summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '4.7.6/1005_linux-4.7.6.patch')
-rw-r--r--4.7.6/1005_linux-4.7.6.patch2572
1 files changed, 2572 insertions, 0 deletions
diff --git a/4.7.6/1005_linux-4.7.6.patch b/4.7.6/1005_linux-4.7.6.patch
new file mode 100644
index 0000000..5699974
--- /dev/null
+++ b/4.7.6/1005_linux-4.7.6.patch
@@ -0,0 +1,2572 @@
+diff --git a/Makefile b/Makefile
+index dd755d1..48b0120 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 7
+-SUBLEVEL = 5
++SUBLEVEL = 6
+ EXTRAVERSION =
+ NAME = Psychotic Stoned Sheep
+
+@@ -370,7 +370,7 @@ LDFLAGS_MODULE =
+ CFLAGS_KERNEL =
+ AFLAGS_KERNEL =
+ LDFLAGS_vmlinux =
+-CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im -Wno-maybe-uninitialized
++CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im
+ CFLAGS_KCOV = -fsanitize-coverage=trace-pc
+
+
+@@ -619,12 +619,13 @@ ARCH_CFLAGS :=
+ include arch/$(SRCARCH)/Makefile
+
+ KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
++KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,)
+
+ ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
+-KBUILD_CFLAGS += -Os $(call cc-disable-warning,maybe-uninitialized,)
++KBUILD_CFLAGS += -Os
+ else
+ ifdef CONFIG_PROFILE_ALL_BRANCHES
+-KBUILD_CFLAGS += -O2 $(call cc-disable-warning,maybe-uninitialized,)
++KBUILD_CFLAGS += -O2
+ else
+ KBUILD_CFLAGS += -O2
+ endif
+diff --git a/arch/arc/Makefile b/arch/arc/Makefile
+index 85814e7..601ed17 100644
+--- a/arch/arc/Makefile
++++ b/arch/arc/Makefile
+@@ -74,9 +74,7 @@ endif
+ ifndef CONFIG_CC_OPTIMIZE_FOR_SIZE
+ # Generic build system uses -O2, we want -O3
+ # Note: No need to add to cflags-y as that happens anyways
+-#
+-# Disable the false maybe-uninitialized warings gcc spits out at -O3
+-ARCH_CFLAGS += -O3 $(call cc-disable-warning,maybe-uninitialized,)
++ARCH_CFLAGS += -O3
+ endif
+
+ # small data is default for elf32 tool-chain. If not usable, disable it
+diff --git a/arch/arm/crypto/aes-ce-glue.c b/arch/arm/crypto/aes-ce-glue.c
+index da3c042..aef022a 100644
+--- a/arch/arm/crypto/aes-ce-glue.c
++++ b/arch/arm/crypto/aes-ce-glue.c
+@@ -284,7 +284,7 @@ static int ctr_encrypt(struct blkcipher_desc *desc, struct scatterlist *dst,
+ err = blkcipher_walk_done(desc, &walk,
+ walk.nbytes % AES_BLOCK_SIZE);
+ }
+- if (nbytes) {
++ if (walk.nbytes % AES_BLOCK_SIZE) {
+ u8 *tdst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE;
+ u8 *tsrc = walk.src.virt.addr + blocks * AES_BLOCK_SIZE;
+ u8 __aligned(8) tail[AES_BLOCK_SIZE];
+diff --git a/arch/arm64/crypto/aes-glue.c b/arch/arm64/crypto/aes-glue.c
+index 5c88804..6b2aa0f 100644
+--- a/arch/arm64/crypto/aes-glue.c
++++ b/arch/arm64/crypto/aes-glue.c
+@@ -216,7 +216,7 @@ static int ctr_encrypt(struct blkcipher_desc *desc, struct scatterlist *dst,
+ err = blkcipher_walk_done(desc, &walk,
+ walk.nbytes % AES_BLOCK_SIZE);
+ }
+- if (nbytes) {
++ if (walk.nbytes % AES_BLOCK_SIZE) {
+ u8 *tdst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE;
+ u8 *tsrc = walk.src.virt.addr + blocks * AES_BLOCK_SIZE;
+ u8 __aligned(8) tail[AES_BLOCK_SIZE];
+diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
+index 490db85..95e32d9 100644
+--- a/arch/arm64/kernel/smp.c
++++ b/arch/arm64/kernel/smp.c
+@@ -201,12 +201,6 @@ int __cpu_up(unsigned int cpu, struct task_struct *idle)
+ return ret;
+ }
+
+-static void smp_store_cpu_info(unsigned int cpuid)
+-{
+- store_cpu_topology(cpuid);
+- numa_store_cpu_info(cpuid);
+-}
+-
+ /*
+ * This is the secondary CPU boot entry. We're using this CPUs
+ * idle thread stack, but a set of temporary page tables.
+@@ -254,7 +248,7 @@ asmlinkage void secondary_start_kernel(void)
+ */
+ notify_cpu_starting(cpu);
+
+- smp_store_cpu_info(cpu);
++ store_cpu_topology(cpu);
+
+ /*
+ * OK, now it's safe to let the boot CPU continue. Wait for
+@@ -687,10 +681,13 @@ void __init smp_prepare_cpus(unsigned int max_cpus)
+ {
+ int err;
+ unsigned int cpu;
++ unsigned int this_cpu;
+
+ init_cpu_topology();
+
+- smp_store_cpu_info(smp_processor_id());
++ this_cpu = smp_processor_id();
++ store_cpu_topology(this_cpu);
++ numa_store_cpu_info(this_cpu);
+
+ /*
+ * If UP is mandated by "nosmp" (which implies "maxcpus=0"), don't set
+@@ -717,6 +714,7 @@ void __init smp_prepare_cpus(unsigned int max_cpus)
+ continue;
+
+ set_cpu_present(cpu, true);
++ numa_store_cpu_info(cpu);
+ }
+ }
+
+diff --git a/arch/mips/Kconfig.debug b/arch/mips/Kconfig.debug
+index f0e314c..7f975b2 100644
+--- a/arch/mips/Kconfig.debug
++++ b/arch/mips/Kconfig.debug
+@@ -113,42 +113,6 @@ config SPINLOCK_TEST
+ help
+ Add several files to the debugfs to test spinlock speed.
+
+-if CPU_MIPSR6
+-
+-choice
+- prompt "Compact branch policy"
+- default MIPS_COMPACT_BRANCHES_OPTIMAL
+-
+-config MIPS_COMPACT_BRANCHES_NEVER
+- bool "Never (force delay slot branches)"
+- help
+- Pass the -mcompact-branches=never flag to the compiler in order to
+- force it to always emit branches with delay slots, and make no use
+- of the compact branch instructions introduced by MIPSr6. This is
+- useful if you suspect there may be an issue with compact branches in
+- either the compiler or the CPU.
+-
+-config MIPS_COMPACT_BRANCHES_OPTIMAL
+- bool "Optimal (use where beneficial)"
+- help
+- Pass the -mcompact-branches=optimal flag to the compiler in order for
+- it to make use of compact branch instructions where it deems them
+- beneficial, and use branches with delay slots elsewhere. This is the
+- default compiler behaviour, and should be used unless you have a
+- reason to choose otherwise.
+-
+-config MIPS_COMPACT_BRANCHES_ALWAYS
+- bool "Always (force compact branches)"
+- help
+- Pass the -mcompact-branches=always flag to the compiler in order to
+- force it to always emit compact branches, making no use of branch
+- instructions with delay slots. This can result in more compact code
+- which may be beneficial in some scenarios.
+-
+-endchoice
+-
+-endif # CPU_MIPSR6
+-
+ config SCACHE_DEBUGFS
+ bool "L2 cache debugfs entries"
+ depends on DEBUG_FS
+diff --git a/arch/mips/Makefile b/arch/mips/Makefile
+index efd7a9d..598ab29 100644
+--- a/arch/mips/Makefile
++++ b/arch/mips/Makefile
+@@ -203,10 +203,6 @@ endif
+ toolchain-virt := $(call cc-option-yn,$(mips-cflags) -mvirt)
+ cflags-$(toolchain-virt) += -DTOOLCHAIN_SUPPORTS_VIRT
+
+-cflags-$(CONFIG_MIPS_COMPACT_BRANCHES_NEVER) += -mcompact-branches=never
+-cflags-$(CONFIG_MIPS_COMPACT_BRANCHES_OPTIMAL) += -mcompact-branches=optimal
+-cflags-$(CONFIG_MIPS_COMPACT_BRANCHES_ALWAYS) += -mcompact-branches=always
+-
+ #
+ # Firmware support
+ #
+diff --git a/arch/mips/include/asm/asmmacro.h b/arch/mips/include/asm/asmmacro.h
+index 56584a6..83054f7 100644
+--- a/arch/mips/include/asm/asmmacro.h
++++ b/arch/mips/include/asm/asmmacro.h
+@@ -157,6 +157,7 @@
+ ldc1 $f28, THREAD_FPR28(\thread)
+ ldc1 $f30, THREAD_FPR30(\thread)
+ ctc1 \tmp, fcr31
++ .set pop
+ .endm
+
+ .macro fpu_restore_16odd thread
+diff --git a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
+index 2f82bfa..c9f5769 100644
+--- a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
++++ b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
+@@ -11,11 +11,13 @@
+ #define CP0_EBASE $15, 1
+
+ .macro kernel_entry_setup
++#ifdef CONFIG_SMP
+ mfc0 t0, CP0_EBASE
+ andi t0, t0, 0x3ff # CPUNum
+ beqz t0, 1f
+ # CPUs other than zero goto smp_bootstrap
+ j smp_bootstrap
++#endif /* CONFIG_SMP */
+
+ 1:
+ .endm
+diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c
+index 7ff2a55..ae77575 100644
+--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
++++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
+@@ -1164,7 +1164,9 @@ fpu_emul:
+ regs->regs[31] = r31;
+ regs->cp0_epc = epc;
+ if (!used_math()) { /* First time FPU user. */
++ preempt_disable();
+ err = init_fpu();
++ preempt_enable();
+ set_used_math();
+ }
+ lose_fpu(1); /* Save FPU state for the emulator. */
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index 813ed78..45cff9f 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -591,14 +591,14 @@ int mips_set_process_fp_mode(struct task_struct *task, unsigned int value)
+ return -EOPNOTSUPP;
+
+ /* Avoid inadvertently triggering emulation */
+- if ((value & PR_FP_MODE_FR) && cpu_has_fpu &&
+- !(current_cpu_data.fpu_id & MIPS_FPIR_F64))
++ if ((value & PR_FP_MODE_FR) && raw_cpu_has_fpu &&
++ !(raw_current_cpu_data.fpu_id & MIPS_FPIR_F64))
+ return -EOPNOTSUPP;
+- if ((value & PR_FP_MODE_FRE) && cpu_has_fpu && !cpu_has_fre)
++ if ((value & PR_FP_MODE_FRE) && raw_cpu_has_fpu && !cpu_has_fre)
+ return -EOPNOTSUPP;
+
+ /* FR = 0 not supported in MIPS R6 */
+- if (!(value & PR_FP_MODE_FR) && cpu_has_fpu && cpu_has_mips_r6)
++ if (!(value & PR_FP_MODE_FR) && raw_cpu_has_fpu && cpu_has_mips_r6)
+ return -EOPNOTSUPP;
+
+ /* Proceed with the mode switch */
+diff --git a/arch/mips/kernel/smp.c b/arch/mips/kernel/smp.c
+index f9d01e9..dcf4a23 100644
+--- a/arch/mips/kernel/smp.c
++++ b/arch/mips/kernel/smp.c
+@@ -320,6 +320,9 @@ asmlinkage void start_secondary(void)
+ cpumask_set_cpu(cpu, &cpu_coherent_mask);
+ notify_cpu_starting(cpu);
+
++ cpumask_set_cpu(cpu, &cpu_callin_map);
++ synchronise_count_slave(cpu);
++
+ set_cpu_online(cpu, true);
+
+ set_cpu_sibling_map(cpu);
+@@ -327,10 +330,6 @@ asmlinkage void start_secondary(void)
+
+ calculate_cpu_foreign_map();
+
+- cpumask_set_cpu(cpu, &cpu_callin_map);
+-
+- synchronise_count_slave(cpu);
+-
+ /*
+ * irq will be enabled in ->smp_finish(), enabling it too early
+ * is dangerous.
+diff --git a/arch/mips/kernel/vdso.c b/arch/mips/kernel/vdso.c
+index 54e1663..0b30c02 100644
+--- a/arch/mips/kernel/vdso.c
++++ b/arch/mips/kernel/vdso.c
+@@ -39,16 +39,16 @@ static struct vm_special_mapping vdso_vvar_mapping = {
+ static void __init init_vdso_image(struct mips_vdso_image *image)
+ {
+ unsigned long num_pages, i;
++ unsigned long data_pfn;
+
+ BUG_ON(!PAGE_ALIGNED(image->data));
+ BUG_ON(!PAGE_ALIGNED(image->size));
+
+ num_pages = image->size / PAGE_SIZE;
+
+- for (i = 0; i < num_pages; i++) {
+- image->mapping.pages[i] =
+- virt_to_page(image->data + (i * PAGE_SIZE));
+- }
++ data_pfn = __phys_to_pfn(__pa_symbol(image->data));
++ for (i = 0; i < num_pages; i++)
++ image->mapping.pages[i] = pfn_to_page(data_pfn + i);
+ }
+
+ static int __init init_vdso(void)
+diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
+index 7a1f7bb..b2659b9 100644
+--- a/arch/x86/mm/pageattr.c
++++ b/arch/x86/mm/pageattr.c
+@@ -932,11 +932,11 @@ static void populate_pte(struct cpa_data *cpa,
+ }
+ }
+
+-static int populate_pmd(struct cpa_data *cpa,
+- unsigned long start, unsigned long end,
+- unsigned num_pages, pud_t *pud, pgprot_t pgprot)
++static long populate_pmd(struct cpa_data *cpa,
++ unsigned long start, unsigned long end,
++ unsigned num_pages, pud_t *pud, pgprot_t pgprot)
+ {
+- unsigned int cur_pages = 0;
++ long cur_pages = 0;
+ pmd_t *pmd;
+ pgprot_t pmd_pgprot;
+
+@@ -1006,12 +1006,12 @@ static int populate_pmd(struct cpa_data *cpa,
+ return num_pages;
+ }
+
+-static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
+- pgprot_t pgprot)
++static long populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
++ pgprot_t pgprot)
+ {
+ pud_t *pud;
+ unsigned long end;
+- int cur_pages = 0;
++ long cur_pages = 0;
+ pgprot_t pud_pgprot;
+
+ end = start + (cpa->numpages << PAGE_SHIFT);
+@@ -1067,7 +1067,7 @@ static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
+
+ /* Map trailing leftover */
+ if (start < end) {
+- int tmp;
++ long tmp;
+
+ pud = pud_offset(pgd, start);
+ if (pud_none(*pud))
+@@ -1093,7 +1093,7 @@ static int populate_pgd(struct cpa_data *cpa, unsigned long addr)
+ pgprot_t pgprot = __pgprot(_KERNPG_TABLE);
+ pud_t *pud = NULL; /* shut up gcc */
+ pgd_t *pgd_entry;
+- int ret;
++ long ret;
+
+ pgd_entry = cpa->pgd + pgd_index(addr);
+
+@@ -1336,7 +1336,8 @@ static int cpa_process_alias(struct cpa_data *cpa)
+
+ static int __change_page_attr_set_clr(struct cpa_data *cpa, int checkalias)
+ {
+- int ret, numpages = cpa->numpages;
++ unsigned long numpages = cpa->numpages;
++ int ret;
+
+ while (numpages) {
+ /*
+diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
+index b226b3f..964c702 100644
+--- a/arch/x86/platform/efi/efi_64.c
++++ b/arch/x86/platform/efi/efi_64.c
+@@ -244,7 +244,7 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
+ * text and allocate a new stack because we can't rely on the
+ * stack pointer being < 4GB.
+ */
+- if (!IS_ENABLED(CONFIG_EFI_MIXED))
++ if (!IS_ENABLED(CONFIG_EFI_MIXED) || efi_is_native())
+ return 0;
+
+ /*
+diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
+index 8cc1622..dca7bc8 100644
+--- a/crypto/blkcipher.c
++++ b/crypto/blkcipher.c
+@@ -234,6 +234,8 @@ static int blkcipher_walk_next(struct blkcipher_desc *desc,
+ return blkcipher_walk_done(desc, walk, -EINVAL);
+ }
+
++ bsize = min(walk->walk_blocksize, n);
++
+ walk->flags &= ~(BLKCIPHER_WALK_SLOW | BLKCIPHER_WALK_COPY |
+ BLKCIPHER_WALK_DIFF);
+ if (!scatterwalk_aligned(&walk->in, walk->alignmask) ||
+@@ -246,7 +248,6 @@ static int blkcipher_walk_next(struct blkcipher_desc *desc,
+ }
+ }
+
+- bsize = min(walk->walk_blocksize, n);
+ n = scatterwalk_clamp(&walk->in, n);
+ n = scatterwalk_clamp(&walk->out, n);
+
+diff --git a/crypto/echainiv.c b/crypto/echainiv.c
+index b96a8456..343a74e 100644
+--- a/crypto/echainiv.c
++++ b/crypto/echainiv.c
+@@ -1,8 +1,8 @@
+ /*
+ * echainiv: Encrypted Chain IV Generator
+ *
+- * This generator generates an IV based on a sequence number by xoring it
+- * with a salt and then encrypting it with the same key as used to encrypt
++ * This generator generates an IV based on a sequence number by multiplying
++ * it with a salt and then encrypting it with the same key as used to encrypt
+ * the plain text. This algorithm requires that the block size be equal
+ * to the IV size. It is mainly useful for CBC.
+ *
+@@ -23,81 +23,17 @@
+ #include <linux/err.h>
+ #include <linux/init.h>
+ #include <linux/kernel.h>
+-#include <linux/mm.h>
+ #include <linux/module.h>
+-#include <linux/percpu.h>
+-#include <linux/spinlock.h>
++#include <linux/slab.h>
+ #include <linux/string.h>
+
+-#define MAX_IV_SIZE 16
+-
+-static DEFINE_PER_CPU(u32 [MAX_IV_SIZE / sizeof(u32)], echainiv_iv);
+-
+-/* We don't care if we get preempted and read/write IVs from the next CPU. */
+-static void echainiv_read_iv(u8 *dst, unsigned size)
+-{
+- u32 *a = (u32 *)dst;
+- u32 __percpu *b = echainiv_iv;
+-
+- for (; size >= 4; size -= 4) {
+- *a++ = this_cpu_read(*b);
+- b++;
+- }
+-}
+-
+-static void echainiv_write_iv(const u8 *src, unsigned size)
+-{
+- const u32 *a = (const u32 *)src;
+- u32 __percpu *b = echainiv_iv;
+-
+- for (; size >= 4; size -= 4) {
+- this_cpu_write(*b, *a);
+- a++;
+- b++;
+- }
+-}
+-
+-static void echainiv_encrypt_complete2(struct aead_request *req, int err)
+-{
+- struct aead_request *subreq = aead_request_ctx(req);
+- struct crypto_aead *geniv;
+- unsigned int ivsize;
+-
+- if (err == -EINPROGRESS)
+- return;
+-
+- if (err)
+- goto out;
+-
+- geniv = crypto_aead_reqtfm(req);
+- ivsize = crypto_aead_ivsize(geniv);
+-
+- echainiv_write_iv(subreq->iv, ivsize);
+-
+- if (req->iv != subreq->iv)
+- memcpy(req->iv, subreq->iv, ivsize);
+-
+-out:
+- if (req->iv != subreq->iv)
+- kzfree(subreq->iv);
+-}
+-
+-static void echainiv_encrypt_complete(struct crypto_async_request *base,
+- int err)
+-{
+- struct aead_request *req = base->data;
+-
+- echainiv_encrypt_complete2(req, err);
+- aead_request_complete(req, err);
+-}
+-
+ static int echainiv_encrypt(struct aead_request *req)
+ {
+ struct crypto_aead *geniv = crypto_aead_reqtfm(req);
+ struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv);
+ struct aead_request *subreq = aead_request_ctx(req);
+- crypto_completion_t compl;
+- void *data;
++ __be64 nseqno;
++ u64 seqno;
+ u8 *info;
+ unsigned int ivsize = crypto_aead_ivsize(geniv);
+ int err;
+@@ -107,8 +43,6 @@ static int echainiv_encrypt(struct aead_request *req)
+
+ aead_request_set_tfm(subreq, ctx->child);
+
+- compl = echainiv_encrypt_complete;
+- data = req;
+ info = req->iv;
+
+ if (req->src != req->dst) {
+@@ -123,29 +57,30 @@ static int echainiv_encrypt(struct aead_request *req)
+ return err;
+ }
+
+- if (unlikely(!IS_ALIGNED((unsigned long)info,
+- crypto_aead_alignmask(geniv) + 1))) {
+- info = kmalloc(ivsize, req->base.flags &
+- CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL:
+- GFP_ATOMIC);
+- if (!info)
+- return -ENOMEM;
+-
+- memcpy(info, req->iv, ivsize);
+- }
+-
+- aead_request_set_callback(subreq, req->base.flags, compl, data);
++ aead_request_set_callback(subreq, req->base.flags,
++ req->base.complete, req->base.data);
+ aead_request_set_crypt(subreq, req->dst, req->dst,
+ req->cryptlen, info);
+ aead_request_set_ad(subreq, req->assoclen);
+
+- crypto_xor(info, ctx->salt, ivsize);
++ memcpy(&nseqno, info + ivsize - 8, 8);
++ seqno = be64_to_cpu(nseqno);
++ memset(info, 0, ivsize);
++
+ scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1);
+- echainiv_read_iv(info, ivsize);
+
+- err = crypto_aead_encrypt(subreq);
+- echainiv_encrypt_complete2(req, err);
+- return err;
++ do {
++ u64 a;
++
++ memcpy(&a, ctx->salt + ivsize - 8, 8);
++
++ a |= 1;
++ a *= seqno;
++
++ memcpy(info + ivsize - 8, &a, 8);
++ } while ((ivsize -= 8));
++
++ return crypto_aead_encrypt(subreq);
+ }
+
+ static int echainiv_decrypt(struct aead_request *req)
+@@ -192,8 +127,7 @@ static int echainiv_aead_create(struct crypto_template *tmpl,
+ alg = crypto_spawn_aead_alg(spawn);
+
+ err = -EINVAL;
+- if (inst->alg.ivsize & (sizeof(u32) - 1) ||
+- inst->alg.ivsize > MAX_IV_SIZE)
++ if (inst->alg.ivsize & (sizeof(u64) - 1) || !inst->alg.ivsize)
+ goto free_inst;
+
+ inst->alg.encrypt = echainiv_encrypt;
+@@ -202,7 +136,6 @@ static int echainiv_aead_create(struct crypto_template *tmpl,
+ inst->alg.init = aead_init_geniv;
+ inst->alg.exit = aead_exit_geniv;
+
+- inst->alg.base.cra_alignmask |= __alignof__(u32) - 1;
+ inst->alg.base.cra_ctxsize = sizeof(struct aead_geniv_ctx);
+ inst->alg.base.cra_ctxsize += inst->alg.ivsize;
+
+diff --git a/drivers/gpu/drm/qxl/qxl_draw.c b/drivers/gpu/drm/qxl/qxl_draw.c
+index 56e1d63..6e6c760 100644
+--- a/drivers/gpu/drm/qxl/qxl_draw.c
++++ b/drivers/gpu/drm/qxl/qxl_draw.c
+@@ -136,6 +136,8 @@ static int qxl_palette_create_1bit(struct qxl_bo *palette_bo,
+ * correctly globaly, since that would require
+ * tracking all of our palettes. */
+ ret = qxl_bo_kmap(palette_bo, (void **)&pal);
++ if (ret)
++ return ret;
+ pal->num_ents = 2;
+ pal->unique = unique++;
+ if (visual == FB_VISUAL_TRUECOLOR || visual == FB_VISUAL_DIRECTCOLOR) {
+diff --git a/drivers/i2c/busses/i2c-eg20t.c b/drivers/i2c/busses/i2c-eg20t.c
+index 137125b..5ce71ce 100644
+--- a/drivers/i2c/busses/i2c-eg20t.c
++++ b/drivers/i2c/busses/i2c-eg20t.c
+@@ -773,13 +773,6 @@ static int pch_i2c_probe(struct pci_dev *pdev,
+ /* Set the number of I2C channel instance */
+ adap_info->ch_num = id->driver_data;
+
+- ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
+- KBUILD_MODNAME, adap_info);
+- if (ret) {
+- pch_pci_err(pdev, "request_irq FAILED\n");
+- goto err_request_irq;
+- }
+-
+ for (i = 0; i < adap_info->ch_num; i++) {
+ pch_adap = &adap_info->pch_data[i].pch_adapter;
+ adap_info->pch_i2c_suspended = false;
+@@ -797,6 +790,17 @@ static int pch_i2c_probe(struct pci_dev *pdev,
+
+ pch_adap->dev.of_node = pdev->dev.of_node;
+ pch_adap->dev.parent = &pdev->dev;
++ }
++
++ ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
++ KBUILD_MODNAME, adap_info);
++ if (ret) {
++ pch_pci_err(pdev, "request_irq FAILED\n");
++ goto err_request_irq;
++ }
++
++ for (i = 0; i < adap_info->ch_num; i++) {
++ pch_adap = &adap_info->pch_data[i].pch_adapter;
+
+ pch_i2c_init(&adap_info->pch_data[i]);
+
+diff --git a/drivers/i2c/busses/i2c-qup.c b/drivers/i2c/busses/i2c-qup.c
+index 041050e..57256bb 100644
+--- a/drivers/i2c/busses/i2c-qup.c
++++ b/drivers/i2c/busses/i2c-qup.c
+@@ -1610,7 +1610,8 @@ static int qup_i2c_pm_resume_runtime(struct device *device)
+ #ifdef CONFIG_PM_SLEEP
+ static int qup_i2c_suspend(struct device *device)
+ {
+- qup_i2c_pm_suspend_runtime(device);
++ if (!pm_runtime_suspended(device))
++ return qup_i2c_pm_suspend_runtime(device);
+ return 0;
+ }
+
+diff --git a/drivers/i2c/muxes/i2c-mux-pca954x.c b/drivers/i2c/muxes/i2c-mux-pca954x.c
+index 528e755..3278ebf 100644
+--- a/drivers/i2c/muxes/i2c-mux-pca954x.c
++++ b/drivers/i2c/muxes/i2c-mux-pca954x.c
+@@ -164,7 +164,7 @@ static int pca954x_select_chan(struct i2c_mux_core *muxc, u32 chan)
+ /* Only select the channel if its different from the last channel */
+ if (data->last_chan != regval) {
+ ret = pca954x_reg_write(muxc->parent, client, regval);
+- data->last_chan = regval;
++ data->last_chan = ret ? 0 : regval;
+ }
+
+ return ret;
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index a3a6721..be00c4b 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -3011,9 +3011,9 @@ static int fw4_ack(struct c4iw_dev *dev, struct sk_buff *skb)
+ PDBG("%s last streaming msg ack ep %p tid %u state %u "
+ "initiator %u freeing skb\n", __func__, ep, ep->hwtid,
+ state_read(&ep->com), ep->mpa_attr.initiator ? 1 : 0);
++ mutex_lock(&ep->com.mutex);
+ kfree_skb(ep->mpa_skb);
+ ep->mpa_skb = NULL;
+- mutex_lock(&ep->com.mutex);
+ if (test_bit(STOP_MPA_TIMER, &ep->com.flags))
+ stop_ep_timer(ep);
+ mutex_unlock(&ep->com.mutex);
+@@ -3582,6 +3582,16 @@ int c4iw_ep_disconnect(struct c4iw_ep *ep, int abrupt, gfp_t gfp)
+ ep->com.state = ABORTING;
+ else {
+ ep->com.state = CLOSING;
++
++ /*
++ * if we close before we see the fw4_ack() then we fix
++ * up the timer state since we're reusing it.
++ */
++ if (ep->mpa_skb &&
++ test_bit(STOP_MPA_TIMER, &ep->com.flags)) {
++ clear_bit(STOP_MPA_TIMER, &ep->com.flags);
++ stop_ep_timer(ep);
++ }
+ start_ep_timer(ep);
+ }
+ set_bit(CLOSE_SENT, &ep->com.flags);
+diff --git a/drivers/irqchip/irq-mips-gic.c b/drivers/irqchip/irq-mips-gic.c
+index d3ef0fc..6acf69e 100644
+--- a/drivers/irqchip/irq-mips-gic.c
++++ b/drivers/irqchip/irq-mips-gic.c
+@@ -638,27 +638,6 @@ static int gic_local_irq_domain_map(struct irq_domain *d, unsigned int virq,
+ if (!gic_local_irq_is_routable(intr))
+ return -EPERM;
+
+- /*
+- * HACK: These are all really percpu interrupts, but the rest
+- * of the MIPS kernel code does not use the percpu IRQ API for
+- * the CP0 timer and performance counter interrupts.
+- */
+- switch (intr) {
+- case GIC_LOCAL_INT_TIMER:
+- case GIC_LOCAL_INT_PERFCTR:
+- case GIC_LOCAL_INT_FDC:
+- irq_set_chip_and_handler(virq,
+- &gic_all_vpes_local_irq_controller,
+- handle_percpu_irq);
+- break;
+- default:
+- irq_set_chip_and_handler(virq,
+- &gic_local_irq_controller,
+- handle_percpu_devid_irq);
+- irq_set_percpu_devid(virq);
+- break;
+- }
+-
+ spin_lock_irqsave(&gic_lock, flags);
+ for (i = 0; i < gic_vpes; i++) {
+ u32 val = GIC_MAP_TO_PIN_MSK | gic_cpu_pin;
+@@ -724,16 +703,42 @@ static int gic_shared_irq_domain_map(struct irq_domain *d, unsigned int virq,
+ return 0;
+ }
+
+-static int gic_irq_domain_map(struct irq_domain *d, unsigned int virq,
+- irq_hw_number_t hw)
++static int gic_setup_dev_chip(struct irq_domain *d, unsigned int virq,
++ unsigned int hwirq)
+ {
+- if (GIC_HWIRQ_TO_LOCAL(hw) < GIC_NUM_LOCAL_INTRS)
+- return gic_local_irq_domain_map(d, virq, hw);
++ struct irq_chip *chip;
++ int err;
++
++ if (hwirq >= GIC_SHARED_HWIRQ_BASE) {
++ err = irq_domain_set_hwirq_and_chip(d, virq, hwirq,
++ &gic_level_irq_controller,
++ NULL);
++ } else {
++ switch (GIC_HWIRQ_TO_LOCAL(hwirq)) {
++ case GIC_LOCAL_INT_TIMER:
++ case GIC_LOCAL_INT_PERFCTR:
++ case GIC_LOCAL_INT_FDC:
++ /*
++ * HACK: These are all really percpu interrupts, but
++ * the rest of the MIPS kernel code does not use the
++ * percpu IRQ API for them.
++ */
++ chip = &gic_all_vpes_local_irq_controller;
++ irq_set_handler(virq, handle_percpu_irq);
++ break;
++
++ default:
++ chip = &gic_local_irq_controller;
++ irq_set_handler(virq, handle_percpu_devid_irq);
++ irq_set_percpu_devid(virq);
++ break;
++ }
+
+- irq_set_chip_and_handler(virq, &gic_level_irq_controller,
+- handle_level_irq);
++ err = irq_domain_set_hwirq_and_chip(d, virq, hwirq,
++ chip, NULL);
++ }
+
+- return gic_shared_irq_domain_map(d, virq, hw, 0);
++ return err;
+ }
+
+ static int gic_irq_domain_alloc(struct irq_domain *d, unsigned int virq,
+@@ -744,15 +749,12 @@ static int gic_irq_domain_alloc(struct irq_domain *d, unsigned int virq,
+ int cpu, ret, i;
+
+ if (spec->type == GIC_DEVICE) {
+- /* verify that it doesn't conflict with an IPI irq */
+- if (test_bit(spec->hwirq, ipi_resrv))
++ /* verify that shared irqs don't conflict with an IPI irq */
++ if ((spec->hwirq >= GIC_SHARED_HWIRQ_BASE) &&
++ test_bit(GIC_HWIRQ_TO_SHARED(spec->hwirq), ipi_resrv))
+ return -EBUSY;
+
+- hwirq = GIC_SHARED_TO_HWIRQ(spec->hwirq);
+-
+- return irq_domain_set_hwirq_and_chip(d, virq, hwirq,
+- &gic_level_irq_controller,
+- NULL);
++ return gic_setup_dev_chip(d, virq, spec->hwirq);
+ } else {
+ base_hwirq = find_first_bit(ipi_resrv, gic_shared_intrs);
+ if (base_hwirq == gic_shared_intrs) {
+@@ -821,7 +823,6 @@ int gic_irq_domain_match(struct irq_domain *d, struct device_node *node,
+ }
+
+ static const struct irq_domain_ops gic_irq_domain_ops = {
+- .map = gic_irq_domain_map,
+ .alloc = gic_irq_domain_alloc,
+ .free = gic_irq_domain_free,
+ .match = gic_irq_domain_match,
+@@ -852,29 +853,20 @@ static int gic_dev_domain_alloc(struct irq_domain *d, unsigned int virq,
+ struct irq_fwspec *fwspec = arg;
+ struct gic_irq_spec spec = {
+ .type = GIC_DEVICE,
+- .hwirq = fwspec->param[1],
+ };
+ int i, ret;
+- bool is_shared = fwspec->param[0] == GIC_SHARED;
+
+- if (is_shared) {
+- ret = irq_domain_alloc_irqs_parent(d, virq, nr_irqs, &spec);
+- if (ret)
+- return ret;
+- }
+-
+- for (i = 0; i < nr_irqs; i++) {
+- irq_hw_number_t hwirq;
++ if (fwspec->param[0] == GIC_SHARED)
++ spec.hwirq = GIC_SHARED_TO_HWIRQ(fwspec->param[1]);
++ else
++ spec.hwirq = GIC_LOCAL_TO_HWIRQ(fwspec->param[1]);
+
+- if (is_shared)
+- hwirq = GIC_SHARED_TO_HWIRQ(spec.hwirq + i);
+- else
+- hwirq = GIC_LOCAL_TO_HWIRQ(spec.hwirq + i);
++ ret = irq_domain_alloc_irqs_parent(d, virq, nr_irqs, &spec);
++ if (ret)
++ return ret;
+
+- ret = irq_domain_set_hwirq_and_chip(d, virq + i,
+- hwirq,
+- &gic_level_irq_controller,
+- NULL);
++ for (i = 0; i < nr_irqs; i++) {
++ ret = gic_setup_dev_chip(d, virq + i, spec.hwirq + i);
+ if (ret)
+ goto error;
+ }
+@@ -896,7 +888,10 @@ void gic_dev_domain_free(struct irq_domain *d, unsigned int virq,
+ static void gic_dev_domain_activate(struct irq_domain *domain,
+ struct irq_data *d)
+ {
+- gic_shared_irq_domain_map(domain, d->irq, d->hwirq, 0);
++ if (GIC_HWIRQ_TO_LOCAL(d->hwirq) < GIC_NUM_LOCAL_INTRS)
++ gic_local_irq_domain_map(domain, d->irq, d->hwirq);
++ else
++ gic_shared_irq_domain_map(domain, d->irq, d->hwirq, 0);
+ }
+
+ static struct irq_domain_ops gic_dev_domain_ops = {
+diff --git a/drivers/mtd/maps/pmcmsp-flash.c b/drivers/mtd/maps/pmcmsp-flash.c
+index 744ca5c..f9fa3fa 100644
+--- a/drivers/mtd/maps/pmcmsp-flash.c
++++ b/drivers/mtd/maps/pmcmsp-flash.c
+@@ -75,15 +75,15 @@ static int __init init_msp_flash(void)
+
+ printk(KERN_NOTICE "Found %d PMC flash devices\n", fcnt);
+
+- msp_flash = kmalloc(fcnt * sizeof(struct map_info *), GFP_KERNEL);
++ msp_flash = kcalloc(fcnt, sizeof(*msp_flash), GFP_KERNEL);
+ if (!msp_flash)
+ return -ENOMEM;
+
+- msp_parts = kmalloc(fcnt * sizeof(struct mtd_partition *), GFP_KERNEL);
++ msp_parts = kcalloc(fcnt, sizeof(*msp_parts), GFP_KERNEL);
+ if (!msp_parts)
+ goto free_msp_flash;
+
+- msp_maps = kcalloc(fcnt, sizeof(struct mtd_info), GFP_KERNEL);
++ msp_maps = kcalloc(fcnt, sizeof(*msp_maps), GFP_KERNEL);
+ if (!msp_maps)
+ goto free_msp_parts;
+
+diff --git a/drivers/mtd/maps/sa1100-flash.c b/drivers/mtd/maps/sa1100-flash.c
+index 142fc3d..784c6e1 100644
+--- a/drivers/mtd/maps/sa1100-flash.c
++++ b/drivers/mtd/maps/sa1100-flash.c
+@@ -230,8 +230,10 @@ static struct sa_info *sa1100_setup_mtd(struct platform_device *pdev,
+
+ info->mtd = mtd_concat_create(cdev, info->num_subdev,
+ plat->name);
+- if (info->mtd == NULL)
++ if (info->mtd == NULL) {
+ ret = -ENXIO;
++ goto err;
++ }
+ }
+ info->mtd->dev.parent = &pdev->dev;
+
+diff --git a/drivers/mtd/nand/mxc_nand.c b/drivers/mtd/nand/mxc_nand.c
+index 5173fad..57cbe2b 100644
+--- a/drivers/mtd/nand/mxc_nand.c
++++ b/drivers/mtd/nand/mxc_nand.c
+@@ -943,7 +943,7 @@ static int mxc_v2_ooblayout_free(struct mtd_info *mtd, int section,
+ struct nand_chip *nand_chip = mtd_to_nand(mtd);
+ int stepsize = nand_chip->ecc.bytes == 9 ? 16 : 26;
+
+- if (section > nand_chip->ecc.steps)
++ if (section >= nand_chip->ecc.steps)
+ return -ERANGE;
+
+ if (!section) {
+diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c
+index c52e455..a6adb27 100644
+--- a/drivers/mtd/spi-nor/spi-nor.c
++++ b/drivers/mtd/spi-nor/spi-nor.c
+@@ -661,7 +661,7 @@ static int stm_unlock(struct spi_nor *nor, loff_t ofs, uint64_t len)
+ status_new = (status_old & ~mask & ~SR_TB) | val;
+
+ /* Don't protect status register if we're fully unlocked */
+- if (lock_len == mtd->size)
++ if (lock_len == 0)
+ status_new &= ~SR_SRWD;
+
+ if (!use_top)
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index 41c0fc9..16f7cad 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1268,11 +1268,10 @@ static int __maybe_unused flexcan_suspend(struct device *device)
+ struct flexcan_priv *priv = netdev_priv(dev);
+ int err;
+
+- err = flexcan_chip_disable(priv);
+- if (err)
+- return err;
+-
+ if (netif_running(dev)) {
++ err = flexcan_chip_disable(priv);
++ if (err)
++ return err;
+ netif_stop_queue(dev);
+ netif_device_detach(dev);
+ }
+@@ -1285,13 +1284,17 @@ static int __maybe_unused flexcan_resume(struct device *device)
+ {
+ struct net_device *dev = dev_get_drvdata(device);
+ struct flexcan_priv *priv = netdev_priv(dev);
++ int err;
+
+ priv->can.state = CAN_STATE_ERROR_ACTIVE;
+ if (netif_running(dev)) {
+ netif_device_attach(dev);
+ netif_start_queue(dev);
++ err = flexcan_chip_enable(priv);
++ if (err)
++ return err;
+ }
+- return flexcan_chip_enable(priv);
++ return 0;
+ }
+
+ static SIMPLE_DEV_PM_OPS(flexcan_pm_ops, flexcan_suspend, flexcan_resume);
+diff --git a/drivers/net/can/ifi_canfd/ifi_canfd.c b/drivers/net/can/ifi_canfd/ifi_canfd.c
+index 2d1d22e..368bb07 100644
+--- a/drivers/net/can/ifi_canfd/ifi_canfd.c
++++ b/drivers/net/can/ifi_canfd/ifi_canfd.c
+@@ -81,6 +81,10 @@
+ #define IFI_CANFD_TIME_SET_TIMEA_4_12_6_6 BIT(15)
+
+ #define IFI_CANFD_TDELAY 0x1c
++#define IFI_CANFD_TDELAY_DEFAULT 0xb
++#define IFI_CANFD_TDELAY_MASK 0x3fff
++#define IFI_CANFD_TDELAY_ABS BIT(14)
++#define IFI_CANFD_TDELAY_EN BIT(15)
+
+ #define IFI_CANFD_ERROR 0x20
+ #define IFI_CANFD_ERROR_TX_OFFSET 0
+@@ -641,7 +645,7 @@ static void ifi_canfd_set_bittiming(struct net_device *ndev)
+ struct ifi_canfd_priv *priv = netdev_priv(ndev);
+ const struct can_bittiming *bt = &priv->can.bittiming;
+ const struct can_bittiming *dbt = &priv->can.data_bittiming;
+- u16 brp, sjw, tseg1, tseg2;
++ u16 brp, sjw, tseg1, tseg2, tdc;
+
+ /* Configure bit timing */
+ brp = bt->brp - 2;
+@@ -664,6 +668,11 @@ static void ifi_canfd_set_bittiming(struct net_device *ndev)
+ (brp << IFI_CANFD_TIME_PRESCALE_OFF) |
+ (sjw << IFI_CANFD_TIME_SJW_OFF_7_9_8_8),
+ priv->base + IFI_CANFD_FTIME);
++
++ /* Configure transmitter delay */
++ tdc = (dbt->brp * (dbt->phase_seg1 + 1)) & IFI_CANFD_TDELAY_MASK;
++ writel(IFI_CANFD_TDELAY_EN | IFI_CANFD_TDELAY_ABS | tdc,
++ priv->base + IFI_CANFD_TDELAY);
+ }
+
+ static void ifi_canfd_set_filter(struct net_device *ndev, const u32 id,
+diff --git a/drivers/net/ethernet/intel/igb/igb_ptp.c b/drivers/net/ethernet/intel/igb/igb_ptp.c
+index f097c5a..3c7bcdf 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ptp.c
++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c
+@@ -743,7 +743,8 @@ static void igb_ptp_tx_hwtstamp(struct igb_adapter *adapter)
+ }
+ }
+
+- shhwtstamps.hwtstamp = ktime_sub_ns(shhwtstamps.hwtstamp, adjust);
++ shhwtstamps.hwtstamp =
++ ktime_add_ns(shhwtstamps.hwtstamp, adjust);
+
+ skb_tstamp_tx(adapter->ptp_tx_skb, &shhwtstamps);
+ dev_kfree_skb_any(adapter->ptp_tx_skb);
+@@ -766,13 +767,32 @@ void igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector,
+ struct sk_buff *skb)
+ {
+ __le64 *regval = (__le64 *)va;
++ struct igb_adapter *adapter = q_vector->adapter;
++ int adjust = 0;
+
+ /* The timestamp is recorded in little endian format.
+ * DWORD: 0 1 2 3
+ * Field: Reserved Reserved SYSTIML SYSTIMH
+ */
+- igb_ptp_systim_to_hwtstamp(q_vector->adapter, skb_hwtstamps(skb),
++ igb_ptp_systim_to_hwtstamp(adapter, skb_hwtstamps(skb),
+ le64_to_cpu(regval[1]));
++
++ /* adjust timestamp for the RX latency based on link speed */
++ if (adapter->hw.mac.type == e1000_i210) {
++ switch (adapter->link_speed) {
++ case SPEED_10:
++ adjust = IGB_I210_RX_LATENCY_10;
++ break;
++ case SPEED_100:
++ adjust = IGB_I210_RX_LATENCY_100;
++ break;
++ case SPEED_1000:
++ adjust = IGB_I210_RX_LATENCY_1000;
++ break;
++ }
++ }
++ skb_hwtstamps(skb)->hwtstamp =
++ ktime_sub_ns(skb_hwtstamps(skb)->hwtstamp, adjust);
+ }
+
+ /**
+@@ -824,7 +844,7 @@ void igb_ptp_rx_rgtstamp(struct igb_q_vector *q_vector,
+ }
+ }
+ skb_hwtstamps(skb)->hwtstamp =
+- ktime_add_ns(skb_hwtstamps(skb)->hwtstamp, adjust);
++ ktime_sub_ns(skb_hwtstamps(skb)->hwtstamp, adjust);
+
+ /* Update the last_rx_timestamp timer in order to enable watchdog check
+ * for error case of latched timestamp on a dropped packet.
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 8bebd86..58153e8 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -4100,6 +4100,8 @@ static void ixgbe_vlan_promisc_enable(struct ixgbe_adapter *adapter)
+ struct ixgbe_hw *hw = &adapter->hw;
+ u32 vlnctrl, i;
+
++ vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL);
++
+ switch (hw->mac.type) {
+ case ixgbe_mac_82599EB:
+ case ixgbe_mac_X540:
+@@ -4112,8 +4114,7 @@ static void ixgbe_vlan_promisc_enable(struct ixgbe_adapter *adapter)
+ /* fall through */
+ case ixgbe_mac_82598EB:
+ /* legacy case, we can just disable VLAN filtering */
+- vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL);
+- vlnctrl &= ~(IXGBE_VLNCTRL_VFE | IXGBE_VLNCTRL_CFIEN);
++ vlnctrl &= ~IXGBE_VLNCTRL_VFE;
+ IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl);
+ return;
+ }
+@@ -4125,6 +4126,10 @@ static void ixgbe_vlan_promisc_enable(struct ixgbe_adapter *adapter)
+ /* Set flag so we don't redo unnecessary work */
+ adapter->flags2 |= IXGBE_FLAG2_VLAN_PROMISC;
+
++ /* For VMDq and SR-IOV we must leave VLAN filtering enabled */
++ vlnctrl |= IXGBE_VLNCTRL_VFE;
++ IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl);
++
+ /* Add PF to all active pools */
+ for (i = IXGBE_VLVF_ENTRIES; --i;) {
+ u32 reg_offset = IXGBE_VLVFB(i * 2 + VMDQ_P(0) / 32);
+@@ -4191,6 +4196,11 @@ static void ixgbe_vlan_promisc_disable(struct ixgbe_adapter *adapter)
+ struct ixgbe_hw *hw = &adapter->hw;
+ u32 vlnctrl, i;
+
++ /* Set VLAN filtering to enabled */
++ vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL);
++ vlnctrl |= IXGBE_VLNCTRL_VFE;
++ IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl);
++
+ switch (hw->mac.type) {
+ case ixgbe_mac_82599EB:
+ case ixgbe_mac_X540:
+@@ -4202,10 +4212,6 @@ static void ixgbe_vlan_promisc_disable(struct ixgbe_adapter *adapter)
+ break;
+ /* fall through */
+ case ixgbe_mac_82598EB:
+- vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL);
+- vlnctrl &= ~IXGBE_VLNCTRL_CFIEN;
+- vlnctrl |= IXGBE_VLNCTRL_VFE;
+- IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl);
+ return;
+ }
+
+@@ -9496,6 +9502,7 @@ skip_sriov:
+
+ /* copy netdev features into list of user selectable features */
+ netdev->hw_features |= netdev->features |
++ NETIF_F_HW_VLAN_CTAG_FILTER |
+ NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_CTAG_TX |
+ NETIF_F_RXALL |
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+index 779bafc..b92b75f 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -501,6 +501,15 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb)
+ int hdrlen = ieee80211_hdrlen(hdr->frame_control);
+ int queue;
+
++ /* IWL_MVM_OFFCHANNEL_QUEUE is used for ROC packets that can be used
++ * in 2 different types of vifs, P2P & STATION. P2P uses the offchannel
++ * queue. STATION (HS2.0) uses the auxiliary context of the FW,
++ * and hence needs to be sent on the aux queue
++ */
++ if (IEEE80211_SKB_CB(skb)->hw_queue == IWL_MVM_OFFCHANNEL_QUEUE &&
++ skb_info->control.vif->type == NL80211_IFTYPE_STATION)
++ IEEE80211_SKB_CB(skb)->hw_queue = mvm->aux_queue;
++
+ memcpy(&info, skb->cb, sizeof(info));
+
+ if (WARN_ON_ONCE(info.flags & IEEE80211_TX_CTL_AMPDU))
+@@ -514,16 +523,6 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb)
+ /* This holds the amsdu headers length */
+ skb_info->driver_data[0] = (void *)(uintptr_t)0;
+
+- /*
+- * IWL_MVM_OFFCHANNEL_QUEUE is used for ROC packets that can be used
+- * in 2 different types of vifs, P2P & STATION. P2P uses the offchannel
+- * queue. STATION (HS2.0) uses the auxiliary context of the FW,
+- * and hence needs to be sent on the aux queue
+- */
+- if (IEEE80211_SKB_CB(skb)->hw_queue == IWL_MVM_OFFCHANNEL_QUEUE &&
+- info.control.vif->type == NL80211_IFTYPE_STATION)
+- IEEE80211_SKB_CB(skb)->hw_queue = mvm->aux_queue;
+-
+ queue = info.hw_queue;
+
+ /*
+diff --git a/drivers/power/max17042_battery.c b/drivers/power/max17042_battery.c
+index 9c65f13..da7a75f 100644
+--- a/drivers/power/max17042_battery.c
++++ b/drivers/power/max17042_battery.c
+@@ -457,13 +457,16 @@ static inline void max17042_write_model_data(struct max17042_chip *chip,
+ }
+
+ static inline void max17042_read_model_data(struct max17042_chip *chip,
+- u8 addr, u32 *data, int size)
++ u8 addr, u16 *data, int size)
+ {
+ struct regmap *map = chip->regmap;
+ int i;
++ u32 tmp;
+
+- for (i = 0; i < size; i++)
+- regmap_read(map, addr + i, &data[i]);
++ for (i = 0; i < size; i++) {
++ regmap_read(map, addr + i, &tmp);
++ data[i] = (u16)tmp;
++ }
+ }
+
+ static inline int max17042_model_data_compare(struct max17042_chip *chip,
+@@ -486,7 +489,7 @@ static int max17042_init_model(struct max17042_chip *chip)
+ {
+ int ret;
+ int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl);
+- u32 *temp_data;
++ u16 *temp_data;
+
+ temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL);
+ if (!temp_data)
+@@ -501,7 +504,7 @@ static int max17042_init_model(struct max17042_chip *chip)
+ ret = max17042_model_data_compare(
+ chip,
+ chip->pdata->config_data->cell_char_tbl,
+- (u16 *)temp_data,
++ temp_data,
+ table_size);
+
+ max10742_lock_model(chip);
+@@ -514,7 +517,7 @@ static int max17042_verify_model_lock(struct max17042_chip *chip)
+ {
+ int i;
+ int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl);
+- u32 *temp_data;
++ u16 *temp_data;
+ int ret = 0;
+
+ temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL);
+diff --git a/drivers/power/reset/hisi-reboot.c b/drivers/power/reset/hisi-reboot.c
+index 9ab7f56..f69387e 100644
+--- a/drivers/power/reset/hisi-reboot.c
++++ b/drivers/power/reset/hisi-reboot.c
+@@ -53,13 +53,16 @@ static int hisi_reboot_probe(struct platform_device *pdev)
+
+ if (of_property_read_u32(np, "reboot-offset", &reboot_offset) < 0) {
+ pr_err("failed to find reboot-offset property\n");
++ iounmap(base);
+ return -EINVAL;
+ }
+
+ err = register_restart_handler(&hisi_restart_nb);
+- if (err)
++ if (err) {
+ dev_err(&pdev->dev, "cannot register restart handler (err=%d)\n",
+ err);
++ iounmap(base);
++ }
+
+ return err;
+ }
+diff --git a/drivers/power/tps65217_charger.c b/drivers/power/tps65217_charger.c
+index 73dfae4..4c56e54 100644
+--- a/drivers/power/tps65217_charger.c
++++ b/drivers/power/tps65217_charger.c
+@@ -206,6 +206,7 @@ static int tps65217_charger_probe(struct platform_device *pdev)
+ if (!charger)
+ return -ENOMEM;
+
++ platform_set_drvdata(pdev, charger);
+ charger->tps = tps;
+ charger->dev = &pdev->dev;
+
+diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
+index 821d9c0..f25f7dc 100644
+--- a/drivers/rtc/rtc-ds1307.c
++++ b/drivers/rtc/rtc-ds1307.c
+@@ -602,6 +602,8 @@ static const struct rtc_class_ops ds13xx_rtc_ops = {
+ * Alarm support for mcp794xx devices.
+ */
+
++#define MCP794XX_REG_WEEKDAY 0x3
++#define MCP794XX_REG_WEEKDAY_WDAY_MASK 0x7
+ #define MCP794XX_REG_CONTROL 0x07
+ # define MCP794XX_BIT_ALM0_EN 0x10
+ # define MCP794XX_BIT_ALM1_EN 0x20
+@@ -1231,13 +1233,16 @@ static int ds1307_probe(struct i2c_client *client,
+ {
+ struct ds1307 *ds1307;
+ int err = -ENODEV;
+- int tmp;
++ int tmp, wday;
+ struct chip_desc *chip = &chips[id->driver_data];
+ struct i2c_adapter *adapter = to_i2c_adapter(client->dev.parent);
+ bool want_irq = false;
+ bool ds1307_can_wakeup_device = false;
+ unsigned char *buf;
+ struct ds1307_platform_data *pdata = dev_get_platdata(&client->dev);
++ struct rtc_time tm;
++ unsigned long timestamp;
++
+ irq_handler_t irq_handler = ds1307_irq;
+
+ static const int bbsqi_bitpos[] = {
+@@ -1526,6 +1531,27 @@ read_rtc:
+ bin2bcd(tmp));
+ }
+
++ /*
++ * Some IPs have weekday reset value = 0x1 which might not correct
++ * hence compute the wday using the current date/month/year values
++ */
++ ds1307_get_time(&client->dev, &tm);
++ wday = tm.tm_wday;
++ timestamp = rtc_tm_to_time64(&tm);
++ rtc_time64_to_tm(timestamp, &tm);
++
++ /*
++ * Check if reset wday is different from the computed wday
++ * If different then set the wday which we computed using
++ * timestamp
++ */
++ if (wday != tm.tm_wday) {
++ wday = i2c_smbus_read_byte_data(client, MCP794XX_REG_WEEKDAY);
++ wday = wday & ~MCP794XX_REG_WEEKDAY_WDAY_MASK;
++ wday = wday | (tm.tm_wday + 1);
++ i2c_smbus_write_byte_data(client, MCP794XX_REG_WEEKDAY, wday);
++ }
++
+ if (want_irq) {
+ device_set_wakeup_capable(&client->dev, true);
+ set_bit(HAS_ALARM, &ds1307->flags);
+diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c
+index bb17345..5031c89 100644
+--- a/drivers/soc/tegra/pmc.c
++++ b/drivers/soc/tegra/pmc.c
+@@ -1205,6 +1205,14 @@ static int tegra_pmc_probe(struct platform_device *pdev)
+ struct resource *res;
+ int err;
+
++ /*
++ * Early initialisation should have configured an initial
++ * register mapping and setup the soc data pointer. If these
++ * are not valid then something went badly wrong!
++ */
++ if (WARN_ON(!pmc->base || !pmc->soc))
++ return -ENODEV;
++
+ err = tegra_pmc_parse_dt(pmc, pdev->dev.of_node);
+ if (err < 0)
+ return err;
+diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
+index b493909..d8e6d42 100644
+--- a/fs/autofs4/expire.c
++++ b/fs/autofs4/expire.c
+@@ -417,6 +417,7 @@ static struct dentry *should_expire(struct dentry *dentry,
+ }
+ return NULL;
+ }
++
+ /*
+ * Find an eligible tree to time-out
+ * A tree is eligible if :-
+@@ -432,6 +433,7 @@ struct dentry *autofs4_expire_indirect(struct super_block *sb,
+ struct dentry *root = sb->s_root;
+ struct dentry *dentry;
+ struct dentry *expired;
++ struct dentry *found;
+ struct autofs_info *ino;
+
+ if (!root)
+@@ -442,31 +444,46 @@ struct dentry *autofs4_expire_indirect(struct super_block *sb,
+
+ dentry = NULL;
+ while ((dentry = get_next_positive_subdir(dentry, root))) {
++ int flags = how;
++
+ spin_lock(&sbi->fs_lock);
+ ino = autofs4_dentry_ino(dentry);
+- if (ino->flags & AUTOFS_INF_WANT_EXPIRE)
+- expired = NULL;
+- else
+- expired = should_expire(dentry, mnt, timeout, how);
+- if (!expired) {
++ if (ino->flags & AUTOFS_INF_WANT_EXPIRE) {
+ spin_unlock(&sbi->fs_lock);
+ continue;
+ }
++ spin_unlock(&sbi->fs_lock);
++
++ expired = should_expire(dentry, mnt, timeout, flags);
++ if (!expired)
++ continue;
++
++ spin_lock(&sbi->fs_lock);
+ ino = autofs4_dentry_ino(expired);
+ ino->flags |= AUTOFS_INF_WANT_EXPIRE;
+ spin_unlock(&sbi->fs_lock);
+ synchronize_rcu();
+- spin_lock(&sbi->fs_lock);
+- if (should_expire(expired, mnt, timeout, how)) {
+- if (expired != dentry)
+- dput(dentry);
+- goto found;
+- }
+
++ /* Make sure a reference is not taken on found if
++ * things have changed.
++ */
++ flags &= ~AUTOFS_EXP_LEAVES;
++ found = should_expire(expired, mnt, timeout, how);
++ if (!found || found != expired)
++ /* Something has changed, continue */
++ goto next;
++
++ if (expired != dentry)
++ dput(dentry);
++
++ spin_lock(&sbi->fs_lock);
++ goto found;
++next:
++ spin_lock(&sbi->fs_lock);
+ ino->flags &= ~AUTOFS_INF_WANT_EXPIRE;
++ spin_unlock(&sbi->fs_lock);
+ if (expired != dentry)
+ dput(expired);
+- spin_unlock(&sbi->fs_lock);
+ }
+ return NULL;
+
+@@ -483,6 +500,7 @@ int autofs4_expire_wait(struct dentry *dentry, int rcu_walk)
+ struct autofs_sb_info *sbi = autofs4_sbi(dentry->d_sb);
+ struct autofs_info *ino = autofs4_dentry_ino(dentry);
+ int status;
++ int state;
+
+ /* Block on any pending expire */
+ if (!(ino->flags & AUTOFS_INF_WANT_EXPIRE))
+@@ -490,8 +508,19 @@ int autofs4_expire_wait(struct dentry *dentry, int rcu_walk)
+ if (rcu_walk)
+ return -ECHILD;
+
++retry:
+ spin_lock(&sbi->fs_lock);
+- if (ino->flags & AUTOFS_INF_EXPIRING) {
++ state = ino->flags & (AUTOFS_INF_WANT_EXPIRE | AUTOFS_INF_EXPIRING);
++ if (state == AUTOFS_INF_WANT_EXPIRE) {
++ spin_unlock(&sbi->fs_lock);
++ /*
++ * Possibly being selected for expire, wait until
++ * it's selected or not.
++ */
++ schedule_timeout_uninterruptible(HZ/10);
++ goto retry;
++ }
++ if (state & AUTOFS_INF_EXPIRING) {
+ spin_unlock(&sbi->fs_lock);
+
+ pr_debug("waiting for expire %p name=%pd\n", dentry, dentry);
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 3722a1f..4ffcf0c 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -1634,6 +1634,9 @@ static noinline int btrfs_ioctl_snap_create_transid(struct file *file,
+ int namelen;
+ int ret = 0;
+
++ if (!S_ISDIR(file_inode(file)->i_mode))
++ return -ENOTDIR;
++
+ ret = mnt_want_write_file(file);
+ if (ret)
+ goto out;
+@@ -1691,6 +1694,9 @@ static noinline int btrfs_ioctl_snap_create(struct file *file,
+ struct btrfs_ioctl_vol_args *vol_args;
+ int ret;
+
++ if (!S_ISDIR(file_inode(file)->i_mode))
++ return -ENOTDIR;
++
+ vol_args = memdup_user(arg, sizeof(*vol_args));
+ if (IS_ERR(vol_args))
+ return PTR_ERR(vol_args);
+@@ -1714,6 +1720,9 @@ static noinline int btrfs_ioctl_snap_create_v2(struct file *file,
+ bool readonly = false;
+ struct btrfs_qgroup_inherit *inherit = NULL;
+
++ if (!S_ISDIR(file_inode(file)->i_mode))
++ return -ENOTDIR;
++
+ vol_args = memdup_user(arg, sizeof(*vol_args));
+ if (IS_ERR(vol_args))
+ return PTR_ERR(vol_args);
+@@ -2358,6 +2367,9 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file,
+ int ret;
+ int err = 0;
+
++ if (!S_ISDIR(dir->i_mode))
++ return -ENOTDIR;
++
+ vol_args = memdup_user(arg, sizeof(*vol_args));
+ if (IS_ERR(vol_args))
+ return PTR_ERR(vol_args);
+diff --git a/fs/ceph/file.c b/fs/ceph/file.c
+index 0daaf7c..b1b9b48 100644
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -1448,16 +1448,14 @@ static loff_t ceph_llseek(struct file *file, loff_t offset, int whence)
+ {
+ struct inode *inode = file->f_mapping->host;
+ loff_t i_size;
+- int ret;
++ loff_t ret;
+
+ inode_lock(inode);
+
+ if (whence == SEEK_END || whence == SEEK_DATA || whence == SEEK_HOLE) {
+ ret = ceph_do_getattr(inode, CEPH_STAT_CAP_SIZE, false);
+- if (ret < 0) {
+- offset = ret;
++ if (ret < 0)
+ goto out;
+- }
+ }
+
+ i_size = i_size_read(inode);
+@@ -1473,7 +1471,7 @@ static loff_t ceph_llseek(struct file *file, loff_t offset, int whence)
+ * write() or lseek() might have altered it
+ */
+ if (offset == 0) {
+- offset = file->f_pos;
++ ret = file->f_pos;
+ goto out;
+ }
+ offset += file->f_pos;
+@@ -1493,11 +1491,11 @@ static loff_t ceph_llseek(struct file *file, loff_t offset, int whence)
+ break;
+ }
+
+- offset = vfs_setpos(file, offset, inode->i_sb->s_maxbytes);
++ ret = vfs_setpos(file, offset, inode->i_sb->s_maxbytes);
+
+ out:
+ inode_unlock(inode);
+- return offset;
++ return ret;
+ }
+
+ static inline void ceph_zero_partial_page(
+diff --git a/fs/ceph/ioctl.c b/fs/ceph/ioctl.c
+index be6b165..0946f2d 100644
+--- a/fs/ceph/ioctl.c
++++ b/fs/ceph/ioctl.c
+@@ -183,7 +183,7 @@ static long ceph_ioctl_get_dataloc(struct file *file, void __user *arg)
+ struct ceph_osd_client *osdc =
+ &ceph_sb_to_client(inode->i_sb)->client->osdc;
+ struct ceph_object_locator oloc;
+- struct ceph_object_id oid;
++ CEPH_DEFINE_OID_ONSTACK(oid);
+ u64 len = 1, olen;
+ u64 tmp;
+ struct ceph_pg pgid;
+diff --git a/fs/configfs/file.c b/fs/configfs/file.c
+index bbc1252..2ddfa05 100644
+--- a/fs/configfs/file.c
++++ b/fs/configfs/file.c
+@@ -333,6 +333,7 @@ configfs_write_bin_file(struct file *file, const char __user *buf,
+ if (bin_attr->cb_max_size &&
+ *ppos + count > bin_attr->cb_max_size) {
+ len = -EFBIG;
++ goto out;
+ }
+
+ tbuf = vmalloc(*ppos + count);
+diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c
+index 5c57654..90e46cd 100644
+--- a/fs/hostfs/hostfs_kern.c
++++ b/fs/hostfs/hostfs_kern.c
+@@ -959,10 +959,11 @@ static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent)
+
+ if (S_ISLNK(root_inode->i_mode)) {
+ char *name = follow_link(host_root_path);
+- if (IS_ERR(name))
++ if (IS_ERR(name)) {
+ err = PTR_ERR(name);
+- else
+- err = read_name(root_inode, name);
++ goto out_put;
++ }
++ err = read_name(root_inode, name);
+ kfree(name);
+ if (err)
+ goto out_put;
+diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
+index d2f97ec..e0e5f7c 100644
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -67,18 +67,7 @@ static int fanotify_get_response(struct fsnotify_group *group,
+
+ pr_debug("%s: group=%p event=%p\n", __func__, group, event);
+
+- wait_event(group->fanotify_data.access_waitq, event->response ||
+- atomic_read(&group->fanotify_data.bypass_perm));
+-
+- if (!event->response) { /* bypass_perm set */
+- /*
+- * Event was canceled because group is being destroyed. Remove
+- * it from group's event list because we are responsible for
+- * freeing the permission event.
+- */
+- fsnotify_remove_event(group, &event->fae.fse);
+- return 0;
+- }
++ wait_event(group->fanotify_data.access_waitq, event->response);
+
+ /* userspace responded, convert to something usable */
+ switch (event->response) {
+diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
+index 8e8e6bc..a643138 100644
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -358,16 +358,20 @@ static int fanotify_release(struct inode *ignored, struct file *file)
+
+ #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+ struct fanotify_perm_event_info *event, *next;
++ struct fsnotify_event *fsn_event;
+
+ /*
+- * There may be still new events arriving in the notification queue
+- * but since userspace cannot use fanotify fd anymore, no event can
+- * enter or leave access_list by now.
++ * Stop new events from arriving in the notification queue. since
++ * userspace cannot use fanotify fd anymore, no event can enter or
++ * leave access_list by now either.
+ */
+- spin_lock(&group->fanotify_data.access_lock);
+-
+- atomic_inc(&group->fanotify_data.bypass_perm);
++ fsnotify_group_stop_queueing(group);
+
++ /*
++ * Process all permission events on access_list and notification queue
++ * and simulate reply from userspace.
++ */
++ spin_lock(&group->fanotify_data.access_lock);
+ list_for_each_entry_safe(event, next, &group->fanotify_data.access_list,
+ fae.fse.list) {
+ pr_debug("%s: found group=%p event=%p\n", __func__, group,
+@@ -379,12 +383,21 @@ static int fanotify_release(struct inode *ignored, struct file *file)
+ spin_unlock(&group->fanotify_data.access_lock);
+
+ /*
+- * Since bypass_perm is set, newly queued events will not wait for
+- * access response. Wake up the already sleeping ones now.
+- * synchronize_srcu() in fsnotify_destroy_group() will wait for all
+- * processes sleeping in fanotify_handle_event() waiting for access
+- * response and thus also for all permission events to be freed.
++ * Destroy all non-permission events. For permission events just
++ * dequeue them and set the response. They will be freed once the
++ * response is consumed and fanotify_get_response() returns.
+ */
++ mutex_lock(&group->notification_mutex);
++ while (!fsnotify_notify_queue_is_empty(group)) {
++ fsn_event = fsnotify_remove_first_event(group);
++ if (!(fsn_event->mask & FAN_ALL_PERM_EVENTS))
++ fsnotify_destroy_event(group, fsn_event);
++ else
++ FANOTIFY_PE(fsn_event)->response = FAN_ALLOW;
++ }
++ mutex_unlock(&group->notification_mutex);
++
++ /* Response for all permission events it set, wakeup waiters */
+ wake_up(&group->fanotify_data.access_waitq);
+ #endif
+
+@@ -755,7 +768,6 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
+ spin_lock_init(&group->fanotify_data.access_lock);
+ init_waitqueue_head(&group->fanotify_data.access_waitq);
+ INIT_LIST_HEAD(&group->fanotify_data.access_list);
+- atomic_set(&group->fanotify_data.bypass_perm, 0);
+ #endif
+ switch (flags & FAN_ALL_CLASS_BITS) {
+ case FAN_CLASS_NOTIF:
+diff --git a/fs/notify/group.c b/fs/notify/group.c
+index 3e2dd85..b47f7cf 100644
+--- a/fs/notify/group.c
++++ b/fs/notify/group.c
+@@ -40,6 +40,17 @@ static void fsnotify_final_destroy_group(struct fsnotify_group *group)
+ }
+
+ /*
++ * Stop queueing new events for this group. Once this function returns
++ * fsnotify_add_event() will not add any new events to the group's queue.
++ */
++void fsnotify_group_stop_queueing(struct fsnotify_group *group)
++{
++ mutex_lock(&group->notification_mutex);
++ group->shutdown = true;
++ mutex_unlock(&group->notification_mutex);
++}
++
++/*
+ * Trying to get rid of a group. Remove all marks, flush all events and release
+ * the group reference.
+ * Note that another thread calling fsnotify_clear_marks_by_group() may still
+@@ -47,6 +58,14 @@ static void fsnotify_final_destroy_group(struct fsnotify_group *group)
+ */
+ void fsnotify_destroy_group(struct fsnotify_group *group)
+ {
++ /*
++ * Stop queueing new events. The code below is careful enough to not
++ * require this but fanotify needs to stop queuing events even before
++ * fsnotify_destroy_group() is called and this makes the other callers
++ * of fsnotify_destroy_group() to see the same behavior.
++ */
++ fsnotify_group_stop_queueing(group);
++
+ /* clear all inode marks for this group, attach them to destroy_list */
+ fsnotify_detach_group_marks(group);
+
+diff --git a/fs/notify/notification.c b/fs/notify/notification.c
+index a95d8e0..e455e83 100644
+--- a/fs/notify/notification.c
++++ b/fs/notify/notification.c
+@@ -82,7 +82,8 @@ void fsnotify_destroy_event(struct fsnotify_group *group,
+ * Add an event to the group notification queue. The group can later pull this
+ * event off the queue to deal with. The function returns 0 if the event was
+ * added to the queue, 1 if the event was merged with some other queued event,
+- * 2 if the queue of events has overflown.
++ * 2 if the event was not queued - either the queue of events has overflown
++ * or the group is shutting down.
+ */
+ int fsnotify_add_event(struct fsnotify_group *group,
+ struct fsnotify_event *event,
+@@ -96,6 +97,11 @@ int fsnotify_add_event(struct fsnotify_group *group,
+
+ mutex_lock(&group->notification_mutex);
+
++ if (group->shutdown) {
++ mutex_unlock(&group->notification_mutex);
++ return 2;
++ }
++
+ if (group->q_len >= group->max_events) {
+ ret = 2;
+ /* Queue overflow event only if it isn't already queued */
+@@ -126,21 +132,6 @@ queue:
+ }
+
+ /*
+- * Remove @event from group's notification queue. It is the responsibility of
+- * the caller to destroy the event.
+- */
+-void fsnotify_remove_event(struct fsnotify_group *group,
+- struct fsnotify_event *event)
+-{
+- mutex_lock(&group->notification_mutex);
+- if (!list_empty(&event->list)) {
+- list_del_init(&event->list);
+- group->q_len--;
+- }
+- mutex_unlock(&group->notification_mutex);
+-}
+-
+-/*
+ * Remove and return the first event from the notification list. It is the
+ * responsibility of the caller to destroy the obtained event
+ */
+diff --git a/fs/ocfs2/cluster/tcp_internal.h b/fs/ocfs2/cluster/tcp_internal.h
+index 94b1836..b95e7df 100644
+--- a/fs/ocfs2/cluster/tcp_internal.h
++++ b/fs/ocfs2/cluster/tcp_internal.h
+@@ -44,9 +44,6 @@
+ * version here in tcp_internal.h should not need to be bumped for
+ * filesystem locking changes.
+ *
+- * New in version 12
+- * - Negotiate hb timeout when storage is down.
+- *
+ * New in version 11
+ * - Negotiation of filesystem locking in the dlm join.
+ *
+@@ -78,7 +75,7 @@
+ * - full 64 bit i_size in the metadata lock lvbs
+ * - introduction of "rw" lock and pushing meta/data locking down
+ */
+-#define O2NET_PROTOCOL_VERSION 12ULL
++#define O2NET_PROTOCOL_VERSION 11ULL
+ struct o2net_handshake {
+ __be64 protocol_version;
+ __be64 connector_id;
+diff --git a/fs/ocfs2/dlm/dlmconvert.c b/fs/ocfs2/dlm/dlmconvert.c
+index cdeafb4..0bb1286 100644
+--- a/fs/ocfs2/dlm/dlmconvert.c
++++ b/fs/ocfs2/dlm/dlmconvert.c
+@@ -268,7 +268,6 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
+ struct dlm_lock *lock, int flags, int type)
+ {
+ enum dlm_status status;
+- u8 old_owner = res->owner;
+
+ mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type,
+ lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS);
+@@ -335,7 +334,6 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
+
+ spin_lock(&res->spinlock);
+ res->state &= ~DLM_LOCK_RES_IN_PROGRESS;
+- lock->convert_pending = 0;
+ /* if it failed, move it back to granted queue.
+ * if master returns DLM_NORMAL and then down before sending ast,
+ * it may have already been moved to granted queue, reset to
+@@ -344,12 +342,14 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
+ if (status != DLM_NOTQUEUED)
+ dlm_error(status);
+ dlm_revert_pending_convert(res, lock);
+- } else if ((res->state & DLM_LOCK_RES_RECOVERING) ||
+- (old_owner != res->owner)) {
+- mlog(0, "res %.*s is in recovering or has been recovered.\n",
+- res->lockname.len, res->lockname.name);
++ } else if (!lock->convert_pending) {
++ mlog(0, "%s: res %.*s, owner died and lock has been moved back "
++ "to granted list, retry convert.\n",
++ dlm->name, res->lockname.len, res->lockname.name);
+ status = DLM_RECOVERING;
+ }
++
++ lock->convert_pending = 0;
+ bail:
+ spin_unlock(&res->spinlock);
+
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index 4e7b0dc..0b055bf 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -1506,7 +1506,8 @@ static int ocfs2_zero_partial_clusters(struct inode *inode,
+ u64 start, u64 len)
+ {
+ int ret = 0;
+- u64 tmpend, end = start + len;
++ u64 tmpend = 0;
++ u64 end = start + len;
+ struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
+ unsigned int csize = osb->s_clustersize;
+ handle_t *handle;
+@@ -1538,18 +1539,31 @@ static int ocfs2_zero_partial_clusters(struct inode *inode,
+ }
+
+ /*
+- * We want to get the byte offset of the end of the 1st cluster.
++ * If start is on a cluster boundary and end is somewhere in another
++ * cluster, we have not COWed the cluster starting at start, unless
++ * end is also within the same cluster. So, in this case, we skip this
++ * first call to ocfs2_zero_range_for_truncate() truncate and move on
++ * to the next one.
+ */
+- tmpend = (u64)osb->s_clustersize + (start & ~(osb->s_clustersize - 1));
+- if (tmpend > end)
+- tmpend = end;
++ if ((start & (csize - 1)) != 0) {
++ /*
++ * We want to get the byte offset of the end of the 1st
++ * cluster.
++ */
++ tmpend = (u64)osb->s_clustersize +
++ (start & ~(osb->s_clustersize - 1));
++ if (tmpend > end)
++ tmpend = end;
+
+- trace_ocfs2_zero_partial_clusters_range1((unsigned long long)start,
+- (unsigned long long)tmpend);
++ trace_ocfs2_zero_partial_clusters_range1(
++ (unsigned long long)start,
++ (unsigned long long)tmpend);
+
+- ret = ocfs2_zero_range_for_truncate(inode, handle, start, tmpend);
+- if (ret)
+- mlog_errno(ret);
++ ret = ocfs2_zero_range_for_truncate(inode, handle, start,
++ tmpend);
++ if (ret)
++ mlog_errno(ret);
++ }
+
+ if (tmpend < end) {
+ /*
+diff --git a/fs/reiserfs/ibalance.c b/fs/reiserfs/ibalance.c
+index b751eea..5db6f45 100644
+--- a/fs/reiserfs/ibalance.c
++++ b/fs/reiserfs/ibalance.c
+@@ -1153,8 +1153,9 @@ int balance_internal(struct tree_balance *tb,
+ insert_ptr);
+ }
+
+- memcpy(new_insert_key_addr, &new_insert_key, KEY_SIZE);
+ insert_ptr[0] = new_insert_ptr;
++ if (new_insert_ptr)
++ memcpy(new_insert_key_addr, &new_insert_key, KEY_SIZE);
+
+ return order;
+ }
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index e71cfbd..41c20b6 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -1531,7 +1531,7 @@ xfs_wait_buftarg(
+ * ensure here that all reference counts have been dropped before we
+ * start walking the LRU list.
+ */
+- drain_workqueue(btp->bt_mount->m_buf_workqueue);
++ flush_workqueue(btp->bt_mount->m_buf_workqueue);
+
+ /* loop until there is nothing left on the lru list. */
+ while (list_lru_count(&btp->bt_lru)) {
+diff --git a/include/linux/ceph/libceph.h b/include/linux/ceph/libceph.h
+index 690985d..6b79a6b 100644
+--- a/include/linux/ceph/libceph.h
++++ b/include/linux/ceph/libceph.h
+@@ -214,8 +214,9 @@ static void erase_##name(struct rb_root *root, type *t) \
+ }
+
+ #define DEFINE_RB_LOOKUP_FUNC(name, type, keyfld, nodefld) \
++extern type __lookup_##name##_key; \
+ static type *lookup_##name(struct rb_root *root, \
+- typeof(((type *)0)->keyfld) key) \
++ typeof(__lookup_##name##_key.keyfld) key) \
+ { \
+ struct rb_node *n = root->rb_node; \
+ \
+diff --git a/include/linux/ceph/osdmap.h b/include/linux/ceph/osdmap.h
+index 9ccf4db..21d7f04 100644
+--- a/include/linux/ceph/osdmap.h
++++ b/include/linux/ceph/osdmap.h
+@@ -115,6 +115,11 @@ static inline void ceph_oid_init(struct ceph_object_id *oid)
+ oid->name_len = 0;
+ }
+
++#define CEPH_OID_INIT_ONSTACK(oid) \
++ ({ ceph_oid_init(&oid); oid; })
++#define CEPH_DEFINE_OID_ONSTACK(oid) \
++ struct ceph_object_id oid = CEPH_OID_INIT_ONSTACK(oid)
++
+ static inline bool ceph_oid_empty(const struct ceph_object_id *oid)
+ {
+ return oid->name == oid->inline_name && !oid->name_len;
+diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h
+index 29f9175..16af670 100644
+--- a/include/linux/fsnotify_backend.h
++++ b/include/linux/fsnotify_backend.h
+@@ -148,6 +148,7 @@ struct fsnotify_group {
+ #define FS_PRIO_1 1 /* fanotify content based access control */
+ #define FS_PRIO_2 2 /* fanotify pre-content access */
+ unsigned int priority;
++ bool shutdown; /* group is being shut down, don't queue more events */
+
+ /* stores all fastpath marks assoc with this group so they can be cleaned on unregister */
+ struct mutex mark_mutex; /* protect marks_list */
+@@ -179,7 +180,6 @@ struct fsnotify_group {
+ spinlock_t access_lock;
+ struct list_head access_list;
+ wait_queue_head_t access_waitq;
+- atomic_t bypass_perm;
+ #endif /* CONFIG_FANOTIFY_ACCESS_PERMISSIONS */
+ int f_flags;
+ unsigned int max_marks;
+@@ -303,6 +303,8 @@ extern struct fsnotify_group *fsnotify_alloc_group(const struct fsnotify_ops *op
+ extern void fsnotify_get_group(struct fsnotify_group *group);
+ /* drop reference on a group from fsnotify_alloc_group */
+ extern void fsnotify_put_group(struct fsnotify_group *group);
++/* group destruction begins, stop queuing new events */
++extern void fsnotify_group_stop_queueing(struct fsnotify_group *group);
+ /* destroy group */
+ extern void fsnotify_destroy_group(struct fsnotify_group *group);
+ /* fasync handler function */
+@@ -315,8 +317,6 @@ extern int fsnotify_add_event(struct fsnotify_group *group,
+ struct fsnotify_event *event,
+ int (*merge)(struct list_head *,
+ struct fsnotify_event *));
+-/* Remove passed event from groups notification queue */
+-extern void fsnotify_remove_event(struct fsnotify_group *group, struct fsnotify_event *event);
+ /* true if the group notification queue is empty */
+ extern bool fsnotify_notify_queue_is_empty(struct fsnotify_group *group);
+ /* return, but do not dequeue the first event on the notification queue */
+diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
+index 9735410..1f94053 100644
+--- a/include/linux/pagemap.h
++++ b/include/linux/pagemap.h
+@@ -571,56 +571,56 @@ static inline int fault_in_pages_readable(const char __user *uaddr, int size)
+ */
+ static inline int fault_in_multipages_writeable(char __user *uaddr, int size)
+ {
+- int ret = 0;
+ char __user *end = uaddr + size - 1;
+
+ if (unlikely(size == 0))
+- return ret;
++ return 0;
+
++ if (unlikely(uaddr > end))
++ return -EFAULT;
+ /*
+ * Writing zeroes into userspace here is OK, because we know that if
+ * the zero gets there, we'll be overwriting it.
+ */
+- while (uaddr <= end) {
+- ret = __put_user(0, uaddr);
+- if (ret != 0)
+- return ret;
++ do {
++ if (unlikely(__put_user(0, uaddr) != 0))
++ return -EFAULT;
+ uaddr += PAGE_SIZE;
+- }
++ } while (uaddr <= end);
+
+ /* Check whether the range spilled into the next page. */
+ if (((unsigned long)uaddr & PAGE_MASK) ==
+ ((unsigned long)end & PAGE_MASK))
+- ret = __put_user(0, end);
++ return __put_user(0, end);
+
+- return ret;
++ return 0;
+ }
+
+ static inline int fault_in_multipages_readable(const char __user *uaddr,
+ int size)
+ {
+ volatile char c;
+- int ret = 0;
+ const char __user *end = uaddr + size - 1;
+
+ if (unlikely(size == 0))
+- return ret;
++ return 0;
+
+- while (uaddr <= end) {
+- ret = __get_user(c, uaddr);
+- if (ret != 0)
+- return ret;
++ if (unlikely(uaddr > end))
++ return -EFAULT;
++
++ do {
++ if (unlikely(__get_user(c, uaddr) != 0))
++ return -EFAULT;
+ uaddr += PAGE_SIZE;
+- }
++ } while (uaddr <= end);
+
+ /* Check whether the range spilled into the next page. */
+ if (((unsigned long)uaddr & PAGE_MASK) ==
+ ((unsigned long)end & PAGE_MASK)) {
+- ret = __get_user(c, end);
+- (void)c;
++ return __get_user(c, end);
+ }
+
+- return ret;
++ return 0;
+ }
+
+ int add_to_page_cache_locked(struct page *page, struct address_space *mapping,
+diff --git a/include/linux/reset.h b/include/linux/reset.h
+index 45a4abe..5daff15 100644
+--- a/include/linux/reset.h
++++ b/include/linux/reset.h
+@@ -71,14 +71,14 @@ static inline struct reset_control *__of_reset_control_get(
+ struct device_node *node,
+ const char *id, int index, int shared)
+ {
+- return ERR_PTR(-EINVAL);
++ return ERR_PTR(-ENOTSUPP);
+ }
+
+ static inline struct reset_control *__devm_reset_control_get(
+ struct device *dev,
+ const char *id, int index, int shared)
+ {
+- return ERR_PTR(-EINVAL);
++ return ERR_PTR(-ENOTSUPP);
+ }
+
+ #endif /* CONFIG_RESET_CONTROLLER */
+diff --git a/kernel/cgroup.c b/kernel/cgroup.c
+index e0be49f..129a7ca 100644
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -6240,6 +6240,12 @@ void cgroup_sk_alloc(struct sock_cgroup_data *skcd)
+ if (cgroup_sk_alloc_disabled)
+ return;
+
++ /* Socket clone path */
++ if (skcd->val) {
++ cgroup_get(sock_cgroup_ptr(skcd));
++ return;
++ }
++
+ rcu_read_lock();
+
+ while (true) {
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index fca9254..2fc1177 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -299,12 +299,12 @@ static int create_image(int platform_mode)
+ save_processor_state();
+ trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, true);
+ error = swsusp_arch_suspend();
++ /* Restore control flow magically appears here */
++ restore_processor_state();
+ trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, false);
+ if (error)
+ printk(KERN_ERR "PM: Error %d creating hibernation image\n",
+ error);
+- /* Restore control flow magically appears here */
+- restore_processor_state();
+ if (!in_suspend)
+ events_check_enabled = false;
+
+diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
+index 3a97060..f155c62 100644
+--- a/kernel/power/snapshot.c
++++ b/kernel/power/snapshot.c
+@@ -765,9 +765,9 @@ static bool memory_bm_pfn_present(struct memory_bitmap *bm, unsigned long pfn)
+ */
+ static bool rtree_next_node(struct memory_bitmap *bm)
+ {
+- bm->cur.node = list_entry(bm->cur.node->list.next,
+- struct rtree_node, list);
+- if (&bm->cur.node->list != &bm->cur.zone->leaves) {
++ if (!list_is_last(&bm->cur.node->list, &bm->cur.zone->leaves)) {
++ bm->cur.node = list_entry(bm->cur.node->list.next,
++ struct rtree_node, list);
+ bm->cur.node_pfn += BM_BITS_PER_BLOCK;
+ bm->cur.node_bit = 0;
+ touch_softlockup_watchdog();
+@@ -775,9 +775,9 @@ static bool rtree_next_node(struct memory_bitmap *bm)
+ }
+
+ /* No more nodes, goto next zone */
+- bm->cur.zone = list_entry(bm->cur.zone->list.next,
++ if (!list_is_last(&bm->cur.zone->list, &bm->zones)) {
++ bm->cur.zone = list_entry(bm->cur.zone->list.next,
+ struct mem_zone_bm_rtree, list);
+- if (&bm->cur.zone->list != &bm->zones) {
+ bm->cur.node = list_entry(bm->cur.zone->leaves.next,
+ struct rtree_node, list);
+ bm->cur.node_pfn = 0;
+diff --git a/kernel/trace/Makefile b/kernel/trace/Makefile
+index 979e7bf..d0a1617 100644
+--- a/kernel/trace/Makefile
++++ b/kernel/trace/Makefile
+@@ -1,4 +1,8 @@
+
++# We are fully aware of the dangers of __builtin_return_address()
++FRAME_CFLAGS := $(call cc-disable-warning,frame-address)
++KBUILD_CFLAGS += $(FRAME_CFLAGS)
++
+ # Do not instrument the tracer itself:
+
+ ifdef CONFIG_FUNCTION_TRACER
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 8a4bd6b..77eeab2 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -4890,19 +4890,20 @@ tracing_read_pipe(struct file *filp, char __user *ubuf,
+ struct trace_iterator *iter = filp->private_data;
+ ssize_t sret;
+
+- /* return any leftover data */
+- sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
+- if (sret != -EBUSY)
+- return sret;
+-
+- trace_seq_init(&iter->seq);
+-
+ /*
+ * Avoid more than one consumer on a single file descriptor
+ * This is just a matter of traces coherency, the ring buffer itself
+ * is protected.
+ */
+ mutex_lock(&iter->mutex);
++
++ /* return any leftover data */
++ sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
++ if (sret != -EBUSY)
++ goto out;
++
++ trace_seq_init(&iter->seq);
++
+ if (iter->trace->read) {
+ sret = iter->trace->read(iter, filp, ubuf, cnt, ppos);
+ if (sret)
+@@ -5929,9 +5930,6 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos,
+ return -EBUSY;
+ #endif
+
+- if (splice_grow_spd(pipe, &spd))
+- return -ENOMEM;
+-
+ if (*ppos & (PAGE_SIZE - 1))
+ return -EINVAL;
+
+@@ -5941,6 +5939,9 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos,
+ len &= PAGE_MASK;
+ }
+
++ if (splice_grow_spd(pipe, &spd))
++ return -ENOMEM;
++
+ again:
+ trace_access_lock(iter->cpu_file);
+ entries = ring_buffer_entries_cpu(iter->trace_buffer->buffer, iter->cpu_file);
+@@ -5998,19 +5999,21 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos,
+ /* did we read anything? */
+ if (!spd.nr_pages) {
+ if (ret)
+- return ret;
++ goto out;
+
++ ret = -EAGAIN;
+ if ((file->f_flags & O_NONBLOCK) || (flags & SPLICE_F_NONBLOCK))
+- return -EAGAIN;
++ goto out;
+
+ ret = wait_on_pipe(iter, true);
+ if (ret)
+- return ret;
++ goto out;
+
+ goto again;
+ }
+
+ ret = splice_to_pipe(pipe, &spd);
++out:
+ splice_shrink_spd(&spd);
+
+ return ret;
+diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
+index 6845f92..50e92c5 100644
+--- a/mm/kasan/kasan.c
++++ b/mm/kasan/kasan.c
+@@ -562,7 +562,7 @@ void kasan_kmalloc(struct kmem_cache *cache, const void *object, size_t size,
+ unsigned long redzone_start;
+ unsigned long redzone_end;
+
+- if (flags & __GFP_RECLAIM)
++ if (gfpflags_allow_blocking(flags))
+ quarantine_reduce();
+
+ if (unlikely(object == NULL))
+@@ -595,7 +595,7 @@ void kasan_kmalloc_large(const void *ptr, size_t size, gfp_t flags)
+ unsigned long redzone_start;
+ unsigned long redzone_end;
+
+- if (flags & __GFP_RECLAIM)
++ if (gfpflags_allow_blocking(flags))
+ quarantine_reduce();
+
+ if (unlikely(ptr == NULL))
+diff --git a/mm/kasan/quarantine.c b/mm/kasan/quarantine.c
+index 65793f1..a04887c 100644
+--- a/mm/kasan/quarantine.c
++++ b/mm/kasan/quarantine.c
+@@ -196,7 +196,7 @@ void quarantine_put(struct kasan_free_meta *info, struct kmem_cache *cache)
+
+ void quarantine_reduce(void)
+ {
+- size_t new_quarantine_size;
++ size_t new_quarantine_size, percpu_quarantines;
+ unsigned long flags;
+ struct qlist_head to_free = QLIST_INIT;
+ size_t size_to_free = 0;
+@@ -214,7 +214,12 @@ void quarantine_reduce(void)
+ */
+ new_quarantine_size = (READ_ONCE(totalram_pages) << PAGE_SHIFT) /
+ QUARANTINE_FRACTION;
+- new_quarantine_size -= QUARANTINE_PERCPU_SIZE * num_online_cpus();
++ percpu_quarantines = QUARANTINE_PERCPU_SIZE * num_online_cpus();
++ if (WARN_ONCE(new_quarantine_size < percpu_quarantines,
++ "Too little memory, disabling global KASAN quarantine.\n"))
++ new_quarantine_size = 0;
++ else
++ new_quarantine_size -= percpu_quarantines;
+ WRITE_ONCE(quarantine_size, new_quarantine_size);
+
+ last = global_quarantine.head;
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index ca847d9..fcb5b8c 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -1797,17 +1797,22 @@ static DEFINE_MUTEX(percpu_charge_mutex);
+ static bool consume_stock(struct mem_cgroup *memcg, unsigned int nr_pages)
+ {
+ struct memcg_stock_pcp *stock;
++ unsigned long flags;
+ bool ret = false;
+
+ if (nr_pages > CHARGE_BATCH)
+ return ret;
+
+- stock = &get_cpu_var(memcg_stock);
++ local_irq_save(flags);
++
++ stock = this_cpu_ptr(&memcg_stock);
+ if (memcg == stock->cached && stock->nr_pages >= nr_pages) {
+ stock->nr_pages -= nr_pages;
+ ret = true;
+ }
+- put_cpu_var(memcg_stock);
++
++ local_irq_restore(flags);
++
+ return ret;
+ }
+
+@@ -1828,15 +1833,18 @@ static void drain_stock(struct memcg_stock_pcp *stock)
+ stock->cached = NULL;
+ }
+
+-/*
+- * This must be called under preempt disabled or must be called by
+- * a thread which is pinned to local cpu.
+- */
+ static void drain_local_stock(struct work_struct *dummy)
+ {
+- struct memcg_stock_pcp *stock = this_cpu_ptr(&memcg_stock);
++ struct memcg_stock_pcp *stock;
++ unsigned long flags;
++
++ local_irq_save(flags);
++
++ stock = this_cpu_ptr(&memcg_stock);
+ drain_stock(stock);
+ clear_bit(FLUSHING_CACHED_CHARGE, &stock->flags);
++
++ local_irq_restore(flags);
+ }
+
+ /*
+@@ -1845,14 +1853,19 @@ static void drain_local_stock(struct work_struct *dummy)
+ */
+ static void refill_stock(struct mem_cgroup *memcg, unsigned int nr_pages)
+ {
+- struct memcg_stock_pcp *stock = &get_cpu_var(memcg_stock);
++ struct memcg_stock_pcp *stock;
++ unsigned long flags;
++
++ local_irq_save(flags);
+
++ stock = this_cpu_ptr(&memcg_stock);
+ if (stock->cached != memcg) { /* reset if necessary */
+ drain_stock(stock);
+ stock->cached = memcg;
+ }
+ stock->nr_pages += nr_pages;
+- put_cpu_var(memcg_stock);
++
++ local_irq_restore(flags);
+ }
+
+ /*
+diff --git a/mm/page_io.c b/mm/page_io.c
+index 242dba0..dc1af1e 100644
+--- a/mm/page_io.c
++++ b/mm/page_io.c
+@@ -262,6 +262,7 @@ int __swap_writepage(struct page *page, struct writeback_control *wbc,
+ int ret, rw = WRITE;
+ struct swap_info_struct *sis = page_swap_info(page);
+
++ BUG_ON(!PageSwapCache(page));
+ if (sis->flags & SWP_FILE) {
+ struct kiocb kiocb;
+ struct file *swap_file = sis->swap_file;
+@@ -333,6 +334,7 @@ int swap_readpage(struct page *page)
+ int ret = 0;
+ struct swap_info_struct *sis = page_swap_info(page);
+
++ BUG_ON(!PageSwapCache(page));
+ VM_BUG_ON_PAGE(!PageLocked(page), page);
+ VM_BUG_ON_PAGE(PageUptodate(page), page);
+ if (frontswap_load(page) == 0) {
+@@ -381,6 +383,7 @@ int swap_set_page_dirty(struct page *page)
+
+ if (sis->flags & SWP_FILE) {
+ struct address_space *mapping = sis->swap_file->f_mapping;
++ BUG_ON(!PageSwapCache(page));
+ return mapping->a_ops->set_page_dirty(page);
+ } else {
+ return __set_page_dirty_no_writeback(page);
+diff --git a/mm/swapfile.c b/mm/swapfile.c
+index 031713ab..46502f5 100644
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -2724,7 +2724,6 @@ int swapcache_prepare(swp_entry_t entry)
+ struct swap_info_struct *page_swap_info(struct page *page)
+ {
+ swp_entry_t swap = { .val = page_private(page) };
+- BUG_ON(!PageSwapCache(page));
+ return swap_info[swp_type(swap)];
+ }
+
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index c4a2f45..38a2691 100644
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -2150,23 +2150,6 @@ out:
+ }
+ }
+
+-#ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH
+-static void init_tlb_ubc(void)
+-{
+- /*
+- * This deliberately does not clear the cpumask as it's expensive
+- * and unnecessary. If there happens to be data in there then the
+- * first SWAP_CLUSTER_MAX pages will send an unnecessary IPI and
+- * then will be cleared.
+- */
+- current->tlb_ubc.flush_required = false;
+-}
+-#else
+-static inline void init_tlb_ubc(void)
+-{
+-}
+-#endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */
+-
+ /*
+ * This is a basic per-zone page freer. Used by both kswapd and direct reclaim.
+ */
+@@ -2202,8 +2185,6 @@ static void shrink_zone_memcg(struct zone *zone, struct mem_cgroup *memcg,
+ scan_adjusted = (global_reclaim(sc) && !current_is_kswapd() &&
+ sc->priority == DEF_PRIORITY);
+
+- init_tlb_ubc();
+-
+ blk_start_plug(&plug);
+ while (nr[LRU_INACTIVE_ANON] || nr[LRU_ACTIVE_FILE] ||
+ nr[LRU_INACTIVE_FILE]) {
+diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
+index 8946959..aee117f 100644
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -4187,7 +4187,7 @@ static struct ceph_msg *alloc_msg_with_page_vector(struct ceph_msg_header *hdr)
+
+ pages = ceph_alloc_page_vector(calc_pages_for(0, data_len),
+ GFP_NOIO);
+- if (!pages) {
++ if (IS_ERR(pages)) {
+ ceph_msg_put(m);
+ return NULL;
+ }
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 25dab8b..fd7b41e 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1362,7 +1362,6 @@ static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
+ if (!try_module_get(prot->owner))
+ goto out_free_sec;
+ sk_tx_queue_clear(sk);
+- cgroup_sk_alloc(&sk->sk_cgrp_data);
+ }
+
+ return sk;
+@@ -1422,6 +1421,7 @@ struct sock *sk_alloc(struct net *net, int family, gfp_t priority,
+ sock_net_set(sk, net);
+ atomic_set(&sk->sk_wmem_alloc, 1);
+
++ cgroup_sk_alloc(&sk->sk_cgrp_data);
+ sock_update_classid(&sk->sk_cgrp_data);
+ sock_update_netprioidx(&sk->sk_cgrp_data);
+ }
+@@ -1566,6 +1566,9 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
+ newsk->sk_priority = 0;
+ newsk->sk_incoming_cpu = raw_smp_processor_id();
+ atomic64_set(&newsk->sk_cookie, 0);
++
++ cgroup_sk_alloc(&newsk->sk_cgrp_data);
++
+ /*
+ * Before updating sk_refcnt, we must commit prior changes to memory
+ * (Documentation/RCU/rculist_nulls.txt for details)
+diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
+index 3a8f881..0a7305a 100644
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -261,10 +261,16 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
+ .timeout = timeout,
+ .ssn = start_seq_num,
+ };
+-
+ int i, ret = -EOPNOTSUPP;
+ u16 status = WLAN_STATUS_REQUEST_DECLINED;
+
++ if (tid >= IEEE80211_FIRST_TSPEC_TSID) {
++ ht_dbg(sta->sdata,
++ "STA %pM requests BA session on unsupported tid %d\n",
++ sta->sta.addr, tid);
++ goto end_no_lock;
++ }
++
+ if (!sta->sta.ht_cap.ht_supported) {
+ ht_dbg(sta->sdata,
+ "STA %pM erroneously requests BA session on tid %d w/o QoS\n",
+diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
+index 42fa810..744ad1c 100644
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -580,6 +580,9 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid,
+ ieee80211_hw_check(&local->hw, TX_AMPDU_SETUP_IN_HW))
+ return -EINVAL;
+
++ if (WARN_ON(tid >= IEEE80211_FIRST_TSPEC_TSID))
++ return -EINVAL;
++
+ ht_dbg(sdata, "Open BA session requested for %pM tid %u\n",
+ pubsta->addr, tid);
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 7d72283..7d38dd6 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -6811,7 +6811,7 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
+
+ params.n_counter_offsets_presp = len / sizeof(u16);
+ if (rdev->wiphy.max_num_csa_counters &&
+- (params.n_counter_offsets_beacon >
++ (params.n_counter_offsets_presp >
+ rdev->wiphy.max_num_csa_counters))
+ return -EINVAL;
+
+diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan
+index 77ce538..8ab6867 100644
+--- a/scripts/Makefile.ubsan
++++ b/scripts/Makefile.ubsan
+@@ -14,8 +14,4 @@ ifdef CONFIG_UBSAN
+ ifdef CONFIG_UBSAN_ALIGNMENT
+ CFLAGS_UBSAN += $(call cc-option, -fsanitize=alignment)
+ endif
+-
+- # -fsanitize=* options makes GCC less smart than usual and
+- # increase number of 'maybe-uninitialized false-positives
+- CFLAGS_UBSAN += $(call cc-option, -Wno-maybe-uninitialized)
+ endif
+diff --git a/scripts/package/builddeb b/scripts/package/builddeb
+index 86e56fe..202d6e7 100755
+--- a/scripts/package/builddeb
++++ b/scripts/package/builddeb
+@@ -322,12 +322,12 @@ fi
+
+ # Build kernel header package
+ (cd $srctree; find . -name Makefile\* -o -name Kconfig\* -o -name \*.pl) > "$objtree/debian/hdrsrcfiles"
+-if grep -q '^CONFIG_STACK_VALIDATION=y' $KCONFIG_CONFIG ; then
+- (cd $srctree; find tools/objtool -type f -executable) >> "$objtree/debian/hdrsrcfiles"
+-fi
+ (cd $srctree; find arch/*/include include scripts -type f) >> "$objtree/debian/hdrsrcfiles"
+ (cd $srctree; find arch/$SRCARCH -name module.lds -o -name Kbuild.platforms -o -name Platform) >> "$objtree/debian/hdrsrcfiles"
+ (cd $srctree; find $(find arch/$SRCARCH -name include -o -name scripts -type d) -type f) >> "$objtree/debian/hdrsrcfiles"
++if grep -q '^CONFIG_STACK_VALIDATION=y' $KCONFIG_CONFIG ; then
++ (cd $objtree; find tools/objtool -type f -executable) >> "$objtree/debian/hdrobjfiles"
++fi
+ (cd $objtree; find arch/$SRCARCH/include Module.symvers include scripts -type f) >> "$objtree/debian/hdrobjfiles"
+ destdir=$kernel_headers_dir/usr/src/linux-headers-$version
+ mkdir -p "$destdir"
+diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
+index 5adbfc3..17a0610 100644
+--- a/security/keys/encrypted-keys/encrypted.c
++++ b/security/keys/encrypted-keys/encrypted.c
+@@ -29,6 +29,7 @@
+ #include <linux/rcupdate.h>
+ #include <linux/scatterlist.h>
+ #include <linux/ctype.h>
++#include <crypto/aes.h>
+ #include <crypto/hash.h>
+ #include <crypto/sha.h>
+ #include <crypto/skcipher.h>
+@@ -478,6 +479,7 @@ static int derived_key_encrypt(struct encrypted_key_payload *epayload,
+ struct crypto_skcipher *tfm;
+ struct skcipher_request *req;
+ unsigned int encrypted_datalen;
++ u8 iv[AES_BLOCK_SIZE];
+ unsigned int padlen;
+ char pad[16];
+ int ret;
+@@ -500,8 +502,8 @@ static int derived_key_encrypt(struct encrypted_key_payload *epayload,
+ sg_init_table(sg_out, 1);
+ sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen);
+
+- skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen,
+- epayload->iv);
++ memcpy(iv, epayload->iv, sizeof(iv));
++ skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
+ ret = crypto_skcipher_encrypt(req);
+ tfm = crypto_skcipher_reqtfm(req);
+ skcipher_request_free(req);
+@@ -581,6 +583,7 @@ static int derived_key_decrypt(struct encrypted_key_payload *epayload,
+ struct crypto_skcipher *tfm;
+ struct skcipher_request *req;
+ unsigned int encrypted_datalen;
++ u8 iv[AES_BLOCK_SIZE];
+ char pad[16];
+ int ret;
+
+@@ -599,8 +602,8 @@ static int derived_key_decrypt(struct encrypted_key_payload *epayload,
+ epayload->decrypted_datalen);
+ sg_set_buf(&sg_out[1], pad, sizeof pad);
+
+- skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen,
+- epayload->iv);
++ memcpy(iv, epayload->iv, sizeof(iv));
++ skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
+ ret = crypto_skcipher_decrypt(req);
+ tfm = crypto_skcipher_reqtfm(req);
+ skcipher_request_free(req);