summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2016-08-22 06:16:29 -0400
committerAnthony G. Basile <blueness@gentoo.org>2016-08-22 06:16:29 -0400
commit24d63fa83065992427eade5014909b9f40767798 (patch)
tree4c9d0e84ef62d60673646a616ebba818bfc493bd
parentgrsecurity-3.1-4.7.1-201608161813 (diff)
downloadhardened-patchset-24d63fa83065992427eade5014909b9f40767798.tar.gz
hardened-patchset-24d63fa83065992427eade5014909b9f40767798.tar.bz2
hardened-patchset-24d63fa83065992427eade5014909b9f40767798.zip
grsecurity-3.1-4.7.2-20160821182920160821
-rw-r--r--4.7.2/0000_README (renamed from 4.7.1/0000_README)6
-rw-r--r--4.7.2/1000_linux-4.7.1.patch (renamed from 4.7.1/1000_linux-4.7.1.patch)0
-rw-r--r--4.7.2/1001_linux-4.7.2.patch7668
-rw-r--r--4.7.2/4420_grsecurity-3.1-4.7.2-201608211829.patch (renamed from 4.7.1/4420_grsecurity-3.1-4.7.1-201608161813.patch)344
-rw-r--r--4.7.2/4425_grsec_remove_EI_PAX.patch (renamed from 4.7.1/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--4.7.2/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.7.1/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--4.7.2/4430_grsec-remove-localversion-grsec.patch (renamed from 4.7.1/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--4.7.2/4435_grsec-mute-warnings.patch (renamed from 4.7.1/4435_grsec-mute-warnings.patch)0
-rw-r--r--4.7.2/4440_grsec-remove-protected-paths.patch (renamed from 4.7.1/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--4.7.2/4450_grsec-kconfig-default-gids.patch (renamed from 4.7.1/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--4.7.2/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.7.1/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--4.7.2/4470_disable-compat_vdso.patch (renamed from 4.7.1/4470_disable-compat_vdso.patch)0
-rw-r--r--4.7.2/4475_emutramp_default_on.patch (renamed from 4.7.1/4475_emutramp_default_on.patch)0
13 files changed, 7841 insertions, 177 deletions
diff --git a/4.7.1/0000_README b/4.7.2/0000_README
index a9a1b4e..0fbc43d 100644
--- a/4.7.1/0000_README
+++ b/4.7.2/0000_README
@@ -6,7 +6,11 @@ Patch: 1000_linux-4.7.1.patch
From: http://www.kernel.org
Desc: Linux 4.7.1
-Patch: 4420_grsecurity-3.1-4.7.1-201608161813.patch
+Patch: 1001_linux-4.7.2.patch
+From: http://www.kernel.org
+Desc: Linux 4.7.2
+
+Patch: 4420_grsecurity-3.1-4.7.2-201608211829.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.7.1/1000_linux-4.7.1.patch b/4.7.2/1000_linux-4.7.1.patch
index 79c652a..79c652a 100644
--- a/4.7.1/1000_linux-4.7.1.patch
+++ b/4.7.2/1000_linux-4.7.1.patch
diff --git a/4.7.2/1001_linux-4.7.2.patch b/4.7.2/1001_linux-4.7.2.patch
new file mode 100644
index 0000000..d0ef798
--- /dev/null
+++ b/4.7.2/1001_linux-4.7.2.patch
@@ -0,0 +1,7668 @@
+diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
+index 696d5ca..f0e3361 100644
+--- a/Documentation/module-signing.txt
++++ b/Documentation/module-signing.txt
+@@ -271,3 +271,9 @@ Since the private key is used to sign modules, viruses and malware could use
+ the private key to sign modules and compromise the operating system. The
+ private key must be either destroyed or moved to a secure location and not kept
+ in the root node of the kernel source tree.
++
++If you use the same private key to sign modules for multiple kernel
++configurations, you must ensure that the module version information is
++sufficient to prevent loading a module into a different kernel. Either
++set CONFIG_MODVERSIONS=y or ensure that each configuration has a different
++kernel release string by changing EXTRAVERSION or CONFIG_LOCALVERSION.
+diff --git a/Makefile b/Makefile
+index 84335c0..bb98f1c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 7
+-SUBLEVEL = 1
++SUBLEVEL = 2
+ EXTRAVERSION =
+ NAME = Psychotic Stoned Sheep
+
+diff --git a/arch/arc/include/asm/pgtable.h b/arch/arc/include/asm/pgtable.h
+index 858f98e..0f92d97 100644
+--- a/arch/arc/include/asm/pgtable.h
++++ b/arch/arc/include/asm/pgtable.h
+@@ -110,7 +110,7 @@
+ #define ___DEF (_PAGE_PRESENT | _PAGE_CACHEABLE)
+
+ /* Set of bits not changed in pte_modify */
+-#define _PAGE_CHG_MASK (PAGE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY)
++#define _PAGE_CHG_MASK (PAGE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY | _PAGE_SPECIAL)
+
+ /* More Abbrevaited helpers */
+ #define PAGE_U_NONE __pgprot(___DEF)
+diff --git a/arch/arc/mm/dma.c b/arch/arc/mm/dma.c
+index 73d7e4c..ab74b5d 100644
+--- a/arch/arc/mm/dma.c
++++ b/arch/arc/mm/dma.c
+@@ -92,7 +92,8 @@ static void *arc_dma_alloc(struct device *dev, size_t size,
+ static void arc_dma_free(struct device *dev, size_t size, void *vaddr,
+ dma_addr_t dma_handle, struct dma_attrs *attrs)
+ {
+- struct page *page = virt_to_page(dma_handle);
++ phys_addr_t paddr = plat_dma_to_phys(dev, dma_handle);
++ struct page *page = virt_to_page(paddr);
+ int is_non_coh = 1;
+
+ is_non_coh = dma_get_attr(DMA_ATTR_NON_CONSISTENT, attrs) ||
+diff --git a/arch/arm/boot/dts/arm-realview-pbx-a9.dts b/arch/arm/boot/dts/arm-realview-pbx-a9.dts
+index db808f9..90d00b4 100644
+--- a/arch/arm/boot/dts/arm-realview-pbx-a9.dts
++++ b/arch/arm/boot/dts/arm-realview-pbx-a9.dts
+@@ -70,13 +70,12 @@
+ * associativity as these may be erroneously set
+ * up by boot loader(s).
+ */
+- cache-size = <1048576>; // 1MB
+- cache-sets = <4096>;
++ cache-size = <131072>; // 128KB
++ cache-sets = <512>;
+ cache-line-size = <32>;
+ arm,parity-disable;
+- arm,tag-latency = <1>;
+- arm,data-latency = <1 1>;
+- arm,dirty-latency = <1>;
++ arm,tag-latency = <1 1 1>;
++ arm,data-latency = <1 1 1>;
+ };
+
+ scu: scu@1f000000 {
+diff --git a/arch/arm/boot/dts/sun4i-a10-a1000.dts b/arch/arm/boot/dts/sun4i-a10-a1000.dts
+index c92a1ae..fa70b8f 100644
+--- a/arch/arm/boot/dts/sun4i-a10-a1000.dts
++++ b/arch/arm/boot/dts/sun4i-a10-a1000.dts
+@@ -84,6 +84,7 @@
+ regulator-name = "emac-3v3";
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
++ startup-delay-us = <20000>;
+ enable-active-high;
+ gpio = <&pio 7 15 GPIO_ACTIVE_HIGH>;
+ };
+diff --git a/arch/arm/boot/dts/sun4i-a10-hackberry.dts b/arch/arm/boot/dts/sun4i-a10-hackberry.dts
+index 2b17c51..6de83a6 100644
+--- a/arch/arm/boot/dts/sun4i-a10-hackberry.dts
++++ b/arch/arm/boot/dts/sun4i-a10-hackberry.dts
+@@ -66,6 +66,7 @@
+ regulator-name = "emac-3v3";
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
++ startup-delay-us = <20000>;
+ enable-active-high;
+ gpio = <&pio 7 19 GPIO_ACTIVE_HIGH>;
+ };
+diff --git a/arch/arm/boot/dts/sun4i-a10-jesurun-q5.dts b/arch/arm/boot/dts/sun4i-a10-jesurun-q5.dts
+index 7afc7a6..e28f080 100644
+--- a/arch/arm/boot/dts/sun4i-a10-jesurun-q5.dts
++++ b/arch/arm/boot/dts/sun4i-a10-jesurun-q5.dts
+@@ -80,6 +80,7 @@
+ regulator-name = "emac-3v3";
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
++ startup-delay-us = <20000>;
+ enable-active-high;
+ gpio = <&pio 7 19 GPIO_ACTIVE_HIGH>; /* PH19 */
+ };
+diff --git a/arch/arm/boot/dts/sun5i-a10s-wobo-i5.dts b/arch/arm/boot/dts/sun5i-a10s-wobo-i5.dts
+index 9fea918..39731a7 100644
+--- a/arch/arm/boot/dts/sun5i-a10s-wobo-i5.dts
++++ b/arch/arm/boot/dts/sun5i-a10s-wobo-i5.dts
+@@ -79,6 +79,7 @@
+ regulator-name = "emac-3v3";
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
++ startup-delay-us = <20000>;
+ enable-active-high;
+ gpio = <&pio 0 2 GPIO_ACTIVE_HIGH>;
+ };
+diff --git a/arch/arm/boot/dts/tegra124-jetson-tk1.dts b/arch/arm/boot/dts/tegra124-jetson-tk1.dts
+index 941f362..f4d8125 100644
+--- a/arch/arm/boot/dts/tegra124-jetson-tk1.dts
++++ b/arch/arm/boot/dts/tegra124-jetson-tk1.dts
+@@ -1386,7 +1386,7 @@
+ * Pin 41: BR_UART1_TXD
+ * Pin 44: BR_UART1_RXD
+ */
+- serial@70006000 {
++ serial@0,70006000 {
+ compatible = "nvidia,tegra124-hsuart", "nvidia,tegra30-hsuart";
+ status = "okay";
+ };
+@@ -1398,7 +1398,7 @@
+ * Pin 71: UART2_CTS_L
+ * Pin 74: UART2_RTS_L
+ */
+- serial@70006040 {
++ serial@0,70006040 {
+ compatible = "nvidia,tegra124-hsuart", "nvidia,tegra30-hsuart";
+ status = "okay";
+ };
+diff --git a/arch/arm/configs/aspeed_g4_defconfig b/arch/arm/configs/aspeed_g4_defconfig
+index b6e54ee..ca39c04 100644
+--- a/arch/arm/configs/aspeed_g4_defconfig
++++ b/arch/arm/configs/aspeed_g4_defconfig
+@@ -58,7 +58,7 @@ CONFIG_SERIAL_OF_PLATFORM=y
+ # CONFIG_IOMMU_SUPPORT is not set
+ CONFIG_FIRMWARE_MEMMAP=y
+ CONFIG_FANOTIFY=y
+-CONFIG_PRINTK_TIME=1
++CONFIG_PRINTK_TIME=y
+ CONFIG_DYNAMIC_DEBUG=y
+ CONFIG_STRIP_ASM_SYMS=y
+ CONFIG_PAGE_POISONING=y
+diff --git a/arch/arm/configs/aspeed_g5_defconfig b/arch/arm/configs/aspeed_g5_defconfig
+index 8926051..4f366b0 100644
+--- a/arch/arm/configs/aspeed_g5_defconfig
++++ b/arch/arm/configs/aspeed_g5_defconfig
+@@ -59,7 +59,7 @@ CONFIG_SERIAL_OF_PLATFORM=y
+ # CONFIG_IOMMU_SUPPORT is not set
+ CONFIG_FIRMWARE_MEMMAP=y
+ CONFIG_FANOTIFY=y
+-CONFIG_PRINTK_TIME=1
++CONFIG_PRINTK_TIME=y
+ CONFIG_DYNAMIC_DEBUG=y
+ CONFIG_STRIP_ASM_SYMS=y
+ CONFIG_PAGE_POISONING=y
+diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
+index ff7ed56..d2485c7 100644
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -49,6 +49,7 @@ struct arm_dma_alloc_args {
+ pgprot_t prot;
+ const void *caller;
+ bool want_vaddr;
++ int coherent_flag;
+ };
+
+ struct arm_dma_free_args {
+@@ -59,6 +60,9 @@ struct arm_dma_free_args {
+ bool want_vaddr;
+ };
+
++#define NORMAL 0
++#define COHERENT 1
++
+ struct arm_dma_allocator {
+ void *(*alloc)(struct arm_dma_alloc_args *args,
+ struct page **ret_page);
+@@ -272,7 +276,7 @@ static u64 get_coherent_dma_mask(struct device *dev)
+ return mask;
+ }
+
+-static void __dma_clear_buffer(struct page *page, size_t size)
++static void __dma_clear_buffer(struct page *page, size_t size, int coherent_flag)
+ {
+ /*
+ * Ensure that the allocated pages are zeroed, and that any data
+@@ -284,17 +288,21 @@ static void __dma_clear_buffer(struct page *page, size_t size)
+ while (size > 0) {
+ void *ptr = kmap_atomic(page);
+ memset(ptr, 0, PAGE_SIZE);
+- dmac_flush_range(ptr, ptr + PAGE_SIZE);
++ if (coherent_flag != COHERENT)
++ dmac_flush_range(ptr, ptr + PAGE_SIZE);
+ kunmap_atomic(ptr);
+ page++;
+ size -= PAGE_SIZE;
+ }
+- outer_flush_range(base, end);
++ if (coherent_flag != COHERENT)
++ outer_flush_range(base, end);
+ } else {
+ void *ptr = page_address(page);
+ memset(ptr, 0, size);
+- dmac_flush_range(ptr, ptr + size);
+- outer_flush_range(__pa(ptr), __pa(ptr) + size);
++ if (coherent_flag != COHERENT) {
++ dmac_flush_range(ptr, ptr + size);
++ outer_flush_range(__pa(ptr), __pa(ptr) + size);
++ }
+ }
+ }
+
+@@ -302,7 +310,8 @@ static void __dma_clear_buffer(struct page *page, size_t size)
+ * Allocate a DMA buffer for 'dev' of size 'size' using the
+ * specified gfp mask. Note that 'size' must be page aligned.
+ */
+-static struct page *__dma_alloc_buffer(struct device *dev, size_t size, gfp_t gfp)
++static struct page *__dma_alloc_buffer(struct device *dev, size_t size,
++ gfp_t gfp, int coherent_flag)
+ {
+ unsigned long order = get_order(size);
+ struct page *page, *p, *e;
+@@ -318,7 +327,7 @@ static struct page *__dma_alloc_buffer(struct device *dev, size_t size, gfp_t gf
+ for (p = page + (size >> PAGE_SHIFT), e = page + (1 << order); p < e; p++)
+ __free_page(p);
+
+- __dma_clear_buffer(page, size);
++ __dma_clear_buffer(page, size, coherent_flag);
+
+ return page;
+ }
+@@ -340,7 +349,8 @@ static void __dma_free_buffer(struct page *page, size_t size)
+
+ static void *__alloc_from_contiguous(struct device *dev, size_t size,
+ pgprot_t prot, struct page **ret_page,
+- const void *caller, bool want_vaddr);
++ const void *caller, bool want_vaddr,
++ int coherent_flag);
+
+ static void *__alloc_remap_buffer(struct device *dev, size_t size, gfp_t gfp,
+ pgprot_t prot, struct page **ret_page,
+@@ -405,10 +415,13 @@ static int __init atomic_pool_init(void)
+ atomic_pool = gen_pool_create(PAGE_SHIFT, -1);
+ if (!atomic_pool)
+ goto out;
+-
++ /*
++ * The atomic pool is only used for non-coherent allocations
++ * so we must pass NORMAL for coherent_flag.
++ */
+ if (dev_get_cma_area(NULL))
+ ptr = __alloc_from_contiguous(NULL, atomic_pool_size, prot,
+- &page, atomic_pool_init, true);
++ &page, atomic_pool_init, true, NORMAL);
+ else
+ ptr = __alloc_remap_buffer(NULL, atomic_pool_size, gfp, prot,
+ &page, atomic_pool_init, true);
+@@ -522,7 +535,11 @@ static void *__alloc_remap_buffer(struct device *dev, size_t size, gfp_t gfp,
+ {
+ struct page *page;
+ void *ptr = NULL;
+- page = __dma_alloc_buffer(dev, size, gfp);
++ /*
++ * __alloc_remap_buffer is only called when the device is
++ * non-coherent
++ */
++ page = __dma_alloc_buffer(dev, size, gfp, NORMAL);
+ if (!page)
+ return NULL;
+ if (!want_vaddr)
+@@ -577,7 +594,8 @@ static int __free_from_pool(void *start, size_t size)
+
+ static void *__alloc_from_contiguous(struct device *dev, size_t size,
+ pgprot_t prot, struct page **ret_page,
+- const void *caller, bool want_vaddr)
++ const void *caller, bool want_vaddr,
++ int coherent_flag)
+ {
+ unsigned long order = get_order(size);
+ size_t count = size >> PAGE_SHIFT;
+@@ -588,7 +606,7 @@ static void *__alloc_from_contiguous(struct device *dev, size_t size,
+ if (!page)
+ return NULL;
+
+- __dma_clear_buffer(page, size);
++ __dma_clear_buffer(page, size, coherent_flag);
+
+ if (!want_vaddr)
+ goto out;
+@@ -638,7 +656,7 @@ static inline pgprot_t __get_dma_pgprot(struct dma_attrs *attrs, pgprot_t prot)
+ #define __get_dma_pgprot(attrs, prot) __pgprot(0)
+ #define __alloc_remap_buffer(dev, size, gfp, prot, ret, c, wv) NULL
+ #define __alloc_from_pool(size, ret_page) NULL
+-#define __alloc_from_contiguous(dev, size, prot, ret, c, wv) NULL
++#define __alloc_from_contiguous(dev, size, prot, ret, c, wv, coherent_flag) NULL
+ #define __free_from_pool(cpu_addr, size) do { } while (0)
+ #define __free_from_contiguous(dev, page, cpu_addr, size, wv) do { } while (0)
+ #define __dma_free_remap(cpu_addr, size) do { } while (0)
+@@ -649,7 +667,8 @@ static void *__alloc_simple_buffer(struct device *dev, size_t size, gfp_t gfp,
+ struct page **ret_page)
+ {
+ struct page *page;
+- page = __dma_alloc_buffer(dev, size, gfp);
++ /* __alloc_simple_buffer is only called when the device is coherent */
++ page = __dma_alloc_buffer(dev, size, gfp, COHERENT);
+ if (!page)
+ return NULL;
+
+@@ -679,7 +698,7 @@ static void *cma_allocator_alloc(struct arm_dma_alloc_args *args,
+ {
+ return __alloc_from_contiguous(args->dev, args->size, args->prot,
+ ret_page, args->caller,
+- args->want_vaddr);
++ args->want_vaddr, args->coherent_flag);
+ }
+
+ static void cma_allocator_free(struct arm_dma_free_args *args)
+@@ -746,6 +765,7 @@ static void *__dma_alloc(struct device *dev, size_t size, dma_addr_t *handle,
+ .prot = prot,
+ .caller = caller,
+ .want_vaddr = !dma_get_attr(DMA_ATTR_NO_KERNEL_MAPPING, attrs),
++ .coherent_flag = is_coherent ? COHERENT : NORMAL,
+ };
+
+ #ifdef CONFIG_DMA_API_DEBUG
+@@ -1253,7 +1273,8 @@ static inline void __free_iova(struct dma_iommu_mapping *mapping,
+ static const int iommu_order_array[] = { 9, 8, 4, 0 };
+
+ static struct page **__iommu_alloc_buffer(struct device *dev, size_t size,
+- gfp_t gfp, struct dma_attrs *attrs)
++ gfp_t gfp, struct dma_attrs *attrs,
++ int coherent_flag)
+ {
+ struct page **pages;
+ int count = size >> PAGE_SHIFT;
+@@ -1277,7 +1298,7 @@ static struct page **__iommu_alloc_buffer(struct device *dev, size_t size,
+ if (!page)
+ goto error;
+
+- __dma_clear_buffer(page, size);
++ __dma_clear_buffer(page, size, coherent_flag);
+
+ for (i = 0; i < count; i++)
+ pages[i] = page + i;
+@@ -1327,7 +1348,7 @@ static struct page **__iommu_alloc_buffer(struct device *dev, size_t size,
+ pages[i + j] = pages[i] + j;
+ }
+
+- __dma_clear_buffer(pages[i], PAGE_SIZE << order);
++ __dma_clear_buffer(pages[i], PAGE_SIZE << order, coherent_flag);
+ i += 1 << order;
+ count -= 1 << order;
+ }
+@@ -1505,7 +1526,8 @@ static void *arm_iommu_alloc_attrs(struct device *dev, size_t size,
+ */
+ gfp &= ~(__GFP_COMP);
+
+- pages = __iommu_alloc_buffer(dev, size, gfp, attrs);
++ /* For now always consider we are in a non-coherent case */
++ pages = __iommu_alloc_buffer(dev, size, gfp, attrs, NORMAL);
+ if (!pages)
+ return NULL;
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 5a0a691..2038492 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -872,7 +872,7 @@ config RELOCATABLE
+
+ config RANDOMIZE_BASE
+ bool "Randomize the address of the kernel image"
+- select ARM64_MODULE_PLTS
++ select ARM64_MODULE_PLTS if MODULES
+ select RELOCATABLE
+ help
+ Randomizes the virtual address at which the kernel image is
+diff --git a/arch/arm64/boot/dts/rockchip/rk3368.dtsi b/arch/arm64/boot/dts/rockchip/rk3368.dtsi
+index 8b4a7c9..080203e 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3368.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3368.dtsi
+@@ -670,7 +670,7 @@
+ #address-cells = <0>;
+
+ reg = <0x0 0xffb71000 0x0 0x1000>,
+- <0x0 0xffb72000 0x0 0x1000>,
++ <0x0 0xffb72000 0x0 0x2000>,
+ <0x0 0xffb74000 0x0 0x2000>,
+ <0x0 0xffb76000 0x0 0x2000>;
+ interrupts = <GIC_PPI 9
+diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
+index 4fbf3c5..0800d23 100644
+--- a/arch/arm64/kernel/debug-monitors.c
++++ b/arch/arm64/kernel/debug-monitors.c
+@@ -151,7 +151,6 @@ static int debug_monitors_init(void)
+ /* Clear the OS lock. */
+ on_each_cpu(clear_os_lock, NULL, 1);
+ isb();
+- local_dbg_enable();
+
+ /* Register hotplug handler. */
+ __register_cpu_notifier(&os_lock_nb);
+diff --git a/arch/arm64/kernel/hibernate.c b/arch/arm64/kernel/hibernate.c
+index 21ab5df..65d81f9 100644
+--- a/arch/arm64/kernel/hibernate.c
++++ b/arch/arm64/kernel/hibernate.c
+@@ -35,6 +35,7 @@
+ #include <asm/sections.h>
+ #include <asm/smp.h>
+ #include <asm/suspend.h>
++#include <asm/sysreg.h>
+ #include <asm/virt.h>
+
+ /*
+@@ -217,12 +218,22 @@ static int create_safe_exec_page(void *src_start, size_t length,
+ set_pte(pte, __pte(virt_to_phys((void *)dst) |
+ pgprot_val(PAGE_KERNEL_EXEC)));
+
+- /* Load our new page tables */
+- asm volatile("msr ttbr0_el1, %0;"
+- "isb;"
+- "tlbi vmalle1is;"
+- "dsb ish;"
+- "isb" : : "r"(virt_to_phys(pgd)));
++ /*
++ * Load our new page tables. A strict BBM approach requires that we
++ * ensure that TLBs are free of any entries that may overlap with the
++ * global mappings we are about to install.
++ *
++ * For a real hibernate/resume cycle TTBR0 currently points to a zero
++ * page, but TLBs may contain stale ASID-tagged entries (e.g. for EFI
++ * runtime services), while for a userspace-driven test_resume cycle it
++ * points to userspace page tables (and we must point it at a zero page
++ * ourselves). Elsewhere we only (un)install the idmap with preemption
++ * disabled, so T0SZ should be as required regardless.
++ */
++ cpu_set_reserved_ttbr0();
++ local_flush_tlb_all();
++ write_sysreg(virt_to_phys(pgd), ttbr0_el1);
++ isb();
+
+ *phys_dst_addr = virt_to_phys((void *)dst);
+
+@@ -394,6 +405,38 @@ int swsusp_arch_resume(void)
+ void *, phys_addr_t, phys_addr_t);
+
+ /*
++ * Restoring the memory image will overwrite the ttbr1 page tables.
++ * Create a second copy of just the linear map, and use this when
++ * restoring.
++ */
++ tmp_pg_dir = (pgd_t *)get_safe_page(GFP_ATOMIC);
++ if (!tmp_pg_dir) {
++ pr_err("Failed to allocate memory for temporary page tables.");
++ rc = -ENOMEM;
++ goto out;
++ }
++ rc = copy_page_tables(tmp_pg_dir, PAGE_OFFSET, 0);
++ if (rc)
++ goto out;
++
++ /*
++ * Since we only copied the linear map, we need to find restore_pblist's
++ * linear map address.
++ */
++ lm_restore_pblist = LMADDR(restore_pblist);
++
++ /*
++ * We need a zero page that is zero before & after resume in order to
++ * to break before make on the ttbr1 page tables.
++ */
++ zero_page = (void *)get_safe_page(GFP_ATOMIC);
++ if (!zero_page) {
++ pr_err("Failed to allocate zero page.");
++ rc = -ENOMEM;
++ goto out;
++ }
++
++ /*
+ * Locate the exit code in the bottom-but-one page, so that *NULL
+ * still has disastrous affects.
+ */
+@@ -419,27 +462,6 @@ int swsusp_arch_resume(void)
+ __flush_dcache_area(hibernate_exit, exit_size);
+
+ /*
+- * Restoring the memory image will overwrite the ttbr1 page tables.
+- * Create a second copy of just the linear map, and use this when
+- * restoring.
+- */
+- tmp_pg_dir = (pgd_t *)get_safe_page(GFP_ATOMIC);
+- if (!tmp_pg_dir) {
+- pr_err("Failed to allocate memory for temporary page tables.");
+- rc = -ENOMEM;
+- goto out;
+- }
+- rc = copy_page_tables(tmp_pg_dir, PAGE_OFFSET, 0);
+- if (rc)
+- goto out;
+-
+- /*
+- * Since we only copied the linear map, we need to find restore_pblist's
+- * linear map address.
+- */
+- lm_restore_pblist = LMADDR(restore_pblist);
+-
+- /*
+ * KASLR will cause the el2 vectors to be in a different location in
+ * the resumed kernel. Load hibernate's temporary copy into el2.
+ *
+@@ -453,12 +475,6 @@ int swsusp_arch_resume(void)
+ __hyp_set_vectors(el2_vectors);
+ }
+
+- /*
+- * We need a zero page that is zero before & after resume in order to
+- * to break before make on the ttbr1 page tables.
+- */
+- zero_page = (void *)get_safe_page(GFP_ATOMIC);
+-
+ hibernate_exit(virt_to_phys(tmp_pg_dir), resume_hdr.ttbr1_el1,
+ resume_hdr.reenter_kernel, lm_restore_pblist,
+ resume_hdr.__hyp_stub_vectors, virt_to_phys(zero_page));
+diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
+index 62ff3c0..490db85 100644
+--- a/arch/arm64/kernel/smp.c
++++ b/arch/arm64/kernel/smp.c
+@@ -267,7 +267,6 @@ asmlinkage void secondary_start_kernel(void)
+ set_cpu_online(cpu, true);
+ complete(&cpu_running);
+
+- local_dbg_enable();
+ local_irq_enable();
+ local_async_enable();
+
+@@ -437,9 +436,9 @@ void __init smp_cpus_done(unsigned int max_cpus)
+
+ void __init smp_prepare_boot_cpu(void)
+ {
++ set_my_cpu_offset(per_cpu_offset(smp_processor_id()));
+ cpuinfo_store_boot_cpu();
+ save_boot_cpu_run_el();
+- set_my_cpu_offset(per_cpu_offset(smp_processor_id()));
+ }
+
+ static u64 __init of_get_cpu_mpidr(struct device_node *dn)
+@@ -694,6 +693,13 @@ void __init smp_prepare_cpus(unsigned int max_cpus)
+ smp_store_cpu_info(smp_processor_id());
+
+ /*
++ * If UP is mandated by "nosmp" (which implies "maxcpus=0"), don't set
++ * secondary CPUs present.
++ */
++ if (max_cpus == 0)
++ return;
++
++ /*
+ * Initialise the present map (which describes the set of CPUs
+ * actually populated at the present time) and release the
+ * secondaries from the bootloader.
+diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
+index 435e820..e564d45 100644
+--- a/arch/arm64/kernel/vmlinux.lds.S
++++ b/arch/arm64/kernel/vmlinux.lds.S
+@@ -181,9 +181,9 @@ SECTIONS
+ *(.hash)
+ }
+
+- __rela_offset = ADDR(.rela) - KIMAGE_VADDR;
++ __rela_offset = ABSOLUTE(ADDR(.rela) - KIMAGE_VADDR);
+ __rela_size = SIZEOF(.rela);
+- __dynsym_offset = ADDR(.dynsym) - KIMAGE_VADDR;
++ __dynsym_offset = ABSOLUTE(ADDR(.dynsym) - KIMAGE_VADDR);
+
+ . = ALIGN(SEGMENT_ALIGN);
+ __init_end = .;
+diff --git a/arch/arm64/kvm/hyp/sysreg-sr.c b/arch/arm64/kvm/hyp/sysreg-sr.c
+index 0f7c40e..9341376 100644
+--- a/arch/arm64/kvm/hyp/sysreg-sr.c
++++ b/arch/arm64/kvm/hyp/sysreg-sr.c
+@@ -27,8 +27,8 @@ static void __hyp_text __sysreg_do_nothing(struct kvm_cpu_context *ctxt) { }
+ /*
+ * Non-VHE: Both host and guest must save everything.
+ *
+- * VHE: Host must save tpidr*_el[01], actlr_el1, sp0, pc, pstate, and
+- * guest must save everything.
++ * VHE: Host must save tpidr*_el[01], actlr_el1, mdscr_el1, sp0, pc,
++ * pstate, and guest must save everything.
+ */
+
+ static void __hyp_text __sysreg_save_common_state(struct kvm_cpu_context *ctxt)
+@@ -37,6 +37,7 @@ static void __hyp_text __sysreg_save_common_state(struct kvm_cpu_context *ctxt)
+ ctxt->sys_regs[TPIDR_EL0] = read_sysreg(tpidr_el0);
+ ctxt->sys_regs[TPIDRRO_EL0] = read_sysreg(tpidrro_el0);
+ ctxt->sys_regs[TPIDR_EL1] = read_sysreg(tpidr_el1);
++ ctxt->sys_regs[MDSCR_EL1] = read_sysreg(mdscr_el1);
+ ctxt->gp_regs.regs.sp = read_sysreg(sp_el0);
+ ctxt->gp_regs.regs.pc = read_sysreg_el2(elr);
+ ctxt->gp_regs.regs.pstate = read_sysreg_el2(spsr);
+@@ -61,7 +62,6 @@ static void __hyp_text __sysreg_save_state(struct kvm_cpu_context *ctxt)
+ ctxt->sys_regs[AMAIR_EL1] = read_sysreg_el1(amair);
+ ctxt->sys_regs[CNTKCTL_EL1] = read_sysreg_el1(cntkctl);
+ ctxt->sys_regs[PAR_EL1] = read_sysreg(par_el1);
+- ctxt->sys_regs[MDSCR_EL1] = read_sysreg(mdscr_el1);
+
+ ctxt->gp_regs.sp_el1 = read_sysreg(sp_el1);
+ ctxt->gp_regs.elr_el1 = read_sysreg_el1(elr);
+@@ -90,6 +90,7 @@ static void __hyp_text __sysreg_restore_common_state(struct kvm_cpu_context *ctx
+ write_sysreg(ctxt->sys_regs[TPIDR_EL0], tpidr_el0);
+ write_sysreg(ctxt->sys_regs[TPIDRRO_EL0], tpidrro_el0);
+ write_sysreg(ctxt->sys_regs[TPIDR_EL1], tpidr_el1);
++ write_sysreg(ctxt->sys_regs[MDSCR_EL1], mdscr_el1);
+ write_sysreg(ctxt->gp_regs.regs.sp, sp_el0);
+ write_sysreg_el2(ctxt->gp_regs.regs.pc, elr);
+ write_sysreg_el2(ctxt->gp_regs.regs.pstate, spsr);
+@@ -114,7 +115,6 @@ static void __hyp_text __sysreg_restore_state(struct kvm_cpu_context *ctxt)
+ write_sysreg_el1(ctxt->sys_regs[AMAIR_EL1], amair);
+ write_sysreg_el1(ctxt->sys_regs[CNTKCTL_EL1], cntkctl);
+ write_sysreg(ctxt->sys_regs[PAR_EL1], par_el1);
+- write_sysreg(ctxt->sys_regs[MDSCR_EL1], mdscr_el1);
+
+ write_sysreg(ctxt->gp_regs.sp_el1, sp_el1);
+ write_sysreg_el1(ctxt->gp_regs.elr_el1, elr);
+diff --git a/arch/arm64/kvm/inject_fault.c b/arch/arm64/kvm/inject_fault.c
+index e9e0e6d..898c0e6 100644
+--- a/arch/arm64/kvm/inject_fault.c
++++ b/arch/arm64/kvm/inject_fault.c
+@@ -132,16 +132,14 @@ static u64 get_except_vector(struct kvm_vcpu *vcpu, enum exception_type type)
+ static void inject_abt64(struct kvm_vcpu *vcpu, bool is_iabt, unsigned long addr)
+ {
+ unsigned long cpsr = *vcpu_cpsr(vcpu);
+- bool is_aarch32;
++ bool is_aarch32 = vcpu_mode_is_32bit(vcpu);
+ u32 esr = 0;
+
+- is_aarch32 = vcpu_mode_is_32bit(vcpu);
+-
+- *vcpu_spsr(vcpu) = cpsr;
+ *vcpu_elr_el1(vcpu) = *vcpu_pc(vcpu);
+-
+ *vcpu_pc(vcpu) = get_except_vector(vcpu, except_type_sync);
++
+ *vcpu_cpsr(vcpu) = PSTATE_FAULT_BITS_64;
++ *vcpu_spsr(vcpu) = cpsr;
+
+ vcpu_sys_reg(vcpu, FAR_EL1) = addr;
+
+@@ -172,11 +170,11 @@ static void inject_undef64(struct kvm_vcpu *vcpu)
+ unsigned long cpsr = *vcpu_cpsr(vcpu);
+ u32 esr = (ESR_ELx_EC_UNKNOWN << ESR_ELx_EC_SHIFT);
+
+- *vcpu_spsr(vcpu) = cpsr;
+ *vcpu_elr_el1(vcpu) = *vcpu_pc(vcpu);
+-
+ *vcpu_pc(vcpu) = get_except_vector(vcpu, except_type_sync);
++
+ *vcpu_cpsr(vcpu) = PSTATE_FAULT_BITS_64;
++ *vcpu_spsr(vcpu) = cpsr;
+
+ /*
+ * Build an unknown exception, depending on the instruction
+diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
+index 0f85a46..3e90a2c 100644
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -748,9 +748,9 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
+ /*
+ * Check whether the physical FDT address is set and meets the minimum
+ * alignment requirement. Since we are relying on MIN_FDT_ALIGN to be
+- * at least 8 bytes so that we can always access the size field of the
+- * FDT header after mapping the first chunk, double check here if that
+- * is indeed the case.
++ * at least 8 bytes so that we can always access the magic and size
++ * fields of the FDT header after mapping the first chunk, double check
++ * here if that is indeed the case.
+ */
+ BUILD_BUG_ON(MIN_FDT_ALIGN < 8);
+ if (!dt_phys || dt_phys % MIN_FDT_ALIGN)
+@@ -778,7 +778,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
+ create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE),
+ dt_virt_base, SWAPPER_BLOCK_SIZE, prot);
+
+- if (fdt_check_header(dt_virt) != 0)
++ if (fdt_magic(dt_virt) != FDT_MAGIC)
+ return NULL;
+
+ *size = fdt_totalsize(dt_virt);
+diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S
+index c431787..5bb61de 100644
+--- a/arch/arm64/mm/proc.S
++++ b/arch/arm64/mm/proc.S
+@@ -180,6 +180,8 @@ ENTRY(__cpu_setup)
+ msr cpacr_el1, x0 // Enable FP/ASIMD
+ mov x0, #1 << 12 // Reset mdscr_el1 and disable
+ msr mdscr_el1, x0 // access to the DCC from EL0
++ isb // Unmask debug exceptions now,
++ enable_dbg // since this is per-cpu
+ reset_pmuserenr_el0 x0 // Disable PMU access from EL0
+ /*
+ * Memory region attributes for LPAE:
+diff --git a/arch/metag/include/asm/cmpxchg_lnkget.h b/arch/metag/include/asm/cmpxchg_lnkget.h
+index 0154e28..2369ad3 100644
+--- a/arch/metag/include/asm/cmpxchg_lnkget.h
++++ b/arch/metag/include/asm/cmpxchg_lnkget.h
+@@ -73,7 +73,7 @@ static inline unsigned long __cmpxchg_u32(volatile int *m, unsigned long old,
+ " DCACHE [%2], %0\n"
+ #endif
+ "2:\n"
+- : "=&d" (temp), "=&da" (retval)
++ : "=&d" (temp), "=&d" (retval)
+ : "da" (m), "bd" (old), "da" (new)
+ : "cc"
+ );
+diff --git a/arch/mips/kernel/cevt-r4k.c b/arch/mips/kernel/cevt-r4k.c
+index e4c21bb..804d2a2 100644
+--- a/arch/mips/kernel/cevt-r4k.c
++++ b/arch/mips/kernel/cevt-r4k.c
+@@ -276,12 +276,7 @@ int r4k_clockevent_init(void)
+ CLOCK_EVT_FEAT_C3STOP |
+ CLOCK_EVT_FEAT_PERCPU;
+
+- clockevent_set_clock(cd, mips_hpt_frequency);
+-
+- /* Calculate the min / max delta */
+- cd->max_delta_ns = clockevent_delta2ns(0x7fffffff, cd);
+ min_delta = calculate_min_delta();
+- cd->min_delta_ns = clockevent_delta2ns(min_delta, cd);
+
+ cd->rating = 300;
+ cd->irq = irq;
+@@ -289,7 +284,7 @@ int r4k_clockevent_init(void)
+ cd->set_next_event = mips_next_event;
+ cd->event_handler = mips_event_handler;
+
+- clockevents_register_device(cd);
++ clockevents_config_and_register(cd, mips_hpt_frequency, min_delta, 0x7fffffff);
+
+ if (cp0_timer_irq_installed)
+ return 0;
+diff --git a/arch/mips/kernel/csrc-r4k.c b/arch/mips/kernel/csrc-r4k.c
+index 1f91056..d76275d 100644
+--- a/arch/mips/kernel/csrc-r4k.c
++++ b/arch/mips/kernel/csrc-r4k.c
+@@ -23,7 +23,7 @@ static struct clocksource clocksource_mips = {
+ .flags = CLOCK_SOURCE_IS_CONTINUOUS,
+ };
+
+-static u64 notrace r4k_read_sched_clock(void)
++static u64 __maybe_unused notrace r4k_read_sched_clock(void)
+ {
+ return read_c0_count();
+ }
+@@ -82,7 +82,9 @@ int __init init_r4k_clocksource(void)
+
+ clocksource_register_hz(&clocksource_mips, mips_hpt_frequency);
+
++#ifndef CONFIG_CPU_FREQ
+ sched_clock_register(r4k_read_sched_clock, 32, mips_hpt_frequency);
++#endif
+
+ return 0;
+ }
+diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c
+index 645c8a1..2b42a74 100644
+--- a/arch/mips/kvm/emulate.c
++++ b/arch/mips/kvm/emulate.c
+@@ -1615,8 +1615,14 @@ enum emulation_result kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc,
+
+ preempt_disable();
+ if (KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG0) {
+- if (kvm_mips_host_tlb_lookup(vcpu, va) < 0)
+- kvm_mips_handle_kseg0_tlb_fault(va, vcpu);
++ if (kvm_mips_host_tlb_lookup(vcpu, va) < 0 &&
++ kvm_mips_handle_kseg0_tlb_fault(va, vcpu)) {
++ kvm_err("%s: handling mapped kseg0 tlb fault for %lx, vcpu: %p, ASID: %#lx\n",
++ __func__, va, vcpu, read_c0_entryhi());
++ er = EMULATE_FAIL;
++ preempt_enable();
++ goto done;
++ }
+ } else if ((KVM_GUEST_KSEGX(va) < KVM_GUEST_KSEG0) ||
+ KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG23) {
+ int index;
+@@ -1654,14 +1660,19 @@ enum emulation_result kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc,
+ run, vcpu);
+ preempt_enable();
+ goto dont_update_pc;
+- } else {
+- /*
+- * We fault an entry from the guest tlb to the
+- * shadow host TLB
+- */
+- kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
+- NULL,
+- NULL);
++ }
++ /*
++ * We fault an entry from the guest tlb to the
++ * shadow host TLB
++ */
++ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
++ NULL, NULL)) {
++ kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n",
++ __func__, va, index, vcpu,
++ read_c0_entryhi());
++ er = EMULATE_FAIL;
++ preempt_enable();
++ goto done;
+ }
+ }
+ } else {
+@@ -2625,8 +2636,13 @@ enum emulation_result kvm_mips_handle_tlbmiss(unsigned long cause,
+ * OK we have a Guest TLB entry, now inject it into the
+ * shadow host TLB
+ */
+- kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, NULL,
+- NULL);
++ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
++ NULL, NULL)) {
++ kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n",
++ __func__, va, index, vcpu,
++ read_c0_entryhi());
++ er = EMULATE_FAIL;
++ }
+ }
+ }
+
+diff --git a/arch/mips/kvm/tlb.c b/arch/mips/kvm/tlb.c
+index ed021ae..ad2270f 100644
+--- a/arch/mips/kvm/tlb.c
++++ b/arch/mips/kvm/tlb.c
+@@ -284,7 +284,7 @@ int kvm_mips_handle_kseg0_tlb_fault(unsigned long badvaddr,
+ }
+
+ gfn = (KVM_GUEST_CPHYSADDR(badvaddr) >> PAGE_SHIFT);
+- if (gfn >= kvm->arch.guest_pmap_npages) {
++ if ((gfn | 1) >= kvm->arch.guest_pmap_npages) {
+ kvm_err("%s: Invalid gfn: %#llx, BadVaddr: %#lx\n", __func__,
+ gfn, badvaddr);
+ kvm_mips_dump_host_tlbs();
+@@ -373,26 +373,40 @@ int kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu *vcpu,
+ unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
+ struct kvm *kvm = vcpu->kvm;
+ kvm_pfn_t pfn0, pfn1;
++ gfn_t gfn0, gfn1;
++ long tlb_lo[2];
+ int ret;
+
+- if ((tlb->tlb_hi & VPN2_MASK) == 0) {
+- pfn0 = 0;
+- pfn1 = 0;
+- } else {
+- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo0)
+- >> PAGE_SHIFT) < 0)
+- return -1;
+-
+- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo1)
+- >> PAGE_SHIFT) < 0)
+- return -1;
+-
+- pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo0)
+- >> PAGE_SHIFT];
+- pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo1)
+- >> PAGE_SHIFT];
++ tlb_lo[0] = tlb->tlb_lo0;
++ tlb_lo[1] = tlb->tlb_lo1;
++
++ /*
++ * The commpage address must not be mapped to anything else if the guest
++ * TLB contains entries nearby, or commpage accesses will break.
++ */
++ if (!((tlb->tlb_hi ^ KVM_GUEST_COMMPAGE_ADDR) &
++ VPN2_MASK & (PAGE_MASK << 1)))
++ tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;
++
++ gfn0 = mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT;
++ gfn1 = mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT;
++ if (gfn0 >= kvm->arch.guest_pmap_npages ||
++ gfn1 >= kvm->arch.guest_pmap_npages) {
++ kvm_err("%s: Invalid gfn: [%#llx, %#llx], EHi: %#lx\n",
++ __func__, gfn0, gfn1, tlb->tlb_hi);
++ kvm_mips_dump_guest_tlbs(vcpu);
++ return -1;
+ }
+
++ if (kvm_mips_map_page(kvm, gfn0) < 0)
++ return -1;
++
++ if (kvm_mips_map_page(kvm, gfn1) < 0)
++ return -1;
++
++ pfn0 = kvm->arch.guest_pmap[gfn0];
++ pfn1 = kvm->arch.guest_pmap[gfn1];
++
+ if (hpa0)
+ *hpa0 = pfn0 << PAGE_SHIFT;
+
+@@ -401,9 +415,9 @@ int kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu *vcpu,
+
+ /* Get attributes from the Guest TLB */
+ entrylo0 = mips3_paddr_to_tlbpfn(pfn0 << PAGE_SHIFT) | (0x3 << 3) |
+- (tlb->tlb_lo0 & MIPS3_PG_D) | (tlb->tlb_lo0 & MIPS3_PG_V);
++ (tlb_lo[0] & MIPS3_PG_D) | (tlb_lo[0] & MIPS3_PG_V);
+ entrylo1 = mips3_paddr_to_tlbpfn(pfn1 << PAGE_SHIFT) | (0x3 << 3) |
+- (tlb->tlb_lo1 & MIPS3_PG_D) | (tlb->tlb_lo1 & MIPS3_PG_V);
++ (tlb_lo[1] & MIPS3_PG_D) | (tlb_lo[1] & MIPS3_PG_V);
+
+ kvm_debug("@ %#lx tlb_lo0: 0x%08lx tlb_lo1: 0x%08lx\n", vcpu->arch.pc,
+ tlb->tlb_lo0, tlb->tlb_lo1);
+@@ -776,10 +790,16 @@ uint32_t kvm_get_inst(uint32_t *opc, struct kvm_vcpu *vcpu)
+ local_irq_restore(flags);
+ return KVM_INVALID_INST;
+ }
+- kvm_mips_handle_mapped_seg_tlb_fault(vcpu,
+- &vcpu->arch.
+- guest_tlb[index],
+- NULL, NULL);
++ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu,
++ &vcpu->arch.guest_tlb[index],
++ NULL, NULL)) {
++ kvm_err("%s: handling mapped seg tlb fault failed for %p, index: %u, vcpu: %p, ASID: %#lx\n",
++ __func__, opc, index, vcpu,
++ read_c0_entryhi());
++ kvm_mips_dump_guest_tlbs(vcpu);
++ local_irq_restore(flags);
++ return KVM_INVALID_INST;
++ }
+ inst = *(opc);
+ }
+ local_irq_restore(flags);
+diff --git a/arch/mips/loongson64/loongson-3/hpet.c b/arch/mips/loongson64/loongson-3/hpet.c
+index 249039a..4788bea 100644
+--- a/arch/mips/loongson64/loongson-3/hpet.c
++++ b/arch/mips/loongson64/loongson-3/hpet.c
+@@ -13,8 +13,8 @@
+ #define SMBUS_PCI_REG64 0x64
+ #define SMBUS_PCI_REGB4 0xb4
+
+-#define HPET_MIN_CYCLES 64
+-#define HPET_MIN_PROG_DELTA (HPET_MIN_CYCLES + (HPET_MIN_CYCLES >> 1))
++#define HPET_MIN_CYCLES 16
++#define HPET_MIN_PROG_DELTA (HPET_MIN_CYCLES * 12)
+
+ static DEFINE_SPINLOCK(hpet_lock);
+ DEFINE_PER_CPU(struct clock_event_device, hpet_clockevent_device);
+@@ -157,14 +157,14 @@ static int hpet_tick_resume(struct clock_event_device *evt)
+ static int hpet_next_event(unsigned long delta,
+ struct clock_event_device *evt)
+ {
+- unsigned int cnt;
+- int res;
++ u32 cnt;
++ s32 res;
+
+ cnt = hpet_read(HPET_COUNTER);
+- cnt += delta;
++ cnt += (u32) delta;
+ hpet_write(HPET_T0_CMP, cnt);
+
+- res = (int)(cnt - hpet_read(HPET_COUNTER));
++ res = (s32)(cnt - hpet_read(HPET_COUNTER));
+
+ return res < HPET_MIN_CYCLES ? -ETIME : 0;
+ }
+@@ -230,7 +230,7 @@ void __init setup_hpet_timer(void)
+
+ cd = &per_cpu(hpet_clockevent_device, cpu);
+ cd->name = "hpet";
+- cd->rating = 320;
++ cd->rating = 100;
+ cd->features = CLOCK_EVT_FEAT_PERIODIC | CLOCK_EVT_FEAT_ONESHOT;
+ cd->set_state_shutdown = hpet_set_state_shutdown;
+ cd->set_state_periodic = hpet_set_state_periodic;
+diff --git a/arch/mips/mm/uasm-mips.c b/arch/mips/mm/uasm-mips.c
+index 9c2220a..45e3b87 100644
+--- a/arch/mips/mm/uasm-mips.c
++++ b/arch/mips/mm/uasm-mips.c
+@@ -65,7 +65,7 @@ static struct insn insn_table[] = {
+ #ifndef CONFIG_CPU_MIPSR6
+ { insn_cache, M(cache_op, 0, 0, 0, 0, 0), RS | RT | SIMM },
+ #else
+- { insn_cache, M6(cache_op, 0, 0, 0, cache6_op), RS | RT | SIMM9 },
++ { insn_cache, M6(spec3_op, 0, 0, 0, cache6_op), RS | RT | SIMM9 },
+ #endif
+ { insn_daddiu, M(daddiu_op, 0, 0, 0, 0, 0), RS | RT | SIMM },
+ { insn_daddu, M(spec_op, 0, 0, 0, 0, daddu_op), RS | RT | RD },
+diff --git a/arch/powerpc/kernel/tm.S b/arch/powerpc/kernel/tm.S
+index b7019b5..298afcf 100644
+--- a/arch/powerpc/kernel/tm.S
++++ b/arch/powerpc/kernel/tm.S
+@@ -338,8 +338,6 @@ _GLOBAL(__tm_recheckpoint)
+ */
+ subi r7, r7, STACK_FRAME_OVERHEAD
+
+- SET_SCRATCH0(r1)
+-
+ mfmsr r6
+ /* R4 = original MSR to indicate whether thread used FP/Vector etc. */
+
+@@ -468,6 +466,7 @@ restore_gprs:
+ * until we turn MSR RI back on.
+ */
+
++ SET_SCRATCH0(r1)
+ ld r5, -8(r1)
+ ld r1, -16(r1)
+
+diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+index e571ad2..38e108e 100644
+--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+@@ -655,112 +655,8 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S)
+
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ BEGIN_FTR_SECTION
+- b skip_tm
+-END_FTR_SECTION_IFCLR(CPU_FTR_TM)
+-
+- /* Turn on TM/FP/VSX/VMX so we can restore them. */
+- mfmsr r5
+- li r6, MSR_TM >> 32
+- sldi r6, r6, 32
+- or r5, r5, r6
+- ori r5, r5, MSR_FP
+- oris r5, r5, (MSR_VEC | MSR_VSX)@h
+- mtmsrd r5
+-
+- /*
+- * The user may change these outside of a transaction, so they must
+- * always be context switched.
+- */
+- ld r5, VCPU_TFHAR(r4)
+- ld r6, VCPU_TFIAR(r4)
+- ld r7, VCPU_TEXASR(r4)
+- mtspr SPRN_TFHAR, r5
+- mtspr SPRN_TFIAR, r6
+- mtspr SPRN_TEXASR, r7
+-
+- ld r5, VCPU_MSR(r4)
+- rldicl. r5, r5, 64 - MSR_TS_S_LG, 62
+- beq skip_tm /* TM not active in guest */
+-
+- /* Make sure the failure summary is set, otherwise we'll program check
+- * when we trechkpt. It's possible that this might have been not set
+- * on a kvmppc_set_one_reg() call but we shouldn't let this crash the
+- * host.
+- */
+- oris r7, r7, (TEXASR_FS)@h
+- mtspr SPRN_TEXASR, r7
+-
+- /*
+- * We need to load up the checkpointed state for the guest.
+- * We need to do this early as it will blow away any GPRs, VSRs and
+- * some SPRs.
+- */
+-
+- mr r31, r4
+- addi r3, r31, VCPU_FPRS_TM
+- bl load_fp_state
+- addi r3, r31, VCPU_VRS_TM
+- bl load_vr_state
+- mr r4, r31
+- lwz r7, VCPU_VRSAVE_TM(r4)
+- mtspr SPRN_VRSAVE, r7
+-
+- ld r5, VCPU_LR_TM(r4)
+- lwz r6, VCPU_CR_TM(r4)
+- ld r7, VCPU_CTR_TM(r4)
+- ld r8, VCPU_AMR_TM(r4)
+- ld r9, VCPU_TAR_TM(r4)
+- mtlr r5
+- mtcr r6
+- mtctr r7
+- mtspr SPRN_AMR, r8
+- mtspr SPRN_TAR, r9
+-
+- /*
+- * Load up PPR and DSCR values but don't put them in the actual SPRs
+- * till the last moment to avoid running with userspace PPR and DSCR for
+- * too long.
+- */
+- ld r29, VCPU_DSCR_TM(r4)
+- ld r30, VCPU_PPR_TM(r4)
+-
+- std r2, PACATMSCRATCH(r13) /* Save TOC */
+-
+- /* Clear the MSR RI since r1, r13 are all going to be foobar. */
+- li r5, 0
+- mtmsrd r5, 1
+-
+- /* Load GPRs r0-r28 */
+- reg = 0
+- .rept 29
+- ld reg, VCPU_GPRS_TM(reg)(r31)
+- reg = reg + 1
+- .endr
+-
+- mtspr SPRN_DSCR, r29
+- mtspr SPRN_PPR, r30
+-
+- /* Load final GPRs */
+- ld 29, VCPU_GPRS_TM(29)(r31)
+- ld 30, VCPU_GPRS_TM(30)(r31)
+- ld 31, VCPU_GPRS_TM(31)(r31)
+-
+- /* TM checkpointed state is now setup. All GPRs are now volatile. */
+- TRECHKPT
+-
+- /* Now let's get back the state we need. */
+- HMT_MEDIUM
+- GET_PACA(r13)
+- ld r29, HSTATE_DSCR(r13)
+- mtspr SPRN_DSCR, r29
+- ld r4, HSTATE_KVM_VCPU(r13)
+- ld r1, HSTATE_HOST_R1(r13)
+- ld r2, PACATMSCRATCH(r13)
+-
+- /* Set the MSR RI since we have our registers back. */
+- li r5, MSR_RI
+- mtmsrd r5, 1
+-skip_tm:
++ bl kvmppc_restore_tm
++END_FTR_SECTION_IFSET(CPU_FTR_TM)
+ #endif
+
+ /* Load guest PMU registers */
+@@ -841,12 +737,6 @@ BEGIN_FTR_SECTION
+ /* Skip next section on POWER7 */
+ b 8f
+ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S)
+- /* Turn on TM so we can access TFHAR/TFIAR/TEXASR */
+- mfmsr r8
+- li r0, 1
+- rldimi r8, r0, MSR_TM_LG, 63-MSR_TM_LG
+- mtmsrd r8
+-
+ /* Load up POWER8-specific registers */
+ ld r5, VCPU_IAMR(r4)
+ lwz r6, VCPU_PSPB(r4)
+@@ -1436,106 +1326,8 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S)
+
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ BEGIN_FTR_SECTION
+- b 2f
+-END_FTR_SECTION_IFCLR(CPU_FTR_TM)
+- /* Turn on TM. */
+- mfmsr r8
+- li r0, 1
+- rldimi r8, r0, MSR_TM_LG, 63-MSR_TM_LG
+- mtmsrd r8
+-
+- ld r5, VCPU_MSR(r9)
+- rldicl. r5, r5, 64 - MSR_TS_S_LG, 62
+- beq 1f /* TM not active in guest. */
+-
+- li r3, TM_CAUSE_KVM_RESCHED
+-
+- /* Clear the MSR RI since r1, r13 are all going to be foobar. */
+- li r5, 0
+- mtmsrd r5, 1
+-
+- /* All GPRs are volatile at this point. */
+- TRECLAIM(R3)
+-
+- /* Temporarily store r13 and r9 so we have some regs to play with */
+- SET_SCRATCH0(r13)
+- GET_PACA(r13)
+- std r9, PACATMSCRATCH(r13)
+- ld r9, HSTATE_KVM_VCPU(r13)
+-
+- /* Get a few more GPRs free. */
+- std r29, VCPU_GPRS_TM(29)(r9)
+- std r30, VCPU_GPRS_TM(30)(r9)
+- std r31, VCPU_GPRS_TM(31)(r9)
+-
+- /* Save away PPR and DSCR soon so don't run with user values. */
+- mfspr r31, SPRN_PPR
+- HMT_MEDIUM
+- mfspr r30, SPRN_DSCR
+- ld r29, HSTATE_DSCR(r13)
+- mtspr SPRN_DSCR, r29
+-
+- /* Save all but r9, r13 & r29-r31 */
+- reg = 0
+- .rept 29
+- .if (reg != 9) && (reg != 13)
+- std reg, VCPU_GPRS_TM(reg)(r9)
+- .endif
+- reg = reg + 1
+- .endr
+- /* ... now save r13 */
+- GET_SCRATCH0(r4)
+- std r4, VCPU_GPRS_TM(13)(r9)
+- /* ... and save r9 */
+- ld r4, PACATMSCRATCH(r13)
+- std r4, VCPU_GPRS_TM(9)(r9)
+-
+- /* Reload stack pointer and TOC. */
+- ld r1, HSTATE_HOST_R1(r13)
+- ld r2, PACATOC(r13)
+-
+- /* Set MSR RI now we have r1 and r13 back. */
+- li r5, MSR_RI
+- mtmsrd r5, 1
+-
+- /* Save away checkpinted SPRs. */
+- std r31, VCPU_PPR_TM(r9)
+- std r30, VCPU_DSCR_TM(r9)
+- mflr r5
+- mfcr r6
+- mfctr r7
+- mfspr r8, SPRN_AMR
+- mfspr r10, SPRN_TAR
+- std r5, VCPU_LR_TM(r9)
+- stw r6, VCPU_CR_TM(r9)
+- std r7, VCPU_CTR_TM(r9)
+- std r8, VCPU_AMR_TM(r9)
+- std r10, VCPU_TAR_TM(r9)
+-
+- /* Restore r12 as trap number. */
+- lwz r12, VCPU_TRAP(r9)
+-
+- /* Save FP/VSX. */
+- addi r3, r9, VCPU_FPRS_TM
+- bl store_fp_state
+- addi r3, r9, VCPU_VRS_TM
+- bl store_vr_state
+- mfspr r6, SPRN_VRSAVE
+- stw r6, VCPU_VRSAVE_TM(r9)
+-1:
+- /*
+- * We need to save these SPRs after the treclaim so that the software
+- * error code is recorded correctly in the TEXASR. Also the user may
+- * change these outside of a transaction, so they must always be
+- * context switched.
+- */
+- mfspr r5, SPRN_TFHAR
+- mfspr r6, SPRN_TFIAR
+- mfspr r7, SPRN_TEXASR
+- std r5, VCPU_TFHAR(r9)
+- std r6, VCPU_TFIAR(r9)
+- std r7, VCPU_TEXASR(r9)
+-2:
++ bl kvmppc_save_tm
++END_FTR_SECTION_IFSET(CPU_FTR_TM)
+ #endif
+
+ /* Increment yield count if they have a VPA */
+@@ -2245,6 +2037,13 @@ _GLOBAL(kvmppc_h_cede) /* r3 = vcpu pointer, r11 = msr, r13 = paca */
+ /* save FP state */
+ bl kvmppc_save_fp
+
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++BEGIN_FTR_SECTION
++ ld r9, HSTATE_KVM_VCPU(r13)
++ bl kvmppc_save_tm
++END_FTR_SECTION_IFSET(CPU_FTR_TM)
++#endif
++
+ /*
+ * Set DEC to the smaller of DEC and HDEC, so that we wake
+ * no later than the end of our timeslice (HDEC interrupts
+@@ -2321,6 +2120,12 @@ kvm_end_cede:
+ bl kvmhv_accumulate_time
+ #endif
+
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++BEGIN_FTR_SECTION
++ bl kvmppc_restore_tm
++END_FTR_SECTION_IFSET(CPU_FTR_TM)
++#endif
++
+ /* load up FP state */
+ bl kvmppc_load_fp
+
+@@ -2631,6 +2436,239 @@ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
+ mr r4,r31
+ blr
+
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++/*
++ * Save transactional state and TM-related registers.
++ * Called with r9 pointing to the vcpu struct.
++ * This can modify all checkpointed registers, but
++ * restores r1, r2 and r9 (vcpu pointer) before exit.
++ */
++kvmppc_save_tm:
++ mflr r0
++ std r0, PPC_LR_STKOFF(r1)
++
++ /* Turn on TM. */
++ mfmsr r8
++ li r0, 1
++ rldimi r8, r0, MSR_TM_LG, 63-MSR_TM_LG
++ mtmsrd r8
++
++ ld r5, VCPU_MSR(r9)
++ rldicl. r5, r5, 64 - MSR_TS_S_LG, 62
++ beq 1f /* TM not active in guest. */
++
++ std r1, HSTATE_HOST_R1(r13)
++ li r3, TM_CAUSE_KVM_RESCHED
++
++ /* Clear the MSR RI since r1, r13 are all going to be foobar. */
++ li r5, 0
++ mtmsrd r5, 1
++
++ /* All GPRs are volatile at this point. */
++ TRECLAIM(R3)
++
++ /* Temporarily store r13 and r9 so we have some regs to play with */
++ SET_SCRATCH0(r13)
++ GET_PACA(r13)
++ std r9, PACATMSCRATCH(r13)
++ ld r9, HSTATE_KVM_VCPU(r13)
++
++ /* Get a few more GPRs free. */
++ std r29, VCPU_GPRS_TM(29)(r9)
++ std r30, VCPU_GPRS_TM(30)(r9)
++ std r31, VCPU_GPRS_TM(31)(r9)
++
++ /* Save away PPR and DSCR soon so don't run with user values. */
++ mfspr r31, SPRN_PPR
++ HMT_MEDIUM
++ mfspr r30, SPRN_DSCR
++ ld r29, HSTATE_DSCR(r13)
++ mtspr SPRN_DSCR, r29
++
++ /* Save all but r9, r13 & r29-r31 */
++ reg = 0
++ .rept 29
++ .if (reg != 9) && (reg != 13)
++ std reg, VCPU_GPRS_TM(reg)(r9)
++ .endif
++ reg = reg + 1
++ .endr
++ /* ... now save r13 */
++ GET_SCRATCH0(r4)
++ std r4, VCPU_GPRS_TM(13)(r9)
++ /* ... and save r9 */
++ ld r4, PACATMSCRATCH(r13)
++ std r4, VCPU_GPRS_TM(9)(r9)
++
++ /* Reload stack pointer and TOC. */
++ ld r1, HSTATE_HOST_R1(r13)
++ ld r2, PACATOC(r13)
++
++ /* Set MSR RI now we have r1 and r13 back. */
++ li r5, MSR_RI
++ mtmsrd r5, 1
++
++ /* Save away checkpinted SPRs. */
++ std r31, VCPU_PPR_TM(r9)
++ std r30, VCPU_DSCR_TM(r9)
++ mflr r5
++ mfcr r6
++ mfctr r7
++ mfspr r8, SPRN_AMR
++ mfspr r10, SPRN_TAR
++ std r5, VCPU_LR_TM(r9)
++ stw r6, VCPU_CR_TM(r9)
++ std r7, VCPU_CTR_TM(r9)
++ std r8, VCPU_AMR_TM(r9)
++ std r10, VCPU_TAR_TM(r9)
++
++ /* Restore r12 as trap number. */
++ lwz r12, VCPU_TRAP(r9)
++
++ /* Save FP/VSX. */
++ addi r3, r9, VCPU_FPRS_TM
++ bl store_fp_state
++ addi r3, r9, VCPU_VRS_TM
++ bl store_vr_state
++ mfspr r6, SPRN_VRSAVE
++ stw r6, VCPU_VRSAVE_TM(r9)
++1:
++ /*
++ * We need to save these SPRs after the treclaim so that the software
++ * error code is recorded correctly in the TEXASR. Also the user may
++ * change these outside of a transaction, so they must always be
++ * context switched.
++ */
++ mfspr r5, SPRN_TFHAR
++ mfspr r6, SPRN_TFIAR
++ mfspr r7, SPRN_TEXASR
++ std r5, VCPU_TFHAR(r9)
++ std r6, VCPU_TFIAR(r9)
++ std r7, VCPU_TEXASR(r9)
++
++ ld r0, PPC_LR_STKOFF(r1)
++ mtlr r0
++ blr
++
++/*
++ * Restore transactional state and TM-related registers.
++ * Called with r4 pointing to the vcpu struct.
++ * This potentially modifies all checkpointed registers.
++ * It restores r1, r2, r4 from the PACA.
++ */
++kvmppc_restore_tm:
++ mflr r0
++ std r0, PPC_LR_STKOFF(r1)
++
++ /* Turn on TM/FP/VSX/VMX so we can restore them. */
++ mfmsr r5
++ li r6, MSR_TM >> 32
++ sldi r6, r6, 32
++ or r5, r5, r6
++ ori r5, r5, MSR_FP
++ oris r5, r5, (MSR_VEC | MSR_VSX)@h
++ mtmsrd r5
++
++ /*
++ * The user may change these outside of a transaction, so they must
++ * always be context switched.
++ */
++ ld r5, VCPU_TFHAR(r4)
++ ld r6, VCPU_TFIAR(r4)
++ ld r7, VCPU_TEXASR(r4)
++ mtspr SPRN_TFHAR, r5
++ mtspr SPRN_TFIAR, r6
++ mtspr SPRN_TEXASR, r7
++
++ ld r5, VCPU_MSR(r4)
++ rldicl. r5, r5, 64 - MSR_TS_S_LG, 62
++ beqlr /* TM not active in guest */
++ std r1, HSTATE_HOST_R1(r13)
++
++ /* Make sure the failure summary is set, otherwise we'll program check
++ * when we trechkpt. It's possible that this might have been not set
++ * on a kvmppc_set_one_reg() call but we shouldn't let this crash the
++ * host.
++ */
++ oris r7, r7, (TEXASR_FS)@h
++ mtspr SPRN_TEXASR, r7
++
++ /*
++ * We need to load up the checkpointed state for the guest.
++ * We need to do this early as it will blow away any GPRs, VSRs and
++ * some SPRs.
++ */
++
++ mr r31, r4
++ addi r3, r31, VCPU_FPRS_TM
++ bl load_fp_state
++ addi r3, r31, VCPU_VRS_TM
++ bl load_vr_state
++ mr r4, r31
++ lwz r7, VCPU_VRSAVE_TM(r4)
++ mtspr SPRN_VRSAVE, r7
++
++ ld r5, VCPU_LR_TM(r4)
++ lwz r6, VCPU_CR_TM(r4)
++ ld r7, VCPU_CTR_TM(r4)
++ ld r8, VCPU_AMR_TM(r4)
++ ld r9, VCPU_TAR_TM(r4)
++ mtlr r5
++ mtcr r6
++ mtctr r7
++ mtspr SPRN_AMR, r8
++ mtspr SPRN_TAR, r9
++
++ /*
++ * Load up PPR and DSCR values but don't put them in the actual SPRs
++ * till the last moment to avoid running with userspace PPR and DSCR for
++ * too long.
++ */
++ ld r29, VCPU_DSCR_TM(r4)
++ ld r30, VCPU_PPR_TM(r4)
++
++ std r2, PACATMSCRATCH(r13) /* Save TOC */
++
++ /* Clear the MSR RI since r1, r13 are all going to be foobar. */
++ li r5, 0
++ mtmsrd r5, 1
++
++ /* Load GPRs r0-r28 */
++ reg = 0
++ .rept 29
++ ld reg, VCPU_GPRS_TM(reg)(r31)
++ reg = reg + 1
++ .endr
++
++ mtspr SPRN_DSCR, r29
++ mtspr SPRN_PPR, r30
++
++ /* Load final GPRs */
++ ld 29, VCPU_GPRS_TM(29)(r31)
++ ld 30, VCPU_GPRS_TM(30)(r31)
++ ld 31, VCPU_GPRS_TM(31)(r31)
++
++ /* TM checkpointed state is now setup. All GPRs are now volatile. */
++ TRECHKPT
++
++ /* Now let's get back the state we need. */
++ HMT_MEDIUM
++ GET_PACA(r13)
++ ld r29, HSTATE_DSCR(r13)
++ mtspr SPRN_DSCR, r29
++ ld r4, HSTATE_KVM_VCPU(r13)
++ ld r1, HSTATE_HOST_R1(r13)
++ ld r2, PACATMSCRATCH(r13)
++
++ /* Set the MSR RI since we have our registers back. */
++ li r5, MSR_RI
++ mtmsrd r5, 1
++
++ ld r0, PPC_LR_STKOFF(r1)
++ mtlr r0
++ blr
++#endif
++
+ /*
+ * We come here if we get any exception or interrupt while we are
+ * executing host real mode code while in guest MMU context.
+diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h
+index 18d2beb..42b968a8 100644
+--- a/arch/s390/include/asm/pgtable.h
++++ b/arch/s390/include/asm/pgtable.h
+@@ -893,7 +893,7 @@ void ptep_zap_key(struct mm_struct *mm, unsigned long addr, pte_t *ptep);
+ bool test_and_clear_guest_dirty(struct mm_struct *mm, unsigned long address);
+ int set_guest_storage_key(struct mm_struct *mm, unsigned long addr,
+ unsigned char key, bool nq);
+-unsigned char get_guest_storage_key(struct mm_struct *mm, unsigned long addr);
++unsigned long get_guest_storage_key(struct mm_struct *mm, unsigned long addr);
+
+ /*
+ * Certain architectures need to do special things when PTEs
+diff --git a/arch/s390/include/asm/tlbflush.h b/arch/s390/include/asm/tlbflush.h
+index a2e6ef3..0a20316 100644
+--- a/arch/s390/include/asm/tlbflush.h
++++ b/arch/s390/include/asm/tlbflush.h
+@@ -81,7 +81,8 @@ static inline void __tlb_flush_full(struct mm_struct *mm)
+ }
+
+ /*
+- * Flush TLB entries for a specific ASCE on all CPUs.
++ * Flush TLB entries for a specific ASCE on all CPUs. Should never be used
++ * when more than one asce (e.g. gmap) ran on this mm.
+ */
+ static inline void __tlb_flush_asce(struct mm_struct *mm, unsigned long asce)
+ {
+diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
+index cace818..313c3b8 100644
+--- a/arch/s390/mm/gmap.c
++++ b/arch/s390/mm/gmap.c
+@@ -85,7 +85,7 @@ EXPORT_SYMBOL_GPL(gmap_alloc);
+ static void gmap_flush_tlb(struct gmap *gmap)
+ {
+ if (MACHINE_HAS_IDTE)
+- __tlb_flush_asce(gmap->mm, gmap->asce);
++ __tlb_flush_idte(gmap->asce);
+ else
+ __tlb_flush_global();
+ }
+@@ -124,7 +124,7 @@ void gmap_free(struct gmap *gmap)
+
+ /* Flush tlb. */
+ if (MACHINE_HAS_IDTE)
+- __tlb_flush_asce(gmap->mm, gmap->asce);
++ __tlb_flush_idte(gmap->asce);
+ else
+ __tlb_flush_global();
+
+diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c
+index 9f0ce0e..ebb4f87 100644
+--- a/arch/s390/mm/pgtable.c
++++ b/arch/s390/mm/pgtable.c
+@@ -543,7 +543,7 @@ int set_guest_storage_key(struct mm_struct *mm, unsigned long addr,
+ }
+ EXPORT_SYMBOL(set_guest_storage_key);
+
+-unsigned char get_guest_storage_key(struct mm_struct *mm, unsigned long addr)
++unsigned long get_guest_storage_key(struct mm_struct *mm, unsigned long addr)
+ {
+ unsigned char key;
+ spinlock_t *ptl;
+diff --git a/arch/um/os-Linux/signal.c b/arch/um/os-Linux/signal.c
+index 8acaf4e..a86d7cc 100644
+--- a/arch/um/os-Linux/signal.c
++++ b/arch/um/os-Linux/signal.c
+@@ -15,6 +15,7 @@
+ #include <kern_util.h>
+ #include <os.h>
+ #include <sysdep/mcontext.h>
++#include <um_malloc.h>
+
+ void (*sig_info[NSIG])(int, struct siginfo *, struct uml_pt_regs *) = {
+ [SIGTRAP] = relay_signal,
+@@ -32,7 +33,7 @@ static void sig_handler_common(int sig, struct siginfo *si, mcontext_t *mc)
+ struct uml_pt_regs *r;
+ int save_errno = errno;
+
+- r = malloc(sizeof(struct uml_pt_regs));
++ r = uml_kmalloc(sizeof(struct uml_pt_regs), UM_GFP_ATOMIC);
+ if (!r)
+ panic("out of memory");
+
+@@ -91,7 +92,7 @@ static void timer_real_alarm_handler(mcontext_t *mc)
+ {
+ struct uml_pt_regs *regs;
+
+- regs = malloc(sizeof(struct uml_pt_regs));
++ regs = uml_kmalloc(sizeof(struct uml_pt_regs), UM_GFP_ATOMIC);
+ if (!regs)
+ panic("out of memory");
+
+diff --git a/arch/unicore32/include/asm/mmu_context.h b/arch/unicore32/include/asm/mmu_context.h
+index e35632e..62dfc64 100644
+--- a/arch/unicore32/include/asm/mmu_context.h
++++ b/arch/unicore32/include/asm/mmu_context.h
+@@ -98,7 +98,7 @@ static inline void arch_bprm_mm_init(struct mm_struct *mm,
+ }
+
+ static inline bool arch_vma_access_permitted(struct vm_area_struct *vma,
+- bool write, bool foreign)
++ bool write, bool execute, bool foreign)
+ {
+ /* by default, allow everything */
+ return true;
+diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
+index 874e8bd..bd136ac 100644
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -2546,7 +2546,7 @@ void hswep_uncore_cpu_init(void)
+
+ static struct intel_uncore_type hswep_uncore_ha = {
+ .name = "ha",
+- .num_counters = 5,
++ .num_counters = 4,
+ .num_boxes = 2,
+ .perf_ctr_bits = 48,
+ SNBEP_UNCORE_PCI_COMMON_INIT(),
+@@ -2565,7 +2565,7 @@ static struct uncore_event_desc hswep_uncore_imc_events[] = {
+
+ static struct intel_uncore_type hswep_uncore_imc = {
+ .name = "imc",
+- .num_counters = 5,
++ .num_counters = 4,
+ .num_boxes = 8,
+ .perf_ctr_bits = 48,
+ .fixed_ctr_bits = 48,
+@@ -2611,7 +2611,7 @@ static struct intel_uncore_type hswep_uncore_irp = {
+
+ static struct intel_uncore_type hswep_uncore_qpi = {
+ .name = "qpi",
+- .num_counters = 5,
++ .num_counters = 4,
+ .num_boxes = 3,
+ .perf_ctr_bits = 48,
+ .perf_ctr = SNBEP_PCI_PMON_CTR0,
+@@ -2693,7 +2693,7 @@ static struct event_constraint hswep_uncore_r3qpi_constraints[] = {
+
+ static struct intel_uncore_type hswep_uncore_r3qpi = {
+ .name = "r3qpi",
+- .num_counters = 4,
++ .num_counters = 3,
+ .num_boxes = 3,
+ .perf_ctr_bits = 44,
+ .constraints = hswep_uncore_r3qpi_constraints,
+@@ -2892,7 +2892,7 @@ static struct intel_uncore_type bdx_uncore_ha = {
+
+ static struct intel_uncore_type bdx_uncore_imc = {
+ .name = "imc",
+- .num_counters = 5,
++ .num_counters = 4,
+ .num_boxes = 8,
+ .perf_ctr_bits = 48,
+ .fixed_ctr_bits = 48,
+diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
+index c146f3c..0149ac5 100644
+--- a/arch/x86/kvm/mtrr.c
++++ b/arch/x86/kvm/mtrr.c
+@@ -539,6 +539,7 @@ static void mtrr_lookup_var_start(struct mtrr_iter *iter)
+
+ iter->fixed = false;
+ iter->start_max = iter->start;
++ iter->range = NULL;
+ iter->range = list_prepare_entry(iter->range, &mtrr_state->head, node);
+
+ __mtrr_lookup_var_next(iter);
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 64a79f2..8326d68 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -8224,6 +8224,7 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu)
+ if ((vectoring_info & VECTORING_INFO_VALID_MASK) &&
+ (exit_reason != EXIT_REASON_EXCEPTION_NMI &&
+ exit_reason != EXIT_REASON_EPT_VIOLATION &&
++ exit_reason != EXIT_REASON_PML_FULL &&
+ exit_reason != EXIT_REASON_TASK_SWITCH)) {
+ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_DELIVERY_EV;
+@@ -8854,6 +8855,22 @@ static void vmx_load_vmcs01(struct kvm_vcpu *vcpu)
+ put_cpu();
+ }
+
++/*
++ * Ensure that the current vmcs of the logical processor is the
++ * vmcs01 of the vcpu before calling free_nested().
++ */
++static void vmx_free_vcpu_nested(struct kvm_vcpu *vcpu)
++{
++ struct vcpu_vmx *vmx = to_vmx(vcpu);
++ int r;
++
++ r = vcpu_load(vcpu);
++ BUG_ON(r);
++ vmx_load_vmcs01(vcpu);
++ free_nested(vmx);
++ vcpu_put(vcpu);
++}
++
+ static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
+ {
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+@@ -8862,8 +8879,7 @@ static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
+ vmx_destroy_pml_buffer(vmx);
+ free_vpid(vmx->vpid);
+ leave_guest_mode(vcpu);
+- vmx_load_vmcs01(vcpu);
+- free_nested(vmx);
++ vmx_free_vcpu_nested(vcpu);
+ free_loaded_vmcs(vmx->loaded_vmcs);
+ kfree(vmx->guest_msrs);
+ kvm_vcpu_uninit(vcpu);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 7da5dd2..fea2c57 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -91,6 +91,7 @@ static u64 __read_mostly efer_reserved_bits = ~((u64)EFER_SCE);
+
+ static void update_cr8_intercept(struct kvm_vcpu *vcpu);
+ static void process_nmi(struct kvm_vcpu *vcpu);
++static void process_smi(struct kvm_vcpu *vcpu);
+ static void __kvm_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags);
+
+ struct kvm_x86_ops *kvm_x86_ops __read_mostly;
+@@ -5296,13 +5297,8 @@ static void kvm_smm_changed(struct kvm_vcpu *vcpu)
+ /* This is a good place to trace that we are exiting SMM. */
+ trace_kvm_enter_smm(vcpu->vcpu_id, vcpu->arch.smbase, false);
+
+- if (unlikely(vcpu->arch.smi_pending)) {
+- kvm_make_request(KVM_REQ_SMI, vcpu);
+- vcpu->arch.smi_pending = 0;
+- } else {
+- /* Process a latched INIT, if any. */
+- kvm_make_request(KVM_REQ_EVENT, vcpu);
+- }
++ /* Process a latched INIT or SMI, if any. */
++ kvm_make_request(KVM_REQ_EVENT, vcpu);
+ }
+
+ kvm_mmu_reset_context(vcpu);
+@@ -6102,7 +6098,10 @@ static int inject_pending_event(struct kvm_vcpu *vcpu, bool req_int_win)
+ }
+
+ /* try to inject new event if pending */
+- if (vcpu->arch.nmi_pending && kvm_x86_ops->nmi_allowed(vcpu)) {
++ if (vcpu->arch.smi_pending && !is_smm(vcpu)) {
++ vcpu->arch.smi_pending = false;
++ process_smi(vcpu);
++ } else if (vcpu->arch.nmi_pending && kvm_x86_ops->nmi_allowed(vcpu)) {
+ --vcpu->arch.nmi_pending;
+ vcpu->arch.nmi_injected = true;
+ kvm_x86_ops->set_nmi(vcpu);
+@@ -6312,11 +6311,6 @@ static void process_smi(struct kvm_vcpu *vcpu)
+ char buf[512];
+ u32 cr0;
+
+- if (is_smm(vcpu)) {
+- vcpu->arch.smi_pending = true;
+- return;
+- }
+-
+ trace_kvm_enter_smm(vcpu->vcpu_id, vcpu->arch.smbase, true);
+ vcpu->arch.hflags |= HF_SMM_MASK;
+ memset(buf, 0, 512);
+@@ -6379,6 +6373,12 @@ static void process_smi(struct kvm_vcpu *vcpu)
+ kvm_mmu_reset_context(vcpu);
+ }
+
++static void process_smi_request(struct kvm_vcpu *vcpu)
++{
++ vcpu->arch.smi_pending = true;
++ kvm_make_request(KVM_REQ_EVENT, vcpu);
++}
++
+ void kvm_make_scan_ioapic_request(struct kvm *kvm)
+ {
+ kvm_make_all_cpus_request(kvm, KVM_REQ_SCAN_IOAPIC);
+@@ -6500,7 +6500,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
+ if (kvm_check_request(KVM_REQ_STEAL_UPDATE, vcpu))
+ record_steal_time(vcpu);
+ if (kvm_check_request(KVM_REQ_SMI, vcpu))
+- process_smi(vcpu);
++ process_smi_request(vcpu);
+ if (kvm_check_request(KVM_REQ_NMI, vcpu))
+ process_nmi(vcpu);
+ if (kvm_check_request(KVM_REQ_PMU, vcpu))
+@@ -6573,8 +6573,18 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
+
+ if (inject_pending_event(vcpu, req_int_win) != 0)
+ req_immediate_exit = true;
+- /* enable NMI/IRQ window open exits if needed */
+ else {
++ /* Enable NMI/IRQ window open exits if needed.
++ *
++ * SMIs have two cases: 1) they can be nested, and
++ * then there is nothing to do here because RSM will
++ * cause a vmexit anyway; 2) or the SMI can be pending
++ * because inject_pending_event has completed the
++ * injection of an IRQ or NMI from the previous vmexit,
++ * and then we request an immediate exit to inject the SMI.
++ */
++ if (vcpu->arch.smi_pending && !is_smm(vcpu))
++ req_immediate_exit = true;
+ if (vcpu->arch.nmi_pending)
+ kvm_x86_ops->enable_nmi_window(vcpu);
+ if (kvm_cpu_has_injectable_intr(vcpu) || req_int_win)
+@@ -6625,8 +6635,10 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
+
+ kvm_load_guest_xcr0(vcpu);
+
+- if (req_immediate_exit)
++ if (req_immediate_exit) {
++ kvm_make_request(KVM_REQ_EVENT, vcpu);
+ smp_send_reschedule(vcpu->cpu);
++ }
+
+ trace_kvm_entry(vcpu->vcpu_id);
+ wait_lapic_expire(vcpu);
+@@ -7427,6 +7439,7 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
+ {
+ vcpu->arch.hflags = 0;
+
++ vcpu->arch.smi_pending = 0;
+ atomic_set(&vcpu->arch.nmi_queued, 0);
+ vcpu->arch.nmi_pending = 0;
+ vcpu->arch.nmi_injected = false;
+diff --git a/arch/x86/pci/intel_mid_pci.c b/arch/x86/pci/intel_mid_pci.c
+index 8b93e63..ae97f24 100644
+--- a/arch/x86/pci/intel_mid_pci.c
++++ b/arch/x86/pci/intel_mid_pci.c
+@@ -37,6 +37,7 @@
+
+ /* Quirks for the listed devices */
+ #define PCI_DEVICE_ID_INTEL_MRFL_MMC 0x1190
++#define PCI_DEVICE_ID_INTEL_MRFL_HSU 0x1191
+
+ /* Fixed BAR fields */
+ #define PCIE_VNDR_CAP_ID_FIXED_BAR 0x00 /* Fixed BAR (TBD) */
+@@ -225,13 +226,20 @@ static int intel_mid_pci_irq_enable(struct pci_dev *dev)
+ /* Special treatment for IRQ0 */
+ if (dev->irq == 0) {
+ /*
++ * Skip HS UART common registers device since it has
++ * IRQ0 assigned and not used by the kernel.
++ */
++ if (dev->device == PCI_DEVICE_ID_INTEL_MRFL_HSU)
++ return -EBUSY;
++ /*
+ * TNG has IRQ0 assigned to eMMC controller. But there
+ * are also other devices with bogus PCI configuration
+ * that have IRQ0 assigned. This check ensures that
+- * eMMC gets it.
++ * eMMC gets it. The rest of devices still could be
++ * enabled without interrupt line being allocated.
+ */
+ if (dev->device != PCI_DEVICE_ID_INTEL_MRFL_MMC)
+- return -EBUSY;
++ return 0;
+ }
+ break;
+ default:
+diff --git a/block/bio.c b/block/bio.c
+index 0e4aa42..4623869 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -579,6 +579,8 @@ void __bio_clone_fast(struct bio *bio, struct bio *bio_src)
+ bio->bi_rw = bio_src->bi_rw;
+ bio->bi_iter = bio_src->bi_iter;
+ bio->bi_io_vec = bio_src->bi_io_vec;
++
++ bio_clone_blkcg_association(bio, bio_src);
+ }
+ EXPORT_SYMBOL(__bio_clone_fast);
+
+@@ -684,6 +686,8 @@ integrity_clone:
+ }
+ }
+
++ bio_clone_blkcg_association(bio, bio_src);
++
+ return bio;
+ }
+ EXPORT_SYMBOL(bio_clone_bioset);
+@@ -2005,6 +2009,17 @@ void bio_disassociate_task(struct bio *bio)
+ }
+ }
+
++/**
++ * bio_clone_blkcg_association - clone blkcg association from src to dst bio
++ * @dst: destination bio
++ * @src: source bio
++ */
++void bio_clone_blkcg_association(struct bio *dst, struct bio *src)
++{
++ if (src->bi_css)
++ WARN_ON(bio_associate_blkcg(dst, src->bi_css));
++}
++
+ #endif /* CONFIG_BLK_CGROUP */
+
+ static void __init biovec_init_slabs(void)
+diff --git a/block/genhd.c b/block/genhd.c
+index 3eebd25..086f1a3 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -613,7 +613,7 @@ void add_disk(struct gendisk *disk)
+
+ /* Register BDI before referencing it from bdev */
+ bdi = &disk->queue->backing_dev_info;
+- bdi_register_dev(bdi, disk_devt(disk));
++ bdi_register_owner(bdi, disk_to_dev(disk));
+
+ blk_register_region(disk_devt(disk), disk->minors, NULL,
+ exact_match, exact_lock, disk);
+diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
+index 290d6f5..f4218df 100644
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -101,6 +101,7 @@ enum ec_command {
+ #define ACPI_EC_UDELAY_POLL 550 /* Wait 1ms for EC transaction polling */
+ #define ACPI_EC_CLEAR_MAX 100 /* Maximum number of events to query
+ * when trying to clear the EC */
++#define ACPI_EC_MAX_QUERIES 16 /* Maximum number of parallel queries */
+
+ enum {
+ EC_FLAGS_QUERY_PENDING, /* Query is pending */
+@@ -121,6 +122,10 @@ static unsigned int ec_delay __read_mostly = ACPI_EC_DELAY;
+ module_param(ec_delay, uint, 0644);
+ MODULE_PARM_DESC(ec_delay, "Timeout(ms) waited until an EC command completes");
+
++static unsigned int ec_max_queries __read_mostly = ACPI_EC_MAX_QUERIES;
++module_param(ec_max_queries, uint, 0644);
++MODULE_PARM_DESC(ec_max_queries, "Maximum parallel _Qxx evaluations");
++
+ static bool ec_busy_polling __read_mostly;
+ module_param(ec_busy_polling, bool, 0644);
+ MODULE_PARM_DESC(ec_busy_polling, "Use busy polling to advance EC transaction");
+@@ -174,6 +179,7 @@ static void acpi_ec_event_processor(struct work_struct *work);
+
+ struct acpi_ec *boot_ec, *first_ec;
+ EXPORT_SYMBOL(first_ec);
++static struct workqueue_struct *ec_query_wq;
+
+ static int EC_FLAGS_CLEAR_ON_RESUME; /* Needs acpi_ec_clear() on boot/resume */
+ static int EC_FLAGS_QUERY_HANDSHAKE; /* Needs QR_EC issued when SCI_EVT set */
+@@ -1098,7 +1104,7 @@ static int acpi_ec_query(struct acpi_ec *ec, u8 *data)
+ * work queue execution.
+ */
+ ec_dbg_evt("Query(0x%02x) scheduled", value);
+- if (!schedule_work(&q->work)) {
++ if (!queue_work(ec_query_wq, &q->work)) {
+ ec_dbg_evt("Query(0x%02x) overlapped", value);
+ result = -EBUSY;
+ }
+@@ -1660,15 +1666,41 @@ static struct acpi_driver acpi_ec_driver = {
+ },
+ };
+
++static inline int acpi_ec_query_init(void)
++{
++ if (!ec_query_wq) {
++ ec_query_wq = alloc_workqueue("kec_query", 0,
++ ec_max_queries);
++ if (!ec_query_wq)
++ return -ENODEV;
++ }
++ return 0;
++}
++
++static inline void acpi_ec_query_exit(void)
++{
++ if (ec_query_wq) {
++ destroy_workqueue(ec_query_wq);
++ ec_query_wq = NULL;
++ }
++}
++
+ int __init acpi_ec_init(void)
+ {
+- int result = 0;
++ int result;
+
++ /* register workqueue for _Qxx evaluations */
++ result = acpi_ec_query_init();
++ if (result)
++ goto err_exit;
+ /* Now register the driver for the EC */
+ result = acpi_bus_register_driver(&acpi_ec_driver);
+- if (result < 0)
+- return -ENODEV;
++ if (result)
++ goto err_exit;
+
++err_exit:
++ if (result)
++ acpi_ec_query_exit();
+ return result;
+ }
+
+@@ -1678,5 +1710,6 @@ static void __exit acpi_ec_exit(void)
+ {
+
+ acpi_bus_unregister_driver(&acpi_ec_driver);
++ acpi_ec_query_exit();
+ }
+ #endif /* 0 */
+diff --git a/drivers/bcma/host_pci.c b/drivers/bcma/host_pci.c
+index cae5385..bd46569 100644
+--- a/drivers/bcma/host_pci.c
++++ b/drivers/bcma/host_pci.c
+@@ -295,6 +295,7 @@ static const struct pci_device_id bcma_pci_bridge_tbl[] = {
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4359) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4360) },
+ { PCI_DEVICE_SUB(PCI_VENDOR_ID_BROADCOM, 0x4365, PCI_VENDOR_ID_DELL, 0x0016) },
++ { PCI_DEVICE_SUB(PCI_VENDOR_ID_BROADCOM, 0x4365, PCI_VENDOR_ID_FOXCONN, 0xe092) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x43a0) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x43a9) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x43aa) },
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 84708a5..a1dcf12 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3663,11 +3663,6 @@ static int floppy_open(struct block_device *bdev, fmode_t mode)
+
+ opened_bdev[drive] = bdev;
+
+- if (!(mode & (FMODE_READ|FMODE_WRITE))) {
+- res = -EINVAL;
+- goto out;
+- }
+-
+ res = -ENXIO;
+
+ if (!floppy_track_buffer) {
+@@ -3711,13 +3706,15 @@ static int floppy_open(struct block_device *bdev, fmode_t mode)
+ if (UFDCS->rawcmd == 1)
+ UFDCS->rawcmd = 2;
+
+- UDRS->last_checked = 0;
+- clear_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags);
+- check_disk_change(bdev);
+- if (test_bit(FD_DISK_CHANGED_BIT, &UDRS->flags))
+- goto out;
+- if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags))
+- goto out;
++ if (mode & (FMODE_READ|FMODE_WRITE)) {
++ UDRS->last_checked = 0;
++ clear_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags);
++ check_disk_change(bdev);
++ if (test_bit(FD_DISK_CHANGED_BIT, &UDRS->flags))
++ goto out;
++ if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags))
++ goto out;
++ }
+
+ res = -EROFS;
+
+diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
+index 2589468..fadba88 100644
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -123,6 +123,7 @@ static const struct usb_device_id ath3k_table[] = {
+ { USB_DEVICE(0x13d3, 0x3472) },
+ { USB_DEVICE(0x13d3, 0x3474) },
+ { USB_DEVICE(0x13d3, 0x3487) },
++ { USB_DEVICE(0x13d3, 0x3490) },
+
+ /* Atheros AR5BBU12 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xE02C) },
+@@ -190,6 +191,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
+ { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
+
+ /* Atheros AR5BBU22 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index a3be65e..9f40c34 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -237,6 +237,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
+
+ /* Atheros AR5BBU12 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 87ab9f6..d72c6d1 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -949,6 +949,7 @@ void add_interrupt_randomness(int irq, int irq_flags)
+ /* award one bit for the contents of the fast pool */
+ credit_entropy_bits(r, credit + 1);
+ }
++EXPORT_SYMBOL_GPL(add_interrupt_randomness);
+
+ #ifdef CONFIG_BLOCK
+ void add_disk_randomness(struct gendisk *disk)
+@@ -1461,12 +1462,16 @@ random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
+ static ssize_t
+ urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
+ {
++ static int maxwarn = 10;
+ int ret;
+
+- if (unlikely(nonblocking_pool.initialized == 0))
+- printk_once(KERN_NOTICE "random: %s urandom read "
+- "with %d bits of entropy available\n",
+- current->comm, nonblocking_pool.entropy_total);
++ if (unlikely(nonblocking_pool.initialized == 0) &&
++ maxwarn > 0) {
++ maxwarn--;
++ printk(KERN_NOTICE "random: %s: uninitialized urandom read "
++ "(%zd bytes read, %d bits of entropy available)\n",
++ current->comm, nbytes, nonblocking_pool.entropy_total);
++ }
+
+ nbytes = min_t(size_t, nbytes, INT_MAX >> (ENTROPY_SHIFT + 3));
+ ret = extract_entropy_user(&nonblocking_pool, buf, nbytes);
+@@ -1774,13 +1779,15 @@ int random_int_secret_init(void)
+ return 0;
+ }
+
++static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash)
++ __aligned(sizeof(unsigned long));
++
+ /*
+ * Get a random word for internal kernel use only. Similar to urandom but
+ * with the goal of minimal entropy pool depletion. As a result, the random
+ * value is not cryptographically secure but for several uses the cost of
+ * depleting entropy is too high
+ */
+-static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash);
+ unsigned int get_random_int(void)
+ {
+ __u32 *hash;
+@@ -1850,12 +1857,18 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
+ {
+ struct entropy_store *poolp = &input_pool;
+
+- /* Suspend writing if we're above the trickle threshold.
+- * We'll be woken up again once below random_write_wakeup_thresh,
+- * or when the calling thread is about to terminate.
+- */
+- wait_event_interruptible(random_write_wait, kthread_should_stop() ||
++ if (unlikely(nonblocking_pool.initialized == 0))
++ poolp = &nonblocking_pool;
++ else {
++ /* Suspend writing if we're above the trickle
++ * threshold. We'll be woken up again once below
++ * random_write_wakeup_thresh, or when the calling
++ * thread is about to terminate.
++ */
++ wait_event_interruptible(random_write_wait,
++ kthread_should_stop() ||
+ ENTROPY_BITS(&input_pool) <= random_write_wakeup_bits);
++ }
+ mix_pool_bytes(poolp, buffer, count);
+ credit_entropy_bits(poolp, entropy);
+ }
+diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
+index a12b319..e9fd1d8 100644
+--- a/drivers/char/tpm/tpm_crb.c
++++ b/drivers/char/tpm/tpm_crb.c
+@@ -246,7 +246,7 @@ static void __iomem *crb_map_res(struct device *dev, struct crb_priv *priv,
+
+ /* Detect a 64 bit address on a 32 bit system */
+ if (start != new_res.start)
+- return ERR_PTR(-EINVAL);
++ return (void __iomem *) ERR_PTR(-EINVAL);
+
+ if (!resource_contains(&priv->res, &new_res))
+ return devm_ioremap_resource(dev, &new_res);
+diff --git a/drivers/clk/rockchip/clk-rk3399.c b/drivers/clk/rockchip/clk-rk3399.c
+index 8059a8d..31b77f7 100644
+--- a/drivers/clk/rockchip/clk-rk3399.c
++++ b/drivers/clk/rockchip/clk-rk3399.c
+@@ -586,7 +586,7 @@ static struct rockchip_clk_branch rk3399_clk_branches[] __initdata = {
+ RK3399_CLKGATE_CON(8), 15, GFLAGS),
+
+ COMPOSITE(SCLK_SPDIF_REC_DPTX, "clk_spdif_rec_dptx", mux_pll_src_cpll_gpll_p, 0,
+- RK3399_CLKSEL_CON(32), 15, 1, MFLAGS, 0, 5, DFLAGS,
++ RK3399_CLKSEL_CON(32), 15, 1, MFLAGS, 8, 5, DFLAGS,
+ RK3399_CLKGATE_CON(10), 6, GFLAGS),
+ /* i2s */
+ COMPOSITE(0, "clk_i2s0_div", mux_pll_src_cpll_gpll_p, 0,
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index 1fa1a32..1b15917 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -944,7 +944,7 @@ static int core_get_max_pstate(void)
+ if (err)
+ goto skip_tar;
+
+- tdp_msr = MSR_CONFIG_TDP_NOMINAL + tdp_ctrl;
++ tdp_msr = MSR_CONFIG_TDP_NOMINAL + (tdp_ctrl & 0x3);
+ err = rdmsrl_safe(tdp_msr, &tdp_ratio);
+ if (err)
+ goto skip_tar;
+diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
+index 10c305b..4e0f8e7 100644
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -313,7 +313,6 @@ static struct device_type csrow_attr_type = {
+ * possible dynamic channel DIMM Label attribute files
+ *
+ */
+-
+ DEVICE_CHANNEL(ch0_dimm_label, S_IRUGO | S_IWUSR,
+ channel_dimm_label_show, channel_dimm_label_store, 0);
+ DEVICE_CHANNEL(ch1_dimm_label, S_IRUGO | S_IWUSR,
+@@ -326,6 +325,10 @@ DEVICE_CHANNEL(ch4_dimm_label, S_IRUGO | S_IWUSR,
+ channel_dimm_label_show, channel_dimm_label_store, 4);
+ DEVICE_CHANNEL(ch5_dimm_label, S_IRUGO | S_IWUSR,
+ channel_dimm_label_show, channel_dimm_label_store, 5);
++DEVICE_CHANNEL(ch6_dimm_label, S_IRUGO | S_IWUSR,
++ channel_dimm_label_show, channel_dimm_label_store, 6);
++DEVICE_CHANNEL(ch7_dimm_label, S_IRUGO | S_IWUSR,
++ channel_dimm_label_show, channel_dimm_label_store, 7);
+
+ /* Total possible dynamic DIMM Label attribute file table */
+ static struct attribute *dynamic_csrow_dimm_attr[] = {
+@@ -335,6 +338,8 @@ static struct attribute *dynamic_csrow_dimm_attr[] = {
+ &dev_attr_legacy_ch3_dimm_label.attr.attr,
+ &dev_attr_legacy_ch4_dimm_label.attr.attr,
+ &dev_attr_legacy_ch5_dimm_label.attr.attr,
++ &dev_attr_legacy_ch6_dimm_label.attr.attr,
++ &dev_attr_legacy_ch7_dimm_label.attr.attr,
+ NULL
+ };
+
+@@ -351,6 +356,10 @@ DEVICE_CHANNEL(ch4_ce_count, S_IRUGO,
+ channel_ce_count_show, NULL, 4);
+ DEVICE_CHANNEL(ch5_ce_count, S_IRUGO,
+ channel_ce_count_show, NULL, 5);
++DEVICE_CHANNEL(ch6_ce_count, S_IRUGO,
++ channel_ce_count_show, NULL, 6);
++DEVICE_CHANNEL(ch7_ce_count, S_IRUGO,
++ channel_ce_count_show, NULL, 7);
+
+ /* Total possible dynamic ce_count attribute file table */
+ static struct attribute *dynamic_csrow_ce_count_attr[] = {
+@@ -360,6 +369,8 @@ static struct attribute *dynamic_csrow_ce_count_attr[] = {
+ &dev_attr_legacy_ch3_ce_count.attr.attr,
+ &dev_attr_legacy_ch4_ce_count.attr.attr,
+ &dev_attr_legacy_ch5_ce_count.attr.attr,
++ &dev_attr_legacy_ch6_ce_count.attr.attr,
++ &dev_attr_legacy_ch7_ce_count.attr.attr,
+ NULL
+ };
+
+@@ -371,9 +382,16 @@ static umode_t csrow_dev_is_visible(struct kobject *kobj,
+
+ if (idx >= csrow->nr_channels)
+ return 0;
++
++ if (idx >= ARRAY_SIZE(dynamic_csrow_ce_count_attr) - 1) {
++ WARN_ONCE(1, "idx: %d\n", idx);
++ return 0;
++ }
++
+ /* Only expose populated DIMMs */
+ if (!csrow->channels[idx]->dimm->nr_pages)
+ return 0;
++
+ return attr->mode;
+ }
+
+diff --git a/drivers/gpio/gpio-intel-mid.c b/drivers/gpio/gpio-intel-mid.c
+index cdaba13..c0f7cce 100644
+--- a/drivers/gpio/gpio-intel-mid.c
++++ b/drivers/gpio/gpio-intel-mid.c
+@@ -17,7 +17,6 @@
+ * Moorestown platform Langwell chip.
+ * Medfield platform Penwell chip.
+ * Clovertrail platform Cloverview chip.
+- * Merrifield platform Tangier chip.
+ */
+
+ #include <linux/module.h>
+@@ -64,10 +63,6 @@ enum GPIO_REG {
+ /* intel_mid gpio driver data */
+ struct intel_mid_gpio_ddata {
+ u16 ngpio; /* number of gpio pins */
+- u32 gplr_offset; /* offset of first GPLR register from base */
+- u32 flis_base; /* base address of FLIS registers */
+- u32 flis_len; /* length of FLIS registers */
+- u32 (*get_flis_offset)(int gpio);
+ u32 chip_irq_type; /* chip interrupt type */
+ };
+
+@@ -252,15 +247,6 @@ static const struct intel_mid_gpio_ddata gpio_cloverview_core = {
+ .chip_irq_type = INTEL_MID_IRQ_TYPE_EDGE,
+ };
+
+-static const struct intel_mid_gpio_ddata gpio_tangier = {
+- .ngpio = 192,
+- .gplr_offset = 4,
+- .flis_base = 0xff0c0000,
+- .flis_len = 0x8000,
+- .get_flis_offset = NULL,
+- .chip_irq_type = INTEL_MID_IRQ_TYPE_EDGE,
+-};
+-
+ static const struct pci_device_id intel_gpio_ids[] = {
+ {
+ /* Lincroft */
+@@ -287,11 +273,6 @@ static const struct pci_device_id intel_gpio_ids[] = {
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x08f7),
+ .driver_data = (kernel_ulong_t)&gpio_cloverview_core,
+ },
+- {
+- /* Tangier */
+- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x1199),
+- .driver_data = (kernel_ulong_t)&gpio_tangier,
+- },
+ { 0 }
+ };
+ MODULE_DEVICE_TABLE(pci, intel_gpio_ids);
+@@ -401,7 +382,7 @@ static int intel_gpio_probe(struct pci_dev *pdev,
+ spin_lock_init(&priv->lock);
+
+ pci_set_drvdata(pdev, priv);
+- retval = gpiochip_add_data(&priv->chip, priv);
++ retval = devm_gpiochip_add_data(&pdev->dev, &priv->chip, priv);
+ if (retval) {
+ dev_err(&pdev->dev, "gpiochip_add error %d\n", retval);
+ return retval;
+diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
+index 5e3be32..3745de6 100644
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -90,7 +90,7 @@ MODULE_DEVICE_TABLE(acpi, pca953x_acpi_ids);
+ #define MAX_BANK 5
+ #define BANK_SZ 8
+
+-#define NBANK(chip) (chip->gpio_chip.ngpio / BANK_SZ)
++#define NBANK(chip) DIV_ROUND_UP(chip->gpio_chip.ngpio, BANK_SZ)
+
+ struct pca953x_chip {
+ unsigned gpio_start;
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+index 9df1bcb..9831753 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+@@ -551,28 +551,19 @@ int amdgpu_atombios_get_clock_info(struct amdgpu_device *adev)
+ le16_to_cpu(firmware_info->info.usReferenceClock);
+ ppll->reference_div = 0;
+
+- if (crev < 2)
+- ppll->pll_out_min =
+- le16_to_cpu(firmware_info->info.usMinPixelClockPLL_Output);
+- else
+- ppll->pll_out_min =
+- le32_to_cpu(firmware_info->info_12.ulMinPixelClockPLL_Output);
++ ppll->pll_out_min =
++ le32_to_cpu(firmware_info->info_12.ulMinPixelClockPLL_Output);
+ ppll->pll_out_max =
+ le32_to_cpu(firmware_info->info.ulMaxPixelClockPLL_Output);
+
+- if (crev >= 4) {
+- ppll->lcd_pll_out_min =
+- le16_to_cpu(firmware_info->info_14.usLcdMinPixelClockPLL_Output) * 100;
+- if (ppll->lcd_pll_out_min == 0)
+- ppll->lcd_pll_out_min = ppll->pll_out_min;
+- ppll->lcd_pll_out_max =
+- le16_to_cpu(firmware_info->info_14.usLcdMaxPixelClockPLL_Output) * 100;
+- if (ppll->lcd_pll_out_max == 0)
+- ppll->lcd_pll_out_max = ppll->pll_out_max;
+- } else {
++ ppll->lcd_pll_out_min =
++ le16_to_cpu(firmware_info->info_14.usLcdMinPixelClockPLL_Output) * 100;
++ if (ppll->lcd_pll_out_min == 0)
+ ppll->lcd_pll_out_min = ppll->pll_out_min;
++ ppll->lcd_pll_out_max =
++ le16_to_cpu(firmware_info->info_14.usLcdMaxPixelClockPLL_Output) * 100;
++ if (ppll->lcd_pll_out_max == 0)
+ ppll->lcd_pll_out_max = ppll->pll_out_max;
+- }
+
+ if (ppll->pll_out_min == 0)
+ ppll->pll_out_min = 64800;
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
+index 35a1248..1b4c069 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
+@@ -10,6 +10,7 @@
+ #include <linux/slab.h>
+ #include <linux/acpi.h>
+ #include <linux/pci.h>
++#include <linux/delay.h>
+
+ #include "amd_acpi.h"
+
+@@ -259,6 +260,10 @@ static int amdgpu_atpx_set_discrete_state(struct amdgpu_atpx *atpx, u8 state)
+ if (!info)
+ return -EIO;
+ kfree(info);
++
++ /* 200ms delay is required after off */
++ if (state == 0)
++ msleep(200);
+ }
+ return 0;
+ }
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+index cb07da4..ff0b55a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+@@ -1690,7 +1690,6 @@ amdgpu_connector_add(struct amdgpu_device *adev,
+ DRM_MODE_SCALE_NONE);
+ /* no HPD on analog connectors */
+ amdgpu_connector->hpd.hpd = AMDGPU_HPD_NONE;
+- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ connector->interlace_allowed = true;
+ connector->doublescan_allowed = true;
+ break;
+@@ -1893,8 +1892,10 @@ amdgpu_connector_add(struct amdgpu_device *adev,
+ }
+
+ if (amdgpu_connector->hpd.hpd == AMDGPU_HPD_NONE) {
+- if (i2c_bus->valid)
+- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
++ if (i2c_bus->valid) {
++ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
++ DRM_CONNECTOR_POLL_DISCONNECT;
++ }
+ } else
+ connector->polled = DRM_CONNECTOR_POLL_HPD;
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index 6e92008..b7f5650 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -1841,7 +1841,23 @@ int amdgpu_resume_kms(struct drm_device *dev, bool resume, bool fbcon)
+ }
+
+ drm_kms_helper_poll_enable(dev);
++
++ /*
++ * Most of the connector probing functions try to acquire runtime pm
++ * refs to ensure that the GPU is powered on when connector polling is
++ * performed. Since we're calling this from a runtime PM callback,
++ * trying to acquire rpm refs will cause us to deadlock.
++ *
++ * Since we're guaranteed to be holding the rpm lock, it's safe to
++ * temporarily disable the rpm helpers so this doesn't deadlock us.
++ */
++#ifdef CONFIG_PM
++ dev->dev->power.disable_depth++;
++#endif
+ drm_helper_hpd_irq_event(dev);
++#ifdef CONFIG_PM
++ dev->dev->power.disable_depth--;
++#endif
+
+ if (fbcon) {
+ amdgpu_fbdev_set_suspend(adev, 0);
+diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
+index 48b6bd6..c32eca2 100644
+--- a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
++++ b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
+@@ -98,6 +98,7 @@ amdgpu_atombios_encoder_set_backlight_level(struct amdgpu_encoder *amdgpu_encode
+ case ENCODER_OBJECT_ID_INTERNAL_KLDSCP_LVTMA:
+ case ENCODER_OBJECT_ID_INTERNAL_UNIPHY1:
+ case ENCODER_OBJECT_ID_INTERNAL_UNIPHY2:
++ case ENCODER_OBJECT_ID_INTERNAL_UNIPHY3:
+ if (dig->backlight_level == 0)
+ amdgpu_atombios_encoder_setup_dig_transmitter(encoder,
+ ATOM_TRANSMITTER_ACTION_LCD_BLOFF, 0, 0);
+diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c
+index 1feb643..9269548 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c
+@@ -167,6 +167,7 @@ static int gmc_v7_0_init_microcode(struct amdgpu_device *adev)
+ break;
+ case CHIP_KAVERI:
+ case CHIP_KABINI:
++ case CHIP_MULLINS:
+ return 0;
+ default: BUG();
+ }
+diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/powerplay/hwmgr/ppatomctrl.c
+index 90b35c5..ffc7c0d 100644
+--- a/drivers/gpu/drm/amd/powerplay/hwmgr/ppatomctrl.c
++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/ppatomctrl.c
+@@ -592,12 +592,12 @@ bool atomctrl_get_pp_assign_pin(
+ const uint32_t pinId,
+ pp_atomctrl_gpio_pin_assignment *gpio_pin_assignment)
+ {
+- bool bRet = 0;
++ bool bRet = false;
+ ATOM_GPIO_PIN_LUT *gpio_lookup_table =
+ get_gpio_lookup_table(hwmgr->device);
+
+ PP_ASSERT_WITH_CODE((NULL != gpio_lookup_table),
+- "Could not find GPIO lookup Table in BIOS.", return -1);
++ "Could not find GPIO lookup Table in BIOS.", return false);
+
+ bRet = atomctrl_lookup_gpio_pin(gpio_lookup_table, pinId,
+ gpio_pin_assignment);
+diff --git a/drivers/gpu/drm/drm_cache.c b/drivers/gpu/drm/drm_cache.c
+index 059f7c3..a7916e5 100644
+--- a/drivers/gpu/drm/drm_cache.c
++++ b/drivers/gpu/drm/drm_cache.c
+@@ -136,6 +136,7 @@ drm_clflush_virt_range(void *addr, unsigned long length)
+ mb();
+ for (; addr < end; addr += size)
+ clflushopt(addr);
++ clflushopt(end - 1); /* force serialisation */
+ mb();
+ return;
+ }
+diff --git a/drivers/gpu/drm/drm_dp_helper.c b/drivers/gpu/drm/drm_dp_helper.c
+index eeaf5a7..67b28f8 100644
+--- a/drivers/gpu/drm/drm_dp_helper.c
++++ b/drivers/gpu/drm/drm_dp_helper.c
+@@ -203,7 +203,7 @@ static int drm_dp_dpcd_access(struct drm_dp_aux *aux, u8 request,
+
+ ret = aux->transfer(aux, &msg);
+
+- if (ret > 0) {
++ if (ret >= 0) {
+ native_reply = msg.reply & DP_AUX_NATIVE_REPLY_MASK;
+ if (native_reply == DP_AUX_NATIVE_REPLY_ACK) {
+ if (ret == size)
+diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
+index 7df26d4..2cb472b 100644
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -74,6 +74,8 @@
+ #define EDID_QUIRK_FORCE_8BPC (1 << 8)
+ /* Force 12bpc */
+ #define EDID_QUIRK_FORCE_12BPC (1 << 9)
++/* Force 6bpc */
++#define EDID_QUIRK_FORCE_6BPC (1 << 10)
+
+ struct detailed_mode_closure {
+ struct drm_connector *connector;
+@@ -100,6 +102,9 @@ static struct edid_quirk {
+ /* Unknown Acer */
+ { "ACR", 2423, EDID_QUIRK_FIRST_DETAILED_PREFERRED },
+
++ /* AEO model 0 reports 8 bpc, but is a 6 bpc panel */
++ { "AEO", 0, EDID_QUIRK_FORCE_6BPC },
++
+ /* Belinea 10 15 55 */
+ { "MAX", 1516, EDID_QUIRK_PREFER_LARGE_60 },
+ { "MAX", 0x77e, EDID_QUIRK_PREFER_LARGE_60 },
+@@ -4082,6 +4087,9 @@ int drm_add_edid_modes(struct drm_connector *connector, struct edid *edid)
+
+ drm_add_display_info(edid, &connector->display_info, connector);
+
++ if (quirks & EDID_QUIRK_FORCE_6BPC)
++ connector->display_info.bpc = 6;
++
+ if (quirks & EDID_QUIRK_FORCE_8BPC)
+ connector->display_info.bpc = 8;
+
+diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
+index bc3f2e6..227a63e 100644
+--- a/drivers/gpu/drm/i915/i915_drv.h
++++ b/drivers/gpu/drm/i915/i915_drv.h
+@@ -2591,6 +2591,8 @@ struct drm_i915_cmd_table {
+ #define SKL_REVID_D0 0x3
+ #define SKL_REVID_E0 0x4
+ #define SKL_REVID_F0 0x5
++#define SKL_REVID_G0 0x6
++#define SKL_REVID_H0 0x7
+
+ #define IS_SKL_REVID(p, since, until) (IS_SKYLAKE(p) && IS_REVID(p, since, until))
+
+diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
+index 3fcf7dd..bc3b6dd 100644
+--- a/drivers/gpu/drm/i915/i915_reg.h
++++ b/drivers/gpu/drm/i915/i915_reg.h
+@@ -1672,6 +1672,9 @@ enum skl_disp_power_wells {
+
+ #define GEN7_TLB_RD_ADDR _MMIO(0x4700)
+
++#define GEN9_GAMT_ECO_REG_RW_IA _MMIO(0x4ab0)
++#define GAMT_ECO_ENABLE_IN_PLACE_DECOMPRESS (1<<18)
++
+ #define GAMT_CHKN_BIT_REG _MMIO(0x4ab8)
+ #define GAMT_CHKN_DISABLE_DYNAMIC_CREDIT_SHARING (1<<28)
+
+@@ -7538,6 +7541,8 @@ enum skl_disp_power_wells {
+
+ #define CDCLK_FREQ _MMIO(0x46200)
+
++#define CDCLK_FREQ _MMIO(0x46200)
++
+ #define _TRANSA_MSA_MISC 0x60410
+ #define _TRANSB_MSA_MISC 0x61410
+ #define _TRANSC_MSA_MISC 0x62410
+diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
+index 3074c56..3289319 100644
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -9700,6 +9700,8 @@ static void broadwell_set_cdclk(struct drm_device *dev, int cdclk)
+
+ I915_WRITE(CDCLK_FREQ, DIV_ROUND_CLOSEST(cdclk, 1000) - 1);
+
++ I915_WRITE(CDCLK_FREQ, DIV_ROUND_CLOSEST(cdclk, 1000) - 1);
++
+ intel_update_cdclk(dev);
+
+ WARN(cdclk != dev_priv->cdclk_freq,
+@@ -12095,21 +12097,11 @@ connected_sink_compute_bpp(struct intel_connector *connector,
+ pipe_config->pipe_bpp = connector->base.display_info.bpc*3;
+ }
+
+- /* Clamp bpp to default limit on screens without EDID 1.4 */
+- if (connector->base.display_info.bpc == 0) {
+- int type = connector->base.connector_type;
+- int clamp_bpp = 24;
+-
+- /* Fall back to 18 bpp when DP sink capability is unknown. */
+- if (type == DRM_MODE_CONNECTOR_DisplayPort ||
+- type == DRM_MODE_CONNECTOR_eDP)
+- clamp_bpp = 18;
+-
+- if (bpp > clamp_bpp) {
+- DRM_DEBUG_KMS("clamping display bpp (was %d) to default limit of %d\n",
+- bpp, clamp_bpp);
+- pipe_config->pipe_bpp = clamp_bpp;
+- }
++ /* Clamp bpp to 8 on screens without EDID 1.4 */
++ if (connector->base.display_info.bpc == 0 && bpp > 24) {
++ DRM_DEBUG_KMS("clamping display bpp (was %d) to default limit of 24\n",
++ bpp);
++ pipe_config->pipe_bpp = 24;
+ }
+ }
+
+diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
+index 2863b92..c1ca5a7 100644
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -4563,7 +4563,8 @@ void gen6_rps_idle(struct drm_i915_private *dev_priv)
+ else
+ gen6_set_rps(dev_priv->dev, dev_priv->rps.idle_freq);
+ dev_priv->rps.last_adj = 0;
+- I915_WRITE(GEN6_PMINTRMSK, 0xffffffff);
++ I915_WRITE(GEN6_PMINTRMSK,
++ gen6_sanitize_rps_pm_mask(dev_priv, ~0));
+ }
+ mutex_unlock(&dev_priv->rps.hw_lock);
+
+diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c
+index 68c5af0..9d778f3 100644
+--- a/drivers/gpu/drm/i915/intel_ringbuffer.c
++++ b/drivers/gpu/drm/i915/intel_ringbuffer.c
+@@ -1135,6 +1135,11 @@ static int skl_init_workarounds(struct intel_engine_cs *engine)
+ /* WaDisableGafsUnitClkGating:skl */
+ WA_SET_BIT(GEN7_UCGCTL4, GEN8_EU_GAUNIT_CLOCK_GATE_DISABLE);
+
++ /* WaInPlaceDecompressionHang:skl */
++ if (IS_SKL_REVID(dev_priv, SKL_REVID_H0, REVID_FOREVER))
++ WA_SET_BIT(GEN9_GAMT_ECO_REG_RW_IA,
++ GAMT_ECO_ENABLE_IN_PLACE_DECOMPRESS);
++
+ /* WaDisableLSQCROPERFforOCL:skl */
+ ret = wa_ring_whitelist_reg(engine, GEN8_L3SQCREG4);
+ if (ret)
+@@ -1194,6 +1199,11 @@ static int bxt_init_workarounds(struct intel_engine_cs *engine)
+ WA_SET_BIT_MASKED(COMMON_SLICE_CHICKEN2,
+ GEN8_SBE_DISABLE_REPLAY_BUF_OPTIMIZATION);
+
++ /* WaInPlaceDecompressionHang:bxt */
++ if (IS_BXT_REVID(dev_priv, BXT_REVID_C0, REVID_FOREVER))
++ WA_SET_BIT(GEN9_GAMT_ECO_REG_RW_IA,
++ GAMT_ECO_ENABLE_IN_PLACE_DECOMPRESS);
++
+ return 0;
+ }
+
+@@ -1241,6 +1251,10 @@ static int kbl_init_workarounds(struct intel_engine_cs *engine)
+ GEN7_HALF_SLICE_CHICKEN1,
+ GEN7_SBE_SS_CACHE_DISPATCH_PORT_SHARING_DISABLE);
+
++ /* WaInPlaceDecompressionHang:kbl */
++ WA_SET_BIT(GEN9_GAMT_ECO_REG_RW_IA,
++ GAMT_ECO_ENABLE_IN_PLACE_DECOMPRESS);
++
+ /* WaDisableLSQCROPERFforOCL:kbl */
+ ret = wa_ring_whitelist_reg(engine, GEN8_L3SQCREG4);
+ if (ret)
+diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
+index 11f8dd9..d6c134b 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
+@@ -324,7 +324,16 @@ static int nouveau_drm_probe(struct pci_dev *pdev,
+ !vga_switcheroo_handler_flags())
+ return -EPROBE_DEFER;
+
+- /* remove conflicting drivers (vesafb, efifb etc) */
++ /* We need to check that the chipset is supported before booting
++ * fbdev off the hardware, as there's no way to put it back.
++ */
++ ret = nvkm_device_pci_new(pdev, NULL, "error", true, false, 0, &device);
++ if (ret)
++ return ret;
++
++ nvkm_device_del(&device);
++
++ /* Remove conflicting drivers (vesafb, efifb etc). */
+ aper = alloc_apertures(3);
+ if (!aper)
+ return -ENOMEM;
+diff --git a/drivers/gpu/drm/nouveau/nv04_fbcon.c b/drivers/gpu/drm/nouveau/nv04_fbcon.c
+index 7d9248b..da8fd5f 100644
+--- a/drivers/gpu/drm/nouveau/nv04_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nv04_fbcon.c
+@@ -107,11 +107,11 @@ nv04_fbcon_imageblit(struct fb_info *info, const struct fb_image *image)
+ ((image->dx + image->width) & 0xffff));
+ OUT_RING(chan, bg);
+ OUT_RING(chan, fg);
+- OUT_RING(chan, (image->height << 16) | image->width);
++ OUT_RING(chan, (image->height << 16) | ALIGN(image->width, 8));
+ OUT_RING(chan, (image->height << 16) | image->width);
+ OUT_RING(chan, (image->dy << 16) | (image->dx & 0xffff));
+
+- dsize = ALIGN(image->width * image->height, 32) >> 5;
++ dsize = ALIGN(ALIGN(image->width, 8) * image->height, 32) >> 5;
+ while (dsize) {
+ int iter_len = dsize > 128 ? 128 : dsize;
+
+diff --git a/drivers/gpu/drm/nouveau/nv50_fbcon.c b/drivers/gpu/drm/nouveau/nv50_fbcon.c
+index 1aeb698..af3d3c4 100644
+--- a/drivers/gpu/drm/nouveau/nv50_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nv50_fbcon.c
+@@ -125,7 +125,7 @@ nv50_fbcon_imageblit(struct fb_info *info, const struct fb_image *image)
+ OUT_RING(chan, 0);
+ OUT_RING(chan, image->dy);
+
+- dwords = ALIGN(image->width * image->height, 32) >> 5;
++ dwords = ALIGN(ALIGN(image->width, 8) * image->height, 32) >> 5;
+ while (dwords) {
+ int push = dwords > 2047 ? 2047 : dwords;
+
+diff --git a/drivers/gpu/drm/nouveau/nvc0_fbcon.c b/drivers/gpu/drm/nouveau/nvc0_fbcon.c
+index 839f4c8..054b6a0 100644
+--- a/drivers/gpu/drm/nouveau/nvc0_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nvc0_fbcon.c
+@@ -125,7 +125,7 @@ nvc0_fbcon_imageblit(struct fb_info *info, const struct fb_image *image)
+ OUT_RING (chan, 0);
+ OUT_RING (chan, image->dy);
+
+- dwords = ALIGN(image->width * image->height, 32) >> 5;
++ dwords = ALIGN(ALIGN(image->width, 8) * image->height, 32) >> 5;
+ while (dwords) {
+ int push = dwords > 2047 ? 2047 : dwords;
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv30.c b/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv30.c
+index 69de8c6..f1e15a4 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv30.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv30.c
+@@ -76,8 +76,8 @@ nv30_gr_chan_new(struct nvkm_gr *base, struct nvkm_fifo_chan *fifoch,
+ nvkm_wo32(chan->inst, i, 0x00040004);
+ for (i = 0x1f18; i <= 0x3088 ; i += 16) {
+ nvkm_wo32(chan->inst, i + 0, 0x10700ff9);
+- nvkm_wo32(chan->inst, i + 1, 0x0436086c);
+- nvkm_wo32(chan->inst, i + 2, 0x000c001b);
++ nvkm_wo32(chan->inst, i + 4, 0x0436086c);
++ nvkm_wo32(chan->inst, i + 8, 0x000c001b);
+ }
+ for (i = 0x30b8; i < 0x30c8; i += 4)
+ nvkm_wo32(chan->inst, i, 0x0000ffff);
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv34.c b/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv34.c
+index 2207dac2..300f5ed 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv34.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv34.c
+@@ -75,8 +75,8 @@ nv34_gr_chan_new(struct nvkm_gr *base, struct nvkm_fifo_chan *fifoch,
+ nvkm_wo32(chan->inst, i, 0x00040004);
+ for (i = 0x15ac; i <= 0x271c ; i += 16) {
+ nvkm_wo32(chan->inst, i + 0, 0x10700ff9);
+- nvkm_wo32(chan->inst, i + 1, 0x0436086c);
+- nvkm_wo32(chan->inst, i + 2, 0x000c001b);
++ nvkm_wo32(chan->inst, i + 4, 0x0436086c);
++ nvkm_wo32(chan->inst, i + 8, 0x000c001b);
+ }
+ for (i = 0x274c; i < 0x275c; i += 4)
+ nvkm_wo32(chan->inst, i, 0x0000ffff);
+diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c
+index 587cae4..56bb758 100644
+--- a/drivers/gpu/drm/radeon/atombios_encoders.c
++++ b/drivers/gpu/drm/radeon/atombios_encoders.c
+@@ -120,6 +120,7 @@ atombios_set_backlight_level(struct radeon_encoder *radeon_encoder, u8 level)
+ case ENCODER_OBJECT_ID_INTERNAL_KLDSCP_LVTMA:
+ case ENCODER_OBJECT_ID_INTERNAL_UNIPHY1:
+ case ENCODER_OBJECT_ID_INTERNAL_UNIPHY2:
++ case ENCODER_OBJECT_ID_INTERNAL_UNIPHY3:
+ if (dig->backlight_level == 0)
+ atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_LCD_BLOFF, 0, 0);
+ else {
+diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
+index f8097a0..5df3ec7 100644
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -1155,7 +1155,7 @@ bool radeon_atom_get_clock_info(struct drm_device *dev)
+ le16_to_cpu(firmware_info->info.usReferenceClock);
+ p1pll->reference_div = 0;
+
+- if (crev < 2)
++ if ((frev < 2) && (crev < 2))
+ p1pll->pll_out_min =
+ le16_to_cpu(firmware_info->info.usMinPixelClockPLL_Output);
+ else
+@@ -1164,7 +1164,7 @@ bool radeon_atom_get_clock_info(struct drm_device *dev)
+ p1pll->pll_out_max =
+ le32_to_cpu(firmware_info->info.ulMaxPixelClockPLL_Output);
+
+- if (crev >= 4) {
++ if (((frev < 2) && (crev >= 4)) || (frev >= 2)) {
+ p1pll->lcd_pll_out_min =
+ le16_to_cpu(firmware_info->info_14.usLcdMinPixelClockPLL_Output) * 100;
+ if (p1pll->lcd_pll_out_min == 0)
+diff --git a/drivers/gpu/drm/radeon/radeon_atpx_handler.c b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
+index 95f4fea..1b3f4e5 100644
+--- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c
++++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
+@@ -10,6 +10,7 @@
+ #include <linux/slab.h>
+ #include <linux/acpi.h>
+ #include <linux/pci.h>
++#include <linux/delay.h>
+
+ #include "radeon_acpi.h"
+
+@@ -258,6 +259,10 @@ static int radeon_atpx_set_discrete_state(struct radeon_atpx *atpx, u8 state)
+ if (!info)
+ return -EIO;
+ kfree(info);
++
++ /* 200ms delay is required after off */
++ if (state == 0)
++ msleep(200);
+ }
+ return 0;
+ }
+diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
+index 81a63d7..b79f3b0 100644
+--- a/drivers/gpu/drm/radeon/radeon_connectors.c
++++ b/drivers/gpu/drm/radeon/radeon_connectors.c
+@@ -2064,7 +2064,6 @@ radeon_add_atom_connector(struct drm_device *dev,
+ RADEON_OUTPUT_CSC_BYPASS);
+ /* no HPD on analog connectors */
+ radeon_connector->hpd.hpd = RADEON_HPD_NONE;
+- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ connector->interlace_allowed = true;
+ connector->doublescan_allowed = true;
+ break;
+@@ -2314,8 +2313,10 @@ radeon_add_atom_connector(struct drm_device *dev,
+ }
+
+ if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
+- if (i2c_bus->valid)
+- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
++ if (i2c_bus->valid) {
++ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
++ DRM_CONNECTOR_POLL_DISCONNECT;
++ }
+ } else
+ connector->polled = DRM_CONNECTOR_POLL_HPD;
+
+@@ -2391,7 +2392,6 @@ radeon_add_legacy_connector(struct drm_device *dev,
+ 1);
+ /* no HPD on analog connectors */
+ radeon_connector->hpd.hpd = RADEON_HPD_NONE;
+- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ connector->interlace_allowed = true;
+ connector->doublescan_allowed = true;
+ break;
+@@ -2476,10 +2476,13 @@ radeon_add_legacy_connector(struct drm_device *dev,
+ }
+
+ if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
+- if (i2c_bus->valid)
+- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
++ if (i2c_bus->valid) {
++ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
++ DRM_CONNECTOR_POLL_DISCONNECT;
++ }
+ } else
+ connector->polled = DRM_CONNECTOR_POLL_HPD;
++
+ connector->display_info.subpixel_order = subpixel_order;
+ drm_connector_register(connector);
+ }
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+index 1c4d5b5..b167323 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+@@ -1048,6 +1048,17 @@ static void vop_crtc_destroy(struct drm_crtc *crtc)
+ drm_crtc_cleanup(crtc);
+ }
+
++static void vop_crtc_reset(struct drm_crtc *crtc)
++{
++ if (crtc->state)
++ __drm_atomic_helper_crtc_destroy_state(crtc->state);
++ kfree(crtc->state);
++
++ crtc->state = kzalloc(sizeof(struct rockchip_crtc_state), GFP_KERNEL);
++ if (crtc->state)
++ crtc->state->crtc = crtc;
++}
++
+ static struct drm_crtc_state *vop_crtc_duplicate_state(struct drm_crtc *crtc)
+ {
+ struct rockchip_crtc_state *rockchip_state;
+@@ -1073,7 +1084,7 @@ static const struct drm_crtc_funcs vop_crtc_funcs = {
+ .set_config = drm_atomic_helper_set_config,
+ .page_flip = drm_atomic_helper_page_flip,
+ .destroy = vop_crtc_destroy,
+- .reset = drm_atomic_helper_crtc_reset,
++ .reset = vop_crtc_reset,
+ .atomic_duplicate_state = vop_crtc_duplicate_state,
+ .atomic_destroy_state = vop_crtc_destroy_state,
+ };
+diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
+index 16b6f11..99ec3ff 100644
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -51,10 +51,26 @@ struct uhid_device {
+ u32 report_id;
+ u32 report_type;
+ struct uhid_event report_buf;
++ struct work_struct worker;
+ };
+
+ static struct miscdevice uhid_misc;
+
++static void uhid_device_add_worker(struct work_struct *work)
++{
++ struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
++ int ret;
++
++ ret = hid_add_device(uhid->hid);
++ if (ret) {
++ hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
++
++ hid_destroy_device(uhid->hid);
++ uhid->hid = NULL;
++ uhid->running = false;
++ }
++}
++
+ static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
+ {
+ __u8 newhead;
+@@ -498,18 +514,14 @@ static int uhid_dev_create2(struct uhid_device *uhid,
+ uhid->hid = hid;
+ uhid->running = true;
+
+- ret = hid_add_device(hid);
+- if (ret) {
+- hid_err(hid, "Cannot register HID device\n");
+- goto err_hid;
+- }
++ /* Adding of a HID device is done through a worker, to allow HID drivers
++ * which use feature requests during .probe to work, without they would
++ * be blocked on devlock, which is held by uhid_char_write.
++ */
++ schedule_work(&uhid->worker);
+
+ return 0;
+
+-err_hid:
+- hid_destroy_device(hid);
+- uhid->hid = NULL;
+- uhid->running = false;
+ err_free:
+ kfree(uhid->rd_data);
+ uhid->rd_data = NULL;
+@@ -550,6 +562,8 @@ static int uhid_dev_destroy(struct uhid_device *uhid)
+ uhid->running = false;
+ wake_up_interruptible(&uhid->report_wait);
+
++ cancel_work_sync(&uhid->worker);
++
+ hid_destroy_device(uhid->hid);
+ kfree(uhid->rd_data);
+
+@@ -612,6 +626,7 @@ static int uhid_char_open(struct inode *inode, struct file *file)
+ init_waitqueue_head(&uhid->waitq);
+ init_waitqueue_head(&uhid->report_wait);
+ uhid->running = false;
++ INIT_WORK(&uhid->worker, uhid_device_add_worker);
+
+ file->private_data = uhid;
+ nonseekable_open(inode, file);
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 952f20f..e82f7e1 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -42,6 +42,7 @@
+ #include <linux/screen_info.h>
+ #include <linux/kdebug.h>
+ #include <linux/efi.h>
++#include <linux/random.h>
+ #include "hyperv_vmbus.h"
+
+ static struct acpi_device *hv_acpi_dev;
+@@ -806,6 +807,8 @@ static void vmbus_isr(void)
+ else
+ tasklet_schedule(hv_context.msg_dpc[cpu]);
+ }
++
++ add_interrupt_randomness(HYPERVISOR_CALLBACK_VECTOR, 0);
+ }
+
+
+diff --git a/drivers/i2c/busses/i2c-efm32.c b/drivers/i2c/busses/i2c-efm32.c
+index 8eff627..e253598 100644
+--- a/drivers/i2c/busses/i2c-efm32.c
++++ b/drivers/i2c/busses/i2c-efm32.c
+@@ -433,7 +433,7 @@ static int efm32_i2c_probe(struct platform_device *pdev)
+ ret = request_irq(ddata->irq, efm32_i2c_irq, 0, DRIVER_NAME, ddata);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "failed to request irq (%d)\n", ret);
+- return ret;
++ goto err_disable_clk;
+ }
+
+ ret = i2c_add_adapter(&ddata->adapter);
+diff --git a/drivers/infiniband/core/rw.c b/drivers/infiniband/core/rw.c
+index 1eb9b12..dbfd854 100644
+--- a/drivers/infiniband/core/rw.c
++++ b/drivers/infiniband/core/rw.c
+@@ -58,19 +58,13 @@ static inline bool rdma_rw_io_needs_mr(struct ib_device *dev, u8 port_num,
+ return false;
+ }
+
+-static inline u32 rdma_rw_max_sge(struct ib_device *dev,
+- enum dma_data_direction dir)
+-{
+- return dir == DMA_TO_DEVICE ?
+- dev->attrs.max_sge : dev->attrs.max_sge_rd;
+-}
+-
+ static inline u32 rdma_rw_fr_page_list_len(struct ib_device *dev)
+ {
+ /* arbitrary limit to avoid allocating gigantic resources */
+ return min_t(u32, dev->attrs.max_fast_reg_page_list_len, 256);
+ }
+
++/* Caller must have zero-initialized *reg. */
+ static int rdma_rw_init_one_mr(struct ib_qp *qp, u8 port_num,
+ struct rdma_rw_reg_ctx *reg, struct scatterlist *sg,
+ u32 sg_cnt, u32 offset)
+@@ -114,6 +108,7 @@ static int rdma_rw_init_mr_wrs(struct rdma_rw_ctx *ctx, struct ib_qp *qp,
+ u8 port_num, struct scatterlist *sg, u32 sg_cnt, u32 offset,
+ u64 remote_addr, u32 rkey, enum dma_data_direction dir)
+ {
++ struct rdma_rw_reg_ctx *prev = NULL;
+ u32 pages_per_mr = rdma_rw_fr_page_list_len(qp->pd->device);
+ int i, j, ret = 0, count = 0;
+
+@@ -125,7 +120,6 @@ static int rdma_rw_init_mr_wrs(struct rdma_rw_ctx *ctx, struct ib_qp *qp,
+ }
+
+ for (i = 0; i < ctx->nr_ops; i++) {
+- struct rdma_rw_reg_ctx *prev = i ? &ctx->reg[i - 1] : NULL;
+ struct rdma_rw_reg_ctx *reg = &ctx->reg[i];
+ u32 nents = min(sg_cnt, pages_per_mr);
+
+@@ -162,9 +156,13 @@ static int rdma_rw_init_mr_wrs(struct rdma_rw_ctx *ctx, struct ib_qp *qp,
+ sg_cnt -= nents;
+ for (j = 0; j < nents; j++)
+ sg = sg_next(sg);
++ prev = reg;
+ offset = 0;
+ }
+
++ if (prev)
++ prev->wr.wr.next = NULL;
++
+ ctx->type = RDMA_RW_MR;
+ return count;
+
+@@ -181,7 +179,8 @@ static int rdma_rw_init_map_wrs(struct rdma_rw_ctx *ctx, struct ib_qp *qp,
+ u64 remote_addr, u32 rkey, enum dma_data_direction dir)
+ {
+ struct ib_device *dev = qp->pd->device;
+- u32 max_sge = rdma_rw_max_sge(dev, dir);
++ u32 max_sge = dir == DMA_TO_DEVICE ? qp->max_write_sge :
++ qp->max_read_sge;
+ struct ib_sge *sge;
+ u32 total_len = 0, i, j;
+
+@@ -205,11 +204,10 @@ static int rdma_rw_init_map_wrs(struct rdma_rw_ctx *ctx, struct ib_qp *qp,
+ rdma_wr->wr.opcode = IB_WR_RDMA_READ;
+ rdma_wr->remote_addr = remote_addr + total_len;
+ rdma_wr->rkey = rkey;
++ rdma_wr->wr.num_sge = nr_sge;
+ rdma_wr->wr.sg_list = sge;
+
+ for (j = 0; j < nr_sge; j++, sg = sg_next(sg)) {
+- rdma_wr->wr.num_sge++;
+-
+ sge->addr = ib_sg_dma_address(dev, sg) + offset;
+ sge->length = ib_sg_dma_len(dev, sg) - offset;
+ sge->lkey = qp->pd->local_dma_lkey;
+@@ -220,8 +218,8 @@ static int rdma_rw_init_map_wrs(struct rdma_rw_ctx *ctx, struct ib_qp *qp,
+ offset = 0;
+ }
+
+- if (i + 1 < ctx->nr_ops)
+- rdma_wr->wr.next = &ctx->map.wrs[i + 1].wr;
++ rdma_wr->wr.next = i + 1 < ctx->nr_ops ?
++ &ctx->map.wrs[i + 1].wr : NULL;
+ }
+
+ ctx->type = RDMA_RW_MULTI_WR;
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index 6298f54..e39a0b5 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -814,6 +814,15 @@ struct ib_qp *ib_create_qp(struct ib_pd *pd,
+ }
+ }
+
++ /*
++ * Note: all hw drivers guarantee that max_send_sge is lower than
++ * the device RDMA WRITE SGE limit but not all hw drivers ensure that
++ * max_send_sge <= max_sge_rd.
++ */
++ qp->max_write_sge = qp_init_attr->cap.max_send_sge;
++ qp->max_read_sge = min_t(u32, qp_init_attr->cap.max_send_sge,
++ device->attrs.max_sge_rd);
++
+ return qp;
+ }
+ EXPORT_SYMBOL(ib_create_qp);
+diff --git a/drivers/infiniband/hw/mlx5/gsi.c b/drivers/infiniband/hw/mlx5/gsi.c
+index 53e03c8..79e6309 100644
+--- a/drivers/infiniband/hw/mlx5/gsi.c
++++ b/drivers/infiniband/hw/mlx5/gsi.c
+@@ -69,15 +69,6 @@ static bool mlx5_ib_deth_sqpn_cap(struct mlx5_ib_dev *dev)
+ return MLX5_CAP_GEN(dev->mdev, set_deth_sqpn);
+ }
+
+-static u32 next_outstanding(struct mlx5_ib_gsi_qp *gsi, u32 index)
+-{
+- return ++index % gsi->cap.max_send_wr;
+-}
+-
+-#define for_each_outstanding_wr(gsi, index) \
+- for (index = gsi->outstanding_ci; index != gsi->outstanding_pi; \
+- index = next_outstanding(gsi, index))
+-
+ /* Call with gsi->lock locked */
+ static void generate_completions(struct mlx5_ib_gsi_qp *gsi)
+ {
+@@ -85,8 +76,9 @@ static void generate_completions(struct mlx5_ib_gsi_qp *gsi)
+ struct mlx5_ib_gsi_wr *wr;
+ u32 index;
+
+- for_each_outstanding_wr(gsi, index) {
+- wr = &gsi->outstanding_wrs[index];
++ for (index = gsi->outstanding_ci; index != gsi->outstanding_pi;
++ index++) {
++ wr = &gsi->outstanding_wrs[index % gsi->cap.max_send_wr];
+
+ if (!wr->completed)
+ break;
+@@ -430,8 +422,9 @@ static int mlx5_ib_add_outstanding_wr(struct mlx5_ib_gsi_qp *gsi,
+ return -ENOMEM;
+ }
+
+- gsi_wr = &gsi->outstanding_wrs[gsi->outstanding_pi];
+- gsi->outstanding_pi = next_outstanding(gsi, gsi->outstanding_pi);
++ gsi_wr = &gsi->outstanding_wrs[gsi->outstanding_pi %
++ gsi->cap.max_send_wr];
++ gsi->outstanding_pi++;
+
+ if (!wc) {
+ memset(&gsi_wr->wc, 0, sizeof(gsi_wr->wc));
+diff --git a/drivers/infiniband/sw/rdmavt/Kconfig b/drivers/infiniband/sw/rdmavt/Kconfig
+index 11aa6a3..1da8d01 100644
+--- a/drivers/infiniband/sw/rdmavt/Kconfig
++++ b/drivers/infiniband/sw/rdmavt/Kconfig
+@@ -1,6 +1,5 @@
+ config INFINIBAND_RDMAVT
+ tristate "RDMA verbs transport library"
+ depends on 64BIT
+- default m
+ ---help---
+ This is a common software verbs provider for RDMA networks.
+diff --git a/drivers/infiniband/sw/rdmavt/cq.c b/drivers/infiniband/sw/rdmavt/cq.c
+index 6ca6fa8..f2f229e 100644
+--- a/drivers/infiniband/sw/rdmavt/cq.c
++++ b/drivers/infiniband/sw/rdmavt/cq.c
+@@ -510,6 +510,7 @@ int rvt_driver_cq_init(struct rvt_dev_info *rdi)
+
+ if (rdi->worker)
+ return 0;
++ spin_lock_init(&rdi->n_cqs_lock);
+ rdi->worker = kzalloc(sizeof(*rdi->worker), GFP_KERNEL);
+ if (!rdi->worker)
+ return -ENOMEM;
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
+index 4a41556..9a3b954 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -1601,6 +1601,7 @@ static int srpt_create_ch_ib(struct srpt_rdma_ch *ch)
+ struct ib_qp_init_attr *qp_init;
+ struct srpt_port *sport = ch->sport;
+ struct srpt_device *sdev = sport->sdev;
++ const struct ib_device_attr *attrs = &sdev->device->attrs;
+ u32 srp_sq_size = sport->port_attrib.srp_sq_size;
+ int ret;
+
+@@ -1638,7 +1639,7 @@ retry:
+ */
+ qp_init->cap.max_send_wr = srp_sq_size / 2;
+ qp_init->cap.max_rdma_ctxs = srp_sq_size / 2;
+- qp_init->cap.max_send_sge = SRPT_DEF_SG_PER_WQE;
++ qp_init->cap.max_send_sge = min(attrs->max_sge, SRPT_MAX_SG_PER_WQE);
+ qp_init->port_num = ch->sport->port;
+
+ ch->qp = ib_create_qp(sdev->pd, qp_init);
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.h b/drivers/infiniband/ulp/srpt/ib_srpt.h
+index 3890304..5818787 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.h
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.h
+@@ -106,7 +106,11 @@ enum {
+ SRP_LOGIN_RSP_MULTICHAN_MAINTAINED = 0x2,
+
+ SRPT_DEF_SG_TABLESIZE = 128,
+- SRPT_DEF_SG_PER_WQE = 16,
++ /*
++ * An experimentally determined value that avoids that QP creation
++ * fails due to "swiotlb buffer is full" on systems using the swiotlb.
++ */
++ SRPT_MAX_SG_PER_WQE = 16,
+
+ MIN_SRPT_SQ_SIZE = 16,
+ DEF_SRPT_SQ_SIZE = 4096,
+diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
+index 2f58985..d15b338 100644
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -4,7 +4,8 @@
+ * Copyright (c) 2013 ELAN Microelectronics Corp.
+ *
+ * Author: 林政維 (Duson Lin) <dusonlin@emc.com.tw>
+- * Version: 1.6.0
++ * Author: KT Liao <kt.liao@emc.com.tw>
++ * Version: 1.6.2
+ *
+ * Based on cyapa driver:
+ * copyright (c) 2011-2012 Cypress Semiconductor, Inc.
+@@ -40,7 +41,7 @@
+ #include "elan_i2c.h"
+
+ #define DRIVER_NAME "elan_i2c"
+-#define ELAN_DRIVER_VERSION "1.6.1"
++#define ELAN_DRIVER_VERSION "1.6.2"
+ #define ELAN_VENDOR_ID 0x04f3
+ #define ETP_MAX_PRESSURE 255
+ #define ETP_FWIDTH_REDUCE 90
+@@ -199,9 +200,41 @@ static int elan_sleep(struct elan_tp_data *data)
+ return error;
+ }
+
++static int elan_query_product(struct elan_tp_data *data)
++{
++ int error;
++
++ error = data->ops->get_product_id(data->client, &data->product_id);
++ if (error)
++ return error;
++
++ error = data->ops->get_sm_version(data->client, &data->ic_type,
++ &data->sm_version);
++ if (error)
++ return error;
++
++ return 0;
++}
++
++static int elan_check_ASUS_special_fw(struct elan_tp_data *data)
++{
++ if (data->ic_type != 0x0E)
++ return false;
++
++ switch (data->product_id) {
++ case 0x05 ... 0x07:
++ case 0x09:
++ case 0x13:
++ return true;
++ default:
++ return false;
++ }
++}
++
+ static int __elan_initialize(struct elan_tp_data *data)
+ {
+ struct i2c_client *client = data->client;
++ bool woken_up = false;
+ int error;
+
+ error = data->ops->initialize(client);
+@@ -210,6 +243,27 @@ static int __elan_initialize(struct elan_tp_data *data)
+ return error;
+ }
+
++ error = elan_query_product(data);
++ if (error)
++ return error;
++
++ /*
++ * Some ASUS devices were shipped with firmware that requires
++ * touchpads to be woken up first, before attempting to switch
++ * them into absolute reporting mode.
++ */
++ if (elan_check_ASUS_special_fw(data)) {
++ error = data->ops->sleep_control(client, false);
++ if (error) {
++ dev_err(&client->dev,
++ "failed to wake device up: %d\n", error);
++ return error;
++ }
++
++ msleep(200);
++ woken_up = true;
++ }
++
+ data->mode |= ETP_ENABLE_ABS;
+ error = data->ops->set_mode(client, data->mode);
+ if (error) {
+@@ -218,11 +272,13 @@ static int __elan_initialize(struct elan_tp_data *data)
+ return error;
+ }
+
+- error = data->ops->sleep_control(client, false);
+- if (error) {
+- dev_err(&client->dev,
+- "failed to wake device up: %d\n", error);
+- return error;
++ if (!woken_up) {
++ error = data->ops->sleep_control(client, false);
++ if (error) {
++ dev_err(&client->dev,
++ "failed to wake device up: %d\n", error);
++ return error;
++ }
+ }
+
+ return 0;
+@@ -248,10 +304,6 @@ static int elan_query_device_info(struct elan_tp_data *data)
+ {
+ int error;
+
+- error = data->ops->get_product_id(data->client, &data->product_id);
+- if (error)
+- return error;
+-
+ error = data->ops->get_version(data->client, false, &data->fw_version);
+ if (error)
+ return error;
+@@ -261,11 +313,6 @@ static int elan_query_device_info(struct elan_tp_data *data)
+ if (error)
+ return error;
+
+- error = data->ops->get_sm_version(data->client, &data->ic_type,
+- &data->sm_version);
+- if (error)
+- return error;
+-
+ error = data->ops->get_version(data->client, true, &data->iap_version);
+ if (error)
+ return error;
+diff --git a/drivers/input/touchscreen/sur40.c b/drivers/input/touchscreen/sur40.c
+index 880c40b..b7e8c11 100644
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -126,7 +126,7 @@ struct sur40_image_header {
+ #define VIDEO_PACKET_SIZE 16384
+
+ /* polling interval (ms) */
+-#define POLL_INTERVAL 4
++#define POLL_INTERVAL 1
+
+ /* maximum number of contacts FIXME: this is a guess? */
+ #define MAX_CONTACTS 64
+@@ -448,7 +448,7 @@ static void sur40_process_video(struct sur40_state *sur40)
+
+ /* return error if streaming was stopped in the meantime */
+ if (sur40->sequence == -1)
+- goto err_poll;
++ return;
+
+ /* mark as finished */
+ new_buf->vb.vb2_buf.timestamp = ktime_get_ns();
+@@ -736,6 +736,7 @@ static int sur40_start_streaming(struct vb2_queue *vq, unsigned int count)
+ static void sur40_stop_streaming(struct vb2_queue *vq)
+ {
+ struct sur40_state *sur40 = vb2_get_drv_priv(vq);
++ vb2_wait_for_all_buffers(vq);
+ sur40->sequence = -1;
+
+ /* Release all active buffers */
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 634f636..2511c8b 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -466,9 +466,11 @@ static void init_iommu_group(struct device *dev)
+ if (!domain)
+ goto out;
+
+- dma_domain = to_pdomain(domain)->priv;
++ if (to_pdomain(domain)->flags == PD_DMA_OPS_MASK) {
++ dma_domain = to_pdomain(domain)->priv;
++ init_unity_mappings_for_device(dev, dma_domain);
++ }
+
+- init_unity_mappings_for_device(dev, dma_domain);
+ out:
+ iommu_group_put(group);
+ }
+@@ -2512,8 +2514,15 @@ static void update_device_table(struct protection_domain *domain)
+ {
+ struct iommu_dev_data *dev_data;
+
+- list_for_each_entry(dev_data, &domain->dev_list, list)
++ list_for_each_entry(dev_data, &domain->dev_list, list) {
+ set_dte_entry(dev_data->devid, domain, dev_data->ats.enabled);
++
++ if (dev_data->devid == dev_data->alias)
++ continue;
++
++ /* There is an alias, update device table entry for it */
++ set_dte_entry(dev_data->alias, domain, dev_data->ats.enabled);
++ }
+ }
+
+ static void update_domain(struct protection_domain *domain)
+@@ -3103,9 +3112,7 @@ static struct iommu_domain *amd_iommu_domain_alloc(unsigned type)
+ static void amd_iommu_domain_free(struct iommu_domain *dom)
+ {
+ struct protection_domain *domain;
+-
+- if (!dom)
+- return;
++ struct dma_ops_domain *dma_dom;
+
+ domain = to_pdomain(dom);
+
+@@ -3114,13 +3121,24 @@ static void amd_iommu_domain_free(struct iommu_domain *dom)
+
+ BUG_ON(domain->dev_cnt != 0);
+
+- if (domain->mode != PAGE_MODE_NONE)
+- free_pagetable(domain);
++ if (!dom)
++ return;
++
++ switch (dom->type) {
++ case IOMMU_DOMAIN_DMA:
++ dma_dom = domain->priv;
++ dma_ops_domain_free(dma_dom);
++ break;
++ default:
++ if (domain->mode != PAGE_MODE_NONE)
++ free_pagetable(domain);
+
+- if (domain->flags & PD_IOMMUV2_MASK)
+- free_gcr3_table(domain);
++ if (domain->flags & PD_IOMMUV2_MASK)
++ free_gcr3_table(domain);
+
+- protection_domain_free(domain);
++ protection_domain_free(domain);
++ break;
++ }
+ }
+
+ static void amd_iommu_detach_device(struct iommu_domain *dom,
+diff --git a/drivers/iommu/exynos-iommu.c b/drivers/iommu/exynos-iommu.c
+index 5ecc86c..e27e3b7df 100644
+--- a/drivers/iommu/exynos-iommu.c
++++ b/drivers/iommu/exynos-iommu.c
+@@ -709,6 +709,7 @@ static struct platform_driver exynos_sysmmu_driver __refdata = {
+ .name = "exynos-sysmmu",
+ .of_match_table = sysmmu_of_match,
+ .pm = &sysmmu_pm_ops,
++ .suppress_bind_attrs = true,
+ }
+ };
+
+diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
+index 323dac9..d416242 100644
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -2076,7 +2076,7 @@ out_unlock:
+ spin_unlock(&iommu->lock);
+ spin_unlock_irqrestore(&device_domain_lock, flags);
+
+- return 0;
++ return ret;
+ }
+
+ struct domain_context_mapping_data {
+diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
+index a1ed1b7..f5c90e1 100644
+--- a/drivers/iommu/io-pgtable-arm.c
++++ b/drivers/iommu/io-pgtable-arm.c
+@@ -576,7 +576,7 @@ static phys_addr_t arm_lpae_iova_to_phys(struct io_pgtable_ops *ops,
+ return 0;
+
+ found_translation:
+- iova &= (ARM_LPAE_GRANULE(data) - 1);
++ iova &= (ARM_LPAE_BLOCK_SIZE(lvl, data) - 1);
+ return ((phys_addr_t)iopte_to_pfn(pte,data) << data->pg_shift) | iova;
+ }
+
+diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
+index b7341de..4bb49cd 100644
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -289,10 +289,16 @@ static int flakey_map(struct dm_target *ti, struct bio *bio)
+ pb->bio_submitted = true;
+
+ /*
+- * Map reads as normal.
++ * Map reads as normal only if corrupt_bio_byte set.
+ */
+- if (bio_data_dir(bio) == READ)
+- goto map_bio;
++ if (bio_data_dir(bio) == READ) {
++ /* If flags were specified, only corrupt those that match. */
++ if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
++ all_corrupt_bio_flags_match(bio, fc))
++ goto map_bio;
++ else
++ return -EIO;
++ }
+
+ /*
+ * Drop writes?
+@@ -330,12 +336,13 @@ static int flakey_end_io(struct dm_target *ti, struct bio *bio, int error)
+
+ /*
+ * Corrupt successful READs while in down state.
+- * If flags were specified, only corrupt those that match.
+ */
+- if (fc->corrupt_bio_byte && !error && pb->bio_submitted &&
+- (bio_data_dir(bio) == READ) && (fc->corrupt_bio_rw == READ) &&
+- all_corrupt_bio_flags_match(bio, fc))
+- corrupt_bio_data(bio, fc);
++ if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
++ if (fc->corrupt_bio_byte)
++ corrupt_bio_data(bio, fc);
++ else
++ return -EIO;
++ }
+
+ return error;
+ }
+diff --git a/drivers/md/dm-verity-fec.c b/drivers/md/dm-verity-fec.c
+index 459a9f8..0f0eb8a 100644
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -453,9 +453,7 @@ int verity_fec_decode(struct dm_verity *v, struct dm_verity_io *io,
+ */
+
+ offset = block << v->data_dev_block_bits;
+-
+- res = offset;
+- div64_u64(res, v->fec->rounds << v->data_dev_block_bits);
++ res = div64_u64(offset, v->fec->rounds << v->data_dev_block_bits);
+
+ /*
+ * The base RS block we can feed to the interleaver to find out all
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 1b2f962..fd40bcb 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2175,7 +2175,7 @@ static void dm_request_fn(struct request_queue *q)
+ md_in_flight(md) && rq->bio && rq->bio->bi_vcnt == 1 &&
+ md->last_rq_pos == pos && md->last_rq_rw == rq_data_dir(rq)) ||
+ (ti->type->busy && ti->type->busy(ti))) {
+- blk_delay_queue(q, HZ / 100);
++ blk_delay_queue(q, 10);
+ return;
+ }
+
+@@ -3128,7 +3128,8 @@ static void unlock_fs(struct mapped_device *md)
+ * Caller must hold md->suspend_lock
+ */
+ static int __dm_suspend(struct mapped_device *md, struct dm_table *map,
+- unsigned suspend_flags, int interruptible)
++ unsigned suspend_flags, int interruptible,
++ int dmf_suspended_flag)
+ {
+ bool do_lockfs = suspend_flags & DM_SUSPEND_LOCKFS_FLAG;
+ bool noflush = suspend_flags & DM_SUSPEND_NOFLUSH_FLAG;
+@@ -3195,6 +3196,8 @@ static int __dm_suspend(struct mapped_device *md, struct dm_table *map,
+ * to finish.
+ */
+ r = dm_wait_for_completion(md, interruptible);
++ if (!r)
++ set_bit(dmf_suspended_flag, &md->flags);
+
+ if (noflush)
+ clear_bit(DMF_NOFLUSH_SUSPENDING, &md->flags);
+@@ -3256,12 +3259,10 @@ retry:
+
+ map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
+
+- r = __dm_suspend(md, map, suspend_flags, TASK_INTERRUPTIBLE);
++ r = __dm_suspend(md, map, suspend_flags, TASK_INTERRUPTIBLE, DMF_SUSPENDED);
+ if (r)
+ goto out_unlock;
+
+- set_bit(DMF_SUSPENDED, &md->flags);
+-
+ dm_table_postsuspend_targets(map);
+
+ out_unlock:
+@@ -3355,9 +3356,8 @@ static void __dm_internal_suspend(struct mapped_device *md, unsigned suspend_fla
+ * would require changing .presuspend to return an error -- avoid this
+ * until there is a need for more elaborate variants of internal suspend.
+ */
+- (void) __dm_suspend(md, map, suspend_flags, TASK_UNINTERRUPTIBLE);
+-
+- set_bit(DMF_SUSPENDED_INTERNALLY, &md->flags);
++ (void) __dm_suspend(md, map, suspend_flags, TASK_UNINTERRUPTIBLE,
++ DMF_SUSPENDED_INTERNALLY);
+
+ dm_table_postsuspend_targets(map);
+ }
+diff --git a/drivers/media/dvb-core/dvb_ringbuffer.c b/drivers/media/dvb-core/dvb_ringbuffer.c
+index 1100e98..7df7fb3 100644
+--- a/drivers/media/dvb-core/dvb_ringbuffer.c
++++ b/drivers/media/dvb-core/dvb_ringbuffer.c
+@@ -55,7 +55,13 @@ void dvb_ringbuffer_init(struct dvb_ringbuffer *rbuf, void *data, size_t len)
+
+ int dvb_ringbuffer_empty(struct dvb_ringbuffer *rbuf)
+ {
+- return (rbuf->pread==rbuf->pwrite);
++ /* smp_load_acquire() to load write pointer on reader side
++ * this pairs with smp_store_release() in dvb_ringbuffer_write(),
++ * dvb_ringbuffer_write_user(), or dvb_ringbuffer_reset()
++ *
++ * for memory barriers also see Documentation/circular-buffers.txt
++ */
++ return (rbuf->pread == smp_load_acquire(&rbuf->pwrite));
+ }
+
+
+@@ -64,7 +70,12 @@ ssize_t dvb_ringbuffer_free(struct dvb_ringbuffer *rbuf)
+ {
+ ssize_t free;
+
+- free = rbuf->pread - rbuf->pwrite;
++ /* ACCESS_ONCE() to load read pointer on writer side
++ * this pairs with smp_store_release() in dvb_ringbuffer_read(),
++ * dvb_ringbuffer_read_user(), dvb_ringbuffer_flush(),
++ * or dvb_ringbuffer_reset()
++ */
++ free = ACCESS_ONCE(rbuf->pread) - rbuf->pwrite;
+ if (free <= 0)
+ free += rbuf->size;
+ return free-1;
+@@ -76,7 +87,11 @@ ssize_t dvb_ringbuffer_avail(struct dvb_ringbuffer *rbuf)
+ {
+ ssize_t avail;
+
+- avail = rbuf->pwrite - rbuf->pread;
++ /* smp_load_acquire() to load write pointer on reader side
++ * this pairs with smp_store_release() in dvb_ringbuffer_write(),
++ * dvb_ringbuffer_write_user(), or dvb_ringbuffer_reset()
++ */
++ avail = smp_load_acquire(&rbuf->pwrite) - rbuf->pread;
+ if (avail < 0)
+ avail += rbuf->size;
+ return avail;
+@@ -86,14 +101,25 @@ ssize_t dvb_ringbuffer_avail(struct dvb_ringbuffer *rbuf)
+
+ void dvb_ringbuffer_flush(struct dvb_ringbuffer *rbuf)
+ {
+- rbuf->pread = rbuf->pwrite;
++ /* dvb_ringbuffer_flush() counts as read operation
++ * smp_load_acquire() to load write pointer
++ * smp_store_release() to update read pointer, this ensures that the
++ * correct pointer is visible for subsequent dvb_ringbuffer_free()
++ * calls on other cpu cores
++ */
++ smp_store_release(&rbuf->pread, smp_load_acquire(&rbuf->pwrite));
+ rbuf->error = 0;
+ }
+ EXPORT_SYMBOL(dvb_ringbuffer_flush);
+
+ void dvb_ringbuffer_reset(struct dvb_ringbuffer *rbuf)
+ {
+- rbuf->pread = rbuf->pwrite = 0;
++ /* dvb_ringbuffer_reset() counts as read and write operation
++ * smp_store_release() to update read pointer
++ */
++ smp_store_release(&rbuf->pread, 0);
++ /* smp_store_release() to update write pointer */
++ smp_store_release(&rbuf->pwrite, 0);
+ rbuf->error = 0;
+ }
+
+@@ -119,12 +145,17 @@ ssize_t dvb_ringbuffer_read_user(struct dvb_ringbuffer *rbuf, u8 __user *buf, si
+ return -EFAULT;
+ buf += split;
+ todo -= split;
+- rbuf->pread = 0;
++ /* smp_store_release() for read pointer update to ensure
++ * that buf is not overwritten until read is complete,
++ * this pairs with ACCESS_ONCE() in dvb_ringbuffer_free()
++ */
++ smp_store_release(&rbuf->pread, 0);
+ }
+ if (copy_to_user(buf, rbuf->data+rbuf->pread, todo))
+ return -EFAULT;
+
+- rbuf->pread = (rbuf->pread + todo) % rbuf->size;
++ /* smp_store_release() to update read pointer, see above */
++ smp_store_release(&rbuf->pread, (rbuf->pread + todo) % rbuf->size);
+
+ return len;
+ }
+@@ -139,11 +170,16 @@ void dvb_ringbuffer_read(struct dvb_ringbuffer *rbuf, u8 *buf, size_t len)
+ memcpy(buf, rbuf->data+rbuf->pread, split);
+ buf += split;
+ todo -= split;
+- rbuf->pread = 0;
++ /* smp_store_release() for read pointer update to ensure
++ * that buf is not overwritten until read is complete,
++ * this pairs with ACCESS_ONCE() in dvb_ringbuffer_free()
++ */
++ smp_store_release(&rbuf->pread, 0);
+ }
+ memcpy(buf, rbuf->data+rbuf->pread, todo);
+
+- rbuf->pread = (rbuf->pread + todo) % rbuf->size;
++ /* smp_store_release() to update read pointer, see above */
++ smp_store_release(&rbuf->pread, (rbuf->pread + todo) % rbuf->size);
+ }
+
+
+@@ -158,10 +194,16 @@ ssize_t dvb_ringbuffer_write(struct dvb_ringbuffer *rbuf, const u8 *buf, size_t
+ memcpy(rbuf->data+rbuf->pwrite, buf, split);
+ buf += split;
+ todo -= split;
+- rbuf->pwrite = 0;
++ /* smp_store_release() for write pointer update to ensure that
++ * written data is visible on other cpu cores before the pointer
++ * update, this pairs with smp_load_acquire() in
++ * dvb_ringbuffer_empty() or dvb_ringbuffer_avail()
++ */
++ smp_store_release(&rbuf->pwrite, 0);
+ }
+ memcpy(rbuf->data+rbuf->pwrite, buf, todo);
+- rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size;
++ /* smp_store_release() for write pointer update, see above */
++ smp_store_release(&rbuf->pwrite, (rbuf->pwrite + todo) % rbuf->size);
+
+ return len;
+ }
+@@ -181,12 +223,18 @@ ssize_t dvb_ringbuffer_write_user(struct dvb_ringbuffer *rbuf,
+ return len - todo;
+ buf += split;
+ todo -= split;
+- rbuf->pwrite = 0;
++ /* smp_store_release() for write pointer update to ensure that
++ * written data is visible on other cpu cores before the pointer
++ * update, this pairs with smp_load_acquire() in
++ * dvb_ringbuffer_empty() or dvb_ringbuffer_avail()
++ */
++ smp_store_release(&rbuf->pwrite, 0);
+ }
+ status = copy_from_user(rbuf->data+rbuf->pwrite, buf, todo);
+ if (status)
+ return len - todo;
+- rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size;
++ /* smp_store_release() for write pointer update, see above */
++ smp_store_release(&rbuf->pwrite, (rbuf->pwrite + todo) % rbuf->size);
+
+ return len;
+ }
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+index b16466f..beb4fd5 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1050,6 +1050,11 @@ static int match_child(struct device *dev, void *data)
+ return !strcmp(dev_name(dev), (char *)data);
+ }
+
++static void s5p_mfc_memdev_release(struct device *dev)
++{
++ dma_release_declared_memory(dev);
++}
++
+ static void *mfc_get_drv_data(struct platform_device *pdev);
+
+ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
+@@ -1062,6 +1067,9 @@ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
+ mfc_err("Not enough memory\n");
+ return -ENOMEM;
+ }
++
++ dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");
++ dev->mem_dev_l->release = s5p_mfc_memdev_release;
+ device_initialize(dev->mem_dev_l);
+ of_property_read_u32_array(dev->plat_dev->dev.of_node,
+ "samsung,mfc-l", mem_info, 2);
+@@ -1079,6 +1087,9 @@ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
+ mfc_err("Not enough memory\n");
+ return -ENOMEM;
+ }
++
++ dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r");
++ dev->mem_dev_r->release = s5p_mfc_memdev_release;
+ device_initialize(dev->mem_dev_r);
+ of_property_read_u32_array(dev->plat_dev->dev.of_node,
+ "samsung,mfc-r", mem_info, 2);
+diff --git a/drivers/media/rc/ir-rc5-decoder.c b/drivers/media/rc/ir-rc5-decoder.c
+index 6ffe776..a0fd4e6 100644
+--- a/drivers/media/rc/ir-rc5-decoder.c
++++ b/drivers/media/rc/ir-rc5-decoder.c
+@@ -29,7 +29,7 @@
+ #define RC5_BIT_START (1 * RC5_UNIT)
+ #define RC5_BIT_END (1 * RC5_UNIT)
+ #define RC5X_SPACE (4 * RC5_UNIT)
+-#define RC5_TRAILER (10 * RC5_UNIT) /* In reality, approx 100 */
++#define RC5_TRAILER (6 * RC5_UNIT) /* In reality, approx 100 */
+
+ enum rc5_state {
+ STATE_INACTIVE,
+diff --git a/drivers/media/rc/nuvoton-cir.c b/drivers/media/rc/nuvoton-cir.c
+index 99b303b..e8ceb0e 100644
+--- a/drivers/media/rc/nuvoton-cir.c
++++ b/drivers/media/rc/nuvoton-cir.c
+@@ -401,6 +401,7 @@ static int nvt_hw_detect(struct nvt_dev *nvt)
+ /* Check if we're wired for the alternate EFER setup */
+ nvt->chip_major = nvt_cr_read(nvt, CR_CHIP_ID_HI);
+ if (nvt->chip_major == 0xff) {
++ nvt_efm_disable(nvt);
+ nvt->cr_efir = CR_EFIR2;
+ nvt->cr_efdr = CR_EFDR2;
+ nvt_efm_enable(nvt);
+diff --git a/drivers/media/usb/usbtv/usbtv-audio.c b/drivers/media/usb/usbtv/usbtv-audio.c
+index 78c12d2..5dab024 100644
+--- a/drivers/media/usb/usbtv/usbtv-audio.c
++++ b/drivers/media/usb/usbtv/usbtv-audio.c
+@@ -278,6 +278,9 @@ static void snd_usbtv_trigger(struct work_struct *work)
+ {
+ struct usbtv *chip = container_of(work, struct usbtv, snd_trigger);
+
++ if (!chip->snd)
++ return;
++
+ if (atomic_read(&chip->snd_stream))
+ usbtv_audio_start(chip);
+ else
+@@ -378,6 +381,8 @@ err:
+
+ void usbtv_audio_free(struct usbtv *usbtv)
+ {
++ cancel_work_sync(&usbtv->snd_trigger);
++
+ if (usbtv->snd && usbtv->udev) {
+ snd_card_free(usbtv->snd);
+ usbtv->snd = NULL;
+diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
+index 9fbcb67..633fc1a 100644
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1648,7 +1648,7 @@ static int __vb2_get_done_vb(struct vb2_queue *q, struct vb2_buffer **vb,
+ void *pb, int nonblocking)
+ {
+ unsigned long flags;
+- int ret;
++ int ret = 0;
+
+ /*
+ * Wait for at least one buffer to become available on the done_list.
+@@ -1664,10 +1664,12 @@ static int __vb2_get_done_vb(struct vb2_queue *q, struct vb2_buffer **vb,
+ spin_lock_irqsave(&q->done_lock, flags);
+ *vb = list_first_entry(&q->done_list, struct vb2_buffer, done_entry);
+ /*
+- * Only remove the buffer from done_list if v4l2_buffer can handle all
+- * the planes.
++ * Only remove the buffer from done_list if all planes can be
++ * handled. Some cases such as V4L2 file I/O and DVB have pb
++ * == NULL; skip the check then as there's nothing to verify.
+ */
+- ret = call_bufop(q, verify_planes_array, *vb, pb);
++ if (pb)
++ ret = call_bufop(q, verify_planes_array, *vb, pb);
+ if (!ret)
+ list_del(&(*vb)->done_entry);
+ spin_unlock_irqrestore(&q->done_lock, flags);
+diff --git a/drivers/media/v4l2-core/videobuf2-v4l2.c b/drivers/media/v4l2-core/videobuf2-v4l2.c
+index 0b1b8c7..7f366f1 100644
+--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
+@@ -74,6 +74,11 @@ static int __verify_planes_array(struct vb2_buffer *vb, const struct v4l2_buffer
+ return 0;
+ }
+
++static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
++{
++ return __verify_planes_array(vb, pb);
++}
++
+ /**
+ * __verify_length() - Verify that the bytesused value for each plane fits in
+ * the plane length and that the data offset doesn't exceed the bytesused value.
+@@ -437,6 +442,7 @@ static int __fill_vb2_buffer(struct vb2_buffer *vb,
+ }
+
+ static const struct vb2_buf_ops v4l2_buf_ops = {
++ .verify_planes_array = __verify_planes_array_core,
+ .fill_user_buffer = __fill_v4l2_buffer,
+ .fill_vb2_buffer = __fill_vb2_buffer,
+ .copy_timestamp = __copy_timestamp,
+diff --git a/drivers/mfd/qcom_rpm.c b/drivers/mfd/qcom_rpm.c
+index 1be47ad..880d469 100644
+--- a/drivers/mfd/qcom_rpm.c
++++ b/drivers/mfd/qcom_rpm.c
+@@ -34,7 +34,13 @@ struct qcom_rpm_resource {
+ struct qcom_rpm_data {
+ u32 version;
+ const struct qcom_rpm_resource *resource_table;
+- unsigned n_resources;
++ unsigned int n_resources;
++ unsigned int req_ctx_off;
++ unsigned int req_sel_off;
++ unsigned int ack_ctx_off;
++ unsigned int ack_sel_off;
++ unsigned int req_sel_size;
++ unsigned int ack_sel_size;
+ };
+
+ struct qcom_rpm {
+@@ -61,11 +67,7 @@ struct qcom_rpm {
+
+ #define RPM_REQUEST_TIMEOUT (5 * HZ)
+
+-#define RPM_REQUEST_CONTEXT 3
+-#define RPM_REQ_SELECT 11
+-#define RPM_ACK_CONTEXT 15
+-#define RPM_ACK_SELECTOR 23
+-#define RPM_SELECT_SIZE 7
++#define RPM_MAX_SEL_SIZE 7
+
+ #define RPM_NOTIFICATION BIT(30)
+ #define RPM_REJECTED BIT(31)
+@@ -157,6 +159,12 @@ static const struct qcom_rpm_data apq8064_template = {
+ .version = 3,
+ .resource_table = apq8064_rpm_resource_table,
+ .n_resources = ARRAY_SIZE(apq8064_rpm_resource_table),
++ .req_ctx_off = 3,
++ .req_sel_off = 11,
++ .ack_ctx_off = 15,
++ .ack_sel_off = 23,
++ .req_sel_size = 4,
++ .ack_sel_size = 7,
+ };
+
+ static const struct qcom_rpm_resource msm8660_rpm_resource_table[] = {
+@@ -240,6 +248,12 @@ static const struct qcom_rpm_data msm8660_template = {
+ .version = 2,
+ .resource_table = msm8660_rpm_resource_table,
+ .n_resources = ARRAY_SIZE(msm8660_rpm_resource_table),
++ .req_ctx_off = 3,
++ .req_sel_off = 11,
++ .ack_ctx_off = 19,
++ .ack_sel_off = 27,
++ .req_sel_size = 7,
++ .ack_sel_size = 7,
+ };
+
+ static const struct qcom_rpm_resource msm8960_rpm_resource_table[] = {
+@@ -322,6 +336,12 @@ static const struct qcom_rpm_data msm8960_template = {
+ .version = 3,
+ .resource_table = msm8960_rpm_resource_table,
+ .n_resources = ARRAY_SIZE(msm8960_rpm_resource_table),
++ .req_ctx_off = 3,
++ .req_sel_off = 11,
++ .ack_ctx_off = 15,
++ .ack_sel_off = 23,
++ .req_sel_size = 4,
++ .ack_sel_size = 7,
+ };
+
+ static const struct qcom_rpm_resource ipq806x_rpm_resource_table[] = {
+@@ -362,6 +382,12 @@ static const struct qcom_rpm_data ipq806x_template = {
+ .version = 3,
+ .resource_table = ipq806x_rpm_resource_table,
+ .n_resources = ARRAY_SIZE(ipq806x_rpm_resource_table),
++ .req_ctx_off = 3,
++ .req_sel_off = 11,
++ .ack_ctx_off = 15,
++ .ack_sel_off = 23,
++ .req_sel_size = 4,
++ .ack_sel_size = 7,
+ };
+
+ static const struct of_device_id qcom_rpm_of_match[] = {
+@@ -380,7 +406,7 @@ int qcom_rpm_write(struct qcom_rpm *rpm,
+ {
+ const struct qcom_rpm_resource *res;
+ const struct qcom_rpm_data *data = rpm->data;
+- u32 sel_mask[RPM_SELECT_SIZE] = { 0 };
++ u32 sel_mask[RPM_MAX_SEL_SIZE] = { 0 };
+ int left;
+ int ret = 0;
+ int i;
+@@ -398,12 +424,12 @@ int qcom_rpm_write(struct qcom_rpm *rpm,
+ writel_relaxed(buf[i], RPM_REQ_REG(rpm, res->target_id + i));
+
+ bitmap_set((unsigned long *)sel_mask, res->select_id, 1);
+- for (i = 0; i < ARRAY_SIZE(sel_mask); i++) {
++ for (i = 0; i < rpm->data->req_sel_size; i++) {
+ writel_relaxed(sel_mask[i],
+- RPM_CTRL_REG(rpm, RPM_REQ_SELECT + i));
++ RPM_CTRL_REG(rpm, rpm->data->req_sel_off + i));
+ }
+
+- writel_relaxed(BIT(state), RPM_CTRL_REG(rpm, RPM_REQUEST_CONTEXT));
++ writel_relaxed(BIT(state), RPM_CTRL_REG(rpm, rpm->data->req_ctx_off));
+
+ reinit_completion(&rpm->ack);
+ regmap_write(rpm->ipc_regmap, rpm->ipc_offset, BIT(rpm->ipc_bit));
+@@ -426,10 +452,11 @@ static irqreturn_t qcom_rpm_ack_interrupt(int irq, void *dev)
+ u32 ack;
+ int i;
+
+- ack = readl_relaxed(RPM_CTRL_REG(rpm, RPM_ACK_CONTEXT));
+- for (i = 0; i < RPM_SELECT_SIZE; i++)
+- writel_relaxed(0, RPM_CTRL_REG(rpm, RPM_ACK_SELECTOR + i));
+- writel(0, RPM_CTRL_REG(rpm, RPM_ACK_CONTEXT));
++ ack = readl_relaxed(RPM_CTRL_REG(rpm, rpm->data->ack_ctx_off));
++ for (i = 0; i < rpm->data->ack_sel_size; i++)
++ writel_relaxed(0,
++ RPM_CTRL_REG(rpm, rpm->data->ack_sel_off + i));
++ writel(0, RPM_CTRL_REG(rpm, rpm->data->ack_ctx_off));
+
+ if (ack & RPM_NOTIFICATION) {
+ dev_warn(rpm->dev, "ignoring notification!\n");
+diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
+index 0b0dc29..77533f7 100644
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -2610,7 +2610,7 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
+ int cached = writelen > bytes && page != blockmask;
+ uint8_t *wbuf = buf;
+ int use_bufpoi;
+- int part_pagewr = (column || writelen < (mtd->writesize - 1));
++ int part_pagewr = (column || writelen < mtd->writesize);
+
+ if (part_pagewr)
+ use_bufpoi = 1;
+diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
+index ef36182..0680516 100644
+--- a/drivers/mtd/ubi/build.c
++++ b/drivers/mtd/ubi/build.c
+@@ -874,7 +874,7 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
+ for (i = 0; i < UBI_MAX_DEVICES; i++) {
+ ubi = ubi_devices[i];
+ if (ubi && mtd->index == ubi->mtd->index) {
+- ubi_err(ubi, "mtd%d is already attached to ubi%d",
++ pr_err("ubi: mtd%d is already attached to ubi%d",
+ mtd->index, i);
+ return -EEXIST;
+ }
+@@ -889,7 +889,7 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
+ * no sense to attach emulated MTD devices, so we prohibit this.
+ */
+ if (mtd->type == MTD_UBIVOLUME) {
+- ubi_err(ubi, "refuse attaching mtd%d - it is already emulated on top of UBI",
++ pr_err("ubi: refuse attaching mtd%d - it is already emulated on top of UBI",
+ mtd->index);
+ return -EINVAL;
+ }
+@@ -900,7 +900,7 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
+ if (!ubi_devices[ubi_num])
+ break;
+ if (ubi_num == UBI_MAX_DEVICES) {
+- ubi_err(ubi, "only %d UBI devices may be created",
++ pr_err("ubi: only %d UBI devices may be created",
+ UBI_MAX_DEVICES);
+ return -ENFILE;
+ }
+@@ -910,7 +910,7 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
+
+ /* Make sure ubi_num is not busy */
+ if (ubi_devices[ubi_num]) {
+- ubi_err(ubi, "already exists");
++ pr_err("ubi: ubi%i already exists", ubi_num);
+ return -EEXIST;
+ }
+ }
+@@ -992,6 +992,9 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
+ goto out_detach;
+ }
+
++ /* Make device "available" before it becomes accessible via sysfs */
++ ubi_devices[ubi_num] = ubi;
++
+ err = uif_init(ubi, &ref);
+ if (err)
+ goto out_detach;
+@@ -1036,7 +1039,6 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
+ wake_up_process(ubi->bgt_thread);
+ spin_unlock(&ubi->wl_lock);
+
+- ubi_devices[ubi_num] = ubi;
+ ubi_notify_all(ubi, UBI_VOLUME_ADDED, NULL);
+ return ubi_num;
+
+@@ -1047,6 +1049,7 @@ out_uif:
+ ubi_assert(ref);
+ uif_close(ubi);
+ out_detach:
++ ubi_devices[ubi_num] = NULL;
+ ubi_wl_close(ubi);
+ ubi_free_internal_volumes(ubi);
+ vfree(ubi->vtbl);
+diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
+index 10059df..0138f52 100644
+--- a/drivers/mtd/ubi/vmt.c
++++ b/drivers/mtd/ubi/vmt.c
+@@ -488,13 +488,6 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs)
+ spin_unlock(&ubi->volumes_lock);
+ }
+
+- /* Change volume table record */
+- vtbl_rec = ubi->vtbl[vol_id];
+- vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs);
+- err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec);
+- if (err)
+- goto out_acc;
+-
+ if (pebs < 0) {
+ for (i = 0; i < -pebs; i++) {
+ err = ubi_eba_unmap_leb(ubi, vol, reserved_pebs + i);
+@@ -512,6 +505,24 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs)
+ spin_unlock(&ubi->volumes_lock);
+ }
+
++ /*
++ * When we shrink a volume we have to flush all pending (erase) work.
++ * Otherwise it can happen that upon next attach UBI finds a LEB with
++ * lnum > highest_lnum and refuses to attach.
++ */
++ if (pebs < 0) {
++ err = ubi_wl_flush(ubi, vol_id, UBI_ALL);
++ if (err)
++ goto out_acc;
++ }
++
++ /* Change volume table record */
++ vtbl_rec = ubi->vtbl[vol_id];
++ vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs);
++ err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec);
++ if (err)
++ goto out_acc;
++
+ vol->reserved_pebs = reserved_pebs;
+ if (vol->vol_type == UBI_DYNAMIC_VOLUME) {
+ vol->used_ebs = reserved_pebs;
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+index 5b30922..2ce3199 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+@@ -2469,10 +2469,22 @@ void brcmf_fws_bustxfail(struct brcmf_fws_info *fws, struct sk_buff *skb)
+ void brcmf_fws_bus_blocked(struct brcmf_pub *drvr, bool flow_blocked)
+ {
+ struct brcmf_fws_info *fws = drvr->fws;
++ struct brcmf_if *ifp;
++ int i;
+
+- fws->bus_flow_blocked = flow_blocked;
+- if (!flow_blocked)
+- brcmf_fws_schedule_deq(fws);
+- else
+- fws->stats.bus_flow_block++;
++ if (fws->avoid_queueing) {
++ for (i = 0; i < BRCMF_MAX_IFS; i++) {
++ ifp = drvr->iflist[i];
++ if (!ifp || !ifp->ndev)
++ continue;
++ brcmf_txflowblock_if(ifp, BRCMF_NETIF_STOP_REASON_FLOW,
++ flow_blocked);
++ }
++ } else {
++ fws->bus_flow_blocked = flow_blocked;
++ if (!flow_blocked)
++ brcmf_fws_schedule_deq(fws);
++ else
++ fws->stats.bus_flow_block++;
++ }
+ }
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index a588b05..6f020e4 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -433,6 +433,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ /* 8000 Series */
+ {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x1010, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x10B0, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0130, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x1130, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0132, iwl8260_2ac_cfg)},
+@@ -454,6 +455,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x24F3, 0xD010, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0xC050, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0xD050, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0xD0B0, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0xB0B0, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x8010, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x8110, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x9010, iwl8260_2ac_cfg)},
+@@ -481,6 +484,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x24FD, 0x0010, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x0110, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x1110, iwl8265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24FD, 0x1130, iwl8265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24FD, 0x0130, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x1010, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x0050, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x0150, iwl8265_2ac_cfg)},
+@@ -491,6 +496,10 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x24FD, 0x0810, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x9110, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x8130, iwl8265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24FD, 0x0910, iwl8265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24FD, 0x0930, iwl8265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24FD, 0x0950, iwl8265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24FD, 0x0850, iwl8265_2ac_cfg)},
+
+ /* 9000 Series */
+ {IWL_PCI_DEVICE(0x2526, 0x0000, iwl9260_2ac_cfg)},
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
+index de6974f..2d8cce2 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
+@@ -496,7 +496,7 @@ void iwl_pcie_dump_csr(struct iwl_trans *trans);
+ /*****************************************************
+ * Helpers
+ ******************************************************/
+-static inline void iwl_disable_interrupts(struct iwl_trans *trans)
++static inline void _iwl_disable_interrupts(struct iwl_trans *trans)
+ {
+ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+
+@@ -519,7 +519,16 @@ static inline void iwl_disable_interrupts(struct iwl_trans *trans)
+ IWL_DEBUG_ISR(trans, "Disabled interrupts\n");
+ }
+
+-static inline void iwl_enable_interrupts(struct iwl_trans *trans)
++static inline void iwl_disable_interrupts(struct iwl_trans *trans)
++{
++ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
++
++ spin_lock(&trans_pcie->irq_lock);
++ _iwl_disable_interrupts(trans);
++ spin_unlock(&trans_pcie->irq_lock);
++}
++
++static inline void _iwl_enable_interrupts(struct iwl_trans *trans)
+ {
+ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+
+@@ -542,6 +551,14 @@ static inline void iwl_enable_interrupts(struct iwl_trans *trans)
+ }
+ }
+
++static inline void iwl_enable_interrupts(struct iwl_trans *trans)
++{
++ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
++
++ spin_lock(&trans_pcie->irq_lock);
++ _iwl_enable_interrupts(trans);
++ spin_unlock(&trans_pcie->irq_lock);
++}
+ static inline void iwl_enable_hw_int_msk_msix(struct iwl_trans *trans, u32 msk)
+ {
+ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+index 0a4a3c5..aaaf2ad 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+@@ -1507,7 +1507,7 @@ irqreturn_t iwl_pcie_irq_handler(int irq, void *dev_id)
+ * have anything to service
+ */
+ if (test_bit(STATUS_INT_ENABLED, &trans->status))
+- iwl_enable_interrupts(trans);
++ _iwl_enable_interrupts(trans);
+ spin_unlock(&trans_pcie->irq_lock);
+ lock_map_release(&trans->sync_cmd_lockdep_map);
+ return IRQ_NONE;
+@@ -1699,15 +1699,17 @@ irqreturn_t iwl_pcie_irq_handler(int irq, void *dev_id)
+ inta & ~trans_pcie->inta_mask);
+ }
+
++ spin_lock(&trans_pcie->irq_lock);
++ /* only Re-enable all interrupt if disabled by irq */
++ if (test_bit(STATUS_INT_ENABLED, &trans->status))
++ _iwl_enable_interrupts(trans);
+ /* we are loading the firmware, enable FH_TX interrupt only */
+- if (handled & CSR_INT_BIT_FH_TX)
++ else if (handled & CSR_INT_BIT_FH_TX)
+ iwl_enable_fw_load_int(trans);
+- /* only Re-enable all interrupt if disabled by irq */
+- else if (test_bit(STATUS_INT_ENABLED, &trans->status))
+- iwl_enable_interrupts(trans);
+ /* Re-enable RF_KILL if it occurred */
+ else if (handled & CSR_INT_BIT_RF_KILL)
+ iwl_enable_rfkill_int(trans);
++ spin_unlock(&trans_pcie->irq_lock);
+
+ out:
+ lock_map_release(&trans->sync_cmd_lockdep_map);
+@@ -1771,7 +1773,7 @@ void iwl_pcie_reset_ict(struct iwl_trans *trans)
+ return;
+
+ spin_lock(&trans_pcie->irq_lock);
+- iwl_disable_interrupts(trans);
++ _iwl_disable_interrupts(trans);
+
+ memset(trans_pcie->ict_tbl, 0, ICT_SIZE);
+
+@@ -1787,7 +1789,7 @@ void iwl_pcie_reset_ict(struct iwl_trans *trans)
+ trans_pcie->use_ict = true;
+ trans_pcie->ict_index = 0;
+ iwl_write32(trans, CSR_INT, trans_pcie->inta_mask);
+- iwl_enable_interrupts(trans);
++ _iwl_enable_interrupts(trans);
+ spin_unlock(&trans_pcie->irq_lock);
+ }
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+index f603d78..d9f1394 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -801,6 +801,8 @@ static int iwl_pcie_load_cpu_sections_8000(struct iwl_trans *trans,
+
+ *first_ucode_section = last_read_idx;
+
++ iwl_enable_interrupts(trans);
++
+ if (cpu == 1)
+ iwl_write_direct32(trans, FH_UCODE_LOAD_STATUS, 0xFFFF);
+ else
+@@ -980,6 +982,8 @@ static int iwl_pcie_load_given_ucode(struct iwl_trans *trans,
+ iwl_pcie_apply_destination(trans);
+ }
+
++ iwl_enable_interrupts(trans);
++
+ /* release CPU reset */
+ iwl_write32(trans, CSR_RESET, 0);
+
+@@ -1033,9 +1037,7 @@ static void _iwl_trans_pcie_stop_device(struct iwl_trans *trans, bool low_power)
+ was_hw_rfkill = iwl_is_rfkill_set(trans);
+
+ /* tell the device to stop sending interrupts */
+- spin_lock(&trans_pcie->irq_lock);
+ iwl_disable_interrupts(trans);
+- spin_unlock(&trans_pcie->irq_lock);
+
+ /* device going down, Stop using ICT table */
+ iwl_pcie_disable_ict(trans);
+@@ -1079,9 +1081,7 @@ static void _iwl_trans_pcie_stop_device(struct iwl_trans *trans, bool low_power)
+ * the time, unless the interrupt is ACKed even if the interrupt
+ * should be masked. Re-ACK all the interrupts here.
+ */
+- spin_lock(&trans_pcie->irq_lock);
+ iwl_disable_interrupts(trans);
+- spin_unlock(&trans_pcie->irq_lock);
+
+ /* clear all status bits */
+ clear_bit(STATUS_SYNC_HCMD_ACTIVE, &trans->status);
+@@ -1215,7 +1215,6 @@ static int iwl_trans_pcie_start_fw(struct iwl_trans *trans,
+ ret = iwl_pcie_load_given_ucode_8000(trans, fw);
+ else
+ ret = iwl_pcie_load_given_ucode(trans, fw);
+- iwl_enable_interrupts(trans);
+
+ /* re-check RF-Kill state since we may have missed the interrupt */
+ hw_rfkill = iwl_is_rfkill_set(trans);
+@@ -1567,15 +1566,11 @@ static void iwl_trans_pcie_op_mode_leave(struct iwl_trans *trans)
+ mutex_lock(&trans_pcie->mutex);
+
+ /* disable interrupts - don't enable HW RF kill interrupt */
+- spin_lock(&trans_pcie->irq_lock);
+ iwl_disable_interrupts(trans);
+- spin_unlock(&trans_pcie->irq_lock);
+
+ iwl_pcie_apm_stop(trans, true);
+
+- spin_lock(&trans_pcie->irq_lock);
+ iwl_disable_interrupts(trans);
+- spin_unlock(&trans_pcie->irq_lock);
+
+ iwl_pcie_disable_ict(trans);
+
+diff --git a/drivers/of/base.c b/drivers/of/base.c
+index ebf84e3..8bb3d1a 100644
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -112,6 +112,7 @@ static ssize_t of_node_property_read(struct file *filp, struct kobject *kobj,
+ return memory_read_from_buffer(buf, count, &offset, pp->value, pp->length);
+ }
+
++/* always return newly allocated name, caller must free after use */
+ static const char *safe_name(struct kobject *kobj, const char *orig_name)
+ {
+ const char *name = orig_name;
+@@ -126,9 +127,12 @@ static const char *safe_name(struct kobject *kobj, const char *orig_name)
+ name = kasprintf(GFP_KERNEL, "%s#%i", orig_name, ++i);
+ }
+
+- if (name != orig_name)
++ if (name == orig_name) {
++ name = kstrdup(orig_name, GFP_KERNEL);
++ } else {
+ pr_warn("device-tree: Duplicate name in %s, renamed to \"%s\"\n",
+ kobject_name(kobj), name);
++ }
+ return name;
+ }
+
+@@ -159,6 +163,7 @@ int __of_add_property_sysfs(struct device_node *np, struct property *pp)
+ int __of_attach_node_sysfs(struct device_node *np)
+ {
+ const char *name;
++ struct kobject *parent;
+ struct property *pp;
+ int rc;
+
+@@ -171,15 +176,16 @@ int __of_attach_node_sysfs(struct device_node *np)
+ np->kobj.kset = of_kset;
+ if (!np->parent) {
+ /* Nodes without parents are new top level trees */
+- rc = kobject_add(&np->kobj, NULL, "%s",
+- safe_name(&of_kset->kobj, "base"));
++ name = safe_name(&of_kset->kobj, "base");
++ parent = NULL;
+ } else {
+ name = safe_name(&np->parent->kobj, kbasename(np->full_name));
+- if (!name || !name[0])
+- return -EINVAL;
+-
+- rc = kobject_add(&np->kobj, &np->parent->kobj, "%s", name);
++ parent = &np->parent->kobj;
+ }
++ if (!name)
++ return -ENOMEM;
++ rc = kobject_add(&np->kobj, parent, "%s", name);
++ kfree(name);
+ if (rc)
+ return rc;
+
+@@ -1815,6 +1821,12 @@ int __of_remove_property(struct device_node *np, struct property *prop)
+ return 0;
+ }
+
++void __of_sysfs_remove_bin_file(struct device_node *np, struct property *prop)
++{
++ sysfs_remove_bin_file(&np->kobj, &prop->attr);
++ kfree(prop->attr.attr.name);
++}
++
+ void __of_remove_property_sysfs(struct device_node *np, struct property *prop)
+ {
+ if (!IS_ENABLED(CONFIG_SYSFS))
+@@ -1822,7 +1834,7 @@ void __of_remove_property_sysfs(struct device_node *np, struct property *prop)
+
+ /* at early boot, bail here and defer setup to of_init() */
+ if (of_kset && of_node_is_attached(np))
+- sysfs_remove_bin_file(&np->kobj, &prop->attr);
++ __of_sysfs_remove_bin_file(np, prop);
+ }
+
+ /**
+@@ -1895,7 +1907,7 @@ void __of_update_property_sysfs(struct device_node *np, struct property *newprop
+ return;
+
+ if (oldprop)
+- sysfs_remove_bin_file(&np->kobj, &oldprop->attr);
++ __of_sysfs_remove_bin_file(np, oldprop);
+ __of_add_property_sysfs(np, newprop);
+ }
+
+diff --git a/drivers/of/dynamic.c b/drivers/of/dynamic.c
+index 3033fa3..a201559 100644
+--- a/drivers/of/dynamic.c
++++ b/drivers/of/dynamic.c
+@@ -55,7 +55,7 @@ void __of_detach_node_sysfs(struct device_node *np)
+ /* only remove properties if on sysfs */
+ if (of_node_is_attached(np)) {
+ for_each_property_of_node(np, pp)
+- sysfs_remove_bin_file(&np->kobj, &pp->attr);
++ __of_sysfs_remove_bin_file(np, pp);
+ kobject_del(&np->kobj);
+ }
+
+diff --git a/drivers/of/of_private.h b/drivers/of/of_private.h
+index 829469f..18bbb451 100644
+--- a/drivers/of/of_private.h
++++ b/drivers/of/of_private.h
+@@ -83,6 +83,9 @@ extern int __of_attach_node_sysfs(struct device_node *np);
+ extern void __of_detach_node(struct device_node *np);
+ extern void __of_detach_node_sysfs(struct device_node *np);
+
++extern void __of_sysfs_remove_bin_file(struct device_node *np,
++ struct property *prop);
++
+ /* iterators for transactions, used for overlays */
+ /* forward iterator */
+ #define for_each_transaction_entry(_oft, _te) \
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index ee72ebe..7902fbf 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3189,13 +3189,15 @@ static void quirk_no_bus_reset(struct pci_dev *dev)
+ }
+
+ /*
+- * Atheros AR93xx chips do not behave after a bus reset. The device will
+- * throw a Link Down error on AER-capable systems and regardless of AER,
+- * config space of the device is never accessible again and typically
+- * causes the system to hang or reset when access is attempted.
++ * Some Atheros AR9xxx and QCA988x chips do not behave after a bus reset.
++ * The device will throw a Link Down error on AER-capable systems and
++ * regardless of AER, config space of the device is never accessible again
++ * and typically causes the system to hang or reset when access is attempted.
+ * http://www.spinics.net/lists/linux-pci/msg34797.html
+ */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0030, quirk_no_bus_reset);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0032, quirk_no_bus_reset);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset);
+
+ static void quirk_no_pm_reset(struct pci_dev *dev)
+ {
+diff --git a/drivers/phy/phy-rcar-gen3-usb2.c b/drivers/phy/phy-rcar-gen3-usb2.c
+index 4be3f5d..31156c9 100644
+--- a/drivers/phy/phy-rcar-gen3-usb2.c
++++ b/drivers/phy/phy-rcar-gen3-usb2.c
+@@ -21,6 +21,7 @@
+ #include <linux/phy/phy.h>
+ #include <linux/platform_device.h>
+ #include <linux/regulator/consumer.h>
++#include <linux/workqueue.h>
+
+ /******* USB2.0 Host registers (original offset is +0x200) *******/
+ #define USB2_INT_ENABLE 0x000
+@@ -81,9 +82,25 @@ struct rcar_gen3_chan {
+ struct extcon_dev *extcon;
+ struct phy *phy;
+ struct regulator *vbus;
++ struct work_struct work;
++ bool extcon_host;
+ bool has_otg;
+ };
+
++static void rcar_gen3_phy_usb2_work(struct work_struct *work)
++{
++ struct rcar_gen3_chan *ch = container_of(work, struct rcar_gen3_chan,
++ work);
++
++ if (ch->extcon_host) {
++ extcon_set_cable_state_(ch->extcon, EXTCON_USB_HOST, true);
++ extcon_set_cable_state_(ch->extcon, EXTCON_USB, false);
++ } else {
++ extcon_set_cable_state_(ch->extcon, EXTCON_USB_HOST, false);
++ extcon_set_cable_state_(ch->extcon, EXTCON_USB, true);
++ }
++}
++
+ static void rcar_gen3_set_host_mode(struct rcar_gen3_chan *ch, int host)
+ {
+ void __iomem *usb2_base = ch->base;
+@@ -130,8 +147,8 @@ static void rcar_gen3_init_for_host(struct rcar_gen3_chan *ch)
+ rcar_gen3_set_host_mode(ch, 1);
+ rcar_gen3_enable_vbus_ctrl(ch, 1);
+
+- extcon_set_cable_state_(ch->extcon, EXTCON_USB_HOST, true);
+- extcon_set_cable_state_(ch->extcon, EXTCON_USB, false);
++ ch->extcon_host = true;
++ schedule_work(&ch->work);
+ }
+
+ static void rcar_gen3_init_for_peri(struct rcar_gen3_chan *ch)
+@@ -140,8 +157,8 @@ static void rcar_gen3_init_for_peri(struct rcar_gen3_chan *ch)
+ rcar_gen3_set_host_mode(ch, 0);
+ rcar_gen3_enable_vbus_ctrl(ch, 0);
+
+- extcon_set_cable_state_(ch->extcon, EXTCON_USB_HOST, false);
+- extcon_set_cable_state_(ch->extcon, EXTCON_USB, true);
++ ch->extcon_host = false;
++ schedule_work(&ch->work);
+ }
+
+ static bool rcar_gen3_check_id(struct rcar_gen3_chan *ch)
+@@ -301,6 +318,7 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev)
+ if (irq >= 0) {
+ int ret;
+
++ INIT_WORK(&channel->work, rcar_gen3_phy_usb2_work);
+ irq = devm_request_irq(dev, irq, rcar_gen3_phy_usb2_irq,
+ IRQF_SHARED, dev_name(dev), channel);
+ if (irq < 0)
+diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c
+index ac4f564..bf65c94 100644
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -160,7 +160,6 @@ struct chv_pin_context {
+ * @pctldev: Pointer to the pin controller device
+ * @chip: GPIO chip in this pin controller
+ * @regs: MMIO registers
+- * @lock: Lock to serialize register accesses
+ * @intr_lines: Stores mapping between 16 HW interrupt wires and GPIO
+ * offset (in GPIO number space)
+ * @community: Community this pinctrl instance represents
+@@ -174,7 +173,6 @@ struct chv_pinctrl {
+ struct pinctrl_dev *pctldev;
+ struct gpio_chip chip;
+ void __iomem *regs;
+- raw_spinlock_t lock;
+ unsigned intr_lines[16];
+ const struct chv_community *community;
+ u32 saved_intmask;
+@@ -657,6 +655,17 @@ static const struct chv_community *chv_communities[] = {
+ &southeast_community,
+ };
+
++/*
++ * Lock to serialize register accesses
++ *
++ * Due to a silicon issue, a shared lock must be used to prevent
++ * concurrent accesses across the 4 GPIO controllers.
++ *
++ * See Intel Atom Z8000 Processor Series Specification Update (Rev. 005),
++ * errata #CHT34, for further information.
++ */
++static DEFINE_RAW_SPINLOCK(chv_lock);
++
+ static void __iomem *chv_padreg(struct chv_pinctrl *pctrl, unsigned offset,
+ unsigned reg)
+ {
+@@ -718,13 +727,13 @@ static void chv_pin_dbg_show(struct pinctrl_dev *pctldev, struct seq_file *s,
+ u32 ctrl0, ctrl1;
+ bool locked;
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+
+ ctrl0 = readl(chv_padreg(pctrl, offset, CHV_PADCTRL0));
+ ctrl1 = readl(chv_padreg(pctrl, offset, CHV_PADCTRL1));
+ locked = chv_pad_locked(pctrl, offset);
+
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+
+ if (ctrl0 & CHV_PADCTRL0_GPIOEN) {
+ seq_puts(s, "GPIO ");
+@@ -787,14 +796,14 @@ static int chv_pinmux_set_mux(struct pinctrl_dev *pctldev, unsigned function,
+
+ grp = &pctrl->community->groups[group];
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+
+ /* Check first that the pad is not locked */
+ for (i = 0; i < grp->npins; i++) {
+ if (chv_pad_locked(pctrl, grp->pins[i])) {
+ dev_warn(pctrl->dev, "unable to set mode for locked pin %u\n",
+ grp->pins[i]);
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+ return -EBUSY;
+ }
+ }
+@@ -837,7 +846,7 @@ static int chv_pinmux_set_mux(struct pinctrl_dev *pctldev, unsigned function,
+ pin, altfunc->mode, altfunc->invert_oe ? "" : "not ");
+ }
+
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+
+ return 0;
+ }
+@@ -851,13 +860,13 @@ static int chv_gpio_request_enable(struct pinctrl_dev *pctldev,
+ void __iomem *reg;
+ u32 value;
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+
+ if (chv_pad_locked(pctrl, offset)) {
+ value = readl(chv_padreg(pctrl, offset, CHV_PADCTRL0));
+ if (!(value & CHV_PADCTRL0_GPIOEN)) {
+ /* Locked so cannot enable */
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+ return -EBUSY;
+ }
+ } else {
+@@ -897,7 +906,7 @@ static int chv_gpio_request_enable(struct pinctrl_dev *pctldev,
+ chv_writel(value, reg);
+ }
+
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+
+ return 0;
+ }
+@@ -911,13 +920,13 @@ static void chv_gpio_disable_free(struct pinctrl_dev *pctldev,
+ void __iomem *reg;
+ u32 value;
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+
+ reg = chv_padreg(pctrl, offset, CHV_PADCTRL0);
+ value = readl(reg) & ~CHV_PADCTRL0_GPIOEN;
+ chv_writel(value, reg);
+
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+ }
+
+ static int chv_gpio_set_direction(struct pinctrl_dev *pctldev,
+@@ -929,7 +938,7 @@ static int chv_gpio_set_direction(struct pinctrl_dev *pctldev,
+ unsigned long flags;
+ u32 ctrl0;
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+
+ ctrl0 = readl(reg) & ~CHV_PADCTRL0_GPIOCFG_MASK;
+ if (input)
+@@ -938,7 +947,7 @@ static int chv_gpio_set_direction(struct pinctrl_dev *pctldev,
+ ctrl0 |= CHV_PADCTRL0_GPIOCFG_GPO << CHV_PADCTRL0_GPIOCFG_SHIFT;
+ chv_writel(ctrl0, reg);
+
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+
+ return 0;
+ }
+@@ -963,10 +972,10 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin,
+ u16 arg = 0;
+ u32 term;
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+ ctrl0 = readl(chv_padreg(pctrl, pin, CHV_PADCTRL0));
+ ctrl1 = readl(chv_padreg(pctrl, pin, CHV_PADCTRL1));
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+
+ term = (ctrl0 & CHV_PADCTRL0_TERM_MASK) >> CHV_PADCTRL0_TERM_SHIFT;
+
+@@ -1040,7 +1049,7 @@ static int chv_config_set_pull(struct chv_pinctrl *pctrl, unsigned pin,
+ unsigned long flags;
+ u32 ctrl0, pull;
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+ ctrl0 = readl(reg);
+
+ switch (param) {
+@@ -1063,7 +1072,7 @@ static int chv_config_set_pull(struct chv_pinctrl *pctrl, unsigned pin,
+ pull = CHV_PADCTRL0_TERM_20K << CHV_PADCTRL0_TERM_SHIFT;
+ break;
+ default:
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+ return -EINVAL;
+ }
+
+@@ -1081,7 +1090,7 @@ static int chv_config_set_pull(struct chv_pinctrl *pctrl, unsigned pin,
+ pull = CHV_PADCTRL0_TERM_20K << CHV_PADCTRL0_TERM_SHIFT;
+ break;
+ default:
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+ return -EINVAL;
+ }
+
+@@ -1089,12 +1098,12 @@ static int chv_config_set_pull(struct chv_pinctrl *pctrl, unsigned pin,
+ break;
+
+ default:
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+ return -EINVAL;
+ }
+
+ chv_writel(ctrl0, reg);
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+
+ return 0;
+ }
+@@ -1160,9 +1169,9 @@ static int chv_gpio_get(struct gpio_chip *chip, unsigned offset)
+ unsigned long flags;
+ u32 ctrl0, cfg;
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+ ctrl0 = readl(chv_padreg(pctrl, pin, CHV_PADCTRL0));
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+
+ cfg = ctrl0 & CHV_PADCTRL0_GPIOCFG_MASK;
+ cfg >>= CHV_PADCTRL0_GPIOCFG_SHIFT;
+@@ -1180,7 +1189,7 @@ static void chv_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
+ void __iomem *reg;
+ u32 ctrl0;
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+
+ reg = chv_padreg(pctrl, pin, CHV_PADCTRL0);
+ ctrl0 = readl(reg);
+@@ -1192,7 +1201,7 @@ static void chv_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
+
+ chv_writel(ctrl0, reg);
+
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+ }
+
+ static int chv_gpio_get_direction(struct gpio_chip *chip, unsigned offset)
+@@ -1202,9 +1211,9 @@ static int chv_gpio_get_direction(struct gpio_chip *chip, unsigned offset)
+ u32 ctrl0, direction;
+ unsigned long flags;
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+ ctrl0 = readl(chv_padreg(pctrl, pin, CHV_PADCTRL0));
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+
+ direction = ctrl0 & CHV_PADCTRL0_GPIOCFG_MASK;
+ direction >>= CHV_PADCTRL0_GPIOCFG_SHIFT;
+@@ -1242,14 +1251,14 @@ static void chv_gpio_irq_ack(struct irq_data *d)
+ int pin = chv_gpio_offset_to_pin(pctrl, irqd_to_hwirq(d));
+ u32 intr_line;
+
+- raw_spin_lock(&pctrl->lock);
++ raw_spin_lock(&chv_lock);
+
+ intr_line = readl(chv_padreg(pctrl, pin, CHV_PADCTRL0));
+ intr_line &= CHV_PADCTRL0_INTSEL_MASK;
+ intr_line >>= CHV_PADCTRL0_INTSEL_SHIFT;
+ chv_writel(BIT(intr_line), pctrl->regs + CHV_INTSTAT);
+
+- raw_spin_unlock(&pctrl->lock);
++ raw_spin_unlock(&chv_lock);
+ }
+
+ static void chv_gpio_irq_mask_unmask(struct irq_data *d, bool mask)
+@@ -1260,7 +1269,7 @@ static void chv_gpio_irq_mask_unmask(struct irq_data *d, bool mask)
+ u32 value, intr_line;
+ unsigned long flags;
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+
+ intr_line = readl(chv_padreg(pctrl, pin, CHV_PADCTRL0));
+ intr_line &= CHV_PADCTRL0_INTSEL_MASK;
+@@ -1273,7 +1282,7 @@ static void chv_gpio_irq_mask_unmask(struct irq_data *d, bool mask)
+ value |= BIT(intr_line);
+ chv_writel(value, pctrl->regs + CHV_INTMASK);
+
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+ }
+
+ static void chv_gpio_irq_mask(struct irq_data *d)
+@@ -1307,7 +1316,7 @@ static unsigned chv_gpio_irq_startup(struct irq_data *d)
+ unsigned long flags;
+ u32 intsel, value;
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+ intsel = readl(chv_padreg(pctrl, pin, CHV_PADCTRL0));
+ intsel &= CHV_PADCTRL0_INTSEL_MASK;
+ intsel >>= CHV_PADCTRL0_INTSEL_SHIFT;
+@@ -1322,7 +1331,7 @@ static unsigned chv_gpio_irq_startup(struct irq_data *d)
+ irq_set_handler_locked(d, handler);
+ pctrl->intr_lines[intsel] = offset;
+ }
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+ }
+
+ chv_gpio_irq_unmask(d);
+@@ -1338,7 +1347,7 @@ static int chv_gpio_irq_type(struct irq_data *d, unsigned type)
+ unsigned long flags;
+ u32 value;
+
+- raw_spin_lock_irqsave(&pctrl->lock, flags);
++ raw_spin_lock_irqsave(&chv_lock, flags);
+
+ /*
+ * Pins which can be used as shared interrupt are configured in
+@@ -1387,7 +1396,7 @@ static int chv_gpio_irq_type(struct irq_data *d, unsigned type)
+ else if (type & IRQ_TYPE_LEVEL_MASK)
+ irq_set_handler_locked(d, handle_level_irq);
+
+- raw_spin_unlock_irqrestore(&pctrl->lock, flags);
++ raw_spin_unlock_irqrestore(&chv_lock, flags);
+
+ return 0;
+ }
+@@ -1499,7 +1508,6 @@ static int chv_pinctrl_probe(struct platform_device *pdev)
+ if (i == ARRAY_SIZE(chv_communities))
+ return -ENODEV;
+
+- raw_spin_lock_init(&pctrl->lock);
+ pctrl->dev = &pdev->dev;
+
+ #ifdef CONFIG_PM_SLEEP
+diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c
+index 6f145f2..96ffda4 100644
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -718,6 +718,11 @@ static int __init hp_wmi_rfkill_setup(struct platform_device *device)
+ if (err)
+ return err;
+
++ err = hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless,
++ sizeof(wireless), 0);
++ if (err)
++ return err;
++
+ if (wireless & 0x1) {
+ wifi_rfkill = rfkill_alloc("hp-wifi", &device->dev,
+ RFKILL_TYPE_WLAN,
+@@ -882,7 +887,7 @@ static int __init hp_wmi_bios_setup(struct platform_device *device)
+ wwan_rfkill = NULL;
+ rfkill2_count = 0;
+
+- if (hp_wmi_bios_2009_later() || hp_wmi_rfkill_setup(device))
++ if (hp_wmi_rfkill_setup(device))
+ hp_wmi_rfkill2_setup(device);
+
+ err = device_create_file(&device->dev, &dev_attr_display);
+diff --git a/drivers/regulator/s2mps11.c b/drivers/regulator/s2mps11.c
+index 02fb6b4..d838e77 100644
+--- a/drivers/regulator/s2mps11.c
++++ b/drivers/regulator/s2mps11.c
+@@ -750,7 +750,7 @@ static const struct regulator_linear_range s2mps15_ldo_voltage_ranges3[] = {
+
+ /* voltage range for s2mps15 LDO 7, 8, 9 and 10 */
+ static const struct regulator_linear_range s2mps15_ldo_voltage_ranges4[] = {
+- REGULATOR_LINEAR_RANGE(700000, 0xc, 0x18, 25000),
++ REGULATOR_LINEAR_RANGE(700000, 0x10, 0x20, 25000),
+ };
+
+ /* voltage range for s2mps15 LDO 1 */
+@@ -760,12 +760,12 @@ static const struct regulator_linear_range s2mps15_ldo_voltage_ranges5[] = {
+
+ /* voltage range for s2mps15 BUCK 1, 2, 3, 4, 5, 6 and 7 */
+ static const struct regulator_linear_range s2mps15_buck_voltage_ranges1[] = {
+- REGULATOR_LINEAR_RANGE(500000, 0x20, 0xb0, 6250),
++ REGULATOR_LINEAR_RANGE(500000, 0x20, 0xc0, 6250),
+ };
+
+ /* voltage range for s2mps15 BUCK 8, 9 and 10 */
+ static const struct regulator_linear_range s2mps15_buck_voltage_ranges2[] = {
+- REGULATOR_LINEAR_RANGE(1000000, 0x20, 0xc0, 12500),
++ REGULATOR_LINEAR_RANGE(1000000, 0x20, 0x78, 12500),
+ };
+
+ static const struct regulator_desc s2mps15_regulators[] = {
+diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
+index db3958b..fe0539e 100644
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -1264,11 +1264,6 @@ int rproc_add(struct rproc *rproc)
+ if (ret < 0)
+ return ret;
+
+- /* expose to rproc_get_by_phandle users */
+- mutex_lock(&rproc_list_mutex);
+- list_add(&rproc->node, &rproc_list);
+- mutex_unlock(&rproc_list_mutex);
+-
+ dev_info(dev, "%s is available\n", rproc->name);
+
+ dev_info(dev, "Note: remoteproc is still under development and considered experimental.\n");
+@@ -1276,8 +1271,16 @@ int rproc_add(struct rproc *rproc)
+
+ /* create debugfs entries */
+ rproc_create_debug_dir(rproc);
++ ret = rproc_add_virtio_devices(rproc);
++ if (ret < 0)
++ return ret;
+
+- return rproc_add_virtio_devices(rproc);
++ /* expose to rproc_get_by_phandle users */
++ mutex_lock(&rproc_list_mutex);
++ list_add(&rproc->node, &rproc_list);
++ mutex_unlock(&rproc_list_mutex);
++
++ return 0;
+ }
+ EXPORT_SYMBOL(rproc_add);
+
+diff --git a/drivers/rtc/rtc-s3c.c b/drivers/rtc/rtc-s3c.c
+index d01ad7e..4e823c4 100644
+--- a/drivers/rtc/rtc-s3c.c
++++ b/drivers/rtc/rtc-s3c.c
+@@ -149,12 +149,14 @@ static int s3c_rtc_setfreq(struct s3c_rtc *info, int freq)
+ if (!is_power_of_2(freq))
+ return -EINVAL;
+
++ s3c_rtc_enable_clk(info);
+ spin_lock_irq(&info->pie_lock);
+
+ if (info->data->set_freq)
+ info->data->set_freq(info, freq);
+
+ spin_unlock_irq(&info->pie_lock);
++ s3c_rtc_disable_clk(info);
+
+ return 0;
+ }
+diff --git a/drivers/s390/cio/cmf.c b/drivers/s390/cio/cmf.c
+index b2afad5..2a34eb5 100644
+--- a/drivers/s390/cio/cmf.c
++++ b/drivers/s390/cio/cmf.c
+@@ -753,6 +753,17 @@ static void reset_cmb(struct ccw_device *cdev)
+ cmf_generic_reset(cdev);
+ }
+
++static int cmf_enabled(struct ccw_device *cdev)
++{
++ int enabled;
++
++ spin_lock_irq(cdev->ccwlock);
++ enabled = !!cdev->private->cmb;
++ spin_unlock_irq(cdev->ccwlock);
++
++ return enabled;
++}
++
+ static struct attribute_group cmf_attr_group;
+
+ static struct cmb_operations cmbops_basic = {
+@@ -1153,13 +1164,8 @@ static ssize_t cmb_enable_show(struct device *dev,
+ char *buf)
+ {
+ struct ccw_device *cdev = to_ccwdev(dev);
+- int enabled;
+
+- spin_lock_irq(cdev->ccwlock);
+- enabled = !!cdev->private->cmb;
+- spin_unlock_irq(cdev->ccwlock);
+-
+- return sprintf(buf, "%d\n", enabled);
++ return sprintf(buf, "%d\n", cmf_enabled(cdev));
+ }
+
+ static ssize_t cmb_enable_store(struct device *dev,
+@@ -1199,15 +1205,20 @@ int ccw_set_cmf(struct ccw_device *cdev, int enable)
+ * @cdev: The ccw device to be enabled
+ *
+ * Returns %0 for success or a negative error value.
+- *
++ * Note: If this is called on a device for which channel measurement is already
++ * enabled a reset of the measurement data is triggered.
+ * Context:
+ * non-atomic
+ */
+ int enable_cmf(struct ccw_device *cdev)
+ {
+- int ret;
++ int ret = 0;
+
+ device_lock(&cdev->dev);
++ if (cmf_enabled(cdev)) {
++ cmbops->reset(cdev);
++ goto out_unlock;
++ }
+ get_device(&cdev->dev);
+ ret = cmbops->alloc(cdev);
+ if (ret)
+@@ -1226,7 +1237,7 @@ int enable_cmf(struct ccw_device *cdev)
+ out:
+ if (ret)
+ put_device(&cdev->dev);
+-
++out_unlock:
+ device_unlock(&cdev->dev);
+ return ret;
+ }
+diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
+index 3bd0be6..c7e5695 100644
+--- a/drivers/scsi/lpfc/lpfc_scsi.c
++++ b/drivers/scsi/lpfc/lpfc_scsi.c
+@@ -3874,7 +3874,7 @@ int lpfc_sli4_scmd_to_wqidx_distr(struct lpfc_hba *phba,
+ uint32_t tag;
+ uint16_t hwq;
+
+- if (shost_use_blk_mq(cmnd->device->host)) {
++ if (cmnd && shost_use_blk_mq(cmnd->device->host)) {
+ tag = blk_mq_unique_tag(cmnd->request);
+ hwq = blk_mq_unique_tag_to_hwq(tag);
+
+diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
+index f4b0690..2dab3dc 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -4079,6 +4079,12 @@ megasas_get_pd_list(struct megasas_instance *instance)
+ struct MR_PD_ADDRESS *pd_addr;
+ dma_addr_t ci_h = 0;
+
++ if (instance->pd_list_not_supported) {
++ dev_info(&instance->pdev->dev, "MR_DCMD_PD_LIST_QUERY "
++ "not supported by firmware\n");
++ return ret;
++ }
++
+ cmd = megasas_get_cmd(instance);
+
+ if (!cmd) {
+diff --git a/drivers/soc/qcom/smp2p.c b/drivers/soc/qcom/smp2p.c
+index f1eed7f..9c2788b 100644
+--- a/drivers/soc/qcom/smp2p.c
++++ b/drivers/soc/qcom/smp2p.c
+@@ -344,11 +344,12 @@ static int qcom_smp2p_outbound_entry(struct qcom_smp2p *smp2p,
+ /* Allocate an entry from the smem item */
+ strlcpy(buf, entry->name, SMP2P_MAX_ENTRY_NAME);
+ memcpy_toio(out->entries[out->valid_entries].name, buf, SMP2P_MAX_ENTRY_NAME);
+- out->valid_entries++;
+
+ /* Make the logical entry reference the physical value */
+ entry->value = &out->entries[out->valid_entries].value;
+
++ out->valid_entries++;
++
+ entry->state = qcom_smem_state_register(node, &smp2p_state_ops, entry);
+ if (IS_ERR(entry->state)) {
+ dev_err(smp2p->dev, "failed to register qcom_smem_state\n");
+diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c
+index fe07c05..daf2844 100644
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -585,7 +585,14 @@ static void reset_sccr1(struct driver_data *drv_data)
+ u32 sccr1_reg;
+
+ sccr1_reg = pxa2xx_spi_read(drv_data, SSCR1) & ~drv_data->int_cr1;
+- sccr1_reg &= ~SSCR1_RFT;
++ switch (drv_data->ssp_type) {
++ case QUARK_X1000_SSP:
++ sccr1_reg &= ~QUARK_X1000_SSCR1_RFT;
++ break;
++ default:
++ sccr1_reg &= ~SSCR1_RFT;
++ break;
++ }
+ sccr1_reg |= chip->threshold;
+ pxa2xx_spi_write(drv_data, SSCR1, sccr1_reg);
+ }
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index 50f3d3a..39b928c 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -492,7 +492,8 @@ void iscsit_aborted_task(struct iscsi_conn *conn, struct iscsi_cmd *cmd)
+ bool scsi_cmd = (cmd->iscsi_opcode == ISCSI_OP_SCSI_CMD);
+
+ spin_lock_bh(&conn->cmd_lock);
+- if (!list_empty(&cmd->i_conn_node))
++ if (!list_empty(&cmd->i_conn_node) &&
++ !(cmd->se_cmd.transport_state & CMD_T_FABRIC_STOP))
+ list_del_init(&cmd->i_conn_node);
+ spin_unlock_bh(&conn->cmd_lock);
+
+@@ -4034,6 +4035,7 @@ int iscsi_target_rx_thread(void *arg)
+
+ static void iscsit_release_commands_from_conn(struct iscsi_conn *conn)
+ {
++ LIST_HEAD(tmp_list);
+ struct iscsi_cmd *cmd = NULL, *cmd_tmp = NULL;
+ struct iscsi_session *sess = conn->sess;
+ /*
+@@ -4042,18 +4044,26 @@ static void iscsit_release_commands_from_conn(struct iscsi_conn *conn)
+ * has been reset -> returned sleeping pre-handler state.
+ */
+ spin_lock_bh(&conn->cmd_lock);
+- list_for_each_entry_safe(cmd, cmd_tmp, &conn->conn_cmd_list, i_conn_node) {
++ list_splice_init(&conn->conn_cmd_list, &tmp_list);
+
++ list_for_each_entry(cmd, &tmp_list, i_conn_node) {
++ struct se_cmd *se_cmd = &cmd->se_cmd;
++
++ if (se_cmd->se_tfo != NULL) {
++ spin_lock(&se_cmd->t_state_lock);
++ se_cmd->transport_state |= CMD_T_FABRIC_STOP;
++ spin_unlock(&se_cmd->t_state_lock);
++ }
++ }
++ spin_unlock_bh(&conn->cmd_lock);
++
++ list_for_each_entry_safe(cmd, cmd_tmp, &tmp_list, i_conn_node) {
+ list_del_init(&cmd->i_conn_node);
+- spin_unlock_bh(&conn->cmd_lock);
+
+ iscsit_increment_maxcmdsn(cmd, sess);
+-
+ iscsit_free_cmd(cmd, true);
+
+- spin_lock_bh(&conn->cmd_lock);
+ }
+- spin_unlock_bh(&conn->cmd_lock);
+ }
+
+ static void iscsit_stop_timers_for_cmds(
+diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
+index b5212f0..adf419f 100644
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -1371,8 +1371,9 @@ static int __iscsi_target_login_thread(struct iscsi_np *np)
+ }
+ login->zero_tsih = zero_tsih;
+
+- conn->sess->se_sess->sup_prot_ops =
+- conn->conn_transport->iscsit_get_sup_prot_ops(conn);
++ if (conn->sess)
++ conn->sess->se_sess->sup_prot_ops =
++ conn->conn_transport->iscsit_get_sup_prot_ops(conn);
+
+ tpg = conn->tpg;
+ if (!tpg) {
+diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
+index a4046ca..6b42348 100644
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -821,13 +821,15 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name)
+ * in ATA and we need to set TPE=1
+ */
+ bool target_configure_unmap_from_queue(struct se_dev_attrib *attrib,
+- struct request_queue *q, int block_size)
++ struct request_queue *q)
+ {
++ int block_size = queue_logical_block_size(q);
++
+ if (!blk_queue_discard(q))
+ return false;
+
+- attrib->max_unmap_lba_count = (q->limits.max_discard_sectors << 9) /
+- block_size;
++ attrib->max_unmap_lba_count =
++ q->limits.max_discard_sectors >> (ilog2(block_size) - 9);
+ /*
+ * Currently hardcoded to 1 in Linux/SCSI code..
+ */
+diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c
+index 75f0f08..7929186 100644
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -161,8 +161,7 @@ static int fd_configure_device(struct se_device *dev)
+ dev_size, div_u64(dev_size, fd_dev->fd_block_size),
+ fd_dev->fd_block_size);
+
+- if (target_configure_unmap_from_queue(&dev->dev_attrib, q,
+- fd_dev->fd_block_size))
++ if (target_configure_unmap_from_queue(&dev->dev_attrib, q))
+ pr_debug("IFILE: BLOCK Discard support available,"
+ " disabled by default\n");
+ /*
+diff --git a/drivers/target/target_core_iblock.c b/drivers/target/target_core_iblock.c
+index 7c4efb4..2077bc2 100644
+--- a/drivers/target/target_core_iblock.c
++++ b/drivers/target/target_core_iblock.c
+@@ -121,8 +121,7 @@ static int iblock_configure_device(struct se_device *dev)
+ dev->dev_attrib.hw_max_sectors = queue_max_hw_sectors(q);
+ dev->dev_attrib.hw_queue_depth = q->nr_requests;
+
+- if (target_configure_unmap_from_queue(&dev->dev_attrib, q,
+- dev->dev_attrib.hw_block_size))
++ if (target_configure_unmap_from_queue(&dev->dev_attrib, q))
+ pr_debug("IBLOCK: BLOCK Discard support available,"
+ " disabled by default\n");
+
+diff --git a/drivers/target/target_core_internal.h b/drivers/target/target_core_internal.h
+index fc91e85..e2c970a 100644
+--- a/drivers/target/target_core_internal.h
++++ b/drivers/target/target_core_internal.h
+@@ -146,6 +146,7 @@ sense_reason_t target_cmd_size_check(struct se_cmd *cmd, unsigned int size);
+ void target_qf_do_work(struct work_struct *work);
+ bool target_check_wce(struct se_device *dev);
+ bool target_check_fua(struct se_device *dev);
++void __target_execute_cmd(struct se_cmd *, bool);
+
+ /* target_core_stat.c */
+ void target_stat_setup_dev_default_groups(struct se_device *);
+diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
+index a9057aa..04f616b 100644
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -602,7 +602,7 @@ static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool succes
+ cmd->transport_state |= CMD_T_ACTIVE|CMD_T_BUSY|CMD_T_SENT;
+ spin_unlock_irq(&cmd->t_state_lock);
+
+- __target_execute_cmd(cmd);
++ __target_execute_cmd(cmd, false);
+
+ kfree(buf);
+ return ret;
+diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
+index 5ab3967..42c2a44 100644
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1303,23 +1303,6 @@ target_setup_cmd_from_cdb(struct se_cmd *cmd, unsigned char *cdb)
+
+ trace_target_sequencer_start(cmd);
+
+- /*
+- * Check for an existing UNIT ATTENTION condition
+- */
+- ret = target_scsi3_ua_check(cmd);
+- if (ret)
+- return ret;
+-
+- ret = target_alua_state_check(cmd);
+- if (ret)
+- return ret;
+-
+- ret = target_check_reservation(cmd);
+- if (ret) {
+- cmd->scsi_status = SAM_STAT_RESERVATION_CONFLICT;
+- return ret;
+- }
+-
+ ret = dev->transport->parse_cdb(cmd);
+ if (ret == TCM_UNSUPPORTED_SCSI_OPCODE)
+ pr_warn_ratelimited("%s/%s: Unsupported SCSI Opcode 0x%02x, sending CHECK_CONDITION.\n",
+@@ -1761,20 +1744,45 @@ queue_full:
+ }
+ EXPORT_SYMBOL(transport_generic_request_failure);
+
+-void __target_execute_cmd(struct se_cmd *cmd)
++void __target_execute_cmd(struct se_cmd *cmd, bool do_checks)
+ {
+ sense_reason_t ret;
+
+- if (cmd->execute_cmd) {
+- ret = cmd->execute_cmd(cmd);
+- if (ret) {
+- spin_lock_irq(&cmd->t_state_lock);
+- cmd->transport_state &= ~(CMD_T_BUSY|CMD_T_SENT);
+- spin_unlock_irq(&cmd->t_state_lock);
++ if (!cmd->execute_cmd) {
++ ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
++ goto err;
++ }
++ if (do_checks) {
++ /*
++ * Check for an existing UNIT ATTENTION condition after
++ * target_handle_task_attr() has done SAM task attr
++ * checking, and possibly have already defered execution
++ * out to target_restart_delayed_cmds() context.
++ */
++ ret = target_scsi3_ua_check(cmd);
++ if (ret)
++ goto err;
++
++ ret = target_alua_state_check(cmd);
++ if (ret)
++ goto err;
+
+- transport_generic_request_failure(cmd, ret);
++ ret = target_check_reservation(cmd);
++ if (ret) {
++ cmd->scsi_status = SAM_STAT_RESERVATION_CONFLICT;
++ goto err;
+ }
+ }
++
++ ret = cmd->execute_cmd(cmd);
++ if (!ret)
++ return;
++err:
++ spin_lock_irq(&cmd->t_state_lock);
++ cmd->transport_state &= ~(CMD_T_BUSY|CMD_T_SENT);
++ spin_unlock_irq(&cmd->t_state_lock);
++
++ transport_generic_request_failure(cmd, ret);
+ }
+
+ static int target_write_prot_action(struct se_cmd *cmd)
+@@ -1819,6 +1827,8 @@ static bool target_handle_task_attr(struct se_cmd *cmd)
+ if (dev->transport->transport_flags & TRANSPORT_FLAG_PASSTHROUGH)
+ return false;
+
++ cmd->se_cmd_flags |= SCF_TASK_ATTR_SET;
++
+ /*
+ * Check for the existence of HEAD_OF_QUEUE, and if true return 1
+ * to allow the passed struct se_cmd list of tasks to the front of the list.
+@@ -1899,7 +1909,7 @@ void target_execute_cmd(struct se_cmd *cmd)
+ return;
+ }
+
+- __target_execute_cmd(cmd);
++ __target_execute_cmd(cmd, true);
+ }
+ EXPORT_SYMBOL(target_execute_cmd);
+
+@@ -1923,7 +1933,7 @@ static void target_restart_delayed_cmds(struct se_device *dev)
+ list_del(&cmd->se_delayed_node);
+ spin_unlock(&dev->delayed_cmd_lock);
+
+- __target_execute_cmd(cmd);
++ __target_execute_cmd(cmd, true);
+
+ if (cmd->sam_task_attr == TCM_ORDERED_TAG)
+ break;
+@@ -1941,6 +1951,9 @@ static void transport_complete_task_attr(struct se_cmd *cmd)
+ if (dev->transport->transport_flags & TRANSPORT_FLAG_PASSTHROUGH)
+ return;
+
++ if (!(cmd->se_cmd_flags & SCF_TASK_ATTR_SET))
++ goto restart;
++
+ if (cmd->sam_task_attr == TCM_SIMPLE_TAG) {
+ atomic_dec_mb(&dev->simple_cmds);
+ dev->dev_cur_ordered_id++;
+@@ -1957,7 +1970,7 @@ static void transport_complete_task_attr(struct se_cmd *cmd)
+ pr_debug("Incremented dev_cur_ordered_id: %u for ORDERED\n",
+ dev->dev_cur_ordered_id);
+ }
+-
++restart:
+ target_restart_delayed_cmds(dev);
+ }
+
+@@ -2557,15 +2570,10 @@ static void target_release_cmd_kref(struct kref *kref)
+ bool fabric_stop;
+
+ spin_lock_irqsave(&se_sess->sess_cmd_lock, flags);
+- if (list_empty(&se_cmd->se_cmd_list)) {
+- spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+- target_free_cmd_mem(se_cmd);
+- se_cmd->se_tfo->release_cmd(se_cmd);
+- return;
+- }
+
+ spin_lock(&se_cmd->t_state_lock);
+- fabric_stop = (se_cmd->transport_state & CMD_T_FABRIC_STOP);
++ fabric_stop = (se_cmd->transport_state & CMD_T_FABRIC_STOP) &&
++ (se_cmd->transport_state & CMD_T_ABORTED);
+ spin_unlock(&se_cmd->t_state_lock);
+
+ if (se_cmd->cmd_wait_set || fabric_stop) {
+diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
+index 954941d..f9c798c 100644
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -482,19 +482,21 @@ static void atmel_start_tx(struct uart_port *port)
+ {
+ struct atmel_uart_port *atmel_port = to_atmel_uart_port(port);
+
+- if (atmel_use_pdc_tx(port)) {
+- if (atmel_uart_readl(port, ATMEL_PDC_PTSR) & ATMEL_PDC_TXTEN)
+- /* The transmitter is already running. Yes, we
+- really need this.*/
+- return;
++ if (atmel_use_pdc_tx(port) && (atmel_uart_readl(port, ATMEL_PDC_PTSR)
++ & ATMEL_PDC_TXTEN))
++ /* The transmitter is already running. Yes, we
++ really need this.*/
++ return;
+
++ if (atmel_use_pdc_tx(port) || atmel_use_dma_tx(port))
+ if ((port->rs485.flags & SER_RS485_ENABLED) &&
+ !(port->rs485.flags & SER_RS485_RX_DURING_TX))
+ atmel_stop_rx(port);
+
++ if (atmel_use_pdc_tx(port))
+ /* re-enable PDC transmit */
+ atmel_uart_writel(port, ATMEL_PDC_PTCR, ATMEL_PDC_TXTEN);
+- }
++
+ /* Enable interrupts */
+ atmel_uart_writel(port, ATMEL_US_IER, atmel_port->tx_done_mask);
+ }
+diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
+index b7d80bd..7d62610 100644
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -726,7 +726,7 @@ static void msm_handle_tx(struct uart_port *port)
+ return;
+ }
+
+- pio_count = CIRC_CNT(xmit->head, xmit->tail, UART_XMIT_SIZE);
++ pio_count = CIRC_CNT_TO_END(xmit->head, xmit->tail, UART_XMIT_SIZE);
+ dma_count = CIRC_CNT_TO_END(xmit->head, xmit->tail, UART_XMIT_SIZE);
+
+ dma_min = 1; /* Always DMA */
+diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
+index 99bb231..f0bd2ec 100644
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1684,7 +1684,7 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
+ return -ENODEV;
+
+ if (port->mapbase != 0)
+- return 0;
++ return -EINVAL;
+
+ /* setup info for port */
+ port->dev = &platdev->dev;
+@@ -1738,22 +1738,25 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
+ ourport->dma = devm_kzalloc(port->dev,
+ sizeof(*ourport->dma),
+ GFP_KERNEL);
+- if (!ourport->dma)
+- return -ENOMEM;
++ if (!ourport->dma) {
++ ret = -ENOMEM;
++ goto err;
++ }
+ }
+
+ ourport->clk = clk_get(&platdev->dev, "uart");
+ if (IS_ERR(ourport->clk)) {
+ pr_err("%s: Controller clock not found\n",
+ dev_name(&platdev->dev));
+- return PTR_ERR(ourport->clk);
++ ret = PTR_ERR(ourport->clk);
++ goto err;
+ }
+
+ ret = clk_prepare_enable(ourport->clk);
+ if (ret) {
+ pr_err("uart: clock failed to prepare+enable: %d\n", ret);
+ clk_put(ourport->clk);
+- return ret;
++ goto err;
+ }
+
+ /* Keep all interrupts masked and cleared */
+@@ -1769,7 +1772,12 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
+
+ /* reset the fifos (and setup the uart) */
+ s3c24xx_serial_resetport(port, cfg);
++
+ return 0;
++
++err:
++ port->mapbase = 0;
++ return ret;
+ }
+
+ /* Device driver serial port probe */
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index 944a6dc..d2e50a2 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -128,6 +128,9 @@ static const struct usb_device_id usb_quirk_list[] = {
+ { USB_DEVICE(0x04f3, 0x016f), .driver_info =
+ USB_QUIRK_DEVICE_QUALIFIER },
+
++ { USB_DEVICE(0x04f3, 0x0381), .driver_info =
++ USB_QUIRK_NO_LPM },
++
+ { USB_DEVICE(0x04f3, 0x21b8), .driver_info =
+ USB_QUIRK_DEVICE_QUALIFIER },
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index 07248ff..716f4f0 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -258,11 +258,13 @@ int dwc3_send_gadget_ep_cmd(struct dwc3 *dwc, unsigned ep,
+ * We will also set SUSPHY bit to what it was before returning as stated
+ * by the same section on Synopsys databook.
+ */
+- reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0));
+- if (unlikely(reg & DWC3_GUSB2PHYCFG_SUSPHY)) {
+- susphy = true;
+- reg &= ~DWC3_GUSB2PHYCFG_SUSPHY;
+- dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg);
++ if (dwc->gadget.speed <= USB_SPEED_HIGH) {
++ reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0));
++ if (unlikely(reg & DWC3_GUSB2PHYCFG_SUSPHY)) {
++ susphy = true;
++ reg &= ~DWC3_GUSB2PHYCFG_SUSPHY;
++ dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg);
++ }
+ }
+
+ if (cmd == DWC3_DEPCMD_STARTTRANSFER) {
+@@ -2023,6 +2025,10 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep,
+ return 1;
+ }
+
++ if (usb_endpoint_xfer_isoc(dep->endpoint.desc))
++ if ((event->status & DEPEVT_STATUS_IOC) &&
++ (trb->ctrl & DWC3_TRB_CTRL_IOC))
++ return 0;
+ return 1;
+ }
+
+diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c
+index 18569de..bb1f6c8 100644
+--- a/drivers/usb/gadget/udc/atmel_usba_udc.c
++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c
+@@ -1920,6 +1920,8 @@ static struct usba_ep * atmel_udc_of_init(struct platform_device *pdev,
+
+ udc->errata = match->data;
+ udc->pmc = syscon_regmap_lookup_by_compatible("atmel,at91sam9g45-pmc");
++ if (IS_ERR(udc->pmc))
++ udc->pmc = syscon_regmap_lookup_by_compatible("atmel,at91sam9x5-pmc");
+ if (udc->errata && IS_ERR(udc->pmc))
+ return ERR_CAST(udc->pmc);
+
+diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
+index ebc51ec..7175142 100644
+--- a/drivers/usb/gadget/udc/pch_udc.c
++++ b/drivers/usb/gadget/udc/pch_udc.c
+@@ -1477,11 +1477,11 @@ static void complete_req(struct pch_udc_ep *ep, struct pch_udc_request *req,
+ req->dma_mapped = 0;
+ }
+ ep->halted = 1;
+- spin_lock(&dev->lock);
++ spin_unlock(&dev->lock);
+ if (!ep->in)
+ pch_udc_ep_clear_rrdy(ep);
+ usb_gadget_giveback_request(&ep->ep, &req->req);
+- spin_unlock(&dev->lock);
++ spin_lock(&dev->lock);
+ ep->halted = halted;
+ }
+
+@@ -2573,9 +2573,9 @@ static void pch_udc_svc_ur_interrupt(struct pch_udc_dev *dev)
+ empty_req_queue(ep);
+ }
+ if (dev->driver) {
+- spin_lock(&dev->lock);
+- usb_gadget_udc_reset(&dev->gadget, dev->driver);
+ spin_unlock(&dev->lock);
++ usb_gadget_udc_reset(&dev->gadget, dev->driver);
++ spin_lock(&dev->lock);
+ }
+ }
+
+@@ -2654,9 +2654,9 @@ static void pch_udc_svc_intf_interrupt(struct pch_udc_dev *dev)
+ dev->ep[i].halted = 0;
+ }
+ dev->stall = 0;
+- spin_lock(&dev->lock);
+- dev->driver->setup(&dev->gadget, &dev->setup_data);
+ spin_unlock(&dev->lock);
++ dev->driver->setup(&dev->gadget, &dev->setup_data);
++ spin_lock(&dev->lock);
+ }
+
+ /**
+@@ -2691,9 +2691,9 @@ static void pch_udc_svc_cfg_interrupt(struct pch_udc_dev *dev)
+ dev->stall = 0;
+
+ /* call gadget zero with setup data received */
+- spin_lock(&dev->lock);
+- dev->driver->setup(&dev->gadget, &dev->setup_data);
+ spin_unlock(&dev->lock);
++ dev->driver->setup(&dev->gadget, &dev->setup_data);
++ spin_lock(&dev->lock);
+ }
+
+ /**
+diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c
+index 7be4e7d..280ed5f 100644
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -810,20 +810,27 @@ static void xfer_work(struct work_struct *work)
+ {
+ struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work);
+ struct usbhs_pipe *pipe = pkt->pipe;
+- struct usbhs_fifo *fifo = usbhs_pipe_to_fifo(pipe);
++ struct usbhs_fifo *fifo;
+ struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
+ struct dma_async_tx_descriptor *desc;
+- struct dma_chan *chan = usbhsf_dma_chan_get(fifo, pkt);
++ struct dma_chan *chan;
+ struct device *dev = usbhs_priv_to_dev(priv);
+ enum dma_transfer_direction dir;
++ unsigned long flags;
+
++ usbhs_lock(priv, flags);
++ fifo = usbhs_pipe_to_fifo(pipe);
++ if (!fifo)
++ goto xfer_work_end;
++
++ chan = usbhsf_dma_chan_get(fifo, pkt);
+ dir = usbhs_pipe_is_dir_in(pipe) ? DMA_DEV_TO_MEM : DMA_MEM_TO_DEV;
+
+ desc = dmaengine_prep_slave_single(chan, pkt->dma + pkt->actual,
+ pkt->trans, dir,
+ DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
+ if (!desc)
+- return;
++ goto xfer_work_end;
+
+ desc->callback = usbhsf_dma_complete;
+ desc->callback_param = pipe;
+@@ -831,7 +838,7 @@ static void xfer_work(struct work_struct *work)
+ pkt->cookie = dmaengine_submit(desc);
+ if (pkt->cookie < 0) {
+ dev_err(dev, "Failed to submit dma descriptor\n");
+- return;
++ goto xfer_work_end;
+ }
+
+ dev_dbg(dev, " %s %d (%d/ %d)\n",
+@@ -842,6 +849,9 @@ static void xfer_work(struct work_struct *work)
+ usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans);
+ dma_async_issue_pending(chan);
+ usbhs_pipe_enable(pipe);
++
++xfer_work_end:
++ usbhs_unlock(priv, flags);
+ }
+
+ /*
+diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c
+index 30345c2..50f3363 100644
+--- a/drivers/usb/renesas_usbhs/mod_gadget.c
++++ b/drivers/usb/renesas_usbhs/mod_gadget.c
+@@ -585,6 +585,9 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
+ struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv);
+ struct usbhs_pipe *pipe;
+ int ret = -EIO;
++ unsigned long flags;
++
++ usbhs_lock(priv, flags);
+
+ /*
+ * if it already have pipe,
+@@ -593,7 +596,8 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
+ if (uep->pipe) {
+ usbhs_pipe_clear(uep->pipe);
+ usbhs_pipe_sequence_data0(uep->pipe);
+- return 0;
++ ret = 0;
++ goto usbhsg_ep_enable_end;
+ }
+
+ pipe = usbhs_pipe_malloc(priv,
+@@ -621,6 +625,9 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
+ ret = 0;
+ }
+
++usbhsg_ep_enable_end:
++ usbhs_unlock(priv, flags);
++
+ return ret;
+ }
+
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index d96d423..8e07536 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -273,6 +273,7 @@ static void option_instat_callback(struct urb *urb);
+ #define TELIT_PRODUCT_LE922_USBCFG5 0x1045
+ #define TELIT_PRODUCT_LE920 0x1200
+ #define TELIT_PRODUCT_LE910 0x1201
++#define TELIT_PRODUCT_LE910_USBCFG4 0x1206
+
+ /* ZTE PRODUCTS */
+ #define ZTE_VENDOR_ID 0x19d2
+@@ -1198,6 +1199,8 @@ static const struct usb_device_id option_ids[] = {
+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
+ .driver_info = (kernel_ulong_t)&telit_le910_blacklist },
++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
++ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
+ .driver_info = (kernel_ulong_t)&telit_le920_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
+diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
+index 476c0e3..f6ea8f4 100644
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -202,6 +202,8 @@ static unsigned leak_balloon(struct virtio_balloon *vb, size_t num)
+ num = min(num, ARRAY_SIZE(vb->pfns));
+
+ mutex_lock(&vb->balloon_lock);
++ /* We can't release more pages than taken */
++ num = min(num, (size_t)vb->num_pages);
+ for (vb->num_pfns = 0; vb->num_pfns < num;
+ vb->num_pfns += VIRTIO_BALLOON_PAGES_PER_PAGE) {
+ page = balloon_page_dequeue(vb_dev_info);
+diff --git a/drivers/w1/masters/omap_hdq.c b/drivers/w1/masters/omap_hdq.c
+index a2eec97..bb09de6 100644
+--- a/drivers/w1/masters/omap_hdq.c
++++ b/drivers/w1/masters/omap_hdq.c
+@@ -390,8 +390,6 @@ static int hdq_read_byte(struct hdq_data *hdq_data, u8 *val)
+ goto out;
+ }
+
+- hdq_data->hdq_irqstatus = 0;
+-
+ if (!(hdq_data->hdq_irqstatus & OMAP_HDQ_INT_STATUS_RXCOMPLETE)) {
+ hdq_reg_merge(hdq_data, OMAP_HDQ_CTRL_STATUS,
+ OMAP_HDQ_CTRL_STATUS_DIR | OMAP_HDQ_CTRL_STATUS_GO,
+diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
+index 75533ad..92fe3f8 100644
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -2696,12 +2696,6 @@ struct bio *btrfs_bio_clone(struct bio *bio, gfp_t gfp_mask)
+ btrfs_bio->csum = NULL;
+ btrfs_bio->csum_allocated = NULL;
+ btrfs_bio->end_io = NULL;
+-
+-#ifdef CONFIG_BLK_CGROUP
+- /* FIXME, put this into bio_clone_bioset */
+- if (bio->bi_css)
+- bio_associate_blkcg(new, bio->bi_css);
+-#endif
+ }
+ return new;
+ }
+diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
+index 2234e88..b56887b 100644
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -1629,13 +1629,11 @@ again:
+ * managed to copy.
+ */
+ if (num_sectors > dirty_sectors) {
+- /*
+- * we round down because we don't want to count
+- * any partial blocks actually sent through the
+- * IO machines
+- */
+- release_bytes = round_down(release_bytes - copied,
+- root->sectorsize);
++
++ /* release everything except the sectors we dirtied */
++ release_bytes -= dirty_sectors <<
++ root->fs_info->sb->s_blocksize_bits;
++
+ if (copied > 0) {
+ spin_lock(&BTRFS_I(inode)->lock);
+ BTRFS_I(inode)->outstanding_extents++;
+diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
+index 4ae7500..3f7c2cd 100644
+--- a/fs/cachefiles/namei.c
++++ b/fs/cachefiles/namei.c
+@@ -263,6 +263,8 @@ requeue:
+ void cachefiles_mark_object_inactive(struct cachefiles_cache *cache,
+ struct cachefiles_object *object)
+ {
++ blkcnt_t i_blocks = d_backing_inode(object->dentry)->i_blocks;
++
+ write_lock(&cache->active_lock);
+ rb_erase(&object->active_node, &cache->active_nodes);
+ clear_bit(CACHEFILES_OBJECT_ACTIVE, &object->flags);
+@@ -273,8 +275,7 @@ void cachefiles_mark_object_inactive(struct cachefiles_cache *cache,
+ /* This object can now be culled, so we need to let the daemon know
+ * that there is something it can remove if it needs to.
+ */
+- atomic_long_add(d_backing_inode(object->dentry)->i_blocks,
+- &cache->b_released);
++ atomic_long_add(i_blocks, &cache->b_released);
+ if (atomic_inc_return(&cache->f_released))
+ cachefiles_state_changed(cache);
+ }
+diff --git a/fs/cifs/cifs_fs_sb.h b/fs/cifs/cifs_fs_sb.h
+index 3182273..1418daa 100644
+--- a/fs/cifs/cifs_fs_sb.h
++++ b/fs/cifs/cifs_fs_sb.h
+@@ -46,6 +46,9 @@
+ #define CIFS_MOUNT_CIFS_BACKUPUID 0x200000 /* backup intent bit for a user */
+ #define CIFS_MOUNT_CIFS_BACKUPGID 0x400000 /* backup intent bit for a group */
+ #define CIFS_MOUNT_MAP_SFM_CHR 0x800000 /* SFM/MAC mapping for illegal chars */
++#define CIFS_MOUNT_USE_PREFIX_PATH 0x1000000 /* make subpath with unaccessible
++ * root mountable
++ */
+
+ struct cifs_sb_info {
+ struct rb_root tlink_tree;
+@@ -67,5 +70,6 @@ struct cifs_sb_info {
+ struct backing_dev_info bdi;
+ struct delayed_work prune_tlinks;
+ struct rcu_head rcu;
++ char *prepath;
+ };
+ #endif /* _CIFS_FS_SB_H */
+diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
+index 6aeb8d4..8347c90 100644
+--- a/fs/cifs/cifsencrypt.c
++++ b/fs/cifs/cifsencrypt.c
+@@ -743,24 +743,26 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
+
+ memcpy(ses->auth_key.response + baselen, tiblob, tilen);
+
++ mutex_lock(&ses->server->srv_mutex);
++
+ rc = crypto_hmacmd5_alloc(ses->server);
+ if (rc) {
+ cifs_dbg(VFS, "could not crypto alloc hmacmd5 rc %d\n", rc);
+- goto setup_ntlmv2_rsp_ret;
++ goto unlock;
+ }
+
+ /* calculate ntlmv2_hash */
+ rc = calc_ntlmv2_hash(ses, ntlmv2_hash, nls_cp);
+ if (rc) {
+ cifs_dbg(VFS, "could not get v2 hash rc %d\n", rc);
+- goto setup_ntlmv2_rsp_ret;
++ goto unlock;
+ }
+
+ /* calculate first part of the client response (CR1) */
+ rc = CalcNTLMv2_response(ses, ntlmv2_hash);
+ if (rc) {
+ cifs_dbg(VFS, "Could not calculate CR1 rc: %d\n", rc);
+- goto setup_ntlmv2_rsp_ret;
++ goto unlock;
+ }
+
+ /* now calculate the session key for NTLMv2 */
+@@ -769,13 +771,13 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
+ if (rc) {
+ cifs_dbg(VFS, "%s: Could not set NTLMV2 Hash as a key\n",
+ __func__);
+- goto setup_ntlmv2_rsp_ret;
++ goto unlock;
+ }
+
+ rc = crypto_shash_init(&ses->server->secmech.sdeschmacmd5->shash);
+ if (rc) {
+ cifs_dbg(VFS, "%s: Could not init hmacmd5\n", __func__);
+- goto setup_ntlmv2_rsp_ret;
++ goto unlock;
+ }
+
+ rc = crypto_shash_update(&ses->server->secmech.sdeschmacmd5->shash,
+@@ -783,7 +785,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
+ CIFS_HMAC_MD5_HASH_SIZE);
+ if (rc) {
+ cifs_dbg(VFS, "%s: Could not update with response\n", __func__);
+- goto setup_ntlmv2_rsp_ret;
++ goto unlock;
+ }
+
+ rc = crypto_shash_final(&ses->server->secmech.sdeschmacmd5->shash,
+@@ -791,6 +793,8 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
+ if (rc)
+ cifs_dbg(VFS, "%s: Could not generate md5 hash\n", __func__);
+
++unlock:
++ mutex_unlock(&ses->server->srv_mutex);
+ setup_ntlmv2_rsp_ret:
+ kfree(tiblob);
+
+diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
+index 5d841f3..6bbec5e 100644
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -689,6 +689,14 @@ cifs_do_mount(struct file_system_type *fs_type,
+ goto out_cifs_sb;
+ }
+
++ if (volume_info->prepath) {
++ cifs_sb->prepath = kstrdup(volume_info->prepath, GFP_KERNEL);
++ if (cifs_sb->prepath == NULL) {
++ root = ERR_PTR(-ENOMEM);
++ goto out_cifs_sb;
++ }
++ }
++
+ cifs_setup_cifs_sb(volume_info, cifs_sb);
+
+ rc = cifs_mount(cifs_sb, volume_info);
+@@ -727,7 +735,11 @@ cifs_do_mount(struct file_system_type *fs_type,
+ sb->s_flags |= MS_ACTIVE;
+ }
+
+- root = cifs_get_root(volume_info, sb);
++ if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
++ root = dget(sb->s_root);
++ else
++ root = cifs_get_root(volume_info, sb);
++
+ if (IS_ERR(root))
+ goto out_super;
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 7d2b15c..7ae0328 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1228,6 +1228,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
+ vol->ops = &smb1_operations;
+ vol->vals = &smb1_values;
+
++ vol->echo_interval = SMB_ECHO_INTERVAL_DEFAULT;
++
+ if (!mountdata)
+ goto cifs_parse_mount_err;
+
+@@ -2049,7 +2051,7 @@ static int match_server(struct TCP_Server_Info *server, struct smb_vol *vol)
+ if (!match_security(server, vol))
+ return 0;
+
+- if (server->echo_interval != vol->echo_interval)
++ if (server->echo_interval != vol->echo_interval * HZ)
+ return 0;
+
+ return 1;
+@@ -3483,6 +3485,44 @@ cifs_get_volume_info(char *mount_data, const char *devname)
+ return volume_info;
+ }
+
++static int
++cifs_are_all_path_components_accessible(struct TCP_Server_Info *server,
++ unsigned int xid,
++ struct cifs_tcon *tcon,
++ struct cifs_sb_info *cifs_sb,
++ char *full_path)
++{
++ int rc;
++ char *s;
++ char sep, tmp;
++
++ sep = CIFS_DIR_SEP(cifs_sb);
++ s = full_path;
++
++ rc = server->ops->is_path_accessible(xid, tcon, cifs_sb, "");
++ while (rc == 0) {
++ /* skip separators */
++ while (*s == sep)
++ s++;
++ if (!*s)
++ break;
++ /* next separator */
++ while (*s && *s != sep)
++ s++;
++
++ /*
++ * temporarily null-terminate the path at the end of
++ * the current component
++ */
++ tmp = *s;
++ *s = 0;
++ rc = server->ops->is_path_accessible(xid, tcon, cifs_sb,
++ full_path);
++ *s = tmp;
++ }
++ return rc;
++}
++
+ int
+ cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *volume_info)
+ {
+@@ -3620,6 +3660,16 @@ remote_path_check:
+ kfree(full_path);
+ goto mount_fail_check;
+ }
++
++ rc = cifs_are_all_path_components_accessible(server,
++ xid, tcon, cifs_sb,
++ full_path);
++ if (rc != 0) {
++ cifs_dbg(VFS, "cannot query dirs between root and final path, "
++ "enabling CIFS_MOUNT_USE_PREFIX_PATH\n");
++ cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_USE_PREFIX_PATH;
++ rc = 0;
++ }
+ kfree(full_path);
+ }
+
+@@ -3889,6 +3939,7 @@ cifs_umount(struct cifs_sb_info *cifs_sb)
+
+ bdi_destroy(&cifs_sb->bdi);
+ kfree(cifs_sb->mountdata);
++ kfree(cifs_sb->prepath);
+ call_rcu(&cifs_sb->rcu, delayed_free);
+ }
+
+diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
+index fb0903f..6f7333d 100644
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -84,6 +84,7 @@ build_path_from_dentry(struct dentry *direntry)
+ struct dentry *temp;
+ int namelen;
+ int dfsplen;
++ int pplen = 0;
+ char *full_path;
+ char dirsep;
+ struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
+@@ -95,8 +96,12 @@ build_path_from_dentry(struct dentry *direntry)
+ dfsplen = strnlen(tcon->treeName, MAX_TREE_SIZE + 1);
+ else
+ dfsplen = 0;
++
++ if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
++ pplen = cifs_sb->prepath ? strlen(cifs_sb->prepath) + 1 : 0;
++
+ cifs_bp_rename_retry:
+- namelen = dfsplen;
++ namelen = dfsplen + pplen;
+ seq = read_seqbegin(&rename_lock);
+ rcu_read_lock();
+ for (temp = direntry; !IS_ROOT(temp);) {
+@@ -137,7 +142,7 @@ cifs_bp_rename_retry:
+ }
+ }
+ rcu_read_unlock();
+- if (namelen != dfsplen || read_seqretry(&rename_lock, seq)) {
++ if (namelen != dfsplen + pplen || read_seqretry(&rename_lock, seq)) {
+ cifs_dbg(FYI, "did not end path lookup where expected. namelen=%ddfsplen=%d\n",
+ namelen, dfsplen);
+ /* presumably this is only possible if racing with a rename
+@@ -153,6 +158,17 @@ cifs_bp_rename_retry:
+ those safely to '/' if any are found in the middle of the prepath */
+ /* BB test paths to Windows with '/' in the midst of prepath */
+
++ if (pplen) {
++ int i;
++
++ cifs_dbg(FYI, "using cifs_sb prepath <%s>\n", cifs_sb->prepath);
++ memcpy(full_path+dfsplen+1, cifs_sb->prepath, pplen-1);
++ full_path[dfsplen] = '\\';
++ for (i = 0; i < pplen-1; i++)
++ if (full_path[dfsplen+1+i] == '/')
++ full_path[dfsplen+1+i] = CIFS_DIR_SEP(cifs_sb);
++ }
++
+ if (dfsplen) {
+ strncpy(full_path, tcon->treeName, dfsplen);
+ if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) {
+@@ -229,6 +245,13 @@ cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned int xid,
+ goto cifs_create_get_file_info;
+ }
+
++ if (S_ISDIR(newinode->i_mode)) {
++ CIFSSMBClose(xid, tcon, fid->netfid);
++ iput(newinode);
++ rc = -EISDIR;
++ goto out;
++ }
++
+ if (!S_ISREG(newinode->i_mode)) {
+ /*
+ * The server may allow us to open things like
+@@ -399,10 +422,14 @@ cifs_create_set_dentry:
+ if (rc != 0) {
+ cifs_dbg(FYI, "Create worked, get_inode_info failed rc = %d\n",
+ rc);
+- if (server->ops->close)
+- server->ops->close(xid, tcon, fid);
+- goto out;
++ goto out_err;
+ }
++
++ if (S_ISDIR(newinode->i_mode)) {
++ rc = -EISDIR;
++ goto out_err;
++ }
++
+ d_drop(direntry);
+ d_add(direntry, newinode);
+
+@@ -410,6 +437,13 @@ out:
+ kfree(buf);
+ kfree(full_path);
+ return rc;
++
++out_err:
++ if (server->ops->close)
++ server->ops->close(xid, tcon, fid);
++ if (newinode)
++ iput(newinode);
++ goto out;
+ }
+
+ int
+diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
+index 514dadb..b87efd0 100644
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -1002,10 +1002,26 @@ struct inode *cifs_root_iget(struct super_block *sb)
+ struct inode *inode = NULL;
+ long rc;
+ struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
++ char *path = NULL;
++ int len;
++
++ if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
++ && cifs_sb->prepath) {
++ len = strlen(cifs_sb->prepath);
++ path = kzalloc(len + 2 /* leading sep + null */, GFP_KERNEL);
++ if (path == NULL)
++ return ERR_PTR(-ENOMEM);
++ path[0] = '/';
++ memcpy(path+1, cifs_sb->prepath, len);
++ } else {
++ path = kstrdup("", GFP_KERNEL);
++ if (path == NULL)
++ return ERR_PTR(-ENOMEM);
++ }
+
+ xid = get_xid();
+ if (tcon->unix_ext) {
+- rc = cifs_get_inode_info_unix(&inode, "", sb, xid);
++ rc = cifs_get_inode_info_unix(&inode, path, sb, xid);
+ /* some servers mistakenly claim POSIX support */
+ if (rc != -EOPNOTSUPP)
+ goto iget_no_retry;
+@@ -1013,7 +1029,8 @@ struct inode *cifs_root_iget(struct super_block *sb)
+ tcon->unix_ext = false;
+ }
+
+- rc = cifs_get_inode_info(&inode, "", NULL, sb, xid, NULL);
++ convert_delimiter(path, CIFS_DIR_SEP(cifs_sb));
++ rc = cifs_get_inode_info(&inode, path, NULL, sb, xid, NULL);
+
+ iget_no_retry:
+ if (!inode) {
+@@ -1042,6 +1059,7 @@ iget_no_retry:
+ }
+
+ out:
++ kfree(path);
+ /* can not call macro free_xid here since in a void func
+ * TODO: This is no longer true
+ */
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 3525ed7..505e6d6 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1044,6 +1044,9 @@ smb2_new_lease_key(struct cifs_fid *fid)
+ get_random_bytes(fid->lease_key, SMB2_LEASE_KEY_SIZE);
+ }
+
++#define SMB2_SYMLINK_STRUCT_SIZE \
++ (sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
++
+ static int
+ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
+ const char *full_path, char **target_path,
+@@ -1056,7 +1059,10 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
+ struct cifs_fid fid;
+ struct smb2_err_rsp *err_buf = NULL;
+ struct smb2_symlink_err_rsp *symlink;
+- unsigned int sub_len, sub_offset;
++ unsigned int sub_len;
++ unsigned int sub_offset;
++ unsigned int print_len;
++ unsigned int print_offset;
+
+ cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
+
+@@ -1077,11 +1083,33 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
+ kfree(utf16_path);
+ return -ENOENT;
+ }
++
++ if (le32_to_cpu(err_buf->ByteCount) < sizeof(struct smb2_symlink_err_rsp) ||
++ get_rfc1002_length(err_buf) + 4 < SMB2_SYMLINK_STRUCT_SIZE) {
++ kfree(utf16_path);
++ return -ENOENT;
++ }
++
+ /* open must fail on symlink - reset rc */
+ rc = 0;
+ symlink = (struct smb2_symlink_err_rsp *)err_buf->ErrorData;
+ sub_len = le16_to_cpu(symlink->SubstituteNameLength);
+ sub_offset = le16_to_cpu(symlink->SubstituteNameOffset);
++ print_len = le16_to_cpu(symlink->PrintNameLength);
++ print_offset = le16_to_cpu(symlink->PrintNameOffset);
++
++ if (get_rfc1002_length(err_buf) + 4 <
++ SMB2_SYMLINK_STRUCT_SIZE + sub_offset + sub_len) {
++ kfree(utf16_path);
++ return -ENOENT;
++ }
++
++ if (get_rfc1002_length(err_buf) + 4 <
++ SMB2_SYMLINK_STRUCT_SIZE + print_offset + print_len) {
++ kfree(utf16_path);
++ return -ENOENT;
++ }
++
+ *target_path = cifs_strndup_from_utf16(
+ (char *)symlink->PathBuffer + sub_offset,
+ sub_len, true, cifs_sb->local_nls);
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 7007809..78313ad 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -124,7 +124,7 @@ static int journal_submit_commit_record(journal_t *journal,
+ struct commit_header *tmp;
+ struct buffer_head *bh;
+ int ret;
+- struct timespec now = current_kernel_time();
++ struct timespec64 now = current_kernel_time64();
+
+ *cbh = NULL;
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index ff416d0..7796bea 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -427,6 +427,7 @@ static int nfs4_do_handle_exception(struct nfs_server *server,
+ case -NFS4ERR_DELAY:
+ nfs_inc_server_stats(server, NFSIOS_DELAY);
+ case -NFS4ERR_GRACE:
++ case -NFS4ERR_LAYOUTTRYLATER:
+ case -NFS4ERR_RECALLCONFLICT:
+ exception->delay = 1;
+ return 0;
+@@ -7869,11 +7870,13 @@ nfs4_layoutget_handle_exception(struct rpc_task *task,
+ struct inode *inode = lgp->args.inode;
+ struct nfs_server *server = NFS_SERVER(inode);
+ struct pnfs_layout_hdr *lo;
+- int status = task->tk_status;
++ int nfs4err = task->tk_status;
++ int err, status = 0;
++ LIST_HEAD(head);
+
+ dprintk("--> %s tk_status => %d\n", __func__, -task->tk_status);
+
+- switch (status) {
++ switch (nfs4err) {
+ case 0:
+ goto out;
+
+@@ -7905,45 +7908,43 @@ nfs4_layoutget_handle_exception(struct rpc_task *task,
+ status = -EOVERFLOW;
+ goto out;
+ }
+- /* Fallthrough */
++ status = -EBUSY;
++ break;
+ case -NFS4ERR_RECALLCONFLICT:
+- nfs4_handle_exception(server, -NFS4ERR_RECALLCONFLICT,
+- exception);
+ status = -ERECALLCONFLICT;
+- goto out;
++ break;
+ case -NFS4ERR_EXPIRED:
+ case -NFS4ERR_BAD_STATEID:
+ exception->timeout = 0;
+ spin_lock(&inode->i_lock);
+- if (nfs4_stateid_match(&lgp->args.stateid,
++ lo = NFS_I(inode)->layout;
++ /* If the open stateid was bad, then recover it. */
++ if (!lo || test_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags) ||
++ nfs4_stateid_match_other(&lgp->args.stateid,
+ &lgp->args.ctx->state->stateid)) {
+ spin_unlock(&inode->i_lock);
+- /* If the open stateid was bad, then recover it. */
+ exception->state = lgp->args.ctx->state;
+ break;
+ }
+- lo = NFS_I(inode)->layout;
+- if (lo && !test_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags) &&
+- nfs4_stateid_match_other(&lgp->args.stateid, &lo->plh_stateid)) {
+- LIST_HEAD(head);
+-
+- /*
+- * Mark the bad layout state as invalid, then retry
+- * with the current stateid.
+- */
+- set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags);
+- pnfs_mark_matching_lsegs_invalid(lo, &head, NULL, 0);
+- spin_unlock(&inode->i_lock);
+- pnfs_free_lseg_list(&head);
+- status = -EAGAIN;
+- goto out;
+- } else
+- spin_unlock(&inode->i_lock);
+- }
+
+- status = nfs4_handle_exception(server, status, exception);
+- if (exception->retry)
++ /*
++ * Mark the bad layout state as invalid, then retry
++ */
++ set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags);
++ pnfs_mark_matching_lsegs_invalid(lo, &head, NULL, 0);
++ spin_unlock(&inode->i_lock);
++ pnfs_free_lseg_list(&head);
+ status = -EAGAIN;
++ goto out;
++ }
++
++ err = nfs4_handle_exception(server, nfs4err, exception);
++ if (!status) {
++ if (exception->retry)
++ status = -EAGAIN;
++ else
++ status = err;
++ }
+ out:
+ dprintk("<-- %s\n", __func__);
+ return status;
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 0fbe734..7d99236 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1505,7 +1505,7 @@ pnfs_update_layout(struct inode *ino,
+ struct pnfs_layout_segment *lseg = NULL;
+ nfs4_stateid stateid;
+ long timeout = 0;
+- unsigned long giveup = jiffies + rpc_get_timeout(server->client);
++ unsigned long giveup = jiffies + (clp->cl_lease_time << 1);
+ bool first;
+
+ if (!pnfs_enabled_sb(NFS_SERVER(ino))) {
+@@ -1645,33 +1645,44 @@ lookup_again:
+ lseg = send_layoutget(lo, ctx, &stateid, &arg, &timeout, gfp_flags);
+ trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,
+ PNFS_UPDATE_LAYOUT_SEND_LAYOUTGET);
++ atomic_dec(&lo->plh_outstanding);
+ if (IS_ERR(lseg)) {
+ switch(PTR_ERR(lseg)) {
+- case -ERECALLCONFLICT:
++ case -EBUSY:
+ if (time_after(jiffies, giveup))
+ lseg = NULL;
+- /* Fallthrough */
+- case -EAGAIN:
+- pnfs_put_layout_hdr(lo);
+- if (first)
+- pnfs_clear_first_layoutget(lo);
+- if (lseg) {
+- trace_pnfs_update_layout(ino, pos, count,
+- iomode, lo, lseg, PNFS_UPDATE_LAYOUT_RETRY);
+- goto lookup_again;
++ break;
++ case -ERECALLCONFLICT:
++ /* Huh? We hold no layouts, how is there a recall? */
++ if (first) {
++ lseg = NULL;
++ break;
+ }
++ /* Destroy the existing layout and start over */
++ if (time_after(jiffies, giveup))
++ pnfs_destroy_layout(NFS_I(ino));
+ /* Fallthrough */
++ case -EAGAIN:
++ break;
+ default:
+ if (!nfs_error_is_fatal(PTR_ERR(lseg))) {
+ pnfs_layout_clear_fail_bit(lo, pnfs_iomode_to_fail_bit(iomode));
+ lseg = NULL;
+ }
++ goto out_put_layout_hdr;
++ }
++ if (lseg) {
++ if (first)
++ pnfs_clear_first_layoutget(lo);
++ trace_pnfs_update_layout(ino, pos, count,
++ iomode, lo, lseg, PNFS_UPDATE_LAYOUT_RETRY);
++ pnfs_put_layout_hdr(lo);
++ goto lookup_again;
+ }
+ } else {
+ pnfs_layout_clear_fail_bit(lo, pnfs_iomode_to_fail_bit(iomode));
+ }
+
+- atomic_dec(&lo->plh_outstanding);
+ out_put_layout_hdr:
+ if (first)
+ pnfs_clear_first_layoutget(lo);
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index e1c74d3..649fa5e 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1289,6 +1289,9 @@ int nfs_updatepage(struct file *file, struct page *page,
+ dprintk("NFS: nfs_updatepage(%pD2 %d@%lld)\n",
+ file, count, (long long)(page_file_offset(page) + offset));
+
++ if (!count)
++ goto out;
++
+ if (nfs_can_extend_write(file, page, inode)) {
+ count = max(count + offset, nfs_page_length(page));
+ offset = 0;
+@@ -1299,7 +1302,7 @@ int nfs_updatepage(struct file *file, struct page *page,
+ nfs_set_pageerror(page);
+ else
+ __set_page_dirty_nobuffers(page);
+-
++out:
+ dprintk("NFS: nfs_updatepage returns %d (isize %lld)\n",
+ status, (long long)i_size_read(inode));
+ return status;
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 70d0b9b..806eda1 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -4906,6 +4906,32 @@ nfsd4_test_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ return nfs_ok;
+ }
+
++static __be32
++nfsd4_free_lock_stateid(stateid_t *stateid, struct nfs4_stid *s)
++{
++ struct nfs4_ol_stateid *stp = openlockstateid(s);
++ __be32 ret;
++
++ mutex_lock(&stp->st_mutex);
++
++ ret = check_stateid_generation(stateid, &s->sc_stateid, 1);
++ if (ret)
++ goto out;
++
++ ret = nfserr_locks_held;
++ if (check_for_locks(stp->st_stid.sc_file,
++ lockowner(stp->st_stateowner)))
++ goto out;
++
++ release_lock_stateid(stp);
++ ret = nfs_ok;
++
++out:
++ mutex_unlock(&stp->st_mutex);
++ nfs4_put_stid(s);
++ return ret;
++}
++
+ __be32
+ nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ struct nfsd4_free_stateid *free_stateid)
+@@ -4913,7 +4939,6 @@ nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ stateid_t *stateid = &free_stateid->fr_stateid;
+ struct nfs4_stid *s;
+ struct nfs4_delegation *dp;
+- struct nfs4_ol_stateid *stp;
+ struct nfs4_client *cl = cstate->session->se_client;
+ __be32 ret = nfserr_bad_stateid;
+
+@@ -4932,18 +4957,9 @@ nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ ret = nfserr_locks_held;
+ break;
+ case NFS4_LOCK_STID:
+- ret = check_stateid_generation(stateid, &s->sc_stateid, 1);
+- if (ret)
+- break;
+- stp = openlockstateid(s);
+- ret = nfserr_locks_held;
+- if (check_for_locks(stp->st_stid.sc_file,
+- lockowner(stp->st_stateowner)))
+- break;
+- WARN_ON(!unhash_lock_stateid(stp));
++ atomic_inc(&s->sc_count);
+ spin_unlock(&cl->cl_lock);
+- nfs4_put_stid(s);
+- ret = nfs_ok;
++ ret = nfsd4_free_lock_stateid(stateid, s);
+ goto out;
+ case NFS4_REVOKED_DELEG_STID:
+ dp = delegstateid(s);
+@@ -5510,7 +5526,7 @@ static __be32
+ lookup_or_create_lock_state(struct nfsd4_compound_state *cstate,
+ struct nfs4_ol_stateid *ost,
+ struct nfsd4_lock *lock,
+- struct nfs4_ol_stateid **lst, bool *new)
++ struct nfs4_ol_stateid **plst, bool *new)
+ {
+ __be32 status;
+ struct nfs4_file *fi = ost->st_stid.sc_file;
+@@ -5518,7 +5534,9 @@ lookup_or_create_lock_state(struct nfsd4_compound_state *cstate,
+ struct nfs4_client *cl = oo->oo_owner.so_client;
+ struct inode *inode = d_inode(cstate->current_fh.fh_dentry);
+ struct nfs4_lockowner *lo;
++ struct nfs4_ol_stateid *lst;
+ unsigned int strhashval;
++ bool hashed;
+
+ lo = find_lockowner_str(cl, &lock->lk_new_owner);
+ if (!lo) {
+@@ -5534,12 +5552,27 @@ lookup_or_create_lock_state(struct nfsd4_compound_state *cstate,
+ goto out;
+ }
+
+- *lst = find_or_create_lock_stateid(lo, fi, inode, ost, new);
+- if (*lst == NULL) {
++retry:
++ lst = find_or_create_lock_stateid(lo, fi, inode, ost, new);
++ if (lst == NULL) {
+ status = nfserr_jukebox;
+ goto out;
+ }
++
++ mutex_lock(&lst->st_mutex);
++
++ /* See if it's still hashed to avoid race with FREE_STATEID */
++ spin_lock(&cl->cl_lock);
++ hashed = !list_empty(&lst->st_perfile);
++ spin_unlock(&cl->cl_lock);
++
++ if (!hashed) {
++ mutex_unlock(&lst->st_mutex);
++ nfs4_put_stid(&lst->st_stid);
++ goto retry;
++ }
+ status = nfs_ok;
++ *plst = lst;
+ out:
+ nfs4_put_stateowner(&lo->lo_owner);
+ return status;
+@@ -5606,8 +5639,6 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ goto out;
+ status = lookup_or_create_lock_state(cstate, open_stp, lock,
+ &lock_stp, &new);
+- if (status == nfs_ok)
+- mutex_lock(&lock_stp->st_mutex);
+ } else {
+ status = nfs4_preprocess_seqid_op(cstate,
+ lock->lk_old_lock_seqid,
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index 9a7693d..6db75cb 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -404,7 +404,8 @@ static struct ovl_entry *ovl_alloc_entry(unsigned int numlower)
+ static bool ovl_dentry_remote(struct dentry *dentry)
+ {
+ return dentry->d_flags &
+- (DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE);
++ (DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE |
++ DCACHE_OP_REAL);
+ }
+
+ static bool ovl_dentry_weird(struct dentry *dentry)
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 4c463b9..a36a5a4 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -87,6 +87,12 @@ xfs_find_bdev_for_inode(
+ * We're now finished for good with this page. Update the page state via the
+ * associated buffer_heads, paying attention to the start and end offsets that
+ * we need to process on the page.
++ *
++ * Landmine Warning: bh->b_end_io() will call end_page_writeback() on the last
++ * buffer in the IO. Once it does this, it is unsafe to access the bufferhead or
++ * the page at all, as we may be racing with memory reclaim and it can free both
++ * the bufferhead chain and the page as it will see the page as clean and
++ * unused.
+ */
+ static void
+ xfs_finish_page_writeback(
+@@ -95,8 +101,9 @@ xfs_finish_page_writeback(
+ int error)
+ {
+ unsigned int end = bvec->bv_offset + bvec->bv_len - 1;
+- struct buffer_head *head, *bh;
++ struct buffer_head *head, *bh, *next;
+ unsigned int off = 0;
++ unsigned int bsize;
+
+ ASSERT(bvec->bv_offset < PAGE_SIZE);
+ ASSERT((bvec->bv_offset & ((1 << inode->i_blkbits) - 1)) == 0);
+@@ -105,15 +112,17 @@ xfs_finish_page_writeback(
+
+ bh = head = page_buffers(bvec->bv_page);
+
++ bsize = bh->b_size;
+ do {
++ next = bh->b_this_page;
+ if (off < bvec->bv_offset)
+ goto next_bh;
+ if (off > end)
+ break;
+ bh->b_end_io(bh, !error);
+ next_bh:
+- off += bh->b_size;
+- } while ((bh = bh->b_this_page) != head);
++ off += bsize;
++ } while ((bh = next) != head);
+ }
+
+ /*
+diff --git a/include/linux/backing-dev-defs.h b/include/linux/backing-dev-defs.h
+index 3f10307..c357f27 100644
+--- a/include/linux/backing-dev-defs.h
++++ b/include/linux/backing-dev-defs.h
+@@ -163,6 +163,7 @@ struct backing_dev_info {
+ wait_queue_head_t wb_waitq;
+
+ struct device *dev;
++ struct device *owner;
+
+ struct timer_list laptop_mode_wb_timer;
+
+diff --git a/include/linux/backing-dev.h b/include/linux/backing-dev.h
+index c82794f..89d3de3 100644
+--- a/include/linux/backing-dev.h
++++ b/include/linux/backing-dev.h
+@@ -24,6 +24,7 @@ __printf(3, 4)
+ int bdi_register(struct backing_dev_info *bdi, struct device *parent,
+ const char *fmt, ...);
+ int bdi_register_dev(struct backing_dev_info *bdi, dev_t dev);
++int bdi_register_owner(struct backing_dev_info *bdi, struct device *owner);
+ void bdi_unregister(struct backing_dev_info *bdi);
+
+ int __must_check bdi_setup_and_register(struct backing_dev_info *, char *);
+diff --git a/include/linux/bio.h b/include/linux/bio.h
+index 9faebf7..75fadd2 100644
+--- a/include/linux/bio.h
++++ b/include/linux/bio.h
+@@ -527,11 +527,14 @@ extern unsigned int bvec_nr_vecs(unsigned short idx);
+ int bio_associate_blkcg(struct bio *bio, struct cgroup_subsys_state *blkcg_css);
+ int bio_associate_current(struct bio *bio);
+ void bio_disassociate_task(struct bio *bio);
++void bio_clone_blkcg_association(struct bio *dst, struct bio *src);
+ #else /* CONFIG_BLK_CGROUP */
+ static inline int bio_associate_blkcg(struct bio *bio,
+ struct cgroup_subsys_state *blkcg_css) { return 0; }
+ static inline int bio_associate_current(struct bio *bio) { return -ENOENT; }
+ static inline void bio_disassociate_task(struct bio *bio) { }
++static inline void bio_clone_blkcg_association(struct bio *dst,
++ struct bio *src) { }
+ #endif /* CONFIG_BLK_CGROUP */
+
+ #ifdef CONFIG_HIGHMEM
+diff --git a/include/linux/mlx5/qp.h b/include/linux/mlx5/qp.h
+index ab31081..7879bf4 100644
+--- a/include/linux/mlx5/qp.h
++++ b/include/linux/mlx5/qp.h
+@@ -556,9 +556,9 @@ struct mlx5_destroy_qp_mbox_out {
+ struct mlx5_modify_qp_mbox_in {
+ struct mlx5_inbox_hdr hdr;
+ __be32 qpn;
+- u8 rsvd1[4];
+- __be32 optparam;
+ u8 rsvd0[4];
++ __be32 optparam;
++ u8 rsvd1[4];
+ struct mlx5_qp_context ctx;
+ u8 rsvd2[16];
+ };
+diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
+index 7e440d4..e694f02 100644
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -1428,6 +1428,10 @@ struct ib_srq {
+ } ext;
+ };
+
++/*
++ * @max_write_sge: Maximum SGE elements per RDMA WRITE request.
++ * @max_read_sge: Maximum SGE elements per RDMA READ request.
++ */
+ struct ib_qp {
+ struct ib_device *device;
+ struct ib_pd *pd;
+@@ -1449,6 +1453,8 @@ struct ib_qp {
+ void (*event_handler)(struct ib_event *, void *);
+ void *qp_context;
+ u32 qp_num;
++ u32 max_write_sge;
++ u32 max_read_sge;
+ enum ib_qp_type qp_type;
+ };
+
+diff --git a/include/target/target_core_backend.h b/include/target/target_core_backend.h
+index d8ab510..f6f3bc5 100644
+--- a/include/target/target_core_backend.h
++++ b/include/target/target_core_backend.h
+@@ -95,6 +95,6 @@ sense_reason_t passthrough_parse_cdb(struct se_cmd *cmd,
+ bool target_sense_desc_format(struct se_device *dev);
+ sector_t target_to_linux_sector(struct se_device *dev, sector_t lb);
+ bool target_configure_unmap_from_queue(struct se_dev_attrib *attrib,
+- struct request_queue *q, int block_size);
++ struct request_queue *q);
+
+ #endif /* TARGET_CORE_BACKEND_H */
+diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
+index b316b44..fb8e3b6 100644
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -142,6 +142,7 @@ enum se_cmd_flags_table {
+ SCF_PASSTHROUGH_PROT_SG_TO_MEM_NOALLOC = 0x00200000,
+ SCF_ACK_KREF = 0x00400000,
+ SCF_USE_CPUID = 0x00800000,
++ SCF_TASK_ATTR_SET = 0x01000000,
+ };
+
+ /*
+diff --git a/include/target/target_core_fabric.h b/include/target/target_core_fabric.h
+index de44462..5cd6faa 100644
+--- a/include/target/target_core_fabric.h
++++ b/include/target/target_core_fabric.h
+@@ -163,7 +163,6 @@ int core_tmr_alloc_req(struct se_cmd *, void *, u8, gfp_t);
+ void core_tmr_release_req(struct se_tmr_req *);
+ int transport_generic_handle_tmr(struct se_cmd *);
+ void transport_generic_request_failure(struct se_cmd *, sense_reason_t);
+-void __target_execute_cmd(struct se_cmd *);
+ int transport_lookup_tmr_lun(struct se_cmd *, u64);
+ void core_allocate_nexus_loss_ua(struct se_node_acl *acl);
+
+diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h
+index 003dca9..5664ca0 100644
+--- a/include/trace/events/sunrpc.h
++++ b/include/trace/events/sunrpc.h
+@@ -529,20 +529,27 @@ TRACE_EVENT(svc_xprt_do_enqueue,
+
+ TP_STRUCT__entry(
+ __field(struct svc_xprt *, xprt)
+- __field_struct(struct sockaddr_storage, ss)
+ __field(int, pid)
+ __field(unsigned long, flags)
++ __dynamic_array(unsigned char, addr, xprt != NULL ?
++ xprt->xpt_remotelen : 0)
+ ),
+
+ TP_fast_assign(
+ __entry->xprt = xprt;
+- xprt ? memcpy(&__entry->ss, &xprt->xpt_remote, sizeof(__entry->ss)) : memset(&__entry->ss, 0, sizeof(__entry->ss));
+ __entry->pid = rqst? rqst->rq_task->pid : 0;
+- __entry->flags = xprt ? xprt->xpt_flags : 0;
++ if (xprt) {
++ memcpy(__get_dynamic_array(addr),
++ &xprt->xpt_remote,
++ xprt->xpt_remotelen);
++ __entry->flags = xprt->xpt_flags;
++ } else
++ __entry->flags = 0;
+ ),
+
+ TP_printk("xprt=0x%p addr=%pIScp pid=%d flags=%s", __entry->xprt,
+- (struct sockaddr *)&__entry->ss,
++ __get_dynamic_array_len(addr) != 0 ?
++ (struct sockaddr *)__get_dynamic_array(addr) : NULL,
+ __entry->pid, show_svc_xprt_flags(__entry->flags))
+ );
+
+@@ -553,18 +560,25 @@ TRACE_EVENT(svc_xprt_dequeue,
+
+ TP_STRUCT__entry(
+ __field(struct svc_xprt *, xprt)
+- __field_struct(struct sockaddr_storage, ss)
+ __field(unsigned long, flags)
++ __dynamic_array(unsigned char, addr, xprt != NULL ?
++ xprt->xpt_remotelen : 0)
+ ),
+
+ TP_fast_assign(
+- __entry->xprt = xprt,
+- xprt ? memcpy(&__entry->ss, &xprt->xpt_remote, sizeof(__entry->ss)) : memset(&__entry->ss, 0, sizeof(__entry->ss));
+- __entry->flags = xprt ? xprt->xpt_flags : 0;
++ __entry->xprt = xprt;
++ if (xprt) {
++ memcpy(__get_dynamic_array(addr),
++ &xprt->xpt_remote,
++ xprt->xpt_remotelen);
++ __entry->flags = xprt->xpt_flags;
++ } else
++ __entry->flags = 0;
+ ),
+
+ TP_printk("xprt=0x%p addr=%pIScp flags=%s", __entry->xprt,
+- (struct sockaddr *)&__entry->ss,
++ __get_dynamic_array_len(addr) != 0 ?
++ (struct sockaddr *)__get_dynamic_array(addr) : NULL,
+ show_svc_xprt_flags(__entry->flags))
+ );
+
+@@ -592,19 +606,26 @@ TRACE_EVENT(svc_handle_xprt,
+ TP_STRUCT__entry(
+ __field(struct svc_xprt *, xprt)
+ __field(int, len)
+- __field_struct(struct sockaddr_storage, ss)
+ __field(unsigned long, flags)
++ __dynamic_array(unsigned char, addr, xprt != NULL ?
++ xprt->xpt_remotelen : 0)
+ ),
+
+ TP_fast_assign(
+ __entry->xprt = xprt;
+- xprt ? memcpy(&__entry->ss, &xprt->xpt_remote, sizeof(__entry->ss)) : memset(&__entry->ss, 0, sizeof(__entry->ss));
+ __entry->len = len;
+- __entry->flags = xprt ? xprt->xpt_flags : 0;
++ if (xprt) {
++ memcpy(__get_dynamic_array(addr),
++ &xprt->xpt_remote,
++ xprt->xpt_remotelen);
++ __entry->flags = xprt->xpt_flags;
++ } else
++ __entry->flags = 0;
+ ),
+
+ TP_printk("xprt=0x%p addr=%pIScp len=%d flags=%s", __entry->xprt,
+- (struct sockaddr *)&__entry->ss,
++ __get_dynamic_array_len(addr) != 0 ?
++ (struct sockaddr *)__get_dynamic_array(addr) : NULL,
+ __entry->len, show_svc_xprt_flags(__entry->flags))
+ );
+ #endif /* _TRACE_SUNRPC_H */
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index 2672d10..b334128 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -72,6 +72,7 @@
+ #include <linux/compat.h>
+ #include <linux/ctype.h>
+ #include <linux/string.h>
++#include <linux/uaccess.h>
+ #include <uapi/linux/limits.h>
+
+ #include "audit.h"
+@@ -81,7 +82,8 @@
+ #define AUDITSC_SUCCESS 1
+ #define AUDITSC_FAILURE 2
+
+-/* no execve audit message should be longer than this (userspace limits) */
++/* no execve audit message should be longer than this (userspace limits),
++ * see the note near the top of audit_log_execve_info() about this value */
+ #define MAX_EXECVE_AUDIT_LEN 7500
+
+ /* max length to print of cmdline/proctitle value during audit */
+@@ -987,184 +989,178 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
+ return rc;
+ }
+
+-/*
+- * to_send and len_sent accounting are very loose estimates. We aren't
+- * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
+- * within about 500 bytes (next page boundary)
+- *
+- * why snprintf? an int is up to 12 digits long. if we just assumed when
+- * logging that a[%d]= was going to be 16 characters long we would be wasting
+- * space in every audit message. In one 7500 byte message we can log up to
+- * about 1000 min size arguments. That comes down to about 50% waste of space
+- * if we didn't do the snprintf to find out how long arg_num_len was.
+- */
+-static int audit_log_single_execve_arg(struct audit_context *context,
+- struct audit_buffer **ab,
+- int arg_num,
+- size_t *len_sent,
+- const char __user *p,
+- char *buf)
++static void audit_log_execve_info(struct audit_context *context,
++ struct audit_buffer **ab)
+ {
+- char arg_num_len_buf[12];
+- const char __user *tmp_p = p;
+- /* how many digits are in arg_num? 5 is the length of ' a=""' */
+- size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
+- size_t len, len_left, to_send;
+- size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
+- unsigned int i, has_cntl = 0, too_long = 0;
+- int ret;
+-
+- /* strnlen_user includes the null we don't want to send */
+- len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
+-
+- /*
+- * We just created this mm, if we can't find the strings
+- * we just copied into it something is _very_ wrong. Similar
+- * for strings that are too long, we should not have created
+- * any.
+- */
+- if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) {
+- send_sig(SIGKILL, current, 0);
+- return -1;
++ long len_max;
++ long len_rem;
++ long len_full;
++ long len_buf;
++ long len_abuf;
++ long len_tmp;
++ bool require_data;
++ bool encode;
++ unsigned int iter;
++ unsigned int arg;
++ char *buf_head;
++ char *buf;
++ const char __user *p = (const char __user *)current->mm->arg_start;
++
++ /* NOTE: this buffer needs to be large enough to hold all the non-arg
++ * data we put in the audit record for this argument (see the
++ * code below) ... at this point in time 96 is plenty */
++ char abuf[96];
++
++ /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
++ * current value of 7500 is not as important as the fact that it
++ * is less than 8k, a setting of 7500 gives us plenty of wiggle
++ * room if we go over a little bit in the logging below */
++ WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
++ len_max = MAX_EXECVE_AUDIT_LEN;
++
++ /* scratch buffer to hold the userspace args */
++ buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
++ if (!buf_head) {
++ audit_panic("out of memory for argv string");
++ return;
+ }
++ buf = buf_head;
+
+- /* walk the whole argument looking for non-ascii chars */
++ audit_log_format(*ab, "argc=%d", context->execve.argc);
++
++ len_rem = len_max;
++ len_buf = 0;
++ len_full = 0;
++ require_data = true;
++ encode = false;
++ iter = 0;
++ arg = 0;
+ do {
+- if (len_left > MAX_EXECVE_AUDIT_LEN)
+- to_send = MAX_EXECVE_AUDIT_LEN;
+- else
+- to_send = len_left;
+- ret = copy_from_user(buf, tmp_p, to_send);
+- /*
+- * There is no reason for this copy to be short. We just
+- * copied them here, and the mm hasn't been exposed to user-
+- * space yet.
+- */
+- if (ret) {
+- WARN_ON(1);
+- send_sig(SIGKILL, current, 0);
+- return -1;
+- }
+- buf[to_send] = '\0';
+- has_cntl = audit_string_contains_control(buf, to_send);
+- if (has_cntl) {
+- /*
+- * hex messages get logged as 2 bytes, so we can only
+- * send half as much in each message
+- */
+- max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
+- break;
+- }
+- len_left -= to_send;
+- tmp_p += to_send;
+- } while (len_left > 0);
+-
+- len_left = len;
+-
+- if (len > max_execve_audit_len)
+- too_long = 1;
+-
+- /* rewalk the argument actually logging the message */
+- for (i = 0; len_left > 0; i++) {
+- int room_left;
+-
+- if (len_left > max_execve_audit_len)
+- to_send = max_execve_audit_len;
+- else
+- to_send = len_left;
+-
+- /* do we have space left to send this argument in this ab? */
+- room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
+- if (has_cntl)
+- room_left -= (to_send * 2);
+- else
+- room_left -= to_send;
+- if (room_left < 0) {
+- *len_sent = 0;
+- audit_log_end(*ab);
+- *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
+- if (!*ab)
+- return 0;
+- }
++ /* NOTE: we don't ever want to trust this value for anything
++ * serious, but the audit record format insists we
++ * provide an argument length for really long arguments,
++ * e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
++ * to use strncpy_from_user() to obtain this value for
++ * recording in the log, although we don't use it
++ * anywhere here to avoid a double-fetch problem */
++ if (len_full == 0)
++ len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
++
++ /* read more data from userspace */
++ if (require_data) {
++ /* can we make more room in the buffer? */
++ if (buf != buf_head) {
++ memmove(buf_head, buf, len_buf);
++ buf = buf_head;
++ }
++
++ /* fetch as much as we can of the argument */
++ len_tmp = strncpy_from_user(&buf_head[len_buf], p,
++ len_max - len_buf);
++ if (len_tmp == -EFAULT) {
++ /* unable to copy from userspace */
++ send_sig(SIGKILL, current, 0);
++ goto out;
++ } else if (len_tmp == (len_max - len_buf)) {
++ /* buffer is not large enough */
++ require_data = true;
++ /* NOTE: if we are going to span multiple
++ * buffers force the encoding so we stand
++ * a chance at a sane len_full value and
++ * consistent record encoding */
++ encode = true;
++ len_full = len_full * 2;
++ p += len_tmp;
++ } else {
++ require_data = false;
++ if (!encode)
++ encode = audit_string_contains_control(
++ buf, len_tmp);
++ /* try to use a trusted value for len_full */
++ if (len_full < len_max)
++ len_full = (encode ?
++ len_tmp * 2 : len_tmp);
++ p += len_tmp + 1;
++ }
++ len_buf += len_tmp;
++ buf_head[len_buf] = '\0';
+
+- /*
+- * first record needs to say how long the original string was
+- * so we can be sure nothing was lost.
+- */
+- if ((i == 0) && (too_long))
+- audit_log_format(*ab, " a%d_len=%zu", arg_num,
+- has_cntl ? 2*len : len);
+-
+- /*
+- * normally arguments are small enough to fit and we already
+- * filled buf above when we checked for control characters
+- * so don't bother with another copy_from_user
+- */
+- if (len >= max_execve_audit_len)
+- ret = copy_from_user(buf, p, to_send);
+- else
+- ret = 0;
+- if (ret) {
+- WARN_ON(1);
+- send_sig(SIGKILL, current, 0);
+- return -1;
++ /* length of the buffer in the audit record? */
++ len_abuf = (encode ? len_buf * 2 : len_buf + 2);
+ }
+- buf[to_send] = '\0';
+-
+- /* actually log it */
+- audit_log_format(*ab, " a%d", arg_num);
+- if (too_long)
+- audit_log_format(*ab, "[%d]", i);
+- audit_log_format(*ab, "=");
+- if (has_cntl)
+- audit_log_n_hex(*ab, buf, to_send);
+- else
+- audit_log_string(*ab, buf);
+-
+- p += to_send;
+- len_left -= to_send;
+- *len_sent += arg_num_len;
+- if (has_cntl)
+- *len_sent += to_send * 2;
+- else
+- *len_sent += to_send;
+- }
+- /* include the null we didn't log */
+- return len + 1;
+-}
+
+-static void audit_log_execve_info(struct audit_context *context,
+- struct audit_buffer **ab)
+-{
+- int i, len;
+- size_t len_sent = 0;
+- const char __user *p;
+- char *buf;
++ /* write as much as we can to the audit log */
++ if (len_buf > 0) {
++ /* NOTE: some magic numbers here - basically if we
++ * can't fit a reasonable amount of data into the
++ * existing audit buffer, flush it and start with
++ * a new buffer */
++ if ((sizeof(abuf) + 8) > len_rem) {
++ len_rem = len_max;
++ audit_log_end(*ab);
++ *ab = audit_log_start(context,
++ GFP_KERNEL, AUDIT_EXECVE);
++ if (!*ab)
++ goto out;
++ }
+
+- p = (const char __user *)current->mm->arg_start;
++ /* create the non-arg portion of the arg record */
++ len_tmp = 0;
++ if (require_data || (iter > 0) ||
++ ((len_abuf + sizeof(abuf)) > len_rem)) {
++ if (iter == 0) {
++ len_tmp += snprintf(&abuf[len_tmp],
++ sizeof(abuf) - len_tmp,
++ " a%d_len=%lu",
++ arg, len_full);
++ }
++ len_tmp += snprintf(&abuf[len_tmp],
++ sizeof(abuf) - len_tmp,
++ " a%d[%d]=", arg, iter++);
++ } else
++ len_tmp += snprintf(&abuf[len_tmp],
++ sizeof(abuf) - len_tmp,
++ " a%d=", arg);
++ WARN_ON(len_tmp >= sizeof(abuf));
++ abuf[sizeof(abuf) - 1] = '\0';
++
++ /* log the arg in the audit record */
++ audit_log_format(*ab, "%s", abuf);
++ len_rem -= len_tmp;
++ len_tmp = len_buf;
++ if (encode) {
++ if (len_abuf > len_rem)
++ len_tmp = len_rem / 2; /* encoding */
++ audit_log_n_hex(*ab, buf, len_tmp);
++ len_rem -= len_tmp * 2;
++ len_abuf -= len_tmp * 2;
++ } else {
++ if (len_abuf > len_rem)
++ len_tmp = len_rem - 2; /* quotes */
++ audit_log_n_string(*ab, buf, len_tmp);
++ len_rem -= len_tmp + 2;
++ /* don't subtract the "2" because we still need
++ * to add quotes to the remaining string */
++ len_abuf -= len_tmp;
++ }
++ len_buf -= len_tmp;
++ buf += len_tmp;
++ }
+
+- audit_log_format(*ab, "argc=%d", context->execve.argc);
++ /* ready to move to the next argument? */
++ if ((len_buf == 0) && !require_data) {
++ arg++;
++ iter = 0;
++ len_full = 0;
++ require_data = true;
++ encode = false;
++ }
++ } while (arg < context->execve.argc);
+
+- /*
+- * we need some kernel buffer to hold the userspace args. Just
+- * allocate one big one rather than allocating one of the right size
+- * for every single argument inside audit_log_single_execve_arg()
+- * should be <8k allocation so should be pretty safe.
+- */
+- buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
+- if (!buf) {
+- audit_panic("out of memory for argv string");
+- return;
+- }
++ /* NOTE: the caller handles the final audit_log_end() call */
+
+- for (i = 0; i < context->execve.argc; i++) {
+- len = audit_log_single_execve_arg(context, ab, i,
+- &len_sent, p, buf);
+- if (len <= 0)
+- break;
+- p += len;
+- }
+- kfree(buf);
++out:
++ kfree(buf_head);
+ }
+
+ static void show_special(struct audit_context *context, int *call_panic)
+diff --git a/kernel/cgroup.c b/kernel/cgroup.c
+index 75c0ff0..e0be49f 100644
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -2215,12 +2215,8 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
+ goto out_unlock;
+ }
+
+- /*
+- * We know this subsystem has not yet been bound. Users in a non-init
+- * user namespace may only mount hierarchies with no bound subsystems,
+- * i.e. 'none,name=user1'
+- */
+- if (!opts.none && !capable(CAP_SYS_ADMIN)) {
++ /* Hierarchies may only be created in the initial cgroup namespace. */
++ if (ns != &init_cgroup_ns) {
+ ret = -EPERM;
+ goto out_unlock;
+ }
+@@ -2962,6 +2958,7 @@ int cgroup_attach_task_all(struct task_struct *from, struct task_struct *tsk)
+ int retval = 0;
+
+ mutex_lock(&cgroup_mutex);
++ percpu_down_write(&cgroup_threadgroup_rwsem);
+ for_each_root(root) {
+ struct cgroup *from_cgrp;
+
+@@ -2976,6 +2973,7 @@ int cgroup_attach_task_all(struct task_struct *from, struct task_struct *tsk)
+ if (retval)
+ break;
+ }
++ percpu_up_write(&cgroup_threadgroup_rwsem);
+ mutex_unlock(&cgroup_mutex);
+
+ return retval;
+@@ -4343,6 +4341,8 @@ int cgroup_transfer_tasks(struct cgroup *to, struct cgroup *from)
+
+ mutex_lock(&cgroup_mutex);
+
++ percpu_down_write(&cgroup_threadgroup_rwsem);
++
+ /* all tasks in @from are being moved, all csets are source */
+ spin_lock_irq(&css_set_lock);
+ list_for_each_entry(link, &from->cset_links, cset_link)
+@@ -4371,6 +4371,7 @@ int cgroup_transfer_tasks(struct cgroup *to, struct cgroup *from)
+ } while (task && !ret);
+ out_err:
+ cgroup_migrate_finish(&preloaded_csets);
++ percpu_up_write(&cgroup_threadgroup_rwsem);
+ mutex_unlock(&cgroup_mutex);
+ return ret;
+ }
+@@ -6309,14 +6310,11 @@ struct cgroup_namespace *copy_cgroup_ns(unsigned long flags,
+ if (!ns_capable(user_ns, CAP_SYS_ADMIN))
+ return ERR_PTR(-EPERM);
+
+- mutex_lock(&cgroup_mutex);
++ /* It is not safe to take cgroup_mutex here */
+ spin_lock_irq(&css_set_lock);
+-
+ cset = task_css_set(current);
+ get_css_set(cset);
+-
+ spin_unlock_irq(&css_set_lock);
+- mutex_unlock(&cgroup_mutex);
+
+ new_ns = alloc_cgroup_ns();
+ if (IS_ERR(new_ns)) {
+diff --git a/kernel/module.c b/kernel/module.c
+index 5f71aa6..6458a2f 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -2687,13 +2687,18 @@ static inline void kmemleak_load_module(const struct module *mod,
+ #endif
+
+ #ifdef CONFIG_MODULE_SIG
+-static int module_sig_check(struct load_info *info)
++static int module_sig_check(struct load_info *info, int flags)
+ {
+ int err = -ENOKEY;
+ const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+ const void *mod = info->hdr;
+
+- if (info->len > markerlen &&
++ /*
++ * Require flags == 0, as a module with version information
++ * removed is no longer the module that was signed
++ */
++ if (flags == 0 &&
++ info->len > markerlen &&
+ memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
+ /* We truncate the module to discard the signature */
+ info->len -= markerlen;
+@@ -2712,7 +2717,7 @@ static int module_sig_check(struct load_info *info)
+ return err;
+ }
+ #else /* !CONFIG_MODULE_SIG */
+-static int module_sig_check(struct load_info *info)
++static int module_sig_check(struct load_info *info, int flags)
+ {
+ return 0;
+ }
+@@ -3498,7 +3503,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
+ long err;
+ char *after_dashes;
+
+- err = module_sig_check(info);
++ err = module_sig_check(info, flags);
+ if (err)
+ goto free_copy;
+
+diff --git a/mm/backing-dev.c b/mm/backing-dev.c
+index ed173b8..9269911 100644
+--- a/mm/backing-dev.c
++++ b/mm/backing-dev.c
+@@ -825,6 +825,20 @@ int bdi_register_dev(struct backing_dev_info *bdi, dev_t dev)
+ }
+ EXPORT_SYMBOL(bdi_register_dev);
+
++int bdi_register_owner(struct backing_dev_info *bdi, struct device *owner)
++{
++ int rc;
++
++ rc = bdi_register(bdi, NULL, "%u:%u", MAJOR(owner->devt),
++ MINOR(owner->devt));
++ if (rc)
++ return rc;
++ bdi->owner = owner;
++ get_device(owner);
++ return 0;
++}
++EXPORT_SYMBOL(bdi_register_owner);
++
+ /*
+ * Remove bdi from bdi_list, and ensure that it is no longer visible
+ */
+@@ -849,6 +863,11 @@ void bdi_unregister(struct backing_dev_info *bdi)
+ device_unregister(bdi->dev);
+ bdi->dev = NULL;
+ }
++
++ if (bdi->owner) {
++ put_device(bdi->owner);
++ bdi->owner = NULL;
++ }
+ }
+
+ void bdi_exit(struct backing_dev_info *bdi)
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index addfe4ac..d9ec1a5 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2214,6 +2214,10 @@ static unsigned long set_max_huge_pages(struct hstate *h, unsigned long count,
+ * and reducing the surplus.
+ */
+ spin_unlock(&hugetlb_lock);
++
++ /* yield cpu to avoid soft lockup */
++ cond_resched();
++
+ if (hstate_is_gigantic(h))
+ ret = alloc_fresh_gigantic_page(h, nodes_allowed);
+ else
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 388ee8b..1842141 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -927,7 +927,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
+- if (get_user(opt, (u32 __user *) optval)) {
++ if (get_user(opt, (u16 __user *) optval)) {
+ err = -EFAULT;
+ break;
+ }
+diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
+index 1325776..bd007a9 100644
+--- a/net/netlabel/netlabel_kapi.c
++++ b/net/netlabel/netlabel_kapi.c
+@@ -824,7 +824,11 @@ socket_setattr_return:
+ */
+ void netlbl_sock_delattr(struct sock *sk)
+ {
+- cipso_v4_sock_delattr(sk);
++ switch (sk->sk_family) {
++ case AF_INET:
++ cipso_v4_sock_delattr(sk);
++ break;
++ }
+ }
+
+ /**
+@@ -987,7 +991,11 @@ req_setattr_return:
+ */
+ void netlbl_req_delattr(struct request_sock *req)
+ {
+- cipso_v4_req_delattr(req);
++ switch (req->rsk_ops->family) {
++ case AF_INET:
++ cipso_v4_req_delattr(req);
++ break;
++ }
+ }
+
+ /**
+diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c
+index e1675927..42396a7 100644
+--- a/scripts/recordmcount.c
++++ b/scripts/recordmcount.c
+@@ -33,10 +33,17 @@
+ #include <string.h>
+ #include <unistd.h>
+
++/*
++ * glibc synced up and added the metag number but didn't add the relocations.
++ * Work around this in a crude manner for now.
++ */
+ #ifndef EM_METAG
+-/* Remove this when these make it to the standard system elf.h. */
+ #define EM_METAG 174
++#endif
++#ifndef R_METAG_ADDR32
+ #define R_METAG_ADDR32 2
++#endif
++#ifndef R_METAG_NONE
+ #define R_METAG_NONE 3
+ #endif
+
+diff --git a/sound/hda/array.c b/sound/hda/array.c
+index 516795b..5dfa610 100644
+--- a/sound/hda/array.c
++++ b/sound/hda/array.c
+@@ -21,13 +21,15 @@ void *snd_array_new(struct snd_array *array)
+ return NULL;
+ if (array->used >= array->alloced) {
+ int num = array->alloced + array->alloc_align;
++ int oldsize = array->alloced * array->elem_size;
+ int size = (num + 1) * array->elem_size;
+ void *nlist;
+ if (snd_BUG_ON(num >= 4096))
+ return NULL;
+- nlist = krealloc(array->list, size, GFP_KERNEL | __GFP_ZERO);
++ nlist = krealloc(array->list, size, GFP_KERNEL);
+ if (!nlist)
+ return NULL;
++ memset(nlist + oldsize, 0, size - oldsize);
+ array->list = nlist;
+ array->alloced = num;
+ }
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 6f8ea13..89dacf9 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2265,6 +2265,8 @@ static const struct pci_device_id azx_ids[] = {
+ { PCI_DEVICE(0x1022, 0x780d),
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
+ /* ATI HDMI */
++ { PCI_DEVICE(0x1002, 0x0002),
++ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
+ { PCI_DEVICE(0x1002, 0x1308),
+ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
+ { PCI_DEVICE(0x1002, 0x157a),
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index abcb5a6..f25479b 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4674,6 +4674,22 @@ static void alc290_fixup_mono_speakers(struct hda_codec *codec,
+ }
+ }
+
++static void alc298_fixup_speaker_volume(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++ /* The speaker is routed to the Node 0x06 by a mistake, as a result
++ we can't adjust the speaker's volume since this node does not has
++ Amp-out capability. we change the speaker's route to:
++ Node 0x02 (Audio Output) -> Node 0x0c (Audio Mixer) -> Node 0x17 (
++ Pin Complex), since Node 0x02 has Amp-out caps, we can adjust
++ speaker's volume now. */
++
++ hda_nid_t conn1[1] = { 0x0c };
++ snd_hda_override_conn_list(codec, 0x17, 1, conn1);
++ }
++}
++
+ /* Hook to update amp GPIO4 for automute */
+ static void alc280_hp_gpio4_automute_hook(struct hda_codec *codec,
+ struct hda_jack_callback *jack)
+@@ -4823,6 +4839,7 @@ enum {
+ ALC280_FIXUP_HP_HEADSET_MIC,
+ ALC221_FIXUP_HP_FRONT_MIC,
+ ALC292_FIXUP_TPT460,
++ ALC298_FIXUP_SPK_VOLUME,
+ };
+
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -5478,6 +5495,12 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC293_FIXUP_LENOVO_SPK_NOISE,
+ },
++ [ALC298_FIXUP_SPK_VOLUME] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc298_fixup_speaker_volume,
++ .chained = true,
++ .chain_id = ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
++ },
+ };
+
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -5524,6 +5547,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1028, 0x0704, "Dell XPS 13 9350", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
+ SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE),
+ SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
++ SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
+ SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
+@@ -5799,6 +5823,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
+ {0x1b, 0x01014020},
+ {0x21, 0x0221103f}),
+ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
++ {0x14, 0x90170130},
++ {0x1b, 0x02011020},
++ {0x21, 0x0221103f}),
++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+ {0x14, 0x90170150},
+ {0x1b, 0x02011020},
+ {0x21, 0x0221105f}),
+diff --git a/tools/objtool/.gitignore b/tools/objtool/.gitignore
+index a0b3128..d3102c8 100644
+--- a/tools/objtool/.gitignore
++++ b/tools/objtool/.gitignore
+@@ -1,2 +1,3 @@
+ arch/x86/insn/inat-tables.c
+ objtool
++fixdep
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 48bd520..dd25346 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -148,6 +148,7 @@ int vcpu_load(struct kvm_vcpu *vcpu)
+ put_cpu();
+ return 0;
+ }
++EXPORT_SYMBOL_GPL(vcpu_load);
+
+ void vcpu_put(struct kvm_vcpu *vcpu)
+ {
+@@ -157,6 +158,7 @@ void vcpu_put(struct kvm_vcpu *vcpu)
+ preempt_enable();
+ mutex_unlock(&vcpu->mutex);
+ }
++EXPORT_SYMBOL_GPL(vcpu_put);
+
+ static void ack_flush(void *_completed)
+ {
diff --git a/4.7.1/4420_grsecurity-3.1-4.7.1-201608161813.patch b/4.7.2/4420_grsecurity-3.1-4.7.2-201608211829.patch
index d01aa5c..6aabc5c 100644
--- a/4.7.1/4420_grsecurity-3.1-4.7.1-201608161813.patch
+++ b/4.7.2/4420_grsecurity-3.1-4.7.2-201608211829.patch
@@ -420,7 +420,7 @@ index a3683ce..5ec8bf4 100644
A toggle value indicating if modules are allowed to be loaded
diff --git a/Makefile b/Makefile
-index 84335c0..6cb42d3 100644
+index bb98f1c..eca0654 100644
--- a/Makefile
+++ b/Makefile
@@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -4775,7 +4775,7 @@ index a5bc92d..0bb4730 100644
+ pax_close_kernel();
}
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
-index 5a0a691..658577c 100644
+index 2038492..b81b162 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -76,6 +76,7 @@ config ARM64
@@ -31946,7 +31946,7 @@ index 16ef31b..23496f1 100644
.disabled_by_bios = is_disabled,
.hardware_setup = svm_hardware_setup,
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 64a79f2..d392b19 100644
+index 8326d68..3cc3895 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1589,14 +1589,14 @@ static __always_inline void vmcs_writel(unsigned long field, unsigned long value
@@ -32051,7 +32051,7 @@ index 64a79f2..d392b19 100644
}
kvm_set_posted_intr_wakeup_handler(wakeup_handler);
-@@ -8718,6 +8737,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8719,6 +8738,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
"jmp 2f \n\t"
"1: " __ex(ASM_VMX_VMRESUME) "\n\t"
"2: "
@@ -32064,7 +32064,7 @@ index 64a79f2..d392b19 100644
/* Save guest registers, load host registers, keep flags */
"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
"pop %0 \n\t"
-@@ -8770,6 +8795,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8771,6 +8796,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
#endif
[cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
[wordsize]"i"(sizeof(ulong))
@@ -32076,7 +32076,7 @@ index 64a79f2..d392b19 100644
: "cc", "memory"
#ifdef CONFIG_X86_64
, "rax", "rbx", "rdi", "rsi"
-@@ -8783,7 +8813,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8784,7 +8814,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
if (debugctlmsr)
update_debugctlmsr(debugctlmsr);
@@ -32085,7 +32085,7 @@ index 64a79f2..d392b19 100644
/*
* The sysexit path does not restore ds/es, so we must set them to
* a reasonable value ourselves.
-@@ -8792,8 +8822,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8793,8 +8823,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
* may be executed in interrupt context, which saves and restore segments
* around it, nullifying its effect.
*/
@@ -32106,7 +32106,7 @@ index 64a79f2..d392b19 100644
#endif
vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
-@@ -10905,7 +10945,7 @@ out:
+@@ -10921,7 +10961,7 @@ out:
return ret;
}
@@ -32116,10 +32116,10 @@ index 64a79f2..d392b19 100644
.disabled_by_bios = vmx_disabled_by_bios,
.hardware_setup = hardware_setup,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 7da5dd2..b667a94 100644
+index fea2c57..19b3e60 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -1940,8 +1940,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
+@@ -1941,8 +1941,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
{
struct kvm *kvm = vcpu->kvm;
int lm = is_long_mode(vcpu);
@@ -32130,7 +32130,7 @@ index 7da5dd2..b667a94 100644
u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
: kvm->arch.xen_hvm_config.blob_size_32;
u32 page_num = data & ~PAGE_MASK;
-@@ -2646,6 +2646,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
+@@ -2647,6 +2647,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
if (n < msr_list.nmsrs)
goto out;
r = -EFAULT;
@@ -32139,7 +32139,7 @@ index 7da5dd2..b667a94 100644
if (copy_to_user(user_msr_list->indices, &msrs_to_save,
num_msrs_to_save * sizeof(u32)))
goto out;
-@@ -3054,7 +3056,7 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
+@@ -3055,7 +3057,7 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
{
@@ -32148,7 +32148,7 @@ index 7da5dd2..b667a94 100644
u64 xstate_bv = xsave->header.xfeatures;
u64 valid;
-@@ -3090,7 +3092,7 @@ static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
+@@ -3091,7 +3093,7 @@ static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
static void load_xsave(struct kvm_vcpu *vcpu, u8 *src)
{
@@ -32157,7 +32157,7 @@ index 7da5dd2..b667a94 100644
u64 xstate_bv = *(u64 *)(src + XSAVE_HDR_OFFSET);
u64 valid;
-@@ -3134,7 +3136,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
+@@ -3135,7 +3137,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
fill_xsave((u8 *) guest_xsave->region, vcpu);
} else {
memcpy(guest_xsave->region,
@@ -32166,7 +32166,7 @@ index 7da5dd2..b667a94 100644
sizeof(struct fxregs_state));
*(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)] =
XFEATURE_MASK_FPSSE;
-@@ -3159,7 +3161,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
+@@ -3160,7 +3162,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
} else {
if (xstate_bv & ~XFEATURE_MASK_FPSSE)
return -EINVAL;
@@ -32183,7 +32183,7 @@ index 7da5dd2..b667a94 100644
static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
{
int r;
-@@ -6720,6 +6723,7 @@ out:
+@@ -6732,6 +6735,7 @@ out:
return r;
}
@@ -32191,7 +32191,7 @@ index 7da5dd2..b667a94 100644
static inline int vcpu_block(struct kvm *kvm, struct kvm_vcpu *vcpu)
{
if (!kvm_arch_vcpu_runnable(vcpu) &&
-@@ -7267,7 +7271,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,
+@@ -7279,7 +7283,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,
int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
{
struct fxregs_state *fxsave =
@@ -32200,7 +32200,7 @@ index 7da5dd2..b667a94 100644
memcpy(fpu->fpr, fxsave->st_space, 128);
fpu->fcw = fxsave->cwd;
-@@ -7284,7 +7288,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
+@@ -7296,7 +7300,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
{
struct fxregs_state *fxsave =
@@ -32209,7 +32209,7 @@ index 7da5dd2..b667a94 100644
memcpy(fxsave->st_space, fpu->fpr, 128);
fxsave->cwd = fpu->fcw;
-@@ -7300,9 +7304,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
+@@ -7312,9 +7316,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
static void fx_init(struct kvm_vcpu *vcpu)
{
@@ -32221,7 +32221,7 @@ index 7da5dd2..b667a94 100644
host_xcr0 | XSTATE_COMPACTION_ENABLED;
/*
-@@ -7325,7 +7329,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
+@@ -7337,7 +7341,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
*/
vcpu->guest_fpu_loaded = 1;
__kernel_fpu_begin();
@@ -32230,7 +32230,7 @@ index 7da5dd2..b667a94 100644
trace_kvm_fpu(1);
}
-@@ -7627,6 +7631,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
+@@ -7640,6 +7644,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
struct static_key kvm_no_apic_vcpu __read_mostly;
EXPORT_SYMBOL_GPL(kvm_no_apic_vcpu);
@@ -32239,7 +32239,7 @@ index 7da5dd2..b667a94 100644
int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
{
struct page *page;
-@@ -7644,11 +7650,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
+@@ -7657,11 +7663,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
else
vcpu->arch.mp_state = KVM_MP_STATE_UNINITIALIZED;
@@ -32258,7 +32258,7 @@ index 7da5dd2..b667a94 100644
vcpu->arch.pio_data = page_address(page);
kvm_set_tsc_khz(vcpu, max_tsc_khz);
-@@ -7706,6 +7715,9 @@ fail_mmu_destroy:
+@@ -7719,6 +7728,9 @@ fail_mmu_destroy:
kvm_mmu_destroy(vcpu);
fail_free_pio_data:
free_page((unsigned long)vcpu->arch.pio_data);
@@ -32268,7 +32268,7 @@ index 7da5dd2..b667a94 100644
fail:
return r;
}
-@@ -7724,6 +7736,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
+@@ -7737,6 +7749,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
free_page((unsigned long)vcpu->arch.pio_data);
if (!lapic_in_kernel(vcpu))
static_key_slow_dec(&kvm_no_apic_vcpu);
@@ -38100,10 +38100,10 @@ index 71e8a67..6a313bb 100644
struct op_counter_config;
diff --git a/arch/x86/pci/intel_mid_pci.c b/arch/x86/pci/intel_mid_pci.c
-index 8b93e63..9cf21c3 100644
+index ae97f24..d042e97 100644
--- a/arch/x86/pci/intel_mid_pci.c
+++ b/arch/x86/pci/intel_mid_pci.c
-@@ -280,7 +280,7 @@ int __init intel_mid_pci_init(void)
+@@ -288,7 +288,7 @@ int __init intel_mid_pci_init(void)
pci_mmcfg_late_init();
pcibios_enable_irq = intel_mid_pci_irq_enable;
pcibios_disable_irq = intel_mid_pci_irq_disable;
@@ -39565,10 +39565,10 @@ index 2f33760..835e50a 100644
#define XCHAL_ICACHE_SIZE 8192 /* I-cache size in bytes or 0 */
#define XCHAL_DCACHE_SIZE 8192 /* D-cache size in bytes or 0 */
diff --git a/block/bio.c b/block/bio.c
-index 0e4aa42..a05fa6e 100644
+index 4623869..7acfd5c 100644
--- a/block/bio.c
+++ b/block/bio.c
-@@ -1138,7 +1138,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
+@@ -1142,7 +1142,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
/*
* Overflow, abort
*/
@@ -39577,7 +39577,7 @@ index 0e4aa42..a05fa6e 100644
return ERR_PTR(-EINVAL);
nr_pages += end - start;
-@@ -1263,7 +1263,7 @@ struct bio *bio_map_user_iov(struct request_queue *q,
+@@ -1267,7 +1267,7 @@ struct bio *bio_map_user_iov(struct request_queue *q,
/*
* Overflow, abort
*/
@@ -39735,7 +39735,7 @@ index 556826a..4e7c5fd 100644
err = -EFAULT;
goto out;
diff --git a/block/genhd.c b/block/genhd.c
-index 3eebd25..e8524d8 100644
+index 086f1a3..ee669cd 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -471,21 +471,24 @@ static char *bdevt_str(dev_t devt, char *buf)
@@ -40287,10 +40287,10 @@ index 993fd31..cc15d14 100644
}
EXPORT_SYMBOL_GPL(acpi_dev_pm_attach);
diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
-index 290d6f5..888bde8 100644
+index f4218df..0d3109e 100644
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
-@@ -1536,7 +1536,7 @@ static int ec_correct_ecdt(const struct dmi_system_id *id)
+@@ -1542,7 +1542,7 @@ static int ec_correct_ecdt(const struct dmi_system_id *id)
return 0;
}
@@ -40299,7 +40299,7 @@ index 290d6f5..888bde8 100644
{
ec_correct_ecdt, "Asus L4R", {
DMI_MATCH(DMI_BIOS_VERSION, "1008.006"),
-@@ -1613,7 +1613,7 @@ error:
+@@ -1619,7 +1619,7 @@ error:
return ret;
}
@@ -40308,7 +40308,7 @@ index 290d6f5..888bde8 100644
{
int result = 0;
-@@ -1631,7 +1631,7 @@ static int param_set_event_clearing(const char *val, struct kernel_param *kp)
+@@ -1637,7 +1637,7 @@ static int param_set_event_clearing(const char *val, struct kernel_param *kp)
return result;
}
@@ -42613,7 +42613,7 @@ index 4d87499..1e2bcce 100644
device->rs_last_events =
(int)part_stat_read(&disk->part0, sectors[0]) +
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
-index 84708a5..95c0e55 100644
+index a1dcf12..3e2ccbd 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -961,6 +961,10 @@ static void empty(void)
@@ -43318,7 +43318,7 @@ index d28922d..3c343d6 100644
if (cmd != SIOCWANDEV)
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 87ab9f6..4ce0b84 100644
+index d72c6d1..b85990a 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -290,9 +290,6 @@
@@ -43353,7 +43353,7 @@ index 87ab9f6..4ce0b84 100644
unsigned int add =
((pool_size - entropy_count)*anfrac*3) >> s;
-@@ -1231,7 +1228,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -1232,7 +1229,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
extract_buf(r, tmp);
i = min_t(int, nbytes, EXTRACT_SIZE);
@@ -43362,7 +43362,7 @@ index 87ab9f6..4ce0b84 100644
ret = -EFAULT;
break;
}
-@@ -1650,7 +1647,7 @@ static char sysctl_bootid[16];
+@@ -1655,7 +1652,7 @@ static char sysctl_bootid[16];
static int proc_do_uuid(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
@@ -43371,7 +43371,7 @@ index 87ab9f6..4ce0b84 100644
unsigned char buf[64], tmp_uuid[16], *uuid;
uuid = table->data;
-@@ -1680,7 +1677,7 @@ static int proc_do_uuid(struct ctl_table *table, int write,
+@@ -1685,7 +1682,7 @@ static int proc_do_uuid(struct ctl_table *table, int write,
static int proc_do_entropy(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
@@ -43912,7 +43912,7 @@ index 3001634..911f7d1 100644
}
EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler);
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
-index 1fa1a32..0f3e23e 100644
+index 1b15917..14b4b83 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -276,13 +276,13 @@ struct pstate_funcs {
@@ -44537,7 +44537,7 @@ index 93da1a4..5e2c149 100644
goto err_out;
diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
-index 10c305b..4e92041 100644
+index 4e0f8e7..0eb9499 100644
--- a/drivers/edac/edac_mc_sysfs.c
+++ b/drivers/edac/edac_mc_sysfs.c
@@ -50,7 +50,7 @@ int edac_mc_get_poll_msec(void)
@@ -45202,10 +45202,10 @@ index e055d5be..45982ec 100644
int (*request_smu_specific_fw)(struct amdgpu_device *adev, uint32_t fwtype);
};
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
-index 35a1248..fd2510a 100644
+index 1b4c069..4cb9768 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
-@@ -496,7 +496,7 @@ static int amdgpu_atpx_init(void)
+@@ -501,7 +501,7 @@ static int amdgpu_atpx_init(void)
* look up whether we are the integrated or discrete GPU (all asics).
* Returns the client id.
*/
@@ -45311,7 +45311,7 @@ index cf6f49f..dffb8ab 100644
struct cgs_device *amdgpu_cgs_create_device(struct amdgpu_device *adev)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
-index cb07da4..e7cd288 100644
+index ff0b55a..c58880e 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
@@ -701,7 +701,7 @@ static int amdgpu_connector_lvds_get_modes(struct drm_connector *connector)
@@ -45351,7 +45351,7 @@ index cb07da4..e7cd288 100644
{
struct amdgpu_connector *amdgpu_connector = to_amdgpu_connector(connector);
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
-index 6e92008..6051afc 100644
+index b7f5650..1f1f11a 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -1054,7 +1054,7 @@ static bool amdgpu_switcheroo_can_switch(struct pci_dev *pdev)
@@ -46963,10 +46963,10 @@ index 85c4deb..1b6fe7d 100644
return drm_pci_init(&driver, &i915_pci_driver);
}
diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
-index bc3f2e6..f8e9150 100644
+index 227a63e..705363d 100644
--- a/drivers/gpu/drm/i915/i915_drv.h
+++ b/drivers/gpu/drm/i915/i915_drv.h
-@@ -2747,7 +2747,7 @@ struct drm_i915_cmd_table {
+@@ -2749,7 +2749,7 @@ struct drm_i915_cmd_table {
#include "i915_trace.h"
extern const struct drm_ioctl_desc i915_ioctls[];
@@ -47197,10 +47197,10 @@ index aab47f7..28aabbe 100644
/**
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index 3074c56..2f67a37 100644
+index 3289319..c42af93 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -15190,13 +15190,13 @@ struct intel_quirk {
+@@ -15182,13 +15182,13 @@ struct intel_quirk {
int subsystem_vendor;
int subsystem_device;
void (*hook)(struct drm_device *dev);
@@ -47217,7 +47217,7 @@ index 3074c56..2f67a37 100644
static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
{
-@@ -15204,18 +15204,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
+@@ -15196,18 +15196,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
return 1;
}
@@ -47248,7 +47248,7 @@ index 3074c56..2f67a37 100644
.hook = quirk_invert_brightness,
},
};
-@@ -15298,7 +15300,7 @@ static void intel_init_quirks(struct drm_device *dev)
+@@ -15290,7 +15292,7 @@ static void intel_init_quirks(struct drm_device *dev)
q->hook(dev);
}
for (i = 0; i < ARRAY_SIZE(intel_dmi_quirks); i++) {
@@ -47467,7 +47467,7 @@ index c108408..575750a 100644
struct drm_display_mode *mode)
{
diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
-index 11f8dd9..8efc333 100644
+index d6c134b..57fa370 100644
--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
@@ -82,9 +82,8 @@ MODULE_PARM_DESC(runpm, "disable (0), force enable (1), optimus only default (-1
@@ -47481,7 +47481,7 @@ index 11f8dd9..8efc333 100644
static u64
nouveau_pci_name(struct pci_dev *pdev)
-@@ -931,7 +930,7 @@ nouveau_driver_fops = {
+@@ -940,7 +939,7 @@ nouveau_driver_fops = {
};
static struct drm_driver
@@ -47490,7 +47490,7 @@ index 11f8dd9..8efc333 100644
.driver_features =
DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER |
DRIVER_KMS_LEGACY_CONTEXT,
-@@ -943,6 +942,8 @@ driver_stub = {
+@@ -952,6 +951,8 @@ driver_stub = {
.postclose = nouveau_drm_postclose,
.lastclose = nouveau_vga_lastclose,
@@ -47499,7 +47499,7 @@ index 11f8dd9..8efc333 100644
#if defined(CONFIG_DEBUG_FS)
.debugfs_init = nouveau_drm_debugfs_init,
.debugfs_cleanup = nouveau_drm_debugfs_cleanup,
-@@ -1075,10 +1076,10 @@ err_free:
+@@ -1084,10 +1085,10 @@ err_free:
static int __init
nouveau_drm_init(void)
{
@@ -48133,10 +48133,10 @@ index b928c17..e5d9400 100644
if (regcomp
(&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
diff --git a/drivers/gpu/drm/radeon/radeon_atpx_handler.c b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
-index 95f4fea..acecfdf 100644
+index 1b3f4e5..fb17055 100644
--- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c
+++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
-@@ -494,7 +494,7 @@ static int radeon_atpx_init(void)
+@@ -499,7 +499,7 @@ static int radeon_atpx_init(void)
* look up whether we are the integrated or discrete GPU (all asics).
* Returns the client id.
*/
@@ -48146,7 +48146,7 @@ index 95f4fea..acecfdf 100644
if (radeon_atpx_priv.dhandle == ACPI_HANDLE(&pdev->dev))
return VGA_SWITCHEROO_IGD;
diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
-index 81a63d7..5c7f8e7 100644
+index b79f3b0..a1fd177 100644
--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -857,7 +857,7 @@ static int radeon_lvds_get_modes(struct drm_connector *connector)
@@ -51340,7 +51340,7 @@ index cdc7df4..a2fdfdb 100644
.maxtype = IFLA_IPOIB_MAX,
.policy = ipoib_policy,
diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
-index 4a41556..8fcf256 100644
+index 9a3b954..8cd0080 100644
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -80,7 +80,7 @@ module_param(srpt_srq_size, int, 0444);
@@ -51363,7 +51363,7 @@ index 4a41556..8fcf256 100644
pr_debug("QP event %d on cm_id=%p sess_name=%s state=%d\n",
event->event, ch->cm_id, ch->sess_name, ch->state);
-@@ -1622,8 +1623,7 @@ retry:
+@@ -1623,8 +1624,7 @@ retry:
}
qp_init->qp_context = (void *)ch;
@@ -51547,10 +51547,10 @@ index 92e2243..8fd9092 100644
.ident = "Shift",
.matches = {
diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
-index 634f6363..cfe6f70 100644
+index 2511c8b..e069daf 100644
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
-@@ -825,11 +825,21 @@ static void copy_cmd_to_buffer(struct amd_iommu *iommu,
+@@ -827,11 +827,21 @@ static void copy_cmd_to_buffer(struct amd_iommu *iommu,
static void build_completion_wait(struct iommu_cmd *cmd, u64 address)
{
@@ -52005,7 +52005,7 @@ index 8c61399..a141537 100644
selftest_running = false;
diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
-index a1ed1b7..3df0f22 100644
+index f5c90e1..90a737c 100644
--- a/drivers/iommu/io-pgtable-arm.c
+++ b/drivers/iommu/io-pgtable-arm.c
@@ -39,9 +39,6 @@
@@ -55810,7 +55810,7 @@ index 43824d7..fb6a7b0 100644
pmd->bl_info.value_type.inc = data_block_inc;
pmd->bl_info.value_type.dec = data_block_dec;
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 1b2f962..e2efabd 100644
+index fd40bcb..13b3f293 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -170,8 +170,8 @@ struct mapped_device {
@@ -59540,10 +59540,10 @@ index 3692dd5..b731a9b 100644
struct sm_sysfs_attribute *vendor_attribute;
char *vendor;
diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
-index ef36182..d5736e4 100644
+index 0680516..eb890f3 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
-@@ -1386,7 +1386,7 @@ static int __init bytes_str_to_int(const char *str)
+@@ -1389,7 +1389,7 @@ static int __init bytes_str_to_int(const char *str)
* This function returns zero in case of success and a negative error code in
* case of error.
*/
@@ -66288,10 +66288,10 @@ index 779bafc..6ec6ea1 100644
ieee80211_get_tkip_p2k(keyconf, skb_frag, tx_cmd->key);
break;
diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
-index f603d78..4a66baa 100644
+index d9f1394..ba6ee91 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
-@@ -2299,7 +2299,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
+@@ -2294,7 +2294,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
struct isr_statistics *isr_stats = &trans_pcie->isr_stats;
char buf[8];
@@ -66300,7 +66300,7 @@ index f603d78..4a66baa 100644
u32 reset_flag;
memset(buf, 0, sizeof(buf));
-@@ -2320,7 +2320,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
+@@ -2315,7 +2315,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
{
struct iwl_trans *trans = file->private_data;
char buf[8];
@@ -70316,7 +70316,7 @@ index 0d17c92..ce5897e 100644
mc13xxx_data = mc13xxx_parse_regulators_dt(pdev, mc13892_regulators,
diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
-index db3958b..4d1f2ae 100644
+index fe0539e..247590f 100644
--- a/drivers/remoteproc/remoteproc_core.c
+++ b/drivers/remoteproc/remoteproc_core.c
@@ -329,9 +329,10 @@ void rproc_free_vring(struct rproc_vring *rvring)
@@ -72882,7 +72882,7 @@ index b43f7ac..a635694 100644
lpfc_transport_template =
fc_attach_transport(&lpfc_transport_functions);
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
-index 3bd0be6..f9b0725e 100644
+index c7e5695..ea80cbc 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -261,7 +261,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hba *phba)
@@ -77687,7 +77687,7 @@ index a260cde..604fce9 100644
/* This is only available if kgdboc is a built in for early debugging */
static int __init kgdboc_early_init(char *opt)
diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
-index b7d80bd..50fc855 100644
+index 7d62610..0d0981b 100644
--- a/drivers/tty/serial/msm_serial.c
+++ b/drivers/tty/serial/msm_serial.c
@@ -1561,7 +1561,7 @@ static struct uart_driver msm_uart_driver = {
@@ -77709,7 +77709,7 @@ index b7d80bd..50fc855 100644
if (unlikely(line < 0 || line >= UART_NR))
return -ENXIO;
diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
-index 99bb231..ba80b07 100644
+index f0bd2ec..da28e78 100644
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -978,11 +978,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port)
@@ -97230,10 +97230,10 @@ index e0715fc..76857e9 100644
RB_CLEAR_NODE(&merge->rb_node);
em->mod_len = (merge->mod_start + merge->mod_len) - em->mod_start;
diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
-index 2234e88..6f43c26 100644
+index b56887b..d032076 100644
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
-@@ -1937,7 +1937,7 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
+@@ -1935,7 +1935,7 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
return ret;
inode_lock(inode);
@@ -97242,7 +97242,7 @@ index 2234e88..6f43c26 100644
full_sync = test_bit(BTRFS_INODE_NEEDS_FULL_SYNC,
&BTRFS_I(inode)->runtime_flags);
/*
-@@ -1991,7 +1991,7 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
+@@ -1989,7 +1989,7 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
inode_unlock(inode);
goto out;
}
@@ -97791,22 +97791,21 @@ index 2fcde1a..5986a27 100644
#else
diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
-index 4ae7500..fef2d10 100644
+index 3f7c2cd..6014026 100644
--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
-@@ -273,9 +273,9 @@ void cachefiles_mark_object_inactive(struct cachefiles_cache *cache,
+@@ -275,8 +275,8 @@ void cachefiles_mark_object_inactive(struct cachefiles_cache *cache,
/* This object can now be culled, so we need to let the daemon know
* that there is something it can remove if it needs to.
*/
-- atomic_long_add(d_backing_inode(object->dentry)->i_blocks,
-+ atomic_long_add_unchecked(d_backing_inode(object->dentry)->i_blocks,
- &cache->b_released);
+- atomic_long_add(i_blocks, &cache->b_released);
- if (atomic_inc_return(&cache->f_released))
++ atomic_long_add_unchecked(i_blocks, &cache->b_released);
+ if (atomic_inc_return_unchecked(&cache->f_released))
cachefiles_state_changed(cache);
}
-@@ -334,7 +334,7 @@ try_again:
+@@ -335,7 +335,7 @@ try_again:
/* first step is to make up a grave dentry in the graveyard */
sprintf(nbuffer, "%08x%08x",
(uint32_t) get_seconds(),
@@ -97936,10 +97935,10 @@ index 788e191..ca209d6 100644
server->ops->print_stats(m, tcon);
}
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
-index 5d841f3..761ed68 100644
+index 6bbec5e..fc3f5cd 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
-@@ -1143,7 +1143,7 @@ cifs_init_request_bufs(void)
+@@ -1155,7 +1155,7 @@ cifs_init_request_bufs(void)
*/
cifs_req_cachep = kmem_cache_create("cifs_request",
CIFSMaxBufSize + max_hdr_size, 0,
@@ -97948,7 +97947,7 @@ index 5d841f3..761ed68 100644
if (cifs_req_cachep == NULL)
return -ENOMEM;
-@@ -1170,7 +1170,7 @@ cifs_init_request_bufs(void)
+@@ -1182,7 +1182,7 @@ cifs_init_request_bufs(void)
efficient to alloc 1 per page off the slab compared to 17K (5page)
alloc of large cifs buffers even when page debugging is on */
cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
@@ -97957,7 +97956,7 @@ index 5d841f3..761ed68 100644
NULL);
if (cifs_sm_req_cachep == NULL) {
mempool_destroy(cifs_req_poolp);
-@@ -1255,8 +1255,8 @@ init_cifs(void)
+@@ -1267,8 +1267,8 @@ init_cifs(void)
atomic_set(&bufAllocCount, 0);
atomic_set(&smBufAllocCount, 0);
#ifdef CONFIG_CIFS_STATS2
@@ -98224,7 +98223,7 @@ index fc537c2..47d654c 100644
}
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
-index 3525ed7..ac8afb7 100644
+index 505e6d6..7ef9511 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -427,8 +427,8 @@ smb2_clear_stats(struct cifs_tcon *tcon)
@@ -102458,7 +102457,7 @@ index 9ea4219..68587e2 100644
put_cpu_var(last_ino);
return res;
diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
-index 7007809..8b69fb9 100644
+index 78313ad..3f7bce4 100644
--- a/fs/jbd2/commit.c
+++ b/fs/jbd2/commit.c
@@ -1077,7 +1077,7 @@ restart_loop:
@@ -109966,7 +109965,7 @@ index de1ff1d..bd4c347 100644
.pc_ressize = sizeof(struct nfsd4_compoundres),
.pc_release = nfsd4_release_compoundargs,
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
-index 70d0b9b..351c298 100644
+index 806eda1..125792c 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -2362,8 +2362,9 @@ static bool client_has_state(struct nfs4_client *clp)
@@ -110101,7 +110100,7 @@ index 70d0b9b..351c298 100644
struct nfsd4_test_stateid_id *stateid;
struct nfs4_client *cl = cstate->session->se_client;
-@@ -4908,8 +4920,9 @@ nfsd4_test_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+@@ -4934,8 +4946,9 @@ out:
__be32
nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
@@ -110112,7 +110111,7 @@ index 70d0b9b..351c298 100644
stateid_t *stateid = &free_stateid->fr_stateid;
struct nfs4_stid *s;
struct nfs4_delegation *dp;
-@@ -5047,8 +5060,9 @@ static __be32 nfs4_preprocess_confirmed_seqid_op(struct nfsd4_compound_state *cs
+@@ -5063,8 +5076,9 @@ static __be32 nfs4_preprocess_confirmed_seqid_op(struct nfsd4_compound_state *cs
__be32
nfsd4_open_confirm(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
@@ -110123,7 +110122,7 @@ index 70d0b9b..351c298 100644
__be32 status;
struct nfs4_openowner *oo;
struct nfs4_ol_stateid *stp;
-@@ -5116,8 +5130,9 @@ static inline void nfs4_stateid_downgrade(struct nfs4_ol_stateid *stp, u32 to_ac
+@@ -5132,8 +5146,9 @@ static inline void nfs4_stateid_downgrade(struct nfs4_ol_stateid *stp, u32 to_ac
__be32
nfsd4_open_downgrade(struct svc_rqst *rqstp,
struct nfsd4_compound_state *cstate,
@@ -110134,7 +110133,7 @@ index 70d0b9b..351c298 100644
__be32 status;
struct nfs4_ol_stateid *stp;
struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
-@@ -5185,8 +5200,9 @@ static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s)
+@@ -5201,8 +5216,9 @@ static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s)
*/
__be32
nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
@@ -110145,7 +110144,7 @@ index 70d0b9b..351c298 100644
__be32 status;
struct nfs4_ol_stateid *stp;
struct net *net = SVC_NET(rqstp);
-@@ -5215,8 +5231,9 @@ out:
+@@ -5231,8 +5247,9 @@ out:
__be32
nfsd4_delegreturn(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
@@ -110156,7 +110155,7 @@ index 70d0b9b..351c298 100644
struct nfs4_delegation *dp;
stateid_t *stateid = &dr->dr_stateid;
struct nfs4_stid *s;
-@@ -5550,8 +5567,9 @@ out:
+@@ -5583,8 +5600,9 @@ out:
*/
__be32
nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
@@ -110167,7 +110166,7 @@ index 70d0b9b..351c298 100644
struct nfs4_openowner *open_sop = NULL;
struct nfs4_lockowner *lock_sop = NULL;
struct nfs4_ol_stateid *lock_stp = NULL;
-@@ -5754,8 +5772,9 @@ static __be32 nfsd_test_lock(struct svc_rqst *rqstp, struct svc_fh *fhp, struct
+@@ -5785,8 +5803,9 @@ static __be32 nfsd_test_lock(struct svc_rqst *rqstp, struct svc_fh *fhp, struct
*/
__be32
nfsd4_lockt(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
@@ -110178,7 +110177,7 @@ index 70d0b9b..351c298 100644
struct file_lock *file_lock = NULL;
struct nfs4_lockowner *lo = NULL;
__be32 status;
-@@ -5827,8 +5846,9 @@ out:
+@@ -5858,8 +5877,9 @@ out:
__be32
nfsd4_locku(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
@@ -110189,7 +110188,7 @@ index 70d0b9b..351c298 100644
struct nfs4_ol_stateid *stp;
struct file *filp = NULL;
struct file_lock *file_lock = NULL;
-@@ -5934,8 +5954,9 @@ check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner)
+@@ -5965,8 +5985,9 @@ check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner)
__be32
nfsd4_release_lockowner(struct svc_rqst *rqstp,
struct nfsd4_compound_state *cstate,
@@ -110200,7 +110199,7 @@ index 70d0b9b..351c298 100644
clientid_t *clid = &rlockowner->rl_clientid;
struct nfs4_stateowner *sop;
struct nfs4_lockowner *lo = NULL;
-@@ -6879,26 +6900,34 @@ clear_current_stateid(struct nfsd4_compound_state *cstate)
+@@ -6910,26 +6931,34 @@ clear_current_stateid(struct nfsd4_compound_state *cstate)
* functions to set current state id
*/
void
@@ -110239,7 +110238,7 @@ index 70d0b9b..351c298 100644
put_stateid(cstate, &lock->lk_resp_stateid);
}
-@@ -6907,49 +6936,65 @@ nfsd4_set_lockstateid(struct nfsd4_compound_state *cstate, struct nfsd4_lock *lo
+@@ -6938,49 +6967,65 @@ nfsd4_set_lockstateid(struct nfsd4_compound_state *cstate, struct nfsd4_lock *lo
*/
void
@@ -113383,7 +113382,7 @@ index d1cdc60..38f2608 100644
if (ovl_open_need_copy_up(file_flags, type, realpath.dentry)) {
err = ovl_want_write(dentry);
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
-index 9a7693d..ca30875 100644
+index 6db75cb..b2fe139 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -196,7 +196,7 @@ void ovl_path_lower(struct dentry *dentry, struct path *path)
@@ -113395,7 +113394,7 @@ index 9a7693d..ca30875 100644
}
int ovl_want_write(struct dentry *dentry)
-@@ -952,8 +952,8 @@ static unsigned int ovl_split_lowerdirs(char *str)
+@@ -953,8 +953,8 @@ static unsigned int ovl_split_lowerdirs(char *str)
static int ovl_fill_super(struct super_block *sb, void *data, int silent)
{
@@ -137888,7 +137887,7 @@ index 92a7d85..1779570 100644
const void *private_data,
u8 private_data_len);
diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
-index 7e440d4..2fc0a83 100644
+index e694f02..ea3d1e4 100644
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -1187,7 +1187,7 @@ struct ib_sge {
@@ -139353,19 +139352,10 @@ index 8d528f9..ec997a7 100644
.exit = audit_net_exit,
.id = &audit_net_id,
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
-index 2672d10..63bd1ca 100644
+index b334128..579016e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
-@@ -1023,7 +1023,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
- * for strings that are too long, we should not have created
- * any.
- */
-- if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) {
-+ if (WARN_ON_ONCE(len > MAX_ARG_STRLEN - 1)) {
- send_sig(SIGKILL, current, 0);
- return -1;
- }
-@@ -1954,7 +1954,7 @@ int auditsc_get_stamp(struct audit_context *ctx,
+@@ -1950,7 +1950,7 @@ int auditsc_get_stamp(struct audit_context *ctx,
}
/* global counter which is incremented every time something logs in */
@@ -139374,7 +139364,7 @@ index 2672d10..63bd1ca 100644
static int audit_set_loginuid_perm(kuid_t loginuid)
{
-@@ -2026,7 +2026,7 @@ int audit_set_loginuid(kuid_t loginuid)
+@@ -2022,7 +2022,7 @@ int audit_set_loginuid(kuid_t loginuid)
/* are we setting or clearing? */
if (uid_valid(loginuid))
@@ -139583,10 +139573,10 @@ index 45432b5..7d860f7 100644
+}
+EXPORT_SYMBOL(capable_wrt_inode_uidgid_nolog);
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
-index 75c0ff0..bf4be97 100644
+index e0be49f..d599a0e 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
-@@ -3634,7 +3634,7 @@ static int cgroup_add_file(struct cgroup_subsys_state *css, struct cgroup *cgrp,
+@@ -3632,7 +3632,7 @@ static int cgroup_add_file(struct cgroup_subsys_state *css, struct cgroup *cgrp,
key = &cft->lockdep_key;
#endif
kn = __kernfs_create_file(cgrp->kn, cgroup_file_name(cgrp, cft, name),
@@ -139595,7 +139585,7 @@ index 75c0ff0..bf4be97 100644
NULL, key);
if (IS_ERR(kn))
return PTR_ERR(kn);
-@@ -3738,11 +3738,14 @@ static void cgroup_exit_cftypes(struct cftype *cfts)
+@@ -3736,11 +3736,14 @@ static void cgroup_exit_cftypes(struct cftype *cfts)
/* free copy for custom atomic_write_len, see init_cftypes() */
if (cft->max_write_len && cft->max_write_len != PAGE_SIZE)
kfree(cft->kf_ops);
@@ -139613,7 +139603,7 @@ index 75c0ff0..bf4be97 100644
}
}
-@@ -3773,8 +3776,10 @@ static int cgroup_init_cftypes(struct cgroup_subsys *ss, struct cftype *cfts)
+@@ -3771,8 +3774,10 @@ static int cgroup_init_cftypes(struct cgroup_subsys *ss, struct cftype *cfts)
kf_ops->atomic_write_len = cft->max_write_len;
}
@@ -139626,7 +139616,7 @@ index 75c0ff0..bf4be97 100644
}
return 0;
-@@ -3787,7 +3792,7 @@ static int cgroup_rm_cftypes_locked(struct cftype *cfts)
+@@ -3785,7 +3790,7 @@ static int cgroup_rm_cftypes_locked(struct cftype *cfts)
if (!cfts || !cfts[0].ss)
return -ENOENT;
@@ -139635,7 +139625,7 @@ index 75c0ff0..bf4be97 100644
cgroup_apply_cftypes(cfts, false);
cgroup_exit_cftypes(cfts);
return 0;
-@@ -3844,7 +3849,7 @@ static int cgroup_add_cftypes(struct cgroup_subsys *ss, struct cftype *cfts)
+@@ -3842,7 +3847,7 @@ static int cgroup_add_cftypes(struct cgroup_subsys *ss, struct cftype *cfts)
mutex_lock(&cgroup_mutex);
@@ -139644,7 +139634,7 @@ index 75c0ff0..bf4be97 100644
ret = cgroup_apply_cftypes(cfts, true);
if (ret)
cgroup_rm_cftypes_locked(cfts);
-@@ -3865,8 +3870,10 @@ int cgroup_add_dfl_cftypes(struct cgroup_subsys *ss, struct cftype *cfts)
+@@ -3863,8 +3868,10 @@ int cgroup_add_dfl_cftypes(struct cgroup_subsys *ss, struct cftype *cfts)
{
struct cftype *cft;
@@ -139656,7 +139646,7 @@ index 75c0ff0..bf4be97 100644
return cgroup_add_cftypes(ss, cfts);
}
-@@ -3882,8 +3889,10 @@ int cgroup_add_legacy_cftypes(struct cgroup_subsys *ss, struct cftype *cfts)
+@@ -3880,8 +3887,10 @@ int cgroup_add_legacy_cftypes(struct cgroup_subsys *ss, struct cftype *cfts)
{
struct cftype *cft;
@@ -139668,7 +139658,7 @@ index 75c0ff0..bf4be97 100644
return cgroup_add_cftypes(ss, cfts);
}
-@@ -6048,6 +6057,9 @@ static void cgroup_release_agent(struct work_struct *work)
+@@ -6049,6 +6058,9 @@ static void cgroup_release_agent(struct work_struct *work)
if (!pathbuf || !agentbuf)
goto out;
@@ -139678,7 +139668,7 @@ index 75c0ff0..bf4be97 100644
spin_lock_irq(&css_set_lock);
path = cgroup_path_ns_locked(cgrp, pathbuf, PATH_MAX, &init_cgroup_ns);
spin_unlock_irq(&css_set_lock);
-@@ -6467,7 +6479,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v)
+@@ -6465,7 +6477,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v)
struct task_struct *task;
int count = 0;
@@ -141658,7 +141648,7 @@ index a0f61ef..b6aef3c 100644
seq_printf(m, "%40s %14lu %29s %pS\n",
name, stats->contending_point[i],
diff --git a/kernel/module.c b/kernel/module.c
-index 5f71aa6..cae0865 100644
+index 6458a2f..ebdeb641 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -60,6 +60,7 @@
@@ -142212,7 +142202,7 @@ index 5f71aa6..cae0865 100644
}
#else
static inline void layout_symtab(struct module *mod, struct load_info *info)
-@@ -2888,7 +2976,15 @@ static struct module *setup_load_info(struct load_info *info, int flags)
+@@ -2893,7 +2981,15 @@ static struct module *setup_load_info(struct load_info *info, int flags)
mod = (void *)info->sechdrs[info->index.mod].sh_addr;
if (info->index.sym == 0) {
@@ -142228,7 +142218,7 @@ index 5f71aa6..cae0865 100644
return ERR_PTR(-ENOEXEC);
}
-@@ -2904,8 +3000,16 @@ static struct module *setup_load_info(struct load_info *info, int flags)
+@@ -2909,8 +3005,16 @@ static struct module *setup_load_info(struct load_info *info, int flags)
static int check_modinfo(struct module *mod, struct load_info *info, int flags)
{
const char *modmagic = get_modinfo(info, "vermagic");
@@ -142245,7 +142235,7 @@ index 5f71aa6..cae0865 100644
if (flags & MODULE_INIT_IGNORE_VERMAGIC)
modmagic = NULL;
-@@ -2934,7 +3038,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
+@@ -2939,7 +3043,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
return err;
/* Set up license info based on the info section */
@@ -142254,7 +142244,7 @@ index 5f71aa6..cae0865 100644
return 0;
}
-@@ -3031,7 +3135,7 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -3036,7 +3140,7 @@ static int move_module(struct module *mod, struct load_info *info)
void *ptr;
/* Do the allocs. */
@@ -142263,7 +142253,7 @@ index 5f71aa6..cae0865 100644
/*
* The pointer to this block is stored in the module structure
* which is inside the block. Just mark it as not being a
-@@ -3041,11 +3145,11 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -3046,11 +3150,11 @@ static int move_module(struct module *mod, struct load_info *info)
if (!ptr)
return -ENOMEM;
@@ -142279,7 +142269,7 @@ index 5f71aa6..cae0865 100644
/*
* The pointer to this block is stored in the module structure
* which is inside the block. This block doesn't need to be
-@@ -3054,13 +3158,45 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -3059,13 +3163,45 @@ static int move_module(struct module *mod, struct load_info *info)
*/
kmemleak_ignore(ptr);
if (!ptr) {
@@ -142329,7 +142319,7 @@ index 5f71aa6..cae0865 100644
/* Transfer each section which specifies SHF_ALLOC */
pr_debug("final section addresses:\n");
-@@ -3071,16 +3207,45 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -3076,16 +3212,45 @@ static int move_module(struct module *mod, struct load_info *info)
if (!(shdr->sh_flags & SHF_ALLOC))
continue;
@@ -142382,7 +142372,7 @@ index 5f71aa6..cae0865 100644
pr_debug("\t0x%lx %s\n",
(long)shdr->sh_addr, info->secstrings + shdr->sh_name);
}
-@@ -3137,12 +3302,12 @@ static void flush_module_icache(const struct module *mod)
+@@ -3142,12 +3307,12 @@ static void flush_module_icache(const struct module *mod)
* Do it before processing of module parameters, so the module
* can provide parameter accessor functions of its own.
*/
@@ -142401,7 +142391,7 @@ index 5f71aa6..cae0865 100644
set_fs(old_fs);
}
-@@ -3200,8 +3365,10 @@ static void module_deallocate(struct module *mod, struct load_info *info)
+@@ -3205,8 +3370,10 @@ static void module_deallocate(struct module *mod, struct load_info *info)
{
percpu_modfree(mod);
module_arch_freeing_init(mod);
@@ -142414,7 +142404,7 @@ index 5f71aa6..cae0865 100644
}
int __weak module_finalize(const Elf_Ehdr *hdr,
-@@ -3214,7 +3381,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
+@@ -3219,7 +3386,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
static int post_relocation(struct module *mod, const struct load_info *info)
{
/* Sort exception table now relocations are done. */
@@ -142424,7 +142414,7 @@ index 5f71aa6..cae0865 100644
/* Copy relocated percpu area over. */
percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr,
-@@ -3262,13 +3431,15 @@ static void do_mod_ctors(struct module *mod)
+@@ -3267,13 +3436,15 @@ static void do_mod_ctors(struct module *mod)
/* For freeing module_init on success, in case kallsyms traversing */
struct mod_initfree {
struct rcu_head rcu;
@@ -142442,7 +142432,7 @@ index 5f71aa6..cae0865 100644
kfree(m);
}
-@@ -3288,7 +3459,8 @@ static noinline int do_init_module(struct module *mod)
+@@ -3293,7 +3464,8 @@ static noinline int do_init_module(struct module *mod)
ret = -ENOMEM;
goto fail;
}
@@ -142452,7 +142442,7 @@ index 5f71aa6..cae0865 100644
/*
* We want to find out whether @mod uses async during init. Clear
-@@ -3347,10 +3519,10 @@ static noinline int do_init_module(struct module *mod)
+@@ -3352,10 +3524,10 @@ static noinline int do_init_module(struct module *mod)
mod_tree_remove_init(mod);
disable_ro_nx(&mod->init_layout);
module_arch_freeing_init(mod);
@@ -142467,7 +142457,7 @@ index 5f71aa6..cae0865 100644
/*
* We want to free module_init, but be aware that kallsyms may be
* walking this with preempt disabled. In all the failure paths, we
-@@ -3550,9 +3722,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3555,9 +3727,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
if (err)
goto free_unload;
@@ -142506,7 +142496,7 @@ index 5f71aa6..cae0865 100644
/* Fix up syms, so that st_value is a pointer to location. */
err = simplify_symbols(mod, info);
if (err < 0)
-@@ -3568,13 +3769,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3573,13 +3774,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
flush_module_icache(mod);
@@ -142520,7 +142510,7 @@ index 5f71aa6..cae0865 100644
dynamic_debug_setup(info->debug, info->num_debug);
/* Ftrace init must be called in the MODULE_STATE_UNFORMED state */
-@@ -3639,11 +3833,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3644,11 +3838,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
ddebug_cleanup:
dynamic_debug_remove(info->debug);
synchronize_sched();
@@ -142533,7 +142523,7 @@ index 5f71aa6..cae0865 100644
free_unload:
module_unload_free(mod);
unlink_mod:
-@@ -3663,7 +3856,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3668,7 +3861,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
*/
ftrace_release_mod(mod);
/* Free lock-classes; relies on the preceding sync_rcu() */
@@ -142543,7 +142533,7 @@ index 5f71aa6..cae0865 100644
module_deallocate(mod, info);
free_copy:
-@@ -3751,10 +3945,16 @@ static const char *get_ksymbol(struct module *mod,
+@@ -3756,10 +3950,16 @@ static const char *get_ksymbol(struct module *mod,
struct mod_kallsyms *kallsyms = rcu_dereference_sched(mod->kallsyms);
/* At worse, next value is at end of module */
@@ -142563,7 +142553,7 @@ index 5f71aa6..cae0865 100644
/* Scan for closest preceding symbol, and next symbol. (ELF
starts real symbols at 1). */
-@@ -4007,7 +4207,7 @@ static int m_show(struct seq_file *m, void *p)
+@@ -4012,7 +4212,7 @@ static int m_show(struct seq_file *m, void *p)
return 0;
seq_printf(m, "%s %u",
@@ -142572,7 +142562,7 @@ index 5f71aa6..cae0865 100644
print_unload_info(m, mod);
/* Informative for users. */
-@@ -4016,7 +4216,7 @@ static int m_show(struct seq_file *m, void *p)
+@@ -4021,7 +4221,7 @@ static int m_show(struct seq_file *m, void *p)
mod->state == MODULE_STATE_COMING ? "Loading" :
"Live");
/* Used by oprofile and other similar tools. */
@@ -142581,7 +142571,7 @@ index 5f71aa6..cae0865 100644
/* Taints info */
if (mod->taints)
-@@ -4052,7 +4252,17 @@ static const struct file_operations proc_modules_operations = {
+@@ -4057,7 +4257,17 @@ static const struct file_operations proc_modules_operations = {
static int __init proc_modules_init(void)
{
@@ -142599,7 +142589,7 @@ index 5f71aa6..cae0865 100644
return 0;
}
module_init(proc_modules_init);
-@@ -4113,7 +4323,8 @@ struct module *__module_address(unsigned long addr)
+@@ -4118,7 +4328,8 @@ struct module *__module_address(unsigned long addr)
{
struct module *mod;
@@ -142609,7 +142599,7 @@ index 5f71aa6..cae0865 100644
return NULL;
module_assert_mutex_or_preempt();
-@@ -4156,11 +4367,21 @@ bool is_module_text_address(unsigned long addr)
+@@ -4161,11 +4372,21 @@ bool is_module_text_address(unsigned long addr)
*/
struct module *__module_text_address(unsigned long addr)
{
@@ -147557,7 +147547,7 @@ index 22f4cd9..402f316 100644
depends on !KMEMCHECK
select PAGE_EXTENSION
diff --git a/mm/backing-dev.c b/mm/backing-dev.c
-index ed173b8..df5f896 100644
+index 9269911..f53557a 100644
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -12,7 +12,7 @@
@@ -147569,7 +147559,7 @@ index ed173b8..df5f896 100644
struct backing_dev_info noop_backing_dev_info = {
.name = "noop",
-@@ -879,7 +879,7 @@ int bdi_setup_and_register(struct backing_dev_info *bdi, char *name)
+@@ -898,7 +898,7 @@ int bdi_setup_and_register(struct backing_dev_info *bdi, char *name)
return err;
err = bdi_register(bdi, NULL, "%.28s-%ld", name,
@@ -147718,7 +147708,7 @@ index 50b4ca6..cf64608 100644
pkmap_count[last_pkmap_nr] = 1;
set_page_address(page, (void *)vaddr);
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index addfe4ac..bc76631 100644
+index d9ec1a5..70615e1 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -38,7 +38,72 @@ int hugepages_treat_as_movable;
@@ -147795,7 +147785,7 @@ index addfe4ac..bc76631 100644
/*
* Minimum page order among possible hugepage sizes, set to a proper value
* at boot time.
-@@ -2800,6 +2865,7 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
+@@ -2804,6 +2869,7 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
struct ctl_table *table, int write,
void __user *buffer, size_t *length, loff_t *ppos)
{
@@ -147803,7 +147793,7 @@ index addfe4ac..bc76631 100644
struct hstate *h = &default_hstate;
unsigned long tmp = h->max_huge_pages;
int ret;
-@@ -2807,9 +2873,10 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
+@@ -2811,9 +2877,10 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
if (!hugepages_supported())
return -EOPNOTSUPP;
@@ -147817,7 +147807,7 @@ index addfe4ac..bc76631 100644
if (ret)
goto out;
-@@ -2844,6 +2911,7 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
+@@ -2848,6 +2915,7 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
struct hstate *h = &default_hstate;
unsigned long tmp;
int ret;
@@ -147825,7 +147815,7 @@ index addfe4ac..bc76631 100644
if (!hugepages_supported())
return -EOPNOTSUPP;
-@@ -2853,9 +2921,10 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
+@@ -2857,9 +2925,10 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
if (write && hstate_is_gigantic(h))
return -EINVAL;
@@ -147839,7 +147829,7 @@ index addfe4ac..bc76631 100644
if (ret)
goto out;
-@@ -3361,6 +3430,27 @@ static void unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3365,6 +3434,27 @@ static void unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
i_mmap_unlock_write(mapping);
}
@@ -147867,7 +147857,7 @@ index addfe4ac..bc76631 100644
/*
* Hugetlb_cow() should be called with page lock of the original hugepage held.
* Called with hugetlb_instantiation_mutex held and pte_page locked so we
-@@ -3474,6 +3564,11 @@ retry_avoidcopy:
+@@ -3478,6 +3568,11 @@ retry_avoidcopy:
make_huge_pte(vma, new_page, 1));
page_remove_rmap(old_page, true);
hugepage_add_new_anon_rmap(new_page, vma, address);
@@ -147879,7 +147869,7 @@ index addfe4ac..bc76631 100644
/* Make the old page be freed below */
new_page = old_page;
}
-@@ -3647,6 +3742,10 @@ retry:
+@@ -3651,6 +3746,10 @@ retry:
&& (vma->vm_flags & VM_SHARED)));
set_huge_pte_at(mm, address, ptep, new_pte);
@@ -147890,7 +147880,7 @@ index addfe4ac..bc76631 100644
hugetlb_count_add(pages_per_huge_page(h), mm);
if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
/* Optimization, do the COW without a second fault */
-@@ -3715,6 +3814,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3719,6 +3818,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
struct address_space *mapping;
int need_wait_lock = 0;
@@ -147901,7 +147891,7 @@ index addfe4ac..bc76631 100644
address &= huge_page_mask(h);
ptep = huge_pte_offset(mm, address);
-@@ -3732,6 +3835,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3736,6 +3839,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
return VM_FAULT_OOM;
}
@@ -153892,7 +153882,7 @@ index eb4f5f2..2cc4c50 100644
if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
rfc.mode != chan->mode)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
-index 388ee8b..9edb2bc 100644
+index 1842141..1562f36 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -633,7 +633,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
@@ -185457,10 +185447,10 @@ index 0000000..00c7430
+}
diff --git a/scripts/gcc-plugins/size_overflow_plugin/size_overflow_hash.data b/scripts/gcc-plugins/size_overflow_plugin/size_overflow_hash.data
new file mode 100644
-index 0000000..d64cc64
+index 0000000..9d7e744
--- /dev/null
+++ b/scripts/gcc-plugins/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,22254 @@
+@@ -0,0 +1,22256 @@
+enable_so_recv_ctrl_pipe_us_data_0 recv_ctrl_pipe us_data 0 0 NULL
+enable_so___earlyonly_bootmem_alloc_fndecl_3 __earlyonly_bootmem_alloc fndecl 2-3-4 3 NULL
+enable_so_v9fs_xattr_get_acl_fndecl_4 v9fs_xattr_get_acl fndecl 5 4 NULL
@@ -198490,7 +198480,8 @@ index 0000000..d64cc64
+enable_so__osd_req_cdb_len_fndecl_38259 _osd_req_cdb_len fndecl 0 38259 NULL
+enable_so_security_set_fndecl_38262 security_set fndecl 5 38262 NULL
+enable_so_i2c2_debugfs_read_fndecl_38270 i2c2_debugfs_read fndecl 3 38270 NULL
-+enable_so_prepare_header100_fndecl_38275 prepare_header100 fndecl 3-0 38275 NULL
++enable_so_prepare_header100_fndecl_38275 prepare_header100 fndecl 3-0 38275 NULL nohasharray
++enable_so_max_read_sge_ib_qp_38275 max_read_sge ib_qp 0 38275 &enable_so_prepare_header100_fndecl_38275
+enable_so_min_pnp_port_38276 min pnp_port 0 38276 NULL
+enable_so_numpmkid_host_if_pmkid_attr_38277 numpmkid host_if_pmkid_attr 0 38277 NULL nohasharray
+enable_so_irnet_connect_confirm_fndecl_38277 irnet_connect_confirm fndecl 5 38277 &enable_so_numpmkid_host_if_pmkid_attr_38277
@@ -202841,6 +202832,7 @@ index 0000000..d64cc64
+enable_so_new_read_fndecl_51123 new_read fndecl 2 51123 NULL
+enable_so_adau1373_set_pll_fndecl_51130 adau1373_set_pll fndecl 4-5 51130 NULL
+enable_so_igb_pci_enable_sriov_fndecl_51131 igb_pci_enable_sriov fndecl 2 51131 NULL
++enable_so_max_write_sge_ib_qp_51132 max_write_sge ib_qp 0 51132 NULL
+enable_so_wqe_cnt_mlx4_ib_wq_51135 wqe_cnt mlx4_ib_wq 0 51135 NULL
+enable_so_cachelsz_ath_common_51138 cachelsz ath_common 0 51138 NULL
+enable_so_length_sky2_status_le_51139 length sky2_status_le 0 51139 NULL
@@ -216037,7 +216029,7 @@ index 0a578fe..b81f62d 100644
})
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 48bd520..88f2088 100644
+index dd25346..cf22106 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -93,12 +93,17 @@ LIST_HEAD(vm_list);
@@ -216060,7 +216052,7 @@ index 48bd520..88f2088 100644
struct dentry *kvm_debugfs_dir;
EXPORT_SYMBOL_GPL(kvm_debugfs_dir);
-@@ -902,7 +907,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
+@@ -904,7 +909,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
/* We can read the guest memory with __xxx_user() later on. */
if ((id < KVM_USER_MEM_SLOTS) &&
((mem->userspace_addr & (PAGE_SIZE - 1)) ||
@@ -216069,7 +216061,7 @@ index 48bd520..88f2088 100644
(void __user *)(unsigned long)mem->userspace_addr,
mem->memory_size)))
goto out;
-@@ -1964,9 +1969,17 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_cached);
+@@ -1966,9 +1971,17 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_cached);
int kvm_clear_guest_page(struct kvm *kvm, gfn_t gfn, int offset, int len)
{
@@ -216089,7 +216081,7 @@ index 48bd520..88f2088 100644
}
EXPORT_SYMBOL_GPL(kvm_clear_guest_page);
-@@ -2317,7 +2330,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp)
+@@ -2319,7 +2332,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp)
return 0;
}
@@ -216098,7 +216090,7 @@ index 48bd520..88f2088 100644
.release = kvm_vcpu_release,
.unlocked_ioctl = kvm_vcpu_ioctl,
#ifdef CONFIG_KVM_COMPAT
-@@ -3035,7 +3048,7 @@ out:
+@@ -3037,7 +3050,7 @@ out:
}
#endif
@@ -216107,7 +216099,7 @@ index 48bd520..88f2088 100644
.release = kvm_vm_release,
.unlocked_ioctl = kvm_vm_ioctl,
#ifdef CONFIG_KVM_COMPAT
-@@ -3113,7 +3126,7 @@ out:
+@@ -3115,7 +3128,7 @@ out:
return r;
}
@@ -216116,7 +216108,7 @@ index 48bd520..88f2088 100644
.unlocked_ioctl = kvm_dev_ioctl,
.compat_ioctl = kvm_dev_ioctl,
.llseek = noop_llseek,
-@@ -3139,7 +3152,7 @@ static void hardware_enable_nolock(void *junk)
+@@ -3141,7 +3154,7 @@ static void hardware_enable_nolock(void *junk)
if (r) {
cpumask_clear_cpu(cpu, cpus_hardware_enabled);
@@ -216125,7 +216117,7 @@ index 48bd520..88f2088 100644
pr_info("kvm: enabling virtualization on CPU%d failed\n", cpu);
}
}
-@@ -3194,10 +3207,10 @@ static int hardware_enable_all(void)
+@@ -3196,10 +3209,10 @@ static int hardware_enable_all(void)
kvm_usage_count++;
if (kvm_usage_count == 1) {
@@ -216138,7 +216130,7 @@ index 48bd520..88f2088 100644
hardware_disable_all_nolock();
r = -EBUSY;
}
-@@ -3752,7 +3765,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -3754,7 +3767,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
if (!vcpu_align)
vcpu_align = __alignof__(struct kvm_vcpu);
kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
@@ -216147,7 +216139,7 @@ index 48bd520..88f2088 100644
if (!kvm_vcpu_cache) {
r = -ENOMEM;
goto out_free_3;
-@@ -3762,9 +3775,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -3764,9 +3777,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
if (r)
goto out_free;
@@ -216159,7 +216151,7 @@ index 48bd520..88f2088 100644
r = misc_register(&kvm_dev);
if (r) {
-@@ -3774,9 +3789,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -3776,9 +3791,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
register_syscore_ops(&kvm_syscore_ops);
diff --git a/4.7.1/4425_grsec_remove_EI_PAX.patch b/4.7.2/4425_grsec_remove_EI_PAX.patch
index ba92792..ba92792 100644
--- a/4.7.1/4425_grsec_remove_EI_PAX.patch
+++ b/4.7.2/4425_grsec_remove_EI_PAX.patch
diff --git a/4.7.1/4427_force_XATTR_PAX_tmpfs.patch b/4.7.2/4427_force_XATTR_PAX_tmpfs.patch
index b4714fc..b4714fc 100644
--- a/4.7.1/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.7.2/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.7.1/4430_grsec-remove-localversion-grsec.patch b/4.7.2/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.7.1/4430_grsec-remove-localversion-grsec.patch
+++ b/4.7.2/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.7.1/4435_grsec-mute-warnings.patch b/4.7.2/4435_grsec-mute-warnings.patch
index 8929222..8929222 100644
--- a/4.7.1/4435_grsec-mute-warnings.patch
+++ b/4.7.2/4435_grsec-mute-warnings.patch
diff --git a/4.7.1/4440_grsec-remove-protected-paths.patch b/4.7.2/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.7.1/4440_grsec-remove-protected-paths.patch
+++ b/4.7.2/4440_grsec-remove-protected-paths.patch
diff --git a/4.7.1/4450_grsec-kconfig-default-gids.patch b/4.7.2/4450_grsec-kconfig-default-gids.patch
index e892c8a..e892c8a 100644
--- a/4.7.1/4450_grsec-kconfig-default-gids.patch
+++ b/4.7.2/4450_grsec-kconfig-default-gids.patch
diff --git a/4.7.1/4465_selinux-avc_audit-log-curr_ip.patch b/4.7.2/4465_selinux-avc_audit-log-curr_ip.patch
index 7248385..7248385 100644
--- a/4.7.1/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.7.2/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.7.1/4470_disable-compat_vdso.patch b/4.7.2/4470_disable-compat_vdso.patch
index 0f82d7e..0f82d7e 100644
--- a/4.7.1/4470_disable-compat_vdso.patch
+++ b/4.7.2/4470_disable-compat_vdso.patch
diff --git a/4.7.1/4475_emutramp_default_on.patch b/4.7.2/4475_emutramp_default_on.patch
index 2db58ab..2db58ab 100644
--- a/4.7.1/4475_emutramp_default_on.patch
+++ b/4.7.2/4475_emutramp_default_on.patch