diff options
| author |   Mike Pagano <mpagano@gentoo.org> | 2022-01-27 06:41:33 -0500 |
|---|---|---|
| committer | Mike Pagano <mpagano@gentoo.org> | 2022-01-27 06:41:33 -0500 |
| commit | 6e79f651605de012d8a78a3dde1bab966017a0cb (patch) | |
| tree | 56c9bb1c53348bb09be1e5e401bde623f294de48 | |
| parent | Linux patch 4.9.297 (diff) | |
| download | linux-patches-6e79f651.tar.gz linux-patches-6e79f651.tar.bz2 linux-patches-6e79f651.zip | |
Linux patch 4.9.2984.9-302
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1297_linux-4.9.298.patch | 4800 |
2 files changed, 4804 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 124bfa64..52cd88fb 100644 --- a/0000_README +++ b/0000_README @@ -1231,6 +1231,10 @@ Patch: 1296_linux-4.9.297.patch From: http://www.kernel.org Desc: Linux 4.9.297 +Patch: 1297_linux-4.9.298.patch +From: http://www.kernel.org +Desc: Linux 4.9.298 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1297_linux-4.9.298.patch b/1297_linux-4.9.298.patch new file mode 100644 index 00000000..26807c93 --- /dev/null +++ b/1297_linux-4.9.298.patch @@ -0,0 +1,4800 @@ +diff --git a/Documentation/rbtree.txt b/Documentation/rbtree.txt +index b9d9cc57be189..9fedfedfd85fc 100644 +--- a/Documentation/rbtree.txt ++++ b/Documentation/rbtree.txt +@@ -190,6 +190,39 @@ Example: + for (node = rb_first(&mytree); node; node = rb_next(node)) + printk("key=%s\n", rb_entry(node, struct mytype, node)->keystring); + ++Cached rbtrees ++-------------- ++ ++Computing the leftmost (smallest) node is quite a common task for binary ++search trees, such as for traversals or users relying on a the particular ++order for their own logic. To this end, users can use 'struct rb_root_cached' ++to optimize O(logN) rb_first() calls to a simple pointer fetch avoiding ++potentially expensive tree iterations. This is done at negligible runtime ++overhead for maintanence; albeit larger memory footprint. ++ ++Similar to the rb_root structure, cached rbtrees are initialized to be ++empty via: ++ ++ struct rb_root_cached mytree = RB_ROOT_CACHED; ++ ++Cached rbtree is simply a regular rb_root with an extra pointer to cache the ++leftmost node. This allows rb_root_cached to exist wherever rb_root does, ++which permits augmented trees to be supported as well as only a few extra ++interfaces: ++ ++ struct rb_node *rb_first_cached(struct rb_root_cached *tree); ++ void rb_insert_color_cached(struct rb_node *, struct rb_root_cached *, bool); ++ void rb_erase_cached(struct rb_node *node, struct rb_root_cached *); ++ ++Both insert and erase calls have their respective counterpart of augmented ++trees: ++ ++ void rb_insert_augmented_cached(struct rb_node *node, struct rb_root_cached *, ++ bool, struct rb_augment_callbacks *); ++ void rb_erase_augmented_cached(struct rb_node *, struct rb_root_cached *, ++ struct rb_augment_callbacks *); ++ ++ + Support for Augmented rbtrees + ----------------------------- + +diff --git a/Makefile b/Makefile +index 70a11157b2404..b0f683f18df71 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 297 ++SUBLEVEL = 298 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index c2557cf43b3dc..d8bf83d732be3 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -25,8 +25,8 @@ + #size-cells = <2>; + + aliases { +- sdhc1 = &sdhc_1; /* SDC1 eMMC slot */ +- sdhc2 = &sdhc_2; /* SDC2 SD card slot */ ++ mmc0 = &sdhc_1; /* SDC1 eMMC slot */ ++ mmc1 = &sdhc_2; /* SDC2 SD card slot */ + }; + + chosen { }; +diff --git a/arch/mips/bcm63xx/clk.c b/arch/mips/bcm63xx/clk.c +index 4f375050ab8e9..3be875a45c834 100644 +--- a/arch/mips/bcm63xx/clk.c ++++ b/arch/mips/bcm63xx/clk.c +@@ -342,6 +342,12 @@ struct clk *clk_get_parent(struct clk *clk) + } + EXPORT_SYMBOL(clk_get_parent); + ++int clk_set_parent(struct clk *clk, struct clk *parent) ++{ ++ return 0; ++} ++EXPORT_SYMBOL(clk_set_parent); ++ + unsigned long clk_get_rate(struct clk *clk) + { + return clk->rate; +diff --git a/arch/mips/include/asm/octeon/cvmx-bootinfo.h b/arch/mips/include/asm/octeon/cvmx-bootinfo.h +index 62787765575ef..ce6e5fddce0bf 100644 +--- a/arch/mips/include/asm/octeon/cvmx-bootinfo.h ++++ b/arch/mips/include/asm/octeon/cvmx-bootinfo.h +@@ -315,7 +315,7 @@ enum cvmx_chip_types_enum { + + /* Functions to return string based on type */ + #define ENUM_BRD_TYPE_CASE(x) \ +- case x: return(#x + 16); /* Skip CVMX_BOARD_TYPE_ */ ++ case x: return (&#x[16]); /* Skip CVMX_BOARD_TYPE_ */ + static inline const char *cvmx_board_type_to_string(enum + cvmx_board_types_enum type) + { +@@ -404,7 +404,7 @@ static inline const char *cvmx_board_type_to_string(enum + } + + #define ENUM_CHIP_TYPE_CASE(x) \ +- case x: return(#x + 15); /* Skip CVMX_CHIP_TYPE */ ++ case x: return (&#x[15]); /* Skip CVMX_CHIP_TYPE */ + static inline const char *cvmx_chip_type_to_string(enum + cvmx_chip_types_enum type) + { +diff --git a/arch/mips/lantiq/clk.c b/arch/mips/lantiq/clk.c +index 149f0513c4f5d..d1de57b86683c 100644 +--- a/arch/mips/lantiq/clk.c ++++ b/arch/mips/lantiq/clk.c +@@ -165,6 +165,12 @@ struct clk *of_clk_get_from_provider(struct of_phandle_args *clkspec) + return NULL; + } + ++int clk_set_parent(struct clk *clk, struct clk *parent) ++{ ++ return 0; ++} ++EXPORT_SYMBOL(clk_set_parent); ++ + static inline u32 get_counter_resolution(void) + { + u32 res; +diff --git a/arch/mips/mm/gup.c b/arch/mips/mm/gup.c +index d8c3c159289a2..71a19d20bbb7a 100644 +--- a/arch/mips/mm/gup.c ++++ b/arch/mips/mm/gup.c +@@ -271,7 +271,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write, + next = pgd_addr_end(addr, end); + if (pgd_none(pgd)) + goto slow; +- if (!gup_pud_range(pgd, addr, next, write, pages, &nr)) ++ /* ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads, ++ * because get_user_pages() may need to cause an early COW in ++ * order to avoid confusing the normal COW routines. So only ++ * targets that are already writable are safe to do by just ++ * looking at the page tables. ++ */ ++ if (!gup_pud_range(pgd, addr, next, 1, pages, &nr)) + goto slow; + } while (pgdp++, addr = next, addr != end); + local_irq_enable(); +diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c +index 11c91697d5f9e..5b41779de2337 100644 +--- a/arch/parisc/kernel/traps.c ++++ b/arch/parisc/kernel/traps.c +@@ -793,7 +793,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) + * unless pagefault_disable() was called before. + */ + +- if (fault_space == 0 && !faulthandler_disabled()) ++ if (faulthandler_disabled() || fault_space == 0) + { + /* Clean up and return if in exception table. */ + if (fixup_exception(regs)) +diff --git a/arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi b/arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi +index 7f60b60601764..39b1c1fa0c81f 100644 +--- a/arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi ++++ b/arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi +@@ -78,6 +78,7 @@ fman0: fman@400000 { + #size-cells = <0>; + compatible = "fsl,fman-memac-mdio", "fsl,fman-xmdio"; + reg = <0xfc000 0x1000>; ++ fsl,erratum-a009885; + }; + + xmdio0: mdio@fd000 { +@@ -85,6 +86,7 @@ fman0: fman@400000 { + #size-cells = <0>; + compatible = "fsl,fman-memac-mdio", "fsl,fman-xmdio"; + reg = <0xfd000 0x1000>; ++ fsl,erratum-a009885; + }; + + ptp_timer0: ptp-timer@fe000 { +diff --git a/arch/powerpc/kernel/btext.c b/arch/powerpc/kernel/btext.c +index 8275858a434d9..2d91ba38b4524 100644 +--- a/arch/powerpc/kernel/btext.c ++++ b/arch/powerpc/kernel/btext.c +@@ -257,8 +257,10 @@ int __init btext_find_display(int allow_nonstdout) + rc = btext_initialize(np); + printk("result: %d\n", rc); + } +- if (rc == 0) ++ if (rc == 0) { ++ of_node_put(np); + break; ++ } + } + return rc; + } +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c +index 1e8c57207346e..df3af10b8cc95 100644 +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -2528,7 +2528,7 @@ static void __init fixup_device_tree_efika_add_phy(void) + + /* Check if the phy-handle property exists - bail if it does */ + rv = prom_getprop(node, "phy-handle", prop, sizeof(prop)); +- if (!rv) ++ if (rv <= 0) + return; + + /* +diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c +index 9c6f3fd580597..31675c1d678b6 100644 +--- a/arch/powerpc/kernel/smp.c ++++ b/arch/powerpc/kernel/smp.c +@@ -759,10 +759,12 @@ void start_secondary(void *unused) + BUG(); + } + ++#ifdef CONFIG_PROFILING + int setup_profiling_timer(unsigned int multiplier) + { + return 0; + } ++#endif + + #ifdef CONFIG_SCHED_SMT + /* cpumask of CPUs with asymetric SMT dependancy */ +diff --git a/arch/powerpc/platforms/cell/iommu.c b/arch/powerpc/platforms/cell/iommu.c +index 7ff51f96a00e8..8df43781f5db9 100644 +--- a/arch/powerpc/platforms/cell/iommu.c ++++ b/arch/powerpc/platforms/cell/iommu.c +@@ -1107,6 +1107,7 @@ static int __init cell_iommu_fixed_mapping_init(void) + if (hbase < dbase || (hend > (dbase + dsize))) { + pr_debug("iommu: hash window doesn't fit in" + "real DMA window\n"); ++ of_node_put(np); + return -1; + } + } +diff --git a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c +index bf4a125faec66..db2ea6b6889de 100644 +--- a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c ++++ b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c +@@ -220,6 +220,7 @@ void hlwd_pic_probe(void) + irq_set_chained_handler(cascade_virq, + hlwd_pic_irq_cascade); + hlwd_irq_host = host; ++ of_node_put(np); + break; + } + } +diff --git a/arch/powerpc/platforms/powernv/opal-lpc.c b/arch/powerpc/platforms/powernv/opal-lpc.c +index e4169d68cb328..d28c4a9269c38 100644 +--- a/arch/powerpc/platforms/powernv/opal-lpc.c ++++ b/arch/powerpc/platforms/powernv/opal-lpc.c +@@ -401,6 +401,7 @@ void opal_lpc_init(void) + if (!of_get_property(np, "primary", NULL)) + continue; + opal_lpc_chip_id = of_get_ibm_chip_id(np); ++ of_node_put(np); + break; + } + if (opal_lpc_chip_id < 0) +diff --git a/arch/s390/mm/gup.c b/arch/s390/mm/gup.c +index cf045f56581e3..be1e2ed6405d3 100644 +--- a/arch/s390/mm/gup.c ++++ b/arch/s390/mm/gup.c +@@ -261,7 +261,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write, + + might_sleep(); + start &= PAGE_MASK; +- nr = __get_user_pages_fast(start, nr_pages, write, pages); ++ /* ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads, ++ * because get_user_pages() may need to cause an early COW in ++ * order to avoid confusing the normal COW routines. So only ++ * targets that are already writable are safe to do by just ++ * looking at the page tables. ++ */ ++ nr = __get_user_pages_fast(start, nr_pages, 1, pages); + if (nr == nr_pages) + return nr; + +diff --git a/arch/sh/mm/gup.c b/arch/sh/mm/gup.c +index 063c298ba56cc..7fec66e34af06 100644 +--- a/arch/sh/mm/gup.c ++++ b/arch/sh/mm/gup.c +@@ -239,7 +239,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write, + next = pgd_addr_end(addr, end); + if (pgd_none(pgd)) + goto slow; +- if (!gup_pud_range(pgd, addr, next, write, pages, &nr)) ++ /* ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads, ++ * because get_user_pages() may need to cause an early COW in ++ * order to avoid confusing the normal COW routines. So only ++ * targets that are already writable are safe to do by just ++ * looking at the page tables. ++ */ ++ if (!gup_pud_range(pgd, addr, next, 1, pages, &nr)) + goto slow; + } while (pgdp++, addr = next, addr != end); + local_irq_enable(); +diff --git a/arch/sparc/mm/gup.c b/arch/sparc/mm/gup.c +index cd0e32bbcb1de..685679f879888 100644 +--- a/arch/sparc/mm/gup.c ++++ b/arch/sparc/mm/gup.c +@@ -218,7 +218,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write, + next = pgd_addr_end(addr, end); + if (pgd_none(pgd)) + goto slow; +- if (!gup_pud_range(pgd, addr, next, write, pages, &nr)) ++ /* ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads, ++ * because get_user_pages() may need to cause an early COW in ++ * order to avoid confusing the normal COW routines. So only ++ * targets that are already writable are safe to do by just ++ * looking at the page tables. ++ */ ++ if (!gup_pud_range(pgd, addr, next, 1, pages, &nr)) + goto slow; + } while (pgdp++, addr = next, addr != end); + +diff --git a/arch/um/include/shared/registers.h b/arch/um/include/shared/registers.h +index a74449b5b0e31..12ad7c435e97f 100644 +--- a/arch/um/include/shared/registers.h ++++ b/arch/um/include/shared/registers.h +@@ -16,8 +16,8 @@ extern int restore_fp_registers(int pid, unsigned long *fp_regs); + extern int save_fpx_registers(int pid, unsigned long *fp_regs); + extern int restore_fpx_registers(int pid, unsigned long *fp_regs); + extern int save_registers(int pid, struct uml_pt_regs *regs); +-extern int restore_registers(int pid, struct uml_pt_regs *regs); +-extern int init_registers(int pid); ++extern int restore_pid_registers(int pid, struct uml_pt_regs *regs); ++extern int init_pid_registers(int pid); + extern void get_safe_registers(unsigned long *regs, unsigned long *fp_regs); + extern unsigned long get_thread_reg(int reg, jmp_buf *buf); + extern int get_fp_registers(int pid, unsigned long *regs); +diff --git a/arch/um/os-Linux/registers.c b/arch/um/os-Linux/registers.c +index 2ff8d4fe83c4f..34a5963bd7efd 100644 +--- a/arch/um/os-Linux/registers.c ++++ b/arch/um/os-Linux/registers.c +@@ -21,7 +21,7 @@ int save_registers(int pid, struct uml_pt_regs *regs) + return 0; + } + +-int restore_registers(int pid, struct uml_pt_regs *regs) ++int restore_pid_registers(int pid, struct uml_pt_regs *regs) + { + int err; + +@@ -36,7 +36,7 @@ int restore_registers(int pid, struct uml_pt_regs *regs) + static unsigned long exec_regs[MAX_REG_NR]; + static unsigned long exec_fp_regs[FP_SIZE]; + +-int init_registers(int pid) ++int init_pid_registers(int pid) + { + int err; + +diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c +index 22a358ef1b0cd..dc06933ba63d9 100644 +--- a/arch/um/os-Linux/start_up.c ++++ b/arch/um/os-Linux/start_up.c +@@ -334,7 +334,7 @@ void __init os_early_checks(void) + check_tmpexec(); + + pid = start_ptraced_child(); +- if (init_registers(pid)) ++ if (init_pid_registers(pid)) + fatal("Failed to initialize default registers"); + stop_ptraced_child(pid, 1, 1); + } +diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c +index 82f727fbbbd2c..549f89fb3abc9 100644 +--- a/arch/x86/mm/gup.c ++++ b/arch/x86/mm/gup.c +@@ -454,7 +454,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write, + next = pgd_addr_end(addr, end); + if (pgd_none(pgd)) + goto slow; +- if (!gup_pud_range(pgd, addr, next, write, pages, &nr)) ++ /* ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads, ++ * because get_user_pages() may need to cause an early COW in ++ * order to avoid confusing the normal COW routines. So only ++ * targets that are already writable are safe to do by just ++ * looking at the page tables. ++ */ ++ if (!gup_pud_range(pgd, addr, next, 1, pages, &nr)) + goto slow; + } while (pgdp++, addr = next, addr != end); + local_irq_enable(); +diff --git a/arch/x86/um/syscalls_64.c b/arch/x86/um/syscalls_64.c +index e6552275320bc..40ecacb2c54b3 100644 +--- a/arch/x86/um/syscalls_64.c ++++ b/arch/x86/um/syscalls_64.c +@@ -9,6 +9,7 @@ + #include <linux/uaccess.h> + #include <asm/prctl.h> /* XXX This should get the constants from libc */ + #include <os.h> ++#include <registers.h> + + long arch_prctl(struct task_struct *task, int code, unsigned long __user *addr) + { +@@ -32,7 +33,7 @@ long arch_prctl(struct task_struct *task, int code, unsigned long __user *addr) + switch (code) { + case ARCH_SET_FS: + case ARCH_SET_GS: +- ret = restore_registers(pid, ¤t->thread.regs.regs); ++ ret = restore_pid_registers(pid, ¤t->thread.regs.regs); + if (ret) + return ret; + break; +diff --git a/drivers/acpi/acpica/exoparg1.c b/drivers/acpi/acpica/exoparg1.c +index 007300433cdea..1cea26a741474 100644 +--- a/drivers/acpi/acpica/exoparg1.c ++++ b/drivers/acpi/acpica/exoparg1.c +@@ -1029,7 +1029,8 @@ acpi_status acpi_ex_opcode_1A_0T_1R(struct acpi_walk_state *walk_state) + (walk_state, return_desc, + &temp_desc); + if (ACPI_FAILURE(status)) { +- goto cleanup; ++ return_ACPI_STATUS ++ (status); + } + + return_desc = temp_desc; +diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c +index 03a2282ceb9ca..81a9c47973ce8 100644 +--- a/drivers/acpi/acpica/utdelete.c ++++ b/drivers/acpi/acpica/utdelete.c +@@ -440,6 +440,7 @@ acpi_ut_update_ref_count(union acpi_operand_object *object, u32 action) + ACPI_WARNING((AE_INFO, + "Obj %p, Reference Count is already zero, cannot decrement\n", + object)); ++ return; + } + + ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS, +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 4496e7a492352..7164be9710e51 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -994,7 +994,7 @@ static DECLARE_DELAYED_WORK(fd_timer, fd_timer_workfn); + static void cancel_activity(void) + { + do_floppy = NULL; +- cancel_delayed_work_sync(&fd_timer); ++ cancel_delayed_work(&fd_timer); + cancel_work_sync(&floppy_work); + } + +@@ -3116,6 +3116,8 @@ static void raw_cmd_free(struct floppy_raw_cmd **ptr) + } + } + ++#define MAX_LEN (1UL << MAX_ORDER << PAGE_SHIFT) ++ + static int raw_cmd_copyin(int cmd, void __user *param, + struct floppy_raw_cmd **rcmd) + { +@@ -3153,7 +3155,7 @@ loop: + ptr->resultcode = 0; + + if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) { +- if (ptr->length <= 0) ++ if (ptr->length <= 0 || ptr->length >= MAX_LEN) + return -EINVAL; + ptr->kernel_data = (char *)fd_dma_mem_alloc(ptr->length); + fallback_on_nodma_alloc(&ptr->kernel_data, ptr->length); +diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c +index 3bf4ec60e0736..cee2de027e5ad 100644 +--- a/drivers/bluetooth/bfusb.c ++++ b/drivers/bluetooth/bfusb.c +@@ -644,6 +644,9 @@ static int bfusb_probe(struct usb_interface *intf, const struct usb_device_id *i + data->bulk_out_ep = bulk_out_ep->desc.bEndpointAddress; + data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize); + ++ if (!data->bulk_pkt_size) ++ goto done; ++ + rwlock_init(&data->lock); + + data->reassembly = NULL; +diff --git a/drivers/char/mwave/3780i.h b/drivers/char/mwave/3780i.h +index 9ccb6b270b071..95164246afd1a 100644 +--- a/drivers/char/mwave/3780i.h ++++ b/drivers/char/mwave/3780i.h +@@ -68,7 +68,7 @@ typedef struct { + unsigned char ClockControl:1; /* RW: Clock control: 0=normal, 1=stop 3780i clocks */ + unsigned char SoftReset:1; /* RW: Soft reset 0=normal, 1=soft reset active */ + unsigned char ConfigMode:1; /* RW: Configuration mode, 0=normal, 1=config mode */ +- unsigned char Reserved:5; /* 0: Reserved */ ++ unsigned short Reserved:13; /* 0: Reserved */ + } DSP_ISA_SLAVE_CONTROL; + + +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 2184d87623272..70ee86e034fcd 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -845,8 +845,8 @@ static void do_numa_crng_init(struct work_struct *work) + crng_initialize(crng); + pool[i] = crng; + } +- mb(); +- if (cmpxchg(&crng_node_pool, NULL, pool)) { ++ /* pairs with READ_ONCE() in select_crng() */ ++ if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) { + for_each_node(i) + kfree(pool[i]); + kfree(pool); +@@ -859,8 +859,26 @@ static void numa_crng_init(void) + { + schedule_work(&numa_crng_init_work); + } ++ ++static struct crng_state *select_crng(void) ++{ ++ struct crng_state **pool; ++ int nid = numa_node_id(); ++ ++ /* pairs with cmpxchg_release() in do_numa_crng_init() */ ++ pool = READ_ONCE(crng_node_pool); ++ if (pool && pool[nid]) ++ return pool[nid]; ++ ++ return &primary_crng; ++} + #else + static void numa_crng_init(void) {} ++ ++static struct crng_state *select_crng(void) ++{ ++ return &primary_crng; ++} + #endif + + static void crng_reseed(struct crng_state *crng, struct entropy_store *r) +@@ -890,7 +908,7 @@ static void crng_reseed(struct crng_state *crng, struct entropy_store *r) + crng->state[i+4] ^= buf.key[i] ^ rv; + } + memzero_explicit(&buf, sizeof(buf)); +- crng->init_time = jiffies; ++ WRITE_ONCE(crng->init_time, jiffies); + if (crng == &primary_crng && crng_init < 2) { + numa_crng_init(); + crng_init = 2; +@@ -928,12 +946,15 @@ static inline void crng_wait_ready(void) + static void _extract_crng(struct crng_state *crng, + __u8 out[CHACHA20_BLOCK_SIZE]) + { +- unsigned long v, flags; +- +- if (crng_ready() && +- (time_after(crng_global_init_time, crng->init_time) || +- time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))) +- crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL); ++ unsigned long v, flags, init_time; ++ ++ if (crng_ready()) { ++ init_time = READ_ONCE(crng->init_time); ++ if (time_after(READ_ONCE(crng_global_init_time), init_time) || ++ time_after(jiffies, init_time + CRNG_RESEED_INTERVAL)) ++ crng_reseed(crng, crng == &primary_crng ? ++ &input_pool : NULL); ++ } + spin_lock_irqsave(&crng->lock, flags); + if (arch_get_random_long(&v)) + crng->state[14] ^= v; +@@ -945,15 +966,7 @@ static void _extract_crng(struct crng_state *crng, + + static void extract_crng(__u8 out[CHACHA20_BLOCK_SIZE]) + { +- struct crng_state *crng = NULL; +- +-#ifdef CONFIG_NUMA +- if (crng_node_pool) +- crng = crng_node_pool[numa_node_id()]; +- if (crng == NULL) +-#endif +- crng = &primary_crng; +- _extract_crng(crng, out); ++ _extract_crng(select_crng(), out); + } + + /* +@@ -982,15 +995,7 @@ static void _crng_backtrack_protect(struct crng_state *crng, + + static void crng_backtrack_protect(__u8 tmp[CHACHA20_BLOCK_SIZE], int used) + { +- struct crng_state *crng = NULL; +- +-#ifdef CONFIG_NUMA +- if (crng_node_pool) +- crng = crng_node_pool[numa_node_id()]; +- if (crng == NULL) +-#endif +- crng = &primary_crng; +- _crng_backtrack_protect(crng, tmp, used); ++ _crng_backtrack_protect(select_crng(), tmp, used); + } + + static ssize_t extract_crng_user(void __user *buf, size_t nbytes) +@@ -1914,7 +1919,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) + if (crng_init < 2) + return -ENODATA; + crng_reseed(&primary_crng, &input_pool); +- crng_global_init_time = jiffies - 1; ++ WRITE_ONCE(crng_global_init_time, jiffies - 1); + return 0; + default: + return -EINVAL; +diff --git a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c +index 47e114ac09d01..ff1e788f92767 100644 +--- a/drivers/crypto/qce/sha.c ++++ b/drivers/crypto/qce/sha.c +@@ -544,8 +544,8 @@ static int qce_ahash_register_one(const struct qce_ahash_def *def, + + ret = crypto_register_ahash(alg); + if (ret) { +- kfree(tmpl); + dev_err(qce->dev, "%s registration failed\n", base->cra_name); ++ kfree(tmpl); + return ret; + } + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index a505be9ef96da..c15ca560fe60d 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -100,6 +100,7 @@ + #define AT_XDMAC_CNDC_NDE (0x1 << 0) /* Channel x Next Descriptor Enable */ + #define AT_XDMAC_CNDC_NDSUP (0x1 << 1) /* Channel x Next Descriptor Source Update */ + #define AT_XDMAC_CNDC_NDDUP (0x1 << 2) /* Channel x Next Descriptor Destination Update */ ++#define AT_XDMAC_CNDC_NDVIEW_MASK GENMASK(28, 27) + #define AT_XDMAC_CNDC_NDVIEW_NDV0 (0x0 << 3) /* Channel x Next Descriptor View 0 */ + #define AT_XDMAC_CNDC_NDVIEW_NDV1 (0x1 << 3) /* Channel x Next Descriptor View 1 */ + #define AT_XDMAC_CNDC_NDVIEW_NDV2 (0x2 << 3) /* Channel x Next Descriptor View 2 */ +@@ -232,15 +233,15 @@ struct at_xdmac { + + /* Linked List Descriptor */ + struct at_xdmac_lld { +- dma_addr_t mbr_nda; /* Next Descriptor Member */ +- u32 mbr_ubc; /* Microblock Control Member */ +- dma_addr_t mbr_sa; /* Source Address Member */ +- dma_addr_t mbr_da; /* Destination Address Member */ +- u32 mbr_cfg; /* Configuration Register */ +- u32 mbr_bc; /* Block Control Register */ +- u32 mbr_ds; /* Data Stride Register */ +- u32 mbr_sus; /* Source Microblock Stride Register */ +- u32 mbr_dus; /* Destination Microblock Stride Register */ ++ u32 mbr_nda; /* Next Descriptor Member */ ++ u32 mbr_ubc; /* Microblock Control Member */ ++ u32 mbr_sa; /* Source Address Member */ ++ u32 mbr_da; /* Destination Address Member */ ++ u32 mbr_cfg; /* Configuration Register */ ++ u32 mbr_bc; /* Block Control Register */ ++ u32 mbr_ds; /* Data Stride Register */ ++ u32 mbr_sus; /* Source Microblock Stride Register */ ++ u32 mbr_dus; /* Destination Microblock Stride Register */ + }; + + /* 64-bit alignment needed to update CNDA and CUBC registers in an atomic way. */ +@@ -345,9 +346,6 @@ static void at_xdmac_start_xfer(struct at_xdmac_chan *atchan, + + dev_vdbg(chan2dev(&atchan->chan), "%s: desc 0x%p\n", __func__, first); + +- if (at_xdmac_chan_is_enabled(atchan)) +- return; +- + /* Set transfer as active to not try to start it again. */ + first->active_xfer = true; + +@@ -363,7 +361,8 @@ static void at_xdmac_start_xfer(struct at_xdmac_chan *atchan, + */ + if (at_xdmac_chan_is_cyclic(atchan)) + reg = AT_XDMAC_CNDC_NDVIEW_NDV1; +- else if (first->lld.mbr_ubc & AT_XDMAC_MBR_UBC_NDV3) ++ else if ((first->lld.mbr_ubc & ++ AT_XDMAC_CNDC_NDVIEW_MASK) == AT_XDMAC_MBR_UBC_NDV3) + reg = AT_XDMAC_CNDC_NDVIEW_NDV3; + else + reg = AT_XDMAC_CNDC_NDVIEW_NDV2; +@@ -428,13 +427,12 @@ static dma_cookie_t at_xdmac_tx_submit(struct dma_async_tx_descriptor *tx) + spin_lock_irqsave(&atchan->lock, irqflags); + cookie = dma_cookie_assign(tx); + ++ list_add_tail(&desc->xfer_node, &atchan->xfers_list); ++ spin_unlock_irqrestore(&atchan->lock, irqflags); ++ + dev_vdbg(chan2dev(tx->chan), "%s: atchan 0x%p, add desc 0x%p to xfers_list\n", + __func__, atchan, desc); +- list_add_tail(&desc->xfer_node, &atchan->xfers_list); +- if (list_is_singular(&atchan->xfers_list)) +- at_xdmac_start_xfer(atchan, desc); + +- spin_unlock_irqrestore(&atchan->lock, irqflags); + return cookie; + } + +diff --git a/drivers/dma/mmp_pdma.c b/drivers/dma/mmp_pdma.c +index eb3a1f42ab065..e8b2d3e31de80 100644 +--- a/drivers/dma/mmp_pdma.c ++++ b/drivers/dma/mmp_pdma.c +@@ -722,12 +722,6 @@ static int mmp_pdma_config(struct dma_chan *dchan, + + chan->dir = cfg->direction; + chan->dev_addr = addr; +- /* FIXME: drivers should be ported over to use the filter +- * function. Once that's done, the following two lines can +- * be removed. +- */ +- if (cfg->slave_id) +- chan->drcmr = cfg->slave_id; + + return 0; + } +diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c +index 3f56f9ca44824..5bd1ade187d3f 100644 +--- a/drivers/dma/pxa_dma.c ++++ b/drivers/dma/pxa_dma.c +@@ -975,13 +975,6 @@ static void pxad_get_config(struct pxad_chan *chan, + *dcmd |= PXA_DCMD_BURST16; + else if (maxburst == 32) + *dcmd |= PXA_DCMD_BURST32; +- +- /* FIXME: drivers should be ported over to use the filter +- * function. Once that's done, the following two lines can +- * be removed. +- */ +- if (chan->cfg.slave_id) +- chan->drcmr = chan->cfg.slave_id; + } + + static struct dma_async_tx_descriptor * +diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c +index 986248f7011aa..c479280590e42 100644 +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -675,10 +675,17 @@ int acpi_dev_gpio_irq_get(struct acpi_device *adev, int index) + irq_flags = acpi_dev_get_irq_type(info.triggering, + info.polarity); + +- /* Set type if specified and different than the current one */ +- if (irq_flags != IRQ_TYPE_NONE && +- irq_flags != irq_get_trigger_type(irq)) +- irq_set_irq_type(irq, irq_flags); ++ /* ++ * If the IRQ is not already in use then set type ++ * if specified and different than the current one. ++ */ ++ if (can_request_irq(irq, irq_flags)) { ++ if (irq_flags != IRQ_TYPE_NONE && ++ irq_flags != irq_get_trigger_type(irq)) ++ irq_set_irq_type(irq, irq_flags); ++ } else { ++ dev_dbg(&adev->dev, "IRQ %d already in use\n", irq); ++ } + + return irq; + } +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index eb79d0d3d34f1..7264169d5f2a7 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -404,6 +404,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder) + native_mode->vdisplay != 0 && + native_mode->clock != 0) { + mode = drm_mode_duplicate(dev, native_mode); ++ if (!mode) ++ return NULL; ++ + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER; + drm_mode_set_name(mode); + +@@ -418,6 +421,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder) + * simpler. + */ + mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false); ++ if (!mode) ++ return NULL; ++ + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER; + DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name); + } +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index 07d2a8e7f78c3..202c00b17df2d 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -2274,9 +2274,9 @@ static void snb_wm_latency_quirk(struct drm_device *dev) + * The BIOS provided WM memory latency values are often + * inadequate for high resolution displays. Adjust them. + */ +- changed = ilk_increase_wm_latency(dev_priv, dev_priv->wm.pri_latency, 12) | +- ilk_increase_wm_latency(dev_priv, dev_priv->wm.spr_latency, 12) | +- ilk_increase_wm_latency(dev_priv, dev_priv->wm.cur_latency, 12); ++ changed = ilk_increase_wm_latency(dev_priv, dev_priv->wm.pri_latency, 12); ++ changed |= ilk_increase_wm_latency(dev_priv, dev_priv->wm.spr_latency, 12); ++ changed |= ilk_increase_wm_latency(dev_priv, dev_priv->wm.cur_latency, 12); + + if (!changed) + return; +diff --git a/drivers/gpu/drm/nouveau/nouveau_sgdma.c b/drivers/gpu/drm/nouveau/nouveau_sgdma.c +index db35ab5883acd..d3bfd7912a994 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_sgdma.c ++++ b/drivers/gpu/drm/nouveau/nouveau_sgdma.c +@@ -105,12 +105,9 @@ nouveau_sgdma_create_ttm(struct ttm_bo_device *bdev, + else + nvbe->ttm.ttm.func = &nv50_sgdma_backend; + +- if (ttm_dma_tt_init(&nvbe->ttm, bdev, size, page_flags, dummy_read_page)) +- /* +- * A failing ttm_dma_tt_init() will call ttm_tt_destroy() +- * and thus our nouveau_sgdma_destroy() hook, so we don't need +- * to free nvbe here. +- */ ++ if (ttm_dma_tt_init(&nvbe->ttm, bdev, size, page_flags, dummy_read_page)) { ++ kfree(nvbe); + return NULL; ++ } + return &nvbe->ttm.ttm; + } +diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c +index 61000e3b2e793..b55403c99d804 100644 +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -630,6 +630,8 @@ void radeon_driver_lastclose_kms(struct drm_device *dev) + int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + { + struct radeon_device *rdev = dev->dev_private; ++ struct radeon_fpriv *fpriv; ++ struct radeon_vm *vm; + int r; + + file_priv->driver_priv = NULL; +@@ -642,48 +644,52 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + + /* new gpu have virtual address space support */ + if (rdev->family >= CHIP_CAYMAN) { +- struct radeon_fpriv *fpriv; +- struct radeon_vm *vm; + + fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL); + if (unlikely(!fpriv)) { + r = -ENOMEM; +- goto out_suspend; ++ goto err_suspend; + } + + if (rdev->accel_working) { + vm = &fpriv->vm; + r = radeon_vm_init(rdev, vm); +- if (r) { +- kfree(fpriv); +- goto out_suspend; +- } ++ if (r) ++ goto err_fpriv; + + r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false); +- if (r) { +- radeon_vm_fini(rdev, vm); +- kfree(fpriv); +- goto out_suspend; +- } ++ if (r) ++ goto err_vm_fini; + + /* map the ib pool buffer read only into + * virtual address space */ + vm->ib_bo_va = radeon_vm_bo_add(rdev, vm, + rdev->ring_tmp_bo.bo); ++ if (!vm->ib_bo_va) { ++ r = -ENOMEM; ++ goto err_vm_fini; ++ } ++ + r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va, + RADEON_VA_IB_OFFSET, + RADEON_VM_PAGE_READABLE | + RADEON_VM_PAGE_SNOOPED); +- if (r) { +- radeon_vm_fini(rdev, vm); +- kfree(fpriv); +- goto out_suspend; +- } ++ if (r) ++ goto err_vm_fini; + } + file_priv->driver_priv = fpriv; + } + +-out_suspend: ++ pm_runtime_mark_last_busy(dev->dev); ++ pm_runtime_put_autosuspend(dev->dev); ++ return 0; ++ ++err_vm_fini: ++ radeon_vm_fini(rdev, vm); ++err_fpriv: ++ kfree(fpriv); ++ ++err_suspend: + pm_runtime_mark_last_busy(dev->dev); + pm_runtime_put_autosuspend(dev->dev); + return r; +diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c +index aee3c00f836e7..e4e24be523533 100644 +--- a/drivers/gpu/drm/ttm/ttm_tt.c ++++ b/drivers/gpu/drm/ttm/ttm_tt.c +@@ -195,7 +195,6 @@ int ttm_tt_init(struct ttm_tt *ttm, struct ttm_bo_device *bdev, + + ttm_tt_alloc_page_directory(ttm); + if (!ttm->pages) { +- ttm_tt_destroy(ttm); + pr_err("Failed allocating page table\n"); + return -ENOMEM; + } +@@ -228,7 +227,6 @@ int ttm_dma_tt_init(struct ttm_dma_tt *ttm_dma, struct ttm_bo_device *bdev, + INIT_LIST_HEAD(&ttm_dma->pages_list); + ttm_dma_tt_alloc_page_directory(ttm_dma); + if (!ttm->pages) { +- ttm_tt_destroy(ttm); + pr_err("Failed allocating page table\n"); + return -ENOMEM; + } +diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c +index 149902619cbc8..0074091c27aa2 100644 +--- a/drivers/hid/hid-apple.c ++++ b/drivers/hid/hid-apple.c +@@ -390,7 +390,7 @@ static int apple_input_configured(struct hid_device *hdev, + + if ((asc->quirks & APPLE_HAS_FN) && !asc->fn_found) { + hid_info(hdev, "Fn key not found (Apple Wireless Keyboard clone?), disabling Fn key handling\n"); +- asc->quirks = 0; ++ asc->quirks &= ~APPLE_HAS_FN; + } + + return 0; +diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c +index e60e41e775020..f7705a057f0f4 100644 +--- a/drivers/hid/uhid.c ++++ b/drivers/hid/uhid.c +@@ -33,11 +33,22 @@ + + struct uhid_device { + struct mutex devlock; ++ ++ /* This flag tracks whether the HID device is usable for commands from ++ * userspace. The flag is already set before hid_add_device(), which ++ * runs in workqueue context, to allow hid_add_device() to communicate ++ * with userspace. ++ * However, if hid_add_device() fails, the flag is cleared without ++ * holding devlock. ++ * We guarantee that if @running changes from true to false while you're ++ * holding @devlock, it's still fine to access @hid. ++ */ + bool running; + + __u8 *rd_data; + uint rd_size; + ++ /* When this is NULL, userspace may use UHID_CREATE/UHID_CREATE2. */ + struct hid_device *hid; + struct uhid_event input_buf; + +@@ -68,9 +79,18 @@ static void uhid_device_add_worker(struct work_struct *work) + if (ret) { + hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret); + +- hid_destroy_device(uhid->hid); +- uhid->hid = NULL; ++ /* We used to call hid_destroy_device() here, but that's really ++ * messy to get right because we have to coordinate with ++ * concurrent writes from userspace that might be in the middle ++ * of using uhid->hid. ++ * Just leave uhid->hid as-is for now, and clean it up when ++ * userspace tries to close or reinitialize the uhid instance. ++ * ++ * However, we do have to clear the ->running flag and do a ++ * wakeup to make sure userspace knows that the device is gone. ++ */ + uhid->running = false; ++ wake_up_interruptible(&uhid->report_wait); + } + } + +@@ -479,7 +499,7 @@ static int uhid_dev_create2(struct uhid_device *uhid, + void *rd_data; + int ret; + +- if (uhid->running) ++ if (uhid->hid) + return -EALREADY; + + rd_size = ev->u.create2.rd_size; +@@ -560,7 +580,7 @@ static int uhid_dev_create(struct uhid_device *uhid, + + static int uhid_dev_destroy(struct uhid_device *uhid) + { +- if (!uhid->running) ++ if (!uhid->hid) + return -EINVAL; + + uhid->running = false; +@@ -569,6 +589,7 @@ static int uhid_dev_destroy(struct uhid_device *uhid) + cancel_work_sync(&uhid->worker); + + hid_destroy_device(uhid->hid); ++ uhid->hid = NULL; + kfree(uhid->rd_data); + + return 0; +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c +index fbf14a14bdd43..bfce62dbe0ace 100644 +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1693,6 +1693,10 @@ static void wacom_wac_finger_pre_report(struct hid_device *hdev, + struct hid_data* hid_data = &wacom_wac->hid_data; + int i; + ++ hid_data->cc_report = 0; ++ hid_data->cc_index = -1; ++ hid_data->cc_value_index = -1; ++ + for (i = 0; i < report->maxfield; i++) { + struct hid_field *field = report->field[i]; + int j; +diff --git a/drivers/hsi/hsi_core.c b/drivers/hsi/hsi_core.c +index e9d63b966caff..4a9fd745b8cb4 100644 +--- a/drivers/hsi/hsi_core.c ++++ b/drivers/hsi/hsi_core.c +@@ -115,6 +115,7 @@ struct hsi_client *hsi_new_client(struct hsi_port *port, + if (device_register(&cl->device) < 0) { + pr_err("hsi: failed to register client: %s\n", info->name); + put_device(&cl->device); ++ goto err; + } + + return cl; +diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c +index 96f8230cd2d33..5c32a7ef476da 100644 +--- a/drivers/i2c/busses/i2c-designware-pcidrv.c ++++ b/drivers/i2c/busses/i2c-designware-pcidrv.c +@@ -49,10 +49,10 @@ enum dw_pci_ctl_id_t { + }; + + struct dw_scl_sda_cfg { +- u32 ss_hcnt; +- u32 fs_hcnt; +- u32 ss_lcnt; +- u32 fs_lcnt; ++ u16 ss_hcnt; ++ u16 fs_hcnt; ++ u16 ss_lcnt; ++ u16 fs_lcnt; + u32 sda_hold; + }; + +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c +index 0e04b27e3158d..b577c64f3b3ec 100644 +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -762,6 +762,11 @@ static int i801_block_transaction(struct i801_priv *priv, + int result = 0; + unsigned char hostc; + ++ if (read_write == I2C_SMBUS_READ && command == I2C_SMBUS_BLOCK_DATA) ++ data->block[0] = I2C_SMBUS_BLOCK_MAX; ++ else if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX) ++ return -EPROTO; ++ + if (command == I2C_SMBUS_I2C_BLOCK_DATA) { + if (read_write == I2C_SMBUS_WRITE) { + /* set I2C_EN bit in configuration register */ +@@ -775,16 +780,6 @@ static int i801_block_transaction(struct i801_priv *priv, + } + } + +- if (read_write == I2C_SMBUS_WRITE +- || command == I2C_SMBUS_I2C_BLOCK_DATA) { +- if (data->block[0] < 1) +- data->block[0] = 1; +- if (data->block[0] > I2C_SMBUS_BLOCK_MAX) +- data->block[0] = I2C_SMBUS_BLOCK_MAX; +- } else { +- data->block[0] = 32; /* max for SMBus block reads */ +- } +- + /* Experience has shown that the block buffer can only be used for + SMBus (not I2C) block transactions, even though the datasheet + doesn't mention this limitation. */ +diff --git a/drivers/i2c/busses/i2c-mpc.c b/drivers/i2c/busses/i2c-mpc.c +index 90e4f839eb1cb..d153fc28e6bfb 100644 +--- a/drivers/i2c/busses/i2c-mpc.c ++++ b/drivers/i2c/busses/i2c-mpc.c +@@ -107,23 +107,30 @@ static irqreturn_t mpc_i2c_isr(int irq, void *dev_id) + /* Sometimes 9th clock pulse isn't generated, and slave doesn't release + * the bus, because it wants to send ACK. + * Following sequence of enabling/disabling and sending start/stop generates +- * the 9 pulses, so it's all OK. ++ * the 9 pulses, each with a START then ending with STOP, so it's all OK. + */ + static void mpc_i2c_fixup(struct mpc_i2c *i2c) + { + int k; +- u32 delay_val = 1000000 / i2c->real_clk + 1; +- +- if (delay_val < 2) +- delay_val = 2; ++ unsigned long flags; + + for (k = 9; k; k--) { + writeccr(i2c, 0); +- writeccr(i2c, CCR_MSTA | CCR_MTX | CCR_MEN); ++ writeb(0, i2c->base + MPC_I2C_SR); /* clear any status bits */ ++ writeccr(i2c, CCR_MEN | CCR_MSTA); /* START */ ++ readb(i2c->base + MPC_I2C_DR); /* init xfer */ ++ udelay(15); /* let it hit the bus */ ++ local_irq_save(flags); /* should not be delayed further */ ++ writeccr(i2c, CCR_MEN | CCR_MSTA | CCR_RSTA); /* delay SDA */ + readb(i2c->base + MPC_I2C_DR); +- writeccr(i2c, CCR_MEN); +- udelay(delay_val << 1); ++ if (k != 1) ++ udelay(5); ++ local_irq_restore(flags); + } ++ writeccr(i2c, CCR_MEN); /* Initiate STOP */ ++ readb(i2c->base + MPC_I2C_DR); ++ udelay(15); /* Let STOP propagate */ ++ writeccr(i2c, 0); + } + + static int i2c_wait(struct mpc_i2c *i2c, unsigned timeout, int writing) +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index 4b947d5cafe28..c5c175b72f21e 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -870,7 +870,8 @@ int ib_find_gid(struct ib_device *device, union ib_gid *gid, + for (i = 0; i < device->port_immutable[port].gid_tbl_len; ++i) { + ret = ib_query_gid(device, port, i, &tmp_gid, NULL); + if (ret) +- return ret; ++ continue; ++ + if (!memcmp(&tmp_gid, gid, sizeof *gid)) { + *port_num = port; + if (index) +diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c +index 87bc7b0db892b..2eeac8401c927 100644 +--- a/drivers/infiniband/hw/cxgb4/qp.c ++++ b/drivers/infiniband/hw/cxgb4/qp.c +@@ -1974,6 +1974,7 @@ int c4iw_ib_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, + memset(attr, 0, sizeof *attr); + memset(init_attr, 0, sizeof *init_attr); + attr->qp_state = to_ib_qp_state(qhp->attr.state); ++ attr->cur_qp_state = to_ib_qp_state(qhp->attr.state); + init_attr->cap.max_send_wr = qhp->attr.sq_num_entries; + init_attr->cap.max_recv_wr = qhp->attr.rq_num_entries; + init_attr->cap.max_send_sge = qhp->attr.sq_max_sges; +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c +index 764e35a54457e..0aa2400db8fa0 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c ++++ b/drivers/infiniband/hw/hns/hns_roce_main.c +@@ -475,6 +475,9 @@ static int hns_roce_query_gid(struct ib_device *ib_dev, u8 port_num, int index, + static int hns_roce_query_pkey(struct ib_device *ib_dev, u8 port, u16 index, + u16 *pkey) + { ++ if (index > 0) ++ return -EINVAL; ++ + *pkey = PKEY_ID; + + return 0; +@@ -553,7 +556,7 @@ static int hns_roce_mmap(struct ib_ucontext *context, + return -EINVAL; + + if (vma->vm_pgoff == 0) { +- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); ++ vma->vm_page_prot = pgprot_device(vma->vm_page_prot); + if (io_remap_pfn_range(vma, vma->vm_start, + to_hr_ucontext(context)->uar.pfn, + PAGE_SIZE, vma->vm_page_prot)) +diff --git a/drivers/infiniband/sw/rxe/rxe_opcode.c b/drivers/infiniband/sw/rxe/rxe_opcode.c +index 61927c165b598..e67ed9141cd8a 100644 +--- a/drivers/infiniband/sw/rxe/rxe_opcode.c ++++ b/drivers/infiniband/sw/rxe/rxe_opcode.c +@@ -137,7 +137,7 @@ struct rxe_opcode_info rxe_opcode[RXE_NUM_OPCODE] = { + } + }, + [IB_OPCODE_RC_SEND_MIDDLE] = { +- .name = "IB_OPCODE_RC_SEND_MIDDLE]", ++ .name = "IB_OPCODE_RC_SEND_MIDDLE", + .mask = RXE_PAYLOAD_MASK | RXE_REQ_MASK | RXE_SEND_MASK + | RXE_MIDDLE_MASK, + .length = RXE_BTH_BYTES, +diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c +index 386215245dfe2..85273da5da206 100644 +--- a/drivers/md/persistent-data/dm-btree.c ++++ b/drivers/md/persistent-data/dm-btree.c +@@ -83,14 +83,16 @@ void inc_children(struct dm_transaction_manager *tm, struct btree_node *n, + } + + static int insert_at(size_t value_size, struct btree_node *node, unsigned index, +- uint64_t key, void *value) +- __dm_written_to_disk(value) ++ uint64_t key, void *value) ++ __dm_written_to_disk(value) + { + uint32_t nr_entries = le32_to_cpu(node->header.nr_entries); ++ uint32_t max_entries = le32_to_cpu(node->header.max_entries); + __le64 key_le = cpu_to_le64(key); + + if (index > nr_entries || +- index >= le32_to_cpu(node->header.max_entries)) { ++ index >= max_entries || ++ nr_entries >= max_entries) { + DMERR("too many entries in btree node for insert"); + __dm_unbless_for_disk(value); + return -ENOMEM; +diff --git a/drivers/md/persistent-data/dm-space-map-common.c b/drivers/md/persistent-data/dm-space-map-common.c +index ca09ad2a639c4..6fa4a68e78b0d 100644 +--- a/drivers/md/persistent-data/dm-space-map-common.c ++++ b/drivers/md/persistent-data/dm-space-map-common.c +@@ -279,6 +279,11 @@ int sm_ll_lookup_bitmap(struct ll_disk *ll, dm_block_t b, uint32_t *result) + struct disk_index_entry ie_disk; + struct dm_block *blk; + ++ if (b >= ll->nr_blocks) { ++ DMERR_LIMIT("metadata block out of bounds"); ++ return -EINVAL; ++ } ++ + b = do_div(index, ll->entries_per_block); + r = ll->load_ie(ll, index, &ie_disk); + if (r < 0) +diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c +index 930d2c94d5d30..2c9365a39270a 100644 +--- a/drivers/media/common/saa7146/saa7146_fops.c ++++ b/drivers/media/common/saa7146/saa7146_fops.c +@@ -524,7 +524,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv) + ERR("out of memory. aborting.\n"); + kfree(vv); + v4l2_ctrl_handler_free(hdl); +- return -1; ++ return -ENOMEM; + } + + saa7146_video_uops.init(dev,vv); +diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c +index 0418b5a0fb645..32a2e6ffdb097 100644 +--- a/drivers/media/dvb-core/dmxdev.c ++++ b/drivers/media/dvb-core/dmxdev.c +@@ -1225,7 +1225,7 @@ static const struct dvb_device dvbdev_dvr = { + }; + int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter) + { +- int i; ++ int i, ret; + + if (dmxdev->demux->open(dmxdev->demux) < 0) + return -EUSERS; +@@ -1243,14 +1243,26 @@ int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter) + DMXDEV_STATE_FREE); + } + +- dvb_register_device(dvb_adapter, &dmxdev->dvbdev, &dvbdev_demux, dmxdev, ++ ret = dvb_register_device(dvb_adapter, &dmxdev->dvbdev, &dvbdev_demux, dmxdev, + DVB_DEVICE_DEMUX, dmxdev->filternum); +- dvb_register_device(dvb_adapter, &dmxdev->dvr_dvbdev, &dvbdev_dvr, ++ if (ret < 0) ++ goto err_register_dvbdev; ++ ++ ret = dvb_register_device(dvb_adapter, &dmxdev->dvr_dvbdev, &dvbdev_dvr, + dmxdev, DVB_DEVICE_DVR, dmxdev->filternum); ++ if (ret < 0) ++ goto err_register_dvr_dvbdev; + + dvb_ringbuffer_init(&dmxdev->dvr_buffer, NULL, 8192); + + return 0; ++ ++err_register_dvr_dvbdev: ++ dvb_unregister_device(dmxdev->dvbdev); ++err_register_dvbdev: ++ vfree(dmxdev->filter); ++ dmxdev->filter = NULL; ++ return ret; + } + + EXPORT_SYMBOL(dvb_dmxdev_init); +diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c +index ddf9c44877a25..ea2eab2d5be91 100644 +--- a/drivers/media/dvb-frontends/dib8000.c ++++ b/drivers/media/dvb-frontends/dib8000.c +@@ -4462,8 +4462,10 @@ static struct dvb_frontend *dib8000_init(struct i2c_adapter *i2c_adap, u8 i2c_ad + + state->timf_default = cfg->pll->timf; + +- if (dib8000_identify(&state->i2c) == 0) ++ if (dib8000_identify(&state->i2c) == 0) { ++ kfree(fe); + goto error; ++ } + + dibx000_init_i2c_master(&state->i2c_master, DIB8000, state->i2c.adap, state->i2c.addr); + +diff --git a/drivers/media/pci/b2c2/flexcop-pci.c b/drivers/media/pci/b2c2/flexcop-pci.c +index 4cac1fc233f28..98e94cd8bfad7 100644 +--- a/drivers/media/pci/b2c2/flexcop-pci.c ++++ b/drivers/media/pci/b2c2/flexcop-pci.c +@@ -184,6 +184,8 @@ static irqreturn_t flexcop_pci_isr(int irq, void *dev_id) + dma_addr_t cur_addr = + fc->read_ibi_reg(fc,dma1_008).dma_0x8.dma_cur_addr << 2; + u32 cur_pos = cur_addr - fc_pci->dma[0].dma_addr0; ++ if (cur_pos > fc_pci->dma[0].size * 2) ++ goto error; + + deb_irq("%u irq: %08x cur_addr: %llx: cur_pos: %08x, " + "last_cur_pos: %08x ", +@@ -225,6 +227,7 @@ static irqreturn_t flexcop_pci_isr(int irq, void *dev_id) + ret = IRQ_NONE; + } + ++error: + spin_unlock_irqrestore(&fc_pci->irq_lock, flags); + return ret; + } +diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c +index be85a2c4318e7..be91a2de81dcc 100644 +--- a/drivers/media/pci/saa7146/hexium_gemini.c ++++ b/drivers/media/pci/saa7146/hexium_gemini.c +@@ -296,7 +296,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d + hexium_set_input(hexium, 0); + hexium->cur_input = 0; + +- saa7146_vv_init(dev, &vv_data); ++ ret = saa7146_vv_init(dev, &vv_data); ++ if (ret) { ++ i2c_del_adapter(&hexium->i2c_adapter); ++ kfree(hexium); ++ return ret; ++ } + + vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input; + vv_data.vid_ops.vidioc_g_input = vidioc_g_input; +diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c +index dc07ca37ebd06..e8e96c7a57844 100644 +--- a/drivers/media/pci/saa7146/hexium_orion.c ++++ b/drivers/media/pci/saa7146/hexium_orion.c +@@ -366,10 +366,16 @@ static struct saa7146_ext_vv vv_data; + static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info) + { + struct hexium *hexium = (struct hexium *) dev->ext_priv; ++ int ret; + + DEB_EE("\n"); + +- saa7146_vv_init(dev, &vv_data); ++ ret = saa7146_vv_init(dev, &vv_data); ++ if (ret) { ++ pr_err("Error in saa7146_vv_init()\n"); ++ return ret; ++ } ++ + vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input; + vv_data.vid_ops.vidioc_g_input = vidioc_g_input; + vv_data.vid_ops.vidioc_s_input = vidioc_s_input; +diff --git a/drivers/media/pci/saa7146/mxb.c b/drivers/media/pci/saa7146/mxb.c +index 3e8753c9e1e47..849c2a1d09f99 100644 +--- a/drivers/media/pci/saa7146/mxb.c ++++ b/drivers/media/pci/saa7146/mxb.c +@@ -694,10 +694,16 @@ static struct saa7146_ext_vv vv_data; + static int mxb_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info) + { + struct mxb *mxb; ++ int ret; + + DEB_EE("dev:%p\n", dev); + +- saa7146_vv_init(dev, &vv_data); ++ ret = saa7146_vv_init(dev, &vv_data); ++ if (ret) { ++ ERR("Error in saa7146_vv_init()"); ++ return ret; ++ } ++ + if (mxb_probe(dev)) { + saa7146_vv_release(dev); + return -1; +diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c +index 5cf983be07a20..0f4c4c39bf6da 100644 +--- a/drivers/media/rc/igorplugusb.c ++++ b/drivers/media/rc/igorplugusb.c +@@ -73,9 +73,11 @@ static void igorplugusb_irdata(struct igorplugusb *ir, unsigned len) + if (start >= len) { + dev_err(ir->dev, "receive overflow invalid: %u", overflow); + } else { +- if (overflow > 0) ++ if (overflow > 0) { + dev_warn(ir->dev, "receive overflow, at least %u lost", + overflow); ++ ir_raw_event_reset(ir->rc); ++ } + + do { + rawir.duration = ir->buf_in[i] * 85333; +diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c +index b78d70685b1c3..49122f442b872 100644 +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -1129,7 +1129,7 @@ static void mceusb_gen1_init(struct mceusb_dev *ir) + */ + ret = usb_control_msg(ir->usbdev, usb_rcvctrlpipe(ir->usbdev, 0), + USB_REQ_SET_ADDRESS, USB_TYPE_VENDOR, 0, 0, +- data, USB_CTRL_MSG_SZ, HZ * 3); ++ data, USB_CTRL_MSG_SZ, 3000); + dev_dbg(dev, "set address - ret = %d", ret); + dev_dbg(dev, "set address - data[0] = %d, data[1] = %d", + data[0], data[1]); +@@ -1137,20 +1137,20 @@ static void mceusb_gen1_init(struct mceusb_dev *ir) + /* set feature: bit rate 38400 bps */ + ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0), + USB_REQ_SET_FEATURE, USB_TYPE_VENDOR, +- 0xc04e, 0x0000, NULL, 0, HZ * 3); ++ 0xc04e, 0x0000, NULL, 0, 3000); + + dev_dbg(dev, "set feature - ret = %d", ret); + + /* bRequest 4: set char length to 8 bits */ + ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0), + 4, USB_TYPE_VENDOR, +- 0x0808, 0x0000, NULL, 0, HZ * 3); ++ 0x0808, 0x0000, NULL, 0, 3000); + dev_dbg(dev, "set char length - retB = %d", ret); + + /* bRequest 2: set handshaking to use DTR/DSR */ + ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0), + 2, USB_TYPE_VENDOR, +- 0x0000, 0x0100, NULL, 0, HZ * 3); ++ 0x0000, 0x0100, NULL, 0, 3000); + dev_dbg(dev, "set handshake - retC = %d", ret); + + /* device resume */ +diff --git a/drivers/media/rc/redrat3.c b/drivers/media/rc/redrat3.c +index 05ba47bc0b613..5f3c1c204f643 100644 +--- a/drivers/media/rc/redrat3.c ++++ b/drivers/media/rc/redrat3.c +@@ -427,7 +427,7 @@ static int redrat3_send_cmd(int cmd, struct redrat3_dev *rr3) + udev = rr3->udev; + res = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), cmd, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- 0x0000, 0x0000, data, sizeof(u8), HZ * 10); ++ 0x0000, 0x0000, data, sizeof(u8), 10000); + + if (res < 0) { + dev_err(rr3->dev, "%s: Error sending rr3 cmd res %d, data %d", +@@ -493,7 +493,7 @@ static u32 redrat3_get_timeout(struct redrat3_dev *rr3) + pipe = usb_rcvctrlpipe(rr3->udev, 0); + ret = usb_control_msg(rr3->udev, pipe, RR3_GET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- RR3_IR_IO_SIG_TIMEOUT, 0, tmp, len, HZ * 5); ++ RR3_IR_IO_SIG_TIMEOUT, 0, tmp, len, 5000); + if (ret != len) + dev_warn(rr3->dev, "Failed to read timeout from hardware\n"); + else { +@@ -523,7 +523,7 @@ static int redrat3_set_timeout(struct rc_dev *rc_dev, unsigned int timeoutns) + ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, + RR3_IR_IO_SIG_TIMEOUT, 0, timeout, sizeof(*timeout), +- HZ * 25); ++ 25000); + dev_dbg(dev, "set ir parm timeout %d ret 0x%02x\n", + be32_to_cpu(*timeout), ret); + +@@ -557,32 +557,32 @@ static void redrat3_reset(struct redrat3_dev *rr3) + *val = 0x01; + rc = usb_control_msg(udev, rxpipe, RR3_RESET, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- RR3_CPUCS_REG_ADDR, 0, val, len, HZ * 25); ++ RR3_CPUCS_REG_ADDR, 0, val, len, 25000); + dev_dbg(dev, "reset returned 0x%02x\n", rc); + + *val = length_fuzz; + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- RR3_IR_IO_LENGTH_FUZZ, 0, val, len, HZ * 25); ++ RR3_IR_IO_LENGTH_FUZZ, 0, val, len, 25000); + dev_dbg(dev, "set ir parm len fuzz %d rc 0x%02x\n", *val, rc); + + *val = (65536 - (minimum_pause * 2000)) / 256; + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- RR3_IR_IO_MIN_PAUSE, 0, val, len, HZ * 25); ++ RR3_IR_IO_MIN_PAUSE, 0, val, len, 25000); + dev_dbg(dev, "set ir parm min pause %d rc 0x%02x\n", *val, rc); + + *val = periods_measure_carrier; + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- RR3_IR_IO_PERIODS_MF, 0, val, len, HZ * 25); ++ RR3_IR_IO_PERIODS_MF, 0, val, len, 25000); + dev_dbg(dev, "set ir parm periods measure carrier %d rc 0x%02x", *val, + rc); + + *val = RR3_DRIVER_MAXLENS; + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- RR3_IR_IO_MAX_LENGTHS, 0, val, len, HZ * 25); ++ RR3_IR_IO_MAX_LENGTHS, 0, val, len, 25000); + dev_dbg(dev, "set ir parm max lens %d rc 0x%02x\n", *val, rc); + + kfree(val); +@@ -602,7 +602,7 @@ static void redrat3_get_firmware_rev(struct redrat3_dev *rr3) + rc = usb_control_msg(rr3->udev, usb_rcvctrlpipe(rr3->udev, 0), + RR3_FW_VERSION, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- 0, 0, buffer, RR3_FW_VERSION_LEN, HZ * 5); ++ 0, 0, buffer, RR3_FW_VERSION_LEN, 5000); + + if (rc >= 0) + dev_info(rr3->dev, "Firmware rev: %s", buffer); +@@ -842,14 +842,14 @@ static int redrat3_transmit_ir(struct rc_dev *rcdev, unsigned *txbuf, + + pipe = usb_sndbulkpipe(rr3->udev, rr3->ep_out->bEndpointAddress); + ret = usb_bulk_msg(rr3->udev, pipe, irdata, +- sendbuf_len, &ret_len, 10 * HZ); ++ sendbuf_len, &ret_len, 10000); + dev_dbg(dev, "sent %d bytes, (ret %d)\n", ret_len, ret); + + /* now tell the hardware to transmit what we sent it */ + pipe = usb_rcvctrlpipe(rr3->udev, 0); + ret = usb_control_msg(rr3->udev, pipe, RR3_TX_SEND_SIGNAL, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- 0, 0, irdata, 2, HZ * 10); ++ 0, 0, irdata, 2, 10000); + + if (ret < 0) + dev_err(dev, "Error: control msg send failed, rc %d\n", ret); +diff --git a/drivers/media/tuners/msi001.c b/drivers/media/tuners/msi001.c +index 3a12ef35682b5..64d98517f470f 100644 +--- a/drivers/media/tuners/msi001.c ++++ b/drivers/media/tuners/msi001.c +@@ -464,6 +464,13 @@ static int msi001_probe(struct spi_device *spi) + V4L2_CID_RF_TUNER_BANDWIDTH_AUTO, 0, 1, 1, 1); + dev->bandwidth = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops, + V4L2_CID_RF_TUNER_BANDWIDTH, 200000, 8000000, 1, 200000); ++ if (dev->hdl.error) { ++ ret = dev->hdl.error; ++ dev_err(&spi->dev, "Could not initialize controls\n"); ++ /* control init failed, free handler */ ++ goto err_ctrl_handler_free; ++ } ++ + v4l2_ctrl_auto_cluster(2, &dev->bandwidth_auto, 0, false); + dev->lna_gain = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops, + V4L2_CID_RF_TUNER_LNA_GAIN, 0, 1, 1, 1); +diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c +index 72a47da0db2ae..e56837414e2c7 100644 +--- a/drivers/media/tuners/si2157.c ++++ b/drivers/media/tuners/si2157.c +@@ -89,7 +89,7 @@ static int si2157_init(struct dvb_frontend *fe) + dev_dbg(&client->dev, "\n"); + + /* Try to get Xtal trim property, to verify tuner still running */ +- memcpy(cmd.args, "\x15\x00\x04\x02", 4); ++ memcpy(cmd.args, "\x15\x00\x02\x04", 4); + cmd.wlen = 4; + cmd.rlen = 4; + ret = si2157_cmd_execute(client, &cmd); +diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c +index a93fc1839e139..3d6e991df9261 100644 +--- a/drivers/media/usb/b2c2/flexcop-usb.c ++++ b/drivers/media/usb/b2c2/flexcop-usb.c +@@ -87,7 +87,7 @@ static int flexcop_usb_readwrite_dw(struct flexcop_device *fc, u16 wRegOffsPCI, + 0, + fc_usb->data, + sizeof(u32), +- B2C2_WAIT_FOR_OPERATION_RDW * HZ); ++ B2C2_WAIT_FOR_OPERATION_RDW); + + if (ret != sizeof(u32)) { + err("error while %s dword from %d (%d).", read ? "reading" : +@@ -155,7 +155,7 @@ static int flexcop_usb_v8_memory_req(struct flexcop_usb *fc_usb, + wIndex, + fc_usb->data, + buflen, +- nWaitTime * HZ); ++ nWaitTime); + if (ret != buflen) + ret = -EIO; + +@@ -249,13 +249,13 @@ static int flexcop_usb_i2c_req(struct flexcop_i2c_adapter *i2c, + /* DKT 020208 - add this to support special case of DiSEqC */ + case USB_FUNC_I2C_CHECKWRITE: + pipe = B2C2_USB_CTRL_PIPE_OUT; +- nWaitTime = 2; ++ nWaitTime = 2000; + request_type |= USB_DIR_OUT; + break; + case USB_FUNC_I2C_READ: + case USB_FUNC_I2C_REPEATREAD: + pipe = B2C2_USB_CTRL_PIPE_IN; +- nWaitTime = 2; ++ nWaitTime = 2000; + request_type |= USB_DIR_IN; + break; + default: +@@ -282,7 +282,7 @@ static int flexcop_usb_i2c_req(struct flexcop_i2c_adapter *i2c, + wIndex, + fc_usb->data, + buflen, +- nWaitTime * HZ); ++ nWaitTime); + + if (ret != buflen) + ret = -EIO; +diff --git a/drivers/media/usb/b2c2/flexcop-usb.h b/drivers/media/usb/b2c2/flexcop-usb.h +index 25ad43166e78c..247c7dbc8a619 100644 +--- a/drivers/media/usb/b2c2/flexcop-usb.h ++++ b/drivers/media/usb/b2c2/flexcop-usb.h +@@ -90,13 +90,13 @@ typedef enum { + UTILITY_SRAM_TESTVERIFY = 0x16, + } flexcop_usb_utility_function_t; + +-#define B2C2_WAIT_FOR_OPERATION_RW (1*HZ) +-#define B2C2_WAIT_FOR_OPERATION_RDW (3*HZ) +-#define B2C2_WAIT_FOR_OPERATION_WDW (1*HZ) ++#define B2C2_WAIT_FOR_OPERATION_RW 1000 ++#define B2C2_WAIT_FOR_OPERATION_RDW 3000 ++#define B2C2_WAIT_FOR_OPERATION_WDW 1000 + +-#define B2C2_WAIT_FOR_OPERATION_V8READ (3*HZ) +-#define B2C2_WAIT_FOR_OPERATION_V8WRITE (3*HZ) +-#define B2C2_WAIT_FOR_OPERATION_V8FLASH (3*HZ) ++#define B2C2_WAIT_FOR_OPERATION_V8READ 3000 ++#define B2C2_WAIT_FOR_OPERATION_V8WRITE 3000 ++#define B2C2_WAIT_FOR_OPERATION_V8FLASH 3000 + + typedef enum { + V8_MEMORY_PAGE_DVB_CI = 0x20, +diff --git a/drivers/media/usb/cpia2/cpia2_usb.c b/drivers/media/usb/cpia2/cpia2_usb.c +index 4f4a130f17af3..447d6a52af3b8 100644 +--- a/drivers/media/usb/cpia2/cpia2_usb.c ++++ b/drivers/media/usb/cpia2/cpia2_usb.c +@@ -565,7 +565,7 @@ static int write_packet(struct usb_device *udev, + 0, /* index */ + buf, /* buffer */ + size, +- HZ); ++ 1000); + + kfree(buf); + return ret; +@@ -597,7 +597,7 @@ static int read_packet(struct usb_device *udev, + 0, /* index */ + buf, /* buffer */ + size, +- HZ); ++ 1000); + + if (ret >= 0) + memcpy(registers, buf, size); +diff --git a/drivers/media/usb/dvb-usb/dib0700_core.c b/drivers/media/usb/dvb-usb/dib0700_core.c +index 4a5ea74c91d45..1b56824fbe51e 100644 +--- a/drivers/media/usb/dvb-usb/dib0700_core.c ++++ b/drivers/media/usb/dvb-usb/dib0700_core.c +@@ -610,8 +610,6 @@ int dib0700_streaming_ctrl(struct dvb_usb_adapter *adap, int onoff) + deb_info("the endpoint number (%i) is not correct, use the adapter id instead", adap->fe_adap[0].stream.props.endpoint); + if (onoff) + st->channel_state |= 1 << (adap->id); +- else +- st->channel_state |= 1 << ~(adap->id); + } else { + if (onoff) + st->channel_state |= 1 << (adap->fe_adap[0].stream.props.endpoint-2); +diff --git a/drivers/media/usb/dvb-usb/m920x.c b/drivers/media/usb/dvb-usb/m920x.c +index eafc5c82467f4..5b806779e2106 100644 +--- a/drivers/media/usb/dvb-usb/m920x.c ++++ b/drivers/media/usb/dvb-usb/m920x.c +@@ -284,6 +284,13 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu + /* Should check for ack here, if we knew how. */ + } + if (msg[i].flags & I2C_M_RD) { ++ char *read = kmalloc(1, GFP_KERNEL); ++ if (!read) { ++ ret = -ENOMEM; ++ kfree(read); ++ goto unlock; ++ } ++ + for (j = 0; j < msg[i].len; j++) { + /* Last byte of transaction? + * Send STOP, otherwise send ACK. */ +@@ -291,9 +298,12 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu + + if ((ret = m920x_read(d->udev, M9206_I2C, 0x0, + 0x20 | stop, +- &msg[i].buf[j], 1)) != 0) ++ read, 1)) != 0) + goto unlock; ++ msg[i].buf[j] = read[0]; + } ++ ++ kfree(read); + } else { + for (j = 0; j < msg[i].len; j++) { + /* Last byte of transaction? Then send STOP. */ +diff --git a/drivers/media/usb/em28xx/em28xx-core.c b/drivers/media/usb/em28xx/em28xx-core.c +index eebd5d7088d00..fb3008a7233fe 100644 +--- a/drivers/media/usb/em28xx/em28xx-core.c ++++ b/drivers/media/usb/em28xx/em28xx-core.c +@@ -99,7 +99,7 @@ int em28xx_read_reg_req_len(struct em28xx *dev, u8 req, u16 reg, + mutex_lock(&dev->ctrl_urb_lock); + ret = usb_control_msg(dev->udev, pipe, req, + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- 0x0000, reg, dev->urb_buf, len, HZ); ++ 0x0000, reg, dev->urb_buf, len, 1000); + if (ret < 0) { + if (reg_debug) + printk(" failed!\n"); +@@ -182,7 +182,7 @@ int em28xx_write_regs_req(struct em28xx *dev, u8 req, u16 reg, char *buf, + memcpy(dev->urb_buf, buf, len); + ret = usb_control_msg(dev->udev, pipe, req, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- 0x0000, reg, dev->urb_buf, len, HZ); ++ 0x0000, reg, dev->urb_buf, len, 1000); + mutex_unlock(&dev->ctrl_urb_lock); + + if (ret < 0) +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +index 0cb8dd5852357..40535db585a0e 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +@@ -1488,7 +1488,7 @@ static int pvr2_upload_firmware1(struct pvr2_hdw *hdw) + for (address = 0; address < fwsize; address += 0x800) { + memcpy(fw_ptr, fw_entry->data + address, 0x800); + ret += usb_control_msg(hdw->usb_dev, pipe, 0xa0, 0x40, address, +- 0, fw_ptr, 0x800, HZ); ++ 0, fw_ptr, 0x800, 1000); + } + + trace_firmware("Upload done, releasing device's CPU"); +@@ -1627,7 +1627,7 @@ int pvr2_upload_firmware2(struct pvr2_hdw *hdw) + ((u32 *)fw_ptr)[icnt] = swab32(((u32 *)fw_ptr)[icnt]); + + ret |= usb_bulk_msg(hdw->usb_dev, pipe, fw_ptr,bcnt, +- &actual_length, HZ); ++ &actual_length, 1000); + ret |= (actual_length != bcnt); + if (ret) break; + fw_done += bcnt; +@@ -3486,7 +3486,7 @@ void pvr2_hdw_cpufw_set_enabled(struct pvr2_hdw *hdw, + 0xa0,0xc0, + address,0, + hdw->fw_buffer+address, +- 0x800,HZ); ++ 0x800,1000); + if (ret < 0) break; + } + +@@ -4011,7 +4011,7 @@ void pvr2_hdw_cpureset_assert(struct pvr2_hdw *hdw,int val) + /* Write the CPUCS register on the 8051. The lsb of the register + is the reset bit; a 1 asserts reset while a 0 clears it. */ + pipe = usb_sndctrlpipe(hdw->usb_dev, 0); +- ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,HZ); ++ ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,1000); + if (ret < 0) { + pvr2_trace(PVR2_TRACE_ERROR_LEGS, + "cpureset_assert(%d) error=%d",val,ret); +diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c +index f7bb78c1873c9..fb5636f07e7eb 100644 +--- a/drivers/media/usb/s2255/s2255drv.c ++++ b/drivers/media/usb/s2255/s2255drv.c +@@ -1913,7 +1913,7 @@ static long s2255_vendor_req(struct s2255_dev *dev, unsigned char Request, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | + USB_DIR_IN, + Value, Index, buf, +- TransferBufferLength, HZ * 5); ++ TransferBufferLength, USB_CTRL_SET_TIMEOUT); + + if (r >= 0) + memcpy(TransferBuffer, buf, TransferBufferLength); +@@ -1922,7 +1922,7 @@ static long s2255_vendor_req(struct s2255_dev *dev, unsigned char Request, + r = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0), + Request, USB_TYPE_VENDOR | USB_RECIP_DEVICE, + Value, Index, buf, +- TransferBufferLength, HZ * 5); ++ TransferBufferLength, USB_CTRL_SET_TIMEOUT); + } + kfree(buf); + return r; +diff --git a/drivers/media/usb/stk1160/stk1160-core.c b/drivers/media/usb/stk1160/stk1160-core.c +index bc029478065a0..a526ea2fe587a 100644 +--- a/drivers/media/usb/stk1160/stk1160-core.c ++++ b/drivers/media/usb/stk1160/stk1160-core.c +@@ -76,7 +76,7 @@ int stk1160_read_reg(struct stk1160 *dev, u16 reg, u8 *value) + return -ENOMEM; + ret = usb_control_msg(dev->udev, pipe, 0x00, + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- 0x00, reg, buf, sizeof(u8), HZ); ++ 0x00, reg, buf, sizeof(u8), 1000); + if (ret < 0) { + stk1160_err("read failed on reg 0x%x (%d)\n", + reg, ret); +@@ -96,7 +96,7 @@ int stk1160_write_reg(struct stk1160 *dev, u16 reg, u16 value) + + ret = usb_control_msg(dev->udev, pipe, 0x01, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- value, reg, NULL, 0, HZ); ++ value, reg, NULL, 0, 1000); + if (ret < 0) { + stk1160_err("write failed on reg 0x%x (%d)\n", + reg, ret); +diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c +index 1d724e86f3780..2a7d178a9d069 100644 +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -1716,6 +1716,10 @@ static int uvc_init_video(struct uvc_streaming *stream, gfp_t gfp_flags) + if (ep == NULL) + return -EIO; + ++ /* Reject broken descriptors. */ ++ if (usb_endpoint_maxp(&ep->desc) == 0) ++ return -EIO; ++ + ret = uvc_init_video_bulk(stream, ep, gfp_flags); + } + +diff --git a/drivers/mfd/intel-lpss-acpi.c b/drivers/mfd/intel-lpss-acpi.c +index 6bf8d643d9428..31fbfd9c4b11c 100644 +--- a/drivers/mfd/intel-lpss-acpi.c ++++ b/drivers/mfd/intel-lpss-acpi.c +@@ -84,6 +84,7 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev) + { + struct intel_lpss_platform_info *info; + const struct acpi_device_id *id; ++ int ret; + + id = acpi_match_device(intel_lpss_acpi_ids, &pdev->dev); + if (!id) +@@ -97,10 +98,14 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev) + info->mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); + info->irq = platform_get_irq(pdev, 0); + ++ ret = intel_lpss_probe(&pdev->dev, info); ++ if (ret) ++ return ret; ++ + pm_runtime_set_active(&pdev->dev); + pm_runtime_enable(&pdev->dev); + +- return intel_lpss_probe(&pdev->dev, info); ++ return 0; + } + + static int intel_lpss_acpi_remove(struct platform_device *pdev) +diff --git a/drivers/misc/lattice-ecp3-config.c b/drivers/misc/lattice-ecp3-config.c +index 626fdcaf25101..645d26536114f 100644 +--- a/drivers/misc/lattice-ecp3-config.c ++++ b/drivers/misc/lattice-ecp3-config.c +@@ -81,12 +81,12 @@ static void firmware_load(const struct firmware *fw, void *context) + + if (fw == NULL) { + dev_err(&spi->dev, "Cannot load firmware, aborting\n"); +- return; ++ goto out; + } + + if (fw->size == 0) { + dev_err(&spi->dev, "Error: Firmware size is 0!\n"); +- return; ++ goto out; + } + + /* Fill dummy data (24 stuffing bits for commands) */ +@@ -108,7 +108,7 @@ static void firmware_load(const struct firmware *fw, void *context) + dev_err(&spi->dev, + "Error: No supported FPGA detected (JEDEC_ID=%08x)!\n", + jedec_id); +- return; ++ goto out; + } + + dev_info(&spi->dev, "FPGA %s detected\n", ecp3_dev[i].name); +@@ -121,7 +121,7 @@ static void firmware_load(const struct firmware *fw, void *context) + buffer = kzalloc(fw->size + 8, GFP_KERNEL); + if (!buffer) { + dev_err(&spi->dev, "Error: Can't allocate memory!\n"); +- return; ++ goto out; + } + + /* +@@ -160,7 +160,7 @@ static void firmware_load(const struct firmware *fw, void *context) + "Error: Timeout waiting for FPGA to clear (status=%08x)!\n", + status); + kfree(buffer); +- return; ++ goto out; + } + + dev_info(&spi->dev, "Configuring the FPGA...\n"); +@@ -186,7 +186,7 @@ static void firmware_load(const struct firmware *fw, void *context) + release_firmware(fw); + + kfree(buffer); +- ++out: + complete(&data->fw_loaded); + } + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 2b721ed392adb..0d9226bdf6614 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -782,14 +782,14 @@ static bool bond_should_notify_peers(struct bonding *bond) + slave = rcu_dereference(bond->curr_active_slave); + rcu_read_unlock(); + +- netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n", +- slave ? slave->dev->name : "NULL"); +- + if (!slave || !bond->send_peer_notif || + !netif_carrier_ok(bond->dev) || + test_bit(__LINK_STATE_LINKWATCH_PENDING, &slave->dev->state)) + return false; + ++ netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n", ++ slave ? slave->dev->name : "NULL"); ++ + return true; + } + +diff --git a/drivers/net/can/softing/softing_cs.c b/drivers/net/can/softing/softing_cs.c +index cdc0c7433a4b5..9fbed88d6c821 100644 +--- a/drivers/net/can/softing/softing_cs.c ++++ b/drivers/net/can/softing/softing_cs.c +@@ -304,7 +304,7 @@ static int softingcs_probe(struct pcmcia_device *pcmcia) + return 0; + + platform_failed: +- kfree(dev); ++ platform_device_put(pdev); + mem_failed: + pcmcia_bad: + pcmcia_failed: +diff --git a/drivers/net/can/softing/softing_fw.c b/drivers/net/can/softing/softing_fw.c +index 52fe50725d749..a74c779feb90e 100644 +--- a/drivers/net/can/softing/softing_fw.c ++++ b/drivers/net/can/softing/softing_fw.c +@@ -576,18 +576,19 @@ int softing_startstop(struct net_device *dev, int up) + if (ret < 0) + goto failed; + } +- /* enable_error_frame */ +- /* ++ ++ /* enable_error_frame ++ * + * Error reporting is switched off at the moment since + * the receiving of them is not yet 100% verified + * This should be enabled sooner or later +- * +- if (error_reporting) { ++ */ ++ if (0 && error_reporting) { + ret = softing_fct_cmd(card, 51, "enable_error_frame"); + if (ret < 0) + goto failed; + } +- */ ++ + /* initialize interface */ + iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 2]); + iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 4]); +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c +index d21c68882e867..75399aa1ba951 100644 +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -328,7 +328,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + + /* device reports out of range channel id */ + if (hf->channel >= GS_MAX_INTF) +- goto resubmit_urb; ++ goto device_detach; + + dev = usbcan->canch[hf->channel]; + +@@ -413,6 +413,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + + /* USB failure take down all interfaces */ + if (rc == -ENODEV) { ++ device_detach: + for (rc = 0; rc < GS_MAX_INTF; rc++) { + if (usbcan->canch[rc]) + netif_device_detach(usbcan->canch[rc]->netdev); +@@ -514,6 +515,8 @@ static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb, + + hf->echo_id = idx; + hf->channel = dev->channel; ++ hf->flags = 0; ++ hf->reserved = 0; + + cf = (struct can_frame *)skb->data; + +diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c +index e680bab27dd7e..ef24b619e0e57 100644 +--- a/drivers/net/can/xilinx_can.c ++++ b/drivers/net/can/xilinx_can.c +@@ -1302,7 +1302,12 @@ static int xcan_probe(struct platform_device *pdev) + spin_lock_init(&priv->tx_lock); + + /* Get IRQ for the device */ +- ndev->irq = platform_get_irq(pdev, 0); ++ ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ goto err_free; ++ ++ ndev->irq = ret; ++ + ndev->flags |= IFF_ECHO; /* We support local echo */ + + platform_set_drvdata(pdev, ndev); +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index fae5517770834..6676924d5f3e7 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3358,10 +3358,12 @@ static int bcmgenet_probe(struct platform_device *pdev) + + /* Request the WOL interrupt and advertise suspend if available */ + priv->wol_irq_disabled = true; +- err = devm_request_irq(&pdev->dev, priv->wol_irq, bcmgenet_wol_isr, 0, +- dev->name, priv); +- if (!err) +- device_set_wakeup_capable(&pdev->dev, 1); ++ if (priv->wol_irq > 0) { ++ err = devm_request_irq(&pdev->dev, priv->wol_irq, ++ bcmgenet_wol_isr, 0, dev->name, priv); ++ if (!err) ++ device_set_wakeup_capable(&pdev->dev, 1); ++ } + + /* Set the needed headroom to account for any possible + * features enabling/disabling at runtime +diff --git a/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c b/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c +index d04a6c1634452..da8d10475a08e 100644 +--- a/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c ++++ b/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c +@@ -32,6 +32,7 @@ + + #include <linux/tcp.h> + #include <linux/ipv6.h> ++#include <net/inet_ecn.h> + #include <net/route.h> + #include <net/ip6_route.h> + +@@ -99,7 +100,7 @@ cxgb_find_route(struct cxgb4_lld_info *lldi, + + rt = ip_route_output_ports(&init_net, &fl4, NULL, peer_ip, local_ip, + peer_port, local_port, IPPROTO_TCP, +- tos, 0); ++ tos & ~INET_ECN_MASK, 0); + if (IS_ERR(rt)) + return NULL; + n = dst_neigh_lookup(&rt->dst, &peer_ip); +diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c +index 81021f87e4f39..93b7ed361b82e 100644 +--- a/drivers/net/ethernet/freescale/fman/mac.c ++++ b/drivers/net/ethernet/freescale/fman/mac.c +@@ -96,14 +96,17 @@ static void mac_exception(void *handle, enum fman_mac_exceptions ex) + __func__, ex); + } + +-static void set_fman_mac_params(struct mac_device *mac_dev, +- struct fman_mac_params *params) ++static int set_fman_mac_params(struct mac_device *mac_dev, ++ struct fman_mac_params *params) + { + struct mac_priv_s *priv = mac_dev->priv; + + params->base_addr = (typeof(params->base_addr)) + devm_ioremap(priv->dev, mac_dev->res->start, + resource_size(mac_dev->res)); ++ if (!params->base_addr) ++ return -ENOMEM; ++ + memcpy(¶ms->addr, mac_dev->addr, sizeof(mac_dev->addr)); + params->max_speed = priv->max_speed; + params->phy_if = priv->phy_if; +@@ -114,6 +117,8 @@ static void set_fman_mac_params(struct mac_device *mac_dev, + params->event_cb = mac_exception; + params->dev_id = mac_dev; + params->internal_phy_node = priv->internal_phy_node; ++ ++ return 0; + } + + static int tgec_initialization(struct mac_device *mac_dev) +@@ -125,7 +130,9 @@ static int tgec_initialization(struct mac_device *mac_dev) + + priv = mac_dev->priv; + +- set_fman_mac_params(mac_dev, ¶ms); ++ err = set_fman_mac_params(mac_dev, ¶ms); ++ if (err) ++ goto _return; + + mac_dev->fman_mac = tgec_config(¶ms); + if (!mac_dev->fman_mac) { +@@ -171,7 +178,9 @@ static int dtsec_initialization(struct mac_device *mac_dev) + + priv = mac_dev->priv; + +- set_fman_mac_params(mac_dev, ¶ms); ++ err = set_fman_mac_params(mac_dev, ¶ms); ++ if (err) ++ goto _return; + + mac_dev->fman_mac = dtsec_config(¶ms); + if (!mac_dev->fman_mac) { +@@ -220,7 +229,9 @@ static int memac_initialization(struct mac_device *mac_dev) + + priv = mac_dev->priv; + +- set_fman_mac_params(mac_dev, ¶ms); ++ err = set_fman_mac_params(mac_dev, ¶ms); ++ if (err) ++ goto _return; + + if (priv->max_speed == SPEED_10000) + params.phy_if = PHY_INTERFACE_MODE_XGMII; +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c +index 9fd68cfdd9734..fc721a59a4086 100644 +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -2939,29 +2939,21 @@ static bool gfar_add_rx_frag(struct gfar_rx_buff *rxb, u32 lstatus, + { + int size = lstatus & BD_LENGTH_MASK; + struct page *page = rxb->page; +- bool last = !!(lstatus & BD_LFLAG(RXBD_LAST)); +- +- /* Remove the FCS from the packet length */ +- if (last) +- size -= ETH_FCS_LEN; + + if (likely(first)) { + skb_put(skb, size); + } else { + /* the last fragments' length contains the full frame length */ +- if (last) ++ if (lstatus & BD_LFLAG(RXBD_LAST)) + size -= skb->len; + +- /* Add the last fragment if it contains something other than +- * the FCS, otherwise drop it and trim off any part of the FCS +- * that was already received. +- */ +- if (size > 0) +- skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page, +- rxb->page_offset + RXBUF_ALIGNMENT, +- size, GFAR_RXB_TRUESIZE); +- else if (size < 0) +- pskb_trim(skb, skb->len + size); ++ WARN(size < 0, "gianfar: rx fragment size underflow"); ++ if (size < 0) ++ return false; ++ ++ skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page, ++ rxb->page_offset + RXBUF_ALIGNMENT, ++ size, GFAR_RXB_TRUESIZE); + } + + /* try reuse page */ +@@ -3074,6 +3066,9 @@ static void gfar_process_frame(struct net_device *ndev, struct sk_buff *skb) + if (priv->padding) + skb_pull(skb, priv->padding); + ++ /* Trim off the FCS */ ++ pskb_trim(skb, skb->len - ETH_FCS_LEN); ++ + if (ndev->features & NETIF_F_RXCSUM) + gfar_rx_checksum(skb, fcb); + +@@ -3117,6 +3112,17 @@ int gfar_clean_rx_ring(struct gfar_priv_rx_q *rx_queue, int rx_work_limit) + if (lstatus & BD_LFLAG(RXBD_EMPTY)) + break; + ++ /* lost RXBD_LAST descriptor due to overrun */ ++ if (skb && ++ (lstatus & BD_LFLAG(RXBD_FIRST))) { ++ /* discard faulty buffer */ ++ dev_kfree_skb(skb); ++ skb = NULL; ++ rx_queue->stats.rx_dropped++; ++ ++ /* can continue normally */ ++ } ++ + /* order rx buffer descriptor reads */ + rmb(); + +diff --git a/drivers/net/ethernet/freescale/xgmac_mdio.c b/drivers/net/ethernet/freescale/xgmac_mdio.c +index c82c85ef5fb34..c37aea7ba8502 100644 +--- a/drivers/net/ethernet/freescale/xgmac_mdio.c ++++ b/drivers/net/ethernet/freescale/xgmac_mdio.c +@@ -301,9 +301,10 @@ err_ioremap: + static int xgmac_mdio_remove(struct platform_device *pdev) + { + struct mii_bus *bus = platform_get_drvdata(pdev); ++ struct mdio_fsl_priv *priv = bus->priv; + + mdiobus_unregister(bus); +- iounmap(bus->priv); ++ iounmap(priv->mdio_base); + mdiobus_free(bus); + + return 0; +diff --git a/drivers/net/ethernet/i825xx/sni_82596.c b/drivers/net/ethernet/i825xx/sni_82596.c +index 2af7f77345fbd..e4128e151b854 100644 +--- a/drivers/net/ethernet/i825xx/sni_82596.c ++++ b/drivers/net/ethernet/i825xx/sni_82596.c +@@ -122,9 +122,10 @@ static int sni_82596_probe(struct platform_device *dev) + netdevice->dev_addr[5] = readb(eth_addr + 0x06); + iounmap(eth_addr); + +- if (!netdevice->irq) { ++ if (netdevice->irq < 0) { + printk(KERN_ERR "%s: IRQ not found for i82596 at 0x%lx\n", + __FILE__, netdevice->base_addr); ++ retval = netdevice->irq; + goto probe_failed; + } + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 46fcf3ec2caf7..46998a58e3d96 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -278,6 +278,16 @@ static int axienet_dma_bd_init(struct net_device *ndev) + axienet_dma_out32(lp, XAXIDMA_TX_CR_OFFSET, + cr | XAXIDMA_CR_RUNSTOP_MASK); + ++ /* Wait for PhyRstCmplt bit to be set, indicating the PHY reset has finished */ ++ ret = read_poll_timeout(axienet_ior, value, ++ value & XAE_INT_PHYRSTCMPLT_MASK, ++ DELAY_OF_ONE_MILLISEC, 50000, false, lp, ++ XAE_IS_OFFSET); ++ if (ret) { ++ dev_err(lp->dev, "%s: timeout waiting for PhyRstCmplt\n", __func__); ++ return ret; ++ } ++ + return 0; + out: + axienet_dma_bd_release(ndev); +@@ -670,7 +680,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev) + num_frag = skb_shinfo(skb)->nr_frags; + cur_p = &lp->tx_bd_v[lp->tx_bd_tail]; + +- if (axienet_check_tx_bd_space(lp, num_frag)) { ++ if (axienet_check_tx_bd_space(lp, num_frag + 1)) { + if (netif_queue_stopped(ndev)) + return NETDEV_TX_BUSY; + +@@ -680,7 +690,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev) + smp_mb(); + + /* Space might have just been freed - check again */ +- if (axienet_check_tx_bd_space(lp, num_frag)) ++ if (axienet_check_tx_bd_space(lp, num_frag + 1)) + return NETDEV_TX_BUSY; + + netif_wake_queue(ndev); +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index 92fb664b56fbb..0fa6e2da4b5a2 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -347,7 +347,7 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner) + } + + bus->state = MDIOBUS_REGISTERED; +- pr_info("%s: probed\n", bus->name); ++ dev_dbg(&bus->dev, "probed\n"); + return 0; + + error: +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 0a29844676f92..6287d2ad77c6d 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -71,6 +71,8 @@ + #define MPHDRLEN 6 /* multilink protocol header length */ + #define MPHDRLEN_SSN 4 /* ditto with short sequence numbers */ + ++#define PPP_PROTO_LEN 2 ++ + /* + * An instance of /dev/ppp can be associated with either a ppp + * interface unit or a ppp channel. In both cases, file->private_data +@@ -500,6 +502,9 @@ static ssize_t ppp_write(struct file *file, const char __user *buf, + + if (!pf) + return -ENXIO; ++ /* All PPP packets should start with the 2-byte protocol */ ++ if (count < PPP_PROTO_LEN) ++ return -EINVAL; + ret = -ENOMEM; + skb = alloc_skb(count + pf->hdrlen, GFP_KERNEL); + if (!skb) +@@ -1563,7 +1568,7 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + } + + ++ppp->stats64.tx_packets; +- ppp->stats64.tx_bytes += skb->len - 2; ++ ppp->stats64.tx_bytes += skb->len - PPP_PROTO_LEN; + + switch (proto) { + case PPP_IP: +diff --git a/drivers/net/usb/mcs7830.c b/drivers/net/usb/mcs7830.c +index 4f345bd4e6e29..95151b46f2001 100644 +--- a/drivers/net/usb/mcs7830.c ++++ b/drivers/net/usb/mcs7830.c +@@ -121,8 +121,16 @@ static const char driver_name[] = "MOSCHIP usb-ethernet driver"; + + static int mcs7830_get_reg(struct usbnet *dev, u16 index, u16 size, void *data) + { +- return usbnet_read_cmd(dev, MCS7830_RD_BREQ, MCS7830_RD_BMREQ, +- 0x0000, index, data, size); ++ int ret; ++ ++ ret = usbnet_read_cmd(dev, MCS7830_RD_BREQ, MCS7830_RD_BMREQ, ++ 0x0000, index, data, size); ++ if (ret < 0) ++ return ret; ++ else if (ret < size) ++ return -ENODATA; ++ ++ return ret; + } + + static int mcs7830_set_reg(struct usbnet *dev, u16 index, u16 size, const void *data) +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index 9f4ee1d125b68..0c6b33c464cd9 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -153,6 +153,10 @@ static void ar5523_cmd_rx_cb(struct urb *urb) + ar5523_err(ar, "Invalid reply to WDCMSG_TARGET_START"); + return; + } ++ if (!cmd->odata) { ++ ar5523_err(ar, "Unexpected WDCMSG_TARGET_START reply"); ++ return; ++ } + memcpy(cmd->odata, hdr + 1, sizeof(u32)); + cmd->olen = sizeof(u32); + cmd->res = 0; +diff --git a/drivers/net/wireless/ath/ath10k/htt_tx.c b/drivers/net/wireless/ath/ath10k/htt_tx.c +index ae5b33fe5ba82..374ce35940d07 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_tx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_tx.c +@@ -158,6 +158,9 @@ void ath10k_htt_tx_dec_pending(struct ath10k_htt *htt) + htt->num_pending_tx--; + if (htt->num_pending_tx == htt->max_num_pending_tx - 1) + ath10k_mac_tx_unlock(htt->ar, ATH10K_TX_PAUSE_Q_FULL); ++ ++ if (htt->num_pending_tx == 0) ++ wake_up(&htt->empty_tx_wq); + } + + int ath10k_htt_tx_inc_pending(struct ath10k_htt *htt) +diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c +index beeb6be06939b..b6c050452b757 100644 +--- a/drivers/net/wireless/ath/ath10k/txrx.c ++++ b/drivers/net/wireless/ath/ath10k/txrx.c +@@ -89,8 +89,6 @@ int ath10k_txrx_tx_unref(struct ath10k_htt *htt, + + ath10k_htt_tx_free_msdu_id(htt, tx_done->msdu_id); + ath10k_htt_tx_dec_pending(htt); +- if (htt->num_pending_tx == 0) +- wake_up(&htt->empty_tx_wq); + spin_unlock_bh(&htt->tx_lock); + + dma_unmap_single(dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE); +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 7c409cd43b709..33a6be0f21cac 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -588,6 +588,13 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + return; + } + ++ if (pkt_len > 2 * MAX_RX_BUF_SIZE) { ++ dev_err(&hif_dev->udev->dev, ++ "ath9k_htc: invalid pkt_len (%x)\n", pkt_len); ++ RX_STAT_INC(skb_dropped); ++ return; ++ } ++ + pad_len = 4 - (pkt_len & 0x3); + if (pad_len == 4) + pad_len = 0; +diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c +index 914c210c9e605..da2f442cab271 100644 +--- a/drivers/net/wireless/ath/wcn36xx/smd.c ++++ b/drivers/net/wireless/ath/wcn36xx/smd.c +@@ -2052,7 +2052,7 @@ static int wcn36xx_smd_missed_beacon_ind(struct wcn36xx *wcn, + wcn36xx_dbg(WCN36XX_DBG_HAL, "beacon missed bss_index %d\n", + tmp->bss_index); + vif = wcn36xx_priv_to_vif(tmp); +- ieee80211_connection_loss(vif); ++ ieee80211_beacon_loss(vif); + } + return 0; + } +@@ -2067,7 +2067,7 @@ static int wcn36xx_smd_missed_beacon_ind(struct wcn36xx *wcn, + wcn36xx_dbg(WCN36XX_DBG_HAL, "beacon missed bss_index %d\n", + rsp->bss_index); + vif = wcn36xx_priv_to_vif(tmp); +- ieee80211_connection_loss(vif); ++ ieee80211_beacon_loss(vif); + return 0; + } + } +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +index d46efa8d70732..f8c225a726bd4 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -1599,6 +1599,7 @@ static void iwl_mvm_recalc_multicast(struct iwl_mvm *mvm) + struct iwl_mvm_mc_iter_data iter_data = { + .mvm = mvm, + }; ++ int ret; + + lockdep_assert_held(&mvm->mutex); + +@@ -1608,6 +1609,22 @@ static void iwl_mvm_recalc_multicast(struct iwl_mvm *mvm) + ieee80211_iterate_active_interfaces_atomic( + mvm->hw, IEEE80211_IFACE_ITER_NORMAL, + iwl_mvm_mc_iface_iterator, &iter_data); ++ ++ /* ++ * Send a (synchronous) ech command so that we wait for the ++ * multiple asynchronous MCAST_FILTER_CMD commands sent by ++ * the interface iterator. Otherwise, we might get here over ++ * and over again (by userspace just sending a lot of these) ++ * and the CPU can send them faster than the firmware can ++ * process them. ++ * Note that the CPU is still faster - but with this we'll ++ * actually send fewer commands overall because the CPU will ++ * not schedule the work in mac80211 as frequently if it's ++ * still running when rescheduled (possibly multiple times). ++ */ ++ ret = iwl_mvm_send_cmd_pdu(mvm, ECHO_CMD, 0, 0, NULL); ++ if (ret) ++ IWL_ERR(mvm, "Failed to synchronize multicast groups update\n"); + } + + static u64 iwl_mvm_prepare_multicast(struct ieee80211_hw *hw, +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +index fa97432054912..a8470817689cf 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +@@ -1260,7 +1260,7 @@ static int iwl_mvm_check_running_scans(struct iwl_mvm *mvm, int type) + return -EIO; + } + +-#define SCAN_TIMEOUT 20000 ++#define SCAN_TIMEOUT 30000 + + void iwl_mvm_scan_timeout_wk(struct work_struct *work) + { +diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c +index 2c4225e57c396..3a26add665ca0 100644 +--- a/drivers/net/wireless/marvell/mwifiex/usb.c ++++ b/drivers/net/wireless/marvell/mwifiex/usb.c +@@ -132,7 +132,8 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter, + default: + mwifiex_dbg(adapter, ERROR, + "unknown recv_type %#x\n", recv_type); +- return -1; ++ ret = -1; ++ goto exit_restore_skb; + } + break; + case MWIFIEX_USB_EP_DATA: +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c +index 39a6bd314ca3b..264c1d57e10bc 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c +@@ -1037,6 +1037,7 @@ int rtl92cu_hw_init(struct ieee80211_hw *hw) + _InitPABias(hw); + rtl92c_dm_init(hw); + exit: ++ local_irq_disable(); + local_irq_restore(flags); + return err; + } +diff --git a/drivers/parisc/pdc_stable.c b/drivers/parisc/pdc_stable.c +index 3651c3871d5b4..1b4aacf2ff9a5 100644 +--- a/drivers/parisc/pdc_stable.c ++++ b/drivers/parisc/pdc_stable.c +@@ -992,8 +992,10 @@ pdcs_register_pathentries(void) + entry->kobj.kset = paths_kset; + err = kobject_init_and_add(&entry->kobj, &ktype_pdcspath, NULL, + "%s", entry->name); +- if (err) ++ if (err) { ++ kobject_put(&entry->kobj); + return err; ++ } + + /* kobject is now registered */ + write_lock(&entry->rw_lock); +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 3ff2971102b61..8d34c6d0de796 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3916,6 +3916,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9120, + quirk_dma_func1_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123, + quirk_dma_func1_alias); ++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c136 */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9125, ++ quirk_dma_func1_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128, + quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */ +diff --git a/drivers/pcmcia/cs.c b/drivers/pcmcia/cs.c +index c3b615c94b4bf..a92cbc952b70b 100644 +--- a/drivers/pcmcia/cs.c ++++ b/drivers/pcmcia/cs.c +@@ -665,18 +665,16 @@ static int pccardd(void *__skt) + if (events || sysfs_events) + continue; + ++ set_current_state(TASK_INTERRUPTIBLE); + if (kthread_should_stop()) + break; + +- set_current_state(TASK_INTERRUPTIBLE); +- + schedule(); + +- /* make sure we are running */ +- __set_current_state(TASK_RUNNING); +- + try_to_freeze(); + } ++ /* make sure we are running before we exit */ ++ __set_current_state(TASK_RUNNING); + + /* shut down socket, if a device is still present */ + if (skt->state & SOCKET_PRESENT) { +diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c +index 5ef7b46a25786..2e96d9273b780 100644 +--- a/drivers/pcmcia/rsrc_nonstatic.c ++++ b/drivers/pcmcia/rsrc_nonstatic.c +@@ -693,6 +693,9 @@ static struct resource *__nonstatic_find_io_region(struct pcmcia_socket *s, + unsigned long min = base; + int ret; + ++ if (!res) ++ return NULL; ++ + data.mask = align - 1; + data.offset = base & data.mask; + data.map = &s_data->io_db; +@@ -812,6 +815,9 @@ static struct resource *nonstatic_find_mem_region(u_long base, u_long num, + unsigned long min, max; + int ret, i, j; + ++ if (!res) ++ return NULL; ++ + low = low || !(s->features & SS_CAP_PAGE_REGS); + + data.mask = align - 1; +diff --git a/drivers/power/supply/bq25890_charger.c b/drivers/power/supply/bq25890_charger.c +index f993a55cde20f..faf2a62435674 100644 +--- a/drivers/power/supply/bq25890_charger.c ++++ b/drivers/power/supply/bq25890_charger.c +@@ -521,12 +521,12 @@ static void bq25890_handle_state_change(struct bq25890_device *bq, + + if (!new_state->online) { /* power removed */ + /* disable ADC */ +- ret = bq25890_field_write(bq, F_CONV_START, 0); ++ ret = bq25890_field_write(bq, F_CONV_RATE, 0); + if (ret < 0) + goto error; + } else if (!old_state.online) { /* power inserted */ + /* enable ADC, to have control of charge current/voltage */ +- ret = bq25890_field_write(bq, F_CONV_START, 1); ++ ret = bq25890_field_write(bq, F_CONV_RATE, 1); + if (ret < 0) + goto error; + } +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index b962dbe51750d..1dbd8419df7d7 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -342,7 +342,10 @@ static int cmos_set_alarm(struct device *dev, struct rtc_wkalrm *t) + min = t->time.tm_min; + sec = t->time.tm_sec; + ++ spin_lock_irq(&rtc_lock); + rtc_control = CMOS_READ(RTC_CONTROL); ++ spin_unlock_irq(&rtc_lock); ++ + if (!(rtc_control & RTC_DM_BINARY) || RTC_ALWAYS_BCD) { + /* Writing 0xff means "don't care" or "match all". */ + mon = (mon <= 12) ? bin2bcd(mon) : 0xff; +diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c +index 9b63e46edffcc..a2a4c6e22c68d 100644 +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -882,7 +882,7 @@ static void get_capabilities(struct scsi_cd *cd) + + + /* allocate transfer buffer */ +- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA); ++ buffer = kmalloc(512, GFP_KERNEL); + if (!buffer) { + sr_printk(KERN_ERR, cd, "out of memory.\n"); + return; +diff --git a/drivers/scsi/sr_vendor.c b/drivers/scsi/sr_vendor.c +index 11a238cb22223..629bfe1b20263 100644 +--- a/drivers/scsi/sr_vendor.c ++++ b/drivers/scsi/sr_vendor.c +@@ -118,7 +118,7 @@ int sr_set_blocklength(Scsi_CD *cd, int blocklength) + density = (blocklength > 2048) ? 0x81 : 0x83; + #endif + +- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA); ++ buffer = kmalloc(512, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + +@@ -166,7 +166,7 @@ int sr_cd_check(struct cdrom_device_info *cdi) + if (cd->cdi.mask & CDC_MULTI_SESSION) + return 0; + +- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA); ++ buffer = kmalloc(512, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + +diff --git a/drivers/scsi/ufs/tc-dwc-g210-pci.c b/drivers/scsi/ufs/tc-dwc-g210-pci.c +index c09a0fef0fe60..a1785b0239667 100644 +--- a/drivers/scsi/ufs/tc-dwc-g210-pci.c ++++ b/drivers/scsi/ufs/tc-dwc-g210-pci.c +@@ -140,7 +140,6 @@ tc_dwc_g210_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + return err; + } + +- pci_set_drvdata(pdev, hba); + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_allow(&pdev->dev); + +diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c +index b47decc1fb5ba..e9b0cc4cbb4d2 100644 +--- a/drivers/scsi/ufs/ufshcd-pltfrm.c ++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c +@@ -350,8 +350,6 @@ int ufshcd_pltfrm_init(struct platform_device *pdev, + goto dealloc_host; + } + +- platform_set_drvdata(pdev, hba); +- + pm_runtime_set_active(&pdev->dev); + pm_runtime_enable(&pdev->dev); + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index a767d942bfca5..cf7946c840165 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -6766,6 +6766,13 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq) + struct Scsi_Host *host = hba->host; + struct device *dev = hba->dev; + ++ /* ++ * dev_set_drvdata() must be called before any callbacks are registered ++ * that use dev_get_drvdata() (frequency scaling, clock scaling, hwmon, ++ * sysfs). ++ */ ++ dev_set_drvdata(dev, hba); ++ + if (!mmio_base) { + dev_err(hba->dev, + "Invalid memory reference for mmio_base is NULL\n"); +diff --git a/drivers/spi/spi-meson-spifc.c b/drivers/spi/spi-meson-spifc.c +index 616566e793c62..28975b6f054fa 100644 +--- a/drivers/spi/spi-meson-spifc.c ++++ b/drivers/spi/spi-meson-spifc.c +@@ -357,6 +357,7 @@ static int meson_spifc_probe(struct platform_device *pdev) + return 0; + out_clk: + clk_disable_unprepare(spifc->clk); ++ pm_runtime_disable(spifc->dev); + out_err: + spi_master_put(master); + return ret; +diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c +index 9d4e3b0d366f4..fbaf3c407989d 100644 +--- a/drivers/staging/wlan-ng/hfa384x_usb.c ++++ b/drivers/staging/wlan-ng/hfa384x_usb.c +@@ -3848,18 +3848,18 @@ static void hfa384x_usb_throttlefn(unsigned long data) + + spin_lock_irqsave(&hw->ctlxq.lock, flags); + +- /* +- * We need to check BOTH the RX and the TX throttle controls, +- * so we use the bitwise OR instead of the logical OR. +- */ + pr_debug("flags=0x%lx\n", hw->usb_flags); +- if (!hw->wlandev->hwremoved && +- ((test_and_clear_bit(THROTTLE_RX, &hw->usb_flags) && +- !test_and_set_bit(WORK_RX_RESUME, &hw->usb_flags)) | +- (test_and_clear_bit(THROTTLE_TX, &hw->usb_flags) && +- !test_and_set_bit(WORK_TX_RESUME, &hw->usb_flags)) +- )) { +- schedule_work(&hw->usb_work); ++ if (!hw->wlandev->hwremoved) { ++ bool rx_throttle = test_and_clear_bit(THROTTLE_RX, &hw->usb_flags) && ++ !test_and_set_bit(WORK_RX_RESUME, &hw->usb_flags); ++ bool tx_throttle = test_and_clear_bit(THROTTLE_TX, &hw->usb_flags) && ++ !test_and_set_bit(WORK_TX_RESUME, &hw->usb_flags); ++ /* ++ * We need to check BOTH the RX and the TX throttle controls, ++ * so we use the bitwise OR instead of the logical OR. ++ */ ++ if (rx_throttle | tx_throttle) ++ schedule_work(&hw->usb_work); + } + + spin_unlock_irqrestore(&hw->ctlxq.lock, flags); +diff --git a/drivers/tty/serial/amba-pl010.c b/drivers/tty/serial/amba-pl010.c +index 5d41d5b92619a..7f4ba92739663 100644 +--- a/drivers/tty/serial/amba-pl010.c ++++ b/drivers/tty/serial/amba-pl010.c +@@ -465,14 +465,11 @@ pl010_set_termios(struct uart_port *port, struct ktermios *termios, + if ((termios->c_cflag & CREAD) == 0) + uap->port.ignore_status_mask |= UART_DUMMY_RSR_RX; + +- /* first, disable everything */ + old_cr = readb(uap->port.membase + UART010_CR) & ~UART010_CR_MSIE; + + if (UART_ENABLE_MS(port, termios->c_cflag)) + old_cr |= UART010_CR_MSIE; + +- writel(0, uap->port.membase + UART010_CR); +- + /* Set baud rate */ + quot -= 1; + writel((quot & 0xf00) >> 8, uap->port.membase + UART010_LCRM); +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c +index e91bdd7d4c054..ad1d665e9962f 100644 +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -2090,32 +2090,13 @@ static const char *pl011_type(struct uart_port *port) + return uap->port.type == PORT_AMBA ? uap->type : NULL; + } + +-/* +- * Release the memory region(s) being used by 'port' +- */ +-static void pl011_release_port(struct uart_port *port) +-{ +- release_mem_region(port->mapbase, SZ_4K); +-} +- +-/* +- * Request the memory region(s) being used by 'port' +- */ +-static int pl011_request_port(struct uart_port *port) +-{ +- return request_mem_region(port->mapbase, SZ_4K, "uart-pl011") +- != NULL ? 0 : -EBUSY; +-} +- + /* + * Configure/autoconfigure the port. + */ + static void pl011_config_port(struct uart_port *port, int flags) + { +- if (flags & UART_CONFIG_TYPE) { ++ if (flags & UART_CONFIG_TYPE) + port->type = PORT_AMBA; +- pl011_request_port(port); +- } + } + + /* +@@ -2130,6 +2111,8 @@ static int pl011_verify_port(struct uart_port *port, struct serial_struct *ser) + ret = -EINVAL; + if (ser->baud_base < 9600) + ret = -EINVAL; ++ if (port->mapbase != (unsigned long) ser->iomem_base) ++ ret = -EINVAL; + return ret; + } + +@@ -2147,8 +2130,6 @@ static struct uart_ops amba_pl011_pops = { + .flush_buffer = pl011_dma_flush_buffer, + .set_termios = pl011_set_termios, + .type = pl011_type, +- .release_port = pl011_release_port, +- .request_port = pl011_request_port, + .config_port = pl011_config_port, + .verify_port = pl011_verify_port, + #ifdef CONFIG_CONSOLE_POLL +@@ -2178,8 +2159,6 @@ static const struct uart_ops sbsa_uart_pops = { + .shutdown = sbsa_uart_shutdown, + .set_termios = sbsa_uart_set_termios, + .type = pl011_type, +- .release_port = pl011_release_port, +- .request_port = pl011_request_port, + .config_port = pl011_config_port, + .verify_port = pl011_verify_port, + #ifdef CONFIG_CONSOLE_POLL +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index 4a7eb85f7c857..5dd04a1145b40 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -928,6 +928,13 @@ static void atmel_tx_dma(struct uart_port *port) + desc->callback = atmel_complete_tx_dma; + desc->callback_param = atmel_port; + atmel_port->cookie_tx = dmaengine_submit(desc); ++ if (dma_submit_error(atmel_port->cookie_tx)) { ++ dev_err(port->dev, "dma_submit_error %d\n", ++ atmel_port->cookie_tx); ++ return; ++ } ++ ++ dma_async_issue_pending(chan); + } + + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) +@@ -1186,6 +1193,13 @@ static int atmel_prepare_rx_dma(struct uart_port *port) + desc->callback_param = port; + atmel_port->desc_rx = desc; + atmel_port->cookie_rx = dmaengine_submit(desc); ++ if (dma_submit_error(atmel_port->cookie_rx)) { ++ dev_err(port->dev, "dma_submit_error %d\n", ++ atmel_port->cookie_rx); ++ goto chan_err; ++ } ++ ++ dma_async_issue_pending(atmel_port->chan_rx); + + return 0; + +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index e97961dc3622d..ec458add38833 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -2349,7 +2349,8 @@ uart_configure_port(struct uart_driver *drv, struct uart_state *state, + * We probably don't need a spinlock around this, but + */ + spin_lock_irqsave(&port->lock, flags); +- port->ops->set_mctrl(port, port->mctrl & TIOCM_DTR); ++ port->mctrl &= TIOCM_DTR; ++ port->ops->set_mctrl(port, port->mctrl); + spin_unlock_irqrestore(&port->lock, flags); + + /* +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index 1dd4c65e9188a..2246731d96b0e 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -760,6 +760,7 @@ void usb_hcd_poll_rh_status(struct usb_hcd *hcd) + { + struct urb *urb; + int length; ++ int status; + unsigned long flags; + char buffer[6]; /* Any root hubs with > 31 ports? */ + +@@ -777,11 +778,17 @@ void usb_hcd_poll_rh_status(struct usb_hcd *hcd) + if (urb) { + clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags); + hcd->status_urb = NULL; ++ if (urb->transfer_buffer_length >= length) { ++ status = 0; ++ } else { ++ status = -EOVERFLOW; ++ length = urb->transfer_buffer_length; ++ } + urb->actual_length = length; + memcpy(urb->transfer_buffer, buffer, length); + + usb_hcd_unlink_urb_from_ep(hcd, urb); +- usb_hcd_giveback_urb(hcd, urb, 0); ++ usb_hcd_giveback_urb(hcd, urb, status); + } else { + length = 0; + set_bit(HCD_FLAG_POLL_PENDING, &hcd->flags); +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 0abcf8bbb73fe..33bf5ba438397 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1070,7 +1070,10 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + } else { + hub_power_on(hub, true); + } +- } ++ /* Give some time on remote wakeup to let links to transit to U0 */ ++ } else if (hub_is_superspeed(hub->hdev)) ++ msleep(20); ++ + init2: + + /* +@@ -1185,7 +1188,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + */ + if (portchange || (hub_is_superspeed(hub->hdev) && + port_resumed)) +- set_bit(port1, hub->change_bits); ++ set_bit(port1, hub->event_bits); + + } else if (udev->persist_enabled) { + #ifdef CONFIG_PM +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 0336392686935..e4826454de1a7 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -608,7 +608,7 @@ static int ffs_ep0_open(struct inode *inode, struct file *file) + file->private_data = ffs; + ffs_data_opened(ffs); + +- return 0; ++ return stream_open(inode, file); + } + + static int ffs_ep0_release(struct inode *inode, struct file *file) +@@ -1071,7 +1071,7 @@ ffs_epfile_open(struct inode *inode, struct file *file) + file->private_data = epfile; + ffs_data_opened(epfile->ffs); + +- return 0; ++ return stream_open(inode, file); + } + + static int ffs_aio_cancel(struct kiocb *kiocb) +diff --git a/drivers/usb/misc/ftdi-elan.c b/drivers/usb/misc/ftdi-elan.c +index 9a82f8308ad7f..0738078fe8b82 100644 +--- a/drivers/usb/misc/ftdi-elan.c ++++ b/drivers/usb/misc/ftdi-elan.c +@@ -206,6 +206,7 @@ static void ftdi_elan_delete(struct kref *kref) + mutex_unlock(&ftdi_module_lock); + kfree(ftdi->bulk_in_buffer); + ftdi->bulk_in_buffer = NULL; ++ kfree(ftdi); + } + + static void ftdi_elan_put_kref(struct usb_ftdi *ftdi) +diff --git a/drivers/w1/slaves/w1_ds28e04.c b/drivers/w1/slaves/w1_ds28e04.c +index 5e348d38ec5c9..f4cf54c256fd8 100644 +--- a/drivers/w1/slaves/w1_ds28e04.c ++++ b/drivers/w1/slaves/w1_ds28e04.c +@@ -39,7 +39,7 @@ static int w1_strong_pullup = 1; + module_param_named(strong_pullup, w1_strong_pullup, int, 0); + + /* enable/disable CRC checking on DS28E04-100 memory accesses */ +-static char w1_enable_crccheck = 1; ++static bool w1_enable_crccheck = true; + + #define W1_EEPROM_SIZE 512 + #define W1_PAGE_COUNT 16 +@@ -346,32 +346,18 @@ static BIN_ATTR_RW(pio, 1); + static ssize_t crccheck_show(struct device *dev, struct device_attribute *attr, + char *buf) + { +- if (put_user(w1_enable_crccheck + 0x30, buf)) +- return -EFAULT; +- +- return sizeof(w1_enable_crccheck); ++ return sysfs_emit(buf, "%d\n", w1_enable_crccheck); + } + + static ssize_t crccheck_store(struct device *dev, struct device_attribute *attr, + const char *buf, size_t count) + { +- char val; +- +- if (count != 1 || !buf) +- return -EINVAL; ++ int err = kstrtobool(buf, &w1_enable_crccheck); + +- if (get_user(val, buf)) +- return -EFAULT; ++ if (err) ++ return err; + +- /* convert to decimal */ +- val = val - 0x30; +- if (val != 0 && val != 1) +- return -EINVAL; +- +- /* set the new value */ +- w1_enable_crccheck = val; +- +- return sizeof(w1_enable_crccheck); ++ return count; + } + + static DEVICE_ATTR_RW(crccheck); +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c +index bb008ac507fe3..16169b35ab6e5 100644 +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1271,7 +1271,12 @@ again: + ret = btrfs_search_slot(trans, fs_info->extent_root, &key, path, 0, 0); + if (ret < 0) + goto out; +- BUG_ON(ret == 0); ++ if (ret == 0) { ++ /* This shouldn't happen, indicates a bug or fs corruption. */ ++ ASSERT(ret != 0); ++ ret = -EUCLEAN; ++ goto out; ++ } + + #ifdef CONFIG_BTRFS_FS_RUN_SANITY_TESTS + if (trans && likely(trans->type != __TRANS_DUMMY) && +@@ -1432,10 +1437,18 @@ again: + goto out; + if (!ret && extent_item_pos) { + /* +- * we've recorded that parent, so we must extend +- * its inode list here ++ * We've recorded that parent, so we must extend ++ * its inode list here. ++ * ++ * However if there was corruption we may not ++ * have found an eie, return an error in this ++ * case. + */ +- BUG_ON(!eie); ++ ASSERT(eie); ++ if (!eie) { ++ ret = -EUCLEAN; ++ goto out; ++ } + while (eie->next) + eie = eie->next; + eie->next = ref->inode_list; +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c +index 3a7f401e943c1..ffab7dc881574 100644 +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -3975,6 +3975,14 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms) + int from = ms->m_header.h_nodeid; + int error = 0; + ++ /* currently mixing of user/kernel locks are not supported */ ++ if (ms->m_flags & DLM_IFL_USER && ~lkb->lkb_flags & DLM_IFL_USER) { ++ log_error(lkb->lkb_resource->res_ls, ++ "got user dlm message for a kernel lock"); ++ error = -EINVAL; ++ goto out; ++ } ++ + switch (ms->m_type) { + case DLM_MSG_CONVERT: + case DLM_MSG_UNLOCK: +@@ -4003,6 +4011,7 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms) + error = -EINVAL; + } + ++out: + if (error) + log_error(lkb->lkb_resource->res_ls, + "ignore invalid message %d from %d %x %x %x %d", +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index 75fff707beb6a..e7384a6e6a083 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -760,8 +760,6 @@ resizefs_out: + sizeof(range))) + return -EFAULT; + +- range.minlen = max((unsigned int)range.minlen, +- q->limits.discard_granularity); + ret = ext4_trim_fs(sb, &range); + if (ret < 0) + return ret; +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 807331da9dfc1..2a7fb2cf19b81 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5224,6 +5224,7 @@ out: + */ + int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range) + { ++ struct request_queue *q = bdev_get_queue(sb->s_bdev); + struct ext4_group_info *grp; + ext4_group_t group, first_group, last_group; + ext4_grpblk_t cnt = 0, first_cluster, last_cluster; +@@ -5242,6 +5243,13 @@ int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range) + start >= max_blks || + range->len < sb->s_blocksize) + return -EINVAL; ++ /* No point to try to trim less than discard granularity */ ++ if (range->minlen < q->limits.discard_granularity) { ++ minlen = EXT4_NUM_B2C(EXT4_SB(sb), ++ q->limits.discard_granularity >> sb->s_blocksize_bits); ++ if (minlen > EXT4_CLUSTERS_PER_GROUP(sb)) ++ goto out; ++ } + if (end >= max_blks) + end = max_blks - 1; + if (end <= first_data_blk) +diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c +index bce2d696d6b9c..6967ab3306e7d 100644 +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -462,12 +462,12 @@ int ext4_ext_migrate(struct inode *inode) + percpu_down_write(&sbi->s_writepages_rwsem); + + /* +- * Worst case we can touch the allocation bitmaps, a bgd +- * block, and a block to link in the orphan list. We do need +- * need to worry about credits for modifying the quota inode. ++ * Worst case we can touch the allocation bitmaps and a block ++ * group descriptor block. We do need need to worry about ++ * credits for modifying the quota inode. + */ + handle = ext4_journal_start(inode, EXT4_HT_MIGRATE, +- 4 + EXT4_MAXQUOTAS_TRANS_BLOCKS(inode->i_sb)); ++ 3 + EXT4_MAXQUOTAS_TRANS_BLOCKS(inode->i_sb)); + + if (IS_ERR(handle)) { + retval = PTR_ERR(handle); +@@ -484,6 +484,13 @@ int ext4_ext_migrate(struct inode *inode) + ext4_journal_stop(handle); + goto out_unlock; + } ++ /* ++ * Use the correct seed for checksum (i.e. the seed from 'inode'). This ++ * is so that the metadata blocks will have the correct checksum after ++ * the migration. ++ */ ++ ei = EXT4_I(inode); ++ EXT4_I(tmp_inode)->i_csum_seed = ei->i_csum_seed; + i_size_write(tmp_inode, i_size_read(inode)); + /* + * Set the i_nlink to zero so it will be deleted later +@@ -492,7 +499,6 @@ int ext4_ext_migrate(struct inode *inode) + clear_nlink(tmp_inode); + + ext4_ext_tree_init(handle, tmp_inode); +- ext4_orphan_add(handle, tmp_inode); + ext4_journal_stop(handle); + + /* +@@ -517,17 +523,10 @@ int ext4_ext_migrate(struct inode *inode) + + handle = ext4_journal_start(inode, EXT4_HT_MIGRATE, 1); + if (IS_ERR(handle)) { +- /* +- * It is impossible to update on-disk structures without +- * a handle, so just rollback in-core changes and live other +- * work to orphan_list_cleanup() +- */ +- ext4_orphan_del(NULL, tmp_inode); + retval = PTR_ERR(handle); + goto out_tmp_inode; + } + +- ei = EXT4_I(inode); + i_data = ei->i_data; + memset(&lb, 0, sizeof(lb)); + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index ca89590d1df57..e17a6396bde6c 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5602,7 +5602,7 @@ static ssize_t ext4_quota_write(struct super_block *sb, int type, + struct buffer_head *bh; + handle_t *handle = journal_current_handle(); + +- if (EXT4_SB(sb)->s_journal && !handle) { ++ if (!handle) { + ext4_msg(sb, KERN_WARNING, "Quota write (off=%llu, len=%llu)" + " cancelled because transaction is not started", + (unsigned long long)off, (unsigned long long)len); +diff --git a/fs/fuse/acl.c b/fs/fuse/acl.c +index ec85765502f1f..990529da5354d 100644 +--- a/fs/fuse/acl.c ++++ b/fs/fuse/acl.c +@@ -19,6 +19,9 @@ struct posix_acl *fuse_get_acl(struct inode *inode, int type) + void *value = NULL; + struct posix_acl *acl; + ++ if (fuse_is_bad(inode)) ++ return ERR_PTR(-EIO); ++ + if (!fc->posix_acl || fc->no_getxattr) + return NULL; + +@@ -53,6 +56,9 @@ int fuse_set_acl(struct inode *inode, struct posix_acl *acl, int type) + const char *name; + int ret; + ++ if (fuse_is_bad(inode)) ++ return -EIO; ++ + if (!fc->posix_acl || fc->no_setxattr) + return -EOPNOTSUPP; + +diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c +index b41cc537eb311..c40bdfab0a859 100644 +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -187,7 +187,7 @@ static int fuse_dentry_revalidate(struct dentry *entry, unsigned int flags) + int ret; + + inode = d_inode_rcu(entry); +- if (inode && is_bad_inode(inode)) ++ if (inode && fuse_is_bad(inode)) + goto invalid; + else if (time_before64(fuse_dentry_time(entry), get_jiffies_64()) || + (flags & LOOKUP_REVAL)) { +@@ -364,6 +364,9 @@ static struct dentry *fuse_lookup(struct inode *dir, struct dentry *entry, + bool outarg_valid = true; + bool locked; + ++ if (fuse_is_bad(dir)) ++ return ERR_PTR(-EIO); ++ + locked = fuse_lock_inode(dir); + err = fuse_lookup_name(dir->i_sb, get_node_id(dir), &entry->d_name, + &outarg, &inode); +@@ -504,6 +507,9 @@ static int fuse_atomic_open(struct inode *dir, struct dentry *entry, + struct fuse_conn *fc = get_fuse_conn(dir); + struct dentry *res = NULL; + ++ if (fuse_is_bad(dir)) ++ return -EIO; ++ + if (d_in_lookup(entry)) { + res = fuse_lookup(dir, entry, 0); + if (IS_ERR(res)) +@@ -551,6 +557,9 @@ static int create_new_entry(struct fuse_conn *fc, struct fuse_args *args, + int err; + struct fuse_forget_link *forget; + ++ if (fuse_is_bad(dir)) ++ return -EIO; ++ + forget = fuse_alloc_forget(); + if (!forget) + return -ENOMEM; +@@ -672,6 +681,9 @@ static int fuse_unlink(struct inode *dir, struct dentry *entry) + struct fuse_conn *fc = get_fuse_conn(dir); + FUSE_ARGS(args); + ++ if (fuse_is_bad(dir)) ++ return -EIO; ++ + args.in.h.opcode = FUSE_UNLINK; + args.in.h.nodeid = get_node_id(dir); + args.in.numargs = 1; +@@ -708,6 +720,9 @@ static int fuse_rmdir(struct inode *dir, struct dentry *entry) + struct fuse_conn *fc = get_fuse_conn(dir); + FUSE_ARGS(args); + ++ if (fuse_is_bad(dir)) ++ return -EIO; ++ + args.in.h.opcode = FUSE_RMDIR; + args.in.h.nodeid = get_node_id(dir); + args.in.numargs = 1; +@@ -786,6 +801,9 @@ static int fuse_rename2(struct inode *olddir, struct dentry *oldent, + struct fuse_conn *fc = get_fuse_conn(olddir); + int err; + ++ if (fuse_is_bad(olddir)) ++ return -EIO; ++ + if (flags & ~(RENAME_NOREPLACE | RENAME_EXCHANGE)) + return -EINVAL; + +@@ -921,7 +939,7 @@ static int fuse_do_getattr(struct inode *inode, struct kstat *stat, + if (!err) { + if (fuse_invalid_attr(&outarg.attr) || + (inode->i_mode ^ outarg.attr.mode) & S_IFMT) { +- make_bad_inode(inode); ++ fuse_make_bad(inode); + err = -EIO; + } else { + fuse_change_attributes(inode, &outarg.attr, +@@ -1114,6 +1132,9 @@ static int fuse_permission(struct inode *inode, int mask) + bool refreshed = false; + int err = 0; + ++ if (fuse_is_bad(inode)) ++ return -EIO; ++ + if (!fuse_allow_current_process(fc)) + return -EACCES; + +@@ -1251,7 +1272,7 @@ retry: + dput(dentry); + goto retry; + } +- if (is_bad_inode(inode)) { ++ if (fuse_is_bad(inode)) { + dput(dentry); + return -EIO; + } +@@ -1349,7 +1370,7 @@ static int fuse_readdir(struct file *file, struct dir_context *ctx) + u64 attr_version = 0; + bool locked; + +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + return -EIO; + + req = fuse_get_req(fc, 1); +@@ -1409,6 +1430,9 @@ static const char *fuse_get_link(struct dentry *dentry, + if (!dentry) + return ERR_PTR(-ECHILD); + ++ if (fuse_is_bad(inode)) ++ return ERR_PTR(-EIO); ++ + link = kmalloc(PAGE_SIZE, GFP_KERNEL); + if (!link) + return ERR_PTR(-ENOMEM); +@@ -1707,7 +1731,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr, + + if (fuse_invalid_attr(&outarg.attr) || + (inode->i_mode ^ outarg.attr.mode) & S_IFMT) { +- make_bad_inode(inode); ++ fuse_make_bad(inode); + err = -EIO; + goto error; + } +@@ -1763,6 +1787,9 @@ static int fuse_setattr(struct dentry *entry, struct iattr *attr) + struct file *file = (attr->ia_valid & ATTR_FILE) ? attr->ia_file : NULL; + int ret; + ++ if (fuse_is_bad(inode)) ++ return -EIO; ++ + if (!fuse_allow_current_process(get_fuse_conn(inode))) + return -EACCES; + +@@ -1821,6 +1848,9 @@ static int fuse_getattr(struct vfsmount *mnt, struct dentry *entry, + struct inode *inode = d_inode(entry); + struct fuse_conn *fc = get_fuse_conn(inode); + ++ if (fuse_is_bad(inode)) ++ return -EIO; ++ + if (!fuse_allow_current_process(fc)) + return -EACCES; + +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index cea2317e01380..8aef8e56eb1b6 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -206,6 +206,9 @@ int fuse_open_common(struct inode *inode, struct file *file, bool isdir) + fc->atomic_o_trunc && + fc->writeback_cache; + ++ if (fuse_is_bad(inode)) ++ return -EIO; ++ + err = generic_file_open(inode, file); + if (err) + return err; +@@ -411,7 +414,7 @@ static int fuse_flush(struct file *file, fl_owner_t id) + struct fuse_flush_in inarg; + int err; + +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + return -EIO; + + if (fc->no_flush) +@@ -459,7 +462,7 @@ int fuse_fsync_common(struct file *file, loff_t start, loff_t end, + struct fuse_fsync_in inarg; + int err; + +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + return -EIO; + + inode_lock(inode); +@@ -771,7 +774,7 @@ static int fuse_readpage(struct file *file, struct page *page) + int err; + + err = -EIO; +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + goto out; + + err = fuse_do_readpage(file, page); +@@ -898,7 +901,7 @@ static int fuse_readpages(struct file *file, struct address_space *mapping, + int nr_alloc = min_t(unsigned, nr_pages, FUSE_MAX_PAGES_PER_REQ); + + err = -EIO; +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + goto out; + + data.file = file; +@@ -928,6 +931,9 @@ static ssize_t fuse_file_read_iter(struct kiocb *iocb, struct iov_iter *to) + struct inode *inode = iocb->ki_filp->f_mapping->host; + struct fuse_conn *fc = get_fuse_conn(inode); + ++ if (fuse_is_bad(inode)) ++ return -EIO; ++ + /* + * In auto invalidate mode, always update attributes on read. + * Otherwise, only update if we attempt to read past EOF (to ensure +@@ -1123,7 +1129,7 @@ static ssize_t fuse_perform_write(struct file *file, + int err = 0; + ssize_t res = 0; + +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + return -EIO; + + if (inode->i_size < pos + iov_iter_count(ii)) +@@ -1180,6 +1186,9 @@ static ssize_t fuse_file_write_iter(struct kiocb *iocb, struct iov_iter *from) + ssize_t err; + loff_t endbyte = 0; + ++ if (fuse_is_bad(inode)) ++ return -EIO; ++ + if (get_fuse_conn(inode)->writeback_cache) { + /* Update size (EOF optimization) and mode (SUID clearing) */ + err = fuse_update_attributes(mapping->host, NULL, file, NULL); +@@ -1415,7 +1424,7 @@ static ssize_t __fuse_direct_read(struct fuse_io_priv *io, + struct file *file = io->file; + struct inode *inode = file_inode(file); + +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + return -EIO; + + res = fuse_direct_io(io, iter, ppos, 0); +@@ -1438,7 +1447,7 @@ static ssize_t fuse_direct_write_iter(struct kiocb *iocb, struct iov_iter *from) + struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(file); + ssize_t res; + +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + return -EIO; + + /* Don't allow parallel writes to the same file */ +@@ -1911,7 +1920,7 @@ static int fuse_writepages(struct address_space *mapping, + int err; + + err = -EIO; +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + goto out; + + data.inode = inode; +@@ -2687,7 +2696,7 @@ long fuse_ioctl_common(struct file *file, unsigned int cmd, + if (!fuse_allow_current_process(fc)) + return -EACCES; + +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + return -EIO; + + return fuse_do_ioctl(file, cmd, arg, flags); +diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h +index f84dd6d87d90f..7e4b0e298bc73 100644 +--- a/fs/fuse/fuse_i.h ++++ b/fs/fuse/fuse_i.h +@@ -115,6 +115,8 @@ enum { + FUSE_I_INIT_RDPLUS, + /** An operation changing file size is in progress */ + FUSE_I_SIZE_UNSTABLE, ++ /* Bad inode */ ++ FUSE_I_BAD, + }; + + struct fuse_conn; +@@ -688,6 +690,17 @@ static inline u64 get_node_id(struct inode *inode) + return get_fuse_inode(inode)->nodeid; + } + ++static inline void fuse_make_bad(struct inode *inode) ++{ ++ remove_inode_hash(inode); ++ set_bit(FUSE_I_BAD, &get_fuse_inode(inode)->state); ++} ++ ++static inline bool fuse_is_bad(struct inode *inode) ++{ ++ return unlikely(test_bit(FUSE_I_BAD, &get_fuse_inode(inode)->state)); ++} ++ + /** Device operations */ + extern const struct file_operations fuse_dev_operations; + +diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c +index 7a9b1069d267b..77b8f0f264078 100644 +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -316,7 +316,7 @@ struct inode *fuse_iget(struct super_block *sb, u64 nodeid, + unlock_new_inode(inode); + } else if ((inode->i_mode ^ attr->mode) & S_IFMT) { + /* Inode has changed type, any I/O on the old should fail */ +- make_bad_inode(inode); ++ fuse_make_bad(inode); + iput(inode); + goto retry; + } +diff --git a/fs/fuse/xattr.c b/fs/fuse/xattr.c +index 3caac46b08b0e..134bbc432ae60 100644 +--- a/fs/fuse/xattr.c ++++ b/fs/fuse/xattr.c +@@ -113,6 +113,9 @@ ssize_t fuse_listxattr(struct dentry *entry, char *list, size_t size) + struct fuse_getxattr_out outarg; + ssize_t ret; + ++ if (fuse_is_bad(inode)) ++ return -EIO; ++ + if (!fuse_allow_current_process(fc)) + return -EACCES; + +@@ -178,6 +181,9 @@ static int fuse_xattr_get(const struct xattr_handler *handler, + struct dentry *dentry, struct inode *inode, + const char *name, void *value, size_t size) + { ++ if (fuse_is_bad(inode)) ++ return -EIO; ++ + return fuse_getxattr(inode, name, value, size); + } + +@@ -186,6 +192,9 @@ static int fuse_xattr_set(const struct xattr_handler *handler, + const char *name, const void *value, size_t size, + int flags) + { ++ if (fuse_is_bad(inode)) ++ return -EIO; ++ + if (!value) + return fuse_removexattr(inode, name); + +diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c +index c12476e309c67..eb4e4d784d26e 100644 +--- a/fs/jffs2/file.c ++++ b/fs/jffs2/file.c +@@ -135,20 +135,15 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + struct page *pg; + struct inode *inode = mapping->host; + struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); ++ struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); + pgoff_t index = pos >> PAGE_SHIFT; + uint32_t pageofs = index << PAGE_SHIFT; + int ret = 0; + +- pg = grab_cache_page_write_begin(mapping, index, flags); +- if (!pg) +- return -ENOMEM; +- *pagep = pg; +- + jffs2_dbg(1, "%s()\n", __func__); + + if (pageofs > inode->i_size) { + /* Make new hole frag from old EOF to new page */ +- struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); + struct jffs2_raw_inode ri; + struct jffs2_full_dnode *fn; + uint32_t alloc_len; +@@ -159,7 +154,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len, + ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE); + if (ret) +- goto out_page; ++ goto out_err; + + mutex_lock(&f->sem); + memset(&ri, 0, sizeof(ri)); +@@ -189,7 +184,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + ret = PTR_ERR(fn); + jffs2_complete_reservation(c); + mutex_unlock(&f->sem); +- goto out_page; ++ goto out_err; + } + ret = jffs2_add_full_dnode_to_inode(c, f, fn); + if (f->metadata) { +@@ -204,13 +199,26 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + jffs2_free_full_dnode(fn); + jffs2_complete_reservation(c); + mutex_unlock(&f->sem); +- goto out_page; ++ goto out_err; + } + jffs2_complete_reservation(c); + inode->i_size = pageofs; + mutex_unlock(&f->sem); + } + ++ /* ++ * While getting a page and reading data in, lock c->alloc_sem until ++ * the page is Uptodate. Otherwise GC task may attempt to read the same ++ * page in read_cache_page(), which causes a deadlock. ++ */ ++ mutex_lock(&c->alloc_sem); ++ pg = grab_cache_page_write_begin(mapping, index, flags); ++ if (!pg) { ++ ret = -ENOMEM; ++ goto release_sem; ++ } ++ *pagep = pg; ++ + /* + * Read in the page if it wasn't already present. Cannot optimize away + * the whole page write case until jffs2_write_end can handle the +@@ -220,15 +228,17 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + mutex_lock(&f->sem); + ret = jffs2_do_readpage_nolock(inode, pg); + mutex_unlock(&f->sem); +- if (ret) +- goto out_page; ++ if (ret) { ++ unlock_page(pg); ++ put_page(pg); ++ goto release_sem; ++ } + } + jffs2_dbg(1, "end write_begin(). pg->flags %lx\n", pg->flags); +- return ret; + +-out_page: +- unlock_page(pg); +- put_page(pg); ++release_sem: ++ mutex_unlock(&c->alloc_sem); ++out_err: + return ret; + } + +diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c +index 727a9e3fa806f..ce58e857ae3bc 100644 +--- a/fs/ubifs/super.c ++++ b/fs/ubifs/super.c +@@ -1695,7 +1695,6 @@ out: + kthread_stop(c->bgt); + c->bgt = NULL; + } +- free_wbufs(c); + kfree(c->write_reserve_buf); + c->write_reserve_buf = NULL; + vfree(c->ileb_buf); +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 7a4c035b187f3..81ee5d0b26424 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1269,6 +1269,8 @@ int copy_page_range(struct mm_struct *dst, struct mm_struct *src, + struct vm_area_struct *vma); + void unmap_mapping_range(struct address_space *mapping, + loff_t const holebegin, loff_t const holelen, int even_cows); ++int follow_pte_pmd(struct mm_struct *mm, unsigned long address, ++ pte_t **ptepp, pmd_t **pmdpp, spinlock_t **ptlp); + int follow_pfn(struct vm_area_struct *vma, unsigned long address, + unsigned long *pfn); + int follow_phys(struct vm_area_struct *vma, unsigned long address, +diff --git a/include/linux/rbtree.h b/include/linux/rbtree.h +index e585018498d59..d574361943ea8 100644 +--- a/include/linux/rbtree.h ++++ b/include/linux/rbtree.h +@@ -44,10 +44,25 @@ struct rb_root { + struct rb_node *rb_node; + }; + ++/* ++ * Leftmost-cached rbtrees. ++ * ++ * We do not cache the rightmost node based on footprint ++ * size vs number of potential users that could benefit ++ * from O(1) rb_last(). Just not worth it, users that want ++ * this feature can always implement the logic explicitly. ++ * Furthermore, users that want to cache both pointers may ++ * find it a bit asymmetric, but that's ok. ++ */ ++struct rb_root_cached { ++ struct rb_root rb_root; ++ struct rb_node *rb_leftmost; ++}; + + #define rb_parent(r) ((struct rb_node *)((r)->__rb_parent_color & ~3)) + + #define RB_ROOT (struct rb_root) { NULL, } ++#define RB_ROOT_CACHED (struct rb_root_cached) { {NULL, }, NULL } + #define rb_entry(ptr, type, member) container_of(ptr, type, member) + + #define RB_EMPTY_ROOT(root) (READ_ONCE((root)->rb_node) == NULL) +@@ -69,6 +84,12 @@ extern struct rb_node *rb_prev(const struct rb_node *); + extern struct rb_node *rb_first(const struct rb_root *); + extern struct rb_node *rb_last(const struct rb_root *); + ++extern void rb_insert_color_cached(struct rb_node *, ++ struct rb_root_cached *, bool); ++extern void rb_erase_cached(struct rb_node *node, struct rb_root_cached *); ++/* Same as rb_first(), but O(1) */ ++#define rb_first_cached(root) (root)->rb_leftmost ++ + /* Postorder iteration - always visit the parent after its children */ + extern struct rb_node *rb_first_postorder(const struct rb_root *); + extern struct rb_node *rb_next_postorder(const struct rb_node *); +diff --git a/include/linux/rbtree_augmented.h b/include/linux/rbtree_augmented.h +index d076183e49bec..023d64657e956 100644 +--- a/include/linux/rbtree_augmented.h ++++ b/include/linux/rbtree_augmented.h +@@ -41,7 +41,9 @@ struct rb_augment_callbacks { + void (*rotate)(struct rb_node *old, struct rb_node *new); + }; + +-extern void __rb_insert_augmented(struct rb_node *node, struct rb_root *root, ++extern void __rb_insert_augmented(struct rb_node *node, ++ struct rb_root *root, ++ bool newleft, struct rb_node **leftmost, + void (*augment_rotate)(struct rb_node *old, struct rb_node *new)); + /* + * Fixup the rbtree and update the augmented information when rebalancing. +@@ -57,7 +59,16 @@ static inline void + rb_insert_augmented(struct rb_node *node, struct rb_root *root, + const struct rb_augment_callbacks *augment) + { +- __rb_insert_augmented(node, root, augment->rotate); ++ __rb_insert_augmented(node, root, false, NULL, augment->rotate); ++} ++ ++static inline void ++rb_insert_augmented_cached(struct rb_node *node, ++ struct rb_root_cached *root, bool newleft, ++ const struct rb_augment_callbacks *augment) ++{ ++ __rb_insert_augmented(node, &root->rb_root, ++ newleft, &root->rb_leftmost, augment->rotate); + } + + #define RB_DECLARE_CALLBACKS(rbstatic, rbname, rbstruct, rbfield, \ +@@ -148,6 +159,7 @@ extern void __rb_erase_color(struct rb_node *parent, struct rb_root *root, + + static __always_inline struct rb_node * + __rb_erase_augmented(struct rb_node *node, struct rb_root *root, ++ struct rb_node **leftmost, + const struct rb_augment_callbacks *augment) + { + struct rb_node *child = node->rb_right; +@@ -155,6 +167,9 @@ __rb_erase_augmented(struct rb_node *node, struct rb_root *root, + struct rb_node *parent, *rebalance; + unsigned long pc; + ++ if (leftmost && node == *leftmost) ++ *leftmost = rb_next(node); ++ + if (!tmp) { + /* + * Case 1: node to erase has no more than 1 child (easy!) +@@ -254,9 +269,21 @@ static __always_inline void + rb_erase_augmented(struct rb_node *node, struct rb_root *root, + const struct rb_augment_callbacks *augment) + { +- struct rb_node *rebalance = __rb_erase_augmented(node, root, augment); ++ struct rb_node *rebalance = __rb_erase_augmented(node, root, ++ NULL, augment); + if (rebalance) + __rb_erase_color(rebalance, root, augment->rotate); + } + ++static __always_inline void ++rb_erase_augmented_cached(struct rb_node *node, struct rb_root_cached *root, ++ const struct rb_augment_callbacks *augment) ++{ ++ struct rb_node *rebalance = __rb_erase_augmented(node, &root->rb_root, ++ &root->rb_leftmost, ++ augment); ++ if (rebalance) ++ __rb_erase_color(rebalance, &root->rb_root, augment->rotate); ++} ++ + #endif /* _LINUX_RBTREE_AUGMENTED_H */ +diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h +index 7eec17ad7fa19..42868a9b43657 100644 +--- a/include/linux/timerqueue.h ++++ b/include/linux/timerqueue.h +@@ -11,8 +11,7 @@ struct timerqueue_node { + }; + + struct timerqueue_head { +- struct rb_root head; +- struct timerqueue_node *next; ++ struct rb_root_cached rb_root; + }; + + +@@ -28,13 +27,14 @@ extern struct timerqueue_node *timerqueue_iterate_next( + * + * @head: head of timerqueue + * +- * Returns a pointer to the timer node that has the +- * earliest expiration time. ++ * Returns a pointer to the timer node that has the earliest expiration time. + */ + static inline + struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head) + { +- return head->next; ++ struct rb_node *leftmost = rb_first_cached(&head->rb_root); ++ ++ return rb_entry(leftmost, struct timerqueue_node, node); + } + + static inline void timerqueue_init(struct timerqueue_node *node) +@@ -44,7 +44,6 @@ static inline void timerqueue_init(struct timerqueue_node *node) + + static inline void timerqueue_init_head(struct timerqueue_head *head) + { +- head->head = RB_ROOT; +- head->next = NULL; ++ head->rb_root = RB_ROOT_CACHED; + } + #endif /* _LINUX_TIMERQUEUE_H */ +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 5d5a137b9067f..7ec889291dc48 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -837,6 +837,7 @@ struct psched_ratecfg { + u64 rate_bytes_ps; /* bytes per second */ + u32 mult; + u16 overhead; ++ u16 mpu; + u8 linklayer; + u8 shift; + }; +@@ -846,6 +847,9 @@ static inline u64 psched_l2t_ns(const struct psched_ratecfg *r, + { + len += r->overhead; + ++ if (len < r->mpu) ++ len = r->mpu; ++ + if (unlikely(r->linklayer == TC_LINKLAYER_ATM)) + return ((u64)(DIV_ROUND_UP(len,48)*53) * r->mult) >> r->shift; + +@@ -868,6 +872,7 @@ static inline void psched_ratecfg_getrate(struct tc_ratespec *res, + res->rate = min_t(u64, r->rate_bytes_ps, ~0U); + + res->overhead = r->overhead; ++ res->mpu = r->mpu; + res->linklayer = (r->linklayer & TC_LINKLAYER_MASK); + } + +diff --git a/lib/rbtree.c b/lib/rbtree.c +index eb8a19fee1100..53746be42903b 100644 +--- a/lib/rbtree.c ++++ b/lib/rbtree.c +@@ -95,10 +95,14 @@ __rb_rotate_set_parents(struct rb_node *old, struct rb_node *new, + + static __always_inline void + __rb_insert(struct rb_node *node, struct rb_root *root, ++ bool newleft, struct rb_node **leftmost, + void (*augment_rotate)(struct rb_node *old, struct rb_node *new)) + { + struct rb_node *parent = rb_red_parent(node), *gparent, *tmp; + ++ if (newleft) ++ *leftmost = node; ++ + while (true) { + /* + * Loop invariant: node is red +@@ -417,19 +421,38 @@ static const struct rb_augment_callbacks dummy_callbacks = { + + void rb_insert_color(struct rb_node *node, struct rb_root *root) + { +- __rb_insert(node, root, dummy_rotate); ++ __rb_insert(node, root, false, NULL, dummy_rotate); + } + EXPORT_SYMBOL(rb_insert_color); + + void rb_erase(struct rb_node *node, struct rb_root *root) + { + struct rb_node *rebalance; +- rebalance = __rb_erase_augmented(node, root, &dummy_callbacks); ++ rebalance = __rb_erase_augmented(node, root, ++ NULL, &dummy_callbacks); + if (rebalance) + ____rb_erase_color(rebalance, root, dummy_rotate); + } + EXPORT_SYMBOL(rb_erase); + ++void rb_insert_color_cached(struct rb_node *node, ++ struct rb_root_cached *root, bool leftmost) ++{ ++ __rb_insert(node, &root->rb_root, leftmost, ++ &root->rb_leftmost, dummy_rotate); ++} ++EXPORT_SYMBOL(rb_insert_color_cached); ++ ++void rb_erase_cached(struct rb_node *node, struct rb_root_cached *root) ++{ ++ struct rb_node *rebalance; ++ rebalance = __rb_erase_augmented(node, &root->rb_root, ++ &root->rb_leftmost, &dummy_callbacks); ++ if (rebalance) ++ ____rb_erase_color(rebalance, &root->rb_root, dummy_rotate); ++} ++EXPORT_SYMBOL(rb_erase_cached); ++ + /* + * Augmented rbtree manipulation functions. + * +@@ -438,9 +461,10 @@ EXPORT_SYMBOL(rb_erase); + */ + + void __rb_insert_augmented(struct rb_node *node, struct rb_root *root, ++ bool newleft, struct rb_node **leftmost, + void (*augment_rotate)(struct rb_node *old, struct rb_node *new)) + { +- __rb_insert(node, root, augment_rotate); ++ __rb_insert(node, root, newleft, leftmost, augment_rotate); + } + EXPORT_SYMBOL(__rb_insert_augmented); + +@@ -485,7 +509,7 @@ struct rb_node *rb_next(const struct rb_node *node) + * as we can. + */ + if (node->rb_right) { +- node = node->rb_right; ++ node = node->rb_right; + while (node->rb_left) + node=node->rb_left; + return (struct rb_node *)node; +@@ -517,7 +541,7 @@ struct rb_node *rb_prev(const struct rb_node *node) + * as we can. + */ + if (node->rb_left) { +- node = node->rb_left; ++ node = node->rb_left; + while (node->rb_right) + node=node->rb_right; + return (struct rb_node *)node; +diff --git a/lib/timerqueue.c b/lib/timerqueue.c +index 782ae8ca2c06f..4f99b5c3ac0ec 100644 +--- a/lib/timerqueue.c ++++ b/lib/timerqueue.c +@@ -38,9 +38,10 @@ + */ + bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node) + { +- struct rb_node **p = &head->head.rb_node; ++ struct rb_node **p = &head->rb_root.rb_root.rb_node; + struct rb_node *parent = NULL; +- struct timerqueue_node *ptr; ++ struct timerqueue_node *ptr; ++ bool leftmost = true; + + /* Make sure we don't add nodes that are already added */ + WARN_ON_ONCE(!RB_EMPTY_NODE(&node->node)); +@@ -48,19 +49,17 @@ bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node) + while (*p) { + parent = *p; + ptr = rb_entry(parent, struct timerqueue_node, node); +- if (node->expires.tv64 < ptr->expires.tv64) ++ if (node->expires.tv64 < ptr->expires.tv64) { + p = &(*p)->rb_left; +- else ++ } else { + p = &(*p)->rb_right; ++ leftmost = false; ++ } + } + rb_link_node(&node->node, parent, p); +- rb_insert_color(&node->node, &head->head); ++ rb_insert_color_cached(&node->node, &head->rb_root, leftmost); + +- if (!head->next || node->expires.tv64 < head->next->expires.tv64) { +- head->next = node; +- return true; +- } +- return false; ++ return leftmost; + } + EXPORT_SYMBOL_GPL(timerqueue_add); + +@@ -76,16 +75,10 @@ bool timerqueue_del(struct timerqueue_head *head, struct timerqueue_node *node) + { + WARN_ON_ONCE(RB_EMPTY_NODE(&node->node)); + +- /* update next pointer */ +- if (head->next == node) { +- struct rb_node *rbn = rb_next(&node->node); +- +- head->next = rbn ? +- rb_entry(rbn, struct timerqueue_node, node) : NULL; +- } +- rb_erase(&node->node, &head->head); ++ rb_erase_cached(&node->node, &head->rb_root); + RB_CLEAR_NODE(&node->node); +- return head->next != NULL; ++ ++ return !RB_EMPTY_ROOT(&head->rb_root.rb_root); + } + EXPORT_SYMBOL_GPL(timerqueue_del); + +diff --git a/mm/gup.c b/mm/gup.c +index 301dd96ef176c..0b80bf3878dcf 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -1567,22 +1567,15 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write, + next = pgd_addr_end(addr, end); + if (pgd_none(pgd)) + break; +- /* +- * The FAST_GUP case requires FOLL_WRITE even for pure reads, +- * because get_user_pages() may need to cause an early COW in +- * order to avoid confusing the normal COW routines. So only +- * targets that are already writable are safe to do by just +- * looking at the page tables. +- */ + if (unlikely(pgd_huge(pgd))) { +- if (!gup_huge_pgd(pgd, pgdp, addr, next, 1, ++ if (!gup_huge_pgd(pgd, pgdp, addr, next, write, + pages, &nr)) + break; + } else if (unlikely(is_hugepd(__hugepd(pgd_val(pgd))))) { + if (!gup_huge_pd(__hugepd(pgd_val(pgd)), addr, +- PGDIR_SHIFT, next, 1, pages, &nr)) ++ PGDIR_SHIFT, next, write, pages, &nr)) + break; +- } else if (!gup_pud_range(pgd, addr, next, 1, pages, &nr)) ++ } else if (!gup_pud_range(pgd, addr, next, write, pages, &nr)) + break; + } while (pgdp++, addr = next, addr != end); + local_irq_restore(flags); +@@ -1612,7 +1605,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write, + int nr, ret; + + start &= PAGE_MASK; +- nr = __get_user_pages_fast(start, nr_pages, write, pages); ++ /* ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads, ++ * because get_user_pages() may need to cause an early COW in ++ * order to avoid confusing the normal COW routines. So only ++ * targets that are already writable are safe to do by just ++ * looking at the page tables. ++ */ ++ nr = __get_user_pages_fast(start, nr_pages, 1, pages); + ret = nr; + + if (nr < nr_pages) { +diff --git a/mm/memory.c b/mm/memory.c +index c2890dc104d9e..2b2cc69ddccef 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -3780,8 +3780,8 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) + } + #endif /* __PAGETABLE_PMD_FOLDED */ + +-static int __follow_pte(struct mm_struct *mm, unsigned long address, +- pte_t **ptepp, spinlock_t **ptlp) ++static int __follow_pte_pmd(struct mm_struct *mm, unsigned long address, ++ pte_t **ptepp, pmd_t **pmdpp, spinlock_t **ptlp) + { + pgd_t *pgd; + pud_t *pud; +@@ -3798,11 +3798,20 @@ static int __follow_pte(struct mm_struct *mm, unsigned long address, + + pmd = pmd_offset(pud, address); + VM_BUG_ON(pmd_trans_huge(*pmd)); +- if (pmd_none(*pmd) || unlikely(pmd_bad(*pmd))) +- goto out; + +- /* We cannot handle huge page PFN maps. Luckily they don't exist. */ +- if (pmd_huge(*pmd)) ++ if (pmd_huge(*pmd)) { ++ if (!pmdpp) ++ goto out; ++ ++ *ptlp = pmd_lock(mm, pmd); ++ if (pmd_huge(*pmd)) { ++ *pmdpp = pmd; ++ return 0; ++ } ++ spin_unlock(*ptlp); ++ } ++ ++ if (pmd_none(*pmd) || unlikely(pmd_bad(*pmd))) + goto out; + + ptep = pte_offset_map_lock(mm, pmd, address, ptlp); +@@ -3825,9 +3834,23 @@ static inline int follow_pte(struct mm_struct *mm, unsigned long address, + + /* (void) is needed to make gcc happy */ + (void) __cond_lock(*ptlp, +- !(res = __follow_pte(mm, address, ptepp, ptlp))); ++ !(res = __follow_pte_pmd(mm, address, ptepp, NULL, ++ ptlp))); ++ return res; ++} ++ ++int follow_pte_pmd(struct mm_struct *mm, unsigned long address, ++ pte_t **ptepp, pmd_t **pmdpp, spinlock_t **ptlp) ++{ ++ int res; ++ ++ /* (void) is needed to make gcc happy */ ++ (void) __cond_lock(*ptlp, ++ !(res = __follow_pte_pmd(mm, address, ptepp, pmdpp, ++ ptlp))); + return res; + } ++EXPORT_SYMBOL(follow_pte_pmd); + + /** + * follow_pfn - look up PFN at a user virtual address +diff --git a/mm/shmem.c b/mm/shmem.c +index 31b0c09fe6c60..51aa13f596220 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -436,7 +436,7 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo, + struct shmem_inode_info *info; + struct page *page; + unsigned long batch = sc ? sc->nr_to_scan : 128; +- int removed = 0, split = 0; ++ int split = 0; + + if (list_empty(&sbinfo->shrinklist)) + return SHRINK_STOP; +@@ -451,7 +451,6 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo, + /* inode is about to be evicted */ + if (!inode) { + list_del_init(&info->shrinklist); +- removed++; + goto next; + } + +@@ -459,12 +458,12 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo, + if (round_up(inode->i_size, PAGE_SIZE) == + round_up(inode->i_size, HPAGE_PMD_SIZE)) { + list_move(&info->shrinklist, &to_remove); +- removed++; + goto next; + } + + list_move(&info->shrinklist, &list); + next: ++ sbinfo->shrinklist_len--; + if (!--batch) + break; + } +@@ -484,7 +483,7 @@ next: + inode = &info->vfs_inode; + + if (nr_to_split && split >= nr_to_split) +- goto leave; ++ goto move_back; + + page = find_get_page(inode->i_mapping, + (inode->i_size & HPAGE_PMD_MASK) >> PAGE_SHIFT); +@@ -498,38 +497,44 @@ next: + } + + /* +- * Leave the inode on the list if we failed to lock +- * the page at this time. ++ * Move the inode on the list back to shrinklist if we failed ++ * to lock the page at this time. + * + * Waiting for the lock may lead to deadlock in the + * reclaim path. + */ + if (!trylock_page(page)) { + put_page(page); +- goto leave; ++ goto move_back; + } + + ret = split_huge_page(page); + unlock_page(page); + put_page(page); + +- /* If split failed leave the inode on the list */ ++ /* If split failed move the inode on the list back to shrinklist */ + if (ret) +- goto leave; ++ goto move_back; + + split++; + drop: + list_del_init(&info->shrinklist); +- removed++; +-leave: ++ goto put; ++move_back: ++ /* ++ * Make sure the inode is either on the global list or deleted ++ * from any local list before iput() since it could be deleted ++ * in another thread once we put the inode (then the local list ++ * is corrupted). ++ */ ++ spin_lock(&sbinfo->shrinklist_lock); ++ list_move(&info->shrinklist, &sbinfo->shrinklist); ++ sbinfo->shrinklist_len++; ++ spin_unlock(&sbinfo->shrinklist_lock); ++put: + iput(inode); + } + +- spin_lock(&sbinfo->shrinklist_lock); +- list_splice_tail(&list, &sbinfo->shrinklist); +- sbinfo->shrinklist_len -= removed; +- spin_unlock(&sbinfo->shrinklist_lock); +- + return split; + } + +diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c +index 0bb150e68c53f..e2e580c747f4b 100644 +--- a/net/bluetooth/cmtp/core.c ++++ b/net/bluetooth/cmtp/core.c +@@ -499,9 +499,7 @@ static int __init cmtp_init(void) + { + BT_INFO("CMTP (CAPI Emulation) ver %s", VERSION); + +- cmtp_init_sockets(); +- +- return 0; ++ return cmtp_init_sockets(); + } + + static void __exit cmtp_exit(void) +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index b43f31203a430..40e6e5feb1e06 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -3148,6 +3148,7 @@ int hci_register_dev(struct hci_dev *hdev) + return id; + + err_wqueue: ++ debugfs_remove_recursive(hdev->debugfs); + destroy_workqueue(hdev->workqueue); + destroy_workqueue(hdev->req_workqueue); + err: +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index f9484755a9baf..17cfd9f8e98e0 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4967,7 +4967,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + struct hci_ev_le_advertising_info *ev = ptr; + s8 rssi; + +- if (ev->length <= HCI_MAX_AD_LENGTH) { ++ if (ev->length <= HCI_MAX_AD_LENGTH && ++ ev->data + ev->length <= skb_tail_pointer(skb)) { + rssi = ev->data[ev->length]; + process_adv_report(hdev, ev->evt_type, &ev->bdaddr, + ev->bdaddr_type, NULL, 0, rssi, +@@ -4977,6 +4978,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + } + + ptr += sizeof(*ev) + ev->length + 1; ++ ++ if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { ++ bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); ++ break; ++ } + } + + hci_dev_unlock(hdev); +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 7104d5e64abb3..11d4d18012fed 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -724,6 +724,9 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff + if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) + mtu = nf_bridge->frag_max_size; + ++ nf_bridge_update_protocol(skb); ++ nf_bridge_push_encap_header(skb); ++ + if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) { + nf_bridge_info_free(skb); + return br_dev_queue_push_xmit(net, sk, skb); +@@ -741,8 +744,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff + + IPCB(skb)->frag_max_size = nf_bridge->frag_max_size; + +- nf_bridge_update_protocol(skb); +- + data = this_cpu_ptr(&brnf_frag_data_storage); + + data->vlan_tci = skb->vlan_tci; +@@ -765,8 +766,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff + + IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size; + +- nf_bridge_update_protocol(skb); +- + data = this_cpu_ptr(&brnf_frag_data_storage); + data->encap_size = nf_bridge_encap_header_len(skb); + data->size = ETH_HLEN + data->encap_size; +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index 7630fa80db92a..48854eae294fd 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -132,8 +132,10 @@ static void ops_exit_list(const struct pernet_operations *ops, + { + struct net *net; + if (ops->exit) { +- list_for_each_entry(net, net_exit_list, exit_list) ++ list_for_each_entry(net, net_exit_list, exit_list) { + ops->exit(net); ++ cond_resched(); ++ } + } + if (ops->exit_batch) + ops->exit_batch(net_exit_list); +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index 553cda6f887ad..b7dc20a65b649 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -534,16 +534,10 @@ int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info) + ret_val = -ENOENT; + goto doi_remove_return; + } +- if (!atomic_dec_and_test(&doi_def->refcount)) { +- spin_unlock(&cipso_v4_doi_list_lock); +- ret_val = -EBUSY; +- goto doi_remove_return; +- } + list_del_rcu(&doi_def->list); + spin_unlock(&cipso_v4_doi_list_lock); + +- cipso_v4_cache_invalidate(); +- call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu); ++ cipso_v4_doi_putdef(doi_def); + ret_val = 0; + + doi_remove_return: +@@ -600,9 +594,6 @@ void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def) + + if (!atomic_dec_and_test(&doi_def->refcount)) + return; +- spin_lock(&cipso_v4_doi_list_lock); +- list_del_rcu(&doi_def->list); +- spin_unlock(&cipso_v4_doi_list_lock); + + cipso_v4_cache_invalidate(); + call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu); +diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c +index b206415bbde74..7628963ddacc3 100644 +--- a/net/ipv6/calipso.c ++++ b/net/ipv6/calipso.c +@@ -97,6 +97,9 @@ struct calipso_map_cache_entry { + + static struct calipso_map_cache_bkt *calipso_cache; + ++static void calipso_cache_invalidate(void); ++static void calipso_doi_putdef(struct calipso_doi *doi_def); ++ + /* Label Mapping Cache Functions + */ + +@@ -458,15 +461,10 @@ static int calipso_doi_remove(u32 doi, struct netlbl_audit *audit_info) + ret_val = -ENOENT; + goto doi_remove_return; + } +- if (!atomic_dec_and_test(&doi_def->refcount)) { +- spin_unlock(&calipso_doi_list_lock); +- ret_val = -EBUSY; +- goto doi_remove_return; +- } + list_del_rcu(&doi_def->list); + spin_unlock(&calipso_doi_list_lock); + +- call_rcu(&doi_def->rcu, calipso_doi_free_rcu); ++ calipso_doi_putdef(doi_def); + ret_val = 0; + + doi_remove_return: +@@ -522,10 +520,8 @@ static void calipso_doi_putdef(struct calipso_doi *doi_def) + + if (!atomic_dec_and_test(&doi_def->refcount)) + return; +- spin_lock(&calipso_doi_list_lock); +- list_del_rcu(&doi_def->list); +- spin_unlock(&calipso_doi_list_lock); + ++ calipso_cache_invalidate(); + call_rcu(&doi_def->rcu, calipso_doi_free_rcu); + } + +diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c +index 422fac2a4a3c8..9a256d0fb957a 100644 +--- a/net/netlabel/netlabel_cipso_v4.c ++++ b/net/netlabel/netlabel_cipso_v4.c +@@ -587,6 +587,7 @@ list_start: + + break; + } ++ cipso_v4_doi_putdef(doi_def); + rcu_read_unlock(); + + genlmsg_end(ans_skb, data); +@@ -595,12 +596,14 @@ list_start: + list_retry: + /* XXX - this limit is a guesstimate */ + if (nlsze_mult < 4) { ++ cipso_v4_doi_putdef(doi_def); + rcu_read_unlock(); + kfree_skb(ans_skb); + nlsze_mult *= 2; + goto list_start; + } + list_failure_lock: ++ cipso_v4_doi_putdef(doi_def); + rcu_read_unlock(); + list_failure: + kfree_skb(ans_skb); +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index 92c6fbfd51f79..bc59b2b5f9836 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -796,6 +796,11 @@ static int llcp_sock_sendmsg(struct socket *sock, struct msghdr *msg, + + lock_sock(sk); + ++ if (!llcp_sock->local) { ++ release_sock(sk); ++ return -ENODEV; ++ } ++ + if (sk->sk_type == SOCK_DGRAM) { + DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr, + msg->msg_name); +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index 04ca08f852209..daa24ec7db278 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -996,6 +996,7 @@ void psched_ratecfg_precompute(struct psched_ratecfg *r, + { + memset(r, 0, sizeof(*r)); + r->overhead = conf->overhead; ++ r->mpu = conf->mpu; + r->rate_bytes_ps = max_t(u64, conf->rate, rate64); + r->linklayer = (conf->linklayer & TC_LINKLAYER_MASK); + r->mult = 1; +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index 8bbe1b8e4ff7f..4d283e26d8162 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -197,8 +197,11 @@ void wait_for_unix_gc(void) + { + /* If number of inflight sockets is insane, + * force a garbage collect right now. ++ * Paired with the WRITE_ONCE() in unix_inflight(), ++ * unix_notinflight() and gc_in_progress(). + */ +- if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress) ++ if (READ_ONCE(unix_tot_inflight) > UNIX_INFLIGHT_TRIGGER_GC && ++ !READ_ONCE(gc_in_progress)) + unix_gc(); + wait_event(unix_gc_wait, gc_in_progress == false); + } +@@ -218,7 +221,9 @@ void unix_gc(void) + if (gc_in_progress) + goto out; + +- gc_in_progress = true; ++ /* Paired with READ_ONCE() in wait_for_unix_gc(). */ ++ WRITE_ONCE(gc_in_progress, true); ++ + /* First, select candidates for garbage collection. Only + * in-flight sockets are considered, and from those only ones + * which don't have any external reference. +@@ -304,7 +309,10 @@ void unix_gc(void) + + /* All candidates should have been detached by now. */ + BUG_ON(!list_empty(&gc_candidates)); +- gc_in_progress = false; ++ ++ /* Paired with READ_ONCE() in wait_for_unix_gc(). */ ++ WRITE_ONCE(gc_in_progress, false); ++ + wake_up(&unix_gc_wait); + + out: +diff --git a/net/unix/scm.c b/net/unix/scm.c +index df8f636ab1d8c..bf1a8fa8c4f1d 100644 +--- a/net/unix/scm.c ++++ b/net/unix/scm.c +@@ -56,7 +56,8 @@ void unix_inflight(struct user_struct *user, struct file *fp) + } else { + BUG_ON(list_empty(&u->link)); + } +- unix_tot_inflight++; ++ /* Paired with READ_ONCE() in wait_for_unix_gc() */ ++ WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1); + } + user->unix_inflight++; + spin_unlock(&unix_gc_lock); +@@ -76,7 +77,8 @@ void unix_notinflight(struct user_struct *user, struct file *fp) + + if (atomic_long_dec_and_test(&u->inflight)) + list_del_init(&u->link); +- unix_tot_inflight--; ++ /* Paired with READ_ONCE() in wait_for_unix_gc() */ ++ WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1); + } + user->unix_inflight--; + spin_unlock(&unix_gc_lock); +diff --git a/scripts/dtc/dtx_diff b/scripts/dtc/dtx_diff +index ec47f95991a3a..971e74f408a77 100755 +--- a/scripts/dtc/dtx_diff ++++ b/scripts/dtc/dtx_diff +@@ -56,12 +56,8 @@ Otherwise DTx is treated as a dts source file (aka .dts). + or '/include/' to be processed. + + If DTx_1 and DTx_2 are in different architectures, then this script +- may not work since \${ARCH} is part of the include path. Two possible +- workarounds: +- +- `basename $0` \\ +- <(ARCH=arch_of_dtx_1 `basename $0` DTx_1) \\ +- <(ARCH=arch_of_dtx_2 `basename $0` DTx_2) ++ may not work since \${ARCH} is part of the include path. The following ++ workaround can be used: + + `basename $0` ARCH=arch_of_dtx_1 DTx_1 >tmp_dtx_1.dts + `basename $0` ARCH=arch_of_dtx_2 DTx_2 >tmp_dtx_2.dts +diff --git a/sound/core/jack.c b/sound/core/jack.c +index 5ddf81f091fa9..36cfe1c54109d 100644 +--- a/sound/core/jack.c ++++ b/sound/core/jack.c +@@ -68,10 +68,13 @@ static int snd_jack_dev_free(struct snd_device *device) + struct snd_card *card = device->card; + struct snd_jack_kctl *jack_kctl, *tmp_jack_kctl; + ++ down_write(&card->controls_rwsem); + list_for_each_entry_safe(jack_kctl, tmp_jack_kctl, &jack->kctl_list, list) { + list_del_init(&jack_kctl->list); + snd_ctl_remove(card, jack_kctl->kctl); + } ++ up_write(&card->controls_rwsem); ++ + if (jack->private_free) + jack->private_free(jack); + +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c +index 0ce3f42721c4d..440c16e0d0713 100644 +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -2122,7 +2122,7 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr + int err, cmd; + + #ifdef OSS_DEBUG +- pcm_dbg(substream->pcm, "pcm_oss: trigger = 0x%x\n", trigger); ++ pr_debug("pcm_oss: trigger = 0x%x\n", trigger); + #endif + + psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK]; +diff --git a/sound/core/pcm.c b/sound/core/pcm.c +index cdff5f9764808..6ae28dcd79945 100644 +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -857,7 +857,11 @@ EXPORT_SYMBOL(snd_pcm_new_internal); + static void free_chmap(struct snd_pcm_str *pstr) + { + if (pstr->chmap_kctl) { +- snd_ctl_remove(pstr->pcm->card, pstr->chmap_kctl); ++ struct snd_card *card = pstr->pcm->card; ++ ++ down_write(&card->controls_rwsem); ++ snd_ctl_remove(card, pstr->chmap_kctl); ++ up_write(&card->controls_rwsem); + pstr->chmap_kctl = NULL; + } + } +diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c +index ea1aa07962761..b923059a22276 100644 +--- a/sound/core/seq/seq_queue.c ++++ b/sound/core/seq/seq_queue.c +@@ -257,12 +257,15 @@ struct snd_seq_queue *snd_seq_queue_find_name(char *name) + + /* -------------------------------------------------------- */ + ++#define MAX_CELL_PROCESSES_IN_QUEUE 1000 ++ + void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop) + { + unsigned long flags; + struct snd_seq_event_cell *cell; + snd_seq_tick_time_t cur_tick; + snd_seq_real_time_t cur_time; ++ int processed = 0; + + if (q == NULL) + return; +@@ -285,6 +288,8 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop) + if (!cell) + break; + snd_seq_dispatch_event(cell, atomic, hop); ++ if (++processed >= MAX_CELL_PROCESSES_IN_QUEUE) ++ goto out; /* the rest processed at the next batch */ + } + + /* Process time queue... */ +@@ -294,14 +299,19 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop) + if (!cell) + break; + snd_seq_dispatch_event(cell, atomic, hop); ++ if (++processed >= MAX_CELL_PROCESSES_IN_QUEUE) ++ goto out; /* the rest processed at the next batch */ + } + ++ out: + /* free lock */ + spin_lock_irqsave(&q->check_lock, flags); + if (q->check_again) { + q->check_again = 0; +- spin_unlock_irqrestore(&q->check_lock, flags); +- goto __again; ++ if (processed < MAX_CELL_PROCESSES_IN_QUEUE) { ++ spin_unlock_irqrestore(&q->check_lock, flags); ++ goto __again; ++ } + } + q->check_blocked = 0; + spin_unlock_irqrestore(&q->check_lock, flags); +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 4e67614f15f8e..8976da3e1e288 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -1608,8 +1608,11 @@ void snd_hda_ctls_clear(struct hda_codec *codec) + { + int i; + struct hda_nid_item *items = codec->mixers.list; ++ ++ down_write(&codec->card->controls_rwsem); + for (i = 0; i < codec->mixers.used; i++) + snd_ctl_remove(codec->card, items[i].kctl); ++ up_write(&codec->card->controls_rwsem); + snd_array_free(&codec->mixers); + snd_array_free(&codec->nids); + } +diff --git a/sound/soc/mediatek/mt8173/mt8173-max98090.c b/sound/soc/mediatek/mt8173/mt8173-max98090.c +index 5524a2c727ec7..cab30cb48366d 100644 +--- a/sound/soc/mediatek/mt8173/mt8173-max98090.c ++++ b/sound/soc/mediatek/mt8173/mt8173-max98090.c +@@ -183,6 +183,9 @@ static int mt8173_max98090_dev_probe(struct platform_device *pdev) + if (ret) + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", + __func__, ret); ++ ++ of_node_put(codec_node); ++ of_node_put(platform_node); + return ret; + } + +diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c +index 467f7049a2886..52fdd766ee82c 100644 +--- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c ++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c +@@ -228,6 +228,8 @@ static int mt8173_rt5650_rt5514_dev_probe(struct platform_device *pdev) + if (ret) + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", + __func__, ret); ++ ++ of_node_put(platform_node); + return ret; + } + +diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c +index 1b8b2a7788450..5d75b04f074fe 100644 +--- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c ++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c +@@ -285,6 +285,8 @@ static int mt8173_rt5650_rt5676_dev_probe(struct platform_device *pdev) + if (ret) + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", + __func__, ret); ++ ++ of_node_put(platform_node); + return ret; + } + +diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650.c b/sound/soc/mediatek/mt8173/mt8173-rt5650.c +index ba65f4157a7e0..d02a90201b13b 100644 +--- a/sound/soc/mediatek/mt8173/mt8173-rt5650.c ++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650.c +@@ -317,6 +317,8 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev) + if (ret) + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", + __func__, ret); ++ ++ of_node_put(platform_node); + return ret; + } + +diff --git a/sound/soc/samsung/idma.c b/sound/soc/samsung/idma.c +index 3e408158625db..72014dea75422 100644 +--- a/sound/soc/samsung/idma.c ++++ b/sound/soc/samsung/idma.c +@@ -369,6 +369,8 @@ static int preallocate_idma_buffer(struct snd_pcm *pcm, int stream) + buf->addr = idma.lp_tx_addr; + buf->bytes = idma_hardware.buffer_bytes_max; + buf->area = (unsigned char * __force)ioremap(buf->addr, buf->bytes); ++ if (!buf->area) ++ return -ENOMEM; + + return 0; + } +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index db859b595dba1..d9b7001227e3c 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1513,15 +1513,24 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault) + return true; + } + ++static int kvm_try_get_pfn(kvm_pfn_t pfn) ++{ ++ if (kvm_is_reserved_pfn(pfn)) ++ return 1; ++ return get_page_unless_zero(pfn_to_page(pfn)); ++} ++ + static int hva_to_pfn_remapped(struct vm_area_struct *vma, + unsigned long addr, bool *async, + bool write_fault, bool *writable, + kvm_pfn_t *p_pfn) + { +- unsigned long pfn; ++ kvm_pfn_t pfn; ++ pte_t *ptep; ++ spinlock_t *ptl; + int r; + +- r = follow_pfn(vma, addr, &pfn); ++ r = follow_pte_pmd(vma->vm_mm, addr, &ptep, NULL, &ptl); + if (r) { + /* + * get_user_pages fails for VM_IO and VM_PFNMAP vmas and does +@@ -1536,14 +1545,19 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, + if (r) + return r; + +- r = follow_pfn(vma, addr, &pfn); ++ r = follow_pte_pmd(vma->vm_mm, addr, &ptep, NULL, &ptl); + if (r) + return r; ++ } + ++ if (write_fault && !pte_write(*ptep)) { ++ pfn = KVM_PFN_ERR_RO_FAULT; ++ goto out; + } + + if (writable) +- *writable = true; ++ *writable = pte_write(*ptep); ++ pfn = pte_pfn(*ptep); + + /* + * Get a reference here because callers of *hva_to_pfn* and +@@ -1555,11 +1569,21 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, + * Whoever called remap_pfn_range is also going to call e.g. + * unmap_mapping_range before the underlying pages are freed, + * causing a call to our MMU notifier. ++ * ++ * Certain IO or PFNMAP mappings can be backed with valid ++ * struct pages, but be allocated without refcounting e.g., ++ * tail pages of non-compound higher order allocations, which ++ * would then underflow the refcount when the caller does the ++ * required put_page. Don't allow those pages here. + */ +- kvm_get_pfn(pfn); ++ if (!kvm_try_get_pfn(pfn)) ++ r = -EFAULT; + ++out: ++ pte_unmap_unlock(ptep, ptl); + *p_pfn = pfn; +- return 0; ++ ++ return r; + } + + /* |