Grsec/PaX: 3.0-{3.2.65,3.14.26,3.17.6}-20141214204520141214

69 files changed, 7153 insertions, 11078 deletions

diff --git a/3.14.26/0000_README b/3.14.26/0000_README
index f652b8f..e231525 100644
--- a/3.14.26/0000_README
+++ b/3.14.26/0000_README
@@ -2,15 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	1024_linux-3.14.25.patch
-From:	http://www.kernel.org
-Desc:	Linux 3.14.25
-
-Patch:	1025_linux-3.14.26.patch
-From:	http://www.kernel.org
-Desc:	Linux 3.14.26
-
-Patch:	4420_grsecurity-3.0-3.14.26-201412071005.patch
+Patch:	4420_grsecurity-3.0-3.14.26-201412142109.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.14.26/1024_linux-3.14.25.patch b/3.14.26/1024_linux-3.14.25.patch
deleted file mode 100644
index 5ae0660..0000000
--- a/3.14.26/1024_linux-3.14.25.patch
+++ /dev/null
@@ -1,7549 +0,0 @@
-diff --git a/Documentation/devicetree/bindings/ata/sata_rcar.txt b/Documentation/devicetree/bindings/ata/sata_rcar.txt
-index 1e61113..7dd32d3 100644
---- a/Documentation/devicetree/bindings/ata/sata_rcar.txt
-+++ b/Documentation/devicetree/bindings/ata/sata_rcar.txt
-@@ -3,7 +3,8 @@
- Required properties:
- - compatible		: should contain one of the following:
- 			  - "renesas,sata-r8a7779" for R-Car H1
--			  - "renesas,sata-r8a7790" for R-Car H2
-+			  - "renesas,sata-r8a7790-es1" for R-Car H2 ES1
-+			  - "renesas,sata-r8a7790" for R-Car H2 other than ES1
- 			  - "renesas,sata-r8a7791" for R-Car M2
- - reg			: address and length of the SATA registers;
- - interrupts		: must consist of one interrupt specifier.
-diff --git a/Makefile b/Makefile
-index 8fd0610..eb96e40 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 3
- PATCHLEVEL = 14
--SUBLEVEL = 24
-+SUBLEVEL = 25
- EXTRAVERSION =
- NAME = Remembering Coco
- 
-diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S
-index 066b034..8017cde 100644
---- a/arch/arm/boot/compressed/head.S
-+++ b/arch/arm/boot/compressed/head.S
-@@ -400,8 +400,7 @@ dtb_check_done:
- 		add	sp, sp, r6
- #endif
- 
--		tst	r4, #1
--		bleq	cache_clean_flush
-+		bl	cache_clean_flush
- 
- 		adr	r0, BSYM(restart)
- 		add	r0, r0, r6
-@@ -1050,6 +1049,8 @@ cache_clean_flush:
- 		b	call_cache_fn
- 
- __armv4_mpu_cache_flush:
-+		tst	r4, #1
-+		movne	pc, lr
- 		mov	r2, #1
- 		mov	r3, #0
- 		mcr	p15, 0, ip, c7, c6, 0	@ invalidate D cache
-@@ -1067,6 +1068,8 @@ __armv4_mpu_cache_flush:
- 		mov	pc, lr
- 		
- __fa526_cache_flush:
-+		tst	r4, #1
-+		movne	pc, lr
- 		mov	r1, #0
- 		mcr	p15, 0, r1, c7, c14, 0	@ clean and invalidate D cache
- 		mcr	p15, 0, r1, c7, c5, 0	@ flush I cache
-@@ -1075,13 +1078,16 @@ __fa526_cache_flush:
- 
- __armv6_mmu_cache_flush:
- 		mov	r1, #0
--		mcr	p15, 0, r1, c7, c14, 0	@ clean+invalidate D
-+		tst	r4, #1
-+		mcreq	p15, 0, r1, c7, c14, 0	@ clean+invalidate D
- 		mcr	p15, 0, r1, c7, c5, 0	@ invalidate I+BTB
--		mcr	p15, 0, r1, c7, c15, 0	@ clean+invalidate unified
-+		mcreq	p15, 0, r1, c7, c15, 0	@ clean+invalidate unified
- 		mcr	p15, 0, r1, c7, c10, 4	@ drain WB
- 		mov	pc, lr
- 
- __armv7_mmu_cache_flush:
-+		tst	r4, #1
-+		bne	iflush
- 		mrc	p15, 0, r10, c0, c1, 5	@ read ID_MMFR1
- 		tst	r10, #0xf << 16		@ hierarchical cache (ARMv7)
- 		mov	r10, #0
-@@ -1142,6 +1148,8 @@ iflush:
- 		mov	pc, lr
- 
- __armv5tej_mmu_cache_flush:
-+		tst	r4, #1
-+		movne	pc, lr
- 1:		mrc	p15, 0, r15, c7, c14, 3	@ test,clean,invalidate D cache
- 		bne	1b
- 		mcr	p15, 0, r0, c7, c5, 0	@ flush I cache
-@@ -1149,6 +1157,8 @@ __armv5tej_mmu_cache_flush:
- 		mov	pc, lr
- 
- __armv4_mmu_cache_flush:
-+		tst	r4, #1
-+		movne	pc, lr
- 		mov	r2, #64*1024		@ default: 32K dcache size (*2)
- 		mov	r11, #32		@ default: 32 byte line size
- 		mrc	p15, 0, r3, c0, c0, 1	@ read cache type
-@@ -1182,6 +1192,8 @@ no_cache_id:
- 
- __armv3_mmu_cache_flush:
- __armv3_mpu_cache_flush:
-+		tst	r4, #1
-+		movne	pc, lr
- 		mov	r1, #0
- 		mcr	p15, 0, r1, c7, c0, 0	@ invalidate whole cache v3
- 		mov	pc, lr
-diff --git a/arch/arm/kernel/kprobes-common.c b/arch/arm/kernel/kprobes-common.c
-index 18a7628..380c20f 100644
---- a/arch/arm/kernel/kprobes-common.c
-+++ b/arch/arm/kernel/kprobes-common.c
-@@ -14,6 +14,7 @@
- #include <linux/kernel.h>
- #include <linux/kprobes.h>
- #include <asm/system_info.h>
-+#include <asm/opcodes.h>
- 
- #include "kprobes.h"
- 
-@@ -305,7 +306,8 @@ kprobe_decode_ldmstm(kprobe_opcode_t insn, struct arch_specific_insn *asi)
- 
- 	if (handler) {
- 		/* We can emulate the instruction in (possibly) modified form */
--		asi->insn[0] = (insn & 0xfff00000) | (rn << 16) | reglist;
-+		asi->insn[0] = __opcode_to_mem_arm((insn & 0xfff00000) |
-+						   (rn << 16) | reglist);
- 		asi->insn_handler = handler;
- 		return INSN_GOOD;
- 	}
-@@ -334,13 +336,14 @@ prepare_emulated_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
- #ifdef CONFIG_THUMB2_KERNEL
- 	if (thumb) {
- 		u16 *thumb_insn = (u16 *)asi->insn;
--		thumb_insn[1] = 0x4770; /* Thumb bx lr */
--		thumb_insn[2] = 0x4770; /* Thumb bx lr */
-+		/* Thumb bx lr */
-+		thumb_insn[1] = __opcode_to_mem_thumb16(0x4770);
-+		thumb_insn[2] = __opcode_to_mem_thumb16(0x4770);
- 		return insn;
- 	}
--	asi->insn[1] = 0xe12fff1e; /* ARM bx lr */
-+	asi->insn[1] = __opcode_to_mem_arm(0xe12fff1e); /* ARM bx lr */
- #else
--	asi->insn[1] = 0xe1a0f00e; /* mov pc, lr */
-+	asi->insn[1] = __opcode_to_mem_arm(0xe1a0f00e); /* mov pc, lr */
- #endif
- 	/* Make an ARM instruction unconditional */
- 	if (insn < 0xe0000000)
-@@ -360,12 +363,12 @@ set_emulated_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
- 	if (thumb) {
- 		u16 *ip = (u16 *)asi->insn;
- 		if (is_wide_instruction(insn))
--			*ip++ = insn >> 16;
--		*ip++ = insn;
-+			*ip++ = __opcode_to_mem_thumb16(insn >> 16);
-+		*ip++ = __opcode_to_mem_thumb16(insn);
- 		return;
- 	}
- #endif
--	asi->insn[0] = insn;
-+	asi->insn[0] = __opcode_to_mem_arm(insn);
- }
- 
- /*
-diff --git a/arch/arm/kernel/kprobes-thumb.c b/arch/arm/kernel/kprobes-thumb.c
-index 6123daf..241222c 100644
---- a/arch/arm/kernel/kprobes-thumb.c
-+++ b/arch/arm/kernel/kprobes-thumb.c
-@@ -11,6 +11,7 @@
- #include <linux/kernel.h>
- #include <linux/kprobes.h>
- #include <linux/module.h>
-+#include <asm/opcodes.h>
- 
- #include "kprobes.h"
- 
-@@ -163,9 +164,9 @@ t32_decode_ldmstm(kprobe_opcode_t insn, struct arch_specific_insn *asi)
- 	enum kprobe_insn ret = kprobe_decode_ldmstm(insn, asi);
- 
- 	/* Fixup modified instruction to have halfwords in correct order...*/
--	insn = asi->insn[0];
--	((u16 *)asi->insn)[0] = insn >> 16;
--	((u16 *)asi->insn)[1] = insn & 0xffff;
-+	insn = __mem_to_opcode_arm(asi->insn[0]);
-+	((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(insn >> 16);
-+	((u16 *)asi->insn)[1] = __opcode_to_mem_thumb16(insn & 0xffff);
- 
- 	return ret;
- }
-@@ -1153,7 +1154,7 @@ t16_decode_hiregs(kprobe_opcode_t insn, struct arch_specific_insn *asi)
- {
- 	insn &= ~0x00ff;
- 	insn |= 0x001; /* Set Rdn = R1 and Rm = R0 */
--	((u16 *)asi->insn)[0] = insn;
-+	((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(insn);
- 	asi->insn_handler = t16_emulate_hiregs;
- 	return INSN_GOOD;
- }
-@@ -1182,8 +1183,10 @@ t16_decode_push(kprobe_opcode_t insn, struct arch_specific_insn *asi)
- 	 * and call it with R9=SP and LR in the register list represented
- 	 * by R8.
- 	 */
--	((u16 *)asi->insn)[0] = 0xe929;		/* 1st half STMDB R9!,{} */
--	((u16 *)asi->insn)[1] = insn & 0x1ff;	/* 2nd half (register list) */
-+	/* 1st half STMDB R9!,{} */
-+	((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(0xe929);
-+	/* 2nd half (register list) */
-+	((u16 *)asi->insn)[1] = __opcode_to_mem_thumb16(insn & 0x1ff);
- 	asi->insn_handler = t16_emulate_push;
- 	return INSN_GOOD;
- }
-@@ -1232,8 +1235,10 @@ t16_decode_pop(kprobe_opcode_t insn, struct arch_specific_insn *asi)
- 	 * and call it with R9=SP and PC in the register list represented
- 	 * by R8.
- 	 */
--	((u16 *)asi->insn)[0] = 0xe8b9;		/* 1st half LDMIA R9!,{} */
--	((u16 *)asi->insn)[1] = insn & 0x1ff;	/* 2nd half (register list) */
-+	/* 1st half LDMIA R9!,{} */
-+	((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(0xe8b9);
-+	/* 2nd half (register list) */
-+	((u16 *)asi->insn)[1] = __opcode_to_mem_thumb16(insn & 0x1ff);
- 	asi->insn_handler = insn & 0x100 ? t16_emulate_pop_pc
- 					 : t16_emulate_pop_nopc;
- 	return INSN_GOOD;
-diff --git a/arch/arm/kernel/kprobes.c b/arch/arm/kernel/kprobes.c
-index a7b621e..49a87b6 100644
---- a/arch/arm/kernel/kprobes.c
-+++ b/arch/arm/kernel/kprobes.c
-@@ -26,6 +26,7 @@
- #include <linux/stop_machine.h>
- #include <linux/stringify.h>
- #include <asm/traps.h>
-+#include <asm/opcodes.h>
- #include <asm/cacheflush.h>
- 
- #include "kprobes.h"
-@@ -62,10 +63,10 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p)
- #ifdef CONFIG_THUMB2_KERNEL
- 	thumb = true;
- 	addr &= ~1; /* Bit 0 would normally be set to indicate Thumb code */
--	insn = ((u16 *)addr)[0];
-+	insn = __mem_to_opcode_thumb16(((u16 *)addr)[0]);
- 	if (is_wide_instruction(insn)) {
--		insn <<= 16;
--		insn |= ((u16 *)addr)[1];
-+		u16 inst2 = __mem_to_opcode_thumb16(((u16 *)addr)[1]);
-+		insn = __opcode_thumb32_compose(insn, inst2);
- 		decode_insn = thumb32_kprobe_decode_insn;
- 	} else
- 		decode_insn = thumb16_kprobe_decode_insn;
-@@ -73,7 +74,7 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p)
- 	thumb = false;
- 	if (addr & 0x3)
- 		return -EINVAL;
--	insn = *p->addr;
-+	insn = __mem_to_opcode_arm(*p->addr);
- 	decode_insn = arm_kprobe_decode_insn;
- #endif
- 
-diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
-index ca8ecde..e9c290c 100644
---- a/arch/arm/mm/Kconfig
-+++ b/arch/arm/mm/Kconfig
-@@ -798,6 +798,7 @@ config NEED_KUSER_HELPERS
- 
- config KUSER_HELPERS
- 	bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
-+	depends on MMU
- 	default y
- 	help
- 	  Warning: disabling this option may break user programs.
-diff --git a/arch/arm64/kernel/insn.c b/arch/arm64/kernel/insn.c
-index 92f3683..565e26f 100644
---- a/arch/arm64/kernel/insn.c
-+++ b/arch/arm64/kernel/insn.c
-@@ -156,9 +156,10 @@ static int __kprobes aarch64_insn_patch_text_cb(void *arg)
- 		 * which ends with "dsb; isb" pair guaranteeing global
- 		 * visibility.
- 		 */
--		atomic_set(&pp->cpu_count, -1);
-+		/* Notify other processors with an additional increment. */
-+		atomic_inc(&pp->cpu_count);
- 	} else {
--		while (atomic_read(&pp->cpu_count) != -1)
-+		while (atomic_read(&pp->cpu_count) <= num_online_cpus())
- 			cpu_relax();
- 		isb();
- 	}
-diff --git a/arch/arm64/lib/clear_user.S b/arch/arm64/lib/clear_user.S
-index 6e0ed93..c17967f 100644
---- a/arch/arm64/lib/clear_user.S
-+++ b/arch/arm64/lib/clear_user.S
-@@ -46,7 +46,7 @@ USER(9f, strh	wzr, [x0], #2	)
- 	sub	x1, x1, #2
- 4:	adds	x1, x1, #1
- 	b.mi	5f
--	strb	wzr, [x0]
-+USER(9f, strb	wzr, [x0]	)
- 5:	mov	x0, #0
- 	ret
- ENDPROC(__clear_user)
-diff --git a/arch/parisc/include/uapi/asm/shmbuf.h b/arch/parisc/include/uapi/asm/shmbuf.h
-index 0a3eada..f395cde 100644
---- a/arch/parisc/include/uapi/asm/shmbuf.h
-+++ b/arch/parisc/include/uapi/asm/shmbuf.h
-@@ -36,23 +36,16 @@ struct shmid64_ds {
- 	unsigned int		__unused2;
- };
- 
--#ifdef CONFIG_64BIT
--/* The 'unsigned int' (formerly 'unsigned long') data types below will
-- * ensure that a 32-bit app calling shmctl(*,IPC_INFO,*) will work on
-- * a wide kernel, but if some of these values are meant to contain pointers
-- * they may need to be 'long long' instead. -PB XXX FIXME
-- */
--#endif
- struct shminfo64 {
--	unsigned int	shmmax;
--	unsigned int	shmmin;
--	unsigned int	shmmni;
--	unsigned int	shmseg;
--	unsigned int	shmall;
--	unsigned int	__unused1;
--	unsigned int	__unused2;
--	unsigned int	__unused3;
--	unsigned int	__unused4;
-+	unsigned long	shmmax;
-+	unsigned long	shmmin;
-+	unsigned long	shmmni;
-+	unsigned long	shmseg;
-+	unsigned long	shmall;
-+	unsigned long	__unused1;
-+	unsigned long	__unused2;
-+	unsigned long	__unused3;
-+	unsigned long	__unused4;
- };
- 
- #endif /* _PARISC_SHMBUF_H */
-diff --git a/arch/parisc/kernel/syscall_table.S b/arch/parisc/kernel/syscall_table.S
-index 7dd8a3b..fc77d53 100644
---- a/arch/parisc/kernel/syscall_table.S
-+++ b/arch/parisc/kernel/syscall_table.S
-@@ -286,11 +286,11 @@
- 	ENTRY_COMP(msgsnd)
- 	ENTRY_COMP(msgrcv)
- 	ENTRY_SAME(msgget)		/* 190 */
--	ENTRY_SAME(msgctl)
--	ENTRY_SAME(shmat)
-+	ENTRY_COMP(msgctl)
-+	ENTRY_COMP(shmat)
- 	ENTRY_SAME(shmdt)
- 	ENTRY_SAME(shmget)
--	ENTRY_SAME(shmctl)		/* 195 */
-+	ENTRY_COMP(shmctl)		/* 195 */
- 	ENTRY_SAME(ni_syscall)		/* streams1 */
- 	ENTRY_SAME(ni_syscall)		/* streams2 */
- 	ENTRY_SAME(lstat64)
-@@ -323,7 +323,7 @@
- 	ENTRY_SAME(epoll_ctl)		/* 225 */
- 	ENTRY_SAME(epoll_wait)
-  	ENTRY_SAME(remap_file_pages)
--	ENTRY_SAME(semtimedop)
-+	ENTRY_COMP(semtimedop)
- 	ENTRY_COMP(mq_open)
- 	ENTRY_SAME(mq_unlink)		/* 230 */
- 	ENTRY_COMP(mq_timedsend)
-diff --git a/arch/sparc/include/asm/atomic_32.h b/arch/sparc/include/asm/atomic_32.h
-index 905832a..a0ed182 100644
---- a/arch/sparc/include/asm/atomic_32.h
-+++ b/arch/sparc/include/asm/atomic_32.h
-@@ -21,7 +21,7 @@
- 
- extern int __atomic_add_return(int, atomic_t *);
- extern int atomic_cmpxchg(atomic_t *, int, int);
--#define atomic_xchg(v, new) (xchg(&((v)->counter), new))
-+extern int atomic_xchg(atomic_t *, int);
- extern int __atomic_add_unless(atomic_t *, int, int);
- extern void atomic_set(atomic_t *, int);
- 
-diff --git a/arch/sparc/include/asm/cmpxchg_32.h b/arch/sparc/include/asm/cmpxchg_32.h
-index 1fae1a0..ae0f9a7 100644
---- a/arch/sparc/include/asm/cmpxchg_32.h
-+++ b/arch/sparc/include/asm/cmpxchg_32.h
-@@ -11,22 +11,14 @@
- #ifndef __ARCH_SPARC_CMPXCHG__
- #define __ARCH_SPARC_CMPXCHG__
- 
--static inline unsigned long xchg_u32(__volatile__ unsigned long *m, unsigned long val)
--{
--	__asm__ __volatile__("swap [%2], %0"
--			     : "=&r" (val)
--			     : "0" (val), "r" (m)
--			     : "memory");
--	return val;
--}
--
-+extern unsigned long __xchg_u32(volatile u32 *m, u32 new);
- extern void __xchg_called_with_bad_pointer(void);
- 
- static inline unsigned long __xchg(unsigned long x, __volatile__ void * ptr, int size)
- {
- 	switch (size) {
- 	case 4:
--		return xchg_u32(ptr, x);
-+		return __xchg_u32(ptr, x);
- 	}
- 	__xchg_called_with_bad_pointer();
- 	return x;
-diff --git a/arch/sparc/include/asm/vio.h b/arch/sparc/include/asm/vio.h
-index 432afa8..55841c1 100644
---- a/arch/sparc/include/asm/vio.h
-+++ b/arch/sparc/include/asm/vio.h
-@@ -118,12 +118,18 @@ struct vio_disk_attr_info {
- 	u8			vdisk_type;
- #define VD_DISK_TYPE_SLICE	0x01 /* Slice in block device	*/
- #define VD_DISK_TYPE_DISK	0x02 /* Entire block device	*/
--	u16			resv1;
-+	u8			vdisk_mtype;		/* v1.1 */
-+#define VD_MEDIA_TYPE_FIXED	0x01 /* Fixed device */
-+#define VD_MEDIA_TYPE_CD	0x02 /* CD Device    */
-+#define VD_MEDIA_TYPE_DVD	0x03 /* DVD Device   */
-+	u8			resv1;
- 	u32			vdisk_block_size;
- 	u64			operations;
--	u64			vdisk_size;
-+	u64			vdisk_size;		/* v1.1 */
- 	u64			max_xfer_size;
--	u64			resv2[2];
-+	u32			phys_block_size;	/* v1.2 */
-+	u32			resv2;
-+	u64			resv3[1];
- };
- 
- struct vio_disk_desc {
-@@ -259,7 +265,7 @@ static inline u32 vio_dring_avail(struct vio_dring_state *dr,
- 				  unsigned int ring_size)
- {
- 	return (dr->pending -
--		((dr->prod - dr->cons) & (ring_size - 1)));
-+		((dr->prod - dr->cons) & (ring_size - 1)) - 1);
- }
- 
- #define VIO_MAX_TYPE_LEN	32
-diff --git a/arch/sparc/kernel/pci_schizo.c b/arch/sparc/kernel/pci_schizo.c
-index 8f76f23..f9c6813 100644
---- a/arch/sparc/kernel/pci_schizo.c
-+++ b/arch/sparc/kernel/pci_schizo.c
-@@ -581,7 +581,7 @@ static irqreturn_t schizo_pcierr_intr_other(struct pci_pbm_info *pbm)
- {
- 	unsigned long csr_reg, csr, csr_error_bits;
- 	irqreturn_t ret = IRQ_NONE;
--	u16 stat;
-+	u32 stat;
- 
- 	csr_reg = pbm->pbm_regs + SCHIZO_PCI_CTRL;
- 	csr = upa_readq(csr_reg);
-@@ -617,7 +617,7 @@ static irqreturn_t schizo_pcierr_intr_other(struct pci_pbm_info *pbm)
- 			       pbm->name);
- 		ret = IRQ_HANDLED;
- 	}
--	pci_read_config_word(pbm->pci_bus->self, PCI_STATUS, &stat);
-+	pbm->pci_ops->read(pbm->pci_bus, 0, PCI_STATUS, 2, &stat);
- 	if (stat & (PCI_STATUS_PARITY |
- 		    PCI_STATUS_SIG_TARGET_ABORT |
- 		    PCI_STATUS_REC_TARGET_ABORT |
-@@ -625,7 +625,7 @@ static irqreturn_t schizo_pcierr_intr_other(struct pci_pbm_info *pbm)
- 		    PCI_STATUS_SIG_SYSTEM_ERROR)) {
- 		printk("%s: PCI bus error, PCI_STATUS[%04x]\n",
- 		       pbm->name, stat);
--		pci_write_config_word(pbm->pci_bus->self, PCI_STATUS, 0xffff);
-+		pbm->pci_ops->write(pbm->pci_bus, 0, PCI_STATUS, 2, 0xffff);
- 		ret = IRQ_HANDLED;
- 	}
- 	return ret;
-diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c
-index 50c3dd03..9af0a5d 100644
---- a/arch/sparc/kernel/smp_64.c
-+++ b/arch/sparc/kernel/smp_64.c
-@@ -823,13 +823,17 @@ void arch_send_call_function_single_ipi(int cpu)
- void __irq_entry smp_call_function_client(int irq, struct pt_regs *regs)
- {
- 	clear_softint(1 << irq);
-+	irq_enter();
- 	generic_smp_call_function_interrupt();
-+	irq_exit();
- }
- 
- void __irq_entry smp_call_function_single_client(int irq, struct pt_regs *regs)
- {
- 	clear_softint(1 << irq);
-+	irq_enter();
- 	generic_smp_call_function_single_interrupt();
-+	irq_exit();
- }
- 
- static void tsb_sync(void *info)
-diff --git a/arch/sparc/lib/atomic32.c b/arch/sparc/lib/atomic32.c
-index 1d32b54..8f2f94d 100644
---- a/arch/sparc/lib/atomic32.c
-+++ b/arch/sparc/lib/atomic32.c
-@@ -40,6 +40,19 @@ int __atomic_add_return(int i, atomic_t *v)
- }
- EXPORT_SYMBOL(__atomic_add_return);
- 
-+int atomic_xchg(atomic_t *v, int new)
-+{
-+	int ret;
-+	unsigned long flags;
-+
-+	spin_lock_irqsave(ATOMIC_HASH(v), flags);
-+	ret = v->counter;
-+	v->counter = new;
-+	spin_unlock_irqrestore(ATOMIC_HASH(v), flags);
-+	return ret;
-+}
-+EXPORT_SYMBOL(atomic_xchg);
-+
- int atomic_cmpxchg(atomic_t *v, int old, int new)
- {
- 	int ret;
-@@ -132,3 +145,17 @@ unsigned long __cmpxchg_u32(volatile u32 *ptr, u32 old, u32 new)
- 	return (unsigned long)prev;
- }
- EXPORT_SYMBOL(__cmpxchg_u32);
-+
-+unsigned long __xchg_u32(volatile u32 *ptr, u32 new)
-+{
-+	unsigned long flags;
-+	u32 prev;
-+
-+	spin_lock_irqsave(ATOMIC_HASH(ptr), flags);
-+	prev = *ptr;
-+	*ptr = new;
-+	spin_unlock_irqrestore(ATOMIC_HASH(ptr), flags);
-+
-+	return (unsigned long)prev;
-+}
-+EXPORT_SYMBOL(__xchg_u32);
-diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
-index 0fcd913..14fe7cb 100644
---- a/arch/x86/boot/compressed/Makefile
-+++ b/arch/x86/boot/compressed/Makefile
-@@ -75,8 +75,10 @@ suffix-$(CONFIG_KERNEL_XZ)	:= xz
- suffix-$(CONFIG_KERNEL_LZO) 	:= lzo
- suffix-$(CONFIG_KERNEL_LZ4) 	:= lz4
- 
-+RUN_SIZE = $(shell objdump -h vmlinux | \
-+	     perl $(srctree)/arch/x86/tools/calc_run_size.pl)
- quiet_cmd_mkpiggy = MKPIGGY $@
--      cmd_mkpiggy = $(obj)/mkpiggy $< > $@ || ( rm -f $@ ; false )
-+      cmd_mkpiggy = $(obj)/mkpiggy $< $(RUN_SIZE) > $@ || ( rm -f $@ ; false )
- 
- targets += piggy.S
- $(obj)/piggy.S: $(obj)/vmlinux.bin.$(suffix-y) $(obj)/mkpiggy FORCE
-diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
-index f45ab7a..c5b56ed 100644
---- a/arch/x86/boot/compressed/head_32.S
-+++ b/arch/x86/boot/compressed/head_32.S
-@@ -186,7 +186,8 @@ relocated:
-  * Do the decompression, and jump to the new kernel..
-  */
- 				/* push arguments for decompress_kernel: */
--	pushl	$z_output_len	/* decompressed length */
-+	pushl	$z_run_size	/* size of kernel with .bss and .brk */
-+	pushl	$z_output_len	/* decompressed length, end of relocs */
- 	leal	z_extract_offset_negative(%ebx), %ebp
- 	pushl	%ebp		/* output address */
- 	pushl	$z_input_len	/* input_len */
-@@ -196,7 +197,7 @@ relocated:
- 	pushl	%eax		/* heap area */
- 	pushl	%esi		/* real mode pointer */
- 	call	decompress_kernel /* returns kernel location in %eax */
--	addl	$24, %esp
-+	addl	$28, %esp
- 
- /*
-  * Jump to the decompressed kernel.
-diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
-index b10fa66..34bbc09 100644
---- a/arch/x86/boot/compressed/head_64.S
-+++ b/arch/x86/boot/compressed/head_64.S
-@@ -334,13 +334,16 @@ relocated:
-  * Do the decompression, and jump to the new kernel..
-  */
- 	pushq	%rsi			/* Save the real mode argument */
-+	movq	$z_run_size, %r9	/* size of kernel with .bss and .brk */
-+	pushq	%r9
- 	movq	%rsi, %rdi		/* real mode address */
- 	leaq	boot_heap(%rip), %rsi	/* malloc area for uncompression */
- 	leaq	input_data(%rip), %rdx  /* input_data */
- 	movl	$z_input_len, %ecx	/* input_len */
- 	movq	%rbp, %r8		/* output target address */
--	movq	$z_output_len, %r9	/* decompressed length */
-+	movq	$z_output_len, %r9	/* decompressed length, end of relocs */
- 	call	decompress_kernel	/* returns kernel location in %rax */
-+	popq	%r9
- 	popq	%rsi
- 
- /*
-diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
-index 196eaf3..eb25ca1 100644
---- a/arch/x86/boot/compressed/misc.c
-+++ b/arch/x86/boot/compressed/misc.c
-@@ -393,7 +393,8 @@ asmlinkage void *decompress_kernel(void *rmode, memptr heap,
- 				  unsigned char *input_data,
- 				  unsigned long input_len,
- 				  unsigned char *output,
--				  unsigned long output_len)
-+				  unsigned long output_len,
-+				  unsigned long run_size)
- {
- 	real_mode = rmode;
- 
-@@ -416,8 +417,14 @@ asmlinkage void *decompress_kernel(void *rmode, memptr heap,
- 	free_mem_ptr     = heap;	/* Heap */
- 	free_mem_end_ptr = heap + BOOT_HEAP_SIZE;
- 
--	output = choose_kernel_location(input_data, input_len,
--					output, output_len);
-+	/*
-+	 * The memory hole needed for the kernel is the larger of either
-+	 * the entire decompressed kernel plus relocation table, or the
-+	 * entire decompressed kernel plus .bss and .brk sections.
-+	 */
-+	output = choose_kernel_location(input_data, input_len, output,
-+					output_len > run_size ? output_len
-+							      : run_size);
- 
- 	/* Validate memory location choices. */
- 	if ((unsigned long)output & (MIN_KERNEL_ALIGN - 1))
-diff --git a/arch/x86/boot/compressed/mkpiggy.c b/arch/x86/boot/compressed/mkpiggy.c
-index b669ab6..d8222f2 100644
---- a/arch/x86/boot/compressed/mkpiggy.c
-+++ b/arch/x86/boot/compressed/mkpiggy.c
-@@ -36,11 +36,13 @@ int main(int argc, char *argv[])
- 	uint32_t olen;
- 	long ilen;
- 	unsigned long offs;
-+	unsigned long run_size;
- 	FILE *f = NULL;
- 	int retval = 1;
- 
--	if (argc < 2) {
--		fprintf(stderr, "Usage: %s compressed_file\n", argv[0]);
-+	if (argc < 3) {
-+		fprintf(stderr, "Usage: %s compressed_file run_size\n",
-+				argv[0]);
- 		goto bail;
- 	}
- 
-@@ -74,6 +76,7 @@ int main(int argc, char *argv[])
- 	offs += olen >> 12;	/* Add 8 bytes for each 32K block */
- 	offs += 64*1024 + 128;	/* Add 64K + 128 bytes slack */
- 	offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
-+	run_size = atoi(argv[2]);
- 
- 	printf(".section \".rodata..compressed\",\"a\",@progbits\n");
- 	printf(".globl z_input_len\n");
-@@ -85,6 +88,8 @@ int main(int argc, char *argv[])
- 	/* z_extract_offset_negative allows simplification of head_32.S */
- 	printf(".globl z_extract_offset_negative\n");
- 	printf("z_extract_offset_negative = -0x%lx\n", offs);
-+	printf(".globl z_run_size\n");
-+	printf("z_run_size = %lu\n", run_size);
- 
- 	printf(".globl input_data, input_data_end\n");
- 	printf("input_data:\n");
-diff --git a/arch/x86/kernel/cpu/microcode/amd_early.c b/arch/x86/kernel/cpu/microcode/amd_early.c
-index 617a9e2..b63773b 100644
---- a/arch/x86/kernel/cpu/microcode/amd_early.c
-+++ b/arch/x86/kernel/cpu/microcode/amd_early.c
-@@ -108,12 +108,13 @@ static size_t compute_container_size(u8 *data, u32 total_size)
-  * load_microcode_amd() to save equivalent cpu table and microcode patches in
-  * kernel heap memory.
-  */
--static void apply_ucode_in_initrd(void *ucode, size_t size)
-+static void apply_ucode_in_initrd(void *ucode, size_t size, bool save_patch)
- {
- 	struct equiv_cpu_entry *eq;
- 	size_t *cont_sz;
- 	u32 *header;
- 	u8  *data, **cont;
-+	u8 (*patch)[PATCH_MAX_SIZE];
- 	u16 eq_id = 0;
- 	int offset, left;
- 	u32 rev, eax, ebx, ecx, edx;
-@@ -123,10 +124,12 @@ static void apply_ucode_in_initrd(void *ucode, size_t size)
- 	new_rev = (u32 *)__pa_nodebug(&ucode_new_rev);
- 	cont_sz = (size_t *)__pa_nodebug(&container_size);
- 	cont	= (u8 **)__pa_nodebug(&container);
-+	patch	= (u8 (*)[PATCH_MAX_SIZE])__pa_nodebug(&amd_ucode_patch);
- #else
- 	new_rev = &ucode_new_rev;
- 	cont_sz = &container_size;
- 	cont	= &container;
-+	patch	= &amd_ucode_patch;
- #endif
- 
- 	data   = ucode;
-@@ -213,9 +216,9 @@ static void apply_ucode_in_initrd(void *ucode, size_t size)
- 				rev = mc->hdr.patch_id;
- 				*new_rev = rev;
- 
--				/* save ucode patch */
--				memcpy(amd_ucode_patch, mc,
--				       min_t(u32, header[1], PATCH_MAX_SIZE));
-+				if (save_patch)
-+					memcpy(patch, mc,
-+					       min_t(u32, header[1], PATCH_MAX_SIZE));
- 			}
- 		}
- 
-@@ -246,7 +249,7 @@ void __init load_ucode_amd_bsp(void)
- 	*data = cp.data;
- 	*size = cp.size;
- 
--	apply_ucode_in_initrd(cp.data, cp.size);
-+	apply_ucode_in_initrd(cp.data, cp.size, true);
- }
- 
- #ifdef CONFIG_X86_32
-@@ -263,7 +266,7 @@ void load_ucode_amd_ap(void)
- 	size_t *usize;
- 	void **ucode;
- 
--	mc = (struct microcode_amd *)__pa(amd_ucode_patch);
-+	mc = (struct microcode_amd *)__pa_nodebug(amd_ucode_patch);
- 	if (mc->hdr.patch_id && mc->hdr.processor_rev_id) {
- 		__apply_microcode_amd(mc);
- 		return;
-@@ -275,7 +278,7 @@ void load_ucode_amd_ap(void)
- 	if (!*ucode || !*usize)
- 		return;
- 
--	apply_ucode_in_initrd(*ucode, *usize);
-+	apply_ucode_in_initrd(*ucode, *usize, false);
- }
- 
- static void __init collect_cpu_sig_on_bsp(void *arg)
-@@ -339,7 +342,7 @@ void load_ucode_amd_ap(void)
- 		 * AP has a different equivalence ID than BSP, looks like
- 		 * mixed-steppings silicon so go through the ucode blob anew.
- 		 */
--		apply_ucode_in_initrd(ucode_cpio.data, ucode_cpio.size);
-+		apply_ucode_in_initrd(ucode_cpio.data, ucode_cpio.size, false);
- 	}
- }
- #endif
-@@ -347,7 +350,9 @@ void load_ucode_amd_ap(void)
- int __init save_microcode_in_initrd_amd(void)
- {
- 	unsigned long cont;
-+	int retval = 0;
- 	enum ucode_state ret;
-+	u8 *cont_va;
- 	u32 eax;
- 
- 	if (!container)
-@@ -355,13 +360,15 @@ int __init save_microcode_in_initrd_amd(void)
- 
- #ifdef CONFIG_X86_32
- 	get_bsp_sig();
--	cont = (unsigned long)container;
-+	cont	= (unsigned long)container;
-+	cont_va = __va(container);
- #else
- 	/*
- 	 * We need the physical address of the container for both bitness since
- 	 * boot_params.hdr.ramdisk_image is a physical address.
- 	 */
--	cont = __pa(container);
-+	cont    = __pa(container);
-+	cont_va = container;
- #endif
- 
- 	/*
-@@ -372,6 +379,8 @@ int __init save_microcode_in_initrd_amd(void)
- 	if (relocated_ramdisk)
- 		container = (u8 *)(__va(relocated_ramdisk) +
- 			     (cont - boot_params.hdr.ramdisk_image));
-+	else
-+		container = cont_va;
- 
- 	if (ucode_new_rev)
- 		pr_info("microcode: updated early to new patch_level=0x%08x\n",
-@@ -382,7 +391,7 @@ int __init save_microcode_in_initrd_amd(void)
- 
- 	ret = load_microcode_amd(eax, container, container_size);
- 	if (ret != UCODE_OK)
--		return -EINVAL;
-+		retval = -EINVAL;
- 
- 	/*
- 	 * This will be freed any msec now, stash patches for the current
-@@ -391,5 +400,5 @@ int __init save_microcode_in_initrd_amd(void)
- 	container = NULL;
- 	container_size = 0;
- 
--	return 0;
-+	return retval;
- }
-diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
-index 1340ebf..5ee8064 100644
---- a/arch/x86/kernel/cpu/perf_event_intel.c
-+++ b/arch/x86/kernel/cpu/perf_event_intel.c
-@@ -2475,6 +2475,9 @@ __init int intel_pmu_init(void)
- 	case 62: /* IvyBridge EP */
- 		memcpy(hw_cache_event_ids, snb_hw_cache_event_ids,
- 		       sizeof(hw_cache_event_ids));
-+		/* dTLB-load-misses on IVB is different than SNB */
-+		hw_cache_event_ids[C(DTLB)][C(OP_READ)][C(RESULT_MISS)] = 0x8108; /* DTLB_LOAD_MISSES.DEMAND_LD_MISS_CAUSES_A_WALK */
-+
- 		memcpy(hw_cache_extra_regs, snb_hw_cache_extra_regs,
- 		       sizeof(hw_cache_extra_regs));
- 
-diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
-index 7461f50..0686fe3 100644
---- a/arch/x86/kernel/ptrace.c
-+++ b/arch/x86/kernel/ptrace.c
-@@ -1441,15 +1441,6 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
- 	force_sig_info(SIGTRAP, &info, tsk);
- }
- 
--
--#ifdef CONFIG_X86_32
--# define IS_IA32	1
--#elif defined CONFIG_IA32_EMULATION
--# define IS_IA32	is_compat_task()
--#else
--# define IS_IA32	0
--#endif
--
- /*
-  * We must return the syscall number to actually look up in the table.
-  * This can be -1L to skip running any syscall at all.
-@@ -1487,7 +1478,7 @@ long syscall_trace_enter(struct pt_regs *regs)
- 	if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
- 		trace_sys_enter(regs, regs->orig_ax);
- 
--	if (IS_IA32)
-+	if (is_ia32_task())
- 		audit_syscall_entry(AUDIT_ARCH_I386,
- 				    regs->orig_ax,
- 				    regs->bx, regs->cx,
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 51c2851..fab97ad 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -4911,7 +4911,7 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu)
- 
- 	++vcpu->stat.insn_emulation_fail;
- 	trace_kvm_emulate_insn_failed(vcpu);
--	if (!is_guest_mode(vcpu)) {
-+	if (!is_guest_mode(vcpu) && kvm_x86_ops->get_cpl(vcpu) == 0) {
- 		vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
- 		vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
- 		vcpu->run->internal.ndata = 0;
-diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
-index c96314a..0004ac7 100644
---- a/arch/x86/mm/pgtable.c
-+++ b/arch/x86/mm/pgtable.c
-@@ -399,13 +399,20 @@ int pmdp_test_and_clear_young(struct vm_area_struct *vma,
- int ptep_clear_flush_young(struct vm_area_struct *vma,
- 			   unsigned long address, pte_t *ptep)
- {
--	int young;
--
--	young = ptep_test_and_clear_young(vma, address, ptep);
--	if (young)
--		flush_tlb_page(vma, address);
--
--	return young;
-+	/*
-+	 * On x86 CPUs, clearing the accessed bit without a TLB flush
-+	 * doesn't cause data corruption. [ It could cause incorrect
-+	 * page aging and the (mistaken) reclaim of hot pages, but the
-+	 * chance of that should be relatively low. ]
-+	 *
-+	 * So as a performance optimization don't flush the TLB when
-+	 * clearing the accessed bit, it will eventually be flushed by
-+	 * a context switch or a VM operation anyway. [ In the rare
-+	 * event of it not getting flushed for a long time the delay
-+	 * shouldn't really matter because there's no real memory
-+	 * pressure for swapout to react to. ]
-+	 */
-+	return ptep_test_and_clear_young(vma, address, ptep);
- }
- 
- #ifdef CONFIG_TRANSPARENT_HUGEPAGE
-diff --git a/arch/x86/tools/calc_run_size.pl b/arch/x86/tools/calc_run_size.pl
-new file mode 100644
-index 0000000..0b0b124
---- /dev/null
-+++ b/arch/x86/tools/calc_run_size.pl
-@@ -0,0 +1,30 @@
-+#!/usr/bin/perl
-+#
-+# Calculate the amount of space needed to run the kernel, including room for
-+# the .bss and .brk sections.
-+#
-+# Usage:
-+# objdump -h a.out | perl calc_run_size.pl
-+use strict;
-+
-+my $mem_size = 0;
-+my $file_offset = 0;
-+
-+my $sections=" *[0-9]+ \.(?:bss|brk) +";
-+while (<>) {
-+	if (/^$sections([0-9a-f]+) +(?:[0-9a-f]+ +){2}([0-9a-f]+)/) {
-+		my $size = hex($1);
-+		my $offset = hex($2);
-+		$mem_size += $size;
-+		if ($file_offset == 0) {
-+			$file_offset = $offset;
-+		} elsif ($file_offset != $offset) {
-+			die ".bss and .brk lack common file offset\n";
-+		}
-+	}
-+}
-+
-+if ($file_offset == 0) {
-+	die "Never found .bss or .brk file offset\n";
-+}
-+printf("%d\n", $mem_size + $file_offset);
-diff --git a/arch/xtensa/include/uapi/asm/unistd.h b/arch/xtensa/include/uapi/asm/unistd.h
-index b939552..50084f7 100644
---- a/arch/xtensa/include/uapi/asm/unistd.h
-+++ b/arch/xtensa/include/uapi/asm/unistd.h
-@@ -384,7 +384,8 @@ __SYSCALL(174, sys_chroot, 1)
- #define __NR_pivot_root 			175
- __SYSCALL(175, sys_pivot_root, 2)
- #define __NR_umount 				176
--__SYSCALL(176, sys_umount, 2)
-+__SYSCALL(176, sys_oldumount, 1)
-+#define __ARCH_WANT_SYS_OLDUMOUNT
- #define __NR_swapoff 				177
- __SYSCALL(177, sys_swapoff, 1)
- #define __NR_sync 				178
-diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
-index 00663d6..e662f14 100644
---- a/drivers/ata/ahci.c
-+++ b/drivers/ata/ahci.c
-@@ -61,6 +61,7 @@ enum board_ids {
- 	/* board IDs by feature in alphabetical order */
- 	board_ahci,
- 	board_ahci_ign_iferr,
-+	board_ahci_nomsi,
- 	board_ahci_noncq,
- 	board_ahci_nosntf,
- 	board_ahci_yes_fbs,
-@@ -122,6 +123,13 @@ static const struct ata_port_info ahci_port_info[] = {
- 		.udma_mask	= ATA_UDMA6,
- 		.port_ops	= &ahci_ops,
- 	},
-+	[board_ahci_nomsi] = {
-+		AHCI_HFLAGS	(AHCI_HFLAG_NO_MSI),
-+		.flags		= AHCI_FLAG_COMMON,
-+		.pio_mask	= ATA_PIO4,
-+		.udma_mask	= ATA_UDMA6,
-+		.port_ops	= &ahci_ops,
-+	},
- 	[board_ahci_noncq] = {
- 		AHCI_HFLAGS	(AHCI_HFLAG_NO_NCQ),
- 		.flags		= AHCI_FLAG_COMMON,
-@@ -314,6 +322,11 @@ static const struct pci_device_id ahci_pci_tbl[] = {
- 	{ PCI_VDEVICE(INTEL, 0x8c87), board_ahci }, /* 9 Series RAID */
- 	{ PCI_VDEVICE(INTEL, 0x8c8e), board_ahci }, /* 9 Series RAID */
- 	{ PCI_VDEVICE(INTEL, 0x8c8f), board_ahci }, /* 9 Series RAID */
-+	{ PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H AHCI */
-+	{ PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H RAID */
-+	{ PCI_VDEVICE(INTEL, 0xa105), board_ahci }, /* Sunrise Point-H RAID */
-+	{ PCI_VDEVICE(INTEL, 0xa107), board_ahci }, /* Sunrise Point-H RAID */
-+	{ PCI_VDEVICE(INTEL, 0xa10f), board_ahci }, /* Sunrise Point-H RAID */
- 
- 	/* JMicron 360/1/3/5/6, match class to avoid IDE function */
- 	{ PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
-@@ -476,10 +489,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
- 	{ PCI_VDEVICE(ASMEDIA, 0x0612), board_ahci },	/* ASM1062 */
- 
- 	/*
--	 * Samsung SSDs found on some macbooks.  NCQ times out.
--	 * https://bugzilla.kernel.org/show_bug.cgi?id=60731
-+	 * Samsung SSDs found on some macbooks.  NCQ times out if MSI is
-+	 * enabled.  https://bugzilla.kernel.org/show_bug.cgi?id=60731
- 	 */
--	{ PCI_VDEVICE(SAMSUNG, 0x1600), board_ahci_noncq },
-+	{ PCI_VDEVICE(SAMSUNG, 0x1600), board_ahci_nomsi },
- 
- 	/* Enmotus */
- 	{ PCI_DEVICE(0x1c44, 0x8000), board_ahci },
-diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c
-index 2b25bd8..c1ea780 100644
---- a/drivers/ata/sata_rcar.c
-+++ b/drivers/ata/sata_rcar.c
-@@ -146,6 +146,7 @@
- enum sata_rcar_type {
- 	RCAR_GEN1_SATA,
- 	RCAR_GEN2_SATA,
-+	RCAR_R8A7790_ES1_SATA,
- };
- 
- struct sata_rcar_priv {
-@@ -763,6 +764,9 @@ static void sata_rcar_setup_port(struct ata_host *host)
- 	ap->udma_mask	= ATA_UDMA6;
- 	ap->flags	|= ATA_FLAG_SATA;
- 
-+	if (priv->type == RCAR_R8A7790_ES1_SATA)
-+		ap->flags	|= ATA_FLAG_NO_DIPM;
-+
- 	ioaddr->cmd_addr = base + SDATA_REG;
- 	ioaddr->ctl_addr = base + SSDEVCON_REG;
- 	ioaddr->scr_addr = base + SCRSSTS_REG;
-@@ -792,6 +796,7 @@ static void sata_rcar_init_controller(struct ata_host *host)
- 		sata_rcar_gen1_phy_init(priv);
- 		break;
- 	case RCAR_GEN2_SATA:
-+	case RCAR_R8A7790_ES1_SATA:
- 		sata_rcar_gen2_phy_init(priv);
- 		break;
- 	default:
-@@ -838,6 +843,10 @@ static struct of_device_id sata_rcar_match[] = {
- 		.data = (void *)RCAR_GEN2_SATA
- 	},
- 	{
-+		.compatible = "renesas,sata-r8a7790-es1",
-+		.data = (void *)RCAR_R8A7790_ES1_SATA
-+	},
-+	{
- 		.compatible = "renesas,sata-r8a7791",
- 		.data = (void *)RCAR_GEN2_SATA
- 	},
-@@ -849,6 +858,7 @@ static const struct platform_device_id sata_rcar_id_table[] = {
- 	{ "sata_rcar", RCAR_GEN1_SATA }, /* Deprecated by "sata-r8a7779" */
- 	{ "sata-r8a7779", RCAR_GEN1_SATA },
- 	{ "sata-r8a7790", RCAR_GEN2_SATA },
-+	{ "sata-r8a7790-es1", RCAR_R8A7790_ES1_SATA },
- 	{ "sata-r8a7791", RCAR_GEN2_SATA },
- 	{ },
- };
-diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
-index f6cff3b..2f9a3d8 100644
---- a/drivers/base/regmap/regmap.c
-+++ b/drivers/base/regmap/regmap.c
-@@ -1557,8 +1557,10 @@ int regmap_bulk_write(struct regmap *map, unsigned int reg, const void *val,
- 	} else {
- 		void *wval;
- 
--		if (!val_count)
--			return -EINVAL;
-+		if (!val_count) {
-+			ret = -EINVAL;
-+			goto out;
-+		}
- 
- 		wval = kmemdup(val, val_count * val_bytes, GFP_KERNEL);
- 		if (!wval) {
-diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c
-index 5814deb..0ebadf9 100644
---- a/drivers/block/sunvdc.c
-+++ b/drivers/block/sunvdc.c
-@@ -9,6 +9,7 @@
- #include <linux/blkdev.h>
- #include <linux/hdreg.h>
- #include <linux/genhd.h>
-+#include <linux/cdrom.h>
- #include <linux/slab.h>
- #include <linux/spinlock.h>
- #include <linux/completion.h>
-@@ -22,8 +23,8 @@
- 
- #define DRV_MODULE_NAME		"sunvdc"
- #define PFX DRV_MODULE_NAME	": "
--#define DRV_MODULE_VERSION	"1.0"
--#define DRV_MODULE_RELDATE	"June 25, 2007"
-+#define DRV_MODULE_VERSION	"1.1"
-+#define DRV_MODULE_RELDATE	"February 13, 2013"
- 
- static char version[] =
- 	DRV_MODULE_NAME ".c:v" DRV_MODULE_VERSION " (" DRV_MODULE_RELDATE ")\n";
-@@ -32,7 +33,7 @@ MODULE_DESCRIPTION("Sun LDOM virtual disk client driver");
- MODULE_LICENSE("GPL");
- MODULE_VERSION(DRV_MODULE_VERSION);
- 
--#define VDC_TX_RING_SIZE	256
-+#define VDC_TX_RING_SIZE	512
- 
- #define WAITING_FOR_LINK_UP	0x01
- #define WAITING_FOR_TX_SPACE	0x02
-@@ -65,11 +66,9 @@ struct vdc_port {
- 	u64			operations;
- 	u32			vdisk_size;
- 	u8			vdisk_type;
-+	u8			vdisk_mtype;
- 
- 	char			disk_name[32];
--
--	struct vio_disk_geom	geom;
--	struct vio_disk_vtoc	label;
- };
- 
- static inline struct vdc_port *to_vdc_port(struct vio_driver_state *vio)
-@@ -79,9 +78,16 @@ static inline struct vdc_port *to_vdc_port(struct vio_driver_state *vio)
- 
- /* Ordered from largest major to lowest */
- static struct vio_version vdc_versions[] = {
-+	{ .major = 1, .minor = 1 },
- 	{ .major = 1, .minor = 0 },
- };
- 
-+static inline int vdc_version_supported(struct vdc_port *port,
-+					u16 major, u16 minor)
-+{
-+	return port->vio.ver.major == major && port->vio.ver.minor >= minor;
-+}
-+
- #define VDCBLK_NAME	"vdisk"
- static int vdc_major;
- #define PARTITION_SHIFT	3
-@@ -94,18 +100,54 @@ static inline u32 vdc_tx_dring_avail(struct vio_dring_state *dr)
- static int vdc_getgeo(struct block_device *bdev, struct hd_geometry *geo)
- {
- 	struct gendisk *disk = bdev->bd_disk;
--	struct vdc_port *port = disk->private_data;
-+	sector_t nsect = get_capacity(disk);
-+	sector_t cylinders = nsect;
- 
--	geo->heads = (u8) port->geom.num_hd;
--	geo->sectors = (u8) port->geom.num_sec;
--	geo->cylinders = port->geom.num_cyl;
-+	geo->heads = 0xff;
-+	geo->sectors = 0x3f;
-+	sector_div(cylinders, geo->heads * geo->sectors);
-+	geo->cylinders = cylinders;
-+	if ((sector_t)(geo->cylinders + 1) * geo->heads * geo->sectors < nsect)
-+		geo->cylinders = 0xffff;
- 
- 	return 0;
- }
- 
-+/* Add ioctl/CDROM_GET_CAPABILITY to support cdrom_id in udev
-+ * when vdisk_mtype is VD_MEDIA_TYPE_CD or VD_MEDIA_TYPE_DVD.
-+ * Needed to be able to install inside an ldom from an iso image.
-+ */
-+static int vdc_ioctl(struct block_device *bdev, fmode_t mode,
-+		     unsigned command, unsigned long argument)
-+{
-+	int i;
-+	struct gendisk *disk;
-+
-+	switch (command) {
-+	case CDROMMULTISESSION:
-+		pr_debug(PFX "Multisession CDs not supported\n");
-+		for (i = 0; i < sizeof(struct cdrom_multisession); i++)
-+			if (put_user(0, (char __user *)(argument + i)))
-+				return -EFAULT;
-+		return 0;
-+
-+	case CDROM_GET_CAPABILITY:
-+		disk = bdev->bd_disk;
-+
-+		if (bdev->bd_disk && (disk->flags & GENHD_FL_CD))
-+			return 0;
-+		return -EINVAL;
-+
-+	default:
-+		pr_debug(PFX "ioctl %08x not supported\n", command);
-+		return -EINVAL;
-+	}
-+}
-+
- static const struct block_device_operations vdc_fops = {
- 	.owner		= THIS_MODULE,
- 	.getgeo		= vdc_getgeo,
-+	.ioctl		= vdc_ioctl,
- };
- 
- static void vdc_finish(struct vio_driver_state *vio, int err, int waiting_for)
-@@ -165,9 +207,9 @@ static int vdc_handle_attr(struct vio_driver_state *vio, void *arg)
- 	struct vio_disk_attr_info *pkt = arg;
- 
- 	viodbg(HS, "GOT ATTR stype[0x%x] ops[%llx] disk_size[%llu] disk_type[%x] "
--	       "xfer_mode[0x%x] blksz[%u] max_xfer[%llu]\n",
-+	       "mtype[0x%x] xfer_mode[0x%x] blksz[%u] max_xfer[%llu]\n",
- 	       pkt->tag.stype, pkt->operations,
--	       pkt->vdisk_size, pkt->vdisk_type,
-+	       pkt->vdisk_size, pkt->vdisk_type, pkt->vdisk_mtype,
- 	       pkt->xfer_mode, pkt->vdisk_block_size,
- 	       pkt->max_xfer_size);
- 
-@@ -192,8 +234,11 @@ static int vdc_handle_attr(struct vio_driver_state *vio, void *arg)
- 		}
- 
- 		port->operations = pkt->operations;
--		port->vdisk_size = pkt->vdisk_size;
- 		port->vdisk_type = pkt->vdisk_type;
-+		if (vdc_version_supported(port, 1, 1)) {
-+			port->vdisk_size = pkt->vdisk_size;
-+			port->vdisk_mtype = pkt->vdisk_mtype;
-+		}
- 		if (pkt->max_xfer_size < port->max_xfer_size)
- 			port->max_xfer_size = pkt->max_xfer_size;
- 		port->vdisk_block_size = pkt->vdisk_block_size;
-@@ -236,7 +281,9 @@ static void vdc_end_one(struct vdc_port *port, struct vio_dring_state *dr,
- 
- 	__blk_end_request(req, (desc->status ? -EIO : 0), desc->size);
- 
--	if (blk_queue_stopped(port->disk->queue))
-+	/* restart blk queue when ring is half emptied */
-+	if (blk_queue_stopped(port->disk->queue) &&
-+	    vdc_tx_dring_avail(dr) * 100 / VDC_TX_RING_SIZE >= 50)
- 		blk_start_queue(port->disk->queue);
- }
- 
-@@ -388,12 +435,6 @@ static int __send_request(struct request *req)
- 	for (i = 0; i < nsg; i++)
- 		len += sg[i].length;
- 
--	if (unlikely(vdc_tx_dring_avail(dr) < 1)) {
--		blk_stop_queue(port->disk->queue);
--		err = -ENOMEM;
--		goto out;
--	}
--
- 	desc = vio_dring_cur(dr);
- 
- 	err = ldc_map_sg(port->vio.lp, sg, nsg,
-@@ -433,21 +474,32 @@ static int __send_request(struct request *req)
- 		port->req_id++;
- 		dr->prod = (dr->prod + 1) & (VDC_TX_RING_SIZE - 1);
- 	}
--out:
- 
- 	return err;
- }
- 
--static void do_vdc_request(struct request_queue *q)
-+static void do_vdc_request(struct request_queue *rq)
- {
--	while (1) {
--		struct request *req = blk_fetch_request(q);
-+	struct request *req;
- 
--		if (!req)
--			break;
-+	while ((req = blk_peek_request(rq)) != NULL) {
-+		struct vdc_port *port;
-+		struct vio_dring_state *dr;
- 
--		if (__send_request(req) < 0)
--			__blk_end_request_all(req, -EIO);
-+		port = req->rq_disk->private_data;
-+		dr = &port->vio.drings[VIO_DRIVER_TX_RING];
-+		if (unlikely(vdc_tx_dring_avail(dr) < 1))
-+			goto wait;
-+
-+		blk_start_request(req);
-+
-+		if (__send_request(req) < 0) {
-+			blk_requeue_request(rq, req);
-+wait:
-+			/* Avoid pointless unplugs. */
-+			blk_stop_queue(rq);
-+			break;
-+		}
- 	}
- }
- 
-@@ -656,25 +708,27 @@ static int probe_disk(struct vdc_port *port)
- 	if (comp.err)
- 		return comp.err;
- 
--	err = generic_request(port, VD_OP_GET_VTOC,
--			      &port->label, sizeof(port->label));
--	if (err < 0) {
--		printk(KERN_ERR PFX "VD_OP_GET_VTOC returns error %d\n", err);
--		return err;
--	}
--
--	err = generic_request(port, VD_OP_GET_DISKGEOM,
--			      &port->geom, sizeof(port->geom));
--	if (err < 0) {
--		printk(KERN_ERR PFX "VD_OP_GET_DISKGEOM returns "
--		       "error %d\n", err);
--		return err;
-+	if (vdc_version_supported(port, 1, 1)) {
-+		/* vdisk_size should be set during the handshake, if it wasn't
-+		 * then the underlying disk is reserved by another system
-+		 */
-+		if (port->vdisk_size == -1)
-+			return -ENODEV;
-+	} else {
-+		struct vio_disk_geom geom;
-+
-+		err = generic_request(port, VD_OP_GET_DISKGEOM,
-+				      &geom, sizeof(geom));
-+		if (err < 0) {
-+			printk(KERN_ERR PFX "VD_OP_GET_DISKGEOM returns "
-+			       "error %d\n", err);
-+			return err;
-+		}
-+		port->vdisk_size = ((u64)geom.num_cyl *
-+				    (u64)geom.num_hd *
-+				    (u64)geom.num_sec);
- 	}
- 
--	port->vdisk_size = ((u64)port->geom.num_cyl *
--			    (u64)port->geom.num_hd *
--			    (u64)port->geom.num_sec);
--
- 	q = blk_init_queue(do_vdc_request, &port->vio.lock);
- 	if (!q) {
- 		printk(KERN_ERR PFX "%s: Could not allocate queue.\n",
-@@ -691,6 +745,10 @@ static int probe_disk(struct vdc_port *port)
- 
- 	port->disk = g;
- 
-+	/* Each segment in a request is up to an aligned page in size. */
-+	blk_queue_segment_boundary(q, PAGE_SIZE - 1);
-+	blk_queue_max_segment_size(q, PAGE_SIZE);
-+
- 	blk_queue_max_segments(q, port->ring_cookies);
- 	blk_queue_max_hw_sectors(q, port->max_xfer_size);
- 	g->major = vdc_major;
-@@ -704,9 +762,32 @@ static int probe_disk(struct vdc_port *port)
- 
- 	set_capacity(g, port->vdisk_size);
- 
--	printk(KERN_INFO PFX "%s: %u sectors (%u MB)\n",
-+	if (vdc_version_supported(port, 1, 1)) {
-+		switch (port->vdisk_mtype) {
-+		case VD_MEDIA_TYPE_CD:
-+			pr_info(PFX "Virtual CDROM %s\n", port->disk_name);
-+			g->flags |= GENHD_FL_CD;
-+			g->flags |= GENHD_FL_REMOVABLE;
-+			set_disk_ro(g, 1);
-+			break;
-+
-+		case VD_MEDIA_TYPE_DVD:
-+			pr_info(PFX "Virtual DVD %s\n", port->disk_name);
-+			g->flags |= GENHD_FL_CD;
-+			g->flags |= GENHD_FL_REMOVABLE;
-+			set_disk_ro(g, 1);
-+			break;
-+
-+		case VD_MEDIA_TYPE_FIXED:
-+			pr_info(PFX "Virtual Hard disk %s\n", port->disk_name);
-+			break;
-+		}
-+	}
-+
-+	pr_info(PFX "%s: %u sectors (%u MB) protocol %d.%d\n",
- 	       g->disk_name,
--	       port->vdisk_size, (port->vdisk_size >> (20 - 9)));
-+	       port->vdisk_size, (port->vdisk_size >> (20 - 9)),
-+	       port->vio.ver.major, port->vio.ver.minor);
- 
- 	add_disk(g);
- 
-@@ -765,6 +846,7 @@ static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
- 	else
- 		snprintf(port->disk_name, sizeof(port->disk_name),
- 			 VDCBLK_NAME "%c", 'a' + ((int)vdev->dev_no % 26));
-+	port->vdisk_size = -1;
- 
- 	err = vio_driver_init(&port->vio, vdev, VDEV_DISK,
- 			      vdc_versions, ARRAY_SIZE(vdc_versions),
-diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
-index 51c557c..d8ddb8e 100644
---- a/drivers/block/zram/zram_drv.c
-+++ b/drivers/block/zram/zram_drv.c
-@@ -447,7 +447,8 @@ static int zram_bvec_write(struct zram *zram, struct bio_vec *bvec, u32 index,
- 	}
- 
- 	if (page_zero_filled(uncmem)) {
--		kunmap_atomic(user_mem);
-+		if (user_mem)
-+			kunmap_atomic(user_mem);
- 		/* Free memory associated with this sector now. */
- 		write_lock(&zram->meta->tb_lock);
- 		zram_free_page(zram, index);
-diff --git a/drivers/char/hw_random/pseries-rng.c b/drivers/char/hw_random/pseries-rng.c
-index ab7ffde..f38f2c1 100644
---- a/drivers/char/hw_random/pseries-rng.c
-+++ b/drivers/char/hw_random/pseries-rng.c
-@@ -25,18 +25,21 @@
- #include <asm/vio.h>
- 
- 
--static int pseries_rng_data_read(struct hwrng *rng, u32 *data)
-+static int pseries_rng_read(struct hwrng *rng, void *data, size_t max, bool wait)
- {
-+	u64 buffer[PLPAR_HCALL_BUFSIZE];
-+	size_t size = max < 8 ? max : 8;
- 	int rc;
- 
--	rc = plpar_hcall(H_RANDOM, (unsigned long *)data);
-+	rc = plpar_hcall(H_RANDOM, (unsigned long *)buffer);
- 	if (rc != H_SUCCESS) {
- 		pr_err_ratelimited("H_RANDOM call failed %d\n", rc);
- 		return -EIO;
- 	}
-+	memcpy(data, buffer, size);
- 
- 	/* The hypervisor interface returns 64 bits */
--	return 8;
-+	return size;
- }
- 
- /**
-@@ -55,7 +58,7 @@ static unsigned long pseries_rng_get_desired_dma(struct vio_dev *vdev)
- 
- static struct hwrng pseries_rng = {
- 	.name		= KBUILD_MODNAME,
--	.data_read	= pseries_rng_data_read,
-+	.read		= pseries_rng_read,
- };
- 
- static int __init pseries_rng_probe(struct vio_dev *dev,
-diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
-index a412745..d97a03d 100644
---- a/drivers/crypto/caam/caamhash.c
-+++ b/drivers/crypto/caam/caamhash.c
-@@ -835,8 +835,9 @@ static int ahash_update_ctx(struct ahash_request *req)
- 					   edesc->sec4_sg + sec4_sg_src_index,
- 					   chained);
- 			if (*next_buflen) {
--				sg_copy_part(next_buf, req->src, to_hash -
--					     *buflen, req->nbytes);
-+				scatterwalk_map_and_copy(next_buf, req->src,
-+							 to_hash - *buflen,
-+							 *next_buflen, 0);
- 				state->current_buf = !state->current_buf;
- 			}
- 		} else {
-@@ -869,7 +870,8 @@ static int ahash_update_ctx(struct ahash_request *req)
- 			kfree(edesc);
- 		}
- 	} else if (*next_buflen) {
--		sg_copy(buf + *buflen, req->src, req->nbytes);
-+		scatterwalk_map_and_copy(buf + *buflen, req->src, 0,
-+					 req->nbytes, 0);
- 		*buflen = *next_buflen;
- 		*next_buflen = last_buflen;
- 	}
-@@ -1216,8 +1218,9 @@ static int ahash_update_no_ctx(struct ahash_request *req)
- 		src_map_to_sec4_sg(jrdev, req->src, src_nents,
- 				   edesc->sec4_sg + 1, chained);
- 		if (*next_buflen) {
--			sg_copy_part(next_buf, req->src, to_hash - *buflen,
--				    req->nbytes);
-+			scatterwalk_map_and_copy(next_buf, req->src,
-+						 to_hash - *buflen,
-+						 *next_buflen, 0);
- 			state->current_buf = !state->current_buf;
- 		}
- 
-@@ -1248,7 +1251,8 @@ static int ahash_update_no_ctx(struct ahash_request *req)
- 			kfree(edesc);
- 		}
- 	} else if (*next_buflen) {
--		sg_copy(buf + *buflen, req->src, req->nbytes);
-+		scatterwalk_map_and_copy(buf + *buflen, req->src, 0,
-+					 req->nbytes, 0);
- 		*buflen = *next_buflen;
- 		*next_buflen = 0;
- 	}
-@@ -1405,7 +1409,8 @@ static int ahash_update_first(struct ahash_request *req)
- 		}
- 
- 		if (*next_buflen)
--			sg_copy_part(next_buf, req->src, to_hash, req->nbytes);
-+			scatterwalk_map_and_copy(next_buf, req->src, to_hash,
-+						 *next_buflen, 0);
- 
- 		sh_len = desc_len(sh_desc);
- 		desc = edesc->hw_desc;
-@@ -1438,7 +1443,8 @@ static int ahash_update_first(struct ahash_request *req)
- 		state->update = ahash_update_no_ctx;
- 		state->finup = ahash_finup_no_ctx;
- 		state->final = ahash_final_no_ctx;
--		sg_copy(next_buf, req->src, req->nbytes);
-+		scatterwalk_map_and_copy(next_buf, req->src, 0,
-+					 req->nbytes, 0);
- 	}
- #ifdef DEBUG
- 	print_hex_dump(KERN_ERR, "next buf@"__stringify(__LINE__)": ",
-diff --git a/drivers/crypto/caam/key_gen.c b/drivers/crypto/caam/key_gen.c
-index ea2e406..b872eed 100644
---- a/drivers/crypto/caam/key_gen.c
-+++ b/drivers/crypto/caam/key_gen.c
-@@ -51,23 +51,29 @@ int gen_split_key(struct device *jrdev, u8 *key_out, int split_key_len,
- 	u32 *desc;
- 	struct split_key_result result;
- 	dma_addr_t dma_addr_in, dma_addr_out;
--	int ret = 0;
-+	int ret = -ENOMEM;
- 
- 	desc = kmalloc(CAAM_CMD_SZ * 6 + CAAM_PTR_SZ * 2, GFP_KERNEL | GFP_DMA);
- 	if (!desc) {
- 		dev_err(jrdev, "unable to allocate key input memory\n");
--		return -ENOMEM;
-+		return ret;
- 	}
- 
--	init_job_desc(desc, 0);
--
- 	dma_addr_in = dma_map_single(jrdev, (void *)key_in, keylen,
- 				     DMA_TO_DEVICE);
- 	if (dma_mapping_error(jrdev, dma_addr_in)) {
- 		dev_err(jrdev, "unable to map key input memory\n");
--		kfree(desc);
--		return -ENOMEM;
-+		goto out_free;
- 	}
-+
-+	dma_addr_out = dma_map_single(jrdev, key_out, split_key_pad_len,
-+				      DMA_FROM_DEVICE);
-+	if (dma_mapping_error(jrdev, dma_addr_out)) {
-+		dev_err(jrdev, "unable to map key output memory\n");
-+		goto out_unmap_in;
-+	}
-+
-+	init_job_desc(desc, 0);
- 	append_key(desc, dma_addr_in, keylen, CLASS_2 | KEY_DEST_CLASS_REG);
- 
- 	/* Sets MDHA up into an HMAC-INIT */
-@@ -84,13 +90,6 @@ int gen_split_key(struct device *jrdev, u8 *key_out, int split_key_len,
- 	 * FIFO_STORE with the explicit split-key content store
- 	 * (0x26 output type)
- 	 */
--	dma_addr_out = dma_map_single(jrdev, key_out, split_key_pad_len,
--				      DMA_FROM_DEVICE);
--	if (dma_mapping_error(jrdev, dma_addr_out)) {
--		dev_err(jrdev, "unable to map key output memory\n");
--		kfree(desc);
--		return -ENOMEM;
--	}
- 	append_fifo_store(desc, dma_addr_out, split_key_len,
- 			  LDST_CLASS_2_CCB | FIFOST_TYPE_SPLIT_KEK);
- 
-@@ -118,10 +117,10 @@ int gen_split_key(struct device *jrdev, u8 *key_out, int split_key_len,
- 
- 	dma_unmap_single(jrdev, dma_addr_out, split_key_pad_len,
- 			 DMA_FROM_DEVICE);
-+out_unmap_in:
- 	dma_unmap_single(jrdev, dma_addr_in, keylen, DMA_TO_DEVICE);
--
-+out_free:
- 	kfree(desc);
--
- 	return ret;
- }
- EXPORT_SYMBOL(gen_split_key);
-diff --git a/drivers/crypto/caam/sg_sw_sec4.h b/drivers/crypto/caam/sg_sw_sec4.h
-index b12ff85..ce28a56 100644
---- a/drivers/crypto/caam/sg_sw_sec4.h
-+++ b/drivers/crypto/caam/sg_sw_sec4.h
-@@ -116,57 +116,3 @@ static int dma_unmap_sg_chained(struct device *dev, struct scatterlist *sg,
- 	}
- 	return nents;
- }
--
--/* Map SG page in kernel virtual address space and copy */
--static inline void sg_map_copy(u8 *dest, struct scatterlist *sg,
--			       int len, int offset)
--{
--	u8 *mapped_addr;
--
--	/*
--	 * Page here can be user-space pinned using get_user_pages
--	 * Same must be kmapped before use and kunmapped subsequently
--	 */
--	mapped_addr = kmap_atomic(sg_page(sg));
--	memcpy(dest, mapped_addr + offset, len);
--	kunmap_atomic(mapped_addr);
--}
--
--/* Copy from len bytes of sg to dest, starting from beginning */
--static inline void sg_copy(u8 *dest, struct scatterlist *sg, unsigned int len)
--{
--	struct scatterlist *current_sg = sg;
--	int cpy_index = 0, next_cpy_index = current_sg->length;
--
--	while (next_cpy_index < len) {
--		sg_map_copy(dest + cpy_index, current_sg, current_sg->length,
--			    current_sg->offset);
--		current_sg = scatterwalk_sg_next(current_sg);
--		cpy_index = next_cpy_index;
--		next_cpy_index += current_sg->length;
--	}
--	if (cpy_index < len)
--		sg_map_copy(dest + cpy_index, current_sg, len-cpy_index,
--			    current_sg->offset);
--}
--
--/* Copy sg data, from to_skip to end, to dest */
--static inline void sg_copy_part(u8 *dest, struct scatterlist *sg,
--				      int to_skip, unsigned int end)
--{
--	struct scatterlist *current_sg = sg;
--	int sg_index, cpy_index, offset;
--
--	sg_index = current_sg->length;
--	while (sg_index <= to_skip) {
--		current_sg = scatterwalk_sg_next(current_sg);
--		sg_index += current_sg->length;
--	}
--	cpy_index = sg_index - to_skip;
--	offset = current_sg->offset + current_sg->length - cpy_index;
--	sg_map_copy(dest, current_sg, cpy_index, offset);
--	if (end - sg_index) {
--		current_sg = scatterwalk_sg_next(current_sg);
--		sg_copy(dest + cpy_index, current_sg, end - sg_index);
--	}
--}
-diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
-index d7d5c8a..6d44568 100644
---- a/drivers/firewire/core-cdev.c
-+++ b/drivers/firewire/core-cdev.c
-@@ -1637,8 +1637,7 @@ static int dispatch_ioctl(struct client *client,
- 	    _IOC_SIZE(cmd) > sizeof(buffer))
- 		return -ENOTTY;
- 
--	if (_IOC_DIR(cmd) == _IOC_READ)
--		memset(&buffer, 0, _IOC_SIZE(cmd));
-+	memset(&buffer, 0, sizeof(buffer));
- 
- 	if (_IOC_DIR(cmd) & _IOC_WRITE)
- 		if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
-diff --git a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c
-index ab5c265..ddf70d6 100644
---- a/drivers/gpu/drm/radeon/cik.c
-+++ b/drivers/gpu/drm/radeon/cik.c
-@@ -3936,8 +3936,8 @@ static int cik_cp_gfx_start(struct radeon_device *rdev)
- 	/* init the CE partitions.  CE only used for gfx on CIK */
- 	radeon_ring_write(ring, PACKET3(PACKET3_SET_BASE, 2));
- 	radeon_ring_write(ring, PACKET3_BASE_INDEX(CE_PARTITION_BASE));
--	radeon_ring_write(ring, 0xc000);
--	radeon_ring_write(ring, 0xc000);
-+	radeon_ring_write(ring, 0x8000);
-+	radeon_ring_write(ring, 0x8000);
- 
- 	/* setup clear context state */
- 	radeon_ring_write(ring, PACKET3(PACKET3_PREAMBLE_CNTL, 0));
-@@ -8893,6 +8893,9 @@ void dce8_bandwidth_update(struct radeon_device *rdev)
- 	u32 num_heads = 0, lb_size;
- 	int i;
- 
-+	if (!rdev->mode_info.mode_config_initialized)
-+		return;
-+
- 	radeon_update_display_priority(rdev);
- 
- 	for (i = 0; i < rdev->num_crtc; i++) {
-diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
-index 4b3c5f7..7138f3e 100644
---- a/drivers/gpu/drm/radeon/evergreen.c
-+++ b/drivers/gpu/drm/radeon/evergreen.c
-@@ -2362,6 +2362,9 @@ void evergreen_bandwidth_update(struct radeon_device *rdev)
- 	u32 num_heads = 0, lb_size;
- 	int i;
- 
-+	if (!rdev->mode_info.mode_config_initialized)
-+		return;
-+
- 	radeon_update_display_priority(rdev);
- 
- 	for (i = 0; i < rdev->num_crtc; i++) {
-@@ -2570,6 +2573,7 @@ void evergreen_mc_stop(struct radeon_device *rdev, struct evergreen_mc_save *sav
- 					WREG32(EVERGREEN_CRTC_UPDATE_LOCK + crtc_offsets[i], 1);
- 					tmp |= EVERGREEN_CRTC_BLANK_DATA_EN;
- 					WREG32(EVERGREEN_CRTC_BLANK_CONTROL + crtc_offsets[i], tmp);
-+					WREG32(EVERGREEN_CRTC_UPDATE_LOCK + crtc_offsets[i], 0);
- 				}
- 			} else {
- 				tmp = RREG32(EVERGREEN_CRTC_CONTROL + crtc_offsets[i]);
-diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
-index 3cc78bb..07620e1 100644
---- a/drivers/gpu/drm/radeon/r100.c
-+++ b/drivers/gpu/drm/radeon/r100.c
-@@ -3219,6 +3219,9 @@ void r100_bandwidth_update(struct radeon_device *rdev)
- 	uint32_t pixel_bytes1 = 0;
- 	uint32_t pixel_bytes2 = 0;
- 
-+	if (!rdev->mode_info.mode_config_initialized)
-+		return;
-+
- 	radeon_update_display_priority(rdev);
- 
- 	if (rdev->mode_info.crtcs[0]->base.enabled) {
-diff --git a/drivers/gpu/drm/radeon/rs600.c b/drivers/gpu/drm/radeon/rs600.c
-index 95b693c..e5619d5 100644
---- a/drivers/gpu/drm/radeon/rs600.c
-+++ b/drivers/gpu/drm/radeon/rs600.c
-@@ -890,6 +890,9 @@ void rs600_bandwidth_update(struct radeon_device *rdev)
- 	u32 d1mode_priority_a_cnt, d2mode_priority_a_cnt;
- 	/* FIXME: implement full support */
- 
-+	if (!rdev->mode_info.mode_config_initialized)
-+		return;
-+
- 	radeon_update_display_priority(rdev);
- 
- 	if (rdev->mode_info.crtcs[0]->base.enabled)
-diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c
-index 3462b64..0a2d36e 100644
---- a/drivers/gpu/drm/radeon/rs690.c
-+++ b/drivers/gpu/drm/radeon/rs690.c
-@@ -579,6 +579,9 @@ void rs690_bandwidth_update(struct radeon_device *rdev)
- 	u32 d1mode_priority_a_cnt, d1mode_priority_b_cnt;
- 	u32 d2mode_priority_a_cnt, d2mode_priority_b_cnt;
- 
-+	if (!rdev->mode_info.mode_config_initialized)
-+		return;
-+
- 	radeon_update_display_priority(rdev);
- 
- 	if (rdev->mode_info.crtcs[0]->base.enabled)
-diff --git a/drivers/gpu/drm/radeon/rv515.c b/drivers/gpu/drm/radeon/rv515.c
-index 237dd29..b49965a 100644
---- a/drivers/gpu/drm/radeon/rv515.c
-+++ b/drivers/gpu/drm/radeon/rv515.c
-@@ -1276,6 +1276,9 @@ void rv515_bandwidth_update(struct radeon_device *rdev)
- 	struct drm_display_mode *mode0 = NULL;
- 	struct drm_display_mode *mode1 = NULL;
- 
-+	if (!rdev->mode_info.mode_config_initialized)
-+		return;
-+
- 	radeon_update_display_priority(rdev);
- 
- 	if (rdev->mode_info.crtcs[0]->base.enabled)
-diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c
-index 559564c..52b64ad 100644
---- a/drivers/gpu/drm/radeon/si.c
-+++ b/drivers/gpu/drm/radeon/si.c
-@@ -2227,6 +2227,9 @@ void dce6_bandwidth_update(struct radeon_device *rdev)
- 	u32 num_heads = 0, lb_size;
- 	int i;
- 
-+	if (!rdev->mode_info.mode_config_initialized)
-+		return;
-+
- 	radeon_update_display_priority(rdev);
- 
- 	for (i = 0; i < rdev->num_crtc; i++) {
-diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
-index ea6203e..23467a2 100644
---- a/drivers/infiniband/core/uverbs_cmd.c
-+++ b/drivers/infiniband/core/uverbs_cmd.c
-@@ -2425,6 +2425,8 @@ ssize_t ib_uverbs_create_ah(struct ib_uverbs_file *file,
- 	attr.grh.sgid_index    = cmd.attr.grh.sgid_index;
- 	attr.grh.hop_limit     = cmd.attr.grh.hop_limit;
- 	attr.grh.traffic_class = cmd.attr.grh.traffic_class;
-+	attr.vlan_id           = 0;
-+	memset(&attr.dmac, 0, sizeof(attr.dmac));
- 	memcpy(attr.grh.dgid.raw, cmd.attr.grh.dgid, 16);
- 
- 	ah = ib_create_ah(pd, &attr);
-diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
-index fb15c64..4979b00 100644
---- a/drivers/input/mouse/alps.c
-+++ b/drivers/input/mouse/alps.c
-@@ -1047,7 +1047,13 @@ static psmouse_ret_t alps_process_byte(struct psmouse *psmouse)
- {
- 	struct alps_data *priv = psmouse->private;
- 
--	if ((psmouse->packet[0] & 0xc8) == 0x08) { /* PS/2 packet */
-+	/*
-+	 * Check if we are dealing with a bare PS/2 packet, presumably from
-+	 * a device connected to the external PS/2 port. Because bare PS/2
-+	 * protocol does not have enough constant bits to self-synchronize
-+	 * properly we only do this if the device is fully synchronized.
-+	 */
-+	if (!psmouse->out_of_sync_cnt && (psmouse->packet[0] & 0xc8) == 0x08) {
- 		if (psmouse->pktcnt == 3) {
- 			alps_report_bare_ps2_packet(psmouse, psmouse->packet,
- 						    true);
-@@ -1071,12 +1077,27 @@ static psmouse_ret_t alps_process_byte(struct psmouse *psmouse)
- 	}
- 
- 	/* Bytes 2 - pktsize should have 0 in the highest bit */
--	if ((priv->proto_version < ALPS_PROTO_V5) &&
-+	if (priv->proto_version < ALPS_PROTO_V5 &&
- 	    psmouse->pktcnt >= 2 && psmouse->pktcnt <= psmouse->pktsize &&
- 	    (psmouse->packet[psmouse->pktcnt - 1] & 0x80)) {
- 		psmouse_dbg(psmouse, "refusing packet[%i] = %x\n",
- 			    psmouse->pktcnt - 1,
- 			    psmouse->packet[psmouse->pktcnt - 1]);
-+
-+		if (priv->proto_version == ALPS_PROTO_V3 &&
-+		    psmouse->pktcnt == psmouse->pktsize) {
-+			/*
-+			 * Some Dell boxes, such as Latitude E6440 or E7440
-+			 * with closed lid, quite often smash last byte of
-+			 * otherwise valid packet with 0xff. Given that the
-+			 * next packet is very likely to be valid let's
-+			 * report PSMOUSE_FULL_PACKET but not process data,
-+			 * rather than reporting PSMOUSE_BAD_DATA and
-+			 * filling the logs.
-+			 */
-+			return PSMOUSE_FULL_PACKET;
-+		}
-+
- 		return PSMOUSE_BAD_DATA;
- 	}
- 
-@@ -2148,6 +2169,9 @@ int alps_init(struct psmouse *psmouse)
- 	/* We are having trouble resyncing ALPS touchpads so disable it for now */
- 	psmouse->resync_time = 0;
- 
-+	/* Allow 2 invalid packets without resetting device */
-+	psmouse->resetafter = psmouse->pktsize * 2;
-+
- 	return 0;
- 
- init_fail:
-diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
-index a50a2a7..1e76eb8 100644
---- a/drivers/input/mouse/synaptics.c
-+++ b/drivers/input/mouse/synaptics.c
-@@ -132,8 +132,8 @@ static const struct min_max_quirk min_max_pnpid_table[] = {
- 		1232, 5710, 1156, 4696
- 	},
- 	{
--		(const char * const []){"LEN0034", "LEN0036", "LEN2002",
--					"LEN2004", NULL},
-+		(const char * const []){"LEN0034", "LEN0036", "LEN0039",
-+					"LEN2002", "LEN2004", NULL},
- 		1024, 5112, 2024, 4832
- 	},
- 	{
-@@ -160,6 +160,7 @@ static const char * const topbuttonpad_pnp_ids[] = {
- 	"LEN0036", /* T440 */
- 	"LEN0037",
- 	"LEN0038",
-+	"LEN0039", /* T440s */
- 	"LEN0041",
- 	"LEN0042", /* Yoga */
- 	"LEN0045",
-diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
-index ca1621b..a1cebf7 100644
---- a/drivers/md/dm-bufio.c
-+++ b/drivers/md/dm-bufio.c
-@@ -1448,9 +1448,9 @@ static void drop_buffers(struct dm_bufio_client *c)
- 
- /*
-  * Test if the buffer is unused and too old, and commit it.
-- * At if noio is set, we must not do any I/O because we hold
-- * dm_bufio_clients_lock and we would risk deadlock if the I/O gets rerouted to
-- * different bufio client.
-+ * And if GFP_NOFS is used, we must not do any I/O because we hold
-+ * dm_bufio_clients_lock and we would risk deadlock if the I/O gets
-+ * rerouted to different bufio client.
-  */
- static int __cleanup_old_buffer(struct dm_buffer *b, gfp_t gfp,
- 				unsigned long max_jiffies)
-@@ -1458,7 +1458,7 @@ static int __cleanup_old_buffer(struct dm_buffer *b, gfp_t gfp,
- 	if (jiffies - b->last_accessed < max_jiffies)
- 		return 0;
- 
--	if (!(gfp & __GFP_IO)) {
-+	if (!(gfp & __GFP_FS)) {
- 		if (test_bit(B_READING, &b->state) ||
- 		    test_bit(B_WRITING, &b->state) ||
- 		    test_bit(B_DIRTY, &b->state))
-@@ -1500,7 +1500,7 @@ dm_bufio_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
- 	unsigned long freed;
- 
- 	c = container_of(shrink, struct dm_bufio_client, shrinker);
--	if (sc->gfp_mask & __GFP_IO)
-+	if (sc->gfp_mask & __GFP_FS)
- 		dm_bufio_lock(c);
- 	else if (!dm_bufio_trylock(c))
- 		return SHRINK_STOP;
-@@ -1517,7 +1517,7 @@ dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
- 	unsigned long count;
- 
- 	c = container_of(shrink, struct dm_bufio_client, shrinker);
--	if (sc->gfp_mask & __GFP_IO)
-+	if (sc->gfp_mask & __GFP_FS)
- 		dm_bufio_lock(c);
- 	else if (!dm_bufio_trylock(c))
- 		return 0;
-diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
-index 4880b69..5971538 100644
---- a/drivers/md/dm-raid.c
-+++ b/drivers/md/dm-raid.c
-@@ -785,8 +785,7 @@ struct dm_raid_superblock {
- 	__le32 layout;
- 	__le32 stripe_sectors;
- 
--	__u8 pad[452];		/* Round struct to 512 bytes. */
--				/* Always set to 0 when writing. */
-+	/* Remainder of a logical block is zero-filled when writing (see super_sync()). */
- } __packed;
- 
- static int read_disk_sb(struct md_rdev *rdev, int size)
-@@ -823,7 +822,7 @@ static void super_sync(struct mddev *mddev, struct md_rdev *rdev)
- 		    test_bit(Faulty, &(rs->dev[i].rdev.flags)))
- 			failed_devices |= (1ULL << i);
- 
--	memset(sb, 0, sizeof(*sb));
-+	memset(sb + 1, 0, rdev->sb_size - sizeof(*sb));
- 
- 	sb->magic = cpu_to_le32(DM_RAID_MAGIC);
- 	sb->features = cpu_to_le32(0);	/* No features yet */
-@@ -858,7 +857,11 @@ static int super_load(struct md_rdev *rdev, struct md_rdev *refdev)
- 	uint64_t events_sb, events_refsb;
- 
- 	rdev->sb_start = 0;
--	rdev->sb_size = sizeof(*sb);
-+	rdev->sb_size = bdev_logical_block_size(rdev->meta_bdev);
-+	if (rdev->sb_size < sizeof(*sb) || rdev->sb_size > PAGE_SIZE) {
-+		DMERR("superblock size of a logical block is no longer valid");
-+		return -EINVAL;
-+	}
- 
- 	ret = read_disk_sb(rdev, rdev->sb_size);
- 	if (ret)
-diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
-index 359af3a..37f2648 100644
---- a/drivers/md/dm-thin.c
-+++ b/drivers/md/dm-thin.c
-@@ -1704,6 +1704,14 @@ static int thin_bio_map(struct dm_target *ti, struct bio *bio)
- 		return DM_MAPIO_SUBMITTED;
- 	}
- 
-+	/*
-+	 * We must hold the virtual cell before doing the lookup, otherwise
-+	 * there's a race with discard.
-+	 */
-+	build_virtual_key(tc->td, block, &key);
-+	if (dm_bio_detain(tc->pool->prison, &key, bio, &cell1, &cell_result))
-+		return DM_MAPIO_SUBMITTED;
-+
- 	r = dm_thin_find_block(td, block, 0, &result);
- 
- 	/*
-@@ -1727,13 +1735,10 @@ static int thin_bio_map(struct dm_target *ti, struct bio *bio)
- 			 * shared flag will be set in their case.
- 			 */
- 			thin_defer_bio(tc, bio);
-+			cell_defer_no_holder_no_free(tc, &cell1);
- 			return DM_MAPIO_SUBMITTED;
- 		}
- 
--		build_virtual_key(tc->td, block, &key);
--		if (dm_bio_detain(tc->pool->prison, &key, bio, &cell1, &cell_result))
--			return DM_MAPIO_SUBMITTED;
--
- 		build_data_key(tc->td, result.block, &key);
- 		if (dm_bio_detain(tc->pool->prison, &key, bio, &cell2, &cell_result)) {
- 			cell_defer_no_holder_no_free(tc, &cell1);
-@@ -1754,6 +1759,7 @@ static int thin_bio_map(struct dm_target *ti, struct bio *bio)
- 			 * of doing so.
- 			 */
- 			handle_unserviceable_bio(tc->pool, bio);
-+			cell_defer_no_holder_no_free(tc, &cell1);
- 			return DM_MAPIO_SUBMITTED;
- 		}
- 		/* fall through */
-@@ -1764,6 +1770,7 @@ static int thin_bio_map(struct dm_target *ti, struct bio *bio)
- 		 * provide the hint to load the metadata into cache.
- 		 */
- 		thin_defer_bio(tc, bio);
-+		cell_defer_no_holder_no_free(tc, &cell1);
- 		return DM_MAPIO_SUBMITTED;
- 
- 	default:
-@@ -1773,6 +1780,7 @@ static int thin_bio_map(struct dm_target *ti, struct bio *bio)
- 		 * pool is switched to fail-io mode.
- 		 */
- 		bio_io_error(bio);
-+		cell_defer_no_holder_no_free(tc, &cell1);
- 		return DM_MAPIO_SUBMITTED;
- 	}
- }
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 73aedcb..40959ee 100644
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -5333,6 +5333,7 @@ static int md_set_readonly(struct mddev *mddev, struct block_device *bdev)
- 		printk("md: %s still in use.\n",mdname(mddev));
- 		if (did_freeze) {
- 			clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery);
-+			set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
- 			md_wakeup_thread(mddev->thread);
- 		}
- 		err = -EBUSY;
-@@ -5347,6 +5348,8 @@ static int md_set_readonly(struct mddev *mddev, struct block_device *bdev)
- 		mddev->ro = 1;
- 		set_disk_ro(mddev->gendisk, 1);
- 		clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery);
-+		set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
-+		md_wakeup_thread(mddev->thread);
- 		sysfs_notify_dirent_safe(mddev->sysfs_state);
- 		err = 0;
- 	}
-@@ -5390,6 +5393,7 @@ static int do_md_stop(struct mddev * mddev, int mode,
- 		mutex_unlock(&mddev->open_mutex);
- 		if (did_freeze) {
- 			clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery);
-+			set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
- 			md_wakeup_thread(mddev->thread);
- 		}
- 		return -EBUSY;
-diff --git a/drivers/md/persistent-data/dm-btree-internal.h b/drivers/md/persistent-data/dm-btree-internal.h
-index 37d367b..bf2b80d 100644
---- a/drivers/md/persistent-data/dm-btree-internal.h
-+++ b/drivers/md/persistent-data/dm-btree-internal.h
-@@ -42,6 +42,12 @@ struct btree_node {
- } __packed;
- 
- 
-+/*
-+ * Locks a block using the btree node validator.
-+ */
-+int bn_read_lock(struct dm_btree_info *info, dm_block_t b,
-+		 struct dm_block **result);
-+
- void inc_children(struct dm_transaction_manager *tm, struct btree_node *n,
- 		  struct dm_btree_value_type *vt);
- 
-diff --git a/drivers/md/persistent-data/dm-btree-spine.c b/drivers/md/persistent-data/dm-btree-spine.c
-index cf9fd67..1b5e13e 100644
---- a/drivers/md/persistent-data/dm-btree-spine.c
-+++ b/drivers/md/persistent-data/dm-btree-spine.c
-@@ -92,7 +92,7 @@ struct dm_block_validator btree_node_validator = {
- 
- /*----------------------------------------------------------------*/
- 
--static int bn_read_lock(struct dm_btree_info *info, dm_block_t b,
-+int bn_read_lock(struct dm_btree_info *info, dm_block_t b,
- 		 struct dm_block **result)
- {
- 	return dm_tm_read_lock(info->tm, b, &btree_node_validator, result);
-diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c
-index 416060c..200ac12 100644
---- a/drivers/md/persistent-data/dm-btree.c
-+++ b/drivers/md/persistent-data/dm-btree.c
-@@ -847,22 +847,26 @@ EXPORT_SYMBOL_GPL(dm_btree_find_lowest_key);
-  * FIXME: We shouldn't use a recursive algorithm when we have limited stack
-  * space.  Also this only works for single level trees.
-  */
--static int walk_node(struct ro_spine *s, dm_block_t block,
-+static int walk_node(struct dm_btree_info *info, dm_block_t block,
- 		     int (*fn)(void *context, uint64_t *keys, void *leaf),
- 		     void *context)
- {
- 	int r;
- 	unsigned i, nr;
-+	struct dm_block *node;
- 	struct btree_node *n;
- 	uint64_t keys;
- 
--	r = ro_step(s, block);
--	n = ro_node(s);
-+	r = bn_read_lock(info, block, &node);
-+	if (r)
-+		return r;
-+
-+	n = dm_block_data(node);
- 
- 	nr = le32_to_cpu(n->header.nr_entries);
- 	for (i = 0; i < nr; i++) {
- 		if (le32_to_cpu(n->header.flags) & INTERNAL_NODE) {
--			r = walk_node(s, value64(n, i), fn, context);
-+			r = walk_node(info, value64(n, i), fn, context);
- 			if (r)
- 				goto out;
- 		} else {
-@@ -874,7 +878,7 @@ static int walk_node(struct ro_spine *s, dm_block_t block,
- 	}
- 
- out:
--	ro_pop(s);
-+	dm_tm_unlock(info->tm, node);
- 	return r;
- }
- 
-@@ -882,15 +886,7 @@ int dm_btree_walk(struct dm_btree_info *info, dm_block_t root,
- 		  int (*fn)(void *context, uint64_t *keys, void *leaf),
- 		  void *context)
- {
--	int r;
--	struct ro_spine spine;
--
- 	BUG_ON(info->levels > 1);
--
--	init_ro_spine(&spine, info);
--	r = walk_node(&spine, root, fn, context);
--	exit_ro_spine(&spine);
--
--	return r;
-+	return walk_node(info, root, fn, context);
- }
- EXPORT_SYMBOL_GPL(dm_btree_walk);
-diff --git a/drivers/media/usb/ttusb-dec/ttusbdecfe.c b/drivers/media/usb/ttusb-dec/ttusbdecfe.c
-index 5c45c9d..9c29552 100644
---- a/drivers/media/usb/ttusb-dec/ttusbdecfe.c
-+++ b/drivers/media/usb/ttusb-dec/ttusbdecfe.c
-@@ -156,6 +156,9 @@ static int ttusbdecfe_dvbs_diseqc_send_master_cmd(struct dvb_frontend* fe, struc
- 		   0x00, 0x00, 0x00, 0x00,
- 		   0x00, 0x00 };
- 
-+	if (cmd->msg_len > sizeof(b) - 4)
-+		return -EINVAL;
-+
- 	memcpy(&b[4], cmd->msg, cmd->msg_len);
- 
- 	state->config->send_command(fe, 0x72,
-diff --git a/drivers/net/ethernet/smsc/smsc911x.c b/drivers/net/ethernet/smsc/smsc911x.c
-index 6382b7c..e10f5ed 100644
---- a/drivers/net/ethernet/smsc/smsc911x.c
-+++ b/drivers/net/ethernet/smsc/smsc911x.c
-@@ -1341,6 +1341,42 @@ static void smsc911x_rx_multicast_update_workaround(struct smsc911x_data *pdata)
- 	spin_unlock(&pdata->mac_lock);
- }
- 
-+static int smsc911x_phy_general_power_up(struct smsc911x_data *pdata)
-+{
-+	int rc = 0;
-+
-+	if (!pdata->phy_dev)
-+		return rc;
-+
-+	/* If the internal PHY is in General Power-Down mode, all, except the
-+	 * management interface, is powered-down and stays in that condition as
-+	 * long as Phy register bit 0.11 is HIGH.
-+	 *
-+	 * In that case, clear the bit 0.11, so the PHY powers up and we can
-+	 * access to the phy registers.
-+	 */
-+	rc = phy_read(pdata->phy_dev, MII_BMCR);
-+	if (rc < 0) {
-+		SMSC_WARN(pdata, drv, "Failed reading PHY control reg");
-+		return rc;
-+	}
-+
-+	/* If the PHY general power-down bit is not set is not necessary to
-+	 * disable the general power down-mode.
-+	 */
-+	if (rc & BMCR_PDOWN) {
-+		rc = phy_write(pdata->phy_dev, MII_BMCR, rc & ~BMCR_PDOWN);
-+		if (rc < 0) {
-+			SMSC_WARN(pdata, drv, "Failed writing PHY control reg");
-+			return rc;
-+		}
-+
-+		usleep_range(1000, 1500);
-+	}
-+
-+	return 0;
-+}
-+
- static int smsc911x_phy_disable_energy_detect(struct smsc911x_data *pdata)
- {
- 	int rc = 0;
-@@ -1414,6 +1450,16 @@ static int smsc911x_soft_reset(struct smsc911x_data *pdata)
- 	int ret;
- 
- 	/*
-+	 * Make sure to power-up the PHY chip before doing a reset, otherwise
-+	 * the reset fails.
-+	 */
-+	ret = smsc911x_phy_general_power_up(pdata);
-+	if (ret) {
-+		SMSC_WARN(pdata, drv, "Failed to power-up the PHY chip");
-+		return ret;
-+	}
-+
-+	/*
- 	 * LAN9210/LAN9211/LAN9220/LAN9221 chips have an internal PHY that
- 	 * are initialized in a Energy Detect Power-Down mode that prevents
- 	 * the MAC chip to be software reseted. So we have to wakeup the PHY
-diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c
-index fd411d6..03ae9de 100644
---- a/drivers/net/ethernet/sun/sunvnet.c
-+++ b/drivers/net/ethernet/sun/sunvnet.c
-@@ -656,7 +656,7 @@ static int vnet_start_xmit(struct sk_buff *skb, struct net_device *dev)
- 	spin_lock_irqsave(&port->vio.lock, flags);
- 
- 	dr = &port->vio.drings[VIO_DRIVER_TX_RING];
--	if (unlikely(vnet_tx_dring_avail(dr) < 2)) {
-+	if (unlikely(vnet_tx_dring_avail(dr) < 1)) {
- 		if (!netif_queue_stopped(dev)) {
- 			netif_stop_queue(dev);
- 
-@@ -704,7 +704,7 @@ static int vnet_start_xmit(struct sk_buff *skb, struct net_device *dev)
- 	dev->stats.tx_bytes += skb->len;
- 
- 	dr->prod = (dr->prod + 1) & (VNET_TX_RING_SIZE - 1);
--	if (unlikely(vnet_tx_dring_avail(dr) < 2)) {
-+	if (unlikely(vnet_tx_dring_avail(dr) < 1)) {
- 		netif_stop_queue(dev);
- 		if (vnet_tx_dring_avail(dr) > VNET_TX_WAKEUP_THRESH(dr))
- 			netif_wake_queue(dev);
-diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
-index f30ceb1..07c942b 100644
---- a/drivers/net/macvtap.c
-+++ b/drivers/net/macvtap.c
-@@ -66,7 +66,7 @@ static struct cdev macvtap_cdev;
- static const struct proto_ops macvtap_socket_ops;
- 
- #define TUN_OFFLOADS (NETIF_F_HW_CSUM | NETIF_F_TSO_ECN | NETIF_F_TSO | \
--		      NETIF_F_TSO6)
-+		      NETIF_F_TSO6 | NETIF_F_UFO)
- #define RX_OFFLOADS (NETIF_F_GRO | NETIF_F_LRO)
- #define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG)
- 
-@@ -570,8 +570,6 @@ static int macvtap_skb_from_vnet_hdr(struct sk_buff *skb,
- 			gso_type = SKB_GSO_TCPV6;
- 			break;
- 		case VIRTIO_NET_HDR_GSO_UDP:
--			pr_warn_once("macvtap: %s: using disabled UFO feature; please fix this program\n",
--				     current->comm);
- 			gso_type = SKB_GSO_UDP;
- 			if (skb->protocol == htons(ETH_P_IPV6))
- 				ipv6_proxy_select_ident(skb);
-@@ -619,6 +617,8 @@ static void macvtap_skb_to_vnet_hdr(const struct sk_buff *skb,
- 			vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
- 		else if (sinfo->gso_type & SKB_GSO_TCPV6)
- 			vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
-+		else if (sinfo->gso_type & SKB_GSO_UDP)
-+			vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_UDP;
- 		else
- 			BUG();
- 		if (sinfo->gso_type & SKB_GSO_TCP_ECN)
-@@ -629,6 +629,8 @@ static void macvtap_skb_to_vnet_hdr(const struct sk_buff *skb,
- 	if (skb->ip_summed == CHECKSUM_PARTIAL) {
- 		vnet_hdr->flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
- 		vnet_hdr->csum_start = skb_checksum_start_offset(skb);
-+		if (vlan_tx_tag_present(skb))
-+			vnet_hdr->csum_start += VLAN_HLEN;
- 		vnet_hdr->csum_offset = skb->csum_offset;
- 	} else if (skb->ip_summed == CHECKSUM_UNNECESSARY) {
- 		vnet_hdr->flags = VIRTIO_NET_HDR_F_DATA_VALID;
-@@ -953,6 +955,9 @@ static int set_offload(struct macvtap_queue *q, unsigned long arg)
- 			if (arg & TUN_F_TSO6)
- 				feature_mask |= NETIF_F_TSO6;
- 		}
-+
-+		if (arg & TUN_F_UFO)
-+			feature_mask |= NETIF_F_UFO;
- 	}
- 
- 	/* tun/tap driver inverts the usage for TSO offloads, where
-@@ -963,7 +968,7 @@ static int set_offload(struct macvtap_queue *q, unsigned long arg)
- 	 * When user space turns off TSO, we turn off GSO/LRO so that
- 	 * user-space will not receive TSO frames.
- 	 */
--	if (feature_mask & (NETIF_F_TSO | NETIF_F_TSO6))
-+	if (feature_mask & (NETIF_F_TSO | NETIF_F_TSO6 | NETIF_F_UFO))
- 		features |= RX_OFFLOADS;
- 	else
- 		features &= ~RX_OFFLOADS;
-@@ -1064,7 +1069,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
- 	case TUNSETOFFLOAD:
- 		/* let the user check for future flags */
- 		if (arg & ~(TUN_F_CSUM | TUN_F_TSO4 | TUN_F_TSO6 |
--			    TUN_F_TSO_ECN))
-+			    TUN_F_TSO_ECN | TUN_F_UFO))
- 			return -EINVAL;
- 
- 		rtnl_lock();
-diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 2c8b1c2..ec63314 100644
---- a/drivers/net/tun.c
-+++ b/drivers/net/tun.c
-@@ -175,7 +175,7 @@ struct tun_struct {
- 	struct net_device	*dev;
- 	netdev_features_t	set_features;
- #define TUN_USER_FEATURES (NETIF_F_HW_CSUM|NETIF_F_TSO_ECN|NETIF_F_TSO| \
--			  NETIF_F_TSO6)
-+			  NETIF_F_TSO6|NETIF_F_UFO)
- 
- 	int			vnet_hdr_sz;
- 	int			sndbuf;
-@@ -1153,20 +1153,10 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
- 			skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
- 			break;
- 		case VIRTIO_NET_HDR_GSO_UDP:
--		{
--			static bool warned;
--
--			if (!warned) {
--				warned = true;
--				netdev_warn(tun->dev,
--					    "%s: using disabled UFO feature; please fix this program\n",
--					    current->comm);
--			}
- 			skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
- 			if (skb->protocol == htons(ETH_P_IPV6))
- 				ipv6_proxy_select_ident(skb);
- 			break;
--		}
- 		default:
- 			tun->dev->stats.rx_frame_errors++;
- 			kfree_skb(skb);
-@@ -1236,6 +1226,10 @@ static ssize_t tun_put_user(struct tun_struct *tun,
- 	struct tun_pi pi = { 0, skb->protocol };
- 	ssize_t total = 0;
- 	int vlan_offset = 0, copied;
-+	int vlan_hlen = 0;
-+
-+	if (vlan_tx_tag_present(skb))
-+		vlan_hlen = VLAN_HLEN;
- 
- 	if (!(tun->flags & TUN_NO_PI)) {
- 		if ((len -= sizeof(pi)) < 0)
-@@ -1266,6 +1260,8 @@ static ssize_t tun_put_user(struct tun_struct *tun,
- 				gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
- 			else if (sinfo->gso_type & SKB_GSO_TCPV6)
- 				gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
-+			else if (sinfo->gso_type & SKB_GSO_UDP)
-+				gso.gso_type = VIRTIO_NET_HDR_GSO_UDP;
- 			else {
- 				pr_err("unexpected GSO type: "
- 				       "0x%x, gso_size %d, hdr_len %d\n",
-@@ -1285,7 +1281,8 @@ static ssize_t tun_put_user(struct tun_struct *tun,
- 
- 		if (skb->ip_summed == CHECKSUM_PARTIAL) {
- 			gso.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
--			gso.csum_start = skb_checksum_start_offset(skb);
-+			gso.csum_start = skb_checksum_start_offset(skb) +
-+					 vlan_hlen;
- 			gso.csum_offset = skb->csum_offset;
- 		} else if (skb->ip_summed == CHECKSUM_UNNECESSARY) {
- 			gso.flags = VIRTIO_NET_HDR_F_DATA_VALID;
-@@ -1298,10 +1295,9 @@ static ssize_t tun_put_user(struct tun_struct *tun,
- 	}
- 
- 	copied = total;
--	total += skb->len;
--	if (!vlan_tx_tag_present(skb)) {
--		len = min_t(int, skb->len, len);
--	} else {
-+	len = min_t(int, skb->len + vlan_hlen, len);
-+	total += skb->len + vlan_hlen;
-+	if (vlan_hlen) {
- 		int copy, ret;
- 		struct {
- 			__be16 h_vlan_proto;
-@@ -1312,8 +1308,6 @@ static ssize_t tun_put_user(struct tun_struct *tun,
- 		veth.h_vlan_TCI = htons(vlan_tx_tag_get(skb));
- 
- 		vlan_offset = offsetof(struct vlan_ethhdr, h_vlan_proto);
--		len = min_t(int, skb->len + VLAN_HLEN, len);
--		total += VLAN_HLEN;
- 
- 		copy = min_t(int, vlan_offset, len);
- 		ret = skb_copy_datagram_const_iovec(skb, 0, iv, copied, copy);
-@@ -1795,6 +1789,11 @@ static int set_offload(struct tun_struct *tun, unsigned long arg)
- 				features |= NETIF_F_TSO6;
- 			arg &= ~(TUN_F_TSO4|TUN_F_TSO6);
- 		}
-+
-+		if (arg & TUN_F_UFO) {
-+			features |= NETIF_F_UFO;
-+			arg &= ~TUN_F_UFO;
-+		}
- 	}
- 
- 	/* This gives the user a way to test for new features in future by
-diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
-index 07a3255..841b608 100644
---- a/drivers/net/virtio_net.c
-+++ b/drivers/net/virtio_net.c
-@@ -496,17 +496,8 @@ static void receive_buf(struct receive_queue *rq, void *buf, unsigned int len)
- 			skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4;
- 			break;
- 		case VIRTIO_NET_HDR_GSO_UDP:
--		{
--			static bool warned;
--
--			if (!warned) {
--				warned = true;
--				netdev_warn(dev,
--					    "host using disabled UFO feature; please fix it\n");
--			}
- 			skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
- 			break;
--		}
- 		case VIRTIO_NET_HDR_GSO_TCPV6:
- 			skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
- 			break;
-@@ -845,6 +836,8 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
- 			hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
- 		else if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6)
- 			hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
-+		else if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
-+			hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_UDP;
- 		else
- 			BUG();
- 		if (skb_shinfo(skb)->gso_type & SKB_GSO_TCP_ECN)
-@@ -1664,7 +1657,7 @@ static int virtnet_probe(struct virtio_device *vdev)
- 			dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
- 
- 		if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
--			dev->hw_features |= NETIF_F_TSO
-+			dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
- 				| NETIF_F_TSO_ECN | NETIF_F_TSO6;
- 		}
- 		/* Individual feature bits: what can host handle? */
-@@ -1674,9 +1667,11 @@ static int virtnet_probe(struct virtio_device *vdev)
- 			dev->hw_features |= NETIF_F_TSO6;
- 		if (virtio_has_feature(vdev, VIRTIO_NET_F_HOST_ECN))
- 			dev->hw_features |= NETIF_F_TSO_ECN;
-+		if (virtio_has_feature(vdev, VIRTIO_NET_F_HOST_UFO))
-+			dev->hw_features |= NETIF_F_UFO;
- 
- 		if (gso)
--			dev->features |= dev->hw_features & NETIF_F_ALL_TSO;
-+			dev->features |= dev->hw_features & (NETIF_F_ALL_TSO|NETIF_F_UFO);
- 		/* (!csum && gso) case will be fixed by register_netdev() */
- 	}
- 	if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM))
-@@ -1716,7 +1711,8 @@ static int virtnet_probe(struct virtio_device *vdev)
- 	/* If we can receive ANY GSO packets, we must allocate large ones. */
- 	if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) ||
- 	    virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6) ||
--	    virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN))
-+	    virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN) ||
-+	    virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_UFO))
- 		vi->big_packets = true;
- 
- 	if (virtio_has_feature(vdev, VIRTIO_NET_F_MRG_RXBUF))
-@@ -1907,9 +1903,9 @@ static struct virtio_device_id id_table[] = {
- static unsigned int features[] = {
- 	VIRTIO_NET_F_CSUM, VIRTIO_NET_F_GUEST_CSUM,
- 	VIRTIO_NET_F_GSO, VIRTIO_NET_F_MAC,
--	VIRTIO_NET_F_HOST_TSO4, VIRTIO_NET_F_HOST_TSO6,
-+	VIRTIO_NET_F_HOST_TSO4, VIRTIO_NET_F_HOST_UFO, VIRTIO_NET_F_HOST_TSO6,
- 	VIRTIO_NET_F_HOST_ECN, VIRTIO_NET_F_GUEST_TSO4, VIRTIO_NET_F_GUEST_TSO6,
--	VIRTIO_NET_F_GUEST_ECN,
-+	VIRTIO_NET_F_GUEST_ECN, VIRTIO_NET_F_GUEST_UFO,
- 	VIRTIO_NET_F_MRG_RXBUF, VIRTIO_NET_F_STATUS, VIRTIO_NET_F_CTRL_VQ,
- 	VIRTIO_NET_F_CTRL_RX, VIRTIO_NET_F_CTRL_VLAN,
- 	VIRTIO_NET_F_GUEST_ANNOUNCE, VIRTIO_NET_F_MQ,
-diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
-index 0704a04..5441b49 100644
---- a/drivers/net/vxlan.c
-+++ b/drivers/net/vxlan.c
-@@ -279,13 +279,15 @@ static inline struct vxlan_rdst *first_remote_rtnl(struct vxlan_fdb *fdb)
- 	return list_first_entry(&fdb->remotes, struct vxlan_rdst, list);
- }
- 
--/* Find VXLAN socket based on network namespace and UDP port */
--static struct vxlan_sock *vxlan_find_sock(struct net *net, __be16 port)
-+/* Find VXLAN socket based on network namespace, address family and UDP port */
-+static struct vxlan_sock *vxlan_find_sock(struct net *net,
-+					  sa_family_t family, __be16 port)
- {
- 	struct vxlan_sock *vs;
- 
- 	hlist_for_each_entry_rcu(vs, vs_head(net, port), hlist) {
--		if (inet_sk(vs->sock->sk)->inet_sport == port)
-+		if (inet_sk(vs->sock->sk)->inet_sport == port &&
-+		    inet_sk(vs->sock->sk)->sk.sk_family == family)
- 			return vs;
- 	}
- 	return NULL;
-@@ -304,11 +306,12 @@ static struct vxlan_dev *vxlan_vs_find_vni(struct vxlan_sock *vs, u32 id)
- }
- 
- /* Look up VNI in a per net namespace table */
--static struct vxlan_dev *vxlan_find_vni(struct net *net, u32 id, __be16 port)
-+static struct vxlan_dev *vxlan_find_vni(struct net *net, u32 id,
-+					sa_family_t family, __be16 port)
- {
- 	struct vxlan_sock *vs;
- 
--	vs = vxlan_find_sock(net, port);
-+	vs = vxlan_find_sock(net, family, port);
- 	if (!vs)
- 		return NULL;
- 
-@@ -1872,7 +1875,8 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
- 			struct vxlan_dev *dst_vxlan;
- 
- 			ip_rt_put(rt);
--			dst_vxlan = vxlan_find_vni(dev_net(dev), vni, dst_port);
-+			dst_vxlan = vxlan_find_vni(dev_net(dev), vni,
-+						   dst->sa.sa_family, dst_port);
- 			if (!dst_vxlan)
- 				goto tx_error;
- 			vxlan_encap_bypass(skb, vxlan, dst_vxlan);
-@@ -1925,7 +1929,8 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
- 			struct vxlan_dev *dst_vxlan;
- 
- 			dst_release(ndst);
--			dst_vxlan = vxlan_find_vni(dev_net(dev), vni, dst_port);
-+			dst_vxlan = vxlan_find_vni(dev_net(dev), vni,
-+						   dst->sa.sa_family, dst_port);
- 			if (!dst_vxlan)
- 				goto tx_error;
- 			vxlan_encap_bypass(skb, vxlan, dst_vxlan);
-@@ -2083,6 +2088,7 @@ static int vxlan_init(struct net_device *dev)
- {
- 	struct vxlan_dev *vxlan = netdev_priv(dev);
- 	struct vxlan_net *vn = net_generic(dev_net(dev), vxlan_net_id);
-+	bool ipv6 = vxlan->flags & VXLAN_F_IPV6;
- 	struct vxlan_sock *vs;
- 	int i;
- 
-@@ -2098,7 +2104,8 @@ static int vxlan_init(struct net_device *dev)
- 
- 
- 	spin_lock(&vn->sock_lock);
--	vs = vxlan_find_sock(dev_net(dev), vxlan->dst_port);
-+	vs = vxlan_find_sock(dev_net(dev), ipv6 ? AF_INET6 : AF_INET,
-+			     vxlan->dst_port);
- 	if (vs) {
- 		/* If we have a socket with same port already, reuse it */
- 		atomic_inc(&vs->refcnt);
-@@ -2566,7 +2573,7 @@ struct vxlan_sock *vxlan_sock_add(struct net *net, __be16 port,
- 		return vs;
- 
- 	spin_lock(&vn->sock_lock);
--	vs = vxlan_find_sock(net, port);
-+	vs = vxlan_find_sock(net, ipv6 ? AF_INET6 : AF_INET, port);
- 	if (vs) {
- 		if (vs->rcv == rcv)
- 			atomic_inc(&vs->refcnt);
-@@ -2712,7 +2719,8 @@ static int vxlan_newlink(struct net *net, struct net_device *dev,
- 	if (data[IFLA_VXLAN_PORT])
- 		vxlan->dst_port = nla_get_be16(data[IFLA_VXLAN_PORT]);
- 
--	if (vxlan_find_vni(net, vni, vxlan->dst_port)) {
-+	if (vxlan_find_vni(net, vni, use_ipv6 ? AF_INET6 : AF_INET,
-+			   vxlan->dst_port)) {
- 		pr_info("duplicate VNI %u\n", vni);
- 		return -EEXIST;
- 	}
-diff --git a/drivers/net/wireless/iwlwifi/iwl-trans.h b/drivers/net/wireless/iwlwifi/iwl-trans.h
-index 1f065cf..d090ed7 100644
---- a/drivers/net/wireless/iwlwifi/iwl-trans.h
-+++ b/drivers/net/wireless/iwlwifi/iwl-trans.h
-@@ -514,6 +514,7 @@ enum iwl_trans_state {
-  *	Set during transport allocation.
-  * @hw_id_str: a string with info about HW ID. Set during transport allocation.
-  * @pm_support: set to true in start_hw if link pm is supported
-+ * @ltr_enabled: set to true if the LTR is enabled
-  * @dev_cmd_pool: pool for Tx cmd allocation - for internal use only.
-  *	The user should use iwl_trans_{alloc,free}_tx_cmd.
-  * @dev_cmd_headroom: room needed for the transport's private use before the
-@@ -539,6 +540,7 @@ struct iwl_trans {
- 	u8 rx_mpdu_cmd, rx_mpdu_cmd_hdr_size;
- 
- 	bool pm_support;
-+	bool ltr_enabled;
- 
- 	/* The following fields are internal only */
- 	struct kmem_cache *dev_cmd_pool;
-diff --git a/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h b/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h
-index 884c087..fa66471 100644
---- a/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h
-+++ b/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h
-@@ -66,13 +66,46 @@
- 
- /* Power Management Commands, Responses, Notifications */
- 
-+/**
-+ * enum iwl_ltr_config_flags - masks for LTR config command flags
-+ * @LTR_CFG_FLAG_FEATURE_ENABLE: Feature operational status
-+ * @LTR_CFG_FLAG_HW_DIS_ON_SHADOW_REG_ACCESS: allow LTR change on shadow
-+ *	memory access
-+ * @LTR_CFG_FLAG_HW_EN_SHRT_WR_THROUGH: allow LTR msg send on ANY LTR
-+ *	reg change
-+ * @LTR_CFG_FLAG_HW_DIS_ON_D0_2_D3: allow LTR msg send on transition from
-+ *	D0 to D3
-+ * @LTR_CFG_FLAG_SW_SET_SHORT: fixed static short LTR register
-+ * @LTR_CFG_FLAG_SW_SET_LONG: fixed static short LONG register
-+ * @LTR_CFG_FLAG_DENIE_C10_ON_PD: allow going into C10 on PD
-+ */
-+enum iwl_ltr_config_flags {
-+	LTR_CFG_FLAG_FEATURE_ENABLE = BIT(0),
-+	LTR_CFG_FLAG_HW_DIS_ON_SHADOW_REG_ACCESS = BIT(1),
-+	LTR_CFG_FLAG_HW_EN_SHRT_WR_THROUGH = BIT(2),
-+	LTR_CFG_FLAG_HW_DIS_ON_D0_2_D3 = BIT(3),
-+	LTR_CFG_FLAG_SW_SET_SHORT = BIT(4),
-+	LTR_CFG_FLAG_SW_SET_LONG = BIT(5),
-+	LTR_CFG_FLAG_DENIE_C10_ON_PD = BIT(6),
-+};
-+
-+/**
-+ * struct iwl_ltr_config_cmd - configures the LTR
-+ * @flags: See %enum iwl_ltr_config_flags
-+ */
-+struct iwl_ltr_config_cmd {
-+	__le32 flags;
-+	__le32 static_long;
-+	__le32 static_short;
-+} __packed;
-+
- /* Radio LP RX Energy Threshold measured in dBm */
- #define POWER_LPRX_RSSI_THRESHOLD	75
- #define POWER_LPRX_RSSI_THRESHOLD_MAX	94
- #define POWER_LPRX_RSSI_THRESHOLD_MIN	30
- 
- /**
-- * enum iwl_scan_flags - masks for power table command flags
-+ * enum iwl_power_flags - masks for power table command flags
-  * @POWER_FLAGS_POWER_SAVE_ENA_MSK: '1' Allow to save power by turning off
-  *		receiver and transmitter. '0' - does not allow.
-  * @POWER_FLAGS_POWER_MANAGEMENT_ENA_MSK: '0' Driver disables power management,
-diff --git a/drivers/net/wireless/iwlwifi/mvm/fw-api.h b/drivers/net/wireless/iwlwifi/mvm/fw-api.h
-index d0a0477..d8948aa 100644
---- a/drivers/net/wireless/iwlwifi/mvm/fw-api.h
-+++ b/drivers/net/wireless/iwlwifi/mvm/fw-api.h
-@@ -142,6 +142,7 @@ enum {
- 	/* Power - legacy power table command */
- 	POWER_TABLE_CMD = 0x77,
- 	PSM_UAPSD_AP_MISBEHAVING_NOTIFICATION = 0x78,
-+	LTR_CONFIG = 0xee,
- 
- 	/* Thermal Throttling*/
- 	REPLY_THERMAL_MNG_BACKOFF = 0x7e,
-diff --git a/drivers/net/wireless/iwlwifi/mvm/fw.c b/drivers/net/wireless/iwlwifi/mvm/fw.c
-index c03d395..2ef344f 100644
---- a/drivers/net/wireless/iwlwifi/mvm/fw.c
-+++ b/drivers/net/wireless/iwlwifi/mvm/fw.c
-@@ -439,6 +439,15 @@ int iwl_mvm_up(struct iwl_mvm *mvm)
- 			goto error;
- 	}
- 
-+	if (mvm->trans->ltr_enabled) {
-+		struct iwl_ltr_config_cmd cmd = {
-+			.flags = cpu_to_le32(LTR_CFG_FLAG_FEATURE_ENABLE),
-+		};
-+
-+		WARN_ON(iwl_mvm_send_cmd_pdu(mvm, LTR_CONFIG, 0,
-+					     sizeof(cmd), &cmd));
-+	}
-+
- 	ret = iwl_mvm_power_update_device_mode(mvm);
- 	if (ret)
- 		goto error;
-diff --git a/drivers/net/wireless/iwlwifi/mvm/ops.c b/drivers/net/wireless/iwlwifi/mvm/ops.c
-index a3d43de..dbff7f0 100644
---- a/drivers/net/wireless/iwlwifi/mvm/ops.c
-+++ b/drivers/net/wireless/iwlwifi/mvm/ops.c
-@@ -313,6 +313,7 @@ static const char *iwl_mvm_cmd_strings[REPLY_MAX] = {
- 	CMD(REPLY_BEACON_FILTERING_CMD),
- 	CMD(REPLY_THERMAL_MNG_BACKOFF),
- 	CMD(MAC_PM_POWER_TABLE),
-+	CMD(LTR_CONFIG),
- 	CMD(BT_COEX_CI),
- 	CMD(PSM_UAPSD_AP_MISBEHAVING_NOTIFICATION),
- };
-diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
-index 16be0c0..fb62927 100644
---- a/drivers/net/wireless/iwlwifi/pcie/trans.c
-+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
-@@ -94,6 +94,7 @@ static void iwl_pcie_apm_config(struct iwl_trans *trans)
- {
- 	struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
- 	u16 lctl;
-+	u16 cap;
- 
- 	/*
- 	 * HW bug W/A for instability in PCIe bus L0S->L1 transition.
-@@ -104,16 +105,17 @@ static void iwl_pcie_apm_config(struct iwl_trans *trans)
- 	 *    power savings, even without L1.
- 	 */
- 	pcie_capability_read_word(trans_pcie->pci_dev, PCI_EXP_LNKCTL, &lctl);
--	if (lctl & PCI_EXP_LNKCTL_ASPM_L1) {
--		/* L1-ASPM enabled; disable(!) L0S */
-+	if (lctl & PCI_EXP_LNKCTL_ASPM_L1)
- 		iwl_set_bit(trans, CSR_GIO_REG, CSR_GIO_REG_VAL_L0S_ENABLED);
--		dev_info(trans->dev, "L1 Enabled; Disabling L0S\n");
--	} else {
--		/* L1-ASPM disabled; enable(!) L0S */
-+	else
- 		iwl_clear_bit(trans, CSR_GIO_REG, CSR_GIO_REG_VAL_L0S_ENABLED);
--		dev_info(trans->dev, "L1 Disabled; Enabling L0S\n");
--	}
- 	trans->pm_support = !(lctl & PCI_EXP_LNKCTL_ASPM_L0S);
-+
-+	pcie_capability_read_word(trans_pcie->pci_dev, PCI_EXP_DEVCTL2, &cap);
-+	trans->ltr_enabled = cap & PCI_EXP_DEVCTL2_LTR_EN;
-+	dev_info(trans->dev, "L1 %sabled - LTR %sabled\n",
-+		 (lctl & PCI_EXP_LNKCTL_ASPM_L1) ? "En" : "Dis",
-+		 trans->ltr_enabled ? "En" : "Dis");
- }
- 
- /*
-diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
-index 69d4c31..505ff60 100644
---- a/drivers/net/wireless/mac80211_hwsim.c
-+++ b/drivers/net/wireless/mac80211_hwsim.c
-@@ -1974,7 +1974,7 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
- 	if (err != 0) {
- 		printk(KERN_DEBUG "mac80211_hwsim: device_bind_driver failed (%d)\n",
- 		       err);
--		goto failed_hw;
-+		goto failed_bind;
- 	}
- 
- 	skb_queue_head_init(&data->pending);
-@@ -2157,6 +2157,8 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
- 	return idx;
- 
- failed_hw:
-+	device_release_driver(data->dev);
-+failed_bind:
- 	device_unregister(data->dev);
- failed_drvdata:
- 	ieee80211_free_hw(hw);
-diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c
-index 390e8e3..25721bf 100644
---- a/drivers/platform/x86/dell-wmi.c
-+++ b/drivers/platform/x86/dell-wmi.c
-@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context)
- 		const struct key_entry *key;
- 		int reported_key;
- 		u16 *buffer_entry = (u16 *)obj->buffer.pointer;
-+		int buffer_size = obj->buffer.length/2;
- 
--		if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
-+		if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
- 			pr_info("Received unknown WMI event (0x%x)\n",
- 				buffer_entry[1]);
- 			kfree(obj);
- 			return;
- 		}
- 
--		if (dell_new_hk_type || buffer_entry[1] == 0x0)
-+		if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
- 			reported_key = (int)buffer_entry[2];
--		else
-+		else if (buffer_size >= 2)
- 			reported_key = (int)buffer_entry[1] & 0xffff;
-+		else {
-+			pr_info("Received unknown WMI event\n");
-+			kfree(obj);
-+			return;
-+		}
- 
- 		key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
- 							reported_key);
-diff --git a/drivers/power/bq2415x_charger.c b/drivers/power/bq2415x_charger.c
-index e384844..1f49986 100644
---- a/drivers/power/bq2415x_charger.c
-+++ b/drivers/power/bq2415x_charger.c
-@@ -1579,8 +1579,15 @@ static int bq2415x_probe(struct i2c_client *client,
- 	if (np) {
- 		bq->notify_psy = power_supply_get_by_phandle(np, "ti,usb-charger-detection");
- 
--		if (!bq->notify_psy)
--			return -EPROBE_DEFER;
-+		if (IS_ERR(bq->notify_psy)) {
-+			dev_info(&client->dev,
-+				"no 'ti,usb-charger-detection' property (err=%ld)\n",
-+				PTR_ERR(bq->notify_psy));
-+			bq->notify_psy = NULL;
-+		} else if (!bq->notify_psy) {
-+			ret = -EPROBE_DEFER;
-+			goto error_2;
-+		}
- 	}
- 	else if (pdata->notify_device)
- 		bq->notify_psy = power_supply_get_by_name(pdata->notify_device);
-@@ -1602,27 +1609,27 @@ static int bq2415x_probe(struct i2c_client *client,
- 		ret = of_property_read_u32(np, "ti,current-limit",
- 				&bq->init_data.current_limit);
- 		if (ret)
--			return ret;
-+			goto error_2;
- 		ret = of_property_read_u32(np, "ti,weak-battery-voltage",
- 				&bq->init_data.weak_battery_voltage);
- 		if (ret)
--			return ret;
-+			goto error_2;
- 		ret = of_property_read_u32(np, "ti,battery-regulation-voltage",
- 				&bq->init_data.battery_regulation_voltage);
- 		if (ret)
--			return ret;
-+			goto error_2;
- 		ret = of_property_read_u32(np, "ti,charge-current",
- 				&bq->init_data.charge_current);
- 		if (ret)
--			return ret;
-+			goto error_2;
- 		ret = of_property_read_u32(np, "ti,termination-current",
- 				&bq->init_data.termination_current);
- 		if (ret)
--			return ret;
-+			goto error_2;
- 		ret = of_property_read_u32(np, "ti,resistor-sense",
- 				&bq->init_data.resistor_sense);
- 		if (ret)
--			return ret;
-+			goto error_2;
- 	} else {
- 		memcpy(&bq->init_data, pdata, sizeof(bq->init_data));
- 	}
-diff --git a/drivers/power/charger-manager.c b/drivers/power/charger-manager.c
-index ef1f4c9..03bfac3 100644
---- a/drivers/power/charger-manager.c
-+++ b/drivers/power/charger-manager.c
-@@ -97,6 +97,7 @@ static struct charger_global_desc *g_desc; /* init with setup_charger_manager */
- static bool is_batt_present(struct charger_manager *cm)
- {
- 	union power_supply_propval val;
-+	struct power_supply *psy;
- 	bool present = false;
- 	int i, ret;
- 
-@@ -107,16 +108,27 @@ static bool is_batt_present(struct charger_manager *cm)
- 	case CM_NO_BATTERY:
- 		break;
- 	case CM_FUEL_GAUGE:
--		ret = cm->fuel_gauge->get_property(cm->fuel_gauge,
-+		psy = power_supply_get_by_name(cm->desc->psy_fuel_gauge);
-+		if (!psy)
-+			break;
-+
-+		ret = psy->get_property(psy,
- 				POWER_SUPPLY_PROP_PRESENT, &val);
- 		if (ret == 0 && val.intval)
- 			present = true;
- 		break;
- 	case CM_CHARGER_STAT:
--		for (i = 0; cm->charger_stat[i]; i++) {
--			ret = cm->charger_stat[i]->get_property(
--					cm->charger_stat[i],
--					POWER_SUPPLY_PROP_PRESENT, &val);
-+		for (i = 0; cm->desc->psy_charger_stat[i]; i++) {
-+			psy = power_supply_get_by_name(
-+					cm->desc->psy_charger_stat[i]);
-+			if (!psy) {
-+				dev_err(cm->dev, "Cannot find power supply \"%s\"\n",
-+					cm->desc->psy_charger_stat[i]);
-+				continue;
-+			}
-+
-+			ret = psy->get_property(psy, POWER_SUPPLY_PROP_PRESENT,
-+					&val);
- 			if (ret == 0 && val.intval) {
- 				present = true;
- 				break;
-@@ -139,14 +151,20 @@ static bool is_batt_present(struct charger_manager *cm)
- static bool is_ext_pwr_online(struct charger_manager *cm)
- {
- 	union power_supply_propval val;
-+	struct power_supply *psy;
- 	bool online = false;
- 	int i, ret;
- 
- 	/* If at least one of them has one, it's yes. */
--	for (i = 0; cm->charger_stat[i]; i++) {
--		ret = cm->charger_stat[i]->get_property(
--				cm->charger_stat[i],
--				POWER_SUPPLY_PROP_ONLINE, &val);
-+	for (i = 0; cm->desc->psy_charger_stat[i]; i++) {
-+		psy = power_supply_get_by_name(cm->desc->psy_charger_stat[i]);
-+		if (!psy) {
-+			dev_err(cm->dev, "Cannot find power supply \"%s\"\n",
-+					cm->desc->psy_charger_stat[i]);
-+			continue;
-+		}
-+
-+		ret = psy->get_property(psy, POWER_SUPPLY_PROP_ONLINE, &val);
- 		if (ret == 0 && val.intval) {
- 			online = true;
- 			break;
-@@ -167,12 +185,14 @@ static bool is_ext_pwr_online(struct charger_manager *cm)
- static int get_batt_uV(struct charger_manager *cm, int *uV)
- {
- 	union power_supply_propval val;
-+	struct power_supply *fuel_gauge;
- 	int ret;
- 
--	if (!cm->fuel_gauge)
-+	fuel_gauge = power_supply_get_by_name(cm->desc->psy_fuel_gauge);
-+	if (!fuel_gauge)
- 		return -ENODEV;
- 
--	ret = cm->fuel_gauge->get_property(cm->fuel_gauge,
-+	ret = fuel_gauge->get_property(fuel_gauge,
- 				POWER_SUPPLY_PROP_VOLTAGE_NOW, &val);
- 	if (ret)
- 		return ret;
-@@ -189,6 +209,7 @@ static bool is_charging(struct charger_manager *cm)
- {
- 	int i, ret;
- 	bool charging = false;
-+	struct power_supply *psy;
- 	union power_supply_propval val;
- 
- 	/* If there is no battery, it cannot be charged */
-@@ -196,17 +217,22 @@ static bool is_charging(struct charger_manager *cm)
- 		return false;
- 
- 	/* If at least one of the charger is charging, return yes */
--	for (i = 0; cm->charger_stat[i]; i++) {
-+	for (i = 0; cm->desc->psy_charger_stat[i]; i++) {
- 		/* 1. The charger sholuld not be DISABLED */
- 		if (cm->emergency_stop)
- 			continue;
- 		if (!cm->charger_enabled)
- 			continue;
- 
-+		psy = power_supply_get_by_name(cm->desc->psy_charger_stat[i]);
-+		if (!psy) {
-+			dev_err(cm->dev, "Cannot find power supply \"%s\"\n",
-+					cm->desc->psy_charger_stat[i]);
-+			continue;
-+		}
-+
- 		/* 2. The charger should be online (ext-power) */
--		ret = cm->charger_stat[i]->get_property(
--				cm->charger_stat[i],
--				POWER_SUPPLY_PROP_ONLINE, &val);
-+		ret = psy->get_property(psy, POWER_SUPPLY_PROP_ONLINE, &val);
- 		if (ret) {
- 			dev_warn(cm->dev, "Cannot read ONLINE value from %s\n",
- 				 cm->desc->psy_charger_stat[i]);
-@@ -219,9 +245,7 @@ static bool is_charging(struct charger_manager *cm)
- 		 * 3. The charger should not be FULL, DISCHARGING,
- 		 * or NOT_CHARGING.
- 		 */
--		ret = cm->charger_stat[i]->get_property(
--				cm->charger_stat[i],
--				POWER_SUPPLY_PROP_STATUS, &val);
-+		ret = psy->get_property(psy, POWER_SUPPLY_PROP_STATUS, &val);
- 		if (ret) {
- 			dev_warn(cm->dev, "Cannot read STATUS value from %s\n",
- 				 cm->desc->psy_charger_stat[i]);
-@@ -248,6 +272,7 @@ static bool is_full_charged(struct charger_manager *cm)
- {
- 	struct charger_desc *desc = cm->desc;
- 	union power_supply_propval val;
-+	struct power_supply *fuel_gauge;
- 	int ret = 0;
- 	int uV;
- 
-@@ -255,11 +280,15 @@ static bool is_full_charged(struct charger_manager *cm)
- 	if (!is_batt_present(cm))
- 		return false;
- 
--	if (cm->fuel_gauge && desc->fullbatt_full_capacity > 0) {
-+	fuel_gauge = power_supply_get_by_name(cm->desc->psy_fuel_gauge);
-+	if (!fuel_gauge)
-+		return false;
-+
-+	if (desc->fullbatt_full_capacity > 0) {
- 		val.intval = 0;
- 
- 		/* Not full if capacity of fuel gauge isn't full */
--		ret = cm->fuel_gauge->get_property(cm->fuel_gauge,
-+		ret = fuel_gauge->get_property(fuel_gauge,
- 				POWER_SUPPLY_PROP_CHARGE_FULL, &val);
- 		if (!ret && val.intval > desc->fullbatt_full_capacity)
- 			return true;
-@@ -273,10 +302,10 @@ static bool is_full_charged(struct charger_manager *cm)
- 	}
- 
- 	/* Full, if the capacity is more than fullbatt_soc */
--	if (cm->fuel_gauge && desc->fullbatt_soc > 0) {
-+	if (desc->fullbatt_soc > 0) {
- 		val.intval = 0;
- 
--		ret = cm->fuel_gauge->get_property(cm->fuel_gauge,
-+		ret = fuel_gauge->get_property(fuel_gauge,
- 				POWER_SUPPLY_PROP_CAPACITY, &val);
- 		if (!ret && val.intval >= desc->fullbatt_soc)
- 			return true;
-@@ -551,6 +580,20 @@ static int check_charging_duration(struct charger_manager *cm)
- 	return ret;
- }
- 
-+static int cm_get_battery_temperature_by_psy(struct charger_manager *cm,
-+					int *temp)
-+{
-+	struct power_supply *fuel_gauge;
-+
-+	fuel_gauge = power_supply_get_by_name(cm->desc->psy_fuel_gauge);
-+	if (!fuel_gauge)
-+		return -ENODEV;
-+
-+	return fuel_gauge->get_property(fuel_gauge,
-+				POWER_SUPPLY_PROP_TEMP,
-+				(union power_supply_propval *)temp);
-+}
-+
- static int cm_get_battery_temperature(struct charger_manager *cm,
- 					int *temp)
- {
-@@ -560,15 +603,18 @@ static int cm_get_battery_temperature(struct charger_manager *cm,
- 		return -ENODEV;
- 
- #ifdef CONFIG_THERMAL
--	ret = thermal_zone_get_temp(cm->tzd_batt, (unsigned long *)temp);
--	if (!ret)
--		/* Calibrate temperature unit */
--		*temp /= 100;
--#else
--	ret = cm->fuel_gauge->get_property(cm->fuel_gauge,
--				POWER_SUPPLY_PROP_TEMP,
--				(union power_supply_propval *)temp);
-+	if (cm->tzd_batt) {
-+		ret = thermal_zone_get_temp(cm->tzd_batt, (unsigned long *)temp);
-+		if (!ret)
-+			/* Calibrate temperature unit */
-+			*temp /= 100;
-+	} else
- #endif
-+	{
-+		/* if-else continued from CONFIG_THERMAL */
-+		ret = cm_get_battery_temperature_by_psy(cm, temp);
-+	}
-+
- 	return ret;
- }
- 
-@@ -827,6 +873,7 @@ static int charger_get_property(struct power_supply *psy,
- 	struct charger_manager *cm = container_of(psy,
- 			struct charger_manager, charger_psy);
- 	struct charger_desc *desc = cm->desc;
-+	struct power_supply *fuel_gauge;
- 	int ret = 0;
- 	int uV;
- 
-@@ -857,14 +904,20 @@ static int charger_get_property(struct power_supply *psy,
- 		ret = get_batt_uV(cm, &val->intval);
- 		break;
- 	case POWER_SUPPLY_PROP_CURRENT_NOW:
--		ret = cm->fuel_gauge->get_property(cm->fuel_gauge,
-+		fuel_gauge = power_supply_get_by_name(cm->desc->psy_fuel_gauge);
-+		if (!fuel_gauge) {
-+			ret = -ENODEV;
-+			break;
-+		}
-+		ret = fuel_gauge->get_property(fuel_gauge,
- 				POWER_SUPPLY_PROP_CURRENT_NOW, val);
- 		break;
- 	case POWER_SUPPLY_PROP_TEMP:
- 	case POWER_SUPPLY_PROP_TEMP_AMBIENT:
- 		return cm_get_battery_temperature(cm, &val->intval);
- 	case POWER_SUPPLY_PROP_CAPACITY:
--		if (!cm->fuel_gauge) {
-+		fuel_gauge = power_supply_get_by_name(cm->desc->psy_fuel_gauge);
-+		if (!fuel_gauge) {
- 			ret = -ENODEV;
- 			break;
- 		}
-@@ -875,7 +928,7 @@ static int charger_get_property(struct power_supply *psy,
- 			break;
- 		}
- 
--		ret = cm->fuel_gauge->get_property(cm->fuel_gauge,
-+		ret = fuel_gauge->get_property(fuel_gauge,
- 					POWER_SUPPLY_PROP_CAPACITY, val);
- 		if (ret)
- 			break;
-@@ -924,7 +977,14 @@ static int charger_get_property(struct power_supply *psy,
- 		break;
- 	case POWER_SUPPLY_PROP_CHARGE_NOW:
- 		if (is_charging(cm)) {
--			ret = cm->fuel_gauge->get_property(cm->fuel_gauge,
-+			fuel_gauge = power_supply_get_by_name(
-+					cm->desc->psy_fuel_gauge);
-+			if (!fuel_gauge) {
-+				ret = -ENODEV;
-+				break;
-+			}
-+
-+			ret = fuel_gauge->get_property(fuel_gauge,
- 						POWER_SUPPLY_PROP_CHARGE_NOW,
- 						val);
- 			if (ret) {
-@@ -1485,14 +1545,15 @@ err:
- 	return ret;
- }
- 
--static int cm_init_thermal_data(struct charger_manager *cm)
-+static int cm_init_thermal_data(struct charger_manager *cm,
-+		struct power_supply *fuel_gauge)
- {
- 	struct charger_desc *desc = cm->desc;
- 	union power_supply_propval val;
- 	int ret;
- 
- 	/* Verify whether fuel gauge provides battery temperature */
--	ret = cm->fuel_gauge->get_property(cm->fuel_gauge,
-+	ret = fuel_gauge->get_property(fuel_gauge,
- 					POWER_SUPPLY_PROP_TEMP, &val);
- 
- 	if (!ret) {
-@@ -1502,8 +1563,6 @@ static int cm_init_thermal_data(struct charger_manager *cm)
- 		cm->desc->measure_battery_temp = true;
- 	}
- #ifdef CONFIG_THERMAL
--	cm->tzd_batt = cm->fuel_gauge->tzd;
--
- 	if (ret && desc->thermal_zone) {
- 		cm->tzd_batt =
- 			thermal_zone_get_zone_by_name(desc->thermal_zone);
-@@ -1666,6 +1725,7 @@ static int charger_manager_probe(struct platform_device *pdev)
- 	int ret = 0, i = 0;
- 	int j = 0;
- 	union power_supply_propval val;
-+	struct power_supply *fuel_gauge;
- 
- 	if (g_desc && !rtc_dev && g_desc->rtc_name) {
- 		rtc_dev = rtc_class_open(g_desc->rtc_name);
-@@ -1729,23 +1789,20 @@ static int charger_manager_probe(struct platform_device *pdev)
- 	while (desc->psy_charger_stat[i])
- 		i++;
- 
--	cm->charger_stat = devm_kzalloc(&pdev->dev,
--				sizeof(struct power_supply *) * i, GFP_KERNEL);
--	if (!cm->charger_stat)
--		return -ENOMEM;
--
-+	/* Check if charger's supplies are present at probe */
- 	for (i = 0; desc->psy_charger_stat[i]; i++) {
--		cm->charger_stat[i] = power_supply_get_by_name(
--					desc->psy_charger_stat[i]);
--		if (!cm->charger_stat[i]) {
-+		struct power_supply *psy;
-+
-+		psy = power_supply_get_by_name(desc->psy_charger_stat[i]);
-+		if (!psy) {
- 			dev_err(&pdev->dev, "Cannot find power supply \"%s\"\n",
- 				desc->psy_charger_stat[i]);
- 			return -ENODEV;
- 		}
- 	}
- 
--	cm->fuel_gauge = power_supply_get_by_name(desc->psy_fuel_gauge);
--	if (!cm->fuel_gauge) {
-+	fuel_gauge = power_supply_get_by_name(desc->psy_fuel_gauge);
-+	if (!fuel_gauge) {
- 		dev_err(&pdev->dev, "Cannot find power supply \"%s\"\n",
- 			desc->psy_fuel_gauge);
- 		return -ENODEV;
-@@ -1788,13 +1845,13 @@ static int charger_manager_probe(struct platform_device *pdev)
- 	cm->charger_psy.num_properties = psy_default.num_properties;
- 
- 	/* Find which optional psy-properties are available */
--	if (!cm->fuel_gauge->get_property(cm->fuel_gauge,
-+	if (!fuel_gauge->get_property(fuel_gauge,
- 					  POWER_SUPPLY_PROP_CHARGE_NOW, &val)) {
- 		cm->charger_psy.properties[cm->charger_psy.num_properties] =
- 				POWER_SUPPLY_PROP_CHARGE_NOW;
- 		cm->charger_psy.num_properties++;
- 	}
--	if (!cm->fuel_gauge->get_property(cm->fuel_gauge,
-+	if (!fuel_gauge->get_property(fuel_gauge,
- 					  POWER_SUPPLY_PROP_CURRENT_NOW,
- 					  &val)) {
- 		cm->charger_psy.properties[cm->charger_psy.num_properties] =
-@@ -1802,7 +1859,7 @@ static int charger_manager_probe(struct platform_device *pdev)
- 		cm->charger_psy.num_properties++;
- 	}
- 
--	ret = cm_init_thermal_data(cm);
-+	ret = cm_init_thermal_data(cm, fuel_gauge);
- 	if (ret) {
- 		dev_err(&pdev->dev, "Failed to initialize thermal data\n");
- 		cm->desc->measure_battery_temp = false;
-@@ -2059,8 +2116,8 @@ static bool find_power_supply(struct charger_manager *cm,
- 	int i;
- 	bool found = false;
- 
--	for (i = 0; cm->charger_stat[i]; i++) {
--		if (psy == cm->charger_stat[i]) {
-+	for (i = 0; cm->desc->psy_charger_stat[i]; i++) {
-+		if (!strcmp(psy->name, cm->desc->psy_charger_stat[i])) {
- 			found = true;
- 			break;
- 		}
-diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
-index edb4d46..96b6664 100644
---- a/drivers/scsi/scsi_error.c
-+++ b/drivers/scsi/scsi_error.c
-@@ -1984,8 +1984,10 @@ static void scsi_restart_operations(struct Scsi_Host *shost)
- 	 * is no point trying to lock the door of an off-line device.
- 	 */
- 	shost_for_each_device(sdev, shost) {
--		if (scsi_device_online(sdev) && sdev->locked)
-+		if (scsi_device_online(sdev) && sdev->was_reset && sdev->locked) {
- 			scsi_eh_lock_door(sdev);
-+			sdev->was_reset = 0;
-+		}
- 	}
- 
- 	/*
-diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
-index b01fb6c..d43c544 100644
---- a/fs/btrfs/compression.c
-+++ b/fs/btrfs/compression.c
-@@ -472,7 +472,7 @@ static noinline int add_ra_bio_pages(struct inode *inode,
- 		rcu_read_lock();
- 		page = radix_tree_lookup(&mapping->page_tree, pg_index);
- 		rcu_read_unlock();
--		if (page) {
-+		if (page && !radix_tree_exceptional_entry(page)) {
- 			misses++;
- 			if (misses > 4)
- 				break;
-diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
-index a9a881e..f6d00df 100644
---- a/fs/btrfs/file.c
-+++ b/fs/btrfs/file.c
-@@ -425,13 +425,8 @@ static noinline int btrfs_copy_from_user(loff_t pos, int num_pages,
- 		struct page *page = prepared_pages[pg];
- 		/*
- 		 * Copy data from userspace to the current page
--		 *
--		 * Disable pagefault to avoid recursive lock since
--		 * the pages are already locked
- 		 */
--		pagefault_disable();
- 		copied = iov_iter_copy_from_user_atomic(page, i, offset, count);
--		pagefault_enable();
- 
- 		/* Flush processor's dcache for this page */
- 		flush_dcache_page(page);
-diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
-index 06610cf..a1f801c 100644
---- a/fs/cramfs/inode.c
-+++ b/fs/cramfs/inode.c
-@@ -195,8 +195,7 @@ static void *cramfs_read(struct super_block *sb, unsigned int offset, unsigned i
- 		struct page *page = NULL;
- 
- 		if (blocknr + i < devsize) {
--			page = read_mapping_page_async(mapping, blocknr + i,
--									NULL);
-+			page = read_mapping_page(mapping, blocknr + i, NULL);
- 			/* synchronous error? */
- 			if (IS_ERR(page))
- 				page = NULL;
-diff --git a/fs/fuse/file.c b/fs/fuse/file.c
-index 77bcc30..a91d3b4 100644
---- a/fs/fuse/file.c
-+++ b/fs/fuse/file.c
-@@ -1003,9 +1003,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
- 		if (mapping_writably_mapped(mapping))
- 			flush_dcache_page(page);
- 
--		pagefault_disable();
- 		tmp = iov_iter_copy_from_user_atomic(page, ii, offset, bytes);
--		pagefault_enable();
- 		flush_dcache_page(page);
- 
- 		mark_page_accessed(page);
-diff --git a/fs/gfs2/meta_io.c b/fs/gfs2/meta_io.c
-index c7f2469..b82a9c9 100644
---- a/fs/gfs2/meta_io.c
-+++ b/fs/gfs2/meta_io.c
-@@ -97,6 +97,11 @@ const struct address_space_operations gfs2_meta_aops = {
- 	.releasepage = gfs2_releasepage,
- };
- 
-+const struct address_space_operations gfs2_rgrp_aops = {
-+	.writepage = gfs2_aspace_writepage,
-+	.releasepage = gfs2_releasepage,
-+};
-+
- /**
-  * gfs2_getbuf - Get a buffer with a given address space
-  * @gl: the glock
-diff --git a/fs/gfs2/meta_io.h b/fs/gfs2/meta_io.h
-index 4823b93..ac5d802 100644
---- a/fs/gfs2/meta_io.h
-+++ b/fs/gfs2/meta_io.h
-@@ -38,12 +38,15 @@ static inline void gfs2_buffer_copy_tail(struct buffer_head *to_bh,
- }
- 
- extern const struct address_space_operations gfs2_meta_aops;
-+extern const struct address_space_operations gfs2_rgrp_aops;
- 
- static inline struct gfs2_sbd *gfs2_mapping2sbd(struct address_space *mapping)
- {
- 	struct inode *inode = mapping->host;
- 	if (mapping->a_ops == &gfs2_meta_aops)
- 		return (((struct gfs2_glock *)mapping) - 1)->gl_sbd;
-+	else if (mapping->a_ops == &gfs2_rgrp_aops)
-+		return container_of(mapping, struct gfs2_sbd, sd_aspace);
- 	else
- 		return inode->i_sb->s_fs_info;
- }
-diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
-index c6872d0..f6c9d83 100644
---- a/fs/gfs2/ops_fstype.c
-+++ b/fs/gfs2/ops_fstype.c
-@@ -104,7 +104,7 @@ static struct gfs2_sbd *init_sbd(struct super_block *sb)
- 	mapping = &sdp->sd_aspace;
- 
- 	address_space_init_once(mapping);
--	mapping->a_ops = &gfs2_meta_aops;
-+	mapping->a_ops = &gfs2_rgrp_aops;
- 	mapping->host = sb->s_bdev->bd_inode;
- 	mapping->flags = 0;
- 	mapping_set_gfp_mask(mapping, GFP_NOFS);
-diff --git a/fs/ioprio.c b/fs/ioprio.c
-index e50170c..31666c9 100644
---- a/fs/ioprio.c
-+++ b/fs/ioprio.c
-@@ -157,14 +157,16 @@ out:
- 
- int ioprio_best(unsigned short aprio, unsigned short bprio)
- {
--	unsigned short aclass = IOPRIO_PRIO_CLASS(aprio);
--	unsigned short bclass = IOPRIO_PRIO_CLASS(bprio);
-+	unsigned short aclass;
-+	unsigned short bclass;
- 
--	if (aclass == IOPRIO_CLASS_NONE)
--		aclass = IOPRIO_CLASS_BE;
--	if (bclass == IOPRIO_CLASS_NONE)
--		bclass = IOPRIO_CLASS_BE;
-+	if (!ioprio_valid(aprio))
-+		aprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM);
-+	if (!ioprio_valid(bprio))
-+		bprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM);
- 
-+	aclass = IOPRIO_PRIO_CLASS(aprio);
-+	bclass = IOPRIO_PRIO_CLASS(bprio);
- 	if (aclass == bclass)
- 		return min(aprio, bprio);
- 	if (aclass > bclass)
-diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
-index a69e426..5b234db 100644
---- a/fs/jffs2/fs.c
-+++ b/fs/jffs2/fs.c
-@@ -687,7 +687,7 @@ unsigned char *jffs2_gc_fetch_page(struct jffs2_sb_info *c,
- 	struct inode *inode = OFNI_EDONI_2SFFJ(f);
- 	struct page *pg;
- 
--	pg = read_cache_page_async(inode->i_mapping, offset >> PAGE_CACHE_SHIFT,
-+	pg = read_cache_page(inode->i_mapping, offset >> PAGE_CACHE_SHIFT,
- 			     (void *)jffs2_do_readpage_unlock, inode);
- 	if (IS_ERR(pg))
- 		return (void *)pg;
-diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c
-index 56ff823..65d849b 100644
---- a/fs/nfs/blocklayout/blocklayout.c
-+++ b/fs/nfs/blocklayout/blocklayout.c
-@@ -1213,7 +1213,7 @@ static u64 pnfs_num_cont_bytes(struct inode *inode, pgoff_t idx)
- 	end = DIV_ROUND_UP(i_size_read(inode), PAGE_CACHE_SIZE);
- 	if (end != NFS_I(inode)->npages) {
- 		rcu_read_lock();
--		end = radix_tree_next_hole(&mapping->page_tree, idx + 1, ULONG_MAX);
-+		end = page_cache_next_hole(mapping, idx + 1, ULONG_MAX);
- 		rcu_read_unlock();
- 	}
- 
-diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c
-index 5d8ccec..3ed1be9 100644
---- a/fs/nfs/delegation.c
-+++ b/fs/nfs/delegation.c
-@@ -109,6 +109,8 @@ again:
- 			continue;
- 		if (!test_bit(NFS_DELEGATED_STATE, &state->flags))
- 			continue;
-+		if (!nfs4_valid_open_stateid(state))
-+			continue;
- 		if (!nfs4_stateid_match(&state->stateid, stateid))
- 			continue;
- 		get_nfs_open_context(ctx);
-@@ -177,7 +179,11 @@ static int nfs_do_return_delegation(struct inode *inode, struct nfs_delegation *
- {
- 	int res = 0;
- 
--	res = nfs4_proc_delegreturn(inode, delegation->cred, &delegation->stateid, issync);
-+	if (!test_bit(NFS_DELEGATION_REVOKED, &delegation->flags))
-+		res = nfs4_proc_delegreturn(inode,
-+				delegation->cred,
-+				&delegation->stateid,
-+				issync);
- 	nfs_free_delegation(delegation);
- 	return res;
- }
-@@ -364,11 +370,13 @@ static int nfs_end_delegation_return(struct inode *inode, struct nfs_delegation
- {
- 	struct nfs_client *clp = NFS_SERVER(inode)->nfs_client;
- 	struct nfs_inode *nfsi = NFS_I(inode);
--	int err;
-+	int err = 0;
- 
- 	if (delegation == NULL)
- 		return 0;
- 	do {
-+		if (test_bit(NFS_DELEGATION_REVOKED, &delegation->flags))
-+			break;
- 		err = nfs_delegation_claim_opens(inode, &delegation->stateid);
- 		if (!issync || err != -EAGAIN)
- 			break;
-@@ -589,10 +597,23 @@ static void nfs_client_mark_return_unused_delegation_types(struct nfs_client *cl
- 	rcu_read_unlock();
- }
- 
-+static void nfs_revoke_delegation(struct inode *inode)
-+{
-+	struct nfs_delegation *delegation;
-+	rcu_read_lock();
-+	delegation = rcu_dereference(NFS_I(inode)->delegation);
-+	if (delegation != NULL) {
-+		set_bit(NFS_DELEGATION_REVOKED, &delegation->flags);
-+		nfs_mark_return_delegation(NFS_SERVER(inode), delegation);
-+	}
-+	rcu_read_unlock();
-+}
-+
- void nfs_remove_bad_delegation(struct inode *inode)
- {
- 	struct nfs_delegation *delegation;
- 
-+	nfs_revoke_delegation(inode);
- 	delegation = nfs_inode_detach_delegation(inode);
- 	if (delegation) {
- 		nfs_inode_find_state_and_recover(inode, &delegation->stateid);
-diff --git a/fs/nfs/delegation.h b/fs/nfs/delegation.h
-index 9a79c7a..e02b090 100644
---- a/fs/nfs/delegation.h
-+++ b/fs/nfs/delegation.h
-@@ -31,6 +31,7 @@ enum {
- 	NFS_DELEGATION_RETURN_IF_CLOSED,
- 	NFS_DELEGATION_REFERENCED,
- 	NFS_DELEGATION_RETURNING,
-+	NFS_DELEGATION_REVOKED,
- };
- 
- int nfs_inode_set_delegation(struct inode *inode, struct rpc_cred *cred, struct nfs_openres *res);
-diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
-index b8797ae..de2543d 100644
---- a/fs/nfs/direct.c
-+++ b/fs/nfs/direct.c
-@@ -178,6 +178,7 @@ static void nfs_direct_req_free(struct kref *kref)
- {
- 	struct nfs_direct_req *dreq = container_of(kref, struct nfs_direct_req, kref);
- 
-+	nfs_free_pnfs_ds_cinfo(&dreq->ds_cinfo);
- 	if (dreq->l_ctx != NULL)
- 		nfs_put_lock_context(dreq->l_ctx);
- 	if (dreq->ctx != NULL)
-diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
-index 15f9d98..6659ce5 100644
---- a/fs/nfs/inode.c
-+++ b/fs/nfs/inode.c
-@@ -592,7 +592,7 @@ int nfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
- {
- 	struct inode *inode = dentry->d_inode;
- 	int need_atime = NFS_I(inode)->cache_validity & NFS_INO_INVALID_ATIME;
--	int err;
-+	int err = 0;
- 
- 	trace_nfs_getattr_enter(inode);
- 	/* Flush out writes to the server in order to update c/mtime.  */
-diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index da657b7..bd01803 100644
---- a/fs/nfs/nfs4proc.c
-+++ b/fs/nfs/nfs4proc.c
-@@ -1587,7 +1587,7 @@ static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct
- 			nfs_inode_find_state_and_recover(state->inode,
- 					stateid);
- 			nfs4_schedule_stateid_recovery(server, state);
--			return 0;
-+			return -EAGAIN;
- 		case -NFS4ERR_DELAY:
- 		case -NFS4ERR_GRACE:
- 			set_bit(NFS_DELEGATED_STATE, &state->flags);
-@@ -2034,46 +2034,60 @@ static int nfs4_open_expired(struct nfs4_state_owner *sp, struct nfs4_state *sta
- 	return ret;
- }
- 
-+static void nfs_finish_clear_delegation_stateid(struct nfs4_state *state)
-+{
-+	nfs_remove_bad_delegation(state->inode);
-+	write_seqlock(&state->seqlock);
-+	nfs4_stateid_copy(&state->stateid, &state->open_stateid);
-+	write_sequnlock(&state->seqlock);
-+	clear_bit(NFS_DELEGATED_STATE, &state->flags);
-+}
-+
-+static void nfs40_clear_delegation_stateid(struct nfs4_state *state)
-+{
-+	if (rcu_access_pointer(NFS_I(state->inode)->delegation) != NULL)
-+		nfs_finish_clear_delegation_stateid(state);
-+}
-+
-+static int nfs40_open_expired(struct nfs4_state_owner *sp, struct nfs4_state *state)
-+{
-+	/* NFSv4.0 doesn't allow for delegation recovery on open expire */
-+	nfs40_clear_delegation_stateid(state);
-+	return nfs4_open_expired(sp, state);
-+}
-+
- #if defined(CONFIG_NFS_V4_1)
--static void nfs41_clear_delegation_stateid(struct nfs4_state *state)
-+static void nfs41_check_delegation_stateid(struct nfs4_state *state)
- {
- 	struct nfs_server *server = NFS_SERVER(state->inode);
--	nfs4_stateid *stateid = &state->stateid;
-+	nfs4_stateid stateid;
- 	struct nfs_delegation *delegation;
--	struct rpc_cred *cred = NULL;
--	int status = -NFS4ERR_BAD_STATEID;
--
--	/* If a state reset has been done, test_stateid is unneeded */
--	if (test_bit(NFS_DELEGATED_STATE, &state->flags) == 0)
--		return;
-+	struct rpc_cred *cred;
-+	int status;
- 
- 	/* Get the delegation credential for use by test/free_stateid */
- 	rcu_read_lock();
- 	delegation = rcu_dereference(NFS_I(state->inode)->delegation);
--	if (delegation != NULL &&
--	    nfs4_stateid_match(&delegation->stateid, stateid)) {
--		cred = get_rpccred(delegation->cred);
--		rcu_read_unlock();
--		status = nfs41_test_stateid(server, stateid, cred);
--		trace_nfs4_test_delegation_stateid(state, NULL, status);
--	} else
-+	if (delegation == NULL) {
- 		rcu_read_unlock();
-+		return;
-+	}
-+
-+	nfs4_stateid_copy(&stateid, &delegation->stateid);
-+	cred = get_rpccred(delegation->cred);
-+	rcu_read_unlock();
-+	status = nfs41_test_stateid(server, &stateid, cred);
-+	trace_nfs4_test_delegation_stateid(state, NULL, status);
- 
- 	if (status != NFS_OK) {
- 		/* Free the stateid unless the server explicitly
- 		 * informs us the stateid is unrecognized. */
- 		if (status != -NFS4ERR_BAD_STATEID)
--			nfs41_free_stateid(server, stateid, cred);
--		nfs_remove_bad_delegation(state->inode);
--
--		write_seqlock(&state->seqlock);
--		nfs4_stateid_copy(&state->stateid, &state->open_stateid);
--		write_sequnlock(&state->seqlock);
--		clear_bit(NFS_DELEGATED_STATE, &state->flags);
-+			nfs41_free_stateid(server, &stateid, cred);
-+		nfs_finish_clear_delegation_stateid(state);
- 	}
- 
--	if (cred != NULL)
--		put_rpccred(cred);
-+	put_rpccred(cred);
- }
- 
- /**
-@@ -2117,7 +2131,7 @@ static int nfs41_open_expired(struct nfs4_state_owner *sp, struct nfs4_state *st
- {
- 	int status;
- 
--	nfs41_clear_delegation_stateid(state);
-+	nfs41_check_delegation_stateid(state);
- 	status = nfs41_check_open_stateid(state);
- 	if (status != NFS_OK)
- 		status = nfs4_open_expired(sp, state);
-@@ -8255,7 +8269,7 @@ static const struct nfs4_state_recovery_ops nfs41_reboot_recovery_ops = {
- static const struct nfs4_state_recovery_ops nfs40_nograce_recovery_ops = {
- 	.owner_flag_bit = NFS_OWNER_RECLAIM_NOGRACE,
- 	.state_flag_bit	= NFS_STATE_RECLAIM_NOGRACE,
--	.recover_open	= nfs4_open_expired,
-+	.recover_open	= nfs40_open_expired,
- 	.recover_lock	= nfs4_lock_expired,
- 	.establish_clid = nfs4_init_clientid,
- };
-diff --git a/fs/super.c b/fs/super.c
-index 88a6bc6..440ef51 100644
---- a/fs/super.c
-+++ b/fs/super.c
-@@ -114,9 +114,14 @@ static unsigned long super_cache_count(struct shrinker *shrink,
- 
- 	sb = container_of(shrink, struct super_block, s_shrink);
- 
--	if (!grab_super_passive(sb))
--		return 0;
--
-+	/*
-+	 * Don't call grab_super_passive as it is a potential
-+	 * scalability bottleneck. The counts could get updated
-+	 * between super_cache_count and super_cache_scan anyway.
-+	 * Call to super_cache_count with shrinker_rwsem held
-+	 * ensures the safety of call to list_lru_count_node() and
-+	 * s_op->nr_cached_objects().
-+	 */
- 	if (sb->s_op && sb->s_op->nr_cached_objects)
- 		total_objects = sb->s_op->nr_cached_objects(sb,
- 						 sc->nid);
-@@ -127,7 +132,6 @@ static unsigned long super_cache_count(struct shrinker *shrink,
- 						 sc->nid);
- 
- 	total_objects = vfs_pressure_ratio(total_objects);
--	drop_super(sb);
- 	return total_objects;
- }
- 
-@@ -278,10 +282,8 @@ void deactivate_locked_super(struct super_block *s)
- 	struct file_system_type *fs = s->s_type;
- 	if (atomic_dec_and_test(&s->s_active)) {
- 		cleancache_invalidate_fs(s);
--		fs->kill_sb(s);
--
--		/* caches are now gone, we can safely kill the shrinker now */
- 		unregister_shrinker(&s->s_shrink);
-+		fs->kill_sb(s);
- 
- 		put_filesystem(fs);
- 		put_super(s);
-diff --git a/include/dt-bindings/pinctrl/dra.h b/include/dt-bindings/pinctrl/dra.h
-index 3d33794..7448edf 100644
---- a/include/dt-bindings/pinctrl/dra.h
-+++ b/include/dt-bindings/pinctrl/dra.h
-@@ -40,8 +40,8 @@
- 
- /* Active pin states */
- #define PIN_OUTPUT		(0 | PULL_DIS)
--#define PIN_OUTPUT_PULLUP	(PIN_OUTPUT | PULL_ENA | PULL_UP)
--#define PIN_OUTPUT_PULLDOWN	(PIN_OUTPUT | PULL_ENA)
-+#define PIN_OUTPUT_PULLUP	(PULL_UP)
-+#define PIN_OUTPUT_PULLDOWN	(0)
- #define PIN_INPUT		(INPUT_EN | PULL_DIS)
- #define PIN_INPUT_SLEW		(INPUT_EN | SLEWCONTROL)
- #define PIN_INPUT_PULLUP	(PULL_ENA | INPUT_EN | PULL_UP)
-diff --git a/include/linux/clocksource.h b/include/linux/clocksource.h
-index 67301a4..879065d 100644
---- a/include/linux/clocksource.h
-+++ b/include/linux/clocksource.h
-@@ -289,7 +289,7 @@ extern struct clocksource* clocksource_get_next(void);
- extern void clocksource_change_rating(struct clocksource *cs, int rating);
- extern void clocksource_suspend(void);
- extern void clocksource_resume(void);
--extern struct clocksource * __init __weak clocksource_default_clock(void);
-+extern struct clocksource * __init clocksource_default_clock(void);
- extern void clocksource_mark_unstable(struct clocksource *cs);
- 
- extern u64
-diff --git a/include/linux/compaction.h b/include/linux/compaction.h
-index 7e1c76e..01e3132 100644
---- a/include/linux/compaction.h
-+++ b/include/linux/compaction.h
-@@ -22,7 +22,7 @@ extern int sysctl_extfrag_handler(struct ctl_table *table, int write,
- extern int fragmentation_index(struct zone *zone, unsigned int order);
- extern unsigned long try_to_compact_pages(struct zonelist *zonelist,
- 			int order, gfp_t gfp_mask, nodemask_t *mask,
--			bool sync, bool *contended);
-+			enum migrate_mode mode, bool *contended);
- extern void compact_pgdat(pg_data_t *pgdat, int order);
- extern void reset_isolation_suitable(pg_data_t *pgdat);
- extern unsigned long compaction_suitable(struct zone *zone, int order);
-@@ -91,7 +91,7 @@ static inline bool compaction_restarting(struct zone *zone, int order)
- #else
- static inline unsigned long try_to_compact_pages(struct zonelist *zonelist,
- 			int order, gfp_t gfp_mask, nodemask_t *nodemask,
--			bool sync, bool *contended)
-+			enum migrate_mode mode, bool *contended)
- {
- 	return COMPACT_CONTINUE;
- }
-diff --git a/include/linux/crash_dump.h b/include/linux/crash_dump.h
-index 7032518..60023e5 100644
---- a/include/linux/crash_dump.h
-+++ b/include/linux/crash_dump.h
-@@ -14,14 +14,13 @@
- extern unsigned long long elfcorehdr_addr;
- extern unsigned long long elfcorehdr_size;
- 
--extern int __weak elfcorehdr_alloc(unsigned long long *addr,
--				   unsigned long long *size);
--extern void __weak elfcorehdr_free(unsigned long long addr);
--extern ssize_t __weak elfcorehdr_read(char *buf, size_t count, u64 *ppos);
--extern ssize_t __weak elfcorehdr_read_notes(char *buf, size_t count, u64 *ppos);
--extern int __weak remap_oldmem_pfn_range(struct vm_area_struct *vma,
--					 unsigned long from, unsigned long pfn,
--					 unsigned long size, pgprot_t prot);
-+extern int elfcorehdr_alloc(unsigned long long *addr, unsigned long long *size);
-+extern void elfcorehdr_free(unsigned long long addr);
-+extern ssize_t elfcorehdr_read(char *buf, size_t count, u64 *ppos);
-+extern ssize_t elfcorehdr_read_notes(char *buf, size_t count, u64 *ppos);
-+extern int remap_oldmem_pfn_range(struct vm_area_struct *vma,
-+				  unsigned long from, unsigned long pfn,
-+				  unsigned long size, pgprot_t prot);
- 
- extern ssize_t copy_oldmem_page(unsigned long, char *, size_t,
- 						unsigned long, int);
-diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h
-index 6b06d37..e465bb1 100644
---- a/include/linux/kgdb.h
-+++ b/include/linux/kgdb.h
-@@ -283,7 +283,7 @@ struct kgdb_io {
- 
- extern struct kgdb_arch		arch_kgdb_ops;
- 
--extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
-+extern unsigned long kgdb_arch_pc(int exception, struct pt_regs *regs);
- 
- #ifdef CONFIG_SERIAL_KGDB_NMI
- extern int kgdb_register_nmi_console(void);
-diff --git a/include/linux/memory.h b/include/linux/memory.h
-index bb7384e..8b8d8d1 100644
---- a/include/linux/memory.h
-+++ b/include/linux/memory.h
-@@ -35,7 +35,7 @@ struct memory_block {
- };
- 
- int arch_get_memory_phys_device(unsigned long start_pfn);
--unsigned long __weak memory_block_size_bytes(void);
-+unsigned long memory_block_size_bytes(void);
- 
- /* These states are exposed to userspace as text strings in sysfs */
- #define	MEM_ONLINE		(1<<0) /* exposed to userspace */
-diff --git a/include/linux/migrate.h b/include/linux/migrate.h
-index 84a31ad..a2901c4 100644
---- a/include/linux/migrate.h
-+++ b/include/linux/migrate.h
-@@ -5,7 +5,9 @@
- #include <linux/mempolicy.h>
- #include <linux/migrate_mode.h>
- 
--typedef struct page *new_page_t(struct page *, unsigned long private, int **);
-+typedef struct page *new_page_t(struct page *page, unsigned long private,
-+				int **reason);
-+typedef void free_page_t(struct page *page, unsigned long private);
- 
- /*
-  * Return values from addresss_space_operations.migratepage():
-@@ -38,7 +40,7 @@ enum migrate_reason {
- extern void putback_movable_pages(struct list_head *l);
- extern int migrate_page(struct address_space *,
- 			struct page *, struct page *, enum migrate_mode);
--extern int migrate_pages(struct list_head *l, new_page_t x,
-+extern int migrate_pages(struct list_head *l, new_page_t new, free_page_t free,
- 		unsigned long private, enum migrate_mode mode, int reason);
- 
- extern int migrate_prep(void);
-@@ -56,8 +58,9 @@ extern int migrate_page_move_mapping(struct address_space *mapping,
- #else
- 
- static inline void putback_movable_pages(struct list_head *l) {}
--static inline int migrate_pages(struct list_head *l, new_page_t x,
--		unsigned long private, enum migrate_mode mode, int reason)
-+static inline int migrate_pages(struct list_head *l, new_page_t new,
-+		free_page_t free, unsigned long private, enum migrate_mode mode,
-+		int reason)
- 	{ return -ENOSYS; }
- 
- static inline int migrate_prep(void) { return -ENOSYS; }
-diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 0a0b024..d5039da 100644
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -1041,6 +1041,14 @@ extern void show_free_areas(unsigned int flags);
- extern bool skip_free_areas_node(unsigned int flags, int nid);
- 
- int shmem_zero_setup(struct vm_area_struct *);
-+#ifdef CONFIG_SHMEM
-+bool shmem_mapping(struct address_space *mapping);
-+#else
-+static inline bool shmem_mapping(struct address_space *mapping)
-+{
-+	return false;
-+}
-+#endif
- 
- extern int can_do_mlock(void);
- extern int user_shm_lock(size_t, struct user_struct *);
-@@ -1848,9 +1856,6 @@ void page_cache_async_readahead(struct address_space *mapping,
- 				unsigned long size);
- 
- unsigned long max_sane_readahead(unsigned long nr);
--unsigned long ra_submit(struct file_ra_state *ra,
--			struct address_space *mapping,
--			struct file *filp);
- 
- /* Generic expand stack which grows the stack according to GROWS{UP,DOWN} */
- extern int expand_stack(struct vm_area_struct *vma, unsigned long address);
-diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
-index e6800f0..1884353 100644
---- a/include/linux/mmzone.h
-+++ b/include/linux/mmzone.h
-@@ -361,9 +361,10 @@ struct zone {
- 	/* Set to true when the PG_migrate_skip bits should be cleared */
- 	bool			compact_blockskip_flush;
- 
--	/* pfns where compaction scanners should start */
-+	/* pfn where compaction free scanner should start */
- 	unsigned long		compact_cached_free_pfn;
--	unsigned long		compact_cached_migrate_pfn;
-+	/* pfn where async and sync compaction migration scanner should start */
-+	unsigned long		compact_cached_migrate_pfn[2];
- #endif
- #ifdef CONFIG_MEMORY_HOTPLUG
- 	/* see spanned/present_pages for more description */
-diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
-index 5624e4e..53988cb 100644
---- a/include/linux/nfs_xdr.h
-+++ b/include/linux/nfs_xdr.h
-@@ -1247,11 +1247,22 @@ struct nfs41_free_stateid_res {
- 	unsigned int			status;
- };
- 
-+static inline void
-+nfs_free_pnfs_ds_cinfo(struct pnfs_ds_commit_info *cinfo)
-+{
-+	kfree(cinfo->buckets);
-+}
-+
- #else
- 
- struct pnfs_ds_commit_info {
- };
- 
-+static inline void
-+nfs_free_pnfs_ds_cinfo(struct pnfs_ds_commit_info *cinfo)
-+{
-+}
-+
- #endif /* CONFIG_NFS_V4_1 */
- 
- struct nfs_page;
-diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
-index 1710d1b..09c1b03 100644
---- a/include/linux/pagemap.h
-+++ b/include/linux/pagemap.h
-@@ -243,12 +243,20 @@ static inline struct page *page_cache_alloc_readahead(struct address_space *x)
- 
- typedef int filler_t(void *, struct page *);
- 
--extern struct page * find_get_page(struct address_space *mapping,
--				pgoff_t index);
--extern struct page * find_lock_page(struct address_space *mapping,
--				pgoff_t index);
--extern struct page * find_or_create_page(struct address_space *mapping,
--				pgoff_t index, gfp_t gfp_mask);
-+pgoff_t page_cache_next_hole(struct address_space *mapping,
-+			     pgoff_t index, unsigned long max_scan);
-+pgoff_t page_cache_prev_hole(struct address_space *mapping,
-+			     pgoff_t index, unsigned long max_scan);
-+
-+struct page *find_get_entry(struct address_space *mapping, pgoff_t offset);
-+struct page *find_get_page(struct address_space *mapping, pgoff_t offset);
-+struct page *find_lock_entry(struct address_space *mapping, pgoff_t offset);
-+struct page *find_lock_page(struct address_space *mapping, pgoff_t offset);
-+struct page *find_or_create_page(struct address_space *mapping, pgoff_t index,
-+				 gfp_t gfp_mask);
-+unsigned find_get_entries(struct address_space *mapping, pgoff_t start,
-+			  unsigned int nr_entries, struct page **entries,
-+			  pgoff_t *indices);
- unsigned find_get_pages(struct address_space *mapping, pgoff_t start,
- 			unsigned int nr_pages, struct page **pages);
- unsigned find_get_pages_contig(struct address_space *mapping, pgoff_t start,
-@@ -270,8 +278,6 @@ static inline struct page *grab_cache_page(struct address_space *mapping,
- 
- extern struct page * grab_cache_page_nowait(struct address_space *mapping,
- 				pgoff_t index);
--extern struct page * read_cache_page_async(struct address_space *mapping,
--				pgoff_t index, filler_t *filler, void *data);
- extern struct page * read_cache_page(struct address_space *mapping,
- 				pgoff_t index, filler_t *filler, void *data);
- extern struct page * read_cache_page_gfp(struct address_space *mapping,
-@@ -279,14 +285,6 @@ extern struct page * read_cache_page_gfp(struct address_space *mapping,
- extern int read_cache_pages(struct address_space *mapping,
- 		struct list_head *pages, filler_t *filler, void *data);
- 
--static inline struct page *read_mapping_page_async(
--				struct address_space *mapping,
--				pgoff_t index, void *data)
--{
--	filler_t *filler = (filler_t *)mapping->a_ops->readpage;
--	return read_cache_page_async(mapping, index, filler, data);
--}
--
- static inline struct page *read_mapping_page(struct address_space *mapping,
- 				pgoff_t index, void *data)
- {
-diff --git a/include/linux/pagevec.h b/include/linux/pagevec.h
-index e4dbfab..b45d391 100644
---- a/include/linux/pagevec.h
-+++ b/include/linux/pagevec.h
-@@ -22,6 +22,11 @@ struct pagevec {
- 
- void __pagevec_release(struct pagevec *pvec);
- void __pagevec_lru_add(struct pagevec *pvec);
-+unsigned pagevec_lookup_entries(struct pagevec *pvec,
-+				struct address_space *mapping,
-+				pgoff_t start, unsigned nr_entries,
-+				pgoff_t *indices);
-+void pagevec_remove_exceptionals(struct pagevec *pvec);
- unsigned pagevec_lookup(struct pagevec *pvec, struct address_space *mapping,
- 		pgoff_t start, unsigned nr_pages);
- unsigned pagevec_lookup_tag(struct pagevec *pvec,
-diff --git a/include/linux/power/charger-manager.h b/include/linux/power/charger-manager.h
-index 07e7945..e97fc65 100644
---- a/include/linux/power/charger-manager.h
-+++ b/include/linux/power/charger-manager.h
-@@ -253,9 +253,6 @@ struct charger_manager {
- 	struct device *dev;
- 	struct charger_desc *desc;
- 
--	struct power_supply *fuel_gauge;
--	struct power_supply **charger_stat;
--
- #ifdef CONFIG_THERMAL
- 	struct thermal_zone_device *tzd_batt;
- #endif
-diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h
-index 4039407..e8be53e 100644
---- a/include/linux/radix-tree.h
-+++ b/include/linux/radix-tree.h
-@@ -219,6 +219,7 @@ static inline void radix_tree_replace_slot(void **pslot, void *item)
- int radix_tree_insert(struct radix_tree_root *, unsigned long, void *);
- void *radix_tree_lookup(struct radix_tree_root *, unsigned long);
- void **radix_tree_lookup_slot(struct radix_tree_root *, unsigned long);
-+void *radix_tree_delete_item(struct radix_tree_root *, unsigned long, void *);
- void *radix_tree_delete(struct radix_tree_root *, unsigned long);
- unsigned int
- radix_tree_gang_lookup(struct radix_tree_root *root, void **results,
-@@ -226,10 +227,6 @@ radix_tree_gang_lookup(struct radix_tree_root *root, void **results,
- unsigned int radix_tree_gang_lookup_slot(struct radix_tree_root *root,
- 			void ***results, unsigned long *indices,
- 			unsigned long first_index, unsigned int max_items);
--unsigned long radix_tree_next_hole(struct radix_tree_root *root,
--				unsigned long index, unsigned long max_scan);
--unsigned long radix_tree_prev_hole(struct radix_tree_root *root,
--				unsigned long index, unsigned long max_scan);
- int radix_tree_preload(gfp_t gfp_mask);
- int radix_tree_maybe_preload(gfp_t gfp_mask);
- void radix_tree_init(void);
-diff --git a/include/linux/shmem_fs.h b/include/linux/shmem_fs.h
-index 9d55438..4d1771c 100644
---- a/include/linux/shmem_fs.h
-+++ b/include/linux/shmem_fs.h
-@@ -51,6 +51,7 @@ extern struct file *shmem_kernel_file_setup(const char *name, loff_t size,
- 					    unsigned long flags);
- extern int shmem_zero_setup(struct vm_area_struct *);
- extern int shmem_lock(struct file *file, int lock, struct user_struct *user);
-+extern bool shmem_mapping(struct address_space *mapping);
- extern void shmem_unlock_mapping(struct address_space *mapping);
- extern struct page *shmem_read_mapping_page_gfp(struct address_space *mapping,
- 					pgoff_t index, gfp_t gfp_mask);
-diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
-index a3353f4..ba41e01 100644
---- a/include/net/sctp/sctp.h
-+++ b/include/net/sctp/sctp.h
-@@ -433,6 +433,11 @@ static inline void sctp_assoc_pending_pmtu(struct sock *sk, struct sctp_associat
- 	asoc->pmtu_pending = 0;
- }
- 
-+static inline bool sctp_chunk_pending(const struct sctp_chunk *chunk)
-+{
-+	return !list_empty(&chunk->list);
-+}
-+
- /* Walk through a list of TLV parameters.  Don't trust the
-  * individual parameter lengths and instead depend on
-  * the chunk length to indicate when to stop.  Make sure
-diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
-index 7f4eeb3..72a31db 100644
---- a/include/net/sctp/sm.h
-+++ b/include/net/sctp/sm.h
-@@ -248,9 +248,9 @@ struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *,
- 					      int, __be16);
- struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc,
- 					     union sctp_addr *addr);
--int sctp_verify_asconf(const struct sctp_association *asoc,
--		       struct sctp_paramhdr *param_hdr, void *chunk_end,
--		       struct sctp_paramhdr **errp);
-+bool sctp_verify_asconf(const struct sctp_association *asoc,
-+			struct sctp_chunk *chunk, bool addr_param_needed,
-+			struct sctp_paramhdr **errp);
- struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
- 				       struct sctp_chunk *asconf);
- int sctp_process_asconf_ack(struct sctp_association *asoc,
-diff --git a/include/trace/events/compaction.h b/include/trace/events/compaction.h
-index 06f544e..c6814b9 100644
---- a/include/trace/events/compaction.h
-+++ b/include/trace/events/compaction.h
-@@ -5,6 +5,7 @@
- #define _TRACE_COMPACTION_H
- 
- #include <linux/types.h>
-+#include <linux/list.h>
- #include <linux/tracepoint.h>
- #include <trace/events/gfpflags.h>
- 
-@@ -47,10 +48,11 @@ DEFINE_EVENT(mm_compaction_isolate_template, mm_compaction_isolate_freepages,
- 
- TRACE_EVENT(mm_compaction_migratepages,
- 
--	TP_PROTO(unsigned long nr_migrated,
--		unsigned long nr_failed),
-+	TP_PROTO(unsigned long nr_all,
-+		int migrate_rc,
-+		struct list_head *migratepages),
- 
--	TP_ARGS(nr_migrated, nr_failed),
-+	TP_ARGS(nr_all, migrate_rc, migratepages),
- 
- 	TP_STRUCT__entry(
- 		__field(unsigned long, nr_migrated)
-@@ -58,7 +60,22 @@ TRACE_EVENT(mm_compaction_migratepages,
- 	),
- 
- 	TP_fast_assign(
--		__entry->nr_migrated = nr_migrated;
-+		unsigned long nr_failed = 0;
-+		struct list_head *page_lru;
-+
-+		/*
-+		 * migrate_pages() returns either a non-negative number
-+		 * with the number of pages that failed migration, or an
-+		 * error code, in which case we need to count the remaining
-+		 * pages manually
-+		 */
-+		if (migrate_rc >= 0)
-+			nr_failed = migrate_rc;
-+		else
-+			list_for_each(page_lru, migratepages)
-+				nr_failed++;
-+
-+		__entry->nr_migrated = nr_all - nr_failed;
- 		__entry->nr_failed = nr_failed;
- 	),
- 
-diff --git a/include/uapi/linux/netfilter/xt_bpf.h b/include/uapi/linux/netfilter/xt_bpf.h
-index 5dda450..2ec9fbc 100644
---- a/include/uapi/linux/netfilter/xt_bpf.h
-+++ b/include/uapi/linux/netfilter/xt_bpf.h
-@@ -6,6 +6,8 @@
- 
- #define XT_BPF_MAX_NUM_INSTR	64
- 
-+struct sk_filter;
-+
- struct xt_bpf_info {
- 	__u16 bpf_program_num_elem;
- 	struct sock_filter bpf_program[XT_BPF_MAX_NUM_INSTR];
-diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
-index 1702864..cadddc8 100644
---- a/ipc/ipc_sysctl.c
-+++ b/ipc/ipc_sysctl.c
-@@ -123,7 +123,6 @@ static int proc_ipcauto_dointvec_minmax(ctl_table *table, int write,
- 	void __user *buffer, size_t *lenp, loff_t *ppos)
- {
- 	struct ctl_table ipc_table;
--	size_t lenp_bef = *lenp;
- 	int oldval;
- 	int rc;
- 
-@@ -133,7 +132,7 @@ static int proc_ipcauto_dointvec_minmax(ctl_table *table, int write,
- 
- 	rc = proc_dointvec_minmax(&ipc_table, write, buffer, lenp, ppos);
- 
--	if (write && !rc && lenp_bef == *lenp) {
-+	if (write && !rc) {
- 		int newval = *((int *)(ipc_table.data));
- 		/*
- 		 * The file "auto_msgmni" has correctly been set.
-diff --git a/kernel/audit.c b/kernel/audit.c
-index 2c0ecd1..b45b2da 100644
---- a/kernel/audit.c
-+++ b/kernel/audit.c
-@@ -687,7 +687,7 @@ static int audit_get_feature(struct sk_buff *skb)
- 
- 	seq = nlmsg_hdr(skb)->nlmsg_seq;
- 
--	audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &af, sizeof(af));
-+	audit_send_reply(skb, seq, AUDIT_GET_FEATURE, 0, 0, &af, sizeof(af));
- 
- 	return 0;
- }
-@@ -702,7 +702,7 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
- 
- 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
- 	audit_log_task_info(ab, current);
--	audit_log_format(ab, "feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
-+	audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
- 			 audit_feature_names[which], !!old_feature, !!new_feature,
- 			 !!old_lock, !!new_lock, res);
- 	audit_log_end(ab);
-diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
-index 135944a..a79db03 100644
---- a/kernel/audit_tree.c
-+++ b/kernel/audit_tree.c
-@@ -154,6 +154,7 @@ static struct audit_chunk *alloc_chunk(int count)
- 		chunk->owners[i].index = i;
- 	}
- 	fsnotify_init_mark(&chunk->mark, audit_tree_destroy_watch);
-+	chunk->mark.mask = FS_IN_IGNORED;
- 	return chunk;
- }
- 
-diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 4ced342f..4bbb27a 100644
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -39,6 +39,7 @@
- #include <linux/hw_breakpoint.h>
- #include <linux/mm_types.h>
- #include <linux/cgroup.h>
-+#include <linux/compat.h>
- 
- #include "internal.h"
- 
-@@ -3693,6 +3694,26 @@ static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- 	return 0;
- }
- 
-+#ifdef CONFIG_COMPAT
-+static long perf_compat_ioctl(struct file *file, unsigned int cmd,
-+				unsigned long arg)
-+{
-+	switch (_IOC_NR(cmd)) {
-+	case _IOC_NR(PERF_EVENT_IOC_SET_FILTER):
-+	case _IOC_NR(PERF_EVENT_IOC_ID):
-+		/* Fix up pointer size (usually 4 -> 8 in 32-on-64-bit case */
-+		if (_IOC_SIZE(cmd) == sizeof(compat_uptr_t)) {
-+			cmd &= ~IOCSIZE_MASK;
-+			cmd |= sizeof(void *) << IOCSIZE_SHIFT;
-+		}
-+		break;
-+	}
-+	return perf_ioctl(file, cmd, arg);
-+}
-+#else
-+# define perf_compat_ioctl NULL
-+#endif
-+
- int perf_event_task_enable(void)
- {
- 	struct perf_event *event;
-@@ -4185,7 +4206,7 @@ static const struct file_operations perf_fops = {
- 	.read			= perf_read,
- 	.poll			= perf_poll,
- 	.unlocked_ioctl		= perf_ioctl,
--	.compat_ioctl		= perf_ioctl,
-+	.compat_ioctl		= perf_compat_ioctl,
- 	.mmap			= perf_mmap,
- 	.fasync			= perf_fasync,
- };
-diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
-index b3d116c..6705d94 100644
---- a/kernel/rcu/tree.c
-+++ b/kernel/rcu/tree.c
-@@ -1228,6 +1228,22 @@ static int rcu_future_gp_cleanup(struct rcu_state *rsp, struct rcu_node *rnp)
- }
- 
- /*
-+ * Awaken the grace-period kthread for the specified flavor of RCU.
-+ * Don't do a self-awaken, and don't bother awakening when there is
-+ * nothing for the grace-period kthread to do (as in several CPUs
-+ * raced to awaken, and we lost), and finally don't try to awaken
-+ * a kthread that has not yet been created.
-+ */
-+static void rcu_gp_kthread_wake(struct rcu_state *rsp)
-+{
-+	if (current == rsp->gp_kthread ||
-+	    !ACCESS_ONCE(rsp->gp_flags) ||
-+	    !rsp->gp_kthread)
-+		return;
-+	wake_up(&rsp->gp_wq);
-+}
-+
-+/*
-  * If there is room, assign a ->completed number to any callbacks on
-  * this CPU that have not already been assigned.  Also accelerate any
-  * callbacks that were previously assigned a ->completed number that has
-@@ -1670,7 +1686,7 @@ static void rsp_wakeup(struct irq_work *work)
- 	struct rcu_state *rsp = container_of(work, struct rcu_state, wakeup_work);
- 
- 	/* Wake up rcu_gp_kthread() to start the grace period. */
--	wake_up(&rsp->gp_wq);
-+	rcu_gp_kthread_wake(rsp);
- }
- 
- /*
-@@ -1746,7 +1762,7 @@ static void rcu_report_qs_rsp(struct rcu_state *rsp, unsigned long flags)
- {
- 	WARN_ON_ONCE(!rcu_gp_in_progress(rsp));
- 	raw_spin_unlock_irqrestore(&rcu_get_root(rsp)->lock, flags);
--	wake_up(&rsp->gp_wq);  /* Memory barrier implied by wake_up() path. */
-+	rcu_gp_kthread_wake(rsp);
- }
- 
- /*
-@@ -2322,7 +2338,7 @@ static void force_quiescent_state(struct rcu_state *rsp)
- 	}
- 	rsp->gp_flags |= RCU_GP_FLAG_FQS;
- 	raw_spin_unlock_irqrestore(&rnp_old->lock, flags);
--	wake_up(&rsp->gp_wq);  /* Memory barrier implied by wake_up() path. */
-+	rcu_gp_kthread_wake(rsp);
- }
- 
- /*
-diff --git a/lib/radix-tree.c b/lib/radix-tree.c
-index bd4a8df..7e30d2a 100644
---- a/lib/radix-tree.c
-+++ b/lib/radix-tree.c
-@@ -946,81 +946,6 @@ next:
- }
- EXPORT_SYMBOL(radix_tree_range_tag_if_tagged);
- 
--
--/**
-- *	radix_tree_next_hole    -    find the next hole (not-present entry)
-- *	@root:		tree root
-- *	@index:		index key
-- *	@max_scan:	maximum range to search
-- *
-- *	Search the set [index, min(index+max_scan-1, MAX_INDEX)] for the lowest
-- *	indexed hole.
-- *
-- *	Returns: the index of the hole if found, otherwise returns an index
-- *	outside of the set specified (in which case 'return - index >= max_scan'
-- *	will be true). In rare cases of index wrap-around, 0 will be returned.
-- *
-- *	radix_tree_next_hole may be called under rcu_read_lock. However, like
-- *	radix_tree_gang_lookup, this will not atomically search a snapshot of
-- *	the tree at a single point in time. For example, if a hole is created
-- *	at index 5, then subsequently a hole is created at index 10,
-- *	radix_tree_next_hole covering both indexes may return 10 if called
-- *	under rcu_read_lock.
-- */
--unsigned long radix_tree_next_hole(struct radix_tree_root *root,
--				unsigned long index, unsigned long max_scan)
--{
--	unsigned long i;
--
--	for (i = 0; i < max_scan; i++) {
--		if (!radix_tree_lookup(root, index))
--			break;
--		index++;
--		if (index == 0)
--			break;
--	}
--
--	return index;
--}
--EXPORT_SYMBOL(radix_tree_next_hole);
--
--/**
-- *	radix_tree_prev_hole    -    find the prev hole (not-present entry)
-- *	@root:		tree root
-- *	@index:		index key
-- *	@max_scan:	maximum range to search
-- *
-- *	Search backwards in the range [max(index-max_scan+1, 0), index]
-- *	for the first hole.
-- *
-- *	Returns: the index of the hole if found, otherwise returns an index
-- *	outside of the set specified (in which case 'index - return >= max_scan'
-- *	will be true). In rare cases of wrap-around, ULONG_MAX will be returned.
-- *
-- *	radix_tree_next_hole may be called under rcu_read_lock. However, like
-- *	radix_tree_gang_lookup, this will not atomically search a snapshot of
-- *	the tree at a single point in time. For example, if a hole is created
-- *	at index 10, then subsequently a hole is created at index 5,
-- *	radix_tree_prev_hole covering both indexes may return 5 if called under
-- *	rcu_read_lock.
-- */
--unsigned long radix_tree_prev_hole(struct radix_tree_root *root,
--				   unsigned long index, unsigned long max_scan)
--{
--	unsigned long i;
--
--	for (i = 0; i < max_scan; i++) {
--		if (!radix_tree_lookup(root, index))
--			break;
--		index--;
--		if (index == ULONG_MAX)
--			break;
--	}
--
--	return index;
--}
--EXPORT_SYMBOL(radix_tree_prev_hole);
--
- /**
-  *	radix_tree_gang_lookup - perform multiple lookup on a radix tree
-  *	@root:		radix tree root
-@@ -1337,15 +1262,18 @@ static inline void radix_tree_shrink(struct radix_tree_root *root)
- }
- 
- /**
-- *	radix_tree_delete    -    delete an item from a radix tree
-+ *	radix_tree_delete_item    -    delete an item from a radix tree
-  *	@root:		radix tree root
-  *	@index:		index key
-+ *	@item:		expected item
-  *
-- *	Remove the item at @index from the radix tree rooted at @root.
-+ *	Remove @item at @index from the radix tree rooted at @root.
-  *
-- *	Returns the address of the deleted item, or NULL if it was not present.
-+ *	Returns the address of the deleted item, or NULL if it was not present
-+ *	or the entry at the given @index was not @item.
-  */
--void *radix_tree_delete(struct radix_tree_root *root, unsigned long index)
-+void *radix_tree_delete_item(struct radix_tree_root *root,
-+			     unsigned long index, void *item)
- {
- 	struct radix_tree_node *node = NULL;
- 	struct radix_tree_node *slot = NULL;
-@@ -1380,6 +1308,11 @@ void *radix_tree_delete(struct radix_tree_root *root, unsigned long index)
- 	if (slot == NULL)
- 		goto out;
- 
-+	if (item && slot != item) {
-+		slot = NULL;
-+		goto out;
-+	}
-+
- 	/*
- 	 * Clear all tags associated with the item to be deleted.
- 	 * This way of doing it would be inefficient, but seldom is any set.
-@@ -1424,6 +1357,21 @@ void *radix_tree_delete(struct radix_tree_root *root, unsigned long index)
- out:
- 	return slot;
- }
-+EXPORT_SYMBOL(radix_tree_delete_item);
-+
-+/**
-+ *	radix_tree_delete    -    delete an item from a radix tree
-+ *	@root:		radix tree root
-+ *	@index:		index key
-+ *
-+ *	Remove the item at @index from the radix tree rooted at @root.
-+ *
-+ *	Returns the address of the deleted item, or NULL if it was not present.
-+ */
-+void *radix_tree_delete(struct radix_tree_root *root, unsigned long index)
-+{
-+	return radix_tree_delete_item(root, index, NULL);
-+}
- EXPORT_SYMBOL(radix_tree_delete);
- 
- /**
-diff --git a/mm/compaction.c b/mm/compaction.c
-index 5e38e57..4229fc2 100644
---- a/mm/compaction.c
-+++ b/mm/compaction.c
-@@ -89,7 +89,8 @@ static void __reset_isolation_suitable(struct zone *zone)
- 	unsigned long end_pfn = zone_end_pfn(zone);
- 	unsigned long pfn;
- 
--	zone->compact_cached_migrate_pfn = start_pfn;
-+	zone->compact_cached_migrate_pfn[0] = start_pfn;
-+	zone->compact_cached_migrate_pfn[1] = start_pfn;
- 	zone->compact_cached_free_pfn = end_pfn;
- 	zone->compact_blockskip_flush = false;
- 
-@@ -131,9 +132,10 @@ void reset_isolation_suitable(pg_data_t *pgdat)
-  */
- static void update_pageblock_skip(struct compact_control *cc,
- 			struct page *page, unsigned long nr_isolated,
--			bool migrate_scanner)
-+			bool set_unsuitable, bool migrate_scanner)
- {
- 	struct zone *zone = cc->zone;
-+	unsigned long pfn;
- 
- 	if (cc->ignore_skip_hint)
- 		return;
-@@ -141,20 +143,32 @@ static void update_pageblock_skip(struct compact_control *cc,
- 	if (!page)
- 		return;
- 
--	if (!nr_isolated) {
--		unsigned long pfn = page_to_pfn(page);
-+	if (nr_isolated)
-+		return;
-+
-+	/*
-+	 * Only skip pageblocks when all forms of compaction will be known to
-+	 * fail in the near future.
-+	 */
-+	if (set_unsuitable)
- 		set_pageblock_skip(page);
- 
--		/* Update where compaction should restart */
--		if (migrate_scanner) {
--			if (!cc->finished_update_migrate &&
--			    pfn > zone->compact_cached_migrate_pfn)
--				zone->compact_cached_migrate_pfn = pfn;
--		} else {
--			if (!cc->finished_update_free &&
--			    pfn < zone->compact_cached_free_pfn)
--				zone->compact_cached_free_pfn = pfn;
--		}
-+	pfn = page_to_pfn(page);
-+
-+	/* Update where async and sync compaction should restart */
-+	if (migrate_scanner) {
-+		if (cc->finished_update_migrate)
-+			return;
-+		if (pfn > zone->compact_cached_migrate_pfn[0])
-+			zone->compact_cached_migrate_pfn[0] = pfn;
-+		if (cc->mode != MIGRATE_ASYNC &&
-+		    pfn > zone->compact_cached_migrate_pfn[1])
-+			zone->compact_cached_migrate_pfn[1] = pfn;
-+	} else {
-+		if (cc->finished_update_free)
-+			return;
-+		if (pfn < zone->compact_cached_free_pfn)
-+			zone->compact_cached_free_pfn = pfn;
- 	}
- }
- #else
-@@ -166,7 +180,7 @@ static inline bool isolation_suitable(struct compact_control *cc,
- 
- static void update_pageblock_skip(struct compact_control *cc,
- 			struct page *page, unsigned long nr_isolated,
--			bool migrate_scanner)
-+			bool set_unsuitable, bool migrate_scanner)
- {
- }
- #endif /* CONFIG_COMPACTION */
-@@ -195,7 +209,7 @@ static bool compact_checklock_irqsave(spinlock_t *lock, unsigned long *flags,
- 		}
- 
- 		/* async aborts if taking too long or contended */
--		if (!cc->sync) {
-+		if (cc->mode == MIGRATE_ASYNC) {
- 			cc->contended = true;
- 			return false;
- 		}
-@@ -208,10 +222,28 @@ static bool compact_checklock_irqsave(spinlock_t *lock, unsigned long *flags,
- 	return true;
- }
- 
--static inline bool compact_trylock_irqsave(spinlock_t *lock,
--			unsigned long *flags, struct compact_control *cc)
-+/*
-+ * Aside from avoiding lock contention, compaction also periodically checks
-+ * need_resched() and either schedules in sync compaction or aborts async
-+ * compaction. This is similar to what compact_checklock_irqsave() does, but
-+ * is used where no lock is concerned.
-+ *
-+ * Returns false when no scheduling was needed, or sync compaction scheduled.
-+ * Returns true when async compaction should abort.
-+ */
-+static inline bool compact_should_abort(struct compact_control *cc)
- {
--	return compact_checklock_irqsave(lock, flags, false, cc);
-+	/* async compaction aborts if contended */
-+	if (need_resched()) {
-+		if (cc->mode == MIGRATE_ASYNC) {
-+			cc->contended = true;
-+			return true;
-+		}
-+
-+		cond_resched();
-+	}
-+
-+	return false;
- }
- 
- /* Returns true if the page is within a block suitable for migration to */
-@@ -329,7 +361,8 @@ isolate_fail:
- 
- 	/* Update the pageblock-skip if the whole pageblock was scanned */
- 	if (blockpfn == end_pfn)
--		update_pageblock_skip(cc, valid_page, total_isolated, false);
-+		update_pageblock_skip(cc, valid_page, total_isolated, true,
-+				      false);
- 
- 	count_compact_events(COMPACTFREE_SCANNED, nr_scanned);
- 	if (total_isolated)
-@@ -464,8 +497,9 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc,
- 	unsigned long flags;
- 	bool locked = false;
- 	struct page *page = NULL, *valid_page = NULL;
--	bool skipped_async_unsuitable = false;
--	const isolate_mode_t mode = (!cc->sync ? ISOLATE_ASYNC_MIGRATE : 0) |
-+	bool set_unsuitable = true;
-+	const isolate_mode_t mode = (cc->mode == MIGRATE_ASYNC ?
-+					ISOLATE_ASYNC_MIGRATE : 0) |
- 				    (unevictable ? ISOLATE_UNEVICTABLE : 0);
- 
- 	/*
-@@ -475,7 +509,7 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc,
- 	 */
- 	while (unlikely(too_many_isolated(zone))) {
- 		/* async migration should just abort */
--		if (!cc->sync)
-+		if (cc->mode == MIGRATE_ASYNC)
- 			return 0;
- 
- 		congestion_wait(BLK_RW_ASYNC, HZ/10);
-@@ -484,8 +518,10 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc,
- 			return 0;
- 	}
- 
-+	if (compact_should_abort(cc))
-+		return 0;
-+
- 	/* Time to isolate some pages for migration */
--	cond_resched();
- 	for (; low_pfn < end_pfn; low_pfn++) {
- 		/* give a chance to irqs before checking need_resched() */
- 		if (locked && !(low_pfn % SWAP_CLUSTER_MAX)) {
-@@ -540,9 +576,9 @@ isolate_migratepages_range(struct zone *zone, struct compact_control *cc,
- 			 * the minimum amount of work satisfies the allocation
- 			 */
- 			mt = get_pageblock_migratetype(page);
--			if (!cc->sync && !migrate_async_suitable(mt)) {
--				cc->finished_update_migrate = true;
--				skipped_async_unsuitable = true;
-+			if (cc->mode == MIGRATE_ASYNC &&
-+			    !migrate_async_suitable(mt)) {
-+				set_unsuitable = false;
- 				goto next_pageblock;
- 			}
- 		}
-@@ -646,11 +682,10 @@ next_pageblock:
- 	/*
- 	 * Update the pageblock-skip information and cached scanner pfn,
- 	 * if the whole pageblock was scanned without isolating any page.
--	 * This is not done when pageblock was skipped due to being unsuitable
--	 * for async compaction, so that eventual sync compaction can try.
- 	 */
--	if (low_pfn == end_pfn && !skipped_async_unsuitable)
--		update_pageblock_skip(cc, valid_page, nr_isolated, true);
-+	if (low_pfn == end_pfn)
-+		update_pageblock_skip(cc, valid_page, nr_isolated,
-+				      set_unsuitable, true);
- 
- 	trace_mm_compaction_isolate_migratepages(nr_scanned, nr_isolated);
- 
-@@ -671,7 +706,9 @@ static void isolate_freepages(struct zone *zone,
- 				struct compact_control *cc)
- {
- 	struct page *page;
--	unsigned long high_pfn, low_pfn, pfn, z_end_pfn;
-+	unsigned long block_start_pfn;	/* start of current pageblock */
-+	unsigned long block_end_pfn;	/* end of current pageblock */
-+	unsigned long low_pfn;	     /* lowest pfn scanner is able to scan */
- 	int nr_freepages = cc->nr_freepages;
- 	struct list_head *freelist = &cc->freepages;
- 
-@@ -679,41 +716,38 @@ static void isolate_freepages(struct zone *zone,
- 	 * Initialise the free scanner. The starting point is where we last
- 	 * successfully isolated from, zone-cached value, or the end of the
- 	 * zone when isolating for the first time. We need this aligned to
--	 * the pageblock boundary, because we do pfn -= pageblock_nr_pages
--	 * in the for loop.
-+	 * the pageblock boundary, because we do
-+	 * block_start_pfn -= pageblock_nr_pages in the for loop.
-+	 * For ending point, take care when isolating in last pageblock of a
-+	 * a zone which ends in the middle of a pageblock.
- 	 * The low boundary is the end of the pageblock the migration scanner
- 	 * is using.
- 	 */
--	pfn = cc->free_pfn & ~(pageblock_nr_pages-1);
-+	block_start_pfn = cc->free_pfn & ~(pageblock_nr_pages-1);
-+	block_end_pfn = min(block_start_pfn + pageblock_nr_pages,
-+						zone_end_pfn(zone));
- 	low_pfn = ALIGN(cc->migrate_pfn + 1, pageblock_nr_pages);
- 
- 	/*
--	 * Take care that if the migration scanner is at the end of the zone
--	 * that the free scanner does not accidentally move to the next zone
--	 * in the next isolation cycle.
--	 */
--	high_pfn = min(low_pfn, pfn);
--
--	z_end_pfn = zone_end_pfn(zone);
--
--	/*
- 	 * Isolate free pages until enough are available to migrate the
- 	 * pages on cc->migratepages. We stop searching if the migrate
- 	 * and free page scanners meet or enough free pages are isolated.
- 	 */
--	for (; pfn >= low_pfn && cc->nr_migratepages > nr_freepages;
--					pfn -= pageblock_nr_pages) {
-+	for (; block_start_pfn >= low_pfn && cc->nr_migratepages > nr_freepages;
-+				block_end_pfn = block_start_pfn,
-+				block_start_pfn -= pageblock_nr_pages) {
- 		unsigned long isolated;
--		unsigned long end_pfn;
- 
- 		/*
- 		 * This can iterate a massively long zone without finding any
- 		 * suitable migration targets, so periodically check if we need
--		 * to schedule.
-+		 * to schedule, or even abort async compaction.
- 		 */
--		cond_resched();
-+		if (!(block_start_pfn % (SWAP_CLUSTER_MAX * pageblock_nr_pages))
-+						&& compact_should_abort(cc))
-+			break;
- 
--		if (!pfn_valid(pfn))
-+		if (!pfn_valid(block_start_pfn))
- 			continue;
- 
- 		/*
-@@ -723,7 +757,7 @@ static void isolate_freepages(struct zone *zone,
- 		 * i.e. it's possible that all pages within a zones range of
- 		 * pages do not belong to a single zone.
- 		 */
--		page = pfn_to_page(pfn);
-+		page = pfn_to_page(block_start_pfn);
- 		if (page_zone(page) != zone)
- 			continue;
- 
-@@ -736,26 +770,26 @@ static void isolate_freepages(struct zone *zone,
- 			continue;
- 
- 		/* Found a block suitable for isolating free pages from */
--		isolated = 0;
-+		cc->free_pfn = block_start_pfn;
-+		isolated = isolate_freepages_block(cc, block_start_pfn,
-+					block_end_pfn, freelist, false);
-+		nr_freepages += isolated;
- 
- 		/*
--		 * Take care when isolating in last pageblock of a zone which
--		 * ends in the middle of a pageblock.
-+		 * Set a flag that we successfully isolated in this pageblock.
-+		 * In the next loop iteration, zone->compact_cached_free_pfn
-+		 * will not be updated and thus it will effectively contain the
-+		 * highest pageblock we isolated pages from.
- 		 */
--		end_pfn = min(pfn + pageblock_nr_pages, z_end_pfn);
--		isolated = isolate_freepages_block(cc, pfn, end_pfn,
--						   freelist, false);
--		nr_freepages += isolated;
-+		if (isolated)
-+			cc->finished_update_free = true;
- 
- 		/*
--		 * Record the highest PFN we isolated pages from. When next
--		 * looking for free pages, the search will restart here as
--		 * page migration may have returned some pages to the allocator
-+		 * isolate_freepages_block() might have aborted due to async
-+		 * compaction being contended
- 		 */
--		if (isolated) {
--			cc->finished_update_free = true;
--			high_pfn = max(high_pfn, pfn);
--		}
-+		if (cc->contended)
-+			break;
- 	}
- 
- 	/* split_free_page does not map the pages */
-@@ -765,10 +799,9 @@ static void isolate_freepages(struct zone *zone,
- 	 * If we crossed the migrate scanner, we want to keep it that way
- 	 * so that compact_finished() may detect this
- 	 */
--	if (pfn < low_pfn)
--		cc->free_pfn = max(pfn, zone->zone_start_pfn);
--	else
--		cc->free_pfn = high_pfn;
-+	if (block_start_pfn < low_pfn)
-+		cc->free_pfn = cc->migrate_pfn;
-+
- 	cc->nr_freepages = nr_freepages;
- }
- 
-@@ -783,9 +816,13 @@ static struct page *compaction_alloc(struct page *migratepage,
- 	struct compact_control *cc = (struct compact_control *)data;
- 	struct page *freepage;
- 
--	/* Isolate free pages if necessary */
-+	/*
-+	 * Isolate free pages if necessary, and if we are not aborting due to
-+	 * contention.
-+	 */
- 	if (list_empty(&cc->freepages)) {
--		isolate_freepages(cc->zone, cc);
-+		if (!cc->contended)
-+			isolate_freepages(cc->zone, cc);
- 
- 		if (list_empty(&cc->freepages))
- 			return NULL;
-@@ -799,23 +836,16 @@ static struct page *compaction_alloc(struct page *migratepage,
- }
- 
- /*
-- * We cannot control nr_migratepages and nr_freepages fully when migration is
-- * running as migrate_pages() has no knowledge of compact_control. When
-- * migration is complete, we count the number of pages on the lists by hand.
-+ * This is a migrate-callback that "frees" freepages back to the isolated
-+ * freelist.  All pages on the freelist are from the same zone, so there is no
-+ * special handling needed for NUMA.
-  */
--static void update_nr_listpages(struct compact_control *cc)
-+static void compaction_free(struct page *page, unsigned long data)
- {
--	int nr_migratepages = 0;
--	int nr_freepages = 0;
--	struct page *page;
--
--	list_for_each_entry(page, &cc->migratepages, lru)
--		nr_migratepages++;
--	list_for_each_entry(page, &cc->freepages, lru)
--		nr_freepages++;
-+	struct compact_control *cc = (struct compact_control *)data;
- 
--	cc->nr_migratepages = nr_migratepages;
--	cc->nr_freepages = nr_freepages;
-+	list_add(&page->lru, &cc->freepages);
-+	cc->nr_freepages++;
- }
- 
- /* possible outcome of isolate_migratepages */
-@@ -862,13 +892,14 @@ static int compact_finished(struct zone *zone,
- 	unsigned int order;
- 	unsigned long watermark;
- 
--	if (fatal_signal_pending(current))
-+	if (cc->contended || fatal_signal_pending(current))
- 		return COMPACT_PARTIAL;
- 
- 	/* Compaction run completes if the migrate and free scanner meet */
- 	if (cc->free_pfn <= cc->migrate_pfn) {
- 		/* Let the next compaction start anew. */
--		zone->compact_cached_migrate_pfn = zone->zone_start_pfn;
-+		zone->compact_cached_migrate_pfn[0] = zone->zone_start_pfn;
-+		zone->compact_cached_migrate_pfn[1] = zone->zone_start_pfn;
- 		zone->compact_cached_free_pfn = zone_end_pfn(zone);
- 
- 		/*
-@@ -968,6 +999,7 @@ static int compact_zone(struct zone *zone, struct compact_control *cc)
- 	int ret;
- 	unsigned long start_pfn = zone->zone_start_pfn;
- 	unsigned long end_pfn = zone_end_pfn(zone);
-+	const bool sync = cc->mode != MIGRATE_ASYNC;
- 
- 	ret = compaction_suitable(zone, cc->order);
- 	switch (ret) {
-@@ -993,7 +1025,7 @@ static int compact_zone(struct zone *zone, struct compact_control *cc)
- 	 * information on where the scanners should start but check that it
- 	 * is initialised by ensuring the values are within zone boundaries.
- 	 */
--	cc->migrate_pfn = zone->compact_cached_migrate_pfn;
-+	cc->migrate_pfn = zone->compact_cached_migrate_pfn[sync];
- 	cc->free_pfn = zone->compact_cached_free_pfn;
- 	if (cc->free_pfn < start_pfn || cc->free_pfn > end_pfn) {
- 		cc->free_pfn = end_pfn & ~(pageblock_nr_pages-1);
-@@ -1001,7 +1033,8 @@ static int compact_zone(struct zone *zone, struct compact_control *cc)
- 	}
- 	if (cc->migrate_pfn < start_pfn || cc->migrate_pfn > end_pfn) {
- 		cc->migrate_pfn = start_pfn;
--		zone->compact_cached_migrate_pfn = cc->migrate_pfn;
-+		zone->compact_cached_migrate_pfn[0] = cc->migrate_pfn;
-+		zone->compact_cached_migrate_pfn[1] = cc->migrate_pfn;
- 	}
- 
- 	trace_mm_compaction_begin(start_pfn, cc->migrate_pfn, cc->free_pfn, end_pfn);
-@@ -1009,7 +1042,6 @@ static int compact_zone(struct zone *zone, struct compact_control *cc)
- 	migrate_prep_local();
- 
- 	while ((ret = compact_finished(zone, cc)) == COMPACT_CONTINUE) {
--		unsigned long nr_migrate, nr_remaining;
- 		int err;
- 
- 		switch (isolate_migratepages(zone, cc)) {
-@@ -1024,21 +1056,20 @@ static int compact_zone(struct zone *zone, struct compact_control *cc)
- 			;
- 		}
- 
--		nr_migrate = cc->nr_migratepages;
-+		if (!cc->nr_migratepages)
-+			continue;
-+
- 		err = migrate_pages(&cc->migratepages, compaction_alloc,
--				(unsigned long)cc,
--				cc->sync ? MIGRATE_SYNC_LIGHT : MIGRATE_ASYNC,
-+				compaction_free, (unsigned long)cc, cc->mode,
- 				MR_COMPACTION);
--		update_nr_listpages(cc);
--		nr_remaining = cc->nr_migratepages;
- 
--		trace_mm_compaction_migratepages(nr_migrate - nr_remaining,
--						nr_remaining);
-+		trace_mm_compaction_migratepages(cc->nr_migratepages, err,
-+							&cc->migratepages);
- 
--		/* Release isolated pages not migrated */
-+		/* All pages were either migrated or will be released */
-+		cc->nr_migratepages = 0;
- 		if (err) {
- 			putback_movable_pages(&cc->migratepages);
--			cc->nr_migratepages = 0;
- 			/*
- 			 * migrate_pages() may return -ENOMEM when scanners meet
- 			 * and we want compact_finished() to detect it
-@@ -1060,9 +1091,8 @@ out:
- 	return ret;
- }
- 
--static unsigned long compact_zone_order(struct zone *zone,
--				 int order, gfp_t gfp_mask,
--				 bool sync, bool *contended)
-+static unsigned long compact_zone_order(struct zone *zone, int order,
-+		gfp_t gfp_mask, enum migrate_mode mode, bool *contended)
- {
- 	unsigned long ret;
- 	struct compact_control cc = {
-@@ -1071,7 +1101,7 @@ static unsigned long compact_zone_order(struct zone *zone,
- 		.order = order,
- 		.migratetype = allocflags_to_migratetype(gfp_mask),
- 		.zone = zone,
--		.sync = sync,
-+		.mode = mode,
- 	};
- 	INIT_LIST_HEAD(&cc.freepages);
- 	INIT_LIST_HEAD(&cc.migratepages);
-@@ -1093,7 +1123,7 @@ int sysctl_extfrag_threshold = 500;
-  * @order: The order of the current allocation
-  * @gfp_mask: The GFP mask of the current allocation
-  * @nodemask: The allowed nodes to allocate from
-- * @sync: Whether migration is synchronous or not
-+ * @mode: The migration mode for async, sync light, or sync migration
-  * @contended: Return value that is true if compaction was aborted due to lock contention
-  * @page: Optionally capture a free page of the requested order during compaction
-  *
-@@ -1101,7 +1131,7 @@ int sysctl_extfrag_threshold = 500;
-  */
- unsigned long try_to_compact_pages(struct zonelist *zonelist,
- 			int order, gfp_t gfp_mask, nodemask_t *nodemask,
--			bool sync, bool *contended)
-+			enum migrate_mode mode, bool *contended)
- {
- 	enum zone_type high_zoneidx = gfp_zone(gfp_mask);
- 	int may_enter_fs = gfp_mask & __GFP_FS;
-@@ -1126,7 +1156,7 @@ unsigned long try_to_compact_pages(struct zonelist *zonelist,
- 								nodemask) {
- 		int status;
- 
--		status = compact_zone_order(zone, order, gfp_mask, sync,
-+		status = compact_zone_order(zone, order, gfp_mask, mode,
- 						contended);
- 		rc = max(status, rc);
- 
-@@ -1165,9 +1195,6 @@ static void __compact_pgdat(pg_data_t *pgdat, struct compact_control *cc)
- 			if (zone_watermark_ok(zone, cc->order,
- 						low_wmark_pages(zone), 0, 0))
- 				compaction_defer_reset(zone, cc->order, false);
--			/* Currently async compaction is never deferred. */
--			else if (cc->sync)
--				defer_compaction(zone, cc->order);
- 		}
- 
- 		VM_BUG_ON(!list_empty(&cc->freepages));
-@@ -1179,7 +1206,7 @@ void compact_pgdat(pg_data_t *pgdat, int order)
- {
- 	struct compact_control cc = {
- 		.order = order,
--		.sync = false,
-+		.mode = MIGRATE_ASYNC,
- 	};
- 
- 	if (!order)
-@@ -1192,7 +1219,7 @@ static void compact_node(int nid)
- {
- 	struct compact_control cc = {
- 		.order = -1,
--		.sync = true,
-+		.mode = MIGRATE_SYNC,
- 		.ignore_skip_hint = true,
- 	};
- 
-diff --git a/mm/filemap.c b/mm/filemap.c
-index c2cc7c9..bdaa215 100644
---- a/mm/filemap.c
-+++ b/mm/filemap.c
-@@ -448,6 +448,29 @@ int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask)
- }
- EXPORT_SYMBOL_GPL(replace_page_cache_page);
- 
-+static int page_cache_tree_insert(struct address_space *mapping,
-+				  struct page *page)
-+{
-+	void **slot;
-+	int error;
-+
-+	slot = radix_tree_lookup_slot(&mapping->page_tree, page->index);
-+	if (slot) {
-+		void *p;
-+
-+		p = radix_tree_deref_slot_protected(slot, &mapping->tree_lock);
-+		if (!radix_tree_exceptional_entry(p))
-+			return -EEXIST;
-+		radix_tree_replace_slot(slot, page);
-+		mapping->nrpages++;
-+		return 0;
-+	}
-+	error = radix_tree_insert(&mapping->page_tree, page->index, page);
-+	if (!error)
-+		mapping->nrpages++;
-+	return error;
-+}
-+
- /**
-  * add_to_page_cache_locked - add a locked page to the pagecache
-  * @page:	page to add
-@@ -482,11 +505,10 @@ int add_to_page_cache_locked(struct page *page, struct address_space *mapping,
- 	page->index = offset;
- 
- 	spin_lock_irq(&mapping->tree_lock);
--	error = radix_tree_insert(&mapping->page_tree, offset, page);
-+	error = page_cache_tree_insert(mapping, page);
- 	radix_tree_preload_end();
- 	if (unlikely(error))
- 		goto err_insert;
--	mapping->nrpages++;
- 	__inc_zone_page_state(page, NR_FILE_PAGES);
- 	spin_unlock_irq(&mapping->tree_lock);
- 	trace_mm_filemap_add_to_page_cache(page);
-@@ -688,14 +710,101 @@ int __lock_page_or_retry(struct page *page, struct mm_struct *mm,
- }
- 
- /**
-- * find_get_page - find and get a page reference
-+ * page_cache_next_hole - find the next hole (not-present entry)
-+ * @mapping: mapping
-+ * @index: index
-+ * @max_scan: maximum range to search
-+ *
-+ * Search the set [index, min(index+max_scan-1, MAX_INDEX)] for the
-+ * lowest indexed hole.
-+ *
-+ * Returns: the index of the hole if found, otherwise returns an index
-+ * outside of the set specified (in which case 'return - index >=
-+ * max_scan' will be true). In rare cases of index wrap-around, 0 will
-+ * be returned.
-+ *
-+ * page_cache_next_hole may be called under rcu_read_lock. However,
-+ * like radix_tree_gang_lookup, this will not atomically search a
-+ * snapshot of the tree at a single point in time. For example, if a
-+ * hole is created at index 5, then subsequently a hole is created at
-+ * index 10, page_cache_next_hole covering both indexes may return 10
-+ * if called under rcu_read_lock.
-+ */
-+pgoff_t page_cache_next_hole(struct address_space *mapping,
-+			     pgoff_t index, unsigned long max_scan)
-+{
-+	unsigned long i;
-+
-+	for (i = 0; i < max_scan; i++) {
-+		struct page *page;
-+
-+		page = radix_tree_lookup(&mapping->page_tree, index);
-+		if (!page || radix_tree_exceptional_entry(page))
-+			break;
-+		index++;
-+		if (index == 0)
-+			break;
-+	}
-+
-+	return index;
-+}
-+EXPORT_SYMBOL(page_cache_next_hole);
-+
-+/**
-+ * page_cache_prev_hole - find the prev hole (not-present entry)
-+ * @mapping: mapping
-+ * @index: index
-+ * @max_scan: maximum range to search
-+ *
-+ * Search backwards in the range [max(index-max_scan+1, 0), index] for
-+ * the first hole.
-+ *
-+ * Returns: the index of the hole if found, otherwise returns an index
-+ * outside of the set specified (in which case 'index - return >=
-+ * max_scan' will be true). In rare cases of wrap-around, ULONG_MAX
-+ * will be returned.
-+ *
-+ * page_cache_prev_hole may be called under rcu_read_lock. However,
-+ * like radix_tree_gang_lookup, this will not atomically search a
-+ * snapshot of the tree at a single point in time. For example, if a
-+ * hole is created at index 10, then subsequently a hole is created at
-+ * index 5, page_cache_prev_hole covering both indexes may return 5 if
-+ * called under rcu_read_lock.
-+ */
-+pgoff_t page_cache_prev_hole(struct address_space *mapping,
-+			     pgoff_t index, unsigned long max_scan)
-+{
-+	unsigned long i;
-+
-+	for (i = 0; i < max_scan; i++) {
-+		struct page *page;
-+
-+		page = radix_tree_lookup(&mapping->page_tree, index);
-+		if (!page || radix_tree_exceptional_entry(page))
-+			break;
-+		index--;
-+		if (index == ULONG_MAX)
-+			break;
-+	}
-+
-+	return index;
-+}
-+EXPORT_SYMBOL(page_cache_prev_hole);
-+
-+/**
-+ * find_get_entry - find and get a page cache entry
-  * @mapping: the address_space to search
-- * @offset: the page index
-+ * @offset: the page cache index
-  *
-- * Is there a pagecache struct page at the given (mapping, offset) tuple?
-- * If yes, increment its refcount and return it; if no, return NULL.
-+ * Looks up the page cache slot at @mapping & @offset.  If there is a
-+ * page cache page, it is returned with an increased refcount.
-+ *
-+ * If the slot holds a shadow entry of a previously evicted page, it
-+ * is returned.
-+ *
-+ * Otherwise, %NULL is returned.
-  */
--struct page *find_get_page(struct address_space *mapping, pgoff_t offset)
-+struct page *find_get_entry(struct address_space *mapping, pgoff_t offset)
- {
- 	void **pagep;
- 	struct page *page;
-@@ -736,24 +845,50 @@ out:
- 
- 	return page;
- }
--EXPORT_SYMBOL(find_get_page);
-+EXPORT_SYMBOL(find_get_entry);
- 
- /**
-- * find_lock_page - locate, pin and lock a pagecache page
-+ * find_get_page - find and get a page reference
-  * @mapping: the address_space to search
-  * @offset: the page index
-  *
-- * Locates the desired pagecache page, locks it, increments its reference
-- * count and returns its address.
-+ * Looks up the page cache slot at @mapping & @offset.  If there is a
-+ * page cache page, it is returned with an increased refcount.
-  *
-- * Returns zero if the page was not present. find_lock_page() may sleep.
-+ * Otherwise, %NULL is returned.
-  */
--struct page *find_lock_page(struct address_space *mapping, pgoff_t offset)
-+struct page *find_get_page(struct address_space *mapping, pgoff_t offset)
-+{
-+	struct page *page = find_get_entry(mapping, offset);
-+
-+	if (radix_tree_exceptional_entry(page))
-+		page = NULL;
-+	return page;
-+}
-+EXPORT_SYMBOL(find_get_page);
-+
-+/**
-+ * find_lock_entry - locate, pin and lock a page cache entry
-+ * @mapping: the address_space to search
-+ * @offset: the page cache index
-+ *
-+ * Looks up the page cache slot at @mapping & @offset.  If there is a
-+ * page cache page, it is returned locked and with an increased
-+ * refcount.
-+ *
-+ * If the slot holds a shadow entry of a previously evicted page, it
-+ * is returned.
-+ *
-+ * Otherwise, %NULL is returned.
-+ *
-+ * find_lock_entry() may sleep.
-+ */
-+struct page *find_lock_entry(struct address_space *mapping, pgoff_t offset)
- {
- 	struct page *page;
- 
- repeat:
--	page = find_get_page(mapping, offset);
-+	page = find_get_entry(mapping, offset);
- 	if (page && !radix_tree_exception(page)) {
- 		lock_page(page);
- 		/* Has the page been truncated? */
-@@ -766,6 +901,29 @@ repeat:
- 	}
- 	return page;
- }
-+EXPORT_SYMBOL(find_lock_entry);
-+
-+/**
-+ * find_lock_page - locate, pin and lock a pagecache page
-+ * @mapping: the address_space to search
-+ * @offset: the page index
-+ *
-+ * Looks up the page cache slot at @mapping & @offset.  If there is a
-+ * page cache page, it is returned locked and with an increased
-+ * refcount.
-+ *
-+ * Otherwise, %NULL is returned.
-+ *
-+ * find_lock_page() may sleep.
-+ */
-+struct page *find_lock_page(struct address_space *mapping, pgoff_t offset)
-+{
-+	struct page *page = find_lock_entry(mapping, offset);
-+
-+	if (radix_tree_exceptional_entry(page))
-+		page = NULL;
-+	return page;
-+}
- EXPORT_SYMBOL(find_lock_page);
- 
- /**
-@@ -774,16 +932,18 @@ EXPORT_SYMBOL(find_lock_page);
-  * @index: the page's index into the mapping
-  * @gfp_mask: page allocation mode
-  *
-- * Locates a page in the pagecache.  If the page is not present, a new page
-- * is allocated using @gfp_mask and is added to the pagecache and to the VM's
-- * LRU list.  The returned page is locked and has its reference count
-- * incremented.
-+ * Looks up the page cache slot at @mapping & @offset.  If there is a
-+ * page cache page, it is returned locked and with an increased
-+ * refcount.
-+ *
-+ * If the page is not present, a new page is allocated using @gfp_mask
-+ * and added to the page cache and the VM's LRU list.  The page is
-+ * returned locked and with an increased refcount.
-  *
-- * find_or_create_page() may sleep, even if @gfp_flags specifies an atomic
-- * allocation!
-+ * On memory exhaustion, %NULL is returned.
-  *
-- * find_or_create_page() returns the desired page's address, or zero on
-- * memory exhaustion.
-+ * find_or_create_page() may sleep, even if @gfp_flags specifies an
-+ * atomic allocation!
-  */
- struct page *find_or_create_page(struct address_space *mapping,
- 		pgoff_t index, gfp_t gfp_mask)
-@@ -816,6 +976,76 @@ repeat:
- EXPORT_SYMBOL(find_or_create_page);
- 
- /**
-+ * find_get_entries - gang pagecache lookup
-+ * @mapping:	The address_space to search
-+ * @start:	The starting page cache index
-+ * @nr_entries:	The maximum number of entries
-+ * @entries:	Where the resulting entries are placed
-+ * @indices:	The cache indices corresponding to the entries in @entries
-+ *
-+ * find_get_entries() will search for and return a group of up to
-+ * @nr_entries entries in the mapping.  The entries are placed at
-+ * @entries.  find_get_entries() takes a reference against any actual
-+ * pages it returns.
-+ *
-+ * The search returns a group of mapping-contiguous page cache entries
-+ * with ascending indexes.  There may be holes in the indices due to
-+ * not-present pages.
-+ *
-+ * Any shadow entries of evicted pages are included in the returned
-+ * array.
-+ *
-+ * find_get_entries() returns the number of pages and shadow entries
-+ * which were found.
-+ */
-+unsigned find_get_entries(struct address_space *mapping,
-+			  pgoff_t start, unsigned int nr_entries,
-+			  struct page **entries, pgoff_t *indices)
-+{
-+	void **slot;
-+	unsigned int ret = 0;
-+	struct radix_tree_iter iter;
-+
-+	if (!nr_entries)
-+		return 0;
-+
-+	rcu_read_lock();
-+restart:
-+	radix_tree_for_each_slot(slot, &mapping->page_tree, &iter, start) {
-+		struct page *page;
-+repeat:
-+		page = radix_tree_deref_slot(slot);
-+		if (unlikely(!page))
-+			continue;
-+		if (radix_tree_exception(page)) {
-+			if (radix_tree_deref_retry(page))
-+				goto restart;
-+			/*
-+			 * Otherwise, we must be storing a swap entry
-+			 * here as an exceptional entry: so return it
-+			 * without attempting to raise page count.
-+			 */
-+			goto export;
-+		}
-+		if (!page_cache_get_speculative(page))
-+			goto repeat;
-+
-+		/* Has the page moved? */
-+		if (unlikely(page != *slot)) {
-+			page_cache_release(page);
-+			goto repeat;
-+		}
-+export:
-+		indices[ret] = iter.index;
-+		entries[ret] = page;
-+		if (++ret == nr_entries)
-+			break;
-+	}
-+	rcu_read_unlock();
-+	return ret;
-+}
-+
-+/**
-  * find_get_pages - gang pagecache lookup
-  * @mapping:	The address_space to search
-  * @start:	The starting page index
-@@ -1797,6 +2027,18 @@ int generic_file_readonly_mmap(struct file * file, struct vm_area_struct * vma)
- EXPORT_SYMBOL(generic_file_mmap);
- EXPORT_SYMBOL(generic_file_readonly_mmap);
- 
-+static struct page *wait_on_page_read(struct page *page)
-+{
-+	if (!IS_ERR(page)) {
-+		wait_on_page_locked(page);
-+		if (!PageUptodate(page)) {
-+			page_cache_release(page);
-+			page = ERR_PTR(-EIO);
-+		}
-+	}
-+	return page;
-+}
-+
- static struct page *__read_cache_page(struct address_space *mapping,
- 				pgoff_t index,
- 				int (*filler)(void *, struct page *),
-@@ -1823,6 +2065,8 @@ repeat:
- 		if (err < 0) {
- 			page_cache_release(page);
- 			page = ERR_PTR(err);
-+		} else {
-+			page = wait_on_page_read(page);
- 		}
- 	}
- 	return page;
-@@ -1859,6 +2103,10 @@ retry:
- 	if (err < 0) {
- 		page_cache_release(page);
- 		return ERR_PTR(err);
-+	} else {
-+		page = wait_on_page_read(page);
-+		if (IS_ERR(page))
-+			return page;
- 	}
- out:
- 	mark_page_accessed(page);
-@@ -1866,40 +2114,25 @@ out:
- }
- 
- /**
-- * read_cache_page_async - read into page cache, fill it if needed
-+ * read_cache_page - read into page cache, fill it if needed
-  * @mapping:	the page's address_space
-  * @index:	the page index
-  * @filler:	function to perform the read
-  * @data:	first arg to filler(data, page) function, often left as NULL
-  *
-- * Same as read_cache_page, but don't wait for page to become unlocked
-- * after submitting it to the filler.
-- *
-  * Read into the page cache. If a page already exists, and PageUptodate() is
-- * not set, try to fill the page but don't wait for it to become unlocked.
-+ * not set, try to fill the page and wait for it to become unlocked.
-  *
-  * If the page does not get brought uptodate, return -EIO.
-  */
--struct page *read_cache_page_async(struct address_space *mapping,
-+struct page *read_cache_page(struct address_space *mapping,
- 				pgoff_t index,
- 				int (*filler)(void *, struct page *),
- 				void *data)
- {
- 	return do_read_cache_page(mapping, index, filler, data, mapping_gfp_mask(mapping));
- }
--EXPORT_SYMBOL(read_cache_page_async);
--
--static struct page *wait_on_page_read(struct page *page)
--{
--	if (!IS_ERR(page)) {
--		wait_on_page_locked(page);
--		if (!PageUptodate(page)) {
--			page_cache_release(page);
--			page = ERR_PTR(-EIO);
--		}
--	}
--	return page;
--}
-+EXPORT_SYMBOL(read_cache_page);
- 
- /**
-  * read_cache_page_gfp - read into page cache, using specified page allocation flags.
-@@ -1918,31 +2151,10 @@ struct page *read_cache_page_gfp(struct address_space *mapping,
- {
- 	filler_t *filler = (filler_t *)mapping->a_ops->readpage;
- 
--	return wait_on_page_read(do_read_cache_page(mapping, index, filler, NULL, gfp));
-+	return do_read_cache_page(mapping, index, filler, NULL, gfp);
- }
- EXPORT_SYMBOL(read_cache_page_gfp);
- 
--/**
-- * read_cache_page - read into page cache, fill it if needed
-- * @mapping:	the page's address_space
-- * @index:	the page index
-- * @filler:	function to perform the read
-- * @data:	first arg to filler(data, page) function, often left as NULL
-- *
-- * Read into the page cache. If a page already exists, and PageUptodate() is
-- * not set, try to fill the page then wait for it to become unlocked.
-- *
-- * If the page does not get brought uptodate, return -EIO.
-- */
--struct page *read_cache_page(struct address_space *mapping,
--				pgoff_t index,
--				int (*filler)(void *, struct page *),
--				void *data)
--{
--	return wait_on_page_read(read_cache_page_async(mapping, index, filler, data));
--}
--EXPORT_SYMBOL(read_cache_page);
--
- static size_t __iovec_copy_from_user_inatomic(char *vaddr,
- 			const struct iovec *iov, size_t base, size_t bytes)
- {
-@@ -1976,7 +2188,6 @@ size_t iov_iter_copy_from_user_atomic(struct page *page,
- 	char *kaddr;
- 	size_t copied;
- 
--	BUG_ON(!in_atomic());
- 	kaddr = kmap_atomic(page);
- 	if (likely(i->nr_segs == 1)) {
- 		int left;
-@@ -2350,9 +2561,7 @@ again:
- 		if (mapping_writably_mapped(mapping))
- 			flush_dcache_page(page);
- 
--		pagefault_disable();
- 		copied = iov_iter_copy_from_user_atomic(page, i, offset, bytes);
--		pagefault_enable();
- 		flush_dcache_page(page);
- 
- 		mark_page_accessed(page);
-diff --git a/mm/internal.h b/mm/internal.h
-index 3e91000..1a8a0d4 100644
---- a/mm/internal.h
-+++ b/mm/internal.h
-@@ -11,6 +11,7 @@
- #ifndef __MM_INTERNAL_H
- #define __MM_INTERNAL_H
- 
-+#include <linux/fs.h>
- #include <linux/mm.h>
- 
- void free_pgtables(struct mmu_gather *tlb, struct vm_area_struct *start_vma,
-@@ -21,6 +22,20 @@ static inline void set_page_count(struct page *page, int v)
- 	atomic_set(&page->_count, v);
- }
- 
-+extern int __do_page_cache_readahead(struct address_space *mapping,
-+		struct file *filp, pgoff_t offset, unsigned long nr_to_read,
-+		unsigned long lookahead_size);
-+
-+/*
-+ * Submit IO for the read-ahead request in file_ra_state.
-+ */
-+static inline unsigned long ra_submit(struct file_ra_state *ra,
-+		struct address_space *mapping, struct file *filp)
-+{
-+	return __do_page_cache_readahead(mapping, filp,
-+					ra->start, ra->size, ra->async_size);
-+}
-+
- /*
-  * Turn a non-refcounted page (->_count == 0) into refcounted with
-  * a count of one.
-@@ -119,7 +134,7 @@ struct compact_control {
- 	unsigned long nr_migratepages;	/* Number of pages to migrate */
- 	unsigned long free_pfn;		/* isolate_freepages search base */
- 	unsigned long migrate_pfn;	/* isolate_migratepages search base */
--	bool sync;			/* Synchronous migration */
-+	enum migrate_mode mode;		/* Async or sync migration mode */
- 	bool ignore_skip_hint;		/* Scan blocks even if marked skip */
- 	bool finished_update_free;	/* True when the zone cached pfns are
- 					 * no longer being updated
-@@ -129,7 +144,10 @@ struct compact_control {
- 	int order;			/* order a direct compactor needs */
- 	int migratetype;		/* MOVABLE, RECLAIMABLE etc */
- 	struct zone *zone;
--	bool contended;			/* True if a lock was contended */
-+	bool contended;			/* True if a lock was contended, or
-+					 * need_resched() true during async
-+					 * compaction
-+					 */
- };
- 
- unsigned long
-diff --git a/mm/madvise.c b/mm/madvise.c
-index 539eeb9..a402f8f 100644
---- a/mm/madvise.c
-+++ b/mm/madvise.c
-@@ -195,7 +195,7 @@ static void force_shm_swapin_readahead(struct vm_area_struct *vma,
- 	for (; start < end; start += PAGE_SIZE) {
- 		index = ((start - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
- 
--		page = find_get_page(mapping, index);
-+		page = find_get_entry(mapping, index);
- 		if (!radix_tree_exceptional_entry(page)) {
- 			if (page)
- 				page_cache_release(page);
-diff --git a/mm/memory-failure.c b/mm/memory-failure.c
-index 33365e9..a98c7fc 100644
---- a/mm/memory-failure.c
-+++ b/mm/memory-failure.c
-@@ -1540,7 +1540,7 @@ static int soft_offline_huge_page(struct page *page, int flags)
- 
- 	/* Keep page count to indicate a given hugepage is isolated. */
- 	list_move(&hpage->lru, &pagelist);
--	ret = migrate_pages(&pagelist, new_page, MPOL_MF_MOVE_ALL,
-+	ret = migrate_pages(&pagelist, new_page, NULL, MPOL_MF_MOVE_ALL,
- 				MIGRATE_SYNC, MR_MEMORY_FAILURE);
- 	if (ret) {
- 		pr_info("soft offline: %#lx: migration failed %d, type %lx\n",
-@@ -1621,7 +1621,7 @@ static int __soft_offline_page(struct page *page, int flags)
- 		inc_zone_page_state(page, NR_ISOLATED_ANON +
- 					page_is_file_cache(page));
- 		list_add(&page->lru, &pagelist);
--		ret = migrate_pages(&pagelist, new_page, MPOL_MF_MOVE_ALL,
-+		ret = migrate_pages(&pagelist, new_page, NULL, MPOL_MF_MOVE_ALL,
- 					MIGRATE_SYNC, MR_MEMORY_FAILURE);
- 		if (ret) {
- 			if (!list_empty(&pagelist)) {
-diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
-index a650db2..f6f2383 100644
---- a/mm/memory_hotplug.c
-+++ b/mm/memory_hotplug.c
-@@ -1332,7 +1332,7 @@ do_migrate_range(unsigned long start_pfn, unsigned long end_pfn)
- 		 * alloc_migrate_target should be improooooved!!
- 		 * migrate_pages returns # of failed pages.
- 		 */
--		ret = migrate_pages(&source, alloc_migrate_target, 0,
-+		ret = migrate_pages(&source, alloc_migrate_target, NULL, 0,
- 					MIGRATE_SYNC, MR_MEMORY_HOTPLUG);
- 		if (ret)
- 			putback_movable_pages(&source);
-diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index 796c7e6..e8fff0f 100644
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -1060,7 +1060,7 @@ static int migrate_to_node(struct mm_struct *mm, int source, int dest,
- 			flags | MPOL_MF_DISCONTIG_OK, &pagelist);
- 
- 	if (!list_empty(&pagelist)) {
--		err = migrate_pages(&pagelist, new_node_page, dest,
-+		err = migrate_pages(&pagelist, new_node_page, NULL, dest,
- 					MIGRATE_SYNC, MR_SYSCALL);
- 		if (err)
- 			putback_movable_pages(&pagelist);
-@@ -1306,7 +1306,7 @@ static long do_mbind(unsigned long start, unsigned long len,
- 
- 		if (!list_empty(&pagelist)) {
- 			WARN_ON_ONCE(flags & MPOL_MF_LAZY);
--			nr_failed = migrate_pages(&pagelist, new_page,
-+			nr_failed = migrate_pages(&pagelist, new_page, NULL,
- 				start, MIGRATE_SYNC, MR_MEMPOLICY_MBIND);
- 			if (nr_failed)
- 				putback_movable_pages(&pagelist);
-diff --git a/mm/migrate.c b/mm/migrate.c
-index 13f47fb..3acac4a 100644
---- a/mm/migrate.c
-+++ b/mm/migrate.c
-@@ -941,8 +941,9 @@ out:
-  * Obtain the lock on page, remove all ptes and migrate the page
-  * to the newly allocated page in newpage.
-  */
--static int unmap_and_move(new_page_t get_new_page, unsigned long private,
--			struct page *page, int force, enum migrate_mode mode)
-+static int unmap_and_move(new_page_t get_new_page, free_page_t put_new_page,
-+			unsigned long private, struct page *page, int force,
-+			enum migrate_mode mode)
- {
- 	int rc = 0;
- 	int *result = NULL;
-@@ -986,11 +987,18 @@ out:
- 				page_is_file_cache(page));
- 		putback_lru_page(page);
- 	}
-+
- 	/*
--	 * Move the new page to the LRU. If migration was not successful
--	 * then this will free the page.
-+	 * If migration was not successful and there's a freeing callback, use
-+	 * it.  Otherwise, putback_lru_page() will drop the reference grabbed
-+	 * during isolation.
- 	 */
--	putback_lru_page(newpage);
-+	if (rc != MIGRATEPAGE_SUCCESS && put_new_page) {
-+		ClearPageSwapBacked(newpage);
-+		put_new_page(newpage, private);
-+	} else
-+		putback_lru_page(newpage);
-+
- 	if (result) {
- 		if (rc)
- 			*result = rc;
-@@ -1019,8 +1027,9 @@ out:
-  * will wait in the page fault for migration to complete.
-  */
- static int unmap_and_move_huge_page(new_page_t get_new_page,
--				unsigned long private, struct page *hpage,
--				int force, enum migrate_mode mode)
-+				free_page_t put_new_page, unsigned long private,
-+				struct page *hpage, int force,
-+				enum migrate_mode mode)
- {
- 	int rc = 0;
- 	int *result = NULL;
-@@ -1059,20 +1068,30 @@ static int unmap_and_move_huge_page(new_page_t get_new_page,
- 	if (!page_mapped(hpage))
- 		rc = move_to_new_page(new_hpage, hpage, 1, mode);
- 
--	if (rc)
-+	if (rc != MIGRATEPAGE_SUCCESS)
- 		remove_migration_ptes(hpage, hpage);
- 
- 	if (anon_vma)
- 		put_anon_vma(anon_vma);
- 
--	if (!rc)
-+	if (rc == MIGRATEPAGE_SUCCESS)
- 		hugetlb_cgroup_migrate(hpage, new_hpage);
- 
- 	unlock_page(hpage);
- out:
- 	if (rc != -EAGAIN)
- 		putback_active_hugepage(hpage);
--	put_page(new_hpage);
-+
-+	/*
-+	 * If migration was not successful and there's a freeing callback, use
-+	 * it.  Otherwise, put_page() will drop the reference grabbed during
-+	 * isolation.
-+	 */
-+	if (rc != MIGRATEPAGE_SUCCESS && put_new_page)
-+		put_new_page(new_hpage, private);
-+	else
-+		put_page(new_hpage);
-+
- 	if (result) {
- 		if (rc)
- 			*result = rc;
-@@ -1089,6 +1108,8 @@ out:
-  * @from:		The list of pages to be migrated.
-  * @get_new_page:	The function used to allocate free pages to be used
-  *			as the target of the page migration.
-+ * @put_new_page:	The function used to free target pages if migration
-+ *			fails, or NULL if no special handling is necessary.
-  * @private:		Private data to be passed on to get_new_page()
-  * @mode:		The migration mode that specifies the constraints for
-  *			page migration, if any.
-@@ -1102,7 +1123,8 @@ out:
-  * Returns the number of pages that were not migrated, or an error code.
-  */
- int migrate_pages(struct list_head *from, new_page_t get_new_page,
--		unsigned long private, enum migrate_mode mode, int reason)
-+		free_page_t put_new_page, unsigned long private,
-+		enum migrate_mode mode, int reason)
- {
- 	int retry = 1;
- 	int nr_failed = 0;
-@@ -1124,10 +1146,11 @@ int migrate_pages(struct list_head *from, new_page_t get_new_page,
- 
- 			if (PageHuge(page))
- 				rc = unmap_and_move_huge_page(get_new_page,
--						private, page, pass > 2, mode);
-+						put_new_page, private, page,
-+						pass > 2, mode);
- 			else
--				rc = unmap_and_move(get_new_page, private,
--						page, pass > 2, mode);
-+				rc = unmap_and_move(get_new_page, put_new_page,
-+						private, page, pass > 2, mode);
- 
- 			switch(rc) {
- 			case -ENOMEM:
-@@ -1276,7 +1299,7 @@ set_status:
- 
- 	err = 0;
- 	if (!list_empty(&pagelist)) {
--		err = migrate_pages(&pagelist, new_page_node,
-+		err = migrate_pages(&pagelist, new_page_node, NULL,
- 				(unsigned long)pm, MIGRATE_SYNC, MR_SYSCALL);
- 		if (err)
- 			putback_movable_pages(&pagelist);
-@@ -1732,7 +1755,8 @@ int migrate_misplaced_page(struct page *page, struct vm_area_struct *vma,
- 
- 	list_add(&page->lru, &migratepages);
- 	nr_remaining = migrate_pages(&migratepages, alloc_misplaced_dst_page,
--				     node, MIGRATE_ASYNC, MR_NUMA_MISPLACED);
-+				     NULL, node, MIGRATE_ASYNC,
-+				     MR_NUMA_MISPLACED);
- 	if (nr_remaining) {
- 		if (!list_empty(&migratepages)) {
- 			list_del(&page->lru);
-diff --git a/mm/mincore.c b/mm/mincore.c
-index 1016233..725c809 100644
---- a/mm/mincore.c
-+++ b/mm/mincore.c
-@@ -70,13 +70,21 @@ static unsigned char mincore_page(struct address_space *mapping, pgoff_t pgoff)
- 	 * any other file mapping (ie. marked !present and faulted in with
- 	 * tmpfs's .fault). So swapped out tmpfs mappings are tested here.
- 	 */
--	page = find_get_page(mapping, pgoff);
- #ifdef CONFIG_SWAP
--	/* shmem/tmpfs may return swap: account for swapcache page too. */
--	if (radix_tree_exceptional_entry(page)) {
--		swp_entry_t swap = radix_to_swp_entry(page);
--		page = find_get_page(swap_address_space(swap), swap.val);
--	}
-+	if (shmem_mapping(mapping)) {
-+		page = find_get_entry(mapping, pgoff);
-+		/*
-+		 * shmem/tmpfs may return swap: account for swapcache
-+		 * page too.
-+		 */
-+		if (radix_tree_exceptional_entry(page)) {
-+			swp_entry_t swp = radix_to_swp_entry(page);
-+			page = find_get_page(swap_address_space(swp), swp.val);
-+		}
-+	} else
-+		page = find_get_page(mapping, pgoff);
-+#else
-+	page = find_get_page(mapping, pgoff);
- #endif
- 	if (page) {
- 		present = PageUptodate(page);
-diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 7b2611a..4b25829 100644
---- a/mm/page_alloc.c
-+++ b/mm/page_alloc.c
-@@ -943,6 +943,7 @@ struct page *__rmqueue_smallest(struct zone *zone, unsigned int order,
- 		rmv_page_order(page);
- 		area->nr_free--;
- 		expand(zone, page, order, current_order, area, migratetype);
-+		set_freepage_migratetype(page, migratetype);
- 		return page;
- 	}
- 
-@@ -1069,7 +1070,9 @@ static int try_to_steal_freepages(struct zone *zone, struct page *page,
- 
- 	/*
- 	 * When borrowing from MIGRATE_CMA, we need to release the excess
--	 * buddy pages to CMA itself.
-+	 * buddy pages to CMA itself. We also ensure the freepage_migratetype
-+	 * is set to CMA so it is returned to the correct freelist in case
-+	 * the page ends up being not actually allocated from the pcp lists.
- 	 */
- 	if (is_migrate_cma(fallback_type))
- 		return fallback_type;
-@@ -1137,6 +1140,12 @@ __rmqueue_fallback(struct zone *zone, int order, int start_migratetype)
- 
- 			expand(zone, page, order, current_order, area,
- 			       new_type);
-+			/* The freepage_migratetype may differ from pageblock's
-+			 * migratetype depending on the decisions in
-+			 * try_to_steal_freepages. This is OK as long as it does
-+			 * not differ for MIGRATE_CMA type.
-+			 */
-+			set_freepage_migratetype(page, new_type);
- 
- 			trace_mm_page_alloc_extfrag(page, order, current_order,
- 				start_migratetype, migratetype, new_type);
-@@ -1187,7 +1196,7 @@ static int rmqueue_bulk(struct zone *zone, unsigned int order,
- 			unsigned long count, struct list_head *list,
- 			int migratetype, int cold)
- {
--	int mt = migratetype, i;
-+	int i;
- 
- 	spin_lock(&zone->lock);
- 	for (i = 0; i < count; ++i) {
-@@ -1208,14 +1217,8 @@ static int rmqueue_bulk(struct zone *zone, unsigned int order,
- 			list_add(&page->lru, list);
- 		else
- 			list_add_tail(&page->lru, list);
--		if (IS_ENABLED(CONFIG_CMA)) {
--			mt = get_pageblock_migratetype(page);
--			if (!is_migrate_cma(mt) && !is_migrate_isolate(mt))
--				mt = migratetype;
--		}
--		set_freepage_migratetype(page, mt);
- 		list = &page->lru;
--		if (is_migrate_cma(mt))
-+		if (is_migrate_cma(get_freepage_migratetype(page)))
- 			__mod_zone_page_state(zone, NR_FREE_CMA_PAGES,
- 					      -(1 << order));
- 	}
-@@ -1584,7 +1587,7 @@ again:
- 		if (!page)
- 			goto failed;
- 		__mod_zone_freepage_state(zone, -(1 << order),
--					  get_pageblock_migratetype(page));
-+					  get_freepage_migratetype(page));
- 	}
- 
- 	__mod_zone_page_state(zone, NR_ALLOC_BATCH, -(1 << order));
-@@ -2246,7 +2249,7 @@ static struct page *
- __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order,
- 	struct zonelist *zonelist, enum zone_type high_zoneidx,
- 	nodemask_t *nodemask, int alloc_flags, struct zone *preferred_zone,
--	int migratetype, bool sync_migration,
-+	int migratetype, enum migrate_mode mode,
- 	bool *contended_compaction, bool *deferred_compaction,
- 	unsigned long *did_some_progress)
- {
-@@ -2260,7 +2263,7 @@ __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order,
- 
- 	current->flags |= PF_MEMALLOC;
- 	*did_some_progress = try_to_compact_pages(zonelist, order, gfp_mask,
--						nodemask, sync_migration,
-+						nodemask, mode,
- 						contended_compaction);
- 	current->flags &= ~PF_MEMALLOC;
- 
-@@ -2293,7 +2296,7 @@ __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order,
- 		 * As async compaction considers a subset of pageblocks, only
- 		 * defer if the failure was a sync compaction failure.
- 		 */
--		if (sync_migration)
-+		if (mode != MIGRATE_ASYNC)
- 			defer_compaction(preferred_zone, order);
- 
- 		cond_resched();
-@@ -2306,9 +2309,8 @@ static inline struct page *
- __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order,
- 	struct zonelist *zonelist, enum zone_type high_zoneidx,
- 	nodemask_t *nodemask, int alloc_flags, struct zone *preferred_zone,
--	int migratetype, bool sync_migration,
--	bool *contended_compaction, bool *deferred_compaction,
--	unsigned long *did_some_progress)
-+	int migratetype, enum migrate_mode mode, bool *contended_compaction,
-+	bool *deferred_compaction, unsigned long *did_some_progress)
- {
- 	return NULL;
- }
-@@ -2503,7 +2505,7 @@ __alloc_pages_slowpath(gfp_t gfp_mask, unsigned int order,
- 	int alloc_flags;
- 	unsigned long pages_reclaimed = 0;
- 	unsigned long did_some_progress;
--	bool sync_migration = false;
-+	enum migrate_mode migration_mode = MIGRATE_ASYNC;
- 	bool deferred_compaction = false;
- 	bool contended_compaction = false;
- 
-@@ -2597,17 +2599,15 @@ rebalance:
- 	 * Try direct compaction. The first pass is asynchronous. Subsequent
- 	 * attempts after direct reclaim are synchronous
- 	 */
--	page = __alloc_pages_direct_compact(gfp_mask, order,
--					zonelist, high_zoneidx,
--					nodemask,
--					alloc_flags, preferred_zone,
--					migratetype, sync_migration,
--					&contended_compaction,
-+	page = __alloc_pages_direct_compact(gfp_mask, order, zonelist,
-+					high_zoneidx, nodemask, alloc_flags,
-+					preferred_zone, migratetype,
-+					migration_mode, &contended_compaction,
- 					&deferred_compaction,
- 					&did_some_progress);
- 	if (page)
- 		goto got_pg;
--	sync_migration = true;
-+	migration_mode = MIGRATE_SYNC_LIGHT;
- 
- 	/*
- 	 * If compaction is deferred for high-order allocations, it is because
-@@ -2682,12 +2682,10 @@ rebalance:
- 		 * direct reclaim and reclaim/compaction depends on compaction
- 		 * being called after reclaim so call directly if necessary
- 		 */
--		page = __alloc_pages_direct_compact(gfp_mask, order,
--					zonelist, high_zoneidx,
--					nodemask,
--					alloc_flags, preferred_zone,
--					migratetype, sync_migration,
--					&contended_compaction,
-+		page = __alloc_pages_direct_compact(gfp_mask, order, zonelist,
-+					high_zoneidx, nodemask, alloc_flags,
-+					preferred_zone, migratetype,
-+					migration_mode, &contended_compaction,
- 					&deferred_compaction,
- 					&did_some_progress);
- 		if (page)
-@@ -6261,7 +6259,7 @@ static int __alloc_contig_migrate_range(struct compact_control *cc,
- 		cc->nr_migratepages -= nr_reclaimed;
- 
- 		ret = migrate_pages(&cc->migratepages, alloc_migrate_target,
--				    0, MIGRATE_SYNC, MR_CMA);
-+				    NULL, 0, cc->mode, MR_CMA);
- 	}
- 	if (ret < 0) {
- 		putback_movable_pages(&cc->migratepages);
-@@ -6300,7 +6298,7 @@ int alloc_contig_range(unsigned long start, unsigned long end,
- 		.nr_migratepages = 0,
- 		.order = -1,
- 		.zone = page_zone(pfn_to_page(start)),
--		.sync = true,
-+		.mode = MIGRATE_SYNC,
- 		.ignore_skip_hint = true,
- 	};
- 	INIT_LIST_HEAD(&cc.migratepages);
-diff --git a/mm/readahead.c b/mm/readahead.c
-index 1fa0d6f..0ca36a7 100644
---- a/mm/readahead.c
-+++ b/mm/readahead.c
-@@ -8,9 +8,7 @@
-  */
- 
- #include <linux/kernel.h>
--#include <linux/fs.h>
- #include <linux/gfp.h>
--#include <linux/mm.h>
- #include <linux/export.h>
- #include <linux/blkdev.h>
- #include <linux/backing-dev.h>
-@@ -20,6 +18,8 @@
- #include <linux/syscalls.h>
- #include <linux/file.h>
- 
-+#include "internal.h"
-+
- /*
-  * Initialise a struct file's readahead state.  Assumes that the caller has
-  * memset *ra to zero.
-@@ -149,8 +149,7 @@ out:
-  *
-  * Returns the number of pages requested, or the maximum amount of I/O allowed.
-  */
--static int
--__do_page_cache_readahead(struct address_space *mapping, struct file *filp,
-+int __do_page_cache_readahead(struct address_space *mapping, struct file *filp,
- 			pgoff_t offset, unsigned long nr_to_read,
- 			unsigned long lookahead_size)
- {
-@@ -179,7 +178,7 @@ __do_page_cache_readahead(struct address_space *mapping, struct file *filp,
- 		rcu_read_lock();
- 		page = radix_tree_lookup(&mapping->page_tree, page_offset);
- 		rcu_read_unlock();
--		if (page)
-+		if (page && !radix_tree_exceptional_entry(page))
- 			continue;
- 
- 		page = page_cache_alloc_readahead(mapping);
-@@ -244,20 +243,6 @@ unsigned long max_sane_readahead(unsigned long nr)
- }
- 
- /*
-- * Submit IO for the read-ahead request in file_ra_state.
-- */
--unsigned long ra_submit(struct file_ra_state *ra,
--		       struct address_space *mapping, struct file *filp)
--{
--	int actual;
--
--	actual = __do_page_cache_readahead(mapping, filp,
--					ra->start, ra->size, ra->async_size);
--
--	return actual;
--}
--
--/*
-  * Set the initial window size, round to next power of 2 and square
-  * for small size, x 4 for medium, and x 2 for large
-  * for 128k (32 page) max ra
-@@ -347,7 +332,7 @@ static pgoff_t count_history_pages(struct address_space *mapping,
- 	pgoff_t head;
- 
- 	rcu_read_lock();
--	head = radix_tree_prev_hole(&mapping->page_tree, offset - 1, max);
-+	head = page_cache_prev_hole(mapping, offset - 1, max);
- 	rcu_read_unlock();
- 
- 	return offset - 1 - head;
-@@ -427,7 +412,7 @@ ondemand_readahead(struct address_space *mapping,
- 		pgoff_t start;
- 
- 		rcu_read_lock();
--		start = radix_tree_next_hole(&mapping->page_tree, offset+1,max);
-+		start = page_cache_next_hole(mapping, offset + 1, max);
- 		rcu_read_unlock();
- 
- 		if (!start || start - offset > max)
-diff --git a/mm/shmem.c b/mm/shmem.c
-index f0d698b..0f14475 100644
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -243,19 +243,17 @@ static int shmem_radix_tree_replace(struct address_space *mapping,
- 			pgoff_t index, void *expected, void *replacement)
- {
- 	void **pslot;
--	void *item = NULL;
-+	void *item;
- 
- 	VM_BUG_ON(!expected);
-+	VM_BUG_ON(!replacement);
- 	pslot = radix_tree_lookup_slot(&mapping->page_tree, index);
--	if (pslot)
--		item = radix_tree_deref_slot_protected(pslot,
--							&mapping->tree_lock);
-+	if (!pslot)
-+		return -ENOENT;
-+	item = radix_tree_deref_slot_protected(pslot, &mapping->tree_lock);
- 	if (item != expected)
- 		return -ENOENT;
--	if (replacement)
--		radix_tree_replace_slot(pslot, replacement);
--	else
--		radix_tree_delete(&mapping->page_tree, index);
-+	radix_tree_replace_slot(pslot, replacement);
- 	return 0;
- }
- 
-@@ -332,84 +330,20 @@ static void shmem_delete_from_page_cache(struct page *page, void *radswap)
- }
- 
- /*
-- * Like find_get_pages, but collecting swap entries as well as pages.
-- */
--static unsigned shmem_find_get_pages_and_swap(struct address_space *mapping,
--					pgoff_t start, unsigned int nr_pages,
--					struct page **pages, pgoff_t *indices)
--{
--	void **slot;
--	unsigned int ret = 0;
--	struct radix_tree_iter iter;
--
--	if (!nr_pages)
--		return 0;
--
--	rcu_read_lock();
--restart:
--	radix_tree_for_each_slot(slot, &mapping->page_tree, &iter, start) {
--		struct page *page;
--repeat:
--		page = radix_tree_deref_slot(slot);
--		if (unlikely(!page))
--			continue;
--		if (radix_tree_exception(page)) {
--			if (radix_tree_deref_retry(page))
--				goto restart;
--			/*
--			 * Otherwise, we must be storing a swap entry
--			 * here as an exceptional entry: so return it
--			 * without attempting to raise page count.
--			 */
--			goto export;
--		}
--		if (!page_cache_get_speculative(page))
--			goto repeat;
--
--		/* Has the page moved? */
--		if (unlikely(page != *slot)) {
--			page_cache_release(page);
--			goto repeat;
--		}
--export:
--		indices[ret] = iter.index;
--		pages[ret] = page;
--		if (++ret == nr_pages)
--			break;
--	}
--	rcu_read_unlock();
--	return ret;
--}
--
--/*
-  * Remove swap entry from radix tree, free the swap and its page cache.
-  */
- static int shmem_free_swap(struct address_space *mapping,
- 			   pgoff_t index, void *radswap)
- {
--	int error;
-+	void *old;
- 
- 	spin_lock_irq(&mapping->tree_lock);
--	error = shmem_radix_tree_replace(mapping, index, radswap, NULL);
-+	old = radix_tree_delete_item(&mapping->page_tree, index, radswap);
- 	spin_unlock_irq(&mapping->tree_lock);
--	if (!error)
--		free_swap_and_cache(radix_to_swp_entry(radswap));
--	return error;
--}
--
--/*
-- * Pagevec may contain swap entries, so shuffle up pages before releasing.
-- */
--static void shmem_deswap_pagevec(struct pagevec *pvec)
--{
--	int i, j;
--
--	for (i = 0, j = 0; i < pagevec_count(pvec); i++) {
--		struct page *page = pvec->pages[i];
--		if (!radix_tree_exceptional_entry(page))
--			pvec->pages[j++] = page;
--	}
--	pvec->nr = j;
-+	if (old != radswap)
-+		return -ENOENT;
-+	free_swap_and_cache(radix_to_swp_entry(radswap));
-+	return 0;
- }
- 
- /*
-@@ -430,12 +364,12 @@ void shmem_unlock_mapping(struct address_space *mapping)
- 		 * Avoid pagevec_lookup(): find_get_pages() returns 0 as if it
- 		 * has finished, if it hits a row of PAGEVEC_SIZE swap entries.
- 		 */
--		pvec.nr = shmem_find_get_pages_and_swap(mapping, index,
--					PAGEVEC_SIZE, pvec.pages, indices);
-+		pvec.nr = find_get_entries(mapping, index,
-+					   PAGEVEC_SIZE, pvec.pages, indices);
- 		if (!pvec.nr)
- 			break;
- 		index = indices[pvec.nr - 1] + 1;
--		shmem_deswap_pagevec(&pvec);
-+		pagevec_remove_exceptionals(&pvec);
- 		check_move_unevictable_pages(pvec.pages, pvec.nr);
- 		pagevec_release(&pvec);
- 		cond_resched();
-@@ -467,9 +401,9 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
- 	pagevec_init(&pvec, 0);
- 	index = start;
- 	while (index < end) {
--		pvec.nr = shmem_find_get_pages_and_swap(mapping, index,
--				min(end - index, (pgoff_t)PAGEVEC_SIZE),
--							pvec.pages, indices);
-+		pvec.nr = find_get_entries(mapping, index,
-+			min(end - index, (pgoff_t)PAGEVEC_SIZE),
-+			pvec.pages, indices);
- 		if (!pvec.nr)
- 			break;
- 		mem_cgroup_uncharge_start();
-@@ -498,7 +432,7 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
- 			}
- 			unlock_page(page);
- 		}
--		shmem_deswap_pagevec(&pvec);
-+		pagevec_remove_exceptionals(&pvec);
- 		pagevec_release(&pvec);
- 		mem_cgroup_uncharge_end();
- 		cond_resched();
-@@ -536,9 +470,10 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
- 	index = start;
- 	while (index < end) {
- 		cond_resched();
--		pvec.nr = shmem_find_get_pages_and_swap(mapping, index,
-+
-+		pvec.nr = find_get_entries(mapping, index,
- 				min(end - index, (pgoff_t)PAGEVEC_SIZE),
--							pvec.pages, indices);
-+				pvec.pages, indices);
- 		if (!pvec.nr) {
- 			/* If all gone or hole-punch or unfalloc, we're done */
- 			if (index == start || end != -1)
-@@ -581,7 +516,7 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
- 			}
- 			unlock_page(page);
- 		}
--		shmem_deswap_pagevec(&pvec);
-+		pagevec_remove_exceptionals(&pvec);
- 		pagevec_release(&pvec);
- 		mem_cgroup_uncharge_end();
- 		index++;
-@@ -1088,7 +1023,7 @@ static int shmem_getpage_gfp(struct inode *inode, pgoff_t index,
- 		return -EFBIG;
- repeat:
- 	swap.val = 0;
--	page = find_lock_page(mapping, index);
-+	page = find_lock_entry(mapping, index);
- 	if (radix_tree_exceptional_entry(page)) {
- 		swap = radix_to_swp_entry(page);
- 		page = NULL;
-@@ -1483,6 +1418,11 @@ static struct inode *shmem_get_inode(struct super_block *sb, const struct inode
- 	return inode;
- }
- 
-+bool shmem_mapping(struct address_space *mapping)
-+{
-+	return mapping->backing_dev_info == &shmem_backing_dev_info;
-+}
-+
- #ifdef CONFIG_TMPFS
- static const struct inode_operations shmem_symlink_inode_operations;
- static const struct inode_operations shmem_short_symlink_operations;
-@@ -1795,7 +1735,7 @@ static pgoff_t shmem_seek_hole_data(struct address_space *mapping,
- 	pagevec_init(&pvec, 0);
- 	pvec.nr = 1;		/* start small: we may be there already */
- 	while (!done) {
--		pvec.nr = shmem_find_get_pages_and_swap(mapping, index,
-+		pvec.nr = find_get_entries(mapping, index,
- 					pvec.nr, pvec.pages, indices);
- 		if (!pvec.nr) {
- 			if (whence == SEEK_DATA)
-@@ -1822,7 +1762,7 @@ static pgoff_t shmem_seek_hole_data(struct address_space *mapping,
- 				break;
- 			}
- 		}
--		shmem_deswap_pagevec(&pvec);
-+		pagevec_remove_exceptionals(&pvec);
- 		pagevec_release(&pvec);
- 		pvec.nr = PAGEVEC_SIZE;
- 		cond_resched();
-diff --git a/mm/swap.c b/mm/swap.c
-index 0092097..c8048d7 100644
---- a/mm/swap.c
-+++ b/mm/swap.c
-@@ -948,6 +948,57 @@ void __pagevec_lru_add(struct pagevec *pvec)
- EXPORT_SYMBOL(__pagevec_lru_add);
- 
- /**
-+ * pagevec_lookup_entries - gang pagecache lookup
-+ * @pvec:	Where the resulting entries are placed
-+ * @mapping:	The address_space to search
-+ * @start:	The starting entry index
-+ * @nr_entries:	The maximum number of entries
-+ * @indices:	The cache indices corresponding to the entries in @pvec
-+ *
-+ * pagevec_lookup_entries() will search for and return a group of up
-+ * to @nr_entries pages and shadow entries in the mapping.  All
-+ * entries are placed in @pvec.  pagevec_lookup_entries() takes a
-+ * reference against actual pages in @pvec.
-+ *
-+ * The search returns a group of mapping-contiguous entries with
-+ * ascending indexes.  There may be holes in the indices due to
-+ * not-present entries.
-+ *
-+ * pagevec_lookup_entries() returns the number of entries which were
-+ * found.
-+ */
-+unsigned pagevec_lookup_entries(struct pagevec *pvec,
-+				struct address_space *mapping,
-+				pgoff_t start, unsigned nr_pages,
-+				pgoff_t *indices)
-+{
-+	pvec->nr = find_get_entries(mapping, start, nr_pages,
-+				    pvec->pages, indices);
-+	return pagevec_count(pvec);
-+}
-+
-+/**
-+ * pagevec_remove_exceptionals - pagevec exceptionals pruning
-+ * @pvec:	The pagevec to prune
-+ *
-+ * pagevec_lookup_entries() fills both pages and exceptional radix
-+ * tree entries into the pagevec.  This function prunes all
-+ * exceptionals from @pvec without leaving holes, so that it can be
-+ * passed on to page-only pagevec operations.
-+ */
-+void pagevec_remove_exceptionals(struct pagevec *pvec)
-+{
-+	int i, j;
-+
-+	for (i = 0, j = 0; i < pagevec_count(pvec); i++) {
-+		struct page *page = pvec->pages[i];
-+		if (!radix_tree_exceptional_entry(page))
-+			pvec->pages[j++] = page;
-+	}
-+	pvec->nr = j;
-+}
-+
-+/**
-  * pagevec_lookup - gang pagecache lookup
-  * @pvec:	Where the resulting pages are placed
-  * @mapping:	The address_space to search
-diff --git a/mm/truncate.c b/mm/truncate.c
-index ac18edc..827ad8d 100644
---- a/mm/truncate.c
-+++ b/mm/truncate.c
-@@ -23,6 +23,22 @@
- #include <linux/rmap.h>
- #include "internal.h"
- 
-+static void clear_exceptional_entry(struct address_space *mapping,
-+				    pgoff_t index, void *entry)
-+{
-+	/* Handled by shmem itself */
-+	if (shmem_mapping(mapping))
-+		return;
-+
-+	spin_lock_irq(&mapping->tree_lock);
-+	/*
-+	 * Regular page slots are stabilized by the page lock even
-+	 * without the tree itself locked.  These unlocked entries
-+	 * need verification under the tree lock.
-+	 */
-+	radix_tree_delete_item(&mapping->page_tree, index, entry);
-+	spin_unlock_irq(&mapping->tree_lock);
-+}
- 
- /**
-  * do_invalidatepage - invalidate part or all of a page
-@@ -209,6 +225,7 @@ void truncate_inode_pages_range(struct address_space *mapping,
- 	unsigned int	partial_start;	/* inclusive */
- 	unsigned int	partial_end;	/* exclusive */
- 	struct pagevec	pvec;
-+	pgoff_t		indices[PAGEVEC_SIZE];
- 	pgoff_t		index;
- 	int		i;
- 
-@@ -239,17 +256,23 @@ void truncate_inode_pages_range(struct address_space *mapping,
- 
- 	pagevec_init(&pvec, 0);
- 	index = start;
--	while (index < end && pagevec_lookup(&pvec, mapping, index,
--			min(end - index, (pgoff_t)PAGEVEC_SIZE))) {
-+	while (index < end && pagevec_lookup_entries(&pvec, mapping, index,
-+			min(end - index, (pgoff_t)PAGEVEC_SIZE),
-+			indices)) {
- 		mem_cgroup_uncharge_start();
- 		for (i = 0; i < pagevec_count(&pvec); i++) {
- 			struct page *page = pvec.pages[i];
- 
- 			/* We rely upon deletion not changing page->index */
--			index = page->index;
-+			index = indices[i];
- 			if (index >= end)
- 				break;
- 
-+			if (radix_tree_exceptional_entry(page)) {
-+				clear_exceptional_entry(mapping, index, page);
-+				continue;
-+			}
-+
- 			if (!trylock_page(page))
- 				continue;
- 			WARN_ON(page->index != index);
-@@ -260,6 +283,7 @@ void truncate_inode_pages_range(struct address_space *mapping,
- 			truncate_inode_page(mapping, page);
- 			unlock_page(page);
- 		}
-+		pagevec_remove_exceptionals(&pvec);
- 		pagevec_release(&pvec);
- 		mem_cgroup_uncharge_end();
- 		cond_resched();
-@@ -308,14 +332,16 @@ void truncate_inode_pages_range(struct address_space *mapping,
- 	index = start;
- 	for ( ; ; ) {
- 		cond_resched();
--		if (!pagevec_lookup(&pvec, mapping, index,
--			min(end - index, (pgoff_t)PAGEVEC_SIZE))) {
-+		if (!pagevec_lookup_entries(&pvec, mapping, index,
-+			min(end - index, (pgoff_t)PAGEVEC_SIZE),
-+			indices)) {
- 			if (index == start)
- 				break;
- 			index = start;
- 			continue;
- 		}
--		if (index == start && pvec.pages[0]->index >= end) {
-+		if (index == start && indices[0] >= end) {
-+			pagevec_remove_exceptionals(&pvec);
- 			pagevec_release(&pvec);
- 			break;
- 		}
-@@ -324,16 +350,22 @@ void truncate_inode_pages_range(struct address_space *mapping,
- 			struct page *page = pvec.pages[i];
- 
- 			/* We rely upon deletion not changing page->index */
--			index = page->index;
-+			index = indices[i];
- 			if (index >= end)
- 				break;
- 
-+			if (radix_tree_exceptional_entry(page)) {
-+				clear_exceptional_entry(mapping, index, page);
-+				continue;
-+			}
-+
- 			lock_page(page);
- 			WARN_ON(page->index != index);
- 			wait_on_page_writeback(page);
- 			truncate_inode_page(mapping, page);
- 			unlock_page(page);
- 		}
-+		pagevec_remove_exceptionals(&pvec);
- 		pagevec_release(&pvec);
- 		mem_cgroup_uncharge_end();
- 		index++;
-@@ -376,6 +408,7 @@ EXPORT_SYMBOL(truncate_inode_pages);
- unsigned long invalidate_mapping_pages(struct address_space *mapping,
- 		pgoff_t start, pgoff_t end)
- {
-+	pgoff_t indices[PAGEVEC_SIZE];
- 	struct pagevec pvec;
- 	pgoff_t index = start;
- 	unsigned long ret;
-@@ -391,17 +424,23 @@ unsigned long invalidate_mapping_pages(struct address_space *mapping,
- 	 */
- 
- 	pagevec_init(&pvec, 0);
--	while (index <= end && pagevec_lookup(&pvec, mapping, index,
--			min(end - index, (pgoff_t)PAGEVEC_SIZE - 1) + 1)) {
-+	while (index <= end && pagevec_lookup_entries(&pvec, mapping, index,
-+			min(end - index, (pgoff_t)PAGEVEC_SIZE - 1) + 1,
-+			indices)) {
- 		mem_cgroup_uncharge_start();
- 		for (i = 0; i < pagevec_count(&pvec); i++) {
- 			struct page *page = pvec.pages[i];
- 
- 			/* We rely upon deletion not changing page->index */
--			index = page->index;
-+			index = indices[i];
- 			if (index > end)
- 				break;
- 
-+			if (radix_tree_exceptional_entry(page)) {
-+				clear_exceptional_entry(mapping, index, page);
-+				continue;
-+			}
-+
- 			if (!trylock_page(page))
- 				continue;
- 			WARN_ON(page->index != index);
-@@ -415,6 +454,7 @@ unsigned long invalidate_mapping_pages(struct address_space *mapping,
- 				deactivate_page(page);
- 			count += ret;
- 		}
-+		pagevec_remove_exceptionals(&pvec);
- 		pagevec_release(&pvec);
- 		mem_cgroup_uncharge_end();
- 		cond_resched();
-@@ -482,6 +522,7 @@ static int do_launder_page(struct address_space *mapping, struct page *page)
- int invalidate_inode_pages2_range(struct address_space *mapping,
- 				  pgoff_t start, pgoff_t end)
- {
-+	pgoff_t indices[PAGEVEC_SIZE];
- 	struct pagevec pvec;
- 	pgoff_t index;
- 	int i;
-@@ -492,17 +533,23 @@ int invalidate_inode_pages2_range(struct address_space *mapping,
- 	cleancache_invalidate_inode(mapping);
- 	pagevec_init(&pvec, 0);
- 	index = start;
--	while (index <= end && pagevec_lookup(&pvec, mapping, index,
--			min(end - index, (pgoff_t)PAGEVEC_SIZE - 1) + 1)) {
-+	while (index <= end && pagevec_lookup_entries(&pvec, mapping, index,
-+			min(end - index, (pgoff_t)PAGEVEC_SIZE - 1) + 1,
-+			indices)) {
- 		mem_cgroup_uncharge_start();
- 		for (i = 0; i < pagevec_count(&pvec); i++) {
- 			struct page *page = pvec.pages[i];
- 
- 			/* We rely upon deletion not changing page->index */
--			index = page->index;
-+			index = indices[i];
- 			if (index > end)
- 				break;
- 
-+			if (radix_tree_exceptional_entry(page)) {
-+				clear_exceptional_entry(mapping, index, page);
-+				continue;
-+			}
-+
- 			lock_page(page);
- 			WARN_ON(page->index != index);
- 			if (page->mapping != mapping) {
-@@ -540,6 +587,7 @@ int invalidate_inode_pages2_range(struct address_space *mapping,
- 				ret = ret2;
- 			unlock_page(page);
- 		}
-+		pagevec_remove_exceptionals(&pvec);
- 		pagevec_release(&pvec);
- 		mem_cgroup_uncharge_end();
- 		cond_resched();
-diff --git a/mm/vmscan.c b/mm/vmscan.c
-index 0c0b36e..deb139e 100644
---- a/mm/vmscan.c
-+++ b/mm/vmscan.c
-@@ -2018,13 +2018,27 @@ static void shrink_lruvec(struct lruvec *lruvec, struct scan_control *sc)
- 	unsigned long nr_reclaimed = 0;
- 	unsigned long nr_to_reclaim = sc->nr_to_reclaim;
- 	struct blk_plug plug;
--	bool scan_adjusted = false;
-+	bool scan_adjusted;
- 
- 	get_scan_count(lruvec, sc, nr);
- 
- 	/* Record the original scan target for proportional adjustments later */
- 	memcpy(targets, nr, sizeof(nr));
- 
-+	/*
-+	 * Global reclaiming within direct reclaim at DEF_PRIORITY is a normal
-+	 * event that can occur when there is little memory pressure e.g.
-+	 * multiple streaming readers/writers. Hence, we do not abort scanning
-+	 * when the requested number of pages are reclaimed when scanning at
-+	 * DEF_PRIORITY on the assumption that the fact we are direct
-+	 * reclaiming implies that kswapd is not keeping up and it is best to
-+	 * do a batch of work at once. For memcg reclaim one check is made to
-+	 * abort proportional reclaim if either the file or anon lru has already
-+	 * dropped to zero at the first pass.
-+	 */
-+	scan_adjusted = (global_reclaim(sc) && !current_is_kswapd() &&
-+			 sc->priority == DEF_PRIORITY);
-+
- 	blk_start_plug(&plug);
- 	while (nr[LRU_INACTIVE_ANON] || nr[LRU_ACTIVE_FILE] ||
- 					nr[LRU_INACTIVE_FILE]) {
-@@ -2045,17 +2059,8 @@ static void shrink_lruvec(struct lruvec *lruvec, struct scan_control *sc)
- 			continue;
- 
- 		/*
--		 * For global direct reclaim, reclaim only the number of pages
--		 * requested. Less care is taken to scan proportionally as it
--		 * is more important to minimise direct reclaim stall latency
--		 * than it is to properly age the LRU lists.
--		 */
--		if (global_reclaim(sc) && !current_is_kswapd())
--			break;
--
--		/*
- 		 * For kswapd and memcg, reclaim at least the number of pages
--		 * requested. Ensure that the anon and file LRUs shrink
-+		 * requested. Ensure that the anon and file LRUs are scanned
- 		 * proportionally what was requested by get_scan_count(). We
- 		 * stop reclaiming one LRU and reduce the amount scanning
- 		 * proportional to the original scan target.
-@@ -2063,6 +2068,15 @@ static void shrink_lruvec(struct lruvec *lruvec, struct scan_control *sc)
- 		nr_file = nr[LRU_INACTIVE_FILE] + nr[LRU_ACTIVE_FILE];
- 		nr_anon = nr[LRU_INACTIVE_ANON] + nr[LRU_ACTIVE_ANON];
- 
-+		/*
-+		 * It's just vindictive to attack the larger once the smaller
-+		 * has gone to zero.  And given the way we stop scanning the
-+		 * smaller below, this makes sure that we only make one nudge
-+		 * towards proportionality once we've got nr_to_reclaim.
-+		 */
-+		if (!nr_file || !nr_anon)
-+			break;
-+
- 		if (nr_file > nr_anon) {
- 			unsigned long scan_target = targets[LRU_INACTIVE_ANON] +
- 						targets[LRU_ACTIVE_ANON] + 1;
-diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
-index 6e7a236..06f19b9 100644
---- a/net/ceph/crypto.c
-+++ b/net/ceph/crypto.c
-@@ -89,11 +89,82 @@ static struct crypto_blkcipher *ceph_crypto_alloc_cipher(void)
- 
- static const u8 *aes_iv = (u8 *)CEPH_AES_IV;
- 
-+/*
-+ * Should be used for buffers allocated with ceph_kvmalloc().
-+ * Currently these are encrypt out-buffer (ceph_buffer) and decrypt
-+ * in-buffer (msg front).
-+ *
-+ * Dispose of @sgt with teardown_sgtable().
-+ *
-+ * @prealloc_sg is to avoid memory allocation inside sg_alloc_table()
-+ * in cases where a single sg is sufficient.  No attempt to reduce the
-+ * number of sgs by squeezing physically contiguous pages together is
-+ * made though, for simplicity.
-+ */
-+static int setup_sgtable(struct sg_table *sgt, struct scatterlist *prealloc_sg,
-+			 const void *buf, unsigned int buf_len)
-+{
-+	struct scatterlist *sg;
-+	const bool is_vmalloc = is_vmalloc_addr(buf);
-+	unsigned int off = offset_in_page(buf);
-+	unsigned int chunk_cnt = 1;
-+	unsigned int chunk_len = PAGE_ALIGN(off + buf_len);
-+	int i;
-+	int ret;
-+
-+	if (buf_len == 0) {
-+		memset(sgt, 0, sizeof(*sgt));
-+		return -EINVAL;
-+	}
-+
-+	if (is_vmalloc) {
-+		chunk_cnt = chunk_len >> PAGE_SHIFT;
-+		chunk_len = PAGE_SIZE;
-+	}
-+
-+	if (chunk_cnt > 1) {
-+		ret = sg_alloc_table(sgt, chunk_cnt, GFP_NOFS);
-+		if (ret)
-+			return ret;
-+	} else {
-+		WARN_ON(chunk_cnt != 1);
-+		sg_init_table(prealloc_sg, 1);
-+		sgt->sgl = prealloc_sg;
-+		sgt->nents = sgt->orig_nents = 1;
-+	}
-+
-+	for_each_sg(sgt->sgl, sg, sgt->orig_nents, i) {
-+		struct page *page;
-+		unsigned int len = min(chunk_len - off, buf_len);
-+
-+		if (is_vmalloc)
-+			page = vmalloc_to_page(buf);
-+		else
-+			page = virt_to_page(buf);
-+
-+		sg_set_page(sg, page, len, off);
-+
-+		off = 0;
-+		buf += len;
-+		buf_len -= len;
-+	}
-+	WARN_ON(buf_len != 0);
-+
-+	return 0;
-+}
-+
-+static void teardown_sgtable(struct sg_table *sgt)
-+{
-+	if (sgt->orig_nents > 1)
-+		sg_free_table(sgt);
-+}
-+
- static int ceph_aes_encrypt(const void *key, int key_len,
- 			    void *dst, size_t *dst_len,
- 			    const void *src, size_t src_len)
- {
--	struct scatterlist sg_in[2], sg_out[1];
-+	struct scatterlist sg_in[2], prealloc_sg;
-+	struct sg_table sg_out;
- 	struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
- 	struct blkcipher_desc desc = { .tfm = tfm, .flags = 0 };
- 	int ret;
-@@ -109,16 +180,18 @@ static int ceph_aes_encrypt(const void *key, int key_len,
- 
- 	*dst_len = src_len + zero_padding;
- 
--	crypto_blkcipher_setkey((void *)tfm, key, key_len);
- 	sg_init_table(sg_in, 2);
- 	sg_set_buf(&sg_in[0], src, src_len);
- 	sg_set_buf(&sg_in[1], pad, zero_padding);
--	sg_init_table(sg_out, 1);
--	sg_set_buf(sg_out, dst, *dst_len);
-+	ret = setup_sgtable(&sg_out, &prealloc_sg, dst, *dst_len);
-+	if (ret)
-+		goto out_tfm;
-+
-+	crypto_blkcipher_setkey((void *)tfm, key, key_len);
- 	iv = crypto_blkcipher_crt(tfm)->iv;
- 	ivsize = crypto_blkcipher_ivsize(tfm);
--
- 	memcpy(iv, aes_iv, ivsize);
-+
- 	/*
- 	print_hex_dump(KERN_ERR, "enc key: ", DUMP_PREFIX_NONE, 16, 1,
- 		       key, key_len, 1);
-@@ -127,16 +200,22 @@ static int ceph_aes_encrypt(const void *key, int key_len,
- 	print_hex_dump(KERN_ERR, "enc pad: ", DUMP_PREFIX_NONE, 16, 1,
- 			pad, zero_padding, 1);
- 	*/
--	ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in,
-+	ret = crypto_blkcipher_encrypt(&desc, sg_out.sgl, sg_in,
- 				     src_len + zero_padding);
--	crypto_free_blkcipher(tfm);
--	if (ret < 0)
-+	if (ret < 0) {
- 		pr_err("ceph_aes_crypt failed %d\n", ret);
-+		goto out_sg;
-+	}
- 	/*
- 	print_hex_dump(KERN_ERR, "enc out: ", DUMP_PREFIX_NONE, 16, 1,
- 		       dst, *dst_len, 1);
- 	*/
--	return 0;
-+
-+out_sg:
-+	teardown_sgtable(&sg_out);
-+out_tfm:
-+	crypto_free_blkcipher(tfm);
-+	return ret;
- }
- 
- static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
-@@ -144,7 +223,8 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
- 			     const void *src1, size_t src1_len,
- 			     const void *src2, size_t src2_len)
- {
--	struct scatterlist sg_in[3], sg_out[1];
-+	struct scatterlist sg_in[3], prealloc_sg;
-+	struct sg_table sg_out;
- 	struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
- 	struct blkcipher_desc desc = { .tfm = tfm, .flags = 0 };
- 	int ret;
-@@ -160,17 +240,19 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
- 
- 	*dst_len = src1_len + src2_len + zero_padding;
- 
--	crypto_blkcipher_setkey((void *)tfm, key, key_len);
- 	sg_init_table(sg_in, 3);
- 	sg_set_buf(&sg_in[0], src1, src1_len);
- 	sg_set_buf(&sg_in[1], src2, src2_len);
- 	sg_set_buf(&sg_in[2], pad, zero_padding);
--	sg_init_table(sg_out, 1);
--	sg_set_buf(sg_out, dst, *dst_len);
-+	ret = setup_sgtable(&sg_out, &prealloc_sg, dst, *dst_len);
-+	if (ret)
-+		goto out_tfm;
-+
-+	crypto_blkcipher_setkey((void *)tfm, key, key_len);
- 	iv = crypto_blkcipher_crt(tfm)->iv;
- 	ivsize = crypto_blkcipher_ivsize(tfm);
--
- 	memcpy(iv, aes_iv, ivsize);
-+
- 	/*
- 	print_hex_dump(KERN_ERR, "enc  key: ", DUMP_PREFIX_NONE, 16, 1,
- 		       key, key_len, 1);
-@@ -181,23 +263,30 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
- 	print_hex_dump(KERN_ERR, "enc  pad: ", DUMP_PREFIX_NONE, 16, 1,
- 			pad, zero_padding, 1);
- 	*/
--	ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in,
-+	ret = crypto_blkcipher_encrypt(&desc, sg_out.sgl, sg_in,
- 				     src1_len + src2_len + zero_padding);
--	crypto_free_blkcipher(tfm);
--	if (ret < 0)
-+	if (ret < 0) {
- 		pr_err("ceph_aes_crypt2 failed %d\n", ret);
-+		goto out_sg;
-+	}
- 	/*
- 	print_hex_dump(KERN_ERR, "enc  out: ", DUMP_PREFIX_NONE, 16, 1,
- 		       dst, *dst_len, 1);
- 	*/
--	return 0;
-+
-+out_sg:
-+	teardown_sgtable(&sg_out);
-+out_tfm:
-+	crypto_free_blkcipher(tfm);
-+	return ret;
- }
- 
- static int ceph_aes_decrypt(const void *key, int key_len,
- 			    void *dst, size_t *dst_len,
- 			    const void *src, size_t src_len)
- {
--	struct scatterlist sg_in[1], sg_out[2];
-+	struct sg_table sg_in;
-+	struct scatterlist sg_out[2], prealloc_sg;
- 	struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
- 	struct blkcipher_desc desc = { .tfm = tfm };
- 	char pad[16];
-@@ -209,16 +298,16 @@ static int ceph_aes_decrypt(const void *key, int key_len,
- 	if (IS_ERR(tfm))
- 		return PTR_ERR(tfm);
- 
--	crypto_blkcipher_setkey((void *)tfm, key, key_len);
--	sg_init_table(sg_in, 1);
- 	sg_init_table(sg_out, 2);
--	sg_set_buf(sg_in, src, src_len);
- 	sg_set_buf(&sg_out[0], dst, *dst_len);
- 	sg_set_buf(&sg_out[1], pad, sizeof(pad));
-+	ret = setup_sgtable(&sg_in, &prealloc_sg, src, src_len);
-+	if (ret)
-+		goto out_tfm;
- 
-+	crypto_blkcipher_setkey((void *)tfm, key, key_len);
- 	iv = crypto_blkcipher_crt(tfm)->iv;
- 	ivsize = crypto_blkcipher_ivsize(tfm);
--
- 	memcpy(iv, aes_iv, ivsize);
- 
- 	/*
-@@ -227,12 +316,10 @@ static int ceph_aes_decrypt(const void *key, int key_len,
- 	print_hex_dump(KERN_ERR, "dec  in: ", DUMP_PREFIX_NONE, 16, 1,
- 		       src, src_len, 1);
- 	*/
--
--	ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, src_len);
--	crypto_free_blkcipher(tfm);
-+	ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in.sgl, src_len);
- 	if (ret < 0) {
- 		pr_err("ceph_aes_decrypt failed %d\n", ret);
--		return ret;
-+		goto out_sg;
- 	}
- 
- 	if (src_len <= *dst_len)
-@@ -250,7 +337,12 @@ static int ceph_aes_decrypt(const void *key, int key_len,
- 	print_hex_dump(KERN_ERR, "dec out: ", DUMP_PREFIX_NONE, 16, 1,
- 		       dst, *dst_len, 1);
- 	*/
--	return 0;
-+
-+out_sg:
-+	teardown_sgtable(&sg_in);
-+out_tfm:
-+	crypto_free_blkcipher(tfm);
-+	return ret;
- }
- 
- static int ceph_aes_decrypt2(const void *key, int key_len,
-@@ -258,7 +350,8 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
- 			     void *dst2, size_t *dst2_len,
- 			     const void *src, size_t src_len)
- {
--	struct scatterlist sg_in[1], sg_out[3];
-+	struct sg_table sg_in;
-+	struct scatterlist sg_out[3], prealloc_sg;
- 	struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
- 	struct blkcipher_desc desc = { .tfm = tfm };
- 	char pad[16];
-@@ -270,17 +363,17 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
- 	if (IS_ERR(tfm))
- 		return PTR_ERR(tfm);
- 
--	sg_init_table(sg_in, 1);
--	sg_set_buf(sg_in, src, src_len);
- 	sg_init_table(sg_out, 3);
- 	sg_set_buf(&sg_out[0], dst1, *dst1_len);
- 	sg_set_buf(&sg_out[1], dst2, *dst2_len);
- 	sg_set_buf(&sg_out[2], pad, sizeof(pad));
-+	ret = setup_sgtable(&sg_in, &prealloc_sg, src, src_len);
-+	if (ret)
-+		goto out_tfm;
- 
- 	crypto_blkcipher_setkey((void *)tfm, key, key_len);
- 	iv = crypto_blkcipher_crt(tfm)->iv;
- 	ivsize = crypto_blkcipher_ivsize(tfm);
--
- 	memcpy(iv, aes_iv, ivsize);
- 
- 	/*
-@@ -289,12 +382,10 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
- 	print_hex_dump(KERN_ERR, "dec   in: ", DUMP_PREFIX_NONE, 16, 1,
- 		       src, src_len, 1);
- 	*/
--
--	ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, src_len);
--	crypto_free_blkcipher(tfm);
-+	ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in.sgl, src_len);
- 	if (ret < 0) {
- 		pr_err("ceph_aes_decrypt failed %d\n", ret);
--		return ret;
-+		goto out_sg;
- 	}
- 
- 	if (src_len <= *dst1_len)
-@@ -324,7 +415,11 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
- 		       dst2, *dst2_len, 1);
- 	*/
- 
--	return 0;
-+out_sg:
-+	teardown_sgtable(&sg_in);
-+out_tfm:
-+	crypto_free_blkcipher(tfm);
-+	return ret;
- }
- 
- 
-diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
-index cb57aa8..b27f6d3 100644
---- a/net/ipv6/ip6_gre.c
-+++ b/net/ipv6/ip6_gre.c
-@@ -962,8 +962,6 @@ static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu)
- 	else
- 		dev->flags &= ~IFF_POINTOPOINT;
- 
--	dev->iflink = p->link;
--
- 	/* Precalculate GRE options length */
- 	if (t->parms.o_flags&(GRE_CSUM|GRE_KEY|GRE_SEQ)) {
- 		if (t->parms.o_flags&GRE_CSUM)
-@@ -1273,6 +1271,7 @@ static int ip6gre_tunnel_init(struct net_device *dev)
- 		u64_stats_init(&ip6gre_tunnel_stats->syncp);
- 	}
- 
-+	dev->iflink = tunnel->parms.link;
- 
- 	return 0;
- }
-@@ -1474,6 +1473,8 @@ static int ip6gre_tap_init(struct net_device *dev)
- 		u64_stats_init(&ip6gre_tap_stats->syncp);
- 	}
- 
-+	dev->iflink = tunnel->parms.link;
-+
- 	return 0;
- }
- 
-diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
-index 9120339..657639d 100644
---- a/net/ipv6/ip6_tunnel.c
-+++ b/net/ipv6/ip6_tunnel.c
-@@ -272,9 +272,6 @@ static int ip6_tnl_create2(struct net_device *dev)
- 	int err;
- 
- 	t = netdev_priv(dev);
--	err = ip6_tnl_dev_init(dev);
--	if (err < 0)
--		goto out;
- 
- 	err = register_netdevice(dev);
- 	if (err < 0)
-@@ -1456,6 +1453,7 @@ ip6_tnl_change_mtu(struct net_device *dev, int new_mtu)
- 
- 
- static const struct net_device_ops ip6_tnl_netdev_ops = {
-+	.ndo_init	= ip6_tnl_dev_init,
- 	.ndo_uninit	= ip6_tnl_dev_uninit,
- 	.ndo_start_xmit = ip6_tnl_xmit,
- 	.ndo_do_ioctl	= ip6_tnl_ioctl,
-@@ -1547,16 +1545,10 @@ static int __net_init ip6_fb_tnl_dev_init(struct net_device *dev)
- 	struct ip6_tnl *t = netdev_priv(dev);
- 	struct net *net = dev_net(dev);
- 	struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
--	int err = ip6_tnl_dev_init_gen(dev);
--
--	if (err)
--		return err;
- 
- 	t->parms.proto = IPPROTO_IPV6;
- 	dev_hold(dev);
- 
--	ip6_tnl_link_config(t);
--
- 	rcu_assign_pointer(ip6n->tnls_wc[0], t);
- 	return 0;
- }
-diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
-index 2d19272..9a5339f 100644
---- a/net/ipv6/ip6_vti.c
-+++ b/net/ipv6/ip6_vti.c
-@@ -172,10 +172,6 @@ static int vti6_tnl_create2(struct net_device *dev)
- 	struct vti6_net *ip6n = net_generic(net, vti6_net_id);
- 	int err;
- 
--	err = vti6_dev_init(dev);
--	if (err < 0)
--		goto out;
--
- 	err = register_netdevice(dev);
- 	if (err < 0)
- 		goto out;
-@@ -693,6 +689,7 @@ static int vti6_change_mtu(struct net_device *dev, int new_mtu)
- }
- 
- static const struct net_device_ops vti6_netdev_ops = {
-+	.ndo_init	= vti6_dev_init,
- 	.ndo_uninit	= vti6_dev_uninit,
- 	.ndo_start_xmit = vti6_tnl_xmit,
- 	.ndo_do_ioctl	= vti6_ioctl,
-@@ -772,16 +769,10 @@ static int __net_init vti6_fb_tnl_dev_init(struct net_device *dev)
- 	struct ip6_tnl *t = netdev_priv(dev);
- 	struct net *net = dev_net(dev);
- 	struct vti6_net *ip6n = net_generic(net, vti6_net_id);
--	int err = vti6_dev_init_gen(dev);
--
--	if (err)
--		return err;
- 
- 	t->parms.proto = IPPROTO_IPV6;
- 	dev_hold(dev);
- 
--	vti6_link_config(t);
--
- 	rcu_assign_pointer(ip6n->tnls_wc[0], t);
- 	return 0;
- }
-diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
-index b12b11b..317b6db 100644
---- a/net/ipv6/sit.c
-+++ b/net/ipv6/sit.c
-@@ -195,10 +195,8 @@ static int ipip6_tunnel_create(struct net_device *dev)
- 	struct sit_net *sitn = net_generic(net, sit_net_id);
- 	int err;
- 
--	err = ipip6_tunnel_init(dev);
--	if (err < 0)
--		goto out;
--	ipip6_tunnel_clone_6rd(dev, sitn);
-+	memcpy(dev->dev_addr, &t->parms.iph.saddr, 4);
-+	memcpy(dev->broadcast, &t->parms.iph.daddr, 4);
- 
- 	if ((__force u16)t->parms.i_flags & SIT_ISATAP)
- 		dev->priv_flags |= IFF_ISATAP;
-@@ -207,7 +205,8 @@ static int ipip6_tunnel_create(struct net_device *dev)
- 	if (err < 0)
- 		goto out;
- 
--	strcpy(t->parms.name, dev->name);
-+	ipip6_tunnel_clone_6rd(dev, sitn);
-+
- 	dev->rtnl_link_ops = &sit_link_ops;
- 
- 	dev_hold(dev);
-@@ -1321,6 +1320,7 @@ static int ipip6_tunnel_change_mtu(struct net_device *dev, int new_mtu)
- }
- 
- static const struct net_device_ops ipip6_netdev_ops = {
-+	.ndo_init	= ipip6_tunnel_init,
- 	.ndo_uninit	= ipip6_tunnel_uninit,
- 	.ndo_start_xmit	= sit_tunnel_xmit,
- 	.ndo_do_ioctl	= ipip6_tunnel_ioctl,
-@@ -1367,9 +1367,7 @@ static int ipip6_tunnel_init(struct net_device *dev)
- 
- 	tunnel->dev = dev;
- 	tunnel->net = dev_net(dev);
--
--	memcpy(dev->dev_addr, &tunnel->parms.iph.saddr, 4);
--	memcpy(dev->broadcast, &tunnel->parms.iph.daddr, 4);
-+	strcpy(tunnel->parms.name, dev->name);
- 
- 	ipip6_tunnel_bind_dev(dev);
- 	dev->tstats = alloc_percpu(struct pcpu_sw_netstats);
-@@ -1401,7 +1399,6 @@ static int __net_init ipip6_fb_tunnel_init(struct net_device *dev)
- 
- 	tunnel->dev = dev;
- 	tunnel->net = dev_net(dev);
--	strcpy(tunnel->parms.name, dev->name);
- 
- 	iph->version		= 4;
- 	iph->protocol		= IPPROTO_IPV6;
-diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
-index ea7013c..3f076b9 100644
---- a/net/mac80211/ibss.c
-+++ b/net/mac80211/ibss.c
-@@ -815,7 +815,7 @@ ieee80211_ibss_process_chanswitch(struct ieee80211_sub_if_data *sdata,
- 
- 	memset(&params, 0, sizeof(params));
- 	memset(&csa_ie, 0, sizeof(csa_ie));
--	err = ieee80211_parse_ch_switch_ie(sdata, elems, beacon,
-+	err = ieee80211_parse_ch_switch_ie(sdata, elems,
- 					   ifibss->chandef.chan->band,
- 					   sta_flags, ifibss->bssid, &csa_ie);
- 	/* can't switch to destination channel, fail */
-diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index b127902..bf7a1bb 100644
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -1569,7 +1569,6 @@ void ieee80211_process_measurement_req(struct ieee80211_sub_if_data *sdata,
-  * ieee80211_parse_ch_switch_ie - parses channel switch IEs
-  * @sdata: the sdata of the interface which has received the frame
-  * @elems: parsed 802.11 elements received with the frame
-- * @beacon: indicates if the frame was a beacon or probe response
-  * @current_band: indicates the current band
-  * @sta_flags: contains information about own capabilities and restrictions
-  *	to decide which channel switch announcements can be accepted. Only the
-@@ -1583,7 +1582,7 @@ void ieee80211_process_measurement_req(struct ieee80211_sub_if_data *sdata,
-  * Return: 0 on success, <0 on error and >0 if there is nothing to parse.
-  */
- int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
--				 struct ieee802_11_elems *elems, bool beacon,
-+				 struct ieee802_11_elems *elems,
- 				 enum ieee80211_band current_band,
- 				 u32 sta_flags, u8 *bssid,
- 				 struct ieee80211_csa_ie *csa_ie);
-diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
-index 8f7fabc..06f5de4 100644
---- a/net/mac80211/iface.c
-+++ b/net/mac80211/iface.c
-@@ -760,10 +760,12 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
- 	int i, flushed;
- 	struct ps_data *ps;
- 	struct cfg80211_chan_def chandef;
-+	bool cancel_scan;
- 
- 	clear_bit(SDATA_STATE_RUNNING, &sdata->state);
- 
--	if (rcu_access_pointer(local->scan_sdata) == sdata)
-+	cancel_scan = rcu_access_pointer(local->scan_sdata) == sdata;
-+	if (cancel_scan)
- 		ieee80211_scan_cancel(local);
- 
- 	/*
-@@ -973,6 +975,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
- 
- 	ieee80211_recalc_ps(local, -1);
- 
-+	if (cancel_scan)
-+		flush_delayed_work(&local->scan_work);
-+
- 	if (local->open_count == 0) {
- 		ieee80211_stop_device(local);
- 
-diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
-index 5b919ca..3d52d1d 100644
---- a/net/mac80211/mesh.c
-+++ b/net/mac80211/mesh.c
-@@ -885,7 +885,7 @@ ieee80211_mesh_process_chnswitch(struct ieee80211_sub_if_data *sdata,
- 
- 	memset(&params, 0, sizeof(params));
- 	memset(&csa_ie, 0, sizeof(csa_ie));
--	err = ieee80211_parse_ch_switch_ie(sdata, elems, beacon, band,
-+	err = ieee80211_parse_ch_switch_ie(sdata, elems, band,
- 					   sta_flags, sdata->vif.addr,
- 					   &csa_ie);
- 	if (err < 0)
-diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
-index 189eef0..c9535a9 100644
---- a/net/mac80211/mlme.c
-+++ b/net/mac80211/mlme.c
-@@ -1001,7 +1001,7 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
- 
- 	current_band = cbss->channel->band;
- 	memset(&csa_ie, 0, sizeof(csa_ie));
--	res = ieee80211_parse_ch_switch_ie(sdata, elems, beacon, current_band,
-+	res = ieee80211_parse_ch_switch_ie(sdata, elems, current_band,
- 					   ifmgd->flags,
- 					   ifmgd->associated->bssid, &csa_ie);
- 	if (res	< 0)
-@@ -1086,7 +1086,8 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
- 		ieee80211_queue_work(&local->hw, &ifmgd->chswitch_work);
- 	else
- 		mod_timer(&ifmgd->chswitch_timer,
--			  TU_TO_EXP_TIME(csa_ie.count * cbss->beacon_interval));
-+			  TU_TO_EXP_TIME((csa_ie.count - 1) *
-+					 cbss->beacon_interval));
- }
- 
- static u32 ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata,
-diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
-index 3e57f96..095c160 100644
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -1679,11 +1679,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
- 	sc = le16_to_cpu(hdr->seq_ctrl);
- 	frag = sc & IEEE80211_SCTL_FRAG;
- 
--	if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
--		   is_multicast_ether_addr(hdr->addr1))) {
--		/* not fragmented */
-+	if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
-+		goto out;
-+
-+	if (is_multicast_ether_addr(hdr->addr1)) {
-+		rx->local->dot11MulticastReceivedFrameCount++;
- 		goto out;
- 	}
-+
- 	I802_DEBUG_INC(rx->local->rx_handlers_fragments);
- 
- 	if (skb_linearize(rx->skb))
-@@ -1776,10 +1779,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
-  out:
- 	if (rx->sta)
- 		rx->sta->rx_packets++;
--	if (is_multicast_ether_addr(hdr->addr1))
--		rx->local->dot11MulticastReceivedFrameCount++;
--	else
--		ieee80211_led_rx(rx->local);
-+	ieee80211_led_rx(rx->local);
- 	return RX_CONTINUE;
- }
- 
-diff --git a/net/mac80211/spectmgmt.c b/net/mac80211/spectmgmt.c
-index 6ab0090..efeba56 100644
---- a/net/mac80211/spectmgmt.c
-+++ b/net/mac80211/spectmgmt.c
-@@ -22,7 +22,7 @@
- #include "wme.h"
- 
- int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
--				 struct ieee802_11_elems *elems, bool beacon,
-+				 struct ieee802_11_elems *elems,
- 				 enum ieee80211_band current_band,
- 				 u32 sta_flags, u8 *bssid,
- 				 struct ieee80211_csa_ie *csa_ie)
-@@ -91,19 +91,13 @@ int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
- 		return -EINVAL;
- 	}
- 
--	if (!beacon && sec_chan_offs) {
-+	if (sec_chan_offs) {
- 		secondary_channel_offset = sec_chan_offs->sec_chan_offs;
--	} else if (beacon && ht_oper) {
--		secondary_channel_offset =
--			ht_oper->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET;
- 	} else if (!(sta_flags & IEEE80211_STA_DISABLE_HT)) {
--		/* If it's not a beacon, HT is enabled and the IE not present,
--		 * it's 20 MHz, 802.11-2012 8.5.2.6:
--		 *	This element [the Secondary Channel Offset Element] is
--		 *	present when switching to a 40 MHz channel. It may be
--		 *	present when switching to a 20 MHz channel (in which
--		 *	case the secondary channel offset is set to SCN).
--		 */
-+		/* If the secondary channel offset IE is not present,
-+		 * we can't know what's the post-CSA offset, so the
-+		 * best we can do is use 20MHz.
-+		*/
- 		secondary_channel_offset = IEEE80211_HT_PARAM_CHA_SEC_NONE;
- 	}
- 
-diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
-index de770ec..cf99377 100644
---- a/net/netfilter/ipset/ip_set_core.c
-+++ b/net/netfilter/ipset/ip_set_core.c
-@@ -636,7 +636,7 @@ ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index)
- 	struct ip_set *set;
- 	struct ip_set_net *inst = ip_set_pernet(net);
- 
--	if (index > inst->ip_set_max)
-+	if (index >= inst->ip_set_max)
- 		return IPSET_INVALID_ID;
- 
- 	nfnl_lock(NFNL_SUBSYS_IPSET);
-diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
-index a155d19..6ff12a1 100644
---- a/net/netfilter/nfnetlink_log.c
-+++ b/net/netfilter/nfnetlink_log.c
-@@ -45,7 +45,8 @@
- #define NFULNL_NLBUFSIZ_DEFAULT	NLMSG_GOODSIZE
- #define NFULNL_TIMEOUT_DEFAULT 	100	/* every second */
- #define NFULNL_QTHRESH_DEFAULT 	100	/* 100 packets */
--#define NFULNL_COPY_RANGE_MAX	0xFFFF	/* max packet size is limited by 16-bit struct nfattr nfa_len field */
-+/* max packet size is limited by 16-bit struct nfattr nfa_len field */
-+#define NFULNL_COPY_RANGE_MAX	(0xFFFF - NLA_HDRLEN)
- 
- #define PRINTR(x, args...)	do { if (net_ratelimit()) \
- 				     printk(x, ## args); } while (0);
-@@ -255,6 +256,8 @@ nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode,
- 
- 	case NFULNL_COPY_PACKET:
- 		inst->copy_mode = mode;
-+		if (range == 0)
-+			range = NFULNL_COPY_RANGE_MAX;
- 		inst->copy_range = min_t(unsigned int,
- 					 range, NFULNL_COPY_RANGE_MAX);
- 		break;
-@@ -346,26 +349,25 @@ nfulnl_alloc_skb(struct net *net, u32 peer_portid, unsigned int inst_size,
- 	return skb;
- }
- 
--static int
-+static void
- __nfulnl_send(struct nfulnl_instance *inst)
- {
--	int status = -1;
--
- 	if (inst->qlen > 1) {
- 		struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
- 						 NLMSG_DONE,
- 						 sizeof(struct nfgenmsg),
- 						 0);
--		if (!nlh)
-+		if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
-+			      inst->skb->len, skb_tailroom(inst->skb))) {
-+			kfree_skb(inst->skb);
- 			goto out;
-+		}
- 	}
--	status = nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid,
--				   MSG_DONTWAIT);
--
-+	nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid,
-+			  MSG_DONTWAIT);
-+out:
- 	inst->qlen = 0;
- 	inst->skb = NULL;
--out:
--	return status;
- }
- 
- static void
-@@ -652,7 +654,8 @@ nfulnl_log_packet(struct net *net,
- 		+ nla_total_size(sizeof(u_int32_t))	/* gid */
- 		+ nla_total_size(plen)			/* prefix */
- 		+ nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
--		+ nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp));
-+		+ nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp))
-+		+ nla_total_size(sizeof(struct nfgenmsg));	/* NLMSG_DONE */
- 
- 	if (in && skb_mac_header_was_set(skb)) {
- 		size +=   nla_total_size(skb->dev->hard_header_len)
-@@ -681,8 +684,7 @@ nfulnl_log_packet(struct net *net,
- 		break;
- 
- 	case NFULNL_COPY_PACKET:
--		if (inst->copy_range == 0
--		    || inst->copy_range > skb->len)
-+		if (inst->copy_range > skb->len)
- 			data_len = skb->len;
- 		else
- 			data_len = inst->copy_range;
-@@ -695,8 +697,7 @@ nfulnl_log_packet(struct net *net,
- 		goto unlock_and_release;
- 	}
- 
--	if (inst->skb &&
--	    size > skb_tailroom(inst->skb) - sizeof(struct nfgenmsg)) {
-+	if (inst->skb && size > skb_tailroom(inst->skb)) {
- 		/* either the queue len is too high or we don't have
- 		 * enough room in the skb left. flush to userspace. */
- 		__nfulnl_flush(inst);
-diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
-index 82cb823..ad97961 100644
---- a/net/netfilter/nft_compat.c
-+++ b/net/netfilter/nft_compat.c
-@@ -678,7 +678,7 @@ nft_target_select_ops(const struct nft_ctx *ctx,
- 	family = ctx->afi->family;
- 
- 	/* Re-use the existing target if it's already loaded. */
--	list_for_each_entry(nft_target, &nft_match_list, head) {
-+	list_for_each_entry(nft_target, &nft_target_list, head) {
- 		struct xt_target *target = nft_target->ops.data;
- 
- 		if (strcmp(target->name, tg_name) == 0 &&
-diff --git a/net/sctp/associola.c b/net/sctp/associola.c
-index 5d97d8f..d477d47 100644
---- a/net/sctp/associola.c
-+++ b/net/sctp/associola.c
-@@ -1627,6 +1627,8 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack(
- 	 * ack chunk whose serial number matches that of the request.
- 	 */
- 	list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) {
-+		if (sctp_chunk_pending(ack))
-+			continue;
- 		if (ack->subh.addip_hdr->serial == serial) {
- 			sctp_chunk_hold(ack);
- 			return ack;
-diff --git a/net/sctp/auth.c b/net/sctp/auth.c
-index 0e85291..fb7976a 100644
---- a/net/sctp/auth.c
-+++ b/net/sctp/auth.c
-@@ -862,8 +862,6 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
- 		list_add(&cur_key->key_list, sh_keys);
- 
- 	cur_key->key = key;
--	sctp_auth_key_hold(key);
--
- 	return 0;
- nomem:
- 	if (!replace)
-diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
-index 4de12af..7e8a16c 100644
---- a/net/sctp/inqueue.c
-+++ b/net/sctp/inqueue.c
-@@ -140,18 +140,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
- 		} else {
- 			/* Nothing to do. Next chunk in the packet, please. */
- 			ch = (sctp_chunkhdr_t *) chunk->chunk_end;
--
- 			/* Force chunk->skb->data to chunk->chunk_end.  */
--			skb_pull(chunk->skb,
--				 chunk->chunk_end - chunk->skb->data);
--
--			/* Verify that we have at least chunk headers
--			 * worth of buffer left.
--			 */
--			if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
--				sctp_chunk_free(chunk);
--				chunk = queue->in_progress = NULL;
--			}
-+			skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data);
-+			/* We are guaranteed to pull a SCTP header. */
- 		}
- 	}
- 
-@@ -187,24 +178,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
- 	skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
- 	chunk->subh.v = NULL; /* Subheader is no longer valid.  */
- 
--	if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
-+	if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <
-+	    skb_tail_pointer(chunk->skb)) {
- 		/* This is not a singleton */
- 		chunk->singleton = 0;
- 	} else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
--		/* RFC 2960, Section 6.10  Bundling
--		 *
--		 * Partial chunks MUST NOT be placed in an SCTP packet.
--		 * If the receiver detects a partial chunk, it MUST drop
--		 * the chunk.
--		 *
--		 * Since the end of the chunk is past the end of our buffer
--		 * (which contains the whole packet, we can freely discard
--		 * the whole packet.
--		 */
--		sctp_chunk_free(chunk);
--		chunk = queue->in_progress = NULL;
--
--		return NULL;
-+		/* Discard inside state machine. */
-+		chunk->pdiscard = 1;
-+		chunk->chunk_end = skb_tail_pointer(chunk->skb);
- 	} else {
- 		/* We are at the end of the packet, so mark the chunk
- 		 * in case we need to send a SACK.
-diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
-index fee5552..43abb64 100644
---- a/net/sctp/sm_make_chunk.c
-+++ b/net/sctp/sm_make_chunk.c
-@@ -2609,6 +2609,9 @@ do_addr_param:
- 		addr_param = param.v + sizeof(sctp_addip_param_t);
- 
- 		af = sctp_get_af_specific(param_type2af(param.p->type));
-+		if (af == NULL)
-+			break;
-+
- 		af->from_addr_param(&addr, addr_param,
- 				    htons(asoc->peer.port), 0);
- 
-@@ -3110,50 +3113,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
- 	return SCTP_ERROR_NO_ERROR;
- }
- 
--/* Verify the ASCONF packet before we process it.  */
--int sctp_verify_asconf(const struct sctp_association *asoc,
--		       struct sctp_paramhdr *param_hdr, void *chunk_end,
--		       struct sctp_paramhdr **errp) {
--	sctp_addip_param_t *asconf_param;
-+/* Verify the ASCONF packet before we process it. */
-+bool sctp_verify_asconf(const struct sctp_association *asoc,
-+			struct sctp_chunk *chunk, bool addr_param_needed,
-+			struct sctp_paramhdr **errp)
-+{
-+	sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr;
- 	union sctp_params param;
--	int length, plen;
-+	bool addr_param_seen = false;
- 
--	param.v = (sctp_paramhdr_t *) param_hdr;
--	while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) {
--		length = ntohs(param.p->length);
--		*errp = param.p;
--
--		if (param.v > chunk_end - length ||
--		    length < sizeof(sctp_paramhdr_t))
--			return 0;
-+	sctp_walk_params(param, addip, addip_hdr.params) {
-+		size_t length = ntohs(param.p->length);
- 
-+		*errp = param.p;
- 		switch (param.p->type) {
-+		case SCTP_PARAM_ERR_CAUSE:
-+			break;
-+		case SCTP_PARAM_IPV4_ADDRESS:
-+			if (length != sizeof(sctp_ipv4addr_param_t))
-+				return false;
-+			addr_param_seen = true;
-+			break;
-+		case SCTP_PARAM_IPV6_ADDRESS:
-+			if (length != sizeof(sctp_ipv6addr_param_t))
-+				return false;
-+			addr_param_seen = true;
-+			break;
- 		case SCTP_PARAM_ADD_IP:
- 		case SCTP_PARAM_DEL_IP:
- 		case SCTP_PARAM_SET_PRIMARY:
--			asconf_param = (sctp_addip_param_t *)param.v;
--			plen = ntohs(asconf_param->param_hdr.length);
--			if (plen < sizeof(sctp_addip_param_t) +
--			    sizeof(sctp_paramhdr_t))
--				return 0;
-+			/* In ASCONF chunks, these need to be first. */
-+			if (addr_param_needed && !addr_param_seen)
-+				return false;
-+			length = ntohs(param.addip->param_hdr.length);
-+			if (length < sizeof(sctp_addip_param_t) +
-+				     sizeof(sctp_paramhdr_t))
-+				return false;
- 			break;
- 		case SCTP_PARAM_SUCCESS_REPORT:
- 		case SCTP_PARAM_ADAPTATION_LAYER_IND:
- 			if (length != sizeof(sctp_addip_param_t))
--				return 0;
--
-+				return false;
- 			break;
- 		default:
--			break;
-+			/* This is unkown to us, reject! */
-+			return false;
- 		}
--
--		param.v += WORD_ROUND(length);
- 	}
- 
--	if (param.v != chunk_end)
--		return 0;
-+	/* Remaining sanity checks. */
-+	if (addr_param_needed && !addr_param_seen)
-+		return false;
-+	if (!addr_param_needed && addr_param_seen)
-+		return false;
-+	if (param.v != chunk->chunk_end)
-+		return false;
- 
--	return 1;
-+	return true;
- }
- 
- /* Process an incoming ASCONF chunk with the next expected serial no. and
-@@ -3162,16 +3178,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc,
- struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
- 				       struct sctp_chunk *asconf)
- {
-+	sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr;
-+	bool all_param_pass = true;
-+	union sctp_params param;
- 	sctp_addiphdr_t		*hdr;
- 	union sctp_addr_param	*addr_param;
- 	sctp_addip_param_t	*asconf_param;
- 	struct sctp_chunk	*asconf_ack;
--
- 	__be16	err_code;
- 	int	length = 0;
- 	int	chunk_len;
- 	__u32	serial;
--	int	all_param_pass = 1;
- 
- 	chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
- 	hdr = (sctp_addiphdr_t *)asconf->skb->data;
-@@ -3199,9 +3216,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
- 		goto done;
- 
- 	/* Process the TLVs contained within the ASCONF chunk. */
--	while (chunk_len > 0) {
-+	sctp_walk_params(param, addip, addip_hdr.params) {
-+		/* Skip preceeding address parameters. */
-+		if (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
-+		    param.p->type == SCTP_PARAM_IPV6_ADDRESS)
-+			continue;
-+
- 		err_code = sctp_process_asconf_param(asoc, asconf,
--						     asconf_param);
-+						     param.addip);
- 		/* ADDIP 4.1 A7)
- 		 * If an error response is received for a TLV parameter,
- 		 * all TLVs with no response before the failed TLV are
-@@ -3209,28 +3231,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
- 		 * the failed response are considered unsuccessful unless
- 		 * a specific success indication is present for the parameter.
- 		 */
--		if (SCTP_ERROR_NO_ERROR != err_code)
--			all_param_pass = 0;
--
-+		if (err_code != SCTP_ERROR_NO_ERROR)
-+			all_param_pass = false;
- 		if (!all_param_pass)
--			sctp_add_asconf_response(asconf_ack,
--						 asconf_param->crr_id, err_code,
--						 asconf_param);
-+			sctp_add_asconf_response(asconf_ack, param.addip->crr_id,
-+						 err_code, param.addip);
- 
- 		/* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add
- 		 * an IP address sends an 'Out of Resource' in its response, it
- 		 * MUST also fail any subsequent add or delete requests bundled
- 		 * in the ASCONF.
- 		 */
--		if (SCTP_ERROR_RSRC_LOW == err_code)
-+		if (err_code == SCTP_ERROR_RSRC_LOW)
- 			goto done;
--
--		/* Move to the next ASCONF param. */
--		length = ntohs(asconf_param->param_hdr.length);
--		asconf_param = (void *)asconf_param + length;
--		chunk_len -= length;
- 	}
--
- done:
- 	asoc->peer.addip_serial++;
- 
-diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
-index 7194fe85..3e287a3 100644
---- a/net/sctp/sm_statefuns.c
-+++ b/net/sctp/sm_statefuns.c
-@@ -170,6 +170,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk,
- {
- 	__u16 chunk_length = ntohs(chunk->chunk_hdr->length);
- 
-+	/* Previously already marked? */
-+	if (unlikely(chunk->pdiscard))
-+		return 0;
- 	if (unlikely(chunk_length < required_length))
- 		return 0;
- 
-@@ -3591,9 +3594,7 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
- 	struct sctp_chunk	*asconf_ack = NULL;
- 	struct sctp_paramhdr	*err_param = NULL;
- 	sctp_addiphdr_t		*hdr;
--	union sctp_addr_param	*addr_param;
- 	__u32			serial;
--	int			length;
- 
- 	if (!sctp_vtag_verify(chunk, asoc)) {
- 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
-@@ -3618,17 +3619,8 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
- 	hdr = (sctp_addiphdr_t *)chunk->skb->data;
- 	serial = ntohl(hdr->serial);
- 
--	addr_param = (union sctp_addr_param *)hdr->params;
--	length = ntohs(addr_param->p.length);
--	if (length < sizeof(sctp_paramhdr_t))
--		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
--			   (void *)addr_param, commands);
--
- 	/* Verify the ASCONF chunk before processing it. */
--	if (!sctp_verify_asconf(asoc,
--			    (sctp_paramhdr_t *)((void *)addr_param + length),
--			    (void *)chunk->chunk_end,
--			    &err_param))
-+	if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
- 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
- 						  (void *)err_param, commands);
- 
-@@ -3745,10 +3737,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net,
- 	rcvd_serial = ntohl(addip_hdr->serial);
- 
- 	/* Verify the ASCONF-ACK chunk before processing it. */
--	if (!sctp_verify_asconf(asoc,
--	    (sctp_paramhdr_t *)addip_hdr->params,
--	    (void *)asconf_ack->chunk_end,
--	    &err_param))
-+	if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
- 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
- 			   (void *)err_param, commands);
- 
-diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
-index f4b12c2..5a723df 100644
---- a/sound/usb/mixer_quirks.c
-+++ b/sound/usb/mixer_quirks.c
-@@ -885,6 +885,11 @@ static int snd_ftu_eff_switch_put(struct snd_kcontrol *kctl,
- 	return changed;
- }
- 
-+static void kctl_private_value_free(struct snd_kcontrol *kctl)
-+{
-+	kfree((void *)kctl->private_value);
-+}
-+
- static int snd_ftu_create_effect_switch(struct usb_mixer_interface *mixer,
- 	int validx, int bUnitID)
- {
-@@ -919,6 +924,7 @@ static int snd_ftu_create_effect_switch(struct usb_mixer_interface *mixer,
- 		return -ENOMEM;
- 	}
- 
-+	kctl->private_free = kctl_private_value_free;
- 	err = snd_ctl_add(mixer->chip->card, kctl);
- 	if (err < 0)
- 		return err;
diff --git a/3.14.26/1025_linux-3.14.26.patch b/3.14.26/1025_linux-3.14.26.patch
deleted file mode 100644
index 275454e..0000000
--- a/3.14.26/1025_linux-3.14.26.patch
+++ /dev/null
@@ -1,2603 +0,0 @@
-diff --git a/Documentation/devicetree/bindings/interrupt-controller/interrupts.txt b/Documentation/devicetree/bindings/interrupt-controller/interrupts.txt
-index ce6a1a0..8a3c408 100644
---- a/Documentation/devicetree/bindings/interrupt-controller/interrupts.txt
-+++ b/Documentation/devicetree/bindings/interrupt-controller/interrupts.txt
-@@ -30,10 +30,6 @@ should only be used when a device has multiple interrupt parents.
-   Example:
- 	interrupts-extended = <&intc1 5 1>, <&intc2 1 0>;
- 
--A device node may contain either "interrupts" or "interrupts-extended", but not
--both. If both properties are present, then the operating system should log an
--error and use only the data in "interrupts".
--
- 2) Interrupt controller nodes
- -----------------------------
- 
-diff --git a/Makefile b/Makefile
-index eb96e40..63a5ee8 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 3
- PATCHLEVEL = 14
--SUBLEVEL = 25
-+SUBLEVEL = 26
- EXTRAVERSION =
- NAME = Remembering Coco
- 
-diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
-index 71a06b2..3e635ee 100644
---- a/arch/arm/include/asm/thread_info.h
-+++ b/arch/arm/include/asm/thread_info.h
-@@ -43,16 +43,6 @@ struct cpu_context_save {
- 	__u32	extra[2];		/* Xscale 'acc' register, etc */
- };
- 
--struct arm_restart_block {
--	union {
--		/* For user cache flushing */
--		struct {
--			unsigned long start;
--			unsigned long end;
--		} cache;
--	};
--};
--
- /*
-  * low level task data that entry.S needs immediate access to.
-  * __switch_to() assumes cpu_context follows immediately after cpu_domain.
-@@ -78,7 +68,6 @@ struct thread_info {
- 	unsigned long		thumbee_state;	/* ThumbEE Handler Base register */
- #endif
- 	struct restart_block	restart_block;
--	struct arm_restart_block	arm_restart_block;
- };
- 
- #define INIT_THREAD_INFO(tsk)						\
-diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
-index 9265b8b..3f31443 100644
---- a/arch/arm/kernel/traps.c
-+++ b/arch/arm/kernel/traps.c
-@@ -510,8 +510,6 @@ static int bad_syscall(int n, struct pt_regs *regs)
- 	return regs->ARM_r0;
- }
- 
--static long do_cache_op_restart(struct restart_block *);
--
- static inline int
- __do_cache_op(unsigned long start, unsigned long end)
- {
-@@ -520,24 +518,8 @@ __do_cache_op(unsigned long start, unsigned long end)
- 	do {
- 		unsigned long chunk = min(PAGE_SIZE, end - start);
- 
--		if (signal_pending(current)) {
--			struct thread_info *ti = current_thread_info();
--
--			ti->restart_block = (struct restart_block) {
--				.fn	= do_cache_op_restart,
--			};
--
--			ti->arm_restart_block = (struct arm_restart_block) {
--				{
--					.cache = {
--						.start	= start,
--						.end	= end,
--					},
--				},
--			};
--
--			return -ERESTART_RESTARTBLOCK;
--		}
-+		if (fatal_signal_pending(current))
-+			return 0;
- 
- 		ret = flush_cache_user_range(start, start + chunk);
- 		if (ret)
-@@ -550,15 +532,6 @@ __do_cache_op(unsigned long start, unsigned long end)
- 	return 0;
- }
- 
--static long do_cache_op_restart(struct restart_block *unused)
--{
--	struct arm_restart_block *restart_block;
--
--	restart_block = &current_thread_info()->arm_restart_block;
--	return __do_cache_op(restart_block->cache.start,
--			     restart_block->cache.end);
--}
--
- static inline int
- do_cache_op(unsigned long start, unsigned long end, int flags)
- {
-diff --git a/arch/arm/mm/proc-v7.S b/arch/arm/mm/proc-v7.S
-index 74f6033..fdedc31 100644
---- a/arch/arm/mm/proc-v7.S
-+++ b/arch/arm/mm/proc-v7.S
-@@ -211,7 +211,6 @@ __v7_pj4b_setup:
- /* Auxiliary Debug Modes Control 1 Register */
- #define PJ4B_STATIC_BP (1 << 2) /* Enable Static BP */
- #define PJ4B_INTER_PARITY (1 << 8) /* Disable Internal Parity Handling */
--#define PJ4B_BCK_OFF_STREX (1 << 5) /* Enable the back off of STREX instr */
- #define PJ4B_CLEAN_LINE (1 << 16) /* Disable data transfer for clean line */
- 
- /* Auxiliary Debug Modes Control 2 Register */
-@@ -234,7 +233,6 @@ __v7_pj4b_setup:
- 	/* Auxiliary Debug Modes Control 1 Register */
- 	mrc	p15, 1,	r0, c15, c1, 1
- 	orr     r0, r0, #PJ4B_CLEAN_LINE
--	orr     r0, r0, #PJ4B_BCK_OFF_STREX
- 	orr     r0, r0, #PJ4B_INTER_PARITY
- 	bic	r0, r0, #PJ4B_STATIC_BP
- 	mcr	p15, 1,	r0, c15, c1, 1
-diff --git a/arch/arm/mm/proc-xscale.S b/arch/arm/mm/proc-xscale.S
-index d19b1cf..b34b95f 100644
---- a/arch/arm/mm/proc-xscale.S
-+++ b/arch/arm/mm/proc-xscale.S
-@@ -535,7 +535,7 @@ ENTRY(cpu_xscale_do_suspend)
- 	mrc	p15, 0, r5, c15, c1, 0	@ CP access reg
- 	mrc	p15, 0, r6, c13, c0, 0	@ PID
- 	mrc	p15, 0, r7, c3, c0, 0	@ domain ID
--	mrc	p15, 0, r8, c1, c1, 0	@ auxiliary control reg
-+	mrc	p15, 0, r8, c1, c0, 1	@ auxiliary control reg
- 	mrc	p15, 0, r9, c1, c0, 0	@ control reg
- 	bic	r4, r4, #2		@ clear frequency change bit
- 	stmia	r0, {r4 - r9}		@ store cp regs
-@@ -552,7 +552,7 @@ ENTRY(cpu_xscale_do_resume)
- 	mcr	p15, 0, r6, c13, c0, 0	@ PID
- 	mcr	p15, 0, r7, c3, c0, 0	@ domain ID
- 	mcr	p15, 0, r1, c2, c0, 0	@ translation table base addr
--	mcr	p15, 0, r8, c1, c1, 0	@ auxiliary control reg
-+	mcr	p15, 0, r8, c1, c0, 1	@ auxiliary control reg
- 	mov	r0, r9			@ control register
- 	b	cpu_resume_mmu
- ENDPROC(cpu_xscale_do_resume)
-diff --git a/arch/mips/loongson/common/Makefile b/arch/mips/loongson/common/Makefile
-index 9e4484c..9005a8d6 100644
---- a/arch/mips/loongson/common/Makefile
-+++ b/arch/mips/loongson/common/Makefile
-@@ -11,7 +11,8 @@ obj-$(CONFIG_PCI) += pci.o
- # Serial port support
- #
- obj-$(CONFIG_EARLY_PRINTK) += early_printk.o
--obj-$(CONFIG_SERIAL_8250) += serial.o
-+loongson-serial-$(CONFIG_SERIAL_8250) := serial.o
-+obj-y += $(loongson-serial-m) $(loongson-serial-y)
- obj-$(CONFIG_LOONGSON_UART_BASE) += uart_base.o
- obj-$(CONFIG_LOONGSON_MC146818) += rtc.o
- 
-diff --git a/arch/mips/oprofile/backtrace.c b/arch/mips/oprofile/backtrace.c
-index 6854ed5..83a1dfd 100644
---- a/arch/mips/oprofile/backtrace.c
-+++ b/arch/mips/oprofile/backtrace.c
-@@ -92,7 +92,7 @@ static inline int unwind_user_frame(struct stackframe *old_frame,
- 				/* This marks the end of the previous function,
- 				   which means we overran. */
- 				break;
--			stack_size = (unsigned) stack_adjustment;
-+			stack_size = (unsigned long) stack_adjustment;
- 		} else if (is_ra_save_ins(&ip)) {
- 			int ra_slot = ip.i_format.simmediate;
- 			if (ra_slot < 0)
-diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c
-index beedaf0..d558b85 100644
---- a/arch/powerpc/platforms/powernv/pci-ioda.c
-+++ b/arch/powerpc/platforms/powernv/pci-ioda.c
-@@ -902,7 +902,6 @@ static int pnv_pci_ioda_msi_setup(struct pnv_phb *phb, struct pci_dev *dev,
- 				  unsigned int is_64, struct msi_msg *msg)
- {
- 	struct pnv_ioda_pe *pe = pnv_ioda_get_pe(dev);
--	struct pci_dn *pdn = pci_get_pdn(dev);
- 	struct irq_data *idata;
- 	struct irq_chip *ichip;
- 	unsigned int xive_num = hwirq - phb->msi_base;
-@@ -918,7 +917,7 @@ static int pnv_pci_ioda_msi_setup(struct pnv_phb *phb, struct pci_dev *dev,
- 		return -ENXIO;
- 
- 	/* Force 32-bit MSI on some broken devices */
--	if (pdn && pdn->force_32bit_msi)
-+	if (dev->no_64bit_msi)
- 		is_64 = 0;
- 
- 	/* Assign XIVE to PE */
-diff --git a/arch/powerpc/platforms/powernv/pci.c b/arch/powerpc/platforms/powernv/pci.c
-index 8518817..52c1162 100644
---- a/arch/powerpc/platforms/powernv/pci.c
-+++ b/arch/powerpc/platforms/powernv/pci.c
-@@ -1,3 +1,4 @@
-+
- /*
-  * Support PCI/PCIe on PowerNV platforms
-  *
-@@ -50,9 +51,8 @@ static int pnv_msi_check_device(struct pci_dev* pdev, int nvec, int type)
- {
- 	struct pci_controller *hose = pci_bus_to_host(pdev->bus);
- 	struct pnv_phb *phb = hose->private_data;
--	struct pci_dn *pdn = pci_get_pdn(pdev);
- 
--	if (pdn && pdn->force_32bit_msi && !phb->msi32_support)
-+	if (pdev->no_64bit_msi && !phb->msi32_support)
- 		return -ENODEV;
- 
- 	return (phb && phb->msi_bmp.bitmap) ? 0 : -ENODEV;
-diff --git a/arch/powerpc/platforms/pseries/msi.c b/arch/powerpc/platforms/pseries/msi.c
-index 0c882e8..6849d85 100644
---- a/arch/powerpc/platforms/pseries/msi.c
-+++ b/arch/powerpc/platforms/pseries/msi.c
-@@ -428,7 +428,7 @@ static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type)
- 	 */
- again:
- 	if (type == PCI_CAP_ID_MSI) {
--		if (pdn->force_32bit_msi) {
-+		if (pdev->no_64bit_msi) {
- 			rc = rtas_change_msi(pdn, RTAS_CHANGE_32MSI_FN, nvec);
- 			if (rc < 0) {
- 				/*
-diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
-index b079098..bc5fbc2 100644
---- a/arch/powerpc/xmon/xmon.c
-+++ b/arch/powerpc/xmon/xmon.c
-@@ -288,10 +288,10 @@ static inline void disable_surveillance(void)
- 	args.token = rtas_token("set-indicator");
- 	if (args.token == RTAS_UNKNOWN_SERVICE)
- 		return;
--	args.nargs = 3;
--	args.nret = 1;
-+	args.nargs = cpu_to_be32(3);
-+	args.nret = cpu_to_be32(1);
- 	args.rets = &args.args[3];
--	args.args[0] = SURVEILLANCE_TOKEN;
-+	args.args[0] = cpu_to_be32(SURVEILLANCE_TOKEN);
- 	args.args[1] = 0;
- 	args.args[2] = 0;
- 	enter_rtas(__pa(&args));
-diff --git a/arch/sparc/include/uapi/asm/swab.h b/arch/sparc/include/uapi/asm/swab.h
-index a34ad07..4c7c12d 100644
---- a/arch/sparc/include/uapi/asm/swab.h
-+++ b/arch/sparc/include/uapi/asm/swab.h
-@@ -9,9 +9,9 @@ static inline __u16 __arch_swab16p(const __u16 *addr)
- {
- 	__u16 ret;
- 
--	__asm__ __volatile__ ("lduha [%1] %2, %0"
-+	__asm__ __volatile__ ("lduha [%2] %3, %0"
- 			      : "=r" (ret)
--			      : "r" (addr), "i" (ASI_PL));
-+			      : "m" (*addr), "r" (addr), "i" (ASI_PL));
- 	return ret;
- }
- #define __arch_swab16p __arch_swab16p
-@@ -20,9 +20,9 @@ static inline __u32 __arch_swab32p(const __u32 *addr)
- {
- 	__u32 ret;
- 
--	__asm__ __volatile__ ("lduwa [%1] %2, %0"
-+	__asm__ __volatile__ ("lduwa [%2] %3, %0"
- 			      : "=r" (ret)
--			      : "r" (addr), "i" (ASI_PL));
-+			      : "m" (*addr), "r" (addr), "i" (ASI_PL));
- 	return ret;
- }
- #define __arch_swab32p __arch_swab32p
-@@ -31,9 +31,9 @@ static inline __u64 __arch_swab64p(const __u64 *addr)
- {
- 	__u64 ret;
- 
--	__asm__ __volatile__ ("ldxa [%1] %2, %0"
-+	__asm__ __volatile__ ("ldxa [%2] %3, %0"
- 			      : "=r" (ret)
--			      : "r" (addr), "i" (ASI_PL));
-+			      : "m" (*addr), "r" (addr), "i" (ASI_PL));
- 	return ret;
- }
- #define __arch_swab64p __arch_swab64p
-diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
-index 5f12968..1717156 100644
---- a/arch/x86/include/asm/cpufeature.h
-+++ b/arch/x86/include/asm/cpufeature.h
-@@ -203,6 +203,7 @@
- #define X86_FEATURE_DECODEASSISTS (8*32+12) /* AMD Decode Assists support */
- #define X86_FEATURE_PAUSEFILTER (8*32+13) /* AMD filtered pause intercept */
- #define X86_FEATURE_PFTHRESHOLD (8*32+14) /* AMD pause filter threshold */
-+#define X86_FEATURE_VMMCALL	(8*32+15) /* Prefer vmmcall to vmcall */
- 
- 
- /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
-diff --git a/arch/x86/include/asm/kvm_para.h b/arch/x86/include/asm/kvm_para.h
-index c7678e4..e62cf89 100644
---- a/arch/x86/include/asm/kvm_para.h
-+++ b/arch/x86/include/asm/kvm_para.h
-@@ -2,6 +2,7 @@
- #define _ASM_X86_KVM_PARA_H
- 
- #include <asm/processor.h>
-+#include <asm/alternative.h>
- #include <uapi/asm/kvm_para.h>
- 
- extern void kvmclock_init(void);
-@@ -16,10 +17,15 @@ static inline bool kvm_check_and_clear_guest_paused(void)
- }
- #endif /* CONFIG_KVM_GUEST */
- 
--/* This instruction is vmcall.  On non-VT architectures, it will generate a
-- * trap that we will then rewrite to the appropriate instruction.
-+#ifdef CONFIG_DEBUG_RODATA
-+#define KVM_HYPERCALL \
-+        ALTERNATIVE(".byte 0x0f,0x01,0xc1", ".byte 0x0f,0x01,0xd9", X86_FEATURE_VMMCALL)
-+#else
-+/* On AMD processors, vmcall will generate a trap that we will
-+ * then rewrite to the appropriate instruction.
-  */
- #define KVM_HYPERCALL ".byte 0x0f,0x01,0xc1"
-+#endif
- 
- /* For KVM hypercalls, a three-byte sequence of either the vmcall or the vmmcall
-  * instruction.  The hypervisor may replace it with something else but only the
-diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h
-index f48b17d..3a52ee0 100644
---- a/arch/x86/include/asm/page_32_types.h
-+++ b/arch/x86/include/asm/page_32_types.h
-@@ -20,7 +20,6 @@
- #define THREAD_SIZE_ORDER	1
- #define THREAD_SIZE		(PAGE_SIZE << THREAD_SIZE_ORDER)
- 
--#define STACKFAULT_STACK 0
- #define DOUBLEFAULT_STACK 1
- #define NMI_STACK 0
- #define DEBUG_STACK 0
-diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h
-index 8de6d9c..d54d1ee 100644
---- a/arch/x86/include/asm/page_64_types.h
-+++ b/arch/x86/include/asm/page_64_types.h
-@@ -14,12 +14,11 @@
- #define IRQ_STACK_ORDER 2
- #define IRQ_STACK_SIZE (PAGE_SIZE << IRQ_STACK_ORDER)
- 
--#define STACKFAULT_STACK 1
--#define DOUBLEFAULT_STACK 2
--#define NMI_STACK 3
--#define DEBUG_STACK 4
--#define MCE_STACK 5
--#define N_EXCEPTION_STACKS 5  /* hw limit: 7 */
-+#define DOUBLEFAULT_STACK 1
-+#define NMI_STACK 2
-+#define DEBUG_STACK 3
-+#define MCE_STACK 4
-+#define N_EXCEPTION_STACKS 4  /* hw limit: 7 */
- 
- #define PUD_PAGE_SIZE		(_AC(1, UL) << PUD_SHIFT)
- #define PUD_PAGE_MASK		(~(PUD_PAGE_SIZE-1))
-diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
-index e1940c0..e870ea9 100644
---- a/arch/x86/include/asm/thread_info.h
-+++ b/arch/x86/include/asm/thread_info.h
-@@ -144,7 +144,7 @@ struct thread_info {
- /* Only used for 64 bit */
- #define _TIF_DO_NOTIFY_MASK						\
- 	(_TIF_SIGPENDING | _TIF_MCE_NOTIFY | _TIF_NOTIFY_RESUME |	\
--	 _TIF_USER_RETURN_NOTIFY)
-+	 _TIF_USER_RETURN_NOTIFY | _TIF_UPROBE)
- 
- /* flags to check in __switch_to() */
- #define _TIF_WORK_CTXSW							\
-diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h
-index 58d66fe..b409b17 100644
---- a/arch/x86/include/asm/traps.h
-+++ b/arch/x86/include/asm/traps.h
-@@ -39,6 +39,7 @@ asmlinkage void simd_coprocessor_error(void);
- 
- #ifdef CONFIG_TRACING
- asmlinkage void trace_page_fault(void);
-+#define trace_stack_segment stack_segment
- #define trace_divide_error divide_error
- #define trace_bounds bounds
- #define trace_invalid_op invalid_op
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index c67ffa6..c005fdd 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -508,6 +508,13 @@ static void early_init_amd(struct cpuinfo_x86 *c)
- 	}
- #endif
- 
-+	/*
-+	 * This is only needed to tell the kernel whether to use VMCALL
-+	 * and VMMCALL.  VMMCALL is never executed except under virt, so
-+	 * we can set it unconditionally.
-+	 */
-+	set_cpu_cap(c, X86_FEATURE_VMMCALL);
-+
- 	/* F16h erratum 793, CVE-2013-6885 */
- 	if (c->x86 == 0x16 && c->x86_model <= 0xf) {
- 		u64 val;
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 3f27f5f..e6bddd5 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -144,6 +144,8 @@ EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
- 
- static int __init x86_xsave_setup(char *s)
- {
-+	if (strlen(s))
-+		return 0;
- 	setup_clear_cpu_cap(X86_FEATURE_XSAVE);
- 	setup_clear_cpu_cap(X86_FEATURE_XSAVEOPT);
- 	setup_clear_cpu_cap(X86_FEATURE_AVX);
-diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
-index addb207..66e274a 100644
---- a/arch/x86/kernel/dumpstack_64.c
-+++ b/arch/x86/kernel/dumpstack_64.c
-@@ -24,7 +24,6 @@ static char x86_stack_ids[][8] = {
- 		[ DEBUG_STACK-1			]	= "#DB",
- 		[ NMI_STACK-1			]	= "NMI",
- 		[ DOUBLEFAULT_STACK-1		]	= "#DF",
--		[ STACKFAULT_STACK-1		]	= "#SS",
- 		[ MCE_STACK-1			]	= "#MC",
- #if DEBUG_STKSZ > EXCEPTION_STKSZ
- 		[ N_EXCEPTION_STACKS ...
-diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 03cd2a8..02553d6 100644
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1053,9 +1053,15 @@ ENTRY(native_iret)
- 	jnz native_irq_return_ldt
- #endif
- 
-+.global native_irq_return_iret
- native_irq_return_iret:
-+	/*
-+	 * This may fault.  Non-paranoid faults on return to userspace are
-+	 * handled by fixup_bad_iret.  These include #SS, #GP, and #NP.
-+	 * Double-faults due to espfix64 are handled in do_double_fault.
-+	 * Other faults here are fatal.
-+	 */
- 	iretq
--	_ASM_EXTABLE(native_irq_return_iret, bad_iret)
- 
- #ifdef CONFIG_X86_ESPFIX64
- native_irq_return_ldt:
-@@ -1083,25 +1089,6 @@ native_irq_return_ldt:
- 	jmp native_irq_return_iret
- #endif
- 
--	.section .fixup,"ax"
--bad_iret:
--	/*
--	 * The iret traps when the %cs or %ss being restored is bogus.
--	 * We've lost the original trap vector and error code.
--	 * #GPF is the most likely one to get for an invalid selector.
--	 * So pretend we completed the iret and took the #GPF in user mode.
--	 *
--	 * We are now running with the kernel GS after exception recovery.
--	 * But error_entry expects us to have user GS to match the user %cs,
--	 * so swap back.
--	 */
--	pushq $0
--
--	SWAPGS
--	jmp general_protection
--
--	.previous
--
- 	/* edi: workmask, edx: work */
- retint_careful:
- 	CFI_RESTORE_STATE
-@@ -1147,37 +1134,6 @@ ENTRY(retint_kernel)
- 	CFI_ENDPROC
- END(common_interrupt)
- 
--	/*
--	 * If IRET takes a fault on the espfix stack, then we
--	 * end up promoting it to a doublefault.  In that case,
--	 * modify the stack to make it look like we just entered
--	 * the #GP handler from user space, similar to bad_iret.
--	 */
--#ifdef CONFIG_X86_ESPFIX64
--	ALIGN
--__do_double_fault:
--	XCPT_FRAME 1 RDI+8
--	movq RSP(%rdi),%rax		/* Trap on the espfix stack? */
--	sarq $PGDIR_SHIFT,%rax
--	cmpl $ESPFIX_PGD_ENTRY,%eax
--	jne do_double_fault		/* No, just deliver the fault */
--	cmpl $__KERNEL_CS,CS(%rdi)
--	jne do_double_fault
--	movq RIP(%rdi),%rax
--	cmpq $native_irq_return_iret,%rax
--	jne do_double_fault		/* This shouldn't happen... */
--	movq PER_CPU_VAR(kernel_stack),%rax
--	subq $(6*8-KERNEL_STACK_OFFSET),%rax	/* Reset to original stack */
--	movq %rax,RSP(%rdi)
--	movq $0,(%rax)			/* Missing (lost) #GP error code */
--	movq $general_protection,RIP(%rdi)
--	retq
--	CFI_ENDPROC
--END(__do_double_fault)
--#else
--# define __do_double_fault do_double_fault
--#endif
--
- /*
-  * End of kprobes section
-  */
-@@ -1379,7 +1335,7 @@ zeroentry overflow do_overflow
- zeroentry bounds do_bounds
- zeroentry invalid_op do_invalid_op
- zeroentry device_not_available do_device_not_available
--paranoiderrorentry double_fault __do_double_fault
-+paranoiderrorentry double_fault do_double_fault
- zeroentry coprocessor_segment_overrun do_coprocessor_segment_overrun
- errorentry invalid_TSS do_invalid_TSS
- errorentry segment_not_present do_segment_not_present
-@@ -1549,7 +1505,7 @@ apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
- 
- paranoidzeroentry_ist debug do_debug DEBUG_STACK
- paranoidzeroentry_ist int3 do_int3 DEBUG_STACK
--paranoiderrorentry stack_segment do_stack_segment
-+errorentry stack_segment do_stack_segment
- #ifdef CONFIG_XEN
- zeroentry xen_debug do_debug
- zeroentry xen_int3 do_int3
-@@ -1659,16 +1615,15 @@ error_sti:
- 
- /*
-  * There are two places in the kernel that can potentially fault with
-- * usergs. Handle them here. The exception handlers after iret run with
-- * kernel gs again, so don't set the user space flag. B stepping K8s
-- * sometimes report an truncated RIP for IRET exceptions returning to
-- * compat mode. Check for these here too.
-+ * usergs. Handle them here.  B stepping K8s sometimes report a
-+ * truncated RIP for IRET exceptions returning to compat mode. Check
-+ * for these here too.
-  */
- error_kernelspace:
- 	incl %ebx
- 	leaq native_irq_return_iret(%rip),%rcx
- 	cmpq %rcx,RIP+8(%rsp)
--	je error_swapgs
-+	je error_bad_iret
- 	movl %ecx,%eax	/* zero extend */
- 	cmpq %rax,RIP+8(%rsp)
- 	je bstep_iret
-@@ -1679,7 +1634,15 @@ error_kernelspace:
- bstep_iret:
- 	/* Fix truncated RIP */
- 	movq %rcx,RIP+8(%rsp)
--	jmp error_swapgs
-+	/* fall through */
-+
-+error_bad_iret:
-+	SWAPGS
-+	mov %rsp,%rdi
-+	call fixup_bad_iret
-+	mov %rax,%rsp
-+	decl %ebx	/* Return to usergs */
-+	jmp error_sti
- 	CFI_ENDPROC
- END(error_entry)
- 
-diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
-index 57409f6..f9d976e 100644
---- a/arch/x86/kernel/traps.c
-+++ b/arch/x86/kernel/traps.c
-@@ -218,32 +218,40 @@ DO_ERROR_INFO(X86_TRAP_UD,     SIGILL,  "invalid opcode",		invalid_op,		     ILL
- DO_ERROR     (X86_TRAP_OLD_MF, SIGFPE,  "coprocessor segment overrun",	coprocessor_segment_overrun			  )
- DO_ERROR     (X86_TRAP_TS,     SIGSEGV, "invalid TSS",			invalid_TSS					  )
- DO_ERROR     (X86_TRAP_NP,     SIGBUS,  "segment not present",		segment_not_present				  )
--#ifdef CONFIG_X86_32
- DO_ERROR     (X86_TRAP_SS,     SIGBUS,  "stack segment",		stack_segment					  )
--#endif
- DO_ERROR_INFO(X86_TRAP_AC,     SIGBUS,  "alignment check",		alignment_check,	     BUS_ADRALN, 0	  )
- 
- #ifdef CONFIG_X86_64
- /* Runs on IST stack */
--dotraplinkage void do_stack_segment(struct pt_regs *regs, long error_code)
--{
--	enum ctx_state prev_state;
--
--	prev_state = exception_enter();
--	if (notify_die(DIE_TRAP, "stack segment", regs, error_code,
--		       X86_TRAP_SS, SIGBUS) != NOTIFY_STOP) {
--		preempt_conditional_sti(regs);
--		do_trap(X86_TRAP_SS, SIGBUS, "stack segment", regs, error_code, NULL);
--		preempt_conditional_cli(regs);
--	}
--	exception_exit(prev_state);
--}
--
- dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
- {
- 	static const char str[] = "double fault";
- 	struct task_struct *tsk = current;
- 
-+#ifdef CONFIG_X86_ESPFIX64
-+	extern unsigned char native_irq_return_iret[];
-+
-+	/*
-+	 * If IRET takes a non-IST fault on the espfix64 stack, then we
-+	 * end up promoting it to a doublefault.  In that case, modify
-+	 * the stack to make it look like we just entered the #GP
-+	 * handler from user space, similar to bad_iret.
-+	 */
-+	if (((long)regs->sp >> PGDIR_SHIFT) == ESPFIX_PGD_ENTRY &&
-+		regs->cs == __KERNEL_CS &&
-+		regs->ip == (unsigned long)native_irq_return_iret)
-+	{
-+		struct pt_regs *normal_regs = task_pt_regs(current);
-+
-+		/* Fake a #GP(0) from userspace. */
-+		memmove(&normal_regs->ip, (void *)regs->sp, 5*8);
-+		normal_regs->orig_ax = 0;  /* Missing (lost) #GP error code */
-+		regs->ip = (unsigned long)general_protection;
-+		regs->sp = (unsigned long)&normal_regs->orig_ax;
-+		return;
-+	}
-+#endif
-+
- 	exception_enter();
- 	/* Return not checked because double check cannot be ignored */
- 	notify_die(DIE_TRAP, str, regs, error_code, X86_TRAP_DF, SIGSEGV);
-@@ -376,6 +384,35 @@ asmlinkage __kprobes struct pt_regs *sync_regs(struct pt_regs *eregs)
- 		*regs = *eregs;
- 	return regs;
- }
-+
-+struct bad_iret_stack {
-+	void *error_entry_ret;
-+	struct pt_regs regs;
-+};
-+
-+asmlinkage __visible
-+struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
-+{
-+	/*
-+	 * This is called from entry_64.S early in handling a fault
-+	 * caused by a bad iret to user mode.  To handle the fault
-+	 * correctly, we want move our stack frame to task_pt_regs
-+	 * and we want to pretend that the exception came from the
-+	 * iret target.
-+	 */
-+	struct bad_iret_stack *new_stack =
-+		container_of(task_pt_regs(current),
-+			     struct bad_iret_stack, regs);
-+
-+	/* Copy the IRET target to the new stack. */
-+	memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
-+
-+	/* Copy the remainder of the stack from the current stack. */
-+	memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip));
-+
-+	BUG_ON(!user_mode_vm(&new_stack->regs));
-+	return new_stack;
-+}
- #endif
- 
- /*
-@@ -748,7 +785,7 @@ void __init trap_init(void)
- 	set_intr_gate(X86_TRAP_OLD_MF, coprocessor_segment_overrun);
- 	set_intr_gate(X86_TRAP_TS, invalid_TSS);
- 	set_intr_gate(X86_TRAP_NP, segment_not_present);
--	set_intr_gate_ist(X86_TRAP_SS, &stack_segment, STACKFAULT_STACK);
-+	set_intr_gate(X86_TRAP_SS, stack_segment);
- 	set_intr_gate(X86_TRAP_GP, general_protection);
- 	set_intr_gate(X86_TRAP_SPURIOUS, spurious_interrupt_bug);
- 	set_intr_gate(X86_TRAP_MF, coprocessor_error);
-diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index f35c66c..2308a40 100644
---- a/arch/x86/mm/init_64.c
-+++ b/arch/x86/mm/init_64.c
-@@ -1110,7 +1110,7 @@ void mark_rodata_ro(void)
- 	unsigned long end = (unsigned long) &__end_rodata_hpage_align;
- 	unsigned long text_end = PFN_ALIGN(&__stop___ex_table);
- 	unsigned long rodata_end = PFN_ALIGN(&__end_rodata);
--	unsigned long all_end = PFN_ALIGN(&_end);
-+	unsigned long all_end;
- 
- 	printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
- 	       (end - start) >> 10);
-@@ -1121,7 +1121,16 @@ void mark_rodata_ro(void)
- 	/*
- 	 * The rodata/data/bss/brk section (but not the kernel text!)
- 	 * should also be not-executable.
-+	 *
-+	 * We align all_end to PMD_SIZE because the existing mapping
-+	 * is a full PMD. If we would align _brk_end to PAGE_SIZE we
-+	 * split the PMD and the reminder between _brk_end and the end
-+	 * of the PMD will remain mapped executable.
-+	 *
-+	 * Any PMD which was setup after the one which covers _brk_end
-+	 * has been zapped already via cleanup_highmem().
- 	 */
-+	all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
- 	set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
- 
- 	rodata_test();
-diff --git a/arch/x86/tools/calc_run_size.pl b/arch/x86/tools/calc_run_size.pl
-index 0b0b124..23210ba 100644
---- a/arch/x86/tools/calc_run_size.pl
-+++ b/arch/x86/tools/calc_run_size.pl
-@@ -19,7 +19,16 @@ while (<>) {
- 		if ($file_offset == 0) {
- 			$file_offset = $offset;
- 		} elsif ($file_offset != $offset) {
--			die ".bss and .brk lack common file offset\n";
-+			# BFD linker shows the same file offset in ELF.
-+			# Gold linker shows them as consecutive.
-+			next if ($file_offset + $mem_size == $offset + $size);
-+
-+			printf STDERR "file_offset: 0x%lx\n", $file_offset;
-+			printf STDERR "mem_size: 0x%lx\n", $mem_size;
-+			printf STDERR "offset: 0x%lx\n", $offset;
-+			printf STDERR "size: 0x%lx\n", $size;
-+
-+			die ".bss and .brk are non-contiguous\n";
- 		}
- 	}
- }
-diff --git a/drivers/clocksource/sun4i_timer.c b/drivers/clocksource/sun4i_timer.c
-index bf497af..7d19f86 100644
---- a/drivers/clocksource/sun4i_timer.c
-+++ b/drivers/clocksource/sun4i_timer.c
-@@ -182,6 +182,12 @@ static void __init sun4i_timer_init(struct device_node *node)
- 	/* Make sure timer is stopped before playing with interrupts */
- 	sun4i_clkevt_time_stop(0);
- 
-+	sun4i_clockevent.cpumask = cpu_possible_mask;
-+	sun4i_clockevent.irq = irq;
-+
-+	clockevents_config_and_register(&sun4i_clockevent, rate,
-+					TIMER_SYNC_TICKS, 0xffffffff);
-+
- 	ret = setup_irq(irq, &sun4i_timer_irq);
- 	if (ret)
- 		pr_warn("failed to setup irq %d\n", irq);
-@@ -189,12 +195,6 @@ static void __init sun4i_timer_init(struct device_node *node)
- 	/* Enable timer0 interrupt */
- 	val = readl(timer_base + TIMER_IRQ_EN_REG);
- 	writel(val | TIMER_IRQ_EN(0), timer_base + TIMER_IRQ_EN_REG);
--
--	sun4i_clockevent.cpumask = cpu_possible_mask;
--	sun4i_clockevent.irq = irq;
--
--	clockevents_config_and_register(&sun4i_clockevent, rate,
--					TIMER_SYNC_TICKS, 0xffffffff);
- }
- CLOCKSOURCE_OF_DECLARE(sun4i, "allwinner,sun4i-timer",
- 		       sun4i_timer_init);
-diff --git a/drivers/gpu/drm/radeon/r600_dpm.c b/drivers/gpu/drm/radeon/r600_dpm.c
-index 813db8d..3334f91 100644
---- a/drivers/gpu/drm/radeon/r600_dpm.c
-+++ b/drivers/gpu/drm/radeon/r600_dpm.c
-@@ -1209,7 +1209,7 @@ int r600_parse_extended_power_table(struct radeon_device *rdev)
- 					(mode_info->atom_context->bios + data_offset +
- 					 le16_to_cpu(ext_hdr->usPowerTuneTableOffset));
- 				rdev->pm.dpm.dyn_state.cac_tdp_table->maximum_power_delivery_limit =
--					ppt->usMaximumPowerDeliveryLimit;
-+					le16_to_cpu(ppt->usMaximumPowerDeliveryLimit);
- 				pt = &ppt->power_tune_table;
- 			} else {
- 				ATOM_PPLIB_POWERTUNE_Table *ppt = (ATOM_PPLIB_POWERTUNE_Table *)
-diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c
-index 089c9ff..b3f0293 100644
---- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
-+++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
-@@ -202,6 +202,16 @@ static bool radeon_msi_ok(struct radeon_device *rdev)
- 	if (rdev->flags & RADEON_IS_AGP)
- 		return false;
- 
-+	/*
-+	 * Older chips have a HW limitation, they can only generate 40 bits
-+	 * of address for "64-bit" MSIs which breaks on some platforms, notably
-+	 * IBM POWER servers, so we limit them
-+	 */
-+	if (rdev->family < CHIP_BONAIRE) {
-+		dev_info(rdev->dev, "radeon: MSI limited to 32-bit\n");
-+		rdev->pdev->no_64bit_msi = 1;
-+	}
-+
- 	/* force MSI on */
- 	if (radeon_msi == 1)
- 		return true;
-diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
-index c5c194c..a96cfc3 100644
---- a/drivers/infiniband/ulp/isert/ib_isert.c
-+++ b/drivers/infiniband/ulp/isert/ib_isert.c
-@@ -112,9 +112,12 @@ isert_conn_setup_qp(struct isert_conn *isert_conn, struct rdma_cm_id *cma_id)
- 	attr.cap.max_recv_wr = ISERT_QP_MAX_RECV_DTOS;
- 	/*
- 	 * FIXME: Use devattr.max_sge - 2 for max_send_sge as
--	 * work-around for RDMA_READ..
-+	 * work-around for RDMA_READs with ConnectX-2.
-+	 *
-+	 * Also, still make sure to have at least two SGEs for
-+	 * outgoing control PDU responses.
- 	 */
--	attr.cap.max_send_sge = device->dev_attr.max_sge - 2;
-+	attr.cap.max_send_sge = max(2, device->dev_attr.max_sge - 2);
- 	isert_conn->max_sge = attr.cap.max_send_sge;
- 
- 	attr.cap.max_recv_sge = 1;
-@@ -220,12 +223,16 @@ isert_create_device_ib_res(struct isert_device *device)
- 	struct isert_cq_desc *cq_desc;
- 	struct ib_device_attr *dev_attr;
- 	int ret = 0, i, j;
-+	int max_rx_cqe, max_tx_cqe;
- 
- 	dev_attr = &device->dev_attr;
- 	ret = isert_query_device(ib_dev, dev_attr);
- 	if (ret)
- 		return ret;
- 
-+	max_rx_cqe = min(ISER_MAX_RX_CQ_LEN, dev_attr->max_cqe);
-+	max_tx_cqe = min(ISER_MAX_TX_CQ_LEN, dev_attr->max_cqe);
-+
- 	/* asign function handlers */
- 	if (dev_attr->device_cap_flags & IB_DEVICE_MEM_MGT_EXTENSIONS) {
- 		device->use_fastreg = 1;
-@@ -261,7 +268,7 @@ isert_create_device_ib_res(struct isert_device *device)
- 						isert_cq_rx_callback,
- 						isert_cq_event_callback,
- 						(void *)&cq_desc[i],
--						ISER_MAX_RX_CQ_LEN, i);
-+						max_rx_cqe, i);
- 		if (IS_ERR(device->dev_rx_cq[i])) {
- 			ret = PTR_ERR(device->dev_rx_cq[i]);
- 			device->dev_rx_cq[i] = NULL;
-@@ -273,7 +280,7 @@ isert_create_device_ib_res(struct isert_device *device)
- 						isert_cq_tx_callback,
- 						isert_cq_event_callback,
- 						(void *)&cq_desc[i],
--						ISER_MAX_TX_CQ_LEN, i);
-+						max_tx_cqe, i);
- 		if (IS_ERR(device->dev_tx_cq[i])) {
- 			ret = PTR_ERR(device->dev_tx_cq[i]);
- 			device->dev_tx_cq[i] = NULL;
-@@ -718,14 +725,25 @@ wake_up:
- 	complete(&isert_conn->conn_wait);
- }
- 
--static void
-+static int
- isert_disconnected_handler(struct rdma_cm_id *cma_id, bool disconnect)
- {
--	struct isert_conn *isert_conn = (struct isert_conn *)cma_id->context;
-+	struct isert_conn *isert_conn;
-+
-+	if (!cma_id->qp) {
-+		struct isert_np *isert_np = cma_id->context;
-+
-+		isert_np->np_cm_id = NULL;
-+		return -1;
-+	}
-+
-+	isert_conn = (struct isert_conn *)cma_id->context;
- 
- 	isert_conn->disconnect = disconnect;
- 	INIT_WORK(&isert_conn->conn_logout_work, isert_disconnect_work);
- 	schedule_work(&isert_conn->conn_logout_work);
-+
-+	return 0;
- }
- 
- static int
-@@ -740,6 +758,9 @@ isert_cma_handler(struct rdma_cm_id *cma_id, struct rdma_cm_event *event)
- 	switch (event->event) {
- 	case RDMA_CM_EVENT_CONNECT_REQUEST:
- 		ret = isert_connect_request(cma_id, event);
-+		if (ret)
-+			pr_err("isert_cma_handler failed RDMA_CM_EVENT: 0x%08x %d\n",
-+				event->event, ret);
- 		break;
- 	case RDMA_CM_EVENT_ESTABLISHED:
- 		isert_connected_handler(cma_id);
-@@ -749,7 +770,7 @@ isert_cma_handler(struct rdma_cm_id *cma_id, struct rdma_cm_event *event)
- 	case RDMA_CM_EVENT_DEVICE_REMOVAL: /* FALLTHRU */
- 		disconnect = true;
- 	case RDMA_CM_EVENT_TIMEWAIT_EXIT:  /* FALLTHRU */
--		isert_disconnected_handler(cma_id, disconnect);
-+		ret = isert_disconnected_handler(cma_id, disconnect);
- 		break;
- 	case RDMA_CM_EVENT_CONNECT_ERROR:
- 	default:
-@@ -757,12 +778,6 @@ isert_cma_handler(struct rdma_cm_id *cma_id, struct rdma_cm_event *event)
- 		break;
- 	}
- 
--	if (ret != 0) {
--		pr_err("isert_cma_handler failed RDMA_CM_EVENT: 0x%08x %d\n",
--		       event->event, ret);
--		dump_stack();
--	}
--
- 	return ret;
- }
- 
-@@ -970,7 +985,8 @@ isert_put_login_tx(struct iscsi_conn *conn, struct iscsi_login *login,
- 	}
- 	if (!login->login_failed) {
- 		if (login->login_complete) {
--			if (isert_conn->conn_device->use_fastreg) {
-+			if (!conn->sess->sess_ops->SessionType &&
-+			    isert_conn->conn_device->use_fastreg) {
- 				ret = isert_conn_create_fastreg_pool(isert_conn);
- 				if (ret) {
- 					pr_err("Conn: %p failed to create"
-@@ -1937,7 +1953,7 @@ isert_put_response(struct iscsi_conn *conn, struct iscsi_cmd *cmd)
- 		isert_cmd->tx_desc.num_sge = 2;
- 	}
- 
--	isert_init_send_wr(isert_conn, isert_cmd, send_wr, true);
-+	isert_init_send_wr(isert_conn, isert_cmd, send_wr, false);
- 
- 	pr_debug("Posting SCSI Response IB_WR_SEND >>>>>>>>>>>>>>>>>>>>>>\n");
- 
-@@ -2456,7 +2472,7 @@ isert_put_datain(struct iscsi_conn *conn, struct iscsi_cmd *cmd)
- 			     &isert_cmd->tx_desc.iscsi_header);
- 	isert_init_tx_hdrs(isert_conn, &isert_cmd->tx_desc);
- 	isert_init_send_wr(isert_conn, isert_cmd,
--			   &isert_cmd->tx_desc.send_wr, true);
-+			   &isert_cmd->tx_desc.send_wr, false);
- 
- 	atomic_add(wr->send_wr_num + 1, &isert_conn->post_send_buf_count);
- 
-@@ -2768,7 +2784,8 @@ isert_free_np(struct iscsi_np *np)
- {
- 	struct isert_np *isert_np = (struct isert_np *)np->np_context;
- 
--	rdma_destroy_id(isert_np->np_cm_id);
-+	if (isert_np->np_cm_id)
-+		rdma_destroy_id(isert_np->np_cm_id);
- 
- 	np->np_context = NULL;
- 	kfree(isert_np);
-diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
-index d1078ce..0097b8d 100644
---- a/drivers/infiniband/ulp/srpt/ib_srpt.c
-+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
-@@ -2091,6 +2091,7 @@ static int srpt_create_ch_ib(struct srpt_rdma_ch *ch)
- 	if (!qp_init)
- 		goto out;
- 
-+retry:
- 	ch->cq = ib_create_cq(sdev->device, srpt_completion, NULL, ch,
- 			      ch->rq_size + srp_sq_size, 0);
- 	if (IS_ERR(ch->cq)) {
-@@ -2114,6 +2115,13 @@ static int srpt_create_ch_ib(struct srpt_rdma_ch *ch)
- 	ch->qp = ib_create_qp(sdev->pd, qp_init);
- 	if (IS_ERR(ch->qp)) {
- 		ret = PTR_ERR(ch->qp);
-+		if (ret == -ENOMEM) {
-+			srp_sq_size /= 2;
-+			if (srp_sq_size >= MIN_SRPT_SQ_SIZE) {
-+				ib_destroy_cq(ch->cq);
-+				goto retry;
-+			}
-+		}
- 		printk(KERN_ERR "failed to create_qp ret= %d\n", ret);
- 		goto err_destroy_cq;
- 	}
-diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
-index 603fe0d..517829f 100644
---- a/drivers/input/joystick/xpad.c
-+++ b/drivers/input/joystick/xpad.c
-@@ -1003,9 +1003,19 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id
- 		}
- 
- 		ep_irq_in = &intf->cur_altsetting->endpoint[1].desc;
--		usb_fill_bulk_urb(xpad->bulk_out, udev,
--				usb_sndbulkpipe(udev, ep_irq_in->bEndpointAddress),
--				xpad->bdata, XPAD_PKT_LEN, xpad_bulk_out, xpad);
-+		if (usb_endpoint_is_bulk_out(ep_irq_in)) {
-+			usb_fill_bulk_urb(xpad->bulk_out, udev,
-+					  usb_sndbulkpipe(udev,
-+							  ep_irq_in->bEndpointAddress),
-+					  xpad->bdata, XPAD_PKT_LEN,
-+					  xpad_bulk_out, xpad);
-+		} else {
-+			usb_fill_int_urb(xpad->bulk_out, udev,
-+					 usb_sndintpipe(udev,
-+							ep_irq_in->bEndpointAddress),
-+					 xpad->bdata, XPAD_PKT_LEN,
-+					 xpad_bulk_out, xpad, 0);
-+		}
- 
- 		/*
- 		 * Submit the int URB immediately rather than waiting for open
-diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
-index 1e76eb8..a3769cf 100644
---- a/drivers/input/mouse/synaptics.c
-+++ b/drivers/input/mouse/synaptics.c
-@@ -140,6 +140,10 @@ static const struct min_max_quirk min_max_pnpid_table[] = {
- 		(const char * const []){"LEN2001", NULL},
- 		1024, 5022, 2508, 4832
- 	},
-+	{
-+		(const char * const []){"LEN2006", NULL},
-+		1264, 5675, 1171, 4688
-+	},
- 	{ }
- };
- 
-diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
-index cc38948..1537982 100644
---- a/drivers/net/bonding/bond_main.c
-+++ b/drivers/net/bonding/bond_main.c
-@@ -2450,9 +2450,9 @@ static void bond_loadbalance_arp_mon(struct work_struct *work)
- 		if (!rtnl_trylock())
- 			goto re_arm;
- 
--		if (slave_state_changed) {
-+		if (slave_state_changed)
- 			bond_slave_state_change(bond);
--		} else if (do_failover) {
-+		if (do_failover) {
- 			/* the bond_select_active_slave must hold RTNL
- 			 * and curr_slave_lock for write.
- 			 */
-diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
-index fc59bc6..cc11f7f 100644
---- a/drivers/net/can/dev.c
-+++ b/drivers/net/can/dev.c
-@@ -384,7 +384,7 @@ void can_free_echo_skb(struct net_device *dev, unsigned int idx)
- 	BUG_ON(idx >= priv->echo_skb_max);
- 
- 	if (priv->echo_skb[idx]) {
--		kfree_skb(priv->echo_skb[idx]);
-+		dev_kfree_skb_any(priv->echo_skb[idx]);
- 		priv->echo_skb[idx] = NULL;
- 	}
- }
-diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c
-index 7fbe859..f34f7fa 100644
---- a/drivers/net/can/usb/esd_usb2.c
-+++ b/drivers/net/can/usb/esd_usb2.c
-@@ -1141,6 +1141,7 @@ static void esd_usb2_disconnect(struct usb_interface *intf)
- 			}
- 		}
- 		unlink_all_urbs(dev);
-+		kfree(dev);
- 	}
- }
- 
-diff --git a/drivers/net/ieee802154/fakehard.c b/drivers/net/ieee802154/fakehard.c
-index bf0d55e..6adbef8 100644
---- a/drivers/net/ieee802154/fakehard.c
-+++ b/drivers/net/ieee802154/fakehard.c
-@@ -376,17 +376,20 @@ static int ieee802154fake_probe(struct platform_device *pdev)
- 
- 	err = wpan_phy_register(phy);
- 	if (err)
--		goto out;
-+		goto err_phy_reg;
- 
- 	err = register_netdev(dev);
--	if (err < 0)
--		goto out;
-+	if (err)
-+		goto err_netdev_reg;
- 
- 	dev_info(&pdev->dev, "Added ieee802154 HardMAC hardware\n");
- 	return 0;
- 
--out:
--	unregister_netdev(dev);
-+err_netdev_reg:
-+	wpan_phy_unregister(phy);
-+err_phy_reg:
-+	free_netdev(dev);
-+	wpan_phy_free(phy);
- 	return err;
- }
- 
-diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
-index 1aff970..1dc628f 100644
---- a/drivers/net/ppp/pptp.c
-+++ b/drivers/net/ppp/pptp.c
-@@ -506,7 +506,9 @@ static int pptp_getname(struct socket *sock, struct sockaddr *uaddr,
- 	int len = sizeof(struct sockaddr_pppox);
- 	struct sockaddr_pppox sp;
- 
--	sp.sa_family	  = AF_PPPOX;
-+	memset(&sp.sa_addr, 0, sizeof(sp.sa_addr));
-+
-+	sp.sa_family    = AF_PPPOX;
- 	sp.sa_protocol  = PX_PROTO_PPTP;
- 	sp.sa_addr.pptp = pppox_sk(sock->sk)->proto.pptp.src_addr;
- 
-diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
-index d510f1d..db21af8 100644
---- a/drivers/net/usb/qmi_wwan.c
-+++ b/drivers/net/usb/qmi_wwan.c
-@@ -769,6 +769,7 @@ static const struct usb_device_id products[] = {
- 	{QMI_FIXED_INTF(0x413c, 0x81a4, 8)},	/* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
- 	{QMI_FIXED_INTF(0x413c, 0x81a8, 8)},	/* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */
- 	{QMI_FIXED_INTF(0x413c, 0x81a9, 8)},	/* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
-+	{QMI_FIXED_INTF(0x03f0, 0x581d, 4)},	/* HP lt4112 LTE/HSPA+ Gobi 4G Module (Huawei me906e) */
- 
- 	/* 4. Gobi 1000 devices */
- 	{QMI_GOBI1K_DEVICE(0x05c6, 0x9212)},	/* Acer Gobi Modem Device */
-diff --git a/drivers/net/wireless/ath/ath9k/ar9003_phy.c b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
-index 09facba..390c2de 100644
---- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c
-+++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
-@@ -647,6 +647,19 @@ static void ar9003_hw_override_ini(struct ath_hw *ah)
- 		ah->enabled_cals |= TX_CL_CAL;
- 	else
- 		ah->enabled_cals &= ~TX_CL_CAL;
-+
-+	if (AR_SREV_9340(ah) || AR_SREV_9531(ah) || AR_SREV_9550(ah)) {
-+		if (ah->is_clk_25mhz) {
-+			REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x17c << 1);
-+			REG_WRITE(ah, AR_SLP32_MODE, 0x0010f3d7);
-+			REG_WRITE(ah, AR_SLP32_INC, 0x0001e7ae);
-+		} else {
-+			REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x261 << 1);
-+			REG_WRITE(ah, AR_SLP32_MODE, 0x0010f400);
-+			REG_WRITE(ah, AR_SLP32_INC, 0x0001e800);
-+		}
-+		udelay(100);
-+	}
- }
- 
- static void ar9003_hw_prog_ini(struct ath_hw *ah,
-diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
-index 9078a6c..dcc1494 100644
---- a/drivers/net/wireless/ath/ath9k/hw.c
-+++ b/drivers/net/wireless/ath/ath9k/hw.c
-@@ -858,19 +858,6 @@ static void ath9k_hw_init_pll(struct ath_hw *ah,
- 	udelay(RTC_PLL_SETTLE_DELAY);
- 
- 	REG_WRITE(ah, AR_RTC_SLEEP_CLK, AR_RTC_FORCE_DERIVED_CLK);
--
--	if (AR_SREV_9340(ah) || AR_SREV_9550(ah)) {
--		if (ah->is_clk_25mhz) {
--			REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x17c << 1);
--			REG_WRITE(ah, AR_SLP32_MODE, 0x0010f3d7);
--			REG_WRITE(ah,  AR_SLP32_INC, 0x0001e7ae);
--		} else {
--			REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x261 << 1);
--			REG_WRITE(ah, AR_SLP32_MODE, 0x0010f400);
--			REG_WRITE(ah,  AR_SLP32_INC, 0x0001e800);
--		}
--		udelay(100);
--	}
- }
- 
- static void ath9k_hw_init_interrupt_masks(struct ath_hw *ah,
-diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
-index 5642ccc..22d49d5 100644
---- a/drivers/net/wireless/rt2x00/rt2x00queue.c
-+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
-@@ -158,55 +158,29 @@ void rt2x00queue_align_frame(struct sk_buff *skb)
- 	skb_trim(skb, frame_length);
- }
- 
--void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int header_length)
-+/*
-+ * H/W needs L2 padding between the header and the paylod if header size
-+ * is not 4 bytes aligned.
-+ */
-+void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int hdr_len)
- {
--	unsigned int payload_length = skb->len - header_length;
--	unsigned int header_align = ALIGN_SIZE(skb, 0);
--	unsigned int payload_align = ALIGN_SIZE(skb, header_length);
--	unsigned int l2pad = payload_length ? L2PAD_SIZE(header_length) : 0;
-+	unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0;
- 
--	/*
--	 * Adjust the header alignment if the payload needs to be moved more
--	 * than the header.
--	 */
--	if (payload_align > header_align)
--		header_align += 4;
--
--	/* There is nothing to do if no alignment is needed */
--	if (!header_align)
-+	if (!l2pad)
- 		return;
- 
--	/* Reserve the amount of space needed in front of the frame */
--	skb_push(skb, header_align);
--
--	/*
--	 * Move the header.
--	 */
--	memmove(skb->data, skb->data + header_align, header_length);
--
--	/* Move the payload, if present and if required */
--	if (payload_length && payload_align)
--		memmove(skb->data + header_length + l2pad,
--			skb->data + header_length + l2pad + payload_align,
--			payload_length);
--
--	/* Trim the skb to the correct size */
--	skb_trim(skb, header_length + l2pad + payload_length);
-+	skb_push(skb, l2pad);
-+	memmove(skb->data, skb->data + l2pad, hdr_len);
- }
- 
--void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int header_length)
-+void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int hdr_len)
- {
--	/*
--	 * L2 padding is only present if the skb contains more than just the
--	 * IEEE 802.11 header.
--	 */
--	unsigned int l2pad = (skb->len > header_length) ?
--				L2PAD_SIZE(header_length) : 0;
-+	unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0;
- 
- 	if (!l2pad)
- 		return;
- 
--	memmove(skb->data + l2pad, skb->data, header_length);
-+	memmove(skb->data + l2pad, skb->data, hdr_len);
- 	skb_pull(skb, l2pad);
- }
- 
-diff --git a/drivers/of/address.c b/drivers/of/address.c
-index 1a54f1f..005c657 100644
---- a/drivers/of/address.c
-+++ b/drivers/of/address.c
-@@ -401,6 +401,21 @@ static struct of_bus *of_match_bus(struct device_node *np)
- 	return NULL;
- }
- 
-+static int of_empty_ranges_quirk(void)
-+{
-+	if (IS_ENABLED(CONFIG_PPC)) {
-+		/* To save cycles, we cache the result */
-+		static int quirk_state = -1;
-+
-+		if (quirk_state < 0)
-+			quirk_state =
-+				of_machine_is_compatible("Power Macintosh") ||
-+				of_machine_is_compatible("MacRISC");
-+		return quirk_state;
-+	}
-+	return false;
-+}
-+
- static int of_translate_one(struct device_node *parent, struct of_bus *bus,
- 			    struct of_bus *pbus, __be32 *addr,
- 			    int na, int ns, int pna, const char *rprop)
-@@ -426,12 +441,10 @@ static int of_translate_one(struct device_node *parent, struct of_bus *bus,
- 	 * This code is only enabled on powerpc. --gcl
- 	 */
- 	ranges = of_get_property(parent, rprop, &rlen);
--#if !defined(CONFIG_PPC)
--	if (ranges == NULL) {
-+	if (ranges == NULL && !of_empty_ranges_quirk()) {
- 		pr_err("OF: no ranges; cannot translate\n");
- 		return 1;
- 	}
--#endif /* !defined(CONFIG_PPC) */
- 	if (ranges == NULL || rlen == 0) {
- 		offset = of_read_number(addr, na);
- 		memset(addr, 0, pna * 4);
-diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c
-index fb02fc2..ced17f2 100644
---- a/drivers/pci/msi.c
-+++ b/drivers/pci/msi.c
-@@ -599,6 +599,20 @@ error_attrs:
- 	return ret;
- }
- 
-+static int msi_verify_entries(struct pci_dev *dev)
-+{
-+	struct msi_desc *entry;
-+
-+	list_for_each_entry(entry, &dev->msi_list, list) {
-+		if (!dev->no_64bit_msi || !entry->msg.address_hi)
-+			continue;
-+		dev_err(&dev->dev, "Device has broken 64-bit MSI but arch"
-+			" tried to assign one above 4G\n");
-+		return -EIO;
-+	}
-+	return 0;
-+}
-+
- /**
-  * msi_capability_init - configure device's MSI capability structure
-  * @dev: pointer to the pci_dev data structure of MSI device function
-@@ -652,6 +666,13 @@ static int msi_capability_init(struct pci_dev *dev, int nvec)
- 		return ret;
- 	}
- 
-+	ret = msi_verify_entries(dev);
-+	if (ret) {
-+		msi_mask_irq(entry, mask, ~mask);
-+		free_msi_irqs(dev);
-+		return ret;
-+	}
-+
- 	ret = populate_msi_sysfs(dev);
- 	if (ret) {
- 		msi_mask_irq(entry, mask, ~mask);
-@@ -767,6 +788,11 @@ static int msix_capability_init(struct pci_dev *dev,
- 	if (ret)
- 		goto out_avail;
- 
-+	/* Check if all MSI entries honor device restrictions */
-+	ret = msi_verify_entries(dev);
-+	if (ret)
-+		goto out_free;
-+
- 	/*
- 	 * Some devices require MSI-X to be enabled before we can touch the
- 	 * MSI-X registers.  We need to mask all the vectors to prevent
-diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index 6e34498..34dff3a 100644
---- a/drivers/pci/probe.c
-+++ b/drivers/pci/probe.c
-@@ -395,15 +395,16 @@ static void pci_read_bridge_mmio_pref(struct pci_bus *child)
- {
- 	struct pci_dev *dev = child->self;
- 	u16 mem_base_lo, mem_limit_lo;
--	unsigned long base, limit;
-+	u64 base64, limit64;
-+	dma_addr_t base, limit;
- 	struct pci_bus_region region;
- 	struct resource *res;
- 
- 	res = child->resource[2];
- 	pci_read_config_word(dev, PCI_PREF_MEMORY_BASE, &mem_base_lo);
- 	pci_read_config_word(dev, PCI_PREF_MEMORY_LIMIT, &mem_limit_lo);
--	base = ((unsigned long) mem_base_lo & PCI_PREF_RANGE_MASK) << 16;
--	limit = ((unsigned long) mem_limit_lo & PCI_PREF_RANGE_MASK) << 16;
-+	base64 = (mem_base_lo & PCI_PREF_RANGE_MASK) << 16;
-+	limit64 = (mem_limit_lo & PCI_PREF_RANGE_MASK) << 16;
- 
- 	if ((mem_base_lo & PCI_PREF_RANGE_TYPE_MASK) == PCI_PREF_RANGE_TYPE_64) {
- 		u32 mem_base_hi, mem_limit_hi;
-@@ -417,18 +418,20 @@ static void pci_read_bridge_mmio_pref(struct pci_bus *child)
- 		 * this, just assume they are not being used.
- 		 */
- 		if (mem_base_hi <= mem_limit_hi) {
--#if BITS_PER_LONG == 64
--			base |= ((unsigned long) mem_base_hi) << 32;
--			limit |= ((unsigned long) mem_limit_hi) << 32;
--#else
--			if (mem_base_hi || mem_limit_hi) {
--				dev_err(&dev->dev, "can't handle 64-bit "
--					"address space for bridge\n");
--				return;
--			}
--#endif
-+			base64 |= (u64) mem_base_hi << 32;
-+			limit64 |= (u64) mem_limit_hi << 32;
- 		}
- 	}
-+
-+	base = (dma_addr_t) base64;
-+	limit = (dma_addr_t) limit64;
-+
-+	if (base != base64) {
-+		dev_err(&dev->dev, "can't handle bridge window above 4GB (bus address %#010llx)\n",
-+			(unsigned long long) base64);
-+		return;
-+	}
-+
- 	if (base <= limit) {
- 		res->flags = (mem_base_lo & PCI_PREF_RANGE_TYPE_MASK) |
- 					 IORESOURCE_MEM | IORESOURCE_PREFETCH;
-diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
-index 9b94850..cc6b13b 100644
---- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
-+++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
-@@ -411,6 +411,7 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
- 	struct fc_frame_header *fh;
- 	struct fcoe_rcv_info *fr;
- 	struct fcoe_percpu_s *bg;
-+	struct sk_buff *tmp_skb;
- 	unsigned short oxid;
- 
- 	interface = container_of(ptype, struct bnx2fc_interface,
-@@ -423,6 +424,12 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
- 		goto err;
- 	}
- 
-+	tmp_skb = skb_share_check(skb, GFP_ATOMIC);
-+	if (!tmp_skb)
-+		goto err;
-+
-+	skb = tmp_skb;
-+
- 	if (unlikely(eth_hdr(skb)->h_proto != htons(ETH_P_FCOE))) {
- 		printk(KERN_ERR PFX "bnx2fc_rcv: Wrong FC type frame\n");
- 		goto err;
-diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
-index 49014a1..c1d04d4 100644
---- a/drivers/scsi/scsi_devinfo.c
-+++ b/drivers/scsi/scsi_devinfo.c
-@@ -202,6 +202,7 @@ static struct {
- 	{"IOMEGA", "Io20S         *F", NULL, BLIST_KEY},
- 	{"INSITE", "Floptical   F*8I", NULL, BLIST_KEY},
- 	{"INSITE", "I325VM", NULL, BLIST_KEY},
-+	{"Intel", "Multi-Flex", NULL, BLIST_NO_RSOC},
- 	{"iRiver", "iFP Mass Driver", NULL, BLIST_NOT_LOCKABLE | BLIST_INQUIRY_36},
- 	{"LASOUND", "CDX7405", "3.10", BLIST_MAX5LUN | BLIST_SINGLELUN},
- 	{"MATSHITA", "PD-1", NULL, BLIST_FORCELUN | BLIST_SINGLELUN},
-diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
-index e63d270..e543b80 100644
---- a/drivers/spi/spi-dw.c
-+++ b/drivers/spi/spi-dw.c
-@@ -394,9 +394,6 @@ static void pump_transfers(unsigned long data)
- 	chip = dws->cur_chip;
- 	spi = message->spi;
- 
--	if (unlikely(!chip->clk_div))
--		chip->clk_div = dws->max_freq / chip->speed_hz;
--
- 	if (message->state == ERROR_STATE) {
- 		message->status = -EIO;
- 		goto early_exit;
-@@ -437,7 +434,7 @@ static void pump_transfers(unsigned long data)
- 	if (transfer->speed_hz) {
- 		speed = chip->speed_hz;
- 
--		if (transfer->speed_hz != speed) {
-+		if ((transfer->speed_hz != speed) || (!chip->clk_div)) {
- 			speed = transfer->speed_hz;
- 			if (speed > dws->max_freq) {
- 				printk(KERN_ERR "MRST SPI0: unsupported"
-@@ -659,7 +656,6 @@ static int dw_spi_setup(struct spi_device *spi)
- 		dev_err(&spi->dev, "No max speed HZ parameter\n");
- 		return -EINVAL;
- 	}
--	chip->speed_hz = spi->max_speed_hz;
- 
- 	chip->tmode = 0; /* Tx & Rx */
- 	/* Default SPI mode is SCPOL = 0, SCPH = 0 */
-diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
-index fed699f..2185a71 100644
---- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
-+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
-@@ -57,6 +57,7 @@ static struct usb_device_id rtw_usb_id_tbl[] = {
- 	{USB_DEVICE(0x07b8, 0x8179)}, /* Abocom - Abocom */
- 	{USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */
- 	{USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */
-+	{USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
- 	{USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
- 	{}	/* Terminating entry */
- };
-diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
-index 9232c773..e6463ef 100644
---- a/drivers/target/target_core_transport.c
-+++ b/drivers/target/target_core_transport.c
-@@ -2230,7 +2230,7 @@ transport_generic_new_cmd(struct se_cmd *cmd)
- 	 * and let it call back once the write buffers are ready.
- 	 */
- 	target_add_to_state_list(cmd);
--	if (cmd->data_direction != DMA_TO_DEVICE) {
-+	if (cmd->data_direction != DMA_TO_DEVICE || cmd->data_length == 0) {
- 		target_execute_cmd(cmd);
- 		return 0;
- 	}
-diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
-index c854593..b195fdb 100644
---- a/drivers/usb/core/quirks.c
-+++ b/drivers/usb/core/quirks.c
-@@ -44,6 +44,9 @@ static const struct usb_device_id usb_quirk_list[] = {
- 	/* Creative SB Audigy 2 NX */
- 	{ USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
- 
-+	/* Microsoft Wireless Laser Mouse 6000 Receiver */
-+	{ USB_DEVICE(0x045e, 0x00e1), .driver_info = USB_QUIRK_RESET_RESUME },
-+
- 	/* Microsoft LifeCam-VX700 v2.0 */
- 	{ USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME },
- 
-diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
-index 75cb1ff..73c43e5 100644
---- a/drivers/usb/host/xhci-pci.c
-+++ b/drivers/usb/host/xhci-pci.c
-@@ -281,7 +281,7 @@ static int xhci_pci_suspend(struct usb_hcd *hcd, bool do_wakeup)
- 	if (xhci_compliance_mode_recovery_timer_quirk_check())
- 		pdev->no_d3cold = true;
- 
--	return xhci_suspend(xhci);
-+	return xhci_suspend(xhci, do_wakeup);
- }
- 
- static int xhci_pci_resume(struct usb_hcd *hcd, bool hibernated)
-diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
-index 8abda5c..1d5ba3c 100644
---- a/drivers/usb/host/xhci-plat.c
-+++ b/drivers/usb/host/xhci-plat.c
-@@ -205,7 +205,15 @@ static int xhci_plat_suspend(struct device *dev)
- 	struct usb_hcd	*hcd = dev_get_drvdata(dev);
- 	struct xhci_hcd	*xhci = hcd_to_xhci(hcd);
- 
--	return xhci_suspend(xhci);
-+	/*
-+	 * xhci_suspend() needs `do_wakeup` to know whether host is allowed
-+	 * to do wakeup during suspend. Since xhci_plat_suspend is currently
-+	 * only designed for system suspend, device_may_wakeup() is enough
-+	 * to dertermine whether host is allowed to do wakeup. Need to
-+	 * reconsider this when xhci_plat_suspend enlarges its scope, e.g.,
-+	 * also applies to runtime suspend.
-+	 */
-+	return xhci_suspend(xhci, device_may_wakeup(dev));
- }
- 
- static int xhci_plat_resume(struct device *dev)
-diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
-index 0e6665a..1710a86 100644
---- a/drivers/usb/host/xhci-ring.c
-+++ b/drivers/usb/host/xhci-ring.c
-@@ -1180,9 +1180,8 @@ static void xhci_handle_cmd_reset_ep(struct xhci_hcd *xhci, int slot_id,
- 				false);
- 		xhci_ring_cmd_db(xhci);
- 	} else {
--		/* Clear our internal halted state and restart the ring(s) */
-+		/* Clear our internal halted state */
- 		xhci->devs[slot_id]->eps[ep_index].ep_state &= ~EP_HALTED;
--		ring_doorbell_for_active_rings(xhci, slot_id, ep_index);
- 	}
- }
- 
-diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index 82b563f..17e3987 100644
---- a/drivers/usb/host/xhci.c
-+++ b/drivers/usb/host/xhci.c
-@@ -35,6 +35,8 @@
- #define DRIVER_AUTHOR "Sarah Sharp"
- #define DRIVER_DESC "'eXtensible' Host Controller (xHC) Driver"
- 
-+#define	PORT_WAKE_BITS	(PORT_WKOC_E | PORT_WKDISC_E | PORT_WKCONN_E)
-+
- /* Some 0.95 hardware can't handle the chain bit on a Link TRB being cleared */
- static int link_quirk;
- module_param(link_quirk, int, S_IRUGO | S_IWUSR);
-@@ -842,13 +844,47 @@ static void xhci_clear_command_ring(struct xhci_hcd *xhci)
- 	xhci_set_cmd_ring_deq(xhci);
- }
- 
-+static void xhci_disable_port_wake_on_bits(struct xhci_hcd *xhci)
-+{
-+	int port_index;
-+	__le32 __iomem **port_array;
-+	unsigned long flags;
-+	u32 t1, t2;
-+
-+	spin_lock_irqsave(&xhci->lock, flags);
-+
-+	/* disble usb3 ports Wake bits*/
-+	port_index = xhci->num_usb3_ports;
-+	port_array = xhci->usb3_ports;
-+	while (port_index--) {
-+		t1 = readl(port_array[port_index]);
-+		t1 = xhci_port_state_to_neutral(t1);
-+		t2 = t1 & ~PORT_WAKE_BITS;
-+		if (t1 != t2)
-+			writel(t2, port_array[port_index]);
-+	}
-+
-+	/* disble usb2 ports Wake bits*/
-+	port_index = xhci->num_usb2_ports;
-+	port_array = xhci->usb2_ports;
-+	while (port_index--) {
-+		t1 = readl(port_array[port_index]);
-+		t1 = xhci_port_state_to_neutral(t1);
-+		t2 = t1 & ~PORT_WAKE_BITS;
-+		if (t1 != t2)
-+			writel(t2, port_array[port_index]);
-+	}
-+
-+	spin_unlock_irqrestore(&xhci->lock, flags);
-+}
-+
- /*
-  * Stop HC (not bus-specific)
-  *
-  * This is called when the machine transition into S3/S4 mode.
-  *
-  */
--int xhci_suspend(struct xhci_hcd *xhci)
-+int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup)
- {
- 	int			rc = 0;
- 	unsigned int		delay = XHCI_MAX_HALT_USEC;
-@@ -859,6 +895,10 @@ int xhci_suspend(struct xhci_hcd *xhci)
- 			xhci->shared_hcd->state != HC_STATE_SUSPENDED)
- 		return -EINVAL;
- 
-+	/* Clear root port wake on bits if wakeup not allowed. */
-+	if (!do_wakeup)
-+		xhci_disable_port_wake_on_bits(xhci);
-+
- 	/* Don't poll the roothubs on bus suspend. */
- 	xhci_dbg(xhci, "%s: stopping port polling.\n", __func__);
- 	clear_bit(HCD_FLAG_POLL_RH, &hcd->flags);
-diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
-index 8faef64..96e9e78 100644
---- a/drivers/usb/host/xhci.h
-+++ b/drivers/usb/host/xhci.h
-@@ -1760,7 +1760,7 @@ void xhci_shutdown(struct usb_hcd *hcd);
- int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks);
- 
- #ifdef	CONFIG_PM
--int xhci_suspend(struct xhci_hcd *xhci);
-+int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup);
- int xhci_resume(struct xhci_hcd *xhci, bool hibernated);
- #else
- #define	xhci_suspend	NULL
-diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
-index 3beae72..5741e94 100644
---- a/drivers/usb/serial/cp210x.c
-+++ b/drivers/usb/serial/cp210x.c
-@@ -120,6 +120,7 @@ static const struct usb_device_id id_table[] = {
- 	{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
- 	{ USB_DEVICE(0x10C4, 0x8664) }, /* AC-Services CAN-IF */
- 	{ USB_DEVICE(0x10C4, 0x8665) }, /* AC-Services OBD-IF */
-+	{ USB_DEVICE(0x10C4, 0x8875) }, /* CEL MeshConnect USB Stick */
- 	{ USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
- 	{ USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
- 	{ USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
-diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
-index a523ada..debcdef 100644
---- a/drivers/usb/serial/ftdi_sio.c
-+++ b/drivers/usb/serial/ftdi_sio.c
-@@ -483,6 +483,39 @@ static const struct usb_device_id id_table_combined[] = {
- 	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_01FD_PID) },
- 	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_01FE_PID) },
- 	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_01FF_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_4701_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9300_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9301_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9302_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9303_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9304_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9305_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9306_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9307_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9308_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9309_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_930A_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_930B_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_930C_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_930D_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_930E_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_930F_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9310_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9311_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9312_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9313_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9314_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9315_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9316_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9317_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9318_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9319_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_931A_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_931B_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_931C_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_931D_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_931E_PID) },
-+	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_931F_PID) },
- 	{ USB_DEVICE(FTDI_VID, FTDI_PERLE_ULTRAPORT_PID) },
- 	{ USB_DEVICE(FTDI_VID, FTDI_PIEGROUP_PID) },
- 	{ USB_DEVICE(FTDI_VID, FTDI_TNC_X_PID) },
-diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
-index 6786b70..e52409c9 100644
---- a/drivers/usb/serial/ftdi_sio_ids.h
-+++ b/drivers/usb/serial/ftdi_sio_ids.h
-@@ -926,8 +926,8 @@
- #define BAYER_CONTOUR_CABLE_PID        0x6001
- 
- /*
-- * The following are the values for the Matrix Orbital FTDI Range
-- * Anything in this range will use an FT232RL.
-+ * Matrix Orbital Intelligent USB displays.
-+ * http://www.matrixorbital.com
-  */
- #define MTXORB_VID			0x1B3D
- #define MTXORB_FTDI_RANGE_0100_PID	0x0100
-@@ -1186,8 +1186,39 @@
- #define MTXORB_FTDI_RANGE_01FD_PID	0x01FD
- #define MTXORB_FTDI_RANGE_01FE_PID	0x01FE
- #define MTXORB_FTDI_RANGE_01FF_PID	0x01FF
--
--
-+#define MTXORB_FTDI_RANGE_4701_PID	0x4701
-+#define MTXORB_FTDI_RANGE_9300_PID	0x9300
-+#define MTXORB_FTDI_RANGE_9301_PID	0x9301
-+#define MTXORB_FTDI_RANGE_9302_PID	0x9302
-+#define MTXORB_FTDI_RANGE_9303_PID	0x9303
-+#define MTXORB_FTDI_RANGE_9304_PID	0x9304
-+#define MTXORB_FTDI_RANGE_9305_PID	0x9305
-+#define MTXORB_FTDI_RANGE_9306_PID	0x9306
-+#define MTXORB_FTDI_RANGE_9307_PID	0x9307
-+#define MTXORB_FTDI_RANGE_9308_PID	0x9308
-+#define MTXORB_FTDI_RANGE_9309_PID	0x9309
-+#define MTXORB_FTDI_RANGE_930A_PID	0x930A
-+#define MTXORB_FTDI_RANGE_930B_PID	0x930B
-+#define MTXORB_FTDI_RANGE_930C_PID	0x930C
-+#define MTXORB_FTDI_RANGE_930D_PID	0x930D
-+#define MTXORB_FTDI_RANGE_930E_PID	0x930E
-+#define MTXORB_FTDI_RANGE_930F_PID	0x930F
-+#define MTXORB_FTDI_RANGE_9310_PID	0x9310
-+#define MTXORB_FTDI_RANGE_9311_PID	0x9311
-+#define MTXORB_FTDI_RANGE_9312_PID	0x9312
-+#define MTXORB_FTDI_RANGE_9313_PID	0x9313
-+#define MTXORB_FTDI_RANGE_9314_PID	0x9314
-+#define MTXORB_FTDI_RANGE_9315_PID	0x9315
-+#define MTXORB_FTDI_RANGE_9316_PID	0x9316
-+#define MTXORB_FTDI_RANGE_9317_PID	0x9317
-+#define MTXORB_FTDI_RANGE_9318_PID	0x9318
-+#define MTXORB_FTDI_RANGE_9319_PID	0x9319
-+#define MTXORB_FTDI_RANGE_931A_PID	0x931A
-+#define MTXORB_FTDI_RANGE_931B_PID	0x931B
-+#define MTXORB_FTDI_RANGE_931C_PID	0x931C
-+#define MTXORB_FTDI_RANGE_931D_PID	0x931D
-+#define MTXORB_FTDI_RANGE_931E_PID	0x931E
-+#define MTXORB_FTDI_RANGE_931F_PID	0x931F
- 
- /*
-  * The Mobility Lab (TML)
-diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
-index 265c677..49101fe 100644
---- a/drivers/usb/serial/keyspan.c
-+++ b/drivers/usb/serial/keyspan.c
-@@ -311,24 +311,30 @@ static void	usa26_indat_callback(struct urb *urb)
- 		if ((data[0] & 0x80) == 0) {
- 			/* no errors on individual bytes, only
- 			   possible overrun err */
--			if (data[0] & RXERROR_OVERRUN)
--				err = TTY_OVERRUN;
--			else
--				err = 0;
-+			if (data[0] & RXERROR_OVERRUN) {
-+				tty_insert_flip_char(&port->port, 0,
-+								TTY_OVERRUN);
-+			}
- 			for (i = 1; i < urb->actual_length ; ++i)
--				tty_insert_flip_char(&port->port, data[i], err);
-+				tty_insert_flip_char(&port->port, data[i],
-+								TTY_NORMAL);
- 		} else {
- 			/* some bytes had errors, every byte has status */
- 			dev_dbg(&port->dev, "%s - RX error!!!!\n", __func__);
- 			for (i = 0; i + 1 < urb->actual_length; i += 2) {
--				int stat = data[i], flag = 0;
--				if (stat & RXERROR_OVERRUN)
--					flag |= TTY_OVERRUN;
--				if (stat & RXERROR_FRAMING)
--					flag |= TTY_FRAME;
--				if (stat & RXERROR_PARITY)
--					flag |= TTY_PARITY;
-+				int stat = data[i];
-+				int flag = TTY_NORMAL;
-+
-+				if (stat & RXERROR_OVERRUN) {
-+					tty_insert_flip_char(&port->port, 0,
-+								TTY_OVERRUN);
-+				}
- 				/* XXX should handle break (0x10) */
-+				if (stat & RXERROR_PARITY)
-+					flag = TTY_PARITY;
-+				else if (stat & RXERROR_FRAMING)
-+					flag = TTY_FRAME;
-+
- 				tty_insert_flip_char(&port->port, data[i+1],
- 						flag);
- 			}
-@@ -666,14 +672,19 @@ static void	usa49_indat_callback(struct urb *urb)
- 		} else {
- 			/* some bytes had errors, every byte has status */
- 			for (i = 0; i + 1 < urb->actual_length; i += 2) {
--				int stat = data[i], flag = 0;
--				if (stat & RXERROR_OVERRUN)
--					flag |= TTY_OVERRUN;
--				if (stat & RXERROR_FRAMING)
--					flag |= TTY_FRAME;
--				if (stat & RXERROR_PARITY)
--					flag |= TTY_PARITY;
-+				int stat = data[i];
-+				int flag = TTY_NORMAL;
-+
-+				if (stat & RXERROR_OVERRUN) {
-+					tty_insert_flip_char(&port->port, 0,
-+								TTY_OVERRUN);
-+				}
- 				/* XXX should handle break (0x10) */
-+				if (stat & RXERROR_PARITY)
-+					flag = TTY_PARITY;
-+				else if (stat & RXERROR_FRAMING)
-+					flag = TTY_FRAME;
-+
- 				tty_insert_flip_char(&port->port, data[i+1],
- 						flag);
- 			}
-@@ -730,15 +741,19 @@ static void usa49wg_indat_callback(struct urb *urb)
- 			 */
- 			for (x = 0; x + 1 < len &&
- 				    i + 1 < urb->actual_length; x += 2) {
--				int stat = data[i], flag = 0;
-+				int stat = data[i];
-+				int flag = TTY_NORMAL;
- 
--				if (stat & RXERROR_OVERRUN)
--					flag |= TTY_OVERRUN;
--				if (stat & RXERROR_FRAMING)
--					flag |= TTY_FRAME;
--				if (stat & RXERROR_PARITY)
--					flag |= TTY_PARITY;
-+				if (stat & RXERROR_OVERRUN) {
-+					tty_insert_flip_char(&port->port, 0,
-+								TTY_OVERRUN);
-+				}
- 				/* XXX should handle break (0x10) */
-+				if (stat & RXERROR_PARITY)
-+					flag = TTY_PARITY;
-+				else if (stat & RXERROR_FRAMING)
-+					flag = TTY_FRAME;
-+
- 				tty_insert_flip_char(&port->port, data[i+1],
- 						     flag);
- 				i += 2;
-@@ -790,25 +805,31 @@ static void usa90_indat_callback(struct urb *urb)
- 			if ((data[0] & 0x80) == 0) {
- 				/* no errors on individual bytes, only
- 				   possible overrun err*/
--				if (data[0] & RXERROR_OVERRUN)
--					err = TTY_OVERRUN;
--				else
--					err = 0;
-+				if (data[0] & RXERROR_OVERRUN) {
-+					tty_insert_flip_char(&port->port, 0,
-+								TTY_OVERRUN);
-+				}
- 				for (i = 1; i < urb->actual_length ; ++i)
- 					tty_insert_flip_char(&port->port,
--							data[i], err);
-+							data[i], TTY_NORMAL);
- 			}  else {
- 			/* some bytes had errors, every byte has status */
- 				dev_dbg(&port->dev, "%s - RX error!!!!\n", __func__);
- 				for (i = 0; i + 1 < urb->actual_length; i += 2) {
--					int stat = data[i], flag = 0;
--					if (stat & RXERROR_OVERRUN)
--						flag |= TTY_OVERRUN;
--					if (stat & RXERROR_FRAMING)
--						flag |= TTY_FRAME;
--					if (stat & RXERROR_PARITY)
--						flag |= TTY_PARITY;
-+					int stat = data[i];
-+					int flag = TTY_NORMAL;
-+
-+					if (stat & RXERROR_OVERRUN) {
-+						tty_insert_flip_char(
-+								&port->port, 0,
-+								TTY_OVERRUN);
-+					}
- 					/* XXX should handle break (0x10) */
-+					if (stat & RXERROR_PARITY)
-+						flag = TTY_PARITY;
-+					else if (stat & RXERROR_FRAMING)
-+						flag = TTY_FRAME;
-+
- 					tty_insert_flip_char(&port->port,
- 							data[i+1], flag);
- 				}
-diff --git a/drivers/usb/serial/ssu100.c b/drivers/usb/serial/ssu100.c
-index a7fe664..70a098d 100644
---- a/drivers/usb/serial/ssu100.c
-+++ b/drivers/usb/serial/ssu100.c
-@@ -490,10 +490,9 @@ static void ssu100_update_lsr(struct usb_serial_port *port, u8 lsr,
- 			if (*tty_flag == TTY_NORMAL)
- 				*tty_flag = TTY_FRAME;
- 		}
--		if (lsr & UART_LSR_OE){
-+		if (lsr & UART_LSR_OE) {
- 			port->icount.overrun++;
--			if (*tty_flag == TTY_NORMAL)
--				*tty_flag = TTY_OVERRUN;
-+			tty_insert_flip_char(&port->port, 0, TTY_OVERRUN);
- 		}
- 	}
- 
-@@ -511,12 +510,8 @@ static void ssu100_process_read_urb(struct urb *urb)
- 	if ((len >= 4) &&
- 	    (packet[0] == 0x1b) && (packet[1] == 0x1b) &&
- 	    ((packet[2] == 0x00) || (packet[2] == 0x01))) {
--		if (packet[2] == 0x00) {
-+		if (packet[2] == 0x00)
- 			ssu100_update_lsr(port, packet[3], &flag);
--			if (flag == TTY_OVERRUN)
--				tty_insert_flip_char(&port->port, 0,
--						TTY_OVERRUN);
--		}
- 		if (packet[2] == 0x01)
- 			ssu100_update_msr(port, packet[3]);
- 
-diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
-index e48d4a6..5d0b7b8 100644
---- a/drivers/vhost/scsi.c
-+++ b/drivers/vhost/scsi.c
-@@ -1200,6 +1200,7 @@ static int
- vhost_scsi_set_endpoint(struct vhost_scsi *vs,
- 			struct vhost_scsi_target *t)
- {
-+	struct se_portal_group *se_tpg;
- 	struct tcm_vhost_tport *tv_tport;
- 	struct tcm_vhost_tpg *tpg;
- 	struct tcm_vhost_tpg **vs_tpg;
-@@ -1247,6 +1248,21 @@ vhost_scsi_set_endpoint(struct vhost_scsi *vs,
- 				ret = -EEXIST;
- 				goto out;
- 			}
-+			/*
-+			 * In order to ensure individual vhost-scsi configfs
-+			 * groups cannot be removed while in use by vhost ioctl,
-+			 * go ahead and take an explicit se_tpg->tpg_group.cg_item
-+			 * dependency now.
-+			 */
-+			se_tpg = &tpg->se_tpg;
-+			ret = configfs_depend_item(se_tpg->se_tpg_tfo->tf_subsys,
-+						   &se_tpg->tpg_group.cg_item);
-+			if (ret) {
-+				pr_warn("configfs_depend_item() failed: %d\n", ret);
-+				kfree(vs_tpg);
-+				mutex_unlock(&tpg->tv_tpg_mutex);
-+				goto out;
-+			}
- 			tpg->tv_tpg_vhost_count++;
- 			tpg->vhost_scsi = vs;
- 			vs_tpg[tpg->tport_tpgt] = tpg;
-@@ -1289,6 +1305,7 @@ static int
- vhost_scsi_clear_endpoint(struct vhost_scsi *vs,
- 			  struct vhost_scsi_target *t)
- {
-+	struct se_portal_group *se_tpg;
- 	struct tcm_vhost_tport *tv_tport;
- 	struct tcm_vhost_tpg *tpg;
- 	struct vhost_virtqueue *vq;
-@@ -1337,6 +1354,13 @@ vhost_scsi_clear_endpoint(struct vhost_scsi *vs,
- 		vs->vs_tpg[target] = NULL;
- 		match = true;
- 		mutex_unlock(&tpg->tv_tpg_mutex);
-+		/*
-+		 * Release se_tpg->tpg_group.cg_item configfs dependency now
-+		 * to allow vhost-scsi WWPN se_tpg->tpg_group shutdown to occur.
-+		 */
-+		se_tpg = &tpg->se_tpg;
-+		configfs_undepend_item(se_tpg->se_tpg_tfo->tf_subsys,
-+				       &se_tpg->tpg_group.cg_item);
- 	}
- 	if (match) {
- 		for (i = 0; i < VHOST_SCSI_MAX_VQ; i++) {
-diff --git a/fs/aio.c b/fs/aio.c
-index f45ddaa..2f7e8c2 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -165,6 +165,15 @@ static struct vfsmount *aio_mnt;
- static const struct file_operations aio_ring_fops;
- static const struct address_space_operations aio_ctx_aops;
- 
-+/* Backing dev info for aio fs.
-+ * -no dirty page accounting or writeback happens
-+ */
-+static struct backing_dev_info aio_fs_backing_dev_info = {
-+	.name           = "aiofs",
-+	.state          = 0,
-+	.capabilities   = BDI_CAP_NO_ACCT_AND_WRITEBACK | BDI_CAP_MAP_COPY,
-+};
-+
- static struct file *aio_private_file(struct kioctx *ctx, loff_t nr_pages)
- {
- 	struct qstr this = QSTR_INIT("[aio]", 5);
-@@ -176,6 +185,7 @@ static struct file *aio_private_file(struct kioctx *ctx, loff_t nr_pages)
- 
- 	inode->i_mapping->a_ops = &aio_ctx_aops;
- 	inode->i_mapping->private_data = ctx;
-+	inode->i_mapping->backing_dev_info = &aio_fs_backing_dev_info;
- 	inode->i_size = PAGE_SIZE * nr_pages;
- 
- 	path.dentry = d_alloc_pseudo(aio_mnt->mnt_sb, &this);
-@@ -221,6 +231,9 @@ static int __init aio_setup(void)
- 	if (IS_ERR(aio_mnt))
- 		panic("Failed to create aio fs mount.");
- 
-+	if (bdi_init(&aio_fs_backing_dev_info))
-+		panic("Failed to init aio fs backing dev info.");
-+
- 	kiocb_cachep = KMEM_CACHE(kiocb, SLAB_HWCACHE_ALIGN|SLAB_PANIC);
- 	kioctx_cachep = KMEM_CACHE(kioctx,SLAB_HWCACHE_ALIGN|SLAB_PANIC);
- 
-@@ -282,11 +295,6 @@ static const struct file_operations aio_ring_fops = {
- 	.mmap = aio_ring_mmap,
- };
- 
--static int aio_set_page_dirty(struct page *page)
--{
--	return 0;
--}
--
- #if IS_ENABLED(CONFIG_MIGRATION)
- static int aio_migratepage(struct address_space *mapping, struct page *new,
- 			struct page *old, enum migrate_mode mode)
-@@ -358,7 +366,7 @@ out:
- #endif
- 
- static const struct address_space_operations aio_ctx_aops = {
--	.set_page_dirty = aio_set_page_dirty,
-+	.set_page_dirty = __set_page_dirty_no_writeback,
- #if IS_ENABLED(CONFIG_MIGRATION)
- 	.migratepage	= aio_migratepage,
- #endif
-@@ -413,7 +421,6 @@ static int aio_setup_ring(struct kioctx *ctx)
- 		pr_debug("pid(%d) page[%d]->count=%d\n",
- 			 current->pid, i, page_count(page));
- 		SetPageUptodate(page);
--		SetPageDirty(page);
- 		unlock_page(page);
- 
- 		ctx->ring_pages[i] = page;
-diff --git a/fs/locks.c b/fs/locks.c
-index 4dd39b9..2c61c4e 100644
---- a/fs/locks.c
-+++ b/fs/locks.c
-@@ -2235,16 +2235,28 @@ void locks_remove_flock(struct file *filp)
- 
- 	while ((fl = *before) != NULL) {
- 		if (fl->fl_file == filp) {
--			if (IS_FLOCK(fl)) {
--				locks_delete_lock(before);
--				continue;
--			}
- 			if (IS_LEASE(fl)) {
- 				lease_modify(before, F_UNLCK);
- 				continue;
- 			}
--			/* What? */
--			BUG();
-+
-+			/*
-+			 * There's a leftover lock on the list of a type that
-+			 * we didn't expect to see. Most likely a classic
-+			 * POSIX lock that ended up not getting released
-+			 * properly, or that raced onto the list somehow. Log
-+			 * some info about it and then just remove it from
-+			 * the list.
-+			 */
-+			WARN(!IS_FLOCK(fl),
-+				"leftover lock: dev=%u:%u ino=%lu type=%hhd flags=0x%x start=%lld end=%lld\n",
-+				MAJOR(inode->i_sb->s_dev),
-+				MINOR(inode->i_sb->s_dev), inode->i_ino,
-+				fl->fl_type, fl->fl_flags,
-+				fl->fl_start, fl->fl_end);
-+
-+			locks_delete_lock(before);
-+			continue;
-  		}
- 		before = &fl->fl_next;
- 	}
-diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c
-index 2ffebf2..27d7f27 100644
---- a/fs/nfs/pagelist.c
-+++ b/fs/nfs/pagelist.c
-@@ -113,7 +113,7 @@ __nfs_iocounter_wait(struct nfs_io_counter *c)
- 		if (atomic_read(&c->io_count) == 0)
- 			break;
- 		ret = nfs_wait_bit_killable(&c->flags);
--	} while (atomic_read(&c->io_count) != 0);
-+	} while (atomic_read(&c->io_count) != 0 && !ret);
- 	finish_wait(wq, &q.wait);
- 	return ret;
- }
-diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
-index cc8c5b3..f42bbe5 100644
---- a/fs/nfsd/nfs4callback.c
-+++ b/fs/nfsd/nfs4callback.c
-@@ -784,8 +784,12 @@ static bool nfsd41_cb_get_slot(struct nfs4_client *clp, struct rpc_task *task)
- {
- 	if (test_and_set_bit(0, &clp->cl_cb_slot_busy) != 0) {
- 		rpc_sleep_on(&clp->cl_cb_waitq, task, NULL);
--		dprintk("%s slot is busy\n", __func__);
--		return false;
-+		/* Race breaker */
-+		if (test_and_set_bit(0, &clp->cl_cb_slot_busy) != 0) {
-+			dprintk("%s slot is busy\n", __func__);
-+			return false;
-+		}
-+		rpc_wake_up_queued_task(&clp->cl_cb_waitq, task);
- 	}
- 	return true;
- }
-diff --git a/fs/nfsd/nfscache.c b/fs/nfsd/nfscache.c
-index f8f060f..6040da8 100644
---- a/fs/nfsd/nfscache.c
-+++ b/fs/nfsd/nfscache.c
-@@ -224,13 +224,6 @@ hash_refile(struct svc_cacherep *rp)
- 	hlist_add_head(&rp->c_hash, cache_hash + hash_32(rp->c_xid, maskbits));
- }
- 
--static inline bool
--nfsd_cache_entry_expired(struct svc_cacherep *rp)
--{
--	return rp->c_state != RC_INPROG &&
--	       time_after(jiffies, rp->c_timestamp + RC_EXPIRE);
--}
--
- /*
-  * Walk the LRU list and prune off entries that are older than RC_EXPIRE.
-  * Also prune the oldest ones when the total exceeds the max number of entries.
-@@ -242,8 +235,14 @@ prune_cache_entries(void)
- 	long freed = 0;
- 
- 	list_for_each_entry_safe(rp, tmp, &lru_head, c_lru) {
--		if (!nfsd_cache_entry_expired(rp) &&
--		    num_drc_entries <= max_drc_entries)
-+		/*
-+		 * Don't free entries attached to calls that are still
-+		 * in-progress, but do keep scanning the list.
-+		 */
-+		if (rp->c_state == RC_INPROG)
-+			continue;
-+		if (num_drc_entries <= max_drc_entries &&
-+		    time_before(jiffies, rp->c_timestamp + RC_EXPIRE))
- 			break;
- 		nfsd_reply_cache_free_locked(rp);
- 		freed++;
-diff --git a/fs/nfsd/nfsd.h b/fs/nfsd/nfsd.h
-index 479eb68..f417fef 100644
---- a/fs/nfsd/nfsd.h
-+++ b/fs/nfsd/nfsd.h
-@@ -328,12 +328,15 @@ void		nfsd_lockd_shutdown(void);
- 	(NFSD4_SUPPORTED_ATTRS_WORD2 | FATTR4_WORD2_SUPPATTR_EXCLCREAT)
- 
- #ifdef CONFIG_NFSD_V4_SECURITY_LABEL
--#define NFSD4_2_SUPPORTED_ATTRS_WORD2 \
--	(NFSD4_1_SUPPORTED_ATTRS_WORD2 | FATTR4_WORD2_SECURITY_LABEL)
-+#define NFSD4_2_SECURITY_ATTRS		FATTR4_WORD2_SECURITY_LABEL
- #else
--#define NFSD4_2_SUPPORTED_ATTRS_WORD2 0
-+#define NFSD4_2_SECURITY_ATTRS		0
- #endif
- 
-+#define NFSD4_2_SUPPORTED_ATTRS_WORD2 \
-+	(NFSD4_1_SUPPORTED_ATTRS_WORD2 | \
-+	NFSD4_2_SECURITY_ATTRS)
-+
- static inline u32 nfsd_suppattrs0(u32 minorversion)
- {
- 	return minorversion ? NFSD4_1_SUPPORTED_ATTRS_WORD0
-diff --git a/include/linux/bitops.h b/include/linux/bitops.h
-index be5fd38..5d858e0 100644
---- a/include/linux/bitops.h
-+++ b/include/linux/bitops.h
-@@ -18,8 +18,11 @@
-  * position @h. For example
-  * GENMASK_ULL(39, 21) gives us the 64bit vector 0x000000ffffe00000.
-  */
--#define GENMASK(h, l)		(((U32_C(1) << ((h) - (l) + 1)) - 1) << (l))
--#define GENMASK_ULL(h, l)	(((U64_C(1) << ((h) - (l) + 1)) - 1) << (l))
-+#define GENMASK(h, l) \
-+	(((~0UL) << (l)) & (~0UL >> (BITS_PER_LONG - 1 - (h))))
-+
-+#define GENMASK_ULL(h, l) \
-+	(((~0ULL) << (l)) & (~0ULL >> (BITS_PER_LONG_LONG - 1 - (h))))
- 
- extern unsigned int __sw_hweight8(unsigned int w);
- extern unsigned int __sw_hweight16(unsigned int w);
-diff --git a/include/linux/iio/events.h b/include/linux/iio/events.h
-index 8bbd7bc..03fa332 100644
---- a/include/linux/iio/events.h
-+++ b/include/linux/iio/events.h
-@@ -72,7 +72,7 @@ struct iio_event_data {
- 
- #define IIO_EVENT_CODE_EXTRACT_TYPE(mask) ((mask >> 56) & 0xFF)
- 
--#define IIO_EVENT_CODE_EXTRACT_DIR(mask) ((mask >> 48) & 0xCF)
-+#define IIO_EVENT_CODE_EXTRACT_DIR(mask) ((mask >> 48) & 0x7F)
- 
- #define IIO_EVENT_CODE_EXTRACT_CHAN_TYPE(mask) ((mask >> 32) & 0xFF)
- 
-diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
-index 0068708..0a21fbe 100644
---- a/include/linux/inetdevice.h
-+++ b/include/linux/inetdevice.h
-@@ -242,7 +242,7 @@ static inline void in_dev_put(struct in_device *idev)
- static __inline__ __be32 inet_make_mask(int logmask)
- {
- 	if (logmask)
--		return htonl(~((1<<(32-logmask))-1));
-+		return htonl(~((1U<<(32-logmask))-1));
- 	return 0;
- }
- 
-diff --git a/include/linux/pci.h b/include/linux/pci.h
-index 33aa2ca..0e5e16c 100644
---- a/include/linux/pci.h
-+++ b/include/linux/pci.h
-@@ -324,6 +324,7 @@ struct pci_dev {
- 	unsigned int	is_added:1;
- 	unsigned int	is_busmaster:1; /* device is busmaster */
- 	unsigned int	no_msi:1;	/* device may not use msi */
-+	unsigned int	no_64bit_msi:1; /* device may only use 32-bit MSIs */
- 	unsigned int	block_cfg_access:1;	/* config space access is blocked */
- 	unsigned int	broken_parity_status:1;	/* Device generates false positive parity */
- 	unsigned int	irq_reroute_variant:2;	/* device needs IRQ rerouting variant */
-diff --git a/include/sound/soc-dpcm.h b/include/sound/soc-dpcm.h
-index 2883a7a..98f2ade 100644
---- a/include/sound/soc-dpcm.h
-+++ b/include/sound/soc-dpcm.h
-@@ -102,6 +102,8 @@ struct snd_soc_dpcm_runtime {
- 	/* state and update */
- 	enum snd_soc_dpcm_update runtime_update;
- 	enum snd_soc_dpcm_state state;
-+
-+	int trigger_pending; /* trigger cmd + 1 if pending, 0 if not */
- };
- 
- /* can this BE stop and free */
-diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
-index 307d87c..1139b22 100644
---- a/kernel/events/uprobes.c
-+++ b/kernel/events/uprobes.c
-@@ -1621,7 +1621,6 @@ bool uprobe_deny_signal(void)
- 		if (__fatal_signal_pending(t) || arch_uprobe_xol_was_trapped(t)) {
- 			utask->state = UTASK_SSTEP_TRAPPED;
- 			set_tsk_thread_flag(t, TIF_UPROBE);
--			set_tsk_thread_flag(t, TIF_NOTIFY_RESUME);
- 		}
- 	}
- 
-diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
-index b851cc5..fbda6b5 100644
---- a/net/batman-adv/hard-interface.c
-+++ b/net/batman-adv/hard-interface.c
-@@ -83,7 +83,7 @@ static bool batadv_is_on_batman_iface(const struct net_device *net_dev)
- 		return true;
- 
- 	/* no more parents..stop recursion */
--	if (net_dev->iflink == net_dev->ifindex)
-+	if (net_dev->iflink == 0 || net_dev->iflink == net_dev->ifindex)
- 		return false;
- 
- 	/* recurse over the parent device */
-diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
-index f2e1573..8f7bd56 100644
---- a/net/ipv4/fib_rules.c
-+++ b/net/ipv4/fib_rules.c
-@@ -62,6 +62,10 @@ int __fib_lookup(struct net *net, struct flowi4 *flp, struct fib_result *res)
- 	else
- 		res->tclassid = 0;
- #endif
-+
-+	if (err == -ESRCH)
-+		err = -ENETUNREACH;
-+
- 	return err;
- }
- EXPORT_SYMBOL_GPL(__fib_lookup);
-diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
-index e21934b..0d33f94 100644
---- a/net/ipv4/ping.c
-+++ b/net/ipv4/ping.c
-@@ -217,6 +217,8 @@ static struct sock *ping_lookup(struct net *net, struct sk_buff *skb, u16 ident)
- 					     &ipv6_hdr(skb)->daddr))
- 				continue;
- #endif
-+		} else {
-+			continue;
- 		}
- 
- 		if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif)
-diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
-index 00b2a6d..d65aea2 100644
---- a/net/ipx/af_ipx.c
-+++ b/net/ipx/af_ipx.c
-@@ -1763,6 +1763,7 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock,
- 	struct ipxhdr *ipx = NULL;
- 	struct sk_buff *skb;
- 	int copied, rc;
-+	bool locked = true;
- 
- 	lock_sock(sk);
- 	/* put the autobinding in */
-@@ -1789,6 +1790,8 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock,
- 	if (sock_flag(sk, SOCK_ZAPPED))
- 		goto out;
- 
-+	release_sock(sk);
-+	locked = false;
- 	skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
- 				flags & MSG_DONTWAIT, &rc);
- 	if (!skb)
-@@ -1822,7 +1825,8 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock,
- out_free:
- 	skb_free_datagram(sk, skb);
- out:
--	release_sock(sk);
-+	if (locked)
-+		release_sock(sk);
- 	return rc;
- }
- 
-diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c
-index 0fcbe90..12528e9 100644
---- a/sound/soc/codecs/sgtl5000.c
-+++ b/sound/soc/codecs/sgtl5000.c
-@@ -1369,8 +1369,7 @@ static int sgtl5000_probe(struct snd_soc_codec *codec)
- 
- 	/* enable small pop, introduce 400ms delay in turning off */
- 	snd_soc_update_bits(codec, SGTL5000_CHIP_REF_CTRL,
--				SGTL5000_SMALL_POP,
--				SGTL5000_SMALL_POP);
-+				SGTL5000_SMALL_POP, 1);
- 
- 	/* disable short cut detector */
- 	snd_soc_write(codec, SGTL5000_CHIP_SHORT_CTRL, 0);
-diff --git a/sound/soc/codecs/sgtl5000.h b/sound/soc/codecs/sgtl5000.h
-index 2f8c889..bd7a344 100644
---- a/sound/soc/codecs/sgtl5000.h
-+++ b/sound/soc/codecs/sgtl5000.h
-@@ -275,7 +275,7 @@
- #define SGTL5000_BIAS_CTRL_MASK			0x000e
- #define SGTL5000_BIAS_CTRL_SHIFT		1
- #define SGTL5000_BIAS_CTRL_WIDTH		3
--#define SGTL5000_SMALL_POP			0x0001
-+#define SGTL5000_SMALL_POP			0
- 
- /*
-  * SGTL5000_CHIP_MIC_CTRL
-diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c
-index 53c03af..0502e3f 100644
---- a/sound/soc/codecs/wm_adsp.c
-+++ b/sound/soc/codecs/wm_adsp.c
-@@ -1341,6 +1341,7 @@ static int wm_adsp_load_coeff(struct wm_adsp *dsp)
- 			  file, blocks, pos - firmware->size);
- 
- out_fw:
-+	regmap_async_complete(regmap);
- 	release_firmware(firmware);
- 	wm_adsp_buf_free(&buf_list);
- out:
-diff --git a/sound/soc/sh/fsi.c b/sound/soc/sh/fsi.c
-index 1967f44..9d0c59c 100644
---- a/sound/soc/sh/fsi.c
-+++ b/sound/soc/sh/fsi.c
-@@ -1785,8 +1785,7 @@ static const struct snd_soc_dai_ops fsi_dai_ops = {
- static struct snd_pcm_hardware fsi_pcm_hardware = {
- 	.info =		SNDRV_PCM_INFO_INTERLEAVED	|
- 			SNDRV_PCM_INFO_MMAP		|
--			SNDRV_PCM_INFO_MMAP_VALID	|
--			SNDRV_PCM_INFO_PAUSE,
-+			SNDRV_PCM_INFO_MMAP_VALID,
- 	.buffer_bytes_max	= 64 * 1024,
- 	.period_bytes_min	= 32,
- 	.period_bytes_max	= 8192,
-diff --git a/sound/soc/sh/rcar/core.c b/sound/soc/sh/rcar/core.c
-index 743de5e..37fcd93 100644
---- a/sound/soc/sh/rcar/core.c
-+++ b/sound/soc/sh/rcar/core.c
-@@ -626,8 +626,7 @@ static void rsnd_dai_remove(struct platform_device *pdev,
- static struct snd_pcm_hardware rsnd_pcm_hardware = {
- 	.info =		SNDRV_PCM_INFO_INTERLEAVED	|
- 			SNDRV_PCM_INFO_MMAP		|
--			SNDRV_PCM_INFO_MMAP_VALID	|
--			SNDRV_PCM_INFO_PAUSE,
-+			SNDRV_PCM_INFO_MMAP_VALID,
- 	.buffer_bytes_max	= 64 * 1024,
- 	.period_bytes_min	= 32,
- 	.period_bytes_max	= 8192,
-diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
-index 02733de..e28704e 100644
---- a/sound/soc/soc-pcm.c
-+++ b/sound/soc/soc-pcm.c
-@@ -1258,13 +1258,36 @@ static void dpcm_set_fe_runtime(struct snd_pcm_substream *substream)
- 		dpcm_init_runtime_hw(runtime, &cpu_dai_drv->capture);
- }
- 
-+static int dpcm_fe_dai_do_trigger(struct snd_pcm_substream *substream, int cmd);
-+
-+/* Set FE's runtime_update state; the state is protected via PCM stream lock
-+ * for avoiding the race with trigger callback.
-+ * If the state is unset and a trigger is pending while the previous operation,
-+ * process the pending trigger action here.
-+ */
-+static void dpcm_set_fe_update_state(struct snd_soc_pcm_runtime *fe,
-+				     int stream, enum snd_soc_dpcm_update state)
-+{
-+	struct snd_pcm_substream *substream =
-+		snd_soc_dpcm_get_substream(fe, stream);
-+
-+	snd_pcm_stream_lock_irq(substream);
-+	if (state == SND_SOC_DPCM_UPDATE_NO && fe->dpcm[stream].trigger_pending) {
-+		dpcm_fe_dai_do_trigger(substream,
-+				       fe->dpcm[stream].trigger_pending - 1);
-+		fe->dpcm[stream].trigger_pending = 0;
-+	}
-+	fe->dpcm[stream].runtime_update = state;
-+	snd_pcm_stream_unlock_irq(substream);
-+}
-+
- static int dpcm_fe_dai_startup(struct snd_pcm_substream *fe_substream)
- {
- 	struct snd_soc_pcm_runtime *fe = fe_substream->private_data;
- 	struct snd_pcm_runtime *runtime = fe_substream->runtime;
- 	int stream = fe_substream->stream, ret = 0;
- 
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_FE;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_FE);
- 
- 	ret = dpcm_be_dai_startup(fe, fe_substream->stream);
- 	if (ret < 0) {
-@@ -1286,13 +1309,13 @@ static int dpcm_fe_dai_startup(struct snd_pcm_substream *fe_substream)
- 	dpcm_set_fe_runtime(fe_substream);
- 	snd_pcm_limit_hw_rates(runtime);
- 
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_NO;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_NO);
- 	return 0;
- 
- unwind:
- 	dpcm_be_dai_startup_unwind(fe, fe_substream->stream);
- be_err:
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_NO;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_NO);
- 	return ret;
- }
- 
-@@ -1339,7 +1362,7 @@ static int dpcm_fe_dai_shutdown(struct snd_pcm_substream *substream)
- 	struct snd_soc_pcm_runtime *fe = substream->private_data;
- 	int stream = substream->stream;
- 
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_FE;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_FE);
- 
- 	/* shutdown the BEs */
- 	dpcm_be_dai_shutdown(fe, substream->stream);
-@@ -1353,7 +1376,7 @@ static int dpcm_fe_dai_shutdown(struct snd_pcm_substream *substream)
- 	dpcm_dapm_stream_event(fe, stream, SND_SOC_DAPM_STREAM_STOP);
- 
- 	fe->dpcm[stream].state = SND_SOC_DPCM_STATE_CLOSE;
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_NO;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_NO);
- 	return 0;
- }
- 
-@@ -1401,7 +1424,7 @@ static int dpcm_fe_dai_hw_free(struct snd_pcm_substream *substream)
- 	int err, stream = substream->stream;
- 
- 	mutex_lock_nested(&fe->card->mutex, SND_SOC_CARD_CLASS_RUNTIME);
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_FE;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_FE);
- 
- 	dev_dbg(fe->dev, "ASoC: hw_free FE %s\n", fe->dai_link->name);
- 
-@@ -1416,7 +1439,7 @@ static int dpcm_fe_dai_hw_free(struct snd_pcm_substream *substream)
- 	err = dpcm_be_dai_hw_free(fe, stream);
- 
- 	fe->dpcm[stream].state = SND_SOC_DPCM_STATE_HW_FREE;
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_NO;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_NO);
- 
- 	mutex_unlock(&fe->card->mutex);
- 	return 0;
-@@ -1509,7 +1532,7 @@ static int dpcm_fe_dai_hw_params(struct snd_pcm_substream *substream,
- 	int ret, stream = substream->stream;
- 
- 	mutex_lock_nested(&fe->card->mutex, SND_SOC_CARD_CLASS_RUNTIME);
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_FE;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_FE);
- 
- 	memcpy(&fe->dpcm[substream->stream].hw_params, params,
- 			sizeof(struct snd_pcm_hw_params));
-@@ -1532,7 +1555,7 @@ static int dpcm_fe_dai_hw_params(struct snd_pcm_substream *substream,
- 		fe->dpcm[stream].state = SND_SOC_DPCM_STATE_HW_PARAMS;
- 
- out:
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_NO;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_NO);
- 	mutex_unlock(&fe->card->mutex);
- 	return ret;
- }
-@@ -1646,7 +1669,7 @@ int dpcm_be_dai_trigger(struct snd_soc_pcm_runtime *fe, int stream,
- }
- EXPORT_SYMBOL_GPL(dpcm_be_dai_trigger);
- 
--static int dpcm_fe_dai_trigger(struct snd_pcm_substream *substream, int cmd)
-+static int dpcm_fe_dai_do_trigger(struct snd_pcm_substream *substream, int cmd)
- {
- 	struct snd_soc_pcm_runtime *fe = substream->private_data;
- 	int stream = substream->stream, ret;
-@@ -1720,6 +1743,23 @@ out:
- 	return ret;
- }
- 
-+static int dpcm_fe_dai_trigger(struct snd_pcm_substream *substream, int cmd)
-+{
-+	struct snd_soc_pcm_runtime *fe = substream->private_data;
-+	int stream = substream->stream;
-+
-+	/* if FE's runtime_update is already set, we're in race;
-+	 * process this trigger later at exit
-+	 */
-+	if (fe->dpcm[stream].runtime_update != SND_SOC_DPCM_UPDATE_NO) {
-+		fe->dpcm[stream].trigger_pending = cmd + 1;
-+		return 0; /* delayed, assuming it's successful */
-+	}
-+
-+	/* we're alone, let's trigger */
-+	return dpcm_fe_dai_do_trigger(substream, cmd);
-+}
-+
- int dpcm_be_dai_prepare(struct snd_soc_pcm_runtime *fe, int stream)
- {
- 	struct snd_soc_dpcm *dpcm;
-@@ -1763,7 +1803,7 @@ static int dpcm_fe_dai_prepare(struct snd_pcm_substream *substream)
- 
- 	dev_dbg(fe->dev, "ASoC: prepare FE %s\n", fe->dai_link->name);
- 
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_FE;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_FE);
- 
- 	/* there is no point preparing this FE if there are no BEs */
- 	if (list_empty(&fe->dpcm[stream].be_clients)) {
-@@ -1790,7 +1830,7 @@ static int dpcm_fe_dai_prepare(struct snd_pcm_substream *substream)
- 	fe->dpcm[stream].state = SND_SOC_DPCM_STATE_PREPARE;
- 
- out:
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_NO;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_NO);
- 	mutex_unlock(&fe->card->mutex);
- 
- 	return ret;
-@@ -1937,11 +1977,11 @@ static int dpcm_run_new_update(struct snd_soc_pcm_runtime *fe, int stream)
- {
- 	int ret;
- 
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_BE;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_BE);
- 	ret = dpcm_run_update_startup(fe, stream);
- 	if (ret < 0)
- 		dev_err(fe->dev, "ASoC: failed to startup some BEs\n");
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_NO;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_NO);
- 
- 	return ret;
- }
-@@ -1950,11 +1990,11 @@ static int dpcm_run_old_update(struct snd_soc_pcm_runtime *fe, int stream)
- {
- 	int ret;
- 
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_BE;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_BE);
- 	ret = dpcm_run_update_shutdown(fe, stream);
- 	if (ret < 0)
- 		dev_err(fe->dev, "ASoC: failed to shutdown some BEs\n");
--	fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_NO;
-+	dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_NO);
- 
- 	return ret;
- }
-diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
-index c64a3d9..827d404 100644
---- a/sound/usb/quirks.c
-+++ b/sound/usb/quirks.c
-@@ -1142,6 +1142,20 @@ void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe,
- 	if ((le16_to_cpu(dev->descriptor.idVendor) == 0x23ba) &&
- 	    (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
- 		mdelay(20);
-+
-+	/* Marantz/Denon devices with USB DAC functionality need a delay
-+	 * after each class compliant request
-+	 */
-+	if ((le16_to_cpu(dev->descriptor.idVendor) == 0x154e) &&
-+	    (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) {
-+
-+		switch (le16_to_cpu(dev->descriptor.idProduct)) {
-+		case 0x3005: /* Marantz HD-DAC1 */
-+		case 0x3006: /* Marantz SA-14S1 */
-+			mdelay(20);
-+			break;
-+		}
-+	}
- }
- 
- /*
diff --git a/3.14.26/4420_grsecurity-3.0-3.14.26-201412071005.patch b/3.14.26/4420_grsecurity-3.0-3.14.26-201412142109.patch
index 0803058..a5539ed 100644
--- a/3.14.26/4420_grsecurity-3.0-3.14.26-201412071005.patch
+++ b/3.14.26/4420_grsecurity-3.0-3.14.26-201412142109.patch
@@ -897,7 +897,7 @@ index 4733d32..b142a40 100644
  	  kexec is a system call that implements the ability to shutdown your
  	  current kernel, and to start another kernel.  It is like a reboot
 diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
-index 62d2cb5..26e43ca 100644
+index 62d2cb5..26a6f3c 100644
 --- a/arch/arm/include/asm/atomic.h
 +++ b/arch/arm/include/asm/atomic.h
 @@ -18,17 +18,41 @@
@@ -932,7 +932,7 @@ index 62d2cb5..26e43ca 100644
  #define atomic_read(v)	(*(volatile int *)&(v)->counter)
 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
 +{
-+	return v->counter;
++	return *(const volatile int *)&v->counter;
 +}
  #define atomic_set(v,i)	(((v)->counter) = (i))
 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
@@ -9624,7 +9624,7 @@ index 6777177..cb5e44f 100644
  		addr = vm_unmapped_area(&info);
  	}
 diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h
-index be56a24..443328f 100644
+index be56a24..eaef2ca 100644
 --- a/arch/sparc/include/asm/atomic_64.h
 +++ b/arch/sparc/include/asm/atomic_64.h
 @@ -14,18 +14,40 @@
@@ -9633,12 +9633,12 @@ index be56a24..443328f 100644
  #define atomic_read(v)		(*(volatile int *)&(v)->counter)
 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
 +{
-+	return v->counter;
++	return *(const volatile int *)&v->counter;
 +}
  #define atomic64_read(v)	(*(volatile long *)&(v)->counter)
 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
 +{
-+	return v->counter;
++	return *(const volatile long *)&v->counter;
 +}
  
  #define atomic_set(v, i)	(((v)->counter) = i)
@@ -9893,10 +9893,18 @@ index 9b1c36d..209298b 100644
  static inline pmd_t *pmd_alloc_one(struct mm_struct *mm,
  				   unsigned long address)
 diff --git a/arch/sparc/include/asm/pgalloc_64.h b/arch/sparc/include/asm/pgalloc_64.h
-index 2c8d41f..06b1206 100644
+index 2c8d41f..f337fbc 100644
 --- a/arch/sparc/include/asm/pgalloc_64.h
 +++ b/arch/sparc/include/asm/pgalloc_64.h
-@@ -38,6 +38,7 @@ static inline void __pud_populate(pud_t *pud, pmd_t *pmd)
+@@ -21,6 +21,7 @@ static inline void __pgd_populate(pgd_t *pgd, pud_t *pud)
+ }
+ 
+ #define pgd_populate(MM, PGD, PUD)	__pgd_populate(PGD, PUD)
++#define pgd_populate_kernel(MM, PGD, PMD)	pgd_populate((MM), (PGD), (PMD))
+ 
+ static inline pgd_t *pgd_alloc(struct mm_struct *mm)
+ {
+@@ -38,6 +39,7 @@ static inline void __pud_populate(pud_t *pud, pmd_t *pmd)
  }
  
  #define pud_populate(MM, PUD, PMD)	__pud_populate(PUD, PMD)
@@ -41928,6 +41936,159 @@ index dbc2def..0a9f710 100644
  	if (unlikely(ret != 0)) {
  		kobject_put(&zone->kobj);
  		return ret;
+diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
+index cf4bad2..3d50d64 100644
+--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
+@@ -54,7 +54,7 @@
+ 
+ #define NUM_PAGES_TO_ALLOC		(PAGE_SIZE/sizeof(struct page *))
+ #define SMALL_ALLOCATION		16
+-#define FREE_ALL_PAGES			(~0U)
++#define FREE_ALL_PAGES			(~0UL)
+ /* times are in msecs */
+ #define PAGE_FREE_INTERVAL		1000
+ 
+@@ -299,14 +299,13 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool,
+  * @free_all: If set to true will free all pages in pool
+  * @gfp: GFP flags.
+  **/
+-static int ttm_page_pool_free(struct ttm_page_pool *pool, unsigned nr_free,
++static unsigned long ttm_page_pool_free(struct ttm_page_pool *pool, unsigned long nr_free,
+ 			      gfp_t gfp)
+ {
+ 	unsigned long irq_flags;
+ 	struct page *p;
+ 	struct page **pages_to_free;
+-	unsigned freed_pages = 0,
+-		 npages_to_free = nr_free;
++	unsigned long freed_pages = 0, npages_to_free = nr_free;
+ 
+ 	if (NUM_PAGES_TO_ALLOC < nr_free)
+ 		npages_to_free = NUM_PAGES_TO_ALLOC;
+@@ -366,7 +365,8 @@ restart:
+ 		__list_del(&p->lru, &pool->list);
+ 
+ 		ttm_pool_update_free_locked(pool, freed_pages);
+-		nr_free -= freed_pages;
++		if (likely(nr_free != FREE_ALL_PAGES))
++			nr_free -= freed_pages;
+ 	}
+ 
+ 	spin_unlock_irqrestore(&pool->lock, irq_flags);
+@@ -395,7 +395,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+ 	unsigned i;
+ 	unsigned pool_offset;
+ 	struct ttm_page_pool *pool;
+-	int shrink_pages = sc->nr_to_scan;
++	unsigned long shrink_pages = sc->nr_to_scan;
+ 	unsigned long freed = 0;
+ 
+ 	if (!mutex_trylock(&lock))
+@@ -403,7 +403,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+ 	pool_offset = ++start_pool % NUM_POOLS;
+ 	/* select start pool in round robin fashion */
+ 	for (i = 0; i < NUM_POOLS; ++i) {
+-		unsigned nr_free = shrink_pages;
++		unsigned long nr_free = shrink_pages;
+ 		if (shrink_pages == 0)
+ 			break;
+ 		pool = &_manager->pools[(i + pool_offset)%NUM_POOLS];
+@@ -669,7 +669,7 @@ out:
+ }
+ 
+ /* Put all pages in pages list to correct pool to wait for reuse */
+-static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
++static void ttm_put_pages(struct page **pages, unsigned long npages, int flags,
+ 			  enum ttm_caching_state cstate)
+ {
+ 	unsigned long irq_flags;
+@@ -724,7 +724,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags,
+ 	struct list_head plist;
+ 	struct page *p = NULL;
+ 	gfp_t gfp_flags = GFP_USER;
+-	unsigned count;
++	unsigned long count;
+ 	int r;
+ 
+ 	/* set zero flag for page allocation if required */
+diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
+index ca65df1..4f0024b 100644
+--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
++++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
+@@ -56,7 +56,7 @@
+ 
+ #define NUM_PAGES_TO_ALLOC		(PAGE_SIZE/sizeof(struct page *))
+ #define SMALL_ALLOCATION		4
+-#define FREE_ALL_PAGES			(~0U)
++#define FREE_ALL_PAGES			(~0UL)
+ /* times are in msecs */
+ #define IS_UNDEFINED			(0)
+ #define IS_WC				(1<<1)
+@@ -413,15 +413,14 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page)
+  * @nr_free: If set to true will free all pages in pool
+  * @gfp: GFP flags.
+  **/
+-static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free,
++static unsigned long ttm_dma_page_pool_free(struct dma_pool *pool, unsigned long nr_free,
+ 				       gfp_t gfp)
+ {
+ 	unsigned long irq_flags;
+ 	struct dma_page *dma_p, *tmp;
+ 	struct page **pages_to_free;
+ 	struct list_head d_pages;
+-	unsigned freed_pages = 0,
+-		 npages_to_free = nr_free;
++	unsigned long freed_pages = 0, npages_to_free = nr_free;
+ 
+ 	if (NUM_PAGES_TO_ALLOC < nr_free)
+ 		npages_to_free = NUM_PAGES_TO_ALLOC;
+@@ -494,7 +493,8 @@ restart:
+ 	/* remove range of pages from the pool */
+ 	if (freed_pages) {
+ 		ttm_pool_update_free_locked(pool, freed_pages);
+-		nr_free -= freed_pages;
++		if (likely(nr_free != FREE_ALL_PAGES))
++			nr_free -= freed_pages;
+ 	}
+ 
+ 	spin_unlock_irqrestore(&pool->lock, irq_flags);
+@@ -928,7 +928,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev)
+ 	struct dma_page *d_page, *next;
+ 	enum pool_type type;
+ 	bool is_cached = false;
+-	unsigned count = 0, i, npages = 0;
++	unsigned long count = 0, i, npages = 0;
+ 	unsigned long irq_flags;
+ 
+ 	type = ttm_to_type(ttm->page_flags, ttm->caching_state);
+@@ -1005,7 +1005,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+ 	static unsigned start_pool;
+ 	unsigned idx = 0;
+ 	unsigned pool_offset;
+-	unsigned shrink_pages = sc->nr_to_scan;
++	unsigned long shrink_pages = sc->nr_to_scan;
+ 	struct device_pools *p;
+ 	unsigned long freed = 0;
+ 
+@@ -1018,7 +1018,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+ 		goto out;
+ 	pool_offset = ++start_pool % _manager->npools;
+ 	list_for_each_entry(p, &_manager->pools, pools) {
+-		unsigned nr_free;
++		unsigned long nr_free;
+ 
+ 		if (!p->dev)
+ 			continue;
+@@ -1032,7 +1032,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+ 						      sc->gfp_mask);
+ 		freed += nr_free - shrink_pages;
+ 
+-		pr_debug("%s: (%s:%d) Asked to shrink %d, have %d more to go\n",
++		pr_debug("%s: (%s:%d) Asked to shrink %lu, have %lu more to go\n",
+ 			 p->pool->dev_name, p->pool->name, current->pid,
+ 			 nr_free, shrink_pages);
+ 	}
 diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
 index dbadd49..1b7457b 100644
 --- a/drivers/gpu/drm/udl/udl_fb.c
@@ -43811,6 +43972,34 @@ index c9a02fe..0debc75 100644
  	kref_init(&serio_raw->kref);
  	INIT_LIST_HEAD(&serio_raw->client_list);
  	init_waitqueue_head(&serio_raw->wait);
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 9cbef59..76d5cd3 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -878,11 +878,21 @@ static void copy_cmd_to_buffer(struct amd_iommu *iommu,
+ 
+ static void build_completion_wait(struct iommu_cmd *cmd, u64 address)
+ {
++	phys_addr_t physaddr;
+ 	WARN_ON(address & 0x7ULL);
+ 
+ 	memset(cmd, 0, sizeof(*cmd));
+-	cmd->data[0] = lower_32_bits(__pa(address)) | CMD_COMPL_WAIT_STORE_MASK;
+-	cmd->data[1] = upper_32_bits(__pa(address));
++
++#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
++	if (object_starts_on_stack(address)) {
++		void *adjbuf = (void *)address - current->stack + current->lowmem_stack;
++		physaddr = __pa((u64)adjbuf);
++	} else
++#endif
++	physaddr = __pa(address);
++
++	cmd->data[0] = lower_32_bits(physaddr) | CMD_COMPL_WAIT_STORE_MASK;
++	cmd->data[1] = upper_32_bits(physaddr);
+ 	cmd->data[2] = 1;
+ 	CMD_SET_TYPE(cmd, CMD_COMPL_WAIT);
+ }
 diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
 index e5555fc..937986d 100644
 --- a/drivers/iommu/iommu.c
@@ -47251,6 +47440,19 @@ index 70651f8..7eb1bdf 100644
  	.kind			= "bond",
  	.priv_size		= sizeof(struct bonding),
  	.setup			= bond_setup,
+diff --git a/drivers/net/caif/caif_hsi.c b/drivers/net/caif/caif_hsi.c
+index 5e40a8b..126bfda 100644
+--- a/drivers/net/caif/caif_hsi.c
++++ b/drivers/net/caif/caif_hsi.c
+@@ -1445,7 +1445,7 @@ err:
+ 	return -ENODEV;
+ }
+ 
+-static struct rtnl_link_ops caif_hsi_link_ops __read_mostly = {
++static struct rtnl_link_ops caif_hsi_link_ops = {
+ 	.kind		= "cfhsi",
+ 	.priv_size	= sizeof(struct cfhsi),
+ 	.setup		= cfhsi_setup,
 diff --git a/drivers/net/can/Kconfig b/drivers/net/can/Kconfig
 index 9e7d95d..d447b88 100644
 --- a/drivers/net/can/Kconfig
@@ -47264,6 +47466,45 @@ index 9e7d95d..d447b88 100644
  	---help---
  	  Say Y here if you want to support for Freescale FlexCAN.
  
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index cc11f7f..bf7de8b 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -756,7 +756,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev,
+ 	return -EOPNOTSUPP;
+ }
+ 
+-static struct rtnl_link_ops can_link_ops __read_mostly = {
++static struct rtnl_link_ops can_link_ops = {
+ 	.kind		= "can",
+ 	.maxtype	= IFLA_CAN_MAX,
+ 	.policy		= can_policy,
+diff --git a/drivers/net/can/vcan.c b/drivers/net/can/vcan.c
+index 4e94057..32032ff 100644
+--- a/drivers/net/can/vcan.c
++++ b/drivers/net/can/vcan.c
+@@ -166,7 +166,7 @@ static void vcan_setup(struct net_device *dev)
+ 	dev->destructor		= free_netdev;
+ }
+ 
+-static struct rtnl_link_ops vcan_link_ops __read_mostly = {
++static struct rtnl_link_ops vcan_link_ops = {
+ 	.kind	= "vcan",
+ 	.setup	= vcan_setup,
+ };
+diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c
+index bd8f84b..68ba9f1 100644
+--- a/drivers/net/dummy.c
++++ b/drivers/net/dummy.c
+@@ -155,7 +155,7 @@ static int dummy_validate(struct nlattr *tb[], struct nlattr *data[])
+ 	return 0;
+ }
+ 
+-static struct rtnl_link_ops dummy_link_ops __read_mostly = {
++static struct rtnl_link_ops dummy_link_ops = {
+ 	.kind		= "dummy",
+ 	.setup		= dummy_setup,
+ 	.validate	= dummy_validate,
 diff --git a/drivers/net/ethernet/8390/ax88796.c b/drivers/net/ethernet/8390/ax88796.c
 index 455d4c3..3353ee7 100644
 --- a/drivers/net/ethernet/8390/ax88796.c
@@ -47726,6 +47967,19 @@ index 6adbef8..cd6a5f1 100644
  
  	priv = netdev_priv(dev);
  	priv->phy = phy;
+diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c
+index d7b2e94..0812ae9 100644
+--- a/drivers/net/ifb.c
++++ b/drivers/net/ifb.c
+@@ -252,7 +252,7 @@ static int ifb_validate(struct nlattr *tb[], struct nlattr *data[])
+ 	return 0;
+ }
+ 
+-static struct rtnl_link_ops ifb_link_ops __read_mostly = {
++static struct rtnl_link_ops ifb_link_ops = {
+ 	.kind		= "ifb",
+ 	.priv_size	= sizeof(struct ifb_private),
+ 	.setup		= ifb_setup,
 diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
 index fbf7dcd..ad71499 100644
 --- a/drivers/net/macvlan.c
@@ -47793,6 +48047,19 @@ index 07c942b..bce8b8a 100644
  	.notifier_call	= macvtap_device_event,
  };
  
+diff --git a/drivers/net/nlmon.c b/drivers/net/nlmon.c
+index d2bb12b..d6c921e 100644
+--- a/drivers/net/nlmon.c
++++ b/drivers/net/nlmon.c
+@@ -162,7 +162,7 @@ static int nlmon_validate(struct nlattr *tb[], struct nlattr *data[])
+ 	return 0;
+ }
+ 
+-static struct rtnl_link_ops nlmon_link_ops __read_mostly = {
++static struct rtnl_link_ops nlmon_link_ops = {
+ 	.kind			= "nlmon",
+ 	.priv_size		= sizeof(struct nlmon),
+ 	.setup			= nlmon_setup,
 diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
 index 5a1897d..e860630 100644
 --- a/drivers/net/ppp/ppp_generic.c
@@ -47829,9 +48096,18 @@ index 1252d9c..80e660b 100644
  
  	/* We've got a compressed packet; read the change byte */
 diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
-index 979fe43..1f1230c 100644
+index 979fe43..3f92d61 100644
 --- a/drivers/net/team/team.c
 +++ b/drivers/net/team/team.c
+@@ -2086,7 +2086,7 @@ static unsigned int team_get_num_rx_queues(void)
+ 	return TEAM_DEFAULT_NUM_RX_QUEUES;
+ }
+ 
+-static struct rtnl_link_ops team_link_ops __read_mostly = {
++static struct rtnl_link_ops team_link_ops = {
+ 	.kind			= DRV_NAME,
+ 	.priv_size		= sizeof(struct team),
+ 	.setup			= team_setup,
 @@ -2874,7 +2874,7 @@ static int team_device_event(struct notifier_block *unused,
  	return NOTIFY_DONE;
  }
@@ -47842,9 +48118,18 @@ index 979fe43..1f1230c 100644
  };
  
 diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index ec63314..17810e8 100644
+index ec63314..465e154 100644
 --- a/drivers/net/tun.c
 +++ b/drivers/net/tun.c
+@@ -1436,7 +1436,7 @@ static int tun_validate(struct nlattr *tb[], struct nlattr *data[])
+ 	return -EINVAL;
+ }
+ 
+-static struct rtnl_link_ops tun_link_ops __read_mostly = {
++static struct rtnl_link_ops tun_link_ops = {
+ 	.kind		= DRV_NAME,
+ 	.priv_size	= sizeof(struct tun_struct),
+ 	.setup		= tun_setup,
 @@ -1882,7 +1882,7 @@ unlock:
  }
  
@@ -84001,7 +84286,7 @@ index a964f72..b475afb 100644
  }
  
 diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 218b058..1ce7ad0 100644
+index 218b058..7a1fb15 100644
 --- a/include/linux/sched.h
 +++ b/include/linux/sched.h
 @@ -133,6 +133,7 @@ struct fs_struct;
@@ -84158,6 +84443,15 @@ index 218b058..1ce7ad0 100644
  #ifdef CONFIG_FUTEX
  	struct robust_list_head __user *robust_list;
  #ifdef CONFIG_COMPAT
+@@ -1556,7 +1599,7 @@ struct task_struct {
+ 	 * Number of functions that haven't been traced
+ 	 * because of depth overrun.
+ 	 */
+-	atomic_t trace_overrun;
++	atomic_unchecked_t trace_overrun;
+ 	/* Pause for the tracing */
+ 	atomic_t tracing_graph_pause;
+ #endif
 @@ -1588,7 +1631,78 @@ struct task_struct {
  	unsigned int	sequential_io;
  	unsigned int	sequential_io_avg;
@@ -93000,7 +93294,7 @@ index 4f3a3c03..04b7886 100644
  
  	ret = -EIO;
 diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index e3be87e..7480b36 100644
+index e3be87e..abc908f 100644
 --- a/kernel/trace/ftrace.c
 +++ b/kernel/trace/ftrace.c
 @@ -1965,12 +1965,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
@@ -93043,6 +93337,15 @@ index e3be87e..7480b36 100644
  int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace)
  {
  	return 0;
+@@ -4933,7 +4938,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list)
+ 
+ 		if (t->ret_stack == NULL) {
+ 			atomic_set(&t->tracing_graph_pause, 0);
+-			atomic_set(&t->trace_overrun, 0);
++			atomic_set_unchecked(&t->trace_overrun, 0);
+ 			t->curr_ret_stack = -1;
+ 			/* Make sure the tasks see the -1 first: */
+ 			smp_wmb();
 @@ -5067,6 +5072,10 @@ static void update_function_graph_func(void)
  		ftrace_graph_entry = ftrace_graph_entry_test;
  }
@@ -93062,6 +93365,15 @@ index e3be87e..7480b36 100644
  	register_pm_notifier(&ftrace_suspend_notifier);
  
  	ftrace_graph_active++;
+@@ -5134,7 +5142,7 @@ static void
+ graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack)
+ {
+ 	atomic_set(&t->tracing_graph_pause, 0);
+-	atomic_set(&t->trace_overrun, 0);
++	atomic_set_unchecked(&t->trace_overrun, 0);
+ 	t->ftrace_timestamp = 0;
+ 	/* make curr_ret_stack visible before we add the ret_stack */
+ 	smp_wmb();
 diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
 index 774a080..7fa60b1 100644
 --- a/kernel/trace/ring_buffer.c
@@ -93398,6 +93710,28 @@ index e4c4efc..ef4e975 100644
  static void __add_event_to_tracers(struct ftrace_event_call *call);
  
  /* Add an additional event_call dynamically */
+diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
+index 0b99120..881174f 100644
+--- a/kernel/trace/trace_functions_graph.c
++++ b/kernel/trace/trace_functions_graph.c
+@@ -110,7 +110,7 @@ ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
+ 
+ 	/* The return trace stack is full */
+ 	if (current->curr_ret_stack == FTRACE_RETFUNC_DEPTH - 1) {
+-		atomic_inc(&current->trace_overrun);
++		atomic_inc_unchecked(&current->trace_overrun);
+ 		return -EBUSY;
+ 	}
+ 
+@@ -207,7 +207,7 @@ ftrace_pop_return_trace(struct ftrace_graph_ret *trace, unsigned long *ret,
+ 	*ret = current->ret_stack[index].ret;
+ 	trace->func = current->ret_stack[index].func;
+ 	trace->calltime = current->ret_stack[index].calltime;
+-	trace->overrun = atomic_read(&current->trace_overrun);
++	trace->overrun = atomic_read_unchecked(&current->trace_overrun);
+ 	trace->depth = index;
+ }
+ 
 diff --git a/kernel/trace/trace_mmiotrace.c b/kernel/trace/trace_mmiotrace.c
 index 0abd9b8..6a663a2 100644
 --- a/kernel/trace/trace_mmiotrace.c
@@ -99731,6 +100065,19 @@ index 44ebd5c..1f732bae 100644
  			struct vlan_net *vn;
  
  			vn = net_generic(net, vlan_net_id);
+diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
+index c7e634a..041cbdb 100644
+--- a/net/8021q/vlan_netlink.c
++++ b/net/8021q/vlan_netlink.c
+@@ -238,7 +238,7 @@ nla_put_failure:
+ 	return -EMSGSIZE;
+ }
+ 
+-struct rtnl_link_ops vlan_link_ops __read_mostly = {
++struct rtnl_link_ops vlan_link_ops = {
+ 	.kind		= "vlan",
+ 	.maxtype	= IFLA_VLAN_MAX,
+ 	.policy		= vlan_policy,
 diff --git a/net/9p/client.c b/net/9p/client.c
 index 9186550..e604a2f 100644
 --- a/net/9p/client.c
@@ -100036,7 +100383,7 @@ index c46387a..6ad5ef9 100644
  	frag_header.no = 0;
  	frag_header.total_size = htons(skb->len);
 diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
-index f82c267..0e56d32 100644
+index f82c267..8a27a34 100644
 --- a/net/batman-adv/soft-interface.c
 +++ b/net/batman-adv/soft-interface.c
 @@ -283,7 +283,7 @@ send:
@@ -100066,6 +100413,15 @@ index f82c267..0e56d32 100644
  
  	bat_priv->primary_if = NULL;
  	bat_priv->num_ifaces = 0;
+@@ -929,7 +929,7 @@ int batadv_softif_is_valid(const struct net_device *net_dev)
+ 	return 0;
+ }
+ 
+-struct rtnl_link_ops batadv_link_ops __read_mostly = {
++struct rtnl_link_ops batadv_link_ops = {
+ 	.kind		= "batadv",
+ 	.priv_size	= sizeof(struct batadv_priv),
+ 	.setup		= batadv_softif_init_early,
 diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
 index 78370ab..1cb3614 100644
 --- a/net/batman-adv/types.h
@@ -100222,6 +100578,19 @@ index f9c0980a..fcbbfeb 100644
  
  	tty_port_close(&dev->port, tty, filp);
  }
+diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
+index e8844d9..df3afa0 100644
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -482,7 +482,7 @@ static struct rtnl_af_ops br_af_ops = {
+ 	.get_link_af_size	= br_get_link_af_size,
+ };
+ 
+-struct rtnl_link_ops br_link_ops __read_mostly = {
++struct rtnl_link_ops br_link_ops = {
+ 	.kind		= "bridge",
+ 	.priv_size	= sizeof(struct net_bridge),
+ 	.setup		= br_dev_setup,
 diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
 index 1059ed3..d70846a 100644
 --- a/net/bridge/netfilter/ebtables.c
@@ -100296,6 +100665,19 @@ index 0f45522..dab651f 100644
  					 p->sequence_no);
  			list_del(&p->list);
  			goto out;
+diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
+index 4589ff67..46d6b8f 100644
+--- a/net/caif/chnl_net.c
++++ b/net/caif/chnl_net.c
+@@ -516,7 +516,7 @@ static const struct nla_policy ipcaif_policy[IFLA_CAIF_MAX + 1] = {
+ };
+ 
+ 
+-static struct rtnl_link_ops ipcaif_link_ops __read_mostly = {
++static struct rtnl_link_ops ipcaif_link_ops = {
+ 	.kind		= "caif",
+ 	.priv_size	= sizeof(struct chnl_net),
+ 	.setup		= ipcaif_net_setup,
 diff --git a/net/can/af_can.c b/net/can/af_can.c
 index a27f8aa..67174a3 100644
 --- a/net/can/af_can.c
@@ -101399,6 +101781,32 @@ index 5325b54..a0d4d69 100644
  		return -EFAULT;
  
  	*lenp = len;
+diff --git a/net/hsr/hsr_netlink.c b/net/hsr/hsr_netlink.c
+index 01a5261..29cea68 100644
+--- a/net/hsr/hsr_netlink.c
++++ b/net/hsr/hsr_netlink.c
+@@ -86,7 +86,7 @@ nla_put_failure:
+ 	return -EMSGSIZE;
+ }
+ 
+-static struct rtnl_link_ops hsr_link_ops __read_mostly = {
++static struct rtnl_link_ops hsr_link_ops = {
+ 	.kind		= "hsr",
+ 	.maxtype	= IFLA_HSR_MAX,
+ 	.policy		= hsr_policy,
+diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
+index 8edfea5..a17998f 100644
+--- a/net/ieee802154/6lowpan.c
++++ b/net/ieee802154/6lowpan.c
+@@ -714,7 +714,7 @@ static void lowpan_dellink(struct net_device *dev, struct list_head *head)
+ 	dev_put(real_dev);
+ }
+ 
+-static struct rtnl_link_ops lowpan_link_ops __read_mostly = {
++static struct rtnl_link_ops lowpan_link_ops = {
+ 	.kind		= "lowpan",
+ 	.priv_size	= sizeof(struct lowpan_dev_info),
+ 	.setup		= lowpan_setup,
 diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
 index 07bd8ed..c574801 100644
 --- a/net/ipv4/af_inet.c
diff --git a/3.14.26/4425_grsec_remove_EI_PAX.patch b/3.14.26/4425_grsec_remove_EI_PAX.patch
index fc51f79..86e242a 100644
--- a/3.14.26/4425_grsec_remove_EI_PAX.patch
+++ b/3.14.26/4425_grsec_remove_EI_PAX.patch
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
 --- linux-3.7.1-hardened.orig/security/Kconfig	2012-12-26 08:39:29.000000000 -0500
 +++ linux-3.7.1-hardened/security/Kconfig	2012-12-26 09:05:44.000000000 -0500
-@@ -268,7 +268,7 @@
+@@ -273,7 +273,7 @@
  
  config PAX_EI_PAX
  	bool 'Use legacy ELF header marking'
diff --git a/3.14.26/4427_force_XATTR_PAX_tmpfs.patch b/3.14.26/4427_force_XATTR_PAX_tmpfs.patch
index f78ac39..aa540ad 100644
--- a/3.14.26/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.14.26/4427_force_XATTR_PAX_tmpfs.patch
@@ -18,7 +18,7 @@ diff -Naur a/mm/shmem.c b/mm/shmem.c
  		{ XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
  		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
  	};
-@@ -2300,14 +2300,12 @@
+@@ -2300,14 +2296,12 @@
  	if (err)
  		return err;
  
diff --git a/3.14.26/4450_grsec-kconfig-default-gids.patch b/3.14.26/4450_grsec-kconfig-default-gids.patch
index ff7afeb..722821b 100644
--- a/3.14.26/4450_grsec-kconfig-default-gids.patch
+++ b/3.14.26/4450_grsec-kconfig-default-gids.patch
@@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 diff -Nuar a/security/Kconfig b/security/Kconfig
 --- a/security/Kconfig	2012-10-13 09:51:35.000000000 -0400
 +++ b/security/Kconfig	2012-10-13 09:52:59.000000000 -0400
-@@ -196,7 +196,7 @@
+@@ -201,7 +201,7 @@
  
  config GRKERNSEC_PROC_GID
  	int "GID exempted from /proc restrictions"
@@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
  	help
  	  Setting this GID determines which group will be exempted from
  	  grsecurity's /proc restrictions, allowing users of the specified
-@@ -207,7 +207,7 @@
+@@ -212,7 +212,7 @@
  config GRKERNSEC_TPE_UNTRUSTED_GID
          int "GID for TPE-untrusted users"
          depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
          help
  	  Setting this GID determines which group untrusted users should
  	  be added to.  These users will be placed under grsecurity's Trusted Path
-@@ -219,7 +219,7 @@
+@@ -224,7 +224,7 @@
  config GRKERNSEC_TPE_TRUSTED_GID
          int "GID for TPE-trusted users"
          depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
          help
            Setting this GID determines what group TPE restrictions will be
            *disabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -228,7 +228,7 @@
+@@ -233,7 +233,7 @@
  config GRKERNSEC_SYMLINKOWN_GID
          int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
          depends on GRKERNSEC_CONFIG_SERVER
diff --git a/3.14.26/4475_emutramp_default_on.patch b/3.14.26/4475_emutramp_default_on.patch
index cf88fd9..ad4967a 100644
--- a/3.14.26/4475_emutramp_default_on.patch
+++ b/3.14.26/4475_emutramp_default_on.patch
@@ -10,7 +10,7 @@ See bug:
 diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
 --- linux-3.9.2-hardened.orig/security/Kconfig	2013-05-18 08:53:41.000000000 -0400
 +++ linux-3.9.2-hardened/security/Kconfig	2013-05-18 09:17:57.000000000 -0400
-@@ -428,7 +428,7 @@
+@@ -433,7 +433,7 @@
  
  config PAX_EMUTRAMP
  	bool "Emulate trampolines"
@@ -19,7 +19,7 @@ diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/secur
  	depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
  	help
  	  There are some programs and libraries that for one reason or
-@@ -451,6 +451,12 @@
+@@ -456,6 +456,12 @@
  	  utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
  	  for the affected files.
  
diff --git a/3.17.6/0000_README b/3.17.6/0000_README
index 1073e62..502f413 100644
--- a/3.17.6/0000_README
+++ b/3.17.6/0000_README
@@ -2,11 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	1005_linux-3.17.6.patch
-From:	http://www.kernel.org
-Desc:	Linux 3.17.6
-
-Patch:	4420_grsecurity-3.0-3.17.6-201412071639.patch
+Patch:	4420_grsecurity-3.0-3.17.6-201412142110.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.17.6/1005_linux-3.17.6.patch b/3.17.6/1005_linux-3.17.6.patch
deleted file mode 100644
index 8056fe0..0000000
--- a/3.17.6/1005_linux-3.17.6.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 42585f6..bb43e9e 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 3
- PATCHLEVEL = 17
--SUBLEVEL = 5
-+SUBLEVEL = 6
- EXTRAVERSION =
- NAME = Shuffling Zombie Juror
- 
-diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
-index ec94ba9..de88c4a 100644
---- a/net/netfilter/nf_conntrack_core.c
-+++ b/net/netfilter/nf_conntrack_core.c
-@@ -611,16 +611,12 @@ __nf_conntrack_confirm(struct sk_buff *skb)
- 	 */
- 	NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
- 	pr_debug("Confirming conntrack %p\n", ct);
--
--	/* We have to check the DYING flag after unlink to prevent
--	 * a race against nf_ct_get_next_corpse() possibly called from
--	 * user context, else we insert an already 'dead' hash, blocking
--	 * further use of that particular connection -JM.
--	 */
--	nf_ct_del_from_dying_or_unconfirmed_list(ct);
-+	/* We have to check the DYING flag inside the lock to prevent
-+	   a race against nf_ct_get_next_corpse() possibly called from
-+	   user context, else we insert an already 'dead' hash, blocking
-+	   further use of that particular connection -JM */
- 
- 	if (unlikely(nf_ct_is_dying(ct))) {
--		nf_ct_add_to_dying_list(ct);
- 		nf_conntrack_double_unlock(hash, reply_hash);
- 		local_bh_enable();
- 		return NF_ACCEPT;
-@@ -640,6 +636,8 @@ __nf_conntrack_confirm(struct sk_buff *skb)
- 		    zone == nf_ct_zone(nf_ct_tuplehash_to_ctrack(h)))
- 			goto out;
- 
-+	nf_ct_del_from_dying_or_unconfirmed_list(ct);
-+
- 	/* Timer relative to confirmation time, not original
- 	   setting time, otherwise we'd get timer wrap in
- 	   weird delay cases. */
diff --git a/3.17.6/4420_grsecurity-3.0-3.17.6-201412071639.patch b/3.17.6/4420_grsecurity-3.0-3.17.6-201412142110.patch
index 6e7c28d..44d9bab 100644
--- a/3.17.6/4420_grsecurity-3.0-3.17.6-201412071639.patch
+++ b/3.17.6/4420_grsecurity-3.0-3.17.6-201412142110.patch
@@ -979,7 +979,7 @@ index 32cbbd5..c102df9 100644
  	  kexec is a system call that implements the ability to shutdown your
  	  current kernel, and to start another kernel.  It is like a reboot
 diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
-index 3040359..a494fa3 100644
+index 3040359..2e964a2 100644
 --- a/arch/arm/include/asm/atomic.h
 +++ b/arch/arm/include/asm/atomic.h
 @@ -18,17 +18,41 @@
@@ -1014,7 +1014,7 @@ index 3040359..a494fa3 100644
  #define atomic_read(v)	(*(volatile int *)&(v)->counter)
 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
 +{
-+	return v->counter;
++	return *(const volatile int *)&v->counter;
 +}
  #define atomic_set(v,i)	(((v)->counter) = (i))
 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
@@ -8169,7 +8169,7 @@ index 4bc7b62..107e0b2 100644
  	  kexec is a system call that implements the ability to shutdown your
  	  current kernel, and to start another kernel.  It is like a reboot
 diff --git a/arch/powerpc/include/asm/atomic.h b/arch/powerpc/include/asm/atomic.h
-index 28992d0..434c881 100644
+index 28992d0..bbbff7e 100644
 --- a/arch/powerpc/include/asm/atomic.h
 +++ b/arch/powerpc/include/asm/atomic.h
 @@ -12,6 +12,11 @@
@@ -8503,7 +8503,37 @@ index 28992d0..434c881 100644
  /**
   * __atomic_add_unless - add unless the number is a given value
   * @v: pointer of type atomic_t
-@@ -271,6 +406,11 @@ static __inline__ int atomic_dec_if_positive(atomic_t *v)
+@@ -194,11 +329,27 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+ 	PPC_ATOMIC_ENTRY_BARRIER
+ "1:	lwarx	%0,0,%1		# __atomic_add_unless\n\
+ 	cmpw	0,%0,%3 \n\
+-	beq-	2f \n\
+-	add	%0,%2,%0 \n"
++	beq-	2f \n"
++
++#ifdef CONFIG_PAX_REFCOUNT
++"	mcrxr	cr0\n"
++"	addo.	%0,%2,%0\n"
++"	bf 4*cr0+so, 4f\n"
++"3:.long " "0x00c00b00""\n"
++"4:\n"
++#else
++	"add	%0,%2,%0 \n"
++#endif
++
+ 	PPC405_ERR77(0,%2)
+ "	stwcx.	%0,0,%1 \n\
+ 	bne-	1b \n"
++"5:"
++
++#ifdef CONFIG_PAX_REFCOUNT
++	_ASM_EXTABLE(3b, 5b)
++#endif
++
+ 	PPC_ATOMIC_EXIT_BARRIER
+ "	subf	%0,%2,%0 \n\
+ 2:"
+@@ -271,6 +422,11 @@ static __inline__ int atomic_dec_if_positive(atomic_t *v)
  }
  #define atomic_dec_if_positive atomic_dec_if_positive
  
@@ -8515,7 +8545,7 @@ index 28992d0..434c881 100644
  #ifdef __powerpc64__
  
  #define ATOMIC64_INIT(i)	{ (i) }
-@@ -284,11 +424,25 @@ static __inline__ long atomic64_read(const atomic64_t *v)
+@@ -284,11 +440,25 @@ static __inline__ long atomic64_read(const atomic64_t *v)
  	return t;
  }
  
@@ -8541,7 +8571,7 @@ index 28992d0..434c881 100644
  static __inline__ void atomic64_add(long a, atomic64_t *v)
  {
  	long t;
-@@ -303,12 +457,76 @@ static __inline__ void atomic64_add(long a, atomic64_t *v)
+@@ -303,12 +473,76 @@ static __inline__ void atomic64_add(long a, atomic64_t *v)
  	: "cc");
  }
  
@@ -8618,7 +8648,7 @@ index 28992d0..434c881 100644
  "1:	ldarx	%0,0,%2		# atomic64_add_return\n\
  	add	%0,%1,%0\n\
  	stdcx.	%0,0,%2 \n\
-@@ -328,6 +546,36 @@ static __inline__ void atomic64_sub(long a, atomic64_t *v)
+@@ -328,6 +562,36 @@ static __inline__ void atomic64_sub(long a, atomic64_t *v)
  	long t;
  
  	__asm__ __volatile__(
@@ -8655,7 +8685,7 @@ index 28992d0..434c881 100644
  "1:	ldarx	%0,0,%3		# atomic64_sub\n\
  	subf	%0,%2,%0\n\
  	stdcx.	%0,0,%3 \n\
-@@ -343,6 +591,40 @@ static __inline__ long atomic64_sub_return(long a, atomic64_t *v)
+@@ -343,6 +607,40 @@ static __inline__ long atomic64_sub_return(long a, atomic64_t *v)
  
  	__asm__ __volatile__(
  	PPC_ATOMIC_ENTRY_BARRIER
@@ -8696,7 +8726,7 @@ index 28992d0..434c881 100644
  "1:	ldarx	%0,0,%2		# atomic64_sub_return\n\
  	subf	%0,%1,%0\n\
  	stdcx.	%0,0,%2 \n\
-@@ -355,36 +637,23 @@ static __inline__ long atomic64_sub_return(long a, atomic64_t *v)
+@@ -355,36 +653,23 @@ static __inline__ long atomic64_sub_return(long a, atomic64_t *v)
  	return t;
  }
  
@@ -8726,7 +8756,7 @@ index 28992d0..434c881 100644
  }
  
 -static __inline__ long atomic64_inc_return(atomic64_t *v)
-+static __inline__ int atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
++static __inline__ long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
  {
 -	long t;
 -
@@ -8746,7 +8776,7 @@ index 28992d0..434c881 100644
  }
  
  /*
-@@ -397,36 +666,18 @@ static __inline__ long atomic64_inc_return(atomic64_t *v)
+@@ -397,36 +682,18 @@ static __inline__ long atomic64_inc_return(atomic64_t *v)
   */
  #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
  
@@ -8794,7 +8824,7 @@ index 28992d0..434c881 100644
  }
  
  #define atomic64_sub_and_test(a, v)	(atomic64_sub_return((a), (v)) == 0)
-@@ -459,6 +710,16 @@ static __inline__ long atomic64_dec_if_positive(atomic64_t *v)
+@@ -459,6 +726,16 @@ static __inline__ long atomic64_dec_if_positive(atomic64_t *v)
  #define atomic64_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
  #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
  
@@ -8811,6 +8841,39 @@ index 28992d0..434c881 100644
  /**
   * atomic64_add_unless - add unless the number is a given value
   * @v: pointer of type atomic64_t
+@@ -474,13 +751,29 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
+ 
+ 	__asm__ __volatile__ (
+ 	PPC_ATOMIC_ENTRY_BARRIER
+-"1:	ldarx	%0,0,%1		# __atomic_add_unless\n\
++"1:	ldarx	%0,0,%1		# atomic64_add_unless\n\
+ 	cmpd	0,%0,%3 \n\
+-	beq-	2f \n\
+-	add	%0,%2,%0 \n"
++	beq-	2f \n"
++
++#ifdef CONFIG_PAX_REFCOUNT
++"	mcrxr	cr0\n"
++"	addo.	%0,%2,%0\n"
++"	bf 4*cr0+so, 4f\n"
++"3:.long " "0x00c00b00""\n"
++"4:\n"
++#else
++	"add	%0,%2,%0 \n"
++#endif
++
+ "	stdcx.	%0,0,%1 \n\
+ 	bne-	1b \n"
+ 	PPC_ATOMIC_EXIT_BARRIER
++"5:"
++
++#ifdef CONFIG_PAX_REFCOUNT
++	_ASM_EXTABLE(3b, 5b)
++#endif
++
+ "	subf	%0,%2,%0 \n\
+ 2:"
+ 	: "=&r" (t)
 diff --git a/arch/powerpc/include/asm/barrier.h b/arch/powerpc/include/asm/barrier.h
 index bab79a1..4a3eabc 100644
 --- a/arch/powerpc/include/asm/barrier.h
@@ -10503,7 +10566,7 @@ index 6777177..cb5e44f 100644
  		addr = vm_unmapped_area(&info);
  	}
 diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h
-index bb894c8..8141d5c 100644
+index bb894c8..81b82e9 100644
 --- a/arch/sparc/include/asm/atomic_64.h
 +++ b/arch/sparc/include/asm/atomic_64.h
 @@ -15,18 +15,40 @@
@@ -10512,12 +10575,12 @@ index bb894c8..8141d5c 100644
  #define atomic_read(v)		(*(volatile int *)&(v)->counter)
 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
 +{
-+	return v->counter;
++	return *(const volatile int *)&v->counter;
 +}
  #define atomic64_read(v)	(*(volatile long *)&(v)->counter)
 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
 +{
-+	return v->counter;
++	return *(const volatile long *)&v->counter;
 +}
  
  #define atomic_set(v, i)	(((v)->counter) = i)
@@ -17168,18 +17231,19 @@ index 59c6c40..5e0b22c 100644
  struct compat_timespec {
  	compat_time_t	tv_sec;
 diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
-index 2075e6c..d65aa96 100644
+index 2075e6c..4d368b4 100644
 --- a/arch/x86/include/asm/cpufeature.h
 +++ b/arch/x86/include/asm/cpufeature.h
-@@ -204,14 +204,14 @@
+@@ -203,7 +203,7 @@
+ #define X86_FEATURE_PAUSEFILTER ( 8*32+13) /* AMD filtered pause intercept */
  #define X86_FEATURE_PFTHRESHOLD ( 8*32+14) /* AMD pause filter threshold */
  #define X86_FEATURE_VMMCALL     ( 8*32+15) /* Prefer vmmcall to vmcall */
- 
 -
 +#define X86_FEATURE_STRONGUDEREF (8*32+31) /* PaX PCID based strong UDEREF */
+ 
  /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
  #define X86_FEATURE_FSGSBASE	( 9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/
- #define X86_FEATURE_TSC_ADJUST	( 9*32+ 1) /* TSC adjustment MSR 0x3b */
+@@ -211,7 +211,7 @@
  #define X86_FEATURE_BMI1	( 9*32+ 3) /* 1st group bit manipulation extensions */
  #define X86_FEATURE_HLE		( 9*32+ 4) /* Hardware Lock Elision */
  #define X86_FEATURE_AVX2	( 9*32+ 5) /* AVX2 instructions */
@@ -42212,6 +42276,159 @@ index dbc2def..0a9f710 100644
  	if (unlikely(ret != 0)) {
  		kobject_put(&zone->kobj);
  		return ret;
+diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
+index 09874d6..d6da1de 100644
+--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
+@@ -54,7 +54,7 @@
+ 
+ #define NUM_PAGES_TO_ALLOC		(PAGE_SIZE/sizeof(struct page *))
+ #define SMALL_ALLOCATION		16
+-#define FREE_ALL_PAGES			(~0U)
++#define FREE_ALL_PAGES			(~0UL)
+ /* times are in msecs */
+ #define PAGE_FREE_INTERVAL		1000
+ 
+@@ -299,14 +299,13 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool,
+  * @free_all: If set to true will free all pages in pool
+  * @gfp: GFP flags.
+  **/
+-static int ttm_page_pool_free(struct ttm_page_pool *pool, unsigned nr_free,
++static unsigned long ttm_page_pool_free(struct ttm_page_pool *pool, unsigned long nr_free,
+ 			      gfp_t gfp)
+ {
+ 	unsigned long irq_flags;
+ 	struct page *p;
+ 	struct page **pages_to_free;
+-	unsigned freed_pages = 0,
+-		 npages_to_free = nr_free;
++	unsigned long freed_pages = 0, npages_to_free = nr_free;
+ 
+ 	if (NUM_PAGES_TO_ALLOC < nr_free)
+ 		npages_to_free = NUM_PAGES_TO_ALLOC;
+@@ -366,7 +365,8 @@ restart:
+ 		__list_del(&p->lru, &pool->list);
+ 
+ 		ttm_pool_update_free_locked(pool, freed_pages);
+-		nr_free -= freed_pages;
++		if (likely(nr_free != FREE_ALL_PAGES))
++			nr_free -= freed_pages;
+ 	}
+ 
+ 	spin_unlock_irqrestore(&pool->lock, irq_flags);
+@@ -395,7 +395,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+ 	unsigned i;
+ 	unsigned pool_offset;
+ 	struct ttm_page_pool *pool;
+-	int shrink_pages = sc->nr_to_scan;
++	unsigned long shrink_pages = sc->nr_to_scan;
+ 	unsigned long freed = 0;
+ 
+ 	if (!mutex_trylock(&lock))
+@@ -403,7 +403,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+ 	pool_offset = ++start_pool % NUM_POOLS;
+ 	/* select start pool in round robin fashion */
+ 	for (i = 0; i < NUM_POOLS; ++i) {
+-		unsigned nr_free = shrink_pages;
++		unsigned long nr_free = shrink_pages;
+ 		if (shrink_pages == 0)
+ 			break;
+ 		pool = &_manager->pools[(i + pool_offset)%NUM_POOLS];
+@@ -669,7 +669,7 @@ out:
+ }
+ 
+ /* Put all pages in pages list to correct pool to wait for reuse */
+-static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
++static void ttm_put_pages(struct page **pages, unsigned long npages, int flags,
+ 			  enum ttm_caching_state cstate)
+ {
+ 	unsigned long irq_flags;
+@@ -724,7 +724,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags,
+ 	struct list_head plist;
+ 	struct page *p = NULL;
+ 	gfp_t gfp_flags = GFP_USER;
+-	unsigned count;
++	unsigned long count;
+ 	int r;
+ 
+ 	/* set zero flag for page allocation if required */
+diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
+index c96db43..c367557 100644
+--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
++++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
+@@ -56,7 +56,7 @@
+ 
+ #define NUM_PAGES_TO_ALLOC		(PAGE_SIZE/sizeof(struct page *))
+ #define SMALL_ALLOCATION		4
+-#define FREE_ALL_PAGES			(~0U)
++#define FREE_ALL_PAGES			(~0UL)
+ /* times are in msecs */
+ #define IS_UNDEFINED			(0)
+ #define IS_WC				(1<<1)
+@@ -413,15 +413,14 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page)
+  * @nr_free: If set to true will free all pages in pool
+  * @gfp: GFP flags.
+  **/
+-static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free,
++static unsigned long ttm_dma_page_pool_free(struct dma_pool *pool, unsigned long nr_free,
+ 				       gfp_t gfp)
+ {
+ 	unsigned long irq_flags;
+ 	struct dma_page *dma_p, *tmp;
+ 	struct page **pages_to_free;
+ 	struct list_head d_pages;
+-	unsigned freed_pages = 0,
+-		 npages_to_free = nr_free;
++	unsigned long freed_pages = 0, npages_to_free = nr_free;
+ 
+ 	if (NUM_PAGES_TO_ALLOC < nr_free)
+ 		npages_to_free = NUM_PAGES_TO_ALLOC;
+@@ -494,7 +493,8 @@ restart:
+ 	/* remove range of pages from the pool */
+ 	if (freed_pages) {
+ 		ttm_pool_update_free_locked(pool, freed_pages);
+-		nr_free -= freed_pages;
++		if (likely(nr_free != FREE_ALL_PAGES))
++			nr_free -= freed_pages;
+ 	}
+ 
+ 	spin_unlock_irqrestore(&pool->lock, irq_flags);
+@@ -929,7 +929,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev)
+ 	struct dma_page *d_page, *next;
+ 	enum pool_type type;
+ 	bool is_cached = false;
+-	unsigned count = 0, i, npages = 0;
++	unsigned long count = 0, i, npages = 0;
+ 	unsigned long irq_flags;
+ 
+ 	type = ttm_to_type(ttm->page_flags, ttm->caching_state);
+@@ -1007,7 +1007,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+ 	static unsigned start_pool;
+ 	unsigned idx = 0;
+ 	unsigned pool_offset;
+-	unsigned shrink_pages = sc->nr_to_scan;
++	unsigned long shrink_pages = sc->nr_to_scan;
+ 	struct device_pools *p;
+ 	unsigned long freed = 0;
+ 
+@@ -1020,7 +1020,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+ 		goto out;
+ 	pool_offset = ++start_pool % _manager->npools;
+ 	list_for_each_entry(p, &_manager->pools, pools) {
+-		unsigned nr_free;
++		unsigned long nr_free;
+ 
+ 		if (!p->dev)
+ 			continue;
+@@ -1034,7 +1034,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+ 						      sc->gfp_mask);
+ 		freed += nr_free - shrink_pages;
+ 
+-		pr_debug("%s: (%s:%d) Asked to shrink %d, have %d more to go\n",
++		pr_debug("%s: (%s:%d) Asked to shrink %lu, have %lu more to go\n",
+ 			 p->pool->dev_name, p->pool->name, current->pid,
+ 			 nr_free, shrink_pages);
+ 	}
 diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
 index d1da339..829235e 100644
 --- a/drivers/gpu/drm/udl/udl_fb.c
@@ -43914,6 +44131,19 @@ index c00ae09..04e91be 100644
  
  #include "qib_common.h"
  #include "qib_verbs.h"
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
+index cdc7df4..a2fdfdb 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
+@@ -156,7 +156,7 @@ static size_t ipoib_get_size(const struct net_device *dev)
+ 		nla_total_size(2);	/* IFLA_IPOIB_UMCAST */
+ }
+ 
+-static struct rtnl_link_ops ipoib_link_ops __read_mostly = {
++static struct rtnl_link_ops ipoib_link_ops = {
+ 	.kind		= "ipoib",
+ 	.maxtype	= IFLA_IPOIB_MAX,
+ 	.policy		= ipoib_policy,
 diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c
 index de05545..b535322 100644
 --- a/drivers/input/evdev.c
@@ -44096,6 +44326,34 @@ index c9a02fe..0debc75 100644
  	kref_init(&serio_raw->kref);
  	INIT_LIST_HEAD(&serio_raw->client_list);
  	init_waitqueue_head(&serio_raw->wait);
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 5aff937..9cff67c 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -798,11 +798,21 @@ static void copy_cmd_to_buffer(struct amd_iommu *iommu,
+ 
+ static void build_completion_wait(struct iommu_cmd *cmd, u64 address)
+ {
++	phys_addr_t physaddr;
+ 	WARN_ON(address & 0x7ULL);
+ 
+ 	memset(cmd, 0, sizeof(*cmd));
+-	cmd->data[0] = lower_32_bits(__pa(address)) | CMD_COMPL_WAIT_STORE_MASK;
+-	cmd->data[1] = upper_32_bits(__pa(address));
++
++#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
++	if (object_starts_on_stack(address)) {
++		void *adjbuf = (void *)address - current->stack + current->lowmem_stack;
++		physaddr = __pa((u64)adjbuf);
++	} else
++#endif
++	physaddr = __pa(address);
++
++	cmd->data[0] = lower_32_bits(physaddr) | CMD_COMPL_WAIT_STORE_MASK;
++	cmd->data[1] = upper_32_bits(physaddr);
+ 	cmd->data[2] = 1;
+ 	CMD_SET_TYPE(cmd, CMD_COMPL_WAIT);
+ }
 diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c
 index a83cc2a..64462e6 100644
 --- a/drivers/iommu/arm-smmu.c
@@ -47541,6 +47799,19 @@ index d163e11..f517018 100644
  	.kind			= "bond",
  	.priv_size		= sizeof(struct bonding),
  	.setup			= bond_setup,
+diff --git a/drivers/net/caif/caif_hsi.c b/drivers/net/caif/caif_hsi.c
+index 5e40a8b..126bfda 100644
+--- a/drivers/net/caif/caif_hsi.c
++++ b/drivers/net/caif/caif_hsi.c
+@@ -1445,7 +1445,7 @@ err:
+ 	return -ENODEV;
+ }
+ 
+-static struct rtnl_link_ops caif_hsi_link_ops __read_mostly = {
++static struct rtnl_link_ops caif_hsi_link_ops = {
+ 	.kind		= "cfhsi",
+ 	.priv_size	= sizeof(struct cfhsi),
+ 	.setup		= cfhsi_setup,
 diff --git a/drivers/net/can/Kconfig b/drivers/net/can/Kconfig
 index 4168822..f38eeddf 100644
 --- a/drivers/net/can/Kconfig
@@ -47554,6 +47825,45 @@ index 4168822..f38eeddf 100644
  	---help---
  	  Say Y here if you want to support for Freescale FlexCAN.
  
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index 6403503..a0c8bb6 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -869,7 +869,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev,
+ 	return -EOPNOTSUPP;
+ }
+ 
+-static struct rtnl_link_ops can_link_ops __read_mostly = {
++static struct rtnl_link_ops can_link_ops = {
+ 	.kind		= "can",
+ 	.maxtype	= IFLA_CAN_MAX,
+ 	.policy		= can_policy,
+diff --git a/drivers/net/can/vcan.c b/drivers/net/can/vcan.c
+index 4e94057..32032ff 100644
+--- a/drivers/net/can/vcan.c
++++ b/drivers/net/can/vcan.c
+@@ -166,7 +166,7 @@ static void vcan_setup(struct net_device *dev)
+ 	dev->destructor		= free_netdev;
+ }
+ 
+-static struct rtnl_link_ops vcan_link_ops __read_mostly = {
++static struct rtnl_link_ops vcan_link_ops = {
+ 	.kind	= "vcan",
+ 	.setup	= vcan_setup,
+ };
+diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c
+index ff435fb..d408b1f 100644
+--- a/drivers/net/dummy.c
++++ b/drivers/net/dummy.c
+@@ -149,7 +149,7 @@ static int dummy_validate(struct nlattr *tb[], struct nlattr *data[])
+ 	return 0;
+ }
+ 
+-static struct rtnl_link_ops dummy_link_ops __read_mostly = {
++static struct rtnl_link_ops dummy_link_ops = {
+ 	.kind		= "dummy",
+ 	.setup		= dummy_setup,
+ 	.validate	= dummy_validate,
 diff --git a/drivers/net/ethernet/8390/ax88796.c b/drivers/net/ethernet/8390/ax88796.c
 index 1d162cc..b546a75 100644
 --- a/drivers/net/ethernet/8390/ax88796.c
@@ -48707,6 +49017,19 @@ index 6cbc56a..5f7e6c8 100644
  
  	priv = netdev_priv(dev);
  	priv->phy = phy;
+diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c
+index d2d4a3d..8b7a1be 100644
+--- a/drivers/net/ifb.c
++++ b/drivers/net/ifb.c
+@@ -252,7 +252,7 @@ static int ifb_validate(struct nlattr *tb[], struct nlattr *data[])
+ 	return 0;
+ }
+ 
+-static struct rtnl_link_ops ifb_link_ops __read_mostly = {
++static struct rtnl_link_ops ifb_link_ops = {
+ 	.kind		= "ifb",
+ 	.priv_size	= sizeof(struct ifb_private),
+ 	.setup		= ifb_setup,
 diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
 index 5f17ad0..e0463c8 100644
 --- a/drivers/net/macvlan.c
@@ -48753,9 +49076,18 @@ index 5f17ad0..e0463c8 100644
  };
  
 diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
-index 07c942b..2d8b073 100644
+index 07c942b..bce8b8a 100644
 --- a/drivers/net/macvtap.c
 +++ b/drivers/net/macvtap.c
+@@ -422,7 +422,7 @@ static void macvtap_setup(struct net_device *dev)
+ 	dev->tx_queue_len = TUN_READQ_SIZE;
+ }
+ 
+-static struct rtnl_link_ops macvtap_link_ops __read_mostly = {
++static struct rtnl_link_ops macvtap_link_ops = {
+ 	.kind		= "macvtap",
+ 	.setup		= macvtap_setup,
+ 	.newlink	= macvtap_newlink,
 @@ -1023,7 +1023,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
  		}
  
@@ -48774,6 +49106,19 @@ index 07c942b..2d8b073 100644
  	.notifier_call	= macvtap_device_event,
  };
  
+diff --git a/drivers/net/nlmon.c b/drivers/net/nlmon.c
+index 34924df..a747360 100644
+--- a/drivers/net/nlmon.c
++++ b/drivers/net/nlmon.c
+@@ -154,7 +154,7 @@ static int nlmon_validate(struct nlattr *tb[], struct nlattr *data[])
+ 	return 0;
+ }
+ 
+-static struct rtnl_link_ops nlmon_link_ops __read_mostly = {
++static struct rtnl_link_ops nlmon_link_ops = {
+ 	.kind			= "nlmon",
+ 	.priv_size		= sizeof(struct nlmon),
+ 	.setup			= nlmon_setup,
 diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
 index 17ecdd6..79ad848 100644
 --- a/drivers/net/ppp/ppp_generic.c
@@ -48810,9 +49155,18 @@ index 079f7ad..b2a2bfa7 100644
  
  	/* We've got a compressed packet; read the change byte */
 diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
-index 1f76c2ea..9681171 100644
+index 1f76c2ea..997760b 100644
 --- a/drivers/net/team/team.c
 +++ b/drivers/net/team/team.c
+@@ -2072,7 +2072,7 @@ static unsigned int team_get_num_rx_queues(void)
+ 	return TEAM_DEFAULT_NUM_RX_QUEUES;
+ }
+ 
+-static struct rtnl_link_ops team_link_ops __read_mostly = {
++static struct rtnl_link_ops team_link_ops = {
+ 	.kind			= DRV_NAME,
+ 	.priv_size		= sizeof(struct team),
+ 	.setup			= team_setup,
 @@ -2862,7 +2862,7 @@ static int team_device_event(struct notifier_block *unused,
  	return NOTIFY_DONE;
  }
@@ -48823,9 +49177,18 @@ index 1f76c2ea..9681171 100644
  };
  
 diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index d965e8a..f119e64 100644
+index d965e8a..6226000 100644
 --- a/drivers/net/tun.c
 +++ b/drivers/net/tun.c
+@@ -1414,7 +1414,7 @@ static int tun_validate(struct nlattr *tb[], struct nlattr *data[])
+ 	return -EINVAL;
+ }
+ 
+-static struct rtnl_link_ops tun_link_ops __read_mostly = {
++static struct rtnl_link_ops tun_link_ops = {
+ 	.kind		= DRV_NAME,
+ 	.priv_size	= sizeof(struct tun_struct),
+ 	.setup		= tun_setup,
 @@ -1861,7 +1861,7 @@ unlock:
  }
  
@@ -84759,7 +85122,7 @@ index ed8f9e7..999bc96 100644
  }
  
 diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 2b1d9e9..10ba706 100644
+index 2b1d9e9..7fd5067 100644
 --- a/include/linux/sched.h
 +++ b/include/linux/sched.h
 @@ -132,6 +132,7 @@ struct fs_struct;
@@ -84916,6 +85279,15 @@ index 2b1d9e9..10ba706 100644
  #ifdef CONFIG_FUTEX
  	struct robust_list_head __user *robust_list;
  #ifdef CONFIG_COMPAT
+@@ -1618,7 +1661,7 @@ struct task_struct {
+ 	 * Number of functions that haven't been traced
+ 	 * because of depth overrun.
+ 	 */
+-	atomic_t trace_overrun;
++	atomic_unchecked_t trace_overrun;
+ 	/* Pause for the tracing */
+ 	atomic_t tracing_graph_pause;
+ #endif
 @@ -1644,7 +1687,78 @@ struct task_struct {
  	unsigned int	sequential_io;
  	unsigned int	sequential_io_avg;
@@ -93965,7 +94337,7 @@ index c1bd4ad..4b861dc 100644
  
  	ret = -EIO;
 diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index 5916a8e..5cd3b1f 100644
+index 5916a8e..220c9c2 100644
 --- a/kernel/trace/ftrace.c
 +++ b/kernel/trace/ftrace.c
 @@ -2128,12 +2128,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
@@ -93999,6 +94371,24 @@ index 5916a8e..5cd3b1f 100644
  
  	start_pg = ftrace_allocate_pages(count);
  	if (!start_pg)
+@@ -5254,7 +5261,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list)
+ 
+ 		if (t->ret_stack == NULL) {
+ 			atomic_set(&t->tracing_graph_pause, 0);
+-			atomic_set(&t->trace_overrun, 0);
++			atomic_set_unchecked(&t->trace_overrun, 0);
+ 			t->curr_ret_stack = -1;
+ 			/* Make sure the tasks see the -1 first: */
+ 			smp_wmb();
+@@ -5467,7 +5474,7 @@ static void
+ graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack)
+ {
+ 	atomic_set(&t->tracing_graph_pause, 0);
+-	atomic_set(&t->trace_overrun, 0);
++	atomic_set_unchecked(&t->trace_overrun, 0);
+ 	t->ftrace_timestamp = 0;
+ 	/* make curr_ret_stack visible before we add the ret_stack */
+ 	smp_wmb();
 diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
 index a56e07c..d46f0ba 100644
 --- a/kernel/trace/ring_buffer.c
@@ -94335,6 +94725,28 @@ index ef06ce7..3ea161d 100644
  static void __add_event_to_tracers(struct ftrace_event_call *call);
  
  /* Add an additional event_call dynamically */
+diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
+index f0a0c98..3692dc8 100644
+--- a/kernel/trace/trace_functions_graph.c
++++ b/kernel/trace/trace_functions_graph.c
+@@ -133,7 +133,7 @@ ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
+ 
+ 	/* The return trace stack is full */
+ 	if (current->curr_ret_stack == FTRACE_RETFUNC_DEPTH - 1) {
+-		atomic_inc(&current->trace_overrun);
++		atomic_inc_unchecked(&current->trace_overrun);
+ 		return -EBUSY;
+ 	}
+ 
+@@ -230,7 +230,7 @@ ftrace_pop_return_trace(struct ftrace_graph_ret *trace, unsigned long *ret,
+ 	*ret = current->ret_stack[index].ret;
+ 	trace->func = current->ret_stack[index].func;
+ 	trace->calltime = current->ret_stack[index].calltime;
+-	trace->overrun = atomic_read(&current->trace_overrun);
++	trace->overrun = atomic_read_unchecked(&current->trace_overrun);
+ 	trace->depth = index;
+ }
+ 
 diff --git a/kernel/trace/trace_mmiotrace.c b/kernel/trace/trace_mmiotrace.c
 index 0abd9b8..6a663a2 100644
 --- a/kernel/trace/trace_mmiotrace.c
@@ -100573,6 +100985,19 @@ index 64c6bed..b79a5de 100644
  			struct vlan_net *vn;
  
  			vn = net_generic(net, vlan_net_id);
+diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
+index 8ac8a5c..991defc 100644
+--- a/net/8021q/vlan_netlink.c
++++ b/net/8021q/vlan_netlink.c
+@@ -238,7 +238,7 @@ nla_put_failure:
+ 	return -EMSGSIZE;
+ }
+ 
+-struct rtnl_link_ops vlan_link_ops __read_mostly = {
++struct rtnl_link_ops vlan_link_ops = {
+ 	.kind		= "vlan",
+ 	.maxtype	= IFLA_VLAN_MAX,
+ 	.policy		= vlan_policy,
 diff --git a/net/9p/client.c b/net/9p/client.c
 index e86a9bea..e91f70e 100644
 --- a/net/9p/client.c
@@ -100878,7 +101303,7 @@ index fc1835c..eead856 100644
  	frag_header.no = 0;
  	frag_header.total_size = htons(skb->len);
 diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
-index 5467955..30cc771 100644
+index 5467955..75ad4e3 100644
 --- a/net/batman-adv/soft-interface.c
 +++ b/net/batman-adv/soft-interface.c
 @@ -296,7 +296,7 @@ send:
@@ -100908,6 +101333,15 @@ index 5467955..30cc771 100644
  
  	bat_priv->primary_if = NULL;
  	bat_priv->num_ifaces = 0;
+@@ -983,7 +983,7 @@ int batadv_softif_is_valid(const struct net_device *net_dev)
+ 	return 0;
+ }
+ 
+-struct rtnl_link_ops batadv_link_ops __read_mostly = {
++struct rtnl_link_ops batadv_link_ops = {
+ 	.kind		= "batadv",
+ 	.priv_size	= sizeof(struct batadv_priv),
+ 	.setup		= batadv_softif_init_early,
 diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
 index 8854c05..ee5d5497 100644
 --- a/net/batman-adv/types.h
@@ -101064,6 +101498,19 @@ index 8e385a0..a5bdd8e 100644
  
  	tty_port_close(&dev->port, tty, filp);
  }
+diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
+index cb5fcf6..ad0a1a5 100644
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -484,7 +484,7 @@ static struct rtnl_af_ops br_af_ops = {
+ 	.get_link_af_size	= br_get_link_af_size,
+ };
+ 
+-struct rtnl_link_ops br_link_ops __read_mostly = {
++struct rtnl_link_ops br_link_ops = {
+ 	.kind		= "bridge",
+ 	.priv_size	= sizeof(struct net_bridge),
+ 	.setup		= br_dev_setup,
 diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
 index 6d69631..b8fdc85 100644
 --- a/net/bridge/netfilter/ebtables.c
@@ -101138,6 +101585,19 @@ index f5afda1..dcf770a 100644
  					 p->sequence_no);
  			list_del(&p->list);
  			goto out;
+diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
+index 4589ff67..46d6b8f 100644
+--- a/net/caif/chnl_net.c
++++ b/net/caif/chnl_net.c
+@@ -516,7 +516,7 @@ static const struct nla_policy ipcaif_policy[IFLA_CAIF_MAX + 1] = {
+ };
+ 
+ 
+-static struct rtnl_link_ops ipcaif_link_ops __read_mostly = {
++static struct rtnl_link_ops ipcaif_link_ops = {
+ 	.kind		= "caif",
+ 	.priv_size	= sizeof(struct chnl_net),
+ 	.setup		= ipcaif_net_setup,
 diff --git a/net/can/af_can.c b/net/can/af_can.c
 index ce82337..5d17b4d 100644
 --- a/net/can/af_can.c
@@ -102261,6 +102721,32 @@ index 5325b54..a0d4d69 100644
  		return -EFAULT;
  
  	*lenp = len;
+diff --git a/net/hsr/hsr_netlink.c b/net/hsr/hsr_netlink.c
+index a2c7e4c..3dc9f67 100644
+--- a/net/hsr/hsr_netlink.c
++++ b/net/hsr/hsr_netlink.c
+@@ -102,7 +102,7 @@ nla_put_failure:
+ 	return -EMSGSIZE;
+ }
+ 
+-static struct rtnl_link_ops hsr_link_ops __read_mostly = {
++static struct rtnl_link_ops hsr_link_ops = {
+ 	.kind		= "hsr",
+ 	.maxtype	= IFLA_HSR_MAX,
+ 	.policy		= hsr_policy,
+diff --git a/net/ieee802154/6lowpan_rtnl.c b/net/ieee802154/6lowpan_rtnl.c
+index 6591d27..499b971 100644
+--- a/net/ieee802154/6lowpan_rtnl.c
++++ b/net/ieee802154/6lowpan_rtnl.c
+@@ -590,7 +590,7 @@ static void lowpan_dellink(struct net_device *dev, struct list_head *head)
+ 	dev_put(real_dev);
+ }
+ 
+-static struct rtnl_link_ops lowpan_link_ops __read_mostly = {
++static struct rtnl_link_ops lowpan_link_ops = {
+ 	.kind		= "lowpan",
+ 	.priv_size	= sizeof(struct lowpan_dev_info),
+ 	.setup		= lowpan_setup,
 diff --git a/net/ieee802154/reassembly.c b/net/ieee802154/reassembly.c
 index 32755cb..236d827 100644
 --- a/net/ieee802154/reassembly.c
@@ -105383,6 +105869,19 @@ index 64dc864..7a9e2a4 100644
  
  	/* Queue all of the segments. */
  	skb = segs;
+diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
+index 8451612..c8872bc 100644
+--- a/net/openvswitch/vport-internal_dev.c
++++ b/net/openvswitch/vport-internal_dev.c
+@@ -122,7 +122,7 @@ static const struct net_device_ops internal_dev_netdev_ops = {
+ 	.ndo_get_stats64 = internal_dev_get_stats,
+ };
+ 
+-static struct rtnl_link_ops internal_dev_link_ops __read_mostly = {
++static struct rtnl_link_ops internal_dev_link_ops = {
+ 	.kind = "openvswitch",
+ };
+ 
 diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
 index 93896d2..b701c88 100644
 --- a/net/packet/af_packet.c
diff --git a/3.17.6/4425_grsec_remove_EI_PAX.patch b/3.17.6/4425_grsec_remove_EI_PAX.patch
index fc51f79..86e242a 100644
--- a/3.17.6/4425_grsec_remove_EI_PAX.patch
+++ b/3.17.6/4425_grsec_remove_EI_PAX.patch
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
 --- linux-3.7.1-hardened.orig/security/Kconfig	2012-12-26 08:39:29.000000000 -0500
 +++ linux-3.7.1-hardened/security/Kconfig	2012-12-26 09:05:44.000000000 -0500
-@@ -268,7 +268,7 @@
+@@ -273,7 +273,7 @@
  
  config PAX_EI_PAX
  	bool 'Use legacy ELF header marking'
diff --git a/3.17.6/4450_grsec-kconfig-default-gids.patch b/3.17.6/4450_grsec-kconfig-default-gids.patch
index 8a63d7f..039bad1 100644
--- a/3.17.6/4450_grsec-kconfig-default-gids.patch
+++ b/3.17.6/4450_grsec-kconfig-default-gids.patch
@@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 diff -Nuar a/security/Kconfig b/security/Kconfig
 --- a/security/Kconfig	2012-10-13 09:51:35.000000000 -0400
 +++ b/security/Kconfig	2012-10-13 09:52:59.000000000 -0400
-@@ -196,7 +196,7 @@
+@@ -201,7 +201,7 @@
  
  config GRKERNSEC_PROC_GID
  	int "GID exempted from /proc restrictions"
@@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
  	help
  	  Setting this GID determines which group will be exempted from
  	  grsecurity's /proc restrictions, allowing users of the specified
-@@ -207,7 +207,7 @@
+@@ -212,7 +212,7 @@
  config GRKERNSEC_TPE_UNTRUSTED_GID
          int "GID for TPE-untrusted users"
          depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
          help
  	  Setting this GID determines which group untrusted users should
  	  be added to.  These users will be placed under grsecurity's Trusted Path
-@@ -219,7 +219,7 @@
+@@ -224,7 +224,7 @@
  config GRKERNSEC_TPE_TRUSTED_GID
          int "GID for TPE-trusted users"
          depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
          help
            Setting this GID determines what group TPE restrictions will be
            *disabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -228,7 +228,7 @@
+@@ -233,7 +233,7 @@
  config GRKERNSEC_SYMLINKOWN_GID
          int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
          depends on GRKERNSEC_CONFIG_SERVER
diff --git a/3.17.6/4475_emutramp_default_on.patch b/3.17.6/4475_emutramp_default_on.patch
index cf88fd9..ad4967a 100644
--- a/3.17.6/4475_emutramp_default_on.patch
+++ b/3.17.6/4475_emutramp_default_on.patch
@@ -10,7 +10,7 @@ See bug:
 diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
 --- linux-3.9.2-hardened.orig/security/Kconfig	2013-05-18 08:53:41.000000000 -0400
 +++ linux-3.9.2-hardened/security/Kconfig	2013-05-18 09:17:57.000000000 -0400
-@@ -428,7 +428,7 @@
+@@ -433,7 +433,7 @@
  
  config PAX_EMUTRAMP
  	bool "Emulate trampolines"
@@ -19,7 +19,7 @@ diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/secur
  	depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
  	help
  	  There are some programs and libraries that for one reason or
-@@ -451,6 +451,12 @@
+@@ -456,6 +456,12 @@
  	  utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
  	  for the affected files.
  
diff --git a/3.2.64/0000_README b/3.2.65/0000_README
index a5c330a..70f7d8b 100644
--- a/3.2.64/0000_README
+++ b/3.2.65/0000_README
@@ -174,7 +174,11 @@ Patch:	1063_linux-3.2.64.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.64
 
-Patch:	4420_grsecurity-3.0-3.2.64-201412040015.patch
+Patch:	1064_linux-3.2.65.patch
+From:	http://www.kernel.org
+Desc:	Linux 3.2.65
+
+Patch:	4420_grsecurity-3.0-3.2.65-201412142045.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.64/1021_linux-3.2.22.patch b/3.2.65/1021_linux-3.2.22.patch
index e6ad93a..e6ad93a 100644
--- a/3.2.64/1021_linux-3.2.22.patch
+++ b/3.2.65/1021_linux-3.2.22.patch
diff --git a/3.2.64/1022_linux-3.2.23.patch b/3.2.65/1022_linux-3.2.23.patch
index 3d796d0..3d796d0 100644
--- a/3.2.64/1022_linux-3.2.23.patch
+++ b/3.2.65/1022_linux-3.2.23.patch
diff --git a/3.2.64/1023_linux-3.2.24.patch b/3.2.65/1023_linux-3.2.24.patch
index 4692eb4..4692eb4 100644
--- a/3.2.64/1023_linux-3.2.24.patch
+++ b/3.2.65/1023_linux-3.2.24.patch
diff --git a/3.2.64/1024_linux-3.2.25.patch b/3.2.65/1024_linux-3.2.25.patch
index e95c213..e95c213 100644
--- a/3.2.64/1024_linux-3.2.25.patch
+++ b/3.2.65/1024_linux-3.2.25.patch
diff --git a/3.2.64/1025_linux-3.2.26.patch b/3.2.65/1025_linux-3.2.26.patch
index 44065b9..44065b9 100644
--- a/3.2.64/1025_linux-3.2.26.patch
+++ b/3.2.65/1025_linux-3.2.26.patch
diff --git a/3.2.64/1026_linux-3.2.27.patch b/3.2.65/1026_linux-3.2.27.patch
index 5878eb4..5878eb4 100644
--- a/3.2.64/1026_linux-3.2.27.patch
+++ b/3.2.65/1026_linux-3.2.27.patch
diff --git a/3.2.64/1027_linux-3.2.28.patch b/3.2.65/1027_linux-3.2.28.patch
index 4dbba4b..4dbba4b 100644
--- a/3.2.64/1027_linux-3.2.28.patch
+++ b/3.2.65/1027_linux-3.2.28.patch
diff --git a/3.2.64/1028_linux-3.2.29.patch b/3.2.65/1028_linux-3.2.29.patch
index 3c65179..3c65179 100644
--- a/3.2.64/1028_linux-3.2.29.patch
+++ b/3.2.65/1028_linux-3.2.29.patch
diff --git a/3.2.64/1029_linux-3.2.30.patch b/3.2.65/1029_linux-3.2.30.patch
index 86aea4b..86aea4b 100644
--- a/3.2.64/1029_linux-3.2.30.patch
+++ b/3.2.65/1029_linux-3.2.30.patch
diff --git a/3.2.64/1030_linux-3.2.31.patch b/3.2.65/1030_linux-3.2.31.patch
index c6accf5..c6accf5 100644
--- a/3.2.64/1030_linux-3.2.31.patch
+++ b/3.2.65/1030_linux-3.2.31.patch
diff --git a/3.2.64/1031_linux-3.2.32.patch b/3.2.65/1031_linux-3.2.32.patch
index 247fc0b..247fc0b 100644
--- a/3.2.64/1031_linux-3.2.32.patch
+++ b/3.2.65/1031_linux-3.2.32.patch
diff --git a/3.2.64/1032_linux-3.2.33.patch b/3.2.65/1032_linux-3.2.33.patch
index c32fb75..c32fb75 100644
--- a/3.2.64/1032_linux-3.2.33.patch
+++ b/3.2.65/1032_linux-3.2.33.patch
diff --git a/3.2.64/1033_linux-3.2.34.patch b/3.2.65/1033_linux-3.2.34.patch
index d647b38..d647b38 100644
--- a/3.2.64/1033_linux-3.2.34.patch
+++ b/3.2.65/1033_linux-3.2.34.patch
diff --git a/3.2.64/1034_linux-3.2.35.patch b/3.2.65/1034_linux-3.2.35.patch
index 76a9c19..76a9c19 100644
--- a/3.2.64/1034_linux-3.2.35.patch
+++ b/3.2.65/1034_linux-3.2.35.patch
diff --git a/3.2.64/1035_linux-3.2.36.patch b/3.2.65/1035_linux-3.2.36.patch
index 5d192a3..5d192a3 100644
--- a/3.2.64/1035_linux-3.2.36.patch
+++ b/3.2.65/1035_linux-3.2.36.patch
diff --git a/3.2.64/1036_linux-3.2.37.patch b/3.2.65/1036_linux-3.2.37.patch
index ad13251..ad13251 100644
--- a/3.2.64/1036_linux-3.2.37.patch
+++ b/3.2.65/1036_linux-3.2.37.patch
diff --git a/3.2.64/1037_linux-3.2.38.patch b/3.2.65/1037_linux-3.2.38.patch
index a3c106f..a3c106f 100644
--- a/3.2.64/1037_linux-3.2.38.patch
+++ b/3.2.65/1037_linux-3.2.38.patch
diff --git a/3.2.64/1038_linux-3.2.39.patch b/3.2.65/1038_linux-3.2.39.patch
index 5639e92..5639e92 100644
--- a/3.2.64/1038_linux-3.2.39.patch
+++ b/3.2.65/1038_linux-3.2.39.patch
diff --git a/3.2.64/1039_linux-3.2.40.patch b/3.2.65/1039_linux-3.2.40.patch
index f26b39c..f26b39c 100644
--- a/3.2.64/1039_linux-3.2.40.patch
+++ b/3.2.65/1039_linux-3.2.40.patch
diff --git a/3.2.64/1040_linux-3.2.41.patch b/3.2.65/1040_linux-3.2.41.patch
index 0d27fcb..0d27fcb 100644
--- a/3.2.64/1040_linux-3.2.41.patch
+++ b/3.2.65/1040_linux-3.2.41.patch
diff --git a/3.2.64/1041_linux-3.2.42.patch b/3.2.65/1041_linux-3.2.42.patch
index 77a08ed..77a08ed 100644
--- a/3.2.64/1041_linux-3.2.42.patch
+++ b/3.2.65/1041_linux-3.2.42.patch
diff --git a/3.2.64/1042_linux-3.2.43.patch b/3.2.65/1042_linux-3.2.43.patch
index a3f878b..a3f878b 100644
--- a/3.2.64/1042_linux-3.2.43.patch
+++ b/3.2.65/1042_linux-3.2.43.patch
diff --git a/3.2.64/1043_linux-3.2.44.patch b/3.2.65/1043_linux-3.2.44.patch
index 3d5e6ff..3d5e6ff 100644
--- a/3.2.64/1043_linux-3.2.44.patch
+++ b/3.2.65/1043_linux-3.2.44.patch
diff --git a/3.2.64/1044_linux-3.2.45.patch b/3.2.65/1044_linux-3.2.45.patch
index 44e1767..44e1767 100644
--- a/3.2.64/1044_linux-3.2.45.patch
+++ b/3.2.65/1044_linux-3.2.45.patch
diff --git a/3.2.64/1045_linux-3.2.46.patch b/3.2.65/1045_linux-3.2.46.patch
index bc10efd..bc10efd 100644
--- a/3.2.64/1045_linux-3.2.46.patch
+++ b/3.2.65/1045_linux-3.2.46.patch
diff --git a/3.2.64/1046_linux-3.2.47.patch b/3.2.65/1046_linux-3.2.47.patch
index b74563c..b74563c 100644
--- a/3.2.64/1046_linux-3.2.47.patch
+++ b/3.2.65/1046_linux-3.2.47.patch
diff --git a/3.2.64/1047_linux-3.2.48.patch b/3.2.65/1047_linux-3.2.48.patch
index 6d55b1f..6d55b1f 100644
--- a/3.2.64/1047_linux-3.2.48.patch
+++ b/3.2.65/1047_linux-3.2.48.patch
diff --git a/3.2.64/1048_linux-3.2.49.patch b/3.2.65/1048_linux-3.2.49.patch
index 2dab0cf..2dab0cf 100644
--- a/3.2.64/1048_linux-3.2.49.patch
+++ b/3.2.65/1048_linux-3.2.49.patch
diff --git a/3.2.64/1049_linux-3.2.50.patch b/3.2.65/1049_linux-3.2.50.patch
index 20b3015..20b3015 100644
--- a/3.2.64/1049_linux-3.2.50.patch
+++ b/3.2.65/1049_linux-3.2.50.patch
diff --git a/3.2.64/1050_linux-3.2.51.patch b/3.2.65/1050_linux-3.2.51.patch
index 5d5832b..5d5832b 100644
--- a/3.2.64/1050_linux-3.2.51.patch
+++ b/3.2.65/1050_linux-3.2.51.patch
diff --git a/3.2.64/1051_linux-3.2.52.patch b/3.2.65/1051_linux-3.2.52.patch
index 94b9359..94b9359 100644
--- a/3.2.64/1051_linux-3.2.52.patch
+++ b/3.2.65/1051_linux-3.2.52.patch
diff --git a/3.2.64/1052_linux-3.2.53.patch b/3.2.65/1052_linux-3.2.53.patch
index 986d714..986d714 100644
--- a/3.2.64/1052_linux-3.2.53.patch
+++ b/3.2.65/1052_linux-3.2.53.patch
diff --git a/3.2.64/1053_linux-3.2.54.patch b/3.2.65/1053_linux-3.2.54.patch
index a907496..a907496 100644
--- a/3.2.64/1053_linux-3.2.54.patch
+++ b/3.2.65/1053_linux-3.2.54.patch
diff --git a/3.2.64/1054_linux-3.2.55.patch b/3.2.65/1054_linux-3.2.55.patch
index 6071ff5..6071ff5 100644
--- a/3.2.64/1054_linux-3.2.55.patch
+++ b/3.2.65/1054_linux-3.2.55.patch
diff --git a/3.2.64/1055_linux-3.2.56.patch b/3.2.65/1055_linux-3.2.56.patch
index 2e8239c..2e8239c 100644
--- a/3.2.64/1055_linux-3.2.56.patch
+++ b/3.2.65/1055_linux-3.2.56.patch
diff --git a/3.2.64/1056_linux-3.2.57.patch b/3.2.65/1056_linux-3.2.57.patch
index 7b8f174..7b8f174 100644
--- a/3.2.64/1056_linux-3.2.57.patch
+++ b/3.2.65/1056_linux-3.2.57.patch
diff --git a/3.2.64/1057_linux-3.2.58.patch b/3.2.65/1057_linux-3.2.58.patch
index db5723a..db5723a 100644
--- a/3.2.64/1057_linux-3.2.58.patch
+++ b/3.2.65/1057_linux-3.2.58.patch
diff --git a/3.2.64/1058_linux-3.2.59.patch b/3.2.65/1058_linux-3.2.59.patch
index cd59fe9..cd59fe9 100644
--- a/3.2.64/1058_linux-3.2.59.patch
+++ b/3.2.65/1058_linux-3.2.59.patch
diff --git a/3.2.64/1059_linux-3.2.60.patch b/3.2.65/1059_linux-3.2.60.patch
index c5a9389..c5a9389 100644
--- a/3.2.64/1059_linux-3.2.60.patch
+++ b/3.2.65/1059_linux-3.2.60.patch
diff --git a/3.2.64/1060_linux-3.2.61.patch b/3.2.65/1060_linux-3.2.61.patch
index a1bf580..a1bf580 100644
--- a/3.2.64/1060_linux-3.2.61.patch
+++ b/3.2.65/1060_linux-3.2.61.patch
diff --git a/3.2.64/1061_linux-3.2.62.patch b/3.2.65/1061_linux-3.2.62.patch
index 34217f0..34217f0 100644
--- a/3.2.64/1061_linux-3.2.62.patch
+++ b/3.2.65/1061_linux-3.2.62.patch
diff --git a/3.2.64/1062_linux-3.2.63.patch b/3.2.65/1062_linux-3.2.63.patch
index f7c7415..f7c7415 100644
--- a/3.2.64/1062_linux-3.2.63.patch
+++ b/3.2.65/1062_linux-3.2.63.patch
diff --git a/3.2.64/1063_linux-3.2.64.patch b/3.2.65/1063_linux-3.2.64.patch
index 862b4f0..862b4f0 100644
--- a/3.2.64/1063_linux-3.2.64.patch
+++ b/3.2.65/1063_linux-3.2.64.patch
diff --git a/3.2.65/1064_linux-3.2.65.patch b/3.2.65/1064_linux-3.2.65.patch
new file mode 100644
index 0000000..c3ae4fa
--- /dev/null
+++ b/3.2.65/1064_linux-3.2.65.patch
@@ -0,0 +1,5801 @@
+diff --git a/Documentation/lzo.txt b/Documentation/lzo.txt
+new file mode 100644
+index 0000000..ea45dd3
+--- /dev/null
++++ b/Documentation/lzo.txt
+@@ -0,0 +1,164 @@
++
++LZO stream format as understood by Linux's LZO decompressor
++===========================================================
++
++Introduction
++
++  This is not a specification. No specification seems to be publicly available
++  for the LZO stream format. This document describes what input format the LZO
++  decompressor as implemented in the Linux kernel understands. The file subject
++  of this analysis is lib/lzo/lzo1x_decompress_safe.c. No analysis was made on
++  the compressor nor on any other implementations though it seems likely that
++  the format matches the standard one. The purpose of this document is to
++  better understand what the code does in order to propose more efficient fixes
++  for future bug reports.
++
++Description
++
++  The stream is composed of a series of instructions, operands, and data. The
++  instructions consist in a few bits representing an opcode, and bits forming
++  the operands for the instruction, whose size and position depend on the
++  opcode and on the number of literals copied by previous instruction. The
++  operands are used to indicate :
++
++    - a distance when copying data from the dictionary (past output buffer)
++    - a length (number of bytes to copy from dictionary)
++    - the number of literals to copy, which is retained in variable "state"
++      as a piece of information for next instructions.
++
++  Optionally depending on the opcode and operands, extra data may follow. These
++  extra data can be a complement for the operand (eg: a length or a distance
++  encoded on larger values), or a literal to be copied to the output buffer.
++
++  The first byte of the block follows a different encoding from other bytes, it
++  seems to be optimized for literal use only, since there is no dictionary yet
++  prior to that byte.
++
++  Lengths are always encoded on a variable size starting with a small number
++  of bits in the operand. If the number of bits isn't enough to represent the
++  length, up to 255 may be added in increments by consuming more bytes with a
++  rate of at most 255 per extra byte (thus the compression ratio cannot exceed
++  around 255:1). The variable length encoding using #bits is always the same :
++
++       length = byte & ((1 << #bits) - 1)
++       if (!length) {
++               length = ((1 << #bits) - 1)
++               length += 255*(number of zero bytes)
++               length += first-non-zero-byte
++       }
++       length += constant (generally 2 or 3)
++
++  For references to the dictionary, distances are relative to the output
++  pointer. Distances are encoded using very few bits belonging to certain
++  ranges, resulting in multiple copy instructions using different encodings.
++  Certain encodings involve one extra byte, others involve two extra bytes
++  forming a little-endian 16-bit quantity (marked LE16 below).
++
++  After any instruction except the large literal copy, 0, 1, 2 or 3 literals
++  are copied before starting the next instruction. The number of literals that
++  were copied may change the meaning and behaviour of the next instruction. In
++  practice, only one instruction needs to know whether 0, less than 4, or more
++  literals were copied. This is the information stored in the <state> variable
++  in this implementation. This number of immediate literals to be copied is
++  generally encoded in the last two bits of the instruction but may also be
++  taken from the last two bits of an extra operand (eg: distance).
++
++  End of stream is declared when a block copy of distance 0 is seen. Only one
++  instruction may encode this distance (0001HLLL), it takes one LE16 operand
++  for the distance, thus requiring 3 bytes.
++
++  IMPORTANT NOTE : in the code some length checks are missing because certain
++  instructions are called under the assumption that a certain number of bytes
++  follow because it has already been garanteed before parsing the instructions.
++  They just have to "refill" this credit if they consume extra bytes. This is
++  an implementation design choice independant on the algorithm or encoding.
++
++Byte sequences
++
++  First byte encoding :
++
++      0..17   : follow regular instruction encoding, see below. It is worth
++                noting that codes 16 and 17 will represent a block copy from
++                the dictionary which is empty, and that they will always be
++                invalid at this place.
++
++      18..21  : copy 0..3 literals
++                state = (byte - 17) = 0..3  [ copy <state> literals ]
++                skip byte
++
++      22..255 : copy literal string
++                length = (byte - 17) = 4..238
++                state = 4 [ don't copy extra literals ]
++                skip byte
++
++  Instruction encoding :
++
++      0 0 0 0 X X X X  (0..15)
++        Depends on the number of literals copied by the last instruction.
++        If last instruction did not copy any literal (state == 0), this
++        encoding will be a copy of 4 or more literal, and must be interpreted
++        like this :
++
++           0 0 0 0 L L L L  (0..15)  : copy long literal string
++           length = 3 + (L ?: 15 + (zero_bytes * 255) + non_zero_byte)
++           state = 4  (no extra literals are copied)
++
++        If last instruction used to copy between 1 to 3 literals (encoded in
++        the instruction's opcode or distance), the instruction is a copy of a
++        2-byte block from the dictionary within a 1kB distance. It is worth
++        noting that this instruction provides little savings since it uses 2
++        bytes to encode a copy of 2 other bytes but it encodes the number of
++        following literals for free. It must be interpreted like this :
++
++           0 0 0 0 D D S S  (0..15)  : copy 2 bytes from <= 1kB distance
++           length = 2
++           state = S (copy S literals after this block)
++         Always followed by exactly one byte : H H H H H H H H
++           distance = (H << 2) + D + 1
++
++        If last instruction used to copy 4 or more literals (as detected by
++        state == 4), the instruction becomes a copy of a 3-byte block from the
++        dictionary from a 2..3kB distance, and must be interpreted like this :
++
++           0 0 0 0 D D S S  (0..15)  : copy 3 bytes from 2..3 kB distance
++           length = 3
++           state = S (copy S literals after this block)
++         Always followed by exactly one byte : H H H H H H H H
++           distance = (H << 2) + D + 2049
++
++      0 0 0 1 H L L L  (16..31)
++           Copy of a block within 16..48kB distance (preferably less than 10B)
++           length = 2 + (L ?: 7 + (zero_bytes * 255) + non_zero_byte)
++        Always followed by exactly one LE16 :  D D D D D D D D : D D D D D D S S
++           distance = 16384 + (H << 14) + D
++           state = S (copy S literals after this block)
++           End of stream is reached if distance == 16384
++
++      0 0 1 L L L L L  (32..63)
++           Copy of small block within 16kB distance (preferably less than 34B)
++           length = 2 + (L ?: 31 + (zero_bytes * 255) + non_zero_byte)
++        Always followed by exactly one LE16 :  D D D D D D D D : D D D D D D S S
++           distance = D + 1
++           state = S (copy S literals after this block)
++
++      0 1 L D D D S S  (64..127)
++           Copy 3-4 bytes from block within 2kB distance
++           state = S (copy S literals after this block)
++           length = 3 + L
++         Always followed by exactly one byte : H H H H H H H H
++           distance = (H << 3) + D + 1
++
++      1 L L D D D S S  (128..255)
++           Copy 5-8 bytes from block within 2kB distance
++           state = S (copy S literals after this block)
++           length = 5 + L
++         Always followed by exactly one byte : H H H H H H H H
++           distance = (H << 3) + D + 1
++
++Authors
++
++  This document was written by Willy Tarreau <w@1wt.eu> on 2014/07/19 during an
++  analysis of the decompression code available in Linux 3.16-rc5. The code is
++  tricky, it is possible that this document contains mistakes or that a few
++  corner cases were overlooked. In any case, please report any doubt, fix, or
++  proposed updates to the author(s) so that the document can be updated.
+diff --git a/Makefile b/Makefile
+index 2b58ffc..1433109 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 2
+-SUBLEVEL = 64
++SUBLEVEL = 65
+ EXTRAVERSION =
+ NAME = Saber-toothed Squirrel
+ 
+diff --git a/arch/arm/mm/proc-xscale.S b/arch/arm/mm/proc-xscale.S
+index b09d036..76a8015 100644
+--- a/arch/arm/mm/proc-xscale.S
++++ b/arch/arm/mm/proc-xscale.S
+@@ -528,7 +528,7 @@ ENTRY(cpu_xscale_do_suspend)
+ 	mrc	p15, 0, r5, c15, c1, 0	@ CP access reg
+ 	mrc	p15, 0, r6, c13, c0, 0	@ PID
+ 	mrc	p15, 0, r7, c3, c0, 0	@ domain ID
+-	mrc	p15, 0, r8, c1, c1, 0	@ auxiliary control reg
++	mrc	p15, 0, r8, c1, c0, 1	@ auxiliary control reg
+ 	mrc	p15, 0, r9, c1, c0, 0	@ control reg
+ 	bic	r4, r4, #2		@ clear frequency change bit
+ 	stmia	r0, {r4 - r9}		@ store cp regs
+@@ -545,7 +545,7 @@ ENTRY(cpu_xscale_do_resume)
+ 	mcr	p15, 0, r6, c13, c0, 0	@ PID
+ 	mcr	p15, 0, r7, c3, c0, 0	@ domain ID
+ 	mcr	p15, 0, r1, c2, c0, 0	@ translation table base addr
+-	mcr	p15, 0, r8, c1, c1, 0	@ auxiliary control reg
++	mcr	p15, 0, r8, c1, c0, 1	@ auxiliary control reg
+ 	mov	r0, r9			@ control register
+ 	b	cpu_resume_mmu
+ ENDPROC(cpu_xscale_do_resume)
+diff --git a/arch/m68k/mm/hwtest.c b/arch/m68k/mm/hwtest.c
+index 2c7dde3..2a5259f 100644
+--- a/arch/m68k/mm/hwtest.c
++++ b/arch/m68k/mm/hwtest.c
+@@ -28,9 +28,11 @@
+ int hwreg_present( volatile void *regp )
+ {
+     int	ret = 0;
++    unsigned long flags;
+     long	save_sp, save_vbr;
+     long	tmp_vectors[3];
+ 
++    local_irq_save(flags);
+     __asm__ __volatile__
+ 	(	"movec	%/vbr,%2\n\t"
+ 		"movel	#Lberr1,%4@(8)\n\t"
+@@ -46,6 +48,7 @@ int hwreg_present( volatile void *regp )
+ 		: "=&d" (ret), "=&r" (save_sp), "=&r" (save_vbr)
+ 		: "a" (regp), "a" (tmp_vectors)
+                 );
++    local_irq_restore(flags);
+ 
+     return( ret );
+ }
+@@ -58,9 +61,11 @@ EXPORT_SYMBOL(hwreg_present);
+ int hwreg_write( volatile void *regp, unsigned short val )
+ {
+ 	int		ret;
++	unsigned long flags;
+ 	long	save_sp, save_vbr;
+ 	long	tmp_vectors[3];
+ 
++	local_irq_save(flags);
+ 	__asm__ __volatile__
+ 	(	"movec	%/vbr,%2\n\t"
+ 		"movel	#Lberr2,%4@(8)\n\t"
+@@ -78,6 +83,7 @@ int hwreg_write( volatile void *regp, unsigned short val )
+ 		: "=&d" (ret), "=&r" (save_sp), "=&r" (save_vbr)
+ 		: "a" (regp), "a" (tmp_vectors), "g" (val)
+ 	);
++	local_irq_restore(flags);
+ 
+ 	return( ret );
+ }
+diff --git a/arch/mips/include/asm/ftrace.h b/arch/mips/include/asm/ftrace.h
+index ce35c9a..370ae7c 100644
+--- a/arch/mips/include/asm/ftrace.h
++++ b/arch/mips/include/asm/ftrace.h
+@@ -24,7 +24,7 @@ do {							\
+ 	asm volatile (					\
+ 		"1: " load " %[" STR(dst) "], 0(%[" STR(src) "])\n"\
+ 		"   li %[" STR(error) "], 0\n"		\
+-		"2:\n"					\
++		"2: .insn\n"				\
+ 							\
+ 		".section .fixup, \"ax\"\n"		\
+ 		"3: li %[" STR(error) "], 1\n"		\
+@@ -46,7 +46,7 @@ do {						\
+ 	asm volatile (				\
+ 		"1: " store " %[" STR(src) "], 0(%[" STR(dst) "])\n"\
+ 		"   li %[" STR(error) "], 0\n"	\
+-		"2:\n"				\
++		"2: .insn\n"			\
+ 						\
+ 		".section .fixup, \"ax\"\n"	\
+ 		"3: li %[" STR(error) "], 1\n"	\
+diff --git a/arch/mips/loongson/common/Makefile b/arch/mips/loongson/common/Makefile
+index e526488..ce415f7 100644
+--- a/arch/mips/loongson/common/Makefile
++++ b/arch/mips/loongson/common/Makefile
+@@ -10,7 +10,8 @@ obj-$(CONFIG_GENERIC_GPIO) += gpio.o
+ # Serial port support
+ #
+ obj-$(CONFIG_EARLY_PRINTK) += early_printk.o
+-obj-$(CONFIG_SERIAL_8250) += serial.o
++loongson-serial-$(CONFIG_SERIAL_8250) := serial.o
++obj-y += $(loongson-serial-m) $(loongson-serial-y)
+ obj-$(CONFIG_LOONGSON_UART_BASE) += uart_base.o
+ obj-$(CONFIG_LOONGSON_MC146818) += rtc.o
+ 
+diff --git a/arch/mips/oprofile/backtrace.c b/arch/mips/oprofile/backtrace.c
+index 6854ed5..83a1dfd 100644
+--- a/arch/mips/oprofile/backtrace.c
++++ b/arch/mips/oprofile/backtrace.c
+@@ -92,7 +92,7 @@ static inline int unwind_user_frame(struct stackframe *old_frame,
+ 				/* This marks the end of the previous function,
+ 				   which means we overran. */
+ 				break;
+-			stack_size = (unsigned) stack_adjustment;
++			stack_size = (unsigned long) stack_adjustment;
+ 		} else if (is_ra_save_ins(&ip)) {
+ 			int ra_slot = ip.i_format.simmediate;
+ 			if (ra_slot < 0)
+diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
+index 5482d1e..4d576a1 100644
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -43,6 +43,7 @@ static int __interrupt_is_deliverable(struct kvm_vcpu *vcpu,
+ 			return 0;
+ 		if (vcpu->arch.sie_block->gcr[0] & 0x2000ul)
+ 			return 1;
++		return 0;
+ 	case KVM_S390_INT_EMERGENCY:
+ 		if (psw_extint_disabled(vcpu))
+ 			return 0;
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 15d24cb..9171618 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -435,6 +435,7 @@ struct kvm_vcpu_arch {
+ 	u64 mmio_gva;
+ 	unsigned access;
+ 	gfn_t mmio_gfn;
++	u64 mmio_gen;
+ 
+ 	/* used for guest single stepping over the given code position */
+ 	unsigned long singlestep_rip;
+diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h
+index ade619f..88dae6b3 100644
+--- a/arch/x86/include/asm/page_32_types.h
++++ b/arch/x86/include/asm/page_32_types.h
+@@ -18,7 +18,6 @@
+ #define THREAD_ORDER	1
+ #define THREAD_SIZE 	(PAGE_SIZE << THREAD_ORDER)
+ 
+-#define STACKFAULT_STACK 0
+ #define DOUBLEFAULT_STACK 1
+ #define NMI_STACK 0
+ #define DEBUG_STACK 0
+diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h
+index 7639dbf..a9e9937 100644
+--- a/arch/x86/include/asm/page_64_types.h
++++ b/arch/x86/include/asm/page_64_types.h
+@@ -14,12 +14,11 @@
+ #define IRQ_STACK_ORDER 2
+ #define IRQ_STACK_SIZE (PAGE_SIZE << IRQ_STACK_ORDER)
+ 
+-#define STACKFAULT_STACK 1
+-#define DOUBLEFAULT_STACK 2
+-#define NMI_STACK 3
+-#define DEBUG_STACK 4
+-#define MCE_STACK 5
+-#define N_EXCEPTION_STACKS 5  /* hw limit: 7 */
++#define DOUBLEFAULT_STACK 1
++#define NMI_STACK 2
++#define DEBUG_STACK 3
++#define MCE_STACK 4
++#define N_EXCEPTION_STACKS 4  /* hw limit: 7 */
+ 
+ #define PUD_PAGE_SIZE		(_AC(1, UL) << PUD_SHIFT)
+ #define PUD_PAGE_MASK		(~(PUD_PAGE_SIZE-1))
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index c4e3581..838a3b4 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1213,7 +1213,7 @@ void __cpuinit setup_local_APIC(void)
+ 	unsigned int value, queued;
+ 	int i, j, acked = 0;
+ 	unsigned long long tsc = 0, ntsc;
+-	long long max_loops = cpu_khz;
++	long long max_loops = cpu_khz ? cpu_khz : 1000000;
+ 
+ 	if (cpu_has_tsc)
+ 		rdtscll(tsc);
+@@ -1309,11 +1309,13 @@ void __cpuinit setup_local_APIC(void)
+ 			       acked);
+ 			break;
+ 		}
+-		if (cpu_has_tsc) {
+-			rdtscll(ntsc);
+-			max_loops = (cpu_khz << 10) - (ntsc - tsc);
+-		} else
+-			max_loops--;
++		if (queued) {
++			if (cpu_has_tsc && cpu_khz) {
++				rdtscll(ntsc);
++				max_loops = (cpu_khz << 10) - (ntsc - tsc);
++			} else
++				max_loops--;
++		}
+ 	} while (queued && max_loops > 0);
+ 	WARN_ON(max_loops <= 0);
+ 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index ca93cc7..6284d6d 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -140,6 +140,8 @@ EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
+ 
+ static int __init x86_xsave_setup(char *s)
+ {
++	if (strlen(s))
++		return 0;
+ 	setup_clear_cpu_cap(X86_FEATURE_XSAVE);
+ 	setup_clear_cpu_cap(X86_FEATURE_XSAVEOPT);
+ 	return 1;
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
+index 3e6ff6c..e7a64dd 100644
+--- a/arch/x86/kernel/cpu/intel.c
++++ b/arch/x86/kernel/cpu/intel.c
+@@ -143,6 +143,21 @@ static void __cpuinit early_init_intel(struct cpuinfo_x86 *c)
+ 			setup_clear_cpu_cap(X86_FEATURE_ERMS);
+ 		}
+ 	}
++
++	/*
++	 * Intel Quark Core DevMan_001.pdf section 6.4.11
++	 * "The operating system also is required to invalidate (i.e., flush)
++	 *  the TLB when any changes are made to any of the page table entries.
++	 *  The operating system must reload CR3 to cause the TLB to be flushed"
++	 *
++	 * As a result cpu_has_pge() in arch/x86/include/asm/tlbflush.h should
++	 * be false so that __flush_tlb_all() causes CR3 insted of CR4.PGE
++	 * to be modified
++	 */
++	if (c->x86 == 5 && c->x86_model == 9) {
++		pr_info("Disabling PGE capability bit\n");
++		setup_clear_cpu_cap(X86_FEATURE_PGE);
++	}
+ }
+ 
+ #ifdef CONFIG_X86_32
+diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
+index 6d728d9..5e890cc 100644
+--- a/arch/x86/kernel/dumpstack_64.c
++++ b/arch/x86/kernel/dumpstack_64.c
+@@ -24,7 +24,6 @@ static char x86_stack_ids[][8] = {
+ 		[ DEBUG_STACK-1			]	= "#DB",
+ 		[ NMI_STACK-1			]	= "NMI",
+ 		[ DOUBLEFAULT_STACK-1		]	= "#DF",
+-		[ STACKFAULT_STACK-1		]	= "#SS",
+ 		[ MCE_STACK-1			]	= "#MC",
+ #if DEBUG_STKSZ > EXCEPTION_STKSZ
+ 		[ N_EXCEPTION_STACKS ...
+diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
+index 4b511ef..9d28dba 100644
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -873,13 +873,16 @@ ENTRY(native_iret)
+ 	jnz native_irq_return_ldt
+ #endif
+ 
++.global native_irq_return_iret
+ native_irq_return_iret:
++	/*
++	 * This may fault.  Non-paranoid faults on return to userspace are
++	 * handled by fixup_bad_iret.  These include #SS, #GP, and #NP.
++	 * Double-faults due to espfix64 are handled in do_double_fault.
++	 * Other faults here are fatal.
++	 */
+ 	iretq
+ 
+-	.section __ex_table,"a"
+-	.quad native_irq_return_iret, bad_iret
+-	.previous
+-
+ #ifdef CONFIG_X86_ESPFIX64
+ native_irq_return_ldt:
+ 	pushq_cfi %rax
+@@ -906,25 +909,6 @@ native_irq_return_ldt:
+ 	jmp native_irq_return_iret
+ #endif
+ 
+-	.section .fixup,"ax"
+-bad_iret:
+-	/*
+-	 * The iret traps when the %cs or %ss being restored is bogus.
+-	 * We've lost the original trap vector and error code.
+-	 * #GPF is the most likely one to get for an invalid selector.
+-	 * So pretend we completed the iret and took the #GPF in user mode.
+-	 *
+-	 * We are now running with the kernel GS after exception recovery.
+-	 * But error_entry expects us to have user GS to match the user %cs,
+-	 * so swap back.
+-	 */
+-	pushq $0
+-
+-	SWAPGS
+-	jmp general_protection
+-
+-	.previous
+-
+ 	/* edi: workmask, edx: work */
+ retint_careful:
+ 	CFI_RESTORE_STATE
+@@ -972,37 +956,6 @@ ENTRY(retint_kernel)
+ 	CFI_ENDPROC
+ END(common_interrupt)
+ 
+-	/*
+-	 * If IRET takes a fault on the espfix stack, then we
+-	 * end up promoting it to a doublefault.  In that case,
+-	 * modify the stack to make it look like we just entered
+-	 * the #GP handler from user space, similar to bad_iret.
+-	 */
+-#ifdef CONFIG_X86_ESPFIX64
+-	ALIGN
+-__do_double_fault:
+-	XCPT_FRAME 1 RDI+8
+-	movq RSP(%rdi),%rax		/* Trap on the espfix stack? */
+-	sarq $PGDIR_SHIFT,%rax
+-	cmpl $ESPFIX_PGD_ENTRY,%eax
+-	jne do_double_fault		/* No, just deliver the fault */
+-	cmpl $__KERNEL_CS,CS(%rdi)
+-	jne do_double_fault
+-	movq RIP(%rdi),%rax
+-	cmpq $native_irq_return_iret,%rax
+-	jne do_double_fault		/* This shouldn't happen... */
+-	movq PER_CPU_VAR(kernel_stack),%rax
+-	subq $(6*8-KERNEL_STACK_OFFSET),%rax	/* Reset to original stack */
+-	movq %rax,RSP(%rdi)
+-	movq $0,(%rax)			/* Missing (lost) #GP error code */
+-	movq $general_protection,RIP(%rdi)
+-	retq
+-	CFI_ENDPROC
+-END(__do_double_fault)
+-#else
+-# define __do_double_fault do_double_fault
+-#endif
+-
+ /*
+  * End of kprobes section
+  */
+@@ -1169,7 +1122,7 @@ zeroentry overflow do_overflow
+ zeroentry bounds do_bounds
+ zeroentry invalid_op do_invalid_op
+ zeroentry device_not_available do_device_not_available
+-paranoiderrorentry double_fault __do_double_fault
++paranoiderrorentry double_fault do_double_fault
+ zeroentry coprocessor_segment_overrun do_coprocessor_segment_overrun
+ errorentry invalid_TSS do_invalid_TSS
+ errorentry segment_not_present do_segment_not_present
+@@ -1383,7 +1336,7 @@ apicinterrupt XEN_HVM_EVTCHN_CALLBACK \
+ 
+ paranoidzeroentry_ist debug do_debug DEBUG_STACK
+ paranoidzeroentry_ist int3 do_int3 DEBUG_STACK
+-paranoiderrorentry stack_segment do_stack_segment
++errorentry stack_segment do_stack_segment
+ #ifdef CONFIG_XEN
+ zeroentry xen_debug do_debug
+ zeroentry xen_int3 do_int3
+@@ -1493,16 +1446,15 @@ error_sti:
+ 
+ /*
+  * There are two places in the kernel that can potentially fault with
+- * usergs. Handle them here. The exception handlers after iret run with
+- * kernel gs again, so don't set the user space flag. B stepping K8s
+- * sometimes report an truncated RIP for IRET exceptions returning to
+- * compat mode. Check for these here too.
++ * usergs. Handle them here.  B stepping K8s sometimes report a
++ * truncated RIP for IRET exceptions returning to compat mode. Check
++ * for these here too.
+  */
+ error_kernelspace:
+ 	incl %ebx
+ 	leaq native_irq_return_iret(%rip),%rcx
+ 	cmpq %rcx,RIP+8(%rsp)
+-	je error_swapgs
++	je error_bad_iret
+ 	movl %ecx,%eax	/* zero extend */
+ 	cmpq %rax,RIP+8(%rsp)
+ 	je bstep_iret
+@@ -1513,7 +1465,15 @@ error_kernelspace:
+ bstep_iret:
+ 	/* Fix truncated RIP */
+ 	movq %rcx,RIP+8(%rsp)
+-	jmp error_swapgs
++	/* fall through */
++
++error_bad_iret:
++	SWAPGS
++	mov %rsp,%rdi
++	call fixup_bad_iret
++	mov %rax,%rsp
++	decl %ebx	/* Return to usergs */
++	jmp error_sti
+ 	CFI_ENDPROC
+ END(error_entry)
+ 
+diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
+index 20061b9..2aff347 100644
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -213,29 +213,41 @@ DO_ERROR(X86_TRAP_OLD_MF, SIGFPE, "coprocessor segment overrun",
+ 		coprocessor_segment_overrun)
+ DO_ERROR(X86_TRAP_TS, SIGSEGV, "invalid TSS", invalid_TSS)
+ DO_ERROR(X86_TRAP_NP, SIGBUS, "segment not present", segment_not_present)
+-#ifdef CONFIG_X86_32
+ DO_ERROR(X86_TRAP_SS, SIGBUS, "stack segment", stack_segment)
+-#endif
+ DO_ERROR_INFO(X86_TRAP_AC, SIGBUS, "alignment check", alignment_check,
+ 		BUS_ADRALN, 0)
+ 
+ #ifdef CONFIG_X86_64
+ /* Runs on IST stack */
+-dotraplinkage void do_stack_segment(struct pt_regs *regs, long error_code)
+-{
+-	if (notify_die(DIE_TRAP, "stack segment", regs, error_code,
+-			X86_TRAP_SS, SIGBUS) == NOTIFY_STOP)
+-		return;
+-	preempt_conditional_sti(regs);
+-	do_trap(X86_TRAP_SS, SIGBUS, "stack segment", regs, error_code, NULL);
+-	preempt_conditional_cli(regs);
+-}
+-
+ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
+ {
+ 	static const char str[] = "double fault";
+ 	struct task_struct *tsk = current;
+ 
++#ifdef CONFIG_X86_ESPFIX64
++	extern unsigned char native_irq_return_iret[];
++
++	/*
++	 * If IRET takes a non-IST fault on the espfix64 stack, then we
++	 * end up promoting it to a doublefault.  In that case, modify
++	 * the stack to make it look like we just entered the #GP
++	 * handler from user space, similar to bad_iret.
++	 */
++	if (((long)regs->sp >> PGDIR_SHIFT) == ESPFIX_PGD_ENTRY &&
++		regs->cs == __KERNEL_CS &&
++		regs->ip == (unsigned long)native_irq_return_iret)
++	{
++		struct pt_regs *normal_regs = task_pt_regs(current);
++
++		/* Fake a #GP(0) from userspace. */
++		memmove(&normal_regs->ip, (void *)regs->sp, 5*8);
++		normal_regs->orig_ax = 0;  /* Missing (lost) #GP error code */
++		regs->ip = (unsigned long)general_protection;
++		regs->sp = (unsigned long)&normal_regs->orig_ax;
++		return;
++	}
++#endif
++
+ 	/* Return not checked because double check cannot be ignored */
+ 	notify_die(DIE_TRAP, str, regs, error_code, X86_TRAP_DF, SIGSEGV);
+ 
+@@ -332,7 +344,7 @@ dotraplinkage void __kprobes do_int3(struct pt_regs *regs, long error_code)
+  * for scheduling or signal handling. The actual stack switch is done in
+  * entry.S
+  */
+-asmlinkage __kprobes struct pt_regs *sync_regs(struct pt_regs *eregs)
++asmlinkage notrace __kprobes struct pt_regs *sync_regs(struct pt_regs *eregs)
+ {
+ 	struct pt_regs *regs = eregs;
+ 	/* Did already sync */
+@@ -351,6 +363,35 @@ asmlinkage __kprobes struct pt_regs *sync_regs(struct pt_regs *eregs)
+ 		*regs = *eregs;
+ 	return regs;
+ }
++
++struct bad_iret_stack {
++	void *error_entry_ret;
++	struct pt_regs regs;
++};
++
++asmlinkage notrace __kprobes
++struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
++{
++	/*
++	 * This is called from entry_64.S early in handling a fault
++	 * caused by a bad iret to user mode.  To handle the fault
++	 * correctly, we want move our stack frame to task_pt_regs
++	 * and we want to pretend that the exception came from the
++	 * iret target.
++	 */
++	struct bad_iret_stack *new_stack =
++		container_of(task_pt_regs(current),
++			     struct bad_iret_stack, regs);
++
++	/* Copy the IRET target to the new stack. */
++	memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
++
++	/* Copy the remainder of the stack from the current stack. */
++	memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip));
++
++	BUG_ON(!user_mode_vm(&new_stack->regs));
++	return new_stack;
++}
+ #endif
+ 
+ /*
+@@ -711,7 +752,7 @@ void __init trap_init(void)
+ 	set_intr_gate(X86_TRAP_OLD_MF, &coprocessor_segment_overrun);
+ 	set_intr_gate(X86_TRAP_TS, &invalid_TSS);
+ 	set_intr_gate(X86_TRAP_NP, &segment_not_present);
+-	set_intr_gate_ist(X86_TRAP_SS, &stack_segment, STACKFAULT_STACK);
++	set_intr_gate(X86_TRAP_SS, stack_segment);
+ 	set_intr_gate(X86_TRAP_GP, &general_protection);
+ 	set_intr_gate(X86_TRAP_SPURIOUS, &spurious_interrupt_bug);
+ 	set_intr_gate(X86_TRAP_MF, &coprocessor_error);
+diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
+index 1ec515b..9f3706e 100644
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -961,14 +961,17 @@ void __init tsc_init(void)
+ 
+ 	x86_init.timers.tsc_pre_init();
+ 
+-	if (!cpu_has_tsc)
++	if (!cpu_has_tsc) {
++		setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
+ 		return;
++	}
+ 
+ 	tsc_khz = x86_platform.calibrate_tsc();
+ 	cpu_khz = tsc_khz;
+ 
+ 	if (!tsc_khz) {
+ 		mark_tsc_unstable("could not calculate TSC khz");
++		setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
+ 		return;
+ 	}
+ 
+diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
+index db2ffef..bfc9507 100644
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2842,7 +2842,7 @@ static void mmu_sync_roots(struct kvm_vcpu *vcpu)
+ 	if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+ 		return;
+ 
+-	vcpu_clear_mmio_info(vcpu, ~0ul);
++	vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY);
+ 	trace_kvm_mmu_audit(vcpu, AUDIT_PRE_SYNC);
+ 	if (vcpu->arch.mmu.root_level == PT64_ROOT_LEVEL) {
+ 		hpa_t root = vcpu->arch.mmu.root_hpa;
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 82f97a5..7a2d9d6 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3390,9 +3390,9 @@ static int handle_exit(struct kvm_vcpu *vcpu)
+ 
+ 	if (exit_code >= ARRAY_SIZE(svm_exit_handlers)
+ 	    || !svm_exit_handlers[exit_code]) {
+-		kvm_run->exit_reason = KVM_EXIT_UNKNOWN;
+-		kvm_run->hw.hardware_exit_reason = exit_code;
+-		return 0;
++		WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_code);
++		kvm_queue_exception(vcpu, UD_VECTOR);
++		return 1;
+ 	}
+ 
+ 	return svm_exit_handlers[exit_code](svm);
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 578b1c6..8831c43 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5925,10 +5925,10 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu)
+ 	    && kvm_vmx_exit_handlers[exit_reason])
+ 		return kvm_vmx_exit_handlers[exit_reason](vcpu);
+ 	else {
+-		vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
+-		vcpu->run->hw.hardware_exit_reason = exit_reason;
++		WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_reason);
++		kvm_queue_exception(vcpu, UD_VECTOR);
++		return 1;
+ 	}
+-	return 0;
+ }
+ 
+ static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)
+diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
+index 0e22f64..6c3c94f 100644
+--- a/arch/x86/kvm/x86.h
++++ b/arch/x86/kvm/x86.h
+@@ -81,15 +81,23 @@ static inline void vcpu_cache_mmio_info(struct kvm_vcpu *vcpu,
+ 	vcpu->arch.mmio_gva = gva & PAGE_MASK;
+ 	vcpu->arch.access = access;
+ 	vcpu->arch.mmio_gfn = gfn;
++	vcpu->arch.mmio_gen = kvm_memslots(vcpu->kvm)->generation;
++}
++
++static inline bool vcpu_match_mmio_gen(struct kvm_vcpu *vcpu)
++{
++	return vcpu->arch.mmio_gen == kvm_memslots(vcpu->kvm)->generation;
+ }
+ 
+ /*
+- * Clear the mmio cache info for the given gva,
+- * specially, if gva is ~0ul, we clear all mmio cache info.
++ * Clear the mmio cache info for the given gva. If gva is MMIO_GVA_ANY, we
++ * clear all mmio cache info.
+  */
++#define MMIO_GVA_ANY (~(gva_t)0)
++
+ static inline void vcpu_clear_mmio_info(struct kvm_vcpu *vcpu, gva_t gva)
+ {
+-	if (gva != (~0ul) && vcpu->arch.mmio_gva != (gva & PAGE_MASK))
++	if (gva != MMIO_GVA_ANY && vcpu->arch.mmio_gva != (gva & PAGE_MASK))
+ 		return;
+ 
+ 	vcpu->arch.mmio_gva = 0;
+@@ -97,7 +105,8 @@ static inline void vcpu_clear_mmio_info(struct kvm_vcpu *vcpu, gva_t gva)
+ 
+ static inline bool vcpu_match_mmio_gva(struct kvm_vcpu *vcpu, unsigned long gva)
+ {
+-	if (vcpu->arch.mmio_gva && vcpu->arch.mmio_gva == (gva & PAGE_MASK))
++	if (vcpu_match_mmio_gen(vcpu) && vcpu->arch.mmio_gva &&
++	      vcpu->arch.mmio_gva == (gva & PAGE_MASK))
+ 		return true;
+ 
+ 	return false;
+@@ -105,7 +114,8 @@ static inline bool vcpu_match_mmio_gva(struct kvm_vcpu *vcpu, unsigned long gva)
+ 
+ static inline bool vcpu_match_mmio_gpa(struct kvm_vcpu *vcpu, gpa_t gpa)
+ {
+-	if (vcpu->arch.mmio_gfn && vcpu->arch.mmio_gfn == gpa >> PAGE_SHIFT)
++	if (vcpu_match_mmio_gen(vcpu) && vcpu->arch.mmio_gfn &&
++	      vcpu->arch.mmio_gfn == gpa >> PAGE_SHIFT)
+ 		return true;
+ 
+ 	return false;
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index 44b93da..266f717 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -778,6 +778,7 @@ void mark_rodata_ro(void)
+ 	unsigned long text_end = PAGE_ALIGN((unsigned long) &__stop___ex_table);
+ 	unsigned long rodata_end = PAGE_ALIGN((unsigned long) &__end_rodata);
+ 	unsigned long data_start = (unsigned long) &_sdata;
++	unsigned long all_end;
+ 
+ 	printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ 	       (end - start) >> 10);
+@@ -786,10 +787,19 @@ void mark_rodata_ro(void)
+ 	kernel_set_to_readonly = 1;
+ 
+ 	/*
+-	 * The rodata section (but not the kernel text!) should also be
+-	 * not-executable.
++	 * The rodata/data/bss/brk section (but not the kernel text!)
++	 * should also be not-executable.
++	 *
++	 * We align all_end to PMD_SIZE because the existing mapping
++	 * is a full PMD. If we would align _brk_end to PAGE_SIZE we
++	 * split the PMD and the reminder between _brk_end and the end
++	 * of the PMD will remain mapped executable.
++	 *
++	 * Any PMD which was setup after the one which covers _brk_end
++	 * has been zapped already via cleanup_highmem().
+ 	 */
+-	set_memory_nx(rodata_start, (end - rodata_start) >> PAGE_SHIFT);
++	all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
++	set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
+ 
+ 	rodata_test();
+ 
+diff --git a/arch/xtensa/include/asm/unistd.h b/arch/xtensa/include/asm/unistd.h
+index 798ee6d..7ab1f52 100644
+--- a/arch/xtensa/include/asm/unistd.h
++++ b/arch/xtensa/include/asm/unistd.h
+@@ -394,7 +394,8 @@ __SYSCALL(174, sys_chroot, 1)
+ #define __NR_pivot_root 			175
+ __SYSCALL(175, sys_pivot_root, 2)
+ #define __NR_umount 				176
+-__SYSCALL(176, sys_umount, 2)
++__SYSCALL(176, sys_oldumount, 1)
++#define __ARCH_WANT_SYS_OLDUMOUNT
+ #define __NR_swapoff 				177
+ __SYSCALL(177, sys_swapoff, 1)
+ #define __NR_sync 				178
+diff --git a/block/blk-settings.c b/block/blk-settings.c
+index fa1eb04..d55a3e4 100644
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -521,7 +521,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b,
+ 		bottom = max(b->physical_block_size, b->io_min) + alignment;
+ 
+ 		/* Verify that top and bottom intervals line up */
+-		if (max(top, bottom) & (min(top, bottom) - 1)) {
++		if (max(top, bottom) % min(top, bottom)) {
+ 			t->misaligned = 1;
+ 			ret = -1;
+ 		}
+@@ -562,7 +562,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b,
+ 
+ 	/* Find lowest common alignment_offset */
+ 	t->alignment_offset = lcm(t->alignment_offset, alignment)
+-		& (max(t->physical_block_size, t->io_min) - 1);
++		% max(t->physical_block_size, t->io_min);
+ 
+ 	/* Verify that new alignment_offset is on a logical block boundary */
+ 	if (t->alignment_offset & (t->logical_block_size - 1)) {
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index 9e76a32..f124268 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -505,7 +505,7 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
+ 
+ 	if (bytes && blk_rq_map_kern(q, rq, buffer, bytes, __GFP_WAIT)) {
+ 		err = DRIVER_ERROR << 24;
+-		goto out;
++		goto error;
+ 	}
+ 
+ 	memset(sense, 0, sizeof(sense));
+@@ -515,7 +515,6 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
+ 
+ 	blk_execute_rq(q, disk, rq, 0);
+ 
+-out:
+ 	err = rq->errors & 0xff;	/* only 8 bit SCSI status */
+ 	if (err) {
+ 		if (rq->sense_len && rq->sense) {
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index a19c027..83187f4 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -49,7 +49,7 @@ struct skcipher_ctx {
+ 	struct ablkcipher_request req;
+ };
+ 
+-#define MAX_SGL_ENTS ((PAGE_SIZE - sizeof(struct skcipher_sg_list)) / \
++#define MAX_SGL_ENTS ((4096 - sizeof(struct skcipher_sg_list)) / \
+ 		      sizeof(struct scatterlist) - 1)
+ 
+ static inline int skcipher_sndbuf(struct sock *sk)
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 4007f62..923ac15 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -61,6 +61,7 @@ enum board_ids {
+ 	/* board IDs by feature in alphabetical order */
+ 	board_ahci,
+ 	board_ahci_ign_iferr,
++	board_ahci_nomsi,
+ 	board_ahci_noncq,
+ 	board_ahci_nosntf,
+ 	board_ahci_yes_fbs,
+@@ -124,6 +125,13 @@ static const struct ata_port_info ahci_port_info[] = {
+ 		.udma_mask	= ATA_UDMA6,
+ 		.port_ops	= &ahci_ops,
+ 	},
++	[board_ahci_nomsi] = {
++		AHCI_HFLAGS	(AHCI_HFLAG_NO_MSI),
++		.flags		= AHCI_FLAG_COMMON,
++		.pio_mask	= ATA_PIO4,
++		.udma_mask	= ATA_UDMA6,
++		.port_ops	= &ahci_ops,
++	},
+ 	[board_ahci_noncq] = {
+ 		AHCI_HFLAGS	(AHCI_HFLAG_NO_NCQ),
+ 		.flags		= AHCI_FLAG_COMMON,
+@@ -323,6 +331,11 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ 	{ PCI_VDEVICE(INTEL, 0x8c87), board_ahci }, /* 9 Series RAID */
+ 	{ PCI_VDEVICE(INTEL, 0x8c8e), board_ahci }, /* 9 Series RAID */
+ 	{ PCI_VDEVICE(INTEL, 0x8c8f), board_ahci }, /* 9 Series RAID */
++	{ PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H AHCI */
++	{ PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H RAID */
++	{ PCI_VDEVICE(INTEL, 0xa105), board_ahci }, /* Sunrise Point-H RAID */
++	{ PCI_VDEVICE(INTEL, 0xa107), board_ahci }, /* Sunrise Point-H RAID */
++	{ PCI_VDEVICE(INTEL, 0xa10f), board_ahci }, /* Sunrise Point-H RAID */
+ 
+ 	/* JMicron 360/1/3/5/6, match class to avoid IDE function */
+ 	{ PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+@@ -482,10 +495,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ 	{ PCI_VDEVICE(ASMEDIA, 0x0612), board_ahci },	/* ASM1062 */
+ 
+ 	/*
+-	 * Samsung SSDs found on some macbooks.  NCQ times out.
+-	 * https://bugzilla.kernel.org/show_bug.cgi?id=60731
++	 * Samsung SSDs found on some macbooks.  NCQ times out if MSI is
++	 * enabled.  https://bugzilla.kernel.org/show_bug.cgi?id=60731
+ 	 */
+-	{ PCI_VDEVICE(SAMSUNG, 0x1600), board_ahci_noncq },
++	{ PCI_VDEVICE(SAMSUNG, 0x1600), board_ahci_nomsi },
+ 
+ 	/* Enmotus */
+ 	{ PCI_DEVICE(0x1c44, 0x8000), board_ahci },
+diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
+index 4cadfa2..8eae157 100644
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -2008,13 +2008,15 @@ static int ata_bus_softreset(struct ata_port *ap, unsigned int devmask,
+ 
+ 	DPRINTK("ata%u: bus reset via SRST\n", ap->print_id);
+ 
+-	/* software reset.  causes dev0 to be selected */
+-	iowrite8(ap->ctl, ioaddr->ctl_addr);
+-	udelay(20);	/* FIXME: flush */
+-	iowrite8(ap->ctl | ATA_SRST, ioaddr->ctl_addr);
+-	udelay(20);	/* FIXME: flush */
+-	iowrite8(ap->ctl, ioaddr->ctl_addr);
+-	ap->last_ctl = ap->ctl;
++	if (ap->ioaddr.ctl_addr) {
++		/* software reset.  causes dev0 to be selected */
++		iowrite8(ap->ctl, ioaddr->ctl_addr);
++		udelay(20);	/* FIXME: flush */
++		iowrite8(ap->ctl | ATA_SRST, ioaddr->ctl_addr);
++		udelay(20);	/* FIXME: flush */
++		iowrite8(ap->ctl, ioaddr->ctl_addr);
++		ap->last_ctl = ap->ctl;
++	}
+ 
+ 	/* wait the port to become ready */
+ 	return ata_sff_wait_after_reset(&ap->link, devmask, deadline);
+@@ -2215,10 +2217,6 @@ void ata_sff_error_handler(struct ata_port *ap)
+ 
+ 	spin_unlock_irqrestore(ap->lock, flags);
+ 
+-	/* ignore ata_sff_softreset if ctl isn't accessible */
+-	if (softreset == ata_sff_softreset && !ap->ioaddr.ctl_addr)
+-		softreset = NULL;
+-
+ 	/* ignore built-in hardresets if SCR access is not available */
+ 	if ((hardreset == sata_std_hardreset ||
+ 	     hardreset == sata_sff_hardreset) && !sata_scr_valid(&ap->link))
+diff --git a/drivers/ata/pata_serverworks.c b/drivers/ata/pata_serverworks.c
+index 71eaf385..5929dde 100644
+--- a/drivers/ata/pata_serverworks.c
++++ b/drivers/ata/pata_serverworks.c
+@@ -252,12 +252,18 @@ static void serverworks_set_dmamode(struct ata_port *ap, struct ata_device *adev
+ 	pci_write_config_byte(pdev, 0x54, ultra_cfg);
+ }
+ 
+-static struct scsi_host_template serverworks_sht = {
++static struct scsi_host_template serverworks_osb4_sht = {
++	ATA_BMDMA_SHT(DRV_NAME),
++	.sg_tablesize	= LIBATA_DUMB_MAX_PRD,
++};
++
++static struct scsi_host_template serverworks_csb_sht = {
+ 	ATA_BMDMA_SHT(DRV_NAME),
+ };
+ 
+ static struct ata_port_operations serverworks_osb4_port_ops = {
+ 	.inherits	= &ata_bmdma_port_ops,
++	.qc_prep	= ata_bmdma_dumb_qc_prep,
+ 	.cable_detect	= serverworks_cable_detect,
+ 	.mode_filter	= serverworks_osb4_filter,
+ 	.set_piomode	= serverworks_set_piomode,
+@@ -266,6 +272,7 @@ static struct ata_port_operations serverworks_osb4_port_ops = {
+ 
+ static struct ata_port_operations serverworks_csb_port_ops = {
+ 	.inherits	= &serverworks_osb4_port_ops,
++	.qc_prep	= ata_bmdma_qc_prep,
+ 	.mode_filter	= serverworks_csb_filter,
+ };
+ 
+@@ -405,6 +412,7 @@ static int serverworks_init_one(struct pci_dev *pdev, const struct pci_device_id
+ 		}
+ 	};
+ 	const struct ata_port_info *ppi[] = { &info[id->driver_data], NULL };
++	struct scsi_host_template *sht = &serverworks_csb_sht;
+ 	int rc;
+ 
+ 	rc = pcim_enable_device(pdev);
+@@ -418,6 +426,7 @@ static int serverworks_init_one(struct pci_dev *pdev, const struct pci_device_id
+ 		/* Select non UDMA capable OSB4 if we can't do fixups */
+ 		if (rc < 0)
+ 			ppi[0] = &info[1];
++		sht = &serverworks_osb4_sht;
+ 	}
+ 	/* setup CSB5/CSB6 : South Bridge and IDE option RAID */
+ 	else if ((pdev->device == PCI_DEVICE_ID_SERVERWORKS_CSB5IDE) ||
+@@ -434,7 +443,7 @@ static int serverworks_init_one(struct pci_dev *pdev, const struct pci_device_id
+ 			ppi[1] = &ata_dummy_port_info;
+ 	}
+ 
+-	return ata_pci_bmdma_init_one(pdev, ppi, &serverworks_sht, NULL, 0);
++	return ata_pci_bmdma_init_one(pdev, ppi, sht, NULL, 0);
+ }
+ 
+ #ifdef CONFIG_PM
+diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
+index 3719c94..763b356 100644
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -521,6 +521,9 @@ static int _request_firmware(const struct firmware **firmware_p,
+ 	if (!firmware_p)
+ 		return -EINVAL;
+ 
++	if (!name || name[0] == '\0')
++		return -EINVAL;
++
+ 	*firmware_p = firmware = kzalloc(sizeof(*firmware), GFP_KERNEL);
+ 	if (!firmware) {
+ 		dev_err(device, "%s: kmalloc(struct firmware) failed\n",
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index dddcb1d..8750d52 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -305,6 +305,9 @@ static void btusb_intr_complete(struct urb *urb)
+ 			BT_ERR("%s corrupted event packet", hdev->name);
+ 			hdev->stat.err_rx++;
+ 		}
++	} else if (urb->status == -ENOENT) {
++		/* Avoid suspend failed when usb_kill_urb */
++		return;
+ 	}
+ 
+ 	if (!test_bit(BTUSB_INTR_RUNNING, &data->flags))
+@@ -392,6 +395,9 @@ static void btusb_bulk_complete(struct urb *urb)
+ 			BT_ERR("%s corrupted ACL packet", hdev->name);
+ 			hdev->stat.err_rx++;
+ 		}
++	} else if (urb->status == -ENOENT) {
++		/* Avoid suspend failed when usb_kill_urb */
++		return;
+ 	}
+ 
+ 	if (!test_bit(BTUSB_BULK_RUNNING, &data->flags))
+@@ -485,6 +491,9 @@ static void btusb_isoc_complete(struct urb *urb)
+ 				hdev->stat.err_rx++;
+ 			}
+ 		}
++	} else if (urb->status == -ENOENT) {
++		/* Avoid suspend failed when usb_kill_urb */
++		return;
+ 	}
+ 
+ 	if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags))
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index c244f0e..edf45ae 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -954,8 +954,8 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+ 	 * pool while mixing, and hash one final time.
+ 	 */
+ 	sha_transform(hash.w, extract, workspace);
+-	memset(extract, 0, sizeof(extract));
+-	memset(workspace, 0, sizeof(workspace));
++	memzero_explicit(extract, sizeof(extract));
++	memzero_explicit(workspace, sizeof(workspace));
+ 
+ 	/*
+ 	 * In case the hash function has some recognizable output
+@@ -978,7 +978,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+ 	}
+ 
+ 	memcpy(out, &hash, EXTRACT_SIZE);
+-	memset(&hash, 0, sizeof(hash));
++	memzero_explicit(&hash, sizeof(hash));
+ }
+ 
+ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+@@ -1010,7 +1010,7 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ 	}
+ 
+ 	/* Wipe data just returned from memory */
+-	memset(tmp, 0, sizeof(tmp));
++	memzero_explicit(tmp, sizeof(tmp));
+ 
+ 	return ret;
+ }
+@@ -1047,7 +1047,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+ 	}
+ 
+ 	/* Wipe data just returned from memory */
+-	memset(tmp, 0, sizeof(tmp));
++	memzero_explicit(tmp, sizeof(tmp));
+ 
+ 	return ret;
+ }
+diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
+index b97d4f0..ee96b91 100644
+--- a/drivers/firewire/core-cdev.c
++++ b/drivers/firewire/core-cdev.c
+@@ -1605,8 +1605,7 @@ static int dispatch_ioctl(struct client *client,
+ 	    _IOC_SIZE(cmd) > sizeof(buffer))
+ 		return -ENOTTY;
+ 
+-	if (_IOC_DIR(cmd) == _IOC_READ)
+-		memset(&buffer, 0, _IOC_SIZE(cmd));
++	memset(&buffer, 0, sizeof(buffer));
+ 
+ 	if (_IOC_DIR(cmd) & _IOC_WRITE)
+ 		if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+index 7c88f1f..eb9735e 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -1826,6 +1826,14 @@ int vmw_du_connector_fill_modes(struct drm_connector *connector,
+ 		DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_PVSYNC)
+ 	};
+ 	int i;
++	u32 assumed_bpp = 2;
++
++	/*
++	 * If using screen objects, then assume 32-bpp because that's what the
++	 * SVGA device is assuming
++	 */
++	if (dev_priv->sou_priv)
++		assumed_bpp = 4;
+ 
+ 	/* Add preferred mode */
+ 	{
+@@ -1836,8 +1844,9 @@ int vmw_du_connector_fill_modes(struct drm_connector *connector,
+ 		mode->vdisplay = du->pref_height;
+ 		vmw_guess_mode_timing(mode);
+ 
+-		if (vmw_kms_validate_mode_vram(dev_priv, mode->hdisplay * 2,
+-					       mode->vdisplay)) {
++		if (vmw_kms_validate_mode_vram(dev_priv,
++						mode->hdisplay * assumed_bpp,
++						mode->vdisplay)) {
+ 			drm_mode_probed_add(connector, mode);
+ 		} else {
+ 			drm_mode_destroy(dev, mode);
+@@ -1859,7 +1868,8 @@ int vmw_du_connector_fill_modes(struct drm_connector *connector,
+ 		    bmode->vdisplay > max_height)
+ 			continue;
+ 
+-		if (!vmw_kms_validate_mode_vram(dev_priv, bmode->hdisplay * 2,
++		if (!vmw_kms_validate_mode_vram(dev_priv,
++						bmode->hdisplay * assumed_bpp,
+ 						bmode->vdisplay))
+ 			continue;
+ 
+diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
+index f4c3d28..44a1ea4 100644
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -207,8 +207,10 @@ int vmbus_open(struct vmbus_channel *newchannel, u32 send_ringbuffer_size,
+ 	ret = vmbus_post_msg(open_msg,
+ 			       sizeof(struct vmbus_channel_open_channel));
+ 
+-	if (ret != 0)
++	if (ret != 0) {
++		err = ret;
+ 		goto error1;
++	}
+ 
+ 	t = wait_for_completion_timeout(&open_info->waitevent, 5*HZ);
+ 	if (t == 0) {
+@@ -400,7 +402,6 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
+ 	u32 next_gpadl_handle;
+ 	unsigned long flags;
+ 	int ret = 0;
+-	int t;
+ 
+ 	next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
+ 	atomic_inc(&vmbus_connection.next_gpadl_handle);
+@@ -447,9 +448,7 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
+ 
+ 		}
+ 	}
+-	t = wait_for_completion_timeout(&msginfo->waitevent, 5*HZ);
+-	BUG_ON(t == 0);
+-
++	wait_for_completion(&msginfo->waitevent);
+ 
+ 	/* At this point, we received the gpadl created msg */
+ 	*gpadl_handle = gpadlmsg->gpadl;
+@@ -472,7 +471,7 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle)
+ 	struct vmbus_channel_gpadl_teardown *msg;
+ 	struct vmbus_channel_msginfo *info;
+ 	unsigned long flags;
+-	int ret, t;
++	int ret;
+ 
+ 	info = kmalloc(sizeof(*info) +
+ 		       sizeof(struct vmbus_channel_gpadl_teardown), GFP_KERNEL);
+@@ -494,11 +493,12 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle)
+ 	ret = vmbus_post_msg(msg,
+ 			       sizeof(struct vmbus_channel_gpadl_teardown));
+ 
+-	BUG_ON(ret != 0);
+-	t = wait_for_completion_timeout(&info->waitevent, 5*HZ);
+-	BUG_ON(t == 0);
++	if (ret)
++		goto post_msg_err;
++
++	wait_for_completion(&info->waitevent);
+ 
+-	/* Received a torndown response */
++post_msg_err:
+ 	spin_lock_irqsave(&vmbus_connection.channelmsg_lock, flags);
+ 	list_del(&info->msglistentry);
+ 	spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);
+@@ -531,11 +531,28 @@ void vmbus_close(struct vmbus_channel *channel)
+ 
+ 	ret = vmbus_post_msg(msg, sizeof(struct vmbus_channel_close_channel));
+ 
+-	BUG_ON(ret != 0);
++	if (ret) {
++		pr_err("Close failed: close post msg return is %d\n", ret);
++		/*
++		 * If we failed to post the close msg,
++		 * it is perhaps better to leak memory.
++		 */
++		return;
++	}
++
+ 	/* Tear down the gpadl for the channel's ring buffer */
+-	if (channel->ringbuffer_gpadlhandle)
+-		vmbus_teardown_gpadl(channel,
+-					  channel->ringbuffer_gpadlhandle);
++	if (channel->ringbuffer_gpadlhandle) {
++		ret = vmbus_teardown_gpadl(channel,
++					   channel->ringbuffer_gpadlhandle);
++		if (ret) {
++			pr_err("Close failed: teardown gpadl return %d\n", ret);
++			/*
++			 * If we failed to teardown gpadl,
++			 * it is perhaps better to leak memory.
++			 */
++			return;
++		}
++	}
+ 
+ 	/* Cleanup the ring buffers for this channel */
+ 	hv_ringbuffer_cleanup(&channel->outbound);
+diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c
+index d7f3df9..96548d7 100644
+--- a/drivers/hv/connection.c
++++ b/drivers/hv/connection.c
+@@ -284,10 +284,21 @@ int vmbus_post_msg(void *buffer, size_t buflen)
+ 	 * insufficient resources. Retry the operation a couple of
+ 	 * times before giving up.
+ 	 */
+-	while (retries < 3) {
+-		ret =  hv_post_message(conn_id, 1, buffer, buflen);
+-		if (ret != HV_STATUS_INSUFFICIENT_BUFFERS)
++	while (retries < 10) {
++		ret = hv_post_message(conn_id, 1, buffer, buflen);
++
++		switch (ret) {
++		case HV_STATUS_INSUFFICIENT_BUFFERS:
++			ret = -ENOMEM;
++		case -ENOMEM:
++			break;
++		case HV_STATUS_SUCCESS:
+ 			return ret;
++		default:
++			pr_err("hv_post_msg() failed; error code:%d\n", ret);
++			return -EINVAL;
++		}
++
+ 		retries++;
+ 		msleep(100);
+ 	}
+diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
+index 0fb100e..17ed6fb 100644
+--- a/drivers/hv/hv.c
++++ b/drivers/hv/hv.c
+@@ -158,6 +158,8 @@ int hv_init(void)
+ 	memset(hv_context.synic_event_page, 0, sizeof(void *) * MAX_NUM_CPUS);
+ 	memset(hv_context.synic_message_page, 0,
+ 	       sizeof(void *) * MAX_NUM_CPUS);
++	memset(hv_context.post_msg_page, 0,
++	       sizeof(void *) * MAX_NUM_CPUS);
+ 
+ 	if (!query_hypervisor_presence())
+ 		goto cleanup;
+@@ -258,26 +260,18 @@ u16 hv_post_message(union hv_connection_id connection_id,
+ 		  enum hv_message_type message_type,
+ 		  void *payload, size_t payload_size)
+ {
+-	struct aligned_input {
+-		u64 alignment8;
+-		struct hv_input_post_message msg;
+-	};
+ 
+ 	struct hv_input_post_message *aligned_msg;
+ 	u16 status;
+-	unsigned long addr;
+ 
+ 	if (payload_size > HV_MESSAGE_PAYLOAD_BYTE_COUNT)
+ 		return -EMSGSIZE;
+ 
+-	addr = (unsigned long)kmalloc(sizeof(struct aligned_input), GFP_ATOMIC);
+-	if (!addr)
+-		return -ENOMEM;
+-
+ 	aligned_msg = (struct hv_input_post_message *)
+-			(ALIGN(addr, HV_HYPERCALL_PARAM_ALIGN));
++			hv_context.post_msg_page[get_cpu()];
+ 
+ 	aligned_msg->connectionid = connection_id;
++	aligned_msg->reserved = 0;
+ 	aligned_msg->message_type = message_type;
+ 	aligned_msg->payload_size = payload_size;
+ 	memcpy((void *)aligned_msg->payload, payload, payload_size);
+@@ -285,8 +279,7 @@ u16 hv_post_message(union hv_connection_id connection_id,
+ 	status = do_hypercall(HVCALL_POST_MESSAGE, aligned_msg, NULL)
+ 		& 0xFFFF;
+ 
+-	kfree((void *)addr);
+-
++	put_cpu();
+ 	return status;
+ }
+ 
+@@ -347,6 +340,14 @@ void hv_synic_init(void *irqarg)
+ 		goto cleanup;
+ 	}
+ 
++	hv_context.post_msg_page[cpu] =
++		(void *)get_zeroed_page(GFP_ATOMIC);
++
++	if (hv_context.post_msg_page[cpu] == NULL) {
++		pr_err("Unable to allocate post msg page\n");
++		goto cleanup;
++	}
++
+ 	/* Setup the Synic's message page */
+ 	rdmsrl(HV_X64_MSR_SIMP, simp.as_uint64);
+ 	simp.simp_enabled = 1;
+@@ -388,6 +389,8 @@ cleanup:
+ 
+ 	if (hv_context.synic_message_page[cpu])
+ 		free_page((unsigned long)hv_context.synic_message_page[cpu]);
++	if (hv_context.post_msg_page[cpu])
++		free_page((unsigned long)hv_context.post_msg_page[cpu]);
+ 	return;
+ }
+ 
+@@ -426,4 +429,5 @@ void hv_synic_cleanup(void *arg)
+ 
+ 	free_page((unsigned long)hv_context.synic_message_page[cpu]);
+ 	free_page((unsigned long)hv_context.synic_event_page[cpu]);
++	free_page((unsigned long)hv_context.post_msg_page[cpu]);
+ }
+diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
+index 0aee112..be2f3af 100644
+--- a/drivers/hv/hyperv_vmbus.h
++++ b/drivers/hv/hyperv_vmbus.h
+@@ -485,6 +485,10 @@ struct hv_context {
+ 
+ 	void *synic_message_page[MAX_NUM_CPUS];
+ 	void *synic_event_page[MAX_NUM_CPUS];
++	/*
++	 * buffer to post messages to the host.
++	 */
++	void *post_msg_page[MAX_NUM_CPUS];
+ };
+ 
+ extern struct hv_context hv_context;
+diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
+index 2189cbf..0c4c556 100644
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -979,9 +979,19 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id
+ 		}
+ 
+ 		ep_irq_in = &intf->cur_altsetting->endpoint[1].desc;
+-		usb_fill_bulk_urb(xpad->bulk_out, udev,
+-				usb_sndbulkpipe(udev, ep_irq_in->bEndpointAddress),
+-				xpad->bdata, XPAD_PKT_LEN, xpad_bulk_out, xpad);
++		if (usb_endpoint_is_bulk_out(ep_irq_in)) {
++			usb_fill_bulk_urb(xpad->bulk_out, udev,
++					  usb_sndbulkpipe(udev,
++							  ep_irq_in->bEndpointAddress),
++					  xpad->bdata, XPAD_PKT_LEN,
++					  xpad_bulk_out, xpad);
++		} else {
++			usb_fill_int_urb(xpad->bulk_out, udev,
++					 usb_sndintpipe(udev,
++							ep_irq_in->bEndpointAddress),
++					 xpad->bdata, XPAD_PKT_LEN,
++					 xpad_bulk_out, xpad, 0);
++		}
+ 
+ 		/*
+ 		 * Submit the int URB immediately rather than waiting for open
+diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
+index 9c40c11..64ce6d9 100644
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -372,7 +372,13 @@ static psmouse_ret_t alps_process_byte(struct psmouse *psmouse)
+ 	struct alps_data *priv = psmouse->private;
+ 	const struct alps_model_info *model = priv->i;
+ 
+-	if ((psmouse->packet[0] & 0xc8) == 0x08) { /* PS/2 packet */
++	/*
++	 * Check if we are dealing with a bare PS/2 packet, presumably from
++	 * a device connected to the external PS/2 port. Because bare PS/2
++	 * protocol does not have enough constant bits to self-synchronize
++	 * properly we only do this if the device is fully synchronized.
++	 */
++	if (!psmouse->out_of_sync_cnt && (psmouse->packet[0] & 0xc8) == 0x08) {
+ 		if (psmouse->pktcnt == 3) {
+ 			alps_report_bare_ps2_packet(psmouse, psmouse->packet,
+ 						    true);
+@@ -745,6 +751,9 @@ int alps_init(struct psmouse *psmouse)
+ 	/* We are having trouble resyncing ALPS touchpads so disable it for now */
+ 	psmouse->resync_time = 0;
+ 
++	/* Allow 2 invalid packets without resetting device */
++	psmouse->resetafter = psmouse->pktsize * 2;
++
+ 	return 0;
+ 
+ init_fail:
+diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
+index a50e121..bb41f94 100644
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -495,6 +495,8 @@ static void synaptics_parse_agm(const unsigned char buf[],
+ 	priv->agm_pending = true;
+ }
+ 
++static bool is_forcepad;
++
+ static int synaptics_parse_hw_state(const unsigned char buf[],
+ 				    struct synaptics_data *priv,
+ 				    struct synaptics_hw_state *hw)
+@@ -524,7 +526,7 @@ static int synaptics_parse_hw_state(const unsigned char buf[],
+ 		hw->left  = (buf[0] & 0x01) ? 1 : 0;
+ 		hw->right = (buf[0] & 0x02) ? 1 : 0;
+ 
+-		if (SYN_CAP_FORCEPAD(priv->ext_cap_0c)) {
++		if (is_forcepad) {
+ 			/*
+ 			 * ForcePads, like Clickpads, use middle button
+ 			 * bits to report primary button clicks.
+@@ -1507,6 +1509,18 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
+ 	{ }
+ };
+ 
++static const struct dmi_system_id forcepad_dmi_table[] __initconst = {
++#if defined(CONFIG_DMI) && defined(CONFIG_X86)
++	{
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "HP EliteBook Folio 1040 G1"),
++		},
++	},
++#endif
++	{ }
++};
++
+ void __init synaptics_module_init(void)
+ {
+ 	const struct dmi_system_id *min_max_dmi;
+@@ -1517,6 +1531,12 @@ void __init synaptics_module_init(void)
+ 	min_max_dmi = dmi_first_match(min_max_dmi_table);
+ 	if (min_max_dmi)
+ 		quirk_min_max = min_max_dmi->driver_data;
++
++	/*
++	 * Unfortunately ForcePad capability is not exported over PS/2,
++	 * so we have to resort to checking DMI.
++	 */
++	is_forcepad = dmi_check_system(forcepad_dmi_table);
+ }
+ 
+ int synaptics_init(struct psmouse *psmouse)
+diff --git a/drivers/input/mouse/synaptics.h b/drivers/input/mouse/synaptics.h
+index 908d167..6cf156d 100644
+--- a/drivers/input/mouse/synaptics.h
++++ b/drivers/input/mouse/synaptics.h
+@@ -76,12 +76,9 @@
+  *					for noise.
+  * 2	0x08	image sensor		image sensor tracks 5 fingers, but only
+  *					reports 2.
++ * 2	0x01	uniform clickpad	whole clickpad moves instead of being
++ *					hinged at the top.
+  * 2	0x20	report min		query 0x0f gives min coord reported
+- * 2	0x80	forcepad		forcepad is a variant of clickpad that
+- *					does not have physical buttons but rather
+- *					uses pressure above certain threshold to
+- *					report primary clicks. Forcepads also have
+- *					clickpad bit set.
+  */
+ #define SYN_CAP_CLICKPAD(ex0c)		((ex0c) & 0x100000) /* 1-button ClickPad */
+ #define SYN_CAP_CLICKPAD2BTN(ex0c)	((ex0c) & 0x000100) /* 2-button ClickPad */
+@@ -90,7 +87,6 @@
+ #define SYN_CAP_ADV_GESTURE(ex0c)	((ex0c) & 0x080000)
+ #define SYN_CAP_REDUCED_FILTERING(ex0c)	((ex0c) & 0x000400)
+ #define SYN_CAP_IMAGE_SENSOR(ex0c)	((ex0c) & 0x000800)
+-#define SYN_CAP_FORCEPAD(ex0c)		((ex0c) & 0x008000)
+ 
+ /* synaptics modes query bits */
+ #define SYN_MODE_ABSOLUTE(m)		((m) & (1 << 7))
+diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
+index bab8238..a5c6a8c 100644
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -101,6 +101,12 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = {
+ 	},
+ 	{
+ 		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++			DMI_MATCH(DMI_PRODUCT_NAME, "X750LN"),
++		},
++	},
++	{
++		.matches = {
+ 			DMI_MATCH(DMI_SYS_VENDOR, "Compaq"),
+ 			DMI_MATCH(DMI_PRODUCT_NAME , "ProLiant"),
+ 			DMI_MATCH(DMI_PRODUCT_VERSION, "8500"),
+@@ -602,6 +608,22 @@ static const struct dmi_system_id __initconst i8042_dmi_notimeout_table[] = {
+ 		},
+ 	},
+ 	{
++		/* Fujitsu A544 laptop */
++		/* https://bugzilla.redhat.com/show_bug.cgi?id=1111138 */
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK A544"),
++		},
++	},
++	{
++		/* Fujitsu AH544 laptop */
++		/* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK AH544"),
++		},
++	},
++	{
+ 		/* Fujitsu U574 laptop */
+ 		/* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */
+ 		.matches = {
+diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
+index 910d2f8..3bf72679 100644
+--- a/drivers/md/dm-bufio.c
++++ b/drivers/md/dm-bufio.c
+@@ -468,6 +468,7 @@ static void __relink_lru(struct dm_buffer *b, int dirty)
+ 	b->list_mode = dirty;
+ 	list_del(&b->lru_list);
+ 	list_add(&b->lru_list, &c->lru[dirty]);
++	b->last_accessed = jiffies;
+ }
+ 
+ /*----------------------------------------------------------------
+@@ -1323,9 +1324,9 @@ static void drop_buffers(struct dm_bufio_client *c)
+ 
+ /*
+  * Test if the buffer is unused and too old, and commit it.
+- * At if noio is set, we must not do any I/O because we hold
+- * dm_bufio_clients_lock and we would risk deadlock if the I/O gets rerouted to
+- * different bufio client.
++ * And if GFP_NOFS is used, we must not do any I/O because we hold
++ * dm_bufio_clients_lock and we would risk deadlock if the I/O gets
++ * rerouted to different bufio client.
+  */
+ static int __cleanup_old_buffer(struct dm_buffer *b, gfp_t gfp,
+ 				unsigned long max_jiffies)
+@@ -1333,7 +1334,7 @@ static int __cleanup_old_buffer(struct dm_buffer *b, gfp_t gfp,
+ 	if (jiffies - b->last_accessed < max_jiffies)
+ 		return 1;
+ 
+-	if (!(gfp & __GFP_IO)) {
++	if (!(gfp & __GFP_FS)) {
+ 		if (test_bit(B_READING, &b->state) ||
+ 		    test_bit(B_WRITING, &b->state) ||
+ 		    test_bit(B_DIRTY, &b->state))
+@@ -1372,7 +1373,7 @@ static int shrink(struct shrinker *shrinker, struct shrink_control *sc)
+ 	unsigned long r;
+ 	unsigned long nr_to_scan = sc->nr_to_scan;
+ 
+-	if (sc->gfp_mask & __GFP_IO)
++	if (sc->gfp_mask & __GFP_FS)
+ 		dm_bufio_lock(c);
+ 	else if (!dm_bufio_trylock(c))
+ 		return !nr_to_scan ? 0 : -1;
+diff --git a/drivers/md/dm-log-userspace-transfer.c b/drivers/md/dm-log-userspace-transfer.c
+index 1f23e04..e5bd3ef 100644
+--- a/drivers/md/dm-log-userspace-transfer.c
++++ b/drivers/md/dm-log-userspace-transfer.c
+@@ -272,7 +272,7 @@ int dm_ulog_tfr_init(void)
+ 
+ 	r = cn_add_callback(&ulog_cn_id, "dmlogusr", cn_ulog_callback);
+ 	if (r) {
+-		cn_del_callback(&ulog_cn_id);
++		kfree(prealloced_cn_msg);
+ 		return r;
+ 	}
+ 
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index 86862ea..8158f63 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -591,8 +591,7 @@ struct dm_raid_superblock {
+ 	__le32 layout;
+ 	__le32 stripe_sectors;
+ 
+-	__u8 pad[452];		/* Round struct to 512 bytes. */
+-				/* Always set to 0 when writing. */
++	/* Remainder of a logical block is zero-filled when writing (see super_sync()). */
+ } __packed;
+ 
+ static int read_disk_sb(struct md_rdev *rdev, int size)
+@@ -625,7 +624,7 @@ static void super_sync(struct mddev *mddev, struct md_rdev *rdev)
+ 		if ((r->raid_disk >= 0) && test_bit(Faulty, &r->flags))
+ 			failed_devices |= (1ULL << r->raid_disk);
+ 
+-	memset(sb, 0, sizeof(*sb));
++	memset(sb + 1, 0, rdev->sb_size - sizeof(*sb));
+ 
+ 	sb->magic = cpu_to_le32(DM_RAID_MAGIC);
+ 	sb->features = cpu_to_le32(0);	/* No features yet */
+@@ -660,7 +659,11 @@ static int super_load(struct md_rdev *rdev, struct md_rdev *refdev)
+ 	uint64_t events_sb, events_refsb;
+ 
+ 	rdev->sb_start = 0;
+-	rdev->sb_size = sizeof(*sb);
++	rdev->sb_size = bdev_logical_block_size(rdev->meta_bdev);
++	if (rdev->sb_size < sizeof(*sb) || rdev->sb_size > PAGE_SIZE) {
++		DMERR("superblock size of a logical block is no longer valid");
++		return -EINVAL;
++	}
+ 
+ 	ret = read_disk_sb(rdev, rdev->sb_size);
+ 	if (ret)
+diff --git a/drivers/media/dvb/frontends/ds3000.c b/drivers/media/dvb/frontends/ds3000.c
+index 90bf573..2151c99 100644
+--- a/drivers/media/dvb/frontends/ds3000.c
++++ b/drivers/media/dvb/frontends/ds3000.c
+@@ -925,6 +925,13 @@ struct dvb_frontend *ds3000_attach(const struct ds3000_config *config,
+ 	memcpy(&state->frontend.ops, &ds3000_ops,
+ 			sizeof(struct dvb_frontend_ops));
+ 	state->frontend.demodulator_priv = state;
++
++	/*
++	 * Some devices like T480 starts with voltage on. Be sure
++	 * to turn voltage off during init, as this can otherwise
++	 * interfere with Unicable SCR systems.
++	 */
++	ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF);
+ 	return &state->frontend;
+ 
+ error3:
+diff --git a/drivers/media/video/uvc/uvc_driver.c b/drivers/media/video/uvc/uvc_driver.c
+index 656d4c9..8fd00e8 100644
+--- a/drivers/media/video/uvc/uvc_driver.c
++++ b/drivers/media/video/uvc/uvc_driver.c
+@@ -2126,6 +2126,15 @@ static struct usb_device_id uvc_ids[] = {
+ 	  .bInterfaceSubClass	= 1,
+ 	  .bInterfaceProtocol	= 0,
+ 	  .driver_info		= UVC_QUIRK_PROBE_MINMAX },
++	/* Dell XPS M1330 (OmniVision OV7670 webcam) */
++	{ .match_flags		= USB_DEVICE_ID_MATCH_DEVICE
++				| USB_DEVICE_ID_MATCH_INT_INFO,
++	  .idVendor		= 0x05a9,
++	  .idProduct		= 0x7670,
++	  .bInterfaceClass	= USB_CLASS_VIDEO,
++	  .bInterfaceSubClass	= 1,
++	  .bInterfaceProtocol	= 0,
++	  .driver_info		= UVC_QUIRK_PROBE_DEF },
+ 	/* Apple Built-In iSight */
+ 	{ .match_flags		= USB_DEVICE_ID_MATCH_DEVICE
+ 				| USB_DEVICE_ID_MATCH_INT_INFO,
+diff --git a/drivers/media/video/v4l2-common.c b/drivers/media/video/v4l2-common.c
+index 5c6100f..d46495d 100644
+--- a/drivers/media/video/v4l2-common.c
++++ b/drivers/media/video/v4l2-common.c
+@@ -487,16 +487,13 @@ static unsigned int clamp_align(unsigned int x, unsigned int min,
+ 	/* Bits that must be zero to be aligned */
+ 	unsigned int mask = ~((1 << align) - 1);
+ 
++	/* Clamp to aligned min and max */
++	x = clamp(x, (min + ~mask) & mask, max & mask);
++
+ 	/* Round to nearest aligned value */
+ 	if (align)
+ 		x = (x + (1 << (align - 1))) & mask;
+ 
+-	/* Clamp to aligned value of min and max */
+-	if (x < min)
+-		x = (min + ~mask) & mask;
+-	else if (x > max)
+-		x = max & mask;
+-
+ 	return x;
+ }
+ 
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index de87f82..1eac27f 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -352,7 +352,7 @@ void can_free_echo_skb(struct net_device *dev, unsigned int idx)
+ 	BUG_ON(idx >= priv->echo_skb_max);
+ 
+ 	if (priv->echo_skb[idx]) {
+-		kfree_skb(priv->echo_skb[idx]);
++		dev_kfree_skb_any(priv->echo_skb[idx]);
+ 		priv->echo_skb[idx] = NULL;
+ 	}
+ }
+diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c
+index eb8b0e6..9ecf098 100644
+--- a/drivers/net/can/usb/esd_usb2.c
++++ b/drivers/net/can/usb/esd_usb2.c
+@@ -1097,6 +1097,7 @@ static void esd_usb2_disconnect(struct usb_interface *intf)
+ 			}
+ 		}
+ 		unlink_all_urbs(dev);
++		kfree(dev);
+ 	}
+ }
+ 
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 3ed983c..4782d79 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -588,7 +588,7 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ 			if (file == ppp->owner)
+ 				ppp_shutdown_interface(ppp);
+ 		}
+-		if (atomic_long_read(&file->f_count) <= 2) {
++		if (atomic_long_read(&file->f_count) < 2) {
+ 			ppp_release(NULL, file);
+ 			err = 0;
+ 		} else
+diff --git a/drivers/net/wireless/rt2x00/rt2800.h b/drivers/net/wireless/rt2x00/rt2800.h
+index 4778620..5396e3b 100644
+--- a/drivers/net/wireless/rt2x00/rt2800.h
++++ b/drivers/net/wireless/rt2x00/rt2800.h
+@@ -1737,7 +1737,7 @@ struct mac_iveiv_entry {
+  * 2 - drop tx power by 12dBm,
+  * 3 - increase tx power by 6dBm
+  */
+-#define BBP1_TX_POWER_CTRL		FIELD8(0x07)
++#define BBP1_TX_POWER_CTRL		FIELD8(0x03)
+ #define BBP1_TX_ANTENNA			FIELD8(0x18)
+ 
+ /*
+diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c
+index 3d4ea1fb..ee7efd2 100644
+--- a/drivers/net/wireless/rt2x00/rt2800usb.c
++++ b/drivers/net/wireless/rt2x00/rt2800usb.c
+@@ -1031,6 +1031,7 @@ static struct usb_device_id rt2800usb_device_table[] = {
+ 	/* Ovislink */
+ 	{ USB_DEVICE(0x1b75, 0x3071) },
+ 	{ USB_DEVICE(0x1b75, 0x3072) },
++	{ USB_DEVICE(0x1b75, 0xa200) },
+ 	/* Para */
+ 	{ USB_DEVICE(0x20b8, 0x8888) },
+ 	/* Pegatron */
+diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
+index 4d792a2..c5bdbe9 100644
+--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
++++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
+@@ -148,55 +148,29 @@ void rt2x00queue_align_frame(struct sk_buff *skb)
+ 	skb_trim(skb, frame_length);
+ }
+ 
+-void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int header_length)
++/*
++ * H/W needs L2 padding between the header and the paylod if header size
++ * is not 4 bytes aligned.
++ */
++void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int hdr_len)
+ {
+-	unsigned int payload_length = skb->len - header_length;
+-	unsigned int header_align = ALIGN_SIZE(skb, 0);
+-	unsigned int payload_align = ALIGN_SIZE(skb, header_length);
+-	unsigned int l2pad = payload_length ? L2PAD_SIZE(header_length) : 0;
++	unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0;
+ 
+-	/*
+-	 * Adjust the header alignment if the payload needs to be moved more
+-	 * than the header.
+-	 */
+-	if (payload_align > header_align)
+-		header_align += 4;
+-
+-	/* There is nothing to do if no alignment is needed */
+-	if (!header_align)
++	if (!l2pad)
+ 		return;
+ 
+-	/* Reserve the amount of space needed in front of the frame */
+-	skb_push(skb, header_align);
+-
+-	/*
+-	 * Move the header.
+-	 */
+-	memmove(skb->data, skb->data + header_align, header_length);
+-
+-	/* Move the payload, if present and if required */
+-	if (payload_length && payload_align)
+-		memmove(skb->data + header_length + l2pad,
+-			skb->data + header_length + l2pad + payload_align,
+-			payload_length);
+-
+-	/* Trim the skb to the correct size */
+-	skb_trim(skb, header_length + l2pad + payload_length);
++	skb_push(skb, l2pad);
++	memmove(skb->data, skb->data + l2pad, hdr_len);
+ }
+ 
+-void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int header_length)
++void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int hdr_len)
+ {
+-	/*
+-	 * L2 padding is only present if the skb contains more than just the
+-	 * IEEE 802.11 header.
+-	 */
+-	unsigned int l2pad = (skb->len > header_length) ?
+-				L2PAD_SIZE(header_length) : 0;
++	unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0;
+ 
+ 	if (!l2pad)
+ 		return;
+ 
+-	memmove(skb->data + l2pad, skb->data, header_length);
++	memmove(skb->data + l2pad, skb->data, hdr_len);
+ 	skb_pull(skb, l2pad);
+ }
+ 
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index 45c1727..53a613f 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -333,6 +333,22 @@ static struct of_bus *of_match_bus(struct device_node *np)
+ 	return NULL;
+ }
+ 
++static int of_empty_ranges_quirk(void)
++{
++#ifdef CONFIG_PPC
++	/* To save cycles, we cache the result */
++	static int quirk_state = -1;
++
++	if (quirk_state < 0)
++		quirk_state =
++			of_machine_is_compatible("Power Macintosh") ||
++			of_machine_is_compatible("MacRISC");
++	return quirk_state;
++#else
++	return false;
++#endif
++}
++
+ static int of_translate_one(struct device_node *parent, struct of_bus *bus,
+ 			    struct of_bus *pbus, u32 *addr,
+ 			    int na, int ns, int pna, const char *rprop)
+@@ -358,12 +374,10 @@ static int of_translate_one(struct device_node *parent, struct of_bus *bus,
+ 	 * This code is only enabled on powerpc. --gcl
+ 	 */
+ 	ranges = of_get_property(parent, rprop, &rlen);
+-#if !defined(CONFIG_PPC)
+-	if (ranges == NULL) {
++	if (ranges == NULL && !of_empty_ranges_quirk()) {
+ 		pr_err("OF: no ranges; cannot translate\n");
+ 		return 1;
+ 	}
+-#endif /* !defined(CONFIG_PPC) */
+ 	if (ranges == NULL || rlen == 0) {
+ 		offset = of_read_number(addr, na);
+ 		memset(addr, 0, pna * 4);
+diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c
+index 9350af9..dc126a2 100644
+--- a/drivers/pci/hotplug/pciehp_core.c
++++ b/drivers/pci/hotplug/pciehp_core.c
+@@ -237,6 +237,13 @@ static int pciehp_probe(struct pcie_device *dev)
+ 	else if (pciehp_acpi_slot_detection_check(dev->port))
+ 		goto err_out_none;
+ 
++	if (!dev->port->subordinate) {
++		/* Can happen if we run out of bus numbers during probe */
++		dev_err(&dev->device,
++			"Hotplug bridge without secondary bus, ignoring\n");
++		goto err_out_none;
++	}
++
+ 	ctrl = pcie_init(dev);
+ 	if (!ctrl) {
+ 		dev_err(&dev->device, "Controller initialization failed\n");
+diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
+index 106be0d..1e6be19 100644
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -173,7 +173,7 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
+ {
+ 	struct pci_dev *pci_dev = to_pci_dev(dev);
+ 
+-	return sprintf(buf, "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02x\n",
++	return sprintf(buf, "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X\n",
+ 		       pci_dev->vendor, pci_dev->device,
+ 		       pci_dev->subsystem_vendor, pci_dev->subsystem_device,
+ 		       (u8)(pci_dev->class >> 16), (u8)(pci_dev->class >> 8),
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index f0c8c5d..9b48d61 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -26,6 +26,7 @@
+ #include <linux/dmi.h>
+ #include <linux/pci-aspm.h>
+ #include <linux/ioport.h>
++#include <linux/mm.h>
+ #include <asm/dma.h>	/* isa_dma_bridge_buggy */
+ #include "pci.h"
+ 
+@@ -352,6 +353,25 @@ static void __devinit quirk_citrine(struct pci_dev *dev)
+ }
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_IBM,	PCI_DEVICE_ID_IBM_CITRINE,	quirk_citrine);
+ 
++/*  On IBM Crocodile ipr SAS adapters, expand BAR to system page size */
++static void quirk_extend_bar_to_page(struct pci_dev *dev)
++{
++	int i;
++
++	for (i = 0; i < PCI_STD_RESOURCE_END; i++) {
++		struct resource *r = &dev->resource[i];
++
++		if (r->flags & IORESOURCE_MEM && resource_size(r) < PAGE_SIZE) {
++			r->end = PAGE_SIZE - 1;
++			r->start = 0;
++			r->flags |= IORESOURCE_UNSET;
++			dev_info(&dev->dev, "expanded BAR %d to page size: %pR\n",
++				 i, r);
++		}
++	}
++}
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_IBM, 0x034a, quirk_extend_bar_to_page);
++
+ /*
+  *  S3 868 and 968 chips report region size equal to 32M, but they decode 64M.
+  *  If it's needed, re-allocate the region.
+diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+index 8c6156a..b215f32 100644
+--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+@@ -407,6 +407,7 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
+ 	struct fc_frame_header *fh;
+ 	struct fcoe_rcv_info *fr;
+ 	struct fcoe_percpu_s *bg;
++	struct sk_buff *tmp_skb;
+ 	unsigned short oxid;
+ 
+ 	interface = container_of(ptype, struct bnx2fc_interface,
+@@ -418,6 +419,12 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
+ 		goto err;
+ 	}
+ 
++	tmp_skb = skb_share_check(skb, GFP_ATOMIC);
++	if (!tmp_skb)
++		goto err;
++
++	skb = tmp_skb;
++
+ 	if (unlikely(eth_hdr(skb)->h_proto != htons(ETH_P_FCOE))) {
+ 		printk(KERN_ERR PFX "bnx2fc_rcv: Wrong FC type frame\n");
+ 		goto err;
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 603a2cb..64c8a80 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1126,8 +1126,8 @@ static void complete_scsi_command(struct CommandList *cp)
+ 	scsi_set_resid(cmd, ei->ResidualCnt);
+ 
+ 	if (ei->CommandStatus == 0) {
+-		cmd->scsi_done(cmd);
+ 		cmd_free(h, cp);
++		cmd->scsi_done(cmd);
+ 		return;
+ 	}
+ 
+@@ -1300,8 +1300,8 @@ static void complete_scsi_command(struct CommandList *cp)
+ 		dev_warn(&h->pdev->dev, "cp %p returned unknown status %x\n",
+ 				cp, ei->CommandStatus);
+ 	}
+-	cmd->scsi_done(cmd);
+ 	cmd_free(h, cp);
++	cmd->scsi_done(cmd);
+ }
+ 
+ static int hpsa_scsi_detect(struct ctlr_info *h)
+diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
+index d2f8061..f51234e 100644
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -1665,8 +1665,10 @@ static void scsi_restart_operations(struct Scsi_Host *shost)
+ 	 * is no point trying to lock the door of an off-line device.
+ 	 */
+ 	shost_for_each_device(sdev, shost) {
+-		if (scsi_device_online(sdev) && sdev->locked)
++		if (scsi_device_online(sdev) && sdev->was_reset && sdev->locked) {
+ 			scsi_eh_lock_door(sdev);
++			sdev->was_reset = 0;
++		}
+ 	}
+ 
+ 	/*
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index e743a45..c0ca0ee 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -88,7 +88,13 @@ err_exit:
+ 
+ static void mid_spi_dma_exit(struct dw_spi *dws)
+ {
++	if (!dws->dma_inited)
++		return;
++
++	dmaengine_terminate_all(dws->txchan);
+ 	dma_release_channel(dws->txchan);
++
++	dmaengine_terminate_all(dws->rxchan);
+ 	dma_release_channel(dws->rxchan);
+ }
+ 
+@@ -135,7 +141,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, int cs_change)
+ 	txconf.dst_addr = dws->dma_addr;
+ 	txconf.dst_maxburst = LNW_DMA_MSIZE_16;
+ 	txconf.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+-	txconf.dst_addr_width = DMA_SLAVE_BUSWIDTH_2_BYTES;
++	txconf.dst_addr_width = dws->dma_width;
+ 
+ 	txchan->device->device_control(txchan, DMA_SLAVE_CONFIG,
+ 				       (unsigned long) &txconf);
+@@ -157,7 +163,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, int cs_change)
+ 	rxconf.src_addr = dws->dma_addr;
+ 	rxconf.src_maxburst = LNW_DMA_MSIZE_16;
+ 	rxconf.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+-	rxconf.src_addr_width = DMA_SLAVE_BUSWIDTH_2_BYTES;
++	rxconf.src_addr_width = dws->dma_width;
+ 
+ 	rxchan->device->device_control(rxchan, DMA_SLAVE_CONFIG,
+ 				       (unsigned long) &rxconf);
+diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
+index 082458d..9eddaab 100644
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -400,9 +400,6 @@ static void pump_transfers(unsigned long data)
+ 	chip = dws->cur_chip;
+ 	spi = message->spi;
+ 
+-	if (unlikely(!chip->clk_div))
+-		chip->clk_div = dws->max_freq / chip->speed_hz;
+-
+ 	if (message->state == ERROR_STATE) {
+ 		message->status = -EIO;
+ 		goto early_exit;
+@@ -444,7 +441,7 @@ static void pump_transfers(unsigned long data)
+ 	if (transfer->speed_hz) {
+ 		speed = chip->speed_hz;
+ 
+-		if (transfer->speed_hz != speed) {
++		if ((transfer->speed_hz != speed) || (!chip->clk_div)) {
+ 			speed = transfer->speed_hz;
+ 			if (speed > dws->max_freq) {
+ 				printk(KERN_ERR "MRST SPI0: unsupported"
+@@ -683,7 +680,6 @@ static int dw_spi_setup(struct spi_device *spi)
+ 		dev_err(&spi->dev, "No max speed HZ parameter\n");
+ 		return -EINVAL;
+ 	}
+-	chip->speed_hz = spi->max_speed_hz;
+ 
+ 	chip->tmode = 0; /* Tx & Rx */
+ 	/* Default SPI mode is SCPOL = 0, SCPH = 0 */
+diff --git a/drivers/spi/spi-pl022.c b/drivers/spi/spi-pl022.c
+index 5559b22..62b21ca 100644
+--- a/drivers/spi/spi-pl022.c
++++ b/drivers/spi/spi-pl022.c
+@@ -1078,7 +1078,7 @@ err_rxdesc:
+ 		     pl022->sgt_tx.nents, DMA_TO_DEVICE);
+ err_tx_sgmap:
+ 	dma_unmap_sg(rxchan->device->dev, pl022->sgt_rx.sgl,
+-		     pl022->sgt_tx.nents, DMA_FROM_DEVICE);
++		     pl022->sgt_rx.nents, DMA_FROM_DEVICE);
+ err_rx_sgmap:
+ 	sg_free_table(&pl022->sgt_tx);
+ err_alloc_tx_sg:
+diff --git a/drivers/staging/iio/impedance-analyzer/ad5933.c b/drivers/staging/iio/impedance-analyzer/ad5933.c
+index 1086e0b..b8819de 100644
+--- a/drivers/staging/iio/impedance-analyzer/ad5933.c
++++ b/drivers/staging/iio/impedance-analyzer/ad5933.c
+@@ -112,10 +112,10 @@ static struct iio_chan_spec ad5933_channels[] = {
+ 	IIO_CHAN(IIO_TEMP, 0, 1, 1, NULL, 0, 0, 0,
+ 		 0, AD5933_REG_TEMP_DATA, IIO_ST('s', 14, 16, 0), 0),
+ 	/* Ring Channels */
+-	IIO_CHAN(IIO_VOLTAGE, 0, 1, 0, "real_raw", 0, 0,
++	IIO_CHAN(IIO_VOLTAGE, 0, 1, 0, "real", 0, 0,
+ 		 (1 << IIO_CHAN_INFO_SCALE_SEPARATE),
+ 		 AD5933_REG_REAL_DATA, 0, IIO_ST('s', 16, 16, 0), 0),
+-	IIO_CHAN(IIO_VOLTAGE, 0, 1, 0, "imag_raw", 0, 0,
++	IIO_CHAN(IIO_VOLTAGE, 0, 1, 0, "imag", 0, 0,
+ 		 (1 << IIO_CHAN_INFO_SCALE_SEPARATE),
+ 		 AD5933_REG_IMAG_DATA, 1, IIO_ST('s', 16, 16, 0), 0),
+ };
+diff --git a/drivers/staging/iio/meter/ade7758_core.c b/drivers/staging/iio/meter/ade7758_core.c
+index c5dafbd..5a46d91 100644
+--- a/drivers/staging/iio/meter/ade7758_core.c
++++ b/drivers/staging/iio/meter/ade7758_core.c
+@@ -662,63 +662,63 @@ static const struct attribute_group ade7758_attribute_group = {
+ };
+ 
+ static struct iio_chan_spec ade7758_channels[] = {
+-	IIO_CHAN(IIO_VOLTAGE, 0, 1, 0, "raw", 0, 0,
++	IIO_CHAN(IIO_VOLTAGE, 0, 1, 0, NULL, 0, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_A, AD7758_VOLTAGE),
+ 		0, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_CURRENT, 0, 1, 0, "raw", 0, 0,
++	IIO_CHAN(IIO_CURRENT, 0, 1, 0, NULL, 0, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_A, AD7758_CURRENT),
+ 		1, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_POWER, 0, 1, 0, "apparent_raw", 0, 0,
++	IIO_CHAN(IIO_POWER, 0, 1, 0, "apparent", 0, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_A, AD7758_APP_PWR),
+ 		2, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_POWER, 0, 1, 0, "active_raw", 0, 0,
++	IIO_CHAN(IIO_POWER, 0, 1, 0, "active", 0, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_A, AD7758_ACT_PWR),
+ 		3, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_POWER, 0, 1, 0, "reactive_raw", 0, 0,
++	IIO_CHAN(IIO_POWER, 0, 1, 0, "reactive", 0, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_A, AD7758_REACT_PWR),
+ 		4, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_VOLTAGE, 0, 1, 0, "raw", 1, 0,
++	IIO_CHAN(IIO_VOLTAGE, 0, 1, 0, NULL, 1, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_B, AD7758_VOLTAGE),
+ 		5, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_CURRENT, 0, 1, 0, "raw", 1, 0,
++	IIO_CHAN(IIO_CURRENT, 0, 1, 0, NULL, 1, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_B, AD7758_CURRENT),
+ 		6, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_POWER, 0, 1, 0, "apparent_raw", 1, 0,
++	IIO_CHAN(IIO_POWER, 0, 1, 0, "apparent", 1, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_B, AD7758_APP_PWR),
+ 		7, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_POWER, 0, 1, 0, "active_raw", 1, 0,
++	IIO_CHAN(IIO_POWER, 0, 1, 0, "active", 1, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_B, AD7758_ACT_PWR),
+ 		8, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_POWER, 0, 1, 0, "reactive_raw", 1, 0,
++	IIO_CHAN(IIO_POWER, 0, 1, 0, "reactive", 1, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_B, AD7758_REACT_PWR),
+ 		9, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_VOLTAGE, 0, 1, 0, "raw", 2, 0,
++	IIO_CHAN(IIO_VOLTAGE, 0, 1, 0, NULL, 2, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_C, AD7758_VOLTAGE),
+ 		10, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_CURRENT, 0, 1, 0, "raw", 2, 0,
++	IIO_CHAN(IIO_CURRENT, 0, 1, 0, NULL, 2, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_C, AD7758_CURRENT),
+ 		11, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_POWER, 0, 1, 0, "apparent_raw", 2, 0,
++	IIO_CHAN(IIO_POWER, 0, 1, 0, "apparent", 2, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_C, AD7758_APP_PWR),
+ 		12, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_POWER, 0, 1, 0, "active_raw", 2, 0,
++	IIO_CHAN(IIO_POWER, 0, 1, 0, "active", 2, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_C, AD7758_ACT_PWR),
+ 		13, IIO_ST('s', 24, 32, 0), 0),
+-	IIO_CHAN(IIO_POWER, 0, 1, 0, "reactive_raw", 2, 0,
++	IIO_CHAN(IIO_POWER, 0, 1, 0, "reactive", 2, 0,
+ 		(1 << IIO_CHAN_INFO_SCALE_SHARED),
+ 		AD7758_WT(AD7758_PHASE_C, AD7758_REACT_PWR),
+ 		14, IIO_ST('s', 24, 32, 0), 0),
+diff --git a/drivers/staging/iio/sysfs.h b/drivers/staging/iio/sysfs.h
+index 868952b..afcec4f 100644
+--- a/drivers/staging/iio/sysfs.h
++++ b/drivers/staging/iio/sysfs.h
+@@ -147,7 +147,7 @@ enum iio_event_direction {
+ 
+ #define IIO_EVENT_CODE_EXTRACT_TYPE(mask) ((mask >> 56) & 0xFF)
+ 
+-#define IIO_EVENT_CODE_EXTRACT_DIR(mask) ((mask >> 48) & 0xCF)
++#define IIO_EVENT_CODE_EXTRACT_DIR(mask) ((mask >> 48) & 0x7F)
+ 
+ #define IIO_EVENT_CODE_EXTRACT_CHAN_TYPE(mask) ((mask >> 32) & 0xFF)
+ 
+diff --git a/drivers/staging/mei/init.c b/drivers/staging/mei/init.c
+index 8bf3479..a78e63b 100644
+--- a/drivers/staging/mei/init.c
++++ b/drivers/staging/mei/init.c
+@@ -132,6 +132,7 @@ struct mei_device *mei_device_init(struct pci_dev *pdev)
+ 	init_waitqueue_head(&dev->wait_recvd_msg);
+ 	init_waitqueue_head(&dev->wait_stop_wd);
+ 	dev->mei_state = MEI_INITIALIZING;
++	dev->reset_count = 0;
+ 	dev->iamthif_state = MEI_IAMTHIF_IDLE;
+ 	dev->wd_interface_reg = false;
+ 
+@@ -290,6 +291,14 @@ void mei_reset(struct mei_device *dev, int interrupts_enabled)
+ 
+ 	dev->need_reset = false;
+ 
++	dev->reset_count++;
++	if (dev->reset_count > MEI_MAX_CONSEC_RESET) {
++		dev_err(&dev->pdev->dev, "reset: reached maximal consecutive resets: disabling the device\n");
++		dev->mei_state = MEI_DISABLED;
++		return;
++	}
++
++
+ 	if (dev->mei_state != MEI_INITIALIZING) {
+ 		if (dev->mei_state != MEI_DISABLED &&
+ 		    dev->mei_state != MEI_POWER_DOWN)
+diff --git a/drivers/staging/mei/interrupt.c b/drivers/staging/mei/interrupt.c
+index 882d106..42b7c9a 100644
+--- a/drivers/staging/mei/interrupt.c
++++ b/drivers/staging/mei/interrupt.c
+@@ -770,6 +770,7 @@ static void mei_irq_thread_read_bus_message(struct mei_device *dev,
+ 					 */
+ 					bitmap_set(dev->host_clients_map, 0, 3);
+ 					dev->mei_state = MEI_ENABLED;
++					dev->reset_count = 0;
+ 
+ 					/* if wd initialization fails, initialization the AMTHI client,
+ 					 * otherwise the AMTHI client will be initialized after the WD client connect response
+@@ -1527,7 +1528,8 @@ void mei_timer(struct work_struct *work)
+ 		}
+ 	}
+ out:
+-	 schedule_delayed_work(&dev->timer_work, 2 * HZ);
++	 if (dev->mei_state != MEI_DISABLED)
++		schedule_delayed_work(&dev->timer_work, 2 * HZ);
+ 	 mutex_unlock(&dev->device_lock);
+ }
+ 
+diff --git a/drivers/staging/mei/main.c b/drivers/staging/mei/main.c
+index eb05c36..44ed7a8 100644
+--- a/drivers/staging/mei/main.c
++++ b/drivers/staging/mei/main.c
+@@ -106,6 +106,27 @@ MODULE_DEVICE_TABLE(pci, mei_pci_tbl);
+ static DEFINE_MUTEX(mei_mutex);
+ 
+ /**
++ * mei_quirk_probe - probe for devices that doesn't valid ME interface
++ * @pdev: PCI device structure
++ * @ent: entry into pci_device_table
++ *
++ * returns true if ME Interface is valid, false otherwise
++ */
++static bool __devinit mei_quirk_probe(struct pci_dev *pdev,
++				const struct pci_device_id *ent)
++{
++	u32 reg;
++	if (ent->device == MEI_DEV_ID_PBG_1) {
++		pci_read_config_dword(pdev, 0x48, &reg);
++		/* make sure that bit 9 is up and bit 10 is down */
++		if ((reg & 0x600) == 0x200) {
++			dev_info(&pdev->dev, "Device doesn't have valid ME Interface\n");
++			return false;
++		}
++	}
++	return true;
++}
++/**
+  * mei_probe - Device Initialization Routine
+  *
+  * @pdev: PCI device structure
+@@ -120,6 +141,12 @@ static int __devinit mei_probe(struct pci_dev *pdev,
+ 	int err;
+ 
+ 	mutex_lock(&mei_mutex);
++
++	if (!mei_quirk_probe(pdev, ent)) {
++		err = -ENODEV;
++		goto end;
++	}
++
+ 	if (mei_device) {
+ 		err = -EEXIST;
+ 		goto end;
+diff --git a/drivers/staging/mei/mei_dev.h b/drivers/staging/mei/mei_dev.h
+index af4b1af..264bf23 100644
+--- a/drivers/staging/mei/mei_dev.h
++++ b/drivers/staging/mei/mei_dev.h
+@@ -64,6 +64,11 @@ extern const uuid_le mei_wd_guid;
+ extern const u8 mei_wd_state_independence_msg[3][4];
+ 
+ /*
++ * maximum number of consecutive resets
++ */
++#define MEI_MAX_CONSEC_RESET  3
++
++/*
+  * Number of File descriptors/handles
+  * that can be opened to the driver.
+  *
+@@ -178,7 +183,11 @@ struct mei_io_list {
+ 	int status;
+ };
+ 
+-/* MEI private device struct */
++/**
++ * mei_device - MEI private device struct
++ *
++ * @reset_count - limits the number of consecutive resets
++ */
+ struct mei_device {
+ 	struct pci_dev *pdev;	/* pointer to pci device struct */
+ 	/*
+@@ -225,6 +234,7 @@ struct mei_device {
+ 	/*
+ 	 * mei device  states
+ 	 */
++	unsigned long reset_count;
+ 	enum mei_states mei_state;
+ 	enum mei_init_clients_states init_clients_state;
+ 	u16 init_clients_timer;
+diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
+index 898c1de..be1218f 100644
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -3147,8 +3147,7 @@ static void transport_complete_qf(struct se_cmd *cmd)
+ 
+ 	if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) {
+ 		ret = cmd->se_tfo->queue_status(cmd);
+-		if (ret)
+-			goto out;
++		goto out;
+ 	}
+ 
+ 	switch (cmd->data_direction) {
+diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
+index d7162a2..145817c 100644
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -360,7 +360,7 @@ uart_get_baud_rate(struct uart_port *port, struct ktermios *termios,
+ 		 * The spd_hi, spd_vhi, spd_shi, spd_warp kludge...
+ 		 * Die! Die! Die!
+ 		 */
+-		if (baud == 38400)
++		if (try == 0 && baud == 38400)
+ 			baud = altbaud;
+ 
+ 		/*
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 446df6b..613f06a 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1594,6 +1594,7 @@ int tty_release(struct inode *inode, struct file *filp)
+ 	int	devpts;
+ 	int	idx;
+ 	char	buf[64];
++	long	timeout = 0;
+ 
+ 	if (tty_paranoia_check(tty, inode, "tty_release_dev"))
+ 		return 0;
+@@ -1721,7 +1722,11 @@ int tty_release(struct inode *inode, struct file *filp)
+ 				    "active!\n", tty_name(tty, buf));
+ 		tty_unlock();
+ 		mutex_unlock(&tty_mutex);
+-		schedule();
++		schedule_timeout_killable(timeout);
++		if (timeout < 120 * HZ)
++			timeout = 2 * timeout + 1;
++		else
++			timeout = MAX_SCHEDULE_TIMEOUT;
+ 	}
+ 
+ 	/*
+diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c
+index f343808..fb95acc 100644
+--- a/drivers/tty/vt/consolemap.c
++++ b/drivers/tty/vt/consolemap.c
+@@ -518,6 +518,8 @@ int con_set_unimap(struct vc_data *vc, ushort ct, struct unipair __user *list)
+ 
+ 	/* Save original vc_unipagdir_loc in case we allocate a new one */
+ 	p = (struct uni_pagedir *)*vc->vc_uni_pagedir_loc;
++	if (!p)
++		return -EINVAL;
+ 	if (p->readonly) return -EIO;
+ 	
+ 	if (!ct) return 0;
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 29e76be..6647081 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -819,11 +819,12 @@ static void acm_tty_set_termios(struct tty_struct *tty,
+ 	/* FIXME: Needs to clear unsupported bits in the termios */
+ 	acm->clocal = ((termios->c_cflag & CLOCAL) != 0);
+ 
+-	if (!newline.dwDTERate) {
++	if (C_BAUD(tty) == B0) {
+ 		newline.dwDTERate = acm->line.dwDTERate;
+ 		newctrl &= ~ACM_CTRL_DTR;
+-	} else
++	} else if (termios_old && (termios_old->c_cflag & CBAUD) == B0) {
+ 		newctrl |=  ACM_CTRL_DTR;
++	}
+ 
+ 	if (newctrl != acm->ctrlout)
+ 		acm_set_control(acm, acm->ctrlout = newctrl);
+@@ -1509,6 +1510,7 @@ static const struct usb_device_id acm_ids[] = {
+ 	{ USB_DEVICE(0x0572, 0x1328), /* Shiro / Aztech USB MODEM UM-3100 */
+ 	.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ 	},
++	{ USB_DEVICE(0x2184, 0x001c) },	/* GW Instek AFG-2225 */
+ 	{ USB_DEVICE(0x22b8, 0x6425), /* Motorola MOTOMAGX phones */
+ 	},
+ 	/* Motorola H24 HSPA module: */
+diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
+index 032e5a6..c0ee52a 100644
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -1896,6 +1896,8 @@ int usb_alloc_streams(struct usb_interface *interface,
+ 		return -EINVAL;
+ 	if (dev->speed != USB_SPEED_SUPER)
+ 		return -EINVAL;
++	if (dev->state < USB_STATE_CONFIGURED)
++		return -ENODEV;
+ 
+ 	/* Streams only apply to bulk endpoints. */
+ 	for (i = 0; i < num_eps; i++)
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 10aec1a..18286ce 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1633,8 +1633,10 @@ void usb_set_device_state(struct usb_device *udev,
+ 					|| new_state == USB_STATE_SUSPENDED)
+ 				;	/* No change to wakeup settings */
+ 			else if (new_state == USB_STATE_CONFIGURED)
+-				wakeup = udev->actconfig->desc.bmAttributes
+-					 & USB_CONFIG_ATT_WAKEUP;
++				wakeup = (udev->quirks &
++					USB_QUIRK_IGNORE_REMOTE_WAKEUP) ? 0 :
++					udev->actconfig->desc.bmAttributes &
++					USB_CONFIG_ATT_WAKEUP;
+ 			else
+ 				wakeup = 0;
+ 		}
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index 3677d22..3dbb18c 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -43,6 +43,9 @@ static const struct usb_device_id usb_quirk_list[] = {
+ 	/* Creative SB Audigy 2 NX */
+ 	{ USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
+ 
++	/* Microsoft Wireless Laser Mouse 6000 Receiver */
++	{ USB_DEVICE(0x045e, 0x00e1), .driver_info = USB_QUIRK_RESET_RESUME },
++
+ 	/* Microsoft LifeCam-VX700 v2.0 */
+ 	{ USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME },
+ 
+@@ -154,6 +157,13 @@ static const struct usb_device_id usb_quirk_list[] = {
+ 	/* INTEL VALUE SSD */
+ 	{ USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
+ 
++	/* USB3503 */
++	{ USB_DEVICE(0x0424, 0x3503), .driver_info = USB_QUIRK_RESET_RESUME },
++
++	/* ASUS Base Station(T100) */
++	{ USB_DEVICE(0x0b05, 0x17e0), .driver_info =
++			USB_QUIRK_IGNORE_REMOTE_WAKEUP },
++
+ 	{ }  /* terminating entry must be last */
+ };
+ 
+diff --git a/drivers/usb/gadget/udc-core.c b/drivers/usb/gadget/udc-core.c
+index d433fdf..087d402 100644
+--- a/drivers/usb/gadget/udc-core.c
++++ b/drivers/usb/gadget/udc-core.c
+@@ -358,6 +358,11 @@ static ssize_t usb_udc_softconn_store(struct device *dev,
+ {
+ 	struct usb_udc		*udc = container_of(dev, struct usb_udc, dev);
+ 
++	if (!udc->driver) {
++		dev_err(dev, "soft-connect without a gadget driver\n");
++		return -EOPNOTSUPP;
++	}
++
+ 	if (sysfs_streq(buf, "connect")) {
+ 		if (udc_is_newstyle(udc))
+ 			usb_gadget_udc_start(udc->gadget, udc->driver);
+diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
+index a3b569f..a8bbeed 100644
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -21,7 +21,6 @@
+  */
+ 
+ #include <linux/gfp.h>
+-#include <linux/device.h>
+ #include <asm/unaligned.h>
+ 
+ #include "xhci.h"
+@@ -996,9 +995,7 @@ int xhci_bus_suspend(struct usb_hcd *hcd)
+ 			t2 |= PORT_LINK_STROBE | XDEV_U3;
+ 			set_bit(port_index, &bus_state->bus_suspended);
+ 		}
+-		if (hcd->self.root_hub->do_remote_wakeup
+-				&& device_may_wakeup(hcd->self.controller)) {
+-
++		if (hcd->self.root_hub->do_remote_wakeup) {
+ 			if (t1 & PORT_CONNECT) {
+ 				t2 |= PORT_WKOC_E | PORT_WKDISC_E;
+ 				t2 &= ~PORT_WKCONN_E;
+diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
+index e9ce957..a464dbc 100644
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -118,20 +118,6 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
+ 		xhci->quirks |= XHCI_SPURIOUS_REBOOT;
+ 		xhci->quirks |= XHCI_AVOID_BEI;
+ 	}
+-	if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+-	    (pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_XHCI ||
+-	     pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI)) {
+-		/* Workaround for occasional spurious wakeups from S5 (or
+-		 * any other sleep) on Haswell machines with LPT and LPT-LP
+-		 * with the new Intel BIOS
+-		 */
+-		/* Limit the quirk to only known vendors, as this triggers
+-		 * yet another BIOS bug on some other machines
+-		 * https://bugzilla.kernel.org/show_bug.cgi?id=66171
+-		 */
+-		if (pdev->subsystem_vendor == PCI_VENDOR_ID_HP)
+-			xhci->quirks |= XHCI_SPURIOUS_WAKEUP;
+-	}
+ 	if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
+ 			pdev->device == PCI_DEVICE_ID_ASROCK_P67) {
+ 		xhci->quirks |= XHCI_RESET_ON_RESUME;
+@@ -249,7 +235,7 @@ static int xhci_pci_suspend(struct usb_hcd *hcd, bool do_wakeup)
+ 			xhci->shared_hcd->state != HC_STATE_SUSPENDED)
+ 		return -EINVAL;
+ 
+-	retval = xhci_suspend(xhci);
++	retval = xhci_suspend(xhci, do_wakeup);
+ 
+ 	return retval;
+ }
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index 4b6abb6..3755274 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1164,9 +1164,8 @@ static void handle_reset_ep_completion(struct xhci_hcd *xhci,
+ 				false);
+ 		xhci_ring_cmd_db(xhci);
+ 	} else {
+-		/* Clear our internal halted state and restart the ring(s) */
++		/* Clear our internal halted state */
+ 		xhci->devs[slot_id]->eps[ep_index].ep_state &= ~EP_HALTED;
+-		ring_doorbell_for_active_rings(xhci, slot_id, ep_index);
+ 	}
+ }
+ 
+@@ -1845,22 +1844,13 @@ static int finish_td(struct xhci_hcd *xhci, struct xhci_td *td,
+ 		ep->stopped_td = td;
+ 		return 0;
+ 	} else {
+-		if (trb_comp_code == COMP_STALL) {
+-			/* The transfer is completed from the driver's
+-			 * perspective, but we need to issue a set dequeue
+-			 * command for this stalled endpoint to move the dequeue
+-			 * pointer past the TD.  We can't do that here because
+-			 * the halt condition must be cleared first.  Let the
+-			 * USB class driver clear the stall later.
+-			 */
+-			ep->stopped_td = td;
+-			ep->stopped_stream = ep_ring->stream_id;
+-		} else if (xhci_requires_manual_halt_cleanup(xhci,
+-					ep_ctx, trb_comp_code)) {
+-			/* Other types of errors halt the endpoint, but the
+-			 * class driver doesn't call usb_reset_endpoint() unless
+-			 * the error is -EPIPE.  Clear the halted status in the
+-			 * xHCI hardware manually.
++		if (trb_comp_code == COMP_STALL ||
++		    xhci_requires_manual_halt_cleanup(xhci, ep_ctx,
++						      trb_comp_code)) {
++			/* Issue a reset endpoint command to clear the host side
++			 * halt, followed by a set dequeue command to move the
++			 * dequeue pointer past the TD.
++			 * The class driver clears the device side halt later.
+ 			 */
+ 			xhci_cleanup_halted_endpoint(xhci,
+ 					slot_id, ep_index, ep_ring->stream_id,
+@@ -1981,9 +1971,7 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
+ 		else
+ 			td->urb->actual_length = 0;
+ 
+-		xhci_cleanup_halted_endpoint(xhci,
+-			slot_id, ep_index, 0, td, event_trb);
+-		return finish_td(xhci, td, event_trb, event, ep, status, true);
++		return finish_td(xhci, td, event_trb, event, ep, status, false);
+ 	}
+ 	/*
+ 	 * Did we transfer any data, despite the errors that might have
+@@ -2515,17 +2503,8 @@ cleanup:
+ 		if (ret) {
+ 			urb = td->urb;
+ 			urb_priv = urb->hcpriv;
+-			/* Leave the TD around for the reset endpoint function
+-			 * to use(but only if it's not a control endpoint,
+-			 * since we already queued the Set TR dequeue pointer
+-			 * command for stalled control endpoints).
+-			 */
+-			if (usb_endpoint_xfer_control(&urb->ep->desc) ||
+-				(trb_comp_code != COMP_STALL &&
+-					trb_comp_code != COMP_BABBLE))
+-				xhci_urb_free_priv(xhci, urb_priv);
+-			else
+-				kfree(urb_priv);
++
++			xhci_urb_free_priv(xhci, urb_priv);
+ 
+ 			usb_hcd_unlink_urb_from_ep(bus_to_hcd(urb->dev->bus), urb);
+ 			if ((urb->actual_length != urb->transfer_buffer_length &&
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 4cc1804..5c535a8 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -33,6 +33,8 @@
+ #define DRIVER_AUTHOR "Sarah Sharp"
+ #define DRIVER_DESC "'eXtensible' Host Controller (xHC) Driver"
+ 
++#define	PORT_WAKE_BITS	(PORT_WKOC_E | PORT_WKDISC_E | PORT_WKCONN_E)
++
+ /* Some 0.95 hardware can't handle the chain bit on a Link TRB being cleared */
+ static int link_quirk;
+ module_param(link_quirk, int, S_IRUGO | S_IWUSR);
+@@ -867,19 +869,57 @@ static void xhci_clear_command_ring(struct xhci_hcd *xhci)
+ 	xhci_set_cmd_ring_deq(xhci);
+ }
+ 
++static void xhci_disable_port_wake_on_bits(struct xhci_hcd *xhci)
++{
++	int port_index;
++	__le32 __iomem **port_array;
++	unsigned long flags;
++	u32 t1, t2;
++
++	spin_lock_irqsave(&xhci->lock, flags);
++
++	/* disble usb3 ports Wake bits*/
++	port_index = xhci->num_usb3_ports;
++	port_array = xhci->usb3_ports;
++	while (port_index--) {
++		t1 = readl(port_array[port_index]);
++		t1 = xhci_port_state_to_neutral(t1);
++		t2 = t1 & ~PORT_WAKE_BITS;
++		if (t1 != t2)
++			writel(t2, port_array[port_index]);
++	}
++
++	/* disble usb2 ports Wake bits*/
++	port_index = xhci->num_usb2_ports;
++	port_array = xhci->usb2_ports;
++	while (port_index--) {
++		t1 = readl(port_array[port_index]);
++		t1 = xhci_port_state_to_neutral(t1);
++		t2 = t1 & ~PORT_WAKE_BITS;
++		if (t1 != t2)
++			writel(t2, port_array[port_index]);
++	}
++
++	spin_unlock_irqrestore(&xhci->lock, flags);
++}
++
+ /*
+  * Stop HC (not bus-specific)
+  *
+  * This is called when the machine transition into S3/S4 mode.
+  *
+  */
+-int xhci_suspend(struct xhci_hcd *xhci)
++int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup)
+ {
+ 	int			rc = 0;
+ 	unsigned int		delay = XHCI_MAX_HALT_USEC;
+ 	struct usb_hcd		*hcd = xhci_to_hcd(xhci);
+ 	u32			command;
+ 
++	/* Clear root port wake on bits if wakeup not allowed. */
++	if (!do_wakeup)
++		xhci_disable_port_wake_on_bits(xhci);
++
+ 	/* Don't poll the roothubs on bus suspend. */
+ 	xhci_dbg(xhci, "%s: stopping port polling.\n", __func__);
+ 	clear_bit(HCD_FLAG_POLL_RH, &hcd->flags);
+@@ -2842,60 +2882,33 @@ void xhci_cleanup_stalled_ring(struct xhci_hcd *xhci,
+ 	}
+ }
+ 
+-/* Deal with stalled endpoints.  The core should have sent the control message
+- * to clear the halt condition.  However, we need to make the xHCI hardware
+- * reset its sequence number, since a device will expect a sequence number of
+- * zero after the halt condition is cleared.
++/* Called when clearing halted device. The core should have sent the control
++ * message to clear the device halt condition. The host side of the halt should
++ * already be cleared with a reset endpoint command issued when the STALL tx
++ * event was received.
++ *
+  * Context: in_interrupt
+  */
++
+ void xhci_endpoint_reset(struct usb_hcd *hcd,
+ 		struct usb_host_endpoint *ep)
+ {
+ 	struct xhci_hcd *xhci;
+-	struct usb_device *udev;
+-	unsigned int ep_index;
+-	unsigned long flags;
+-	int ret;
+-	struct xhci_virt_ep *virt_ep;
+ 
+ 	xhci = hcd_to_xhci(hcd);
+-	udev = (struct usb_device *) ep->hcpriv;
+-	/* Called with a root hub endpoint (or an endpoint that wasn't added
+-	 * with xhci_add_endpoint()
+-	 */
+-	if (!ep->hcpriv)
+-		return;
+-	ep_index = xhci_get_endpoint_index(&ep->desc);
+-	virt_ep = &xhci->devs[udev->slot_id]->eps[ep_index];
+-	if (!virt_ep->stopped_td) {
+-		xhci_dbg(xhci, "Endpoint 0x%x not halted, refusing to reset.\n",
+-				ep->desc.bEndpointAddress);
+-		return;
+-	}
+-	if (usb_endpoint_xfer_control(&ep->desc)) {
+-		xhci_dbg(xhci, "Control endpoint stall already handled.\n");
+-		return;
+-	}
+ 
+-	xhci_dbg(xhci, "Queueing reset endpoint command\n");
+-	spin_lock_irqsave(&xhci->lock, flags);
+-	ret = xhci_queue_reset_ep(xhci, udev->slot_id, ep_index);
+ 	/*
+-	 * Can't change the ring dequeue pointer until it's transitioned to the
+-	 * stopped state, which is only upon a successful reset endpoint
+-	 * command.  Better hope that last command worked!
++	 * We might need to implement the config ep cmd in xhci 4.8.1 note:
++	 * The Reset Endpoint Command may only be issued to endpoints in the
++	 * Halted state. If software wishes reset the Data Toggle or Sequence
++	 * Number of an endpoint that isn't in the Halted state, then software
++	 * may issue a Configure Endpoint Command with the Drop and Add bits set
++	 * for the target endpoint. that is in the Stopped state.
+ 	 */
+-	if (!ret) {
+-		xhci_cleanup_stalled_ring(xhci, udev, ep_index);
+-		kfree(virt_ep->stopped_td);
+-		xhci_ring_cmd_db(xhci);
+-	}
+-	virt_ep->stopped_td = NULL;
+-	virt_ep->stopped_stream = 0;
+-	spin_unlock_irqrestore(&xhci->lock, flags);
+ 
+-	if (ret)
+-		xhci_warn(xhci, "FIXME allocate a new ring segment\n");
++	/* For now just print debug to follow the situation */
++	xhci_dbg(xhci, "Endpoint 0x%x ep reset callback called\n",
++		 ep->desc.bEndpointAddress);
+ }
+ 
+ static int xhci_check_streams_endpoint(struct xhci_hcd *xhci,
+diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
+index 1bc91c8..2090a03 100644
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1698,7 +1698,7 @@ void xhci_shutdown(struct usb_hcd *hcd);
+ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks);
+ 
+ #ifdef	CONFIG_PM
+-int xhci_suspend(struct xhci_hcd *xhci);
++int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup);
+ int xhci_resume(struct xhci_hcd *xhci, bool hibernated);
+ #else
+ #define	xhci_suspend	NULL
+diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
+index 3de63f5..da92d2d 100644
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -126,8 +126,10 @@ static const struct usb_device_id id_table[] = {
+ 	{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
+ 	{ USB_DEVICE(0x10C4, 0x8664) }, /* AC-Services CAN-IF */
+ 	{ USB_DEVICE(0x10C4, 0x8665) }, /* AC-Services OBD-IF */
++	{ USB_DEVICE(0x10C4, 0x8875) }, /* CEL MeshConnect USB Stick */
+ 	{ USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
+ 	{ USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
++	{ USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
+ 	{ USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
+ 	{ USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
+ 	{ USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
+@@ -160,7 +162,9 @@ static const struct usb_device_id id_table[] = {
+ 	{ USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
+ 	{ USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
+ 	{ USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
++	{ USB_DEVICE(0x1BA4, 0x0002) },	/* Silicon Labs 358x factory default */
+ 	{ USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */
++	{ USB_DEVICE(0x1D6F, 0x0010) }, /* Seluxit ApS RF Dongle */
+ 	{ USB_DEVICE(0x1E29, 0x0102) }, /* Festo CPX-USB */
+ 	{ USB_DEVICE(0x1E29, 0x0501) }, /* Festo CMSP */
+ 	{ USB_DEVICE(0x1FB9, 0x0100) }, /* Lake Shore Model 121 Current Source */
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 8fe5c13..f6a6205 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -156,6 +156,7 @@ static struct ftdi_sio_quirk ftdi_8u2232c_quirk = {
+  * /sys/bus/usb/ftdi_sio/new_id, then send patch/report!
+  */
+ static struct usb_device_id id_table_combined [] = {
++	{ USB_DEVICE(FTDI_VID, FTDI_BRICK_PID) },
+ 	{ USB_DEVICE(FTDI_VID, FTDI_ZEITCONTROL_TAGTRACE_MIFARE_PID) },
+ 	{ USB_DEVICE(FTDI_VID, FTDI_CTI_MINI_PID) },
+ 	{ USB_DEVICE(FTDI_VID, FTDI_CTI_NANO_PID) },
+@@ -493,6 +494,39 @@ static struct usb_device_id id_table_combined [] = {
+ 	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_01FD_PID) },
+ 	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_01FE_PID) },
+ 	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_01FF_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_4701_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9300_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9301_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9302_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9303_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9304_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9305_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9306_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9307_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9308_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9309_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_930A_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_930B_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_930C_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_930D_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_930E_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_930F_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9310_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9311_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9312_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9313_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9314_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9315_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9316_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9317_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9318_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_9319_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_931A_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_931B_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_931C_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_931D_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_931E_PID) },
++	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_931F_PID) },
+ 	{ USB_DEVICE(FTDI_VID, FTDI_PERLE_ULTRAPORT_PID) },
+ 	{ USB_DEVICE(FTDI_VID, FTDI_PIEGROUP_PID) },
+ 	{ USB_DEVICE(FTDI_VID, FTDI_TNC_X_PID) },
+@@ -685,6 +719,8 @@ static struct usb_device_id id_table_combined [] = {
+ 	{ USB_DEVICE(FTDI_VID, XSENS_CONVERTER_5_PID) },
+ 	{ USB_DEVICE(FTDI_VID, XSENS_CONVERTER_6_PID) },
+ 	{ USB_DEVICE(FTDI_VID, XSENS_CONVERTER_7_PID) },
++	{ USB_DEVICE(XSENS_VID, XSENS_AWINDA_DONGLE_PID) },
++	{ USB_DEVICE(XSENS_VID, XSENS_AWINDA_STATION_PID) },
+ 	{ USB_DEVICE(XSENS_VID, XSENS_CONVERTER_PID) },
+ 	{ USB_DEVICE(XSENS_VID, XSENS_MTW_PID) },
+ 	{ USB_DEVICE(FTDI_VID, FTDI_OMNI1509) },
+diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
+index bd509de..5735fb7 100644
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -30,6 +30,12 @@
+ 
+ /*** third-party PIDs (using FTDI_VID) ***/
+ 
++/*
++ * Certain versions of the official Windows FTDI driver reprogrammed
++ * counterfeit FTDI devices to PID 0. Support these devices anyway.
++ */
++#define FTDI_BRICK_PID		0x0000
++
+ #define FTDI_LUMEL_PD12_PID	0x6002
+ 
+ /*
+@@ -143,8 +149,12 @@
+  * Xsens Technologies BV products (http://www.xsens.com).
+  */
+ #define XSENS_VID		0x2639
+-#define XSENS_CONVERTER_PID	0xD00D	/* Xsens USB-serial converter */
++#define XSENS_AWINDA_STATION_PID 0x0101
++#define XSENS_AWINDA_DONGLE_PID 0x0102
+ #define XSENS_MTW_PID		0x0200	/* Xsens MTw */
++#define XSENS_CONVERTER_PID	0xD00D	/* Xsens USB-serial converter */
++
++/* Xsens devices using FTDI VID */
+ #define XSENS_CONVERTER_0_PID	0xD388	/* Xsens USB converter */
+ #define XSENS_CONVERTER_1_PID	0xD389	/* Xsens Wireless Receiver */
+ #define XSENS_CONVERTER_2_PID	0xD38A
+@@ -910,8 +920,8 @@
+ #define BAYER_CONTOUR_CABLE_PID        0x6001
+ 
+ /*
+- * The following are the values for the Matrix Orbital FTDI Range
+- * Anything in this range will use an FT232RL.
++ * Matrix Orbital Intelligent USB displays.
++ * http://www.matrixorbital.com
+  */
+ #define MTXORB_VID			0x1B3D
+ #define MTXORB_FTDI_RANGE_0100_PID	0x0100
+@@ -1170,8 +1180,39 @@
+ #define MTXORB_FTDI_RANGE_01FD_PID	0x01FD
+ #define MTXORB_FTDI_RANGE_01FE_PID	0x01FE
+ #define MTXORB_FTDI_RANGE_01FF_PID	0x01FF
+-
+-
++#define MTXORB_FTDI_RANGE_4701_PID	0x4701
++#define MTXORB_FTDI_RANGE_9300_PID	0x9300
++#define MTXORB_FTDI_RANGE_9301_PID	0x9301
++#define MTXORB_FTDI_RANGE_9302_PID	0x9302
++#define MTXORB_FTDI_RANGE_9303_PID	0x9303
++#define MTXORB_FTDI_RANGE_9304_PID	0x9304
++#define MTXORB_FTDI_RANGE_9305_PID	0x9305
++#define MTXORB_FTDI_RANGE_9306_PID	0x9306
++#define MTXORB_FTDI_RANGE_9307_PID	0x9307
++#define MTXORB_FTDI_RANGE_9308_PID	0x9308
++#define MTXORB_FTDI_RANGE_9309_PID	0x9309
++#define MTXORB_FTDI_RANGE_930A_PID	0x930A
++#define MTXORB_FTDI_RANGE_930B_PID	0x930B
++#define MTXORB_FTDI_RANGE_930C_PID	0x930C
++#define MTXORB_FTDI_RANGE_930D_PID	0x930D
++#define MTXORB_FTDI_RANGE_930E_PID	0x930E
++#define MTXORB_FTDI_RANGE_930F_PID	0x930F
++#define MTXORB_FTDI_RANGE_9310_PID	0x9310
++#define MTXORB_FTDI_RANGE_9311_PID	0x9311
++#define MTXORB_FTDI_RANGE_9312_PID	0x9312
++#define MTXORB_FTDI_RANGE_9313_PID	0x9313
++#define MTXORB_FTDI_RANGE_9314_PID	0x9314
++#define MTXORB_FTDI_RANGE_9315_PID	0x9315
++#define MTXORB_FTDI_RANGE_9316_PID	0x9316
++#define MTXORB_FTDI_RANGE_9317_PID	0x9317
++#define MTXORB_FTDI_RANGE_9318_PID	0x9318
++#define MTXORB_FTDI_RANGE_9319_PID	0x9319
++#define MTXORB_FTDI_RANGE_931A_PID	0x931A
++#define MTXORB_FTDI_RANGE_931B_PID	0x931B
++#define MTXORB_FTDI_RANGE_931C_PID	0x931C
++#define MTXORB_FTDI_RANGE_931D_PID	0x931D
++#define MTXORB_FTDI_RANGE_931E_PID	0x931E
++#define MTXORB_FTDI_RANGE_931F_PID	0x931F
+ 
+ /*
+  * The Mobility Lab (TML)
+diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
+index b668069..e9b39e3 100644
+--- a/drivers/usb/serial/keyspan.c
++++ b/drivers/usb/serial/keyspan.c
+@@ -437,24 +437,28 @@ static void	usa26_indat_callback(struct urb *urb)
+ 		if ((data[0] & 0x80) == 0) {
+ 			/* no errors on individual bytes, only
+ 			   possible overrun err */
+-			if (data[0] & RXERROR_OVERRUN)
+-				err = TTY_OVERRUN;
+-			else
+-				err = 0;
++			if (data[0] & RXERROR_OVERRUN) {
++				tty_insert_flip_char(tty, 0, TTY_OVERRUN);
++			}
+ 			for (i = 1; i < urb->actual_length ; ++i)
+-				tty_insert_flip_char(tty, data[i], err);
++				tty_insert_flip_char(tty, data[i], TTY_NORMAL);
+ 		} else {
+ 			/* some bytes had errors, every byte has status */
+ 			dbg("%s - RX error!!!!", __func__);
+ 			for (i = 0; i + 1 < urb->actual_length; i += 2) {
+-				int stat = data[i], flag = 0;
+-				if (stat & RXERROR_OVERRUN)
+-					flag |= TTY_OVERRUN;
+-				if (stat & RXERROR_FRAMING)
+-					flag |= TTY_FRAME;
+-				if (stat & RXERROR_PARITY)
+-					flag |= TTY_PARITY;
++				int stat = data[i];
++				int flag = TTY_NORMAL;
++
++				if (stat & RXERROR_OVERRUN) {
++					tty_insert_flip_char(tty, 0,
++								TTY_OVERRUN);
++				}
+ 				/* XXX should handle break (0x10) */
++				if (stat & RXERROR_PARITY)
++					flag = TTY_PARITY;
++				else if (stat & RXERROR_FRAMING)
++					flag = TTY_FRAME;
++
+ 				tty_insert_flip_char(tty, data[i+1], flag);
+ 			}
+ 		}
+@@ -832,14 +836,19 @@ static void	usa49_indat_callback(struct urb *urb)
+ 		} else {
+ 			/* some bytes had errors, every byte has status */
+ 			for (i = 0; i + 1 < urb->actual_length; i += 2) {
+-				int stat = data[i], flag = 0;
+-				if (stat & RXERROR_OVERRUN)
+-					flag |= TTY_OVERRUN;
+-				if (stat & RXERROR_FRAMING)
+-					flag |= TTY_FRAME;
+-				if (stat & RXERROR_PARITY)
+-					flag |= TTY_PARITY;
++				int stat = data[i];
++				int flag = TTY_NORMAL;
++
++				if (stat & RXERROR_OVERRUN) {
++					tty_insert_flip_char(tty, 0,
++								TTY_OVERRUN);
++				}
+ 				/* XXX should handle break (0x10) */
++				if (stat & RXERROR_PARITY)
++					flag = TTY_PARITY;
++				else if (stat & RXERROR_FRAMING)
++					flag = TTY_FRAME;
++
+ 				tty_insert_flip_char(tty, data[i+1], flag);
+ 			}
+ 		}
+@@ -900,14 +909,19 @@ static void usa49wg_indat_callback(struct urb *urb)
+ 				 * some bytes had errors, every byte has status
+ 				 */
+ 				for (x = 0; x + 1 < len; x += 2) {
+-					int stat = data[i], flag = 0;
+-					if (stat & RXERROR_OVERRUN)
+-						flag |= TTY_OVERRUN;
+-					if (stat & RXERROR_FRAMING)
+-						flag |= TTY_FRAME;
+-					if (stat & RXERROR_PARITY)
+-						flag |= TTY_PARITY;
++					int stat = data[i];
++					int flag = TTY_NORMAL;
++
++					if (stat & RXERROR_OVERRUN) {
++						tty_insert_flip_char(tty, 0,
++								     TTY_OVERRUN);
++					}
+ 					/* XXX should handle break (0x10) */
++					if (stat & RXERROR_PARITY)
++						flag = TTY_PARITY;
++					else if (stat & RXERROR_FRAMING)
++						flag = TTY_FRAME;
++
+ 					tty_insert_flip_char(tty,
+ 							data[i+1], flag);
+ 					i += 2;
+@@ -967,25 +981,31 @@ static void usa90_indat_callback(struct urb *urb)
+ 			if ((data[0] & 0x80) == 0) {
+ 				/* no errors on individual bytes, only
+ 				   possible overrun err*/
+-				if (data[0] & RXERROR_OVERRUN)
+-					err = TTY_OVERRUN;
+-				else
+-					err = 0;
++				if (data[0] & RXERROR_OVERRUN) {
++					tty_insert_flip_char(tty, 0,
++							     TTY_OVERRUN);
++				}
+ 				for (i = 1; i < urb->actual_length ; ++i)
+ 					tty_insert_flip_char(tty, data[i],
+-									err);
++							     TTY_NORMAL);
+ 			}  else {
+ 			/* some bytes had errors, every byte has status */
+ 				dbg("%s - RX error!!!!", __func__);
+ 				for (i = 0; i + 1 < urb->actual_length; i += 2) {
+-					int stat = data[i], flag = 0;
+-					if (stat & RXERROR_OVERRUN)
+-						flag |= TTY_OVERRUN;
+-					if (stat & RXERROR_FRAMING)
+-						flag |= TTY_FRAME;
+-					if (stat & RXERROR_PARITY)
+-						flag |= TTY_PARITY;
++					int stat = data[i];
++					int flag = TTY_NORMAL;
++
++					if (stat & RXERROR_OVERRUN) {
++						tty_insert_flip_char(
++								tty, 0,
++								TTY_OVERRUN);
++					}
+ 					/* XXX should handle break (0x10) */
++					if (stat & RXERROR_PARITY)
++						flag = TTY_PARITY;
++					else if (stat & RXERROR_FRAMING)
++						flag = TTY_FRAME;
++
+ 					tty_insert_flip_char(tty, data[i+1],
+ 									flag);
+ 				}
+diff --git a/drivers/usb/serial/kobil_sct.c b/drivers/usb/serial/kobil_sct.c
+index ddd1463..16a6420 100644
+--- a/drivers/usb/serial/kobil_sct.c
++++ b/drivers/usb/serial/kobil_sct.c
+@@ -463,7 +463,8 @@ static int kobil_write(struct tty_struct *tty, struct usb_serial_port *port,
+ 			);
+ 
+ 			priv->cur_pos = priv->cur_pos + length;
+-			result = usb_submit_urb(port->write_urb, GFP_NOIO);
++			result = usb_submit_urb(port->write_urb,
++					GFP_ATOMIC);
+ 			dbg("%s - port %d Send write URB returns: %i",
+ 					__func__, port->number, result);
+ 			todo = priv->filled - priv->cur_pos;
+@@ -487,7 +488,7 @@ static int kobil_write(struct tty_struct *tty, struct usb_serial_port *port,
+ 			port->interrupt_in_urb->dev = port->serial->dev;
+ 
+ 			result = usb_submit_urb(port->interrupt_in_urb,
+-								GFP_NOIO);
++					GFP_ATOMIC);
+ 			dbg("%s - port %d Send read URB returns: %i",
+ 					__func__, port->number, result);
+ 		}
+diff --git a/drivers/usb/serial/opticon.c b/drivers/usb/serial/opticon.c
+index d6c5ed6..e629533 100644
+--- a/drivers/usb/serial/opticon.c
++++ b/drivers/usb/serial/opticon.c
+@@ -293,7 +293,7 @@ static int opticon_write(struct tty_struct *tty, struct usb_serial_port *port,
+ 
+ 	/* The conncected devices do not have a bulk write endpoint,
+ 	 * to transmit data to de barcode device the control endpoint is used */
+-	dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_NOIO);
++	dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_ATOMIC);
+ 	if (!dr) {
+ 		dev_err(&port->dev, "out of memory\n");
+ 		count = -ENOMEM;
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index d8360be..64ea95d 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -269,6 +269,7 @@ static void option_instat_callback(struct urb *urb);
+ #define TELIT_PRODUCT_DE910_DUAL		0x1010
+ #define TELIT_PRODUCT_UE910_V2			0x1012
+ #define TELIT_PRODUCT_LE920			0x1200
++#define TELIT_PRODUCT_LE910			0x1201
+ 
+ /* ZTE PRODUCTS */
+ #define ZTE_VENDOR_ID				0x19d2
+@@ -359,6 +360,7 @@ static void option_instat_callback(struct urb *urb);
+ 
+ /* Haier products */
+ #define HAIER_VENDOR_ID				0x201e
++#define HAIER_PRODUCT_CE81B			0x10f8
+ #define HAIER_PRODUCT_CE100			0x2009
+ 
+ /* Cinterion (formerly Siemens) products */
+@@ -586,6 +588,11 @@ static const struct option_blacklist_info zte_1255_blacklist = {
+ 	.reserved = BIT(3) | BIT(4),
+ };
+ 
++static const struct option_blacklist_info telit_le910_blacklist = {
++	.sendsetup = BIT(0),
++	.reserved = BIT(1) | BIT(2),
++};
++
+ static const struct option_blacklist_info telit_le920_blacklist = {
+ 	.sendsetup = BIT(0),
+ 	.reserved = BIT(1) | BIT(5),
+@@ -1135,6 +1142,8 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_SINGLE) },
+ 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) },
+ 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) },
++	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
++		.driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+ 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
+ 		.driver_info = (kernel_ulong_t)&telit_le920_blacklist },
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
+@@ -1610,6 +1619,7 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) },
+ 	{ USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) },
+ 	{ USB_DEVICE(HAIER_VENDOR_ID, HAIER_PRODUCT_CE100) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(HAIER_VENDOR_ID, HAIER_PRODUCT_CE81B, 0xff, 0xff, 0xff) },
+ 	/* Pirelli  */
+ 	{ USB_DEVICE(PIRELLI_VENDOR_ID, PIRELLI_PRODUCT_C100_1)},
+ 	{ USB_DEVICE(PIRELLI_VENDOR_ID, PIRELLI_PRODUCT_C100_2)},
+diff --git a/drivers/usb/serial/ssu100.c b/drivers/usb/serial/ssu100.c
+index bf1f8ea..ad8e5f3 100644
+--- a/drivers/usb/serial/ssu100.c
++++ b/drivers/usb/serial/ssu100.c
+@@ -599,10 +599,10 @@ static void ssu100_update_lsr(struct usb_serial_port *port, u8 lsr,
+ 			if (*tty_flag == TTY_NORMAL)
+ 				*tty_flag = TTY_FRAME;
+ 		}
+-		if (lsr & UART_LSR_OE){
++		if (lsr & UART_LSR_OE) {
+ 			priv->icount.overrun++;
+-			if (*tty_flag == TTY_NORMAL)
+-				*tty_flag = TTY_OVERRUN;
++			tty_insert_flip_char(tty_port_tty_get(&port->port),
++					     0, TTY_OVERRUN);
+ 		}
+ 	}
+ 
+@@ -623,11 +623,8 @@ static int ssu100_process_packet(struct urb *urb,
+ 	if ((len >= 4) &&
+ 	    (packet[0] == 0x1b) && (packet[1] == 0x1b) &&
+ 	    ((packet[2] == 0x00) || (packet[2] == 0x01))) {
+-		if (packet[2] == 0x00) {
++		if (packet[2] == 0x00)
+ 			ssu100_update_lsr(port, packet[3], &flag);
+-			if (flag == TTY_OVERRUN)
+-				tty_insert_flip_char(tty, 0, TTY_OVERRUN);
+-		}
+ 		if (packet[2] == 0x01)
+ 			ssu100_update_msr(port, packet[3]);
+ 
+diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c
+index 0e5c91c..366395c 100644
+--- a/drivers/usb/storage/transport.c
++++ b/drivers/usb/storage/transport.c
+@@ -1119,6 +1119,31 @@ int usb_stor_Bulk_transport(struct scsi_cmnd *srb, struct us_data *us)
+ 		 */
+ 		if (result == USB_STOR_XFER_LONG)
+ 			fake_sense = 1;
++
++		/*
++		 * Sometimes a device will mistakenly skip the data phase
++		 * and go directly to the status phase without sending a
++		 * zero-length packet.  If we get a 13-byte response here,
++		 * check whether it really is a CSW.
++		 */
++		if (result == USB_STOR_XFER_SHORT &&
++				srb->sc_data_direction == DMA_FROM_DEVICE &&
++				transfer_length - scsi_get_resid(srb) ==
++					US_BULK_CS_WRAP_LEN) {
++			struct scatterlist *sg = NULL;
++			unsigned int offset = 0;
++
++			if (usb_stor_access_xfer_buf((unsigned char *) bcs,
++					US_BULK_CS_WRAP_LEN, srb, &sg,
++					&offset, FROM_XFER_BUF) ==
++						US_BULK_CS_WRAP_LEN &&
++					bcs->Signature ==
++						cpu_to_le32(US_BULK_CS_SIGN)) {
++				US_DEBUGP("Device skipped data phase\n");
++				scsi_set_resid(srb, transfer_length);
++				goto skipped_data_phase;
++			}
++		}
+ 	}
+ 
+ 	/* See flow chart on pg 15 of the Bulk Only Transport spec for
+@@ -1154,6 +1179,7 @@ int usb_stor_Bulk_transport(struct scsi_cmnd *srb, struct us_data *us)
+ 	if (result != USB_STOR_XFER_GOOD)
+ 		return USB_STOR_TRANSPORT_ERROR;
+ 
++ skipped_data_phase:
+ 	/* check bulk status */
+ 	residue = le32_to_cpu(bcs->Residue);
+ 	US_DEBUGP("Bulk Status S 0x%x T 0x%x R %u Stat 0x%x\n",
+diff --git a/drivers/video/cfbcopyarea.c b/drivers/video/cfbcopyarea.c
+index bcb5723..6d4bfee 100644
+--- a/drivers/video/cfbcopyarea.c
++++ b/drivers/video/cfbcopyarea.c
+@@ -55,8 +55,8 @@ bitcpy(struct fb_info *p, unsigned long __iomem *dst, unsigned dst_idx,
+ 	 * If you suspect bug in this function, compare it with this simple
+ 	 * memmove implementation.
+ 	 */
+-	fb_memmove((char *)dst + ((dst_idx & (bits - 1))) / 8,
+-		   (char *)src + ((src_idx & (bits - 1))) / 8, n / 8);
++	memmove((char *)dst + ((dst_idx & (bits - 1))) / 8,
++		(char *)src + ((src_idx & (bits - 1))) / 8, n / 8);
+ 	return;
+ #endif
+ 
+@@ -221,8 +221,8 @@ bitcpy_rev(struct fb_info *p, unsigned long __iomem *dst, unsigned dst_idx,
+ 	 * If you suspect bug in this function, compare it with this simple
+ 	 * memmove implementation.
+ 	 */
+-	fb_memmove((char *)dst + ((dst_idx & (bits - 1))) / 8,
+-		   (char *)src + ((src_idx & (bits - 1))) / 8, n / 8);
++	memmove((char *)dst + ((dst_idx & (bits - 1))) / 8,
++		(char *)src + ((src_idx & (bits - 1))) / 8, n / 8);
+ 	return;
+ #endif
+ 
+@@ -324,7 +324,10 @@ bitcpy_rev(struct fb_info *p, unsigned long __iomem *dst, unsigned dst_idx,
+ 				d0 = d0 << left | d1 >> right;
+ 			}
+ 			d0 = fb_rev_pixels_in_long(d0, bswapmask);
+-			FB_WRITEL(comp(d0, FB_READL(dst), first), dst);
++			if (!first)
++				FB_WRITEL(d0, dst);
++			else
++				FB_WRITEL(comp(d0, FB_READL(dst), first), dst);
+ 			d0 = d1;
+ 			dst--;
+ 			n -= dst_idx+1;
+diff --git a/drivers/video/console/bitblit.c b/drivers/video/console/bitblit.c
+index 28b1a83..6cbb206 100644
+--- a/drivers/video/console/bitblit.c
++++ b/drivers/video/console/bitblit.c
+@@ -205,7 +205,6 @@ static void bit_putcs(struct vc_data *vc, struct fb_info *info,
+ static void bit_clear_margins(struct vc_data *vc, struct fb_info *info,
+ 			      int bottom_only)
+ {
+-	int bgshift = (vc->vc_hi_font_mask) ? 13 : 12;
+ 	unsigned int cw = vc->vc_font.width;
+ 	unsigned int ch = vc->vc_font.height;
+ 	unsigned int rw = info->var.xres - (vc->vc_cols*cw);
+@@ -214,7 +213,7 @@ static void bit_clear_margins(struct vc_data *vc, struct fb_info *info,
+ 	unsigned int bs = info->var.yres - bh;
+ 	struct fb_fillrect region;
+ 
+-	region.color = attr_bgcol_ec(bgshift, vc, info);
++	region.color = 0;
+ 	region.rop = ROP_COPY;
+ 
+ 	if (rw && !bottom_only) {
+diff --git a/drivers/video/console/fbcon_ccw.c b/drivers/video/console/fbcon_ccw.c
+index 41b32ae..5a3cbf6 100644
+--- a/drivers/video/console/fbcon_ccw.c
++++ b/drivers/video/console/fbcon_ccw.c
+@@ -197,9 +197,8 @@ static void ccw_clear_margins(struct vc_data *vc, struct fb_info *info,
+ 	unsigned int bh = info->var.xres - (vc->vc_rows*ch);
+ 	unsigned int bs = vc->vc_rows*ch;
+ 	struct fb_fillrect region;
+-	int bgshift = (vc->vc_hi_font_mask) ? 13 : 12;
+ 
+-	region.color = attr_bgcol_ec(bgshift,vc,info);
++	region.color = 0;
+ 	region.rop = ROP_COPY;
+ 
+ 	if (rw && !bottom_only) {
+diff --git a/drivers/video/console/fbcon_cw.c b/drivers/video/console/fbcon_cw.c
+index 6a73782..7d3fd9b 100644
+--- a/drivers/video/console/fbcon_cw.c
++++ b/drivers/video/console/fbcon_cw.c
+@@ -181,9 +181,8 @@ static void cw_clear_margins(struct vc_data *vc, struct fb_info *info,
+ 	unsigned int bh = info->var.xres - (vc->vc_rows*ch);
+ 	unsigned int rs = info->var.yres - rw;
+ 	struct fb_fillrect region;
+-	int bgshift = (vc->vc_hi_font_mask) ? 13 : 12;
+ 
+-	region.color = attr_bgcol_ec(bgshift,vc,info);
++	region.color = 0;
+ 	region.rop = ROP_COPY;
+ 
+ 	if (rw && !bottom_only) {
+diff --git a/drivers/video/console/fbcon_ud.c b/drivers/video/console/fbcon_ud.c
+index ff0872c..19e3714 100644
+--- a/drivers/video/console/fbcon_ud.c
++++ b/drivers/video/console/fbcon_ud.c
+@@ -227,9 +227,8 @@ static void ud_clear_margins(struct vc_data *vc, struct fb_info *info,
+ 	unsigned int rw = info->var.xres - (vc->vc_cols*cw);
+ 	unsigned int bh = info->var.yres - (vc->vc_rows*ch);
+ 	struct fb_fillrect region;
+-	int bgshift = (vc->vc_hi_font_mask) ? 13 : 12;
+ 
+-	region.color = attr_bgcol_ec(bgshift,vc,info);
++	region.color = 0;
+ 	region.rop = ROP_COPY;
+ 
+ 	if (rw && !bottom_only) {
+diff --git a/fs/buffer.c b/fs/buffer.c
+index 59496e7..c457f84 100644
+--- a/fs/buffer.c
++++ b/fs/buffer.c
+@@ -2019,6 +2019,7 @@ int generic_write_end(struct file *file, struct address_space *mapping,
+ 			struct page *page, void *fsdata)
+ {
+ 	struct inode *inode = mapping->host;
++	loff_t old_size = inode->i_size;
+ 	int i_size_changed = 0;
+ 
+ 	copied = block_write_end(file, mapping, pos, len, copied, page, fsdata);
+@@ -2038,6 +2039,8 @@ int generic_write_end(struct file *file, struct address_space *mapping,
+ 	unlock_page(page);
+ 	page_cache_release(page);
+ 
++	if (old_size < pos)
++		pagecache_isize_extended(inode, old_size, pos);
+ 	/*
+ 	 * Don't mark the inode dirty under page lock. First, it unnecessarily
+ 	 * makes the holding time of page lock longer. Second, it forces lock
+@@ -2258,6 +2261,11 @@ static int cont_expand_zero(struct file *file, struct address_space *mapping,
+ 		err = 0;
+ 
+ 		balance_dirty_pages_ratelimited(mapping);
++
++		if (unlikely(fatal_signal_pending(current))) {
++			err = -EINTR;
++			goto out;
++		}
+ 	}
+ 
+ 	/* page covers the boundary, find the boundary offset */
+diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
+index a9be90d..782569b 100644
+--- a/fs/ecryptfs/inode.c
++++ b/fs/ecryptfs/inode.c
+@@ -1112,7 +1112,7 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ 	}
+ 
+ 	rc = vfs_setxattr(lower_dentry, name, value, size, flags);
+-	if (!rc)
++	if (!rc && dentry->d_inode)
+ 		fsstack_copy_attr_all(dentry->d_inode, lower_dentry->d_inode);
+ out:
+ 	return rc;
+diff --git a/fs/ext3/super.c b/fs/ext3/super.c
+index b7f314f..562ede3 100644
+--- a/fs/ext3/super.c
++++ b/fs/ext3/super.c
+@@ -1303,13 +1303,6 @@ set_qf_format:
+ 					"not specified.");
+ 			return 0;
+ 		}
+-	} else {
+-		if (sbi->s_jquota_fmt) {
+-			ext3_msg(sb, KERN_ERR, "error: journaled quota format "
+-					"specified with no journaling "
+-					"enabled.");
+-			return 0;
+-		}
+ 	}
+ #endif
+ 	return 1;
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index 40f4d06..6858d9d 100644
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1874,6 +1874,7 @@ int ext4_get_block(struct inode *inode, sector_t iblock,
+ 				struct buffer_head *bh_result, int create);
+ 
+ extern struct inode *ext4_iget(struct super_block *, unsigned long);
++extern struct inode *ext4_iget_normal(struct super_block *, unsigned long);
+ extern int  ext4_write_inode(struct inode *, struct writeback_control *);
+ extern int  ext4_setattr(struct dentry *, struct iattr *);
+ extern int  ext4_getattr(struct vfsmount *mnt, struct dentry *dentry,
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index 6d1f577..a308844 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -813,6 +813,10 @@ got:
+ 		struct buffer_head *block_bitmap_bh;
+ 
+ 		block_bitmap_bh = ext4_read_block_bitmap(sb, group);
++		if (!block_bitmap_bh) {
++			err = -EIO;
++			goto out;
++		}
+ 		BUFFER_TRACE(block_bitmap_bh, "get block bitmap access");
+ 		err = ext4_journal_get_write_access(handle, block_bitmap_bh);
+ 		if (err) {
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 55d4f46..f06857b 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -155,15 +155,14 @@ void ext4_evict_inode(struct inode *inode)
+ 		goto no_delete;
+ 	}
+ 
+-	if (!is_bad_inode(inode))
+-		dquot_initialize(inode);
++	if (is_bad_inode(inode))
++		goto no_delete;
++	dquot_initialize(inode);
+ 
+ 	if (ext4_should_order_data(inode))
+ 		ext4_begin_ordered_truncate(inode, 0);
+ 	truncate_inode_pages(&inode->i_data, 0);
+ 
+-	if (is_bad_inode(inode))
+-		goto no_delete;
+ 
+ 	handle = ext4_journal_start(inode, ext4_blocks_for_truncate(inode)+3);
+ 	if (IS_ERR(handle)) {
+@@ -2410,6 +2409,20 @@ static int ext4_nonda_switch(struct super_block *sb)
+ 	return 0;
+ }
+ 
++/* We always reserve for an inode update; the superblock could be there too */
++static int ext4_da_write_credits(struct inode *inode, loff_t pos, unsigned len)
++{
++	if (likely(EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
++				EXT4_FEATURE_RO_COMPAT_LARGE_FILE)))
++		return 1;
++
++	if (pos + len <= 0x7fffffffULL)
++		return 1;
++
++	/* We might need to update the superblock to set LARGE_FILE */
++	return 2;
++}
++
+ static int ext4_da_write_begin(struct file *file, struct address_space *mapping,
+ 			       loff_t pos, unsigned len, unsigned flags,
+ 			       struct page **pagep, void **fsdata)
+@@ -2436,7 +2449,8 @@ retry:
+ 	 * to journalling the i_disksize update if writes to the end
+ 	 * of file which has an already mapped buffer.
+ 	 */
+-	handle = ext4_journal_start(inode, 1);
++	handle = ext4_journal_start(inode,
++				ext4_da_write_credits(inode, pos, len));
+ 	if (IS_ERR(handle)) {
+ 		ret = PTR_ERR(handle);
+ 		goto out;
+@@ -3959,6 +3973,13 @@ bad_inode:
+ 	return ERR_PTR(ret);
+ }
+ 
++struct inode *ext4_iget_normal(struct super_block *sb, unsigned long ino)
++{
++	if (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO)
++		return ERR_PTR(-EIO);
++	return ext4_iget(sb, ino);
++}
++
+ static int ext4_inode_blocks_set(handle_t *handle,
+ 				struct ext4_inode *raw_inode,
+ 				struct ext4_inode_info *ei)
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 2e0e34f..cd39fa7 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1040,7 +1040,7 @@ static struct dentry *ext4_lookup(struct inode *dir, struct dentry *dentry, stru
+ 					 dentry->d_name.name);
+ 			return ERR_PTR(-EIO);
+ 		}
+-		inode = ext4_iget(dir->i_sb, ino);
++		inode = ext4_iget_normal(dir->i_sb, ino);
+ 		if (inode == ERR_PTR(-ESTALE)) {
+ 			EXT4_ERROR_INODE(dir,
+ 					 "deleted inode referenced: %u",
+@@ -1074,7 +1074,7 @@ struct dentry *ext4_get_parent(struct dentry *child)
+ 		return ERR_PTR(-EIO);
+ 	}
+ 
+-	return d_obtain_alias(ext4_iget(child->d_inode->i_sb, ino));
++	return d_obtain_alias(ext4_iget_normal(child->d_inode->i_sb, ino));
+ }
+ 
+ #define S_SHIFT 12
+@@ -1408,31 +1408,38 @@ static int make_indexed_dir(handle_t *handle, struct dentry *dentry,
+ 		hinfo.hash_version += EXT4_SB(dir->i_sb)->s_hash_unsigned;
+ 	hinfo.seed = EXT4_SB(dir->i_sb)->s_hash_seed;
+ 	ext4fs_dirhash(name, namelen, &hinfo);
++	memset(frames, 0, sizeof(frames));
+ 	frame = frames;
+ 	frame->entries = entries;
+ 	frame->at = entries;
+ 	frame->bh = bh;
+ 	bh = bh2;
+ 
+-	ext4_handle_dirty_metadata(handle, dir, frame->bh);
+-	ext4_handle_dirty_metadata(handle, dir, bh);
++	retval = ext4_handle_dirty_metadata(handle, dir, frame->bh);
++	if (retval)
++		goto out_frames;	
++	retval = ext4_handle_dirty_metadata(handle, dir, bh);
++	if (retval)
++		goto out_frames;	
+ 
+ 	de = do_split(handle,dir, &bh, frame, &hinfo, &retval);
+ 	if (!de) {
+-		/*
+-		 * Even if the block split failed, we have to properly write
+-		 * out all the changes we did so far. Otherwise we can end up
+-		 * with corrupted filesystem.
+-		 */
+-		ext4_mark_inode_dirty(handle, dir);
+-		dx_release(frames);
+-		return retval;
++		goto out_frames;
+ 	}
+ 	dx_release(frames);
+ 
+ 	retval = add_dirent_to_buf(handle, dentry, inode, de, bh);
+ 	brelse(bh);
+ 	return retval;
++out_frames:
++	/*
++	 * Even if the block split failed, we have to properly write
++	 * out all the changes we did so far. Otherwise we can end up
++	 * with corrupted filesystem.
++	 */
++	ext4_mark_inode_dirty(handle, dir);
++	dx_release(frames);
++	return retval;
+ }
+ 
+ /*
+@@ -1979,7 +1986,7 @@ int ext4_orphan_add(handle_t *handle, struct inode *inode)
+ 	struct ext4_iloc iloc;
+ 	int err = 0, rc;
+ 
+-	if (!ext4_handle_valid(handle))
++	if (!ext4_handle_valid(handle) || is_bad_inode(inode))
+ 		return 0;
+ 
+ 	mutex_lock(&EXT4_SB(sb)->s_orphan_lock);
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 6e67b97..9e9e67b 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -692,7 +692,7 @@ static void update_backups(struct super_block *sb,
+ 		    (err = ext4_journal_restart(handle, EXT4_MAX_TRANS_DATA)))
+ 			break;
+ 
+-		bh = sb_getblk(sb, group * bpg + blk_off);
++		bh = sb_getblk(sb, (ext4_fsblk_t)group * bpg + blk_off);
+ 		if (!bh) {
+ 			err = -ENOMEM;
+ 			break;
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 6581ee7..422be11 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1185,7 +1185,7 @@ static struct inode *ext4_nfs_get_inode(struct super_block *sb,
+ 	 * Currently we don't know the generation for parent directory, so
+ 	 * a generation of 0 means "accept any"
+ 	 */
+-	inode = ext4_iget(sb, ino);
++	inode = ext4_iget_normal(sb, ino);
+ 	if (IS_ERR(inode))
+ 		return ERR_CAST(inode);
+ 	if (generation && inode->i_generation != generation) {
+@@ -1931,13 +1931,6 @@ set_qf_format:
+ 					"not specified");
+ 			return 0;
+ 		}
+-	} else {
+-		if (sbi->s_jquota_fmt) {
+-			ext4_msg(sb, KERN_ERR, "journaled quota format "
+-					"specified with no journaling "
+-					"enabled");
+-			return 0;
+-		}
+ 	}
+ #endif
+ 	if (test_opt(sb, DIOREAD_NOLOCK)) {
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index 05617bd..c6ac876 100644
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -144,14 +144,28 @@ ext4_listxattr(struct dentry *dentry, char *buffer, size_t size)
+ }
+ 
+ static int
+-ext4_xattr_check_names(struct ext4_xattr_entry *entry, void *end)
++ext4_xattr_check_names(struct ext4_xattr_entry *entry, void *end,
++		       void *value_start)
+ {
+-	while (!IS_LAST_ENTRY(entry)) {
+-		struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(entry);
++	struct ext4_xattr_entry *e = entry;
++
++	while (!IS_LAST_ENTRY(e)) {
++		struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e);
+ 		if ((void *)next >= end)
+ 			return -EIO;
+-		entry = next;
++		e = next;
+ 	}
++
++	while (!IS_LAST_ENTRY(entry)) {
++		if (entry->e_value_size != 0 &&
++		    (value_start + le16_to_cpu(entry->e_value_offs) <
++		     (void *)e + sizeof(__u32) ||
++		     value_start + le16_to_cpu(entry->e_value_offs) +
++		    le32_to_cpu(entry->e_value_size) > end))
++			return -EIO;
++		entry = EXT4_XATTR_NEXT(entry);
++	}
++
+ 	return 0;
+ }
+ 
+@@ -163,7 +177,8 @@ ext4_xattr_check_block(struct buffer_head *bh)
+ 	if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
+ 	    BHDR(bh)->h_blocks != cpu_to_le32(1))
+ 		return -EIO;
+-	error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size);
++	error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size,
++				       bh->b_data);
+ 	return error;
+ }
+ 
+@@ -276,7 +291,7 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
+ 	header = IHDR(inode, raw_inode);
+ 	entry = IFIRST(header);
+ 	end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+-	error = ext4_xattr_check_names(entry, end);
++	error = ext4_xattr_check_names(entry, end, entry);
+ 	if (error)
+ 		goto cleanup;
+ 	error = ext4_xattr_find_entry(&entry, name_index, name,
+@@ -403,7 +418,7 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size)
+ 	raw_inode = ext4_raw_inode(&iloc);
+ 	header = IHDR(inode, raw_inode);
+ 	end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+-	error = ext4_xattr_check_names(IFIRST(header), end);
++	error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header));
+ 	if (error)
+ 		goto cleanup;
+ 	error = ext4_xattr_list_entries(dentry, IFIRST(header),
+@@ -914,7 +929,8 @@ ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i,
+ 	is->s.here = is->s.first;
+ 	is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ 	if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
+-		error = ext4_xattr_check_names(IFIRST(header), is->s.end);
++		error = ext4_xattr_check_names(IFIRST(header), is->s.end,
++					       IFIRST(header));
+ 		if (error)
+ 			return error;
+ 		/* Find the named attribute. */
+diff --git a/fs/ioprio.c b/fs/ioprio.c
+index f79dab8..5b55511 100644
+--- a/fs/ioprio.c
++++ b/fs/ioprio.c
+@@ -169,14 +169,16 @@ out:
+ 
+ int ioprio_best(unsigned short aprio, unsigned short bprio)
+ {
+-	unsigned short aclass = IOPRIO_PRIO_CLASS(aprio);
+-	unsigned short bclass = IOPRIO_PRIO_CLASS(bprio);
++	unsigned short aclass;
++	unsigned short bclass;
+ 
+-	if (aclass == IOPRIO_CLASS_NONE)
+-		aclass = IOPRIO_CLASS_BE;
+-	if (bclass == IOPRIO_CLASS_NONE)
+-		bclass = IOPRIO_CLASS_BE;
++	if (!ioprio_valid(aprio))
++		aprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM);
++	if (!ioprio_valid(bprio))
++		bprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM);
+ 
++	aclass = IOPRIO_PRIO_CLASS(aprio);
++	bclass = IOPRIO_PRIO_CLASS(bprio);
+ 	if (aclass == bclass)
+ 		return min(aprio, bprio);
+ 	if (aclass > bclass)
+diff --git a/fs/lockd/mon.c b/fs/lockd/mon.c
+index 23d7451..ef744e1 100644
+--- a/fs/lockd/mon.c
++++ b/fs/lockd/mon.c
+@@ -111,6 +111,12 @@ static int nsm_mon_unmon(struct nsm_handle *nsm, u32 proc, struct nsm_res *res)
+ 
+ 	msg.rpc_proc = &clnt->cl_procinfo[proc];
+ 	status = rpc_call_sync(clnt, &msg, 0);
++	if (status == -ECONNREFUSED) {
++		dprintk("lockd:	NSM upcall RPC failed, status=%d, forcing rebind\n",
++				status);
++		rpc_force_rebind(clnt);
++		status = rpc_call_sync(clnt, &msg, 0);
++	}
+ 	if (status < 0)
+ 		dprintk("lockd: NSM upcall RPC failed, status=%d\n",
+ 				status);
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 61a1303..351989e 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -5612,7 +5612,7 @@ static int nfs41_proc_async_sequence(struct nfs_client *clp, struct rpc_cred *cr
+ 	int ret = 0;
+ 
+ 	if ((renew_flags & NFS4_RENEW_TIMEOUT) == 0)
+-		return 0;
++		return -EAGAIN;
+ 	task = _nfs41_proc_sequence(clp, cred, &nfs41_sequence_ops);
+ 	if (IS_ERR(task))
+ 		ret = PTR_ERR(task);
+diff --git a/fs/nfs/nfs4renewd.c b/fs/nfs/nfs4renewd.c
+index dc484c0..78071cf9 100644
+--- a/fs/nfs/nfs4renewd.c
++++ b/fs/nfs/nfs4renewd.c
+@@ -88,10 +88,18 @@ nfs4_renew_state(struct work_struct *work)
+ 			}
+ 			nfs_expire_all_delegations(clp);
+ 		} else {
++			int ret;
++
+ 			/* Queue an asynchronous RENEW. */
+-			ops->sched_state_renewal(clp, cred, renew_flags);
++			ret = ops->sched_state_renewal(clp, cred, renew_flags);
+ 			put_rpccred(cred);
+-			goto out_exp;
++			switch (ret) {
++			default:
++				goto out_exp;
++			case -EAGAIN:
++			case -ENOMEM:
++				break;
++			}
+ 		}
+ 	} else {
+ 		dprintk("%s: failed to call renewd. Reason: lease not expired \n",
+diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
+index b2e1136..ce4168a 100644
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1447,7 +1447,8 @@ restart:
+ 			if (status < 0) {
+ 				set_bit(ops->owner_flag_bit, &sp->so_flags);
+ 				nfs4_put_state_owner(sp);
+-				return nfs4_recovery_handle_error(clp, status);
++				status = nfs4_recovery_handle_error(clp, status);
++				return (status != 0) ? status : -EAGAIN;
+ 			}
+ 
+ 			nfs4_put_state_owner(sp);
+@@ -1456,7 +1457,7 @@ restart:
+ 		spin_unlock(&clp->cl_lock);
+ 	}
+ 	rcu_read_unlock();
+-	return status;
++	return 0;
+ }
+ 
+ static int nfs4_check_lease(struct nfs_client *clp)
+@@ -1729,23 +1730,18 @@ static void nfs4_state_manager(struct nfs_client *clp)
+ 		if (test_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state)) {
+ 			status = nfs4_do_reclaim(clp,
+ 				clp->cl_mvops->reboot_recovery_ops);
+-			if (test_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state) ||
+-			    test_bit(NFS4CLNT_SESSION_RESET, &clp->cl_state))
+-				continue;
+-			nfs4_state_end_reclaim_reboot(clp);
+-			if (test_bit(NFS4CLNT_RECLAIM_NOGRACE, &clp->cl_state))
++			if (status == -EAGAIN)
+ 				continue;
+ 			if (status < 0)
+ 				goto out_error;
++			nfs4_state_end_reclaim_reboot(clp);
+ 		}
+ 
+ 		/* Now recover expired state... */
+ 		if (test_and_clear_bit(NFS4CLNT_RECLAIM_NOGRACE, &clp->cl_state)) {
+ 			status = nfs4_do_reclaim(clp,
+ 				clp->cl_mvops->nograce_recovery_ops);
+-			if (test_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state) ||
+-			    test_bit(NFS4CLNT_SESSION_RESET, &clp->cl_state) ||
+-			    test_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state))
++			if (status == -EAGAIN)
+ 				continue;
+ 			if (status < 0)
+ 				goto out_error;
+diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
+index 809a38a..51b4f43 100644
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -785,8 +785,12 @@ static bool nfsd41_cb_get_slot(struct nfs4_client *clp, struct rpc_task *task)
+ {
+ 	if (test_and_set_bit(0, &clp->cl_cb_slot_busy) != 0) {
+ 		rpc_sleep_on(&clp->cl_cb_waitq, task, NULL);
+-		dprintk("%s slot is busy\n", __func__);
+-		return false;
++		/* Race breaker */
++		if (test_and_set_bit(0, &clp->cl_cb_slot_busy) != 0) {
++			dprintk("%s slot is busy\n", __func__);
++			return false;
++		}
++		rpc_wake_up_queued_task(&clp->cl_cb_waitq, task);
+ 	}
+ 	return true;
+ }
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index eebccfe..9a959de 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1111,7 +1111,8 @@ static bool need_wrongsec_check(struct svc_rqst *rqstp)
+ 	 */
+ 	if (argp->opcnt == resp->opcnt)
+ 		return false;
+-
++	if (next->opnum == OP_ILLEGAL)
++		return false;
+ 	nextd = OPDESC(next);
+ 	/*
+ 	 * Rest of 2.6.3.1.1: certain operations will return WRONGSEC
+diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
+index 9860f6b..d57995e 100644
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -65,7 +65,7 @@ static int create_fd(struct fsnotify_group *group, struct fsnotify_event *event)
+ 
+ 	pr_debug("%s: group=%p event=%p\n", __func__, group, event);
+ 
+-	client_fd = get_unused_fd();
++	client_fd = get_unused_fd_flags(group->fanotify_data.f_flags);
+ 	if (client_fd < 0)
+ 		return client_fd;
+ 
+diff --git a/fs/super.c b/fs/super.c
+index 2a698f6..531de18 100644
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -68,6 +68,8 @@ static int prune_super(struct shrinker *shrink, struct shrink_control *sc)
+ 
+ 	total_objects = sb->s_nr_dentry_unused +
+ 			sb->s_nr_inodes_unused + fs_objects + 1;
++	if (!total_objects)
++		total_objects = 1;
+ 
+ 	if (sc->nr_to_scan) {
+ 		int	dentries;
+diff --git a/fs/ubifs/commit.c b/fs/ubifs/commit.c
+index fb3b5c8..b2ca12f 100644
+--- a/fs/ubifs/commit.c
++++ b/fs/ubifs/commit.c
+@@ -166,15 +166,10 @@ static int do_commit(struct ubifs_info *c)
+ 	err = ubifs_orphan_end_commit(c);
+ 	if (err)
+ 		goto out;
+-	old_ltail_lnum = c->ltail_lnum;
+-	err = ubifs_log_end_commit(c, new_ltail_lnum);
+-	if (err)
+-		goto out;
+ 	err = dbg_check_old_index(c, &zroot);
+ 	if (err)
+ 		goto out;
+ 
+-	mutex_lock(&c->mst_mutex);
+ 	c->mst_node->cmt_no      = cpu_to_le64(c->cmt_no);
+ 	c->mst_node->log_lnum    = cpu_to_le32(new_ltail_lnum);
+ 	c->mst_node->root_lnum   = cpu_to_le32(zroot.lnum);
+@@ -203,8 +198,9 @@ static int do_commit(struct ubifs_info *c)
+ 		c->mst_node->flags |= cpu_to_le32(UBIFS_MST_NO_ORPHS);
+ 	else
+ 		c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_NO_ORPHS);
+-	err = ubifs_write_master(c);
+-	mutex_unlock(&c->mst_mutex);
++
++	old_ltail_lnum = c->ltail_lnum;
++	err = ubifs_log_end_commit(c, new_ltail_lnum);
+ 	if (err)
+ 		goto out;
+ 
+diff --git a/fs/ubifs/log.c b/fs/ubifs/log.c
+index f9fd068..843beda 100644
+--- a/fs/ubifs/log.c
++++ b/fs/ubifs/log.c
+@@ -110,10 +110,14 @@ static inline long long empty_log_bytes(const struct ubifs_info *c)
+ 	h = (long long)c->lhead_lnum * c->leb_size + c->lhead_offs;
+ 	t = (long long)c->ltail_lnum * c->leb_size;
+ 
+-	if (h >= t)
++	if (h > t)
+ 		return c->log_bytes - h + t;
+-	else
++	else if (h != t)
+ 		return t - h;
++	else if (c->lhead_lnum != c->ltail_lnum)
++		return 0;
++	else
++		return c->log_bytes;
+ }
+ 
+ /**
+@@ -453,9 +457,9 @@ out:
+  * @ltail_lnum: new log tail LEB number
+  *
+  * This function is called on when the commit operation was finished. It
+- * moves log tail to new position and unmaps LEBs which contain obsolete data.
+- * Returns zero in case of success and a negative error code in case of
+- * failure.
++ * moves log tail to new position and updates the master node so that it stores
++ * the new log tail LEB number. Returns zero in case of success and a negative
++ * error code in case of failure.
+  */
+ int ubifs_log_end_commit(struct ubifs_info *c, int ltail_lnum)
+ {
+@@ -483,7 +487,12 @@ int ubifs_log_end_commit(struct ubifs_info *c, int ltail_lnum)
+ 	spin_unlock(&c->buds_lock);
+ 
+ 	err = dbg_check_bud_bytes(c);
++	if (err)
++		goto out;
+ 
++	err = ubifs_write_master(c);
++
++out:
+ 	mutex_unlock(&c->log_mutex);
+ 	return err;
+ }
+diff --git a/fs/ubifs/master.c b/fs/ubifs/master.c
+index 278c238..bb9f481 100644
+--- a/fs/ubifs/master.c
++++ b/fs/ubifs/master.c
+@@ -352,10 +352,9 @@ int ubifs_read_master(struct ubifs_info *c)
+  * ubifs_write_master - write master node.
+  * @c: UBIFS file-system description object
+  *
+- * This function writes the master node. The caller has to take the
+- * @c->mst_mutex lock before calling this function. Returns zero in case of
+- * success and a negative error code in case of failure. The master node is
+- * written twice to enable recovery.
++ * This function writes the master node. Returns zero in case of success and a
++ * negative error code in case of failure. The master node is written twice to
++ * enable recovery.
+  */
+ int ubifs_write_master(struct ubifs_info *c)
+ {
+diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
+index 2f467e5..201bcfc 100644
+--- a/fs/ubifs/super.c
++++ b/fs/ubifs/super.c
+@@ -1985,7 +1985,6 @@ static struct ubifs_info *alloc_ubifs_info(struct ubi_volume_desc *ubi)
+ 		mutex_init(&c->lp_mutex);
+ 		mutex_init(&c->tnc_mutex);
+ 		mutex_init(&c->log_mutex);
+-		mutex_init(&c->mst_mutex);
+ 		mutex_init(&c->umount_mutex);
+ 		mutex_init(&c->bu_mutex);
+ 		mutex_init(&c->write_reserve_mutex);
+diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
+index a39fce5..223dd42 100644
+--- a/fs/ubifs/ubifs.h
++++ b/fs/ubifs/ubifs.h
+@@ -1044,7 +1044,6 @@ struct ubifs_debug_info;
+  *
+  * @mst_node: master node
+  * @mst_offs: offset of valid master node
+- * @mst_mutex: protects the master node area, @mst_node, and @mst_offs
+  *
+  * @max_bu_buf_len: maximum bulk-read buffer length
+  * @bu_mutex: protects the pre-allocated bulk-read buffer and @c->bu
+@@ -1284,7 +1283,6 @@ struct ubifs_info {
+ 
+ 	struct ubifs_mst_node *mst_node;
+ 	int mst_offs;
+-	struct mutex mst_mutex;
+ 
+ 	int max_bu_buf_len;
+ 	struct mutex bu_mutex;
+diff --git a/include/drm/drm_pciids.h b/include/drm/drm_pciids.h
+index c37fd89..7daeaba 100644
+--- a/include/drm/drm_pciids.h
++++ b/include/drm/drm_pciids.h
+@@ -56,7 +56,6 @@
+ 	{0x1002, 0x4C64, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV250|RADEON_IS_MOBILITY}, \
+ 	{0x1002, 0x4C66, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV250|RADEON_IS_MOBILITY}, \
+ 	{0x1002, 0x4C67, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV250|RADEON_IS_MOBILITY}, \
+-	{0x1002, 0x4C6E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV280|RADEON_IS_MOBILITY}, \
+ 	{0x1002, 0x4E44, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R300}, \
+ 	{0x1002, 0x4E45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R300}, \
+ 	{0x1002, 0x4E46, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R300}, \
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index ff039f0..c7e834b 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -1060,10 +1060,9 @@ static inline int queue_alignment_offset(struct request_queue *q)
+ static inline int queue_limit_alignment_offset(struct queue_limits *lim, sector_t sector)
+ {
+ 	unsigned int granularity = max(lim->physical_block_size, lim->io_min);
+-	unsigned int alignment = (sector << 9) & (granularity - 1);
++	unsigned int alignment = sector_div(sector, granularity >> 9) << 9;
+ 
+-	return (granularity + lim->alignment_offset - alignment)
+-		& (granularity - 1);
++	return (granularity + lim->alignment_offset - alignment) % granularity;
+ }
+ 
+ static inline int bdev_alignment_offset(struct block_device *bdev)
+diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
+index 5633053..9ac1a7a 100644
+--- a/include/linux/compiler-gcc.h
++++ b/include/linux/compiler-gcc.h
+@@ -37,6 +37,9 @@
+     __asm__ ("" : "=r"(__ptr) : "0"(ptr));		\
+     (typeof(ptr)) (__ptr + (off)); })
+ 
++/* Make the optimizer believe the variable can be manipulated arbitrarily. */
++#define OPTIMIZER_HIDE_VAR(var) __asm__ ("" : "=r" (var) : "0" (var))
++
+ #ifdef __CHECKER__
+ #define __must_be_array(arr) 0
+ #else
+diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h
+new file mode 100644
+index 0000000..cdd1cc2
+--- /dev/null
++++ b/include/linux/compiler-gcc5.h
+@@ -0,0 +1,66 @@
++#ifndef __LINUX_COMPILER_H
++#error "Please don't include <linux/compiler-gcc5.h> directly, include <linux/compiler.h> instead."
++#endif
++
++#define __used				__attribute__((__used__))
++#define __must_check			__attribute__((warn_unused_result))
++#define __compiler_offsetof(a, b)	__builtin_offsetof(a, b)
++
++/* Mark functions as cold. gcc will assume any path leading to a call
++   to them will be unlikely.  This means a lot of manual unlikely()s
++   are unnecessary now for any paths leading to the usual suspects
++   like BUG(), printk(), panic() etc. [but let's keep them for now for
++   older compilers]
++
++   Early snapshots of gcc 4.3 don't support this and we can't detect this
++   in the preprocessor, but we can live with this because they're unreleased.
++   Maketime probing would be overkill here.
++
++   gcc also has a __attribute__((__hot__)) to move hot functions into
++   a special section, but I don't see any sense in this right now in
++   the kernel context */
++#define __cold			__attribute__((__cold__))
++
++#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__)
++
++#ifndef __CHECKER__
++# define __compiletime_warning(message) __attribute__((warning(message)))
++# define __compiletime_error(message) __attribute__((error(message)))
++#endif /* __CHECKER__ */
++
++/*
++ * Mark a position in code as unreachable.  This can be used to
++ * suppress control flow warnings after asm blocks that transfer
++ * control elsewhere.
++ *
++ * Early snapshots of gcc 4.5 don't support this and we can't detect
++ * this in the preprocessor, but we can live with this because they're
++ * unreleased.  Really, we need to have autoconf for the kernel.
++ */
++#define unreachable() __builtin_unreachable()
++
++/* Mark a function definition as prohibited from being cloned. */
++#define __noclone	__attribute__((__noclone__))
++
++/*
++ * Tell the optimizer that something else uses this function or variable.
++ */
++#define __visible __attribute__((externally_visible))
++
++/*
++ * GCC 'asm goto' miscompiles certain code sequences:
++ *
++ *   http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670
++ *
++ * Work it around via a compiler barrier quirk suggested by Jakub Jelinek.
++ * Fixed in GCC 4.8.2 and later versions.
++ *
++ * (asm goto is automatically volatile - the naming reflects this.)
++ */
++#define asm_volatile_goto(x...)	do { asm goto(x); asm (""); } while (0)
++
++#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP
++#define __HAVE_BUILTIN_BSWAP32__
++#define __HAVE_BUILTIN_BSWAP64__
++#define __HAVE_BUILTIN_BSWAP16__
++#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */
+diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h
+index cba9593..1a97cac 100644
+--- a/include/linux/compiler-intel.h
++++ b/include/linux/compiler-intel.h
+@@ -15,6 +15,7 @@
+  */
+ #undef barrier
+ #undef RELOC_HIDE
++#undef OPTIMIZER_HIDE_VAR
+ 
+ #define barrier() __memory_barrier()
+ 
+@@ -23,6 +24,12 @@
+      __ptr = (unsigned long) (ptr);				\
+     (typeof(ptr)) (__ptr + (off)); })
+ 
++/* This should act as an optimization barrier on var.
++ * Given that this compiler does not have inline assembly, a compiler barrier
++ * is the best we can do.
++ */
++#define OPTIMIZER_HIDE_VAR(var) barrier()
++
+ /* Intel ECC compiler doesn't support __builtin_types_compatible_p() */
+ #define __must_be_array(a) 0
+ 
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index 320d6c9..7c7546b 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -164,6 +164,10 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+     (typeof(ptr)) (__ptr + (off)); })
+ #endif
+ 
++#ifndef OPTIMIZER_HIDE_VAR
++#define OPTIMIZER_HIDE_VAR(var) barrier()
++#endif
++
+ #endif /* __KERNEL__ */
+ 
+ #endif /* __ASSEMBLY__ */
+diff --git a/include/linux/khugepaged.h b/include/linux/khugepaged.h
+index 6b394f0..eeb3079 100644
+--- a/include/linux/khugepaged.h
++++ b/include/linux/khugepaged.h
+@@ -6,7 +6,8 @@
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ extern int __khugepaged_enter(struct mm_struct *mm);
+ extern void __khugepaged_exit(struct mm_struct *mm);
+-extern int khugepaged_enter_vma_merge(struct vm_area_struct *vma);
++extern int khugepaged_enter_vma_merge(struct vm_area_struct *vma,
++				      unsigned long vm_flags);
+ 
+ #define khugepaged_enabled()					       \
+ 	(transparent_hugepage_flags &				       \
+@@ -35,13 +36,13 @@ static inline void khugepaged_exit(struct mm_struct *mm)
+ 		__khugepaged_exit(mm);
+ }
+ 
+-static inline int khugepaged_enter(struct vm_area_struct *vma)
++static inline int khugepaged_enter(struct vm_area_struct *vma,
++				   unsigned long vm_flags)
+ {
+ 	if (!test_bit(MMF_VM_HUGEPAGE, &vma->vm_mm->flags))
+ 		if ((khugepaged_always() ||
+-		     (khugepaged_req_madv() &&
+-		      vma->vm_flags & VM_HUGEPAGE)) &&
+-		    !(vma->vm_flags & VM_NOHUGEPAGE))
++		     (khugepaged_req_madv() && (vm_flags & VM_HUGEPAGE))) &&
++		    !(vm_flags & VM_NOHUGEPAGE))
+ 			if (__khugepaged_enter(vma->vm_mm))
+ 				return -ENOMEM;
+ 	return 0;
+@@ -54,11 +55,13 @@ static inline int khugepaged_fork(struct mm_struct *mm, struct mm_struct *oldmm)
+ static inline void khugepaged_exit(struct mm_struct *mm)
+ {
+ }
+-static inline int khugepaged_enter(struct vm_area_struct *vma)
++static inline int khugepaged_enter(struct vm_area_struct *vma,
++				   unsigned long vm_flags)
+ {
+ 	return 0;
+ }
+-static inline int khugepaged_enter_vma_merge(struct vm_area_struct *vma)
++static inline int khugepaged_enter_vma_merge(struct vm_area_struct *vma,
++					     unsigned long vm_flags)
+ {
+ 	return 0;
+ }
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 305fd75..7f40120 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -952,6 +952,7 @@ static inline void unmap_shared_mapping_range(struct address_space *mapping,
+ 
+ extern void truncate_pagecache(struct inode *inode, loff_t old, loff_t new);
+ extern void truncate_setsize(struct inode *inode, loff_t newsize);
++void pagecache_isize_extended(struct inode *inode, loff_t from, loff_t to);
+ extern int vmtruncate(struct inode *inode, loff_t offset);
+ extern int vmtruncate_range(struct inode *inode, loff_t offset, loff_t end);
+ 
+diff --git a/include/linux/string.h b/include/linux/string.h
+index e033564..8515a4d 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -144,5 +144,7 @@ static inline bool strstarts(const char *str, const char *prefix)
+ {
+ 	return strncmp(str, prefix, strlen(prefix)) == 0;
+ }
++
++void memzero_explicit(void *s, size_t count);
+ #endif
+ #endif /* _LINUX_STRING_H_ */
+diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h
+index 3e93de7..8eeeb87 100644
+--- a/include/linux/usb/quirks.h
++++ b/include/linux/usb/quirks.h
+@@ -30,4 +30,7 @@
+    descriptor */
+ #define USB_QUIRK_DELAY_INIT		0x00000040
+ 
++/* device generates spurious wakeup, ignore remote wakeup capability */
++#define USB_QUIRK_IGNORE_REMOTE_WAKEUP	0x00000200
++
+ #endif /* __LINUX_USB_QUIRKS_H */
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index fe46019..238255b 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -358,13 +358,6 @@ static inline void tcp_dec_quickack_mode(struct sock *sk,
+ #define	TCP_ECN_DEMAND_CWR	4
+ #define	TCP_ECN_SEEN		8
+ 
+-static __inline__ void
+-TCP_ECN_create_request(struct request_sock *req, struct tcphdr *th)
+-{
+-	if (sysctl_tcp_ecn && th->ece && th->cwr)
+-		inet_rsk(req)->ecn_ok = 1;
+-}
+-
+ enum tcp_tw_status {
+ 	TCP_TW_SUCCESS = 0,
+ 	TCP_TW_RST = 1,
+@@ -652,6 +645,22 @@ struct tcp_skb_cb {
+ 
+ #define TCP_SKB_CB(__skb)	((struct tcp_skb_cb *)&((__skb)->cb[0]))
+ 
++/* RFC3168 : 6.1.1 SYN packets must not have ECT/ECN bits set
++ *
++ * If we receive a SYN packet with these bits set, it means a network is
++ * playing bad games with TOS bits. In order to avoid possible false congestion
++ * notifications, we disable TCP ECN negociation.
++ */
++static inline void
++TCP_ECN_create_request(struct request_sock *req, const struct sk_buff *skb)
++{
++	const struct tcphdr *th = tcp_hdr(skb);
++
++	if (sysctl_tcp_ecn && th->ece && th->cwr &&
++	    INET_ECN_is_not_ect(TCP_SKB_CB(skb)->ip_dsfield))
++		inet_rsk(req)->ecn_ok = 1;
++}
++
+ /* Due to TSO, an SKB can be composed of multiple actual
+  * packets.  To keep these tracked properly, we use this.
+  */
+diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
+index 0caf1f8..8a14284 100644
+--- a/kernel/audit_tree.c
++++ b/kernel/audit_tree.c
+@@ -154,6 +154,7 @@ static struct audit_chunk *alloc_chunk(int count)
+ 		chunk->owners[i].index = i;
+ 	}
+ 	fsnotify_init_mark(&chunk->mark, audit_tree_destroy_watch);
++	chunk->mark.mask = FS_IN_IGNORED;
+ 	return chunk;
+ }
+ 
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 4a14895..2a4bf43 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -36,6 +36,7 @@
+ #include <linux/perf_event.h>
+ #include <linux/ftrace_event.h>
+ #include <linux/hw_breakpoint.h>
++#include <linux/compat.h>
+ 
+ #include "internal.h"
+ 
+@@ -3444,6 +3445,25 @@ static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ 	return 0;
+ }
+ 
++#ifdef CONFIG_COMPAT
++static long perf_compat_ioctl(struct file *file, unsigned int cmd,
++				unsigned long arg)
++{
++	switch (_IOC_NR(cmd)) {
++	case _IOC_NR(PERF_EVENT_IOC_SET_FILTER):
++		/* Fix up pointer size (usually 4 -> 8 in 32-on-64-bit case */
++		if (_IOC_SIZE(cmd) == sizeof(compat_uptr_t)) {
++			cmd &= ~IOCSIZE_MASK;
++			cmd |= sizeof(void *) << IOCSIZE_SHIFT;
++		}
++		break;
++	}
++	return perf_ioctl(file, cmd, arg);
++}
++#else
++# define perf_compat_ioctl NULL
++#endif
++
+ int perf_event_task_enable(void)
+ {
+ 	struct perf_event *event;
+@@ -3910,7 +3930,7 @@ static const struct file_operations perf_fops = {
+ 	.read			= perf_read,
+ 	.poll			= perf_poll,
+ 	.unlocked_ioctl		= perf_ioctl,
+-	.compat_ioctl		= perf_ioctl,
++	.compat_ioctl		= perf_compat_ioctl,
+ 	.mmap			= perf_mmap,
+ 	.fasync			= perf_fasync,
+ };
+diff --git a/kernel/futex.c b/kernel/futex.c
+index f31f190..7481595 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -484,8 +484,14 @@ static struct futex_pi_state * alloc_pi_state(void)
+ 	return pi_state;
+ }
+ 
++/*
++ * Must be called with the hb lock held.
++ */
+ static void free_pi_state(struct futex_pi_state *pi_state)
+ {
++	if (!pi_state)
++		return;
++
+ 	if (!atomic_dec_and_test(&pi_state->refcount))
+ 		return;
+ 
+@@ -1399,15 +1405,6 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
+ 	}
+ 
+ retry:
+-	if (pi_state != NULL) {
+-		/*
+-		 * We will have to lookup the pi_state again, so free this one
+-		 * to keep the accounting correct.
+-		 */
+-		free_pi_state(pi_state);
+-		pi_state = NULL;
+-	}
+-
+ 	ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ);
+ 	if (unlikely(ret != 0))
+ 		goto out;
+@@ -1495,6 +1492,8 @@ retry_private:
+ 		case 0:
+ 			break;
+ 		case -EFAULT:
++			free_pi_state(pi_state);
++			pi_state = NULL;
+ 			double_unlock_hb(hb1, hb2);
+ 			put_futex_key(&key2);
+ 			put_futex_key(&key1);
+@@ -1504,6 +1503,8 @@ retry_private:
+ 			goto out;
+ 		case -EAGAIN:
+ 			/* The owner was exiting, try again. */
++			free_pi_state(pi_state);
++			pi_state = NULL;
+ 			double_unlock_hb(hb1, hb2);
+ 			put_futex_key(&key2);
+ 			put_futex_key(&key1);
+@@ -1580,6 +1581,7 @@ retry_private:
+ 	}
+ 
+ out_unlock:
++	free_pi_state(pi_state);
+ 	double_unlock_hb(hb1, hb2);
+ 
+ 	/*
+@@ -1596,8 +1598,6 @@ out_put_keys:
+ out_put_key1:
+ 	put_futex_key(&key1);
+ out:
+-	if (pi_state != NULL)
+-		free_pi_state(pi_state);
+ 	return ret ? ret : task_count;
+ }
+ 
+diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
+index e885be1..02824a5 100644
+--- a/kernel/posix-timers.c
++++ b/kernel/posix-timers.c
+@@ -589,6 +589,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
+ 			goto out;
+ 		}
+ 	} else {
++		memset(&event.sigev_value, 0, sizeof(event.sigev_value));
+ 		event.sigev_notify = SIGEV_SIGNAL;
+ 		event.sigev_signo = SIGALRM;
+ 		event.sigev_value.sival_int = new_timer->it_id;
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index 013bd2e..e4ce628 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -503,8 +503,14 @@ int hibernation_restore(int platform_mode)
+ 	error = dpm_suspend_start(PMSG_QUIESCE);
+ 	if (!error) {
+ 		error = resume_target_kernel(platform_mode);
+-		dpm_resume_end(PMSG_RECOVER);
++		/*
++		 * The above should either succeed and jump to the new kernel,
++		 * or return with an error. Otherwise things are just
++		 * undefined, so let's be paranoid.
++		 */
++		BUG_ON(!error);
+ 	}
++	dpm_resume_end(PMSG_RECOVER);
+ 	pm_restore_gfp_mask();
+ 	ftrace_start();
+ 	resume_console();
+diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
+index 7c75bbb..1129062 100644
+--- a/kernel/trace/trace_syscalls.c
++++ b/kernel/trace/trace_syscalls.c
+@@ -309,7 +309,7 @@ void ftrace_syscall_enter(void *ignore, struct pt_regs *regs, long id)
+ 	int syscall_nr;
+ 
+ 	syscall_nr = syscall_get_nr(current, regs);
+-	if (syscall_nr < 0)
++	if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+ 		return;
+ 	if (!test_bit(syscall_nr, enabled_enter_syscalls))
+ 		return;
+@@ -349,7 +349,7 @@ void ftrace_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
+ 	int syscall_nr;
+ 
+ 	syscall_nr = syscall_get_nr(current, regs);
+-	if (syscall_nr < 0)
++	if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+ 		return;
+ 	if (!test_bit(syscall_nr, enabled_exit_syscalls))
+ 		return;
+@@ -519,6 +519,8 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id)
+ 	int size;
+ 
+ 	syscall_nr = syscall_get_nr(current, regs);
++	if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
++		return;
+ 	if (!test_bit(syscall_nr, enabled_perf_enter_syscalls))
+ 		return;
+ 
+@@ -593,6 +595,8 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
+ 	int size;
+ 
+ 	syscall_nr = syscall_get_nr(current, regs);
++	if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
++		return;
+ 	if (!test_bit(syscall_nr, enabled_perf_exit_syscalls))
+ 		return;
+ 
+diff --git a/lib/bitmap.c b/lib/bitmap.c
+index 0d4a127..dbc526f 100644
+--- a/lib/bitmap.c
++++ b/lib/bitmap.c
+@@ -129,7 +129,9 @@ void __bitmap_shift_right(unsigned long *dst,
+ 		lower = src[off + k];
+ 		if (left && off + k == lim - 1)
+ 			lower &= mask;
+-		dst[k] = upper << (BITS_PER_LONG - rem) | lower >> rem;
++		dst[k] = lower >> rem;
++		if (rem)
++			dst[k] |= upper << (BITS_PER_LONG - rem);
+ 		if (left && k == lim - 1)
+ 			dst[k] &= mask;
+ 	}
+@@ -170,7 +172,9 @@ void __bitmap_shift_left(unsigned long *dst,
+ 		upper = src[k];
+ 		if (left && k == lim - 1)
+ 			upper &= (1UL << left) - 1;
+-		dst[k + off] = lower  >> (BITS_PER_LONG - rem) | upper << rem;
++		dst[k + off] = upper << rem;
++		if (rem)
++			dst[k + off] |= lower >> (BITS_PER_LONG - rem);
+ 		if (left && k + off == lim - 1)
+ 			dst[k + off] &= (1UL << left) - 1;
+ 	}
+diff --git a/lib/lzo/lzo1x_decompress_safe.c b/lib/lzo/lzo1x_decompress_safe.c
+index 8563081..a1c387f 100644
+--- a/lib/lzo/lzo1x_decompress_safe.c
++++ b/lib/lzo/lzo1x_decompress_safe.c
+@@ -19,31 +19,21 @@
+ #include <linux/lzo.h>
+ #include "lzodefs.h"
+ 
+-#define HAVE_IP(t, x)					\
+-	(((size_t)(ip_end - ip) >= (size_t)(t + x)) &&	\
+-	 (((t + x) >= t) && ((t + x) >= x)))
++#define HAVE_IP(x)      ((size_t)(ip_end - ip) >= (size_t)(x))
++#define HAVE_OP(x)      ((size_t)(op_end - op) >= (size_t)(x))
++#define NEED_IP(x)      if (!HAVE_IP(x)) goto input_overrun
++#define NEED_OP(x)      if (!HAVE_OP(x)) goto output_overrun
++#define TEST_LB(m_pos)  if ((m_pos) < out) goto lookbehind_overrun
+ 
+-#define HAVE_OP(t, x)					\
+-	(((size_t)(op_end - op) >= (size_t)(t + x)) &&	\
+-	 (((t + x) >= t) && ((t + x) >= x)))
+-
+-#define NEED_IP(t, x)					\
+-	do {						\
+-		if (!HAVE_IP(t, x))			\
+-			goto input_overrun;		\
+-	} while (0)
+-
+-#define NEED_OP(t, x)					\
+-	do {						\
+-		if (!HAVE_OP(t, x))			\
+-			goto output_overrun;		\
+-	} while (0)
+-
+-#define TEST_LB(m_pos)					\
+-	do {						\
+-		if ((m_pos) < out)			\
+-			goto lookbehind_overrun;	\
+-	} while (0)
++/* This MAX_255_COUNT is the maximum number of times we can add 255 to a base
++ * count without overflowing an integer. The multiply will overflow when
++ * multiplying 255 by more than MAXINT/255. The sum will overflow earlier
++ * depending on the base count. Since the base count is taken from a u8
++ * and a few bits, it is safe to assume that it will always be lower than
++ * or equal to 2*255, thus we can always prevent any overflow by accepting
++ * two less 255 steps. See Documentation/lzo.txt for more information.
++ */
++#define MAX_255_COUNT      ((((size_t)~0) / 255) - 2)
+ 
+ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
+ 			  unsigned char *out, size_t *out_len)
+@@ -75,17 +65,24 @@ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
+ 		if (t < 16) {
+ 			if (likely(state == 0)) {
+ 				if (unlikely(t == 0)) {
++					size_t offset;
++					const unsigned char *ip_last = ip;
++
+ 					while (unlikely(*ip == 0)) {
+-						t += 255;
+ 						ip++;
+-						NEED_IP(1, 0);
++						NEED_IP(1);
+ 					}
+-					t += 15 + *ip++;
++					offset = ip - ip_last;
++					if (unlikely(offset > MAX_255_COUNT))
++						return LZO_E_ERROR;
++
++					offset = (offset << 8) - offset;
++					t += offset + 15 + *ip++;
+ 				}
+ 				t += 3;
+ copy_literal_run:
+ #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
+-				if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) {
++				if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) {
+ 					const unsigned char *ie = ip + t;
+ 					unsigned char *oe = op + t;
+ 					do {
+@@ -101,8 +98,8 @@ copy_literal_run:
+ 				} else
+ #endif
+ 				{
+-					NEED_OP(t, 0);
+-					NEED_IP(t, 3);
++					NEED_OP(t);
++					NEED_IP(t + 3);
+ 					do {
+ 						*op++ = *ip++;
+ 					} while (--t > 0);
+@@ -115,7 +112,7 @@ copy_literal_run:
+ 				m_pos -= t >> 2;
+ 				m_pos -= *ip++ << 2;
+ 				TEST_LB(m_pos);
+-				NEED_OP(2, 0);
++				NEED_OP(2);
+ 				op[0] = m_pos[0];
+ 				op[1] = m_pos[1];
+ 				op += 2;
+@@ -136,13 +133,20 @@ copy_literal_run:
+ 		} else if (t >= 32) {
+ 			t = (t & 31) + (3 - 1);
+ 			if (unlikely(t == 2)) {
++				size_t offset;
++				const unsigned char *ip_last = ip;
++
+ 				while (unlikely(*ip == 0)) {
+-					t += 255;
+ 					ip++;
+-					NEED_IP(1, 0);
++					NEED_IP(1);
+ 				}
+-				t += 31 + *ip++;
+-				NEED_IP(2, 0);
++				offset = ip - ip_last;
++				if (unlikely(offset > MAX_255_COUNT))
++					return LZO_E_ERROR;
++
++				offset = (offset << 8) - offset;
++				t += offset + 31 + *ip++;
++				NEED_IP(2);
+ 			}
+ 			m_pos = op - 1;
+ 			next = get_unaligned_le16(ip);
+@@ -154,13 +158,20 @@ copy_literal_run:
+ 			m_pos -= (t & 8) << 11;
+ 			t = (t & 7) + (3 - 1);
+ 			if (unlikely(t == 2)) {
++				size_t offset;
++				const unsigned char *ip_last = ip;
++
+ 				while (unlikely(*ip == 0)) {
+-					t += 255;
+ 					ip++;
+-					NEED_IP(1, 0);
++					NEED_IP(1);
+ 				}
+-				t += 7 + *ip++;
+-				NEED_IP(2, 0);
++				offset = ip - ip_last;
++				if (unlikely(offset > MAX_255_COUNT))
++					return LZO_E_ERROR;
++
++				offset = (offset << 8) - offset;
++				t += offset + 7 + *ip++;
++				NEED_IP(2);
+ 			}
+ 			next = get_unaligned_le16(ip);
+ 			ip += 2;
+@@ -174,7 +185,7 @@ copy_literal_run:
+ #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
+ 		if (op - m_pos >= 8) {
+ 			unsigned char *oe = op + t;
+-			if (likely(HAVE_OP(t, 15))) {
++			if (likely(HAVE_OP(t + 15))) {
+ 				do {
+ 					COPY8(op, m_pos);
+ 					op += 8;
+@@ -184,7 +195,7 @@ copy_literal_run:
+ 					m_pos += 8;
+ 				} while (op < oe);
+ 				op = oe;
+-				if (HAVE_IP(6, 0)) {
++				if (HAVE_IP(6)) {
+ 					state = next;
+ 					COPY4(op, ip);
+ 					op += next;
+@@ -192,7 +203,7 @@ copy_literal_run:
+ 					continue;
+ 				}
+ 			} else {
+-				NEED_OP(t, 0);
++				NEED_OP(t);
+ 				do {
+ 					*op++ = *m_pos++;
+ 				} while (op < oe);
+@@ -201,7 +212,7 @@ copy_literal_run:
+ #endif
+ 		{
+ 			unsigned char *oe = op + t;
+-			NEED_OP(t, 0);
++			NEED_OP(t);
+ 			op[0] = m_pos[0];
+ 			op[1] = m_pos[1];
+ 			op += 2;
+@@ -214,15 +225,15 @@ match_next:
+ 		state = next;
+ 		t = next;
+ #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
+-		if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) {
++		if (likely(HAVE_IP(6) && HAVE_OP(4))) {
+ 			COPY4(op, ip);
+ 			op += t;
+ 			ip += t;
+ 		} else
+ #endif
+ 		{
+-			NEED_IP(t, 3);
+-			NEED_OP(t, 0);
++			NEED_IP(t + 3);
++			NEED_OP(t);
+ 			while (t > 0) {
+ 				*op++ = *ip++;
+ 				t--;
+diff --git a/lib/string.c b/lib/string.c
+index dc4a863..40136f6 100644
+--- a/lib/string.c
++++ b/lib/string.c
+@@ -583,6 +583,22 @@ void *memset(void *s, int c, size_t count)
+ EXPORT_SYMBOL(memset);
+ #endif
+ 
++/**
++ * memzero_explicit - Fill a region of memory (e.g. sensitive
++ *		      keying data) with 0s.
++ * @s: Pointer to the start of the area.
++ * @count: The size of the area.
++ *
++ * memzero_explicit() doesn't need an arch-specific version as
++ * it just invokes the one of memset() implicitly.
++ */
++void memzero_explicit(void *s, size_t count)
++{
++	memset(s, 0, count);
++	OPTIMIZER_HIDE_VAR(s);
++}
++EXPORT_SYMBOL(memzero_explicit);
++
+ #ifndef __HAVE_ARCH_MEMCPY
+ /**
+  * memcpy - Copy one area of memory to another
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index ed0ed8a..79166c2 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -682,7 +682,7 @@ int do_huge_pmd_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+ 	if (haddr >= vma->vm_start && haddr + HPAGE_PMD_SIZE <= vma->vm_end) {
+ 		if (unlikely(anon_vma_prepare(vma)))
+ 			return VM_FAULT_OOM;
+-		if (unlikely(khugepaged_enter(vma)))
++		if (unlikely(khugepaged_enter(vma, vma->vm_flags)))
+ 			return VM_FAULT_OOM;
+ 		page = alloc_hugepage_vma(transparent_hugepage_defrag(vma),
+ 					  vma, haddr, numa_node_id(), 0);
+@@ -1493,7 +1493,7 @@ int hugepage_madvise(struct vm_area_struct *vma,
+ 		 * register it here without waiting a page fault that
+ 		 * may not happen any time soon.
+ 		 */
+-		if (unlikely(khugepaged_enter_vma_merge(vma)))
++		if (unlikely(khugepaged_enter_vma_merge(vma, *vm_flags)))
+ 			return -ENOMEM;
+ 		break;
+ 	case MADV_NOHUGEPAGE:
+@@ -1625,7 +1625,8 @@ int __khugepaged_enter(struct mm_struct *mm)
+ 	return 0;
+ }
+ 
+-int khugepaged_enter_vma_merge(struct vm_area_struct *vma)
++int khugepaged_enter_vma_merge(struct vm_area_struct *vma,
++			       unsigned long vm_flags)
+ {
+ 	unsigned long hstart, hend;
+ 	if (!vma->anon_vma)
+@@ -1641,11 +1642,11 @@ int khugepaged_enter_vma_merge(struct vm_area_struct *vma)
+ 	 * If is_pfn_mapping() is true is_learn_pfn_mapping() must be
+ 	 * true too, verify it here.
+ 	 */
+-	VM_BUG_ON(is_linear_pfn_mapping(vma) || vma->vm_flags & VM_NO_THP);
++	VM_BUG_ON(is_linear_pfn_mapping(vma) || vm_flags & VM_NO_THP);
+ 	hstart = (vma->vm_start + ~HPAGE_PMD_MASK) & HPAGE_PMD_MASK;
+ 	hend = vma->vm_end & HPAGE_PMD_MASK;
+ 	if (hstart < hend)
+-		return khugepaged_enter(vma);
++		return khugepaged_enter(vma, vm_flags);
+ 	return 0;
+ }
+ 
+diff --git a/mm/memory.c b/mm/memory.c
+index 483e665..5a7f314 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1178,8 +1178,10 @@ again:
+ 			if (unlikely(page_mapcount(page) < 0))
+ 				print_bad_pte(vma, addr, ptent, page);
+ 			force_flush = !__tlb_remove_page(tlb, page);
+-			if (force_flush)
++			if (force_flush) {
++				addr += PAGE_SIZE;
+ 				break;
++			}
+ 			continue;
+ 		}
+ 		/*
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 6182c8a..f2badbf 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -796,7 +796,7 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
+ 				end, prev->vm_pgoff, NULL);
+ 		if (err)
+ 			return NULL;
+-		khugepaged_enter_vma_merge(prev);
++		khugepaged_enter_vma_merge(prev, vm_flags);
+ 		return prev;
+ 	}
+ 
+@@ -815,7 +815,7 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
+ 				next->vm_pgoff - pglen, NULL);
+ 		if (err)
+ 			return NULL;
+-		khugepaged_enter_vma_merge(area);
++		khugepaged_enter_vma_merge(area, vm_flags);
+ 		return area;
+ 	}
+ 
+@@ -1741,7 +1741,7 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ 		}
+ 	}
+ 	vma_unlock_anon_vma(vma);
+-	khugepaged_enter_vma_merge(vma);
++	khugepaged_enter_vma_merge(vma, vma->vm_flags);
+ 	return error;
+ }
+ #endif /* CONFIG_STACK_GROWSUP || CONFIG_IA64 */
+@@ -1792,7 +1792,7 @@ int expand_downwards(struct vm_area_struct *vma,
+ 		}
+ 	}
+ 	vma_unlock_anon_vma(vma);
+-	khugepaged_enter_vma_merge(vma);
++	khugepaged_enter_vma_merge(vma, vma->vm_flags);
+ 	return error;
+ }
+ 
+diff --git a/mm/page_cgroup.c b/mm/page_cgroup.c
+index 2d123f9..6f4ef53 100644
+--- a/mm/page_cgroup.c
++++ b/mm/page_cgroup.c
+@@ -160,6 +160,7 @@ static void free_page_cgroup(void *addr)
+ 			sizeof(struct page_cgroup) * PAGES_PER_SECTION;
+ 
+ 		BUG_ON(PageReserved(page));
++		kmemleak_free(addr);
+ 		free_pages_exact(addr, table_size);
+ 	}
+ }
+diff --git a/mm/truncate.c b/mm/truncate.c
+index 40d186f..143883a 100644
+--- a/mm/truncate.c
++++ b/mm/truncate.c
+@@ -20,6 +20,7 @@
+ #include <linux/buffer_head.h>	/* grr. try_to_release_page,
+ 				   do_invalidatepage */
+ #include <linux/cleancache.h>
++#include <linux/rmap.h>
+ #include "internal.h"
+ 
+ 
+@@ -575,12 +576,64 @@ void truncate_setsize(struct inode *inode, loff_t newsize)
+ 
+ 	oldsize = inode->i_size;
+ 	i_size_write(inode, newsize);
+-
++	if (newsize > oldsize)
++		pagecache_isize_extended(inode, oldsize, newsize);
+ 	truncate_pagecache(inode, oldsize, newsize);
+ }
+ EXPORT_SYMBOL(truncate_setsize);
+ 
+ /**
++ * pagecache_isize_extended - update pagecache after extension of i_size
++ * @inode:	inode for which i_size was extended
++ * @from:	original inode size
++ * @to:		new inode size
++ *
++ * Handle extension of inode size either caused by extending truncate or by
++ * write starting after current i_size. We mark the page straddling current
++ * i_size RO so that page_mkwrite() is called on the nearest write access to
++ * the page.  This way filesystem can be sure that page_mkwrite() is called on
++ * the page before user writes to the page via mmap after the i_size has been
++ * changed.
++ *
++ * The function must be called after i_size is updated so that page fault
++ * coming after we unlock the page will already see the new i_size.
++ * The function must be called while we still hold i_mutex - this not only
++ * makes sure i_size is stable but also that userspace cannot observe new
++ * i_size value before we are prepared to store mmap writes at new inode size.
++ */
++void pagecache_isize_extended(struct inode *inode, loff_t from, loff_t to)
++{
++	int bsize = 1 << inode->i_blkbits;
++	loff_t rounded_from;
++	struct page *page;
++	pgoff_t index;
++
++	WARN_ON(to > inode->i_size);
++
++	if (from >= to || bsize == PAGE_CACHE_SIZE)
++		return;
++	/* Page straddling @from will not have any hole block created? */
++	rounded_from = round_up(from, bsize);
++	if (to <= rounded_from || !(rounded_from & (PAGE_CACHE_SIZE - 1)))
++		return;
++
++	index = from >> PAGE_CACHE_SHIFT;
++	page = find_lock_page(inode->i_mapping, index);
++	/* Page not cached? Nothing to do */
++	if (!page)
++		return;
++	/*
++	 * See clear_page_dirty_for_io() for details why set_page_dirty()
++	 * is needed.
++	 */
++	if (page_mkclean(page))
++		set_page_dirty(page);
++	unlock_page(page);
++	page_cache_release(page);
++}
++EXPORT_SYMBOL(pagecache_isize_extended);
++
++/**
+  * vmtruncate - unmap mappings "freed" by truncate() syscall
+  * @inode: inode of the file used
+  * @newsize: file offset to start truncating
+diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
+index 85f3bc0..21e777b 100644
+--- a/net/ceph/crypto.c
++++ b/net/ceph/crypto.c
+@@ -90,11 +90,82 @@ static struct crypto_blkcipher *ceph_crypto_alloc_cipher(void)
+ 
+ static const u8 *aes_iv = (u8 *)CEPH_AES_IV;
+ 
++/*
++ * Should be used for buffers allocated with ceph_kvmalloc().
++ * Currently these are encrypt out-buffer (ceph_buffer) and decrypt
++ * in-buffer (msg front).
++ *
++ * Dispose of @sgt with teardown_sgtable().
++ *
++ * @prealloc_sg is to avoid memory allocation inside sg_alloc_table()
++ * in cases where a single sg is sufficient.  No attempt to reduce the
++ * number of sgs by squeezing physically contiguous pages together is
++ * made though, for simplicity.
++ */
++static int setup_sgtable(struct sg_table *sgt, struct scatterlist *prealloc_sg,
++			 const void *buf, unsigned int buf_len)
++{
++	struct scatterlist *sg;
++	const bool is_vmalloc = is_vmalloc_addr(buf);
++	unsigned int off = offset_in_page(buf);
++	unsigned int chunk_cnt = 1;
++	unsigned int chunk_len = PAGE_ALIGN(off + buf_len);
++	int i;
++	int ret;
++
++	if (buf_len == 0) {
++		memset(sgt, 0, sizeof(*sgt));
++		return -EINVAL;
++	}
++
++	if (is_vmalloc) {
++		chunk_cnt = chunk_len >> PAGE_SHIFT;
++		chunk_len = PAGE_SIZE;
++	}
++
++	if (chunk_cnt > 1) {
++		ret = sg_alloc_table(sgt, chunk_cnt, GFP_NOFS);
++		if (ret)
++			return ret;
++	} else {
++		WARN_ON(chunk_cnt != 1);
++		sg_init_table(prealloc_sg, 1);
++		sgt->sgl = prealloc_sg;
++		sgt->nents = sgt->orig_nents = 1;
++	}
++
++	for_each_sg(sgt->sgl, sg, sgt->orig_nents, i) {
++		struct page *page;
++		unsigned int len = min(chunk_len - off, buf_len);
++
++		if (is_vmalloc)
++			page = vmalloc_to_page(buf);
++		else
++			page = virt_to_page(buf);
++
++		sg_set_page(sg, page, len, off);
++
++		off = 0;
++		buf += len;
++		buf_len -= len;
++	}
++	WARN_ON(buf_len != 0);
++
++	return 0;
++}
++
++static void teardown_sgtable(struct sg_table *sgt)
++{
++	if (sgt->orig_nents > 1)
++		sg_free_table(sgt);
++}
++
+ static int ceph_aes_encrypt(const void *key, int key_len,
+ 			    void *dst, size_t *dst_len,
+ 			    const void *src, size_t src_len)
+ {
+-	struct scatterlist sg_in[2], sg_out[1];
++	struct scatterlist sg_in[2], prealloc_sg;
++	struct sg_table sg_out;
+ 	struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
+ 	struct blkcipher_desc desc = { .tfm = tfm, .flags = 0 };
+ 	int ret;
+@@ -110,16 +181,18 @@ static int ceph_aes_encrypt(const void *key, int key_len,
+ 
+ 	*dst_len = src_len + zero_padding;
+ 
+-	crypto_blkcipher_setkey((void *)tfm, key, key_len);
+ 	sg_init_table(sg_in, 2);
+ 	sg_set_buf(&sg_in[0], src, src_len);
+ 	sg_set_buf(&sg_in[1], pad, zero_padding);
+-	sg_init_table(sg_out, 1);
+-	sg_set_buf(sg_out, dst, *dst_len);
++	ret = setup_sgtable(&sg_out, &prealloc_sg, dst, *dst_len);
++	if (ret)
++		goto out_tfm;
++
++	crypto_blkcipher_setkey((void *)tfm, key, key_len);
+ 	iv = crypto_blkcipher_crt(tfm)->iv;
+ 	ivsize = crypto_blkcipher_ivsize(tfm);
+-
+ 	memcpy(iv, aes_iv, ivsize);
++
+ 	/*
+ 	print_hex_dump(KERN_ERR, "enc key: ", DUMP_PREFIX_NONE, 16, 1,
+ 		       key, key_len, 1);
+@@ -128,16 +201,22 @@ static int ceph_aes_encrypt(const void *key, int key_len,
+ 	print_hex_dump(KERN_ERR, "enc pad: ", DUMP_PREFIX_NONE, 16, 1,
+ 			pad, zero_padding, 1);
+ 	*/
+-	ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in,
++	ret = crypto_blkcipher_encrypt(&desc, sg_out.sgl, sg_in,
+ 				     src_len + zero_padding);
+-	crypto_free_blkcipher(tfm);
+-	if (ret < 0)
++	if (ret < 0) {
+ 		pr_err("ceph_aes_crypt failed %d\n", ret);
++		goto out_sg;
++	}
+ 	/*
+ 	print_hex_dump(KERN_ERR, "enc out: ", DUMP_PREFIX_NONE, 16, 1,
+ 		       dst, *dst_len, 1);
+ 	*/
+-	return 0;
++
++out_sg:
++	teardown_sgtable(&sg_out);
++out_tfm:
++	crypto_free_blkcipher(tfm);
++	return ret;
+ }
+ 
+ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
+@@ -145,7 +224,8 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
+ 			     const void *src1, size_t src1_len,
+ 			     const void *src2, size_t src2_len)
+ {
+-	struct scatterlist sg_in[3], sg_out[1];
++	struct scatterlist sg_in[3], prealloc_sg;
++	struct sg_table sg_out;
+ 	struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
+ 	struct blkcipher_desc desc = { .tfm = tfm, .flags = 0 };
+ 	int ret;
+@@ -161,17 +241,19 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
+ 
+ 	*dst_len = src1_len + src2_len + zero_padding;
+ 
+-	crypto_blkcipher_setkey((void *)tfm, key, key_len);
+ 	sg_init_table(sg_in, 3);
+ 	sg_set_buf(&sg_in[0], src1, src1_len);
+ 	sg_set_buf(&sg_in[1], src2, src2_len);
+ 	sg_set_buf(&sg_in[2], pad, zero_padding);
+-	sg_init_table(sg_out, 1);
+-	sg_set_buf(sg_out, dst, *dst_len);
++	ret = setup_sgtable(&sg_out, &prealloc_sg, dst, *dst_len);
++	if (ret)
++		goto out_tfm;
++
++	crypto_blkcipher_setkey((void *)tfm, key, key_len);
+ 	iv = crypto_blkcipher_crt(tfm)->iv;
+ 	ivsize = crypto_blkcipher_ivsize(tfm);
+-
+ 	memcpy(iv, aes_iv, ivsize);
++
+ 	/*
+ 	print_hex_dump(KERN_ERR, "enc  key: ", DUMP_PREFIX_NONE, 16, 1,
+ 		       key, key_len, 1);
+@@ -182,23 +264,30 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
+ 	print_hex_dump(KERN_ERR, "enc  pad: ", DUMP_PREFIX_NONE, 16, 1,
+ 			pad, zero_padding, 1);
+ 	*/
+-	ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in,
++	ret = crypto_blkcipher_encrypt(&desc, sg_out.sgl, sg_in,
+ 				     src1_len + src2_len + zero_padding);
+-	crypto_free_blkcipher(tfm);
+-	if (ret < 0)
++	if (ret < 0) {
+ 		pr_err("ceph_aes_crypt2 failed %d\n", ret);
++		goto out_sg;
++	}
+ 	/*
+ 	print_hex_dump(KERN_ERR, "enc  out: ", DUMP_PREFIX_NONE, 16, 1,
+ 		       dst, *dst_len, 1);
+ 	*/
+-	return 0;
++
++out_sg:
++	teardown_sgtable(&sg_out);
++out_tfm:
++	crypto_free_blkcipher(tfm);
++	return ret;
+ }
+ 
+ static int ceph_aes_decrypt(const void *key, int key_len,
+ 			    void *dst, size_t *dst_len,
+ 			    const void *src, size_t src_len)
+ {
+-	struct scatterlist sg_in[1], sg_out[2];
++	struct sg_table sg_in;
++	struct scatterlist sg_out[2], prealloc_sg;
+ 	struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
+ 	struct blkcipher_desc desc = { .tfm = tfm };
+ 	char pad[16];
+@@ -210,16 +299,16 @@ static int ceph_aes_decrypt(const void *key, int key_len,
+ 	if (IS_ERR(tfm))
+ 		return PTR_ERR(tfm);
+ 
+-	crypto_blkcipher_setkey((void *)tfm, key, key_len);
+-	sg_init_table(sg_in, 1);
+ 	sg_init_table(sg_out, 2);
+-	sg_set_buf(sg_in, src, src_len);
+ 	sg_set_buf(&sg_out[0], dst, *dst_len);
+ 	sg_set_buf(&sg_out[1], pad, sizeof(pad));
++	ret = setup_sgtable(&sg_in, &prealloc_sg, src, src_len);
++	if (ret)
++		goto out_tfm;
+ 
++	crypto_blkcipher_setkey((void *)tfm, key, key_len);
+ 	iv = crypto_blkcipher_crt(tfm)->iv;
+ 	ivsize = crypto_blkcipher_ivsize(tfm);
+-
+ 	memcpy(iv, aes_iv, ivsize);
+ 
+ 	/*
+@@ -228,12 +317,10 @@ static int ceph_aes_decrypt(const void *key, int key_len,
+ 	print_hex_dump(KERN_ERR, "dec  in: ", DUMP_PREFIX_NONE, 16, 1,
+ 		       src, src_len, 1);
+ 	*/
+-
+-	ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, src_len);
+-	crypto_free_blkcipher(tfm);
++	ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in.sgl, src_len);
+ 	if (ret < 0) {
+ 		pr_err("ceph_aes_decrypt failed %d\n", ret);
+-		return ret;
++		goto out_sg;
+ 	}
+ 
+ 	if (src_len <= *dst_len)
+@@ -251,7 +338,12 @@ static int ceph_aes_decrypt(const void *key, int key_len,
+ 	print_hex_dump(KERN_ERR, "dec out: ", DUMP_PREFIX_NONE, 16, 1,
+ 		       dst, *dst_len, 1);
+ 	*/
+-	return 0;
++
++out_sg:
++	teardown_sgtable(&sg_in);
++out_tfm:
++	crypto_free_blkcipher(tfm);
++	return ret;
+ }
+ 
+ static int ceph_aes_decrypt2(const void *key, int key_len,
+@@ -259,7 +351,8 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
+ 			     void *dst2, size_t *dst2_len,
+ 			     const void *src, size_t src_len)
+ {
+-	struct scatterlist sg_in[1], sg_out[3];
++	struct sg_table sg_in;
++	struct scatterlist sg_out[3], prealloc_sg;
+ 	struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
+ 	struct blkcipher_desc desc = { .tfm = tfm };
+ 	char pad[16];
+@@ -271,17 +364,17 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
+ 	if (IS_ERR(tfm))
+ 		return PTR_ERR(tfm);
+ 
+-	sg_init_table(sg_in, 1);
+-	sg_set_buf(sg_in, src, src_len);
+ 	sg_init_table(sg_out, 3);
+ 	sg_set_buf(&sg_out[0], dst1, *dst1_len);
+ 	sg_set_buf(&sg_out[1], dst2, *dst2_len);
+ 	sg_set_buf(&sg_out[2], pad, sizeof(pad));
++	ret = setup_sgtable(&sg_in, &prealloc_sg, src, src_len);
++	if (ret)
++		goto out_tfm;
+ 
+ 	crypto_blkcipher_setkey((void *)tfm, key, key_len);
+ 	iv = crypto_blkcipher_crt(tfm)->iv;
+ 	ivsize = crypto_blkcipher_ivsize(tfm);
+-
+ 	memcpy(iv, aes_iv, ivsize);
+ 
+ 	/*
+@@ -290,12 +383,10 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
+ 	print_hex_dump(KERN_ERR, "dec   in: ", DUMP_PREFIX_NONE, 16, 1,
+ 		       src, src_len, 1);
+ 	*/
+-
+-	ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, src_len);
+-	crypto_free_blkcipher(tfm);
++	ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in.sgl, src_len);
+ 	if (ret < 0) {
+ 		pr_err("ceph_aes_decrypt failed %d\n", ret);
+-		return ret;
++		goto out_sg;
+ 	}
+ 
+ 	if (src_len <= *dst1_len)
+@@ -325,7 +416,11 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
+ 		       dst2, *dst2_len, 1);
+ 	*/
+ 
+-	return 0;
++out_sg:
++	teardown_sgtable(&sg_in);
++out_tfm:
++	crypto_free_blkcipher(tfm);
++	return ret;
+ }
+ 
+ 
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index 7a239f0..e85a8d2 100644
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -99,7 +99,12 @@ struct workqueue_struct *ceph_msgr_wq;
+ 
+ int ceph_msgr_init(void)
+ {
+-	ceph_msgr_wq = alloc_workqueue("ceph-msgr", WQ_NON_REENTRANT, 0);
++	/*
++	 * The number of active work items is limited by the number of
++	 * connections, so leave @max_active at default.
++	 */
++	ceph_msgr_wq = alloc_workqueue("ceph-msgr",
++				       WQ_NON_REENTRANT | WQ_MEM_RECLAIM, 0);
+ 	if (!ceph_msgr_wq) {
+ 		pr_err("msgr_init failed to create workqueue\n");
+ 		return -ENOMEM;
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 223085f..115157b 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1333,11 +1333,11 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
+ 	iph->ihl = 5;
+ 	iph->tos = inet->tos;
+ 	iph->frag_off = df;
+-	ip_select_ident(skb, sk);
+ 	iph->ttl = ttl;
+ 	iph->protocol = sk->sk_protocol;
+ 	iph->saddr = fl4->saddr;
+ 	iph->daddr = fl4->daddr;
++	ip_select_ident(skb, sk);
+ 
+ 	if (opt) {
+ 		iph->ihl += opt->optlen>>2;
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 92d7138..26eb8e2 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1352,7 +1352,7 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
+ 		goto drop_and_free;
+ 
+ 	if (!want_cookie || tmp_opt.tstamp_ok)
+-		TCP_ECN_create_request(req, tcp_hdr(skb));
++		TCP_ECN_create_request(req, skb);
+ 
+ 	if (want_cookie) {
+ 		isn = cookie_v4_init_sequence(sk, skb, &req->mss);
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index c69358c..057a9d2 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1254,7 +1254,7 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
+ 	ipv6_addr_copy(&treq->rmt_addr, &ipv6_hdr(skb)->saddr);
+ 	ipv6_addr_copy(&treq->loc_addr, &ipv6_hdr(skb)->daddr);
+ 	if (!want_cookie || tmp_opt.tstamp_ok)
+-		TCP_ECN_create_request(req, tcp_hdr(skb));
++		TCP_ECN_create_request(req, skb);
+ 
+ 	treq->iif = sk->sk_bound_dev_if;
+ 
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index 8260cd5..24ec86f 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -382,10 +382,12 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
+ 	u32 hw_reconf_flags = 0;
+ 	int i;
+ 	enum nl80211_channel_type orig_ct;
++	bool cancel_scan;
+ 
+ 	clear_bit(SDATA_STATE_RUNNING, &sdata->state);
+ 
+-	if (local->scan_sdata == sdata)
++	cancel_scan = local->scan_sdata == sdata;
++	if (cancel_scan)
+ 		ieee80211_scan_cancel(local);
+ 
+ 	/*
+@@ -543,6 +545,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
+ 
+ 	ieee80211_recalc_ps(local, -1);
+ 
++	if (cancel_scan)
++		flush_delayed_work(&local->scan_work);
++
+ 	if (local->open_count == 0) {
+ 		if (local->ops->napi_poll)
+ 			napi_disable(&local->napi);
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 71d8564..2064612 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1470,11 +1470,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ 	sc = le16_to_cpu(hdr->seq_ctrl);
+ 	frag = sc & IEEE80211_SCTL_FRAG;
+ 
+-	if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
+-		   is_multicast_ether_addr(hdr->addr1))) {
+-		/* not fragmented */
++	if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
++		goto out;
++
++	if (is_multicast_ether_addr(hdr->addr1)) {
++		rx->local->dot11MulticastReceivedFrameCount++;
+ 		goto out;
+ 	}
++
+ 	I802_DEBUG_INC(rx->local->rx_handlers_fragments);
+ 
+ 	if (skb_linearize(rx->skb))
+@@ -1567,10 +1570,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+  out:
+ 	if (rx->sta)
+ 		rx->sta->rx_packets++;
+-	if (is_multicast_ether_addr(hdr->addr1))
+-		rx->local->dot11MulticastReceivedFrameCount++;
+-	else
+-		ieee80211_led_rx(rx->local);
++	ieee80211_led_rx(rx->local);
+ 	return RX_CONTINUE;
+ }
+ 
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index 296192c..5e3080c 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -1054,17 +1054,12 @@ static int receive_cb_reply(struct svc_sock *svsk, struct svc_rqst *rqstp)
+ 	xid = *p++;
+ 	calldir = *p;
+ 
+-	if (bc_xprt)
+-		req = xprt_lookup_rqst(bc_xprt, xid);
+-
+-	if (!req) {
+-		printk(KERN_NOTICE
+-			"%s: Got unrecognized reply: "
+-			"calldir 0x%x xpt_bc_xprt %p xid %08x\n",
+-			__func__, ntohl(calldir),
+-			bc_xprt, xid);
++	if (!bc_xprt)
+ 		return -EAGAIN;
+-	}
++	spin_lock_bh(&bc_xprt->transport_lock);
++	req = xprt_lookup_rqst(bc_xprt, xid);
++	if (!req)
++		goto unlock_notfound;
+ 
+ 	memcpy(&req->rq_private_buf, &req->rq_rcv_buf, sizeof(struct xdr_buf));
+ 	/*
+@@ -1075,11 +1070,21 @@ static int receive_cb_reply(struct svc_sock *svsk, struct svc_rqst *rqstp)
+ 	dst = &req->rq_private_buf.head[0];
+ 	src = &rqstp->rq_arg.head[0];
+ 	if (dst->iov_len < src->iov_len)
+-		return -EAGAIN; /* whatever; just giving up. */
++		goto unlock_eagain; /* whatever; just giving up. */
+ 	memcpy(dst->iov_base, src->iov_base, src->iov_len);
+ 	xprt_complete_rqst(req->rq_task, svsk->sk_reclen);
+ 	rqstp->rq_arg.len = 0;
++	spin_unlock_bh(&bc_xprt->transport_lock);
+ 	return 0;
++unlock_notfound:
++	printk(KERN_NOTICE
++		"%s: Got unrecognized reply: "
++		"calldir 0x%x xpt_bc_xprt %p xid %08x\n",
++		__func__, ntohl(calldir),
++		bc_xprt, ntohl(xid));
++unlock_eagain:
++	spin_unlock_bh(&bc_xprt->transport_lock);
++	return -EAGAIN;
+ }
+ 
+ static int copy_pages_to_kvecs(struct kvec *vec, struct page **pages, int len)
+diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
+index 3439872..0d29603 100644
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -218,9 +218,12 @@ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
+ {
+ 	const struct evm_ima_xattr_data *xattr_data = xattr_value;
+ 
+-	if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0)
+-	    && (xattr_data->type == EVM_XATTR_HMAC))
+-		return -EPERM;
++	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
++		if (!xattr_value_len)
++			return -EINVAL;
++		if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
++			return -EPERM;
++	}
+ 	return evm_protect_xattr(dentry, xattr_name, xattr_value,
+ 				 xattr_value_len);
+ }
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 69477ff..0cd7097a 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -435,6 +435,7 @@ next_inode:
+ 				list_entry(sbsec->isec_head.next,
+ 					   struct inode_security_struct, list);
+ 		struct inode *inode = isec->inode;
++		list_del_init(&isec->list);
+ 		spin_unlock(&sbsec->isec_lock);
+ 		inode = igrab(inode);
+ 		if (inode) {
+@@ -443,7 +444,6 @@ next_inode:
+ 			iput(inode);
+ 		}
+ 		spin_lock(&sbsec->isec_lock);
+-		list_del_init(&isec->list);
+ 		goto next_inode;
+ 	}
+ 	spin_unlock(&sbsec->isec_lock);
+diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
+index 91cdf94..4dbb66e 100644
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -204,6 +204,8 @@ static int snd_pcm_status_user_compat(struct snd_pcm_substream *substream,
+ 	if (err < 0)
+ 		return err;
+ 
++	if (clear_user(src, sizeof(*src)))
++		return -EFAULT;
+ 	if (put_user(status.state, &src->state) ||
+ 	    put_user(status.trigger_tstamp.tv_sec, &src->trigger_tstamp.tv_sec) ||
+ 	    put_user(status.trigger_tstamp.tv_nsec, &src->trigger_tstamp.tv_nsec) ||
+diff --git a/sound/pci/emu10k1/emu10k1_callback.c b/sound/pci/emu10k1/emu10k1_callback.c
+index a0afa50..f35284b 100644
+--- a/sound/pci/emu10k1/emu10k1_callback.c
++++ b/sound/pci/emu10k1/emu10k1_callback.c
+@@ -85,6 +85,8 @@ snd_emu10k1_ops_setup(struct snd_emux *emux)
+  * get more voice for pcm
+  *
+  * terminate most inactive voice and give it as a pcm voice.
++ *
++ * voice_lock is already held.
+  */
+ int
+ snd_emu10k1_synth_get_voice(struct snd_emu10k1 *hw)
+@@ -92,12 +94,10 @@ snd_emu10k1_synth_get_voice(struct snd_emu10k1 *hw)
+ 	struct snd_emux *emu;
+ 	struct snd_emux_voice *vp;
+ 	struct best_voice best[V_END];
+-	unsigned long flags;
+ 	int i;
+ 
+ 	emu = hw->synth;
+ 
+-	spin_lock_irqsave(&emu->voice_lock, flags);
+ 	lookup_voices(emu, hw, best, 1); /* no OFF voices */
+ 	for (i = 0; i < V_END; i++) {
+ 		if (best[i].voice >= 0) {
+@@ -113,11 +113,9 @@ snd_emu10k1_synth_get_voice(struct snd_emu10k1 *hw)
+ 			vp->emu->num_voices--;
+ 			vp->ch = -1;
+ 			vp->state = SNDRV_EMUX_ST_OFF;
+-			spin_unlock_irqrestore(&emu->voice_lock, flags);
+ 			return ch;
+ 		}
+ 	}
+-	spin_unlock_irqrestore(&emu->voice_lock, flags);
+ 
+ 	/* not found */
+ 	return -ENOMEM;
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index fea6895..dcc95c5 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2667,6 +2667,7 @@ static int __devinit azx_create(struct snd_card *card, struct pci_dev *pci,
+ 	struct azx *chip;
+ 	int i, err;
+ 	unsigned short gcap;
++	unsigned int dma_bits = 64;
+ 	static struct snd_device_ops ops = {
+ 		.dev_free = azx_dev_free,
+ 	};
+@@ -2754,9 +2755,14 @@ static int __devinit azx_create(struct snd_card *card, struct pci_dev *pci,
+ 	gcap = azx_readw(chip, GCAP);
+ 	snd_printdd(SFX "chipset global capabilities = 0x%x\n", gcap);
+ 
++	/* AMD devices support 40 or 48bit DMA, take the safe one */
++	if (chip->pci->vendor == PCI_VENDOR_ID_AMD)
++		dma_bits = 40;
++
+ 	/* disable SB600 64bit support for safety */
+ 	if (chip->pci->vendor == PCI_VENDOR_ID_ATI) {
+ 		struct pci_dev *p_smbus;
++		dma_bits = 40;
+ 		p_smbus = pci_get_device(PCI_VENDOR_ID_ATI,
+ 					 PCI_DEVICE_ID_ATI_SBX00_SMBUS,
+ 					 NULL);
+@@ -2779,9 +2785,11 @@ static int __devinit azx_create(struct snd_card *card, struct pci_dev *pci,
+ 		chip->align_buffer_size = 0;
+ 
+ 	/* allow 64bit DMA address if supported by H/W */
+-	if ((gcap & ICH6_GCAP_64OK) && !pci_set_dma_mask(pci, DMA_BIT_MASK(64)))
+-		pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(64));
+-	else {
++	if (!(gcap & ICH6_GCAP_64OK))
++		dma_bits = 32;
++	if (!pci_set_dma_mask(pci, DMA_BIT_MASK(dma_bits))) {
++		pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(dma_bits));
++	} else {
+ 		pci_set_dma_mask(pci, DMA_BIT_MASK(32));
+ 		pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(32));
+ 	}
+diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c
+index b5d4a97..c8cdf91 100644
+--- a/sound/soc/codecs/sgtl5000.c
++++ b/sound/soc/codecs/sgtl5000.c
+@@ -1304,8 +1304,7 @@ static int sgtl5000_probe(struct snd_soc_codec *codec)
+ 
+ 	/* enable small pop, introduce 400ms delay in turning off */
+ 	snd_soc_update_bits(codec, SGTL5000_CHIP_REF_CTRL,
+-				SGTL5000_SMALL_POP,
+-				SGTL5000_SMALL_POP);
++				SGTL5000_SMALL_POP, 1);
+ 
+ 	/* disable short cut detector */
+ 	snd_soc_write(codec, SGTL5000_CHIP_SHORT_CTRL, 0);
+diff --git a/sound/soc/codecs/sgtl5000.h b/sound/soc/codecs/sgtl5000.h
+index d3a68bb..0bd6e1c 100644
+--- a/sound/soc/codecs/sgtl5000.h
++++ b/sound/soc/codecs/sgtl5000.h
+@@ -275,7 +275,7 @@
+ #define SGTL5000_BIAS_CTRL_MASK			0x000e
+ #define SGTL5000_BIAS_CTRL_SHIFT		1
+ #define SGTL5000_BIAS_CTRL_WIDTH		3
+-#define SGTL5000_SMALL_POP			0x0001
++#define SGTL5000_SMALL_POP			0
+ 
+ /*
+  * SGTL5000_CHIP_MIC_CTRL
+diff --git a/sound/soc/sh/fsi.c b/sound/soc/sh/fsi.c
+index 3d7016e..4a2c639 100644
+--- a/sound/soc/sh/fsi.c
++++ b/sound/soc/sh/fsi.c
+@@ -1096,8 +1096,7 @@ static struct snd_soc_dai_ops fsi_dai_ops = {
+ static struct snd_pcm_hardware fsi_pcm_hardware = {
+ 	.info =		SNDRV_PCM_INFO_INTERLEAVED	|
+ 			SNDRV_PCM_INFO_MMAP		|
+-			SNDRV_PCM_INFO_MMAP_VALID	|
+-			SNDRV_PCM_INFO_PAUSE,
++			SNDRV_PCM_INFO_MMAP_VALID,
+ 	.formats		= FSI_FMTS,
+ 	.rates			= FSI_RATES,
+ 	.rate_min		= 8000,
+diff --git a/sound/usb/card.c b/sound/usb/card.c
+index 3b79a4a..b3ac389 100644
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -568,18 +568,19 @@ static void snd_usb_audio_disconnect(struct usb_device *dev,
+ {
+ 	struct snd_card *card;
+ 	struct list_head *p;
++	bool was_shutdown;
+ 
+ 	if (chip == (void *)-1L)
+ 		return;
+ 
+ 	card = chip->card;
+ 	down_write(&chip->shutdown_rwsem);
++	was_shutdown = chip->shutdown;
+ 	chip->shutdown = 1;
+ 	up_write(&chip->shutdown_rwsem);
+ 
+ 	mutex_lock(&register_mutex);
+-	chip->num_interfaces--;
+-	if (chip->num_interfaces <= 0) {
++	if (!was_shutdown) {
+ 		snd_card_disconnect(card);
+ 		/* release the pcm resources */
+ 		list_for_each(p, &chip->pcm_list) {
+@@ -593,6 +594,10 @@ static void snd_usb_audio_disconnect(struct usb_device *dev,
+ 		list_for_each(p, &chip->mixer_list) {
+ 			snd_usb_mixer_disconnect(p);
+ 		}
++	}
++
++	chip->num_interfaces--;
++	if (chip->num_interfaces <= 0) {
+ 		usb_chip[chip->index] = NULL;
+ 		mutex_unlock(&register_mutex);
+ 		snd_card_free_when_closed(card);
+diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
+index c946700..e32c93c 100644
+--- a/virt/kvm/iommu.c
++++ b/virt/kvm/iommu.c
+@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm,
+ 				gfn_t base_gfn, unsigned long npages);
+ 
+ static pfn_t kvm_pin_pages(struct kvm *kvm, struct kvm_memory_slot *slot,
+-			   gfn_t gfn, unsigned long size)
++			   gfn_t gfn, unsigned long npages)
+ {
+ 	gfn_t end_gfn;
+ 	pfn_t pfn;
+ 
+ 	pfn     = gfn_to_pfn_memslot(kvm, slot, gfn);
+-	end_gfn = gfn + (size >> PAGE_SHIFT);
++	end_gfn = gfn + npages;
+ 	gfn    += 1;
+ 
+ 	if (is_error_pfn(pfn))
+@@ -117,7 +117,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
+ 		 * Pin all pages we are about to map in memory. This is
+ 		 * important because we unmap and unpin in 4kb steps later.
+ 		 */
+-		pfn = kvm_pin_pages(kvm, slot, gfn, page_size);
++		pfn = kvm_pin_pages(kvm, slot, gfn, page_size >> PAGE_SHIFT);
+ 		if (is_error_pfn(pfn)) {
+ 			gfn += 1;
+ 			continue;
+@@ -129,7 +129,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
+ 		if (r) {
+ 			printk(KERN_ERR "kvm_iommu_map_address:"
+ 			       "iommu failed to map pfn=%llx\n", pfn);
+-			kvm_unpin_pages(kvm, pfn, page_size);
++			kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
+ 			goto unmap_pages;
+ 		}
+ 
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index d83aa5e..8b0617a 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -52,6 +52,7 @@
+ 
+ #include <asm/processor.h>
+ #include <asm/io.h>
++#include <asm/ioctl.h>
+ #include <asm/uaccess.h>
+ #include <asm/pgtable.h>
+ 
+@@ -1766,6 +1767,9 @@ static long kvm_vcpu_ioctl(struct file *filp,
+ 	if (vcpu->kvm->mm != current->mm)
+ 		return -EIO;
+ 
++	if (unlikely(_IOC_TYPE(ioctl) != KVMIO))
++		return -EINVAL;
++
+ #if defined(CONFIG_S390) || defined(CONFIG_PPC)
+ 	/*
+ 	 * Special cases: vcpu ioctls that are asynchronous to vcpu execution,
diff --git a/3.2.64/4420_grsecurity-3.0-3.2.64-201412040015.patch b/3.2.65/4420_grsecurity-3.0-3.2.65-201412142045.patch
index 0db3165..209df09 100644
--- a/3.2.64/4420_grsecurity-3.0-3.2.64-201412040015.patch
+++ b/3.2.65/4420_grsecurity-3.0-3.2.65-201412142045.patch
@@ -278,7 +278,7 @@ index 88fd7f5..b318a78 100644
  ==============================================================
  
 diff --git a/Makefile b/Makefile
-index 2b58ffc..6be5392 100644
+index 1433109..a4bb56c 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -14151,10 +14151,10 @@ index 5478825..839e88c 100644
  #define flush_insn_slot(p)	do { } while (0)
  
 diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index 15d24cb..ee4dcd1 100644
+index 9171618..481a636 100644
 --- a/arch/x86/include/asm/kvm_host.h
 +++ b/arch/x86/include/asm/kvm_host.h
-@@ -459,7 +459,7 @@ struct kvm_arch {
+@@ -460,7 +460,7 @@ struct kvm_arch {
  	unsigned int n_requested_mmu_pages;
  	unsigned int n_max_mmu_pages;
  	unsigned int indirect_shadow_pages;
@@ -14646,7 +14646,7 @@ index 8ca8283..8dc71fa 100644
  
  #include <asm-generic/memory_model.h>
 diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h
-index 7639dbf..9dc5a94 100644
+index a9e9937..2bf88cc 100644
 --- a/arch/x86/include/asm/page_64_types.h
 +++ b/arch/x86/include/asm/page_64_types.h
 @@ -1,7 +1,7 @@
@@ -14658,7 +14658,7 @@ index 7639dbf..9dc5a94 100644
  #define THREAD_SIZE  (PAGE_SIZE << THREAD_ORDER)
  #define CURRENT_MASK (~(THREAD_SIZE - 1))
  
-@@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
+@@ -55,7 +55,7 @@ void copy_page(void *to, void *from);
  
  /* duplicated to the one in bootmem.h */
  extern unsigned long max_pfn;
@@ -17448,7 +17448,7 @@ index bda833c..a9bdd97 100644
  }
  
 diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
-index c4e3581..7e2f9d0 100644
+index 838a3b4..71de0f5 100644
 --- a/arch/x86/kernel/apic/apic.c
 +++ b/arch/x86/kernel/apic/apic.c
 @@ -174,7 +174,7 @@ int first_system_vector = 0xfe;
@@ -17460,7 +17460,7 @@ index c4e3581..7e2f9d0 100644
  
  int pic_mode;
  
-@@ -1857,7 +1857,7 @@ void smp_error_interrupt(struct pt_regs *regs)
+@@ -1859,7 +1859,7 @@ void smp_error_interrupt(struct pt_regs *regs)
  	apic_write(APIC_ESR, 0);
  	v1 = apic_read(APIC_ESR);
  	ack_APIC_irq();
@@ -17845,7 +17845,7 @@ index f07becc..b17b101 100644
  		if (c->x86_model == 3 && c->x86_mask == 0)
  			size = 64;
 diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index ca93cc7..def63d0 100644
+index 6284d6d..ac6d8c6 100644
 --- a/arch/x86/kernel/cpu/common.c
 +++ b/arch/x86/kernel/cpu/common.c
 @@ -84,60 +84,6 @@ static const struct cpu_dev __cpuinitconst default_cpu = {
@@ -17908,8 +17908,8 @@ index ca93cc7..def63d0 100644
 -
  static int __init x86_xsave_setup(char *s)
  {
- 	setup_clear_cpu_cap(X86_FEATURE_XSAVE);
-@@ -372,7 +318,7 @@ void switch_to_new_gdt(int cpu)
+ 	if (strlen(s))
+@@ -374,7 +320,7 @@ void switch_to_new_gdt(int cpu)
  {
  	struct desc_ptr gdt_descr;
  
@@ -17918,7 +17918,7 @@ index ca93cc7..def63d0 100644
  	gdt_descr.size = GDT_SIZE - 1;
  	load_gdt(&gdt_descr);
  	/* Reload the per-cpu base */
-@@ -839,6 +785,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
+@@ -841,6 +787,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
  	/* Filter out anything that depends on CPUID levels we don't have */
  	filter_cpuid_features(c, true);
  
@@ -17929,7 +17929,7 @@ index ca93cc7..def63d0 100644
  	/* If the model name is still unset, do table lookup. */
  	if (!c->x86_model_id[0]) {
  		const char *p;
-@@ -1019,6 +969,9 @@ static __init int setup_disablecpuid(char *arg)
+@@ -1021,6 +971,9 @@ static __init int setup_disablecpuid(char *arg)
  }
  __setup("clearcpuid=", setup_disablecpuid);
  
@@ -17939,7 +17939,7 @@ index ca93cc7..def63d0 100644
  #ifdef CONFIG_X86_64
  struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
  
-@@ -1034,7 +987,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned =
+@@ -1036,7 +989,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned =
  EXPORT_PER_CPU_SYMBOL(current_task);
  
  DEFINE_PER_CPU(unsigned long, kernel_stack) =
@@ -17948,7 +17948,7 @@ index ca93cc7..def63d0 100644
  EXPORT_PER_CPU_SYMBOL(kernel_stack);
  
  DEFINE_PER_CPU(char *, irq_stack_ptr) =
-@@ -1099,7 +1052,7 @@ struct pt_regs * __cpuinit idle_regs(struct pt_regs *regs)
+@@ -1101,7 +1054,7 @@ struct pt_regs * __cpuinit idle_regs(struct pt_regs *regs)
  {
  	memset(regs, 0, sizeof(struct pt_regs));
  	regs->fs = __KERNEL_PERCPU;
@@ -17957,7 +17957,7 @@ index ca93cc7..def63d0 100644
  
  	return regs;
  }
-@@ -1154,7 +1107,7 @@ void __cpuinit cpu_init(void)
+@@ -1156,7 +1109,7 @@ void __cpuinit cpu_init(void)
  	int i;
  
  	cpu = stack_smp_processor_id();
@@ -17966,7 +17966,7 @@ index ca93cc7..def63d0 100644
  	oist = &per_cpu(orig_ist, cpu);
  
  #ifdef CONFIG_NUMA
-@@ -1180,7 +1133,7 @@ void __cpuinit cpu_init(void)
+@@ -1182,7 +1135,7 @@ void __cpuinit cpu_init(void)
  	switch_to_new_gdt(cpu);
  	loadsegment(fs, 0);
  
@@ -17975,7 +17975,7 @@ index ca93cc7..def63d0 100644
  
  	memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
  	syscall_init();
-@@ -1189,7 +1142,6 @@ void __cpuinit cpu_init(void)
+@@ -1191,7 +1144,6 @@ void __cpuinit cpu_init(void)
  	wrmsrl(MSR_KERNEL_GS_BASE, 0);
  	barrier();
  
@@ -17983,7 +17983,7 @@ index ca93cc7..def63d0 100644
  	if (cpu != 0)
  		enable_x2apic();
  
-@@ -1243,7 +1195,7 @@ void __cpuinit cpu_init(void)
+@@ -1245,7 +1197,7 @@ void __cpuinit cpu_init(void)
  {
  	int cpu = smp_processor_id();
  	struct task_struct *curr = current;
@@ -17993,10 +17993,10 @@ index ca93cc7..def63d0 100644
  
  	if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
 diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
-index 3e6ff6c..54b4992 100644
+index e7a64dd..6a192f6 100644
 --- a/arch/x86/kernel/cpu/intel.c
 +++ b/arch/x86/kernel/cpu/intel.c
-@@ -174,7 +174,7 @@ static void __cpuinit trap_init_f00f_bug(void)
+@@ -189,7 +189,7 @@ static void __cpuinit trap_init_f00f_bug(void)
  	 * Update the IDT descriptor and reload the IDT so that
  	 * it uses the read-only mapped virtual address.
  	 */
@@ -18670,10 +18670,10 @@ index c99f9ed..76cf602 100644
 +EXPORT_SYMBOL(pax_check_alloca);
 +#endif
 diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
-index 6d728d9..c4c40f5 100644
+index 5e890cc..048f251 100644
 --- a/arch/x86/kernel/dumpstack_64.c
 +++ b/arch/x86/kernel/dumpstack_64.c
-@@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
+@@ -118,9 +118,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
  	unsigned long *irq_stack_end =
  		(unsigned long *)per_cpu(irq_stack_ptr, cpu);
  	unsigned used = 0;
@@ -18684,7 +18684,7 @@ index 6d728d9..c4c40f5 100644
  
  	if (!task)
  		task = current;
-@@ -142,10 +142,10 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
+@@ -141,10 +141,10 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
  	 * current stack address. If the stacks consist of nested
  	 * exceptions
  	 */
@@ -18696,7 +18696,7 @@ index 6d728d9..c4c40f5 100644
  		estack_end = in_exception_stack(cpu, (unsigned long)stack,
  						&used, &id);
  
-@@ -153,7 +153,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
+@@ -152,7 +152,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
  			if (ops->stack(data, id) < 0)
  				break;
  
@@ -18705,7 +18705,7 @@ index 6d728d9..c4c40f5 100644
  					     data, estack_end, &graph);
  			ops->stack(data, "<EOE>");
  			/*
-@@ -161,6 +161,8 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
+@@ -160,6 +160,8 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
  			 * second-to-last pointer (index -2 to end) in the
  			 * exception stack:
  			 */
@@ -18714,7 +18714,7 @@ index 6d728d9..c4c40f5 100644
  			stack = (unsigned long *) estack_end[-2];
  			continue;
  		}
-@@ -172,7 +174,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
+@@ -171,7 +173,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
  			if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
  				if (ops->stack(data, "IRQ") < 0)
  					break;
@@ -18723,7 +18723,7 @@ index 6d728d9..c4c40f5 100644
  					ops, data, irq_stack_end, &graph);
  				/*
  				 * We link to the next stack (which would be
-@@ -191,7 +193,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
+@@ -190,7 +192,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
  	/*
  	 * This handles the process stack:
  	 */
@@ -18734,7 +18734,7 @@ index 6d728d9..c4c40f5 100644
  	put_cpu();
  }
  EXPORT_SYMBOL(dump_trace);
-@@ -249,7 +253,7 @@ void show_registers(struct pt_regs *regs)
+@@ -248,7 +252,7 @@ void show_registers(struct pt_regs *regs)
  {
  	int i;
  	unsigned long sp;
@@ -18743,7 +18743,7 @@ index 6d728d9..c4c40f5 100644
  	struct task_struct *cur = current;
  
  	sp = regs->sp;
-@@ -305,3 +309,50 @@ int is_valid_bugaddr(unsigned long ip)
+@@ -304,3 +308,50 @@ int is_valid_bugaddr(unsigned long ip)
  
  	return ud2 == 0x0b0f;
  }
@@ -19640,7 +19640,7 @@ index 0fa4f89..40ff646 100644
  
  /*
 diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 4b511ef..29ec529 100644
+index 9d28dbac..9d8b7a4 100644
 --- a/arch/x86/kernel/entry_64.S
 +++ b/arch/x86/kernel/entry_64.S
 @@ -56,6 +56,8 @@
@@ -20343,32 +20343,16 @@ index 4b511ef..29ec529 100644
  	/*
  	 * The iretq could re-enable interrupts:
  	 */
-@@ -970,7 +1307,7 @@ ENTRY(retint_kernel)
+@@ -954,7 +1291,7 @@ ENTRY(retint_kernel)
  	jmp exit_intr
  #endif
  	CFI_ENDPROC
 -END(common_interrupt)
 +ENDPROC(common_interrupt)
  
- 	/*
- 	 * If IRET takes a fault on the espfix stack, then we
-@@ -992,13 +1329,13 @@ __do_double_fault:
- 	cmpq $native_irq_return_iret,%rax
- 	jne do_double_fault		/* This shouldn't happen... */
- 	movq PER_CPU_VAR(kernel_stack),%rax
--	subq $(6*8-KERNEL_STACK_OFFSET),%rax	/* Reset to original stack */
-+	subq $(6*8),%rax		/* Reset to original stack */
- 	movq %rax,RSP(%rdi)
- 	movq $0,(%rax)			/* Missing (lost) #GP error code */
- 	movq $general_protection,RIP(%rdi)
- 	retq
- 	CFI_ENDPROC
--END(__do_double_fault)
-+ENDPROC(__do_double_fault)
- #else
- # define __do_double_fault do_double_fault
- #endif
-@@ -1018,7 +1355,7 @@ ENTRY(\sym)
+ /*
+  * End of kprobes section
+@@ -971,7 +1308,7 @@ ENTRY(\sym)
  	interrupt \do_sym
  	jmp ret_from_intr
  	CFI_ENDPROC
@@ -20377,7 +20361,7 @@ index 4b511ef..29ec529 100644
  .endm
  
  #ifdef CONFIG_SMP
-@@ -1088,7 +1425,7 @@ ENTRY(\sym)
+@@ -1041,7 +1378,7 @@ ENTRY(\sym)
  	call \do_sym
  	jmp error_exit		/* %ebx: no swapgs flag */
  	CFI_ENDPROC
@@ -20386,7 +20370,7 @@ index 4b511ef..29ec529 100644
  .endm
  
  .macro paranoidzeroentry sym do_sym
-@@ -1105,10 +1442,10 @@ ENTRY(\sym)
+@@ -1058,10 +1395,10 @@ ENTRY(\sym)
  	call \do_sym
  	jmp paranoid_exit	/* %ebx: no swapgs flag */
  	CFI_ENDPROC
@@ -20399,7 +20383,7 @@ index 4b511ef..29ec529 100644
  .macro paranoidzeroentry_ist sym do_sym ist
  ENTRY(\sym)
  	INTR_FRAME
-@@ -1120,12 +1457,18 @@ ENTRY(\sym)
+@@ -1073,12 +1410,18 @@ ENTRY(\sym)
  	TRACE_IRQS_OFF
  	movq %rsp,%rdi		/* pt_regs pointer */
  	xorl %esi,%esi		/* no error code */
@@ -20419,7 +20403,7 @@ index 4b511ef..29ec529 100644
  .endm
  
  .macro errorentry sym do_sym
-@@ -1142,7 +1485,7 @@ ENTRY(\sym)
+@@ -1095,7 +1438,7 @@ ENTRY(\sym)
  	call \do_sym
  	jmp error_exit			/* %ebx: no swapgs flag */
  	CFI_ENDPROC
@@ -20428,7 +20412,7 @@ index 4b511ef..29ec529 100644
  .endm
  
  	/* error code is on the stack already */
-@@ -1161,7 +1504,7 @@ ENTRY(\sym)
+@@ -1114,7 +1457,7 @@ ENTRY(\sym)
  	call \do_sym
  	jmp paranoid_exit		/* %ebx: no swapgs flag */
  	CFI_ENDPROC
@@ -20437,7 +20421,7 @@ index 4b511ef..29ec529 100644
  .endm
  
  zeroentry divide_error do_divide_error
-@@ -1191,9 +1534,10 @@ gs_change:
+@@ -1144,9 +1487,10 @@ gs_change:
  2:	mfence		/* workaround */
  	SWAPGS
  	popfq_cfi
@@ -20449,7 +20433,7 @@ index 4b511ef..29ec529 100644
  
  	.section __ex_table,"a"
  	.align 8
-@@ -1215,13 +1559,14 @@ ENTRY(kernel_thread_helper)
+@@ -1168,13 +1512,14 @@ ENTRY(kernel_thread_helper)
  	 * Here we are in the child and the registers are set as they were
  	 * at kernel_thread() invocation in the parent.
  	 */
@@ -20465,7 +20449,7 @@ index 4b511ef..29ec529 100644
  
  /*
   * execve(). This function needs to use IRET, not SYSRET, to set up all state properly.
-@@ -1248,11 +1593,11 @@ ENTRY(kernel_execve)
+@@ -1201,11 +1546,11 @@ ENTRY(kernel_execve)
  	RESTORE_REST
  	testq %rax,%rax
  	je int_ret_from_sys_call
@@ -20479,7 +20463,7 @@ index 4b511ef..29ec529 100644
  
  /* Call softirq on interrupt stack. Interrupts are off. */
  ENTRY(call_softirq)
-@@ -1270,9 +1615,10 @@ ENTRY(call_softirq)
+@@ -1223,9 +1568,10 @@ ENTRY(call_softirq)
  	CFI_DEF_CFA_REGISTER	rsp
  	CFI_ADJUST_CFA_OFFSET   -8
  	decl PER_CPU_VAR(irq_count)
@@ -20491,7 +20475,7 @@ index 4b511ef..29ec529 100644
  
  #ifdef CONFIG_XEN
  zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
-@@ -1310,7 +1656,7 @@ ENTRY(xen_do_hypervisor_callback)   # do_hypervisor_callback(struct *pt_regs)
+@@ -1263,7 +1609,7 @@ ENTRY(xen_do_hypervisor_callback)   # do_hypervisor_callback(struct *pt_regs)
  	decl PER_CPU_VAR(irq_count)
  	jmp  error_exit
  	CFI_ENDPROC
@@ -20500,7 +20484,7 @@ index 4b511ef..29ec529 100644
  
  /*
   * Hypervisor uses this for application faults while it executes.
-@@ -1369,7 +1715,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1322,7 +1668,7 @@ ENTRY(xen_failsafe_callback)
  	SAVE_ALL
  	jmp error_exit
  	CFI_ENDPROC
@@ -20509,7 +20493,7 @@ index 4b511ef..29ec529 100644
  
  apicinterrupt XEN_HVM_EVTCHN_CALLBACK \
  	xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1418,16 +1764,31 @@ ENTRY(paranoid_exit)
+@@ -1371,16 +1717,31 @@ ENTRY(paranoid_exit)
  	TRACE_IRQS_OFF
  	testl %ebx,%ebx				/* swapgs needed? */
  	jnz paranoid_restore
@@ -20542,7 +20526,7 @@ index 4b511ef..29ec529 100644
  	jmp irq_return
  paranoid_userspace:
  	GET_THREAD_INFO(%rcx)
-@@ -1456,7 +1817,7 @@ paranoid_schedule:
+@@ -1409,7 +1770,7 @@ paranoid_schedule:
  	TRACE_IRQS_OFF
  	jmp paranoid_userspace
  	CFI_ENDPROC
@@ -20551,7 +20535,7 @@ index 4b511ef..29ec529 100644
  
  /*
   * Exception entry point. This expects an error code/orig_rax on the stack.
-@@ -1483,12 +1844,23 @@ ENTRY(error_entry)
+@@ -1436,12 +1797,23 @@ ENTRY(error_entry)
  	movq_cfi r14, R14+8
  	movq_cfi r15, R15+8
  	xorl %ebx,%ebx
@@ -20576,16 +20560,16 @@ index 4b511ef..29ec529 100644
  	ret
  
  /*
-@@ -1515,7 +1887,7 @@ bstep_iret:
- 	movq %rcx,RIP+8(%rsp)
- 	jmp error_swapgs
+@@ -1475,7 +1847,7 @@ error_bad_iret:
+ 	decl %ebx	/* Return to usergs */
+ 	jmp error_sti
  	CFI_ENDPROC
 -END(error_entry)
 +ENDPROC(error_entry)
  
  
  /* ebx:	no swapgs flag (1: don't need swapgs, 0: need it) */
-@@ -1535,7 +1907,7 @@ ENTRY(error_exit)
+@@ -1495,7 +1867,7 @@ ENTRY(error_exit)
  	jnz retint_careful
  	jmp retint_swapgs
  	CFI_ENDPROC
@@ -20594,7 +20578,7 @@ index 4b511ef..29ec529 100644
  
  
  	/* runs on exception stack */
-@@ -1547,6 +1919,7 @@ ENTRY(nmi)
+@@ -1507,6 +1879,7 @@ ENTRY(nmi)
  	CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
  	call save_paranoid
  	DEFAULT_FRAME 0
@@ -20602,7 +20586,7 @@ index 4b511ef..29ec529 100644
  	/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
  	movq %rsp,%rdi
  	movq $-1,%rsi
-@@ -1557,12 +1930,28 @@ ENTRY(nmi)
+@@ -1517,12 +1890,28 @@ ENTRY(nmi)
  	DISABLE_INTERRUPTS(CLBR_NONE)
  	testl %ebx,%ebx				/* swapgs needed? */
  	jnz nmi_restore
@@ -20632,7 +20616,7 @@ index 4b511ef..29ec529 100644
  	jmp irq_return
  nmi_userspace:
  	GET_THREAD_INFO(%rcx)
-@@ -1591,14 +1980,14 @@ nmi_schedule:
+@@ -1551,14 +1940,14 @@ nmi_schedule:
  	jmp paranoid_exit
  	CFI_ENDPROC
  #endif
@@ -24325,7 +24309,7 @@ index 09ff517..df19fbff 100644
  	.short 0
  	.quad	0x00cf9b000000ffff	# __KERNEL32_CS
 diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
-index 20061b9..e2d53a8 100644
+index 2aff347..a6d2a52 100644
 --- a/arch/x86/kernel/traps.c
 +++ b/arch/x86/kernel/traps.c
 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
@@ -24396,7 +24380,7 @@ index 20061b9..e2d53a8 100644
  	return;
  
  #ifdef CONFIG_X86_32
-@@ -242,6 +248,11 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
+@@ -254,6 +260,11 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
  	tsk->thread.error_code = error_code;
  	tsk->thread.trap_no = X86_TRAP_DF;
  
@@ -24408,7 +24392,7 @@ index 20061b9..e2d53a8 100644
  	/*
  	 * This is always a kernel trap and never fixable (and thus must
  	 * never return).
-@@ -259,14 +270,30 @@ do_general_protection(struct pt_regs *regs, long error_code)
+@@ -271,14 +282,30 @@ do_general_protection(struct pt_regs *regs, long error_code)
  	conditional_sti(regs);
  
  #ifdef CONFIG_X86_32
@@ -24441,7 +24425,7 @@ index 20061b9..e2d53a8 100644
  	tsk->thread.error_code = error_code;
  	tsk->thread.trap_no = X86_TRAP_GP;
  
-@@ -299,6 +326,13 @@ gp_in_kernel:
+@@ -311,6 +338,13 @@ gp_in_kernel:
  	if (notify_die(DIE_GPF, "general protection fault", regs, error_code,
  			X86_TRAP_GP, SIGSEGV) == NOTIFY_STOP)
  		return;
@@ -24455,7 +24439,16 @@ index 20061b9..e2d53a8 100644
  	die("general protection fault", regs, error_code);
  }
  
-@@ -419,7 +453,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
+@@ -389,7 +423,7 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
+ 	/* Copy the remainder of the stack from the current stack. */
+ 	memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip));
+ 
+-	BUG_ON(!user_mode_vm(&new_stack->regs));
++	BUG_ON(!user_mode(&new_stack->regs));
+ 	return new_stack;
+ }
+ #endif
+@@ -460,7 +494,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
  	/* It's safe to allow irq's after DR6 has been saved */
  	preempt_conditional_sti(regs);
  
@@ -24464,7 +24457,7 @@ index 20061b9..e2d53a8 100644
  		handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code,
  					X86_TRAP_DB);
  		preempt_conditional_cli(regs);
-@@ -433,7 +467,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
+@@ -474,7 +508,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
  	 * We already checked v86 mode above, so we can check for kernel mode
  	 * by just checking the CPL of CS.
  	 */
@@ -24473,7 +24466,7 @@ index 20061b9..e2d53a8 100644
  		tsk->thread.debugreg6 &= ~DR_STEP;
  		set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
  		regs->flags &= ~X86_EFLAGS_TF;
-@@ -463,7 +497,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr)
+@@ -504,7 +538,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr)
  		return;
  	conditional_sti(regs);
  
@@ -24482,7 +24475,7 @@ index 20061b9..e2d53a8 100644
  	{
  		if (!fixup_exception(regs)) {
  			task->thread.error_code = error_code;
-@@ -576,8 +610,8 @@ asmlinkage void __attribute__((weak)) smp_threshold_interrupt(void)
+@@ -617,8 +651,8 @@ asmlinkage void __attribute__((weak)) smp_threshold_interrupt(void)
  void __math_state_restore(struct task_struct *tsk)
  {
  	/* We need a safe address that is cheap to find and that is already
@@ -25018,7 +25011,7 @@ index 176205a..920cd58 100644
  #define APIC_LVT_NUM			6
  /* 14 is the version for Xeon and Pentium 8.4.8*/
 diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index db2ffef..1e6c37a 100644
+index bfc9507..bf85b38 100644
 --- a/arch/x86/kvm/mmu.c
 +++ b/arch/x86/kvm/mmu.c
 @@ -3558,7 +3558,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
@@ -25062,7 +25055,7 @@ index 9299410..ade2f9b 100644
  	spin_unlock(&vcpu->kvm->mmu_lock);
  
 diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 82f97a5..159a0df 100644
+index 7a2d9d6..0e8286c 100644
 --- a/arch/x86/kvm/svm.c
 +++ b/arch/x86/kvm/svm.c
 @@ -3403,7 +3403,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
@@ -25089,7 +25082,7 @@ index 82f97a5..159a0df 100644
  
  	local_irq_disable();
 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 578b1c6..5a7039c 100644
+index 8831c43..98f1a3e 100644
 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
 @@ -1100,12 +1100,12 @@ static void vmcs_write64(unsigned long field, u64 value)
@@ -29584,7 +29577,7 @@ index 29f7c6d9..5122941 100644
  	printk(KERN_INFO "Write protecting the kernel text: %luk\n",
  		size >> 10);
 diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index 44b93da..5a0b3ee 100644
+index 266f717..51ef7c9 100644
 --- a/arch/x86/mm/init_64.c
 +++ b/arch/x86/mm/init_64.c
 @@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpages_on);
@@ -29719,7 +29712,7 @@ index 44b93da..5a0b3ee 100644
  		spin_unlock(&init_mm.page_table_lock);
  		pgd_changed = true;
  	}
-@@ -856,8 +870,8 @@ int kern_addr_valid(unsigned long addr)
+@@ -866,8 +880,8 @@ int kern_addr_valid(unsigned long addr)
  static struct vm_area_struct gate_vma = {
  	.vm_start	= VSYSCALL_START,
  	.vm_end		= VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
@@ -29730,7 +29723,7 @@ index 44b93da..5a0b3ee 100644
  };
  
  struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
-@@ -891,7 +905,7 @@ int in_gate_area_no_mm(unsigned long addr)
+@@ -901,7 +915,7 @@ int in_gate_area_no_mm(unsigned long addr)
  
  const char *arch_vma_name(struct vm_area_struct *vma)
  {
@@ -32697,7 +32690,7 @@ index 41b0435..09f9f28 100644
  
  EXPORT_SYMBOL(blk_unregister_region);
 diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
-index 9e76a32..a220c64 100644
+index f124268..e5bfd12 100644
 --- a/block/scsi_ioctl.c
 +++ b/block/scsi_ioctl.c
 @@ -66,7 +66,7 @@ static int scsi_get_bus(struct request_queue *q, int __user *p)
@@ -35578,7 +35571,7 @@ index da3cfee..a5a6606 100644
  
  	*ppos = i;
 diff --git a/drivers/char/random.c b/drivers/char/random.c
-index c244f0e..2b94e16 100644
+index edf45ae..2b94e16 100644
 --- a/drivers/char/random.c
 +++ b/drivers/char/random.c
 @@ -255,10 +255,8 @@
@@ -36507,17 +36500,6 @@ index c244f0e..2b94e16 100644
  	spin_lock_irqsave(&r->lock, flags);
  	for (i = 0; i < r->poolinfo->poolwords; i += 16)
  		sha_transform(hash.w, (__u8 *)(r->pool + i), workspace);
-@@ -954,8 +1056,8 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
- 	 * pool while mixing, and hash one final time.
- 	 */
- 	sha_transform(hash.w, extract, workspace);
--	memset(extract, 0, sizeof(extract));
--	memset(workspace, 0, sizeof(workspace));
-+	memzero_explicit(extract, sizeof(extract));
-+	memzero_explicit(workspace, sizeof(workspace));
- 
- 	/*
- 	 * In case the hash function has some recognizable output
 @@ -966,27 +1068,43 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
  	hash.w[1] ^= hash.w[4];
  	hash.w[2] ^= rol32(hash.w[2], 16);
@@ -36534,8 +36516,7 @@ index c244f0e..2b94e16 100644
 -	}
 -
  	memcpy(out, &hash, EXTRACT_SIZE);
--	memset(&hash, 0, sizeof(hash));
-+	memzero_explicit(&hash, sizeof(hash));
+ 	memzero_explicit(&hash, sizeof(hash));
  }
  
 +/*
@@ -36583,13 +36564,7 @@ index c244f0e..2b94e16 100644
  			spin_lock_irqsave(&r->lock, flags);
  			if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
  				panic("Hardware RNG duplicated output!\n");
-@@ -1010,17 +1126,22 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
- 	}
- 
- 	/* Wipe data just returned from memory */
--	memset(tmp, 0, sizeof(tmp));
-+	memzero_explicit(tmp, sizeof(tmp));
- 
+@@ -1015,12 +1131,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
  	return ret;
  }
  
@@ -36616,15 +36591,6 @@ index c244f0e..2b94e16 100644
  			ret = -EFAULT;
  			break;
  		}
-@@ -1047,7 +1168,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
- 	}
- 
- 	/* Wipe data just returned from memory */
--	memset(tmp, 0, sizeof(tmp));
-+	memzero_explicit(tmp, sizeof(tmp));
- 
- 	return ret;
- }
 @@ -1055,11 +1176,20 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
  /*
   * This function is the exported kernel interface.  It returns some
@@ -37767,7 +37733,7 @@ index 85661b0..cdd4560 100644
  	card->driver->update_phy_reg(card, 4,
  				     PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
 diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
-index b97d4f0..86be331 100644
+index ee96b91..86be331 100644
 --- a/drivers/firewire/core-cdev.c
 +++ b/drivers/firewire/core-cdev.c
 @@ -1331,8 +1331,7 @@ static int init_iso_resource(struct client *client,
@@ -37780,16 +37746,6 @@ index b97d4f0..86be331 100644
  		return -EINVAL;
  
  	r  = kmalloc(sizeof(*r), GFP_KERNEL);
-@@ -1605,8 +1604,7 @@ static int dispatch_ioctl(struct client *client,
- 	    _IOC_SIZE(cmd) > sizeof(buffer))
- 		return -ENOTTY;
- 
--	if (_IOC_DIR(cmd) == _IOC_READ)
--		memset(&buffer, 0, _IOC_SIZE(cmd));
-+	memset(&buffer, 0, sizeof(buffer));
- 
- 	if (_IOC_DIR(cmd) & _IOC_WRITE)
- 		if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
 diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c
 index 1f3dd51..1ad071c 100644
 --- a/drivers/firewire/core-device.c
@@ -39525,6 +39481,85 @@ index e70ddd8..ddfa1cd 100644
  	if (unlikely(ret != 0)) {
  		kobject_put(&zone->kobj);
  		return ret;
+diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
+index 508c64c..03018ec 100644
+--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
+@@ -51,7 +51,7 @@
+ 
+ #define NUM_PAGES_TO_ALLOC		(PAGE_SIZE/sizeof(struct page *))
+ #define SMALL_ALLOCATION		16
+-#define FREE_ALL_PAGES			(~0U)
++#define FREE_ALL_PAGES			(~0UL)
+ /* times are in msecs */
+ #define PAGE_FREE_INTERVAL		1000
+ 
+@@ -301,13 +301,12 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool,
+  * @pool: to free the pages from
+  * @free_all: If set to true will free all pages in pool
+  **/
+-static int ttm_page_pool_free(struct ttm_page_pool *pool, unsigned nr_free)
++static unsigned long ttm_page_pool_free(struct ttm_page_pool *pool, unsigned long nr_free)
+ {
+ 	unsigned long irq_flags;
+ 	struct page *p;
+ 	struct page **pages_to_free;
+-	unsigned freed_pages = 0,
+-		 npages_to_free = nr_free;
++	unsigned long freed_pages = 0, npages_to_free = nr_free;
+ 
+ 	if (NUM_PAGES_TO_ALLOC < nr_free)
+ 		npages_to_free = NUM_PAGES_TO_ALLOC;
+@@ -369,7 +368,8 @@ restart:
+ 		__list_del(&p->lru, &pool->list);
+ 
+ 		ttm_pool_update_free_locked(pool, freed_pages);
+-		nr_free -= freed_pages;
++		if (likely(nr_free != FREE_ALL_PAGES))
++			nr_free -= freed_pages;
+ 	}
+ 
+ 	spin_unlock_irqrestore(&pool->lock, irq_flags);
+@@ -403,7 +403,7 @@ static int ttm_pool_mm_shrink(struct shrinker *shrink,
+ 	unsigned i;
+ 	unsigned pool_offset;
+ 	struct ttm_page_pool *pool;
+-	int shrink_pages = sc->nr_to_scan;
++	unsigned long shrink_pages = sc->nr_to_scan;
+ 
+ 	if (shrink_pages == 0)
+ 		goto out;
+@@ -412,7 +412,7 @@ static int ttm_pool_mm_shrink(struct shrinker *shrink,
+ 	pool_offset = ++start_pool % NUM_POOLS;
+ 	/* select start pool in round robin fashion */
+ 	for (i = 0; i < NUM_POOLS; ++i) {
+-		unsigned nr_free = shrink_pages;
++		unsigned long nr_free = shrink_pages;
+ 		if (shrink_pages == 0)
+ 			break;
+ 		pool = &_manager->pools[(i + pool_offset)%NUM_POOLS];
+@@ -744,7 +744,7 @@ int ttm_get_pages(struct list_head *pages, int flags,
+ }
+ 
+ /* Put all pages in pages list to correct pool to wait for reuse */
+-void ttm_put_pages(struct list_head *pages, unsigned page_count, int flags,
++void ttm_put_pages(struct list_head *pages, unsigned long page_count, int flags,
+ 		   enum ttm_caching_state cstate, dma_addr_t *dma_address)
+ {
+ 	unsigned long irq_flags;
+diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c
+index f9cc548..92bad48 100644
+--- a/drivers/gpu/drm/ttm/ttm_tt.c
++++ b/drivers/gpu/drm/ttm/ttm_tt.c
+@@ -281,7 +281,7 @@ EXPORT_SYMBOL(ttm_tt_set_placement_caching);
+ static void ttm_tt_free_alloced_pages(struct ttm_tt *ttm)
+ {
+ 	int i;
+-	unsigned count = 0;
++	unsigned long count = 0;
+ 	struct list_head h;
+ 	struct page *cur_page;
+ 	struct ttm_backend *be = ttm->be;
 diff --git a/drivers/gpu/drm/via/via_drv.h b/drivers/gpu/drm/via/via_drv.h
 index 9cf87d9..2000b7d 100644
 --- a/drivers/gpu/drm/via/via_drv.h
@@ -39825,12 +39860,12 @@ index 4ef02b2..8a96831 100644
  
  		for (i = 0; i < hid->maxcollection; i++)
 diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
-index f4c3d28..82f45a9 100644
+index 44a1ea4..21cce84 100644
 --- a/drivers/hv/channel.c
 +++ b/drivers/hv/channel.c
-@@ -402,8 +402,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
+@@ -403,8 +403,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
+ 	unsigned long flags;
  	int ret = 0;
- 	int t;
  
 -	next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
 -	atomic_inc(&vmbus_connection.next_gpadl_handle);
@@ -39840,7 +39875,7 @@ index f4c3d28..82f45a9 100644
  	ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
  	if (ret)
 diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
-index 0fb100e..8a1a2a4 100644
+index 17ed6fb..82e91a7 100644
 --- a/drivers/hv/hv.c
 +++ b/drivers/hv/hv.c
 @@ -132,7 +132,7 @@ static u64 do_hypercall(u64 control, void *input, void *output)
@@ -39852,7 +39887,7 @@ index 0fb100e..8a1a2a4 100644
  
  	__asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi),
  			      "=a"(hv_status_lo) : "d" (control_hi),
-@@ -176,7 +176,7 @@ int hv_init(void)
+@@ -178,7 +178,7 @@ int hv_init(void)
  	/* See if the hypercall page is already set */
  	rdmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
  
@@ -39862,10 +39897,10 @@ index 0fb100e..8a1a2a4 100644
  	if (!virtaddr)
  		goto cleanup;
 diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
-index 0aee112..b72d21f 100644
+index be2f3af..9911b09 100644
 --- a/drivers/hv/hyperv_vmbus.h
 +++ b/drivers/hv/hyperv_vmbus.h
-@@ -556,7 +556,7 @@ enum vmbus_connect_state {
+@@ -560,7 +560,7 @@ enum vmbus_connect_state {
  struct vmbus_connection {
  	enum vmbus_connect_state conn_state;
  
@@ -41635,7 +41670,7 @@ index b8d8611..7a4a04b 100644
  #include <linux/input.h>
  #include <linux/gameport.h>
 diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
-index 2189cbf..05ad609 100644
+index 0c4c556..759171c 100644
 --- a/drivers/input/joystick/xpad.c
 +++ b/drivers/input/joystick/xpad.c
 @@ -714,7 +714,7 @@ static void xpad_led_set(struct led_classdev *led_cdev,
@@ -41726,6 +41761,34 @@ index 4d4cd14..d6fdd87 100644
  	kref_init(&serio_raw->kref);
  	INIT_LIST_HEAD(&serio_raw->client_list);
  	init_waitqueue_head(&serio_raw->wait);
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 486982f..56816d7 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -536,11 +536,21 @@ static void copy_cmd_to_buffer(struct amd_iommu *iommu,
+ 
+ static void build_completion_wait(struct iommu_cmd *cmd, u64 address)
+ {
++	phys_addr_t physaddr;
+ 	WARN_ON(address & 0x7ULL);
+ 
+ 	memset(cmd, 0, sizeof(*cmd));
+-	cmd->data[0] = lower_32_bits(__pa(address)) | CMD_COMPL_WAIT_STORE_MASK;
+-	cmd->data[1] = upper_32_bits(__pa(address));
++
++#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
++	if (object_starts_on_stack(address)) {
++		void *adjbuf = (void *)address - current->stack + current->lowmem_stack;
++		physaddr = __pa((u64)adjbuf);
++	} else
++#endif
++	physaddr = __pa(address);
++
++	cmd->data[0] = lower_32_bits(physaddr) | CMD_COMPL_WAIT_STORE_MASK;
++	cmd->data[1] = upper_32_bits(physaddr);
+ 	cmd->data[2] = 1;
+ 	CMD_SET_TYPE(cmd, CMD_COMPL_WAIT);
+ }
 diff --git a/drivers/isdn/capi/capi.c b/drivers/isdn/capi/capi.c
 index e44933d..9ba484a 100644
 --- a/drivers/isdn/capi/capi.c
@@ -42396,7 +42459,7 @@ index e6a300c..cc9c96c 100644
  			DMWARN("name not supplied when creating device");
  			return -EINVAL;
 diff --git a/drivers/md/dm-log-userspace-transfer.c b/drivers/md/dm-log-userspace-transfer.c
-index 1f23e04..08d9a20 100644
+index e5bd3ef..c69d0b7 100644
 --- a/drivers/md/dm-log-userspace-transfer.c
 +++ b/drivers/md/dm-log-userspace-transfer.c
 @@ -134,7 +134,7 @@ static void cn_ulog_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
@@ -43497,10 +43560,10 @@ index 404f63a..4796533 100644
  #if defined(CONFIG_DVB_DIB3000MB) || (defined(CONFIG_DVB_DIB3000MB_MODULE) && defined(MODULE))
  extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
 diff --git a/drivers/media/dvb/frontends/ds3000.c b/drivers/media/dvb/frontends/ds3000.c
-index 90bf573..e8463da 100644
+index 2151c99..a4bf818 100644
 --- a/drivers/media/dvb/frontends/ds3000.c
 +++ b/drivers/media/dvb/frontends/ds3000.c
-@@ -1210,7 +1210,7 @@ static int ds3000_set_frontend(struct dvb_frontend *fe,
+@@ -1217,7 +1217,7 @@ static int ds3000_set_frontend(struct dvb_frontend *fe,
  
  	for (i = 0; i < 30 ; i++) {
  		ds3000_read_status(fe, &status);
@@ -45512,18 +45575,9 @@ index b0f9015..edcb1f3 100644
  };
  
 diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
-index 3ed983c..359f1b9 100644
+index 4782d79..359f1b9 100644
 --- a/drivers/net/ppp/ppp_generic.c
 +++ b/drivers/net/ppp/ppp_generic.c
-@@ -588,7 +588,7 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- 			if (file == ppp->owner)
- 				ppp_shutdown_interface(ppp);
- 		}
--		if (atomic_long_read(&file->f_count) <= 2) {
-+		if (atomic_long_read(&file->f_count) < 2) {
- 			ppp_release(NULL, file);
- 			err = 0;
- 		} else
 @@ -986,7 +986,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
  	void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
  	struct ppp_stats stats;
@@ -47090,7 +47144,7 @@ index 6d2eea9..4bf3318 100644
  	mutex_lock(&pci_hp_mutex);
  	/*
 diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c
-index 9350af9..68623c4 100644
+index dc126a2..46fecf8 100644
 --- a/drivers/pci/hotplug/pciehp_core.c
 +++ b/drivers/pci/hotplug/pciehp_core.c
 @@ -91,7 +91,7 @@ static int init_slot(struct controller *ctrl)
@@ -47103,7 +47157,7 @@ index 9350af9..68623c4 100644
  	int retval = -ENOMEM;
  
 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 106be0d..45a52b5 100644
+index 1e6be19..3bcdd51 100644
 --- a/drivers/pci/pci-sysfs.c
 +++ b/drivers/pci/pci-sysfs.c
 @@ -950,7 +950,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine)
@@ -47966,7 +48020,7 @@ index ee77a58..af9d518 100644
  
  	/* These three are default values which can be overridden */
 diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
-index 603a2cb..12ece99 100644
+index 64c8a80..ba5263c 100644
 --- a/drivers/scsi/hpsa.c
 +++ b/drivers/scsi/hpsa.c
 @@ -523,7 +523,7 @@ static inline u32 next_command(struct ctlr_info *h)
@@ -50341,7 +50395,7 @@ index 6845228..df77141 100644
  
  		core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
 diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
-index 898c1de..b2ca488 100644
+index be1218f..3481d56 100644
 --- a/drivers/target/target_core_transport.c
 +++ b/drivers/target/target_core_transport.c
 @@ -1343,7 +1343,7 @@ struct se_device *transport_add_device_to_core_hba(
@@ -50383,7 +50437,7 @@ index 898c1de..b2ca488 100644
  	    cmd->t_task_list_num)
  		atomic_set(&cmd->t_transport_sent, 1);
  
-@@ -4304,7 +4304,7 @@ bool transport_wait_for_tasks(struct se_cmd *cmd)
+@@ -4303,7 +4303,7 @@ bool transport_wait_for_tasks(struct se_cmd *cmd)
  		atomic_set(&cmd->transport_lun_stop, 0);
  	}
  	if (!atomic_read(&cmd->t_transport_active) ||
@@ -50392,7 +50446,7 @@ index 898c1de..b2ca488 100644
  		spin_unlock_irqrestore(&cmd->t_state_lock, flags);
  		return false;
  	}
-@@ -4562,7 +4562,7 @@ int transport_check_aborted_status(struct se_cmd *cmd, int send_status)
+@@ -4561,7 +4561,7 @@ int transport_check_aborted_status(struct se_cmd *cmd, int send_status)
  {
  	int ret = 0;
  
@@ -50401,7 +50455,7 @@ index 898c1de..b2ca488 100644
  		if (!send_status ||
  		     (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS))
  			return 1;
-@@ -4599,7 +4599,7 @@ void transport_send_task_abort(struct se_cmd *cmd)
+@@ -4598,7 +4598,7 @@ void transport_send_task_abort(struct se_cmd *cmd)
  	 */
  	if (cmd->data_direction == DMA_TO_DEVICE) {
  		if (cmd->se_tfo->write_pending_status(cmd) != 0) {
@@ -51011,7 +51065,7 @@ index 43db715..82134aa 100644
  
  		if (get_user(c, buf))
 diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index 446df6b..85128a5 100644
+index 613f06a..a3bfd37 100644
 --- a/drivers/tty/tty_io.c
 +++ b/drivers/tty/tty_io.c
 @@ -1089,7 +1089,7 @@ static inline ssize_t do_tty_write(
@@ -51023,7 +51077,7 @@ index 446df6b..85128a5 100644
  		tty_update_time(&inode->i_mtime);
  		ret = written;
  	}
-@@ -3250,7 +3250,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
+@@ -3255,7 +3255,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
  
  void tty_default_fops(struct file_operations *fops)
  {
@@ -51433,7 +51487,7 @@ index 49257b3..13133cd 100644
  				    dev->rawdescriptors[i] + (*ppos - pos),
  				    min(len, alloclen))) {
 diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
-index 032e5a6..bc422e4 100644
+index c0ee52a..145ce87 100644
 --- a/drivers/usb/core/hcd.c
 +++ b/drivers/usb/core/hcd.c
 @@ -1475,7 +1475,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
@@ -51455,7 +51509,7 @@ index 032e5a6..bc422e4 100644
  			wake_up(&usb_kill_urb_queue);
  		usb_put_urb(urb);
 diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 10aec1a..387cff3 100644
+index 18286ce..c6d2114 100644
 --- a/drivers/usb/core/hub.c
 +++ b/drivers/usb/core/hub.c
 @@ -25,6 +25,7 @@
@@ -51466,7 +51520,7 @@ index 10aec1a..387cff3 100644
  
  #include <asm/uaccess.h>
  #include <asm/byteorder.h>
-@@ -3483,6 +3484,9 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
+@@ -3485,6 +3486,9 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
  		return;
  	}
  
@@ -57015,22 +57069,10 @@ index 200f63b..490b833 100644
  /*
   * used by btrfsctl to scan devices when no FS is mounted
 diff --git a/fs/buffer.c b/fs/buffer.c
-index 59496e7..5df71b8 100644
+index c457f84..3e206d5 100644
 --- a/fs/buffer.c
 +++ b/fs/buffer.c
-@@ -2258,6 +2258,11 @@ static int cont_expand_zero(struct file *file, struct address_space *mapping,
- 		err = 0;
- 
- 		balance_dirty_pages_ratelimited(mapping);
-+
-+		if (unlikely(fatal_signal_pending(current))) {
-+			err = -EINTR;
-+			goto out;
-+		}
- 	}
- 
- 	/* page covers the boundary, find the boundary offset */
-@@ -3318,7 +3323,7 @@ void __init buffer_init(void)
+@@ -3326,7 +3326,7 @@ void __init buffer_init(void)
  	bh_cachep = kmem_cache_create("buffer_head",
  			sizeof(struct buffer_head), 0,
  				(SLAB_RECLAIM_ACCOUNT|SLAB_PANIC|
@@ -57937,7 +57979,7 @@ index 01951c6b..01de40e 100644
  }
  EXPORT_SYMBOL_GPL(debugfs_create_dir);
 diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
-index a9be90d..3cf866c 100644
+index 782569b..175dea4 100644
 --- a/fs/ecryptfs/inode.c
 +++ b/fs/ecryptfs/inode.c
 @@ -705,7 +705,7 @@ static int ecryptfs_readlink_lower(struct dentry *dentry, char **buf,
@@ -59216,10 +59258,10 @@ index a203892..4e64db5 100644
  	}
  	return 1;
 diff --git a/fs/ext3/super.c b/fs/ext3/super.c
-index b7f314f..ef3b16c 100644
+index 562ede3..5e56315 100644
 --- a/fs/ext3/super.c
 +++ b/fs/ext3/super.c
-@@ -3065,6 +3065,7 @@ static struct file_system_type ext3_fs_type = {
+@@ -3058,6 +3058,7 @@ static struct file_system_type ext3_fs_type = {
  	.kill_sb	= kill_block_super,
  	.fs_flags	= FS_REQUIRES_DEV,
  };
@@ -59268,7 +59310,7 @@ index 2845a1f..f29de63 100644
  		if (free_clusters >= (nclusters + dirty_clusters))
  			return 1;
 diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
-index 40f4d06..7f3507d 100644
+index 6858d9d..590047a 100644
 --- a/fs/ext4/ext4.h
 +++ b/fs/ext4/ext4.h
 @@ -1218,19 +1218,19 @@ struct ext4_sb_info {
@@ -59432,7 +59474,7 @@ index f3358ab..fbb1d90 100644
  		       "MMP failure info: last update time: %llu, last update "
  		       "node: %s, last update device: %s\n",
 diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index 6581ee7..96fd5e1 100644
+index 422be11..ef4b528 100644
 --- a/fs/ext4/super.c
 +++ b/fs/ext4/super.c
 @@ -92,6 +92,8 @@ static struct file_system_type ext2_fs_type = {
@@ -59462,7 +59504,7 @@ index 6581ee7..96fd5e1 100644
  	"Contact linux-ext4@vger.kernel.org if you think we should keep it.\n";
  
  #ifdef CONFIG_QUOTA
-@@ -2467,7 +2471,7 @@ struct ext4_attr {
+@@ -2460,7 +2464,7 @@ struct ext4_attr {
  	ssize_t (*store)(struct ext4_attr *, struct ext4_sb_info *,
  			 const char *, size_t);
  	int offset;
@@ -59471,7 +59513,7 @@ index 6581ee7..96fd5e1 100644
  
  static int parse_strtoul(const char *buf,
  		unsigned long max, unsigned long *value)
-@@ -3174,7 +3178,6 @@ int ext4_calculate_overhead(struct super_block *sb)
+@@ -3167,7 +3171,6 @@ int ext4_calculate_overhead(struct super_block *sb)
  	ext4_fsblk_t overhead = 0;
  	char *buf = (char *) get_zeroed_page(GFP_KERNEL);
  
@@ -59479,7 +59521,7 @@ index 6581ee7..96fd5e1 100644
  	if (!buf)
  		return -ENOMEM;
  
-@@ -5051,7 +5054,6 @@ static inline int ext2_feature_set_ok(struct super_block *sb)
+@@ -5044,7 +5047,6 @@ static inline int ext2_feature_set_ok(struct super_block *sb)
  		return 0;
  	return 1;
  }
@@ -59487,7 +59529,7 @@ index 6581ee7..96fd5e1 100644
  #else
  static inline void register_as_ext2(void) { }
  static inline void unregister_as_ext2(void) { }
-@@ -5084,7 +5086,6 @@ static inline int ext3_feature_set_ok(struct super_block *sb)
+@@ -5077,7 +5079,6 @@ static inline int ext3_feature_set_ok(struct super_block *sb)
  		return 0;
  	return 1;
  }
@@ -59495,7 +59537,7 @@ index 6581ee7..96fd5e1 100644
  #else
  static inline void register_as_ext3(void) { }
  static inline void unregister_as_ext3(void) { }
-@@ -5098,6 +5099,7 @@ static struct file_system_type ext4_fs_type = {
+@@ -5091,6 +5092,7 @@ static struct file_system_type ext4_fs_type = {
  	.kill_sb	= kill_block_super,
  	.fs_flags	= FS_REQUIRES_DEV,
  };
@@ -59504,10 +59546,10 @@ index 6581ee7..96fd5e1 100644
  static int __init ext4_init_feat_adverts(void)
  {
 diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
-index 05617bd..aac23ad 100644
+index c6ac876..8ea8de1 100644
 --- a/fs/ext4/xattr.c
 +++ b/fs/ext4/xattr.c
-@@ -328,7 +328,7 @@ static int
+@@ -343,7 +343,7 @@ static int
  ext4_xattr_list_entries(struct dentry *dentry, struct ext4_xattr_entry *entry,
  			char *buffer, size_t buffer_size)
  {
@@ -59516,7 +59558,7 @@ index 05617bd..aac23ad 100644
  
  	for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) {
  		const struct xattr_handler *handler =
-@@ -345,9 +345,10 @@ ext4_xattr_list_entries(struct dentry *dentry, struct ext4_xattr_entry *entry,
+@@ -360,9 +360,10 @@ ext4_xattr_list_entries(struct dentry *dentry, struct ext4_xattr_entry *entry,
  				buffer += size;
  			}
  			rest -= size;
@@ -62468,7 +62510,7 @@ index b78b5b6..c64d84f 100644
  
  void nfs_fattr_init(struct nfs_fattr *fattr)
 diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index 61a1303..3e0034a 100644
+index 351989e..8b551bb 100644
 --- a/fs/nfs/nfs4proc.c
 +++ b/fs/nfs/nfs4proc.c
 @@ -1037,7 +1037,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata)
@@ -62509,7 +62551,7 @@ index 1943898..396c460 100644
 -
  #endif /* CONFIG_NFS_V4 */
 diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
-index eebccfe..a2ed0a1 100644
+index 9a959de..db4b27b 100644
 --- a/fs/nfsd/nfs4proc.c
 +++ b/fs/nfsd/nfs4proc.c
 @@ -1039,7 +1039,7 @@ struct nfsd4_operation {
@@ -62732,7 +62774,7 @@ index e7bc1d7..06bd4bb 100644
  	}
  
 diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
-index 9860f6b..55df672 100644
+index d57995e..76a343a 100644
 --- a/fs/notify/fanotify/fanotify_user.c
 +++ b/fs/notify/fanotify/fanotify_user.c
 @@ -277,7 +277,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
@@ -65695,10 +65737,10 @@ index 7b21801..ee8fe9b 100644
  	generic_fillattr(inode, stat);
  	return 0;
 diff --git a/fs/super.c b/fs/super.c
-index 2a698f6..056eff7 100644
+index 531de18..dfecd9e 100644
 --- a/fs/super.c
 +++ b/fs/super.c
-@@ -295,19 +295,19 @@ EXPORT_SYMBOL(deactivate_super);
+@@ -297,19 +297,19 @@ EXPORT_SYMBOL(deactivate_super);
   *	and want to turn it into a full-blown active reference.  grab_super()
   *	is called with sb_lock held and drops it.  Returns 1 in case of
   *	success, 0 if we had failed (superblock contents was already dead or
@@ -65725,7 +65767,7 @@ index 2a698f6..056eff7 100644
  	up_write(&s->s_umount);
  	put_super(s);
  	return 0;
-@@ -436,11 +436,6 @@ retry:
+@@ -438,11 +438,6 @@ retry:
  				destroy_super(s);
  				s = NULL;
  			}
@@ -65737,7 +65779,7 @@ index 2a698f6..056eff7 100644
  			return old;
  		}
  	}
-@@ -650,10 +645,10 @@ restart:
+@@ -652,10 +647,10 @@ restart:
  		if (list_empty(&sb->s_instances))
  			continue;
  		if (sb->s_bdev == bdev) {
@@ -65911,10 +65953,10 @@ index 9228950..bbad895 100644
  	int err;
  
 diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
-index 2f467e5..3222f9b 100644
+index 201bcfc..cee4d16 100644
 --- a/fs/ubifs/super.c
 +++ b/fs/ubifs/super.c
-@@ -2192,6 +2192,7 @@ static struct file_system_type ubifs_fs_type = {
+@@ -2191,6 +2191,7 @@ static struct file_system_type ubifs_fs_type = {
  	.mount   = ubifs_mount,
  	.kill_sb = kill_ubifs_super,
  };
@@ -78415,6 +78457,19 @@ index 26c1f78..6722682 100644
  
  /**
   * struct ttm_mem_global - Global memory accounting structure.
+diff --git a/include/drm/ttm/ttm_page_alloc.h b/include/drm/ttm/ttm_page_alloc.h
+index 129de12..d73359c 100644
+--- a/include/drm/ttm/ttm_page_alloc.h
++++ b/include/drm/ttm/ttm_page_alloc.h
+@@ -54,7 +54,7 @@ int ttm_get_pages(struct list_head *pages,
+  * @dma_address: The DMA (bus) address of pages (if TTM_PAGE_FLAG_DMA32 set).
+  */
+ void ttm_put_pages(struct list_head *pages,
+-		   unsigned page_count,
++		   unsigned long page_count,
+ 		   int flags,
+ 		   enum ttm_caching_state cstate,
+ 		   dma_addr_t *dma_address);
 diff --git a/include/linux/Kbuild b/include/linux/Kbuild
 index a3ce901..fd50c75 100644
 --- a/include/linux/Kbuild
@@ -78569,10 +78624,10 @@ index 87a375f..94c85dd 100644
  	if (sizeof(l) == 4)
  		return fls(l);
 diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
-index ff039f0..cdf89ae 100644
+index c7e834b..dec8d67 100644
 --- a/include/linux/blkdev.h
 +++ b/include/linux/blkdev.h
-@@ -1316,7 +1316,7 @@ struct block_device_operations {
+@@ -1315,7 +1315,7 @@ struct block_device_operations {
  	/* this callback is with swap_lock and sometimes page table lock held */
  	void (*swap_slot_free_notify) (struct block_device *, unsigned long);
  	struct module *owner;
@@ -78764,20 +78819,6 @@ index d42bd48..554dcd5 100644
  
  /*
   * epoll (fs/eventpoll.c) compat bits follow ...
-diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
-index 5633053..9ac1a7a 100644
---- a/include/linux/compiler-gcc.h
-+++ b/include/linux/compiler-gcc.h
-@@ -37,6 +37,9 @@
-     __asm__ ("" : "=r"(__ptr) : "0"(ptr));		\
-     (typeof(ptr)) (__ptr + (off)); })
- 
-+/* Make the optimizer believe the variable can be manipulated arbitrarily. */
-+#define OPTIMIZER_HIDE_VAR(var) __asm__ ("" : "=r" (var) : "0" (var))
-+
- #ifdef __CHECKER__
- #define __must_be_array(arr) 0
- #else
 diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
 index e2a360a..1d61efb 100644
 --- a/include/linux/compiler-gcc4.h
@@ -78821,33 +78862,8 @@ index e2a360a..1d61efb 100644
  #endif
  
  #if __GNUC_MINOR__ > 0
-diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h
-index cba9593..1a97cac 100644
---- a/include/linux/compiler-intel.h
-+++ b/include/linux/compiler-intel.h
-@@ -15,6 +15,7 @@
-  */
- #undef barrier
- #undef RELOC_HIDE
-+#undef OPTIMIZER_HIDE_VAR
- 
- #define barrier() __memory_barrier()
- 
-@@ -23,6 +24,12 @@
-      __ptr = (unsigned long) (ptr);				\
-     (typeof(ptr)) (__ptr + (off)); })
- 
-+/* This should act as an optimization barrier on var.
-+ * Given that this compiler does not have inline assembly, a compiler barrier
-+ * is the best we can do.
-+ */
-+#define OPTIMIZER_HIDE_VAR(var) barrier()
-+
- /* Intel ECC compiler doesn't support __builtin_types_compatible_p() */
- #define __must_be_array(a) 0
- 
 diff --git a/include/linux/compiler.h b/include/linux/compiler.h
-index 320d6c9..92ea3ae 100644
+index 7c7546b..92ea3ae 100644
 --- a/include/linux/compiler.h
 +++ b/include/linux/compiler.h
 @@ -5,31 +5,51 @@
@@ -78914,18 +78930,7 @@ index 320d6c9..92ea3ae 100644
  #endif
  
  #ifdef __KERNEL__
-@@ -164,6 +186,10 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
-     (typeof(ptr)) (__ptr + (off)); })
- #endif
- 
-+#ifndef OPTIMIZER_HIDE_VAR
-+#define OPTIMIZER_HIDE_VAR(var) barrier()
-+#endif
-+
- #endif /* __KERNEL__ */
- 
- #endif /* __ASSEMBLY__ */
-@@ -264,6 +290,30 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -268,6 +290,30 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
  # define __attribute_const__	/* unimplemented */
  #endif
  
@@ -78956,7 +78961,7 @@ index 320d6c9..92ea3ae 100644
  /*
   * Tell gcc if a function is cold. The compiler will assume any path
   * directly leading to the call is unlikely.
-@@ -273,6 +323,22 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -277,6 +323,22 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
  #define __cold
  #endif
  
@@ -78979,7 +78984,7 @@ index 320d6c9..92ea3ae 100644
  /* Simple shorthand for a section definition */
  #ifndef __section
  # define __section(S) __attribute__ ((__section__(#S)))
-@@ -292,6 +358,18 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -296,6 +358,18 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
  #endif
  #ifndef __compiletime_error
  # define __compiletime_error(message)
@@ -78998,7 +79003,7 @@ index 320d6c9..92ea3ae 100644
  #endif
  
  /*
-@@ -306,6 +384,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -310,6 +384,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
   * use is to mediate communication between process-level code and irq/NMI
   * handlers, all running on the same CPU.
   */
@@ -81676,7 +81681,7 @@ index 3797270..7765ede 100644
  struct mca_bus {
  	u64			default_dma_mask;
 diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 305fd75..cdbfb05 100644
+index 7f40120..8879e77 100644
 --- a/include/linux/mm.h
 +++ b/include/linux/mm.h
 @@ -115,7 +115,14 @@ extern unsigned int kobjsize(const void *objp);
@@ -81724,7 +81729,7 @@ index 305fd75..cdbfb05 100644
  
  static inline void unmap_shared_mapping_range(struct address_space *mapping,
  		loff_t const holebegin, loff_t const holelen)
-@@ -984,10 +992,10 @@ static inline int fixup_user_fault(struct task_struct *tsk,
+@@ -985,10 +993,10 @@ static inline int fixup_user_fault(struct task_struct *tsk,
  }
  #endif
  
@@ -81739,7 +81744,7 @@ index 305fd75..cdbfb05 100644
  
  int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
  		     unsigned long start, int len, unsigned int foll_flags,
-@@ -1013,34 +1021,6 @@ int set_page_dirty(struct page *page);
+@@ -1014,34 +1022,6 @@ int set_page_dirty(struct page *page);
  int set_page_dirty_lock(struct page *page);
  int clear_page_dirty_for_io(struct page *page);
  
@@ -81774,7 +81779,7 @@ index 305fd75..cdbfb05 100644
  extern unsigned long move_page_tables(struct vm_area_struct *vma,
  		unsigned long old_addr, struct vm_area_struct *new_vma,
  		unsigned long new_addr, unsigned long len);
-@@ -1135,6 +1115,15 @@ static inline void sync_mm_rss(struct task_struct *task, struct mm_struct *mm)
+@@ -1136,6 +1116,15 @@ static inline void sync_mm_rss(struct task_struct *task, struct mm_struct *mm)
  }
  #endif
  
@@ -81790,7 +81795,7 @@ index 305fd75..cdbfb05 100644
  int vma_wants_writenotify(struct vm_area_struct *vma);
  
  extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
-@@ -1153,8 +1142,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
+@@ -1154,8 +1143,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
  {
  	return 0;
  }
@@ -81806,7 +81811,7 @@ index 305fd75..cdbfb05 100644
  #endif
  
  #ifdef __PAGETABLE_PMD_FOLDED
-@@ -1163,8 +1159,15 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
+@@ -1164,8 +1160,15 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
  {
  	return 0;
  }
@@ -81822,7 +81827,7 @@ index 305fd75..cdbfb05 100644
  #endif
  
  int __pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma,
-@@ -1182,11 +1185,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
+@@ -1183,11 +1186,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
  		NULL: pud_offset(pgd, address);
  }
  
@@ -81846,7 +81851,7 @@ index 305fd75..cdbfb05 100644
  #endif /* CONFIG_MMU && !__ARCH_HAS_4LEVEL_HACK */
  
  #if USE_SPLIT_PTLOCKS
-@@ -1397,7 +1412,7 @@ extern int install_special_mapping(struct mm_struct *mm,
+@@ -1398,7 +1413,7 @@ extern int install_special_mapping(struct mm_struct *mm,
  				   unsigned long addr, unsigned long len,
  				   unsigned long flags, struct page **pages);
  
@@ -81855,7 +81860,7 @@ index 305fd75..cdbfb05 100644
  
  extern unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  	unsigned long len, unsigned long prot,
-@@ -1420,6 +1435,7 @@ out:
+@@ -1421,6 +1436,7 @@ out:
  }
  
  extern int do_munmap(struct mm_struct *, unsigned long, size_t);
@@ -81863,7 +81868,7 @@ index 305fd75..cdbfb05 100644
  
  extern unsigned long do_brk(unsigned long, unsigned long);
  
-@@ -1477,6 +1493,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
+@@ -1478,6 +1494,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
  extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
  					     struct vm_area_struct **pprev);
  
@@ -81874,7 +81879,7 @@ index 305fd75..cdbfb05 100644
  /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
     NULL if none.  Assume start_addr < end_addr. */
  static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
-@@ -1493,15 +1513,6 @@ static inline unsigned long vma_pages(struct vm_area_struct *vma)
+@@ -1494,15 +1514,6 @@ static inline unsigned long vma_pages(struct vm_area_struct *vma)
  	return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
  }
  
@@ -81890,7 +81895,7 @@ index 305fd75..cdbfb05 100644
  struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
  int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
  			unsigned long pfn, unsigned long size, pgprot_t);
-@@ -1537,6 +1548,12 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
+@@ -1538,6 +1549,12 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
  static inline void vm_stat_account(struct mm_struct *mm,
  			unsigned long flags, struct file *file, long pages)
  {
@@ -81903,7 +81908,7 @@ index 305fd75..cdbfb05 100644
  }
  #endif /* CONFIG_PROC_FS */
  
-@@ -1617,7 +1634,7 @@ extern int unpoison_memory(unsigned long pfn);
+@@ -1618,7 +1635,7 @@ extern int unpoison_memory(unsigned long pfn);
  extern int sysctl_memory_failure_early_kill;
  extern int sysctl_memory_failure_recovery;
  extern void shake_page(struct page *p, int access);
@@ -81912,7 +81917,7 @@ index 305fd75..cdbfb05 100644
  extern int soft_offline_page(struct page *page, int flags);
  
  extern void dump_page(struct page *page);
-@@ -1631,5 +1648,11 @@ extern void copy_user_huge_page(struct page *dst, struct page *src,
+@@ -1632,5 +1649,11 @@ extern void copy_user_huge_page(struct page *dst, struct page *src,
  				unsigned int pages_per_huge_page);
  #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
  
@@ -84084,7 +84089,7 @@ index 6a40c76..1747b67 100644
  enum {
  	false	= 0,
 diff --git a/include/linux/string.h b/include/linux/string.h
-index e033564..7cdb1a8 100644
+index 8515a4d..3d9feb7 100644
 --- a/include/linux/string.h
 +++ b/include/linux/string.h
 @@ -133,7 +133,7 @@ int bprintf(u32 *bin_buf, size_t size, const char *fmt, ...) __printf(3, 4);
@@ -84096,15 +84101,6 @@ index e033564..7cdb1a8 100644
  
  /**
   * strstarts - does @str start with @prefix?
-@@ -144,5 +144,8 @@ static inline bool strstarts(const char *str, const char *prefix)
- {
- 	return strncmp(str, prefix, strlen(prefix)) == 0;
- }
-+
-+void memzero_explicit(void *s, size_t count);
-+
- #endif
- #endif /* _LINUX_STRING_H_ */
 diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h
 index 3d8f9c4..349a695 100644
 --- a/include/linux/sunrpc/clnt.h
@@ -85728,10 +85724,10 @@ index e6454b6..7a6b6bc 100644
  static inline struct page *sk_stream_alloc_page(struct sock *sk)
  {
 diff --git a/include/net/tcp.h b/include/net/tcp.h
-index fe46019..ce07abd 100644
+index 238255b..d91d5ca 100644
 --- a/include/net/tcp.h
 +++ b/include/net/tcp.h
-@@ -433,6 +433,25 @@ extern __u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
+@@ -426,6 +426,25 @@ extern __u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
  extern struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb, 
  				    struct ip_options *opt);
  #ifdef CONFIG_SYN_COOKIES
@@ -85757,7 +85753,7 @@ index fe46019..ce07abd 100644
  extern __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, 
  				     __u16 *mss);
  #else
-@@ -470,7 +489,7 @@ extern void tcp_retransmit_timer(struct sock *sk);
+@@ -463,7 +482,7 @@ extern void tcp_retransmit_timer(struct sock *sk);
  extern void tcp_xmit_retransmit_queue(struct sock *);
  extern void tcp_simple_retransmit(struct sock *);
  extern int tcp_trim_head(struct sock *, struct sk_buff *, u32);
@@ -85766,7 +85762,7 @@ index fe46019..ce07abd 100644
  
  extern void tcp_send_probe0(struct sock *);
  extern void tcp_send_partial(struct sock *);
-@@ -633,8 +652,8 @@ struct tcp_skb_cb {
+@@ -626,8 +645,8 @@ struct tcp_skb_cb {
  		struct inet6_skb_parm	h6;
  #endif
  	} header;	/* For incoming frames		*/
@@ -85777,7 +85773,7 @@ index fe46019..ce07abd 100644
  	__u32		when;		/* used to compute rtt's	*/
  	__u8		tcp_flags;	/* TCP header flags. (tcp[13])	*/
  	__u8		sacked;		/* State flags for SACK/FACK.	*/
-@@ -647,7 +666,7 @@ struct tcp_skb_cb {
+@@ -640,7 +659,7 @@ struct tcp_skb_cb {
  #define TCPCB_EVER_RETRANS	0x80	/* Ever retransmitted frame	*/
  #define TCPCB_RETRANS		(TCPCB_SACKED_RETRANS|TCPCB_EVER_RETRANS)
  
@@ -87880,10 +87876,10 @@ index 63786e7..0780cac 100644
  #ifdef CONFIG_MODULE_UNLOAD
  		{
 diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 4a14895..e44008c 100644
+index 2a4bf43..9f6ecac 100644
 --- a/kernel/events/core.c
 +++ b/kernel/events/core.c
-@@ -145,8 +145,15 @@ static struct srcu_struct pmus_srcu;
+@@ -146,8 +146,15 @@ static struct srcu_struct pmus_srcu;
   *   0 - disallow raw tracepoint access for unpriv
   *   1 - disallow cpu events for unpriv
   *   2 - disallow kernel profiling for unpriv
@@ -87900,7 +87896,7 @@ index 4a14895..e44008c 100644
  
  /* Minimum for 512 kiB + 1 user control page */
  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -173,7 +180,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
+@@ -174,7 +181,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
  	return 0;
  }
  
@@ -87909,7 +87905,7 @@ index 4a14895..e44008c 100644
  
  static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
  			      enum event_type_t event_type);
-@@ -2599,7 +2606,7 @@ static void __perf_event_read(void *info)
+@@ -2600,7 +2607,7 @@ static void __perf_event_read(void *info)
  
  static inline u64 perf_event_count(struct perf_event *event)
  {
@@ -87918,7 +87914,7 @@ index 4a14895..e44008c 100644
  }
  
  static u64 perf_event_read(struct perf_event *event)
-@@ -3142,9 +3149,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
+@@ -3143,9 +3150,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
  	mutex_lock(&event->child_mutex);
  	total += perf_event_read(event);
  	*enabled += event->total_time_enabled +
@@ -87930,7 +87926,7 @@ index 4a14895..e44008c 100644
  
  	list_for_each_entry(child, &event->child_list, child_list) {
  		total += perf_event_read(child);
-@@ -3536,10 +3543,10 @@ void perf_event_update_userpage(struct perf_event *event)
+@@ -3556,10 +3563,10 @@ void perf_event_update_userpage(struct perf_event *event)
  		userpg->offset -= local64_read(&event->hw.prev_count);
  
  	userpg->time_enabled = enabled +
@@ -87943,7 +87939,7 @@ index 4a14895..e44008c 100644
  
  	barrier();
  	++userpg->lock;
-@@ -4047,11 +4054,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
+@@ -4067,11 +4074,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
  	values[n++] = perf_event_count(event);
  	if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
  		values[n++] = enabled +
@@ -87957,7 +87953,7 @@ index 4a14895..e44008c 100644
  	}
  	if (read_format & PERF_FORMAT_ID)
  		values[n++] = primary_event_id(event);
-@@ -4702,12 +4709,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
+@@ -4722,12 +4729,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
  		 * need to add enough zero bytes after the string to handle
  		 * the 64bit alignment we do later.
  		 */
@@ -87972,7 +87968,7 @@ index 4a14895..e44008c 100644
  		if (IS_ERR(name)) {
  			name = strncpy(tmp, "//toolong", sizeof(tmp));
  			goto got_name;
-@@ -6073,7 +6080,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
+@@ -6093,7 +6100,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
  	event->parent		= parent_event;
  
  	event->ns		= get_pid_ns(current->nsproxy->pid_ns);
@@ -87981,7 +87977,7 @@ index 4a14895..e44008c 100644
  
  	event->state		= PERF_EVENT_STATE_INACTIVE;
  
-@@ -6319,6 +6326,11 @@ SYSCALL_DEFINE5(perf_event_open,
+@@ -6339,6 +6346,11 @@ SYSCALL_DEFINE5(perf_event_open,
  	if (flags & ~PERF_FLAG_ALL)
  		return -EINVAL;
  
@@ -87993,7 +87989,7 @@ index 4a14895..e44008c 100644
  	err = perf_copy_attr(attr_uptr, &attr);
  	if (err)
  		return err;
-@@ -6617,10 +6629,10 @@ static void sync_child_event(struct perf_event *child_event,
+@@ -6637,10 +6649,10 @@ static void sync_child_event(struct perf_event *child_event,
  	/*
  	 * Add back the child's count to the parent's count:
  	 */
@@ -88647,7 +88643,7 @@ index 29b4604..ee14dbd 100644
  			else
  				new_fs = fs;
 diff --git a/kernel/futex.c b/kernel/futex.c
-index f31f190..8d00f9b 100644
+index 7481595..64a53fb 100644
 --- a/kernel/futex.c
 +++ b/kernel/futex.c
 @@ -54,6 +54,7 @@
@@ -90497,7 +90493,7 @@ index 962c291..31cf69d7 100644
  		.clock_get	= thread_cpu_clock_get,
  		.timer_create	= thread_cpu_timer_create,
 diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
-index e885be1..f005738 100644
+index 02824a5..92dc581 100644
 --- a/kernel/posix-timers.c
 +++ b/kernel/posix-timers.c
 @@ -43,6 +43,7 @@
@@ -90589,7 +90585,7 @@ index e885be1..f005738 100644
  	int it_id_set = IT_ID_NOT_SET;
  
  	if (!kc)
-@@ -966,6 +967,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
+@@ -967,6 +968,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
  	if (copy_from_user(&new_tp, tp, sizeof (*tp)))
  		return -EFAULT;
  
@@ -93965,37 +93961,10 @@ index c5b20a3..6b38c73 100644
  
  	local_irq_save(flags);
 diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
-index 7c75bbb..f32b331 100644
+index 1129062..f32b331 100644
 --- a/kernel/trace/trace_syscalls.c
 +++ b/kernel/trace/trace_syscalls.c
-@@ -309,7 +309,7 @@ void ftrace_syscall_enter(void *ignore, struct pt_regs *regs, long id)
- 	int syscall_nr;
- 
- 	syscall_nr = syscall_get_nr(current, regs);
--	if (syscall_nr < 0)
-+	if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- 		return;
- 	if (!test_bit(syscall_nr, enabled_enter_syscalls))
- 		return;
-@@ -349,7 +349,7 @@ void ftrace_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
- 	int syscall_nr;
- 
- 	syscall_nr = syscall_get_nr(current, regs);
--	if (syscall_nr < 0)
-+	if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- 		return;
- 	if (!test_bit(syscall_nr, enabled_exit_syscalls))
- 		return;
-@@ -519,6 +519,8 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id)
- 	int size;
- 
- 	syscall_nr = syscall_get_nr(current, regs);
-+	if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
-+		return;
- 	if (!test_bit(syscall_nr, enabled_perf_enter_syscalls))
- 		return;
- 
-@@ -554,6 +556,8 @@ int perf_sysenter_enable(struct ftrace_event_call *call)
+@@ -556,6 +556,8 @@ int perf_sysenter_enable(struct ftrace_event_call *call)
  	int num;
  
  	num = ((struct syscall_metadata *)call->data)->syscall_nr;
@@ -94004,7 +93973,7 @@ index 7c75bbb..f32b331 100644
  
  	mutex_lock(&syscall_trace_lock);
  	if (!sys_perf_refcount_enter)
-@@ -574,6 +578,8 @@ void perf_sysenter_disable(struct ftrace_event_call *call)
+@@ -576,6 +578,8 @@ void perf_sysenter_disable(struct ftrace_event_call *call)
  	int num;
  
  	num = ((struct syscall_metadata *)call->data)->syscall_nr;
@@ -94013,16 +93982,7 @@ index 7c75bbb..f32b331 100644
  
  	mutex_lock(&syscall_trace_lock);
  	sys_perf_refcount_enter--;
-@@ -593,6 +599,8 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
- 	int size;
- 
- 	syscall_nr = syscall_get_nr(current, regs);
-+	if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
-+		return;
- 	if (!test_bit(syscall_nr, enabled_perf_exit_syscalls))
- 		return;
- 
-@@ -630,6 +638,8 @@ int perf_sysexit_enable(struct ftrace_event_call *call)
+@@ -634,6 +638,8 @@ int perf_sysexit_enable(struct ftrace_event_call *call)
  	int num;
  
  	num = ((struct syscall_metadata *)call->data)->syscall_nr;
@@ -94031,7 +93991,7 @@ index 7c75bbb..f32b331 100644
  
  	mutex_lock(&syscall_trace_lock);
  	if (!sys_perf_refcount_exit)
-@@ -650,6 +660,8 @@ void perf_sysexit_disable(struct ftrace_event_call *call)
+@@ -654,6 +660,8 @@ void perf_sysexit_disable(struct ftrace_event_call *call)
  	int num;
  
  	num = ((struct syscall_metadata *)call->data)->syscall_nr;
@@ -94181,10 +94141,10 @@ index c06efca..bcafc28 100644
  
  ifneq ($(CONFIG_HAVE_DEC_LOCK),y)
 diff --git a/lib/bitmap.c b/lib/bitmap.c
-index 0d4a127..33a06c7 100644
+index dbc526f..528d2c2 100644
 --- a/lib/bitmap.c
 +++ b/lib/bitmap.c
-@@ -419,7 +419,7 @@ int __bitmap_parse(const char *buf, unsigned int buflen,
+@@ -423,7 +423,7 @@ int __bitmap_parse(const char *buf, unsigned int buflen,
  {
  	int c, old_c, totaldigits, ndigits, nchunks, nbits;
  	u32 chunk;
@@ -94193,7 +94153,7 @@ index 0d4a127..33a06c7 100644
  
  	bitmap_zero(maskp, nmaskbits);
  
-@@ -504,7 +504,7 @@ int bitmap_parse_user(const char __user *ubuf,
+@@ -508,7 +508,7 @@ int bitmap_parse_user(const char __user *ubuf,
  {
  	if (!access_ok(VERIFY_READ, ubuf, ulen))
  		return -EFAULT;
@@ -94202,7 +94162,7 @@ index 0d4a127..33a06c7 100644
  				ulen, 1, maskp, nmaskbits);
  
  }
-@@ -596,7 +596,7 @@ static int __bitmap_parselist(const char *buf, unsigned int buflen,
+@@ -600,7 +600,7 @@ static int __bitmap_parselist(const char *buf, unsigned int buflen,
  {
  	unsigned a, b;
  	int c, old_c, totaldigits;
@@ -94211,7 +94171,7 @@ index 0d4a127..33a06c7 100644
  	int exp_digit, in_range;
  
  	totaldigits = c = 0;
-@@ -696,7 +696,7 @@ int bitmap_parselist_user(const char __user *ubuf,
+@@ -700,7 +700,7 @@ int bitmap_parselist_user(const char __user *ubuf,
  {
  	if (!access_ok(VERIFY_READ, ubuf, ulen))
  		return -EFAULT;
@@ -95166,33 +95126,6 @@ index 1f44bdc..009bfe8 100644
 +		pr_info("prandom: %d self tests passed\n", runs);
 +}
 +#endif
-diff --git a/lib/string.c b/lib/string.c
-index dc4a863..40136f6 100644
---- a/lib/string.c
-+++ b/lib/string.c
-@@ -583,6 +583,22 @@ void *memset(void *s, int c, size_t count)
- EXPORT_SYMBOL(memset);
- #endif
- 
-+/**
-+ * memzero_explicit - Fill a region of memory (e.g. sensitive
-+ *		      keying data) with 0s.
-+ * @s: Pointer to the start of the area.
-+ * @count: The size of the area.
-+ *
-+ * memzero_explicit() doesn't need an arch-specific version as
-+ * it just invokes the one of memset() implicitly.
-+ */
-+void memzero_explicit(void *s, size_t count)
-+{
-+	memset(s, 0, count);
-+	OPTIMIZER_HIDE_VAR(s);
-+}
-+EXPORT_SYMBOL(memzero_explicit);
-+
- #ifndef __HAVE_ARCH_MEMCPY
- /**
-  * memcpy - Copy one area of memory to another
 diff --git a/lib/vsprintf.c b/lib/vsprintf.c
 index ae02e42..4ffc938 100644
 --- a/lib/vsprintf.c
@@ -95502,7 +95435,7 @@ index 09fc744..3936897 100644
  	set_page_address(page, (void *)vaddr);
  
 diff --git a/mm/huge_memory.c b/mm/huge_memory.c
-index ed0ed8a..d629a89 100644
+index 79166c2..7ce048f 100644
 --- a/mm/huge_memory.c
 +++ b/mm/huge_memory.c
 @@ -704,7 +704,7 @@ out:
@@ -95907,7 +95840,7 @@ index 51901b1..79af2f4 100644
  	/* keep elevated page count for bad page */
  	return ret;
 diff --git a/mm/memory.c b/mm/memory.c
-index 483e66505..32583a0 100644
+index 5a7f314..f1012e1 100644
 --- a/mm/memory.c
 +++ b/mm/memory.c
 @@ -462,8 +462,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -95936,7 +95869,7 @@ index 483e66505..32583a0 100644
  }
  
  /*
-@@ -1582,12 +1589,6 @@ no_page_table:
+@@ -1584,12 +1591,6 @@ no_page_table:
  	return page;
  }
  
@@ -95949,7 +95882,7 @@ index 483e66505..32583a0 100644
  /**
   * __get_user_pages() - pin user pages in memory
   * @tsk:	task_struct of target task
-@@ -1660,10 +1661,10 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+@@ -1662,10 +1663,10 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
  			(VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
  	i = 0;
  
@@ -95962,7 +95895,7 @@ index 483e66505..32583a0 100644
  		if (!vma && in_gate_area(mm, start)) {
  			unsigned long pg = start & PAGE_MASK;
  			pgd_t *pgd;
-@@ -1711,7 +1712,7 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+@@ -1713,7 +1714,7 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
  			goto next_page;
  		}
  
@@ -95971,7 +95904,7 @@ index 483e66505..32583a0 100644
  		    (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
  		    !(vm_flags & vma->vm_flags))
  			return i ? : -EFAULT;
-@@ -1738,11 +1739,6 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+@@ -1740,11 +1741,6 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
  				int ret;
  				unsigned int fault_flags = 0;
  
@@ -95983,7 +95916,7 @@ index 483e66505..32583a0 100644
  				if (foll_flags & FOLL_WRITE)
  					fault_flags |= FAULT_FLAG_WRITE;
  				if (nonblocking)
-@@ -1816,7 +1812,7 @@ next_page:
+@@ -1818,7 +1814,7 @@ next_page:
  			start += PAGE_SIZE;
  			nr_pages--;
  		} while (nr_pages && start < vma->vm_end);
@@ -95992,7 +95925,7 @@ index 483e66505..32583a0 100644
  	return i;
  }
  EXPORT_SYMBOL(__get_user_pages);
-@@ -2028,6 +2024,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
+@@ -2030,6 +2026,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
  	page_add_file_rmap(page);
  	set_pte_at(mm, addr, pte, mk_pte(page, prot));
  
@@ -96003,7 +95936,7 @@ index 483e66505..32583a0 100644
  	retval = 0;
  	pte_unmap_unlock(pte, ptl);
  	return retval;
-@@ -2062,10 +2062,22 @@ out:
+@@ -2064,10 +2064,22 @@ out:
  int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
  			struct page *page)
  {
@@ -96026,7 +95959,7 @@ index 483e66505..32583a0 100644
  	vma->vm_flags |= VM_INSERTPAGE;
  	return insert_page(vma, addr, page, vma->vm_page_prot);
  }
-@@ -2151,6 +2163,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,
+@@ -2153,6 +2165,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,
  			unsigned long pfn)
  {
  	BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
@@ -96034,7 +95967,7 @@ index 483e66505..32583a0 100644
  
  	if (addr < vma->vm_start || addr >= vma->vm_end)
  		return -EFAULT;
-@@ -2405,7 +2418,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
+@@ -2407,7 +2420,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
  
  	BUG_ON(pud_huge(*pud));
  
@@ -96045,7 +95978,7 @@ index 483e66505..32583a0 100644
  	if (!pmd)
  		return -ENOMEM;
  	do {
-@@ -2425,7 +2440,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd,
+@@ -2427,7 +2442,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd,
  	unsigned long next;
  	int err;
  
@@ -96056,7 +95989,7 @@ index 483e66505..32583a0 100644
  	if (!pud)
  		return -ENOMEM;
  	do {
-@@ -2513,6 +2530,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
+@@ -2515,6 +2532,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
  		copy_user_highpage(dst, src, va, vma);
  }
  
@@ -96243,7 +96176,7 @@ index 483e66505..32583a0 100644
  /*
   * This routine handles present pages, when users try to write
   * to a shared page. It is done by copying the page to a new address
-@@ -2724,6 +2921,12 @@ gotten:
+@@ -2726,6 +2923,12 @@ gotten:
  	 */
  	page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
  	if (likely(pte_same(*page_table, orig_pte))) {
@@ -96256,7 +96189,7 @@ index 483e66505..32583a0 100644
  		if (old_page) {
  			if (!PageAnon(old_page)) {
  				dec_mm_counter_fast(mm, MM_FILEPAGES);
-@@ -2775,6 +2978,10 @@ gotten:
+@@ -2777,6 +2980,10 @@ gotten:
  			page_remove_rmap(old_page);
  		}
  
@@ -96267,7 +96200,7 @@ index 483e66505..32583a0 100644
  		/* Free the old page.. */
  		new_page = old_page;
  		ret |= VM_FAULT_WRITE;
-@@ -3054,6 +3261,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3056,6 +3263,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
  	swap_free(entry);
  	if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
  		try_to_free_swap(page);
@@ -96279,7 +96212,7 @@ index 483e66505..32583a0 100644
  	unlock_page(page);
  	if (swapcache) {
  		/*
-@@ -3077,6 +3289,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3079,6 +3291,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
  
  	/* No need to invalidate - it was non-present before */
  	update_mmu_cache(vma, address, page_table);
@@ -96291,7 +96224,7 @@ index 483e66505..32583a0 100644
  unlock:
  	pte_unmap_unlock(page_table, ptl);
  out:
-@@ -3096,40 +3313,6 @@ out_release:
+@@ -3098,40 +3315,6 @@ out_release:
  }
  
  /*
@@ -96332,7 +96265,7 @@ index 483e66505..32583a0 100644
   * We enter with non-exclusive mmap_sem (to exclude vma changes,
   * but allow concurrent faults), and pte mapped but not yet locked.
   * We return with mmap_sem still held, but pte unmapped and unlocked.
-@@ -3138,27 +3321,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3140,27 +3323,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
  		unsigned long address, pte_t *page_table, pmd_t *pmd,
  		unsigned int flags)
  {
@@ -96365,7 +96298,7 @@ index 483e66505..32583a0 100644
  	if (unlikely(anon_vma_prepare(vma)))
  		goto oom;
  	page = alloc_zeroed_user_highpage_movable(vma, address);
-@@ -3177,6 +3356,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3179,6 +3358,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
  	if (!pte_none(*page_table))
  		goto release;
  
@@ -96377,7 +96310,7 @@ index 483e66505..32583a0 100644
  	inc_mm_counter_fast(mm, MM_ANONPAGES);
  	page_add_new_anon_rmap(page, vma, address);
  setpte:
-@@ -3184,6 +3368,12 @@ setpte:
+@@ -3186,6 +3370,12 @@ setpte:
  
  	/* No need to invalidate - it was non-present before */
  	update_mmu_cache(vma, address, page_table);
@@ -96390,7 +96323,7 @@ index 483e66505..32583a0 100644
  unlock:
  	pte_unmap_unlock(page_table, ptl);
  	return 0;
-@@ -3327,6 +3517,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3329,6 +3519,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	 */
  	/* Only go through if we didn't race with anybody else... */
  	if (likely(pte_same(*page_table, orig_pte))) {
@@ -96403,7 +96336,7 @@ index 483e66505..32583a0 100644
  		flush_icache_page(vma, page);
  		entry = mk_pte(page, vma->vm_page_prot);
  		if (flags & FAULT_FLAG_WRITE)
-@@ -3346,6 +3542,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3348,6 +3544,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  
  		/* no need to invalidate: a not-present page won't be cached */
  		update_mmu_cache(vma, address, page_table);
@@ -96418,7 +96351,7 @@ index 483e66505..32583a0 100644
  	} else {
  		if (cow_page)
  			mem_cgroup_uncharge_page(cow_page);
-@@ -3499,6 +3703,12 @@ int handle_pte_fault(struct mm_struct *mm,
+@@ -3501,6 +3705,12 @@ int handle_pte_fault(struct mm_struct *mm,
  		if (flags & FAULT_FLAG_WRITE)
  			flush_tlb_fix_spurious_fault(vma, address);
  	}
@@ -96431,7 +96364,7 @@ index 483e66505..32583a0 100644
  unlock:
  	pte_unmap_unlock(pte, ptl);
  	return 0;
-@@ -3515,6 +3725,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3517,6 +3727,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	pmd_t *pmd;
  	pte_t *pte;
  
@@ -96442,7 +96375,7 @@ index 483e66505..32583a0 100644
  	__set_current_state(TASK_RUNNING);
  
  	count_vm_event(PGFAULT);
-@@ -3526,6 +3740,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3528,6 +3742,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	if (unlikely(is_vm_hugetlb_page(vma)))
  		return hugetlb_fault(mm, vma, address, flags);
  
@@ -96477,7 +96410,7 @@ index 483e66505..32583a0 100644
  retry:
  	pgd = pgd_offset(mm, address);
  	pud = pud_alloc(mm, pgd, address);
-@@ -3567,7 +3809,7 @@ retry:
+@@ -3569,7 +3811,7 @@ retry:
  	 * run pte_offset_map on the pmd, if an huge pmd could
  	 * materialize from under us from a different thread.
  	 */
@@ -96486,7 +96419,7 @@ index 483e66505..32583a0 100644
  		return VM_FAULT_OOM;
  	/* if an huge pmd materialized from under us just retry later */
  	if (unlikely(pmd_trans_huge(*pmd)))
-@@ -3604,6 +3846,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
+@@ -3606,6 +3848,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
  	spin_unlock(&mm->page_table_lock);
  	return 0;
  }
@@ -96510,7 +96443,7 @@ index 483e66505..32583a0 100644
  #endif /* __PAGETABLE_PUD_FOLDED */
  
  #ifndef __PAGETABLE_PMD_FOLDED
-@@ -3634,11 +3893,35 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
+@@ -3636,11 +3895,35 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
  	spin_unlock(&mm->page_table_lock);
  	return 0;
  }
@@ -96548,7 +96481,7 @@ index 483e66505..32583a0 100644
  	struct vm_area_struct * vma;
  
  	vma = find_vma(current->mm, addr);
-@@ -3671,7 +3954,7 @@ static int __init gate_vma_init(void)
+@@ -3673,7 +3956,7 @@ static int __init gate_vma_init(void)
  	gate_vma.vm_start = FIXADDR_USER_START;
  	gate_vma.vm_end = FIXADDR_USER_END;
  	gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
@@ -96557,7 +96490,7 @@ index 483e66505..32583a0 100644
  	/*
  	 * Make sure the vDSO gets into every core dump.
  	 * Dumping its contents makes post-mortem fully interpretable later
-@@ -3811,8 +4094,8 @@ out:
+@@ -3813,8 +4096,8 @@ out:
  	return ret;
  }
  
@@ -96568,7 +96501,7 @@ index 483e66505..32583a0 100644
  {
  	resource_size_t phys_addr;
  	unsigned long prot = 0;
-@@ -3837,8 +4120,8 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
+@@ -3839,8 +4122,8 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
   * Access another process' address space as given in mm.  If non-NULL, use the
   * given task for page fault accounting.
   */
@@ -96579,7 +96512,7 @@ index 483e66505..32583a0 100644
  {
  	struct vm_area_struct *vma;
  	void *old_buf = buf;
-@@ -3846,7 +4129,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+@@ -3848,7 +4131,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
  	down_read(&mm->mmap_sem);
  	/* ignore errors, just check how much was successfully transferred */
  	while (len) {
@@ -96588,7 +96521,7 @@ index 483e66505..32583a0 100644
  		void *maddr;
  		struct page *page = NULL;
  
-@@ -3905,8 +4188,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+@@ -3907,8 +4190,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
   *
   * The caller must hold a reference on @mm.
   */
@@ -96599,7 +96532,7 @@ index 483e66505..32583a0 100644
  {
  	return __access_remote_vm(NULL, mm, addr, buf, len, write);
  }
-@@ -3916,11 +4199,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
+@@ -3918,11 +4201,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
   * Source/target buffer must be kernel space,
   * Do not walk the page table directly, use get_user_pages
   */
@@ -96849,7 +96782,7 @@ index 1ffd97a..ed75674 100644
  int mminit_loglevel;
  
 diff --git a/mm/mmap.c b/mm/mmap.c
-index 6182c8a..9476c8e 100644
+index f2badbf..06d44c2 100644
 --- a/mm/mmap.c
 +++ b/mm/mmap.c
 @@ -30,6 +30,7 @@
@@ -97023,7 +96956,7 @@ index 6182c8a..9476c8e 100644
 +		}
  		if (err)
  			return NULL;
- 		khugepaged_enter_vma_merge(prev);
+ 		khugepaged_enter_vma_merge(prev, vm_flags);
 @@ -807,12 +878,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
   			mpol_equal(policy, vma_policy(next)) &&
  			can_vma_merge_before(next, vm_flags,
@@ -97053,7 +96986,7 @@ index 6182c8a..9476c8e 100644
 +		}
  		if (err)
  			return NULL;
- 		khugepaged_enter_vma_merge(area);
+ 		khugepaged_enter_vma_merge(area, vm_flags);
 @@ -921,15 +1007,22 @@ none:
  void vm_stat_account(struct mm_struct *mm, unsigned long flags,
  						struct file *file, long pages)
@@ -97742,7 +97675,7 @@ index 6182c8a..9476c8e 100644
 +	if (locknext)
 +		vma_unlock_anon_vma(vma->vm_next);
  	vma_unlock_anon_vma(vma);
- 	khugepaged_enter_vma_merge(vma);
+ 	khugepaged_enter_vma_merge(vma, vma->vm_flags);
  	return error;
 @@ -1753,6 +2065,8 @@ int expand_downwards(struct vm_area_struct *vma,
  				   unsigned long address)
@@ -97808,7 +97741,7 @@ index 6182c8a..9476c8e 100644
  	vma_unlock_anon_vma(vma);
 +	if (lockprev)
 +		vma_unlock_anon_vma(prev);
- 	khugepaged_enter_vma_merge(vma);
+ 	khugepaged_enter_vma_merge(vma, vma->vm_flags);
  	return error;
  }
  
@@ -101742,323 +101675,6 @@ index ba873c3..3b00036 100644
  
  	if (!can_dir) {
  		printk(KERN_INFO "can: failed to create /proc/net/can . "
-diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
-index 85f3bc0..21e777b 100644
---- a/net/ceph/crypto.c
-+++ b/net/ceph/crypto.c
-@@ -90,11 +90,82 @@ static struct crypto_blkcipher *ceph_crypto_alloc_cipher(void)
- 
- static const u8 *aes_iv = (u8 *)CEPH_AES_IV;
- 
-+/*
-+ * Should be used for buffers allocated with ceph_kvmalloc().
-+ * Currently these are encrypt out-buffer (ceph_buffer) and decrypt
-+ * in-buffer (msg front).
-+ *
-+ * Dispose of @sgt with teardown_sgtable().
-+ *
-+ * @prealloc_sg is to avoid memory allocation inside sg_alloc_table()
-+ * in cases where a single sg is sufficient.  No attempt to reduce the
-+ * number of sgs by squeezing physically contiguous pages together is
-+ * made though, for simplicity.
-+ */
-+static int setup_sgtable(struct sg_table *sgt, struct scatterlist *prealloc_sg,
-+			 const void *buf, unsigned int buf_len)
-+{
-+	struct scatterlist *sg;
-+	const bool is_vmalloc = is_vmalloc_addr(buf);
-+	unsigned int off = offset_in_page(buf);
-+	unsigned int chunk_cnt = 1;
-+	unsigned int chunk_len = PAGE_ALIGN(off + buf_len);
-+	int i;
-+	int ret;
-+
-+	if (buf_len == 0) {
-+		memset(sgt, 0, sizeof(*sgt));
-+		return -EINVAL;
-+	}
-+
-+	if (is_vmalloc) {
-+		chunk_cnt = chunk_len >> PAGE_SHIFT;
-+		chunk_len = PAGE_SIZE;
-+	}
-+
-+	if (chunk_cnt > 1) {
-+		ret = sg_alloc_table(sgt, chunk_cnt, GFP_NOFS);
-+		if (ret)
-+			return ret;
-+	} else {
-+		WARN_ON(chunk_cnt != 1);
-+		sg_init_table(prealloc_sg, 1);
-+		sgt->sgl = prealloc_sg;
-+		sgt->nents = sgt->orig_nents = 1;
-+	}
-+
-+	for_each_sg(sgt->sgl, sg, sgt->orig_nents, i) {
-+		struct page *page;
-+		unsigned int len = min(chunk_len - off, buf_len);
-+
-+		if (is_vmalloc)
-+			page = vmalloc_to_page(buf);
-+		else
-+			page = virt_to_page(buf);
-+
-+		sg_set_page(sg, page, len, off);
-+
-+		off = 0;
-+		buf += len;
-+		buf_len -= len;
-+	}
-+	WARN_ON(buf_len != 0);
-+
-+	return 0;
-+}
-+
-+static void teardown_sgtable(struct sg_table *sgt)
-+{
-+	if (sgt->orig_nents > 1)
-+		sg_free_table(sgt);
-+}
-+
- static int ceph_aes_encrypt(const void *key, int key_len,
- 			    void *dst, size_t *dst_len,
- 			    const void *src, size_t src_len)
- {
--	struct scatterlist sg_in[2], sg_out[1];
-+	struct scatterlist sg_in[2], prealloc_sg;
-+	struct sg_table sg_out;
- 	struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
- 	struct blkcipher_desc desc = { .tfm = tfm, .flags = 0 };
- 	int ret;
-@@ -110,16 +181,18 @@ static int ceph_aes_encrypt(const void *key, int key_len,
- 
- 	*dst_len = src_len + zero_padding;
- 
--	crypto_blkcipher_setkey((void *)tfm, key, key_len);
- 	sg_init_table(sg_in, 2);
- 	sg_set_buf(&sg_in[0], src, src_len);
- 	sg_set_buf(&sg_in[1], pad, zero_padding);
--	sg_init_table(sg_out, 1);
--	sg_set_buf(sg_out, dst, *dst_len);
-+	ret = setup_sgtable(&sg_out, &prealloc_sg, dst, *dst_len);
-+	if (ret)
-+		goto out_tfm;
-+
-+	crypto_blkcipher_setkey((void *)tfm, key, key_len);
- 	iv = crypto_blkcipher_crt(tfm)->iv;
- 	ivsize = crypto_blkcipher_ivsize(tfm);
--
- 	memcpy(iv, aes_iv, ivsize);
-+
- 	/*
- 	print_hex_dump(KERN_ERR, "enc key: ", DUMP_PREFIX_NONE, 16, 1,
- 		       key, key_len, 1);
-@@ -128,16 +201,22 @@ static int ceph_aes_encrypt(const void *key, int key_len,
- 	print_hex_dump(KERN_ERR, "enc pad: ", DUMP_PREFIX_NONE, 16, 1,
- 			pad, zero_padding, 1);
- 	*/
--	ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in,
-+	ret = crypto_blkcipher_encrypt(&desc, sg_out.sgl, sg_in,
- 				     src_len + zero_padding);
--	crypto_free_blkcipher(tfm);
--	if (ret < 0)
-+	if (ret < 0) {
- 		pr_err("ceph_aes_crypt failed %d\n", ret);
-+		goto out_sg;
-+	}
- 	/*
- 	print_hex_dump(KERN_ERR, "enc out: ", DUMP_PREFIX_NONE, 16, 1,
- 		       dst, *dst_len, 1);
- 	*/
--	return 0;
-+
-+out_sg:
-+	teardown_sgtable(&sg_out);
-+out_tfm:
-+	crypto_free_blkcipher(tfm);
-+	return ret;
- }
- 
- static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
-@@ -145,7 +224,8 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
- 			     const void *src1, size_t src1_len,
- 			     const void *src2, size_t src2_len)
- {
--	struct scatterlist sg_in[3], sg_out[1];
-+	struct scatterlist sg_in[3], prealloc_sg;
-+	struct sg_table sg_out;
- 	struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
- 	struct blkcipher_desc desc = { .tfm = tfm, .flags = 0 };
- 	int ret;
-@@ -161,17 +241,19 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
- 
- 	*dst_len = src1_len + src2_len + zero_padding;
- 
--	crypto_blkcipher_setkey((void *)tfm, key, key_len);
- 	sg_init_table(sg_in, 3);
- 	sg_set_buf(&sg_in[0], src1, src1_len);
- 	sg_set_buf(&sg_in[1], src2, src2_len);
- 	sg_set_buf(&sg_in[2], pad, zero_padding);
--	sg_init_table(sg_out, 1);
--	sg_set_buf(sg_out, dst, *dst_len);
-+	ret = setup_sgtable(&sg_out, &prealloc_sg, dst, *dst_len);
-+	if (ret)
-+		goto out_tfm;
-+
-+	crypto_blkcipher_setkey((void *)tfm, key, key_len);
- 	iv = crypto_blkcipher_crt(tfm)->iv;
- 	ivsize = crypto_blkcipher_ivsize(tfm);
--
- 	memcpy(iv, aes_iv, ivsize);
-+
- 	/*
- 	print_hex_dump(KERN_ERR, "enc  key: ", DUMP_PREFIX_NONE, 16, 1,
- 		       key, key_len, 1);
-@@ -182,23 +264,30 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
- 	print_hex_dump(KERN_ERR, "enc  pad: ", DUMP_PREFIX_NONE, 16, 1,
- 			pad, zero_padding, 1);
- 	*/
--	ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in,
-+	ret = crypto_blkcipher_encrypt(&desc, sg_out.sgl, sg_in,
- 				     src1_len + src2_len + zero_padding);
--	crypto_free_blkcipher(tfm);
--	if (ret < 0)
-+	if (ret < 0) {
- 		pr_err("ceph_aes_crypt2 failed %d\n", ret);
-+		goto out_sg;
-+	}
- 	/*
- 	print_hex_dump(KERN_ERR, "enc  out: ", DUMP_PREFIX_NONE, 16, 1,
- 		       dst, *dst_len, 1);
- 	*/
--	return 0;
-+
-+out_sg:
-+	teardown_sgtable(&sg_out);
-+out_tfm:
-+	crypto_free_blkcipher(tfm);
-+	return ret;
- }
- 
- static int ceph_aes_decrypt(const void *key, int key_len,
- 			    void *dst, size_t *dst_len,
- 			    const void *src, size_t src_len)
- {
--	struct scatterlist sg_in[1], sg_out[2];
-+	struct sg_table sg_in;
-+	struct scatterlist sg_out[2], prealloc_sg;
- 	struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
- 	struct blkcipher_desc desc = { .tfm = tfm };
- 	char pad[16];
-@@ -210,16 +299,16 @@ static int ceph_aes_decrypt(const void *key, int key_len,
- 	if (IS_ERR(tfm))
- 		return PTR_ERR(tfm);
- 
--	crypto_blkcipher_setkey((void *)tfm, key, key_len);
--	sg_init_table(sg_in, 1);
- 	sg_init_table(sg_out, 2);
--	sg_set_buf(sg_in, src, src_len);
- 	sg_set_buf(&sg_out[0], dst, *dst_len);
- 	sg_set_buf(&sg_out[1], pad, sizeof(pad));
-+	ret = setup_sgtable(&sg_in, &prealloc_sg, src, src_len);
-+	if (ret)
-+		goto out_tfm;
- 
-+	crypto_blkcipher_setkey((void *)tfm, key, key_len);
- 	iv = crypto_blkcipher_crt(tfm)->iv;
- 	ivsize = crypto_blkcipher_ivsize(tfm);
--
- 	memcpy(iv, aes_iv, ivsize);
- 
- 	/*
-@@ -228,12 +317,10 @@ static int ceph_aes_decrypt(const void *key, int key_len,
- 	print_hex_dump(KERN_ERR, "dec  in: ", DUMP_PREFIX_NONE, 16, 1,
- 		       src, src_len, 1);
- 	*/
--
--	ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, src_len);
--	crypto_free_blkcipher(tfm);
-+	ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in.sgl, src_len);
- 	if (ret < 0) {
- 		pr_err("ceph_aes_decrypt failed %d\n", ret);
--		return ret;
-+		goto out_sg;
- 	}
- 
- 	if (src_len <= *dst_len)
-@@ -251,7 +338,12 @@ static int ceph_aes_decrypt(const void *key, int key_len,
- 	print_hex_dump(KERN_ERR, "dec out: ", DUMP_PREFIX_NONE, 16, 1,
- 		       dst, *dst_len, 1);
- 	*/
--	return 0;
-+
-+out_sg:
-+	teardown_sgtable(&sg_in);
-+out_tfm:
-+	crypto_free_blkcipher(tfm);
-+	return ret;
- }
- 
- static int ceph_aes_decrypt2(const void *key, int key_len,
-@@ -259,7 +351,8 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
- 			     void *dst2, size_t *dst2_len,
- 			     const void *src, size_t src_len)
- {
--	struct scatterlist sg_in[1], sg_out[3];
-+	struct sg_table sg_in;
-+	struct scatterlist sg_out[3], prealloc_sg;
- 	struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
- 	struct blkcipher_desc desc = { .tfm = tfm };
- 	char pad[16];
-@@ -271,17 +364,17 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
- 	if (IS_ERR(tfm))
- 		return PTR_ERR(tfm);
- 
--	sg_init_table(sg_in, 1);
--	sg_set_buf(sg_in, src, src_len);
- 	sg_init_table(sg_out, 3);
- 	sg_set_buf(&sg_out[0], dst1, *dst1_len);
- 	sg_set_buf(&sg_out[1], dst2, *dst2_len);
- 	sg_set_buf(&sg_out[2], pad, sizeof(pad));
-+	ret = setup_sgtable(&sg_in, &prealloc_sg, src, src_len);
-+	if (ret)
-+		goto out_tfm;
- 
- 	crypto_blkcipher_setkey((void *)tfm, key, key_len);
- 	iv = crypto_blkcipher_crt(tfm)->iv;
- 	ivsize = crypto_blkcipher_ivsize(tfm);
--
- 	memcpy(iv, aes_iv, ivsize);
- 
- 	/*
-@@ -290,12 +383,10 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
- 	print_hex_dump(KERN_ERR, "dec   in: ", DUMP_PREFIX_NONE, 16, 1,
- 		       src, src_len, 1);
- 	*/
--
--	ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, src_len);
--	crypto_free_blkcipher(tfm);
-+	ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in.sgl, src_len);
- 	if (ret < 0) {
- 		pr_err("ceph_aes_decrypt failed %d\n", ret);
--		return ret;
-+		goto out_sg;
- 	}
- 
- 	if (src_len <= *dst1_len)
-@@ -325,7 +416,11 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
- 		       dst2, *dst2_len, 1);
- 	*/
- 
--	return 0;
-+out_sg:
-+	teardown_sgtable(&sg_in);
-+out_tfm:
-+	crypto_free_blkcipher(tfm);
-+	return ret;
- }
- 
- 
 diff --git a/net/compat.c b/net/compat.c
 index 759e542..7cf6606 100644
 --- a/net/compat.c
@@ -104325,7 +103941,7 @@ index afe6886..297e5fb 100644
  	/* step 6: check the URG bit */
  	tcp_urg(sk, skb, th);
 diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
-index 92d7138..df6f00f 100644
+index 26eb8e2..14989a5 100644
 --- a/net/ipv4/tcp_ipv4.c
 +++ b/net/ipv4/tcp_ipv4.c
 @@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
@@ -105105,7 +104721,7 @@ index 166a57c..dc4e6b8 100644
  	struct ctl_table *ipv6_icmp_table;
  	int err;
 diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index c69358c..d1e5855 100644
+index 057a9d2..bc870ad 100644
 --- a/net/ipv6/tcp_ipv6.c
 +++ b/net/ipv6/tcp_ipv6.c
 @@ -93,6 +93,10 @@ static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
@@ -105276,9 +104892,19 @@ index d131a95..e2c60f8 100644
  
  int udp6_seq_show(struct seq_file *seq, void *v)
 diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
-index db78e7d..df6de01 100644
+index db78e7d..0e6a420 100644
 --- a/net/ipv6/xfrm6_policy.c
 +++ b/net/ipv6/xfrm6_policy.c
+@@ -125,8 +125,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
+ {
+ 	struct flowi6 *fl6 = &fl->u.ip6;
+ 	int onlyproto = 0;
+-	u16 offset = skb_network_header_len(skb);
+ 	const struct ipv6hdr *hdr = ipv6_hdr(skb);
++	u16 offset = sizeof(*hdr);
+ 	struct ipv6_opt_hdr *exthdr;
+ 	const unsigned char *nh = skb_network_header(skb);
+ 	u8 nexthdr = nh[IP6CB(skb)->nhoff];
 @@ -160,8 +160,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
  		case IPPROTO_DCCP:
  			if (!onlyproto && (nh + offset + 4 < skb->data ||
@@ -105662,7 +105288,7 @@ index a9cf593..b04a2d5 100644
  	/* number of interfaces with corresponding FIF_ flags */
  	int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
 diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
-index 8260cd5..f13516d 100644
+index 24ec86f..54ee7ef 100644
 --- a/net/mac80211/iface.c
 +++ b/net/mac80211/iface.c
 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_device *dev, bool coming_up)
@@ -105701,7 +105327,7 @@ index 8260cd5..f13516d 100644
  		drv_stop(local);
   err_del_bss:
  	sdata->bss = NULL;
-@@ -472,7 +472,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
+@@ -474,7 +474,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
  	}
  
  	if (going_down)
@@ -105710,9 +105336,9 @@ index 8260cd5..f13516d 100644
  
  	switch (sdata->vif.type) {
  	case NL80211_IFTYPE_AP_VLAN:
-@@ -543,7 +543,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
- 
- 	ieee80211_recalc_ps(local, -1);
+@@ -548,7 +548,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
+ 	if (cancel_scan)
+ 		flush_delayed_work(&local->scan_work);
  
 -	if (local->open_count == 0) {
 +	if (local_read(&local->open_count) == 0) {
@@ -108105,7 +107731,7 @@ index ce13632..144987d 100644
  	struct unix_gid ug;
  	struct cache_head *ch;
 diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
-index 296192c..5a95b93 100644
+index 5e3080c..df0e1a9 100644
 --- a/net/sunrpc/svcsock.c
 +++ b/net/sunrpc/svcsock.c
 @@ -396,7 +396,7 @@ static int svc_partial_recvfrom(struct svc_rqst *rqstp,
@@ -112344,7 +111970,7 @@ index dca1c22..4fa4591 100644
  		lock = &avc_cache.slots_lock[hvalue];
  
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 69477ff..3af4da9 100644
+index 0cd7097a..3af4da9 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
 @@ -95,8 +95,6 @@
@@ -112356,22 +111982,6 @@ index 69477ff..3af4da9 100644
  /* SECMARK reference count */
  static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
  
-@@ -435,6 +433,7 @@ next_inode:
- 				list_entry(sbsec->isec_head.next,
- 					   struct inode_security_struct, list);
- 		struct inode *inode = isec->inode;
-+		list_del_init(&isec->list);
- 		spin_unlock(&sbsec->isec_lock);
- 		inode = igrab(inode);
- 		if (inode) {
-@@ -443,7 +442,6 @@ next_inode:
- 			iput(inode);
- 		}
- 		spin_lock(&sbsec->isec_lock);
--		list_del_init(&isec->list);
- 		goto next_inode;
- 	}
- 	spin_unlock(&sbsec->isec_lock);
 @@ -2035,6 +2033,13 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
  		new_tsec->sid = old_tsec->exec_sid;
  		/* Reset exec SID on execve. */
@@ -112730,7 +112340,7 @@ index 542f69e..fe6e8c3 100644
  				}
  			} else if (runtime->access == SNDRV_PCM_ACCESS_RW_NONINTERLEAVED) {
 diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
-index 91cdf943..4085161 100644
+index 4dbb66e..eda2998 100644
 --- a/sound/core/pcm_compat.c
 +++ b/sound/core/pcm_compat.c
 @@ -31,7 +31,7 @@ static int snd_pcm_ioctl_delay_compat(struct snd_pcm_substream *substream,
@@ -121060,10 +120670,10 @@ index 0000000..4378111
 +}
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
 new file mode 100644
-index 0000000..ea4ae44
+index 0000000..b45b095
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,5116 @@
+@@ -0,0 +1,5117 @@
 +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
 +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
 +compat_sock_setsockopt_23 compat_sock_setsockopt 5 23 NULL
@@ -124453,6 +124063,7 @@ index 0000000..ea4ae44
 +__ext4_get_inode_loc_43332 __ext4_get_inode_loc 0 43332 NULL
 +svc_pool_map_get_43386 svc_pool_map_get 0 43386 NULL
 +xenfb_write_43412 xenfb_write 3 43412 NULL
++ext4_xattr_check_names_43422 ext4_xattr_check_names 0 43422 NULL
 +__alloc_bootmem_low_43423 __alloc_bootmem_low 1 43423 NULL
 +usb_alloc_urb_43436 usb_alloc_urb 1 43436 NULL
 +usb_string_43443 usb_string 0 43443 NULL nohasharray
@@ -127622,49 +127233,11 @@ index 547628e..74de9f2 100644
 +#endif
 +
  #endif
-diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
-index c946700..e32c93c 100644
---- a/virt/kvm/iommu.c
-+++ b/virt/kvm/iommu.c
-@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm,
- 				gfn_t base_gfn, unsigned long npages);
- 
- static pfn_t kvm_pin_pages(struct kvm *kvm, struct kvm_memory_slot *slot,
--			   gfn_t gfn, unsigned long size)
-+			   gfn_t gfn, unsigned long npages)
- {
- 	gfn_t end_gfn;
- 	pfn_t pfn;
- 
- 	pfn     = gfn_to_pfn_memslot(kvm, slot, gfn);
--	end_gfn = gfn + (size >> PAGE_SHIFT);
-+	end_gfn = gfn + npages;
- 	gfn    += 1;
- 
- 	if (is_error_pfn(pfn))
-@@ -117,7 +117,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
- 		 * Pin all pages we are about to map in memory. This is
- 		 * important because we unmap and unpin in 4kb steps later.
- 		 */
--		pfn = kvm_pin_pages(kvm, slot, gfn, page_size);
-+		pfn = kvm_pin_pages(kvm, slot, gfn, page_size >> PAGE_SHIFT);
- 		if (is_error_pfn(pfn)) {
- 			gfn += 1;
- 			continue;
-@@ -129,7 +129,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
- 		if (r) {
- 			printk(KERN_ERR "kvm_iommu_map_address:"
- 			       "iommu failed to map pfn=%llx\n", pfn);
--			kvm_unpin_pages(kvm, pfn, page_size);
-+			kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
- 			goto unmap_pages;
- 		}
- 
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index d83aa5e..52970b8 100644
+index 8b0617a..05843b4 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
-@@ -75,12 +75,17 @@ LIST_HEAD(vm_list);
+@@ -76,12 +76,17 @@ LIST_HEAD(vm_list);
  
  static cpumask_var_t cpus_hardware_enabled;
  static int kvm_usage_count = 0;
@@ -127684,7 +127257,7 @@ index d83aa5e..52970b8 100644
  
  struct dentry *kvm_debugfs_dir;
  
-@@ -659,7 +664,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
+@@ -660,7 +665,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
  	/* We can read the guest memory with __xxx_user() later on. */
  	if (user_alloc &&
  	    ((mem->userspace_addr & (PAGE_SIZE - 1)) ||
@@ -127693,7 +127266,7 @@ index d83aa5e..52970b8 100644
  			(void __user *)(unsigned long)mem->userspace_addr,
  			mem->memory_size)))
  		goto out;
-@@ -1493,8 +1498,17 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_cached);
+@@ -1494,8 +1499,17 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_cached);
  
  int kvm_clear_guest_page(struct kvm *kvm, gfn_t gfn, int offset, int len)
  {
@@ -127713,7 +127286,7 @@ index d83aa5e..52970b8 100644
  }
  EXPORT_SYMBOL_GPL(kvm_clear_guest_page);
  
-@@ -1660,7 +1674,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp)
+@@ -1661,7 +1675,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp)
  	return 0;
  }
  
@@ -127722,7 +127295,7 @@ index d83aa5e..52970b8 100644
  	.release        = kvm_vcpu_release,
  	.unlocked_ioctl = kvm_vcpu_ioctl,
  #ifdef CONFIG_COMPAT
-@@ -2183,7 +2197,7 @@ static int kvm_vm_mmap(struct file *file, struct vm_area_struct *vma)
+@@ -2187,7 +2201,7 @@ static int kvm_vm_mmap(struct file *file, struct vm_area_struct *vma)
  	return 0;
  }
  
@@ -127731,7 +127304,7 @@ index d83aa5e..52970b8 100644
  	.release        = kvm_vm_release,
  	.unlocked_ioctl = kvm_vm_ioctl,
  #ifdef CONFIG_COMPAT
-@@ -2281,7 +2295,7 @@ out:
+@@ -2285,7 +2299,7 @@ out:
  	return r;
  }
  
@@ -127740,7 +127313,7 @@ index d83aa5e..52970b8 100644
  	.unlocked_ioctl = kvm_dev_ioctl,
  	.compat_ioctl   = kvm_dev_ioctl,
  	.llseek		= noop_llseek,
-@@ -2307,7 +2321,7 @@ static void hardware_enable_nolock(void *junk)
+@@ -2311,7 +2325,7 @@ static void hardware_enable_nolock(void *junk)
  
  	if (r) {
  		cpumask_clear_cpu(cpu, cpus_hardware_enabled);
@@ -127749,7 +127322,7 @@ index d83aa5e..52970b8 100644
  		printk(KERN_INFO "kvm: enabling virtualization on "
  				 "CPU%d failed\n", cpu);
  	}
-@@ -2361,10 +2375,10 @@ static int hardware_enable_all(void)
+@@ -2365,10 +2379,10 @@ static int hardware_enable_all(void)
  
  	kvm_usage_count++;
  	if (kvm_usage_count == 1) {
@@ -127762,7 +127335,7 @@ index d83aa5e..52970b8 100644
  			hardware_disable_all_nolock();
  			r = -EBUSY;
  		}
-@@ -2715,7 +2729,7 @@ static void kvm_sched_out(struct preempt_notifier *pn,
+@@ -2719,7 +2733,7 @@ static void kvm_sched_out(struct preempt_notifier *pn,
  	kvm_arch_vcpu_put(vcpu);
  }
  
@@ -127771,7 +127344,7 @@ index d83aa5e..52970b8 100644
  		  struct module *module)
  {
  	int r;
-@@ -2778,7 +2792,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -2782,7 +2796,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  	if (!vcpu_align)
  		vcpu_align = __alignof__(struct kvm_vcpu);
  	kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
@@ -127780,7 +127353,7 @@ index d83aa5e..52970b8 100644
  	if (!kvm_vcpu_cache) {
  		r = -ENOMEM;
  		goto out_free_3;
-@@ -2788,9 +2802,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -2792,9 +2806,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  	if (r)
  		goto out_free;
  
@@ -127792,7 +127365,7 @@ index d83aa5e..52970b8 100644
  
  	r = misc_register(&kvm_dev);
  	if (r) {
-@@ -2800,9 +2816,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -2804,9 +2820,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  
  	register_syscore_ops(&kvm_syscore_ops);
  
diff --git a/3.2.64/4425_grsec_remove_EI_PAX.patch b/3.2.65/4425_grsec_remove_EI_PAX.patch
index cf65d90..366baa8 100644
--- a/3.2.64/4425_grsec_remove_EI_PAX.patch
+++ b/3.2.65/4425_grsec_remove_EI_PAX.patch
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
 --- linux-3.7.1-hardened.orig/security/Kconfig	2012-12-26 08:39:29.000000000 -0500
 +++ linux-3.7.1-hardened/security/Kconfig	2012-12-26 09:05:44.000000000 -0500
-@@ -267,7 +267,7 @@
+@@ -272,7 +272,7 @@
  
  config PAX_EI_PAX
  	bool 'Use legacy ELF header marking'
diff --git a/3.2.64/4427_force_XATTR_PAX_tmpfs.patch b/3.2.65/4427_force_XATTR_PAX_tmpfs.patch
index caaeed1..caaeed1 100644
--- a/3.2.64/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.2.65/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.2.64/4430_grsec-remove-localversion-grsec.patch b/3.2.65/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.2.64/4430_grsec-remove-localversion-grsec.patch
+++ b/3.2.65/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.2.64/4435_grsec-mute-warnings.patch b/3.2.65/4435_grsec-mute-warnings.patch
index da01ac7..da01ac7 100644
--- a/3.2.64/4435_grsec-mute-warnings.patch
+++ b/3.2.65/4435_grsec-mute-warnings.patch
diff --git a/3.2.64/4440_grsec-remove-protected-paths.patch b/3.2.65/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.2.64/4440_grsec-remove-protected-paths.patch
+++ b/3.2.65/4440_grsec-remove-protected-paths.patch
diff --git a/3.2.64/4450_grsec-kconfig-default-gids.patch b/3.2.65/4450_grsec-kconfig-default-gids.patch
index b4a0e64..9456d08 100644
--- a/3.2.64/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.65/4450_grsec-kconfig-default-gids.patch
@@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 diff -Nuar a/security/Kconfig b/security/Kconfig
 --- a/security/Kconfig	2012-10-13 09:51:35.000000000 -0400
 +++ b/security/Kconfig	2012-10-13 09:52:59.000000000 -0400
-@@ -195,7 +195,7 @@
+@@ -200,7 +200,7 @@
  
  config GRKERNSEC_PROC_GID
  	int "GID exempted from /proc restrictions"
@@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
  	help
  	  Setting this GID determines which group will be exempted from
  	  grsecurity's /proc restrictions, allowing users of the specified
-@@ -206,7 +206,7 @@
+@@ -211,7 +211,7 @@
  config GRKERNSEC_TPE_UNTRUSTED_GID
          int "GID for TPE-untrusted users"
          depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
          help
  	  Setting this GID determines which group untrusted users should
  	  be added to.  These users will be placed under grsecurity's Trusted Path
-@@ -218,7 +218,7 @@
+@@ -223,7 +223,7 @@
  config GRKERNSEC_TPE_TRUSTED_GID
          int "GID for TPE-trusted users"
          depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
          help
            Setting this GID determines what group TPE restrictions will be
            *disabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -227,7 +227,7 @@
+@@ -232,7 +232,7 @@
  config GRKERNSEC_SYMLINKOWN_GID
          int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
          depends on GRKERNSEC_CONFIG_SERVER
diff --git a/3.2.64/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.65/4465_selinux-avc_audit-log-curr_ip.patch
index ed1cb9b..ed1cb9b 100644
--- a/3.2.64/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.2.65/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.2.64/4470_disable-compat_vdso.patch b/3.2.65/4470_disable-compat_vdso.patch
index 42bc94d..42bc94d 100644
--- a/3.2.64/4470_disable-compat_vdso.patch
+++ b/3.2.65/4470_disable-compat_vdso.patch
diff --git a/3.2.64/4475_emutramp_default_on.patch b/3.2.65/4475_emutramp_default_on.patch
index 941870b..1f3d51a 100644
--- a/3.2.64/4475_emutramp_default_on.patch
+++ b/3.2.65/4475_emutramp_default_on.patch
@@ -10,7 +10,7 @@ See bug:
 diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
 --- linux-3.9.2-hardened.orig/security/Kconfig	2013-05-18 08:53:41.000000000 -0400
 +++ linux-3.9.2-hardened/security/Kconfig	2013-05-18 09:17:57.000000000 -0400
-@@ -427,7 +427,7 @@
+@@ -432,7 +432,7 @@
  
  config PAX_EMUTRAMP
  	bool "Emulate trampolines"
@@ -19,7 +19,7 @@ diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/secur
  	depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
  	help
  	  There are some programs and libraries that for one reason or
-@@ -450,6 +450,12 @@
+@@ -455,6 +455,12 @@
  	  utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
  	  for the affected files.