Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Pagano <mpagano@gentoo.org>2016-08-17 08:18:38 -0400
committerMike Pagano <mpagano@gentoo.org>2016-08-17 08:18:38 -0400
commitaba7a281b34f5ad3024d4b32b0c638239712124d (patch)
treea49badd80d73380d8d5cb5188c0d432b9264c0f9
parentLinux patch 3.14.75 (diff)
downloadlinux-patches-aba7a281b34f5ad3024d4b32b0c638239712124d.tar.gz
linux-patches-aba7a281b34f5ad3024d4b32b0c638239712124d.tar.bz2
linux-patches-aba7a281b34f5ad3024d4b32b0c638239712124d.zip
Linux patch 3.14.763.14-83
Diffstat
-rw-r--r--0000_README4
-rw-r--r--1075_linux-3.14.76.patch1346
2 files changed, 1350 insertions, 0 deletions
diff --git a/0000_README b/0000_README
index dd554cdf..bd2e9583 100644
--- a/0000_README
+++ b/0000_README
@@ -342,6 +342,10 @@ Patch: 1074_linux-3.14.75.patch
From: http://www.kernel.org
Desc: Linux 3.14.75
+Patch: 1075_linux-3.14.76.patch
+From: http://www.kernel.org
+Desc: Linux 3.14.76
+
Patch: 1500_XATTR_USER_PREFIX.patch
From: https://bugs.gentoo.org/show_bug.cgi?id=470644
Desc: Support for namespace user.pax.* on tmpfs.
diff --git a/1075_linux-3.14.76.patch b/1075_linux-3.14.76.patch
new file mode 100644
index 00000000..6ff6b53f
--- /dev/null
+++ b/1075_linux-3.14.76.patch
@@ -0,0 +1,1346 @@
+diff --git a/Makefile b/Makefile
+index 9e6e6131e986..306fd306906b 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 14
+-SUBLEVEL = 75
++SUBLEVEL = 76
+ EXTRAVERSION =
+ NAME = Remembering Coco
+
+diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
+index 3e94811690ce..a0aee80b608d 100644
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
+ mm_segment_t fs;
+ long ret, err, i;
+
+- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
++ if (maxevents <= 0 ||
++ maxevents > (INT_MAX/sizeof(*kbuf)) ||
++ maxevents > (INT_MAX/sizeof(*events)))
+ return -EINVAL;
++ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
++ return -EFAULT;
+ kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
+ if (!kbuf)
+ return -ENOMEM;
+@@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int semid,
+
+ if (nsops < 1 || nsops > SEMOPM)
+ return -EINVAL;
++ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
++ return -EFAULT;
+ sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ if (!sops)
+ return -ENOMEM;
+diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
+index f7e5b72cf481..79747b85777a 100644
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -350,7 +350,7 @@ EXPORT(sysn32_call_table)
+ PTR sys_ni_syscall /* available, was setaltroot */
+ PTR sys_add_key
+ PTR sys_request_key
+- PTR sys_keyctl /* 6245 */
++ PTR compat_sys_keyctl /* 6245 */
+ PTR sys_set_thread_area
+ PTR sys_inotify_init
+ PTR sys_inotify_add_watch
+diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
+index 6788727d91af..af499022f3fb 100644
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -474,7 +474,7 @@ EXPORT(sys32_call_table)
+ PTR sys_ni_syscall /* available, was setaltroot */
+ PTR sys_add_key /* 4280 */
+ PTR sys_request_key
+- PTR sys_keyctl
++ PTR compat_sys_keyctl
+ PTR sys_set_thread_area
+ PTR sys_inotify_init
+ PTR sys_inotify_add_watch /* 4285 */
+diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
+index be12c534fd59..29a3d1b00ca9 100644
+--- a/arch/x86/include/asm/mmu_context.h
++++ b/arch/x86/include/asm/mmu_context.h
+@@ -42,7 +42,34 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+ #endif
+ cpumask_set_cpu(cpu, mm_cpumask(next));
+
+- /* Re-load page tables */
++ /*
++ * Re-load page tables.
++ *
++ * This logic has an ordering constraint:
++ *
++ * CPU 0: Write to a PTE for 'next'
++ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI.
++ * CPU 1: set bit 1 in next's mm_cpumask
++ * CPU 1: load from the PTE that CPU 0 writes (implicit)
++ *
++ * We need to prevent an outcome in which CPU 1 observes
++ * the new PTE value and CPU 0 observes bit 1 clear in
++ * mm_cpumask. (If that occurs, then the IPI will never
++ * be sent, and CPU 0's TLB will contain a stale entry.)
++ *
++ * The bad outcome can occur if either CPU's load is
++ * reordered before that CPU's store, so both CPUs must
++ * execute full barriers to prevent this from happening.
++ *
++ * Thus, switch_mm needs a full barrier between the
++ * store to mm_cpumask and any operation that could load
++ * from next->pgd. TLB fills are special and can happen
++ * due to instruction fetches or for no reason at all,
++ * and neither LOCK nor MFENCE orders them.
++ * Fortunately, load_cr3() is serializing and gives the
++ * ordering guarantee we need.
++ *
++ */
+ load_cr3(next->pgd);
+
+ /* Stop flush ipis for the previous mm */
+@@ -65,10 +92,14 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+ * schedule, protecting us from simultaneous changes.
+ */
+ cpumask_set_cpu(cpu, mm_cpumask(next));
++
+ /*
+ * We were in lazy tlb mode and leave_mm disabled
+ * tlb flush IPI delivery. We must reload CR3
+ * to make sure to use no freed page tables.
++ *
++ * As above, load_cr3() is serializing and orders TLB
++ * fills with respect to the mm_cpumask write.
+ */
+ load_cr3(next->pgd);
+ load_LDT_nolock(&next->context);
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
+index dd8dda167a24..46e82e75192e 100644
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -152,7 +152,10 @@ void flush_tlb_current_task(void)
+ preempt_disable();
+
+ count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
++
++ /* This is an implicit full barrier that synchronizes with switch_mm. */
+ local_flush_tlb();
++
+ if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
+ flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL);
+ preempt_enable();
+@@ -166,11 +169,19 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
+ unsigned long nr_base_pages;
+
+ preempt_disable();
+- if (current->active_mm != mm)
++ if (current->active_mm != mm) {
++ /* Synchronize with switch_mm. */
++ smp_mb();
++
+ goto flush_all;
++ }
+
+ if (!current->mm) {
+ leave_mm(smp_processor_id());
++
++ /* Synchronize with switch_mm. */
++ smp_mb();
++
+ goto flush_all;
+ }
+
+@@ -222,10 +233,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start)
+ preempt_disable();
+
+ if (current->active_mm == mm) {
+- if (current->mm)
++ if (current->mm) {
++ /*
++ * Implicit full barrier (INVLPG) that synchronizes
++ * with switch_mm.
++ */
+ __flush_tlb_one(start);
+- else
++ } else {
+ leave_mm(smp_processor_id());
++
++ /* Synchronize with switch_mm. */
++ smp_mb();
++ }
+ }
+
+ if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
+diff --git a/block/genhd.c b/block/genhd.c
+index 9316f5fd416f..38d4ba122a43 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -829,6 +829,7 @@ static void disk_seqf_stop(struct seq_file *seqf, void *v)
+ if (iter) {
+ class_dev_iter_exit(iter);
+ kfree(iter);
++ seqf->private = NULL;
+ }
+ }
+
+diff --git a/crypto/gcm.c b/crypto/gcm.c
+index f0bd00b15f26..d2a0f7371cf0 100644
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -716,7 +716,9 @@ static struct crypto_instance *crypto_gcm_alloc_common(struct rtattr **tb,
+
+ ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
+ CRYPTO_ALG_TYPE_HASH,
+- CRYPTO_ALG_TYPE_AHASH_MASK);
++ CRYPTO_ALG_TYPE_AHASH_MASK |
++ crypto_requires_sync(algt->type,
++ algt->mask));
+ if (IS_ERR(ghash_alg))
+ return ERR_CAST(ghash_alg);
+
+diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c
+index 79ca2278c2a3..0ec7a6fa3d4d 100644
+--- a/crypto/scatterwalk.c
++++ b/crypto/scatterwalk.c
+@@ -68,7 +68,8 @@ static void scatterwalk_pagedone(struct scatter_walk *walk, int out,
+
+ void scatterwalk_done(struct scatter_walk *walk, int out, int more)
+ {
+- if (!(scatterwalk_pagelen(walk) & (PAGE_SIZE - 1)) || !more)
++ if (!more || walk->offset >= walk->sg->offset + walk->sg->length ||
++ !(walk->offset & (PAGE_SIZE - 1)))
+ scatterwalk_pagedone(walk, out, more);
+ }
+ EXPORT_SYMBOL_GPL(scatterwalk_done);
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 8a64dbeae7b1..d20ac1997886 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -698,15 +698,18 @@ retry:
+ }
+ }
+
+-static void credit_entropy_bits_safe(struct entropy_store *r, int nbits)
++static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
+ {
+ const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1));
+
++ if (nbits < 0)
++ return -EINVAL;
++
+ /* Cap the value to avoid overflows */
+ nbits = min(nbits, nbits_max);
+- nbits = max(nbits, -nbits_max);
+
+ credit_entropy_bits(r, nbits);
++ return 0;
+ }
+
+ /*********************************************************************
+@@ -1420,8 +1423,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
+ return -EPERM;
+ if (get_user(ent_count, p))
+ return -EFAULT;
+- credit_entropy_bits_safe(&input_pool, ent_count);
+- return 0;
++ return credit_entropy_bits_safe(&input_pool, ent_count);
+ case RNDADDENTROPY:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+@@ -1435,8 +1437,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
+ size);
+ if (retval < 0)
+ return retval;
+- credit_entropy_bits_safe(&input_pool, ent_count);
+- return 0;
++ return credit_entropy_bits_safe(&input_pool, ent_count);
+ case RNDZAPENTCNT:
+ case RNDCLEARPOOL:
+ /*
+diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c
+index f2f63933e8a9..5befec118a18 100644
+--- a/drivers/infiniband/core/ucm.c
++++ b/drivers/infiniband/core/ucm.c
+@@ -48,6 +48,7 @@
+
+ #include <asm/uaccess.h>
+
++#include <rdma/ib.h>
+ #include <rdma/ib_cm.h>
+ #include <rdma/ib_user_cm.h>
+ #include <rdma/ib_marshall.h>
+@@ -1104,6 +1105,9 @@ static ssize_t ib_ucm_write(struct file *filp, const char __user *buf,
+ struct ib_ucm_cmd_hdr hdr;
+ ssize_t result;
+
++ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
++ return -EACCES;
++
+ if (len < sizeof(hdr))
+ return -EINVAL;
+
+diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
+index 45d67e9228d7..81dd84d0b68b 100644
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1487,6 +1487,9 @@ static ssize_t ucma_write(struct file *filp, const char __user *buf,
+ struct rdma_ucm_cmd_hdr hdr;
+ ssize_t ret;
+
++ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
++ return -EACCES;
++
+ if (len < sizeof(hdr))
+ return -EINVAL;
+
+diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
+index 8802d5ccd93d..f3ecfe4b9571 100644
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -48,6 +48,8 @@
+
+ #include <asm/uaccess.h>
+
++#include <rdma/ib.h>
++
+ #include "uverbs.h"
+
+ MODULE_AUTHOR("Roland Dreier");
+@@ -605,6 +607,9 @@ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf,
+ struct ib_uverbs_cmd_hdr hdr;
+ __u32 flags;
+
++ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
++ return -EACCES;
++
+ if (count < sizeof hdr)
+ return -EINVAL;
+
+diff --git a/drivers/infiniband/hw/ipath/ipath_file_ops.c b/drivers/infiniband/hw/ipath/ipath_file_ops.c
+index 6d7f453b4d05..34aeb14f486a 100644
+--- a/drivers/infiniband/hw/ipath/ipath_file_ops.c
++++ b/drivers/infiniband/hw/ipath/ipath_file_ops.c
+@@ -45,6 +45,8 @@
+ #include <linux/cpu.h>
+ #include <asm/pgtable.h>
+
++#include "rdma/ib.h"
++
+ #include "ipath_kernel.h"
+ #include "ipath_common.h"
+ #include "ipath_user_sdma.h"
+@@ -2240,6 +2242,9 @@ static ssize_t ipath_write(struct file *fp, const char __user *data,
+ ssize_t ret = 0;
+ void *dest;
+
++ if (WARN_ON_ONCE(!ib_safe_file_access(fp)))
++ return -EACCES;
++
+ if (count < sizeof(cmd.type)) {
+ ret = -EINVAL;
+ goto bail;
+diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c
+index 2023cd61b897..3c089ca85c64 100644
+--- a/drivers/infiniband/hw/qib/qib_file_ops.c
++++ b/drivers/infiniband/hw/qib/qib_file_ops.c
+@@ -45,6 +45,8 @@
+ #include <linux/delay.h>
+ #include <linux/export.h>
+
++#include <rdma/ib.h>
++
+ #include "qib.h"
+ #include "qib_common.h"
+ #include "qib_user_sdma.h"
+@@ -2058,6 +2060,9 @@ static ssize_t qib_write(struct file *fp, const char __user *data,
+ ssize_t ret = 0;
+ void *dest;
+
++ if (WARN_ON_ONCE(!ib_safe_file_access(fp)))
++ return -EACCES;
++
+ if (count < sizeof(cmd.type)) {
+ ret = -EINVAL;
+ goto bail;
+diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
+index 70651f8e8e3b..e6fc358add9f 100644
+--- a/drivers/net/bonding/bond_netlink.c
++++ b/drivers/net/bonding/bond_netlink.c
+@@ -360,7 +360,11 @@ static int bond_newlink(struct net *src_net, struct net_device *bond_dev,
+ if (err < 0)
+ return err;
+
+- return register_netdevice(bond_dev);
++ err = register_netdevice(bond_dev);
++
++ netif_carrier_off(bond_dev);
++
++ return err;
+ }
+
+ static size_t bond_get_size(const struct net_device *bond_dev)
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index 584504e6e95c..df544c93735b 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -571,24 +571,13 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsetting);
+
+ static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+- int ret;
+-
+ /* MBIM backwards compatible function? */
+ cdc_ncm_select_altsetting(dev, intf);
+ if (cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting))
+ return -ENODEV;
+
+ /* NCM data altsetting is always 1 */
+- ret = cdc_ncm_bind_common(dev, intf, 1);
+-
+- /*
+- * We should get an event when network connection is "connected" or
+- * "disconnected". Set network connection in "disconnected" state
+- * (carrier is OFF) during attach, so the IP network stack does not
+- * start IPv6 negotiation and more.
+- */
+- usbnet_link_change(dev, 0, 0);
+- return ret;
++ return cdc_ncm_bind_common(dev, intf, 1);
+ }
+
+ static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max)
+@@ -1117,7 +1106,8 @@ static int cdc_ncm_check_connect(struct usbnet *dev)
+
+ static const struct driver_info cdc_ncm_info = {
+ .description = "CDC NCM",
+- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET,
++ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
++ | FLAG_LINK_INTR,
+ .bind = cdc_ncm_bind,
+ .unbind = cdc_ncm_unbind,
+ .check_connect = cdc_ncm_check_connect,
+@@ -1131,7 +1121,7 @@ static const struct driver_info cdc_ncm_info = {
+ static const struct driver_info wwan_info = {
+ .description = "Mobile Broadband Network Device",
+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
+- | FLAG_WWAN,
++ | FLAG_LINK_INTR | FLAG_WWAN,
+ .bind = cdc_ncm_bind,
+ .unbind = cdc_ncm_unbind,
+ .check_connect = cdc_ncm_check_connect,
+@@ -1145,7 +1135,7 @@ static const struct driver_info wwan_info = {
+ static const struct driver_info wwan_noarp_info = {
+ .description = "Mobile Broadband Network Device (NO ARP)",
+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
+- | FLAG_WWAN | FLAG_NOARP,
++ | FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP,
+ .bind = cdc_ncm_bind,
+ .unbind = cdc_ncm_unbind,
+ .check_connect = cdc_ncm_check_connect,
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index 719bd8257520..293155e0571d 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -540,66 +540,6 @@ void scsi_run_host_queues(struct Scsi_Host *shost)
+
+ static void __scsi_release_buffers(struct scsi_cmnd *, int);
+
+-/*
+- * Function: scsi_end_request()
+- *
+- * Purpose: Post-processing of completed commands (usually invoked at end
+- * of upper level post-processing and scsi_io_completion).
+- *
+- * Arguments: cmd - command that is complete.
+- * error - 0 if I/O indicates success, < 0 for I/O error.
+- * bytes - number of bytes of completed I/O
+- * requeue - indicates whether we should requeue leftovers.
+- *
+- * Lock status: Assumed that lock is not held upon entry.
+- *
+- * Returns: cmd if requeue required, NULL otherwise.
+- *
+- * Notes: This is called for block device requests in order to
+- * mark some number of sectors as complete.
+- *
+- * We are guaranteeing that the request queue will be goosed
+- * at some point during this call.
+- * Notes: If cmd was requeued, upon return it will be a stale pointer.
+- */
+-static struct scsi_cmnd *scsi_end_request(struct scsi_cmnd *cmd, int error,
+- int bytes, int requeue)
+-{
+- struct request_queue *q = cmd->device->request_queue;
+- struct request *req = cmd->request;
+-
+- /*
+- * If there are blocks left over at the end, set up the command
+- * to queue the remainder of them.
+- */
+- if (blk_end_request(req, error, bytes)) {
+- /* kill remainder if no retrys */
+- if (error && scsi_noretry_cmd(cmd))
+- blk_end_request_all(req, error);
+- else {
+- if (requeue) {
+- /*
+- * Bleah. Leftovers again. Stick the
+- * leftovers in the front of the
+- * queue, and goose the queue again.
+- */
+- scsi_release_buffers(cmd);
+- scsi_requeue_command(q, cmd);
+- cmd = NULL;
+- }
+- return cmd;
+- }
+- }
+-
+- /*
+- * This will goose the queue request function at the end, so we don't
+- * need to worry about launching another command.
+- */
+- __scsi_release_buffers(cmd, 0);
+- scsi_next_command(cmd);
+- return NULL;
+-}
+-
+ static inline unsigned int scsi_sgtable_index(unsigned short nents)
+ {
+ unsigned int index;
+@@ -751,16 +691,9 @@ static int __scsi_error_from_host_byte(struct scsi_cmnd *cmd, int result)
+ *
+ * Returns: Nothing
+ *
+- * Notes: This function is matched in terms of capabilities to
+- * the function that created the scatter-gather list.
+- * In other words, if there are no bounce buffers
+- * (the normal case for most drivers), we don't need
+- * the logic to deal with cleaning up afterwards.
+- *
+- * We must call scsi_end_request(). This will finish off
+- * the specified number of sectors. If we are done, the
+- * command block will be released and the queue function
+- * will be goosed. If we are not done then we have to
++ * Notes: We will finish off the specified number of sectors. If we
++ * are done, the command block will be released and the queue
++ * function will be goosed. If we are not done then we have to
+ * figure out what to do next:
+ *
+ * a) We can call scsi_requeue_command(). The request
+@@ -769,7 +702,7 @@ static int __scsi_error_from_host_byte(struct scsi_cmnd *cmd, int result)
+ * be used if we made forward progress, or if we want
+ * to switch from READ(10) to READ(6) for example.
+ *
+- * b) We can call scsi_queue_insert(). The request will
++ * b) We can call __scsi_queue_insert(). The request will
+ * be put back on the queue and retried using the same
+ * command as before, possibly after a delay.
+ *
+@@ -873,12 +806,28 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
+ }
+
+ /*
+- * A number of bytes were successfully read. If there
+- * are leftovers and there is some kind of error
+- * (result != 0), retry the rest.
++ * special case: failed zero length commands always need to
++ * drop down into the retry code. Otherwise, if we finished
++ * all bytes in the request we are done now.
+ */
+- if (scsi_end_request(cmd, error, good_bytes, result == 0) == NULL)
+- return;
++ if (!(blk_rq_bytes(req) == 0 && error) &&
++ !blk_end_request(req, error, good_bytes))
++ goto next_command;
++
++ /*
++ * Kill remainder if no retrys.
++ */
++ if (error && scsi_noretry_cmd(cmd)) {
++ blk_end_request_all(req, error);
++ goto next_command;
++ }
++
++ /*
++ * If there had been no error, but we have leftover bytes in the
++ * requeues just queue the command up again.
++ */
++ if (result == 0)
++ goto requeue;
+
+ error = __scsi_error_from_host_byte(cmd, result);
+
+@@ -1000,7 +949,6 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
+ switch (action) {
+ case ACTION_FAIL:
+ /* Give up and fail the remainder of the request */
+- scsi_release_buffers(cmd);
+ if (!(req->cmd_flags & REQ_QUIET)) {
+ if (description)
+ scmd_printk(KERN_INFO, cmd, "%s\n",
+@@ -1010,12 +958,11 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
+ scsi_print_sense("", cmd);
+ scsi_print_command(cmd);
+ }
+- if (blk_end_request_err(req, error))
+- scsi_requeue_command(q, cmd);
+- else
+- scsi_next_command(cmd);
+- break;
++ if (!blk_end_request_err(req, error))
++ goto next_command;
++ /*FALLTHRU*/
+ case ACTION_REPREP:
++ requeue:
+ /* Unprep the request and put it back at the head of the queue.
+ * A new command will be prepared and issued.
+ */
+@@ -1031,6 +978,11 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
+ __scsi_queue_insert(cmd, SCSI_MLQUEUE_DEVICE_BUSY, 0);
+ break;
+ }
++ return;
++
++next_command:
++ __scsi_release_buffers(cmd, 0);
++ scsi_next_command(cmd);
+ }
+
+ static int scsi_init_sgtable(struct request *req, struct scsi_data_buffer *sdb,
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index dcee3f09793d..f46ac929ef8a 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -106,6 +106,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem);
+ #define HUB_DEBOUNCE_STEP 25
+ #define HUB_DEBOUNCE_STABLE 100
+
++static void hub_release(struct kref *kref);
+ static int usb_reset_and_verify_device(struct usb_device *udev);
+
+ static inline char *portspeed(struct usb_hub *hub, int portstatus)
+@@ -1023,10 +1024,20 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ unsigned delay;
+
+ /* Continue a partial initialization */
+- if (type == HUB_INIT2)
+- goto init2;
+- if (type == HUB_INIT3)
++ if (type == HUB_INIT2 || type == HUB_INIT3) {
++ device_lock(hub->intfdev);
++
++ /* Was the hub disconnected while we were waiting? */
++ if (hub->disconnected) {
++ device_unlock(hub->intfdev);
++ kref_put(&hub->kref, hub_release);
++ return;
++ }
++ if (type == HUB_INIT2)
++ goto init2;
+ goto init3;
++ }
++ kref_get(&hub->kref);
+
+ /* The superspeed hub except for root hub has to use Hub Depth
+ * value as an offset into the route string to locate the bits
+@@ -1220,6 +1231,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ PREPARE_DELAYED_WORK(&hub->init_work, hub_init_func3);
+ schedule_delayed_work(&hub->init_work,
+ msecs_to_jiffies(delay));
++ device_unlock(hub->intfdev);
+ return; /* Continues at init3: below */
+ } else {
+ msleep(delay);
+@@ -1240,6 +1252,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ /* Allow autosuspend if it was suppressed */
+ if (type <= HUB_INIT3)
+ usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
++
++ if (type == HUB_INIT2 || type == HUB_INIT3)
++ device_unlock(hub->intfdev);
++
++ kref_put(&hub->kref, hub_release);
+ }
+
+ /* Implement the continuations for the delays above */
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index b6c85fbd0a14..24af5b0b8d81 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -164,6 +164,10 @@ static const struct usb_device_id usb_quirk_list[] = {
+ /* MAYA44USB sound device */
+ { USB_DEVICE(0x0a92, 0x0091), .driver_info = USB_QUIRK_RESET_RESUME },
+
++ /* ASUS Base Station(T100) */
++ { USB_DEVICE(0x0b05, 0x17e0), .driver_info =
++ USB_QUIRK_IGNORE_REMOTE_WAKEUP },
++
+ /* Action Semiconductor flash disk */
+ { USB_DEVICE(0x10d6, 0x2200), .driver_info =
+ USB_QUIRK_STRING_FETCH_255 },
+@@ -186,10 +190,6 @@ static const struct usb_device_id usb_interface_quirk_list[] = {
+ { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0),
+ .driver_info = USB_QUIRK_RESET_RESUME },
+
+- /* ASUS Base Station(T100) */
+- { USB_DEVICE(0x0b05, 0x17e0), .driver_info =
+- USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+-
+ { } /* terminating entry must be last */
+ };
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index a3be02e03021..0bffd9a0fbf2 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -359,9 +359,13 @@ static int ext4_valid_extent(struct inode *inode, struct ext4_extent *ext)
+ ext4_fsblk_t block = ext4_ext_pblock(ext);
+ int len = ext4_ext_get_actual_len(ext);
+ ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
+- ext4_lblk_t last = lblock + len - 1;
+
+- if (len == 0 || lblock > last)
++ /*
++ * We allow neither:
++ * - zero length
++ * - overflow/wrap-around
++ */
++ if (lblock + len <= lblock)
+ return 0;
+ return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
+ }
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 58001fcff037..774cb09519cb 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -204,9 +204,9 @@ void ext4_evict_inode(struct inode *inode)
+ * Note that directories do not have this problem because they
+ * don't use page cache.
+ */
+- if (ext4_should_journal_data(inode) &&
+- (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode)) &&
+- inode->i_ino != EXT4_JOURNAL_INO) {
++ if (inode->i_ino != EXT4_JOURNAL_INO &&
++ ext4_should_journal_data(inode) &&
++ (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) {
+ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
+ tid_t commit_tid = EXT4_I(inode)->i_datasync_tid;
+
+@@ -2579,13 +2579,36 @@ retry:
+ done = true;
+ }
+ }
+- ext4_journal_stop(handle);
++ /*
++ * Caution: If the handle is synchronous,
++ * ext4_journal_stop() can wait for transaction commit
++ * to finish which may depend on writeback of pages to
++ * complete or on page lock to be released. In that
++ * case, we have to wait until after after we have
++ * submitted all the IO, released page locks we hold,
++ * and dropped io_end reference (for extent conversion
++ * to be able to complete) before stopping the handle.
++ */
++ if (!ext4_handle_valid(handle) || handle->h_sync == 0) {
++ ext4_journal_stop(handle);
++ handle = NULL;
++ }
+ /* Submit prepared bio */
+ ext4_io_submit(&mpd.io_submit);
+ /* Unlock pages we didn't use */
+ mpage_release_unused_pages(&mpd, give_up_on_write);
+- /* Drop our io_end reference we got from init */
+- ext4_put_io_end(mpd.io_submit.io_end);
++ /*
++ * Drop our io_end reference we got from init. We have
++ * to be careful and use deferred io_end finishing if
++ * we are still holding the transaction as we can
++ * release the last reference to io_end which may end
++ * up doing unwritten extent conversion.
++ */
++ if (handle) {
++ ext4_put_io_end_defer(mpd.io_submit.io_end);
++ ext4_journal_stop(handle);
++ } else
++ ext4_put_io_end(mpd.io_submit.io_end);
+
+ if (ret == -ENOSPC && sbi->s_journal) {
+ /*
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 4a79ce1ecaa1..fcb205f69ed6 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -2897,7 +2897,7 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
+ ext4_error(sb, "Allocating blocks %llu-%llu which overlap "
+ "fs metadata", block, block+len);
+ /* File system mounted not to panic on error
+- * Fix the bitmap and repeat the block allocation
++ * Fix the bitmap and return EUCLEAN
+ * We leak some of the blocks here.
+ */
+ ext4_lock_group(sb, ac->ac_b_ex.fe_group);
+@@ -2906,7 +2906,7 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
+ ext4_unlock_group(sb, ac->ac_b_ex.fe_group);
+ err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh);
+ if (!err)
+- err = -EAGAIN;
++ err = -EUCLEAN;
+ goto out_err;
+ }
+
+@@ -4476,18 +4476,7 @@ repeat:
+ }
+ if (likely(ac->ac_status == AC_STATUS_FOUND)) {
+ *errp = ext4_mb_mark_diskspace_used(ac, handle, reserv_clstrs);
+- if (*errp == -EAGAIN) {
+- /*
+- * drop the reference that we took
+- * in ext4_mb_use_best_found
+- */
+- ext4_mb_release_context(ac);
+- ac->ac_b_ex.fe_group = 0;
+- ac->ac_b_ex.fe_start = 0;
+- ac->ac_b_ex.fe_len = 0;
+- ac->ac_status = AC_STATUS_CONTINUE;
+- goto repeat;
+- } else if (*errp) {
++ if (*errp) {
+ ext4_discard_allocated_blocks(ac);
+ goto errout;
+ } else {
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 64cd8114f75d..4ce824197b81 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2222,6 +2222,16 @@ static void ext4_orphan_cleanup(struct super_block *sb,
+ while (es->s_last_orphan) {
+ struct inode *inode;
+
++ /*
++ * We may have encountered an error during cleanup; if
++ * so, skip the rest.
++ */
++ if (EXT4_SB(sb)->s_mount_state & EXT4_ERROR_FS) {
++ jbd_debug(1, "Skipping orphan recovery on fs with errors.\n");
++ es->s_last_orphan = 0;
++ break;
++ }
++
+ inode = ext4_orphan_get(sb, le32_to_cpu(es->s_last_orphan));
+ if (IS_ERR(inode)) {
+ es->s_last_orphan = 0;
+diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
+index faf00af7f3d7..58737550a3f4 100644
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -911,7 +911,7 @@ static void fuse_send_init(struct fuse_conn *fc, struct fuse_req *req)
+ arg->flags |= FUSE_ASYNC_READ | FUSE_POSIX_LOCKS | FUSE_ATOMIC_O_TRUNC |
+ FUSE_EXPORT_SUPPORT | FUSE_BIG_WRITES | FUSE_DONT_MASK |
+ FUSE_SPLICE_WRITE | FUSE_SPLICE_MOVE | FUSE_SPLICE_READ |
+- FUSE_FLOCK_LOCKS | FUSE_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
++ FUSE_FLOCK_LOCKS | FUSE_HAS_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
+ FUSE_DO_READDIRPLUS | FUSE_READDIRPLUS_AUTO | FUSE_ASYNC_DIO;
+ req->in.h.opcode = FUSE_INIT;
+ req->in.numargs = 1;
+diff --git a/include/linux/console.h b/include/linux/console.h
+index 7571a16bd653..ac1599bda9fc 100644
+--- a/include/linux/console.h
++++ b/include/linux/console.h
+@@ -150,6 +150,7 @@ extern int console_trylock(void);
+ extern void console_unlock(void);
+ extern void console_conditional_schedule(void);
+ extern void console_unblank(void);
++extern void console_flush_on_panic(void);
+ extern struct tty_driver *console_device(int *);
+ extern void console_stop(struct console *);
+ extern void console_start(struct console *);
+diff --git a/include/rdma/ib.h b/include/rdma/ib.h
+index cf8f9e700e48..a6b93706b0fc 100644
+--- a/include/rdma/ib.h
++++ b/include/rdma/ib.h
+@@ -34,6 +34,7 @@
+ #define _RDMA_IB_H
+
+ #include <linux/types.h>
++#include <linux/sched.h>
+
+ struct ib_addr {
+ union {
+@@ -86,4 +87,19 @@ struct sockaddr_ib {
+ __u64 sib_scope_id;
+ };
+
++/*
++ * The IB interfaces that use write() as bi-directional ioctl() are
++ * fundamentally unsafe, since there are lots of ways to trigger "write()"
++ * calls from various contexts with elevated privileges. That includes the
++ * traditional suid executable error message writes, but also various kernel
++ * interfaces that can write to file descriptors.
++ *
++ * This function provides protection for the legacy API by restricting the
++ * calling context.
++ */
++static inline bool ib_safe_file_access(struct file *filp)
++{
++ return filp->f_cred == current_cred() && segment_eq(get_fs(), USER_DS);
++}
++
+ #endif /* _RDMA_IB_H */
+diff --git a/ipc/msg.c b/ipc/msg.c
+index 4a036c619607..0d1449551e06 100644
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -745,7 +745,7 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
+ rcu_read_lock();
+ ipc_lock_object(&msq->q_perm);
+
+- ipc_rcu_putref(msq, ipc_rcu_free);
++ ipc_rcu_putref(msq, msg_rcu_free);
+ /* raced with RMID? */
+ if (!ipc_valid_object(&msq->q_perm)) {
+ err = -EIDRM;
+diff --git a/ipc/sem.c b/ipc/sem.c
+index e53c96f7db42..bd8cbb071166 100644
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -441,7 +441,7 @@ static inline struct sem_array *sem_obtain_object_check(struct ipc_namespace *ns
+ static inline void sem_lock_and_putref(struct sem_array *sma)
+ {
+ sem_lock(sma, NULL, -1);
+- ipc_rcu_putref(sma, ipc_rcu_free);
++ ipc_rcu_putref(sma, sem_rcu_free);
+ }
+
+ static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
+@@ -1371,7 +1371,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
+ rcu_read_unlock();
+ sem_io = ipc_alloc(sizeof(ushort)*nsems);
+ if (sem_io == NULL) {
+- ipc_rcu_putref(sma, ipc_rcu_free);
++ ipc_rcu_putref(sma, sem_rcu_free);
+ return -ENOMEM;
+ }
+
+@@ -1405,20 +1405,20 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
+ if (nsems > SEMMSL_FAST) {
+ sem_io = ipc_alloc(sizeof(ushort)*nsems);
+ if (sem_io == NULL) {
+- ipc_rcu_putref(sma, ipc_rcu_free);
++ ipc_rcu_putref(sma, sem_rcu_free);
+ return -ENOMEM;
+ }
+ }
+
+ if (copy_from_user(sem_io, p, nsems*sizeof(ushort))) {
+- ipc_rcu_putref(sma, ipc_rcu_free);
++ ipc_rcu_putref(sma, sem_rcu_free);
+ err = -EFAULT;
+ goto out_free;
+ }
+
+ for (i = 0; i < nsems; i++) {
+ if (sem_io[i] > SEMVMX) {
+- ipc_rcu_putref(sma, ipc_rcu_free);
++ ipc_rcu_putref(sma, sem_rcu_free);
+ err = -ERANGE;
+ goto out_free;
+ }
+@@ -1708,7 +1708,7 @@ static struct sem_undo *find_alloc_undo(struct ipc_namespace *ns, int semid)
+ /* step 2: allocate new undo structure */
+ new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL);
+ if (!new) {
+- ipc_rcu_putref(sma, ipc_rcu_free);
++ ipc_rcu_putref(sma, sem_rcu_free);
+ return ERR_PTR(-ENOMEM);
+ }
+
+diff --git a/kernel/panic.c b/kernel/panic.c
+index 6d6300375090..16458b37fadc 100644
+--- a/kernel/panic.c
++++ b/kernel/panic.c
+@@ -23,6 +23,7 @@
+ #include <linux/sysrq.h>
+ #include <linux/init.h>
+ #include <linux/nmi.h>
++#include <linux/console.h>
+
+ #define PANIC_TIMER_STEP 100
+ #define PANIC_BLINK_SPD 18
+@@ -133,6 +134,8 @@ void panic(const char *fmt, ...)
+
+ bust_spinlocks(0);
+
++ console_flush_on_panic();
++
+ if (!panic_blink)
+ panic_blink = no_blink;
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index 02e7fb4edb93..2e0406fe1105 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -2011,13 +2011,24 @@ void console_unlock(void)
+ static u64 seen_seq;
+ unsigned long flags;
+ bool wake_klogd = false;
+- bool retry;
++ bool do_cond_resched, retry;
+
+ if (console_suspended) {
+ up(&console_sem);
+ return;
+ }
+
++ /*
++ * Console drivers are called under logbuf_lock, so
++ * @console_may_schedule should be cleared before; however, we may
++ * end up dumping a lot of lines, for example, if called from
++ * console registration path, and should invoke cond_resched()
++ * between lines if allowable. Not doing so can cause a very long
++ * scheduling stall on a slow console leading to RCU stall and
++ * softlockup warnings which exacerbate the issue with more
++ * messages practically incapacitating the system.
++ */
++ do_cond_resched = console_may_schedule;
+ console_may_schedule = 0;
+
+ /* flush buffered message fragment immediately to console */
+@@ -2074,6 +2085,9 @@ skip:
+ call_console_drivers(level, text, len);
+ start_critical_timings();
+ local_irq_restore(flags);
++
++ if (do_cond_resched)
++ cond_resched();
+ }
+ console_locked = 0;
+ mutex_release(&console_lock_dep_map, 1, _RET_IP_);
+@@ -2142,6 +2156,25 @@ void console_unblank(void)
+ console_unlock();
+ }
+
++/**
++ * console_flush_on_panic - flush console content on panic
++ *
++ * Immediately output all pending messages no matter what.
++ */
++void console_flush_on_panic(void)
++{
++ /*
++ * If someone else is holding the console lock, trylock will fail
++ * and may_schedule may be set. Ignore and proceed to unlock so
++ * that messages are flushed out. As this can be called from any
++ * context and we don't want to get preempted while flushing,
++ * ensure may_schedule is cleared.
++ */
++ console_trylock();
++ console_may_schedule = 0;
++ console_unlock();
++}
++
+ /*
+ * Return the console tty driver structure and its associated index
+ */
+diff --git a/mm/migrate.c b/mm/migrate.c
+index 23ca861c93e9..ae10044bdfa5 100644
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -30,6 +30,7 @@
+ #include <linux/mempolicy.h>
+ #include <linux/vmalloc.h>
+ #include <linux/security.h>
++#include <linux/backing-dev.h>
+ #include <linux/memcontrol.h>
+ #include <linux/syscalls.h>
+ #include <linux/hugetlb.h>
+@@ -344,6 +345,8 @@ int migrate_page_move_mapping(struct address_space *mapping,
+ struct buffer_head *head, enum migrate_mode mode,
+ int extra_count)
+ {
++ struct zone *oldzone, *newzone;
++ int dirty;
+ int expected_count = 1 + extra_count;
+ void **pslot;
+
+@@ -354,6 +357,9 @@ int migrate_page_move_mapping(struct address_space *mapping,
+ return MIGRATEPAGE_SUCCESS;
+ }
+
++ oldzone = page_zone(page);
++ newzone = page_zone(newpage);
++
+ spin_lock_irq(&mapping->tree_lock);
+
+ pslot = radix_tree_lookup_slot(&mapping->page_tree,
+@@ -394,6 +400,13 @@ int migrate_page_move_mapping(struct address_space *mapping,
+ set_page_private(newpage, page_private(page));
+ }
+
++ /* Move dirty while page refs frozen and newpage not yet exposed */
++ dirty = PageDirty(page);
++ if (dirty) {
++ ClearPageDirty(page);
++ SetPageDirty(newpage);
++ }
++
+ radix_tree_replace_slot(pslot, newpage);
+
+ /*
+@@ -403,6 +416,9 @@ int migrate_page_move_mapping(struct address_space *mapping,
+ */
+ page_unfreeze_refs(page, expected_count - 1);
+
++ spin_unlock(&mapping->tree_lock);
++ /* Leave irq disabled to prevent preemption while updating stats */
++
+ /*
+ * If moved to a different zone then also account
+ * the page for that zone. Other VM counters will be
+@@ -413,13 +429,19 @@ int migrate_page_move_mapping(struct address_space *mapping,
+ * via NR_FILE_PAGES and NR_ANON_PAGES if they
+ * are mapped to swap space.
+ */
+- __dec_zone_page_state(page, NR_FILE_PAGES);
+- __inc_zone_page_state(newpage, NR_FILE_PAGES);
+- if (!PageSwapCache(page) && PageSwapBacked(page)) {
+- __dec_zone_page_state(page, NR_SHMEM);
+- __inc_zone_page_state(newpage, NR_SHMEM);
++ if (newzone != oldzone) {
++ __dec_zone_state(oldzone, NR_FILE_PAGES);
++ __inc_zone_state(newzone, NR_FILE_PAGES);
++ if (PageSwapBacked(page) && !PageSwapCache(page)) {
++ __dec_zone_state(oldzone, NR_SHMEM);
++ __inc_zone_state(newzone, NR_SHMEM);
++ }
++ if (dirty && mapping_cap_account_dirty(mapping)) {
++ __dec_zone_state(oldzone, NR_FILE_DIRTY);
++ __inc_zone_state(newzone, NR_FILE_DIRTY);
++ }
+ }
+- spin_unlock_irq(&mapping->tree_lock);
++ local_irq_enable();
+
+ return MIGRATEPAGE_SUCCESS;
+ }
+@@ -544,20 +566,9 @@ void migrate_page_copy(struct page *newpage, struct page *page)
+ if (PageMappedToDisk(page))
+ SetPageMappedToDisk(newpage);
+
+- if (PageDirty(page)) {
+- clear_page_dirty_for_io(page);
+- /*
+- * Want to mark the page and the radix tree as dirty, and
+- * redo the accounting that clear_page_dirty_for_io undid,
+- * but we can't use set_page_dirty because that function
+- * is actually a signal that all of the page has become dirty.
+- * Whereas only part of our page may be dirty.
+- */
+- if (PageSwapBacked(page))
+- SetPageDirty(newpage);
+- else
+- __set_page_dirty_nobuffers(newpage);
+- }
++ /* Move dirty on pages not done by migrate_page_move_mapping() */
++ if (PageDirty(page))
++ SetPageDirty(newpage);
+
+ /*
+ * Copy NUMA information to the new page, to prevent over-eager
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 5b10c59ba8a9..90f9d00a3fbc 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
+ EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
+
+ /* rfc5961 challenge ack rate limiting */
+-int sysctl_tcp_challenge_ack_limit = 100;
++int sysctl_tcp_challenge_ack_limit = 1000;
+
+ int sysctl_tcp_stdurg __read_mostly;
+ int sysctl_tcp_rfc1337 __read_mostly;
+@@ -3293,12 +3293,18 @@ static void tcp_send_challenge_ack(struct sock *sk)
+ static u32 challenge_timestamp;
+ static unsigned int challenge_count;
+ u32 now = jiffies / HZ;
++ u32 count;
+
+ if (now != challenge_timestamp) {
++ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
++
+ challenge_timestamp = now;
+- challenge_count = 0;
++ challenge_count = half +
++ prandom_u32_max(sysctl_tcp_challenge_ack_limit);
+ }
+- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
++ count = challenge_count;
++ if (count > 0) {
++ challenge_count = count - 1;
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+ tcp_send_ack(sk);
+ }
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index a68cd7100349..99d89783d1e6 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -242,7 +242,8 @@ void tcp_select_initial_window(int __space, __u32 mss,
+ /* Set window scaling on max possible window
+ * See RFC1323 for an explanation of the limit to 14
+ */
+- space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max);
++ space = max_t(u32, space, sysctl_tcp_rmem[2]);
++ space = max_t(u32, space, sysctl_rmem_max);
+ space = min_t(u32, space, *window_clamp);
+ while (space > 65535 && (*rcv_wscale) < 14) {
+ space >>= 1;
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index f945293c17f0..033a7af5914e 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1037,8 +1037,11 @@ static int irda_connect(struct socket *sock, struct sockaddr *uaddr,
+ }
+
+ /* Check if we have opened a local TSAP */
+- if (!self->tsap)
+- irda_open_tsap(self, LSAP_ANY, addr->sir_name);
++ if (!self->tsap) {
++ err = irda_open_tsap(self, LSAP_ANY, addr->sir_name);
++ if (err)
++ goto out;
++ }
+
+ /* Move to connecting socket, start sending Connect Requests */
+ sock->state = SS_CONNECTING;
+diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
+index fef2acdf4a2e..ecae5561b912 100644
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -244,12 +244,13 @@ void sctp_generate_t3_rtx_event(unsigned long peer)
+ int error;
+ struct sctp_transport *transport = (struct sctp_transport *) peer;
+ struct sctp_association *asoc = transport->asoc;
+- struct net *net = sock_net(asoc->base.sk);
++ struct sock *sk = asoc->base.sk;
++ struct net *net = sock_net(sk);
+
+ /* Check whether a task is in the sock. */
+
+- bh_lock_sock(asoc->base.sk);
+- if (sock_owned_by_user(asoc->base.sk)) {
++ bh_lock_sock(sk);
++ if (sock_owned_by_user(sk)) {
+ pr_debug("%s: sock is busy\n", __func__);
+
+ /* Try again later. */
+@@ -272,10 +273,10 @@ void sctp_generate_t3_rtx_event(unsigned long peer)
+ transport, GFP_ATOMIC);
+
+ if (error)
+- asoc->base.sk->sk_err = -error;
++ sk->sk_err = -error;
+
+ out_unlock:
+- bh_unlock_sock(asoc->base.sk);
++ bh_unlock_sock(sk);
+ sctp_transport_put(transport);
+ }
+
+@@ -285,11 +286,12 @@ out_unlock:
+ static void sctp_generate_timeout_event(struct sctp_association *asoc,
+ sctp_event_timeout_t timeout_type)
+ {
+- struct net *net = sock_net(asoc->base.sk);
++ struct sock *sk = asoc->base.sk;
++ struct net *net = sock_net(sk);
+ int error = 0;
+
+- bh_lock_sock(asoc->base.sk);
+- if (sock_owned_by_user(asoc->base.sk)) {
++ bh_lock_sock(sk);
++ if (sock_owned_by_user(sk)) {
+ pr_debug("%s: sock is busy: timer %d\n", __func__,
+ timeout_type);
+
+@@ -312,10 +314,10 @@ static void sctp_generate_timeout_event(struct sctp_association *asoc,
+ (void *)timeout_type, GFP_ATOMIC);
+
+ if (error)
+- asoc->base.sk->sk_err = -error;
++ sk->sk_err = -error;
+
+ out_unlock:
+- bh_unlock_sock(asoc->base.sk);
++ bh_unlock_sock(sk);
+ sctp_association_put(asoc);
+ }
+
+@@ -365,10 +367,11 @@ void sctp_generate_heartbeat_event(unsigned long data)
+ int error = 0;
+ struct sctp_transport *transport = (struct sctp_transport *) data;
+ struct sctp_association *asoc = transport->asoc;
+- struct net *net = sock_net(asoc->base.sk);
++ struct sock *sk = asoc->base.sk;
++ struct net *net = sock_net(sk);
+
+- bh_lock_sock(asoc->base.sk);
+- if (sock_owned_by_user(asoc->base.sk)) {
++ bh_lock_sock(sk);
++ if (sock_owned_by_user(sk)) {
+ pr_debug("%s: sock is busy\n", __func__);
+
+ /* Try again later. */
+@@ -389,10 +392,10 @@ void sctp_generate_heartbeat_event(unsigned long data)
+ transport, GFP_ATOMIC);
+
+ if (error)
+- asoc->base.sk->sk_err = -error;
++ sk->sk_err = -error;
+
+ out_unlock:
+- bh_unlock_sock(asoc->base.sk);
++ bh_unlock_sock(sk);
+ sctp_transport_put(transport);
+ }
+
+@@ -403,10 +406,11 @@ void sctp_generate_proto_unreach_event(unsigned long data)
+ {
+ struct sctp_transport *transport = (struct sctp_transport *) data;
+ struct sctp_association *asoc = transport->asoc;
+- struct net *net = sock_net(asoc->base.sk);
++ struct sock *sk = asoc->base.sk;
++ struct net *net = sock_net(sk);
+
+- bh_lock_sock(asoc->base.sk);
+- if (sock_owned_by_user(asoc->base.sk)) {
++ bh_lock_sock(sk);
++ if (sock_owned_by_user(sk)) {
+ pr_debug("%s: sock is busy\n", __func__);
+
+ /* Try again later. */
+@@ -427,7 +431,7 @@ void sctp_generate_proto_unreach_event(unsigned long data)
+ asoc->state, asoc->ep, asoc, transport, GFP_ATOMIC);
+
+ out_unlock:
+- bh_unlock_sock(asoc->base.sk);
++ bh_unlock_sock(sk);
+ sctp_association_put(asoc);
+ }
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 7db9954f1af2..b30489856741 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct seq_file *seq, void *v)
+ seq_printf(seq, "%.2x", profile->hash[i]);
+ seq_puts(seq, "\n");
+ }
++ aa_put_profile(profile);
+
+ return 0;
+ }