diff options
| author |   Mike Pagano <mpagano@gentoo.org> | 2019-09-21 11:56:25 -0400 |
|---|---|---|
| committer | Mike Pagano <mpagano@gentoo.org> | 2019-09-21 11:56:25 -0400 |
| commit | 49e769a53303da6d649610b2d4e1c4690776ef65 (patch) | |
| tree | f97ca23cf44593cabfd6fd08b4801edffa808c16 | |
| parent | Add FILE_LOCKING to GENTOO_LINUX config. See bug #694688. (diff) | |
| download | linux-patches-49e769a53303da6d649610b2d4e1c4690776ef65.tar.gz linux-patches-49e769a53303da6d649610b2d4e1c4690776ef65.tar.bz2 linux-patches-49e769a53303da6d649610b2d4e1c4690776ef65.zip | |
Linux patch 4.4.1944.4-195
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1193_linux-4.4.194.patch | 1406 |
2 files changed, 1410 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 7541a4ee..ba810058 100644 --- a/0000_README +++ b/0000_README @@ -815,6 +815,10 @@ Patch: 1192_linux-4.4.193.patch From: http://www.kernel.org Desc: Linux 4.4.193 +Patch: 1193_linux-4.4.194.patch +From: http://www.kernel.org +Desc: Linux 4.4.194 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1193_linux-4.4.194.patch b/1193_linux-4.4.194.patch new file mode 100644 index 00000000..e6d98d15 --- /dev/null +++ b/1193_linux-4.4.194.patch @@ -0,0 +1,1406 @@ +diff --git a/Makefile b/Makefile +index 34d2be9c8459..bea8f3f591c4 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 193 ++SUBLEVEL = 194 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arc/configs/axs101_defconfig b/arch/arc/configs/axs101_defconfig +index 3023f91c77c2..9843e52bbb13 100644 +--- a/arch/arc/configs/axs101_defconfig ++++ b/arch/arc/configs/axs101_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs/" + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y + # CONFIG_VM_EVENT_COUNTERS is not set +diff --git a/arch/arc/configs/axs103_defconfig b/arch/arc/configs/axs103_defconfig +index f18107185f53..27c6cb573686 100644 +--- a/arch/arc/configs/axs103_defconfig ++++ b/arch/arc/configs/axs103_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/" + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y + # CONFIG_VM_EVENT_COUNTERS is not set +diff --git a/arch/arc/configs/axs103_smp_defconfig b/arch/arc/configs/axs103_smp_defconfig +index 6e1dd8521d2a..72f34534983f 100644 +--- a/arch/arc/configs/axs103_smp_defconfig ++++ b/arch/arc/configs/axs103_smp_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/" + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y + # CONFIG_VM_EVENT_COUNTERS is not set +diff --git a/arch/arc/configs/nsim_700_defconfig b/arch/arc/configs/nsim_700_defconfig +index 86e5a62556a8..c93370cc840a 100644 +--- a/arch/arc/configs/nsim_700_defconfig ++++ b/arch/arc/configs/nsim_700_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + # CONFIG_SLUB_DEBUG is not set +diff --git a/arch/arc/configs/nsim_hs_defconfig b/arch/arc/configs/nsim_hs_defconfig +index f68838e8068a..27c73028b798 100644 +--- a/arch/arc/configs/nsim_hs_defconfig ++++ b/arch/arc/configs/nsim_hs_defconfig +@@ -12,7 +12,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + # CONFIG_SLUB_DEBUG is not set +diff --git a/arch/arc/configs/nsim_hs_smp_defconfig b/arch/arc/configs/nsim_hs_smp_defconfig +index 96bd1c20fb0b..c3605874487b 100644 +--- a/arch/arc/configs/nsim_hs_smp_defconfig ++++ b/arch/arc/configs/nsim_hs_smp_defconfig +@@ -9,7 +9,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + # CONFIG_SLUB_DEBUG is not set +diff --git a/arch/arc/configs/nsimosci_defconfig b/arch/arc/configs/nsimosci_defconfig +index a4d7b919224a..b7dbb20cd28b 100644 +--- a/arch/arc/configs/nsimosci_defconfig ++++ b/arch/arc/configs/nsimosci_defconfig +@@ -12,7 +12,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + # CONFIG_SLUB_DEBUG is not set +diff --git a/arch/arc/configs/nsimosci_hs_defconfig b/arch/arc/configs/nsimosci_hs_defconfig +index b3fb49c8bd14..ce22594bb0c7 100644 +--- a/arch/arc/configs/nsimosci_hs_defconfig ++++ b/arch/arc/configs/nsimosci_hs_defconfig +@@ -12,7 +12,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + # CONFIG_SLUB_DEBUG is not set +diff --git a/arch/arc/configs/nsimosci_hs_smp_defconfig b/arch/arc/configs/nsimosci_hs_smp_defconfig +index 710c167bbdd8..f9e5aef7e04e 100644 +--- a/arch/arc/configs/nsimosci_hs_smp_defconfig ++++ b/arch/arc/configs/nsimosci_hs_smp_defconfig +@@ -9,7 +9,6 @@ CONFIG_IKCONFIG_PROC=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/" + # CONFIG_COMPAT_BRK is not set + CONFIG_KPROBES=y + CONFIG_MODULES=y +diff --git a/arch/arc/kernel/traps.c b/arch/arc/kernel/traps.c +index 2fb0cd39a31c..cd6e3615e3d1 100644 +--- a/arch/arc/kernel/traps.c ++++ b/arch/arc/kernel/traps.c +@@ -163,3 +163,4 @@ void abort(void) + { + __asm__ __volatile__("trap_s 5\n"); + } ++EXPORT_SYMBOL(abort); +diff --git a/arch/arm/mach-omap2/omap4-common.c b/arch/arm/mach-omap2/omap4-common.c +index 949696b6f17b..511fd08c784b 100644 +--- a/arch/arm/mach-omap2/omap4-common.c ++++ b/arch/arm/mach-omap2/omap4-common.c +@@ -131,6 +131,9 @@ static int __init omap4_sram_init(void) + struct device_node *np; + struct gen_pool *sram_pool; + ++ if (!soc_is_omap44xx() && !soc_is_omap54xx()) ++ return 0; ++ + np = of_find_compatible_node(NULL, NULL, "ti,omap4-mpu"); + if (!np) + pr_warn("%s:Unable to allocate sram needed to handle errata I688\n", +diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c +index a9f6705aea23..731b7e64715b 100644 +--- a/arch/arm/mm/init.c ++++ b/arch/arm/mm/init.c +@@ -691,7 +691,8 @@ static void update_sections_early(struct section_perm perms[], int n) + if (t->flags & PF_KTHREAD) + continue; + for_each_thread(t, s) +- set_section_perms(perms, n, true, s->mm); ++ if (s->mm) ++ set_section_perms(perms, n, true, s->mm); + } + read_unlock(&tasklist_lock); + set_section_perms(perms, n, true, current->active_mm); +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig +index 687a3eb8d4d9..422624ca0132 100644 +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -761,7 +761,6 @@ config SIBYTE_SWARM + select SYS_SUPPORTS_HIGHMEM + select SYS_SUPPORTS_LITTLE_ENDIAN + select ZONE_DMA32 if 64BIT +- select SWIOTLB if ARCH_DMA_ADDR_T_64BIT && PCI + + config SIBYTE_LITTLESUR + bool "Sibyte BCM91250C2-LittleSur" +@@ -784,7 +783,6 @@ config SIBYTE_SENTOSA + select SYS_HAS_CPU_SB1 + select SYS_SUPPORTS_BIG_ENDIAN + select SYS_SUPPORTS_LITTLE_ENDIAN +- select SWIOTLB if ARCH_DMA_ADDR_T_64BIT && PCI + + config SIBYTE_BIGSUR + bool "Sibyte BCM91480B-BigSur" +@@ -798,7 +796,6 @@ config SIBYTE_BIGSUR + select SYS_SUPPORTS_HIGHMEM + select SYS_SUPPORTS_LITTLE_ENDIAN + select ZONE_DMA32 if 64BIT +- select SWIOTLB if ARCH_DMA_ADDR_T_64BIT && PCI + + config SNI_RM + bool "SNI RM200/300/400" +diff --git a/arch/mips/include/asm/netlogic/xlr/fmn.h b/arch/mips/include/asm/netlogic/xlr/fmn.h +index 5604db3d1836..d79c68fa78d9 100644 +--- a/arch/mips/include/asm/netlogic/xlr/fmn.h ++++ b/arch/mips/include/asm/netlogic/xlr/fmn.h +@@ -301,8 +301,6 @@ static inline int nlm_fmn_send(unsigned int size, unsigned int code, + for (i = 0; i < 8; i++) { + nlm_msgsnd(dest); + status = nlm_read_c2_status0(); +- if ((status & 0x2) == 1) +- pr_info("Send pending fail!\n"); + if ((status & 0x4) == 0) + return 0; + } +diff --git a/arch/mips/include/asm/smp.h b/arch/mips/include/asm/smp.h +index 03722d4326a1..82852dfd8dab 100644 +--- a/arch/mips/include/asm/smp.h ++++ b/arch/mips/include/asm/smp.h +@@ -25,7 +25,17 @@ extern cpumask_t cpu_sibling_map[]; + extern cpumask_t cpu_core_map[]; + extern cpumask_t cpu_foreign_map; + +-#define raw_smp_processor_id() (current_thread_info()->cpu) ++static inline int raw_smp_processor_id(void) ++{ ++#if defined(__VDSO__) ++ extern int vdso_smp_processor_id(void) ++ __compiletime_error("VDSO should not call smp_processor_id()"); ++ return vdso_smp_processor_id(); ++#else ++ return current_thread_info()->cpu; ++#endif ++} ++#define raw_smp_processor_id raw_smp_processor_id + + /* Map from cpu id to sequential logical cpu number. This will only + not be idempotent when cpus failed to come on-line. */ +diff --git a/arch/mips/sibyte/common/Makefile b/arch/mips/sibyte/common/Makefile +index 3ef3fb658136..b3d6bf23a662 100644 +--- a/arch/mips/sibyte/common/Makefile ++++ b/arch/mips/sibyte/common/Makefile +@@ -1,5 +1,4 @@ + obj-y := cfe.o +-obj-$(CONFIG_SWIOTLB) += dma.o + obj-$(CONFIG_SIBYTE_BUS_WATCHER) += bus_watcher.o + obj-$(CONFIG_SIBYTE_CFE_CONSOLE) += cfe_console.o + obj-$(CONFIG_SIBYTE_TBPROF) += sb_tbprof.o +diff --git a/arch/mips/sibyte/common/dma.c b/arch/mips/sibyte/common/dma.c +deleted file mode 100644 +index eb47a94f3583..000000000000 +--- a/arch/mips/sibyte/common/dma.c ++++ /dev/null +@@ -1,14 +0,0 @@ +-// SPDX-License-Identifier: GPL-2.0+ +-/* +- * DMA support for Broadcom SiByte platforms. +- * +- * Copyright (c) 2018 Maciej W. Rozycki +- */ +- +-#include <linux/swiotlb.h> +-#include <asm/bootinfo.h> +- +-void __init plat_swiotlb_setup(void) +-{ +- swiotlb_init(1); +-} +diff --git a/arch/mips/vdso/Makefile b/arch/mips/vdso/Makefile +index 886005b1e87d..dfd082eb86f8 100644 +--- a/arch/mips/vdso/Makefile ++++ b/arch/mips/vdso/Makefile +@@ -6,7 +6,9 @@ ccflags-vdso := \ + $(filter -I%,$(KBUILD_CFLAGS)) \ + $(filter -E%,$(KBUILD_CFLAGS)) \ + $(filter -mmicromips,$(KBUILD_CFLAGS)) \ +- $(filter -march=%,$(KBUILD_CFLAGS)) ++ $(filter -march=%,$(KBUILD_CFLAGS)) \ ++ $(filter -m%-float,$(KBUILD_CFLAGS)) \ ++ -D__VDSO__ + cflags-vdso := $(ccflags-vdso) \ + $(filter -W%,$(filter-out -Wa$(comma)%,$(KBUILD_CFLAGS))) \ + -O2 -g -fPIC -fno-strict-aliasing -fno-common -fno-builtin -G 0 \ +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index 6a75352f453c..950b0c00a092 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1487,6 +1487,16 @@ int s390int_to_s390irq(struct kvm_s390_interrupt *s390int, + case KVM_S390_MCHK: + irq->u.mchk.mcic = s390int->parm64; + break; ++ case KVM_S390_INT_PFAULT_INIT: ++ irq->u.ext.ext_params = s390int->parm; ++ irq->u.ext.ext_params2 = s390int->parm64; ++ break; ++ case KVM_S390_RESTART: ++ case KVM_S390_INT_CLOCK_COMP: ++ case KVM_S390_INT_CPU_TIMER: ++ break; ++ default: ++ return -EINVAL; + } + return 0; + } +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index 23911ecfbad6..14d2ca9c779e 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -2541,7 +2541,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + } + case KVM_S390_INTERRUPT: { + struct kvm_s390_interrupt s390int; +- struct kvm_s390_irq s390irq; ++ struct kvm_s390_irq s390irq = {}; + + r = -EFAULT; + if (copy_from_user(&s390int, argp, sizeof(s390int))) +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index 727693e283da..bcf409997d6d 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -886,7 +886,7 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + break; + case BPF_ALU64 | BPF_NEG: /* dst = -dst */ + /* lcgr %dst,%dst */ +- EMIT4(0xb9130000, dst_reg, dst_reg); ++ EMIT4(0xb9030000, dst_reg, dst_reg); + break; + /* + * BPF_FROM_BE/LE +@@ -1067,8 +1067,8 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + /* llgf %w1,map.max_entries(%b2) */ + EMIT6_DISP_LH(0xe3000000, 0x0016, REG_W1, REG_0, BPF_REG_2, + offsetof(struct bpf_array, map.max_entries)); +- /* clgrj %b3,%w1,0xa,label0: if %b3 >= %w1 goto out */ +- EMIT6_PCREL_LABEL(0xec000000, 0x0065, BPF_REG_3, ++ /* clrj %b3,%w1,0xa,label0: if (u32)%b3 >= (u32)%w1 goto out */ ++ EMIT6_PCREL_LABEL(0xec000000, 0x0077, BPF_REG_3, + REG_W1, 0, 0xa); + + /* +@@ -1094,8 +1094,10 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + * goto out; + */ + +- /* sllg %r1,%b3,3: %r1 = index * 8 */ +- EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, BPF_REG_3, REG_0, 3); ++ /* llgfr %r1,%b3: %r1 = (u32) index */ ++ EMIT4(0xb9160000, REG_1, BPF_REG_3); ++ /* sllg %r1,%r1,3: %r1 *= 8 */ ++ EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, REG_1, REG_0, 3); + /* lg %r1,prog(%b2,%r1) */ + EMIT6_DISP_LH(0xe3000000, 0x0004, REG_1, BPF_REG_2, + REG_1, offsetof(struct bpf_array, ptrs)); +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index 00e0226634fa..8b4d022ce0cb 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -38,6 +38,7 @@ REALMODE_CFLAGS := $(M16_CFLAGS) -g -Os -D__KERNEL__ \ + + REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -ffreestanding) + REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -fno-stack-protector) ++REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -Wno-address-of-packed-member) + REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), $(cc_stack_align4)) + export REALMODE_CFLAGS + +diff --git a/arch/x86/include/asm/bootparam_utils.h b/arch/x86/include/asm/bootparam_utils.h +index 0232b5a2a2d9..588d8fbd1e6d 100644 +--- a/arch/x86/include/asm/bootparam_utils.h ++++ b/arch/x86/include/asm/bootparam_utils.h +@@ -71,6 +71,7 @@ static void sanitize_boot_params(struct boot_params *boot_params) + BOOT_PARAM_PRESERVE(edd_mbr_sig_buf_entries), + BOOT_PARAM_PRESERVE(edd_mbr_sig_buffer), + BOOT_PARAM_PRESERVE(hdr), ++ BOOT_PARAM_PRESERVE(e820_map), + BOOT_PARAM_PRESERVE(eddbuf), + }; + +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c +index fd945099fc95..4d5e8ff3b5e5 100644 +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -2344,7 +2344,13 @@ unsigned int arch_dynirq_lower_bound(unsigned int from) + * dmar_alloc_hwirq() may be called before setup_IO_APIC(), so use + * gsi_top if ioapic_dynirq_base hasn't been initialized yet. + */ +- return ioapic_initialized ? ioapic_dynirq_base : gsi_top; ++ if (!ioapic_initialized) ++ return gsi_top; ++ /* ++ * For DT enabled machines ioapic_dynirq_base is irrelevant and not ++ * updated. So simply return @from if ioapic_dynirq_base == 0. ++ */ ++ return ioapic_dynirq_base ? : from; + } + + #ifdef CONFIG_X86_32 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 098be61a6b4c..343c8ddad86a 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7247,6 +7247,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu) + unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION); + u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO); + gva_t gva = 0; ++ struct x86_exception e; + + if (!nested_vmx_check_permission(vcpu) || + !nested_vmx_check_vmcs12(vcpu)) +@@ -7273,8 +7274,10 @@ static int handle_vmread(struct kvm_vcpu *vcpu) + vmx_instruction_info, true, &gva)) + return 1; + /* _system ok, as nested_vmx_check_permission verified cpl=0 */ +- kvm_write_guest_virt_system(vcpu, gva, &field_value, +- (is_long_mode(vcpu) ? 8 : 4), NULL); ++ if (kvm_write_guest_virt_system(vcpu, gva, &field_value, ++ (is_long_mode(vcpu) ? 8 : 4), ++ NULL)) ++ kvm_inject_page_fault(vcpu, &e); + } + + nested_vmx_succeed(vcpu); +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 9f70de2ca0e2..74674a6e4827 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4337,6 +4337,13 @@ static int emulator_write_std(struct x86_emulate_ctxt *ctxt, gva_t addr, void *v + if (!system && kvm_x86_ops->get_cpl(vcpu) == 3) + access |= PFERR_USER_MASK; + ++ /* ++ * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED ++ * is returned, but our callers are not ready for that and they blindly ++ * call kvm_inject_page_fault. Ensure that they at least do not leak ++ * uninitialized kernel stack memory into cr2 and error code. ++ */ ++ memset(exception, 0, sizeof(*exception)); + return kvm_write_guest_virt_helper(addr, val, bytes, vcpu, + access, exception); + } +diff --git a/drivers/atm/Kconfig b/drivers/atm/Kconfig +index 31c60101a69a..7fa840170151 100644 +--- a/drivers/atm/Kconfig ++++ b/drivers/atm/Kconfig +@@ -199,7 +199,7 @@ config ATM_NICSTAR_USE_SUNI + make the card work). + + config ATM_NICSTAR_USE_IDT77105 +- bool "Use IDT77015 PHY driver (25Mbps)" ++ bool "Use IDT77105 PHY driver (25Mbps)" + depends on ATM_NICSTAR + help + Support for the PHYsical layer chip in ForeRunner LE25 cards. In +diff --git a/drivers/base/core.c b/drivers/base/core.c +index cb5718d2669e..af948fedd232 100644 +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -857,12 +857,63 @@ static inline struct kobject *get_glue_dir(struct device *dev) + */ + static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir) + { ++ unsigned int ref; ++ + /* see if we live in a "glue" directory */ + if (!live_in_glue_dir(glue_dir, dev)) + return; + + mutex_lock(&gdp_mutex); +- if (!kobject_has_children(glue_dir)) ++ /** ++ * There is a race condition between removing glue directory ++ * and adding a new device under the glue directory. ++ * ++ * CPU1: CPU2: ++ * ++ * device_add() ++ * get_device_parent() ++ * class_dir_create_and_add() ++ * kobject_add_internal() ++ * create_dir() // create glue_dir ++ * ++ * device_add() ++ * get_device_parent() ++ * kobject_get() // get glue_dir ++ * ++ * device_del() ++ * cleanup_glue_dir() ++ * kobject_del(glue_dir) ++ * ++ * kobject_add() ++ * kobject_add_internal() ++ * create_dir() // in glue_dir ++ * sysfs_create_dir_ns() ++ * kernfs_create_dir_ns(sd) ++ * ++ * sysfs_remove_dir() // glue_dir->sd=NULL ++ * sysfs_put() // free glue_dir->sd ++ * ++ * // sd is freed ++ * kernfs_new_node(sd) ++ * kernfs_get(glue_dir) ++ * kernfs_add_one() ++ * kernfs_put() ++ * ++ * Before CPU1 remove last child device under glue dir, if CPU2 add ++ * a new device under glue dir, the glue_dir kobject reference count ++ * will be increase to 2 in kobject_get(k). And CPU2 has been called ++ * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir() ++ * and sysfs_put(). This result in glue_dir->sd is freed. ++ * ++ * Then the CPU2 will see a stale "empty" but still potentially used ++ * glue dir around in kernfs_new_node(). ++ * ++ * In order to avoid this happening, we also should make sure that ++ * kernfs_node for glue_dir is released in CPU1 only when refcount ++ * for glue_dir kobj is 1. ++ */ ++ ref = atomic_read(&glue_dir->kref.refcount); ++ if (!kobject_has_children(glue_dir) && !--ref) + kobject_del(glue_dir); + kobject_put(glue_dir); + mutex_unlock(&gdp_mutex); +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index a04810837234..a12a163c6e6d 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3784,7 +3784,7 @@ static int compat_getdrvprm(int drive, + v.native_format = UDP->native_format; + mutex_unlock(&floppy_mutex); + +- if (copy_from_user(arg, &v, sizeof(struct compat_floppy_drive_params))) ++ if (copy_to_user(arg, &v, sizeof(struct compat_floppy_drive_params))) + return -EFAULT; + return 0; + } +@@ -3820,7 +3820,7 @@ static int compat_getdrvstat(int drive, bool poll, + v.bufblocks = UDRS->bufblocks; + mutex_unlock(&floppy_mutex); + +- if (copy_from_user(arg, &v, sizeof(struct compat_floppy_drive_struct))) ++ if (copy_to_user(arg, &v, sizeof(struct compat_floppy_drive_struct))) + return -EFAULT; + return 0; + Eintr: +diff --git a/drivers/clk/rockchip/clk-mmc-phase.c b/drivers/clk/rockchip/clk-mmc-phase.c +index b840e4ace623..2b289581d570 100644 +--- a/drivers/clk/rockchip/clk-mmc-phase.c ++++ b/drivers/clk/rockchip/clk-mmc-phase.c +@@ -61,10 +61,8 @@ static int rockchip_mmc_get_phase(struct clk_hw *hw) + u32 delay_num = 0; + + /* See the comment for rockchip_mmc_set_phase below */ +- if (!rate) { +- pr_err("%s: invalid clk rate\n", __func__); ++ if (!rate) + return -EINVAL; +- } + + raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift); + +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index a000c2667392..014745271bb4 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -1426,6 +1426,18 @@ static void unmap_sg_talitos_ptr(struct device *dev, struct scatterlist *src, + } + } + ++static int ablkcipher_aes_setkey(struct crypto_ablkcipher *cipher, ++ const u8 *key, unsigned int keylen) ++{ ++ if (keylen == AES_KEYSIZE_128 || keylen == AES_KEYSIZE_192 || ++ keylen == AES_KEYSIZE_256) ++ return ablkcipher_setkey(cipher, key, keylen); ++ ++ crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_KEY_LEN); ++ ++ return -EINVAL; ++} ++ + static void common_nonsnoop_unmap(struct device *dev, + struct talitos_edesc *edesc, + struct ablkcipher_request *areq) +@@ -1629,6 +1641,14 @@ static int ablkcipher_encrypt(struct ablkcipher_request *areq) + struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq); + struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher); + struct talitos_edesc *edesc; ++ unsigned int blocksize = ++ crypto_tfm_alg_blocksize(crypto_ablkcipher_tfm(cipher)); ++ ++ if (!areq->nbytes) ++ return 0; ++ ++ if (areq->nbytes % blocksize) ++ return -EINVAL; + + /* allocate extended descriptor */ + edesc = ablkcipher_edesc_alloc(areq, true); +@@ -1646,6 +1666,14 @@ static int ablkcipher_decrypt(struct ablkcipher_request *areq) + struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq); + struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher); + struct talitos_edesc *edesc; ++ unsigned int blocksize = ++ crypto_tfm_alg_blocksize(crypto_ablkcipher_tfm(cipher)); ++ ++ if (!areq->nbytes) ++ return 0; ++ ++ if (areq->nbytes % blocksize) ++ return -EINVAL; + + /* allocate extended descriptor */ + edesc = ablkcipher_edesc_alloc(areq, false); +@@ -2379,6 +2407,7 @@ static struct talitos_alg_template driver_algs[] = { + .min_keysize = AES_MIN_KEY_SIZE, + .max_keysize = AES_MAX_KEY_SIZE, + .ivsize = AES_BLOCK_SIZE, ++ .setkey = ablkcipher_aes_setkey, + } + }, + .desc_hdr_template = DESC_HDR_TYPE_COMMON_NONSNOOP_NO_AFEU | +diff --git a/drivers/dma/omap-dma.c b/drivers/dma/omap-dma.c +index 1dfc71c90123..57b6e6ca14a8 100644 +--- a/drivers/dma/omap-dma.c ++++ b/drivers/dma/omap-dma.c +@@ -1199,8 +1199,10 @@ static int omap_dma_probe(struct platform_device *pdev) + + rc = devm_request_irq(&pdev->dev, irq, omap_dma_irq, + IRQF_SHARED, "omap-dma-engine", od); +- if (rc) ++ if (rc) { ++ omap_dma_free(od); + return rc; ++ } + } + + rc = dma_async_device_register(&od->ddev); +diff --git a/drivers/isdn/capi/capi.c b/drivers/isdn/capi/capi.c +index 6a2df3297e77..691ad069444d 100644 +--- a/drivers/isdn/capi/capi.c ++++ b/drivers/isdn/capi/capi.c +@@ -687,6 +687,9 @@ capi_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos + if (!cdev->ap.applid) + return -ENODEV; + ++ if (count < CAPIMSG_BASELEN) ++ return -EINVAL; ++ + skb = alloc_skb(count, GFP_USER); + if (!skb) + return -ENOMEM; +@@ -697,7 +700,8 @@ capi_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos + } + mlen = CAPIMSG_LEN(skb->data); + if (CAPIMSG_CMD(skb->data) == CAPI_DATA_B3_REQ) { +- if ((size_t)(mlen + CAPIMSG_DATALEN(skb->data)) != count) { ++ if (count < CAPI_DATA_B3_REQ_LEN || ++ (size_t)(mlen + CAPIMSG_DATALEN(skb->data)) != count) { + kfree_skb(skb); + return -EINVAL; + } +@@ -710,6 +714,10 @@ capi_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos + CAPIMSG_SETAPPID(skb->data, cdev->ap.applid); + + if (CAPIMSG_CMD(skb->data) == CAPI_DISCONNECT_B3_RESP) { ++ if (count < CAPI_DISCONNECT_B3_RESP_LEN) { ++ kfree_skb(skb); ++ return -EINVAL; ++ } + mutex_lock(&cdev->lock); + capincci_free(cdev, CAPIMSG_NCCI(skb->data)); + mutex_unlock(&cdev->lock); +diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c +index 6c3c47722955..30a8c21ed736 100644 +--- a/drivers/media/usb/dvb-usb/technisat-usb2.c ++++ b/drivers/media/usb/dvb-usb/technisat-usb2.c +@@ -594,9 +594,9 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a) + + static int technisat_usb2_get_ir(struct dvb_usb_device *d) + { +- u8 buf[62], *b; +- int ret; ++ u8 buf[62]; + struct ir_raw_event ev; ++ int i, ret; + + buf[0] = GET_IR_DATA_VENDOR_REQUEST; + buf[1] = 0x08; +@@ -632,26 +632,25 @@ unlock: + return 0; /* no key pressed */ + + /* decoding */ +- b = buf+1; + + #if 0 + deb_rc("RC: %d ", ret); +- debug_dump(b, ret, deb_rc); ++ debug_dump(buf + 1, ret, deb_rc); + #endif + + ev.pulse = 0; +- while (1) { +- ev.pulse = !ev.pulse; +- ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000; +- ir_raw_event_store(d->rc_dev, &ev); +- +- b++; +- if (*b == 0xff) { ++ for (i = 1; i < ARRAY_SIZE(buf); i++) { ++ if (buf[i] == 0xff) { + ev.pulse = 0; + ev.duration = 888888*2; + ir_raw_event_store(d->rc_dev, &ev); + break; + } ++ ++ ev.pulse = !ev.pulse; ++ ev.duration = (buf[i] * FIRMWARE_CLOCK_DIVISOR * ++ FIRMWARE_CLOCK_TICK) / 1000; ++ ir_raw_event_store(d->rc_dev, &ev); + } + + ir_raw_event_handle(d->rc_dev); +diff --git a/drivers/media/usb/tm6000/tm6000-dvb.c b/drivers/media/usb/tm6000/tm6000-dvb.c +index 4f317e2686e9..87401b18d85a 100644 +--- a/drivers/media/usb/tm6000/tm6000-dvb.c ++++ b/drivers/media/usb/tm6000/tm6000-dvb.c +@@ -111,6 +111,7 @@ static void tm6000_urb_received(struct urb *urb) + printk(KERN_ERR "tm6000: error %s\n", __func__); + kfree(urb->transfer_buffer); + usb_free_urb(urb); ++ dev->dvb->bulk_urb = NULL; + } + } + } +@@ -143,6 +144,7 @@ static int tm6000_start_stream(struct tm6000_core *dev) + dvb->bulk_urb->transfer_buffer = kzalloc(size, GFP_KERNEL); + if (dvb->bulk_urb->transfer_buffer == NULL) { + usb_free_urb(dvb->bulk_urb); ++ dvb->bulk_urb = NULL; + printk(KERN_ERR "tm6000: couldn't allocate transfer buffer!\n"); + return -ENOMEM; + } +@@ -170,6 +172,7 @@ static int tm6000_start_stream(struct tm6000_core *dev) + + kfree(dvb->bulk_urb->transfer_buffer); + usb_free_urb(dvb->bulk_urb); ++ dvb->bulk_urb = NULL; + return ret; + } + +diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c +index dcd72b2a3715..8ba9eadc2079 100644 +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -4946,6 +4946,13 @@ static const struct dmi_system_id msi_blacklist[] = { + DMI_MATCH(DMI_BOARD_NAME, "P6T"), + }, + }, ++ { ++ .ident = "ASUS P6X", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "P6X"), ++ }, ++ }, + {} + }; + +diff --git a/drivers/net/ethernet/seeq/sgiseeq.c b/drivers/net/ethernet/seeq/sgiseeq.c +index ca7336605748..2e5f7bbd30bf 100644 +--- a/drivers/net/ethernet/seeq/sgiseeq.c ++++ b/drivers/net/ethernet/seeq/sgiseeq.c +@@ -792,15 +792,16 @@ static int sgiseeq_probe(struct platform_device *pdev) + printk(KERN_ERR "Sgiseeq: Cannot register net device, " + "aborting.\n"); + err = -ENODEV; +- goto err_out_free_page; ++ goto err_out_free_attrs; + } + + printk(KERN_INFO "%s: %s %pM\n", dev->name, sgiseeqstr, dev->dev_addr); + + return 0; + +-err_out_free_page: +- free_page((unsigned long) sp->srings); ++err_out_free_attrs: ++ dma_free_attrs(&pdev->dev, sizeof(*sp->srings), sp->srings, ++ sp->srings_dma, DMA_ATTR_NON_CONSISTENT); + err_out_free_dev: + free_netdev(dev); + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index fd9ff9eff237..2b7a3631b882 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -597,7 +597,8 @@ static void tun_detach_all(struct net_device *dev) + module_put(THIS_MODULE); + } + +-static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filter) ++static int tun_attach(struct tun_struct *tun, struct file *file, ++ bool skip_filter, bool publish_tun) + { + struct tun_file *tfile = file->private_data; + int err; +@@ -630,7 +631,8 @@ static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filte + } + tfile->queue_index = tun->numqueues; + tfile->socket.sk->sk_shutdown &= ~RCV_SHUTDOWN; +- rcu_assign_pointer(tfile->tun, tun); ++ if (publish_tun) ++ rcu_assign_pointer(tfile->tun, tun); + rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile); + tun->numqueues++; + +@@ -1641,7 +1643,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) + if (err < 0) + return err; + +- err = tun_attach(tun, file, ifr->ifr_flags & IFF_NOFILTER); ++ err = tun_attach(tun, file, ifr->ifr_flags & IFF_NOFILTER, true); + if (err < 0) + return err; + +@@ -1722,13 +1724,17 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) + NETIF_F_HW_VLAN_STAG_TX); + + INIT_LIST_HEAD(&tun->disabled); +- err = tun_attach(tun, file, false); ++ err = tun_attach(tun, file, false, false); + if (err < 0) + goto err_free_flow; + + err = register_netdevice(tun->dev); + if (err < 0) + goto err_detach; ++ /* free_netdev() won't check refcnt, to aovid race ++ * with dev_put() we need publish tun after registration. ++ */ ++ rcu_assign_pointer(tfile->tun, tun); + } + + netif_carrier_on(tun->dev); +@@ -1867,7 +1873,7 @@ static int tun_set_queue(struct file *file, struct ifreq *ifr) + ret = security_tun_dev_attach_queue(tun->security); + if (ret < 0) + goto unlock; +- ret = tun_attach(tun, file, false); ++ ret = tun_attach(tun, file, false, true); + } else if (ifr->ifr_flags & IFF_DETACH_QUEUE) { + tun = rtnl_dereference(tfile->tun); + if (!tun || !(tun->flags & IFF_MULTI_QUEUE) || tfile->detached) +diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c +index f71abe50ea6f..3707aab2423b 100644 +--- a/drivers/net/usb/cdc_ether.c ++++ b/drivers/net/usb/cdc_ether.c +@@ -212,9 +212,16 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf) + goto bad_desc; + } + skip: +- if ( rndis && +- header.usb_cdc_acm_descriptor && +- header.usb_cdc_acm_descriptor->bmCapabilities) { ++ /* Communcation class functions with bmCapabilities are not ++ * RNDIS. But some Wireless class RNDIS functions use ++ * bmCapabilities for their own purpose. The failsafe is ++ * therefore applied only to Communication class RNDIS ++ * functions. The rndis test is redundant, but a cheap ++ * optimization. ++ */ ++ if (rndis && is_rndis(&intf->cur_altsetting->desc) && ++ header.usb_cdc_acm_descriptor && ++ header.usb_cdc_acm_descriptor->bmCapabilities) { + dev_dbg(&intf->dev, + "ACM capabilities %02x, not really RNDIS?\n", + header.usb_cdc_acm_descriptor->bmCapabilities); +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 2d83689374bb..10dd307593e8 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -671,8 +671,11 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data) + ret = usb_control_msg(tp->udev, usb_rcvctrlpipe(tp->udev, 0), + RTL8152_REQ_GET_REGS, RTL8152_REQT_READ, + value, index, tmp, size, 500); ++ if (ret < 0) ++ memset(data, 0xff, size); ++ else ++ memcpy(data, tmp, size); + +- memcpy(data, tmp, size); + kfree(tmp); + + return ret; +diff --git a/drivers/net/wireless/mwifiex/ie.c b/drivers/net/wireless/mwifiex/ie.c +index de8435709735..4255fb8dd58a 100644 +--- a/drivers/net/wireless/mwifiex/ie.c ++++ b/drivers/net/wireless/mwifiex/ie.c +@@ -240,6 +240,9 @@ static int mwifiex_update_vs_ie(const u8 *ies, int ies_len, + } + + vs_ie = (struct ieee_types_header *)vendor_ie; ++ if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 > ++ IEEE_MAX_IE_SIZE) ++ return -EINVAL; + memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length), + vs_ie, vs_ie->len + 2); + le16_add_cpu(&ie->ie_length, vs_ie->len + 2); +diff --git a/drivers/net/wireless/mwifiex/uap_cmd.c b/drivers/net/wireless/mwifiex/uap_cmd.c +index 759a6ada5b0f..60bba1ca24e6 100644 +--- a/drivers/net/wireless/mwifiex/uap_cmd.c ++++ b/drivers/net/wireless/mwifiex/uap_cmd.c +@@ -286,6 +286,8 @@ mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg, + + rate_ie = (void *)cfg80211_find_ie(WLAN_EID_SUPP_RATES, var_pos, len); + if (rate_ie) { ++ if (rate_ie->len > MWIFIEX_SUPPORTED_RATES) ++ return; + memcpy(bss_cfg->rates, rate_ie + 1, rate_ie->len); + rate_len = rate_ie->len; + } +@@ -293,8 +295,11 @@ mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg, + rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, + params->beacon.tail, + params->beacon.tail_len); +- if (rate_ie) ++ if (rate_ie) { ++ if (rate_ie->len > MWIFIEX_SUPPORTED_RATES - rate_len) ++ return; + memcpy(bss_cfg->rates + rate_len, rate_ie + 1, rate_ie->len); ++ } + + return; + } +@@ -412,6 +417,8 @@ mwifiex_set_wmm_params(struct mwifiex_private *priv, + params->beacon.tail_len); + if (vendor_ie) { + wmm_ie = (struct ieee_types_header *)vendor_ie; ++ if (*(vendor_ie + 1) > sizeof(struct mwifiex_types_wmm_info)) ++ return; + memcpy(&bss_cfg->wmm_info, wmm_ie + 1, + sizeof(bss_cfg->wmm_info)); + priv->wmm_enabled = 1; +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 6f55ab4f7959..574c93a24180 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -893,7 +893,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, + __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); + } + if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) { +- queue->rx.rsp_cons = ++cons; ++ queue->rx.rsp_cons = ++cons + skb_queue_len(list); + kfree_skb(nskb); + return ~0U; + } +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index fc46c8cf5fcd..3bd19de7df71 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1275,7 +1275,6 @@ atmel_handle_transmit(struct uart_port *port, unsigned int pending) + + atmel_port->hd_start_rx = false; + atmel_start_rx(port); +- return; + } + + tasklet_schedule(&atmel_port->tasklet); +diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c +index c894eca57e73..82e00ac6f7e3 100644 +--- a/drivers/tty/serial/sprd_serial.c ++++ b/drivers/tty/serial/sprd_serial.c +@@ -240,7 +240,7 @@ static inline void sprd_rx(struct uart_port *port) + + if (lsr & (SPRD_LSR_BI | SPRD_LSR_PE | + SPRD_LSR_FE | SPRD_LSR_OE)) +- if (handle_lsr_errors(port, &lsr, &flag)) ++ if (handle_lsr_errors(port, &flag, &lsr)) + continue; + if (uart_handle_sysrq_char(port, ch)) + continue; +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index aef208585544..5abc4e5434ec 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -891,7 +891,7 @@ int usb_get_bos_descriptor(struct usb_device *dev) + struct usb_bos_descriptor *bos; + struct usb_dev_cap_header *cap; + struct usb_ssp_cap_descriptor *ssp_cap; +- unsigned char *buffer; ++ unsigned char *buffer, *buffer0; + int length, total_len, num, i, ssac; + __u8 cap_type; + int ret; +@@ -936,10 +936,12 @@ int usb_get_bos_descriptor(struct usb_device *dev) + ret = -ENOMSG; + goto err; + } ++ ++ buffer0 = buffer; + total_len -= length; ++ buffer += length; + + for (i = 0; i < num; i++) { +- buffer += length; + cap = (struct usb_dev_cap_header *)buffer; + + if (total_len < sizeof(*cap) || total_len < cap->bLength) { +@@ -953,8 +955,6 @@ int usb_get_bos_descriptor(struct usb_device *dev) + break; + } + +- total_len -= length; +- + if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) { + dev_warn(ddev, "descriptor type invalid, skip\n"); + continue; +@@ -989,7 +989,11 @@ int usb_get_bos_descriptor(struct usb_device *dev) + default: + break; + } ++ ++ total_len -= length; ++ buffer += length; + } ++ dev->bos->desc->wTotalLength = cpu_to_le16(buffer - buffer0); + + return 0; + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 57a46093656a..f9c3907bf159 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -5133,7 +5133,7 @@ process_leaf: + } + + if (btrfs_inode_in_log(di_inode, trans->transid)) { +- iput(di_inode); ++ btrfs_add_delayed_iput(di_inode); + continue; + } + +@@ -5143,7 +5143,7 @@ process_leaf: + btrfs_release_path(path); + ret = btrfs_log_inode(trans, root, di_inode, + log_mode, 0, LLONG_MAX, ctx); +- iput(di_inode); ++ btrfs_add_delayed_iput(di_inode); + if (ret) + goto next_dir_inode; + if (ctx->log_new_dentries) { +@@ -5281,7 +5281,7 @@ static int btrfs_log_all_parents(struct btrfs_trans_handle *trans, + + ret = btrfs_log_inode(trans, root, dir_inode, + LOG_INODE_ALL, 0, LLONG_MAX, ctx); +- iput(dir_inode); ++ btrfs_add_delayed_iput(dir_inode); + if (ret) + goto out; + } +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 9cb72fd40eff..63108343124a 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -2466,6 +2466,7 @@ static int + cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + { + int rc = 0; ++ int is_domain = 0; + const char *delim, *payload; + char *desc; + ssize_t len; +@@ -2513,6 +2514,7 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + rc = PTR_ERR(key); + goto out_err; + } ++ is_domain = 1; + } + + down_read(&key->sem); +@@ -2570,6 +2572,26 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + goto out_key_put; + } + ++ /* ++ * If we have a domain key then we must set the domainName in the ++ * for the request. ++ */ ++ if (is_domain && ses->domainName) { ++ vol->domainname = kstrndup(ses->domainName, ++ strlen(ses->domainName), ++ GFP_KERNEL); ++ if (!vol->domainname) { ++ cifs_dbg(FYI, "Unable to allocate %zd bytes for " ++ "domain\n", len); ++ rc = -ENOMEM; ++ kfree(vol->username); ++ vol->username = NULL; ++ kzfree(vol->password); ++ vol->password = NULL; ++ goto out_key_put; ++ } ++ } ++ + out_key_put: + up_read(&key->sem); + key_put(key); +diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c +index d3e3761eacfa..c5e884585c23 100644 +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -73,13 +73,13 @@ nfs4_file_open(struct inode *inode, struct file *filp) + if (IS_ERR(inode)) { + err = PTR_ERR(inode); + switch (err) { +- case -EPERM: +- case -EACCES: +- case -EDQUOT: +- case -ENOSPC: +- case -EROFS: +- goto out_put_ctx; + default: ++ goto out_put_ctx; ++ case -ENOENT: ++ case -ESTALE: ++ case -EISDIR: ++ case -ENOTDIR: ++ case -ELOOP: + goto out_drop; + } + } +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c +index 8a2077408ab0..af1bb7353792 100644 +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -593,7 +593,7 @@ static void nfs_pgio_rpcsetup(struct nfs_pgio_header *hdr, + } + + hdr->res.fattr = &hdr->fattr; +- hdr->res.count = count; ++ hdr->res.count = 0; + hdr->res.eof = 0; + hdr->res.verf = &hdr->verf; + nfs_fattr_init(&hdr->fattr); +diff --git a/fs/nfs/proc.c b/fs/nfs/proc.c +index b417bbcd9704..b83e14ad13c4 100644 +--- a/fs/nfs/proc.c ++++ b/fs/nfs/proc.c +@@ -588,7 +588,8 @@ static int nfs_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr) + /* Emulate the eof flag, which isn't normally needed in NFSv2 + * as it is guaranteed to always return the file attributes + */ +- if (hdr->args.offset + hdr->res.count >= hdr->res.fattr->size) ++ if ((hdr->res.count == 0 && hdr->args.count > 0) || ++ hdr->args.offset + hdr->res.count >= hdr->res.fattr->size) + hdr->res.eof = 1; + } + return 0; +@@ -609,8 +610,10 @@ static int nfs_proc_pgio_rpc_prepare(struct rpc_task *task, + + static int nfs_write_done(struct rpc_task *task, struct nfs_pgio_header *hdr) + { +- if (task->tk_status >= 0) ++ if (task->tk_status >= 0) { ++ hdr->res.count = hdr->args.count; + nfs_writeback_update_inode(hdr); ++ } + return 0; + } + +diff --git a/include/uapi/linux/isdn/capicmd.h b/include/uapi/linux/isdn/capicmd.h +index b58635f722da..ae1e1fba2e13 100644 +--- a/include/uapi/linux/isdn/capicmd.h ++++ b/include/uapi/linux/isdn/capicmd.h +@@ -15,6 +15,7 @@ + #define CAPI_MSG_BASELEN 8 + #define CAPI_DATA_B3_REQ_LEN (CAPI_MSG_BASELEN+4+4+2+2+2) + #define CAPI_DATA_B3_RESP_LEN (CAPI_MSG_BASELEN+4+2) ++#define CAPI_DISCONNECT_B3_RESP_LEN (CAPI_MSG_BASELEN+4) + + /*----- CAPI commands -----*/ + #define CAPI_ALERT 0x01 +diff --git a/kernel/irq/resend.c b/kernel/irq/resend.c +index b86886beee4f..867fb0ed4aa6 100644 +--- a/kernel/irq/resend.c ++++ b/kernel/irq/resend.c +@@ -37,6 +37,8 @@ static void resend_irqs(unsigned long arg) + irq = find_first_bit(irqs_resend, nr_irqs); + clear_bit(irq, irqs_resend); + desc = irq_to_desc(irq); ++ if (!desc) ++ continue; + local_irq_disable(); + desc->handle_irq(desc); + local_irq_enable(); +diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c +index cd8deea2d074..db6b65a5f811 100644 +--- a/net/bridge/br_mdb.c ++++ b/net/bridge/br_mdb.c +@@ -256,7 +256,7 @@ static int nlmsg_populate_rtr_fill(struct sk_buff *skb, + struct nlmsghdr *nlh; + struct nlattr *nest; + +- nlh = nlmsg_put(skb, pid, seq, type, sizeof(*bpm), NLM_F_MULTI); ++ nlh = nlmsg_put(skb, pid, seq, type, sizeof(*bpm), 0); + if (!nlh) + return -EMSGSIZE; + +diff --git a/net/core/dev.c b/net/core/dev.c +index 152e1e6316e6..18a5154e2f25 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -6837,6 +6837,8 @@ int register_netdevice(struct net_device *dev) + ret = notifier_to_errno(ret); + if (ret) { + rollback_registered(dev); ++ rcu_barrier(); ++ + dev->reg_state = NETREG_UNREGISTERED; + } + /* +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 30c5500b0899..b0677b265b48 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -225,7 +225,7 @@ static void tcp_ecn_accept_cwr(struct tcp_sock *tp, const struct sk_buff *skb) + + static void tcp_ecn_withdraw_cwr(struct tcp_sock *tp) + { +- tp->ecn_flags &= ~TCP_ECN_DEMAND_CWR; ++ tp->ecn_flags &= ~TCP_ECN_QUEUE_CWR; + } + + static void __tcp_ecn_check_ce(struct sock *sk, const struct sk_buff *skb) +diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c +index a830b68e63c9..c846cff26933 100644 +--- a/net/ipv6/ping.c ++++ b/net/ipv6/ping.c +@@ -234,7 +234,7 @@ static int __net_init ping_v6_proc_init_net(struct net *net) + return ping_proc_register(net, &ping_v6_seq_afinfo); + } + +-static void __net_init ping_v6_proc_exit_net(struct net *net) ++static void __net_exit ping_v6_proc_exit_net(struct net *net) + { + return ping_proc_unregister(net, &ping_v6_seq_afinfo); + } +diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c +index b666959f17c0..b7c13179fa40 100644 +--- a/net/netfilter/nf_conntrack_ftp.c ++++ b/net/netfilter/nf_conntrack_ftp.c +@@ -334,7 +334,7 @@ static int find_pattern(const char *data, size_t dlen, + i++; + } + +- pr_debug("Skipped up to `%c'!\n", skip); ++ pr_debug("Skipped up to 0x%hhx delimiter!\n", skip); + + *numoff = i; + *numlen = getnum(data + i, dlen - i, cmd, term, numoff); +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index aa4725038f94..eec6dc2d3152 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -671,7 +671,11 @@ static void qdisc_rcu_free(struct rcu_head *head) + + void qdisc_destroy(struct Qdisc *qdisc) + { +- const struct Qdisc_ops *ops = qdisc->ops; ++ const struct Qdisc_ops *ops; ++ ++ if (!qdisc) ++ return; ++ ops = qdisc->ops; + + if (qdisc->flags & TCQ_F_BUILTIN || + !atomic_dec_and_test(&qdisc->refcnt)) +diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c +index aff2a1b46f7f..dc68dccc6b0c 100644 +--- a/net/sched/sch_hhf.c ++++ b/net/sched/sch_hhf.c +@@ -552,7 +552,7 @@ static int hhf_change(struct Qdisc *sch, struct nlattr *opt) + new_hhf_non_hh_weight = nla_get_u32(tb[TCA_HHF_NON_HH_WEIGHT]); + + non_hh_quantum = (u64)new_quantum * new_hhf_non_hh_weight; +- if (non_hh_quantum > INT_MAX) ++ if (non_hh_quantum == 0 || non_hh_quantum > INT_MAX) + return -EINVAL; + + sch_tree_lock(sch); +diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c +index 247d1888c386..07c54b212cd7 100644 +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -1331,7 +1331,7 @@ static int __net_init sctp_ctrlsock_init(struct net *net) + return status; + } + +-static void __net_init sctp_ctrlsock_exit(struct net *net) ++static void __net_exit sctp_ctrlsock_exit(struct net *net) + { + /* Free the control endpoint. */ + inet_ctl_sock_destroy(net->sctp.ctl_sock); +diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c +index e5cd14307aa5..7c220e905168 100644 +--- a/net/sctp/sm_sideeffect.c ++++ b/net/sctp/sm_sideeffect.c +@@ -505,7 +505,7 @@ static void sctp_do_8_2_transport_strike(sctp_cmd_seq_t *commands, + */ + if ((transport->state == SCTP_ACTIVE) && + (transport->error_count < transport->pathmaxrxt) && +- (transport->error_count > asoc->pf_retrans)) { ++ (transport->error_count > transport->pf_retrans)) { + + sctp_assoc_control_transport(asoc, transport, + SCTP_TRANSPORT_PF, +diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c +index c4c151bc000c..b57675f81ceb 100644 +--- a/net/tipc/name_distr.c ++++ b/net/tipc/name_distr.c +@@ -284,7 +284,8 @@ static void tipc_publ_purge(struct net *net, struct publication *publ, u32 addr) + publ->key); + } + +- kfree_rcu(p, rcu); ++ if (p) ++ kfree_rcu(p, rcu); + } + + void tipc_publ_notify(struct net *net, struct list_head *nsub_list, u32 addr) +diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c +index 8882b729924d..976deea0569e 100644 +--- a/security/keys/request_key_auth.c ++++ b/security/keys/request_key_auth.c +@@ -71,6 +71,9 @@ static void request_key_auth_describe(const struct key *key, + { + struct request_key_auth *rka = key->payload.data[0]; + ++ if (!rka) ++ return; ++ + seq_puts(m, "key:"); + seq_puts(m, key->description); + if (key_is_positive(key)) +@@ -88,6 +91,9 @@ static long request_key_auth_read(const struct key *key, + size_t datalen; + long ret; + ++ if (!rka) ++ return -EKEYREVOKED; ++ + datalen = rka->callout_len; + ret = datalen; + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 532e7bf06868..58cf16188722 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -3014,7 +3014,7 @@ int initialize_counters(int cpu_id) + + void allocate_output_buffer() + { +- output_buffer = calloc(1, (1 + topo.num_cpus) * 1024); ++ output_buffer = calloc(1, (1 + topo.num_cpus) * 2048); + outp = output_buffer; + if (outp == NULL) + err(-1, "calloc output buffer"); +diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c +index 571c1ce37d15..5c1efb869df2 100644 +--- a/virt/kvm/coalesced_mmio.c ++++ b/virt/kvm/coalesced_mmio.c +@@ -39,7 +39,7 @@ static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev, + return 1; + } + +-static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev) ++static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last) + { + struct kvm_coalesced_mmio_ring *ring; + unsigned avail; +@@ -51,7 +51,7 @@ static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev) + * there is always one unused entry in the buffer + */ + ring = dev->kvm->coalesced_mmio_ring; +- avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX; ++ avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX; + if (avail == 0) { + /* full */ + return 0; +@@ -66,24 +66,27 @@ static int coalesced_mmio_write(struct kvm_vcpu *vcpu, + { + struct kvm_coalesced_mmio_dev *dev = to_mmio(this); + struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring; ++ __u32 insert; + + if (!coalesced_mmio_in_range(dev, addr, len)) + return -EOPNOTSUPP; + + spin_lock(&dev->kvm->ring_lock); + +- if (!coalesced_mmio_has_room(dev)) { ++ insert = READ_ONCE(ring->last); ++ if (!coalesced_mmio_has_room(dev, insert) || ++ insert >= KVM_COALESCED_MMIO_MAX) { + spin_unlock(&dev->kvm->ring_lock); + return -EOPNOTSUPP; + } + + /* copy data in first free entry of the ring */ + +- ring->coalesced_mmio[ring->last].phys_addr = addr; +- ring->coalesced_mmio[ring->last].len = len; +- memcpy(ring->coalesced_mmio[ring->last].data, val, len); ++ ring->coalesced_mmio[insert].phys_addr = addr; ++ ring->coalesced_mmio[insert].len = len; ++ memcpy(ring->coalesced_mmio[insert].data, val, len); + smp_wmb(); +- ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX; ++ ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX; + spin_unlock(&dev->kvm->ring_lock); + return 0; + } |