From a082ecb204150d898171dcd87bf5e993ce03768e Mon Sep 17 00:00:00 2001 From: Stephan Raue Date: Sat, 22 Nov 2014 19:39:42 +0100 Subject: [PATCH] projects/imx6/patches/linux: add upstream patches Signed-off-by: Stephan Raue --- .../linux/linux-000-patch-3.14.20-21.patch | 2520 ++++++ .../linux/linux-000-patch-3.14.21-22.patch | 1795 ++++ .../linux/linux-000-patch-3.14.22-23.patch | 5877 +++++++++++++ .../linux/linux-000-patch-3.14.23-24.patch | 7091 ++++++++++++++++ .../linux/linux-000-patch-3.14.24-25.patch | 7549 +++++++++++++++++ 5 files changed, 24832 insertions(+) create mode 100644 projects/imx6/patches/linux/linux-000-patch-3.14.20-21.patch create mode 100644 projects/imx6/patches/linux/linux-000-patch-3.14.21-22.patch create mode 100644 projects/imx6/patches/linux/linux-000-patch-3.14.22-23.patch create mode 100644 projects/imx6/patches/linux/linux-000-patch-3.14.23-24.patch create mode 100644 projects/imx6/patches/linux/linux-000-patch-3.14.24-25.patch diff --git a/projects/imx6/patches/linux/linux-000-patch-3.14.20-21.patch b/projects/imx6/patches/linux/linux-000-patch-3.14.20-21.patch new file mode 100644 index 0000000000..a8ab18d36d --- /dev/null +++ b/projects/imx6/patches/linux/linux-000-patch-3.14.20-21.patch @@ -0,0 +1,2520 @@ +diff --git a/Makefile b/Makefile +index beb7e6f0803b..41e6e19fe2e9 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 20 ++SUBLEVEL = 21 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/unicore32/include/asm/mmu_context.h b/arch/unicore32/include/asm/mmu_context.h +index fb5e4c658f7a..ef470a7a3d0f 100644 +--- a/arch/unicore32/include/asm/mmu_context.h ++++ b/arch/unicore32/include/asm/mmu_context.h +@@ -14,6 +14,8 @@ + + #include + #include ++#include ++#include + #include + + #include +@@ -73,7 +75,7 @@ do { \ + else \ + mm->mmap = NULL; \ + rb_erase(&high_vma->vm_rb, &mm->mm_rb); \ +- mm->mmap_cache = NULL; \ ++ vmacache_invalidate(mm); \ + mm->map_count--; \ + remove_vma(high_vma); \ + } \ +diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c +index c706d50a8b06..8c16c2f97026 100644 +--- a/drivers/block/drbd/drbd_nl.c ++++ b/drivers/block/drbd/drbd_nl.c +@@ -525,6 +525,12 @@ void conn_try_outdate_peer_async(struct drbd_tconn *tconn) + struct task_struct *opa; + + kref_get(&tconn->kref); ++ /* We may just have force_sig()'ed this thread ++ * to get it out of some blocking network function. ++ * Clear signals; otherwise kthread_run(), which internally uses ++ * wait_on_completion_killable(), will mistake our pending signal ++ * for a new fatal signal and fail. 
*/ ++ flush_signals(current); + opa = kthread_run(_try_outdate_peer_async, tconn, "drbd_async_h"); + if (IS_ERR(opa)) { + conn_err(tconn, "out of mem, failed to invoke fence-peer helper\n"); +diff --git a/drivers/cpufreq/integrator-cpufreq.c b/drivers/cpufreq/integrator-cpufreq.c +index 0e27844e8c2d..8089dd2cd9d8 100644 +--- a/drivers/cpufreq/integrator-cpufreq.c ++++ b/drivers/cpufreq/integrator-cpufreq.c +@@ -213,9 +213,9 @@ static int __init integrator_cpufreq_probe(struct platform_device *pdev) + return cpufreq_register_driver(&integrator_driver); + } + +-static void __exit integrator_cpufreq_remove(struct platform_device *pdev) ++static int __exit integrator_cpufreq_remove(struct platform_device *pdev) + { +- cpufreq_unregister_driver(&integrator_driver); ++ return cpufreq_unregister_driver(&integrator_driver); + } + + static const struct of_device_id integrator_cpufreq_match[] = { +diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c +index d278be110805..1855cdca39cd 100644 +--- a/drivers/gpu/drm/i915/i915_gem_gtt.c ++++ b/drivers/gpu/drm/i915/i915_gem_gtt.c +@@ -827,6 +827,16 @@ void i915_check_and_clear_faults(struct drm_device *dev) + POSTING_READ(RING_FAULT_REG(&dev_priv->ring[RCS])); + } + ++static void i915_ggtt_flush(struct drm_i915_private *dev_priv) ++{ ++ if (INTEL_INFO(dev_priv->dev)->gen < 6) { ++ intel_gtt_chipset_flush(); ++ } else { ++ I915_WRITE(GFX_FLSH_CNTL_GEN6, GFX_FLSH_CNTL_EN); ++ POSTING_READ(GFX_FLSH_CNTL_GEN6); ++ } ++} ++ + void i915_gem_suspend_gtt_mappings(struct drm_device *dev) + { + struct drm_i915_private *dev_priv = dev->dev_private; +@@ -843,6 +853,8 @@ void i915_gem_suspend_gtt_mappings(struct drm_device *dev) + dev_priv->gtt.base.start / PAGE_SIZE, + dev_priv->gtt.base.total / PAGE_SIZE, + true); ++ ++ i915_ggtt_flush(dev_priv); + } + + void i915_gem_restore_gtt_mappings(struct drm_device *dev) +@@ -863,7 +875,7 @@ void i915_gem_restore_gtt_mappings(struct drm_device *dev) + i915_gem_gtt_bind_object(obj, obj->cache_level); + } + +- i915_gem_chipset_flush(dev); ++ i915_ggtt_flush(dev_priv); + } + + int i915_gem_gtt_prepare_object(struct drm_i915_gem_object *obj) +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 18cda77b4f79..4913c0690872 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -64,6 +64,10 @@ + #define cpu_to_group(cpu) cpu_to_node(cpu) + #define ANY_GROUP NUMA_NO_NODE + ++static bool devices_handle_discard_safely = false; ++module_param(devices_handle_discard_safely, bool, 0644); ++MODULE_PARM_DESC(devices_handle_discard_safely, ++ "Set to Y if all devices in each array reliably return zeroes on reads from discarded regions"); + static struct workqueue_struct *raid5_wq; + /* + * Stripe cache +@@ -6117,7 +6121,7 @@ static int run(struct mddev *mddev) + mddev->queue->limits.discard_granularity = stripe; + /* + * unaligned part of discard request will be ignored, so can't +- * guarantee discard_zerors_data ++ * guarantee discard_zeroes_data + */ + mddev->queue->limits.discard_zeroes_data = 0; + +@@ -6142,6 +6146,18 @@ static int run(struct mddev *mddev) + !bdev_get_queue(rdev->bdev)-> + limits.discard_zeroes_data) + discard_supported = false; ++ /* Unfortunately, discard_zeroes_data is not currently ++ * a guarantee - just a hint. So we only allow DISCARD ++ * if the sysadmin has confirmed that only safe devices ++ * are in use by setting a module parameter. 
++ */ ++ if (!devices_handle_discard_safely) { ++ if (discard_supported) { ++ pr_info("md/raid456: discard support disabled due to uncertainty.\n"); ++ pr_info("Set raid456.devices_handle_discard_safely=Y to override.\n"); ++ } ++ discard_supported = false; ++ } + } + + if (discard_supported && +diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c +index a127925c9d61..06faea4d60ee 100644 +--- a/drivers/media/v4l2-core/videobuf2-core.c ++++ b/drivers/media/v4l2-core/videobuf2-core.c +@@ -745,6 +745,7 @@ static int __reqbufs(struct vb2_queue *q, struct v4l2_requestbuffers *req) + * to the userspace. + */ + req->count = allocated_buffers; ++ q->waiting_for_buffers = !V4L2_TYPE_IS_OUTPUT(q->type); + + return 0; + } +@@ -793,6 +794,7 @@ static int __create_bufs(struct vb2_queue *q, struct v4l2_create_buffers *create + memset(q->plane_sizes, 0, sizeof(q->plane_sizes)); + memset(q->alloc_ctx, 0, sizeof(q->alloc_ctx)); + q->memory = create->memory; ++ q->waiting_for_buffers = !V4L2_TYPE_IS_OUTPUT(q->type); + } + + num_buffers = min(create->count, VIDEO_MAX_FRAME - q->num_buffers); +@@ -1447,6 +1449,7 @@ static int vb2_internal_qbuf(struct vb2_queue *q, struct v4l2_buffer *b) + * dequeued in dqbuf. + */ + list_add_tail(&vb->queued_entry, &q->queued_list); ++ q->waiting_for_buffers = false; + vb->state = VB2_BUF_STATE_QUEUED; + + /* +@@ -1841,6 +1844,7 @@ static int vb2_internal_streamoff(struct vb2_queue *q, enum v4l2_buf_type type) + * and videobuf, effectively returning control over them to userspace. + */ + __vb2_queue_cancel(q); ++ q->waiting_for_buffers = !V4L2_TYPE_IS_OUTPUT(q->type); + + dprintk(3, "Streamoff successful\n"); + return 0; +@@ -2150,9 +2154,16 @@ unsigned int vb2_poll(struct vb2_queue *q, struct file *file, poll_table *wait) + } + + /* +- * There is nothing to wait for if no buffers have already been queued. ++ * There is nothing to wait for if the queue isn't streaming. + */ +- if (list_empty(&q->queued_list)) ++ if (!vb2_is_streaming(q)) ++ return res | POLLERR; ++ /* ++ * For compatibility with vb1: if QBUF hasn't been called yet, then ++ * return POLLERR as well. This only affects capture queues, output ++ * queues will always initialize waiting_for_buffers to false. 
++ */ ++ if (q->waiting_for_buffers) + return res | POLLERR; + + if (list_empty(&q->done_list)) +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index f15d4353f30f..5d12d69e2045 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -399,6 +399,8 @@ struct smb_version_operations { + const struct cifs_fid *, u32 *); + int (*set_acl)(struct cifs_ntsd *, __u32, struct inode *, const char *, + int); ++ /* check if we need to issue closedir */ ++ bool (*dir_needs_close)(struct cifsFileInfo *); + }; + + struct smb_version_values { +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 8175b18df819..d375322b6cec 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -762,7 +762,7 @@ int cifs_closedir(struct inode *inode, struct file *file) + + cifs_dbg(FYI, "Freeing private data in close dir\n"); + spin_lock(&cifs_file_list_lock); +- if (!cfile->srch_inf.endOfSearch && !cfile->invalidHandle) { ++ if (server->ops->dir_needs_close(cfile)) { + cfile->invalidHandle = true; + spin_unlock(&cifs_file_list_lock); + if (server->ops->close_dir) +diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c +index 2bbf11b09214..b334a89d6a66 100644 +--- a/fs/cifs/readdir.c ++++ b/fs/cifs/readdir.c +@@ -593,7 +593,7 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos, + /* close and restart search */ + cifs_dbg(FYI, "search backing up - close and restart search\n"); + spin_lock(&cifs_file_list_lock); +- if (!cfile->srch_inf.endOfSearch && !cfile->invalidHandle) { ++ if (server->ops->dir_needs_close(cfile)) { + cfile->invalidHandle = true; + spin_unlock(&cifs_file_list_lock); + if (server->ops->close_dir) +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c +index d1fdfa848703..e9ad8d37bb00 100644 +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -586,7 +586,7 @@ cifs_query_path_info(const unsigned int xid, struct cifs_tcon *tcon, + tmprc = CIFS_open(xid, &oparms, &oplock, NULL); + if (tmprc == -EOPNOTSUPP) + *symlink = true; +- else ++ else if (tmprc == 0) + CIFSSMBClose(xid, tcon, fid.netfid); + } + +@@ -1009,6 +1009,12 @@ cifs_is_read_op(__u32 oplock) + return oplock == OPLOCK_READ; + } + ++static bool ++cifs_dir_needs_close(struct cifsFileInfo *cfile) ++{ ++ return !cfile->srch_inf.endOfSearch && !cfile->invalidHandle; ++} ++ + struct smb_version_operations smb1_operations = { + .send_cancel = send_nt_cancel, + .compare_fids = cifs_compare_fids, +@@ -1078,6 +1084,7 @@ struct smb_version_operations smb1_operations = { + .query_mf_symlink = cifs_query_mf_symlink, + .create_mf_symlink = cifs_create_mf_symlink, + .is_read_op = cifs_is_read_op, ++ .dir_needs_close = cifs_dir_needs_close, + #ifdef CONFIG_CIFS_XATTR + .query_all_EAs = CIFSSMBQAllEAs, + .set_EA = CIFSSMBSetEA, +diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c +index e31a9dfdcd39..a491814cb2c0 100644 +--- a/fs/cifs/smb2maperror.c ++++ b/fs/cifs/smb2maperror.c +@@ -214,7 +214,7 @@ static const struct status_to_posix_error smb2_error_map_table[] = { + {STATUS_BREAKPOINT, -EIO, "STATUS_BREAKPOINT"}, + {STATUS_SINGLE_STEP, -EIO, "STATUS_SINGLE_STEP"}, + {STATUS_BUFFER_OVERFLOW, -EIO, "STATUS_BUFFER_OVERFLOW"}, +- {STATUS_NO_MORE_FILES, -EIO, "STATUS_NO_MORE_FILES"}, ++ {STATUS_NO_MORE_FILES, -ENODATA, "STATUS_NO_MORE_FILES"}, + {STATUS_WAKE_SYSTEM_DEBUGGER, -EIO, "STATUS_WAKE_SYSTEM_DEBUGGER"}, + {STATUS_HANDLES_CLOSED, -EIO, "STATUS_HANDLES_CLOSED"}, + {STATUS_NO_INHERITANCE, -EIO, "STATUS_NO_INHERITANCE"}, +@@ -256,6 +256,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = { + 
{STATUS_DLL_MIGHT_BE_INCOMPATIBLE, -EIO, + "STATUS_DLL_MIGHT_BE_INCOMPATIBLE"}, + {STATUS_STOPPED_ON_SYMLINK, -EOPNOTSUPP, "STATUS_STOPPED_ON_SYMLINK"}, ++ {STATUS_IO_REPARSE_TAG_NOT_HANDLED, -EOPNOTSUPP, ++ "STATUS_REPARSE_NOT_HANDLED"}, + {STATUS_DEVICE_REQUIRES_CLEANING, -EIO, + "STATUS_DEVICE_REQUIRES_CLEANING"}, + {STATUS_DEVICE_DOOR_OPEN, -EIO, "STATUS_DEVICE_DOOR_OPEN"}, +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index f8977b2d9187..34a17d425be6 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1102,6 +1102,12 @@ smb3_parse_lease_buf(void *buf, unsigned int *epoch) + return le32_to_cpu(lc->lcontext.LeaseState); + } + ++static bool ++smb2_dir_needs_close(struct cifsFileInfo *cfile) ++{ ++ return !cfile->invalidHandle; ++} ++ + struct smb_version_operations smb20_operations = { + .compare_fids = smb2_compare_fids, + .setup_request = smb2_setup_request, +@@ -1175,6 +1181,7 @@ struct smb_version_operations smb20_operations = { + .create_lease_buf = smb2_create_lease_buf, + .parse_lease_buf = smb2_parse_lease_buf, + .clone_range = smb2_clone_range, ++ .dir_needs_close = smb2_dir_needs_close, + }; + + struct smb_version_operations smb21_operations = { +@@ -1250,6 +1257,7 @@ struct smb_version_operations smb21_operations = { + .create_lease_buf = smb2_create_lease_buf, + .parse_lease_buf = smb2_parse_lease_buf, + .clone_range = smb2_clone_range, ++ .dir_needs_close = smb2_dir_needs_close, + }; + + struct smb_version_operations smb30_operations = { +@@ -1328,6 +1336,7 @@ struct smb_version_operations smb30_operations = { + .parse_lease_buf = smb3_parse_lease_buf, + .clone_range = smb2_clone_range, + .validate_negotiate = smb3_validate_negotiate, ++ .dir_needs_close = smb2_dir_needs_close, + }; + + struct smb_version_values smb20_values = { +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 9aab8fe0e508..348792911e1f 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -2136,6 +2136,10 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon, + rsp = (struct smb2_query_directory_rsp *)iov[0].iov_base; + + if (rc) { ++ if (rc == -ENODATA && rsp->hdr.Status == STATUS_NO_MORE_FILES) { ++ srch_inf->endOfSearch = true; ++ rc = 0; ++ } + cifs_stats_fail_inc(tcon, SMB2_QUERY_DIRECTORY_HE); + goto qdir_exit; + } +@@ -2173,11 +2177,6 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon, + else + cifs_dbg(VFS, "illegal search buffer type\n"); + +- if (rsp->hdr.Status == STATUS_NO_MORE_FILES) +- srch_inf->endOfSearch = 1; +- else +- srch_inf->endOfSearch = 0; +- + return rc; + + qdir_exit: +diff --git a/fs/exec.c b/fs/exec.c +index 31e46b1b358b..ea4449d0536a 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -820,7 +821,7 @@ EXPORT_SYMBOL(read_code); + static int exec_mmap(struct mm_struct *mm) + { + struct task_struct *tsk; +- struct mm_struct * old_mm, *active_mm; ++ struct mm_struct *old_mm, *active_mm; + + /* Notify parent that we're no longer interested in the old VM */ + tsk = current; +@@ -846,6 +847,8 @@ static int exec_mmap(struct mm_struct *mm) + tsk->mm = mm; + tsk->active_mm = mm; + activate_mm(active_mm, mm); ++ tsk->mm->vmacache_seqnum = 0; ++ vmacache_flush(tsk); + task_unlock(tsk); + if (old_mm) { + up_read(&old_mm->mmap_sem); +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index d19b30ababf1..a4a8ed56e438 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -1017,6 +1017,11 @@ static int __init 
init_hugetlbfs_fs(void) + int error; + int i; + ++ if (!hugepages_supported()) { ++ pr_info("hugetlbfs: disabling because there are no supported hugepage sizes\n"); ++ return -ENOTSUPP; ++ } ++ + error = bdi_init(&hugetlbfs_backing_dev_info); + if (error) + return error; +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index 8f788193e3d4..c4b2646b6d7c 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -1,4 +1,5 @@ + #include ++#include + #include + #include + #include +@@ -152,7 +153,7 @@ static void *m_start(struct seq_file *m, loff_t *pos) + + /* + * We remember last_addr rather than next_addr to hit with +- * mmap_cache most of the time. We have zero last_addr at ++ * vmacache most of the time. We have zero last_addr at + * the beginning and also after lseek. We will have -1 last_addr + * after the end of the vmas. + */ +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 982ce05c87ed..287cd5f23421 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1271,13 +1271,22 @@ update_time: + return 0; + } + ++/* ++ * Maximum length of linked list formed by ICB hierarchy. The chosen number is ++ * arbitrary - just that we hopefully don't limit any real use of rewritten ++ * inode on write-once media but avoid looping for too long on corrupted media. ++ */ ++#define UDF_MAX_ICB_NESTING 1024 ++ + static void __udf_read_inode(struct inode *inode) + { + struct buffer_head *bh = NULL; + struct fileEntry *fe; + uint16_t ident; + struct udf_inode_info *iinfo = UDF_I(inode); ++ unsigned int indirections = 0; + ++reread: + /* + * Set defaults, but the inode is still incomplete! + * Note: get_new_inode() sets the following on a new inode: +@@ -1314,28 +1323,26 @@ static void __udf_read_inode(struct inode *inode) + ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1, + &ident); + if (ident == TAG_IDENT_IE && ibh) { +- struct buffer_head *nbh = NULL; + struct kernel_lb_addr loc; + struct indirectEntry *ie; + + ie = (struct indirectEntry *)ibh->b_data; + loc = lelb_to_cpu(ie->indirectICB.extLocation); + +- if (ie->indirectICB.extLength && +- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0, +- &ident))) { +- if (ident == TAG_IDENT_FE || +- ident == TAG_IDENT_EFE) { +- memcpy(&iinfo->i_location, +- &loc, +- sizeof(struct kernel_lb_addr)); +- brelse(bh); +- brelse(ibh); +- brelse(nbh); +- __udf_read_inode(inode); ++ if (ie->indirectICB.extLength) { ++ brelse(bh); ++ brelse(ibh); ++ memcpy(&iinfo->i_location, &loc, ++ sizeof(struct kernel_lb_addr)); ++ if (++indirections > UDF_MAX_ICB_NESTING) { ++ udf_err(inode->i_sb, ++ "too many ICBs in ICB hierarchy" ++ " (max %d supported)\n", ++ UDF_MAX_ICB_NESTING); ++ make_bad_inode(inode); + return; + } +- brelse(nbh); ++ goto reread; + } + } + brelse(ibh); +diff --git a/include/linux/cpuset.h b/include/linux/cpuset.h +index 3fe661fe96d1..b19d3dc2e651 100644 +--- a/include/linux/cpuset.h ++++ b/include/linux/cpuset.h +@@ -87,25 +87,26 @@ extern void rebuild_sched_domains(void); + extern void cpuset_print_task_mems_allowed(struct task_struct *p); + + /* +- * get_mems_allowed is required when making decisions involving mems_allowed +- * such as during page allocation. mems_allowed can be updated in parallel +- * and depending on the new value an operation can fail potentially causing +- * process failure. A retry loop with get_mems_allowed and put_mems_allowed +- * prevents these artificial failures. ++ * read_mems_allowed_begin is required when making decisions involving ++ * mems_allowed such as during page allocation. 
mems_allowed can be updated in ++ * parallel and depending on the new value an operation can fail potentially ++ * causing process failure. A retry loop with read_mems_allowed_begin and ++ * read_mems_allowed_retry prevents these artificial failures. + */ +-static inline unsigned int get_mems_allowed(void) ++static inline unsigned int read_mems_allowed_begin(void) + { + return read_seqcount_begin(¤t->mems_allowed_seq); + } + + /* +- * If this returns false, the operation that took place after get_mems_allowed +- * may have failed. It is up to the caller to retry the operation if ++ * If this returns true, the operation that took place after ++ * read_mems_allowed_begin may have failed artificially due to a concurrent ++ * update of mems_allowed. It is up to the caller to retry the operation if + * appropriate. + */ +-static inline bool put_mems_allowed(unsigned int seq) ++static inline bool read_mems_allowed_retry(unsigned int seq) + { +- return !read_seqcount_retry(¤t->mems_allowed_seq, seq); ++ return read_seqcount_retry(¤t->mems_allowed_seq, seq); + } + + static inline void set_mems_allowed(nodemask_t nodemask) +@@ -225,14 +226,14 @@ static inline void set_mems_allowed(nodemask_t nodemask) + { + } + +-static inline unsigned int get_mems_allowed(void) ++static inline unsigned int read_mems_allowed_begin(void) + { + return 0; + } + +-static inline bool put_mems_allowed(unsigned int seq) ++static inline bool read_mems_allowed_retry(unsigned int seq) + { +- return true; ++ return false; + } + + #endif /* !CONFIG_CPUSETS */ +diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h +index bd1e9bcec547..42b05c4c53e5 100644 +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -400,6 +400,16 @@ static inline spinlock_t *huge_pte_lockptr(struct hstate *h, + return &mm->page_table_lock; + } + ++static inline bool hugepages_supported(void) ++{ ++ /* ++ * Some platform decide whether they support huge pages at boot ++ * time. On these, such as powerpc, HPAGE_SHIFT is set to 0 when ++ * there is no such support ++ */ ++ return HPAGE_SHIFT != 0; ++} ++ + #else /* CONFIG_HUGETLB_PAGE */ + struct hstate {}; + #define alloc_huge_page_node(h, nid) NULL +diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h +index 1f44466c1e9d..c367cbdf73ab 100644 +--- a/include/linux/jiffies.h ++++ b/include/linux/jiffies.h +@@ -258,23 +258,11 @@ extern unsigned long preset_lpj; + #define SEC_JIFFIE_SC (32 - SHIFT_HZ) + #endif + #define NSEC_JIFFIE_SC (SEC_JIFFIE_SC + 29) +-#define USEC_JIFFIE_SC (SEC_JIFFIE_SC + 19) + #define SEC_CONVERSION ((unsigned long)((((u64)NSEC_PER_SEC << SEC_JIFFIE_SC) +\ + TICK_NSEC -1) / (u64)TICK_NSEC)) + + #define NSEC_CONVERSION ((unsigned long)((((u64)1 << NSEC_JIFFIE_SC) +\ + TICK_NSEC -1) / (u64)TICK_NSEC)) +-#define USEC_CONVERSION \ +- ((unsigned long)((((u64)NSEC_PER_USEC << USEC_JIFFIE_SC) +\ +- TICK_NSEC -1) / (u64)TICK_NSEC)) +-/* +- * USEC_ROUND is used in the timeval to jiffie conversion. See there +- * for more details. It is the scaled resolution rounding value. Note +- * that it is a 64-bit value. Since, when it is applied, we are already +- * in jiffies (albit scaled), it is nothing but the bits we will shift +- * off. +- */ +-#define USEC_ROUND (u64)(((u64)1 << USEC_JIFFIE_SC) - 1) + /* + * The maximum jiffie value is (MAX_INT >> 1). Here we translate that + * into seconds. 
The 64-bit case will overflow if we are not careful, +diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h +index 290901a8c1de..2b58d192ea24 100644 +--- a/include/linux/mm_types.h ++++ b/include/linux/mm_types.h +@@ -342,9 +342,9 @@ struct mm_rss_stat { + + struct kioctx_table; + struct mm_struct { +- struct vm_area_struct * mmap; /* list of VMAs */ ++ struct vm_area_struct *mmap; /* list of VMAs */ + struct rb_root mm_rb; +- struct vm_area_struct * mmap_cache; /* last find_vma result */ ++ u32 vmacache_seqnum; /* per-thread vmacache */ + #ifdef CONFIG_MMU + unsigned long (*get_unmapped_area) (struct file *filp, + unsigned long addr, unsigned long len, +diff --git a/include/linux/plist.h b/include/linux/plist.h +index aa0fb390bd29..8b6c970cff6c 100644 +--- a/include/linux/plist.h ++++ b/include/linux/plist.h +@@ -98,6 +98,13 @@ struct plist_node { + } + + /** ++ * PLIST_HEAD - declare and init plist_head ++ * @head: name for struct plist_head variable ++ */ ++#define PLIST_HEAD(head) \ ++ struct plist_head head = PLIST_HEAD_INIT(head) ++ ++/** + * PLIST_NODE_INIT - static struct plist_node initializer + * @node: struct plist_node variable name + * @__prio: initial node priority +@@ -134,6 +141,8 @@ static inline void plist_node_init(struct plist_node *node, int prio) + extern void plist_add(struct plist_node *node, struct plist_head *head); + extern void plist_del(struct plist_node *node, struct plist_head *head); + ++extern void plist_requeue(struct plist_node *node, struct plist_head *head); ++ + /** + * plist_for_each - iterate over the plist + * @pos: the type * to use as a loop counter +@@ -143,6 +152,16 @@ extern void plist_del(struct plist_node *node, struct plist_head *head); + list_for_each_entry(pos, &(head)->node_list, node_list) + + /** ++ * plist_for_each_continue - continue iteration over the plist ++ * @pos: the type * to use as a loop cursor ++ * @head: the head for your list ++ * ++ * Continue to iterate over plist, continuing after the current position. ++ */ ++#define plist_for_each_continue(pos, head) \ ++ list_for_each_entry_continue(pos, &(head)->node_list, node_list) ++ ++/** + * plist_for_each_safe - iterate safely over a plist of given type + * @pos: the type * to use as a loop counter + * @n: another type * to use as temporary storage +@@ -163,6 +182,18 @@ extern void plist_del(struct plist_node *node, struct plist_head *head); + list_for_each_entry(pos, &(head)->node_list, mem.node_list) + + /** ++ * plist_for_each_entry_continue - continue iteration over list of given type ++ * @pos: the type * to use as a loop cursor ++ * @head: the head for your list ++ * @m: the name of the list_struct within the struct ++ * ++ * Continue to iterate over list of given type, continuing after ++ * the current position. 
++ */ ++#define plist_for_each_entry_continue(pos, head, m) \ ++ list_for_each_entry_continue(pos, &(head)->node_list, m.node_list) ++ ++/** + * plist_for_each_entry_safe - iterate safely over list of given type + * @pos: the type * to use as a loop counter + * @n: another type * to use as temporary storage +@@ -229,6 +260,20 @@ static inline int plist_node_empty(const struct plist_node *node) + #endif + + /** ++ * plist_next - get the next entry in list ++ * @pos: the type * to cursor ++ */ ++#define plist_next(pos) \ ++ list_next_entry(pos, node_list) ++ ++/** ++ * plist_prev - get the prev entry in list ++ * @pos: the type * to cursor ++ */ ++#define plist_prev(pos) \ ++ list_prev_entry(pos, node_list) ++ ++/** + * plist_first - return the first node (and thus, highest priority) + * @head: the &struct plist_head pointer + * +diff --git a/include/linux/sched.h b/include/linux/sched.h +index ccd0c6f24f2c..d7ca410ace93 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -59,6 +59,10 @@ struct sched_param { + + #define SCHED_ATTR_SIZE_VER0 48 /* sizeof first published struct */ + ++#define VMACACHE_BITS 2 ++#define VMACACHE_SIZE (1U << VMACACHE_BITS) ++#define VMACACHE_MASK (VMACACHE_SIZE - 1) ++ + /* + * Extended scheduling parameters data structure. + * +@@ -1228,6 +1232,9 @@ struct task_struct { + #ifdef CONFIG_COMPAT_BRK + unsigned brk_randomized:1; + #endif ++ /* per-thread vma caching */ ++ u32 vmacache_seqnum; ++ struct vm_area_struct *vmacache[VMACACHE_SIZE]; + #if defined(SPLIT_RSS_COUNTING) + struct task_rss_stat rss_stat; + #endif +diff --git a/include/linux/swap.h b/include/linux/swap.h +index 46ba0c6c219f..789324976801 100644 +--- a/include/linux/swap.h ++++ b/include/linux/swap.h +@@ -214,8 +214,9 @@ struct percpu_cluster { + struct swap_info_struct { + unsigned long flags; /* SWP_USED etc: see above */ + signed short prio; /* swap priority of this type */ ++ struct plist_node list; /* entry in swap_active_head */ ++ struct plist_node avail_list; /* entry in swap_avail_head */ + signed char type; /* strange name for an index */ +- signed char next; /* next type on the swap list */ + unsigned int max; /* extent of the swap_map */ + unsigned char *swap_map; /* vmalloc'ed array of usage counts */ + struct swap_cluster_info *cluster_info; /* cluster info. Only for SSD */ +@@ -255,11 +256,6 @@ struct swap_info_struct { + struct swap_cluster_info discard_cluster_tail; /* list tail of discard clusters */ + }; + +-struct swap_list_t { +- int head; /* head of priority-ordered swapfile list */ +- int next; /* swapfile to be used next */ +-}; +- + /* linux/mm/page_alloc.c */ + extern unsigned long totalram_pages; + extern unsigned long totalreserve_pages; +diff --git a/include/linux/swapfile.h b/include/linux/swapfile.h +index e282624e8c10..388293a91e8c 100644 +--- a/include/linux/swapfile.h ++++ b/include/linux/swapfile.h +@@ -6,7 +6,7 @@ + * want to expose them to the dozens of source files that include swap.h + */ + extern spinlock_t swap_lock; +-extern struct swap_list_t swap_list; ++extern struct plist_head swap_active_head; + extern struct swap_info_struct *swap_info[]; + extern int try_to_unuse(unsigned int, bool, unsigned long); + +diff --git a/include/linux/vmacache.h b/include/linux/vmacache.h +new file mode 100644 +index 000000000000..c3fa0fd43949 +--- /dev/null ++++ b/include/linux/vmacache.h +@@ -0,0 +1,38 @@ ++#ifndef __LINUX_VMACACHE_H ++#define __LINUX_VMACACHE_H ++ ++#include ++#include ++ ++/* ++ * Hash based on the page number. 
Provides a good hit rate for ++ * workloads with good locality and those with random accesses as well. ++ */ ++#define VMACACHE_HASH(addr) ((addr >> PAGE_SHIFT) & VMACACHE_MASK) ++ ++static inline void vmacache_flush(struct task_struct *tsk) ++{ ++ memset(tsk->vmacache, 0, sizeof(tsk->vmacache)); ++} ++ ++extern void vmacache_flush_all(struct mm_struct *mm); ++extern void vmacache_update(unsigned long addr, struct vm_area_struct *newvma); ++extern struct vm_area_struct *vmacache_find(struct mm_struct *mm, ++ unsigned long addr); ++ ++#ifndef CONFIG_MMU ++extern struct vm_area_struct *vmacache_find_exact(struct mm_struct *mm, ++ unsigned long start, ++ unsigned long end); ++#endif ++ ++static inline void vmacache_invalidate(struct mm_struct *mm) ++{ ++ mm->vmacache_seqnum++; ++ ++ /* deal with overflows */ ++ if (unlikely(mm->vmacache_seqnum == 0)) ++ vmacache_flush_all(mm); ++} ++ ++#endif /* __LINUX_VMACACHE_H */ +diff --git a/include/media/videobuf2-core.h b/include/media/videobuf2-core.h +index bef53ce555d2..b10682cb138c 100644 +--- a/include/media/videobuf2-core.h ++++ b/include/media/videobuf2-core.h +@@ -329,6 +329,9 @@ struct v4l2_fh; + * @retry_start_streaming: start_streaming() was called, but there were not enough + * buffers queued. If set, then retry calling start_streaming when + * queuing a new buffer. ++ * @waiting_for_buffers: used in poll() to check if vb2 is still waiting for ++ * buffers. Only set for capture queues if qbuf has not yet been ++ * called since poll() needs to return POLLERR in that situation. + * @fileio: file io emulator internal data, used only if emulator is active + */ + struct vb2_queue { +@@ -362,6 +365,7 @@ struct vb2_queue { + + unsigned int streaming:1; + unsigned int retry_start_streaming:1; ++ unsigned int waiting_for_buffers:1; + + struct vb2_fileio_data *fileio; + }; +diff --git a/init/Kconfig b/init/Kconfig +index 93c5ef0c5210..8b9521a2d2c1 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1389,6 +1389,7 @@ config FUTEX + + config HAVE_FUTEX_CMPXCHG + bool ++ depends on FUTEX + help + Architectures should select this if futex_atomic_cmpxchg_inatomic() + is implemented and always working. This removes a couple of runtime +diff --git a/kernel/cpuset.c b/kernel/cpuset.c +index 6b27e5c0cd86..15b3ea693225 100644 +--- a/kernel/cpuset.c ++++ b/kernel/cpuset.c +@@ -1022,7 +1022,7 @@ static void cpuset_change_task_nodemask(struct task_struct *tsk, + task_lock(tsk); + /* + * Determine if a loop is necessary if another thread is doing +- * get_mems_allowed(). If at least one node remains unchanged and ++ * read_mems_allowed_begin(). If at least one node remains unchanged and + * tsk does not have a mempolicy, then an empty nodemask will not be + * possible when mems_allowed is larger than a word. 
+ */ +diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c +index 334b3980ffc1..8865caec45fb 100644 +--- a/kernel/debug/debug_core.c ++++ b/kernel/debug/debug_core.c +@@ -49,6 +49,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -224,10 +225,17 @@ static void kgdb_flush_swbreak_addr(unsigned long addr) + if (!CACHE_FLUSH_IS_SAFE) + return; + +- if (current->mm && current->mm->mmap_cache) { +- flush_cache_range(current->mm->mmap_cache, +- addr, addr + BREAK_INSTR_SIZE); ++ if (current->mm) { ++ int i; ++ ++ for (i = 0; i < VMACACHE_SIZE; i++) { ++ if (!current->vmacache[i]) ++ continue; ++ flush_cache_range(current->vmacache[i], ++ addr, addr + BREAK_INSTR_SIZE); ++ } + } ++ + /* Force flush instruction cache if it was outside the mm */ + flush_icache_range(addr, addr + BREAK_INSTR_SIZE); + } +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 3a140ca37777..4ced342f1ba9 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -7836,8 +7836,10 @@ int perf_event_init_task(struct task_struct *child) + + for_each_task_context_nr(ctxn) { + ret = perf_event_init_context(child, ctxn); +- if (ret) ++ if (ret) { ++ perf_event_free_task(child); + return ret; ++ } + } + + return 0; +diff --git a/kernel/fork.c b/kernel/fork.c +index c44bff8097f5..e2c685396295 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -28,6 +28,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -363,7 +365,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) + + mm->locked_vm = 0; + mm->mmap = NULL; +- mm->mmap_cache = NULL; ++ mm->vmacache_seqnum = 0; + mm->map_count = 0; + cpumask_clear(mm_cpumask(mm)); + mm->mm_rb = RB_ROOT; +@@ -876,6 +878,9 @@ static int copy_mm(unsigned long clone_flags, struct task_struct *tsk) + if (!oldmm) + return 0; + ++ /* initialize the new vmacache entries */ ++ vmacache_flush(tsk); ++ + if (clone_flags & CLONE_VM) { + atomic_inc(&oldmm->mm_users); + mm = oldmm; +@@ -1323,7 +1328,7 @@ static struct task_struct *copy_process(unsigned long clone_flags, + goto bad_fork_cleanup_policy; + retval = audit_alloc(p); + if (retval) +- goto bad_fork_cleanup_policy; ++ goto bad_fork_cleanup_perf; + /* copy all the process information */ + retval = copy_semundo(clone_flags, p); + if (retval) +@@ -1522,8 +1527,9 @@ bad_fork_cleanup_semundo: + exit_sem(p); + bad_fork_cleanup_audit: + audit_free(p); +-bad_fork_cleanup_policy: ++bad_fork_cleanup_perf: + perf_event_free_task(p); ++bad_fork_cleanup_policy: + #ifdef CONFIG_NUMA + mpol_put(p->mempolicy); + bad_fork_cleanup_cgroup: +diff --git a/kernel/time.c b/kernel/time.c +index 7c7964c33ae7..3c49ab45f822 100644 +--- a/kernel/time.c ++++ b/kernel/time.c +@@ -496,17 +496,20 @@ EXPORT_SYMBOL(usecs_to_jiffies); + * that a remainder subtract here would not do the right thing as the + * resolution values don't fall on second boundries. I.e. the line: + * nsec -= nsec % TICK_NSEC; is NOT a correct resolution rounding. ++ * Note that due to the small error in the multiplier here, this ++ * rounding is incorrect for sufficiently large values of tv_nsec, but ++ * well formed timespecs should have tv_nsec < NSEC_PER_SEC, so we're ++ * OK. + * + * Rather, we just shift the bits off the right. + * + * The >> (NSEC_JIFFIE_SC - SEC_JIFFIE_SC) converts the scaled nsec + * value to a scaled second value. 
+ */ +-unsigned long +-timespec_to_jiffies(const struct timespec *value) ++static unsigned long ++__timespec_to_jiffies(unsigned long sec, long nsec) + { +- unsigned long sec = value->tv_sec; +- long nsec = value->tv_nsec + TICK_NSEC - 1; ++ nsec = nsec + TICK_NSEC - 1; + + if (sec >= MAX_SEC_IN_JIFFIES){ + sec = MAX_SEC_IN_JIFFIES; +@@ -517,6 +520,13 @@ timespec_to_jiffies(const struct timespec *value) + (NSEC_JIFFIE_SC - SEC_JIFFIE_SC))) >> SEC_JIFFIE_SC; + + } ++ ++unsigned long ++timespec_to_jiffies(const struct timespec *value) ++{ ++ return __timespec_to_jiffies(value->tv_sec, value->tv_nsec); ++} ++ + EXPORT_SYMBOL(timespec_to_jiffies); + + void +@@ -533,31 +543,27 @@ jiffies_to_timespec(const unsigned long jiffies, struct timespec *value) + } + EXPORT_SYMBOL(jiffies_to_timespec); + +-/* Same for "timeval" ++/* ++ * We could use a similar algorithm to timespec_to_jiffies (with a ++ * different multiplier for usec instead of nsec). But this has a ++ * problem with rounding: we can't exactly add TICK_NSEC - 1 to the ++ * usec value, since it's not necessarily integral. + * +- * Well, almost. The problem here is that the real system resolution is +- * in nanoseconds and the value being converted is in micro seconds. +- * Also for some machines (those that use HZ = 1024, in-particular), +- * there is a LARGE error in the tick size in microseconds. +- +- * The solution we use is to do the rounding AFTER we convert the +- * microsecond part. Thus the USEC_ROUND, the bits to be shifted off. +- * Instruction wise, this should cost only an additional add with carry +- * instruction above the way it was done above. ++ * We could instead round in the intermediate scaled representation ++ * (i.e. in units of 1/2^(large scale) jiffies) but that's also ++ * perilous: the scaling introduces a small positive error, which ++ * combined with a division-rounding-upward (i.e. adding 2^(scale) - 1 ++ * units to the intermediate before shifting) leads to accidental ++ * overflow and overestimates. ++ * ++ * At the cost of one additional multiplication by a constant, just ++ * use the timespec implementation. + */ + unsigned long + timeval_to_jiffies(const struct timeval *value) + { +- unsigned long sec = value->tv_sec; +- long usec = value->tv_usec; +- +- if (sec >= MAX_SEC_IN_JIFFIES){ +- sec = MAX_SEC_IN_JIFFIES; +- usec = 0; +- } +- return (((u64)sec * SEC_CONVERSION) + +- (((u64)usec * USEC_CONVERSION + USEC_ROUND) >> +- (USEC_JIFFIE_SC - SEC_JIFFIE_SC))) >> SEC_JIFFIE_SC; ++ return __timespec_to_jiffies(value->tv_sec, ++ value->tv_usec * NSEC_PER_USEC); + } + EXPORT_SYMBOL(timeval_to_jiffies); + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 773aba836e81..774a0807fe81 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -3372,7 +3372,7 @@ static void rb_iter_reset(struct ring_buffer_iter *iter) + iter->head = cpu_buffer->reader_page->read; + + iter->cache_reader_page = iter->head_page; +- iter->cache_read = iter->head; ++ iter->cache_read = cpu_buffer->read; + + if (iter->head) + iter->read_stamp = cpu_buffer->read_stamp; +diff --git a/lib/plist.c b/lib/plist.c +index 1ebc95f7a46f..0f2084d30798 100644 +--- a/lib/plist.c ++++ b/lib/plist.c +@@ -134,6 +134,46 @@ void plist_del(struct plist_node *node, struct plist_head *head) + plist_check_head(head); + } + ++/** ++ * plist_requeue - Requeue @node at end of same-prio entries. ++ * ++ * This is essentially an optimized plist_del() followed by ++ * plist_add(). 
It moves an entry already in the plist to ++ * after any other same-priority entries. ++ * ++ * @node: &struct plist_node pointer - entry to be moved ++ * @head: &struct plist_head pointer - list head ++ */ ++void plist_requeue(struct plist_node *node, struct plist_head *head) ++{ ++ struct plist_node *iter; ++ struct list_head *node_next = &head->node_list; ++ ++ plist_check_head(head); ++ BUG_ON(plist_head_empty(head)); ++ BUG_ON(plist_node_empty(node)); ++ ++ if (node == plist_last(head)) ++ return; ++ ++ iter = plist_next(node); ++ ++ if (node->prio != iter->prio) ++ return; ++ ++ plist_del(node, head); ++ ++ plist_for_each_continue(iter, head) { ++ if (node->prio != iter->prio) { ++ node_next = &iter->node_list; ++ break; ++ } ++ } ++ list_add_tail(&node->node_list, node_next); ++ ++ plist_check_head(head); ++} ++ + #ifdef CONFIG_DEBUG_PI_LIST + #include + #include +@@ -170,6 +210,14 @@ static void __init plist_test_check(int nr_expect) + BUG_ON(prio_pos->prio_list.next != &first->prio_list); + } + ++static void __init plist_test_requeue(struct plist_node *node) ++{ ++ plist_requeue(node, &test_head); ++ ++ if (node != plist_last(&test_head)) ++ BUG_ON(node->prio == plist_next(node)->prio); ++} ++ + static int __init plist_test(void) + { + int nr_expect = 0, i, loop; +@@ -193,6 +241,10 @@ static int __init plist_test(void) + nr_expect--; + } + plist_test_check(nr_expect); ++ if (!plist_node_empty(test_node + i)) { ++ plist_test_requeue(test_node + i); ++ plist_test_check(nr_expect); ++ } + } + + for (i = 0; i < ARRAY_SIZE(test_node); i++) { +diff --git a/mm/Makefile b/mm/Makefile +index 310c90a09264..c561f1f6bca0 100644 +--- a/mm/Makefile ++++ b/mm/Makefile +@@ -16,7 +16,7 @@ obj-y := filemap.o mempool.o oom_kill.o fadvise.o \ + readahead.o swap.o truncate.o vmscan.o shmem.o \ + util.o mmzone.o vmstat.o backing-dev.o \ + mm_init.o mmu_context.o percpu.o slab_common.o \ +- compaction.o balloon_compaction.o \ ++ compaction.o balloon_compaction.o vmacache.o \ + interval_tree.o list_lru.o $(mmu-y) + + obj-y += init-mm.o +diff --git a/mm/compaction.c b/mm/compaction.c +index 5f702ef0a65f..5e38e5706f62 100644 +--- a/mm/compaction.c ++++ b/mm/compaction.c +@@ -217,21 +217,12 @@ static inline bool compact_trylock_irqsave(spinlock_t *lock, + /* Returns true if the page is within a block suitable for migration to */ + static bool suitable_migration_target(struct page *page) + { +- int migratetype = get_pageblock_migratetype(page); +- +- /* Don't interfere with memory hot-remove or the min_free_kbytes blocks */ +- if (migratetype == MIGRATE_RESERVE) +- return false; +- +- if (is_migrate_isolate(migratetype)) +- return false; +- +- /* If the page is a large free page, then allow migration */ ++ /* If the page is a large free page, then disallow migration */ + if (PageBuddy(page) && page_order(page) >= pageblock_order) +- return true; ++ return false; + + /* If the block is MIGRATE_MOVABLE or MIGRATE_CMA, allow migration */ +- if (migrate_async_suitable(migratetype)) ++ if (migrate_async_suitable(get_pageblock_migratetype(page))) + return true; + + /* Otherwise skip the block */ +@@ -253,6 +244,7 @@ static unsigned long isolate_freepages_block(struct compact_control *cc, + struct page *cursor, *valid_page = NULL; + unsigned long flags; + bool locked = false; ++ bool checked_pageblock = false; + + cursor = pfn_to_page(blockpfn); + +@@ -284,8 +276,16 @@ static unsigned long isolate_freepages_block(struct compact_control *cc, + break; + + /* Recheck this is a suitable migration target under lock */ 
+- if (!strict && !suitable_migration_target(page)) +- break; ++ if (!strict && !checked_pageblock) { ++ /* ++ * We need to check suitability of pageblock only once ++ * and this isolate_freepages_block() is called with ++ * pageblock range, so just check once is sufficient. ++ */ ++ checked_pageblock = true; ++ if (!suitable_migration_target(page)) ++ break; ++ } + + /* Recheck this is a buddy page under lock */ + if (!PageBuddy(page)) +@@ -460,12 +460,13 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc, + unsigned long last_pageblock_nr = 0, pageblock_nr; + unsigned long nr_scanned = 0, nr_isolated = 0; + struct list_head *migratelist = &cc->migratepages; +- isolate_mode_t mode = 0; + struct lruvec *lruvec; + unsigned long flags; + bool locked = false; + struct page *page = NULL, *valid_page = NULL; + bool skipped_async_unsuitable = false; ++ const isolate_mode_t mode = (!cc->sync ? ISOLATE_ASYNC_MIGRATE : 0) | ++ (unevictable ? ISOLATE_UNEVICTABLE : 0); + + /* + * Ensure that there are not too many pages isolated from the LRU +@@ -487,7 +488,7 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc, + cond_resched(); + for (; low_pfn < end_pfn; low_pfn++) { + /* give a chance to irqs before checking need_resched() */ +- if (locked && !((low_pfn+1) % SWAP_CLUSTER_MAX)) { ++ if (locked && !(low_pfn % SWAP_CLUSTER_MAX)) { + if (should_release_lock(&zone->lru_lock)) { + spin_unlock_irqrestore(&zone->lru_lock, flags); + locked = false; +@@ -526,8 +527,25 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc, + + /* If isolation recently failed, do not retry */ + pageblock_nr = low_pfn >> pageblock_order; +- if (!isolation_suitable(cc, page)) +- goto next_pageblock; ++ if (last_pageblock_nr != pageblock_nr) { ++ int mt; ++ ++ last_pageblock_nr = pageblock_nr; ++ if (!isolation_suitable(cc, page)) ++ goto next_pageblock; ++ ++ /* ++ * For async migration, also only scan in MOVABLE ++ * blocks. Async migration is optimistic to see if ++ * the minimum amount of work satisfies the allocation ++ */ ++ mt = get_pageblock_migratetype(page); ++ if (!cc->sync && !migrate_async_suitable(mt)) { ++ cc->finished_update_migrate = true; ++ skipped_async_unsuitable = true; ++ goto next_pageblock; ++ } ++ } + + /* + * Skip if free. page_order cannot be used without zone->lock +@@ -537,18 +555,6 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc, + continue; + + /* +- * For async migration, also only scan in MOVABLE blocks. Async +- * migration is optimistic to see if the minimum amount of work +- * satisfies the allocation +- */ +- if (!cc->sync && last_pageblock_nr != pageblock_nr && +- !migrate_async_suitable(get_pageblock_migratetype(page))) { +- cc->finished_update_migrate = true; +- skipped_async_unsuitable = true; +- goto next_pageblock; +- } +- +- /* + * Check may be lockless but that's ok as we recheck later. 
+ * It's possible to migrate LRU pages and balloon pages + * Skip any other type of page +@@ -557,11 +563,7 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc, + if (unlikely(balloon_page_movable(page))) { + if (locked && balloon_page_isolate(page)) { + /* Successfully isolated */ +- cc->finished_update_migrate = true; +- list_add(&page->lru, migratelist); +- cc->nr_migratepages++; +- nr_isolated++; +- goto check_compact_cluster; ++ goto isolate_success; + } + } + continue; +@@ -584,6 +586,15 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc, + continue; + } + ++ /* ++ * Migration will fail if an anonymous page is pinned in memory, ++ * so avoid taking lru_lock and isolating it unnecessarily in an ++ * admittedly racy check. ++ */ ++ if (!page_mapping(page) && ++ page_count(page) > page_mapcount(page)) ++ continue; ++ + /* Check if it is ok to still hold the lock */ + locked = compact_checklock_irqsave(&zone->lru_lock, &flags, + locked, cc); +@@ -598,12 +609,6 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc, + continue; + } + +- if (!cc->sync) +- mode |= ISOLATE_ASYNC_MIGRATE; +- +- if (unevictable) +- mode |= ISOLATE_UNEVICTABLE; +- + lruvec = mem_cgroup_page_lruvec(page, zone); + + /* Try isolate the page */ +@@ -613,13 +618,14 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc, + VM_BUG_ON_PAGE(PageTransCompound(page), page); + + /* Successfully isolated */ +- cc->finished_update_migrate = true; + del_page_from_lru_list(page, lruvec, page_lru(page)); ++ ++isolate_success: ++ cc->finished_update_migrate = true; + list_add(&page->lru, migratelist); + cc->nr_migratepages++; + nr_isolated++; + +-check_compact_cluster: + /* Avoid isolating too much */ + if (cc->nr_migratepages == COMPACT_CLUSTER_MAX) { + ++low_pfn; +@@ -630,7 +636,6 @@ check_compact_cluster: + + next_pageblock: + low_pfn = ALIGN(low_pfn + 1, pageblock_nr_pages) - 1; +- last_pageblock_nr = pageblock_nr; + } + + acct_isolated(zone, locked, cc); +@@ -1188,6 +1193,7 @@ static void compact_node(int nid) + struct compact_control cc = { + .order = -1, + .sync = true, ++ .ignore_skip_hint = true, + }; + + __compact_pgdat(NODE_DATA(nid), &cc); +diff --git a/mm/filemap.c b/mm/filemap.c +index 7a13f6ac5421..c2cc7c95eff1 100644 +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -192,9 +192,11 @@ static int filemap_check_errors(struct address_space *mapping) + { + int ret = 0; + /* Check for outstanding write errors */ +- if (test_and_clear_bit(AS_ENOSPC, &mapping->flags)) ++ if (test_bit(AS_ENOSPC, &mapping->flags) && ++ test_and_clear_bit(AS_ENOSPC, &mapping->flags)) + ret = -ENOSPC; +- if (test_and_clear_bit(AS_EIO, &mapping->flags)) ++ if (test_bit(AS_EIO, &mapping->flags) && ++ test_and_clear_bit(AS_EIO, &mapping->flags)) + ret = -EIO; + return ret; + } +@@ -520,10 +522,10 @@ struct page *__page_cache_alloc(gfp_t gfp) + if (cpuset_do_page_mem_spread()) { + unsigned int cpuset_mems_cookie; + do { +- cpuset_mems_cookie = get_mems_allowed(); ++ cpuset_mems_cookie = read_mems_allowed_begin(); + n = cpuset_mem_spread_node(); + page = alloc_pages_exact_node(n, gfp, 0); +- } while (!put_mems_allowed(cpuset_mems_cookie) && !page); ++ } while (!page && read_mems_allowed_retry(cpuset_mems_cookie)); + + return page; + } +diff --git a/mm/frontswap.c b/mm/frontswap.c +index 1b24bdcb3197..c30eec536f03 100644 +--- a/mm/frontswap.c ++++ b/mm/frontswap.c +@@ -327,15 +327,12 @@ EXPORT_SYMBOL(__frontswap_invalidate_area); + + static unsigned long 
__frontswap_curr_pages(void) + { +- int type; + unsigned long totalpages = 0; + struct swap_info_struct *si = NULL; + + assert_spin_locked(&swap_lock); +- for (type = swap_list.head; type >= 0; type = si->next) { +- si = swap_info[type]; ++ plist_for_each_entry(si, &swap_active_head, list) + totalpages += atomic_read(&si->frontswap_pages); +- } + return totalpages; + } + +@@ -347,11 +344,9 @@ static int __frontswap_unuse_pages(unsigned long total, unsigned long *unused, + int si_frontswap_pages; + unsigned long total_pages_to_unuse = total; + unsigned long pages = 0, pages_to_unuse = 0; +- int type; + + assert_spin_locked(&swap_lock); +- for (type = swap_list.head; type >= 0; type = si->next) { +- si = swap_info[type]; ++ plist_for_each_entry(si, &swap_active_head, list) { + si_frontswap_pages = atomic_read(&si->frontswap_pages); + if (total_pages_to_unuse < si_frontswap_pages) { + pages = pages_to_unuse = total_pages_to_unuse; +@@ -366,7 +361,7 @@ static int __frontswap_unuse_pages(unsigned long total, unsigned long *unused, + } + vm_unacct_memory(pages); + *unused = pages_to_unuse; +- *swapid = type; ++ *swapid = si->type; + ret = 0; + break; + } +@@ -413,7 +408,7 @@ void frontswap_shrink(unsigned long target_pages) + /* + * we don't want to hold swap_lock while doing a very + * lengthy try_to_unuse, but swap_list may change +- * so restart scan from swap_list.head each time ++ * so restart scan from swap_active_head each time + */ + spin_lock(&swap_lock); + ret = __frontswap_shrink(target_pages, &pages_to_unuse, &type); +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 1c42d0c36d0b..718bfa16a36f 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1819,21 +1819,24 @@ static int __split_huge_page_map(struct page *page, + if (pmd) { + pgtable = pgtable_trans_huge_withdraw(mm, pmd); + pmd_populate(mm, &_pmd, pgtable); ++ if (pmd_write(*pmd)) ++ BUG_ON(page_mapcount(page) != 1); + + haddr = address; + for (i = 0; i < HPAGE_PMD_NR; i++, haddr += PAGE_SIZE) { + pte_t *pte, entry; + BUG_ON(PageCompound(page+i)); ++ /* ++ * Note that pmd_numa is not transferred deliberately ++ * to avoid any possibility that pte_numa leaks to ++ * a PROT_NONE VMA by accident. 
++ */ + entry = mk_pte(page + i, vma->vm_page_prot); + entry = maybe_mkwrite(pte_mkdirty(entry), vma); + if (!pmd_write(*pmd)) + entry = pte_wrprotect(entry); +- else +- BUG_ON(page_mapcount(page) != 1); + if (!pmd_young(*pmd)) + entry = pte_mkold(entry); +- if (pmd_numa(*pmd)) +- entry = pte_mknuma(entry); + pte = pte_offset_map(&_pmd, haddr); + BUG_ON(!pte_none(*pte)); + set_pte_at(mm, haddr, pte, entry); +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 923f38e62bcf..67d0c175efcf 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -540,7 +540,7 @@ static struct page *dequeue_huge_page_vma(struct hstate *h, + goto err; + + retry_cpuset: +- cpuset_mems_cookie = get_mems_allowed(); ++ cpuset_mems_cookie = read_mems_allowed_begin(); + zonelist = huge_zonelist(vma, address, + htlb_alloc_mask(h), &mpol, &nodemask); + +@@ -562,7 +562,7 @@ retry_cpuset: + } + + mpol_cond_put(mpol); +- if (unlikely(!put_mems_allowed(cpuset_mems_cookie) && !page)) ++ if (unlikely(!page && read_mems_allowed_retry(cpuset_mems_cookie))) + goto retry_cpuset; + return page; + +@@ -2071,6 +2071,9 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, + unsigned long tmp; + int ret; + ++ if (!hugepages_supported()) ++ return -ENOTSUPP; ++ + tmp = h->max_huge_pages; + + if (write && h->order >= MAX_ORDER) +@@ -2124,6 +2127,9 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write, + unsigned long tmp; + int ret; + ++ if (!hugepages_supported()) ++ return -ENOTSUPP; ++ + tmp = h->nr_overcommit_huge_pages; + + if (write && h->order >= MAX_ORDER) +@@ -2149,6 +2155,8 @@ out: + void hugetlb_report_meminfo(struct seq_file *m) + { + struct hstate *h = &default_hstate; ++ if (!hugepages_supported()) ++ return; + seq_printf(m, + "HugePages_Total: %5lu\n" + "HugePages_Free: %5lu\n" +@@ -2165,6 +2173,8 @@ void hugetlb_report_meminfo(struct seq_file *m) + int hugetlb_report_node_meminfo(int nid, char *buf) + { + struct hstate *h = &default_hstate; ++ if (!hugepages_supported()) ++ return 0; + return sprintf(buf, + "Node %d HugePages_Total: %5u\n" + "Node %d HugePages_Free: %5u\n" +@@ -2179,6 +2189,9 @@ void hugetlb_show_meminfo(void) + struct hstate *h; + int nid; + ++ if (!hugepages_supported()) ++ return; ++ + for_each_node_state(nid, N_MEMORY) + for_each_hstate(h) + pr_info("Node %d hugepages_total=%u hugepages_free=%u hugepages_surp=%u hugepages_size=%lukB\n", +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index 15a8ea031526..796c7e6cf93b 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1897,7 +1897,7 @@ int node_random(const nodemask_t *maskp) + * If the effective policy is 'BIND, returns a pointer to the mempolicy's + * @nodemask for filtering the zonelist. 
+ * +- * Must be protected by get_mems_allowed() ++ * Must be protected by read_mems_allowed_begin() + */ + struct zonelist *huge_zonelist(struct vm_area_struct *vma, unsigned long addr, + gfp_t gfp_flags, struct mempolicy **mpol, +@@ -2061,7 +2061,7 @@ alloc_pages_vma(gfp_t gfp, int order, struct vm_area_struct *vma, + + retry_cpuset: + pol = get_vma_policy(current, vma, addr); +- cpuset_mems_cookie = get_mems_allowed(); ++ cpuset_mems_cookie = read_mems_allowed_begin(); + + if (unlikely(pol->mode == MPOL_INTERLEAVE)) { + unsigned nid; +@@ -2069,7 +2069,7 @@ retry_cpuset: + nid = interleave_nid(pol, vma, addr, PAGE_SHIFT + order); + mpol_cond_put(pol); + page = alloc_page_interleave(gfp, order, nid); +- if (unlikely(!put_mems_allowed(cpuset_mems_cookie) && !page)) ++ if (unlikely(!page && read_mems_allowed_retry(cpuset_mems_cookie))) + goto retry_cpuset; + + return page; +@@ -2079,7 +2079,7 @@ retry_cpuset: + policy_nodemask(gfp, pol)); + if (unlikely(mpol_needs_cond_ref(pol))) + __mpol_put(pol); +- if (unlikely(!put_mems_allowed(cpuset_mems_cookie) && !page)) ++ if (unlikely(!page && read_mems_allowed_retry(cpuset_mems_cookie))) + goto retry_cpuset; + return page; + } +@@ -2113,7 +2113,7 @@ struct page *alloc_pages_current(gfp_t gfp, unsigned order) + pol = &default_policy; + + retry_cpuset: +- cpuset_mems_cookie = get_mems_allowed(); ++ cpuset_mems_cookie = read_mems_allowed_begin(); + + /* + * No reference counting needed for current->mempolicy +@@ -2126,7 +2126,7 @@ retry_cpuset: + policy_zonelist(gfp, pol, numa_node_id()), + policy_nodemask(gfp, pol)); + +- if (unlikely(!put_mems_allowed(cpuset_mems_cookie) && !page)) ++ if (unlikely(!page && read_mems_allowed_retry(cpuset_mems_cookie))) + goto retry_cpuset; + + return page; +diff --git a/mm/migrate.c b/mm/migrate.c +index bed48809e5d0..13f47fbe3550 100644 +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -148,8 +148,11 @@ static int remove_migration_pte(struct page *new, struct vm_area_struct *vma, + pte = pte_mkold(mk_pte(new, vma->vm_page_prot)); + if (pte_swp_soft_dirty(*ptep)) + pte = pte_mksoft_dirty(pte); ++ ++ /* Recheck VMA as permissions can change since migration started */ + if (is_write_migration_entry(entry)) +- pte = pte_mkwrite(pte); ++ pte = maybe_mkwrite(pte, vma); ++ + #ifdef CONFIG_HUGETLB_PAGE + if (PageHuge(new)) { + pte = pte_mkhuge(pte); +diff --git a/mm/mmap.c b/mm/mmap.c +index 20ff0c33274c..dfe90657a6db 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -681,8 +682,9 @@ __vma_unlink(struct mm_struct *mm, struct vm_area_struct *vma, + prev->vm_next = next = vma->vm_next; + if (next) + next->vm_prev = prev; +- if (mm->mmap_cache == vma) +- mm->mmap_cache = prev; ++ ++ /* Kill the cache */ ++ vmacache_invalidate(mm); + } + + /* +@@ -1989,34 +1991,33 @@ EXPORT_SYMBOL(get_unmapped_area); + /* Look up the first VMA which satisfies addr < vm_end, NULL if none. */ + struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) + { +- struct vm_area_struct *vma = NULL; ++ struct rb_node *rb_node; ++ struct vm_area_struct *vma; + + /* Check the cache first. */ +- /* (Cache hit rate is typically around 35%.) 
*/ +- vma = ACCESS_ONCE(mm->mmap_cache); +- if (!(vma && vma->vm_end > addr && vma->vm_start <= addr)) { +- struct rb_node *rb_node; ++ vma = vmacache_find(mm, addr); ++ if (likely(vma)) ++ return vma; + +- rb_node = mm->mm_rb.rb_node; +- vma = NULL; ++ rb_node = mm->mm_rb.rb_node; ++ vma = NULL; + +- while (rb_node) { +- struct vm_area_struct *vma_tmp; +- +- vma_tmp = rb_entry(rb_node, +- struct vm_area_struct, vm_rb); +- +- if (vma_tmp->vm_end > addr) { +- vma = vma_tmp; +- if (vma_tmp->vm_start <= addr) +- break; +- rb_node = rb_node->rb_left; +- } else +- rb_node = rb_node->rb_right; +- } +- if (vma) +- mm->mmap_cache = vma; ++ while (rb_node) { ++ struct vm_area_struct *tmp; ++ ++ tmp = rb_entry(rb_node, struct vm_area_struct, vm_rb); ++ ++ if (tmp->vm_end > addr) { ++ vma = tmp; ++ if (tmp->vm_start <= addr) ++ break; ++ rb_node = rb_node->rb_left; ++ } else ++ rb_node = rb_node->rb_right; + } ++ ++ if (vma) ++ vmacache_update(addr, vma); + return vma; + } + +@@ -2388,7 +2389,9 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, + } else + mm->highest_vm_end = prev ? prev->vm_end : 0; + tail_vma->vm_next = NULL; +- mm->mmap_cache = NULL; /* Kill the cache. */ ++ ++ /* Kill the cache */ ++ vmacache_invalidate(mm); + } + + /* +diff --git a/mm/nommu.c b/mm/nommu.c +index 8740213b1647..3ee4f74fbfbe 100644 +--- a/mm/nommu.c ++++ b/mm/nommu.c +@@ -15,6 +15,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -768,16 +769,23 @@ static void add_vma_to_mm(struct mm_struct *mm, struct vm_area_struct *vma) + */ + static void delete_vma_from_mm(struct vm_area_struct *vma) + { ++ int i; + struct address_space *mapping; + struct mm_struct *mm = vma->vm_mm; ++ struct task_struct *curr = current; + + kenter("%p", vma); + + protect_vma(vma, 0); + + mm->map_count--; +- if (mm->mmap_cache == vma) +- mm->mmap_cache = NULL; ++ for (i = 0; i < VMACACHE_SIZE; i++) { ++ /* if the vma is cached, invalidate the entire cache */ ++ if (curr->vmacache[i] == vma) { ++ vmacache_invalidate(curr->mm); ++ break; ++ } ++ } + + /* remove the VMA from the mapping */ + if (vma->vm_file) { +@@ -825,8 +833,8 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) + struct vm_area_struct *vma; + + /* check the cache first */ +- vma = ACCESS_ONCE(mm->mmap_cache); +- if (vma && vma->vm_start <= addr && vma->vm_end > addr) ++ vma = vmacache_find(mm, addr); ++ if (likely(vma)) + return vma; + + /* trawl the list (there may be multiple mappings in which addr +@@ -835,7 +843,7 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) + if (vma->vm_start > addr) + return NULL; + if (vma->vm_end > addr) { +- mm->mmap_cache = vma; ++ vmacache_update(addr, vma); + return vma; + } + } +@@ -874,8 +882,8 @@ static struct vm_area_struct *find_vma_exact(struct mm_struct *mm, + unsigned long end = addr + len; + + /* check the cache first */ +- vma = mm->mmap_cache; +- if (vma && vma->vm_start == addr && vma->vm_end == end) ++ vma = vmacache_find_exact(mm, addr, end); ++ if (vma) + return vma; + + /* trawl the list (there may be multiple mappings in which addr +@@ -886,7 +894,7 @@ static struct vm_area_struct *find_vma_exact(struct mm_struct *mm, + if (vma->vm_start > addr) + return NULL; + if (vma->vm_end == end) { +- mm->mmap_cache = vma; ++ vmacache_update(addr, vma); + return vma; + } + } +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 62e400d00e3f..ff0f6b13f32f 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -1869,7 +1869,7 @@ 
static void __paginginit init_zone_allows_reclaim(int nid) + { + int i; + +- for_each_online_node(i) ++ for_each_node_state(i, N_MEMORY) + if (node_distance(nid, i) <= RECLAIM_DISTANCE) + node_set(i, NODE_DATA(nid)->reclaim_nodes); + else +@@ -2736,7 +2736,7 @@ __alloc_pages_nodemask(gfp_t gfp_mask, unsigned int order, + return NULL; + + retry_cpuset: +- cpuset_mems_cookie = get_mems_allowed(); ++ cpuset_mems_cookie = read_mems_allowed_begin(); + + /* The preferred zone is used for statistics later */ + first_zones_zonelist(zonelist, high_zoneidx, +@@ -2791,7 +2791,7 @@ out: + * the mask is being updated. If a page allocation is about to fail, + * check if the cpuset changed during allocation and if so, retry. + */ +- if (unlikely(!put_mems_allowed(cpuset_mems_cookie) && !page)) ++ if (unlikely(!page && read_mems_allowed_retry(cpuset_mems_cookie))) + goto retry_cpuset; + + memcg_kmem_commit_charge(page, memcg, order); +@@ -3059,9 +3059,9 @@ bool skip_free_areas_node(unsigned int flags, int nid) + goto out; + + do { +- cpuset_mems_cookie = get_mems_allowed(); ++ cpuset_mems_cookie = read_mems_allowed_begin(); + ret = !node_isset(nid, cpuset_current_mems_allowed); +- } while (!put_mems_allowed(cpuset_mems_cookie)); ++ } while (read_mems_allowed_retry(cpuset_mems_cookie)); + out: + return ret; + } +@@ -4933,7 +4933,8 @@ void __paginginit free_area_init_node(int nid, unsigned long *zones_size, + + pgdat->node_id = nid; + pgdat->node_start_pfn = node_start_pfn; +- init_zone_allows_reclaim(nid); ++ if (node_state(nid, N_MEMORY)) ++ init_zone_allows_reclaim(nid); + #ifdef CONFIG_HAVE_MEMBLOCK_NODE_MAP + get_pfn_range_for_nid(nid, &start_pfn, &end_pfn); + #endif +diff --git a/mm/readahead.c b/mm/readahead.c +index 0de2360d65f3..1fa0d6fca556 100644 +--- a/mm/readahead.c ++++ b/mm/readahead.c +@@ -233,14 +233,14 @@ int force_page_cache_readahead(struct address_space *mapping, struct file *filp, + return 0; + } + ++#define MAX_READAHEAD ((512*4096)/PAGE_CACHE_SIZE) + /* + * Given a desired number of PAGE_CACHE_SIZE readahead pages, return a + * sensible upper limit. 
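These page-allocator hunks, like the mempolicy and slab/slub ones around them, switch from get_mems_allowed()/put_mems_allowed() to the cookie-style read_mems_allowed_begin()/read_mems_allowed_retry(), where the retry test runs only after a failed attempt. The self-contained sketch below is an editorial illustration of that pattern rather than kernel code; read_begin(), read_retry() and try_alloc() are invented stand-ins.

#include <stdio.h>
#include <stdbool.h>

static unsigned mems_seq;          /* bumped whenever mems_allowed changes */
static int attempts;

static unsigned read_begin(void)   { return mems_seq; }
static bool read_retry(unsigned c) { return mems_seq != c; }

static void *try_alloc(void)
{
	static int fake_page;

	if (attempts++ == 0) {
		mems_seq++;        /* pretend a cpuset update raced with us */
		return NULL;       /* ...and made the first attempt fail */
	}
	return &fake_page;
}

int main(void)
{
	unsigned cookie;
	void *page;

	do {
		cookie = read_begin();
		page = try_alloc();
		/* Only a failed attempt is worth retrying: the failure may
		 * just mean the allowed node set changed under us. */
	} while (!page && read_retry(cookie));

	printf("allocated after %d attempt(s)\n", attempts);
	return 0;
}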
+ */ + unsigned long max_sane_readahead(unsigned long nr) + { +- return min(nr, (node_page_state(numa_node_id(), NR_INACTIVE_FILE) +- + node_page_state(numa_node_id(), NR_FREE_PAGES)) / 2); ++ return min(nr, MAX_READAHEAD); + } + + /* +diff --git a/mm/slab.c b/mm/slab.c +index ea854eb2388c..0b1c2a58559d 100644 +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -3122,7 +3122,7 @@ static void *fallback_alloc(struct kmem_cache *cache, gfp_t flags) + local_flags = flags & (GFP_CONSTRAINT_MASK|GFP_RECLAIM_MASK); + + retry_cpuset: +- cpuset_mems_cookie = get_mems_allowed(); ++ cpuset_mems_cookie = read_mems_allowed_begin(); + zonelist = node_zonelist(slab_node(), flags); + + retry: +@@ -3180,7 +3180,7 @@ retry: + } + } + +- if (unlikely(!put_mems_allowed(cpuset_mems_cookie) && !obj)) ++ if (unlikely(!obj && read_mems_allowed_retry(cpuset_mems_cookie))) + goto retry_cpuset; + return obj; + } +diff --git a/mm/slub.c b/mm/slub.c +index 25f14ad8f817..7611f148ee81 100644 +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -1684,7 +1684,7 @@ static void *get_any_partial(struct kmem_cache *s, gfp_t flags, + return NULL; + + do { +- cpuset_mems_cookie = get_mems_allowed(); ++ cpuset_mems_cookie = read_mems_allowed_begin(); + zonelist = node_zonelist(slab_node(), flags); + for_each_zone_zonelist(zone, z, zonelist, high_zoneidx) { + struct kmem_cache_node *n; +@@ -1696,19 +1696,17 @@ static void *get_any_partial(struct kmem_cache *s, gfp_t flags, + object = get_partial_node(s, n, c, flags); + if (object) { + /* +- * Return the object even if +- * put_mems_allowed indicated that +- * the cpuset mems_allowed was +- * updated in parallel. It's a +- * harmless race between the alloc +- * and the cpuset update. ++ * Don't check read_mems_allowed_retry() ++ * here - if mems_allowed was updated in ++ * parallel, that was a harmless race ++ * between allocation and the cpuset ++ * update + */ +- put_mems_allowed(cpuset_mems_cookie); + return object; + } + } + } +- } while (!put_mems_allowed(cpuset_mems_cookie)); ++ } while (read_mems_allowed_retry(cpuset_mems_cookie)); + #endif + return NULL; + } +diff --git a/mm/swapfile.c b/mm/swapfile.c +index 4a7f7e6992b6..beeeef8a1b2d 100644 +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -51,14 +51,32 @@ atomic_long_t nr_swap_pages; + /* protected with swap_lock. reading in vm_swap_full() doesn't need lock */ + long total_swap_pages; + static int least_priority; +-static atomic_t highest_priority_index = ATOMIC_INIT(-1); + + static const char Bad_file[] = "Bad swap file entry "; + static const char Unused_file[] = "Unused swap file entry "; + static const char Bad_offset[] = "Bad swap offset entry "; + static const char Unused_offset[] = "Unused swap offset entry "; + +-struct swap_list_t swap_list = {-1, -1}; ++/* ++ * all active swap_info_structs ++ * protected with swap_lock, and ordered by priority. ++ */ ++PLIST_HEAD(swap_active_head); ++ ++/* ++ * all available (active, not full) swap_info_structs ++ * protected with swap_avail_lock, ordered by priority. ++ * This is used by get_swap_page() instead of swap_active_head ++ * because swap_active_head includes all swap_info_structs, ++ * but get_swap_page() doesn't need to look at full ones. ++ * This uses its own lock instead of swap_lock because when a ++ * swap_info_struct changes between not-full/full, it needs to ++ * add/remove itself to/from this list, but the swap_info_struct->lock ++ * is held and the locking order requires swap_lock to be taken ++ * before any swap_info_struct->lock. 
++ */ ++static PLIST_HEAD(swap_avail_head); ++static DEFINE_SPINLOCK(swap_avail_lock); + + struct swap_info_struct *swap_info[MAX_SWAPFILES]; + +@@ -591,6 +609,9 @@ checks: + if (si->inuse_pages == si->pages) { + si->lowest_bit = si->max; + si->highest_bit = 0; ++ spin_lock(&swap_avail_lock); ++ plist_del(&si->avail_list, &swap_avail_head); ++ spin_unlock(&swap_avail_lock); + } + si->swap_map[offset] = usage; + inc_cluster_info_page(si, si->cluster_info, offset); +@@ -640,71 +661,65 @@ no_page: + + swp_entry_t get_swap_page(void) + { +- struct swap_info_struct *si; ++ struct swap_info_struct *si, *next; + pgoff_t offset; +- int type, next; +- int wrapped = 0; +- int hp_index; + +- spin_lock(&swap_lock); + if (atomic_long_read(&nr_swap_pages) <= 0) + goto noswap; + atomic_long_dec(&nr_swap_pages); + +- for (type = swap_list.next; type >= 0 && wrapped < 2; type = next) { +- hp_index = atomic_xchg(&highest_priority_index, -1); +- /* +- * highest_priority_index records current highest priority swap +- * type which just frees swap entries. If its priority is +- * higher than that of swap_list.next swap type, we use it. It +- * isn't protected by swap_lock, so it can be an invalid value +- * if the corresponding swap type is swapoff. We double check +- * the flags here. It's even possible the swap type is swapoff +- * and swapon again and its priority is changed. In such rare +- * case, low prority swap type might be used, but eventually +- * high priority swap will be used after several rounds of +- * swap. +- */ +- if (hp_index != -1 && hp_index != type && +- swap_info[type]->prio < swap_info[hp_index]->prio && +- (swap_info[hp_index]->flags & SWP_WRITEOK)) { +- type = hp_index; +- swap_list.next = type; +- } +- +- si = swap_info[type]; +- next = si->next; +- if (next < 0 || +- (!wrapped && si->prio != swap_info[next]->prio)) { +- next = swap_list.head; +- wrapped++; +- } ++ spin_lock(&swap_avail_lock); + ++start_over: ++ plist_for_each_entry_safe(si, next, &swap_avail_head, avail_list) { ++ /* requeue si to after same-priority siblings */ ++ plist_requeue(&si->avail_list, &swap_avail_head); ++ spin_unlock(&swap_avail_lock); + spin_lock(&si->lock); +- if (!si->highest_bit) { ++ if (!si->highest_bit || !(si->flags & SWP_WRITEOK)) { ++ spin_lock(&swap_avail_lock); ++ if (plist_node_empty(&si->avail_list)) { ++ spin_unlock(&si->lock); ++ goto nextsi; ++ } ++ WARN(!si->highest_bit, ++ "swap_info %d in list but !highest_bit\n", ++ si->type); ++ WARN(!(si->flags & SWP_WRITEOK), ++ "swap_info %d in list but !SWP_WRITEOK\n", ++ si->type); ++ plist_del(&si->avail_list, &swap_avail_head); + spin_unlock(&si->lock); +- continue; ++ goto nextsi; + } +- if (!(si->flags & SWP_WRITEOK)) { +- spin_unlock(&si->lock); +- continue; +- } +- +- swap_list.next = next; + +- spin_unlock(&swap_lock); + /* This is called for allocating swap entry for cache */ + offset = scan_swap_map(si, SWAP_HAS_CACHE); + spin_unlock(&si->lock); + if (offset) +- return swp_entry(type, offset); +- spin_lock(&swap_lock); +- next = swap_list.next; ++ return swp_entry(si->type, offset); ++ pr_debug("scan_swap_map of si %d failed to find offset\n", ++ si->type); ++ spin_lock(&swap_avail_lock); ++nextsi: ++ /* ++ * if we got here, it's likely that si was almost full before, ++ * and since scan_swap_map() can drop the si->lock, multiple ++ * callers probably all tried to get a page from the same si ++ * and it filled up before we could get one; or, the si filled ++ * up between us dropping swap_avail_lock and taking si->lock. 
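The rewritten get_swap_page() above walks swap_avail_head and calls plist_requeue() on the entry it picked, so allocations rotate among swap areas of equal priority while still preferring higher-priority ones. The toy program below is an editorial sketch of that behaviour, not the kernel plist implementation.

#include <stdio.h>

struct area { const char *name; int swap_prio; };

/* Pick the front entry (most preferred), then move it behind the run of
 * entries sharing its priority, the way plist_requeue() does, so repeated
 * calls rotate among equal-priority areas before ever using a lower one.
 * The array is assumed sorted most-preferred-first, like swap_avail_head. */
static struct area pick_and_requeue(struct area *a, int n)
{
	struct area chosen = a[0];
	int i = 1;

	while (i < n && a[i].swap_prio == chosen.swap_prio) {
		a[i - 1] = a[i];
		i++;
	}
	a[i - 1] = chosen;
	return chosen;
}

int main(void)
{
	struct area areas[] = {
		{ "swapA", 5 }, { "swapB", 5 }, { "swapC", 1 },
	};
	int i;

	/* prints swapA, swapB, swapA, swapB: swapC is untouched while the
	 * higher-priority pair still has free slots */
	for (i = 0; i < 4; i++)
		printf("%s\n", pick_and_requeue(areas, 3).name);
	return 0;
}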
++ * Since we dropped the swap_avail_lock, the swap_avail_head ++ * list may have been modified; so if next is still in the ++ * swap_avail_head list then try it, otherwise start over. ++ */ ++ if (plist_node_empty(&next->avail_list)) ++ goto start_over; + } + ++ spin_unlock(&swap_avail_lock); ++ + atomic_long_inc(&nr_swap_pages); + noswap: +- spin_unlock(&swap_lock); + return (swp_entry_t) {0}; + } + +@@ -766,27 +781,6 @@ out: + return NULL; + } + +-/* +- * This swap type frees swap entry, check if it is the highest priority swap +- * type which just frees swap entry. get_swap_page() uses +- * highest_priority_index to search highest priority swap type. The +- * swap_info_struct.lock can't protect us if there are multiple swap types +- * active, so we use atomic_cmpxchg. +- */ +-static void set_highest_priority_index(int type) +-{ +- int old_hp_index, new_hp_index; +- +- do { +- old_hp_index = atomic_read(&highest_priority_index); +- if (old_hp_index != -1 && +- swap_info[old_hp_index]->prio >= swap_info[type]->prio) +- break; +- new_hp_index = type; +- } while (atomic_cmpxchg(&highest_priority_index, +- old_hp_index, new_hp_index) != old_hp_index); +-} +- + static unsigned char swap_entry_free(struct swap_info_struct *p, + swp_entry_t entry, unsigned char usage) + { +@@ -828,9 +822,18 @@ static unsigned char swap_entry_free(struct swap_info_struct *p, + dec_cluster_info_page(p, p->cluster_info, offset); + if (offset < p->lowest_bit) + p->lowest_bit = offset; +- if (offset > p->highest_bit) ++ if (offset > p->highest_bit) { ++ bool was_full = !p->highest_bit; + p->highest_bit = offset; +- set_highest_priority_index(p->type); ++ if (was_full && (p->flags & SWP_WRITEOK)) { ++ spin_lock(&swap_avail_lock); ++ WARN_ON(!plist_node_empty(&p->avail_list)); ++ if (plist_node_empty(&p->avail_list)) ++ plist_add(&p->avail_list, ++ &swap_avail_head); ++ spin_unlock(&swap_avail_lock); ++ } ++ } + atomic_long_inc(&nr_swap_pages); + p->inuse_pages--; + frontswap_invalidate_page(p->type, offset); +@@ -1765,30 +1768,37 @@ static void _enable_swap_info(struct swap_info_struct *p, int prio, + unsigned char *swap_map, + struct swap_cluster_info *cluster_info) + { +- int i, prev; +- + if (prio >= 0) + p->prio = prio; + else + p->prio = --least_priority; ++ /* ++ * the plist prio is negated because plist ordering is ++ * low-to-high, while swap ordering is high-to-low ++ */ ++ p->list.prio = -p->prio; ++ p->avail_list.prio = -p->prio; + p->swap_map = swap_map; + p->cluster_info = cluster_info; + p->flags |= SWP_WRITEOK; + atomic_long_add(p->pages, &nr_swap_pages); + total_swap_pages += p->pages; + +- /* insert swap space into swap_list: */ +- prev = -1; +- for (i = swap_list.head; i >= 0; i = swap_info[i]->next) { +- if (p->prio >= swap_info[i]->prio) +- break; +- prev = i; +- } +- p->next = i; +- if (prev < 0) +- swap_list.head = swap_list.next = p->type; +- else +- swap_info[prev]->next = p->type; ++ assert_spin_locked(&swap_lock); ++ /* ++ * both lists are plists, and thus priority ordered. ++ * swap_active_head needs to be priority ordered for swapoff(), ++ * which on removal of any swap_info_struct with an auto-assigned ++ * (i.e. negative) priority increments the auto-assigned priority ++ * of any lower-priority swap_info_structs. ++ * swap_avail_head needs to be priority ordered for get_swap_page(), ++ * which allocates swap pages from the highest available priority ++ * swap_info_struct. 
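The comment above notes that the plist priority is stored negated because plists sort ascending while swap wants the highest priority used first. A small editorial example of that inversion, using qsort() in place of plist insertion:

#include <stdio.h>
#include <stdlib.h>

struct area { const char *name; int swap_prio; };

/* plist nodes sort ascending by key, so store -swap_prio as the key
 * (p->list.prio = -p->prio in the hunk above) */
static int by_plist_key(const void *a, const void *b)
{
	int ka = -((const struct area *)a)->swap_prio;
	int kb = -((const struct area *)b)->swap_prio;

	return (ka > kb) - (ka < kb);
}

int main(void)
{
	struct area areas[] = {
		{ "sda2", 5 }, { "zram0", 100 }, { "swapfile", -2 },
	};
	int i;

	qsort(areas, 3, sizeof(areas[0]), by_plist_key);

	/* prints zram0, sda2, swapfile: highest swap priority comes first
	 * even though the list itself is kept in ascending key order */
	for (i = 0; i < 3; i++)
		printf("%s (swap prio %d)\n", areas[i].name, areas[i].swap_prio);
	return 0;
}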
++ */ ++ plist_add(&p->list, &swap_active_head); ++ spin_lock(&swap_avail_lock); ++ plist_add(&p->avail_list, &swap_avail_head); ++ spin_unlock(&swap_avail_lock); + } + + static void enable_swap_info(struct swap_info_struct *p, int prio, +@@ -1823,8 +1833,7 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile) + struct address_space *mapping; + struct inode *inode; + struct filename *pathname; +- int i, type, prev; +- int err; ++ int err, found = 0; + unsigned int old_block_size; + + if (!capable(CAP_SYS_ADMIN)) +@@ -1842,17 +1851,16 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile) + goto out; + + mapping = victim->f_mapping; +- prev = -1; + spin_lock(&swap_lock); +- for (type = swap_list.head; type >= 0; type = swap_info[type]->next) { +- p = swap_info[type]; ++ plist_for_each_entry(p, &swap_active_head, list) { + if (p->flags & SWP_WRITEOK) { +- if (p->swap_file->f_mapping == mapping) ++ if (p->swap_file->f_mapping == mapping) { ++ found = 1; + break; ++ } + } +- prev = type; + } +- if (type < 0) { ++ if (!found) { + err = -EINVAL; + spin_unlock(&swap_lock); + goto out_dput; +@@ -1864,20 +1872,21 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile) + spin_unlock(&swap_lock); + goto out_dput; + } +- if (prev < 0) +- swap_list.head = p->next; +- else +- swap_info[prev]->next = p->next; +- if (type == swap_list.next) { +- /* just pick something that's safe... */ +- swap_list.next = swap_list.head; +- } ++ spin_lock(&swap_avail_lock); ++ plist_del(&p->avail_list, &swap_avail_head); ++ spin_unlock(&swap_avail_lock); + spin_lock(&p->lock); + if (p->prio < 0) { +- for (i = p->next; i >= 0; i = swap_info[i]->next) +- swap_info[i]->prio = p->prio--; ++ struct swap_info_struct *si = p; ++ ++ plist_for_each_entry_continue(si, &swap_active_head, list) { ++ si->prio++; ++ si->list.prio--; ++ si->avail_list.prio--; ++ } + least_priority++; + } ++ plist_del(&p->list, &swap_active_head); + atomic_long_sub(p->pages, &nr_swap_pages); + total_swap_pages -= p->pages; + p->flags &= ~SWP_WRITEOK; +@@ -1885,7 +1894,7 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile) + spin_unlock(&swap_lock); + + set_current_oom_origin(); +- err = try_to_unuse(type, false, 0); /* force all pages to be unused */ ++ err = try_to_unuse(p->type, false, 0); /* force unuse all pages */ + clear_current_oom_origin(); + + if (err) { +@@ -1926,7 +1935,7 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile) + frontswap_map = frontswap_map_get(p); + spin_unlock(&p->lock); + spin_unlock(&swap_lock); +- frontswap_invalidate_area(type); ++ frontswap_invalidate_area(p->type); + frontswap_map_set(p, NULL); + mutex_unlock(&swapon_mutex); + free_percpu(p->percpu_cluster); +@@ -1935,7 +1944,7 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile) + vfree(cluster_info); + vfree(frontswap_map); + /* Destroy swap account information */ +- swap_cgroup_swapoff(type); ++ swap_cgroup_swapoff(p->type); + + inode = mapping->host; + if (S_ISBLK(inode->i_mode)) { +@@ -2142,8 +2151,9 @@ static struct swap_info_struct *alloc_swap_info(void) + */ + } + INIT_LIST_HEAD(&p->first_swap_extent.list); ++ plist_node_init(&p->list, 0); ++ plist_node_init(&p->avail_list, 0); + p->flags = SWP_USED; +- p->next = -1; + spin_unlock(&swap_lock); + spin_lock_init(&p->lock); + +diff --git a/mm/vmacache.c b/mm/vmacache.c +new file mode 100644 +index 000000000000..1037a3bab505 +--- /dev/null ++++ b/mm/vmacache.c +@@ -0,0 +1,114 @@ ++/* ++ * Copyright (C) 2014 Davidlohr Bueso. 
++ */ ++#include ++#include ++#include ++ ++/* ++ * Flush vma caches for threads that share a given mm. ++ * ++ * The operation is safe because the caller holds the mmap_sem ++ * exclusively and other threads accessing the vma cache will ++ * have mmap_sem held at least for read, so no extra locking ++ * is required to maintain the vma cache. ++ */ ++void vmacache_flush_all(struct mm_struct *mm) ++{ ++ struct task_struct *g, *p; ++ ++ rcu_read_lock(); ++ for_each_process_thread(g, p) { ++ /* ++ * Only flush the vmacache pointers as the ++ * mm seqnum is already set and curr's will ++ * be set upon invalidation when the next ++ * lookup is done. ++ */ ++ if (mm == p->mm) ++ vmacache_flush(p); ++ } ++ rcu_read_unlock(); ++} ++ ++/* ++ * This task may be accessing a foreign mm via (for example) ++ * get_user_pages()->find_vma(). The vmacache is task-local and this ++ * task's vmacache pertains to a different mm (ie, its own). There is ++ * nothing we can do here. ++ * ++ * Also handle the case where a kernel thread has adopted this mm via use_mm(). ++ * That kernel thread's vmacache is not applicable to this mm. ++ */ ++static bool vmacache_valid_mm(struct mm_struct *mm) ++{ ++ return current->mm == mm && !(current->flags & PF_KTHREAD); ++} ++ ++void vmacache_update(unsigned long addr, struct vm_area_struct *newvma) ++{ ++ if (vmacache_valid_mm(newvma->vm_mm)) ++ current->vmacache[VMACACHE_HASH(addr)] = newvma; ++} ++ ++static bool vmacache_valid(struct mm_struct *mm) ++{ ++ struct task_struct *curr; ++ ++ if (!vmacache_valid_mm(mm)) ++ return false; ++ ++ curr = current; ++ if (mm->vmacache_seqnum != curr->vmacache_seqnum) { ++ /* ++ * First attempt will always be invalid, initialize ++ * the new cache for this task here. ++ */ ++ curr->vmacache_seqnum = mm->vmacache_seqnum; ++ vmacache_flush(curr); ++ return false; ++ } ++ return true; ++} ++ ++struct vm_area_struct *vmacache_find(struct mm_struct *mm, unsigned long addr) ++{ ++ int i; ++ ++ if (!vmacache_valid(mm)) ++ return NULL; ++ ++ for (i = 0; i < VMACACHE_SIZE; i++) { ++ struct vm_area_struct *vma = current->vmacache[i]; ++ ++ if (!vma) ++ continue; ++ if (WARN_ON_ONCE(vma->vm_mm != mm)) ++ break; ++ if (vma->vm_start <= addr && vma->vm_end > addr) ++ return vma; ++ } ++ ++ return NULL; ++} ++ ++#ifndef CONFIG_MMU ++struct vm_area_struct *vmacache_find_exact(struct mm_struct *mm, ++ unsigned long start, ++ unsigned long end) ++{ ++ int i; ++ ++ if (!vmacache_valid(mm)) ++ return NULL; ++ ++ for (i = 0; i < VMACACHE_SIZE; i++) { ++ struct vm_area_struct *vma = current->vmacache[i]; ++ ++ if (vma && vma->vm_start == start && vma->vm_end == end) ++ return vma; ++ } ++ ++ return NULL; ++} ++#endif +diff --git a/mm/vmscan.c b/mm/vmscan.c +index 6ef484f0777f..0c0b36e5b4f8 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -224,15 +224,15 @@ shrink_slab_node(struct shrink_control *shrinkctl, struct shrinker *shrinker, + unsigned long freed = 0; + unsigned long long delta; + long total_scan; +- long max_pass; ++ long freeable; + long nr; + long new_nr; + int nid = shrinkctl->nid; + long batch_size = shrinker->batch ? 
shrinker->batch + : SHRINK_BATCH; + +- max_pass = shrinker->count_objects(shrinker, shrinkctl); +- if (max_pass == 0) ++ freeable = shrinker->count_objects(shrinker, shrinkctl); ++ if (freeable == 0) + return 0; + + /* +@@ -244,14 +244,14 @@ shrink_slab_node(struct shrink_control *shrinkctl, struct shrinker *shrinker, + + total_scan = nr; + delta = (4 * nr_pages_scanned) / shrinker->seeks; +- delta *= max_pass; ++ delta *= freeable; + do_div(delta, lru_pages + 1); + total_scan += delta; + if (total_scan < 0) { + printk(KERN_ERR + "shrink_slab: %pF negative objects to delete nr=%ld\n", + shrinker->scan_objects, total_scan); +- total_scan = max_pass; ++ total_scan = freeable; + } + + /* +@@ -260,26 +260,26 @@ shrink_slab_node(struct shrink_control *shrinkctl, struct shrinker *shrinker, + * shrinkers to return -1 all the time. This results in a large + * nr being built up so when a shrink that can do some work + * comes along it empties the entire cache due to nr >>> +- * max_pass. This is bad for sustaining a working set in ++ * freeable. This is bad for sustaining a working set in + * memory. + * + * Hence only allow the shrinker to scan the entire cache when + * a large delta change is calculated directly. + */ +- if (delta < max_pass / 4) +- total_scan = min(total_scan, max_pass / 2); ++ if (delta < freeable / 4) ++ total_scan = min(total_scan, freeable / 2); + + /* + * Avoid risking looping forever due to too large nr value: + * never try to free more than twice the estimate number of + * freeable entries. + */ +- if (total_scan > max_pass * 2) +- total_scan = max_pass * 2; ++ if (total_scan > freeable * 2) ++ total_scan = freeable * 2; + + trace_mm_shrink_slab_start(shrinker, shrinkctl, nr, + nr_pages_scanned, lru_pages, +- max_pass, delta, total_scan); ++ freeable, delta, total_scan); + + /* + * Normally, we should not scan less than batch_size objects in one +@@ -292,12 +292,12 @@ shrink_slab_node(struct shrink_control *shrinkctl, struct shrinker *shrinker, + * + * We detect the "tight on memory" situations by looking at the total + * number of objects we want to scan (total_scan). If it is greater +- * than the total number of objects on slab (max_pass), we must be ++ * than the total number of objects on slab (freeable), we must be + * scanning at high prio and therefore should try to reclaim as much as + * possible. 
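For reference, the scan-pressure calculation that this hunk renames max_pass to freeable in works out as delta = (4 * nr_pages_scanned / seeks) * freeable / (lru_pages + 1). The numbers in the editorial example below are made up purely to show the proportionality; with seeks = 2 (DEFAULT_SEEKS) it asks the shrinker for roughly 204 objects.

#include <stdio.h>

int main(void)
{
	unsigned long long nr_pages_scanned = 1024;   /* LRU pages scanned */
	unsigned long long seeks = 2;                 /* DEFAULT_SEEKS */
	unsigned long long freeable = 10000;          /* objects reported by the shrinker */
	unsigned long long lru_pages = 100000;
	unsigned long long delta;

	delta = (4 * nr_pages_scanned) / seeks;       /* same order as the kernel code */
	delta *= freeable;
	delta /= (lru_pages + 1);

	/* pressure on the cache scales with both how hard the LRUs were
	 * scanned and how large the cache itself is */
	printf("delta = %llu\n", delta);
	return 0;
}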
+ */ + while (total_scan >= batch_size || +- total_scan >= max_pass) { ++ total_scan >= freeable) { + unsigned long ret; + unsigned long nr_to_scan = min(batch_size, total_scan); + +@@ -1144,7 +1144,7 @@ unsigned long reclaim_clean_pages_from_list(struct zone *zone, + TTU_UNMAP|TTU_IGNORE_ACCESS, + &dummy1, &dummy2, &dummy3, &dummy4, &dummy5, true); + list_splice(&clean_pages, page_list); +- __mod_zone_page_state(zone, NR_ISOLATED_FILE, -ret); ++ mod_zone_page_state(zone, NR_ISOLATED_FILE, -ret); + return ret; + } + +@@ -2424,8 +2424,8 @@ static unsigned long do_try_to_free_pages(struct zonelist *zonelist, + unsigned long lru_pages = 0; + + nodes_clear(shrink->nodes_to_scan); +- for_each_zone_zonelist(zone, z, zonelist, +- gfp_zone(sc->gfp_mask)) { ++ for_each_zone_zonelist_nodemask(zone, z, zonelist, ++ gfp_zone(sc->gfp_mask), sc->nodemask) { + if (!cpuset_zone_allowed_hardwall(zone, GFP_KERNEL)) + continue; + diff --git a/projects/imx6/patches/linux/linux-000-patch-3.14.21-22.patch b/projects/imx6/patches/linux/linux-000-patch-3.14.21-22.patch new file mode 100644 index 0000000000..23599bd341 --- /dev/null +++ b/projects/imx6/patches/linux/linux-000-patch-3.14.21-22.patch @@ -0,0 +1,1795 @@ +diff --git a/Makefile b/Makefile +index 41e6e19fe2e9..a59980eb4557 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 21 ++SUBLEVEL = 22 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c +index 0378328f47a7..a4127453baae 100644 +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -1348,9 +1348,9 @@ static int ahash_update_first(struct ahash_request *req) + struct device *jrdev = ctx->jrdev; + gfp_t flags = (req->base.flags & (CRYPTO_TFM_REQ_MAY_BACKLOG | + CRYPTO_TFM_REQ_MAY_SLEEP)) ? GFP_KERNEL : GFP_ATOMIC; +- u8 *next_buf = state->buf_0 + state->current_buf * +- CAAM_MAX_HASH_BLOCK_SIZE; +- int *next_buflen = &state->buflen_0 + state->current_buf; ++ u8 *next_buf = state->current_buf ? state->buf_1 : state->buf_0; ++ int *next_buflen = state->current_buf ? 
++ &state->buflen_1 : &state->buflen_0; + int to_hash; + u32 *sh_desc = ctx->sh_desc_update_first, *desc; + dma_addr_t ptr = ctx->sh_desc_update_first_dma; +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index a95b322f0924..cc38948cf65d 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3624,8 +3624,14 @@ static int bond_xmit_roundrobin(struct sk_buff *skb, struct net_device *bond_dev + else + bond_xmit_slave_id(bond, skb, 0); + } else { +- slave_id = bond_rr_gen_slave_id(bond); +- bond_xmit_slave_id(bond, skb, slave_id % bond->slave_cnt); ++ int slave_cnt = ACCESS_ONCE(bond->slave_cnt); ++ ++ if (likely(slave_cnt)) { ++ slave_id = bond_rr_gen_slave_id(bond); ++ bond_xmit_slave_id(bond, skb, slave_id % slave_cnt); ++ } else { ++ dev_kfree_skb_any(skb); ++ } + } + + return NETDEV_TX_OK; +@@ -3656,8 +3662,13 @@ static int bond_xmit_activebackup(struct sk_buff *skb, struct net_device *bond_d + static int bond_xmit_xor(struct sk_buff *skb, struct net_device *bond_dev) + { + struct bonding *bond = netdev_priv(bond_dev); ++ int slave_cnt = ACCESS_ONCE(bond->slave_cnt); + +- bond_xmit_slave_id(bond, skb, bond_xmit_hash(bond, skb, bond->slave_cnt)); ++ if (likely(slave_cnt)) ++ bond_xmit_slave_id(bond, skb, ++ bond_xmit_hash(bond, skb, bond->slave_cnt)); ++ else ++ dev_kfree_skb_any(skb); + + return NETDEV_TX_OK; + } +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index a210766279d3..9373f1f59605 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -6923,7 +6923,8 @@ static int tg3_rx(struct tg3_napi *tnapi, int budget) + skb->protocol = eth_type_trans(skb, tp->dev); + + if (len > (tp->dev->mtu + ETH_HLEN) && +- skb->protocol != htons(ETH_P_8021Q)) { ++ skb->protocol != htons(ETH_P_8021Q) && ++ skb->protocol != htons(ETH_P_8021AD)) { + dev_kfree_skb(skb); + goto drop_it_no_recycle; + } +@@ -7915,8 +7916,6 @@ static netdev_tx_t tg3_start_xmit(struct sk_buff *skb, struct net_device *dev) + + entry = tnapi->tx_prod; + base_flags = 0; +- if (skb->ip_summed == CHECKSUM_PARTIAL) +- base_flags |= TXD_FLAG_TCPUDP_CSUM; + + mss = skb_shinfo(skb)->gso_size; + if (mss) { +@@ -7932,6 +7931,13 @@ static netdev_tx_t tg3_start_xmit(struct sk_buff *skb, struct net_device *dev) + + hdr_len = skb_transport_offset(skb) + tcp_hdrlen(skb) - ETH_HLEN; + ++ /* HW/FW can not correctly segment packets that have been ++ * vlan encapsulated. ++ */ ++ if (skb->protocol == htons(ETH_P_8021Q) || ++ skb->protocol == htons(ETH_P_8021AD)) ++ return tg3_tso_bug(tp, skb); ++ + if (!skb_is_gso_v6(skb)) { + iph->check = 0; + iph->tot_len = htons(mss + hdr_len); +@@ -7978,6 +7984,17 @@ static netdev_tx_t tg3_start_xmit(struct sk_buff *skb, struct net_device *dev) + base_flags |= tsflags << 12; + } + } ++ } else if (skb->ip_summed == CHECKSUM_PARTIAL) { ++ /* HW/FW can not correctly checksum packets that have been ++ * vlan encapsulated. 
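The bonding hunks above read bond->slave_cnt once into a local, test it, and reuse that same snapshot for the modulo, so a slave being released concurrently cannot turn the hash into a divide by zero. An editorial stand-alone sketch of the snapshot-then-use pattern (READ_ONCE() below is just the usual volatile cast that ACCESS_ONCE() expands to):

#include <stdio.h>

#define READ_ONCE(x) (*(volatile typeof(x) *)&(x))

static unsigned int slave_cnt = 3;    /* may be changed by another thread */

static void xmit(unsigned int skb_id)
{
	unsigned int cnt = READ_ONCE(slave_cnt);  /* single snapshot */

	if (cnt)
		printf("tx on slave %u\n", skb_id % cnt);
	else
		printf("no slaves, drop\n");      /* dev_kfree_skb_any() path */
}

int main(void)
{
	xmit(7);
	slave_cnt = 0;                    /* all slaves released */
	xmit(8);
	return 0;
}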
++ */ ++ if (skb->protocol == htons(ETH_P_8021Q) || ++ skb->protocol == htons(ETH_P_8021AD)) { ++ if (skb_checksum_help(skb)) ++ goto drop; ++ } else { ++ base_flags |= TXD_FLAG_TCPUDP_CSUM; ++ } + } + + if (tg3_flag(tp, USE_JUMBO_BDFLAG) && +diff --git a/drivers/net/ethernet/cadence/macb.c b/drivers/net/ethernet/cadence/macb.c +index d0c38e01e99f..0085476a0258 100644 +--- a/drivers/net/ethernet/cadence/macb.c ++++ b/drivers/net/ethernet/cadence/macb.c +@@ -30,7 +30,6 @@ + #include + #include + #include +-#include + + #include "macb.h" + +@@ -1810,7 +1809,6 @@ static int __init macb_probe(struct platform_device *pdev) + struct phy_device *phydev; + u32 config; + int err = -ENXIO; +- struct pinctrl *pinctrl; + const char *mac; + + regs = platform_get_resource(pdev, IORESOURCE_MEM, 0); +@@ -1819,15 +1817,6 @@ static int __init macb_probe(struct platform_device *pdev) + goto err_out; + } + +- pinctrl = devm_pinctrl_get_select_default(&pdev->dev); +- if (IS_ERR(pinctrl)) { +- err = PTR_ERR(pinctrl); +- if (err == -EPROBE_DEFER) +- goto err_out; +- +- dev_warn(&pdev->dev, "No pinctrl provided\n"); +- } +- + err = -ENOMEM; + dev = alloc_etherdev(sizeof(*bp)); + if (!dev) +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index b901371ca361..5d3206d5cb07 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -4024,6 +4024,9 @@ static int i40e_init_pf_dcb(struct i40e_pf *pf) + DCB_CAP_DCBX_VER_IEEE; + pf->flags |= I40E_FLAG_DCB_ENABLED; + } ++ } else { ++ dev_info(&pf->pdev->dev, "AQ Querying DCB configuration failed: %d\n", ++ pf->hw.aq.asq_last_status); + } + + out: +@@ -8003,7 +8006,7 @@ static int i40e_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + if (err) { + dev_info(&pdev->dev, "init_pf_dcb failed: %d\n", err); + pf->flags &= ~I40E_FLAG_DCB_ENABLED; +- goto err_init_dcb; ++ /* Continue without DCB enabled */ + } + #endif /* CONFIG_I40E_DCB */ + +@@ -8119,9 +8122,6 @@ err_vsis: + err_switch_setup: + i40e_reset_interrupt_capability(pf); + del_timer_sync(&pf->service_timer); +-#ifdef CONFIG_I40E_DCB +-err_init_dcb: +-#endif /* CONFIG_I40E_DCB */ + err_mac_addr: + err_configure_lan_hmc: + (void)i40e_shutdown_lan_hmc(hw); +diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +index 68026f7e8ba3..4a474dd9c910 100644 +--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c ++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +@@ -872,6 +872,10 @@ static int myri10ge_dma_test(struct myri10ge_priv *mgp, int test_type) + return -ENOMEM; + dmatest_bus = pci_map_page(mgp->pdev, dmatest_page, 0, PAGE_SIZE, + DMA_BIDIRECTIONAL); ++ if (unlikely(pci_dma_mapping_error(mgp->pdev, dmatest_bus))) { ++ __free_page(dmatest_page); ++ return -ENOMEM; ++ } + + /* Run a small DMA test. 
+ * The magic multipliers to the length tell the firmware +@@ -1293,6 +1297,7 @@ myri10ge_alloc_rx_pages(struct myri10ge_priv *mgp, struct myri10ge_rx_buf *rx, + int bytes, int watchdog) + { + struct page *page; ++ dma_addr_t bus; + int idx; + #if MYRI10GE_ALLOC_SIZE > 4096 + int end_offset; +@@ -1317,11 +1322,21 @@ myri10ge_alloc_rx_pages(struct myri10ge_priv *mgp, struct myri10ge_rx_buf *rx, + rx->watchdog_needed = 1; + return; + } ++ ++ bus = pci_map_page(mgp->pdev, page, 0, ++ MYRI10GE_ALLOC_SIZE, ++ PCI_DMA_FROMDEVICE); ++ if (unlikely(pci_dma_mapping_error(mgp->pdev, bus))) { ++ __free_pages(page, MYRI10GE_ALLOC_ORDER); ++ if (rx->fill_cnt - rx->cnt < 16) ++ rx->watchdog_needed = 1; ++ return; ++ } ++ + rx->page = page; + rx->page_offset = 0; +- rx->bus = pci_map_page(mgp->pdev, page, 0, +- MYRI10GE_ALLOC_SIZE, +- PCI_DMA_FROMDEVICE); ++ rx->bus = bus; ++ + } + rx->info[idx].page = rx->page; + rx->info[idx].page_offset = rx->page_offset; +@@ -2765,6 +2780,35 @@ myri10ge_submit_req(struct myri10ge_tx_buf *tx, struct mcp_kreq_ether_send *src, + mb(); + } + ++static void myri10ge_unmap_tx_dma(struct myri10ge_priv *mgp, ++ struct myri10ge_tx_buf *tx, int idx) ++{ ++ unsigned int len; ++ int last_idx; ++ ++ /* Free any DMA resources we've alloced and clear out the skb slot */ ++ last_idx = (idx + 1) & tx->mask; ++ idx = tx->req & tx->mask; ++ do { ++ len = dma_unmap_len(&tx->info[idx], len); ++ if (len) { ++ if (tx->info[idx].skb != NULL) ++ pci_unmap_single(mgp->pdev, ++ dma_unmap_addr(&tx->info[idx], ++ bus), len, ++ PCI_DMA_TODEVICE); ++ else ++ pci_unmap_page(mgp->pdev, ++ dma_unmap_addr(&tx->info[idx], ++ bus), len, ++ PCI_DMA_TODEVICE); ++ dma_unmap_len_set(&tx->info[idx], len, 0); ++ tx->info[idx].skb = NULL; ++ } ++ idx = (idx + 1) & tx->mask; ++ } while (idx != last_idx); ++} ++ + /* + * Transmit a packet. 
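The myri10ge hunks above add pci_dma_mapping_error() checks after every streaming mapping and unwind instead of handing an unchecked address to the NIC. The fragment below is an editorial sketch of that calling convention, assuming only <linux/pci.h>; it is not taken from the driver and the function name is invented.

#include <linux/errno.h>
#include <linux/pci.h>

/* Map a transmit buffer; on failure the caller simply drops the packet
 * rather than posting a bogus bus address to the hardware. */
static int example_map_for_tx(struct pci_dev *pdev, void *data, size_t len,
			      dma_addr_t *bus)
{
	*bus = pci_map_single(pdev, data, len, PCI_DMA_TODEVICE);
	if (unlikely(pci_dma_mapping_error(pdev, *bus)))
		return -ENOMEM;
	return 0;
}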
We need to split the packet so that a single + * segment does not cross myri10ge->tx_boundary, so this makes segment +@@ -2788,7 +2832,7 @@ static netdev_tx_t myri10ge_xmit(struct sk_buff *skb, + u32 low; + __be32 high_swapped; + unsigned int len; +- int idx, last_idx, avail, frag_cnt, frag_idx, count, mss, max_segments; ++ int idx, avail, frag_cnt, frag_idx, count, mss, max_segments; + u16 pseudo_hdr_offset, cksum_offset, queue; + int cum_len, seglen, boundary, rdma_count; + u8 flags, odd_flag; +@@ -2885,9 +2929,12 @@ again: + + /* map the skb for DMA */ + len = skb_headlen(skb); ++ bus = pci_map_single(mgp->pdev, skb->data, len, PCI_DMA_TODEVICE); ++ if (unlikely(pci_dma_mapping_error(mgp->pdev, bus))) ++ goto drop; ++ + idx = tx->req & tx->mask; + tx->info[idx].skb = skb; +- bus = pci_map_single(mgp->pdev, skb->data, len, PCI_DMA_TODEVICE); + dma_unmap_addr_set(&tx->info[idx], bus, bus); + dma_unmap_len_set(&tx->info[idx], len, len); + +@@ -2986,12 +3033,16 @@ again: + break; + + /* map next fragment for DMA */ +- idx = (count + tx->req) & tx->mask; + frag = &skb_shinfo(skb)->frags[frag_idx]; + frag_idx++; + len = skb_frag_size(frag); + bus = skb_frag_dma_map(&mgp->pdev->dev, frag, 0, len, + DMA_TO_DEVICE); ++ if (unlikely(pci_dma_mapping_error(mgp->pdev, bus))) { ++ myri10ge_unmap_tx_dma(mgp, tx, idx); ++ goto drop; ++ } ++ idx = (count + tx->req) & tx->mask; + dma_unmap_addr_set(&tx->info[idx], bus, bus); + dma_unmap_len_set(&tx->info[idx], len, len); + } +@@ -3022,31 +3073,8 @@ again: + return NETDEV_TX_OK; + + abort_linearize: +- /* Free any DMA resources we've alloced and clear out the skb +- * slot so as to not trip up assertions, and to avoid a +- * double-free if linearizing fails */ ++ myri10ge_unmap_tx_dma(mgp, tx, idx); + +- last_idx = (idx + 1) & tx->mask; +- idx = tx->req & tx->mask; +- tx->info[idx].skb = NULL; +- do { +- len = dma_unmap_len(&tx->info[idx], len); +- if (len) { +- if (tx->info[idx].skb != NULL) +- pci_unmap_single(mgp->pdev, +- dma_unmap_addr(&tx->info[idx], +- bus), len, +- PCI_DMA_TODEVICE); +- else +- pci_unmap_page(mgp->pdev, +- dma_unmap_addr(&tx->info[idx], +- bus), len, +- PCI_DMA_TODEVICE); +- dma_unmap_len_set(&tx->info[idx], len, 0); +- tx->info[idx].skb = NULL; +- } +- idx = (idx + 1) & tx->mask; +- } while (idx != last_idx); + if (skb_is_gso(skb)) { + netdev_err(mgp->dev, "TSO but wanted to linearize?!?!?\n"); + goto drop; +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +index d6fce9750b95..3c1c33ceffba 100644 +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -146,6 +146,7 @@ static int netvsc_start_xmit(struct sk_buff *skb, struct net_device *net) + struct hv_netvsc_packet *packet; + int ret; + unsigned int i, num_pages, npg_data; ++ u32 skb_length = skb->len; + + /* Add multipages for skb->data and additional 2 for RNDIS */ + npg_data = (((unsigned long)skb->data + skb_headlen(skb) - 1) +@@ -216,7 +217,7 @@ static int netvsc_start_xmit(struct sk_buff *skb, struct net_device *net) + ret = rndis_filter_send(net_device_ctx->device_ctx, + packet); + if (ret == 0) { +- net->stats.tx_bytes += skb->len; ++ net->stats.tx_bytes += skb_length; + net->stats.tx_packets++; + } else { + kfree(packet); +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 7f1abb7c18f2..fbf7dcdc22b0 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -709,6 +709,7 @@ static netdev_features_t macvlan_fix_features(struct net_device *dev, + features, + mask); + features |= 
ALWAYS_ON_FEATURES; ++ features &= ~NETIF_F_NETNS_LOCAL; + + return features; + } +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index 3381c4f91a8c..0c6adaaf898c 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -112,17 +112,15 @@ out: + return err; + } + ++/* Requires RTNL */ + static int macvtap_set_queue(struct net_device *dev, struct file *file, + struct macvtap_queue *q) + { + struct macvlan_dev *vlan = netdev_priv(dev); +- int err = -EBUSY; + +- rtnl_lock(); + if (vlan->numqueues == MAX_MACVTAP_QUEUES) +- goto out; ++ return -EBUSY; + +- err = 0; + rcu_assign_pointer(q->vlan, vlan); + rcu_assign_pointer(vlan->taps[vlan->numvtaps], q); + sock_hold(&q->sk); +@@ -136,9 +134,7 @@ static int macvtap_set_queue(struct net_device *dev, struct file *file, + vlan->numvtaps++; + vlan->numqueues++; + +-out: +- rtnl_unlock(); +- return err; ++ return 0; + } + + static int macvtap_disable_queue(struct macvtap_queue *q) +@@ -454,11 +450,12 @@ static void macvtap_sock_destruct(struct sock *sk) + static int macvtap_open(struct inode *inode, struct file *file) + { + struct net *net = current->nsproxy->net_ns; +- struct net_device *dev = dev_get_by_macvtap_minor(iminor(inode)); ++ struct net_device *dev; + struct macvtap_queue *q; +- int err; ++ int err = -ENODEV; + +- err = -ENODEV; ++ rtnl_lock(); ++ dev = dev_get_by_macvtap_minor(iminor(inode)); + if (!dev) + goto out; + +@@ -498,6 +495,7 @@ out: + if (dev) + dev_put(dev); + ++ rtnl_unlock(); + return err; + } + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 26d8c29b59de..979fe433278c 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -647,7 +647,7 @@ static void team_notify_peers(struct team *team) + { + if (!team->notify_peers.count || !netif_running(team->dev)) + return; +- atomic_set(&team->notify_peers.count_pending, team->notify_peers.count); ++ atomic_add(team->notify_peers.count, &team->notify_peers.count_pending); + schedule_delayed_work(&team->notify_peers.dw, 0); + } + +@@ -687,7 +687,7 @@ static void team_mcast_rejoin(struct team *team) + { + if (!team->mcast_rejoin.count || !netif_running(team->dev)) + return; +- atomic_set(&team->mcast_rejoin.count_pending, team->mcast_rejoin.count); ++ atomic_add(team->mcast_rejoin.count, &team->mcast_rejoin.count_pending); + schedule_delayed_work(&team->mcast_rejoin.dw, 0); + } + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 40ad25d7f28b..9b40532041cb 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1334,7 +1334,7 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb) + } else if (vxlan->flags & VXLAN_F_L3MISS) { + union vxlan_addr ipa = { + .sin.sin_addr.s_addr = tip, +- .sa.sa_family = AF_INET, ++ .sin.sin_family = AF_INET, + }; + + vxlan_ip_miss(dev, &ipa); +@@ -1495,7 +1495,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb) + } else if (vxlan->flags & VXLAN_F_L3MISS) { + union vxlan_addr ipa = { + .sin6.sin6_addr = msg->target, +- .sa.sa_family = AF_INET6, ++ .sin6.sin6_family = AF_INET6, + }; + + vxlan_ip_miss(dev, &ipa); +@@ -1528,7 +1528,7 @@ static bool route_shortcircuit(struct net_device *dev, struct sk_buff *skb) + if (!n && (vxlan->flags & VXLAN_F_L3MISS)) { + union vxlan_addr ipa = { + .sin.sin_addr.s_addr = pip->daddr, +- .sa.sa_family = AF_INET, ++ .sin.sin_family = AF_INET, + }; + + vxlan_ip_miss(dev, &ipa); +@@ -1549,7 +1549,7 @@ static bool route_shortcircuit(struct net_device *dev, struct sk_buff *skb) + if (!n && (vxlan->flags & 
VXLAN_F_L3MISS)) { + union vxlan_addr ipa = { + .sin6.sin6_addr = pip6->daddr, +- .sa.sa_family = AF_INET6, ++ .sin6.sin6_family = AF_INET6, + }; + + vxlan_ip_miss(dev, &ipa); +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index 0ff3e3624d4c..feda34404ed0 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1766,6 +1766,7 @@ pci_wch_ch353_setup(struct serial_private *priv, + #define PCI_DEVICE_ID_COMMTECH_4222PCIE 0x0022 + #define PCI_DEVICE_ID_BROADCOM_TRUMANAGE 0x160a + #define PCI_DEVICE_ID_AMCC_ADDIDATA_APCI7800 0x818e ++#define PCI_DEVICE_ID_INTEL_QRK_UART 0x0936 + + #define PCI_VENDOR_ID_SUNIX 0x1fd4 + #define PCI_DEVICE_ID_SUNIX_1999 0x1999 +@@ -1876,6 +1877,13 @@ static struct pci_serial_quirk pci_serial_quirks[] __refdata = { + .subdevice = PCI_ANY_ID, + .setup = byt_serial_setup, + }, ++ { ++ .vendor = PCI_VENDOR_ID_INTEL, ++ .device = PCI_DEVICE_ID_INTEL_QRK_UART, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_default_setup, ++ }, + /* + * ITE + */ +@@ -2710,6 +2718,7 @@ enum pci_board_num_t { + pbn_ADDIDATA_PCIe_8_3906250, + pbn_ce4100_1_115200, + pbn_byt, ++ pbn_qrk, + pbn_omegapci, + pbn_NETMOS9900_2s_115200, + pbn_brcm_trumanage, +@@ -3456,6 +3465,12 @@ static struct pciserial_board pci_boards[] = { + .uart_offset = 0x80, + .reg_shift = 2, + }, ++ [pbn_qrk] = { ++ .flags = FL_BASE0, ++ .num_ports = 1, ++ .base_baud = 2764800, ++ .reg_shift = 2, ++ }, + [pbn_omegapci] = { + .flags = FL_BASE0, + .num_ports = 8, +@@ -5150,6 +5165,12 @@ static struct pci_device_id serial_pci_tbl[] = { + pbn_byt }, + + /* ++ * Intel Quark x1000 ++ */ ++ { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_QRK_UART, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_qrk }, ++ /* + * Cronyx Omega PCI + */ + { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_CRONYX_OMEGA, +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 263612ce1f62..445d62a4316a 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1948,8 +1948,10 @@ void usb_set_device_state(struct usb_device *udev, + || new_state == USB_STATE_SUSPENDED) + ; /* No change to wakeup settings */ + else if (new_state == USB_STATE_CONFIGURED) +- wakeup = udev->actconfig->desc.bmAttributes +- & USB_CONFIG_ATT_WAKEUP; ++ wakeup = (udev->quirks & ++ USB_QUIRK_IGNORE_REMOTE_WAKEUP) ? 
0 : ++ udev->actconfig->desc.bmAttributes & ++ USB_CONFIG_ATT_WAKEUP; + else + wakeup = 0; + } +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 739ee8e8bdfd..5144d11d032c 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -160,6 +160,10 @@ static const struct usb_device_id usb_interface_quirk_list[] = { + { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0), + .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* ASUS Base Station(T100) */ ++ { USB_DEVICE(0x0b05, 0x17e0), .driver_info = ++ USB_QUIRK_IGNORE_REMOTE_WAKEUP }, ++ + { } /* terminating entry must be last */ + }; + +diff --git a/drivers/usb/musb/musb_dsps.c b/drivers/usb/musb/musb_dsps.c +index 7a109eae9b9a..85f5215871de 100644 +--- a/drivers/usb/musb/musb_dsps.c ++++ b/drivers/usb/musb/musb_dsps.c +@@ -707,6 +707,7 @@ static int dsps_suspend(struct device *dev) + struct musb *musb = platform_get_drvdata(glue->musb); + void __iomem *mbase = musb->ctrl_base; + ++ del_timer_sync(&glue->timer); + glue->context.control = dsps_readl(mbase, wrp->control); + glue->context.epintr = dsps_readl(mbase, wrp->epintr_set); + glue->context.coreintr = dsps_readl(mbase, wrp->coreintr_set); +@@ -732,6 +733,7 @@ static int dsps_resume(struct device *dev) + dsps_writel(mbase, wrp->mode, glue->context.mode); + dsps_writel(mbase, wrp->tx_mode, glue->context.tx_mode); + dsps_writel(mbase, wrp->rx_mode, glue->context.rx_mode); ++ setup_timer(&glue->timer, otg_timer, (unsigned long) musb); + + return 0; + } +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 330df5ce435b..63b2af2a87c0 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -122,6 +122,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x8665) }, /* AC-Services OBD-IF */ + { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */ + { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */ ++ { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */ + { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */ +@@ -155,6 +156,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ + { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ + { USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */ ++ { USB_DEVICE(0x1D6F, 0x0010) }, /* Seluxit ApS RF Dongle */ + { USB_DEVICE(0x1E29, 0x0102) }, /* Festo CPX-USB */ + { USB_DEVICE(0x1E29, 0x0501) }, /* Festo CMSP */ + { USB_DEVICE(0x1FB9, 0x0100) }, /* Lake Shore Model 121 Current Source */ +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index 72ba6f5cbc8d..2abe67bd4df8 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -186,7 +186,6 @@ vlan_dev_get_egress_qos_mask(struct net_device *dev, u32 skprio) + } + + extern bool vlan_do_receive(struct sk_buff **skb); +-extern struct sk_buff *vlan_untag(struct sk_buff *skb); + + extern int vlan_vid_add(struct net_device *dev, __be16 proto, u16 vid); + extern void vlan_vid_del(struct net_device *dev, __be16 proto, u16 vid); +@@ -228,11 +227,6 @@ static inline bool vlan_do_receive(struct sk_buff **skb) + return false; + } + +-static inline struct sk_buff *vlan_untag(struct sk_buff *skb) +-{ +- return skb; +-} +- + static inline int vlan_vid_add(struct net_device *dev, 
__be16 proto, u16 vid) + { + return 0; +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 15ede6a823a6..ad8f85908a56 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -2458,6 +2458,7 @@ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen); + void skb_scrub_packet(struct sk_buff *skb, bool xnet); + unsigned int skb_gso_transport_seglen(const struct sk_buff *skb); + struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features); ++struct sk_buff *skb_vlan_untag(struct sk_buff *skb); + + struct skb_checksum_ops { + __wsum (*update)(const void *mem, int len, __wsum wsum); +diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h +index 52f944dfe2fd..49587dc22f5d 100644 +--- a/include/linux/usb/quirks.h ++++ b/include/linux/usb/quirks.h +@@ -30,4 +30,7 @@ + descriptor */ + #define USB_QUIRK_DELAY_INIT 0x00000040 + ++/* device generates spurious wakeup, ignore remote wakeup capability */ ++#define USB_QUIRK_IGNORE_REMOTE_WAKEUP 0x00000200 ++ + #endif /* __LINUX_USB_QUIRKS_H */ +diff --git a/include/net/dst.h b/include/net/dst.h +index 77eb53fabfb0..909032821c37 100644 +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -466,6 +466,7 @@ void dst_init(void); + /* Flags for xfrm_lookup flags argument. */ + enum { + XFRM_LOOKUP_ICMP = 1 << 0, ++ XFRM_LOOKUP_QUEUE = 1 << 1, + }; + + struct flowi; +@@ -476,7 +477,16 @@ static inline struct dst_entry *xfrm_lookup(struct net *net, + int flags) + { + return dst_orig; +-} ++} ++ ++static inline struct dst_entry *xfrm_lookup_route(struct net *net, ++ struct dst_entry *dst_orig, ++ const struct flowi *fl, ++ struct sock *sk, ++ int flags) ++{ ++ return dst_orig; ++} + + static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst) + { +@@ -488,6 +498,10 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, + const struct flowi *fl, struct sock *sk, + int flags); + ++struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig, ++ const struct flowi *fl, struct sock *sk, ++ int flags); ++ + /* skb attached with this dst needs transformation if dst->xfrm is valid */ + static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst) + { +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index c55aeed41ace..cf9272807788 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -62,6 +62,7 @@ struct inet_connection_sock_af_ops { + void (*addr2sockaddr)(struct sock *sk, struct sockaddr *); + int (*bind_conflict)(const struct sock *sk, + const struct inet_bind_bucket *tb, bool relax); ++ void (*mtu_reduced)(struct sock *sk); + }; + + /** inet_connection_sock - INET connection oriented sock +diff --git a/include/net/sctp/command.h b/include/net/sctp/command.h +index 4b7cd695e431..cfcbc3f627bd 100644 +--- a/include/net/sctp/command.h ++++ b/include/net/sctp/command.h +@@ -115,7 +115,7 @@ typedef enum { + * analysis of the state functions, but in reality just taken from + * thin air in the hopes othat we don't trigger a kernel panic. 
+ */ +-#define SCTP_MAX_NUM_COMMANDS 14 ++#define SCTP_MAX_NUM_COMMANDS 20 + + typedef union { + __s32 i32; +diff --git a/include/net/sock.h b/include/net/sock.h +index 2f7bc435c93d..f66b2b19a6e4 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -969,7 +969,6 @@ struct proto { + struct sk_buff *skb); + + void (*release_cb)(struct sock *sk); +- void (*mtu_reduced)(struct sock *sk); + + /* Keeping track of sk's, looking them up, and port selection methods. */ + void (*hash)(struct sock *sk); +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 743accec6c76..1f0d8479e15f 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -453,6 +453,7 @@ const u8 *tcp_parse_md5sig_option(const struct tcphdr *th); + */ + + void tcp_v4_send_check(struct sock *sk, struct sk_buff *skb); ++void tcp_v4_mtu_reduced(struct sock *sk); + int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb); + struct sock *tcp_create_openreq_child(struct sock *sk, + struct request_sock *req, +@@ -720,8 +721,10 @@ struct tcp_skb_cb { + #define TCPCB_SACKED_RETRANS 0x02 /* SKB retransmitted */ + #define TCPCB_LOST 0x04 /* SKB is lost */ + #define TCPCB_TAGBITS 0x07 /* All tag bits */ ++#define TCPCB_REPAIRED 0x10 /* SKB repaired (no skb_mstamp) */ + #define TCPCB_EVER_RETRANS 0x80 /* Ever retransmitted frame */ +-#define TCPCB_RETRANS (TCPCB_SACKED_RETRANS|TCPCB_EVER_RETRANS) ++#define TCPCB_RETRANS (TCPCB_SACKED_RETRANS|TCPCB_EVER_RETRANS| \ ++ TCPCB_REPAIRED) + + __u8 ip_dsfield; /* IPv4 tos or IPv6 dsfield */ + /* 1 byte hole */ +diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c +index 7e57135c7cc4..5d56e05d83dd 100644 +--- a/net/8021q/vlan_core.c ++++ b/net/8021q/vlan_core.c +@@ -106,59 +106,6 @@ u16 vlan_dev_vlan_id(const struct net_device *dev) + } + EXPORT_SYMBOL(vlan_dev_vlan_id); + +-static struct sk_buff *vlan_reorder_header(struct sk_buff *skb) +-{ +- if (skb_cow(skb, skb_headroom(skb)) < 0) { +- kfree_skb(skb); +- return NULL; +- } +- +- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN); +- skb->mac_header += VLAN_HLEN; +- return skb; +-} +- +-struct sk_buff *vlan_untag(struct sk_buff *skb) +-{ +- struct vlan_hdr *vhdr; +- u16 vlan_tci; +- +- if (unlikely(vlan_tx_tag_present(skb))) { +- /* vlan_tci is already set-up so leave this for another time */ +- return skb; +- } +- +- skb = skb_share_check(skb, GFP_ATOMIC); +- if (unlikely(!skb)) +- goto err_free; +- +- if (unlikely(!pskb_may_pull(skb, VLAN_HLEN))) +- goto err_free; +- +- vhdr = (struct vlan_hdr *) skb->data; +- vlan_tci = ntohs(vhdr->h_vlan_TCI); +- __vlan_hwaccel_put_tag(skb, skb->protocol, vlan_tci); +- +- skb_pull_rcsum(skb, VLAN_HLEN); +- vlan_set_encap_proto(skb, vhdr); +- +- skb = vlan_reorder_header(skb); +- if (unlikely(!skb)) +- goto err_free; +- +- skb_reset_network_header(skb); +- skb_reset_transport_header(skb); +- skb_reset_mac_len(skb); +- +- return skb; +- +-err_free: +- kfree_skb(skb); +- return NULL; +-} +-EXPORT_SYMBOL(vlan_untag); +- +- + /* + * vlan info and vid list + */ +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index f2d254b69353..4acfc3eef56a 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -302,6 +302,9 @@ struct br_input_skb_cb { + int igmp; + int mrouters_only; + #endif ++#ifdef CONFIG_BRIDGE_VLAN_FILTERING ++ bool vlan_filtered; ++#endif + }; + + #define BR_INPUT_SKB_CB(__skb) ((struct br_input_skb_cb *)(__skb)->cb) +diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c +index b1c637208497..e1bd2539f9dc 100644 +--- 
a/net/bridge/br_vlan.c ++++ b/net/bridge/br_vlan.c +@@ -125,7 +125,8 @@ struct sk_buff *br_handle_vlan(struct net_bridge *br, + { + u16 vid; + +- if (!br->vlan_enabled) ++ /* If this packet was not filtered at input, let it pass */ ++ if (!BR_INPUT_SKB_CB(skb)->vlan_filtered) + goto out; + + /* Vlan filter table must be configured at this point. The +@@ -163,8 +164,10 @@ bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v, + /* If VLAN filtering is disabled on the bridge, all packets are + * permitted. + */ +- if (!br->vlan_enabled) ++ if (!br->vlan_enabled) { ++ BR_INPUT_SKB_CB(skb)->vlan_filtered = false; + return true; ++ } + + /* If there are no vlan in the permitted list, all packets are + * rejected. +@@ -172,6 +175,8 @@ bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v, + if (!v) + goto drop; + ++ BR_INPUT_SKB_CB(skb)->vlan_filtered = true; ++ + /* If vlan tx offload is disabled on bridge device and frame was + * sent from vlan device on the bridge device, it does not have + * HW accelerated vlan tag. +@@ -179,7 +184,7 @@ bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v, + if (unlikely(!vlan_tx_tag_present(skb) && + (skb->protocol == htons(ETH_P_8021Q) || + skb->protocol == htons(ETH_P_8021AD)))) { +- skb = vlan_untag(skb); ++ skb = skb_vlan_untag(skb); + if (unlikely(!skb)) + return false; + } +@@ -228,7 +233,8 @@ bool br_allowed_egress(struct net_bridge *br, + { + u16 vid; + +- if (!br->vlan_enabled) ++ /* If this packet was not filtered at input, let it pass */ ++ if (!BR_INPUT_SKB_CB(skb)->vlan_filtered) + return true; + + if (!v) +@@ -247,6 +253,7 @@ bool br_should_learn(struct net_bridge_port *p, struct sk_buff *skb, u16 *vid) + struct net_bridge *br = p->br; + struct net_port_vlans *v; + ++ /* If filtering was disabled at input, let it pass. 
*/ + if (!br->vlan_enabled) + return true; + +diff --git a/net/core/dev.c b/net/core/dev.c +index 37bddf729e77..3ed11a555834 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3554,7 +3554,7 @@ another_round: + + if (skb->protocol == cpu_to_be16(ETH_P_8021Q) || + skb->protocol == cpu_to_be16(ETH_P_8021AD)) { +- skb = vlan_untag(skb); ++ skb = skb_vlan_untag(skb); + if (unlikely(!skb)) + goto unlock; + } +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index df9e6b1a9759..723fa7da8025 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -788,7 +788,7 @@ int __netpoll_rx(struct sk_buff *skb, struct netpoll_info *npinfo) + } + + if (skb->protocol == cpu_to_be16(ETH_P_8021Q)) { +- skb = vlan_untag(skb); ++ skb = skb_vlan_untag(skb); + if (unlikely(!skb)) + goto out; + } +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index aef1500ebc05..b0db904f083d 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -799,7 +799,8 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev, + (nla_total_size(sizeof(struct ifla_vf_mac)) + + nla_total_size(sizeof(struct ifla_vf_vlan)) + + nla_total_size(sizeof(struct ifla_vf_tx_rate)) + +- nla_total_size(sizeof(struct ifla_vf_spoofchk))); ++ nla_total_size(sizeof(struct ifla_vf_spoofchk)) + ++ nla_total_size(sizeof(struct ifla_vf_link_state))); + return size; + } else + return 0; +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 8f6391bbf509..baf6fc457df9 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -62,6 +62,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -3139,6 +3140,9 @@ int skb_gro_receive(struct sk_buff **head, struct sk_buff *skb) + NAPI_GRO_CB(skb)->free = NAPI_GRO_FREE_STOLEN_HEAD; + goto done; + } ++ /* switch back to head shinfo */ ++ pinfo = skb_shinfo(p); ++ + if (pinfo->frag_list) + goto merge; + if (skb_gro_len(p) != pinfo->gso_size) +@@ -3963,3 +3967,55 @@ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb) + return shinfo->gso_size; + } + EXPORT_SYMBOL_GPL(skb_gso_transport_seglen); ++ ++static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) ++{ ++ if (skb_cow(skb, skb_headroom(skb)) < 0) { ++ kfree_skb(skb); ++ return NULL; ++ } ++ ++ memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN); ++ skb->mac_header += VLAN_HLEN; ++ return skb; ++} ++ ++struct sk_buff *skb_vlan_untag(struct sk_buff *skb) ++{ ++ struct vlan_hdr *vhdr; ++ u16 vlan_tci; ++ ++ if (unlikely(vlan_tx_tag_present(skb))) { ++ /* vlan_tci is already set-up so leave this for another time */ ++ return skb; ++ } ++ ++ skb = skb_share_check(skb, GFP_ATOMIC); ++ if (unlikely(!skb)) ++ goto err_free; ++ ++ if (unlikely(!pskb_may_pull(skb, VLAN_HLEN))) ++ goto err_free; ++ ++ vhdr = (struct vlan_hdr *)skb->data; ++ vlan_tci = ntohs(vhdr->h_vlan_TCI); ++ __vlan_hwaccel_put_tag(skb, skb->protocol, vlan_tci); ++ ++ skb_pull_rcsum(skb, VLAN_HLEN); ++ vlan_set_encap_proto(skb, vhdr); ++ ++ skb = skb_reorder_vlan_header(skb); ++ if (unlikely(!skb)) ++ goto err_free; ++ ++ skb_reset_network_header(skb); ++ skb_reset_transport_header(skb); ++ skb_reset_mac_len(skb); ++ ++ return skb; ++ ++err_free: ++ kfree_skb(skb); ++ return NULL; ++} ++EXPORT_SYMBOL(skb_vlan_untag); +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index ca5a01ed8ed6..487bb6252520 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2268,9 +2268,9 @@ struct rtable *ip_route_output_flow(struct net *net, struct flowi4 *flp4, + return rt; + + if (flp4->flowi4_proto) +- rt 
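The bridge, dev and netpoll hunks above all follow the same rule for the renamed helper: only strip the header in software when no hardware-accelerated tag is present, and treat a NULL return as the skb having been consumed. An editorial sketch of that caller-side pattern, not code from the patch:

#include <linux/if_vlan.h>
#include <linux/skbuff.h>

static struct sk_buff *example_maybe_untag(struct sk_buff *skb)
{
	if (!vlan_tx_tag_present(skb) &&
	    (skb->protocol == htons(ETH_P_8021Q) ||
	     skb->protocol == htons(ETH_P_8021AD)))
		skb = skb_vlan_untag(skb);   /* may free skb and return NULL */
	return skb;
}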
= (struct rtable *) xfrm_lookup(net, &rt->dst, +- flowi4_to_flowi(flp4), +- sk, 0); ++ rt = (struct rtable *)xfrm_lookup_route(net, &rt->dst, ++ flowi4_to_flowi(flp4), ++ sk, 0); + + return rt; + } +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index b48fba0aaa92..f7d71ec72a47 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1175,13 +1175,6 @@ new_segment: + goto wait_for_memory; + + /* +- * All packets are restored as if they have +- * already been sent. +- */ +- if (tp->repair) +- TCP_SKB_CB(skb)->when = tcp_time_stamp; +- +- /* + * Check whether we can use HW checksum. + */ + if (sk->sk_route_caps & NETIF_F_ALL_CSUM) +@@ -1190,6 +1183,13 @@ new_segment: + skb_entail(sk, skb); + copy = size_goal; + max = size_goal; ++ ++ /* All packets are restored as if they have ++ * already been sent. skb_mstamp isn't set to ++ * avoid wrong rtt estimation. ++ */ ++ if (tp->repair) ++ TCP_SKB_CB(skb)->sacked |= TCPCB_REPAIRED; + } + + /* Try to append data to the end of skb. */ +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 3898694d0300..22917918fa80 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2678,7 +2678,6 @@ static void tcp_enter_recovery(struct sock *sk, bool ece_ack) + */ + static void tcp_process_loss(struct sock *sk, int flag, bool is_dupack) + { +- struct inet_connection_sock *icsk = inet_csk(sk); + struct tcp_sock *tp = tcp_sk(sk); + bool recovered = !before(tp->snd_una, tp->high_seq); + +@@ -2704,12 +2703,9 @@ static void tcp_process_loss(struct sock *sk, int flag, bool is_dupack) + + if (recovered) { + /* F-RTO RFC5682 sec 3.1 step 2.a and 1st part of step 3.a */ +- icsk->icsk_retransmits = 0; + tcp_try_undo_recovery(sk); + return; + } +- if (flag & FLAG_DATA_ACKED) +- icsk->icsk_retransmits = 0; + if (tcp_is_reno(tp)) { + /* A Reno DUPACK means new data in F-RTO step 2.b above are + * delivered. Lower inflight to clock out (re)tranmissions. +@@ -3398,8 +3394,10 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) + icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) + tcp_rearm_rto(sk); + +- if (after(ack, prior_snd_una)) ++ if (after(ack, prior_snd_una)) { + flag |= FLAG_SND_UNA_ADVANCED; ++ icsk->icsk_retransmits = 0; ++ } + + prior_fackets = tp->fackets_out; + prior_in_flight = tcp_packets_in_flight(tp); +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 1e4eac779f51..a782d5be132e 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -269,7 +269,7 @@ EXPORT_SYMBOL(tcp_v4_connect); + * It can be called through tcp_release_cb() if socket was owned by user + * at the time tcp_v4_err() was called to handle ICMP message. 
+ */ +-static void tcp_v4_mtu_reduced(struct sock *sk) ++void tcp_v4_mtu_reduced(struct sock *sk) + { + struct dst_entry *dst; + struct inet_sock *inet = inet_sk(sk); +@@ -300,6 +300,7 @@ static void tcp_v4_mtu_reduced(struct sock *sk) + tcp_simple_retransmit(sk); + } /* else let the usual retransmit timer handle it */ + } ++EXPORT_SYMBOL(tcp_v4_mtu_reduced); + + static void do_redirect(struct sk_buff *skb, struct sock *sk) + { +@@ -2117,6 +2118,7 @@ const struct inet_connection_sock_af_ops ipv4_specific = { + .compat_setsockopt = compat_ip_setsockopt, + .compat_getsockopt = compat_ip_getsockopt, + #endif ++ .mtu_reduced = tcp_v4_mtu_reduced, + }; + EXPORT_SYMBOL(ipv4_specific); + +@@ -2736,7 +2738,6 @@ struct proto tcp_prot = { + .sendpage = tcp_sendpage, + .backlog_rcv = tcp_v4_do_rcv, + .release_cb = tcp_release_cb, +- .mtu_reduced = tcp_v4_mtu_reduced, + .hash = inet_hash, + .unhash = inet_unhash, + .get_port = inet_csk_get_port, +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index b3d1addd816b..91b98e5a17aa 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -787,7 +787,7 @@ void tcp_release_cb(struct sock *sk) + __sock_put(sk); + } + if (flags & (1UL << TCP_MTU_REDUCED_DEFERRED)) { +- sk->sk_prot->mtu_reduced(sk); ++ inet_csk(sk)->icsk_af_ops->mtu_reduced(sk); + __sock_put(sk); + } + } +@@ -1876,8 +1876,11 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle, + tso_segs = tcp_init_tso_segs(sk, skb, mss_now); + BUG_ON(!tso_segs); + +- if (unlikely(tp->repair) && tp->repair_queue == TCP_SEND_QUEUE) ++ if (unlikely(tp->repair) && tp->repair_queue == TCP_SEND_QUEUE) { ++ /* "when" is used as a start point for the retransmit timer */ ++ TCP_SKB_CB(skb)->when = tcp_time_stamp; + goto repair; /* Skip network transmission */ ++ } + + cwnd_quota = tcp_cwnd_test(tp, skb); + if (!cwnd_quota) { +@@ -2066,9 +2069,7 @@ void tcp_send_loss_probe(struct sock *sk) + if (WARN_ON(!skb || !tcp_skb_pcount(skb))) + goto rearm_timer; + +- /* Probe with zero data doesn't trigger fast recovery. */ +- if (skb->len > 0) +- err = __tcp_retransmit_skb(sk, skb); ++ err = __tcp_retransmit_skb(sk, skb); + + /* Record snd_nxt for loss detection. */ + if (likely(!err)) +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 6c7fa0853fc7..3f0ec063d7f8 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1684,14 +1684,12 @@ void addrconf_dad_failure(struct inet6_ifaddr *ifp) + addrconf_mod_dad_work(ifp, 0); + } + +-/* Join to solicited addr multicast group. */ +- ++/* Join to solicited addr multicast group. 
++ * caller must hold RTNL */ + void addrconf_join_solict(struct net_device *dev, const struct in6_addr *addr) + { + struct in6_addr maddr; + +- ASSERT_RTNL(); +- + if (dev->flags&(IFF_LOOPBACK|IFF_NOARP)) + return; + +@@ -1699,12 +1697,11 @@ void addrconf_join_solict(struct net_device *dev, const struct in6_addr *addr) + ipv6_dev_mc_inc(dev, &maddr); + } + ++/* caller must hold RTNL */ + void addrconf_leave_solict(struct inet6_dev *idev, const struct in6_addr *addr) + { + struct in6_addr maddr; + +- ASSERT_RTNL(); +- + if (idev->dev->flags&(IFF_LOOPBACK|IFF_NOARP)) + return; + +@@ -1712,12 +1709,11 @@ void addrconf_leave_solict(struct inet6_dev *idev, const struct in6_addr *addr) + __ipv6_dev_mc_dec(idev, &maddr); + } + ++/* caller must hold RTNL */ + static void addrconf_join_anycast(struct inet6_ifaddr *ifp) + { + struct in6_addr addr; + +- ASSERT_RTNL(); +- + if (ifp->prefix_len >= 127) /* RFC 6164 */ + return; + ipv6_addr_prefix(&addr, &ifp->addr, ifp->prefix_len); +@@ -1726,12 +1722,11 @@ static void addrconf_join_anycast(struct inet6_ifaddr *ifp) + ipv6_dev_ac_inc(ifp->idev->dev, &addr); + } + ++/* caller must hold RTNL */ + static void addrconf_leave_anycast(struct inet6_ifaddr *ifp) + { + struct in6_addr addr; + +- ASSERT_RTNL(); +- + if (ifp->prefix_len >= 127) /* RFC 6164 */ + return; + ipv6_addr_prefix(&addr, &ifp->addr, ifp->prefix_len); +diff --git a/net/ipv6/anycast.c b/net/ipv6/anycast.c +index 210183244689..ff2de7d9d8e6 100644 +--- a/net/ipv6/anycast.c ++++ b/net/ipv6/anycast.c +@@ -77,6 +77,7 @@ int ipv6_sock_ac_join(struct sock *sk, int ifindex, const struct in6_addr *addr) + pac->acl_next = NULL; + pac->acl_addr = *addr; + ++ rtnl_lock(); + rcu_read_lock(); + if (ifindex == 0) { + struct rt6_info *rt; +@@ -137,6 +138,7 @@ int ipv6_sock_ac_join(struct sock *sk, int ifindex, const struct in6_addr *addr) + + error: + rcu_read_unlock(); ++ rtnl_unlock(); + if (pac) + sock_kfree_s(sk, pac, sizeof(*pac)); + return err; +@@ -171,11 +173,13 @@ int ipv6_sock_ac_drop(struct sock *sk, int ifindex, const struct in6_addr *addr) + + spin_unlock_bh(&ipv6_sk_ac_lock); + ++ rtnl_lock(); + rcu_read_lock(); + dev = dev_get_by_index_rcu(net, pac->acl_ifindex); + if (dev) + ipv6_dev_ac_dec(dev, &pac->acl_addr); + rcu_read_unlock(); ++ rtnl_unlock(); + + sock_kfree_s(sk, pac, sizeof(*pac)); + return 0; +@@ -198,6 +202,7 @@ void ipv6_sock_ac_close(struct sock *sk) + spin_unlock_bh(&ipv6_sk_ac_lock); + + prev_index = 0; ++ rtnl_lock(); + rcu_read_lock(); + while (pac) { + struct ipv6_ac_socklist *next = pac->acl_next; +@@ -212,6 +217,7 @@ void ipv6_sock_ac_close(struct sock *sk) + pac = next; + } + rcu_read_unlock(); ++ rtnl_unlock(); + } + + static void aca_put(struct ifacaddr6 *ac) +@@ -233,6 +239,8 @@ int ipv6_dev_ac_inc(struct net_device *dev, const struct in6_addr *addr) + struct rt6_info *rt; + int err; + ++ ASSERT_RTNL(); ++ + idev = in6_dev_get(dev); + + if (idev == NULL) +@@ -302,6 +310,8 @@ int __ipv6_dev_ac_dec(struct inet6_dev *idev, const struct in6_addr *addr) + { + struct ifacaddr6 *aca, *prev_aca; + ++ ASSERT_RTNL(); ++ + write_lock_bh(&idev->lock); + prev_aca = NULL; + for (aca = idev->ac_list; aca; aca = aca->aca_next) { +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 2465d18e8a26..cb57aa862177 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -787,7 +787,7 @@ static inline int ip6gre_xmit_ipv4(struct sk_buff *skb, struct net_device *dev) + encap_limit = t->parms.encap_limit; + + memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6)); +- fl6.flowi6_proto = 
IPPROTO_IPIP; ++ fl6.flowi6_proto = IPPROTO_GRE; + + dsfield = ipv4_get_dsfield(iph); + +@@ -837,7 +837,7 @@ static inline int ip6gre_xmit_ipv6(struct sk_buff *skb, struct net_device *dev) + encap_limit = t->parms.encap_limit; + + memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6)); +- fl6.flowi6_proto = IPPROTO_IPV6; ++ fl6.flowi6_proto = IPPROTO_GRE; + + dsfield = ipv6_get_dsfield(ipv6h); + if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS) +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 073e5a6fc631..12f7ef0f243a 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1008,7 +1008,7 @@ struct dst_entry *ip6_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6, + if (final_dst) + fl6->daddr = *final_dst; + +- return xfrm_lookup(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0); ++ return xfrm_lookup_route(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0); + } + EXPORT_SYMBOL_GPL(ip6_dst_lookup_flow); + +@@ -1040,7 +1040,7 @@ struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6, + if (final_dst) + fl6->daddr = *final_dst; + +- return xfrm_lookup(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0); ++ return xfrm_lookup_route(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0); + } + EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow); + +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index 08b367c6b9cf..761e4586ab5f 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -172,6 +172,7 @@ int ipv6_sock_mc_join(struct sock *sk, int ifindex, const struct in6_addr *addr) + mc_lst->next = NULL; + mc_lst->addr = *addr; + ++ rtnl_lock(); + rcu_read_lock(); + if (ifindex == 0) { + struct rt6_info *rt; +@@ -185,6 +186,7 @@ int ipv6_sock_mc_join(struct sock *sk, int ifindex, const struct in6_addr *addr) + + if (dev == NULL) { + rcu_read_unlock(); ++ rtnl_unlock(); + sock_kfree_s(sk, mc_lst, sizeof(*mc_lst)); + return -ENODEV; + } +@@ -202,6 +204,7 @@ int ipv6_sock_mc_join(struct sock *sk, int ifindex, const struct in6_addr *addr) + + if (err) { + rcu_read_unlock(); ++ rtnl_unlock(); + sock_kfree_s(sk, mc_lst, sizeof(*mc_lst)); + return err; + } +@@ -212,6 +215,7 @@ int ipv6_sock_mc_join(struct sock *sk, int ifindex, const struct in6_addr *addr) + spin_unlock(&ipv6_sk_mc_lock); + + rcu_read_unlock(); ++ rtnl_unlock(); + + return 0; + } +@@ -229,6 +233,7 @@ int ipv6_sock_mc_drop(struct sock *sk, int ifindex, const struct in6_addr *addr) + if (!ipv6_addr_is_multicast(addr)) + return -EINVAL; + ++ rtnl_lock(); + spin_lock(&ipv6_sk_mc_lock); + for (lnk = &np->ipv6_mc_list; + (mc_lst = rcu_dereference_protected(*lnk, +@@ -252,12 +257,15 @@ int ipv6_sock_mc_drop(struct sock *sk, int ifindex, const struct in6_addr *addr) + } else + (void) ip6_mc_leave_src(sk, mc_lst, NULL); + rcu_read_unlock(); ++ rtnl_unlock(); ++ + atomic_sub(sizeof(*mc_lst), &sk->sk_omem_alloc); + kfree_rcu(mc_lst, rcu); + return 0; + } + } + spin_unlock(&ipv6_sk_mc_lock); ++ rtnl_unlock(); + + return -EADDRNOTAVAIL; + } +@@ -302,6 +310,7 @@ void ipv6_sock_mc_close(struct sock *sk) + if (!rcu_access_pointer(np->ipv6_mc_list)) + return; + ++ rtnl_lock(); + spin_lock(&ipv6_sk_mc_lock); + while ((mc_lst = rcu_dereference_protected(np->ipv6_mc_list, + lockdep_is_held(&ipv6_sk_mc_lock))) != NULL) { +@@ -328,6 +337,7 @@ void ipv6_sock_mc_close(struct sock *sk) + spin_lock(&ipv6_sk_mc_lock); + } + spin_unlock(&ipv6_sk_mc_lock); ++ rtnl_unlock(); + } + + int ip6_mc_source(int add, int omode, struct sock *sk, +@@ -845,6 +855,8 @@ int ipv6_dev_mc_inc(struct net_device *dev, const struct in6_addr *addr) + struct ifmcaddr6 
*mc; + struct inet6_dev *idev; + ++ ASSERT_RTNL(); ++ + /* we need to take a reference on idev */ + idev = in6_dev_get(dev); + +@@ -916,6 +928,8 @@ int __ipv6_dev_mc_dec(struct inet6_dev *idev, const struct in6_addr *addr) + { + struct ifmcaddr6 *ma, **map; + ++ ASSERT_RTNL(); ++ + write_lock_bh(&idev->lock); + for (map = &idev->mc_list; (ma=*map) != NULL; map = &ma->next) { + if (ipv6_addr_equal(&ma->mca_addr, addr)) { +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index fe548ba72687..b12b11b123ff 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -101,19 +101,19 @@ static struct ip_tunnel *ipip6_tunnel_lookup(struct net *net, + for_each_ip_tunnel_rcu(t, sitn->tunnels_r_l[h0 ^ h1]) { + if (local == t->parms.iph.saddr && + remote == t->parms.iph.daddr && +- (!dev || !t->parms.link || dev->iflink == t->parms.link) && ++ (!dev || !t->parms.link || dev->ifindex == t->parms.link) && + (t->dev->flags & IFF_UP)) + return t; + } + for_each_ip_tunnel_rcu(t, sitn->tunnels_r[h0]) { + if (remote == t->parms.iph.daddr && +- (!dev || !t->parms.link || dev->iflink == t->parms.link) && ++ (!dev || !t->parms.link || dev->ifindex == t->parms.link) && + (t->dev->flags & IFF_UP)) + return t; + } + for_each_ip_tunnel_rcu(t, sitn->tunnels_l[h1]) { + if (local == t->parms.iph.saddr && +- (!dev || !t->parms.link || dev->iflink == t->parms.link) && ++ (!dev || !t->parms.link || dev->ifindex == t->parms.link) && + (t->dev->flags & IFF_UP)) + return t; + } +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 889079b2ea85..a4f890dd223a 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1668,6 +1668,7 @@ static const struct inet_connection_sock_af_ops ipv6_specific = { + .compat_setsockopt = compat_ipv6_setsockopt, + .compat_getsockopt = compat_ipv6_getsockopt, + #endif ++ .mtu_reduced = tcp_v6_mtu_reduced, + }; + + #ifdef CONFIG_TCP_MD5SIG +@@ -1699,6 +1700,7 @@ static const struct inet_connection_sock_af_ops ipv6_mapped = { + .compat_setsockopt = compat_ipv6_setsockopt, + .compat_getsockopt = compat_ipv6_getsockopt, + #endif ++ .mtu_reduced = tcp_v4_mtu_reduced, + }; + + #ifdef CONFIG_TCP_MD5SIG +@@ -1935,7 +1937,6 @@ struct proto tcpv6_prot = { + .sendpage = tcp_sendpage, + .backlog_rcv = tcp_v6_do_rcv, + .release_cb = tcp_release_cb, +- .mtu_reduced = tcp_v6_mtu_reduced, + .hash = tcp_v6_hash, + .unhash = inet_unhash, + .get_port = inet_csk_get_port, +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 1e05bbde47ba..da8d067d6107 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -758,7 +758,8 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr, + /* If PMTU discovery was enabled, use the MTU that was discovered */ + dst = sk_dst_get(tunnel->sock); + if (dst != NULL) { +- u32 pmtu = dst_mtu(__sk_dst_get(tunnel->sock)); ++ u32 pmtu = dst_mtu(dst); ++ + if (pmtu != 0) + session->mtu = session->mru = pmtu - + PPPOL2TP_HEADER_OVERHEAD; +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 0dfe894afd48..c375d731587f 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -205,7 +205,7 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb, + nskb->protocol = htons((u16) sk->sk_protocol); + nskb->pkt_type = netlink_is_kernel(sk) ? 
+ PACKET_KERNEL : PACKET_USER; +- ++ skb_reset_network_header(nskb); + ret = dev_queue_xmit(nskb); + if (unlikely(ret > 0)) + ret = net_xmit_errno(ret); +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index 2c77e7b1a913..600c7646b3d3 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -42,6 +42,9 @@ static int do_execute_actions(struct datapath *dp, struct sk_buff *skb, + + static int make_writable(struct sk_buff *skb, int write_len) + { ++ if (!pskb_may_pull(skb, write_len)) ++ return -ENOMEM; ++ + if (!skb_cloned(skb) || skb_clone_writable(skb, write_len)) + return 0; + +@@ -70,6 +73,8 @@ static int __pop_vlan_tci(struct sk_buff *skb, __be16 *current_tci) + + vlan_set_encap_proto(skb, vhdr); + skb->mac_header += VLAN_HLEN; ++ if (skb_network_offset(skb) < ETH_HLEN) ++ skb_set_network_header(skb, ETH_HLEN); + skb_reset_mac_len(skb); + + return 0; +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 48a6a93db296..48b181797d7b 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -635,6 +635,7 @@ static void init_prb_bdqc(struct packet_sock *po, + p1->tov_in_jiffies = msecs_to_jiffies(p1->retire_blk_tov); + p1->blk_sizeof_priv = req_u->req3.tp_sizeof_priv; + ++ p1->max_frame_len = p1->kblk_size - BLK_PLUS_PRIV(p1->blk_sizeof_priv); + prb_init_ft_ops(p1, req_u); + prb_setup_retire_blk_timer(po, tx_ring); + prb_open_block(p1, pbd); +@@ -1946,6 +1947,18 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + if ((int)snaplen < 0) + snaplen = 0; + } ++ } else if (unlikely(macoff + snaplen > ++ GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) { ++ u32 nval; ++ ++ nval = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len - macoff; ++ pr_err_once("tpacket_rcv: packet too big, clamped from %u to %u. macoff=%u\n", ++ snaplen, nval, macoff); ++ snaplen = nval; ++ if (unlikely((int)snaplen < 0)) { ++ snaplen = 0; ++ macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len; ++ } + } + spin_lock(&sk->sk_receive_queue.lock); + h.raw = packet_current_rx_frame(po, skb, +@@ -3779,6 +3792,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + goto out; + if (unlikely(req->tp_block_size & (PAGE_SIZE - 1))) + goto out; ++ if (po->tp_version >= TPACKET_V3 && ++ (int)(req->tp_block_size - ++ BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0) ++ goto out; + if (unlikely(req->tp_frame_size < po->tp_hdrlen + + po->tp_reserve)) + goto out; +diff --git a/net/packet/internal.h b/net/packet/internal.h +index eb9580a6b25f..cdddf6a30399 100644 +--- a/net/packet/internal.h ++++ b/net/packet/internal.h +@@ -29,6 +29,7 @@ struct tpacket_kbdq_core { + char *pkblk_start; + char *pkblk_end; + int kblk_size; ++ unsigned int max_frame_len; + unsigned int knum_blocks; + uint64_t knxt_seq_num; + char *prev; +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 5170a1ff95a1..7194fe8589b0 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -1775,9 +1775,22 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(struct net *net, + /* Update the content of current association. 
*/ + sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); + sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); +- sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, +- SCTP_STATE(SCTP_STATE_ESTABLISHED)); +- sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); ++ if (sctp_state(asoc, SHUTDOWN_PENDING) && ++ (sctp_sstate(asoc->base.sk, CLOSING) || ++ sock_flag(asoc->base.sk, SOCK_DEAD))) { ++ /* if were currently in SHUTDOWN_PENDING, but the socket ++ * has been closed by user, don't transition to ESTABLISHED. ++ * Instead trigger SHUTDOWN bundled with COOKIE_ACK. ++ */ ++ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); ++ return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, ++ SCTP_ST_CHUNK(0), NULL, ++ commands); ++ } else { ++ sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, ++ SCTP_STATE(SCTP_STATE_ESTABLISHED)); ++ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); ++ } + return SCTP_DISPOSITION_CONSUME; + + nomem_ev: +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 1d5c7bf29938..59cf325f2772 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -41,6 +41,11 @@ + + static struct dst_entry *xfrm_policy_sk_bundles; + ++struct xfrm_flo { ++ struct dst_entry *dst_orig; ++ u8 flags; ++}; ++ + static DEFINE_SPINLOCK(xfrm_policy_afinfo_lock); + static struct xfrm_policy_afinfo __rcu *xfrm_policy_afinfo[NPROTO] + __read_mostly; +@@ -1889,13 +1894,14 @@ static int xdst_queue_output(struct sk_buff *skb) + } + + static struct xfrm_dst *xfrm_create_dummy_bundle(struct net *net, +- struct dst_entry *dst, ++ struct xfrm_flo *xflo, + const struct flowi *fl, + int num_xfrms, + u16 family) + { + int err; + struct net_device *dev; ++ struct dst_entry *dst; + struct dst_entry *dst1; + struct xfrm_dst *xdst; + +@@ -1903,9 +1909,12 @@ static struct xfrm_dst *xfrm_create_dummy_bundle(struct net *net, + if (IS_ERR(xdst)) + return xdst; + +- if (net->xfrm.sysctl_larval_drop || num_xfrms <= 0) ++ if (!(xflo->flags & XFRM_LOOKUP_QUEUE) || ++ net->xfrm.sysctl_larval_drop || ++ num_xfrms <= 0) + return xdst; + ++ dst = xflo->dst_orig; + dst1 = &xdst->u.dst; + dst_hold(dst); + xdst->route = dst; +@@ -1947,7 +1956,7 @@ static struct flow_cache_object * + xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir, + struct flow_cache_object *oldflo, void *ctx) + { +- struct dst_entry *dst_orig = (struct dst_entry *)ctx; ++ struct xfrm_flo *xflo = (struct xfrm_flo *)ctx; + struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; + struct xfrm_dst *xdst, *new_xdst; + int num_pols = 0, num_xfrms = 0, i, err, pol_dead; +@@ -1988,7 +1997,8 @@ xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir, + goto make_dummy_bundle; + } + +- new_xdst = xfrm_resolve_and_create_bundle(pols, num_pols, fl, family, dst_orig); ++ new_xdst = xfrm_resolve_and_create_bundle(pols, num_pols, fl, family, ++ xflo->dst_orig); + if (IS_ERR(new_xdst)) { + err = PTR_ERR(new_xdst); + if (err != -EAGAIN) +@@ -2022,7 +2032,7 @@ make_dummy_bundle: + /* We found policies, but there's no bundles to instantiate: + * either because the policy blocks, has no transformations or + * we could not build template (no xfrm_states).*/ +- xdst = xfrm_create_dummy_bundle(net, dst_orig, fl, num_xfrms, family); ++ xdst = xfrm_create_dummy_bundle(net, xflo, fl, num_xfrms, family); + if (IS_ERR(xdst)) { + xfrm_pols_put(pols, num_pols); + return ERR_CAST(xdst); +@@ -2121,13 +2131,18 @@ struct dst_entry *xfrm_lookup(struct net *net, struct 
dst_entry *dst_orig, + } + + if (xdst == NULL) { ++ struct xfrm_flo xflo; ++ ++ xflo.dst_orig = dst_orig; ++ xflo.flags = flags; ++ + /* To accelerate a bit... */ + if ((dst_orig->flags & DST_NOXFRM) || + !net->xfrm.policy_count[XFRM_POLICY_OUT]) + goto nopol; + + flo = flow_cache_lookup(net, fl, family, dir, +- xfrm_bundle_lookup, dst_orig); ++ xfrm_bundle_lookup, &xflo); + if (flo == NULL) + goto nopol; + if (IS_ERR(flo)) { +@@ -2155,7 +2170,7 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, + xfrm_pols_put(pols, drop_pols); + XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES); + +- return make_blackhole(net, family, dst_orig); ++ return ERR_PTR(-EREMOTE); + } + + err = -EAGAIN; +@@ -2212,6 +2227,23 @@ dropdst: + } + EXPORT_SYMBOL(xfrm_lookup); + ++/* Callers of xfrm_lookup_route() must ensure a call to dst_output(). ++ * Otherwise we may send out blackholed packets. ++ */ ++struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig, ++ const struct flowi *fl, ++ struct sock *sk, int flags) ++{ ++ struct dst_entry *dst = xfrm_lookup(net, dst_orig, fl, sk, ++ flags | XFRM_LOOKUP_QUEUE); ++ ++ if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE) ++ return make_blackhole(net, dst_orig->ops->family, dst_orig); ++ ++ return dst; ++} ++EXPORT_SYMBOL(xfrm_lookup_route); ++ + static inline int + xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl) + { +@@ -2477,7 +2509,7 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family) + + skb_dst_force(skb); + +- dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, 0); ++ dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE); + if (IS_ERR(dst)) { + res = 0; + dst = NULL; diff --git a/projects/imx6/patches/linux/linux-000-patch-3.14.22-23.patch b/projects/imx6/patches/linux/linux-000-patch-3.14.22-23.patch new file mode 100644 index 0000000000..62db8b47c1 --- /dev/null +++ b/projects/imx6/patches/linux/linux-000-patch-3.14.22-23.patch @@ -0,0 +1,5877 @@ +diff --git a/Documentation/lzo.txt b/Documentation/lzo.txt +new file mode 100644 +index 000000000000..ea45dd3901e3 +--- /dev/null ++++ b/Documentation/lzo.txt +@@ -0,0 +1,164 @@ ++ ++LZO stream format as understood by Linux's LZO decompressor ++=========================================================== ++ ++Introduction ++ ++ This is not a specification. No specification seems to be publicly available ++ for the LZO stream format. This document describes what input format the LZO ++ decompressor as implemented in the Linux kernel understands. The file subject ++ of this analysis is lib/lzo/lzo1x_decompress_safe.c. No analysis was made on ++ the compressor nor on any other implementations though it seems likely that ++ the format matches the standard one. The purpose of this document is to ++ better understand what the code does in order to propose more efficient fixes ++ for future bug reports. ++ ++Description ++ ++ The stream is composed of a series of instructions, operands, and data. The ++ instructions consist in a few bits representing an opcode, and bits forming ++ the operands for the instruction, whose size and position depend on the ++ opcode and on the number of literals copied by previous instruction. The ++ operands are used to indicate : ++ ++ - a distance when copying data from the dictionary (past output buffer) ++ - a length (number of bytes to copy from dictionary) ++ - the number of literals to copy, which is retained in variable "state" ++ as a piece of information for next instructions. 
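+
+ A minimal sketch may make the roles of "distance", "length" and "state"
+ more concrete. The helper below is an illustrative, hypothetical decoder
+ fragment -- it is not taken from lib/lzo/lzo1x_decompress_safe.c -- and it
+ only mirrors the variable-length length encoding detailed further below,
+ with all bounds checking omitted:
+
+ #include <stddef.h>
+
+ /* Hypothetical illustration only, not kernel code.
+  * Reads the variable-length "length" field: a few low bits of the
+  * opcode byte seed the value; zero means "keep reading", each extra
+  * 0x00 byte adds 255, and the first non-zero byte ends the run.
+  */
+ static size_t decode_run_length(const unsigned char **in,
+                                 unsigned char opcode,
+                                 unsigned int nbits, size_t base)
+ {
+         const unsigned char *p = *in;
+         size_t len = opcode & ((1u << nbits) - 1);
+
+         if (len == 0) {
+                 len = (1u << nbits) - 1;
+                 while (*p == 0) {       /* each zero byte adds 255 */
+                         len += 255;
+                         p++;
+                 }
+                 len += *p++;            /* first non-zero byte terminates */
+         }
+         *in = p;
+         return len + base;              /* "base" is the constant, 2 or 3 */
+ }
+
+ A copy instruction combines such a length with a distance operand to copy
+ bytes from the already-produced output (the dictionary), and the low "S"
+ bits tell the decoder how many literals to copy before the next
+ instruction -- the value kept in "state".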
++ ++ Optionally depending on the opcode and operands, extra data may follow. These ++ extra data can be a complement for the operand (eg: a length or a distance ++ encoded on larger values), or a literal to be copied to the output buffer. ++ ++ The first byte of the block follows a different encoding from other bytes, it ++ seems to be optimized for literal use only, since there is no dictionary yet ++ prior to that byte. ++ ++ Lengths are always encoded on a variable size starting with a small number ++ of bits in the operand. If the number of bits isn't enough to represent the ++ length, up to 255 may be added in increments by consuming more bytes with a ++ rate of at most 255 per extra byte (thus the compression ratio cannot exceed ++ around 255:1). The variable length encoding using #bits is always the same : ++ ++ length = byte & ((1 << #bits) - 1) ++ if (!length) { ++ length = ((1 << #bits) - 1) ++ length += 255*(number of zero bytes) ++ length += first-non-zero-byte ++ } ++ length += constant (generally 2 or 3) ++ ++ For references to the dictionary, distances are relative to the output ++ pointer. Distances are encoded using very few bits belonging to certain ++ ranges, resulting in multiple copy instructions using different encodings. ++ Certain encodings involve one extra byte, others involve two extra bytes ++ forming a little-endian 16-bit quantity (marked LE16 below). ++ ++ After any instruction except the large literal copy, 0, 1, 2 or 3 literals ++ are copied before starting the next instruction. The number of literals that ++ were copied may change the meaning and behaviour of the next instruction. In ++ practice, only one instruction needs to know whether 0, less than 4, or more ++ literals were copied. This is the information stored in the variable ++ in this implementation. This number of immediate literals to be copied is ++ generally encoded in the last two bits of the instruction but may also be ++ taken from the last two bits of an extra operand (eg: distance). ++ ++ End of stream is declared when a block copy of distance 0 is seen. Only one ++ instruction may encode this distance (0001HLLL), it takes one LE16 operand ++ for the distance, thus requiring 3 bytes. ++ ++ IMPORTANT NOTE : in the code some length checks are missing because certain ++ instructions are called under the assumption that a certain number of bytes ++ follow because it has already been garanteed before parsing the instructions. ++ They just have to "refill" this credit if they consume extra bytes. This is ++ an implementation design choice independant on the algorithm or encoding. ++ ++Byte sequences ++ ++ First byte encoding : ++ ++ 0..17 : follow regular instruction encoding, see below. It is worth ++ noting that codes 16 and 17 will represent a block copy from ++ the dictionary which is empty, and that they will always be ++ invalid at this place. ++ ++ 18..21 : copy 0..3 literals ++ state = (byte - 17) = 0..3 [ copy literals ] ++ skip byte ++ ++ 22..255 : copy literal string ++ length = (byte - 17) = 4..238 ++ state = 4 [ don't copy extra literals ] ++ skip byte ++ ++ Instruction encoding : ++ ++ 0 0 0 0 X X X X (0..15) ++ Depends on the number of literals copied by the last instruction. 
++ If last instruction did not copy any literal (state == 0), this ++ encoding will be a copy of 4 or more literal, and must be interpreted ++ like this : ++ ++ 0 0 0 0 L L L L (0..15) : copy long literal string ++ length = 3 + (L ?: 15 + (zero_bytes * 255) + non_zero_byte) ++ state = 4 (no extra literals are copied) ++ ++ If last instruction used to copy between 1 to 3 literals (encoded in ++ the instruction's opcode or distance), the instruction is a copy of a ++ 2-byte block from the dictionary within a 1kB distance. It is worth ++ noting that this instruction provides little savings since it uses 2 ++ bytes to encode a copy of 2 other bytes but it encodes the number of ++ following literals for free. It must be interpreted like this : ++ ++ 0 0 0 0 D D S S (0..15) : copy 2 bytes from <= 1kB distance ++ length = 2 ++ state = S (copy S literals after this block) ++ Always followed by exactly one byte : H H H H H H H H ++ distance = (H << 2) + D + 1 ++ ++ If last instruction used to copy 4 or more literals (as detected by ++ state == 4), the instruction becomes a copy of a 3-byte block from the ++ dictionary from a 2..3kB distance, and must be interpreted like this : ++ ++ 0 0 0 0 D D S S (0..15) : copy 3 bytes from 2..3 kB distance ++ length = 3 ++ state = S (copy S literals after this block) ++ Always followed by exactly one byte : H H H H H H H H ++ distance = (H << 2) + D + 2049 ++ ++ 0 0 0 1 H L L L (16..31) ++ Copy of a block within 16..48kB distance (preferably less than 10B) ++ length = 2 + (L ?: 7 + (zero_bytes * 255) + non_zero_byte) ++ Always followed by exactly one LE16 : D D D D D D D D : D D D D D D S S ++ distance = 16384 + (H << 14) + D ++ state = S (copy S literals after this block) ++ End of stream is reached if distance == 16384 ++ ++ 0 0 1 L L L L L (32..63) ++ Copy of small block within 16kB distance (preferably less than 34B) ++ length = 2 + (L ?: 31 + (zero_bytes * 255) + non_zero_byte) ++ Always followed by exactly one LE16 : D D D D D D D D : D D D D D D S S ++ distance = D + 1 ++ state = S (copy S literals after this block) ++ ++ 0 1 L D D D S S (64..127) ++ Copy 3-4 bytes from block within 2kB distance ++ state = S (copy S literals after this block) ++ length = 3 + L ++ Always followed by exactly one byte : H H H H H H H H ++ distance = (H << 3) + D + 1 ++ ++ 1 L L D D D S S (128..255) ++ Copy 5-8 bytes from block within 2kB distance ++ state = S (copy S literals after this block) ++ length = 5 + L ++ Always followed by exactly one byte : H H H H H H H H ++ distance = (H << 3) + D + 1 ++ ++Authors ++ ++ This document was written by Willy Tarreau on 2014/07/19 during an ++ analysis of the decompression code available in Linux 3.16-rc5. The code is ++ tricky, it is possible that this document contains mistakes or that a few ++ corner cases were overlooked. In any case, please report any doubt, fix, or ++ proposed updates to the author(s) so that the document can be updated. +diff --git a/Documentation/virtual/kvm/mmu.txt b/Documentation/virtual/kvm/mmu.txt +index 290894176142..53838d9c6295 100644 +--- a/Documentation/virtual/kvm/mmu.txt ++++ b/Documentation/virtual/kvm/mmu.txt +@@ -425,6 +425,20 @@ fault through the slow path. + Since only 19 bits are used to store generation-number on mmio spte, all + pages are zapped when there is an overflow. + ++Unfortunately, a single memory access might access kvm_memslots(kvm) multiple ++times, the last one happening when the generation number is retrieved and ++stored into the MMIO spte. 
Thus, the MMIO spte might be created based on ++out-of-date information, but with an up-to-date generation number. ++ ++To avoid this, the generation number is incremented again after synchronize_srcu ++returns; thus, the low bit of kvm_memslots(kvm)->generation is only 1 during a ++memslot update, while some SRCU readers might be using the old copy. We do not ++want to use an MMIO sptes created with an odd generation number, and we can do ++this without losing a bit in the MMIO spte. The low bit of the generation ++is not stored in MMIO spte, and presumed zero when it is extracted out of the ++spte. If KVM is unlucky and creates an MMIO spte while the low bit is 1, ++the next access to the spte will always be a cache miss. ++ + + Further reading + =============== +diff --git a/Makefile b/Makefile +index a59980eb4557..135a04a26076 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 22 ++SUBLEVEL = 23 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/boot/dts/armada-370-netgear-rn102.dts b/arch/arm/boot/dts/armada-370-netgear-rn102.dts +index 651aeb5ef439..f3188e953de4 100644 +--- a/arch/arm/boot/dts/armada-370-netgear-rn102.dts ++++ b/arch/arm/boot/dts/armada-370-netgear-rn102.dts +@@ -144,6 +144,10 @@ + marvell,nand-enable-arbiter; + nand-on-flash-bbt; + ++ /* Use Hardware BCH ECC */ ++ nand-ecc-strength = <4>; ++ nand-ecc-step-size = <512>; ++ + partition@0 { + label = "u-boot"; + reg = <0x0000000 0x180000>; /* 1.5MB */ +diff --git a/arch/arm/boot/dts/armada-370-netgear-rn104.dts b/arch/arm/boot/dts/armada-370-netgear-rn104.dts +index 4e27587667bf..da406c1c726a 100644 +--- a/arch/arm/boot/dts/armada-370-netgear-rn104.dts ++++ b/arch/arm/boot/dts/armada-370-netgear-rn104.dts +@@ -146,6 +146,10 @@ + marvell,nand-enable-arbiter; + nand-on-flash-bbt; + ++ /* Use Hardware BCH ECC */ ++ nand-ecc-strength = <4>; ++ nand-ecc-step-size = <512>; ++ + partition@0 { + label = "u-boot"; + reg = <0x0000000 0x180000>; /* 1.5MB */ +diff --git a/arch/arm/boot/dts/armada-xp-netgear-rn2120.dts b/arch/arm/boot/dts/armada-xp-netgear-rn2120.dts +index ff049ee862eb..b4aba09de911 100644 +--- a/arch/arm/boot/dts/armada-xp-netgear-rn2120.dts ++++ b/arch/arm/boot/dts/armada-xp-netgear-rn2120.dts +@@ -224,6 +224,10 @@ + marvell,nand-enable-arbiter; + nand-on-flash-bbt; + ++ /* Use Hardware BCH ECC */ ++ nand-ecc-strength = <4>; ++ nand-ecc-step-size = <512>; ++ + partition@0 { + label = "u-boot"; + reg = <0x0000000 0x180000>; /* 1.5MB */ +diff --git a/arch/arm/boot/dts/at91sam9263.dtsi b/arch/arm/boot/dts/at91sam9263.dtsi +index fece8665fb63..b8f234bf7de8 100644 +--- a/arch/arm/boot/dts/at91sam9263.dtsi ++++ b/arch/arm/boot/dts/at91sam9263.dtsi +@@ -535,6 +535,7 @@ + compatible = "atmel,hsmci"; + reg = <0xfff80000 0x600>; + interrupts = <10 IRQ_TYPE_LEVEL_HIGH 0>; ++ pinctrl-names = "default"; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +@@ -544,6 +545,7 @@ + compatible = "atmel,hsmci"; + reg = <0xfff84000 0x600>; + interrupts = <11 IRQ_TYPE_LEVEL_HIGH 0>; ++ pinctrl-names = "default"; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +diff --git a/arch/arm/boot/dts/sama5d3_can.dtsi b/arch/arm/boot/dts/sama5d3_can.dtsi +index a0775851cce5..eaf41451ad0c 100644 +--- a/arch/arm/boot/dts/sama5d3_can.dtsi ++++ b/arch/arm/boot/dts/sama5d3_can.dtsi +@@ -40,7 +40,7 @@ + atmel,clk-output-range = <0 66000000>; + }; + +- can1_clk: can0_clk { ++ can1_clk: can1_clk { + #clock-cells = <0>; + reg = <41>; + 
atmel,clk-output-range = <0 66000000>; +diff --git a/arch/arm/mach-at91/clock.c b/arch/arm/mach-at91/clock.c +index 034529d801b2..d66f102c352a 100644 +--- a/arch/arm/mach-at91/clock.c ++++ b/arch/arm/mach-at91/clock.c +@@ -962,6 +962,7 @@ static int __init at91_clock_reset(void) + } + + at91_pmc_write(AT91_PMC_SCDR, scdr); ++ at91_pmc_write(AT91_PMC_PCDR, pcdr); + if (cpu_is_sama5d3()) + at91_pmc_write(AT91_PMC_PCDR1, pcdr1); + +diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h +index fda2704b3f9f..e72289a97367 100644 +--- a/arch/arm64/include/asm/compat.h ++++ b/arch/arm64/include/asm/compat.h +@@ -37,8 +37,8 @@ typedef s32 compat_ssize_t; + typedef s32 compat_time_t; + typedef s32 compat_clock_t; + typedef s32 compat_pid_t; +-typedef u32 __compat_uid_t; +-typedef u32 __compat_gid_t; ++typedef u16 __compat_uid_t; ++typedef u16 __compat_gid_t; + typedef u16 __compat_uid16_t; + typedef u16 __compat_gid16_t; + typedef u32 __compat_uid32_t; +diff --git a/arch/m68k/mm/hwtest.c b/arch/m68k/mm/hwtest.c +index 2c7dde3c6430..2a5259fd23eb 100644 +--- a/arch/m68k/mm/hwtest.c ++++ b/arch/m68k/mm/hwtest.c +@@ -28,9 +28,11 @@ + int hwreg_present( volatile void *regp ) + { + int ret = 0; ++ unsigned long flags; + long save_sp, save_vbr; + long tmp_vectors[3]; + ++ local_irq_save(flags); + __asm__ __volatile__ + ( "movec %/vbr,%2\n\t" + "movel #Lberr1,%4@(8)\n\t" +@@ -46,6 +48,7 @@ int hwreg_present( volatile void *regp ) + : "=&d" (ret), "=&r" (save_sp), "=&r" (save_vbr) + : "a" (regp), "a" (tmp_vectors) + ); ++ local_irq_restore(flags); + + return( ret ); + } +@@ -58,9 +61,11 @@ EXPORT_SYMBOL(hwreg_present); + int hwreg_write( volatile void *regp, unsigned short val ) + { + int ret; ++ unsigned long flags; + long save_sp, save_vbr; + long tmp_vectors[3]; + ++ local_irq_save(flags); + __asm__ __volatile__ + ( "movec %/vbr,%2\n\t" + "movel #Lberr2,%4@(8)\n\t" +@@ -78,6 +83,7 @@ int hwreg_write( volatile void *regp, unsigned short val ) + : "=&d" (ret), "=&r" (save_sp), "=&r" (save_vbr) + : "a" (regp), "a" (tmp_vectors), "g" (val) + ); ++ local_irq_restore(flags); + + return( ret ); + } +diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c +index 4642d6a4d356..de1ec54a2a57 100644 +--- a/arch/powerpc/platforms/pseries/iommu.c ++++ b/arch/powerpc/platforms/pseries/iommu.c +@@ -329,16 +329,16 @@ struct direct_window { + + /* Dynamic DMA Window support */ + struct ddw_query_response { +- __be32 windows_available; +- __be32 largest_available_block; +- __be32 page_size; +- __be32 migration_capable; ++ u32 windows_available; ++ u32 largest_available_block; ++ u32 page_size; ++ u32 migration_capable; + }; + + struct ddw_create_response { +- __be32 liobn; +- __be32 addr_hi; +- __be32 addr_lo; ++ u32 liobn; ++ u32 addr_hi; ++ u32 addr_lo; + }; + + static LIST_HEAD(direct_window_list); +@@ -725,16 +725,18 @@ static void remove_ddw(struct device_node *np, bool remove_prop) + { + struct dynamic_dma_window_prop *dwp; + struct property *win64; +- const u32 *ddw_avail; ++ u32 ddw_avail[3]; + u64 liobn; +- int len, ret = 0; ++ int ret = 0; ++ ++ ret = of_property_read_u32_array(np, "ibm,ddw-applicable", ++ &ddw_avail[0], 3); + +- ddw_avail = of_get_property(np, "ibm,ddw-applicable", &len); + win64 = of_find_property(np, DIRECT64_PROPNAME, NULL); + if (!win64) + return; + +- if (!ddw_avail || len < 3 * sizeof(u32) || win64->length < sizeof(*dwp)) ++ if (ret || win64->length < sizeof(*dwp)) + goto delprop; + + dwp = win64->value; +@@ -872,8 +874,9 @@ 
static int create_ddw(struct pci_dev *dev, const u32 *ddw_avail, + + do { + /* extra outputs are LIOBN and dma-addr (hi, lo) */ +- ret = rtas_call(ddw_avail[1], 5, 4, (u32 *)create, cfg_addr, +- BUID_HI(buid), BUID_LO(buid), page_shift, window_shift); ++ ret = rtas_call(ddw_avail[1], 5, 4, (u32 *)create, ++ cfg_addr, BUID_HI(buid), BUID_LO(buid), ++ page_shift, window_shift); + } while (rtas_busy_delay(ret)); + dev_info(&dev->dev, + "ibm,create-pe-dma-window(%x) %x %x %x %x %x returned %d " +@@ -910,7 +913,7 @@ static u64 enable_ddw(struct pci_dev *dev, struct device_node *pdn) + int page_shift; + u64 dma_addr, max_addr; + struct device_node *dn; +- const u32 *uninitialized_var(ddw_avail); ++ u32 ddw_avail[3]; + struct direct_window *window; + struct property *win64; + struct dynamic_dma_window_prop *ddwprop; +@@ -942,8 +945,9 @@ static u64 enable_ddw(struct pci_dev *dev, struct device_node *pdn) + * for the given node in that order. + * the property is actually in the parent, not the PE + */ +- ddw_avail = of_get_property(pdn, "ibm,ddw-applicable", &len); +- if (!ddw_avail || len < 3 * sizeof(u32)) ++ ret = of_property_read_u32_array(pdn, "ibm,ddw-applicable", ++ &ddw_avail[0], 3); ++ if (ret) + goto out_failed; + + /* +@@ -966,11 +970,11 @@ static u64 enable_ddw(struct pci_dev *dev, struct device_node *pdn) + dev_dbg(&dev->dev, "no free dynamic windows"); + goto out_failed; + } +- if (be32_to_cpu(query.page_size) & 4) { ++ if (query.page_size & 4) { + page_shift = 24; /* 16MB */ +- } else if (be32_to_cpu(query.page_size) & 2) { ++ } else if (query.page_size & 2) { + page_shift = 16; /* 64kB */ +- } else if (be32_to_cpu(query.page_size) & 1) { ++ } else if (query.page_size & 1) { + page_shift = 12; /* 4kB */ + } else { + dev_dbg(&dev->dev, "no supported direct page size in mask %x", +@@ -980,7 +984,7 @@ static u64 enable_ddw(struct pci_dev *dev, struct device_node *pdn) + /* verify the window * number of ptes will map the partition */ + /* check largest block * page size > max memory hotplug addr */ + max_addr = memory_hotplug_max(); +- if (be32_to_cpu(query.largest_available_block) < (max_addr >> page_shift)) { ++ if (query.largest_available_block < (max_addr >> page_shift)) { + dev_dbg(&dev->dev, "can't map partiton max 0x%llx with %u " + "%llu-sized pages\n", max_addr, query.largest_available_block, + 1ULL << page_shift); +@@ -1006,8 +1010,9 @@ static u64 enable_ddw(struct pci_dev *dev, struct device_node *pdn) + if (ret != 0) + goto out_free_prop; + +- ddwprop->liobn = create.liobn; +- ddwprop->dma_base = cpu_to_be64(of_read_number(&create.addr_hi, 2)); ++ ddwprop->liobn = cpu_to_be32(create.liobn); ++ ddwprop->dma_base = cpu_to_be64(((u64)create.addr_hi << 32) | ++ create.addr_lo); + ddwprop->tce_shift = cpu_to_be32(page_shift); + ddwprop->window_shift = cpu_to_be32(len); + +@@ -1039,7 +1044,7 @@ static u64 enable_ddw(struct pci_dev *dev, struct device_node *pdn) + list_add(&window->list, &direct_window_list); + spin_unlock(&direct_window_list_lock); + +- dma_addr = of_read_number(&create.addr_hi, 2); ++ dma_addr = be64_to_cpu(ddwprop->dma_base); + goto out_unlock; + + out_free_window: +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index 5f79d2d79ca7..f1ba119878ec 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -71,6 +71,7 @@ static int __interrupt_is_deliverable(struct kvm_vcpu *vcpu, + return 0; + if (vcpu->arch.sie_block->gcr[0] & 0x2000ul) + return 1; ++ return 0; + case KVM_S390_INT_EMERGENCY: + if (psw_extint_disabled(vcpu)) + 
return 0; +diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig +index b398c68b2713..a38513c33a62 100644 +--- a/arch/sparc/Kconfig ++++ b/arch/sparc/Kconfig +@@ -67,6 +67,7 @@ config SPARC64 + select HAVE_SYSCALL_TRACEPOINTS + select HAVE_CONTEXT_TRACKING + select HAVE_DEBUG_KMEMLEAK ++ select SPARSE_IRQ + select RTC_DRV_CMOS + select RTC_DRV_BQ4802 + select RTC_DRV_SUN4V +diff --git a/arch/sparc/include/asm/hypervisor.h b/arch/sparc/include/asm/hypervisor.h +index ca121f0fa3ec..17be9d618335 100644 +--- a/arch/sparc/include/asm/hypervisor.h ++++ b/arch/sparc/include/asm/hypervisor.h +@@ -2944,6 +2944,16 @@ extern unsigned long sun4v_vt_set_perfreg(unsigned long reg_num, + unsigned long reg_val); + #endif + ++#define HV_FAST_T5_GET_PERFREG 0x1a8 ++#define HV_FAST_T5_SET_PERFREG 0x1a9 ++ ++#ifndef __ASSEMBLY__ ++unsigned long sun4v_t5_get_perfreg(unsigned long reg_num, ++ unsigned long *reg_val); ++unsigned long sun4v_t5_set_perfreg(unsigned long reg_num, ++ unsigned long reg_val); ++#endif ++ + /* Function numbers for HV_CORE_TRAP. */ + #define HV_CORE_SET_VER 0x00 + #define HV_CORE_PUTCHAR 0x01 +@@ -2975,6 +2985,7 @@ extern unsigned long sun4v_vt_set_perfreg(unsigned long reg_num, + #define HV_GRP_VF_CPU 0x0205 + #define HV_GRP_KT_CPU 0x0209 + #define HV_GRP_VT_CPU 0x020c ++#define HV_GRP_T5_CPU 0x0211 + #define HV_GRP_DIAG 0x0300 + + #ifndef __ASSEMBLY__ +diff --git a/arch/sparc/include/asm/irq_64.h b/arch/sparc/include/asm/irq_64.h +index abf6afe82ca8..3deb07ff1e00 100644 +--- a/arch/sparc/include/asm/irq_64.h ++++ b/arch/sparc/include/asm/irq_64.h +@@ -37,7 +37,7 @@ + * + * ino_bucket->irq allocation is made during {sun4v_,}build_irq(). + */ +-#define NR_IRQS 255 ++#define NR_IRQS (2048) + + extern void irq_install_pre_handler(int irq, + void (*func)(unsigned int, void *, void *), +@@ -57,11 +57,8 @@ extern unsigned int sun4u_build_msi(u32 portid, unsigned int *irq_p, + unsigned long iclr_base); + extern void sun4u_destroy_msi(unsigned int irq); + +-extern unsigned char irq_alloc(unsigned int dev_handle, +- unsigned int dev_ino); +-#ifdef CONFIG_PCI_MSI +-extern void irq_free(unsigned int irq); +-#endif ++unsigned int irq_alloc(unsigned int dev_handle, unsigned int dev_ino); ++void irq_free(unsigned int irq); + + extern void __init init_IRQ(void); + extern void fixup_irqs(void); +diff --git a/arch/sparc/include/asm/ldc.h b/arch/sparc/include/asm/ldc.h +index bdb524a7b814..8732ed391aff 100644 +--- a/arch/sparc/include/asm/ldc.h ++++ b/arch/sparc/include/asm/ldc.h +@@ -53,13 +53,14 @@ struct ldc_channel; + /* Allocate state for a channel. */ + extern struct ldc_channel *ldc_alloc(unsigned long id, + const struct ldc_channel_config *cfgp, +- void *event_arg); ++ void *event_arg, ++ const char *name); + + /* Shut down and free state for a channel. */ + extern void ldc_free(struct ldc_channel *lp); + + /* Register TX and RX queues of the link with the hypervisor. */ +-extern int ldc_bind(struct ldc_channel *lp, const char *name); ++extern int ldc_bind(struct ldc_channel *lp); + + /* For non-RAW protocols we need to complete a handshake before + * communication can proceed. ldc_connect() does that, if the +diff --git a/arch/sparc/include/asm/oplib_64.h b/arch/sparc/include/asm/oplib_64.h +index a12dbe3b7762..e48fdf4e16ff 100644 +--- a/arch/sparc/include/asm/oplib_64.h ++++ b/arch/sparc/include/asm/oplib_64.h +@@ -62,7 +62,8 @@ struct linux_mem_p1275 { + /* You must call prom_init() before using any of the library services, + * preferably as early as possible. Pass it the romvec pointer. 
+ */ +-extern void prom_init(void *cif_handler, void *cif_stack); ++extern void prom_init(void *cif_handler); ++extern void prom_init_report(void); + + /* Boot argument acquisition, returns the boot command line string. */ + extern char *prom_getbootargs(void); +diff --git a/arch/sparc/include/asm/page_64.h b/arch/sparc/include/asm/page_64.h +index aac53fcea807..b18e602fcac4 100644 +--- a/arch/sparc/include/asm/page_64.h ++++ b/arch/sparc/include/asm/page_64.h +@@ -57,18 +57,21 @@ extern void copy_user_page(void *to, void *from, unsigned long vaddr, struct pag + typedef struct { unsigned long pte; } pte_t; + typedef struct { unsigned long iopte; } iopte_t; + typedef struct { unsigned long pmd; } pmd_t; ++typedef struct { unsigned long pud; } pud_t; + typedef struct { unsigned long pgd; } pgd_t; + typedef struct { unsigned long pgprot; } pgprot_t; + + #define pte_val(x) ((x).pte) + #define iopte_val(x) ((x).iopte) + #define pmd_val(x) ((x).pmd) ++#define pud_val(x) ((x).pud) + #define pgd_val(x) ((x).pgd) + #define pgprot_val(x) ((x).pgprot) + + #define __pte(x) ((pte_t) { (x) } ) + #define __iopte(x) ((iopte_t) { (x) } ) + #define __pmd(x) ((pmd_t) { (x) } ) ++#define __pud(x) ((pud_t) { (x) } ) + #define __pgd(x) ((pgd_t) { (x) } ) + #define __pgprot(x) ((pgprot_t) { (x) } ) + +@@ -77,18 +80,21 @@ typedef struct { unsigned long pgprot; } pgprot_t; + typedef unsigned long pte_t; + typedef unsigned long iopte_t; + typedef unsigned long pmd_t; ++typedef unsigned long pud_t; + typedef unsigned long pgd_t; + typedef unsigned long pgprot_t; + + #define pte_val(x) (x) + #define iopte_val(x) (x) + #define pmd_val(x) (x) ++#define pud_val(x) (x) + #define pgd_val(x) (x) + #define pgprot_val(x) (x) + + #define __pte(x) (x) + #define __iopte(x) (x) + #define __pmd(x) (x) ++#define __pud(x) (x) + #define __pgd(x) (x) + #define __pgprot(x) (x) + +@@ -96,21 +102,14 @@ typedef unsigned long pgprot_t; + + typedef pte_t *pgtable_t; + +-/* These two values define the virtual address space range in which we +- * must forbid 64-bit user processes from making mappings. It used to +- * represent precisely the virtual address space hole present in most +- * early sparc64 chips including UltraSPARC-I. But now it also is +- * further constrained by the limits of our page tables, which is +- * 43-bits of virtual address. +- */ +-#define SPARC64_VA_HOLE_TOP _AC(0xfffffc0000000000,UL) +-#define SPARC64_VA_HOLE_BOTTOM _AC(0x0000040000000000,UL) ++extern unsigned long sparc64_va_hole_top; ++extern unsigned long sparc64_va_hole_bottom; + + /* The next two defines specify the actual exclusion region we + * enforce, wherein we use a 4GB red zone on each side of the VA hole. + */ +-#define VA_EXCLUDE_START (SPARC64_VA_HOLE_BOTTOM - (1UL << 32UL)) +-#define VA_EXCLUDE_END (SPARC64_VA_HOLE_TOP + (1UL << 32UL)) ++#define VA_EXCLUDE_START (sparc64_va_hole_bottom - (1UL << 32UL)) ++#define VA_EXCLUDE_END (sparc64_va_hole_top + (1UL << 32UL)) + + #define TASK_UNMAPPED_BASE (test_thread_flag(TIF_32BIT) ? \ + _AC(0x0000000070000000,UL) : \ +@@ -118,20 +117,16 @@ typedef pte_t *pgtable_t; + + #include + +-#define PAGE_OFFSET_BY_BITS(X) (-(_AC(1,UL) << (X))) + extern unsigned long PAGE_OFFSET; + + #endif /* !(__ASSEMBLY__) */ + +-/* The maximum number of physical memory address bits we support, this +- * is used to size various tables used to manage kernel TLB misses and +- * also the sparsemem code. ++/* The maximum number of physical memory address bits we support. 
The ++ * largest value we can support is whatever "KPGD_SHIFT + KPTE_BITS" ++ * evaluates to. + */ +-#define MAX_PHYS_ADDRESS_BITS 47 ++#define MAX_PHYS_ADDRESS_BITS 53 + +-/* These two shift counts are used when indexing sparc64_valid_addr_bitmap +- * and kpte_linear_bitmap. +- */ + #define ILOG2_4MB 22 + #define ILOG2_256MB 28 + +diff --git a/arch/sparc/include/asm/pgalloc_64.h b/arch/sparc/include/asm/pgalloc_64.h +index bcfe063bce23..2c8d41fb13a4 100644 +--- a/arch/sparc/include/asm/pgalloc_64.h ++++ b/arch/sparc/include/asm/pgalloc_64.h +@@ -15,6 +15,13 @@ + + extern struct kmem_cache *pgtable_cache; + ++static inline void __pgd_populate(pgd_t *pgd, pud_t *pud) ++{ ++ pgd_set(pgd, pud); ++} ++ ++#define pgd_populate(MM, PGD, PUD) __pgd_populate(PGD, PUD) ++ + static inline pgd_t *pgd_alloc(struct mm_struct *mm) + { + return kmem_cache_alloc(pgtable_cache, GFP_KERNEL); +@@ -25,7 +32,23 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd) + kmem_cache_free(pgtable_cache, pgd); + } + +-#define pud_populate(MM, PUD, PMD) pud_set(PUD, PMD) ++static inline void __pud_populate(pud_t *pud, pmd_t *pmd) ++{ ++ pud_set(pud, pmd); ++} ++ ++#define pud_populate(MM, PUD, PMD) __pud_populate(PUD, PMD) ++ ++static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr) ++{ ++ return kmem_cache_alloc(pgtable_cache, ++ GFP_KERNEL|__GFP_REPEAT); ++} ++ ++static inline void pud_free(struct mm_struct *mm, pud_t *pud) ++{ ++ kmem_cache_free(pgtable_cache, pud); ++} + + static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr) + { +@@ -91,4 +114,7 @@ static inline void __pte_free_tlb(struct mmu_gather *tlb, pte_t *pte, + #define __pmd_free_tlb(tlb, pmd, addr) \ + pgtable_free_tlb(tlb, pmd, false) + ++#define __pud_free_tlb(tlb, pud, addr) \ ++ pgtable_free_tlb(tlb, pud, false) ++ + #endif /* _SPARC64_PGALLOC_H */ +diff --git a/arch/sparc/include/asm/pgtable_64.h b/arch/sparc/include/asm/pgtable_64.h +index 1a49ffdf9da9..e8dfabf156c7 100644 +--- a/arch/sparc/include/asm/pgtable_64.h ++++ b/arch/sparc/include/asm/pgtable_64.h +@@ -20,8 +20,6 @@ + #include + #include + +-#include +- + /* The kernel image occupies 0x4000000 to 0x6000000 (4MB --> 96MB). + * The page copy blockops can use 0x6000000 to 0x8000000. + * The 8K TSB is mapped in the 0x8000000 to 0x8400000 range. 
+@@ -42,10 +40,7 @@ + #define LOW_OBP_ADDRESS _AC(0x00000000f0000000,UL) + #define HI_OBP_ADDRESS _AC(0x0000000100000000,UL) + #define VMALLOC_START _AC(0x0000000100000000,UL) +-#define VMALLOC_END _AC(0x0000010000000000,UL) +-#define VMEMMAP_BASE _AC(0x0000010000000000,UL) +- +-#define vmemmap ((struct page *)VMEMMAP_BASE) ++#define VMEMMAP_BASE VMALLOC_END + + /* PMD_SHIFT determines the size of the area a second-level page + * table can map +@@ -55,13 +50,25 @@ + #define PMD_MASK (~(PMD_SIZE-1)) + #define PMD_BITS (PAGE_SHIFT - 3) + +-/* PGDIR_SHIFT determines what a third-level page table entry can map */ +-#define PGDIR_SHIFT (PAGE_SHIFT + (PAGE_SHIFT-3) + PMD_BITS) ++/* PUD_SHIFT determines the size of the area a third-level page ++ * table can map ++ */ ++#define PUD_SHIFT (PMD_SHIFT + PMD_BITS) ++#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT) ++#define PUD_MASK (~(PUD_SIZE-1)) ++#define PUD_BITS (PAGE_SHIFT - 3) ++ ++/* PGDIR_SHIFT determines what a fourth-level page table entry can map */ ++#define PGDIR_SHIFT (PUD_SHIFT + PUD_BITS) + #define PGDIR_SIZE (_AC(1,UL) << PGDIR_SHIFT) + #define PGDIR_MASK (~(PGDIR_SIZE-1)) + #define PGDIR_BITS (PAGE_SHIFT - 3) + +-#if (PGDIR_SHIFT + PGDIR_BITS) != 43 ++#if (MAX_PHYS_ADDRESS_BITS > PGDIR_SHIFT + PGDIR_BITS) ++#error MAX_PHYS_ADDRESS_BITS exceeds what kernel page tables can support ++#endif ++ ++#if (PGDIR_SHIFT + PGDIR_BITS) != 53 + #error Page table parameters do not cover virtual address space properly. + #endif + +@@ -71,28 +78,18 @@ + + #ifndef __ASSEMBLY__ + +-#include +- +-extern unsigned long sparc64_valid_addr_bitmap[]; ++extern unsigned long VMALLOC_END; + +-/* Needs to be defined here and not in linux/mm.h, as it is arch dependent */ +-static inline bool __kern_addr_valid(unsigned long paddr) +-{ +- if ((paddr >> MAX_PHYS_ADDRESS_BITS) != 0UL) +- return false; +- return test_bit(paddr >> ILOG2_4MB, sparc64_valid_addr_bitmap); +-} ++#define vmemmap ((struct page *)VMEMMAP_BASE) + +-static inline bool kern_addr_valid(unsigned long addr) +-{ +- unsigned long paddr = __pa(addr); ++#include + +- return __kern_addr_valid(paddr); +-} ++bool kern_addr_valid(unsigned long addr); + + /* Entries per page directory level. */ + #define PTRS_PER_PTE (1UL << (PAGE_SHIFT-3)) + #define PTRS_PER_PMD (1UL << PMD_BITS) ++#define PTRS_PER_PUD (1UL << PUD_BITS) + #define PTRS_PER_PGD (1UL << PGDIR_BITS) + + /* Kernel has a separate 44bit address space. 
*/ +@@ -101,6 +98,9 @@ static inline bool kern_addr_valid(unsigned long addr) + #define pmd_ERROR(e) \ + pr_err("%s:%d: bad pmd %p(%016lx) seen at (%pS)\n", \ + __FILE__, __LINE__, &(e), pmd_val(e), __builtin_return_address(0)) ++#define pud_ERROR(e) \ ++ pr_err("%s:%d: bad pud %p(%016lx) seen at (%pS)\n", \ ++ __FILE__, __LINE__, &(e), pud_val(e), __builtin_return_address(0)) + #define pgd_ERROR(e) \ + pr_err("%s:%d: bad pgd %p(%016lx) seen at (%pS)\n", \ + __FILE__, __LINE__, &(e), pgd_val(e), __builtin_return_address(0)) +@@ -112,6 +112,7 @@ static inline bool kern_addr_valid(unsigned long addr) + #define _PAGE_R _AC(0x8000000000000000,UL) /* Keep ref bit uptodate*/ + #define _PAGE_SPECIAL _AC(0x0200000000000000,UL) /* Special page */ + #define _PAGE_PMD_HUGE _AC(0x0100000000000000,UL) /* Huge page */ ++#define _PAGE_PUD_HUGE _PAGE_PMD_HUGE + + /* Advertise support for _PAGE_SPECIAL */ + #define __HAVE_ARCH_PTE_SPECIAL +@@ -658,26 +659,26 @@ static inline unsigned long pmd_large(pmd_t pmd) + return pte_val(pte) & _PAGE_PMD_HUGE; + } + +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE +-static inline unsigned long pmd_young(pmd_t pmd) ++static inline unsigned long pmd_pfn(pmd_t pmd) + { + pte_t pte = __pte(pmd_val(pmd)); + +- return pte_young(pte); ++ return pte_pfn(pte); + } + +-static inline unsigned long pmd_write(pmd_t pmd) ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE ++static inline unsigned long pmd_young(pmd_t pmd) + { + pte_t pte = __pte(pmd_val(pmd)); + +- return pte_write(pte); ++ return pte_young(pte); + } + +-static inline unsigned long pmd_pfn(pmd_t pmd) ++static inline unsigned long pmd_write(pmd_t pmd) + { + pte_t pte = __pte(pmd_val(pmd)); + +- return pte_pfn(pte); ++ return pte_write(pte); + } + + static inline unsigned long pmd_trans_huge(pmd_t pmd) +@@ -771,13 +772,15 @@ static inline int pmd_present(pmd_t pmd) + * the top bits outside of the range of any physical address size we + * support are clear as well. We also validate the physical itself. + */ +-#define pmd_bad(pmd) ((pmd_val(pmd) & ~PAGE_MASK) || \ +- !__kern_addr_valid(pmd_val(pmd))) ++#define pmd_bad(pmd) (pmd_val(pmd) & ~PAGE_MASK) + + #define pud_none(pud) (!pud_val(pud)) + +-#define pud_bad(pud) ((pud_val(pud) & ~PAGE_MASK) || \ +- !__kern_addr_valid(pud_val(pud))) ++#define pud_bad(pud) (pud_val(pud) & ~PAGE_MASK) ++ ++#define pgd_none(pgd) (!pgd_val(pgd)) ++ ++#define pgd_bad(pgd) (pgd_val(pgd) & ~PAGE_MASK) + + #ifdef CONFIG_TRANSPARENT_HUGEPAGE + extern void set_pmd_at(struct mm_struct *mm, unsigned long addr, +@@ -815,10 +818,31 @@ static inline unsigned long __pmd_page(pmd_t pmd) + #define pmd_clear(pmdp) (pmd_val(*(pmdp)) = 0UL) + #define pud_present(pud) (pud_val(pud) != 0U) + #define pud_clear(pudp) (pud_val(*(pudp)) = 0UL) ++#define pgd_page_vaddr(pgd) \ ++ ((unsigned long) __va(pgd_val(pgd))) ++#define pgd_present(pgd) (pgd_val(pgd) != 0U) ++#define pgd_clear(pgdp) (pgd_val(*(pgd)) = 0UL) ++ ++static inline unsigned long pud_large(pud_t pud) ++{ ++ pte_t pte = __pte(pud_val(pud)); ++ ++ return pte_val(pte) & _PAGE_PMD_HUGE; ++} ++ ++static inline unsigned long pud_pfn(pud_t pud) ++{ ++ pte_t pte = __pte(pud_val(pud)); ++ ++ return pte_pfn(pte); ++} + + /* Same in both SUN4V and SUN4U. */ + #define pte_none(pte) (!pte_val(pte)) + ++#define pgd_set(pgdp, pudp) \ ++ (pgd_val(*(pgdp)) = (__pa((unsigned long) (pudp)))) ++ + /* to find an entry in a page-table-directory. 
*/ + #define pgd_index(address) (((address) >> PGDIR_SHIFT) & (PTRS_PER_PGD - 1)) + #define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address)) +@@ -826,6 +850,11 @@ static inline unsigned long __pmd_page(pmd_t pmd) + /* to find an entry in a kernel page-table-directory */ + #define pgd_offset_k(address) pgd_offset(&init_mm, address) + ++/* Find an entry in the third-level page table.. */ ++#define pud_index(address) (((address) >> PUD_SHIFT) & (PTRS_PER_PUD - 1)) ++#define pud_offset(pgdp, address) \ ++ ((pud_t *) pgd_page_vaddr(*(pgdp)) + pud_index(address)) ++ + /* Find an entry in the second-level page table.. */ + #define pmd_offset(pudp, address) \ + ((pmd_t *) pud_page_vaddr(*(pudp)) + \ +@@ -898,7 +927,6 @@ static inline void __set_pte_at(struct mm_struct *mm, unsigned long addr, + #endif + + extern pgd_t swapper_pg_dir[PTRS_PER_PGD]; +-extern pmd_t swapper_low_pmd_dir[PTRS_PER_PMD]; + + extern void paging_init(void); + extern unsigned long find_ecache_flush_span(unsigned long size); +diff --git a/arch/sparc/include/asm/setup.h b/arch/sparc/include/asm/setup.h +index 5e35e0517318..acd614668ec1 100644 +--- a/arch/sparc/include/asm/setup.h ++++ b/arch/sparc/include/asm/setup.h +@@ -24,6 +24,10 @@ static inline int con_is_present(void) + } + #endif + ++#ifdef CONFIG_SPARC64 ++extern void __init start_early_boot(void); ++#endif ++ + extern void sun_do_break(void); + extern int stop_a_enabled; + extern int scons_pwroff; +diff --git a/arch/sparc/include/asm/spitfire.h b/arch/sparc/include/asm/spitfire.h +index 6b67e50fb9b4..69424d48cbb7 100644 +--- a/arch/sparc/include/asm/spitfire.h ++++ b/arch/sparc/include/asm/spitfire.h +@@ -45,6 +45,8 @@ + #define SUN4V_CHIP_NIAGARA3 0x03 + #define SUN4V_CHIP_NIAGARA4 0x04 + #define SUN4V_CHIP_NIAGARA5 0x05 ++#define SUN4V_CHIP_SPARC_M6 0x06 ++#define SUN4V_CHIP_SPARC_M7 0x07 + #define SUN4V_CHIP_SPARC64X 0x8a + #define SUN4V_CHIP_UNKNOWN 0xff + +diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h +index a5f01ac6d0f1..cc6275c931a5 100644 +--- a/arch/sparc/include/asm/thread_info_64.h ++++ b/arch/sparc/include/asm/thread_info_64.h +@@ -63,7 +63,8 @@ struct thread_info { + struct pt_regs *kern_una_regs; + unsigned int kern_una_insn; + +- unsigned long fpregs[0] __attribute__ ((aligned(64))); ++ unsigned long fpregs[(7 * 256) / sizeof(unsigned long)] ++ __attribute__ ((aligned(64))); + }; + + #endif /* !(__ASSEMBLY__) */ +@@ -102,6 +103,7 @@ struct thread_info { + #define FAULT_CODE_ITLB 0x04 /* Miss happened in I-TLB */ + #define FAULT_CODE_WINFIXUP 0x08 /* Miss happened during spill/fill */ + #define FAULT_CODE_BLKCOMMIT 0x10 /* Use blk-commit ASI in copy_page */ ++#define FAULT_CODE_BAD_RA 0x20 /* Bad RA for sun4v */ + + #if PAGE_SHIFT == 13 + #define THREAD_SIZE (2*PAGE_SIZE) +diff --git a/arch/sparc/include/asm/tsb.h b/arch/sparc/include/asm/tsb.h +index 90916f955cac..ecb49cfa3be9 100644 +--- a/arch/sparc/include/asm/tsb.h ++++ b/arch/sparc/include/asm/tsb.h +@@ -133,9 +133,24 @@ extern struct tsb_phys_patch_entry __tsb_phys_patch, __tsb_phys_patch_end; + sub TSB, 0x8, TSB; \ + TSB_STORE(TSB, TAG); + +- /* Do a kernel page table walk. Leaves physical PTE pointer in +- * REG1. Jumps to FAIL_LABEL on early page table walk termination. +- * VADDR will not be clobbered, but REG2 will. ++ /* Do a kernel page table walk. Leaves valid PTE value in ++ * REG1. Jumps to FAIL_LABEL on early page table walk ++ * termination. VADDR will not be clobbered, but REG2 will. 
++ * ++ * There are two masks we must apply to propagate bits from ++ * the virtual address into the PTE physical address field ++ * when dealing with huge pages. This is because the page ++ * table boundaries do not match the huge page size(s) the ++ * hardware supports. ++ * ++ * In these cases we propagate the bits that are below the ++ * page table level where we saw the huge page mapping, but ++ * are still within the relevant physical bits for the huge ++ * page size in question. So for PMD mappings (which fall on ++ * bit 23, for 8MB per PMD) we must propagate bit 22 for a ++ * 4MB huge page. For huge PUDs (which fall on bit 33, for ++ * 8GB per PUD), we have to accomodate 256MB and 2GB huge ++ * pages. So for those we propagate bits 32 to 28. + */ + #define KERN_PGTABLE_WALK(VADDR, REG1, REG2, FAIL_LABEL) \ + sethi %hi(swapper_pg_dir), REG1; \ +@@ -145,15 +160,40 @@ extern struct tsb_phys_patch_entry __tsb_phys_patch, __tsb_phys_patch_end; + andn REG2, 0x7, REG2; \ + ldx [REG1 + REG2], REG1; \ + brz,pn REG1, FAIL_LABEL; \ +- sllx VADDR, 64 - (PMD_SHIFT + PMD_BITS), REG2; \ ++ sllx VADDR, 64 - (PUD_SHIFT + PUD_BITS), REG2; \ + srlx REG2, 64 - PAGE_SHIFT, REG2; \ + andn REG2, 0x7, REG2; \ + ldxa [REG1 + REG2] ASI_PHYS_USE_EC, REG1; \ + brz,pn REG1, FAIL_LABEL; \ +- sllx VADDR, 64 - PMD_SHIFT, REG2; \ ++ sethi %uhi(_PAGE_PUD_HUGE), REG2; \ ++ brz,pn REG1, FAIL_LABEL; \ ++ sllx REG2, 32, REG2; \ ++ andcc REG1, REG2, %g0; \ ++ sethi %hi(0xf8000000), REG2; \ ++ bne,pt %xcc, 697f; \ ++ sllx REG2, 1, REG2; \ ++ sllx VADDR, 64 - (PMD_SHIFT + PMD_BITS), REG2; \ + srlx REG2, 64 - PAGE_SHIFT, REG2; \ + andn REG2, 0x7, REG2; \ +- add REG1, REG2, REG1; ++ ldxa [REG1 + REG2] ASI_PHYS_USE_EC, REG1; \ ++ sethi %uhi(_PAGE_PMD_HUGE), REG2; \ ++ brz,pn REG1, FAIL_LABEL; \ ++ sllx REG2, 32, REG2; \ ++ andcc REG1, REG2, %g0; \ ++ be,pn %xcc, 698f; \ ++ sethi %hi(0x400000), REG2; \ ++697: brgez,pn REG1, FAIL_LABEL; \ ++ andn REG1, REG2, REG1; \ ++ and VADDR, REG2, REG2; \ ++ ba,pt %xcc, 699f; \ ++ or REG1, REG2, REG1; \ ++698: sllx VADDR, 64 - PMD_SHIFT, REG2; \ ++ srlx REG2, 64 - PAGE_SHIFT, REG2; \ ++ andn REG2, 0x7, REG2; \ ++ ldxa [REG1 + REG2] ASI_PHYS_USE_EC, REG1; \ ++ brgez,pn REG1, FAIL_LABEL; \ ++ nop; \ ++699: + + /* PMD has been loaded into REG1, interpret the value, seeing + * if it is a HUGE PMD or a normal one. If it is not valid +@@ -198,6 +238,11 @@ extern struct tsb_phys_patch_entry __tsb_phys_patch, __tsb_phys_patch_end; + andn REG2, 0x7, REG2; \ + ldxa [PHYS_PGD + REG2] ASI_PHYS_USE_EC, REG1; \ + brz,pn REG1, FAIL_LABEL; \ ++ sllx VADDR, 64 - (PUD_SHIFT + PUD_BITS), REG2; \ ++ srlx REG2, 64 - PAGE_SHIFT, REG2; \ ++ andn REG2, 0x7, REG2; \ ++ ldxa [REG1 + REG2] ASI_PHYS_USE_EC, REG1; \ ++ brz,pn REG1, FAIL_LABEL; \ + sllx VADDR, 64 - (PMD_SHIFT + PMD_BITS), REG2; \ + srlx REG2, 64 - PAGE_SHIFT, REG2; \ + andn REG2, 0x7, REG2; \ +@@ -246,8 +291,6 @@ extern struct tsb_phys_patch_entry __tsb_phys_patch, __tsb_phys_patch_end; + (KERNEL_TSB_SIZE_BYTES / 16) + #define KERNEL_TSB4M_NENTRIES 4096 + +-#define KTSB_PHYS_SHIFT 15 +- + /* Do a kernel TSB lookup at tl>0 on VADDR+TAG, branch to OK_LABEL + * on TSB hit. REG1, REG2, REG3, and REG4 are used as temporaries + * and the found TTE will be left in REG1. REG3 and REG4 must +@@ -256,17 +299,15 @@ extern struct tsb_phys_patch_entry __tsb_phys_patch, __tsb_phys_patch_end; + * VADDR and TAG will be preserved and not clobbered by this macro. 
+ */ + #define KERN_TSB_LOOKUP_TL1(VADDR, TAG, REG1, REG2, REG3, REG4, OK_LABEL) \ +-661: sethi %hi(swapper_tsb), REG1; \ +- or REG1, %lo(swapper_tsb), REG1; \ ++661: sethi %uhi(swapper_tsb), REG1; \ ++ sethi %hi(swapper_tsb), REG2; \ ++ or REG1, %ulo(swapper_tsb), REG1; \ ++ or REG2, %lo(swapper_tsb), REG2; \ + .section .swapper_tsb_phys_patch, "ax"; \ + .word 661b; \ + .previous; \ +-661: nop; \ +- .section .tsb_ldquad_phys_patch, "ax"; \ +- .word 661b; \ +- sllx REG1, KTSB_PHYS_SHIFT, REG1; \ +- sllx REG1, KTSB_PHYS_SHIFT, REG1; \ +- .previous; \ ++ sllx REG1, 32, REG1; \ ++ or REG1, REG2, REG1; \ + srlx VADDR, PAGE_SHIFT, REG2; \ + and REG2, (KERNEL_TSB_NENTRIES - 1), REG2; \ + sllx REG2, 4, REG2; \ +@@ -281,17 +322,15 @@ extern struct tsb_phys_patch_entry __tsb_phys_patch, __tsb_phys_patch_end; + * we can make use of that for the index computation. + */ + #define KERN_TSB4M_LOOKUP_TL1(TAG, REG1, REG2, REG3, REG4, OK_LABEL) \ +-661: sethi %hi(swapper_4m_tsb), REG1; \ +- or REG1, %lo(swapper_4m_tsb), REG1; \ ++661: sethi %uhi(swapper_4m_tsb), REG1; \ ++ sethi %hi(swapper_4m_tsb), REG2; \ ++ or REG1, %ulo(swapper_4m_tsb), REG1; \ ++ or REG2, %lo(swapper_4m_tsb), REG2; \ + .section .swapper_4m_tsb_phys_patch, "ax"; \ + .word 661b; \ + .previous; \ +-661: nop; \ +- .section .tsb_ldquad_phys_patch, "ax"; \ +- .word 661b; \ +- sllx REG1, KTSB_PHYS_SHIFT, REG1; \ +- sllx REG1, KTSB_PHYS_SHIFT, REG1; \ +- .previous; \ ++ sllx REG1, 32, REG1; \ ++ or REG1, REG2, REG1; \ + and TAG, (KERNEL_TSB4M_NENTRIES - 1), REG2; \ + sllx REG2, 4, REG2; \ + add REG1, REG2, REG2; \ +diff --git a/arch/sparc/include/asm/visasm.h b/arch/sparc/include/asm/visasm.h +index 39ca301920db..11fdf0ef50bb 100644 +--- a/arch/sparc/include/asm/visasm.h ++++ b/arch/sparc/include/asm/visasm.h +@@ -39,6 +39,14 @@ + 297: wr %o5, FPRS_FEF, %fprs; \ + 298: + ++#define VISEntryHalfFast(fail_label) \ ++ rd %fprs, %o5; \ ++ andcc %o5, FPRS_FEF, %g0; \ ++ be,pt %icc, 297f; \ ++ nop; \ ++ ba,a,pt %xcc, fail_label; \ ++297: wr %o5, FPRS_FEF, %fprs; ++ + #define VISExitHalf \ + wr %o5, 0, %fprs; + +diff --git a/arch/sparc/kernel/cpu.c b/arch/sparc/kernel/cpu.c +index 5c5125895db8..52e10defedc4 100644 +--- a/arch/sparc/kernel/cpu.c ++++ b/arch/sparc/kernel/cpu.c +@@ -493,6 +493,18 @@ static void __init sun4v_cpu_probe(void) + sparc_pmu_type = "niagara5"; + break; + ++ case SUN4V_CHIP_SPARC_M6: ++ sparc_cpu_type = "SPARC-M6"; ++ sparc_fpu_type = "SPARC-M6 integrated FPU"; ++ sparc_pmu_type = "sparc-m6"; ++ break; ++ ++ case SUN4V_CHIP_SPARC_M7: ++ sparc_cpu_type = "SPARC-M7"; ++ sparc_fpu_type = "SPARC-M7 integrated FPU"; ++ sparc_pmu_type = "sparc-m7"; ++ break; ++ + case SUN4V_CHIP_SPARC64X: + sparc_cpu_type = "SPARC64-X"; + sparc_fpu_type = "SPARC64-X integrated FPU"; +diff --git a/arch/sparc/kernel/cpumap.c b/arch/sparc/kernel/cpumap.c +index de1c844dfabc..e69ec0e3f155 100644 +--- a/arch/sparc/kernel/cpumap.c ++++ b/arch/sparc/kernel/cpumap.c +@@ -326,6 +326,8 @@ static int iterate_cpu(struct cpuinfo_tree *t, unsigned int root_index) + case SUN4V_CHIP_NIAGARA3: + case SUN4V_CHIP_NIAGARA4: + case SUN4V_CHIP_NIAGARA5: ++ case SUN4V_CHIP_SPARC_M6: ++ case SUN4V_CHIP_SPARC_M7: + case SUN4V_CHIP_SPARC64X: + rover_inc_table = niagara_iterate_method; + break; +diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c +index dff60abbea01..f87a55d77094 100644 +--- a/arch/sparc/kernel/ds.c ++++ b/arch/sparc/kernel/ds.c +@@ -1200,14 +1200,14 @@ static int ds_probe(struct vio_dev *vdev, const struct vio_device_id *id) + ds_cfg.tx_irq = 
vdev->tx_irq; + ds_cfg.rx_irq = vdev->rx_irq; + +- lp = ldc_alloc(vdev->channel_id, &ds_cfg, dp); ++ lp = ldc_alloc(vdev->channel_id, &ds_cfg, dp, "DS"); + if (IS_ERR(lp)) { + err = PTR_ERR(lp); + goto out_free_ds_states; + } + dp->lp = lp; + +- err = ldc_bind(lp, "DS"); ++ err = ldc_bind(lp); + if (err) + goto out_free_ldc; + +diff --git a/arch/sparc/kernel/dtlb_prot.S b/arch/sparc/kernel/dtlb_prot.S +index b2c2c5be281c..d668ca149e64 100644 +--- a/arch/sparc/kernel/dtlb_prot.S ++++ b/arch/sparc/kernel/dtlb_prot.S +@@ -24,11 +24,11 @@ + mov TLB_TAG_ACCESS, %g4 ! For reload of vaddr + + /* PROT ** ICACHE line 2: More real fault processing */ ++ ldxa [%g4] ASI_DMMU, %g5 ! Put tagaccess in %g5 + bgu,pn %xcc, winfix_trampoline ! Yes, perform winfixup +- ldxa [%g4] ASI_DMMU, %g5 ! Put tagaccess in %g5 +- ba,pt %xcc, sparc64_realfault_common ! Nope, normal fault + mov FAULT_CODE_DTLB | FAULT_CODE_WRITE, %g4 +- nop ++ ba,pt %xcc, sparc64_realfault_common ! Nope, normal fault ++ nop + nop + nop + nop +diff --git a/arch/sparc/kernel/entry.h b/arch/sparc/kernel/entry.h +index 140966fbd303..c88ffb9ee482 100644 +--- a/arch/sparc/kernel/entry.h ++++ b/arch/sparc/kernel/entry.h +@@ -66,13 +66,10 @@ struct pause_patch_entry { + extern struct pause_patch_entry __pause_3insn_patch, + __pause_3insn_patch_end; + +-extern void __init per_cpu_patch(void); + extern void sun4v_patch_1insn_range(struct sun4v_1insn_patch_entry *, + struct sun4v_1insn_patch_entry *); + extern void sun4v_patch_2insn_range(struct sun4v_2insn_patch_entry *, + struct sun4v_2insn_patch_entry *); +-extern void __init sun4v_patch(void); +-extern void __init boot_cpu_id_too_large(int cpu); + extern unsigned int dcache_parity_tl1_occurred; + extern unsigned int icache_parity_tl1_occurred; + +diff --git a/arch/sparc/kernel/head_64.S b/arch/sparc/kernel/head_64.S +index 452f04fe8da6..3d61fcae7ee3 100644 +--- a/arch/sparc/kernel/head_64.S ++++ b/arch/sparc/kernel/head_64.S +@@ -427,6 +427,12 @@ sun4v_chip_type: + cmp %g2, '5' + be,pt %xcc, 5f + mov SUN4V_CHIP_NIAGARA5, %g4 ++ cmp %g2, '6' ++ be,pt %xcc, 5f ++ mov SUN4V_CHIP_SPARC_M6, %g4 ++ cmp %g2, '7' ++ be,pt %xcc, 5f ++ mov SUN4V_CHIP_SPARC_M7, %g4 + ba,pt %xcc, 49f + nop + +@@ -585,6 +591,12 @@ niagara_tlb_fixup: + cmp %g1, SUN4V_CHIP_NIAGARA5 + be,pt %xcc, niagara4_patch + nop ++ cmp %g1, SUN4V_CHIP_SPARC_M6 ++ be,pt %xcc, niagara4_patch ++ nop ++ cmp %g1, SUN4V_CHIP_SPARC_M7 ++ be,pt %xcc, niagara4_patch ++ nop + + call generic_patch_copyops + nop +@@ -660,14 +672,12 @@ tlb_fixup_done: + sethi %hi(init_thread_union), %g6 + or %g6, %lo(init_thread_union), %g6 + ldx [%g6 + TI_TASK], %g4 +- mov %sp, %l6 + + wr %g0, ASI_P, %asi + mov 1, %g1 + sllx %g1, THREAD_SHIFT, %g1 + sub %g1, (STACKFRAME_SZ + STACK_BIAS), %g1 + add %g6, %g1, %sp +- mov 0, %fp + + /* Set per-cpu pointer initially to zero, this makes + * the boot-cpu use the in-kernel-image per-cpu areas +@@ -694,44 +704,14 @@ tlb_fixup_done: + nop + #endif + +- mov %l6, %o1 ! OpenPROM stack + call prom_init + mov %l7, %o0 ! OpenPROM cif handler + +- /* Initialize current_thread_info()->cpu as early as possible. +- * In order to do that accurately we have to patch up the get_cpuid() +- * assembler sequences. And that, in turn, requires that we know +- * if we are on a Starfire box or not. While we're here, patch up +- * the sun4v sequences as well. ++ /* To create a one-register-window buffer between the kernel's ++ * initial stack and the last stack frame we use from the firmware, ++ * do the rest of the boot from a C helper function. 
+ */ +- call check_if_starfire +- nop +- call per_cpu_patch +- nop +- call sun4v_patch +- nop +- +-#ifdef CONFIG_SMP +- call hard_smp_processor_id +- nop +- cmp %o0, NR_CPUS +- blu,pt %xcc, 1f +- nop +- call boot_cpu_id_too_large +- nop +- /* Not reached... */ +- +-1: +-#else +- mov 0, %o0 +-#endif +- sth %o0, [%g6 + TI_CPU] +- +- call prom_init_report +- nop +- +- /* Off we go.... */ +- call start_kernel ++ call start_early_boot + nop + /* Not reached... */ + +diff --git a/arch/sparc/kernel/hvapi.c b/arch/sparc/kernel/hvapi.c +index c0a2de0fd624..5c55145bfbf0 100644 +--- a/arch/sparc/kernel/hvapi.c ++++ b/arch/sparc/kernel/hvapi.c +@@ -46,6 +46,7 @@ static struct api_info api_table[] = { + { .group = HV_GRP_VF_CPU, }, + { .group = HV_GRP_KT_CPU, }, + { .group = HV_GRP_VT_CPU, }, ++ { .group = HV_GRP_T5_CPU, }, + { .group = HV_GRP_DIAG, .flags = FLAG_PRE_API }, + }; + +diff --git a/arch/sparc/kernel/hvcalls.S b/arch/sparc/kernel/hvcalls.S +index f3ab509b76a8..caedf8320416 100644 +--- a/arch/sparc/kernel/hvcalls.S ++++ b/arch/sparc/kernel/hvcalls.S +@@ -821,3 +821,19 @@ ENTRY(sun4v_vt_set_perfreg) + retl + nop + ENDPROC(sun4v_vt_set_perfreg) ++ ++ENTRY(sun4v_t5_get_perfreg) ++ mov %o1, %o4 ++ mov HV_FAST_T5_GET_PERFREG, %o5 ++ ta HV_FAST_TRAP ++ stx %o1, [%o4] ++ retl ++ nop ++ENDPROC(sun4v_t5_get_perfreg) ++ ++ENTRY(sun4v_t5_set_perfreg) ++ mov HV_FAST_T5_SET_PERFREG, %o5 ++ ta HV_FAST_TRAP ++ retl ++ nop ++ENDPROC(sun4v_t5_set_perfreg) +diff --git a/arch/sparc/kernel/hvtramp.S b/arch/sparc/kernel/hvtramp.S +index b7ddcdd1dea9..cdbfec299f2f 100644 +--- a/arch/sparc/kernel/hvtramp.S ++++ b/arch/sparc/kernel/hvtramp.S +@@ -109,7 +109,6 @@ hv_cpu_startup: + sllx %g5, THREAD_SHIFT, %g5 + sub %g5, (STACKFRAME_SZ + STACK_BIAS), %g5 + add %g6, %g5, %sp +- mov 0, %fp + + call init_irqwork_curcpu + nop +diff --git a/arch/sparc/kernel/ioport.c b/arch/sparc/kernel/ioport.c +index e7e215dfa866..c2d81ad62e78 100644 +--- a/arch/sparc/kernel/ioport.c ++++ b/arch/sparc/kernel/ioport.c +@@ -278,7 +278,8 @@ static void *sbus_alloc_coherent(struct device *dev, size_t len, + } + + order = get_order(len_total); +- if ((va = __get_free_pages(GFP_KERNEL|__GFP_COMP, order)) == 0) ++ va = __get_free_pages(gfp, order); ++ if (va == 0) + goto err_nopages; + + if ((res = kzalloc(sizeof(struct resource), GFP_KERNEL)) == NULL) +@@ -443,7 +444,7 @@ static void *pci32_alloc_coherent(struct device *dev, size_t len, + } + + order = get_order(len_total); +- va = (void *) __get_free_pages(GFP_KERNEL, order); ++ va = (void *) __get_free_pages(gfp, order); + if (va == NULL) { + printk("pci_alloc_consistent: no %ld pages\n", len_total>>PAGE_SHIFT); + goto err_nopages; +diff --git a/arch/sparc/kernel/irq_64.c b/arch/sparc/kernel/irq_64.c +index 666193f4e8bb..4033c23bdfa6 100644 +--- a/arch/sparc/kernel/irq_64.c ++++ b/arch/sparc/kernel/irq_64.c +@@ -47,8 +47,6 @@ + #include "cpumap.h" + #include "kstack.h" + +-#define NUM_IVECS (IMAP_INR + 1) +- + struct ino_bucket *ivector_table; + unsigned long ivector_table_pa; + +@@ -107,55 +105,196 @@ static void bucket_set_irq(unsigned long bucket_pa, unsigned int irq) + + #define irq_work_pa(__cpu) &(trap_block[(__cpu)].irq_worklist_pa) + +-static struct { +- unsigned int dev_handle; +- unsigned int dev_ino; +- unsigned int in_use; +-} irq_table[NR_IRQS]; +-static DEFINE_SPINLOCK(irq_alloc_lock); ++static unsigned long hvirq_major __initdata; ++static int __init early_hvirq_major(char *p) ++{ ++ int rc = kstrtoul(p, 10, &hvirq_major); ++ ++ return rc; ++} ++early_param("hvirq", 
early_hvirq_major); ++ ++static int hv_irq_version; ++ ++/* Major version 2.0 of HV_GRP_INTR added support for the VIRQ cookie ++ * based interfaces, but: ++ * ++ * 1) Several OSs, Solaris and Linux included, use them even when only ++ * negotiating version 1.0 (or failing to negotiate at all). So the ++ * hypervisor has a workaround that provides the VIRQ interfaces even ++ * when only verion 1.0 of the API is in use. ++ * ++ * 2) Second, and more importantly, with major version 2.0 these VIRQ ++ * interfaces only were actually hooked up for LDC interrupts, even ++ * though the Hypervisor specification clearly stated: ++ * ++ * The new interrupt API functions will be available to a guest ++ * when it negotiates version 2.0 in the interrupt API group 0x2. When ++ * a guest negotiates version 2.0, all interrupt sources will only ++ * support using the cookie interface, and any attempt to use the ++ * version 1.0 interrupt APIs numbered 0xa0 to 0xa6 will result in the ++ * ENOTSUPPORTED error being returned. ++ * ++ * with an emphasis on "all interrupt sources". ++ * ++ * To correct this, major version 3.0 was created which does actually ++ * support VIRQs for all interrupt sources (not just LDC devices). So ++ * if we want to move completely over the cookie based VIRQs we must ++ * negotiate major version 3.0 or later of HV_GRP_INTR. ++ */ ++static bool sun4v_cookie_only_virqs(void) ++{ ++ if (hv_irq_version >= 3) ++ return true; ++ return false; ++} + +-unsigned char irq_alloc(unsigned int dev_handle, unsigned int dev_ino) ++static void __init irq_init_hv(void) + { +- unsigned long flags; +- unsigned char ent; ++ unsigned long hv_error, major, minor = 0; ++ ++ if (tlb_type != hypervisor) ++ return; + +- BUILD_BUG_ON(NR_IRQS >= 256); ++ if (hvirq_major) ++ major = hvirq_major; ++ else ++ major = 3; + +- spin_lock_irqsave(&irq_alloc_lock, flags); ++ hv_error = sun4v_hvapi_register(HV_GRP_INTR, major, &minor); ++ if (!hv_error) ++ hv_irq_version = major; ++ else ++ hv_irq_version = 1; + +- for (ent = 1; ent < NR_IRQS; ent++) { +- if (!irq_table[ent].in_use) ++ pr_info("SUN4V: Using IRQ API major %d, cookie only virqs %s\n", ++ hv_irq_version, ++ sun4v_cookie_only_virqs() ? 
"enabled" : "disabled"); ++} ++ ++/* This function is for the timer interrupt.*/ ++int __init arch_probe_nr_irqs(void) ++{ ++ return 1; ++} ++ ++#define DEFAULT_NUM_IVECS (0xfffU) ++static unsigned int nr_ivec = DEFAULT_NUM_IVECS; ++#define NUM_IVECS (nr_ivec) ++ ++static unsigned int __init size_nr_ivec(void) ++{ ++ if (tlb_type == hypervisor) { ++ switch (sun4v_chip_type) { ++ /* Athena's devhandle|devino is large.*/ ++ case SUN4V_CHIP_SPARC64X: ++ nr_ivec = 0xffff; + break; ++ } + } +- if (ent >= NR_IRQS) { +- printk(KERN_ERR "IRQ: Out of virtual IRQs.\n"); +- ent = 0; +- } else { +- irq_table[ent].dev_handle = dev_handle; +- irq_table[ent].dev_ino = dev_ino; +- irq_table[ent].in_use = 1; +- } ++ return nr_ivec; ++} ++ ++struct irq_handler_data { ++ union { ++ struct { ++ unsigned int dev_handle; ++ unsigned int dev_ino; ++ }; ++ unsigned long sysino; ++ }; ++ struct ino_bucket bucket; ++ unsigned long iclr; ++ unsigned long imap; ++}; ++ ++static inline unsigned int irq_data_to_handle(struct irq_data *data) ++{ ++ struct irq_handler_data *ihd = data->handler_data; ++ ++ return ihd->dev_handle; ++} ++ ++static inline unsigned int irq_data_to_ino(struct irq_data *data) ++{ ++ struct irq_handler_data *ihd = data->handler_data; + +- spin_unlock_irqrestore(&irq_alloc_lock, flags); ++ return ihd->dev_ino; ++} ++ ++static inline unsigned long irq_data_to_sysino(struct irq_data *data) ++{ ++ struct irq_handler_data *ihd = data->handler_data; + +- return ent; ++ return ihd->sysino; + } + +-#ifdef CONFIG_PCI_MSI + void irq_free(unsigned int irq) + { +- unsigned long flags; ++ void *data = irq_get_handler_data(irq); + +- if (irq >= NR_IRQS) +- return; ++ kfree(data); ++ irq_set_handler_data(irq, NULL); ++ irq_free_descs(irq, 1); ++} + +- spin_lock_irqsave(&irq_alloc_lock, flags); ++unsigned int irq_alloc(unsigned int dev_handle, unsigned int dev_ino) ++{ ++ int irq; + +- irq_table[irq].in_use = 0; ++ irq = __irq_alloc_descs(-1, 1, 1, numa_node_id(), NULL); ++ if (irq <= 0) ++ goto out; + +- spin_unlock_irqrestore(&irq_alloc_lock, flags); ++ return irq; ++out: ++ return 0; ++} ++ ++static unsigned int cookie_exists(u32 devhandle, unsigned int devino) ++{ ++ unsigned long hv_err, cookie; ++ struct ino_bucket *bucket; ++ unsigned int irq = 0U; ++ ++ hv_err = sun4v_vintr_get_cookie(devhandle, devino, &cookie); ++ if (hv_err) { ++ pr_err("HV get cookie failed hv_err = %ld\n", hv_err); ++ goto out; ++ } ++ ++ if (cookie & ((1UL << 63UL))) { ++ cookie = ~cookie; ++ bucket = (struct ino_bucket *) __va(cookie); ++ irq = bucket->__irq; ++ } ++out: ++ return irq; ++} ++ ++static unsigned int sysino_exists(u32 devhandle, unsigned int devino) ++{ ++ unsigned long sysino = sun4v_devino_to_sysino(devhandle, devino); ++ struct ino_bucket *bucket; ++ unsigned int irq; ++ ++ bucket = &ivector_table[sysino]; ++ irq = bucket_get_irq(__pa(bucket)); ++ ++ return irq; ++} ++ ++void ack_bad_irq(unsigned int irq) ++{ ++ pr_crit("BAD IRQ ack %d\n", irq); ++} ++ ++void irq_install_pre_handler(int irq, ++ void (*func)(unsigned int, void *, void *), ++ void *arg1, void *arg2) ++{ ++ pr_warn("IRQ pre handler NOT supported.\n"); + } +-#endif + + /* + * /proc/interrupts printing: +@@ -206,15 +345,6 @@ static unsigned int sun4u_compute_tid(unsigned long imap, unsigned long cpuid) + return tid; + } + +-struct irq_handler_data { +- unsigned long iclr; +- unsigned long imap; +- +- void (*pre_handler)(unsigned int, void *, void *); +- void *arg1; +- void *arg2; +-}; +- + #ifdef CONFIG_SMP + static int irq_choose_cpu(unsigned int 
irq, const struct cpumask *affinity) + { +@@ -316,8 +446,8 @@ static void sun4u_irq_eoi(struct irq_data *data) + + static void sun4v_irq_enable(struct irq_data *data) + { +- unsigned int ino = irq_table[data->irq].dev_ino; + unsigned long cpuid = irq_choose_cpu(data->irq, data->affinity); ++ unsigned int ino = irq_data_to_sysino(data); + int err; + + err = sun4v_intr_settarget(ino, cpuid); +@@ -337,8 +467,8 @@ static void sun4v_irq_enable(struct irq_data *data) + static int sun4v_set_affinity(struct irq_data *data, + const struct cpumask *mask, bool force) + { +- unsigned int ino = irq_table[data->irq].dev_ino; + unsigned long cpuid = irq_choose_cpu(data->irq, mask); ++ unsigned int ino = irq_data_to_sysino(data); + int err; + + err = sun4v_intr_settarget(ino, cpuid); +@@ -351,7 +481,7 @@ static int sun4v_set_affinity(struct irq_data *data, + + static void sun4v_irq_disable(struct irq_data *data) + { +- unsigned int ino = irq_table[data->irq].dev_ino; ++ unsigned int ino = irq_data_to_sysino(data); + int err; + + err = sun4v_intr_setenabled(ino, HV_INTR_DISABLED); +@@ -362,7 +492,7 @@ static void sun4v_irq_disable(struct irq_data *data) + + static void sun4v_irq_eoi(struct irq_data *data) + { +- unsigned int ino = irq_table[data->irq].dev_ino; ++ unsigned int ino = irq_data_to_sysino(data); + int err; + + err = sun4v_intr_setstate(ino, HV_INTR_STATE_IDLE); +@@ -373,14 +503,13 @@ static void sun4v_irq_eoi(struct irq_data *data) + + static void sun4v_virq_enable(struct irq_data *data) + { +- unsigned long cpuid, dev_handle, dev_ino; ++ unsigned long dev_handle = irq_data_to_handle(data); ++ unsigned long dev_ino = irq_data_to_ino(data); ++ unsigned long cpuid; + int err; + + cpuid = irq_choose_cpu(data->irq, data->affinity); + +- dev_handle = irq_table[data->irq].dev_handle; +- dev_ino = irq_table[data->irq].dev_ino; +- + err = sun4v_vintr_set_target(dev_handle, dev_ino, cpuid); + if (err != HV_EOK) + printk(KERN_ERR "sun4v_vintr_set_target(%lx,%lx,%lu): " +@@ -403,14 +532,13 @@ static void sun4v_virq_enable(struct irq_data *data) + static int sun4v_virt_set_affinity(struct irq_data *data, + const struct cpumask *mask, bool force) + { +- unsigned long cpuid, dev_handle, dev_ino; ++ unsigned long dev_handle = irq_data_to_handle(data); ++ unsigned long dev_ino = irq_data_to_ino(data); ++ unsigned long cpuid; + int err; + + cpuid = irq_choose_cpu(data->irq, mask); + +- dev_handle = irq_table[data->irq].dev_handle; +- dev_ino = irq_table[data->irq].dev_ino; +- + err = sun4v_vintr_set_target(dev_handle, dev_ino, cpuid); + if (err != HV_EOK) + printk(KERN_ERR "sun4v_vintr_set_target(%lx,%lx,%lu): " +@@ -422,11 +550,10 @@ static int sun4v_virt_set_affinity(struct irq_data *data, + + static void sun4v_virq_disable(struct irq_data *data) + { +- unsigned long dev_handle, dev_ino; ++ unsigned long dev_handle = irq_data_to_handle(data); ++ unsigned long dev_ino = irq_data_to_ino(data); + int err; + +- dev_handle = irq_table[data->irq].dev_handle; +- dev_ino = irq_table[data->irq].dev_ino; + + err = sun4v_vintr_set_valid(dev_handle, dev_ino, + HV_INTR_DISABLED); +@@ -438,12 +565,10 @@ static void sun4v_virq_disable(struct irq_data *data) + + static void sun4v_virq_eoi(struct irq_data *data) + { +- unsigned long dev_handle, dev_ino; ++ unsigned long dev_handle = irq_data_to_handle(data); ++ unsigned long dev_ino = irq_data_to_ino(data); + int err; + +- dev_handle = irq_table[data->irq].dev_handle; +- dev_ino = irq_table[data->irq].dev_ino; +- + err = sun4v_vintr_set_state(dev_handle, dev_ino, + 
HV_INTR_STATE_IDLE); + if (err != HV_EOK) +@@ -479,31 +604,10 @@ static struct irq_chip sun4v_virq = { + .flags = IRQCHIP_EOI_IF_HANDLED, + }; + +-static void pre_flow_handler(struct irq_data *d) +-{ +- struct irq_handler_data *handler_data = irq_data_get_irq_handler_data(d); +- unsigned int ino = irq_table[d->irq].dev_ino; +- +- handler_data->pre_handler(ino, handler_data->arg1, handler_data->arg2); +-} +- +-void irq_install_pre_handler(int irq, +- void (*func)(unsigned int, void *, void *), +- void *arg1, void *arg2) +-{ +- struct irq_handler_data *handler_data = irq_get_handler_data(irq); +- +- handler_data->pre_handler = func; +- handler_data->arg1 = arg1; +- handler_data->arg2 = arg2; +- +- __irq_set_preflow_handler(irq, pre_flow_handler); +-} +- + unsigned int build_irq(int inofixup, unsigned long iclr, unsigned long imap) + { +- struct ino_bucket *bucket; + struct irq_handler_data *handler_data; ++ struct ino_bucket *bucket; + unsigned int irq; + int ino; + +@@ -537,119 +641,166 @@ out: + return irq; + } + +-static unsigned int sun4v_build_common(unsigned long sysino, +- struct irq_chip *chip) ++static unsigned int sun4v_build_common(u32 devhandle, unsigned int devino, ++ void (*handler_data_init)(struct irq_handler_data *data, ++ u32 devhandle, unsigned int devino), ++ struct irq_chip *chip) + { +- struct ino_bucket *bucket; +- struct irq_handler_data *handler_data; ++ struct irq_handler_data *data; + unsigned int irq; + +- BUG_ON(tlb_type != hypervisor); ++ irq = irq_alloc(devhandle, devino); ++ if (!irq) ++ goto out; + +- bucket = &ivector_table[sysino]; +- irq = bucket_get_irq(__pa(bucket)); +- if (!irq) { +- irq = irq_alloc(0, sysino); +- bucket_set_irq(__pa(bucket), irq); +- irq_set_chip_and_handler_name(irq, chip, handle_fasteoi_irq, +- "IVEC"); ++ data = kzalloc(sizeof(struct irq_handler_data), GFP_ATOMIC); ++ if (unlikely(!data)) { ++ pr_err("IRQ handler data allocation failed.\n"); ++ irq_free(irq); ++ irq = 0; ++ goto out; + } + +- handler_data = irq_get_handler_data(irq); +- if (unlikely(handler_data)) +- goto out; ++ irq_set_handler_data(irq, data); ++ handler_data_init(data, devhandle, devino); ++ irq_set_chip_and_handler_name(irq, chip, handle_fasteoi_irq, "IVEC"); ++ data->imap = ~0UL; ++ data->iclr = ~0UL; ++out: ++ return irq; ++} + +- handler_data = kzalloc(sizeof(struct irq_handler_data), GFP_ATOMIC); +- if (unlikely(!handler_data)) { +- prom_printf("IRQ: kzalloc(irq_handler_data) failed.\n"); +- prom_halt(); +- } +- irq_set_handler_data(irq, handler_data); ++static unsigned long cookie_assign(unsigned int irq, u32 devhandle, ++ unsigned int devino) ++{ ++ struct irq_handler_data *ihd = irq_get_handler_data(irq); ++ unsigned long hv_error, cookie; + +- /* Catch accidental accesses to these things. IMAP/ICLR handling +- * is done by hypervisor calls on sun4v platforms, not by direct +- * register accesses. ++ /* handler_irq needs to find the irq. cookie is seen signed in ++ * sun4v_dev_mondo and treated as a non ivector_table delivery. 
+ */ +- handler_data->imap = ~0UL; +- handler_data->iclr = ~0UL; ++ ihd->bucket.__irq = irq; ++ cookie = ~__pa(&ihd->bucket); + +-out: +- return irq; ++ hv_error = sun4v_vintr_set_cookie(devhandle, devino, cookie); ++ if (hv_error) ++ pr_err("HV vintr set cookie failed = %ld\n", hv_error); ++ ++ return hv_error; + } + +-unsigned int sun4v_build_irq(u32 devhandle, unsigned int devino) ++static void cookie_handler_data(struct irq_handler_data *data, ++ u32 devhandle, unsigned int devino) + { +- unsigned long sysino = sun4v_devino_to_sysino(devhandle, devino); ++ data->dev_handle = devhandle; ++ data->dev_ino = devino; ++} + +- return sun4v_build_common(sysino, &sun4v_irq); ++static unsigned int cookie_build_irq(u32 devhandle, unsigned int devino, ++ struct irq_chip *chip) ++{ ++ unsigned long hv_error; ++ unsigned int irq; ++ ++ irq = sun4v_build_common(devhandle, devino, cookie_handler_data, chip); ++ ++ hv_error = cookie_assign(irq, devhandle, devino); ++ if (hv_error) { ++ irq_free(irq); ++ irq = 0; ++ } ++ ++ return irq; + } + +-unsigned int sun4v_build_virq(u32 devhandle, unsigned int devino) ++static unsigned int sun4v_build_cookie(u32 devhandle, unsigned int devino) + { +- struct irq_handler_data *handler_data; +- unsigned long hv_err, cookie; +- struct ino_bucket *bucket; + unsigned int irq; + +- bucket = kzalloc(sizeof(struct ino_bucket), GFP_ATOMIC); +- if (unlikely(!bucket)) +- return 0; ++ irq = cookie_exists(devhandle, devino); ++ if (irq) ++ goto out; + +- /* The only reference we store to the IRQ bucket is +- * by physical address which kmemleak can't see, tell +- * it that this object explicitly is not a leak and +- * should be scanned. +- */ +- kmemleak_not_leak(bucket); ++ irq = cookie_build_irq(devhandle, devino, &sun4v_virq); + +- __flush_dcache_range((unsigned long) bucket, +- ((unsigned long) bucket + +- sizeof(struct ino_bucket))); ++out: ++ return irq; ++} + +- irq = irq_alloc(devhandle, devino); ++static void sysino_set_bucket(unsigned int irq) ++{ ++ struct irq_handler_data *ihd = irq_get_handler_data(irq); ++ struct ino_bucket *bucket; ++ unsigned long sysino; ++ ++ sysino = sun4v_devino_to_sysino(ihd->dev_handle, ihd->dev_ino); ++ BUG_ON(sysino >= nr_ivec); ++ bucket = &ivector_table[sysino]; + bucket_set_irq(__pa(bucket), irq); ++} + +- irq_set_chip_and_handler_name(irq, &sun4v_virq, handle_fasteoi_irq, +- "IVEC"); ++static void sysino_handler_data(struct irq_handler_data *data, ++ u32 devhandle, unsigned int devino) ++{ ++ unsigned long sysino; + +- handler_data = kzalloc(sizeof(struct irq_handler_data), GFP_ATOMIC); +- if (unlikely(!handler_data)) +- return 0; ++ sysino = sun4v_devino_to_sysino(devhandle, devino); ++ data->sysino = sysino; ++} + +- /* In order to make the LDC channel startup sequence easier, +- * especially wrt. locking, we do not let request_irq() enable +- * the interrupt. +- */ +- irq_set_status_flags(irq, IRQ_NOAUTOEN); +- irq_set_handler_data(irq, handler_data); ++static unsigned int sysino_build_irq(u32 devhandle, unsigned int devino, ++ struct irq_chip *chip) ++{ ++ unsigned int irq; + +- /* Catch accidental accesses to these things. IMAP/ICLR handling +- * is done by hypervisor calls on sun4v platforms, not by direct +- * register accesses. 
+- */ +- handler_data->imap = ~0UL; +- handler_data->iclr = ~0UL; ++ irq = sun4v_build_common(devhandle, devino, sysino_handler_data, chip); ++ if (!irq) ++ goto out; + +- cookie = ~__pa(bucket); +- hv_err = sun4v_vintr_set_cookie(devhandle, devino, cookie); +- if (hv_err) { +- prom_printf("IRQ: Fatal, cannot set cookie for [%x:%x] " +- "err=%lu\n", devhandle, devino, hv_err); +- prom_halt(); +- } ++ sysino_set_bucket(irq); ++out: ++ return irq; ++} + ++static int sun4v_build_sysino(u32 devhandle, unsigned int devino) ++{ ++ int irq; ++ ++ irq = sysino_exists(devhandle, devino); ++ if (irq) ++ goto out; ++ ++ irq = sysino_build_irq(devhandle, devino, &sun4v_irq); ++out: + return irq; + } + +-void ack_bad_irq(unsigned int irq) ++unsigned int sun4v_build_irq(u32 devhandle, unsigned int devino) + { +- unsigned int ino = irq_table[irq].dev_ino; ++ unsigned int irq; + +- if (!ino) +- ino = 0xdeadbeef; ++ if (sun4v_cookie_only_virqs()) ++ irq = sun4v_build_cookie(devhandle, devino); ++ else ++ irq = sun4v_build_sysino(devhandle, devino); + +- printk(KERN_CRIT "Unexpected IRQ from ino[%x] irq[%u]\n", +- ino, irq); ++ return irq; ++} ++ ++unsigned int sun4v_build_virq(u32 devhandle, unsigned int devino) ++{ ++ int irq; ++ ++ irq = cookie_build_irq(devhandle, devino, &sun4v_virq); ++ if (!irq) ++ goto out; ++ ++ /* This is borrowed from the original function. ++ */ ++ irq_set_status_flags(irq, IRQ_NOAUTOEN); ++ ++out: ++ return irq; + } + + void *hardirq_stack[NR_CPUS]; +@@ -720,9 +871,12 @@ void fixup_irqs(void) + + for (irq = 0; irq < NR_IRQS; irq++) { + struct irq_desc *desc = irq_to_desc(irq); +- struct irq_data *data = irq_desc_get_irq_data(desc); ++ struct irq_data *data; + unsigned long flags; + ++ if (!desc) ++ continue; ++ data = irq_desc_get_irq_data(desc); + raw_spin_lock_irqsave(&desc->lock, flags); + if (desc->action && !irqd_is_per_cpu(data)) { + if (data->chip->irq_set_affinity) +@@ -922,16 +1076,22 @@ static struct irqaction timer_irq_action = { + .name = "timer", + }; + +-/* Only invoked on boot processor. */ +-void __init init_IRQ(void) ++static void __init irq_ivector_init(void) + { +- unsigned long size; ++ unsigned long size, order; ++ unsigned int ivecs; + +- map_prom_timers(); +- kill_prom_timer(); ++ /* If we are doing cookie only VIRQs then we do not need the ivector ++ * table to process interrupts. ++ */ ++ if (sun4v_cookie_only_virqs()) ++ return; + +- size = sizeof(struct ino_bucket) * NUM_IVECS; +- ivector_table = kzalloc(size, GFP_KERNEL); ++ ivecs = size_nr_ivec(); ++ size = sizeof(struct ino_bucket) * ivecs; ++ order = get_order(size); ++ ivector_table = (struct ino_bucket *) ++ __get_free_pages(GFP_KERNEL | __GFP_ZERO, order); + if (!ivector_table) { + prom_printf("Fatal error, cannot allocate ivector_table\n"); + prom_halt(); +@@ -940,6 +1100,15 @@ void __init init_IRQ(void) + ((unsigned long) ivector_table) + size); + + ivector_table_pa = __pa(ivector_table); ++} ++ ++/* Only invoked on boot processor.*/ ++void __init init_IRQ(void) ++{ ++ irq_init_hv(); ++ irq_ivector_init(); ++ map_prom_timers(); ++ kill_prom_timer(); + + if (tlb_type == hypervisor) + sun4v_init_mondo_queues(); +diff --git a/arch/sparc/kernel/ktlb.S b/arch/sparc/kernel/ktlb.S +index 605d49204580..ef0d8e9e1210 100644 +--- a/arch/sparc/kernel/ktlb.S ++++ b/arch/sparc/kernel/ktlb.S +@@ -47,14 +47,6 @@ kvmap_itlb_vmalloc_addr: + KERN_PGTABLE_WALK(%g4, %g5, %g2, kvmap_itlb_longpath) + + TSB_LOCK_TAG(%g1, %g2, %g7) +- +- /* Load and check PTE. 
*/ +- ldxa [%g5] ASI_PHYS_USE_EC, %g5 +- mov 1, %g7 +- sllx %g7, TSB_TAG_INVALID_BIT, %g7 +- brgez,a,pn %g5, kvmap_itlb_longpath +- TSB_STORE(%g1, %g7) +- + TSB_WRITE(%g1, %g5, %g6) + + /* fallthrough to TLB load */ +@@ -118,6 +110,12 @@ kvmap_dtlb_obp: + ba,pt %xcc, kvmap_dtlb_load + nop + ++kvmap_linear_early: ++ sethi %hi(kern_linear_pte_xor), %g7 ++ ldx [%g7 + %lo(kern_linear_pte_xor)], %g2 ++ ba,pt %xcc, kvmap_dtlb_tsb4m_load ++ xor %g2, %g4, %g5 ++ + .align 32 + kvmap_dtlb_tsb4m_load: + TSB_LOCK_TAG(%g1, %g2, %g7) +@@ -146,105 +144,17 @@ kvmap_dtlb_4v: + /* Correct TAG_TARGET is already in %g6, check 4mb TSB. */ + KERN_TSB4M_LOOKUP_TL1(%g6, %g5, %g1, %g2, %g3, kvmap_dtlb_load) + #endif +- /* TSB entry address left in %g1, lookup linear PTE. +- * Must preserve %g1 and %g6 (TAG). +- */ +-kvmap_dtlb_tsb4m_miss: +- /* Clear the PAGE_OFFSET top virtual bits, shift +- * down to get PFN, and make sure PFN is in range. +- */ +-661: sllx %g4, 0, %g5 +- .section .page_offset_shift_patch, "ax" +- .word 661b +- .previous +- +- /* Check to see if we know about valid memory at the 4MB +- * chunk this physical address will reside within. ++ /* Linear mapping TSB lookup failed. Fallthrough to kernel ++ * page table based lookup. + */ +-661: srlx %g5, MAX_PHYS_ADDRESS_BITS, %g2 +- .section .page_offset_shift_patch, "ax" +- .word 661b +- .previous +- +- brnz,pn %g2, kvmap_dtlb_longpath +- nop +- +- /* This unconditional branch and delay-slot nop gets patched +- * by the sethi sequence once the bitmap is properly setup. +- */ +- .globl valid_addr_bitmap_insn +-valid_addr_bitmap_insn: +- ba,pt %xcc, 2f +- nop +- .subsection 2 +- .globl valid_addr_bitmap_patch +-valid_addr_bitmap_patch: +- sethi %hi(sparc64_valid_addr_bitmap), %g7 +- or %g7, %lo(sparc64_valid_addr_bitmap), %g7 +- .previous +- +-661: srlx %g5, ILOG2_4MB, %g2 +- .section .page_offset_shift_patch, "ax" +- .word 661b +- .previous +- +- srlx %g2, 6, %g5 +- and %g2, 63, %g2 +- sllx %g5, 3, %g5 +- ldx [%g7 + %g5], %g5 +- mov 1, %g7 +- sllx %g7, %g2, %g7 +- andcc %g5, %g7, %g0 +- be,pn %xcc, kvmap_dtlb_longpath +- +-2: sethi %hi(kpte_linear_bitmap), %g2 +- +- /* Get the 256MB physical address index. */ +-661: sllx %g4, 0, %g5 +- .section .page_offset_shift_patch, "ax" +- .word 661b +- .previous +- +- or %g2, %lo(kpte_linear_bitmap), %g2 +- +-661: srlx %g5, ILOG2_256MB, %g5 +- .section .page_offset_shift_patch, "ax" +- .word 661b +- .previous +- +- and %g5, (32 - 1), %g7 +- +- /* Divide by 32 to get the offset into the bitmask. */ +- srlx %g5, 5, %g5 +- add %g7, %g7, %g7 +- sllx %g5, 3, %g5 +- +- /* kern_linear_pte_xor[(mask >> shift) & 3)] */ +- ldx [%g2 + %g5], %g2 +- srlx %g2, %g7, %g7 +- sethi %hi(kern_linear_pte_xor), %g5 +- and %g7, 3, %g7 +- or %g5, %lo(kern_linear_pte_xor), %g5 +- sllx %g7, 3, %g7 +- ldx [%g5 + %g7], %g2 +- + .globl kvmap_linear_patch + kvmap_linear_patch: +- ba,pt %xcc, kvmap_dtlb_tsb4m_load +- xor %g2, %g4, %g5 ++ ba,a,pt %xcc, kvmap_linear_early + + kvmap_dtlb_vmalloc_addr: + KERN_PGTABLE_WALK(%g4, %g5, %g2, kvmap_dtlb_longpath) + + TSB_LOCK_TAG(%g1, %g2, %g7) +- +- /* Load and check PTE. 
*/ +- ldxa [%g5] ASI_PHYS_USE_EC, %g5 +- mov 1, %g7 +- sllx %g7, TSB_TAG_INVALID_BIT, %g7 +- brgez,a,pn %g5, kvmap_dtlb_longpath +- TSB_STORE(%g1, %g7) +- + TSB_WRITE(%g1, %g5, %g6) + + /* fallthrough to TLB load */ +@@ -276,13 +186,8 @@ kvmap_dtlb_load: + + #ifdef CONFIG_SPARSEMEM_VMEMMAP + kvmap_vmemmap: +- sub %g4, %g5, %g5 +- srlx %g5, ILOG2_4MB, %g5 +- sethi %hi(vmemmap_table), %g1 +- sllx %g5, 3, %g5 +- or %g1, %lo(vmemmap_table), %g1 +- ba,pt %xcc, kvmap_dtlb_load +- ldx [%g1 + %g5], %g5 ++ KERN_PGTABLE_WALK(%g4, %g5, %g2, kvmap_dtlb_longpath) ++ ba,a,pt %xcc, kvmap_dtlb_load + #endif + + kvmap_dtlb_nonlinear: +@@ -294,8 +199,8 @@ kvmap_dtlb_nonlinear: + + #ifdef CONFIG_SPARSEMEM_VMEMMAP + /* Do not use the TSB for vmemmap. */ +- mov (VMEMMAP_BASE >> 40), %g5 +- sllx %g5, 40, %g5 ++ sethi %hi(VMEMMAP_BASE), %g5 ++ ldx [%g5 + %lo(VMEMMAP_BASE)], %g5 + cmp %g4,%g5 + bgeu,pn %xcc, kvmap_vmemmap + nop +@@ -307,8 +212,8 @@ kvmap_dtlb_tsbmiss: + sethi %hi(MODULES_VADDR), %g5 + cmp %g4, %g5 + blu,pn %xcc, kvmap_dtlb_longpath +- mov (VMALLOC_END >> 40), %g5 +- sllx %g5, 40, %g5 ++ sethi %hi(VMALLOC_END), %g5 ++ ldx [%g5 + %lo(VMALLOC_END)], %g5 + cmp %g4, %g5 + bgeu,pn %xcc, kvmap_dtlb_longpath + nop +diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c +index 66dacd56bb10..27bb55485472 100644 +--- a/arch/sparc/kernel/ldc.c ++++ b/arch/sparc/kernel/ldc.c +@@ -1078,7 +1078,8 @@ static void ldc_iommu_release(struct ldc_channel *lp) + + struct ldc_channel *ldc_alloc(unsigned long id, + const struct ldc_channel_config *cfgp, +- void *event_arg) ++ void *event_arg, ++ const char *name) + { + struct ldc_channel *lp; + const struct ldc_mode_ops *mops; +@@ -1093,6 +1094,8 @@ struct ldc_channel *ldc_alloc(unsigned long id, + err = -EINVAL; + if (!cfgp) + goto out_err; ++ if (!name) ++ goto out_err; + + switch (cfgp->mode) { + case LDC_MODE_RAW: +@@ -1185,6 +1188,21 @@ struct ldc_channel *ldc_alloc(unsigned long id, + + INIT_HLIST_HEAD(&lp->mh_list); + ++ snprintf(lp->rx_irq_name, LDC_IRQ_NAME_MAX, "%s RX", name); ++ snprintf(lp->tx_irq_name, LDC_IRQ_NAME_MAX, "%s TX", name); ++ ++ err = request_irq(lp->cfg.rx_irq, ldc_rx, 0, ++ lp->rx_irq_name, lp); ++ if (err) ++ goto out_free_txq; ++ ++ err = request_irq(lp->cfg.tx_irq, ldc_tx, 0, ++ lp->tx_irq_name, lp); ++ if (err) { ++ free_irq(lp->cfg.rx_irq, lp); ++ goto out_free_txq; ++ } ++ + return lp; + + out_free_txq: +@@ -1237,31 +1255,14 @@ EXPORT_SYMBOL(ldc_free); + * state. This does not initiate a handshake, ldc_connect() does + * that. 
+ */ +-int ldc_bind(struct ldc_channel *lp, const char *name) ++int ldc_bind(struct ldc_channel *lp) + { + unsigned long hv_err, flags; + int err = -EINVAL; + +- if (!name || +- (lp->state != LDC_STATE_INIT)) ++ if (lp->state != LDC_STATE_INIT) + return -EINVAL; + +- snprintf(lp->rx_irq_name, LDC_IRQ_NAME_MAX, "%s RX", name); +- snprintf(lp->tx_irq_name, LDC_IRQ_NAME_MAX, "%s TX", name); +- +- err = request_irq(lp->cfg.rx_irq, ldc_rx, 0, +- lp->rx_irq_name, lp); +- if (err) +- return err; +- +- err = request_irq(lp->cfg.tx_irq, ldc_tx, 0, +- lp->tx_irq_name, lp); +- if (err) { +- free_irq(lp->cfg.rx_irq, lp); +- return err; +- } +- +- + spin_lock_irqsave(&lp->lock, flags); + + enable_irq(lp->cfg.rx_irq); +diff --git a/arch/sparc/kernel/nmi.c b/arch/sparc/kernel/nmi.c +index 6479256fd5a4..fce8ab17bcbb 100644 +--- a/arch/sparc/kernel/nmi.c ++++ b/arch/sparc/kernel/nmi.c +@@ -141,7 +141,6 @@ static inline unsigned int get_nmi_count(int cpu) + + static __init void nmi_cpu_busy(void *data) + { +- local_irq_enable_in_hardirq(); + while (endflag == 0) + mb(); + } +diff --git a/arch/sparc/kernel/pcr.c b/arch/sparc/kernel/pcr.c +index 269af58497aa..7e967c8018c8 100644 +--- a/arch/sparc/kernel/pcr.c ++++ b/arch/sparc/kernel/pcr.c +@@ -191,12 +191,41 @@ static const struct pcr_ops n4_pcr_ops = { + .pcr_nmi_disable = PCR_N4_PICNPT, + }; + ++static u64 n5_pcr_read(unsigned long reg_num) ++{ ++ unsigned long val; ++ ++ (void) sun4v_t5_get_perfreg(reg_num, &val); ++ ++ return val; ++} ++ ++static void n5_pcr_write(unsigned long reg_num, u64 val) ++{ ++ (void) sun4v_t5_set_perfreg(reg_num, val); ++} ++ ++static const struct pcr_ops n5_pcr_ops = { ++ .read_pcr = n5_pcr_read, ++ .write_pcr = n5_pcr_write, ++ .read_pic = n4_pic_read, ++ .write_pic = n4_pic_write, ++ .nmi_picl_value = n4_picl_value, ++ .pcr_nmi_enable = (PCR_N4_PICNPT | PCR_N4_STRACE | ++ PCR_N4_UTRACE | PCR_N4_TOE | ++ (26 << PCR_N4_SL_SHIFT)), ++ .pcr_nmi_disable = PCR_N4_PICNPT, ++}; ++ ++ + static unsigned long perf_hsvc_group; + static unsigned long perf_hsvc_major; + static unsigned long perf_hsvc_minor; + + static int __init register_perf_hsvc(void) + { ++ unsigned long hverror; ++ + if (tlb_type == hypervisor) { + switch (sun4v_chip_type) { + case SUN4V_CHIP_NIAGARA1: +@@ -215,6 +244,10 @@ static int __init register_perf_hsvc(void) + perf_hsvc_group = HV_GRP_VT_CPU; + break; + ++ case SUN4V_CHIP_NIAGARA5: ++ perf_hsvc_group = HV_GRP_T5_CPU; ++ break; ++ + default: + return -ENODEV; + } +@@ -222,10 +255,12 @@ static int __init register_perf_hsvc(void) + + perf_hsvc_major = 1; + perf_hsvc_minor = 0; +- if (sun4v_hvapi_register(perf_hsvc_group, +- perf_hsvc_major, +- &perf_hsvc_minor)) { +- printk("perfmon: Could not register hvapi.\n"); ++ hverror = sun4v_hvapi_register(perf_hsvc_group, ++ perf_hsvc_major, ++ &perf_hsvc_minor); ++ if (hverror) { ++ pr_err("perfmon: Could not register hvapi(0x%lx).\n", ++ hverror); + return -ENODEV; + } + } +@@ -254,6 +289,10 @@ static int __init setup_sun4v_pcr_ops(void) + pcr_ops = &n4_pcr_ops; + break; + ++ case SUN4V_CHIP_NIAGARA5: ++ pcr_ops = &n5_pcr_ops; ++ break; ++ + default: + ret = -ENODEV; + break; +diff --git a/arch/sparc/kernel/perf_event.c b/arch/sparc/kernel/perf_event.c +index b5c38faa4ead..617b9fe33771 100644 +--- a/arch/sparc/kernel/perf_event.c ++++ b/arch/sparc/kernel/perf_event.c +@@ -1662,7 +1662,8 @@ static bool __init supported_pmu(void) + sparc_pmu = &niagara2_pmu; + return true; + } +- if (!strcmp(sparc_pmu_type, "niagara4")) { ++ if (!strcmp(sparc_pmu_type, "niagara4") || ++ 
!strcmp(sparc_pmu_type, "niagara5")) { + sparc_pmu = &niagara4_pmu; + return true; + } +@@ -1671,9 +1672,12 @@ static bool __init supported_pmu(void) + + int __init init_hw_perf_events(void) + { ++ int err; ++ + pr_info("Performance events: "); + +- if (!supported_pmu()) { ++ err = pcr_arch_init(); ++ if (err || !supported_pmu()) { + pr_cont("No support for PMU type '%s'\n", sparc_pmu_type); + return 0; + } +@@ -1685,7 +1689,7 @@ int __init init_hw_perf_events(void) + + return 0; + } +-early_initcall(init_hw_perf_events); ++pure_initcall(init_hw_perf_events); + + void perf_callchain_kernel(struct perf_callchain_entry *entry, + struct pt_regs *regs) +diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c +index d7b4967f8fa6..c6f7113b6e2f 100644 +--- a/arch/sparc/kernel/process_64.c ++++ b/arch/sparc/kernel/process_64.c +@@ -306,6 +306,9 @@ static void __global_pmu_self(int this_cpu) + struct global_pmu_snapshot *pp; + int i, num; + ++ if (!pcr_ops) ++ return; ++ + pp = &global_cpu_snapshot[this_cpu].pmu; + + num = 1; +diff --git a/arch/sparc/kernel/setup_64.c b/arch/sparc/kernel/setup_64.c +index 3fdb455e3318..61a519808cb7 100644 +--- a/arch/sparc/kernel/setup_64.c ++++ b/arch/sparc/kernel/setup_64.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -174,7 +175,7 @@ char reboot_command[COMMAND_LINE_SIZE]; + + static struct pt_regs fake_swapper_regs = { { 0, }, 0, 0, 0, 0 }; + +-void __init per_cpu_patch(void) ++static void __init per_cpu_patch(void) + { + struct cpuid_patch_entry *p; + unsigned long ver; +@@ -266,7 +267,7 @@ void sun4v_patch_2insn_range(struct sun4v_2insn_patch_entry *start, + } + } + +-void __init sun4v_patch(void) ++static void __init sun4v_patch(void) + { + extern void sun4v_hvapi_init(void); + +@@ -335,14 +336,25 @@ static void __init pause_patch(void) + } + } + +-#ifdef CONFIG_SMP +-void __init boot_cpu_id_too_large(int cpu) ++void __init start_early_boot(void) + { +- prom_printf("Serious problem, boot cpu id (%d) >= NR_CPUS (%d)\n", +- cpu, NR_CPUS); +- prom_halt(); ++ int cpu; ++ ++ check_if_starfire(); ++ per_cpu_patch(); ++ sun4v_patch(); ++ ++ cpu = hard_smp_processor_id(); ++ if (cpu >= NR_CPUS) { ++ prom_printf("Serious problem, boot cpu id (%d) >= NR_CPUS (%d)\n", ++ cpu, NR_CPUS); ++ prom_halt(); ++ } ++ current_thread_info()->cpu = cpu; ++ ++ prom_init_report(); ++ start_kernel(); + } +-#endif + + /* On Ultra, we support all of the v8 capabilities. 
*/ + unsigned long sparc64_elf_hwcap = (HWCAP_SPARC_FLUSH | HWCAP_SPARC_STBAR | +@@ -500,12 +512,16 @@ static void __init init_sparc64_elf_hwcap(void) + sun4v_chip_type == SUN4V_CHIP_NIAGARA3 || + sun4v_chip_type == SUN4V_CHIP_NIAGARA4 || + sun4v_chip_type == SUN4V_CHIP_NIAGARA5 || ++ sun4v_chip_type == SUN4V_CHIP_SPARC_M6 || ++ sun4v_chip_type == SUN4V_CHIP_SPARC_M7 || + sun4v_chip_type == SUN4V_CHIP_SPARC64X) + cap |= HWCAP_SPARC_BLKINIT; + if (sun4v_chip_type == SUN4V_CHIP_NIAGARA2 || + sun4v_chip_type == SUN4V_CHIP_NIAGARA3 || + sun4v_chip_type == SUN4V_CHIP_NIAGARA4 || + sun4v_chip_type == SUN4V_CHIP_NIAGARA5 || ++ sun4v_chip_type == SUN4V_CHIP_SPARC_M6 || ++ sun4v_chip_type == SUN4V_CHIP_SPARC_M7 || + sun4v_chip_type == SUN4V_CHIP_SPARC64X) + cap |= HWCAP_SPARC_N2; + } +@@ -533,6 +549,8 @@ static void __init init_sparc64_elf_hwcap(void) + sun4v_chip_type == SUN4V_CHIP_NIAGARA3 || + sun4v_chip_type == SUN4V_CHIP_NIAGARA4 || + sun4v_chip_type == SUN4V_CHIP_NIAGARA5 || ++ sun4v_chip_type == SUN4V_CHIP_SPARC_M6 || ++ sun4v_chip_type == SUN4V_CHIP_SPARC_M7 || + sun4v_chip_type == SUN4V_CHIP_SPARC64X) + cap |= (AV_SPARC_VIS | AV_SPARC_VIS2 | + AV_SPARC_ASI_BLK_INIT | +@@ -540,6 +558,8 @@ static void __init init_sparc64_elf_hwcap(void) + if (sun4v_chip_type == SUN4V_CHIP_NIAGARA3 || + sun4v_chip_type == SUN4V_CHIP_NIAGARA4 || + sun4v_chip_type == SUN4V_CHIP_NIAGARA5 || ++ sun4v_chip_type == SUN4V_CHIP_SPARC_M6 || ++ sun4v_chip_type == SUN4V_CHIP_SPARC_M7 || + sun4v_chip_type == SUN4V_CHIP_SPARC64X) + cap |= (AV_SPARC_VIS3 | AV_SPARC_HPC | + AV_SPARC_FMAF); +diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c +index 8416d7fadcce..50c3dd03be31 100644 +--- a/arch/sparc/kernel/smp_64.c ++++ b/arch/sparc/kernel/smp_64.c +@@ -1395,7 +1395,6 @@ void __cpu_die(unsigned int cpu) + + void __init smp_cpus_done(unsigned int max_cpus) + { +- pcr_arch_init(); + } + + void smp_send_reschedule(int cpu) +@@ -1480,6 +1479,13 @@ static void __init pcpu_populate_pte(unsigned long addr) + pud_t *pud; + pmd_t *pmd; + ++ if (pgd_none(*pgd)) { ++ pud_t *new; ++ ++ new = __alloc_bootmem(PAGE_SIZE, PAGE_SIZE, PAGE_SIZE); ++ pgd_populate(&init_mm, pgd, new); ++ } ++ + pud = pud_offset(pgd, addr); + if (pud_none(*pud)) { + pmd_t *new; +diff --git a/arch/sparc/kernel/sun4v_tlb_miss.S b/arch/sparc/kernel/sun4v_tlb_miss.S +index e0c09bf85610..6179e19bc9b9 100644 +--- a/arch/sparc/kernel/sun4v_tlb_miss.S ++++ b/arch/sparc/kernel/sun4v_tlb_miss.S +@@ -195,6 +195,11 @@ sun4v_tsb_miss_common: + ldx [%g2 + TRAP_PER_CPU_PGD_PADDR], %g7 + + sun4v_itlb_error: ++ rdpr %tl, %g1 ++ cmp %g1, 1 ++ ble,pt %icc, sun4v_bad_ra ++ or %g0, FAULT_CODE_BAD_RA | FAULT_CODE_ITLB, %g1 ++ + sethi %hi(sun4v_err_itlb_vaddr), %g1 + stx %g4, [%g1 + %lo(sun4v_err_itlb_vaddr)] + sethi %hi(sun4v_err_itlb_ctx), %g1 +@@ -206,15 +211,10 @@ sun4v_itlb_error: + sethi %hi(sun4v_err_itlb_error), %g1 + stx %o0, [%g1 + %lo(sun4v_err_itlb_error)] + ++ sethi %hi(1f), %g7 + rdpr %tl, %g4 +- cmp %g4, 1 +- ble,pt %icc, 1f +- sethi %hi(2f), %g7 + ba,pt %xcc, etraptl1 +- or %g7, %lo(2f), %g7 +- +-1: ba,pt %xcc, etrap +-2: or %g7, %lo(2b), %g7 ++1: or %g7, %lo(1f), %g7 + mov %l4, %o1 + call sun4v_itlb_error_report + add %sp, PTREGS_OFF, %o0 +@@ -222,6 +222,11 @@ sun4v_itlb_error: + /* NOTREACHED */ + + sun4v_dtlb_error: ++ rdpr %tl, %g1 ++ cmp %g1, 1 ++ ble,pt %icc, sun4v_bad_ra ++ or %g0, FAULT_CODE_BAD_RA | FAULT_CODE_DTLB, %g1 ++ + sethi %hi(sun4v_err_dtlb_vaddr), %g1 + stx %g4, [%g1 + %lo(sun4v_err_dtlb_vaddr)] + sethi %hi(sun4v_err_dtlb_ctx), %g1 
+@@ -233,21 +238,23 @@ sun4v_dtlb_error: + sethi %hi(sun4v_err_dtlb_error), %g1 + stx %o0, [%g1 + %lo(sun4v_err_dtlb_error)] + ++ sethi %hi(1f), %g7 + rdpr %tl, %g4 +- cmp %g4, 1 +- ble,pt %icc, 1f +- sethi %hi(2f), %g7 + ba,pt %xcc, etraptl1 +- or %g7, %lo(2f), %g7 +- +-1: ba,pt %xcc, etrap +-2: or %g7, %lo(2b), %g7 ++1: or %g7, %lo(1f), %g7 + mov %l4, %o1 + call sun4v_dtlb_error_report + add %sp, PTREGS_OFF, %o0 + + /* NOTREACHED */ + ++sun4v_bad_ra: ++ or %g0, %g4, %g5 ++ ba,pt %xcc, sparc64_realfault_common ++ or %g1, %g0, %g4 ++ ++ /* NOTREACHED */ ++ + /* Instruction Access Exception, tl0. */ + sun4v_iacc: + ldxa [%g0] ASI_SCRATCHPAD, %g2 +diff --git a/arch/sparc/kernel/trampoline_64.S b/arch/sparc/kernel/trampoline_64.S +index 737f8cbc7d56..88ede1d53b4c 100644 +--- a/arch/sparc/kernel/trampoline_64.S ++++ b/arch/sparc/kernel/trampoline_64.S +@@ -109,10 +109,13 @@ startup_continue: + brnz,pn %g1, 1b + nop + +- sethi %hi(p1275buf), %g2 +- or %g2, %lo(p1275buf), %g2 +- ldx [%g2 + 0x10], %l2 +- add %l2, -(192 + 128), %sp ++ /* Get onto temporary stack which will be in the locked ++ * kernel image. ++ */ ++ sethi %hi(tramp_stack), %g1 ++ or %g1, %lo(tramp_stack), %g1 ++ add %g1, TRAMP_STACK_SIZE, %g1 ++ sub %g1, STACKFRAME_SZ + STACK_BIAS + 256, %sp + flushw + + /* Setup the loop variables: +@@ -394,7 +397,6 @@ after_lock_tlb: + sllx %g5, THREAD_SHIFT, %g5 + sub %g5, (STACKFRAME_SZ + STACK_BIAS), %g5 + add %g6, %g5, %sp +- mov 0, %fp + + rdpr %pstate, %o1 + or %o1, PSTATE_IE, %o1 +diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c +index 4ced92f05358..25d0c7ece9cc 100644 +--- a/arch/sparc/kernel/traps_64.c ++++ b/arch/sparc/kernel/traps_64.c +@@ -2102,6 +2102,11 @@ void sun4v_nonresum_overflow(struct pt_regs *regs) + atomic_inc(&sun4v_nonresum_oflow_cnt); + } + ++static void sun4v_tlb_error(struct pt_regs *regs) ++{ ++ die_if_kernel("TLB/TSB error", regs); ++} ++ + unsigned long sun4v_err_itlb_vaddr; + unsigned long sun4v_err_itlb_ctx; + unsigned long sun4v_err_itlb_pte; +@@ -2109,8 +2114,7 @@ unsigned long sun4v_err_itlb_error; + + void sun4v_itlb_error_report(struct pt_regs *regs, int tl) + { +- if (tl > 1) +- dump_tl1_traplog((struct tl1_traplog *)(regs + 1)); ++ dump_tl1_traplog((struct tl1_traplog *)(regs + 1)); + + printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n", + regs->tpc, tl); +@@ -2123,7 +2127,7 @@ void sun4v_itlb_error_report(struct pt_regs *regs, int tl) + sun4v_err_itlb_vaddr, sun4v_err_itlb_ctx, + sun4v_err_itlb_pte, sun4v_err_itlb_error); + +- prom_halt(); ++ sun4v_tlb_error(regs); + } + + unsigned long sun4v_err_dtlb_vaddr; +@@ -2133,8 +2137,7 @@ unsigned long sun4v_err_dtlb_error; + + void sun4v_dtlb_error_report(struct pt_regs *regs, int tl) + { +- if (tl > 1) +- dump_tl1_traplog((struct tl1_traplog *)(regs + 1)); ++ dump_tl1_traplog((struct tl1_traplog *)(regs + 1)); + + printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n", + regs->tpc, tl); +@@ -2147,7 +2150,7 @@ void sun4v_dtlb_error_report(struct pt_regs *regs, int tl) + sun4v_err_dtlb_vaddr, sun4v_err_dtlb_ctx, + sun4v_err_dtlb_pte, sun4v_err_dtlb_error); + +- prom_halt(); ++ sun4v_tlb_error(regs); + } + + void hypervisor_tlbop_error(unsigned long err, unsigned long op) +diff --git a/arch/sparc/kernel/tsb.S b/arch/sparc/kernel/tsb.S +index 14158d40ba76..be98685c14c6 100644 +--- a/arch/sparc/kernel/tsb.S ++++ b/arch/sparc/kernel/tsb.S +@@ -162,10 +162,10 @@ tsb_miss_page_table_walk_sun4v_fastpath: + nop + .previous + +- rdpr %tl, %g3 +- cmp %g3, 1 ++ rdpr %tl, %g7 ++ cmp %g7, 
1 + bne,pn %xcc, winfix_trampoline +- nop ++ mov %g3, %g4 + ba,pt %xcc, etrap + rd %pc, %g7 + call hugetlb_setup +diff --git a/arch/sparc/kernel/viohs.c b/arch/sparc/kernel/viohs.c +index f8e7dd53e1c7..9c5fbd0b8a04 100644 +--- a/arch/sparc/kernel/viohs.c ++++ b/arch/sparc/kernel/viohs.c +@@ -714,7 +714,7 @@ int vio_ldc_alloc(struct vio_driver_state *vio, + cfg.tx_irq = vio->vdev->tx_irq; + cfg.rx_irq = vio->vdev->rx_irq; + +- lp = ldc_alloc(vio->vdev->channel_id, &cfg, event_arg); ++ lp = ldc_alloc(vio->vdev->channel_id, &cfg, event_arg, vio->name); + if (IS_ERR(lp)) + return PTR_ERR(lp); + +@@ -746,7 +746,7 @@ void vio_port_up(struct vio_driver_state *vio) + + err = 0; + if (state == LDC_STATE_INIT) { +- err = ldc_bind(vio->lp, vio->name); ++ err = ldc_bind(vio->lp); + if (err) + printk(KERN_WARNING "%s: Port %lu bind failed, " + "err=%d\n", +diff --git a/arch/sparc/kernel/vmlinux.lds.S b/arch/sparc/kernel/vmlinux.lds.S +index 932ff90fd760..09243057cb0b 100644 +--- a/arch/sparc/kernel/vmlinux.lds.S ++++ b/arch/sparc/kernel/vmlinux.lds.S +@@ -35,8 +35,9 @@ jiffies = jiffies_64; + + SECTIONS + { +- /* swapper_low_pmd_dir is sparc64 only */ +- swapper_low_pmd_dir = 0x0000000000402000; ++#ifdef CONFIG_SPARC64 ++ swapper_pg_dir = 0x0000000000402000; ++#endif + . = INITIAL_ADDRESS; + .text TEXTSTART : + { +@@ -122,11 +123,6 @@ SECTIONS + *(.swapper_4m_tsb_phys_patch) + __swapper_4m_tsb_phys_patch_end = .; + } +- .page_offset_shift_patch : { +- __page_offset_shift_patch = .; +- *(.page_offset_shift_patch) +- __page_offset_shift_patch_end = .; +- } + .popc_3insn_patch : { + __popc_3insn_patch = .; + *(.popc_3insn_patch) +diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S +index 9cf2ee01cee3..140527a20e7d 100644 +--- a/arch/sparc/lib/NG4memcpy.S ++++ b/arch/sparc/lib/NG4memcpy.S +@@ -41,6 +41,10 @@ + #endif + #endif + ++#if !defined(EX_LD) && !defined(EX_ST) ++#define NON_USER_COPY ++#endif ++ + #ifndef EX_LD + #define EX_LD(x) x + #endif +@@ -197,9 +201,13 @@ FUNC_NAME: /* %o0=dst, %o1=src, %o2=len */ + mov EX_RETVAL(%o3), %o0 + + .Llarge_src_unaligned: ++#ifdef NON_USER_COPY ++ VISEntryHalfFast(.Lmedium_vis_entry_fail) ++#else ++ VISEntryHalf ++#endif + andn %o2, 0x3f, %o4 + sub %o2, %o4, %o2 +- VISEntryHalf + alignaddr %o1, %g0, %g1 + add %o1, %o4, %o1 + EX_LD(LOAD(ldd, %g1 + 0x00, %f0)) +@@ -240,6 +248,10 @@ FUNC_NAME: /* %o0=dst, %o1=src, %o2=len */ + nop + ba,a,pt %icc, .Lmedium_unaligned + ++#ifdef NON_USER_COPY ++.Lmedium_vis_entry_fail: ++ or %o0, %o1, %g2 ++#endif + .Lmedium: + LOAD(prefetch, %o1 + 0x40, #n_reads_strong) + andcc %g2, 0x7, %g0 +diff --git a/arch/sparc/lib/memset.S b/arch/sparc/lib/memset.S +index 99c017be8719..f75e6906df14 100644 +--- a/arch/sparc/lib/memset.S ++++ b/arch/sparc/lib/memset.S +@@ -3,8 +3,9 @@ + * Copyright (C) 1996,1997 Jakub Jelinek (jj@sunsite.mff.cuni.cz) + * Copyright (C) 1996 David S. Miller (davem@caip.rutgers.edu) + * +- * Returns 0, if ok, and number of bytes not yet set if exception +- * occurs and we were called as clear_user. ++ * Calls to memset returns initial %o0. Calls to bzero returns 0, if ok, and ++ * number of bytes not yet set if exception occurs and we were called as ++ * clear_user. 
+ */ + + #include +@@ -65,6 +66,8 @@ __bzero_begin: + .globl __memset_start, __memset_end + __memset_start: + memset: ++ mov %o0, %g1 ++ mov 1, %g4 + and %o1, 0xff, %g3 + sll %g3, 8, %g2 + or %g3, %g2, %g3 +@@ -89,6 +92,7 @@ memset: + sub %o0, %o2, %o0 + + __bzero: ++ clr %g4 + mov %g0, %g3 + 1: + cmp %o1, 7 +@@ -151,8 +155,8 @@ __bzero: + bne,a 8f + EX(stb %g3, [%o0], and %o1, 1) + 8: +- retl +- clr %o0 ++ b 0f ++ nop + 7: + be 13b + orcc %o1, 0, %g0 +@@ -164,6 +168,12 @@ __bzero: + bne 8b + EX(stb %g3, [%o0 - 1], add %o1, 1) + 0: ++ andcc %g4, 1, %g0 ++ be 5f ++ nop ++ retl ++ mov %g1, %o0 ++5: + retl + clr %o0 + __memset_end: +diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c +index 4ced3fc66130..45a413e4380a 100644 +--- a/arch/sparc/mm/fault_64.c ++++ b/arch/sparc/mm/fault_64.c +@@ -348,6 +348,9 @@ retry: + down_read(&mm->mmap_sem); + } + ++ if (fault_code & FAULT_CODE_BAD_RA) ++ goto do_sigbus; ++ + vma = find_vma(mm, address); + if (!vma) + goto bad_area; +diff --git a/arch/sparc/mm/gup.c b/arch/sparc/mm/gup.c +index 1aed0432c64b..ae6ce383d4df 100644 +--- a/arch/sparc/mm/gup.c ++++ b/arch/sparc/mm/gup.c +@@ -160,6 +160,36 @@ static int gup_pud_range(pgd_t pgd, unsigned long addr, unsigned long end, + return 1; + } + ++int __get_user_pages_fast(unsigned long start, int nr_pages, int write, ++ struct page **pages) ++{ ++ struct mm_struct *mm = current->mm; ++ unsigned long addr, len, end; ++ unsigned long next, flags; ++ pgd_t *pgdp; ++ int nr = 0; ++ ++ start &= PAGE_MASK; ++ addr = start; ++ len = (unsigned long) nr_pages << PAGE_SHIFT; ++ end = start + len; ++ ++ local_irq_save(flags); ++ pgdp = pgd_offset(mm, addr); ++ do { ++ pgd_t pgd = *pgdp; ++ ++ next = pgd_addr_end(addr, end); ++ if (pgd_none(pgd)) ++ break; ++ if (!gup_pud_range(pgd, addr, next, write, pages, &nr)) ++ break; ++ } while (pgdp++, addr = next, addr != end); ++ local_irq_restore(flags); ++ ++ return nr; ++} ++ + int get_user_pages_fast(unsigned long start, int nr_pages, int write, + struct page **pages) + { +diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c +index 96862241b342..34506f292533 100644 +--- a/arch/sparc/mm/init_64.c ++++ b/arch/sparc/mm/init_64.c +@@ -73,7 +73,6 @@ unsigned long kern_linear_pte_xor[4] __read_mostly; + * 'cpu' properties, but we need to have this table setup before the + * MDESC is initialized. + */ +-unsigned long kpte_linear_bitmap[KPTE_BITMAP_BYTES / sizeof(unsigned long)]; + + #ifndef CONFIG_DEBUG_PAGEALLOC + /* A special kernel TSB for 4MB, 256MB, 2GB and 16GB linear mappings. +@@ -82,10 +81,11 @@ unsigned long kpte_linear_bitmap[KPTE_BITMAP_BYTES / sizeof(unsigned long)]; + */ + extern struct tsb swapper_4m_tsb[KERNEL_TSB4M_NENTRIES]; + #endif ++extern struct tsb swapper_tsb[KERNEL_TSB_NENTRIES]; + + static unsigned long cpu_pgsz_mask; + +-#define MAX_BANKS 32 ++#define MAX_BANKS 1024 + + static struct linux_prom64_registers pavail[MAX_BANKS]; + static int pavail_ents; +@@ -163,10 +163,6 @@ static void __init read_obp_memory(const char *property, + cmp_p64, NULL); + } + +-unsigned long sparc64_valid_addr_bitmap[VALID_ADDR_BITMAP_BYTES / +- sizeof(unsigned long)]; +-EXPORT_SYMBOL(sparc64_valid_addr_bitmap); +- + /* Kernel physical address base and size in bytes. 
*/ + unsigned long kern_base __read_mostly; + unsigned long kern_size __read_mostly; +@@ -838,7 +834,10 @@ static int find_node(unsigned long addr) + if ((addr & p->mask) == p->val) + return i; + } +- return -1; ++ /* The following condition has been observed on LDOM guests.*/ ++ WARN_ONCE(1, "find_node: A physical address doesn't match a NUMA node" ++ " rule. Some physical memory will be owned by node 0."); ++ return 0; + } + + static u64 memblock_nid_range(u64 start, u64 end, int *nid) +@@ -1360,9 +1359,144 @@ static unsigned long __init bootmem_init(unsigned long phys_base) + static struct linux_prom64_registers pall[MAX_BANKS] __initdata; + static int pall_ents __initdata; + +-#ifdef CONFIG_DEBUG_PAGEALLOC ++static unsigned long max_phys_bits = 40; ++ ++bool kern_addr_valid(unsigned long addr) ++{ ++ pgd_t *pgd; ++ pud_t *pud; ++ pmd_t *pmd; ++ pte_t *pte; ++ ++ if ((long)addr < 0L) { ++ unsigned long pa = __pa(addr); ++ ++ if ((addr >> max_phys_bits) != 0UL) ++ return false; ++ ++ return pfn_valid(pa >> PAGE_SHIFT); ++ } ++ ++ if (addr >= (unsigned long) KERNBASE && ++ addr < (unsigned long)&_end) ++ return true; ++ ++ pgd = pgd_offset_k(addr); ++ if (pgd_none(*pgd)) ++ return 0; ++ ++ pud = pud_offset(pgd, addr); ++ if (pud_none(*pud)) ++ return 0; ++ ++ if (pud_large(*pud)) ++ return pfn_valid(pud_pfn(*pud)); ++ ++ pmd = pmd_offset(pud, addr); ++ if (pmd_none(*pmd)) ++ return 0; ++ ++ if (pmd_large(*pmd)) ++ return pfn_valid(pmd_pfn(*pmd)); ++ ++ pte = pte_offset_kernel(pmd, addr); ++ if (pte_none(*pte)) ++ return 0; ++ ++ return pfn_valid(pte_pfn(*pte)); ++} ++EXPORT_SYMBOL(kern_addr_valid); ++ ++static unsigned long __ref kernel_map_hugepud(unsigned long vstart, ++ unsigned long vend, ++ pud_t *pud) ++{ ++ const unsigned long mask16gb = (1UL << 34) - 1UL; ++ u64 pte_val = vstart; ++ ++ /* Each PUD is 8GB */ ++ if ((vstart & mask16gb) || ++ (vend - vstart <= mask16gb)) { ++ pte_val ^= kern_linear_pte_xor[2]; ++ pud_val(*pud) = pte_val | _PAGE_PUD_HUGE; ++ ++ return vstart + PUD_SIZE; ++ } ++ ++ pte_val ^= kern_linear_pte_xor[3]; ++ pte_val |= _PAGE_PUD_HUGE; ++ ++ vend = vstart + mask16gb + 1UL; ++ while (vstart < vend) { ++ pud_val(*pud) = pte_val; ++ ++ pte_val += PUD_SIZE; ++ vstart += PUD_SIZE; ++ pud++; ++ } ++ return vstart; ++} ++ ++static bool kernel_can_map_hugepud(unsigned long vstart, unsigned long vend, ++ bool guard) ++{ ++ if (guard && !(vstart & ~PUD_MASK) && (vend - vstart) >= PUD_SIZE) ++ return true; ++ ++ return false; ++} ++ ++static unsigned long __ref kernel_map_hugepmd(unsigned long vstart, ++ unsigned long vend, ++ pmd_t *pmd) ++{ ++ const unsigned long mask256mb = (1UL << 28) - 1UL; ++ const unsigned long mask2gb = (1UL << 31) - 1UL; ++ u64 pte_val = vstart; ++ ++ /* Each PMD is 8MB */ ++ if ((vstart & mask256mb) || ++ (vend - vstart <= mask256mb)) { ++ pte_val ^= kern_linear_pte_xor[0]; ++ pmd_val(*pmd) = pte_val | _PAGE_PMD_HUGE; ++ ++ return vstart + PMD_SIZE; ++ } ++ ++ if ((vstart & mask2gb) || ++ (vend - vstart <= mask2gb)) { ++ pte_val ^= kern_linear_pte_xor[1]; ++ pte_val |= _PAGE_PMD_HUGE; ++ vend = vstart + mask256mb + 1UL; ++ } else { ++ pte_val ^= kern_linear_pte_xor[2]; ++ pte_val |= _PAGE_PMD_HUGE; ++ vend = vstart + mask2gb + 1UL; ++ } ++ ++ while (vstart < vend) { ++ pmd_val(*pmd) = pte_val; ++ ++ pte_val += PMD_SIZE; ++ vstart += PMD_SIZE; ++ pmd++; ++ } ++ ++ return vstart; ++} ++ ++static bool kernel_can_map_hugepmd(unsigned long vstart, unsigned long vend, ++ bool guard) ++{ ++ if (guard && !(vstart & ~PMD_MASK) && (vend - vstart) >= 
PMD_SIZE) ++ return true; ++ ++ return false; ++} ++ + static unsigned long __ref kernel_map_range(unsigned long pstart, +- unsigned long pend, pgprot_t prot) ++ unsigned long pend, pgprot_t prot, ++ bool use_huge) + { + unsigned long vstart = PAGE_OFFSET + pstart; + unsigned long vend = PAGE_OFFSET + pend; +@@ -1381,19 +1515,34 @@ static unsigned long __ref kernel_map_range(unsigned long pstart, + pmd_t *pmd; + pte_t *pte; + ++ if (pgd_none(*pgd)) { ++ pud_t *new; ++ ++ new = __alloc_bootmem(PAGE_SIZE, PAGE_SIZE, PAGE_SIZE); ++ alloc_bytes += PAGE_SIZE; ++ pgd_populate(&init_mm, pgd, new); ++ } + pud = pud_offset(pgd, vstart); + if (pud_none(*pud)) { + pmd_t *new; + ++ if (kernel_can_map_hugepud(vstart, vend, use_huge)) { ++ vstart = kernel_map_hugepud(vstart, vend, pud); ++ continue; ++ } + new = __alloc_bootmem(PAGE_SIZE, PAGE_SIZE, PAGE_SIZE); + alloc_bytes += PAGE_SIZE; + pud_populate(&init_mm, pud, new); + } + + pmd = pmd_offset(pud, vstart); +- if (!pmd_present(*pmd)) { ++ if (pmd_none(*pmd)) { + pte_t *new; + ++ if (kernel_can_map_hugepmd(vstart, vend, use_huge)) { ++ vstart = kernel_map_hugepmd(vstart, vend, pmd); ++ continue; ++ } + new = __alloc_bootmem(PAGE_SIZE, PAGE_SIZE, PAGE_SIZE); + alloc_bytes += PAGE_SIZE; + pmd_populate_kernel(&init_mm, pmd, new); +@@ -1416,100 +1565,34 @@ static unsigned long __ref kernel_map_range(unsigned long pstart, + return alloc_bytes; + } + +-extern unsigned int kvmap_linear_patch[1]; +-#endif /* CONFIG_DEBUG_PAGEALLOC */ +- +-static void __init kpte_set_val(unsigned long index, unsigned long val) ++static void __init flush_all_kernel_tsbs(void) + { +- unsigned long *ptr = kpte_linear_bitmap; +- +- val <<= ((index % (BITS_PER_LONG / 2)) * 2); +- ptr += (index / (BITS_PER_LONG / 2)); +- +- *ptr |= val; +-} +- +-static const unsigned long kpte_shift_min = 28; /* 256MB */ +-static const unsigned long kpte_shift_max = 34; /* 16GB */ +-static const unsigned long kpte_shift_incr = 3; +- +-static unsigned long kpte_mark_using_shift(unsigned long start, unsigned long end, +- unsigned long shift) +-{ +- unsigned long size = (1UL << shift); +- unsigned long mask = (size - 1UL); +- unsigned long remains = end - start; +- unsigned long val; +- +- if (remains < size || (start & mask)) +- return start; +- +- /* VAL maps: +- * +- * shift 28 --> kern_linear_pte_xor index 1 +- * shift 31 --> kern_linear_pte_xor index 2 +- * shift 34 --> kern_linear_pte_xor index 3 +- */ +- val = ((shift - kpte_shift_min) / kpte_shift_incr) + 1; +- +- remains &= ~mask; +- if (shift != kpte_shift_max) +- remains = size; +- +- while (remains) { +- unsigned long index = start >> kpte_shift_min; ++ int i; + +- kpte_set_val(index, val); ++ for (i = 0; i < KERNEL_TSB_NENTRIES; i++) { ++ struct tsb *ent = &swapper_tsb[i]; + +- start += 1UL << kpte_shift_min; +- remains -= 1UL << kpte_shift_min; ++ ent->tag = (1UL << TSB_TAG_INVALID_BIT); + } ++#ifndef CONFIG_DEBUG_PAGEALLOC ++ for (i = 0; i < KERNEL_TSB4M_NENTRIES; i++) { ++ struct tsb *ent = &swapper_4m_tsb[i]; + +- return start; +-} +- +-static void __init mark_kpte_bitmap(unsigned long start, unsigned long end) +-{ +- unsigned long smallest_size, smallest_mask; +- unsigned long s; +- +- smallest_size = (1UL << kpte_shift_min); +- smallest_mask = (smallest_size - 1UL); +- +- while (start < end) { +- unsigned long orig_start = start; +- +- for (s = kpte_shift_max; s >= kpte_shift_min; s -= kpte_shift_incr) { +- start = kpte_mark_using_shift(start, end, s); +- +- if (start != orig_start) +- break; +- } +- +- if (start == orig_start) +- 
start = (start + smallest_size) & ~smallest_mask; ++ ent->tag = (1UL << TSB_TAG_INVALID_BIT); + } ++#endif + } + +-static void __init init_kpte_bitmap(void) +-{ +- unsigned long i; +- +- for (i = 0; i < pall_ents; i++) { +- unsigned long phys_start, phys_end; +- +- phys_start = pall[i].phys_addr; +- phys_end = phys_start + pall[i].reg_size; +- +- mark_kpte_bitmap(phys_start, phys_end); +- } +-} ++extern unsigned int kvmap_linear_patch[1]; + + static void __init kernel_physical_mapping_init(void) + { +-#ifdef CONFIG_DEBUG_PAGEALLOC + unsigned long i, mem_alloced = 0UL; ++ bool use_huge = true; + ++#ifdef CONFIG_DEBUG_PAGEALLOC ++ use_huge = false; ++#endif + for (i = 0; i < pall_ents; i++) { + unsigned long phys_start, phys_end; + +@@ -1517,7 +1600,7 @@ static void __init kernel_physical_mapping_init(void) + phys_end = phys_start + pall[i].reg_size; + + mem_alloced += kernel_map_range(phys_start, phys_end, +- PAGE_KERNEL); ++ PAGE_KERNEL, use_huge); + } + + printk("Allocated %ld bytes for kernel page tables.\n", +@@ -1526,8 +1609,9 @@ static void __init kernel_physical_mapping_init(void) + kvmap_linear_patch[0] = 0x01000000; /* nop */ + flushi(&kvmap_linear_patch[0]); + ++ flush_all_kernel_tsbs(); ++ + __flush_tlb_all(); +-#endif + } + + #ifdef CONFIG_DEBUG_PAGEALLOC +@@ -1537,7 +1621,7 @@ void kernel_map_pages(struct page *page, int numpages, int enable) + unsigned long phys_end = phys_start + (numpages * PAGE_SIZE); + + kernel_map_range(phys_start, phys_end, +- (enable ? PAGE_KERNEL : __pgprot(0))); ++ (enable ? PAGE_KERNEL : __pgprot(0)), false); + + flush_tsb_kernel_range(PAGE_OFFSET + phys_start, + PAGE_OFFSET + phys_end); +@@ -1565,76 +1649,56 @@ unsigned long __init find_ecache_flush_span(unsigned long size) + unsigned long PAGE_OFFSET; + EXPORT_SYMBOL(PAGE_OFFSET); + +-static void __init page_offset_shift_patch_one(unsigned int *insn, unsigned long phys_bits) +-{ +- unsigned long final_shift; +- unsigned int val = *insn; +- unsigned int cnt; +- +- /* We are patching in ilog2(max_supported_phys_address), and +- * we are doing so in a manner similar to a relocation addend. +- * That is, we are adding the shift value to whatever value +- * is in the shift instruction count field already. +- */ +- cnt = (val & 0x3f); +- val &= ~0x3f; +- +- /* If we are trying to shift >= 64 bits, clear the destination +- * register. This can happen when phys_bits ends up being equal +- * to MAX_PHYS_ADDRESS_BITS. 
+- */ +- final_shift = (cnt + (64 - phys_bits)); +- if (final_shift >= 64) { +- unsigned int rd = (val >> 25) & 0x1f; +- +- val = 0x80100000 | (rd << 25); +- } else { +- val |= final_shift; +- } +- *insn = val; +- +- __asm__ __volatile__("flush %0" +- : /* no outputs */ +- : "r" (insn)); +-} +- +-static void __init page_offset_shift_patch(unsigned long phys_bits) +-{ +- extern unsigned int __page_offset_shift_patch; +- extern unsigned int __page_offset_shift_patch_end; +- unsigned int *p; +- +- p = &__page_offset_shift_patch; +- while (p < &__page_offset_shift_patch_end) { +- unsigned int *insn = (unsigned int *)(unsigned long)*p; ++unsigned long VMALLOC_END = 0x0000010000000000UL; ++EXPORT_SYMBOL(VMALLOC_END); + +- page_offset_shift_patch_one(insn, phys_bits); +- +- p++; +- } +-} ++unsigned long sparc64_va_hole_top = 0xfffff80000000000UL; ++unsigned long sparc64_va_hole_bottom = 0x0000080000000000UL; + + static void __init setup_page_offset(void) + { +- unsigned long max_phys_bits = 40; +- + if (tlb_type == cheetah || tlb_type == cheetah_plus) { ++ /* Cheetah/Panther support a full 64-bit virtual ++ * address, so we can use all that our page tables ++ * support. ++ */ ++ sparc64_va_hole_top = 0xfff0000000000000UL; ++ sparc64_va_hole_bottom = 0x0010000000000000UL; ++ + max_phys_bits = 42; + } else if (tlb_type == hypervisor) { + switch (sun4v_chip_type) { + case SUN4V_CHIP_NIAGARA1: + case SUN4V_CHIP_NIAGARA2: ++ /* T1 and T2 support 48-bit virtual addresses. */ ++ sparc64_va_hole_top = 0xffff800000000000UL; ++ sparc64_va_hole_bottom = 0x0000800000000000UL; ++ + max_phys_bits = 39; + break; + case SUN4V_CHIP_NIAGARA3: ++ /* T3 supports 48-bit virtual addresses. */ ++ sparc64_va_hole_top = 0xffff800000000000UL; ++ sparc64_va_hole_bottom = 0x0000800000000000UL; ++ + max_phys_bits = 43; + break; + case SUN4V_CHIP_NIAGARA4: + case SUN4V_CHIP_NIAGARA5: + case SUN4V_CHIP_SPARC64X: +- default: ++ case SUN4V_CHIP_SPARC_M6: ++ /* T4 and later support 52-bit virtual addresses. */ ++ sparc64_va_hole_top = 0xfff8000000000000UL; ++ sparc64_va_hole_bottom = 0x0008000000000000UL; + max_phys_bits = 47; + break; ++ case SUN4V_CHIP_SPARC_M7: ++ default: ++ /* M7 and later support 52-bit virtual addresses. 
*/ ++ sparc64_va_hole_top = 0xfff8000000000000UL; ++ sparc64_va_hole_bottom = 0x0008000000000000UL; ++ max_phys_bits = 49; ++ break; + } + } + +@@ -1644,12 +1708,16 @@ static void __init setup_page_offset(void) + prom_halt(); + } + +- PAGE_OFFSET = PAGE_OFFSET_BY_BITS(max_phys_bits); ++ PAGE_OFFSET = sparc64_va_hole_top; ++ VMALLOC_END = ((sparc64_va_hole_bottom >> 1) + ++ (sparc64_va_hole_bottom >> 2)); + +- pr_info("PAGE_OFFSET is 0x%016lx (max_phys_bits == %lu)\n", ++ pr_info("MM: PAGE_OFFSET is 0x%016lx (max_phys_bits == %lu)\n", + PAGE_OFFSET, max_phys_bits); +- +- page_offset_shift_patch(max_phys_bits); ++ pr_info("MM: VMALLOC [0x%016lx --> 0x%016lx]\n", ++ VMALLOC_START, VMALLOC_END); ++ pr_info("MM: VMEMMAP [0x%016lx --> 0x%016lx]\n", ++ VMEMMAP_BASE, VMEMMAP_BASE << 1); + } + + static void __init tsb_phys_patch(void) +@@ -1694,21 +1762,42 @@ static void __init tsb_phys_patch(void) + #define NUM_KTSB_DESCR 1 + #endif + static struct hv_tsb_descr ktsb_descr[NUM_KTSB_DESCR]; +-extern struct tsb swapper_tsb[KERNEL_TSB_NENTRIES]; ++ ++/* The swapper TSBs are loaded with a base sequence of: ++ * ++ * sethi %uhi(SYMBOL), REG1 ++ * sethi %hi(SYMBOL), REG2 ++ * or REG1, %ulo(SYMBOL), REG1 ++ * or REG2, %lo(SYMBOL), REG2 ++ * sllx REG1, 32, REG1 ++ * or REG1, REG2, REG1 ++ * ++ * When we use physical addressing for the TSB accesses, we patch the ++ * first four instructions in the above sequence. ++ */ + + static void patch_one_ktsb_phys(unsigned int *start, unsigned int *end, unsigned long pa) + { +- pa >>= KTSB_PHYS_SHIFT; ++ unsigned long high_bits, low_bits; ++ ++ high_bits = (pa >> 32) & 0xffffffff; ++ low_bits = (pa >> 0) & 0xffffffff; + + while (start < end) { + unsigned int *ia = (unsigned int *)(unsigned long)*start; + +- ia[0] = (ia[0] & ~0x3fffff) | (pa >> 10); ++ ia[0] = (ia[0] & ~0x3fffff) | (high_bits >> 10); + __asm__ __volatile__("flush %0" : : "r" (ia)); + +- ia[1] = (ia[1] & ~0x3ff) | (pa & 0x3ff); ++ ia[1] = (ia[1] & ~0x3fffff) | (low_bits >> 10); + __asm__ __volatile__("flush %0" : : "r" (ia + 1)); + ++ ia[2] = (ia[2] & ~0x1fff) | (high_bits & 0x3ff); ++ __asm__ __volatile__("flush %0" : : "r" (ia + 2)); ++ ++ ia[3] = (ia[3] & ~0x1fff) | (low_bits & 0x3ff); ++ __asm__ __volatile__("flush %0" : : "r" (ia + 3)); ++ + start++; + } + } +@@ -1847,7 +1936,6 @@ static void __init sun4v_linear_pte_xor_finalize(void) + /* paging_init() sets up the page tables */ + + static unsigned long last_valid_pfn; +-pgd_t swapper_pg_dir[PTRS_PER_PGD]; + + static void sun4u_pgprot_init(void); + static void sun4v_pgprot_init(void); +@@ -1950,16 +2038,10 @@ void __init paging_init(void) + */ + init_mm.pgd += ((shift) / (sizeof(pgd_t))); + +- memset(swapper_low_pmd_dir, 0, sizeof(swapper_low_pmd_dir)); ++ memset(swapper_pg_dir, 0, sizeof(swapper_pg_dir)); + +- /* Now can init the kernel/bad page tables. */ +- pud_set(pud_offset(&swapper_pg_dir[0], 0), +- swapper_low_pmd_dir + (shift / sizeof(pgd_t))); +- + inherit_prom_mappings(); + +- init_kpte_bitmap(); +- + /* Ok, we can use our TLB miss and window trap handlers safely. */ + setup_tba(); + +@@ -2066,70 +2148,6 @@ int page_in_phys_avail(unsigned long paddr) + return 0; + } + +-static struct linux_prom64_registers pavail_rescan[MAX_BANKS] __initdata; +-static int pavail_rescan_ents __initdata; +- +-/* Certain OBP calls, such as fetching "available" properties, can +- * claim physical memory. 
So, along with initializing the valid +- * address bitmap, what we do here is refetch the physical available +- * memory list again, and make sure it provides at least as much +- * memory as 'pavail' does. +- */ +-static void __init setup_valid_addr_bitmap_from_pavail(unsigned long *bitmap) +-{ +- int i; +- +- read_obp_memory("available", &pavail_rescan[0], &pavail_rescan_ents); +- +- for (i = 0; i < pavail_ents; i++) { +- unsigned long old_start, old_end; +- +- old_start = pavail[i].phys_addr; +- old_end = old_start + pavail[i].reg_size; +- while (old_start < old_end) { +- int n; +- +- for (n = 0; n < pavail_rescan_ents; n++) { +- unsigned long new_start, new_end; +- +- new_start = pavail_rescan[n].phys_addr; +- new_end = new_start + +- pavail_rescan[n].reg_size; +- +- if (new_start <= old_start && +- new_end >= (old_start + PAGE_SIZE)) { +- set_bit(old_start >> ILOG2_4MB, bitmap); +- goto do_next_page; +- } +- } +- +- prom_printf("mem_init: Lost memory in pavail\n"); +- prom_printf("mem_init: OLD start[%lx] size[%lx]\n", +- pavail[i].phys_addr, +- pavail[i].reg_size); +- prom_printf("mem_init: NEW start[%lx] size[%lx]\n", +- pavail_rescan[i].phys_addr, +- pavail_rescan[i].reg_size); +- prom_printf("mem_init: Cannot continue, aborting.\n"); +- prom_halt(); +- +- do_next_page: +- old_start += PAGE_SIZE; +- } +- } +-} +- +-static void __init patch_tlb_miss_handler_bitmap(void) +-{ +- extern unsigned int valid_addr_bitmap_insn[]; +- extern unsigned int valid_addr_bitmap_patch[]; +- +- valid_addr_bitmap_insn[1] = valid_addr_bitmap_patch[1]; +- mb(); +- valid_addr_bitmap_insn[0] = valid_addr_bitmap_patch[0]; +- flushi(&valid_addr_bitmap_insn[0]); +-} +- + static void __init register_page_bootmem_info(void) + { + #ifdef CONFIG_NEED_MULTIPLE_NODES +@@ -2142,18 +2160,6 @@ static void __init register_page_bootmem_info(void) + } + void __init mem_init(void) + { +- unsigned long addr, last; +- +- addr = PAGE_OFFSET + kern_base; +- last = PAGE_ALIGN(kern_size) + addr; +- while (addr < last) { +- set_bit(__pa(addr) >> ILOG2_4MB, sparc64_valid_addr_bitmap); +- addr += PAGE_SIZE; +- } +- +- setup_valid_addr_bitmap_from_pavail(sparc64_valid_addr_bitmap); +- patch_tlb_miss_handler_bitmap(); +- + high_memory = __va(last_valid_pfn << PAGE_SHIFT); + + register_page_bootmem_info(); +@@ -2243,18 +2249,9 @@ unsigned long _PAGE_CACHE __read_mostly; + EXPORT_SYMBOL(_PAGE_CACHE); + + #ifdef CONFIG_SPARSEMEM_VMEMMAP +-unsigned long vmemmap_table[VMEMMAP_SIZE]; +- +-static long __meminitdata addr_start, addr_end; +-static int __meminitdata node_start; +- + int __meminit vmemmap_populate(unsigned long vstart, unsigned long vend, + int node) + { +- unsigned long phys_start = (vstart - VMEMMAP_BASE); +- unsigned long phys_end = (vend - VMEMMAP_BASE); +- unsigned long addr = phys_start & VMEMMAP_CHUNK_MASK; +- unsigned long end = VMEMMAP_ALIGN(phys_end); + unsigned long pte_base; + + pte_base = (_PAGE_VALID | _PAGE_SZ4MB_4U | +@@ -2265,47 +2262,52 @@ int __meminit vmemmap_populate(unsigned long vstart, unsigned long vend, + _PAGE_CP_4V | _PAGE_CV_4V | + _PAGE_P_4V | _PAGE_W_4V); + +- for (; addr < end; addr += VMEMMAP_CHUNK) { +- unsigned long *vmem_pp = +- vmemmap_table + (addr >> VMEMMAP_CHUNK_SHIFT); +- void *block; ++ pte_base |= _PAGE_PMD_HUGE; + +- if (!(*vmem_pp & _PAGE_VALID)) { +- block = vmemmap_alloc_block(1UL << ILOG2_4MB, node); +- if (!block) ++ vstart = vstart & PMD_MASK; ++ vend = ALIGN(vend, PMD_SIZE); ++ for (; vstart < vend; vstart += PMD_SIZE) { ++ pgd_t *pgd = pgd_offset_k(vstart); ++ unsigned long 
pte; ++ pud_t *pud; ++ pmd_t *pmd; ++ ++ if (pgd_none(*pgd)) { ++ pud_t *new = vmemmap_alloc_block(PAGE_SIZE, node); ++ ++ if (!new) + return -ENOMEM; ++ pgd_populate(&init_mm, pgd, new); ++ } + +- *vmem_pp = pte_base | __pa(block); ++ pud = pud_offset(pgd, vstart); ++ if (pud_none(*pud)) { ++ pmd_t *new = vmemmap_alloc_block(PAGE_SIZE, node); + +- /* check to see if we have contiguous blocks */ +- if (addr_end != addr || node_start != node) { +- if (addr_start) +- printk(KERN_DEBUG " [%lx-%lx] on node %d\n", +- addr_start, addr_end-1, node_start); +- addr_start = addr; +- node_start = node; +- } +- addr_end = addr + VMEMMAP_CHUNK; ++ if (!new) ++ return -ENOMEM; ++ pud_populate(&init_mm, pud, new); + } +- } +- return 0; +-} + +-void __meminit vmemmap_populate_print_last(void) +-{ +- if (addr_start) { +- printk(KERN_DEBUG " [%lx-%lx] on node %d\n", +- addr_start, addr_end-1, node_start); +- addr_start = 0; +- addr_end = 0; +- node_start = 0; ++ pmd = pmd_offset(pud, vstart); ++ ++ pte = pmd_val(*pmd); ++ if (!(pte & _PAGE_VALID)) { ++ void *block = vmemmap_alloc_block(PMD_SIZE, node); ++ ++ if (!block) ++ return -ENOMEM; ++ ++ pmd_val(*pmd) = pte_base | __pa(block); ++ } + } ++ ++ return 0; + } + + void vmemmap_free(unsigned long start, unsigned long end) + { + } +- + #endif /* CONFIG_SPARSEMEM_VMEMMAP */ + + static void prot_init_common(unsigned long page_none, +@@ -2717,8 +2719,8 @@ void flush_tlb_kernel_range(unsigned long start, unsigned long end) + do_flush_tlb_kernel_range(start, LOW_OBP_ADDRESS); + } + if (end > HI_OBP_ADDRESS) { +- flush_tsb_kernel_range(end, HI_OBP_ADDRESS); +- do_flush_tlb_kernel_range(end, HI_OBP_ADDRESS); ++ flush_tsb_kernel_range(HI_OBP_ADDRESS, end); ++ do_flush_tlb_kernel_range(HI_OBP_ADDRESS, end); + } + } else { + flush_tsb_kernel_range(start, end); +diff --git a/arch/sparc/mm/init_64.h b/arch/sparc/mm/init_64.h +index 5d3782deb403..ac491193cb54 100644 +--- a/arch/sparc/mm/init_64.h ++++ b/arch/sparc/mm/init_64.h +@@ -8,15 +8,8 @@ + */ + + #define MAX_PHYS_ADDRESS (1UL << MAX_PHYS_ADDRESS_BITS) +-#define KPTE_BITMAP_CHUNK_SZ (256UL * 1024UL * 1024UL) +-#define KPTE_BITMAP_BYTES \ +- ((MAX_PHYS_ADDRESS / KPTE_BITMAP_CHUNK_SZ) / 4) +-#define VALID_ADDR_BITMAP_CHUNK_SZ (4UL * 1024UL * 1024UL) +-#define VALID_ADDR_BITMAP_BYTES \ +- ((MAX_PHYS_ADDRESS / VALID_ADDR_BITMAP_CHUNK_SZ) / 8) + + extern unsigned long kern_linear_pte_xor[4]; +-extern unsigned long kpte_linear_bitmap[KPTE_BITMAP_BYTES / sizeof(unsigned long)]; + extern unsigned int sparc64_highest_unlocked_tlb_ent; + extern unsigned long sparc64_kern_pri_context; + extern unsigned long sparc64_kern_pri_nuc_bits; +@@ -38,15 +31,4 @@ extern unsigned long kern_locked_tte_data; + + extern void prom_world(int enter); + +-#ifdef CONFIG_SPARSEMEM_VMEMMAP +-#define VMEMMAP_CHUNK_SHIFT 22 +-#define VMEMMAP_CHUNK (1UL << VMEMMAP_CHUNK_SHIFT) +-#define VMEMMAP_CHUNK_MASK ~(VMEMMAP_CHUNK - 1UL) +-#define VMEMMAP_ALIGN(x) (((x)+VMEMMAP_CHUNK-1UL)&VMEMMAP_CHUNK_MASK) +- +-#define VMEMMAP_SIZE ((((1UL << MAX_PHYSADDR_BITS) >> PAGE_SHIFT) * \ +- sizeof(struct page)) >> VMEMMAP_CHUNK_SHIFT) +-extern unsigned long vmemmap_table[VMEMMAP_SIZE]; +-#endif +- + #endif /* _SPARC64_MM_INIT_H */ +diff --git a/arch/sparc/power/hibernate_asm.S b/arch/sparc/power/hibernate_asm.S +index 79942166df84..d7d9017dcb15 100644 +--- a/arch/sparc/power/hibernate_asm.S ++++ b/arch/sparc/power/hibernate_asm.S +@@ -54,8 +54,8 @@ ENTRY(swsusp_arch_resume) + nop + + /* Write PAGE_OFFSET to %g7 */ +- sethi %uhi(PAGE_OFFSET), %g7 +- sllx %g7, 32, 
%g7 ++ sethi %hi(PAGE_OFFSET), %g7 ++ ldx [%g7 + %lo(PAGE_OFFSET)], %g7 + + setuw (PAGE_SIZE-8), %g3 + +diff --git a/arch/sparc/prom/bootstr_64.c b/arch/sparc/prom/bootstr_64.c +index ab9ccc63b388..7149e77714a4 100644 +--- a/arch/sparc/prom/bootstr_64.c ++++ b/arch/sparc/prom/bootstr_64.c +@@ -14,7 +14,10 @@ + * the .bss section or it will break things. + */ + +-#define BARG_LEN 256 ++/* We limit BARG_LEN to 1024 because this is the size of the ++ * 'barg_out' command line buffer in the SILO bootloader. ++ */ ++#define BARG_LEN 1024 + struct { + int bootstr_len; + int bootstr_valid; +diff --git a/arch/sparc/prom/cif.S b/arch/sparc/prom/cif.S +index 9c86b4b7d429..8050f381f518 100644 +--- a/arch/sparc/prom/cif.S ++++ b/arch/sparc/prom/cif.S +@@ -11,11 +11,10 @@ + .text + .globl prom_cif_direct + prom_cif_direct: ++ save %sp, -192, %sp + sethi %hi(p1275buf), %o1 + or %o1, %lo(p1275buf), %o1 +- ldx [%o1 + 0x0010], %o2 ! prom_cif_stack +- save %o2, -192, %sp +- ldx [%i1 + 0x0008], %l2 ! prom_cif_handler ++ ldx [%o1 + 0x0008], %l2 ! prom_cif_handler + mov %g4, %l0 + mov %g5, %l1 + mov %g6, %l3 +diff --git a/arch/sparc/prom/init_64.c b/arch/sparc/prom/init_64.c +index d95db755828f..110b0d78b864 100644 +--- a/arch/sparc/prom/init_64.c ++++ b/arch/sparc/prom/init_64.c +@@ -26,13 +26,13 @@ phandle prom_chosen_node; + * It gets passed the pointer to the PROM vector. + */ + +-extern void prom_cif_init(void *, void *); ++extern void prom_cif_init(void *); + +-void __init prom_init(void *cif_handler, void *cif_stack) ++void __init prom_init(void *cif_handler) + { + phandle node; + +- prom_cif_init(cif_handler, cif_stack); ++ prom_cif_init(cif_handler); + + prom_chosen_node = prom_finddevice(prom_chosen_path); + if (!prom_chosen_node || (s32)prom_chosen_node == -1) +diff --git a/arch/sparc/prom/p1275.c b/arch/sparc/prom/p1275.c +index e58b81726319..545d8bb79b65 100644 +--- a/arch/sparc/prom/p1275.c ++++ b/arch/sparc/prom/p1275.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -19,7 +20,6 @@ + struct { + long prom_callback; /* 0x00 */ + void (*prom_cif_handler)(long *); /* 0x08 */ +- unsigned long prom_cif_stack; /* 0x10 */ + } p1275buf; + + extern void prom_world(int); +@@ -36,8 +36,8 @@ void p1275_cmd_direct(unsigned long *args) + { + unsigned long flags; + +- raw_local_save_flags(flags); +- raw_local_irq_restore((unsigned long)PIL_NMI); ++ local_save_flags(flags); ++ local_irq_restore((unsigned long)PIL_NMI); + raw_spin_lock(&prom_entry_lock); + + prom_world(1); +@@ -45,11 +45,10 @@ void p1275_cmd_direct(unsigned long *args) + prom_world(0); + + raw_spin_unlock(&prom_entry_lock); +- raw_local_irq_restore(flags); ++ local_irq_restore(flags); + } + + void prom_cif_init(void *cif_handler, void *cif_stack) + { + p1275buf.prom_cif_handler = (void (*)(long *))cif_handler; +- p1275buf.prom_cif_stack = (unsigned long)cif_stack; + } +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index d71d5ac78e42..ac63ea4af5b0 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -480,6 +480,7 @@ struct kvm_vcpu_arch { + u64 mmio_gva; + unsigned access; + gfn_t mmio_gfn; ++ u64 mmio_gen; + + struct kvm_pmu pmu; + +diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c +index 5cd9bfabd645..c1a07d33e67e 100644 +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -153,6 +153,21 @@ static void early_init_intel(struct cpuinfo_x86 *c) + setup_clear_cpu_cap(X86_FEATURE_ERMS); + } + } ++ ++ 
/* ++ * Intel Quark Core DevMan_001.pdf section 6.4.11 ++ * "The operating system also is required to invalidate (i.e., flush) ++ * the TLB when any changes are made to any of the page table entries. ++ * The operating system must reload CR3 to cause the TLB to be flushed" ++ * ++ * As a result cpu_has_pge() in arch/x86/include/asm/tlbflush.h should ++ * be false so that __flush_tlb_all() causes CR3 insted of CR4.PGE ++ * to be modified ++ */ ++ if (c->x86 == 5 && c->x86_model == 9) { ++ pr_info("Disabling PGE capability bit\n"); ++ setup_clear_cpu_cap(X86_FEATURE_PGE); ++ } + } + + #ifdef CONFIG_X86_32 +diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c +index 9b531351a587..49088b8a3ee3 100644 +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -198,16 +198,20 @@ void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask) + EXPORT_SYMBOL_GPL(kvm_mmu_set_mmio_spte_mask); + + /* +- * spte bits of bit 3 ~ bit 11 are used as low 9 bits of generation number, +- * the bits of bits 52 ~ bit 61 are used as high 10 bits of generation +- * number. ++ * the low bit of the generation number is always presumed to be zero. ++ * This disables mmio caching during memslot updates. The concept is ++ * similar to a seqcount but instead of retrying the access we just punt ++ * and ignore the cache. ++ * ++ * spte bits 3-11 are used as bits 1-9 of the generation number, ++ * the bits 52-61 are used as bits 10-19 of the generation number. + */ +-#define MMIO_SPTE_GEN_LOW_SHIFT 3 ++#define MMIO_SPTE_GEN_LOW_SHIFT 2 + #define MMIO_SPTE_GEN_HIGH_SHIFT 52 + +-#define MMIO_GEN_SHIFT 19 +-#define MMIO_GEN_LOW_SHIFT 9 +-#define MMIO_GEN_LOW_MASK ((1 << MMIO_GEN_LOW_SHIFT) - 1) ++#define MMIO_GEN_SHIFT 20 ++#define MMIO_GEN_LOW_SHIFT 10 ++#define MMIO_GEN_LOW_MASK ((1 << MMIO_GEN_LOW_SHIFT) - 2) + #define MMIO_GEN_MASK ((1 << MMIO_GEN_SHIFT) - 1) + #define MMIO_MAX_GEN ((1 << MMIO_GEN_SHIFT) - 1) + +@@ -3157,7 +3161,7 @@ static void mmu_sync_roots(struct kvm_vcpu *vcpu) + if (!VALID_PAGE(vcpu->arch.mmu.root_hpa)) + return; + +- vcpu_clear_mmio_info(vcpu, ~0ul); ++ vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY); + kvm_mmu_audit(vcpu, AUDIT_PRE_SYNC); + if (vcpu->arch.mmu.root_level == PT64_ROOT_LEVEL) { + hpa_t root = vcpu->arch.mmu.root_hpa; +@@ -4379,7 +4383,7 @@ void kvm_mmu_invalidate_mmio_sptes(struct kvm *kvm) + * The very rare case: if the generation-number is round, + * zap all shadow pages. + */ +- if (unlikely(kvm_current_mmio_generation(kvm) >= MMIO_MAX_GEN)) { ++ if (unlikely(kvm_current_mmio_generation(kvm) == 0)) { + printk_ratelimited(KERN_INFO "kvm: zapping shadow pages for mmio generation wraparound\n"); + kvm_mmu_invalidate_zap_all_pages(kvm); + } +diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h +index 8da5823bcde6..21ea4fc91b5b 100644 +--- a/arch/x86/kvm/x86.h ++++ b/arch/x86/kvm/x86.h +@@ -78,15 +78,23 @@ static inline void vcpu_cache_mmio_info(struct kvm_vcpu *vcpu, + vcpu->arch.mmio_gva = gva & PAGE_MASK; + vcpu->arch.access = access; + vcpu->arch.mmio_gfn = gfn; ++ vcpu->arch.mmio_gen = kvm_memslots(vcpu->kvm)->generation; ++} ++ ++static inline bool vcpu_match_mmio_gen(struct kvm_vcpu *vcpu) ++{ ++ return vcpu->arch.mmio_gen == kvm_memslots(vcpu->kvm)->generation; + } + + /* +- * Clear the mmio cache info for the given gva, +- * specially, if gva is ~0ul, we clear all mmio cache info. ++ * Clear the mmio cache info for the given gva. If gva is MMIO_GVA_ANY, we ++ * clear all mmio cache info. 
+ */ ++#define MMIO_GVA_ANY (~(gva_t)0) ++ + static inline void vcpu_clear_mmio_info(struct kvm_vcpu *vcpu, gva_t gva) + { +- if (gva != (~0ul) && vcpu->arch.mmio_gva != (gva & PAGE_MASK)) ++ if (gva != MMIO_GVA_ANY && vcpu->arch.mmio_gva != (gva & PAGE_MASK)) + return; + + vcpu->arch.mmio_gva = 0; +@@ -94,7 +102,8 @@ static inline void vcpu_clear_mmio_info(struct kvm_vcpu *vcpu, gva_t gva) + + static inline bool vcpu_match_mmio_gva(struct kvm_vcpu *vcpu, unsigned long gva) + { +- if (vcpu->arch.mmio_gva && vcpu->arch.mmio_gva == (gva & PAGE_MASK)) ++ if (vcpu_match_mmio_gen(vcpu) && vcpu->arch.mmio_gva && ++ vcpu->arch.mmio_gva == (gva & PAGE_MASK)) + return true; + + return false; +@@ -102,7 +111,8 @@ static inline bool vcpu_match_mmio_gva(struct kvm_vcpu *vcpu, unsigned long gva) + + static inline bool vcpu_match_mmio_gpa(struct kvm_vcpu *vcpu, gpa_t gpa) + { +- if (vcpu->arch.mmio_gfn && vcpu->arch.mmio_gfn == gpa >> PAGE_SHIFT) ++ if (vcpu_match_mmio_gen(vcpu) && vcpu->arch.mmio_gfn && ++ vcpu->arch.mmio_gfn == gpa >> PAGE_SHIFT) + return true; + + return false; +diff --git a/crypto/async_tx/async_xor.c b/crypto/async_tx/async_xor.c +index 3c562f5a60bb..e1bce26cd4f9 100644 +--- a/crypto/async_tx/async_xor.c ++++ b/crypto/async_tx/async_xor.c +@@ -78,8 +78,6 @@ do_async_xor(struct dma_chan *chan, struct dmaengine_unmap_data *unmap, + tx = dma->device_prep_dma_xor(chan, dma_dest, src_list, + xor_src_cnt, unmap->len, + dma_flags); +- src_list[0] = tmp; +- + + if (unlikely(!tx)) + async_tx_quiesce(&submit->depend_tx); +@@ -92,6 +90,7 @@ do_async_xor(struct dma_chan *chan, struct dmaengine_unmap_data *unmap, + xor_src_cnt, unmap->len, + dma_flags); + } ++ src_list[0] = tmp; + + dma_set_unmap(tx, unmap); + async_tx_submit(chan, tx, submit); +diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c +index c30df50e4440..2495ee577a64 100644 +--- a/drivers/base/firmware_class.c ++++ b/drivers/base/firmware_class.c +@@ -1081,6 +1081,9 @@ _request_firmware(const struct firmware **firmware_p, const char *name, + if (!firmware_p) + return -EINVAL; + ++ if (!name || name[0] == '\0') ++ return -EINVAL; ++ + ret = _request_firmware_prepare(&fw, name, device); + if (ret <= 0) /* error or already assigned */ + goto out; +diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c +index c5471cd6ebb7..d39fd610aa3b 100644 +--- a/drivers/base/regmap/regmap-debugfs.c ++++ b/drivers/base/regmap/regmap-debugfs.c +@@ -473,6 +473,7 @@ void regmap_debugfs_init(struct regmap *map, const char *name) + { + struct rb_node *next; + struct regmap_range_node *range_node; ++ const char *devname = "dummy"; + + /* If we don't have the debugfs root yet, postpone init */ + if (!regmap_debugfs_root) { +@@ -491,12 +492,15 @@ void regmap_debugfs_init(struct regmap *map, const char *name) + INIT_LIST_HEAD(&map->debugfs_off_cache); + mutex_init(&map->cache_lock); + ++ if (map->dev) ++ devname = dev_name(map->dev); ++ + if (name) { + map->debugfs_name = kasprintf(GFP_KERNEL, "%s-%s", +- dev_name(map->dev), name); ++ devname, name); + name = map->debugfs_name; + } else { +- name = dev_name(map->dev); ++ name = devname; + } + + map->debugfs = debugfs_create_dir(name, regmap_debugfs_root); +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 2ea056c09aeb..f6cff3be0ed7 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1308,7 +1308,7 @@ int _regmap_write(struct regmap *map, unsigned int reg, + } + + #ifdef LOG_DEVICE +- if 
(strcmp(dev_name(map->dev), LOG_DEVICE) == 0) ++ if (map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0) + dev_info(map->dev, "%x <= %x\n", reg, val); + #endif + +@@ -1557,6 +1557,9 @@ int regmap_bulk_write(struct regmap *map, unsigned int reg, const void *val, + } else { + void *wval; + ++ if (!val_count) ++ return -EINVAL; ++ + wval = kmemdup(val, val_count * val_bytes, GFP_KERNEL); + if (!wval) { + ret = -ENOMEM; +@@ -1739,7 +1742,7 @@ static int _regmap_read(struct regmap *map, unsigned int reg, + ret = map->reg_read(context, reg, val); + if (ret == 0) { + #ifdef LOG_DEVICE +- if (strcmp(dev_name(map->dev), LOG_DEVICE) == 0) ++ if (map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0) + dev_info(map->dev, "%x => %x\n", reg, *val); + #endif + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 1c7b5040d921..e00c3f84a4cf 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -309,6 +309,9 @@ static void btusb_intr_complete(struct urb *urb) + BT_ERR("%s corrupted event packet", hdev->name); + hdev->stat.err_rx++; + } ++ } else if (urb->status == -ENOENT) { ++ /* Avoid suspend failed when usb_kill_urb */ ++ return; + } + + if (!test_bit(BTUSB_INTR_RUNNING, &data->flags)) +@@ -397,6 +400,9 @@ static void btusb_bulk_complete(struct urb *urb) + BT_ERR("%s corrupted ACL packet", hdev->name); + hdev->stat.err_rx++; + } ++ } else if (urb->status == -ENOENT) { ++ /* Avoid suspend failed when usb_kill_urb */ ++ return; + } + + if (!test_bit(BTUSB_BULK_RUNNING, &data->flags)) +@@ -491,6 +497,9 @@ static void btusb_isoc_complete(struct urb *urb) + hdev->stat.err_rx++; + } + } ++ } else if (urb->status == -ENOENT) { ++ /* Avoid suspend failed when usb_kill_urb */ ++ return; + } + + if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags)) +diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c +index e36a0245f2c1..56519927479f 100644 +--- a/drivers/bluetooth/hci_h5.c ++++ b/drivers/bluetooth/hci_h5.c +@@ -237,7 +237,7 @@ static void h5_pkt_cull(struct h5 *h5) + break; + + to_remove--; +- seq = (seq - 1) % 8; ++ seq = (seq - 1) & 0x07; + } + + if (seq != h5->rx_ack) +diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c +index 69ea36f07b4d..e99e71a6ea59 100644 +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -164,8 +164,10 @@ int vmbus_open(struct vmbus_channel *newchannel, u32 send_ringbuffer_size, + ret = vmbus_post_msg(open_msg, + sizeof(struct vmbus_channel_open_channel)); + +- if (ret != 0) ++ if (ret != 0) { ++ err = ret; + goto error1; ++ } + + t = wait_for_completion_timeout(&open_info->waitevent, 5*HZ); + if (t == 0) { +@@ -362,7 +364,6 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer, + u32 next_gpadl_handle; + unsigned long flags; + int ret = 0; +- int t; + + next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle); + atomic_inc(&vmbus_connection.next_gpadl_handle); +@@ -409,9 +410,7 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer, + + } + } +- t = wait_for_completion_timeout(&msginfo->waitevent, 5*HZ); +- BUG_ON(t == 0); +- ++ wait_for_completion(&msginfo->waitevent); + + /* At this point, we received the gpadl created msg */ + *gpadl_handle = gpadlmsg->gpadl; +@@ -434,7 +433,7 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle) + struct vmbus_channel_gpadl_teardown *msg; + struct vmbus_channel_msginfo *info; + unsigned long flags; +- int ret, t; ++ int ret; + + info = kmalloc(sizeof(*info) + + sizeof(struct 
vmbus_channel_gpadl_teardown), GFP_KERNEL); +@@ -456,11 +455,12 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle) + ret = vmbus_post_msg(msg, + sizeof(struct vmbus_channel_gpadl_teardown)); + +- BUG_ON(ret != 0); +- t = wait_for_completion_timeout(&info->waitevent, 5*HZ); +- BUG_ON(t == 0); ++ if (ret) ++ goto post_msg_err; ++ ++ wait_for_completion(&info->waitevent); + +- /* Received a torndown response */ ++post_msg_err: + spin_lock_irqsave(&vmbus_connection.channelmsg_lock, flags); + list_del(&info->msglistentry); + spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags); +@@ -470,7 +470,7 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle) + } + EXPORT_SYMBOL_GPL(vmbus_teardown_gpadl); + +-static void vmbus_close_internal(struct vmbus_channel *channel) ++static int vmbus_close_internal(struct vmbus_channel *channel) + { + struct vmbus_channel_close_channel *msg; + int ret; +@@ -492,11 +492,28 @@ static void vmbus_close_internal(struct vmbus_channel *channel) + + ret = vmbus_post_msg(msg, sizeof(struct vmbus_channel_close_channel)); + +- BUG_ON(ret != 0); ++ if (ret) { ++ pr_err("Close failed: close post msg return is %d\n", ret); ++ /* ++ * If we failed to post the close msg, ++ * it is perhaps better to leak memory. ++ */ ++ return ret; ++ } ++ + /* Tear down the gpadl for the channel's ring buffer */ +- if (channel->ringbuffer_gpadlhandle) +- vmbus_teardown_gpadl(channel, +- channel->ringbuffer_gpadlhandle); ++ if (channel->ringbuffer_gpadlhandle) { ++ ret = vmbus_teardown_gpadl(channel, ++ channel->ringbuffer_gpadlhandle); ++ if (ret) { ++ pr_err("Close failed: teardown gpadl return %d\n", ret); ++ /* ++ * If we failed to teardown gpadl, ++ * it is perhaps better to leak memory. ++ */ ++ return ret; ++ } ++ } + + /* Cleanup the ring buffers for this channel */ + hv_ringbuffer_cleanup(&channel->outbound); +@@ -505,7 +522,7 @@ static void vmbus_close_internal(struct vmbus_channel *channel) + free_pages((unsigned long)channel->ringbuffer_pages, + get_order(channel->ringbuffer_pagecount * PAGE_SIZE)); + +- ++ return ret; + } + + /* +diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c +index ce5a9f2584f3..d8fd95cb0456 100644 +--- a/drivers/hv/connection.c ++++ b/drivers/hv/connection.c +@@ -408,10 +408,21 @@ int vmbus_post_msg(void *buffer, size_t buflen) + * insufficient resources. Retry the operation a couple of + * times before giving up. 
+ */ +- while (retries < 3) { +- ret = hv_post_message(conn_id, 1, buffer, buflen); +- if (ret != HV_STATUS_INSUFFICIENT_BUFFERS) ++ while (retries < 10) { ++ ret = hv_post_message(conn_id, 1, buffer, buflen); ++ ++ switch (ret) { ++ case HV_STATUS_INSUFFICIENT_BUFFERS: ++ ret = -ENOMEM; ++ case -ENOMEM: ++ break; ++ case HV_STATUS_SUCCESS: + return ret; ++ default: ++ pr_err("hv_post_msg() failed; error code:%d\n", ret); ++ return -EINVAL; ++ } ++ + retries++; + msleep(100); + } +diff --git a/drivers/message/fusion/mptspi.c b/drivers/message/fusion/mptspi.c +index 5653e505f91f..424f51d1e2ce 100644 +--- a/drivers/message/fusion/mptspi.c ++++ b/drivers/message/fusion/mptspi.c +@@ -1422,6 +1422,11 @@ mptspi_probe(struct pci_dev *pdev, const struct pci_device_id *id) + goto out_mptspi_probe; + } + ++ /* VMWare emulation doesn't properly implement WRITE_SAME ++ */ ++ if (pdev->subsystem_vendor == 0x15AD) ++ sh->no_write_same = 1; ++ + spin_lock_irqsave(&ioc->FreeQlock, flags); + + /* Attach the SCSI Host to the IOC structure +diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c +index 4bc7d620d695..9a07bba3ade4 100644 +--- a/drivers/misc/mei/bus.c ++++ b/drivers/misc/mei/bus.c +@@ -71,7 +71,7 @@ static int mei_cl_device_probe(struct device *dev) + + dev_dbg(dev, "Device probe\n"); + +- strncpy(id.name, dev_name(dev), sizeof(id.name)); ++ strlcpy(id.name, dev_name(dev), sizeof(id.name)); + + return driver->probe(device, &id); + } +diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c b/drivers/net/wireless/iwlwifi/pcie/drv.c +index df1f5e732ab5..1ac33d9cd396 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c +@@ -272,6 +272,8 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_card_ids) = { + {IWL_PCI_DEVICE(0x08B1, 0x4070, iwl7260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x08B1, 0x4072, iwl7260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x08B1, 0x4170, iwl7260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x08B1, 0x4C60, iwl7260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x08B1, 0x4C70, iwl7260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x08B1, 0x4060, iwl7260_2n_cfg)}, + {IWL_PCI_DEVICE(0x08B1, 0x406A, iwl7260_2n_cfg)}, + {IWL_PCI_DEVICE(0x08B1, 0x4160, iwl7260_2n_cfg)}, +@@ -315,6 +317,8 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_card_ids) = { + {IWL_PCI_DEVICE(0x08B1, 0xC770, iwl7260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x08B1, 0xC760, iwl7260_2n_cfg)}, + {IWL_PCI_DEVICE(0x08B2, 0xC270, iwl7260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x08B1, 0xCC70, iwl7260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x08B1, 0xCC60, iwl7260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x08B2, 0xC272, iwl7260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x08B2, 0xC260, iwl7260_2n_cfg)}, + {IWL_PCI_DEVICE(0x08B2, 0xC26A, iwl7260_n_cfg)}, +diff --git a/drivers/net/wireless/rt2x00/rt2800.h b/drivers/net/wireless/rt2x00/rt2800.h +index a394a9a95919..7cf6081a05a1 100644 +--- a/drivers/net/wireless/rt2x00/rt2800.h ++++ b/drivers/net/wireless/rt2x00/rt2800.h +@@ -2039,7 +2039,7 @@ struct mac_iveiv_entry { + * 2 - drop tx power by 12dBm, + * 3 - increase tx power by 6dBm + */ +-#define BBP1_TX_POWER_CTRL FIELD8(0x07) ++#define BBP1_TX_POWER_CTRL FIELD8(0x03) + #define BBP1_TX_ANTENNA FIELD8(0x18) + + /* +diff --git a/drivers/pci/host/pci-mvebu.c b/drivers/pci/host/pci-mvebu.c +index 483d9ad89705..97736674ddcd 100644 +--- a/drivers/pci/host/pci-mvebu.c ++++ b/drivers/pci/host/pci-mvebu.c +@@ -855,7 +855,7 @@ static int mvebu_get_tgt_attr(struct device_node *np, int devfn, + rangesz = pna + na + ns; + nranges = rlen / sizeof(__be32) / rangesz; + +- for (i = 0; i < nranges; i++) { ++ for (i = 0; i < 
nranges; i++, range += rangesz) { + u32 flags = of_read_number(range, 1); + u32 slot = of_read_number(range + 1, 1); + u64 cpuaddr = of_read_number(range + na, pna); +@@ -865,14 +865,14 @@ static int mvebu_get_tgt_attr(struct device_node *np, int devfn, + rtype = IORESOURCE_IO; + else if (DT_FLAGS_TO_TYPE(flags) == DT_TYPE_MEM32) + rtype = IORESOURCE_MEM; ++ else ++ continue; + + if (slot == PCI_SLOT(devfn) && type == rtype) { + *tgt = DT_CPUADDR_TO_TARGET(cpuaddr); + *attr = DT_CPUADDR_TO_ATTR(cpuaddr); + return 0; + } +- +- range += rangesz; + } + + return -ENOENT; +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index 276ef9c18802..39a207abaa10 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -178,7 +178,7 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr, + { + struct pci_dev *pci_dev = to_pci_dev(dev); + +- return sprintf(buf, "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02x\n", ++ return sprintf(buf, "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X\n", + pci_dev->vendor, pci_dev->device, + pci_dev->subsystem_vendor, pci_dev->subsystem_device, + (u8)(pci_dev->class >> 16), (u8)(pci_dev->class >> 8), +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 813f437f3ee8..6e8776b59a2c 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include /* isa_dma_bridge_buggy */ + #include "pci.h" + +@@ -287,6 +288,25 @@ static void quirk_citrine(struct pci_dev *dev) + } + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_IBM, PCI_DEVICE_ID_IBM_CITRINE, quirk_citrine); + ++/* On IBM Crocodile ipr SAS adapters, expand BAR to system page size */ ++static void quirk_extend_bar_to_page(struct pci_dev *dev) ++{ ++ int i; ++ ++ for (i = 0; i < PCI_STD_RESOURCE_END; i++) { ++ struct resource *r = &dev->resource[i]; ++ ++ if (r->flags & IORESOURCE_MEM && resource_size(r) < PAGE_SIZE) { ++ r->end = PAGE_SIZE - 1; ++ r->start = 0; ++ r->flags |= IORESOURCE_UNSET; ++ dev_info(&dev->dev, "expanded BAR %d to page size: %pR\n", ++ i, r); ++ } ++ } ++} ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_IBM, 0x034a, quirk_extend_bar_to_page); ++ + /* + * S3 868 and 968 chips report region size equal to 32M, but they decode 64M. + * If it's needed, re-allocate the region. 
+diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c +index b2fcac78feaa..5bb9406688c9 100644 +--- a/drivers/scsi/be2iscsi/be_mgmt.c ++++ b/drivers/scsi/be2iscsi/be_mgmt.c +@@ -897,17 +897,20 @@ mgmt_static_ip_modify(struct beiscsi_hba *phba, + + if (ip_action == IP_ACTION_ADD) { + memcpy(req->ip_params.ip_record.ip_addr.addr, ip_param->value, +- ip_param->len); ++ sizeof(req->ip_params.ip_record.ip_addr.addr)); + + if (subnet_param) + memcpy(req->ip_params.ip_record.ip_addr.subnet_mask, +- subnet_param->value, subnet_param->len); ++ subnet_param->value, ++ sizeof(req->ip_params.ip_record.ip_addr.subnet_mask)); + } else { + memcpy(req->ip_params.ip_record.ip_addr.addr, +- if_info->ip_addr.addr, ip_param->len); ++ if_info->ip_addr.addr, ++ sizeof(req->ip_params.ip_record.ip_addr.addr)); + + memcpy(req->ip_params.ip_record.ip_addr.subnet_mask, +- if_info->ip_addr.subnet_mask, ip_param->len); ++ if_info->ip_addr.subnet_mask, ++ sizeof(req->ip_params.ip_record.ip_addr.subnet_mask)); + } + + rc = mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0); +@@ -935,7 +938,7 @@ static int mgmt_modify_gateway(struct beiscsi_hba *phba, uint8_t *gt_addr, + req->action = gtway_action; + req->ip_addr.ip_type = BE2_IPV4; + +- memcpy(req->ip_addr.addr, gt_addr, param_len); ++ memcpy(req->ip_addr.addr, gt_addr, sizeof(req->ip_addr.addr)); + + return mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0); + } +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 83cb61266979..23c1b0cd3074 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -3039,10 +3039,8 @@ qla2x00_unmap_iobases(struct qla_hw_data *ha) + } + + static void +-qla2x00_clear_drv_active(scsi_qla_host_t *vha) ++qla2x00_clear_drv_active(struct qla_hw_data *ha) + { +- struct qla_hw_data *ha = vha->hw; +- + if (IS_QLA8044(ha)) { + qla8044_idc_lock(ha); + qla8044_clear_drv_active(ha); +@@ -3111,7 +3109,7 @@ qla2x00_remove_one(struct pci_dev *pdev) + + scsi_host_put(base_vha->host); + +- qla2x00_clear_drv_active(base_vha); ++ qla2x00_clear_drv_active(ha); + + qla2x00_unmap_iobases(ha); + +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index 0cb73074c199..2f264ac79546 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -1382,12 +1382,10 @@ static inline void qlt_unmap_sg(struct scsi_qla_host *vha, + static int qlt_check_reserve_free_req(struct scsi_qla_host *vha, + uint32_t req_cnt) + { +- struct qla_hw_data *ha = vha->hw; +- device_reg_t __iomem *reg = ha->iobase; + uint32_t cnt; + + if (vha->req->cnt < (req_cnt + 2)) { +- cnt = (uint16_t)RD_REG_DWORD(®->isp24.req_q_out); ++ cnt = (uint16_t)RD_REG_DWORD(vha->req->req_q_out); + + ql_dbg(ql_dbg_tgt, vha, 0xe00a, + "Request ring circled: cnt=%d, vha->->ring_index=%d, " +diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c +index 6d207afec8cb..a4c45ea8f688 100644 +--- a/drivers/spi/spi-dw-mid.c ++++ b/drivers/spi/spi-dw-mid.c +@@ -89,7 +89,13 @@ err_exit: + + static void mid_spi_dma_exit(struct dw_spi *dws) + { ++ if (!dws->dma_inited) ++ return; ++ ++ dmaengine_terminate_all(dws->txchan); + dma_release_channel(dws->txchan); ++ ++ dmaengine_terminate_all(dws->rxchan); + dma_release_channel(dws->rxchan); + } + +@@ -136,7 +142,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, int cs_change) + txconf.dst_addr = dws->dma_addr; + txconf.dst_maxburst = LNW_DMA_MSIZE_16; + txconf.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +- 
txconf.dst_addr_width = DMA_SLAVE_BUSWIDTH_2_BYTES; ++ txconf.dst_addr_width = dws->dma_width; + txconf.device_fc = false; + + txchan->device->device_control(txchan, DMA_SLAVE_CONFIG, +@@ -159,7 +165,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, int cs_change) + rxconf.src_addr = dws->dma_addr; + rxconf.src_maxburst = LNW_DMA_MSIZE_16; + rxconf.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +- rxconf.src_addr_width = DMA_SLAVE_BUSWIDTH_2_BYTES; ++ rxconf.src_addr_width = dws->dma_width; + rxconf.device_fc = false; + + rxchan->device->device_control(rxchan, DMA_SLAVE_CONFIG, +diff --git a/drivers/tty/serial/omap-serial.c b/drivers/tty/serial/omap-serial.c +index db8434d3def9..f4e68b3fc39d 100644 +--- a/drivers/tty/serial/omap-serial.c ++++ b/drivers/tty/serial/omap-serial.c +@@ -260,8 +260,16 @@ serial_omap_baud_is_mode16(struct uart_port *port, unsigned int baud) + { + unsigned int n13 = port->uartclk / (13 * baud); + unsigned int n16 = port->uartclk / (16 * baud); +- int baudAbsDiff13 = baud - (port->uartclk / (13 * n13)); +- int baudAbsDiff16 = baud - (port->uartclk / (16 * n16)); ++ int baudAbsDiff13; ++ int baudAbsDiff16; ++ ++ if (n13 == 0) ++ n13 = 1; ++ if (n16 == 0) ++ n16 = 1; ++ ++ baudAbsDiff13 = baud - (port->uartclk / (13 * n13)); ++ baudAbsDiff16 = baud - (port->uartclk / (16 * n16)); + if (baudAbsDiff13 < 0) + baudAbsDiff13 = -baudAbsDiff13; + if (baudAbsDiff16 < 0) +diff --git a/drivers/usb/gadget/Kconfig b/drivers/usb/gadget/Kconfig +index 8154165aa601..fd13ef0a96c9 100644 +--- a/drivers/usb/gadget/Kconfig ++++ b/drivers/usb/gadget/Kconfig +@@ -445,7 +445,7 @@ config USB_GOKU + gadget drivers to also be dynamically linked. + + config USB_EG20T +- tristate "Intel EG20T PCH/LAPIS Semiconductor IOH(ML7213/ML7831) UDC" ++ tristate "Intel QUARK X1000/EG20T PCH/LAPIS Semiconductor IOH(ML7213/ML7831) UDC" + depends on PCI + help + This is a USB device driver for EG20T PCH. +@@ -466,6 +466,7 @@ config USB_EG20T + ML7213/ML7831 is companion chip for Intel Atom E6xx series. + ML7213/ML7831 is completely compatible for Intel EG20T PCH. 
+ ++ This driver can be used with Intel's Quark X1000 SOC platform + # + # LAST -- dummy/emulated controller + # +diff --git a/drivers/usb/gadget/pch_udc.c b/drivers/usb/gadget/pch_udc.c +index eb8c3bedb57a..460d953c91b6 100644 +--- a/drivers/usb/gadget/pch_udc.c ++++ b/drivers/usb/gadget/pch_udc.c +@@ -343,6 +343,7 @@ struct pch_vbus_gpio_data { + * @setup_data: Received setup data + * @phys_addr: of device memory + * @base_addr: for mapped device memory ++ * @bar: Indicates which PCI BAR for USB regs + * @irq: IRQ line for the device + * @cfg_data: current cfg, intf, and alt in use + * @vbus_gpio: GPIO informaton for detecting VBUS +@@ -370,14 +371,17 @@ struct pch_udc_dev { + struct usb_ctrlrequest setup_data; + unsigned long phys_addr; + void __iomem *base_addr; ++ unsigned bar; + unsigned irq; + struct pch_udc_cfg_data cfg_data; + struct pch_vbus_gpio_data vbus_gpio; + }; + #define to_pch_udc(g) (container_of((g), struct pch_udc_dev, gadget)) + ++#define PCH_UDC_PCI_BAR_QUARK_X1000 0 + #define PCH_UDC_PCI_BAR 1 + #define PCI_DEVICE_ID_INTEL_EG20T_UDC 0x8808 ++#define PCI_DEVICE_ID_INTEL_QUARK_X1000_UDC 0x0939 + #define PCI_VENDOR_ID_ROHM 0x10DB + #define PCI_DEVICE_ID_ML7213_IOH_UDC 0x801D + #define PCI_DEVICE_ID_ML7831_IOH_UDC 0x8808 +@@ -3076,7 +3080,7 @@ static void pch_udc_remove(struct pci_dev *pdev) + iounmap(dev->base_addr); + if (dev->mem_region) + release_mem_region(dev->phys_addr, +- pci_resource_len(pdev, PCH_UDC_PCI_BAR)); ++ pci_resource_len(pdev, dev->bar)); + if (dev->active) + pci_disable_device(pdev); + kfree(dev); +@@ -3144,9 +3148,15 @@ static int pch_udc_probe(struct pci_dev *pdev, + dev->active = 1; + pci_set_drvdata(pdev, dev); + ++ /* Determine BAR based on PCI ID */ ++ if (id->device == PCI_DEVICE_ID_INTEL_QUARK_X1000_UDC) ++ dev->bar = PCH_UDC_PCI_BAR_QUARK_X1000; ++ else ++ dev->bar = PCH_UDC_PCI_BAR; ++ + /* PCI resource allocation */ +- resource = pci_resource_start(pdev, 1); +- len = pci_resource_len(pdev, 1); ++ resource = pci_resource_start(pdev, dev->bar); ++ len = pci_resource_len(pdev, dev->bar); + + if (!request_mem_region(resource, len, KBUILD_MODNAME)) { + dev_err(&pdev->dev, "%s: pci device used already\n", __func__); +@@ -3212,6 +3222,12 @@ finished: + + static const struct pci_device_id pch_udc_pcidev_id[] = { + { ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, ++ PCI_DEVICE_ID_INTEL_QUARK_X1000_UDC), ++ .class = (PCI_CLASS_SERIAL_USB << 8) | 0xfe, ++ .class_mask = 0xffffffff, ++ }, ++ { + PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_EG20T_UDC), + .class = (PCI_CLASS_SERIAL_USB << 8) | 0xfe, + .class_mask = 0xffffffff, +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index 0165b8672f09..a9a881ed8cbe 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -2510,23 +2510,28 @@ static int find_desired_extent(struct inode *inode, loff_t *offset, int whence) + struct btrfs_root *root = BTRFS_I(inode)->root; + struct extent_map *em = NULL; + struct extent_state *cached_state = NULL; +- u64 lockstart = *offset; +- u64 lockend = i_size_read(inode); +- u64 start = *offset; +- u64 len = i_size_read(inode); ++ u64 lockstart; ++ u64 lockend; ++ u64 start; ++ u64 len; + int ret = 0; + +- lockend = max_t(u64, root->sectorsize, lockend); ++ if (inode->i_size == 0) ++ return -ENXIO; ++ ++ /* ++ * *offset can be negative, in this case we start finding DATA/HOLE from ++ * the very start of the file. 
++ */ ++ start = max_t(loff_t, 0, *offset); ++ ++ lockstart = round_down(start, root->sectorsize); ++ lockend = round_up(i_size_read(inode), root->sectorsize); + if (lockend <= lockstart) + lockend = lockstart + root->sectorsize; +- + lockend--; + len = lockend - lockstart + 1; + +- len = max_t(u64, len, root->sectorsize); +- if (inode->i_size == 0) +- return -ENXIO; +- + lock_extent_bits(&BTRFS_I(inode)->io_tree, lockstart, lockend, 0, + &cached_state); + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index c69c76351f12..d68a7250f00b 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -3596,7 +3596,8 @@ noinline int btrfs_update_inode(struct btrfs_trans_handle *trans, + * without delay + */ + if (!btrfs_is_free_space_inode(inode) +- && root->root_key.objectid != BTRFS_DATA_RELOC_TREE_OBJECTID) { ++ && root->root_key.objectid != BTRFS_DATA_RELOC_TREE_OBJECTID ++ && !root->fs_info->log_root_recovering) { + btrfs_update_root_times(trans, root); + + ret = btrfs_delayed_update_inode(trans, root, inode); +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index a6d8efa46bfe..0b72006aecbe 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -302,6 +302,9 @@ static int btrfs_ioctl_setflags(struct file *file, void __user *arg) + goto out_drop; + + } else { ++ ret = btrfs_set_prop(inode, "btrfs.compression", NULL, 0, 0); ++ if (ret && ret != -ENODATA) ++ goto out_drop; + ip->flags &= ~(BTRFS_INODE_COMPRESS | BTRFS_INODE_NOCOMPRESS); + } + +@@ -4750,6 +4753,12 @@ long btrfs_ioctl(struct file *file, unsigned int + if (ret) + return ret; + ret = btrfs_sync_fs(file->f_dentry->d_sb, 1); ++ /* ++ * The transaction thread may want to do more work, ++ * namely it pokes the cleaner ktread that will start ++ * processing uncleaned subvols. ++ */ ++ wake_up_process(root->fs_info->transaction_kthread); + return ret; + } + case BTRFS_IOC_START_SYNC: +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 07b3b36f40ee..01f977e3ce09 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -736,7 +736,8 @@ again: + err = ret; + goto out; + } +- BUG_ON(!ret || !path1->slots[0]); ++ ASSERT(ret); ++ ASSERT(path1->slots[0]); + + path1->slots[0]--; + +@@ -746,10 +747,10 @@ again: + * the backref was added previously when processing + * backref of type BTRFS_TREE_BLOCK_REF_KEY + */ +- BUG_ON(!list_is_singular(&cur->upper)); ++ ASSERT(list_is_singular(&cur->upper)); + edge = list_entry(cur->upper.next, struct backref_edge, + list[LOWER]); +- BUG_ON(!list_empty(&edge->list[UPPER])); ++ ASSERT(list_empty(&edge->list[UPPER])); + exist = edge->node[UPPER]; + /* + * add the upper level block to pending list if we need +@@ -831,7 +832,7 @@ again: + cur->cowonly = 1; + } + #else +- BUG_ON(key.type == BTRFS_EXTENT_REF_V0_KEY); ++ ASSERT(key.type != BTRFS_EXTENT_REF_V0_KEY); + if (key.type == BTRFS_SHARED_BLOCK_REF_KEY) { + #endif + if (key.objectid == key.offset) { +@@ -840,7 +841,7 @@ again: + * backref of this type. 
+ */ + root = find_reloc_root(rc, cur->bytenr); +- BUG_ON(!root); ++ ASSERT(root); + cur->root = root; + break; + } +@@ -868,7 +869,7 @@ again: + } else { + upper = rb_entry(rb_node, struct backref_node, + rb_node); +- BUG_ON(!upper->checked); ++ ASSERT(upper->checked); + INIT_LIST_HEAD(&edge->list[UPPER]); + } + list_add_tail(&edge->list[LOWER], &cur->upper); +@@ -892,7 +893,7 @@ again: + + if (btrfs_root_level(&root->root_item) == cur->level) { + /* tree root */ +- BUG_ON(btrfs_root_bytenr(&root->root_item) != ++ ASSERT(btrfs_root_bytenr(&root->root_item) == + cur->bytenr); + if (should_ignore_root(root)) + list_add(&cur->list, &useless); +@@ -927,7 +928,7 @@ again: + need_check = true; + for (; level < BTRFS_MAX_LEVEL; level++) { + if (!path2->nodes[level]) { +- BUG_ON(btrfs_root_bytenr(&root->root_item) != ++ ASSERT(btrfs_root_bytenr(&root->root_item) == + lower->bytenr); + if (should_ignore_root(root)) + list_add(&lower->list, &useless); +@@ -976,12 +977,15 @@ again: + need_check = false; + list_add_tail(&edge->list[UPPER], + &list); +- } else ++ } else { ++ if (upper->checked) ++ need_check = true; + INIT_LIST_HEAD(&edge->list[UPPER]); ++ } + } else { + upper = rb_entry(rb_node, struct backref_node, + rb_node); +- BUG_ON(!upper->checked); ++ ASSERT(upper->checked); + INIT_LIST_HEAD(&edge->list[UPPER]); + if (!upper->owner) + upper->owner = btrfs_header_owner(eb); +@@ -1025,7 +1029,7 @@ next: + * everything goes well, connect backref nodes and insert backref nodes + * into the cache. + */ +- BUG_ON(!node->checked); ++ ASSERT(node->checked); + cowonly = node->cowonly; + if (!cowonly) { + rb_node = tree_insert(&cache->rb_root, node->bytenr, +@@ -1061,8 +1065,21 @@ next: + continue; + } + +- BUG_ON(!upper->checked); +- BUG_ON(cowonly != upper->cowonly); ++ if (!upper->checked) { ++ /* ++ * Still want to blow up for developers since this is a ++ * logic bug. ++ */ ++ ASSERT(0); ++ err = -EINVAL; ++ goto out; ++ } ++ if (cowonly != upper->cowonly) { ++ ASSERT(0); ++ err = -EINVAL; ++ goto out; ++ } ++ + if (!cowonly) { + rb_node = tree_insert(&cache->rb_root, upper->bytenr, + &upper->rb_node); +@@ -1085,7 +1102,7 @@ next: + while (!list_empty(&useless)) { + upper = list_entry(useless.next, struct backref_node, list); + list_del_init(&upper->list); +- BUG_ON(!list_empty(&upper->upper)); ++ ASSERT(list_empty(&upper->upper)); + if (upper == node) + node = NULL; + if (upper->lowest) { +@@ -1118,29 +1135,45 @@ out: + if (err) { + while (!list_empty(&useless)) { + lower = list_entry(useless.next, +- struct backref_node, upper); +- list_del_init(&lower->upper); ++ struct backref_node, list); ++ list_del_init(&lower->list); + } +- upper = node; +- INIT_LIST_HEAD(&list); +- while (upper) { +- if (RB_EMPTY_NODE(&upper->rb_node)) { +- list_splice_tail(&upper->upper, &list); +- free_backref_node(cache, upper); +- } +- +- if (list_empty(&list)) +- break; +- +- edge = list_entry(list.next, struct backref_edge, +- list[LOWER]); ++ while (!list_empty(&list)) { ++ edge = list_first_entry(&list, struct backref_edge, ++ list[UPPER]); ++ list_del(&edge->list[UPPER]); + list_del(&edge->list[LOWER]); ++ lower = edge->node[LOWER]; + upper = edge->node[UPPER]; + free_backref_edge(cache, edge); ++ ++ /* ++ * Lower is no longer linked to any upper backref nodes ++ * and isn't in the cache, we can free it ourselves. 
++ */ ++ if (list_empty(&lower->upper) && ++ RB_EMPTY_NODE(&lower->rb_node)) ++ list_add(&lower->list, &useless); ++ ++ if (!RB_EMPTY_NODE(&upper->rb_node)) ++ continue; ++ ++ /* Add this guy's upper edges to the list to proces */ ++ list_for_each_entry(edge, &upper->upper, list[LOWER]) ++ list_add_tail(&edge->list[UPPER], &list); ++ if (list_empty(&upper->upper)) ++ list_add(&upper->list, &useless); ++ } ++ ++ while (!list_empty(&useless)) { ++ lower = list_entry(useless.next, ++ struct backref_node, list); ++ list_del_init(&lower->list); ++ free_backref_node(cache, lower); + } + return ERR_PTR(err); + } +- BUG_ON(node && node->detached); ++ ASSERT(!node || !node->detached); + return node; + } + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index a65ed4cb436b..20d793542096 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -4728,7 +4728,9 @@ static int finish_inode_if_needed(struct send_ctx *sctx, int at_end) + + if (S_ISREG(sctx->cur_inode_mode)) { + if (need_send_hole(sctx)) { +- if (sctx->cur_inode_last_extent == (u64)-1) { ++ if (sctx->cur_inode_last_extent == (u64)-1 || ++ sctx->cur_inode_last_extent < ++ sctx->cur_inode_size) { + ret = get_last_extent(sctx, (u64)-1); + if (ret) + goto out; +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index b05bf58b9395..a0b65a01fed7 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -592,7 +592,6 @@ int btrfs_wait_for_commit(struct btrfs_root *root, u64 transid) + if (transid <= root->fs_info->last_trans_committed) + goto out; + +- ret = -EINVAL; + /* find specified transaction */ + spin_lock(&root->fs_info->trans_lock); + list_for_each_entry(t, &root->fs_info->trans_list, list) { +@@ -608,9 +607,16 @@ int btrfs_wait_for_commit(struct btrfs_root *root, u64 transid) + } + } + spin_unlock(&root->fs_info->trans_lock); +- /* The specified transaction doesn't exist */ +- if (!cur_trans) ++ ++ /* ++ * The specified transaction doesn't exist, or we ++ * raced with btrfs_commit_transaction ++ */ ++ if (!cur_trans) { ++ if (transid > root->fs_info->last_trans_committed) ++ ret = -EINVAL; + goto out; ++ } + } else { + /* find newest transaction that is committing | committed */ + spin_lock(&root->fs_info->trans_lock); +diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c +index b167ca48b8ee..a85ceb7c91bc 100644 +--- a/fs/ecryptfs/inode.c ++++ b/fs/ecryptfs/inode.c +@@ -1039,7 +1039,7 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value, + } + + rc = vfs_setxattr(lower_dentry, name, value, size, flags); +- if (!rc) ++ if (!rc && dentry->d_inode) + fsstack_copy_attr_all(dentry->d_inode, lower_dentry->d_inode); + out: + return rc; +diff --git a/fs/namespace.c b/fs/namespace.c +index 75536db4b69b..c7d4a0ae2c65 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1365,6 +1365,8 @@ static int do_umount(struct mount *mnt, int flags) + * Special case for "unmounting" root ... + * we just try to remount it readonly. 
+ */ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; + down_write(&sb->s_umount); + if (!(sb->s_flags & MS_RDONLY)) + retval = do_remount_sb(sb, MS_RDONLY, NULL, 0); +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 2e9662ea5451..da657b7804a5 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -7242,7 +7242,7 @@ static int nfs41_proc_async_sequence(struct nfs_client *clp, struct rpc_cred *cr + int ret = 0; + + if ((renew_flags & NFS4_RENEW_TIMEOUT) == 0) +- return 0; ++ return -EAGAIN; + task = _nfs41_proc_sequence(clp, cred, false); + if (IS_ERR(task)) + ret = PTR_ERR(task); +diff --git a/fs/nfs/nfs4renewd.c b/fs/nfs/nfs4renewd.c +index 1720d32ffa54..e1ba58c3d1ad 100644 +--- a/fs/nfs/nfs4renewd.c ++++ b/fs/nfs/nfs4renewd.c +@@ -88,10 +88,18 @@ nfs4_renew_state(struct work_struct *work) + } + nfs_expire_all_delegations(clp); + } else { ++ int ret; ++ + /* Queue an asynchronous RENEW. */ +- ops->sched_state_renewal(clp, cred, renew_flags); ++ ret = ops->sched_state_renewal(clp, cred, renew_flags); + put_rpccred(cred); +- goto out_exp; ++ switch (ret) { ++ default: ++ goto out_exp; ++ case -EAGAIN: ++ case -ENOMEM: ++ break; ++ } + } + } else { + dprintk("%s: failed to call renewd. Reason: lease not expired \n", +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index 27f5f858502b..b4f177f1d405 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1732,7 +1732,8 @@ restart: + if (status < 0) { + set_bit(ops->owner_flag_bit, &sp->so_flags); + nfs4_put_state_owner(sp); +- return nfs4_recovery_handle_error(clp, status); ++ status = nfs4_recovery_handle_error(clp, status); ++ return (status != 0) ? status : -EAGAIN; + } + + nfs4_put_state_owner(sp); +@@ -1741,7 +1742,7 @@ restart: + spin_unlock(&clp->cl_lock); + } + rcu_read_unlock(); +- return status; ++ return 0; + } + + static int nfs4_check_lease(struct nfs_client *clp) +@@ -1788,7 +1789,6 @@ static int nfs4_handle_reclaim_lease_error(struct nfs_client *clp, int status) + break; + case -NFS4ERR_STALE_CLIENTID: + clear_bit(NFS4CLNT_LEASE_CONFIRM, &clp->cl_state); +- nfs4_state_clear_reclaim_reboot(clp); + nfs4_state_start_reclaim_reboot(clp); + break; + case -NFS4ERR_CLID_INUSE: +@@ -2370,6 +2370,7 @@ static void nfs4_state_manager(struct nfs_client *clp) + status = nfs4_check_lease(clp); + if (status < 0) + goto out_error; ++ continue; + } + + if (test_and_clear_bit(NFS4CLNT_MOVED, &clp->cl_state)) { +@@ -2391,14 +2392,11 @@ static void nfs4_state_manager(struct nfs_client *clp) + section = "reclaim reboot"; + status = nfs4_do_reclaim(clp, + clp->cl_mvops->reboot_recovery_ops); +- if (test_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state) || +- test_bit(NFS4CLNT_SESSION_RESET, &clp->cl_state)) +- continue; +- nfs4_state_end_reclaim_reboot(clp); +- if (test_bit(NFS4CLNT_RECLAIM_NOGRACE, &clp->cl_state)) ++ if (status == -EAGAIN) + continue; + if (status < 0) + goto out_error; ++ nfs4_state_end_reclaim_reboot(clp); + } + + /* Now recover expired state... 
*/ +@@ -2406,9 +2404,7 @@ static void nfs4_state_manager(struct nfs_client *clp) + section = "reclaim nograce"; + status = nfs4_do_reclaim(clp, + clp->cl_mvops->nograce_recovery_ops); +- if (test_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state) || +- test_bit(NFS4CLNT_SESSION_RESET, &clp->cl_state) || +- test_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state)) ++ if (status == -EAGAIN) + continue; + if (status < 0) + goto out_error; +diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c +index 287a22c04149..de6323eb0113 100644 +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -71,7 +71,7 @@ static int create_fd(struct fsnotify_group *group, + + pr_debug("%s: group=%p event=%p\n", __func__, group, event); + +- client_fd = get_unused_fd(); ++ client_fd = get_unused_fd_flags(group->fanotify_data.f_flags); + if (client_fd < 0) + return client_fd; + +diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c +index 5d2518b24cea..0461fbe405b7 100644 +--- a/fs/xfs/xfs_aops.c ++++ b/fs/xfs/xfs_aops.c +@@ -434,10 +434,22 @@ xfs_start_page_writeback( + { + ASSERT(PageLocked(page)); + ASSERT(!PageWriteback(page)); +- if (clear_dirty) ++ ++ /* ++ * if the page was not fully cleaned, we need to ensure that the higher ++ * layers come back to it correctly. That means we need to keep the page ++ * dirty, and for WB_SYNC_ALL writeback we need to ensure the ++ * PAGECACHE_TAG_TOWRITE index mark is not removed so another attempt to ++ * write this page in this writeback sweep will be made. ++ */ ++ if (clear_dirty) { + clear_page_dirty_for_io(page); +- set_page_writeback(page); ++ set_page_writeback(page); ++ } else ++ set_page_writeback_keepwrite(page); ++ + unlock_page(page); ++ + /* If no buffers on the page are to be written, finish it here */ + if (!buffers) + end_page_writeback(page); +diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h +new file mode 100644 +index 000000000000..cdd1cc202d51 +--- /dev/null ++++ b/include/linux/compiler-gcc5.h +@@ -0,0 +1,66 @@ ++#ifndef __LINUX_COMPILER_H ++#error "Please don't include directly, include instead." ++#endif ++ ++#define __used __attribute__((__used__)) ++#define __must_check __attribute__((warn_unused_result)) ++#define __compiler_offsetof(a, b) __builtin_offsetof(a, b) ++ ++/* Mark functions as cold. gcc will assume any path leading to a call ++ to them will be unlikely. This means a lot of manual unlikely()s ++ are unnecessary now for any paths leading to the usual suspects ++ like BUG(), printk(), panic() etc. [but let's keep them for now for ++ older compilers] ++ ++ Early snapshots of gcc 4.3 don't support this and we can't detect this ++ in the preprocessor, but we can live with this because they're unreleased. ++ Maketime probing would be overkill here. ++ ++ gcc also has a __attribute__((__hot__)) to move hot functions into ++ a special section, but I don't see any sense in this right now in ++ the kernel context */ ++#define __cold __attribute__((__cold__)) ++ ++#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) ++ ++#ifndef __CHECKER__ ++# define __compiletime_warning(message) __attribute__((warning(message))) ++# define __compiletime_error(message) __attribute__((error(message))) ++#endif /* __CHECKER__ */ ++ ++/* ++ * Mark a position in code as unreachable. This can be used to ++ * suppress control flow warnings after asm blocks that transfer ++ * control elsewhere. 
++ * ++ * Early snapshots of gcc 4.5 don't support this and we can't detect ++ * this in the preprocessor, but we can live with this because they're ++ * unreleased. Really, we need to have autoconf for the kernel. ++ */ ++#define unreachable() __builtin_unreachable() ++ ++/* Mark a function definition as prohibited from being cloned. */ ++#define __noclone __attribute__((__noclone__)) ++ ++/* ++ * Tell the optimizer that something else uses this function or variable. ++ */ ++#define __visible __attribute__((externally_visible)) ++ ++/* ++ * GCC 'asm goto' miscompiles certain code sequences: ++ * ++ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 ++ * ++ * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. ++ * Fixed in GCC 4.8.2 and later versions. ++ * ++ * (asm goto is automatically volatile - the naming reflects this.) ++ */ ++#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) ++ ++#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP ++#define __HAVE_BUILTIN_BSWAP32__ ++#define __HAVE_BUILTIN_BSWAP64__ ++#define __HAVE_BUILTIN_BSWAP16__ ++#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h +index 97fbecdd7a40..057c1d8c77e5 100644 +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -2551,6 +2551,7 @@ + #define PCI_DEVICE_ID_INTEL_MFD_EMMC0 0x0823 + #define PCI_DEVICE_ID_INTEL_MFD_EMMC1 0x0824 + #define PCI_DEVICE_ID_INTEL_MRST_SD2 0x084F ++#define PCI_DEVICE_ID_INTEL_QUARK_X1000_ILB 0x095E + #define PCI_DEVICE_ID_INTEL_I960 0x0960 + #define PCI_DEVICE_ID_INTEL_I960RM 0x0962 + #define PCI_DEVICE_ID_INTEL_CENTERTON_ILB 0x0c60 +diff --git a/include/linux/sched.h b/include/linux/sched.h +index d7ca410ace93..218b058060f1 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -1876,11 +1876,13 @@ extern void thread_group_cputime_adjusted(struct task_struct *p, cputime_t *ut, + #define tsk_used_math(p) ((p)->flags & PF_USED_MATH) + #define used_math() tsk_used_math(current) + +-/* __GFP_IO isn't allowed if PF_MEMALLOC_NOIO is set in current->flags */ ++/* __GFP_IO isn't allowed if PF_MEMALLOC_NOIO is set in current->flags ++ * __GFP_FS is also cleared as it implies __GFP_IO. 
++ */ + static inline gfp_t memalloc_noio_flags(gfp_t flags) + { + if (unlikely(current->flags & PF_MEMALLOC_NOIO)) +- flags &= ~__GFP_IO; ++ flags &= ~(__GFP_IO | __GFP_FS); + return flags; + } + +diff --git a/kernel/futex.c b/kernel/futex.c +index 0b0dc02aabce..fda2950f2ce4 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -329,6 +329,8 @@ static void get_futex_key_refs(union futex_key *key) + case FUT_OFF_MMSHARED: + futex_get_mm(key); /* implies MB (B) */ + break; ++ default: ++ smp_mb(); /* explicit MB (B) */ + } + } + +diff --git a/lib/lzo/lzo1x_decompress_safe.c b/lib/lzo/lzo1x_decompress_safe.c +index 8563081e8da3..a1c387f6afba 100644 +--- a/lib/lzo/lzo1x_decompress_safe.c ++++ b/lib/lzo/lzo1x_decompress_safe.c +@@ -19,31 +19,21 @@ + #include + #include "lzodefs.h" + +-#define HAVE_IP(t, x) \ +- (((size_t)(ip_end - ip) >= (size_t)(t + x)) && \ +- (((t + x) >= t) && ((t + x) >= x))) ++#define HAVE_IP(x) ((size_t)(ip_end - ip) >= (size_t)(x)) ++#define HAVE_OP(x) ((size_t)(op_end - op) >= (size_t)(x)) ++#define NEED_IP(x) if (!HAVE_IP(x)) goto input_overrun ++#define NEED_OP(x) if (!HAVE_OP(x)) goto output_overrun ++#define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun + +-#define HAVE_OP(t, x) \ +- (((size_t)(op_end - op) >= (size_t)(t + x)) && \ +- (((t + x) >= t) && ((t + x) >= x))) +- +-#define NEED_IP(t, x) \ +- do { \ +- if (!HAVE_IP(t, x)) \ +- goto input_overrun; \ +- } while (0) +- +-#define NEED_OP(t, x) \ +- do { \ +- if (!HAVE_OP(t, x)) \ +- goto output_overrun; \ +- } while (0) +- +-#define TEST_LB(m_pos) \ +- do { \ +- if ((m_pos) < out) \ +- goto lookbehind_overrun; \ +- } while (0) ++/* This MAX_255_COUNT is the maximum number of times we can add 255 to a base ++ * count without overflowing an integer. The multiply will overflow when ++ * multiplying 255 by more than MAXINT/255. The sum will overflow earlier ++ * depending on the base count. Since the base count is taken from a u8 ++ * and a few bits, it is safe to assume that it will always be lower than ++ * or equal to 2*255, thus we can always prevent any overflow by accepting ++ * two less 255 steps. See Documentation/lzo.txt for more information. 
++ */ ++#define MAX_255_COUNT ((((size_t)~0) / 255) - 2) + + int lzo1x_decompress_safe(const unsigned char *in, size_t in_len, + unsigned char *out, size_t *out_len) +@@ -75,17 +65,24 @@ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len, + if (t < 16) { + if (likely(state == 0)) { + if (unlikely(t == 0)) { ++ size_t offset; ++ const unsigned char *ip_last = ip; ++ + while (unlikely(*ip == 0)) { +- t += 255; + ip++; +- NEED_IP(1, 0); ++ NEED_IP(1); + } +- t += 15 + *ip++; ++ offset = ip - ip_last; ++ if (unlikely(offset > MAX_255_COUNT)) ++ return LZO_E_ERROR; ++ ++ offset = (offset << 8) - offset; ++ t += offset + 15 + *ip++; + } + t += 3; + copy_literal_run: + #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) +- if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) { ++ if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) { + const unsigned char *ie = ip + t; + unsigned char *oe = op + t; + do { +@@ -101,8 +98,8 @@ copy_literal_run: + } else + #endif + { +- NEED_OP(t, 0); +- NEED_IP(t, 3); ++ NEED_OP(t); ++ NEED_IP(t + 3); + do { + *op++ = *ip++; + } while (--t > 0); +@@ -115,7 +112,7 @@ copy_literal_run: + m_pos -= t >> 2; + m_pos -= *ip++ << 2; + TEST_LB(m_pos); +- NEED_OP(2, 0); ++ NEED_OP(2); + op[0] = m_pos[0]; + op[1] = m_pos[1]; + op += 2; +@@ -136,13 +133,20 @@ copy_literal_run: + } else if (t >= 32) { + t = (t & 31) + (3 - 1); + if (unlikely(t == 2)) { ++ size_t offset; ++ const unsigned char *ip_last = ip; ++ + while (unlikely(*ip == 0)) { +- t += 255; + ip++; +- NEED_IP(1, 0); ++ NEED_IP(1); + } +- t += 31 + *ip++; +- NEED_IP(2, 0); ++ offset = ip - ip_last; ++ if (unlikely(offset > MAX_255_COUNT)) ++ return LZO_E_ERROR; ++ ++ offset = (offset << 8) - offset; ++ t += offset + 31 + *ip++; ++ NEED_IP(2); + } + m_pos = op - 1; + next = get_unaligned_le16(ip); +@@ -154,13 +158,20 @@ copy_literal_run: + m_pos -= (t & 8) << 11; + t = (t & 7) + (3 - 1); + if (unlikely(t == 2)) { ++ size_t offset; ++ const unsigned char *ip_last = ip; ++ + while (unlikely(*ip == 0)) { +- t += 255; + ip++; +- NEED_IP(1, 0); ++ NEED_IP(1); + } +- t += 7 + *ip++; +- NEED_IP(2, 0); ++ offset = ip - ip_last; ++ if (unlikely(offset > MAX_255_COUNT)) ++ return LZO_E_ERROR; ++ ++ offset = (offset << 8) - offset; ++ t += offset + 7 + *ip++; ++ NEED_IP(2); + } + next = get_unaligned_le16(ip); + ip += 2; +@@ -174,7 +185,7 @@ copy_literal_run: + #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) + if (op - m_pos >= 8) { + unsigned char *oe = op + t; +- if (likely(HAVE_OP(t, 15))) { ++ if (likely(HAVE_OP(t + 15))) { + do { + COPY8(op, m_pos); + op += 8; +@@ -184,7 +195,7 @@ copy_literal_run: + m_pos += 8; + } while (op < oe); + op = oe; +- if (HAVE_IP(6, 0)) { ++ if (HAVE_IP(6)) { + state = next; + COPY4(op, ip); + op += next; +@@ -192,7 +203,7 @@ copy_literal_run: + continue; + } + } else { +- NEED_OP(t, 0); ++ NEED_OP(t); + do { + *op++ = *m_pos++; + } while (op < oe); +@@ -201,7 +212,7 @@ copy_literal_run: + #endif + { + unsigned char *oe = op + t; +- NEED_OP(t, 0); ++ NEED_OP(t); + op[0] = m_pos[0]; + op[1] = m_pos[1]; + op += 2; +@@ -214,15 +225,15 @@ match_next: + state = next; + t = next; + #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) +- if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) { ++ if (likely(HAVE_IP(6) && HAVE_OP(4))) { + COPY4(op, ip); + op += t; + ip += t; + } else + #endif + { +- NEED_IP(t, 3); +- NEED_OP(t, 0); ++ NEED_IP(t + 3); ++ NEED_OP(t); + while (t > 0) { + *op++ = *ip++; + t--; +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 6afa3b45f25a..0007c9e9853a 
100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -2608,12 +2608,8 @@ static int l2cap_segment_le_sdu(struct l2cap_chan *chan, + + BT_DBG("chan %p, msg %p, len %zu", chan, msg, len); + +- pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE; +- +- pdu_len = min_t(size_t, pdu_len, chan->remote_mps); +- + sdu_len = len; +- pdu_len -= L2CAP_SDULEN_SIZE; ++ pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE; + + while (len > 0) { + if (len <= pdu_len) +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 734e9468aca0..6df1b2527d02 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -194,8 +194,11 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, + goto out; + + cause = "missing-hash"; +- status = +- (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL; ++ status = INTEGRITY_NOLABEL; ++ if (inode->i_size == 0) { ++ iint->flags |= IMA_NEW_FILE; ++ status = INTEGRITY_PASS; ++ } + goto out; + } + +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index 76d8aad146a8..9f70efd08058 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -131,11 +131,13 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, + return; + + mutex_lock(&inode->i_mutex); +- if (atomic_read(&inode->i_writecount) == 1 && +- iint->version != inode->i_version) { +- iint->flags &= ~IMA_DONE_MASK; +- if (iint->flags & IMA_APPRAISE) +- ima_update_xattr(iint, file); ++ if (atomic_read(&inode->i_writecount) == 1) { ++ if ((iint->version != inode->i_version) || ++ (iint->flags & IMA_NEW_FILE)) { ++ iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); ++ if (iint->flags & IMA_APPRAISE) ++ ima_update_xattr(iint, file); ++ } + } + mutex_unlock(&inode->i_mutex); + } +diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h +index 33c0a70f6b15..2f8715d77a5a 100644 +--- a/security/integrity/integrity.h ++++ b/security/integrity/integrity.h +@@ -31,6 +31,7 @@ + #define IMA_DIGSIG 0x01000000 + #define IMA_DIGSIG_REQUIRED 0x02000000 + #define IMA_PERMIT_DIRECTIO 0x04000000 ++#define IMA_NEW_FILE 0x08000000 + + #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ + IMA_APPRAISE_SUBMASK) +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 01a5e05ede95..566b0f69d628 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -3189,7 +3189,7 @@ static const struct vm_operations_struct snd_pcm_vm_ops_data_fault = { + + #ifndef ARCH_HAS_DMA_MMAP_COHERENT + /* This should be defined / handled globally! */ +-#ifdef CONFIG_ARM ++#if defined(CONFIG_ARM) || defined(CONFIG_ARM64) + #define ARCH_HAS_DMA_MMAP_COHERENT + #endif + #endif +diff --git a/sound/pci/emu10k1/emu10k1_callback.c b/sound/pci/emu10k1/emu10k1_callback.c +index cae36597aa71..0a34b5f1c475 100644 +--- a/sound/pci/emu10k1/emu10k1_callback.c ++++ b/sound/pci/emu10k1/emu10k1_callback.c +@@ -85,6 +85,8 @@ snd_emu10k1_ops_setup(struct snd_emux *emux) + * get more voice for pcm + * + * terminate most inactive voice and give it as a pcm voice. ++ * ++ * voice_lock is already held. 
+ */ + int + snd_emu10k1_synth_get_voice(struct snd_emu10k1 *hw) +@@ -92,12 +94,10 @@ snd_emu10k1_synth_get_voice(struct snd_emu10k1 *hw) + struct snd_emux *emu; + struct snd_emux_voice *vp; + struct best_voice best[V_END]; +- unsigned long flags; + int i; + + emu = hw->synth; + +- spin_lock_irqsave(&emu->voice_lock, flags); + lookup_voices(emu, hw, best, 1); /* no OFF voices */ + for (i = 0; i < V_END; i++) { + if (best[i].voice >= 0) { +@@ -113,11 +113,9 @@ snd_emu10k1_synth_get_voice(struct snd_emu10k1 *hw) + vp->emu->num_voices--; + vp->ch = -1; + vp->state = SNDRV_EMUX_ST_OFF; +- spin_unlock_irqrestore(&emu->voice_lock, flags); + return ch; + } + } +- spin_unlock_irqrestore(&emu->voice_lock, flags); + + /* not found */ + return -ENOMEM; +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index d135c906caff..8253b48a435b 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1557,19 +1557,22 @@ static bool hdmi_present_sense(struct hdmi_spec_per_pin *per_pin, int repoll) + } + } + +- if (pin_eld->eld_valid && !eld->eld_valid) { +- update_eld = true; ++ if (pin_eld->eld_valid != eld->eld_valid) + eld_changed = true; +- } ++ ++ if (pin_eld->eld_valid && !eld->eld_valid) ++ update_eld = true; ++ + if (update_eld) { + bool old_eld_valid = pin_eld->eld_valid; + pin_eld->eld_valid = eld->eld_valid; +- eld_changed = pin_eld->eld_size != eld->eld_size || ++ if (pin_eld->eld_size != eld->eld_size || + memcmp(pin_eld->eld_buffer, eld->eld_buffer, +- eld->eld_size) != 0; +- if (eld_changed) ++ eld->eld_size) != 0) { + memcpy(pin_eld->eld_buffer, eld->eld_buffer, + eld->eld_size); ++ eld_changed = true; ++ } + pin_eld->eld_size = eld->eld_size; + pin_eld->info = eld->info; + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 5d0058bd6259..4c826a40705c 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2926,6 +2926,9 @@ static void alc283_shutup(struct hda_codec *codec) + + alc_write_coef_idx(codec, 0x43, 0x9004); + ++ /*depop hp during suspend*/ ++ alc_write_coef_idx(codec, 0x06, 0x2100); ++ + snd_hda_codec_write(codec, hp_pin, 0, + AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE); + +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index 223c47b33ba3..c657752a420c 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -385,6 +385,36 @@ YAMAHA_DEVICE(0x105d, NULL), + } + }, + { ++ USB_DEVICE(0x0499, 0x1509), ++ .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { ++ /* .vendor_name = "Yamaha", */ ++ /* .product_name = "Steinberg UR22", */ ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_COMPOSITE, ++ .data = (const struct snd_usb_audio_quirk[]) { ++ { ++ .ifnum = 1, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ { ++ .ifnum = 2, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ { ++ .ifnum = 3, ++ .type = QUIRK_MIDI_YAMAHA ++ }, ++ { ++ .ifnum = 4, ++ .type = QUIRK_IGNORE_INTERFACE ++ }, ++ { ++ .ifnum = -1 ++ } ++ } ++ } ++}, ++{ + USB_DEVICE(0x0499, 0x150a), + .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { + /* .vendor_name = "Yamaha", */ +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 03a0381b1cb7..66112533b1e9 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -52,6 +52,7 @@ + + #include + #include ++#include + #include + #include + +@@ -95,8 +96,6 @@ static int hardware_enable_all(void); + static void hardware_disable_all(void); + + static void kvm_io_bus_destroy(struct kvm_io_bus 
*bus); +-static void update_memslots(struct kvm_memslots *slots, +- struct kvm_memory_slot *new, u64 last_generation); + + static void kvm_release_pfn_dirty(pfn_t pfn); + static void mark_page_dirty_in_slot(struct kvm *kvm, +@@ -682,8 +681,7 @@ static void sort_memslots(struct kvm_memslots *slots) + } + + static void update_memslots(struct kvm_memslots *slots, +- struct kvm_memory_slot *new, +- u64 last_generation) ++ struct kvm_memory_slot *new) + { + if (new) { + int id = new->id; +@@ -694,8 +692,6 @@ static void update_memslots(struct kvm_memslots *slots, + if (new->npages != npages) + sort_memslots(slots); + } +- +- slots->generation = last_generation + 1; + } + + static int check_memory_region_flags(struct kvm_userspace_memory_region *mem) +@@ -717,10 +713,24 @@ static struct kvm_memslots *install_new_memslots(struct kvm *kvm, + { + struct kvm_memslots *old_memslots = kvm->memslots; + +- update_memslots(slots, new, kvm->memslots->generation); ++ /* ++ * Set the low bit in the generation, which disables SPTE caching ++ * until the end of synchronize_srcu_expedited. ++ */ ++ WARN_ON(old_memslots->generation & 1); ++ slots->generation = old_memslots->generation + 1; ++ ++ update_memslots(slots, new); + rcu_assign_pointer(kvm->memslots, slots); + synchronize_srcu_expedited(&kvm->srcu); + ++ /* ++ * Increment the new memslot generation a second time. This prevents ++ * vm exits that race with memslot updates from caching a memslot ++ * generation that will (potentially) be valid forever. ++ */ ++ slots->generation++; ++ + kvm_arch_memslots_updated(kvm); + + return old_memslots; +@@ -1970,6 +1980,9 @@ static long kvm_vcpu_ioctl(struct file *filp, + if (vcpu->kvm->mm != current->mm) + return -EIO; + ++ if (unlikely(_IOC_TYPE(ioctl) != KVMIO)) ++ return -EINVAL; ++ + #if defined(CONFIG_S390) || defined(CONFIG_PPC) || defined(CONFIG_MIPS) + /* + * Special cases: vcpu ioctls that are asynchronous to vcpu execution, diff --git a/projects/imx6/patches/linux/linux-000-patch-3.14.23-24.patch b/projects/imx6/patches/linux/linux-000-patch-3.14.23-24.patch new file mode 100644 index 0000000000..0e862921c3 --- /dev/null +++ b/projects/imx6/patches/linux/linux-000-patch-3.14.23-24.patch @@ -0,0 +1,7091 @@ +diff --git a/Makefile b/Makefile +index 135a04a26076..8fd06101c482 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 23 ++SUBLEVEL = 24 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arc/boot/dts/nsimosci.dts b/arch/arc/boot/dts/nsimosci.dts +index 4f31b2eb5cdf..398064cef746 100644 +--- a/arch/arc/boot/dts/nsimosci.dts ++++ b/arch/arc/boot/dts/nsimosci.dts +@@ -20,7 +20,7 @@ + /* this is for console on PGU */ + /* bootargs = "console=tty0 consoleblank=0"; */ + /* this is for console on serial */ +- bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=ttyS0,115200n8 consoleblank=0 debug"; ++ bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=tty0 console=ttyS0,115200n8 consoleblank=0 debug"; + }; + + aliases { +diff --git a/arch/arc/include/asm/cache.h b/arch/arc/include/asm/cache.h +index 2fd3162ec4df..c1d3d2da1191 100644 +--- a/arch/arc/include/asm/cache.h ++++ b/arch/arc/include/asm/cache.h +@@ -55,4 +55,31 @@ extern void read_decode_cache_bcr(void); + + #endif /* !__ASSEMBLY__ */ + ++/* Instruction cache related Auxiliary registers */ ++#define ARC_REG_IC_BCR 0x77 /* Build Config reg */ ++#define ARC_REG_IC_IVIC 0x10 ++#define ARC_REG_IC_CTRL 0x11 ++#define ARC_REG_IC_IVIL 0x19 ++#if 
defined(CONFIG_ARC_MMU_V3) || defined (CONFIG_ARC_MMU_V4) ++#define ARC_REG_IC_PTAG 0x1E ++#endif ++ ++/* Bit val in IC_CTRL */ ++#define IC_CTRL_CACHE_DISABLE 0x1 ++ ++/* Data cache related Auxiliary registers */ ++#define ARC_REG_DC_BCR 0x72 /* Build Config reg */ ++#define ARC_REG_DC_IVDC 0x47 ++#define ARC_REG_DC_CTRL 0x48 ++#define ARC_REG_DC_IVDL 0x4A ++#define ARC_REG_DC_FLSH 0x4B ++#define ARC_REG_DC_FLDL 0x4C ++#if defined(CONFIG_ARC_MMU_V3) || defined (CONFIG_ARC_MMU_V4) ++#define ARC_REG_DC_PTAG 0x5C ++#endif ++ ++/* Bit val in DC_CTRL */ ++#define DC_CTRL_INV_MODE_FLUSH 0x40 ++#define DC_CTRL_FLUSH_STATUS 0x100 ++ + #endif /* _ASM_CACHE_H */ +diff --git a/arch/arc/include/asm/kgdb.h b/arch/arc/include/asm/kgdb.h +index b65fca7ffeb5..fea931634136 100644 +--- a/arch/arc/include/asm/kgdb.h ++++ b/arch/arc/include/asm/kgdb.h +@@ -19,7 +19,7 @@ + * register API yet */ + #undef DBG_MAX_REG_NUM + +-#define GDB_MAX_REGS 39 ++#define GDB_MAX_REGS 87 + + #define BREAK_INSTR_SIZE 2 + #define CACHE_FLUSH_IS_SAFE 1 +@@ -33,23 +33,27 @@ static inline void arch_kgdb_breakpoint(void) + + extern void kgdb_trap(struct pt_regs *regs); + +-enum arc700_linux_regnums { ++/* This is the numbering of registers according to the GDB. See GDB's ++ * arc-tdep.h for details. ++ * ++ * Registers are ordered for GDB 7.5. It is incompatible with GDB 6.8. */ ++enum arc_linux_regnums { + _R0 = 0, + _R1, _R2, _R3, _R4, _R5, _R6, _R7, _R8, _R9, _R10, _R11, _R12, _R13, + _R14, _R15, _R16, _R17, _R18, _R19, _R20, _R21, _R22, _R23, _R24, + _R25, _R26, +- _BTA = 27, +- _LP_START = 28, +- _LP_END = 29, +- _LP_COUNT = 30, +- _STATUS32 = 31, +- _BLINK = 32, +- _FP = 33, +- __SP = 34, +- _EFA = 35, +- _RET = 36, +- _ORIG_R8 = 37, +- _STOP_PC = 38 ++ _FP = 27, ++ __SP = 28, ++ _R30 = 30, ++ _BLINK = 31, ++ _LP_COUNT = 60, ++ _STOP_PC = 64, ++ _RET = 64, ++ _LP_START = 65, ++ _LP_END = 66, ++ _STATUS32 = 67, ++ _ECR = 76, ++ _BTA = 82, + }; + + #else +diff --git a/arch/arc/kernel/head.S b/arch/arc/kernel/head.S +index 991997269d02..07a58f2d3077 100644 +--- a/arch/arc/kernel/head.S ++++ b/arch/arc/kernel/head.S +@@ -12,10 +12,42 @@ + * to skip certain things during boot on simulator + */ + ++#include + #include + #include +-#include + #include ++#include ++ ++.macro CPU_EARLY_SETUP ++ ++ ; Setting up Vectror Table (in case exception happens in early boot ++ sr @_int_vec_base_lds, [AUX_INTR_VEC_BASE] ++ ++ ; Disable I-cache/D-cache if kernel so configured ++ lr r5, [ARC_REG_IC_BCR] ++ breq r5, 0, 1f ; I$ doesn't exist ++ lr r5, [ARC_REG_IC_CTRL] ++#ifdef CONFIG_ARC_HAS_ICACHE ++ bclr r5, r5, 0 ; 0 - Enable, 1 is Disable ++#else ++ bset r5, r5, 0 ; I$ exists, but is not used ++#endif ++ sr r5, [ARC_REG_IC_CTRL] ++ ++1: ++ lr r5, [ARC_REG_DC_BCR] ++ breq r5, 0, 1f ; D$ doesn't exist ++ lr r5, [ARC_REG_DC_CTRL] ++ bclr r5, r5, 6 ; Invalidate (discard w/o wback) ++#ifdef CONFIG_ARC_HAS_DCACHE ++ bclr r5, r5, 0 ; Enable (+Inv) ++#else ++ bset r5, r5, 0 ; Disable (+Inv) ++#endif ++ sr r5, [ARC_REG_DC_CTRL] ++ ++1: ++.endm + + .cpu A7 + +@@ -24,13 +56,13 @@ + .globl stext + stext: + ;------------------------------------------------------------------- +- ; Don't clobber r0-r4 yet. It might have bootloader provided info ++ ; Don't clobber r0-r2 yet. It might have bootloader provided info + ;------------------------------------------------------------------- + +- sr @_int_vec_base_lds, [AUX_INTR_VEC_BASE] ++ CPU_EARLY_SETUP + + #ifdef CONFIG_SMP +- ; Only Boot (Master) proceeds. 
Others wait in platform dependent way ++ ; Ensure Boot (Master) proceeds. Others wait in platform dependent way + ; IDENTITY Reg [ 3 2 1 0 ] + ; (cpu-id) ^^^ => Zero for UP ARC700 + ; => #Core-ID if SMP (Master 0) +@@ -39,7 +71,8 @@ stext: + ; need to make sure only boot cpu takes this path. + GET_CPU_ID r5 + cmp r5, 0 +- jnz arc_platform_smp_wait_to_boot ++ mov.ne r0, r5 ++ jne arc_platform_smp_wait_to_boot + #endif + ; Clear BSS before updating any globals + ; XXX: use ZOL here +@@ -89,7 +122,7 @@ stext: + + first_lines_of_secondary: + +- sr @_int_vec_base_lds, [AUX_INTR_VEC_BASE] ++ CPU_EARLY_SETUP + + ; setup per-cpu idle task as "current" on this CPU + ld r0, [@secondary_idle_tsk] +diff --git a/arch/arc/mm/cache_arc700.c b/arch/arc/mm/cache_arc700.c +index 400c663b21c2..1f676c4794e0 100644 +--- a/arch/arc/mm/cache_arc700.c ++++ b/arch/arc/mm/cache_arc700.c +@@ -73,37 +73,9 @@ + #include + #include + +-/* Instruction cache related Auxiliary registers */ +-#define ARC_REG_IC_BCR 0x77 /* Build Config reg */ +-#define ARC_REG_IC_IVIC 0x10 +-#define ARC_REG_IC_CTRL 0x11 +-#define ARC_REG_IC_IVIL 0x19 +-#if (CONFIG_ARC_MMU_VER > 2) +-#define ARC_REG_IC_PTAG 0x1E +-#endif +- +-/* Bit val in IC_CTRL */ +-#define IC_CTRL_CACHE_DISABLE 0x1 +- +-/* Data cache related Auxiliary registers */ +-#define ARC_REG_DC_BCR 0x72 /* Build Config reg */ +-#define ARC_REG_DC_IVDC 0x47 +-#define ARC_REG_DC_CTRL 0x48 +-#define ARC_REG_DC_IVDL 0x4A +-#define ARC_REG_DC_FLSH 0x4B +-#define ARC_REG_DC_FLDL 0x4C +-#if (CONFIG_ARC_MMU_VER > 2) +-#define ARC_REG_DC_PTAG 0x5C +-#endif +- +-/* Bit val in DC_CTRL */ +-#define DC_CTRL_INV_MODE_FLUSH 0x40 +-#define DC_CTRL_FLUSH_STATUS 0x100 +- +-char *arc_cache_mumbojumbo(int cpu_id, char *buf, int len) ++char *arc_cache_mumbojumbo(int c, char *buf, int len) + { + int n = 0; +- unsigned int c = smp_processor_id(); + + #define PR_CACHE(p, enb, str) \ + { \ +@@ -169,72 +141,43 @@ void read_decode_cache_bcr(void) + */ + void arc_cache_init(void) + { +- unsigned int cpu = smp_processor_id(); +- struct cpuinfo_arc_cache *ic = &cpuinfo_arc700[cpu].icache; +- struct cpuinfo_arc_cache *dc = &cpuinfo_arc700[cpu].dcache; +- unsigned int dcache_does_alias, temp; ++ unsigned int __maybe_unused cpu = smp_processor_id(); ++ struct cpuinfo_arc_cache __maybe_unused *ic, __maybe_unused *dc; + char str[256]; + + printk(arc_cache_mumbojumbo(0, str, sizeof(str))); + +- if (!ic->ver) +- goto chk_dc; +- +-#ifdef CONFIG_ARC_HAS_ICACHE +- /* 1. 
Confirm some of I-cache params which Linux assumes */ +- if (ic->line_len != L1_CACHE_BYTES) +- panic("Cache H/W doesn't match kernel Config"); +- +- if (ic->ver != CONFIG_ARC_MMU_VER) +- panic("Cache ver doesn't match MMU ver\n"); +-#endif +- +- /* Enable/disable I-Cache */ +- temp = read_aux_reg(ARC_REG_IC_CTRL); +- + #ifdef CONFIG_ARC_HAS_ICACHE +- temp &= ~IC_CTRL_CACHE_DISABLE; +-#else +- temp |= IC_CTRL_CACHE_DISABLE; ++ ic = &cpuinfo_arc700[cpu].icache; ++ if (ic->ver) { ++ if (ic->line_len != L1_CACHE_BYTES) ++ panic("ICache line [%d] != kernel Config [%d]", ++ ic->line_len, L1_CACHE_BYTES); ++ ++ if (ic->ver != CONFIG_ARC_MMU_VER) ++ panic("Cache ver [%d] doesn't match MMU ver [%d]\n", ++ ic->ver, CONFIG_ARC_MMU_VER); ++ } + #endif + +- write_aux_reg(ARC_REG_IC_CTRL, temp); +- +-chk_dc: +- if (!dc->ver) +- return; +- + #ifdef CONFIG_ARC_HAS_DCACHE +- if (dc->line_len != L1_CACHE_BYTES) +- panic("Cache H/W doesn't match kernel Config"); ++ dc = &cpuinfo_arc700[cpu].dcache; ++ if (dc->ver) { ++ unsigned int dcache_does_alias; + +- /* check for D-Cache aliasing */ +- dcache_does_alias = (dc->sz / dc->assoc) > PAGE_SIZE; ++ if (dc->line_len != L1_CACHE_BYTES) ++ panic("DCache line [%d] != kernel Config [%d]", ++ dc->line_len, L1_CACHE_BYTES); + +- if (dcache_does_alias && !cache_is_vipt_aliasing()) +- panic("Enable CONFIG_ARC_CACHE_VIPT_ALIASING\n"); +- else if (!dcache_does_alias && cache_is_vipt_aliasing()) +- panic("Don't need CONFIG_ARC_CACHE_VIPT_ALIASING\n"); +-#endif +- +- /* Set the default Invalidate Mode to "simpy discard dirty lines" +- * as this is more frequent then flush before invalidate +- * Ofcourse we toggle this default behviour when desired +- */ +- temp = read_aux_reg(ARC_REG_DC_CTRL); +- temp &= ~DC_CTRL_INV_MODE_FLUSH; ++ /* check for D-Cache aliasing */ ++ dcache_does_alias = (dc->sz / dc->assoc) > PAGE_SIZE; + +-#ifdef CONFIG_ARC_HAS_DCACHE +- /* Enable D-Cache: Clear Bit 0 */ +- write_aux_reg(ARC_REG_DC_CTRL, temp & ~IC_CTRL_CACHE_DISABLE); +-#else +- /* Flush D cache */ +- write_aux_reg(ARC_REG_DC_FLSH, 0x1); +- /* Disable D cache */ +- write_aux_reg(ARC_REG_DC_CTRL, temp | IC_CTRL_CACHE_DISABLE); ++ if (dcache_does_alias && !cache_is_vipt_aliasing()) ++ panic("Enable CONFIG_ARC_CACHE_VIPT_ALIASING\n"); ++ else if (!dcache_does_alias && cache_is_vipt_aliasing()) ++ panic("Don't need CONFIG_ARC_CACHE_VIPT_ALIASING\n"); ++ } + #endif +- +- return; + } + + #define OP_INV 0x1 +@@ -254,12 +197,16 @@ static inline void __cache_line_loop(unsigned long paddr, unsigned long vaddr, + + if (cacheop == OP_INV_IC) { + aux_cmd = ARC_REG_IC_IVIL; ++#if (CONFIG_ARC_MMU_VER > 2) + aux_tag = ARC_REG_IC_PTAG; ++#endif + } + else { + /* d$ cmd: INV (discard or wback-n-discard) OR FLUSH (wback) */ + aux_cmd = cacheop & OP_INV ? 
ARC_REG_DC_IVDL : ARC_REG_DC_FLDL; ++#if (CONFIG_ARC_MMU_VER > 2) + aux_tag = ARC_REG_DC_PTAG; ++#endif + } + + /* Ensure we properly floor/ceil the non-line aligned/sized requests +diff --git a/arch/mips/include/asm/ftrace.h b/arch/mips/include/asm/ftrace.h +index 992aaba603b5..b463f2aa5a61 100644 +--- a/arch/mips/include/asm/ftrace.h ++++ b/arch/mips/include/asm/ftrace.h +@@ -24,7 +24,7 @@ do { \ + asm volatile ( \ + "1: " load " %[tmp_dst], 0(%[tmp_src])\n" \ + " li %[tmp_err], 0\n" \ +- "2:\n" \ ++ "2: .insn\n" \ + \ + ".section .fixup, \"ax\"\n" \ + "3: li %[tmp_err], 1\n" \ +@@ -46,7 +46,7 @@ do { \ + asm volatile ( \ + "1: " store " %[tmp_src], 0(%[tmp_dst])\n"\ + " li %[tmp_err], 0\n" \ +- "2:\n" \ ++ "2: .insn\n" \ + \ + ".section .fixup, \"ax\"\n" \ + "3: li %[tmp_err], 1\n" \ +diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c +index 65d452aa1fda..dd012c599ad1 100644 +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -1057,6 +1057,7 @@ static void build_update_entries(u32 **p, unsigned int tmp, unsigned int ptep) + struct mips_huge_tlb_info { + int huge_pte; + int restore_scratch; ++ bool need_reload_pte; + }; + + static struct mips_huge_tlb_info +@@ -1071,6 +1072,7 @@ build_fast_tlb_refill_handler (u32 **p, struct uasm_label **l, + + rv.huge_pte = scratch; + rv.restore_scratch = 0; ++ rv.need_reload_pte = false; + + if (check_for_high_segbits) { + UASM_i_MFC0(p, tmp, C0_BADVADDR); +@@ -1259,6 +1261,7 @@ static void build_r4000_tlb_refill_handler(void) + } else { + htlb_info.huge_pte = K0; + htlb_info.restore_scratch = 0; ++ htlb_info.need_reload_pte = true; + vmalloc_mode = refill_noscratch; + /* + * create the plain linear handler +@@ -1295,7 +1298,8 @@ static void build_r4000_tlb_refill_handler(void) + } + #ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT + uasm_l_tlb_huge_update(&l, p); +- UASM_i_LW(&p, K0, 0, K1); ++ if (htlb_info.need_reload_pte) ++ UASM_i_LW(&p, htlb_info.huge_pte, 0, K1); + build_huge_update_entries(&p, htlb_info.huge_pte, K1); + build_huge_tlb_write_entry(&p, &l, &r, K0, tlb_random, + htlb_info.restore_scratch); +diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c +index a8fe5aa3d34f..3b46eed1dcf6 100644 +--- a/arch/powerpc/platforms/pseries/dlpar.c ++++ b/arch/powerpc/platforms/pseries/dlpar.c +@@ -380,7 +380,7 @@ static int dlpar_online_cpu(struct device_node *dn) + BUG_ON(get_cpu_current_state(cpu) + != CPU_STATE_OFFLINE); + cpu_maps_update_done(); +- rc = cpu_up(cpu); ++ rc = device_online(get_cpu_device(cpu)); + if (rc) + goto out; + cpu_maps_update_begin(); +@@ -463,7 +463,7 @@ static int dlpar_offline_cpu(struct device_node *dn) + if (get_cpu_current_state(cpu) == CPU_STATE_ONLINE) { + set_preferred_offline_state(cpu, CPU_STATE_OFFLINE); + cpu_maps_update_done(); +- rc = cpu_down(cpu); ++ rc = device_offline(get_cpu_device(cpu)); + if (rc) + goto out; + cpu_maps_update_begin(); +diff --git a/arch/sh/kernel/cpu/sh3/setup-sh770x.c b/arch/sh/kernel/cpu/sh3/setup-sh770x.c +index ff1465c0519c..5acf89c1afc5 100644 +--- a/arch/sh/kernel/cpu/sh3/setup-sh770x.c ++++ b/arch/sh/kernel/cpu/sh3/setup-sh770x.c +@@ -118,7 +118,7 @@ static struct plat_sci_port scif0_platform_data = { + }; + + static struct resource scif0_resources[] = { +- DEFINE_RES_MEM(0xfffffe80, 0x100), ++ DEFINE_RES_MEM(0xfffffe80, 0x10), + DEFINE_RES_IRQ(evt2irq(0x4e0)), + }; + +@@ -143,7 +143,7 @@ static struct plat_sci_port scif1_platform_data = { + }; + + static struct resource scif1_resources[] = { +- DEFINE_RES_MEM(0xa4000150, 0x100), ++ 
DEFINE_RES_MEM(0xa4000150, 0x10), + DEFINE_RES_IRQ(evt2irq(0x900)), + }; + +@@ -169,7 +169,7 @@ static struct plat_sci_port scif2_platform_data = { + }; + + static struct resource scif2_resources[] = { +- DEFINE_RES_MEM(0xa4000140, 0x100), ++ DEFINE_RES_MEM(0xa4000140, 0x10), + DEFINE_RES_IRQ(evt2irq(0x880)), + }; + +diff --git a/arch/um/drivers/ubd_kern.c b/arch/um/drivers/ubd_kern.c +index 3716e6952554..e8ab93c3e638 100644 +--- a/arch/um/drivers/ubd_kern.c ++++ b/arch/um/drivers/ubd_kern.c +@@ -1277,7 +1277,7 @@ static void do_ubd_request(struct request_queue *q) + + while(1){ + struct ubd *dev = q->queuedata; +- if(dev->end_sg == 0){ ++ if(dev->request == NULL){ + struct request *req = blk_fetch_request(q); + if(req == NULL) + return; +@@ -1299,7 +1299,8 @@ static void do_ubd_request(struct request_queue *q) + return; + } + prepare_flush_request(req, io_req); +- submit_request(io_req, dev); ++ if (submit_request(io_req, dev) == false) ++ return; + } + + while(dev->start_sg < dev->end_sg){ +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index e4098912fef2..98aa930230ec 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -2436,12 +2436,9 @@ config X86_DMA_REMAP + depends on STA2X11 + + config IOSF_MBI +- bool ++ tristate ++ default m + depends on PCI +- ---help--- +- To be selected by modules requiring access to the Intel OnChip System +- Fabric (IOSF) Sideband MailBox Interface (MBI). For MBI platforms +- enumerable by PCI. + + source "net/Kconfig" + +diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S +index 4299eb05023c..92a2e9333620 100644 +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -151,6 +151,16 @@ ENTRY(ia32_sysenter_target) + 1: movl (%rbp),%ebp + _ASM_EXTABLE(1b,ia32_badarg) + ASM_CLAC ++ ++ /* ++ * Sysenter doesn't filter flags, so we need to clear NT ++ * ourselves. To save a few cycles, we can check whether ++ * NT was set instead of doing an unconditional popfq. 
++ */ ++ testl $X86_EFLAGS_NT,EFLAGS-ARGOFFSET(%rsp) ++ jnz sysenter_fix_flags ++sysenter_flags_fixed: ++ + orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) + CFI_REMEMBER_STATE +@@ -184,6 +194,8 @@ sysexit_from_sys_call: + TRACE_IRQS_ON + ENABLE_INTERRUPTS_SYSEXIT32 + ++ CFI_RESTORE_STATE ++ + #ifdef CONFIG_AUDITSYSCALL + .macro auditsys_entry_common + movl %esi,%r9d /* 6th arg: 4th syscall arg */ +@@ -226,7 +238,6 @@ sysexit_from_sys_call: + .endm + + sysenter_auditsys: +- CFI_RESTORE_STATE + auditsys_entry_common + movl %ebp,%r9d /* reload 6th syscall arg */ + jmp sysenter_dispatch +@@ -235,6 +246,11 @@ sysexit_audit: + auditsys_exit sysexit_from_sys_call + #endif + ++sysenter_fix_flags: ++ pushq_cfi $(X86_EFLAGS_IF|X86_EFLAGS_FIXED) ++ popfq_cfi ++ jmp sysenter_flags_fixed ++ + sysenter_tracesys: + #ifdef CONFIG_AUDITSYSCALL + testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) +diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h +index 9c999c1674fa..01f15b227d7e 100644 +--- a/arch/x86/include/asm/elf.h ++++ b/arch/x86/include/asm/elf.h +@@ -155,8 +155,9 @@ do { \ + #define elf_check_arch(x) \ + ((x)->e_machine == EM_X86_64) + +-#define compat_elf_check_arch(x) \ +- (elf_check_arch_ia32(x) || (x)->e_machine == EM_X86_64) ++#define compat_elf_check_arch(x) \ ++ (elf_check_arch_ia32(x) || \ ++ (IS_ENABLED(CONFIG_X86_X32_ABI) && (x)->e_machine == EM_X86_64)) + + #if __USER32_DS != __USER_DS + # error "The following code assumes __USER32_DS == __USER_DS" +diff --git a/arch/x86/include/asm/iosf_mbi.h b/arch/x86/include/asm/iosf_mbi.h +index 8e71c7941767..57995f0596a6 100644 +--- a/arch/x86/include/asm/iosf_mbi.h ++++ b/arch/x86/include/asm/iosf_mbi.h +@@ -50,6 +50,32 @@ + #define BT_MBI_PCIE_READ 0x00 + #define BT_MBI_PCIE_WRITE 0x01 + ++/* Quark available units */ ++#define QRK_MBI_UNIT_HBA 0x00 ++#define QRK_MBI_UNIT_HB 0x03 ++#define QRK_MBI_UNIT_RMU 0x04 ++#define QRK_MBI_UNIT_MM 0x05 ++#define QRK_MBI_UNIT_MMESRAM 0x05 ++#define QRK_MBI_UNIT_SOC 0x31 ++ ++/* Quark read/write opcodes */ ++#define QRK_MBI_HBA_READ 0x10 ++#define QRK_MBI_HBA_WRITE 0x11 ++#define QRK_MBI_HB_READ 0x10 ++#define QRK_MBI_HB_WRITE 0x11 ++#define QRK_MBI_RMU_READ 0x10 ++#define QRK_MBI_RMU_WRITE 0x11 ++#define QRK_MBI_MM_READ 0x10 ++#define QRK_MBI_MM_WRITE 0x11 ++#define QRK_MBI_MMESRAM_READ 0x12 ++#define QRK_MBI_MMESRAM_WRITE 0x13 ++#define QRK_MBI_SOC_READ 0x06 ++#define QRK_MBI_SOC_WRITE 0x07 ++ ++#if IS_ENABLED(CONFIG_IOSF_MBI) ++ ++bool iosf_mbi_available(void); ++ + /** + * iosf_mbi_read() - MailBox Interface read command + * @port: port indicating subunit being accessed +@@ -87,4 +113,33 @@ int iosf_mbi_write(u8 port, u8 opcode, u32 offset, u32 mdr); + */ + int iosf_mbi_modify(u8 port, u8 opcode, u32 offset, u32 mdr, u32 mask); + ++#else /* CONFIG_IOSF_MBI is not enabled */ ++static inline ++bool iosf_mbi_available(void) ++{ ++ return false; ++} ++ ++static inline ++int iosf_mbi_read(u8 port, u8 opcode, u32 offset, u32 *mdr) ++{ ++ WARN(1, "IOSF_MBI driver not available"); ++ return -EPERM; ++} ++ ++static inline ++int iosf_mbi_write(u8 port, u8 opcode, u32 offset, u32 mdr) ++{ ++ WARN(1, "IOSF_MBI driver not available"); ++ return -EPERM; ++} ++ ++static inline ++int iosf_mbi_modify(u8 port, u8 opcode, u32 offset, u32 mdr, u32 mask) ++{ ++ WARN(1, "IOSF_MBI driver not available"); ++ return -EPERM; ++} ++#endif /* CONFIG_IOSF_MBI */ ++ + #endif /* 
IOSF_MBI_SYMS_H */ +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index ac63ea4af5b0..e9dc02968cf8 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -984,6 +984,20 @@ static inline void kvm_inject_gp(struct kvm_vcpu *vcpu, u32 error_code) + kvm_queue_exception_e(vcpu, GP_VECTOR, error_code); + } + ++static inline u64 get_canonical(u64 la) ++{ ++ return ((int64_t)la << 16) >> 16; ++} ++ ++static inline bool is_noncanonical_address(u64 la) ++{ ++#ifdef CONFIG_X86_64 ++ return get_canonical(la) != la; ++#else ++ return false; ++#endif ++} ++ + #define TSS_IOPB_BASE_OFFSET 0x66 + #define TSS_BASE_SIZE 0x68 + #define TSS_IOPB_SIZE (65536 / 8) +@@ -1042,7 +1056,7 @@ int kvm_cpu_get_interrupt(struct kvm_vcpu *v); + void kvm_vcpu_reset(struct kvm_vcpu *vcpu); + + void kvm_define_shared_msr(unsigned index, u32 msr); +-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask); ++int kvm_set_shared_msr(unsigned index, u64 val, u64 mask); + + bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip); + +diff --git a/arch/x86/include/uapi/asm/vmx.h b/arch/x86/include/uapi/asm/vmx.h +index 0e79420376eb..990a2fe1588d 100644 +--- a/arch/x86/include/uapi/asm/vmx.h ++++ b/arch/x86/include/uapi/asm/vmx.h +@@ -67,6 +67,7 @@ + #define EXIT_REASON_EPT_MISCONFIG 49 + #define EXIT_REASON_INVEPT 50 + #define EXIT_REASON_PREEMPTION_TIMER 52 ++#define EXIT_REASON_INVVPID 53 + #define EXIT_REASON_WBINVD 54 + #define EXIT_REASON_XSETBV 55 + #define EXIT_REASON_APIC_WRITE 56 +@@ -114,6 +115,7 @@ + { EXIT_REASON_EOI_INDUCED, "EOI_INDUCED" }, \ + { EXIT_REASON_INVALID_STATE, "INVALID_STATE" }, \ + { EXIT_REASON_INVD, "INVD" }, \ ++ { EXIT_REASON_INVVPID, "INVVPID" }, \ + { EXIT_REASON_INVPCID, "INVPCID" } + + #endif /* _UAPIVMX_H */ +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index 7f26c9a70a9e..523f147b2470 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1290,7 +1290,7 @@ void setup_local_APIC(void) + unsigned int value, queued; + int i, j, acked = 0; + unsigned long long tsc = 0, ntsc; +- long long max_loops = cpu_khz; ++ long long max_loops = cpu_khz ? 
cpu_khz : 1000000; + + if (cpu_has_tsc) + rdtscll(tsc); +@@ -1387,7 +1387,7 @@ void setup_local_APIC(void) + break; + } + if (queued) { +- if (cpu_has_tsc) { ++ if (cpu_has_tsc && cpu_khz) { + rdtscll(ntsc); + max_loops = (cpu_khz << 10) - (ntsc - tsc); + } else +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 8e28bf2fc3ef..3f27f5fd0847 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1141,7 +1141,7 @@ void syscall_init(void) + /* Flags to clear on syscall */ + wrmsrl(MSR_SYSCALL_MASK, + X86_EFLAGS_TF|X86_EFLAGS_DF|X86_EFLAGS_IF| +- X86_EFLAGS_IOPL|X86_EFLAGS_AC); ++ X86_EFLAGS_IOPL|X86_EFLAGS_AC|X86_EFLAGS_NT); + } + + /* +diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c +index c1a07d33e67e..66746a880dec 100644 +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -383,6 +383,13 @@ static void init_intel(struct cpuinfo_x86 *c) + detect_extended_topology(c); + + l2 = init_intel_cacheinfo(c); ++ ++ /* Detect legacy cache sizes if init_intel_cacheinfo did not */ ++ if (l2 == 0) { ++ cpu_detect_cache_sizes(c); ++ l2 = c->x86_cache_size; ++ } ++ + if (c->cpuid_level > 9) { + unsigned eax = cpuid_eax(10); + /* Check for version and the number of counters */ +@@ -497,6 +504,13 @@ static unsigned int intel_size_cache(struct cpuinfo_x86 *c, unsigned int size) + */ + if ((c->x86 == 6) && (c->x86_model == 11) && (size == 0)) + size = 256; ++ ++ /* ++ * Intel Quark SoC X1000 contains a 4-way set associative ++ * 16K cache with a 16 byte cache line and 256 lines per tag ++ */ ++ if ((c->x86 == 5) && (c->x86_model == 9)) ++ size = 16; + return size; + } + #endif +@@ -724,7 +738,8 @@ static const struct cpu_dev intel_cpu_dev = { + [3] = "OverDrive PODP5V83", + [4] = "Pentium MMX", + [7] = "Mobile Pentium 75 - 200", +- [8] = "Mobile Pentium MMX" ++ [8] = "Mobile Pentium MMX", ++ [9] = "Quark SoC X1000", + } + }, + { .family = 6, .model_names = +diff --git a/arch/x86/kernel/iosf_mbi.c b/arch/x86/kernel/iosf_mbi.c +index c3aae6672843..2e97b3cfa6c7 100644 +--- a/arch/x86/kernel/iosf_mbi.c ++++ b/arch/x86/kernel/iosf_mbi.c +@@ -25,6 +25,10 @@ + + #include + ++#define PCI_DEVICE_ID_BAYTRAIL 0x0F00 ++#define PCI_DEVICE_ID_BRASWELL 0x2280 ++#define PCI_DEVICE_ID_QUARK_X1000 0x0958 ++ + static DEFINE_SPINLOCK(iosf_mbi_lock); + + static inline u32 iosf_mbi_form_mcr(u8 op, u8 port, u8 offset) +@@ -177,6 +181,13 @@ int iosf_mbi_modify(u8 port, u8 opcode, u32 offset, u32 mdr, u32 mask) + } + EXPORT_SYMBOL(iosf_mbi_modify); + ++bool iosf_mbi_available(void) ++{ ++ /* Mbi isn't hot-pluggable. No remove routine is provided */ ++ return mbi_pdev; ++} ++EXPORT_SYMBOL(iosf_mbi_available); ++ + static int iosf_mbi_probe(struct pci_dev *pdev, + const struct pci_device_id *unused) + { +@@ -193,7 +204,9 @@ static int iosf_mbi_probe(struct pci_dev *pdev, + } + + static DEFINE_PCI_DEVICE_TABLE(iosf_mbi_pci_ids) = { +- { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x0F00) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_BAYTRAIL) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_BRASWELL) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_QUARK_X1000) }, + { 0, }, + }; + MODULE_DEVICE_TABLE(pci, iosf_mbi_pci_ids); +diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c +index 9e5de6813e1f..b88fc86309bc 100644 +--- a/arch/x86/kernel/signal.c ++++ b/arch/x86/kernel/signal.c +@@ -673,6 +673,11 @@ handle_signal(struct ksignal *ksig, struct pt_regs *regs) + * handler too. 
+ */ + regs->flags &= ~(X86_EFLAGS_DF|X86_EFLAGS_RF|X86_EFLAGS_TF); ++ /* ++ * Ensure the signal handler starts with the new fpu state. ++ */ ++ if (used_math()) ++ drop_init_fpu(current); + } + signal_setup_done(failed, ksig, test_thread_flag(TIF_SINGLESTEP)); + } +diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c +index e0d1d7a8354e..de0290605903 100644 +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -1173,14 +1173,17 @@ void __init tsc_init(void) + + x86_init.timers.tsc_pre_init(); + +- if (!cpu_has_tsc) ++ if (!cpu_has_tsc) { ++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER); + return; ++ } + + tsc_khz = x86_platform.calibrate_tsc(); + cpu_khz = tsc_khz; + + if (!tsc_khz) { + mark_tsc_unstable("could not calculate TSC khz"); ++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER); + return; + } + +diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c +index a4b451c6addf..dd50e26c58f6 100644 +--- a/arch/x86/kernel/xsave.c ++++ b/arch/x86/kernel/xsave.c +@@ -268,8 +268,6 @@ int save_xstate_sig(void __user *buf, void __user *buf_fx, int size) + if (use_fxsr() && save_xstate_epilog(buf_fx, ia32_fxstate)) + return -1; + +- drop_init_fpu(tsk); /* trigger finit */ +- + return 0; + } + +@@ -399,8 +397,11 @@ int __restore_xstate_sig(void __user *buf, void __user *buf_fx, int size) + set_used_math(); + } + +- if (use_eager_fpu()) ++ if (use_eager_fpu()) { ++ preempt_disable(); + math_state_restore(); ++ preempt_enable(); ++ } + + return err; + } else { +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 7bff3e2a7a11..38d3751472e4 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -498,11 +498,6 @@ static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc) + masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc); + } + +-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) +-{ +- register_address_increment(ctxt, &ctxt->_eip, rel); +-} +- + static u32 desc_limit_scaled(struct desc_struct *desc) + { + u32 limit = get_desc_limit(desc); +@@ -576,6 +571,38 @@ static int emulate_nm(struct x86_emulate_ctxt *ctxt) + return emulate_exception(ctxt, NM_VECTOR, 0, false); + } + ++static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst, ++ int cs_l) ++{ ++ switch (ctxt->op_bytes) { ++ case 2: ++ ctxt->_eip = (u16)dst; ++ break; ++ case 4: ++ ctxt->_eip = (u32)dst; ++ break; ++ case 8: ++ if ((cs_l && is_noncanonical_address(dst)) || ++ (!cs_l && (dst & ~(u32)-1))) ++ return emulate_gp(ctxt, 0); ++ ctxt->_eip = dst; ++ break; ++ default: ++ WARN(1, "unsupported eip assignment size\n"); ++ } ++ return X86EMUL_CONTINUE; ++} ++ ++static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst) ++{ ++ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64); ++} ++ ++static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) ++{ ++ return assign_eip_near(ctxt, ctxt->_eip + rel); ++} ++ + static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg) + { + u16 selector; +@@ -1958,13 +1985,15 @@ static int em_grp45(struct x86_emulate_ctxt *ctxt) + case 2: /* call near abs */ { + long int old_eip; + old_eip = ctxt->_eip; +- ctxt->_eip = ctxt->src.val; ++ rc = assign_eip_near(ctxt, ctxt->src.val); ++ if (rc != X86EMUL_CONTINUE) ++ break; + ctxt->src.val = old_eip; + rc = em_push(ctxt); + break; + } + case 4: /* jmp abs */ +- ctxt->_eip = ctxt->src.val; ++ rc = assign_eip_near(ctxt, ctxt->src.val); + break; + case 5: /* jmp far */ + rc = 
em_jmp_far(ctxt); +@@ -1996,10 +2025,14 @@ static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt) + + static int em_ret(struct x86_emulate_ctxt *ctxt) + { +- ctxt->dst.type = OP_REG; +- ctxt->dst.addr.reg = &ctxt->_eip; +- ctxt->dst.bytes = ctxt->op_bytes; +- return em_pop(ctxt); ++ int rc; ++ unsigned long eip; ++ ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; ++ ++ return assign_eip_near(ctxt, eip); + } + + static int em_ret_far(struct x86_emulate_ctxt *ctxt) +@@ -2277,7 +2310,7 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) + { + const struct x86_emulate_ops *ops = ctxt->ops; + struct desc_struct cs, ss; +- u64 msr_data; ++ u64 msr_data, rcx, rdx; + int usermode; + u16 cs_sel = 0, ss_sel = 0; + +@@ -2293,6 +2326,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) + else + usermode = X86EMUL_MODE_PROT32; + ++ rcx = reg_read(ctxt, VCPU_REGS_RCX); ++ rdx = reg_read(ctxt, VCPU_REGS_RDX); ++ + cs.dpl = 3; + ss.dpl = 3; + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); +@@ -2310,6 +2346,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) + ss_sel = cs_sel + 8; + cs.d = 0; + cs.l = 1; ++ if (is_noncanonical_address(rcx) || ++ is_noncanonical_address(rdx)) ++ return emulate_gp(ctxt, 0); + break; + } + cs_sel |= SELECTOR_RPL_MASK; +@@ -2318,8 +2357,8 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) + ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS); + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); + +- ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX); +- *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX); ++ ctxt->_eip = rdx; ++ *reg_write(ctxt, VCPU_REGS_RSP) = rcx; + + return X86EMUL_CONTINUE; + } +@@ -2858,10 +2897,13 @@ static int em_aad(struct x86_emulate_ctxt *ctxt) + + static int em_call(struct x86_emulate_ctxt *ctxt) + { ++ int rc; + long rel = ctxt->src.val; + + ctxt->src.val = (unsigned long)ctxt->_eip; +- jmp_rel(ctxt, rel); ++ rc = jmp_rel(ctxt, rel); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; + return em_push(ctxt); + } + +@@ -2893,11 +2935,12 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt) + static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt) + { + int rc; ++ unsigned long eip; + +- ctxt->dst.type = OP_REG; +- ctxt->dst.addr.reg = &ctxt->_eip; +- ctxt->dst.bytes = ctxt->op_bytes; +- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes); ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; ++ rc = assign_eip_near(ctxt, eip); + if (rc != X86EMUL_CONTINUE) + return rc; + rsp_increment(ctxt, ctxt->src.val); +@@ -3227,20 +3270,24 @@ static int em_lmsw(struct x86_emulate_ctxt *ctxt) + + static int em_loop(struct x86_emulate_ctxt *ctxt) + { ++ int rc = X86EMUL_CONTINUE; ++ + register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1); + if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) && + (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags))) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + +- return X86EMUL_CONTINUE; ++ return rc; + } + + static int em_jcxz(struct x86_emulate_ctxt *ctxt) + { ++ int rc = X86EMUL_CONTINUE; ++ + if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + +- return X86EMUL_CONTINUE; ++ return rc; + } + + static int em_in(struct x86_emulate_ctxt *ctxt) +@@ -4637,7 +4684,7 @@ special_insn: + break; + case 0x70 ... 
0x7f: /* jcc (short) */ + if (test_cc(ctxt->b, ctxt->eflags)) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + break; + case 0x8d: /* lea r16/r32, m */ + ctxt->dst.val = ctxt->src.addr.mem.ea; +@@ -4666,7 +4713,7 @@ special_insn: + break; + case 0xe9: /* jmp rel */ + case 0xeb: /* jmp rel short */ +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + ctxt->dst.type = OP_NONE; /* Disable writeback. */ + break; + case 0xf4: /* hlt */ +@@ -4786,7 +4833,7 @@ twobyte_insn: + break; + case 0x80 ... 0x8f: /* jnz rel, etc*/ + if (test_cc(ctxt->b, ctxt->eflags)) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + break; + case 0x90 ... 0x9f: /* setcc r/m8 */ + ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags); +diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c +index 518d86471b76..298781d4cfb4 100644 +--- a/arch/x86/kvm/i8254.c ++++ b/arch/x86/kvm/i8254.c +@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu) + return; + + timer = &pit->pit_state.timer; ++ mutex_lock(&pit->pit_state.lock); + if (hrtimer_cancel(timer)) + hrtimer_start_expires(timer, HRTIMER_MODE_ABS); ++ mutex_unlock(&pit->pit_state.lock); + } + + static void destroy_pit_timer(struct kvm_pit *pit) +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 2de1bc09a8d4..9643eda60a52 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3213,7 +3213,7 @@ static int wrmsr_interception(struct vcpu_svm *svm) + msr.host_initiated = false; + + svm->next_rip = kvm_rip_read(&svm->vcpu) + 2; +- if (svm_set_msr(&svm->vcpu, &msr)) { ++ if (kvm_set_msr(&svm->vcpu, &msr)) { + trace_kvm_msr_write_ex(ecx, data); + kvm_inject_gp(&svm->vcpu, 0); + } else { +@@ -3495,9 +3495,9 @@ static int handle_exit(struct kvm_vcpu *vcpu) + + if (exit_code >= ARRAY_SIZE(svm_exit_handlers) + || !svm_exit_handlers[exit_code]) { +- kvm_run->exit_reason = KVM_EXIT_UNKNOWN; +- kvm_run->hw.hardware_exit_reason = exit_code; +- return 0; ++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_code); ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; + } + + return svm_exit_handlers[exit_code](svm); +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 392752834751..0c90f4b3f835 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2582,12 +2582,15 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + default: + msr = find_msr_entry(vmx, msr_index); + if (msr) { ++ u64 old_msr_data = msr->data; + msr->data = data; + if (msr - vmx->guest_msrs < vmx->save_nmsrs) { + preempt_disable(); +- kvm_set_shared_msr(msr->index, msr->data, +- msr->mask); ++ ret = kvm_set_shared_msr(msr->index, msr->data, ++ msr->mask); + preempt_enable(); ++ if (ret) ++ msr->data = old_msr_data; + } + break; + } +@@ -5169,7 +5172,7 @@ static int handle_wrmsr(struct kvm_vcpu *vcpu) + msr.data = data; + msr.index = ecx; + msr.host_initiated = false; +- if (vmx_set_msr(vcpu, &msr) != 0) { ++ if (kvm_set_msr(vcpu, &msr) != 0) { + trace_kvm_msr_write_ex(ecx, data); + kvm_inject_gp(vcpu, 0); + return 1; +@@ -6441,6 +6444,12 @@ static int handle_invept(struct kvm_vcpu *vcpu) + return 1; + } + ++static int handle_invvpid(struct kvm_vcpu *vcpu) ++{ ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; ++} ++ + /* + * The exit handlers return 1 if the exit was handled fully and guest execution + * may resume. 
Otherwise they set the kvm_run parameter to indicate what needs +@@ -6486,6 +6495,7 @@ static int (*const kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = { + [EXIT_REASON_MWAIT_INSTRUCTION] = handle_invalid_op, + [EXIT_REASON_MONITOR_INSTRUCTION] = handle_invalid_op, + [EXIT_REASON_INVEPT] = handle_invept, ++ [EXIT_REASON_INVVPID] = handle_invvpid, + }; + + static const int kvm_vmx_max_exit_handlers = +@@ -6719,7 +6729,7 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu) + case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD: + case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE: + case EXIT_REASON_VMOFF: case EXIT_REASON_VMON: +- case EXIT_REASON_INVEPT: ++ case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID: + /* + * VMX instructions trap unconditionally. This allows L1 to + * emulate them for its L2 guest, i.e., allows 3-level nesting! +@@ -6884,10 +6894,10 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu) + && kvm_vmx_exit_handlers[exit_reason]) + return kvm_vmx_exit_handlers[exit_reason](vcpu); + else { +- vcpu->run->exit_reason = KVM_EXIT_UNKNOWN; +- vcpu->run->hw.hardware_exit_reason = exit_reason; ++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_reason); ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; + } +- return 0; + } + + static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr) +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 8fbd1a772272..51c2851ca243 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -225,20 +225,25 @@ static void kvm_shared_msr_cpu_online(void) + shared_msr_update(i, shared_msrs_global.msrs[i]); + } + +-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask) ++int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask) + { + unsigned int cpu = smp_processor_id(); + struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu); ++ int err; + + if (((value ^ smsr->values[slot].curr) & mask) == 0) +- return; ++ return 0; + smsr->values[slot].curr = value; +- wrmsrl(shared_msrs_global.msrs[slot], value); ++ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value); ++ if (err) ++ return 1; ++ + if (!smsr->registered) { + smsr->urn.on_user_return = kvm_on_user_return; + user_return_notifier_register(&smsr->urn); + smsr->registered = true; + } ++ return 0; + } + EXPORT_SYMBOL_GPL(kvm_set_shared_msr); + +@@ -946,7 +951,6 @@ void kvm_enable_efer_bits(u64 mask) + } + EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); + +- + /* + * Writes msr value into into the appropriate "register". + * Returns 0 on success, non-0 otherwise. +@@ -954,8 +958,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); + */ + int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) + { ++ switch (msr->index) { ++ case MSR_FS_BASE: ++ case MSR_GS_BASE: ++ case MSR_KERNEL_GS_BASE: ++ case MSR_CSTAR: ++ case MSR_LSTAR: ++ if (is_noncanonical_address(msr->data)) ++ return 1; ++ break; ++ case MSR_IA32_SYSENTER_EIP: ++ case MSR_IA32_SYSENTER_ESP: ++ /* ++ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if ++ * non-canonical address is written on Intel but not on ++ * AMD (which ignores the top 32-bits, because it does ++ * not implement 64-bit SYSENTER). ++ * ++ * 64-bit code should hence be able to write a non-canonical ++ * value on AMD. Making the address canonical ensures that ++ * vmentry does not fail on Intel after writing a non-canonical ++ * value, and that something deterministic happens if the guest ++ * invokes 64-bit SYSENTER. 
++ */ ++ msr->data = get_canonical(msr->data); ++ } + return kvm_x86_ops->set_msr(vcpu, msr); + } ++EXPORT_SYMBOL_GPL(kvm_set_msr); + + /* + * Adapt set_msr() to msr_io()'s calling convention +diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c +index a3488689e301..fed892de9baf 100644 +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -405,7 +405,7 @@ phys_addr_t slow_virt_to_phys(void *__virt_addr) + psize = page_level_size(level); + pmask = page_level_mask(level); + offset = virt_addr & ~pmask; +- phys_addr = pte_pfn(*pte) << PAGE_SHIFT; ++ phys_addr = (phys_addr_t)pte_pfn(*pte) << PAGE_SHIFT; + return (phys_addr | offset); + } + EXPORT_SYMBOL_GPL(slow_virt_to_phys); +diff --git a/block/blk-settings.c b/block/blk-settings.c +index 5d21239bc859..95138e9d0ad5 100644 +--- a/block/blk-settings.c ++++ b/block/blk-settings.c +@@ -553,7 +553,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b, + bottom = max(b->physical_block_size, b->io_min) + alignment; + + /* Verify that top and bottom intervals line up */ +- if (max(top, bottom) & (min(top, bottom) - 1)) { ++ if (max(top, bottom) % min(top, bottom)) { + t->misaligned = 1; + ret = -1; + } +@@ -598,7 +598,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b, + + /* Find lowest common alignment_offset */ + t->alignment_offset = lcm(t->alignment_offset, alignment) +- & (max(t->physical_block_size, t->io_min) - 1); ++ % max(t->physical_block_size, t->io_min); + + /* Verify that new alignment_offset is on a logical block boundary */ + if (t->alignment_offset & (t->logical_block_size - 1)) { +diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c +index 26487972ac54..4044cf789c7a 100644 +--- a/block/scsi_ioctl.c ++++ b/block/scsi_ioctl.c +@@ -489,7 +489,7 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode, + + if (bytes && blk_rq_map_kern(q, rq, buffer, bytes, __GFP_WAIT)) { + err = DRIVER_ERROR << 24; +- goto out; ++ goto error; + } + + memset(sense, 0, sizeof(sense)); +@@ -499,7 +499,6 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode, + + blk_execute_rq(q, disk, rq, 0); + +-out: + err = rq->errors & 0xff; /* only 8 bit SCSI status */ + if (err) { + if (rq->sense_len && rq->sense) { +diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c +index a19c027b29bd..83187f497c7c 100644 +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -49,7 +49,7 @@ struct skcipher_ctx { + struct ablkcipher_request req; + }; + +-#define MAX_SGL_ENTS ((PAGE_SIZE - sizeof(struct skcipher_sg_list)) / \ ++#define MAX_SGL_ENTS ((4096 - sizeof(struct skcipher_sg_list)) / \ + sizeof(struct scatterlist) - 1) + + static inline int skcipher_sndbuf(struct sock *sk) +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c +index b603720b877d..37acda6fa7e4 100644 +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -2008,13 +2008,15 @@ static int ata_bus_softreset(struct ata_port *ap, unsigned int devmask, + + DPRINTK("ata%u: bus reset via SRST\n", ap->print_id); + +- /* software reset. causes dev0 to be selected */ +- iowrite8(ap->ctl, ioaddr->ctl_addr); +- udelay(20); /* FIXME: flush */ +- iowrite8(ap->ctl | ATA_SRST, ioaddr->ctl_addr); +- udelay(20); /* FIXME: flush */ +- iowrite8(ap->ctl, ioaddr->ctl_addr); +- ap->last_ctl = ap->ctl; ++ if (ap->ioaddr.ctl_addr) { ++ /* software reset. 
causes dev0 to be selected */ ++ iowrite8(ap->ctl, ioaddr->ctl_addr); ++ udelay(20); /* FIXME: flush */ ++ iowrite8(ap->ctl | ATA_SRST, ioaddr->ctl_addr); ++ udelay(20); /* FIXME: flush */ ++ iowrite8(ap->ctl, ioaddr->ctl_addr); ++ ap->last_ctl = ap->ctl; ++ } + + /* wait the port to become ready */ + return ata_sff_wait_after_reset(&ap->link, devmask, deadline); +@@ -2215,10 +2217,6 @@ void ata_sff_error_handler(struct ata_port *ap) + + spin_unlock_irqrestore(ap->lock, flags); + +- /* ignore ata_sff_softreset if ctl isn't accessible */ +- if (softreset == ata_sff_softreset && !ap->ioaddr.ctl_addr) +- softreset = NULL; +- + /* ignore built-in hardresets if SCR access is not available */ + if ((hardreset == sata_std_hardreset || + hardreset == sata_sff_hardreset) && !sata_scr_valid(&ap->link)) +diff --git a/drivers/ata/pata_serverworks.c b/drivers/ata/pata_serverworks.c +index 96c6a79ef606..79dedbae282c 100644 +--- a/drivers/ata/pata_serverworks.c ++++ b/drivers/ata/pata_serverworks.c +@@ -252,12 +252,18 @@ static void serverworks_set_dmamode(struct ata_port *ap, struct ata_device *adev + pci_write_config_byte(pdev, 0x54, ultra_cfg); + } + +-static struct scsi_host_template serverworks_sht = { ++static struct scsi_host_template serverworks_osb4_sht = { ++ ATA_BMDMA_SHT(DRV_NAME), ++ .sg_tablesize = LIBATA_DUMB_MAX_PRD, ++}; ++ ++static struct scsi_host_template serverworks_csb_sht = { + ATA_BMDMA_SHT(DRV_NAME), + }; + + static struct ata_port_operations serverworks_osb4_port_ops = { + .inherits = &ata_bmdma_port_ops, ++ .qc_prep = ata_bmdma_dumb_qc_prep, + .cable_detect = serverworks_cable_detect, + .mode_filter = serverworks_osb4_filter, + .set_piomode = serverworks_set_piomode, +@@ -266,6 +272,7 @@ static struct ata_port_operations serverworks_osb4_port_ops = { + + static struct ata_port_operations serverworks_csb_port_ops = { + .inherits = &serverworks_osb4_port_ops, ++ .qc_prep = ata_bmdma_qc_prep, + .mode_filter = serverworks_csb_filter, + }; + +@@ -405,6 +412,7 @@ static int serverworks_init_one(struct pci_dev *pdev, const struct pci_device_id + } + }; + const struct ata_port_info *ppi[] = { &info[id->driver_data], NULL }; ++ struct scsi_host_template *sht = &serverworks_csb_sht; + int rc; + + rc = pcim_enable_device(pdev); +@@ -418,6 +426,7 @@ static int serverworks_init_one(struct pci_dev *pdev, const struct pci_device_id + /* Select non UDMA capable OSB4 if we can't do fixups */ + if (rc < 0) + ppi[0] = &info[1]; ++ sht = &serverworks_osb4_sht; + } + /* setup CSB5/CSB6 : South Bridge and IDE option RAID */ + else if ((pdev->device == PCI_DEVICE_ID_SERVERWORKS_CSB5IDE) || +@@ -434,7 +443,7 @@ static int serverworks_init_one(struct pci_dev *pdev, const struct pci_device_id + ppi[1] = &ata_dummy_port_info; + } + +- return ata_pci_bmdma_init_one(pdev, ppi, &serverworks_sht, NULL, 0); ++ return ata_pci_bmdma_init_one(pdev, ppi, sht, NULL, 0); + } + + #ifdef CONFIG_PM +diff --git a/drivers/base/core.c b/drivers/base/core.c +index 2b567177ef78..6a8955e78610 100644 +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -741,12 +741,12 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj) + return &dir->kobj; + } + ++static DEFINE_MUTEX(gdp_mutex); + + static struct kobject *get_device_parent(struct device *dev, + struct device *parent) + { + if (dev->class) { +- static DEFINE_MUTEX(gdp_mutex); + struct kobject *kobj = NULL; + struct kobject *parent_kobj; + struct kobject *k; +@@ -810,7 +810,9 @@ static void cleanup_glue_dir(struct device *dev, struct kobject 
*glue_dir) + glue_dir->kset != &dev->class->p->glue_dirs) + return; + ++ mutex_lock(&gdp_mutex); + kobject_put(glue_dir); ++ mutex_unlock(&gdp_mutex); + } + + static void cleanup_device_parent(struct device *dev) +diff --git a/drivers/block/drbd/drbd_interval.c b/drivers/block/drbd/drbd_interval.c +index 89c497c630b4..04a14e0f8878 100644 +--- a/drivers/block/drbd/drbd_interval.c ++++ b/drivers/block/drbd/drbd_interval.c +@@ -79,6 +79,7 @@ bool + drbd_insert_interval(struct rb_root *root, struct drbd_interval *this) + { + struct rb_node **new = &root->rb_node, *parent = NULL; ++ sector_t this_end = this->sector + (this->size >> 9); + + BUG_ON(!IS_ALIGNED(this->size, 512)); + +@@ -87,6 +88,8 @@ drbd_insert_interval(struct rb_root *root, struct drbd_interval *this) + rb_entry(*new, struct drbd_interval, rb); + + parent = *new; ++ if (here->end < this_end) ++ here->end = this_end; + if (this->sector < here->sector) + new = &(*new)->rb_left; + else if (this->sector > here->sector) +@@ -99,6 +102,7 @@ drbd_insert_interval(struct rb_root *root, struct drbd_interval *this) + return false; + } + ++ this->end = this_end; + rb_link_node(&this->rb, parent, new); + rb_insert_augmented(&this->rb, root, &augment_callbacks); + return true; +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index 7296c7f074bd..255ca232ecc7 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -3217,7 +3217,7 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev, + page_count = (u32) calc_pages_for(offset, length); + pages = ceph_alloc_page_vector(page_count, GFP_KERNEL); + if (IS_ERR(pages)) +- ret = PTR_ERR(pages); ++ return PTR_ERR(pages); + + ret = -ENOMEM; + obj_request = rbd_obj_request_create(object_name, offset, length, +diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c +index 64c60edcdfbc..63fc7f06a014 100644 +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -763,6 +763,7 @@ again: + BUG_ON(new_map_idx >= segs_to_map); + if (unlikely(map[new_map_idx].status != 0)) { + pr_debug(DRV_PFX "invalid buffer -- could not remap it\n"); ++ put_free_pages(blkif, &pages[seg_idx]->page, 1); + pages[seg_idx]->handle = BLKBACK_INVALID_HANDLE; + ret |= 1; + goto next; +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 429b75bb60e8..8a64dbeae7b1 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1063,8 +1063,8 @@ static void extract_buf(struct entropy_store *r, __u8 *out) + * pool while mixing, and hash one final time. 
+ */ + sha_transform(hash.w, extract, workspace); +- memset(extract, 0, sizeof(extract)); +- memset(workspace, 0, sizeof(workspace)); ++ memzero_explicit(extract, sizeof(extract)); ++ memzero_explicit(workspace, sizeof(workspace)); + + /* + * In case the hash function has some recognizable output +@@ -1076,7 +1076,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out) + hash.w[2] ^= rol32(hash.w[2], 16); + + memcpy(out, &hash, EXTRACT_SIZE); +- memset(&hash, 0, sizeof(hash)); ++ memzero_explicit(&hash, sizeof(hash)); + } + + static ssize_t extract_entropy(struct entropy_store *r, void *buf, +@@ -1124,7 +1124,7 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, + } + + /* Wipe data just returned from memory */ +- memset(tmp, 0, sizeof(tmp)); ++ memzero_explicit(tmp, sizeof(tmp)); + + return ret; + } +@@ -1162,7 +1162,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, + } + + /* Wipe data just returned from memory */ +- memset(tmp, 0, sizeof(tmp)); ++ memzero_explicit(tmp, sizeof(tmp)); + + return ret; + } +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 415923606164..4854f81d038b 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -460,7 +460,18 @@ show_one(cpuinfo_max_freq, cpuinfo.max_freq); + show_one(cpuinfo_transition_latency, cpuinfo.transition_latency); + show_one(scaling_min_freq, min); + show_one(scaling_max_freq, max); +-show_one(scaling_cur_freq, cur); ++ ++static ssize_t show_scaling_cur_freq( ++ struct cpufreq_policy *policy, char *buf) ++{ ++ ssize_t ret; ++ ++ if (cpufreq_driver && cpufreq_driver->setpolicy && cpufreq_driver->get) ++ ret = sprintf(buf, "%u\n", cpufreq_driver->get(policy->cpu)); ++ else ++ ret = sprintf(buf, "%u\n", policy->cur); ++ return ret; ++} + + static int cpufreq_set_policy(struct cpufreq_policy *policy, + struct cpufreq_policy *new_policy); +@@ -854,11 +865,11 @@ static int cpufreq_add_dev_interface(struct cpufreq_policy *policy, + if (ret) + goto err_out_kobj_put; + } +- if (has_target()) { +- ret = sysfs_create_file(&policy->kobj, &scaling_cur_freq.attr); +- if (ret) +- goto err_out_kobj_put; +- } ++ ++ ret = sysfs_create_file(&policy->kobj, &scaling_cur_freq.attr); ++ if (ret) ++ goto err_out_kobj_put; ++ + if (cpufreq_driver->bios_limit) { + ret = sysfs_create_file(&policy->kobj, &bios_limit.attr); + if (ret) +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index ae52c777339d..533a509439ca 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -55,6 +55,17 @@ static inline int32_t div_fp(int32_t x, int32_t y) + return div_s64((int64_t)x << FRAC_BITS, (int64_t)y); + } + ++static inline int ceiling_fp(int32_t x) ++{ ++ int mask, ret; ++ ++ ret = fp_toint(x); ++ mask = (1 << FRAC_BITS) - 1; ++ if (x & mask) ++ ret += 1; ++ return ret; ++} ++ + struct sample { + int32_t core_pct_busy; + u64 aperf; +@@ -67,6 +78,7 @@ struct pstate_data { + int current_pstate; + int min_pstate; + int max_pstate; ++ int scaling; + int turbo_pstate; + }; + +@@ -118,6 +130,7 @@ struct pstate_funcs { + int (*get_max)(void); + int (*get_min)(void); + int (*get_turbo)(void); ++ int (*get_scaling)(void); + void (*set)(struct cpudata*, int pstate); + void (*get_vid)(struct cpudata *); + }; +@@ -397,7 +410,7 @@ static void byt_set_pstate(struct cpudata *cpudata, int pstate) + cpudata->vid.ratio); + + vid_fp = clamp_t(int32_t, vid_fp, cpudata->vid.min, cpudata->vid.max); +- vid = fp_toint(vid_fp); ++ vid = 
ceiling_fp(vid_fp); + + if (pstate > cpudata->pstate.max_pstate) + vid = cpudata->vid.turbo; +@@ -407,6 +420,22 @@ static void byt_set_pstate(struct cpudata *cpudata, int pstate) + wrmsrl(MSR_IA32_PERF_CTL, val); + } + ++#define BYT_BCLK_FREQS 5 ++static int byt_freq_table[BYT_BCLK_FREQS] = { 833, 1000, 1333, 1167, 800}; ++ ++static int byt_get_scaling(void) ++{ ++ u64 value; ++ int i; ++ ++ rdmsrl(MSR_FSB_FREQ, value); ++ i = value & 0x3; ++ ++ BUG_ON(i > BYT_BCLK_FREQS); ++ ++ return byt_freq_table[i] * 100; ++} ++ + static void byt_get_vid(struct cpudata *cpudata) + { + u64 value; +@@ -451,6 +480,11 @@ static int core_get_turbo_pstate(void) + return ret; + } + ++static inline int core_get_scaling(void) ++{ ++ return 100000; ++} ++ + static void core_set_pstate(struct cpudata *cpudata, int pstate) + { + u64 val; +@@ -475,6 +509,7 @@ static struct cpu_defaults core_params = { + .get_max = core_get_max_pstate, + .get_min = core_get_min_pstate, + .get_turbo = core_get_turbo_pstate, ++ .get_scaling = core_get_scaling, + .set = core_set_pstate, + }, + }; +@@ -493,6 +528,7 @@ static struct cpu_defaults byt_params = { + .get_min = byt_get_min_pstate, + .get_turbo = byt_get_turbo_pstate, + .set = byt_set_pstate, ++ .get_scaling = byt_get_scaling, + .get_vid = byt_get_vid, + }, + }; +@@ -526,7 +562,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate) + if (pstate == cpu->pstate.current_pstate) + return; + +- trace_cpu_frequency(pstate * 100000, cpu->cpu); ++ trace_cpu_frequency(pstate * cpu->pstate.scaling, cpu->cpu); + + cpu->pstate.current_pstate = pstate; + +@@ -555,6 +591,7 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu) + cpu->pstate.min_pstate = pstate_funcs.get_min(); + cpu->pstate.max_pstate = pstate_funcs.get_max(); + cpu->pstate.turbo_pstate = pstate_funcs.get_turbo(); ++ cpu->pstate.scaling = pstate_funcs.get_scaling(); + + if (pstate_funcs.get_vid) + pstate_funcs.get_vid(cpu); +@@ -574,7 +611,9 @@ static inline void intel_pstate_calc_busy(struct cpudata *cpu, + core_pct += 1; + + sample->freq = fp_toint( +- mul_fp(int_tofp(cpu->pstate.max_pstate * 1000), core_pct)); ++ mul_fp(int_tofp( ++ cpu->pstate.max_pstate * cpu->pstate.scaling / 100), ++ core_pct)); + + sample->core_pct_busy = (int32_t)core_pct; + } +@@ -685,10 +724,14 @@ static const struct x86_cpu_id intel_pstate_cpu_ids[] = { + ICPU(0x37, byt_params), + ICPU(0x3a, core_params), + ICPU(0x3c, core_params), ++ ICPU(0x3d, core_params), + ICPU(0x3e, core_params), + ICPU(0x3f, core_params), + ICPU(0x45, core_params), + ICPU(0x46, core_params), ++ ICPU(0x4c, byt_params), ++ ICPU(0x4f, core_params), ++ ICPU(0x56, core_params), + {} + }; + MODULE_DEVICE_TABLE(x86cpu, intel_pstate_cpu_ids); +@@ -751,6 +794,7 @@ static int intel_pstate_set_policy(struct cpufreq_policy *policy) + if (policy->policy == CPUFREQ_POLICY_PERFORMANCE) { + limits.min_perf_pct = 100; + limits.min_perf = int_tofp(1); ++ limits.max_policy_pct = 100; + limits.max_perf_pct = 100; + limits.max_perf = int_tofp(1); + limits.no_turbo = limits.turbo_disabled; +@@ -812,12 +856,13 @@ static int intel_pstate_cpu_init(struct cpufreq_policy *policy) + else + policy->policy = CPUFREQ_POLICY_POWERSAVE; + +- policy->min = cpu->pstate.min_pstate * 100000; +- policy->max = cpu->pstate.turbo_pstate * 100000; ++ policy->min = cpu->pstate.min_pstate * cpu->pstate.scaling; ++ policy->max = cpu->pstate.turbo_pstate * cpu->pstate.scaling; + + /* cpuinfo and default policy values */ +- policy->cpuinfo.min_freq = cpu->pstate.min_pstate * 100000; +- 
policy->cpuinfo.max_freq = cpu->pstate.turbo_pstate * 100000; ++ policy->cpuinfo.min_freq = cpu->pstate.min_pstate * cpu->pstate.scaling; ++ policy->cpuinfo.max_freq = ++ cpu->pstate.turbo_pstate * cpu->pstate.scaling; + policy->cpuinfo.transition_latency = CPUFREQ_ETERNAL; + cpumask_set_cpu(policy->cpu, policy->cpus); + +@@ -875,6 +920,7 @@ static void copy_cpu_funcs(struct pstate_funcs *funcs) + pstate_funcs.get_max = funcs->get_max; + pstate_funcs.get_min = funcs->get_min; + pstate_funcs.get_turbo = funcs->get_turbo; ++ pstate_funcs.get_scaling = funcs->get_scaling; + pstate_funcs.set = funcs->set; + pstate_funcs.get_vid = funcs->get_vid; + } +diff --git a/drivers/edac/cpc925_edac.c b/drivers/edac/cpc925_edac.c +index df6575f1430d..682288ced4ac 100644 +--- a/drivers/edac/cpc925_edac.c ++++ b/drivers/edac/cpc925_edac.c +@@ -562,7 +562,7 @@ static void cpc925_mc_check(struct mem_ctl_info *mci) + + if (apiexcp & UECC_EXCP_DETECTED) { + cpc925_mc_printk(mci, KERN_INFO, "DRAM UECC Fault\n"); +- edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, ++ edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, + pfn, offset, 0, + csrow, -1, -1, + mci->ctl_name, ""); +diff --git a/drivers/edac/e7xxx_edac.c b/drivers/edac/e7xxx_edac.c +index 3cda79bc8b00..ece3aef16bb1 100644 +--- a/drivers/edac/e7xxx_edac.c ++++ b/drivers/edac/e7xxx_edac.c +@@ -226,7 +226,7 @@ static void process_ce(struct mem_ctl_info *mci, struct e7xxx_error_info *info) + static void process_ce_no_info(struct mem_ctl_info *mci) + { + edac_dbg(3, "\n"); +- edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, 0, 0, 0, -1, -1, -1, ++ edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, 0, 0, 0, -1, -1, -1, + "e7xxx CE log register overflow", ""); + } + +diff --git a/drivers/edac/i3200_edac.c b/drivers/edac/i3200_edac.c +index fa1326e5a4b0..ad76f10865c6 100644 +--- a/drivers/edac/i3200_edac.c ++++ b/drivers/edac/i3200_edac.c +@@ -242,11 +242,11 @@ static void i3200_process_error_info(struct mem_ctl_info *mci, + -1, -1, + "i3000 UE", ""); + } else if (log & I3200_ECCERRLOG_CE) { +- edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, ++ edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, + 0, 0, eccerrlog_syndrome(log), + eccerrlog_row(channel, log), + -1, -1, +- "i3000 UE", ""); ++ "i3000 CE", ""); + } + } + } +diff --git a/drivers/edac/i82860_edac.c b/drivers/edac/i82860_edac.c +index 3382f6344e42..4382343a7c60 100644 +--- a/drivers/edac/i82860_edac.c ++++ b/drivers/edac/i82860_edac.c +@@ -124,7 +124,7 @@ static int i82860_process_error_info(struct mem_ctl_info *mci, + dimm->location[0], dimm->location[1], -1, + "i82860 UE", ""); + else +- edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, ++ edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, + info->eap, 0, info->derrsyn, + dimm->location[0], dimm->location[1], -1, + "i82860 CE", ""); +diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c +index cca063b11083..d2e56e95d886 100644 +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -1012,8 +1012,8 @@ static u32 copy_cursor_image(u8 *src, u8 *dst, int width, int height) + srcdata32[1].ul = *((u32 *)(srcxor + 4)) & 0xf0f0f0f0; + data32.b[0] = srcdata32[0].b[1] | (srcdata32[0].b[0] >> 4); + data32.b[1] = srcdata32[0].b[3] | (srcdata32[0].b[2] >> 4); +- data32.b[2] = srcdata32[0].b[1] | (srcdata32[1].b[0] >> 4); +- data32.b[3] = srcdata32[0].b[3] | (srcdata32[1].b[2] >> 4); ++ data32.b[2] = srcdata32[1].b[1] | (srcdata32[1].b[0] >> 4); ++ data32.b[3] = srcdata32[1].b[3] | 
(srcdata32[1].b[2] >> 4); + + writel(data32.ul, dstxor); + csum += data32.ul; +diff --git a/drivers/gpu/drm/cirrus/cirrus_drv.c b/drivers/gpu/drm/cirrus/cirrus_drv.c +index 08ce520f61a5..faa1f421f1b8 100644 +--- a/drivers/gpu/drm/cirrus/cirrus_drv.c ++++ b/drivers/gpu/drm/cirrus/cirrus_drv.c +@@ -32,6 +32,8 @@ static struct drm_driver driver; + static DEFINE_PCI_DEVICE_TABLE(pciidlist) = { + { PCI_VENDOR_ID_CIRRUS, PCI_DEVICE_ID_CIRRUS_5446, 0x1af4, 0x1100, 0, + 0, 0 }, ++ { PCI_VENDOR_ID_CIRRUS, PCI_DEVICE_ID_CIRRUS_5446, PCI_VENDOR_ID_XEN, ++ 0x0001, 0, 0, 0 }, + {0,} + }; + +diff --git a/drivers/gpu/drm/i915/intel_panel.c b/drivers/gpu/drm/i915/intel_panel.c +index fd98bec78816..c6d9777bdb45 100644 +--- a/drivers/gpu/drm/i915/intel_panel.c ++++ b/drivers/gpu/drm/i915/intel_panel.c +@@ -645,7 +645,7 @@ static void pch_enable_backlight(struct intel_connector *connector) + + cpu_ctl2 = I915_READ(BLC_PWM_CPU_CTL2); + if (cpu_ctl2 & BLM_PWM_ENABLE) { +- WARN(1, "cpu backlight already enabled\n"); ++ DRM_DEBUG_KMS("cpu backlight already enabled\n"); + cpu_ctl2 &= ~BLM_PWM_ENABLE; + I915_WRITE(BLC_PWM_CPU_CTL2, cpu_ctl2); + } +@@ -693,7 +693,7 @@ static void i9xx_enable_backlight(struct intel_connector *connector) + + ctl = I915_READ(BLC_PWM_CTL); + if (ctl & BACKLIGHT_DUTY_CYCLE_MASK_PNV) { +- WARN(1, "backlight already enabled\n"); ++ DRM_DEBUG_KMS("backlight already enabled\n"); + I915_WRITE(BLC_PWM_CTL, 0); + } + +@@ -724,7 +724,7 @@ static void i965_enable_backlight(struct intel_connector *connector) + + ctl2 = I915_READ(BLC_PWM_CTL2); + if (ctl2 & BLM_PWM_ENABLE) { +- WARN(1, "backlight already enabled\n"); ++ DRM_DEBUG_KMS("backlight already enabled\n"); + ctl2 &= ~BLM_PWM_ENABLE; + I915_WRITE(BLC_PWM_CTL2, ctl2); + } +@@ -758,7 +758,7 @@ static void vlv_enable_backlight(struct intel_connector *connector) + + ctl2 = I915_READ(VLV_BLC_PWM_CTL2(pipe)); + if (ctl2 & BLM_PWM_ENABLE) { +- WARN(1, "backlight already enabled\n"); ++ DRM_DEBUG_KMS("backlight already enabled\n"); + ctl2 &= ~BLM_PWM_ENABLE; + I915_WRITE(VLV_BLC_PWM_CTL2(pipe), ctl2); + } +diff --git a/drivers/gpu/drm/nouveau/core/subdev/bios/dcb.c b/drivers/gpu/drm/nouveau/core/subdev/bios/dcb.c +index 2d9b9d7a7992..f3edd2841f2d 100644 +--- a/drivers/gpu/drm/nouveau/core/subdev/bios/dcb.c ++++ b/drivers/gpu/drm/nouveau/core/subdev/bios/dcb.c +@@ -124,6 +124,7 @@ dcb_outp_parse(struct nouveau_bios *bios, u8 idx, u8 *ver, u8 *len, + struct dcb_output *outp) + { + u16 dcb = dcb_outp(bios, idx, ver, len); ++ memset(outp, 0x00, sizeof(*outp)); + if (dcb) { + if (*ver >= 0x20) { + u32 conn = nv_ro32(bios, dcb + 0x00); +diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c +index 798bde2e5881..c39c414c7751 100644 +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -523,7 +523,6 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, + struct qxl_framebuffer *qfb; + struct qxl_bo *bo, *old_bo = NULL; + struct qxl_crtc *qcrtc = to_qxl_crtc(crtc); +- uint32_t width, height, base_offset; + bool recreate_primary = false; + int ret; + int surf_id; +@@ -553,9 +552,10 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, + if (qcrtc->index == 0) + recreate_primary = true; + +- width = mode->hdisplay; +- height = mode->vdisplay; +- base_offset = 0; ++ if (bo->surf.stride * bo->surf.height > qdev->vram_size) { ++ DRM_ERROR("Mode doesn't fit in vram size (vgamem)"); ++ return -EINVAL; ++ } + + ret = qxl_bo_reserve(bo, false); + if (ret != 0) +@@ -569,10 +569,10 @@ static int 
qxl_crtc_mode_set(struct drm_crtc *crtc, + if (recreate_primary) { + qxl_io_destroy_primary(qdev); + qxl_io_log(qdev, +- "recreate primary: %dx%d (was %dx%d,%d,%d)\n", +- width, height, bo->surf.width, +- bo->surf.height, bo->surf.stride, bo->surf.format); +- qxl_io_create_primary(qdev, base_offset, bo); ++ "recreate primary: %dx%d,%d,%d\n", ++ bo->surf.width, bo->surf.height, ++ bo->surf.stride, bo->surf.format); ++ qxl_io_create_primary(qdev, 0, bo); + bo->is_primary = true; + surf_id = 0; + } else { +diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c +index 0a2f5b4bca43..879e62844b2b 100644 +--- a/drivers/gpu/drm/radeon/si_dpm.c ++++ b/drivers/gpu/drm/radeon/si_dpm.c +@@ -6200,7 +6200,7 @@ static void si_parse_pplib_clock_info(struct radeon_device *rdev, + if ((rps->class2 & ATOM_PPLIB_CLASSIFICATION2_ULV) && + index == 0) { + /* XXX disable for A0 tahiti */ +- si_pi->ulv.supported = true; ++ si_pi->ulv.supported = false; + si_pi->ulv.pl = *pl; + si_pi->ulv.one_pcie_lane_in_ulv = false; + si_pi->ulv.volt_change_delay = SISLANDS_ULVVOLTAGECHANGEDELAY_DFLT; +diff --git a/drivers/gpu/drm/tilcdc/tilcdc_drv.c b/drivers/gpu/drm/tilcdc/tilcdc_drv.c +index 0644429f8559..52b47115b5cb 100644 +--- a/drivers/gpu/drm/tilcdc/tilcdc_drv.c ++++ b/drivers/gpu/drm/tilcdc/tilcdc_drv.c +@@ -84,6 +84,7 @@ static int modeset_init(struct drm_device *dev) + if ((priv->num_encoders == 0) || (priv->num_connectors == 0)) { + /* oh nos! */ + dev_err(dev->dev, "no encoders/connectors found\n"); ++ drm_mode_config_cleanup(dev); + return -ENXIO; + } + +@@ -178,33 +179,37 @@ static int tilcdc_load(struct drm_device *dev, unsigned long flags) + dev->dev_private = priv; + + priv->wq = alloc_ordered_workqueue("tilcdc", 0); ++ if (!priv->wq) { ++ ret = -ENOMEM; ++ goto fail_free_priv; ++ } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!res) { + dev_err(dev->dev, "failed to get memory resource\n"); + ret = -EINVAL; +- goto fail; ++ goto fail_free_wq; + } + + priv->mmio = ioremap_nocache(res->start, resource_size(res)); + if (!priv->mmio) { + dev_err(dev->dev, "failed to ioremap\n"); + ret = -ENOMEM; +- goto fail; ++ goto fail_free_wq; + } + + priv->clk = clk_get(dev->dev, "fck"); + if (IS_ERR(priv->clk)) { + dev_err(dev->dev, "failed to get functional clock\n"); + ret = -ENODEV; +- goto fail; ++ goto fail_iounmap; + } + + priv->disp_clk = clk_get(dev->dev, "dpll_disp_ck"); + if (IS_ERR(priv->clk)) { + dev_err(dev->dev, "failed to get display clock\n"); + ret = -ENODEV; +- goto fail; ++ goto fail_put_clk; + } + + #ifdef CONFIG_CPU_FREQ +@@ -214,7 +219,7 @@ static int tilcdc_load(struct drm_device *dev, unsigned long flags) + CPUFREQ_TRANSITION_NOTIFIER); + if (ret) { + dev_err(dev->dev, "failed to register cpufreq notifier\n"); +- goto fail; ++ goto fail_put_disp_clk; + } + #endif + +@@ -259,13 +264,13 @@ static int tilcdc_load(struct drm_device *dev, unsigned long flags) + ret = modeset_init(dev); + if (ret < 0) { + dev_err(dev->dev, "failed to initialize mode setting\n"); +- goto fail; ++ goto fail_cpufreq_unregister; + } + + ret = drm_vblank_init(dev, 1); + if (ret < 0) { + dev_err(dev->dev, "failed to initialize vblank\n"); +- goto fail; ++ goto fail_mode_config_cleanup; + } + + pm_runtime_get_sync(dev->dev); +@@ -273,7 +278,7 @@ static int tilcdc_load(struct drm_device *dev, unsigned long flags) + pm_runtime_put_sync(dev->dev); + if (ret < 0) { + dev_err(dev->dev, "failed to install IRQ handler\n"); +- goto fail; ++ goto fail_vblank_cleanup; + } + + 
platform_set_drvdata(pdev, dev); +@@ -289,13 +294,48 @@ static int tilcdc_load(struct drm_device *dev, unsigned long flags) + priv->fbdev = drm_fbdev_cma_init(dev, bpp, + dev->mode_config.num_crtc, + dev->mode_config.num_connector); ++ if (IS_ERR(priv->fbdev)) { ++ ret = PTR_ERR(priv->fbdev); ++ goto fail_irq_uninstall; ++ } + + drm_kms_helper_poll_init(dev); + + return 0; + +-fail: +- tilcdc_unload(dev); ++fail_irq_uninstall: ++ pm_runtime_get_sync(dev->dev); ++ drm_irq_uninstall(dev); ++ pm_runtime_put_sync(dev->dev); ++ ++fail_vblank_cleanup: ++ drm_vblank_cleanup(dev); ++ ++fail_mode_config_cleanup: ++ drm_mode_config_cleanup(dev); ++ ++fail_cpufreq_unregister: ++ pm_runtime_disable(dev->dev); ++#ifdef CONFIG_CPU_FREQ ++ cpufreq_unregister_notifier(&priv->freq_transition, ++ CPUFREQ_TRANSITION_NOTIFIER); ++fail_put_disp_clk: ++ clk_put(priv->disp_clk); ++#endif ++ ++fail_put_clk: ++ clk_put(priv->clk); ++ ++fail_iounmap: ++ iounmap(priv->mmio); ++ ++fail_free_wq: ++ flush_workqueue(priv->wq); ++ destroy_workqueue(priv->wq); ++ ++fail_free_priv: ++ dev->dev_private = NULL; ++ kfree(priv); + return ret; + } + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +index 0083cbf99edf..fb7c36e93fd4 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -688,7 +688,11 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset) + goto out_err0; + } + +- if (unlikely(dev_priv->prim_bb_mem < dev_priv->vram_size)) ++ /* ++ * Limit back buffer size to VRAM size. Remove this once ++ * screen targets are implemented. ++ */ ++ if (dev_priv->prim_bb_mem > dev_priv->vram_size) + dev_priv->prim_bb_mem = dev_priv->vram_size; + + mutex_unlock(&dev_priv->hw_mutex); +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +index 8a650413dea5..c8f8ecf7b282 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -1954,6 +1954,14 @@ int vmw_du_connector_fill_modes(struct drm_connector *connector, + DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_PVSYNC) + }; + int i; ++ u32 assumed_bpp = 2; ++ ++ /* ++ * If using screen objects, then assume 32-bpp because that's what the ++ * SVGA device is assuming ++ */ ++ if (dev_priv->sou_priv) ++ assumed_bpp = 4; + + /* Add preferred mode */ + { +@@ -1964,8 +1972,9 @@ int vmw_du_connector_fill_modes(struct drm_connector *connector, + mode->vdisplay = du->pref_height; + vmw_guess_mode_timing(mode); + +- if (vmw_kms_validate_mode_vram(dev_priv, mode->hdisplay * 2, +- mode->vdisplay)) { ++ if (vmw_kms_validate_mode_vram(dev_priv, ++ mode->hdisplay * assumed_bpp, ++ mode->vdisplay)) { + drm_mode_probed_add(connector, mode); + } else { + drm_mode_destroy(dev, mode); +@@ -1987,7 +1996,8 @@ int vmw_du_connector_fill_modes(struct drm_connector *connector, + bmode->vdisplay > max_height) + continue; + +- if (!vmw_kms_validate_mode_vram(dev_priv, bmode->hdisplay * 2, ++ if (!vmw_kms_validate_mode_vram(dev_priv, ++ bmode->hdisplay * assumed_bpp, + bmode->vdisplay)) + continue; + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 6e12cd0317f6..91bc66b4b151 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -292,6 +292,11 @@ + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_73F7 0x73f7 + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001 0xa001 + ++#define USB_VENDOR_ID_ELAN 0x04f3 ++#define USB_DEVICE_ID_ELAN_TOUCHSCREEN 0x0089 ++#define USB_DEVICE_ID_ELAN_TOUCHSCREEN_009B 0x009b ++#define 
USB_DEVICE_ID_ELAN_TOUCHSCREEN_016F 0x016f ++ + #define USB_VENDOR_ID_ELECOM 0x056e + #define USB_DEVICE_ID_ELECOM_BM084 0x0061 + +diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c +index 44df131d390a..617c47f9ebe6 100644 +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -82,7 +82,7 @@ static int hid_start_in(struct hid_device *hid) + struct usbhid_device *usbhid = hid->driver_data; + + spin_lock_irqsave(&usbhid->lock, flags); +- if (hid->open > 0 && ++ if ((hid->open > 0 || hid->quirks & HID_QUIRK_ALWAYS_POLL) && + !test_bit(HID_DISCONNECTED, &usbhid->iofl) && + !test_bit(HID_SUSPENDED, &usbhid->iofl) && + !test_and_set_bit(HID_IN_RUNNING, &usbhid->iofl)) { +@@ -292,6 +292,8 @@ static void hid_irq_in(struct urb *urb) + case 0: /* success */ + usbhid_mark_busy(usbhid); + usbhid->retry_delay = 0; ++ if ((hid->quirks & HID_QUIRK_ALWAYS_POLL) && !hid->open) ++ break; + hid_input_report(urb->context, HID_INPUT_REPORT, + urb->transfer_buffer, + urb->actual_length, 1); +@@ -734,8 +736,10 @@ void usbhid_close(struct hid_device *hid) + if (!--hid->open) { + spin_unlock_irq(&usbhid->lock); + hid_cancel_delayed_stuff(usbhid); +- usb_kill_urb(usbhid->urbin); +- usbhid->intf->needs_remote_wakeup = 0; ++ if (!(hid->quirks & HID_QUIRK_ALWAYS_POLL)) { ++ usb_kill_urb(usbhid->urbin); ++ usbhid->intf->needs_remote_wakeup = 0; ++ } + } else { + spin_unlock_irq(&usbhid->lock); + } +@@ -1119,6 +1123,19 @@ static int usbhid_start(struct hid_device *hid) + + set_bit(HID_STARTED, &usbhid->iofl); + ++ if (hid->quirks & HID_QUIRK_ALWAYS_POLL) { ++ ret = usb_autopm_get_interface(usbhid->intf); ++ if (ret) ++ goto fail; ++ usbhid->intf->needs_remote_wakeup = 1; ++ ret = hid_start_in(hid); ++ if (ret) { ++ dev_err(&hid->dev, ++ "failed to start in urb: %d\n", ret); ++ } ++ usb_autopm_put_interface(usbhid->intf); ++ } ++ + /* Some keyboards don't work until their LEDs have been set. + * Since BIOSes do set the LEDs, it must be safe for any device + * that supports the keyboard boot protocol. 
+@@ -1151,6 +1168,9 @@ static void usbhid_stop(struct hid_device *hid) + if (WARN_ON(!usbhid)) + return; + ++ if (hid->quirks & HID_QUIRK_ALWAYS_POLL) ++ usbhid->intf->needs_remote_wakeup = 0; ++ + clear_bit(HID_STARTED, &usbhid->iofl); + spin_lock_irq(&usbhid->lock); /* Sync with error and led handlers */ + set_bit(HID_DISCONNECTED, &usbhid->iofl); +diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c +index 8e4ddb369883..deb364306636 100644 +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -69,6 +69,9 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_3AXIS_5BUTTON_STICK, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_AXIS_295, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET }, ++ { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN, HID_QUIRK_ALWAYS_POLL }, ++ { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN_009B, HID_QUIRK_ALWAYS_POLL }, ++ { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN_016F, HID_QUIRK_ALWAYS_POLL }, + { USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS }, + { USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET }, +diff --git a/drivers/i2c/busses/i2c-at91.c b/drivers/i2c/busses/i2c-at91.c +index 11e9c7f9bf9b..8873d84e1d4f 100644 +--- a/drivers/i2c/busses/i2c-at91.c ++++ b/drivers/i2c/busses/i2c-at91.c +@@ -434,7 +434,7 @@ static int at91_do_twi_transfer(struct at91_twi_dev *dev) + } + } + +- ret = wait_for_completion_io_timeout(&dev->cmd_complete, ++ ret = wait_for_completion_timeout(&dev->cmd_complete, + dev->adapter.timeout); + if (ret == 0) { + dev_err(dev->dev, "controller timed out\n"); +diff --git a/drivers/iio/common/st_sensors/st_sensors_buffer.c b/drivers/iio/common/st_sensors/st_sensors_buffer.c +index 1665c8e4b62b..e18bc6782256 100644 +--- a/drivers/iio/common/st_sensors/st_sensors_buffer.c ++++ b/drivers/iio/common/st_sensors/st_sensors_buffer.c +@@ -71,7 +71,7 @@ int st_sensors_get_buffer_element(struct iio_dev *indio_dev, u8 *buf) + goto st_sensors_free_memory; + } + +- for (i = 0; i < n * num_data_channels; i++) { ++ for (i = 0; i < n * byte_for_channel; i++) { + if (i < n) + buf[i] = rx_array[i]; + else +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index f1da362c3e65..8fca488fdc15 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -101,6 +101,12 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = { + }, + { + .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X750LN"), ++ }, ++ }, ++ { ++ .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Compaq"), + DMI_MATCH(DMI_PRODUCT_NAME , "ProLiant"), + DMI_MATCH(DMI_PRODUCT_VERSION, "8500"), +@@ -609,6 +615,22 @@ static const struct dmi_system_id __initconst i8042_dmi_notimeout_table[] = { + }, + }, + { ++ /* Fujitsu A544 laptop */ ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1111138 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK A544"), ++ }, ++ }, ++ { ++ /* Fujitsu AH544 laptop */ ++ /* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK AH544"), ++ }, ++ }, ++ { + /* Fujitsu U574 laptop */ + /* 
https://bugzilla.kernel.org/show_bug.cgi?id=69731 */ + .matches = { +diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c +index 0e722c103562..ca1621b49453 100644 +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -465,6 +465,7 @@ static void __relink_lru(struct dm_buffer *b, int dirty) + c->n_buffers[dirty]++; + b->list_mode = dirty; + list_move(&b->lru_list, &c->lru[dirty]); ++ b->last_accessed = jiffies; + } + + /*---------------------------------------------------------------- +@@ -1485,9 +1486,9 @@ static long __scan(struct dm_bufio_client *c, unsigned long nr_to_scan, + list_for_each_entry_safe_reverse(b, tmp, &c->lru[l], lru_list) { + freed += __cleanup_old_buffer(b, gfp_mask, 0); + if (!--nr_to_scan) +- break; ++ return freed; ++ dm_bufio_cond_resched(); + } +- dm_bufio_cond_resched(); + } + return freed; + } +diff --git a/drivers/md/dm-log-userspace-transfer.c b/drivers/md/dm-log-userspace-transfer.c +index 08d9a207259a..c69d0b787746 100644 +--- a/drivers/md/dm-log-userspace-transfer.c ++++ b/drivers/md/dm-log-userspace-transfer.c +@@ -272,7 +272,7 @@ int dm_ulog_tfr_init(void) + + r = cn_add_callback(&ulog_cn_id, "dmlogusr", cn_ulog_callback); + if (r) { +- cn_del_callback(&ulog_cn_id); ++ kfree(prealloced_cn_msg); + return r; + } + +diff --git a/drivers/media/dvb-frontends/ds3000.c b/drivers/media/dvb-frontends/ds3000.c +index 1e344b033277..22e8c2032f6d 100644 +--- a/drivers/media/dvb-frontends/ds3000.c ++++ b/drivers/media/dvb-frontends/ds3000.c +@@ -864,6 +864,13 @@ struct dvb_frontend *ds3000_attach(const struct ds3000_config *config, + memcpy(&state->frontend.ops, &ds3000_ops, + sizeof(struct dvb_frontend_ops)); + state->frontend.demodulator_priv = state; ++ ++ /* ++ * Some devices like T480 starts with voltage on. Be sure ++ * to turn voltage off during init, as this can otherwise ++ * interfere with Unicable SCR systems. 
++ */ ++ ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF); + return &state->frontend; + + error3: +diff --git a/drivers/media/i2c/tda7432.c b/drivers/media/i2c/tda7432.c +index 72af644fa051..cf93021a6500 100644 +--- a/drivers/media/i2c/tda7432.c ++++ b/drivers/media/i2c/tda7432.c +@@ -293,7 +293,7 @@ static int tda7432_s_ctrl(struct v4l2_ctrl *ctrl) + if (t->mute->val) { + lf |= TDA7432_MUTE; + lr |= TDA7432_MUTE; +- lf |= TDA7432_MUTE; ++ rf |= TDA7432_MUTE; + rr |= TDA7432_MUTE; + } + /* Mute & update balance*/ +diff --git a/drivers/media/tuners/m88ts2022.c b/drivers/media/tuners/m88ts2022.c +index 40c42dec721b..7a62097aa9ea 100644 +--- a/drivers/media/tuners/m88ts2022.c ++++ b/drivers/media/tuners/m88ts2022.c +@@ -314,7 +314,7 @@ static int m88ts2022_set_params(struct dvb_frontend *fe) + div_min = gdiv28 * 78 / 100; + div_max = clamp_val(div_max, 0U, 63U); + +- f_3db_hz = c->symbol_rate * 135UL / 200UL; ++ f_3db_hz = mult_frac(c->symbol_rate, 135, 200); + f_3db_hz += 2000000U + (frequency_offset_khz * 1000U); + f_3db_hz = clamp(f_3db_hz, 7000000U, 40000000U); + +diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c +index 4d97a76cc3b0..c1a3f8f95750 100644 +--- a/drivers/media/usb/em28xx/em28xx-cards.c ++++ b/drivers/media/usb/em28xx/em28xx-cards.c +@@ -2993,16 +2993,6 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev, + } + } + +- if (dev->chip_id == CHIP_ID_EM2870 || +- dev->chip_id == CHIP_ID_EM2874 || +- dev->chip_id == CHIP_ID_EM28174 || +- dev->chip_id == CHIP_ID_EM28178) { +- /* Digital only device - don't load any alsa module */ +- dev->audio_mode.has_audio = false; +- dev->has_audio_class = false; +- dev->has_alsa_audio = false; +- } +- + if (chip_name != default_chip_name) + printk(KERN_INFO DRIVER_NAME + ": chip ID is %s\n", chip_name); +@@ -3272,7 +3262,6 @@ static int em28xx_usb_probe(struct usb_interface *interface, + dev->alt = -1; + dev->is_audio_only = has_audio && !(has_video || has_dvb); + dev->has_alsa_audio = has_audio; +- dev->audio_mode.has_audio = has_audio; + dev->has_video = has_video; + dev->ifnum = ifnum; + +diff --git a/drivers/media/usb/em28xx/em28xx-core.c b/drivers/media/usb/em28xx/em28xx-core.c +index 898fb9bd88a2..97fd881a4e7b 100644 +--- a/drivers/media/usb/em28xx/em28xx-core.c ++++ b/drivers/media/usb/em28xx/em28xx-core.c +@@ -506,8 +506,18 @@ int em28xx_audio_setup(struct em28xx *dev) + int vid1, vid2, feat, cfg; + u32 vid; + +- if (!dev->audio_mode.has_audio) ++ if (dev->chip_id == CHIP_ID_EM2870 || ++ dev->chip_id == CHIP_ID_EM2874 || ++ dev->chip_id == CHIP_ID_EM28174 || ++ dev->chip_id == CHIP_ID_EM28178) { ++ /* Digital only device - don't load any alsa module */ ++ dev->audio_mode.has_audio = false; ++ dev->has_audio_class = false; ++ dev->has_alsa_audio = false; + return 0; ++ } ++ ++ dev->audio_mode.has_audio = true; + + /* See how this device is configured */ + cfg = em28xx_read_reg(dev, EM28XX_R00_CHIPCFG); +diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c +index c3c928937dcd..e24ee08e634e 100644 +--- a/drivers/media/usb/em28xx/em28xx-video.c ++++ b/drivers/media/usb/em28xx/em28xx-video.c +@@ -953,13 +953,16 @@ static int em28xx_stop_streaming(struct vb2_queue *vq) + } + + spin_lock_irqsave(&dev->slock, flags); ++ if (dev->usb_ctl.vid_buf != NULL) { ++ vb2_buffer_done(&dev->usb_ctl.vid_buf->vb, VB2_BUF_STATE_ERROR); ++ dev->usb_ctl.vid_buf = NULL; ++ } + while (!list_empty(&vidq->active)) { + struct em28xx_buffer *buf; + buf = 
list_entry(vidq->active.next, struct em28xx_buffer, list); + list_del(&buf->list); + vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR); + } +- dev->usb_ctl.vid_buf = NULL; + spin_unlock_irqrestore(&dev->slock, flags); + + return 0; +@@ -981,13 +984,16 @@ int em28xx_stop_vbi_streaming(struct vb2_queue *vq) + } + + spin_lock_irqsave(&dev->slock, flags); ++ if (dev->usb_ctl.vbi_buf != NULL) { ++ vb2_buffer_done(&dev->usb_ctl.vbi_buf->vb, VB2_BUF_STATE_ERROR); ++ dev->usb_ctl.vbi_buf = NULL; ++ } + while (!list_empty(&vbiq->active)) { + struct em28xx_buffer *buf; + buf = list_entry(vbiq->active.next, struct em28xx_buffer, list); + list_del(&buf->list); + vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR); + } +- dev->usb_ctl.vbi_buf = NULL; + spin_unlock_irqrestore(&dev->slock, flags); + + return 0; +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index c3bb2502225b..753ad4cfc118 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -2210,6 +2210,15 @@ static struct usb_device_id uvc_ids[] = { + .bInterfaceSubClass = 1, + .bInterfaceProtocol = 0, + .driver_info = UVC_QUIRK_PROBE_DEF }, ++ /* Dell XPS M1330 (OmniVision OV7670 webcam) */ ++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE ++ | USB_DEVICE_ID_MATCH_INT_INFO, ++ .idVendor = 0x05a9, ++ .idProduct = 0x7670, ++ .bInterfaceClass = USB_CLASS_VIDEO, ++ .bInterfaceSubClass = 1, ++ .bInterfaceProtocol = 0, ++ .driver_info = UVC_QUIRK_PROBE_DEF }, + /* Apple Built-In iSight */ + { .match_flags = USB_DEVICE_ID_MATCH_DEVICE + | USB_DEVICE_ID_MATCH_INT_INFO, +diff --git a/drivers/media/v4l2-core/v4l2-common.c b/drivers/media/v4l2-core/v4l2-common.c +index 433d6d77942e..c5521cec933b 100644 +--- a/drivers/media/v4l2-core/v4l2-common.c ++++ b/drivers/media/v4l2-core/v4l2-common.c +@@ -431,16 +431,13 @@ static unsigned int clamp_align(unsigned int x, unsigned int min, + /* Bits that must be zero to be aligned */ + unsigned int mask = ~((1 << align) - 1); + ++ /* Clamp to aligned min and max */ ++ x = clamp(x, (min + ~mask) & mask, max & mask); ++ + /* Round to nearest aligned value */ + if (align) + x = (x + (1 << (align - 1))) & mask; + +- /* Clamp to aligned value of min and max */ +- if (x < min) +- x = (min + ~mask) & mask; +- else if (x > max) +- x = max & mask; +- + return x; + } + +diff --git a/drivers/mfd/rtsx_pcr.c b/drivers/mfd/rtsx_pcr.c +index 1d15735f9ef9..89b4c4216d0c 100644 +--- a/drivers/mfd/rtsx_pcr.c ++++ b/drivers/mfd/rtsx_pcr.c +@@ -1177,7 +1177,7 @@ static int rtsx_pci_probe(struct pci_dev *pcidev, + pcr->msi_en = msi_en; + if (pcr->msi_en) { + ret = pci_enable_msi(pcidev); +- if (ret < 0) ++ if (ret) + pcr->msi_en = false; + } + +diff --git a/drivers/mfd/ti_am335x_tscadc.c b/drivers/mfd/ti_am335x_tscadc.c +index d4e860413bb5..e87a2485468f 100644 +--- a/drivers/mfd/ti_am335x_tscadc.c ++++ b/drivers/mfd/ti_am335x_tscadc.c +@@ -54,11 +54,11 @@ void am335x_tsc_se_set_cache(struct ti_tscadc_dev *tsadc, u32 val) + unsigned long flags; + + spin_lock_irqsave(&tsadc->reg_lock, flags); +- tsadc->reg_se_cache = val; ++ tsadc->reg_se_cache |= val; + if (tsadc->adc_waiting) + wake_up(&tsadc->reg_se_wait); + else if (!tsadc->adc_in_use) +- tscadc_writel(tsadc, REG_SE, val); ++ tscadc_writel(tsadc, REG_SE, tsadc->reg_se_cache); + + spin_unlock_irqrestore(&tsadc->reg_lock, flags); + } +@@ -97,6 +97,7 @@ static void am335x_tscadc_need_adc(struct ti_tscadc_dev *tsadc) + void am335x_tsc_se_set_once(struct ti_tscadc_dev *tsadc, u32 val) + { + spin_lock_irq(&tsadc->reg_lock); ++ 
tsadc->reg_se_cache |= val; + am335x_tscadc_need_adc(tsadc); + + tscadc_writel(tsadc, REG_SE, val); +diff --git a/drivers/mmc/host/rtsx_pci_sdmmc.c b/drivers/mmc/host/rtsx_pci_sdmmc.c +index 7e1866175e7b..ca297d741207 100644 +--- a/drivers/mmc/host/rtsx_pci_sdmmc.c ++++ b/drivers/mmc/host/rtsx_pci_sdmmc.c +@@ -342,6 +342,13 @@ static void sd_send_cmd_get_rsp(struct realtek_pci_sdmmc *host, + } + + if (rsp_type == SD_RSP_TYPE_R2) { ++ /* ++ * The controller offloads the last byte {CRC-7, end bit 1'b1} ++ * of response type R2. Assign dummy CRC, 0, and end bit to the ++ * byte(ptr[16], goes into the LSB of resp[3] later). ++ */ ++ ptr[16] = 1; ++ + for (i = 0; i < 4; i++) { + cmd->resp[i] = get_unaligned_be32(ptr + 1 + i * 4); + dev_dbg(sdmmc_dev(host), "cmd->resp[%d] = 0x%08x\n", +diff --git a/drivers/mmc/host/sdhci-pci.c b/drivers/mmc/host/sdhci-pci.c +index 0955777b6c7e..19bfa0ad70c4 100644 +--- a/drivers/mmc/host/sdhci-pci.c ++++ b/drivers/mmc/host/sdhci-pci.c +@@ -103,6 +103,10 @@ static const struct sdhci_pci_fixes sdhci_cafe = { + SDHCI_QUIRK_BROKEN_TIMEOUT_VAL, + }; + ++static const struct sdhci_pci_fixes sdhci_intel_qrk = { ++ .quirks = SDHCI_QUIRK_NO_HISPD_BIT, ++}; ++ + static int mrst_hc_probe_slot(struct sdhci_pci_slot *slot) + { + slot->host->mmc->caps |= MMC_CAP_8_BIT_DATA; +@@ -733,6 +737,14 @@ static const struct pci_device_id pci_ids[] = { + + { + .vendor = PCI_VENDOR_ID_INTEL, ++ .device = PCI_DEVICE_ID_INTEL_QRK_SD, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .driver_data = (kernel_ulong_t)&sdhci_intel_qrk, ++ }, ++ ++ { ++ .vendor = PCI_VENDOR_ID_INTEL, + .device = PCI_DEVICE_ID_INTEL_MRST_SD0, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, +diff --git a/drivers/mmc/host/sdhci-pci.h b/drivers/mmc/host/sdhci-pci.h +index 6d718719659e..c101477ef3be 100644 +--- a/drivers/mmc/host/sdhci-pci.h ++++ b/drivers/mmc/host/sdhci-pci.h +@@ -17,6 +17,7 @@ + #define PCI_DEVICE_ID_INTEL_CLV_SDIO2 0x08fb + #define PCI_DEVICE_ID_INTEL_CLV_EMMC0 0x08e5 + #define PCI_DEVICE_ID_INTEL_CLV_EMMC1 0x08e6 ++#define PCI_DEVICE_ID_INTEL_QRK_SD 0x08A7 + + /* + * PCI registers +diff --git a/drivers/mtd/ubi/fastmap.c b/drivers/mtd/ubi/fastmap.c +index c5dad652614d..904b4517fc1e 100644 +--- a/drivers/mtd/ubi/fastmap.c ++++ b/drivers/mtd/ubi/fastmap.c +@@ -330,6 +330,7 @@ static int process_pool_aeb(struct ubi_device *ubi, struct ubi_attach_info *ai, + av = tmp_av; + else { + ubi_err("orphaned volume in fastmap pool!"); ++ kmem_cache_free(ai->aeb_slab_cache, new_aeb); + return UBI_BAD_FASTMAP; + } + +diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig +index 494b888a6568..7e5c6a8b89e7 100644 +--- a/drivers/net/Kconfig ++++ b/drivers/net/Kconfig +@@ -135,6 +135,7 @@ config MACVLAN + config MACVTAP + tristate "MAC-VLAN based tap driver" + depends on MACVLAN ++ depends on INET + help + This adds a specialized tap character device driver that is based + on the MAC-VLAN network interface, called macvtap. 
A macvtap device +@@ -205,6 +206,7 @@ config RIONET_RX_SIZE + + config TUN + tristate "Universal TUN/TAP device driver support" ++ depends on INET + select CRC32 + ---help--- + TUN/TAP provides packet reception and transmission for user space +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index 0c6adaaf898c..f30ceb17d5fc 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -16,6 +16,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -65,7 +66,7 @@ static struct cdev macvtap_cdev; + static const struct proto_ops macvtap_socket_ops; + + #define TUN_OFFLOADS (NETIF_F_HW_CSUM | NETIF_F_TSO_ECN | NETIF_F_TSO | \ +- NETIF_F_TSO6 | NETIF_F_UFO) ++ NETIF_F_TSO6) + #define RX_OFFLOADS (NETIF_F_GRO | NETIF_F_LRO) + #define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG) + +@@ -569,7 +570,11 @@ static int macvtap_skb_from_vnet_hdr(struct sk_buff *skb, + gso_type = SKB_GSO_TCPV6; + break; + case VIRTIO_NET_HDR_GSO_UDP: ++ pr_warn_once("macvtap: %s: using disabled UFO feature; please fix this program\n", ++ current->comm); + gso_type = SKB_GSO_UDP; ++ if (skb->protocol == htons(ETH_P_IPV6)) ++ ipv6_proxy_select_ident(skb); + break; + default: + return -EINVAL; +@@ -614,8 +619,6 @@ static void macvtap_skb_to_vnet_hdr(const struct sk_buff *skb, + vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV4; + else if (sinfo->gso_type & SKB_GSO_TCPV6) + vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV6; +- else if (sinfo->gso_type & SKB_GSO_UDP) +- vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_UDP; + else + BUG(); + if (sinfo->gso_type & SKB_GSO_TCP_ECN) +@@ -950,9 +953,6 @@ static int set_offload(struct macvtap_queue *q, unsigned long arg) + if (arg & TUN_F_TSO6) + feature_mask |= NETIF_F_TSO6; + } +- +- if (arg & TUN_F_UFO) +- feature_mask |= NETIF_F_UFO; + } + + /* tun/tap driver inverts the usage for TSO offloads, where +@@ -963,7 +963,7 @@ static int set_offload(struct macvtap_queue *q, unsigned long arg) + * When user space turns off TSO, we turn off GSO/LRO so that + * user-space will not receive TSO frames. 
+ */ +- if (feature_mask & (NETIF_F_TSO | NETIF_F_TSO6 | NETIF_F_UFO)) ++ if (feature_mask & (NETIF_F_TSO | NETIF_F_TSO6)) + features |= RX_OFFLOADS; + else + features &= ~RX_OFFLOADS; +@@ -1064,7 +1064,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, + case TUNSETOFFLOAD: + /* let the user check for future flags */ + if (arg & ~(TUN_F_CSUM | TUN_F_TSO4 | TUN_F_TSO6 | +- TUN_F_TSO_ECN | TUN_F_UFO)) ++ TUN_F_TSO_ECN)) + return -EINVAL; + + rtnl_lock(); +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 72ff14b811c6..5a1897d86e94 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -601,7 +601,7 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + if (file == ppp->owner) + ppp_shutdown_interface(ppp); + } +- if (atomic_long_read(&file->f_count) <= 2) { ++ if (atomic_long_read(&file->f_count) < 2) { + ppp_release(NULL, file); + err = 0; + } else +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 26f8635b027d..2c8b1c21c452 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -65,6 +65,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -174,7 +175,7 @@ struct tun_struct { + struct net_device *dev; + netdev_features_t set_features; + #define TUN_USER_FEATURES (NETIF_F_HW_CSUM|NETIF_F_TSO_ECN|NETIF_F_TSO| \ +- NETIF_F_TSO6|NETIF_F_UFO) ++ NETIF_F_TSO6) + + int vnet_hdr_sz; + int sndbuf; +@@ -1140,6 +1141,8 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + break; + } + ++ skb_reset_network_header(skb); ++ + if (gso.gso_type != VIRTIO_NET_HDR_GSO_NONE) { + pr_debug("GSO!\n"); + switch (gso.gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { +@@ -1150,8 +1153,20 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6; + break; + case VIRTIO_NET_HDR_GSO_UDP: ++ { ++ static bool warned; ++ ++ if (!warned) { ++ warned = true; ++ netdev_warn(tun->dev, ++ "%s: using disabled UFO feature; please fix this program\n", ++ current->comm); ++ } + skb_shinfo(skb)->gso_type = SKB_GSO_UDP; ++ if (skb->protocol == htons(ETH_P_IPV6)) ++ ipv6_proxy_select_ident(skb); + break; ++ } + default: + tun->dev->stats.rx_frame_errors++; + kfree_skb(skb); +@@ -1180,7 +1195,6 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + skb_shinfo(skb)->tx_flags |= SKBTX_SHARED_FRAG; + } + +- skb_reset_network_header(skb); + skb_probe_transport_header(skb, 0); + + rxhash = skb_get_hash(skb); +@@ -1252,8 +1266,6 @@ static ssize_t tun_put_user(struct tun_struct *tun, + gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4; + else if (sinfo->gso_type & SKB_GSO_TCPV6) + gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6; +- else if (sinfo->gso_type & SKB_GSO_UDP) +- gso.gso_type = VIRTIO_NET_HDR_GSO_UDP; + else { + pr_err("unexpected GSO type: " + "0x%x, gso_size %d, hdr_len %d\n", +@@ -1783,11 +1795,6 @@ static int set_offload(struct tun_struct *tun, unsigned long arg) + features |= NETIF_F_TSO6; + arg &= ~(TUN_F_TSO4|TUN_F_TSO6); + } +- +- if (arg & TUN_F_UFO) { +- features |= NETIF_F_UFO; +- arg &= ~TUN_F_UFO; +- } + } + + /* This gives the user a way to test for new features in future by +diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c +index 054e59ca6946..8cee173eefb2 100644 +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -696,6 +696,7 @@ static int ax88179_set_mac_addr(struct net_device *net, void *p) + { + struct usbnet *dev = 
netdev_priv(net); + struct sockaddr *addr = p; ++ int ret; + + if (netif_running(net)) + return -EBUSY; +@@ -705,8 +706,12 @@ static int ax88179_set_mac_addr(struct net_device *net, void *p) + memcpy(net->dev_addr, addr->sa_data, ETH_ALEN); + + /* Set the MAC address */ +- return ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_NODE_ID, ETH_ALEN, ++ ret = ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_NODE_ID, ETH_ALEN, + ETH_ALEN, net->dev_addr); ++ if (ret < 0) ++ return ret; ++ ++ return 0; + } + + static const struct net_device_ops ax88179_netdev_ops = { +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 841b60831df1..07a3255fd3cc 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -496,8 +496,17 @@ static void receive_buf(struct receive_queue *rq, void *buf, unsigned int len) + skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4; + break; + case VIRTIO_NET_HDR_GSO_UDP: ++ { ++ static bool warned; ++ ++ if (!warned) { ++ warned = true; ++ netdev_warn(dev, ++ "host using disabled UFO feature; please fix it\n"); ++ } + skb_shinfo(skb)->gso_type = SKB_GSO_UDP; + break; ++ } + case VIRTIO_NET_HDR_GSO_TCPV6: + skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6; + break; +@@ -836,8 +845,6 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb) + hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_TCPV4; + else if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) + hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_TCPV6; +- else if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP) +- hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_UDP; + else + BUG(); + if (skb_shinfo(skb)->gso_type & SKB_GSO_TCP_ECN) +@@ -1657,7 +1664,7 @@ static int virtnet_probe(struct virtio_device *vdev) + dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST; + + if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) { +- dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO ++ dev->hw_features |= NETIF_F_TSO + | NETIF_F_TSO_ECN | NETIF_F_TSO6; + } + /* Individual feature bits: what can host handle? */ +@@ -1667,11 +1674,9 @@ static int virtnet_probe(struct virtio_device *vdev) + dev->hw_features |= NETIF_F_TSO6; + if (virtio_has_feature(vdev, VIRTIO_NET_F_HOST_ECN)) + dev->hw_features |= NETIF_F_TSO_ECN; +- if (virtio_has_feature(vdev, VIRTIO_NET_F_HOST_UFO)) +- dev->hw_features |= NETIF_F_UFO; + + if (gso) +- dev->features |= dev->hw_features & (NETIF_F_ALL_TSO|NETIF_F_UFO); ++ dev->features |= dev->hw_features & NETIF_F_ALL_TSO; + /* (!csum && gso) case will be fixed by register_netdev() */ + } + if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM)) +@@ -1711,8 +1716,7 @@ static int virtnet_probe(struct virtio_device *vdev) + /* If we can receive ANY GSO packets, we must allocate large ones. 
*/ + if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) || + virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6) || +- virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN) || +- virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_UFO)) ++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN)) + vi->big_packets = true; + + if (virtio_has_feature(vdev, VIRTIO_NET_F_MRG_RXBUF)) +@@ -1903,9 +1907,9 @@ static struct virtio_device_id id_table[] = { + static unsigned int features[] = { + VIRTIO_NET_F_CSUM, VIRTIO_NET_F_GUEST_CSUM, + VIRTIO_NET_F_GSO, VIRTIO_NET_F_MAC, +- VIRTIO_NET_F_HOST_TSO4, VIRTIO_NET_F_HOST_UFO, VIRTIO_NET_F_HOST_TSO6, ++ VIRTIO_NET_F_HOST_TSO4, VIRTIO_NET_F_HOST_TSO6, + VIRTIO_NET_F_HOST_ECN, VIRTIO_NET_F_GUEST_TSO4, VIRTIO_NET_F_GUEST_TSO6, +- VIRTIO_NET_F_GUEST_ECN, VIRTIO_NET_F_GUEST_UFO, ++ VIRTIO_NET_F_GUEST_ECN, + VIRTIO_NET_F_MRG_RXBUF, VIRTIO_NET_F_STATUS, VIRTIO_NET_F_CTRL_VQ, + VIRTIO_NET_F_CTRL_RX, VIRTIO_NET_F_CTRL_VLAN, + VIRTIO_NET_F_GUEST_ANNOUNCE, VIRTIO_NET_F_MQ, +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 9b40532041cb..0704a0402897 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1447,9 +1447,6 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb) + if (!in6_dev) + goto out; + +- if (!pskb_may_pull(skb, skb->len)) +- goto out; +- + iphdr = ipv6_hdr(skb); + saddr = &iphdr->saddr; + daddr = &iphdr->daddr; +@@ -1770,6 +1767,8 @@ static void vxlan_encap_bypass(struct sk_buff *skb, struct vxlan_dev *src_vxlan, + struct pcpu_sw_netstats *tx_stats, *rx_stats; + union vxlan_addr loopback; + union vxlan_addr *remote_ip = &dst_vxlan->default_dst.remote_ip; ++ struct net_device *dev = skb->dev; ++ int len = skb->len; + + tx_stats = this_cpu_ptr(src_vxlan->dev->tstats); + rx_stats = this_cpu_ptr(dst_vxlan->dev->tstats); +@@ -1793,16 +1792,16 @@ static void vxlan_encap_bypass(struct sk_buff *skb, struct vxlan_dev *src_vxlan, + + u64_stats_update_begin(&tx_stats->syncp); + tx_stats->tx_packets++; +- tx_stats->tx_bytes += skb->len; ++ tx_stats->tx_bytes += len; + u64_stats_update_end(&tx_stats->syncp); + + if (netif_rx(skb) == NET_RX_SUCCESS) { + u64_stats_update_begin(&rx_stats->syncp); + rx_stats->rx_packets++; +- rx_stats->rx_bytes += skb->len; ++ rx_stats->rx_bytes += len; + u64_stats_update_end(&rx_stats->syncp); + } else { +- skb->dev->stats.rx_dropped++; ++ dev->stats.rx_dropped++; + } + } + +@@ -1977,7 +1976,8 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + return arp_reduce(dev, skb); + #if IS_ENABLED(CONFIG_IPV6) + else if (ntohs(eth->h_proto) == ETH_P_IPV6 && +- skb->len >= sizeof(struct ipv6hdr) + sizeof(struct nd_msg) && ++ pskb_may_pull(skb, sizeof(struct ipv6hdr) ++ + sizeof(struct nd_msg)) && + ipv6_hdr(skb)->nexthdr == IPPROTO_ICMPV6) { + struct nd_msg *msg; + +@@ -1986,6 +1986,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + msg->icmph.icmp6_type == NDISC_NEIGHBOUR_SOLICITATION) + return neigh_reduce(dev, skb); + } ++ eth = eth_hdr(skb); + #endif + } + +diff --git a/drivers/net/wireless/iwlwifi/mvm/tx.c b/drivers/net/wireless/iwlwifi/mvm/tx.c +index 2ca62af3f81b..76ee486039d7 100644 +--- a/drivers/net/wireless/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/iwlwifi/mvm/tx.c +@@ -173,14 +173,10 @@ static void iwl_mvm_set_tx_cmd_rate(struct iwl_mvm *mvm, + + /* + * for data packets, rate info comes from the table inside the fw. This +- * table is controlled by LINK_QUALITY commands. 
Exclude ctrl port +- * frames like EAPOLs which should be treated as mgmt frames. This +- * avoids them being sent initially in high rates which increases the +- * chances for completion of the 4-Way handshake. ++ * table is controlled by LINK_QUALITY commands + */ + +- if (ieee80211_is_data(fc) && sta && +- !(info->control.flags & IEEE80211_TX_CTRL_PORT_CTRL_PROTO)) { ++ if (ieee80211_is_data(fc) && sta) { + tx_cmd->initial_rate_index = 0; + tx_cmd->tx_flags |= cpu_to_le32(TX_CMD_FLG_STA_RATE); + return; +diff --git a/drivers/net/wireless/rt2x00/rt2800.h b/drivers/net/wireless/rt2x00/rt2800.h +index 7cf6081a05a1..ebd5625d13f1 100644 +--- a/drivers/net/wireless/rt2x00/rt2800.h ++++ b/drivers/net/wireless/rt2x00/rt2800.h +@@ -52,6 +52,7 @@ + * RF5592 2.4G/5G 2T2R + * RF3070 2.4G 1T1R + * RF5360 2.4G 1T1R ++ * RF5362 2.4G 1T1R + * RF5370 2.4G 1T1R + * RF5390 2.4G 1T1R + */ +@@ -72,6 +73,7 @@ + #define RF3070 0x3070 + #define RF3290 0x3290 + #define RF5360 0x5360 ++#define RF5362 0x5362 + #define RF5370 0x5370 + #define RF5372 0x5372 + #define RF5390 0x5390 +@@ -2145,7 +2147,7 @@ struct mac_iveiv_entry { + /* Bits [7-4] for RF3320 (RT3370/RT3390), on other chipsets reserved */ + #define RFCSR3_PA1_BIAS_CCK FIELD8(0x70) + #define RFCSR3_PA2_CASCODE_BIAS_CCKK FIELD8(0x80) +-/* Bits for RF3290/RF5360/RF5370/RF5372/RF5390/RF5392 */ ++/* Bits for RF3290/RF5360/RF5362/RF5370/RF5372/RF5390/RF5392 */ + #define RFCSR3_VCOCAL_EN FIELD8(0x80) + /* Bits for RF3050 */ + #define RFCSR3_BIT1 FIELD8(0x02) +diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c +index 41d4a8167dc3..4e16d4da9d82 100644 +--- a/drivers/net/wireless/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/rt2x00/rt2800lib.c +@@ -3142,6 +3142,7 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, + break; + case RF3070: + case RF5360: ++ case RF5362: + case RF5370: + case RF5372: + case RF5390: +@@ -3159,6 +3160,7 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, + rt2x00_rf(rt2x00dev, RF3290) || + rt2x00_rf(rt2x00dev, RF3322) || + rt2x00_rf(rt2x00dev, RF5360) || ++ rt2x00_rf(rt2x00dev, RF5362) || + rt2x00_rf(rt2x00dev, RF5370) || + rt2x00_rf(rt2x00dev, RF5372) || + rt2x00_rf(rt2x00dev, RF5390) || +@@ -4273,6 +4275,7 @@ void rt2800_vco_calibration(struct rt2x00_dev *rt2x00dev) + case RF3070: + case RF3290: + case RF5360: ++ case RF5362: + case RF5370: + case RF5372: + case RF5390: +@@ -7073,6 +7076,7 @@ static int rt2800_init_eeprom(struct rt2x00_dev *rt2x00dev) + case RF3320: + case RF3322: + case RF5360: ++ case RF5362: + case RF5370: + case RF5372: + case RF5390: +@@ -7529,6 +7533,7 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev) + case RF3320: + case RF3322: + case RF5360: ++ case RF5362: + case RF5370: + case RF5372: + case RF5390: +@@ -7658,6 +7663,7 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev) + case RF3070: + case RF3290: + case RF5360: ++ case RF5362: + case RF5370: + case RF5372: + case RF5390: +diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c +index caddc1b427a9..57d3967de32f 100644 +--- a/drivers/net/wireless/rt2x00/rt2800usb.c ++++ b/drivers/net/wireless/rt2x00/rt2800usb.c +@@ -1062,6 +1062,7 @@ static struct usb_device_id rt2800usb_device_table[] = { + /* Ovislink */ + { USB_DEVICE(0x1b75, 0x3071) }, + { USB_DEVICE(0x1b75, 0x3072) }, ++ { USB_DEVICE(0x1b75, 0xa200) }, + /* Para */ + { USB_DEVICE(0x20b8, 0x8888) }, + /* Pegatron */ +@@ -1235,6 +1236,8 @@ static struct 
usb_device_id rt2800usb_device_table[] = { + /* Arcadyan */ + { USB_DEVICE(0x043e, 0x7a12) }, + { USB_DEVICE(0x043e, 0x7a32) }, ++ /* ASUS */ ++ { USB_DEVICE(0x0b05, 0x17e8) }, + /* Azurewave */ + { USB_DEVICE(0x13d3, 0x3329) }, + { USB_DEVICE(0x13d3, 0x3365) }, +@@ -1271,6 +1274,7 @@ static struct usb_device_id rt2800usb_device_table[] = { + { USB_DEVICE(0x057c, 0x8501) }, + /* Buffalo */ + { USB_DEVICE(0x0411, 0x0241) }, ++ { USB_DEVICE(0x0411, 0x0253) }, + /* D-Link */ + { USB_DEVICE(0x2001, 0x3c1a) }, + { USB_DEVICE(0x2001, 0x3c21) }, +@@ -1361,6 +1365,7 @@ static struct usb_device_id rt2800usb_device_table[] = { + { USB_DEVICE(0x0df6, 0x0053) }, + { USB_DEVICE(0x0df6, 0x0069) }, + { USB_DEVICE(0x0df6, 0x006f) }, ++ { USB_DEVICE(0x0df6, 0x0078) }, + /* SMC */ + { USB_DEVICE(0x083a, 0xa512) }, + { USB_DEVICE(0x083a, 0xc522) }, +diff --git a/drivers/of/base.c b/drivers/of/base.c +index 89e888a78899..3935614274eb 100644 +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -1117,52 +1117,6 @@ int of_property_read_string(struct device_node *np, const char *propname, + EXPORT_SYMBOL_GPL(of_property_read_string); + + /** +- * of_property_read_string_index - Find and read a string from a multiple +- * strings property. +- * @np: device node from which the property value is to be read. +- * @propname: name of the property to be searched. +- * @index: index of the string in the list of strings +- * @out_string: pointer to null terminated return string, modified only if +- * return value is 0. +- * +- * Search for a property in a device tree node and retrieve a null +- * terminated string value (pointer to data, not a copy) in the list of strings +- * contained in that property. +- * Returns 0 on success, -EINVAL if the property does not exist, -ENODATA if +- * property does not have a value, and -EILSEQ if the string is not +- * null-terminated within the length of the property data. +- * +- * The out_string pointer is modified only if a valid string can be decoded. +- */ +-int of_property_read_string_index(struct device_node *np, const char *propname, +- int index, const char **output) +-{ +- struct property *prop = of_find_property(np, propname, NULL); +- int i = 0; +- size_t l = 0, total = 0; +- const char *p; +- +- if (!prop) +- return -EINVAL; +- if (!prop->value) +- return -ENODATA; +- if (strnlen(prop->value, prop->length) >= prop->length) +- return -EILSEQ; +- +- p = prop->value; +- +- for (i = 0; total < prop->length; total += l, p += l) { +- l = strlen(p) + 1; +- if (i++ == index) { +- *output = p; +- return 0; +- } +- } +- return -ENODATA; +-} +-EXPORT_SYMBOL_GPL(of_property_read_string_index); +- +-/** + * of_property_match_string() - Find string in a list and return index + * @np: pointer to node containing string list property + * @propname: string list property name +@@ -1188,7 +1142,7 @@ int of_property_match_string(struct device_node *np, const char *propname, + end = p + prop->length; + + for (i = 0; p < end; i++, p += l) { +- l = strlen(p) + 1; ++ l = strnlen(p, end - p) + 1; + if (p + l > end) + return -EILSEQ; + pr_debug("comparing %s with %s\n", string, p); +@@ -1200,39 +1154,41 @@ int of_property_match_string(struct device_node *np, const char *propname, + EXPORT_SYMBOL_GPL(of_property_match_string); + + /** +- * of_property_count_strings - Find and return the number of strings from a +- * multiple strings property. ++ * of_property_read_string_util() - Utility helper for parsing string properties + * @np: device node from which the property value is to be read. 
+ * @propname: name of the property to be searched. ++ * @out_strs: output array of string pointers. ++ * @sz: number of array elements to read. ++ * @skip: Number of strings to skip over at beginning of list. + * +- * Search for a property in a device tree node and retrieve the number of null +- * terminated string contain in it. Returns the number of strings on +- * success, -EINVAL if the property does not exist, -ENODATA if property +- * does not have a value, and -EILSEQ if the string is not null-terminated +- * within the length of the property data. ++ * Don't call this function directly. It is a utility helper for the ++ * of_property_read_string*() family of functions. + */ +-int of_property_count_strings(struct device_node *np, const char *propname) ++int of_property_read_string_helper(struct device_node *np, const char *propname, ++ const char **out_strs, size_t sz, int skip) + { + struct property *prop = of_find_property(np, propname, NULL); +- int i = 0; +- size_t l = 0, total = 0; +- const char *p; ++ int l = 0, i = 0; ++ const char *p, *end; + + if (!prop) + return -EINVAL; + if (!prop->value) + return -ENODATA; +- if (strnlen(prop->value, prop->length) >= prop->length) +- return -EILSEQ; +- + p = prop->value; ++ end = p + prop->length; + +- for (i = 0; total < prop->length; total += l, p += l, i++) +- l = strlen(p) + 1; +- +- return i; ++ for (i = 0; p < end && (!out_strs || i < skip + sz); i++, p += l) { ++ l = strnlen(p, end - p) + 1; ++ if (p + l > end) ++ return -EILSEQ; ++ if (out_strs && i >= skip) ++ *out_strs++ = p; ++ } ++ i -= skip; ++ return i <= 0 ? -ENODATA : i; + } +-EXPORT_SYMBOL_GPL(of_property_count_strings); ++EXPORT_SYMBOL_GPL(of_property_read_string_helper); + + void of_print_phandle_args(const char *msg, const struct of_phandle_args *args) + { +diff --git a/drivers/of/selftest.c b/drivers/of/selftest.c +index 6643d1920985..70c61d75b75e 100644 +--- a/drivers/of/selftest.c ++++ b/drivers/of/selftest.c +@@ -132,8 +132,9 @@ static void __init of_selftest_parse_phandle_with_args(void) + selftest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc); + } + +-static void __init of_selftest_property_match_string(void) ++static void __init of_selftest_property_string(void) + { ++ const char *strings[4]; + struct device_node *np; + int rc; + +@@ -150,13 +151,66 @@ static void __init of_selftest_property_match_string(void) + rc = of_property_match_string(np, "phandle-list-names", "third"); + selftest(rc == 2, "third expected:0 got:%i\n", rc); + rc = of_property_match_string(np, "phandle-list-names", "fourth"); +- selftest(rc == -ENODATA, "unmatched string; rc=%i", rc); ++ selftest(rc == -ENODATA, "unmatched string; rc=%i\n", rc); + rc = of_property_match_string(np, "missing-property", "blah"); +- selftest(rc == -EINVAL, "missing property; rc=%i", rc); ++ selftest(rc == -EINVAL, "missing property; rc=%i\n", rc); + rc = of_property_match_string(np, "empty-property", "blah"); +- selftest(rc == -ENODATA, "empty property; rc=%i", rc); ++ selftest(rc == -ENODATA, "empty property; rc=%i\n", rc); + rc = of_property_match_string(np, "unterminated-string", "blah"); +- selftest(rc == -EILSEQ, "unterminated string; rc=%i", rc); ++ selftest(rc == -EILSEQ, "unterminated string; rc=%i\n", rc); ++ ++ /* of_property_count_strings() tests */ ++ rc = of_property_count_strings(np, "string-property"); ++ selftest(rc == 1, "Incorrect string count; rc=%i\n", rc); ++ rc = of_property_count_strings(np, "phandle-list-names"); ++ selftest(rc == 3, "Incorrect string count; rc=%i\n", rc); ++ rc 
= of_property_count_strings(np, "unterminated-string"); ++ selftest(rc == -EILSEQ, "unterminated string; rc=%i\n", rc); ++ rc = of_property_count_strings(np, "unterminated-string-list"); ++ selftest(rc == -EILSEQ, "unterminated string array; rc=%i\n", rc); ++ ++ /* of_property_read_string_index() tests */ ++ rc = of_property_read_string_index(np, "string-property", 0, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "foobar"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[0] = NULL; ++ rc = of_property_read_string_index(np, "string-property", 1, strings); ++ selftest(rc == -ENODATA && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc); ++ rc = of_property_read_string_index(np, "phandle-list-names", 0, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "first"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ rc = of_property_read_string_index(np, "phandle-list-names", 1, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "second"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ rc = of_property_read_string_index(np, "phandle-list-names", 2, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "third"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[0] = NULL; ++ rc = of_property_read_string_index(np, "phandle-list-names", 3, strings); ++ selftest(rc == -ENODATA && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[0] = NULL; ++ rc = of_property_read_string_index(np, "unterminated-string", 0, strings); ++ selftest(rc == -EILSEQ && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc); ++ rc = of_property_read_string_index(np, "unterminated-string-list", 0, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "first"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[0] = NULL; ++ rc = of_property_read_string_index(np, "unterminated-string-list", 2, strings); /* should fail */ ++ selftest(rc == -EILSEQ && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[1] = NULL; ++ ++ /* of_property_read_string_array() tests */ ++ rc = of_property_read_string_array(np, "string-property", strings, 4); ++ selftest(rc == 1, "Incorrect string count; rc=%i\n", rc); ++ rc = of_property_read_string_array(np, "phandle-list-names", strings, 4); ++ selftest(rc == 3, "Incorrect string count; rc=%i\n", rc); ++ rc = of_property_read_string_array(np, "unterminated-string", strings, 4); ++ selftest(rc == -EILSEQ, "unterminated string; rc=%i\n", rc); ++ /* -- An incorrectly formed string should cause a failure */ ++ rc = of_property_read_string_array(np, "unterminated-string-list", strings, 4); ++ selftest(rc == -EILSEQ, "unterminated string array; rc=%i\n", rc); ++ /* -- parsing the correctly formed strings should still work: */ ++ strings[2] = NULL; ++ rc = of_property_read_string_array(np, "unterminated-string-list", strings, 2); ++ selftest(rc == 2 && strings[2] == NULL, "of_property_read_string_array() failure; rc=%i\n", rc); ++ strings[1] = NULL; ++ rc = of_property_read_string_array(np, "phandle-list-names", strings, 1); ++ selftest(rc == 1 && strings[1] == NULL, "Overwrote end of string array; rc=%i, str='%s'\n", rc, strings[1]); + } + + static void __init of_selftest_parse_interrupts(void) +@@ -379,7 +433,7 @@ static int __init of_selftest(void) + + pr_info("start of selftest - you will see error messages\n"); + of_selftest_parse_phandle_with_args(); +- of_selftest_property_match_string(); ++ 
of_selftest_property_string(); + of_selftest_parse_interrupts(); + of_selftest_parse_interrupts_extended(); + of_selftest_match_node(); +diff --git a/drivers/of/testcase-data/tests-phandle.dtsi b/drivers/of/testcase-data/tests-phandle.dtsi +index 0007d3cd7dc2..eedee37d70d7 100644 +--- a/drivers/of/testcase-data/tests-phandle.dtsi ++++ b/drivers/of/testcase-data/tests-phandle.dtsi +@@ -32,7 +32,9 @@ + phandle-list-bad-args = <&provider2 1 0>, + <&provider3 0>; + empty-property; ++ string-property = "foobar"; + unterminated-string = [40 41 42 43]; ++ unterminated-string-list = "first", "second", [40 41 42 43]; + }; + }; + }; +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index 39a207abaa10..a943c6c0f206 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -186,9 +186,9 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr, + } + static DEVICE_ATTR_RO(modalias); + +-static ssize_t enabled_store(struct device *dev, +- struct device_attribute *attr, const char *buf, +- size_t count) ++static ssize_t enable_store(struct device *dev, ++ struct device_attribute *attr, const char *buf, ++ size_t count) + { + struct pci_dev *pdev = to_pci_dev(dev); + unsigned long val; +@@ -212,15 +212,15 @@ static ssize_t enabled_store(struct device *dev, + return result < 0 ? result : count; + } + +-static ssize_t enabled_show(struct device *dev, +- struct device_attribute *attr, char *buf) ++static ssize_t enable_show(struct device *dev, ++ struct device_attribute *attr, char *buf) + { + struct pci_dev *pdev; + + pdev = to_pci_dev (dev); + return sprintf (buf, "%u\n", atomic_read(&pdev->enable_cnt)); + } +-static DEVICE_ATTR_RW(enabled); ++static DEVICE_ATTR_RW(enable); + + #ifdef CONFIG_NUMA + static ssize_t +@@ -526,7 +526,7 @@ static struct attribute *pci_dev_attrs[] = { + #endif + &dev_attr_dma_mask_bits.attr, + &dev_attr_consistent_dma_mask_bits.attr, +- &dev_attr_enabled.attr, ++ &dev_attr_enable.attr, + &dev_attr_broken_parity_status.attr, + &dev_attr_msi_bus.attr, + #if defined(CONFIG_PM_RUNTIME) && defined(CONFIG_ACPI) +diff --git a/drivers/pinctrl/pinctrl-baytrail.c b/drivers/pinctrl/pinctrl-baytrail.c +index 665b96bc0c3a..eb9f1906952a 100644 +--- a/drivers/pinctrl/pinctrl-baytrail.c ++++ b/drivers/pinctrl/pinctrl-baytrail.c +@@ -263,7 +263,7 @@ static int byt_gpio_direction_output(struct gpio_chip *chip, + spin_lock_irqsave(&vg->lock, flags); + + reg_val = readl(reg) | BYT_DIR_MASK; +- reg_val &= ~BYT_OUTPUT_EN; ++ reg_val &= ~(BYT_OUTPUT_EN | BYT_INPUT_EN); + + if (value) + writel(reg_val | BYT_LEVEL, reg); +diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c +index c91f69b39db4..dcfcaea76048 100644 +--- a/drivers/platform/x86/acer-wmi.c ++++ b/drivers/platform/x86/acer-wmi.c +@@ -570,6 +570,17 @@ static const struct dmi_system_id video_vendor_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5750"), + }, + }, ++ { ++ /* ++ * Note no video_set_backlight_video_vendor, we must use the ++ * acer interface, as there is no native backlight interface. 
++ */ ++ .ident = "Acer KAV80", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "KAV80"), ++ }, ++ }, + {} + }; + +diff --git a/drivers/power/charger-manager.c b/drivers/power/charger-manager.c +index 9e4dab46eefd..ef1f4c928431 100644 +--- a/drivers/power/charger-manager.c ++++ b/drivers/power/charger-manager.c +@@ -1720,6 +1720,11 @@ static int charger_manager_probe(struct platform_device *pdev) + return -EINVAL; + } + ++ if (!desc->psy_fuel_gauge) { ++ dev_err(&pdev->dev, "No fuel gauge power supply defined\n"); ++ return -EINVAL; ++ } ++ + /* Counting index only */ + while (desc->psy_charger_stat[i]) + i++; +diff --git a/drivers/regulator/max77693.c b/drivers/regulator/max77693.c +index 5fb899f461d0..24c926bfe6d4 100644 +--- a/drivers/regulator/max77693.c ++++ b/drivers/regulator/max77693.c +@@ -232,7 +232,7 @@ static int max77693_pmic_probe(struct platform_device *pdev) + struct max77693_pmic_dev *max77693_pmic; + struct max77693_regulator_data *rdata = NULL; + int num_rdata, i; +- struct regulator_config config; ++ struct regulator_config config = { }; + + num_rdata = max77693_pmic_init_rdata(&pdev->dev, &rdata); + if (!rdata || num_rdata <= 0) { +diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +index 788c4fe2b0c9..9d81f7693f99 100644 +--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c ++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +@@ -707,7 +707,16 @@ static void tcm_qla2xxx_clear_nacl_from_fcport_map(struct qla_tgt_sess *sess) + pr_debug("fc_rport domain: port_id 0x%06x\n", nacl->nport_id); + + node = btree_remove32(&lport->lport_fcport_map, nacl->nport_id); +- WARN_ON(node && (node != se_nacl)); ++ if (WARN_ON(node && (node != se_nacl))) { ++ /* ++ * The nacl no longer matches what we think it should be. ++ * Most likely a new dynamic acl has been added while ++ * someone dropped the hardware lock. It clearly is a ++ * bug elsewhere, but this bit can't make things worse. 
++ */ ++ btree_insert32(&lport->lport_fcport_map, nacl->nport_id, ++ node, GFP_ATOMIC); ++ } + + pr_debug("Removed from fcport_map: %p for WWNN: 0x%016LX, port_id: 0x%06x\n", + se_nacl, nacl->nport_wwnn, nacl->nport_id); +diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c +index a25392065d9b..a5db6f930fa3 100644 +--- a/drivers/spi/spi-fsl-dspi.c ++++ b/drivers/spi/spi-fsl-dspi.c +@@ -45,7 +45,7 @@ + + #define SPI_TCR 0x08 + +-#define SPI_CTAR(x) (0x0c + (x * 4)) ++#define SPI_CTAR(x) (0x0c + (((x) & 0x3) * 4)) + #define SPI_CTAR_FMSZ(x) (((x) & 0x0000000f) << 27) + #define SPI_CTAR_CPOL(x) ((x) << 26) + #define SPI_CTAR_CPHA(x) ((x) << 25) +@@ -69,7 +69,7 @@ + + #define SPI_PUSHR 0x34 + #define SPI_PUSHR_CONT (1 << 31) +-#define SPI_PUSHR_CTAS(x) (((x) & 0x00000007) << 28) ++#define SPI_PUSHR_CTAS(x) (((x) & 0x00000003) << 28) + #define SPI_PUSHR_EOQ (1 << 27) + #define SPI_PUSHR_CTCNT (1 << 26) + #define SPI_PUSHR_PCS(x) (((1 << x) & 0x0000003f) << 16) +diff --git a/drivers/spi/spi-pl022.c b/drivers/spi/spi-pl022.c +index 2789b452e711..971855e859c7 100644 +--- a/drivers/spi/spi-pl022.c ++++ b/drivers/spi/spi-pl022.c +@@ -1075,7 +1075,7 @@ err_rxdesc: + pl022->sgt_tx.nents, DMA_TO_DEVICE); + err_tx_sgmap: + dma_unmap_sg(rxchan->device->dev, pl022->sgt_rx.sgl, +- pl022->sgt_tx.nents, DMA_FROM_DEVICE); ++ pl022->sgt_rx.nents, DMA_FROM_DEVICE); + err_rx_sgmap: + sg_free_table(&pl022->sgt_tx); + err_alloc_tx_sg: +diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c +index ced9ecffa163..7ab3ccb592eb 100644 +--- a/drivers/spi/spi-pxa2xx.c ++++ b/drivers/spi/spi-pxa2xx.c +@@ -1280,7 +1280,9 @@ static int pxa2xx_spi_suspend(struct device *dev) + if (status != 0) + return status; + write_SSCR0(0, drv_data->ioaddr); +- clk_disable_unprepare(ssp->clk); ++ ++ if (!pm_runtime_suspended(dev)) ++ clk_disable_unprepare(ssp->clk); + + return 0; + } +@@ -1294,7 +1296,8 @@ static int pxa2xx_spi_resume(struct device *dev) + pxa2xx_spi_dma_resume(drv_data); + + /* Enable the SSP clock */ +- clk_prepare_enable(ssp->clk); ++ if (!pm_runtime_suspended(dev)) ++ clk_prepare_enable(ssp->clk); + + /* Restore LPSS private register bits */ + lpss_ssp_setup(drv_data); +diff --git a/drivers/staging/iio/impedance-analyzer/ad5933.c b/drivers/staging/iio/impedance-analyzer/ad5933.c +index 2b96665da8a2..97d4b3fb7e95 100644 +--- a/drivers/staging/iio/impedance-analyzer/ad5933.c ++++ b/drivers/staging/iio/impedance-analyzer/ad5933.c +@@ -115,6 +115,7 @@ static const struct iio_chan_spec ad5933_channels[] = { + .channel = 0, + .info_mask_separate = BIT(IIO_CHAN_INFO_PROCESSED), + .address = AD5933_REG_TEMP_DATA, ++ .scan_index = -1, + .scan_type = { + .sign = 's', + .realbits = 14, +@@ -124,9 +125,7 @@ static const struct iio_chan_spec ad5933_channels[] = { + .type = IIO_VOLTAGE, + .indexed = 1, + .channel = 0, +- .extend_name = "real_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW) | +- BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "real", + .address = AD5933_REG_REAL_DATA, + .scan_index = 0, + .scan_type = { +@@ -138,9 +137,7 @@ static const struct iio_chan_spec ad5933_channels[] = { + .type = IIO_VOLTAGE, + .indexed = 1, + .channel = 0, +- .extend_name = "imag_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW) | +- BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "imag", + .address = AD5933_REG_IMAG_DATA, + .scan_index = 1, + .scan_type = { +@@ -748,14 +745,14 @@ static int ad5933_probe(struct i2c_client *client, + indio_dev->name = id->name; + indio_dev->modes = INDIO_DIRECT_MODE; + 
indio_dev->channels = ad5933_channels; +- indio_dev->num_channels = 1; /* only register temp0_input */ ++ indio_dev->num_channels = ARRAY_SIZE(ad5933_channels); + + ret = ad5933_register_ring_funcs_and_init(indio_dev); + if (ret) + goto error_disable_reg; + +- /* skip temp0_input, register in0_(real|imag)_raw */ +- ret = iio_buffer_register(indio_dev, &ad5933_channels[1], 2); ++ ret = iio_buffer_register(indio_dev, ad5933_channels, ++ ARRAY_SIZE(ad5933_channels)); + if (ret) + goto error_unreg_ring; + +diff --git a/drivers/staging/iio/meter/ade7758.h b/drivers/staging/iio/meter/ade7758.h +index 07318203a836..e8c98cf57070 100644 +--- a/drivers/staging/iio/meter/ade7758.h ++++ b/drivers/staging/iio/meter/ade7758.h +@@ -119,7 +119,6 @@ struct ade7758_state { + u8 *tx; + u8 *rx; + struct mutex buf_lock; +- const struct iio_chan_spec *ade7758_ring_channels; + struct spi_transfer ring_xfer[4]; + struct spi_message ring_msg; + /* +diff --git a/drivers/staging/iio/meter/ade7758_core.c b/drivers/staging/iio/meter/ade7758_core.c +index cba183e24838..94d9914a602c 100644 +--- a/drivers/staging/iio/meter/ade7758_core.c ++++ b/drivers/staging/iio/meter/ade7758_core.c +@@ -630,9 +630,6 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_VOLTAGE, + .indexed = 1, + .channel = 0, +- .extend_name = "raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .address = AD7758_WT(AD7758_PHASE_A, AD7758_VOLTAGE), + .scan_index = 0, + .scan_type = { +@@ -644,9 +641,6 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_CURRENT, + .indexed = 1, + .channel = 0, +- .extend_name = "raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .address = AD7758_WT(AD7758_PHASE_A, AD7758_CURRENT), + .scan_index = 1, + .scan_type = { +@@ -658,9 +652,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 0, +- .extend_name = "apparent_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "apparent", + .address = AD7758_WT(AD7758_PHASE_A, AD7758_APP_PWR), + .scan_index = 2, + .scan_type = { +@@ -672,9 +664,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 0, +- .extend_name = "active_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "active", + .address = AD7758_WT(AD7758_PHASE_A, AD7758_ACT_PWR), + .scan_index = 3, + .scan_type = { +@@ -686,9 +676,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 0, +- .extend_name = "reactive_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "reactive", + .address = AD7758_WT(AD7758_PHASE_A, AD7758_REACT_PWR), + .scan_index = 4, + .scan_type = { +@@ -700,9 +688,6 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_VOLTAGE, + .indexed = 1, + .channel = 1, +- .extend_name = "raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .address = AD7758_WT(AD7758_PHASE_B, AD7758_VOLTAGE), + .scan_index = 5, + .scan_type = { +@@ -714,9 +699,6 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_CURRENT, + .indexed = 1, + .channel = 1, +- 
.extend_name = "raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .address = AD7758_WT(AD7758_PHASE_B, AD7758_CURRENT), + .scan_index = 6, + .scan_type = { +@@ -728,9 +710,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 1, +- .extend_name = "apparent_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "apparent", + .address = AD7758_WT(AD7758_PHASE_B, AD7758_APP_PWR), + .scan_index = 7, + .scan_type = { +@@ -742,9 +722,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 1, +- .extend_name = "active_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "active", + .address = AD7758_WT(AD7758_PHASE_B, AD7758_ACT_PWR), + .scan_index = 8, + .scan_type = { +@@ -756,9 +734,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 1, +- .extend_name = "reactive_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "reactive", + .address = AD7758_WT(AD7758_PHASE_B, AD7758_REACT_PWR), + .scan_index = 9, + .scan_type = { +@@ -770,9 +746,6 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_VOLTAGE, + .indexed = 1, + .channel = 2, +- .extend_name = "raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .address = AD7758_WT(AD7758_PHASE_C, AD7758_VOLTAGE), + .scan_index = 10, + .scan_type = { +@@ -784,9 +757,6 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_CURRENT, + .indexed = 1, + .channel = 2, +- .extend_name = "raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .address = AD7758_WT(AD7758_PHASE_C, AD7758_CURRENT), + .scan_index = 11, + .scan_type = { +@@ -798,9 +768,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 2, +- .extend_name = "apparent_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "apparent", + .address = AD7758_WT(AD7758_PHASE_C, AD7758_APP_PWR), + .scan_index = 12, + .scan_type = { +@@ -812,9 +780,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 2, +- .extend_name = "active_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "active", + .address = AD7758_WT(AD7758_PHASE_C, AD7758_ACT_PWR), + .scan_index = 13, + .scan_type = { +@@ -826,9 +792,7 @@ static const struct iio_chan_spec ade7758_channels[] = { + .type = IIO_POWER, + .indexed = 1, + .channel = 2, +- .extend_name = "reactive_raw", +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), ++ .extend_name = "reactive", + .address = AD7758_WT(AD7758_PHASE_C, AD7758_REACT_PWR), + .scan_index = 14, + .scan_type = { +@@ -869,13 +833,14 @@ static int ade7758_probe(struct spi_device *spi) + goto error_free_rx; + } + st->us = spi; +- st->ade7758_ring_channels = &ade7758_channels[0]; + mutex_init(&st->buf_lock); + + indio_dev->name = spi->dev.driver->name; + 
indio_dev->dev.parent = &spi->dev; + indio_dev->info = &ade7758_info; + indio_dev->modes = INDIO_DIRECT_MODE; ++ indio_dev->channels = ade7758_channels; ++ indio_dev->num_channels = ARRAY_SIZE(ade7758_channels); + + ret = ade7758_configure_ring(indio_dev); + if (ret) +diff --git a/drivers/staging/iio/meter/ade7758_ring.c b/drivers/staging/iio/meter/ade7758_ring.c +index c0accf8cce93..6e9006490742 100644 +--- a/drivers/staging/iio/meter/ade7758_ring.c ++++ b/drivers/staging/iio/meter/ade7758_ring.c +@@ -85,17 +85,16 @@ static irqreturn_t ade7758_trigger_handler(int irq, void *p) + **/ + static int ade7758_ring_preenable(struct iio_dev *indio_dev) + { +- struct ade7758_state *st = iio_priv(indio_dev); + unsigned channel; + +- if (!bitmap_empty(indio_dev->active_scan_mask, indio_dev->masklength)) ++ if (bitmap_empty(indio_dev->active_scan_mask, indio_dev->masklength)) + return -EINVAL; + + channel = find_first_bit(indio_dev->active_scan_mask, + indio_dev->masklength); + + ade7758_write_waveform_type(&indio_dev->dev, +- st->ade7758_ring_channels[channel].address); ++ indio_dev->channels[channel].address); + + return 0; + } +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index 6ea95d216eb8..38b4be24d13f 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -1409,7 +1409,8 @@ int core_dev_add_initiator_node_lun_acl( + * Check to see if there are any existing persistent reservation APTPL + * pre-registrations that need to be enabled for this LUN ACL.. + */ +- core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, lacl); ++ core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, nacl, ++ lacl->mapped_lun); + return 0; + } + +diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c +index 3013287a2aaa..1205dbd4f83d 100644 +--- a/drivers/target/target_core_pr.c ++++ b/drivers/target/target_core_pr.c +@@ -944,10 +944,10 @@ int core_scsi3_check_aptpl_registration( + struct se_device *dev, + struct se_portal_group *tpg, + struct se_lun *lun, +- struct se_lun_acl *lun_acl) ++ struct se_node_acl *nacl, ++ u32 mapped_lun) + { +- struct se_node_acl *nacl = lun_acl->se_lun_nacl; +- struct se_dev_entry *deve = nacl->device_list[lun_acl->mapped_lun]; ++ struct se_dev_entry *deve = nacl->device_list[mapped_lun]; + + if (dev->dev_reservation_flags & DRF_SPC2_RESERVATIONS) + return 0; +diff --git a/drivers/target/target_core_pr.h b/drivers/target/target_core_pr.h +index 2ee2936fa0bd..749fd7bb7510 100644 +--- a/drivers/target/target_core_pr.h ++++ b/drivers/target/target_core_pr.h +@@ -60,7 +60,7 @@ extern int core_scsi3_alloc_aptpl_registration( + unsigned char *, u16, u32, int, int, u8); + extern int core_scsi3_check_aptpl_registration(struct se_device *, + struct se_portal_group *, struct se_lun *, +- struct se_lun_acl *); ++ struct se_node_acl *, u32); + extern void core_scsi3_free_pr_reg_from_nacl(struct se_device *, + struct se_node_acl *); + extern void core_scsi3_free_all_registrations(struct se_device *); +diff --git a/drivers/target/target_core_tpg.c b/drivers/target/target_core_tpg.c +index c036595b17cf..fb8a1a12dda9 100644 +--- a/drivers/target/target_core_tpg.c ++++ b/drivers/target/target_core_tpg.c +@@ -40,6 +40,7 @@ + #include + + #include "target_core_internal.h" ++#include "target_core_pr.h" + + extern struct se_device *g_lun0_dev; + +@@ -166,6 +167,13 @@ void core_tpg_add_node_to_devs( + + core_enable_device_list_for_node(lun, NULL, lun->unpacked_lun, + lun_access, acl, tpg); 
++ /* ++ * Check to see if there are any existing persistent reservation ++ * APTPL pre-registrations that need to be enabled for this dynamic ++ * LUN ACL now.. ++ */ ++ core_scsi3_check_aptpl_registration(dev, tpg, lun, acl, ++ lun->unpacked_lun); + spin_lock(&tpg->tpg_lun_lock); + } + spin_unlock(&tpg->tpg_lun_lock); +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 24f527977ddb..9232c7738ed1 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1855,8 +1855,7 @@ static void transport_complete_qf(struct se_cmd *cmd) + if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) { + trace_target_cmd_complete(cmd); + ret = cmd->se_tfo->queue_status(cmd); +- if (ret) +- goto out; ++ goto out; + } + + switch (cmd->data_direction) { +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index 25b8f6868788..27b5554e20d9 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -353,7 +353,7 @@ uart_get_baud_rate(struct uart_port *port, struct ktermios *termios, + * The spd_hi, spd_vhi, spd_shi, spd_warp kludge... + * Die! Die! Die! + */ +- if (baud == 38400) ++ if (try == 0 && baud == 38400) + baud = altbaud; + + /* +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index d3448a90f0f9..25d07412e08e 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1701,6 +1701,7 @@ int tty_release(struct inode *inode, struct file *filp) + int pty_master, tty_closing, o_tty_closing, do_sleep; + int idx; + char buf[64]; ++ long timeout = 0; + + if (tty_paranoia_check(tty, inode, __func__)) + return 0; +@@ -1785,7 +1786,11 @@ int tty_release(struct inode *inode, struct file *filp) + __func__, tty_name(tty, buf)); + tty_unlock_pair(tty, o_tty); + mutex_unlock(&tty_mutex); +- schedule(); ++ schedule_timeout_killable(timeout); ++ if (timeout < 120 * HZ) ++ timeout = 2 * timeout + 1; ++ else ++ timeout = MAX_SCHEDULE_TIMEOUT; + } + + /* +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index eabccd45f4e8..331f06a91cc3 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -965,11 +965,12 @@ static void acm_tty_set_termios(struct tty_struct *tty, + /* FIXME: Needs to clear unsupported bits in the termios */ + acm->clocal = ((termios->c_cflag & CLOCAL) != 0); + +- if (!newline.dwDTERate) { ++ if (C_BAUD(tty) == B0) { + newline.dwDTERate = acm->line.dwDTERate; + newctrl &= ~ACM_CTRL_DTR; +- } else ++ } else if (termios_old && (termios_old->c_cflag & CBAUD) == B0) { + newctrl |= ACM_CTRL_DTR; ++ } + + if (newctrl != acm->ctrlout) + acm_set_control(acm, acm->ctrlout = newctrl); +@@ -1672,6 +1673,7 @@ static const struct usb_device_id acm_ids[] = { + { USB_DEVICE(0x0572, 0x1328), /* Shiro / Aztech USB MODEM UM-3100 */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, ++ { USB_DEVICE(0x2184, 0x001c) }, /* GW Instek AFG-2225 */ + { USB_DEVICE(0x22b8, 0x6425), /* Motorola MOTOMAGX phones */ + }, + /* Motorola H24 HSPA module: */ +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index 2518c3250750..ef6ec13b6ae5 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -2057,6 +2057,8 @@ int usb_alloc_streams(struct usb_interface *interface, + return -EINVAL; + if (dev->speed != USB_SPEED_SUPER) + return -EINVAL; ++ if (dev->state < USB_STATE_CONFIGURED) ++ return -ENODEV; + + /* Streams only apply to bulk endpoints. 
*/ + for (i = 0; i < num_eps; i++) +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 445d62a4316a..d2bd9d7c8f4b 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -4378,6 +4378,9 @@ check_highspeed (struct usb_hub *hub, struct usb_device *udev, int port1) + struct usb_qualifier_descriptor *qual; + int status; + ++ if (udev->quirks & USB_QUIRK_DEVICE_QUALIFIER) ++ return; ++ + qual = kmalloc (sizeof *qual, GFP_KERNEL); + if (qual == NULL) + return; +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 5144d11d032c..c85459338991 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -93,6 +93,16 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x04e8, 0x6601), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, + ++ /* Elan Touchscreen */ ++ { USB_DEVICE(0x04f3, 0x0089), .driver_info = ++ USB_QUIRK_DEVICE_QUALIFIER }, ++ ++ { USB_DEVICE(0x04f3, 0x009b), .driver_info = ++ USB_QUIRK_DEVICE_QUALIFIER }, ++ ++ { USB_DEVICE(0x04f3, 0x016f), .driver_info = ++ USB_QUIRK_DEVICE_QUALIFIER }, ++ + /* Roland SC-8820 */ + { USB_DEVICE(0x0582, 0x0007), .driver_info = USB_QUIRK_RESET_RESUME }, + +diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c +index 21a352079bc2..0985ff715c0c 100644 +--- a/drivers/usb/dwc3/ep0.c ++++ b/drivers/usb/dwc3/ep0.c +@@ -251,7 +251,7 @@ static void dwc3_ep0_stall_and_restart(struct dwc3 *dwc) + + /* stall is always issued on EP0 */ + dep = dwc->eps[0]; +- __dwc3_gadget_ep_set_halt(dep, 1); ++ __dwc3_gadget_ep_set_halt(dep, 1, false); + dep->flags = DWC3_EP_ENABLED; + dwc->delayed_status = false; + +@@ -461,7 +461,7 @@ static int dwc3_ep0_handle_feature(struct dwc3 *dwc, + return -EINVAL; + if (set == 0 && (dep->flags & DWC3_EP_WEDGE)) + break; +- ret = __dwc3_gadget_ep_set_halt(dep, set); ++ ret = __dwc3_gadget_ep_set_halt(dep, set, true); + if (ret) + return -EINVAL; + break; +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 09e9619ae381..d90c70c23adb 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -532,12 +532,11 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep, + if (!usb_endpoint_xfer_isoc(desc)) + return 0; + +- memset(&trb_link, 0, sizeof(trb_link)); +- + /* Link TRB for ISOC. 
The HWO bit is never reset */ + trb_st_hw = &dep->trb_pool[0]; + + trb_link = &dep->trb_pool[DWC3_TRB_NUM - 1]; ++ memset(trb_link, 0, sizeof(*trb_link)); + + trb_link->bpl = lower_32_bits(dwc3_trb_dma_offset(dep, trb_st_hw)); + trb_link->bph = upper_32_bits(dwc3_trb_dma_offset(dep, trb_st_hw)); +@@ -588,7 +587,7 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep) + + /* make sure HW endpoint isn't stalled */ + if (dep->flags & DWC3_EP_STALL) +- __dwc3_gadget_ep_set_halt(dep, 0); ++ __dwc3_gadget_ep_set_halt(dep, 0, false); + + reg = dwc3_readl(dwc->regs, DWC3_DALEPENA); + reg &= ~DWC3_DALEPENA_EP(dep->number); +@@ -1186,7 +1185,7 @@ out0: + return ret; + } + +-int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value) ++int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol) + { + struct dwc3_gadget_ep_cmd_params params; + struct dwc3 *dwc = dep->dwc; +@@ -1195,6 +1194,14 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value) + memset(¶ms, 0x00, sizeof(params)); + + if (value) { ++ if (!protocol && ((dep->direction && dep->flags & DWC3_EP_BUSY) || ++ (!list_empty(&dep->req_queued) || ++ !list_empty(&dep->request_list)))) { ++ dev_dbg(dwc->dev, "%s: pending request, cannot halt\n", ++ dep->name); ++ return -EAGAIN; ++ } ++ + ret = dwc3_send_gadget_ep_cmd(dwc, dep->number, + DWC3_DEPCMD_SETSTALL, ¶ms); + if (ret) +@@ -1234,7 +1241,7 @@ static int dwc3_gadget_ep_set_halt(struct usb_ep *ep, int value) + goto out; + } + +- ret = __dwc3_gadget_ep_set_halt(dep, value); ++ ret = __dwc3_gadget_ep_set_halt(dep, value, false); + out: + spin_unlock_irqrestore(&dwc->lock, flags); + +@@ -1254,7 +1261,7 @@ static int dwc3_gadget_ep_set_wedge(struct usb_ep *ep) + if (dep->number == 0 || dep->number == 1) + return dwc3_gadget_ep0_set_halt(ep, 1); + else +- return dwc3_gadget_ep_set_halt(ep, 1); ++ return __dwc3_gadget_ep_set_halt(dep, 1, false); + } + + /* -------------------------------------------------------------------------- */ +diff --git a/drivers/usb/dwc3/gadget.h b/drivers/usb/dwc3/gadget.h +index a0ee75b68a80..ac62558231be 100644 +--- a/drivers/usb/dwc3/gadget.h ++++ b/drivers/usb/dwc3/gadget.h +@@ -85,7 +85,7 @@ void dwc3_ep0_out_start(struct dwc3 *dwc); + int dwc3_gadget_ep0_set_halt(struct usb_ep *ep, int value); + int dwc3_gadget_ep0_queue(struct usb_ep *ep, struct usb_request *request, + gfp_t gfp_flags); +-int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value); ++int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol); + + /** + * dwc3_gadget_ep_get_transfer_index - Gets transfer index from HW +diff --git a/drivers/usb/gadget/f_acm.c b/drivers/usb/gadget/f_acm.c +index ab1065afbbd0..3384486c2884 100644 +--- a/drivers/usb/gadget/f_acm.c ++++ b/drivers/usb/gadget/f_acm.c +@@ -430,11 +430,12 @@ static int acm_set_alt(struct usb_function *f, unsigned intf, unsigned alt) + if (acm->notify->driver_data) { + VDBG(cdev, "reset acm control interface %d\n", intf); + usb_ep_disable(acm->notify); +- } else { +- VDBG(cdev, "init acm ctrl interface %d\n", intf); ++ } ++ ++ if (!acm->notify->desc) + if (config_ep_by_speed(cdev->gadget, f, acm->notify)) + return -EINVAL; +- } ++ + usb_ep_enable(acm->notify); + acm->notify->driver_data = acm; + +diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c +index 5bcf7d001259..afd0a159fe61 100644 +--- a/drivers/usb/gadget/f_fs.c ++++ b/drivers/usb/gadget/f_fs.c +@@ -1995,8 +1995,6 @@ static inline struct f_fs_opts *ffs_do_functionfs_bind(struct usb_function *f, + func->conf = c; + 
func->gadget = c->cdev->gadget; + +- ffs_data_get(func->ffs); +- + /* + * in drivers/usb/gadget/configfs.c:configfs_composite_bind() + * configurations are bound in sequence with list_for_each_entry, +diff --git a/drivers/usb/gadget/udc-core.c b/drivers/usb/gadget/udc-core.c +index 27768a7d986a..9ce0b135c8c8 100644 +--- a/drivers/usb/gadget/udc-core.c ++++ b/drivers/usb/gadget/udc-core.c +@@ -456,6 +456,11 @@ static ssize_t usb_udc_softconn_store(struct device *dev, + { + struct usb_udc *udc = container_of(dev, struct usb_udc, dev); + ++ if (!udc->driver) { ++ dev_err(dev, "soft-connect without a gadget driver\n"); ++ return -EOPNOTSUPP; ++ } ++ + if (sysfs_streq(buf, "connect")) { + usb_gadget_udc_start(udc->gadget, udc->driver); + usb_gadget_connect(udc->gadget); +diff --git a/drivers/usb/musb/musb_cppi41.c b/drivers/usb/musb/musb_cppi41.c +index c2d5afc57e22..1d29bbfeb9d5 100644 +--- a/drivers/usb/musb/musb_cppi41.c ++++ b/drivers/usb/musb/musb_cppi41.c +@@ -190,7 +190,8 @@ static enum hrtimer_restart cppi41_recheck_tx_req(struct hrtimer *timer) + } + } + +- if (!list_empty(&controller->early_tx_list)) { ++ if (!list_empty(&controller->early_tx_list) && ++ !hrtimer_is_queued(&controller->early_tx)) { + ret = HRTIMER_RESTART; + hrtimer_forward_now(&controller->early_tx, + ktime_set(0, 150 * NSEC_PER_USEC)); +diff --git a/drivers/usb/musb/musb_dsps.c b/drivers/usb/musb/musb_dsps.c +index 85f5215871de..865243e818b7 100644 +--- a/drivers/usb/musb/musb_dsps.c ++++ b/drivers/usb/musb/musb_dsps.c +@@ -733,7 +733,9 @@ static int dsps_resume(struct device *dev) + dsps_writel(mbase, wrp->mode, glue->context.mode); + dsps_writel(mbase, wrp->tx_mode, glue->context.tx_mode); + dsps_writel(mbase, wrp->rx_mode, glue->context.rx_mode); +- setup_timer(&glue->timer, otg_timer, (unsigned long) musb); ++ if (musb->xceiv->state == OTG_STATE_B_IDLE && ++ musb->port_mode == MUSB_PORT_MODE_DUAL_ROLE) ++ mod_timer(&glue->timer, jiffies + wrp->poll_seconds * HZ); + + return 0; + } +diff --git a/drivers/usb/phy/phy.c b/drivers/usb/phy/phy.c +index 8afa813d690b..0180eef05656 100644 +--- a/drivers/usb/phy/phy.c ++++ b/drivers/usb/phy/phy.c +@@ -229,6 +229,9 @@ struct usb_phy *usb_get_phy_dev(struct device *dev, u8 index) + phy = __usb_find_phy_dev(dev, &phy_bind_list, index); + if (IS_ERR(phy) || !try_module_get(phy->dev->driver->owner)) { + dev_dbg(dev, "unable to find transceiver\n"); ++ if (!IS_ERR(phy)) ++ phy = ERR_PTR(-ENODEV); ++ + goto err0; + } + +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 63b2af2a87c0..3beae723ad3a 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -155,6 +155,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */ + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ + { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ ++ { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */ + { USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */ + { USB_DEVICE(0x1D6F, 0x0010) }, /* Seluxit ApS RF Dongle */ + { USB_DEVICE(0x1E29, 0x0102) }, /* Festo CPX-USB */ +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 3614620e09e1..a523adad6380 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -145,6 +145,7 @@ static struct ftdi_sio_quirk ftdi_8u2232c_quirk = { + * /sys/bus/usb-serial/drivers/ftdi_sio/new_id and send a patch or report. 
+ */ + static const struct usb_device_id id_table_combined[] = { ++ { USB_DEVICE(FTDI_VID, FTDI_BRICK_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_ZEITCONTROL_TAGTRACE_MIFARE_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CTI_MINI_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CTI_NANO_PID) }, +@@ -674,6 +675,8 @@ static const struct usb_device_id id_table_combined[] = { + { USB_DEVICE(FTDI_VID, XSENS_CONVERTER_5_PID) }, + { USB_DEVICE(FTDI_VID, XSENS_CONVERTER_6_PID) }, + { USB_DEVICE(FTDI_VID, XSENS_CONVERTER_7_PID) }, ++ { USB_DEVICE(XSENS_VID, XSENS_AWINDA_DONGLE_PID) }, ++ { USB_DEVICE(XSENS_VID, XSENS_AWINDA_STATION_PID) }, + { USB_DEVICE(XSENS_VID, XSENS_CONVERTER_PID) }, + { USB_DEVICE(XSENS_VID, XSENS_MTW_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_OMNI1509) }, +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 5937b2d242f2..6786b705ccf6 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -30,6 +30,12 @@ + + /*** third-party PIDs (using FTDI_VID) ***/ + ++/* ++ * Certain versions of the official Windows FTDI driver reprogrammed ++ * counterfeit FTDI devices to PID 0. Support these devices anyway. ++ */ ++#define FTDI_BRICK_PID 0x0000 ++ + #define FTDI_LUMEL_PD12_PID 0x6002 + + /* +@@ -143,8 +149,12 @@ + * Xsens Technologies BV products (http://www.xsens.com). + */ + #define XSENS_VID 0x2639 +-#define XSENS_CONVERTER_PID 0xD00D /* Xsens USB-serial converter */ ++#define XSENS_AWINDA_STATION_PID 0x0101 ++#define XSENS_AWINDA_DONGLE_PID 0x0102 + #define XSENS_MTW_PID 0x0200 /* Xsens MTw */ ++#define XSENS_CONVERTER_PID 0xD00D /* Xsens USB-serial converter */ ++ ++/* Xsens devices using FTDI VID */ + #define XSENS_CONVERTER_0_PID 0xD388 /* Xsens USB converter */ + #define XSENS_CONVERTER_1_PID 0xD389 /* Xsens Wireless Receiver */ + #define XSENS_CONVERTER_2_PID 0xD38A +diff --git a/drivers/usb/serial/kobil_sct.c b/drivers/usb/serial/kobil_sct.c +index 618c1c1f227e..5cdb32b37e85 100644 +--- a/drivers/usb/serial/kobil_sct.c ++++ b/drivers/usb/serial/kobil_sct.c +@@ -335,7 +335,8 @@ static int kobil_write(struct tty_struct *tty, struct usb_serial_port *port, + port->interrupt_out_urb->transfer_buffer_length = length; + + priv->cur_pos = priv->cur_pos + length; +- result = usb_submit_urb(port->interrupt_out_urb, GFP_NOIO); ++ result = usb_submit_urb(port->interrupt_out_urb, ++ GFP_ATOMIC); + dev_dbg(&port->dev, "%s - Send write URB returns: %i\n", __func__, result); + todo = priv->filled - priv->cur_pos; + +@@ -350,7 +351,7 @@ static int kobil_write(struct tty_struct *tty, struct usb_serial_port *port, + if (priv->device_type == KOBIL_ADAPTER_B_PRODUCT_ID || + priv->device_type == KOBIL_ADAPTER_K_PRODUCT_ID) { + result = usb_submit_urb(port->interrupt_in_urb, +- GFP_NOIO); ++ GFP_ATOMIC); + dev_dbg(&port->dev, "%s - Send read URB returns: %i\n", __func__, result); + } + } +diff --git a/drivers/usb/serial/opticon.c b/drivers/usb/serial/opticon.c +index 4856fb7e637e..4b7bfb394a32 100644 +--- a/drivers/usb/serial/opticon.c ++++ b/drivers/usb/serial/opticon.c +@@ -215,7 +215,7 @@ static int opticon_write(struct tty_struct *tty, struct usb_serial_port *port, + + /* The connected devices do not have a bulk write endpoint, + * to transmit data to de barcode device the control endpoint is used */ +- dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_NOIO); ++ dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_ATOMIC); + if (!dr) { + count = -ENOMEM; + goto error_no_dr; +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 
e47aabe0c760..8b3484134ab0 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -269,6 +269,7 @@ static void option_instat_callback(struct urb *urb); + #define TELIT_PRODUCT_DE910_DUAL 0x1010 + #define TELIT_PRODUCT_UE910_V2 0x1012 + #define TELIT_PRODUCT_LE920 0x1200 ++#define TELIT_PRODUCT_LE910 0x1201 + + /* ZTE PRODUCTS */ + #define ZTE_VENDOR_ID 0x19d2 +@@ -361,6 +362,7 @@ static void option_instat_callback(struct urb *urb); + + /* Haier products */ + #define HAIER_VENDOR_ID 0x201e ++#define HAIER_PRODUCT_CE81B 0x10f8 + #define HAIER_PRODUCT_CE100 0x2009 + + /* Cinterion (formerly Siemens) products */ +@@ -588,6 +590,11 @@ static const struct option_blacklist_info zte_1255_blacklist = { + .reserved = BIT(3) | BIT(4), + }; + ++static const struct option_blacklist_info telit_le910_blacklist = { ++ .sendsetup = BIT(0), ++ .reserved = BIT(1) | BIT(2), ++}; ++ + static const struct option_blacklist_info telit_le920_blacklist = { + .sendsetup = BIT(0), + .reserved = BIT(1) | BIT(5), +@@ -1137,6 +1144,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_SINGLE) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), ++ .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), + .driver_info = (kernel_ulong_t)&telit_le920_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ +@@ -1612,6 +1621,7 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) }, + { USB_DEVICE(HAIER_VENDOR_ID, HAIER_PRODUCT_CE100) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(HAIER_VENDOR_ID, HAIER_PRODUCT_CE81B, 0xff, 0xff, 0xff) }, + /* Pirelli */ + { USB_DEVICE_INTERFACE_CLASS(PIRELLI_VENDOR_ID, PIRELLI_PRODUCT_C100_1, 0xff) }, + { USB_DEVICE_INTERFACE_CLASS(PIRELLI_VENDOR_ID, PIRELLI_PRODUCT_C100_2, 0xff) }, +diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c +index 22c7d4360fa2..b1d815eb6d0b 100644 +--- a/drivers/usb/storage/transport.c ++++ b/drivers/usb/storage/transport.c +@@ -1118,6 +1118,31 @@ int usb_stor_Bulk_transport(struct scsi_cmnd *srb, struct us_data *us) + */ + if (result == USB_STOR_XFER_LONG) + fake_sense = 1; ++ ++ /* ++ * Sometimes a device will mistakenly skip the data phase ++ * and go directly to the status phase without sending a ++ * zero-length packet. If we get a 13-byte response here, ++ * check whether it really is a CSW. 
++ */ ++ if (result == USB_STOR_XFER_SHORT && ++ srb->sc_data_direction == DMA_FROM_DEVICE && ++ transfer_length - scsi_get_resid(srb) == ++ US_BULK_CS_WRAP_LEN) { ++ struct scatterlist *sg = NULL; ++ unsigned int offset = 0; ++ ++ if (usb_stor_access_xfer_buf((unsigned char *) bcs, ++ US_BULK_CS_WRAP_LEN, srb, &sg, ++ &offset, FROM_XFER_BUF) == ++ US_BULK_CS_WRAP_LEN && ++ bcs->Signature == ++ cpu_to_le32(US_BULK_CS_SIGN)) { ++ usb_stor_dbg(us, "Device skipped data phase\n"); ++ scsi_set_resid(srb, transfer_length); ++ goto skipped_data_phase; ++ } ++ } + } + + /* See flow chart on pg 15 of the Bulk Only Transport spec for +@@ -1153,6 +1178,7 @@ int usb_stor_Bulk_transport(struct scsi_cmnd *srb, struct us_data *us) + if (result != USB_STOR_XFER_GOOD) + return USB_STOR_TRANSPORT_ERROR; + ++ skipped_data_phase: + /* check bulk status */ + residue = le32_to_cpu(bcs->Residue); + usb_stor_dbg(us, "Bulk Status S 0x%x T 0x%x R %u Stat 0x%x\n", +diff --git a/drivers/video/console/bitblit.c b/drivers/video/console/bitblit.c +index 61b182bf32a2..dbfe4eecf12e 100644 +--- a/drivers/video/console/bitblit.c ++++ b/drivers/video/console/bitblit.c +@@ -205,7 +205,6 @@ static void bit_putcs(struct vc_data *vc, struct fb_info *info, + static void bit_clear_margins(struct vc_data *vc, struct fb_info *info, + int bottom_only) + { +- int bgshift = (vc->vc_hi_font_mask) ? 13 : 12; + unsigned int cw = vc->vc_font.width; + unsigned int ch = vc->vc_font.height; + unsigned int rw = info->var.xres - (vc->vc_cols*cw); +@@ -214,7 +213,7 @@ static void bit_clear_margins(struct vc_data *vc, struct fb_info *info, + unsigned int bs = info->var.yres - bh; + struct fb_fillrect region; + +- region.color = attr_bgcol_ec(bgshift, vc, info); ++ region.color = 0; + region.rop = ROP_COPY; + + if (rw && !bottom_only) { +diff --git a/drivers/video/console/fbcon_ccw.c b/drivers/video/console/fbcon_ccw.c +index 41b32ae23dac..5a3cbf6dff4d 100644 +--- a/drivers/video/console/fbcon_ccw.c ++++ b/drivers/video/console/fbcon_ccw.c +@@ -197,9 +197,8 @@ static void ccw_clear_margins(struct vc_data *vc, struct fb_info *info, + unsigned int bh = info->var.xres - (vc->vc_rows*ch); + unsigned int bs = vc->vc_rows*ch; + struct fb_fillrect region; +- int bgshift = (vc->vc_hi_font_mask) ? 13 : 12; + +- region.color = attr_bgcol_ec(bgshift,vc,info); ++ region.color = 0; + region.rop = ROP_COPY; + + if (rw && !bottom_only) { +diff --git a/drivers/video/console/fbcon_cw.c b/drivers/video/console/fbcon_cw.c +index a93670ef7f89..e7ee44db4e98 100644 +--- a/drivers/video/console/fbcon_cw.c ++++ b/drivers/video/console/fbcon_cw.c +@@ -180,9 +180,8 @@ static void cw_clear_margins(struct vc_data *vc, struct fb_info *info, + unsigned int bh = info->var.xres - (vc->vc_rows*ch); + unsigned int rs = info->var.yres - rw; + struct fb_fillrect region; +- int bgshift = (vc->vc_hi_font_mask) ? 13 : 12; + +- region.color = attr_bgcol_ec(bgshift,vc,info); ++ region.color = 0; + region.rop = ROP_COPY; + + if (rw && !bottom_only) { +diff --git a/drivers/video/console/fbcon_ud.c b/drivers/video/console/fbcon_ud.c +index ff0872c0498b..19e3714abfe8 100644 +--- a/drivers/video/console/fbcon_ud.c ++++ b/drivers/video/console/fbcon_ud.c +@@ -227,9 +227,8 @@ static void ud_clear_margins(struct vc_data *vc, struct fb_info *info, + unsigned int rw = info->var.xres - (vc->vc_cols*cw); + unsigned int bh = info->var.yres - (vc->vc_rows*ch); + struct fb_fillrect region; +- int bgshift = (vc->vc_hi_font_mask) ? 
13 : 12; + +- region.color = attr_bgcol_ec(bgshift,vc,info); ++ region.color = 0; + region.rop = ROP_COPY; + + if (rw && !bottom_only) { +diff --git a/drivers/virtio/virtio_pci.c b/drivers/virtio/virtio_pci.c +index a416f9b2a7f6..827b5f8e6297 100644 +--- a/drivers/virtio/virtio_pci.c ++++ b/drivers/virtio/virtio_pci.c +@@ -791,6 +791,7 @@ static int virtio_pci_restore(struct device *dev) + struct pci_dev *pci_dev = to_pci_dev(dev); + struct virtio_pci_device *vp_dev = pci_get_drvdata(pci_dev); + struct virtio_driver *drv; ++ unsigned status = 0; + int ret; + + drv = container_of(vp_dev->vdev.dev.driver, +@@ -801,14 +802,40 @@ static int virtio_pci_restore(struct device *dev) + return ret; + + pci_set_master(pci_dev); ++ /* We always start by resetting the device, in case a previous ++ * driver messed it up. */ ++ vp_reset(&vp_dev->vdev); ++ ++ /* Acknowledge that we've seen the device. */ ++ status |= VIRTIO_CONFIG_S_ACKNOWLEDGE; ++ vp_set_status(&vp_dev->vdev, status); ++ ++ /* Maybe driver failed before freeze. ++ * Restore the failed status, for debugging. */ ++ status |= vp_dev->saved_status & VIRTIO_CONFIG_S_FAILED; ++ vp_set_status(&vp_dev->vdev, status); ++ ++ if (!drv) ++ return 0; ++ ++ /* We have a driver! */ ++ status |= VIRTIO_CONFIG_S_DRIVER; ++ vp_set_status(&vp_dev->vdev, status); ++ + vp_finalize_features(&vp_dev->vdev); + +- if (drv && drv->restore) ++ if (drv->restore) { + ret = drv->restore(&vp_dev->vdev); ++ if (ret) { ++ status |= VIRTIO_CONFIG_S_FAILED; ++ vp_set_status(&vp_dev->vdev, status); ++ return ret; ++ } ++ } + + /* Finally, tell the device we're all set */ +- if (!ret) +- vp_set_status(&vp_dev->vdev, vp_dev->saved_status); ++ status |= VIRTIO_CONFIG_S_DRIVER_OK; ++ vp_set_status(&vp_dev->vdev, status); + + return ret; + } +diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c +index ca248b0687f4..196b089b0052 100644 +--- a/fs/btrfs/file-item.c ++++ b/fs/btrfs/file-item.c +@@ -423,7 +423,7 @@ int btrfs_lookup_csums_range(struct btrfs_root *root, u64 start, u64 end, + ret = 0; + fail: + while (ret < 0 && !list_empty(&tmplist)) { +- sums = list_entry(&tmplist, struct btrfs_ordered_sum, list); ++ sums = list_entry(tmplist.next, struct btrfs_ordered_sum, list); + list_del(&sums->list); + kfree(sums); + } +diff --git a/fs/buffer.c b/fs/buffer.c +index 71e2d0ed8530..4d06a573d199 100644 +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -2077,6 +2077,7 @@ int generic_write_end(struct file *file, struct address_space *mapping, + struct page *page, void *fsdata) + { + struct inode *inode = mapping->host; ++ loff_t old_size = inode->i_size; + int i_size_changed = 0; + + copied = block_write_end(file, mapping, pos, len, copied, page, fsdata); +@@ -2096,6 +2097,8 @@ int generic_write_end(struct file *file, struct address_space *mapping, + unlock_page(page); + page_cache_release(page); + ++ if (old_size < pos) ++ pagecache_isize_extended(inode, old_size, pos); + /* + * Don't mark the inode dirty under page lock. First, it unnecessarily + * makes the holding time of page lock longer. 
Second, it forces lock +@@ -2313,6 +2316,11 @@ static int cont_expand_zero(struct file *file, struct address_space *mapping, + err = 0; + + balance_dirty_pages_ratelimited(mapping); ++ ++ if (unlikely(fatal_signal_pending(current))) { ++ err = -EINTR; ++ goto out; ++ } + } + + /* page covers the boundary, find the boundary offset */ +diff --git a/fs/dcache.c b/fs/dcache.c +index 58d57da91d2a..436612777203 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -2824,6 +2824,9 @@ static int prepend(char **buffer, int *buflen, const char *str, int namelen) + * the beginning of the name. The sequence number check at the caller will + * retry it again when a d_move() does happen. So any garbage in the buffer + * due to mismatched pointer and length will be discarded. ++ * ++ * Data dependency barrier is needed to make sure that we see that terminating ++ * NUL. Alpha strikes again, film at 11... + */ + static int prepend_name(char **buffer, int *buflen, struct qstr *name) + { +@@ -2831,6 +2834,8 @@ static int prepend_name(char **buffer, int *buflen, struct qstr *name) + u32 dlen = ACCESS_ONCE(name->len); + char *p; + ++ smp_read_barrier_depends(); ++ + *buflen -= dlen + 1; + if (*buflen < 0) + return -ENAMETOOLONG; +diff --git a/fs/ext3/super.c b/fs/ext3/super.c +index 37fd31ed16e7..0498390f309e 100644 +--- a/fs/ext3/super.c ++++ b/fs/ext3/super.c +@@ -1354,13 +1354,6 @@ set_qf_format: + "not specified."); + return 0; + } +- } else { +- if (sbi->s_jquota_fmt) { +- ext3_msg(sb, KERN_ERR, "error: journaled quota format " +- "specified with no journaling " +- "enabled."); +- return 0; +- } + } + #endif + return 1; +diff --git a/fs/ext4/bitmap.c b/fs/ext4/bitmap.c +index 3285aa5a706a..b610779a958c 100644 +--- a/fs/ext4/bitmap.c ++++ b/fs/ext4/bitmap.c +@@ -24,8 +24,7 @@ int ext4_inode_bitmap_csum_verify(struct super_block *sb, ext4_group_t group, + __u32 provided, calculated; + struct ext4_sb_info *sbi = EXT4_SB(sb); + +- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(sb)) + return 1; + + provided = le16_to_cpu(gdp->bg_inode_bitmap_csum_lo); +@@ -46,8 +45,7 @@ void ext4_inode_bitmap_csum_set(struct super_block *sb, ext4_group_t group, + __u32 csum; + struct ext4_sb_info *sbi = EXT4_SB(sb); + +- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(sb)) + return; + + csum = ext4_chksum(sbi, sbi->s_csum_seed, (__u8 *)bh->b_data, sz); +@@ -65,8 +63,7 @@ int ext4_block_bitmap_csum_verify(struct super_block *sb, ext4_group_t group, + struct ext4_sb_info *sbi = EXT4_SB(sb); + int sz = EXT4_CLUSTERS_PER_GROUP(sb) / 8; + +- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(sb)) + return 1; + + provided = le16_to_cpu(gdp->bg_block_bitmap_csum_lo); +@@ -91,8 +88,7 @@ void ext4_block_bitmap_csum_set(struct super_block *sb, ext4_group_t group, + __u32 csum; + struct ext4_sb_info *sbi = EXT4_SB(sb); + +- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(sb)) + return; + + csum = ext4_chksum(sbi, sbi->s_csum_seed, (__u8 *)bh->b_data, sz); +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 62f024c051ce..2a6830a7af33 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2110,6 +2110,7 @@ int do_journal_get_write_access(handle_t *handle, + #define CONVERT_INLINE_DATA 2 + + extern struct inode *ext4_iget(struct super_block *, unsigned long); ++extern struct inode *ext4_iget_normal(struct 
super_block *, unsigned long); + extern int ext4_write_inode(struct inode *, struct writeback_control *); + extern int ext4_setattr(struct dentry *, struct iattr *); + extern int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry, +@@ -2340,10 +2341,18 @@ extern int ext4_register_li_request(struct super_block *sb, + static inline int ext4_has_group_desc_csum(struct super_block *sb) + { + return EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_GDT_CSUM | +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM); ++ EXT4_FEATURE_RO_COMPAT_GDT_CSUM) || ++ (EXT4_SB(sb)->s_chksum_driver != NULL); + } + ++static inline int ext4_has_metadata_csum(struct super_block *sb) ++{ ++ WARN_ON_ONCE(EXT4_HAS_RO_COMPAT_FEATURE(sb, ++ EXT4_FEATURE_RO_COMPAT_METADATA_CSUM) && ++ !EXT4_SB(sb)->s_chksum_driver); ++ ++ return (EXT4_SB(sb)->s_chksum_driver != NULL); ++} + static inline ext4_fsblk_t ext4_blocks_count(struct ext4_super_block *es) + { + return ((ext4_fsblk_t)le32_to_cpu(es->s_blocks_count_hi) << 32) | +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 47188916dd8d..96a1ce159f51 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -74,8 +74,7 @@ static int ext4_extent_block_csum_verify(struct inode *inode, + { + struct ext4_extent_tail *et; + +- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(inode->i_sb)) + return 1; + + et = find_ext4_extent_tail(eh); +@@ -89,8 +88,7 @@ static void ext4_extent_block_csum_set(struct inode *inode, + { + struct ext4_extent_tail *et; + +- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(inode->i_sb)) + return; + + et = find_ext4_extent_tail(eh); +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index 64bb32f17903..a8d1a64d8cb0 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -864,6 +864,10 @@ got: + struct buffer_head *block_bitmap_bh; + + block_bitmap_bh = ext4_read_block_bitmap(sb, group); ++ if (!block_bitmap_bh) { ++ err = -EIO; ++ goto out; ++ } + BUFFER_TRACE(block_bitmap_bh, "get block bitmap access"); + err = ext4_journal_get_write_access(handle, block_bitmap_bh); + if (err) { +@@ -988,8 +992,7 @@ got: + spin_unlock(&sbi->s_next_gen_lock); + + /* Precompute checksum seed for inode metadata */ +- if (EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) { ++ if (ext4_has_metadata_csum(sb)) { + __u32 csum; + __le32 inum = cpu_to_le32(inode->i_ino); + __le32 gen = cpu_to_le32(inode->i_generation); +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 82edf5b93352..8c03b747021b 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1128,8 +1128,7 @@ static int ext4_finish_convert_inline_dir(handle_t *handle, + memcpy((void *)de, buf + EXT4_INLINE_DOTDOT_SIZE, + inline_size - EXT4_INLINE_DOTDOT_SIZE); + +- if (EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (ext4_has_metadata_csum(inode->i_sb)) + csum_size = sizeof(struct ext4_dir_entry_tail); + + inode->i_size = inode->i_sb->s_blocksize; +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index b56062dc8b62..3a7e0341447f 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -83,8 +83,7 @@ static int ext4_inode_csum_verify(struct inode *inode, struct ext4_inode *raw, + + if (EXT4_SB(inode->i_sb)->s_es->s_creator_os != + cpu_to_le32(EXT4_OS_LINUX) || +- !EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ !ext4_has_metadata_csum(inode->i_sb)) + return 1; + + 
provided = le16_to_cpu(raw->i_checksum_lo); +@@ -105,8 +104,7 @@ static void ext4_inode_csum_set(struct inode *inode, struct ext4_inode *raw, + + if (EXT4_SB(inode->i_sb)->s_es->s_creator_os != + cpu_to_le32(EXT4_OS_LINUX) || +- !EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ !ext4_has_metadata_csum(inode->i_sb)) + return; + + csum = ext4_inode_csum(inode, raw, ei); +@@ -2633,6 +2631,20 @@ static int ext4_nonda_switch(struct super_block *sb) + return 0; + } + ++/* We always reserve for an inode update; the superblock could be there too */ ++static int ext4_da_write_credits(struct inode *inode, loff_t pos, unsigned len) ++{ ++ if (likely(EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, ++ EXT4_FEATURE_RO_COMPAT_LARGE_FILE))) ++ return 1; ++ ++ if (pos + len <= 0x7fffffffULL) ++ return 1; ++ ++ /* We might need to update the superblock to set LARGE_FILE */ ++ return 2; ++} ++ + static int ext4_da_write_begin(struct file *file, struct address_space *mapping, + loff_t pos, unsigned len, unsigned flags, + struct page **pagep, void **fsdata) +@@ -2683,7 +2695,8 @@ retry_grab: + * of file which has an already mapped buffer. + */ + retry_journal: +- handle = ext4_journal_start(inode, EXT4_HT_WRITE_PAGE, 1); ++ handle = ext4_journal_start(inode, EXT4_HT_WRITE_PAGE, ++ ext4_da_write_credits(inode, pos, len)); + if (IS_ERR(handle)) { + page_cache_release(page); + return PTR_ERR(handle); +@@ -4061,8 +4074,7 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) + ei->i_extra_isize = 0; + + /* Precompute checksum seed for inode metadata */ +- if (EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) { ++ if (ext4_has_metadata_csum(sb)) { + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + __u32 csum; + __le32 inum = cpu_to_le32(inode->i_ino); +@@ -4250,6 +4262,13 @@ bad_inode: + return ERR_PTR(ret); + } + ++struct inode *ext4_iget_normal(struct super_block *sb, unsigned long ino) ++{ ++ if (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO) ++ return ERR_PTR(-EIO); ++ return ext4_iget(sb, ino); ++} ++ + static int ext4_inode_blocks_set(handle_t *handle, + struct ext4_inode *raw_inode, + struct ext4_inode_info *ei) +@@ -4645,8 +4664,12 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr) + ext4_orphan_del(NULL, inode); + goto err_out; + } +- } else ++ } else { ++ loff_t oldsize = inode->i_size; ++ + i_size_write(inode, attr->ia_size); ++ pagecache_isize_extended(inode, oldsize, inode->i_size); ++ } + + /* + * Blocks are going to be removed from the inode. 
Wait +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index a2a837f00407..dfe982dee0b3 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -343,8 +343,7 @@ flags_out: + if (!inode_owner_or_capable(inode)) + return -EPERM; + +- if (EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) { ++ if (ext4_has_metadata_csum(inode->i_sb)) { + ext4_warning(sb, "Setting inode version is not " + "supported with metadata_csum enabled."); + return -ENOTTY; +@@ -544,9 +543,17 @@ group_add_out: + } + + case EXT4_IOC_SWAP_BOOT: ++ { ++ int err; + if (!(filp->f_mode & FMODE_WRITE)) + return -EBADF; +- return swap_inode_boot_loader(sb, inode); ++ err = mnt_want_write_file(filp); ++ if (err) ++ return err; ++ err = swap_inode_boot_loader(sb, inode); ++ mnt_drop_write_file(filp); ++ return err; ++ } + + case EXT4_IOC_RESIZE_FS: { + ext4_fsblk_t n_blocks_count; +diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c +index 04434ad3e8e0..1268a1b5afa9 100644 +--- a/fs/ext4/mmp.c ++++ b/fs/ext4/mmp.c +@@ -20,8 +20,7 @@ static __le32 ext4_mmp_csum(struct super_block *sb, struct mmp_struct *mmp) + + int ext4_mmp_csum_verify(struct super_block *sb, struct mmp_struct *mmp) + { +- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(sb)) + return 1; + + return mmp->mmp_checksum == ext4_mmp_csum(sb, mmp); +@@ -29,8 +28,7 @@ int ext4_mmp_csum_verify(struct super_block *sb, struct mmp_struct *mmp) + + void ext4_mmp_csum_set(struct super_block *sb, struct mmp_struct *mmp) + { +- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(sb)) + return; + + mmp->mmp_checksum = ext4_mmp_csum(sb, mmp); +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index d050e043e884..2dcbfb6245d8 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -123,8 +123,7 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode, + "directory leaf block found instead of index block"); + return ERR_PTR(-EIO); + } +- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM) || ++ if (!ext4_has_metadata_csum(inode->i_sb) || + buffer_verified(bh)) + return bh; + +@@ -339,8 +338,7 @@ int ext4_dirent_csum_verify(struct inode *inode, struct ext4_dir_entry *dirent) + { + struct ext4_dir_entry_tail *t; + +- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(inode->i_sb)) + return 1; + + t = get_dirent_tail(inode, dirent); +@@ -361,8 +359,7 @@ static void ext4_dirent_csum_set(struct inode *inode, + { + struct ext4_dir_entry_tail *t; + +- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(inode->i_sb)) + return; + + t = get_dirent_tail(inode, dirent); +@@ -437,8 +434,7 @@ static int ext4_dx_csum_verify(struct inode *inode, + struct dx_tail *t; + int count_offset, limit, count; + +- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(inode->i_sb)) + return 1; + + c = get_dx_countlimit(inode, dirent, &count_offset); +@@ -467,8 +463,7 @@ static void ext4_dx_csum_set(struct inode *inode, struct ext4_dir_entry *dirent) + struct dx_tail *t; + int count_offset, limit, count; + +- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(inode->i_sb)) + return; + + c = get_dx_countlimit(inode, dirent, &count_offset); +@@ -556,8 +551,7 @@ static 
inline unsigned dx_root_limit(struct inode *dir, unsigned infosize) + unsigned entry_space = dir->i_sb->s_blocksize - EXT4_DIR_REC_LEN(1) - + EXT4_DIR_REC_LEN(2) - infosize; + +- if (EXT4_HAS_RO_COMPAT_FEATURE(dir->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (ext4_has_metadata_csum(dir->i_sb)) + entry_space -= sizeof(struct dx_tail); + return entry_space / sizeof(struct dx_entry); + } +@@ -566,8 +560,7 @@ static inline unsigned dx_node_limit(struct inode *dir) + { + unsigned entry_space = dir->i_sb->s_blocksize - EXT4_DIR_REC_LEN(0); + +- if (EXT4_HAS_RO_COMPAT_FEATURE(dir->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (ext4_has_metadata_csum(dir->i_sb)) + entry_space -= sizeof(struct dx_tail); + return entry_space / sizeof(struct dx_entry); + } +@@ -1429,7 +1422,7 @@ static struct dentry *ext4_lookup(struct inode *dir, struct dentry *dentry, unsi + dentry); + return ERR_PTR(-EIO); + } +- inode = ext4_iget(dir->i_sb, ino); ++ inode = ext4_iget_normal(dir->i_sb, ino); + if (inode == ERR_PTR(-ESTALE)) { + EXT4_ERROR_INODE(dir, + "deleted inode referenced: %u", +@@ -1460,7 +1453,7 @@ struct dentry *ext4_get_parent(struct dentry *child) + return ERR_PTR(-EIO); + } + +- return d_obtain_alias(ext4_iget(child->d_inode->i_sb, ino)); ++ return d_obtain_alias(ext4_iget_normal(child->d_inode->i_sb, ino)); + } + + /* +@@ -1534,8 +1527,7 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, + int csum_size = 0; + int err = 0, i; + +- if (EXT4_HAS_RO_COMPAT_FEATURE(dir->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (ext4_has_metadata_csum(dir->i_sb)) + csum_size = sizeof(struct ext4_dir_entry_tail); + + bh2 = ext4_append(handle, dir, &newblock); +@@ -1704,8 +1696,7 @@ static int add_dirent_to_buf(handle_t *handle, struct dentry *dentry, + int csum_size = 0; + int err; + +- if (EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (ext4_has_metadata_csum(inode->i_sb)) + csum_size = sizeof(struct ext4_dir_entry_tail); + + if (!de) { +@@ -1772,8 +1763,7 @@ static int make_indexed_dir(handle_t *handle, struct dentry *dentry, + struct fake_dirent *fde; + int csum_size = 0; + +- if (EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (ext4_has_metadata_csum(inode->i_sb)) + csum_size = sizeof(struct ext4_dir_entry_tail); + + blocksize = dir->i_sb->s_blocksize; +@@ -1889,8 +1879,7 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry, + ext4_lblk_t block, blocks; + int csum_size = 0; + +- if (EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (ext4_has_metadata_csum(inode->i_sb)) + csum_size = sizeof(struct ext4_dir_entry_tail); + + sb = dir->i_sb; +@@ -2152,8 +2141,7 @@ static int ext4_delete_entry(handle_t *handle, + return err; + } + +- if (EXT4_HAS_RO_COMPAT_FEATURE(dir->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (ext4_has_metadata_csum(dir->i_sb)) + csum_size = sizeof(struct ext4_dir_entry_tail); + + BUFFER_TRACE(bh, "get_write_access"); +@@ -2372,8 +2360,7 @@ static int ext4_init_new_dir(handle_t *handle, struct inode *dir, + int csum_size = 0; + int err; + +- if (EXT4_HAS_RO_COMPAT_FEATURE(dir->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (ext4_has_metadata_csum(dir->i_sb)) + csum_size = sizeof(struct ext4_dir_entry_tail); + + if (ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)) { +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index f3b84cd9de56..2400ad1c3d12 100644 +--- a/fs/ext4/resize.c ++++ 
b/fs/ext4/resize.c +@@ -1071,7 +1071,7 @@ static void update_backups(struct super_block *sb, int blk_off, char *data, + break; + + if (meta_bg == 0) +- backup_block = group * bpg + blk_off; ++ backup_block = ((ext4_fsblk_t)group) * bpg + blk_off; + else + backup_block = (ext4_group_first_block_no(sb, group) + + ext4_bg_has_super(sb, group)); +@@ -1200,8 +1200,7 @@ static int ext4_set_bitmap_checksums(struct super_block *sb, + { + struct buffer_head *bh; + +- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(sb)) + return 0; + + bh = ext4_get_bitmap(sb, group_data->inode_bitmap); +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index a46030d6b4af..9fb3e6c0c578 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -140,8 +140,7 @@ static __le32 ext4_superblock_csum(struct super_block *sb, + int ext4_superblock_csum_verify(struct super_block *sb, + struct ext4_super_block *es) + { +- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(sb)) + return 1; + + return es->s_checksum == ext4_superblock_csum(sb, es); +@@ -151,8 +150,7 @@ void ext4_superblock_csum_set(struct super_block *sb) + { + struct ext4_super_block *es = EXT4_SB(sb)->s_es; + +- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(sb)) + return; + + es->s_checksum = ext4_superblock_csum(sb, es); +@@ -996,7 +994,7 @@ static struct inode *ext4_nfs_get_inode(struct super_block *sb, + * Currently we don't know the generation for parent directory, so + * a generation of 0 means "accept any" + */ +- inode = ext4_iget(sb, ino); ++ inode = ext4_iget_normal(sb, ino); + if (IS_ERR(inode)) + return ERR_CAST(inode); + if (generation && inode->i_generation != generation) { +@@ -1706,13 +1704,6 @@ static int parse_options(char *options, struct super_block *sb, + "not specified"); + return 0; + } +- } else { +- if (sbi->s_jquota_fmt) { +- ext4_msg(sb, KERN_ERR, "journaled quota format " +- "specified with no journaling " +- "enabled"); +- return 0; +- } + } + #endif + if (test_opt(sb, DIOREAD_NOLOCK)) { +@@ -2010,8 +2001,7 @@ static __le16 ext4_group_desc_csum(struct ext4_sb_info *sbi, __u32 block_group, + __u16 crc = 0; + __le32 le_group = cpu_to_le32(block_group); + +- if ((sbi->s_es->s_feature_ro_compat & +- cpu_to_le32(EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))) { ++ if (ext4_has_metadata_csum(sbi->s_sb)) { + /* Use new metadata_csum algorithm */ + __le16 save_csum; + __u32 csum32; +@@ -2029,6 +2019,10 @@ static __le16 ext4_group_desc_csum(struct ext4_sb_info *sbi, __u32 block_group, + } + + /* old crc16 code */ ++ if (!(sbi->s_es->s_feature_ro_compat & ++ cpu_to_le32(EXT4_FEATURE_RO_COMPAT_GDT_CSUM))) ++ return 0; ++ + offset = offsetof(struct ext4_group_desc, bg_checksum); + + crc = crc16(~0, sbi->s_es->s_uuid, sizeof(sbi->s_es->s_uuid)); +@@ -3167,8 +3161,7 @@ static int set_journal_csum_feature_set(struct super_block *sb) + int compat, incompat; + struct ext4_sb_info *sbi = EXT4_SB(sb); + +- if (EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) { ++ if (ext4_has_metadata_csum(sb)) { + /* journal checksum v3 */ + compat = 0; + incompat = JBD2_FEATURE_INCOMPAT_CSUM_V3; +@@ -3475,8 +3468,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + } + + /* Precompute checksum seed for all metadata */ +- if (EXT4_HAS_RO_COMPAT_FEATURE(sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (ext4_has_metadata_csum(sb)) + 
sbi->s_csum_seed = ext4_chksum(sbi, ~0, es->s_uuid, + sizeof(es->s_uuid)); + +@@ -3494,6 +3486,10 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + #ifdef CONFIG_EXT4_FS_POSIX_ACL + set_opt(sb, POSIX_ACL); + #endif ++ /* don't forget to enable journal_csum when metadata_csum is enabled. */ ++ if (ext4_has_metadata_csum(sb)) ++ set_opt(sb, JOURNAL_CHECKSUM); ++ + if ((def_mount_opts & EXT4_DEFM_JMODE) == EXT4_DEFM_JMODE_DATA) + set_opt(sb, JOURNAL_DATA); + else if ((def_mount_opts & EXT4_DEFM_JMODE) == EXT4_DEFM_JMODE_ORDERED) +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 55e611c1513c..8825154b20b6 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -141,8 +141,7 @@ static int ext4_xattr_block_csum_verify(struct inode *inode, + sector_t block_nr, + struct ext4_xattr_header *hdr) + { +- if (EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM) && ++ if (ext4_has_metadata_csum(inode->i_sb) && + (hdr->h_checksum != ext4_xattr_block_csum(inode, block_nr, hdr))) + return 0; + return 1; +@@ -152,8 +151,7 @@ static void ext4_xattr_block_csum_set(struct inode *inode, + sector_t block_nr, + struct ext4_xattr_header *hdr) + { +- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb, +- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) ++ if (!ext4_has_metadata_csum(inode->i_sb)) + return; + + hdr->h_checksum = ext4_xattr_block_csum(inode, block_nr, hdr); +@@ -189,14 +187,28 @@ ext4_listxattr(struct dentry *dentry, char *buffer, size_t size) + } + + static int +-ext4_xattr_check_names(struct ext4_xattr_entry *entry, void *end) ++ext4_xattr_check_names(struct ext4_xattr_entry *entry, void *end, ++ void *value_start) + { +- while (!IS_LAST_ENTRY(entry)) { +- struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(entry); ++ struct ext4_xattr_entry *e = entry; ++ ++ while (!IS_LAST_ENTRY(e)) { ++ struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e); + if ((void *)next >= end) + return -EIO; +- entry = next; ++ e = next; + } ++ ++ while (!IS_LAST_ENTRY(entry)) { ++ if (entry->e_value_size != 0 && ++ (value_start + le16_to_cpu(entry->e_value_offs) < ++ (void *)e + sizeof(__u32) || ++ value_start + le16_to_cpu(entry->e_value_offs) + ++ le32_to_cpu(entry->e_value_size) > end)) ++ return -EIO; ++ entry = EXT4_XATTR_NEXT(entry); ++ } ++ + return 0; + } + +@@ -213,7 +225,8 @@ ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh) + return -EIO; + if (!ext4_xattr_block_csum_verify(inode, bh->b_blocknr, BHDR(bh))) + return -EIO; +- error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size); ++ error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size, ++ bh->b_data); + if (!error) + set_buffer_verified(bh); + return error; +@@ -329,7 +342,7 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, + header = IHDR(inode, raw_inode); + entry = IFIRST(header); + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; +- error = ext4_xattr_check_names(entry, end); ++ error = ext4_xattr_check_names(entry, end, entry); + if (error) + goto cleanup; + error = ext4_xattr_find_entry(&entry, name_index, name, +@@ -457,7 +470,7 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size) + raw_inode = ext4_raw_inode(&iloc); + header = IHDR(inode, raw_inode); + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; +- error = ext4_xattr_check_names(IFIRST(header), end); ++ error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header)); + if (error) + goto cleanup; + error = 
ext4_xattr_list_entries(dentry, IFIRST(header), +@@ -972,7 +985,8 @@ int ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i, + is->s.here = is->s.first; + is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; + if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) { +- error = ext4_xattr_check_names(IFIRST(header), is->s.end); ++ error = ext4_xattr_check_names(IFIRST(header), is->s.end, ++ IFIRST(header)); + if (error) + return error; + /* Find the named attribute. */ +diff --git a/fs/jbd2/recovery.c b/fs/jbd2/recovery.c +index 9b329b55ffe3..bcbef08a4d8f 100644 +--- a/fs/jbd2/recovery.c ++++ b/fs/jbd2/recovery.c +@@ -525,6 +525,7 @@ static int do_one_pass(journal_t *journal, + !jbd2_descr_block_csum_verify(journal, + bh->b_data)) { + err = -EIO; ++ brelse(bh); + goto failed; + } + +diff --git a/fs/jffs2/jffs2_fs_sb.h b/fs/jffs2/jffs2_fs_sb.h +index 413ef89c2d1b..046fee8b6e9b 100644 +--- a/fs/jffs2/jffs2_fs_sb.h ++++ b/fs/jffs2/jffs2_fs_sb.h +@@ -134,8 +134,6 @@ struct jffs2_sb_info { + struct rw_semaphore wbuf_sem; /* Protects the write buffer */ + + struct delayed_work wbuf_dwork; /* write-buffer write-out work */ +- int wbuf_queued; /* non-zero delayed work is queued */ +- spinlock_t wbuf_dwork_lock; /* protects wbuf_dwork and and wbuf_queued */ + + unsigned char *oobbuf; + int oobavail; /* How many bytes are available for JFFS2 in OOB */ +diff --git a/fs/jffs2/wbuf.c b/fs/jffs2/wbuf.c +index a6597d60d76d..09ed55190ee2 100644 +--- a/fs/jffs2/wbuf.c ++++ b/fs/jffs2/wbuf.c +@@ -1162,10 +1162,6 @@ static void delayed_wbuf_sync(struct work_struct *work) + struct jffs2_sb_info *c = work_to_sb(work); + struct super_block *sb = OFNI_BS_2SFFJ(c); + +- spin_lock(&c->wbuf_dwork_lock); +- c->wbuf_queued = 0; +- spin_unlock(&c->wbuf_dwork_lock); +- + if (!(sb->s_flags & MS_RDONLY)) { + jffs2_dbg(1, "%s()\n", __func__); + jffs2_flush_wbuf_gc(c, 0); +@@ -1180,14 +1176,9 @@ void jffs2_dirty_trigger(struct jffs2_sb_info *c) + if (sb->s_flags & MS_RDONLY) + return; + +- spin_lock(&c->wbuf_dwork_lock); +- if (!c->wbuf_queued) { ++ delay = msecs_to_jiffies(dirty_writeback_interval * 10); ++ if (queue_delayed_work(system_long_wq, &c->wbuf_dwork, delay)) + jffs2_dbg(1, "%s()\n", __func__); +- delay = msecs_to_jiffies(dirty_writeback_interval * 10); +- queue_delayed_work(system_long_wq, &c->wbuf_dwork, delay); +- c->wbuf_queued = 1; +- } +- spin_unlock(&c->wbuf_dwork_lock); + } + + int jffs2_nand_flash_setup(struct jffs2_sb_info *c) +@@ -1211,7 +1202,6 @@ int jffs2_nand_flash_setup(struct jffs2_sb_info *c) + + /* Initialise write buffer */ + init_rwsem(&c->wbuf_sem); +- spin_lock_init(&c->wbuf_dwork_lock); + INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync); + c->wbuf_pagesize = c->mtd->writesize; + c->wbuf_ofs = 0xFFFFFFFF; +@@ -1251,7 +1241,6 @@ int jffs2_dataflash_setup(struct jffs2_sb_info *c) { + + /* Initialize write buffer */ + init_rwsem(&c->wbuf_sem); +- spin_lock_init(&c->wbuf_dwork_lock); + INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync); + c->wbuf_pagesize = c->mtd->erasesize; + +@@ -1311,7 +1300,6 @@ int jffs2_nor_wbuf_flash_setup(struct jffs2_sb_info *c) { + + /* Initialize write buffer */ + init_rwsem(&c->wbuf_sem); +- spin_lock_init(&c->wbuf_dwork_lock); + INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync); + + c->wbuf_pagesize = c->mtd->writesize; +@@ -1346,7 +1334,6 @@ int jffs2_ubivol_setup(struct jffs2_sb_info *c) { + return 0; + + init_rwsem(&c->wbuf_sem); +- spin_lock_init(&c->wbuf_dwork_lock); + INIT_DELAYED_WORK(&c->wbuf_dwork, 
delayed_wbuf_sync); + + c->wbuf_pagesize = c->mtd->writesize; +diff --git a/fs/lockd/mon.c b/fs/lockd/mon.c +index 1812f026960c..6ae664b489af 100644 +--- a/fs/lockd/mon.c ++++ b/fs/lockd/mon.c +@@ -159,6 +159,12 @@ static int nsm_mon_unmon(struct nsm_handle *nsm, u32 proc, struct nsm_res *res, + + msg.rpc_proc = &clnt->cl_procinfo[proc]; + status = rpc_call_sync(clnt, &msg, RPC_TASK_SOFTCONN); ++ if (status == -ECONNREFUSED) { ++ dprintk("lockd: NSM upcall RPC failed, status=%d, forcing rebind\n", ++ status); ++ rpc_force_rebind(clnt); ++ status = rpc_call_sync(clnt, &msg, RPC_TASK_SOFTCONN); ++ } + if (status < 0) + dprintk("lockd: NSM upcall RPC failed, status=%d\n", + status); +diff --git a/fs/namei.c b/fs/namei.c +index dd2f2c5bda55..0dd72c8e65fd 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3128,7 +3128,8 @@ static int do_tmpfile(int dfd, struct filename *pathname, + if (error) + goto out2; + audit_inode(pathname, nd->path.dentry, 0); +- error = may_open(&nd->path, op->acc_mode, op->open_flag); ++ /* Don't check for other permissions, the inode was just created */ ++ error = may_open(&nd->path, MAY_OPEN, op->open_flag); + if (error) + goto out2; + file->f_path.mnt = nd->path.mnt; +diff --git a/fs/namespace.c b/fs/namespace.c +index c7d4a0ae2c65..d9bf3efbf040 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2831,6 +2831,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, + /* make sure we can reach put_old from new_root */ + if (!is_path_reachable(old_mnt, old.dentry, &new)) + goto out4; ++ /* make certain new is below the root */ ++ if (!is_path_reachable(new_mnt, new.dentry, &root)) ++ goto out4; + root_mp->m_count++; /* pin it so it won't go away */ + lock_mount_hash(); + detach_mnt(new_mnt, &parent_path); +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index f23a6ca37504..86f5d3e474bf 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1243,7 +1243,8 @@ static bool need_wrongsec_check(struct svc_rqst *rqstp) + */ + if (argp->opcnt == resp->opcnt) + return false; +- ++ if (next->opnum == OP_ILLEGAL) ++ return false; + nextd = OPDESC(next); + /* + * Rest of 2.6.3.1.1: certain operations will return WRONGSEC +diff --git a/fs/pstore/inode.c b/fs/pstore/inode.c +index 12823845d324..14120a3c6195 100644 +--- a/fs/pstore/inode.c ++++ b/fs/pstore/inode.c +@@ -319,10 +319,10 @@ int pstore_mkfile(enum pstore_type_id type, char *psname, u64 id, int count, + compressed ? 
".enc.z" : ""); + break; + case PSTORE_TYPE_CONSOLE: +- sprintf(name, "console-%s", psname); ++ sprintf(name, "console-%s-%lld", psname, id); + break; + case PSTORE_TYPE_FTRACE: +- sprintf(name, "ftrace-%s", psname); ++ sprintf(name, "ftrace-%s-%lld", psname, id); + break; + case PSTORE_TYPE_MCE: + sprintf(name, "mce-%s-%lld", psname, id); +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index ce87c9007b0f..89da95700c69 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -637,7 +637,7 @@ int dquot_writeback_dquots(struct super_block *sb, int type) + dqstats_inc(DQST_LOOKUPS); + err = sb->dq_op->write_dquot(dquot); + if (!ret && err) +- err = ret; ++ ret = err; + dqput(dquot); + spin_lock(&dq_list_lock); + } +diff --git a/fs/super.c b/fs/super.c +index 7624267b2043..88a6bc6e3cc9 100644 +--- a/fs/super.c ++++ b/fs/super.c +@@ -81,6 +81,8 @@ static unsigned long super_cache_scan(struct shrinker *shrink, + inodes = list_lru_count_node(&sb->s_inode_lru, sc->nid); + dentries = list_lru_count_node(&sb->s_dentry_lru, sc->nid); + total_objects = dentries + inodes + fs_objects + 1; ++ if (!total_objects) ++ total_objects = 1; + + /* proportion the scan between the caches */ + dentries = mult_frac(sc->nr_to_scan, dentries, total_objects); +diff --git a/fs/ubifs/commit.c b/fs/ubifs/commit.c +index ff8229340cd5..26b69b2d4a45 100644 +--- a/fs/ubifs/commit.c ++++ b/fs/ubifs/commit.c +@@ -166,15 +166,10 @@ static int do_commit(struct ubifs_info *c) + err = ubifs_orphan_end_commit(c); + if (err) + goto out; +- old_ltail_lnum = c->ltail_lnum; +- err = ubifs_log_end_commit(c, new_ltail_lnum); +- if (err) +- goto out; + err = dbg_check_old_index(c, &zroot); + if (err) + goto out; + +- mutex_lock(&c->mst_mutex); + c->mst_node->cmt_no = cpu_to_le64(c->cmt_no); + c->mst_node->log_lnum = cpu_to_le32(new_ltail_lnum); + c->mst_node->root_lnum = cpu_to_le32(zroot.lnum); +@@ -203,8 +198,9 @@ static int do_commit(struct ubifs_info *c) + c->mst_node->flags |= cpu_to_le32(UBIFS_MST_NO_ORPHS); + else + c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_NO_ORPHS); +- err = ubifs_write_master(c); +- mutex_unlock(&c->mst_mutex); ++ ++ old_ltail_lnum = c->ltail_lnum; ++ err = ubifs_log_end_commit(c, new_ltail_lnum); + if (err) + goto out; + +diff --git a/fs/ubifs/log.c b/fs/ubifs/log.c +index a902c5919e42..8d59de86dc9a 100644 +--- a/fs/ubifs/log.c ++++ b/fs/ubifs/log.c +@@ -106,10 +106,14 @@ static inline long long empty_log_bytes(const struct ubifs_info *c) + h = (long long)c->lhead_lnum * c->leb_size + c->lhead_offs; + t = (long long)c->ltail_lnum * c->leb_size; + +- if (h >= t) ++ if (h > t) + return c->log_bytes - h + t; +- else ++ else if (h != t) + return t - h; ++ else if (c->lhead_lnum != c->ltail_lnum) ++ return 0; ++ else ++ return c->log_bytes; + } + + /** +@@ -447,9 +451,9 @@ out: + * @ltail_lnum: new log tail LEB number + * + * This function is called on when the commit operation was finished. It +- * moves log tail to new position and unmaps LEBs which contain obsolete data. +- * Returns zero in case of success and a negative error code in case of +- * failure. ++ * moves log tail to new position and updates the master node so that it stores ++ * the new log tail LEB number. Returns zero in case of success and a negative ++ * error code in case of failure. 
+ */ + int ubifs_log_end_commit(struct ubifs_info *c, int ltail_lnum) + { +@@ -477,7 +481,12 @@ int ubifs_log_end_commit(struct ubifs_info *c, int ltail_lnum) + spin_unlock(&c->buds_lock); + + err = dbg_check_bud_bytes(c); ++ if (err) ++ goto out; + ++ err = ubifs_write_master(c); ++ ++out: + mutex_unlock(&c->log_mutex); + return err; + } +diff --git a/fs/ubifs/master.c b/fs/ubifs/master.c +index ab83ace9910a..1a4bb9e8b3b8 100644 +--- a/fs/ubifs/master.c ++++ b/fs/ubifs/master.c +@@ -352,10 +352,9 @@ int ubifs_read_master(struct ubifs_info *c) + * ubifs_write_master - write master node. + * @c: UBIFS file-system description object + * +- * This function writes the master node. The caller has to take the +- * @c->mst_mutex lock before calling this function. Returns zero in case of +- * success and a negative error code in case of failure. The master node is +- * written twice to enable recovery. ++ * This function writes the master node. Returns zero in case of success and a ++ * negative error code in case of failure. The master node is written twice to ++ * enable recovery. + */ + int ubifs_write_master(struct ubifs_info *c) + { +diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c +index 5ded8490c0c6..94d9a64287b7 100644 +--- a/fs/ubifs/super.c ++++ b/fs/ubifs/super.c +@@ -1957,7 +1957,6 @@ static struct ubifs_info *alloc_ubifs_info(struct ubi_volume_desc *ubi) + mutex_init(&c->lp_mutex); + mutex_init(&c->tnc_mutex); + mutex_init(&c->log_mutex); +- mutex_init(&c->mst_mutex); + mutex_init(&c->umount_mutex); + mutex_init(&c->bu_mutex); + mutex_init(&c->write_reserve_mutex); +diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h +index e8c8cfe1435c..7ab9c710c749 100644 +--- a/fs/ubifs/ubifs.h ++++ b/fs/ubifs/ubifs.h +@@ -1042,7 +1042,6 @@ struct ubifs_debug_info; + * + * @mst_node: master node + * @mst_offs: offset of valid master node +- * @mst_mutex: protects the master node area, @mst_node, and @mst_offs + * + * @max_bu_buf_len: maximum bulk-read buffer length + * @bu_mutex: protects the pre-allocated bulk-read buffer and @c->bu +@@ -1282,7 +1281,6 @@ struct ubifs_info { + + struct ubifs_mst_node *mst_node; + int mst_offs; +- struct mutex mst_mutex; + + int max_bu_buf_len; + struct mutex bu_mutex; +diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c +index c6ff3cf5a5bb..0eaaa2d296f0 100644 +--- a/fs/xfs/xfs_mount.c ++++ b/fs/xfs/xfs_mount.c +@@ -321,7 +321,6 @@ reread: + * Initialize the mount structure from the superblock. + */ + xfs_sb_from_disk(sbp, XFS_BUF_TO_SBP(bp)); +- xfs_sb_quota_from_disk(sbp); + + /* + * If we haven't validated the superblock, do so now before we try +diff --git a/fs/xfs/xfs_sb.c b/fs/xfs/xfs_sb.c +index 1e116794bb66..4afd393846d3 100644 +--- a/fs/xfs/xfs_sb.c ++++ b/fs/xfs/xfs_sb.c +@@ -397,10 +397,11 @@ xfs_sb_quota_from_disk(struct xfs_sb *sbp) + } + } + +-void +-xfs_sb_from_disk( ++static void ++__xfs_sb_from_disk( + struct xfs_sb *to, +- xfs_dsb_t *from) ++ xfs_dsb_t *from, ++ bool convert_xquota) + { + to->sb_magicnum = be32_to_cpu(from->sb_magicnum); + to->sb_blocksize = be32_to_cpu(from->sb_blocksize); +@@ -456,6 +457,17 @@ xfs_sb_from_disk( + to->sb_pad = 0; + to->sb_pquotino = be64_to_cpu(from->sb_pquotino); + to->sb_lsn = be64_to_cpu(from->sb_lsn); ++ /* Convert on-disk flags to in-memory flags? 
*/ ++ if (convert_xquota) ++ xfs_sb_quota_from_disk(to); ++} ++ ++void ++xfs_sb_from_disk( ++ struct xfs_sb *to, ++ xfs_dsb_t *from) ++{ ++ __xfs_sb_from_disk(to, from, true); + } + + static inline void +@@ -571,7 +583,11 @@ xfs_sb_verify( + struct xfs_mount *mp = bp->b_target->bt_mount; + struct xfs_sb sb; + +- xfs_sb_from_disk(&sb, XFS_BUF_TO_SBP(bp)); ++ /* ++ * Use call variant which doesn't convert quota flags from disk ++ * format, because xfs_mount_validate_sb checks the on-disk flags. ++ */ ++ __xfs_sb_from_disk(&sb, XFS_BUF_TO_SBP(bp), false); + + /* + * Only check the in progress field for the primary superblock as +diff --git a/include/drm/drm_pciids.h b/include/drm/drm_pciids.h +index bcec4c46cc2e..ca52de5a5c97 100644 +--- a/include/drm/drm_pciids.h ++++ b/include/drm/drm_pciids.h +@@ -74,7 +74,6 @@ + {0x1002, 0x4C64, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV250|RADEON_IS_MOBILITY}, \ + {0x1002, 0x4C66, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV250|RADEON_IS_MOBILITY}, \ + {0x1002, 0x4C67, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV250|RADEON_IS_MOBILITY}, \ +- {0x1002, 0x4C6E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV280|RADEON_IS_MOBILITY}, \ + {0x1002, 0x4E44, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R300}, \ + {0x1002, 0x4E45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R300}, \ + {0x1002, 0x4E46, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R300}, \ +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index 4afa4f8f6090..a693c6d29328 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -1232,10 +1232,9 @@ static inline int queue_alignment_offset(struct request_queue *q) + static inline int queue_limit_alignment_offset(struct queue_limits *lim, sector_t sector) + { + unsigned int granularity = max(lim->physical_block_size, lim->io_min); +- unsigned int alignment = (sector << 9) & (granularity - 1); ++ unsigned int alignment = sector_div(sector, granularity >> 9) << 9; + +- return (granularity + lim->alignment_offset - alignment) +- & (granularity - 1); ++ return (granularity + lim->alignment_offset - alignment) % granularity; + } + + static inline int bdev_alignment_offset(struct block_device *bdev) +diff --git a/include/linux/hid.h b/include/linux/hid.h +index 31b9d299ef6c..00c88fccd162 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -286,6 +286,7 @@ struct hid_item { + #define HID_QUIRK_HIDINPUT_FORCE 0x00000080 + #define HID_QUIRK_NO_EMPTY_INPUT 0x00000100 + #define HID_QUIRK_NO_INIT_INPUT_REPORTS 0x00000200 ++#define HID_QUIRK_ALWAYS_POLL 0x00000400 + #define HID_QUIRK_SKIP_OUTPUT_REPORTS 0x00010000 + #define HID_QUIRK_FULLSPEED_INTERVAL 0x10000000 + #define HID_QUIRK_NO_INIT_REPORTS 0x20000000 +diff --git a/include/linux/mm.h b/include/linux/mm.h +index c1b7414c7bef..0a0b024ec7e8 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1123,6 +1123,7 @@ static inline void unmap_shared_mapping_range(struct address_space *mapping, + + extern void truncate_pagecache(struct inode *inode, loff_t new); + extern void truncate_setsize(struct inode *inode, loff_t newsize); ++void pagecache_isize_extended(struct inode *inode, loff_t from, loff_t to); + void truncate_pagecache_range(struct inode *inode, loff_t offset, loff_t end); + int truncate_inode_page(struct address_space *mapping, struct page *page); + int generic_error_remove_page(struct address_space *mapping, struct page *page); +diff --git a/include/linux/of.h b/include/linux/of.h +index 435cb995904d..3f8144dadaef 100644 +--- a/include/linux/of.h ++++ b/include/linux/of.h +@@ -215,14 +215,12 @@ extern int 
of_property_read_u64(const struct device_node *np, + extern int of_property_read_string(struct device_node *np, + const char *propname, + const char **out_string); +-extern int of_property_read_string_index(struct device_node *np, +- const char *propname, +- int index, const char **output); + extern int of_property_match_string(struct device_node *np, + const char *propname, + const char *string); +-extern int of_property_count_strings(struct device_node *np, +- const char *propname); ++extern int of_property_read_string_helper(struct device_node *np, ++ const char *propname, ++ const char **out_strs, size_t sz, int index); + extern int of_device_is_compatible(const struct device_node *device, + const char *); + extern int of_device_is_available(const struct device_node *device); +@@ -422,15 +420,9 @@ static inline int of_property_read_string(struct device_node *np, + return -ENOSYS; + } + +-static inline int of_property_read_string_index(struct device_node *np, +- const char *propname, int index, +- const char **out_string) +-{ +- return -ENOSYS; +-} +- +-static inline int of_property_count_strings(struct device_node *np, +- const char *propname) ++static inline int of_property_read_string_helper(struct device_node *np, ++ const char *propname, ++ const char **out_strs, size_t sz, int index) + { + return -ENOSYS; + } +@@ -536,6 +528,70 @@ static inline struct device_node *of_find_matching_node( + } + + /** ++ * of_property_read_string_array() - Read an array of strings from a multiple ++ * strings property. ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. ++ * @out_strs: output array of string pointers. ++ * @sz: number of array elements to read. ++ * ++ * Search for a property in a device tree node and retrieve a list of ++ * terminated string values (pointer to data, not a copy) in that property. ++ * ++ * If @out_strs is NULL, the number of strings in the property is returned. ++ */ ++static inline int of_property_read_string_array(struct device_node *np, ++ const char *propname, const char **out_strs, ++ size_t sz) ++{ ++ return of_property_read_string_helper(np, propname, out_strs, sz, 0); ++} ++ ++/** ++ * of_property_count_strings() - Find and return the number of strings from a ++ * multiple strings property. ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. ++ * ++ * Search for a property in a device tree node and retrieve the number of null ++ * terminated string contain in it. Returns the number of strings on ++ * success, -EINVAL if the property does not exist, -ENODATA if property ++ * does not have a value, and -EILSEQ if the string is not null-terminated ++ * within the length of the property data. ++ */ ++static inline int of_property_count_strings(struct device_node *np, ++ const char *propname) ++{ ++ return of_property_read_string_helper(np, propname, NULL, 0, 0); ++} ++ ++/** ++ * of_property_read_string_index() - Find and read a string from a multiple ++ * strings property. ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. ++ * @index: index of the string in the list of strings ++ * @out_string: pointer to null terminated return string, modified only if ++ * return value is 0. 
++ * ++ * Search for a property in a device tree node and retrieve a null ++ * terminated string value (pointer to data, not a copy) in the list of strings ++ * contained in that property. ++ * Returns 0 on success, -EINVAL if the property does not exist, -ENODATA if ++ * property does not have a value, and -EILSEQ if the string is not ++ * null-terminated within the length of the property data. ++ * ++ * The out_string pointer is modified only if a valid string can be decoded. ++ */ ++static inline int of_property_read_string_index(struct device_node *np, ++ const char *propname, ++ int index, const char **output) ++{ ++ int rc = of_property_read_string_helper(np, propname, output, 1, index); ++ return rc < 0 ? rc : 0; ++} ++ ++/** + * of_property_read_bool - Findfrom a property + * @np: device node from which the property value is to be read. + * @propname: name of the property to be searched. +diff --git a/include/linux/oom.h b/include/linux/oom.h +index 4cd62677feb9..17f0949bd822 100644 +--- a/include/linux/oom.h ++++ b/include/linux/oom.h +@@ -50,6 +50,9 @@ static inline bool oom_task_origin(const struct task_struct *p) + extern unsigned long oom_badness(struct task_struct *p, + struct mem_cgroup *memcg, const nodemask_t *nodemask, + unsigned long totalpages); ++ ++extern int oom_kills_count(void); ++extern void note_oom_kill(void); + extern void oom_kill_process(struct task_struct *p, gfp_t gfp_mask, int order, + unsigned int points, unsigned long totalpages, + struct mem_cgroup *memcg, nodemask_t *nodemask, +diff --git a/include/linux/string.h b/include/linux/string.h +index ac889c5ea11b..0ed878d0465c 100644 +--- a/include/linux/string.h ++++ b/include/linux/string.h +@@ -129,7 +129,7 @@ int bprintf(u32 *bin_buf, size_t size, const char *fmt, ...) __printf(3, 4); + #endif + + extern ssize_t memory_read_from_buffer(void *to, size_t count, loff_t *ppos, +- const void *from, size_t available); ++ const void *from, size_t available); + + /** + * strstarts - does @str start with @prefix? +@@ -141,7 +141,8 @@ static inline bool strstarts(const char *str, const char *prefix) + return strncmp(str, prefix, strlen(prefix)) == 0; + } + +-extern size_t memweight(const void *ptr, size_t bytes); ++size_t memweight(const void *ptr, size_t bytes); ++void memzero_explicit(void *s, size_t count); + + /** + * kbasename - return the last part of a pathname. 
+diff --git a/include/linux/sunrpc/xprt.h b/include/linux/sunrpc/xprt.h +index 8097b9df6773..51009d280ac7 100644 +--- a/include/linux/sunrpc/xprt.h ++++ b/include/linux/sunrpc/xprt.h +@@ -340,6 +340,7 @@ int xs_swapper(struct rpc_xprt *xprt, int enable); + #define XPRT_CONNECTION_ABORT (7) + #define XPRT_CONNECTION_CLOSE (8) + #define XPRT_CONGESTED (9) ++#define XPRT_CONNECTION_REUSE (10) + + static inline void xprt_set_connected(struct rpc_xprt *xprt) + { +diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h +index 49587dc22f5d..8b96ae2a38fe 100644 +--- a/include/linux/usb/quirks.h ++++ b/include/linux/usb/quirks.h +@@ -33,4 +33,7 @@ + /* device generates spurious wakeup, ignore remote wakeup capability */ + #define USB_QUIRK_IGNORE_REMOTE_WAKEUP 0x00000200 + ++/* device can't handle device_qualifier descriptor requests */ ++#define USB_QUIRK_DEVICE_QUALIFIER 0x00000100 ++ + #endif /* __LINUX_USB_QUIRKS_H */ +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index 9ac65781d44b..a60948d7bcea 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -660,6 +660,8 @@ static inline int ipv6_addr_diff(const struct in6_addr *a1, const struct in6_add + return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr)); + } + ++void ipv6_proxy_select_ident(struct sk_buff *skb); ++ + int ip6_dst_hoplimit(struct dst_entry *dst); + + /* +diff --git a/include/uapi/drm/vmwgfx_drm.h b/include/uapi/drm/vmwgfx_drm.h +index 87792a5fee3b..33b739522840 100644 +--- a/include/uapi/drm/vmwgfx_drm.h ++++ b/include/uapi/drm/vmwgfx_drm.h +@@ -29,7 +29,7 @@ + #define __VMWGFX_DRM_H__ + + #ifndef __KERNEL__ +-#include ++#include + #endif + + #define DRM_VMW_MAX_SURFACE_FACES 6 +diff --git a/kernel/freezer.c b/kernel/freezer.c +index aa6a8aadb911..8f9279b9c6d7 100644 +--- a/kernel/freezer.c ++++ b/kernel/freezer.c +@@ -42,6 +42,9 @@ bool freezing_slow_path(struct task_struct *p) + if (p->flags & (PF_NOFREEZE | PF_SUSPEND_TASK)) + return false; + ++ if (test_thread_flag(TIF_MEMDIE)) ++ return false; ++ + if (pm_nosig_freezing || cgroup_freezing(p)) + return true; + +diff --git a/kernel/module.c b/kernel/module.c +index 6716a1fa618b..1d679a6c942f 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -1841,7 +1841,9 @@ static void free_module(struct module *mod) + + /* We leave it in list to prevent duplicate loads, but make sure + * that noone uses it while it's being deconstructed. */ ++ mutex_lock(&module_mutex); + mod->state = MODULE_STATE_UNFORMED; ++ mutex_unlock(&module_mutex); + + /* Remove dynamic debug info */ + ddebug_remove_module(mod->name); +diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c +index 424c2d4265c9..77e6b83c0431 100644 +--- a/kernel/posix-timers.c ++++ b/kernel/posix-timers.c +@@ -634,6 +634,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock, + goto out; + } + } else { ++ memset(&event.sigev_value, 0, sizeof(event.sigev_value)); + event.sigev_notify = SIGEV_SIGNAL; + event.sigev_signo = SIGALRM; + event.sigev_value.sival_int = new_timer->it_id; +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index 37170d4dd9a6..126586a31408 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -492,8 +492,14 @@ int hibernation_restore(int platform_mode) + error = dpm_suspend_start(PMSG_QUIESCE); + if (!error) { + error = resume_target_kernel(platform_mode); +- dpm_resume_end(PMSG_RECOVER); ++ /* ++ * The above should either succeed and jump to the new kernel, ++ * or return with an error. 
Otherwise things are just ++ * undefined, so let's be paranoid. ++ */ ++ BUG_ON(!error); + } ++ dpm_resume_end(PMSG_RECOVER); + pm_restore_gfp_mask(); + ftrace_start(); + resume_console(); +diff --git a/kernel/power/process.c b/kernel/power/process.c +index 14f9a8d4725d..f1fe7ec110bb 100644 +--- a/kernel/power/process.c ++++ b/kernel/power/process.c +@@ -107,6 +107,28 @@ static int try_to_freeze_tasks(bool user_only) + return todo ? -EBUSY : 0; + } + ++/* ++ * Returns true if all freezable tasks (except for current) are frozen already ++ */ ++static bool check_frozen_processes(void) ++{ ++ struct task_struct *g, *p; ++ bool ret = true; ++ ++ read_lock(&tasklist_lock); ++ for_each_process_thread(g, p) { ++ if (p != current && !freezer_should_skip(p) && ++ !frozen(p)) { ++ ret = false; ++ goto done; ++ } ++ } ++done: ++ read_unlock(&tasklist_lock); ++ ++ return ret; ++} ++ + /** + * freeze_processes - Signal user space processes to enter the refrigerator. + * The current thread will not be frozen. The same process that calls +@@ -117,6 +139,7 @@ static int try_to_freeze_tasks(bool user_only) + int freeze_processes(void) + { + int error; ++ int oom_kills_saved; + + error = __usermodehelper_disable(UMH_FREEZING); + if (error) +@@ -130,12 +153,27 @@ int freeze_processes(void) + + printk("Freezing user space processes ... "); + pm_freezing = true; ++ oom_kills_saved = oom_kills_count(); + error = try_to_freeze_tasks(true); + if (!error) { +- printk("done."); + __usermodehelper_set_disable_depth(UMH_DISABLED); + oom_killer_disable(); ++ ++ /* ++ * There might have been an OOM kill while we were ++ * freezing tasks and the killed task might be still ++ * on the way out so we have to double check for race. ++ */ ++ if (oom_kills_count() != oom_kills_saved && ++ !check_frozen_processes()) { ++ __usermodehelper_set_disable_depth(UMH_ENABLED); ++ printk("OOM in progress."); ++ error = -EBUSY; ++ goto done; ++ } ++ printk("done."); + } ++done: + printk("\n"); + BUG_ON(in_atomic()); + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 677ebad70ce1..9a3f3c4e1f5a 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -1895,6 +1895,8 @@ unsigned long to_ratio(u64 period, u64 runtime) + #ifdef CONFIG_SMP + inline struct dl_bw *dl_bw_of(int i) + { ++ rcu_lockdep_assert(rcu_read_lock_sched_held(), ++ "sched RCU must be held"); + return &cpu_rq(i)->rd->dl_bw; + } + +@@ -1903,6 +1905,8 @@ static inline int dl_bw_cpus(int i) + struct root_domain *rd = cpu_rq(i)->rd; + int cpus = 0; + ++ rcu_lockdep_assert(rcu_read_lock_sched_held(), ++ "sched RCU must be held"); + for_each_cpu_and(i, rd->span, cpu_active_mask) + cpus++; + +@@ -3937,13 +3941,14 @@ long sched_setaffinity(pid_t pid, const struct cpumask *in_mask) + * root_domain. 
+ */ + #ifdef CONFIG_SMP +- if (task_has_dl_policy(p)) { +- const struct cpumask *span = task_rq(p)->rd->span; +- +- if (dl_bandwidth_enabled() && !cpumask_subset(span, new_mask)) { ++ if (task_has_dl_policy(p) && dl_bandwidth_enabled()) { ++ rcu_read_lock(); ++ if (!cpumask_subset(task_rq(p)->rd->span, new_mask)) { + retval = -EBUSY; ++ rcu_read_unlock(); + goto out_unlock; + } ++ rcu_read_unlock(); + } + #endif + again: +@@ -7458,6 +7463,8 @@ static int sched_dl_global_constraints(void) + int cpu, ret = 0; + unsigned long flags; + ++ rcu_read_lock(); ++ + /* + * Here we want to check the bandwidth not being set to some + * value smaller than the currently allocated bandwidth in +@@ -7479,6 +7486,8 @@ static int sched_dl_global_constraints(void) + break; + } + ++ rcu_read_unlock(); ++ + return ret; + } + +@@ -7494,6 +7503,7 @@ static void sched_dl_do_global(void) + if (global_rt_runtime() != RUNTIME_INF) + new_bw = to_ratio(global_rt_period(), global_rt_runtime()); + ++ rcu_read_lock(); + /* + * FIXME: As above... + */ +@@ -7504,6 +7514,7 @@ static void sched_dl_do_global(void) + dl_b->bw = new_bw; + raw_spin_unlock_irqrestore(&dl_b->lock, flags); + } ++ rcu_read_unlock(); + } + + static int sched_rt_global_validate(void) +diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c +index 759d5e004517..7e3cd7aaec83 100644 +--- a/kernel/trace/trace_syscalls.c ++++ b/kernel/trace/trace_syscalls.c +@@ -313,7 +313,7 @@ static void ftrace_syscall_enter(void *data, struct pt_regs *regs, long id) + int size; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + + /* Here we're inside tp handler's rcu_read_lock_sched (__DO_TRACE) */ +@@ -360,7 +360,7 @@ static void ftrace_syscall_exit(void *data, struct pt_regs *regs, long ret) + int syscall_nr; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + + /* Here we're inside tp handler's rcu_read_lock_sched (__DO_TRACE()) */ +@@ -567,7 +567,7 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id) + int size; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + if (!test_bit(syscall_nr, enabled_perf_enter_syscalls)) + return; +@@ -641,7 +641,7 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret) + int size; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + if (!test_bit(syscall_nr, enabled_perf_exit_syscalls)) + return; +diff --git a/lib/bitmap.c b/lib/bitmap.c +index 06f7e4fe8d2d..e5c4ebe586ba 100644 +--- a/lib/bitmap.c ++++ b/lib/bitmap.c +@@ -131,7 +131,9 @@ void __bitmap_shift_right(unsigned long *dst, + lower = src[off + k]; + if (left && off + k == lim - 1) + lower &= mask; +- dst[k] = upper << (BITS_PER_LONG - rem) | lower >> rem; ++ dst[k] = lower >> rem; ++ if (rem) ++ dst[k] |= upper << (BITS_PER_LONG - rem); + if (left && k == lim - 1) + dst[k] &= mask; + } +@@ -172,7 +174,9 @@ void __bitmap_shift_left(unsigned long *dst, + upper = src[k]; + if (left && k == lim - 1) + upper &= (1UL << left) - 1; +- dst[k + off] = lower >> (BITS_PER_LONG - rem) | upper << rem; ++ dst[k + off] = upper << rem; ++ if (rem) ++ dst[k + off] |= lower >> (BITS_PER_LONG - rem); + if (left && k + off == lim - 1) + dst[k + off] &= (1UL << left) - 1; + } 
+diff --git a/lib/string.c b/lib/string.c +index e5878de4f101..43d0781daf47 100644 +--- a/lib/string.c ++++ b/lib/string.c +@@ -586,6 +586,22 @@ void *memset(void *s, int c, size_t count) + EXPORT_SYMBOL(memset); + #endif + ++/** ++ * memzero_explicit - Fill a region of memory (e.g. sensitive ++ * keying data) with 0s. ++ * @s: Pointer to the start of the area. ++ * @count: The size of the area. ++ * ++ * memzero_explicit() doesn't need an arch-specific version as ++ * it just invokes the one of memset() implicitly. ++ */ ++void memzero_explicit(void *s, size_t count) ++{ ++ memset(s, 0, count); ++ OPTIMIZER_HIDE_VAR(s); ++} ++EXPORT_SYMBOL(memzero_explicit); ++ + #ifndef __HAVE_ARCH_MEMCPY + /** + * memcpy - Copy one area of memory to another +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 718bfa16a36f..331faa5c0d5e 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -199,7 +199,7 @@ retry: + preempt_disable(); + if (cmpxchg(&huge_zero_page, NULL, zero_page)) { + preempt_enable(); +- __free_page(zero_page); ++ __free_pages(zero_page, compound_order(zero_page)); + goto retry; + } + +@@ -231,7 +231,7 @@ static unsigned long shrink_huge_zero_page_scan(struct shrinker *shrink, + if (atomic_cmpxchg(&huge_zero_refcount, 1, 0) == 1) { + struct page *zero_page = xchg(&huge_zero_page, NULL); + BUG_ON(zero_page == NULL); +- __free_page(zero_page); ++ __free_pages(zero_page, compound_order(zero_page)); + return HPAGE_PMD_NR; + } + +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 9b35da28b587..b58d4fbe6c48 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -292,6 +292,9 @@ struct mem_cgroup { + /* vmpressure notifications */ + struct vmpressure vmpressure; + ++ /* css_online() has been completed */ ++ int initialized; ++ + /* + * the counter to account for mem+swap usage. + */ +@@ -1127,9 +1130,21 @@ skip_node: + * skipping css reference should be safe. + */ + if (next_css) { +- if ((next_css == &root->css) || +- ((next_css->flags & CSS_ONLINE) && css_tryget(next_css))) +- return mem_cgroup_from_css(next_css); ++ struct mem_cgroup *memcg = mem_cgroup_from_css(next_css); ++ ++ if (next_css == &root->css) ++ return memcg; ++ ++ if (css_tryget(next_css)) { ++ /* ++ * Make sure the memcg is initialized: ++ * mem_cgroup_css_online() orders the the ++ * initialization against setting the flag. ++ */ ++ if (smp_load_acquire(&memcg->initialized)) ++ return memcg; ++ css_put(next_css); ++ } + + prev_css = next_css; + goto skip_node; +@@ -6538,6 +6553,7 @@ mem_cgroup_css_online(struct cgroup_subsys_state *css) + { + struct mem_cgroup *memcg = mem_cgroup_from_css(css); + struct mem_cgroup *parent = mem_cgroup_from_css(css_parent(css)); ++ int ret; + + if (css->cgroup->id > MEM_CGROUP_ID_MAX) + return -ENOSPC; +@@ -6574,7 +6590,18 @@ mem_cgroup_css_online(struct cgroup_subsys_state *css) + } + mutex_unlock(&memcg_create_mutex); + +- return memcg_init_kmem(memcg, &mem_cgroup_subsys); ++ ret = memcg_init_kmem(memcg, &mem_cgroup_subsys); ++ if (ret) ++ return ret; ++ ++ /* ++ * Make sure the memcg is initialized: mem_cgroup_iter() ++ * orders reading memcg->initialized against its callers ++ * reading the memcg members. 
++ */ ++ smp_store_release(&memcg->initialized, 1); ++ ++ return 0; + } + + /* +diff --git a/mm/oom_kill.c b/mm/oom_kill.c +index 3291e82d4352..171c00f2e495 100644 +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -406,6 +406,23 @@ static void dump_header(struct task_struct *p, gfp_t gfp_mask, int order, + dump_tasks(memcg, nodemask); + } + ++/* ++ * Number of OOM killer invocations (including memcg OOM killer). ++ * Primarily used by PM freezer to check for potential races with ++ * OOM killed frozen task. ++ */ ++static atomic_t oom_kills = ATOMIC_INIT(0); ++ ++int oom_kills_count(void) ++{ ++ return atomic_read(&oom_kills); ++} ++ ++void note_oom_kill(void) ++{ ++ atomic_inc(&oom_kills); ++} ++ + #define K(x) ((x) << (PAGE_SHIFT-10)) + /* + * Must be called while holding a reference to p, which will be released upon +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index ff0f6b13f32f..7b2611a055a7 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -1957,7 +1957,7 @@ zonelist_scan: + if (alloc_flags & ALLOC_FAIR) { + if (!zone_local(preferred_zone, zone)) + continue; +- if (zone_page_state(zone, NR_ALLOC_BATCH) <= 0) ++ if (atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH]) <= 0) + continue; + } + /* +@@ -2196,6 +2196,14 @@ __alloc_pages_may_oom(gfp_t gfp_mask, unsigned int order, + } + + /* ++ * PM-freezer should be notified that there might be an OOM killer on ++ * its way to kill and wake somebody up. This is too early and we might ++ * end up not killing anything but false positives are acceptable. ++ * See freeze_processes. ++ */ ++ note_oom_kill(); ++ ++ /* + * Go through the zonelist yet one more time, keep very high watermark + * here, this is only to catch a parallel oom killing, we must fail if + * we're still under heavy pressure. +@@ -5662,9 +5670,8 @@ static void __setup_per_zone_wmarks(void) + zone->watermark[WMARK_HIGH] = min_wmark_pages(zone) + (tmp >> 1); + + __mod_zone_page_state(zone, NR_ALLOC_BATCH, +- high_wmark_pages(zone) - +- low_wmark_pages(zone) - +- zone_page_state(zone, NR_ALLOC_BATCH)); ++ high_wmark_pages(zone) - low_wmark_pages(zone) - ++ atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH])); + + setup_zone_migrate_reserve(zone); + spin_unlock_irqrestore(&zone->lock, flags); +diff --git a/mm/page_cgroup.c b/mm/page_cgroup.c +index cfd162882c00..0e9a319d5f8d 100644 +--- a/mm/page_cgroup.c ++++ b/mm/page_cgroup.c +@@ -171,6 +171,7 @@ static void free_page_cgroup(void *addr) + sizeof(struct page_cgroup) * PAGES_PER_SECTION; + + BUG_ON(PageReserved(page)); ++ kmemleak_free(addr); + free_pages_exact(addr, table_size); + } + } +diff --git a/mm/percpu.c b/mm/percpu.c +index 8cd4308471c3..a2a54a85f691 100644 +--- a/mm/percpu.c ++++ b/mm/percpu.c +@@ -1917,8 +1917,6 @@ void __init setup_per_cpu_areas(void) + + if (pcpu_setup_first_chunk(ai, fc) < 0) + panic("Failed to initialize percpu areas."); +- +- pcpu_free_alloc_info(ai); + } + + #endif /* CONFIG_SMP */ +diff --git a/mm/truncate.c b/mm/truncate.c +index 353b683afd6e..ac18edc30649 100644 +--- a/mm/truncate.c ++++ b/mm/truncate.c +@@ -20,6 +20,7 @@ + #include /* grr. 
try_to_release_page, + do_invalidatepage */ + #include ++#include + #include "internal.h" + + +@@ -613,12 +614,67 @@ EXPORT_SYMBOL(truncate_pagecache); + */ + void truncate_setsize(struct inode *inode, loff_t newsize) + { ++ loff_t oldsize = inode->i_size; ++ + i_size_write(inode, newsize); ++ if (newsize > oldsize) ++ pagecache_isize_extended(inode, oldsize, newsize); + truncate_pagecache(inode, newsize); + } + EXPORT_SYMBOL(truncate_setsize); + + /** ++ * pagecache_isize_extended - update pagecache after extension of i_size ++ * @inode: inode for which i_size was extended ++ * @from: original inode size ++ * @to: new inode size ++ * ++ * Handle extension of inode size either caused by extending truncate or by ++ * write starting after current i_size. We mark the page straddling current ++ * i_size RO so that page_mkwrite() is called on the nearest write access to ++ * the page. This way filesystem can be sure that page_mkwrite() is called on ++ * the page before user writes to the page via mmap after the i_size has been ++ * changed. ++ * ++ * The function must be called after i_size is updated so that page fault ++ * coming after we unlock the page will already see the new i_size. ++ * The function must be called while we still hold i_mutex - this not only ++ * makes sure i_size is stable but also that userspace cannot observe new ++ * i_size value before we are prepared to store mmap writes at new inode size. ++ */ ++void pagecache_isize_extended(struct inode *inode, loff_t from, loff_t to) ++{ ++ int bsize = 1 << inode->i_blkbits; ++ loff_t rounded_from; ++ struct page *page; ++ pgoff_t index; ++ ++ WARN_ON(to > inode->i_size); ++ ++ if (from >= to || bsize == PAGE_CACHE_SIZE) ++ return; ++ /* Page straddling @from will not have any hole block created? */ ++ rounded_from = round_up(from, bsize); ++ if (to <= rounded_from || !(rounded_from & (PAGE_CACHE_SIZE - 1))) ++ return; ++ ++ index = from >> PAGE_CACHE_SHIFT; ++ page = find_lock_page(inode->i_mapping, index); ++ /* Page not cached? Nothing to do */ ++ if (!page) ++ return; ++ /* ++ * See clear_page_dirty_for_io() for details why set_page_dirty() ++ * is needed. ++ */ ++ if (page_mkclean(page)) ++ set_page_dirty(page); ++ unlock_page(page); ++ page_cache_release(page); ++} ++EXPORT_SYMBOL(pagecache_isize_extended); ++ ++/** + * truncate_pagecache_range - unmap and remove pagecache that is hole-punched + * @inode: inode + * @lstart: offset of beginning of hole +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index 0a31298737ac..2e87eecec8f6 100644 +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -291,7 +291,11 @@ int ceph_msgr_init(void) + if (ceph_msgr_slab_init()) + return -ENOMEM; + +- ceph_msgr_wq = alloc_workqueue("ceph-msgr", 0, 0); ++ /* ++ * The number of active work items is limited by the number of ++ * connections, so leave @max_active at default. 
++ */ ++ ceph_msgr_wq = alloc_workqueue("ceph-msgr", WQ_MEM_RECLAIM, 0); + if (ceph_msgr_wq) + return 0; + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 9d43468722ed..017fa5e17594 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -535,7 +535,7 @@ int fib_nh_match(struct fib_config *cfg, struct fib_info *fi) + return 1; + + attrlen = rtnh_attrlen(rtnh); +- if (attrlen < 0) { ++ if (attrlen > 0) { + struct nlattr *nla, *attrs = rtnh_attrs(rtnh); + + nla = nla_find(attrs, attrlen, RTA_GATEWAY); +diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c +index 2d24f293f977..8c8493ea6b1c 100644 +--- a/net/ipv4/gre_offload.c ++++ b/net/ipv4/gre_offload.c +@@ -50,7 +50,7 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb, + + greh = (struct gre_base_hdr *)skb_transport_header(skb); + +- ghl = skb_inner_network_header(skb) - skb_transport_header(skb); ++ ghl = skb_inner_mac_header(skb) - skb_transport_header(skb); + if (unlikely(ghl < sizeof(*greh))) + goto out; + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index ed88d781248f..844323b6cfb9 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1487,6 +1487,7 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, __be32 daddr, + struct sk_buff *nskb; + struct sock *sk; + struct inet_sock *inet; ++ int err; + + if (ip_options_echo(&replyopts.opt.opt, skb)) + return; +@@ -1525,8 +1526,13 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, __be32 daddr, + sock_net_set(sk, net); + __skb_queue_head_init(&sk->sk_write_queue); + sk->sk_sndbuf = sysctl_wmem_default; +- ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base, len, 0, +- &ipc, &rt, MSG_DONTWAIT); ++ err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base, ++ len, 0, &ipc, &rt, MSG_DONTWAIT); ++ if (unlikely(err)) { ++ ip_flush_pending_frames(sk); ++ goto out; ++ } ++ + nskb = skb_peek(&sk->sk_write_queue); + if (nskb) { + if (arg->csumoffset >= 0) +@@ -1538,7 +1544,7 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, __be32 daddr, + skb_set_queue_mapping(nskb, skb_get_queue_mapping(skb)); + ip_push_pending_frames(sk, &fl4); + } +- ++out: + put_cpu_var(unicast_sock); + + ip_rt_put(rt); +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index 65b664d30fa1..791a419f0699 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -91,11 +91,12 @@ int iptunnel_pull_header(struct sk_buff *skb, int hdr_len, __be16 inner_proto) + skb_pull_rcsum(skb, hdr_len); + + if (inner_proto == htons(ETH_P_TEB)) { +- struct ethhdr *eh = (struct ethhdr *)skb->data; ++ struct ethhdr *eh; + + if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) + return -ENOMEM; + ++ eh = (struct ethhdr *)skb->data; + if (likely(ntohs(eh->h_proto) >= ETH_P_802_3_MIN)) + skb->protocol = eh->h_proto; + else +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index f7d71ec72a47..29d240b87af1 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2954,61 +2954,42 @@ EXPORT_SYMBOL(compat_tcp_getsockopt); + #endif + + #ifdef CONFIG_TCP_MD5SIG +-static struct tcp_md5sig_pool __percpu *tcp_md5sig_pool __read_mostly; ++static DEFINE_PER_CPU(struct tcp_md5sig_pool, tcp_md5sig_pool); + static DEFINE_MUTEX(tcp_md5sig_mutex); +- +-static void __tcp_free_md5sig_pool(struct tcp_md5sig_pool __percpu *pool) +-{ +- int cpu; +- +- for_each_possible_cpu(cpu) { +- struct tcp_md5sig_pool *p = per_cpu_ptr(pool, cpu); +- +- if (p->md5_desc.tfm) +- 
crypto_free_hash(p->md5_desc.tfm); +- } +- free_percpu(pool); +-} ++static bool tcp_md5sig_pool_populated = false; + + static void __tcp_alloc_md5sig_pool(void) + { + int cpu; +- struct tcp_md5sig_pool __percpu *pool; +- +- pool = alloc_percpu(struct tcp_md5sig_pool); +- if (!pool) +- return; + + for_each_possible_cpu(cpu) { +- struct crypto_hash *hash; +- +- hash = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC); +- if (IS_ERR_OR_NULL(hash)) +- goto out_free; ++ if (!per_cpu(tcp_md5sig_pool, cpu).md5_desc.tfm) { ++ struct crypto_hash *hash; + +- per_cpu_ptr(pool, cpu)->md5_desc.tfm = hash; ++ hash = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC); ++ if (IS_ERR_OR_NULL(hash)) ++ return; ++ per_cpu(tcp_md5sig_pool, cpu).md5_desc.tfm = hash; ++ } + } +- /* before setting tcp_md5sig_pool, we must commit all writes +- * to memory. See ACCESS_ONCE() in tcp_get_md5sig_pool() ++ /* before setting tcp_md5sig_pool_populated, we must commit all writes ++ * to memory. See smp_rmb() in tcp_get_md5sig_pool() + */ + smp_wmb(); +- tcp_md5sig_pool = pool; +- return; +-out_free: +- __tcp_free_md5sig_pool(pool); ++ tcp_md5sig_pool_populated = true; + } + + bool tcp_alloc_md5sig_pool(void) + { +- if (unlikely(!tcp_md5sig_pool)) { ++ if (unlikely(!tcp_md5sig_pool_populated)) { + mutex_lock(&tcp_md5sig_mutex); + +- if (!tcp_md5sig_pool) ++ if (!tcp_md5sig_pool_populated) + __tcp_alloc_md5sig_pool(); + + mutex_unlock(&tcp_md5sig_mutex); + } +- return tcp_md5sig_pool != NULL; ++ return tcp_md5sig_pool_populated; + } + EXPORT_SYMBOL(tcp_alloc_md5sig_pool); + +@@ -3022,13 +3003,13 @@ EXPORT_SYMBOL(tcp_alloc_md5sig_pool); + */ + struct tcp_md5sig_pool *tcp_get_md5sig_pool(void) + { +- struct tcp_md5sig_pool __percpu *p; +- + local_bh_disable(); +- p = ACCESS_ONCE(tcp_md5sig_pool); +- if (p) +- return __this_cpu_ptr(p); + ++ if (tcp_md5sig_pool_populated) { ++ /* coupled with smp_wmb() in __tcp_alloc_md5sig_pool() */ ++ smp_rmb(); ++ return this_cpu_ptr(&tcp_md5sig_pool); ++ } + local_bh_enable(); + return NULL; + } +diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c +index 798eb0f79078..ae4a06be14df 100644 +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -3,10 +3,43 @@ + * not configured or static. These functions are needed by GSO/GRO implementation. + */ + #include ++#include + #include + #include + #include + ++/* This function exists only for tap drivers that must support broken ++ * clients requesting UFO without specifying an IPv6 fragment ID. ++ * ++ * This is similar to ipv6_select_ident() but we use an independent hash ++ * seed to limit information leakage. ++ * ++ * The network header must be set before calling this. 
++ */ ++void ipv6_proxy_select_ident(struct sk_buff *skb) ++{ ++ static u32 ip6_proxy_idents_hashrnd __read_mostly; ++ struct in6_addr buf[2]; ++ struct in6_addr *addrs; ++ u32 hash, id; ++ ++ addrs = skb_header_pointer(skb, ++ skb_network_offset(skb) + ++ offsetof(struct ipv6hdr, saddr), ++ sizeof(buf), buf); ++ if (!addrs) ++ return; ++ ++ net_get_random_once(&ip6_proxy_idents_hashrnd, ++ sizeof(ip6_proxy_idents_hashrnd)); ++ ++ hash = __ipv6_addr_jhash(&addrs[1], ip6_proxy_idents_hashrnd); ++ hash = __ipv6_addr_jhash(&addrs[0], hash); ++ ++ id = ip_idents_reserve(hash, 1); ++ skb_shinfo(skb)->ip6_frag_id = htonl(id); ++} ++EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident); + + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + { +diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c +index 22b223f13c9f..74350c3863b8 100644 +--- a/net/mac80211/rate.c ++++ b/net/mac80211/rate.c +@@ -462,7 +462,7 @@ static void rate_fixup_ratelist(struct ieee80211_vif *vif, + */ + if (!(rates[0].flags & IEEE80211_TX_RC_MCS)) { + u32 basic_rates = vif->bss_conf.basic_rates; +- s8 baserate = basic_rates ? ffs(basic_rates - 1) : 0; ++ s8 baserate = basic_rates ? ffs(basic_rates) - 1 : 0; + + rate = &sband->bitrates[rates[0].idx]; + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index c375d731587f..7c177bc43806 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -707,7 +707,7 @@ static int netlink_mmap_sendmsg(struct sock *sk, struct msghdr *msg, + * after validation, the socket and the ring may only be used by a + * single process, otherwise we fall back to copying. + */ +- if (atomic_long_read(&sk->sk_socket->file->f_count) > 2 || ++ if (atomic_long_read(&sk->sk_socket->file->f_count) > 1 || + atomic_read(&nlk->mapped) > 1) + excl = false; + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 3ea5cda787c7..5ff8b87c3d04 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -533,6 +533,8 @@ struct rpc_clnt *rpc_create(struct rpc_create_args *args) + + if (args->flags & RPC_CLNT_CREATE_AUTOBIND) + clnt->cl_autobind = 1; ++ if (args->flags & RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT) ++ clnt->cl_noretranstimeo = 1; + if (args->flags & RPC_CLNT_CREATE_DISCRTRY) + clnt->cl_discrtry = 1; + if (!(args->flags & RPC_CLNT_CREATE_QUIET)) +@@ -571,6 +573,7 @@ static struct rpc_clnt *__rpc_clone_client(struct rpc_create_args *args, + /* Turn off autobind on clones */ + new->cl_autobind = 0; + new->cl_softrtry = clnt->cl_softrtry; ++ new->cl_noretranstimeo = clnt->cl_noretranstimeo; + new->cl_discrtry = clnt->cl_discrtry; + new->cl_chatty = clnt->cl_chatty; + return new; +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index 0addefca8e77..41c2f9d7a148 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -842,6 +842,8 @@ static void xs_error_report(struct sock *sk) + dprintk("RPC: xs_error_report client %p, error=%d...\n", + xprt, -err); + trace_rpc_socket_error(xprt, sk->sk_socket, err); ++ if (test_bit(XPRT_CONNECTION_REUSE, &xprt->state)) ++ goto out; + xprt_wake_pending_tasks(xprt, err); + out: + read_unlock_bh(&sk->sk_callback_lock); +@@ -2251,7 +2253,9 @@ static void xs_tcp_setup_socket(struct work_struct *work) + abort_and_exit = test_and_clear_bit(XPRT_CONNECTION_ABORT, + &xprt->state); + /* "close" the socket, preserving the local port */ ++ set_bit(XPRT_CONNECTION_REUSE, &xprt->state); + xs_tcp_reuse_connection(transport); ++ clear_bit(XPRT_CONNECTION_REUSE, &xprt->state); + + if (abort_and_exit) + goto out_eagain; +diff --git 
a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c +index 3c5cbb977254..7e71e066198f 100644 +--- a/security/integrity/evm/evm_main.c ++++ b/security/integrity/evm/evm_main.c +@@ -269,6 +269,13 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, + goto out; + } + evm_status = evm_verify_current_integrity(dentry); ++ if (evm_status == INTEGRITY_NOXATTRS) { ++ struct integrity_iint_cache *iint; ++ ++ iint = integrity_iint_find(dentry->d_inode); ++ if (iint && (iint->flags & IMA_NEW_FILE)) ++ return 0; ++ } + out: + if (evm_status != INTEGRITY_PASS) + integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode, +@@ -296,9 +303,12 @@ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, + { + const struct evm_ima_xattr_data *xattr_data = xattr_value; + +- if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0) +- && (xattr_data->type == EVM_XATTR_HMAC)) +- return -EPERM; ++ if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { ++ if (!xattr_value_len) ++ return -EINVAL; ++ if (xattr_data->type != EVM_IMA_XATTR_DIGSIG) ++ return -EPERM; ++ } + return evm_protect_xattr(dentry, xattr_name, xattr_value, + xattr_value_len); + } +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index e294b86c8d88..47b5c69e4605 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -470,6 +470,7 @@ next_inode: + list_entry(sbsec->isec_head.next, + struct inode_security_struct, list); + struct inode *inode = isec->inode; ++ list_del_init(&isec->list); + spin_unlock(&sbsec->isec_lock); + inode = igrab(inode); + if (inode) { +@@ -478,7 +479,6 @@ next_inode: + iput(inode); + } + spin_lock(&sbsec->isec_lock); +- list_del_init(&isec->list); + goto next_inode; + } + spin_unlock(&sbsec->isec_lock); +diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c +index af49721ba0e3..c4ac3c1e19af 100644 +--- a/sound/core/pcm_compat.c ++++ b/sound/core/pcm_compat.c +@@ -206,6 +206,8 @@ static int snd_pcm_status_user_compat(struct snd_pcm_substream *substream, + if (err < 0) + return err; + ++ if (clear_user(src, sizeof(*src))) ++ return -EFAULT; + if (put_user(status.state, &src->state) || + compat_put_timespec(&status.trigger_tstamp, &src->trigger_tstamp) || + compat_put_timespec(&status.tstamp, &src->tstamp) || +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 7ec91424ba22..103e85a13f35 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -4027,6 +4027,9 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) = { + /* BayTrail */ + { PCI_DEVICE(0x8086, 0x0f04), + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH_NOPM }, ++ /* Braswell */ ++ { PCI_DEVICE(0x8086, 0x2284), ++ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH }, + /* ICH */ + { PCI_DEVICE(0x8086, 0x2668), + .driver_data = AZX_DRIVER_ICH | AZX_DCAPS_OLD_SSYNC | +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 8253b48a435b..611110a3f1a4 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -3317,6 +3317,7 @@ static const struct hda_codec_preset snd_hda_preset_hdmi[] = { + { .id = 0x80862808, .name = "Broadwell HDMI", .patch = patch_generic_hdmi }, + { .id = 0x80862880, .name = "CedarTrail HDMI", .patch = patch_generic_hdmi }, + { .id = 0x80862882, .name = "Valleyview2 HDMI", .patch = patch_generic_hdmi }, ++{ .id = 0x80862883, .name = "Braswell HDMI", .patch = patch_generic_hdmi }, + { .id = 0x808629fb, .name = "Crestline HDMI", .patch = patch_generic_hdmi }, + {} /* terminator */ + }; +@@ 
-3373,6 +3374,7 @@ MODULE_ALIAS("snd-hda-codec-id:80862807"); + MODULE_ALIAS("snd-hda-codec-id:80862808"); + MODULE_ALIAS("snd-hda-codec-id:80862880"); + MODULE_ALIAS("snd-hda-codec-id:80862882"); ++MODULE_ALIAS("snd-hda-codec-id:80862883"); + MODULE_ALIAS("snd-hda-codec-id:808629fb"); + + MODULE_LICENSE("GPL"); +diff --git a/sound/soc/codecs/tlv320aic3x.c b/sound/soc/codecs/tlv320aic3x.c +index eb241c6571a9..fd53d37e1181 100644 +--- a/sound/soc/codecs/tlv320aic3x.c ++++ b/sound/soc/codecs/tlv320aic3x.c +@@ -1121,6 +1121,7 @@ static int aic3x_regulator_event(struct notifier_block *nb, + static int aic3x_set_power(struct snd_soc_codec *codec, int power) + { + struct aic3x_priv *aic3x = snd_soc_codec_get_drvdata(codec); ++ unsigned int pll_c, pll_d; + int ret; + + if (power) { +@@ -1138,6 +1139,18 @@ static int aic3x_set_power(struct snd_soc_codec *codec, int power) + /* Sync reg_cache with the hardware */ + regcache_cache_only(aic3x->regmap, false); + regcache_sync(aic3x->regmap); ++ ++ /* Rewrite paired PLL D registers in case cached sync skipped ++ * writing one of them and thus caused other one also not ++ * being written ++ */ ++ pll_c = snd_soc_read(codec, AIC3X_PLL_PROGC_REG); ++ pll_d = snd_soc_read(codec, AIC3X_PLL_PROGD_REG); ++ if (pll_c == aic3x_reg[AIC3X_PLL_PROGC_REG].def || ++ pll_d == aic3x_reg[AIC3X_PLL_PROGD_REG].def) { ++ snd_soc_write(codec, AIC3X_PLL_PROGC_REG, pll_c); ++ snd_soc_write(codec, AIC3X_PLL_PROGD_REG, pll_d); ++ } + } else { + /* + * Do soft reset to this codec instance in order to clear +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index 731d47b64daa..e4da224d7253 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -689,9 +689,9 @@ static int dapm_create_or_share_mixmux_kcontrol(struct snd_soc_dapm_widget *w, + int shared; + struct snd_kcontrol *kcontrol; + bool wname_in_long_name, kcname_in_long_name; +- char *long_name; ++ char *long_name = NULL; + const char *name; +- int ret; ++ int ret = 0; + + if (dapm->codec) + prefix = dapm->codec->name_prefix; +@@ -756,15 +756,17 @@ static int dapm_create_or_share_mixmux_kcontrol(struct snd_soc_dapm_widget *w, + + kcontrol = snd_soc_cnew(&w->kcontrol_news[kci], NULL, name, + prefix); +- kfree(long_name); +- if (!kcontrol) +- return -ENOMEM; ++ if (!kcontrol) { ++ ret = -ENOMEM; ++ goto exit_free; ++ } ++ + kcontrol->private_free = dapm_kcontrol_free; + + ret = dapm_kcontrol_data_alloc(w, kcontrol); + if (ret) { + snd_ctl_free_one(kcontrol); +- return ret; ++ goto exit_free; + } + + ret = snd_ctl_add(card, kcontrol); +@@ -772,17 +774,18 @@ static int dapm_create_or_share_mixmux_kcontrol(struct snd_soc_dapm_widget *w, + dev_err(dapm->dev, + "ASoC: failed to add widget %s dapm kcontrol %s: %d\n", + w->name, name, ret); +- return ret; ++ goto exit_free; + } + } + + ret = dapm_kcontrol_add_widget(kcontrol, w); +- if (ret) +- return ret; ++ if (ret == 0) ++ w->kcontrols[kci] = kcontrol; + +- w->kcontrols[kci] = kcontrol; ++exit_free: ++ kfree(long_name); + +- return 0; ++ return ret; + } + + /* create new dapm mixer control */ +diff --git a/sound/usb/card.c b/sound/usb/card.c +index af1956042c9e..ab433a02dbf1 100644 +--- a/sound/usb/card.c ++++ b/sound/usb/card.c +@@ -586,18 +586,19 @@ static void snd_usb_audio_disconnect(struct usb_device *dev, + { + struct snd_card *card; + struct list_head *p; ++ bool was_shutdown; + + if (chip == (void *)-1L) + return; + + card = chip->card; + down_write(&chip->shutdown_rwsem); ++ was_shutdown = chip->shutdown; + chip->shutdown = 1; + 
up_write(&chip->shutdown_rwsem); + + mutex_lock(®ister_mutex); +- chip->num_interfaces--; +- if (chip->num_interfaces <= 0) { ++ if (!was_shutdown) { + struct snd_usb_endpoint *ep; + + snd_card_disconnect(card); +@@ -617,6 +618,10 @@ static void snd_usb_audio_disconnect(struct usb_device *dev, + list_for_each(p, &chip->mixer_list) { + snd_usb_mixer_disconnect(p); + } ++ } ++ ++ chip->num_interfaces--; ++ if (chip->num_interfaces <= 0) { + usb_chip[chip->index] = NULL; + mutex_unlock(®ister_mutex); + snd_card_free_when_closed(card); +diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c +index 714b94932312..1f0dc1e5f1f0 100644 +--- a/virt/kvm/iommu.c ++++ b/virt/kvm/iommu.c +@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm, + gfn_t base_gfn, unsigned long npages); + + static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn, +- unsigned long size) ++ unsigned long npages) + { + gfn_t end_gfn; + pfn_t pfn; + + pfn = gfn_to_pfn_memslot(slot, gfn); +- end_gfn = gfn + (size >> PAGE_SHIFT); ++ end_gfn = gfn + npages; + gfn += 1; + + if (is_error_noslot_pfn(pfn)) +@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) + * Pin all pages we are about to map in memory. This is + * important because we unmap and unpin in 4kb steps later. + */ +- pfn = kvm_pin_pages(slot, gfn, page_size); ++ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT); + if (is_error_noslot_pfn(pfn)) { + gfn += 1; + continue; +@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) + if (r) { + printk(KERN_ERR "kvm_iommu_map_address:" + "iommu failed to map pfn=%llx\n", pfn); +- kvm_unpin_pages(kvm, pfn, page_size); ++ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT); + goto unmap_pages; + } + diff --git a/projects/imx6/patches/linux/linux-000-patch-3.14.24-25.patch b/projects/imx6/patches/linux/linux-000-patch-3.14.24-25.patch new file mode 100644 index 0000000000..03df3d2b23 --- /dev/null +++ b/projects/imx6/patches/linux/linux-000-patch-3.14.24-25.patch @@ -0,0 +1,7549 @@ +diff --git a/Documentation/devicetree/bindings/ata/sata_rcar.txt b/Documentation/devicetree/bindings/ata/sata_rcar.txt +index 1e6111333fa8..7dd32d321a34 100644 +--- a/Documentation/devicetree/bindings/ata/sata_rcar.txt ++++ b/Documentation/devicetree/bindings/ata/sata_rcar.txt +@@ -3,7 +3,8 @@ + Required properties: + - compatible : should contain one of the following: + - "renesas,sata-r8a7779" for R-Car H1 +- - "renesas,sata-r8a7790" for R-Car H2 ++ - "renesas,sata-r8a7790-es1" for R-Car H2 ES1 ++ - "renesas,sata-r8a7790" for R-Car H2 other than ES1 + - "renesas,sata-r8a7791" for R-Car M2 + - reg : address and length of the SATA registers; + - interrupts : must consist of one interrupt specifier. 
+diff --git a/Makefile b/Makefile +index 8fd06101c482..eb96e40238f7 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 24 ++SUBLEVEL = 25 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S +index 066b03480b63..8017cde13648 100644 +--- a/arch/arm/boot/compressed/head.S ++++ b/arch/arm/boot/compressed/head.S +@@ -400,8 +400,7 @@ dtb_check_done: + add sp, sp, r6 + #endif + +- tst r4, #1 +- bleq cache_clean_flush ++ bl cache_clean_flush + + adr r0, BSYM(restart) + add r0, r0, r6 +@@ -1050,6 +1049,8 @@ cache_clean_flush: + b call_cache_fn + + __armv4_mpu_cache_flush: ++ tst r4, #1 ++ movne pc, lr + mov r2, #1 + mov r3, #0 + mcr p15, 0, ip, c7, c6, 0 @ invalidate D cache +@@ -1067,6 +1068,8 @@ __armv4_mpu_cache_flush: + mov pc, lr + + __fa526_cache_flush: ++ tst r4, #1 ++ movne pc, lr + mov r1, #0 + mcr p15, 0, r1, c7, c14, 0 @ clean and invalidate D cache + mcr p15, 0, r1, c7, c5, 0 @ flush I cache +@@ -1075,13 +1078,16 @@ __fa526_cache_flush: + + __armv6_mmu_cache_flush: + mov r1, #0 +- mcr p15, 0, r1, c7, c14, 0 @ clean+invalidate D ++ tst r4, #1 ++ mcreq p15, 0, r1, c7, c14, 0 @ clean+invalidate D + mcr p15, 0, r1, c7, c5, 0 @ invalidate I+BTB +- mcr p15, 0, r1, c7, c15, 0 @ clean+invalidate unified ++ mcreq p15, 0, r1, c7, c15, 0 @ clean+invalidate unified + mcr p15, 0, r1, c7, c10, 4 @ drain WB + mov pc, lr + + __armv7_mmu_cache_flush: ++ tst r4, #1 ++ bne iflush + mrc p15, 0, r10, c0, c1, 5 @ read ID_MMFR1 + tst r10, #0xf << 16 @ hierarchical cache (ARMv7) + mov r10, #0 +@@ -1142,6 +1148,8 @@ iflush: + mov pc, lr + + __armv5tej_mmu_cache_flush: ++ tst r4, #1 ++ movne pc, lr + 1: mrc p15, 0, r15, c7, c14, 3 @ test,clean,invalidate D cache + bne 1b + mcr p15, 0, r0, c7, c5, 0 @ flush I cache +@@ -1149,6 +1157,8 @@ __armv5tej_mmu_cache_flush: + mov pc, lr + + __armv4_mmu_cache_flush: ++ tst r4, #1 ++ movne pc, lr + mov r2, #64*1024 @ default: 32K dcache size (*2) + mov r11, #32 @ default: 32 byte line size + mrc p15, 0, r3, c0, c0, 1 @ read cache type +@@ -1182,6 +1192,8 @@ no_cache_id: + + __armv3_mmu_cache_flush: + __armv3_mpu_cache_flush: ++ tst r4, #1 ++ movne pc, lr + mov r1, #0 + mcr p15, 0, r1, c7, c0, 0 @ invalidate whole cache v3 + mov pc, lr +diff --git a/arch/arm/kernel/kprobes-common.c b/arch/arm/kernel/kprobes-common.c +index 18a76282970e..380c20fb9c85 100644 +--- a/arch/arm/kernel/kprobes-common.c ++++ b/arch/arm/kernel/kprobes-common.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + #include "kprobes.h" + +@@ -305,7 +306,8 @@ kprobe_decode_ldmstm(kprobe_opcode_t insn, struct arch_specific_insn *asi) + + if (handler) { + /* We can emulate the instruction in (possibly) modified form */ +- asi->insn[0] = (insn & 0xfff00000) | (rn << 16) | reglist; ++ asi->insn[0] = __opcode_to_mem_arm((insn & 0xfff00000) | ++ (rn << 16) | reglist); + asi->insn_handler = handler; + return INSN_GOOD; + } +@@ -334,13 +336,14 @@ prepare_emulated_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi, + #ifdef CONFIG_THUMB2_KERNEL + if (thumb) { + u16 *thumb_insn = (u16 *)asi->insn; +- thumb_insn[1] = 0x4770; /* Thumb bx lr */ +- thumb_insn[2] = 0x4770; /* Thumb bx lr */ ++ /* Thumb bx lr */ ++ thumb_insn[1] = __opcode_to_mem_thumb16(0x4770); ++ thumb_insn[2] = __opcode_to_mem_thumb16(0x4770); + return insn; + } +- asi->insn[1] = 0xe12fff1e; /* ARM bx lr */ ++ asi->insn[1] = __opcode_to_mem_arm(0xe12fff1e); /* ARM bx lr */ + #else +- asi->insn[1] = 
0xe1a0f00e; /* mov pc, lr */ ++ asi->insn[1] = __opcode_to_mem_arm(0xe1a0f00e); /* mov pc, lr */ + #endif + /* Make an ARM instruction unconditional */ + if (insn < 0xe0000000) +@@ -360,12 +363,12 @@ set_emulated_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi, + if (thumb) { + u16 *ip = (u16 *)asi->insn; + if (is_wide_instruction(insn)) +- *ip++ = insn >> 16; +- *ip++ = insn; ++ *ip++ = __opcode_to_mem_thumb16(insn >> 16); ++ *ip++ = __opcode_to_mem_thumb16(insn); + return; + } + #endif +- asi->insn[0] = insn; ++ asi->insn[0] = __opcode_to_mem_arm(insn); + } + + /* +diff --git a/arch/arm/kernel/kprobes-thumb.c b/arch/arm/kernel/kprobes-thumb.c +index 6123daf397a7..241222c66a13 100644 +--- a/arch/arm/kernel/kprobes-thumb.c ++++ b/arch/arm/kernel/kprobes-thumb.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + + #include "kprobes.h" + +@@ -163,9 +164,9 @@ t32_decode_ldmstm(kprobe_opcode_t insn, struct arch_specific_insn *asi) + enum kprobe_insn ret = kprobe_decode_ldmstm(insn, asi); + + /* Fixup modified instruction to have halfwords in correct order...*/ +- insn = asi->insn[0]; +- ((u16 *)asi->insn)[0] = insn >> 16; +- ((u16 *)asi->insn)[1] = insn & 0xffff; ++ insn = __mem_to_opcode_arm(asi->insn[0]); ++ ((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(insn >> 16); ++ ((u16 *)asi->insn)[1] = __opcode_to_mem_thumb16(insn & 0xffff); + + return ret; + } +@@ -1153,7 +1154,7 @@ t16_decode_hiregs(kprobe_opcode_t insn, struct arch_specific_insn *asi) + { + insn &= ~0x00ff; + insn |= 0x001; /* Set Rdn = R1 and Rm = R0 */ +- ((u16 *)asi->insn)[0] = insn; ++ ((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(insn); + asi->insn_handler = t16_emulate_hiregs; + return INSN_GOOD; + } +@@ -1182,8 +1183,10 @@ t16_decode_push(kprobe_opcode_t insn, struct arch_specific_insn *asi) + * and call it with R9=SP and LR in the register list represented + * by R8. + */ +- ((u16 *)asi->insn)[0] = 0xe929; /* 1st half STMDB R9!,{} */ +- ((u16 *)asi->insn)[1] = insn & 0x1ff; /* 2nd half (register list) */ ++ /* 1st half STMDB R9!,{} */ ++ ((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(0xe929); ++ /* 2nd half (register list) */ ++ ((u16 *)asi->insn)[1] = __opcode_to_mem_thumb16(insn & 0x1ff); + asi->insn_handler = t16_emulate_push; + return INSN_GOOD; + } +@@ -1232,8 +1235,10 @@ t16_decode_pop(kprobe_opcode_t insn, struct arch_specific_insn *asi) + * and call it with R9=SP and PC in the register list represented + * by R8. + */ +- ((u16 *)asi->insn)[0] = 0xe8b9; /* 1st half LDMIA R9!,{} */ +- ((u16 *)asi->insn)[1] = insn & 0x1ff; /* 2nd half (register list) */ ++ /* 1st half LDMIA R9!,{} */ ++ ((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(0xe8b9); ++ /* 2nd half (register list) */ ++ ((u16 *)asi->insn)[1] = __opcode_to_mem_thumb16(insn & 0x1ff); + asi->insn_handler = insn & 0x100 ? 
t16_emulate_pop_pc + : t16_emulate_pop_nopc; + return INSN_GOOD; +diff --git a/arch/arm/kernel/kprobes.c b/arch/arm/kernel/kprobes.c +index a7b621ece23d..49a87b6d0bf3 100644 +--- a/arch/arm/kernel/kprobes.c ++++ b/arch/arm/kernel/kprobes.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + + #include "kprobes.h" +@@ -62,10 +63,10 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) + #ifdef CONFIG_THUMB2_KERNEL + thumb = true; + addr &= ~1; /* Bit 0 would normally be set to indicate Thumb code */ +- insn = ((u16 *)addr)[0]; ++ insn = __mem_to_opcode_thumb16(((u16 *)addr)[0]); + if (is_wide_instruction(insn)) { +- insn <<= 16; +- insn |= ((u16 *)addr)[1]; ++ u16 inst2 = __mem_to_opcode_thumb16(((u16 *)addr)[1]); ++ insn = __opcode_thumb32_compose(insn, inst2); + decode_insn = thumb32_kprobe_decode_insn; + } else + decode_insn = thumb16_kprobe_decode_insn; +@@ -73,7 +74,7 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) + thumb = false; + if (addr & 0x3) + return -EINVAL; +- insn = *p->addr; ++ insn = __mem_to_opcode_arm(*p->addr); + decode_insn = arm_kprobe_decode_insn; + #endif + +diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig +index ca8ecdee47d8..e9c290c21744 100644 +--- a/arch/arm/mm/Kconfig ++++ b/arch/arm/mm/Kconfig +@@ -798,6 +798,7 @@ config NEED_KUSER_HELPERS + + config KUSER_HELPERS + bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS ++ depends on MMU + default y + help + Warning: disabling this option may break user programs. +diff --git a/arch/arm64/kernel/insn.c b/arch/arm64/kernel/insn.c +index 92f36835486b..565e26f23f31 100644 +--- a/arch/arm64/kernel/insn.c ++++ b/arch/arm64/kernel/insn.c +@@ -156,9 +156,10 @@ static int __kprobes aarch64_insn_patch_text_cb(void *arg) + * which ends with "dsb; isb" pair guaranteeing global + * visibility. + */ +- atomic_set(&pp->cpu_count, -1); ++ /* Notify other processors with an additional increment. */ ++ atomic_inc(&pp->cpu_count); + } else { +- while (atomic_read(&pp->cpu_count) != -1) ++ while (atomic_read(&pp->cpu_count) <= num_online_cpus()) + cpu_relax(); + isb(); + } +diff --git a/arch/arm64/lib/clear_user.S b/arch/arm64/lib/clear_user.S +index 6e0ed93d51fe..c17967fdf5f6 100644 +--- a/arch/arm64/lib/clear_user.S ++++ b/arch/arm64/lib/clear_user.S +@@ -46,7 +46,7 @@ USER(9f, strh wzr, [x0], #2 ) + sub x1, x1, #2 + 4: adds x1, x1, #1 + b.mi 5f +- strb wzr, [x0] ++USER(9f, strb wzr, [x0] ) + 5: mov x0, #0 + ret + ENDPROC(__clear_user) +diff --git a/arch/parisc/include/uapi/asm/shmbuf.h b/arch/parisc/include/uapi/asm/shmbuf.h +index 0a3eada1863b..f395cde7b593 100644 +--- a/arch/parisc/include/uapi/asm/shmbuf.h ++++ b/arch/parisc/include/uapi/asm/shmbuf.h +@@ -36,23 +36,16 @@ struct shmid64_ds { + unsigned int __unused2; + }; + +-#ifdef CONFIG_64BIT +-/* The 'unsigned int' (formerly 'unsigned long') data types below will +- * ensure that a 32-bit app calling shmctl(*,IPC_INFO,*) will work on +- * a wide kernel, but if some of these values are meant to contain pointers +- * they may need to be 'long long' instead. 
-PB XXX FIXME +- */ +-#endif + struct shminfo64 { +- unsigned int shmmax; +- unsigned int shmmin; +- unsigned int shmmni; +- unsigned int shmseg; +- unsigned int shmall; +- unsigned int __unused1; +- unsigned int __unused2; +- unsigned int __unused3; +- unsigned int __unused4; ++ unsigned long shmmax; ++ unsigned long shmmin; ++ unsigned long shmmni; ++ unsigned long shmseg; ++ unsigned long shmall; ++ unsigned long __unused1; ++ unsigned long __unused2; ++ unsigned long __unused3; ++ unsigned long __unused4; + }; + + #endif /* _PARISC_SHMBUF_H */ +diff --git a/arch/parisc/kernel/syscall_table.S b/arch/parisc/kernel/syscall_table.S +index 7dd8a3b22147..fc77d53e2ca5 100644 +--- a/arch/parisc/kernel/syscall_table.S ++++ b/arch/parisc/kernel/syscall_table.S +@@ -286,11 +286,11 @@ + ENTRY_COMP(msgsnd) + ENTRY_COMP(msgrcv) + ENTRY_SAME(msgget) /* 190 */ +- ENTRY_SAME(msgctl) +- ENTRY_SAME(shmat) ++ ENTRY_COMP(msgctl) ++ ENTRY_COMP(shmat) + ENTRY_SAME(shmdt) + ENTRY_SAME(shmget) +- ENTRY_SAME(shmctl) /* 195 */ ++ ENTRY_COMP(shmctl) /* 195 */ + ENTRY_SAME(ni_syscall) /* streams1 */ + ENTRY_SAME(ni_syscall) /* streams2 */ + ENTRY_SAME(lstat64) +@@ -323,7 +323,7 @@ + ENTRY_SAME(epoll_ctl) /* 225 */ + ENTRY_SAME(epoll_wait) + ENTRY_SAME(remap_file_pages) +- ENTRY_SAME(semtimedop) ++ ENTRY_COMP(semtimedop) + ENTRY_COMP(mq_open) + ENTRY_SAME(mq_unlink) /* 230 */ + ENTRY_COMP(mq_timedsend) +diff --git a/arch/sparc/include/asm/atomic_32.h b/arch/sparc/include/asm/atomic_32.h +index 905832aa9e9e..a0ed182ae73c 100644 +--- a/arch/sparc/include/asm/atomic_32.h ++++ b/arch/sparc/include/asm/atomic_32.h +@@ -21,7 +21,7 @@ + + extern int __atomic_add_return(int, atomic_t *); + extern int atomic_cmpxchg(atomic_t *, int, int); +-#define atomic_xchg(v, new) (xchg(&((v)->counter), new)) ++extern int atomic_xchg(atomic_t *, int); + extern int __atomic_add_unless(atomic_t *, int, int); + extern void atomic_set(atomic_t *, int); + +diff --git a/arch/sparc/include/asm/cmpxchg_32.h b/arch/sparc/include/asm/cmpxchg_32.h +index 1fae1a02e3c2..ae0f9a7a314d 100644 +--- a/arch/sparc/include/asm/cmpxchg_32.h ++++ b/arch/sparc/include/asm/cmpxchg_32.h +@@ -11,22 +11,14 @@ + #ifndef __ARCH_SPARC_CMPXCHG__ + #define __ARCH_SPARC_CMPXCHG__ + +-static inline unsigned long xchg_u32(__volatile__ unsigned long *m, unsigned long val) +-{ +- __asm__ __volatile__("swap [%2], %0" +- : "=&r" (val) +- : "0" (val), "r" (m) +- : "memory"); +- return val; +-} +- ++extern unsigned long __xchg_u32(volatile u32 *m, u32 new); + extern void __xchg_called_with_bad_pointer(void); + + static inline unsigned long __xchg(unsigned long x, __volatile__ void * ptr, int size) + { + switch (size) { + case 4: +- return xchg_u32(ptr, x); ++ return __xchg_u32(ptr, x); + } + __xchg_called_with_bad_pointer(); + return x; +diff --git a/arch/sparc/include/asm/vio.h b/arch/sparc/include/asm/vio.h +index 432afa838861..55841c184e6d 100644 +--- a/arch/sparc/include/asm/vio.h ++++ b/arch/sparc/include/asm/vio.h +@@ -118,12 +118,18 @@ struct vio_disk_attr_info { + u8 vdisk_type; + #define VD_DISK_TYPE_SLICE 0x01 /* Slice in block device */ + #define VD_DISK_TYPE_DISK 0x02 /* Entire block device */ +- u16 resv1; ++ u8 vdisk_mtype; /* v1.1 */ ++#define VD_MEDIA_TYPE_FIXED 0x01 /* Fixed device */ ++#define VD_MEDIA_TYPE_CD 0x02 /* CD Device */ ++#define VD_MEDIA_TYPE_DVD 0x03 /* DVD Device */ ++ u8 resv1; + u32 vdisk_block_size; + u64 operations; +- u64 vdisk_size; ++ u64 vdisk_size; /* v1.1 */ + u64 max_xfer_size; +- u64 resv2[2]; ++ u32 phys_block_size; /* v1.2 */ ++ u32 
resv2; ++ u64 resv3[1]; + }; + + struct vio_disk_desc { +@@ -259,7 +265,7 @@ static inline u32 vio_dring_avail(struct vio_dring_state *dr, + unsigned int ring_size) + { + return (dr->pending - +- ((dr->prod - dr->cons) & (ring_size - 1))); ++ ((dr->prod - dr->cons) & (ring_size - 1)) - 1); + } + + #define VIO_MAX_TYPE_LEN 32 +diff --git a/arch/sparc/kernel/pci_schizo.c b/arch/sparc/kernel/pci_schizo.c +index 8f76f23dac38..f9c6813c132d 100644 +--- a/arch/sparc/kernel/pci_schizo.c ++++ b/arch/sparc/kernel/pci_schizo.c +@@ -581,7 +581,7 @@ static irqreturn_t schizo_pcierr_intr_other(struct pci_pbm_info *pbm) + { + unsigned long csr_reg, csr, csr_error_bits; + irqreturn_t ret = IRQ_NONE; +- u16 stat; ++ u32 stat; + + csr_reg = pbm->pbm_regs + SCHIZO_PCI_CTRL; + csr = upa_readq(csr_reg); +@@ -617,7 +617,7 @@ static irqreturn_t schizo_pcierr_intr_other(struct pci_pbm_info *pbm) + pbm->name); + ret = IRQ_HANDLED; + } +- pci_read_config_word(pbm->pci_bus->self, PCI_STATUS, &stat); ++ pbm->pci_ops->read(pbm->pci_bus, 0, PCI_STATUS, 2, &stat); + if (stat & (PCI_STATUS_PARITY | + PCI_STATUS_SIG_TARGET_ABORT | + PCI_STATUS_REC_TARGET_ABORT | +@@ -625,7 +625,7 @@ static irqreturn_t schizo_pcierr_intr_other(struct pci_pbm_info *pbm) + PCI_STATUS_SIG_SYSTEM_ERROR)) { + printk("%s: PCI bus error, PCI_STATUS[%04x]\n", + pbm->name, stat); +- pci_write_config_word(pbm->pci_bus->self, PCI_STATUS, 0xffff); ++ pbm->pci_ops->write(pbm->pci_bus, 0, PCI_STATUS, 2, 0xffff); + ret = IRQ_HANDLED; + } + return ret; +diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c +index 50c3dd03be31..9af0a5dbb36d 100644 +--- a/arch/sparc/kernel/smp_64.c ++++ b/arch/sparc/kernel/smp_64.c +@@ -823,13 +823,17 @@ void arch_send_call_function_single_ipi(int cpu) + void __irq_entry smp_call_function_client(int irq, struct pt_regs *regs) + { + clear_softint(1 << irq); ++ irq_enter(); + generic_smp_call_function_interrupt(); ++ irq_exit(); + } + + void __irq_entry smp_call_function_single_client(int irq, struct pt_regs *regs) + { + clear_softint(1 << irq); ++ irq_enter(); + generic_smp_call_function_single_interrupt(); ++ irq_exit(); + } + + static void tsb_sync(void *info) +diff --git a/arch/sparc/lib/atomic32.c b/arch/sparc/lib/atomic32.c +index 1d32b54089aa..8f2f94d53434 100644 +--- a/arch/sparc/lib/atomic32.c ++++ b/arch/sparc/lib/atomic32.c +@@ -40,6 +40,19 @@ int __atomic_add_return(int i, atomic_t *v) + } + EXPORT_SYMBOL(__atomic_add_return); + ++int atomic_xchg(atomic_t *v, int new) ++{ ++ int ret; ++ unsigned long flags; ++ ++ spin_lock_irqsave(ATOMIC_HASH(v), flags); ++ ret = v->counter; ++ v->counter = new; ++ spin_unlock_irqrestore(ATOMIC_HASH(v), flags); ++ return ret; ++} ++EXPORT_SYMBOL(atomic_xchg); ++ + int atomic_cmpxchg(atomic_t *v, int old, int new) + { + int ret; +@@ -132,3 +145,17 @@ unsigned long __cmpxchg_u32(volatile u32 *ptr, u32 old, u32 new) + return (unsigned long)prev; + } + EXPORT_SYMBOL(__cmpxchg_u32); ++ ++unsigned long __xchg_u32(volatile u32 *ptr, u32 new) ++{ ++ unsigned long flags; ++ u32 prev; ++ ++ spin_lock_irqsave(ATOMIC_HASH(ptr), flags); ++ prev = *ptr; ++ *ptr = new; ++ spin_unlock_irqrestore(ATOMIC_HASH(ptr), flags); ++ ++ return (unsigned long)prev; ++} ++EXPORT_SYMBOL(__xchg_u32); +diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile +index 0fcd9133790c..14fe7cba21d1 100644 +--- a/arch/x86/boot/compressed/Makefile ++++ b/arch/x86/boot/compressed/Makefile +@@ -75,8 +75,10 @@ suffix-$(CONFIG_KERNEL_XZ) := xz + suffix-$(CONFIG_KERNEL_LZO) := lzo + 
suffix-$(CONFIG_KERNEL_LZ4) := lz4 + ++RUN_SIZE = $(shell objdump -h vmlinux | \ ++ perl $(srctree)/arch/x86/tools/calc_run_size.pl) + quiet_cmd_mkpiggy = MKPIGGY $@ +- cmd_mkpiggy = $(obj)/mkpiggy $< > $@ || ( rm -f $@ ; false ) ++ cmd_mkpiggy = $(obj)/mkpiggy $< $(RUN_SIZE) > $@ || ( rm -f $@ ; false ) + + targets += piggy.S + $(obj)/piggy.S: $(obj)/vmlinux.bin.$(suffix-y) $(obj)/mkpiggy FORCE +diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S +index f45ab7a36fb6..c5b56ed10aff 100644 +--- a/arch/x86/boot/compressed/head_32.S ++++ b/arch/x86/boot/compressed/head_32.S +@@ -186,7 +186,8 @@ relocated: + * Do the decompression, and jump to the new kernel.. + */ + /* push arguments for decompress_kernel: */ +- pushl $z_output_len /* decompressed length */ ++ pushl $z_run_size /* size of kernel with .bss and .brk */ ++ pushl $z_output_len /* decompressed length, end of relocs */ + leal z_extract_offset_negative(%ebx), %ebp + pushl %ebp /* output address */ + pushl $z_input_len /* input_len */ +@@ -196,7 +197,7 @@ relocated: + pushl %eax /* heap area */ + pushl %esi /* real mode pointer */ + call decompress_kernel /* returns kernel location in %eax */ +- addl $24, %esp ++ addl $28, %esp + + /* + * Jump to the decompressed kernel. +diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S +index b10fa66a2540..34bbc0911b7c 100644 +--- a/arch/x86/boot/compressed/head_64.S ++++ b/arch/x86/boot/compressed/head_64.S +@@ -334,13 +334,16 @@ relocated: + * Do the decompression, and jump to the new kernel.. + */ + pushq %rsi /* Save the real mode argument */ ++ movq $z_run_size, %r9 /* size of kernel with .bss and .brk */ ++ pushq %r9 + movq %rsi, %rdi /* real mode address */ + leaq boot_heap(%rip), %rsi /* malloc area for uncompression */ + leaq input_data(%rip), %rdx /* input_data */ + movl $z_input_len, %ecx /* input_len */ + movq %rbp, %r8 /* output target address */ +- movq $z_output_len, %r9 /* decompressed length */ ++ movq $z_output_len, %r9 /* decompressed length, end of relocs */ + call decompress_kernel /* returns kernel location in %rax */ ++ popq %r9 + popq %rsi + + /* +diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c +index 196eaf373a06..eb25ca1eb6da 100644 +--- a/arch/x86/boot/compressed/misc.c ++++ b/arch/x86/boot/compressed/misc.c +@@ -393,7 +393,8 @@ asmlinkage void *decompress_kernel(void *rmode, memptr heap, + unsigned char *input_data, + unsigned long input_len, + unsigned char *output, +- unsigned long output_len) ++ unsigned long output_len, ++ unsigned long run_size) + { + real_mode = rmode; + +@@ -416,8 +417,14 @@ asmlinkage void *decompress_kernel(void *rmode, memptr heap, + free_mem_ptr = heap; /* Heap */ + free_mem_end_ptr = heap + BOOT_HEAP_SIZE; + +- output = choose_kernel_location(input_data, input_len, +- output, output_len); ++ /* ++ * The memory hole needed for the kernel is the larger of either ++ * the entire decompressed kernel plus relocation table, or the ++ * entire decompressed kernel plus .bss and .brk sections. ++ */ ++ output = choose_kernel_location(input_data, input_len, output, ++ output_len > run_size ? output_len ++ : run_size); + + /* Validate memory location choices. 
*/ + if ((unsigned long)output & (MIN_KERNEL_ALIGN - 1)) +diff --git a/arch/x86/boot/compressed/mkpiggy.c b/arch/x86/boot/compressed/mkpiggy.c +index b669ab65bf6c..d8222f213182 100644 +--- a/arch/x86/boot/compressed/mkpiggy.c ++++ b/arch/x86/boot/compressed/mkpiggy.c +@@ -36,11 +36,13 @@ int main(int argc, char *argv[]) + uint32_t olen; + long ilen; + unsigned long offs; ++ unsigned long run_size; + FILE *f = NULL; + int retval = 1; + +- if (argc < 2) { +- fprintf(stderr, "Usage: %s compressed_file\n", argv[0]); ++ if (argc < 3) { ++ fprintf(stderr, "Usage: %s compressed_file run_size\n", ++ argv[0]); + goto bail; + } + +@@ -74,6 +76,7 @@ int main(int argc, char *argv[]) + offs += olen >> 12; /* Add 8 bytes for each 32K block */ + offs += 64*1024 + 128; /* Add 64K + 128 bytes slack */ + offs = (offs+4095) & ~4095; /* Round to a 4K boundary */ ++ run_size = atoi(argv[2]); + + printf(".section \".rodata..compressed\",\"a\",@progbits\n"); + printf(".globl z_input_len\n"); +@@ -85,6 +88,8 @@ int main(int argc, char *argv[]) + /* z_extract_offset_negative allows simplification of head_32.S */ + printf(".globl z_extract_offset_negative\n"); + printf("z_extract_offset_negative = -0x%lx\n", offs); ++ printf(".globl z_run_size\n"); ++ printf("z_run_size = %lu\n", run_size); + + printf(".globl input_data, input_data_end\n"); + printf("input_data:\n"); +diff --git a/arch/x86/kernel/cpu/microcode/amd_early.c b/arch/x86/kernel/cpu/microcode/amd_early.c +index 617a9e284245..b63773ba1646 100644 +--- a/arch/x86/kernel/cpu/microcode/amd_early.c ++++ b/arch/x86/kernel/cpu/microcode/amd_early.c +@@ -108,12 +108,13 @@ static size_t compute_container_size(u8 *data, u32 total_size) + * load_microcode_amd() to save equivalent cpu table and microcode patches in + * kernel heap memory. 
+ */ +-static void apply_ucode_in_initrd(void *ucode, size_t size) ++static void apply_ucode_in_initrd(void *ucode, size_t size, bool save_patch) + { + struct equiv_cpu_entry *eq; + size_t *cont_sz; + u32 *header; + u8 *data, **cont; ++ u8 (*patch)[PATCH_MAX_SIZE]; + u16 eq_id = 0; + int offset, left; + u32 rev, eax, ebx, ecx, edx; +@@ -123,10 +124,12 @@ static void apply_ucode_in_initrd(void *ucode, size_t size) + new_rev = (u32 *)__pa_nodebug(&ucode_new_rev); + cont_sz = (size_t *)__pa_nodebug(&container_size); + cont = (u8 **)__pa_nodebug(&container); ++ patch = (u8 (*)[PATCH_MAX_SIZE])__pa_nodebug(&amd_ucode_patch); + #else + new_rev = &ucode_new_rev; + cont_sz = &container_size; + cont = &container; ++ patch = &amd_ucode_patch; + #endif + + data = ucode; +@@ -213,9 +216,9 @@ static void apply_ucode_in_initrd(void *ucode, size_t size) + rev = mc->hdr.patch_id; + *new_rev = rev; + +- /* save ucode patch */ +- memcpy(amd_ucode_patch, mc, +- min_t(u32, header[1], PATCH_MAX_SIZE)); ++ if (save_patch) ++ memcpy(patch, mc, ++ min_t(u32, header[1], PATCH_MAX_SIZE)); + } + } + +@@ -246,7 +249,7 @@ void __init load_ucode_amd_bsp(void) + *data = cp.data; + *size = cp.size; + +- apply_ucode_in_initrd(cp.data, cp.size); ++ apply_ucode_in_initrd(cp.data, cp.size, true); + } + + #ifdef CONFIG_X86_32 +@@ -263,7 +266,7 @@ void load_ucode_amd_ap(void) + size_t *usize; + void **ucode; + +- mc = (struct microcode_amd *)__pa(amd_ucode_patch); ++ mc = (struct microcode_amd *)__pa_nodebug(amd_ucode_patch); + if (mc->hdr.patch_id && mc->hdr.processor_rev_id) { + __apply_microcode_amd(mc); + return; +@@ -275,7 +278,7 @@ void load_ucode_amd_ap(void) + if (!*ucode || !*usize) + return; + +- apply_ucode_in_initrd(*ucode, *usize); ++ apply_ucode_in_initrd(*ucode, *usize, false); + } + + static void __init collect_cpu_sig_on_bsp(void *arg) +@@ -339,7 +342,7 @@ void load_ucode_amd_ap(void) + * AP has a different equivalence ID than BSP, looks like + * mixed-steppings silicon so go through the ucode blob anew. + */ +- apply_ucode_in_initrd(ucode_cpio.data, ucode_cpio.size); ++ apply_ucode_in_initrd(ucode_cpio.data, ucode_cpio.size, false); + } + } + #endif +@@ -347,7 +350,9 @@ void load_ucode_amd_ap(void) + int __init save_microcode_in_initrd_amd(void) + { + unsigned long cont; ++ int retval = 0; + enum ucode_state ret; ++ u8 *cont_va; + u32 eax; + + if (!container) +@@ -355,13 +360,15 @@ int __init save_microcode_in_initrd_amd(void) + + #ifdef CONFIG_X86_32 + get_bsp_sig(); +- cont = (unsigned long)container; ++ cont = (unsigned long)container; ++ cont_va = __va(container); + #else + /* + * We need the physical address of the container for both bitness since + * boot_params.hdr.ramdisk_image is a physical address. 
+ */ +- cont = __pa(container); ++ cont = __pa(container); ++ cont_va = container; + #endif + + /* +@@ -372,6 +379,8 @@ int __init save_microcode_in_initrd_amd(void) + if (relocated_ramdisk) + container = (u8 *)(__va(relocated_ramdisk) + + (cont - boot_params.hdr.ramdisk_image)); ++ else ++ container = cont_va; + + if (ucode_new_rev) + pr_info("microcode: updated early to new patch_level=0x%08x\n", +@@ -382,7 +391,7 @@ int __init save_microcode_in_initrd_amd(void) + + ret = load_microcode_amd(eax, container, container_size); + if (ret != UCODE_OK) +- return -EINVAL; ++ retval = -EINVAL; + + /* + * This will be freed any msec now, stash patches for the current +@@ -391,5 +400,5 @@ int __init save_microcode_in_initrd_amd(void) + container = NULL; + container_size = 0; + +- return 0; ++ return retval; + } +diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c +index 1340ebfcb467..5ee8064bd1d2 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel.c ++++ b/arch/x86/kernel/cpu/perf_event_intel.c +@@ -2475,6 +2475,9 @@ __init int intel_pmu_init(void) + case 62: /* IvyBridge EP */ + memcpy(hw_cache_event_ids, snb_hw_cache_event_ids, + sizeof(hw_cache_event_ids)); ++ /* dTLB-load-misses on IVB is different than SNB */ ++ hw_cache_event_ids[C(DTLB)][C(OP_READ)][C(RESULT_MISS)] = 0x8108; /* DTLB_LOAD_MISSES.DEMAND_LD_MISS_CAUSES_A_WALK */ ++ + memcpy(hw_cache_extra_regs, snb_hw_cache_extra_regs, + sizeof(hw_cache_extra_regs)); + +diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c +index 7461f50d5bb1..0686fe313b3b 100644 +--- a/arch/x86/kernel/ptrace.c ++++ b/arch/x86/kernel/ptrace.c +@@ -1441,15 +1441,6 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, + force_sig_info(SIGTRAP, &info, tsk); + } + +- +-#ifdef CONFIG_X86_32 +-# define IS_IA32 1 +-#elif defined CONFIG_IA32_EMULATION +-# define IS_IA32 is_compat_task() +-#else +-# define IS_IA32 0 +-#endif +- + /* + * We must return the syscall number to actually look up in the table. + * This can be -1L to skip running any syscall at all. +@@ -1487,7 +1478,7 @@ long syscall_trace_enter(struct pt_regs *regs) + if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) + trace_sys_enter(regs, regs->orig_ax); + +- if (IS_IA32) ++ if (is_ia32_task()) + audit_syscall_entry(AUDIT_ARCH_I386, + regs->orig_ax, + regs->bx, regs->cx, +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 51c2851ca243..fab97ade0fc8 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4911,7 +4911,7 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu) + + ++vcpu->stat.insn_emulation_fail; + trace_kvm_emulate_insn_failed(vcpu); +- if (!is_guest_mode(vcpu)) { ++ if (!is_guest_mode(vcpu) && kvm_x86_ops->get_cpl(vcpu) == 0) { + vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; + vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; + vcpu->run->internal.ndata = 0; +diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c +index c96314abd144..0004ac72dbdd 100644 +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -399,13 +399,20 @@ int pmdp_test_and_clear_young(struct vm_area_struct *vma, + int ptep_clear_flush_young(struct vm_area_struct *vma, + unsigned long address, pte_t *ptep) + { +- int young; +- +- young = ptep_test_and_clear_young(vma, address, ptep); +- if (young) +- flush_tlb_page(vma, address); +- +- return young; ++ /* ++ * On x86 CPUs, clearing the accessed bit without a TLB flush ++ * doesn't cause data corruption. 
[ It could cause incorrect ++ * page aging and the (mistaken) reclaim of hot pages, but the ++ * chance of that should be relatively low. ] ++ * ++ * So as a performance optimization don't flush the TLB when ++ * clearing the accessed bit, it will eventually be flushed by ++ * a context switch or a VM operation anyway. [ In the rare ++ * event of it not getting flushed for a long time the delay ++ * shouldn't really matter because there's no real memory ++ * pressure for swapout to react to. ] ++ */ ++ return ptep_test_and_clear_young(vma, address, ptep); + } + + #ifdef CONFIG_TRANSPARENT_HUGEPAGE +diff --git a/arch/x86/tools/calc_run_size.pl b/arch/x86/tools/calc_run_size.pl +new file mode 100644 +index 000000000000..0b0b124d3ece +--- /dev/null ++++ b/arch/x86/tools/calc_run_size.pl +@@ -0,0 +1,30 @@ ++#!/usr/bin/perl ++# ++# Calculate the amount of space needed to run the kernel, including room for ++# the .bss and .brk sections. ++# ++# Usage: ++# objdump -h a.out | perl calc_run_size.pl ++use strict; ++ ++my $mem_size = 0; ++my $file_offset = 0; ++ ++my $sections=" *[0-9]+ \.(?:bss|brk) +"; ++while (<>) { ++ if (/^$sections([0-9a-f]+) +(?:[0-9a-f]+ +){2}([0-9a-f]+)/) { ++ my $size = hex($1); ++ my $offset = hex($2); ++ $mem_size += $size; ++ if ($file_offset == 0) { ++ $file_offset = $offset; ++ } elsif ($file_offset != $offset) { ++ die ".bss and .brk lack common file offset\n"; ++ } ++ } ++} ++ ++if ($file_offset == 0) { ++ die "Never found .bss or .brk file offset\n"; ++} ++printf("%d\n", $mem_size + $file_offset); +diff --git a/arch/xtensa/include/uapi/asm/unistd.h b/arch/xtensa/include/uapi/asm/unistd.h +index b9395529f02d..50084f7c01c8 100644 +--- a/arch/xtensa/include/uapi/asm/unistd.h ++++ b/arch/xtensa/include/uapi/asm/unistd.h +@@ -384,7 +384,8 @@ __SYSCALL(174, sys_chroot, 1) + #define __NR_pivot_root 175 + __SYSCALL(175, sys_pivot_root, 2) + #define __NR_umount 176 +-__SYSCALL(176, sys_umount, 2) ++__SYSCALL(176, sys_oldumount, 1) ++#define __ARCH_WANT_SYS_OLDUMOUNT + #define __NR_swapoff 177 + __SYSCALL(177, sys_swapoff, 1) + #define __NR_sync 178 +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 00663d60f6d4..e662f147d436 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -61,6 +61,7 @@ enum board_ids { + /* board IDs by feature in alphabetical order */ + board_ahci, + board_ahci_ign_iferr, ++ board_ahci_nomsi, + board_ahci_noncq, + board_ahci_nosntf, + board_ahci_yes_fbs, +@@ -122,6 +123,13 @@ static const struct ata_port_info ahci_port_info[] = { + .udma_mask = ATA_UDMA6, + .port_ops = &ahci_ops, + }, ++ [board_ahci_nomsi] = { ++ AHCI_HFLAGS (AHCI_HFLAG_NO_MSI), ++ .flags = AHCI_FLAG_COMMON, ++ .pio_mask = ATA_PIO4, ++ .udma_mask = ATA_UDMA6, ++ .port_ops = &ahci_ops, ++ }, + [board_ahci_noncq] = { + AHCI_HFLAGS (AHCI_HFLAG_NO_NCQ), + .flags = AHCI_FLAG_COMMON, +@@ -314,6 +322,11 @@ static const struct pci_device_id ahci_pci_tbl[] = { + { PCI_VDEVICE(INTEL, 0x8c87), board_ahci }, /* 9 Series RAID */ + { PCI_VDEVICE(INTEL, 0x8c8e), board_ahci }, /* 9 Series RAID */ + { PCI_VDEVICE(INTEL, 0x8c8f), board_ahci }, /* 9 Series RAID */ ++ { PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H AHCI */ ++ { PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H RAID */ ++ { PCI_VDEVICE(INTEL, 0xa105), board_ahci }, /* Sunrise Point-H RAID */ ++ { PCI_VDEVICE(INTEL, 0xa107), board_ahci }, /* Sunrise Point-H RAID */ ++ { PCI_VDEVICE(INTEL, 0xa10f), board_ahci }, /* Sunrise Point-H RAID */ + + /* JMicron 360/1/3/5/6, match class to avoid IDE 
function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, +@@ -476,10 +489,10 @@ static const struct pci_device_id ahci_pci_tbl[] = { + { PCI_VDEVICE(ASMEDIA, 0x0612), board_ahci }, /* ASM1062 */ + + /* +- * Samsung SSDs found on some macbooks. NCQ times out. +- * https://bugzilla.kernel.org/show_bug.cgi?id=60731 ++ * Samsung SSDs found on some macbooks. NCQ times out if MSI is ++ * enabled. https://bugzilla.kernel.org/show_bug.cgi?id=60731 + */ +- { PCI_VDEVICE(SAMSUNG, 0x1600), board_ahci_noncq }, ++ { PCI_VDEVICE(SAMSUNG, 0x1600), board_ahci_nomsi }, + + /* Enmotus */ + { PCI_DEVICE(0x1c44, 0x8000), board_ahci }, +diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c +index 2b25bd83fc9d..c1ea780fca07 100644 +--- a/drivers/ata/sata_rcar.c ++++ b/drivers/ata/sata_rcar.c +@@ -146,6 +146,7 @@ + enum sata_rcar_type { + RCAR_GEN1_SATA, + RCAR_GEN2_SATA, ++ RCAR_R8A7790_ES1_SATA, + }; + + struct sata_rcar_priv { +@@ -763,6 +764,9 @@ static void sata_rcar_setup_port(struct ata_host *host) + ap->udma_mask = ATA_UDMA6; + ap->flags |= ATA_FLAG_SATA; + ++ if (priv->type == RCAR_R8A7790_ES1_SATA) ++ ap->flags |= ATA_FLAG_NO_DIPM; ++ + ioaddr->cmd_addr = base + SDATA_REG; + ioaddr->ctl_addr = base + SSDEVCON_REG; + ioaddr->scr_addr = base + SCRSSTS_REG; +@@ -792,6 +796,7 @@ static void sata_rcar_init_controller(struct ata_host *host) + sata_rcar_gen1_phy_init(priv); + break; + case RCAR_GEN2_SATA: ++ case RCAR_R8A7790_ES1_SATA: + sata_rcar_gen2_phy_init(priv); + break; + default: +@@ -838,6 +843,10 @@ static struct of_device_id sata_rcar_match[] = { + .data = (void *)RCAR_GEN2_SATA + }, + { ++ .compatible = "renesas,sata-r8a7790-es1", ++ .data = (void *)RCAR_R8A7790_ES1_SATA ++ }, ++ { + .compatible = "renesas,sata-r8a7791", + .data = (void *)RCAR_GEN2_SATA + }, +@@ -849,6 +858,7 @@ static const struct platform_device_id sata_rcar_id_table[] = { + { "sata_rcar", RCAR_GEN1_SATA }, /* Deprecated by "sata-r8a7779" */ + { "sata-r8a7779", RCAR_GEN1_SATA }, + { "sata-r8a7790", RCAR_GEN2_SATA }, ++ { "sata-r8a7790-es1", RCAR_R8A7790_ES1_SATA }, + { "sata-r8a7791", RCAR_GEN2_SATA }, + { }, + }; +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index f6cff3be0ed7..2f9a3d8ecbbf 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1557,8 +1557,10 @@ int regmap_bulk_write(struct regmap *map, unsigned int reg, const void *val, + } else { + void *wval; + +- if (!val_count) +- return -EINVAL; ++ if (!val_count) { ++ ret = -EINVAL; ++ goto out; ++ } + + wval = kmemdup(val, val_count * val_bytes, GFP_KERNEL); + if (!wval) { +diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c +index 5814deb6963d..0ebadf93b6c5 100644 +--- a/drivers/block/sunvdc.c ++++ b/drivers/block/sunvdc.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -22,8 +23,8 @@ + + #define DRV_MODULE_NAME "sunvdc" + #define PFX DRV_MODULE_NAME ": " +-#define DRV_MODULE_VERSION "1.0" +-#define DRV_MODULE_RELDATE "June 25, 2007" ++#define DRV_MODULE_VERSION "1.1" ++#define DRV_MODULE_RELDATE "February 13, 2013" + + static char version[] = + DRV_MODULE_NAME ".c:v" DRV_MODULE_VERSION " (" DRV_MODULE_RELDATE ")\n"; +@@ -32,7 +33,7 @@ MODULE_DESCRIPTION("Sun LDOM virtual disk client driver"); + MODULE_LICENSE("GPL"); + MODULE_VERSION(DRV_MODULE_VERSION); + +-#define VDC_TX_RING_SIZE 256 ++#define VDC_TX_RING_SIZE 512 + + #define WAITING_FOR_LINK_UP 0x01 + #define WAITING_FOR_TX_SPACE 0x02 +@@ -65,11 +66,9 @@ struct vdc_port { 
+ u64 operations; + u32 vdisk_size; + u8 vdisk_type; ++ u8 vdisk_mtype; + + char disk_name[32]; +- +- struct vio_disk_geom geom; +- struct vio_disk_vtoc label; + }; + + static inline struct vdc_port *to_vdc_port(struct vio_driver_state *vio) +@@ -79,9 +78,16 @@ static inline struct vdc_port *to_vdc_port(struct vio_driver_state *vio) + + /* Ordered from largest major to lowest */ + static struct vio_version vdc_versions[] = { ++ { .major = 1, .minor = 1 }, + { .major = 1, .minor = 0 }, + }; + ++static inline int vdc_version_supported(struct vdc_port *port, ++ u16 major, u16 minor) ++{ ++ return port->vio.ver.major == major && port->vio.ver.minor >= minor; ++} ++ + #define VDCBLK_NAME "vdisk" + static int vdc_major; + #define PARTITION_SHIFT 3 +@@ -94,18 +100,54 @@ static inline u32 vdc_tx_dring_avail(struct vio_dring_state *dr) + static int vdc_getgeo(struct block_device *bdev, struct hd_geometry *geo) + { + struct gendisk *disk = bdev->bd_disk; +- struct vdc_port *port = disk->private_data; ++ sector_t nsect = get_capacity(disk); ++ sector_t cylinders = nsect; + +- geo->heads = (u8) port->geom.num_hd; +- geo->sectors = (u8) port->geom.num_sec; +- geo->cylinders = port->geom.num_cyl; ++ geo->heads = 0xff; ++ geo->sectors = 0x3f; ++ sector_div(cylinders, geo->heads * geo->sectors); ++ geo->cylinders = cylinders; ++ if ((sector_t)(geo->cylinders + 1) * geo->heads * geo->sectors < nsect) ++ geo->cylinders = 0xffff; + + return 0; + } + ++/* Add ioctl/CDROM_GET_CAPABILITY to support cdrom_id in udev ++ * when vdisk_mtype is VD_MEDIA_TYPE_CD or VD_MEDIA_TYPE_DVD. ++ * Needed to be able to install inside an ldom from an iso image. ++ */ ++static int vdc_ioctl(struct block_device *bdev, fmode_t mode, ++ unsigned command, unsigned long argument) ++{ ++ int i; ++ struct gendisk *disk; ++ ++ switch (command) { ++ case CDROMMULTISESSION: ++ pr_debug(PFX "Multisession CDs not supported\n"); ++ for (i = 0; i < sizeof(struct cdrom_multisession); i++) ++ if (put_user(0, (char __user *)(argument + i))) ++ return -EFAULT; ++ return 0; ++ ++ case CDROM_GET_CAPABILITY: ++ disk = bdev->bd_disk; ++ ++ if (bdev->bd_disk && (disk->flags & GENHD_FL_CD)) ++ return 0; ++ return -EINVAL; ++ ++ default: ++ pr_debug(PFX "ioctl %08x not supported\n", command); ++ return -EINVAL; ++ } ++} ++ + static const struct block_device_operations vdc_fops = { + .owner = THIS_MODULE, + .getgeo = vdc_getgeo, ++ .ioctl = vdc_ioctl, + }; + + static void vdc_finish(struct vio_driver_state *vio, int err, int waiting_for) +@@ -165,9 +207,9 @@ static int vdc_handle_attr(struct vio_driver_state *vio, void *arg) + struct vio_disk_attr_info *pkt = arg; + + viodbg(HS, "GOT ATTR stype[0x%x] ops[%llx] disk_size[%llu] disk_type[%x] " +- "xfer_mode[0x%x] blksz[%u] max_xfer[%llu]\n", ++ "mtype[0x%x] xfer_mode[0x%x] blksz[%u] max_xfer[%llu]\n", + pkt->tag.stype, pkt->operations, +- pkt->vdisk_size, pkt->vdisk_type, ++ pkt->vdisk_size, pkt->vdisk_type, pkt->vdisk_mtype, + pkt->xfer_mode, pkt->vdisk_block_size, + pkt->max_xfer_size); + +@@ -192,8 +234,11 @@ static int vdc_handle_attr(struct vio_driver_state *vio, void *arg) + } + + port->operations = pkt->operations; +- port->vdisk_size = pkt->vdisk_size; + port->vdisk_type = pkt->vdisk_type; ++ if (vdc_version_supported(port, 1, 1)) { ++ port->vdisk_size = pkt->vdisk_size; ++ port->vdisk_mtype = pkt->vdisk_mtype; ++ } + if (pkt->max_xfer_size < port->max_xfer_size) + port->max_xfer_size = pkt->max_xfer_size; + port->vdisk_block_size = pkt->vdisk_block_size; +@@ -236,7 +281,9 @@ static void 
vdc_end_one(struct vdc_port *port, struct vio_dring_state *dr, + + __blk_end_request(req, (desc->status ? -EIO : 0), desc->size); + +- if (blk_queue_stopped(port->disk->queue)) ++ /* restart blk queue when ring is half emptied */ ++ if (blk_queue_stopped(port->disk->queue) && ++ vdc_tx_dring_avail(dr) * 100 / VDC_TX_RING_SIZE >= 50) + blk_start_queue(port->disk->queue); + } + +@@ -388,12 +435,6 @@ static int __send_request(struct request *req) + for (i = 0; i < nsg; i++) + len += sg[i].length; + +- if (unlikely(vdc_tx_dring_avail(dr) < 1)) { +- blk_stop_queue(port->disk->queue); +- err = -ENOMEM; +- goto out; +- } +- + desc = vio_dring_cur(dr); + + err = ldc_map_sg(port->vio.lp, sg, nsg, +@@ -433,21 +474,32 @@ static int __send_request(struct request *req) + port->req_id++; + dr->prod = (dr->prod + 1) & (VDC_TX_RING_SIZE - 1); + } +-out: + + return err; + } + +-static void do_vdc_request(struct request_queue *q) ++static void do_vdc_request(struct request_queue *rq) + { +- while (1) { +- struct request *req = blk_fetch_request(q); ++ struct request *req; + +- if (!req) +- break; ++ while ((req = blk_peek_request(rq)) != NULL) { ++ struct vdc_port *port; ++ struct vio_dring_state *dr; + +- if (__send_request(req) < 0) +- __blk_end_request_all(req, -EIO); ++ port = req->rq_disk->private_data; ++ dr = &port->vio.drings[VIO_DRIVER_TX_RING]; ++ if (unlikely(vdc_tx_dring_avail(dr) < 1)) ++ goto wait; ++ ++ blk_start_request(req); ++ ++ if (__send_request(req) < 0) { ++ blk_requeue_request(rq, req); ++wait: ++ /* Avoid pointless unplugs. */ ++ blk_stop_queue(rq); ++ break; ++ } + } + } + +@@ -656,25 +708,27 @@ static int probe_disk(struct vdc_port *port) + if (comp.err) + return comp.err; + +- err = generic_request(port, VD_OP_GET_VTOC, +- &port->label, sizeof(port->label)); +- if (err < 0) { +- printk(KERN_ERR PFX "VD_OP_GET_VTOC returns error %d\n", err); +- return err; +- } +- +- err = generic_request(port, VD_OP_GET_DISKGEOM, +- &port->geom, sizeof(port->geom)); +- if (err < 0) { +- printk(KERN_ERR PFX "VD_OP_GET_DISKGEOM returns " +- "error %d\n", err); +- return err; ++ if (vdc_version_supported(port, 1, 1)) { ++ /* vdisk_size should be set during the handshake, if it wasn't ++ * then the underlying disk is reserved by another system ++ */ ++ if (port->vdisk_size == -1) ++ return -ENODEV; ++ } else { ++ struct vio_disk_geom geom; ++ ++ err = generic_request(port, VD_OP_GET_DISKGEOM, ++ &geom, sizeof(geom)); ++ if (err < 0) { ++ printk(KERN_ERR PFX "VD_OP_GET_DISKGEOM returns " ++ "error %d\n", err); ++ return err; ++ } ++ port->vdisk_size = ((u64)geom.num_cyl * ++ (u64)geom.num_hd * ++ (u64)geom.num_sec); + } + +- port->vdisk_size = ((u64)port->geom.num_cyl * +- (u64)port->geom.num_hd * +- (u64)port->geom.num_sec); +- + q = blk_init_queue(do_vdc_request, &port->vio.lock); + if (!q) { + printk(KERN_ERR PFX "%s: Could not allocate queue.\n", +@@ -691,6 +745,10 @@ static int probe_disk(struct vdc_port *port) + + port->disk = g; + ++ /* Each segment in a request is up to an aligned page in size. 
*/ ++ blk_queue_segment_boundary(q, PAGE_SIZE - 1); ++ blk_queue_max_segment_size(q, PAGE_SIZE); ++ + blk_queue_max_segments(q, port->ring_cookies); + blk_queue_max_hw_sectors(q, port->max_xfer_size); + g->major = vdc_major; +@@ -704,9 +762,32 @@ static int probe_disk(struct vdc_port *port) + + set_capacity(g, port->vdisk_size); + +- printk(KERN_INFO PFX "%s: %u sectors (%u MB)\n", ++ if (vdc_version_supported(port, 1, 1)) { ++ switch (port->vdisk_mtype) { ++ case VD_MEDIA_TYPE_CD: ++ pr_info(PFX "Virtual CDROM %s\n", port->disk_name); ++ g->flags |= GENHD_FL_CD; ++ g->flags |= GENHD_FL_REMOVABLE; ++ set_disk_ro(g, 1); ++ break; ++ ++ case VD_MEDIA_TYPE_DVD: ++ pr_info(PFX "Virtual DVD %s\n", port->disk_name); ++ g->flags |= GENHD_FL_CD; ++ g->flags |= GENHD_FL_REMOVABLE; ++ set_disk_ro(g, 1); ++ break; ++ ++ case VD_MEDIA_TYPE_FIXED: ++ pr_info(PFX "Virtual Hard disk %s\n", port->disk_name); ++ break; ++ } ++ } ++ ++ pr_info(PFX "%s: %u sectors (%u MB) protocol %d.%d\n", + g->disk_name, +- port->vdisk_size, (port->vdisk_size >> (20 - 9))); ++ port->vdisk_size, (port->vdisk_size >> (20 - 9)), ++ port->vio.ver.major, port->vio.ver.minor); + + add_disk(g); + +@@ -765,6 +846,7 @@ static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id) + else + snprintf(port->disk_name, sizeof(port->disk_name), + VDCBLK_NAME "%c", 'a' + ((int)vdev->dev_no % 26)); ++ port->vdisk_size = -1; + + err = vio_driver_init(&port->vio, vdev, VDEV_DISK, + vdc_versions, ARRAY_SIZE(vdc_versions), +diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c +index 51c557cfd92b..d8ddb8e2adc1 100644 +--- a/drivers/block/zram/zram_drv.c ++++ b/drivers/block/zram/zram_drv.c +@@ -447,7 +447,8 @@ static int zram_bvec_write(struct zram *zram, struct bio_vec *bvec, u32 index, + } + + if (page_zero_filled(uncmem)) { +- kunmap_atomic(user_mem); ++ if (user_mem) ++ kunmap_atomic(user_mem); + /* Free memory associated with this sector now. */ + write_lock(&zram->meta->tb_lock); + zram_free_page(zram, index); +diff --git a/drivers/char/hw_random/pseries-rng.c b/drivers/char/hw_random/pseries-rng.c +index ab7ffdec0ec3..f38f2c13e79c 100644 +--- a/drivers/char/hw_random/pseries-rng.c ++++ b/drivers/char/hw_random/pseries-rng.c +@@ -25,18 +25,21 @@ + #include + + +-static int pseries_rng_data_read(struct hwrng *rng, u32 *data) ++static int pseries_rng_read(struct hwrng *rng, void *data, size_t max, bool wait) + { ++ u64 buffer[PLPAR_HCALL_BUFSIZE]; ++ size_t size = max < 8 ? 
max : 8; + int rc; + +- rc = plpar_hcall(H_RANDOM, (unsigned long *)data); ++ rc = plpar_hcall(H_RANDOM, (unsigned long *)buffer); + if (rc != H_SUCCESS) { + pr_err_ratelimited("H_RANDOM call failed %d\n", rc); + return -EIO; + } ++ memcpy(data, buffer, size); + + /* The hypervisor interface returns 64 bits */ +- return 8; ++ return size; + } + + /** +@@ -55,7 +58,7 @@ static unsigned long pseries_rng_get_desired_dma(struct vio_dev *vdev) + + static struct hwrng pseries_rng = { + .name = KBUILD_MODNAME, +- .data_read = pseries_rng_data_read, ++ .read = pseries_rng_read, + }; + + static int __init pseries_rng_probe(struct vio_dev *dev, +diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c +index a4127453baae..d97a03dbf42c 100644 +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -835,8 +835,9 @@ static int ahash_update_ctx(struct ahash_request *req) + edesc->sec4_sg + sec4_sg_src_index, + chained); + if (*next_buflen) { +- sg_copy_part(next_buf, req->src, to_hash - +- *buflen, req->nbytes); ++ scatterwalk_map_and_copy(next_buf, req->src, ++ to_hash - *buflen, ++ *next_buflen, 0); + state->current_buf = !state->current_buf; + } + } else { +@@ -869,7 +870,8 @@ static int ahash_update_ctx(struct ahash_request *req) + kfree(edesc); + } + } else if (*next_buflen) { +- sg_copy(buf + *buflen, req->src, req->nbytes); ++ scatterwalk_map_and_copy(buf + *buflen, req->src, 0, ++ req->nbytes, 0); + *buflen = *next_buflen; + *next_buflen = last_buflen; + } +@@ -1216,8 +1218,9 @@ static int ahash_update_no_ctx(struct ahash_request *req) + src_map_to_sec4_sg(jrdev, req->src, src_nents, + edesc->sec4_sg + 1, chained); + if (*next_buflen) { +- sg_copy_part(next_buf, req->src, to_hash - *buflen, +- req->nbytes); ++ scatterwalk_map_and_copy(next_buf, req->src, ++ to_hash - *buflen, ++ *next_buflen, 0); + state->current_buf = !state->current_buf; + } + +@@ -1248,7 +1251,8 @@ static int ahash_update_no_ctx(struct ahash_request *req) + kfree(edesc); + } + } else if (*next_buflen) { +- sg_copy(buf + *buflen, req->src, req->nbytes); ++ scatterwalk_map_and_copy(buf + *buflen, req->src, 0, ++ req->nbytes, 0); + *buflen = *next_buflen; + *next_buflen = 0; + } +@@ -1405,7 +1409,8 @@ static int ahash_update_first(struct ahash_request *req) + } + + if (*next_buflen) +- sg_copy_part(next_buf, req->src, to_hash, req->nbytes); ++ scatterwalk_map_and_copy(next_buf, req->src, to_hash, ++ *next_buflen, 0); + + sh_len = desc_len(sh_desc); + desc = edesc->hw_desc; +@@ -1438,7 +1443,8 @@ static int ahash_update_first(struct ahash_request *req) + state->update = ahash_update_no_ctx; + state->finup = ahash_finup_no_ctx; + state->final = ahash_final_no_ctx; +- sg_copy(next_buf, req->src, req->nbytes); ++ scatterwalk_map_and_copy(next_buf, req->src, 0, ++ req->nbytes, 0); + } + #ifdef DEBUG + print_hex_dump(KERN_ERR, "next buf@"__stringify(__LINE__)": ", +diff --git a/drivers/crypto/caam/key_gen.c b/drivers/crypto/caam/key_gen.c +index ea2e406610eb..b872eed2957b 100644 +--- a/drivers/crypto/caam/key_gen.c ++++ b/drivers/crypto/caam/key_gen.c +@@ -51,23 +51,29 @@ int gen_split_key(struct device *jrdev, u8 *key_out, int split_key_len, + u32 *desc; + struct split_key_result result; + dma_addr_t dma_addr_in, dma_addr_out; +- int ret = 0; ++ int ret = -ENOMEM; + + desc = kmalloc(CAAM_CMD_SZ * 6 + CAAM_PTR_SZ * 2, GFP_KERNEL | GFP_DMA); + if (!desc) { + dev_err(jrdev, "unable to allocate key input memory\n"); +- return -ENOMEM; ++ return ret; + } + +- init_job_desc(desc, 0); +- + 
dma_addr_in = dma_map_single(jrdev, (void *)key_in, keylen, + DMA_TO_DEVICE); + if (dma_mapping_error(jrdev, dma_addr_in)) { + dev_err(jrdev, "unable to map key input memory\n"); +- kfree(desc); +- return -ENOMEM; ++ goto out_free; + } ++ ++ dma_addr_out = dma_map_single(jrdev, key_out, split_key_pad_len, ++ DMA_FROM_DEVICE); ++ if (dma_mapping_error(jrdev, dma_addr_out)) { ++ dev_err(jrdev, "unable to map key output memory\n"); ++ goto out_unmap_in; ++ } ++ ++ init_job_desc(desc, 0); + append_key(desc, dma_addr_in, keylen, CLASS_2 | KEY_DEST_CLASS_REG); + + /* Sets MDHA up into an HMAC-INIT */ +@@ -84,13 +90,6 @@ int gen_split_key(struct device *jrdev, u8 *key_out, int split_key_len, + * FIFO_STORE with the explicit split-key content store + * (0x26 output type) + */ +- dma_addr_out = dma_map_single(jrdev, key_out, split_key_pad_len, +- DMA_FROM_DEVICE); +- if (dma_mapping_error(jrdev, dma_addr_out)) { +- dev_err(jrdev, "unable to map key output memory\n"); +- kfree(desc); +- return -ENOMEM; +- } + append_fifo_store(desc, dma_addr_out, split_key_len, + LDST_CLASS_2_CCB | FIFOST_TYPE_SPLIT_KEK); + +@@ -118,10 +117,10 @@ int gen_split_key(struct device *jrdev, u8 *key_out, int split_key_len, + + dma_unmap_single(jrdev, dma_addr_out, split_key_pad_len, + DMA_FROM_DEVICE); ++out_unmap_in: + dma_unmap_single(jrdev, dma_addr_in, keylen, DMA_TO_DEVICE); +- ++out_free: + kfree(desc); +- + return ret; + } + EXPORT_SYMBOL(gen_split_key); +diff --git a/drivers/crypto/caam/sg_sw_sec4.h b/drivers/crypto/caam/sg_sw_sec4.h +index b12ff85f4241..ce28a563effc 100644 +--- a/drivers/crypto/caam/sg_sw_sec4.h ++++ b/drivers/crypto/caam/sg_sw_sec4.h +@@ -116,57 +116,3 @@ static int dma_unmap_sg_chained(struct device *dev, struct scatterlist *sg, + } + return nents; + } +- +-/* Map SG page in kernel virtual address space and copy */ +-static inline void sg_map_copy(u8 *dest, struct scatterlist *sg, +- int len, int offset) +-{ +- u8 *mapped_addr; +- +- /* +- * Page here can be user-space pinned using get_user_pages +- * Same must be kmapped before use and kunmapped subsequently +- */ +- mapped_addr = kmap_atomic(sg_page(sg)); +- memcpy(dest, mapped_addr + offset, len); +- kunmap_atomic(mapped_addr); +-} +- +-/* Copy from len bytes of sg to dest, starting from beginning */ +-static inline void sg_copy(u8 *dest, struct scatterlist *sg, unsigned int len) +-{ +- struct scatterlist *current_sg = sg; +- int cpy_index = 0, next_cpy_index = current_sg->length; +- +- while (next_cpy_index < len) { +- sg_map_copy(dest + cpy_index, current_sg, current_sg->length, +- current_sg->offset); +- current_sg = scatterwalk_sg_next(current_sg); +- cpy_index = next_cpy_index; +- next_cpy_index += current_sg->length; +- } +- if (cpy_index < len) +- sg_map_copy(dest + cpy_index, current_sg, len-cpy_index, +- current_sg->offset); +-} +- +-/* Copy sg data, from to_skip to end, to dest */ +-static inline void sg_copy_part(u8 *dest, struct scatterlist *sg, +- int to_skip, unsigned int end) +-{ +- struct scatterlist *current_sg = sg; +- int sg_index, cpy_index, offset; +- +- sg_index = current_sg->length; +- while (sg_index <= to_skip) { +- current_sg = scatterwalk_sg_next(current_sg); +- sg_index += current_sg->length; +- } +- cpy_index = sg_index - to_skip; +- offset = current_sg->offset + current_sg->length - cpy_index; +- sg_map_copy(dest, current_sg, cpy_index, offset); +- if (end - sg_index) { +- current_sg = scatterwalk_sg_next(current_sg); +- sg_copy(dest + cpy_index, current_sg, end - sg_index); +- } +-} +diff --git 
a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c +index d7d5c8af92b9..6d4456898007 100644 +--- a/drivers/firewire/core-cdev.c ++++ b/drivers/firewire/core-cdev.c +@@ -1637,8 +1637,7 @@ static int dispatch_ioctl(struct client *client, + _IOC_SIZE(cmd) > sizeof(buffer)) + return -ENOTTY; + +- if (_IOC_DIR(cmd) == _IOC_READ) +- memset(&buffer, 0, _IOC_SIZE(cmd)); ++ memset(&buffer, 0, sizeof(buffer)); + + if (_IOC_DIR(cmd) & _IOC_WRITE) + if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd))) +diff --git a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c +index ab5c26575622..ddf70d6c0270 100644 +--- a/drivers/gpu/drm/radeon/cik.c ++++ b/drivers/gpu/drm/radeon/cik.c +@@ -3936,8 +3936,8 @@ static int cik_cp_gfx_start(struct radeon_device *rdev) + /* init the CE partitions. CE only used for gfx on CIK */ + radeon_ring_write(ring, PACKET3(PACKET3_SET_BASE, 2)); + radeon_ring_write(ring, PACKET3_BASE_INDEX(CE_PARTITION_BASE)); +- radeon_ring_write(ring, 0xc000); +- radeon_ring_write(ring, 0xc000); ++ radeon_ring_write(ring, 0x8000); ++ radeon_ring_write(ring, 0x8000); + + /* setup clear context state */ + radeon_ring_write(ring, PACKET3(PACKET3_PREAMBLE_CNTL, 0)); +@@ -8893,6 +8893,9 @@ void dce8_bandwidth_update(struct radeon_device *rdev) + u32 num_heads = 0, lb_size; + int i; + ++ if (!rdev->mode_info.mode_config_initialized) ++ return; ++ + radeon_update_display_priority(rdev); + + for (i = 0; i < rdev->num_crtc; i++) { +diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c +index 4b3c5f7ae63b..7138f3e31b7c 100644 +--- a/drivers/gpu/drm/radeon/evergreen.c ++++ b/drivers/gpu/drm/radeon/evergreen.c +@@ -2362,6 +2362,9 @@ void evergreen_bandwidth_update(struct radeon_device *rdev) + u32 num_heads = 0, lb_size; + int i; + ++ if (!rdev->mode_info.mode_config_initialized) ++ return; ++ + radeon_update_display_priority(rdev); + + for (i = 0; i < rdev->num_crtc; i++) { +@@ -2570,6 +2573,7 @@ void evergreen_mc_stop(struct radeon_device *rdev, struct evergreen_mc_save *sav + WREG32(EVERGREEN_CRTC_UPDATE_LOCK + crtc_offsets[i], 1); + tmp |= EVERGREEN_CRTC_BLANK_DATA_EN; + WREG32(EVERGREEN_CRTC_BLANK_CONTROL + crtc_offsets[i], tmp); ++ WREG32(EVERGREEN_CRTC_UPDATE_LOCK + crtc_offsets[i], 0); + } + } else { + tmp = RREG32(EVERGREEN_CRTC_CONTROL + crtc_offsets[i]); +diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c +index 3cc78bb66042..07620e198a6d 100644 +--- a/drivers/gpu/drm/radeon/r100.c ++++ b/drivers/gpu/drm/radeon/r100.c +@@ -3219,6 +3219,9 @@ void r100_bandwidth_update(struct radeon_device *rdev) + uint32_t pixel_bytes1 = 0; + uint32_t pixel_bytes2 = 0; + ++ if (!rdev->mode_info.mode_config_initialized) ++ return; ++ + radeon_update_display_priority(rdev); + + if (rdev->mode_info.crtcs[0]->base.enabled) { +diff --git a/drivers/gpu/drm/radeon/rs600.c b/drivers/gpu/drm/radeon/rs600.c +index 95b693c11640..e5619d5e2a30 100644 +--- a/drivers/gpu/drm/radeon/rs600.c ++++ b/drivers/gpu/drm/radeon/rs600.c +@@ -890,6 +890,9 @@ void rs600_bandwidth_update(struct radeon_device *rdev) + u32 d1mode_priority_a_cnt, d2mode_priority_a_cnt; + /* FIXME: implement full support */ + ++ if (!rdev->mode_info.mode_config_initialized) ++ return; ++ + radeon_update_display_priority(rdev); + + if (rdev->mode_info.crtcs[0]->base.enabled) +diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c +index 3462b64369bf..0a2d36e81108 100644 +--- a/drivers/gpu/drm/radeon/rs690.c ++++ b/drivers/gpu/drm/radeon/rs690.c +@@ -579,6 +579,9 @@ 
void rs690_bandwidth_update(struct radeon_device *rdev) + u32 d1mode_priority_a_cnt, d1mode_priority_b_cnt; + u32 d2mode_priority_a_cnt, d2mode_priority_b_cnt; + ++ if (!rdev->mode_info.mode_config_initialized) ++ return; ++ + radeon_update_display_priority(rdev); + + if (rdev->mode_info.crtcs[0]->base.enabled) +diff --git a/drivers/gpu/drm/radeon/rv515.c b/drivers/gpu/drm/radeon/rv515.c +index 237dd29d9f1c..b49965a21a2d 100644 +--- a/drivers/gpu/drm/radeon/rv515.c ++++ b/drivers/gpu/drm/radeon/rv515.c +@@ -1276,6 +1276,9 @@ void rv515_bandwidth_update(struct radeon_device *rdev) + struct drm_display_mode *mode0 = NULL; + struct drm_display_mode *mode1 = NULL; + ++ if (!rdev->mode_info.mode_config_initialized) ++ return; ++ + radeon_update_display_priority(rdev); + + if (rdev->mode_info.crtcs[0]->base.enabled) +diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c +index 559564c1dc97..52b64ad285d6 100644 +--- a/drivers/gpu/drm/radeon/si.c ++++ b/drivers/gpu/drm/radeon/si.c +@@ -2227,6 +2227,9 @@ void dce6_bandwidth_update(struct radeon_device *rdev) + u32 num_heads = 0, lb_size; + int i; + ++ if (!rdev->mode_info.mode_config_initialized) ++ return; ++ + radeon_update_display_priority(rdev); + + for (i = 0; i < rdev->num_crtc; i++) { +diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c +index ea6203ee7bcc..23467a2abd62 100644 +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -2425,6 +2425,8 @@ ssize_t ib_uverbs_create_ah(struct ib_uverbs_file *file, + attr.grh.sgid_index = cmd.attr.grh.sgid_index; + attr.grh.hop_limit = cmd.attr.grh.hop_limit; + attr.grh.traffic_class = cmd.attr.grh.traffic_class; ++ attr.vlan_id = 0; ++ memset(&attr.dmac, 0, sizeof(attr.dmac)); + memcpy(attr.grh.dgid.raw, cmd.attr.grh.dgid, 16); + + ah = ib_create_ah(pd, &attr); +diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c +index fb15c64ffb95..4979b00fbf04 100644 +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -1047,7 +1047,13 @@ static psmouse_ret_t alps_process_byte(struct psmouse *psmouse) + { + struct alps_data *priv = psmouse->private; + +- if ((psmouse->packet[0] & 0xc8) == 0x08) { /* PS/2 packet */ ++ /* ++ * Check if we are dealing with a bare PS/2 packet, presumably from ++ * a device connected to the external PS/2 port. Because bare PS/2 ++ * protocol does not have enough constant bits to self-synchronize ++ * properly we only do this if the device is fully synchronized. ++ */ ++ if (!psmouse->out_of_sync_cnt && (psmouse->packet[0] & 0xc8) == 0x08) { + if (psmouse->pktcnt == 3) { + alps_report_bare_ps2_packet(psmouse, psmouse->packet, + true); +@@ -1071,12 +1077,27 @@ static psmouse_ret_t alps_process_byte(struct psmouse *psmouse) + } + + /* Bytes 2 - pktsize should have 0 in the highest bit */ +- if ((priv->proto_version < ALPS_PROTO_V5) && ++ if (priv->proto_version < ALPS_PROTO_V5 && + psmouse->pktcnt >= 2 && psmouse->pktcnt <= psmouse->pktsize && + (psmouse->packet[psmouse->pktcnt - 1] & 0x80)) { + psmouse_dbg(psmouse, "refusing packet[%i] = %x\n", + psmouse->pktcnt - 1, + psmouse->packet[psmouse->pktcnt - 1]); ++ ++ if (priv->proto_version == ALPS_PROTO_V3 && ++ psmouse->pktcnt == psmouse->pktsize) { ++ /* ++ * Some Dell boxes, such as Latitude E6440 or E7440 ++ * with closed lid, quite often smash last byte of ++ * otherwise valid packet with 0xff. 
Given that the ++ * next packet is very likely to be valid let's ++ * report PSMOUSE_FULL_PACKET but not process data, ++ * rather than reporting PSMOUSE_BAD_DATA and ++ * filling the logs. ++ */ ++ return PSMOUSE_FULL_PACKET; ++ } ++ + return PSMOUSE_BAD_DATA; + } + +@@ -2148,6 +2169,9 @@ int alps_init(struct psmouse *psmouse) + /* We are having trouble resyncing ALPS touchpads so disable it for now */ + psmouse->resync_time = 0; + ++ /* Allow 2 invalid packets without resetting device */ ++ psmouse->resetafter = psmouse->pktsize * 2; ++ + return 0; + + init_fail: +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c +index a50a2a7a43f7..1e76eb8f06c7 100644 +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -132,8 +132,8 @@ static const struct min_max_quirk min_max_pnpid_table[] = { + 1232, 5710, 1156, 4696 + }, + { +- (const char * const []){"LEN0034", "LEN0036", "LEN2002", +- "LEN2004", NULL}, ++ (const char * const []){"LEN0034", "LEN0036", "LEN0039", ++ "LEN2002", "LEN2004", NULL}, + 1024, 5112, 2024, 4832 + }, + { +@@ -160,6 +160,7 @@ static const char * const topbuttonpad_pnp_ids[] = { + "LEN0036", /* T440 */ + "LEN0037", + "LEN0038", ++ "LEN0039", /* T440s */ + "LEN0041", + "LEN0042", /* Yoga */ + "LEN0045", +diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c +index ca1621b49453..a1cebf745b22 100644 +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -1448,9 +1448,9 @@ static void drop_buffers(struct dm_bufio_client *c) + + /* + * Test if the buffer is unused and too old, and commit it. +- * At if noio is set, we must not do any I/O because we hold +- * dm_bufio_clients_lock and we would risk deadlock if the I/O gets rerouted to +- * different bufio client. ++ * And if GFP_NOFS is used, we must not do any I/O because we hold ++ * dm_bufio_clients_lock and we would risk deadlock if the I/O gets ++ * rerouted to different bufio client. + */ + static int __cleanup_old_buffer(struct dm_buffer *b, gfp_t gfp, + unsigned long max_jiffies) +@@ -1458,7 +1458,7 @@ static int __cleanup_old_buffer(struct dm_buffer *b, gfp_t gfp, + if (jiffies - b->last_accessed < max_jiffies) + return 0; + +- if (!(gfp & __GFP_IO)) { ++ if (!(gfp & __GFP_FS)) { + if (test_bit(B_READING, &b->state) || + test_bit(B_WRITING, &b->state) || + test_bit(B_DIRTY, &b->state)) +@@ -1500,7 +1500,7 @@ dm_bufio_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) + unsigned long freed; + + c = container_of(shrink, struct dm_bufio_client, shrinker); +- if (sc->gfp_mask & __GFP_IO) ++ if (sc->gfp_mask & __GFP_FS) + dm_bufio_lock(c); + else if (!dm_bufio_trylock(c)) + return SHRINK_STOP; +@@ -1517,7 +1517,7 @@ dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc) + unsigned long count; + + c = container_of(shrink, struct dm_bufio_client, shrinker); +- if (sc->gfp_mask & __GFP_IO) ++ if (sc->gfp_mask & __GFP_FS) + dm_bufio_lock(c); + else if (!dm_bufio_trylock(c)) + return 0; +diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c +index 4880b69e2e9e..59715389b3cf 100644 +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -785,8 +785,7 @@ struct dm_raid_superblock { + __le32 layout; + __le32 stripe_sectors; + +- __u8 pad[452]; /* Round struct to 512 bytes. */ +- /* Always set to 0 when writing. */ ++ /* Remainder of a logical block is zero-filled when writing (see super_sync()). 
*/ + } __packed; + + static int read_disk_sb(struct md_rdev *rdev, int size) +@@ -823,7 +822,7 @@ static void super_sync(struct mddev *mddev, struct md_rdev *rdev) + test_bit(Faulty, &(rs->dev[i].rdev.flags))) + failed_devices |= (1ULL << i); + +- memset(sb, 0, sizeof(*sb)); ++ memset(sb + 1, 0, rdev->sb_size - sizeof(*sb)); + + sb->magic = cpu_to_le32(DM_RAID_MAGIC); + sb->features = cpu_to_le32(0); /* No features yet */ +@@ -858,7 +857,11 @@ static int super_load(struct md_rdev *rdev, struct md_rdev *refdev) + uint64_t events_sb, events_refsb; + + rdev->sb_start = 0; +- rdev->sb_size = sizeof(*sb); ++ rdev->sb_size = bdev_logical_block_size(rdev->meta_bdev); ++ if (rdev->sb_size < sizeof(*sb) || rdev->sb_size > PAGE_SIZE) { ++ DMERR("superblock size of a logical block is no longer valid"); ++ return -EINVAL; ++ } + + ret = read_disk_sb(rdev, rdev->sb_size); + if (ret) +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c +index 359af3a519b5..37f2648c112b 100644 +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -1704,6 +1704,14 @@ static int thin_bio_map(struct dm_target *ti, struct bio *bio) + return DM_MAPIO_SUBMITTED; + } + ++ /* ++ * We must hold the virtual cell before doing the lookup, otherwise ++ * there's a race with discard. ++ */ ++ build_virtual_key(tc->td, block, &key); ++ if (dm_bio_detain(tc->pool->prison, &key, bio, &cell1, &cell_result)) ++ return DM_MAPIO_SUBMITTED; ++ + r = dm_thin_find_block(td, block, 0, &result); + + /* +@@ -1727,13 +1735,10 @@ static int thin_bio_map(struct dm_target *ti, struct bio *bio) + * shared flag will be set in their case. + */ + thin_defer_bio(tc, bio); ++ cell_defer_no_holder_no_free(tc, &cell1); + return DM_MAPIO_SUBMITTED; + } + +- build_virtual_key(tc->td, block, &key); +- if (dm_bio_detain(tc->pool->prison, &key, bio, &cell1, &cell_result)) +- return DM_MAPIO_SUBMITTED; +- + build_data_key(tc->td, result.block, &key); + if (dm_bio_detain(tc->pool->prison, &key, bio, &cell2, &cell_result)) { + cell_defer_no_holder_no_free(tc, &cell1); +@@ -1754,6 +1759,7 @@ static int thin_bio_map(struct dm_target *ti, struct bio *bio) + * of doing so. + */ + handle_unserviceable_bio(tc->pool, bio); ++ cell_defer_no_holder_no_free(tc, &cell1); + return DM_MAPIO_SUBMITTED; + } + /* fall through */ +@@ -1764,6 +1770,7 @@ static int thin_bio_map(struct dm_target *ti, struct bio *bio) + * provide the hint to load the metadata into cache. + */ + thin_defer_bio(tc, bio); ++ cell_defer_no_holder_no_free(tc, &cell1); + return DM_MAPIO_SUBMITTED; + + default: +@@ -1773,6 +1780,7 @@ static int thin_bio_map(struct dm_target *ti, struct bio *bio) + * pool is switched to fail-io mode. 
+ */ + bio_io_error(bio); ++ cell_defer_no_holder_no_free(tc, &cell1); + return DM_MAPIO_SUBMITTED; + } + } +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 73aedcb639c0..40959ee73583 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5333,6 +5333,7 @@ static int md_set_readonly(struct mddev *mddev, struct block_device *bdev) + printk("md: %s still in use.\n",mdname(mddev)); + if (did_freeze) { + clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); ++ set_bit(MD_RECOVERY_NEEDED, &mddev->recovery); + md_wakeup_thread(mddev->thread); + } + err = -EBUSY; +@@ -5347,6 +5348,8 @@ static int md_set_readonly(struct mddev *mddev, struct block_device *bdev) + mddev->ro = 1; + set_disk_ro(mddev->gendisk, 1); + clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); ++ set_bit(MD_RECOVERY_NEEDED, &mddev->recovery); ++ md_wakeup_thread(mddev->thread); + sysfs_notify_dirent_safe(mddev->sysfs_state); + err = 0; + } +@@ -5390,6 +5393,7 @@ static int do_md_stop(struct mddev * mddev, int mode, + mutex_unlock(&mddev->open_mutex); + if (did_freeze) { + clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); ++ set_bit(MD_RECOVERY_NEEDED, &mddev->recovery); + md_wakeup_thread(mddev->thread); + } + return -EBUSY; +diff --git a/drivers/md/persistent-data/dm-btree-internal.h b/drivers/md/persistent-data/dm-btree-internal.h +index 37d367bb9aa8..bf2b80d5c470 100644 +--- a/drivers/md/persistent-data/dm-btree-internal.h ++++ b/drivers/md/persistent-data/dm-btree-internal.h +@@ -42,6 +42,12 @@ struct btree_node { + } __packed; + + ++/* ++ * Locks a block using the btree node validator. ++ */ ++int bn_read_lock(struct dm_btree_info *info, dm_block_t b, ++ struct dm_block **result); ++ + void inc_children(struct dm_transaction_manager *tm, struct btree_node *n, + struct dm_btree_value_type *vt); + +diff --git a/drivers/md/persistent-data/dm-btree-spine.c b/drivers/md/persistent-data/dm-btree-spine.c +index cf9fd676ae44..1b5e13ec7f96 100644 +--- a/drivers/md/persistent-data/dm-btree-spine.c ++++ b/drivers/md/persistent-data/dm-btree-spine.c +@@ -92,7 +92,7 @@ struct dm_block_validator btree_node_validator = { + + /*----------------------------------------------------------------*/ + +-static int bn_read_lock(struct dm_btree_info *info, dm_block_t b, ++int bn_read_lock(struct dm_btree_info *info, dm_block_t b, + struct dm_block **result) + { + return dm_tm_read_lock(info->tm, b, &btree_node_validator, result); +diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c +index 416060c25709..200ac12a1d40 100644 +--- a/drivers/md/persistent-data/dm-btree.c ++++ b/drivers/md/persistent-data/dm-btree.c +@@ -847,22 +847,26 @@ EXPORT_SYMBOL_GPL(dm_btree_find_lowest_key); + * FIXME: We shouldn't use a recursive algorithm when we have limited stack + * space. Also this only works for single level trees. 
+ */ +-static int walk_node(struct ro_spine *s, dm_block_t block, ++static int walk_node(struct dm_btree_info *info, dm_block_t block, + int (*fn)(void *context, uint64_t *keys, void *leaf), + void *context) + { + int r; + unsigned i, nr; ++ struct dm_block *node; + struct btree_node *n; + uint64_t keys; + +- r = ro_step(s, block); +- n = ro_node(s); ++ r = bn_read_lock(info, block, &node); ++ if (r) ++ return r; ++ ++ n = dm_block_data(node); + + nr = le32_to_cpu(n->header.nr_entries); + for (i = 0; i < nr; i++) { + if (le32_to_cpu(n->header.flags) & INTERNAL_NODE) { +- r = walk_node(s, value64(n, i), fn, context); ++ r = walk_node(info, value64(n, i), fn, context); + if (r) + goto out; + } else { +@@ -874,7 +878,7 @@ static int walk_node(struct ro_spine *s, dm_block_t block, + } + + out: +- ro_pop(s); ++ dm_tm_unlock(info->tm, node); + return r; + } + +@@ -882,15 +886,7 @@ int dm_btree_walk(struct dm_btree_info *info, dm_block_t root, + int (*fn)(void *context, uint64_t *keys, void *leaf), + void *context) + { +- int r; +- struct ro_spine spine; +- + BUG_ON(info->levels > 1); +- +- init_ro_spine(&spine, info); +- r = walk_node(&spine, root, fn, context); +- exit_ro_spine(&spine); +- +- return r; ++ return walk_node(info, root, fn, context); + } + EXPORT_SYMBOL_GPL(dm_btree_walk); +diff --git a/drivers/media/usb/ttusb-dec/ttusbdecfe.c b/drivers/media/usb/ttusb-dec/ttusbdecfe.c +index 5c45c9d0712d..9c29552aedec 100644 +--- a/drivers/media/usb/ttusb-dec/ttusbdecfe.c ++++ b/drivers/media/usb/ttusb-dec/ttusbdecfe.c +@@ -156,6 +156,9 @@ static int ttusbdecfe_dvbs_diseqc_send_master_cmd(struct dvb_frontend* fe, struc + 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00 }; + ++ if (cmd->msg_len > sizeof(b) - 4) ++ return -EINVAL; ++ + memcpy(&b[4], cmd->msg, cmd->msg_len); + + state->config->send_command(fe, 0x72, +diff --git a/drivers/net/ethernet/smsc/smsc911x.c b/drivers/net/ethernet/smsc/smsc911x.c +index 6382b7c416f4..e10f5ed26181 100644 +--- a/drivers/net/ethernet/smsc/smsc911x.c ++++ b/drivers/net/ethernet/smsc/smsc911x.c +@@ -1341,6 +1341,42 @@ static void smsc911x_rx_multicast_update_workaround(struct smsc911x_data *pdata) + spin_unlock(&pdata->mac_lock); + } + ++static int smsc911x_phy_general_power_up(struct smsc911x_data *pdata) ++{ ++ int rc = 0; ++ ++ if (!pdata->phy_dev) ++ return rc; ++ ++ /* If the internal PHY is in General Power-Down mode, all, except the ++ * management interface, is powered-down and stays in that condition as ++ * long as Phy register bit 0.11 is HIGH. ++ * ++ * In that case, clear the bit 0.11, so the PHY powers up and we can ++ * access to the phy registers. ++ */ ++ rc = phy_read(pdata->phy_dev, MII_BMCR); ++ if (rc < 0) { ++ SMSC_WARN(pdata, drv, "Failed reading PHY control reg"); ++ return rc; ++ } ++ ++ /* If the PHY general power-down bit is not set is not necessary to ++ * disable the general power down-mode. ++ */ ++ if (rc & BMCR_PDOWN) { ++ rc = phy_write(pdata->phy_dev, MII_BMCR, rc & ~BMCR_PDOWN); ++ if (rc < 0) { ++ SMSC_WARN(pdata, drv, "Failed writing PHY control reg"); ++ return rc; ++ } ++ ++ usleep_range(1000, 1500); ++ } ++ ++ return 0; ++} ++ + static int smsc911x_phy_disable_energy_detect(struct smsc911x_data *pdata) + { + int rc = 0; +@@ -1414,6 +1450,16 @@ static int smsc911x_soft_reset(struct smsc911x_data *pdata) + int ret; + + /* ++ * Make sure to power-up the PHY chip before doing a reset, otherwise ++ * the reset fails. 
++ */ ++ ret = smsc911x_phy_general_power_up(pdata); ++ if (ret) { ++ SMSC_WARN(pdata, drv, "Failed to power-up the PHY chip"); ++ return ret; ++ } ++ ++ /* + * LAN9210/LAN9211/LAN9220/LAN9221 chips have an internal PHY that + * are initialized in a Energy Detect Power-Down mode that prevents + * the MAC chip to be software reseted. So we have to wakeup the PHY +diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c +index fd411d6e19a2..03ae9def0e0c 100644 +--- a/drivers/net/ethernet/sun/sunvnet.c ++++ b/drivers/net/ethernet/sun/sunvnet.c +@@ -656,7 +656,7 @@ static int vnet_start_xmit(struct sk_buff *skb, struct net_device *dev) + spin_lock_irqsave(&port->vio.lock, flags); + + dr = &port->vio.drings[VIO_DRIVER_TX_RING]; +- if (unlikely(vnet_tx_dring_avail(dr) < 2)) { ++ if (unlikely(vnet_tx_dring_avail(dr) < 1)) { + if (!netif_queue_stopped(dev)) { + netif_stop_queue(dev); + +@@ -704,7 +704,7 @@ static int vnet_start_xmit(struct sk_buff *skb, struct net_device *dev) + dev->stats.tx_bytes += skb->len; + + dr->prod = (dr->prod + 1) & (VNET_TX_RING_SIZE - 1); +- if (unlikely(vnet_tx_dring_avail(dr) < 2)) { ++ if (unlikely(vnet_tx_dring_avail(dr) < 1)) { + netif_stop_queue(dev); + if (vnet_tx_dring_avail(dr) > VNET_TX_WAKEUP_THRESH(dr)) + netif_wake_queue(dev); +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index f30ceb17d5fc..07c942b6ae01 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -66,7 +66,7 @@ static struct cdev macvtap_cdev; + static const struct proto_ops macvtap_socket_ops; + + #define TUN_OFFLOADS (NETIF_F_HW_CSUM | NETIF_F_TSO_ECN | NETIF_F_TSO | \ +- NETIF_F_TSO6) ++ NETIF_F_TSO6 | NETIF_F_UFO) + #define RX_OFFLOADS (NETIF_F_GRO | NETIF_F_LRO) + #define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG) + +@@ -570,8 +570,6 @@ static int macvtap_skb_from_vnet_hdr(struct sk_buff *skb, + gso_type = SKB_GSO_TCPV6; + break; + case VIRTIO_NET_HDR_GSO_UDP: +- pr_warn_once("macvtap: %s: using disabled UFO feature; please fix this program\n", +- current->comm); + gso_type = SKB_GSO_UDP; + if (skb->protocol == htons(ETH_P_IPV6)) + ipv6_proxy_select_ident(skb); +@@ -619,6 +617,8 @@ static void macvtap_skb_to_vnet_hdr(const struct sk_buff *skb, + vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV4; + else if (sinfo->gso_type & SKB_GSO_TCPV6) + vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV6; ++ else if (sinfo->gso_type & SKB_GSO_UDP) ++ vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_UDP; + else + BUG(); + if (sinfo->gso_type & SKB_GSO_TCP_ECN) +@@ -629,6 +629,8 @@ static void macvtap_skb_to_vnet_hdr(const struct sk_buff *skb, + if (skb->ip_summed == CHECKSUM_PARTIAL) { + vnet_hdr->flags = VIRTIO_NET_HDR_F_NEEDS_CSUM; + vnet_hdr->csum_start = skb_checksum_start_offset(skb); ++ if (vlan_tx_tag_present(skb)) ++ vnet_hdr->csum_start += VLAN_HLEN; + vnet_hdr->csum_offset = skb->csum_offset; + } else if (skb->ip_summed == CHECKSUM_UNNECESSARY) { + vnet_hdr->flags = VIRTIO_NET_HDR_F_DATA_VALID; +@@ -953,6 +955,9 @@ static int set_offload(struct macvtap_queue *q, unsigned long arg) + if (arg & TUN_F_TSO6) + feature_mask |= NETIF_F_TSO6; + } ++ ++ if (arg & TUN_F_UFO) ++ feature_mask |= NETIF_F_UFO; + } + + /* tun/tap driver inverts the usage for TSO offloads, where +@@ -963,7 +968,7 @@ static int set_offload(struct macvtap_queue *q, unsigned long arg) + * When user space turns off TSO, we turn off GSO/LRO so that + * user-space will not receive TSO frames. 
+ */ +- if (feature_mask & (NETIF_F_TSO | NETIF_F_TSO6)) ++ if (feature_mask & (NETIF_F_TSO | NETIF_F_TSO6 | NETIF_F_UFO)) + features |= RX_OFFLOADS; + else + features &= ~RX_OFFLOADS; +@@ -1064,7 +1069,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, + case TUNSETOFFLOAD: + /* let the user check for future flags */ + if (arg & ~(TUN_F_CSUM | TUN_F_TSO4 | TUN_F_TSO6 | +- TUN_F_TSO_ECN)) ++ TUN_F_TSO_ECN | TUN_F_UFO)) + return -EINVAL; + + rtnl_lock(); +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 2c8b1c21c452..ec63314d6480 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -175,7 +175,7 @@ struct tun_struct { + struct net_device *dev; + netdev_features_t set_features; + #define TUN_USER_FEATURES (NETIF_F_HW_CSUM|NETIF_F_TSO_ECN|NETIF_F_TSO| \ +- NETIF_F_TSO6) ++ NETIF_F_TSO6|NETIF_F_UFO) + + int vnet_hdr_sz; + int sndbuf; +@@ -1153,20 +1153,10 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6; + break; + case VIRTIO_NET_HDR_GSO_UDP: +- { +- static bool warned; +- +- if (!warned) { +- warned = true; +- netdev_warn(tun->dev, +- "%s: using disabled UFO feature; please fix this program\n", +- current->comm); +- } + skb_shinfo(skb)->gso_type = SKB_GSO_UDP; + if (skb->protocol == htons(ETH_P_IPV6)) + ipv6_proxy_select_ident(skb); + break; +- } + default: + tun->dev->stats.rx_frame_errors++; + kfree_skb(skb); +@@ -1236,6 +1226,10 @@ static ssize_t tun_put_user(struct tun_struct *tun, + struct tun_pi pi = { 0, skb->protocol }; + ssize_t total = 0; + int vlan_offset = 0, copied; ++ int vlan_hlen = 0; ++ ++ if (vlan_tx_tag_present(skb)) ++ vlan_hlen = VLAN_HLEN; + + if (!(tun->flags & TUN_NO_PI)) { + if ((len -= sizeof(pi)) < 0) +@@ -1266,6 +1260,8 @@ static ssize_t tun_put_user(struct tun_struct *tun, + gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4; + else if (sinfo->gso_type & SKB_GSO_TCPV6) + gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6; ++ else if (sinfo->gso_type & SKB_GSO_UDP) ++ gso.gso_type = VIRTIO_NET_HDR_GSO_UDP; + else { + pr_err("unexpected GSO type: " + "0x%x, gso_size %d, hdr_len %d\n", +@@ -1285,7 +1281,8 @@ static ssize_t tun_put_user(struct tun_struct *tun, + + if (skb->ip_summed == CHECKSUM_PARTIAL) { + gso.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM; +- gso.csum_start = skb_checksum_start_offset(skb); ++ gso.csum_start = skb_checksum_start_offset(skb) + ++ vlan_hlen; + gso.csum_offset = skb->csum_offset; + } else if (skb->ip_summed == CHECKSUM_UNNECESSARY) { + gso.flags = VIRTIO_NET_HDR_F_DATA_VALID; +@@ -1298,10 +1295,9 @@ static ssize_t tun_put_user(struct tun_struct *tun, + } + + copied = total; +- total += skb->len; +- if (!vlan_tx_tag_present(skb)) { +- len = min_t(int, skb->len, len); +- } else { ++ len = min_t(int, skb->len + vlan_hlen, len); ++ total += skb->len + vlan_hlen; ++ if (vlan_hlen) { + int copy, ret; + struct { + __be16 h_vlan_proto; +@@ -1312,8 +1308,6 @@ static ssize_t tun_put_user(struct tun_struct *tun, + veth.h_vlan_TCI = htons(vlan_tx_tag_get(skb)); + + vlan_offset = offsetof(struct vlan_ethhdr, h_vlan_proto); +- len = min_t(int, skb->len + VLAN_HLEN, len); +- total += VLAN_HLEN; + + copy = min_t(int, vlan_offset, len); + ret = skb_copy_datagram_const_iovec(skb, 0, iv, copied, copy); +@@ -1795,6 +1789,11 @@ static int set_offload(struct tun_struct *tun, unsigned long arg) + features |= NETIF_F_TSO6; + arg &= ~(TUN_F_TSO4|TUN_F_TSO6); + } ++ ++ if (arg & TUN_F_UFO) { ++ features |= NETIF_F_UFO; ++ arg &= ~TUN_F_UFO; ++ } + } + + /* This gives the user a way to 
test for new features in future by +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 07a3255fd3cc..841b60831df1 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -496,17 +496,8 @@ static void receive_buf(struct receive_queue *rq, void *buf, unsigned int len) + skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4; + break; + case VIRTIO_NET_HDR_GSO_UDP: +- { +- static bool warned; +- +- if (!warned) { +- warned = true; +- netdev_warn(dev, +- "host using disabled UFO feature; please fix it\n"); +- } + skb_shinfo(skb)->gso_type = SKB_GSO_UDP; + break; +- } + case VIRTIO_NET_HDR_GSO_TCPV6: + skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6; + break; +@@ -845,6 +836,8 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb) + hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_TCPV4; + else if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) + hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_TCPV6; ++ else if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP) ++ hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_UDP; + else + BUG(); + if (skb_shinfo(skb)->gso_type & SKB_GSO_TCP_ECN) +@@ -1664,7 +1657,7 @@ static int virtnet_probe(struct virtio_device *vdev) + dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST; + + if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) { +- dev->hw_features |= NETIF_F_TSO ++ dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO + | NETIF_F_TSO_ECN | NETIF_F_TSO6; + } + /* Individual feature bits: what can host handle? */ +@@ -1674,9 +1667,11 @@ static int virtnet_probe(struct virtio_device *vdev) + dev->hw_features |= NETIF_F_TSO6; + if (virtio_has_feature(vdev, VIRTIO_NET_F_HOST_ECN)) + dev->hw_features |= NETIF_F_TSO_ECN; ++ if (virtio_has_feature(vdev, VIRTIO_NET_F_HOST_UFO)) ++ dev->hw_features |= NETIF_F_UFO; + + if (gso) +- dev->features |= dev->hw_features & NETIF_F_ALL_TSO; ++ dev->features |= dev->hw_features & (NETIF_F_ALL_TSO|NETIF_F_UFO); + /* (!csum && gso) case will be fixed by register_netdev() */ + } + if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM)) +@@ -1716,7 +1711,8 @@ static int virtnet_probe(struct virtio_device *vdev) + /* If we can receive ANY GSO packets, we must allocate large ones. 
*/ + if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) || + virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6) || +- virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN)) ++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN) || ++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_UFO)) + vi->big_packets = true; + + if (virtio_has_feature(vdev, VIRTIO_NET_F_MRG_RXBUF)) +@@ -1907,9 +1903,9 @@ static struct virtio_device_id id_table[] = { + static unsigned int features[] = { + VIRTIO_NET_F_CSUM, VIRTIO_NET_F_GUEST_CSUM, + VIRTIO_NET_F_GSO, VIRTIO_NET_F_MAC, +- VIRTIO_NET_F_HOST_TSO4, VIRTIO_NET_F_HOST_TSO6, ++ VIRTIO_NET_F_HOST_TSO4, VIRTIO_NET_F_HOST_UFO, VIRTIO_NET_F_HOST_TSO6, + VIRTIO_NET_F_HOST_ECN, VIRTIO_NET_F_GUEST_TSO4, VIRTIO_NET_F_GUEST_TSO6, +- VIRTIO_NET_F_GUEST_ECN, ++ VIRTIO_NET_F_GUEST_ECN, VIRTIO_NET_F_GUEST_UFO, + VIRTIO_NET_F_MRG_RXBUF, VIRTIO_NET_F_STATUS, VIRTIO_NET_F_CTRL_VQ, + VIRTIO_NET_F_CTRL_RX, VIRTIO_NET_F_CTRL_VLAN, + VIRTIO_NET_F_GUEST_ANNOUNCE, VIRTIO_NET_F_MQ, +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 0704a0402897..5441b49ef89d 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -279,13 +279,15 @@ static inline struct vxlan_rdst *first_remote_rtnl(struct vxlan_fdb *fdb) + return list_first_entry(&fdb->remotes, struct vxlan_rdst, list); + } + +-/* Find VXLAN socket based on network namespace and UDP port */ +-static struct vxlan_sock *vxlan_find_sock(struct net *net, __be16 port) ++/* Find VXLAN socket based on network namespace, address family and UDP port */ ++static struct vxlan_sock *vxlan_find_sock(struct net *net, ++ sa_family_t family, __be16 port) + { + struct vxlan_sock *vs; + + hlist_for_each_entry_rcu(vs, vs_head(net, port), hlist) { +- if (inet_sk(vs->sock->sk)->inet_sport == port) ++ if (inet_sk(vs->sock->sk)->inet_sport == port && ++ inet_sk(vs->sock->sk)->sk.sk_family == family) + return vs; + } + return NULL; +@@ -304,11 +306,12 @@ static struct vxlan_dev *vxlan_vs_find_vni(struct vxlan_sock *vs, u32 id) + } + + /* Look up VNI in a per net namespace table */ +-static struct vxlan_dev *vxlan_find_vni(struct net *net, u32 id, __be16 port) ++static struct vxlan_dev *vxlan_find_vni(struct net *net, u32 id, ++ sa_family_t family, __be16 port) + { + struct vxlan_sock *vs; + +- vs = vxlan_find_sock(net, port); ++ vs = vxlan_find_sock(net, family, port); + if (!vs) + return NULL; + +@@ -1872,7 +1875,8 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, + struct vxlan_dev *dst_vxlan; + + ip_rt_put(rt); +- dst_vxlan = vxlan_find_vni(dev_net(dev), vni, dst_port); ++ dst_vxlan = vxlan_find_vni(dev_net(dev), vni, ++ dst->sa.sa_family, dst_port); + if (!dst_vxlan) + goto tx_error; + vxlan_encap_bypass(skb, vxlan, dst_vxlan); +@@ -1925,7 +1929,8 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, + struct vxlan_dev *dst_vxlan; + + dst_release(ndst); +- dst_vxlan = vxlan_find_vni(dev_net(dev), vni, dst_port); ++ dst_vxlan = vxlan_find_vni(dev_net(dev), vni, ++ dst->sa.sa_family, dst_port); + if (!dst_vxlan) + goto tx_error; + vxlan_encap_bypass(skb, vxlan, dst_vxlan); +@@ -2083,6 +2088,7 @@ static int vxlan_init(struct net_device *dev) + { + struct vxlan_dev *vxlan = netdev_priv(dev); + struct vxlan_net *vn = net_generic(dev_net(dev), vxlan_net_id); ++ bool ipv6 = vxlan->flags & VXLAN_F_IPV6; + struct vxlan_sock *vs; + int i; + +@@ -2098,7 +2104,8 @@ static int vxlan_init(struct net_device *dev) + + + spin_lock(&vn->sock_lock); +- vs = vxlan_find_sock(dev_net(dev), vxlan->dst_port); ++ vs = 
vxlan_find_sock(dev_net(dev), ipv6 ? AF_INET6 : AF_INET, ++ vxlan->dst_port); + if (vs) { + /* If we have a socket with same port already, reuse it */ + atomic_inc(&vs->refcnt); +@@ -2566,7 +2573,7 @@ struct vxlan_sock *vxlan_sock_add(struct net *net, __be16 port, + return vs; + + spin_lock(&vn->sock_lock); +- vs = vxlan_find_sock(net, port); ++ vs = vxlan_find_sock(net, ipv6 ? AF_INET6 : AF_INET, port); + if (vs) { + if (vs->rcv == rcv) + atomic_inc(&vs->refcnt); +@@ -2712,7 +2719,8 @@ static int vxlan_newlink(struct net *net, struct net_device *dev, + if (data[IFLA_VXLAN_PORT]) + vxlan->dst_port = nla_get_be16(data[IFLA_VXLAN_PORT]); + +- if (vxlan_find_vni(net, vni, vxlan->dst_port)) { ++ if (vxlan_find_vni(net, vni, use_ipv6 ? AF_INET6 : AF_INET, ++ vxlan->dst_port)) { + pr_info("duplicate VNI %u\n", vni); + return -EEXIST; + } +diff --git a/drivers/net/wireless/iwlwifi/iwl-trans.h b/drivers/net/wireless/iwlwifi/iwl-trans.h +index 1f065cf4a4ba..d090ed79ada0 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-trans.h ++++ b/drivers/net/wireless/iwlwifi/iwl-trans.h +@@ -514,6 +514,7 @@ enum iwl_trans_state { + * Set during transport allocation. + * @hw_id_str: a string with info about HW ID. Set during transport allocation. + * @pm_support: set to true in start_hw if link pm is supported ++ * @ltr_enabled: set to true if the LTR is enabled + * @dev_cmd_pool: pool for Tx cmd allocation - for internal use only. + * The user should use iwl_trans_{alloc,free}_tx_cmd. + * @dev_cmd_headroom: room needed for the transport's private use before the +@@ -539,6 +540,7 @@ struct iwl_trans { + u8 rx_mpdu_cmd, rx_mpdu_cmd_hdr_size; + + bool pm_support; ++ bool ltr_enabled; + + /* The following fields are internal only */ + struct kmem_cache *dev_cmd_pool; +diff --git a/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h b/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h +index 884c08725308..fa66471283d9 100644 +--- a/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h ++++ b/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h +@@ -66,13 +66,46 @@ + + /* Power Management Commands, Responses, Notifications */ + ++/** ++ * enum iwl_ltr_config_flags - masks for LTR config command flags ++ * @LTR_CFG_FLAG_FEATURE_ENABLE: Feature operational status ++ * @LTR_CFG_FLAG_HW_DIS_ON_SHADOW_REG_ACCESS: allow LTR change on shadow ++ * memory access ++ * @LTR_CFG_FLAG_HW_EN_SHRT_WR_THROUGH: allow LTR msg send on ANY LTR ++ * reg change ++ * @LTR_CFG_FLAG_HW_DIS_ON_D0_2_D3: allow LTR msg send on transition from ++ * D0 to D3 ++ * @LTR_CFG_FLAG_SW_SET_SHORT: fixed static short LTR register ++ * @LTR_CFG_FLAG_SW_SET_LONG: fixed static short LONG register ++ * @LTR_CFG_FLAG_DENIE_C10_ON_PD: allow going into C10 on PD ++ */ ++enum iwl_ltr_config_flags { ++ LTR_CFG_FLAG_FEATURE_ENABLE = BIT(0), ++ LTR_CFG_FLAG_HW_DIS_ON_SHADOW_REG_ACCESS = BIT(1), ++ LTR_CFG_FLAG_HW_EN_SHRT_WR_THROUGH = BIT(2), ++ LTR_CFG_FLAG_HW_DIS_ON_D0_2_D3 = BIT(3), ++ LTR_CFG_FLAG_SW_SET_SHORT = BIT(4), ++ LTR_CFG_FLAG_SW_SET_LONG = BIT(5), ++ LTR_CFG_FLAG_DENIE_C10_ON_PD = BIT(6), ++}; ++ ++/** ++ * struct iwl_ltr_config_cmd - configures the LTR ++ * @flags: See %enum iwl_ltr_config_flags ++ */ ++struct iwl_ltr_config_cmd { ++ __le32 flags; ++ __le32 static_long; ++ __le32 static_short; ++} __packed; ++ + /* Radio LP RX Energy Threshold measured in dBm */ + #define POWER_LPRX_RSSI_THRESHOLD 75 + #define POWER_LPRX_RSSI_THRESHOLD_MAX 94 + #define POWER_LPRX_RSSI_THRESHOLD_MIN 30 + + /** +- * enum iwl_scan_flags - masks for power table command flags ++ * enum 
iwl_power_flags - masks for power table command flags + * @POWER_FLAGS_POWER_SAVE_ENA_MSK: '1' Allow to save power by turning off + * receiver and transmitter. '0' - does not allow. + * @POWER_FLAGS_POWER_MANAGEMENT_ENA_MSK: '0' Driver disables power management, +diff --git a/drivers/net/wireless/iwlwifi/mvm/fw-api.h b/drivers/net/wireless/iwlwifi/mvm/fw-api.h +index d0a04779d734..d8948aa9c2d2 100644 +--- a/drivers/net/wireless/iwlwifi/mvm/fw-api.h ++++ b/drivers/net/wireless/iwlwifi/mvm/fw-api.h +@@ -142,6 +142,7 @@ enum { + /* Power - legacy power table command */ + POWER_TABLE_CMD = 0x77, + PSM_UAPSD_AP_MISBEHAVING_NOTIFICATION = 0x78, ++ LTR_CONFIG = 0xee, + + /* Thermal Throttling*/ + REPLY_THERMAL_MNG_BACKOFF = 0x7e, +diff --git a/drivers/net/wireless/iwlwifi/mvm/fw.c b/drivers/net/wireless/iwlwifi/mvm/fw.c +index c03d39541f9e..2ef344fc0acb 100644 +--- a/drivers/net/wireless/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/iwlwifi/mvm/fw.c +@@ -439,6 +439,15 @@ int iwl_mvm_up(struct iwl_mvm *mvm) + goto error; + } + ++ if (mvm->trans->ltr_enabled) { ++ struct iwl_ltr_config_cmd cmd = { ++ .flags = cpu_to_le32(LTR_CFG_FLAG_FEATURE_ENABLE), ++ }; ++ ++ WARN_ON(iwl_mvm_send_cmd_pdu(mvm, LTR_CONFIG, 0, ++ sizeof(cmd), &cmd)); ++ } ++ + ret = iwl_mvm_power_update_device_mode(mvm); + if (ret) + goto error; +diff --git a/drivers/net/wireless/iwlwifi/mvm/ops.c b/drivers/net/wireless/iwlwifi/mvm/ops.c +index a3d43de342d7..dbff7f0bc6a8 100644 +--- a/drivers/net/wireless/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/iwlwifi/mvm/ops.c +@@ -313,6 +313,7 @@ static const char *iwl_mvm_cmd_strings[REPLY_MAX] = { + CMD(REPLY_BEACON_FILTERING_CMD), + CMD(REPLY_THERMAL_MNG_BACKOFF), + CMD(MAC_PM_POWER_TABLE), ++ CMD(LTR_CONFIG), + CMD(BT_COEX_CI), + CMD(PSM_UAPSD_AP_MISBEHAVING_NOTIFICATION), + }; +diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c +index 16be0c07c64a..fb62927ca44d 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c +@@ -94,6 +94,7 @@ static void iwl_pcie_apm_config(struct iwl_trans *trans) + { + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); + u16 lctl; ++ u16 cap; + + /* + * HW bug W/A for instability in PCIe bus L0S->L1 transition. +@@ -104,16 +105,17 @@ static void iwl_pcie_apm_config(struct iwl_trans *trans) + * power savings, even without L1. + */ + pcie_capability_read_word(trans_pcie->pci_dev, PCI_EXP_LNKCTL, &lctl); +- if (lctl & PCI_EXP_LNKCTL_ASPM_L1) { +- /* L1-ASPM enabled; disable(!) L0S */ ++ if (lctl & PCI_EXP_LNKCTL_ASPM_L1) + iwl_set_bit(trans, CSR_GIO_REG, CSR_GIO_REG_VAL_L0S_ENABLED); +- dev_info(trans->dev, "L1 Enabled; Disabling L0S\n"); +- } else { +- /* L1-ASPM disabled; enable(!) L0S */ ++ else + iwl_clear_bit(trans, CSR_GIO_REG, CSR_GIO_REG_VAL_L0S_ENABLED); +- dev_info(trans->dev, "L1 Disabled; Enabling L0S\n"); +- } + trans->pm_support = !(lctl & PCI_EXP_LNKCTL_ASPM_L0S); ++ ++ pcie_capability_read_word(trans_pcie->pci_dev, PCI_EXP_DEVCTL2, &cap); ++ trans->ltr_enabled = cap & PCI_EXP_DEVCTL2_LTR_EN; ++ dev_info(trans->dev, "L1 %sabled - LTR %sabled\n", ++ (lctl & PCI_EXP_LNKCTL_ASPM_L1) ? "En" : "Dis", ++ trans->ltr_enabled ? 
"En" : "Dis"); + } + + /* +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 69d4c3179d04..505ff601d9f4 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -1974,7 +1974,7 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2, + if (err != 0) { + printk(KERN_DEBUG "mac80211_hwsim: device_bind_driver failed (%d)\n", + err); +- goto failed_hw; ++ goto failed_bind; + } + + skb_queue_head_init(&data->pending); +@@ -2157,6 +2157,8 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2, + return idx; + + failed_hw: ++ device_release_driver(data->dev); ++failed_bind: + device_unregister(data->dev); + failed_drvdata: + ieee80211_free_hw(hw); +diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c +index 390e8e33d5e3..25721bf20092 100644 +--- a/drivers/platform/x86/dell-wmi.c ++++ b/drivers/platform/x86/dell-wmi.c +@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context) + const struct key_entry *key; + int reported_key; + u16 *buffer_entry = (u16 *)obj->buffer.pointer; ++ int buffer_size = obj->buffer.length/2; + +- if (dell_new_hk_type && (buffer_entry[1] != 0x10)) { ++ if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) { + pr_info("Received unknown WMI event (0x%x)\n", + buffer_entry[1]); + kfree(obj); + return; + } + +- if (dell_new_hk_type || buffer_entry[1] == 0x0) ++ if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0)) + reported_key = (int)buffer_entry[2]; +- else ++ else if (buffer_size >= 2) + reported_key = (int)buffer_entry[1] & 0xffff; ++ else { ++ pr_info("Received unknown WMI event\n"); ++ kfree(obj); ++ return; ++ } + + key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev, + reported_key); +diff --git a/drivers/power/bq2415x_charger.c b/drivers/power/bq2415x_charger.c +index e384844a1ae1..1f49986fc605 100644 +--- a/drivers/power/bq2415x_charger.c ++++ b/drivers/power/bq2415x_charger.c +@@ -1579,8 +1579,15 @@ static int bq2415x_probe(struct i2c_client *client, + if (np) { + bq->notify_psy = power_supply_get_by_phandle(np, "ti,usb-charger-detection"); + +- if (!bq->notify_psy) +- return -EPROBE_DEFER; ++ if (IS_ERR(bq->notify_psy)) { ++ dev_info(&client->dev, ++ "no 'ti,usb-charger-detection' property (err=%ld)\n", ++ PTR_ERR(bq->notify_psy)); ++ bq->notify_psy = NULL; ++ } else if (!bq->notify_psy) { ++ ret = -EPROBE_DEFER; ++ goto error_2; ++ } + } + else if (pdata->notify_device) + bq->notify_psy = power_supply_get_by_name(pdata->notify_device); +@@ -1602,27 +1609,27 @@ static int bq2415x_probe(struct i2c_client *client, + ret = of_property_read_u32(np, "ti,current-limit", + &bq->init_data.current_limit); + if (ret) +- return ret; ++ goto error_2; + ret = of_property_read_u32(np, "ti,weak-battery-voltage", + &bq->init_data.weak_battery_voltage); + if (ret) +- return ret; ++ goto error_2; + ret = of_property_read_u32(np, "ti,battery-regulation-voltage", + &bq->init_data.battery_regulation_voltage); + if (ret) +- return ret; ++ goto error_2; + ret = of_property_read_u32(np, "ti,charge-current", + &bq->init_data.charge_current); + if (ret) +- return ret; ++ goto error_2; + ret = of_property_read_u32(np, "ti,termination-current", + &bq->init_data.termination_current); + if (ret) +- return ret; ++ goto error_2; + ret = of_property_read_u32(np, "ti,resistor-sense", + &bq->init_data.resistor_sense); + if (ret) +- return ret; ++ goto error_2; + } else { + 
memcpy(&bq->init_data, pdata, sizeof(bq->init_data)); + } +diff --git a/drivers/power/charger-manager.c b/drivers/power/charger-manager.c +index ef1f4c928431..03bfac3655ef 100644 +--- a/drivers/power/charger-manager.c ++++ b/drivers/power/charger-manager.c +@@ -97,6 +97,7 @@ static struct charger_global_desc *g_desc; /* init with setup_charger_manager */ + static bool is_batt_present(struct charger_manager *cm) + { + union power_supply_propval val; ++ struct power_supply *psy; + bool present = false; + int i, ret; + +@@ -107,16 +108,27 @@ static bool is_batt_present(struct charger_manager *cm) + case CM_NO_BATTERY: + break; + case CM_FUEL_GAUGE: +- ret = cm->fuel_gauge->get_property(cm->fuel_gauge, ++ psy = power_supply_get_by_name(cm->desc->psy_fuel_gauge); ++ if (!psy) ++ break; ++ ++ ret = psy->get_property(psy, + POWER_SUPPLY_PROP_PRESENT, &val); + if (ret == 0 && val.intval) + present = true; + break; + case CM_CHARGER_STAT: +- for (i = 0; cm->charger_stat[i]; i++) { +- ret = cm->charger_stat[i]->get_property( +- cm->charger_stat[i], +- POWER_SUPPLY_PROP_PRESENT, &val); ++ for (i = 0; cm->desc->psy_charger_stat[i]; i++) { ++ psy = power_supply_get_by_name( ++ cm->desc->psy_charger_stat[i]); ++ if (!psy) { ++ dev_err(cm->dev, "Cannot find power supply \"%s\"\n", ++ cm->desc->psy_charger_stat[i]); ++ continue; ++ } ++ ++ ret = psy->get_property(psy, POWER_SUPPLY_PROP_PRESENT, ++ &val); + if (ret == 0 && val.intval) { + present = true; + break; +@@ -139,14 +151,20 @@ static bool is_batt_present(struct charger_manager *cm) + static bool is_ext_pwr_online(struct charger_manager *cm) + { + union power_supply_propval val; ++ struct power_supply *psy; + bool online = false; + int i, ret; + + /* If at least one of them has one, it's yes. */ +- for (i = 0; cm->charger_stat[i]; i++) { +- ret = cm->charger_stat[i]->get_property( +- cm->charger_stat[i], +- POWER_SUPPLY_PROP_ONLINE, &val); ++ for (i = 0; cm->desc->psy_charger_stat[i]; i++) { ++ psy = power_supply_get_by_name(cm->desc->psy_charger_stat[i]); ++ if (!psy) { ++ dev_err(cm->dev, "Cannot find power supply \"%s\"\n", ++ cm->desc->psy_charger_stat[i]); ++ continue; ++ } ++ ++ ret = psy->get_property(psy, POWER_SUPPLY_PROP_ONLINE, &val); + if (ret == 0 && val.intval) { + online = true; + break; +@@ -167,12 +185,14 @@ static bool is_ext_pwr_online(struct charger_manager *cm) + static int get_batt_uV(struct charger_manager *cm, int *uV) + { + union power_supply_propval val; ++ struct power_supply *fuel_gauge; + int ret; + +- if (!cm->fuel_gauge) ++ fuel_gauge = power_supply_get_by_name(cm->desc->psy_fuel_gauge); ++ if (!fuel_gauge) + return -ENODEV; + +- ret = cm->fuel_gauge->get_property(cm->fuel_gauge, ++ ret = fuel_gauge->get_property(fuel_gauge, + POWER_SUPPLY_PROP_VOLTAGE_NOW, &val); + if (ret) + return ret; +@@ -189,6 +209,7 @@ static bool is_charging(struct charger_manager *cm) + { + int i, ret; + bool charging = false; ++ struct power_supply *psy; + union power_supply_propval val; + + /* If there is no battery, it cannot be charged */ +@@ -196,17 +217,22 @@ static bool is_charging(struct charger_manager *cm) + return false; + + /* If at least one of the charger is charging, return yes */ +- for (i = 0; cm->charger_stat[i]; i++) { ++ for (i = 0; cm->desc->psy_charger_stat[i]; i++) { + /* 1. 
The charger sholuld not be DISABLED */ + if (cm->emergency_stop) + continue; + if (!cm->charger_enabled) + continue; + ++ psy = power_supply_get_by_name(cm->desc->psy_charger_stat[i]); ++ if (!psy) { ++ dev_err(cm->dev, "Cannot find power supply \"%s\"\n", ++ cm->desc->psy_charger_stat[i]); ++ continue; ++ } ++ + /* 2. The charger should be online (ext-power) */ +- ret = cm->charger_stat[i]->get_property( +- cm->charger_stat[i], +- POWER_SUPPLY_PROP_ONLINE, &val); ++ ret = psy->get_property(psy, POWER_SUPPLY_PROP_ONLINE, &val); + if (ret) { + dev_warn(cm->dev, "Cannot read ONLINE value from %s\n", + cm->desc->psy_charger_stat[i]); +@@ -219,9 +245,7 @@ static bool is_charging(struct charger_manager *cm) + * 3. The charger should not be FULL, DISCHARGING, + * or NOT_CHARGING. + */ +- ret = cm->charger_stat[i]->get_property( +- cm->charger_stat[i], +- POWER_SUPPLY_PROP_STATUS, &val); ++ ret = psy->get_property(psy, POWER_SUPPLY_PROP_STATUS, &val); + if (ret) { + dev_warn(cm->dev, "Cannot read STATUS value from %s\n", + cm->desc->psy_charger_stat[i]); +@@ -248,6 +272,7 @@ static bool is_full_charged(struct charger_manager *cm) + { + struct charger_desc *desc = cm->desc; + union power_supply_propval val; ++ struct power_supply *fuel_gauge; + int ret = 0; + int uV; + +@@ -255,11 +280,15 @@ static bool is_full_charged(struct charger_manager *cm) + if (!is_batt_present(cm)) + return false; + +- if (cm->fuel_gauge && desc->fullbatt_full_capacity > 0) { ++ fuel_gauge = power_supply_get_by_name(cm->desc->psy_fuel_gauge); ++ if (!fuel_gauge) ++ return false; ++ ++ if (desc->fullbatt_full_capacity > 0) { + val.intval = 0; + + /* Not full if capacity of fuel gauge isn't full */ +- ret = cm->fuel_gauge->get_property(cm->fuel_gauge, ++ ret = fuel_gauge->get_property(fuel_gauge, + POWER_SUPPLY_PROP_CHARGE_FULL, &val); + if (!ret && val.intval > desc->fullbatt_full_capacity) + return true; +@@ -273,10 +302,10 @@ static bool is_full_charged(struct charger_manager *cm) + } + + /* Full, if the capacity is more than fullbatt_soc */ +- if (cm->fuel_gauge && desc->fullbatt_soc > 0) { ++ if (desc->fullbatt_soc > 0) { + val.intval = 0; + +- ret = cm->fuel_gauge->get_property(cm->fuel_gauge, ++ ret = fuel_gauge->get_property(fuel_gauge, + POWER_SUPPLY_PROP_CAPACITY, &val); + if (!ret && val.intval >= desc->fullbatt_soc) + return true; +@@ -551,6 +580,20 @@ static int check_charging_duration(struct charger_manager *cm) + return ret; + } + ++static int cm_get_battery_temperature_by_psy(struct charger_manager *cm, ++ int *temp) ++{ ++ struct power_supply *fuel_gauge; ++ ++ fuel_gauge = power_supply_get_by_name(cm->desc->psy_fuel_gauge); ++ if (!fuel_gauge) ++ return -ENODEV; ++ ++ return fuel_gauge->get_property(fuel_gauge, ++ POWER_SUPPLY_PROP_TEMP, ++ (union power_supply_propval *)temp); ++} ++ + static int cm_get_battery_temperature(struct charger_manager *cm, + int *temp) + { +@@ -560,15 +603,18 @@ static int cm_get_battery_temperature(struct charger_manager *cm, + return -ENODEV; + + #ifdef CONFIG_THERMAL +- ret = thermal_zone_get_temp(cm->tzd_batt, (unsigned long *)temp); +- if (!ret) +- /* Calibrate temperature unit */ +- *temp /= 100; +-#else +- ret = cm->fuel_gauge->get_property(cm->fuel_gauge, +- POWER_SUPPLY_PROP_TEMP, +- (union power_supply_propval *)temp); ++ if (cm->tzd_batt) { ++ ret = thermal_zone_get_temp(cm->tzd_batt, (unsigned long *)temp); ++ if (!ret) ++ /* Calibrate temperature unit */ ++ *temp /= 100; ++ } else + #endif ++ { ++ /* if-else continued from CONFIG_THERMAL */ ++ ret = 
cm_get_battery_temperature_by_psy(cm, temp); ++ } ++ + return ret; + } + +@@ -827,6 +873,7 @@ static int charger_get_property(struct power_supply *psy, + struct charger_manager *cm = container_of(psy, + struct charger_manager, charger_psy); + struct charger_desc *desc = cm->desc; ++ struct power_supply *fuel_gauge; + int ret = 0; + int uV; + +@@ -857,14 +904,20 @@ static int charger_get_property(struct power_supply *psy, + ret = get_batt_uV(cm, &val->intval); + break; + case POWER_SUPPLY_PROP_CURRENT_NOW: +- ret = cm->fuel_gauge->get_property(cm->fuel_gauge, ++ fuel_gauge = power_supply_get_by_name(cm->desc->psy_fuel_gauge); ++ if (!fuel_gauge) { ++ ret = -ENODEV; ++ break; ++ } ++ ret = fuel_gauge->get_property(fuel_gauge, + POWER_SUPPLY_PROP_CURRENT_NOW, val); + break; + case POWER_SUPPLY_PROP_TEMP: + case POWER_SUPPLY_PROP_TEMP_AMBIENT: + return cm_get_battery_temperature(cm, &val->intval); + case POWER_SUPPLY_PROP_CAPACITY: +- if (!cm->fuel_gauge) { ++ fuel_gauge = power_supply_get_by_name(cm->desc->psy_fuel_gauge); ++ if (!fuel_gauge) { + ret = -ENODEV; + break; + } +@@ -875,7 +928,7 @@ static int charger_get_property(struct power_supply *psy, + break; + } + +- ret = cm->fuel_gauge->get_property(cm->fuel_gauge, ++ ret = fuel_gauge->get_property(fuel_gauge, + POWER_SUPPLY_PROP_CAPACITY, val); + if (ret) + break; +@@ -924,7 +977,14 @@ static int charger_get_property(struct power_supply *psy, + break; + case POWER_SUPPLY_PROP_CHARGE_NOW: + if (is_charging(cm)) { +- ret = cm->fuel_gauge->get_property(cm->fuel_gauge, ++ fuel_gauge = power_supply_get_by_name( ++ cm->desc->psy_fuel_gauge); ++ if (!fuel_gauge) { ++ ret = -ENODEV; ++ break; ++ } ++ ++ ret = fuel_gauge->get_property(fuel_gauge, + POWER_SUPPLY_PROP_CHARGE_NOW, + val); + if (ret) { +@@ -1485,14 +1545,15 @@ err: + return ret; + } + +-static int cm_init_thermal_data(struct charger_manager *cm) ++static int cm_init_thermal_data(struct charger_manager *cm, ++ struct power_supply *fuel_gauge) + { + struct charger_desc *desc = cm->desc; + union power_supply_propval val; + int ret; + + /* Verify whether fuel gauge provides battery temperature */ +- ret = cm->fuel_gauge->get_property(cm->fuel_gauge, ++ ret = fuel_gauge->get_property(fuel_gauge, + POWER_SUPPLY_PROP_TEMP, &val); + + if (!ret) { +@@ -1502,8 +1563,6 @@ static int cm_init_thermal_data(struct charger_manager *cm) + cm->desc->measure_battery_temp = true; + } + #ifdef CONFIG_THERMAL +- cm->tzd_batt = cm->fuel_gauge->tzd; +- + if (ret && desc->thermal_zone) { + cm->tzd_batt = + thermal_zone_get_zone_by_name(desc->thermal_zone); +@@ -1666,6 +1725,7 @@ static int charger_manager_probe(struct platform_device *pdev) + int ret = 0, i = 0; + int j = 0; + union power_supply_propval val; ++ struct power_supply *fuel_gauge; + + if (g_desc && !rtc_dev && g_desc->rtc_name) { + rtc_dev = rtc_class_open(g_desc->rtc_name); +@@ -1729,23 +1789,20 @@ static int charger_manager_probe(struct platform_device *pdev) + while (desc->psy_charger_stat[i]) + i++; + +- cm->charger_stat = devm_kzalloc(&pdev->dev, +- sizeof(struct power_supply *) * i, GFP_KERNEL); +- if (!cm->charger_stat) +- return -ENOMEM; +- ++ /* Check if charger's supplies are present at probe */ + for (i = 0; desc->psy_charger_stat[i]; i++) { +- cm->charger_stat[i] = power_supply_get_by_name( +- desc->psy_charger_stat[i]); +- if (!cm->charger_stat[i]) { ++ struct power_supply *psy; ++ ++ psy = power_supply_get_by_name(desc->psy_charger_stat[i]); ++ if (!psy) { + dev_err(&pdev->dev, "Cannot find power supply \"%s\"\n", + 
desc->psy_charger_stat[i]); + return -ENODEV; + } + } + +- cm->fuel_gauge = power_supply_get_by_name(desc->psy_fuel_gauge); +- if (!cm->fuel_gauge) { ++ fuel_gauge = power_supply_get_by_name(desc->psy_fuel_gauge); ++ if (!fuel_gauge) { + dev_err(&pdev->dev, "Cannot find power supply \"%s\"\n", + desc->psy_fuel_gauge); + return -ENODEV; +@@ -1788,13 +1845,13 @@ static int charger_manager_probe(struct platform_device *pdev) + cm->charger_psy.num_properties = psy_default.num_properties; + + /* Find which optional psy-properties are available */ +- if (!cm->fuel_gauge->get_property(cm->fuel_gauge, ++ if (!fuel_gauge->get_property(fuel_gauge, + POWER_SUPPLY_PROP_CHARGE_NOW, &val)) { + cm->charger_psy.properties[cm->charger_psy.num_properties] = + POWER_SUPPLY_PROP_CHARGE_NOW; + cm->charger_psy.num_properties++; + } +- if (!cm->fuel_gauge->get_property(cm->fuel_gauge, ++ if (!fuel_gauge->get_property(fuel_gauge, + POWER_SUPPLY_PROP_CURRENT_NOW, + &val)) { + cm->charger_psy.properties[cm->charger_psy.num_properties] = +@@ -1802,7 +1859,7 @@ static int charger_manager_probe(struct platform_device *pdev) + cm->charger_psy.num_properties++; + } + +- ret = cm_init_thermal_data(cm); ++ ret = cm_init_thermal_data(cm, fuel_gauge); + if (ret) { + dev_err(&pdev->dev, "Failed to initialize thermal data\n"); + cm->desc->measure_battery_temp = false; +@@ -2059,8 +2116,8 @@ static bool find_power_supply(struct charger_manager *cm, + int i; + bool found = false; + +- for (i = 0; cm->charger_stat[i]; i++) { +- if (psy == cm->charger_stat[i]) { ++ for (i = 0; cm->desc->psy_charger_stat[i]; i++) { ++ if (!strcmp(psy->name, cm->desc->psy_charger_stat[i])) { + found = true; + break; + } +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c +index edb4d46fa874..96b6664bb1cf 100644 +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -1984,8 +1984,10 @@ static void scsi_restart_operations(struct Scsi_Host *shost) + * is no point trying to lock the door of an off-line device. 
+ */ + shost_for_each_device(sdev, shost) { +- if (scsi_device_online(sdev) && sdev->locked) ++ if (scsi_device_online(sdev) && sdev->was_reset && sdev->locked) { + scsi_eh_lock_door(sdev); ++ sdev->was_reset = 0; ++ } + } + + /* +diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c +index b01fb6c527e3..d43c544d3b68 100644 +--- a/fs/btrfs/compression.c ++++ b/fs/btrfs/compression.c +@@ -472,7 +472,7 @@ static noinline int add_ra_bio_pages(struct inode *inode, + rcu_read_lock(); + page = radix_tree_lookup(&mapping->page_tree, pg_index); + rcu_read_unlock(); +- if (page) { ++ if (page && !radix_tree_exceptional_entry(page)) { + misses++; + if (misses > 4) + break; +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index a9a881ed8cbe..f6d00df99a8c 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -425,13 +425,8 @@ static noinline int btrfs_copy_from_user(loff_t pos, int num_pages, + struct page *page = prepared_pages[pg]; + /* + * Copy data from userspace to the current page +- * +- * Disable pagefault to avoid recursive lock since +- * the pages are already locked + */ +- pagefault_disable(); + copied = iov_iter_copy_from_user_atomic(page, i, offset, count); +- pagefault_enable(); + + /* Flush processor's dcache for this page */ + flush_dcache_page(page); +diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c +index 06610cf94d57..a1f801c14fbc 100644 +--- a/fs/cramfs/inode.c ++++ b/fs/cramfs/inode.c +@@ -195,8 +195,7 @@ static void *cramfs_read(struct super_block *sb, unsigned int offset, unsigned i + struct page *page = NULL; + + if (blocknr + i < devsize) { +- page = read_mapping_page_async(mapping, blocknr + i, +- NULL); ++ page = read_mapping_page(mapping, blocknr + i, NULL); + /* synchronous error? */ + if (IS_ERR(page)) + page = NULL; +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index 77bcc303c3ae..a91d3b4d32f3 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -1003,9 +1003,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req, + if (mapping_writably_mapped(mapping)) + flush_dcache_page(page); + +- pagefault_disable(); + tmp = iov_iter_copy_from_user_atomic(page, ii, offset, bytes); +- pagefault_enable(); + flush_dcache_page(page); + + mark_page_accessed(page); +diff --git a/fs/gfs2/meta_io.c b/fs/gfs2/meta_io.c +index c7f24690ed05..b82a9c99e18b 100644 +--- a/fs/gfs2/meta_io.c ++++ b/fs/gfs2/meta_io.c +@@ -97,6 +97,11 @@ const struct address_space_operations gfs2_meta_aops = { + .releasepage = gfs2_releasepage, + }; + ++const struct address_space_operations gfs2_rgrp_aops = { ++ .writepage = gfs2_aspace_writepage, ++ .releasepage = gfs2_releasepage, ++}; ++ + /** + * gfs2_getbuf - Get a buffer with a given address space + * @gl: the glock +diff --git a/fs/gfs2/meta_io.h b/fs/gfs2/meta_io.h +index 4823b934208a..ac5d8027d335 100644 +--- a/fs/gfs2/meta_io.h ++++ b/fs/gfs2/meta_io.h +@@ -38,12 +38,15 @@ static inline void gfs2_buffer_copy_tail(struct buffer_head *to_bh, + } + + extern const struct address_space_operations gfs2_meta_aops; ++extern const struct address_space_operations gfs2_rgrp_aops; + + static inline struct gfs2_sbd *gfs2_mapping2sbd(struct address_space *mapping) + { + struct inode *inode = mapping->host; + if (mapping->a_ops == &gfs2_meta_aops) + return (((struct gfs2_glock *)mapping) - 1)->gl_sbd; ++ else if (mapping->a_ops == &gfs2_rgrp_aops) ++ return container_of(mapping, struct gfs2_sbd, sd_aspace); + else + return inode->i_sb->s_fs_info; + } +diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c +index c6872d09561a..f6c9d83aa39b 100644 
+--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -104,7 +104,7 @@ static struct gfs2_sbd *init_sbd(struct super_block *sb) + mapping = &sdp->sd_aspace; + + address_space_init_once(mapping); +- mapping->a_ops = &gfs2_meta_aops; ++ mapping->a_ops = &gfs2_rgrp_aops; + mapping->host = sb->s_bdev->bd_inode; + mapping->flags = 0; + mapping_set_gfp_mask(mapping, GFP_NOFS); +diff --git a/fs/ioprio.c b/fs/ioprio.c +index e50170ca7c33..31666c92b46a 100644 +--- a/fs/ioprio.c ++++ b/fs/ioprio.c +@@ -157,14 +157,16 @@ out: + + int ioprio_best(unsigned short aprio, unsigned short bprio) + { +- unsigned short aclass = IOPRIO_PRIO_CLASS(aprio); +- unsigned short bclass = IOPRIO_PRIO_CLASS(bprio); ++ unsigned short aclass; ++ unsigned short bclass; + +- if (aclass == IOPRIO_CLASS_NONE) +- aclass = IOPRIO_CLASS_BE; +- if (bclass == IOPRIO_CLASS_NONE) +- bclass = IOPRIO_CLASS_BE; ++ if (!ioprio_valid(aprio)) ++ aprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM); ++ if (!ioprio_valid(bprio)) ++ bprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM); + ++ aclass = IOPRIO_PRIO_CLASS(aprio); ++ bclass = IOPRIO_PRIO_CLASS(bprio); + if (aclass == bclass) + return min(aprio, bprio); + if (aclass > bclass) +diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c +index a69e426435dd..5b234db85854 100644 +--- a/fs/jffs2/fs.c ++++ b/fs/jffs2/fs.c +@@ -687,7 +687,7 @@ unsigned char *jffs2_gc_fetch_page(struct jffs2_sb_info *c, + struct inode *inode = OFNI_EDONI_2SFFJ(f); + struct page *pg; + +- pg = read_cache_page_async(inode->i_mapping, offset >> PAGE_CACHE_SHIFT, ++ pg = read_cache_page(inode->i_mapping, offset >> PAGE_CACHE_SHIFT, + (void *)jffs2_do_readpage_unlock, inode); + if (IS_ERR(pg)) + return (void *)pg; +diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c +index 56ff823ca82e..65d849bdf77a 100644 +--- a/fs/nfs/blocklayout/blocklayout.c ++++ b/fs/nfs/blocklayout/blocklayout.c +@@ -1213,7 +1213,7 @@ static u64 pnfs_num_cont_bytes(struct inode *inode, pgoff_t idx) + end = DIV_ROUND_UP(i_size_read(inode), PAGE_CACHE_SIZE); + if (end != NFS_I(inode)->npages) { + rcu_read_lock(); +- end = radix_tree_next_hole(&mapping->page_tree, idx + 1, ULONG_MAX); ++ end = page_cache_next_hole(mapping, idx + 1, ULONG_MAX); + rcu_read_unlock(); + } + +diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c +index 5d8ccecf5f5c..3ed1be9aade3 100644 +--- a/fs/nfs/delegation.c ++++ b/fs/nfs/delegation.c +@@ -109,6 +109,8 @@ again: + continue; + if (!test_bit(NFS_DELEGATED_STATE, &state->flags)) + continue; ++ if (!nfs4_valid_open_stateid(state)) ++ continue; + if (!nfs4_stateid_match(&state->stateid, stateid)) + continue; + get_nfs_open_context(ctx); +@@ -177,7 +179,11 @@ static int nfs_do_return_delegation(struct inode *inode, struct nfs_delegation * + { + int res = 0; + +- res = nfs4_proc_delegreturn(inode, delegation->cred, &delegation->stateid, issync); ++ if (!test_bit(NFS_DELEGATION_REVOKED, &delegation->flags)) ++ res = nfs4_proc_delegreturn(inode, ++ delegation->cred, ++ &delegation->stateid, ++ issync); + nfs_free_delegation(delegation); + return res; + } +@@ -364,11 +370,13 @@ static int nfs_end_delegation_return(struct inode *inode, struct nfs_delegation + { + struct nfs_client *clp = NFS_SERVER(inode)->nfs_client; + struct nfs_inode *nfsi = NFS_I(inode); +- int err; ++ int err = 0; + + if (delegation == NULL) + return 0; + do { ++ if (test_bit(NFS_DELEGATION_REVOKED, &delegation->flags)) ++ break; + err = nfs_delegation_claim_opens(inode, &delegation->stateid); + if (!issync || err != 
-EAGAIN) + break; +@@ -589,10 +597,23 @@ static void nfs_client_mark_return_unused_delegation_types(struct nfs_client *cl + rcu_read_unlock(); + } + ++static void nfs_revoke_delegation(struct inode *inode) ++{ ++ struct nfs_delegation *delegation; ++ rcu_read_lock(); ++ delegation = rcu_dereference(NFS_I(inode)->delegation); ++ if (delegation != NULL) { ++ set_bit(NFS_DELEGATION_REVOKED, &delegation->flags); ++ nfs_mark_return_delegation(NFS_SERVER(inode), delegation); ++ } ++ rcu_read_unlock(); ++} ++ + void nfs_remove_bad_delegation(struct inode *inode) + { + struct nfs_delegation *delegation; + ++ nfs_revoke_delegation(inode); + delegation = nfs_inode_detach_delegation(inode); + if (delegation) { + nfs_inode_find_state_and_recover(inode, &delegation->stateid); +diff --git a/fs/nfs/delegation.h b/fs/nfs/delegation.h +index 9a79c7a99d6d..e02b090ab9da 100644 +--- a/fs/nfs/delegation.h ++++ b/fs/nfs/delegation.h +@@ -31,6 +31,7 @@ enum { + NFS_DELEGATION_RETURN_IF_CLOSED, + NFS_DELEGATION_REFERENCED, + NFS_DELEGATION_RETURNING, ++ NFS_DELEGATION_REVOKED, + }; + + int nfs_inode_set_delegation(struct inode *inode, struct rpc_cred *cred, struct nfs_openres *res); +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index b8797ae6831f..de2543d3c283 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -178,6 +178,7 @@ static void nfs_direct_req_free(struct kref *kref) + { + struct nfs_direct_req *dreq = container_of(kref, struct nfs_direct_req, kref); + ++ nfs_free_pnfs_ds_cinfo(&dreq->ds_cinfo); + if (dreq->l_ctx != NULL) + nfs_put_lock_context(dreq->l_ctx); + if (dreq->ctx != NULL) +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 15f9d98627a4..6659ce545f15 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -592,7 +592,7 @@ int nfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) + { + struct inode *inode = dentry->d_inode; + int need_atime = NFS_I(inode)->cache_validity & NFS_INO_INVALID_ATIME; +- int err; ++ int err = 0; + + trace_nfs_getattr_enter(inode); + /* Flush out writes to the server in order to update c/mtime. 
*/ +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index da657b7804a5..bd01803d0656 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1587,7 +1587,7 @@ static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct + nfs_inode_find_state_and_recover(state->inode, + stateid); + nfs4_schedule_stateid_recovery(server, state); +- return 0; ++ return -EAGAIN; + case -NFS4ERR_DELAY: + case -NFS4ERR_GRACE: + set_bit(NFS_DELEGATED_STATE, &state->flags); +@@ -2034,46 +2034,60 @@ static int nfs4_open_expired(struct nfs4_state_owner *sp, struct nfs4_state *sta + return ret; + } + ++static void nfs_finish_clear_delegation_stateid(struct nfs4_state *state) ++{ ++ nfs_remove_bad_delegation(state->inode); ++ write_seqlock(&state->seqlock); ++ nfs4_stateid_copy(&state->stateid, &state->open_stateid); ++ write_sequnlock(&state->seqlock); ++ clear_bit(NFS_DELEGATED_STATE, &state->flags); ++} ++ ++static void nfs40_clear_delegation_stateid(struct nfs4_state *state) ++{ ++ if (rcu_access_pointer(NFS_I(state->inode)->delegation) != NULL) ++ nfs_finish_clear_delegation_stateid(state); ++} ++ ++static int nfs40_open_expired(struct nfs4_state_owner *sp, struct nfs4_state *state) ++{ ++ /* NFSv4.0 doesn't allow for delegation recovery on open expire */ ++ nfs40_clear_delegation_stateid(state); ++ return nfs4_open_expired(sp, state); ++} ++ + #if defined(CONFIG_NFS_V4_1) +-static void nfs41_clear_delegation_stateid(struct nfs4_state *state) ++static void nfs41_check_delegation_stateid(struct nfs4_state *state) + { + struct nfs_server *server = NFS_SERVER(state->inode); +- nfs4_stateid *stateid = &state->stateid; ++ nfs4_stateid stateid; + struct nfs_delegation *delegation; +- struct rpc_cred *cred = NULL; +- int status = -NFS4ERR_BAD_STATEID; +- +- /* If a state reset has been done, test_stateid is unneeded */ +- if (test_bit(NFS_DELEGATED_STATE, &state->flags) == 0) +- return; ++ struct rpc_cred *cred; ++ int status; + + /* Get the delegation credential for use by test/free_stateid */ + rcu_read_lock(); + delegation = rcu_dereference(NFS_I(state->inode)->delegation); +- if (delegation != NULL && +- nfs4_stateid_match(&delegation->stateid, stateid)) { +- cred = get_rpccred(delegation->cred); +- rcu_read_unlock(); +- status = nfs41_test_stateid(server, stateid, cred); +- trace_nfs4_test_delegation_stateid(state, NULL, status); +- } else ++ if (delegation == NULL) { + rcu_read_unlock(); ++ return; ++ } ++ ++ nfs4_stateid_copy(&stateid, &delegation->stateid); ++ cred = get_rpccred(delegation->cred); ++ rcu_read_unlock(); ++ status = nfs41_test_stateid(server, &stateid, cred); ++ trace_nfs4_test_delegation_stateid(state, NULL, status); + + if (status != NFS_OK) { + /* Free the stateid unless the server explicitly + * informs us the stateid is unrecognized. 
*/ + if (status != -NFS4ERR_BAD_STATEID) +- nfs41_free_stateid(server, stateid, cred); +- nfs_remove_bad_delegation(state->inode); +- +- write_seqlock(&state->seqlock); +- nfs4_stateid_copy(&state->stateid, &state->open_stateid); +- write_sequnlock(&state->seqlock); +- clear_bit(NFS_DELEGATED_STATE, &state->flags); ++ nfs41_free_stateid(server, &stateid, cred); ++ nfs_finish_clear_delegation_stateid(state); + } + +- if (cred != NULL) +- put_rpccred(cred); ++ put_rpccred(cred); + } + + /** +@@ -2117,7 +2131,7 @@ static int nfs41_open_expired(struct nfs4_state_owner *sp, struct nfs4_state *st + { + int status; + +- nfs41_clear_delegation_stateid(state); ++ nfs41_check_delegation_stateid(state); + status = nfs41_check_open_stateid(state); + if (status != NFS_OK) + status = nfs4_open_expired(sp, state); +@@ -8255,7 +8269,7 @@ static const struct nfs4_state_recovery_ops nfs41_reboot_recovery_ops = { + static const struct nfs4_state_recovery_ops nfs40_nograce_recovery_ops = { + .owner_flag_bit = NFS_OWNER_RECLAIM_NOGRACE, + .state_flag_bit = NFS_STATE_RECLAIM_NOGRACE, +- .recover_open = nfs4_open_expired, ++ .recover_open = nfs40_open_expired, + .recover_lock = nfs4_lock_expired, + .establish_clid = nfs4_init_clientid, + }; +diff --git a/fs/super.c b/fs/super.c +index 88a6bc6e3cc9..440ef51cd696 100644 +--- a/fs/super.c ++++ b/fs/super.c +@@ -114,9 +114,14 @@ static unsigned long super_cache_count(struct shrinker *shrink, + + sb = container_of(shrink, struct super_block, s_shrink); + +- if (!grab_super_passive(sb)) +- return 0; +- ++ /* ++ * Don't call grab_super_passive as it is a potential ++ * scalability bottleneck. The counts could get updated ++ * between super_cache_count and super_cache_scan anyway. ++ * Call to super_cache_count with shrinker_rwsem held ++ * ensures the safety of call to list_lru_count_node() and ++ * s_op->nr_cached_objects(). 
++ */ + if (sb->s_op && sb->s_op->nr_cached_objects) + total_objects = sb->s_op->nr_cached_objects(sb, + sc->nid); +@@ -127,7 +132,6 @@ static unsigned long super_cache_count(struct shrinker *shrink, + sc->nid); + + total_objects = vfs_pressure_ratio(total_objects); +- drop_super(sb); + return total_objects; + } + +@@ -278,10 +282,8 @@ void deactivate_locked_super(struct super_block *s) + struct file_system_type *fs = s->s_type; + if (atomic_dec_and_test(&s->s_active)) { + cleancache_invalidate_fs(s); +- fs->kill_sb(s); +- +- /* caches are now gone, we can safely kill the shrinker now */ + unregister_shrinker(&s->s_shrink); ++ fs->kill_sb(s); + + put_filesystem(fs); + put_super(s); +diff --git a/include/dt-bindings/pinctrl/dra.h b/include/dt-bindings/pinctrl/dra.h +index 3d33794e4f3e..7448edff4723 100644 +--- a/include/dt-bindings/pinctrl/dra.h ++++ b/include/dt-bindings/pinctrl/dra.h +@@ -40,8 +40,8 @@ + + /* Active pin states */ + #define PIN_OUTPUT (0 | PULL_DIS) +-#define PIN_OUTPUT_PULLUP (PIN_OUTPUT | PULL_ENA | PULL_UP) +-#define PIN_OUTPUT_PULLDOWN (PIN_OUTPUT | PULL_ENA) ++#define PIN_OUTPUT_PULLUP (PULL_UP) ++#define PIN_OUTPUT_PULLDOWN (0) + #define PIN_INPUT (INPUT_EN | PULL_DIS) + #define PIN_INPUT_SLEW (INPUT_EN | SLEWCONTROL) + #define PIN_INPUT_PULLUP (PULL_ENA | INPUT_EN | PULL_UP) +diff --git a/include/linux/clocksource.h b/include/linux/clocksource.h +index 67301a405712..879065d8d208 100644 +--- a/include/linux/clocksource.h ++++ b/include/linux/clocksource.h +@@ -289,7 +289,7 @@ extern struct clocksource* clocksource_get_next(void); + extern void clocksource_change_rating(struct clocksource *cs, int rating); + extern void clocksource_suspend(void); + extern void clocksource_resume(void); +-extern struct clocksource * __init __weak clocksource_default_clock(void); ++extern struct clocksource * __init clocksource_default_clock(void); + extern void clocksource_mark_unstable(struct clocksource *cs); + + extern u64 +diff --git a/include/linux/compaction.h b/include/linux/compaction.h +index 7e1c76e3cd68..01e3132820da 100644 +--- a/include/linux/compaction.h ++++ b/include/linux/compaction.h +@@ -22,7 +22,7 @@ extern int sysctl_extfrag_handler(struct ctl_table *table, int write, + extern int fragmentation_index(struct zone *zone, unsigned int order); + extern unsigned long try_to_compact_pages(struct zonelist *zonelist, + int order, gfp_t gfp_mask, nodemask_t *mask, +- bool sync, bool *contended); ++ enum migrate_mode mode, bool *contended); + extern void compact_pgdat(pg_data_t *pgdat, int order); + extern void reset_isolation_suitable(pg_data_t *pgdat); + extern unsigned long compaction_suitable(struct zone *zone, int order); +@@ -91,7 +91,7 @@ static inline bool compaction_restarting(struct zone *zone, int order) + #else + static inline unsigned long try_to_compact_pages(struct zonelist *zonelist, + int order, gfp_t gfp_mask, nodemask_t *nodemask, +- bool sync, bool *contended) ++ enum migrate_mode mode, bool *contended) + { + return COMPACT_CONTINUE; + } +diff --git a/include/linux/crash_dump.h b/include/linux/crash_dump.h +index 7032518f8542..60023e5d3169 100644 +--- a/include/linux/crash_dump.h ++++ b/include/linux/crash_dump.h +@@ -14,14 +14,13 @@ + extern unsigned long long elfcorehdr_addr; + extern unsigned long long elfcorehdr_size; + +-extern int __weak elfcorehdr_alloc(unsigned long long *addr, +- unsigned long long *size); +-extern void __weak elfcorehdr_free(unsigned long long addr); +-extern ssize_t __weak elfcorehdr_read(char *buf, size_t count, u64 *ppos); 
+-extern ssize_t __weak elfcorehdr_read_notes(char *buf, size_t count, u64 *ppos); +-extern int __weak remap_oldmem_pfn_range(struct vm_area_struct *vma, +- unsigned long from, unsigned long pfn, +- unsigned long size, pgprot_t prot); ++extern int elfcorehdr_alloc(unsigned long long *addr, unsigned long long *size); ++extern void elfcorehdr_free(unsigned long long addr); ++extern ssize_t elfcorehdr_read(char *buf, size_t count, u64 *ppos); ++extern ssize_t elfcorehdr_read_notes(char *buf, size_t count, u64 *ppos); ++extern int remap_oldmem_pfn_range(struct vm_area_struct *vma, ++ unsigned long from, unsigned long pfn, ++ unsigned long size, pgprot_t prot); + + extern ssize_t copy_oldmem_page(unsigned long, char *, size_t, + unsigned long, int); +diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h +index 6b06d378f3df..e465bb15912d 100644 +--- a/include/linux/kgdb.h ++++ b/include/linux/kgdb.h +@@ -283,7 +283,7 @@ struct kgdb_io { + + extern struct kgdb_arch arch_kgdb_ops; + +-extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs); ++extern unsigned long kgdb_arch_pc(int exception, struct pt_regs *regs); + + #ifdef CONFIG_SERIAL_KGDB_NMI + extern int kgdb_register_nmi_console(void); +diff --git a/include/linux/memory.h b/include/linux/memory.h +index bb7384e3c3d8..8b8d8d12348e 100644 +--- a/include/linux/memory.h ++++ b/include/linux/memory.h +@@ -35,7 +35,7 @@ struct memory_block { + }; + + int arch_get_memory_phys_device(unsigned long start_pfn); +-unsigned long __weak memory_block_size_bytes(void); ++unsigned long memory_block_size_bytes(void); + + /* These states are exposed to userspace as text strings in sysfs */ + #define MEM_ONLINE (1<<0) /* exposed to userspace */ +diff --git a/include/linux/migrate.h b/include/linux/migrate.h +index 84a31ad0b791..a2901c414664 100644 +--- a/include/linux/migrate.h ++++ b/include/linux/migrate.h +@@ -5,7 +5,9 @@ + #include + #include + +-typedef struct page *new_page_t(struct page *, unsigned long private, int **); ++typedef struct page *new_page_t(struct page *page, unsigned long private, ++ int **reason); ++typedef void free_page_t(struct page *page, unsigned long private); + + /* + * Return values from addresss_space_operations.migratepage(): +@@ -38,7 +40,7 @@ enum migrate_reason { + extern void putback_movable_pages(struct list_head *l); + extern int migrate_page(struct address_space *, + struct page *, struct page *, enum migrate_mode); +-extern int migrate_pages(struct list_head *l, new_page_t x, ++extern int migrate_pages(struct list_head *l, new_page_t new, free_page_t free, + unsigned long private, enum migrate_mode mode, int reason); + + extern int migrate_prep(void); +@@ -56,8 +58,9 @@ extern int migrate_page_move_mapping(struct address_space *mapping, + #else + + static inline void putback_movable_pages(struct list_head *l) {} +-static inline int migrate_pages(struct list_head *l, new_page_t x, +- unsigned long private, enum migrate_mode mode, int reason) ++static inline int migrate_pages(struct list_head *l, new_page_t new, ++ free_page_t free, unsigned long private, enum migrate_mode mode, ++ int reason) + { return -ENOSYS; } + + static inline int migrate_prep(void) { return -ENOSYS; } +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 0a0b024ec7e8..d5039daf1e1c 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1041,6 +1041,14 @@ extern void show_free_areas(unsigned int flags); + extern bool skip_free_areas_node(unsigned int flags, int nid); + + int shmem_zero_setup(struct 
vm_area_struct *); ++#ifdef CONFIG_SHMEM ++bool shmem_mapping(struct address_space *mapping); ++#else ++static inline bool shmem_mapping(struct address_space *mapping) ++{ ++ return false; ++} ++#endif + + extern int can_do_mlock(void); + extern int user_shm_lock(size_t, struct user_struct *); +@@ -1848,9 +1856,6 @@ void page_cache_async_readahead(struct address_space *mapping, + unsigned long size); + + unsigned long max_sane_readahead(unsigned long nr); +-unsigned long ra_submit(struct file_ra_state *ra, +- struct address_space *mapping, +- struct file *filp); + + /* Generic expand stack which grows the stack according to GROWS{UP,DOWN} */ + extern int expand_stack(struct vm_area_struct *vma, unsigned long address); +diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h +index e6800f0c0d7b..18843532a0c9 100644 +--- a/include/linux/mmzone.h ++++ b/include/linux/mmzone.h +@@ -361,9 +361,10 @@ struct zone { + /* Set to true when the PG_migrate_skip bits should be cleared */ + bool compact_blockskip_flush; + +- /* pfns where compaction scanners should start */ ++ /* pfn where compaction free scanner should start */ + unsigned long compact_cached_free_pfn; +- unsigned long compact_cached_migrate_pfn; ++ /* pfn where async and sync compaction migration scanner should start */ ++ unsigned long compact_cached_migrate_pfn[2]; + #endif + #ifdef CONFIG_MEMORY_HOTPLUG + /* see spanned/present_pages for more description */ +diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h +index 5624e4e2763c..53988cb3c05a 100644 +--- a/include/linux/nfs_xdr.h ++++ b/include/linux/nfs_xdr.h +@@ -1247,11 +1247,22 @@ struct nfs41_free_stateid_res { + unsigned int status; + }; + ++static inline void ++nfs_free_pnfs_ds_cinfo(struct pnfs_ds_commit_info *cinfo) ++{ ++ kfree(cinfo->buckets); ++} ++ + #else + + struct pnfs_ds_commit_info { + }; + ++static inline void ++nfs_free_pnfs_ds_cinfo(struct pnfs_ds_commit_info *cinfo) ++{ ++} ++ + #endif /* CONFIG_NFS_V4_1 */ + + struct nfs_page; +diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h +index 1710d1b060ba..09c1b03867d9 100644 +--- a/include/linux/pagemap.h ++++ b/include/linux/pagemap.h +@@ -243,12 +243,20 @@ static inline struct page *page_cache_alloc_readahead(struct address_space *x) + + typedef int filler_t(void *, struct page *); + +-extern struct page * find_get_page(struct address_space *mapping, +- pgoff_t index); +-extern struct page * find_lock_page(struct address_space *mapping, +- pgoff_t index); +-extern struct page * find_or_create_page(struct address_space *mapping, +- pgoff_t index, gfp_t gfp_mask); ++pgoff_t page_cache_next_hole(struct address_space *mapping, ++ pgoff_t index, unsigned long max_scan); ++pgoff_t page_cache_prev_hole(struct address_space *mapping, ++ pgoff_t index, unsigned long max_scan); ++ ++struct page *find_get_entry(struct address_space *mapping, pgoff_t offset); ++struct page *find_get_page(struct address_space *mapping, pgoff_t offset); ++struct page *find_lock_entry(struct address_space *mapping, pgoff_t offset); ++struct page *find_lock_page(struct address_space *mapping, pgoff_t offset); ++struct page *find_or_create_page(struct address_space *mapping, pgoff_t index, ++ gfp_t gfp_mask); ++unsigned find_get_entries(struct address_space *mapping, pgoff_t start, ++ unsigned int nr_entries, struct page **entries, ++ pgoff_t *indices); + unsigned find_get_pages(struct address_space *mapping, pgoff_t start, + unsigned int nr_pages, struct page **pages); + unsigned find_get_pages_contig(struct 
address_space *mapping, pgoff_t start, +@@ -270,8 +278,6 @@ static inline struct page *grab_cache_page(struct address_space *mapping, + + extern struct page * grab_cache_page_nowait(struct address_space *mapping, + pgoff_t index); +-extern struct page * read_cache_page_async(struct address_space *mapping, +- pgoff_t index, filler_t *filler, void *data); + extern struct page * read_cache_page(struct address_space *mapping, + pgoff_t index, filler_t *filler, void *data); + extern struct page * read_cache_page_gfp(struct address_space *mapping, +@@ -279,14 +285,6 @@ extern struct page * read_cache_page_gfp(struct address_space *mapping, + extern int read_cache_pages(struct address_space *mapping, + struct list_head *pages, filler_t *filler, void *data); + +-static inline struct page *read_mapping_page_async( +- struct address_space *mapping, +- pgoff_t index, void *data) +-{ +- filler_t *filler = (filler_t *)mapping->a_ops->readpage; +- return read_cache_page_async(mapping, index, filler, data); +-} +- + static inline struct page *read_mapping_page(struct address_space *mapping, + pgoff_t index, void *data) + { +diff --git a/include/linux/pagevec.h b/include/linux/pagevec.h +index e4dbfab37729..b45d391b4540 100644 +--- a/include/linux/pagevec.h ++++ b/include/linux/pagevec.h +@@ -22,6 +22,11 @@ struct pagevec { + + void __pagevec_release(struct pagevec *pvec); + void __pagevec_lru_add(struct pagevec *pvec); ++unsigned pagevec_lookup_entries(struct pagevec *pvec, ++ struct address_space *mapping, ++ pgoff_t start, unsigned nr_entries, ++ pgoff_t *indices); ++void pagevec_remove_exceptionals(struct pagevec *pvec); + unsigned pagevec_lookup(struct pagevec *pvec, struct address_space *mapping, + pgoff_t start, unsigned nr_pages); + unsigned pagevec_lookup_tag(struct pagevec *pvec, +diff --git a/include/linux/power/charger-manager.h b/include/linux/power/charger-manager.h +index 07e7945a1ff2..e97fc656a058 100644 +--- a/include/linux/power/charger-manager.h ++++ b/include/linux/power/charger-manager.h +@@ -253,9 +253,6 @@ struct charger_manager { + struct device *dev; + struct charger_desc *desc; + +- struct power_supply *fuel_gauge; +- struct power_supply **charger_stat; +- + #ifdef CONFIG_THERMAL + struct thermal_zone_device *tzd_batt; + #endif +diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h +index 403940787be1..e8be53ecfc45 100644 +--- a/include/linux/radix-tree.h ++++ b/include/linux/radix-tree.h +@@ -219,6 +219,7 @@ static inline void radix_tree_replace_slot(void **pslot, void *item) + int radix_tree_insert(struct radix_tree_root *, unsigned long, void *); + void *radix_tree_lookup(struct radix_tree_root *, unsigned long); + void **radix_tree_lookup_slot(struct radix_tree_root *, unsigned long); ++void *radix_tree_delete_item(struct radix_tree_root *, unsigned long, void *); + void *radix_tree_delete(struct radix_tree_root *, unsigned long); + unsigned int + radix_tree_gang_lookup(struct radix_tree_root *root, void **results, +@@ -226,10 +227,6 @@ radix_tree_gang_lookup(struct radix_tree_root *root, void **results, + unsigned int radix_tree_gang_lookup_slot(struct radix_tree_root *root, + void ***results, unsigned long *indices, + unsigned long first_index, unsigned int max_items); +-unsigned long radix_tree_next_hole(struct radix_tree_root *root, +- unsigned long index, unsigned long max_scan); +-unsigned long radix_tree_prev_hole(struct radix_tree_root *root, +- unsigned long index, unsigned long max_scan); + int radix_tree_preload(gfp_t gfp_mask); + int 
radix_tree_maybe_preload(gfp_t gfp_mask); + void radix_tree_init(void); +diff --git a/include/linux/shmem_fs.h b/include/linux/shmem_fs.h +index 9d55438bc4ad..4d1771c2d29f 100644 +--- a/include/linux/shmem_fs.h ++++ b/include/linux/shmem_fs.h +@@ -51,6 +51,7 @@ extern struct file *shmem_kernel_file_setup(const char *name, loff_t size, + unsigned long flags); + extern int shmem_zero_setup(struct vm_area_struct *); + extern int shmem_lock(struct file *file, int lock, struct user_struct *user); ++extern bool shmem_mapping(struct address_space *mapping); + extern void shmem_unlock_mapping(struct address_space *mapping); + extern struct page *shmem_read_mapping_page_gfp(struct address_space *mapping, + pgoff_t index, gfp_t gfp_mask); +diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h +index a3353f45ef94..ba41e01ebc54 100644 +--- a/include/net/sctp/sctp.h ++++ b/include/net/sctp/sctp.h +@@ -433,6 +433,11 @@ static inline void sctp_assoc_pending_pmtu(struct sock *sk, struct sctp_associat + asoc->pmtu_pending = 0; + } + ++static inline bool sctp_chunk_pending(const struct sctp_chunk *chunk) ++{ ++ return !list_empty(&chunk->list); ++} ++ + /* Walk through a list of TLV parameters. Don't trust the + * individual parameter lengths and instead depend on + * the chunk length to indicate when to stop. Make sure +diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h +index 7f4eeb340a54..72a31db47ded 100644 +--- a/include/net/sctp/sm.h ++++ b/include/net/sctp/sm.h +@@ -248,9 +248,9 @@ struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *, + int, __be16); + struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc, + union sctp_addr *addr); +-int sctp_verify_asconf(const struct sctp_association *asoc, +- struct sctp_paramhdr *param_hdr, void *chunk_end, +- struct sctp_paramhdr **errp); ++bool sctp_verify_asconf(const struct sctp_association *asoc, ++ struct sctp_chunk *chunk, bool addr_param_needed, ++ struct sctp_paramhdr **errp); + struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, + struct sctp_chunk *asconf); + int sctp_process_asconf_ack(struct sctp_association *asoc, +diff --git a/include/trace/events/compaction.h b/include/trace/events/compaction.h +index 06f544ef2f6f..c6814b917bdf 100644 +--- a/include/trace/events/compaction.h ++++ b/include/trace/events/compaction.h +@@ -5,6 +5,7 @@ + #define _TRACE_COMPACTION_H + + #include ++#include + #include + #include + +@@ -47,10 +48,11 @@ DEFINE_EVENT(mm_compaction_isolate_template, mm_compaction_isolate_freepages, + + TRACE_EVENT(mm_compaction_migratepages, + +- TP_PROTO(unsigned long nr_migrated, +- unsigned long nr_failed), ++ TP_PROTO(unsigned long nr_all, ++ int migrate_rc, ++ struct list_head *migratepages), + +- TP_ARGS(nr_migrated, nr_failed), ++ TP_ARGS(nr_all, migrate_rc, migratepages), + + TP_STRUCT__entry( + __field(unsigned long, nr_migrated) +@@ -58,7 +60,22 @@ TRACE_EVENT(mm_compaction_migratepages, + ), + + TP_fast_assign( +- __entry->nr_migrated = nr_migrated; ++ unsigned long nr_failed = 0; ++ struct list_head *page_lru; ++ ++ /* ++ * migrate_pages() returns either a non-negative number ++ * with the number of pages that failed migration, or an ++ * error code, in which case we need to count the remaining ++ * pages manually ++ */ ++ if (migrate_rc >= 0) ++ nr_failed = migrate_rc; ++ else ++ list_for_each(page_lru, migratepages) ++ nr_failed++; ++ ++ __entry->nr_migrated = nr_all - nr_failed; + __entry->nr_failed = nr_failed; + ), + +diff --git 
a/include/uapi/linux/netfilter/xt_bpf.h b/include/uapi/linux/netfilter/xt_bpf.h +index 5dda450eb55b..2ec9fbcd06f9 100644 +--- a/include/uapi/linux/netfilter/xt_bpf.h ++++ b/include/uapi/linux/netfilter/xt_bpf.h +@@ -6,6 +6,8 @@ + + #define XT_BPF_MAX_NUM_INSTR 64 + ++struct sk_filter; ++ + struct xt_bpf_info { + __u16 bpf_program_num_elem; + struct sock_filter bpf_program[XT_BPF_MAX_NUM_INSTR]; +diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c +index 17028648cfeb..cadddc8388f3 100644 +--- a/ipc/ipc_sysctl.c ++++ b/ipc/ipc_sysctl.c +@@ -123,7 +123,6 @@ static int proc_ipcauto_dointvec_minmax(ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { + struct ctl_table ipc_table; +- size_t lenp_bef = *lenp; + int oldval; + int rc; + +@@ -133,7 +132,7 @@ static int proc_ipcauto_dointvec_minmax(ctl_table *table, int write, + + rc = proc_dointvec_minmax(&ipc_table, write, buffer, lenp, ppos); + +- if (write && !rc && lenp_bef == *lenp) { ++ if (write && !rc) { + int newval = *((int *)(ipc_table.data)); + /* + * The file "auto_msgmni" has correctly been set. +diff --git a/kernel/audit.c b/kernel/audit.c +index 2c0ecd1753de..b45b2daa9f92 100644 +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -687,7 +687,7 @@ static int audit_get_feature(struct sk_buff *skb) + + seq = nlmsg_hdr(skb)->nlmsg_seq; + +- audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &af, sizeof(af)); ++ audit_send_reply(skb, seq, AUDIT_GET_FEATURE, 0, 0, &af, sizeof(af)); + + return 0; + } +@@ -702,7 +702,7 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); + audit_log_task_info(ab, current); +- audit_log_format(ab, "feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d", ++ audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d", + audit_feature_names[which], !!old_feature, !!new_feature, + !!old_lock, !!new_lock, res); + audit_log_end(ab); +diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c +index 135944a7b28a..a79db03990db 100644 +--- a/kernel/audit_tree.c ++++ b/kernel/audit_tree.c +@@ -154,6 +154,7 @@ static struct audit_chunk *alloc_chunk(int count) + chunk->owners[i].index = i; + } + fsnotify_init_mark(&chunk->mark, audit_tree_destroy_watch); ++ chunk->mark.mask = FS_IN_IGNORED; + return chunk; + } + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 4ced342f1ba9..4bbb27adf23d 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + + #include "internal.h" + +@@ -3693,6 +3694,26 @@ static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + return 0; + } + ++#ifdef CONFIG_COMPAT ++static long perf_compat_ioctl(struct file *file, unsigned int cmd, ++ unsigned long arg) ++{ ++ switch (_IOC_NR(cmd)) { ++ case _IOC_NR(PERF_EVENT_IOC_SET_FILTER): ++ case _IOC_NR(PERF_EVENT_IOC_ID): ++ /* Fix up pointer size (usually 4 -> 8 in 32-on-64-bit case */ ++ if (_IOC_SIZE(cmd) == sizeof(compat_uptr_t)) { ++ cmd &= ~IOCSIZE_MASK; ++ cmd |= sizeof(void *) << IOCSIZE_SHIFT; ++ } ++ break; ++ } ++ return perf_ioctl(file, cmd, arg); ++} ++#else ++# define perf_compat_ioctl NULL ++#endif ++ + int perf_event_task_enable(void) + { + struct perf_event *event; +@@ -4185,7 +4206,7 @@ static const struct file_operations perf_fops = { + .read = perf_read, + .poll = perf_poll, + .unlocked_ioctl = perf_ioctl, +- .compat_ioctl = perf_ioctl, ++ .compat_ioctl = perf_compat_ioctl, + .mmap = perf_mmap, + 
.fasync = perf_fasync, + }; +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index b3d116cd072d..6705d947ef14 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -1228,6 +1228,22 @@ static int rcu_future_gp_cleanup(struct rcu_state *rsp, struct rcu_node *rnp) + } + + /* ++ * Awaken the grace-period kthread for the specified flavor of RCU. ++ * Don't do a self-awaken, and don't bother awakening when there is ++ * nothing for the grace-period kthread to do (as in several CPUs ++ * raced to awaken, and we lost), and finally don't try to awaken ++ * a kthread that has not yet been created. ++ */ ++static void rcu_gp_kthread_wake(struct rcu_state *rsp) ++{ ++ if (current == rsp->gp_kthread || ++ !ACCESS_ONCE(rsp->gp_flags) || ++ !rsp->gp_kthread) ++ return; ++ wake_up(&rsp->gp_wq); ++} ++ ++/* + * If there is room, assign a ->completed number to any callbacks on + * this CPU that have not already been assigned. Also accelerate any + * callbacks that were previously assigned a ->completed number that has +@@ -1670,7 +1686,7 @@ static void rsp_wakeup(struct irq_work *work) + struct rcu_state *rsp = container_of(work, struct rcu_state, wakeup_work); + + /* Wake up rcu_gp_kthread() to start the grace period. */ +- wake_up(&rsp->gp_wq); ++ rcu_gp_kthread_wake(rsp); + } + + /* +@@ -1746,7 +1762,7 @@ static void rcu_report_qs_rsp(struct rcu_state *rsp, unsigned long flags) + { + WARN_ON_ONCE(!rcu_gp_in_progress(rsp)); + raw_spin_unlock_irqrestore(&rcu_get_root(rsp)->lock, flags); +- wake_up(&rsp->gp_wq); /* Memory barrier implied by wake_up() path. */ ++ rcu_gp_kthread_wake(rsp); + } + + /* +@@ -2322,7 +2338,7 @@ static void force_quiescent_state(struct rcu_state *rsp) + } + rsp->gp_flags |= RCU_GP_FLAG_FQS; + raw_spin_unlock_irqrestore(&rnp_old->lock, flags); +- wake_up(&rsp->gp_wq); /* Memory barrier implied by wake_up() path. */ ++ rcu_gp_kthread_wake(rsp); + } + + /* +diff --git a/lib/radix-tree.c b/lib/radix-tree.c +index bd4a8dfdf0b8..7e30d2a7f346 100644 +--- a/lib/radix-tree.c ++++ b/lib/radix-tree.c +@@ -946,81 +946,6 @@ next: + } + EXPORT_SYMBOL(radix_tree_range_tag_if_tagged); + +- +-/** +- * radix_tree_next_hole - find the next hole (not-present entry) +- * @root: tree root +- * @index: index key +- * @max_scan: maximum range to search +- * +- * Search the set [index, min(index+max_scan-1, MAX_INDEX)] for the lowest +- * indexed hole. +- * +- * Returns: the index of the hole if found, otherwise returns an index +- * outside of the set specified (in which case 'return - index >= max_scan' +- * will be true). In rare cases of index wrap-around, 0 will be returned. +- * +- * radix_tree_next_hole may be called under rcu_read_lock. However, like +- * radix_tree_gang_lookup, this will not atomically search a snapshot of +- * the tree at a single point in time. For example, if a hole is created +- * at index 5, then subsequently a hole is created at index 10, +- * radix_tree_next_hole covering both indexes may return 10 if called +- * under rcu_read_lock. 
+- */ +-unsigned long radix_tree_next_hole(struct radix_tree_root *root, +- unsigned long index, unsigned long max_scan) +-{ +- unsigned long i; +- +- for (i = 0; i < max_scan; i++) { +- if (!radix_tree_lookup(root, index)) +- break; +- index++; +- if (index == 0) +- break; +- } +- +- return index; +-} +-EXPORT_SYMBOL(radix_tree_next_hole); +- +-/** +- * radix_tree_prev_hole - find the prev hole (not-present entry) +- * @root: tree root +- * @index: index key +- * @max_scan: maximum range to search +- * +- * Search backwards in the range [max(index-max_scan+1, 0), index] +- * for the first hole. +- * +- * Returns: the index of the hole if found, otherwise returns an index +- * outside of the set specified (in which case 'index - return >= max_scan' +- * will be true). In rare cases of wrap-around, ULONG_MAX will be returned. +- * +- * radix_tree_next_hole may be called under rcu_read_lock. However, like +- * radix_tree_gang_lookup, this will not atomically search a snapshot of +- * the tree at a single point in time. For example, if a hole is created +- * at index 10, then subsequently a hole is created at index 5, +- * radix_tree_prev_hole covering both indexes may return 5 if called under +- * rcu_read_lock. +- */ +-unsigned long radix_tree_prev_hole(struct radix_tree_root *root, +- unsigned long index, unsigned long max_scan) +-{ +- unsigned long i; +- +- for (i = 0; i < max_scan; i++) { +- if (!radix_tree_lookup(root, index)) +- break; +- index--; +- if (index == ULONG_MAX) +- break; +- } +- +- return index; +-} +-EXPORT_SYMBOL(radix_tree_prev_hole); +- + /** + * radix_tree_gang_lookup - perform multiple lookup on a radix tree + * @root: radix tree root +@@ -1337,15 +1262,18 @@ static inline void radix_tree_shrink(struct radix_tree_root *root) + } + + /** +- * radix_tree_delete - delete an item from a radix tree ++ * radix_tree_delete_item - delete an item from a radix tree + * @root: radix tree root + * @index: index key ++ * @item: expected item + * +- * Remove the item at @index from the radix tree rooted at @root. ++ * Remove @item at @index from the radix tree rooted at @root. + * +- * Returns the address of the deleted item, or NULL if it was not present. ++ * Returns the address of the deleted item, or NULL if it was not present ++ * or the entry at the given @index was not @item. + */ +-void *radix_tree_delete(struct radix_tree_root *root, unsigned long index) ++void *radix_tree_delete_item(struct radix_tree_root *root, ++ unsigned long index, void *item) + { + struct radix_tree_node *node = NULL; + struct radix_tree_node *slot = NULL; +@@ -1380,6 +1308,11 @@ void *radix_tree_delete(struct radix_tree_root *root, unsigned long index) + if (slot == NULL) + goto out; + ++ if (item && slot != item) { ++ slot = NULL; ++ goto out; ++ } ++ + /* + * Clear all tags associated with the item to be deleted. + * This way of doing it would be inefficient, but seldom is any set. +@@ -1424,6 +1357,21 @@ void *radix_tree_delete(struct radix_tree_root *root, unsigned long index) + out: + return slot; + } ++EXPORT_SYMBOL(radix_tree_delete_item); ++ ++/** ++ * radix_tree_delete - delete an item from a radix tree ++ * @root: radix tree root ++ * @index: index key ++ * ++ * Remove the item at @index from the radix tree rooted at @root. ++ * ++ * Returns the address of the deleted item, or NULL if it was not present. 
++ */ ++void *radix_tree_delete(struct radix_tree_root *root, unsigned long index) ++{ ++ return radix_tree_delete_item(root, index, NULL); ++} + EXPORT_SYMBOL(radix_tree_delete); + + /** +diff --git a/mm/compaction.c b/mm/compaction.c +index 5e38e5706f62..4229fc22a477 100644 +--- a/mm/compaction.c ++++ b/mm/compaction.c +@@ -89,7 +89,8 @@ static void __reset_isolation_suitable(struct zone *zone) + unsigned long end_pfn = zone_end_pfn(zone); + unsigned long pfn; + +- zone->compact_cached_migrate_pfn = start_pfn; ++ zone->compact_cached_migrate_pfn[0] = start_pfn; ++ zone->compact_cached_migrate_pfn[1] = start_pfn; + zone->compact_cached_free_pfn = end_pfn; + zone->compact_blockskip_flush = false; + +@@ -131,9 +132,10 @@ void reset_isolation_suitable(pg_data_t *pgdat) + */ + static void update_pageblock_skip(struct compact_control *cc, + struct page *page, unsigned long nr_isolated, +- bool migrate_scanner) ++ bool set_unsuitable, bool migrate_scanner) + { + struct zone *zone = cc->zone; ++ unsigned long pfn; + + if (cc->ignore_skip_hint) + return; +@@ -141,20 +143,32 @@ static void update_pageblock_skip(struct compact_control *cc, + if (!page) + return; + +- if (!nr_isolated) { +- unsigned long pfn = page_to_pfn(page); ++ if (nr_isolated) ++ return; ++ ++ /* ++ * Only skip pageblocks when all forms of compaction will be known to ++ * fail in the near future. ++ */ ++ if (set_unsuitable) + set_pageblock_skip(page); + +- /* Update where compaction should restart */ +- if (migrate_scanner) { +- if (!cc->finished_update_migrate && +- pfn > zone->compact_cached_migrate_pfn) +- zone->compact_cached_migrate_pfn = pfn; +- } else { +- if (!cc->finished_update_free && +- pfn < zone->compact_cached_free_pfn) +- zone->compact_cached_free_pfn = pfn; +- } ++ pfn = page_to_pfn(page); ++ ++ /* Update where async and sync compaction should restart */ ++ if (migrate_scanner) { ++ if (cc->finished_update_migrate) ++ return; ++ if (pfn > zone->compact_cached_migrate_pfn[0]) ++ zone->compact_cached_migrate_pfn[0] = pfn; ++ if (cc->mode != MIGRATE_ASYNC && ++ pfn > zone->compact_cached_migrate_pfn[1]) ++ zone->compact_cached_migrate_pfn[1] = pfn; ++ } else { ++ if (cc->finished_update_free) ++ return; ++ if (pfn < zone->compact_cached_free_pfn) ++ zone->compact_cached_free_pfn = pfn; + } + } + #else +@@ -166,7 +180,7 @@ static inline bool isolation_suitable(struct compact_control *cc, + + static void update_pageblock_skip(struct compact_control *cc, + struct page *page, unsigned long nr_isolated, +- bool migrate_scanner) ++ bool set_unsuitable, bool migrate_scanner) + { + } + #endif /* CONFIG_COMPACTION */ +@@ -195,7 +209,7 @@ static bool compact_checklock_irqsave(spinlock_t *lock, unsigned long *flags, + } + + /* async aborts if taking too long or contended */ +- if (!cc->sync) { ++ if (cc->mode == MIGRATE_ASYNC) { + cc->contended = true; + return false; + } +@@ -208,10 +222,28 @@ static bool compact_checklock_irqsave(spinlock_t *lock, unsigned long *flags, + return true; + } + +-static inline bool compact_trylock_irqsave(spinlock_t *lock, +- unsigned long *flags, struct compact_control *cc) ++/* ++ * Aside from avoiding lock contention, compaction also periodically checks ++ * need_resched() and either schedules in sync compaction or aborts async ++ * compaction. This is similar to what compact_checklock_irqsave() does, but ++ * is used where no lock is concerned. ++ * ++ * Returns false when no scheduling was needed, or sync compaction scheduled. ++ * Returns true when async compaction should abort. 
++ */ ++static inline bool compact_should_abort(struct compact_control *cc) + { +- return compact_checklock_irqsave(lock, flags, false, cc); ++ /* async compaction aborts if contended */ ++ if (need_resched()) { ++ if (cc->mode == MIGRATE_ASYNC) { ++ cc->contended = true; ++ return true; ++ } ++ ++ cond_resched(); ++ } ++ ++ return false; + } + + /* Returns true if the page is within a block suitable for migration to */ +@@ -329,7 +361,8 @@ isolate_fail: + + /* Update the pageblock-skip if the whole pageblock was scanned */ + if (blockpfn == end_pfn) +- update_pageblock_skip(cc, valid_page, total_isolated, false); ++ update_pageblock_skip(cc, valid_page, total_isolated, true, ++ false); + + count_compact_events(COMPACTFREE_SCANNED, nr_scanned); + if (total_isolated) +@@ -464,8 +497,9 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc, + unsigned long flags; + bool locked = false; + struct page *page = NULL, *valid_page = NULL; +- bool skipped_async_unsuitable = false; +- const isolate_mode_t mode = (!cc->sync ? ISOLATE_ASYNC_MIGRATE : 0) | ++ bool set_unsuitable = true; ++ const isolate_mode_t mode = (cc->mode == MIGRATE_ASYNC ? ++ ISOLATE_ASYNC_MIGRATE : 0) | + (unevictable ? ISOLATE_UNEVICTABLE : 0); + + /* +@@ -475,7 +509,7 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc, + */ + while (unlikely(too_many_isolated(zone))) { + /* async migration should just abort */ +- if (!cc->sync) ++ if (cc->mode == MIGRATE_ASYNC) + return 0; + + congestion_wait(BLK_RW_ASYNC, HZ/10); +@@ -484,8 +518,10 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc, + return 0; + } + ++ if (compact_should_abort(cc)) ++ return 0; ++ + /* Time to isolate some pages for migration */ +- cond_resched(); + for (; low_pfn < end_pfn; low_pfn++) { + /* give a chance to irqs before checking need_resched() */ + if (locked && !(low_pfn % SWAP_CLUSTER_MAX)) { +@@ -540,9 +576,9 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc, + * the minimum amount of work satisfies the allocation + */ + mt = get_pageblock_migratetype(page); +- if (!cc->sync && !migrate_async_suitable(mt)) { +- cc->finished_update_migrate = true; +- skipped_async_unsuitable = true; ++ if (cc->mode == MIGRATE_ASYNC && ++ !migrate_async_suitable(mt)) { ++ set_unsuitable = false; + goto next_pageblock; + } + } +@@ -646,11 +682,10 @@ next_pageblock: + /* + * Update the pageblock-skip information and cached scanner pfn, + * if the whole pageblock was scanned without isolating any page. +- * This is not done when pageblock was skipped due to being unsuitable +- * for async compaction, so that eventual sync compaction can try. 
+ */ +- if (low_pfn == end_pfn && !skipped_async_unsuitable) +- update_pageblock_skip(cc, valid_page, nr_isolated, true); ++ if (low_pfn == end_pfn) ++ update_pageblock_skip(cc, valid_page, nr_isolated, ++ set_unsuitable, true); + + trace_mm_compaction_isolate_migratepages(nr_scanned, nr_isolated); + +@@ -671,7 +706,9 @@ static void isolate_freepages(struct zone *zone, + struct compact_control *cc) + { + struct page *page; +- unsigned long high_pfn, low_pfn, pfn, z_end_pfn; ++ unsigned long block_start_pfn; /* start of current pageblock */ ++ unsigned long block_end_pfn; /* end of current pageblock */ ++ unsigned long low_pfn; /* lowest pfn scanner is able to scan */ + int nr_freepages = cc->nr_freepages; + struct list_head *freelist = &cc->freepages; + +@@ -679,41 +716,38 @@ static void isolate_freepages(struct zone *zone, + * Initialise the free scanner. The starting point is where we last + * successfully isolated from, zone-cached value, or the end of the + * zone when isolating for the first time. We need this aligned to +- * the pageblock boundary, because we do pfn -= pageblock_nr_pages +- * in the for loop. ++ * the pageblock boundary, because we do ++ * block_start_pfn -= pageblock_nr_pages in the for loop. ++ * For ending point, take care when isolating in last pageblock of a ++ * a zone which ends in the middle of a pageblock. + * The low boundary is the end of the pageblock the migration scanner + * is using. + */ +- pfn = cc->free_pfn & ~(pageblock_nr_pages-1); ++ block_start_pfn = cc->free_pfn & ~(pageblock_nr_pages-1); ++ block_end_pfn = min(block_start_pfn + pageblock_nr_pages, ++ zone_end_pfn(zone)); + low_pfn = ALIGN(cc->migrate_pfn + 1, pageblock_nr_pages); + + /* +- * Take care that if the migration scanner is at the end of the zone +- * that the free scanner does not accidentally move to the next zone +- * in the next isolation cycle. +- */ +- high_pfn = min(low_pfn, pfn); +- +- z_end_pfn = zone_end_pfn(zone); +- +- /* + * Isolate free pages until enough are available to migrate the + * pages on cc->migratepages. We stop searching if the migrate + * and free page scanners meet or enough free pages are isolated. + */ +- for (; pfn >= low_pfn && cc->nr_migratepages > nr_freepages; +- pfn -= pageblock_nr_pages) { ++ for (; block_start_pfn >= low_pfn && cc->nr_migratepages > nr_freepages; ++ block_end_pfn = block_start_pfn, ++ block_start_pfn -= pageblock_nr_pages) { + unsigned long isolated; +- unsigned long end_pfn; + + /* + * This can iterate a massively long zone without finding any + * suitable migration targets, so periodically check if we need +- * to schedule. ++ * to schedule, or even abort async compaction. + */ +- cond_resched(); ++ if (!(block_start_pfn % (SWAP_CLUSTER_MAX * pageblock_nr_pages)) ++ && compact_should_abort(cc)) ++ break; + +- if (!pfn_valid(pfn)) ++ if (!pfn_valid(block_start_pfn)) + continue; + + /* +@@ -723,7 +757,7 @@ static void isolate_freepages(struct zone *zone, + * i.e. it's possible that all pages within a zones range of + * pages do not belong to a single zone. 
+ */ +- page = pfn_to_page(pfn); ++ page = pfn_to_page(block_start_pfn); + if (page_zone(page) != zone) + continue; + +@@ -736,26 +770,26 @@ static void isolate_freepages(struct zone *zone, + continue; + + /* Found a block suitable for isolating free pages from */ +- isolated = 0; ++ cc->free_pfn = block_start_pfn; ++ isolated = isolate_freepages_block(cc, block_start_pfn, ++ block_end_pfn, freelist, false); ++ nr_freepages += isolated; + + /* +- * Take care when isolating in last pageblock of a zone which +- * ends in the middle of a pageblock. ++ * Set a flag that we successfully isolated in this pageblock. ++ * In the next loop iteration, zone->compact_cached_free_pfn ++ * will not be updated and thus it will effectively contain the ++ * highest pageblock we isolated pages from. + */ +- end_pfn = min(pfn + pageblock_nr_pages, z_end_pfn); +- isolated = isolate_freepages_block(cc, pfn, end_pfn, +- freelist, false); +- nr_freepages += isolated; ++ if (isolated) ++ cc->finished_update_free = true; + + /* +- * Record the highest PFN we isolated pages from. When next +- * looking for free pages, the search will restart here as +- * page migration may have returned some pages to the allocator ++ * isolate_freepages_block() might have aborted due to async ++ * compaction being contended + */ +- if (isolated) { +- cc->finished_update_free = true; +- high_pfn = max(high_pfn, pfn); +- } ++ if (cc->contended) ++ break; + } + + /* split_free_page does not map the pages */ +@@ -765,10 +799,9 @@ static void isolate_freepages(struct zone *zone, + * If we crossed the migrate scanner, we want to keep it that way + * so that compact_finished() may detect this + */ +- if (pfn < low_pfn) +- cc->free_pfn = max(pfn, zone->zone_start_pfn); +- else +- cc->free_pfn = high_pfn; ++ if (block_start_pfn < low_pfn) ++ cc->free_pfn = cc->migrate_pfn; ++ + cc->nr_freepages = nr_freepages; + } + +@@ -783,9 +816,13 @@ static struct page *compaction_alloc(struct page *migratepage, + struct compact_control *cc = (struct compact_control *)data; + struct page *freepage; + +- /* Isolate free pages if necessary */ ++ /* ++ * Isolate free pages if necessary, and if we are not aborting due to ++ * contention. ++ */ + if (list_empty(&cc->freepages)) { +- isolate_freepages(cc->zone, cc); ++ if (!cc->contended) ++ isolate_freepages(cc->zone, cc); + + if (list_empty(&cc->freepages)) + return NULL; +@@ -799,23 +836,16 @@ static struct page *compaction_alloc(struct page *migratepage, + } + + /* +- * We cannot control nr_migratepages and nr_freepages fully when migration is +- * running as migrate_pages() has no knowledge of compact_control. When +- * migration is complete, we count the number of pages on the lists by hand. ++ * This is a migrate-callback that "frees" freepages back to the isolated ++ * freelist. All pages on the freelist are from the same zone, so there is no ++ * special handling needed for NUMA. 
+ */ +-static void update_nr_listpages(struct compact_control *cc) ++static void compaction_free(struct page *page, unsigned long data) + { +- int nr_migratepages = 0; +- int nr_freepages = 0; +- struct page *page; +- +- list_for_each_entry(page, &cc->migratepages, lru) +- nr_migratepages++; +- list_for_each_entry(page, &cc->freepages, lru) +- nr_freepages++; ++ struct compact_control *cc = (struct compact_control *)data; + +- cc->nr_migratepages = nr_migratepages; +- cc->nr_freepages = nr_freepages; ++ list_add(&page->lru, &cc->freepages); ++ cc->nr_freepages++; + } + + /* possible outcome of isolate_migratepages */ +@@ -862,13 +892,14 @@ static int compact_finished(struct zone *zone, + unsigned int order; + unsigned long watermark; + +- if (fatal_signal_pending(current)) ++ if (cc->contended || fatal_signal_pending(current)) + return COMPACT_PARTIAL; + + /* Compaction run completes if the migrate and free scanner meet */ + if (cc->free_pfn <= cc->migrate_pfn) { + /* Let the next compaction start anew. */ +- zone->compact_cached_migrate_pfn = zone->zone_start_pfn; ++ zone->compact_cached_migrate_pfn[0] = zone->zone_start_pfn; ++ zone->compact_cached_migrate_pfn[1] = zone->zone_start_pfn; + zone->compact_cached_free_pfn = zone_end_pfn(zone); + + /* +@@ -968,6 +999,7 @@ static int compact_zone(struct zone *zone, struct compact_control *cc) + int ret; + unsigned long start_pfn = zone->zone_start_pfn; + unsigned long end_pfn = zone_end_pfn(zone); ++ const bool sync = cc->mode != MIGRATE_ASYNC; + + ret = compaction_suitable(zone, cc->order); + switch (ret) { +@@ -993,7 +1025,7 @@ static int compact_zone(struct zone *zone, struct compact_control *cc) + * information on where the scanners should start but check that it + * is initialised by ensuring the values are within zone boundaries. + */ +- cc->migrate_pfn = zone->compact_cached_migrate_pfn; ++ cc->migrate_pfn = zone->compact_cached_migrate_pfn[sync]; + cc->free_pfn = zone->compact_cached_free_pfn; + if (cc->free_pfn < start_pfn || cc->free_pfn > end_pfn) { + cc->free_pfn = end_pfn & ~(pageblock_nr_pages-1); +@@ -1001,7 +1033,8 @@ static int compact_zone(struct zone *zone, struct compact_control *cc) + } + if (cc->migrate_pfn < start_pfn || cc->migrate_pfn > end_pfn) { + cc->migrate_pfn = start_pfn; +- zone->compact_cached_migrate_pfn = cc->migrate_pfn; ++ zone->compact_cached_migrate_pfn[0] = cc->migrate_pfn; ++ zone->compact_cached_migrate_pfn[1] = cc->migrate_pfn; + } + + trace_mm_compaction_begin(start_pfn, cc->migrate_pfn, cc->free_pfn, end_pfn); +@@ -1009,7 +1042,6 @@ static int compact_zone(struct zone *zone, struct compact_control *cc) + migrate_prep_local(); + + while ((ret = compact_finished(zone, cc)) == COMPACT_CONTINUE) { +- unsigned long nr_migrate, nr_remaining; + int err; + + switch (isolate_migratepages(zone, cc)) { +@@ -1024,21 +1056,20 @@ static int compact_zone(struct zone *zone, struct compact_control *cc) + ; + } + +- nr_migrate = cc->nr_migratepages; ++ if (!cc->nr_migratepages) ++ continue; ++ + err = migrate_pages(&cc->migratepages, compaction_alloc, +- (unsigned long)cc, +- cc->sync ? 
MIGRATE_SYNC_LIGHT : MIGRATE_ASYNC, ++ compaction_free, (unsigned long)cc, cc->mode, + MR_COMPACTION); +- update_nr_listpages(cc); +- nr_remaining = cc->nr_migratepages; + +- trace_mm_compaction_migratepages(nr_migrate - nr_remaining, +- nr_remaining); ++ trace_mm_compaction_migratepages(cc->nr_migratepages, err, ++ &cc->migratepages); + +- /* Release isolated pages not migrated */ ++ /* All pages were either migrated or will be released */ ++ cc->nr_migratepages = 0; + if (err) { + putback_movable_pages(&cc->migratepages); +- cc->nr_migratepages = 0; + /* + * migrate_pages() may return -ENOMEM when scanners meet + * and we want compact_finished() to detect it +@@ -1060,9 +1091,8 @@ out: + return ret; + } + +-static unsigned long compact_zone_order(struct zone *zone, +- int order, gfp_t gfp_mask, +- bool sync, bool *contended) ++static unsigned long compact_zone_order(struct zone *zone, int order, ++ gfp_t gfp_mask, enum migrate_mode mode, bool *contended) + { + unsigned long ret; + struct compact_control cc = { +@@ -1071,7 +1101,7 @@ static unsigned long compact_zone_order(struct zone *zone, + .order = order, + .migratetype = allocflags_to_migratetype(gfp_mask), + .zone = zone, +- .sync = sync, ++ .mode = mode, + }; + INIT_LIST_HEAD(&cc.freepages); + INIT_LIST_HEAD(&cc.migratepages); +@@ -1093,7 +1123,7 @@ int sysctl_extfrag_threshold = 500; + * @order: The order of the current allocation + * @gfp_mask: The GFP mask of the current allocation + * @nodemask: The allowed nodes to allocate from +- * @sync: Whether migration is synchronous or not ++ * @mode: The migration mode for async, sync light, or sync migration + * @contended: Return value that is true if compaction was aborted due to lock contention + * @page: Optionally capture a free page of the requested order during compaction + * +@@ -1101,7 +1131,7 @@ int sysctl_extfrag_threshold = 500; + */ + unsigned long try_to_compact_pages(struct zonelist *zonelist, + int order, gfp_t gfp_mask, nodemask_t *nodemask, +- bool sync, bool *contended) ++ enum migrate_mode mode, bool *contended) + { + enum zone_type high_zoneidx = gfp_zone(gfp_mask); + int may_enter_fs = gfp_mask & __GFP_FS; +@@ -1126,7 +1156,7 @@ unsigned long try_to_compact_pages(struct zonelist *zonelist, + nodemask) { + int status; + +- status = compact_zone_order(zone, order, gfp_mask, sync, ++ status = compact_zone_order(zone, order, gfp_mask, mode, + contended); + rc = max(status, rc); + +@@ -1165,9 +1195,6 @@ static void __compact_pgdat(pg_data_t *pgdat, struct compact_control *cc) + if (zone_watermark_ok(zone, cc->order, + low_wmark_pages(zone), 0, 0)) + compaction_defer_reset(zone, cc->order, false); +- /* Currently async compaction is never deferred. 
*/ +- else if (cc->sync) +- defer_compaction(zone, cc->order); + } + + VM_BUG_ON(!list_empty(&cc->freepages)); +@@ -1179,7 +1206,7 @@ void compact_pgdat(pg_data_t *pgdat, int order) + { + struct compact_control cc = { + .order = order, +- .sync = false, ++ .mode = MIGRATE_ASYNC, + }; + + if (!order) +@@ -1192,7 +1219,7 @@ static void compact_node(int nid) + { + struct compact_control cc = { + .order = -1, +- .sync = true, ++ .mode = MIGRATE_SYNC, + .ignore_skip_hint = true, + }; + +diff --git a/mm/filemap.c b/mm/filemap.c +index c2cc7c95eff1..bdaa21555abe 100644 +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -448,6 +448,29 @@ int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask) + } + EXPORT_SYMBOL_GPL(replace_page_cache_page); + ++static int page_cache_tree_insert(struct address_space *mapping, ++ struct page *page) ++{ ++ void **slot; ++ int error; ++ ++ slot = radix_tree_lookup_slot(&mapping->page_tree, page->index); ++ if (slot) { ++ void *p; ++ ++ p = radix_tree_deref_slot_protected(slot, &mapping->tree_lock); ++ if (!radix_tree_exceptional_entry(p)) ++ return -EEXIST; ++ radix_tree_replace_slot(slot, page); ++ mapping->nrpages++; ++ return 0; ++ } ++ error = radix_tree_insert(&mapping->page_tree, page->index, page); ++ if (!error) ++ mapping->nrpages++; ++ return error; ++} ++ + /** + * add_to_page_cache_locked - add a locked page to the pagecache + * @page: page to add +@@ -482,11 +505,10 @@ int add_to_page_cache_locked(struct page *page, struct address_space *mapping, + page->index = offset; + + spin_lock_irq(&mapping->tree_lock); +- error = radix_tree_insert(&mapping->page_tree, offset, page); ++ error = page_cache_tree_insert(mapping, page); + radix_tree_preload_end(); + if (unlikely(error)) + goto err_insert; +- mapping->nrpages++; + __inc_zone_page_state(page, NR_FILE_PAGES); + spin_unlock_irq(&mapping->tree_lock); + trace_mm_filemap_add_to_page_cache(page); +@@ -688,14 +710,101 @@ int __lock_page_or_retry(struct page *page, struct mm_struct *mm, + } + + /** +- * find_get_page - find and get a page reference ++ * page_cache_next_hole - find the next hole (not-present entry) ++ * @mapping: mapping ++ * @index: index ++ * @max_scan: maximum range to search ++ * ++ * Search the set [index, min(index+max_scan-1, MAX_INDEX)] for the ++ * lowest indexed hole. ++ * ++ * Returns: the index of the hole if found, otherwise returns an index ++ * outside of the set specified (in which case 'return - index >= ++ * max_scan' will be true). In rare cases of index wrap-around, 0 will ++ * be returned. ++ * ++ * page_cache_next_hole may be called under rcu_read_lock. However, ++ * like radix_tree_gang_lookup, this will not atomically search a ++ * snapshot of the tree at a single point in time. For example, if a ++ * hole is created at index 5, then subsequently a hole is created at ++ * index 10, page_cache_next_hole covering both indexes may return 10 ++ * if called under rcu_read_lock. 
++ */ ++pgoff_t page_cache_next_hole(struct address_space *mapping, ++ pgoff_t index, unsigned long max_scan) ++{ ++ unsigned long i; ++ ++ for (i = 0; i < max_scan; i++) { ++ struct page *page; ++ ++ page = radix_tree_lookup(&mapping->page_tree, index); ++ if (!page || radix_tree_exceptional_entry(page)) ++ break; ++ index++; ++ if (index == 0) ++ break; ++ } ++ ++ return index; ++} ++EXPORT_SYMBOL(page_cache_next_hole); ++ ++/** ++ * page_cache_prev_hole - find the prev hole (not-present entry) ++ * @mapping: mapping ++ * @index: index ++ * @max_scan: maximum range to search ++ * ++ * Search backwards in the range [max(index-max_scan+1, 0), index] for ++ * the first hole. ++ * ++ * Returns: the index of the hole if found, otherwise returns an index ++ * outside of the set specified (in which case 'index - return >= ++ * max_scan' will be true). In rare cases of wrap-around, ULONG_MAX ++ * will be returned. ++ * ++ * page_cache_prev_hole may be called under rcu_read_lock. However, ++ * like radix_tree_gang_lookup, this will not atomically search a ++ * snapshot of the tree at a single point in time. For example, if a ++ * hole is created at index 10, then subsequently a hole is created at ++ * index 5, page_cache_prev_hole covering both indexes may return 5 if ++ * called under rcu_read_lock. ++ */ ++pgoff_t page_cache_prev_hole(struct address_space *mapping, ++ pgoff_t index, unsigned long max_scan) ++{ ++ unsigned long i; ++ ++ for (i = 0; i < max_scan; i++) { ++ struct page *page; ++ ++ page = radix_tree_lookup(&mapping->page_tree, index); ++ if (!page || radix_tree_exceptional_entry(page)) ++ break; ++ index--; ++ if (index == ULONG_MAX) ++ break; ++ } ++ ++ return index; ++} ++EXPORT_SYMBOL(page_cache_prev_hole); ++ ++/** ++ * find_get_entry - find and get a page cache entry + * @mapping: the address_space to search +- * @offset: the page index ++ * @offset: the page cache index + * +- * Is there a pagecache struct page at the given (mapping, offset) tuple? +- * If yes, increment its refcount and return it; if no, return NULL. ++ * Looks up the page cache slot at @mapping & @offset. If there is a ++ * page cache page, it is returned with an increased refcount. ++ * ++ * If the slot holds a shadow entry of a previously evicted page, it ++ * is returned. ++ * ++ * Otherwise, %NULL is returned. + */ +-struct page *find_get_page(struct address_space *mapping, pgoff_t offset) ++struct page *find_get_entry(struct address_space *mapping, pgoff_t offset) + { + void **pagep; + struct page *page; +@@ -736,24 +845,50 @@ out: + + return page; + } +-EXPORT_SYMBOL(find_get_page); ++EXPORT_SYMBOL(find_get_entry); + + /** +- * find_lock_page - locate, pin and lock a pagecache page ++ * find_get_page - find and get a page reference + * @mapping: the address_space to search + * @offset: the page index + * +- * Locates the desired pagecache page, locks it, increments its reference +- * count and returns its address. ++ * Looks up the page cache slot at @mapping & @offset. If there is a ++ * page cache page, it is returned with an increased refcount. + * +- * Returns zero if the page was not present. find_lock_page() may sleep. ++ * Otherwise, %NULL is returned. 
+ */ +-struct page *find_lock_page(struct address_space *mapping, pgoff_t offset) ++struct page *find_get_page(struct address_space *mapping, pgoff_t offset) ++{ ++ struct page *page = find_get_entry(mapping, offset); ++ ++ if (radix_tree_exceptional_entry(page)) ++ page = NULL; ++ return page; ++} ++EXPORT_SYMBOL(find_get_page); ++ ++/** ++ * find_lock_entry - locate, pin and lock a page cache entry ++ * @mapping: the address_space to search ++ * @offset: the page cache index ++ * ++ * Looks up the page cache slot at @mapping & @offset. If there is a ++ * page cache page, it is returned locked and with an increased ++ * refcount. ++ * ++ * If the slot holds a shadow entry of a previously evicted page, it ++ * is returned. ++ * ++ * Otherwise, %NULL is returned. ++ * ++ * find_lock_entry() may sleep. ++ */ ++struct page *find_lock_entry(struct address_space *mapping, pgoff_t offset) + { + struct page *page; + + repeat: +- page = find_get_page(mapping, offset); ++ page = find_get_entry(mapping, offset); + if (page && !radix_tree_exception(page)) { + lock_page(page); + /* Has the page been truncated? */ +@@ -766,6 +901,29 @@ repeat: + } + return page; + } ++EXPORT_SYMBOL(find_lock_entry); ++ ++/** ++ * find_lock_page - locate, pin and lock a pagecache page ++ * @mapping: the address_space to search ++ * @offset: the page index ++ * ++ * Looks up the page cache slot at @mapping & @offset. If there is a ++ * page cache page, it is returned locked and with an increased ++ * refcount. ++ * ++ * Otherwise, %NULL is returned. ++ * ++ * find_lock_page() may sleep. ++ */ ++struct page *find_lock_page(struct address_space *mapping, pgoff_t offset) ++{ ++ struct page *page = find_lock_entry(mapping, offset); ++ ++ if (radix_tree_exceptional_entry(page)) ++ page = NULL; ++ return page; ++} + EXPORT_SYMBOL(find_lock_page); + + /** +@@ -774,16 +932,18 @@ EXPORT_SYMBOL(find_lock_page); + * @index: the page's index into the mapping + * @gfp_mask: page allocation mode + * +- * Locates a page in the pagecache. If the page is not present, a new page +- * is allocated using @gfp_mask and is added to the pagecache and to the VM's +- * LRU list. The returned page is locked and has its reference count +- * incremented. ++ * Looks up the page cache slot at @mapping & @offset. If there is a ++ * page cache page, it is returned locked and with an increased ++ * refcount. ++ * ++ * If the page is not present, a new page is allocated using @gfp_mask ++ * and added to the page cache and the VM's LRU list. The page is ++ * returned locked and with an increased refcount. + * +- * find_or_create_page() may sleep, even if @gfp_flags specifies an atomic +- * allocation! ++ * On memory exhaustion, %NULL is returned. + * +- * find_or_create_page() returns the desired page's address, or zero on +- * memory exhaustion. ++ * find_or_create_page() may sleep, even if @gfp_flags specifies an ++ * atomic allocation! + */ + struct page *find_or_create_page(struct address_space *mapping, + pgoff_t index, gfp_t gfp_mask) +@@ -816,6 +976,76 @@ repeat: + EXPORT_SYMBOL(find_or_create_page); + + /** ++ * find_get_entries - gang pagecache lookup ++ * @mapping: The address_space to search ++ * @start: The starting page cache index ++ * @nr_entries: The maximum number of entries ++ * @entries: Where the resulting entries are placed ++ * @indices: The cache indices corresponding to the entries in @entries ++ * ++ * find_get_entries() will search for and return a group of up to ++ * @nr_entries entries in the mapping. 
The entries are placed at ++ * @entries. find_get_entries() takes a reference against any actual ++ * pages it returns. ++ * ++ * The search returns a group of mapping-contiguous page cache entries ++ * with ascending indexes. There may be holes in the indices due to ++ * not-present pages. ++ * ++ * Any shadow entries of evicted pages are included in the returned ++ * array. ++ * ++ * find_get_entries() returns the number of pages and shadow entries ++ * which were found. ++ */ ++unsigned find_get_entries(struct address_space *mapping, ++ pgoff_t start, unsigned int nr_entries, ++ struct page **entries, pgoff_t *indices) ++{ ++ void **slot; ++ unsigned int ret = 0; ++ struct radix_tree_iter iter; ++ ++ if (!nr_entries) ++ return 0; ++ ++ rcu_read_lock(); ++restart: ++ radix_tree_for_each_slot(slot, &mapping->page_tree, &iter, start) { ++ struct page *page; ++repeat: ++ page = radix_tree_deref_slot(slot); ++ if (unlikely(!page)) ++ continue; ++ if (radix_tree_exception(page)) { ++ if (radix_tree_deref_retry(page)) ++ goto restart; ++ /* ++ * Otherwise, we must be storing a swap entry ++ * here as an exceptional entry: so return it ++ * without attempting to raise page count. ++ */ ++ goto export; ++ } ++ if (!page_cache_get_speculative(page)) ++ goto repeat; ++ ++ /* Has the page moved? */ ++ if (unlikely(page != *slot)) { ++ page_cache_release(page); ++ goto repeat; ++ } ++export: ++ indices[ret] = iter.index; ++ entries[ret] = page; ++ if (++ret == nr_entries) ++ break; ++ } ++ rcu_read_unlock(); ++ return ret; ++} ++ ++/** + * find_get_pages - gang pagecache lookup + * @mapping: The address_space to search + * @start: The starting page index +@@ -1797,6 +2027,18 @@ int generic_file_readonly_mmap(struct file * file, struct vm_area_struct * vma) + EXPORT_SYMBOL(generic_file_mmap); + EXPORT_SYMBOL(generic_file_readonly_mmap); + ++static struct page *wait_on_page_read(struct page *page) ++{ ++ if (!IS_ERR(page)) { ++ wait_on_page_locked(page); ++ if (!PageUptodate(page)) { ++ page_cache_release(page); ++ page = ERR_PTR(-EIO); ++ } ++ } ++ return page; ++} ++ + static struct page *__read_cache_page(struct address_space *mapping, + pgoff_t index, + int (*filler)(void *, struct page *), +@@ -1823,6 +2065,8 @@ repeat: + if (err < 0) { + page_cache_release(page); + page = ERR_PTR(err); ++ } else { ++ page = wait_on_page_read(page); + } + } + return page; +@@ -1859,6 +2103,10 @@ retry: + if (err < 0) { + page_cache_release(page); + return ERR_PTR(err); ++ } else { ++ page = wait_on_page_read(page); ++ if (IS_ERR(page)) ++ return page; + } + out: + mark_page_accessed(page); +@@ -1866,40 +2114,25 @@ out: + } + + /** +- * read_cache_page_async - read into page cache, fill it if needed ++ * read_cache_page - read into page cache, fill it if needed + * @mapping: the page's address_space + * @index: the page index + * @filler: function to perform the read + * @data: first arg to filler(data, page) function, often left as NULL + * +- * Same as read_cache_page, but don't wait for page to become unlocked +- * after submitting it to the filler. +- * + * Read into the page cache. If a page already exists, and PageUptodate() is +- * not set, try to fill the page but don't wait for it to become unlocked. ++ * not set, try to fill the page and wait for it to become unlocked. + * + * If the page does not get brought uptodate, return -EIO. 
+ */ +-struct page *read_cache_page_async(struct address_space *mapping, ++struct page *read_cache_page(struct address_space *mapping, + pgoff_t index, + int (*filler)(void *, struct page *), + void *data) + { + return do_read_cache_page(mapping, index, filler, data, mapping_gfp_mask(mapping)); + } +-EXPORT_SYMBOL(read_cache_page_async); +- +-static struct page *wait_on_page_read(struct page *page) +-{ +- if (!IS_ERR(page)) { +- wait_on_page_locked(page); +- if (!PageUptodate(page)) { +- page_cache_release(page); +- page = ERR_PTR(-EIO); +- } +- } +- return page; +-} ++EXPORT_SYMBOL(read_cache_page); + + /** + * read_cache_page_gfp - read into page cache, using specified page allocation flags. +@@ -1918,31 +2151,10 @@ struct page *read_cache_page_gfp(struct address_space *mapping, + { + filler_t *filler = (filler_t *)mapping->a_ops->readpage; + +- return wait_on_page_read(do_read_cache_page(mapping, index, filler, NULL, gfp)); ++ return do_read_cache_page(mapping, index, filler, NULL, gfp); + } + EXPORT_SYMBOL(read_cache_page_gfp); + +-/** +- * read_cache_page - read into page cache, fill it if needed +- * @mapping: the page's address_space +- * @index: the page index +- * @filler: function to perform the read +- * @data: first arg to filler(data, page) function, often left as NULL +- * +- * Read into the page cache. If a page already exists, and PageUptodate() is +- * not set, try to fill the page then wait for it to become unlocked. +- * +- * If the page does not get brought uptodate, return -EIO. +- */ +-struct page *read_cache_page(struct address_space *mapping, +- pgoff_t index, +- int (*filler)(void *, struct page *), +- void *data) +-{ +- return wait_on_page_read(read_cache_page_async(mapping, index, filler, data)); +-} +-EXPORT_SYMBOL(read_cache_page); +- + static size_t __iovec_copy_from_user_inatomic(char *vaddr, + const struct iovec *iov, size_t base, size_t bytes) + { +@@ -1976,7 +2188,6 @@ size_t iov_iter_copy_from_user_atomic(struct page *page, + char *kaddr; + size_t copied; + +- BUG_ON(!in_atomic()); + kaddr = kmap_atomic(page); + if (likely(i->nr_segs == 1)) { + int left; +@@ -2350,9 +2561,7 @@ again: + if (mapping_writably_mapped(mapping)) + flush_dcache_page(page); + +- pagefault_disable(); + copied = iov_iter_copy_from_user_atomic(page, i, offset, bytes); +- pagefault_enable(); + flush_dcache_page(page); + + mark_page_accessed(page); +diff --git a/mm/internal.h b/mm/internal.h +index 3e910000fda4..1a8a0d4b687a 100644 +--- a/mm/internal.h ++++ b/mm/internal.h +@@ -11,6 +11,7 @@ + #ifndef __MM_INTERNAL_H + #define __MM_INTERNAL_H + ++#include + #include + + void free_pgtables(struct mmu_gather *tlb, struct vm_area_struct *start_vma, +@@ -21,6 +22,20 @@ static inline void set_page_count(struct page *page, int v) + atomic_set(&page->_count, v); + } + ++extern int __do_page_cache_readahead(struct address_space *mapping, ++ struct file *filp, pgoff_t offset, unsigned long nr_to_read, ++ unsigned long lookahead_size); ++ ++/* ++ * Submit IO for the read-ahead request in file_ra_state. ++ */ ++static inline unsigned long ra_submit(struct file_ra_state *ra, ++ struct address_space *mapping, struct file *filp) ++{ ++ return __do_page_cache_readahead(mapping, filp, ++ ra->start, ra->size, ra->async_size); ++} ++ + /* + * Turn a non-refcounted page (->_count == 0) into refcounted with + * a count of one. 
+@@ -119,7 +134,7 @@ struct compact_control { + unsigned long nr_migratepages; /* Number of pages to migrate */ + unsigned long free_pfn; /* isolate_freepages search base */ + unsigned long migrate_pfn; /* isolate_migratepages search base */ +- bool sync; /* Synchronous migration */ ++ enum migrate_mode mode; /* Async or sync migration mode */ + bool ignore_skip_hint; /* Scan blocks even if marked skip */ + bool finished_update_free; /* True when the zone cached pfns are + * no longer being updated +@@ -129,7 +144,10 @@ struct compact_control { + int order; /* order a direct compactor needs */ + int migratetype; /* MOVABLE, RECLAIMABLE etc */ + struct zone *zone; +- bool contended; /* True if a lock was contended */ ++ bool contended; /* True if a lock was contended, or ++ * need_resched() true during async ++ * compaction ++ */ + }; + + unsigned long +diff --git a/mm/madvise.c b/mm/madvise.c +index 539eeb96b323..a402f8fdc68e 100644 +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -195,7 +195,7 @@ static void force_shm_swapin_readahead(struct vm_area_struct *vma, + for (; start < end; start += PAGE_SIZE) { + index = ((start - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff; + +- page = find_get_page(mapping, index); ++ page = find_get_entry(mapping, index); + if (!radix_tree_exceptional_entry(page)) { + if (page) + page_cache_release(page); +diff --git a/mm/memory-failure.c b/mm/memory-failure.c +index 33365e9ce6a7..a98c7fce470a 100644 +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -1540,7 +1540,7 @@ static int soft_offline_huge_page(struct page *page, int flags) + + /* Keep page count to indicate a given hugepage is isolated. */ + list_move(&hpage->lru, &pagelist); +- ret = migrate_pages(&pagelist, new_page, MPOL_MF_MOVE_ALL, ++ ret = migrate_pages(&pagelist, new_page, NULL, MPOL_MF_MOVE_ALL, + MIGRATE_SYNC, MR_MEMORY_FAILURE); + if (ret) { + pr_info("soft offline: %#lx: migration failed %d, type %lx\n", +@@ -1621,7 +1621,7 @@ static int __soft_offline_page(struct page *page, int flags) + inc_zone_page_state(page, NR_ISOLATED_ANON + + page_is_file_cache(page)); + list_add(&page->lru, &pagelist); +- ret = migrate_pages(&pagelist, new_page, MPOL_MF_MOVE_ALL, ++ ret = migrate_pages(&pagelist, new_page, NULL, MPOL_MF_MOVE_ALL, + MIGRATE_SYNC, MR_MEMORY_FAILURE); + if (ret) { + if (!list_empty(&pagelist)) { +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index a650db29606f..f6f23833de44 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1332,7 +1332,7 @@ do_migrate_range(unsigned long start_pfn, unsigned long end_pfn) + * alloc_migrate_target should be improooooved!! + * migrate_pages returns # of failed pages. 
+ */ +- ret = migrate_pages(&source, alloc_migrate_target, 0, ++ ret = migrate_pages(&source, alloc_migrate_target, NULL, 0, + MIGRATE_SYNC, MR_MEMORY_HOTPLUG); + if (ret) + putback_movable_pages(&source); +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index 796c7e6cf93b..e8fff0fa1202 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1060,7 +1060,7 @@ static int migrate_to_node(struct mm_struct *mm, int source, int dest, + flags | MPOL_MF_DISCONTIG_OK, &pagelist); + + if (!list_empty(&pagelist)) { +- err = migrate_pages(&pagelist, new_node_page, dest, ++ err = migrate_pages(&pagelist, new_node_page, NULL, dest, + MIGRATE_SYNC, MR_SYSCALL); + if (err) + putback_movable_pages(&pagelist); +@@ -1306,7 +1306,7 @@ static long do_mbind(unsigned long start, unsigned long len, + + if (!list_empty(&pagelist)) { + WARN_ON_ONCE(flags & MPOL_MF_LAZY); +- nr_failed = migrate_pages(&pagelist, new_page, ++ nr_failed = migrate_pages(&pagelist, new_page, NULL, + start, MIGRATE_SYNC, MR_MEMPOLICY_MBIND); + if (nr_failed) + putback_movable_pages(&pagelist); +diff --git a/mm/migrate.c b/mm/migrate.c +index 13f47fbe3550..3acac4a62c4b 100644 +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -941,8 +941,9 @@ out: + * Obtain the lock on page, remove all ptes and migrate the page + * to the newly allocated page in newpage. + */ +-static int unmap_and_move(new_page_t get_new_page, unsigned long private, +- struct page *page, int force, enum migrate_mode mode) ++static int unmap_and_move(new_page_t get_new_page, free_page_t put_new_page, ++ unsigned long private, struct page *page, int force, ++ enum migrate_mode mode) + { + int rc = 0; + int *result = NULL; +@@ -986,11 +987,18 @@ out: + page_is_file_cache(page)); + putback_lru_page(page); + } ++ + /* +- * Move the new page to the LRU. If migration was not successful +- * then this will free the page. ++ * If migration was not successful and there's a freeing callback, use ++ * it. Otherwise, putback_lru_page() will drop the reference grabbed ++ * during isolation. + */ +- putback_lru_page(newpage); ++ if (rc != MIGRATEPAGE_SUCCESS && put_new_page) { ++ ClearPageSwapBacked(newpage); ++ put_new_page(newpage, private); ++ } else ++ putback_lru_page(newpage); ++ + if (result) { + if (rc) + *result = rc; +@@ -1019,8 +1027,9 @@ out: + * will wait in the page fault for migration to complete. + */ + static int unmap_and_move_huge_page(new_page_t get_new_page, +- unsigned long private, struct page *hpage, +- int force, enum migrate_mode mode) ++ free_page_t put_new_page, unsigned long private, ++ struct page *hpage, int force, ++ enum migrate_mode mode) + { + int rc = 0; + int *result = NULL; +@@ -1059,20 +1068,30 @@ static int unmap_and_move_huge_page(new_page_t get_new_page, + if (!page_mapped(hpage)) + rc = move_to_new_page(new_hpage, hpage, 1, mode); + +- if (rc) ++ if (rc != MIGRATEPAGE_SUCCESS) + remove_migration_ptes(hpage, hpage); + + if (anon_vma) + put_anon_vma(anon_vma); + +- if (!rc) ++ if (rc == MIGRATEPAGE_SUCCESS) + hugetlb_cgroup_migrate(hpage, new_hpage); + + unlock_page(hpage); + out: + if (rc != -EAGAIN) + putback_active_hugepage(hpage); +- put_page(new_hpage); ++ ++ /* ++ * If migration was not successful and there's a freeing callback, use ++ * it. Otherwise, put_page() will drop the reference grabbed during ++ * isolation. 
++ */ ++ if (rc != MIGRATEPAGE_SUCCESS && put_new_page) ++ put_new_page(new_hpage, private); ++ else ++ put_page(new_hpage); ++ + if (result) { + if (rc) + *result = rc; +@@ -1089,6 +1108,8 @@ out: + * @from: The list of pages to be migrated. + * @get_new_page: The function used to allocate free pages to be used + * as the target of the page migration. ++ * @put_new_page: The function used to free target pages if migration ++ * fails, or NULL if no special handling is necessary. + * @private: Private data to be passed on to get_new_page() + * @mode: The migration mode that specifies the constraints for + * page migration, if any. +@@ -1102,7 +1123,8 @@ out: + * Returns the number of pages that were not migrated, or an error code. + */ + int migrate_pages(struct list_head *from, new_page_t get_new_page, +- unsigned long private, enum migrate_mode mode, int reason) ++ free_page_t put_new_page, unsigned long private, ++ enum migrate_mode mode, int reason) + { + int retry = 1; + int nr_failed = 0; +@@ -1124,10 +1146,11 @@ int migrate_pages(struct list_head *from, new_page_t get_new_page, + + if (PageHuge(page)) + rc = unmap_and_move_huge_page(get_new_page, +- private, page, pass > 2, mode); ++ put_new_page, private, page, ++ pass > 2, mode); + else +- rc = unmap_and_move(get_new_page, private, +- page, pass > 2, mode); ++ rc = unmap_and_move(get_new_page, put_new_page, ++ private, page, pass > 2, mode); + + switch(rc) { + case -ENOMEM: +@@ -1276,7 +1299,7 @@ set_status: + + err = 0; + if (!list_empty(&pagelist)) { +- err = migrate_pages(&pagelist, new_page_node, ++ err = migrate_pages(&pagelist, new_page_node, NULL, + (unsigned long)pm, MIGRATE_SYNC, MR_SYSCALL); + if (err) + putback_movable_pages(&pagelist); +@@ -1732,7 +1755,8 @@ int migrate_misplaced_page(struct page *page, struct vm_area_struct *vma, + + list_add(&page->lru, &migratepages); + nr_remaining = migrate_pages(&migratepages, alloc_misplaced_dst_page, +- node, MIGRATE_ASYNC, MR_NUMA_MISPLACED); ++ NULL, node, MIGRATE_ASYNC, ++ MR_NUMA_MISPLACED); + if (nr_remaining) { + if (!list_empty(&migratepages)) { + list_del(&page->lru); +diff --git a/mm/mincore.c b/mm/mincore.c +index 101623378fbf..725c80961048 100644 +--- a/mm/mincore.c ++++ b/mm/mincore.c +@@ -70,13 +70,21 @@ static unsigned char mincore_page(struct address_space *mapping, pgoff_t pgoff) + * any other file mapping (ie. marked !present and faulted in with + * tmpfs's .fault). So swapped out tmpfs mappings are tested here. + */ +- page = find_get_page(mapping, pgoff); + #ifdef CONFIG_SWAP +- /* shmem/tmpfs may return swap: account for swapcache page too. */ +- if (radix_tree_exceptional_entry(page)) { +- swp_entry_t swap = radix_to_swp_entry(page); +- page = find_get_page(swap_address_space(swap), swap.val); +- } ++ if (shmem_mapping(mapping)) { ++ page = find_get_entry(mapping, pgoff); ++ /* ++ * shmem/tmpfs may return swap: account for swapcache ++ * page too. 
++ */ ++ if (radix_tree_exceptional_entry(page)) { ++ swp_entry_t swp = radix_to_swp_entry(page); ++ page = find_get_page(swap_address_space(swp), swp.val); ++ } ++ } else ++ page = find_get_page(mapping, pgoff); ++#else ++ page = find_get_page(mapping, pgoff); + #endif + if (page) { + present = PageUptodate(page); +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 7b2611a055a7..4b258297cc7c 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -943,6 +943,7 @@ struct page *__rmqueue_smallest(struct zone *zone, unsigned int order, + rmv_page_order(page); + area->nr_free--; + expand(zone, page, order, current_order, area, migratetype); ++ set_freepage_migratetype(page, migratetype); + return page; + } + +@@ -1069,7 +1070,9 @@ static int try_to_steal_freepages(struct zone *zone, struct page *page, + + /* + * When borrowing from MIGRATE_CMA, we need to release the excess +- * buddy pages to CMA itself. ++ * buddy pages to CMA itself. We also ensure the freepage_migratetype ++ * is set to CMA so it is returned to the correct freelist in case ++ * the page ends up being not actually allocated from the pcp lists. + */ + if (is_migrate_cma(fallback_type)) + return fallback_type; +@@ -1137,6 +1140,12 @@ __rmqueue_fallback(struct zone *zone, int order, int start_migratetype) + + expand(zone, page, order, current_order, area, + new_type); ++ /* The freepage_migratetype may differ from pageblock's ++ * migratetype depending on the decisions in ++ * try_to_steal_freepages. This is OK as long as it does ++ * not differ for MIGRATE_CMA type. ++ */ ++ set_freepage_migratetype(page, new_type); + + trace_mm_page_alloc_extfrag(page, order, current_order, + start_migratetype, migratetype, new_type); +@@ -1187,7 +1196,7 @@ static int rmqueue_bulk(struct zone *zone, unsigned int order, + unsigned long count, struct list_head *list, + int migratetype, int cold) + { +- int mt = migratetype, i; ++ int i; + + spin_lock(&zone->lock); + for (i = 0; i < count; ++i) { +@@ -1208,14 +1217,8 @@ static int rmqueue_bulk(struct zone *zone, unsigned int order, + list_add(&page->lru, list); + else + list_add_tail(&page->lru, list); +- if (IS_ENABLED(CONFIG_CMA)) { +- mt = get_pageblock_migratetype(page); +- if (!is_migrate_cma(mt) && !is_migrate_isolate(mt)) +- mt = migratetype; +- } +- set_freepage_migratetype(page, mt); + list = &page->lru; +- if (is_migrate_cma(mt)) ++ if (is_migrate_cma(get_freepage_migratetype(page))) + __mod_zone_page_state(zone, NR_FREE_CMA_PAGES, + -(1 << order)); + } +@@ -1584,7 +1587,7 @@ again: + if (!page) + goto failed; + __mod_zone_freepage_state(zone, -(1 << order), +- get_pageblock_migratetype(page)); ++ get_freepage_migratetype(page)); + } + + __mod_zone_page_state(zone, NR_ALLOC_BATCH, -(1 << order)); +@@ -2246,7 +2249,7 @@ static struct page * + __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order, + struct zonelist *zonelist, enum zone_type high_zoneidx, + nodemask_t *nodemask, int alloc_flags, struct zone *preferred_zone, +- int migratetype, bool sync_migration, ++ int migratetype, enum migrate_mode mode, + bool *contended_compaction, bool *deferred_compaction, + unsigned long *did_some_progress) + { +@@ -2260,7 +2263,7 @@ __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order, + + current->flags |= PF_MEMALLOC; + *did_some_progress = try_to_compact_pages(zonelist, order, gfp_mask, +- nodemask, sync_migration, ++ nodemask, mode, + contended_compaction); + current->flags &= ~PF_MEMALLOC; + +@@ -2293,7 +2296,7 @@ __alloc_pages_direct_compact(gfp_t gfp_mask, 
unsigned int order, + * As async compaction considers a subset of pageblocks, only + * defer if the failure was a sync compaction failure. + */ +- if (sync_migration) ++ if (mode != MIGRATE_ASYNC) + defer_compaction(preferred_zone, order); + + cond_resched(); +@@ -2306,9 +2309,8 @@ static inline struct page * + __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order, + struct zonelist *zonelist, enum zone_type high_zoneidx, + nodemask_t *nodemask, int alloc_flags, struct zone *preferred_zone, +- int migratetype, bool sync_migration, +- bool *contended_compaction, bool *deferred_compaction, +- unsigned long *did_some_progress) ++ int migratetype, enum migrate_mode mode, bool *contended_compaction, ++ bool *deferred_compaction, unsigned long *did_some_progress) + { + return NULL; + } +@@ -2503,7 +2505,7 @@ __alloc_pages_slowpath(gfp_t gfp_mask, unsigned int order, + int alloc_flags; + unsigned long pages_reclaimed = 0; + unsigned long did_some_progress; +- bool sync_migration = false; ++ enum migrate_mode migration_mode = MIGRATE_ASYNC; + bool deferred_compaction = false; + bool contended_compaction = false; + +@@ -2597,17 +2599,15 @@ rebalance: + * Try direct compaction. The first pass is asynchronous. Subsequent + * attempts after direct reclaim are synchronous + */ +- page = __alloc_pages_direct_compact(gfp_mask, order, +- zonelist, high_zoneidx, +- nodemask, +- alloc_flags, preferred_zone, +- migratetype, sync_migration, +- &contended_compaction, ++ page = __alloc_pages_direct_compact(gfp_mask, order, zonelist, ++ high_zoneidx, nodemask, alloc_flags, ++ preferred_zone, migratetype, ++ migration_mode, &contended_compaction, + &deferred_compaction, + &did_some_progress); + if (page) + goto got_pg; +- sync_migration = true; ++ migration_mode = MIGRATE_SYNC_LIGHT; + + /* + * If compaction is deferred for high-order allocations, it is because +@@ -2682,12 +2682,10 @@ rebalance: + * direct reclaim and reclaim/compaction depends on compaction + * being called after reclaim so call directly if necessary + */ +- page = __alloc_pages_direct_compact(gfp_mask, order, +- zonelist, high_zoneidx, +- nodemask, +- alloc_flags, preferred_zone, +- migratetype, sync_migration, +- &contended_compaction, ++ page = __alloc_pages_direct_compact(gfp_mask, order, zonelist, ++ high_zoneidx, nodemask, alloc_flags, ++ preferred_zone, migratetype, ++ migration_mode, &contended_compaction, + &deferred_compaction, + &did_some_progress); + if (page) +@@ -6261,7 +6259,7 @@ static int __alloc_contig_migrate_range(struct compact_control *cc, + cc->nr_migratepages -= nr_reclaimed; + + ret = migrate_pages(&cc->migratepages, alloc_migrate_target, +- 0, MIGRATE_SYNC, MR_CMA); ++ NULL, 0, cc->mode, MR_CMA); + } + if (ret < 0) { + putback_movable_pages(&cc->migratepages); +@@ -6300,7 +6298,7 @@ int alloc_contig_range(unsigned long start, unsigned long end, + .nr_migratepages = 0, + .order = -1, + .zone = page_zone(pfn_to_page(start)), +- .sync = true, ++ .mode = MIGRATE_SYNC, + .ignore_skip_hint = true, + }; + INIT_LIST_HEAD(&cc.migratepages); +diff --git a/mm/readahead.c b/mm/readahead.c +index 1fa0d6fca556..0ca36a7770b1 100644 +--- a/mm/readahead.c ++++ b/mm/readahead.c +@@ -8,9 +8,7 @@ + */ + + #include +-#include + #include +-#include + #include + #include + #include +@@ -20,6 +18,8 @@ + #include + #include + ++#include "internal.h" ++ + /* + * Initialise a struct file's readahead state. Assumes that the caller has + * memset *ra to zero. 
+@@ -149,8 +149,7 @@ out: + * + * Returns the number of pages requested, or the maximum amount of I/O allowed. + */ +-static int +-__do_page_cache_readahead(struct address_space *mapping, struct file *filp, ++int __do_page_cache_readahead(struct address_space *mapping, struct file *filp, + pgoff_t offset, unsigned long nr_to_read, + unsigned long lookahead_size) + { +@@ -179,7 +178,7 @@ __do_page_cache_readahead(struct address_space *mapping, struct file *filp, + rcu_read_lock(); + page = radix_tree_lookup(&mapping->page_tree, page_offset); + rcu_read_unlock(); +- if (page) ++ if (page && !radix_tree_exceptional_entry(page)) + continue; + + page = page_cache_alloc_readahead(mapping); +@@ -244,20 +243,6 @@ unsigned long max_sane_readahead(unsigned long nr) + } + + /* +- * Submit IO for the read-ahead request in file_ra_state. +- */ +-unsigned long ra_submit(struct file_ra_state *ra, +- struct address_space *mapping, struct file *filp) +-{ +- int actual; +- +- actual = __do_page_cache_readahead(mapping, filp, +- ra->start, ra->size, ra->async_size); +- +- return actual; +-} +- +-/* + * Set the initial window size, round to next power of 2 and square + * for small size, x 4 for medium, and x 2 for large + * for 128k (32 page) max ra +@@ -347,7 +332,7 @@ static pgoff_t count_history_pages(struct address_space *mapping, + pgoff_t head; + + rcu_read_lock(); +- head = radix_tree_prev_hole(&mapping->page_tree, offset - 1, max); ++ head = page_cache_prev_hole(mapping, offset - 1, max); + rcu_read_unlock(); + + return offset - 1 - head; +@@ -427,7 +412,7 @@ ondemand_readahead(struct address_space *mapping, + pgoff_t start; + + rcu_read_lock(); +- start = radix_tree_next_hole(&mapping->page_tree, offset+1,max); ++ start = page_cache_next_hole(mapping, offset + 1, max); + rcu_read_unlock(); + + if (!start || start - offset > max) +diff --git a/mm/shmem.c b/mm/shmem.c +index f0d698ba7d0f..0f1447563f17 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -243,19 +243,17 @@ static int shmem_radix_tree_replace(struct address_space *mapping, + pgoff_t index, void *expected, void *replacement) + { + void **pslot; +- void *item = NULL; ++ void *item; + + VM_BUG_ON(!expected); ++ VM_BUG_ON(!replacement); + pslot = radix_tree_lookup_slot(&mapping->page_tree, index); +- if (pslot) +- item = radix_tree_deref_slot_protected(pslot, +- &mapping->tree_lock); ++ if (!pslot) ++ return -ENOENT; ++ item = radix_tree_deref_slot_protected(pslot, &mapping->tree_lock); + if (item != expected) + return -ENOENT; +- if (replacement) +- radix_tree_replace_slot(pslot, replacement); +- else +- radix_tree_delete(&mapping->page_tree, index); ++ radix_tree_replace_slot(pslot, replacement); + return 0; + } + +@@ -332,84 +330,20 @@ static void shmem_delete_from_page_cache(struct page *page, void *radswap) + } + + /* +- * Like find_get_pages, but collecting swap entries as well as pages. 
+- */ +-static unsigned shmem_find_get_pages_and_swap(struct address_space *mapping, +- pgoff_t start, unsigned int nr_pages, +- struct page **pages, pgoff_t *indices) +-{ +- void **slot; +- unsigned int ret = 0; +- struct radix_tree_iter iter; +- +- if (!nr_pages) +- return 0; +- +- rcu_read_lock(); +-restart: +- radix_tree_for_each_slot(slot, &mapping->page_tree, &iter, start) { +- struct page *page; +-repeat: +- page = radix_tree_deref_slot(slot); +- if (unlikely(!page)) +- continue; +- if (radix_tree_exception(page)) { +- if (radix_tree_deref_retry(page)) +- goto restart; +- /* +- * Otherwise, we must be storing a swap entry +- * here as an exceptional entry: so return it +- * without attempting to raise page count. +- */ +- goto export; +- } +- if (!page_cache_get_speculative(page)) +- goto repeat; +- +- /* Has the page moved? */ +- if (unlikely(page != *slot)) { +- page_cache_release(page); +- goto repeat; +- } +-export: +- indices[ret] = iter.index; +- pages[ret] = page; +- if (++ret == nr_pages) +- break; +- } +- rcu_read_unlock(); +- return ret; +-} +- +-/* + * Remove swap entry from radix tree, free the swap and its page cache. + */ + static int shmem_free_swap(struct address_space *mapping, + pgoff_t index, void *radswap) + { +- int error; ++ void *old; + + spin_lock_irq(&mapping->tree_lock); +- error = shmem_radix_tree_replace(mapping, index, radswap, NULL); ++ old = radix_tree_delete_item(&mapping->page_tree, index, radswap); + spin_unlock_irq(&mapping->tree_lock); +- if (!error) +- free_swap_and_cache(radix_to_swp_entry(radswap)); +- return error; +-} +- +-/* +- * Pagevec may contain swap entries, so shuffle up pages before releasing. +- */ +-static void shmem_deswap_pagevec(struct pagevec *pvec) +-{ +- int i, j; +- +- for (i = 0, j = 0; i < pagevec_count(pvec); i++) { +- struct page *page = pvec->pages[i]; +- if (!radix_tree_exceptional_entry(page)) +- pvec->pages[j++] = page; +- } +- pvec->nr = j; ++ if (old != radswap) ++ return -ENOENT; ++ free_swap_and_cache(radix_to_swp_entry(radswap)); ++ return 0; + } + + /* +@@ -430,12 +364,12 @@ void shmem_unlock_mapping(struct address_space *mapping) + * Avoid pagevec_lookup(): find_get_pages() returns 0 as if it + * has finished, if it hits a row of PAGEVEC_SIZE swap entries. 
+ */ +- pvec.nr = shmem_find_get_pages_and_swap(mapping, index, +- PAGEVEC_SIZE, pvec.pages, indices); ++ pvec.nr = find_get_entries(mapping, index, ++ PAGEVEC_SIZE, pvec.pages, indices); + if (!pvec.nr) + break; + index = indices[pvec.nr - 1] + 1; +- shmem_deswap_pagevec(&pvec); ++ pagevec_remove_exceptionals(&pvec); + check_move_unevictable_pages(pvec.pages, pvec.nr); + pagevec_release(&pvec); + cond_resched(); +@@ -467,9 +401,9 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend, + pagevec_init(&pvec, 0); + index = start; + while (index < end) { +- pvec.nr = shmem_find_get_pages_and_swap(mapping, index, +- min(end - index, (pgoff_t)PAGEVEC_SIZE), +- pvec.pages, indices); ++ pvec.nr = find_get_entries(mapping, index, ++ min(end - index, (pgoff_t)PAGEVEC_SIZE), ++ pvec.pages, indices); + if (!pvec.nr) + break; + mem_cgroup_uncharge_start(); +@@ -498,7 +432,7 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend, + } + unlock_page(page); + } +- shmem_deswap_pagevec(&pvec); ++ pagevec_remove_exceptionals(&pvec); + pagevec_release(&pvec); + mem_cgroup_uncharge_end(); + cond_resched(); +@@ -536,9 +470,10 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend, + index = start; + while (index < end) { + cond_resched(); +- pvec.nr = shmem_find_get_pages_and_swap(mapping, index, ++ ++ pvec.nr = find_get_entries(mapping, index, + min(end - index, (pgoff_t)PAGEVEC_SIZE), +- pvec.pages, indices); ++ pvec.pages, indices); + if (!pvec.nr) { + /* If all gone or hole-punch or unfalloc, we're done */ + if (index == start || end != -1) +@@ -581,7 +516,7 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend, + } + unlock_page(page); + } +- shmem_deswap_pagevec(&pvec); ++ pagevec_remove_exceptionals(&pvec); + pagevec_release(&pvec); + mem_cgroup_uncharge_end(); + index++; +@@ -1088,7 +1023,7 @@ static int shmem_getpage_gfp(struct inode *inode, pgoff_t index, + return -EFBIG; + repeat: + swap.val = 0; +- page = find_lock_page(mapping, index); ++ page = find_lock_entry(mapping, index); + if (radix_tree_exceptional_entry(page)) { + swap = radix_to_swp_entry(page); + page = NULL; +@@ -1483,6 +1418,11 @@ static struct inode *shmem_get_inode(struct super_block *sb, const struct inode + return inode; + } + ++bool shmem_mapping(struct address_space *mapping) ++{ ++ return mapping->backing_dev_info == &shmem_backing_dev_info; ++} ++ + #ifdef CONFIG_TMPFS + static const struct inode_operations shmem_symlink_inode_operations; + static const struct inode_operations shmem_short_symlink_operations; +@@ -1795,7 +1735,7 @@ static pgoff_t shmem_seek_hole_data(struct address_space *mapping, + pagevec_init(&pvec, 0); + pvec.nr = 1; /* start small: we may be there already */ + while (!done) { +- pvec.nr = shmem_find_get_pages_and_swap(mapping, index, ++ pvec.nr = find_get_entries(mapping, index, + pvec.nr, pvec.pages, indices); + if (!pvec.nr) { + if (whence == SEEK_DATA) +@@ -1822,7 +1762,7 @@ static pgoff_t shmem_seek_hole_data(struct address_space *mapping, + break; + } + } +- shmem_deswap_pagevec(&pvec); ++ pagevec_remove_exceptionals(&pvec); + pagevec_release(&pvec); + pvec.nr = PAGEVEC_SIZE; + cond_resched(); +diff --git a/mm/swap.c b/mm/swap.c +index 0092097b3f4c..c8048d71c642 100644 +--- a/mm/swap.c ++++ b/mm/swap.c +@@ -948,6 +948,57 @@ void __pagevec_lru_add(struct pagevec *pvec) + EXPORT_SYMBOL(__pagevec_lru_add); + + /** ++ * pagevec_lookup_entries - gang pagecache lookup ++ * @pvec: Where the resulting entries 
are placed ++ * @mapping: The address_space to search ++ * @start: The starting entry index ++ * @nr_entries: The maximum number of entries ++ * @indices: The cache indices corresponding to the entries in @pvec ++ * ++ * pagevec_lookup_entries() will search for and return a group of up ++ * to @nr_entries pages and shadow entries in the mapping. All ++ * entries are placed in @pvec. pagevec_lookup_entries() takes a ++ * reference against actual pages in @pvec. ++ * ++ * The search returns a group of mapping-contiguous entries with ++ * ascending indexes. There may be holes in the indices due to ++ * not-present entries. ++ * ++ * pagevec_lookup_entries() returns the number of entries which were ++ * found. ++ */ ++unsigned pagevec_lookup_entries(struct pagevec *pvec, ++ struct address_space *mapping, ++ pgoff_t start, unsigned nr_pages, ++ pgoff_t *indices) ++{ ++ pvec->nr = find_get_entries(mapping, start, nr_pages, ++ pvec->pages, indices); ++ return pagevec_count(pvec); ++} ++ ++/** ++ * pagevec_remove_exceptionals - pagevec exceptionals pruning ++ * @pvec: The pagevec to prune ++ * ++ * pagevec_lookup_entries() fills both pages and exceptional radix ++ * tree entries into the pagevec. This function prunes all ++ * exceptionals from @pvec without leaving holes, so that it can be ++ * passed on to page-only pagevec operations. ++ */ ++void pagevec_remove_exceptionals(struct pagevec *pvec) ++{ ++ int i, j; ++ ++ for (i = 0, j = 0; i < pagevec_count(pvec); i++) { ++ struct page *page = pvec->pages[i]; ++ if (!radix_tree_exceptional_entry(page)) ++ pvec->pages[j++] = page; ++ } ++ pvec->nr = j; ++} ++ ++/** + * pagevec_lookup - gang pagecache lookup + * @pvec: Where the resulting pages are placed + * @mapping: The address_space to search +diff --git a/mm/truncate.c b/mm/truncate.c +index ac18edc30649..827ad8d2b5cd 100644 +--- a/mm/truncate.c ++++ b/mm/truncate.c +@@ -23,6 +23,22 @@ + #include + #include "internal.h" + ++static void clear_exceptional_entry(struct address_space *mapping, ++ pgoff_t index, void *entry) ++{ ++ /* Handled by shmem itself */ ++ if (shmem_mapping(mapping)) ++ return; ++ ++ spin_lock_irq(&mapping->tree_lock); ++ /* ++ * Regular page slots are stabilized by the page lock even ++ * without the tree itself locked. These unlocked entries ++ * need verification under the tree lock. 
++ */ ++ radix_tree_delete_item(&mapping->page_tree, index, entry); ++ spin_unlock_irq(&mapping->tree_lock); ++} + + /** + * do_invalidatepage - invalidate part or all of a page +@@ -209,6 +225,7 @@ void truncate_inode_pages_range(struct address_space *mapping, + unsigned int partial_start; /* inclusive */ + unsigned int partial_end; /* exclusive */ + struct pagevec pvec; ++ pgoff_t indices[PAGEVEC_SIZE]; + pgoff_t index; + int i; + +@@ -239,17 +256,23 @@ void truncate_inode_pages_range(struct address_space *mapping, + + pagevec_init(&pvec, 0); + index = start; +- while (index < end && pagevec_lookup(&pvec, mapping, index, +- min(end - index, (pgoff_t)PAGEVEC_SIZE))) { ++ while (index < end && pagevec_lookup_entries(&pvec, mapping, index, ++ min(end - index, (pgoff_t)PAGEVEC_SIZE), ++ indices)) { + mem_cgroup_uncharge_start(); + for (i = 0; i < pagevec_count(&pvec); i++) { + struct page *page = pvec.pages[i]; + + /* We rely upon deletion not changing page->index */ +- index = page->index; ++ index = indices[i]; + if (index >= end) + break; + ++ if (radix_tree_exceptional_entry(page)) { ++ clear_exceptional_entry(mapping, index, page); ++ continue; ++ } ++ + if (!trylock_page(page)) + continue; + WARN_ON(page->index != index); +@@ -260,6 +283,7 @@ void truncate_inode_pages_range(struct address_space *mapping, + truncate_inode_page(mapping, page); + unlock_page(page); + } ++ pagevec_remove_exceptionals(&pvec); + pagevec_release(&pvec); + mem_cgroup_uncharge_end(); + cond_resched(); +@@ -308,14 +332,16 @@ void truncate_inode_pages_range(struct address_space *mapping, + index = start; + for ( ; ; ) { + cond_resched(); +- if (!pagevec_lookup(&pvec, mapping, index, +- min(end - index, (pgoff_t)PAGEVEC_SIZE))) { ++ if (!pagevec_lookup_entries(&pvec, mapping, index, ++ min(end - index, (pgoff_t)PAGEVEC_SIZE), ++ indices)) { + if (index == start) + break; + index = start; + continue; + } +- if (index == start && pvec.pages[0]->index >= end) { ++ if (index == start && indices[0] >= end) { ++ pagevec_remove_exceptionals(&pvec); + pagevec_release(&pvec); + break; + } +@@ -324,16 +350,22 @@ void truncate_inode_pages_range(struct address_space *mapping, + struct page *page = pvec.pages[i]; + + /* We rely upon deletion not changing page->index */ +- index = page->index; ++ index = indices[i]; + if (index >= end) + break; + ++ if (radix_tree_exceptional_entry(page)) { ++ clear_exceptional_entry(mapping, index, page); ++ continue; ++ } ++ + lock_page(page); + WARN_ON(page->index != index); + wait_on_page_writeback(page); + truncate_inode_page(mapping, page); + unlock_page(page); + } ++ pagevec_remove_exceptionals(&pvec); + pagevec_release(&pvec); + mem_cgroup_uncharge_end(); + index++; +@@ -376,6 +408,7 @@ EXPORT_SYMBOL(truncate_inode_pages); + unsigned long invalidate_mapping_pages(struct address_space *mapping, + pgoff_t start, pgoff_t end) + { ++ pgoff_t indices[PAGEVEC_SIZE]; + struct pagevec pvec; + pgoff_t index = start; + unsigned long ret; +@@ -391,17 +424,23 @@ unsigned long invalidate_mapping_pages(struct address_space *mapping, + */ + + pagevec_init(&pvec, 0); +- while (index <= end && pagevec_lookup(&pvec, mapping, index, +- min(end - index, (pgoff_t)PAGEVEC_SIZE - 1) + 1)) { ++ while (index <= end && pagevec_lookup_entries(&pvec, mapping, index, ++ min(end - index, (pgoff_t)PAGEVEC_SIZE - 1) + 1, ++ indices)) { + mem_cgroup_uncharge_start(); + for (i = 0; i < pagevec_count(&pvec); i++) { + struct page *page = pvec.pages[i]; + + /* We rely upon deletion not changing page->index */ +- index = 
page->index; ++ index = indices[i]; + if (index > end) + break; + ++ if (radix_tree_exceptional_entry(page)) { ++ clear_exceptional_entry(mapping, index, page); ++ continue; ++ } ++ + if (!trylock_page(page)) + continue; + WARN_ON(page->index != index); +@@ -415,6 +454,7 @@ unsigned long invalidate_mapping_pages(struct address_space *mapping, + deactivate_page(page); + count += ret; + } ++ pagevec_remove_exceptionals(&pvec); + pagevec_release(&pvec); + mem_cgroup_uncharge_end(); + cond_resched(); +@@ -482,6 +522,7 @@ static int do_launder_page(struct address_space *mapping, struct page *page) + int invalidate_inode_pages2_range(struct address_space *mapping, + pgoff_t start, pgoff_t end) + { ++ pgoff_t indices[PAGEVEC_SIZE]; + struct pagevec pvec; + pgoff_t index; + int i; +@@ -492,17 +533,23 @@ int invalidate_inode_pages2_range(struct address_space *mapping, + cleancache_invalidate_inode(mapping); + pagevec_init(&pvec, 0); + index = start; +- while (index <= end && pagevec_lookup(&pvec, mapping, index, +- min(end - index, (pgoff_t)PAGEVEC_SIZE - 1) + 1)) { ++ while (index <= end && pagevec_lookup_entries(&pvec, mapping, index, ++ min(end - index, (pgoff_t)PAGEVEC_SIZE - 1) + 1, ++ indices)) { + mem_cgroup_uncharge_start(); + for (i = 0; i < pagevec_count(&pvec); i++) { + struct page *page = pvec.pages[i]; + + /* We rely upon deletion not changing page->index */ +- index = page->index; ++ index = indices[i]; + if (index > end) + break; + ++ if (radix_tree_exceptional_entry(page)) { ++ clear_exceptional_entry(mapping, index, page); ++ continue; ++ } ++ + lock_page(page); + WARN_ON(page->index != index); + if (page->mapping != mapping) { +@@ -540,6 +587,7 @@ int invalidate_inode_pages2_range(struct address_space *mapping, + ret = ret2; + unlock_page(page); + } ++ pagevec_remove_exceptionals(&pvec); + pagevec_release(&pvec); + mem_cgroup_uncharge_end(); + cond_resched(); +diff --git a/mm/vmscan.c b/mm/vmscan.c +index 0c0b36e5b4f8..deb139e6b8ed 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2018,13 +2018,27 @@ static void shrink_lruvec(struct lruvec *lruvec, struct scan_control *sc) + unsigned long nr_reclaimed = 0; + unsigned long nr_to_reclaim = sc->nr_to_reclaim; + struct blk_plug plug; +- bool scan_adjusted = false; ++ bool scan_adjusted; + + get_scan_count(lruvec, sc, nr); + + /* Record the original scan target for proportional adjustments later */ + memcpy(targets, nr, sizeof(nr)); + ++ /* ++ * Global reclaiming within direct reclaim at DEF_PRIORITY is a normal ++ * event that can occur when there is little memory pressure e.g. ++ * multiple streaming readers/writers. Hence, we do not abort scanning ++ * when the requested number of pages are reclaimed when scanning at ++ * DEF_PRIORITY on the assumption that the fact we are direct ++ * reclaiming implies that kswapd is not keeping up and it is best to ++ * do a batch of work at once. For memcg reclaim one check is made to ++ * abort proportional reclaim if either the file or anon lru has already ++ * dropped to zero at the first pass. ++ */ ++ scan_adjusted = (global_reclaim(sc) && !current_is_kswapd() && ++ sc->priority == DEF_PRIORITY); ++ + blk_start_plug(&plug); + while (nr[LRU_INACTIVE_ANON] || nr[LRU_ACTIVE_FILE] || + nr[LRU_INACTIVE_FILE]) { +@@ -2045,17 +2059,8 @@ static void shrink_lruvec(struct lruvec *lruvec, struct scan_control *sc) + continue; + + /* +- * For global direct reclaim, reclaim only the number of pages +- * requested. 
Less care is taken to scan proportionally as it +- * is more important to minimise direct reclaim stall latency +- * than it is to properly age the LRU lists. +- */ +- if (global_reclaim(sc) && !current_is_kswapd()) +- break; +- +- /* + * For kswapd and memcg, reclaim at least the number of pages +- * requested. Ensure that the anon and file LRUs shrink ++ * requested. Ensure that the anon and file LRUs are scanned + * proportionally what was requested by get_scan_count(). We + * stop reclaiming one LRU and reduce the amount scanning + * proportional to the original scan target. +@@ -2063,6 +2068,15 @@ static void shrink_lruvec(struct lruvec *lruvec, struct scan_control *sc) + nr_file = nr[LRU_INACTIVE_FILE] + nr[LRU_ACTIVE_FILE]; + nr_anon = nr[LRU_INACTIVE_ANON] + nr[LRU_ACTIVE_ANON]; + ++ /* ++ * It's just vindictive to attack the larger once the smaller ++ * has gone to zero. And given the way we stop scanning the ++ * smaller below, this makes sure that we only make one nudge ++ * towards proportionality once we've got nr_to_reclaim. ++ */ ++ if (!nr_file || !nr_anon) ++ break; ++ + if (nr_file > nr_anon) { + unsigned long scan_target = targets[LRU_INACTIVE_ANON] + + targets[LRU_ACTIVE_ANON] + 1; +diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c +index 6e7a236525b6..06f19b9e159a 100644 +--- a/net/ceph/crypto.c ++++ b/net/ceph/crypto.c +@@ -89,11 +89,82 @@ static struct crypto_blkcipher *ceph_crypto_alloc_cipher(void) + + static const u8 *aes_iv = (u8 *)CEPH_AES_IV; + ++/* ++ * Should be used for buffers allocated with ceph_kvmalloc(). ++ * Currently these are encrypt out-buffer (ceph_buffer) and decrypt ++ * in-buffer (msg front). ++ * ++ * Dispose of @sgt with teardown_sgtable(). ++ * ++ * @prealloc_sg is to avoid memory allocation inside sg_alloc_table() ++ * in cases where a single sg is sufficient. No attempt to reduce the ++ * number of sgs by squeezing physically contiguous pages together is ++ * made though, for simplicity. 
++ */ ++static int setup_sgtable(struct sg_table *sgt, struct scatterlist *prealloc_sg, ++ const void *buf, unsigned int buf_len) ++{ ++ struct scatterlist *sg; ++ const bool is_vmalloc = is_vmalloc_addr(buf); ++ unsigned int off = offset_in_page(buf); ++ unsigned int chunk_cnt = 1; ++ unsigned int chunk_len = PAGE_ALIGN(off + buf_len); ++ int i; ++ int ret; ++ ++ if (buf_len == 0) { ++ memset(sgt, 0, sizeof(*sgt)); ++ return -EINVAL; ++ } ++ ++ if (is_vmalloc) { ++ chunk_cnt = chunk_len >> PAGE_SHIFT; ++ chunk_len = PAGE_SIZE; ++ } ++ ++ if (chunk_cnt > 1) { ++ ret = sg_alloc_table(sgt, chunk_cnt, GFP_NOFS); ++ if (ret) ++ return ret; ++ } else { ++ WARN_ON(chunk_cnt != 1); ++ sg_init_table(prealloc_sg, 1); ++ sgt->sgl = prealloc_sg; ++ sgt->nents = sgt->orig_nents = 1; ++ } ++ ++ for_each_sg(sgt->sgl, sg, sgt->orig_nents, i) { ++ struct page *page; ++ unsigned int len = min(chunk_len - off, buf_len); ++ ++ if (is_vmalloc) ++ page = vmalloc_to_page(buf); ++ else ++ page = virt_to_page(buf); ++ ++ sg_set_page(sg, page, len, off); ++ ++ off = 0; ++ buf += len; ++ buf_len -= len; ++ } ++ WARN_ON(buf_len != 0); ++ ++ return 0; ++} ++ ++static void teardown_sgtable(struct sg_table *sgt) ++{ ++ if (sgt->orig_nents > 1) ++ sg_free_table(sgt); ++} ++ + static int ceph_aes_encrypt(const void *key, int key_len, + void *dst, size_t *dst_len, + const void *src, size_t src_len) + { +- struct scatterlist sg_in[2], sg_out[1]; ++ struct scatterlist sg_in[2], prealloc_sg; ++ struct sg_table sg_out; + struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher(); + struct blkcipher_desc desc = { .tfm = tfm, .flags = 0 }; + int ret; +@@ -109,16 +180,18 @@ static int ceph_aes_encrypt(const void *key, int key_len, + + *dst_len = src_len + zero_padding; + +- crypto_blkcipher_setkey((void *)tfm, key, key_len); + sg_init_table(sg_in, 2); + sg_set_buf(&sg_in[0], src, src_len); + sg_set_buf(&sg_in[1], pad, zero_padding); +- sg_init_table(sg_out, 1); +- sg_set_buf(sg_out, dst, *dst_len); ++ ret = setup_sgtable(&sg_out, &prealloc_sg, dst, *dst_len); ++ if (ret) ++ goto out_tfm; ++ ++ crypto_blkcipher_setkey((void *)tfm, key, key_len); + iv = crypto_blkcipher_crt(tfm)->iv; + ivsize = crypto_blkcipher_ivsize(tfm); +- + memcpy(iv, aes_iv, ivsize); ++ + /* + print_hex_dump(KERN_ERR, "enc key: ", DUMP_PREFIX_NONE, 16, 1, + key, key_len, 1); +@@ -127,16 +200,22 @@ static int ceph_aes_encrypt(const void *key, int key_len, + print_hex_dump(KERN_ERR, "enc pad: ", DUMP_PREFIX_NONE, 16, 1, + pad, zero_padding, 1); + */ +- ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in, ++ ret = crypto_blkcipher_encrypt(&desc, sg_out.sgl, sg_in, + src_len + zero_padding); +- crypto_free_blkcipher(tfm); +- if (ret < 0) ++ if (ret < 0) { + pr_err("ceph_aes_crypt failed %d\n", ret); ++ goto out_sg; ++ } + /* + print_hex_dump(KERN_ERR, "enc out: ", DUMP_PREFIX_NONE, 16, 1, + dst, *dst_len, 1); + */ +- return 0; ++ ++out_sg: ++ teardown_sgtable(&sg_out); ++out_tfm: ++ crypto_free_blkcipher(tfm); ++ return ret; + } + + static int ceph_aes_encrypt2(const void *key, int key_len, void *dst, +@@ -144,7 +223,8 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst, + const void *src1, size_t src1_len, + const void *src2, size_t src2_len) + { +- struct scatterlist sg_in[3], sg_out[1]; ++ struct scatterlist sg_in[3], prealloc_sg; ++ struct sg_table sg_out; + struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher(); + struct blkcipher_desc desc = { .tfm = tfm, .flags = 0 }; + int ret; +@@ -160,17 +240,19 @@ static int 
ceph_aes_encrypt2(const void *key, int key_len, void *dst, + + *dst_len = src1_len + src2_len + zero_padding; + +- crypto_blkcipher_setkey((void *)tfm, key, key_len); + sg_init_table(sg_in, 3); + sg_set_buf(&sg_in[0], src1, src1_len); + sg_set_buf(&sg_in[1], src2, src2_len); + sg_set_buf(&sg_in[2], pad, zero_padding); +- sg_init_table(sg_out, 1); +- sg_set_buf(sg_out, dst, *dst_len); ++ ret = setup_sgtable(&sg_out, &prealloc_sg, dst, *dst_len); ++ if (ret) ++ goto out_tfm; ++ ++ crypto_blkcipher_setkey((void *)tfm, key, key_len); + iv = crypto_blkcipher_crt(tfm)->iv; + ivsize = crypto_blkcipher_ivsize(tfm); +- + memcpy(iv, aes_iv, ivsize); ++ + /* + print_hex_dump(KERN_ERR, "enc key: ", DUMP_PREFIX_NONE, 16, 1, + key, key_len, 1); +@@ -181,23 +263,30 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst, + print_hex_dump(KERN_ERR, "enc pad: ", DUMP_PREFIX_NONE, 16, 1, + pad, zero_padding, 1); + */ +- ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in, ++ ret = crypto_blkcipher_encrypt(&desc, sg_out.sgl, sg_in, + src1_len + src2_len + zero_padding); +- crypto_free_blkcipher(tfm); +- if (ret < 0) ++ if (ret < 0) { + pr_err("ceph_aes_crypt2 failed %d\n", ret); ++ goto out_sg; ++ } + /* + print_hex_dump(KERN_ERR, "enc out: ", DUMP_PREFIX_NONE, 16, 1, + dst, *dst_len, 1); + */ +- return 0; ++ ++out_sg: ++ teardown_sgtable(&sg_out); ++out_tfm: ++ crypto_free_blkcipher(tfm); ++ return ret; + } + + static int ceph_aes_decrypt(const void *key, int key_len, + void *dst, size_t *dst_len, + const void *src, size_t src_len) + { +- struct scatterlist sg_in[1], sg_out[2]; ++ struct sg_table sg_in; ++ struct scatterlist sg_out[2], prealloc_sg; + struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher(); + struct blkcipher_desc desc = { .tfm = tfm }; + char pad[16]; +@@ -209,16 +298,16 @@ static int ceph_aes_decrypt(const void *key, int key_len, + if (IS_ERR(tfm)) + return PTR_ERR(tfm); + +- crypto_blkcipher_setkey((void *)tfm, key, key_len); +- sg_init_table(sg_in, 1); + sg_init_table(sg_out, 2); +- sg_set_buf(sg_in, src, src_len); + sg_set_buf(&sg_out[0], dst, *dst_len); + sg_set_buf(&sg_out[1], pad, sizeof(pad)); ++ ret = setup_sgtable(&sg_in, &prealloc_sg, src, src_len); ++ if (ret) ++ goto out_tfm; + ++ crypto_blkcipher_setkey((void *)tfm, key, key_len); + iv = crypto_blkcipher_crt(tfm)->iv; + ivsize = crypto_blkcipher_ivsize(tfm); +- + memcpy(iv, aes_iv, ivsize); + + /* +@@ -227,12 +316,10 @@ static int ceph_aes_decrypt(const void *key, int key_len, + print_hex_dump(KERN_ERR, "dec in: ", DUMP_PREFIX_NONE, 16, 1, + src, src_len, 1); + */ +- +- ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, src_len); +- crypto_free_blkcipher(tfm); ++ ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in.sgl, src_len); + if (ret < 0) { + pr_err("ceph_aes_decrypt failed %d\n", ret); +- return ret; ++ goto out_sg; + } + + if (src_len <= *dst_len) +@@ -250,7 +337,12 @@ static int ceph_aes_decrypt(const void *key, int key_len, + print_hex_dump(KERN_ERR, "dec out: ", DUMP_PREFIX_NONE, 16, 1, + dst, *dst_len, 1); + */ +- return 0; ++ ++out_sg: ++ teardown_sgtable(&sg_in); ++out_tfm: ++ crypto_free_blkcipher(tfm); ++ return ret; + } + + static int ceph_aes_decrypt2(const void *key, int key_len, +@@ -258,7 +350,8 @@ static int ceph_aes_decrypt2(const void *key, int key_len, + void *dst2, size_t *dst2_len, + const void *src, size_t src_len) + { +- struct scatterlist sg_in[1], sg_out[3]; ++ struct sg_table sg_in; ++ struct scatterlist sg_out[3], prealloc_sg; + struct crypto_blkcipher *tfm = 
ceph_crypto_alloc_cipher(); + struct blkcipher_desc desc = { .tfm = tfm }; + char pad[16]; +@@ -270,17 +363,17 @@ static int ceph_aes_decrypt2(const void *key, int key_len, + if (IS_ERR(tfm)) + return PTR_ERR(tfm); + +- sg_init_table(sg_in, 1); +- sg_set_buf(sg_in, src, src_len); + sg_init_table(sg_out, 3); + sg_set_buf(&sg_out[0], dst1, *dst1_len); + sg_set_buf(&sg_out[1], dst2, *dst2_len); + sg_set_buf(&sg_out[2], pad, sizeof(pad)); ++ ret = setup_sgtable(&sg_in, &prealloc_sg, src, src_len); ++ if (ret) ++ goto out_tfm; + + crypto_blkcipher_setkey((void *)tfm, key, key_len); + iv = crypto_blkcipher_crt(tfm)->iv; + ivsize = crypto_blkcipher_ivsize(tfm); +- + memcpy(iv, aes_iv, ivsize); + + /* +@@ -289,12 +382,10 @@ static int ceph_aes_decrypt2(const void *key, int key_len, + print_hex_dump(KERN_ERR, "dec in: ", DUMP_PREFIX_NONE, 16, 1, + src, src_len, 1); + */ +- +- ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, src_len); +- crypto_free_blkcipher(tfm); ++ ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in.sgl, src_len); + if (ret < 0) { + pr_err("ceph_aes_decrypt failed %d\n", ret); +- return ret; ++ goto out_sg; + } + + if (src_len <= *dst1_len) +@@ -324,7 +415,11 @@ static int ceph_aes_decrypt2(const void *key, int key_len, + dst2, *dst2_len, 1); + */ + +- return 0; ++out_sg: ++ teardown_sgtable(&sg_in); ++out_tfm: ++ crypto_free_blkcipher(tfm); ++ return ret; + } + + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index cb57aa862177..b27f6d34762b 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -962,8 +962,6 @@ static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu) + else + dev->flags &= ~IFF_POINTOPOINT; + +- dev->iflink = p->link; +- + /* Precalculate GRE options length */ + if (t->parms.o_flags&(GRE_CSUM|GRE_KEY|GRE_SEQ)) { + if (t->parms.o_flags&GRE_CSUM) +@@ -1273,6 +1271,7 @@ static int ip6gre_tunnel_init(struct net_device *dev) + u64_stats_init(&ip6gre_tunnel_stats->syncp); + } + ++ dev->iflink = tunnel->parms.link; + + return 0; + } +@@ -1474,6 +1473,8 @@ static int ip6gre_tap_init(struct net_device *dev) + u64_stats_init(&ip6gre_tap_stats->syncp); + } + ++ dev->iflink = tunnel->parms.link; ++ + return 0; + } + +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index 912033957ad3..657639d39f70 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -272,9 +272,6 @@ static int ip6_tnl_create2(struct net_device *dev) + int err; + + t = netdev_priv(dev); +- err = ip6_tnl_dev_init(dev); +- if (err < 0) +- goto out; + + err = register_netdevice(dev); + if (err < 0) +@@ -1456,6 +1453,7 @@ ip6_tnl_change_mtu(struct net_device *dev, int new_mtu) + + + static const struct net_device_ops ip6_tnl_netdev_ops = { ++ .ndo_init = ip6_tnl_dev_init, + .ndo_uninit = ip6_tnl_dev_uninit, + .ndo_start_xmit = ip6_tnl_xmit, + .ndo_do_ioctl = ip6_tnl_ioctl, +@@ -1547,16 +1545,10 @@ static int __net_init ip6_fb_tnl_dev_init(struct net_device *dev) + struct ip6_tnl *t = netdev_priv(dev); + struct net *net = dev_net(dev); + struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id); +- int err = ip6_tnl_dev_init_gen(dev); +- +- if (err) +- return err; + + t->parms.proto = IPPROTO_IPV6; + dev_hold(dev); + +- ip6_tnl_link_config(t); +- + rcu_assign_pointer(ip6n->tnls_wc[0], t); + return 0; + } +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c +index 2d19272b8cee..9a5339fcb450 100644 +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -172,10 +172,6 @@ static int vti6_tnl_create2(struct net_device *dev) + struct vti6_net *ip6n = 
net_generic(net, vti6_net_id); + int err; + +- err = vti6_dev_init(dev); +- if (err < 0) +- goto out; +- + err = register_netdevice(dev); + if (err < 0) + goto out; +@@ -693,6 +689,7 @@ static int vti6_change_mtu(struct net_device *dev, int new_mtu) + } + + static const struct net_device_ops vti6_netdev_ops = { ++ .ndo_init = vti6_dev_init, + .ndo_uninit = vti6_dev_uninit, + .ndo_start_xmit = vti6_tnl_xmit, + .ndo_do_ioctl = vti6_ioctl, +@@ -772,16 +769,10 @@ static int __net_init vti6_fb_tnl_dev_init(struct net_device *dev) + struct ip6_tnl *t = netdev_priv(dev); + struct net *net = dev_net(dev); + struct vti6_net *ip6n = net_generic(net, vti6_net_id); +- int err = vti6_dev_init_gen(dev); +- +- if (err) +- return err; + + t->parms.proto = IPPROTO_IPV6; + dev_hold(dev); + +- vti6_link_config(t); +- + rcu_assign_pointer(ip6n->tnls_wc[0], t); + return 0; + } +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index b12b11b123ff..317b6dbf3190 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -195,10 +195,8 @@ static int ipip6_tunnel_create(struct net_device *dev) + struct sit_net *sitn = net_generic(net, sit_net_id); + int err; + +- err = ipip6_tunnel_init(dev); +- if (err < 0) +- goto out; +- ipip6_tunnel_clone_6rd(dev, sitn); ++ memcpy(dev->dev_addr, &t->parms.iph.saddr, 4); ++ memcpy(dev->broadcast, &t->parms.iph.daddr, 4); + + if ((__force u16)t->parms.i_flags & SIT_ISATAP) + dev->priv_flags |= IFF_ISATAP; +@@ -207,7 +205,8 @@ static int ipip6_tunnel_create(struct net_device *dev) + if (err < 0) + goto out; + +- strcpy(t->parms.name, dev->name); ++ ipip6_tunnel_clone_6rd(dev, sitn); ++ + dev->rtnl_link_ops = &sit_link_ops; + + dev_hold(dev); +@@ -1321,6 +1320,7 @@ static int ipip6_tunnel_change_mtu(struct net_device *dev, int new_mtu) + } + + static const struct net_device_ops ipip6_netdev_ops = { ++ .ndo_init = ipip6_tunnel_init, + .ndo_uninit = ipip6_tunnel_uninit, + .ndo_start_xmit = sit_tunnel_xmit, + .ndo_do_ioctl = ipip6_tunnel_ioctl, +@@ -1367,9 +1367,7 @@ static int ipip6_tunnel_init(struct net_device *dev) + + tunnel->dev = dev; + tunnel->net = dev_net(dev); +- +- memcpy(dev->dev_addr, &tunnel->parms.iph.saddr, 4); +- memcpy(dev->broadcast, &tunnel->parms.iph.daddr, 4); ++ strcpy(tunnel->parms.name, dev->name); + + ipip6_tunnel_bind_dev(dev); + dev->tstats = alloc_percpu(struct pcpu_sw_netstats); +@@ -1401,7 +1399,6 @@ static int __net_init ipip6_fb_tunnel_init(struct net_device *dev) + + tunnel->dev = dev; + tunnel->net = dev_net(dev); +- strcpy(tunnel->parms.name, dev->name); + + iph->version = 4; + iph->protocol = IPPROTO_IPV6; +diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c +index ea7013cb7e52..3f076b9c9308 100644 +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -815,7 +815,7 @@ ieee80211_ibss_process_chanswitch(struct ieee80211_sub_if_data *sdata, + + memset(¶ms, 0, sizeof(params)); + memset(&csa_ie, 0, sizeof(csa_ie)); +- err = ieee80211_parse_ch_switch_ie(sdata, elems, beacon, ++ err = ieee80211_parse_ch_switch_ie(sdata, elems, + ifibss->chandef.chan->band, + sta_flags, ifibss->bssid, &csa_ie); + /* can't switch to destination channel, fail */ +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index b127902361f4..bf7a1bbb975f 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1569,7 +1569,6 @@ void ieee80211_process_measurement_req(struct ieee80211_sub_if_data *sdata, + * ieee80211_parse_ch_switch_ie - parses channel switch IEs + * @sdata: the sdata of the interface which has received the frame + * @elems: 
parsed 802.11 elements received with the frame +- * @beacon: indicates if the frame was a beacon or probe response + * @current_band: indicates the current band + * @sta_flags: contains information about own capabilities and restrictions + * to decide which channel switch announcements can be accepted. Only the +@@ -1583,7 +1582,7 @@ void ieee80211_process_measurement_req(struct ieee80211_sub_if_data *sdata, + * Return: 0 on success, <0 on error and >0 if there is nothing to parse. + */ + int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata, +- struct ieee802_11_elems *elems, bool beacon, ++ struct ieee802_11_elems *elems, + enum ieee80211_band current_band, + u32 sta_flags, u8 *bssid, + struct ieee80211_csa_ie *csa_ie); +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index 8f7fabc46c97..06f5de4e4fbb 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -760,10 +760,12 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, + int i, flushed; + struct ps_data *ps; + struct cfg80211_chan_def chandef; ++ bool cancel_scan; + + clear_bit(SDATA_STATE_RUNNING, &sdata->state); + +- if (rcu_access_pointer(local->scan_sdata) == sdata) ++ cancel_scan = rcu_access_pointer(local->scan_sdata) == sdata; ++ if (cancel_scan) + ieee80211_scan_cancel(local); + + /* +@@ -973,6 +975,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, + + ieee80211_recalc_ps(local, -1); + ++ if (cancel_scan) ++ flush_delayed_work(&local->scan_work); ++ + if (local->open_count == 0) { + ieee80211_stop_device(local); + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index 5b919cab1de0..3d52d1d68431 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -885,7 +885,7 @@ ieee80211_mesh_process_chnswitch(struct ieee80211_sub_if_data *sdata, + + memset(¶ms, 0, sizeof(params)); + memset(&csa_ie, 0, sizeof(csa_ie)); +- err = ieee80211_parse_ch_switch_ie(sdata, elems, beacon, band, ++ err = ieee80211_parse_ch_switch_ie(sdata, elems, band, + sta_flags, sdata->vif.addr, + &csa_ie); + if (err < 0) +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 189eef014c4f..c9535a976b56 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1001,7 +1001,7 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata, + + current_band = cbss->channel->band; + memset(&csa_ie, 0, sizeof(csa_ie)); +- res = ieee80211_parse_ch_switch_ie(sdata, elems, beacon, current_band, ++ res = ieee80211_parse_ch_switch_ie(sdata, elems, current_band, + ifmgd->flags, + ifmgd->associated->bssid, &csa_ie); + if (res < 0) +@@ -1086,7 +1086,8 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata, + ieee80211_queue_work(&local->hw, &ifmgd->chswitch_work); + else + mod_timer(&ifmgd->chswitch_timer, +- TU_TO_EXP_TIME(csa_ie.count * cbss->beacon_interval)); ++ TU_TO_EXP_TIME((csa_ie.count - 1) * ++ cbss->beacon_interval)); + } + + static u32 ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata, +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 3e57f96c9666..095c16037bc5 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1679,11 +1679,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + sc = le16_to_cpu(hdr->seq_ctrl); + frag = sc & IEEE80211_SCTL_FRAG; + +- if (likely((!ieee80211_has_morefrags(fc) && frag == 0) || +- is_multicast_ether_addr(hdr->addr1))) { +- /* not fragmented */ ++ if (likely(!ieee80211_has_morefrags(fc) && frag == 0)) ++ goto out; ++ ++ if (is_multicast_ether_addr(hdr->addr1)) { 
++ rx->local->dot11MulticastReceivedFrameCount++; + goto out; + } ++ + I802_DEBUG_INC(rx->local->rx_handlers_fragments); + + if (skb_linearize(rx->skb)) +@@ -1776,10 +1779,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + out: + if (rx->sta) + rx->sta->rx_packets++; +- if (is_multicast_ether_addr(hdr->addr1)) +- rx->local->dot11MulticastReceivedFrameCount++; +- else +- ieee80211_led_rx(rx->local); ++ ieee80211_led_rx(rx->local); + return RX_CONTINUE; + } + +diff --git a/net/mac80211/spectmgmt.c b/net/mac80211/spectmgmt.c +index 6ab009070084..efeba56c913b 100644 +--- a/net/mac80211/spectmgmt.c ++++ b/net/mac80211/spectmgmt.c +@@ -22,7 +22,7 @@ + #include "wme.h" + + int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata, +- struct ieee802_11_elems *elems, bool beacon, ++ struct ieee802_11_elems *elems, + enum ieee80211_band current_band, + u32 sta_flags, u8 *bssid, + struct ieee80211_csa_ie *csa_ie) +@@ -91,19 +91,13 @@ int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata, + return -EINVAL; + } + +- if (!beacon && sec_chan_offs) { ++ if (sec_chan_offs) { + secondary_channel_offset = sec_chan_offs->sec_chan_offs; +- } else if (beacon && ht_oper) { +- secondary_channel_offset = +- ht_oper->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET; + } else if (!(sta_flags & IEEE80211_STA_DISABLE_HT)) { +- /* If it's not a beacon, HT is enabled and the IE not present, +- * it's 20 MHz, 802.11-2012 8.5.2.6: +- * This element [the Secondary Channel Offset Element] is +- * present when switching to a 40 MHz channel. It may be +- * present when switching to a 20 MHz channel (in which +- * case the secondary channel offset is set to SCN). +- */ ++ /* If the secondary channel offset IE is not present, ++ * we can't know what's the post-CSA offset, so the ++ * best we can do is use 20MHz. ++ */ + secondary_channel_offset = IEEE80211_HT_PARAM_CHA_SEC_NONE; + } + +diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c +index de770ec39e51..cf9937743abb 100644 +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -636,7 +636,7 @@ ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index) + struct ip_set *set; + struct ip_set_net *inst = ip_set_pernet(net); + +- if (index > inst->ip_set_max) ++ if (index >= inst->ip_set_max) + return IPSET_INVALID_ID; + + nfnl_lock(NFNL_SUBSYS_IPSET); +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index a155d19a225e..6ff12a191400 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -45,7 +45,8 @@ + #define NFULNL_NLBUFSIZ_DEFAULT NLMSG_GOODSIZE + #define NFULNL_TIMEOUT_DEFAULT 100 /* every second */ + #define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */ +-#define NFULNL_COPY_RANGE_MAX 0xFFFF /* max packet size is limited by 16-bit struct nfattr nfa_len field */ ++/* max packet size is limited by 16-bit struct nfattr nfa_len field */ ++#define NFULNL_COPY_RANGE_MAX (0xFFFF - NLA_HDRLEN) + + #define PRINTR(x, args...) 
do { if (net_ratelimit()) \ + printk(x, ## args); } while (0); +@@ -255,6 +256,8 @@ nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode, + + case NFULNL_COPY_PACKET: + inst->copy_mode = mode; ++ if (range == 0) ++ range = NFULNL_COPY_RANGE_MAX; + inst->copy_range = min_t(unsigned int, + range, NFULNL_COPY_RANGE_MAX); + break; +@@ -346,26 +349,25 @@ nfulnl_alloc_skb(struct net *net, u32 peer_portid, unsigned int inst_size, + return skb; + } + +-static int ++static void + __nfulnl_send(struct nfulnl_instance *inst) + { +- int status = -1; +- + if (inst->qlen > 1) { + struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0, + NLMSG_DONE, + sizeof(struct nfgenmsg), + 0); +- if (!nlh) ++ if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n", ++ inst->skb->len, skb_tailroom(inst->skb))) { ++ kfree_skb(inst->skb); + goto out; ++ } + } +- status = nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid, +- MSG_DONTWAIT); +- ++ nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid, ++ MSG_DONTWAIT); ++out: + inst->qlen = 0; + inst->skb = NULL; +-out: +- return status; + } + + static void +@@ -652,7 +654,8 @@ nfulnl_log_packet(struct net *net, + + nla_total_size(sizeof(u_int32_t)) /* gid */ + + nla_total_size(plen) /* prefix */ + + nla_total_size(sizeof(struct nfulnl_msg_packet_hw)) +- + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp)); ++ + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp)) ++ + nla_total_size(sizeof(struct nfgenmsg)); /* NLMSG_DONE */ + + if (in && skb_mac_header_was_set(skb)) { + size += nla_total_size(skb->dev->hard_header_len) +@@ -681,8 +684,7 @@ nfulnl_log_packet(struct net *net, + break; + + case NFULNL_COPY_PACKET: +- if (inst->copy_range == 0 +- || inst->copy_range > skb->len) ++ if (inst->copy_range > skb->len) + data_len = skb->len; + else + data_len = inst->copy_range; +@@ -695,8 +697,7 @@ nfulnl_log_packet(struct net *net, + goto unlock_and_release; + } + +- if (inst->skb && +- size > skb_tailroom(inst->skb) - sizeof(struct nfgenmsg)) { ++ if (inst->skb && size > skb_tailroom(inst->skb)) { + /* either the queue len is too high or we don't have + * enough room in the skb left. flush to userspace. */ + __nfulnl_flush(inst); +diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c +index 82cb8236f8a1..ad979612238a 100644 +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -678,7 +678,7 @@ nft_target_select_ops(const struct nft_ctx *ctx, + family = ctx->afi->family; + + /* Re-use the existing target if it's already loaded. */ +- list_for_each_entry(nft_target, &nft_match_list, head) { ++ list_for_each_entry(nft_target, &nft_target_list, head) { + struct xt_target *target = nft_target->ops.data; + + if (strcmp(target->name, tg_name) == 0 && +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index 5d97d8fe4be7..d477d476714d 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1627,6 +1627,8 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack( + * ack chunk whose serial number matches that of the request. 
+ */ + list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) { ++ if (sctp_chunk_pending(ack)) ++ continue; + if (ack->subh.addip_hdr->serial == serial) { + sctp_chunk_hold(ack); + return ack; +diff --git a/net/sctp/auth.c b/net/sctp/auth.c +index 0e8529113dc5..fb7976aee61c 100644 +--- a/net/sctp/auth.c ++++ b/net/sctp/auth.c +@@ -862,8 +862,6 @@ int sctp_auth_set_key(struct sctp_endpoint *ep, + list_add(&cur_key->key_list, sh_keys); + + cur_key->key = key; +- sctp_auth_key_hold(key); +- + return 0; + nomem: + if (!replace) +diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c +index 4de12afa13d4..7e8a16c77039 100644 +--- a/net/sctp/inqueue.c ++++ b/net/sctp/inqueue.c +@@ -140,18 +140,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue) + } else { + /* Nothing to do. Next chunk in the packet, please. */ + ch = (sctp_chunkhdr_t *) chunk->chunk_end; +- + /* Force chunk->skb->data to chunk->chunk_end. */ +- skb_pull(chunk->skb, +- chunk->chunk_end - chunk->skb->data); +- +- /* Verify that we have at least chunk headers +- * worth of buffer left. +- */ +- if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) { +- sctp_chunk_free(chunk); +- chunk = queue->in_progress = NULL; +- } ++ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data); ++ /* We are guaranteed to pull a SCTP header. */ + } + } + +@@ -187,24 +178,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue) + skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t)); + chunk->subh.v = NULL; /* Subheader is no longer valid. */ + +- if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) { ++ if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) < ++ skb_tail_pointer(chunk->skb)) { + /* This is not a singleton */ + chunk->singleton = 0; + } else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) { +- /* RFC 2960, Section 6.10 Bundling +- * +- * Partial chunks MUST NOT be placed in an SCTP packet. +- * If the receiver detects a partial chunk, it MUST drop +- * the chunk. +- * +- * Since the end of the chunk is past the end of our buffer +- * (which contains the whole packet, we can freely discard +- * the whole packet. +- */ +- sctp_chunk_free(chunk); +- chunk = queue->in_progress = NULL; +- +- return NULL; ++ /* Discard inside state machine. */ ++ chunk->pdiscard = 1; ++ chunk->chunk_end = skb_tail_pointer(chunk->skb); + } else { + /* We are at the end of the packet, so mark the chunk + * in case we need to send a SACK. +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index fee5552ddf92..43abb643f3a1 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -2609,6 +2609,9 @@ do_addr_param: + addr_param = param.v + sizeof(sctp_addip_param_t); + + af = sctp_get_af_specific(param_type2af(param.p->type)); ++ if (af == NULL) ++ break; ++ + af->from_addr_param(&addr, addr_param, + htons(asoc->peer.port), 0); + +@@ -3110,50 +3113,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, + return SCTP_ERROR_NO_ERROR; + } + +-/* Verify the ASCONF packet before we process it. */ +-int sctp_verify_asconf(const struct sctp_association *asoc, +- struct sctp_paramhdr *param_hdr, void *chunk_end, +- struct sctp_paramhdr **errp) { +- sctp_addip_param_t *asconf_param; ++/* Verify the ASCONF packet before we process it. 
*/ ++bool sctp_verify_asconf(const struct sctp_association *asoc, ++ struct sctp_chunk *chunk, bool addr_param_needed, ++ struct sctp_paramhdr **errp) ++{ ++ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr; + union sctp_params param; +- int length, plen; ++ bool addr_param_seen = false; + +- param.v = (sctp_paramhdr_t *) param_hdr; +- while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) { +- length = ntohs(param.p->length); +- *errp = param.p; +- +- if (param.v > chunk_end - length || +- length < sizeof(sctp_paramhdr_t)) +- return 0; ++ sctp_walk_params(param, addip, addip_hdr.params) { ++ size_t length = ntohs(param.p->length); + ++ *errp = param.p; + switch (param.p->type) { ++ case SCTP_PARAM_ERR_CAUSE: ++ break; ++ case SCTP_PARAM_IPV4_ADDRESS: ++ if (length != sizeof(sctp_ipv4addr_param_t)) ++ return false; ++ addr_param_seen = true; ++ break; ++ case SCTP_PARAM_IPV6_ADDRESS: ++ if (length != sizeof(sctp_ipv6addr_param_t)) ++ return false; ++ addr_param_seen = true; ++ break; + case SCTP_PARAM_ADD_IP: + case SCTP_PARAM_DEL_IP: + case SCTP_PARAM_SET_PRIMARY: +- asconf_param = (sctp_addip_param_t *)param.v; +- plen = ntohs(asconf_param->param_hdr.length); +- if (plen < sizeof(sctp_addip_param_t) + +- sizeof(sctp_paramhdr_t)) +- return 0; ++ /* In ASCONF chunks, these need to be first. */ ++ if (addr_param_needed && !addr_param_seen) ++ return false; ++ length = ntohs(param.addip->param_hdr.length); ++ if (length < sizeof(sctp_addip_param_t) + ++ sizeof(sctp_paramhdr_t)) ++ return false; + break; + case SCTP_PARAM_SUCCESS_REPORT: + case SCTP_PARAM_ADAPTATION_LAYER_IND: + if (length != sizeof(sctp_addip_param_t)) +- return 0; +- ++ return false; + break; + default: +- break; ++ /* This is unkown to us, reject! */ ++ return false; + } +- +- param.v += WORD_ROUND(length); + } + +- if (param.v != chunk_end) +- return 0; ++ /* Remaining sanity checks. */ ++ if (addr_param_needed && !addr_param_seen) ++ return false; ++ if (!addr_param_needed && addr_param_seen) ++ return false; ++ if (param.v != chunk->chunk_end) ++ return false; + +- return 1; ++ return true; + } + + /* Process an incoming ASCONF chunk with the next expected serial no. and +@@ -3162,16 +3178,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc, + struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, + struct sctp_chunk *asconf) + { ++ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr; ++ bool all_param_pass = true; ++ union sctp_params param; + sctp_addiphdr_t *hdr; + union sctp_addr_param *addr_param; + sctp_addip_param_t *asconf_param; + struct sctp_chunk *asconf_ack; +- + __be16 err_code; + int length = 0; + int chunk_len; + __u32 serial; +- int all_param_pass = 1; + + chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); + hdr = (sctp_addiphdr_t *)asconf->skb->data; +@@ -3199,9 +3216,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, + goto done; + + /* Process the TLVs contained within the ASCONF chunk. */ +- while (chunk_len > 0) { ++ sctp_walk_params(param, addip, addip_hdr.params) { ++ /* Skip preceeding address parameters. 
*/ ++ if (param.p->type == SCTP_PARAM_IPV4_ADDRESS || ++ param.p->type == SCTP_PARAM_IPV6_ADDRESS) ++ continue; ++ + err_code = sctp_process_asconf_param(asoc, asconf, +- asconf_param); ++ param.addip); + /* ADDIP 4.1 A7) + * If an error response is received for a TLV parameter, + * all TLVs with no response before the failed TLV are +@@ -3209,28 +3231,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, + * the failed response are considered unsuccessful unless + * a specific success indication is present for the parameter. + */ +- if (SCTP_ERROR_NO_ERROR != err_code) +- all_param_pass = 0; +- ++ if (err_code != SCTP_ERROR_NO_ERROR) ++ all_param_pass = false; + if (!all_param_pass) +- sctp_add_asconf_response(asconf_ack, +- asconf_param->crr_id, err_code, +- asconf_param); ++ sctp_add_asconf_response(asconf_ack, param.addip->crr_id, ++ err_code, param.addip); + + /* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add + * an IP address sends an 'Out of Resource' in its response, it + * MUST also fail any subsequent add or delete requests bundled + * in the ASCONF. + */ +- if (SCTP_ERROR_RSRC_LOW == err_code) ++ if (err_code == SCTP_ERROR_RSRC_LOW) + goto done; +- +- /* Move to the next ASCONF param. */ +- length = ntohs(asconf_param->param_hdr.length); +- asconf_param = (void *)asconf_param + length; +- chunk_len -= length; + } +- + done: + asoc->peer.addip_serial++; + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 7194fe8589b0..3e287a3fa03b 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -170,6 +170,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk, + { + __u16 chunk_length = ntohs(chunk->chunk_hdr->length); + ++ /* Previously already marked? */ ++ if (unlikely(chunk->pdiscard)) ++ return 0; + if (unlikely(chunk_length < required_length)) + return 0; + +@@ -3591,9 +3594,7 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net, + struct sctp_chunk *asconf_ack = NULL; + struct sctp_paramhdr *err_param = NULL; + sctp_addiphdr_t *hdr; +- union sctp_addr_param *addr_param; + __u32 serial; +- int length; + + if (!sctp_vtag_verify(chunk, asoc)) { + sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, +@@ -3618,17 +3619,8 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net, + hdr = (sctp_addiphdr_t *)chunk->skb->data; + serial = ntohl(hdr->serial); + +- addr_param = (union sctp_addr_param *)hdr->params; +- length = ntohs(addr_param->p.length); +- if (length < sizeof(sctp_paramhdr_t)) +- return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, +- (void *)addr_param, commands); +- + /* Verify the ASCONF chunk before processing it. */ +- if (!sctp_verify_asconf(asoc, +- (sctp_paramhdr_t *)((void *)addr_param + length), +- (void *)chunk->chunk_end, +- &err_param)) ++ if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) + return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, + (void *)err_param, commands); + +@@ -3745,10 +3737,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net, + rcvd_serial = ntohl(addip_hdr->serial); + + /* Verify the ASCONF-ACK chunk before processing it. 
*/ +- if (!sctp_verify_asconf(asoc, +- (sctp_paramhdr_t *)addip_hdr->params, +- (void *)asconf_ack->chunk_end, +- &err_param)) ++ if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) + return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, + (void *)err_param, commands); + +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index f4b12c216f1c..5a723df670b4 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -885,6 +885,11 @@ static int snd_ftu_eff_switch_put(struct snd_kcontrol *kctl, + return changed; + } + ++static void kctl_private_value_free(struct snd_kcontrol *kctl) ++{ ++ kfree((void *)kctl->private_value); ++} ++ + static int snd_ftu_create_effect_switch(struct usb_mixer_interface *mixer, + int validx, int bUnitID) + { +@@ -919,6 +924,7 @@ static int snd_ftu_create_effect_switch(struct usb_mixer_interface *mixer, + return -ENOMEM; + } + ++ kctl->private_free = kctl_private_value_free; + err = snd_ctl_add(mixer->chip->card, kctl); + if (err < 0) + return err;