)) -+ if (nlmsg_len(nlh) < sizeof(struct audit_tty_status)) - return -EINVAL; - s = data; - if (s->enabled != 0 && s->enabled != 1) -diff --git a/kernel/cpuset.c b/kernel/cpuset.c -index 835eee6..57eb98d 100644 ---- a/kernel/cpuset.c -+++ b/kernel/cpuset.c -@@ -983,8 +983,10 @@ static void cpuset_change_task_nodemask(struct task_struct *tsk, - need_loop = task_has_mempolicy(tsk) || - !nodes_intersects(*newmems, tsk->mems_allowed); - -- if (need_loop) -+ if (need_loop) { -+ local_irq_disable(); - write_seqcount_begin(&tsk->mems_allowed_seq); -+ } - - nodes_or(tsk->mems_allowed, tsk->mems_allowed, *newmems); - mpol_rebind_task(tsk, newmems, MPOL_REBIND_STEP1); -@@ -992,8 +994,10 @@ static void cpuset_change_task_nodemask(struct task_struct *tsk, - mpol_rebind_task(tsk, newmems, MPOL_REBIND_STEP2); - tsk->mems_allowed = *newmems; - -- if (need_loop) -+ if (need_loop) { - write_seqcount_end(&tsk->mems_allowed_seq); -+ local_irq_enable(); -+ } - - task_unlock(tsk); - } -diff --git a/kernel/futex.c b/kernel/futex.c -index 1d0538e..8888815 100644 ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -285,7 +285,7 @@ again: - put_page(page); - /* serialize against __split_huge_page_splitting() */ - local_irq_disable(); -- if (likely(__get_user_pages_fast(address, 1, 1, &page) == 1)) { -+ if (likely(__get_user_pages_fast(address, 1, !ro, &page) == 1)) { - page_head = compound_head(page); - /* - * page_head is valid pointer but we must pin -diff --git a/kernel/irq/pm.c b/kernel/irq/pm.c -index 15e53b1..dcd3f97 100644 ---- a/kernel/irq/pm.c -+++ b/kernel/irq/pm.c -@@ -50,7 +50,7 @@ static void resume_irqs(bool want_early) - bool is_early = desc->action && - desc->action->flags & IRQF_EARLY_RESUME; - -- if (is_early != want_early) -+ if (!is_early && want_early) - continue; - - raw_spin_lock_irqsave(&desc->lock, flags); -diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c -index cbe2c14..380291e 100644 ---- a/kernel/power/snapshot.c -+++ b/kernel/power/snapshot.c -@@ -1390,7 +1390,11 @@ int hibernate_preallocate_memory(void) - * highmem and non-highmem zones separately. - */ - pages_highmem = preallocate_image_highmem(highmem / 2); -- alloc = (count - max_size) - pages_highmem; -+ alloc = count - max_size; -+ if (alloc > pages_highmem) -+ alloc -= pages_highmem; -+ else -+ alloc = 0; - pages = preallocate_image_memory(alloc, avail_normal); - if (pages < alloc) { - /* We have exhausted non-highmem pages, try highmem. */ -diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index 67fedad..f79803a 100644 ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -246,7 +246,8 @@ ok: - smp_rmb(); - if (task->mm) - dumpable = get_dumpable(task->mm); -- if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE)) -+ if (dumpable != SUID_DUMP_USER && -+ !task_ns_capable(task, CAP_SYS_PTRACE)) - return -EPERM; - - return security_ptrace_access_check(task, mode); -diff --git a/kernel/sched_debug.c b/kernel/sched_debug.c -index a6710a1..f4010e2 100644 ---- a/kernel/sched_debug.c -+++ b/kernel/sched_debug.c -@@ -213,6 +213,14 @@ void print_cfs_rq(struct seq_file *m, int cpu, struct cfs_rq *cfs_rq) - SEQ_printf(m, " .%-30s: %d\n", "load_tg", - atomic_read(&cfs_rq->tg->load_weight)); - #endif -+#ifdef CONFIG_CFS_BANDWIDTH -+ SEQ_printf(m, " .%-30s: %d\n", "tg->cfs_bandwidth.timer_active", -+ cfs_rq->tg->cfs_bandwidth.timer_active); -+ SEQ_printf(m, " .%-30s: %d\n", "throttled", -+ cfs_rq->throttled); -+ SEQ_printf(m, " .%-30s: %d\n", "throttle_count", -+ cfs_rq->throttle_count); -+#endif - - print_cfs_group_stats(m, cpu, cfs_rq->tg); - #endif -diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c -index c261da7..5b9e456 100644 ---- a/kernel/sched_fair.c -+++ b/kernel/sched_fair.c -@@ -1527,6 +1527,8 @@ static void throttle_cfs_rq(struct cfs_rq *cfs_rq) - cfs_rq->throttled_timestamp = rq->clock; - raw_spin_lock(&cfs_b->lock); - list_add_tail_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq); -+ if (!cfs_b->timer_active) -+ __start_cfs_bandwidth(cfs_b); - raw_spin_unlock(&cfs_b->lock); - } - -diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c -index 8a46f5d..0907e43 100644 ---- a/kernel/time/alarmtimer.c -+++ b/kernel/time/alarmtimer.c -@@ -468,7 +468,7 @@ static int alarm_clock_getres(const clockid_t which_clock, struct timespec *tp) - clockid_t baseid = alarm_bases[clock2alarm(which_clock)].base_clockid; - - if (!alarmtimer_get_rtcdev()) -- return -ENOTSUPP; -+ return -EINVAL; - - return hrtimer_get_res(baseid, tp); - } -@@ -485,7 +485,7 @@ static int alarm_clock_get(clockid_t which_clock, struct timespec *tp) - struct alarm_base *base = &alarm_bases[clock2alarm(which_clock)]; - - if (!alarmtimer_get_rtcdev()) -- return -ENOTSUPP; -+ return -EINVAL; - - *tp = ktime_to_timespec(base->gettime()); - return 0; -diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 226776b..d40d7f6 100644 ---- a/kernel/trace/ftrace.c -+++ b/kernel/trace/ftrace.c -@@ -259,9 +259,6 @@ static int remove_ftrace_ops(struct ftrace_ops **list, struct ftrace_ops *ops) - - static int __register_ftrace_function(struct ftrace_ops *ops) - { -- if (ftrace_disabled) -- return -ENODEV; -- - if (FTRACE_WARN_ON(ops == &global_ops)) - return -EINVAL; - -@@ -290,9 +287,6 @@ static int __unregister_ftrace_function(struct ftrace_ops *ops) - { - int ret; - -- if (ftrace_disabled) -- return -ENODEV; -- - if (WARN_ON(!(ops->flags & FTRACE_OPS_FL_ENABLED))) - return -EBUSY; - -@@ -1017,6 +1011,11 @@ static struct ftrace_page *ftrace_pages; - - static struct dyn_ftrace *ftrace_free_records; - -+static bool ftrace_hash_empty(struct ftrace_hash *hash) -+{ -+ return !hash || !hash->count; -+} -+ - static struct ftrace_func_entry * - ftrace_lookup_ip(struct ftrace_hash *hash, unsigned long ip) - { -@@ -1025,7 +1024,7 @@ ftrace_lookup_ip(struct ftrace_hash *hash, unsigned long ip) - struct hlist_head *hhd; - struct hlist_node *n; - -- if (!hash->count) -+ if (ftrace_hash_empty(hash)) - return NULL; - - if (hash->size_bits > 0) -@@ -1169,7 +1168,7 @@ alloc_and_copy_ftrace_hash(int size_bits, struct ftrace_hash *hash) - return NULL; - - /* Empty hash? */ -- if (!hash || !hash->count) -+ if (ftrace_hash_empty(hash)) - return new_hash; - - size = 1 << hash->size_bits; -@@ -1294,9 +1293,9 @@ ftrace_ops_test(struct ftrace_ops *ops, unsigned long ip) - filter_hash = rcu_dereference_raw(ops->filter_hash); - notrace_hash = rcu_dereference_raw(ops->notrace_hash); - -- if ((!filter_hash || !filter_hash->count || -+ if ((ftrace_hash_empty(filter_hash) || - ftrace_lookup_ip(filter_hash, ip)) && -- (!notrace_hash || !notrace_hash->count || -+ (ftrace_hash_empty(notrace_hash) || - !ftrace_lookup_ip(notrace_hash, ip))) - ret = 1; - else -@@ -1348,7 +1347,7 @@ static void __ftrace_hash_rec_update(struct ftrace_ops *ops, - if (filter_hash) { - hash = ops->filter_hash; - other_hash = ops->notrace_hash; -- if (!hash || !hash->count) -+ if (ftrace_hash_empty(hash)) - all = 1; - } else { - inc = !inc; -@@ -1358,7 +1357,7 @@ static void __ftrace_hash_rec_update(struct ftrace_ops *ops, - * If the notrace hash has no items, - * then there's nothing to do. - */ -- if (hash && !hash->count) -+ if (ftrace_hash_empty(hash)) - return; - } - -@@ -1375,8 +1374,8 @@ static void __ftrace_hash_rec_update(struct ftrace_ops *ops, - if (!other_hash || !ftrace_lookup_ip(other_hash, rec->ip)) - match = 1; - } else { -- in_hash = hash && !!ftrace_lookup_ip(hash, rec->ip); -- in_other_hash = other_hash && !!ftrace_lookup_ip(other_hash, rec->ip); -+ in_hash = !!ftrace_lookup_ip(hash, rec->ip); -+ in_other_hash = !!ftrace_lookup_ip(other_hash, rec->ip); - - /* - * -@@ -1384,7 +1383,7 @@ static void __ftrace_hash_rec_update(struct ftrace_ops *ops, - if (filter_hash && in_hash && !in_other_hash) - match = 1; - else if (!filter_hash && in_hash && -- (in_other_hash || !other_hash->count)) -+ (in_other_hash || ftrace_hash_empty(other_hash))) - match = 1; - } - if (!match) -@@ -1698,10 +1697,15 @@ static void ftrace_startup_enable(int command) - static int ftrace_startup(struct ftrace_ops *ops, int command) - { - bool hash_enable = true; -+ int ret; - - if (unlikely(ftrace_disabled)) - return -ENODEV; - -+ ret = __register_ftrace_function(ops); -+ if (ret) -+ return ret; -+ - ftrace_start_up++; - command |= FTRACE_UPDATE_CALLS; - -@@ -1723,12 +1727,17 @@ static int ftrace_startup(struct ftrace_ops *ops, int command) - return 0; - } - --static void ftrace_shutdown(struct ftrace_ops *ops, int command) -+static int ftrace_shutdown(struct ftrace_ops *ops, int command) - { - bool hash_disable = true; -+ int ret; - - if (unlikely(ftrace_disabled)) -- return; -+ return -ENODEV; -+ -+ ret = __unregister_ftrace_function(ops); -+ if (ret) -+ return ret; - - ftrace_start_up--; - /* -@@ -1763,9 +1772,10 @@ static void ftrace_shutdown(struct ftrace_ops *ops, int command) - } - - if (!command || !ftrace_enabled) -- return; -+ return 0; - - ftrace_run_update_code(command); -+ return 0; - } - - static void ftrace_startup_sysctl(void) -@@ -1794,12 +1804,57 @@ static cycle_t ftrace_update_time; - static unsigned long ftrace_update_cnt; - unsigned long ftrace_update_tot_cnt; - --static int ops_traces_mod(struct ftrace_ops *ops) -+static inline int ops_traces_mod(struct ftrace_ops *ops) - { -- struct ftrace_hash *hash; -+ /* -+ * Filter_hash being empty will default to trace module. -+ * But notrace hash requires a test of individual module functions. -+ */ -+ return ftrace_hash_empty(ops->filter_hash) && -+ ftrace_hash_empty(ops->notrace_hash); -+} - -- hash = ops->filter_hash; -- return !!(!hash || !hash->count); -+/* -+ * Check if the current ops references the record. -+ * -+ * If the ops traces all functions, then it was already accounted for. -+ * If the ops does not trace the current record function, skip it. -+ * If the ops ignores the function via notrace filter, skip it. -+ */ -+static inline bool -+ops_references_rec(struct ftrace_ops *ops, struct dyn_ftrace *rec) -+{ -+ /* If ops isn't enabled, ignore it */ -+ if (!(ops->flags & FTRACE_OPS_FL_ENABLED)) -+ return 0; -+ -+ /* If ops traces all mods, we already accounted for it */ -+ if (ops_traces_mod(ops)) -+ return 0; -+ -+ /* The function must be in the filter */ -+ if (!ftrace_hash_empty(ops->filter_hash) && -+ !ftrace_lookup_ip(ops->filter_hash, rec->ip)) -+ return 0; -+ -+ /* If in notrace hash, we ignore it too */ -+ if (ftrace_lookup_ip(ops->notrace_hash, rec->ip)) -+ return 0; -+ -+ return 1; -+} -+ -+static int referenced_filters(struct dyn_ftrace *rec) -+{ -+ struct ftrace_ops *ops; -+ int cnt = 0; -+ -+ for (ops = ftrace_ops_list; ops != &ftrace_list_end; ops = ops->next) { -+ if (ops_references_rec(ops, rec)) -+ cnt++; -+ } -+ -+ return cnt; - } - - static int ftrace_update_code(struct module *mod) -@@ -1807,6 +1862,7 @@ static int ftrace_update_code(struct module *mod) - struct dyn_ftrace *p; - cycle_t start, stop; - unsigned long ref = 0; -+ bool test = false; - - /* - * When adding a module, we need to check if tracers are -@@ -1819,9 +1875,12 @@ static int ftrace_update_code(struct module *mod) - - for (ops = ftrace_ops_list; - ops != &ftrace_list_end; ops = ops->next) { -- if (ops->flags & FTRACE_OPS_FL_ENABLED && -- ops_traces_mod(ops)) -- ref++; -+ if (ops->flags & FTRACE_OPS_FL_ENABLED) { -+ if (ops_traces_mod(ops)) -+ ref++; -+ else -+ test = true; -+ } - } - } - -@@ -1829,6 +1888,7 @@ static int ftrace_update_code(struct module *mod) - ftrace_update_cnt = 0; - - while (ftrace_new_addrs) { -+ int cnt = ref; - - /* If something went wrong, bail without enabling anything */ - if (unlikely(ftrace_disabled)) -@@ -1836,7 +1896,9 @@ static int ftrace_update_code(struct module *mod) - - p = ftrace_new_addrs; - ftrace_new_addrs = p->newlist; -- p->flags = ref; -+ if (test) -+ cnt += referenced_filters(p); -+ p->flags = cnt; - - /* - * Do the initial record conversion from mcount jump -@@ -1859,7 +1921,7 @@ static int ftrace_update_code(struct module *mod) - * conversion puts the module to the correct state, thus - * passing the ftrace_make_call check. - */ -- if (ftrace_start_up && ref) { -+ if (ftrace_start_up && cnt) { - int failed = __ftrace_replace_code(p, 1); - if (failed) { - ftrace_bug(failed, p->ip); -@@ -2112,7 +2174,8 @@ static void *t_start(struct seq_file *m, loff_t *pos) - * off, we can short cut and just print out that all - * functions are enabled. - */ -- if (iter->flags & FTRACE_ITER_FILTER && !ops->filter_hash->count) { -+ if (iter->flags & FTRACE_ITER_FILTER && -+ ftrace_hash_empty(ops->filter_hash)) { - if (*pos > 0) - return t_hash_start(m, pos); - iter->flags |= FTRACE_ITER_PRINTALL; -@@ -2564,16 +2627,13 @@ static void __enable_ftrace_function_probe(void) - if (i == FTRACE_FUNC_HASHSIZE) - return; - -- ret = __register_ftrace_function(&trace_probe_ops); -- if (!ret) -- ret = ftrace_startup(&trace_probe_ops, 0); -+ ret = ftrace_startup(&trace_probe_ops, 0); - - ftrace_probe_registered = 1; - } - - static void __disable_ftrace_function_probe(void) - { -- int ret; - int i; - - if (!ftrace_probe_registered) -@@ -2586,9 +2646,7 @@ static void __disable_ftrace_function_probe(void) - } - - /* no more funcs left */ -- ret = __unregister_ftrace_function(&trace_probe_ops); -- if (!ret) -- ftrace_shutdown(&trace_probe_ops, 0); -+ ftrace_shutdown(&trace_probe_ops, 0); - - ftrace_probe_registered = 0; - } -@@ -3561,12 +3619,15 @@ device_initcall(ftrace_nodyn_init); - static inline int ftrace_init_dyn_debugfs(struct dentry *d_tracer) { return 0; } - static inline void ftrace_startup_enable(int command) { } - /* Keep as macros so we do not need to define the commands */ --# define ftrace_startup(ops, command) \ -- ({ \ -- (ops)->flags |= FTRACE_OPS_FL_ENABLED; \ -- 0; \ -+# define ftrace_startup(ops, command) \ -+ ({ \ -+ int ___ret = __register_ftrace_function(ops); \ -+ if (!___ret) \ -+ (ops)->flags |= FTRACE_OPS_FL_ENABLED; \ -+ ___ret; \ - }) --# define ftrace_shutdown(ops, command) do { } while (0) -+# define ftrace_shutdown(ops, command) __unregister_ftrace_function(ops) -+ - # define ftrace_startup_sysctl() do { } while (0) - # define ftrace_shutdown_sysctl() do { } while (0) - -@@ -3906,15 +3967,8 @@ int register_ftrace_function(struct ftrace_ops *ops) - - mutex_lock(&ftrace_lock); - -- if (unlikely(ftrace_disabled)) -- goto out_unlock; -- -- ret = __register_ftrace_function(ops); -- if (!ret) -- ret = ftrace_startup(ops, 0); -- -+ ret = ftrace_startup(ops, 0); - -- out_unlock: - mutex_unlock(&ftrace_lock); - return ret; - } -@@ -3931,9 +3985,7 @@ int unregister_ftrace_function(struct ftrace_ops *ops) - int ret; - - mutex_lock(&ftrace_lock); -- ret = __unregister_ftrace_function(ops); -- if (!ret) -- ftrace_shutdown(ops, 0); -+ ret = ftrace_shutdown(ops, 0); - mutex_unlock(&ftrace_lock); - - return ret; -@@ -4127,6 +4179,12 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, - return NOTIFY_DONE; - } - -+/* Just a place holder for function graph */ -+static struct ftrace_ops fgraph_ops __read_mostly = { -+ .func = ftrace_stub, -+ .flags = FTRACE_OPS_FL_GLOBAL, -+}; -+ - int register_ftrace_graph(trace_func_graph_ret_t retfunc, - trace_func_graph_ent_t entryfunc) - { -@@ -4153,7 +4211,7 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, - ftrace_graph_return = retfunc; - ftrace_graph_entry = entryfunc; - -- ret = ftrace_startup(&global_ops, FTRACE_START_FUNC_RET); -+ ret = ftrace_startup(&fgraph_ops, FTRACE_START_FUNC_RET); - - out: - mutex_unlock(&ftrace_lock); -@@ -4170,7 +4228,7 @@ void unregister_ftrace_graph(void) - ftrace_graph_active--; - ftrace_graph_return = (trace_func_graph_ret_t)ftrace_stub; - ftrace_graph_entry = ftrace_graph_entry_stub; -- ftrace_shutdown(&global_ops, FTRACE_STOP_FUNC_RET); -+ ftrace_shutdown(&fgraph_ops, FTRACE_STOP_FUNC_RET); - unregister_pm_notifier(&ftrace_suspend_notifier); - unregister_trace_sched_switch(ftrace_graph_probe_sched_switch, NULL); - -diff --git a/lib/random32.c b/lib/random32.c -index fc3545a..1f44bdc 100644 ---- a/lib/random32.c -+++ b/lib/random32.c -@@ -92,7 +92,7 @@ void srandom32(u32 entropy) - */ - for_each_possible_cpu (i) { - struct rnd_state *state = &per_cpu(net_rand_state, i); -- state->s1 = __seed(state->s1 ^ entropy, 1); -+ state->s1 = __seed(state->s1 ^ entropy, 2); - } - } - EXPORT_SYMBOL(srandom32); -@@ -109,9 +109,9 @@ static int __init random32_init(void) - struct rnd_state *state = &per_cpu(net_rand_state,i); - - #define LCG(x) ((x) * 69069) /* super-duper LCG */ -- state->s1 = __seed(LCG(i + jiffies), 1); -- state->s2 = __seed(LCG(state->s1), 7); -- state->s3 = __seed(LCG(state->s2), 15); -+ state->s1 = __seed(LCG(i + jiffies), 2); -+ state->s2 = __seed(LCG(state->s1), 8); -+ state->s3 = __seed(LCG(state->s2), 16); - - /* "warm it up" */ - prandom32(state); -@@ -138,9 +138,9 @@ static int __init random32_reseed(void) - u32 seeds[3]; - - get_random_bytes(&seeds, sizeof(seeds)); -- state->s1 = __seed(seeds[0], 1); -- state->s2 = __seed(seeds[1], 7); -- state->s3 = __seed(seeds[2], 15); -+ state->s1 = __seed(seeds[0], 2); -+ state->s2 = __seed(seeds[1], 8); -+ state->s3 = __seed(seeds[2], 16); - - /* mix it in */ - prandom32(state); -diff --git a/lib/vsprintf.c b/lib/vsprintf.c -index d74c317..ae02e42 100644 ---- a/lib/vsprintf.c -+++ b/lib/vsprintf.c -@@ -25,6 +25,7 @@ - #include <linux/kallsyms.h> - #include <linux/uaccess.h> - #include <linux/ioport.h> -+#include <linux/cred.h> - #include <net/addrconf.h> - - #include <asm/page.h> /* for PAGE_SIZE */ -@@ -892,10 +893,35 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, - spec.field_width = 2 * sizeof(void *); - return string(buf, end, "pK-error", spec); - } -- if (!((kptr_restrict == 0) || -- (kptr_restrict == 1 && -- has_capability_noaudit(current, CAP_SYSLOG)))) -+ -+ switch (kptr_restrict) { -+ case 0: -+ /* Always print %pK values */ -+ break; -+ case 1: { -+ /* -+ * Only print the real pointer value if the current -+ * process has CAP_SYSLOG and is running with the -+ * same credentials it started with. This is because -+ * access to files is checked at open() time, but %pK -+ * checks permission at read() time. We don't want to -+ * leak pointer values if a binary opens a file using -+ * %pK and then elevates privileges before reading it. -+ */ -+ const struct cred *cred = current_cred(); -+ -+ if (!has_capability_noaudit(current, CAP_SYSLOG) || -+ cred->euid != cred->uid || -+ cred->egid != cred->gid) -+ ptr = NULL; -+ break; -+ } -+ case 2: -+ default: -+ /* Always print 0's for %pK */ - ptr = NULL; -+ break; -+ } - break; - } - spec.flags |= SMALL; -diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c -index bfa9ab93..334d4cd 100644 ---- a/net/appletalk/ddp.c -+++ b/net/appletalk/ddp.c -@@ -1740,7 +1740,6 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr - size_t size, int flags) - { - struct sock *sk = sock->sk; -- struct sockaddr_at *sat = (struct sockaddr_at *)msg->msg_name; - struct ddpehdr *ddp; - int copied = 0; - int offset = 0; -@@ -1769,14 +1768,13 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr - } - err = skb_copy_datagram_iovec(skb, offset, msg->msg_iov, copied); - -- if (!err) { -- if (sat) { -- sat->sat_family = AF_APPLETALK; -- sat->sat_port = ddp->deh_sport; -- sat->sat_addr.s_node = ddp->deh_snode; -- sat->sat_addr.s_net = ddp->deh_snet; -- } -- msg->msg_namelen = sizeof(*sat); -+ if (!err && msg->msg_name) { -+ struct sockaddr_at *sat = msg->msg_name; -+ sat->sat_family = AF_APPLETALK; -+ sat->sat_port = ddp->deh_sport; -+ sat->sat_addr.s_node = ddp->deh_snode; -+ sat->sat_addr.s_net = ddp->deh_snet; -+ msg->msg_namelen = sizeof(*sat); - } - - skb_free_datagram(sk, skb); /* Free the datagram. */ -diff --git a/net/atm/common.c b/net/atm/common.c -index 43b6bfe..0ca06e8 100644 ---- a/net/atm/common.c -+++ b/net/atm/common.c -@@ -500,8 +500,6 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, - struct sk_buff *skb; - int copied, error = -EINVAL; - -- msg->msg_namelen = 0; -- - if (sock->state != SS_CONNECTED) - return -ENOTCONN; - if (flags & ~MSG_DONTWAIT) /* only handle MSG_DONTWAIT */ -diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c -index 86ac37f..7b8db0e 100644 ---- a/net/ax25/af_ax25.c -+++ b/net/ax25/af_ax25.c -@@ -1635,11 +1635,11 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock, - - skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); - -- if (msg->msg_namelen != 0) { -- struct sockaddr_ax25 *sax = (struct sockaddr_ax25 *)msg->msg_name; -+ if (msg->msg_name) { - ax25_digi digi; - ax25_address src; - const unsigned char *mac = skb_mac_header(skb); -+ struct sockaddr_ax25 *sax = msg->msg_name; - - memset(sax, 0, sizeof(struct full_sockaddr_ax25)); - ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL, -diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c -index 838f113..0938f6b 100644 ---- a/net/bluetooth/af_bluetooth.c -+++ b/net/bluetooth/af_bluetooth.c -@@ -245,8 +245,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - if (flags & (MSG_OOB)) - return -EOPNOTSUPP; - -- msg->msg_namelen = 0; -- - skb = skb_recv_datagram(sk, flags, noblock, &err); - if (!skb) { - if (sk->sk_shutdown & RCV_SHUTDOWN) -@@ -311,8 +309,6 @@ int bt_sock_stream_recvmsg(struct kiocb *iocb, struct socket *sock, - if (flags & MSG_OOB) - return -EOPNOTSUPP; - -- msg->msg_namelen = 0; -- - BT_DBG("sk %p size %zu", sk, size); - - lock_sock(sk); -diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c -index 8361ee4..bb78c75 100644 ---- a/net/bluetooth/hci_sock.c -+++ b/net/bluetooth/hci_sock.c -@@ -448,8 +448,6 @@ static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - if (!skb) - return err; - -- msg->msg_namelen = 0; -- - copied = skb->len; - if (len < copied) { - msg->msg_flags |= MSG_TRUNC; -diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c -index 82ce164..14c4864 100644 ---- a/net/bluetooth/rfcomm/sock.c -+++ b/net/bluetooth/rfcomm/sock.c -@@ -627,7 +627,6 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - - if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { - rfcomm_dlc_accept(d); -- msg->msg_namelen = 0; - return 0; - } - -diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c -index f3f75ad..56693c3 100644 ---- a/net/bridge/br_if.c -+++ b/net/bridge/br_if.c -@@ -170,6 +170,8 @@ void br_dev_delete(struct net_device *dev, struct list_head *head) - del_nbp(p); - } - -+ br_fdb_delete_by_port(br, NULL, 1); -+ - del_timer_sync(&br->gc_timer); - - br_sysfs_delbr(br->dev); -diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c -index 53a8e37..7fac75f 100644 ---- a/net/caif/caif_socket.c -+++ b/net/caif/caif_socket.c -@@ -320,8 +320,6 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock, - if (m->msg_flags&MSG_OOB) - goto read_error; - -- m->msg_namelen = 0; -- - skb = skb_recv_datagram(sk, flags, 0 , &ret); - if (!skb) - goto read_error; -@@ -395,8 +393,6 @@ static int caif_stream_recvmsg(struct kiocb *iocb, struct socket *sock, - if (flags&MSG_OOB) - goto out; - -- msg->msg_namelen = 0; -- - /* - * Lock the socket to prevent queue disordering - * while sleeps in memcpy_tomsg -diff --git a/net/compat.c b/net/compat.c -index 3139ef2..41724c9 100644 ---- a/net/compat.c -+++ b/net/compat.c -@@ -72,7 +72,7 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) - __get_user(kmsg->msg_flags, &umsg->msg_flags)) - return -EFAULT; - if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) -- return -EINVAL; -+ kmsg->msg_namelen = sizeof(struct sockaddr_storage); - kmsg->msg_name = compat_ptr(tmp1); - kmsg->msg_iov = compat_ptr(tmp2); - kmsg->msg_control = compat_ptr(tmp3); -@@ -93,7 +93,8 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, - if (err < 0) - return err; - } -- kern_msg->msg_name = kern_address; -+ if (kern_msg->msg_name) -+ kern_msg->msg_name = kern_address; - } else - kern_msg->msg_name = NULL; - -diff --git a/net/core/dev.c b/net/core/dev.c -index 8e455b8..7bcf37d 100644 ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -2609,6 +2609,8 @@ ip: - goto done; - - ip = (const struct iphdr *) (skb->data + nhoff); -+ if (ip->ihl < 5) -+ goto done; - if (ip_is_fragment(ip)) - ip_proto = 0; - else -@@ -4515,7 +4517,7 @@ static void dev_change_rx_flags(struct net_device *dev, int flags) - { - const struct net_device_ops *ops = dev->netdev_ops; - -- if ((dev->flags & IFF_UP) && ops->ndo_change_rx_flags) -+ if (ops->ndo_change_rx_flags) - ops->ndo_change_rx_flags(dev, flags); - } - -diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c -index c02e63c..c0c21b1 100644 ---- a/net/core/fib_rules.c -+++ b/net/core/fib_rules.c -@@ -443,7 +443,8 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) - if (frh->action && (frh->action != rule->action)) - continue; - -- if (frh->table && (frh_get_table(frh, tb) != rule->table)) -+ if (frh_get_table(frh, tb) && -+ (frh_get_table(frh, tb) != rule->table)) - continue; - - if (tb[FRA_PRIORITY] && -diff --git a/net/core/iovec.c b/net/core/iovec.c -index c40f27e..139ef93 100644 ---- a/net/core/iovec.c -+++ b/net/core/iovec.c -@@ -48,7 +48,8 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, - if (err < 0) - return err; - } -- m->msg_name = address; -+ if (m->msg_name) -+ m->msg_name = address; - } else { - m->msg_name = NULL; - } -diff --git a/net/core/pktgen.c b/net/core/pktgen.c -index 2ef7da0..80aeac9 100644 ---- a/net/core/pktgen.c -+++ b/net/core/pktgen.c -@@ -2524,6 +2524,8 @@ static int process_ipsec(struct pktgen_dev *pkt_dev, - if (x) { - int ret; - __u8 *eth; -+ struct iphdr *iph; -+ - nhead = x->props.header_len - skb_headroom(skb); - if (nhead > 0) { - ret = pskb_expand_head(skb, nhead, 0, GFP_ATOMIC); -@@ -2545,6 +2547,11 @@ static int process_ipsec(struct pktgen_dev *pkt_dev, - eth = (__u8 *) skb_push(skb, ETH_HLEN); - memcpy(eth, pkt_dev->hh, 12); - *(u16 *) ð[12] = protocol; -+ -+ /* Update IPv4 header len as well as checksum value */ -+ iph = ip_hdr(skb); -+ iph->tot_len = htons(skb->len - ETH_HLEN); -+ ip_send_check(iph); - } - } - return 1; -diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c -index 19d6aef..5d42df2 100644 ---- a/net/ieee802154/6lowpan.c -+++ b/net/ieee802154/6lowpan.c -@@ -563,7 +563,7 @@ lowpan_process_data(struct sk_buff *skb) - * Traffic class carried in-line - * ECN + DSCP (1 byte), Flow Label is elided - */ -- case 1: /* 10b */ -+ case 2: /* 10b */ - if (!skb->len) - goto drop; - tmp = lowpan_fetch_skb_u8(skb); -@@ -576,7 +576,7 @@ lowpan_process_data(struct sk_buff *skb) - * Flow Label carried in-line - * ECN + 2-bit Pad + Flow Label (3 bytes), DSCP is elided - */ -- case 2: /* 01b */ -+ case 1: /* 01b */ - if (!skb->len) - goto drop; - tmp = lowpan_fetch_skb_u8(skb); -diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c -index 424fafb..ec07510 100644 ---- a/net/ipv4/datagram.c -+++ b/net/ipv4/datagram.c -@@ -57,7 +57,7 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) - if (IS_ERR(rt)) { - err = PTR_ERR(rt); - if (err == -ENETUNREACH) -- IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); -+ IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); - goto out; - } - -diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index 3b36002..542a9c1 100644 ---- a/net/ipv4/ip_sockglue.c -+++ b/net/ipv4/ip_sockglue.c -@@ -374,7 +374,7 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf - /* - * Handle MSG_ERRQUEUE - */ --int ip_recv_error(struct sock *sk, struct msghdr *msg, int len) -+int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) - { - struct sock_exterr_skb *serr; - struct sk_buff *skb, *skb2; -@@ -411,6 +411,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len) - serr->addr_offset); - sin->sin_port = serr->port; - memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - - memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); -diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 294a380..00975b6 100644 ---- a/net/ipv4/ping.c -+++ b/net/ipv4/ping.c -@@ -567,7 +567,7 @@ static int ping_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - err = PTR_ERR(rt); - rt = NULL; - if (err == -ENETUNREACH) -- IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES); -+ IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES); - goto out; - } - -@@ -623,7 +623,6 @@ static int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - size_t len, int noblock, int flags, int *addr_len) - { - struct inet_sock *isk = inet_sk(sk); -- struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name; - struct sk_buff *skb; - int copied, err; - -@@ -632,11 +631,8 @@ static int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - if (flags & MSG_OOB) - goto out; - -- if (addr_len) -- *addr_len = sizeof(*sin); -- - if (flags & MSG_ERRQUEUE) -- return ip_recv_error(sk, msg, len); -+ return ip_recv_error(sk, msg, len, addr_len); - - skb = skb_recv_datagram(sk, flags, noblock, &err); - if (!skb) -@@ -656,11 +652,14 @@ static int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - sock_recv_timestamp(msg, sk, skb); - - /* Copy the address. */ -- if (sin) { -+ if (msg->msg_name) { -+ struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name; -+ - sin->sin_family = AF_INET; - sin->sin_port = 0 /* skb->h.uh->source */; - sin->sin_addr.s_addr = ip_hdr(skb)->saddr; - memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - if (isk->cmsg_flags) - ip_cmsg_recv(msg, skb); -diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c -index 2815014..cfded93 100644 ---- a/net/ipv4/raw.c -+++ b/net/ipv4/raw.c -@@ -686,11 +686,8 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - if (flags & MSG_OOB) - goto out; - -- if (addr_len) -- *addr_len = sizeof(*sin); -- - if (flags & MSG_ERRQUEUE) { -- err = ip_recv_error(sk, msg, len); -+ err = ip_recv_error(sk, msg, len, addr_len); - goto out; - } - -@@ -716,6 +713,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - sin->sin_addr.s_addr = ip_hdr(skb)->saddr; - sin->sin_port = 0; - memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - if (inet->cmsg_flags) - ip_cmsg_recv(msg, skb); -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index a97c9ad..92d7138 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -182,7 +182,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) - if (IS_ERR(rt)) { - err = PTR_ERR(rt); - if (err == -ENETUNREACH) -- IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); -+ IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); - return err; - } - -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 5decc93..8c2e259 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -937,7 +937,7 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - err = PTR_ERR(rt); - rt = NULL; - if (err == -ENETUNREACH) -- IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES); -+ IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES); - goto out; - } - -@@ -1036,6 +1036,9 @@ int udp_sendpage(struct sock *sk, struct page *page, int offset, - struct udp_sock *up = udp_sk(sk); - int ret; - -+ if (flags & MSG_SENDPAGE_NOTLAST) -+ flags |= MSG_MORE; -+ - if (!up->pending) { - struct msghdr msg = { .msg_flags = flags|MSG_MORE }; - -@@ -1171,14 +1174,8 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - int is_udplite = IS_UDPLITE(sk); - bool slow; - -- /* -- * Check any passed addresses -- */ -- if (addr_len) -- *addr_len = sizeof(*sin); -- - if (flags & MSG_ERRQUEUE) -- return ip_recv_error(sk, msg, len); -+ return ip_recv_error(sk, msg, len, addr_len); - - try_again: - skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0), -@@ -1231,6 +1228,7 @@ try_again: - sin->sin_port = udp_hdr(skb)->source; - sin->sin_addr.s_addr = ip_hdr(skb)->saddr; - memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - if (inet->cmsg_flags) - ip_cmsg_recv(msg, skb); -diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c -index e248069..3c7c948 100644 ---- a/net/ipv6/datagram.c -+++ b/net/ipv6/datagram.c -@@ -315,7 +315,7 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu) - /* - * Handle MSG_ERRQUEUE - */ --int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) -+int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) - { - struct ipv6_pinfo *np = inet6_sk(sk); - struct sock_exterr_skb *serr; -@@ -366,6 +366,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) - ipv6_addr_set_v4mapped(*(__be32 *)(nh + serr->addr_offset), - &sin->sin6_addr); - } -+ *addr_len = sizeof(*sin); - } - - memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); -@@ -374,6 +375,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) - if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) { - sin->sin6_family = AF_INET6; - sin->sin6_flowinfo = 0; -+ sin->sin6_port = 0; - sin->sin6_scope_id = 0; - if (skb->protocol == htons(ETH_P_IPV6)) { - ipv6_addr_copy(&sin->sin6_addr, &ipv6_hdr(skb)->saddr); -@@ -418,7 +420,8 @@ out: - /* - * Handle IPV6_RECVPATHMTU - */ --int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len) -+int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len, -+ int *addr_len) - { - struct ipv6_pinfo *np = inet6_sk(sk); - struct sk_buff *skb; -@@ -452,6 +455,7 @@ int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len) - sin->sin6_port = 0; - sin->sin6_scope_id = mtu_info.ip6m_addr.sin6_scope_id; - ipv6_addr_copy(&sin->sin6_addr, &mtu_info.ip6m_addr.sin6_addr); -+ *addr_len = sizeof(*sin); - } - - put_cmsg(msg, SOL_IPV6, IPV6_PATHMTU, sizeof(mtu_info), &mtu_info); -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 97675bf..d3fde7e 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -144,8 +144,8 @@ static int ip6_finish_output2(struct sk_buff *skb) - return res; - } - rcu_read_unlock(); -- IP6_INC_STATS_BH(dev_net(dst->dev), -- ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); -+ IP6_INC_STATS(dev_net(dst->dev), -+ ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); - kfree_skb(skb); - return -EINVAL; - } -diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c -index 6e6c2c4..9ecbc84 100644 ---- a/net/ipv6/raw.c -+++ b/net/ipv6/raw.c -@@ -456,14 +456,11 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, - if (flags & MSG_OOB) - return -EOPNOTSUPP; - -- if (addr_len) -- *addr_len=sizeof(*sin6); -- - if (flags & MSG_ERRQUEUE) -- return ipv6_recv_error(sk, msg, len); -+ return ipv6_recv_error(sk, msg, len, addr_len); - - if (np->rxpmtu && np->rxopt.bits.rxpmtu) -- return ipv6_recv_rxpmtu(sk, msg, len); -+ return ipv6_recv_rxpmtu(sk, msg, len, addr_len); - - skb = skb_recv_datagram(sk, flags, noblock, &err); - if (!skb) -@@ -498,6 +495,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, - sin6->sin6_scope_id = 0; - if (ipv6_addr_type(&sin6->sin6_addr) & IPV6_ADDR_LINKLOCAL) - sin6->sin6_scope_id = IP6CB(skb)->iif; -+ *addr_len = sizeof(*sin6); - } - - sock_recv_ts_and_drops(msg, sk, skb); -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index bc9103d..1768238 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -592,8 +592,11 @@ int rt6_route_rcv(struct net_device *dev, u8 *opt, int len, - prefix = &prefix_buf; - } - -- rt = rt6_get_route_info(net, prefix, rinfo->prefix_len, gwaddr, -- dev->ifindex); -+ if (rinfo->prefix_len == 0) -+ rt = rt6_get_dflt_router(gwaddr, dev); -+ else -+ rt = rt6_get_route_info(net, prefix, rinfo->prefix_len, -+ gwaddr, dev->ifindex); - - if (rt && !lifetime) { - ip6_del_rt(rt); -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index f9e496b..f8bec1e 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -347,14 +347,11 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, - int is_udp4; - bool slow; - -- if (addr_len) -- *addr_len=sizeof(struct sockaddr_in6); -- - if (flags & MSG_ERRQUEUE) -- return ipv6_recv_error(sk, msg, len); -+ return ipv6_recv_error(sk, msg, len, addr_len); - - if (np->rxpmtu && np->rxopt.bits.rxpmtu) -- return ipv6_recv_rxpmtu(sk, msg, len); -+ return ipv6_recv_rxpmtu(sk, msg, len, addr_len); - - try_again: - skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0), -@@ -423,7 +420,7 @@ try_again: - if (ipv6_addr_type(&sin6->sin6_addr) & IPV6_ADDR_LINKLOCAL) - sin6->sin6_scope_id = IP6CB(skb)->iif; - } -- -+ *addr_len = sizeof(*sin6); - } - if (is_udp4) { - if (inet->cmsg_flags) -diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c -index 9680226..8c06a50 100644 ---- a/net/ipx/af_ipx.c -+++ b/net/ipx/af_ipx.c -@@ -1835,8 +1835,6 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock, - if (skb->tstamp.tv64) - sk->sk_stamp = skb->tstamp; - -- msg->msg_namelen = sizeof(*sipx); -- - if (sipx) { - sipx->sipx_family = AF_IPX; - sipx->sipx_port = ipx->ipx_source.sock; -@@ -1844,6 +1842,7 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock, - sipx->sipx_network = IPX_SKB_CB(skb)->ipx_source_net; - sipx->sipx_type = ipx->ipx_type; - sipx->sipx_zero = 0; -+ msg->msg_namelen = sizeof(*sipx); - } - rc = copied; - -diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c -index 91821e9..f5d011a 100644 ---- a/net/irda/af_irda.c -+++ b/net/irda/af_irda.c -@@ -1386,8 +1386,6 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock, - - IRDA_DEBUG(4, "%s()\n", __func__); - -- msg->msg_namelen = 0; -- - skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, - flags & MSG_DONTWAIT, &err); - if (!skb) -@@ -1452,8 +1450,6 @@ static int irda_recvmsg_stream(struct kiocb *iocb, struct socket *sock, - target = sock_rcvlowat(sk, flags & MSG_WAITALL, size); - timeo = sock_rcvtimeo(sk, noblock); - -- msg->msg_namelen = 0; -- - do { - int chunk; - struct sk_buff *skb = skb_dequeue(&sk->sk_receive_queue); -diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c -index e836140..cf98d62 100644 ---- a/net/iucv/af_iucv.c -+++ b/net/iucv/af_iucv.c -@@ -1356,8 +1356,6 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - int blen; - int err = 0; - -- msg->msg_namelen = 0; -- - if ((sk->sk_state == IUCV_DISCONN || sk->sk_state == IUCV_SEVERED) && - skb_queue_empty(&iucv->backlog_skb_q) && - skb_queue_empty(&sk->sk_receive_queue) && -diff --git a/net/key/af_key.c b/net/key/af_key.c -index 8dbdb8e..dc8d7ef 100644 ---- a/net/key/af_key.c -+++ b/net/key/af_key.c -@@ -3595,7 +3595,6 @@ static int pfkey_recvmsg(struct kiocb *kiocb, - if (flags & ~(MSG_PEEK|MSG_DONTWAIT|MSG_TRUNC|MSG_CMSG_COMPAT)) - goto out; - -- msg->msg_namelen = 0; - skb = skb_recv_datagram(sk, flags, flags & MSG_DONTWAIT, &err); - if (skb == NULL) - goto out; -diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c -index 6c7e609..334a93d 100644 ---- a/net/l2tp/l2tp_ip.c -+++ b/net/l2tp/l2tp_ip.c -@@ -568,9 +568,6 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m - if (flags & MSG_OOB) - goto out; - -- if (addr_len) -- *addr_len = sizeof(*sin); -- - skb = skb_recv_datagram(sk, flags, noblock, &err); - if (!skb) - goto out; -@@ -593,6 +590,7 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m - sin->sin_addr.s_addr = ip_hdr(skb)->saddr; - sin->sin_port = 0; - memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - if (inet->cmsg_flags) - ip_cmsg_recv(msg, skb); -diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c -index 8570079..969cd3e 100644 ---- a/net/l2tp/l2tp_ppp.c -+++ b/net/l2tp/l2tp_ppp.c -@@ -200,8 +200,6 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock, - if (sk->sk_state & PPPOX_BOUND) - goto end; - -- msg->msg_namelen = 0; -- - err = 0; - skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, - flags & MSG_DONTWAIT, &err); -diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c -index e5565c7..99a60d5 100644 ---- a/net/llc/af_llc.c -+++ b/net/llc/af_llc.c -@@ -720,8 +720,6 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, - int target; /* Read at least this many bytes */ - long timeo; - -- msg->msg_namelen = 0; -- - lock_sock(sk); - copied = -ENOTCONN; - if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN)) -diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c -index db01d02..71d8564 100644 ---- a/net/mac80211/rx.c -+++ b/net/mac80211/rx.c -@@ -764,7 +764,8 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx) - u16 sc; - int tid; - -- if (!ieee80211_is_data_qos(hdr->frame_control)) -+ if (!ieee80211_is_data_qos(hdr->frame_control) || -+ is_multicast_ether_addr(hdr->addr1)) - goto dont_reorder; - - /* -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 3d1d55d..2369e96 100644 ---- a/net/netlink/af_netlink.c -+++ b/net/netlink/af_netlink.c -@@ -1445,8 +1445,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, - } - #endif - -- msg->msg_namelen = 0; -- - copied = data_skb->len; - if (len < copied) { - msg->msg_flags |= MSG_TRUNC; -diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c -index 3df7c5a..b4d889b 100644 ---- a/net/netrom/af_netrom.c -+++ b/net/netrom/af_netrom.c -@@ -1182,10 +1182,9 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock, - sax->sax25_family = AF_NETROM; - skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call, - AX25_ADDR_LEN); -+ msg->msg_namelen = sizeof(*sax); - } - -- msg->msg_namelen = sizeof(*sax); -- - skb_free_datagram(sk, skb); - - release_sock(sk); -diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c -index 7a167fc..0d570d3 100644 ---- a/net/nfc/rawsock.c -+++ b/net/nfc/rawsock.c -@@ -248,8 +248,6 @@ static int rawsock_recvmsg(struct kiocb *iocb, struct socket *sock, - if (!skb) - return rc; - -- msg->msg_namelen = 0; -- - copied = skb->len; - if (len < copied) { - msg->msg_flags |= MSG_TRUNC; -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index a2ac2c3..4f19bf2 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -295,6 +295,7 @@ struct packet_sock { - unsigned int tp_reserve; - unsigned int tp_loss:1; - unsigned int tp_tstamp; -+ struct net_device __rcu *cached_dev; - struct packet_type prot_hook ____cacheline_aligned_in_smp; - }; - -@@ -350,11 +351,15 @@ static void __fanout_link(struct sock *sk, struct packet_sock *po); - static void register_prot_hook(struct sock *sk) - { - struct packet_sock *po = pkt_sk(sk); -+ - if (!po->running) { -- if (po->fanout) -+ if (po->fanout) { - __fanout_link(sk, po); -- else -+ } else { - dev_add_pack(&po->prot_hook); -+ rcu_assign_pointer(po->cached_dev, po->prot_hook.dev); -+ } -+ - sock_hold(sk); - po->running = 1; - } -@@ -372,10 +377,13 @@ static void __unregister_prot_hook(struct sock *sk, bool sync) - struct packet_sock *po = pkt_sk(sk); - - po->running = 0; -- if (po->fanout) -+ if (po->fanout) { - __fanout_unlink(sk, po); -- else -+ } else { - __dev_remove_pack(&po->prot_hook); -+ RCU_INIT_POINTER(po->cached_dev, NULL); -+ } -+ - __sock_put(sk); - - if (sync) { -@@ -497,9 +505,9 @@ static void prb_shutdown_retire_blk_timer(struct packet_sock *po, - - pkc = tx_ring ? &po->tx_ring.prb_bdqc : &po->rx_ring.prb_bdqc; - -- spin_lock(&rb_queue->lock); -+ spin_lock_bh(&rb_queue->lock); - pkc->delete_blk_timer = 1; -- spin_unlock(&rb_queue->lock); -+ spin_unlock_bh(&rb_queue->lock); - - prb_del_retire_blk_timer(pkc); - } -@@ -2032,12 +2040,24 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, - return tp_len; - } - -+static struct net_device *packet_cached_dev_get(struct packet_sock *po) -+{ -+ struct net_device *dev; -+ -+ rcu_read_lock(); -+ dev = rcu_dereference(po->cached_dev); -+ if (dev) -+ dev_hold(dev); -+ rcu_read_unlock(); -+ -+ return dev; -+} -+ - static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) - { - struct sk_buff *skb; - struct net_device *dev; - __be16 proto; -- bool need_rls_dev = false; - int err, reserve = 0; - void *ph; - struct sockaddr_ll *saddr = (struct sockaddr_ll *)msg->msg_name; -@@ -2050,7 +2070,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) - - err = -EBUSY; - if (saddr == NULL) { -- dev = po->prot_hook.dev; -+ dev = packet_cached_dev_get(po); - proto = po->num; - addr = NULL; - } else { -@@ -2064,19 +2084,17 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) - proto = saddr->sll_protocol; - addr = saddr->sll_addr; - dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); -- need_rls_dev = true; - } - - err = -ENXIO; - if (unlikely(dev == NULL)) - goto out; -- -- reserve = dev->hard_header_len; -- - err = -ENETDOWN; - if (unlikely(!(dev->flags & IFF_UP))) - goto out_put; - -+ reserve = dev->hard_header_len; -+ - size_max = po->tx_ring.frame_size - - (po->tp_hdrlen - sizeof(struct sockaddr_ll)); - -@@ -2152,8 +2170,7 @@ out_status: - __packet_set_status(po, ph, status); - kfree_skb(skb); - out_put: -- if (need_rls_dev) -- dev_put(dev); -+ dev_put(dev); - out: - mutex_unlock(&po->pg_vec_lock); - return err; -@@ -2191,7 +2208,6 @@ static int packet_snd(struct socket *sock, - struct sk_buff *skb; - struct net_device *dev; - __be16 proto; -- bool need_rls_dev = false; - unsigned char *addr; - int err, reserve = 0; - struct virtio_net_hdr vnet_hdr = { 0 }; -@@ -2205,7 +2221,7 @@ static int packet_snd(struct socket *sock, - */ - - if (saddr == NULL) { -- dev = po->prot_hook.dev; -+ dev = packet_cached_dev_get(po); - proto = po->num; - addr = NULL; - } else { -@@ -2217,19 +2233,17 @@ static int packet_snd(struct socket *sock, - proto = saddr->sll_protocol; - addr = saddr->sll_addr; - dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); -- need_rls_dev = true; - } - - err = -ENXIO; -- if (dev == NULL) -+ if (unlikely(dev == NULL)) - goto out_unlock; -- if (sock->type == SOCK_RAW) -- reserve = dev->hard_header_len; -- - err = -ENETDOWN; -- if (!(dev->flags & IFF_UP)) -+ if (unlikely(!(dev->flags & IFF_UP))) - goto out_unlock; - -+ if (sock->type == SOCK_RAW) -+ reserve = dev->hard_header_len; - if (po->has_vnet_hdr) { - vnet_hdr_len = sizeof(vnet_hdr); - -@@ -2350,15 +2364,14 @@ static int packet_snd(struct socket *sock, - if (err > 0 && (err = net_xmit_errno(err)) != 0) - goto out_unlock; - -- if (need_rls_dev) -- dev_put(dev); -+ dev_put(dev); - - return len; - - out_free: - kfree_skb(skb); - out_unlock: -- if (dev && need_rls_dev) -+ if (dev) - dev_put(dev); - out: - return err; -@@ -2575,6 +2588,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, - po = pkt_sk(sk); - sk->sk_family = PF_PACKET; - po->num = proto; -+ RCU_INIT_POINTER(po->cached_dev, NULL); - - sk->sk_destruct = packet_sock_destruct; - sk_refcnt_debug_inc(sk); -@@ -2663,7 +2677,6 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, - struct sock *sk = sock->sk; - struct sk_buff *skb; - int copied, err; -- struct sockaddr_ll *sll; - int vnet_hdr_len = 0; - - err = -EINVAL; -@@ -2746,22 +2759,10 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, - goto out_free; - } - -- /* -- * If the address length field is there to be filled in, we fill -- * it in now. -+ /* You lose any data beyond the buffer you gave. If it worries -+ * a user program they can ask the device for its MTU -+ * anyway. - */ -- -- sll = &PACKET_SKB_CB(skb)->sa.ll; -- if (sock->type == SOCK_PACKET) -- msg->msg_namelen = sizeof(struct sockaddr_pkt); -- else -- msg->msg_namelen = sll->sll_halen + offsetof(struct sockaddr_ll, sll_addr); -- -- /* -- * You lose any data beyond the buffer you gave. If it worries a -- * user program they can ask the device for its MTU anyway. -- */ -- - copied = skb->len; - if (copied > len) { - copied = len; -@@ -2774,9 +2775,20 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, - - sock_recv_ts_and_drops(msg, sk, skb); - -- if (msg->msg_name) -+ if (msg->msg_name) { -+ /* If the address length field is there to be filled -+ * in, we fill it in now. -+ */ -+ if (sock->type == SOCK_PACKET) { -+ msg->msg_namelen = sizeof(struct sockaddr_pkt); -+ } else { -+ struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll; -+ msg->msg_namelen = sll->sll_halen + -+ offsetof(struct sockaddr_ll, sll_addr); -+ } - memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, - msg->msg_namelen); -+ } - - if (pkt_sk(sk)->auxdata) { - struct tpacket_auxdata aux; -diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c -index bf35b4e..b25f2d3 100644 ---- a/net/phonet/datagram.c -+++ b/net/phonet/datagram.c -@@ -139,9 +139,6 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk, - MSG_CMSG_COMPAT)) - goto out_nofree; - -- if (addr_len) -- *addr_len = sizeof(sa); -- - skb = skb_recv_datagram(sk, flags, noblock, &rval); - if (skb == NULL) - goto out_nofree; -@@ -162,8 +159,10 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk, - - rval = (flags & MSG_TRUNC) ? skb->len : copylen; - -- if (msg->msg_name != NULL) -- memcpy(msg->msg_name, &sa, sizeof(struct sockaddr_pn)); -+ if (msg->msg_name != NULL) { -+ memcpy(msg->msg_name, &sa, sizeof(sa)); -+ *addr_len = sizeof(sa); -+ } - - out: - skb_free_datagram(sk, skb); -diff --git a/net/rds/recv.c b/net/rds/recv.c -index fc57d31..96a1239 100644 ---- a/net/rds/recv.c -+++ b/net/rds/recv.c -@@ -410,8 +410,6 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, - - rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo); - -- msg->msg_namelen = 0; -- - if (msg_flags & MSG_OOB) - goto out; - -diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c -index 1f96fb9..bf76dec7 100644 ---- a/net/rose/af_rose.c -+++ b/net/rose/af_rose.c -@@ -1221,7 +1221,6 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock, - { - struct sock *sk = sock->sk; - struct rose_sock *rose = rose_sk(sk); -- struct sockaddr_rose *srose = (struct sockaddr_rose *)msg->msg_name; - size_t copied; - unsigned char *asmptr; - struct sk_buff *skb; -@@ -1257,8 +1256,11 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock, - - skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); - -- if (srose != NULL) { -- memset(srose, 0, msg->msg_namelen); -+ if (msg->msg_name) { -+ struct sockaddr_rose *srose; -+ -+ memset(msg->msg_name, 0, sizeof(struct full_sockaddr_rose)); -+ srose = msg->msg_name; - srose->srose_family = AF_ROSE; - srose->srose_addr = rose->dest_addr; - srose->srose_call = rose->dest_call; -diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c -index 4b48687..898492a 100644 ---- a/net/rxrpc/ar-recvmsg.c -+++ b/net/rxrpc/ar-recvmsg.c -@@ -143,10 +143,13 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock, - - /* copy the peer address and timestamp */ - if (!continue_call) { -- if (msg->msg_name && msg->msg_namelen > 0) -+ if (msg->msg_name) { -+ size_t len = -+ sizeof(call->conn->trans->peer->srx); - memcpy(msg->msg_name, -- &call->conn->trans->peer->srx, -- sizeof(call->conn->trans->peer->srx)); -+ &call->conn->trans->peer->srx, len); -+ msg->msg_namelen = len; -+ } - sock_recv_ts_and_drops(msg, &rx->sk, skb); - } - -diff --git a/net/socket.c b/net/socket.c -index bf7adaa..d4faade 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -215,12 +215,13 @@ static int move_addr_to_user(struct sockaddr *kaddr, int klen, - int err; - int len; - -+ BUG_ON(klen > sizeof(struct sockaddr_storage)); - err = get_user(len, ulen); - if (err) - return err; - if (len > klen) - len = klen; -- if (len < 0 || len > sizeof(struct sockaddr_storage)) -+ if (len < 0) - return -EINVAL; - if (len) { - if (audit_sockaddr(klen, kaddr)) -@@ -1752,8 +1753,10 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, - msg.msg_iov = &iov; - iov.iov_len = size; - iov.iov_base = ubuf; -- msg.msg_name = (struct sockaddr *)&address; -- msg.msg_namelen = sizeof(address); -+ /* Save some cycles and don't copy the address if not needed */ -+ msg.msg_name = addr ? (struct sockaddr *)&address : NULL; -+ /* We assume all kernel code knows the size of sockaddr_storage */ -+ msg.msg_namelen = 0; - if (sock->file->f_flags & O_NONBLOCK) - flags |= MSG_DONTWAIT; - err = sock_recvmsg(sock, &msg, size, flags); -@@ -1882,7 +1885,7 @@ static int copy_msghdr_from_user(struct msghdr *kmsg, - if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) - return -EFAULT; - if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) -- return -EINVAL; -+ kmsg->msg_namelen = sizeof(struct sockaddr_storage); - return 0; - } - -@@ -2142,18 +2145,16 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, - goto out; - } - -- /* -- * Save the user-mode address (verify_iovec will change the -- * kernel msghdr to use the kernel address space) -+ /* Save the user-mode address (verify_iovec will change the -+ * kernel msghdr to use the kernel address space) - */ -- - uaddr = (__force void __user *)msg_sys->msg_name; - uaddr_len = COMPAT_NAMELEN(msg); -- if (MSG_CMSG_COMPAT & flags) { -+ if (MSG_CMSG_COMPAT & flags) - err = verify_compat_iovec(msg_sys, iov, - (struct sockaddr *)&addr, - VERIFY_WRITE); -- } else -+ else - err = verify_iovec(msg_sys, iov, - (struct sockaddr *)&addr, - VERIFY_WRITE); -@@ -2164,6 +2165,9 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, - cmsg_ptr = (unsigned long)msg_sys->msg_control; - msg_sys->msg_flags = flags & (MSG_CMSG_CLOEXEC|MSG_CMSG_COMPAT); - -+ /* We assume all kernel code knows the size of sockaddr_storage */ -+ msg_sys->msg_namelen = 0; -+ - if (sock->file->f_flags & O_NONBLOCK) - flags |= MSG_DONTWAIT; - err = (nosec ? sock_recvmsg_nosec : sock_recvmsg)(sock, msg_sys, -diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c -index 65fe23b..bfb78fa 100644 ---- a/net/sunrpc/xprtsock.c -+++ b/net/sunrpc/xprtsock.c -@@ -390,8 +390,10 @@ static int xs_send_kvec(struct socket *sock, struct sockaddr *addr, int addrlen, - return kernel_sendmsg(sock, &msg, NULL, 0, 0); - } - --static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned int base, int more) -+static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned int base, int more, bool zerocopy) - { -+ ssize_t (*do_sendpage)(struct socket *sock, struct page *page, -+ int offset, size_t size, int flags); - struct page **ppage; - unsigned int remainder; - int err, sent = 0; -@@ -400,6 +402,9 @@ static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned i - base += xdr->page_base; - ppage = xdr->pages + (base >> PAGE_SHIFT); - base &= ~PAGE_MASK; -+ do_sendpage = sock->ops->sendpage; -+ if (!zerocopy) -+ do_sendpage = sock_no_sendpage; - for(;;) { - unsigned int len = min_t(unsigned int, PAGE_SIZE - base, remainder); - int flags = XS_SENDMSG_FLAGS; -@@ -407,7 +412,7 @@ static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned i - remainder -= len; - if (remainder != 0 || more) - flags |= MSG_MORE; -- err = sock->ops->sendpage(sock, *ppage, base, len, flags); -+ err = do_sendpage(sock, *ppage, base, len, flags); - if (remainder == 0 || err != len) - break; - sent += err; -@@ -428,9 +433,10 @@ static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned i - * @addrlen: UDP only -- length of destination address - * @xdr: buffer containing this request - * @base: starting position in the buffer -+ * @zerocopy: true if it is safe to use sendpage() - * - */ --static int xs_sendpages(struct socket *sock, struct sockaddr *addr, int addrlen, struct xdr_buf *xdr, unsigned int base) -+static int xs_sendpages(struct socket *sock, struct sockaddr *addr, int addrlen, struct xdr_buf *xdr, unsigned int base, bool zerocopy) - { - unsigned int remainder = xdr->len - base; - int err, sent = 0; -@@ -458,7 +464,7 @@ static int xs_sendpages(struct socket *sock, struct sockaddr *addr, int addrlen, - if (base < xdr->page_len) { - unsigned int len = xdr->page_len - base; - remainder -= len; -- err = xs_send_pagedata(sock, xdr, base, remainder != 0); -+ err = xs_send_pagedata(sock, xdr, base, remainder != 0, zerocopy); - if (remainder == 0 || err != len) - goto out; - sent += err; -@@ -561,7 +567,7 @@ static int xs_local_send_request(struct rpc_task *task) - req->rq_svec->iov_base, req->rq_svec->iov_len); - - status = xs_sendpages(transport->sock, NULL, 0, -- xdr, req->rq_bytes_sent); -+ xdr, req->rq_bytes_sent, true); - dprintk("RPC: %s(%u) = %d\n", - __func__, xdr->len - req->rq_bytes_sent, status); - if (likely(status >= 0)) { -@@ -617,7 +623,7 @@ static int xs_udp_send_request(struct rpc_task *task) - status = xs_sendpages(transport->sock, - xs_addr(xprt), - xprt->addrlen, xdr, -- req->rq_bytes_sent); -+ req->rq_bytes_sent, true); - - dprintk("RPC: xs_udp_send_request(%u) = %d\n", - xdr->len - req->rq_bytes_sent, status); -@@ -688,6 +694,7 @@ static int xs_tcp_send_request(struct rpc_task *task) - struct rpc_xprt *xprt = req->rq_xprt; - struct sock_xprt *transport = container_of(xprt, struct sock_xprt, xprt); - struct xdr_buf *xdr = &req->rq_snd_buf; -+ bool zerocopy = true; - int status; - - xs_encode_stream_record_marker(&req->rq_snd_buf); -@@ -695,13 +702,20 @@ static int xs_tcp_send_request(struct rpc_task *task) - xs_pktdump("packet data:", - req->rq_svec->iov_base, - req->rq_svec->iov_len); -+ /* Don't use zero copy if this is a resend. If the RPC call -+ * completes while the socket holds a reference to the pages, -+ * then we may end up resending corrupted data. -+ */ -+ if (task->tk_flags & RPC_TASK_SENT) -+ zerocopy = false; - - /* Continue transmitting the packet/record. We must be careful - * to cope with writespace callbacks arriving _after_ we have - * called sendmsg(). */ - while (1) { - status = xs_sendpages(transport->sock, -- NULL, 0, xdr, req->rq_bytes_sent); -+ NULL, 0, xdr, req->rq_bytes_sent, -+ zerocopy); - - dprintk("RPC: xs_tcp_send_request(%u) = %d\n", - xdr->len - req->rq_bytes_sent, status); -diff --git a/net/tipc/socket.c b/net/tipc/socket.c -index fdf34af..058941e 100644 ---- a/net/tipc/socket.c -+++ b/net/tipc/socket.c -@@ -949,9 +949,6 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock, - goto exit; - } - -- /* will be updated in set_orig_addr() if needed */ -- m->msg_namelen = 0; -- - timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); - restart: - -@@ -1078,9 +1075,6 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock, - goto exit; - } - -- /* will be updated in set_orig_addr() if needed */ -- m->msg_namelen = 0; -- - target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len); - timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); - restart: -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 5122b22..9338ccc 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -1744,7 +1744,6 @@ static void unix_copy_addr(struct msghdr *msg, struct sock *sk) - { - struct unix_sock *u = unix_sk(sk); - -- msg->msg_namelen = 0; - if (u->addr) { - msg->msg_namelen = u->addr->len; - memcpy(msg->msg_name, u->addr->name, u->addr->len); -@@ -1767,8 +1766,6 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock, - if (flags&MSG_OOB) - goto out; - -- msg->msg_namelen = 0; -- - err = mutex_lock_interruptible(&u->readlock); - if (err) { - err = sock_intr_errno(sock_rcvtimeo(sk, noblock)); -@@ -1902,8 +1899,6 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock, - target = sock_rcvlowat(sk, flags&MSG_WAITALL, size); - timeo = sock_rcvtimeo(sk, flags&MSG_DONTWAIT); - -- msg->msg_namelen = 0; -- - /* Lock the socket to prevent queue disordering - * while sleeps in memcpy_tomsg - */ -diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c -index dc24ba9..07b9973 100644 ---- a/net/x25/af_x25.c -+++ b/net/x25/af_x25.c -@@ -1343,10 +1343,9 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock, - if (sx25) { - sx25->sx25_family = AF_X25; - sx25->sx25_addr = x25->dest_addr; -+ msg->msg_namelen = sizeof(*sx25); - } - -- msg->msg_namelen = sizeof(struct sockaddr_x25); -- - x25_check_rbuf(sk); - rc = copied; - out_free_dgram: -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 1126c10..5898f34 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -53,6 +53,7 @@ - #include <net/icmp.h> - #include <net/ip.h> /* for local_port_range[] */ - #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ -+#include <net/inet_connection_sock.h> - #include <net/net_namespace.h> - #include <net/netlabel.h> - #include <linux/uaccess.h> -@@ -3704,6 +3705,30 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) - return 0; - } - -+/** -+ * selinux_conn_sid - Determine the child socket label for a connection -+ * @sk_sid: the parent socket's SID -+ * @skb_sid: the packet's SID -+ * @conn_sid: the resulting connection SID -+ * -+ * If @skb_sid is valid then the user:role:type information from @sk_sid is -+ * combined with the MLS information from @skb_sid in order to create -+ * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy -+ * of @sk_sid. Returns zero on success, negative values on failure. -+ * -+ */ -+static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) -+{ -+ int err = 0; -+ -+ if (skb_sid != SECSID_NULL) -+ err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); -+ else -+ *conn_sid = sk_sid; -+ -+ return err; -+} -+ - /* socket security operations */ - - static int socket_sockcreate_sid(const struct task_security_struct *tsec, -@@ -4295,7 +4320,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, - struct sk_security_struct *sksec = sk->sk_security; - int err; - u16 family = sk->sk_family; -- u32 newsid; -+ u32 connsid; - u32 peersid; - - /* handle mapped IPv4 packets arriving via IPv6 sockets */ -@@ -4305,16 +4330,11 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, - err = selinux_skb_peerlbl_sid(skb, family, &peersid); - if (err) - return err; -- if (peersid == SECSID_NULL) { -- req->secid = sksec->sid; -- req->peer_secid = SECSID_NULL; -- } else { -- err = security_sid_mls_copy(sksec->sid, peersid, &newsid); -- if (err) -- return err; -- req->secid = newsid; -- req->peer_secid = peersid; -- } -+ err = selinux_conn_sid(sksec->sid, peersid, &connsid); -+ if (err) -+ return err; -+ req->secid = connsid; -+ req->peer_secid = peersid; - - return selinux_netlbl_inet_conn_request(req, family); - } -@@ -4542,6 +4562,7 @@ static unsigned int selinux_ipv6_forward(unsigned int hooknum, - static unsigned int selinux_ip_output(struct sk_buff *skb, - u16 family) - { -+ struct sock *sk; - u32 sid; - - if (!netlbl_enabled()) -@@ -4550,8 +4571,27 @@ static unsigned int selinux_ip_output(struct sk_buff *skb, - /* we do this in the LOCAL_OUT path and not the POST_ROUTING path - * because we want to make sure we apply the necessary labeling - * before IPsec is applied so we can leverage AH protection */ -- if (skb->sk) { -- struct sk_security_struct *sksec = skb->sk->sk_security; -+ sk = skb->sk; -+ if (sk) { -+ struct sk_security_struct *sksec; -+ -+ if (sk->sk_state == TCP_LISTEN) -+ /* if the socket is the listening state then this -+ * packet is a SYN-ACK packet which means it needs to -+ * be labeled based on the connection/request_sock and -+ * not the parent socket. unfortunately, we can't -+ * lookup the request_sock yet as it isn't queued on -+ * the parent socket until after the SYN-ACK is sent. -+ * the "solution" is to simply pass the packet as-is -+ * as any IP option based labeling should be copied -+ * from the initial connection request (in the IP -+ * layer). it is far from ideal, but until we get a -+ * security label in the packet itself this is the -+ * best we can do. */ -+ return NF_ACCEPT; -+ -+ /* standard practice, label using the parent socket */ -+ sksec = sk->sk_security; - sid = sksec->sid; - } else - sid = SECINITSID_KERNEL; -@@ -4633,12 +4673,12 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, - if (!secmark_active && !peerlbl_active) - return NF_ACCEPT; - -- /* if the packet is being forwarded then get the peer label from the -- * packet itself; otherwise check to see if it is from a local -- * application or the kernel, if from an application get the peer label -- * from the sending socket, otherwise use the kernel's sid */ - sk = skb->sk; - if (sk == NULL) { -+ /* Without an associated socket the packet is either coming -+ * from the kernel or it is being forwarded; check the packet -+ * to determine which and if the packet is being forwarded -+ * query the packet directly to determine the security label. */ - if (skb->skb_iif) { - secmark_perm = PACKET__FORWARD_OUT; - if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) -@@ -4647,7 +4687,26 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, - secmark_perm = PACKET__SEND; - peer_sid = SECINITSID_KERNEL; - } -+ } else if (sk->sk_state == TCP_LISTEN) { -+ /* Locally generated packet but the associated socket is in the -+ * listening state which means this is a SYN-ACK packet. In -+ * this particular case the correct security label is assigned -+ * to the connection/request_sock but unfortunately we can't -+ * query the request_sock as it isn't queued on the parent -+ * socket until after the SYN-ACK packet is sent; the only -+ * viable choice is to regenerate the label like we do in -+ * selinux_inet_conn_request(). See also selinux_ip_output() -+ * for similar problems. */ -+ u32 skb_sid; -+ struct sk_security_struct *sksec = sk->sk_security; -+ if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) -+ return NF_DROP; -+ if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) -+ return NF_DROP; -+ secmark_perm = PACKET__SEND; - } else { -+ /* Locally generated packet, fetch the security label from the -+ * associated socket. */ - struct sk_security_struct *sksec = sk->sk_security; - peer_sid = sksec->sid; - secmark_perm = PACKET__SEND; -diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c -index da4b8b2..6235d05 100644 ---- a/security/selinux/netlabel.c -+++ b/security/selinux/netlabel.c -@@ -442,8 +442,7 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr) - sksec->nlbl_state != NLBL_CONNLABELED) - return 0; - -- local_bh_disable(); -- bh_lock_sock_nested(sk); -+ lock_sock(sk); - - /* connected sockets are allowed to disconnect when the address family - * is set to AF_UNSPEC, if that is what is happening we want to reset -@@ -464,7 +463,6 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr) - sksec->nlbl_state = NLBL_CONNLABELED; - - socket_connect_return: -- bh_unlock_sock(sk); -- local_bh_enable(); -+ release_sock(sk); - return rc; - } -diff --git a/sound/drivers/pcsp/pcsp.c b/sound/drivers/pcsp/pcsp.c -index 946a0cb..e6ad8d4 100644 ---- a/sound/drivers/pcsp/pcsp.c -+++ b/sound/drivers/pcsp/pcsp.c -@@ -187,8 +187,8 @@ static int __devinit pcsp_probe(struct platform_device *dev) - static int __devexit pcsp_remove(struct platform_device *dev) - { - struct snd_pcsp *chip = platform_get_drvdata(dev); -- alsa_card_pcsp_exit(chip); - pcspkr_input_remove(chip->input_dev); -+ alsa_card_pcsp_exit(chip); - platform_set_drvdata(dev, NULL); - return 0; - } -diff --git a/sound/isa/msnd/msnd_pinnacle.c b/sound/isa/msnd/msnd_pinnacle.c -index 0961e2c..a9cc687 100644 ---- a/sound/isa/msnd/msnd_pinnacle.c -+++ b/sound/isa/msnd/msnd_pinnacle.c -@@ -73,9 +73,11 @@ - #ifdef MSND_CLASSIC - # include "msnd_classic.h" - # define LOGNAME "msnd_classic" -+# define DEV_NAME "msnd-classic" - #else - # include "msnd_pinnacle.h" - # define LOGNAME "snd_msnd_pinnacle" -+# define DEV_NAME "msnd-pinnacle" - #endif - - static void __devinit set_default_audio_parameters(struct snd_msnd *chip) -@@ -1068,8 +1070,6 @@ static int __devexit snd_msnd_isa_remove(struct device *pdev, unsigned int dev) - return 0; - } - --#define DEV_NAME "msnd-pinnacle" -- - static struct isa_driver snd_msnd_driver = { - .match = snd_msnd_isa_match, - .probe = snd_msnd_isa_probe, -diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c -index 984b5b1..843d9f3 100644 ---- a/sound/pci/hda/patch_conexant.c -+++ b/sound/pci/hda/patch_conexant.c -@@ -4610,6 +4610,8 @@ static const struct hda_codec_preset snd_hda_preset_conexant[] = { - .patch = patch_conexant_auto }, - { .id = 0x14f15115, .name = "CX20757", - .patch = patch_conexant_auto }, -+ { .id = 0x14f151d7, .name = "CX20952", -+ .patch = patch_conexant_auto }, - {} /* terminator */ - }; - -@@ -4636,6 +4638,7 @@ MODULE_ALIAS("snd-hda-codec-id:14f15111"); - MODULE_ALIAS("snd-hda-codec-id:14f15113"); - MODULE_ALIAS("snd-hda-codec-id:14f15114"); - MODULE_ALIAS("snd-hda-codec-id:14f15115"); -+MODULE_ALIAS("snd-hda-codec-id:14f151d7"); - - MODULE_LICENSE("GPL"); - MODULE_DESCRIPTION("Conexant HD-audio codec"); -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 92c913d..1f78ca6 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -5943,6 +5943,7 @@ static int patch_alc662(struct hda_codec *codec) - case 0x10ec0272: - case 0x10ec0663: - case 0x10ec0665: -+ case 0x10ec0668: - set_beep_amp(spec, 0x0b, 0x04, HDA_INPUT); - break; - case 0x10ec0273: -@@ -6019,6 +6020,7 @@ static int patch_alc680(struct hda_codec *codec) - */ - static const struct hda_codec_preset snd_hda_preset_realtek[] = { - { .id = 0x10ec0221, .name = "ALC221", .patch = patch_alc269 }, -+ { .id = 0x10ec0231, .name = "ALC231", .patch = patch_alc269 }, - { .id = 0x10ec0260, .name = "ALC260", .patch = patch_alc260 }, - { .id = 0x10ec0262, .name = "ALC262", .patch = patch_alc262 }, - { .id = 0x10ec0267, .name = "ALC267", .patch = patch_alc268 }, -diff --git a/sound/soc/codecs/ak4642.c b/sound/soc/codecs/ak4642.c -index 1c4999d..f2dac5c 100644 ---- a/sound/soc/codecs/ak4642.c -+++ b/sound/soc/codecs/ak4642.c -@@ -214,7 +214,7 @@ static int ak4642_dai_startup(struct snd_pcm_substream *substream, - * This operation came from example code of - * "ASAHI KASEI AK4642" (japanese) manual p94. - */ -- snd_soc_write(codec, SG_SL1, PMMP | MGAIN0); -+ snd_soc_update_bits(codec, SG_SL1, PMMP | MGAIN0, PMMP | MGAIN0); - snd_soc_write(codec, TIMER, ZTM(0x3) | WTM(0x3)); - snd_soc_write(codec, ALC_CTL1, ALC | LMTH0); - snd_soc_update_bits(codec, PW_MGMT1, PMVCM | PMADL, -diff --git a/sound/soc/codecs/wm8731.c b/sound/soc/codecs/wm8731.c -index a7c9ae1..6cfd4f7 100644 ---- a/sound/soc/codecs/wm8731.c -+++ b/sound/soc/codecs/wm8731.c -@@ -392,10 +392,10 @@ static int wm8731_set_dai_fmt(struct snd_soc_dai *codec_dai, - iface |= 0x0001; - break; - case SND_SOC_DAIFMT_DSP_A: -- iface |= 0x0003; -+ iface |= 0x0013; - break; - case SND_SOC_DAIFMT_DSP_B: -- iface |= 0x0013; -+ iface |= 0x0003; - break; - default: - return -EINVAL; -diff --git a/sound/soc/codecs/wm8990.c b/sound/soc/codecs/wm8990.c -index d29a962..cfa5bea 100644 ---- a/sound/soc/codecs/wm8990.c -+++ b/sound/soc/codecs/wm8990.c -@@ -1266,6 +1266,8 @@ static int wm8990_set_bias_level(struct snd_soc_codec *codec, - - /* disable POBCTRL, SOFT_ST and BUFDCOPEN */ - snd_soc_write(codec, WM8990_ANTIPOP2, 0x0); -+ -+ codec->cache_sync = 1; - break; - } - -diff --git a/sound/usb/6fire/chip.c b/sound/usb/6fire/chip.c -index c7dca7b..46a2816 100644 ---- a/sound/usb/6fire/chip.c -+++ b/sound/usb/6fire/chip.c -@@ -102,7 +102,7 @@ static int __devinit usb6fire_chip_probe(struct usb_interface *intf, - usb_set_intfdata(intf, chips[i]); - mutex_unlock(®ister_mutex); - return 0; -- } else if (regidx < 0) -+ } else if (!devices[i] && regidx < 0) - regidx = i; - } - if (regidx < 0) { -diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c -index 533db33..5dbb35d 100644 ---- a/virt/kvm/iommu.c -+++ b/virt/kvm/iommu.c -@@ -101,6 +101,10 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) - while ((gfn << PAGE_SHIFT) & (page_size - 1)) - page_size >>= 1; - -+ /* Make sure hva is aligned to the page size we want to map */ -+ while (gfn_to_hva_memslot(slot, gfn) & (page_size - 1)) -+ page_size >>= 1; -+ - /* - * Pin all pages we are about to map in memory. This is - * important because we unmap and unpin in 4kb steps later. -diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 8bf05f0..d83aa5e 100644 ---- a/virt/kvm/kvm_main.c -+++ b/virt/kvm/kvm_main.c -@@ -774,7 +774,7 @@ skip_lpage: - new.userspace_addr = mem->userspace_addr; - #endif /* not defined CONFIG_S390 */ - -- if (!npages) { -+ if (!npages || base_gfn != old.base_gfn) { - r = -ENOMEM; - slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL); - if (!slots) -@@ -788,8 +788,10 @@ skip_lpage: - old_memslots = kvm->memslots; - rcu_assign_pointer(kvm->memslots, slots); - synchronize_srcu_expedited(&kvm->srcu); -- /* From this point no new shadow pages pointing to a deleted -- * memslot will be created. -+ /* slot was deleted or moved, clear iommu mapping */ -+ kvm_iommu_unmap_pages(kvm, &old); -+ /* From this point no new shadow pages pointing to a deleted, -+ * or moved, memslot will be created. - * - * validation of sp->gfn happens in: - * - gfn_to_hva (kvm_read_guest, gfn_to_pfn) -@@ -803,14 +805,6 @@ skip_lpage: - if (r) - goto out_free; - -- /* map/unmap the pages in iommu page table */ -- if (npages) { -- r = kvm_iommu_map_pages(kvm, &new); -- if (r) -- goto out_free; -- } else -- kvm_iommu_unmap_pages(kvm, &old); -- - r = -ENOMEM; - slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL); - if (!slots) -@@ -820,6 +814,13 @@ skip_lpage: - slots->nmemslots = mem->slot + 1; - slots->generation++; - -+ /* map new memory slot into the iommu */ -+ if (npages) { -+ r = kvm_iommu_map_pages(kvm, &new); -+ if (r) -+ goto out_slots; -+ } -+ - /* actual memory is freed via old in kvm_free_physmem_slot below */ - if (!npages) { - new.rmap = NULL; -@@ -847,6 +848,8 @@ skip_lpage: - - return 0; - -+out_slots: -+ kfree(slots); - out_free: - kvm_free_physmem_slot(&new, &old); - out: -@@ -1683,6 +1686,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) - int r; - struct kvm_vcpu *vcpu, *v; - -+ if (id >= KVM_MAX_VCPUS) -+ return -EINVAL; -+ - vcpu = kvm_arch_vcpu_create(kvm, id); - if (IS_ERR(vcpu)) - return PTR_ERR(vcpu); |