diff options
Diffstat (limited to '3.2.71/1063_linux-3.2.64.patch')
| -rw-r--r-- | 3.2.71/1063_linux-3.2.64.patch | 3821 |
1 files changed, 0 insertions, 3821 deletions
diff --git a/3.2.71/1063_linux-3.2.64.patch b/3.2.71/1063_linux-3.2.64.patch deleted file mode 100644 index 862b4f0..0000000 --- a/3.2.71/1063_linux-3.2.64.patch +++ /dev/null @@ -1,3821 +0,0 @@ -diff --git a/Makefile b/Makefile -index 6d3f2d4..2b58ffc 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 2 --SUBLEVEL = 63 -+SUBLEVEL = 64 - EXTRAVERSION = - NAME = Saber-toothed Squirrel - -diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c -index a125c4b..6e39bf1 100644 ---- a/arch/arm/mm/alignment.c -+++ b/arch/arm/mm/alignment.c -@@ -38,6 +38,7 @@ - * This code is not portable to processors with late data abort handling. - */ - #define CODING_BITS(i) (i & 0x0e000000) -+#define COND_BITS(i) (i & 0xf0000000) - - #define LDST_I_BIT(i) (i & (1 << 26)) /* Immediate constant */ - #define LDST_P_BIT(i) (i & (1 << 24)) /* Preindex */ -@@ -812,6 +813,8 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) - break; - - case 0x04000000: /* ldr or str immediate */ -+ if (COND_BITS(instr) == 0xf0000000) /* NEON VLDn, VSTn */ -+ goto bad; - offset.un = OFFSET_BITS(instr); - handler = do_alignment_ldrstr; - break; -diff --git a/arch/mips/boot/compressed/decompress.c b/arch/mips/boot/compressed/decompress.c -index 5cad0fa..ca51d69 100644 ---- a/arch/mips/boot/compressed/decompress.c -+++ b/arch/mips/boot/compressed/decompress.c -@@ -13,6 +13,7 @@ - - #include <linux/types.h> - #include <linux/kernel.h> -+#include <linux/string.h> - - #include <asm/addrspace.h> - -diff --git a/arch/mips/kernel/mcount.S b/arch/mips/kernel/mcount.S -index 4c968e7..55eca41 100644 ---- a/arch/mips/kernel/mcount.S -+++ b/arch/mips/kernel/mcount.S -@@ -119,7 +119,11 @@ NESTED(_mcount, PT_SIZE, ra) - nop - #endif - b ftrace_stub -+#ifdef CONFIG_32BIT -+ addiu sp, sp, 8 -+#else - nop -+#endif - - static_trace: - MCOUNT_SAVE_REGS -@@ -129,6 +133,9 @@ static_trace: - move a1, AT /* arg2: parent's return address */ - - MCOUNT_RESTORE_REGS -+#ifdef CONFIG_32BIT -+ addiu sp, sp, 8 -+#endif - .globl ftrace_stub - ftrace_stub: - RETURN_BACK -@@ -177,6 +184,11 @@ NESTED(ftrace_graph_caller, PT_SIZE, ra) - jal prepare_ftrace_return - nop - MCOUNT_RESTORE_REGS -+#ifndef CONFIG_DYNAMIC_FTRACE -+#ifdef CONFIG_32BIT -+ addiu sp, sp, 8 -+#endif -+#endif - RETURN_BACK - END(ftrace_graph_caller) - -diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c -index fe425bb..228a205 100644 ---- a/arch/mips/mm/c-r4k.c -+++ b/arch/mips/mm/c-r4k.c -@@ -606,6 +606,7 @@ static void r4k_dma_cache_wback_inv(unsigned long addr, unsigned long size) - r4k_blast_scache(); - else - blast_scache_range(addr, addr + size); -+ preempt_enable(); - __sync(); - return; - } -@@ -647,6 +648,7 @@ static void r4k_dma_cache_inv(unsigned long addr, unsigned long size) - */ - blast_inv_scache_range(addr, addr + size); - } -+ preempt_enable(); - __sync(); - return; - } -diff --git a/arch/parisc/Makefile b/arch/parisc/Makefile -index 55cca1d..75947e0 100644 ---- a/arch/parisc/Makefile -+++ b/arch/parisc/Makefile -@@ -47,7 +47,12 @@ cflags-y := -pipe - - # These flags should be implied by an hppa-linux configuration, but they - # are not in gcc 3.2. --cflags-y += -mno-space-regs -mfast-indirect-calls -+cflags-y += -mno-space-regs -+ -+# -mfast-indirect-calls is only relevant for 32-bit kernels. -+ifndef CONFIG_64BIT -+cflags-y += -mfast-indirect-calls -+endif - - # Currently we save and restore fpregs on all kernel entry/interruption paths. - # If that gets optimized, we might need to disable the use of fpregs in the -diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c -index dd072b1..f6f41dd 100644 ---- a/arch/s390/kvm/kvm-s390.c -+++ b/arch/s390/kvm/kvm-s390.c -@@ -516,16 +516,6 @@ rerun_vcpu: - - BUG_ON(vcpu->kvm->arch.float_int.local_int[vcpu->vcpu_id] == NULL); - -- switch (kvm_run->exit_reason) { -- case KVM_EXIT_S390_SIEIC: -- case KVM_EXIT_UNKNOWN: -- case KVM_EXIT_INTR: -- case KVM_EXIT_S390_RESET: -- break; -- default: -- BUG(); -- } -- - vcpu->arch.sie_block->gpsw.mask = kvm_run->psw_mask; - vcpu->arch.sie_block->gpsw.addr = kvm_run->psw_addr; - -diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h -index b3eb9a7..15d24cb 100644 ---- a/arch/x86/include/asm/kvm_host.h -+++ b/arch/x86/include/asm/kvm_host.h -@@ -821,6 +821,20 @@ static inline void kvm_inject_gp(struct kvm_vcpu *vcpu, u32 error_code) - kvm_queue_exception_e(vcpu, GP_VECTOR, error_code); - } - -+static inline u64 get_canonical(u64 la) -+{ -+ return ((int64_t)la << 16) >> 16; -+} -+ -+static inline bool is_noncanonical_address(u64 la) -+{ -+#ifdef CONFIG_X86_64 -+ return get_canonical(la) != la; -+#else -+ return false; -+#endif -+} -+ - #define TSS_IOPB_BASE_OFFSET 0x66 - #define TSS_BASE_SIZE 0x68 - #define TSS_IOPB_SIZE (65536 / 8) -diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h -index 31f180c..36cbe2a 100644 ---- a/arch/x86/include/asm/vmx.h -+++ b/arch/x86/include/asm/vmx.h -@@ -279,6 +279,8 @@ enum vmcs_field { - #define EXIT_REASON_APIC_ACCESS 44 - #define EXIT_REASON_EPT_VIOLATION 48 - #define EXIT_REASON_EPT_MISCONFIG 49 -+#define EXIT_REASON_INVEPT 50 -+#define EXIT_REASON_INVVPID 53 - #define EXIT_REASON_WBINVD 54 - #define EXIT_REASON_XSETBV 55 - -diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c -index 6e68bd9..bb28f2ca 100644 ---- a/arch/x86/kernel/smpboot.c -+++ b/arch/x86/kernel/smpboot.c -@@ -1252,6 +1252,9 @@ static void remove_siblinginfo(int cpu) - - for_each_cpu(sibling, cpu_sibling_mask(cpu)) - cpumask_clear_cpu(cpu, cpu_sibling_mask(sibling)); -+ for_each_cpu(sibling, cpu_llc_shared_mask(cpu)) -+ cpumask_clear_cpu(cpu, cpu_llc_shared_mask(sibling)); -+ cpumask_clear(cpu_llc_shared_mask(cpu)); - cpumask_clear(cpu_sibling_mask(cpu)); - cpumask_clear(cpu_core_mask(cpu)); - c->phys_proc_id = 0; -diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 638cab5..f0ac042 100644 ---- a/arch/x86/kvm/emulate.c -+++ b/arch/x86/kvm/emulate.c -@@ -456,11 +456,6 @@ register_address_increment(struct x86_emulate_ctxt *ctxt, unsigned long *reg, in - *reg = (*reg & ~ad_mask(ctxt)) | ((*reg + inc) & ad_mask(ctxt)); - } - --static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) --{ -- register_address_increment(ctxt, &ctxt->_eip, rel); --} -- - static u32 desc_limit_scaled(struct desc_struct *desc) - { - u32 limit = get_desc_limit(desc); -@@ -534,6 +529,40 @@ static int emulate_nm(struct x86_emulate_ctxt *ctxt) - return emulate_exception(ctxt, NM_VECTOR, 0, false); - } - -+static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst, -+ int cs_l) -+{ -+ switch (ctxt->op_bytes) { -+ case 2: -+ ctxt->_eip = (u16)dst; -+ break; -+ case 4: -+ ctxt->_eip = (u32)dst; -+ break; -+#ifdef CONFIG_X86_64 -+ case 8: -+ if ((cs_l && is_noncanonical_address(dst)) || -+ (!cs_l && (dst >> 32) != 0)) -+ return emulate_gp(ctxt, 0); -+ ctxt->_eip = dst; -+ break; -+#endif -+ default: -+ WARN(1, "unsupported eip assignment size\n"); -+ } -+ return X86EMUL_CONTINUE; -+} -+ -+static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst) -+{ -+ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64); -+} -+ -+static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) -+{ -+ return assign_eip_near(ctxt, ctxt->_eip + rel); -+} -+ - static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg) - { - u16 selector; -@@ -1206,11 +1235,12 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt, - } - - /* Does not support long mode */ --static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt, -- u16 selector, int seg) -+static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, -+ u16 selector, int seg, u8 cpl, -+ struct desc_struct *desc) - { - struct desc_struct seg_desc; -- u8 dpl, rpl, cpl; -+ u8 dpl, rpl; - unsigned err_vec = GP_VECTOR; - u32 err_code = 0; - bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */ -@@ -1259,7 +1289,6 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt, - - rpl = selector & 3; - dpl = seg_desc.dpl; -- cpl = ctxt->ops->cpl(ctxt); - - switch (seg) { - case VCPU_SREG_SS: -@@ -1316,12 +1345,21 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt, - } - load: - ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg); -+ if (desc) -+ *desc = seg_desc; - return X86EMUL_CONTINUE; - exception: - emulate_exception(ctxt, err_vec, err_code, true); - return X86EMUL_PROPAGATE_FAULT; - } - -+static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt, -+ u16 selector, int seg) -+{ -+ u8 cpl = ctxt->ops->cpl(ctxt); -+ return __load_segment_descriptor(ctxt, selector, seg, cpl, NULL); -+} -+ - static void write_register_operand(struct operand *op) - { - /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */ -@@ -1661,17 +1699,31 @@ static int em_iret(struct x86_emulate_ctxt *ctxt) - static int em_jmp_far(struct x86_emulate_ctxt *ctxt) - { - int rc; -- unsigned short sel; -+ unsigned short sel, old_sel; -+ struct desc_struct old_desc, new_desc; -+ const struct x86_emulate_ops *ops = ctxt->ops; -+ u8 cpl = ctxt->ops->cpl(ctxt); -+ -+ /* Assignment of RIP may only fail in 64-bit mode */ -+ if (ctxt->mode == X86EMUL_MODE_PROT64) -+ ops->get_segment(ctxt, &old_sel, &old_desc, NULL, -+ VCPU_SREG_CS); - - memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2); - -- rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS); -+ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, -+ &new_desc); - if (rc != X86EMUL_CONTINUE) - return rc; - -- ctxt->_eip = 0; -- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes); -- return X86EMUL_CONTINUE; -+ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l); -+ if (rc != X86EMUL_CONTINUE) { -+ WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64); -+ /* assigning eip failed; restore the old cs */ -+ ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS); -+ return rc; -+ } -+ return rc; - } - - static int em_grp1a(struct x86_emulate_ctxt *ctxt) -@@ -1770,13 +1822,15 @@ static int em_grp45(struct x86_emulate_ctxt *ctxt) - case 2: /* call near abs */ { - long int old_eip; - old_eip = ctxt->_eip; -- ctxt->_eip = ctxt->src.val; -+ rc = assign_eip_near(ctxt, ctxt->src.val); -+ if (rc != X86EMUL_CONTINUE) -+ break; - ctxt->src.val = old_eip; - rc = em_push(ctxt); - break; - } - case 4: /* jmp abs */ -- ctxt->_eip = ctxt->src.val; -+ rc = assign_eip_near(ctxt, ctxt->src.val); - break; - case 5: /* jmp far */ - rc = em_jmp_far(ctxt); -@@ -1808,30 +1862,47 @@ static int em_grp9(struct x86_emulate_ctxt *ctxt) - - static int em_ret(struct x86_emulate_ctxt *ctxt) - { -- ctxt->dst.type = OP_REG; -- ctxt->dst.addr.reg = &ctxt->_eip; -- ctxt->dst.bytes = ctxt->op_bytes; -- return em_pop(ctxt); -+ int rc; -+ unsigned long eip; -+ -+ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); -+ if (rc != X86EMUL_CONTINUE) -+ return rc; -+ -+ return assign_eip_near(ctxt, eip); - } - - static int em_ret_far(struct x86_emulate_ctxt *ctxt) - { - int rc; -- unsigned long cs; -+ unsigned long eip, cs; -+ u16 old_cs; - int cpl = ctxt->ops->cpl(ctxt); -+ struct desc_struct old_desc, new_desc; -+ const struct x86_emulate_ops *ops = ctxt->ops; - -- rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes); -+ if (ctxt->mode == X86EMUL_MODE_PROT64) -+ ops->get_segment(ctxt, &old_cs, &old_desc, NULL, -+ VCPU_SREG_CS); -+ -+ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); - if (rc != X86EMUL_CONTINUE) - return rc; -- if (ctxt->op_bytes == 4) -- ctxt->_eip = (u32)ctxt->_eip; - rc = emulate_pop(ctxt, &cs, ctxt->op_bytes); - if (rc != X86EMUL_CONTINUE) - return rc; - /* Outer-privilege level return is not implemented */ - if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl) - return X86EMUL_UNHANDLEABLE; -- rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS); -+ rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, 0, -+ &new_desc); -+ if (rc != X86EMUL_CONTINUE) -+ return rc; -+ rc = assign_eip_far(ctxt, eip, new_desc.l); -+ if (rc != X86EMUL_CONTINUE) { -+ WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64); -+ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS); -+ } - return rc; - } - -@@ -2043,7 +2114,7 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) - { - struct x86_emulate_ops *ops = ctxt->ops; - struct desc_struct cs, ss; -- u64 msr_data; -+ u64 msr_data, rcx, rdx; - int usermode; - u16 cs_sel = 0, ss_sel = 0; - -@@ -2059,6 +2130,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) - else - usermode = X86EMUL_MODE_PROT32; - -+ rcx = ctxt->regs[VCPU_REGS_RCX]; -+ rdx = ctxt->regs[VCPU_REGS_RDX]; -+ - cs.dpl = 3; - ss.dpl = 3; - ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); -@@ -2076,6 +2150,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) - ss_sel = cs_sel + 8; - cs.d = 0; - cs.l = 1; -+ if (is_noncanonical_address(rcx) || -+ is_noncanonical_address(rdx)) -+ return emulate_gp(ctxt, 0); - break; - } - cs_sel |= SELECTOR_RPL_MASK; -@@ -2084,8 +2161,8 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) - ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS); - ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); - -- ctxt->_eip = ctxt->regs[VCPU_REGS_RDX]; -- ctxt->regs[VCPU_REGS_RSP] = ctxt->regs[VCPU_REGS_RCX]; -+ ctxt->_eip = rdx; -+ ctxt->regs[VCPU_REGS_RSP] = rcx; - - return X86EMUL_CONTINUE; - } -@@ -2174,6 +2251,7 @@ static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt, - struct tss_segment_16 *tss) - { - int ret; -+ u8 cpl; - - ctxt->_eip = tss->ip; - ctxt->eflags = tss->flag | 2; -@@ -2196,23 +2274,30 @@ static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt, - set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS); - set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS); - -+ cpl = tss->cs & 3; -+ - /* - * Now load segment descriptors. If fault happenes at this stage - * it is handled in a context of new task - */ -- ret = load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR); -+ ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl, -+ NULL); - if (ret != X86EMUL_CONTINUE) - return ret; -- ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES); -+ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, -+ NULL); - if (ret != X86EMUL_CONTINUE) - return ret; -- ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS); -+ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, -+ NULL); - if (ret != X86EMUL_CONTINUE) - return ret; -- ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS); -+ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, -+ NULL); - if (ret != X86EMUL_CONTINUE) - return ret; -- ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS); -+ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, -+ NULL); - if (ret != X86EMUL_CONTINUE) - return ret; - -@@ -2291,6 +2376,7 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt, - struct tss_segment_32 *tss) - { - int ret; -+ u8 cpl; - - if (ctxt->ops->set_cr(ctxt, 3, tss->cr3)) - return emulate_gp(ctxt, 0); -@@ -2307,7 +2393,8 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt, - - /* - * SDM says that segment selectors are loaded before segment -- * descriptors -+ * descriptors. This is important because CPL checks will -+ * use CS.RPL. - */ - set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR); - set_segment_selector(ctxt, tss->es, VCPU_SREG_ES); -@@ -2317,29 +2404,38 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt, - set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS); - set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS); - -+ cpl = tss->cs & 3; -+ - /* - * Now load segment descriptors. If fault happenes at this stage - * it is handled in a context of new task - */ -- ret = load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR); -+ ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR, -+ cpl, NULL); - if (ret != X86EMUL_CONTINUE) - return ret; -- ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES); -+ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, -+ NULL); - if (ret != X86EMUL_CONTINUE) - return ret; -- ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS); -+ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, -+ NULL); - if (ret != X86EMUL_CONTINUE) - return ret; -- ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS); -+ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, -+ NULL); - if (ret != X86EMUL_CONTINUE) - return ret; -- ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS); -+ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, -+ NULL); - if (ret != X86EMUL_CONTINUE) - return ret; -- ret = load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS); -+ ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl, -+ NULL); - if (ret != X86EMUL_CONTINUE) - return ret; -- ret = load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS); -+ ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl, -+ NULL); - if (ret != X86EMUL_CONTINUE) - return ret; - -@@ -2536,39 +2632,67 @@ static int em_das(struct x86_emulate_ctxt *ctxt) - return X86EMUL_CONTINUE; - } - -+static int em_call(struct x86_emulate_ctxt *ctxt) -+{ -+ int rc; -+ long rel = ctxt->src.val; -+ -+ ctxt->src.val = (unsigned long)ctxt->_eip; -+ rc = jmp_rel(ctxt, rel); -+ if (rc != X86EMUL_CONTINUE) -+ return rc; -+ return em_push(ctxt); -+} -+ - static int em_call_far(struct x86_emulate_ctxt *ctxt) - { - u16 sel, old_cs; - ulong old_eip; - int rc; -+ struct desc_struct old_desc, new_desc; -+ const struct x86_emulate_ops *ops = ctxt->ops; -+ int cpl = ctxt->ops->cpl(ctxt); - -- old_cs = get_segment_selector(ctxt, VCPU_SREG_CS); - old_eip = ctxt->_eip; -+ ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS); - - memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2); -- if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS)) -+ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, -+ &new_desc); -+ if (rc != X86EMUL_CONTINUE) - return X86EMUL_CONTINUE; - -- ctxt->_eip = 0; -- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes); -+ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l); -+ if (rc != X86EMUL_CONTINUE) -+ goto fail; - - ctxt->src.val = old_cs; - rc = em_push(ctxt); - if (rc != X86EMUL_CONTINUE) -- return rc; -+ goto fail; - - ctxt->src.val = old_eip; -- return em_push(ctxt); -+ rc = em_push(ctxt); -+ /* If we failed, we tainted the memory, but the very least we should -+ restore cs */ -+ if (rc != X86EMUL_CONTINUE) -+ goto fail; -+ return rc; -+fail: -+ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS); -+ return rc; -+ - } - - static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt) - { - int rc; -+ unsigned long eip; - -- ctxt->dst.type = OP_REG; -- ctxt->dst.addr.reg = &ctxt->_eip; -- ctxt->dst.bytes = ctxt->op_bytes; -- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes); -+ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); -+ if (rc != X86EMUL_CONTINUE) -+ return rc; -+ rc = assign_eip_near(ctxt, eip); - if (rc != X86EMUL_CONTINUE) - return rc; - register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], ctxt->src.val); -@@ -2814,20 +2938,24 @@ static int em_lmsw(struct x86_emulate_ctxt *ctxt) - - static int em_loop(struct x86_emulate_ctxt *ctxt) - { -+ int rc = X86EMUL_CONTINUE; -+ - register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1); - if ((address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) != 0) && - (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags))) -- jmp_rel(ctxt, ctxt->src.val); -+ rc = jmp_rel(ctxt, ctxt->src.val); - -- return X86EMUL_CONTINUE; -+ return rc; - } - - static int em_jcxz(struct x86_emulate_ctxt *ctxt) - { -+ int rc = X86EMUL_CONTINUE; -+ - if (address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) == 0) -- jmp_rel(ctxt, ctxt->src.val); -+ rc = jmp_rel(ctxt, ctxt->src.val); - -- return X86EMUL_CONTINUE; -+ return rc; - } - - static int em_cli(struct x86_emulate_ctxt *ctxt) -@@ -3271,7 +3399,7 @@ static struct opcode opcode_table[256] = { - D2bvIP(SrcImmUByte | DstAcc, in, check_perm_in), - D2bvIP(SrcAcc | DstImmUByte, out, check_perm_out), - /* 0xE8 - 0xEF */ -- D(SrcImm | Stack), D(SrcImm | ImplicitOps), -+ I(SrcImm | Stack, em_call), D(SrcImm | ImplicitOps), - I(SrcImmFAddr | No64, em_jmp_far), D(SrcImmByte | ImplicitOps), - D2bvIP(SrcDX | DstAcc, in, check_perm_in), - D2bvIP(SrcAcc | DstDX, out, check_perm_out), -@@ -3920,7 +4048,7 @@ special_insn: - break; - case 0x70 ... 0x7f: /* jcc (short) */ - if (test_cc(ctxt->b, ctxt->eflags)) -- jmp_rel(ctxt, ctxt->src.val); -+ rc = jmp_rel(ctxt, ctxt->src.val); - break; - case 0x8d: /* lea r16/r32, m */ - ctxt->dst.val = ctxt->src.addr.mem.ea; -@@ -3966,16 +4094,9 @@ special_insn: - case 0xe6: /* outb */ - case 0xe7: /* out */ - goto do_io_out; -- case 0xe8: /* call (near) */ { -- long int rel = ctxt->src.val; -- ctxt->src.val = (unsigned long) ctxt->_eip; -- jmp_rel(ctxt, rel); -- rc = em_push(ctxt); -- break; -- } - case 0xe9: /* jmp rel */ - case 0xeb: /* jmp rel short */ -- jmp_rel(ctxt, ctxt->src.val); -+ rc = jmp_rel(ctxt, ctxt->src.val); - ctxt->dst.type = OP_NONE; /* Disable writeback. */ - break; - case 0xec: /* in al,dx */ -@@ -4141,7 +4262,7 @@ twobyte_insn: - break; - case 0x80 ... 0x8f: /* jnz rel, etc*/ - if (test_cc(ctxt->b, ctxt->eflags)) -- jmp_rel(ctxt, ctxt->src.val); -+ rc = jmp_rel(ctxt, ctxt->src.val); - break; - case 0x90 ... 0x9f: /* setcc r/m8 */ - ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags); -diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c -index 139415e..cced57f 100644 ---- a/arch/x86/kvm/i8254.c -+++ b/arch/x86/kvm/i8254.c -@@ -264,8 +264,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu) - return; - - timer = &pit->pit_state.pit_timer.timer; -+ mutex_lock(&pit->pit_state.lock); - if (hrtimer_cancel(timer)) - hrtimer_start_expires(timer, HRTIMER_MODE_ABS); -+ mutex_unlock(&pit->pit_state.lock); - } - - static void destroy_pit_timer(struct kvm_pit *pit) -diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c -index 2102a17..82f97a5 100644 ---- a/arch/x86/kvm/svm.c -+++ b/arch/x86/kvm/svm.c -@@ -3109,7 +3109,7 @@ static int wrmsr_interception(struct vcpu_svm *svm) - - - svm->next_rip = kvm_rip_read(&svm->vcpu) + 2; -- if (svm_set_msr(&svm->vcpu, ecx, data)) { -+ if (kvm_set_msr(&svm->vcpu, ecx, data)) { - trace_kvm_msr_write_ex(ecx, data); - kvm_inject_gp(&svm->vcpu, 0); - } else { -diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index a4f6bda..578b1c6 100644 ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -390,6 +390,7 @@ struct vcpu_vmx { - u16 fs_sel, gs_sel, ldt_sel; - int gs_ldt_reload_needed; - int fs_reload_needed; -+ unsigned long vmcs_host_cr4; /* May not match real cr4 */ - } host_state; - struct { - int vm86_active; -@@ -3629,16 +3630,21 @@ static void vmx_disable_intercept_for_msr(u32 msr, bool longmode_only) - * Note that host-state that does change is set elsewhere. E.g., host-state - * that is set differently for each CPU is set in vmx_vcpu_load(), not here. - */ --static void vmx_set_constant_host_state(void) -+static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) - { - u32 low32, high32; - unsigned long tmpl; - struct desc_ptr dt; -+ unsigned long cr4; - - vmcs_writel(HOST_CR0, read_cr0() | X86_CR0_TS); /* 22.2.3 */ -- vmcs_writel(HOST_CR4, read_cr4()); /* 22.2.3, 22.2.5 */ - vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */ - -+ /* Save the most likely value for this task's CR4 in the VMCS. */ -+ cr4 = read_cr4(); -+ vmcs_writel(HOST_CR4, cr4); /* 22.2.3, 22.2.5 */ -+ vmx->host_state.vmcs_host_cr4 = cr4; -+ - vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */ - vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS); /* 22.2.4 */ - vmcs_write16(HOST_ES_SELECTOR, __KERNEL_DS); /* 22.2.4 */ -@@ -3760,7 +3766,7 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx) - - vmcs_write16(HOST_FS_SELECTOR, 0); /* 22.2.4 */ - vmcs_write16(HOST_GS_SELECTOR, 0); /* 22.2.4 */ -- vmx_set_constant_host_state(); -+ vmx_set_constant_host_state(vmx); - #ifdef CONFIG_X86_64 - rdmsrl(MSR_FS_BASE, a); - vmcs_writel(HOST_FS_BASE, a); /* 22.2.4 */ -@@ -4544,7 +4550,7 @@ static int handle_wrmsr(struct kvm_vcpu *vcpu) - u64 data = (vcpu->arch.regs[VCPU_REGS_RAX] & -1u) - | ((u64)(vcpu->arch.regs[VCPU_REGS_RDX] & -1u) << 32); - -- if (vmx_set_msr(vcpu, ecx, data) != 0) { -+ if (kvm_set_msr(vcpu, ecx, data) != 0) { - trace_kvm_msr_write_ex(ecx, data); - kvm_inject_gp(vcpu, 0); - return 1; -@@ -5550,6 +5556,18 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu) - return 1; - } - -+static int handle_invept(struct kvm_vcpu *vcpu) -+{ -+ kvm_queue_exception(vcpu, UD_VECTOR); -+ return 1; -+} -+ -+static int handle_invvpid(struct kvm_vcpu *vcpu) -+{ -+ kvm_queue_exception(vcpu, UD_VECTOR); -+ return 1; -+} -+ - /* - * The exit handlers return 1 if the exit was handled fully and guest execution - * may resume. Otherwise they set the kvm_run parameter to indicate what needs -@@ -5591,6 +5609,8 @@ static int (*kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = { - [EXIT_REASON_PAUSE_INSTRUCTION] = handle_pause, - [EXIT_REASON_MWAIT_INSTRUCTION] = handle_invalid_op, - [EXIT_REASON_MONITOR_INSTRUCTION] = handle_invalid_op, -+ [EXIT_REASON_INVEPT] = handle_invept, -+ [EXIT_REASON_INVVPID] = handle_invvpid, - }; - - static const int kvm_vmx_max_exit_handlers = -@@ -5775,6 +5795,7 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu) - case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD: - case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE: - case EXIT_REASON_VMOFF: case EXIT_REASON_VMON: -+ case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID: - /* - * VMX instructions trap unconditionally. This allows L1 to - * emulate them for its L2 guest, i.e., allows 3-level nesting! -@@ -6093,6 +6114,7 @@ static void atomic_switch_perf_msrs(struct vcpu_vmx *vmx) - static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) - { - struct vcpu_vmx *vmx = to_vmx(vcpu); -+ unsigned long cr4; - - if (is_guest_mode(vcpu) && !vmx->nested.nested_run_pending) { - struct vmcs12 *vmcs12 = get_vmcs12(vcpu); -@@ -6123,6 +6145,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) - if (test_bit(VCPU_REGS_RIP, (unsigned long *)&vcpu->arch.regs_dirty)) - vmcs_writel(GUEST_RIP, vcpu->arch.regs[VCPU_REGS_RIP]); - -+ cr4 = read_cr4(); -+ if (unlikely(cr4 != vmx->host_state.vmcs_host_cr4)) { -+ vmcs_writel(HOST_CR4, cr4); -+ vmx->host_state.vmcs_host_cr4 = cr4; -+ } -+ - /* When single-stepping over STI and MOV SS, we must clear the - * corresponding interruptibility bits in the guest state. Otherwise - * vmentry fails as it then expects bit 14 (BS) in pending debug -@@ -6581,7 +6609,7 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12) - * Other fields are different per CPU, and will be set later when - * vmx_vcpu_load() is called, and when vmx_save_host_state() is called. - */ -- vmx_set_constant_host_state(); -+ vmx_set_constant_host_state(vmx); - - /* - * HOST_RSP is normally set correctly in vmx_vcpu_run() just before -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index b9fefaf..2d7d0df 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -893,7 +893,6 @@ void kvm_enable_efer_bits(u64 mask) - } - EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); - -- - /* - * Writes msr value into into the appropriate "register". - * Returns 0 on success, non-0 otherwise. -@@ -901,8 +900,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); - */ - int kvm_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data) - { -+ switch (msr_index) { -+ case MSR_FS_BASE: -+ case MSR_GS_BASE: -+ case MSR_KERNEL_GS_BASE: -+ case MSR_CSTAR: -+ case MSR_LSTAR: -+ if (is_noncanonical_address(data)) -+ return 1; -+ break; -+ case MSR_IA32_SYSENTER_EIP: -+ case MSR_IA32_SYSENTER_ESP: -+ /* -+ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if -+ * non-canonical address is written on Intel but not on -+ * AMD (which ignores the top 32-bits, because it does -+ * not implement 64-bit SYSENTER). -+ * -+ * 64-bit code should hence be able to write a non-canonical -+ * value on AMD. Making the address canonical ensures that -+ * vmentry does not fail on Intel after writing a non-canonical -+ * value, and that something deterministic happens if the guest -+ * invokes 64-bit SYSENTER. -+ */ -+ data = get_canonical(data); -+ } - return kvm_x86_ops->set_msr(vcpu, msr_index, data); - } -+EXPORT_SYMBOL_GPL(kvm_set_msr); - - /* - * Adapt set_msr() to msr_io()'s calling convention -diff --git a/block/genhd.c b/block/genhd.c -index 8bd4ef2..41b0435 100644 ---- a/block/genhd.c -+++ b/block/genhd.c -@@ -28,10 +28,10 @@ struct kobject *block_depr; - /* for extended dynamic devt allocation, currently only one major is used */ - #define NR_EXT_DEVT (1 << MINORBITS) - --/* For extended devt allocation. ext_devt_mutex prevents look up -+/* For extended devt allocation. ext_devt_lock prevents look up - * results from going away underneath its user. - */ --static DEFINE_MUTEX(ext_devt_mutex); -+static DEFINE_SPINLOCK(ext_devt_lock); - static DEFINE_IDR(ext_devt_idr); - - static struct device_type disk_type; -@@ -421,13 +421,13 @@ int blk_alloc_devt(struct hd_struct *part, dev_t *devt) - do { - if (!idr_pre_get(&ext_devt_idr, GFP_KERNEL)) - return -ENOMEM; -- mutex_lock(&ext_devt_mutex); -+ spin_lock(&ext_devt_lock); - rc = idr_get_new(&ext_devt_idr, part, &idx); - if (!rc && idx >= NR_EXT_DEVT) { - idr_remove(&ext_devt_idr, idx); - rc = -EBUSY; - } -- mutex_unlock(&ext_devt_mutex); -+ spin_unlock(&ext_devt_lock); - } while (rc == -EAGAIN); - - if (rc) -@@ -448,15 +448,13 @@ int blk_alloc_devt(struct hd_struct *part, dev_t *devt) - */ - void blk_free_devt(dev_t devt) - { -- might_sleep(); -- - if (devt == MKDEV(0, 0)) - return; - - if (MAJOR(devt) == BLOCK_EXT_MAJOR) { -- mutex_lock(&ext_devt_mutex); -+ spin_lock(&ext_devt_lock); - idr_remove(&ext_devt_idr, blk_mangle_minor(MINOR(devt))); -- mutex_unlock(&ext_devt_mutex); -+ spin_unlock(&ext_devt_lock); - } - } - -@@ -663,7 +661,6 @@ void del_gendisk(struct gendisk *disk) - if (!sysfs_deprecated) - sysfs_remove_link(block_depr, dev_name(disk_to_dev(disk))); - device_del(disk_to_dev(disk)); -- blk_free_devt(disk_to_dev(disk)->devt); - } - EXPORT_SYMBOL(del_gendisk); - -@@ -688,13 +685,13 @@ struct gendisk *get_gendisk(dev_t devt, int *partno) - } else { - struct hd_struct *part; - -- mutex_lock(&ext_devt_mutex); -+ spin_lock(&ext_devt_lock); - part = idr_find(&ext_devt_idr, blk_mangle_minor(MINOR(devt))); - if (part && get_disk(part_to_disk(part))) { - *partno = part->partno; - disk = part_to_disk(part); - } -- mutex_unlock(&ext_devt_mutex); -+ spin_unlock(&ext_devt_lock); - } - - return disk; -@@ -1102,6 +1099,7 @@ static void disk_release(struct device *dev) - { - struct gendisk *disk = dev_to_disk(dev); - -+ blk_free_devt(dev->devt); - disk_release_events(disk); - kfree(disk->random); - disk_replace_part_tbl(disk, NULL); -diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c -index de0791c..388ba10 100644 ---- a/drivers/acpi/processor_idle.c -+++ b/drivers/acpi/processor_idle.c -@@ -1165,9 +1165,9 @@ int acpi_processor_cst_has_changed(struct acpi_processor *pr) - if (smp_processor_id() == 0 && - cpuidle_get_driver() == &acpi_idle_driver) { - -- cpuidle_pause_and_lock(); - /* Protect against cpu-hotplug */ - get_online_cpus(); -+ cpuidle_pause_and_lock(); - - /* Disable all cpuidle devices */ - for_each_online_cpu(cpu) { -@@ -1192,8 +1192,8 @@ int acpi_processor_cst_has_changed(struct acpi_processor *pr) - cpuidle_enable_device(&_pr->power.dev); - } - } -- put_online_cpus(); - cpuidle_resume_and_unlock(); -+ put_online_cpus(); - } - - return 0; -diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c -index 43b0acf..4007f62 100644 ---- a/drivers/ata/ahci.c -+++ b/drivers/ata/ahci.c -@@ -315,6 +315,14 @@ static const struct pci_device_id ahci_pci_tbl[] = { - { PCI_VDEVICE(INTEL, 0x9c85), board_ahci }, /* Wildcat Point-LP RAID */ - { PCI_VDEVICE(INTEL, 0x9c87), board_ahci }, /* Wildcat Point-LP RAID */ - { PCI_VDEVICE(INTEL, 0x9c8f), board_ahci }, /* Wildcat Point-LP RAID */ -+ { PCI_VDEVICE(INTEL, 0x8c82), board_ahci }, /* 9 Series AHCI */ -+ { PCI_VDEVICE(INTEL, 0x8c83), board_ahci }, /* 9 Series AHCI */ -+ { PCI_VDEVICE(INTEL, 0x8c84), board_ahci }, /* 9 Series RAID */ -+ { PCI_VDEVICE(INTEL, 0x8c85), board_ahci }, /* 9 Series RAID */ -+ { PCI_VDEVICE(INTEL, 0x8c86), board_ahci }, /* 9 Series RAID */ -+ { PCI_VDEVICE(INTEL, 0x8c87), board_ahci }, /* 9 Series RAID */ -+ { PCI_VDEVICE(INTEL, 0x8c8e), board_ahci }, /* 9 Series RAID */ -+ { PCI_VDEVICE(INTEL, 0x8c8f), board_ahci }, /* 9 Series RAID */ - - /* JMicron 360/1/3/5/6, match class to avoid IDE function */ - { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, -@@ -449,6 +457,8 @@ static const struct pci_device_id ahci_pci_tbl[] = { - { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x917a), - .driver_data = board_ahci_yes_fbs }, /* 88se9172 */ - { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9172), -+ .driver_data = board_ahci_yes_fbs }, /* 88se9182 */ -+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9182), - .driver_data = board_ahci_yes_fbs }, /* 88se9172 */ - { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9192), - .driver_data = board_ahci_yes_fbs }, /* 88se9172 on some Gigabyte */ -diff --git a/drivers/ata/ata_piix.c b/drivers/ata/ata_piix.c -index 5b0b5f7..b1e8e11 100644 ---- a/drivers/ata/ata_piix.c -+++ b/drivers/ata/ata_piix.c -@@ -362,6 +362,14 @@ static const struct pci_device_id piix_pci_tbl[] = { - { 0x8086, 0x0F21, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_byt }, - /* SATA Controller IDE (Coleto Creek) */ - { 0x8086, 0x23a6, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata }, -+ /* SATA Controller IDE (9 Series) */ -+ { 0x8086, 0x8c88, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_snb }, -+ /* SATA Controller IDE (9 Series) */ -+ { 0x8086, 0x8c89, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_snb }, -+ /* SATA Controller IDE (9 Series) */ -+ { 0x8086, 0x8c80, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb }, -+ /* SATA Controller IDE (9 Series) */ -+ { 0x8086, 0x8c81, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb }, - - { } /* terminate list */ - }; -diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c -index bf441db..ea78bc46 100644 ---- a/drivers/base/regmap/regmap.c -+++ b/drivers/base/regmap/regmap.c -@@ -36,6 +36,9 @@ bool regmap_readable(struct regmap *map, unsigned int reg) - if (map->max_register && reg > map->max_register) - return false; - -+ if (map->format.format_write) -+ return false; -+ - if (map->readable_reg) - return map->readable_reg(map->dev, reg); - -@@ -44,7 +47,7 @@ bool regmap_readable(struct regmap *map, unsigned int reg) - - bool regmap_volatile(struct regmap *map, unsigned int reg) - { -- if (map->max_register && reg > map->max_register) -+ if (!map->format.format_write && !regmap_readable(map, reg)) - return false; - - if (map->volatile_reg) -@@ -55,7 +58,7 @@ bool regmap_volatile(struct regmap *map, unsigned int reg) - - bool regmap_precious(struct regmap *map, unsigned int reg) - { -- if (map->max_register && reg > map->max_register) -+ if (!regmap_readable(map, reg)) - return false; - - if (map->precious_reg) -diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c -index 0016fee..96d5cfc 100644 ---- a/drivers/gpu/drm/i915/intel_bios.c -+++ b/drivers/gpu/drm/i915/intel_bios.c -@@ -651,7 +651,7 @@ init_vbt_defaults(struct drm_i915_private *dev_priv) - DRM_DEBUG_KMS("Set default to SSC at %dMHz\n", dev_priv->lvds_ssc_freq); - } - --static int __init intel_no_opregion_vbt_callback(const struct dmi_system_id *id) -+static int intel_no_opregion_vbt_callback(const struct dmi_system_id *id) - { - DRM_DEBUG_KMS("Falling back to manually reading VBT from " - "VBIOS ROM for %s\n", -diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c -index 74d312f..fadd021 100644 ---- a/drivers/gpu/drm/i915/intel_lvds.c -+++ b/drivers/gpu/drm/i915/intel_lvds.c -@@ -613,7 +613,7 @@ static const struct drm_encoder_funcs intel_lvds_enc_funcs = { - .destroy = intel_encoder_destroy, - }; - --static int __init intel_no_lvds_dmi_callback(const struct dmi_system_id *id) -+static int intel_no_lvds_dmi_callback(const struct dmi_system_id *id) - { - DRM_DEBUG_KMS("Skipping LVDS initialization for %s\n", id->ident); - return 1; -diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c -index 6d9c32b..24e9756 100644 ---- a/drivers/gpu/drm/radeon/radeon_atombios.c -+++ b/drivers/gpu/drm/radeon/radeon_atombios.c -@@ -457,6 +457,13 @@ static bool radeon_atom_apply_quirks(struct drm_device *dev, - } - } - -+ /* Fujitsu D3003-S2 board lists DVI-I as DVI-I and VGA */ -+ if ((dev->pdev->device == 0x9805) && -+ (dev->pdev->subsystem_vendor == 0x1734) && -+ (dev->pdev->subsystem_device == 0x11bd)) { -+ if (*connector_type == DRM_MODE_CONNECTOR_VGA) -+ return false; -+ } - - return true; - } -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c -index a0c2f12..decca82 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c -@@ -163,8 +163,9 @@ void vmw_fifo_release(struct vmw_private *dev_priv, struct vmw_fifo_state *fifo) - - mutex_lock(&dev_priv->hw_mutex); - -+ vmw_write(dev_priv, SVGA_REG_SYNC, SVGA_SYNC_GENERIC); - while (vmw_read(dev_priv, SVGA_REG_BUSY) != 0) -- vmw_write(dev_priv, SVGA_REG_SYNC, SVGA_SYNC_GENERIC); -+ ; - - dev_priv->last_read_seqno = ioread32(fifo_mem + SVGA_FIFO_FENCE); - -diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c -index 70423dc..2d5bb5b 100644 ---- a/drivers/input/mouse/elantech.c -+++ b/drivers/input/mouse/elantech.c -@@ -1130,6 +1130,13 @@ static bool elantech_is_signature_valid(const unsigned char *param) - if (param[1] == 0) - return true; - -+ /* -+ * Some models have a revision higher then 20. Meaning param[2] may -+ * be 10 or 20, skip the rates check for these. -+ */ -+ if (param[0] == 0x46 && (param[1] & 0xef) == 0x0f && param[2] < 40) -+ return true; -+ - for (i = 0; i < ARRAY_SIZE(rates); i++) - if (param[2] == rates[i]) - return false; -diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c -index df8b72b..a50e121 100644 ---- a/drivers/input/mouse/synaptics.c -+++ b/drivers/input/mouse/synaptics.c -@@ -506,10 +506,61 @@ static int synaptics_parse_hw_state(const unsigned char buf[], - ((buf[0] & 0x04) >> 1) | - ((buf[3] & 0x04) >> 2)); - -+ if ((SYN_CAP_ADV_GESTURE(priv->ext_cap_0c) || -+ SYN_CAP_IMAGE_SENSOR(priv->ext_cap_0c)) && -+ hw->w == 2) { -+ synaptics_parse_agm(buf, priv, hw); -+ return 1; -+ } -+ -+ hw->x = (((buf[3] & 0x10) << 8) | -+ ((buf[1] & 0x0f) << 8) | -+ buf[4]); -+ hw->y = (((buf[3] & 0x20) << 7) | -+ ((buf[1] & 0xf0) << 4) | -+ buf[5]); -+ hw->z = buf[2]; -+ - hw->left = (buf[0] & 0x01) ? 1 : 0; - hw->right = (buf[0] & 0x02) ? 1 : 0; - -- if (SYN_CAP_CLICKPAD(priv->ext_cap_0c)) { -+ if (SYN_CAP_FORCEPAD(priv->ext_cap_0c)) { -+ /* -+ * ForcePads, like Clickpads, use middle button -+ * bits to report primary button clicks. -+ * Unfortunately they report primary button not -+ * only when user presses on the pad above certain -+ * threshold, but also when there are more than one -+ * finger on the touchpad, which interferes with -+ * out multi-finger gestures. -+ */ -+ if (hw->z == 0) { -+ /* No contacts */ -+ priv->press = priv->report_press = false; -+ } else if (hw->w >= 4 && ((buf[0] ^ buf[3]) & 0x01)) { -+ /* -+ * Single-finger touch with pressure above -+ * the threshold. If pressure stays long -+ * enough, we'll start reporting primary -+ * button. We rely on the device continuing -+ * sending data even if finger does not -+ * move. -+ */ -+ if (!priv->press) { -+ priv->press_start = jiffies; -+ priv->press = true; -+ } else if (time_after(jiffies, -+ priv->press_start + -+ msecs_to_jiffies(50))) { -+ priv->report_press = true; -+ } -+ } else { -+ priv->press = false; -+ } -+ -+ hw->left = priv->report_press; -+ -+ } else if (SYN_CAP_CLICKPAD(priv->ext_cap_0c)) { - /* - * Clickpad's button is transmitted as middle button, - * however, since it is primary button, we will report -@@ -528,21 +579,6 @@ static int synaptics_parse_hw_state(const unsigned char buf[], - hw->down = ((buf[0] ^ buf[3]) & 0x02) ? 1 : 0; - } - -- if ((SYN_CAP_ADV_GESTURE(priv->ext_cap_0c) || -- SYN_CAP_IMAGE_SENSOR(priv->ext_cap_0c)) && -- hw->w == 2) { -- synaptics_parse_agm(buf, priv, hw); -- return 1; -- } -- -- hw->x = (((buf[3] & 0x10) << 8) | -- ((buf[1] & 0x0f) << 8) | -- buf[4]); -- hw->y = (((buf[3] & 0x20) << 7) | -- ((buf[1] & 0xf0) << 4) | -- buf[5]); -- hw->z = buf[2]; -- - if (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) && - ((buf[0] ^ buf[3]) & 0x02)) { - switch (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) & ~0x01) { -diff --git a/drivers/input/mouse/synaptics.h b/drivers/input/mouse/synaptics.h -index 622aea8..908d167 100644 ---- a/drivers/input/mouse/synaptics.h -+++ b/drivers/input/mouse/synaptics.h -@@ -77,6 +77,11 @@ - * 2 0x08 image sensor image sensor tracks 5 fingers, but only - * reports 2. - * 2 0x20 report min query 0x0f gives min coord reported -+ * 2 0x80 forcepad forcepad is a variant of clickpad that -+ * does not have physical buttons but rather -+ * uses pressure above certain threshold to -+ * report primary clicks. Forcepads also have -+ * clickpad bit set. - */ - #define SYN_CAP_CLICKPAD(ex0c) ((ex0c) & 0x100000) /* 1-button ClickPad */ - #define SYN_CAP_CLICKPAD2BTN(ex0c) ((ex0c) & 0x000100) /* 2-button ClickPad */ -@@ -85,6 +90,7 @@ - #define SYN_CAP_ADV_GESTURE(ex0c) ((ex0c) & 0x080000) - #define SYN_CAP_REDUCED_FILTERING(ex0c) ((ex0c) & 0x000400) - #define SYN_CAP_IMAGE_SENSOR(ex0c) ((ex0c) & 0x000800) -+#define SYN_CAP_FORCEPAD(ex0c) ((ex0c) & 0x008000) - - /* synaptics modes query bits */ - #define SYN_MODE_ABSOLUTE(m) ((m) & (1 << 7)) -@@ -170,6 +176,11 @@ struct synaptics_data { - */ - struct synaptics_hw_state agm; - bool agm_pending; /* new AGM packet received */ -+ -+ /* ForcePad handling */ -+ unsigned long press_start; -+ bool press; -+ bool report_press; - }; - - void synaptics_module_init(void); -diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h -index 031270c..bab8238 100644 ---- a/drivers/input/serio/i8042-x86ia64io.h -+++ b/drivers/input/serio/i8042-x86ia64io.h -@@ -458,6 +458,13 @@ static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = { - DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv4 Notebook PC"), - }, - }, -+ { -+ /* Avatar AVIU-145A6 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Intel"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "IC4I"), -+ }, -+ }, - { } - }; - -@@ -594,6 +601,14 @@ static const struct dmi_system_id __initconst i8042_dmi_notimeout_table[] = { - DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv4 Notebook PC"), - }, - }, -+ { -+ /* Fujitsu U574 laptop */ -+ /* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U574"), -+ }, -+ }, - { } - }; - -diff --git a/drivers/input/serio/serport.c b/drivers/input/serio/serport.c -index 8755f5f..e4ecf3b 100644 ---- a/drivers/input/serio/serport.c -+++ b/drivers/input/serio/serport.c -@@ -21,6 +21,7 @@ - #include <linux/init.h> - #include <linux/serio.h> - #include <linux/tty.h> -+#include <linux/compat.h> - - MODULE_AUTHOR("Vojtech Pavlik <vojtech@ucw.cz>"); - MODULE_DESCRIPTION("Input device TTY line discipline"); -@@ -196,28 +197,55 @@ static ssize_t serport_ldisc_read(struct tty_struct * tty, struct file * file, u - return 0; - } - -+static void serport_set_type(struct tty_struct *tty, unsigned long type) -+{ -+ struct serport *serport = tty->disc_data; -+ -+ serport->id.proto = type & 0x000000ff; -+ serport->id.id = (type & 0x0000ff00) >> 8; -+ serport->id.extra = (type & 0x00ff0000) >> 16; -+} -+ - /* - * serport_ldisc_ioctl() allows to set the port protocol, and device ID - */ - --static int serport_ldisc_ioctl(struct tty_struct * tty, struct file * file, unsigned int cmd, unsigned long arg) -+static int serport_ldisc_ioctl(struct tty_struct *tty, struct file *file, -+ unsigned int cmd, unsigned long arg) - { -- struct serport *serport = (struct serport*) tty->disc_data; -- unsigned long type; -- - if (cmd == SPIOCSTYPE) { -+ unsigned long type; -+ - if (get_user(type, (unsigned long __user *) arg)) - return -EFAULT; - -- serport->id.proto = type & 0x000000ff; -- serport->id.id = (type & 0x0000ff00) >> 8; -- serport->id.extra = (type & 0x00ff0000) >> 16; -+ serport_set_type(tty, type); -+ return 0; -+ } -+ -+ return -EINVAL; -+} -+ -+#ifdef CONFIG_COMPAT -+#define COMPAT_SPIOCSTYPE _IOW('q', 0x01, compat_ulong_t) -+static long serport_ldisc_compat_ioctl(struct tty_struct *tty, -+ struct file *file, -+ unsigned int cmd, unsigned long arg) -+{ -+ if (cmd == COMPAT_SPIOCSTYPE) { -+ void __user *uarg = compat_ptr(arg); -+ compat_ulong_t compat_type; -+ -+ if (get_user(compat_type, (compat_ulong_t __user *)uarg)) -+ return -EFAULT; - -+ serport_set_type(tty, compat_type); - return 0; - } - - return -EINVAL; - } -+#endif - - static void serport_ldisc_write_wakeup(struct tty_struct * tty) - { -@@ -241,6 +269,9 @@ static struct tty_ldisc_ops serport_ldisc = { - .close = serport_ldisc_close, - .read = serport_ldisc_read, - .ioctl = serport_ldisc_ioctl, -+#ifdef CONFIG_COMPAT -+ .compat_ioctl = serport_ldisc_compat_ioctl, -+#endif - .receive_buf = serport_ldisc_receive, - .write_wakeup = serport_ldisc_write_wakeup - }; -diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c -index aa142f9..4878d91 100644 ---- a/drivers/md/dm-crypt.c -+++ b/drivers/md/dm-crypt.c -@@ -1565,6 +1565,7 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv) - unsigned int key_size, opt_params; - unsigned long long tmpll; - int ret; -+ size_t iv_size_padding; - struct dm_arg_set as; - const char *opt_string; - -@@ -1600,12 +1601,23 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv) - - cc->dmreq_start = sizeof(struct ablkcipher_request); - cc->dmreq_start += crypto_ablkcipher_reqsize(any_tfm(cc)); -- cc->dmreq_start = ALIGN(cc->dmreq_start, crypto_tfm_ctx_alignment()); -- cc->dmreq_start += crypto_ablkcipher_alignmask(any_tfm(cc)) & -- ~(crypto_tfm_ctx_alignment() - 1); -+ cc->dmreq_start = ALIGN(cc->dmreq_start, __alignof__(struct dm_crypt_request)); -+ -+ if (crypto_ablkcipher_alignmask(any_tfm(cc)) < CRYPTO_MINALIGN) { -+ /* Allocate the padding exactly */ -+ iv_size_padding = -(cc->dmreq_start + sizeof(struct dm_crypt_request)) -+ & crypto_ablkcipher_alignmask(any_tfm(cc)); -+ } else { -+ /* -+ * If the cipher requires greater alignment than kmalloc -+ * alignment, we don't know the exact position of the -+ * initialization vector. We must assume worst case. -+ */ -+ iv_size_padding = crypto_ablkcipher_alignmask(any_tfm(cc)); -+ } - - cc->req_pool = mempool_create_kmalloc_pool(MIN_IOS, cc->dmreq_start + -- sizeof(struct dm_crypt_request) + cc->iv_size); -+ sizeof(struct dm_crypt_request) + iv_size_padding + cc->iv_size); - if (!cc->req_pool) { - ti->error = "Cannot allocate crypt request mempool"; - goto bad; -diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c -index 044ea06..ab411c3 100644 ---- a/drivers/net/can/at91_can.c -+++ b/drivers/net/can/at91_can.c -@@ -1115,7 +1115,9 @@ static int at91_open(struct net_device *dev) - struct at91_priv *priv = netdev_priv(dev); - int err; - -- clk_enable(priv->clk); -+ err = clk_prepare_enable(priv->clk); -+ if (err) -+ return err; - - /* check or determine and set bittime */ - err = open_candev(dev); -@@ -1139,7 +1141,7 @@ static int at91_open(struct net_device *dev) - out_close: - close_candev(dev); - out: -- clk_disable(priv->clk); -+ clk_disable_unprepare(priv->clk); - - return err; - } -@@ -1156,7 +1158,7 @@ static int at91_close(struct net_device *dev) - at91_chip_stop(dev, CAN_STATE_STOPPED); - - free_irq(dev->irq, dev); -- clk_disable(priv->clk); -+ clk_disable_unprepare(priv->clk); - - close_candev(dev); - -diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c -index 7c6bb5a..b1f354f 100644 ---- a/drivers/net/can/flexcan.c -+++ b/drivers/net/can/flexcan.c -@@ -120,7 +120,9 @@ - (FLEXCAN_ESR_ERR_BUS | FLEXCAN_ESR_ERR_STATE) - - /* FLEXCAN interrupt flag register (IFLAG) bits */ --#define FLEXCAN_TX_BUF_ID 8 -+/* Errata ERR005829 step7: Reserve first valid MB */ -+#define FLEXCAN_TX_BUF_RESERVED 8 -+#define FLEXCAN_TX_BUF_ID 9 - #define FLEXCAN_IFLAG_BUF(x) BIT(x) - #define FLEXCAN_IFLAG_RX_FIFO_OVERFLOW BIT(7) - #define FLEXCAN_IFLAG_RX_FIFO_WARN BIT(6) -@@ -131,6 +133,17 @@ - - /* FLEXCAN message buffers */ - #define FLEXCAN_MB_CNT_CODE(x) (((x) & 0xf) << 24) -+#define FLEXCAN_MB_CODE_RX_INACTIVE (0x0 << 24) -+#define FLEXCAN_MB_CODE_RX_EMPTY (0x4 << 24) -+#define FLEXCAN_MB_CODE_RX_FULL (0x2 << 24) -+#define FLEXCAN_MB_CODE_RX_OVERRRUN (0x6 << 24) -+#define FLEXCAN_MB_CODE_RX_RANSWER (0xa << 24) -+ -+#define FLEXCAN_MB_CODE_TX_INACTIVE (0x8 << 24) -+#define FLEXCAN_MB_CODE_TX_ABORT (0x9 << 24) -+#define FLEXCAN_MB_CODE_TX_DATA (0xc << 24) -+#define FLEXCAN_MB_CODE_TX_TANSWER (0xe << 24) -+ - #define FLEXCAN_MB_CNT_SRR BIT(22) - #define FLEXCAN_MB_CNT_IDE BIT(21) - #define FLEXCAN_MB_CNT_RTR BIT(20) -@@ -302,6 +315,14 @@ static int flexcan_start_xmit(struct sk_buff *skb, struct net_device *dev) - flexcan_write(can_id, ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_id); - flexcan_write(ctrl, ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl); - -+ /* Errata ERR005829 step8: -+ * Write twice INACTIVE(0x8) code to first MB. -+ */ -+ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE, -+ ®s->cantxfg[FLEXCAN_TX_BUF_RESERVED].can_ctrl); -+ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE, -+ ®s->cantxfg[FLEXCAN_TX_BUF_RESERVED].can_ctrl); -+ - kfree_skb(skb); - - /* tx_packets is incremented in flexcan_irq */ -@@ -611,6 +632,9 @@ static irqreturn_t flexcan_irq(int irq, void *dev_id) - if (reg_iflag1 & (1 << FLEXCAN_TX_BUF_ID)) { - /* tx_bytes is incremented in flexcan_start_xmit */ - stats->tx_packets++; -+ /* after sending a RTR frame mailbox is in RX mode */ -+ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE, -+ ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl); - flexcan_write((1 << FLEXCAN_TX_BUF_ID), ®s->iflag1); - netif_wake_queue(dev); - } -@@ -668,6 +692,7 @@ static int flexcan_chip_start(struct net_device *dev) - struct flexcan_regs __iomem *regs = priv->base; - int err; - u32 reg_mcr, reg_ctrl; -+ int i; - - /* enable module */ - flexcan_chip_enable(priv); -@@ -733,8 +758,18 @@ static int flexcan_chip_start(struct net_device *dev) - dev_dbg(dev->dev.parent, "%s: writing ctrl=0x%08x", __func__, reg_ctrl); - flexcan_write(reg_ctrl, ®s->ctrl); - -- /* Abort any pending TX, mark Mailbox as INACTIVE */ -- flexcan_write(FLEXCAN_MB_CNT_CODE(0x4), -+ /* clear and invalidate all mailboxes first */ -+ for (i = FLEXCAN_TX_BUF_ID; i < ARRAY_SIZE(regs->cantxfg); i++) { -+ flexcan_write(FLEXCAN_MB_CODE_RX_INACTIVE, -+ ®s->cantxfg[i].can_ctrl); -+ } -+ -+ /* Errata ERR005829: mark first TX mailbox as INACTIVE */ -+ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE, -+ ®s->cantxfg[FLEXCAN_TX_BUF_RESERVED].can_ctrl); -+ -+ /* mark TX mailbox as INACTIVE */ -+ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE, - ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl); - - /* acceptance mask/acceptance code (accept everything) */ -diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c -index d696536..d552fa3 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c -+++ b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c -@@ -440,6 +440,14 @@ int iwlagn_commit_rxon(struct iwl_priv *priv, struct iwl_rxon_context *ctx) - /* always get timestamp with Rx frame */ - ctx->staging.flags |= RXON_FLG_TSF2HOST_MSK; - -+ /* -+ * force CTS-to-self frames protection if RTS-CTS is not preferred -+ * one aggregation protection method -+ */ -+ if (!(priv->cfg->ht_params && -+ priv->cfg->ht_params->use_rts_for_aggregation)) -+ ctx->staging.flags |= RXON_FLG_SELF_CTS_EN; -+ - if ((ctx->vif && ctx->vif->bss_conf.use_short_slot) || - !(ctx->staging.flags & RXON_FLG_BAND_24G_MSK)) - ctx->staging.flags |= RXON_FLG_SHORT_SLOT_MSK; -@@ -872,6 +880,11 @@ void iwlagn_bss_info_changed(struct ieee80211_hw *hw, - else - ctx->staging.flags &= ~RXON_FLG_TGG_PROTECT_MSK; - -+ if (bss_conf->use_cts_prot) -+ ctx->staging.flags |= RXON_FLG_SELF_CTS_EN; -+ else -+ ctx->staging.flags &= ~RXON_FLG_SELF_CTS_EN; -+ - memcpy(ctx->staging.bssid_addr, bss_conf->bssid, ETH_ALEN); - - if (vif->type == NL80211_IFTYPE_AP || -diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c -index c184253..1644b1f 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c -@@ -316,6 +316,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = { - {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/ - {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/ - {RTL_USB_DEVICE(0x0df6, 0x005c, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/ -+ {RTL_USB_DEVICE(0x0df6, 0x0070, rtl92cu_hal_cfg)}, /*Sitecom - 150N */ - {RTL_USB_DEVICE(0x0df6, 0x0077, rtl92cu_hal_cfg)}, /*Sitecom-WLA2100V2*/ - {RTL_USB_DEVICE(0x0eb0, 0x9071, rtl92cu_hal_cfg)}, /*NO Brand - Etop*/ - {RTL_USB_DEVICE(0x4856, 0x0091, rtl92cu_hal_cfg)}, /*NetweeN - Feixun*/ -diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c -index 143bbe4..2794a30 100644 ---- a/drivers/scsi/libiscsi.c -+++ b/drivers/scsi/libiscsi.c -@@ -718,11 +718,21 @@ __iscsi_conn_send_pdu(struct iscsi_conn *conn, struct iscsi_hdr *hdr, - return NULL; - } - -+ if (data_size > ISCSI_DEF_MAX_RECV_SEG_LEN) { -+ iscsi_conn_printk(KERN_ERR, conn, "Invalid buffer len of %u for login task. Max len is %u\n", data_size, ISCSI_DEF_MAX_RECV_SEG_LEN); -+ return NULL; -+ } -+ - task = conn->login_task; - } else { - if (session->state != ISCSI_STATE_LOGGED_IN) - return NULL; - -+ if (data_size != 0) { -+ iscsi_conn_printk(KERN_ERR, conn, "Can not send data buffer of len %u for op 0x%x\n", data_size, opcode); -+ return NULL; -+ } -+ - BUG_ON(conn->c_stage == ISCSI_CONN_INITIAL_STAGE); - BUG_ON(conn->c_stage == ISCSI_CONN_STOPPED); - -diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c -index ab5dd16..ae4e7da 100644 ---- a/drivers/target/iscsi/iscsi_target.c -+++ b/drivers/target/iscsi/iscsi_target.c -@@ -4306,6 +4306,7 @@ static void iscsit_logout_post_handler_diffcid( - { - struct iscsi_conn *l_conn; - struct iscsi_session *sess = conn->sess; -+ bool conn_found = false; - - if (!sess) - return; -@@ -4314,12 +4315,13 @@ static void iscsit_logout_post_handler_diffcid( - list_for_each_entry(l_conn, &sess->sess_conn_list, conn_list) { - if (l_conn->cid == cid) { - iscsit_inc_conn_usage_count(l_conn); -+ conn_found = true; - break; - } - } - spin_unlock_bh(&sess->conn_lock); - -- if (!l_conn) -+ if (!conn_found) - return; - - if (l_conn->sock) -diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c -index db313ba..e5f5bff 100644 ---- a/drivers/target/iscsi/iscsi_target_parameters.c -+++ b/drivers/target/iscsi/iscsi_target_parameters.c -@@ -552,7 +552,7 @@ int iscsi_copy_param_list( - param_list = kzalloc(sizeof(struct iscsi_param_list), GFP_KERNEL); - if (!param_list) { - pr_err("Unable to allocate memory for struct iscsi_param_list.\n"); -- goto err_out; -+ return -1; - } - INIT_LIST_HEAD(¶m_list->param_list); - INIT_LIST_HEAD(¶m_list->extra_response_list); -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index f08732b..10aec1a 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -3651,9 +3651,10 @@ static void hub_events(void) - - hub = list_entry(tmp, struct usb_hub, event_list); - kref_get(&hub->kref); -+ hdev = hub->hdev; -+ usb_get_dev(hdev); - spin_unlock_irq(&hub_event_lock); - -- hdev = hub->hdev; - hub_dev = hub->intfdev; - intf = to_usb_interface(hub_dev); - dev_dbg(hub_dev, "state %d ports %d chg %04x evt %04x\n", -@@ -3888,6 +3889,7 @@ static void hub_events(void) - usb_autopm_put_interface(intf); - loop_disconnected: - usb_unlock_device(hdev); -+ usb_put_dev(hdev); - kref_put(&hub->kref, hub_release); - - } /* end while (1) */ -diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c -index 600d823..3d9b57e 100644 ---- a/drivers/usb/dwc3/core.c -+++ b/drivers/usb/dwc3/core.c -@@ -427,9 +427,6 @@ static int __devexit dwc3_remove(struct platform_device *pdev) - - res = platform_get_resource(pdev, IORESOURCE_MEM, 0); - -- pm_runtime_put(&pdev->dev); -- pm_runtime_disable(&pdev->dev); -- - dwc3_debugfs_exit(dwc); - - if (features & DWC3_HAS_PERIPHERAL) -@@ -440,6 +437,9 @@ static int __devexit dwc3_remove(struct platform_device *pdev) - iounmap(dwc->regs); - kfree(dwc->mem); - -+ pm_runtime_put_sync(&pdev->dev); -+ pm_runtime_disable(&pdev->dev); -+ - return 0; - } - -diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c -index 517cadb..a3b569f 100644 ---- a/drivers/usb/host/xhci-hub.c -+++ b/drivers/usb/host/xhci-hub.c -@@ -440,7 +440,8 @@ void xhci_test_and_clear_bit(struct xhci_hcd *xhci, __le32 __iomem **port_array, - } - - /* Updates Link Status for super Speed port */ --static void xhci_hub_report_link_state(u32 *status, u32 status_reg) -+static void xhci_hub_report_link_state(struct xhci_hcd *xhci, -+ u32 *status, u32 status_reg) - { - u32 pls = status_reg & PORT_PLS_MASK; - -@@ -479,7 +480,8 @@ static void xhci_hub_report_link_state(u32 *status, u32 status_reg) - * in which sometimes the port enters compliance mode - * caused by a delay on the host-device negotiation. - */ -- if (pls == USB_SS_PORT_LS_COMP_MOD) -+ if ((xhci->quirks & XHCI_COMP_MODE_QUIRK) && -+ (pls == USB_SS_PORT_LS_COMP_MOD)) - pls |= USB_PORT_STAT_CONNECTION; - } - -@@ -655,7 +657,7 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, - } - /* Update Port Link State for super speed ports*/ - if (hcd->speed == HCD_USB3) { -- xhci_hub_report_link_state(&status, temp); -+ xhci_hub_report_link_state(xhci, &status, temp); - /* - * Verify if all USB3 Ports Have entered U0 already. - * Delete Compliance Mode Timer if so. -diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c -index 74922b9..0f4a41d 100644 ---- a/drivers/usb/host/xhci-mem.c -+++ b/drivers/usb/host/xhci-mem.c -@@ -1723,7 +1723,7 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) - } - - num_ports = HCS_MAX_PORTS(xhci->hcs_params1); -- for (i = 0; i < num_ports; i++) { -+ for (i = 0; i < num_ports && xhci->rh_bw; i++) { - struct xhci_interval_bw_table *bwt = &xhci->rh_bw[i].bw_table; - for (j = 0; j < XHCI_MAX_INTERVAL; j++) { - struct list_head *ep = &bwt->interval_bw[j].endpoints; -diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c -index 0d34f85..8fe5c13 100644 ---- a/drivers/usb/serial/ftdi_sio.c -+++ b/drivers/usb/serial/ftdi_sio.c -@@ -752,6 +752,7 @@ static struct usb_device_id id_table_combined [] = { - { USB_DEVICE(FTDI_VID, FTDI_NDI_AURORA_SCU_PID), - .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk }, - { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) }, -+ { USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) }, - { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) }, - { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) }, - { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) }, -@@ -961,6 +962,8 @@ static struct usb_device_id id_table_combined [] = { - { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_4_PID) }, - /* ekey Devices */ - { USB_DEVICE(FTDI_VID, FTDI_EKEY_CONV_USB_PID) }, -+ /* GE Healthcare devices */ -+ { USB_DEVICE(GE_HEALTHCARE_VID, GE_HEALTHCARE_NEMO_TRACKER_PID) }, - { }, /* Optional parameter entry */ - { } /* Terminating entry */ - }; -diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h -index cbcb1e6..bd509de 100644 ---- a/drivers/usb/serial/ftdi_sio_ids.h -+++ b/drivers/usb/serial/ftdi_sio_ids.h -@@ -831,6 +831,12 @@ - #define TELLDUS_TELLSTICK_PID 0x0C30 /* RF control dongle 433 MHz using FT232RL */ - - /* -+ * NOVITUS printers -+ */ -+#define NOVITUS_VID 0x1a28 -+#define NOVITUS_BONO_E_PID 0x6010 -+ -+/* - * RT Systems programming cables for various ham radios - */ - #define RTSYSTEMS_VID 0x2100 /* Vendor ID */ -@@ -1379,3 +1385,9 @@ - * ekey biometric systems GmbH (http://ekey.net/) - */ - #define FTDI_EKEY_CONV_USB_PID 0xCB08 /* Converter USB */ -+ -+/* -+ * GE Healthcare devices -+ */ -+#define GE_HEALTHCARE_VID 0x1901 -+#define GE_HEALTHCARE_NEMO_TRACKER_PID 0x0015 -diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c -index 0d26ab6..db9e54a 100644 ---- a/drivers/usb/serial/sierra.c -+++ b/drivers/usb/serial/sierra.c -@@ -296,14 +296,19 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x1199, 0x68A2), /* Sierra Wireless MC77xx in QMI mode */ - .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist - }, -- { USB_DEVICE(0x1199, 0x68A3), /* Sierra Wireless Direct IP modems */ -+ /* Sierra Wireless Direct IP modems */ -+ { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68A3, 0xFF, 0xFF, 0xFF), -+ .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist -+ }, -+ { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68AA, 0xFF, 0xFF, 0xFF), - .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist - }, - /* AT&T Direct IP LTE modems */ - { USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68AA, 0xFF, 0xFF, 0xFF), - .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist - }, -- { USB_DEVICE(0x0f3d, 0x68A3), /* Airprime/Sierra Wireless Direct IP modems */ -+ /* Airprime/Sierra Wireless Direct IP modems */ -+ { USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68A3, 0xFF, 0xFF, 0xFF), - .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist - }, - -diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h -index e588a11..a6c4c7d 100644 ---- a/drivers/usb/storage/unusual_devs.h -+++ b/drivers/usb/storage/unusual_devs.h -@@ -93,6 +93,12 @@ UNUSUAL_DEV( 0x03f0, 0x4002, 0x0001, 0x0001, - "PhotoSmart R707", - USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_FIX_CAPACITY), - -+UNUSUAL_DEV( 0x03f3, 0x0001, 0x0000, 0x9999, -+ "Adaptec", -+ "USBConnect 2000", -+ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, -+ US_FL_SCM_MULT_TARG ), -+ - /* Reported by Sebastian Kapfer <sebastian_kapfer@gmx.net> - * and Olaf Hering <olh@suse.de> (different bcd's, same vendor/product) - * for USB floppies that need the SINGLE_LUN enforcement. -@@ -733,6 +739,12 @@ UNUSUAL_DEV( 0x059b, 0x0001, 0x0100, 0x0100, - USB_SC_DEVICE, USB_PR_DEVICE, NULL, - US_FL_SINGLE_LUN ), - -+UNUSUAL_DEV( 0x059b, 0x0040, 0x0100, 0x0100, -+ "Iomega", -+ "Jaz USB Adapter", -+ USB_SC_DEVICE, USB_PR_DEVICE, NULL, -+ US_FL_SINGLE_LUN ), -+ - /* Reported by <Hendryk.Pfeiffer@gmx.de> */ - UNUSUAL_DEV( 0x059f, 0x0643, 0x0000, 0x0000, - "LaCie", -@@ -1105,6 +1117,18 @@ UNUSUAL_DEV( 0x0851, 0x1543, 0x0200, 0x0200, - USB_SC_DEVICE, USB_PR_DEVICE, NULL, - US_FL_NOT_LOCKABLE), - -+UNUSUAL_DEV( 0x085a, 0x0026, 0x0100, 0x0133, -+ "Xircom", -+ "PortGear USB-SCSI (Mac USB Dock)", -+ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, -+ US_FL_SCM_MULT_TARG ), -+ -+UNUSUAL_DEV( 0x085a, 0x0028, 0x0100, 0x0133, -+ "Xircom", -+ "PortGear USB to SCSI Converter", -+ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, -+ US_FL_SCM_MULT_TARG ), -+ - /* Submitted by Jan De Luyck <lkml@kcore.org> */ - UNUSUAL_DEV( 0x08bd, 0x1100, 0x0000, 0x0000, - "CITIZEN", -@@ -1932,6 +1956,14 @@ UNUSUAL_DEV( 0x152d, 0x2329, 0x0100, 0x0100, - USB_SC_DEVICE, USB_PR_DEVICE, NULL, - US_FL_IGNORE_RESIDUE | US_FL_SANE_SENSE ), - -+/* Entrega Technologies U1-SC25 (later Xircom PortGear PGSCSI) -+ * and Mac USB Dock USB-SCSI */ -+UNUSUAL_DEV( 0x1645, 0x0007, 0x0100, 0x0133, -+ "Entrega Technologies", -+ "USB to SCSI Converter", -+ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, -+ US_FL_SCM_MULT_TARG ), -+ - /* Reported by Robert Schedel <r.schedel@yahoo.de> - * Note: this is a 'super top' device like the above 14cd/6600 device */ - UNUSUAL_DEV( 0x1652, 0x6600, 0x0201, 0x0201, -@@ -1947,6 +1979,12 @@ UNUSUAL_DEV( 0x177f, 0x0400, 0x0000, 0x0000, - USB_SC_DEVICE, USB_PR_DEVICE, NULL, - US_FL_BULK_IGNORE_TAG | US_FL_MAX_SECTORS_64 ), - -+UNUSUAL_DEV( 0x1822, 0x0001, 0x0000, 0x9999, -+ "Ariston Technologies", -+ "iConnect USB to SCSI adapter", -+ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, -+ US_FL_SCM_MULT_TARG ), -+ - /* Reported by Hans de Goede <hdegoede@redhat.com> - * These Appotech controllers are found in Picture Frames, they provide a - * (buggy) emulation of a cdrom drive which contains the windows software -diff --git a/drivers/uwb/lc-dev.c b/drivers/uwb/lc-dev.c -index 5241f1d..3c9e929 100644 ---- a/drivers/uwb/lc-dev.c -+++ b/drivers/uwb/lc-dev.c -@@ -441,16 +441,19 @@ void uwbd_dev_onair(struct uwb_rc *rc, struct uwb_beca_e *bce) - uwb_dev->mac_addr = *bce->mac_addr; - uwb_dev->dev_addr = bce->dev_addr; - dev_set_name(&uwb_dev->dev, macbuf); -+ -+ /* plug the beacon cache */ -+ bce->uwb_dev = uwb_dev; -+ uwb_dev->bce = bce; -+ uwb_bce_get(bce); /* released in uwb_dev_sys_release() */ -+ - result = uwb_dev_add(uwb_dev, &rc->uwb_dev.dev, rc); - if (result < 0) { - dev_err(dev, "new device %s: cannot instantiate device\n", - macbuf); - goto error_dev_add; - } -- /* plug the beacon cache */ -- bce->uwb_dev = uwb_dev; -- uwb_dev->bce = bce; -- uwb_bce_get(bce); /* released in uwb_dev_sys_release() */ -+ - dev_info(dev, "uwb device (mac %s dev %s) connected to %s %s\n", - macbuf, devbuf, rc->uwb_dev.dev.parent->bus->name, - dev_name(rc->uwb_dev.dev.parent)); -@@ -458,6 +461,8 @@ void uwbd_dev_onair(struct uwb_rc *rc, struct uwb_beca_e *bce) - return; - - error_dev_add: -+ bce->uwb_dev = NULL; -+ uwb_bce_put(bce); - kfree(uwb_dev); - return; - } -diff --git a/drivers/xen/manage.c b/drivers/xen/manage.c -index c8af7e5..6548417 100644 ---- a/drivers/xen/manage.c -+++ b/drivers/xen/manage.c -@@ -108,16 +108,11 @@ static void do_suspend(void) - - shutting_down = SHUTDOWN_SUSPEND; - --#ifdef CONFIG_PREEMPT -- /* If the kernel is preemptible, we need to freeze all the processes -- to prevent them from being in the middle of a pagetable update -- during suspend. */ - err = freeze_processes(); - if (err) { - printk(KERN_ERR "xen suspend: freeze failed %d\n", err); - goto out; - } --#endif - - err = dpm_suspend_start(PMSG_FREEZE); - if (err) { -@@ -172,10 +167,8 @@ out_resume: - clock_was_set(); - - out_thaw: --#ifdef CONFIG_PREEMPT - thaw_processes(); - out: --#endif - shutting_down = SHUTDOWN_INVALID; - } - #endif /* CONFIG_HIBERNATE_CALLBACKS */ -diff --git a/fs/aio.c b/fs/aio.c -index 8cdd8ea..9acfd07 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1102,6 +1102,13 @@ static int aio_read_evt(struct kioctx *ioctx, struct io_event *ent) - head = ring->head % info->nr; - if (head != ring->tail) { - struct io_event *evp = aio_ring_event(info, head, KM_USER1); -+ -+ /* -+ * Ensure that once we've read the current tail pointer, that -+ * we also see the events that were stored up to the tail. -+ */ -+ smp_rmb(); -+ - *ent = *evp; - head = (head + 1) % info->nr; - smp_mb(); /* finish reading the event before updatng the head */ -diff --git a/fs/buffer.c b/fs/buffer.c -index 5f4bde2..59496e7 100644 ---- a/fs/buffer.c -+++ b/fs/buffer.c -@@ -1021,7 +1021,8 @@ grow_dev_page(struct block_device *bdev, sector_t block, - bh = page_buffers(page); - if (bh->b_size == size) { - end_block = init_page_buffers(page, bdev, -- index << sizebits, size); -+ (sector_t)index << sizebits, -+ size); - goto done; - } - if (!try_to_free_buffers(page)) -@@ -1042,7 +1043,8 @@ grow_dev_page(struct block_device *bdev, sector_t block, - */ - spin_lock(&inode->i_mapping->private_lock); - link_dev_buffers(page, bh); -- end_block = init_page_buffers(page, bdev, index << sizebits, size); -+ end_block = init_page_buffers(page, bdev, (sector_t)index << sizebits, -+ size); - spin_unlock(&inode->i_mapping->private_lock); - done: - ret = (block < end_block) ? 1 : -ENXIO; -diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c -index 91a6945..5a45b8f 100644 ---- a/fs/ext2/inode.c -+++ b/fs/ext2/inode.c -@@ -619,6 +619,8 @@ static int ext2_get_blocks(struct inode *inode, - int count = 0; - ext2_fsblk_t first_block = 0; - -+ BUG_ON(maxblocks == 0); -+ - depth = ext2_block_to_path(inode,iblock,offsets,&blocks_to_boundary); - - if (depth == 0) -diff --git a/fs/ext2/xip.c b/fs/ext2/xip.c -index 322a56b..af014bb 100644 ---- a/fs/ext2/xip.c -+++ b/fs/ext2/xip.c -@@ -37,6 +37,7 @@ __ext2_get_block(struct inode *inode, pgoff_t pgoff, int create, - int rc; - - memset(&tmp, 0, sizeof(struct buffer_head)); -+ tmp.b_size = 1 << inode->i_blkbits; - rc = ext2_get_block(inode, pgoff, &tmp, create); - *result = tmp.b_blocknr; - -diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c -index 818b43e..5baa7ba 100644 ---- a/fs/ext4/mballoc.c -+++ b/fs/ext4/mballoc.c -@@ -1312,6 +1312,8 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b, - void *buddy2; - struct super_block *sb = e4b->bd_sb; - -+ if (WARN_ON(count == 0)) -+ return; - BUG_ON(first + count > (sb->s_blocksize << 3)); - assert_spin_locked(ext4_group_lock_ptr(sb, e4b->bd_group)); - mb_check_buddy(e4b); -@@ -3132,6 +3134,8 @@ static void ext4_discard_allocated_blocks(struct ext4_allocation_context *ac) - int err; - - if (pa == NULL) { -+ if (ac->ac_f_ex.fe_len == 0) -+ return; - err = ext4_mb_load_buddy(ac->ac_sb, ac->ac_f_ex.fe_group, &e4b); - if (err) { - /* -@@ -3146,6 +3150,7 @@ static void ext4_discard_allocated_blocks(struct ext4_allocation_context *ac) - mb_free_blocks(ac->ac_inode, &e4b, ac->ac_f_ex.fe_start, - ac->ac_f_ex.fe_len); - ext4_unlock_group(ac->ac_sb, ac->ac_f_ex.fe_group); -+ ext4_mb_unload_buddy(&e4b); - return; - } - if (pa->pa_type == MB_INODE_PA) -diff --git a/fs/namei.c b/fs/namei.c -index 9680cef..dea2dab 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -554,24 +554,22 @@ static int complete_walk(struct nameidata *nd) - - static __always_inline void set_root(struct nameidata *nd) - { -- if (!nd->root.mnt) -- get_fs_root(current->fs, &nd->root); -+ get_fs_root(current->fs, &nd->root); - } - - static int link_path_walk(const char *, struct nameidata *); - --static __always_inline void set_root_rcu(struct nameidata *nd) -+static __always_inline unsigned set_root_rcu(struct nameidata *nd) - { -- if (!nd->root.mnt) { -- struct fs_struct *fs = current->fs; -- unsigned seq; -+ struct fs_struct *fs = current->fs; -+ unsigned seq, res; - -- do { -- seq = read_seqcount_begin(&fs->seq); -- nd->root = fs->root; -- nd->seq = __read_seqcount_begin(&nd->root.dentry->d_seq); -- } while (read_seqcount_retry(&fs->seq, seq)); -- } -+ do { -+ seq = read_seqcount_begin(&fs->seq); -+ nd->root = fs->root; -+ res = __read_seqcount_begin(&nd->root.dentry->d_seq); -+ } while (read_seqcount_retry(&fs->seq, seq)); -+ return res; - } - - static __always_inline int __vfs_follow_link(struct nameidata *nd, const char *link) -@@ -582,7 +580,8 @@ static __always_inline int __vfs_follow_link(struct nameidata *nd, const char *l - goto fail; - - if (*link == '/') { -- set_root(nd); -+ if (!nd->root.mnt) -+ set_root(nd); - path_put(&nd->path); - nd->path = nd->root; - path_get(&nd->root); -@@ -912,22 +911,11 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path, - return true; - } - --static void follow_mount_rcu(struct nameidata *nd) --{ -- while (d_mountpoint(nd->path.dentry)) { -- struct vfsmount *mounted; -- mounted = __lookup_mnt(nd->path.mnt, nd->path.dentry, 1); -- if (!mounted) -- break; -- nd->path.mnt = mounted; -- nd->path.dentry = mounted->mnt_root; -- nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq); -- } --} -- - static int follow_dotdot_rcu(struct nameidata *nd) - { -- set_root_rcu(nd); -+ struct inode *inode = nd->inode; -+ if (!nd->root.mnt) -+ set_root_rcu(nd); - - while (1) { - if (nd->path.dentry == nd->root.dentry && -@@ -939,6 +927,7 @@ static int follow_dotdot_rcu(struct nameidata *nd) - struct dentry *parent = old->d_parent; - unsigned seq; - -+ inode = parent->d_inode; - seq = read_seqcount_begin(&parent->d_seq); - if (read_seqcount_retry(&old->d_seq, nd->seq)) - goto failed; -@@ -948,10 +937,20 @@ static int follow_dotdot_rcu(struct nameidata *nd) - } - if (!follow_up_rcu(&nd->path)) - break; -+ inode = nd->path.dentry->d_inode; - nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq); - } -- follow_mount_rcu(nd); -- nd->inode = nd->path.dentry->d_inode; -+ while (d_mountpoint(nd->path.dentry)) { -+ struct vfsmount *mounted; -+ mounted = __lookup_mnt(nd->path.mnt, nd->path.dentry, 1); -+ if (!mounted) -+ break; -+ nd->path.mnt = mounted; -+ nd->path.dentry = mounted->mnt_root; -+ inode = nd->path.dentry->d_inode; -+ nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq); -+ } -+ nd->inode = inode; - return 0; - - failed: -@@ -1030,7 +1029,8 @@ static void follow_mount(struct path *path) - - static void follow_dotdot(struct nameidata *nd) - { -- set_root(nd); -+ if (!nd->root.mnt) -+ set_root(nd); - - while(1) { - struct dentry *old = nd->path.dentry; -@@ -1504,7 +1504,7 @@ static int path_init(int dfd, const char *name, unsigned int flags, - if (flags & LOOKUP_RCU) { - br_read_lock(vfsmount_lock); - rcu_read_lock(); -- set_root_rcu(nd); -+ nd->seq = set_root_rcu(nd); - } else { - set_root(nd); - path_get(&nd->root); -@@ -1560,7 +1560,14 @@ static int path_init(int dfd, const char *name, unsigned int flags, - } - - nd->inode = nd->path.dentry->d_inode; -- return 0; -+ if (!(flags & LOOKUP_RCU)) -+ return 0; -+ if (likely(!read_seqcount_retry(&nd->path.dentry->d_seq, nd->seq))) -+ return 0; -+ if (!(nd->flags & LOOKUP_ROOT)) -+ nd->root.mnt = NULL; -+ rcu_read_unlock(); -+ return -ECHILD; - - fput_fail: - fput_light(file, fput_needed); -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index c4a2a68..61a1303 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -2015,23 +2015,23 @@ static void nfs4_close_prepare(struct rpc_task *task, void *data) - is_rdwr = test_bit(NFS_O_RDWR_STATE, &state->flags); - is_rdonly = test_bit(NFS_O_RDONLY_STATE, &state->flags); - is_wronly = test_bit(NFS_O_WRONLY_STATE, &state->flags); -- /* Calculate the current open share mode */ -- calldata->arg.fmode = 0; -- if (is_rdonly || is_rdwr) -- calldata->arg.fmode |= FMODE_READ; -- if (is_wronly || is_rdwr) -- calldata->arg.fmode |= FMODE_WRITE; - /* Calculate the change in open mode */ -+ calldata->arg.fmode = 0; - if (state->n_rdwr == 0) { -- if (state->n_rdonly == 0) { -- call_close |= is_rdonly || is_rdwr; -- calldata->arg.fmode &= ~FMODE_READ; -- } -- if (state->n_wronly == 0) { -- call_close |= is_wronly || is_rdwr; -- calldata->arg.fmode &= ~FMODE_WRITE; -- } -- } -+ if (state->n_rdonly == 0) -+ call_close |= is_rdonly; -+ else if (is_rdonly) -+ calldata->arg.fmode |= FMODE_READ; -+ if (state->n_wronly == 0) -+ call_close |= is_wronly; -+ else if (is_wronly) -+ calldata->arg.fmode |= FMODE_WRITE; -+ } else if (is_rdwr) -+ calldata->arg.fmode |= FMODE_READ|FMODE_WRITE; -+ -+ if (calldata->arg.fmode == 0) -+ call_close |= is_rdwr; -+ - spin_unlock(&state->owner->so_lock); - - if (!call_close) { -diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c -index 11e1888..e2e7914 100644 ---- a/fs/nfsd/vfs.c -+++ b/fs/nfsd/vfs.c -@@ -508,6 +508,9 @@ set_nfsv4_acl_one(struct dentry *dentry, struct posix_acl *pacl, char *key) - char *buf = NULL; - int error = 0; - -+ if (!pacl) -+ return vfs_setxattr(dentry, key, NULL, 0, 0); -+ - buflen = posix_acl_xattr_size(pacl->a_count); - buf = kmalloc(buflen, GFP_KERNEL); - error = -ENOMEM; -diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c -index edeb239..b2d8a96 100644 ---- a/fs/nilfs2/inode.c -+++ b/fs/nilfs2/inode.c -@@ -24,6 +24,7 @@ - #include <linux/buffer_head.h> - #include <linux/gfp.h> - #include <linux/mpage.h> -+#include <linux/pagemap.h> - #include <linux/writeback.h> - #include <linux/uio.h> - #include "nilfs.h" -@@ -195,10 +196,10 @@ static int nilfs_writepage(struct page *page, struct writeback_control *wbc) - - static int nilfs_set_page_dirty(struct page *page) - { -+ struct inode *inode = page->mapping->host; - int ret = __set_page_dirty_nobuffers(page); - - if (page_has_buffers(page)) { -- struct inode *inode = page->mapping->host; - unsigned nr_dirty = 0; - struct buffer_head *bh, *head; - -@@ -221,6 +222,10 @@ static int nilfs_set_page_dirty(struct page *page) - - if (nr_dirty) - nilfs_set_file_dirty(inode, nr_dirty); -+ } else if (ret) { -+ unsigned nr_dirty = 1 << (PAGE_CACHE_SHIFT - inode->i_blkbits); -+ -+ nilfs_set_file_dirty(inode, nr_dirty); - } - return ret; - } -diff --git a/fs/ocfs2/dlm/dlmmaster.c b/fs/ocfs2/dlm/dlmmaster.c -index 005261c..dbc372e 100644 ---- a/fs/ocfs2/dlm/dlmmaster.c -+++ b/fs/ocfs2/dlm/dlmmaster.c -@@ -653,12 +653,9 @@ void dlm_lockres_clear_refmap_bit(struct dlm_ctxt *dlm, - clear_bit(bit, res->refmap); - } - -- --void dlm_lockres_grab_inflight_ref(struct dlm_ctxt *dlm, -+static void __dlm_lockres_grab_inflight_ref(struct dlm_ctxt *dlm, - struct dlm_lock_resource *res) - { -- assert_spin_locked(&res->spinlock); -- - res->inflight_locks++; - - mlog(0, "%s: res %.*s, inflight++: now %u, %ps()\n", dlm->name, -@@ -666,6 +663,13 @@ void dlm_lockres_grab_inflight_ref(struct dlm_ctxt *dlm, - __builtin_return_address(0)); - } - -+void dlm_lockres_grab_inflight_ref(struct dlm_ctxt *dlm, -+ struct dlm_lock_resource *res) -+{ -+ assert_spin_locked(&res->spinlock); -+ __dlm_lockres_grab_inflight_ref(dlm, res); -+} -+ - void dlm_lockres_drop_inflight_ref(struct dlm_ctxt *dlm, - struct dlm_lock_resource *res) - { -@@ -855,10 +859,8 @@ lookup: - /* finally add the lockres to its hash bucket */ - __dlm_insert_lockres(dlm, res); - -- /* Grab inflight ref to pin the resource */ -- spin_lock(&res->spinlock); -- dlm_lockres_grab_inflight_ref(dlm, res); -- spin_unlock(&res->spinlock); -+ /* since this lockres is new it doesn't not require the spinlock */ -+ __dlm_lockres_grab_inflight_ref(dlm, res); - - /* get an extra ref on the mle in case this is a BLOCK - * if so, the creator of the BLOCK may try to put the last -diff --git a/fs/partitions/check.c b/fs/partitions/check.c -index 1ef15cc..18c58e5 100644 ---- a/fs/partitions/check.c -+++ b/fs/partitions/check.c -@@ -361,6 +361,7 @@ static const struct attribute_group *part_attr_groups[] = { - static void part_release(struct device *dev) - { - struct hd_struct *p = dev_to_part(dev); -+ blk_free_devt(dev->devt); - free_part_stats(p); - free_part_info(p); - kfree(p); -@@ -403,7 +404,6 @@ void delete_partition(struct gendisk *disk, int partno) - rcu_assign_pointer(ptbl->last_lookup, NULL); - kobject_put(part->holder_dir); - device_del(part_to_dev(part)); -- blk_free_devt(part_devt(part)); - - hd_struct_put(part); - } -diff --git a/include/linux/alarmtimer.h b/include/linux/alarmtimer.h -index 975009e..9a9838a 100644 ---- a/include/linux/alarmtimer.h -+++ b/include/linux/alarmtimer.h -@@ -48,6 +48,7 @@ int alarm_try_to_cancel(struct alarm *alarm); - int alarm_cancel(struct alarm *alarm); - - u64 alarm_forward(struct alarm *alarm, ktime_t now, ktime_t interval); -+ktime_t alarm_expires_remaining(const struct alarm *alarm); - - /* - * A alarmtimer is active, when it is enqueued into timerqueue or the -diff --git a/include/linux/ceph/messenger.h b/include/linux/ceph/messenger.h -index ffbeb2c..5b6efef 100644 ---- a/include/linux/ceph/messenger.h -+++ b/include/linux/ceph/messenger.h -@@ -92,7 +92,7 @@ struct ceph_msg { - bool front_is_vmalloc; - bool more_to_follow; - bool needs_out_seq; -- int front_max; -+ int front_alloc_len; - unsigned long ack_stamp; /* tx: when we were acked */ - - struct ceph_msgpool *pool; -diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h -index f5df3dc..f4e8578 100644 ---- a/include/linux/jiffies.h -+++ b/include/linux/jiffies.h -@@ -259,23 +259,11 @@ extern unsigned long preset_lpj; - #define SEC_JIFFIE_SC (32 - SHIFT_HZ) - #endif - #define NSEC_JIFFIE_SC (SEC_JIFFIE_SC + 29) --#define USEC_JIFFIE_SC (SEC_JIFFIE_SC + 19) - #define SEC_CONVERSION ((unsigned long)((((u64)NSEC_PER_SEC << SEC_JIFFIE_SC) +\ - TICK_NSEC -1) / (u64)TICK_NSEC)) - - #define NSEC_CONVERSION ((unsigned long)((((u64)1 << NSEC_JIFFIE_SC) +\ - TICK_NSEC -1) / (u64)TICK_NSEC)) --#define USEC_CONVERSION \ -- ((unsigned long)((((u64)NSEC_PER_USEC << USEC_JIFFIE_SC) +\ -- TICK_NSEC -1) / (u64)TICK_NSEC)) --/* -- * USEC_ROUND is used in the timeval to jiffie conversion. See there -- * for more details. It is the scaled resolution rounding value. Note -- * that it is a 64-bit value. Since, when it is applied, we are already -- * in jiffies (albit scaled), it is nothing but the bits we will shift -- * off. -- */ --#define USEC_ROUND (u64)(((u64)1 << USEC_JIFFIE_SC) - 1) - /* - * The maximum jiffie value is (MAX_INT >> 1). Here we translate that - * into seconds. The 64-bit case will overflow if we are not careful, -diff --git a/include/net/regulatory.h b/include/net/regulatory.h -index eb7d3c2..c3c22e0 100644 ---- a/include/net/regulatory.h -+++ b/include/net/regulatory.h -@@ -92,7 +92,7 @@ struct ieee80211_reg_rule { - - struct ieee80211_regdomain { - u32 n_reg_rules; -- char alpha2[2]; -+ char alpha2[3]; - struct ieee80211_reg_rule reg_rules[]; - }; - -diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h -index ad03988..e0f1c91 100644 ---- a/include/net/sctp/sctp.h -+++ b/include/net/sctp/sctp.h -@@ -523,6 +523,11 @@ static inline void sctp_assoc_pending_pmtu(struct sctp_association *asoc) - asoc->pmtu_pending = 0; - } - -+static inline bool sctp_chunk_pending(const struct sctp_chunk *chunk) -+{ -+ return !list_empty(&chunk->list); -+} -+ - /* Walk through a list of TLV parameters. Don't trust the - * individual parameter lengths and instead depend on - * the chunk length to indicate when to stop. Make sure -diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h -index 9148632..4d1be75 100644 ---- a/include/net/sctp/sm.h -+++ b/include/net/sctp/sm.h -@@ -251,9 +251,9 @@ struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *, - int, __be16); - struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc, - union sctp_addr *addr); --int sctp_verify_asconf(const struct sctp_association *asoc, -- struct sctp_paramhdr *param_hdr, void *chunk_end, -- struct sctp_paramhdr **errp); -+bool sctp_verify_asconf(const struct sctp_association *asoc, -+ struct sctp_chunk *chunk, bool addr_param_needed, -+ struct sctp_paramhdr **errp); - struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, - struct sctp_chunk *asconf); - int sctp_process_asconf_ack(struct sctp_association *asoc, -diff --git a/init/Kconfig b/init/Kconfig -index 43298f9..b8dc1de 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -555,6 +555,7 @@ config LOG_BUF_SHIFT - int "Kernel log buffer size (16 => 64KB, 17 => 128KB)" - range 12 21 - default 17 -+ depends on PRINTK - help - Select kernel log buffer size as a power of 2. - Examples: -diff --git a/kernel/cgroup.c b/kernel/cgroup.c -index 93fc15e..ffcf896 100644 ---- a/kernel/cgroup.c -+++ b/kernel/cgroup.c -@@ -3871,6 +3871,11 @@ static int cgroup_mkdir(struct inode *dir, struct dentry *dentry, int mode) - { - struct cgroup *c_parent = dentry->d_parent->d_fsdata; - -+ /* Do not accept '\n' to prevent making /proc/<pid>/cgroup unparsable. -+ */ -+ if (strchr(dentry->d_name.name, '\n')) -+ return -EINVAL; -+ - /* the vfs holds inode->i_mutex already */ - return cgroup_create(c_parent, dentry, mode | S_IFDIR); - } -diff --git a/kernel/events/core.c b/kernel/events/core.c -index 14c111c..4a14895 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -1683,6 +1683,16 @@ retry: - */ - if (ctx->is_active) { - raw_spin_unlock_irq(&ctx->lock); -+ /* -+ * Reload the task pointer, it might have been changed by -+ * a concurrent perf_event_context_sched_out(). -+ */ -+ task = ctx->task; -+ /* -+ * Reload the task pointer, it might have been changed by -+ * a concurrent perf_event_context_sched_out(). -+ */ -+ task = ctx->task; - goto retry; - } - -@@ -7071,8 +7081,10 @@ int perf_event_init_task(struct task_struct *child) - - for_each_task_context_nr(ctxn) { - ret = perf_event_init_context(child, ctxn); -- if (ret) -+ if (ret) { -+ perf_event_free_task(child); - return ret; -+ } - } - - return 0; -diff --git a/kernel/fork.c b/kernel/fork.c -index 13bba30..29b4604 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -1221,7 +1221,7 @@ static struct task_struct *copy_process(unsigned long clone_flags, - goto bad_fork_cleanup_policy; - retval = audit_alloc(p); - if (retval) -- goto bad_fork_cleanup_policy; -+ goto bad_fork_cleanup_perf; - /* copy all the process information */ - retval = copy_semundo(clone_flags, p); - if (retval) -@@ -1406,8 +1406,9 @@ bad_fork_cleanup_semundo: - exit_sem(p); - bad_fork_cleanup_audit: - audit_free(p); --bad_fork_cleanup_policy: -+bad_fork_cleanup_perf: - perf_event_free_task(p); -+bad_fork_cleanup_policy: - #ifdef CONFIG_NUMA - mpol_put(p->mempolicy); - bad_fork_cleanup_cgroup: -diff --git a/kernel/futex.c b/kernel/futex.c -index 1bb37d0..f31f190 100644 ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -2460,6 +2460,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, - * shared futexes. We need to compare the keys: - */ - if (match_futex(&q.key, &key2)) { -+ queue_unlock(&q, hb); - ret = -EINVAL; - goto out_put_keys; - } -diff --git a/kernel/time.c b/kernel/time.c -index 73e416d..060f961 100644 ---- a/kernel/time.c -+++ b/kernel/time.c -@@ -493,17 +493,20 @@ EXPORT_SYMBOL(usecs_to_jiffies); - * that a remainder subtract here would not do the right thing as the - * resolution values don't fall on second boundries. I.e. the line: - * nsec -= nsec % TICK_NSEC; is NOT a correct resolution rounding. -+ * Note that due to the small error in the multiplier here, this -+ * rounding is incorrect for sufficiently large values of tv_nsec, but -+ * well formed timespecs should have tv_nsec < NSEC_PER_SEC, so we're -+ * OK. - * - * Rather, we just shift the bits off the right. - * - * The >> (NSEC_JIFFIE_SC - SEC_JIFFIE_SC) converts the scaled nsec - * value to a scaled second value. - */ --unsigned long --timespec_to_jiffies(const struct timespec *value) -+static unsigned long -+__timespec_to_jiffies(unsigned long sec, long nsec) - { -- unsigned long sec = value->tv_sec; -- long nsec = value->tv_nsec + TICK_NSEC - 1; -+ nsec = nsec + TICK_NSEC - 1; - - if (sec >= MAX_SEC_IN_JIFFIES){ - sec = MAX_SEC_IN_JIFFIES; -@@ -514,6 +517,13 @@ timespec_to_jiffies(const struct timespec *value) - (NSEC_JIFFIE_SC - SEC_JIFFIE_SC))) >> SEC_JIFFIE_SC; - - } -+ -+unsigned long -+timespec_to_jiffies(const struct timespec *value) -+{ -+ return __timespec_to_jiffies(value->tv_sec, value->tv_nsec); -+} -+ - EXPORT_SYMBOL(timespec_to_jiffies); - - void -@@ -530,31 +540,27 @@ jiffies_to_timespec(const unsigned long jiffies, struct timespec *value) - } - EXPORT_SYMBOL(jiffies_to_timespec); - --/* Same for "timeval" -+/* -+ * We could use a similar algorithm to timespec_to_jiffies (with a -+ * different multiplier for usec instead of nsec). But this has a -+ * problem with rounding: we can't exactly add TICK_NSEC - 1 to the -+ * usec value, since it's not necessarily integral. - * -- * Well, almost. The problem here is that the real system resolution is -- * in nanoseconds and the value being converted is in micro seconds. -- * Also for some machines (those that use HZ = 1024, in-particular), -- * there is a LARGE error in the tick size in microseconds. -- -- * The solution we use is to do the rounding AFTER we convert the -- * microsecond part. Thus the USEC_ROUND, the bits to be shifted off. -- * Instruction wise, this should cost only an additional add with carry -- * instruction above the way it was done above. -+ * We could instead round in the intermediate scaled representation -+ * (i.e. in units of 1/2^(large scale) jiffies) but that's also -+ * perilous: the scaling introduces a small positive error, which -+ * combined with a division-rounding-upward (i.e. adding 2^(scale) - 1 -+ * units to the intermediate before shifting) leads to accidental -+ * overflow and overestimates. -+ * -+ * At the cost of one additional multiplication by a constant, just -+ * use the timespec implementation. - */ - unsigned long - timeval_to_jiffies(const struct timeval *value) - { -- unsigned long sec = value->tv_sec; -- long usec = value->tv_usec; -- -- if (sec >= MAX_SEC_IN_JIFFIES){ -- sec = MAX_SEC_IN_JIFFIES; -- usec = 0; -- } -- return (((u64)sec * SEC_CONVERSION) + -- (((u64)usec * USEC_CONVERSION + USEC_ROUND) >> -- (USEC_JIFFIE_SC - SEC_JIFFIE_SC))) >> SEC_JIFFIE_SC; -+ return __timespec_to_jiffies(value->tv_sec, -+ value->tv_usec * NSEC_PER_USEC); - } - EXPORT_SYMBOL(timeval_to_jiffies); - -diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c -index eb198a3..7eaf162 100644 ---- a/kernel/time/alarmtimer.c -+++ b/kernel/time/alarmtimer.c -@@ -226,6 +226,12 @@ static enum hrtimer_restart alarmtimer_fired(struct hrtimer *timer) - - } - -+ktime_t alarm_expires_remaining(const struct alarm *alarm) -+{ -+ struct alarm_base *base = &alarm_bases[alarm->type]; -+ return ktime_sub(alarm->node.expires, base->gettime()); -+} -+ - #ifdef CONFIG_RTC_CLASS - /** - * alarmtimer_suspend - Suspend time callback -@@ -442,18 +448,26 @@ static enum alarmtimer_type clock2alarm(clockid_t clockid) - static enum alarmtimer_restart alarm_handle_timer(struct alarm *alarm, - ktime_t now) - { -+ unsigned long flags; - struct k_itimer *ptr = container_of(alarm, struct k_itimer, - it.alarm.alarmtimer); -- if (posix_timer_event(ptr, 0) != 0) -- ptr->it_overrun++; -+ enum alarmtimer_restart result = ALARMTIMER_NORESTART; -+ -+ spin_lock_irqsave(&ptr->it_lock, flags); -+ if ((ptr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) { -+ if (posix_timer_event(ptr, 0) != 0) -+ ptr->it_overrun++; -+ } - - /* Re-add periodic timers */ - if (ptr->it.alarm.interval.tv64) { - ptr->it_overrun += alarm_forward(alarm, now, - ptr->it.alarm.interval); -- return ALARMTIMER_RESTART; -+ result = ALARMTIMER_RESTART; - } -- return ALARMTIMER_NORESTART; -+ spin_unlock_irqrestore(&ptr->it_lock, flags); -+ -+ return result; - } - - /** -@@ -519,18 +533,22 @@ static int alarm_timer_create(struct k_itimer *new_timer) - * @new_timer: k_itimer pointer - * @cur_setting: itimerspec data to fill - * -- * Copies the itimerspec data out from the k_itimer -+ * Copies out the current itimerspec data - */ - static void alarm_timer_get(struct k_itimer *timr, - struct itimerspec *cur_setting) - { -- memset(cur_setting, 0, sizeof(struct itimerspec)); -+ ktime_t relative_expiry_time = -+ alarm_expires_remaining(&(timr->it.alarm.alarmtimer)); -+ -+ if (ktime_to_ns(relative_expiry_time) > 0) { -+ cur_setting->it_value = ktime_to_timespec(relative_expiry_time); -+ } else { -+ cur_setting->it_value.tv_sec = 0; -+ cur_setting->it_value.tv_nsec = 0; -+ } - -- cur_setting->it_interval = -- ktime_to_timespec(timr->it.alarm.interval); -- cur_setting->it_value = -- ktime_to_timespec(timr->it.alarm.alarmtimer.node.expires); -- return; -+ cur_setting->it_interval = ktime_to_timespec(timr->it.alarm.interval); - } - - /** -diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index 4babd77..b252661 100644 ---- a/kernel/trace/ring_buffer.c -+++ b/kernel/trace/ring_buffer.c -@@ -2847,7 +2847,7 @@ static void rb_iter_reset(struct ring_buffer_iter *iter) - iter->head = cpu_buffer->reader_page->read; - - iter->cache_reader_page = iter->head_page; -- iter->cache_read = iter->head; -+ iter->cache_read = cpu_buffer->read; - - if (iter->head) - iter->read_stamp = cpu_buffer->read_stamp; -diff --git a/mm/migrate.c b/mm/migrate.c -index 09d6a9d..7d26ea5 100644 ---- a/mm/migrate.c -+++ b/mm/migrate.c -@@ -141,8 +141,11 @@ static int remove_migration_pte(struct page *new, struct vm_area_struct *vma, - - get_page(new); - pte = pte_mkold(mk_pte(new, vma->vm_page_prot)); -+ -+ /* Recheck VMA as permissions can change since migration started */ - if (is_write_migration_entry(entry)) -- pte = pte_mkwrite(pte); -+ pte = maybe_mkwrite(pte, vma); -+ - #ifdef CONFIG_HUGETLB_PAGE - if (PageHuge(new)) - pte = pte_mkhuge(pte); -diff --git a/mm/percpu-vm.c b/mm/percpu-vm.c -index 12a48a88..0539f6a 100644 ---- a/mm/percpu-vm.c -+++ b/mm/percpu-vm.c -@@ -108,7 +108,7 @@ static int pcpu_alloc_pages(struct pcpu_chunk *chunk, - int page_start, int page_end) - { - const gfp_t gfp = GFP_KERNEL | __GFP_HIGHMEM | __GFP_COLD; -- unsigned int cpu; -+ unsigned int cpu, tcpu; - int i; - - for_each_possible_cpu(cpu) { -@@ -116,14 +116,23 @@ static int pcpu_alloc_pages(struct pcpu_chunk *chunk, - struct page **pagep = &pages[pcpu_page_idx(cpu, i)]; - - *pagep = alloc_pages_node(cpu_to_node(cpu), gfp, 0); -- if (!*pagep) { -- pcpu_free_pages(chunk, pages, populated, -- page_start, page_end); -- return -ENOMEM; -- } -+ if (!*pagep) -+ goto err; - } - } - return 0; -+ -+err: -+ while (--i >= page_start) -+ __free_page(pages[pcpu_page_idx(cpu, i)]); -+ -+ for_each_possible_cpu(tcpu) { -+ if (tcpu == cpu) -+ break; -+ for (i = page_start; i < page_end; i++) -+ __free_page(pages[pcpu_page_idx(tcpu, i)]); -+ } -+ return -ENOMEM; - } - - /** -@@ -264,6 +273,7 @@ err: - __pcpu_unmap_pages(pcpu_chunk_addr(chunk, tcpu, page_start), - page_end - page_start); - } -+ pcpu_post_unmap_tlb_flush(chunk, page_start, page_end); - return err; - } - -diff --git a/mm/percpu.c b/mm/percpu.c -index 5c29750..e29a1c4 100644 ---- a/mm/percpu.c -+++ b/mm/percpu.c -@@ -1895,6 +1895,8 @@ void __init setup_per_cpu_areas(void) - - if (pcpu_setup_first_chunk(ai, fc) < 0) - panic("Failed to initialize percpu areas."); -+ -+ pcpu_free_alloc_info(ai); - } - - #endif /* CONFIG_SMP */ -diff --git a/mm/shmem.c b/mm/shmem.c -index 1371021..83efac6 100644 ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -1719,8 +1719,10 @@ static int shmem_rename(struct inode *old_dir, struct dentry *old_dentry, struct - - if (new_dentry->d_inode) { - (void) shmem_unlink(new_dir, new_dentry); -- if (they_are_dirs) -+ if (they_are_dirs) { -+ drop_nlink(new_dentry->d_inode); - drop_nlink(old_dir); -+ } - } else if (they_are_dirs) { - drop_nlink(old_dir); - inc_nlink(new_dir); -diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c -index 1587dc6..9898d1f 100644 ---- a/net/ceph/auth_x.c -+++ b/net/ceph/auth_x.c -@@ -13,8 +13,6 @@ - #include "auth_x.h" - #include "auth_x_protocol.h" - --#define TEMP_TICKET_BUF_LEN 256 -- - static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed); - - static int ceph_x_is_authenticated(struct ceph_auth_client *ac) -@@ -64,7 +62,7 @@ static int ceph_x_encrypt(struct ceph_crypto_key *secret, - } - - static int ceph_x_decrypt(struct ceph_crypto_key *secret, -- void **p, void *end, void *obuf, size_t olen) -+ void **p, void *end, void **obuf, size_t olen) - { - struct ceph_x_encrypt_header head; - size_t head_len = sizeof(head); -@@ -75,8 +73,14 @@ static int ceph_x_decrypt(struct ceph_crypto_key *secret, - return -EINVAL; - - dout("ceph_x_decrypt len %d\n", len); -- ret = ceph_decrypt2(secret, &head, &head_len, obuf, &olen, -- *p, len); -+ if (*obuf == NULL) { -+ *obuf = kmalloc(len, GFP_NOFS); -+ if (!*obuf) -+ return -ENOMEM; -+ olen = len; -+ } -+ -+ ret = ceph_decrypt2(secret, &head, &head_len, *obuf, &olen, *p, len); - if (ret) - return ret; - if (head.struct_v != 1 || le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC) -@@ -129,139 +133,120 @@ static void remove_ticket_handler(struct ceph_auth_client *ac, - kfree(th); - } - --static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac, -- struct ceph_crypto_key *secret, -- void *buf, void *end) -+static int process_one_ticket(struct ceph_auth_client *ac, -+ struct ceph_crypto_key *secret, -+ void **p, void *end) - { - struct ceph_x_info *xi = ac->private; -- int num; -- void *p = buf; -+ int type; -+ u8 tkt_struct_v, blob_struct_v; -+ struct ceph_x_ticket_handler *th; -+ void *dbuf = NULL; -+ void *dp, *dend; -+ int dlen; -+ char is_enc; -+ struct timespec validity; -+ struct ceph_crypto_key old_key; -+ void *ticket_buf = NULL; -+ void *tp, *tpend; -+ struct ceph_timespec new_validity; -+ struct ceph_crypto_key new_session_key; -+ struct ceph_buffer *new_ticket_blob; -+ unsigned long new_expires, new_renew_after; -+ u64 new_secret_id; - int ret; -- char *dbuf; -- char *ticket_buf; -- u8 reply_struct_v; - -- dbuf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS); -- if (!dbuf) -- return -ENOMEM; -+ ceph_decode_need(p, end, sizeof(u32) + 1, bad); - -- ret = -ENOMEM; -- ticket_buf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS); -- if (!ticket_buf) -- goto out_dbuf; -+ type = ceph_decode_32(p); -+ dout(" ticket type %d %s\n", type, ceph_entity_type_name(type)); - -- ceph_decode_need(&p, end, 1 + sizeof(u32), bad); -- reply_struct_v = ceph_decode_8(&p); -- if (reply_struct_v != 1) -+ tkt_struct_v = ceph_decode_8(p); -+ if (tkt_struct_v != 1) - goto bad; -- num = ceph_decode_32(&p); -- dout("%d tickets\n", num); -- while (num--) { -- int type; -- u8 tkt_struct_v, blob_struct_v; -- struct ceph_x_ticket_handler *th; -- void *dp, *dend; -- int dlen; -- char is_enc; -- struct timespec validity; -- struct ceph_crypto_key old_key; -- void *tp, *tpend; -- struct ceph_timespec new_validity; -- struct ceph_crypto_key new_session_key; -- struct ceph_buffer *new_ticket_blob; -- unsigned long new_expires, new_renew_after; -- u64 new_secret_id; -- -- ceph_decode_need(&p, end, sizeof(u32) + 1, bad); -- -- type = ceph_decode_32(&p); -- dout(" ticket type %d %s\n", type, ceph_entity_type_name(type)); -- -- tkt_struct_v = ceph_decode_8(&p); -- if (tkt_struct_v != 1) -- goto bad; -- -- th = get_ticket_handler(ac, type); -- if (IS_ERR(th)) { -- ret = PTR_ERR(th); -- goto out; -- } - -- /* blob for me */ -- dlen = ceph_x_decrypt(secret, &p, end, dbuf, -- TEMP_TICKET_BUF_LEN); -- if (dlen <= 0) { -- ret = dlen; -- goto out; -- } -- dout(" decrypted %d bytes\n", dlen); -- dend = dbuf + dlen; -- dp = dbuf; -+ th = get_ticket_handler(ac, type); -+ if (IS_ERR(th)) { -+ ret = PTR_ERR(th); -+ goto out; -+ } - -- tkt_struct_v = ceph_decode_8(&dp); -- if (tkt_struct_v != 1) -- goto bad; -+ /* blob for me */ -+ dlen = ceph_x_decrypt(secret, p, end, &dbuf, 0); -+ if (dlen <= 0) { -+ ret = dlen; -+ goto out; -+ } -+ dout(" decrypted %d bytes\n", dlen); -+ dp = dbuf; -+ dend = dp + dlen; - -- memcpy(&old_key, &th->session_key, sizeof(old_key)); -- ret = ceph_crypto_key_decode(&new_session_key, &dp, dend); -- if (ret) -- goto out; -+ tkt_struct_v = ceph_decode_8(&dp); -+ if (tkt_struct_v != 1) -+ goto bad; - -- ceph_decode_copy(&dp, &new_validity, sizeof(new_validity)); -- ceph_decode_timespec(&validity, &new_validity); -- new_expires = get_seconds() + validity.tv_sec; -- new_renew_after = new_expires - (validity.tv_sec / 4); -- dout(" expires=%lu renew_after=%lu\n", new_expires, -- new_renew_after); -+ memcpy(&old_key, &th->session_key, sizeof(old_key)); -+ ret = ceph_crypto_key_decode(&new_session_key, &dp, dend); -+ if (ret) -+ goto out; - -- /* ticket blob for service */ -- ceph_decode_8_safe(&p, end, is_enc, bad); -- tp = ticket_buf; -- if (is_enc) { -- /* encrypted */ -- dout(" encrypted ticket\n"); -- dlen = ceph_x_decrypt(&old_key, &p, end, ticket_buf, -- TEMP_TICKET_BUF_LEN); -- if (dlen < 0) { -- ret = dlen; -- goto out; -- } -- dlen = ceph_decode_32(&tp); -- } else { -- /* unencrypted */ -- ceph_decode_32_safe(&p, end, dlen, bad); -- ceph_decode_need(&p, end, dlen, bad); -- ceph_decode_copy(&p, ticket_buf, dlen); -+ ceph_decode_copy(&dp, &new_validity, sizeof(new_validity)); -+ ceph_decode_timespec(&validity, &new_validity); -+ new_expires = get_seconds() + validity.tv_sec; -+ new_renew_after = new_expires - (validity.tv_sec / 4); -+ dout(" expires=%lu renew_after=%lu\n", new_expires, -+ new_renew_after); -+ -+ /* ticket blob for service */ -+ ceph_decode_8_safe(p, end, is_enc, bad); -+ if (is_enc) { -+ /* encrypted */ -+ dout(" encrypted ticket\n"); -+ dlen = ceph_x_decrypt(&old_key, p, end, &ticket_buf, 0); -+ if (dlen < 0) { -+ ret = dlen; -+ goto out; - } -- tpend = tp + dlen; -- dout(" ticket blob is %d bytes\n", dlen); -- ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad); -- blob_struct_v = ceph_decode_8(&tp); -- new_secret_id = ceph_decode_64(&tp); -- ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend); -- if (ret) -+ tp = ticket_buf; -+ dlen = ceph_decode_32(&tp); -+ } else { -+ /* unencrypted */ -+ ceph_decode_32_safe(p, end, dlen, bad); -+ ticket_buf = kmalloc(dlen, GFP_NOFS); -+ if (!ticket_buf) { -+ ret = -ENOMEM; - goto out; -- -- /* all is well, update our ticket */ -- ceph_crypto_key_destroy(&th->session_key); -- if (th->ticket_blob) -- ceph_buffer_put(th->ticket_blob); -- th->session_key = new_session_key; -- th->ticket_blob = new_ticket_blob; -- th->validity = new_validity; -- th->secret_id = new_secret_id; -- th->expires = new_expires; -- th->renew_after = new_renew_after; -- dout(" got ticket service %d (%s) secret_id %lld len %d\n", -- type, ceph_entity_type_name(type), th->secret_id, -- (int)th->ticket_blob->vec.iov_len); -- xi->have_keys |= th->service; -+ } -+ tp = ticket_buf; -+ ceph_decode_need(p, end, dlen, bad); -+ ceph_decode_copy(p, ticket_buf, dlen); - } -+ tpend = tp + dlen; -+ dout(" ticket blob is %d bytes\n", dlen); -+ ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad); -+ blob_struct_v = ceph_decode_8(&tp); -+ new_secret_id = ceph_decode_64(&tp); -+ ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend); -+ if (ret) -+ goto out; -+ -+ /* all is well, update our ticket */ -+ ceph_crypto_key_destroy(&th->session_key); -+ if (th->ticket_blob) -+ ceph_buffer_put(th->ticket_blob); -+ th->session_key = new_session_key; -+ th->ticket_blob = new_ticket_blob; -+ th->validity = new_validity; -+ th->secret_id = new_secret_id; -+ th->expires = new_expires; -+ th->renew_after = new_renew_after; -+ dout(" got ticket service %d (%s) secret_id %lld len %d\n", -+ type, ceph_entity_type_name(type), th->secret_id, -+ (int)th->ticket_blob->vec.iov_len); -+ xi->have_keys |= th->service; - -- ret = 0; - out: - kfree(ticket_buf); --out_dbuf: - kfree(dbuf); - return ret; - -@@ -270,6 +255,34 @@ bad: - goto out; - } - -+static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac, -+ struct ceph_crypto_key *secret, -+ void *buf, void *end) -+{ -+ void *p = buf; -+ u8 reply_struct_v; -+ u32 num; -+ int ret; -+ -+ ceph_decode_8_safe(&p, end, reply_struct_v, bad); -+ if (reply_struct_v != 1) -+ return -EINVAL; -+ -+ ceph_decode_32_safe(&p, end, num, bad); -+ dout("%d tickets\n", num); -+ -+ while (num--) { -+ ret = process_one_ticket(ac, secret, &p, end); -+ if (ret) -+ return ret; -+ } -+ -+ return 0; -+ -+bad: -+ return -EINVAL; -+} -+ - static int ceph_x_build_authorizer(struct ceph_auth_client *ac, - struct ceph_x_ticket_handler *th, - struct ceph_x_authorizer *au) -@@ -563,13 +576,14 @@ static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac, - struct ceph_x_ticket_handler *th; - int ret = 0; - struct ceph_x_authorize_reply reply; -+ void *preply = &reply; - void *p = au->reply_buf; - void *end = p + sizeof(au->reply_buf); - - th = get_ticket_handler(ac, au->service); - if (IS_ERR(th)) - return PTR_ERR(th); -- ret = ceph_x_decrypt(&th->session_key, &p, end, &reply, sizeof(reply)); -+ ret = ceph_x_decrypt(&th->session_key, &p, end, &preply, sizeof(reply)); - if (ret < 0) - return ret; - if (ret != sizeof(reply)) -diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c -index 20ba2d5..7a239f0 100644 ---- a/net/ceph/messenger.c -+++ b/net/ceph/messenger.c -@@ -2423,7 +2423,7 @@ struct ceph_msg *ceph_msg_new(int type, int front_len, gfp_t flags, - m->footer.middle_crc = 0; - m->footer.data_crc = 0; - m->footer.flags = 0; -- m->front_max = front_len; -+ m->front_alloc_len = front_len; - m->front_is_vmalloc = false; - m->more_to_follow = false; - m->ack_stamp = 0; -@@ -2594,8 +2594,8 @@ EXPORT_SYMBOL(ceph_msg_last_put); - - void ceph_msg_dump(struct ceph_msg *msg) - { -- pr_debug("msg_dump %p (front_max %d nr_pages %d)\n", msg, -- msg->front_max, msg->nr_pages); -+ pr_debug("msg_dump %p (front_alloc_len %d nr_pages %d)\n", msg, -+ msg->front_alloc_len, msg->nr_pages); - print_hex_dump(KERN_DEBUG, "header: ", - DUMP_PREFIX_OFFSET, 16, 1, - &msg->hdr, sizeof(msg->hdr), true); -diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c -index 0b62dea..0c0859b 100644 ---- a/net/ceph/mon_client.c -+++ b/net/ceph/mon_client.c -@@ -150,7 +150,7 @@ static int __open_session(struct ceph_mon_client *monc) - /* initiatiate authentication handshake */ - ret = ceph_auth_build_hello(monc->auth, - monc->m_auth->front.iov_base, -- monc->m_auth->front_max); -+ monc->m_auth->front_alloc_len); - __send_prepared_auth_request(monc, ret); - } else { - dout("open_session mon%d already open\n", monc->cur_mon); -@@ -194,7 +194,7 @@ static void __send_subscribe(struct ceph_mon_client *monc) - int num; - - p = msg->front.iov_base; -- end = p + msg->front_max; -+ end = p + msg->front_alloc_len; - - num = 1 + !!monc->want_next_osdmap + !!monc->want_mdsmap; - ceph_encode_32(&p, num); -@@ -860,7 +860,7 @@ static void handle_auth_reply(struct ceph_mon_client *monc, - ret = ceph_handle_auth_reply(monc->auth, msg->front.iov_base, - msg->front.iov_len, - monc->m_auth->front.iov_base, -- monc->m_auth->front_max); -+ monc->m_auth->front_alloc_len); - if (ret < 0) { - monc->client->auth_err = ret; - wake_up_all(&monc->client->auth_wq); -@@ -887,7 +887,7 @@ static int __validate_auth(struct ceph_mon_client *monc) - return 0; - - ret = ceph_build_auth(monc->auth, monc->m_auth->front.iov_base, -- monc->m_auth->front_max); -+ monc->m_auth->front_alloc_len); - if (ret <= 0) - return ret; /* either an error, or no need to authenticate */ - __send_prepared_auth_request(monc, ret); -@@ -987,7 +987,15 @@ static struct ceph_msg *mon_alloc_msg(struct ceph_connection *con, - if (!m) { - pr_info("alloc_msg unknown type %d\n", type); - *skip = 1; -+ } else if (front_len > m->front_alloc_len) { -+ pr_warning("mon_alloc_msg front %d > prealloc %d (%u#%llu)\n", -+ front_len, m->front_alloc_len, -+ (unsigned int)con->peer_name.type, -+ le64_to_cpu(con->peer_name.num)); -+ ceph_msg_put(m); -+ m = ceph_msg_new(type, front_len, GFP_NOFS, false); - } -+ - return m; - } - -diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index d361dc0..8e79a9e 100644 ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -151,6 +151,9 @@ static void ipv4_link_failure(struct sk_buff *skb); - static void ip_rt_update_pmtu(struct dst_entry *dst, u32 mtu); - static int rt_garbage_collect(struct dst_ops *ops); - -+static void __rt_garbage_collect(struct work_struct *w); -+static DECLARE_WORK(rt_gc_worker, __rt_garbage_collect); -+ - static void ipv4_dst_ifdown(struct dst_entry *dst, struct net_device *dev, - int how) - { -@@ -979,12 +982,13 @@ static void rt_emergency_hash_rebuild(struct net *net) - and when load increases it reduces to limit cache size. - */ - --static int rt_garbage_collect(struct dst_ops *ops) -+static void __do_rt_garbage_collect(int elasticity, int min_interval) - { - static unsigned long expire = RT_GC_TIMEOUT; - static unsigned long last_gc; - static int rover; - static int equilibrium; -+ static DEFINE_SPINLOCK(rt_gc_lock); - struct rtable *rth; - struct rtable __rcu **rthp; - unsigned long now = jiffies; -@@ -996,9 +1000,11 @@ static int rt_garbage_collect(struct dst_ops *ops) - * do not make it too frequently. - */ - -+ spin_lock_bh(&rt_gc_lock); -+ - RT_CACHE_STAT_INC(gc_total); - -- if (now - last_gc < ip_rt_gc_min_interval && -+ if (now - last_gc < min_interval && - entries < ip_rt_max_size) { - RT_CACHE_STAT_INC(gc_ignored); - goto out; -@@ -1006,7 +1012,7 @@ static int rt_garbage_collect(struct dst_ops *ops) - - entries = dst_entries_get_slow(&ipv4_dst_ops); - /* Calculate number of entries, which we want to expire now. */ -- goal = entries - (ip_rt_gc_elasticity << rt_hash_log); -+ goal = entries - (elasticity << rt_hash_log); - if (goal <= 0) { - if (equilibrium < ipv4_dst_ops.gc_thresh) - equilibrium = ipv4_dst_ops.gc_thresh; -@@ -1023,7 +1029,7 @@ static int rt_garbage_collect(struct dst_ops *ops) - equilibrium = entries - goal; - } - -- if (now - last_gc >= ip_rt_gc_min_interval) -+ if (now - last_gc >= min_interval) - last_gc = now; - - if (goal <= 0) { -@@ -1088,15 +1094,34 @@ static int rt_garbage_collect(struct dst_ops *ops) - if (net_ratelimit()) - printk(KERN_WARNING "dst cache overflow\n"); - RT_CACHE_STAT_INC(gc_dst_overflow); -- return 1; -+ goto out; - - work_done: -- expire += ip_rt_gc_min_interval; -+ expire += min_interval; - if (expire > ip_rt_gc_timeout || - dst_entries_get_fast(&ipv4_dst_ops) < ipv4_dst_ops.gc_thresh || - dst_entries_get_slow(&ipv4_dst_ops) < ipv4_dst_ops.gc_thresh) - expire = ip_rt_gc_timeout; --out: return 0; -+out: -+ spin_unlock_bh(&rt_gc_lock); -+} -+ -+static void __rt_garbage_collect(struct work_struct *w) -+{ -+ __do_rt_garbage_collect(ip_rt_gc_elasticity, ip_rt_gc_min_interval); -+} -+ -+static int rt_garbage_collect(struct dst_ops *ops) -+{ -+ if (!work_pending(&rt_gc_worker)) -+ schedule_work(&rt_gc_worker); -+ -+ if (dst_entries_get_fast(&ipv4_dst_ops) >= ip_rt_max_size || -+ dst_entries_get_slow(&ipv4_dst_ops) >= ip_rt_max_size) { -+ RT_CACHE_STAT_INC(gc_dst_overflow); -+ return 1; -+ } -+ return 0; - } - - /* -@@ -1153,7 +1178,7 @@ static struct rtable *rt_intern_hash(unsigned hash, struct rtable *rt, - unsigned long now; - u32 min_score; - int chain_length; -- int attempts = !in_softirq(); -+ int attempts = 1; - - restart: - chain_length = 0; -@@ -1290,14 +1315,15 @@ restart: - can be released. Try to shrink route cache, - it is most likely it holds some neighbour records. - */ -- if (attempts-- > 0) { -- int saved_elasticity = ip_rt_gc_elasticity; -- int saved_int = ip_rt_gc_min_interval; -- ip_rt_gc_elasticity = 1; -- ip_rt_gc_min_interval = 0; -- rt_garbage_collect(&ipv4_dst_ops); -- ip_rt_gc_min_interval = saved_int; -- ip_rt_gc_elasticity = saved_elasticity; -+ if (!in_softirq() && attempts-- > 0) { -+ static DEFINE_SPINLOCK(lock); -+ -+ if (spin_trylock(&lock)) { -+ __do_rt_garbage_collect(1, 0); -+ spin_unlock(&lock); -+ } else { -+ spin_unlock_wait(&lock); -+ } - goto restart; - } - -diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index b9edff0..3afdd78 100644 ---- a/net/ipv6/addrconf.c -+++ b/net/ipv6/addrconf.c -@@ -2443,8 +2443,18 @@ static void init_loopback(struct net_device *dev) - if (sp_ifa->flags & (IFA_F_DADFAILED | IFA_F_TENTATIVE)) - continue; - -- if (sp_ifa->rt) -- continue; -+ if (sp_ifa->rt) { -+ /* This dst has been added to garbage list when -+ * lo device down, release this obsolete dst and -+ * reallocate a new router for ifa. -+ */ -+ if (sp_ifa->rt->dst.obsolete > 0) { -+ dst_release(&sp_ifa->rt->dst); -+ sp_ifa->rt = NULL; -+ } else { -+ continue; -+ } -+ } - - sp_rt = addrconf_dst_alloc(idev, &sp_ifa->addr, 0); - -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index f8bec1e..d131a95 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -1362,7 +1362,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features) - fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen); - fptr->nexthdr = nexthdr; - fptr->reserved = 0; -- ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb)); -+ fptr->identification = skb_shinfo(skb)->ip6_frag_id; - - /* Fragment the skb. ipv6 header and the remaining fields of the - * fragment header are updated in ipv6_gso_segment() -diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c -index 437fb59..767bf4a 100644 ---- a/net/l2tp/l2tp_ppp.c -+++ b/net/l2tp/l2tp_ppp.c -@@ -774,7 +774,8 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr, - /* If PMTU discovery was enabled, use the MTU that was discovered */ - dst = sk_dst_get(tunnel->sock); - if (dst != NULL) { -- u32 pmtu = dst_mtu(__sk_dst_get(tunnel->sock)); -+ u32 pmtu = dst_mtu(dst); -+ - if (pmtu != 0) - session->mtu = session->mru = pmtu - - PPPOL2TP_HEADER_OVERHEAD; -diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c -index 29fa5ba..6422845 100644 ---- a/net/netfilter/ipvs/ip_vs_conn.c -+++ b/net/netfilter/ipvs/ip_vs_conn.c -@@ -777,7 +777,6 @@ static void ip_vs_conn_expire(unsigned long data) - ip_vs_control_del(cp); - - if (cp->flags & IP_VS_CONN_F_NFCT) { -- ip_vs_conn_drop_conntrack(cp); - /* Do not access conntracks during subsys cleanup - * because nf_conntrack_find_get can not be used after - * conntrack cleanup for the net. -diff --git a/net/sctp/associola.c b/net/sctp/associola.c -index da54d29..5b2d8e6 100644 ---- a/net/sctp/associola.c -+++ b/net/sctp/associola.c -@@ -1638,6 +1638,8 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack( - * ack chunk whose serial number matches that of the request. - */ - list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) { -+ if (sctp_chunk_pending(ack)) -+ continue; - if (ack->subh.addip_hdr->serial == serial) { - sctp_chunk_hold(ack); - return ack; -diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c -index 397296f..32421ae 100644 ---- a/net/sctp/inqueue.c -+++ b/net/sctp/inqueue.c -@@ -152,18 +152,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue) - } else { - /* Nothing to do. Next chunk in the packet, please. */ - ch = (sctp_chunkhdr_t *) chunk->chunk_end; -- - /* Force chunk->skb->data to chunk->chunk_end. */ -- skb_pull(chunk->skb, -- chunk->chunk_end - chunk->skb->data); -- -- /* Verify that we have at least chunk headers -- * worth of buffer left. -- */ -- if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) { -- sctp_chunk_free(chunk); -- chunk = queue->in_progress = NULL; -- } -+ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data); -+ /* We are guaranteed to pull a SCTP header. */ - } - } - -@@ -199,24 +190,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue) - skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t)); - chunk->subh.v = NULL; /* Subheader is no longer valid. */ - -- if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) { -+ if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) < -+ skb_tail_pointer(chunk->skb)) { - /* This is not a singleton */ - chunk->singleton = 0; - } else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) { -- /* RFC 2960, Section 6.10 Bundling -- * -- * Partial chunks MUST NOT be placed in an SCTP packet. -- * If the receiver detects a partial chunk, it MUST drop -- * the chunk. -- * -- * Since the end of the chunk is past the end of our buffer -- * (which contains the whole packet, we can freely discard -- * the whole packet. -- */ -- sctp_chunk_free(chunk); -- chunk = queue->in_progress = NULL; -- -- return NULL; -+ /* Discard inside state machine. */ -+ chunk->pdiscard = 1; -+ chunk->chunk_end = skb_tail_pointer(chunk->skb); - } else { - /* We are at the end of the packet, so mark the chunk - * in case we need to send a SACK. -diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c -index c95a3f2..d8d4704 100644 ---- a/net/sctp/sm_make_chunk.c -+++ b/net/sctp/sm_make_chunk.c -@@ -3068,50 +3068,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, - return SCTP_ERROR_NO_ERROR; - } - --/* Verify the ASCONF packet before we process it. */ --int sctp_verify_asconf(const struct sctp_association *asoc, -- struct sctp_paramhdr *param_hdr, void *chunk_end, -- struct sctp_paramhdr **errp) { -- sctp_addip_param_t *asconf_param; -+/* Verify the ASCONF packet before we process it. */ -+bool sctp_verify_asconf(const struct sctp_association *asoc, -+ struct sctp_chunk *chunk, bool addr_param_needed, -+ struct sctp_paramhdr **errp) -+{ -+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr; - union sctp_params param; -- int length, plen; -- -- param.v = (sctp_paramhdr_t *) param_hdr; -- while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) { -- length = ntohs(param.p->length); -- *errp = param.p; -+ bool addr_param_seen = false; - -- if (param.v > chunk_end - length || -- length < sizeof(sctp_paramhdr_t)) -- return 0; -+ sctp_walk_params(param, addip, addip_hdr.params) { -+ size_t length = ntohs(param.p->length); - -+ *errp = param.p; - switch (param.p->type) { -+ case SCTP_PARAM_ERR_CAUSE: -+ break; -+ case SCTP_PARAM_IPV4_ADDRESS: -+ if (length != sizeof(sctp_ipv4addr_param_t)) -+ return false; -+ addr_param_seen = true; -+ break; -+ case SCTP_PARAM_IPV6_ADDRESS: -+ if (length != sizeof(sctp_ipv6addr_param_t)) -+ return false; -+ addr_param_seen = true; -+ break; - case SCTP_PARAM_ADD_IP: - case SCTP_PARAM_DEL_IP: - case SCTP_PARAM_SET_PRIMARY: -- asconf_param = (sctp_addip_param_t *)param.v; -- plen = ntohs(asconf_param->param_hdr.length); -- if (plen < sizeof(sctp_addip_param_t) + -- sizeof(sctp_paramhdr_t)) -- return 0; -+ /* In ASCONF chunks, these need to be first. */ -+ if (addr_param_needed && !addr_param_seen) -+ return false; -+ length = ntohs(param.addip->param_hdr.length); -+ if (length < sizeof(sctp_addip_param_t) + -+ sizeof(sctp_paramhdr_t)) -+ return false; - break; - case SCTP_PARAM_SUCCESS_REPORT: - case SCTP_PARAM_ADAPTATION_LAYER_IND: - if (length != sizeof(sctp_addip_param_t)) -- return 0; -- -+ return false; - break; - default: -- break; -+ /* This is unkown to us, reject! */ -+ return false; - } -- -- param.v += WORD_ROUND(length); - } - -- if (param.v != chunk_end) -- return 0; -+ /* Remaining sanity checks. */ -+ if (addr_param_needed && !addr_param_seen) -+ return false; -+ if (!addr_param_needed && addr_param_seen) -+ return false; -+ if (param.v != chunk->chunk_end) -+ return false; - -- return 1; -+ return true; - } - - /* Process an incoming ASCONF chunk with the next expected serial no. and -@@ -3120,16 +3133,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc, - struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, - struct sctp_chunk *asconf) - { -+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr; -+ bool all_param_pass = true; -+ union sctp_params param; - sctp_addiphdr_t *hdr; - union sctp_addr_param *addr_param; - sctp_addip_param_t *asconf_param; - struct sctp_chunk *asconf_ack; -- - __be16 err_code; - int length = 0; - int chunk_len; - __u32 serial; -- int all_param_pass = 1; - - chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); - hdr = (sctp_addiphdr_t *)asconf->skb->data; -@@ -3157,9 +3171,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, - goto done; - - /* Process the TLVs contained within the ASCONF chunk. */ -- while (chunk_len > 0) { -+ sctp_walk_params(param, addip, addip_hdr.params) { -+ /* Skip preceeding address parameters. */ -+ if (param.p->type == SCTP_PARAM_IPV4_ADDRESS || -+ param.p->type == SCTP_PARAM_IPV6_ADDRESS) -+ continue; -+ - err_code = sctp_process_asconf_param(asoc, asconf, -- asconf_param); -+ param.addip); - /* ADDIP 4.1 A7) - * If an error response is received for a TLV parameter, - * all TLVs with no response before the failed TLV are -@@ -3167,28 +3186,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, - * the failed response are considered unsuccessful unless - * a specific success indication is present for the parameter. - */ -- if (SCTP_ERROR_NO_ERROR != err_code) -- all_param_pass = 0; -- -+ if (err_code != SCTP_ERROR_NO_ERROR) -+ all_param_pass = false; - if (!all_param_pass) -- sctp_add_asconf_response(asconf_ack, -- asconf_param->crr_id, err_code, -- asconf_param); -+ sctp_add_asconf_response(asconf_ack, param.addip->crr_id, -+ err_code, param.addip); - - /* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add - * an IP address sends an 'Out of Resource' in its response, it - * MUST also fail any subsequent add or delete requests bundled - * in the ASCONF. - */ -- if (SCTP_ERROR_RSRC_LOW == err_code) -+ if (err_code == SCTP_ERROR_RSRC_LOW) - goto done; -- -- /* Move to the next ASCONF param. */ -- length = ntohs(asconf_param->param_hdr.length); -- asconf_param = (void *)asconf_param + length; -- chunk_len -= length; - } -- - done: - asoc->peer.addip_serial++; - -diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c -index 5ac33b6..d02dd3c 100644 ---- a/net/sctp/sm_statefuns.c -+++ b/net/sctp/sm_statefuns.c -@@ -163,6 +163,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk, - { - __u16 chunk_length = ntohs(chunk->chunk_hdr->length); - -+ /* Previously already marked? */ -+ if (unlikely(chunk->pdiscard)) -+ return 0; - if (unlikely(chunk_length < required_length)) - return 0; - -@@ -3516,9 +3519,7 @@ sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, - struct sctp_chunk *asconf_ack = NULL; - struct sctp_paramhdr *err_param = NULL; - sctp_addiphdr_t *hdr; -- union sctp_addr_param *addr_param; - __u32 serial; -- int length; - - if (!sctp_vtag_verify(chunk, asoc)) { - sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, -@@ -3543,17 +3544,8 @@ sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, - hdr = (sctp_addiphdr_t *)chunk->skb->data; - serial = ntohl(hdr->serial); - -- addr_param = (union sctp_addr_param *)hdr->params; -- length = ntohs(addr_param->p.length); -- if (length < sizeof(sctp_paramhdr_t)) -- return sctp_sf_violation_paramlen(ep, asoc, type, arg, -- (void *)addr_param, commands); -- - /* Verify the ASCONF chunk before processing it. */ -- if (!sctp_verify_asconf(asoc, -- (sctp_paramhdr_t *)((void *)addr_param + length), -- (void *)chunk->chunk_end, -- &err_param)) -+ if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) - return sctp_sf_violation_paramlen(ep, asoc, type, arg, - (void *)err_param, commands); - -@@ -3670,10 +3662,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, - rcvd_serial = ntohl(addip_hdr->serial); - - /* Verify the ASCONF-ACK chunk before processing it. */ -- if (!sctp_verify_asconf(asoc, -- (sctp_paramhdr_t *)addip_hdr->params, -- (void *)asconf_ack->chunk_end, -- &err_param)) -+ if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) - return sctp_sf_violation_paramlen(ep, asoc, type, arg, - (void *)err_param, commands); - -diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c -index 6d4d263..cdf77a2 100644 ---- a/net/wireless/nl80211.c -+++ b/net/wireless/nl80211.c -@@ -4804,6 +4804,9 @@ int cfg80211_testmode_reply(struct sk_buff *skb) - void *hdr = ((void **)skb->cb)[1]; - struct nlattr *data = ((void **)skb->cb)[2]; - -+ /* clear CB data for netlink core to own from now on */ -+ memset(skb->cb, 0, sizeof(skb->cb)); -+ - if (WARN_ON(!rdev->testmode_info)) { - kfree_skb(skb); - return -EINVAL; -@@ -4830,6 +4833,9 @@ void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp) - void *hdr = ((void **)skb->cb)[1]; - struct nlattr *data = ((void **)skb->cb)[2]; - -+ /* clear CB data for netlink core to own from now on */ -+ memset(skb->cb, 0, sizeof(skb->cb)); -+ - nla_nest_end(skb, data); - genlmsg_end(skb, hdr); - genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), skb, 0, -diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c -index cf0d46e..7f00d34 100644 ---- a/sound/core/pcm_lib.c -+++ b/sound/core/pcm_lib.c -@@ -1692,14 +1692,16 @@ static int snd_pcm_lib_ioctl_fifo_size(struct snd_pcm_substream *substream, - { - struct snd_pcm_hw_params *params = arg; - snd_pcm_format_t format; -- int channels, width; -+ int channels; -+ ssize_t frame_size; - - params->fifo_size = substream->runtime->hw.fifo_size; - if (!(substream->runtime->hw.info & SNDRV_PCM_INFO_FIFO_IN_FRAMES)) { - format = params_format(params); - channels = params_channels(params); -- width = snd_pcm_format_physical_width(format); -- params->fifo_size /= width * channels; -+ frame_size = snd_pcm_format_size(format, channels); -+ if (frame_size > 0) -+ params->fifo_size /= (unsigned)frame_size; - } - return 0; - } -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 491cdf0..d10a6ef 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -789,6 +789,7 @@ static void alc_auto_init_amp(struct hda_codec *codec, int type) - case 0x10ec0885: - case 0x10ec0887: - /*case 0x10ec0889:*/ /* this causes an SPDIF problem */ -+ case 0x10ec0900: - alc889_coef_init(codec); - break; - case 0x10ec0888: -@@ -4343,6 +4344,7 @@ static int patch_alc882(struct hda_codec *codec) - switch (codec->vendor_id) { - case 0x10ec0882: - case 0x10ec0885: -+ case 0x10ec0900: - break; - default: - /* ALC883 and variants */ |