diff options
Diffstat (limited to '3.2.71/1060_linux-3.2.61.patch')
-rw-r--r-- | 3.2.71/1060_linux-3.2.61.patch | 5945 |
1 files changed, 0 insertions, 5945 deletions
diff --git a/3.2.71/1060_linux-3.2.61.patch b/3.2.71/1060_linux-3.2.61.patch deleted file mode 100644 index a1bf580..0000000 --- a/3.2.71/1060_linux-3.2.61.patch +++ /dev/null @@ -1,5945 +0,0 @@ -diff --git a/Documentation/ja_JP/HOWTO b/Documentation/ja_JP/HOWTO -index 050d37f..46ed735 100644 ---- a/Documentation/ja_JP/HOWTO -+++ b/Documentation/ja_JP/HOWTO -@@ -315,7 +315,7 @@ Andrew Morton が Linux-kernel メーリングリストにカーネルリリー - もし、2.6.x.y カーネルが存在しない場合には、番号が一番大きい 2.6.x が - 最新の安定版カーネルです。 - --2.6.x.y は "stable" チーム <stable@kernel.org> でメンテされており、必 -+2.6.x.y は "stable" チーム <stable@vger.kernel.org> でメンテされており、必 - 要に応じてリリースされます。通常のリリース期間は 2週間毎ですが、差し迫っ - た問題がなければもう少し長くなることもあります。セキュリティ関連の問題 - の場合はこれに対してだいたいの場合、すぐにリリースがされます。 -diff --git a/Documentation/ja_JP/stable_kernel_rules.txt b/Documentation/ja_JP/stable_kernel_rules.txt -index 1426583..9dbda9b 100644 ---- a/Documentation/ja_JP/stable_kernel_rules.txt -+++ b/Documentation/ja_JP/stable_kernel_rules.txt -@@ -50,16 +50,16 @@ linux-2.6.29/Documentation/stable_kernel_rules.txt - - -stable ツリーにパッチを送付する手続き- - -- - 上記の規則に従っているかを確認した後に、stable@kernel.org にパッチ -+ - 上記の規則に従っているかを確認した後に、stable@vger.kernel.org にパッチ - を送る。 - - 送信者はパッチがキューに受け付けられた際には ACK を、却下された場合 - には NAK を受け取る。この反応は開発者たちのスケジュールによって、数 - 日かかる場合がある。 - - もし受け取られたら、パッチは他の開発者たちと関連するサブシステムの - メンテナーによるレビューのために -stable キューに追加される。 -- - パッチに stable@kernel.org のアドレスが付加されているときには、それ -+ - パッチに stable@vger.kernel.org のアドレスが付加されているときには、それ - が Linus のツリーに入る時に自動的に stable チームに email される。 -- - セキュリティパッチはこのエイリアス (stable@kernel.org) に送られるべ -+ - セキュリティパッチはこのエイリアス (stable@vger.kernel.org) に送られるべ - きではなく、代わりに security@kernel.org のアドレスに送られる。 - - レビューサイクル- -diff --git a/Documentation/zh_CN/HOWTO b/Documentation/zh_CN/HOWTO -index faf976c..56ceb05 100644 ---- a/Documentation/zh_CN/HOWTO -+++ b/Documentation/zh_CN/HOWTO -@@ -237,7 +237,7 @@ kernel.org网站的pub/linux/kernel/v2.6/目录下找到它。它的开发遵循 - 如果没有2.6.x.y版本内核存在,那么最新的2.6.x版本内核就相当于是当前的稳定 - 版内核。 - --2.6.x.y版本由“稳定版”小组(邮件地址<stable@kernel.org>)维护,一般隔周发 -+2.6.x.y版本由“稳定版”小组(邮件地址<stable@vger.kernel.org>)维护,一般隔周发 - 布新版本。 - - 内核源码中的Documentation/stable_kernel_rules.txt文件具体描述了可被稳定 -diff --git a/Documentation/zh_CN/stable_kernel_rules.txt b/Documentation/zh_CN/stable_kernel_rules.txt -index b5b9b0a..26ea5ed 100644 ---- a/Documentation/zh_CN/stable_kernel_rules.txt -+++ b/Documentation/zh_CN/stable_kernel_rules.txt -@@ -42,7 +42,7 @@ Documentation/stable_kernel_rules.txt 的中文翻译 - - 向稳定版代码树提交补丁的过程: - -- - 在确认了补丁符合以上的规则后,将补丁发送到stable@kernel.org。 -+ - 在确认了补丁符合以上的规则后,将补丁发送到stable@vger.kernel.org。 - - 如果补丁被接受到队列里,发送者会收到一个ACK回复,如果没有被接受,收 - 到的是NAK回复。回复需要几天的时间,这取决于开发者的时间安排。 - - 被接受的补丁会被加到稳定版本队列里,等待其他开发者的审查。 -diff --git a/Makefile b/Makefile -index 317d5ea..f8b642d 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 2 --SUBLEVEL = 60 -+SUBLEVEL = 61 - EXTRAVERSION = - NAME = Saber-toothed Squirrel - -diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h -index 292c3f8..18a2858 100644 ---- a/arch/arm/include/asm/uaccess.h -+++ b/arch/arm/include/asm/uaccess.h -@@ -158,8 +158,9 @@ extern int __put_user_8(void *, unsigned long long); - #define put_user(x,p) \ - ({ \ - unsigned long __limit = current_thread_info()->addr_limit - 1; \ -+ const typeof(*(p)) __user *__tmp_p = (p); \ - register const typeof(*(p)) __r2 asm("r2") = (x); \ -- register const typeof(*(p)) __user *__p asm("r0") = (p);\ -+ register const typeof(*(p)) __user *__p asm("r0") = __tmp_p; \ - register unsigned long __l asm("r1") = __limit; \ - register int __e asm("r0"); \ - switch (sizeof(*(__p))) { \ -diff --git a/arch/arm/kernel/crash_dump.c b/arch/arm/kernel/crash_dump.c -index 90c50d4..5d1286d 100644 ---- a/arch/arm/kernel/crash_dump.c -+++ b/arch/arm/kernel/crash_dump.c -@@ -39,7 +39,7 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf, - if (!csize) - return 0; - -- vaddr = ioremap(pfn << PAGE_SHIFT, PAGE_SIZE); -+ vaddr = ioremap(__pfn_to_phys(pfn), PAGE_SIZE); - if (!vaddr) - return -ENOMEM; - -diff --git a/arch/arm/plat-mxc/devices/platform-ipu-core.c b/arch/arm/plat-mxc/devices/platform-ipu-core.c -index 79d340a..15f3421 100644 ---- a/arch/arm/plat-mxc/devices/platform-ipu-core.c -+++ b/arch/arm/plat-mxc/devices/platform-ipu-core.c -@@ -77,7 +77,7 @@ struct platform_device *__init imx_alloc_mx3_camera( - - pdev = platform_device_alloc("mx3-camera", 0); - if (!pdev) -- goto err; -+ return ERR_PTR(-ENOMEM); - - pdev->dev.dma_mask = kmalloc(sizeof(*pdev->dev.dma_mask), GFP_KERNEL); - if (!pdev->dev.dma_mask) -diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h -index adda036..35d1b47 100644 ---- a/arch/mips/include/asm/thread_info.h -+++ b/arch/mips/include/asm/thread_info.h -@@ -149,6 +149,8 @@ register struct thread_info *__current_thread_info __asm__("$28"); - #define _TIF_FPUBOUND (1<<TIF_FPUBOUND) - #define _TIF_LOAD_WATCH (1<<TIF_LOAD_WATCH) - -+#define _TIF_WORK_SYSCALL_ENTRY (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SECCOMP) -+ - /* work to do in syscall_trace_leave() */ - #define _TIF_WORK_SYSCALL_EXIT (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT) - -diff --git a/arch/mips/kernel/irq-msc01.c b/arch/mips/kernel/irq-msc01.c -index 14ac52c..884de34 100644 ---- a/arch/mips/kernel/irq-msc01.c -+++ b/arch/mips/kernel/irq-msc01.c -@@ -131,7 +131,7 @@ void __init init_msc_irqs(unsigned long icubase, unsigned int irqbase, msc_irqma - - board_bind_eic_interrupt = &msc_bind_eic_interrupt; - -- for (; nirq >= 0; nirq--, imp++) { -+ for (; nirq > 0; nirq--, imp++) { - int n = imp->im_irq; - - switch (imp->im_type) { -diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S -index a632bc1..1d39bea 100644 ---- a/arch/mips/kernel/scall32-o32.S -+++ b/arch/mips/kernel/scall32-o32.S -@@ -52,7 +52,7 @@ NESTED(handle_sys, PT_SIZE, sp) - - stack_done: - lw t0, TI_FLAGS($28) # syscall tracing enabled? -- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT -+ li t1, _TIF_WORK_SYSCALL_ENTRY - and t0, t1 - bnez t0, syscall_trace_entry # -> yes - -diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S -index 3b5a5e9..53e65ff 100644 ---- a/arch/mips/kernel/scall64-64.S -+++ b/arch/mips/kernel/scall64-64.S -@@ -54,7 +54,7 @@ NESTED(handle_sys64, PT_SIZE, sp) - - sd a3, PT_R26(sp) # save a3 for syscall restarting - -- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT -+ li t1, _TIF_WORK_SYSCALL_ENTRY - LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? - and t0, t1, t0 - bnez t0, syscall_trace_entry -diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S -index 6be6f70..5476ce4 100644 ---- a/arch/mips/kernel/scall64-n32.S -+++ b/arch/mips/kernel/scall64-n32.S -@@ -53,7 +53,7 @@ NESTED(handle_sysn32, PT_SIZE, sp) - - sd a3, PT_R26(sp) # save a3 for syscall restarting - -- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT -+ li t1, _TIF_WORK_SYSCALL_ENTRY - LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? - and t0, t1, t0 - bnez t0, n32_syscall_trace_entry -diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S -index 5422855..a56175b 100644 ---- a/arch/mips/kernel/scall64-o32.S -+++ b/arch/mips/kernel/scall64-o32.S -@@ -81,7 +81,7 @@ NESTED(handle_sys, PT_SIZE, sp) - PTR 4b, bad_stack - .previous - -- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT -+ li t1, _TIF_WORK_SYSCALL_ENTRY - LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? - and t0, t1, t0 - bnez t0, trace_a_syscall -diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile -index 70ba0c0..9a980b3 100644 ---- a/arch/powerpc/Makefile -+++ b/arch/powerpc/Makefile -@@ -69,7 +69,9 @@ LDFLAGS_vmlinux := $(LDFLAGS_vmlinux-yy) - - CFLAGS-$(CONFIG_PPC64) := -mminimal-toc -mtraceback=no -mcall-aixdesc - CFLAGS-$(CONFIG_PPC32) := -ffixed-r2 -mmultiple --KBUILD_CPPFLAGS += -Iarch/$(ARCH) -+asinstr := $(call as-instr,lis 9$(comma)foo@high,-DHAVE_AS_ATHIGH=1) -+ -+KBUILD_CPPFLAGS += -Iarch/$(ARCH) $(asinstr) - KBUILD_AFLAGS += -Iarch/$(ARCH) - KBUILD_CFLAGS += -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y) - CPP = $(CC) -E $(KBUILD_CFLAGS) -diff --git a/arch/powerpc/include/asm/ppc_asm.h b/arch/powerpc/include/asm/ppc_asm.h -index 368f72f..0f3a740 100644 ---- a/arch/powerpc/include/asm/ppc_asm.h -+++ b/arch/powerpc/include/asm/ppc_asm.h -@@ -292,11 +292,16 @@ n: - * ld rY,ADDROFF(name)(rX) - */ - #ifdef __powerpc64__ -+#ifdef HAVE_AS_ATHIGH -+#define __AS_ATHIGH high -+#else -+#define __AS_ATHIGH h -+#endif - #define LOAD_REG_IMMEDIATE(reg,expr) \ - lis (reg),(expr)@highest; \ - ori (reg),(reg),(expr)@higher; \ - rldicr (reg),(reg),32,31; \ -- oris (reg),(reg),(expr)@h; \ -+ oris reg,reg,(expr)@__AS_ATHIGH; \ - ori (reg),(reg),(expr)@l; - - #define LOAD_REG_ADDR(reg,name) \ -diff --git a/arch/powerpc/kernel/legacy_serial.c b/arch/powerpc/kernel/legacy_serial.c -index c7b5afe..c77159d 100644 ---- a/arch/powerpc/kernel/legacy_serial.c -+++ b/arch/powerpc/kernel/legacy_serial.c -@@ -48,6 +48,9 @@ static struct __initdata of_device_id legacy_serial_parents[] = { - static unsigned int legacy_serial_count; - static int legacy_serial_console = -1; - -+static const upf_t legacy_port_flags = UPF_BOOT_AUTOCONF | UPF_SKIP_TEST | -+ UPF_SHARE_IRQ | UPF_FIXED_PORT; -+ - static unsigned int tsi_serial_in(struct uart_port *p, int offset) - { - unsigned int tmp; -@@ -153,8 +156,6 @@ static int __init add_legacy_soc_port(struct device_node *np, - { - u64 addr; - const u32 *addrp; -- upf_t flags = UPF_BOOT_AUTOCONF | UPF_SKIP_TEST | UPF_SHARE_IRQ -- | UPF_FIXED_PORT; - struct device_node *tsi = of_get_parent(np); - - /* We only support ports that have a clock frequency properly -@@ -185,9 +186,11 @@ static int __init add_legacy_soc_port(struct device_node *np, - * IO port value. It will be fixed up later along with the irq - */ - if (tsi && !strcmp(tsi->type, "tsi-bridge")) -- return add_legacy_port(np, -1, UPIO_TSI, addr, addr, NO_IRQ, flags, 0); -+ return add_legacy_port(np, -1, UPIO_TSI, addr, addr, -+ NO_IRQ, legacy_port_flags, 0); - else -- return add_legacy_port(np, -1, UPIO_MEM, addr, addr, NO_IRQ, flags, 0); -+ return add_legacy_port(np, -1, UPIO_MEM, addr, addr, -+ NO_IRQ, legacy_port_flags, 0); - } - - static int __init add_legacy_isa_port(struct device_node *np, -@@ -228,7 +231,7 @@ static int __init add_legacy_isa_port(struct device_node *np, - - /* Add port, irq will be dealt with later */ - return add_legacy_port(np, index, UPIO_PORT, be32_to_cpu(reg[1]), taddr, -- NO_IRQ, UPF_BOOT_AUTOCONF, 0); -+ NO_IRQ, legacy_port_flags, 0); - - } - -@@ -301,7 +304,7 @@ static int __init add_legacy_pci_port(struct device_node *np, - * IO port value. It will be fixed up later along with the irq - */ - return add_legacy_port(np, index, iotype, base, addr, NO_IRQ, -- UPF_BOOT_AUTOCONF, np != pci_dev); -+ legacy_port_flags, np != pci_dev); - } - #endif - -diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c -index 77bb77d..82288e9 100644 ---- a/arch/powerpc/kernel/setup-common.c -+++ b/arch/powerpc/kernel/setup-common.c -@@ -449,7 +449,7 @@ void __init smp_setup_cpu_maps(void) - for (j = 0; j < nthreads && cpu < nr_cpu_ids; j++) { - DBG(" thread %d -> cpu %d (hard id %d)\n", - j, cpu, intserv[j]); -- set_cpu_present(cpu, true); -+ set_cpu_present(cpu, of_device_is_available(dn)); - set_hard_smp_processor_id(cpu, intserv[j]); - set_cpu_possible(cpu, true); - cpu++; -diff --git a/arch/s390/include/asm/lowcore.h b/arch/s390/include/asm/lowcore.h -index 9e13c7d..454564b 100644 ---- a/arch/s390/include/asm/lowcore.h -+++ b/arch/s390/include/asm/lowcore.h -@@ -140,9 +140,9 @@ struct _lowcore { - __u8 pad_0x02e8[0x0300-0x02e8]; /* 0x02e8 */ - - /* Interrupt response block */ -- __u8 irb[64]; /* 0x0300 */ -+ __u8 irb[96]; /* 0x0300 */ - -- __u8 pad_0x0340[0x0e00-0x0340]; /* 0x0340 */ -+ __u8 pad_0x0360[0x0e00-0x0360]; /* 0x0360 */ - - /* - * 0xe00 contains the address of the IPL Parameter Information -@@ -274,12 +274,13 @@ struct _lowcore { - __u64 cmf_hpp; /* 0x0378 */ - - /* Interrupt response block. */ -- __u8 irb[64]; /* 0x0380 */ -+ __u8 irb[96]; /* 0x0380 */ -+ __u8 pad_0x03e0[0x0400-0x03e0]; /* 0x03e0 */ - - /* Per cpu primary space access list */ -- __u32 paste[16]; /* 0x03c0 */ -+ __u32 paste[16]; /* 0x0400 */ - -- __u8 pad_0x0400[0x0e00-0x0400]; /* 0x0400 */ -+ __u8 pad_0x0440[0x0e00-0x0440]; /* 0x0440 */ - - /* - * 0xe00 contains the address of the IPL Parameter Information -diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h -index 3b96fd4..0581a85 100644 ---- a/arch/x86/include/asm/ptrace.h -+++ b/arch/x86/include/asm/ptrace.h -@@ -287,6 +287,22 @@ static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs, - - #define ARCH_HAS_USER_SINGLE_STEP_INFO - -+/* -+ * When hitting ptrace_stop(), we cannot return using SYSRET because -+ * that does not restore the full CPU state, only a minimal set. The -+ * ptracer can change arbitrary register values, which is usually okay -+ * because the usual ptrace stops run off the signal delivery path which -+ * forces IRET; however, ptrace_event() stops happen in arbitrary places -+ * in the kernel and don't force IRET path. -+ * -+ * So force IRET path after a ptrace stop. -+ */ -+#define arch_ptrace_stop_needed(code, info) \ -+({ \ -+ set_thread_flag(TIF_NOTIFY_RESUME); \ -+ false; \ -+}) -+ - struct user_desc; - extern int do_get_thread_area(struct task_struct *p, int idx, - struct user_desc __user *info); -diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index d2d488b8..db090f6 100644 ---- a/arch/x86/kernel/entry_32.S -+++ b/arch/x86/kernel/entry_32.S -@@ -427,9 +427,10 @@ sysenter_past_esp: - jnz sysenter_audit - sysenter_do_call: - cmpl $(nr_syscalls), %eax -- jae syscall_badsys -+ jae sysenter_badsys - call *sys_call_table(,%eax,4) - movl %eax,PT_EAX(%esp) -+sysenter_after_call: - LOCKDEP_SYS_EXIT - DISABLE_INTERRUPTS(CLBR_ANY) - TRACE_IRQS_OFF -@@ -681,7 +682,12 @@ END(syscall_fault) - - syscall_badsys: - movl $-ENOSYS,PT_EAX(%esp) -- jmp resume_userspace -+ jmp syscall_exit -+END(syscall_badsys) -+ -+sysenter_badsys: -+ movl $-ENOSYS,PT_EAX(%esp) -+ jmp sysenter_after_call - END(syscall_badsys) - CFI_ENDPROC - /* -diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c -index f324429..3a0e92a 100644 ---- a/drivers/acpi/bus.c -+++ b/drivers/acpi/bus.c -@@ -57,6 +57,12 @@ EXPORT_SYMBOL(acpi_root_dir); - - - #ifdef CONFIG_X86 -+#ifdef CONFIG_ACPI_CUSTOM_DSDT -+static inline int set_copy_dsdt(const struct dmi_system_id *id) -+{ -+ return 0; -+} -+#else - static int set_copy_dsdt(const struct dmi_system_id *id) - { - printk(KERN_NOTICE "%s detected - " -@@ -64,6 +70,7 @@ static int set_copy_dsdt(const struct dmi_system_id *id) - acpi_gbl_copy_dsdt_locally = 1; - return 0; - } -+#endif - - static struct dmi_system_id dsdt_dmi_table[] __initdata = { - /* -diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c -index 0feffc3..44a4434 100644 ---- a/drivers/ata/ahci.c -+++ b/drivers/ata/ahci.c -@@ -452,10 +452,14 @@ static const struct pci_device_id ahci_pci_tbl[] = { - .driver_data = board_ahci_yes_fbs }, /* 88se9172 */ - { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9192), - .driver_data = board_ahci_yes_fbs }, /* 88se9172 on some Gigabyte */ -+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0), -+ .driver_data = board_ahci_yes_fbs }, - { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x91a3), - .driver_data = board_ahci_yes_fbs }, - { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230), - .driver_data = board_ahci_yes_fbs }, -+ { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642), -+ .driver_data = board_ahci_yes_fbs }, - - /* Promise */ - { PCI_VDEVICE(PROMISE, 0x3f20), board_ahci }, /* PDC42819 */ -diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c -index 8f3d6db..08bbc48 100644 ---- a/drivers/bluetooth/hci_ldisc.c -+++ b/drivers/bluetooth/hci_ldisc.c -@@ -120,10 +120,6 @@ static inline struct sk_buff *hci_uart_dequeue(struct hci_uart *hu) - - int hci_uart_tx_wakeup(struct hci_uart *hu) - { -- struct tty_struct *tty = hu->tty; -- struct hci_dev *hdev = hu->hdev; -- struct sk_buff *skb; -- - if (test_and_set_bit(HCI_UART_SENDING, &hu->tx_state)) { - set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state); - return 0; -@@ -131,6 +127,22 @@ int hci_uart_tx_wakeup(struct hci_uart *hu) - - BT_DBG(""); - -+ schedule_work(&hu->write_work); -+ -+ return 0; -+} -+ -+static void hci_uart_write_work(struct work_struct *work) -+{ -+ struct hci_uart *hu = container_of(work, struct hci_uart, write_work); -+ struct tty_struct *tty = hu->tty; -+ struct hci_dev *hdev = hu->hdev; -+ struct sk_buff *skb; -+ -+ /* REVISIT: should we cope with bad skbs or ->write() returning -+ * and error value ? -+ */ -+ - restart: - clear_bit(HCI_UART_TX_WAKEUP, &hu->tx_state); - -@@ -155,7 +167,6 @@ restart: - goto restart; - - clear_bit(HCI_UART_SENDING, &hu->tx_state); -- return 0; - } - - /* ------- Interface to HCI layer ------ */ -@@ -274,6 +285,8 @@ static int hci_uart_tty_open(struct tty_struct *tty) - hu->tty = tty; - tty->receive_room = 65536; - -+ INIT_WORK(&hu->write_work, hci_uart_write_work); -+ - spin_lock_init(&hu->rx_lock); - - /* Flush any pending characters in the driver and line discipline. */ -@@ -308,6 +321,8 @@ static void hci_uart_tty_close(struct tty_struct *tty) - if (hdev) - hci_uart_close(hdev); - -+ cancel_work_sync(&hu->write_work); -+ - if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) { - if (hdev) { - hci_unregister_dev(hdev); -diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h -index 99fb352..ff40400 100644 ---- a/drivers/bluetooth/hci_uart.h -+++ b/drivers/bluetooth/hci_uart.h -@@ -64,6 +64,8 @@ struct hci_uart { - unsigned long flags; - unsigned long hdev_flags; - -+ struct work_struct write_work; -+ - struct hci_uart_proto *proto; - void *priv; - -diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c -index acfe567..0731d43 100644 ---- a/drivers/gpu/drm/drm_drv.c -+++ b/drivers/gpu/drm/drm_drv.c -@@ -456,8 +456,9 @@ long drm_ioctl(struct file *filp, - retcode = -EFAULT; - goto err_i1; - } -- } else -+ } else if (cmd & IOC_OUT) { - memset(kdata, 0, usize); -+ } - - if (ioctl->flags & DRM_UNLOCKED) - retcode = func(dev, kdata, file_priv); -diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -index b1bb734..a0b69ae 100644 ---- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c -+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -@@ -287,14 +287,14 @@ i915_gem_execbuffer_relocate_entry(struct drm_i915_gem_object *obj, - * exec_object list, so it should have a GTT space bound by now. - */ - if (unlikely(target_offset == 0)) { -- DRM_ERROR("No GTT space found for object %d\n", -+ DRM_DEBUG("No GTT space found for object %d\n", - reloc->target_handle); - return ret; - } - - /* Validate that the target is in a valid r/w GPU domain */ - if (unlikely(reloc->write_domain & (reloc->write_domain - 1))) { -- DRM_ERROR("reloc with multiple write domains: " -+ DRM_DEBUG("reloc with multiple write domains: " - "obj %p target %d offset %d " - "read %08x write %08x", - obj, reloc->target_handle, -@@ -304,7 +304,7 @@ i915_gem_execbuffer_relocate_entry(struct drm_i915_gem_object *obj, - return ret; - } - if (unlikely((reloc->write_domain | reloc->read_domains) & I915_GEM_DOMAIN_CPU)) { -- DRM_ERROR("reloc with read/write CPU domains: " -+ DRM_DEBUG("reloc with read/write CPU domains: " - "obj %p target %d offset %d " - "read %08x write %08x", - obj, reloc->target_handle, -@@ -315,7 +315,7 @@ i915_gem_execbuffer_relocate_entry(struct drm_i915_gem_object *obj, - } - if (unlikely(reloc->write_domain && target_obj->pending_write_domain && - reloc->write_domain != target_obj->pending_write_domain)) { -- DRM_ERROR("Write domain conflict: " -+ DRM_DEBUG("Write domain conflict: " - "obj %p target %d offset %d " - "new %08x old %08x\n", - obj, reloc->target_handle, -@@ -336,7 +336,7 @@ i915_gem_execbuffer_relocate_entry(struct drm_i915_gem_object *obj, - - /* Check that the relocation address is valid... */ - if (unlikely(reloc->offset > obj->base.size - 4)) { -- DRM_ERROR("Relocation beyond object bounds: " -+ DRM_DEBUG("Relocation beyond object bounds: " - "obj %p target %d offset %d size %d.\n", - obj, reloc->target_handle, - (int) reloc->offset, -@@ -344,7 +344,7 @@ i915_gem_execbuffer_relocate_entry(struct drm_i915_gem_object *obj, - return ret; - } - if (unlikely(reloc->offset & 3)) { -- DRM_ERROR("Relocation not 4-byte aligned: " -+ DRM_DEBUG("Relocation not 4-byte aligned: " - "obj %p target %d offset %d.\n", - obj, reloc->target_handle, - (int) reloc->offset); -@@ -679,9 +679,9 @@ i915_gem_execbuffer_relocate_slow(struct drm_device *dev, - * relocations were valid. - */ - for (j = 0; j < exec[i].relocation_count; j++) { -- if (copy_to_user(&user_relocs[j].presumed_offset, -- &invalid_offset, -- sizeof(invalid_offset))) { -+ if (__copy_to_user(&user_relocs[j].presumed_offset, -+ &invalid_offset, -+ sizeof(invalid_offset))) { - ret = -EFAULT; - mutex_lock(&dev->struct_mutex); - goto err; -@@ -704,7 +704,7 @@ i915_gem_execbuffer_relocate_slow(struct drm_device *dev, - obj = to_intel_bo(drm_gem_object_lookup(dev, file, - exec[i].handle)); - if (&obj->base == NULL) { -- DRM_ERROR("Invalid object handle %d at index %d\n", -+ DRM_DEBUG("Invalid object handle %d at index %d\n", - exec[i].handle, i); - ret = -ENOENT; - goto err; -@@ -1015,7 +1015,7 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, - int ret, mode, i; - - if (!i915_gem_check_execbuffer(args)) { -- DRM_ERROR("execbuf with invalid offset/length\n"); -+ DRM_DEBUG("execbuf with invalid offset/length\n"); - return -EINVAL; - } - -@@ -1030,20 +1030,20 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, - break; - case I915_EXEC_BSD: - if (!HAS_BSD(dev)) { -- DRM_ERROR("execbuf with invalid ring (BSD)\n"); -+ DRM_DEBUG("execbuf with invalid ring (BSD)\n"); - return -EINVAL; - } - ring = &dev_priv->ring[VCS]; - break; - case I915_EXEC_BLT: - if (!HAS_BLT(dev)) { -- DRM_ERROR("execbuf with invalid ring (BLT)\n"); -+ DRM_DEBUG("execbuf with invalid ring (BLT)\n"); - return -EINVAL; - } - ring = &dev_priv->ring[BCS]; - break; - default: -- DRM_ERROR("execbuf with unknown ring: %d\n", -+ DRM_DEBUG("execbuf with unknown ring: %d\n", - (int)(args->flags & I915_EXEC_RING_MASK)); - return -EINVAL; - } -@@ -1069,18 +1069,18 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, - } - break; - default: -- DRM_ERROR("execbuf with unknown constants: %d\n", mode); -+ DRM_DEBUG("execbuf with unknown constants: %d\n", mode); - return -EINVAL; - } - - if (args->buffer_count < 1) { -- DRM_ERROR("execbuf with %d buffers\n", args->buffer_count); -+ DRM_DEBUG("execbuf with %d buffers\n", args->buffer_count); - return -EINVAL; - } - - if (args->num_cliprects != 0) { - if (ring != &dev_priv->ring[RCS]) { -- DRM_ERROR("clip rectangles are only valid with the render ring\n"); -+ DRM_DEBUG("clip rectangles are only valid with the render ring\n"); - return -EINVAL; - } - -@@ -1130,7 +1130,7 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, - obj = to_intel_bo(drm_gem_object_lookup(dev, file, - exec[i].handle)); - if (&obj->base == NULL) { -- DRM_ERROR("Invalid object handle %d at index %d\n", -+ DRM_DEBUG("Invalid object handle %d at index %d\n", - exec[i].handle, i); - /* prevent error path from reading uninitialized data */ - ret = -ENOENT; -@@ -1138,7 +1138,7 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, - } - - if (!list_empty(&obj->exec_list)) { -- DRM_ERROR("Object %p [handle %d, index %d] appears more than once in object list\n", -+ DRM_DEBUG("Object %p [handle %d, index %d] appears more than once in object list\n", - obj, exec[i].handle, i); - ret = -EINVAL; - goto err; -@@ -1176,7 +1176,7 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, - - /* Set the pending read domains for the batch buffer to COMMAND */ - if (batch_obj->base.pending_write_domain) { -- DRM_ERROR("Attempting to use self-modifying batch buffer\n"); -+ DRM_DEBUG("Attempting to use self-modifying batch buffer\n"); - ret = -EINVAL; - goto err; - } -@@ -1275,7 +1275,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, - int ret, i; - - if (args->buffer_count < 1) { -- DRM_ERROR("execbuf with %d buffers\n", args->buffer_count); -+ DRM_DEBUG("execbuf with %d buffers\n", args->buffer_count); - return -EINVAL; - } - -@@ -1283,7 +1283,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, - exec_list = drm_malloc_ab(sizeof(*exec_list), args->buffer_count); - exec2_list = drm_malloc_ab(sizeof(*exec2_list), args->buffer_count); - if (exec_list == NULL || exec2_list == NULL) { -- DRM_ERROR("Failed to allocate exec list for %d buffers\n", -+ DRM_DEBUG("Failed to allocate exec list for %d buffers\n", - args->buffer_count); - drm_free_large(exec_list); - drm_free_large(exec2_list); -@@ -1294,7 +1294,7 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, - (uintptr_t) args->buffers_ptr, - sizeof(*exec_list) * args->buffer_count); - if (ret != 0) { -- DRM_ERROR("copy %d exec entries failed %d\n", -+ DRM_DEBUG("copy %d exec entries failed %d\n", - args->buffer_count, ret); - drm_free_large(exec_list); - drm_free_large(exec2_list); -@@ -1325,19 +1325,21 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, - - ret = i915_gem_do_execbuffer(dev, data, file, &exec2, exec2_list); - if (!ret) { -+ struct drm_i915_gem_exec_object __user *user_exec_list = -+ (void __user *)(uintptr_t)args->buffers_ptr; -+ - /* Copy the new buffer offsets back to the user's exec list. */ -- for (i = 0; i < args->buffer_count; i++) -- exec_list[i].offset = exec2_list[i].offset; -- /* ... and back out to userspace */ -- ret = copy_to_user((struct drm_i915_relocation_entry __user *) -- (uintptr_t) args->buffers_ptr, -- exec_list, -- sizeof(*exec_list) * args->buffer_count); -- if (ret) { -- ret = -EFAULT; -- DRM_ERROR("failed to copy %d exec entries " -- "back to user (%d)\n", -- args->buffer_count, ret); -+ for (i = 0; i < args->buffer_count; i++) { -+ ret = __copy_to_user(&user_exec_list[i].offset, -+ &exec2_list[i].offset, -+ sizeof(user_exec_list[i].offset)); -+ if (ret) { -+ ret = -EFAULT; -+ DRM_DEBUG("failed to copy %d exec entries " -+ "back to user (%d)\n", -+ args->buffer_count, ret); -+ break; -+ } - } - } - -@@ -1356,7 +1358,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, - - if (args->buffer_count < 1 || - args->buffer_count > UINT_MAX / sizeof(*exec2_list)) { -- DRM_ERROR("execbuf2 with %d buffers\n", args->buffer_count); -+ DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count); - return -EINVAL; - } - -@@ -1366,7 +1368,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, - exec2_list = drm_malloc_ab(sizeof(*exec2_list), - args->buffer_count); - if (exec2_list == NULL) { -- DRM_ERROR("Failed to allocate exec list for %d buffers\n", -+ DRM_DEBUG("Failed to allocate exec list for %d buffers\n", - args->buffer_count); - return -ENOMEM; - } -@@ -1375,7 +1377,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, - (uintptr_t) args->buffers_ptr, - sizeof(*exec2_list) * args->buffer_count); - if (ret != 0) { -- DRM_ERROR("copy %d exec entries failed %d\n", -+ DRM_DEBUG("copy %d exec entries failed %d\n", - args->buffer_count, ret); - drm_free_large(exec2_list); - return -EFAULT; -@@ -1384,15 +1386,21 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, - ret = i915_gem_do_execbuffer(dev, data, file, args, exec2_list); - if (!ret) { - /* Copy the new buffer offsets back to the user's exec list. */ -- ret = copy_to_user((struct drm_i915_relocation_entry __user *) -- (uintptr_t) args->buffers_ptr, -- exec2_list, -- sizeof(*exec2_list) * args->buffer_count); -- if (ret) { -- ret = -EFAULT; -- DRM_ERROR("failed to copy %d exec entries " -- "back to user (%d)\n", -- args->buffer_count, ret); -+ struct drm_i915_gem_exec_object2 __user *user_exec_list = -+ (void __user *)(uintptr_t)args->buffers_ptr; -+ int i; -+ -+ for (i = 0; i < args->buffer_count; i++) { -+ ret = __copy_to_user(&user_exec_list[i].offset, -+ &exec2_list[i].offset, -+ sizeof(user_exec_list[i].offset)); -+ if (ret) { -+ ret = -EFAULT; -+ DRM_DEBUG("failed to copy %d exec entries " -+ "back to user\n", -+ args->buffer_count); -+ break; -+ } - } - } - -diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c -index cd98c06..927d170 100644 ---- a/drivers/gpu/drm/radeon/atombios_crtc.c -+++ b/drivers/gpu/drm/radeon/atombios_crtc.c -@@ -830,14 +830,16 @@ static void atombios_crtc_program_pll(struct drm_crtc *crtc, - args.v5.ucMiscInfo = 0; /* HDMI depth, etc. */ - if (ss_enabled && (ss->type & ATOM_EXTERNAL_SS_MASK)) - args.v5.ucMiscInfo |= PIXEL_CLOCK_V5_MISC_REF_DIV_SRC; -- switch (bpc) { -- case 8: -- default: -- args.v5.ucMiscInfo |= PIXEL_CLOCK_V5_MISC_HDMI_24BPP; -- break; -- case 10: -- args.v5.ucMiscInfo |= PIXEL_CLOCK_V5_MISC_HDMI_30BPP; -- break; -+ if (encoder_mode == ATOM_ENCODER_MODE_HDMI) { -+ switch (bpc) { -+ case 8: -+ default: -+ args.v5.ucMiscInfo |= PIXEL_CLOCK_V5_MISC_HDMI_24BPP; -+ break; -+ case 10: -+ args.v5.ucMiscInfo |= PIXEL_CLOCK_V5_MISC_HDMI_30BPP; -+ break; -+ } - } - args.v5.ucTransmitterID = encoder_id; - args.v5.ucEncoderMode = encoder_mode; -@@ -852,20 +854,22 @@ static void atombios_crtc_program_pll(struct drm_crtc *crtc, - args.v6.ucMiscInfo = 0; /* HDMI depth, etc. */ - if (ss_enabled && (ss->type & ATOM_EXTERNAL_SS_MASK)) - args.v6.ucMiscInfo |= PIXEL_CLOCK_V6_MISC_REF_DIV_SRC; -- switch (bpc) { -- case 8: -- default: -- args.v6.ucMiscInfo |= PIXEL_CLOCK_V6_MISC_HDMI_24BPP; -- break; -- case 10: -- args.v6.ucMiscInfo |= PIXEL_CLOCK_V6_MISC_HDMI_30BPP; -- break; -- case 12: -- args.v6.ucMiscInfo |= PIXEL_CLOCK_V6_MISC_HDMI_36BPP; -- break; -- case 16: -- args.v6.ucMiscInfo |= PIXEL_CLOCK_V6_MISC_HDMI_48BPP; -- break; -+ if (encoder_mode == ATOM_ENCODER_MODE_HDMI) { -+ switch (bpc) { -+ case 8: -+ default: -+ args.v6.ucMiscInfo |= PIXEL_CLOCK_V6_MISC_HDMI_24BPP; -+ break; -+ case 10: -+ args.v6.ucMiscInfo |= PIXEL_CLOCK_V6_MISC_HDMI_30BPP; -+ break; -+ case 12: -+ args.v6.ucMiscInfo |= PIXEL_CLOCK_V6_MISC_HDMI_36BPP; -+ break; -+ case 16: -+ args.v6.ucMiscInfo |= PIXEL_CLOCK_V6_MISC_HDMI_48BPP; -+ break; -+ } - } - args.v6.ucTransmitterID = encoder_id; - args.v6.ucEncoderMode = encoder_mode; -diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c -index 475a275..286f1fa 100644 ---- a/drivers/gpu/drm/radeon/atombios_encoders.c -+++ b/drivers/gpu/drm/radeon/atombios_encoders.c -@@ -1626,8 +1626,11 @@ atombios_set_encoder_crtc_source(struct drm_encoder *encoder) - args.v2.ucEncodeMode = ATOM_ENCODER_MODE_CRT; - else - args.v2.ucEncodeMode = atombios_get_encoder_mode(encoder); -- } else -+ } else if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) { -+ args.v2.ucEncodeMode = ATOM_ENCODER_MODE_LVDS; -+ } else { - args.v2.ucEncodeMode = atombios_get_encoder_mode(encoder); -+ } - switch (radeon_encoder->encoder_id) { - case ENCODER_OBJECT_ID_INTERNAL_UNIPHY: - case ENCODER_OBJECT_ID_INTERNAL_UNIPHY1: -diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c -index b101843..683cede 100644 ---- a/drivers/gpu/drm/radeon/radeon_connectors.c -+++ b/drivers/gpu/drm/radeon/radeon_connectors.c -@@ -1246,7 +1246,7 @@ bool radeon_connector_is_dp12_capable(struct drm_connector *connector) - struct radeon_device *rdev = dev->dev_private; - - if (ASIC_IS_DCE5(rdev) && -- (rdev->clock.dp_extclk >= 53900) && -+ (rdev->clock.default_dispclk >= 53900) && - radeon_connector_encoder_is_hbr2(connector)) { - return true; - } -diff --git a/drivers/gpu/drm/radeon/rs600.c b/drivers/gpu/drm/radeon/rs600.c -index cea482a..dc00155 100644 ---- a/drivers/gpu/drm/radeon/rs600.c -+++ b/drivers/gpu/drm/radeon/rs600.c -@@ -529,8 +529,11 @@ int rs600_gart_set_page(struct radeon_device *rdev, int i, uint64_t addr) - return -EINVAL; - } - addr = addr & 0xFFFFFFFFFFFFF000ULL; -- addr |= R600_PTE_VALID | R600_PTE_SYSTEM | R600_PTE_SNOOPED; -- addr |= R600_PTE_READABLE | R600_PTE_WRITEABLE; -+ if (addr == rdev->dummy_page.addr) -+ addr |= R600_PTE_SYSTEM | R600_PTE_SNOOPED; -+ else -+ addr |= (R600_PTE_VALID | R600_PTE_SYSTEM | R600_PTE_SNOOPED | -+ R600_PTE_READABLE | R600_PTE_WRITEABLE); - writeq(addr, ptr + (i * 8)); - return 0; - } -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 9ac4389..64d79d2 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -754,7 +754,17 @@ struct hid_report *hid_validate_values(struct hid_device *hid, - * ->numbered being checked, which may not always be the case when - * drivers go to access report values. - */ -- report = hid->report_enum[type].report_id_hash[id]; -+ if (id == 0) { -+ /* -+ * Validating on id 0 means we should examine the first -+ * report in the list. -+ */ -+ report = list_entry( -+ hid->report_enum[type].report_list.next, -+ struct hid_report, list); -+ } else { -+ report = hid->report_enum[type].report_id_hash[id]; -+ } - if (!report) { - hid_err(hid, "missing %s %u\n", hid_report_names[type], id); - return NULL; -diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c -index 07db229..c685881 100644 ---- a/drivers/infiniband/core/user_mad.c -+++ b/drivers/infiniband/core/user_mad.c -@@ -780,27 +780,19 @@ static int ib_umad_open(struct inode *inode, struct file *filp) - { - struct ib_umad_port *port; - struct ib_umad_file *file; -- int ret; -+ int ret = -ENXIO; - - port = container_of(inode->i_cdev, struct ib_umad_port, cdev); -- if (port) -- kref_get(&port->umad_dev->ref); -- else -- return -ENXIO; - - mutex_lock(&port->file_mutex); - -- if (!port->ib_dev) { -- ret = -ENXIO; -+ if (!port->ib_dev) - goto out; -- } - -+ ret = -ENOMEM; - file = kzalloc(sizeof *file, GFP_KERNEL); -- if (!file) { -- kref_put(&port->umad_dev->ref, ib_umad_release_dev); -- ret = -ENOMEM; -+ if (!file) - goto out; -- } - - mutex_init(&file->mutex); - spin_lock_init(&file->send_lock); -@@ -814,6 +806,13 @@ static int ib_umad_open(struct inode *inode, struct file *filp) - list_add_tail(&file->port_list, &port->file_list); - - ret = nonseekable_open(inode, filp); -+ if (ret) { -+ list_del(&file->port_list); -+ kfree(file); -+ goto out; -+ } -+ -+ kref_get(&port->umad_dev->ref); - - out: - mutex_unlock(&port->file_mutex); -@@ -880,10 +879,6 @@ static int ib_umad_sm_open(struct inode *inode, struct file *filp) - int ret; - - port = container_of(inode->i_cdev, struct ib_umad_port, sm_cdev); -- if (port) -- kref_get(&port->umad_dev->ref); -- else -- return -ENXIO; - - if (filp->f_flags & O_NONBLOCK) { - if (down_trylock(&port->sm_sem)) { -@@ -898,17 +893,27 @@ static int ib_umad_sm_open(struct inode *inode, struct file *filp) - } - - ret = ib_modify_port(port->ib_dev, port->port_num, 0, &props); -- if (ret) { -- up(&port->sm_sem); -- goto fail; -- } -+ if (ret) -+ goto err_up_sem; - - filp->private_data = port; - -- return nonseekable_open(inode, filp); -+ ret = nonseekable_open(inode, filp); -+ if (ret) -+ goto err_clr_sm_cap; -+ -+ kref_get(&port->umad_dev->ref); -+ -+ return 0; -+ -+err_clr_sm_cap: -+ swap(props.set_port_cap_mask, props.clr_port_cap_mask); -+ ib_modify_port(port->ib_dev, port->port_num, 0, &props); -+ -+err_up_sem: -+ up(&port->sm_sem); - - fail: -- kref_put(&port->umad_dev->ref, ib_umad_release_dev); - return ret; - } - -diff --git a/drivers/infiniband/hw/cxgb4/cq.c b/drivers/infiniband/hw/cxgb4/cq.c -index 0f1607c..3bd6b69 100644 ---- a/drivers/infiniband/hw/cxgb4/cq.c -+++ b/drivers/infiniband/hw/cxgb4/cq.c -@@ -843,7 +843,8 @@ struct ib_cq *c4iw_create_cq(struct ib_device *ibdev, int entries, - uresp.gts_key = ucontext->key; - ucontext->key += PAGE_SIZE; - spin_unlock(&ucontext->mmap_lock); -- ret = ib_copy_to_udata(udata, &uresp, sizeof uresp); -+ ret = ib_copy_to_udata(udata, &uresp, -+ sizeof(uresp) - sizeof(uresp.reserved)); - if (ret) - goto err5; - -diff --git a/drivers/infiniband/hw/cxgb4/user.h b/drivers/infiniband/hw/cxgb4/user.h -index e6669d5..06e8938 100644 ---- a/drivers/infiniband/hw/cxgb4/user.h -+++ b/drivers/infiniband/hw/cxgb4/user.h -@@ -48,6 +48,7 @@ struct c4iw_create_cq_resp { - __u32 cqid; - __u32 size; - __u32 qid_mask; -+ __u32 reserved; /* explicit padding (optional for i386) */ - }; - - -diff --git a/drivers/infiniband/hw/ipath/ipath_diag.c b/drivers/infiniband/hw/ipath/ipath_diag.c -index e2f9a51..45802e9 100644 ---- a/drivers/infiniband/hw/ipath/ipath_diag.c -+++ b/drivers/infiniband/hw/ipath/ipath_diag.c -@@ -346,6 +346,10 @@ static ssize_t ipath_diagpkt_write(struct file *fp, - ret = -EFAULT; - goto bail; - } -+ dp.len = odp.len; -+ dp.unit = odp.unit; -+ dp.data = odp.data; -+ dp.pbc_wd = 0; - } else { - ret = -EINVAL; - goto bail; -diff --git a/drivers/infiniband/hw/qib/qib_mad.c b/drivers/infiniband/hw/qib/qib_mad.c -index 3b3745f..dd2ad6d3 100644 ---- a/drivers/infiniband/hw/qib/qib_mad.c -+++ b/drivers/infiniband/hw/qib/qib_mad.c -@@ -1007,7 +1007,7 @@ static int set_pkeys(struct qib_devdata *dd, u8 port, u16 *pkeys) - - event.event = IB_EVENT_PKEY_CHANGE; - event.device = &dd->verbs_dev.ibdev; -- event.element.port_num = 1; -+ event.element.port_num = port; - ib_dispatch_event(&event); - } - return 0; -diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c -index 4ec049d..8770d44 100644 ---- a/drivers/infiniband/ulp/srp/ib_srp.c -+++ b/drivers/infiniband/ulp/srp/ib_srp.c -@@ -1353,6 +1353,12 @@ err_unmap: - err_iu: - srp_put_tx_iu(target, iu, SRP_IU_CMD); - -+ /* -+ * Avoid that the loops that iterate over the request ring can -+ * encounter a dangling SCSI command pointer. -+ */ -+ req->scmnd = NULL; -+ - spin_lock_irqsave(&target->lock, flags); - list_add(&req->list, &target->free_reqs); - -diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c -index 342a059..70423dc 100644 ---- a/drivers/input/mouse/elantech.c -+++ b/drivers/input/mouse/elantech.c -@@ -455,8 +455,15 @@ static void elantech_report_absolute_v3(struct psmouse *psmouse, - input_report_key(dev, BTN_TOOL_FINGER, fingers == 1); - input_report_key(dev, BTN_TOOL_DOUBLETAP, fingers == 2); - input_report_key(dev, BTN_TOOL_TRIPLETAP, fingers == 3); -- input_report_key(dev, BTN_LEFT, packet[0] & 0x01); -- input_report_key(dev, BTN_RIGHT, packet[0] & 0x02); -+ -+ /* For clickpads map both buttons to BTN_LEFT */ -+ if (etd->fw_version & 0x001000) { -+ input_report_key(dev, BTN_LEFT, packet[0] & 0x03); -+ } else { -+ input_report_key(dev, BTN_LEFT, packet[0] & 0x01); -+ input_report_key(dev, BTN_RIGHT, packet[0] & 0x02); -+ } -+ - input_report_abs(dev, ABS_PRESSURE, pres); - input_report_abs(dev, ABS_TOOL_WIDTH, width); - -@@ -466,10 +473,17 @@ static void elantech_report_absolute_v3(struct psmouse *psmouse, - static void elantech_input_sync_v4(struct psmouse *psmouse) - { - struct input_dev *dev = psmouse->dev; -+ struct elantech_data *etd = psmouse->private; - unsigned char *packet = psmouse->packet; - -- input_report_key(dev, BTN_LEFT, packet[0] & 0x01); -- input_report_key(dev, BTN_RIGHT, packet[0] & 0x02); -+ /* For clickpads map both buttons to BTN_LEFT */ -+ if (etd->fw_version & 0x001000) { -+ input_report_key(dev, BTN_LEFT, packet[0] & 0x03); -+ } else { -+ input_report_key(dev, BTN_LEFT, packet[0] & 0x01); -+ input_report_key(dev, BTN_RIGHT, packet[0] & 0x02); -+ } -+ - input_mt_report_pointer_emulation(dev, true); - input_sync(dev); - } -@@ -787,7 +801,7 @@ static int elantech_set_absolute_mode(struct psmouse *psmouse) - if (etd->set_hw_resolution) - etd->reg_10 = 0x0b; - else -- etd->reg_10 = 0x03; -+ etd->reg_10 = 0x01; - - if (elantech_write_reg(psmouse, 0x10, etd->reg_10)) - rc = -1; -@@ -1211,7 +1225,8 @@ static int elantech_reconnect(struct psmouse *psmouse) - } - - /* -- * Some hw_version 3 models go into error state when we try to set bit 3 of r10 -+ * Some hw_version 3 models go into error state when we try to set -+ * bit 3 and/or bit 1 of r10. - */ - static const struct dmi_system_id no_hw_res_dmi_table[] = { - #if defined(CONFIG_DMI) && defined(CONFIG_X86) -diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c -index 8a39807..df8b72b 100644 ---- a/drivers/input/mouse/synaptics.c -+++ b/drivers/input/mouse/synaptics.c -@@ -245,14 +245,6 @@ static int synaptics_resolution(struct psmouse *psmouse) - struct synaptics_data *priv = psmouse->private; - unsigned char resp[3]; - -- if (quirk_min_max) { -- priv->x_min = quirk_min_max[0]; -- priv->x_max = quirk_min_max[1]; -- priv->y_min = quirk_min_max[2]; -- priv->y_max = quirk_min_max[3]; -- return 0; -- } -- - if (SYN_ID_MAJOR(priv->identity) < 4) - return 0; - -@@ -263,6 +255,14 @@ static int synaptics_resolution(struct psmouse *psmouse) - } - } - -+ if (quirk_min_max) { -+ priv->x_min = quirk_min_max[0]; -+ priv->x_max = quirk_min_max[1]; -+ priv->y_min = quirk_min_max[2]; -+ priv->y_max = quirk_min_max[3]; -+ return 0; -+ } -+ - if (SYN_EXT_CAP_REQUESTS(priv->capabilities) >= 5 && - SYN_CAP_MAX_DIMENSIONS(priv->ext_cap_0c)) { - if (synaptics_send_cmd(psmouse, SYN_QUE_EXT_MAX_COORDS, resp)) { -@@ -1431,7 +1431,7 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = { - DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), - DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T540"), - }, -- .driver_data = (int []){1024, 5056, 2058, 4832}, -+ .driver_data = (int []){1024, 5112, 2024, 4832}, - }, - { - /* Lenovo ThinkPad L540 */ -@@ -1442,6 +1442,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = { - .driver_data = (int []){1024, 5112, 2024, 4832}, - }, - { -+ /* Lenovo ThinkPad W540 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad W540"), -+ }, -+ .driver_data = (int []){1024, 5112, 2024, 4832}, -+ }, -+ { - /* Lenovo Yoga S1 */ - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c -index 1a51b3d..bb1e579 100644 ---- a/drivers/iommu/intel-iommu.c -+++ b/drivers/iommu/intel-iommu.c -@@ -4070,7 +4070,7 @@ static int intel_iommu_unmap(struct iommu_domain *domain, - { - struct dmar_domain *dmar_domain = domain->priv; - size_t size = PAGE_SIZE << gfp_order; -- int order; -+ int order, iommu_id; - - order = dma_pte_clear_range(dmar_domain, iova >> VTD_PAGE_SHIFT, - (iova + size - 1) >> VTD_PAGE_SHIFT); -@@ -4078,6 +4078,22 @@ static int intel_iommu_unmap(struct iommu_domain *domain, - if (dmar_domain->max_addr == iova + size) - dmar_domain->max_addr = iova; - -+ for_each_set_bit(iommu_id, &dmar_domain->iommu_bmp, g_num_of_iommus) { -+ struct intel_iommu *iommu = g_iommus[iommu_id]; -+ int num, ndomains; -+ -+ /* -+ * find bit position of dmar_domain -+ */ -+ ndomains = cap_ndoms(iommu->cap); -+ for_each_set_bit(num, iommu->domain_ids, ndomains) { -+ if (iommu->domains[num] == dmar_domain) -+ iommu_flush_iotlb_psi(iommu, num, -+ iova >> VTD_PAGE_SHIFT, -+ 1 << order, 0); -+ } -+ } -+ - return order; - } - -diff --git a/drivers/md/md.c b/drivers/md/md.c -index db4b4a8..30a7b52 100644 ---- a/drivers/md/md.c -+++ b/drivers/md/md.c -@@ -7035,8 +7035,10 @@ void md_do_sync(struct mddev *mddev) - /* just incase thread restarts... */ - if (test_bit(MD_RECOVERY_DONE, &mddev->recovery)) - return; -- if (mddev->ro) /* never try to sync a read-only array */ -+ if (mddev->ro) {/* never try to sync a read-only array */ -+ set_bit(MD_RECOVERY_INTR, &mddev->recovery); - return; -+ } - - if (test_bit(MD_RECOVERY_SYNC, &mddev->recovery)) { - if (test_bit(MD_RECOVERY_CHECK, &mddev->recovery)) -diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c -index 94bbc85..b02adbc 100644 ---- a/drivers/net/ethernet/mellanox/mlx4/main.c -+++ b/drivers/net/ethernet/mellanox/mlx4/main.c -@@ -1220,7 +1220,7 @@ static void mlx4_clear_steering(struct mlx4_dev *dev) - kfree(priv->steer); - } - --static int __mlx4_init_one(struct pci_dev *pdev, const struct pci_device_id *id) -+static int __mlx4_init_one(struct pci_dev *pdev, int pci_dev_data) - { - struct mlx4_priv *priv; - struct mlx4_dev *dev; -@@ -1283,15 +1283,8 @@ static int __mlx4_init_one(struct pci_dev *pdev, const struct pci_device_id *id) - /* Allow large DMA segments, up to the firmware limit of 1 GB */ - dma_set_max_seg_size(&pdev->dev, 1024 * 1024 * 1024); - -- priv = kzalloc(sizeof *priv, GFP_KERNEL); -- if (!priv) { -- dev_err(&pdev->dev, "Device struct alloc failed, " -- "aborting.\n"); -- err = -ENOMEM; -- goto err_release_regions; -- } -- -- dev = &priv->dev; -+ dev = pci_get_drvdata(pdev); -+ priv = mlx4_priv(dev); - dev->pdev = pdev; - INIT_LIST_HEAD(&priv->ctx_list); - spin_lock_init(&priv->ctx_lock); -@@ -1362,7 +1355,7 @@ static int __mlx4_init_one(struct pci_dev *pdev, const struct pci_device_id *id) - mlx4_sense_init(dev); - mlx4_start_sense(dev); - -- pci_set_drvdata(pdev, dev); -+ priv->removed = 0; - - return 0; - -@@ -1412,59 +1405,90 @@ err_disable_pdev: - static int __devinit mlx4_init_one(struct pci_dev *pdev, - const struct pci_device_id *id) - { -+ struct mlx4_priv *priv; -+ struct mlx4_dev *dev; -+ - printk_once(KERN_INFO "%s", mlx4_version); - -- return __mlx4_init_one(pdev, id); -+ priv = kzalloc(sizeof(*priv), GFP_KERNEL); -+ if (!priv) -+ return -ENOMEM; -+ -+ dev = &priv->dev; -+ pci_set_drvdata(pdev, dev); -+ priv->pci_dev_data = id->driver_data; -+ -+ return __mlx4_init_one(pdev, id->driver_data); - } - --static void mlx4_remove_one(struct pci_dev *pdev) -+static void __mlx4_remove_one(struct pci_dev *pdev) - { - struct mlx4_dev *dev = pci_get_drvdata(pdev); - struct mlx4_priv *priv = mlx4_priv(dev); -+ int pci_dev_data; - int p; - -- if (dev) { -- mlx4_stop_sense(dev); -- mlx4_unregister_device(dev); -+ if (priv->removed) -+ return; - -- for (p = 1; p <= dev->caps.num_ports; p++) { -- mlx4_cleanup_port_info(&priv->port[p]); -- mlx4_CLOSE_PORT(dev, p); -- } -+ pci_dev_data = priv->pci_dev_data; - -- mlx4_cleanup_counters_table(dev); -- mlx4_cleanup_mcg_table(dev); -- mlx4_cleanup_qp_table(dev); -- mlx4_cleanup_srq_table(dev); -- mlx4_cleanup_cq_table(dev); -- mlx4_cmd_use_polling(dev); -- mlx4_cleanup_eq_table(dev); -- mlx4_cleanup_mr_table(dev); -- mlx4_cleanup_xrcd_table(dev); -- mlx4_cleanup_pd_table(dev); -- -- iounmap(priv->kar); -- mlx4_uar_free(dev, &priv->driver_uar); -- mlx4_cleanup_uar_table(dev); -- mlx4_clear_steering(dev); -- mlx4_free_eq_table(dev); -- mlx4_close_hca(dev); -- mlx4_cmd_cleanup(dev); -- -- if (dev->flags & MLX4_FLAG_MSI_X) -- pci_disable_msix(pdev); -- -- kfree(priv); -- pci_release_regions(pdev); -- pci_disable_device(pdev); -- pci_set_drvdata(pdev, NULL); -+ mlx4_stop_sense(dev); -+ mlx4_unregister_device(dev); -+ -+ for (p = 1; p <= dev->caps.num_ports; p++) { -+ mlx4_cleanup_port_info(&priv->port[p]); -+ mlx4_CLOSE_PORT(dev, p); - } -+ -+ mlx4_cleanup_counters_table(dev); -+ mlx4_cleanup_mcg_table(dev); -+ mlx4_cleanup_qp_table(dev); -+ mlx4_cleanup_srq_table(dev); -+ mlx4_cleanup_cq_table(dev); -+ mlx4_cmd_use_polling(dev); -+ mlx4_cleanup_eq_table(dev); -+ mlx4_cleanup_mr_table(dev); -+ mlx4_cleanup_xrcd_table(dev); -+ mlx4_cleanup_pd_table(dev); -+ -+ iounmap(priv->kar); -+ mlx4_uar_free(dev, &priv->driver_uar); -+ mlx4_cleanup_uar_table(dev); -+ mlx4_clear_steering(dev); -+ mlx4_free_eq_table(dev); -+ mlx4_close_hca(dev); -+ mlx4_cmd_cleanup(dev); -+ -+ if (dev->flags & MLX4_FLAG_MSI_X) -+ pci_disable_msix(pdev); -+ -+ pci_release_regions(pdev); -+ pci_disable_device(pdev); -+ memset(priv, 0, sizeof(*priv)); -+ priv->pci_dev_data = pci_dev_data; -+ priv->removed = 1; -+} -+ -+static void mlx4_remove_one(struct pci_dev *pdev) -+{ -+ struct mlx4_dev *dev = pci_get_drvdata(pdev); -+ struct mlx4_priv *priv = mlx4_priv(dev); -+ -+ __mlx4_remove_one(pdev); -+ kfree(priv); -+ pci_set_drvdata(pdev, NULL); - } - - int mlx4_restart_one(struct pci_dev *pdev) - { -- mlx4_remove_one(pdev); -- return __mlx4_init_one(pdev, NULL); -+ struct mlx4_dev *dev = pci_get_drvdata(pdev); -+ struct mlx4_priv *priv = mlx4_priv(dev); -+ int pci_dev_data; -+ -+ pci_dev_data = priv->pci_dev_data; -+ __mlx4_remove_one(pdev); -+ return __mlx4_init_one(pdev, pci_dev_data); - } - - static DEFINE_PCI_DEVICE_TABLE(mlx4_pci_table) = { -diff --git a/drivers/net/ethernet/mellanox/mlx4/mlx4.h b/drivers/net/ethernet/mellanox/mlx4/mlx4.h -index 5dfa68f..169853d 100644 ---- a/drivers/net/ethernet/mellanox/mlx4/mlx4.h -+++ b/drivers/net/ethernet/mellanox/mlx4/mlx4.h -@@ -328,6 +328,9 @@ struct mlx4_priv { - struct list_head ctx_list; - spinlock_t ctx_lock; - -+ int pci_dev_data; -+ int removed; -+ - struct list_head pgdir_list; - struct mutex pgdir_mutex; - -diff --git a/drivers/net/wireless/b43/xmit.c b/drivers/net/wireless/b43/xmit.c -index c6c34bf..e8afd35 100644 ---- a/drivers/net/wireless/b43/xmit.c -+++ b/drivers/net/wireless/b43/xmit.c -@@ -808,9 +808,13 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr) - break; - case B43_PHYTYPE_G: - status.band = IEEE80211_BAND_2GHZ; -- /* chanid is the radio channel cookie value as used -- * to tune the radio. */ -- status.freq = chanid + 2400; -+ /* Somewhere between 478.104 and 508.1084 firmware for G-PHY -+ * has been modified to be compatible with N-PHY and others. -+ */ -+ if (dev->fw.rev >= 508) -+ status.freq = ieee80211_channel_to_frequency(chanid, status.band); -+ else -+ status.freq = chanid + 2400; - break; - case B43_PHYTYPE_N: - case B43_PHYTYPE_LP: -diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c -index 1d4c579..ab19949 100644 ---- a/drivers/net/wireless/rt2x00/rt2x00mac.c -+++ b/drivers/net/wireless/rt2x00/rt2x00mac.c -@@ -517,6 +517,8 @@ int rt2x00mac_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, - crypto.cipher = rt2x00crypto_key_to_cipher(key); - if (crypto.cipher == CIPHER_NONE) - return -EOPNOTSUPP; -+ if (crypto.cipher == CIPHER_TKIP && rt2x00_is_usb(rt2x00dev)) -+ return -EOPNOTSUPP; - - crypto.cmd = cmd; - -diff --git a/drivers/rtc/rtc-at91rm9200.c b/drivers/rtc/rtc-at91rm9200.c -index 15406d5..feab697 100644 ---- a/drivers/rtc/rtc-at91rm9200.c -+++ b/drivers/rtc/rtc-at91rm9200.c -@@ -36,6 +36,7 @@ - #define AT91_RTC_EPOCH 1900UL /* just like arch/arm/common/rtctime.c */ - - static DECLARE_COMPLETION(at91_rtc_updated); -+static DECLARE_COMPLETION(at91_rtc_upd_rdy); - static unsigned int at91_alarm_year = AT91_RTC_EPOCH; - - /* -@@ -97,6 +98,8 @@ static int at91_rtc_settime(struct device *dev, struct rtc_time *tm) - 1900 + tm->tm_year, tm->tm_mon, tm->tm_mday, - tm->tm_hour, tm->tm_min, tm->tm_sec); - -+ wait_for_completion(&at91_rtc_upd_rdy); -+ - /* Stop Time/Calendar from counting */ - cr = at91_sys_read(AT91_RTC_CR); - at91_sys_write(AT91_RTC_CR, cr | AT91_RTC_UPDCAL | AT91_RTC_UPDTIM); -@@ -119,7 +122,9 @@ static int at91_rtc_settime(struct device *dev, struct rtc_time *tm) - - /* Restart Time/Calendar */ - cr = at91_sys_read(AT91_RTC_CR); -+ at91_sys_write(AT91_RTC_SCCR, AT91_RTC_SECEV); - at91_sys_write(AT91_RTC_CR, cr & ~(AT91_RTC_UPDCAL | AT91_RTC_UPDTIM)); -+ at91_sys_write(AT91_RTC_IER, AT91_RTC_SECEV); - - return 0; - } -@@ -226,8 +231,10 @@ static irqreturn_t at91_rtc_interrupt(int irq, void *dev_id) - if (rtsr) { /* this interrupt is shared! Is it ours? */ - if (rtsr & AT91_RTC_ALARM) - events |= (RTC_AF | RTC_IRQF); -- if (rtsr & AT91_RTC_SECEV) -- events |= (RTC_UF | RTC_IRQF); -+ if (rtsr & AT91_RTC_SECEV) { -+ complete(&at91_rtc_upd_rdy); -+ at91_sys_write(AT91_RTC_IDR, AT91_RTC_SECEV); -+ } - if (rtsr & AT91_RTC_ACKUPD) - complete(&at91_rtc_updated); - -@@ -291,6 +298,11 @@ static int __init at91_rtc_probe(struct platform_device *pdev) - } - platform_set_drvdata(pdev, rtc); - -+ /* enable SECEV interrupt in order to initialize at91_rtc_upd_rdy -+ * completion. -+ */ -+ at91_sys_write(AT91_RTC_IER, AT91_RTC_SECEV); -+ - printk(KERN_INFO "AT91 Real Time Clock driver.\n"); - return 0; - } -diff --git a/drivers/scsi/megaraid/megaraid_sas.h b/drivers/scsi/megaraid/megaraid_sas.h -index dd94c7d..049c22f 100644 ---- a/drivers/scsi/megaraid/megaraid_sas.h -+++ b/drivers/scsi/megaraid/megaraid_sas.h -@@ -1295,7 +1295,6 @@ struct megasas_instance { - u32 *reply_queue; - dma_addr_t reply_queue_h; - -- unsigned long base_addr; - struct megasas_register_set __iomem *reg_set; - - struct megasas_pd_list pd_list[MEGASAS_MAX_PD]; -diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c -index b018997..e45c865 100644 ---- a/drivers/scsi/megaraid/megaraid_sas_base.c -+++ b/drivers/scsi/megaraid/megaraid_sas_base.c -@@ -3499,6 +3499,7 @@ static int megasas_init_fw(struct megasas_instance *instance) - u32 max_sectors_1; - u32 max_sectors_2; - u32 tmp_sectors, msix_enable; -+ resource_size_t base_addr; - struct megasas_register_set __iomem *reg_set; - struct megasas_ctrl_info *ctrl_info; - unsigned long bar_list; -@@ -3507,14 +3508,14 @@ static int megasas_init_fw(struct megasas_instance *instance) - /* Find first memory bar */ - bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM); - instance->bar = find_first_bit(&bar_list, sizeof(unsigned long)); -- instance->base_addr = pci_resource_start(instance->pdev, instance->bar); - if (pci_request_selected_regions(instance->pdev, instance->bar, - "megasas: LSI")) { - printk(KERN_DEBUG "megasas: IO memory region busy!\n"); - return -EBUSY; - } - -- instance->reg_set = ioremap_nocache(instance->base_addr, 8192); -+ base_addr = pci_resource_start(instance->pdev, instance->bar); -+ instance->reg_set = ioremap_nocache(base_addr, 8192); - - if (!instance->reg_set) { - printk(KERN_DEBUG "megasas: Failed to map IO mem\n"); -diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c -index c83571e..d2f8061 100644 ---- a/drivers/scsi/scsi_error.c -+++ b/drivers/scsi/scsi_error.c -@@ -902,6 +902,15 @@ int scsi_eh_get_sense(struct list_head *work_q, - SCSI_SENSE_VALID(scmd)) - continue; - -+ if (status_byte(scmd->result) != CHECK_CONDITION) -+ /* -+ * don't request sense if there's no check condition -+ * status because the error we're processing isn't one -+ * that has a sense code (and some devices get -+ * confused by sense requests out of the blue) -+ */ -+ continue; -+ - SCSI_LOG_ERROR_RECOVERY(2, scmd_printk(KERN_INFO, scmd, - "%s: requesting sense\n", - current->comm)); -diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c -index 6c4b620..cd4ac38 100644 ---- a/drivers/scsi/scsi_lib.c -+++ b/drivers/scsi/scsi_lib.c -@@ -155,13 +155,14 @@ static int __scsi_queue_insert(struct scsi_cmnd *cmd, int reason, int unbusy) - - /* - * Requeue this command. It will go before all other commands -- * that are already in the queue. -+ * that are already in the queue. Schedule requeue work under -+ * lock such that the kblockd_schedule_work() call happens -+ * before blk_cleanup_queue() finishes. - */ - spin_lock_irqsave(q->queue_lock, flags); - blk_requeue_request(q, cmd->request); -- spin_unlock_irqrestore(q->queue_lock, flags); -- - kblockd_schedule_work(q, &device->requeue_work); -+ spin_unlock_irqrestore(q->queue_lock, flags); - - return 0; - } -diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c -index c6c80c9..29f5751 100644 ---- a/drivers/scsi/scsi_scan.c -+++ b/drivers/scsi/scsi_scan.c -@@ -332,6 +332,7 @@ static void scsi_target_destroy(struct scsi_target *starget) - struct Scsi_Host *shost = dev_to_shost(dev->parent); - unsigned long flags; - -+ starget->state = STARGET_DEL; - transport_destroy_device(dev); - spin_lock_irqsave(shost->host_lock, flags); - if (shost->hostt->target_destroy) -@@ -383,6 +384,37 @@ static struct scsi_target *__scsi_find_target(struct device *parent, - } - - /** -+ * scsi_target_reap_ref_release - remove target from visibility -+ * @kref: the reap_ref in the target being released -+ * -+ * Called on last put of reap_ref, which is the indication that no device -+ * under this target is visible anymore, so render the target invisible in -+ * sysfs. Note: we have to be in user context here because the target reaps -+ * should be done in places where the scsi device visibility is being removed. -+ */ -+static void scsi_target_reap_ref_release(struct kref *kref) -+{ -+ struct scsi_target *starget -+ = container_of(kref, struct scsi_target, reap_ref); -+ -+ /* -+ * if we get here and the target is still in the CREATED state that -+ * means it was allocated but never made visible (because a scan -+ * turned up no LUNs), so don't call device_del() on it. -+ */ -+ if (starget->state != STARGET_CREATED) { -+ transport_remove_device(&starget->dev); -+ device_del(&starget->dev); -+ } -+ scsi_target_destroy(starget); -+} -+ -+static void scsi_target_reap_ref_put(struct scsi_target *starget) -+{ -+ kref_put(&starget->reap_ref, scsi_target_reap_ref_release); -+} -+ -+/** - * scsi_alloc_target - allocate a new or find an existing target - * @parent: parent of the target (need not be a scsi host) - * @channel: target channel number (zero if no channels) -@@ -404,7 +436,7 @@ static struct scsi_target *scsi_alloc_target(struct device *parent, - + shost->transportt->target_size; - struct scsi_target *starget; - struct scsi_target *found_target; -- int error; -+ int error, ref_got; - - starget = kzalloc(size, GFP_KERNEL); - if (!starget) { -@@ -413,7 +445,7 @@ static struct scsi_target *scsi_alloc_target(struct device *parent, - } - dev = &starget->dev; - device_initialize(dev); -- starget->reap_ref = 1; -+ kref_init(&starget->reap_ref); - dev->parent = get_device(parent); - dev_set_name(dev, "target%d:%d:%d", shost->host_no, channel, id); - dev->bus = &scsi_bus_type; -@@ -453,29 +485,36 @@ static struct scsi_target *scsi_alloc_target(struct device *parent, - return starget; - - found: -- found_target->reap_ref++; -+ /* -+ * release routine already fired if kref is zero, so if we can still -+ * take the reference, the target must be alive. If we can't, it must -+ * be dying and we need to wait for a new target -+ */ -+ ref_got = kref_get_unless_zero(&found_target->reap_ref); -+ - spin_unlock_irqrestore(shost->host_lock, flags); -- if (found_target->state != STARGET_DEL) { -+ if (ref_got) { - put_device(dev); - return found_target; - } -- /* Unfortunately, we found a dying target; need to -- * wait until it's dead before we can get a new one */ -+ /* -+ * Unfortunately, we found a dying target; need to wait until it's -+ * dead before we can get a new one. There is an anomaly here. We -+ * *should* call scsi_target_reap() to balance the kref_get() of the -+ * reap_ref above. However, since the target being released, it's -+ * already invisible and the reap_ref is irrelevant. If we call -+ * scsi_target_reap() we might spuriously do another device_del() on -+ * an already invisible target. -+ */ - put_device(&found_target->dev); -- flush_scheduled_work(); -+ /* -+ * length of time is irrelevant here, we just want to yield the CPU -+ * for a tick to avoid busy waiting for the target to die. -+ */ -+ msleep(1); - goto retry; - } - --static void scsi_target_reap_usercontext(struct work_struct *work) --{ -- struct scsi_target *starget = -- container_of(work, struct scsi_target, ew.work); -- -- transport_remove_device(&starget->dev); -- device_del(&starget->dev); -- scsi_target_destroy(starget); --} -- - /** - * scsi_target_reap - check to see if target is in use and destroy if not - * @starget: target to be checked -@@ -486,28 +525,13 @@ static void scsi_target_reap_usercontext(struct work_struct *work) - */ - void scsi_target_reap(struct scsi_target *starget) - { -- struct Scsi_Host *shost = dev_to_shost(starget->dev.parent); -- unsigned long flags; -- enum scsi_target_state state; -- int empty = 0; -- -- spin_lock_irqsave(shost->host_lock, flags); -- state = starget->state; -- if (--starget->reap_ref == 0 && list_empty(&starget->devices)) { -- empty = 1; -- starget->state = STARGET_DEL; -- } -- spin_unlock_irqrestore(shost->host_lock, flags); -- -- if (!empty) -- return; -- -- BUG_ON(state == STARGET_DEL); -- if (state == STARGET_CREATED) -- scsi_target_destroy(starget); -- else -- execute_in_process_context(scsi_target_reap_usercontext, -- &starget->ew); -+ /* -+ * serious problem if this triggers: STARGET_DEL is only set in the if -+ * the reap_ref drops to zero, so we're trying to do another final put -+ * on an already released kref -+ */ -+ BUG_ON(starget->state == STARGET_DEL); -+ scsi_target_reap_ref_put(starget); - } - - /** -@@ -1532,6 +1556,10 @@ struct scsi_device *__scsi_add_device(struct Scsi_Host *shost, uint channel, - } - mutex_unlock(&shost->scan_mutex); - scsi_autopm_put_target(starget); -+ /* -+ * paired with scsi_alloc_target(). Target will be destroyed unless -+ * scsi_probe_and_add_lun made an underlying device visible -+ */ - scsi_target_reap(starget); - put_device(&starget->dev); - -@@ -1612,8 +1640,10 @@ static void __scsi_scan_target(struct device *parent, unsigned int channel, - - out_reap: - scsi_autopm_put_target(starget); -- /* now determine if the target has any children at all -- * and if not, nuke it */ -+ /* -+ * paired with scsi_alloc_target(): determine if the target has -+ * any children at all and if not, nuke it -+ */ - scsi_target_reap(starget); - - put_device(&starget->dev); -diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c -index 72ca515..88bc82e 100644 ---- a/drivers/scsi/scsi_sysfs.c -+++ b/drivers/scsi/scsi_sysfs.c -@@ -331,17 +331,14 @@ static void scsi_device_dev_release_usercontext(struct work_struct *work) - { - struct scsi_device *sdev; - struct device *parent; -- struct scsi_target *starget; - struct list_head *this, *tmp; - unsigned long flags; - - sdev = container_of(work, struct scsi_device, ew.work); - - parent = sdev->sdev_gendev.parent; -- starget = to_scsi_target(parent); - - spin_lock_irqsave(sdev->host->host_lock, flags); -- starget->reap_ref++; - list_del(&sdev->siblings); - list_del(&sdev->same_target_siblings); - list_del(&sdev->starved_entry); -@@ -361,8 +358,6 @@ static void scsi_device_dev_release_usercontext(struct work_struct *work) - /* NULL queue means the device can't be used */ - sdev->request_queue = NULL; - -- scsi_target_reap(scsi_target(sdev)); -- - kfree(sdev->inquiry); - kfree(sdev); - -@@ -963,13 +958,27 @@ void __scsi_remove_device(struct scsi_device *sdev) - device_del(dev); - } else - put_device(&sdev->sdev_dev); -+ -+ /* -+ * Stop accepting new requests and wait until all queuecommand() and -+ * scsi_run_queue() invocations have finished before tearing down the -+ * device. -+ */ - scsi_device_set_state(sdev, SDEV_DEL); -+ blk_cleanup_queue(sdev->request_queue); -+ cancel_work_sync(&sdev->requeue_work); -+ - if (sdev->host->hostt->slave_destroy) - sdev->host->hostt->slave_destroy(sdev); - transport_destroy_device(dev); - -- /* Freeing the queue signals to block that we're done */ -- blk_cleanup_queue(sdev->request_queue); -+ /* -+ * Paired with the kref_get() in scsi_sysfs_initialize(). We have -+ * remoed sysfs visibility from the device, so make the target -+ * invisible if this was the last device underneath it. -+ */ -+ scsi_target_reap(scsi_target(sdev)); -+ - put_device(dev); - } - -@@ -1032,7 +1041,7 @@ void scsi_remove_target(struct device *dev) - continue; - if (starget->dev.parent == dev || &starget->dev == dev) { - /* assuming new targets arrive at the end */ -- starget->reap_ref++; -+ kref_get(&starget->reap_ref); - spin_unlock_irqrestore(shost->host_lock, flags); - if (last) - scsi_target_reap(last); -@@ -1116,6 +1125,12 @@ void scsi_sysfs_device_initialize(struct scsi_device *sdev) - list_add_tail(&sdev->same_target_siblings, &starget->devices); - list_add_tail(&sdev->siblings, &shost->__devices); - spin_unlock_irqrestore(shost->host_lock, flags); -+ /* -+ * device can now only be removed via __scsi_remove_device() so hold -+ * the target. Target will be held in CREATED state until something -+ * beneath it becomes visible (in which case it moves to RUNNING) -+ */ -+ kref_get(&starget->reap_ref); - } - - int scsi_is_sdev_device(const struct device *dev) -diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c -index 59e7378..32eb6b4 100644 ---- a/drivers/target/iscsi/iscsi_target_auth.c -+++ b/drivers/target/iscsi/iscsi_target_auth.c -@@ -337,6 +337,16 @@ static int chap_server_compute_md5( - goto out; - } - /* -+ * During mutual authentication, the CHAP_C generated by the -+ * initiator must not match the original CHAP_C generated by -+ * the target. -+ */ -+ if (!memcmp(challenge_binhex, chap->challenge, CHAP_CHALLENGE_LENGTH)) { -+ pr_err("initiator CHAP_C matches target CHAP_C, failing" -+ " login attempt\n"); -+ goto out; -+ } -+ /* - * Generate CHAP_N and CHAP_R for mutual authentication. - */ - tfm = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC); -diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c -index 5def359..6993961 100644 ---- a/drivers/target/target_core_device.c -+++ b/drivers/target/target_core_device.c -@@ -646,6 +646,7 @@ void core_dev_unexport( - spin_unlock(&dev->se_port_lock); - - se_dev_stop(dev); -+ lun->lun_sep = NULL; - lun->lun_se_dev = NULL; - } - -diff --git a/drivers/target/target_core_rd.c b/drivers/target/target_core_rd.c -index 02e51fa..6c7886b 100644 ---- a/drivers/target/target_core_rd.c -+++ b/drivers/target/target_core_rd.c -@@ -179,7 +179,7 @@ static int rd_build_device_space(struct rd_dev *rd_dev) - - 1; - - for (j = 0; j < sg_per_table; j++) { -- pg = alloc_pages(GFP_KERNEL, 0); -+ pg = alloc_pages(GFP_KERNEL | __GFP_ZERO, 0); - if (!pg) { - pr_err("Unable to allocate scatterlist" - " pages for struct rd_dev_sg_table\n"); -diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c -index 320db2a..29e76be 100644 ---- a/drivers/usb/class/cdc-acm.c -+++ b/drivers/usb/class/cdc-acm.c -@@ -72,13 +72,23 @@ static const struct tty_port_operations acm_port_ops = { - static int acm_ctrl_msg(struct acm *acm, int request, int value, - void *buf, int len) - { -- int retval = usb_control_msg(acm->dev, usb_sndctrlpipe(acm->dev, 0), -+ int retval; -+ -+ retval = usb_autopm_get_interface(acm->control); -+ if (retval) -+ return retval; -+ -+ retval = usb_control_msg(acm->dev, usb_sndctrlpipe(acm->dev, 0), - request, USB_RT_ACM, value, - acm->control->altsetting[0].desc.bInterfaceNumber, - buf, len, 5000); -+ - dev_dbg(&acm->control->dev, - "%s - rq 0x%02x, val %#x, len %#x, result %d\n", - __func__, request, value, len, retval); -+ -+ usb_autopm_put_interface(acm->control); -+ - return retval < 0 ? retval : 0; - } - -@@ -181,14 +191,17 @@ static int acm_write_start(struct acm *acm, int wbn) - - dev_vdbg(&acm->data->dev, "%s - susp_count %d\n", __func__, - acm->susp_count); -- usb_autopm_get_interface_async(acm->control); -+ rc = usb_autopm_get_interface_async(acm->control); -+ if (rc) { -+ wb->use = 0; -+ spin_unlock_irqrestore(&acm->write_lock, flags); -+ return rc; -+ } -+ - if (acm->susp_count) { -- if (!acm->delayed_wb) -- acm->delayed_wb = wb; -- else -- usb_autopm_put_interface_async(acm->control); -+ usb_anchor_urb(wb->urb, &acm->delayed); - spin_unlock_irqrestore(&acm->write_lock, flags); -- return 0; /* A white lie */ -+ return 0; - } - usb_mark_last_busy(acm->dev); - -@@ -545,11 +558,23 @@ static void acm_tty_unregister(struct acm *acm) - - static void acm_port_down(struct acm *acm) - { -+ struct urb *urb; -+ struct acm_wb *wb; - int i; - - if (acm->dev) { - usb_autopm_get_interface(acm->control); - acm_set_control(acm, acm->ctrlout = 0); -+ -+ for (;;) { -+ urb = usb_get_from_anchor(&acm->delayed); -+ if (!urb) -+ break; -+ wb = urb->context; -+ wb->use = 0; -+ usb_autopm_put_interface_async(acm->control); -+ } -+ - usb_kill_urb(acm->ctrlurb); - for (i = 0; i < ACM_NW; i++) - usb_kill_urb(acm->wb[i].urb); -@@ -1112,6 +1137,7 @@ made_compressed_probe: - acm->bInterval = epread->bInterval; - tty_port_init(&acm->port); - acm->port.ops = &acm_port_ops; -+ init_usb_anchor(&acm->delayed); - - buf = usb_alloc_coherent(usb_dev, ctrlsize, GFP_KERNEL, &acm->ctrl_dma); - if (!buf) { -@@ -1338,18 +1364,15 @@ static int acm_suspend(struct usb_interface *intf, pm_message_t message) - struct acm *acm = usb_get_intfdata(intf); - int cnt; - -+ spin_lock_irq(&acm->read_lock); -+ spin_lock(&acm->write_lock); - if (PMSG_IS_AUTO(message)) { -- int b; -- -- spin_lock_irq(&acm->write_lock); -- b = acm->transmitting; -- spin_unlock_irq(&acm->write_lock); -- if (b) -+ if (acm->transmitting) { -+ spin_unlock(&acm->write_lock); -+ spin_unlock_irq(&acm->read_lock); - return -EBUSY; -+ } - } -- -- spin_lock_irq(&acm->read_lock); -- spin_lock(&acm->write_lock); - cnt = acm->susp_count++; - spin_unlock(&acm->write_lock); - spin_unlock_irq(&acm->read_lock); -@@ -1372,30 +1395,25 @@ static int acm_suspend(struct usb_interface *intf, pm_message_t message) - static int acm_resume(struct usb_interface *intf) - { - struct acm *acm = usb_get_intfdata(intf); -- struct acm_wb *wb; -+ struct urb *urb; - int rv = 0; -- int cnt; - -+ mutex_lock(&acm->mutex); - spin_lock_irq(&acm->read_lock); -- acm->susp_count -= 1; -- cnt = acm->susp_count; -- spin_unlock_irq(&acm->read_lock); -+ spin_lock(&acm->write_lock); - -- if (cnt) -- return 0; -+ if (--acm->susp_count) -+ goto out; - -- mutex_lock(&acm->mutex); - if (acm->port.count) { -- rv = usb_submit_urb(acm->ctrlurb, GFP_NOIO); -- -- spin_lock_irq(&acm->write_lock); -- if (acm->delayed_wb) { -- wb = acm->delayed_wb; -- acm->delayed_wb = NULL; -- spin_unlock_irq(&acm->write_lock); -- acm_start_wb(acm, wb); -- } else { -- spin_unlock_irq(&acm->write_lock); -+ rv = usb_submit_urb(acm->ctrlurb, GFP_ATOMIC); -+ -+ for (;;) { -+ urb = usb_get_from_anchor(&acm->delayed); -+ if (!urb) -+ break; -+ -+ acm_start_wb(acm, urb->context); - } - - /* -@@ -1403,13 +1421,15 @@ static int acm_resume(struct usb_interface *intf) - * do the write path at all cost - */ - if (rv < 0) -- goto err_out; -+ goto out; - -- rv = acm_submit_read_urbs(acm, GFP_NOIO); -+ rv = acm_submit_read_urbs(acm, GFP_ATOMIC); - } -- --err_out: -+out: -+ spin_unlock(&acm->write_lock); -+ spin_unlock_irq(&acm->read_lock); - mutex_unlock(&acm->mutex); -+ - return rv; - } - -diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h -index ca7937f..c3f1b36 100644 ---- a/drivers/usb/class/cdc-acm.h -+++ b/drivers/usb/class/cdc-acm.h -@@ -116,7 +116,7 @@ struct acm { - unsigned int throttled:1; /* actually throttled */ - unsigned int throttle_req:1; /* throttle requested */ - u8 bInterval; -- struct acm_wb *delayed_wb; /* write queued for a device about to be woken */ -+ struct usb_anchor delayed; /* writes queued for a device about to be woken */ - }; - - #define CDC_DATA_INTERFACE_TYPE 0x0a -diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c -index 9f3003e..cc13abf 100644 ---- a/drivers/usb/core/driver.c -+++ b/drivers/usb/core/driver.c -@@ -1686,10 +1686,13 @@ int usb_runtime_suspend(struct device *dev) - if (status == -EAGAIN || status == -EBUSY) - usb_mark_last_busy(udev); - -- /* The PM core reacts badly unless the return code is 0, -- * -EAGAIN, or -EBUSY, so always return -EBUSY on an error. -+ /* -+ * The PM core reacts badly unless the return code is 0, -+ * -EAGAIN, or -EBUSY, so always return -EBUSY on an error -+ * (except for root hubs, because they don't suspend through -+ * an upstream port like other USB devices). - */ -- if (status != 0) -+ if (status != 0 && udev->parent) - return -EBUSY; - return status; - } -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 7013165..12f3a37 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -1370,14 +1370,24 @@ static int hub_probe(struct usb_interface *intf, const struct usb_device_id *id) - desc = intf->cur_altsetting; - hdev = interface_to_usbdev(intf); - -- /* Hubs have proper suspend/resume support. USB 3.0 device suspend is -+ /* -+ * Hubs have proper suspend/resume support, except for root hubs -+ * where the controller driver doesn't have bus_suspend and -+ * bus_resume methods. Also, USB 3.0 device suspend is - * different from USB 2.0/1.1 device suspend, and unfortunately we - * don't support it yet. So leave autosuspend disabled for USB 3.0 - * external hubs for now. Enable autosuspend for USB 3.0 roothubs, - * since that isn't a "real" hub. - */ -- if (!hub_is_superspeed(hdev) || !hdev->parent) -- usb_enable_autosuspend(hdev); -+ if (hdev->parent) { /* normal device */ -+ if (!hub_is_superspeed(hdev)) -+ usb_enable_autosuspend(hdev); -+ } else { /* root hub */ -+ const struct hc_driver *drv = bus_to_hcd(hdev->bus)->driver; -+ -+ if (drv->bus_suspend && drv->bus_resume) -+ usb_enable_autosuspend(hdev); -+ } - - if (hdev->level == MAX_TOPO_LEVEL) { - dev_err(&intf->dev, -diff --git a/drivers/usb/host/pci-quirks.c b/drivers/usb/host/pci-quirks.c -index c7cfbce..eae35c1 100644 ---- a/drivers/usb/host/pci-quirks.c -+++ b/drivers/usb/host/pci-quirks.c -@@ -555,6 +555,14 @@ static const struct dmi_system_id __devinitconst ehci_dmi_nohandoff_table[] = { - DMI_MATCH(DMI_BIOS_VERSION, "Lucid-"), - }, - }, -+ { -+ /* HASEE E200 */ -+ .matches = { -+ DMI_MATCH(DMI_BOARD_VENDOR, "HASEE"), -+ DMI_MATCH(DMI_BOARD_NAME, "E210"), -+ DMI_MATCH(DMI_BIOS_VERSION, "6.00"), -+ }, -+ }, - { } - }; - -@@ -564,9 +572,14 @@ static void __devinit ehci_bios_handoff(struct pci_dev *pdev, - { - int try_handoff = 1, tried_handoff = 0; - -- /* The Pegatron Lucid tablet sporadically waits for 98 seconds trying -- * the handoff on its unused controller. Skip it. */ -- if (pdev->vendor == 0x8086 && pdev->device == 0x283a) { -+ /* -+ * The Pegatron Lucid tablet sporadically waits for 98 seconds trying -+ * the handoff on its unused controller. Skip it. -+ * -+ * The HASEE E200 hangs when the semaphore is set (bugzilla #77021). -+ */ -+ if (pdev->vendor == 0x8086 && (pdev->device == 0x283a || -+ pdev->device == 0x27cc)) { - if (dmi_check_system(ehci_dmi_nohandoff_table)) - try_handoff = 0; - } -diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c -index ec73541..74922b9 100644 ---- a/drivers/usb/host/xhci-mem.c -+++ b/drivers/usb/host/xhci-mem.c -@@ -1722,6 +1722,16 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) - kfree(cur_cd); - } - -+ num_ports = HCS_MAX_PORTS(xhci->hcs_params1); -+ for (i = 0; i < num_ports; i++) { -+ struct xhci_interval_bw_table *bwt = &xhci->rh_bw[i].bw_table; -+ for (j = 0; j < XHCI_MAX_INTERVAL; j++) { -+ struct list_head *ep = &bwt->interval_bw[j].endpoints; -+ while (!list_empty(ep)) -+ list_del_init(ep->next); -+ } -+ } -+ - for (i = 1; i < MAX_HC_SLOTS; ++i) - xhci_free_virt_device(xhci, i); - -@@ -1762,16 +1772,6 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) - if (!xhci->rh_bw) - goto no_bw; - -- num_ports = HCS_MAX_PORTS(xhci->hcs_params1); -- for (i = 0; i < num_ports; i++) { -- struct xhci_interval_bw_table *bwt = &xhci->rh_bw[i].bw_table; -- for (j = 0; j < XHCI_MAX_INTERVAL; j++) { -- struct list_head *ep = &bwt->interval_bw[j].endpoints; -- while (!list_empty(ep)) -- list_del_init(ep->next); -- } -- } -- - for (i = 0; i < num_ports; i++) { - struct xhci_tt_bw_info *tt, *n; - list_for_each_entry_safe(tt, n, &xhci->rh_bw[i].tts, tt_list) { -diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c -index b9ac9a3..2a38a17 100644 ---- a/drivers/usb/misc/usbtest.c -+++ b/drivers/usb/misc/usbtest.c -@@ -1132,6 +1132,11 @@ static int unlink1(struct usbtest_dev *dev, int pipe, int size, int async) - urb->context = &completion; - urb->complete = unlink1_callback; - -+ if (usb_pipeout(urb->pipe)) { -+ simple_fill_buf(urb); -+ urb->transfer_flags |= URB_ZERO_PACKET; -+ } -+ - /* keep the endpoint busy. there are lots of hc/hcd-internal - * states, and testing should get to all of them over time. - * -@@ -1262,6 +1267,11 @@ static int unlink_queued(struct usbtest_dev *dev, int pipe, unsigned num, - unlink_queued_callback, &ctx); - ctx.urbs[i]->transfer_dma = buf_dma; - ctx.urbs[i]->transfer_flags = URB_NO_TRANSFER_DMA_MAP; -+ -+ if (usb_pipeout(ctx.urbs[i]->pipe)) { -+ simple_fill_buf(ctx.urbs[i]); -+ ctx.urbs[i]->transfer_flags |= URB_ZERO_PACKET; -+ } - } - - /* Submit all the URBs and then unlink URBs num - 4 and num - 2. */ -diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c -index 332f04d..6e08639 100644 ---- a/drivers/usb/serial/ftdi_sio.c -+++ b/drivers/usb/serial/ftdi_sio.c -@@ -591,6 +591,8 @@ static struct usb_device_id id_table_combined [] = { - { USB_DEVICE(FTDI_VID, FTDI_TAVIR_STK500_PID) }, - { USB_DEVICE(FTDI_VID, FTDI_TIAO_UMPA_PID), - .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, -+ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID), -+ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, - /* - * ELV devices: - */ -diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h -index 83a440f..677cf49 100644 ---- a/drivers/usb/serial/ftdi_sio_ids.h -+++ b/drivers/usb/serial/ftdi_sio_ids.h -@@ -538,6 +538,11 @@ - */ - #define FTDI_TIAO_UMPA_PID 0x8a98 /* TIAO/DIYGADGET USB Multi-Protocol Adapter */ - -+/* -+ * NovaTech product ids (FTDI_VID) -+ */ -+#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */ -+ - - /********************************/ - /** third-party VID/PID combos **/ -diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c -index c575e0a..438138f 100644 ---- a/drivers/usb/serial/io_ti.c -+++ b/drivers/usb/serial/io_ti.c -@@ -923,7 +923,7 @@ static int build_i2c_fw_hdr(__u8 *header, struct device *dev) - firmware_rec = (struct ti_i2c_firmware_rec*)i2c_header->Data; - - i2c_header->Type = I2C_DESC_TYPE_FIRMWARE_BLANK; -- i2c_header->Size = (__u16)buffer_size; -+ i2c_header->Size = cpu_to_le16(buffer_size); - i2c_header->CheckSum = cs; - firmware_rec->Ver_Major = OperationalMajorVersion; - firmware_rec->Ver_Minor = OperationalMinorVersion; -diff --git a/drivers/usb/serial/io_usbvend.h b/drivers/usb/serial/io_usbvend.h -index 51f83fb..6f6a856 100644 ---- a/drivers/usb/serial/io_usbvend.h -+++ b/drivers/usb/serial/io_usbvend.h -@@ -594,7 +594,7 @@ struct edge_boot_descriptor { - - struct ti_i2c_desc { - __u8 Type; // Type of descriptor -- __u16 Size; // Size of data only not including header -+ __le16 Size; // Size of data only not including header - __u8 CheckSum; // Checksum (8 bit sum of data only) - __u8 Data[0]; // Data starts here - } __attribute__((packed)); -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index 9823e79..a0f47d5 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -161,6 +161,7 @@ static void option_instat_callback(struct urb *urb); - #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_FULLSPEED 0x9000 - #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_HIGHSPEED 0x9001 - #define NOVATELWIRELESS_PRODUCT_E362 0x9010 -+#define NOVATELWIRELESS_PRODUCT_E371 0x9011 - #define NOVATELWIRELESS_PRODUCT_G2 0xA010 - #define NOVATELWIRELESS_PRODUCT_MC551 0xB001 - -@@ -1025,6 +1026,7 @@ static const struct usb_device_id option_ids[] = { - /* Novatel Ovation MC551 a.k.a. Verizon USB551L */ - { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_MC551, 0xff, 0xff, 0xff) }, - { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E362, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E371, 0xff, 0xff, 0xff) }, - - { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01) }, - { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01A) }, -@@ -1955,6 +1957,7 @@ static int option_send_setup(struct usb_serial_port *port) - struct usb_wwan_port_private *portdata; - int ifNum = serial->interface->cur_altsetting->desc.bInterfaceNumber; - int val = 0; -+ int res; - dbg("%s", __func__); - - if (is_blacklisted(ifNum, OPTION_BLACKLIST_SENDSETUP, -@@ -1970,9 +1973,16 @@ static int option_send_setup(struct usb_serial_port *port) - if (portdata->rts_state) - val |= 0x02; - -- return usb_control_msg(serial->dev, -- usb_rcvctrlpipe(serial->dev, 0), -+ res = usb_autopm_get_interface(serial->interface); -+ if (res) -+ return res; -+ -+ res = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0), - 0x22, 0x21, val, ifNum, NULL, 0, USB_CTRL_SET_TIMEOUT); -+ -+ usb_autopm_put_interface(serial->interface); -+ -+ return res; - } - - MODULE_AUTHOR(DRIVER_AUTHOR); -diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c -index dbdfeb4..0d26ab6 100644 ---- a/drivers/usb/serial/sierra.c -+++ b/drivers/usb/serial/sierra.c -@@ -59,6 +59,7 @@ struct sierra_intf_private { - spinlock_t susp_lock; - unsigned int suspended:1; - int in_flight; -+ unsigned int open_ports; - }; - - static int sierra_set_power_state(struct usb_device *udev, __u16 swiState) -@@ -802,6 +803,7 @@ static void sierra_close(struct usb_serial_port *port) - struct usb_serial *serial = port->serial; - struct sierra_port_private *portdata; - struct sierra_intf_private *intfdata = port->serial->private; -+ struct urb *urb; - - - dev_dbg(&port->dev, "%s\n", __func__); -@@ -813,7 +815,6 @@ static void sierra_close(struct usb_serial_port *port) - if (serial->dev) { - mutex_lock(&serial->disc_mutex); - if (!serial->disconnected) { -- serial->interface->needs_remote_wakeup = 0; - /* odd error handling due to pm counters */ - if (!usb_autopm_get_interface(serial->interface)) - sierra_send_setup(port); -@@ -824,8 +825,21 @@ static void sierra_close(struct usb_serial_port *port) - mutex_unlock(&serial->disc_mutex); - spin_lock_irq(&intfdata->susp_lock); - portdata->opened = 0; -+ if (--intfdata->open_ports == 0) -+ serial->interface->needs_remote_wakeup = 0; - spin_unlock_irq(&intfdata->susp_lock); - -+ for (;;) { -+ urb = usb_get_from_anchor(&portdata->delayed); -+ if (!urb) -+ break; -+ kfree(urb->transfer_buffer); -+ usb_free_urb(urb); -+ usb_autopm_put_interface_async(serial->interface); -+ spin_lock(&portdata->lock); -+ portdata->outstanding_urbs--; -+ spin_unlock(&portdata->lock); -+ } - - /* Stop reading urbs */ - sierra_stop_rx_urbs(port); -@@ -868,23 +882,29 @@ static int sierra_open(struct tty_struct *tty, struct usb_serial_port *port) - usb_sndbulkpipe(serial->dev, endpoint) | USB_DIR_IN); - - err = sierra_submit_rx_urbs(port, GFP_KERNEL); -- if (err) { -- /* get rid of everything as in close */ -- sierra_close(port); -- /* restore balance for autopm */ -- if (!serial->disconnected) -- usb_autopm_put_interface(serial->interface); -- return err; -- } -+ if (err) -+ goto err_submit; -+ - sierra_send_setup(port); - -- serial->interface->needs_remote_wakeup = 1; - spin_lock_irq(&intfdata->susp_lock); - portdata->opened = 1; -+ if (++intfdata->open_ports == 1) -+ serial->interface->needs_remote_wakeup = 1; - spin_unlock_irq(&intfdata->susp_lock); - usb_autopm_put_interface(serial->interface); - - return 0; -+ -+err_submit: -+ sierra_stop_rx_urbs(port); -+ -+ for (i = 0; i < portdata->num_in_urbs; i++) { -+ sierra_release_urb(portdata->in_urbs[i]); -+ portdata->in_urbs[i] = NULL; -+ } -+ -+ return err; - } - - -@@ -1060,8 +1080,12 @@ static int sierra_resume(struct usb_serial *serial) - if (err < 0) { - intfdata->in_flight--; - usb_unanchor_urb(urb); -- usb_scuttle_anchored_urbs(&portdata->delayed); -- break; -+ kfree(urb->transfer_buffer); -+ usb_free_urb(urb); -+ spin_lock(&portdata->lock); -+ portdata->outstanding_urbs--; -+ spin_unlock(&portdata->lock); -+ continue; - } - } - -diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c -index 6c92301..b38994e 100644 ---- a/drivers/usb/serial/usb_wwan.c -+++ b/drivers/usb/serial/usb_wwan.c -@@ -236,8 +236,10 @@ int usb_wwan_write(struct tty_struct *tty, struct usb_serial_port *port, - usb_pipeendpoint(this_urb->pipe), i); - - err = usb_autopm_get_interface_async(port->serial->interface); -- if (err < 0) -+ if (err < 0) { -+ clear_bit(i, &portdata->out_busy); - break; -+ } - - /* send the data */ - memcpy(this_urb->transfer_buffer, buf, todo); -@@ -432,12 +434,26 @@ int usb_wwan_open(struct tty_struct *tty, struct usb_serial_port *port) - } - EXPORT_SYMBOL(usb_wwan_open); - -+static void unbusy_queued_urb(struct urb *urb, -+ struct usb_wwan_port_private *portdata) -+{ -+ int i; -+ -+ for (i = 0; i < N_OUT_URB; i++) { -+ if (urb == portdata->out_urbs[i]) { -+ clear_bit(i, &portdata->out_busy); -+ break; -+ } -+ } -+} -+ - void usb_wwan_close(struct usb_serial_port *port) - { - int i; - struct usb_serial *serial = port->serial; - struct usb_wwan_port_private *portdata; - struct usb_wwan_intf_private *intfdata = port->serial->private; -+ struct urb *urb; - - dbg("%s", __func__); - portdata = usb_get_serial_port_data(port); -@@ -448,6 +464,14 @@ void usb_wwan_close(struct usb_serial_port *port) - portdata->opened = 0; - spin_unlock_irq(&intfdata->susp_lock); - -+ for (;;) { -+ urb = usb_get_from_anchor(&portdata->delayed); -+ if (!urb) -+ break; -+ unbusy_queued_urb(urb, portdata); -+ usb_autopm_put_interface_async(serial->interface); -+ } -+ - for (i = 0; i < N_IN_URB; i++) - usb_kill_urb(portdata->in_urbs[i]); - for (i = 0; i < N_OUT_URB; i++) -@@ -645,46 +669,31 @@ EXPORT_SYMBOL(usb_wwan_release); - int usb_wwan_suspend(struct usb_serial *serial, pm_message_t message) - { - struct usb_wwan_intf_private *intfdata = serial->private; -- int b; - - dbg("%s entered", __func__); - -+ spin_lock_irq(&intfdata->susp_lock); - if (PMSG_IS_AUTO(message)) { -- spin_lock_irq(&intfdata->susp_lock); -- b = intfdata->in_flight; -- spin_unlock_irq(&intfdata->susp_lock); -- -- if (b) -+ if (intfdata->in_flight) { -+ spin_unlock_irq(&intfdata->susp_lock); - return -EBUSY; -+ } - } -- -- spin_lock_irq(&intfdata->susp_lock); - intfdata->suspended = 1; - spin_unlock_irq(&intfdata->susp_lock); -+ - stop_read_write_urbs(serial); - - return 0; - } - EXPORT_SYMBOL(usb_wwan_suspend); - --static void unbusy_queued_urb(struct urb *urb, struct usb_wwan_port_private *portdata) --{ -- int i; -- -- for (i = 0; i < N_OUT_URB; i++) { -- if (urb == portdata->out_urbs[i]) { -- clear_bit(i, &portdata->out_busy); -- break; -- } -- } --} -- --static void play_delayed(struct usb_serial_port *port) -+static int play_delayed(struct usb_serial_port *port) - { - struct usb_wwan_intf_private *data; - struct usb_wwan_port_private *portdata; - struct urb *urb; -- int err; -+ int err = 0; - - portdata = usb_get_serial_port_data(port); - data = port->serial->private; -@@ -701,6 +710,8 @@ static void play_delayed(struct usb_serial_port *port) - break; - } - } -+ -+ return err; - } - - int usb_wwan_resume(struct usb_serial *serial) -@@ -710,7 +721,8 @@ int usb_wwan_resume(struct usb_serial *serial) - struct usb_wwan_intf_private *intfdata = serial->private; - struct usb_wwan_port_private *portdata; - struct urb *urb; -- int err = 0; -+ int err; -+ int err_count = 0; - - dbg("%s entered", __func__); - /* get the interrupt URBs resubmitted unconditionally */ -@@ -725,21 +737,23 @@ int usb_wwan_resume(struct usb_serial *serial) - if (err < 0) { - err("%s: Error %d for interrupt URB of port%d", - __func__, err, i); -- goto err_out; -+ err_count++; - } - } - -+ spin_lock_irq(&intfdata->susp_lock); - for (i = 0; i < serial->num_ports; i++) { - /* walk all ports */ - port = serial->port[i]; - portdata = usb_get_serial_port_data(port); - - /* skip closed ports */ -- spin_lock_irq(&intfdata->susp_lock); -- if (!portdata->opened) { -- spin_unlock_irq(&intfdata->susp_lock); -+ if (!portdata->opened) - continue; -- } -+ -+ err = play_delayed(port); -+ if (err) -+ err_count++; - - for (j = 0; j < N_IN_URB; j++) { - urb = portdata->in_urbs[j]; -@@ -747,18 +761,17 @@ int usb_wwan_resume(struct usb_serial *serial) - if (err < 0) { - err("%s: Error %d for bulk URB %d", - __func__, err, i); -- spin_unlock_irq(&intfdata->susp_lock); -- goto err_out; -+ err_count++; - } - } -- play_delayed(port); -- spin_unlock_irq(&intfdata->susp_lock); - } -- spin_lock_irq(&intfdata->susp_lock); - intfdata->suspended = 0; - spin_unlock_irq(&intfdata->susp_lock); --err_out: -- return err; -+ -+ if (err_count) -+ return -EIO; -+ -+ return 0; - } - EXPORT_SYMBOL(usb_wwan_resume); - #endif -diff --git a/drivers/video/matrox/matroxfb_base.h b/drivers/video/matrox/matroxfb_base.h -index 556d96c..89a8a89a 100644 ---- a/drivers/video/matrox/matroxfb_base.h -+++ b/drivers/video/matrox/matroxfb_base.h -@@ -698,7 +698,7 @@ void matroxfb_unregister_driver(struct matroxfb_driver* drv); - - #define mga_fifo(n) do {} while ((mga_inl(M_FIFOSTATUS) & 0xFF) < (n)) - --#define WaitTillIdle() do {} while (mga_inl(M_STATUS) & 0x10000) -+#define WaitTillIdle() do { mga_inl(M_STATUS); do {} while (mga_inl(M_STATUS) & 0x10000); } while (0) - - /* code speedup */ - #ifdef CONFIG_FB_MATROX_MILLENIUM -diff --git a/drivers/watchdog/ath79_wdt.c b/drivers/watchdog/ath79_wdt.c -index 725c84b..d256ca7 100644 ---- a/drivers/watchdog/ath79_wdt.c -+++ b/drivers/watchdog/ath79_wdt.c -@@ -18,6 +18,7 @@ - */ - - #include <linux/bitops.h> -+#include <linux/delay.h> - #include <linux/errno.h> - #include <linux/fs.h> - #include <linux/init.h> -@@ -73,6 +74,15 @@ static inline void ath79_wdt_keepalive(void) - static inline void ath79_wdt_enable(void) - { - ath79_wdt_keepalive(); -+ -+ /* -+ * Updating the TIMER register requires a few microseconds -+ * on the AR934x SoCs at least. Use a small delay to ensure -+ * that the TIMER register is updated within the hardware -+ * before enabling the watchdog. -+ */ -+ udelay(2); -+ - ath79_reset_wr(AR71XX_RESET_REG_WDOG_CTRL, WDOG_CTRL_ACTION_FCR); - } - -diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c -index 73e4cbc..05937a8 100644 ---- a/fs/btrfs/extent_io.c -+++ b/fs/btrfs/extent_io.c -@@ -1523,6 +1523,7 @@ again: - * shortening the size of the delalloc range we're searching - */ - free_extent_state(cached_state); -+ cached_state = NULL; - if (!loops) { - unsigned long offset = (*start) & (PAGE_CACHE_SIZE - 1); - max_bytes = PAGE_CACHE_SIZE - offset; -diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c -index 81feb17..7168eeb 100644 ---- a/fs/ext4/mballoc.c -+++ b/fs/ext4/mballoc.c -@@ -3067,7 +3067,7 @@ ext4_mb_normalize_request(struct ext4_allocation_context *ac, - } - BUG_ON(start + size <= ac->ac_o_ex.fe_logical && - start > ac->ac_o_ex.fe_logical); -- BUG_ON(size <= 0 || size > EXT4_CLUSTERS_PER_GROUP(ac->ac_sb)); -+ BUG_ON(size <= 0 || size > EXT4_BLOCKS_PER_GROUP(ac->ac_sb)); - - /* now prepare goal request */ - -diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c -index b46a675..dc72ebf 100644 ---- a/fs/ext4/page-io.c -+++ b/fs/ext4/page-io.c -@@ -386,24 +386,24 @@ int ext4_bio_write_page(struct ext4_io_submit *io, - set_page_writeback(page); - ClearPageError(page); - -+ /* -+ * Comments copied from block_write_full_page_endio: -+ * -+ * The page straddles i_size. It must be zeroed out on each and every -+ * writepage invocation because it may be mmapped. "A file is mapped -+ * in multiples of the page size. For a file that is not a multiple of -+ * the page size, the remaining memory is zeroed when mapped, and -+ * writes to that region are not written out to the file." -+ */ -+ if (len < PAGE_CACHE_SIZE) -+ zero_user_segment(page, len, PAGE_CACHE_SIZE); -+ - for (bh = head = page_buffers(page), block_start = 0; - bh != head || !block_start; - block_start = block_end, bh = bh->b_this_page) { - - block_end = block_start + blocksize; - if (block_start >= len) { -- /* -- * Comments copied from block_write_full_page_endio: -- * -- * The page straddles i_size. It must be zeroed out on -- * each and every writepage invocation because it may -- * be mmapped. "A file is mapped in multiples of the -- * page size. For a file that is not a multiple of -- * the page size, the remaining memory is zeroed when -- * mapped, and writes to that region are not written -- * out to the file." -- */ -- zero_user_segment(page, block_start, block_end); - clear_buffer_dirty(bh); - set_buffer_uptodate(bh); - continue; -diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c -index b2e0a55..6e91f8b 100644 ---- a/fs/nfsd/nfs4state.c -+++ b/fs/nfsd/nfs4state.c -@@ -337,13 +337,22 @@ static void unhash_stid(struct nfs4_stid *s) - idr_remove(stateids, s->sc_stateid.si_opaque.so_id); - } - -+static void -+hash_delegation_locked(struct nfs4_delegation *dp, struct nfs4_file *fp) -+{ -+ lockdep_assert_held(&recall_lock); -+ -+ list_add(&dp->dl_perfile, &fp->fi_delegations); -+ list_add(&dp->dl_perclnt, &dp->dl_stid.sc_client->cl_delegations); -+} -+ - /* Called under the state lock. */ - static void - unhash_delegation(struct nfs4_delegation *dp) - { - unhash_stid(&dp->dl_stid); -- list_del_init(&dp->dl_perclnt); - spin_lock(&recall_lock); -+ list_del_init(&dp->dl_perclnt); - list_del_init(&dp->dl_perfile); - list_del_init(&dp->dl_recall_lru); - spin_unlock(&recall_lock); -@@ -2810,10 +2819,8 @@ static int nfs4_setlease(struct nfs4_delegation *dp, int flag) - if (!fl) - return -ENOMEM; - fl->fl_file = find_readable_file(fp); -- list_add(&dp->dl_perclnt, &dp->dl_stid.sc_client->cl_delegations); - status = vfs_setlease(fl->fl_file, fl->fl_type, &fl); - if (status) { -- list_del_init(&dp->dl_perclnt); - locks_free_lock(fl); - return -ENOMEM; - } -@@ -2821,7 +2828,9 @@ static int nfs4_setlease(struct nfs4_delegation *dp, int flag) - fp->fi_deleg_file = fl->fl_file; - get_file(fp->fi_deleg_file); - atomic_set(&fp->fi_delegees, 1); -- list_add(&dp->dl_perfile, &fp->fi_delegations); -+ spin_lock(&recall_lock); -+ hash_delegation_locked(dp, fp); -+ spin_unlock(&recall_lock); - return 0; - } - -@@ -2837,9 +2846,8 @@ static int nfs4_set_delegation(struct nfs4_delegation *dp, int flag) - return -EAGAIN; - } - atomic_inc(&fp->fi_delegees); -- list_add(&dp->dl_perfile, &fp->fi_delegations); -+ hash_delegation_locked(dp, fp); - spin_unlock(&recall_lock); -- list_add(&dp->dl_perclnt, &dp->dl_stid.sc_client->cl_delegations); - return 0; - } - -@@ -3385,7 +3393,7 @@ nfsd4_free_lock_stateid(struct nfs4_ol_stateid *stp) - * correspondance, and we have to delete the lockowner when we - * delete the lock stateid: - */ -- unhash_lockowner(lo); -+ release_lockowner(lo); - return nfs_ok; - } - -diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c -index 4835b90..a7933dd 100644 ---- a/fs/nfsd/nfs4xdr.c -+++ b/fs/nfsd/nfs4xdr.c -@@ -2035,8 +2035,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, struct svc_export *exp, - err = vfs_getattr(exp->ex_path.mnt, dentry, &stat); - if (err) - goto out_nfserr; -- if ((bmval0 & (FATTR4_WORD0_FILES_FREE | FATTR4_WORD0_FILES_TOTAL | -- FATTR4_WORD0_MAXNAME)) || -+ if ((bmval0 & (FATTR4_WORD0_FILES_AVAIL | FATTR4_WORD0_FILES_FREE | -+ FATTR4_WORD0_FILES_TOTAL | FATTR4_WORD0_MAXNAME)) || - (bmval1 & (FATTR4_WORD1_SPACE_AVAIL | FATTR4_WORD1_SPACE_FREE | - FATTR4_WORD1_SPACE_TOTAL))) { - err = vfs_statfs(&path, &statfs); -diff --git a/fs/reiserfs/file.c b/fs/reiserfs/file.c -index ace6350..f011185 100644 ---- a/fs/reiserfs/file.c -+++ b/fs/reiserfs/file.c -@@ -126,7 +126,7 @@ static int reiserfs_file_open(struct inode *inode, struct file *file) - return err; - } - --static void reiserfs_vfs_truncate_file(struct inode *inode) -+void reiserfs_vfs_truncate_file(struct inode *inode) - { - mutex_lock(&(REISERFS_I(inode)->tailpack)); - reiserfs_truncate_file(inode, 1); -@@ -312,7 +312,6 @@ const struct file_operations reiserfs_file_operations = { - }; - - const struct inode_operations reiserfs_file_inode_operations = { -- .truncate = reiserfs_vfs_truncate_file, - .setattr = reiserfs_setattr, - .setxattr = reiserfs_setxattr, - .getxattr = reiserfs_getxattr, -diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c -index fe677c0..fcb07e5 100644 ---- a/fs/reiserfs/inode.c -+++ b/fs/reiserfs/inode.c -@@ -3091,8 +3091,10 @@ static ssize_t reiserfs_direct_IO(int rw, struct kiocb *iocb, - loff_t isize = i_size_read(inode); - loff_t end = offset + iov_length(iov, nr_segs); - -- if (end > isize) -- vmtruncate(inode, isize); -+ if ((end > isize) && inode_newsize_ok(inode, isize) == 0) { -+ truncate_setsize(inode, isize); -+ reiserfs_vfs_truncate_file(inode); -+ } - } - - return ret; -@@ -3206,8 +3208,19 @@ int reiserfs_setattr(struct dentry *dentry, struct iattr *attr) - */ - reiserfs_write_unlock_once(inode->i_sb, depth); - if ((attr->ia_valid & ATTR_SIZE) && -- attr->ia_size != i_size_read(inode)) -- error = vmtruncate(inode, attr->ia_size); -+ attr->ia_size != i_size_read(inode)) { -+ error = inode_newsize_ok(inode, attr->ia_size); -+ if (!error) { -+ /* -+ * Could race against reiserfs_file_release -+ * if called from NFS, so take tailpack mutex. -+ */ -+ mutex_lock(&REISERFS_I(inode)->tailpack); -+ truncate_setsize(inode, attr->ia_size); -+ reiserfs_truncate_file(inode, 1); -+ mutex_unlock(&REISERFS_I(inode)->tailpack); -+ } -+ } - - if (!error) { - setattr_copy(inode, attr); -diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c -index f9c234b..6589006 100644 ---- a/fs/ubifs/file.c -+++ b/fs/ubifs/file.c -@@ -1522,8 +1522,7 @@ static int ubifs_vm_page_mkwrite(struct vm_area_struct *vma, - ubifs_release_dirty_inode_budget(c, ui); - } - -- unlock_page(page); -- return 0; -+ return VM_FAULT_LOCKED; - - out_unlock: - unlock_page(page); -diff --git a/fs/ubifs/shrinker.c b/fs/ubifs/shrinker.c -index 9e1d056..e0a7a76 100644 ---- a/fs/ubifs/shrinker.c -+++ b/fs/ubifs/shrinker.c -@@ -128,7 +128,6 @@ static int shrink_tnc(struct ubifs_info *c, int nr, int age, int *contention) - freed = ubifs_destroy_tnc_subtree(znode); - atomic_long_sub(freed, &ubifs_clean_zn_cnt); - atomic_long_sub(freed, &c->clean_zn_cnt); -- ubifs_assert(atomic_long_read(&c->clean_zn_cnt) >= 0); - total_freed += freed; - znode = zprev; - } -diff --git a/include/linux/irqdesc.h b/include/linux/irqdesc.h -index f1e2527..e2e1ab5 100644 ---- a/include/linux/irqdesc.h -+++ b/include/linux/irqdesc.h -@@ -27,6 +27,8 @@ struct module; - * @irq_count: stats field to detect stalled irqs - * @last_unhandled: aging timer for unhandled count - * @irqs_unhandled: stats field for spurious unhandled interrupts -+ * @threads_handled: stats field for deferred spurious detection of threaded handlers -+ * @threads_handled_last: comparator field for deferred spurious detection of theraded handlers - * @lock: locking for SMP - * @affinity_hint: hint to user space for preferred irq affinity - * @affinity_notify: context for notification of affinity changes -@@ -53,6 +55,8 @@ struct irq_desc { - unsigned int irq_count; /* For detecting broken IRQs */ - unsigned long last_unhandled; /* Aging timer for unhandled count */ - unsigned int irqs_unhandled; -+ atomic_t threads_handled; -+ int threads_handled_last; - raw_spinlock_t lock; - struct cpumask *percpu_enabled; - #ifdef CONFIG_SMP -diff --git a/include/linux/lzo.h b/include/linux/lzo.h -index d793497..a0848d9 100644 ---- a/include/linux/lzo.h -+++ b/include/linux/lzo.h -@@ -4,28 +4,28 @@ - * LZO Public Kernel Interface - * A mini subset of the LZO real-time data compression library - * -- * Copyright (C) 1996-2005 Markus F.X.J. Oberhumer <markus@oberhumer.com> -+ * Copyright (C) 1996-2012 Markus F.X.J. Oberhumer <markus@oberhumer.com> - * - * The full LZO package can be found at: - * http://www.oberhumer.com/opensource/lzo/ - * -- * Changed for kernel use by: -+ * Changed for Linux kernel use by: - * Nitin Gupta <nitingupta910@gmail.com> - * Richard Purdie <rpurdie@openedhand.com> - */ - --#define LZO1X_MEM_COMPRESS (16384 * sizeof(unsigned char *)) --#define LZO1X_1_MEM_COMPRESS LZO1X_MEM_COMPRESS -+#define LZO1X_1_MEM_COMPRESS (8192 * sizeof(unsigned short)) -+#define LZO1X_MEM_COMPRESS LZO1X_1_MEM_COMPRESS - - #define lzo1x_worst_compress(x) ((x) + ((x) / 16) + 64 + 3) - --/* This requires 'workmem' of size LZO1X_1_MEM_COMPRESS */ -+/* This requires 'wrkmem' of size LZO1X_1_MEM_COMPRESS */ - int lzo1x_1_compress(const unsigned char *src, size_t src_len, -- unsigned char *dst, size_t *dst_len, void *wrkmem); -+ unsigned char *dst, size_t *dst_len, void *wrkmem); - - /* safe decompression with overrun testing */ - int lzo1x_decompress_safe(const unsigned char *src, size_t src_len, -- unsigned char *dst, size_t *dst_len); -+ unsigned char *dst, size_t *dst_len); - - /* - * Return values (< 0 = Error) -@@ -40,5 +40,6 @@ int lzo1x_decompress_safe(const unsigned char *src, size_t src_len, - #define LZO_E_EOF_NOT_FOUND (-7) - #define LZO_E_INPUT_NOT_CONSUMED (-8) - #define LZO_E_NOT_YET_IMPLEMENTED (-9) -+#define LZO_E_INVALID_ARGUMENT (-10) - - #endif -diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h -index 800f113..e49240b 100644 ---- a/include/linux/ptrace.h -+++ b/include/linux/ptrace.h -@@ -112,6 +112,7 @@ - - #include <linux/compiler.h> /* For unlikely. */ - #include <linux/sched.h> /* For struct task_struct. */ -+#include <linux/pid_namespace.h> /* For task_active_pid_ns. */ - - - extern long arch_ptrace(struct task_struct *child, long request, -@@ -204,6 +205,37 @@ static inline void ptrace_event(int event, unsigned long message) - } - - /** -+ * ptrace_event_pid - possibly stop for a ptrace event notification -+ * @event: %PTRACE_EVENT_* value to report -+ * @pid: process identifier for %PTRACE_GETEVENTMSG to return -+ * -+ * Check whether @event is enabled and, if so, report @event and @pid -+ * to the ptrace parent. @pid is reported as the pid_t seen from the -+ * the ptrace parent's pid namespace. -+ * -+ * Called without locks. -+ */ -+static inline void ptrace_event_pid(int event, struct pid *pid) -+{ -+ /* -+ * FIXME: There's a potential race if a ptracer in a different pid -+ * namespace than parent attaches between computing message below and -+ * when we acquire tasklist_lock in ptrace_stop(). If this happens, -+ * the ptracer will get a bogus pid from PTRACE_GETEVENTMSG. -+ */ -+ unsigned long message = 0; -+ struct pid_namespace *ns; -+ -+ rcu_read_lock(); -+ ns = task_active_pid_ns(rcu_dereference(current->parent)); -+ if (ns) -+ message = pid_nr_ns(pid, ns); -+ rcu_read_unlock(); -+ -+ ptrace_event(event, message); -+} -+ -+/** - * ptrace_init_task - initialize ptrace state for a new child - * @child: new child task - * @ptrace: true if child should be ptrace'd by parent's tracer -@@ -371,6 +403,9 @@ static inline void user_single_step_siginfo(struct task_struct *tsk, - * calling arch_ptrace_stop() when it would be superfluous. For example, - * if the thread has not been back to user mode since the last stop, the - * thread state might indicate that nothing needs to be done. -+ * -+ * This is guaranteed to be invoked once before a task stops for ptrace and -+ * may include arch-specific operations necessary prior to a ptrace stop. - */ - #define arch_ptrace_stop_needed(code, info) (0) - #endif -diff --git a/include/linux/reiserfs_fs.h b/include/linux/reiserfs_fs.h -index 96d465f..43c7251 100644 ---- a/include/linux/reiserfs_fs.h -+++ b/include/linux/reiserfs_fs.h -@@ -1882,6 +1882,7 @@ struct reiserfs_transaction_handle *reiserfs_persistent_transaction(struct - *, - int count); - int reiserfs_end_persistent_transaction(struct reiserfs_transaction_handle *); -+void reiserfs_vfs_truncate_file(struct inode *inode); - int reiserfs_commit_page(struct inode *inode, struct page *page, - unsigned from, unsigned to); - int reiserfs_flush_old_commits(struct super_block *); -diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index c445e52..40c2726 100644 ---- a/include/linux/skbuff.h -+++ b/include/linux/skbuff.h -@@ -1633,6 +1633,22 @@ static inline void skb_orphan(struct sk_buff *skb) - } - - /** -+ * skb_orphan_frags - orphan the frags contained in a buffer -+ * @skb: buffer to orphan frags from -+ * @gfp_mask: allocation mask for replacement pages -+ * -+ * For each frag in the SKB which needs a destructor (i.e. has an -+ * owner) create a copy of that frag and release the original -+ * page by calling the destructor. -+ */ -+static inline int skb_orphan_frags(struct sk_buff *skb, gfp_t gfp_mask) -+{ -+ if (likely(!(skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY))) -+ return 0; -+ return skb_copy_ubufs(skb, gfp_mask); -+} -+ -+/** - * __skb_queue_purge - empty a list - * @list: list to empty - * -diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h -index 34b06da..ba0ddb0 100644 ---- a/include/net/inetpeer.h -+++ b/include/net/inetpeer.h -@@ -115,16 +115,9 @@ static inline void inet_peer_refcheck(const struct inet_peer *p) - /* can be called with or without local BH being disabled */ - static inline int inet_getid(struct inet_peer *p, int more) - { -- int old, new; - more++; - inet_peer_refcheck(p); -- do { -- old = atomic_read(&p->ip_id_count); -- new = old + more; -- if (!new) -- new = 1; -- } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old); -- return new; -+ return atomic_add_return(more, &p->ip_id_count) - more; - } - - #endif /* _NET_INETPEER_H */ -diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h -index 5591ed5..3152cc3 100644 ---- a/include/scsi/scsi_device.h -+++ b/include/scsi/scsi_device.h -@@ -239,7 +239,7 @@ struct scsi_target { - struct list_head siblings; - struct list_head devices; - struct device dev; -- unsigned int reap_ref; /* protected by the host lock */ -+ struct kref reap_ref; /* last put renders target invisible */ - unsigned int channel; - unsigned int id; /* target id ... replace - * scsi_device.id eventually */ -@@ -261,7 +261,6 @@ struct scsi_target { - #define SCSI_DEFAULT_TARGET_BLOCKED 3 - - char scsi_level; -- struct execute_work ew; - enum scsi_target_state state; - void *hostdata; /* available to low-level driver */ - unsigned long starget_data[0]; /* for the transport */ -diff --git a/include/sound/core.h b/include/sound/core.h -index 222f11e..6a3b03a 100644 ---- a/include/sound/core.h -+++ b/include/sound/core.h -@@ -120,6 +120,8 @@ struct snd_card { - int user_ctl_count; /* count of all user controls */ - struct list_head controls; /* all controls for this card */ - struct list_head ctl_files; /* active control files */ -+ struct mutex user_ctl_lock; /* protects user controls against -+ concurrent access */ - - struct snd_info_entry *proc_root; /* root for soundcard specific files */ - struct snd_info_entry *proc_id; /* the card id */ -diff --git a/include/trace/syscall.h b/include/trace/syscall.h -index 31966a4..51b72d8 100644 ---- a/include/trace/syscall.h -+++ b/include/trace/syscall.h -@@ -4,6 +4,7 @@ - #include <linux/tracepoint.h> - #include <linux/unistd.h> - #include <linux/ftrace_event.h> -+#include <linux/thread_info.h> - - #include <asm/ptrace.h> - -@@ -54,4 +55,18 @@ int perf_sysexit_enable(struct ftrace_event_call *call); - void perf_sysexit_disable(struct ftrace_event_call *call); - #endif - -+#if defined(CONFIG_TRACEPOINTS) && defined(CONFIG_HAVE_SYSCALL_TRACEPOINTS) -+static inline void syscall_tracepoint_update(struct task_struct *p) -+{ -+ if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) -+ set_tsk_thread_flag(p, TIF_SYSCALL_TRACEPOINT); -+ else -+ clear_tsk_thread_flag(p, TIF_SYSCALL_TRACEPOINT); -+} -+#else -+static inline void syscall_tracepoint_update(struct task_struct *p) -+{ -+} -+#endif -+ - #endif /* _TRACE_SYSCALL_H */ -diff --git a/kernel/auditsc.c b/kernel/auditsc.c -index aeac7cc..d1d2843 100644 ---- a/kernel/auditsc.c -+++ b/kernel/auditsc.c -@@ -688,6 +688,22 @@ static enum audit_state audit_filter_task(struct task_struct *tsk, char **key) - return AUDIT_BUILD_CONTEXT; - } - -+static int audit_in_mask(const struct audit_krule *rule, unsigned long val) -+{ -+ int word, bit; -+ -+ if (val > 0xffffffff) -+ return false; -+ -+ word = AUDIT_WORD(val); -+ if (word >= AUDIT_BITMASK_SIZE) -+ return false; -+ -+ bit = AUDIT_BIT(val); -+ -+ return rule->mask[word] & bit; -+} -+ - /* At syscall entry and exit time, this filter is called if the - * audit_state is not low enough that auditing cannot take place, but is - * also not high enough that we already know we have to write an audit -@@ -705,11 +721,8 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk, - - rcu_read_lock(); - if (!list_empty(list)) { -- int word = AUDIT_WORD(ctx->major); -- int bit = AUDIT_BIT(ctx->major); -- - list_for_each_entry_rcu(e, list, list) { -- if ((e->rule.mask[word] & bit) == bit && -+ if (audit_in_mask(&e->rule, ctx->major) && - audit_filter_rules(tsk, &e->rule, ctx, NULL, - &state, false)) { - rcu_read_unlock(); -@@ -738,8 +751,6 @@ void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx) - - rcu_read_lock(); - for (i = 0; i < ctx->name_count; i++) { -- int word = AUDIT_WORD(ctx->major); -- int bit = AUDIT_BIT(ctx->major); - struct audit_names *n = &ctx->names[i]; - int h = audit_hash_ino((u32)n->ino); - struct list_head *list = &audit_inode_hash[h]; -@@ -748,7 +759,7 @@ void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx) - continue; - - list_for_each_entry_rcu(e, list, list) { -- if ((e->rule.mask[word] & bit) == bit && -+ if (audit_in_mask(&e->rule, ctx->major) && - audit_filter_rules(tsk, &e->rule, ctx, n, - &state, false)) { - rcu_read_unlock(); -diff --git a/kernel/events/core.c b/kernel/events/core.c -index 1d1edcb..14c111c 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -1180,6 +1180,11 @@ group_sched_out(struct perf_event *group_event, - cpuctx->exclusive = 0; - } - -+struct remove_event { -+ struct perf_event *event; -+ bool detach_group; -+}; -+ - /* - * Cross CPU call to remove a performance event - * -@@ -1188,12 +1193,15 @@ group_sched_out(struct perf_event *group_event, - */ - static int __perf_remove_from_context(void *info) - { -- struct perf_event *event = info; -+ struct remove_event *re = info; -+ struct perf_event *event = re->event; - struct perf_event_context *ctx = event->ctx; - struct perf_cpu_context *cpuctx = __get_cpu_context(ctx); - - raw_spin_lock(&ctx->lock); - event_sched_out(event, cpuctx, ctx); -+ if (re->detach_group) -+ perf_group_detach(event); - list_del_event(event, ctx); - if (!ctx->nr_events && cpuctx->task_ctx == ctx) { - ctx->is_active = 0; -@@ -1218,10 +1226,14 @@ static int __perf_remove_from_context(void *info) - * When called from perf_event_exit_task, it's OK because the - * context has been detached from its task. - */ --static void perf_remove_from_context(struct perf_event *event) -+static void perf_remove_from_context(struct perf_event *event, bool detach_group) - { - struct perf_event_context *ctx = event->ctx; - struct task_struct *task = ctx->task; -+ struct remove_event re = { -+ .event = event, -+ .detach_group = detach_group, -+ }; - - lockdep_assert_held(&ctx->mutex); - -@@ -1230,12 +1242,12 @@ static void perf_remove_from_context(struct perf_event *event) - * Per cpu events are removed via an smp call and - * the removal is always successful. - */ -- cpu_function_call(event->cpu, __perf_remove_from_context, event); -+ cpu_function_call(event->cpu, __perf_remove_from_context, &re); - return; - } - - retry: -- if (!task_function_call(task, __perf_remove_from_context, event)) -+ if (!task_function_call(task, __perf_remove_from_context, &re)) - return; - - raw_spin_lock_irq(&ctx->lock); -@@ -1252,6 +1264,8 @@ retry: - * Since the task isn't running, its safe to remove the event, us - * holding the ctx->lock ensures the task won't get scheduled in. - */ -+ if (detach_group) -+ perf_group_detach(event); - list_del_event(event, ctx); - raw_spin_unlock_irq(&ctx->lock); - } -@@ -3046,10 +3060,7 @@ int perf_event_release_kernel(struct perf_event *event) - * to trigger the AB-BA case. - */ - mutex_lock_nested(&ctx->mutex, SINGLE_DEPTH_NESTING); -- raw_spin_lock_irq(&ctx->lock); -- perf_group_detach(event); -- raw_spin_unlock_irq(&ctx->lock); -- perf_remove_from_context(event); -+ perf_remove_from_context(event, true); - mutex_unlock(&ctx->mutex); - - free_event(event); -@@ -6459,7 +6470,7 @@ SYSCALL_DEFINE5(perf_event_open, - struct perf_event_context *gctx = group_leader->ctx; - - mutex_lock(&gctx->mutex); -- perf_remove_from_context(group_leader); -+ perf_remove_from_context(group_leader, false); - - /* - * Removing from the context ends up with disabled -@@ -6469,7 +6480,7 @@ SYSCALL_DEFINE5(perf_event_open, - perf_event__state_init(group_leader); - list_for_each_entry(sibling, &group_leader->sibling_list, - group_entry) { -- perf_remove_from_context(sibling); -+ perf_remove_from_context(sibling, false); - perf_event__state_init(sibling); - put_ctx(gctx); - } -@@ -6622,13 +6633,7 @@ __perf_event_exit_task(struct perf_event *child_event, - struct perf_event_context *child_ctx, - struct task_struct *child) - { -- if (child_event->parent) { -- raw_spin_lock_irq(&child_ctx->lock); -- perf_group_detach(child_event); -- raw_spin_unlock_irq(&child_ctx->lock); -- } -- -- perf_remove_from_context(child_event); -+ perf_remove_from_context(child_event, !!child_event->parent); - - /* - * It can happen that the parent exits first, and has events -@@ -7113,14 +7118,14 @@ static void perf_pmu_rotate_stop(struct pmu *pmu) - - static void __perf_event_exit_context(void *__info) - { -+ struct remove_event re = { .detach_group = false }; - struct perf_event_context *ctx = __info; -- struct perf_event *event; - - perf_pmu_rotate_stop(ctx->pmu); - - rcu_read_lock(); -- list_for_each_entry_rcu(event, &ctx->event_list, event_entry) -- __perf_remove_from_context(event); -+ list_for_each_entry_rcu(re.event, &ctx->event_list, event_entry) -+ __perf_remove_from_context(&re); - rcu_read_unlock(); - } - -diff --git a/kernel/fork.c b/kernel/fork.c -index ce0c182..13bba30 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -1370,7 +1370,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, - - total_forks++; - spin_unlock(¤t->sighand->siglock); -+ syscall_tracepoint_update(p); - write_unlock_irq(&tasklist_lock); -+ - proc_fork_connector(p); - cgroup_post_fork(p); - if (clone_flags & CLONE_THREAD) -@@ -1513,10 +1515,12 @@ long do_fork(unsigned long clone_flags, - */ - if (!IS_ERR(p)) { - struct completion vfork; -+ struct pid *pid; - - trace_sched_process_fork(current, p); - -- nr = task_pid_vnr(p); -+ pid = get_task_pid(p, PIDTYPE_PID); -+ nr = pid_vnr(pid); - - if (clone_flags & CLONE_PARENT_SETTID) - put_user(nr, parent_tidptr); -@@ -1540,14 +1544,16 @@ long do_fork(unsigned long clone_flags, - - /* forking complete and child started to run, tell ptracer */ - if (unlikely(trace)) -- ptrace_event(trace, nr); -+ ptrace_event_pid(trace, pid); - - if (clone_flags & CLONE_VFORK) { - freezer_do_not_count(); - wait_for_completion(&vfork); - freezer_count(); -- ptrace_event(PTRACE_EVENT_VFORK_DONE, nr); -+ ptrace_event_pid(PTRACE_EVENT_VFORK_DONE, pid); - } -+ -+ put_pid(pid); - } else { - nr = PTR_ERR(p); - } -diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c -index 4775229..127a32e 100644 ---- a/kernel/irq/manage.c -+++ b/kernel/irq/manage.c -@@ -813,8 +813,8 @@ static int irq_thread(void *data) - - raw_spin_unlock_irq(&desc->lock); - action_ret = handler_fn(desc, action); -- if (!noirqdebug) -- note_interrupt(action->irq, desc, action_ret); -+ if (action_ret == IRQ_HANDLED) -+ atomic_inc(&desc->threads_handled); - } - - wake = atomic_dec_and_test(&desc->threads_active); -diff --git a/kernel/irq/spurious.c b/kernel/irq/spurious.c -index 63633a3..6d426eb 100644 ---- a/kernel/irq/spurious.c -+++ b/kernel/irq/spurious.c -@@ -265,21 +265,119 @@ try_misrouted_irq(unsigned int irq, struct irq_desc *desc, - return action && (action->flags & IRQF_IRQPOLL); - } - -+#define SPURIOUS_DEFERRED 0x80000000 -+ - void note_interrupt(unsigned int irq, struct irq_desc *desc, - irqreturn_t action_ret) - { - if (desc->istate & IRQS_POLL_INPROGRESS) - return; - -- /* we get here again via the threaded handler */ -- if (action_ret == IRQ_WAKE_THREAD) -- return; -- - if (bad_action_ret(action_ret)) { - report_bad_irq(irq, desc, action_ret); - return; - } - -+ /* -+ * We cannot call note_interrupt from the threaded handler -+ * because we need to look at the compound of all handlers -+ * (primary and threaded). Aside of that in the threaded -+ * shared case we have no serialization against an incoming -+ * hardware interrupt while we are dealing with a threaded -+ * result. -+ * -+ * So in case a thread is woken, we just note the fact and -+ * defer the analysis to the next hardware interrupt. -+ * -+ * The threaded handlers store whether they sucessfully -+ * handled an interrupt and we check whether that number -+ * changed versus the last invocation. -+ * -+ * We could handle all interrupts with the delayed by one -+ * mechanism, but for the non forced threaded case we'd just -+ * add pointless overhead to the straight hardirq interrupts -+ * for the sake of a few lines less code. -+ */ -+ if (action_ret & IRQ_WAKE_THREAD) { -+ /* -+ * There is a thread woken. Check whether one of the -+ * shared primary handlers returned IRQ_HANDLED. If -+ * not we defer the spurious detection to the next -+ * interrupt. -+ */ -+ if (action_ret == IRQ_WAKE_THREAD) { -+ int handled; -+ /* -+ * We use bit 31 of thread_handled_last to -+ * denote the deferred spurious detection -+ * active. No locking necessary as -+ * thread_handled_last is only accessed here -+ * and we have the guarantee that hard -+ * interrupts are not reentrant. -+ */ -+ if (!(desc->threads_handled_last & SPURIOUS_DEFERRED)) { -+ desc->threads_handled_last |= SPURIOUS_DEFERRED; -+ return; -+ } -+ /* -+ * Check whether one of the threaded handlers -+ * returned IRQ_HANDLED since the last -+ * interrupt happened. -+ * -+ * For simplicity we just set bit 31, as it is -+ * set in threads_handled_last as well. So we -+ * avoid extra masking. And we really do not -+ * care about the high bits of the handled -+ * count. We just care about the count being -+ * different than the one we saw before. -+ */ -+ handled = atomic_read(&desc->threads_handled); -+ handled |= SPURIOUS_DEFERRED; -+ if (handled != desc->threads_handled_last) { -+ action_ret = IRQ_HANDLED; -+ /* -+ * Note: We keep the SPURIOUS_DEFERRED -+ * bit set. We are handling the -+ * previous invocation right now. -+ * Keep it for the current one, so the -+ * next hardware interrupt will -+ * account for it. -+ */ -+ desc->threads_handled_last = handled; -+ } else { -+ /* -+ * None of the threaded handlers felt -+ * responsible for the last interrupt -+ * -+ * We keep the SPURIOUS_DEFERRED bit -+ * set in threads_handled_last as we -+ * need to account for the current -+ * interrupt as well. -+ */ -+ action_ret = IRQ_NONE; -+ } -+ } else { -+ /* -+ * One of the primary handlers returned -+ * IRQ_HANDLED. So we don't care about the -+ * threaded handlers on the same line. Clear -+ * the deferred detection bit. -+ * -+ * In theory we could/should check whether the -+ * deferred bit is set and take the result of -+ * the previous run into account here as -+ * well. But it's really not worth the -+ * trouble. If every other interrupt is -+ * handled we never trigger the spurious -+ * detector. And if this is just the one out -+ * of 100k unhandled ones which is handled -+ * then we merily delay the spurious detection -+ * by one hard interrupt. Not a real problem. -+ */ -+ desc->threads_handled_last &= ~SPURIOUS_DEFERRED; -+ } -+ } -+ - if (unlikely(action_ret == IRQ_NONE)) { - /* - * If we are seeing only the odd spurious IRQ caused by -diff --git a/kernel/rtmutex-debug.h b/kernel/rtmutex-debug.h -index 14193d5..ab29b6a 100644 ---- a/kernel/rtmutex-debug.h -+++ b/kernel/rtmutex-debug.h -@@ -31,3 +31,8 @@ static inline int debug_rt_mutex_detect_deadlock(struct rt_mutex_waiter *waiter, - { - return (waiter != NULL); - } -+ -+static inline void rt_mutex_print_deadlock(struct rt_mutex_waiter *w) -+{ -+ debug_rt_mutex_print_deadlock(w); -+} -diff --git a/kernel/rtmutex.c b/kernel/rtmutex.c -index f9d8482..1928f3d 100644 ---- a/kernel/rtmutex.c -+++ b/kernel/rtmutex.c -@@ -81,6 +81,47 @@ static inline void mark_rt_mutex_waiters(struct rt_mutex *lock) - owner = *p; - } while (cmpxchg(p, owner, owner | RT_MUTEX_HAS_WAITERS) != owner); - } -+ -+/* -+ * Safe fastpath aware unlock: -+ * 1) Clear the waiters bit -+ * 2) Drop lock->wait_lock -+ * 3) Try to unlock the lock with cmpxchg -+ */ -+static inline bool unlock_rt_mutex_safe(struct rt_mutex *lock) -+ __releases(lock->wait_lock) -+{ -+ struct task_struct *owner = rt_mutex_owner(lock); -+ -+ clear_rt_mutex_waiters(lock); -+ raw_spin_unlock(&lock->wait_lock); -+ /* -+ * If a new waiter comes in between the unlock and the cmpxchg -+ * we have two situations: -+ * -+ * unlock(wait_lock); -+ * lock(wait_lock); -+ * cmpxchg(p, owner, 0) == owner -+ * mark_rt_mutex_waiters(lock); -+ * acquire(lock); -+ * or: -+ * -+ * unlock(wait_lock); -+ * lock(wait_lock); -+ * mark_rt_mutex_waiters(lock); -+ * -+ * cmpxchg(p, owner, 0) != owner -+ * enqueue_waiter(); -+ * unlock(wait_lock); -+ * lock(wait_lock); -+ * wake waiter(); -+ * unlock(wait_lock); -+ * lock(wait_lock); -+ * acquire(lock); -+ */ -+ return rt_mutex_cmpxchg(lock, owner, NULL); -+} -+ - #else - # define rt_mutex_cmpxchg(l,c,n) (0) - static inline void mark_rt_mutex_waiters(struct rt_mutex *lock) -@@ -88,6 +129,17 @@ static inline void mark_rt_mutex_waiters(struct rt_mutex *lock) - lock->owner = (struct task_struct *) - ((unsigned long)lock->owner | RT_MUTEX_HAS_WAITERS); - } -+ -+/* -+ * Simple slow path only version: lock->owner is protected by lock->wait_lock. -+ */ -+static inline bool unlock_rt_mutex_safe(struct rt_mutex *lock) -+ __releases(lock->wait_lock) -+{ -+ lock->owner = NULL; -+ raw_spin_unlock(&lock->wait_lock); -+ return true; -+} - #endif - - /* -@@ -141,14 +193,36 @@ static void rt_mutex_adjust_prio(struct task_struct *task) - */ - int max_lock_depth = 1024; - -+static inline struct rt_mutex *task_blocked_on_lock(struct task_struct *p) -+{ -+ return p->pi_blocked_on ? p->pi_blocked_on->lock : NULL; -+} -+ - /* - * Adjust the priority chain. Also used for deadlock detection. - * Decreases task's usage by one - may thus free the task. -+ * -+ * @task: the task owning the mutex (owner) for which a chain walk is -+ * probably needed -+ * @deadlock_detect: do we have to carry out deadlock detection? -+ * @orig_lock: the mutex (can be NULL if we are walking the chain to recheck -+ * things for a task that has just got its priority adjusted, and -+ * is waiting on a mutex) -+ * @next_lock: the mutex on which the owner of @orig_lock was blocked before -+ * we dropped its pi_lock. Is never dereferenced, only used for -+ * comparison to detect lock chain changes. -+ * @orig_waiter: rt_mutex_waiter struct for the task that has just donated -+ * its priority to the mutex owner (can be NULL in the case -+ * depicted above or if the top waiter is gone away and we are -+ * actually deboosting the owner) -+ * @top_task: the current top waiter -+ * - * Returns 0 or -EDEADLK. - */ - static int rt_mutex_adjust_prio_chain(struct task_struct *task, - int deadlock_detect, - struct rt_mutex *orig_lock, -+ struct rt_mutex *next_lock, - struct rt_mutex_waiter *orig_waiter, - struct task_struct *top_task) - { -@@ -182,7 +256,7 @@ static int rt_mutex_adjust_prio_chain(struct task_struct *task, - } - put_task_struct(task); - -- return deadlock_detect ? -EDEADLK : 0; -+ return -EDEADLK; - } - retry: - /* -@@ -207,13 +281,32 @@ static int rt_mutex_adjust_prio_chain(struct task_struct *task, - goto out_unlock_pi; - - /* -+ * We dropped all locks after taking a refcount on @task, so -+ * the task might have moved on in the lock chain or even left -+ * the chain completely and blocks now on an unrelated lock or -+ * on @orig_lock. -+ * -+ * We stored the lock on which @task was blocked in @next_lock, -+ * so we can detect the chain change. -+ */ -+ if (next_lock != waiter->lock) -+ goto out_unlock_pi; -+ -+ /* - * Drop out, when the task has no waiters. Note, - * top_waiter can be NULL, when we are in the deboosting - * mode! - */ -- if (top_waiter && (!task_has_pi_waiters(task) || -- top_waiter != task_top_pi_waiter(task))) -- goto out_unlock_pi; -+ if (top_waiter) { -+ if (!task_has_pi_waiters(task)) -+ goto out_unlock_pi; -+ /* -+ * If deadlock detection is off, we stop here if we -+ * are not the top pi waiter of the task. -+ */ -+ if (!detect_deadlock && top_waiter != task_top_pi_waiter(task)) -+ goto out_unlock_pi; -+ } - - /* - * When deadlock detection is off then we check, if further -@@ -229,11 +322,16 @@ static int rt_mutex_adjust_prio_chain(struct task_struct *task, - goto retry; - } - -- /* Deadlock detection */ -+ /* -+ * Deadlock detection. If the lock is the same as the original -+ * lock which caused us to walk the lock chain or if the -+ * current lock is owned by the task which initiated the chain -+ * walk, we detected a deadlock. -+ */ - if (lock == orig_lock || rt_mutex_owner(lock) == top_task) { - debug_rt_mutex_deadlock(deadlock_detect, orig_waiter, lock); - raw_spin_unlock(&lock->wait_lock); -- ret = deadlock_detect ? -EDEADLK : 0; -+ ret = -EDEADLK; - goto out_unlock_pi; - } - -@@ -280,11 +378,26 @@ static int rt_mutex_adjust_prio_chain(struct task_struct *task, - __rt_mutex_adjust_prio(task); - } - -+ /* -+ * Check whether the task which owns the current lock is pi -+ * blocked itself. If yes we store a pointer to the lock for -+ * the lock chain change detection above. After we dropped -+ * task->pi_lock next_lock cannot be dereferenced anymore. -+ */ -+ next_lock = task_blocked_on_lock(task); -+ - raw_spin_unlock_irqrestore(&task->pi_lock, flags); - - top_waiter = rt_mutex_top_waiter(lock); - raw_spin_unlock(&lock->wait_lock); - -+ /* -+ * We reached the end of the lock chain. Stop right here. No -+ * point to go back just to figure that out. -+ */ -+ if (!next_lock) -+ goto out_put_task; -+ - if (!detect_deadlock && waiter != top_waiter) - goto out_put_task; - -@@ -395,8 +508,21 @@ static int task_blocks_on_rt_mutex(struct rt_mutex *lock, - { - struct task_struct *owner = rt_mutex_owner(lock); - struct rt_mutex_waiter *top_waiter = waiter; -- unsigned long flags; -+ struct rt_mutex *next_lock; - int chain_walk = 0, res; -+ unsigned long flags; -+ -+ /* -+ * Early deadlock detection. We really don't want the task to -+ * enqueue on itself just to untangle the mess later. It's not -+ * only an optimization. We drop the locks, so another waiter -+ * can come in before the chain walk detects the deadlock. So -+ * the other will detect the deadlock and return -EDEADLOCK, -+ * which is wrong, as the other waiter is not in a deadlock -+ * situation. -+ */ -+ if (owner == task) -+ return -EDEADLK; - - raw_spin_lock_irqsave(&task->pi_lock, flags); - __rt_mutex_adjust_prio(task); -@@ -417,20 +543,28 @@ static int task_blocks_on_rt_mutex(struct rt_mutex *lock, - if (!owner) - return 0; - -+ raw_spin_lock_irqsave(&owner->pi_lock, flags); - if (waiter == rt_mutex_top_waiter(lock)) { -- raw_spin_lock_irqsave(&owner->pi_lock, flags); - plist_del(&top_waiter->pi_list_entry, &owner->pi_waiters); - plist_add(&waiter->pi_list_entry, &owner->pi_waiters); - - __rt_mutex_adjust_prio(owner); - if (owner->pi_blocked_on) - chain_walk = 1; -- raw_spin_unlock_irqrestore(&owner->pi_lock, flags); -- } -- else if (debug_rt_mutex_detect_deadlock(waiter, detect_deadlock)) -+ } else if (debug_rt_mutex_detect_deadlock(waiter, detect_deadlock)) { - chain_walk = 1; -+ } -+ -+ /* Store the lock on which owner is blocked or NULL */ -+ next_lock = task_blocked_on_lock(owner); - -- if (!chain_walk) -+ raw_spin_unlock_irqrestore(&owner->pi_lock, flags); -+ /* -+ * Even if full deadlock detection is on, if the owner is not -+ * blocked itself, we can avoid finding this out in the chain -+ * walk. -+ */ -+ if (!chain_walk || !next_lock) - return 0; - - /* -@@ -442,8 +576,8 @@ static int task_blocks_on_rt_mutex(struct rt_mutex *lock, - - raw_spin_unlock(&lock->wait_lock); - -- res = rt_mutex_adjust_prio_chain(owner, detect_deadlock, lock, waiter, -- task); -+ res = rt_mutex_adjust_prio_chain(owner, detect_deadlock, lock, -+ next_lock, waiter, task); - - raw_spin_lock(&lock->wait_lock); - -@@ -453,7 +587,8 @@ static int task_blocks_on_rt_mutex(struct rt_mutex *lock, - /* - * Wake up the next waiter on the lock. - * -- * Remove the top waiter from the current tasks waiter list and wake it up. -+ * Remove the top waiter from the current tasks pi waiter list and -+ * wake it up. - * - * Called with lock->wait_lock held. - */ -@@ -474,10 +609,23 @@ static void wakeup_next_waiter(struct rt_mutex *lock) - */ - plist_del(&waiter->pi_list_entry, ¤t->pi_waiters); - -- rt_mutex_set_owner(lock, NULL); -+ /* -+ * As we are waking up the top waiter, and the waiter stays -+ * queued on the lock until it gets the lock, this lock -+ * obviously has waiters. Just set the bit here and this has -+ * the added benefit of forcing all new tasks into the -+ * slow path making sure no task of lower priority than -+ * the top waiter can steal this lock. -+ */ -+ lock->owner = (void *) RT_MUTEX_HAS_WAITERS; - - raw_spin_unlock_irqrestore(¤t->pi_lock, flags); - -+ /* -+ * It's safe to dereference waiter as it cannot go away as -+ * long as we hold lock->wait_lock. The waiter task needs to -+ * acquire it in order to dequeue the waiter. -+ */ - wake_up_process(waiter->task); - } - -@@ -492,8 +640,8 @@ static void remove_waiter(struct rt_mutex *lock, - { - int first = (waiter == rt_mutex_top_waiter(lock)); - struct task_struct *owner = rt_mutex_owner(lock); -+ struct rt_mutex *next_lock = NULL; - unsigned long flags; -- int chain_walk = 0; - - raw_spin_lock_irqsave(¤t->pi_lock, flags); - plist_del(&waiter->list_entry, &lock->wait_list); -@@ -517,15 +665,15 @@ static void remove_waiter(struct rt_mutex *lock, - } - __rt_mutex_adjust_prio(owner); - -- if (owner->pi_blocked_on) -- chain_walk = 1; -+ /* Store the lock on which owner is blocked or NULL */ -+ next_lock = task_blocked_on_lock(owner); - - raw_spin_unlock_irqrestore(&owner->pi_lock, flags); - } - - WARN_ON(!plist_node_empty(&waiter->pi_list_entry)); - -- if (!chain_walk) -+ if (!next_lock) - return; - - /* gets dropped in rt_mutex_adjust_prio_chain()! */ -@@ -533,7 +681,7 @@ static void remove_waiter(struct rt_mutex *lock, - - raw_spin_unlock(&lock->wait_lock); - -- rt_mutex_adjust_prio_chain(owner, 0, lock, NULL, current); -+ rt_mutex_adjust_prio_chain(owner, 0, lock, next_lock, NULL, current); - - raw_spin_lock(&lock->wait_lock); - } -@@ -546,6 +694,7 @@ static void remove_waiter(struct rt_mutex *lock, - void rt_mutex_adjust_pi(struct task_struct *task) - { - struct rt_mutex_waiter *waiter; -+ struct rt_mutex *next_lock; - unsigned long flags; - - raw_spin_lock_irqsave(&task->pi_lock, flags); -@@ -555,12 +704,13 @@ void rt_mutex_adjust_pi(struct task_struct *task) - raw_spin_unlock_irqrestore(&task->pi_lock, flags); - return; - } -- -+ next_lock = waiter->lock; - raw_spin_unlock_irqrestore(&task->pi_lock, flags); - - /* gets dropped in rt_mutex_adjust_prio_chain()! */ - get_task_struct(task); -- rt_mutex_adjust_prio_chain(task, 0, NULL, NULL, task); -+ -+ rt_mutex_adjust_prio_chain(task, 0, NULL, next_lock, NULL, task); - } - - /** -@@ -620,6 +770,26 @@ __rt_mutex_slowlock(struct rt_mutex *lock, int state, - return ret; - } - -+static void rt_mutex_handle_deadlock(int res, int detect_deadlock, -+ struct rt_mutex_waiter *w) -+{ -+ /* -+ * If the result is not -EDEADLOCK or the caller requested -+ * deadlock detection, nothing to do here. -+ */ -+ if (res != -EDEADLOCK || detect_deadlock) -+ return; -+ -+ /* -+ * Yell lowdly and stop the task right here. -+ */ -+ rt_mutex_print_deadlock(w); -+ while (1) { -+ set_current_state(TASK_INTERRUPTIBLE); -+ schedule(); -+ } -+} -+ - /* - * Slow path lock function: - */ -@@ -657,8 +827,10 @@ rt_mutex_slowlock(struct rt_mutex *lock, int state, - - set_current_state(TASK_RUNNING); - -- if (unlikely(ret)) -+ if (unlikely(ret)) { - remove_waiter(lock, &waiter); -+ rt_mutex_handle_deadlock(ret, detect_deadlock, &waiter); -+ } - - /* - * try_to_take_rt_mutex() sets the waiter bit -@@ -714,12 +886,49 @@ rt_mutex_slowunlock(struct rt_mutex *lock) - - rt_mutex_deadlock_account_unlock(current); - -- if (!rt_mutex_has_waiters(lock)) { -- lock->owner = NULL; -- raw_spin_unlock(&lock->wait_lock); -- return; -+ /* -+ * We must be careful here if the fast path is enabled. If we -+ * have no waiters queued we cannot set owner to NULL here -+ * because of: -+ * -+ * foo->lock->owner = NULL; -+ * rtmutex_lock(foo->lock); <- fast path -+ * free = atomic_dec_and_test(foo->refcnt); -+ * rtmutex_unlock(foo->lock); <- fast path -+ * if (free) -+ * kfree(foo); -+ * raw_spin_unlock(foo->lock->wait_lock); -+ * -+ * So for the fastpath enabled kernel: -+ * -+ * Nothing can set the waiters bit as long as we hold -+ * lock->wait_lock. So we do the following sequence: -+ * -+ * owner = rt_mutex_owner(lock); -+ * clear_rt_mutex_waiters(lock); -+ * raw_spin_unlock(&lock->wait_lock); -+ * if (cmpxchg(&lock->owner, owner, 0) == owner) -+ * return; -+ * goto retry; -+ * -+ * The fastpath disabled variant is simple as all access to -+ * lock->owner is serialized by lock->wait_lock: -+ * -+ * lock->owner = NULL; -+ * raw_spin_unlock(&lock->wait_lock); -+ */ -+ while (!rt_mutex_has_waiters(lock)) { -+ /* Drops lock->wait_lock ! */ -+ if (unlock_rt_mutex_safe(lock) == true) -+ return; -+ /* Relock the rtmutex and try again */ -+ raw_spin_lock(&lock->wait_lock); - } - -+ /* -+ * The wakeup next waiter path does not suffer from the above -+ * race. See the comments there. -+ */ - wakeup_next_waiter(lock); - - raw_spin_unlock(&lock->wait_lock); -@@ -966,7 +1175,8 @@ int rt_mutex_start_proxy_lock(struct rt_mutex *lock, - return 1; - } - -- ret = task_blocks_on_rt_mutex(lock, waiter, task, detect_deadlock); -+ /* We enforce deadlock detection for futexes */ -+ ret = task_blocks_on_rt_mutex(lock, waiter, task, 1); - - if (ret && !rt_mutex_owner(lock)) { - /* -diff --git a/kernel/rtmutex.h b/kernel/rtmutex.h -index a1a1dd0..f6a1f3c 100644 ---- a/kernel/rtmutex.h -+++ b/kernel/rtmutex.h -@@ -24,3 +24,8 @@ - #define debug_rt_mutex_print_deadlock(w) do { } while (0) - #define debug_rt_mutex_detect_deadlock(w,d) (d) - #define debug_rt_mutex_reset_waiter(w) do { } while (0) -+ -+static inline void rt_mutex_print_deadlock(struct rt_mutex_waiter *w) -+{ -+ WARN(1, "rtmutex deadlock detected\n"); -+} -diff --git a/lib/decompress_unlzo.c b/lib/decompress_unlzo.c -index 5a7a2ad..26f89ad 100644 ---- a/lib/decompress_unlzo.c -+++ b/lib/decompress_unlzo.c -@@ -31,7 +31,7 @@ - */ - - #ifdef STATIC --#include "lzo/lzo1x_decompress.c" -+#include "lzo/lzo1x_decompress_safe.c" - #else - #include <linux/decompress/unlzo.h> - #endif -diff --git a/lib/idr.c b/lib/idr.c -index aadc525..2d3879b 100644 ---- a/lib/idr.c -+++ b/lib/idr.c -@@ -167,7 +167,7 @@ static int sub_alloc(struct idr *idp, int *starting_id, struct idr_layer **pa) - id = (id | ((1 << (IDR_BITS * l)) - 1)) + 1; - - /* if already at the top layer, we need to grow */ -- if (id >= 1 << (idp->layers * IDR_BITS)) { -+ if (id > idr_max(idp->layers)) { - *starting_id = id; - return IDR_NEED_TO_GROW; - } -@@ -672,14 +672,12 @@ void *idr_replace(struct idr *idp, void *ptr, int id) - if (!p) - return ERR_PTR(-EINVAL); - -- n = (p->layer+1) * IDR_BITS; -- - id &= MAX_ID_MASK; - -- if (id >= (1 << n)) -+ if (id > idr_max(p->layer + 1)) - return ERR_PTR(-EINVAL); - -- n -= IDR_BITS; -+ n = p->layer * IDR_BITS; - while ((n > 0) && p) { - p = p->ary[(id >> n) & IDR_MASK]; - n -= IDR_BITS; -diff --git a/lib/lzo/Makefile b/lib/lzo/Makefile -index e764116..f0f7d7c 100644 ---- a/lib/lzo/Makefile -+++ b/lib/lzo/Makefile -@@ -1,5 +1,5 @@ - lzo_compress-objs := lzo1x_compress.o --lzo_decompress-objs := lzo1x_decompress.o -+lzo_decompress-objs := lzo1x_decompress_safe.o - - obj-$(CONFIG_LZO_COMPRESS) += lzo_compress.o - obj-$(CONFIG_LZO_DECOMPRESS) += lzo_decompress.o -diff --git a/lib/lzo/lzo1x_compress.c b/lib/lzo/lzo1x_compress.c -index a604099..236eb21 100644 ---- a/lib/lzo/lzo1x_compress.c -+++ b/lib/lzo/lzo1x_compress.c -@@ -1,194 +1,243 @@ - /* -- * LZO1X Compressor from MiniLZO -+ * LZO1X Compressor from LZO - * -- * Copyright (C) 1996-2005 Markus F.X.J. Oberhumer <markus@oberhumer.com> -+ * Copyright (C) 1996-2012 Markus F.X.J. Oberhumer <markus@oberhumer.com> - * - * The full LZO package can be found at: - * http://www.oberhumer.com/opensource/lzo/ - * -- * Changed for kernel use by: -+ * Changed for Linux kernel use by: - * Nitin Gupta <nitingupta910@gmail.com> - * Richard Purdie <rpurdie@openedhand.com> - */ - - #include <linux/module.h> - #include <linux/kernel.h> --#include <linux/lzo.h> - #include <asm/unaligned.h> -+#include <linux/lzo.h> - #include "lzodefs.h" - - static noinline size_t --_lzo1x_1_do_compress(const unsigned char *in, size_t in_len, -- unsigned char *out, size_t *out_len, void *wrkmem) -+lzo1x_1_do_compress(const unsigned char *in, size_t in_len, -+ unsigned char *out, size_t *out_len, -+ size_t ti, void *wrkmem) - { -+ const unsigned char *ip; -+ unsigned char *op; - const unsigned char * const in_end = in + in_len; -- const unsigned char * const ip_end = in + in_len - M2_MAX_LEN - 5; -- const unsigned char ** const dict = wrkmem; -- const unsigned char *ip = in, *ii = ip; -- const unsigned char *end, *m, *m_pos; -- size_t m_off, m_len, dindex; -- unsigned char *op = out; -+ const unsigned char * const ip_end = in + in_len - 20; -+ const unsigned char *ii; -+ lzo_dict_t * const dict = (lzo_dict_t *) wrkmem; - -- ip += 4; -+ op = out; -+ ip = in; -+ ii = ip; -+ ip += ti < 4 ? 4 - ti : 0; - - for (;;) { -- dindex = ((size_t)(0x21 * DX3(ip, 5, 5, 6)) >> 5) & D_MASK; -- m_pos = dict[dindex]; -- -- if (m_pos < in) -- goto literal; -- -- if (ip == m_pos || ((size_t)(ip - m_pos) > M4_MAX_OFFSET)) -- goto literal; -- -- m_off = ip - m_pos; -- if (m_off <= M2_MAX_OFFSET || m_pos[3] == ip[3]) -- goto try_match; -- -- dindex = (dindex & (D_MASK & 0x7ff)) ^ (D_HIGH | 0x1f); -- m_pos = dict[dindex]; -- -- if (m_pos < in) -- goto literal; -- -- if (ip == m_pos || ((size_t)(ip - m_pos) > M4_MAX_OFFSET)) -- goto literal; -- -- m_off = ip - m_pos; -- if (m_off <= M2_MAX_OFFSET || m_pos[3] == ip[3]) -- goto try_match; -- -- goto literal; -- --try_match: -- if (get_unaligned((const unsigned short *)m_pos) -- == get_unaligned((const unsigned short *)ip)) { -- if (likely(m_pos[2] == ip[2])) -- goto match; -- } -- -+ const unsigned char *m_pos; -+ size_t t, m_len, m_off; -+ u32 dv; - literal: -- dict[dindex] = ip; -- ++ip; -+ ip += 1 + ((ip - ii) >> 5); -+next: - if (unlikely(ip >= ip_end)) - break; -- continue; -- --match: -- dict[dindex] = ip; -- if (ip != ii) { -- size_t t = ip - ii; -+ dv = get_unaligned_le32(ip); -+ t = ((dv * 0x1824429d) >> (32 - D_BITS)) & D_MASK; -+ m_pos = in + dict[t]; -+ dict[t] = (lzo_dict_t) (ip - in); -+ if (unlikely(dv != get_unaligned_le32(m_pos))) -+ goto literal; - -+ ii -= ti; -+ ti = 0; -+ t = ip - ii; -+ if (t != 0) { - if (t <= 3) { - op[-2] |= t; -- } else if (t <= 18) { -+ COPY4(op, ii); -+ op += t; -+ } else if (t <= 16) { - *op++ = (t - 3); -+ COPY8(op, ii); -+ COPY8(op + 8, ii + 8); -+ op += t; - } else { -- size_t tt = t - 18; -- -- *op++ = 0; -- while (tt > 255) { -- tt -= 255; -+ if (t <= 18) { -+ *op++ = (t - 3); -+ } else { -+ size_t tt = t - 18; - *op++ = 0; -+ while (unlikely(tt > 255)) { -+ tt -= 255; -+ *op++ = 0; -+ } -+ *op++ = tt; - } -- *op++ = tt; -+ do { -+ COPY8(op, ii); -+ COPY8(op + 8, ii + 8); -+ op += 16; -+ ii += 16; -+ t -= 16; -+ } while (t >= 16); -+ if (t > 0) do { -+ *op++ = *ii++; -+ } while (--t > 0); - } -- do { -- *op++ = *ii++; -- } while (--t > 0); - } - -- ip += 3; -- if (m_pos[3] != *ip++ || m_pos[4] != *ip++ -- || m_pos[5] != *ip++ || m_pos[6] != *ip++ -- || m_pos[7] != *ip++ || m_pos[8] != *ip++) { -- --ip; -- m_len = ip - ii; -+ m_len = 4; -+ { -+#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && defined(LZO_USE_CTZ64) -+ u64 v; -+ v = get_unaligned((const u64 *) (ip + m_len)) ^ -+ get_unaligned((const u64 *) (m_pos + m_len)); -+ if (unlikely(v == 0)) { -+ do { -+ m_len += 8; -+ v = get_unaligned((const u64 *) (ip + m_len)) ^ -+ get_unaligned((const u64 *) (m_pos + m_len)); -+ if (unlikely(ip + m_len >= ip_end)) -+ goto m_len_done; -+ } while (v == 0); -+ } -+# if defined(__LITTLE_ENDIAN) -+ m_len += (unsigned) __builtin_ctzll(v) / 8; -+# elif defined(__BIG_ENDIAN) -+ m_len += (unsigned) __builtin_clzll(v) / 8; -+# else -+# error "missing endian definition" -+# endif -+#elif defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && defined(LZO_USE_CTZ32) -+ u32 v; -+ v = get_unaligned((const u32 *) (ip + m_len)) ^ -+ get_unaligned((const u32 *) (m_pos + m_len)); -+ if (unlikely(v == 0)) { -+ do { -+ m_len += 4; -+ v = get_unaligned((const u32 *) (ip + m_len)) ^ -+ get_unaligned((const u32 *) (m_pos + m_len)); -+ if (v != 0) -+ break; -+ m_len += 4; -+ v = get_unaligned((const u32 *) (ip + m_len)) ^ -+ get_unaligned((const u32 *) (m_pos + m_len)); -+ if (unlikely(ip + m_len >= ip_end)) -+ goto m_len_done; -+ } while (v == 0); -+ } -+# if defined(__LITTLE_ENDIAN) -+ m_len += (unsigned) __builtin_ctz(v) / 8; -+# elif defined(__BIG_ENDIAN) -+ m_len += (unsigned) __builtin_clz(v) / 8; -+# else -+# error "missing endian definition" -+# endif -+#else -+ if (unlikely(ip[m_len] == m_pos[m_len])) { -+ do { -+ m_len += 1; -+ if (ip[m_len] != m_pos[m_len]) -+ break; -+ m_len += 1; -+ if (ip[m_len] != m_pos[m_len]) -+ break; -+ m_len += 1; -+ if (ip[m_len] != m_pos[m_len]) -+ break; -+ m_len += 1; -+ if (ip[m_len] != m_pos[m_len]) -+ break; -+ m_len += 1; -+ if (ip[m_len] != m_pos[m_len]) -+ break; -+ m_len += 1; -+ if (ip[m_len] != m_pos[m_len]) -+ break; -+ m_len += 1; -+ if (ip[m_len] != m_pos[m_len]) -+ break; -+ m_len += 1; -+ if (unlikely(ip + m_len >= ip_end)) -+ goto m_len_done; -+ } while (ip[m_len] == m_pos[m_len]); -+ } -+#endif -+ } -+m_len_done: - -- if (m_off <= M2_MAX_OFFSET) { -- m_off -= 1; -- *op++ = (((m_len - 1) << 5) -- | ((m_off & 7) << 2)); -- *op++ = (m_off >> 3); -- } else if (m_off <= M3_MAX_OFFSET) { -- m_off -= 1; -+ m_off = ip - m_pos; -+ ip += m_len; -+ ii = ip; -+ if (m_len <= M2_MAX_LEN && m_off <= M2_MAX_OFFSET) { -+ m_off -= 1; -+ *op++ = (((m_len - 1) << 5) | ((m_off & 7) << 2)); -+ *op++ = (m_off >> 3); -+ } else if (m_off <= M3_MAX_OFFSET) { -+ m_off -= 1; -+ if (m_len <= M3_MAX_LEN) - *op++ = (M3_MARKER | (m_len - 2)); -- goto m3_m4_offset; -- } else { -- m_off -= 0x4000; -- -- *op++ = (M4_MARKER | ((m_off & 0x4000) >> 11) -- | (m_len - 2)); -- goto m3_m4_offset; -+ else { -+ m_len -= M3_MAX_LEN; -+ *op++ = M3_MARKER | 0; -+ while (unlikely(m_len > 255)) { -+ m_len -= 255; -+ *op++ = 0; -+ } -+ *op++ = (m_len); - } -+ *op++ = (m_off << 2); -+ *op++ = (m_off >> 6); - } else { -- end = in_end; -- m = m_pos + M2_MAX_LEN + 1; -- -- while (ip < end && *m == *ip) { -- m++; -- ip++; -- } -- m_len = ip - ii; -- -- if (m_off <= M3_MAX_OFFSET) { -- m_off -= 1; -- if (m_len <= 33) { -- *op++ = (M3_MARKER | (m_len - 2)); -- } else { -- m_len -= 33; -- *op++ = M3_MARKER | 0; -- goto m3_m4_len; -- } -- } else { -- m_off -= 0x4000; -- if (m_len <= M4_MAX_LEN) { -- *op++ = (M4_MARKER -- | ((m_off & 0x4000) >> 11) -+ m_off -= 0x4000; -+ if (m_len <= M4_MAX_LEN) -+ *op++ = (M4_MARKER | ((m_off >> 11) & 8) - | (m_len - 2)); -- } else { -- m_len -= M4_MAX_LEN; -- *op++ = (M4_MARKER -- | ((m_off & 0x4000) >> 11)); --m3_m4_len: -- while (m_len > 255) { -- m_len -= 255; -- *op++ = 0; -- } -- -- *op++ = (m_len); -+ else { -+ m_len -= M4_MAX_LEN; -+ *op++ = (M4_MARKER | ((m_off >> 11) & 8)); -+ while (unlikely(m_len > 255)) { -+ m_len -= 255; -+ *op++ = 0; - } -+ *op++ = (m_len); - } --m3_m4_offset: -- *op++ = ((m_off & 63) << 2); -+ *op++ = (m_off << 2); - *op++ = (m_off >> 6); - } -- -- ii = ip; -- if (unlikely(ip >= ip_end)) -- break; -+ goto next; - } -- - *out_len = op - out; -- return in_end - ii; -+ return in_end - (ii - ti); - } - --int lzo1x_1_compress(const unsigned char *in, size_t in_len, unsigned char *out, -- size_t *out_len, void *wrkmem) -+int lzo1x_1_compress(const unsigned char *in, size_t in_len, -+ unsigned char *out, size_t *out_len, -+ void *wrkmem) - { -- const unsigned char *ii; -+ const unsigned char *ip = in; - unsigned char *op = out; -- size_t t; -+ size_t l = in_len; -+ size_t t = 0; - -- if (unlikely(in_len <= M2_MAX_LEN + 5)) { -- t = in_len; -- } else { -- t = _lzo1x_1_do_compress(in, in_len, op, out_len, wrkmem); -+ while (l > 20) { -+ size_t ll = l <= (M4_MAX_OFFSET + 1) ? l : (M4_MAX_OFFSET + 1); -+ uintptr_t ll_end = (uintptr_t) ip + ll; -+ if ((ll_end + ((t + ll) >> 5)) <= ll_end) -+ break; -+ BUILD_BUG_ON(D_SIZE * sizeof(lzo_dict_t) > LZO1X_1_MEM_COMPRESS); -+ memset(wrkmem, 0, D_SIZE * sizeof(lzo_dict_t)); -+ t = lzo1x_1_do_compress(ip, ll, op, out_len, t, wrkmem); -+ ip += ll; - op += *out_len; -+ l -= ll; - } -+ t += l; - - if (t > 0) { -- ii = in + in_len - t; -+ const unsigned char *ii = in + in_len - t; - - if (op == out && t <= 238) { - *op++ = (17 + t); -@@ -198,16 +247,21 @@ int lzo1x_1_compress(const unsigned char *in, size_t in_len, unsigned char *out, - *op++ = (t - 3); - } else { - size_t tt = t - 18; -- - *op++ = 0; - while (tt > 255) { - tt -= 255; - *op++ = 0; - } -- - *op++ = tt; - } -- do { -+ if (t >= 16) do { -+ COPY8(op, ii); -+ COPY8(op + 8, ii + 8); -+ op += 16; -+ ii += 16; -+ t -= 16; -+ } while (t >= 16); -+ if (t > 0) do { - *op++ = *ii++; - } while (--t > 0); - } -@@ -223,4 +277,3 @@ EXPORT_SYMBOL_GPL(lzo1x_1_compress); - - MODULE_LICENSE("GPL"); - MODULE_DESCRIPTION("LZO1X-1 Compressor"); -- -diff --git a/lib/lzo/lzo1x_decompress.c b/lib/lzo/lzo1x_decompress.c -deleted file mode 100644 -index f2fd098..0000000 ---- a/lib/lzo/lzo1x_decompress.c -+++ /dev/null -@@ -1,255 +0,0 @@ --/* -- * LZO1X Decompressor from MiniLZO -- * -- * Copyright (C) 1996-2005 Markus F.X.J. Oberhumer <markus@oberhumer.com> -- * -- * The full LZO package can be found at: -- * http://www.oberhumer.com/opensource/lzo/ -- * -- * Changed for kernel use by: -- * Nitin Gupta <nitingupta910@gmail.com> -- * Richard Purdie <rpurdie@openedhand.com> -- */ -- --#ifndef STATIC --#include <linux/module.h> --#include <linux/kernel.h> --#endif -- --#include <asm/unaligned.h> --#include <linux/lzo.h> --#include "lzodefs.h" -- --#define HAVE_IP(x, ip_end, ip) ((size_t)(ip_end - ip) < (x)) --#define HAVE_OP(x, op_end, op) ((size_t)(op_end - op) < (x)) --#define HAVE_LB(m_pos, out, op) (m_pos < out || m_pos >= op) -- --#define COPY4(dst, src) \ -- put_unaligned(get_unaligned((const u32 *)(src)), (u32 *)(dst)) -- --int lzo1x_decompress_safe(const unsigned char *in, size_t in_len, -- unsigned char *out, size_t *out_len) --{ -- const unsigned char * const ip_end = in + in_len; -- unsigned char * const op_end = out + *out_len; -- const unsigned char *ip = in, *m_pos; -- unsigned char *op = out; -- size_t t; -- -- *out_len = 0; -- -- if (*ip > 17) { -- t = *ip++ - 17; -- if (t < 4) -- goto match_next; -- if (HAVE_OP(t, op_end, op)) -- goto output_overrun; -- if (HAVE_IP(t + 1, ip_end, ip)) -- goto input_overrun; -- do { -- *op++ = *ip++; -- } while (--t > 0); -- goto first_literal_run; -- } -- -- while ((ip < ip_end)) { -- t = *ip++; -- if (t >= 16) -- goto match; -- if (t == 0) { -- if (HAVE_IP(1, ip_end, ip)) -- goto input_overrun; -- while (*ip == 0) { -- t += 255; -- ip++; -- if (HAVE_IP(1, ip_end, ip)) -- goto input_overrun; -- } -- t += 15 + *ip++; -- } -- if (HAVE_OP(t + 3, op_end, op)) -- goto output_overrun; -- if (HAVE_IP(t + 4, ip_end, ip)) -- goto input_overrun; -- -- COPY4(op, ip); -- op += 4; -- ip += 4; -- if (--t > 0) { -- if (t >= 4) { -- do { -- COPY4(op, ip); -- op += 4; -- ip += 4; -- t -= 4; -- } while (t >= 4); -- if (t > 0) { -- do { -- *op++ = *ip++; -- } while (--t > 0); -- } -- } else { -- do { -- *op++ = *ip++; -- } while (--t > 0); -- } -- } -- --first_literal_run: -- t = *ip++; -- if (t >= 16) -- goto match; -- m_pos = op - (1 + M2_MAX_OFFSET); -- m_pos -= t >> 2; -- m_pos -= *ip++ << 2; -- -- if (HAVE_LB(m_pos, out, op)) -- goto lookbehind_overrun; -- -- if (HAVE_OP(3, op_end, op)) -- goto output_overrun; -- *op++ = *m_pos++; -- *op++ = *m_pos++; -- *op++ = *m_pos; -- -- goto match_done; -- -- do { --match: -- if (t >= 64) { -- m_pos = op - 1; -- m_pos -= (t >> 2) & 7; -- m_pos -= *ip++ << 3; -- t = (t >> 5) - 1; -- if (HAVE_LB(m_pos, out, op)) -- goto lookbehind_overrun; -- if (HAVE_OP(t + 3 - 1, op_end, op)) -- goto output_overrun; -- goto copy_match; -- } else if (t >= 32) { -- t &= 31; -- if (t == 0) { -- if (HAVE_IP(1, ip_end, ip)) -- goto input_overrun; -- while (*ip == 0) { -- t += 255; -- ip++; -- if (HAVE_IP(1, ip_end, ip)) -- goto input_overrun; -- } -- t += 31 + *ip++; -- } -- m_pos = op - 1; -- m_pos -= get_unaligned_le16(ip) >> 2; -- ip += 2; -- } else if (t >= 16) { -- m_pos = op; -- m_pos -= (t & 8) << 11; -- -- t &= 7; -- if (t == 0) { -- if (HAVE_IP(1, ip_end, ip)) -- goto input_overrun; -- while (*ip == 0) { -- t += 255; -- ip++; -- if (HAVE_IP(1, ip_end, ip)) -- goto input_overrun; -- } -- t += 7 + *ip++; -- } -- m_pos -= get_unaligned_le16(ip) >> 2; -- ip += 2; -- if (m_pos == op) -- goto eof_found; -- m_pos -= 0x4000; -- } else { -- m_pos = op - 1; -- m_pos -= t >> 2; -- m_pos -= *ip++ << 2; -- -- if (HAVE_LB(m_pos, out, op)) -- goto lookbehind_overrun; -- if (HAVE_OP(2, op_end, op)) -- goto output_overrun; -- -- *op++ = *m_pos++; -- *op++ = *m_pos; -- goto match_done; -- } -- -- if (HAVE_LB(m_pos, out, op)) -- goto lookbehind_overrun; -- if (HAVE_OP(t + 3 - 1, op_end, op)) -- goto output_overrun; -- -- if (t >= 2 * 4 - (3 - 1) && (op - m_pos) >= 4) { -- COPY4(op, m_pos); -- op += 4; -- m_pos += 4; -- t -= 4 - (3 - 1); -- do { -- COPY4(op, m_pos); -- op += 4; -- m_pos += 4; -- t -= 4; -- } while (t >= 4); -- if (t > 0) -- do { -- *op++ = *m_pos++; -- } while (--t > 0); -- } else { --copy_match: -- *op++ = *m_pos++; -- *op++ = *m_pos++; -- do { -- *op++ = *m_pos++; -- } while (--t > 0); -- } --match_done: -- t = ip[-2] & 3; -- if (t == 0) -- break; --match_next: -- if (HAVE_OP(t, op_end, op)) -- goto output_overrun; -- if (HAVE_IP(t + 1, ip_end, ip)) -- goto input_overrun; -- -- *op++ = *ip++; -- if (t > 1) { -- *op++ = *ip++; -- if (t > 2) -- *op++ = *ip++; -- } -- -- t = *ip++; -- } while (ip < ip_end); -- } -- -- *out_len = op - out; -- return LZO_E_EOF_NOT_FOUND; -- --eof_found: -- *out_len = op - out; -- return (ip == ip_end ? LZO_E_OK : -- (ip < ip_end ? LZO_E_INPUT_NOT_CONSUMED : LZO_E_INPUT_OVERRUN)); --input_overrun: -- *out_len = op - out; -- return LZO_E_INPUT_OVERRUN; -- --output_overrun: -- *out_len = op - out; -- return LZO_E_OUTPUT_OVERRUN; -- --lookbehind_overrun: -- *out_len = op - out; -- return LZO_E_LOOKBEHIND_OVERRUN; --} --#ifndef STATIC --EXPORT_SYMBOL_GPL(lzo1x_decompress_safe); -- --MODULE_LICENSE("GPL"); --MODULE_DESCRIPTION("LZO1X Decompressor"); -- --#endif -diff --git a/lib/lzo/lzo1x_decompress_safe.c b/lib/lzo/lzo1x_decompress_safe.c -new file mode 100644 -index 0000000..8563081 ---- /dev/null -+++ b/lib/lzo/lzo1x_decompress_safe.c -@@ -0,0 +1,257 @@ -+/* -+ * LZO1X Decompressor from LZO -+ * -+ * Copyright (C) 1996-2012 Markus F.X.J. Oberhumer <markus@oberhumer.com> -+ * -+ * The full LZO package can be found at: -+ * http://www.oberhumer.com/opensource/lzo/ -+ * -+ * Changed for Linux kernel use by: -+ * Nitin Gupta <nitingupta910@gmail.com> -+ * Richard Purdie <rpurdie@openedhand.com> -+ */ -+ -+#ifndef STATIC -+#include <linux/module.h> -+#include <linux/kernel.h> -+#endif -+#include <asm/unaligned.h> -+#include <linux/lzo.h> -+#include "lzodefs.h" -+ -+#define HAVE_IP(t, x) \ -+ (((size_t)(ip_end - ip) >= (size_t)(t + x)) && \ -+ (((t + x) >= t) && ((t + x) >= x))) -+ -+#define HAVE_OP(t, x) \ -+ (((size_t)(op_end - op) >= (size_t)(t + x)) && \ -+ (((t + x) >= t) && ((t + x) >= x))) -+ -+#define NEED_IP(t, x) \ -+ do { \ -+ if (!HAVE_IP(t, x)) \ -+ goto input_overrun; \ -+ } while (0) -+ -+#define NEED_OP(t, x) \ -+ do { \ -+ if (!HAVE_OP(t, x)) \ -+ goto output_overrun; \ -+ } while (0) -+ -+#define TEST_LB(m_pos) \ -+ do { \ -+ if ((m_pos) < out) \ -+ goto lookbehind_overrun; \ -+ } while (0) -+ -+int lzo1x_decompress_safe(const unsigned char *in, size_t in_len, -+ unsigned char *out, size_t *out_len) -+{ -+ unsigned char *op; -+ const unsigned char *ip; -+ size_t t, next; -+ size_t state = 0; -+ const unsigned char *m_pos; -+ const unsigned char * const ip_end = in + in_len; -+ unsigned char * const op_end = out + *out_len; -+ -+ op = out; -+ ip = in; -+ -+ if (unlikely(in_len < 3)) -+ goto input_overrun; -+ if (*ip > 17) { -+ t = *ip++ - 17; -+ if (t < 4) { -+ next = t; -+ goto match_next; -+ } -+ goto copy_literal_run; -+ } -+ -+ for (;;) { -+ t = *ip++; -+ if (t < 16) { -+ if (likely(state == 0)) { -+ if (unlikely(t == 0)) { -+ while (unlikely(*ip == 0)) { -+ t += 255; -+ ip++; -+ NEED_IP(1, 0); -+ } -+ t += 15 + *ip++; -+ } -+ t += 3; -+copy_literal_run: -+#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) -+ if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) { -+ const unsigned char *ie = ip + t; -+ unsigned char *oe = op + t; -+ do { -+ COPY8(op, ip); -+ op += 8; -+ ip += 8; -+ COPY8(op, ip); -+ op += 8; -+ ip += 8; -+ } while (ip < ie); -+ ip = ie; -+ op = oe; -+ } else -+#endif -+ { -+ NEED_OP(t, 0); -+ NEED_IP(t, 3); -+ do { -+ *op++ = *ip++; -+ } while (--t > 0); -+ } -+ state = 4; -+ continue; -+ } else if (state != 4) { -+ next = t & 3; -+ m_pos = op - 1; -+ m_pos -= t >> 2; -+ m_pos -= *ip++ << 2; -+ TEST_LB(m_pos); -+ NEED_OP(2, 0); -+ op[0] = m_pos[0]; -+ op[1] = m_pos[1]; -+ op += 2; -+ goto match_next; -+ } else { -+ next = t & 3; -+ m_pos = op - (1 + M2_MAX_OFFSET); -+ m_pos -= t >> 2; -+ m_pos -= *ip++ << 2; -+ t = 3; -+ } -+ } else if (t >= 64) { -+ next = t & 3; -+ m_pos = op - 1; -+ m_pos -= (t >> 2) & 7; -+ m_pos -= *ip++ << 3; -+ t = (t >> 5) - 1 + (3 - 1); -+ } else if (t >= 32) { -+ t = (t & 31) + (3 - 1); -+ if (unlikely(t == 2)) { -+ while (unlikely(*ip == 0)) { -+ t += 255; -+ ip++; -+ NEED_IP(1, 0); -+ } -+ t += 31 + *ip++; -+ NEED_IP(2, 0); -+ } -+ m_pos = op - 1; -+ next = get_unaligned_le16(ip); -+ ip += 2; -+ m_pos -= next >> 2; -+ next &= 3; -+ } else { -+ m_pos = op; -+ m_pos -= (t & 8) << 11; -+ t = (t & 7) + (3 - 1); -+ if (unlikely(t == 2)) { -+ while (unlikely(*ip == 0)) { -+ t += 255; -+ ip++; -+ NEED_IP(1, 0); -+ } -+ t += 7 + *ip++; -+ NEED_IP(2, 0); -+ } -+ next = get_unaligned_le16(ip); -+ ip += 2; -+ m_pos -= next >> 2; -+ next &= 3; -+ if (m_pos == op) -+ goto eof_found; -+ m_pos -= 0x4000; -+ } -+ TEST_LB(m_pos); -+#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) -+ if (op - m_pos >= 8) { -+ unsigned char *oe = op + t; -+ if (likely(HAVE_OP(t, 15))) { -+ do { -+ COPY8(op, m_pos); -+ op += 8; -+ m_pos += 8; -+ COPY8(op, m_pos); -+ op += 8; -+ m_pos += 8; -+ } while (op < oe); -+ op = oe; -+ if (HAVE_IP(6, 0)) { -+ state = next; -+ COPY4(op, ip); -+ op += next; -+ ip += next; -+ continue; -+ } -+ } else { -+ NEED_OP(t, 0); -+ do { -+ *op++ = *m_pos++; -+ } while (op < oe); -+ } -+ } else -+#endif -+ { -+ unsigned char *oe = op + t; -+ NEED_OP(t, 0); -+ op[0] = m_pos[0]; -+ op[1] = m_pos[1]; -+ op += 2; -+ m_pos += 2; -+ do { -+ *op++ = *m_pos++; -+ } while (op < oe); -+ } -+match_next: -+ state = next; -+ t = next; -+#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) -+ if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) { -+ COPY4(op, ip); -+ op += t; -+ ip += t; -+ } else -+#endif -+ { -+ NEED_IP(t, 3); -+ NEED_OP(t, 0); -+ while (t > 0) { -+ *op++ = *ip++; -+ t--; -+ } -+ } -+ } -+ -+eof_found: -+ *out_len = op - out; -+ return (t != 3 ? LZO_E_ERROR : -+ ip == ip_end ? LZO_E_OK : -+ ip < ip_end ? LZO_E_INPUT_NOT_CONSUMED : LZO_E_INPUT_OVERRUN); -+ -+input_overrun: -+ *out_len = op - out; -+ return LZO_E_INPUT_OVERRUN; -+ -+output_overrun: -+ *out_len = op - out; -+ return LZO_E_OUTPUT_OVERRUN; -+ -+lookbehind_overrun: -+ *out_len = op - out; -+ return LZO_E_LOOKBEHIND_OVERRUN; -+} -+#ifndef STATIC -+EXPORT_SYMBOL_GPL(lzo1x_decompress_safe); -+ -+MODULE_LICENSE("GPL"); -+MODULE_DESCRIPTION("LZO1X Decompressor"); -+ -+#endif -diff --git a/lib/lzo/lzodefs.h b/lib/lzo/lzodefs.h -index b6d482c..6710b83 100644 ---- a/lib/lzo/lzodefs.h -+++ b/lib/lzo/lzodefs.h -@@ -1,19 +1,37 @@ - /* - * lzodefs.h -- architecture, OS and compiler specific defines - * -- * Copyright (C) 1996-2005 Markus F.X.J. Oberhumer <markus@oberhumer.com> -+ * Copyright (C) 1996-2012 Markus F.X.J. Oberhumer <markus@oberhumer.com> - * - * The full LZO package can be found at: - * http://www.oberhumer.com/opensource/lzo/ - * -- * Changed for kernel use by: -+ * Changed for Linux kernel use by: - * Nitin Gupta <nitingupta910@gmail.com> - * Richard Purdie <rpurdie@openedhand.com> - */ - --#define LZO_VERSION 0x2020 --#define LZO_VERSION_STRING "2.02" --#define LZO_VERSION_DATE "Oct 17 2005" -+ -+#define COPY4(dst, src) \ -+ put_unaligned(get_unaligned((const u32 *)(src)), (u32 *)(dst)) -+#if defined(__x86_64__) -+#define COPY8(dst, src) \ -+ put_unaligned(get_unaligned((const u64 *)(src)), (u64 *)(dst)) -+#else -+#define COPY8(dst, src) \ -+ COPY4(dst, src); COPY4((dst) + 4, (src) + 4) -+#endif -+ -+#if defined(__BIG_ENDIAN) && defined(__LITTLE_ENDIAN) -+#error "conflicting endian definitions" -+#elif defined(__x86_64__) -+#define LZO_USE_CTZ64 1 -+#define LZO_USE_CTZ32 1 -+#elif defined(__i386__) || defined(__powerpc__) -+#define LZO_USE_CTZ32 1 -+#elif defined(__arm__) && (__LINUX_ARM_ARCH__ >= 5) -+#define LZO_USE_CTZ32 1 -+#endif - - #define M1_MAX_OFFSET 0x0400 - #define M2_MAX_OFFSET 0x0800 -@@ -34,10 +52,8 @@ - #define M3_MARKER 32 - #define M4_MARKER 16 - --#define D_BITS 14 --#define D_MASK ((1u << D_BITS) - 1) -+#define lzo_dict_t unsigned short -+#define D_BITS 13 -+#define D_SIZE (1u << D_BITS) -+#define D_MASK (D_SIZE - 1) - #define D_HIGH ((D_MASK >> 1) + 1) -- --#define DX2(p, s1, s2) (((((size_t)((p)[2]) << (s2)) ^ (p)[1]) \ -- << (s1)) ^ (p)[0]) --#define DX3(p, s1, s2, s3) ((DX2((p)+1, s2, s3) << (s1)) ^ (p)[0]) -diff --git a/lib/nlattr.c b/lib/nlattr.c -index 190ae10..be25e35 100644 ---- a/lib/nlattr.c -+++ b/lib/nlattr.c -@@ -12,6 +12,8 @@ - #include <linux/netdevice.h> - #include <linux/skbuff.h> - #include <linux/string.h> -+#include <linux/ratelimit.h> -+#include <linux/sched.h> - #include <linux/types.h> - #include <net/netlink.h> - -@@ -197,8 +199,8 @@ int nla_parse(struct nlattr **tb, int maxtype, const struct nlattr *head, - } - - if (unlikely(rem > 0)) -- printk(KERN_WARNING "netlink: %d bytes leftover after parsing " -- "attributes.\n", rem); -+ pr_warn_ratelimited("netlink: %d bytes leftover after parsing attributes in process `%s'.\n", -+ rem, current->comm); - - err = 0; - errout: -diff --git a/mm/highmem.c b/mm/highmem.c -index 2a07f97..09fc744 100644 ---- a/mm/highmem.c -+++ b/mm/highmem.c -@@ -98,7 +98,7 @@ struct page *kmap_to_page(void *vaddr) - { - unsigned long addr = (unsigned long)vaddr; - -- if (addr >= PKMAP_ADDR(0) && addr <= PKMAP_ADDR(LAST_PKMAP)) { -+ if (addr >= PKMAP_ADDR(0) && addr < PKMAP_ADDR(LAST_PKMAP)) { - int i = (addr - PKMAP_ADDR(0)) >> PAGE_SHIFT; - return pte_page(pkmap_page_table[i]); - } -diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index cac2441..6f886d9 100644 ---- a/mm/hugetlb.c -+++ b/mm/hugetlb.c -@@ -2272,6 +2272,31 @@ static void set_huge_ptep_writable(struct vm_area_struct *vma, - update_mmu_cache(vma, address, ptep); - } - -+static int is_hugetlb_entry_migration(pte_t pte) -+{ -+ swp_entry_t swp; -+ -+ if (huge_pte_none(pte) || pte_present(pte)) -+ return 0; -+ swp = pte_to_swp_entry(pte); -+ if (non_swap_entry(swp) && is_migration_entry(swp)) -+ return 1; -+ else -+ return 0; -+} -+ -+static int is_hugetlb_entry_hwpoisoned(pte_t pte) -+{ -+ swp_entry_t swp; -+ -+ if (huge_pte_none(pte) || pte_present(pte)) -+ return 0; -+ swp = pte_to_swp_entry(pte); -+ if (non_swap_entry(swp) && is_hwpoison_entry(swp)) -+ return 1; -+ else -+ return 0; -+} - - int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src, - struct vm_area_struct *vma) -@@ -2299,10 +2324,26 @@ int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src, - - spin_lock(&dst->page_table_lock); - spin_lock_nested(&src->page_table_lock, SINGLE_DEPTH_NESTING); -- if (!huge_pte_none(huge_ptep_get(src_pte))) { -+ entry = huge_ptep_get(src_pte); -+ if (huge_pte_none(entry)) { /* skip none entry */ -+ ; -+ } else if (unlikely(is_hugetlb_entry_migration(entry) || -+ is_hugetlb_entry_hwpoisoned(entry))) { -+ swp_entry_t swp_entry = pte_to_swp_entry(entry); -+ -+ if (is_write_migration_entry(swp_entry) && cow) { -+ /* -+ * COW mappings require pages in both -+ * parent and child to be set to read. -+ */ -+ make_migration_entry_read(&swp_entry); -+ entry = swp_entry_to_pte(swp_entry); -+ set_huge_pte_at(src, addr, src_pte, entry); -+ } -+ set_huge_pte_at(dst, addr, dst_pte, entry); -+ } else { - if (cow) - huge_ptep_set_wrprotect(src, addr, src_pte); -- entry = huge_ptep_get(src_pte); - ptepage = pte_page(entry); - get_page(ptepage); - page_dup_rmap(ptepage); -@@ -2317,32 +2358,6 @@ nomem: - return -ENOMEM; - } - --static int is_hugetlb_entry_migration(pte_t pte) --{ -- swp_entry_t swp; -- -- if (huge_pte_none(pte) || pte_present(pte)) -- return 0; -- swp = pte_to_swp_entry(pte); -- if (non_swap_entry(swp) && is_migration_entry(swp)) -- return 1; -- else -- return 0; --} -- --static int is_hugetlb_entry_hwpoisoned(pte_t pte) --{ -- swp_entry_t swp; -- -- if (huge_pte_none(pte) || pte_present(pte)) -- return 0; -- swp = pte_to_swp_entry(pte); -- if (non_swap_entry(swp) && is_hwpoison_entry(swp)) -- return 1; -- else -- return 0; --} -- - void __unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start, - unsigned long end, struct page *ref_page) - { -diff --git a/mm/mempolicy.c b/mm/mempolicy.c -index 4d1e637..2b5bcc9 100644 ---- a/mm/mempolicy.c -+++ b/mm/mempolicy.c -@@ -566,24 +566,23 @@ static inline int check_pgd_range(struct vm_area_struct *vma, - * If pagelist != NULL then isolate pages from the LRU and - * put them on the pagelist. - */ --static struct vm_area_struct * -+static int - check_range(struct mm_struct *mm, unsigned long start, unsigned long end, - const nodemask_t *nodes, unsigned long flags, void *private) - { -- int err; -- struct vm_area_struct *first, *vma, *prev; -- -+ int err = 0; -+ struct vm_area_struct *vma, *prev; - -- first = find_vma(mm, start); -- if (!first) -- return ERR_PTR(-EFAULT); -+ vma = find_vma(mm, start); -+ if (!vma) -+ return -EFAULT; - prev = NULL; -- for (vma = first; vma && vma->vm_start < end; vma = vma->vm_next) { -+ for (; vma && vma->vm_start < end; vma = vma->vm_next) { - if (!(flags & MPOL_MF_DISCONTIG_OK)) { - if (!vma->vm_next && vma->vm_end < end) -- return ERR_PTR(-EFAULT); -+ return -EFAULT; - if (prev && prev->vm_end < vma->vm_start) -- return ERR_PTR(-EFAULT); -+ return -EFAULT; - } - if (!is_vm_hugetlb_page(vma) && - ((flags & MPOL_MF_STRICT) || -@@ -597,14 +596,12 @@ check_range(struct mm_struct *mm, unsigned long start, unsigned long end, - start = vma->vm_start; - err = check_pgd_range(vma, start, endvma, nodes, - flags, private); -- if (err) { -- first = ERR_PTR(err); -+ if (err) - break; -- } - } - prev = vma; - } -- return first; -+ return err; - } - - /* -@@ -945,15 +942,18 @@ static int migrate_to_node(struct mm_struct *mm, int source, int dest, - nodemask_t nmask; - LIST_HEAD(pagelist); - int err = 0; -- struct vm_area_struct *vma; - - nodes_clear(nmask); - node_set(source, nmask); - -- vma = check_range(mm, mm->mmap->vm_start, mm->task_size, &nmask, -+ /* -+ * This does not "check" the range but isolates all pages that -+ * need migration. Between passing in the full user address -+ * space range and MPOL_MF_DISCONTIG_OK, this call can not fail. -+ */ -+ VM_BUG_ON(!(flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL))); -+ check_range(mm, mm->mmap->vm_start, mm->task_size, &nmask, - flags | MPOL_MF_DISCONTIG_OK, &pagelist); -- if (IS_ERR(vma)) -- return PTR_ERR(vma); - - if (!list_empty(&pagelist)) { - err = migrate_pages(&pagelist, new_node_page, dest, -@@ -1057,16 +1057,17 @@ out: - - /* - * Allocate a new page for page migration based on vma policy. -- * Start assuming that page is mapped by vma pointed to by @private. -+ * Start by assuming the page is mapped by the same vma as contains @start. - * Search forward from there, if not. N.B., this assumes that the - * list of pages handed to migrate_pages()--which is how we get here-- - * is in virtual address order. - */ --static struct page *new_vma_page(struct page *page, unsigned long private, int **x) -+static struct page *new_page(struct page *page, unsigned long start, int **x) - { -- struct vm_area_struct *vma = (struct vm_area_struct *)private; -+ struct vm_area_struct *vma; - unsigned long uninitialized_var(address); - -+ vma = find_vma(current->mm, start); - while (vma) { - address = page_address_in_vma(page, vma); - if (address != -EFAULT) -@@ -1092,7 +1093,7 @@ int do_migrate_pages(struct mm_struct *mm, - return -ENOSYS; - } - --static struct page *new_vma_page(struct page *page, unsigned long private, int **x) -+static struct page *new_page(struct page *page, unsigned long start, int **x) - { - return NULL; - } -@@ -1102,7 +1103,6 @@ static long do_mbind(unsigned long start, unsigned long len, - unsigned short mode, unsigned short mode_flags, - nodemask_t *nmask, unsigned long flags) - { -- struct vm_area_struct *vma; - struct mm_struct *mm = current->mm; - struct mempolicy *new; - unsigned long end; -@@ -1166,19 +1166,16 @@ static long do_mbind(unsigned long start, unsigned long len, - if (err) - goto mpol_out; - -- vma = check_range(mm, start, end, nmask, -+ err = check_range(mm, start, end, nmask, - flags | MPOL_MF_INVERT, &pagelist); -- -- err = PTR_ERR(vma); -- if (!IS_ERR(vma)) { -+ if (!err) { - int nr_failed = 0; - - err = mbind_range(mm, start, end, new); - - if (!list_empty(&pagelist)) { -- nr_failed = migrate_pages(&pagelist, new_vma_page, -- (unsigned long)vma, -- false, true); -+ nr_failed = migrate_pages(&pagelist, new_page, -+ start, false, true); - if (nr_failed) - putback_lru_pages(&pagelist); - } -diff --git a/mm/rmap.c b/mm/rmap.c -index 9ac405b..f3f6fd3 100644 ---- a/mm/rmap.c -+++ b/mm/rmap.c -@@ -103,6 +103,7 @@ static inline void anon_vma_free(struct anon_vma *anon_vma) - * LOCK should suffice since the actual taking of the lock must - * happen _before_ what follows. - */ -+ might_sleep(); - if (mutex_is_locked(&anon_vma->root->mutex)) { - anon_vma_lock(anon_vma); - anon_vma_unlock(anon_vma); -@@ -434,8 +435,9 @@ struct anon_vma *page_get_anon_vma(struct page *page) - * above cannot corrupt). - */ - if (!page_mapped(page)) { -+ rcu_read_unlock(); - put_anon_vma(anon_vma); -- anon_vma = NULL; -+ return NULL; - } - out: - rcu_read_unlock(); -@@ -485,9 +487,9 @@ struct anon_vma *page_lock_anon_vma(struct page *page) - } - - if (!page_mapped(page)) { -+ rcu_read_unlock(); - put_anon_vma(anon_vma); -- anon_vma = NULL; -- goto out; -+ return NULL; - } - - /* we pinned the anon_vma, its safe to sleep */ -@@ -1669,10 +1671,9 @@ void __put_anon_vma(struct anon_vma *anon_vma) - { - struct anon_vma *root = anon_vma->root; - -+ anon_vma_free(anon_vma); - if (root != anon_vma && atomic_dec_and_test(&root->refcount)) - anon_vma_free(root); -- -- anon_vma_free(anon_vma); - } - - #ifdef CONFIG_MIGRATION -diff --git a/mm/vmscan.c b/mm/vmscan.c -index 313381c..ab98dc6 100644 ---- a/mm/vmscan.c -+++ b/mm/vmscan.c -@@ -3016,7 +3016,10 @@ static int kswapd(void *p) - } - } - -+ tsk->flags &= ~(PF_MEMALLOC | PF_SWAPWRITE | PF_KSWAPD); - current->reclaim_state = NULL; -+ lockdep_clear_current_reclaim_state(); -+ - return 0; - } - -diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c -index 4d99d42..f456645 100644 ---- a/net/bluetooth/hci_conn.c -+++ b/net/bluetooth/hci_conn.c -@@ -617,7 +617,7 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) - /* If we're already encrypted set the REAUTH_PEND flag, - * otherwise set the ENCRYPT_PEND. - */ -- if (conn->key_type != 0xff) -+ if (conn->link_mode & HCI_LM_ENCRYPT) - set_bit(HCI_CONN_REAUTH_PEND, &conn->pend); - else - set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend); -diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c -index 7a157b3..d99075a 100644 ---- a/net/bluetooth/hci_event.c -+++ b/net/bluetooth/hci_event.c -@@ -2690,8 +2690,11 @@ static inline void hci_user_confirm_request_evt(struct hci_dev *hdev, - - /* If we're not the initiators request authorization to - * proceed from user space (mgmt_user_confirm with -- * confirm_hint set to 1). */ -- if (!test_bit(HCI_CONN_AUTH_PEND, &conn->pend)) { -+ * confirm_hint set to 1). The exception is if neither -+ * side had MITM in which case we do auto-accept. -+ */ -+ if (!test_bit(HCI_CONN_AUTH_PEND, &conn->pend) && -+ (loc_mitm || rem_mitm)) { - BT_DBG("Confirming auto-accept as acceptor"); - confirm_hint = 1; - goto confirm; -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 9204d9b..7121d9b 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -655,7 +655,7 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask) - skb_shinfo(skb)->tx_flags &= ~SKBTX_DEV_ZEROCOPY; - return 0; - } -- -+EXPORT_SYMBOL_GPL(skb_copy_ubufs); - - /** - * skb_clone - duplicate an sk_buff -@@ -2698,6 +2698,9 @@ struct sk_buff *skb_segment(struct sk_buff *skb, u32 features) - skb_put(nskb, hsize), hsize); - - while (pos < offset + len && i < nfrags) { -+ if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC))) -+ goto err; -+ - *frag = skb_shinfo(skb)->frags[i]; - __skb_frag_ref(frag); - size = skb_frag_size(frag); -diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c -index 5dc5137..7ce6d9f 100644 ---- a/net/ipv4/ipip.c -+++ b/net/ipv4/ipip.c -@@ -909,4 +909,5 @@ static void __exit ipip_fini(void) - module_init(ipip_init); - module_exit(ipip_fini); - MODULE_LICENSE("GPL"); -+MODULE_ALIAS_RTNL_LINK("ipip"); - MODULE_ALIAS_NETDEV("tunl0"); -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 7871cc6..14753d3 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -612,7 +612,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) - { - static atomic_t ipv6_fragmentation_id; -- int old, new; -+ int ident; - - if (rt && !(rt->dst.flags & DST_NOPEER)) { - struct inet_peer *peer; -@@ -625,13 +625,8 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) - return; - } - } -- do { -- old = atomic_read(&ipv6_fragmentation_id); -- new = old + 1; -- if (!new) -- new = 1; -- } while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old); -- fhdr->identification = htonl(new); -+ ident = atomic_inc_return(&ipv6_fragmentation_id); -+ fhdr->identification = htonl(ident); - } - - int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)) -diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c -index d19f499..ae32ff7 100644 ---- a/net/ipv6/ip6_tunnel.c -+++ b/net/ipv6/ip6_tunnel.c -@@ -57,6 +57,7 @@ - MODULE_AUTHOR("Ville Nuorvala"); - MODULE_DESCRIPTION("IPv6 tunneling device"); - MODULE_LICENSE("GPL"); -+MODULE_ALIAS_RTNL_LINK("ip6tnl"); - MODULE_ALIAS_NETDEV("ip6tnl0"); - - #ifdef IP6_TNL_DEBUG -diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c -index 72a939d..52ce196 100644 ---- a/net/ipv6/sit.c -+++ b/net/ipv6/sit.c -@@ -1293,4 +1293,5 @@ static int __init sit_init(void) - module_init(sit_init); - module_exit(sit_cleanup); - MODULE_LICENSE("GPL"); -+MODULE_ALIAS_RTNL_LINK("sit"); - MODULE_ALIAS_NETDEV("sit0"); -diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c -index 9352819..880a55d 100644 ---- a/net/mac80211/debugfs_netdev.c -+++ b/net/mac80211/debugfs_netdev.c -@@ -33,8 +33,7 @@ static ssize_t ieee80211_if_read( - ssize_t ret = -EINVAL; - - read_lock(&dev_base_lock); -- if (sdata->dev->reg_state == NETREG_REGISTERED) -- ret = (*format)(sdata, buf, sizeof(buf)); -+ ret = (*format)(sdata, buf, sizeof(buf)); - read_unlock(&dev_base_lock); - - if (ret >= 0) -@@ -62,8 +61,7 @@ static ssize_t ieee80211_if_write( - - ret = -ENODEV; - rtnl_lock(); -- if (sdata->dev->reg_state == NETREG_REGISTERED) -- ret = (*write)(sdata, buf, count); -+ ret = (*write)(sdata, buf, count); - rtnl_unlock(); - - freebuf: -diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c -index 9e20cb8..1c018d1 100644 ---- a/net/mac80211/ibss.c -+++ b/net/mac80211/ibss.c -@@ -914,6 +914,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata, - - sdata->u.ibss.privacy = params->privacy; - sdata->u.ibss.basic_rates = params->basic_rates; -+ sdata->u.ibss.last_scan_completed = jiffies; - memcpy(sdata->vif.bss_conf.mcast_rate, params->mcast_rate, - sizeof(params->mcast_rate)); - -diff --git a/net/sctp/associola.c b/net/sctp/associola.c -index 3c04692..25b207b 100644 ---- a/net/sctp/associola.c -+++ b/net/sctp/associola.c -@@ -389,7 +389,7 @@ void sctp_association_free(struct sctp_association *asoc) - /* Only real associations count against the endpoint, so - * don't bother for if this is a temporary association. - */ -- if (!asoc->temp) { -+ if (!list_empty(&asoc->asocs)) { - list_del(&asoc->asocs); - - /* Decrement the backlog value for a TCP-style listening -diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h -index 54e35c1..5e29610 100644 ---- a/scripts/recordmcount.h -+++ b/scripts/recordmcount.h -@@ -163,11 +163,11 @@ static int mcount_adjust = 0; - - static int MIPS_is_fake_mcount(Elf_Rel const *rp) - { -- static Elf_Addr old_r_offset; -+ static Elf_Addr old_r_offset = ~(Elf_Addr)0; - Elf_Addr current_r_offset = _w(rp->r_offset); - int is_fake; - -- is_fake = old_r_offset && -+ is_fake = (old_r_offset != ~(Elf_Addr)0) && - (current_r_offset - old_r_offset == MIPS_FAKEMCOUNT_OFFSET); - old_r_offset = current_r_offset; - -diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c -index 92d3d99..3439872 100644 ---- a/security/integrity/evm/evm_main.c -+++ b/security/integrity/evm/evm_main.c -@@ -207,12 +207,20 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, - * @xattr_value: pointer to the new extended attribute value - * @xattr_value_len: pointer to the new extended attribute value length - * -- * Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that -- * the current value is valid. -+ * Before allowing the 'security.evm' protected xattr to be updated, -+ * verify the existing value is valid. As only the kernel should have -+ * access to the EVM encrypted key needed to calculate the HMAC, prevent -+ * userspace from writing HMAC value. Writing 'security.evm' requires -+ * requires CAP_SYS_ADMIN privileges. - */ - int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, - const void *xattr_value, size_t xattr_value_len) - { -+ const struct evm_ima_xattr_data *xattr_data = xattr_value; -+ -+ if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0) -+ && (xattr_data->type == EVM_XATTR_HMAC)) -+ return -EPERM; - return evm_protect_xattr(dentry, xattr_name, xattr_value, - xattr_value_len); - } -diff --git a/sound/core/control.c b/sound/core/control.c -index 5511307..9210594 100644 ---- a/sound/core/control.c -+++ b/sound/core/control.c -@@ -288,6 +288,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card, - { - struct snd_kcontrol *kctl; - -+ /* Make sure that the ids assigned to the control do not wrap around */ -+ if (card->last_numid >= UINT_MAX - count) -+ card->last_numid = 0; -+ - list_for_each_entry(kctl, &card->controls, list) { - if (kctl->id.numid < card->last_numid + 1 + count && - kctl->id.numid + kctl->count > card->last_numid + 1) { -@@ -329,6 +333,7 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) - { - struct snd_ctl_elem_id id; - unsigned int idx; -+ unsigned int count; - int err = -EINVAL; - - if (! kcontrol) -@@ -336,6 +341,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) - if (snd_BUG_ON(!card || !kcontrol->info)) - goto error; - id = kcontrol->id; -+ if (id.index > UINT_MAX - kcontrol->count) -+ goto error; -+ - down_write(&card->controls_rwsem); - if (snd_ctl_find_id(card, &id)) { - up_write(&card->controls_rwsem); -@@ -357,8 +365,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) - card->controls_count += kcontrol->count; - kcontrol->id.numid = card->last_numid + 1; - card->last_numid += kcontrol->count; -+ count = kcontrol->count; - up_write(&card->controls_rwsem); -- for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++) -+ for (idx = 0; idx < count; idx++, id.index++, id.numid++) - snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id); - return 0; - -@@ -387,6 +396,7 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol, - bool add_on_replace) - { - struct snd_ctl_elem_id id; -+ unsigned int count; - unsigned int idx; - struct snd_kcontrol *old; - int ret; -@@ -422,8 +432,9 @@ add: - card->controls_count += kcontrol->count; - kcontrol->id.numid = card->last_numid + 1; - card->last_numid += kcontrol->count; -+ count = kcontrol->count; - up_write(&card->controls_rwsem); -- for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++) -+ for (idx = 0; idx < count; idx++, id.index++, id.numid++) - snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id); - return 0; - -@@ -894,9 +905,9 @@ static int snd_ctl_elem_write(struct snd_card *card, struct snd_ctl_file *file, - result = kctl->put(kctl, control); - } - if (result > 0) { -+ struct snd_ctl_elem_id id = control->id; - up_read(&card->controls_rwsem); -- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE, -- &control->id); -+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE, &id); - return 0; - } - } -@@ -988,6 +999,7 @@ static int snd_ctl_elem_unlock(struct snd_ctl_file *file, - - struct user_element { - struct snd_ctl_elem_info info; -+ struct snd_card *card; - void *elem_data; /* element data */ - unsigned long elem_data_size; /* size of element data in bytes */ - void *tlv_data; /* TLV data */ -@@ -1031,7 +1043,9 @@ static int snd_ctl_elem_user_get(struct snd_kcontrol *kcontrol, - { - struct user_element *ue = kcontrol->private_data; - -+ mutex_lock(&ue->card->user_ctl_lock); - memcpy(&ucontrol->value, ue->elem_data, ue->elem_data_size); -+ mutex_unlock(&ue->card->user_ctl_lock); - return 0; - } - -@@ -1040,10 +1054,12 @@ static int snd_ctl_elem_user_put(struct snd_kcontrol *kcontrol, - { - int change; - struct user_element *ue = kcontrol->private_data; -- -+ -+ mutex_lock(&ue->card->user_ctl_lock); - change = memcmp(&ucontrol->value, ue->elem_data, ue->elem_data_size) != 0; - if (change) - memcpy(ue->elem_data, &ucontrol->value, ue->elem_data_size); -+ mutex_unlock(&ue->card->user_ctl_lock); - return change; - } - -@@ -1063,19 +1079,32 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol, - new_data = memdup_user(tlv, size); - if (IS_ERR(new_data)) - return PTR_ERR(new_data); -+ mutex_lock(&ue->card->user_ctl_lock); - change = ue->tlv_data_size != size; - if (!change) - change = memcmp(ue->tlv_data, new_data, size); - kfree(ue->tlv_data); - ue->tlv_data = new_data; - ue->tlv_data_size = size; -+ mutex_unlock(&ue->card->user_ctl_lock); - } else { -- if (! ue->tlv_data_size || ! ue->tlv_data) -- return -ENXIO; -- if (size < ue->tlv_data_size) -- return -ENOSPC; -+ int ret = 0; -+ -+ mutex_lock(&ue->card->user_ctl_lock); -+ if (!ue->tlv_data_size || !ue->tlv_data) { -+ ret = -ENXIO; -+ goto err_unlock; -+ } -+ if (size < ue->tlv_data_size) { -+ ret = -ENOSPC; -+ goto err_unlock; -+ } - if (copy_to_user(tlv, ue->tlv_data, ue->tlv_data_size)) -- return -EFAULT; -+ ret = -EFAULT; -+err_unlock: -+ mutex_unlock(&ue->card->user_ctl_lock); -+ if (ret) -+ return ret; - } - return change; - } -@@ -1133,8 +1162,6 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, - struct user_element *ue; - int idx, err; - -- if (!replace && card->user_ctl_count >= MAX_USER_CONTROLS) -- return -ENOMEM; - if (info->count < 1) - return -EINVAL; - access = info->access == 0 ? SNDRV_CTL_ELEM_ACCESS_READWRITE : -@@ -1143,21 +1170,16 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, - SNDRV_CTL_ELEM_ACCESS_TLV_READWRITE)); - info->id.numid = 0; - memset(&kctl, 0, sizeof(kctl)); -- down_write(&card->controls_rwsem); -- _kctl = snd_ctl_find_id(card, &info->id); -- err = 0; -- if (_kctl) { -- if (replace) -- err = snd_ctl_remove(card, _kctl); -- else -- err = -EBUSY; -- } else { -- if (replace) -- err = -ENOENT; -+ -+ if (replace) { -+ err = snd_ctl_remove_user_ctl(file, &info->id); -+ if (err) -+ return err; - } -- up_write(&card->controls_rwsem); -- if (err < 0) -- return err; -+ -+ if (card->user_ctl_count >= MAX_USER_CONTROLS) -+ return -ENOMEM; -+ - memcpy(&kctl.id, &info->id, sizeof(info->id)); - kctl.count = info->owner ? info->owner : 1; - access |= SNDRV_CTL_ELEM_ACCESS_USER; -@@ -1207,6 +1229,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, - ue = kzalloc(sizeof(struct user_element) + private_size, GFP_KERNEL); - if (ue == NULL) - return -ENOMEM; -+ ue->card = card; - ue->info = *info; - ue->info.access = 0; - ue->elem_data = (char *)ue + sizeof(*ue); -@@ -1318,8 +1341,9 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file, - } - err = kctl->tlv.c(kctl, op_flag, tlv.length, _tlv->tlv); - if (err > 0) { -+ struct snd_ctl_elem_id id = kctl->id; - up_read(&card->controls_rwsem); -- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &kctl->id); -+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &id); - return 0; - } - } else { -diff --git a/sound/core/init.c b/sound/core/init.c -index fa0f35b..6333f8b 100644 ---- a/sound/core/init.c -+++ b/sound/core/init.c -@@ -207,6 +207,7 @@ int snd_card_create(int idx, const char *xid, - INIT_LIST_HEAD(&card->devices); - init_rwsem(&card->controls_rwsem); - rwlock_init(&card->ctl_files_rwlock); -+ mutex_init(&card->user_ctl_lock); - INIT_LIST_HEAD(&card->controls); - INIT_LIST_HEAD(&card->ctl_files); - spin_lock_init(&card->files_lock); -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index d307adb..400168e 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -4920,6 +4920,7 @@ enum { - ALC269_FIXUP_STEREO_DMIC, - ALC269_FIXUP_QUANTA_MUTE, - ALC269_FIXUP_LIFEBOOK, -+ ALC269_FIXUP_LIFEBOOK_EXTMIC, - ALC269_FIXUP_AMIC, - ALC269_FIXUP_DMIC, - ALC269VB_FIXUP_AMIC, -@@ -5008,6 +5009,13 @@ static const struct alc_fixup alc269_fixups[] = { - .chained = true, - .chain_id = ALC269_FIXUP_QUANTA_MUTE - }, -+ [ALC269_FIXUP_LIFEBOOK_EXTMIC] = { -+ .type = ALC_FIXUP_PINS, -+ .v.pins = (const struct alc_pincfg[]) { -+ { 0x19, 0x01a1903c }, /* headset mic, with jack detect */ -+ { } -+ }, -+ }, - [ALC269_FIXUP_AMIC] = { - .type = ALC_FIXUP_PINS, - .v.pins = (const struct alc_pincfg[]) { -@@ -5079,6 +5087,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { - SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z), - SND_PCI_QUIRK_VENDOR(0x1025, "Acer Aspire", ALC271_FIXUP_DMIC), - SND_PCI_QUIRK(0x10cf, 0x1475, "Lifebook", ALC269_FIXUP_LIFEBOOK), -+ SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC), - SND_PCI_QUIRK(0x17aa, 0x20f2, "Thinkpad SL410/510", ALC269_FIXUP_SKU_IGNORE), - SND_PCI_QUIRK(0x17aa, 0x215e, "Thinkpad L512", ALC269_FIXUP_SKU_IGNORE), - SND_PCI_QUIRK(0x17aa, 0x21b8, "Thinkpad Edge 14", ALC269_FIXUP_SKU_IGNORE), -@@ -6056,6 +6065,7 @@ static const struct hda_codec_preset snd_hda_preset_realtek[] = { - { .id = 0x10ec0670, .name = "ALC670", .patch = patch_alc662 }, - { .id = 0x10ec0671, .name = "ALC671", .patch = patch_alc662 }, - { .id = 0x10ec0680, .name = "ALC680", .patch = patch_alc680 }, -+ { .id = 0x10ec0867, .name = "ALC891", .patch = patch_alc882 }, - { .id = 0x10ec0880, .name = "ALC880", .patch = patch_alc880 }, - { .id = 0x10ec0882, .name = "ALC882", .patch = patch_alc882 }, - { .id = 0x10ec0883, .name = "ALC883", .patch = patch_alc882 }, |