diff options
| author |   Mike Pagano <mpagano@gentoo.org> | 2020-10-01 14:59:31 -0400 |
|---|---|---|
| committer | Mike Pagano <mpagano@gentoo.org> | 2020-10-01 14:59:31 -0400 |
| commit | e032640bc9855a93b6cccdb01e27044c4bf6551c (patch) | |
| tree | 9317864965bac31c13738c8323a1ca2d2112158a | |
| parent | Add CONFIG_USER_NS to GENTOO_LINUX_INIT_SYSTEMD (diff) | |
| download | linux-patches-e032640b.tar.gz linux-patches-e032640b.tar.bz2 linux-patches-e032640b.zip | |
Linux patch 4.9.238
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1237_linux-4.9.238.patch | 4359 |
2 files changed, 4363 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 2b5f2bf1..c39cf2ba 100644 --- a/0000_README +++ b/0000_README @@ -991,6 +991,10 @@ Patch: 1236_linux-4.9.237.patch From: http://www.kernel.org Desc: Linux 4.9.237 +Patch: 1237_linux-4.9.238.patch +From: http://www.kernel.org +Desc: Linux 4.9.238 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1237_linux-4.9.238.patch b/1237_linux-4.9.238.patch new file mode 100644 index 00000000..2a0fbe43 --- /dev/null +++ b/1237_linux-4.9.238.patch @@ -0,0 +1,4359 @@ +diff --git a/Documentation/DocBook/libata.tmpl b/Documentation/DocBook/libata.tmpl +index d7fcdc5a43792..9b55778ab024f 100644 +--- a/Documentation/DocBook/libata.tmpl ++++ b/Documentation/DocBook/libata.tmpl +@@ -324,7 +324,7 @@ Many legacy IDE drivers use ata_bmdma_status() as the bmdma_status() hook. + + <sect2><title>High-level taskfile hooks</title> + <programlisting> +-void (*qc_prep) (struct ata_queued_cmd *qc); ++enum ata_completion_errors (*qc_prep) (struct ata_queued_cmd *qc); + int (*qc_issue) (struct ata_queued_cmd *qc); + </programlisting> + +diff --git a/Documentation/devicetree/bindings/sound/wm8994.txt b/Documentation/devicetree/bindings/sound/wm8994.txt +index 68c4e8d96bed6..b309de00cd836 100644 +--- a/Documentation/devicetree/bindings/sound/wm8994.txt ++++ b/Documentation/devicetree/bindings/sound/wm8994.txt +@@ -14,9 +14,15 @@ Required properties: + - #gpio-cells : Must be 2. The first cell is the pin number and the + second cell is used to specify optional parameters (currently unused). + +- - AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply, CPVDD-supply, +- SPKVDD1-supply, SPKVDD2-supply : power supplies for the device, as covered +- in Documentation/devicetree/bindings/regulator/regulator.txt ++ - power supplies for the device, as covered in ++ Documentation/devicetree/bindings/regulator/regulator.txt, depending ++ on compatible: ++ - for wlf,wm1811 and wlf,wm8958: ++ AVDD1-supply, AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply, ++ DCVDD-supply, CPVDD-supply, SPKVDD1-supply, SPKVDD2-supply ++ - for wlf,wm8994: ++ AVDD1-supply, AVDD2-supply, DBVDD-supply, DCVDD-supply, CPVDD-supply, ++ SPKVDD1-supply, SPKVDD2-supply + + Optional properties: + +@@ -68,11 +74,11 @@ codec: wm8994@1a { + + lineout1-se; + ++ AVDD1-supply = <®ulator>; + AVDD2-supply = <®ulator>; + CPVDD-supply = <®ulator>; +- DBVDD1-supply = <®ulator>; +- DBVDD2-supply = <®ulator>; +- DBVDD3-supply = <®ulator>; ++ DBVDD-supply = <®ulator>; ++ DCVDD-supply = <®ulator>; + SPKVDD1-supply = <®ulator>; + SPKVDD2-supply = <®ulator>; + }; +diff --git a/Makefile b/Makefile +index 3c78b28c6a0da..41a7d6626e354 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 237 ++SUBLEVEL = 238 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/m68k/q40/config.c b/arch/m68k/q40/config.c +index ea89a24f46000..cc0f924bbdd2d 100644 +--- a/arch/m68k/q40/config.c ++++ b/arch/m68k/q40/config.c +@@ -303,6 +303,7 @@ static int q40_get_rtc_pll(struct rtc_pll_info *pll) + { + int tmp = Q40_RTC_CTRL; + ++ pll->pll_ctrl = 0; + pll->pll_value = tmp & Q40_RTC_PLL_MASK; + if (tmp & Q40_RTC_PLL_SIGN) + pll->pll_value = -pll->pll_value; +diff --git a/arch/mips/include/asm/cpu-type.h b/arch/mips/include/asm/cpu-type.h +index bdd6dc18e65c6..941efd8783344 100644 +--- a/arch/mips/include/asm/cpu-type.h ++++ b/arch/mips/include/asm/cpu-type.h +@@ -47,6 +47,7 @@ static inline int __pure __get_cpu_type(const int cpu_type) + case CPU_34K: + case CPU_1004K: + case CPU_74K: ++ case CPU_1074K: + case CPU_M14KC: + case CPU_M14KEC: + case CPU_INTERAPTIV: +diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c +index a559908d180ec..ce49c2b9db7ee 100644 +--- a/arch/s390/kernel/setup.c ++++ b/arch/s390/kernel/setup.c +@@ -529,7 +529,7 @@ static struct notifier_block kdump_mem_nb = { + /* + * Make sure that the area behind memory_end is protected + */ +-static void reserve_memory_end(void) ++static void __init reserve_memory_end(void) + { + #ifdef CONFIG_CRASH_DUMP + if (ipl_info.type == IPL_TYPE_FCP_DUMP && +@@ -547,7 +547,7 @@ static void reserve_memory_end(void) + /* + * Make sure that oldmem, where the dump is stored, is protected + */ +-static void reserve_oldmem(void) ++static void __init reserve_oldmem(void) + { + #ifdef CONFIG_CRASH_DUMP + if (OLDMEM_BASE) +@@ -559,7 +559,7 @@ static void reserve_oldmem(void) + /* + * Make sure that oldmem, where the dump is stored, is protected + */ +-static void remove_oldmem(void) ++static void __init remove_oldmem(void) + { + #ifdef CONFIG_CRASH_DUMP + if (OLDMEM_BASE) +diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h +index 4af16acc001a3..204a5ce65afda 100644 +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -321,7 +321,7 @@ DECLARE_STATIC_KEY_FALSE(mds_idle_clear); + * combination with microcode which triggers a CPU buffer flush when the + * instruction is executed. + */ +-static inline void mds_clear_cpu_buffers(void) ++static __always_inline void mds_clear_cpu_buffers(void) + { + static const u16 ds = __KERNEL_DS; + +@@ -342,7 +342,7 @@ static inline void mds_clear_cpu_buffers(void) + * + * Clear CPU buffers if the corresponding static key is enabled + */ +-static inline void mds_user_clear_cpu_buffers(void) ++static __always_inline void mds_user_clear_cpu_buffers(void) + { + if (static_branch_likely(&mds_user_clear)) + mds_clear_cpu_buffers(); +diff --git a/arch/x86/include/asm/pkeys.h b/arch/x86/include/asm/pkeys.h +index c50d6dcf4a227..4e7273e176cb7 100644 +--- a/arch/x86/include/asm/pkeys.h ++++ b/arch/x86/include/asm/pkeys.h +@@ -3,6 +3,11 @@ + + #define ARCH_DEFAULT_PKEY 0 + ++/* ++ * If more than 16 keys are ever supported, a thorough audit ++ * will be necessary to ensure that the types that store key ++ * numbers and masks have sufficient capacity. ++ */ + #define arch_max_pkey() (boot_cpu_has(X86_FEATURE_OSPKE) ? 16 : 1) + + extern int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, +diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c +index e9d7f461b7fa5..dbd396c913488 100644 +--- a/arch/x86/kernel/fpu/xstate.c ++++ b/arch/x86/kernel/fpu/xstate.c +@@ -871,8 +871,6 @@ const void *get_xsave_field_ptr(int xsave_state) + + #ifdef CONFIG_ARCH_HAS_PKEYS + +-#define NR_VALID_PKRU_BITS (CONFIG_NR_PROTECTION_KEYS * 2) +-#define PKRU_VALID_MASK (NR_VALID_PKRU_BITS - 1) + /* + * This will go out and modify PKRU register to set the access + * rights for @pkey to @init_val. +@@ -891,6 +889,13 @@ int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, + if (!boot_cpu_has(X86_FEATURE_OSPKE)) + return -EINVAL; + ++ /* ++ * This code should only be called with valid 'pkey' ++ * values originating from in-kernel users. Complain ++ * if a bad value is observed. ++ */ ++ WARN_ON_ONCE(pkey >= arch_max_pkey()); ++ + /* Set the bits we need in PKRU: */ + if (init_val & PKEY_DISABLE_ACCESS) + new_pkru_bits |= PKRU_AD_BIT; +diff --git a/arch/x86/kvm/mmutrace.h b/arch/x86/kvm/mmutrace.h +index 756b14ecc957a..df1076b0eabf3 100644 +--- a/arch/x86/kvm/mmutrace.h ++++ b/arch/x86/kvm/mmutrace.h +@@ -336,7 +336,7 @@ TRACE_EVENT( + /* These depend on page entry type, so compute them now. */ + __field(bool, r) + __field(bool, x) +- __field(u8, u) ++ __field(signed char, u) + ), + + TP_fast_assign( +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 6b7faa14c27bb..3c0f9be107e42 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4263,10 +4263,13 @@ long kvm_arch_vm_ioctl(struct file *filp, + r = -EFAULT; + if (copy_from_user(&u.ps, argp, sizeof u.ps)) + goto out; ++ mutex_lock(&kvm->lock); + r = -ENXIO; + if (!kvm->arch.vpit) +- goto out; ++ goto set_pit_out; + r = kvm_vm_ioctl_set_pit(kvm, &u.ps); ++set_pit_out: ++ mutex_unlock(&kvm->lock); + break; + } + case KVM_GET_PIT2: { +@@ -4286,10 +4289,13 @@ long kvm_arch_vm_ioctl(struct file *filp, + r = -EFAULT; + if (copy_from_user(&u.ps2, argp, sizeof(u.ps2))) + goto out; ++ mutex_lock(&kvm->lock); + r = -ENXIO; + if (!kvm->arch.vpit) +- goto out; ++ goto set_pit2_out; + r = kvm_vm_ioctl_set_pit2(kvm, &u.ps2); ++set_pit2_out: ++ mutex_unlock(&kvm->lock); + break; + } + case KVM_REINJECT_CONTROL: { +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 307b3e28f34ce..8781b5dc97f1c 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1049,29 +1049,21 @@ void acpi_ec_unblock_transactions(void) + /* -------------------------------------------------------------------------- + Event Management + -------------------------------------------------------------------------- */ +-static struct acpi_ec_query_handler * +-acpi_ec_get_query_handler(struct acpi_ec_query_handler *handler) +-{ +- if (handler) +- kref_get(&handler->kref); +- return handler; +-} +- + static struct acpi_ec_query_handler * + acpi_ec_get_query_handler_by_value(struct acpi_ec *ec, u8 value) + { + struct acpi_ec_query_handler *handler; +- bool found = false; + + mutex_lock(&ec->mutex); + list_for_each_entry(handler, &ec->list, node) { + if (value == handler->query_bit) { +- found = true; +- break; ++ kref_get(&handler->kref); ++ mutex_unlock(&ec->mutex); ++ return handler; + } + } + mutex_unlock(&ec->mutex); +- return found ? acpi_ec_get_query_handler(handler) : NULL; ++ return NULL; + } + + static void acpi_ec_query_handler_release(struct kref *kref) +diff --git a/drivers/ata/acard-ahci.c b/drivers/ata/acard-ahci.c +index ed6a30cd681a0..98581ae397c12 100644 +--- a/drivers/ata/acard-ahci.c ++++ b/drivers/ata/acard-ahci.c +@@ -72,7 +72,7 @@ struct acard_sg { + __le32 size; /* bit 31 (EOT) max==0x10000 (64k) */ + }; + +-static void acard_ahci_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors acard_ahci_qc_prep(struct ata_queued_cmd *qc); + static bool acard_ahci_qc_fill_rtf(struct ata_queued_cmd *qc); + static int acard_ahci_port_start(struct ata_port *ap); + static int acard_ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent); +@@ -257,7 +257,7 @@ static unsigned int acard_ahci_fill_sg(struct ata_queued_cmd *qc, void *cmd_tbl) + return si; + } + +-static void acard_ahci_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors acard_ahci_qc_prep(struct ata_queued_cmd *qc) + { + struct ata_port *ap = qc->ap; + struct ahci_port_priv *pp = ap->private_data; +@@ -295,6 +295,8 @@ static void acard_ahci_qc_prep(struct ata_queued_cmd *qc) + opts |= AHCI_CMD_ATAPI | AHCI_CMD_PREFETCH; + + ahci_fill_cmd_slot(pp, qc->tag, opts); ++ ++ return AC_ERR_OK; + } + + static bool acard_ahci_qc_fill_rtf(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c +index 1610fff19bb39..984260902d0be 100644 +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -73,7 +73,7 @@ static int ahci_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val); + static bool ahci_qc_fill_rtf(struct ata_queued_cmd *qc); + static int ahci_port_start(struct ata_port *ap); + static void ahci_port_stop(struct ata_port *ap); +-static void ahci_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors ahci_qc_prep(struct ata_queued_cmd *qc); + static int ahci_pmp_qc_defer(struct ata_queued_cmd *qc); + static void ahci_freeze(struct ata_port *ap); + static void ahci_thaw(struct ata_port *ap); +@@ -1607,7 +1607,7 @@ static int ahci_pmp_qc_defer(struct ata_queued_cmd *qc) + return sata_pmp_qc_defer_cmd_switch(qc); + } + +-static void ahci_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors ahci_qc_prep(struct ata_queued_cmd *qc) + { + struct ata_port *ap = qc->ap; + struct ahci_port_priv *pp = ap->private_data; +@@ -1643,6 +1643,8 @@ static void ahci_qc_prep(struct ata_queued_cmd *qc) + opts |= AHCI_CMD_ATAPI | AHCI_CMD_PREFETCH; + + ahci_fill_cmd_slot(pp, qc->tag, opts); ++ ++ return AC_ERR_OK; + } + + static void ahci_fbs_dec_intr(struct ata_port *ap) +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 2aa10cd4c5b75..228a4cfb0e7d2 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4895,7 +4895,10 @@ int ata_std_qc_defer(struct ata_queued_cmd *qc) + return ATA_DEFER_LINK; + } + +-void ata_noop_qc_prep(struct ata_queued_cmd *qc) { } ++enum ata_completion_errors ata_noop_qc_prep(struct ata_queued_cmd *qc) ++{ ++ return AC_ERR_OK; ++} + + /** + * ata_sg_init - Associate command with scatter-gather table. +@@ -5313,7 +5316,9 @@ void ata_qc_issue(struct ata_queued_cmd *qc) + return; + } + +- ap->ops->qc_prep(qc); ++ qc->err_mask |= ap->ops->qc_prep(qc); ++ if (unlikely(qc->err_mask)) ++ goto err; + trace_ata_qc_issue(qc); + qc->err_mask |= ap->ops->qc_issue(qc); + if (unlikely(qc->err_mask)) +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c +index 0e2bc5b9a78c1..0edd83cae0fd0 100644 +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -2742,12 +2742,14 @@ static void ata_bmdma_fill_sg_dumb(struct ata_queued_cmd *qc) + * LOCKING: + * spin_lock_irqsave(host lock) + */ +-void ata_bmdma_qc_prep(struct ata_queued_cmd *qc) ++enum ata_completion_errors ata_bmdma_qc_prep(struct ata_queued_cmd *qc) + { + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + ata_bmdma_fill_sg(qc); ++ ++ return AC_ERR_OK; + } + EXPORT_SYMBOL_GPL(ata_bmdma_qc_prep); + +@@ -2760,12 +2762,14 @@ EXPORT_SYMBOL_GPL(ata_bmdma_qc_prep); + * LOCKING: + * spin_lock_irqsave(host lock) + */ +-void ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc) ++enum ata_completion_errors ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc) + { + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + ata_bmdma_fill_sg_dumb(qc); ++ ++ return AC_ERR_OK; + } + EXPORT_SYMBOL_GPL(ata_bmdma_dumb_qc_prep); + +diff --git a/drivers/ata/pata_macio.c b/drivers/ata/pata_macio.c +index e347e7acd8edb..d8000bbd1e11d 100644 +--- a/drivers/ata/pata_macio.c ++++ b/drivers/ata/pata_macio.c +@@ -507,7 +507,7 @@ static int pata_macio_cable_detect(struct ata_port *ap) + return ATA_CBL_PATA40; + } + +-static void pata_macio_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc) + { + unsigned int write = (qc->tf.flags & ATA_TFLAG_WRITE); + struct ata_port *ap = qc->ap; +@@ -520,7 +520,7 @@ static void pata_macio_qc_prep(struct ata_queued_cmd *qc) + __func__, qc, qc->flags, write, qc->dev->devno); + + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + table = (struct dbdma_cmd *) priv->dma_table_cpu; + +@@ -565,6 +565,8 @@ static void pata_macio_qc_prep(struct ata_queued_cmd *qc) + table->command = cpu_to_le16(DBDMA_STOP); + + dev_dbgdma(priv->dev, "%s: %d DMA list entries\n", __func__, pi); ++ ++ return AC_ERR_OK; + } + + +diff --git a/drivers/ata/pata_pxa.c b/drivers/ata/pata_pxa.c +index f6c46e9a4dc0f..d7186a503e358 100644 +--- a/drivers/ata/pata_pxa.c ++++ b/drivers/ata/pata_pxa.c +@@ -59,25 +59,27 @@ static void pxa_ata_dma_irq(void *d) + /* + * Prepare taskfile for submission. + */ +-static void pxa_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors pxa_qc_prep(struct ata_queued_cmd *qc) + { + struct pata_pxa_data *pd = qc->ap->private_data; + struct dma_async_tx_descriptor *tx; + enum dma_transfer_direction dir; + + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + dir = (qc->dma_dir == DMA_TO_DEVICE ? DMA_MEM_TO_DEV : DMA_DEV_TO_MEM); + tx = dmaengine_prep_slave_sg(pd->dma_chan, qc->sg, qc->n_elem, dir, + DMA_PREP_INTERRUPT); + if (!tx) { + ata_dev_err(qc->dev, "prep_slave_sg() failed\n"); +- return; ++ return AC_ERR_OK; + } + tx->callback = pxa_ata_dma_irq; + tx->callback_param = pd; + pd->dma_cookie = dmaengine_submit(tx); ++ ++ return AC_ERR_OK; + } + + /* +diff --git a/drivers/ata/pdc_adma.c b/drivers/ata/pdc_adma.c +index 64d682c6ee57e..11da13bea2c93 100644 +--- a/drivers/ata/pdc_adma.c ++++ b/drivers/ata/pdc_adma.c +@@ -132,7 +132,7 @@ static int adma_ata_init_one(struct pci_dev *pdev, + const struct pci_device_id *ent); + static int adma_port_start(struct ata_port *ap); + static void adma_port_stop(struct ata_port *ap); +-static void adma_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors adma_qc_prep(struct ata_queued_cmd *qc); + static unsigned int adma_qc_issue(struct ata_queued_cmd *qc); + static int adma_check_atapi_dma(struct ata_queued_cmd *qc); + static void adma_freeze(struct ata_port *ap); +@@ -311,7 +311,7 @@ static int adma_fill_sg(struct ata_queued_cmd *qc) + return i; + } + +-static void adma_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors adma_qc_prep(struct ata_queued_cmd *qc) + { + struct adma_port_priv *pp = qc->ap->private_data; + u8 *buf = pp->pkt; +@@ -322,7 +322,7 @@ static void adma_qc_prep(struct ata_queued_cmd *qc) + + adma_enter_reg_mode(qc->ap); + if (qc->tf.protocol != ATA_PROT_DMA) +- return; ++ return AC_ERR_OK; + + buf[i++] = 0; /* Response flags */ + buf[i++] = 0; /* reserved */ +@@ -387,6 +387,7 @@ static void adma_qc_prep(struct ata_queued_cmd *qc) + printk("%s\n", obuf); + } + #endif ++ return AC_ERR_OK; + } + + static inline void adma_packet_start(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c +index a723ae9297831..100b5a3621ef3 100644 +--- a/drivers/ata/sata_fsl.c ++++ b/drivers/ata/sata_fsl.c +@@ -513,7 +513,7 @@ static unsigned int sata_fsl_fill_sg(struct ata_queued_cmd *qc, void *cmd_desc, + return num_prde; + } + +-static void sata_fsl_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors sata_fsl_qc_prep(struct ata_queued_cmd *qc) + { + struct ata_port *ap = qc->ap; + struct sata_fsl_port_priv *pp = ap->private_data; +@@ -559,6 +559,8 @@ static void sata_fsl_qc_prep(struct ata_queued_cmd *qc) + + VPRINTK("SATA FSL : xx_qc_prep, di = 0x%x, ttl = %d, num_prde = %d\n", + desc_info, ttl_dwords, num_prde); ++ ++ return AC_ERR_OK; + } + + static unsigned int sata_fsl_qc_issue(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_inic162x.c b/drivers/ata/sata_inic162x.c +index e81a8217f1ff7..349a175f02675 100644 +--- a/drivers/ata/sata_inic162x.c ++++ b/drivers/ata/sata_inic162x.c +@@ -472,7 +472,7 @@ static void inic_fill_sg(struct inic_prd *prd, struct ata_queued_cmd *qc) + prd[-1].flags |= PRD_END; + } + +-static void inic_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors inic_qc_prep(struct ata_queued_cmd *qc) + { + struct inic_port_priv *pp = qc->ap->private_data; + struct inic_pkt *pkt = pp->pkt; +@@ -532,6 +532,8 @@ static void inic_qc_prep(struct ata_queued_cmd *qc) + inic_fill_sg(prd, qc); + + pp->cpb_tbl[0] = pp->pkt_dma; ++ ++ return AC_ERR_OK; + } + + static unsigned int inic_qc_issue(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c +index 2f32782cea6d9..513ef298dd960 100644 +--- a/drivers/ata/sata_mv.c ++++ b/drivers/ata/sata_mv.c +@@ -605,8 +605,8 @@ static int mv5_scr_write(struct ata_link *link, unsigned int sc_reg_in, u32 val) + static int mv_port_start(struct ata_port *ap); + static void mv_port_stop(struct ata_port *ap); + static int mv_qc_defer(struct ata_queued_cmd *qc); +-static void mv_qc_prep(struct ata_queued_cmd *qc); +-static void mv_qc_prep_iie(struct ata_queued_cmd *qc); ++static enum ata_completion_errors mv_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors mv_qc_prep_iie(struct ata_queued_cmd *qc); + static unsigned int mv_qc_issue(struct ata_queued_cmd *qc); + static int mv_hardreset(struct ata_link *link, unsigned int *class, + unsigned long deadline); +@@ -2044,7 +2044,7 @@ static void mv_rw_multi_errata_sata24(struct ata_queued_cmd *qc) + * LOCKING: + * Inherited from caller. + */ +-static void mv_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors mv_qc_prep(struct ata_queued_cmd *qc) + { + struct ata_port *ap = qc->ap; + struct mv_port_priv *pp = ap->private_data; +@@ -2056,15 +2056,15 @@ static void mv_qc_prep(struct ata_queued_cmd *qc) + switch (tf->protocol) { + case ATA_PROT_DMA: + if (tf->command == ATA_CMD_DSM) +- return; ++ return AC_ERR_OK; + /* fall-thru */ + case ATA_PROT_NCQ: + break; /* continue below */ + case ATA_PROT_PIO: + mv_rw_multi_errata_sata24(qc); +- return; ++ return AC_ERR_OK; + default: +- return; ++ return AC_ERR_OK; + } + + /* Fill in command request block +@@ -2111,12 +2111,10 @@ static void mv_qc_prep(struct ata_queued_cmd *qc) + * non-NCQ mode are: [RW] STREAM DMA and W DMA FUA EXT, none + * of which are defined/used by Linux. If we get here, this + * driver needs work. +- * +- * FIXME: modify libata to give qc_prep a return value and +- * return error here. + */ +- BUG_ON(tf->command); +- break; ++ ata_port_err(ap, "%s: unsupported command: %.2x\n", __func__, ++ tf->command); ++ return AC_ERR_INVALID; + } + mv_crqb_pack_cmd(cw++, tf->nsect, ATA_REG_NSECT, 0); + mv_crqb_pack_cmd(cw++, tf->hob_lbal, ATA_REG_LBAL, 0); +@@ -2129,8 +2127,10 @@ static void mv_qc_prep(struct ata_queued_cmd *qc) + mv_crqb_pack_cmd(cw++, tf->command, ATA_REG_CMD, 1); /* last */ + + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + mv_fill_sg(qc); ++ ++ return AC_ERR_OK; + } + + /** +@@ -2145,7 +2145,7 @@ static void mv_qc_prep(struct ata_queued_cmd *qc) + * LOCKING: + * Inherited from caller. + */ +-static void mv_qc_prep_iie(struct ata_queued_cmd *qc) ++static enum ata_completion_errors mv_qc_prep_iie(struct ata_queued_cmd *qc) + { + struct ata_port *ap = qc->ap; + struct mv_port_priv *pp = ap->private_data; +@@ -2156,9 +2156,9 @@ static void mv_qc_prep_iie(struct ata_queued_cmd *qc) + + if ((tf->protocol != ATA_PROT_DMA) && + (tf->protocol != ATA_PROT_NCQ)) +- return; ++ return AC_ERR_OK; + if (tf->command == ATA_CMD_DSM) +- return; /* use bmdma for this */ ++ return AC_ERR_OK; /* use bmdma for this */ + + /* Fill in Gen IIE command request block */ + if (!(tf->flags & ATA_TFLAG_WRITE)) +@@ -2199,8 +2199,10 @@ static void mv_qc_prep_iie(struct ata_queued_cmd *qc) + ); + + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + mv_fill_sg(qc); ++ ++ return AC_ERR_OK; + } + + /** +diff --git a/drivers/ata/sata_nv.c b/drivers/ata/sata_nv.c +index 734f563b8d37b..bb098c4ae1775 100644 +--- a/drivers/ata/sata_nv.c ++++ b/drivers/ata/sata_nv.c +@@ -313,7 +313,7 @@ static void nv_ck804_freeze(struct ata_port *ap); + static void nv_ck804_thaw(struct ata_port *ap); + static int nv_adma_slave_config(struct scsi_device *sdev); + static int nv_adma_check_atapi_dma(struct ata_queued_cmd *qc); +-static void nv_adma_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors nv_adma_qc_prep(struct ata_queued_cmd *qc); + static unsigned int nv_adma_qc_issue(struct ata_queued_cmd *qc); + static irqreturn_t nv_adma_interrupt(int irq, void *dev_instance); + static void nv_adma_irq_clear(struct ata_port *ap); +@@ -335,7 +335,7 @@ static void nv_mcp55_freeze(struct ata_port *ap); + static void nv_swncq_error_handler(struct ata_port *ap); + static int nv_swncq_slave_config(struct scsi_device *sdev); + static int nv_swncq_port_start(struct ata_port *ap); +-static void nv_swncq_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors nv_swncq_qc_prep(struct ata_queued_cmd *qc); + static void nv_swncq_fill_sg(struct ata_queued_cmd *qc); + static unsigned int nv_swncq_qc_issue(struct ata_queued_cmd *qc); + static void nv_swncq_irq_clear(struct ata_port *ap, u16 fis); +@@ -1382,7 +1382,7 @@ static int nv_adma_use_reg_mode(struct ata_queued_cmd *qc) + return 1; + } + +-static void nv_adma_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors nv_adma_qc_prep(struct ata_queued_cmd *qc) + { + struct nv_adma_port_priv *pp = qc->ap->private_data; + struct nv_adma_cpb *cpb = &pp->cpb[qc->tag]; +@@ -1394,7 +1394,7 @@ static void nv_adma_qc_prep(struct ata_queued_cmd *qc) + (qc->flags & ATA_QCFLAG_DMAMAP)); + nv_adma_register_mode(qc->ap); + ata_bmdma_qc_prep(qc); +- return; ++ return AC_ERR_OK; + } + + cpb->resp_flags = NV_CPB_RESP_DONE; +@@ -1426,6 +1426,8 @@ static void nv_adma_qc_prep(struct ata_queued_cmd *qc) + cpb->ctl_flags = ctl_flags; + wmb(); + cpb->resp_flags = 0; ++ ++ return AC_ERR_OK; + } + + static unsigned int nv_adma_qc_issue(struct ata_queued_cmd *qc) +@@ -1989,17 +1991,19 @@ static int nv_swncq_port_start(struct ata_port *ap) + return 0; + } + +-static void nv_swncq_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors nv_swncq_qc_prep(struct ata_queued_cmd *qc) + { + if (qc->tf.protocol != ATA_PROT_NCQ) { + ata_bmdma_qc_prep(qc); +- return; ++ return AC_ERR_OK; + } + + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + nv_swncq_fill_sg(qc); ++ ++ return AC_ERR_OK; + } + + static void nv_swncq_fill_sg(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_promise.c b/drivers/ata/sata_promise.c +index 0fa211e2831cd..8ad8b376a642c 100644 +--- a/drivers/ata/sata_promise.c ++++ b/drivers/ata/sata_promise.c +@@ -155,7 +155,7 @@ static int pdc_sata_scr_write(struct ata_link *link, unsigned int sc_reg, u32 va + static int pdc_ata_init_one(struct pci_dev *pdev, const struct pci_device_id *ent); + static int pdc_common_port_start(struct ata_port *ap); + static int pdc_sata_port_start(struct ata_port *ap); +-static void pdc_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors pdc_qc_prep(struct ata_queued_cmd *qc); + static void pdc_tf_load_mmio(struct ata_port *ap, const struct ata_taskfile *tf); + static void pdc_exec_command_mmio(struct ata_port *ap, const struct ata_taskfile *tf); + static int pdc_check_atapi_dma(struct ata_queued_cmd *qc); +@@ -649,7 +649,7 @@ static void pdc_fill_sg(struct ata_queued_cmd *qc) + prd[idx - 1].flags_len |= cpu_to_le32(ATA_PRD_EOT); + } + +-static void pdc_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors pdc_qc_prep(struct ata_queued_cmd *qc) + { + struct pdc_port_priv *pp = qc->ap->private_data; + unsigned int i; +@@ -681,6 +681,8 @@ static void pdc_qc_prep(struct ata_queued_cmd *qc) + default: + break; + } ++ ++ return AC_ERR_OK; + } + + static int pdc_is_sataii_tx4(unsigned long flags) +diff --git a/drivers/ata/sata_qstor.c b/drivers/ata/sata_qstor.c +index af987a4f33d19..80ff3bbfc8269 100644 +--- a/drivers/ata/sata_qstor.c ++++ b/drivers/ata/sata_qstor.c +@@ -116,7 +116,7 @@ static int qs_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val); + static int qs_ata_init_one(struct pci_dev *pdev, const struct pci_device_id *ent); + static int qs_port_start(struct ata_port *ap); + static void qs_host_stop(struct ata_host *host); +-static void qs_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors qs_qc_prep(struct ata_queued_cmd *qc); + static unsigned int qs_qc_issue(struct ata_queued_cmd *qc); + static int qs_check_atapi_dma(struct ata_queued_cmd *qc); + static void qs_freeze(struct ata_port *ap); +@@ -276,7 +276,7 @@ static unsigned int qs_fill_sg(struct ata_queued_cmd *qc) + return si; + } + +-static void qs_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors qs_qc_prep(struct ata_queued_cmd *qc) + { + struct qs_port_priv *pp = qc->ap->private_data; + u8 dflags = QS_DF_PORD, *buf = pp->pkt; +@@ -288,7 +288,7 @@ static void qs_qc_prep(struct ata_queued_cmd *qc) + + qs_enter_reg_mode(qc->ap); + if (qc->tf.protocol != ATA_PROT_DMA) +- return; ++ return AC_ERR_OK; + + nelem = qs_fill_sg(qc); + +@@ -311,6 +311,8 @@ static void qs_qc_prep(struct ata_queued_cmd *qc) + + /* frame information structure (FIS) */ + ata_tf_to_fis(&qc->tf, 0, 1, &buf[32]); ++ ++ return AC_ERR_OK; + } + + static inline void qs_packet_start(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c +index 07e146b772ead..301419325b975 100644 +--- a/drivers/ata/sata_rcar.c ++++ b/drivers/ata/sata_rcar.c +@@ -551,12 +551,14 @@ static void sata_rcar_bmdma_fill_sg(struct ata_queued_cmd *qc) + prd[si - 1].addr |= cpu_to_le32(SATA_RCAR_DTEND); + } + +-static void sata_rcar_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors sata_rcar_qc_prep(struct ata_queued_cmd *qc) + { + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + sata_rcar_bmdma_fill_sg(qc); ++ ++ return AC_ERR_OK; + } + + static void sata_rcar_bmdma_setup(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_sil.c b/drivers/ata/sata_sil.c +index 29bcff086bced..73156a301912f 100644 +--- a/drivers/ata/sata_sil.c ++++ b/drivers/ata/sata_sil.c +@@ -119,7 +119,7 @@ static void sil_dev_config(struct ata_device *dev); + static int sil_scr_read(struct ata_link *link, unsigned int sc_reg, u32 *val); + static int sil_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val); + static int sil_set_mode(struct ata_link *link, struct ata_device **r_failed); +-static void sil_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors sil_qc_prep(struct ata_queued_cmd *qc); + static void sil_bmdma_setup(struct ata_queued_cmd *qc); + static void sil_bmdma_start(struct ata_queued_cmd *qc); + static void sil_bmdma_stop(struct ata_queued_cmd *qc); +@@ -333,12 +333,14 @@ static void sil_fill_sg(struct ata_queued_cmd *qc) + last_prd->flags_len |= cpu_to_le32(ATA_PRD_EOT); + } + +-static void sil_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors sil_qc_prep(struct ata_queued_cmd *qc) + { + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + sil_fill_sg(qc); ++ ++ return AC_ERR_OK; + } + + static unsigned char sil_get_device_cache_line(struct pci_dev *pdev) +diff --git a/drivers/ata/sata_sil24.c b/drivers/ata/sata_sil24.c +index 4b1995e2d044b..ffa3bf724054d 100644 +--- a/drivers/ata/sata_sil24.c ++++ b/drivers/ata/sata_sil24.c +@@ -336,7 +336,7 @@ static void sil24_dev_config(struct ata_device *dev); + static int sil24_scr_read(struct ata_link *link, unsigned sc_reg, u32 *val); + static int sil24_scr_write(struct ata_link *link, unsigned sc_reg, u32 val); + static int sil24_qc_defer(struct ata_queued_cmd *qc); +-static void sil24_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors sil24_qc_prep(struct ata_queued_cmd *qc); + static unsigned int sil24_qc_issue(struct ata_queued_cmd *qc); + static bool sil24_qc_fill_rtf(struct ata_queued_cmd *qc); + static void sil24_pmp_attach(struct ata_port *ap); +@@ -840,7 +840,7 @@ static int sil24_qc_defer(struct ata_queued_cmd *qc) + return ata_std_qc_defer(qc); + } + +-static void sil24_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors sil24_qc_prep(struct ata_queued_cmd *qc) + { + struct ata_port *ap = qc->ap; + struct sil24_port_priv *pp = ap->private_data; +@@ -884,6 +884,8 @@ static void sil24_qc_prep(struct ata_queued_cmd *qc) + + if (qc->flags & ATA_QCFLAG_DMAMAP) + sil24_fill_sg(qc, sge); ++ ++ return AC_ERR_OK; + } + + static unsigned int sil24_qc_issue(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c +index 48301cb3a3165..043953200b52a 100644 +--- a/drivers/ata/sata_sx4.c ++++ b/drivers/ata/sata_sx4.c +@@ -218,7 +218,7 @@ static void pdc_error_handler(struct ata_port *ap); + static void pdc_freeze(struct ata_port *ap); + static void pdc_thaw(struct ata_port *ap); + static int pdc_port_start(struct ata_port *ap); +-static void pdc20621_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc); + static void pdc_tf_load_mmio(struct ata_port *ap, const struct ata_taskfile *tf); + static void pdc_exec_command_mmio(struct ata_port *ap, const struct ata_taskfile *tf); + static unsigned int pdc20621_dimm_init(struct ata_host *host); +@@ -546,7 +546,7 @@ static void pdc20621_nodata_prep(struct ata_queued_cmd *qc) + VPRINTK("ata pkt buf ofs %u, mmio copied\n", i); + } + +-static void pdc20621_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc) + { + switch (qc->tf.protocol) { + case ATA_PROT_DMA: +@@ -558,6 +558,8 @@ static void pdc20621_qc_prep(struct ata_queued_cmd *qc) + default: + break; + } ++ ++ return AC_ERR_OK; + } + + static void __pdc20621_push_hdma(struct ata_queued_cmd *qc, +diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c +index 88819409e0beb..9d16743c49178 100644 +--- a/drivers/atm/eni.c ++++ b/drivers/atm/eni.c +@@ -2243,7 +2243,7 @@ static int eni_init_one(struct pci_dev *pci_dev, + + rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32)); + if (rc < 0) +- goto out; ++ goto err_disable; + + rc = -ENOMEM; + eni_dev = kmalloc(sizeof(struct eni_dev), GFP_KERNEL); +diff --git a/drivers/char/tlclk.c b/drivers/char/tlclk.c +index 100cd1de9939d..59e1e94d12c01 100644 +--- a/drivers/char/tlclk.c ++++ b/drivers/char/tlclk.c +@@ -777,17 +777,21 @@ static int __init tlclk_init(void) + { + int ret; + ++ telclk_interrupt = (inb(TLCLK_REG7) & 0x0f); ++ ++ alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL); ++ if (!alarm_events) { ++ ret = -ENOMEM; ++ goto out1; ++ } ++ + ret = register_chrdev(tlclk_major, "telco_clock", &tlclk_fops); + if (ret < 0) { + printk(KERN_ERR "tlclk: can't get major %d.\n", tlclk_major); ++ kfree(alarm_events); + return ret; + } + tlclk_major = ret; +- alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL); +- if (!alarm_events) { +- ret = -ENOMEM; +- goto out1; +- } + + /* Read telecom clock IRQ number (Set by BIOS) */ + if (!request_region(TLCLK_BASE, 8, "telco_clock")) { +@@ -796,7 +800,6 @@ static int __init tlclk_init(void) + ret = -EBUSY; + goto out2; + } +- telclk_interrupt = (inb(TLCLK_REG7) & 0x0f); + + if (0x0F == telclk_interrupt ) { /* not MCPBL0010 ? */ + printk(KERN_ERR "telclk_interrupt = 0x%x non-mcpbl0010 hw.\n", +@@ -837,8 +840,8 @@ out3: + release_region(TLCLK_BASE, 8); + out2: + kfree(alarm_events); +-out1: + unregister_chrdev(tlclk_major, "telco_clock"); ++out1: + return ret; + } + +diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c +index 84eca4f93b828..0fad6cf37bab4 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.c ++++ b/drivers/char/tpm/tpm_ibmvtpm.c +@@ -550,6 +550,7 @@ static irqreturn_t ibmvtpm_interrupt(int irq, void *vtpm_instance) + */ + while ((crq = ibmvtpm_crq_get_next(ibmvtpm)) != NULL) { + ibmvtpm_crq_process(crq, ibmvtpm); ++ wake_up_interruptible(&ibmvtpm->crq_queue.wq); + crq->valid = 0; + smp_wmb(); + } +@@ -596,6 +597,7 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev, + } + + crq_q->num_entry = CRQ_RES_BUF_SIZE / sizeof(*crq_q->crq_addr); ++ init_waitqueue_head(&crq_q->wq); + ibmvtpm->crq_dma_handle = dma_map_single(dev, crq_q->crq_addr, + CRQ_RES_BUF_SIZE, + DMA_BIDIRECTIONAL); +@@ -648,6 +650,13 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev, + if (rc) + goto init_irq_cleanup; + ++ if (!wait_event_timeout(ibmvtpm->crq_queue.wq, ++ ibmvtpm->rtce_buf != NULL, ++ HZ)) { ++ dev_err(dev, "CRQ response timed out\n"); ++ goto init_irq_cleanup; ++ } ++ + return tpm_chip_register(chip); + init_irq_cleanup: + do { +diff --git a/drivers/char/tpm/tpm_ibmvtpm.h b/drivers/char/tpm/tpm_ibmvtpm.h +index 91dfe766d0800..4f6a124601db4 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.h ++++ b/drivers/char/tpm/tpm_ibmvtpm.h +@@ -31,6 +31,7 @@ struct ibmvtpm_crq_queue { + struct ibmvtpm_crq *crq_addr; + u32 index; + u32 num_entry; ++ wait_queue_head_t wq; + }; + + struct ibmvtpm_dev { +diff --git a/drivers/clk/ti/adpll.c b/drivers/clk/ti/adpll.c +index 255cafb18336a..9345eaf00938e 100644 +--- a/drivers/clk/ti/adpll.c ++++ b/drivers/clk/ti/adpll.c +@@ -193,15 +193,8 @@ static const char *ti_adpll_clk_get_name(struct ti_adpll_data *d, + if (err) + return NULL; + } else { +- const char *base_name = "adpll"; +- char *buf; +- +- buf = devm_kzalloc(d->dev, 8 + 1 + strlen(base_name) + 1 + +- strlen(postfix), GFP_KERNEL); +- if (!buf) +- return NULL; +- sprintf(buf, "%08lx.%s.%s", d->pa, base_name, postfix); +- name = buf; ++ name = devm_kasprintf(d->dev, GFP_KERNEL, "%08lx.adpll.%s", ++ d->pa, postfix); + } + + return name; +diff --git a/drivers/clocksource/h8300_timer8.c b/drivers/clocksource/h8300_timer8.c +index 546bb180f5a44..8202e49ac64cd 100644 +--- a/drivers/clocksource/h8300_timer8.c ++++ b/drivers/clocksource/h8300_timer8.c +@@ -176,7 +176,7 @@ static int __init h8300_8timer_init(struct device_node *node) + return PTR_ERR(clk); + } + +- ret = ENXIO; ++ ret = -ENXIO; + base = of_iomap(node, 0); + if (!base) { + pr_err("failed to map registers for clockevent\n"); +diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c +index b4fc65512aad3..c3b05676e0dbe 100644 +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -802,6 +802,7 @@ static struct notifier_block powernv_cpufreq_reboot_nb = { + void powernv_cpufreq_work_fn(struct work_struct *work) + { + struct chip *chip = container_of(work, struct chip, throttle); ++ struct cpufreq_policy *policy; + unsigned int cpu; + cpumask_t mask; + +@@ -816,12 +817,14 @@ void powernv_cpufreq_work_fn(struct work_struct *work) + chip->restore = false; + for_each_cpu(cpu, &mask) { + int index; +- struct cpufreq_policy policy; + +- cpufreq_get_policy(&policy, cpu); +- index = cpufreq_table_find_index_c(&policy, policy.cur); +- powernv_cpufreq_target_index(&policy, index); +- cpumask_andnot(&mask, &mask, policy.cpus); ++ policy = cpufreq_cpu_get(cpu); ++ if (!policy) ++ continue; ++ index = cpufreq_table_find_index_c(policy, policy->cur); ++ powernv_cpufreq_target_index(policy, index); ++ cpumask_andnot(&mask, &mask, policy->cpus); ++ cpufreq_cpu_put(policy); + } + out: + put_online_cpus(); +diff --git a/drivers/devfreq/tegra-devfreq.c b/drivers/devfreq/tegra-devfreq.c +index fe9dce0245bf0..a20267d93f8a4 100644 +--- a/drivers/devfreq/tegra-devfreq.c ++++ b/drivers/devfreq/tegra-devfreq.c +@@ -79,6 +79,8 @@ + + #define KHZ 1000 + ++#define KHZ_MAX (ULONG_MAX / KHZ) ++ + /* Assume that the bus is saturated if the utilization is 25% */ + #define BUS_SATURATION_RATIO 25 + +@@ -179,7 +181,7 @@ struct tegra_actmon_emc_ratio { + }; + + static struct tegra_actmon_emc_ratio actmon_emc_ratios[] = { +- { 1400000, ULONG_MAX }, ++ { 1400000, KHZ_MAX }, + { 1200000, 750000 }, + { 1100000, 600000 }, + { 1000000, 500000 }, +diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c +index 4eaf92b2b8868..909739426f78c 100644 +--- a/drivers/dma/tegra20-apb-dma.c ++++ b/drivers/dma/tegra20-apb-dma.c +@@ -1208,8 +1208,7 @@ static void tegra_dma_free_chan_resources(struct dma_chan *dc) + + dev_dbg(tdc2dev(tdc), "Freeing channel %d\n", tdc->id); + +- if (tdc->busy) +- tegra_dma_terminate_all(dc); ++ tegra_dma_terminate_all(dc); + + spin_lock_irqsave(&tdc->lock, flags); + list_splice_init(&tdc->pending_sg_req, &sg_req_list); +diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c +index 9069fb8543196..514763dcc3758 100644 +--- a/drivers/dma/xilinx/zynqmp_dma.c ++++ b/drivers/dma/xilinx/zynqmp_dma.c +@@ -125,10 +125,12 @@ + /* Max transfer size per descriptor */ + #define ZYNQMP_DMA_MAX_TRANS_LEN 0x40000000 + ++/* Max burst lengths */ ++#define ZYNQMP_DMA_MAX_DST_BURST_LEN 32768U ++#define ZYNQMP_DMA_MAX_SRC_BURST_LEN 32768U ++ + /* Reset values for data attributes */ + #define ZYNQMP_DMA_AXCACHE_VAL 0xF +-#define ZYNQMP_DMA_ARLEN_RST_VAL 0xF +-#define ZYNQMP_DMA_AWLEN_RST_VAL 0xF + + #define ZYNQMP_DMA_SRC_ISSUE_RST_VAL 0x1F + +@@ -527,17 +529,19 @@ static void zynqmp_dma_handle_ovfl_int(struct zynqmp_dma_chan *chan, u32 status) + + static void zynqmp_dma_config(struct zynqmp_dma_chan *chan) + { +- u32 val; ++ u32 val, burst_val; + + val = readl(chan->regs + ZYNQMP_DMA_CTRL0); + val |= ZYNQMP_DMA_POINT_TYPE_SG; + writel(val, chan->regs + ZYNQMP_DMA_CTRL0); + + val = readl(chan->regs + ZYNQMP_DMA_DATA_ATTR); ++ burst_val = __ilog2_u32(chan->src_burst_len); + val = (val & ~ZYNQMP_DMA_ARLEN) | +- (chan->src_burst_len << ZYNQMP_DMA_ARLEN_OFST); ++ ((burst_val << ZYNQMP_DMA_ARLEN_OFST) & ZYNQMP_DMA_ARLEN); ++ burst_val = __ilog2_u32(chan->dst_burst_len); + val = (val & ~ZYNQMP_DMA_AWLEN) | +- (chan->dst_burst_len << ZYNQMP_DMA_AWLEN_OFST); ++ ((burst_val << ZYNQMP_DMA_AWLEN_OFST) & ZYNQMP_DMA_AWLEN); + writel(val, chan->regs + ZYNQMP_DMA_DATA_ATTR); + } + +@@ -551,8 +555,10 @@ static int zynqmp_dma_device_config(struct dma_chan *dchan, + { + struct zynqmp_dma_chan *chan = to_chan(dchan); + +- chan->src_burst_len = config->src_maxburst; +- chan->dst_burst_len = config->dst_maxburst; ++ chan->src_burst_len = clamp(config->src_maxburst, 1U, ++ ZYNQMP_DMA_MAX_SRC_BURST_LEN); ++ chan->dst_burst_len = clamp(config->dst_maxburst, 1U, ++ ZYNQMP_DMA_MAX_DST_BURST_LEN); + + return 0; + } +@@ -968,8 +974,8 @@ static int zynqmp_dma_chan_probe(struct zynqmp_dma_device *zdev, + return PTR_ERR(chan->regs); + + chan->bus_width = ZYNQMP_DMA_BUS_WIDTH_64; +- chan->dst_burst_len = ZYNQMP_DMA_AWLEN_RST_VAL; +- chan->src_burst_len = ZYNQMP_DMA_ARLEN_RST_VAL; ++ chan->dst_burst_len = ZYNQMP_DMA_MAX_DST_BURST_LEN; ++ chan->src_burst_len = ZYNQMP_DMA_MAX_SRC_BURST_LEN; + err = of_property_read_u32(node, "xlnx,bus-width", &chan->bus_width); + if (err < 0) { + dev_err(&pdev->dev, "missing xlnx,bus-width property\n"); +diff --git a/drivers/gpu/drm/amd/amdgpu/atom.c b/drivers/gpu/drm/amd/amdgpu/atom.c +index 1b50e6c13fb3f..5fbf99d600587 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atom.c ++++ b/drivers/gpu/drm/amd/amdgpu/atom.c +@@ -748,8 +748,8 @@ static void atom_op_jump(atom_exec_context *ctx, int *ptr, int arg) + cjiffies = jiffies; + if (time_after(cjiffies, ctx->last_jump_jiffies)) { + cjiffies -= ctx->last_jump_jiffies; +- if ((jiffies_to_msecs(cjiffies) > 5000)) { +- DRM_ERROR("atombios stuck in loop for more than 5secs aborting\n"); ++ if ((jiffies_to_msecs(cjiffies) > 10000)) { ++ DRM_ERROR("atombios stuck in loop for more than 10secs aborting\n"); + ctx->abort = true; + } + } else { +diff --git a/drivers/gpu/drm/gma500/cdv_intel_display.c b/drivers/gpu/drm/gma500/cdv_intel_display.c +index 17db4b4749d5a..2e8479744ca4a 100644 +--- a/drivers/gpu/drm/gma500/cdv_intel_display.c ++++ b/drivers/gpu/drm/gma500/cdv_intel_display.c +@@ -415,6 +415,8 @@ static bool cdv_intel_find_dp_pll(const struct gma_limit_t *limit, + struct gma_crtc *gma_crtc = to_gma_crtc(crtc); + struct gma_clock_t clock; + ++ memset(&clock, 0, sizeof(clock)); ++ + switch (refclk) { + case 27000: + if (target < 200000) { +diff --git a/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c b/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c +index 136d30484d023..46111e9ee9a25 100644 +--- a/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c ++++ b/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c +@@ -194,7 +194,7 @@ static int __init omapdss_boot_init(void) + dss = of_find_matching_node(NULL, omapdss_of_match); + + if (dss == NULL || !of_device_is_available(dss)) +- return 0; ++ goto put_node; + + omapdss_walk_device(dss, true); + +@@ -219,6 +219,8 @@ static int __init omapdss_boot_init(void) + kfree(n); + } + ++put_node: ++ of_node_put(dss); + return 0; + } + +diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c +index 80d82c6792d8d..4fd7bfda2f9de 100644 +--- a/drivers/i2c/i2c-core.c ++++ b/drivers/i2c/i2c-core.c +@@ -1858,8 +1858,8 @@ static int i2c_register_adapter(struct i2c_adapter *adap) + + /* create pre-declared device nodes */ + of_i2c_register_devices(adap); +- i2c_acpi_register_devices(adap); + i2c_acpi_install_space_handler(adap); ++ i2c_acpi_register_devices(adap); + + if (adap->nr < __i2c_first_dynamic_bus_num) + i2c_scan_static_board_info(adap); +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index a4f4cd4932657..bb0d728f4b76f 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1296,13 +1296,13 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf, + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + ++ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) ++ return -EINVAL; ++ + ctx = ucma_get_ctx(file, cmd.id); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + +- if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) +- return -EINVAL; +- + optval = memdup_user((void __user *) (unsigned long) cmd.optval, + cmd.optlen); + if (IS_ERR(optval)) { +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index a04a53acb24ff..a60e1c1b4b5e8 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -3245,7 +3245,7 @@ int c4iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + if (raddr->sin_addr.s_addr == htonl(INADDR_ANY)) { + err = pick_local_ipaddrs(dev, cm_id); + if (err) +- goto fail2; ++ goto fail3; + } + + /* find a route */ +@@ -3267,7 +3267,7 @@ int c4iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + if (ipv6_addr_type(&raddr6->sin6_addr) == IPV6_ADDR_ANY) { + err = pick_local_ip6addrs(dev, cm_id); + if (err) +- goto fail2; ++ goto fail3; + } + + /* find a route */ +diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c +index 282a726351c81..ce1a4817ab923 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c +@@ -2036,9 +2036,9 @@ static int i40iw_addr_resolve_neigh_ipv6(struct i40iw_device *iwdev, + dst = i40iw_get_dst_ipv6(&src_addr, &dst_addr); + if (!dst || dst->error) { + if (dst) { +- dst_release(dst); + i40iw_pr_err("ip6_route_output returned dst->error = %d\n", + dst->error); ++ dst_release(dst); + } + return rc; + } +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index d6672127808b7..186da467060cc 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -597,15 +597,16 @@ int rxe_qp_from_attr(struct rxe_qp *qp, struct ib_qp_attr *attr, int mask, + struct ib_gid_attr sgid_attr; + + if (mask & IB_QP_MAX_QP_RD_ATOMIC) { +- int max_rd_atomic = __roundup_pow_of_two(attr->max_rd_atomic); ++ int max_rd_atomic = attr->max_rd_atomic ? ++ roundup_pow_of_two(attr->max_rd_atomic) : 0; + + qp->attr.max_rd_atomic = max_rd_atomic; + atomic_set(&qp->req.rd_atomic, max_rd_atomic); + } + + if (mask & IB_QP_MAX_DEST_RD_ATOMIC) { +- int max_dest_rd_atomic = +- __roundup_pow_of_two(attr->max_dest_rd_atomic); ++ int max_dest_rd_atomic = attr->max_dest_rd_atomic ? ++ roundup_pow_of_two(attr->max_dest_rd_atomic) : 0; + + qp->attr.max_dest_rd_atomic = max_dest_rd_atomic; + +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h +index 7fe7df56fa334..f0939fc1cfe55 100644 +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -547,6 +547,7 @@ struct cache_set { + */ + wait_queue_head_t btree_cache_wait; + struct task_struct *btree_cache_alloc_lock; ++ spinlock_t btree_cannibalize_lock; + + /* + * When we free a btree node, we increment the gen of the bucket the +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 764d519a7f1c6..26e56a9952d09 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -836,15 +836,17 @@ out: + + static int mca_cannibalize_lock(struct cache_set *c, struct btree_op *op) + { +- struct task_struct *old; +- +- old = cmpxchg(&c->btree_cache_alloc_lock, NULL, current); +- if (old && old != current) { ++ spin_lock(&c->btree_cannibalize_lock); ++ if (likely(c->btree_cache_alloc_lock == NULL)) { ++ c->btree_cache_alloc_lock = current; ++ } else if (c->btree_cache_alloc_lock != current) { + if (op) + prepare_to_wait(&c->btree_cache_wait, &op->wait, + TASK_UNINTERRUPTIBLE); ++ spin_unlock(&c->btree_cannibalize_lock); + return -EINTR; + } ++ spin_unlock(&c->btree_cannibalize_lock); + + return 0; + } +@@ -879,10 +881,12 @@ static struct btree *mca_cannibalize(struct cache_set *c, struct btree_op *op, + */ + static void bch_cannibalize_unlock(struct cache_set *c) + { ++ spin_lock(&c->btree_cannibalize_lock); + if (c->btree_cache_alloc_lock == current) { + c->btree_cache_alloc_lock = NULL; + wake_up(&c->btree_cache_wait); + } ++ spin_unlock(&c->btree_cannibalize_lock); + } + + static struct btree *mca_alloc(struct cache_set *c, struct btree_op *op, +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 95e9a33de06a2..263c0d987929e 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1510,6 +1510,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) + sema_init(&c->sb_write_mutex, 1); + mutex_init(&c->bucket_lock); + init_waitqueue_head(&c->btree_cache_wait); ++ spin_lock_init(&c->btree_cannibalize_lock); + init_waitqueue_head(&c->bucket_wait); + init_waitqueue_head(&c->gc_wait); + sema_init(&c->uuid_write_mutex, 1); +diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c +index 37ebeef2bbd0b..43343091ea93e 100644 +--- a/drivers/media/dvb-frontends/tda10071.c ++++ b/drivers/media/dvb-frontends/tda10071.c +@@ -483,10 +483,11 @@ static int tda10071_read_status(struct dvb_frontend *fe, enum fe_status *status) + goto error; + + if (dev->delivery_system == SYS_DVBS) { +- dev->dvbv3_ber = buf[0] << 24 | buf[1] << 16 | +- buf[2] << 8 | buf[3] << 0; +- dev->post_bit_error += buf[0] << 24 | buf[1] << 16 | +- buf[2] << 8 | buf[3] << 0; ++ u32 bit_error = buf[0] << 24 | buf[1] << 16 | ++ buf[2] << 8 | buf[3] << 0; ++ ++ dev->dvbv3_ber = bit_error; ++ dev->post_bit_error += bit_error; + c->post_bit_error.stat[0].scale = FE_SCALE_COUNTER; + c->post_bit_error.stat[0].uvalue = dev->post_bit_error; + dev->block_error += buf[4] << 8 | buf[5] << 0; +diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c +index 563b9636ab63b..803e0794ca131 100644 +--- a/drivers/media/platform/ti-vpe/cal.c ++++ b/drivers/media/platform/ti-vpe/cal.c +@@ -690,12 +690,13 @@ static void pix_proc_config(struct cal_ctx *ctx) + } + + static void cal_wr_dma_config(struct cal_ctx *ctx, +- unsigned int width) ++ unsigned int width, unsigned int height) + { + u32 val; + + val = reg_read(ctx->dev, CAL_WR_DMA_CTRL(ctx->csi2_port)); + set_field(&val, ctx->csi2_port, CAL_WR_DMA_CTRL_CPORT_MASK); ++ set_field(&val, height, CAL_WR_DMA_CTRL_YSIZE_MASK); + set_field(&val, CAL_WR_DMA_CTRL_DTAG_PIX_DAT, + CAL_WR_DMA_CTRL_DTAG_MASK); + set_field(&val, CAL_WR_DMA_CTRL_MODE_CONST, +@@ -1321,7 +1322,8 @@ static int cal_start_streaming(struct vb2_queue *vq, unsigned int count) + csi2_lane_config(ctx); + csi2_ctx_config(ctx); + pix_proc_config(ctx); +- cal_wr_dma_config(ctx, ctx->v_fmt.fmt.pix.bytesperline); ++ cal_wr_dma_config(ctx, ctx->v_fmt.fmt.pix.bytesperline, ++ ctx->v_fmt.fmt.pix.height); + cal_wr_dma_addr(ctx, addr); + csi2_ppi_enable(ctx); + +diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c +index ed9bcaf08d5ec..ddfaabd4c0813 100644 +--- a/drivers/media/usb/go7007/go7007-usb.c ++++ b/drivers/media/usb/go7007/go7007-usb.c +@@ -1052,6 +1052,7 @@ static int go7007_usb_probe(struct usb_interface *intf, + struct go7007_usb *usb; + const struct go7007_usb_board *board; + struct usb_device *usbdev = interface_to_usbdev(intf); ++ struct usb_host_endpoint *ep; + unsigned num_i2c_devs; + char *name; + int video_pipe, i, v_urb_len; +@@ -1147,7 +1148,8 @@ static int go7007_usb_probe(struct usb_interface *intf, + if (usb->intr_urb->transfer_buffer == NULL) + goto allocfail; + +- if (go->board_id == GO7007_BOARDID_SENSORAY_2250) ++ ep = usb->usbdev->ep_in[4]; ++ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) + usb_fill_bulk_urb(usb->intr_urb, usb->usbdev, + usb_rcvbulkpipe(usb->usbdev, 4), + usb->intr_urb->transfer_buffer, 2*sizeof(u16), +diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c +index 5c8ed2150c8bf..fb687368ac98c 100644 +--- a/drivers/mfd/mfd-core.c ++++ b/drivers/mfd/mfd-core.c +@@ -32,6 +32,11 @@ int mfd_cell_enable(struct platform_device *pdev) + const struct mfd_cell *cell = mfd_get_cell(pdev); + int err = 0; + ++ if (!cell->enable) { ++ dev_dbg(&pdev->dev, "No .enable() call-back registered\n"); ++ return 0; ++ } ++ + /* only call enable hook if the cell wasn't previously enabled */ + if (atomic_inc_return(cell->usage_count) == 1) + err = cell->enable(pdev); +@@ -49,6 +54,11 @@ int mfd_cell_disable(struct platform_device *pdev) + const struct mfd_cell *cell = mfd_get_cell(pdev); + int err = 0; + ++ if (!cell->disable) { ++ dev_dbg(&pdev->dev, "No .disable() call-back registered\n"); ++ return 0; ++ } ++ + /* only disable if no other clients are using it */ + if (atomic_dec_return(cell->usage_count) == 0) + err = cell->disable(pdev); +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c +index 00ba09fa6f16d..3c4819a05bf03 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -722,7 +722,6 @@ static struct mtd_info *cfi_amdstd_setup(struct mtd_info *mtd) + kfree(mtd->eraseregions); + kfree(mtd); + kfree(cfi->cmdset_priv); +- kfree(cfi->cfiq); + return NULL; + } + +diff --git a/drivers/mtd/cmdlinepart.c b/drivers/mtd/cmdlinepart.c +index fbd5affc0acfe..04fd845de05fb 100644 +--- a/drivers/mtd/cmdlinepart.c ++++ b/drivers/mtd/cmdlinepart.c +@@ -228,12 +228,29 @@ static int mtdpart_setup_real(char *s) + struct cmdline_mtd_partition *this_mtd; + struct mtd_partition *parts; + int mtd_id_len, num_parts; +- char *p, *mtd_id; ++ char *p, *mtd_id, *semicol; ++ ++ /* ++ * Replace the first ';' by a NULL char so strrchr can work ++ * properly. ++ */ ++ semicol = strchr(s, ';'); ++ if (semicol) ++ *semicol = '\0'; + + mtd_id = s; + +- /* fetch <mtd-id> */ +- p = strchr(s, ':'); ++ /* ++ * fetch <mtd-id>. We use strrchr to ignore all ':' that could ++ * be present in the MTD name, only the last one is interpreted ++ * as an <mtd-id>/<part-definition> separator. ++ */ ++ p = strrchr(s, ':'); ++ ++ /* Restore the ';' now. */ ++ if (semicol) ++ *semicol = ';'; ++ + if (!p) { + pr_err("no mtd-id\n"); + return -EINVAL; +diff --git a/drivers/mtd/nand/omap_elm.c b/drivers/mtd/nand/omap_elm.c +index a3f32f939cc17..6736777a41567 100644 +--- a/drivers/mtd/nand/omap_elm.c ++++ b/drivers/mtd/nand/omap_elm.c +@@ -421,6 +421,7 @@ static int elm_probe(struct platform_device *pdev) + pm_runtime_enable(&pdev->dev); + if (pm_runtime_get_sync(&pdev->dev) < 0) { + ret = -EINVAL; ++ pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + dev_err(&pdev->dev, "can't enable clock\n"); + return ret; +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index ac03bba10e4fd..8634337e1a99d 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -1000,9 +1000,12 @@ static int bnxt_set_pauseparam(struct net_device *dev, + if (!BNXT_SINGLE_PF(bp)) + return -EOPNOTSUPP; + ++ mutex_lock(&bp->link_lock); + if (epause->autoneg) { +- if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) +- return -EINVAL; ++ if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) { ++ rc = -EINVAL; ++ goto pause_exit; ++ } + + link_info->autoneg |= BNXT_AUTONEG_FLOW_CTRL; + if (bp->hwrm_spec_code >= 0x10201) +@@ -1023,11 +1026,11 @@ static int bnxt_set_pauseparam(struct net_device *dev, + if (epause->tx_pause) + link_info->req_flow_ctrl |= BNXT_LINK_PAUSE_TX; + +- if (netif_running(dev)) { +- mutex_lock(&bp->link_lock); ++ if (netif_running(dev)) + rc = bnxt_hwrm_set_pause(bp); +- mutex_unlock(&bp->link_lock); +- } ++ ++pause_exit: ++ mutex_unlock(&bp->link_lock); + return rc; + } + +@@ -1671,8 +1674,7 @@ static int bnxt_set_eee(struct net_device *dev, struct ethtool_eee *edata) + struct bnxt *bp = netdev_priv(dev); + struct ethtool_eee *eee = &bp->eee; + struct bnxt_link_info *link_info = &bp->link_info; +- u32 advertising = +- _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0); ++ u32 advertising; + int rc = 0; + + if (!BNXT_SINGLE_PF(bp)) +@@ -1681,19 +1683,23 @@ static int bnxt_set_eee(struct net_device *dev, struct ethtool_eee *edata) + if (!(bp->flags & BNXT_FLAG_EEE_CAP)) + return -EOPNOTSUPP; + ++ mutex_lock(&bp->link_lock); ++ advertising = _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0); + if (!edata->eee_enabled) + goto eee_ok; + + if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) { + netdev_warn(dev, "EEE requires autoneg\n"); +- return -EINVAL; ++ rc = -EINVAL; ++ goto eee_exit; + } + if (edata->tx_lpi_enabled) { + if (bp->lpi_tmr_hi && (edata->tx_lpi_timer > bp->lpi_tmr_hi || + edata->tx_lpi_timer < bp->lpi_tmr_lo)) { + netdev_warn(dev, "Valid LPI timer range is %d and %d microsecs\n", + bp->lpi_tmr_lo, bp->lpi_tmr_hi); +- return -EINVAL; ++ rc = -EINVAL; ++ goto eee_exit; + } else if (!bp->lpi_tmr_hi) { + edata->tx_lpi_timer = eee->tx_lpi_timer; + } +@@ -1703,7 +1709,8 @@ static int bnxt_set_eee(struct net_device *dev, struct ethtool_eee *edata) + } else if (edata->advertised & ~advertising) { + netdev_warn(dev, "EEE advertised %x must be a subset of autoneg advertised speeds %x\n", + edata->advertised, advertising); +- return -EINVAL; ++ rc = -EINVAL; ++ goto eee_exit; + } + + eee->advertised = edata->advertised; +@@ -1715,6 +1722,8 @@ eee_ok: + if (netif_running(dev)) + rc = bnxt_hwrm_set_link_setting(bp, false, true); + ++eee_exit: ++ mutex_unlock(&bp->link_lock); + return rc; + } + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index 3b16ee0de246e..c30792b761ee3 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -568,8 +568,13 @@ void e1000_reinit_locked(struct e1000_adapter *adapter) + WARN_ON(in_interrupt()); + while (test_and_set_bit(__E1000_RESETTING, &adapter->flags)) + msleep(1); +- e1000_down(adapter); +- e1000_up(adapter); ++ ++ /* only run the task if not already down */ ++ if (!test_bit(__E1000_DOWN, &adapter->flags)) { ++ e1000_down(adapter); ++ e1000_up(adapter); ++ } ++ + clear_bit(__E1000_RESETTING, &adapter->flags); + } + +@@ -1456,10 +1461,15 @@ int e1000_close(struct net_device *netdev) + struct e1000_hw *hw = &adapter->hw; + int count = E1000_CHECK_RESET_COUNT; + +- while (test_bit(__E1000_RESETTING, &adapter->flags) && count--) ++ while (test_and_set_bit(__E1000_RESETTING, &adapter->flags) && count--) + usleep_range(10000, 20000); + +- WARN_ON(test_bit(__E1000_RESETTING, &adapter->flags)); ++ WARN_ON(count < 0); ++ ++ /* signal that we're down so that the reset task will no longer run */ ++ set_bit(__E1000_DOWN, &adapter->flags); ++ clear_bit(__E1000_RESETTING, &adapter->flags); ++ + e1000_down(adapter); + e1000_power_down_phy(adapter); + e1000_free_irq(adapter); +diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c +index 1b980f12663af..a605dfb15bb75 100644 +--- a/drivers/net/ieee802154/adf7242.c ++++ b/drivers/net/ieee802154/adf7242.c +@@ -834,7 +834,9 @@ static int adf7242_rx(struct adf7242_local *lp) + int ret; + u8 lqi, len_u8, *data; + +- adf7242_read_reg(lp, 0, &len_u8); ++ ret = adf7242_read_reg(lp, 0, &len_u8); ++ if (ret) ++ return ret; + + len = len_u8; + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 2f55873060220..a3ba95e96695e 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1013,7 +1013,8 @@ void phy_detach(struct phy_device *phydev) + phydev->attached_dev = NULL; + phy_suspend(phydev); + +- module_put(phydev->mdio.dev.driver->owner); ++ if (phydev->mdio.dev.driver) ++ module_put(phydev->mdio.dev.driver->owner); + + /* If the device had no specific driver before (i.e. - it + * was using the generic driver), we unbind the device +diff --git a/drivers/net/wan/hdlc_ppp.c b/drivers/net/wan/hdlc_ppp.c +index 8a9aced850be3..63546d1317982 100644 +--- a/drivers/net/wan/hdlc_ppp.c ++++ b/drivers/net/wan/hdlc_ppp.c +@@ -386,11 +386,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id, + } + + for (opt = data; len; len -= opt[1], opt += opt[1]) { +- if (len < 2 || len < opt[1]) { +- dev->stats.rx_errors++; +- kfree(out); +- return; /* bad packet, drop silently */ +- } ++ if (len < 2 || opt[1] < 2 || len < opt[1]) ++ goto err_out; + + if (pid == PID_LCP) + switch (opt[0]) { +@@ -398,6 +395,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id, + continue; /* MRU always OK and > 1500 bytes? */ + + case LCP_OPTION_ACCM: /* async control character map */ ++ if (opt[1] < sizeof(valid_accm)) ++ goto err_out; + if (!memcmp(opt, valid_accm, + sizeof(valid_accm))) + continue; +@@ -409,6 +408,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id, + } + break; + case LCP_OPTION_MAGIC: ++ if (len < 6) ++ goto err_out; + if (opt[1] != 6 || (!opt[2] && !opt[3] && + !opt[4] && !opt[5])) + break; /* reject invalid magic number */ +@@ -427,6 +428,11 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id, + ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data); + + kfree(out); ++ return; ++ ++err_out: ++ dev->stats.rx_errors++; ++ kfree(out); + } + + static int ppp_rx(struct sk_buff *skb) +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index e492c7f0d311a..9f4ee1d125b68 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -1769,6 +1769,8 @@ static struct usb_device_id ar5523_id_table[] = { + AR5523_DEVICE_UX(0x0846, 0x4300), /* Netgear / WG111U */ + AR5523_DEVICE_UG(0x0846, 0x4250), /* Netgear / WG111T */ + AR5523_DEVICE_UG(0x0846, 0x5f00), /* Netgear / WPN111 */ ++ AR5523_DEVICE_UG(0x083a, 0x4506), /* SMC / EZ Connect ++ SMCWUSBT-G2 */ + AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / AR5523_1 */ + AR5523_DEVICE_UX(0x157e, 0x3205), /* Umedia / AR5523_2 */ + AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / TEW444UBEU */ +diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h +index 395d6ece2cacb..341f6ed5b3556 100644 +--- a/drivers/net/wireless/marvell/mwifiex/fw.h ++++ b/drivers/net/wireless/marvell/mwifiex/fw.h +@@ -921,7 +921,7 @@ struct mwifiex_tkip_param { + struct mwifiex_aes_param { + u8 pn[WPA_PN_SIZE]; + __le16 key_len; +- u8 key[WLAN_KEY_LEN_CCMP]; ++ u8 key[WLAN_KEY_LEN_CCMP_256]; + } __packed; + + struct mwifiex_wapi_param { +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +index 1e26936c0d727..aa84fdb709830 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +@@ -625,7 +625,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + key_v2 = &resp->params.key_material_v2; + + len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len); +- if (len > WLAN_KEY_LEN_CCMP) ++ if (len > sizeof(key_v2->key_param_set.key_params.aes.key)) + return -EINVAL; + + if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) { +@@ -641,7 +641,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + return 0; + + memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0, +- WLAN_KEY_LEN_CCMP); ++ sizeof(key_v2->key_param_set.key_params.aes.key)); + priv->aes_key_v2.key_param_set.key_params.aes.key_len = + cpu_to_le16(len); + memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key, +diff --git a/drivers/phy/phy-s5pv210-usb2.c b/drivers/phy/phy-s5pv210-usb2.c +index 004d320767e4d..bb36cfd4e3e90 100644 +--- a/drivers/phy/phy-s5pv210-usb2.c ++++ b/drivers/phy/phy-s5pv210-usb2.c +@@ -142,6 +142,10 @@ static void s5pv210_phy_pwr(struct samsung_usb2_phy_instance *inst, bool on) + udelay(10); + rst &= ~rstbits; + writel(rst, drv->reg_phy + S5PV210_UPHYRST); ++ /* The following delay is necessary for the reset sequence to be ++ * completed ++ */ ++ udelay(80); + } else { + pwr = readl(drv->reg_phy + S5PV210_UPHYPWR); + pwr |= phypwr; +diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c +index 065f11a1964d4..39deea8601d68 100644 +--- a/drivers/scsi/aacraid/aachba.c ++++ b/drivers/scsi/aacraid/aachba.c +@@ -1929,13 +1929,13 @@ static int aac_read(struct scsi_cmnd * scsicmd) + scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | + SAM_STAT_CHECK_CONDITION; + set_sense(&dev->fsa_dev[cid].sense_data, +- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE, ++ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE, + ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0); + memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data, + min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data), + SCSI_SENSE_BUFFERSIZE)); + scsicmd->scsi_done(scsicmd); +- return 1; ++ return 0; + } + + dprintk((KERN_DEBUG "aac_read[cpu %d]: lba = %llu, t = %ld.\n", +@@ -2023,13 +2023,13 @@ static int aac_write(struct scsi_cmnd * scsicmd) + scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | + SAM_STAT_CHECK_CONDITION; + set_sense(&dev->fsa_dev[cid].sense_data, +- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE, ++ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE, + ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0); + memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data, + min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data), + SCSI_SENSE_BUFFERSIZE)); + scsicmd->scsi_done(scsicmd); +- return 1; ++ return 0; + } + + dprintk((KERN_DEBUG "aac_write[cpu %d]: lba = %llu, t = %ld.\n", +diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c +index 52afbcff362f9..b7940fffca637 100644 +--- a/drivers/scsi/lpfc/lpfc_ct.c ++++ b/drivers/scsi/lpfc/lpfc_ct.c +@@ -1541,8 +1541,8 @@ lpfc_fdmi_hba_attr_wwnn(struct lpfc_vport *vport, struct lpfc_fdmi_attr_def *ad) + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fc_sparam.nodeName, + sizeof(struct lpfc_name)); +@@ -1558,8 +1558,8 @@ lpfc_fdmi_hba_attr_manufacturer(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + /* This string MUST be consistent with other FC platforms + * supported by Broadcom. +@@ -1583,8 +1583,8 @@ lpfc_fdmi_hba_attr_sn(struct lpfc_vport *vport, struct lpfc_fdmi_attr_def *ad) + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, phba->SerialNumber, + sizeof(ae->un.AttrString)); +@@ -1605,8 +1605,8 @@ lpfc_fdmi_hba_attr_model(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, phba->ModelName, + sizeof(ae->un.AttrString)); +@@ -1626,8 +1626,8 @@ lpfc_fdmi_hba_attr_description(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, phba->ModelDesc, + sizeof(ae->un.AttrString)); +@@ -1649,8 +1649,8 @@ lpfc_fdmi_hba_attr_hdw_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t i, j, incr, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + /* Convert JEDEC ID to ascii for hardware version */ + incr = vp->rev.biuRev; +@@ -1679,8 +1679,8 @@ lpfc_fdmi_hba_attr_drvr_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, lpfc_release_version, + sizeof(ae->un.AttrString)); +@@ -1701,8 +1701,8 @@ lpfc_fdmi_hba_attr_rom_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + if (phba->sli_rev == LPFC_SLI_REV4) + lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1); +@@ -1726,8 +1726,8 @@ lpfc_fdmi_hba_attr_fmw_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1); + len = strnlen(ae->un.AttrString, +@@ -1746,8 +1746,8 @@ lpfc_fdmi_hba_attr_os_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + snprintf(ae->un.AttrString, sizeof(ae->un.AttrString), "%s %s %s", + init_utsname()->sysname, +@@ -1769,7 +1769,7 @@ lpfc_fdmi_hba_attr_ct_len(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + ae->un.AttrInt = cpu_to_be32(LPFC_MAX_CT_SIZE); + size = FOURBYTES + sizeof(uint32_t); +@@ -1785,8 +1785,8 @@ lpfc_fdmi_hba_attr_symbolic_name(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + len = lpfc_vport_symbolic_node_name(vport, + ae->un.AttrString, 256); +@@ -1804,7 +1804,7 @@ lpfc_fdmi_hba_attr_vendor_info(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + /* Nothing is defined for this currently */ + ae->un.AttrInt = cpu_to_be32(0); +@@ -1821,7 +1821,7 @@ lpfc_fdmi_hba_attr_num_ports(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + /* Each driver instance corresponds to a single port */ + ae->un.AttrInt = cpu_to_be32(1); +@@ -1838,8 +1838,8 @@ lpfc_fdmi_hba_attr_fabric_wwnn(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fabric_nodename, + sizeof(struct lpfc_name)); +@@ -1857,8 +1857,8 @@ lpfc_fdmi_hba_attr_bios_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1); + len = strnlen(ae->un.AttrString, +@@ -1877,7 +1877,7 @@ lpfc_fdmi_hba_attr_bios_state(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + /* Driver doesn't have access to this information */ + ae->un.AttrInt = cpu_to_be32(0); +@@ -1894,8 +1894,8 @@ lpfc_fdmi_hba_attr_vendor_id(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, "EMULEX", + sizeof(ae->un.AttrString)); +@@ -1916,8 +1916,8 @@ lpfc_fdmi_port_attr_fc4type(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 32); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + ae->un.AttrTypes[3] = 0x02; /* Type 1 - ELS */ + ae->un.AttrTypes[2] = 0x01; /* Type 8 - FCP */ +@@ -1936,7 +1936,7 @@ lpfc_fdmi_port_attr_support_speed(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + ae->un.AttrInt = 0; + if (!(phba->hba_flag & HBA_FCOE_MODE)) { +@@ -1986,7 +1986,7 @@ lpfc_fdmi_port_attr_speed(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + if (!(phba->hba_flag & HBA_FCOE_MODE)) { + switch (phba->fc_linkspeed) { +@@ -2050,7 +2050,7 @@ lpfc_fdmi_port_attr_max_frame(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + hsp = (struct serv_parm *)&vport->fc_sparam; + ae->un.AttrInt = (((uint32_t) hsp->cmn.bbRcvSizeMsb) << 8) | +@@ -2070,8 +2070,8 @@ lpfc_fdmi_port_attr_os_devname(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + snprintf(ae->un.AttrString, sizeof(ae->un.AttrString), + "/sys/class/scsi_host/host%d", shost->host_no); +@@ -2091,8 +2091,8 @@ lpfc_fdmi_port_attr_host_name(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + snprintf(ae->un.AttrString, sizeof(ae->un.AttrString), "%s", + init_utsname()->nodename); +@@ -2112,8 +2112,8 @@ lpfc_fdmi_port_attr_wwnn(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fc_sparam.nodeName, + sizeof(struct lpfc_name)); +@@ -2130,8 +2130,8 @@ lpfc_fdmi_port_attr_wwpn(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fc_sparam.portName, + sizeof(struct lpfc_name)); +@@ -2148,8 +2148,8 @@ lpfc_fdmi_port_attr_symbolic_name(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + len = lpfc_vport_symbolic_port_name(vport, ae->un.AttrString, 256); + len += (len & 3) ? (4 - (len & 3)) : 4; +@@ -2167,7 +2167,7 @@ lpfc_fdmi_port_attr_port_type(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + if (phba->fc_topology == LPFC_TOPOLOGY_LOOP) + ae->un.AttrInt = cpu_to_be32(LPFC_FDMI_PORTTYPE_NLPORT); + else +@@ -2185,7 +2185,7 @@ lpfc_fdmi_port_attr_class(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + ae->un.AttrInt = cpu_to_be32(FC_COS_CLASS2 | FC_COS_CLASS3); + size = FOURBYTES + sizeof(uint32_t); + ad->AttrLen = cpu_to_be16(size); +@@ -2200,8 +2200,8 @@ lpfc_fdmi_port_attr_fabric_wwpn(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fabric_portname, + sizeof(struct lpfc_name)); +@@ -2218,8 +2218,8 @@ lpfc_fdmi_port_attr_active_fc4type(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 32); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + ae->un.AttrTypes[3] = 0x02; /* Type 1 - ELS */ + ae->un.AttrTypes[2] = 0x01; /* Type 8 - FCP */ +@@ -2237,7 +2237,7 @@ lpfc_fdmi_port_attr_port_state(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + /* Link Up - operational */ + ae->un.AttrInt = cpu_to_be32(LPFC_FDMI_PORTSTATE_ONLINE); + size = FOURBYTES + sizeof(uint32_t); +@@ -2253,7 +2253,7 @@ lpfc_fdmi_port_attr_num_disc(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + vport->fdmi_num_disc = lpfc_find_map_node(vport); + ae->un.AttrInt = cpu_to_be32(vport->fdmi_num_disc); + size = FOURBYTES + sizeof(uint32_t); +@@ -2269,7 +2269,7 @@ lpfc_fdmi_port_attr_nportid(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + ae->un.AttrInt = cpu_to_be32(vport->fc_myDID); + size = FOURBYTES + sizeof(uint32_t); + ad->AttrLen = cpu_to_be16(size); +@@ -2284,8 +2284,8 @@ lpfc_fdmi_smart_attr_service(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, "Smart SAN Initiator", + sizeof(ae->un.AttrString)); +@@ -2305,8 +2305,8 @@ lpfc_fdmi_smart_attr_guid(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrString, &vport->fc_sparam.nodeName, + sizeof(struct lpfc_name)); +@@ -2326,8 +2326,8 @@ lpfc_fdmi_smart_attr_version(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, "Smart SAN Version 2.0", + sizeof(ae->un.AttrString)); +@@ -2348,8 +2348,8 @@ lpfc_fdmi_smart_attr_model(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, phba->ModelName, + sizeof(ae->un.AttrString)); +@@ -2368,7 +2368,7 @@ lpfc_fdmi_smart_attr_port_info(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + /* SRIOV (type 3) is not supported */ + if (vport->vpi) +@@ -2388,7 +2388,7 @@ lpfc_fdmi_smart_attr_qos(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + ae->un.AttrInt = cpu_to_be32(0); + size = FOURBYTES + sizeof(uint32_t); + ad->AttrLen = cpu_to_be16(size); +@@ -2403,7 +2403,7 @@ lpfc_fdmi_smart_attr_security(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + ae->un.AttrInt = cpu_to_be32(1); + size = FOURBYTES + sizeof(uint32_t); + ad->AttrLen = cpu_to_be16(size); +@@ -2551,7 +2551,8 @@ lpfc_fdmi_cmd(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + /* Registered Port List */ + /* One entry (port) per adapter */ + rh->rpl.EntryCnt = cpu_to_be32(1); +- memcpy(&rh->rpl.pe, &phba->pport->fc_sparam.portName, ++ memcpy(&rh->rpl.pe.PortName, ++ &phba->pport->fc_sparam.portName, + sizeof(struct lpfc_name)); + + /* point to the HBA attribute block */ +diff --git a/drivers/scsi/lpfc/lpfc_hw.h b/drivers/scsi/lpfc/lpfc_hw.h +index 3b970d3706008..daab21f940fb8 100644 +--- a/drivers/scsi/lpfc/lpfc_hw.h ++++ b/drivers/scsi/lpfc/lpfc_hw.h +@@ -1289,25 +1289,8 @@ struct fc_rdp_res_frame { + /* lpfc_sli_ct_request defines the CT_IU preamble for FDMI commands */ + #define SLI_CT_FDMI_Subtypes 0x10 /* Management Service Subtype */ + +-/* +- * Registered Port List Format +- */ +-struct lpfc_fdmi_reg_port_list { +- uint32_t EntryCnt; +- uint32_t pe; /* Variable-length array */ +-}; +- +- + /* Definitions for HBA / Port attribute entries */ + +-struct lpfc_fdmi_attr_def { /* Defined in TLV format */ +- /* Structure is in Big Endian format */ +- uint32_t AttrType:16; +- uint32_t AttrLen:16; +- uint32_t AttrValue; /* Marks start of Value (ATTRIBUTE_ENTRY) */ +-}; +- +- + /* Attribute Entry */ + struct lpfc_fdmi_attr_entry { + union { +@@ -1318,7 +1301,13 @@ struct lpfc_fdmi_attr_entry { + } un; + }; + +-#define LPFC_FDMI_MAX_AE_SIZE sizeof(struct lpfc_fdmi_attr_entry) ++struct lpfc_fdmi_attr_def { /* Defined in TLV format */ ++ /* Structure is in Big Endian format */ ++ uint32_t AttrType:16; ++ uint32_t AttrLen:16; ++ /* Marks start of Value (ATTRIBUTE_ENTRY) */ ++ struct lpfc_fdmi_attr_entry AttrValue; ++} __packed; + + /* + * HBA Attribute Block +@@ -1342,13 +1331,20 @@ struct lpfc_fdmi_hba_ident { + struct lpfc_name PortName; + }; + ++/* ++ * Registered Port List Format ++ */ ++struct lpfc_fdmi_reg_port_list { ++ uint32_t EntryCnt; ++ struct lpfc_fdmi_port_entry pe; ++} __packed; ++ + /* + * Register HBA(RHBA) + */ + struct lpfc_fdmi_reg_hba { + struct lpfc_fdmi_hba_ident hi; +- struct lpfc_fdmi_reg_port_list rpl; /* variable-length array */ +-/* struct lpfc_fdmi_attr_block ab; */ ++ struct lpfc_fdmi_reg_port_list rpl; + }; + + /* +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 1c34dc3355498..08c76c361e8dc 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -15648,6 +15648,10 @@ lpfc_prep_seq(struct lpfc_vport *vport, struct hbq_dmabuf *seq_dmabuf) + list_add_tail(&iocbq->list, &first_iocbq->list); + } + } ++ /* Free the sequence's header buffer */ ++ if (!first_iocbq) ++ lpfc_in_buf_free(vport->phba, &seq_dmabuf->dbuf); ++ + return first_iocbq; + } + +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c +index 6624cc07ac044..8dbfd4ffd6355 100644 +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -1046,8 +1046,10 @@ int serial8250_register_8250_port(struct uart_8250_port *up) + + ret = uart_add_one_port(&serial8250_reg, + &uart->port); +- if (ret == 0) +- ret = uart->port.line; ++ if (ret) ++ goto err; ++ ++ ret = uart->port.line; + } else { + dev_info(uart->port.dev, + "skipping CIR port at 0x%lx / 0x%llx, IRQ %d\n", +@@ -1061,6 +1063,11 @@ int serial8250_register_8250_port(struct uart_8250_port *up) + mutex_unlock(&serial_mutex); + + return ret; ++ ++err: ++ uart->port.dev = NULL; ++ mutex_unlock(&serial_mutex); ++ return ret; + } + EXPORT_SYMBOL(serial8250_register_8250_port); + +diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c +index a3adf21f9dcec..d41be02abced2 100644 +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -773,7 +773,10 @@ static void __dma_rx_do_complete(struct uart_8250_port *p) + dmaengine_tx_status(dma->rxchan, dma->rx_cookie, &state); + + count = dma->rx_size - state.residue; +- ++ if (count < dma->rx_size) ++ dmaengine_terminate_async(dma->rxchan); ++ if (!count) ++ goto unlock; + ret = tty_insert_flip_string(tty_port, dma->rx_buf, count); + + p->port.icount.rx += ret; +@@ -811,7 +814,6 @@ static void omap_8250_rx_dma_flush(struct uart_8250_port *p) + spin_unlock_irqrestore(&priv->rx_dma_lock, flags); + + __dma_rx_do_complete(p); +- dmaengine_terminate_all(dma->rxchan); + } + + static int omap_8250_rx_dma(struct uart_8250_port *p) +@@ -1194,11 +1196,11 @@ static int omap8250_probe(struct platform_device *pdev) + spin_lock_init(&priv->rx_dma_lock); + + device_init_wakeup(&pdev->dev, true); ++ pm_runtime_enable(&pdev->dev); + pm_runtime_use_autosuspend(&pdev->dev); + pm_runtime_set_autosuspend_delay(&pdev->dev, -1); + + pm_runtime_irq_safe(&pdev->dev); +- pm_runtime_enable(&pdev->dev); + + pm_runtime_get_sync(&pdev->dev); + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index 5641b877dca53..827a641ac336e 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1806,6 +1806,7 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir) + unsigned char status; + unsigned long flags; + struct uart_8250_port *up = up_to_u8250p(port); ++ bool skip_rx = false; + + if (iir & UART_IIR_NO_INT) + return 0; +@@ -1814,7 +1815,20 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir) + + status = serial_port_in(port, UART_LSR); + +- if (status & (UART_LSR_DR | UART_LSR_BI)) { ++ /* ++ * If port is stopped and there are no error conditions in the ++ * FIFO, then don't drain the FIFO, as this may lead to TTY buffer ++ * overflow. Not servicing, RX FIFO would trigger auto HW flow ++ * control when FIFO occupancy reaches preset threshold, thus ++ * halting RX. This only works when auto HW flow control is ++ * available. ++ */ ++ if (!(status & (UART_LSR_FIFOE | UART_LSR_BRK_ERROR_BITS)) && ++ (port->status & (UPSTAT_AUTOCTS | UPSTAT_AUTORTS)) && ++ !(port->read_status_mask & UART_LSR_DR)) ++ skip_rx = true; ++ ++ if (status & (UART_LSR_DR | UART_LSR_BI) && !skip_rx) { + if (!up->dma || handle_rx_dma(up, iir)) + status = serial8250_rx_chars(up, status); + } +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 4dfdb59061bea..8c89697c53573 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1157,14 +1157,14 @@ static unsigned int s3c24xx_serial_getclk(struct s3c24xx_uart_port *ourport, + struct s3c24xx_uart_info *info = ourport->info; + struct clk *clk; + unsigned long rate; +- unsigned int cnt, baud, quot, clk_sel, best_quot = 0; ++ unsigned int cnt, baud, quot, best_quot = 0; + char clkname[MAX_CLK_NAME_LENGTH]; + int calc_deviation, deviation = (1 << 30) - 1; + +- clk_sel = (ourport->cfg->clk_sel) ? ourport->cfg->clk_sel : +- ourport->info->def_clk_sel; + for (cnt = 0; cnt < info->num_clks; cnt++) { +- if (!(clk_sel & (1 << cnt))) ++ /* Keep selected clock if provided */ ++ if (ourport->cfg->clk_sel && ++ !(ourport->cfg->clk_sel & (1 << cnt))) + continue; + + sprintf(clkname, "clk_uart_baud%d", cnt); +diff --git a/drivers/usb/host/ehci-mv.c b/drivers/usb/host/ehci-mv.c +index 849806a75f1ce..b29610899c9f6 100644 +--- a/drivers/usb/host/ehci-mv.c ++++ b/drivers/usb/host/ehci-mv.c +@@ -196,12 +196,10 @@ static int mv_ehci_probe(struct platform_device *pdev) + hcd->rsrc_len = resource_size(r); + hcd->regs = ehci_mv->op_regs; + +- hcd->irq = platform_get_irq(pdev, 0); +- if (!hcd->irq) { +- dev_err(&pdev->dev, "Cannot get irq."); +- retval = -ENODEV; ++ retval = platform_get_irq(pdev, 0); ++ if (retval < 0) + goto err_disable_clk; +- } ++ hcd->irq = retval; + + ehci = hcd_to_ehci(hcd); + ehci->caps = (struct ehci_caps *) ehci_mv->cap_regs; +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index 2254c281cc766..237d5aceb302d 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -392,6 +392,19 @@ static void vfio_pci_release(void *device_data) + if (!(--vdev->refcnt)) { + vfio_spapr_pci_eeh_release(vdev->pdev); + vfio_pci_disable(vdev); ++ mutex_lock(&vdev->igate); ++ if (vdev->err_trigger) { ++ eventfd_ctx_put(vdev->err_trigger); ++ vdev->err_trigger = NULL; ++ } ++ mutex_unlock(&vdev->igate); ++ ++ mutex_lock(&vdev->igate); ++ if (vdev->req_trigger) { ++ eventfd_ctx_put(vdev->req_trigger); ++ vdev->req_trigger = NULL; ++ } ++ mutex_unlock(&vdev->igate); + } + + mutex_unlock(&driver_lock); +diff --git a/fs/block_dev.c b/fs/block_dev.c +index 06f7cbe201326..98b37e77683d3 100644 +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -1586,6 +1586,16 @@ static void __blkdev_put(struct block_device *bdev, fmode_t mode, int for_part) + struct gendisk *disk = bdev->bd_disk; + struct block_device *victim = NULL; + ++ /* ++ * Sync early if it looks like we're the last one. If someone else ++ * opens the block device between now and the decrement of bd_openers ++ * then we did a sync that we didn't need to, but that's not the end ++ * of the world and we want to avoid long (could be several minute) ++ * syncs while holding the mutex. ++ */ ++ if (bdev->bd_openers == 1) ++ sync_blockdev(bdev); ++ + mutex_lock_nested(&bdev->bd_mutex, for_part); + if (for_part) + bdev->bd_part_count--; +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index c0033a0d00787..b5bff1e760a34 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -9435,8 +9435,6 @@ out: + */ + if (!for_reloc && root_dropped == false) + btrfs_add_dead_root(root); +- if (err && err != -EAGAIN) +- btrfs_handle_fs_error(fs_info, err, NULL); + return err; + } + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index e11aacb35d6b5..cbd92dd89de16 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -1807,12 +1807,24 @@ ack: + if (mutex_trylock(&session->s_mutex) == 0) { + dout("inverting session/ino locks on %p\n", + session); ++ session = ceph_get_mds_session(session); + spin_unlock(&ci->i_ceph_lock); + if (took_snap_rwsem) { + up_read(&mdsc->snap_rwsem); + took_snap_rwsem = 0; + } +- mutex_lock(&session->s_mutex); ++ if (session) { ++ mutex_lock(&session->s_mutex); ++ ceph_put_mds_session(session); ++ } else { ++ /* ++ * Because we take the reference while ++ * holding the i_ceph_lock, it should ++ * never be NULL. Throw a warning if it ++ * ever is. ++ */ ++ WARN_ON_ONCE(true); ++ } + goto retry; + } + } +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index 7ae21ad420fbf..a12258c32e8a3 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -242,8 +242,9 @@ struct smb_version_operations { + int (*check_message)(char *, unsigned int, struct TCP_Server_Info *); + bool (*is_oplock_break)(char *, struct TCP_Server_Info *); + int (*handle_cancelled_mid)(char *, struct TCP_Server_Info *); +- void (*downgrade_oplock)(struct TCP_Server_Info *, +- struct cifsInodeInfo *, bool); ++ void (*downgrade_oplock)(struct TCP_Server_Info *server, ++ struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache); + /* process transaction2 response */ + bool (*check_trans2)(struct mid_q_entry *, struct TCP_Server_Info *, + char *, int); +@@ -1080,6 +1081,8 @@ struct cifsFileInfo { + unsigned int f_flags; + bool invalidHandle:1; /* file closed via session abend */ + bool oplock_break_cancelled:1; ++ unsigned int oplock_epoch; /* epoch from the lease break */ ++ __u32 oplock_level; /* oplock/lease level from the lease break */ + int count; + spinlock_t file_info_lock; /* protects four flag/count fields above */ + struct mutex fh_mutex; /* prevents reopen race after dead ses*/ +@@ -1191,7 +1194,7 @@ struct cifsInodeInfo { + unsigned int epoch; /* used to track lease state changes */ + #define CIFS_INODE_PENDING_OPLOCK_BREAK (0) /* oplock break in progress */ + #define CIFS_INODE_PENDING_WRITERS (1) /* Writes in progress */ +-#define CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2 (2) /* Downgrade oplock to L2 */ ++#define CIFS_INODE_FLAG_UNUSED (2) /* Unused flag */ + #define CIFS_INO_DELETE_PENDING (3) /* delete pending on server */ + #define CIFS_INO_INVALID_MAPPING (4) /* pagecache is invalid */ + #define CIFS_INO_LOCK (5) /* lock bit for synchronization */ +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index b2919166855f5..24508b69e78b7 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -3531,7 +3531,8 @@ readpages_get_pages(struct address_space *mapping, struct list_head *page_list, + break; + + __SetPageLocked(page); +- if (add_to_page_cache_locked(page, mapping, page->index, gfp)) { ++ rc = add_to_page_cache_locked(page, mapping, page->index, gfp); ++ if (rc) { + __ClearPageLocked(page); + break; + } +@@ -3547,6 +3548,7 @@ static int cifs_readpages(struct file *file, struct address_space *mapping, + struct list_head *page_list, unsigned num_pages) + { + int rc; ++ int err = 0; + struct list_head tmplist; + struct cifsFileInfo *open_file = file->private_data; + struct cifs_sb_info *cifs_sb = CIFS_FILE_SB(file); +@@ -3587,7 +3589,7 @@ static int cifs_readpages(struct file *file, struct address_space *mapping, + * the order of declining indexes. When we put the pages in + * the rdata->pages, then we want them in increasing order. + */ +- while (!list_empty(page_list)) { ++ while (!list_empty(page_list) && !err) { + unsigned int i, nr_pages, bytes, rsize; + loff_t offset; + struct page *page, *tpage; +@@ -3610,9 +3612,10 @@ static int cifs_readpages(struct file *file, struct address_space *mapping, + return 0; + } + +- rc = readpages_get_pages(mapping, page_list, rsize, &tmplist, ++ nr_pages = 0; ++ err = readpages_get_pages(mapping, page_list, rsize, &tmplist, + &nr_pages, &offset, &bytes); +- if (rc) { ++ if (!nr_pages) { + add_credits_and_wake_if(server, credits, 0); + break; + } +@@ -3912,12 +3915,13 @@ void cifs_oplock_break(struct work_struct *work) + struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); + struct TCP_Server_Info *server = tcon->ses->server; + int rc = 0; ++ bool purge_cache = false; + + wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS, + TASK_UNINTERRUPTIBLE); + +- server->ops->downgrade_oplock(server, cinode, +- test_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, &cinode->flags)); ++ server->ops->downgrade_oplock(server, cinode, cfile->oplock_level, ++ cfile->oplock_epoch, &purge_cache); + + if (!CIFS_CACHE_WRITE(cinode) && CIFS_CACHE_READ(cinode) && + cifs_has_mand_locks(cinode)) { +@@ -3932,18 +3936,21 @@ void cifs_oplock_break(struct work_struct *work) + else + break_lease(inode, O_WRONLY); + rc = filemap_fdatawrite(inode->i_mapping); +- if (!CIFS_CACHE_READ(cinode)) { ++ if (!CIFS_CACHE_READ(cinode) || purge_cache) { + rc = filemap_fdatawait(inode->i_mapping); + mapping_set_error(inode->i_mapping, rc); + cifs_zap_mapping(inode); + } + cifs_dbg(FYI, "Oplock flush inode %p rc %d\n", inode, rc); ++ if (CIFS_CACHE_WRITE(cinode)) ++ goto oplock_break_ack; + } + + rc = cifs_push_locks(cfile); + if (rc) + cifs_dbg(VFS, "Push locks rc = %d\n", rc); + ++oplock_break_ack: + /* + * releasing stale oplock after recent reconnect of smb session using + * a now incorrect file handle is not a data integrity issue but do +diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c +index 5e75df69062d8..bdf151e949166 100644 +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -481,21 +481,10 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv) + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, + &pCifsInode->flags); + +- /* +- * Set flag if the server downgrades the oplock +- * to L2 else clear. +- */ +- if (pSMB->OplockLevel) +- set_bit( +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &pCifsInode->flags); +- else +- clear_bit( +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &pCifsInode->flags); +- +- cifs_queue_oplock_break(netfile); ++ netfile->oplock_epoch = 0; ++ netfile->oplock_level = pSMB->OplockLevel; + netfile->oplock_break_cancelled = false; ++ cifs_queue_oplock_break(netfile); + + spin_unlock(&tcon->open_file_lock); + spin_unlock(&cifs_tcp_ses_lock); +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c +index 6f5d78b172bac..9a1f01c2f0209 100644 +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -378,12 +378,10 @@ coalesce_t2(char *second_buf, struct smb_hdr *target_hdr) + + static void + cifs_downgrade_oplock(struct TCP_Server_Info *server, +- struct cifsInodeInfo *cinode, bool set_level2) ++ struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache) + { +- if (set_level2) +- cifs_set_oplock_level(cinode, OPLOCK_READ); +- else +- cifs_set_oplock_level(cinode, 0); ++ cifs_set_oplock_level(cinode, oplock); + } + + static bool +diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c +index 7b7b47e26dbd4..bddb2d7b39824 100644 +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -491,7 +491,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp, + + cifs_dbg(FYI, "found in the open list\n"); + cifs_dbg(FYI, "lease key match, lease break 0x%x\n", +- le32_to_cpu(rsp->NewLeaseState)); ++ lease_state); + + if (ack_req) + cfile->oplock_break_cancelled = false; +@@ -500,17 +500,8 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp, + + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); + +- /* +- * Set or clear flags depending on the lease state being READ. +- * HANDLE caching flag should be added when the client starts +- * to defer closing remote file handles with HANDLE leases. +- */ +- if (lease_state & SMB2_LEASE_READ_CACHING_HE) +- set_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &cinode->flags); +- else +- clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &cinode->flags); ++ cfile->oplock_epoch = le16_to_cpu(rsp->Epoch); ++ cfile->oplock_level = lease_state; + + cifs_queue_oplock_break(cfile); + kfree(lw); +@@ -533,7 +524,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp, + + cifs_dbg(FYI, "found in the pending open list\n"); + cifs_dbg(FYI, "lease key match, lease break 0x%x\n", +- le32_to_cpu(rsp->NewLeaseState)); ++ lease_state); + + open->oplock = lease_state; + } +@@ -645,18 +636,9 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, + &cinode->flags); + +- /* +- * Set flag if the server downgrades the oplock +- * to L2 else clear. +- */ +- if (rsp->OplockLevel) +- set_bit( +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &cinode->flags); +- else +- clear_bit( +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &cinode->flags); ++ cfile->oplock_epoch = 0; ++ cfile->oplock_level = rsp->OplockLevel; ++ + spin_unlock(&cfile->file_info_lock); + + cifs_queue_oplock_break(cfile); +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index edd4c7292be00..67edd6e03f803 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1379,22 +1379,38 @@ static long smb3_fallocate(struct file *file, struct cifs_tcon *tcon, int mode, + + static void + smb2_downgrade_oplock(struct TCP_Server_Info *server, +- struct cifsInodeInfo *cinode, bool set_level2) ++ struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache) + { +- if (set_level2) +- server->ops->set_oplock_level(cinode, SMB2_OPLOCK_LEVEL_II, +- 0, NULL); +- else +- server->ops->set_oplock_level(cinode, 0, 0, NULL); ++ server->ops->set_oplock_level(cinode, oplock, 0, NULL); + } + + static void +-smb21_downgrade_oplock(struct TCP_Server_Info *server, +- struct cifsInodeInfo *cinode, bool set_level2) ++smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache); ++ ++static void ++smb3_downgrade_oplock(struct TCP_Server_Info *server, ++ struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache) + { +- server->ops->set_oplock_level(cinode, +- set_level2 ? SMB2_LEASE_READ_CACHING_HE : +- 0, 0, NULL); ++ unsigned int old_state = cinode->oplock; ++ unsigned int old_epoch = cinode->epoch; ++ unsigned int new_state; ++ ++ if (epoch > old_epoch) { ++ smb21_set_oplock_level(cinode, oplock, 0, NULL); ++ cinode->epoch = epoch; ++ } ++ ++ new_state = cinode->oplock; ++ *purge_cache = false; ++ ++ if ((old_state & CIFS_CACHE_READ_FLG) != 0 && ++ (new_state & CIFS_CACHE_READ_FLG) == 0) ++ *purge_cache = true; ++ else if (old_state == new_state && (epoch - old_epoch > 1)) ++ *purge_cache = true; + } + + static void +@@ -1709,7 +1725,7 @@ struct smb_version_operations smb21_operations = { + .print_stats = smb2_print_stats, + .is_oplock_break = smb2_is_valid_oplock_break, + .handle_cancelled_mid = smb2_handle_cancelled_mid, +- .downgrade_oplock = smb21_downgrade_oplock, ++ .downgrade_oplock = smb2_downgrade_oplock, + .need_neg = smb2_need_neg, + .negotiate = smb2_negotiate, + .negotiate_wsize = smb2_negotiate_wsize, +@@ -1793,7 +1809,7 @@ struct smb_version_operations smb30_operations = { + .dump_share_caps = smb2_dump_share_caps, + .is_oplock_break = smb2_is_valid_oplock_break, + .handle_cancelled_mid = smb2_handle_cancelled_mid, +- .downgrade_oplock = smb21_downgrade_oplock, ++ .downgrade_oplock = smb3_downgrade_oplock, + .need_neg = smb2_need_neg, + .negotiate = smb2_negotiate, + .negotiate_wsize = smb2_negotiate_wsize, +@@ -1883,7 +1899,7 @@ struct smb_version_operations smb311_operations = { + .dump_share_caps = smb2_dump_share_caps, + .is_oplock_break = smb2_is_valid_oplock_break, + .handle_cancelled_mid = smb2_handle_cancelled_mid, +- .downgrade_oplock = smb21_downgrade_oplock, ++ .downgrade_oplock = smb3_downgrade_oplock, + .need_neg = smb2_need_neg, + .negotiate = smb2_negotiate, + .negotiate_wsize = smb2_negotiate_wsize, +diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h +index 1af7afae3ad18..1a0c480745738 100644 +--- a/fs/cifs/smb2pdu.h ++++ b/fs/cifs/smb2pdu.h +@@ -1025,7 +1025,7 @@ struct smb2_oplock_break { + struct smb2_lease_break { + struct smb2_hdr hdr; + __le16 StructureSize; /* Must be 44 */ +- __le16 Reserved; ++ __le16 Epoch; + __le32 Flags; + __u8 LeaseKey[16]; + __le32 CurrentLeaseState; +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index b99225e117120..f0129c033bd66 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -825,7 +825,6 @@ static int fuse_check_page(struct page *page) + { + if (page_mapcount(page) || + page->mapping != NULL || +- page_count(page) != 1 || + (page->flags & PAGE_FLAGS_CHECK_AT_PREP & + ~(1 << PG_locked | + 1 << PG_referenced | +diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c +index 97be412153328..9213a9e046ae0 100644 +--- a/fs/ubifs/io.c ++++ b/fs/ubifs/io.c +@@ -237,7 +237,7 @@ int ubifs_is_mapped(const struct ubifs_info *c, int lnum) + int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum, + int offs, int quiet, int must_chk_crc) + { +- int err = -EINVAL, type, node_len; ++ int err = -EINVAL, type, node_len, dump_node = 1; + uint32_t crc, node_crc, magic; + const struct ubifs_ch *ch = buf; + +@@ -290,10 +290,22 @@ int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum, + out_len: + if (!quiet) + ubifs_err(c, "bad node length %d", node_len); ++ if (type == UBIFS_DATA_NODE && node_len > UBIFS_DATA_NODE_SZ) ++ dump_node = 0; + out: + if (!quiet) { + ubifs_err(c, "bad node at LEB %d:%d", lnum, offs); +- ubifs_dump_node(c, buf); ++ if (dump_node) { ++ ubifs_dump_node(c, buf); ++ } else { ++ int safe_len = min3(node_len, c->leb_size - offs, ++ (int)UBIFS_MAX_DATA_NODE_SZ); ++ pr_err("\tprevent out-of-bounds memory access\n"); ++ pr_err("\ttruncated data node length %d\n", safe_len); ++ pr_err("\tcorrupted data node:\n"); ++ print_hex_dump(KERN_ERR, "\t", DUMP_PREFIX_OFFSET, 32, 1, ++ buf, safe_len, 0); ++ } + dump_stack(); + } + return err; +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c +index 7b9dd76403bfd..537acde2c497b 100644 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c +@@ -1332,7 +1332,9 @@ xfs_attr3_leaf_add_work( + for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) { + if (ichdr->freemap[i].base == tmp) { + ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t); +- ichdr->freemap[i].size -= sizeof(xfs_attr_leaf_entry_t); ++ ichdr->freemap[i].size -= ++ min_t(uint16_t, ichdr->freemap[i].size, ++ sizeof(xfs_attr_leaf_entry_t)); + } + } + ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index); +diff --git a/fs/xfs/libxfs/xfs_dir2_node.c b/fs/xfs/libxfs/xfs_dir2_node.c +index bbd1238852b3c..df7f33e60a4f6 100644 +--- a/fs/xfs/libxfs/xfs_dir2_node.c ++++ b/fs/xfs/libxfs/xfs_dir2_node.c +@@ -212,6 +212,7 @@ __xfs_dir3_free_read( + xfs_buf_ioerror(*bpp, -EFSCORRUPTED); + xfs_verifier_error(*bpp); + xfs_trans_brelse(tp, *bpp); ++ *bpp = NULL; + return -EFSCORRUPTED; + } + +diff --git a/include/linux/debugfs.h b/include/linux/debugfs.h +index b20a0945b5500..7aea750538840 100644 +--- a/include/linux/debugfs.h ++++ b/include/linux/debugfs.h +@@ -77,6 +77,8 @@ static const struct file_operations __fops = { \ + .llseek = generic_file_llseek, \ + } + ++typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *); ++ + #if defined(CONFIG_DEBUG_FS) + + struct dentry *debugfs_create_file(const char *name, umode_t mode, +@@ -96,7 +98,6 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent); + struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, + const char *dest); + +-typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *); + struct dentry *debugfs_create_automount(const char *name, + struct dentry *parent, + debugfs_automount_t f, +@@ -211,7 +212,7 @@ static inline struct dentry *debugfs_create_symlink(const char *name, + + static inline struct dentry *debugfs_create_automount(const char *name, + struct dentry *parent, +- struct vfsmount *(*f)(void *), ++ debugfs_automount_t f, + void *data) + { + return ERR_PTR(-ENODEV); +diff --git a/include/linux/libata.h b/include/linux/libata.h +index e2dac33eae964..3fabf57fd6e0d 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -499,6 +499,7 @@ enum hsm_task_states { + }; + + enum ata_completion_errors { ++ AC_ERR_OK = 0, /* no error */ + AC_ERR_DEV = (1 << 0), /* device reported error */ + AC_ERR_HSM = (1 << 1), /* host state machine violation */ + AC_ERR_TIMEOUT = (1 << 2), /* timeout */ +@@ -903,9 +904,9 @@ struct ata_port_operations { + /* + * Command execution + */ +- int (*qc_defer)(struct ata_queued_cmd *qc); +- int (*check_atapi_dma)(struct ata_queued_cmd *qc); +- void (*qc_prep)(struct ata_queued_cmd *qc); ++ int (*qc_defer)(struct ata_queued_cmd *qc); ++ int (*check_atapi_dma)(struct ata_queued_cmd *qc); ++ enum ata_completion_errors (*qc_prep)(struct ata_queued_cmd *qc); + unsigned int (*qc_issue)(struct ata_queued_cmd *qc); + bool (*qc_fill_rtf)(struct ata_queued_cmd *qc); + +@@ -1168,7 +1169,7 @@ extern int ata_xfer_mode2shift(unsigned long xfer_mode); + extern const char *ata_mode_string(unsigned long xfer_mask); + extern unsigned long ata_id_xfermask(const u16 *id); + extern int ata_std_qc_defer(struct ata_queued_cmd *qc); +-extern void ata_noop_qc_prep(struct ata_queued_cmd *qc); ++extern enum ata_completion_errors ata_noop_qc_prep(struct ata_queued_cmd *qc); + extern void ata_sg_init(struct ata_queued_cmd *qc, struct scatterlist *sg, + unsigned int n_elem); + extern unsigned int ata_dev_classify(const struct ata_taskfile *tf); +@@ -1881,9 +1882,9 @@ extern const struct ata_port_operations ata_bmdma_port_ops; + .sg_tablesize = LIBATA_MAX_PRD, \ + .dma_boundary = ATA_DMA_BOUNDARY + +-extern void ata_bmdma_qc_prep(struct ata_queued_cmd *qc); ++extern enum ata_completion_errors ata_bmdma_qc_prep(struct ata_queued_cmd *qc); + extern unsigned int ata_bmdma_qc_issue(struct ata_queued_cmd *qc); +-extern void ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc); ++extern enum ata_completion_errors ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc); + extern unsigned int ata_bmdma_port_intr(struct ata_port *ap, + struct ata_queued_cmd *qc); + extern irqreturn_t ata_bmdma_interrupt(int irq, void *dev_instance); +diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h +index b5b43f94f3116..01b990e4b228a 100644 +--- a/include/linux/mtd/map.h ++++ b/include/linux/mtd/map.h +@@ -312,7 +312,7 @@ void map_destroy(struct mtd_info *mtd); + ({ \ + int i, ret = 1; \ + for (i = 0; i < map_words(map); i++) { \ +- if (((val1).x[i] & (val2).x[i]) != (val2).x[i]) { \ ++ if (((val1).x[i] & (val2).x[i]) != (val3).x[i]) { \ + ret = 0; \ + break; \ + } \ +diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h +index ead97654c4e9a..1613fe5c668e1 100644 +--- a/include/linux/seqlock.h ++++ b/include/linux/seqlock.h +@@ -242,6 +242,13 @@ static inline void raw_write_seqcount_end(seqcount_t *s) + * usual consistency guarantee. It is one wmb cheaper, because we can + * collapse the two back-to-back wmb()s. + * ++ * Note that, writes surrounding the barrier should be declared atomic (e.g. ++ * via WRITE_ONCE): a) to ensure the writes become visible to other threads ++ * atomically, avoiding compiler optimizations; b) to document which writes are ++ * meant to propagate to the reader critical section. This is necessary because ++ * neither writes before and after the barrier are enclosed in a seq-writer ++ * critical section that would ensure readers are aware of ongoing writes. ++ * + * seqcount_t seq; + * bool X = true, Y = false; + * +@@ -261,11 +268,11 @@ static inline void raw_write_seqcount_end(seqcount_t *s) + * + * void write(void) + * { +- * Y = true; ++ * WRITE_ONCE(Y, true); + * + * raw_write_seqcount_barrier(seq); + * +- * X = false; ++ * WRITE_ONCE(X, false); + * } + */ + static inline void raw_write_seqcount_barrier(seqcount_t *s) +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index e37112ac332f7..67b798b7115d8 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1549,6 +1549,18 @@ static inline __u32 skb_queue_len(const struct sk_buff_head *list_) + return list_->qlen; + } + ++/** ++ * skb_queue_len_lockless - get queue length ++ * @list_: list to measure ++ * ++ * Return the length of an &sk_buff queue. ++ * This variant can be used in lockless contexts. ++ */ ++static inline __u32 skb_queue_len_lockless(const struct sk_buff_head *list_) ++{ ++ return READ_ONCE(list_->qlen); ++} ++ + /** + * __skb_queue_head_init - initialize non-spinlock portions of sk_buff_head + * @list: queue to initialize +@@ -1752,7 +1764,7 @@ static inline void __skb_unlink(struct sk_buff *skb, struct sk_buff_head *list) + { + struct sk_buff *next, *prev; + +- list->qlen--; ++ WRITE_ONCE(list->qlen, list->qlen - 1); + next = skb->next; + prev = skb->prev; + skb->next = skb->prev = NULL; +@@ -2795,7 +2807,7 @@ static inline int skb_padto(struct sk_buff *skb, unsigned int len) + * is untouched. Otherwise it is extended. Returns zero on + * success. The skb is freed on error. + */ +-static inline int skb_put_padto(struct sk_buff *skb, unsigned int len) ++static inline int __must_check skb_put_padto(struct sk_buff *skb, unsigned int len) + { + unsigned int size = skb->len; + +diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c +index 712469a3103ac..54b30c9bd8b13 100644 +--- a/kernel/audit_watch.c ++++ b/kernel/audit_watch.c +@@ -316,8 +316,6 @@ static void audit_update_watch(struct audit_parent *parent, + if (oentry->rule.exe) + audit_remove_mark(oentry->rule.exe); + +- audit_watch_log_rule_change(r, owatch, "updated_rules"); +- + call_rcu(&oentry->rcu, audit_free_rule_rcu); + } + +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index 8648d7d297081..1253261fdb3ba 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -427,15 +427,7 @@ static void htab_elem_free_rcu(struct rcu_head *head) + struct htab_elem *l = container_of(head, struct htab_elem, rcu); + struct bpf_htab *htab = l->htab; + +- /* must increment bpf_prog_active to avoid kprobe+bpf triggering while +- * we're calling kfree, otherwise deadlock is possible if kprobes +- * are placed somewhere inside of slub +- */ +- preempt_disable(); +- __this_cpu_inc(bpf_prog_active); + htab_elem_free(htab, l); +- __this_cpu_dec(bpf_prog_active); +- preempt_enable(); + } + + static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l) +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index 9aa2dbe6a4568..3938e4670b89b 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -2012,6 +2012,9 @@ static void kill_kprobe(struct kprobe *p) + { + struct kprobe *kp; + ++ if (WARN_ON_ONCE(kprobe_gone(p))) ++ return; ++ + p->flags |= KPROBE_FLAG_GONE; + if (kprobe_aggrprobe(p)) { + /* +@@ -2032,9 +2035,10 @@ static void kill_kprobe(struct kprobe *p) + + /* + * The module is going away. We should disarm the kprobe which +- * is using ftrace. ++ * is using ftrace, because ftrace framework is still available at ++ * MODULE_STATE_GOING notification. + */ +- if (kprobe_ftrace(p)) ++ if (kprobe_ftrace(p) && !kprobe_disabled(p) && !kprobes_all_disarmed) + disarm_kprobe_ftrace(p); + } + +@@ -2154,7 +2158,10 @@ static int kprobes_module_callback(struct notifier_block *nb, + mutex_lock(&kprobe_mutex); + for (i = 0; i < KPROBE_TABLE_SIZE; i++) { + head = &kprobe_table[i]; +- hlist_for_each_entry_rcu(p, head, hlist) ++ hlist_for_each_entry_rcu(p, head, hlist) { ++ if (kprobe_gone(p)) ++ continue; ++ + if (within_module_init((unsigned long)p->addr, mod) || + (checkcore && + within_module_core((unsigned long)p->addr, mod))) { +@@ -2165,6 +2172,7 @@ static int kprobes_module_callback(struct notifier_block *nb, + */ + kill_kprobe(p); + } ++ } + } + mutex_unlock(&kprobe_mutex); + return NOTIFY_DONE; +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index c1873d325ebda..7acae2f2478d9 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -2035,6 +2035,9 @@ static int __init console_setup(char *str) + char *s, *options, *brl_options = NULL; + int idx; + ++ if (str[0] == 0) ++ return 1; ++ + if (_braille_console_setup(&str, &brl_options)) + return 1; + +diff --git a/kernel/sys.c b/kernel/sys.c +index 157277cbf83aa..546cdc911dad4 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1183,11 +1183,13 @@ SYSCALL_DEFINE1(uname, struct old_utsname __user *, name) + + SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) + { +- struct oldold_utsname tmp = {}; ++ struct oldold_utsname tmp; + + if (!name) + return -EFAULT; + ++ memset(&tmp, 0, sizeof(tmp)); ++ + down_read(&uts_sem); + memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN); + memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN); +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index e24e1f0c56906..e21b4d8b72405 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -950,9 +950,8 @@ static int scale64_check_overflow(u64 mult, u64 div, u64 *base) + ((int)sizeof(u64)*8 - fls64(mult) < fls64(rem))) + return -EOVERFLOW; + tmp *= mult; +- rem *= mult; + +- do_div(rem, div); ++ rem = div64_u64(rem * mult, div); + *base = tmp + rem; + return 0; + } +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index b2fb25aefb2fc..2388fb50d1885 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -2600,6 +2600,9 @@ int trace_array_printk(struct trace_array *tr, + if (!(global_trace.trace_flags & TRACE_ITER_PRINTK)) + return 0; + ++ if (!tr) ++ return -ENOENT; ++ + va_start(ap, fmt); + ret = trace_array_vprintk(tr, ip, fmt, ap); + va_end(ap); +@@ -7693,7 +7696,7 @@ __init static int tracer_alloc_buffers(void) + goto out_free_buffer_mask; + + /* Only allocate trace_printk buffers if a trace_printk exists */ +- if (__stop___trace_bprintk_fmt != __start___trace_bprintk_fmt) ++ if (&__stop___trace_bprintk_fmt != &__start___trace_bprintk_fmt) + /* Must be called before global_trace.buffer is allocated */ + trace_printk_init_buffers(); + +diff --git a/kernel/trace/trace_entries.h b/kernel/trace/trace_entries.h +index d1cc37e78f997..1430f6bbb1a07 100644 +--- a/kernel/trace/trace_entries.h ++++ b/kernel/trace/trace_entries.h +@@ -178,7 +178,7 @@ FTRACE_ENTRY(kernel_stack, stack_entry, + + F_STRUCT( + __field( int, size ) +- __dynamic_array(unsigned long, caller ) ++ __array( unsigned long, caller, FTRACE_STACK_ENTRIES ) + ), + + F_printk("\t=> (" IP_FMT ")\n\t=> (" IP_FMT ")\n\t=> (" IP_FMT ")\n" +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index af969f753e5e9..5bf072e437c41 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -790,6 +790,8 @@ static int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set) + char *event = NULL, *sub = NULL, *match; + int ret; + ++ if (!tr) ++ return -ENOENT; + /* + * The buf format can be <subsystem>:<event-name> + * *:<event-name> means any event by that name. +diff --git a/lib/string.c b/lib/string.c +index 8f1a2a04e22f5..d099762a9bd60 100644 +--- a/lib/string.c ++++ b/lib/string.c +@@ -235,6 +235,30 @@ ssize_t strscpy(char *dest, const char *src, size_t count) + EXPORT_SYMBOL(strscpy); + #endif + ++/** ++ * stpcpy - copy a string from src to dest returning a pointer to the new end ++ * of dest, including src's %NUL-terminator. May overrun dest. ++ * @dest: pointer to end of string being copied into. Must be large enough ++ * to receive copy. ++ * @src: pointer to the beginning of string being copied from. Must not overlap ++ * dest. ++ * ++ * stpcpy differs from strcpy in a key way: the return value is a pointer ++ * to the new %NUL-terminating character in @dest. (For strcpy, the return ++ * value is a pointer to the start of @dest). This interface is considered ++ * unsafe as it doesn't perform bounds checking of the inputs. As such it's ++ * not recommended for usage. Instead, its definition is provided in case ++ * the compiler lowers other libcalls to stpcpy. ++ */ ++char *stpcpy(char *__restrict__ dest, const char *__restrict__ src); ++char *stpcpy(char *__restrict__ dest, const char *__restrict__ src) ++{ ++ while ((*dest++ = *src++) != '\0') ++ /* nothing */; ++ return --dest; ++} ++EXPORT_SYMBOL(stpcpy); ++ + #ifndef __HAVE_ARCH_STRCAT + /** + * strcat - Append one %NUL-terminated string to another +diff --git a/mm/filemap.c b/mm/filemap.c +index b046d8f147e20..05af91f495f53 100644 +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2474,6 +2474,14 @@ filler: + unlock_page(page); + goto out; + } ++ ++ /* ++ * A previous I/O error may have been due to temporary ++ * failures. ++ * Clear page error before actual read, PG_error will be ++ * set again if read page fails. ++ */ ++ ClearPageError(page); + goto filler; + + out: +diff --git a/mm/mmap.c b/mm/mmap.c +index 7109f886e739e..7c8815636c482 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2028,6 +2028,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + info.low_limit = mm->mmap_base; + info.high_limit = TASK_SIZE; + info.align_mask = 0; ++ info.align_offset = 0; + return vm_unmapped_area(&info); + } + #endif +@@ -2069,6 +2070,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + info.low_limit = max(PAGE_SIZE, mmap_min_addr); + info.high_limit = mm->mmap_base; + info.align_mask = 0; ++ info.align_offset = 0; + addr = vm_unmapped_area(&info); + + /* +diff --git a/mm/pagewalk.c b/mm/pagewalk.c +index d95341cffc2f6..8d6290502631a 100644 +--- a/mm/pagewalk.c ++++ b/mm/pagewalk.c +@@ -14,9 +14,9 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, + err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, walk); + if (err) + break; +- addr += PAGE_SIZE; +- if (addr == end) ++ if (addr >= end - PAGE_SIZE) + break; ++ addr += PAGE_SIZE; + pte++; + } + +diff --git a/net/atm/lec.c b/net/atm/lec.c +index 704892d79bf19..756429c95e859 100644 +--- a/net/atm/lec.c ++++ b/net/atm/lec.c +@@ -1290,6 +1290,12 @@ static void lec_arp_clear_vccs(struct lec_arp_table *entry) + entry->vcc = NULL; + } + if (entry->recv_vcc) { ++ struct atm_vcc *vcc = entry->recv_vcc; ++ struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc); ++ ++ kfree(vpriv); ++ vcc->user_back = NULL; ++ + entry->recv_vcc->push = entry->old_recv_push; + vcc_release_async(entry->recv_vcc, -EPIPE); + entry->recv_vcc = NULL; +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index e545b42ab0b98..516c45771d59b 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -36,6 +36,7 @@ + #include <linux/lockdep.h> + #include <linux/netdevice.h> + #include <linux/netlink.h> ++#include <linux/preempt.h> + #include <linux/rculist.h> + #include <linux/rcupdate.h> + #include <linux/seq_file.h> +@@ -95,11 +96,12 @@ static inline u32 batadv_choose_claim(const void *data, u32 size) + */ + static inline u32 batadv_choose_backbone_gw(const void *data, u32 size) + { +- const struct batadv_bla_claim *claim = (struct batadv_bla_claim *)data; ++ const struct batadv_bla_backbone_gw *gw; + u32 hash = 0; + +- hash = jhash(&claim->addr, sizeof(claim->addr), hash); +- hash = jhash(&claim->vid, sizeof(claim->vid), hash); ++ gw = (struct batadv_bla_backbone_gw *)data; ++ hash = jhash(&gw->orig, sizeof(gw->orig), hash); ++ hash = jhash(&gw->vid, sizeof(gw->vid), hash); + + return hash % size; + } +@@ -1820,7 +1822,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb, + * @bat_priv: the bat priv with all the soft interface information + * @skb: the frame to be checked + * @vid: the VLAN ID of the frame +- * @is_bcast: the packet came in a broadcast packet type. ++ * @packet_type: the batman packet type this frame came in + * + * batadv_bla_rx avoidance checks if: + * * we have to race for a claim +@@ -1832,7 +1834,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb, + * further process the skb. + */ + bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, +- unsigned short vid, bool is_bcast) ++ unsigned short vid, int packet_type) + { + struct batadv_bla_backbone_gw *backbone_gw; + struct ethhdr *ethhdr; +@@ -1854,9 +1856,24 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, + goto handled; + + if (unlikely(atomic_read(&bat_priv->bla.num_requests))) +- /* don't allow broadcasts while requests are in flight */ +- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast) +- goto handled; ++ /* don't allow multicast packets while requests are in flight */ ++ if (is_multicast_ether_addr(ethhdr->h_dest)) ++ /* Both broadcast flooding or multicast-via-unicasts ++ * delivery might send to multiple backbone gateways ++ * sharing the same LAN and therefore need to coordinate ++ * which backbone gateway forwards into the LAN, ++ * by claiming the payload source address. ++ * ++ * Broadcast flooding and multicast-via-unicasts ++ * delivery use the following two batman packet types. ++ * Note: explicitly exclude BATADV_UNICAST_4ADDR, ++ * as the DHCP gateway feature will send explicitly ++ * to only one BLA gateway, so the claiming process ++ * should be avoided there. ++ */ ++ if (packet_type == BATADV_BCAST || ++ packet_type == BATADV_UNICAST) ++ goto handled; + + ether_addr_copy(search_claim.addr, ethhdr->h_source); + search_claim.vid = vid; +@@ -1884,13 +1901,14 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, + goto allow; + } + +- /* if it is a broadcast ... */ +- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast) { ++ /* if it is a multicast ... */ ++ if (is_multicast_ether_addr(ethhdr->h_dest) && ++ (packet_type == BATADV_BCAST || packet_type == BATADV_UNICAST)) { + /* ... drop it. the responsible gateway is in charge. + * +- * We need to check is_bcast because with the gateway ++ * We need to check packet type because with the gateway + * feature, broadcasts (like DHCP requests) may be sent +- * using a unicast packet type. ++ * using a unicast 4 address packet type. See comment above. + */ + goto handled; + } else { +diff --git a/net/batman-adv/bridge_loop_avoidance.h b/net/batman-adv/bridge_loop_avoidance.h +index 1ae93e46fb984..40b8ec9d4b1b5 100644 +--- a/net/batman-adv/bridge_loop_avoidance.h ++++ b/net/batman-adv/bridge_loop_avoidance.h +@@ -29,7 +29,7 @@ struct sk_buff; + + #ifdef CONFIG_BATMAN_ADV_BLA + bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, +- unsigned short vid, bool is_bcast); ++ unsigned short vid, int packet_type); + bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb, + unsigned short vid); + bool batadv_bla_is_backbone_gw(struct sk_buff *skb, +@@ -56,7 +56,7 @@ int batadv_bla_claim_dump(struct sk_buff *msg, struct netlink_callback *cb); + + static inline bool batadv_bla_rx(struct batadv_priv *bat_priv, + struct sk_buff *skb, unsigned short vid, +- bool is_bcast) ++ int packet_type) + { + return false; + } +diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c +index 19059ae26e519..1ba205c3ea9fa 100644 +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -803,6 +803,10 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv, + vid = batadv_get_vid(skb, hdr_len); + ethhdr = (struct ethhdr *)(skb->data + hdr_len); + ++ /* do not reroute multicast frames in a unicast header */ ++ if (is_multicast_ether_addr(ethhdr->h_dest)) ++ return true; ++ + /* check if the destination client was served by this node and it is now + * roaming. In this case, it means that the node has got a ROAM_ADV + * message and that it knows the new destination in the mesh to re-route +diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c +index 99d2c453c8722..af0a8439cf08a 100644 +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -415,10 +415,10 @@ void batadv_interface_rx(struct net_device *soft_iface, + struct vlan_ethhdr *vhdr; + struct ethhdr *ethhdr; + unsigned short vid; +- bool is_bcast; ++ int packet_type; + + batadv_bcast_packet = (struct batadv_bcast_packet *)skb->data; +- is_bcast = (batadv_bcast_packet->packet_type == BATADV_BCAST); ++ packet_type = batadv_bcast_packet->packet_type; + + skb_pull_rcsum(skb, hdr_size); + skb_reset_mac_header(skb); +@@ -463,7 +463,7 @@ void batadv_interface_rx(struct net_device *soft_iface, + /* Let the bridge loop avoidance check the packet. If will + * not handle it, we can safely push it up. + */ +- if (batadv_bla_rx(bat_priv, skb, vid, is_bcast)) ++ if (batadv_bla_rx(bat_priv, skb, vid, packet_type)) + goto out; + + if (orig_node) +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 757977c54d9ef..d6da119f5082e 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -41,12 +41,27 @@ + + /* Handle HCI Event packets */ + +-static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) ++static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb, ++ u8 *new_status) + { + __u8 status = *((__u8 *) skb->data); + + BT_DBG("%s status 0x%2.2x", hdev->name, status); + ++ /* It is possible that we receive Inquiry Complete event right ++ * before we receive Inquiry Cancel Command Complete event, in ++ * which case the latter event should have status of Command ++ * Disallowed (0x0c). This should not be treated as error, since ++ * we actually achieve what Inquiry Cancel wants to achieve, ++ * which is to end the last Inquiry session. ++ */ ++ if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) { ++ bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); ++ status = 0x00; ++ } ++ ++ *new_status = status; ++ + if (status) + return; + +@@ -2772,7 +2787,7 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, + + switch (*opcode) { + case HCI_OP_INQUIRY_CANCEL: +- hci_cc_inquiry_cancel(hdev, skb); ++ hci_cc_inquiry_cancel(hdev, skb, status); + break; + + case HCI_OP_PERIODIC_INQ: +@@ -5257,6 +5272,11 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) + u8 status = 0, event = hdr->evt, req_evt = 0; + u16 opcode = HCI_OP_NOP; + ++ if (!event) { ++ bt_dev_warn(hdev, "Received unexpected HCI Event 00000000"); ++ goto done; ++ } ++ + if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) { + struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; + opcode = __le16_to_cpu(cmd_hdr->opcode); +@@ -5468,6 +5488,7 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) + req_complete_skb(hdev, status, opcode, orig_skb); + } + ++done: + kfree_skb(orig_skb); + kfree_skb(skb); + hdev->stat.evt_rx++; +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 11012a5090708..5e3f5c1ba07d6 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -414,6 +414,9 @@ static void l2cap_chan_timeout(struct work_struct *work) + BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); + + mutex_lock(&conn->chan_lock); ++ /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling ++ * this work. No need to call l2cap_chan_hold(chan) here again. ++ */ + l2cap_chan_lock(chan); + + if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG) +@@ -426,12 +429,12 @@ static void l2cap_chan_timeout(struct work_struct *work) + + l2cap_chan_close(chan, reason); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); +- mutex_unlock(&conn->chan_lock); + ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); ++ ++ mutex_unlock(&conn->chan_lock); + } + + struct l2cap_chan *l2cap_chan_create(void) +@@ -1725,9 +1728,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err) + + l2cap_chan_del(chan, err); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); ++ ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + } + +@@ -4104,7 +4107,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, + return 0; + } + +- if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) { ++ if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 && ++ chan->state != BT_CONNECTED) { + cmd_reject_invalid_cid(conn, cmd->ident, chan->scid, + chan->dcid); + goto unlock; +@@ -4327,6 +4331,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, + return 0; + } + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); + + rsp.dcid = cpu_to_le16(chan->scid); +@@ -4335,12 +4340,11 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, + + chan->ops->set_shutdown(chan); + +- l2cap_chan_hold(chan); + l2cap_chan_del(chan, ECONNRESET); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); ++ ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + + mutex_unlock(&conn->chan_lock); +@@ -4372,20 +4376,21 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, + return 0; + } + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); + + if (chan->state != BT_DISCONN) { + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + mutex_unlock(&conn->chan_lock); + return 0; + } + +- l2cap_chan_hold(chan); + l2cap_chan_del(chan, 0); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); ++ ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + + mutex_unlock(&conn->chan_lock); +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index a8ba752732c98..bbf08c6092f4a 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1038,7 +1038,7 @@ done: + } + + /* Kill socket (only if zapped and orphan) +- * Must be called on unlocked socket. ++ * Must be called on unlocked socket, with l2cap channel lock. + */ + static void l2cap_sock_kill(struct sock *sk) + { +@@ -1189,6 +1189,7 @@ static int l2cap_sock_release(struct socket *sock) + { + struct sock *sk = sock->sk; + int err; ++ struct l2cap_chan *chan; + + BT_DBG("sock %p, sk %p", sock, sk); + +@@ -1198,9 +1199,17 @@ static int l2cap_sock_release(struct socket *sock) + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, 2); ++ chan = l2cap_pi(sk)->chan; ++ ++ l2cap_chan_hold(chan); ++ l2cap_chan_lock(chan); + + sock_orphan(sk); + l2cap_sock_kill(sk); ++ ++ l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); ++ + return err; + } + +@@ -1218,12 +1227,15 @@ static void l2cap_sock_cleanup_listen(struct sock *parent) + BT_DBG("child chan %p state %s", chan, + state_to_string(chan->state)); + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); ++ + __clear_chan_timer(chan); + l2cap_chan_close(chan, ECONNRESET); +- l2cap_chan_unlock(chan); +- + l2cap_sock_kill(sk); ++ ++ l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + } + } + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 6578d1f8e6c4a..d267dc04d9f74 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2797,6 +2797,7 @@ static void *neigh_stat_seq_next(struct seq_file *seq, void *v, loff_t *pos) + *pos = cpu+1; + return per_cpu_ptr(tbl->stats, cpu); + } ++ (*pos)++; + return NULL; + } + +diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c +index aead5ac4dbf68..ea07c91ab3488 100644 +--- a/net/hsr/hsr_device.c ++++ b/net/hsr/hsr_device.c +@@ -315,7 +315,8 @@ static void send_hsr_supervision_frame(struct hsr_port *master, + hsr_sp = (typeof(hsr_sp)) skb_put(skb, sizeof(struct hsr_sup_payload)); + ether_addr_copy(hsr_sp->MacAddressA, master->dev->dev_addr); + +- skb_put_padto(skb, ETH_ZLEN + HSR_HLEN); ++ if (skb_put_padto(skb, ETH_ZLEN + HSR_HLEN)) ++ return; + + hsr_forward_skb(skb, master); + return; +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 4f3decbe6a3a5..c37e9598262e5 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -73,6 +73,7 @@ + #include <net/icmp.h> + #include <net/checksum.h> + #include <net/inetpeer.h> ++#include <net/inet_ecn.h> + #include <net/lwtunnel.h> + #include <linux/igmp.h> + #include <linux/netfilter_ipv4.h> +@@ -1611,7 +1612,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + if (IS_ERR(rt)) + return; + +- inet_sk(sk)->tos = arg->tos; ++ inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK; + + sk->sk_priority = skb->priority; + sk->sk_protocol = ip_hdr(skb)->protocol; +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index c8c51bd2d695b..e9aae4686536a 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -271,6 +271,7 @@ static void *rt_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) + *pos = cpu+1; + return &per_cpu(rt_cache_stat, cpu); + } ++ (*pos)++; + return NULL; + + } +diff --git a/net/key/af_key.c b/net/key/af_key.c +index d2ec620319d76..76a008b1cbe5f 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1873,6 +1873,13 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms + if (ext_hdrs[SADB_X_EXT_FILTER - 1]) { + struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1]; + ++ if ((xfilter->sadb_x_filter_splen >= ++ (sizeof(xfrm_address_t) << 3)) || ++ (xfilter->sadb_x_filter_dplen >= ++ (sizeof(xfrm_address_t) << 3))) { ++ mutex_unlock(&pfk->dump_lock); ++ return -EINVAL; ++ } + filter = kmalloc(sizeof(*filter), GFP_KERNEL); + if (filter == NULL) { + mutex_unlock(&pfk->dump_lock); +diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c +index bcd1a5e6ebf42..2f873a0dc5836 100644 +--- a/net/mac802154/tx.c ++++ b/net/mac802154/tx.c +@@ -42,11 +42,11 @@ void ieee802154_xmit_worker(struct work_struct *work) + if (res) + goto err_tx; + +- ieee802154_xmit_complete(&local->hw, skb, false); +- + dev->stats.tx_packets++; + dev->stats.tx_bytes += skb->len; + ++ ieee802154_xmit_complete(&local->hw, skb, false); ++ + return; + + err_tx: +@@ -86,6 +86,8 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb) + + /* async is priority, otherwise sync is fallback */ + if (local->ops->xmit_async) { ++ unsigned int len = skb->len; ++ + ret = drv_xmit_async(local, skb); + if (ret) { + ieee802154_wake_queue(&local->hw); +@@ -93,7 +95,7 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb) + } + + dev->stats.tx_packets++; +- dev->stats.tx_bytes += skb->len; ++ dev->stats.tx_bytes += len; + } else { + local->tx_skb = skb; + queue_work(local->workqueue, &local->tx_work); +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index 42ce3ed216376..56e4ac8e2e994 100644 +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -103,8 +103,17 @@ void svc_unreg_xprt_class(struct svc_xprt_class *xcl) + } + EXPORT_SYMBOL_GPL(svc_unreg_xprt_class); + +-/* +- * Format the transport list for printing ++/** ++ * svc_print_xprts - Format the transport list for printing ++ * @buf: target buffer for formatted address ++ * @maxlen: length of target buffer ++ * ++ * Fills in @buf with a string containing a list of transport names, each name ++ * terminated with '\n'. If the buffer is too small, some entries may be ++ * missing, but it is guaranteed that all lines in the output buffer are ++ * complete. ++ * ++ * Returns positive length of the filled-in string. + */ + int svc_print_xprts(char *buf, int maxlen) + { +@@ -117,9 +126,9 @@ int svc_print_xprts(char *buf, int maxlen) + list_for_each_entry(xcl, &svc_xprt_class_list, xcl_list) { + int slen; + +- sprintf(tmpstr, "%s %d\n", xcl->xcl_name, xcl->xcl_max_payload); +- slen = strlen(tmpstr); +- if (len + slen > maxlen) ++ slen = snprintf(tmpstr, sizeof(tmpstr), "%s %d\n", ++ xcl->xcl_name, xcl->xcl_max_payload); ++ if (slen >= sizeof(tmpstr) || len + slen >= maxlen) + break; + len += slen; + strcat(buf, tmpstr); +diff --git a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c +index 6035c5a380a6b..b3d48c6243c80 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c +@@ -277,6 +277,7 @@ xprt_rdma_bc_put(struct rpc_xprt *xprt) + { + dprintk("svcrdma: %s: xprt %p\n", __func__, xprt); + ++ xprt_rdma_free_addresses(xprt); + xprt_free(xprt); + module_put(THIS_MODULE); + } +diff --git a/net/tipc/msg.c b/net/tipc/msg.c +index 912f1fb97c06d..ea554756a786d 100644 +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -140,7 +140,8 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + if (fragid == FIRST_FRAGMENT) { + if (unlikely(head)) + goto err; +- if (unlikely(skb_unclone(frag, GFP_ATOMIC))) ++ frag = skb_unshare(frag, GFP_ATOMIC); ++ if (unlikely(!frag)) + goto err; + head = *headbuf = frag; + *buf = NULL; +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 32ae82a5596d9..bcd6ed6e7e25c 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -191,11 +191,17 @@ static inline int unix_may_send(struct sock *sk, struct sock *osk) + return unix_peer(osk) == NULL || unix_our_peer(sk, osk); + } + +-static inline int unix_recvq_full(struct sock const *sk) ++static inline int unix_recvq_full(const struct sock *sk) + { + return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog; + } + ++static inline int unix_recvq_full_lockless(const struct sock *sk) ++{ ++ return skb_queue_len_lockless(&sk->sk_receive_queue) > ++ READ_ONCE(sk->sk_max_ack_backlog); ++} ++ + struct sock *unix_peer_get(struct sock *s) + { + struct sock *peer; +@@ -1793,7 +1799,8 @@ restart_locked: + * - unix_peer(sk) == sk by time of get but disconnected before lock + */ + if (other != sk && +- unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { ++ unlikely(unix_peer(other) != sk && ++ unix_recvq_full_lockless(other))) { + if (timeo) { + timeo = unix_wait_for_peer(other, timeo); + +diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c +index 72c145dd799f1..ef1226c1c3add 100644 +--- a/security/selinux/selinuxfs.c ++++ b/security/selinux/selinuxfs.c +@@ -1416,6 +1416,7 @@ static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx) + *idx = cpu + 1; + return &per_cpu(avc_cache_stats, cpu); + } ++ (*idx)++; + return NULL; + } + +diff --git a/sound/hda/hdac_bus.c b/sound/hda/hdac_bus.c +index 0e81ea89a5965..e3f68a76d90eb 100644 +--- a/sound/hda/hdac_bus.c ++++ b/sound/hda/hdac_bus.c +@@ -155,6 +155,7 @@ static void process_unsol_events(struct work_struct *work) + struct hdac_driver *drv; + unsigned int rp, caddr, res; + ++ spin_lock_irq(&bus->reg_lock); + while (bus->unsol_rp != bus->unsol_wp) { + rp = (bus->unsol_rp + 1) % HDA_UNSOL_QUEUE_SIZE; + bus->unsol_rp = rp; +@@ -166,10 +167,13 @@ static void process_unsol_events(struct work_struct *work) + codec = bus->caddr_tbl[caddr & 0x0f]; + if (!codec || !codec->dev.driver) + continue; ++ spin_unlock_irq(&bus->reg_lock); + drv = drv_to_hdac_driver(codec->dev.driver); + if (drv->unsol_event) + drv->unsol_event(codec, res); ++ spin_lock_irq(&bus->reg_lock); + } ++ spin_unlock_irq(&bus->reg_lock); + } + + /** +diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c +index 3ef9af53ef497..0d5ff00cdabca 100644 +--- a/sound/pci/asihpi/hpioctl.c ++++ b/sound/pci/asihpi/hpioctl.c +@@ -346,7 +346,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev, + struct hpi_message hm; + struct hpi_response hr; + struct hpi_adapter adapter; +- struct hpi_pci pci; ++ struct hpi_pci pci = { 0 }; + + memset(&adapter, 0, sizeof(adapter)); + +@@ -502,7 +502,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev, + return 0; + + err: +- for (idx = 0; idx < HPI_MAX_ADAPTER_MEM_SPACES; idx++) { ++ while (--idx >= 0) { + if (pci.ap_mem_base[idx]) { + iounmap(pci.ap_mem_base[idx]); + pci.ap_mem_base[idx] = NULL; +diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c +index bd0e4710d15d7..79043b481d7b6 100644 +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -1158,16 +1158,23 @@ irqreturn_t azx_interrupt(int irq, void *dev_id) + if (snd_hdac_bus_handle_stream_irq(bus, status, stream_update)) + active = true; + +- /* clear rirb int */ + status = azx_readb(chip, RIRBSTS); + if (status & RIRB_INT_MASK) { ++ /* ++ * Clearing the interrupt status here ensures that no ++ * interrupt gets masked after the RIRB wp is read in ++ * snd_hdac_bus_update_rirb. This avoids a possible ++ * race condition where codec response in RIRB may ++ * remain unserviced by IRQ, eventually falling back ++ * to polling mode in azx_rirb_get_response. ++ */ ++ azx_writeb(chip, RIRBSTS, RIRB_INT_MASK); + active = true; + if (status & RIRB_INT_RESPONSE) { + if (chip->driver_caps & AZX_DCAPS_CTX_WORKAROUND) + udelay(80); + snd_hdac_bus_update_rirb(bus); + } +- azx_writeb(chip, RIRBSTS, RIRB_INT_MASK); + } + } while (active && ++repeat < 10); + +diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c +index dafd22e874e99..e655425e4819e 100644 +--- a/sound/soc/kirkwood/kirkwood-dma.c ++++ b/sound/soc/kirkwood/kirkwood-dma.c +@@ -136,7 +136,7 @@ static int kirkwood_dma_open(struct snd_pcm_substream *substream) + err = request_irq(priv->irq, kirkwood_dma_irq, IRQF_SHARED, + "kirkwood-i2s", priv); + if (err) +- return -EBUSY; ++ return err; + + /* + * Enable Error interrupts. We're only ack'ing them but +diff --git a/sound/usb/midi.c b/sound/usb/midi.c +index 0676e7d485def..b8d4b5b3e54a1 100644 +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -1805,6 +1805,28 @@ static int snd_usbmidi_create_endpoints(struct snd_usb_midi *umidi, + return 0; + } + ++static struct usb_ms_endpoint_descriptor *find_usb_ms_endpoint_descriptor( ++ struct usb_host_endpoint *hostep) ++{ ++ unsigned char *extra = hostep->extra; ++ int extralen = hostep->extralen; ++ ++ while (extralen > 3) { ++ struct usb_ms_endpoint_descriptor *ms_ep = ++ (struct usb_ms_endpoint_descriptor *)extra; ++ ++ if (ms_ep->bLength > 3 && ++ ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT && ++ ms_ep->bDescriptorSubtype == UAC_MS_GENERAL) ++ return ms_ep; ++ if (!extra[0]) ++ break; ++ extralen -= extra[0]; ++ extra += extra[0]; ++ } ++ return NULL; ++} ++ + /* + * Returns MIDIStreaming device capabilities. + */ +@@ -1842,11 +1864,8 @@ static int snd_usbmidi_get_ms_info(struct snd_usb_midi *umidi, + ep = get_ep_desc(hostep); + if (!usb_endpoint_xfer_bulk(ep) && !usb_endpoint_xfer_int(ep)) + continue; +- ms_ep = (struct usb_ms_endpoint_descriptor *)hostep->extra; +- if (hostep->extralen < 4 || +- ms_ep->bLength < 4 || +- ms_ep->bDescriptorType != USB_DT_CS_ENDPOINT || +- ms_ep->bDescriptorSubtype != UAC_MS_GENERAL) ++ ms_ep = find_usb_ms_endpoint_descriptor(hostep); ++ if (!ms_ep) + continue; + if (usb_endpoint_dir_out(ep)) { + if (endpoints[epidx].out_ep) { +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 08e1af85af384..66b7ccb33c7b1 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1320,12 +1320,13 @@ void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe, + && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) + mdelay(20); + +- /* Zoom R16/24, Logitech H650e, Jabra 550a, Kingston HyperX needs a tiny +- * delay here, otherwise requests like get/set frequency return as +- * failed despite actually succeeding. ++ /* Zoom R16/24, Logitech H650e/H570e, Jabra 550a, Kingston HyperX ++ * needs a tiny delay here, otherwise requests like get/set ++ * frequency return as failed despite actually succeeding. + */ + if ((chip->usb_id == USB_ID(0x1686, 0x00dd) || + chip->usb_id == USB_ID(0x046d, 0x0a46) || ++ chip->usb_id == USB_ID(0x046d, 0x0a56) || + chip->usb_id == USB_ID(0x0b0e, 0x0349) || + chip->usb_id == USB_ID(0x0951, 0x16ad)) && + (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) +diff --git a/tools/gpio/gpio-hammer.c b/tools/gpio/gpio-hammer.c +index 37b3f141053df..85f45800f881f 100644 +--- a/tools/gpio/gpio-hammer.c ++++ b/tools/gpio/gpio-hammer.c +@@ -171,7 +171,14 @@ int main(int argc, char **argv) + device_name = optarg; + break; + case 'o': +- lines[i] = strtoul(optarg, NULL, 10); ++ /* ++ * Avoid overflow. Do not immediately error, we want to ++ * be able to accurately report on the amount of times ++ * '-o' was given to give an accurate error message ++ */ ++ if (i < GPIOHANDLES_MAX) ++ lines[i] = strtoul(optarg, NULL, 10); ++ + i++; + break; + case '?': +@@ -179,6 +186,14 @@ int main(int argc, char **argv) + return -1; + } + } ++ ++ if (i >= GPIOHANDLES_MAX) { ++ fprintf(stderr, ++ "Only %d occurences of '-o' are allowed, %d were found\n", ++ GPIOHANDLES_MAX, i + 1); ++ return -1; ++ } ++ + nlines = i; + + if (!device_name || !nlines) { +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index c7399d7f4bc77..31c512f19662e 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -502,7 +502,7 @@ static int add_jump_destinations(struct objtool_file *file) + insn->type != INSN_JUMP_UNCONDITIONAL) + continue; + +- if (insn->ignore || insn->offset == FAKE_JUMP_OFFSET) ++ if (insn->offset == FAKE_JUMP_OFFSET) + continue; + + rela = find_rela_by_dest_range(insn->sec, insn->offset, +diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c +index 031e64ce71564..013e3f5102258 100644 +--- a/tools/perf/util/sort.c ++++ b/tools/perf/util/sort.c +@@ -2532,7 +2532,7 @@ static char *prefix_if_not_in(const char *pre, char *str) + return str; + + if (asprintf(&n, "%s,%s", pre, str) < 0) +- return NULL; ++ n = NULL; + + free(str); + return n; +diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c +index 5a50326c8158f..e155783c601ab 100644 +--- a/tools/perf/util/symbol-elf.c ++++ b/tools/perf/util/symbol-elf.c +@@ -1421,6 +1421,7 @@ struct kcore_copy_info { + u64 first_symbol; + u64 last_symbol; + u64 first_module; ++ u64 first_module_symbol; + u64 last_module_symbol; + struct phdr_data kernel_map; + struct phdr_data modules_map; +@@ -1435,6 +1436,8 @@ static int kcore_copy__process_kallsyms(void *arg, const char *name, char type, + return 0; + + if (strchr(name, '[')) { ++ if (!kci->first_module_symbol || start < kci->first_module_symbol) ++ kci->first_module_symbol = start; + if (start > kci->last_module_symbol) + kci->last_module_symbol = start; + return 0; +@@ -1559,6 +1562,10 @@ static int kcore_copy__calc_maps(struct kcore_copy_info *kci, const char *dir, + kci->etext += page_size; + } + ++ if (kci->first_module_symbol && ++ (!kci->first_module || kci->first_module_symbol < kci->first_module)) ++ kci->first_module = kci->first_module_symbol; ++ + kci->first_module = round_down(kci->first_module, page_size); + + if (kci->last_module_symbol) { +diff --git a/tools/testing/selftests/x86/syscall_nt.c b/tools/testing/selftests/x86/syscall_nt.c +index 43fcab367fb0a..74e6b3fc2d09e 100644 +--- a/tools/testing/selftests/x86/syscall_nt.c ++++ b/tools/testing/selftests/x86/syscall_nt.c +@@ -67,6 +67,7 @@ static void do_it(unsigned long extraflags) + set_eflags(get_eflags() | extraflags); + syscall(SYS_getpid); + flags = get_eflags(); ++ set_eflags(X86_EFLAGS_IF | X86_EFLAGS_FIXED); + if ((flags & extraflags) == extraflags) { + printf("[OK]\tThe syscall worked and flags are still set\n"); + } else { +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 4e4bb5dd2dcd5..5bddabb3de7c3 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -154,6 +154,7 @@ bool kvm_is_reserved_pfn(kvm_pfn_t pfn) + */ + if (pfn_valid(pfn)) + return PageReserved(pfn_to_page(pfn)) && ++ !is_zero_pfn(pfn) && + !kvm_is_zone_device_pfn(pfn); + + return true; +@@ -3639,7 +3640,7 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr, + void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, + struct kvm_io_device *dev) + { +- int i; ++ int i, j; + struct kvm_io_bus *new_bus, *bus; + + bus = kvm->buses[bus_idx]; +@@ -3656,17 +3657,20 @@ void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, + + new_bus = kmalloc(sizeof(*bus) + ((bus->dev_count - 1) * + sizeof(struct kvm_io_range)), GFP_KERNEL); +- if (!new_bus) { ++ if (new_bus) { ++ memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range)); ++ new_bus->dev_count--; ++ memcpy(new_bus->range + i, bus->range + i + 1, ++ (new_bus->dev_count - i) * sizeof(struct kvm_io_range)); ++ } else { + pr_err("kvm: failed to shrink bus, removing it completely\n"); +- goto broken; ++ for (j = 0; j < bus->dev_count; j++) { ++ if (j == i) ++ continue; ++ kvm_iodevice_destructor(bus->range[j].dev); ++ } + } + +- memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range)); +- new_bus->dev_count--; +- memcpy(new_bus->range + i, bus->range + i + 1, +- (new_bus->dev_count - i) * sizeof(struct kvm_io_range)); +- +-broken: + rcu_assign_pointer(kvm->buses[bus_idx], new_bus); + synchronize_srcu_expedited(&kvm->srcu); + kfree(bus); |