diff --git a/config/kernel/linux-rk3399-default.config b/config/kernel/linux-rk3399-default.config index 383dd94b4c..14d9b66400 100644 --- a/config/kernel/linux-rk3399-default.config +++ b/config/kernel/linux-rk3399-default.config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 4.4.178 Kernel Configuration +# Linux/arm64 4.4.180 Kernel Configuration # CONFIG_ARM64=y CONFIG_64BIT=y @@ -2494,6 +2494,7 @@ CONFIG_DEVPTS_MULTIPLE_INSTANCES=y # CONFIG_NOZOMI is not set # CONFIG_N_GSM is not set # CONFIG_TRACE_SINK is not set +CONFIG_LDISC_AUTOLOAD=y CONFIG_DEVMEM=y # CONFIG_DEVKMEM is not set @@ -2545,7 +2546,6 @@ CONFIG_HW_RANDOM=y # CONFIG_HW_RANDOM_TIMERIOMEM is not set CONFIG_HW_RANDOM_TPM=y CONFIG_HW_RANDOM_ROCKCHIP=m -# CONFIG_R3964 is not set # CONFIG_APPLICOM is not set # diff --git a/patch/kernel/rk3399-default/04-patch-4.4.178-179.patch b/patch/kernel/rk3399-default/04-patch-4.4.178-179.patch new file mode 100644 index 0000000000..7683ede405 --- /dev/null +++ b/patch/kernel/rk3399-default/04-patch-4.4.178-179.patch @@ -0,0 +1,5286 @@ +diff --git a/Documentation/arm/kernel_mode_neon.txt b/Documentation/arm/kernel_mode_neon.txt +index 525452726d31..b9e060c5b61e 100644 +--- a/Documentation/arm/kernel_mode_neon.txt ++++ b/Documentation/arm/kernel_mode_neon.txt +@@ -6,7 +6,7 @@ TL;DR summary + * Use only NEON instructions, or VFP instructions that don't rely on support + code + * Isolate your NEON code in a separate compilation unit, and compile it with +- '-mfpu=neon -mfloat-abi=softfp' ++ '-march=armv7-a -mfpu=neon -mfloat-abi=softfp' + * Put kernel_neon_begin() and kernel_neon_end() calls around the calls into your + NEON code + * Don't sleep in your NEON code, and be aware that it will be executed with +@@ -87,7 +87,7 @@ instructions appearing in unexpected places if no special care is taken. + Therefore, the recommended and only supported way of using NEON/VFP in the + kernel is by adhering to the following rules: + * isolate the NEON code in a separate compilation unit and compile it with +- '-mfpu=neon -mfloat-abi=softfp'; ++ '-march=armv7-a -mfpu=neon -mfloat-abi=softfp'; + * issue the calls to kernel_neon_begin(), kernel_neon_end() as well as the calls + into the unit containing the NEON code from a compilation unit which is *not* + built with the GCC flag '-mfpu=neon' set. +diff --git a/Makefile b/Makefile +index 35be7983ef2d..ee0a50b871b9 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 178 ++SUBLEVEL = 179 + EXTRAVERSION = + NAME = Blurry Fish Butt + +@@ -610,7 +610,7 @@ all: vmlinux + ifeq ($(cc-name),clang) + ifneq ($(CROSS_COMPILE),) + CLANG_TARGET := --target=$(notdir $(CROSS_COMPILE:%-=%)) +-GCC_TOOLCHAIN_DIR := $(dir $(shell which $(LD))) ++GCC_TOOLCHAIN_DIR := $(dir $(shell which $(CROSS_COMPILE)elfedit)) + CLANG_PREFIX := --prefix=$(GCC_TOOLCHAIN_DIR) + GCC_TOOLCHAIN := $(realpath $(GCC_TOOLCHAIN_DIR)/..) + endif +@@ -639,7 +639,7 @@ KBUILD_CFLAGS += $(call cc-disable-warning, int-in-bool-context) + KBUILD_CFLAGS += $(call cc-disable-warning, attribute-alias) + + ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE +-KBUILD_CFLAGS += $(call cc-option,-Oz,-Os) ++KBUILD_CFLAGS += -Os + else + ifdef CONFIG_PROFILE_ALL_BRANCHES + KBUILD_CFLAGS += -O2 +diff --git a/arch/arm/boot/dts/sama5d2-pinfunc.h b/arch/arm/boot/dts/sama5d2-pinfunc.h +index 8a394f336003..ee65702f9645 100644 +--- a/arch/arm/boot/dts/sama5d2-pinfunc.h ++++ b/arch/arm/boot/dts/sama5d2-pinfunc.h +@@ -517,7 +517,7 @@ + #define PIN_PC9__GPIO PINMUX_PIN(PIN_PC9, 0, 0) + #define PIN_PC9__FIQ PINMUX_PIN(PIN_PC9, 1, 3) + #define PIN_PC9__GTSUCOMP PINMUX_PIN(PIN_PC9, 2, 1) +-#define PIN_PC9__ISC_D0 PINMUX_PIN(PIN_PC9, 2, 1) ++#define PIN_PC9__ISC_D0 PINMUX_PIN(PIN_PC9, 3, 1) + #define PIN_PC9__TIOA4 PINMUX_PIN(PIN_PC9, 4, 2) + #define PIN_PC10 74 + #define PIN_PC10__GPIO PINMUX_PIN(PIN_PC10, 0, 0) +diff --git a/arch/arm/crypto/sha256-armv4.pl b/arch/arm/crypto/sha256-armv4.pl +index fac0533ea633..f64e8413ab9a 100644 +--- a/arch/arm/crypto/sha256-armv4.pl ++++ b/arch/arm/crypto/sha256-armv4.pl +@@ -205,10 +205,11 @@ K256: + .global sha256_block_data_order + .type sha256_block_data_order,%function + sha256_block_data_order: ++.Lsha256_block_data_order: + #if __ARM_ARCH__<7 + sub r3,pc,#8 @ sha256_block_data_order + #else +- adr r3,sha256_block_data_order ++ adr r3,.Lsha256_block_data_order + #endif + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) + ldr r12,.LOPENSSL_armcap +diff --git a/arch/arm/crypto/sha256-core.S_shipped b/arch/arm/crypto/sha256-core.S_shipped +index 555a1a8eec90..72c248081d27 100644 +--- a/arch/arm/crypto/sha256-core.S_shipped ++++ b/arch/arm/crypto/sha256-core.S_shipped +@@ -86,10 +86,11 @@ K256: + .global sha256_block_data_order + .type sha256_block_data_order,%function + sha256_block_data_order: ++.Lsha256_block_data_order: + #if __ARM_ARCH__<7 + sub r3,pc,#8 @ sha256_block_data_order + #else +- adr r3,sha256_block_data_order ++ adr r3,.Lsha256_block_data_order + #endif + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) + ldr r12,.LOPENSSL_armcap +diff --git a/arch/arm/crypto/sha512-armv4.pl b/arch/arm/crypto/sha512-armv4.pl +index a2b11a844357..5fe336420bcf 100644 +--- a/arch/arm/crypto/sha512-armv4.pl ++++ b/arch/arm/crypto/sha512-armv4.pl +@@ -267,10 +267,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) + .global sha512_block_data_order + .type sha512_block_data_order,%function + sha512_block_data_order: ++.Lsha512_block_data_order: + #if __ARM_ARCH__<7 + sub r3,pc,#8 @ sha512_block_data_order + #else +- adr r3,sha512_block_data_order ++ adr r3,.Lsha512_block_data_order + #endif + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) + ldr r12,.LOPENSSL_armcap +diff --git a/arch/arm/crypto/sha512-core.S_shipped b/arch/arm/crypto/sha512-core.S_shipped +index 3694c4d4ca2b..de9bd7f55242 100644 +--- a/arch/arm/crypto/sha512-core.S_shipped ++++ b/arch/arm/crypto/sha512-core.S_shipped +@@ -134,10 +134,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) + .global sha512_block_data_order + .type sha512_block_data_order,%function + sha512_block_data_order: ++.Lsha512_block_data_order: + #if __ARM_ARCH__<7 + sub r3,pc,#8 @ sha512_block_data_order + #else +- adr r3,sha512_block_data_order ++ adr r3,.Lsha512_block_data_order + #endif + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) + ldr r12,.LOPENSSL_armcap +diff --git a/arch/arm/include/asm/barrier.h b/arch/arm/include/asm/barrier.h +index 3ff5642d9788..27c1d26b05b5 100644 +--- a/arch/arm/include/asm/barrier.h ++++ b/arch/arm/include/asm/barrier.h +@@ -10,6 +10,8 @@ + #define sev() __asm__ __volatile__ ("sev" : : : "memory") + #define wfe() __asm__ __volatile__ ("wfe" : : : "memory") + #define wfi() __asm__ __volatile__ ("wfi" : : : "memory") ++#else ++#define wfe() do { } while (0) + #endif + + #if __LINUX_ARM_ARCH__ >= 7 +diff --git a/arch/arm/include/asm/processor.h b/arch/arm/include/asm/processor.h +index 8a1e8e995dae..08509183c7df 100644 +--- a/arch/arm/include/asm/processor.h ++++ b/arch/arm/include/asm/processor.h +@@ -77,7 +77,11 @@ extern void release_thread(struct task_struct *); + unsigned long get_wchan(struct task_struct *p); + + #if __LINUX_ARM_ARCH__ == 6 || defined(CONFIG_ARM_ERRATA_754327) +-#define cpu_relax() smp_mb() ++#define cpu_relax() \ ++ do { \ ++ smp_mb(); \ ++ __asm__ __volatile__("nop; nop; nop; nop; nop; nop; nop; nop; nop; nop;"); \ ++ } while (0) + #else + #define cpu_relax() barrier() + #endif +diff --git a/arch/arm/kernel/machine_kexec.c b/arch/arm/kernel/machine_kexec.c +index 8bf3b7c09888..46519916a465 100644 +--- a/arch/arm/kernel/machine_kexec.c ++++ b/arch/arm/kernel/machine_kexec.c +@@ -87,8 +87,11 @@ void machine_crash_nonpanic_core(void *unused) + + set_cpu_online(smp_processor_id(), false); + atomic_dec(&waiting_for_crash_ipi); +- while (1) ++ ++ while (1) { + cpu_relax(); ++ wfe(); ++ } + } + + static void machine_kexec_mask_interrupts(void) +diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c +index 69bda1a5707e..1f665acaa6a9 100644 +--- a/arch/arm/kernel/patch.c ++++ b/arch/arm/kernel/patch.c +@@ -15,7 +15,7 @@ struct patch { + unsigned int insn; + }; + +-static DEFINE_SPINLOCK(patch_lock); ++static DEFINE_RAW_SPINLOCK(patch_lock); + + static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags) + __acquires(&patch_lock) +@@ -32,7 +32,7 @@ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags) + return addr; + + if (flags) +- spin_lock_irqsave(&patch_lock, *flags); ++ raw_spin_lock_irqsave(&patch_lock, *flags); + else + __acquire(&patch_lock); + +@@ -47,7 +47,7 @@ static void __kprobes patch_unmap(int fixmap, unsigned long *flags) + clear_fixmap(fixmap); + + if (flags) +- spin_unlock_irqrestore(&patch_lock, *flags); ++ raw_spin_unlock_irqrestore(&patch_lock, *flags); + else + __release(&patch_lock); + } +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index 08ce9e36dc5a..0f1c11861147 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -563,8 +563,10 @@ static void ipi_cpu_stop(unsigned int cpu) + local_fiq_disable(); + local_irq_disable(); + +- while (1) ++ while (1) { + cpu_relax(); ++ wfe(); ++ } + } + + static DEFINE_PER_CPU(struct completion *, cpu_completion); +diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c +index 0bee233fef9a..314cfb232a63 100644 +--- a/arch/arm/kernel/unwind.c ++++ b/arch/arm/kernel/unwind.c +@@ -93,7 +93,7 @@ extern const struct unwind_idx __start_unwind_idx[]; + static const struct unwind_idx *__origin_unwind_idx; + extern const struct unwind_idx __stop_unwind_idx[]; + +-static DEFINE_SPINLOCK(unwind_lock); ++static DEFINE_RAW_SPINLOCK(unwind_lock); + static LIST_HEAD(unwind_tables); + + /* Convert a prel31 symbol to an absolute address */ +@@ -201,7 +201,7 @@ static const struct unwind_idx *unwind_find_idx(unsigned long addr) + /* module unwind tables */ + struct unwind_table *table; + +- spin_lock_irqsave(&unwind_lock, flags); ++ raw_spin_lock_irqsave(&unwind_lock, flags); + list_for_each_entry(table, &unwind_tables, list) { + if (addr >= table->begin_addr && + addr < table->end_addr) { +@@ -213,7 +213,7 @@ static const struct unwind_idx *unwind_find_idx(unsigned long addr) + break; + } + } +- spin_unlock_irqrestore(&unwind_lock, flags); ++ raw_spin_unlock_irqrestore(&unwind_lock, flags); + } + + pr_debug("%s: idx = %p\n", __func__, idx); +@@ -529,9 +529,9 @@ struct unwind_table *unwind_table_add(unsigned long start, unsigned long size, + tab->begin_addr = text_addr; + tab->end_addr = text_addr + text_size; + +- spin_lock_irqsave(&unwind_lock, flags); ++ raw_spin_lock_irqsave(&unwind_lock, flags); + list_add_tail(&tab->list, &unwind_tables); +- spin_unlock_irqrestore(&unwind_lock, flags); ++ raw_spin_unlock_irqrestore(&unwind_lock, flags); + + return tab; + } +@@ -543,9 +543,9 @@ void unwind_table_del(struct unwind_table *tab) + if (!tab) + return; + +- spin_lock_irqsave(&unwind_lock, flags); ++ raw_spin_lock_irqsave(&unwind_lock, flags); + list_del(&tab->list); +- spin_unlock_irqrestore(&unwind_lock, flags); ++ raw_spin_unlock_irqrestore(&unwind_lock, flags); + + kfree(tab); + } +diff --git a/arch/arm/lib/Makefile b/arch/arm/lib/Makefile +index d8a780799506..06348a3d50c2 100644 +--- a/arch/arm/lib/Makefile ++++ b/arch/arm/lib/Makefile +@@ -35,7 +35,7 @@ $(obj)/csumpartialcopy.o: $(obj)/csumpartialcopygeneric.S + $(obj)/csumpartialcopyuser.o: $(obj)/csumpartialcopygeneric.S + + ifeq ($(CONFIG_KERNEL_MODE_NEON),y) +- NEON_FLAGS := -mfloat-abi=softfp -mfpu=neon ++ NEON_FLAGS := -march=armv7-a -mfloat-abi=softfp -mfpu=neon + CFLAGS_xor-neon.o += $(NEON_FLAGS) + obj-$(CONFIG_XOR_BLOCKS) += xor-neon.o + endif +diff --git a/arch/arm/lib/xor-neon.c b/arch/arm/lib/xor-neon.c +index 2c40aeab3eaa..c691b901092f 100644 +--- a/arch/arm/lib/xor-neon.c ++++ b/arch/arm/lib/xor-neon.c +@@ -14,7 +14,7 @@ + MODULE_LICENSE("GPL"); + + #ifndef __ARM_NEON__ +-#error You should compile this file with '-mfloat-abi=softfp -mfpu=neon' ++#error You should compile this file with '-march=armv7-a -mfloat-abi=softfp -mfpu=neon' + #endif + + /* +diff --git a/arch/arm/mach-omap2/prm_common.c b/arch/arm/mach-omap2/prm_common.c +index 0ce4548ef7f0..4b9e9d1d8229 100644 +--- a/arch/arm/mach-omap2/prm_common.c ++++ b/arch/arm/mach-omap2/prm_common.c +@@ -533,8 +533,10 @@ void omap_prm_reset_system(void) + + prm_ll_data->reset_system(); + +- while (1) ++ while (1) { + cpu_relax(); ++ wfe(); ++ } + } + + /** +diff --git a/arch/arm/plat-samsung/Kconfig b/arch/arm/plat-samsung/Kconfig +index 57729b915003..b9396dcf836d 100644 +--- a/arch/arm/plat-samsung/Kconfig ++++ b/arch/arm/plat-samsung/Kconfig +@@ -255,7 +255,7 @@ config S3C_PM_DEBUG_LED_SMDK + + config SAMSUNG_PM_CHECK + bool "S3C2410 PM Suspend Memory CRC" +- depends on PM ++ depends on PM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210) + select CRC32 + help + Enable the PM code's memory area checksum over sleep. This option +diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h +index 195fd56b2377..34d4d2e2f561 100644 +--- a/arch/arm64/include/asm/futex.h ++++ b/arch/arm64/include/asm/futex.h +@@ -33,8 +33,8 @@ + " prfm pstl1strm, %2\n" \ + "1: ldxr %w1, %2\n" \ + insn "\n" \ +-"2: stlxr %w3, %w0, %2\n" \ +-" cbnz %w3, 1b\n" \ ++"2: stlxr %w0, %w3, %2\n" \ ++" cbnz %w0, 1b\n" \ + " dmb ish\n" \ + "3:\n" \ + " .pushsection .fixup,\"ax\"\n" \ +@@ -61,23 +61,23 @@ arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) + + switch (op) { + case FUTEX_OP_SET: +- __futex_atomic_op("mov %w0, %w4", ++ __futex_atomic_op("mov %w3, %w4", + ret, oldval, uaddr, tmp, oparg); + break; + case FUTEX_OP_ADD: +- __futex_atomic_op("add %w0, %w1, %w4", ++ __futex_atomic_op("add %w3, %w1, %w4", + ret, oldval, uaddr, tmp, oparg); + break; + case FUTEX_OP_OR: +- __futex_atomic_op("orr %w0, %w1, %w4", ++ __futex_atomic_op("orr %w3, %w1, %w4", + ret, oldval, uaddr, tmp, oparg); + break; + case FUTEX_OP_ANDN: +- __futex_atomic_op("and %w0, %w1, %w4", ++ __futex_atomic_op("and %w3, %w1, %w4", + ret, oldval, uaddr, tmp, ~oparg); + break; + case FUTEX_OP_XOR: +- __futex_atomic_op("eor %w0, %w1, %w4", ++ __futex_atomic_op("eor %w3, %w1, %w4", + ret, oldval, uaddr, tmp, oparg); + break; + default: +diff --git a/arch/arm64/kernel/kgdb.c b/arch/arm64/kernel/kgdb.c +index bcac81e600b9..f72743dc070d 100644 +--- a/arch/arm64/kernel/kgdb.c ++++ b/arch/arm64/kernel/kgdb.c +@@ -215,25 +215,34 @@ int kgdb_arch_handle_exception(int exception_vector, int signo, + + static int kgdb_brk_fn(struct pt_regs *regs, unsigned int esr) + { ++ if (user_mode(regs)) ++ return DBG_HOOK_ERROR; ++ + kgdb_handle_exception(1, SIGTRAP, 0, regs); +- return 0; ++ return DBG_HOOK_HANDLED; + } + NOKPROBE_SYMBOL(kgdb_brk_fn) + + static int kgdb_compiled_brk_fn(struct pt_regs *regs, unsigned int esr) + { ++ if (user_mode(regs)) ++ return DBG_HOOK_ERROR; ++ + compiled_break = 1; + kgdb_handle_exception(1, SIGTRAP, 0, regs); + +- return 0; ++ return DBG_HOOK_HANDLED; + } + NOKPROBE_SYMBOL(kgdb_compiled_brk_fn); + + static int kgdb_step_brk_fn(struct pt_regs *regs, unsigned int esr) + { ++ if (user_mode(regs)) ++ return DBG_HOOK_ERROR; ++ + kgdb_handle_exception(1, SIGTRAP, 0, regs); +- return 0; ++ return DBG_HOOK_HANDLED; + } + NOKPROBE_SYMBOL(kgdb_step_brk_fn); + + static struct break_hook kgdb_brkpt_hook = { +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c +index 04c4b88706d8..89abdf9af4e6 100644 +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -589,11 +589,12 @@ void __init hook_debug_fault_code(int nr, + debug_fault_info[nr].name = name; + } + +-asmlinkage int __exception do_debug_exception(unsigned long addr, ++asmlinkage int __exception do_debug_exception(unsigned long addr_if_watchpoint, + unsigned int esr, + struct pt_regs *regs) + { + const struct fault_info *inf = debug_fault_info + DBG_ESR_EVT(esr); ++ unsigned long pc = instruction_pointer(regs); + struct siginfo info; + int rv; + +@@ -604,16 +605,16 @@ asmlinkage int __exception do_debug_exception(unsigned long addr, + if (interrupts_enabled(regs)) + trace_hardirqs_off(); + +- if (!inf->fn(addr, esr, regs)) { ++ if (!inf->fn(addr_if_watchpoint, esr, regs)) { + rv = 1; + } else { + pr_alert("Unhandled debug exception: %s (0x%08x) at 0x%016lx\n", +- inf->name, esr, addr); ++ inf->name, esr, pc); + + info.si_signo = inf->sig; + info.si_errno = 0; + info.si_code = inf->code; +- info.si_addr = (void __user *)addr; ++ info.si_addr = (void __user *)pc; + arm64_notify_die("", regs, &info, 0); + rv = 0; + } +diff --git a/arch/h8300/Makefile b/arch/h8300/Makefile +index e1c02ca230cb..073bba6f9f60 100644 +--- a/arch/h8300/Makefile ++++ b/arch/h8300/Makefile +@@ -23,7 +23,7 @@ KBUILD_AFLAGS += $(aflags-y) + LDFLAGS += $(ldflags-y) + + ifeq ($(CROSS_COMPILE),) +-CROSS_COMPILE := h8300-unknown-linux- ++CROSS_COMPILE := $(call cc-cross-prefix, h8300-unknown-linux- h8300-linux-) + endif + + core-y += arch/$(ARCH)/kernel/ arch/$(ARCH)/mm/ +diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile +index 6da2cd0897f3..e94745321cac 100644 +--- a/arch/x86/boot/Makefile ++++ b/arch/x86/boot/Makefile +@@ -100,7 +100,7 @@ $(obj)/zoffset.h: $(obj)/compressed/vmlinux FORCE + AFLAGS_header.o += -I$(obj) + $(obj)/header.o: $(obj)/voffset.h $(obj)/zoffset.h + +-LDFLAGS_setup.elf := -T ++LDFLAGS_setup.elf := -m elf_i386 -T + $(obj)/setup.elf: $(src)/setup.ld $(SETUP_OBJS) FORCE + $(call if_changed,ld) + +diff --git a/arch/x86/crypto/poly1305-avx2-x86_64.S b/arch/x86/crypto/poly1305-avx2-x86_64.S +index eff2f414e22b..ec234c43b3f4 100644 +--- a/arch/x86/crypto/poly1305-avx2-x86_64.S ++++ b/arch/x86/crypto/poly1305-avx2-x86_64.S +@@ -321,6 +321,12 @@ ENTRY(poly1305_4block_avx2) + vpaddq t2,t1,t1 + vmovq t1x,d4 + ++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 -> ++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small ++ # amount. Careful: we must not assume the carry bits 'd0 >> 26', ++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit ++ # integers. It's true in a single-block implementation, but not here. ++ + # d1 += d0 >> 26 + mov d0,%rax + shr $26,%rax +@@ -359,16 +365,16 @@ ENTRY(poly1305_4block_avx2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +diff --git a/arch/x86/crypto/poly1305-sse2-x86_64.S b/arch/x86/crypto/poly1305-sse2-x86_64.S +index 338c748054ed..639d9760b089 100644 +--- a/arch/x86/crypto/poly1305-sse2-x86_64.S ++++ b/arch/x86/crypto/poly1305-sse2-x86_64.S +@@ -251,16 +251,16 @@ ENTRY(poly1305_block_sse2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +@@ -518,6 +518,12 @@ ENTRY(poly1305_2block_sse2) + paddq t2,t1 + movq t1,d4 + ++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 -> ++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small ++ # amount. Careful: we must not assume the carry bits 'd0 >> 26', ++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit ++ # integers. It's true in a single-block implementation, but not here. ++ + # d1 += d0 >> 26 + mov d0,%rax + shr $26,%rax +@@ -556,16 +562,16 @@ ENTRY(poly1305_2block_sse2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +index 0977e7607046..5937b112ebc2 100644 +--- a/arch/x86/include/asm/xen/hypercall.h ++++ b/arch/x86/include/asm/xen/hypercall.h +@@ -215,6 +215,9 @@ privcmd_call(unsigned call, + __HYPERCALL_DECLS; + __HYPERCALL_5ARG(a1, a2, a3, a4, a5); + ++ if (call >= PAGE_SIZE / sizeof(hypercall_page[0])) ++ return -EINVAL; ++ + stac(); + asm volatile(CALL_NOSPEC + : __HYPERCALL_5PARAM +diff --git a/arch/x86/kernel/cpu/cyrix.c b/arch/x86/kernel/cpu/cyrix.c +index 15e47c1cd412..6e4e4191abb5 100644 +--- a/arch/x86/kernel/cpu/cyrix.c ++++ b/arch/x86/kernel/cpu/cyrix.c +@@ -121,7 +121,7 @@ static void set_cx86_reorder(void) + setCx86(CX86_CCR3, (ccr3 & 0x0f) | 0x10); /* enable MAPEN */ + + /* Load/Store Serialize to mem access disable (=reorder it) */ +- setCx86_old(CX86_PCR0, getCx86_old(CX86_PCR0) & ~0x80); ++ setCx86(CX86_PCR0, getCx86(CX86_PCR0) & ~0x80); + /* set load/store serialize from 1GB to 4GB */ + ccr3 |= 0xe0; + setCx86(CX86_CCR3, ccr3); +@@ -132,11 +132,11 @@ static void set_cx86_memwb(void) + printk(KERN_INFO "Enable Memory-Write-back mode on Cyrix/NSC processor.\n"); + + /* CCR2 bit 2: unlock NW bit */ +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) & ~0x04); ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) & ~0x04); + /* set 'Not Write-through' */ + write_cr0(read_cr0() | X86_CR0_NW); + /* CCR2 bit 2: lock NW bit and set WT1 */ +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) | 0x14); ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x14); + } + + /* +@@ -150,14 +150,14 @@ static void geode_configure(void) + local_irq_save(flags); + + /* Suspend on halt power saving and enable #SUSP pin */ +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) | 0x88); ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88); + + ccr3 = getCx86(CX86_CCR3); + setCx86(CX86_CCR3, (ccr3 & 0x0f) | 0x10); /* enable MAPEN */ + + + /* FPU fast, DTE cache, Mem bypass */ +- setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x38); ++ setCx86(CX86_CCR4, getCx86(CX86_CCR4) | 0x38); + setCx86(CX86_CCR3, ccr3); /* disable MAPEN */ + + set_cx86_memwb(); +@@ -292,7 +292,7 @@ static void init_cyrix(struct cpuinfo_x86 *c) + /* GXm supports extended cpuid levels 'ala' AMD */ + if (c->cpuid_level == 2) { + /* Enable cxMMX extensions (GX1 Datasheet 54) */ +- setCx86_old(CX86_CCR7, getCx86_old(CX86_CCR7) | 1); ++ setCx86(CX86_CCR7, getCx86(CX86_CCR7) | 1); + + /* + * GXm : 0x30 ... 0x5f GXm datasheet 51 +@@ -315,7 +315,7 @@ static void init_cyrix(struct cpuinfo_x86 *c) + if (dir1 > 7) { + dir0_msn++; /* M II */ + /* Enable MMX extensions (App note 108) */ +- setCx86_old(CX86_CCR7, getCx86_old(CX86_CCR7)|1); ++ setCx86(CX86_CCR7, getCx86(CX86_CCR7)|1); + } else { + /* A 6x86MX - it has the bug. */ + set_cpu_bug(c, X86_BUG_COMA); +diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c +index 3fdc1e53aaac..9cce5504a5c7 100644 +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -825,6 +825,8 @@ int __init hpet_enable(void) + return 0; + + hpet_set_mapping(); ++ if (!hpet_virt_address) ++ return 0; + + /* + * Read the period and check for a sane value: +diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c +index 2bcfb5f2bc44..433f17d154e2 100644 +--- a/arch/x86/kernel/hw_breakpoint.c ++++ b/arch/x86/kernel/hw_breakpoint.c +@@ -351,6 +351,7 @@ int arch_validate_hwbkpt_settings(struct perf_event *bp) + #endif + default: + WARN_ON_ONCE(1); ++ return -EINVAL; + } + + /* +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index c6f466d6cc57..a9fc2292d9ce 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -541,6 +541,7 @@ void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs) + unsigned long *sara = stack_addr(regs); + + ri->ret_addr = (kprobe_opcode_t *) *sara; ++ ri->fp = sara; + + /* Replace the return addr with trampoline addr */ + *sara = (unsigned long) &kretprobe_trampoline; +@@ -742,15 +743,21 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) + unsigned long flags, orig_ret_address = 0; + unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline; + kprobe_opcode_t *correct_ret_addr = NULL; ++ void *frame_pointer; ++ bool skipped = false; + + INIT_HLIST_HEAD(&empty_rp); + kretprobe_hash_lock(current, &head, &flags); + /* fixup registers */ + #ifdef CONFIG_X86_64 + regs->cs = __KERNEL_CS; ++ /* On x86-64, we use pt_regs->sp for return address holder. */ ++ frame_pointer = ®s->sp; + #else + regs->cs = __KERNEL_CS | get_kernel_rpl(); + regs->gs = 0; ++ /* On x86-32, we use pt_regs->flags for return address holder. */ ++ frame_pointer = ®s->flags; + #endif + regs->ip = trampoline_address; + regs->orig_ax = ~0UL; +@@ -772,8 +779,25 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ /* ++ * Return probes must be pushed on this hash list correct ++ * order (same as return order) so that it can be poped ++ * correctly. However, if we find it is pushed it incorrect ++ * order, this means we find a function which should not be ++ * probed, because the wrong order entry is pushed on the ++ * path of processing other kretprobe itself. ++ */ ++ if (ri->fp != frame_pointer) { ++ if (!skipped) ++ pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n"); ++ skipped = true; ++ continue; ++ } + + orig_ret_address = (unsigned long)ri->ret_addr; ++ if (skipped) ++ pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n", ++ ri->rp->kp.addr); + + if (orig_ret_address != trampoline_address) + /* +@@ -791,6 +815,8 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ if (ri->fp != frame_pointer) ++ continue; + + orig_ret_address = (unsigned long)ri->ret_addr; + if (ri->rp && ri->rp->handler) { +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index a703842b54de..17e1e60b6b40 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -365,7 +365,7 @@ SECTIONS + * Per-cpu symbols which need to be offset from __per_cpu_load + * for the boot processor. + */ +-#define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load ++#define INIT_PER_CPU(x) init_per_cpu__##x = ABSOLUTE(x) + __per_cpu_load + INIT_PER_CPU(gdt_page); + INIT_PER_CPU(irq_stack_union); + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index f1507626ed36..5dd56e3517f3 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2567,15 +2567,13 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt) + * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU + * supports long mode. + */ +- cr4 = ctxt->ops->get_cr(ctxt, 4); + if (emulator_has_longmode(ctxt)) { + struct desc_struct cs_desc; + + /* Zero CR4.PCIDE before CR0.PG. */ +- if (cr4 & X86_CR4_PCIDE) { ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (cr4 & X86_CR4_PCIDE) + ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE); +- cr4 &= ~X86_CR4_PCIDE; +- } + + /* A 32-bit code segment is required to clear EFER.LMA. */ + memset(&cs_desc, 0, sizeof(cs_desc)); +@@ -2589,13 +2587,16 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt) + if (cr0 & X86_CR0_PE) + ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE)); + +- /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */ +- if (cr4 & X86_CR4_PAE) +- ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); ++ if (emulator_has_longmode(ctxt)) { ++ /* Clear CR4.PAE before clearing EFER.LME. */ ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (cr4 & X86_CR4_PAE) ++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); + +- /* And finally go back to 32-bit mode. */ +- efer = 0; +- ctxt->ops->set_msr(ctxt, MSR_EFER, efer); ++ /* And finally go back to 32-bit mode. */ ++ efer = 0; ++ ctxt->ops->set_msr(ctxt, MSR_EFER, efer); ++ } + + smbase = ctxt->ops->get_smbase(ctxt); + if (emulator_has_longmode(ctxt)) +diff --git a/arch/x86/realmode/rm/Makefile b/arch/x86/realmode/rm/Makefile +index 2730d775ef9a..228cb16962ba 100644 +--- a/arch/x86/realmode/rm/Makefile ++++ b/arch/x86/realmode/rm/Makefile +@@ -43,7 +43,7 @@ $(obj)/pasyms.h: $(REALMODE_OBJS) FORCE + targets += realmode.lds + $(obj)/realmode.lds: $(obj)/pasyms.h + +-LDFLAGS_realmode.elf := --emit-relocs -T ++LDFLAGS_realmode.elf := -m elf_i386 --emit-relocs -T + CPPFLAGS_realmode.lds += -P -C -I$(obj) + + targets += realmode.elf +diff --git a/arch/xtensa/kernel/stacktrace.c b/arch/xtensa/kernel/stacktrace.c +index 7538d802b65a..483593068139 100644 +--- a/arch/xtensa/kernel/stacktrace.c ++++ b/arch/xtensa/kernel/stacktrace.c +@@ -272,10 +272,14 @@ static int return_address_cb(struct stackframe *frame, void *data) + return 1; + } + ++/* ++ * level == 0 is for the return address from the caller of this function, ++ * not from this function itself. ++ */ + unsigned long return_address(unsigned level) + { + struct return_addr_data r = { +- .skip = level + 1, ++ .skip = level, + }; + walk_stackframe(stack_pointer(NULL), return_address_cb, &r); + return r.addr; +diff --git a/block/bio.c b/block/bio.c +index 63363a689922..cf513f74dffd 100644 +--- a/block/bio.c ++++ b/block/bio.c +@@ -1216,8 +1216,11 @@ struct bio *bio_copy_user_iov(struct request_queue *q, + } + } + +- if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) ++ if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) { ++ if (!map_data) ++ __free_page(page); + break; ++ } + + len -= bytes; + offset = 0; +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index 0e02c60a57b6..743d6cb7f8cd 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -3494,7 +3494,49 @@ static struct hash_testvec poly1305_tv_template[] = { + .psize = 80, + .digest = "\x13\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00", +- }, ++ }, { /* Regression test for overflow in AVX2 implementation */ ++ .plaintext = "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff", ++ .psize = 300, ++ .digest = "\xfb\x5e\x96\xd8\x61\xd5\xc7\xc8" ++ "\x78\xe5\x87\xcc\x2d\x5a\x22\xe1", ++ } + }; + + /* +diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c +index cb3dedb1beae..b133dac8a7f2 100644 +--- a/drivers/acpi/sbs.c ++++ b/drivers/acpi/sbs.c +@@ -443,9 +443,13 @@ static int acpi_ac_get_present(struct acpi_sbs *sbs) + + /* + * The spec requires that bit 4 always be 1. If it's not set, assume +- * that the implementation doesn't support an SBS charger ++ * that the implementation doesn't support an SBS charger. ++ * ++ * And on some MacBooks a status of 0xffff is always returned, no ++ * matter whether the charger is plugged in or not, which is also ++ * wrong, so ignore the SBS charger for those too. + */ +- if (!((status >> 4) & 0x1)) ++ if (!((status >> 4) & 0x1) || status == 0xffff) + return -ENODEV; + + sbs->charger_present = (status >> 15) & 0x1; +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index d203940203b6..aee23092f50e 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -265,6 +265,7 @@ + /* #define ERRLOGMASK (CD_WARNING|CD_OPEN|CD_COUNT_TRACKS|CD_CLOSE) */ + /* #define ERRLOGMASK (CD_WARNING|CD_REG_UNREG|CD_DO_IOCTL|CD_OPEN|CD_CLOSE|CD_COUNT_TRACKS) */ + ++#include + #include + #include + #include +@@ -3677,9 +3678,9 @@ static struct ctl_table_header *cdrom_sysctl_header; + + static void cdrom_sysctl_register(void) + { +- static int initialized; ++ static atomic_t initialized = ATOMIC_INIT(0); + +- if (initialized == 1) ++ if (!atomic_add_unless(&initialized, 1, 1)) + return; + + cdrom_sysctl_header = register_sysctl_table(cdrom_root_table); +@@ -3690,8 +3691,6 @@ static void cdrom_sysctl_register(void) + cdrom_sysctl_settings.debug = debug; + cdrom_sysctl_settings.lock = lockdoor; + cdrom_sysctl_settings.check = check_media_type; +- +- initialized = 1; + } + + static void cdrom_sysctl_unregister(void) +diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig +index 3143db57ce44..2bc741bea8f3 100644 +--- a/drivers/char/Kconfig ++++ b/drivers/char/Kconfig +@@ -389,7 +389,7 @@ config XILINX_HWICAP + + config R3964 + tristate "Siemens R3964 line discipline" +- depends on TTY ++ depends on TTY && BROKEN + ---help--- + This driver allows synchronous communication with devices using the + Siemens R3964 packet protocol. Unless you are dealing with special +diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c +index 240b6cf1d97c..72e073895ed9 100644 +--- a/drivers/char/hpet.c ++++ b/drivers/char/hpet.c +@@ -376,7 +376,7 @@ static __init int hpet_mmap_enable(char *str) + pr_info("HPET mmap %s\n", hpet_mmap_enabled ? "enabled" : "disabled"); + return 1; + } +-__setup("hpet_mmap", hpet_mmap_enable); ++__setup("hpet_mmap=", hpet_mmap_enable); + + static int hpet_mmap(struct file *file, struct vm_area_struct *vma) + { +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 3fa2f8a009b3..1c5c4314c6b5 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -73,7 +73,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + + if (!vi->busy) { + vi->busy = true; +- init_completion(&vi->have_data); ++ reinit_completion(&vi->have_data); + register_buffer(vi, buf, size); + } + +diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c +index 35308dfff754..8226e3b6dc1f 100644 +--- a/drivers/char/tpm/tpm_crb.c ++++ b/drivers/char/tpm/tpm_crb.c +@@ -109,19 +109,29 @@ static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count) + struct crb_priv *priv = chip->vendor.priv; + unsigned int expected; + +- /* sanity check */ +- if (count < 6) ++ /* A sanity check that the upper layer wants to get at least the header ++ * as that is the minimum size for any TPM response. ++ */ ++ if (count < TPM_HEADER_SIZE) + return -EIO; + ++ /* If this bit is set, according to the spec, the TPM is in ++ * unrecoverable condition. ++ */ + if (le32_to_cpu(ioread32(&priv->cca->sts)) & CRB_CA_STS_ERROR) + return -EIO; + +- memcpy_fromio(buf, priv->rsp, 6); +- expected = be32_to_cpup((__be32 *) &buf[2]); +- if (expected > count || expected < 6) ++ /* Read the first 8 bytes in order to get the length of the response. ++ * We read exactly a quad word in order to make sure that the remaining ++ * reads will be aligned. ++ */ ++ memcpy_fromio(buf, priv->rsp, 8); ++ ++ expected = be32_to_cpup((__be32 *)&buf[2]); ++ if (expected > count || expected < TPM_HEADER_SIZE) + return -EIO; + +- memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6); ++ memcpy_fromio(&buf[8], &priv->rsp[8], expected - 8); + + return expected; + } +diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c +index dd8f0eb3170a..73f7e0f7e34a 100644 +--- a/drivers/char/tpm/tpm_i2c_atmel.c ++++ b/drivers/char/tpm/tpm_i2c_atmel.c +@@ -65,7 +65,15 @@ static int i2c_atmel_send(struct tpm_chip *chip, u8 *buf, size_t len) + dev_dbg(&chip->dev, + "%s(buf=%*ph len=%0zx) -> sts=%d\n", __func__, + (int)min_t(size_t, 64, len), buf, len, status); +- return status; ++ ++ if (status < 0) ++ return status; ++ ++ /* The upper layer does not support incomplete sends. */ ++ if (status != len) ++ return -E2BIG; ++ ++ return 0; + } + + static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count) +diff --git a/drivers/crypto/amcc/crypto4xx_alg.c b/drivers/crypto/amcc/crypto4xx_alg.c +index 4afca3968773..e3b8bebfdd30 100644 +--- a/drivers/crypto/amcc/crypto4xx_alg.c ++++ b/drivers/crypto/amcc/crypto4xx_alg.c +@@ -138,7 +138,8 @@ static int crypto4xx_setkey_aes(struct crypto_ablkcipher *cipher, + sa = (struct dynamic_sa_ctl *) ctx->sa_in; + ctx->hash_final = 0; + +- set_dynamic_sa_command_0(sa, SA_NOT_SAVE_HASH, SA_NOT_SAVE_IV, ++ set_dynamic_sa_command_0(sa, SA_NOT_SAVE_HASH, (cm == CRYPTO_MODE_CBC ? ++ SA_SAVE_IV : SA_NOT_SAVE_IV), + SA_LOAD_HASH_FROM_SA, SA_LOAD_IV_FROM_STATE, + SA_NO_HEADER_PROC, SA_HASH_ALG_NULL, + SA_CIPHER_ALG_AES, SA_PAD_TYPE_ZERO, +diff --git a/drivers/crypto/amcc/crypto4xx_core.c b/drivers/crypto/amcc/crypto4xx_core.c +index 78d0722feacb..1e810f5f03fa 100644 +--- a/drivers/crypto/amcc/crypto4xx_core.c ++++ b/drivers/crypto/amcc/crypto4xx_core.c +@@ -645,6 +645,15 @@ static u32 crypto4xx_ablkcipher_done(struct crypto4xx_device *dev, + addr = dma_map_page(dev->core_dev->device, sg_page(dst), + dst->offset, dst->length, DMA_FROM_DEVICE); + } ++ ++ if (pd_uinfo->sa_va->sa_command_0.bf.save_iv == SA_SAVE_IV) { ++ struct crypto_skcipher *skcipher = crypto_skcipher_reqtfm(req); ++ ++ crypto4xx_memcpy_from_le32((u32 *)req->iv, ++ pd_uinfo->sr_va->save_iv, ++ crypto_skcipher_ivsize(skcipher)); ++ } ++ + crypto4xx_ret_sg_desc(dev, pd_uinfo); + if (ablk_req->base.complete != NULL) + ablk_req->base.complete(&ablk_req->base, 0); +diff --git a/drivers/dma/imx-dma.c b/drivers/dma/imx-dma.c +index dfa337ae06fc..529b315a6683 100644 +--- a/drivers/dma/imx-dma.c ++++ b/drivers/dma/imx-dma.c +@@ -286,7 +286,7 @@ static inline int imxdma_sg_next(struct imxdma_desc *d) + struct scatterlist *sg = d->sg; + unsigned long now; + +- now = min(d->len, sg_dma_len(sg)); ++ now = min_t(size_t, d->len, sg_dma_len(sg)); + if (d->len != IMX_DMA_LENGTH_LOOP) + d->len -= now; + +diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c +index c8f79dcaaee8..67f201b8dcda 100644 +--- a/drivers/dma/tegra20-apb-dma.c ++++ b/drivers/dma/tegra20-apb-dma.c +@@ -632,7 +632,10 @@ static void handle_cont_sngl_cycle_dma_done(struct tegra_dma_channel *tdc, + + sgreq = list_first_entry(&tdc->pending_sg_req, typeof(*sgreq), node); + dma_desc = sgreq->dma_desc; +- dma_desc->bytes_transferred += sgreq->req_len; ++ /* if we dma for long enough the transfer count will wrap */ ++ dma_desc->bytes_transferred = ++ (dma_desc->bytes_transferred + sgreq->req_len) % ++ dma_desc->bytes_requested; + + /* Callback need to be call */ + if (!dma_desc->cb_count) +diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c +index f7fbb46d5d79..9943273ec981 100644 +--- a/drivers/gpio/gpio-omap.c ++++ b/drivers/gpio/gpio-omap.c +@@ -872,14 +872,16 @@ static void omap_gpio_unmask_irq(struct irq_data *d) + if (trigger) + omap_set_gpio_triggering(bank, offset, trigger); + +- /* For level-triggered GPIOs, the clearing must be done after +- * the HW source is cleared, thus after the handler has run */ +- if (bank->level_mask & BIT(offset)) { +- omap_set_gpio_irqenable(bank, offset, 0); ++ omap_set_gpio_irqenable(bank, offset, 1); ++ ++ /* ++ * For level-triggered GPIOs, clearing must be done after the source ++ * is cleared, thus after the handler has run. OMAP4 needs this done ++ * after enabing the interrupt to clear the wakeup status. ++ */ ++ if (bank->level_mask & BIT(offset)) + omap_clear_gpio_irqstatus(bank, offset); +- } + +- omap_set_gpio_irqenable(bank, offset, 1); + raw_spin_unlock_irqrestore(&bank->lock, flags); + } + +diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c +index 5a1bafb5ecbb..ff12d926eb65 100644 +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -3019,6 +3019,7 @@ static int drm_dp_mst_i2c_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs + msg.u.i2c_read.transactions[i].i2c_dev_id = msgs[i].addr; + msg.u.i2c_read.transactions[i].num_bytes = msgs[i].len; + msg.u.i2c_read.transactions[i].bytes = msgs[i].buf; ++ msg.u.i2c_read.transactions[i].no_stop_bit = !(msgs[i].flags & I2C_M_STOP); + } + msg.u.i2c_read.read_i2c_device_id = msgs[num - 1].addr; + msg.u.i2c_read.num_bytes_read = msgs[num - 1].len; +diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c +index 0edc10b44004..c80cc18747cb 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x.c +@@ -54,7 +54,8 @@ static void etm4_os_unlock(void *info) + + static bool etm4_arch_supported(u8 arch) + { +- switch (arch) { ++ /* Mask out the minor version number */ ++ switch (arch & 0xf0) { + case ETM_ARCH_V4: + break; + default: +diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c +index e4587411b447..153376009b46 100644 +--- a/drivers/i2c/i2c-core.c ++++ b/drivers/i2c/i2c-core.c +@@ -2936,16 +2936,16 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, + the underlying bus driver */ + break; + case I2C_SMBUS_I2C_BLOCK_DATA: ++ if (data->block[0] > I2C_SMBUS_BLOCK_MAX) { ++ dev_err(&adapter->dev, "Invalid block %s size %d\n", ++ read_write == I2C_SMBUS_READ ? "read" : "write", ++ data->block[0]); ++ return -EINVAL; ++ } + if (read_write == I2C_SMBUS_READ) { + msg[1].len = data->block[0]; + } else { + msg[0].len = data->block[0] + 1; +- if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) { +- dev_err(&adapter->dev, +- "Invalid block write size %d\n", +- data->block[0]); +- return -EINVAL; +- } + for (i = 1; i <= data->block[0]; i++) + msgbuf0[i] = data->block[i]; + } +diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c +index 18c1b06684c1..0667b2875ee4 100644 +--- a/drivers/iio/accel/kxcjk-1013.c ++++ b/drivers/iio/accel/kxcjk-1013.c +@@ -1343,6 +1343,8 @@ static int kxcjk1013_resume(struct device *dev) + + mutex_lock(&data->mutex); + ret = kxcjk1013_set_mode(data, OPERATION); ++ if (ret == 0) ++ ret = kxcjk1013_set_range(data, data->range); + mutex_unlock(&data->mutex); + + return ret; +diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c +index 22c4c17cd996..a1d072ecb717 100644 +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_sigma_delta *sigma_delta, + if (sigma_delta->info->has_registers) { + data[0] = reg << sigma_delta->info->addr_shift; + data[0] |= sigma_delta->info->read_mask; ++ data[0] |= sigma_delta->comm; + spi_message_add_tail(&t[0], &m); + } + spi_message_add_tail(&t[1], &m); +diff --git a/drivers/iio/adc/at91_adc.c b/drivers/iio/adc/at91_adc.c +index d83e5b75a37b..4b317ffd144c 100644 +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -702,23 +702,29 @@ static int at91_adc_read_raw(struct iio_dev *idev, + ret = wait_event_interruptible_timeout(st->wq_data_avail, + st->done, + msecs_to_jiffies(1000)); +- if (ret == 0) +- ret = -ETIMEDOUT; +- if (ret < 0) { +- mutex_unlock(&st->lock); +- return ret; +- } +- +- *val = st->last_value; + ++ /* Disable interrupts, regardless if adc conversion was ++ * successful or not ++ */ + at91_adc_writel(st, AT91_ADC_CHDR, + AT91_ADC_CH(chan->channel)); + at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel)); + +- st->last_value = 0; +- st->done = false; ++ if (ret > 0) { ++ /* a valid conversion took place */ ++ *val = st->last_value; ++ st->last_value = 0; ++ st->done = false; ++ ret = IIO_VAL_INT; ++ } else if (ret == 0) { ++ /* conversion timeout */ ++ dev_err(&idev->dev, "ADC Channel %d timeout.\n", ++ chan->channel); ++ ret = -ETIMEDOUT; ++ } ++ + mutex_unlock(&st->lock); +- return IIO_VAL_INT; ++ return ret; + + case IIO_CHAN_INFO_SCALE: + *val = st->vref_mv; +diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c +index 90841abd3ce4..a4dc6a3783d0 100644 +--- a/drivers/iio/gyro/bmg160_core.c ++++ b/drivers/iio/gyro/bmg160_core.c +@@ -519,11 +519,10 @@ static int bmg160_read_raw(struct iio_dev *indio_dev, + } else + return -EINVAL; + case IIO_CHAN_INFO_SCALE: +- *val = 0; + switch (chan->type) { + case IIO_TEMP: +- *val2 = 500000; +- return IIO_VAL_INT_PLUS_MICRO; ++ *val = 500; ++ return IIO_VAL_INT; + case IIO_ANGL_VEL: + { + int i; +@@ -531,6 +530,7 @@ static int bmg160_read_raw(struct iio_dev *indio_dev, + for (i = 0; i < ARRAY_SIZE(bmg160_scale_table); ++i) { + if (bmg160_scale_table[i].dps_range == + data->dps_range) { ++ *val = 0; + *val2 = bmg160_scale_table[i].scale; + return IIO_VAL_INT_PLUS_MICRO; + } +diff --git a/drivers/infiniband/hw/mlx4/alias_GUID.c b/drivers/infiniband/hw/mlx4/alias_GUID.c +index 21cb41a60fe8..3a70b418d913 100644 +--- a/drivers/infiniband/hw/mlx4/alias_GUID.c ++++ b/drivers/infiniband/hw/mlx4/alias_GUID.c +@@ -805,8 +805,8 @@ void mlx4_ib_destroy_alias_guid_service(struct mlx4_ib_dev *dev) + unsigned long flags; + + for (i = 0 ; i < dev->num_ports; i++) { +- cancel_delayed_work(&dev->sriov.alias_guid.ports_guid[i].alias_guid_work); + det = &sriov->alias_guid.ports_guid[i]; ++ cancel_delayed_work_sync(&det->alias_guid_work); + spin_lock_irqsave(&sriov->alias_guid.ag_work_lock, flags); + while (!list_empty(&det->cb_list)) { + cb_ctx = list_entry(det->cb_list.next, +diff --git a/drivers/infiniband/hw/mlx4/cm.c b/drivers/infiniband/hw/mlx4/cm.c +index 39a488889fc7..5dc920fe1326 100644 +--- a/drivers/infiniband/hw/mlx4/cm.c ++++ b/drivers/infiniband/hw/mlx4/cm.c +@@ -39,7 +39,7 @@ + + #include "mlx4_ib.h" + +-#define CM_CLEANUP_CACHE_TIMEOUT (5 * HZ) ++#define CM_CLEANUP_CACHE_TIMEOUT (30 * HZ) + + struct id_map_entry { + struct rb_node node; +diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c +index 5a63e32a4a6b..cbad1926cec1 100644 +--- a/drivers/iommu/dmar.c ++++ b/drivers/iommu/dmar.c +@@ -143,7 +143,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event) + for (tmp = dev; tmp; tmp = tmp->bus->self) + level++; + +- size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path); ++ size = sizeof(*info) + level * sizeof(info->path[0]); + if (size <= sizeof(dmar_pci_notify_info_buf)) { + info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf; + } else { +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index 8b4a4d95669a..3e97c4b2ebed 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -1598,6 +1598,9 @@ static void iommu_disable_protect_mem_regions(struct intel_iommu *iommu) + u32 pmen; + unsigned long flags; + ++ if (!cap_plmr(iommu->cap) && !cap_phmr(iommu->cap)) ++ return; ++ + raw_spin_lock_irqsave(&iommu->register_lock, flags); + pmen = readl(iommu->reg + DMAR_PMEN_REG); + pmen &= ~DMA_PMEN_EPM; +diff --git a/drivers/leds/leds-lp55xx-common.c b/drivers/leds/leds-lp55xx-common.c +index 59b76833f0d3..fd077c176a62 100644 +--- a/drivers/leds/leds-lp55xx-common.c ++++ b/drivers/leds/leds-lp55xx-common.c +@@ -200,7 +200,7 @@ static void lp55xx_firmware_loaded(const struct firmware *fw, void *context) + + if (!fw) { + dev_err(dev, "firmware request failed\n"); +- goto out; ++ return; + } + + /* handling firmware data is chip dependent */ +@@ -213,9 +213,9 @@ static void lp55xx_firmware_loaded(const struct firmware *fw, void *context) + + mutex_unlock(&chip->lock); + +-out: + /* firmware should be released for other channel use */ + release_firmware(chip->fw); ++ chip->fw = NULL; + } + + static int lp55xx_request_firmware(struct lp55xx_chip *chip) +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index 5a5c1f1bd8a5..463ce6757338 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -215,7 +215,9 @@ STORE(__cached_dev) + d_strtoul(writeback_rate_d_term); + d_strtoul_nonzero(writeback_rate_p_term_inverse); + +- d_strtoi_h(sequential_cutoff); ++ sysfs_strtoul_clamp(sequential_cutoff, ++ dc->sequential_cutoff, ++ 0, UINT_MAX); + d_strtoi_h(readahead); + + if (attr == &sysfs_clear_stats) +@@ -645,8 +647,17 @@ STORE(__bch_cache_set) + c->error_limit = strtoul_or_return(buf) << IO_ERROR_SHIFT; + + /* See count_io_errors() for why 88 */ +- if (attr == &sysfs_io_error_halflife) +- c->error_decay = strtoul_or_return(buf) / 88; ++ if (attr == &sysfs_io_error_halflife) { ++ unsigned long v = 0; ++ ssize_t ret; ++ ++ ret = strtoul_safe_clamp(buf, v, 0, UINT_MAX); ++ if (!ret) { ++ c->error_decay = v / 88; ++ return size; ++ } ++ return ret; ++ } + + sysfs_strtoul(journal_delay_ms, c->journal_delay_ms); + sysfs_strtoul(verify, c->verify); +diff --git a/drivers/md/bcache/sysfs.h b/drivers/md/bcache/sysfs.h +index 0526fe92a683..e7a3c12aa66f 100644 +--- a/drivers/md/bcache/sysfs.h ++++ b/drivers/md/bcache/sysfs.h +@@ -80,9 +80,16 @@ do { \ + + #define sysfs_strtoul_clamp(file, var, min, max) \ + do { \ +- if (attr == &sysfs_ ## file) \ +- return strtoul_safe_clamp(buf, var, min, max) \ +- ?: (ssize_t) size; \ ++ if (attr == &sysfs_ ## file) { \ ++ unsigned long v = 0; \ ++ ssize_t ret; \ ++ ret = strtoul_safe_clamp(buf, v, min, max); \ ++ if (!ret) { \ ++ var = v; \ ++ return size; \ ++ } \ ++ return ret; \ ++ } \ + } while (0) + + #define strtoul_or_return(cp) \ +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c +index 07eaa9f90712..d52ea584e0bc 100644 +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -3210,6 +3210,13 @@ static int pool_ctr(struct dm_target *ti, unsigned argc, char **argv) + as.argc = argc; + as.argv = argv; + ++ /* make sure metadata and data are different devices */ ++ if (!strcmp(argv[0], argv[1])) { ++ ti->error = "Error setting metadata or data device"; ++ r = -EINVAL; ++ goto out_unlock; ++ } ++ + /* + * Set default pool features. + */ +@@ -4092,6 +4099,12 @@ static int thin_ctr(struct dm_target *ti, unsigned argc, char **argv) + tc->sort_bio_list = RB_ROOT; + + if (argc == 3) { ++ if (!strcmp(argv[0], argv[2])) { ++ ti->error = "Error setting origin device"; ++ r = -EINVAL; ++ goto bad_origin_dev; ++ } ++ + r = dm_get_device(ti, argv[2], FMODE_READ, &origin_dev); + if (r) { + ti->error = "Error opening origin device"; +diff --git a/drivers/media/i2c/soc_camera/mt9m111.c b/drivers/media/i2c/soc_camera/mt9m111.c +index 6dfaead6aaa8..1d1ca03c797f 100644 +--- a/drivers/media/i2c/soc_camera/mt9m111.c ++++ b/drivers/media/i2c/soc_camera/mt9m111.c +@@ -988,6 +988,8 @@ static int mt9m111_probe(struct i2c_client *client, + mt9m111->rect.top = MT9M111_MIN_DARK_ROWS; + mt9m111->rect.width = MT9M111_MAX_WIDTH; + mt9m111->rect.height = MT9M111_MAX_HEIGHT; ++ mt9m111->width = mt9m111->rect.width; ++ mt9m111->height = mt9m111->rect.height; + mt9m111->fmt = &mt9m111_colour_fmts[0]; + mt9m111->lastpage = -1; + mutex_init(&mt9m111->power_lock); +diff --git a/drivers/media/platform/mx2_emmaprp.c b/drivers/media/platform/mx2_emmaprp.c +index 03a1b606655d..009a4bb77d05 100644 +--- a/drivers/media/platform/mx2_emmaprp.c ++++ b/drivers/media/platform/mx2_emmaprp.c +@@ -289,7 +289,7 @@ static void emmaprp_device_run(void *priv) + { + struct emmaprp_ctx *ctx = priv; + struct emmaprp_q_data *s_q_data, *d_q_data; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + struct emmaprp_dev *pcdev = ctx->dev; + unsigned int s_width, s_height; + unsigned int d_width, d_height; +@@ -309,8 +309,8 @@ static void emmaprp_device_run(void *priv) + d_height = d_q_data->height; + d_size = d_width * d_height; + +- p_in = vb2_dma_contig_plane_dma_addr(src_buf, 0); +- p_out = vb2_dma_contig_plane_dma_addr(dst_buf, 0); ++ p_in = vb2_dma_contig_plane_dma_addr(&src_buf->vb2_buf, 0); ++ p_out = vb2_dma_contig_plane_dma_addr(&dst_buf->vb2_buf, 0); + if (!p_in || !p_out) { + v4l2_err(&pcdev->v4l2_dev, + "Acquiring kernel pointers to buffers failed\n"); +diff --git a/drivers/media/platform/s5p-g2d/g2d.c b/drivers/media/platform/s5p-g2d/g2d.c +index e1936d9d27da..2b939555cccb 100644 +--- a/drivers/media/platform/s5p-g2d/g2d.c ++++ b/drivers/media/platform/s5p-g2d/g2d.c +@@ -497,7 +497,7 @@ static void device_run(void *prv) + { + struct g2d_ctx *ctx = prv; + struct g2d_dev *dev = ctx->dev; +- struct vb2_buffer *src, *dst; ++ struct vb2_v4l2_buffer *src, *dst; + unsigned long flags; + u32 cmd = 0; + +@@ -512,10 +512,10 @@ static void device_run(void *prv) + spin_lock_irqsave(&dev->ctrl_lock, flags); + + g2d_set_src_size(dev, &ctx->in); +- g2d_set_src_addr(dev, vb2_dma_contig_plane_dma_addr(src, 0)); ++ g2d_set_src_addr(dev, vb2_dma_contig_plane_dma_addr(&src->vb2_buf, 0)); + + g2d_set_dst_size(dev, &ctx->out); +- g2d_set_dst_addr(dev, vb2_dma_contig_plane_dma_addr(dst, 0)); ++ g2d_set_dst_addr(dev, vb2_dma_contig_plane_dma_addr(&dst->vb2_buf, 0)); + + g2d_set_rop4(dev, ctx->rop); + g2d_set_flip(dev, ctx->flip); +diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c +index 9c6fc09b88e0..0d981bbf38bc 100644 +--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c ++++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c +@@ -788,14 +788,14 @@ static void skip(struct s5p_jpeg_buffer *buf, long len); + static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + unsigned int word; + int c, x, components; + + jpeg_buffer.size = 2; /* Ls */ + jpeg_buffer.data = +- (unsigned long)vb2_plane_vaddr(vb, 0) + ctx->out_q.sos + 2; ++ (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2; + jpeg_buffer.curr = 0; + + word = 0; +@@ -825,14 +825,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_parse_huff_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + unsigned int word; + int c, i, n, j; + + for (j = 0; j < ctx->out_q.dht.n; ++j) { + jpeg_buffer.size = ctx->out_q.dht.len[j]; +- jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(vb, 0) + ++ jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + + ctx->out_q.dht.marker[j]; + jpeg_buffer.curr = 0; + +@@ -884,13 +884,13 @@ static void exynos4_jpeg_parse_huff_tbl(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_parse_decode_q_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + int c, x, components; + + jpeg_buffer.size = ctx->out_q.sof_len; + jpeg_buffer.data = +- (unsigned long)vb2_plane_vaddr(vb, 0) + ctx->out_q.sof; ++ (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sof; + jpeg_buffer.curr = 0; + + skip(&jpeg_buffer, 5); /* P, Y, X */ +@@ -915,14 +915,14 @@ static void exynos4_jpeg_parse_decode_q_tbl(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_parse_q_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + unsigned int word; + int c, i, j; + + for (j = 0; j < ctx->out_q.dqt.n; ++j) { + jpeg_buffer.size = ctx->out_q.dqt.len[j]; +- jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(vb, 0) + ++ jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + + ctx->out_q.dqt.marker[j]; + jpeg_buffer.curr = 0; + +@@ -1262,13 +1262,16 @@ static int s5p_jpeg_querycap(struct file *file, void *priv, + return 0; + } + +-static int enum_fmt(struct s5p_jpeg_fmt *sjpeg_formats, int n, ++static int enum_fmt(struct s5p_jpeg_ctx *ctx, ++ struct s5p_jpeg_fmt *sjpeg_formats, int n, + struct v4l2_fmtdesc *f, u32 type) + { + int i, num = 0; ++ unsigned int fmt_ver_flag = ctx->jpeg->variant->fmt_ver_flag; + + for (i = 0; i < n; ++i) { +- if (sjpeg_formats[i].flags & type) { ++ if (sjpeg_formats[i].flags & type && ++ sjpeg_formats[i].flags & fmt_ver_flag) { + /* index-th format of type type found ? */ + if (num == f->index) + break; +@@ -1294,11 +1297,11 @@ static int s5p_jpeg_enum_fmt_vid_cap(struct file *file, void *priv, + struct s5p_jpeg_ctx *ctx = fh_to_ctx(priv); + + if (ctx->mode == S5P_JPEG_ENCODE) +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, + SJPEG_FMT_FLAG_ENC_CAPTURE); + +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, +- SJPEG_FMT_FLAG_DEC_CAPTURE); ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ SJPEG_FMT_FLAG_DEC_CAPTURE); + } + + static int s5p_jpeg_enum_fmt_vid_out(struct file *file, void *priv, +@@ -1307,11 +1310,11 @@ static int s5p_jpeg_enum_fmt_vid_out(struct file *file, void *priv, + struct s5p_jpeg_ctx *ctx = fh_to_ctx(priv); + + if (ctx->mode == S5P_JPEG_ENCODE) +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, + SJPEG_FMT_FLAG_ENC_OUTPUT); + +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, +- SJPEG_FMT_FLAG_DEC_OUTPUT); ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ SJPEG_FMT_FLAG_DEC_OUTPUT); + } + + static struct s5p_jpeg_q_data *get_q_data(struct s5p_jpeg_ctx *ctx, +@@ -2016,15 +2019,15 @@ static void s5p_jpeg_device_run(void *priv) + { + struct s5p_jpeg_ctx *ctx = priv; + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + unsigned long src_addr, dst_addr, flags; + + spin_lock_irqsave(&ctx->jpeg->slock, flags); + + src_buf = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + dst_buf = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); +- src_addr = vb2_dma_contig_plane_dma_addr(src_buf, 0); +- dst_addr = vb2_dma_contig_plane_dma_addr(dst_buf, 0); ++ src_addr = vb2_dma_contig_plane_dma_addr(&src_buf->vb2_buf, 0); ++ dst_addr = vb2_dma_contig_plane_dma_addr(&dst_buf->vb2_buf, 0); + + s5p_jpeg_reset(jpeg->regs); + s5p_jpeg_poweron(jpeg->regs); +@@ -2097,7 +2100,7 @@ static void exynos4_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; + struct s5p_jpeg_fmt *fmt; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + struct s5p_jpeg_addr jpeg_addr = {}; + u32 pix_size, padding_bytes = 0; + +@@ -2116,7 +2119,7 @@ static void exynos4_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + vb = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); + } + +- jpeg_addr.y = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr.y = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + + if (fmt->colplanes == 2) { + jpeg_addr.cb = jpeg_addr.y + pix_size - padding_bytes; +@@ -2134,7 +2137,7 @@ static void exynos4_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + unsigned int jpeg_addr = 0; + + if (ctx->mode == S5P_JPEG_ENCODE) +@@ -2142,7 +2145,7 @@ static void exynos4_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + else + vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + +- jpeg_addr = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + if (jpeg->variant->version == SJPEG_EXYNOS5433 && + ctx->mode == S5P_JPEG_DECODE) + jpeg_addr += ctx->out_q.sos; +@@ -2257,7 +2260,7 @@ static void exynos3250_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; + struct s5p_jpeg_fmt *fmt; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + struct s5p_jpeg_addr jpeg_addr = {}; + u32 pix_size; + +@@ -2271,7 +2274,7 @@ static void exynos3250_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + fmt = ctx->cap_q.fmt; + } + +- jpeg_addr.y = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr.y = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + + if (fmt->colplanes == 2) { + jpeg_addr.cb = jpeg_addr.y + pix_size; +@@ -2289,7 +2292,7 @@ static void exynos3250_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + static void exynos3250_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + unsigned int jpeg_addr = 0; + + if (ctx->mode == S5P_JPEG_ENCODE) +@@ -2297,7 +2300,7 @@ static void exynos3250_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + else + vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + +- jpeg_addr = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + exynos3250_jpeg_jpgadr(jpeg->regs, jpeg_addr); + } + +diff --git a/drivers/media/platform/sh_veu.c b/drivers/media/platform/sh_veu.c +index d6ab33e7060a..b9f4cdee555e 100644 +--- a/drivers/media/platform/sh_veu.c ++++ b/drivers/media/platform/sh_veu.c +@@ -277,13 +277,13 @@ static void sh_veu_process(struct sh_veu_dev *veu, + static void sh_veu_device_run(void *priv) + { + struct sh_veu_dev *veu = priv; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + + src_buf = v4l2_m2m_next_src_buf(veu->m2m_ctx); + dst_buf = v4l2_m2m_next_dst_buf(veu->m2m_ctx); + + if (src_buf && dst_buf) +- sh_veu_process(veu, src_buf, dst_buf); ++ sh_veu_process(veu, &src_buf->vb2_buf, &dst_buf->vb2_buf); + } + + /* ========== video ioctls ========== */ +diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c +index ea2a2ebc6b91..dba7565571a5 100644 +--- a/drivers/mmc/host/davinci_mmc.c ++++ b/drivers/mmc/host/davinci_mmc.c +@@ -1147,7 +1147,7 @@ static inline void mmc_davinci_cpufreq_deregister(struct mmc_davinci_host *host) + { + } + #endif +-static void __init init_mmcsd_host(struct mmc_davinci_host *host) ++static void init_mmcsd_host(struct mmc_davinci_host *host) + { + + mmc_davinci_reset_ctrl(host, 1); +diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c +index 5bcf4f45f8b4..20d422558fa3 100644 +--- a/drivers/mmc/host/omap.c ++++ b/drivers/mmc/host/omap.c +@@ -921,7 +921,7 @@ static inline void set_cmd_timeout(struct mmc_omap_host *host, struct mmc_reques + reg &= ~(1 << 5); + OMAP_MMC_WRITE(host, SDIO, reg); + /* Set maximum timeout */ +- OMAP_MMC_WRITE(host, CTO, 0xff); ++ OMAP_MMC_WRITE(host, CTO, 0xfd); + } + + static inline void set_data_timeout(struct mmc_omap_host *host, struct mmc_request *req) +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index a32dcb6718ca..fde7f5efc47d 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3067,8 +3067,12 @@ static int bond_netdev_event(struct notifier_block *this, + return NOTIFY_DONE; + + if (event_dev->flags & IFF_MASTER) { ++ int ret; ++ + netdev_dbg(event_dev, "IFF_MASTER\n"); +- return bond_master_netdev_event(event, event_dev); ++ ret = bond_master_netdev_event(event, event_dev); ++ if (ret != NOTIFY_DONE) ++ return ret; + } + + if (event_dev->flags & IFF_SLAVE) { +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 9ef4caa4b84d..3c20d0dc9256 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -120,7 +120,7 @@ static void enic_init_affinity_hint(struct enic *enic) + + for (i = 0; i < enic->intr_count; i++) { + if (enic_is_err_intr(enic, i) || enic_is_notify_intr(enic, i) || +- (enic->msix[i].affinity_mask && ++ (cpumask_available(enic->msix[i].affinity_mask) && + !cpumask_empty(enic->msix[i].affinity_mask))) + continue; + if (zalloc_cpumask_var(&enic->msix[i].affinity_mask, +@@ -149,7 +149,7 @@ static void enic_set_affinity_hint(struct enic *enic) + for (i = 0; i < enic->intr_count; i++) { + if (enic_is_err_intr(enic, i) || + enic_is_notify_intr(enic, i) || +- !enic->msix[i].affinity_mask || ++ !cpumask_available(enic->msix[i].affinity_mask) || + cpumask_empty(enic->msix[i].affinity_mask)) + continue; + err = irq_set_affinity_hint(enic->msix_entry[i].vector, +@@ -162,7 +162,7 @@ static void enic_set_affinity_hint(struct enic *enic) + for (i = 0; i < enic->wq_count; i++) { + int wq_intr = enic_msix_wq_intr(enic, i); + +- if (enic->msix[wq_intr].affinity_mask && ++ if (cpumask_available(enic->msix[wq_intr].affinity_mask) && + !cpumask_empty(enic->msix[wq_intr].affinity_mask)) + netif_set_xps_queue(enic->netdev, + enic->msix[wq_intr].affinity_mask, +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 6369d88b81c1..6b1cacd86c6e 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -2131,7 +2131,7 @@ static int e1000_request_msix(struct e1000_adapter *adapter) + if (strlen(netdev->name) < (IFNAMSIZ - 5)) + snprintf(adapter->rx_ring->name, + sizeof(adapter->rx_ring->name) - 1, +- "%s-rx-0", netdev->name); ++ "%.14s-rx-0", netdev->name); + else + memcpy(adapter->rx_ring->name, netdev->name, IFNAMSIZ); + err = request_irq(adapter->msix_entries[vector].vector, +@@ -2147,7 +2147,7 @@ static int e1000_request_msix(struct e1000_adapter *adapter) + if (strlen(netdev->name) < (IFNAMSIZ - 5)) + snprintf(adapter->tx_ring->name, + sizeof(adapter->tx_ring->name) - 1, +- "%s-tx-0", netdev->name); ++ "%.14s-tx-0", netdev->name); + else + memcpy(adapter->tx_ring->name, netdev->name, IFNAMSIZ); + err = request_irq(adapter->msix_entries[vector].vector, +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 3b67140eed73..ee6fefe92af4 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -717,6 +717,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ + {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ + {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */ ++ {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */ + {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */ + {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ +diff --git a/drivers/net/wireless/mediatek/mt7601u/eeprom.h b/drivers/net/wireless/mediatek/mt7601u/eeprom.h +index 662d12703b69..57b503ae63f1 100644 +--- a/drivers/net/wireless/mediatek/mt7601u/eeprom.h ++++ b/drivers/net/wireless/mediatek/mt7601u/eeprom.h +@@ -17,7 +17,7 @@ + + struct mt7601u_dev; + +-#define MT7601U_EE_MAX_VER 0x0c ++#define MT7601U_EE_MAX_VER 0x0d + #define MT7601U_EEPROM_SIZE 256 + + #define MT7601U_DEFAULT_TX_POWER 6 +diff --git a/drivers/net/wireless/rsi/rsi_common.h b/drivers/net/wireless/rsi/rsi_common.h +index d3fbe33d2324..a13f08fd8690 100644 +--- a/drivers/net/wireless/rsi/rsi_common.h ++++ b/drivers/net/wireless/rsi/rsi_common.h +@@ -75,7 +75,6 @@ static inline int rsi_kill_thread(struct rsi_thread *handle) + atomic_inc(&handle->thread_done); + rsi_set_event(&handle->event); + +- wait_for_completion(&handle->completion); + return kthread_stop(handle->task); + } + +diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c +index 7b27c7e23af2..cc10b72607c6 100644 +--- a/drivers/net/wireless/ti/wlcore/main.c ++++ b/drivers/net/wireless/ti/wlcore/main.c +@@ -1123,8 +1123,11 @@ static int wl12xx_chip_wakeup(struct wl1271 *wl, bool plt) + goto out; + + ret = wl12xx_fetch_firmware(wl, plt); +- if (ret < 0) +- goto out; ++ if (ret < 0) { ++ kfree(wl->fw_status); ++ kfree(wl->raw_fw_status); ++ kfree(wl->tx_res_if); ++ } + + out: + return ret; +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 84d501f5ff4e..d85010ebac5a 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3623,6 +3623,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128, + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130, + quirk_dma_func1_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9170, ++ quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c47 + c57 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9172, + quirk_dma_func1_alias); +diff --git a/drivers/regulator/act8865-regulator.c b/drivers/regulator/act8865-regulator.c +index f8d4cd3d1397..63a00d1d9360 100644 +--- a/drivers/regulator/act8865-regulator.c ++++ b/drivers/regulator/act8865-regulator.c +@@ -131,7 +131,7 @@ + * ACT8865 voltage number + */ + #define ACT8865_VOLTAGE_NUM 64 +-#define ACT8600_SUDCDC_VOLTAGE_NUM 255 ++#define ACT8600_SUDCDC_VOLTAGE_NUM 256 + + struct act8865 { + struct regmap *regmap; +@@ -154,7 +154,8 @@ static const struct regulator_linear_range act8600_sudcdc_voltage_ranges[] = { + REGULATOR_LINEAR_RANGE(3000000, 0, 63, 0), + REGULATOR_LINEAR_RANGE(3000000, 64, 159, 100000), + REGULATOR_LINEAR_RANGE(12600000, 160, 191, 200000), +- REGULATOR_LINEAR_RANGE(19000000, 191, 255, 400000), ++ REGULATOR_LINEAR_RANGE(19000000, 192, 247, 400000), ++ REGULATOR_LINEAR_RANGE(41400000, 248, 255, 0), + }; + + static struct regulator_ops act8865_ops = { +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index ac7acd257c99..2422094f1f15 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -3847,6 +3847,7 @@ int megasas_alloc_cmds(struct megasas_instance *instance) + if (megasas_create_frame_pool(instance)) { + dev_printk(KERN_DEBUG, &instance->pdev->dev, "Error creating frame DMA pool\n"); + megasas_free_cmds(instance); ++ return -ENOMEM; + } + + return 0; +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index 850ddc5fac04..3e2288af56bc 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -217,7 +217,7 @@ static struct scsi_device *scsi_alloc_sdev(struct scsi_target *starget, + extern void scsi_requeue_run_queue(struct work_struct *work); + + sdev = kzalloc(sizeof(*sdev) + shost->transportt->device_size, +- GFP_ATOMIC); ++ GFP_KERNEL); + if (!sdev) + goto out; + +@@ -791,7 +791,7 @@ static int scsi_add_lun(struct scsi_device *sdev, unsigned char *inq_result, + */ + sdev->inquiry = kmemdup(inq_result, + max_t(size_t, sdev->inquiry_len, 36), +- GFP_ATOMIC); ++ GFP_KERNEL); + if (sdev->inquiry == NULL) + return SCSI_SCAN_NO_RESPONSE; + +@@ -1085,7 +1085,7 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget, + if (!sdev) + goto out; + +- result = kmalloc(result_len, GFP_ATOMIC | ++ result = kmalloc(result_len, GFP_KERNEL | + ((shost->unchecked_isa_dma) ? __GFP_DMA : 0)); + if (!result) + goto out_free_sdev; +diff --git a/drivers/soc/qcom/qcom_gsbi.c b/drivers/soc/qcom/qcom_gsbi.c +index 09c669e70d63..038abc377fdb 100644 +--- a/drivers/soc/qcom/qcom_gsbi.c ++++ b/drivers/soc/qcom/qcom_gsbi.c +@@ -138,7 +138,7 @@ static int gsbi_probe(struct platform_device *pdev) + struct resource *res; + void __iomem *base; + struct gsbi_info *gsbi; +- int i; ++ int i, ret; + u32 mask, gsbi_num; + const struct crci_config *config = NULL; + +@@ -221,7 +221,10 @@ static int gsbi_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, gsbi); + +- return of_platform_populate(node, NULL, NULL, &pdev->dev); ++ ret = of_platform_populate(node, NULL, NULL, &pdev->dev); ++ if (ret) ++ clk_disable_unprepare(gsbi->hclk); ++ return ret; + } + + static int gsbi_remove(struct platform_device *pdev) +diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c +index de2c1bfe28b5..c4f5e5bbb8dc 100644 +--- a/drivers/soc/tegra/fuse/fuse-tegra.c ++++ b/drivers/soc/tegra/fuse/fuse-tegra.c +@@ -131,13 +131,17 @@ static int tegra_fuse_probe(struct platform_device *pdev) + /* take over the memory region from the early initialization */ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + fuse->base = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(fuse->base)) +- return PTR_ERR(fuse->base); ++ if (IS_ERR(fuse->base)) { ++ err = PTR_ERR(fuse->base); ++ fuse->base = base; ++ return err; ++ } + + fuse->clk = devm_clk_get(&pdev->dev, "fuse"); + if (IS_ERR(fuse->clk)) { + dev_err(&pdev->dev, "failed to get FUSE clock: %ld", + PTR_ERR(fuse->clk)); ++ fuse->base = base; + return PTR_ERR(fuse->clk); + } + +@@ -146,8 +150,10 @@ static int tegra_fuse_probe(struct platform_device *pdev) + + if (fuse->soc->probe) { + err = fuse->soc->probe(fuse); +- if (err < 0) ++ if (err < 0) { ++ fuse->base = base; + return err; ++ } + } + + if (tegra_fuse_create_sysfs(&pdev->dev, fuse->soc->info->size, +diff --git a/drivers/staging/comedi/drivers/ni_usb6501.c b/drivers/staging/comedi/drivers/ni_usb6501.c +index 95b537a8ecdb..6778e2b73667 100644 +--- a/drivers/staging/comedi/drivers/ni_usb6501.c ++++ b/drivers/staging/comedi/drivers/ni_usb6501.c +@@ -472,10 +472,8 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev) + + size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } +@@ -527,6 +525,9 @@ static int ni6501_auto_attach(struct comedi_device *dev, + if (!devpriv) + return -ENOMEM; + ++ mutex_init(&devpriv->mut); ++ usb_set_intfdata(intf, devpriv); ++ + ret = ni6501_find_endpoints(dev); + if (ret) + return ret; +@@ -535,9 +536,6 @@ static int ni6501_auto_attach(struct comedi_device *dev, + if (ret) + return ret; + +- mutex_init(&devpriv->mut); +- usb_set_intfdata(intf, devpriv); +- + ret = comedi_alloc_subdevices(dev, 2); + if (ret) + return ret; +diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c +index 8c7393ef762d..95e53cfd76a4 100644 +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -691,10 +691,8 @@ static int vmk80xx_alloc_usb_buffers(struct comedi_device *dev) + + size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } +@@ -809,6 +807,8 @@ static int vmk80xx_auto_attach(struct comedi_device *dev, + + devpriv->model = board->model; + ++ sema_init(&devpriv->limit_sem, 8); ++ + ret = vmk80xx_find_usb_endpoints(dev); + if (ret) + return ret; +@@ -817,8 +817,6 @@ static int vmk80xx_auto_attach(struct comedi_device *dev, + if (ret) + return ret; + +- sema_init(&devpriv->limit_sem, 8); +- + usb_set_intfdata(intf, devpriv); + + if (devpriv->model == VMK8055_MODEL) +diff --git a/drivers/thermal/int340x_thermal/int3400_thermal.c b/drivers/thermal/int340x_thermal/int3400_thermal.c +index 5836e5554433..d4c374cc4f74 100644 +--- a/drivers/thermal/int340x_thermal/int3400_thermal.c ++++ b/drivers/thermal/int340x_thermal/int3400_thermal.c +@@ -20,6 +20,13 @@ enum int3400_thermal_uuid { + INT3400_THERMAL_PASSIVE_1, + INT3400_THERMAL_ACTIVE, + INT3400_THERMAL_CRITICAL, ++ INT3400_THERMAL_ADAPTIVE_PERFORMANCE, ++ INT3400_THERMAL_EMERGENCY_CALL_MODE, ++ INT3400_THERMAL_PASSIVE_2, ++ INT3400_THERMAL_POWER_BOSS, ++ INT3400_THERMAL_VIRTUAL_SENSOR, ++ INT3400_THERMAL_COOLING_MODE, ++ INT3400_THERMAL_HARDWARE_DUTY_CYCLING, + INT3400_THERMAL_MAXIMUM_UUID, + }; + +@@ -27,6 +34,13 @@ static u8 *int3400_thermal_uuids[INT3400_THERMAL_MAXIMUM_UUID] = { + "42A441D6-AE6A-462b-A84B-4A8CE79027D3", + "3A95C389-E4B8-4629-A526-C52C88626BAE", + "97C68AE7-15FA-499c-B8C9-5DA81D606E0A", ++ "63BE270F-1C11-48FD-A6F7-3AF253FF3E2D", ++ "5349962F-71E6-431D-9AE8-0A635B710AEE", ++ "9E04115A-AE87-4D1C-9500-0F3E340BFE75", ++ "F5A35014-C209-46A4-993A-EB56DE7530A1", ++ "6ED722A7-9240-48A5-B479-31EEF723D7CF", ++ "16CAF1B7-DD38-40ED-B1C1-1B8A1913D531", ++ "BE84BABF-C4D4-403D-B495-3128FD44dAC1", + }; + + struct int3400_thermal_priv { +@@ -271,10 +285,9 @@ static int int3400_thermal_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, priv); + +- if (priv->uuid_bitmap & 1 << INT3400_THERMAL_PASSIVE_1) { +- int3400_thermal_ops.get_mode = int3400_thermal_get_mode; +- int3400_thermal_ops.set_mode = int3400_thermal_set_mode; +- } ++ int3400_thermal_ops.get_mode = int3400_thermal_get_mode; ++ int3400_thermal_ops.set_mode = int3400_thermal_set_mode; ++ + priv->thermal = thermal_zone_device_register("INT3400 Thermal", 0, 0, + priv, &int3400_thermal_ops, + &int3400_thermal_params, 0, 0); +diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig +index 82c4d2e45319..864cceea46ad 100644 +--- a/drivers/tty/Kconfig ++++ b/drivers/tty/Kconfig +@@ -466,4 +466,27 @@ config MIPS_EJTAG_FDC_KGDB_CHAN + help + FDC channel number to use for KGDB. + ++config LDISC_AUTOLOAD ++ bool "Automatically load TTY Line Disciplines" ++ default y ++ help ++ Historically the kernel has always automatically loaded any ++ line discipline that is in a kernel module when a user asks ++ for it to be loaded with the TIOCSETD ioctl, or through other ++ means. This is not always the best thing to do on systems ++ where you know you will not be using some of the more ++ "ancient" line disciplines, so prevent the kernel from doing ++ this unless the request is coming from a process with the ++ CAP_SYS_MODULE permissions. ++ ++ Say 'Y' here if you trust your userspace users to do the right ++ thing, or if you have only provided the line disciplines that ++ you know you will be using, or if you wish to continue to use ++ the traditional method of on-demand loading of these modules ++ by any user. ++ ++ This functionality can be changed at runtime with the ++ dev.tty.ldisc_autoload sysctl, this configuration option will ++ only set the default value of this functionality. ++ + endif # TTY +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index f5c4e92b5172..fc46c8cf5fcd 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -169,6 +169,8 @@ struct atmel_uart_port { + unsigned int pending_status; + spinlock_t lock_suspended; + ++ bool hd_start_rx; /* can start RX during half-duplex operation */ ++ + int (*prepare_rx)(struct uart_port *port); + int (*prepare_tx)(struct uart_port *port); + void (*schedule_rx)(struct uart_port *port); +@@ -237,6 +239,12 @@ static inline void atmel_uart_write_char(struct uart_port *port, u8 value) + + #endif + ++static inline int atmel_uart_is_half_duplex(struct uart_port *port) ++{ ++ return (port->rs485.flags & SER_RS485_ENABLED) && ++ !(port->rs485.flags & SER_RS485_RX_DURING_TX); ++} ++ + #ifdef CONFIG_SERIAL_ATMEL_PDC + static bool atmel_use_pdc_rx(struct uart_port *port) + { +@@ -481,9 +489,9 @@ static void atmel_stop_tx(struct uart_port *port) + /* Disable interrupts */ + atmel_uart_writel(port, ATMEL_US_IDR, atmel_port->tx_done_mask); + +- if ((port->rs485.flags & SER_RS485_ENABLED) && +- !(port->rs485.flags & SER_RS485_RX_DURING_TX)) ++ if (atmel_uart_is_half_duplex(port)) + atmel_start_rx(port); ++ + } + + /* +@@ -500,8 +508,7 @@ static void atmel_start_tx(struct uart_port *port) + return; + + if (atmel_use_pdc_tx(port) || atmel_use_dma_tx(port)) +- if ((port->rs485.flags & SER_RS485_ENABLED) && +- !(port->rs485.flags & SER_RS485_RX_DURING_TX)) ++ if (atmel_uart_is_half_duplex(port)) + atmel_stop_rx(port); + + if (atmel_use_pdc_tx(port)) +@@ -810,10 +817,14 @@ static void atmel_complete_tx_dma(void *arg) + */ + if (!uart_circ_empty(xmit)) + tasklet_schedule(&atmel_port->tasklet); +- else if ((port->rs485.flags & SER_RS485_ENABLED) && +- !(port->rs485.flags & SER_RS485_RX_DURING_TX)) { +- /* DMA done, stop TX, start RX for RS485 */ +- atmel_start_rx(port); ++ else if (atmel_uart_is_half_duplex(port)) { ++ /* ++ * DMA done, re-enable TXEMPTY and signal that we can stop ++ * TX and start RX for RS485 ++ */ ++ atmel_port->hd_start_rx = true; ++ atmel_uart_writel(port, ATMEL_US_IER, ++ atmel_port->tx_done_mask); + } + + spin_unlock_irqrestore(&port->lock, flags); +@@ -1253,9 +1264,20 @@ atmel_handle_transmit(struct uart_port *port, unsigned int pending) + struct atmel_uart_port *atmel_port = to_atmel_uart_port(port); + + if (pending & atmel_port->tx_done_mask) { +- /* Either PDC or interrupt transmission */ + atmel_uart_writel(port, ATMEL_US_IDR, + atmel_port->tx_done_mask); ++ ++ /* Start RX if flag was set and FIFO is empty */ ++ if (atmel_port->hd_start_rx) { ++ if (!(atmel_uart_readl(port, ATMEL_US_CSR) ++ & ATMEL_US_TXEMPTY)) ++ dev_warn(port->dev, "Should start RX, but TX fifo is not empty\n"); ++ ++ atmel_port->hd_start_rx = false; ++ atmel_start_rx(port); ++ return; ++ } ++ + tasklet_schedule(&atmel_port->tasklet); + } + } +@@ -1388,8 +1410,7 @@ static void atmel_tx_pdc(struct uart_port *port) + atmel_uart_writel(port, ATMEL_US_IER, + atmel_port->tx_done_mask); + } else { +- if ((port->rs485.flags & SER_RS485_ENABLED) && +- !(port->rs485.flags & SER_RS485_RX_DURING_TX)) { ++ if (atmel_uart_is_half_duplex(port)) { + /* DMA done, stop TX, start RX for RS485 */ + atmel_start_rx(port); + } +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index 4f2f4aca8d2e..06efcef1b495 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1145,7 +1145,7 @@ static void cdns_uart_console_write(struct console *co, const char *s, + * + * Return: 0 on success, negative errno otherwise. + */ +-static int __init cdns_uart_console_setup(struct console *co, char *options) ++static int cdns_uart_console_setup(struct console *co, char *options) + { + struct uart_port *port = &cdns_uart_port[co->index]; + int baud = 9600; +diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c +index 355e9cad680d..4706df20191b 100644 +--- a/drivers/tty/tty_buffer.c ++++ b/drivers/tty/tty_buffer.c +@@ -25,7 +25,7 @@ + * Byte threshold to limit memory consumption for flip buffers. + * The actual memory limit is > 2x this amount. + */ +-#define TTYB_DEFAULT_MEM_LIMIT 65536 ++#define TTYB_DEFAULT_MEM_LIMIT (640 * 1024UL) + + /* + * We default to dicing tty buffer allocations to this many characters +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 5b86ebc76a8a..b7effcfee91d 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -513,6 +513,8 @@ void proc_clear_tty(struct task_struct *p) + tty_kref_put(tty); + } + ++extern void tty_sysctl_init(void); ++ + /** + * proc_set_tty - set the controlling terminal + * +@@ -3689,6 +3691,7 @@ void console_sysfs_notify(void) + */ + int __init tty_init(void) + { ++ tty_sysctl_init(); + cdev_init(&tty_cdev, &tty_fops); + if (cdev_add(&tty_cdev, MKDEV(TTYAUX_MAJOR, 0), 1) || + register_chrdev_region(MKDEV(TTYAUX_MAJOR, 0), 1, "/dev/tty") < 0) +diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c +index d9e013dc2c08..02ab7e2d4494 100644 +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -148,6 +148,13 @@ static void put_ldops(struct tty_ldisc_ops *ldops) + * takes tty_ldiscs_lock to guard against ldisc races + */ + ++#if defined(CONFIG_LDISC_AUTOLOAD) ++ #define INITIAL_AUTOLOAD_STATE 1 ++#else ++ #define INITIAL_AUTOLOAD_STATE 0 ++#endif ++static int tty_ldisc_autoload = INITIAL_AUTOLOAD_STATE; ++ + static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc) + { + struct tty_ldisc *ld; +@@ -162,6 +169,8 @@ static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc) + */ + ldops = get_ldops(disc); + if (IS_ERR(ldops)) { ++ if (!capable(CAP_SYS_MODULE) && !tty_ldisc_autoload) ++ return ERR_PTR(-EPERM); + request_module("tty-ldisc-%d", disc); + ldops = get_ldops(disc); + if (IS_ERR(ldops)) +@@ -830,3 +839,41 @@ void tty_ldisc_begin(void) + /* Setup the default TTY line discipline. */ + (void) tty_register_ldisc(N_TTY, &tty_ldisc_N_TTY); + } ++ ++static int zero; ++static int one = 1; ++static struct ctl_table tty_table[] = { ++ { ++ .procname = "ldisc_autoload", ++ .data = &tty_ldisc_autoload, ++ .maxlen = sizeof(tty_ldisc_autoload), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &zero, ++ .extra2 = &one, ++ }, ++ { } ++}; ++ ++static struct ctl_table tty_dir_table[] = { ++ { ++ .procname = "tty", ++ .mode = 0555, ++ .child = tty_table, ++ }, ++ { } ++}; ++ ++static struct ctl_table tty_root_table[] = { ++ { ++ .procname = "dev", ++ .mode = 0555, ++ .child = tty_dir_table, ++ }, ++ { } ++}; ++ ++void tty_sysctl_init(void) ++{ ++ register_sysctl_table(tty_root_table); ++} +diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c +index 57ee43512992..dee22d8effda 100644 +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -913,8 +913,15 @@ static int ci_hdrc_probe(struct platform_device *pdev) + } else if (ci->platdata->usb_phy) { + ci->usb_phy = ci->platdata->usb_phy; + } else { ++ ci->usb_phy = devm_usb_get_phy_by_phandle(dev->parent, "phys", ++ 0); + ci->phy = devm_phy_get(dev->parent, "usb-phy"); +- ci->usb_phy = devm_usb_get_phy(dev->parent, USB_PHY_TYPE_USB2); ++ ++ /* Fallback to grabbing any registered USB2 PHY */ ++ if (IS_ERR(ci->usb_phy) && ++ PTR_ERR(ci->usb_phy) != -EPROBE_DEFER) ++ ci->usb_phy = devm_usb_get_phy(dev->parent, ++ USB_PHY_TYPE_USB2); + + /* if both generic PHY and USB PHY layers aren't enabled */ + if (PTR_ERR(ci->phy) == -ENOSYS && +diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c +index ea2bd6208a2f..9eae191728d2 100644 +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -425,6 +425,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, + { + unsigned int x; + ++ if (image->width > info->var.xres || image->height > info->var.yres) ++ return; ++ + if (rotate == FB_ROTATE_UR) { + for (x = 0; + x < num && image->dx + image->width <= info->var.xres; +diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c +index 6caca025019d..1e9bb8db7b48 100644 +--- a/fs/9p/v9fs.c ++++ b/fs/9p/v9fs.c +@@ -59,6 +59,8 @@ enum { + Opt_cache_loose, Opt_fscache, Opt_mmap, + /* Access options */ + Opt_access, Opt_posixacl, ++ /* Lock timeout option */ ++ Opt_locktimeout, + /* Error token */ + Opt_err + }; +@@ -78,6 +80,7 @@ static const match_table_t tokens = { + {Opt_cachetag, "cachetag=%s"}, + {Opt_access, "access=%s"}, + {Opt_posixacl, "posixacl"}, ++ {Opt_locktimeout, "locktimeout=%u"}, + {Opt_err, NULL} + }; + +@@ -126,6 +129,7 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts) + #ifdef CONFIG_9P_FSCACHE + v9ses->cachetag = NULL; + #endif ++ v9ses->session_lock_timeout = P9_LOCK_TIMEOUT; + + if (!opts) + return 0; +@@ -298,6 +302,23 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts) + #endif + break; + ++ case Opt_locktimeout: ++ r = match_int(&args[0], &option); ++ if (r < 0) { ++ p9_debug(P9_DEBUG_ERROR, ++ "integer field, but no integer?\n"); ++ ret = r; ++ continue; ++ } ++ if (option < 1) { ++ p9_debug(P9_DEBUG_ERROR, ++ "locktimeout must be a greater than zero integer.\n"); ++ ret = -EINVAL; ++ continue; ++ } ++ v9ses->session_lock_timeout = (long)option * HZ; ++ break; ++ + default: + continue; + } +diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h +index 6877050384a1..3775f275ede3 100644 +--- a/fs/9p/v9fs.h ++++ b/fs/9p/v9fs.h +@@ -116,6 +116,7 @@ struct v9fs_session_info { + struct list_head slist; /* list of sessions registered with v9fs */ + struct backing_dev_info bdi; + struct rw_semaphore rename_sem; ++ long session_lock_timeout; /* retry interval for blocking locks */ + }; + + /* cache_validity flags */ +diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c +index 7d889f56b8e7..05769219d2c2 100644 +--- a/fs/9p/vfs_dir.c ++++ b/fs/9p/vfs_dir.c +@@ -105,7 +105,6 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx) + int err = 0; + struct p9_fid *fid; + int buflen; +- int reclen = 0; + struct p9_rdir *rdir; + struct kvec kvec; + +@@ -138,11 +137,10 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx) + while (rdir->head < rdir->tail) { + err = p9stat_read(fid->clnt, rdir->buf + rdir->head, + rdir->tail - rdir->head, &st); +- if (err) { ++ if (err <= 0) { + p9_debug(P9_DEBUG_VFS, "returned %d\n", err); + return -EIO; + } +- reclen = st.size+2; + + over = !dir_emit(ctx, st.name, strlen(st.name), + v9fs_qid2ino(&st.qid), dt_type(&st)); +@@ -150,8 +148,8 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx) + if (over) + return 0; + +- rdir->head += reclen; +- ctx->pos += reclen; ++ rdir->head += err; ++ ctx->pos += err; + } + } + } +diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c +index 62ce8b4a7e5f..373cc50544e9 100644 +--- a/fs/9p/vfs_file.c ++++ b/fs/9p/vfs_file.c +@@ -154,6 +154,7 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl) + uint8_t status = P9_LOCK_ERROR; + int res = 0; + unsigned char fl_type; ++ struct v9fs_session_info *v9ses; + + fid = filp->private_data; + BUG_ON(fid == NULL); +@@ -189,6 +190,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl) + if (IS_SETLKW(cmd)) + flock.flags = P9_LOCK_FLAGS_BLOCK; + ++ v9ses = v9fs_inode2v9ses(file_inode(filp)); ++ + /* + * if its a blocked request and we get P9_LOCK_BLOCKED as the status + * for lock request, keep on trying +@@ -202,7 +205,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl) + break; + if (status == P9_LOCK_BLOCKED && !IS_SETLKW(cmd)) + break; +- if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0) ++ if (schedule_timeout_interruptible(v9ses->session_lock_timeout) ++ != 0) + break; + /* + * p9_client_lock_dotl overwrites flock.client_id with the +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index f010d6c8dd14..f1f32e55d877 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -850,6 +850,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + current->flags |= PF_RANDOMIZE; + + setup_new_exec(bprm); ++ install_exec_creds(bprm); + + /* Do this so that we can load the interpreter, if need be. We will + change some of these later */ +@@ -1084,7 +1085,6 @@ static int load_elf_binary(struct linux_binprm *bprm) + goto out; + #endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */ + +- install_exec_creds(bprm); + retval = create_elf_tables(bprm, &loc->elf_ex, + load_addr, interp_load_addr); + if (retval < 0) +diff --git a/fs/buffer.c b/fs/buffer.c +index 6f7d519a093b..f278e27bd8c0 100644 +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -2985,6 +2985,13 @@ void guard_bio_eod(int rw, struct bio *bio) + /* Uhhuh. We've got a bio that straddles the device size! */ + truncated_bytes = bio->bi_iter.bi_size - (maxsector << 9); + ++ /* ++ * The bio contains more than one segment which spans EOD, just return ++ * and let IO layer turn it into an EIO ++ */ ++ if (truncated_bytes > bvec->bv_len) ++ return; ++ + /* Truncate the bio.. */ + bio->bi_iter.bi_size -= truncated_bytes; + bvec->bv_len -= truncated_bytes; +diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c +index 7dc886c9a78f..1ea643faf04b 100644 +--- a/fs/cifs/cifs_dfs_ref.c ++++ b/fs/cifs/cifs_dfs_ref.c +@@ -266,9 +266,9 @@ static void dump_referral(const struct dfs_info3_param *ref) + { + cifs_dbg(FYI, "DFS: ref path: %s\n", ref->path_name); + cifs_dbg(FYI, "DFS: node path: %s\n", ref->node_name); +- cifs_dbg(FYI, "DFS: fl: %hd, srv_type: %hd\n", ++ cifs_dbg(FYI, "DFS: fl: %d, srv_type: %d\n", + ref->flags, ref->server_type); +- cifs_dbg(FYI, "DFS: ref_flags: %hd, path_consumed: %hd\n", ++ cifs_dbg(FYI, "DFS: ref_flags: %d, path_consumed: %d\n", + ref->ref_flag, ref->path_consumed); + } + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index eacf57c24ca9..9cb72fd40eff 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1255,6 +1255,11 @@ cifs_parse_devname(const char *devname, struct smb_vol *vol) + const char *delims = "/\\"; + size_t len; + ++ if (unlikely(!devname || !*devname)) { ++ cifs_dbg(VFS, "Device name not specified.\n"); ++ return -EINVAL; ++ } ++ + /* make sure we have a valid UNC double delimiter prefix */ + len = strspn(devname, delims); + if (len != 2) +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 0305e3866216..23a8374fa97f 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -1574,8 +1574,20 @@ cifs_setlk(struct file *file, struct file_lock *flock, __u32 type, + rc = server->ops->mand_unlock_range(cfile, flock, xid); + + out: +- if (flock->fl_flags & FL_POSIX && !rc) ++ if (flock->fl_flags & FL_POSIX) { ++ /* ++ * If this is a request to remove all locks because we ++ * are closing the file, it doesn't matter if the ++ * unlocking failed as both cifs.ko and the SMB server ++ * remove the lock on file close ++ */ ++ if (rc) { ++ cifs_dbg(VFS, "%s failed rc=%d\n", __func__, rc); ++ if (!(flock->fl_flags & FL_CLOSE)) ++ return rc; ++ } + rc = locks_lock_file_wait(file, flock); ++ } + return rc; + } + +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c +index 5c3187df9ab9..d8bd8dd36211 100644 +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -759,43 +759,50 @@ cifs_get_inode_info(struct inode **inode, const char *full_path, + } else if ((rc == -EACCES) && backup_cred(cifs_sb) && + (strcmp(server->vals->version_string, SMB1_VERSION_STRING) + == 0)) { +- /* +- * For SMB2 and later the backup intent flag is already +- * sent if needed on open and there is no path based +- * FindFirst operation to use to retry with +- */ +- +- srchinf = kzalloc(sizeof(struct cifs_search_info), +- GFP_KERNEL); +- if (srchinf == NULL) { +- rc = -ENOMEM; +- goto cgii_exit; +- } ++ /* ++ * For SMB2 and later the backup intent flag is already ++ * sent if needed on open and there is no path based ++ * FindFirst operation to use to retry with ++ */ ++ ++ srchinf = kzalloc(sizeof(struct cifs_search_info), ++ GFP_KERNEL); ++ if (srchinf == NULL) { ++ rc = -ENOMEM; ++ goto cgii_exit; ++ } + +- srchinf->endOfSearch = false; ++ srchinf->endOfSearch = false; ++ if (tcon->unix_ext) ++ srchinf->info_level = SMB_FIND_FILE_UNIX; ++ else if ((tcon->ses->capabilities & ++ tcon->ses->server->vals->cap_nt_find) == 0) ++ srchinf->info_level = SMB_FIND_FILE_INFO_STANDARD; ++ else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SERVER_INUM) + srchinf->info_level = SMB_FIND_FILE_ID_FULL_DIR_INFO; ++ else /* no srvino useful for fallback to some netapp */ ++ srchinf->info_level = SMB_FIND_FILE_DIRECTORY_INFO; + +- srchflgs = CIFS_SEARCH_CLOSE_ALWAYS | +- CIFS_SEARCH_CLOSE_AT_END | +- CIFS_SEARCH_BACKUP_SEARCH; ++ srchflgs = CIFS_SEARCH_CLOSE_ALWAYS | ++ CIFS_SEARCH_CLOSE_AT_END | ++ CIFS_SEARCH_BACKUP_SEARCH; + +- rc = CIFSFindFirst(xid, tcon, full_path, +- cifs_sb, NULL, srchflgs, srchinf, false); +- if (!rc) { +- data = +- (FILE_ALL_INFO *)srchinf->srch_entries_start; ++ rc = CIFSFindFirst(xid, tcon, full_path, ++ cifs_sb, NULL, srchflgs, srchinf, false); ++ if (!rc) { ++ data = (FILE_ALL_INFO *)srchinf->srch_entries_start; + +- cifs_dir_info_to_fattr(&fattr, +- (FILE_DIRECTORY_INFO *)data, cifs_sb); +- fattr.cf_uniqueid = le64_to_cpu( +- ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId); +- validinum = true; ++ cifs_dir_info_to_fattr(&fattr, ++ (FILE_DIRECTORY_INFO *)data, cifs_sb); ++ fattr.cf_uniqueid = le64_to_cpu( ++ ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId); ++ validinum = true; + +- cifs_buf_release(srchinf->ntwrk_buf_start); +- } +- kfree(srchinf); +- if (rc) +- goto cgii_exit; ++ cifs_buf_release(srchinf->ntwrk_buf_start); ++ } ++ kfree(srchinf); ++ if (rc) ++ goto cgii_exit; + } else + goto cgii_exit; + +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c +index efd72e1fae74..f7a9adab0b84 100644 +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -305,7 +305,7 @@ coalesce_t2(char *second_buf, struct smb_hdr *target_hdr) + remaining = tgt_total_cnt - total_in_tgt; + + if (remaining < 0) { +- cifs_dbg(FYI, "Server sent too much data. tgt_total_cnt=%hu total_in_tgt=%hu\n", ++ cifs_dbg(FYI, "Server sent too much data. tgt_total_cnt=%hu total_in_tgt=%u\n", + tgt_total_cnt, total_in_tgt); + return -EPROTO; + } +diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c +index 98c25b969ab8..7e93d5706bf6 100644 +--- a/fs/cifs/smb2maperror.c ++++ b/fs/cifs/smb2maperror.c +@@ -1034,7 +1034,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = { + {STATUS_UNFINISHED_CONTEXT_DELETED, -EIO, + "STATUS_UNFINISHED_CONTEXT_DELETED"}, + {STATUS_NO_TGT_REPLY, -EIO, "STATUS_NO_TGT_REPLY"}, +- {STATUS_OBJECTID_NOT_FOUND, -EIO, "STATUS_OBJECTID_NOT_FOUND"}, ++ /* Note that ENOATTTR and ENODATA are the same errno */ ++ {STATUS_OBJECTID_NOT_FOUND, -ENODATA, "STATUS_OBJECTID_NOT_FOUND"}, + {STATUS_NO_IP_ADDRESSES, -EIO, "STATUS_NO_IP_ADDRESSES"}, + {STATUS_WRONG_CREDENTIAL_HANDLE, -EIO, + "STATUS_WRONG_CREDENTIAL_HANDLE"}, +diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c +index 8f3e78eb0bbd..08f3a0c0f468 100644 +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -1323,6 +1323,7 @@ int ext4_ind_remove_space(handle_t *handle, struct inode *inode, + ext4_lblk_t offsets[4], offsets2[4]; + Indirect chain[4], chain2[4]; + Indirect *partial, *partial2; ++ Indirect *p = NULL, *p2 = NULL; + ext4_lblk_t max_block; + __le32 nr = 0, nr2 = 0; + int n = 0, n2 = 0; +@@ -1364,7 +1365,7 @@ int ext4_ind_remove_space(handle_t *handle, struct inode *inode, + } + + +- partial = ext4_find_shared(inode, n, offsets, chain, &nr); ++ partial = p = ext4_find_shared(inode, n, offsets, chain, &nr); + if (nr) { + if (partial == chain) { + /* Shared branch grows from the inode */ +@@ -1389,13 +1390,11 @@ int ext4_ind_remove_space(handle_t *handle, struct inode *inode, + partial->p + 1, + (__le32 *)partial->bh->b_data+addr_per_block, + (chain+n-1) - partial); +- BUFFER_TRACE(partial->bh, "call brelse"); +- brelse(partial->bh); + partial--; + } + + end_range: +- partial2 = ext4_find_shared(inode, n2, offsets2, chain2, &nr2); ++ partial2 = p2 = ext4_find_shared(inode, n2, offsets2, chain2, &nr2); + if (nr2) { + if (partial2 == chain2) { + /* +@@ -1425,16 +1424,14 @@ end_range: + (__le32 *)partial2->bh->b_data, + partial2->p, + (chain2+n2-1) - partial2); +- BUFFER_TRACE(partial2->bh, "call brelse"); +- brelse(partial2->bh); + partial2--; + } + goto do_indirects; + } + + /* Punch happened within the same level (n == n2) */ +- partial = ext4_find_shared(inode, n, offsets, chain, &nr); +- partial2 = ext4_find_shared(inode, n2, offsets2, chain2, &nr2); ++ partial = p = ext4_find_shared(inode, n, offsets, chain, &nr); ++ partial2 = p2 = ext4_find_shared(inode, n2, offsets2, chain2, &nr2); + + /* Free top, but only if partial2 isn't its subtree. */ + if (nr) { +@@ -1491,15 +1488,7 @@ end_range: + partial->p + 1, + partial2->p, + (chain+n-1) - partial); +- while (partial > chain) { +- BUFFER_TRACE(partial->bh, "call brelse"); +- brelse(partial->bh); +- } +- while (partial2 > chain2) { +- BUFFER_TRACE(partial2->bh, "call brelse"); +- brelse(partial2->bh); +- } +- return 0; ++ goto cleanup; + } + + /* +@@ -1514,8 +1503,6 @@ end_range: + partial->p + 1, + (__le32 *)partial->bh->b_data+addr_per_block, + (chain+n-1) - partial); +- BUFFER_TRACE(partial->bh, "call brelse"); +- brelse(partial->bh); + partial--; + } + if (partial2 > chain2 && depth2 <= depth) { +@@ -1523,11 +1510,21 @@ end_range: + (__le32 *)partial2->bh->b_data, + partial2->p, + (chain2+n2-1) - partial2); +- BUFFER_TRACE(partial2->bh, "call brelse"); +- brelse(partial2->bh); + partial2--; + } + } ++ ++cleanup: ++ while (p && p > chain) { ++ BUFFER_TRACE(p->bh, "call brelse"); ++ brelse(p->bh); ++ p--; ++ } ++ while (p2 && p2 > chain2) { ++ BUFFER_TRACE(p2->bh, "call brelse"); ++ brelse(p2->bh); ++ p2--; ++ } + return 0; + + do_indirects: +@@ -1535,7 +1532,7 @@ do_indirects: + switch (offsets[0]) { + default: + if (++n >= n2) +- return 0; ++ break; + nr = i_data[EXT4_IND_BLOCK]; + if (nr) { + ext4_free_branches(handle, inode, NULL, &nr, &nr+1, 1); +@@ -1543,7 +1540,7 @@ do_indirects: + } + case EXT4_IND_BLOCK: + if (++n >= n2) +- return 0; ++ break; + nr = i_data[EXT4_DIND_BLOCK]; + if (nr) { + ext4_free_branches(handle, inode, NULL, &nr, &nr+1, 2); +@@ -1551,7 +1548,7 @@ do_indirects: + } + case EXT4_DIND_BLOCK: + if (++n >= n2) +- return 0; ++ break; + nr = i_data[EXT4_TIND_BLOCK]; + if (nr) { + ext4_free_branches(handle, inode, NULL, &nr, &nr+1, 3); +@@ -1560,5 +1557,5 @@ do_indirects: + case EXT4_TIND_BLOCK: + ; + } +- return 0; ++ goto cleanup; + } +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index bcd7c4788903..e44e3cd738b6 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -599,6 +599,13 @@ resizefs_out: + + if ((flags & BLKDEV_DISCARD_SECURE) && !blk_queue_secdiscard(q)) + return -EOPNOTSUPP; ++ /* ++ * We haven't replayed the journal, so we cannot use our ++ * block-bitmap-guided storage zapping commands. ++ */ ++ if (test_opt(sb, NOLOAD) && ext4_has_feature_journal(sb)) ++ return -EROFS; ++ + if (copy_from_user(&range, (struct fstrim_range __user *)arg, + sizeof(range))) + return -EFAULT; +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 4bd12247a9be..5223eb25bf59 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -907,11 +907,18 @@ static int add_new_gdb_meta_bg(struct super_block *sb, + memcpy(n_group_desc, o_group_desc, + EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *)); + n_group_desc[gdb_num] = gdb_bh; ++ ++ BUFFER_TRACE(gdb_bh, "get_write_access"); ++ err = ext4_journal_get_write_access(handle, gdb_bh); ++ if (err) { ++ kvfree(n_group_desc); ++ brelse(gdb_bh); ++ return err; ++ } ++ + EXT4_SB(sb)->s_group_desc = n_group_desc; + EXT4_SB(sb)->s_gdb_count++; + kvfree(o_group_desc); +- BUFFER_TRACE(gdb_bh, "get_write_access"); +- err = ext4_journal_get_write_access(handle, gdb_bh); + return err; + } + +@@ -2040,6 +2047,10 @@ out: + free_flex_gd(flex_gd); + if (resize_inode != NULL) + iput(resize_inode); +- ext4_msg(sb, KERN_INFO, "resized filesystem to %llu", n_blocks_count); ++ if (err) ++ ext4_warning(sb, "error (%d) occurred during " ++ "file system resize", err); ++ ext4_msg(sb, KERN_INFO, "resized filesystem to %llu", ++ ext4_blocks_count(es)); + return err; + } +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index dbd7adff8b5a..bd0dfaecfac3 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1143,7 +1143,7 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) + unsigned int sit_segs, nat_segs; + unsigned int sit_bitmap_size, nat_bitmap_size; + unsigned int log_blocks_per_seg; +- int i; ++ int i, j; + + total = le32_to_cpu(raw_super->segment_count); + fsmeta = le32_to_cpu(raw_super->segment_count_ckpt); +@@ -1184,11 +1184,43 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) + if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs || + le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg) + return 1; ++ for (j = i + 1; j < NR_CURSEG_NODE_TYPE; j++) { ++ if (le32_to_cpu(ckpt->cur_node_segno[i]) == ++ le32_to_cpu(ckpt->cur_node_segno[j])) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "Node segment (%u, %u) has the same " ++ "segno: %u", i, j, ++ le32_to_cpu(ckpt->cur_node_segno[i])); ++ return 1; ++ } ++ } + } + for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) { + if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs || + le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg) + return 1; ++ for (j = i + 1; j < NR_CURSEG_DATA_TYPE; j++) { ++ if (le32_to_cpu(ckpt->cur_data_segno[i]) == ++ le32_to_cpu(ckpt->cur_data_segno[j])) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "Data segment (%u, %u) has the same " ++ "segno: %u", i, j, ++ le32_to_cpu(ckpt->cur_data_segno[i])); ++ return 1; ++ } ++ } ++ } ++ for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) { ++ for (j = i; j < NR_CURSEG_DATA_TYPE; j++) { ++ if (le32_to_cpu(ckpt->cur_node_segno[i]) == ++ le32_to_cpu(ckpt->cur_data_segno[j])) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "Data segment (%u) and Data segment (%u)" ++ " has the same segno: %u", i, j, ++ le32_to_cpu(ckpt->cur_node_segno[i])); ++ return 1; ++ } ++ } + } + + sit_bitmap_size = le32_to_cpu(ckpt->sit_ver_bitmap_bytesize); +diff --git a/fs/f2fs/trace.c b/fs/f2fs/trace.c +index 145fb659ad44..8f327fa7ae47 100644 +--- a/fs/f2fs/trace.c ++++ b/fs/f2fs/trace.c +@@ -60,6 +60,7 @@ void f2fs_trace_pid(struct page *page) + + page->private = pid; + ++retry: + if (radix_tree_preload(GFP_NOFS)) + return; + +@@ -70,7 +71,12 @@ void f2fs_trace_pid(struct page *page) + if (p) + radix_tree_delete(&pids, pid); + +- f2fs_radix_tree_insert(&pids, pid, current); ++ if (radix_tree_insert(&pids, pid, current)) { ++ spin_unlock(&pids_lock); ++ radix_tree_preload_end(); ++ cond_resched(); ++ goto retry; ++ } + + trace_printk("%3x:%3x %4x %-16s\n", + MAJOR(inode->i_sb->s_dev), MINOR(inode->i_sb->s_dev), +diff --git a/fs/file.c b/fs/file.c +index 39f8f15921da..7e9eb65a2912 100644 +--- a/fs/file.c ++++ b/fs/file.c +@@ -474,6 +474,7 @@ struct files_struct init_files = { + .full_fds_bits = init_files.full_fds_bits_init, + }, + .file_lock = __SPIN_LOCK_UNLOCKED(init_files.file_lock), ++ .resize_wait = __WAIT_QUEUE_HEAD_INITIALIZER(init_files.resize_wait), + }; + + static unsigned long find_next_fd(struct fdtable *fdt, unsigned long start) +diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c +index 3c45a9301a09..a87a08e1bfab 100644 +--- a/fs/ocfs2/cluster/nodemanager.c ++++ b/fs/ocfs2/cluster/nodemanager.c +@@ -621,13 +621,15 @@ static void o2nm_node_group_drop_item(struct config_group *group, + struct o2nm_node *node = to_o2nm_node(item); + struct o2nm_cluster *cluster = to_o2nm_cluster(group->cg_item.ci_parent); + +- o2net_disconnect_node(node); ++ if (cluster->cl_nodes[node->nd_num] == node) { ++ o2net_disconnect_node(node); + +- if (cluster->cl_has_local && +- (cluster->cl_local_node == node->nd_num)) { +- cluster->cl_has_local = 0; +- cluster->cl_local_node = O2NM_INVALID_NODE_NUM; +- o2net_stop_listening(node); ++ if (cluster->cl_has_local && ++ (cluster->cl_local_node == node->nd_num)) { ++ cluster->cl_has_local = 0; ++ cluster->cl_local_node = O2NM_INVALID_NODE_NUM; ++ o2net_stop_listening(node); ++ } + } + + /* XXX call into net to stop this node from trading messages */ +diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c +index f8aa54272121..eedacae889b9 100644 +--- a/fs/overlayfs/dir.c ++++ b/fs/overlayfs/dir.c +@@ -408,12 +408,21 @@ static int ovl_create_or_link(struct dentry *dentry, int mode, dev_t rdev, + err = ovl_create_upper(dentry, inode, &stat, link, hardlink); + } else { + const struct cred *old_cred; ++ struct cred *override_cred; + + old_cred = ovl_override_creds(dentry->d_sb); + +- err = ovl_create_over_whiteout(dentry, inode, &stat, link, +- hardlink); ++ err = -ENOMEM; ++ override_cred = prepare_creds(); ++ if (override_cred) { ++ override_cred->fsuid = old_cred->fsuid; ++ override_cred->fsgid = old_cred->fsgid; ++ put_cred(override_creds(override_cred)); ++ put_cred(override_cred); + ++ err = ovl_create_over_whiteout(dentry, inode, &stat, ++ link, hardlink); ++ } + revert_creds(old_cred); + } + +diff --git a/include/linux/atalk.h b/include/linux/atalk.h +index 73fd8b7e9534..af43ed404ff4 100644 +--- a/include/linux/atalk.h ++++ b/include/linux/atalk.h +@@ -150,19 +150,29 @@ extern int sysctl_aarp_retransmit_limit; + extern int sysctl_aarp_resolve_time; + + #ifdef CONFIG_SYSCTL +-extern void atalk_register_sysctl(void); ++extern int atalk_register_sysctl(void); + extern void atalk_unregister_sysctl(void); + #else +-#define atalk_register_sysctl() do { } while(0) +-#define atalk_unregister_sysctl() do { } while(0) ++static inline int atalk_register_sysctl(void) ++{ ++ return 0; ++} ++static inline void atalk_unregister_sysctl(void) ++{ ++} + #endif + + #ifdef CONFIG_PROC_FS + extern int atalk_proc_init(void); + extern void atalk_proc_exit(void); + #else +-#define atalk_proc_init() ({ 0; }) +-#define atalk_proc_exit() do { } while(0) ++static inline int atalk_proc_init(void) ++{ ++ return 0; ++} ++static inline void atalk_proc_exit(void) ++{ ++} + #endif /* CONFIG_PROC_FS */ + + #endif /* __LINUX_ATALK_H__ */ +diff --git a/include/linux/bitrev.h b/include/linux/bitrev.h +index fb790b8449c1..333e42cf08de 100644 +--- a/include/linux/bitrev.h ++++ b/include/linux/bitrev.h +@@ -31,32 +31,32 @@ static inline u32 __bitrev32(u32 x) + + #define __constant_bitrev32(x) \ + ({ \ +- u32 __x = x; \ +- __x = (__x >> 16) | (__x << 16); \ +- __x = ((__x & (u32)0xFF00FF00UL) >> 8) | ((__x & (u32)0x00FF00FFUL) << 8); \ +- __x = ((__x & (u32)0xF0F0F0F0UL) >> 4) | ((__x & (u32)0x0F0F0F0FUL) << 4); \ +- __x = ((__x & (u32)0xCCCCCCCCUL) >> 2) | ((__x & (u32)0x33333333UL) << 2); \ +- __x = ((__x & (u32)0xAAAAAAAAUL) >> 1) | ((__x & (u32)0x55555555UL) << 1); \ +- __x; \ ++ u32 ___x = x; \ ++ ___x = (___x >> 16) | (___x << 16); \ ++ ___x = ((___x & (u32)0xFF00FF00UL) >> 8) | ((___x & (u32)0x00FF00FFUL) << 8); \ ++ ___x = ((___x & (u32)0xF0F0F0F0UL) >> 4) | ((___x & (u32)0x0F0F0F0FUL) << 4); \ ++ ___x = ((___x & (u32)0xCCCCCCCCUL) >> 2) | ((___x & (u32)0x33333333UL) << 2); \ ++ ___x = ((___x & (u32)0xAAAAAAAAUL) >> 1) | ((___x & (u32)0x55555555UL) << 1); \ ++ ___x; \ + }) + + #define __constant_bitrev16(x) \ + ({ \ +- u16 __x = x; \ +- __x = (__x >> 8) | (__x << 8); \ +- __x = ((__x & (u16)0xF0F0U) >> 4) | ((__x & (u16)0x0F0FU) << 4); \ +- __x = ((__x & (u16)0xCCCCU) >> 2) | ((__x & (u16)0x3333U) << 2); \ +- __x = ((__x & (u16)0xAAAAU) >> 1) | ((__x & (u16)0x5555U) << 1); \ +- __x; \ ++ u16 ___x = x; \ ++ ___x = (___x >> 8) | (___x << 8); \ ++ ___x = ((___x & (u16)0xF0F0U) >> 4) | ((___x & (u16)0x0F0FU) << 4); \ ++ ___x = ((___x & (u16)0xCCCCU) >> 2) | ((___x & (u16)0x3333U) << 2); \ ++ ___x = ((___x & (u16)0xAAAAU) >> 1) | ((___x & (u16)0x5555U) << 1); \ ++ ___x; \ + }) + + #define __constant_bitrev8(x) \ + ({ \ +- u8 __x = x; \ +- __x = (__x >> 4) | (__x << 4); \ +- __x = ((__x & (u8)0xCCU) >> 2) | ((__x & (u8)0x33U) << 2); \ +- __x = ((__x & (u8)0xAAU) >> 1) | ((__x & (u8)0x55U) << 1); \ +- __x; \ ++ u8 ___x = x; \ ++ ___x = (___x >> 4) | (___x << 4); \ ++ ___x = ((___x & (u8)0xCCU) >> 2) | ((___x & (u8)0x33U) << 2); \ ++ ___x = ((___x & (u8)0xAAU) >> 1) | ((___x & (u8)0x55U) << 1); \ ++ ___x; \ + }) + + #define bitrev32(x) \ +diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h +index e23392517db9..cb527c78de9f 100644 +--- a/include/linux/kprobes.h ++++ b/include/linux/kprobes.h +@@ -197,6 +197,7 @@ struct kretprobe_instance { + struct kretprobe *rp; + kprobe_opcode_t *ret_addr; + struct task_struct *task; ++ void *fp; + char data[0]; + }; + +diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h +index 19d0778ec382..121c8f99ecdd 100644 +--- a/include/linux/ring_buffer.h ++++ b/include/linux/ring_buffer.h +@@ -125,7 +125,7 @@ ring_buffer_consume(struct ring_buffer *buffer, int cpu, u64 *ts, + unsigned long *lost_events); + + struct ring_buffer_iter * +-ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu); ++ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu, gfp_t flags); + void ring_buffer_read_prepare_sync(void); + void ring_buffer_read_start(struct ring_buffer_iter *iter); + void ring_buffer_read_finish(struct ring_buffer_iter *iter); +diff --git a/include/linux/string.h b/include/linux/string.h +index c026b7a19e26..870268d42ae7 100644 +--- a/include/linux/string.h ++++ b/include/linux/string.h +@@ -110,6 +110,9 @@ extern void * memscan(void *,int,__kernel_size_t); + #ifndef __HAVE_ARCH_MEMCMP + extern int memcmp(const void *,const void *,__kernel_size_t); + #endif ++#ifndef __HAVE_ARCH_BCMP ++extern int bcmp(const void *,const void *,__kernel_size_t); ++#endif + #ifndef __HAVE_ARCH_MEMCHR + extern void * memchr(const void *,int,__kernel_size_t); + #endif +diff --git a/include/linux/swap.h b/include/linux/swap.h +index d8ca2eaa3a8b..0a0b7529dae4 100644 +--- a/include/linux/swap.h ++++ b/include/linux/swap.h +@@ -135,9 +135,9 @@ struct swap_extent { + /* + * Max bad pages in the new format.. + */ +-#define __swapoffset(x) ((unsigned long)&((union swap_header *)0)->x) + #define MAX_SWAP_BADPAGES \ +- ((__swapoffset(magic.magic) - __swapoffset(info.badpages)) / sizeof(int)) ++ ((offsetof(union swap_header, magic.magic) - \ ++ offsetof(union swap_header, info.badpages)) / sizeof(int)) + + enum { + SWP_USED = (1 << 0), /* is slot in swap_info[] used? */ +diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h +index 6965dfe7e88b..0daed810724d 100644 +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -53,6 +53,7 @@ struct net { + */ + spinlock_t rules_mod_lock; + ++ u32 hash_mix; + atomic64_t cookie_gen; + + struct list_head list; /* list of network namespaces */ +diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h +index e8d1448425a7..b1d0d46344e2 100644 +--- a/include/net/netfilter/br_netfilter.h ++++ b/include/net/netfilter/br_netfilter.h +@@ -42,7 +42,6 @@ static inline struct rtable *bridge_parent_rtable(const struct net_device *dev) + } + + struct net_device *setup_pre_routing(struct sk_buff *skb); +-void br_netfilter_enable(void); + + #if IS_ENABLED(CONFIG_IPV6) + int br_validate_ipv6(struct net *net, struct sk_buff *skb); +diff --git a/include/net/netns/hash.h b/include/net/netns/hash.h +index 69a6715d9f3f..a347b2f9e748 100644 +--- a/include/net/netns/hash.h ++++ b/include/net/netns/hash.h +@@ -1,21 +1,10 @@ + #ifndef __NET_NS_HASH_H__ + #define __NET_NS_HASH_H__ + +-#include +- +-struct net; ++#include + + static inline u32 net_hash_mix(const struct net *net) + { +-#ifdef CONFIG_NET_NS +- /* +- * shift this right to eliminate bits, that are +- * always zeroed +- */ +- +- return (u32)(((unsigned long)net) >> L1_CACHE_SHIFT); +-#else +- return 0; +-#endif ++ return net->hash_mix; + } + #endif +diff --git a/kernel/events/core.c b/kernel/events/core.c +index e53dfb5b826e..17230ca00bd4 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5998,6 +5998,7 @@ static void perf_event_mmap_output(struct perf_event *event, + struct perf_output_handle handle; + struct perf_sample_data sample; + int size = mmap_event->event_id.header.size; ++ u32 type = mmap_event->event_id.header.type; + int ret; + + if (!perf_event_mmap_match(event, data)) +@@ -6041,6 +6042,7 @@ static void perf_event_mmap_output(struct perf_event *event, + perf_output_end(&handle); + out: + mmap_event->event_id.header.size = size; ++ mmap_event->event_id.header.type = type; + } + + static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) +diff --git a/kernel/irq/chip.c b/kernel/irq/chip.c +index 3c74e13a95dc..67aafc2b249c 100644 +--- a/kernel/irq/chip.c ++++ b/kernel/irq/chip.c +@@ -1056,6 +1056,10 @@ int irq_chip_set_vcpu_affinity_parent(struct irq_data *data, void *vcpu_info) + int irq_chip_set_wake_parent(struct irq_data *data, unsigned int on) + { + data = data->parent_data; ++ ++ if (data->chip->flags & IRQCHIP_SKIP_SET_WAKE) ++ return 0; ++ + if (data->chip->irq_set_wake) + return data->chip->irq_set_wake(data, on); + +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index d8daf6c55d2b..a53998cba804 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -668,7 +668,6 @@ static void unoptimize_kprobe(struct kprobe *p, bool force) + static int reuse_unused_kprobe(struct kprobe *ap) + { + struct optimized_kprobe *op; +- int ret; + + BUG_ON(!kprobe_unused(ap)); + /* +@@ -682,9 +681,8 @@ static int reuse_unused_kprobe(struct kprobe *ap) + /* Enable the probe again */ + ap->flags &= ~KPROBE_FLAG_DISABLED; + /* Optimize it again (remove from op->list) */ +- ret = kprobe_optready(ap); +- if (ret) +- return ret; ++ if (!kprobe_optready(ap)) ++ return -EINVAL; + + optimize_kprobe(ap); + return 0; +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index a49c565529a0..774ab79d3ec7 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -3314,9 +3314,6 @@ __lock_set_class(struct lockdep_map *lock, const char *name, + unsigned int depth; + int i; + +- if (unlikely(!debug_locks)) +- return 0; +- + depth = curr->lockdep_depth; + /* + * This function is about (re)setting the class of a held lock, +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 6051007918ad..d706cf4fda99 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -4016,12 +4016,15 @@ static enum hrtimer_restart sched_cfs_slack_timer(struct hrtimer *timer) + return HRTIMER_NORESTART; + } + ++extern const u64 max_cfs_quota_period; ++ + static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer) + { + struct cfs_bandwidth *cfs_b = + container_of(timer, struct cfs_bandwidth, period_timer); + int overrun; + int idle = 0; ++ int count = 0; + + raw_spin_lock(&cfs_b->lock); + for (;;) { +@@ -4029,6 +4032,28 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer) + if (!overrun) + break; + ++ if (++count > 3) { ++ u64 new, old = ktime_to_ns(cfs_b->period); ++ ++ new = (old * 147) / 128; /* ~115% */ ++ new = min(new, max_cfs_quota_period); ++ ++ cfs_b->period = ns_to_ktime(new); ++ ++ /* since max is 1s, this is limited to 1e9^2, which fits in u64 */ ++ cfs_b->quota *= new; ++ cfs_b->quota = div64_u64(cfs_b->quota, old); ++ ++ pr_warn_ratelimited( ++ "cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n", ++ smp_processor_id(), ++ div_u64(new, NSEC_PER_USEC), ++ div_u64(cfs_b->quota, NSEC_PER_USEC)); ++ ++ /* reset count so we don't come right back in here */ ++ count = 0; ++ } ++ + idle = do_sched_cfs_period_timer(cfs_b, overrun); + } + if (idle) +@@ -6022,10 +6047,10 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq) + if (cfs_rq->last_h_load_update == now) + return; + +- cfs_rq->h_load_next = NULL; ++ WRITE_ONCE(cfs_rq->h_load_next, NULL); + for_each_sched_entity(se) { + cfs_rq = cfs_rq_of(se); +- cfs_rq->h_load_next = se; ++ WRITE_ONCE(cfs_rq->h_load_next, se); + if (cfs_rq->last_h_load_update == now) + break; + } +@@ -6035,7 +6060,7 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq) + cfs_rq->last_h_load_update = now; + } + +- while ((se = cfs_rq->h_load_next) != NULL) { ++ while ((se = READ_ONCE(cfs_rq->h_load_next)) != NULL) { + load = cfs_rq->h_load; + load = div64_ul(load * se->avg.load_avg, + cfs_rq_load_avg(cfs_rq) + 1); +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index beadcf83ceba..c140659db669 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -125,7 +125,9 @@ static int zero; + static int __maybe_unused one = 1; + static int __maybe_unused two = 2; + static int __maybe_unused four = 4; ++static unsigned long zero_ul; + static unsigned long one_ul = 1; ++static unsigned long long_max = LONG_MAX; + static int one_hundred = 100; + #ifdef CONFIG_PRINTK + static int ten_thousand = 10000; +@@ -1603,6 +1605,8 @@ static struct ctl_table fs_table[] = { + .maxlen = sizeof(files_stat.max_files), + .mode = 0644, + .proc_handler = proc_doulongvec_minmax, ++ .extra1 = &zero_ul, ++ .extra2 = &long_max, + }, + { + .procname = "nr_open", +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index d90b42b39908..6380ec0453e0 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include + +@@ -5165,7 +5166,7 @@ static struct ftrace_ops control_ops = { + INIT_OPS_HASH(control_ops) + }; + +-static inline void ++static nokprobe_inline void + __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, + struct ftrace_ops *ignored, struct pt_regs *regs) + { +@@ -5214,11 +5215,13 @@ static void ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, + { + __ftrace_ops_list_func(ip, parent_ip, NULL, regs); + } ++NOKPROBE_SYMBOL(ftrace_ops_list_func); + #else + static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip) + { + __ftrace_ops_list_func(ip, parent_ip, NULL, NULL); + } ++NOKPROBE_SYMBOL(ftrace_ops_no_ops); + #endif + + /* +@@ -5239,6 +5242,7 @@ static void ftrace_ops_recurs_func(unsigned long ip, unsigned long parent_ip, + + trace_clear_recursion(bit); + } ++NOKPROBE_SYMBOL(ftrace_ops_recurs_func); + + /** + * ftrace_ops_get_func - get the function a trampoline should call +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 74b20e3ab8c6..5e091614fe39 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -4042,6 +4042,7 @@ EXPORT_SYMBOL_GPL(ring_buffer_consume); + * ring_buffer_read_prepare - Prepare for a non consuming read of the buffer + * @buffer: The ring buffer to read from + * @cpu: The cpu buffer to iterate over ++ * @flags: gfp flags to use for memory allocation + * + * This performs the initial preparations necessary to iterate + * through the buffer. Memory is allocated, buffer recording +@@ -4059,7 +4060,7 @@ EXPORT_SYMBOL_GPL(ring_buffer_consume); + * This overall must be paired with ring_buffer_read_finish. + */ + struct ring_buffer_iter * +-ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu) ++ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu, gfp_t flags) + { + struct ring_buffer_per_cpu *cpu_buffer; + struct ring_buffer_iter *iter; +@@ -4067,7 +4068,7 @@ ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu) + if (!cpumask_test_cpu(cpu, buffer->cpumask)) + return NULL; + +- iter = kmalloc(sizeof(*iter), GFP_KERNEL); ++ iter = kmalloc(sizeof(*iter), flags); + if (!iter) + return NULL; + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 8c097de8a596..ae00e68ceae3 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -3122,7 +3122,8 @@ __tracing_open(struct inode *inode, struct file *file, bool snapshot) + if (iter->cpu_file == RING_BUFFER_ALL_CPUS) { + for_each_tracing_cpu(cpu) { + iter->buffer_iter[cpu] = +- ring_buffer_read_prepare(iter->trace_buffer->buffer, cpu); ++ ring_buffer_read_prepare(iter->trace_buffer->buffer, ++ cpu, GFP_KERNEL); + } + ring_buffer_read_prepare_sync(); + for_each_tracing_cpu(cpu) { +@@ -3132,7 +3133,8 @@ __tracing_open(struct inode *inode, struct file *file, bool snapshot) + } else { + cpu = iter->cpu_file; + iter->buffer_iter[cpu] = +- ring_buffer_read_prepare(iter->trace_buffer->buffer, cpu); ++ ring_buffer_read_prepare(iter->trace_buffer->buffer, ++ cpu, GFP_KERNEL); + ring_buffer_read_prepare_sync(); + ring_buffer_read_start(iter->buffer_iter[cpu]); + tracing_iter_reset(iter, cpu); +diff --git a/kernel/trace/trace_kdb.c b/kernel/trace/trace_kdb.c +index 57149bce6aad..896458285fdd 100644 +--- a/kernel/trace/trace_kdb.c ++++ b/kernel/trace/trace_kdb.c +@@ -50,14 +50,16 @@ static void ftrace_dump_buf(int skip_lines, long cpu_file) + if (cpu_file == RING_BUFFER_ALL_CPUS) { + for_each_tracing_cpu(cpu) { + iter.buffer_iter[cpu] = +- ring_buffer_read_prepare(iter.trace_buffer->buffer, cpu); ++ ring_buffer_read_prepare(iter.trace_buffer->buffer, ++ cpu, GFP_ATOMIC); + ring_buffer_read_start(iter.buffer_iter[cpu]); + tracing_iter_reset(&iter, cpu); + } + } else { + iter.cpu_file = cpu_file; + iter.buffer_iter[cpu_file] = +- ring_buffer_read_prepare(iter.trace_buffer->buffer, cpu_file); ++ ring_buffer_read_prepare(iter.trace_buffer->buffer, ++ cpu_file, GFP_ATOMIC); + ring_buffer_read_start(iter.buffer_iter[cpu_file]); + tracing_iter_reset(&iter, cpu_file); + } +diff --git a/lib/bsearch.c b/lib/bsearch.c +index e33c179089db..d50048446b77 100644 +--- a/lib/bsearch.c ++++ b/lib/bsearch.c +@@ -11,6 +11,7 @@ + + #include + #include ++#include + + /* + * bsearch - binary search an array of elements +@@ -51,3 +52,4 @@ void *bsearch(const void *key, const void *base, size_t num, size_t size, + return NULL; + } + EXPORT_SYMBOL(bsearch); ++NOKPROBE_SYMBOL(bsearch); +diff --git a/lib/div64.c b/lib/div64.c +index 62a698a432bc..75b8521c2146 100644 +--- a/lib/div64.c ++++ b/lib/div64.c +@@ -100,7 +100,7 @@ u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder) + quot = div_u64_rem(dividend, divisor, &rem32); + *remainder = rem32; + } else { +- int n = 1 + fls(high); ++ int n = fls(high); + quot = div_u64(dividend >> n, divisor >> n); + + if (quot != 0) +@@ -138,7 +138,7 @@ u64 div64_u64(u64 dividend, u64 divisor) + if (high == 0) { + quot = div_u64(dividend, divisor); + } else { +- int n = 1 + fls(high); ++ int n = fls(high); + quot = div_u64(dividend >> n, divisor >> n); + + if (quot != 0) +diff --git a/lib/int_sqrt.c b/lib/int_sqrt.c +index 1afb545a37c5..6d35274170bc 100644 +--- a/lib/int_sqrt.c ++++ b/lib/int_sqrt.c +@@ -7,6 +7,7 @@ + + #include + #include ++#include + + /** + * int_sqrt - rough approximation to sqrt +@@ -21,10 +22,7 @@ unsigned long int_sqrt(unsigned long x) + if (x <= 1) + return x; + +- m = 1UL << (BITS_PER_LONG - 2); +- while (m > x) +- m >>= 2; +- ++ m = 1UL << (__fls(x) & ~1UL); + while (m != 0) { + b = y + m; + y >>= 1; +diff --git a/lib/raid6/Makefile b/lib/raid6/Makefile +index 3b10a48fa040..a84efd4aad37 100644 +--- a/lib/raid6/Makefile ++++ b/lib/raid6/Makefile +@@ -23,7 +23,7 @@ endif + ifeq ($(CONFIG_KERNEL_MODE_NEON),y) + NEON_FLAGS := -ffreestanding + ifeq ($(ARCH),arm) +-NEON_FLAGS += -mfloat-abi=softfp -mfpu=neon ++NEON_FLAGS += -march=armv7-a -mfloat-abi=softfp -mfpu=neon + endif + ifeq ($(ARCH),arm64) + CFLAGS_REMOVE_neon1.o += -mgeneral-regs-only +diff --git a/lib/string.c b/lib/string.c +index 1a90db9bc6e1..c7cf65ac42ad 100644 +--- a/lib/string.c ++++ b/lib/string.c +@@ -746,6 +746,26 @@ __visible int memcmp(const void *cs, const void *ct, size_t count) + EXPORT_SYMBOL(memcmp); + #endif + ++#ifndef __HAVE_ARCH_BCMP ++/** ++ * bcmp - returns 0 if and only if the buffers have identical contents. ++ * @a: pointer to first buffer. ++ * @b: pointer to second buffer. ++ * @len: size of buffers. ++ * ++ * The sign or magnitude of a non-zero return value has no particular ++ * meaning, and architectures may implement their own more efficient bcmp(). So ++ * while this particular implementation is a simple (tail) call to memcmp, do ++ * not rely on anything but whether the return value is zero or non-zero. ++ */ ++#undef bcmp ++int bcmp(const void *a, const void *b, size_t len) ++{ ++ return memcmp(a, b, len); ++} ++EXPORT_SYMBOL(bcmp); ++#endif ++ + #ifndef __HAVE_ARCH_MEMSCAN + /** + * memscan - Find a character in an area of memory. +diff --git a/mm/cma.c b/mm/cma.c +index 43f4a122e969..f0d91aca5a4c 100644 +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -339,12 +339,14 @@ int __init cma_declare_contiguous(phys_addr_t base, + + ret = cma_init_reserved_mem(base, size, order_per_bit, res_cma); + if (ret) +- goto err; ++ goto free_mem; + + pr_info("Reserved %ld MiB at %pa\n", (unsigned long)size / SZ_1M, + &base); + return 0; + ++free_mem: ++ memblock_free(base, size); + err: + pr_err("Failed to reserve %ld MiB\n", (unsigned long)size / SZ_1M); + return ret; +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index 5418ab0c5e2c..878d05bd185c 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -514,12 +514,16 @@ static int queue_pages_pte_range(pmd_t *pmd, unsigned long addr, + if (node_isset(nid, *qp->nmask) == !!(flags & MPOL_MF_INVERT)) + continue; + +- if (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) ++ if (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) { ++ if (!vma_migratable(vma)) ++ break; + migrate_page_add(page, qp->pagelist, flags); ++ } else ++ break; + } + pte_unmap_unlock(pte - 1, ptl); + cond_resched(); +- return 0; ++ return addr != end ? -EIO : 0; + } + + static int queue_pages_hugetlb(pte_t *pte, unsigned long hmask, +diff --git a/mm/page_ext.c b/mm/page_ext.c +index 4d1eac0d4fc5..de1f34c5a2f1 100644 +--- a/mm/page_ext.c ++++ b/mm/page_ext.c +@@ -255,6 +255,7 @@ static void free_page_ext(void *addr) + table_size = sizeof(struct page_ext) * PAGES_PER_SECTION; + + BUG_ON(PageReserved(page)); ++ kmemleak_free(addr); + free_pages_exact(addr, table_size); + } + } +diff --git a/mm/slab.c b/mm/slab.c +index 92df044f5e00..d043b8007f23 100644 +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -660,14 +660,6 @@ static void start_cpu_timer(int cpu) + + static void init_arraycache(struct array_cache *ac, int limit, int batch) + { +- /* +- * The array_cache structures contain pointers to free object. +- * However, when such objects are allocated or transferred to another +- * cache the pointers are not cleared and they could be counted as +- * valid references during a kmemleak scan. Therefore, kmemleak must +- * not scan such objects. +- */ +- kmemleak_no_scan(ac); + if (ac) { + ac->avail = 0; + ac->limit = limit; +@@ -683,6 +675,14 @@ static struct array_cache *alloc_arraycache(int node, int entries, + struct array_cache *ac = NULL; + + ac = kmalloc_node(memsize, gfp, node); ++ /* ++ * The array_cache structures contain pointers to free object. ++ * However, when such objects are allocated or transferred to another ++ * cache the pointers are not cleared and they could be counted as ++ * valid references during a kmemleak scan. Therefore, kmemleak must ++ * not scan such objects. ++ */ ++ kmemleak_no_scan(ac); + init_arraycache(ac, entries, batchcount); + return ac; + } +@@ -876,6 +876,7 @@ static struct alien_cache *__alloc_alien_cache(int node, int entries, + + alc = kmalloc_node(memsize, gfp, node); + if (alc) { ++ kmemleak_no_scan(alc); + init_arraycache(&alc->ac, entries, batch); + spin_lock_init(&alc->lock); + } +diff --git a/mm/vmalloc.c b/mm/vmalloc.c +index 400e580725da..7c556b59f0ec 100644 +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -446,7 +446,11 @@ nocache: + } + + found: +- if (addr + size > vend) ++ /* ++ * Check also calculated address against the vstart, ++ * because it can be 0 because of big align request. ++ */ ++ if (addr + size > vend || addr < vstart) + goto overflow; + + va->va_start = addr; +diff --git a/mm/vmstat.c b/mm/vmstat.c +index 6af9bbad94c7..dd0a13013cb4 100644 +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -857,13 +857,8 @@ const char * const vmstat_text[] = { + #endif + #endif /* CONFIG_MEMORY_BALLOON */ + #ifdef CONFIG_DEBUG_TLBFLUSH +-#ifdef CONFIG_SMP + "nr_tlb_remote_flush", + "nr_tlb_remote_flush_received", +-#else +- "", /* nr_tlb_remote_flush */ +- "", /* nr_tlb_remote_flush_received */ +-#endif /* CONFIG_SMP */ + "nr_tlb_local_flush_all", + "nr_tlb_local_flush_one", + #endif /* CONFIG_DEBUG_TLBFLUSH */ +diff --git a/net/9p/protocol.c b/net/9p/protocol.c +index 145f80518064..7f1b45c082c9 100644 +--- a/net/9p/protocol.c ++++ b/net/9p/protocol.c +@@ -570,9 +570,10 @@ int p9stat_read(struct p9_client *clnt, char *buf, int len, struct p9_wstat *st) + if (ret) { + p9_debug(P9_DEBUG_9P, "<<< p9stat_read failed: %d\n", ret); + trace_9p_protocol_dump(clnt, &fake_pdu); ++ return ret; + } + +- return ret; ++ return fake_pdu.offset; + } + EXPORT_SYMBOL(p9stat_read); + +diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c +index af46bc49e1e9..b5f84f428aa6 100644 +--- a/net/appletalk/atalk_proc.c ++++ b/net/appletalk/atalk_proc.c +@@ -293,7 +293,7 @@ out_interface: + goto out; + } + +-void __exit atalk_proc_exit(void) ++void atalk_proc_exit(void) + { + remove_proc_entry("interface", atalk_proc_dir); + remove_proc_entry("route", atalk_proc_dir); +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c +index d5871ac493eb..4246df3b7ae8 100644 +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1912,12 +1912,16 @@ static const char atalk_err_snap[] __initconst = + /* Called by proto.c on kernel start up */ + static int __init atalk_init(void) + { +- int rc = proto_register(&ddp_proto, 0); ++ int rc; + +- if (rc != 0) ++ rc = proto_register(&ddp_proto, 0); ++ if (rc) + goto out; + +- (void)sock_register(&atalk_family_ops); ++ rc = sock_register(&atalk_family_ops); ++ if (rc) ++ goto out_proto; ++ + ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv); + if (!ddp_dl) + printk(atalk_err_snap); +@@ -1925,12 +1929,33 @@ static int __init atalk_init(void) + dev_add_pack(<alk_packet_type); + dev_add_pack(&ppptalk_packet_type); + +- register_netdevice_notifier(&ddp_notifier); ++ rc = register_netdevice_notifier(&ddp_notifier); ++ if (rc) ++ goto out_sock; ++ + aarp_proto_init(); +- atalk_proc_init(); +- atalk_register_sysctl(); ++ rc = atalk_proc_init(); ++ if (rc) ++ goto out_aarp; ++ ++ rc = atalk_register_sysctl(); ++ if (rc) ++ goto out_proc; + out: + return rc; ++out_proc: ++ atalk_proc_exit(); ++out_aarp: ++ aarp_cleanup_module(); ++ unregister_netdevice_notifier(&ddp_notifier); ++out_sock: ++ dev_remove_pack(&ppptalk_packet_type); ++ dev_remove_pack(<alk_packet_type); ++ unregister_snap_client(ddp_dl); ++ sock_unregister(PF_APPLETALK); ++out_proto: ++ proto_unregister(&ddp_proto); ++ goto out; + } + module_init(atalk_init); + +diff --git a/net/appletalk/sysctl_net_atalk.c b/net/appletalk/sysctl_net_atalk.c +index ebb864361f7a..4e6042e0fcac 100644 +--- a/net/appletalk/sysctl_net_atalk.c ++++ b/net/appletalk/sysctl_net_atalk.c +@@ -44,9 +44,12 @@ static struct ctl_table atalk_table[] = { + + static struct ctl_table_header *atalk_table_header; + +-void atalk_register_sysctl(void) ++int __init atalk_register_sysctl(void) + { + atalk_table_header = register_net_sysctl(&init_net, "net/appletalk", atalk_table); ++ if (!atalk_table_header) ++ return -ENOMEM; ++ return 0; + } + + void atalk_unregister_sysctl(void) +diff --git a/net/atm/lec.c b/net/atm/lec.c +index 10e4066991b8..e4afac94ff15 100644 +--- a/net/atm/lec.c ++++ b/net/atm/lec.c +@@ -721,7 +721,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg) + + static int lec_mcast_attach(struct atm_vcc *vcc, int arg) + { +- if (arg < 0 || arg >= MAX_LEC_ITF || !dev_lec[arg]) ++ if (arg < 0 || arg >= MAX_LEC_ITF) ++ return -EINVAL; ++ arg = array_index_nospec(arg, MAX_LEC_ITF); ++ if (!dev_lec[arg]) + return -EINVAL; + vcc->proto_data = dev_lec[arg]; + return lec_mcast_make(netdev_priv(dev_lec[arg]), vcc); +@@ -739,6 +742,7 @@ static int lecd_attach(struct atm_vcc *vcc, int arg) + i = arg; + if (arg >= MAX_LEC_ITF) + return -EINVAL; ++ i = array_index_nospec(arg, MAX_LEC_ITF); + if (!dev_lec[i]) { + int size; + +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index c842f40c1173..ea1cd8b21708 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -558,13 +558,12 @@ static int hci_sock_release(struct socket *sock) + if (!sk) + return 0; + +- hdev = hci_pi(sk)->hdev; +- + if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR) + atomic_dec(&monitor_promisc); + + bt_sock_unlink(&hci_sk_list, sk); + ++ hdev = hci_pi(sk)->hdev; + if (hdev) { + if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { + /* When releasing an user channel exclusive access, +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index d80c15d028fe..a52b4ffe30f4 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1894,7 +1894,8 @@ static void br_multicast_start_querier(struct net_bridge *br, + + __br_multicast_open(br, query); + +- list_for_each_entry(port, &br->port_list, list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(port, &br->port_list, list) { + if (port->state == BR_STATE_DISABLED || + port->state == BR_STATE_BLOCKING) + continue; +@@ -1906,6 +1907,7 @@ static void br_multicast_start_querier(struct net_bridge *br, + br_multicast_enable(&port->ip6_own_query); + #endif + } ++ rcu_read_unlock(); + } + + int br_multicast_toggle(struct net_bridge *br, unsigned long val) +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 6def85d75b1d..93b5525bcccf 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -873,11 +873,6 @@ static const struct nf_br_ops br_ops = { + .br_dev_xmit_hook = br_nf_dev_xmit, + }; + +-void br_netfilter_enable(void) +-{ +-} +-EXPORT_SYMBOL_GPL(br_netfilter_enable); +- + /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because + * br_dev_queue_push_xmit is called afterwards */ + static struct nf_hook_ops br_nf_ops[] __read_mostly = { +diff --git a/net/core/ethtool.c b/net/core/ethtool.c +index b6bca625b0d2..9a53c66deb64 100644 +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -1287,17 +1287,22 @@ static int ethtool_get_strings(struct net_device *dev, void __user *useraddr) + + gstrings.len = ret; + +- data = kcalloc(gstrings.len, ETH_GSTRING_LEN, GFP_USER); +- if (!data) +- return -ENOMEM; ++ if (gstrings.len) { ++ data = kcalloc(gstrings.len, ETH_GSTRING_LEN, GFP_USER); ++ if (!data) ++ return -ENOMEM; + +- __ethtool_get_strings(dev, gstrings.string_set, data); ++ __ethtool_get_strings(dev, gstrings.string_set, data); ++ } else { ++ data = NULL; ++ } + + ret = -EFAULT; + if (copy_to_user(useraddr, &gstrings, sizeof(gstrings))) + goto out; + useraddr += sizeof(gstrings); +- if (copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN)) ++ if (gstrings.len && ++ copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN)) + goto out; + ret = 0; + +@@ -1385,17 +1390,21 @@ static int ethtool_get_stats(struct net_device *dev, void __user *useraddr) + return -EFAULT; + + stats.n_stats = n_stats; +- data = kmalloc(n_stats * sizeof(u64), GFP_USER); +- if (!data) +- return -ENOMEM; ++ if (n_stats) { ++ data = kmalloc(n_stats * sizeof(u64), GFP_USER); ++ if (!data) ++ return -ENOMEM; + +- ops->get_ethtool_stats(dev, &stats, data); ++ ops->get_ethtool_stats(dev, &stats, data); ++ } else { ++ data = NULL; ++ } + + ret = -EFAULT; + if (copy_to_user(useraddr, &stats, sizeof(stats))) + goto out; + useraddr += sizeof(stats); +- if (copy_to_user(useraddr, data, stats.n_stats * sizeof(u64))) ++ if (n_stats && copy_to_user(useraddr, data, n_stats * sizeof(u64))) + goto out; + ret = 0; + +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index ccd20669ac00..087ce1598b74 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -280,6 +280,7 @@ static __net_init int setup_net(struct net *net, struct user_namespace *user_ns) + + atomic_set(&net->count, 1); + atomic_set(&net->passive, 1); ++ get_random_bytes(&net->hash_mix, sizeof(u32)); + net->dev_base_seq = 1; + net->user_ns = user_ns; + idr_init(&net->netns_ids); +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c +index d83888bc33d3..b5a137338e50 100644 +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -116,6 +116,7 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + struct guehdr *guehdr; + void *data; + u16 doffset = 0; ++ u8 proto_ctype; + + if (!fou) + return 1; +@@ -173,13 +174,14 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + if (unlikely(guehdr->control)) + return gue_control_message(skb, guehdr); + ++ proto_ctype = guehdr->proto_ctype; + __skb_pull(skb, sizeof(struct udphdr) + hdrlen); + skb_reset_transport_header(skb); + + if (iptunnel_pull_offloads(skb)) + goto drop; + +- return -guehdr->proto_ctype; ++ return -proto_ctype; + + drop: + kfree_skb(skb); +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 97bf6c785767..1d580d290054 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1164,9 +1164,23 @@ static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie) + + static void ipv4_link_failure(struct sk_buff *skb) + { ++ struct ip_options opt; + struct rtable *rt; ++ int res; ++ ++ /* Recompile ip options since IPCB may not be valid anymore. ++ */ ++ memset(&opt, 0, sizeof(opt)); ++ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ ++ rcu_read_lock(); ++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); ++ rcu_read_unlock(); ++ ++ if (res) ++ return; + +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0); ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); + + rt = skb_rtable(skb); + if (rt) +diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c +index 62f90f6b7a9d..7ccbbd0d3e43 100644 +--- a/net/ipv4/tcp_dctcp.c ++++ b/net/ipv4/tcp_dctcp.c +@@ -66,11 +66,6 @@ static unsigned int dctcp_alpha_on_init __read_mostly = DCTCP_MAX_ALPHA; + module_param(dctcp_alpha_on_init, uint, 0644); + MODULE_PARM_DESC(dctcp_alpha_on_init, "parameter for initial alpha value"); + +-static unsigned int dctcp_clamp_alpha_on_loss __read_mostly; +-module_param(dctcp_clamp_alpha_on_loss, uint, 0644); +-MODULE_PARM_DESC(dctcp_clamp_alpha_on_loss, +- "parameter for clamping alpha on loss"); +- + static struct tcp_congestion_ops dctcp_reno; + + static void dctcp_reset(const struct tcp_sock *tp, struct dctcp *ca) +@@ -211,21 +206,23 @@ static void dctcp_update_alpha(struct sock *sk, u32 flags) + } + } + +-static void dctcp_state(struct sock *sk, u8 new_state) ++static void dctcp_react_to_loss(struct sock *sk) + { +- if (dctcp_clamp_alpha_on_loss && new_state == TCP_CA_Loss) { +- struct dctcp *ca = inet_csk_ca(sk); ++ struct dctcp *ca = inet_csk_ca(sk); ++ struct tcp_sock *tp = tcp_sk(sk); + +- /* If this extension is enabled, we clamp dctcp_alpha to +- * max on packet loss; the motivation is that dctcp_alpha +- * is an indicator to the extend of congestion and packet +- * loss is an indicator of extreme congestion; setting +- * this in practice turned out to be beneficial, and +- * effectively assumes total congestion which reduces the +- * window by half. +- */ +- ca->dctcp_alpha = DCTCP_MAX_ALPHA; +- } ++ ca->loss_cwnd = tp->snd_cwnd; ++ tp->snd_ssthresh = max(tp->snd_cwnd >> 1U, 2U); ++} ++ ++static void dctcp_state(struct sock *sk, u8 new_state) ++{ ++ if (new_state == TCP_CA_Recovery && ++ new_state != inet_csk(sk)->icsk_ca_state) ++ dctcp_react_to_loss(sk); ++ /* We handle RTO in dctcp_cwnd_event to ensure that we perform only ++ * one loss-adjustment per RTT. ++ */ + } + + static void dctcp_cwnd_event(struct sock *sk, enum tcp_ca_event ev) +@@ -237,6 +234,9 @@ static void dctcp_cwnd_event(struct sock *sk, enum tcp_ca_event ev) + case CA_EVENT_ECN_NO_CE: + dctcp_ce_state_1_to_0(sk); + break; ++ case CA_EVENT_LOSS: ++ dctcp_react_to_loss(sk); ++ break; + default: + /* Don't care for the rest. */ + break; +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index aff90b0ddb63..44a3aa7a41e2 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -365,11 +365,12 @@ static int __tcp_grow_window(const struct sock *sk, const struct sk_buff *skb) + static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb) + { + struct tcp_sock *tp = tcp_sk(sk); ++ int room; ++ ++ room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh; + + /* Check #1 */ +- if (tp->rcv_ssthresh < tp->window_clamp && +- (int)tp->rcv_ssthresh < tcp_space(sk) && +- !tcp_under_memory_pressure(sk)) { ++ if (room > 0 && !tcp_under_memory_pressure(sk)) { + int incr; + + /* Check #2. Increase window, if skb with such overhead +@@ -382,8 +383,7 @@ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb) + + if (incr) { + incr = max_t(int, incr, 2 * skb->len); +- tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr, +- tp->window_clamp); ++ tp->rcv_ssthresh += min(room, incr); + inet_csk(sk)->icsk_ack.quick |= 1; + } + } +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index f8cca81d66f2..e39dc94486b2 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -575,7 +575,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + inet6_sk(skb->sk) : NULL; + struct ipv6hdr *tmp_hdr; + struct frag_hdr *fh; +- unsigned int mtu, hlen, left, len; ++ unsigned int mtu, hlen, left, len, nexthdr_offset; + int hroom, troom; + __be32 frag_id; + int ptr, offset = 0, err = 0; +@@ -586,6 +586,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + goto fail; + hlen = err; + nexthdr = *prevhdr; ++ nexthdr_offset = prevhdr - skb_network_header(skb); + + mtu = ip6_skb_dst_mtu(skb); + +@@ -620,6 +621,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + (err = skb_checksum_help(skb))) + goto fail; + ++ prevhdr = skb_network_header(skb) + nexthdr_offset; + hroom = LL_RESERVED_SPACE(rt->dst.dev); + if (skb_has_frag_list(skb)) { + int first_len = skb_pagelen(skb); +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index 7c7a74ea2b0d..f072a4c4575c 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -622,7 +622,7 @@ ip4ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, + IPPROTO_IPIP, + RT_TOS(eiph->tos), 0); + if (IS_ERR(rt) || +- rt->dst.dev->type != ARPHRD_TUNNEL) { ++ rt->dst.dev->type != ARPHRD_TUNNEL6) { + if (!IS_ERR(rt)) + ip_rt_put(rt); + goto out; +@@ -632,7 +632,7 @@ ip4ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, + ip_rt_put(rt); + if (ip_route_input(skb2, eiph->daddr, eiph->saddr, eiph->tos, + skb2->dev) || +- skb_dst(skb2)->dev->type != ARPHRD_TUNNEL) ++ skb_dst(skb2)->dev->type != ARPHRD_TUNNEL6) + goto out; + } + +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index 96582ec9c807..77736190dc15 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -693,6 +693,10 @@ static int ipip6_rcv(struct sk_buff *skb) + if (iptunnel_pull_header(skb, 0, htons(ETH_P_IPV6))) + goto out; + ++ /* skb can be uncloned in iptunnel_pull_header, so ++ * old iph is no longer valid ++ */ ++ iph = (const struct iphdr *)skb_mac_header(skb); + err = IP_ECN_decapsulate(iph, skb); + if (unlikely(err)) { + if (log_ecn_error) +diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h +index 18b0d65baff0..6019988bfb84 100644 +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1157,6 +1157,9 @@ static inline void drv_wake_tx_queue(struct ieee80211_local *local, + { + struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif); + ++ if (local->in_reconfig) ++ return; ++ + if (!check_sdata_in_driver(sdata)) + return; + +diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c +index 1caaccbc306c..7e4063621960 100644 +--- a/net/netfilter/xt_physdev.c ++++ b/net/netfilter/xt_physdev.c +@@ -96,8 +96,7 @@ match_outdev: + static int physdev_mt_check(const struct xt_mtchk_param *par) + { + const struct xt_physdev_info *info = par->matchinfo; +- +- br_netfilter_enable(); ++ static bool brnf_probed __read_mostly; + + if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || + info->bitmask & ~XT_PHYSDEV_OP_MASK) +@@ -113,6 +112,12 @@ static int physdev_mt_check(const struct xt_mtchk_param *par) + if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) + return -EINVAL; + } ++ ++ if (!brnf_probed) { ++ brnf_probed = true; ++ request_module("br_netfilter"); ++ } ++ + return 0; + } + +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 537917dfa83a..9b676f8fc16f 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1736,14 +1736,14 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, + + struct sw_flow_actions *acts; + int new_acts_size; +- int req_size = NLA_ALIGN(attr_len); ++ size_t req_size = NLA_ALIGN(attr_len); + int next_offset = offsetof(struct sw_flow_actions, actions) + + (*sfa)->actions_len; + + if (req_size <= (ksize(*sfa) - next_offset)) + goto out; + +- new_acts_size = ksize(*sfa) * 2; ++ new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); + + if (new_acts_size > MAX_ACTIONS_BUFSIZE) { + if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { +diff --git a/net/rds/tcp.c b/net/rds/tcp.c +index 18e50a8fc05f..554d4b461983 100644 +--- a/net/rds/tcp.c ++++ b/net/rds/tcp.c +@@ -346,7 +346,7 @@ static void rds_tcp_kill_sock(struct net *net) + list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) { + struct net *c_net = read_pnet(&tc->conn->c_net); + +- if (net != c_net || !tc->t_sock) ++ if (net != c_net) + continue; + list_move_tail(&tc->t_tcp_node, &tmp_list); + } +diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c +index 9f2f3c48b7b6..247d1888c386 100644 +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -598,6 +598,7 @@ out: + static int sctp_v4_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr) + { + /* No address mapping for V4 sockets */ ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + return sizeof(struct sockaddr_in); + } + +diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c +index 9f5cdd49ff0b..4250d3d6f391 100644 +--- a/scripts/mod/file2alias.c ++++ b/scripts/mod/file2alias.c +@@ -47,49 +47,9 @@ typedef struct { + struct devtable { + const char *device_id; /* name of table, __mod___*_device_table. */ + unsigned long id_size; +- void *function; ++ int (*do_entry)(const char *filename, void *symval, char *alias); + }; + +-#define ___cat(a,b) a ## b +-#define __cat(a,b) ___cat(a,b) +- +-/* we need some special handling for this host tool running eventually on +- * Darwin. The Mach-O section handling is a bit different than ELF section +- * handling. The differnces in detail are: +- * a) we have segments which have sections +- * b) we need a API call to get the respective section symbols */ +-#if defined(__MACH__) +-#include +- +-#define INIT_SECTION(name) do { \ +- unsigned long name ## _len; \ +- char *__cat(pstart_,name) = getsectdata("__TEXT", \ +- #name, &__cat(name,_len)); \ +- char *__cat(pstop_,name) = __cat(pstart_,name) + \ +- __cat(name, _len); \ +- __cat(__start_,name) = (void *)__cat(pstart_,name); \ +- __cat(__stop_,name) = (void *)__cat(pstop_,name); \ +- } while (0) +-#define SECTION(name) __attribute__((section("__TEXT, " #name))) +- +-struct devtable **__start___devtable, **__stop___devtable; +-#else +-#define INIT_SECTION(name) /* no-op for ELF */ +-#define SECTION(name) __attribute__((section(#name))) +- +-/* We construct a table of pointers in an ELF section (pointers generally +- * go unpadded by gcc). ld creates boundary syms for us. */ +-extern struct devtable *__start___devtable[], *__stop___devtable[]; +-#endif /* __MACH__ */ +- +-#if !defined(__used) +-# if __GNUC__ == 3 && __GNUC_MINOR__ < 3 +-# define __used __attribute__((__unused__)) +-# else +-# define __used __attribute__((__used__)) +-# endif +-#endif +- + /* Define a variable f that holds the value of field f of struct devid + * based at address m. + */ +@@ -102,16 +62,6 @@ extern struct devtable *__start___devtable[], *__stop___devtable[]; + #define DEF_FIELD_ADDR(m, devid, f) \ + typeof(((struct devid *)0)->f) *f = ((m) + OFF_##devid##_##f) + +-/* Add a table entry. We test function type matches while we're here. */ +-#define ADD_TO_DEVTABLE(device_id, type, function) \ +- static struct devtable __cat(devtable,__LINE__) = { \ +- device_id + 0*sizeof((function)((const char *)NULL, \ +- (void *)NULL, \ +- (char *)NULL)), \ +- SIZE_##type, (function) }; \ +- static struct devtable *SECTION(__devtable) __used \ +- __cat(devtable_ptr,__LINE__) = &__cat(devtable,__LINE__) +- + #define ADD(str, sep, cond, field) \ + do { \ + strcat(str, sep); \ +@@ -388,7 +338,6 @@ static int do_hid_entry(const char *filename, + + return 1; + } +-ADD_TO_DEVTABLE("hid", hid_device_id, do_hid_entry); + + /* Looks like: ieee1394:venNmoNspNverN */ + static int do_ieee1394_entry(const char *filename, +@@ -413,7 +362,6 @@ static int do_ieee1394_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("ieee1394", ieee1394_device_id, do_ieee1394_entry); + + /* Looks like: pci:vNdNsvNsdNbcNscNiN. */ + static int do_pci_entry(const char *filename, +@@ -457,7 +405,6 @@ static int do_pci_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("pci", pci_device_id, do_pci_entry); + + /* looks like: "ccw:tNmNdtNdmN" */ + static int do_ccw_entry(const char *filename, +@@ -481,7 +428,6 @@ static int do_ccw_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("ccw", ccw_device_id, do_ccw_entry); + + /* looks like: "ap:tN" */ + static int do_ap_entry(const char *filename, +@@ -492,7 +438,6 @@ static int do_ap_entry(const char *filename, + sprintf(alias, "ap:t%02X*", dev_type); + return 1; + } +-ADD_TO_DEVTABLE("ap", ap_device_id, do_ap_entry); + + /* looks like: "css:tN" */ + static int do_css_entry(const char *filename, +@@ -503,7 +448,6 @@ static int do_css_entry(const char *filename, + sprintf(alias, "css:t%01X", type); + return 1; + } +-ADD_TO_DEVTABLE("css", css_device_id, do_css_entry); + + /* Looks like: "serio:tyNprNidNexN" */ + static int do_serio_entry(const char *filename, +@@ -523,7 +467,6 @@ static int do_serio_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("serio", serio_device_id, do_serio_entry); + + /* looks like: "acpi:ACPI0003" or "acpi:PNP0C0B" or "acpi:LNXVIDEO" or + * "acpi:bbsspp" (bb=base-class, ss=sub-class, pp=prog-if) +@@ -561,7 +504,6 @@ static int do_acpi_entry(const char *filename, + } + return 1; + } +-ADD_TO_DEVTABLE("acpi", acpi_device_id, do_acpi_entry); + + /* looks like: "pnp:dD" */ + static void do_pnp_device_entry(void *symval, unsigned long size, +@@ -682,7 +624,6 @@ static int do_pcmcia_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("pcmcia", pcmcia_device_id, do_pcmcia_entry); + + static int do_of_entry (const char *filename, void *symval, char *alias) + { +@@ -707,7 +648,6 @@ static int do_of_entry (const char *filename, void *symval, char *alias) + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("of", of_device_id, do_of_entry); + + static int do_vio_entry(const char *filename, void *symval, + char *alias) +@@ -727,7 +667,6 @@ static int do_vio_entry(const char *filename, void *symval, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("vio", vio_device_id, do_vio_entry); + + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + +@@ -800,7 +739,6 @@ static int do_input_entry(const char *filename, void *symval, + do_input(alias, *swbit, 0, INPUT_DEVICE_ID_SW_MAX); + return 1; + } +-ADD_TO_DEVTABLE("input", input_device_id, do_input_entry); + + static int do_eisa_entry(const char *filename, void *symval, + char *alias) +@@ -812,7 +750,6 @@ static int do_eisa_entry(const char *filename, void *symval, + strcat(alias, "*"); + return 1; + } +-ADD_TO_DEVTABLE("eisa", eisa_device_id, do_eisa_entry); + + /* Looks like: parisc:tNhvNrevNsvN */ + static int do_parisc_entry(const char *filename, void *symval, +@@ -832,7 +769,6 @@ static int do_parisc_entry(const char *filename, void *symval, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("parisc", parisc_device_id, do_parisc_entry); + + /* Looks like: sdio:cNvNdN. */ + static int do_sdio_entry(const char *filename, +@@ -849,7 +785,6 @@ static int do_sdio_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("sdio", sdio_device_id, do_sdio_entry); + + /* Looks like: ssb:vNidNrevN. */ + static int do_ssb_entry(const char *filename, +@@ -866,7 +801,6 @@ static int do_ssb_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("ssb", ssb_device_id, do_ssb_entry); + + /* Looks like: bcma:mNidNrevNclN. */ + static int do_bcma_entry(const char *filename, +@@ -885,7 +819,6 @@ static int do_bcma_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("bcma", bcma_device_id, do_bcma_entry); + + /* Looks like: virtio:dNvN */ + static int do_virtio_entry(const char *filename, void *symval, +@@ -901,7 +834,6 @@ static int do_virtio_entry(const char *filename, void *symval, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("virtio", virtio_device_id, do_virtio_entry); + + /* + * Looks like: vmbus:guid +@@ -924,7 +856,6 @@ static int do_vmbus_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("vmbus", hv_vmbus_device_id, do_vmbus_entry); + + /* Looks like: i2c:S */ + static int do_i2c_entry(const char *filename, void *symval, +@@ -935,7 +866,6 @@ static int do_i2c_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("i2c", i2c_device_id, do_i2c_entry); + + /* Looks like: spi:S */ + static int do_spi_entry(const char *filename, void *symval, +@@ -946,7 +876,6 @@ static int do_spi_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("spi", spi_device_id, do_spi_entry); + + static const struct dmifield { + const char *prefix; +@@ -1001,7 +930,6 @@ static int do_dmi_entry(const char *filename, void *symval, + strcat(alias, ":"); + return 1; + } +-ADD_TO_DEVTABLE("dmi", dmi_system_id, do_dmi_entry); + + static int do_platform_entry(const char *filename, + void *symval, char *alias) +@@ -1010,7 +938,6 @@ static int do_platform_entry(const char *filename, + sprintf(alias, PLATFORM_MODULE_PREFIX "%s", *name); + return 1; + } +-ADD_TO_DEVTABLE("platform", platform_device_id, do_platform_entry); + + static int do_mdio_entry(const char *filename, + void *symval, char *alias) +@@ -1035,7 +962,6 @@ static int do_mdio_entry(const char *filename, + + return 1; + } +-ADD_TO_DEVTABLE("mdio", mdio_device_id, do_mdio_entry); + + /* Looks like: zorro:iN. */ + static int do_zorro_entry(const char *filename, void *symval, +@@ -1046,7 +972,6 @@ static int do_zorro_entry(const char *filename, void *symval, + ADD(alias, "i", id != ZORRO_WILDCARD, id); + return 1; + } +-ADD_TO_DEVTABLE("zorro", zorro_device_id, do_zorro_entry); + + /* looks like: "pnp:dD" */ + static int do_isapnp_entry(const char *filename, +@@ -1062,7 +987,6 @@ static int do_isapnp_entry(const char *filename, + (function >> 12) & 0x0f, (function >> 8) & 0x0f); + return 1; + } +-ADD_TO_DEVTABLE("isapnp", isapnp_device_id, do_isapnp_entry); + + /* Looks like: "ipack:fNvNdN". */ + static int do_ipack_entry(const char *filename, +@@ -1078,7 +1002,6 @@ static int do_ipack_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("ipack", ipack_device_id, do_ipack_entry); + + /* + * Append a match expression for a single masked hex digit. +@@ -1149,7 +1072,6 @@ static int do_amba_entry(const char *filename, + + return 1; + } +-ADD_TO_DEVTABLE("amba", amba_id, do_amba_entry); + + /* + * looks like: "mipscdmm:tN" +@@ -1165,7 +1087,6 @@ static int do_mips_cdmm_entry(const char *filename, + sprintf(alias, "mipscdmm:t%02X*", type); + return 1; + } +-ADD_TO_DEVTABLE("mipscdmm", mips_cdmm_device_id, do_mips_cdmm_entry); + + /* LOOKS like cpu:type:x86,venVVVVfamFFFFmodMMMM:feature:*,FEAT,* + * All fields are numbers. It would be nicer to use strings for vendor +@@ -1190,7 +1111,6 @@ static int do_x86cpu_entry(const char *filename, void *symval, + sprintf(alias + strlen(alias), "%04X*", feature); + return 1; + } +-ADD_TO_DEVTABLE("x86cpu", x86_cpu_id, do_x86cpu_entry); + + /* LOOKS like cpu:type:*:feature:*FEAT* */ + static int do_cpu_entry(const char *filename, void *symval, char *alias) +@@ -1200,7 +1120,6 @@ static int do_cpu_entry(const char *filename, void *symval, char *alias) + sprintf(alias, "cpu:type:*:feature:*%04X*", feature); + return 1; + } +-ADD_TO_DEVTABLE("cpu", cpu_feature, do_cpu_entry); + + /* Looks like: mei:S:uuid:N:* */ + static int do_mei_entry(const char *filename, void *symval, +@@ -1219,7 +1138,6 @@ static int do_mei_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("mei", mei_cl_device_id, do_mei_entry); + + /* Looks like: rapidio:vNdNavNadN */ + static int do_rio_entry(const char *filename, +@@ -1239,7 +1157,6 @@ static int do_rio_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("rapidio", rio_device_id, do_rio_entry); + + /* Looks like: ulpi:vNpN */ + static int do_ulpi_entry(const char *filename, void *symval, +@@ -1252,7 +1169,6 @@ static int do_ulpi_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("ulpi", ulpi_device_id, do_ulpi_entry); + + /* Looks like: hdaudio:vNrNaN */ + static int do_hda_entry(const char *filename, void *symval, char *alias) +@@ -1269,7 +1185,6 @@ static int do_hda_entry(const char *filename, void *symval, char *alias) + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("hdaudio", hda_device_id, do_hda_entry); + + /* Does namelen bytes of name exactly match the symbol? */ + static bool sym_is(const char *name, unsigned namelen, const char *symbol) +@@ -1283,12 +1198,11 @@ static bool sym_is(const char *name, unsigned namelen, const char *symbol) + static void do_table(void *symval, unsigned long size, + unsigned long id_size, + const char *device_id, +- void *function, ++ int (*do_entry)(const char *filename, void *symval, char *alias), + struct module *mod) + { + unsigned int i; + char alias[500]; +- int (*do_entry)(const char *, void *entry, char *alias) = function; + + device_id_check(mod->name, device_id, size, id_size, symval); + /* Leave last one: it's the terminator. */ +@@ -1302,6 +1216,44 @@ static void do_table(void *symval, unsigned long size, + } + } + ++static const struct devtable devtable[] = { ++ {"hid", SIZE_hid_device_id, do_hid_entry}, ++ {"ieee1394", SIZE_ieee1394_device_id, do_ieee1394_entry}, ++ {"pci", SIZE_pci_device_id, do_pci_entry}, ++ {"ccw", SIZE_ccw_device_id, do_ccw_entry}, ++ {"ap", SIZE_ap_device_id, do_ap_entry}, ++ {"css", SIZE_css_device_id, do_css_entry}, ++ {"serio", SIZE_serio_device_id, do_serio_entry}, ++ {"acpi", SIZE_acpi_device_id, do_acpi_entry}, ++ {"pcmcia", SIZE_pcmcia_device_id, do_pcmcia_entry}, ++ {"vio", SIZE_vio_device_id, do_vio_entry}, ++ {"input", SIZE_input_device_id, do_input_entry}, ++ {"eisa", SIZE_eisa_device_id, do_eisa_entry}, ++ {"parisc", SIZE_parisc_device_id, do_parisc_entry}, ++ {"sdio", SIZE_sdio_device_id, do_sdio_entry}, ++ {"ssb", SIZE_ssb_device_id, do_ssb_entry}, ++ {"bcma", SIZE_bcma_device_id, do_bcma_entry}, ++ {"virtio", SIZE_virtio_device_id, do_virtio_entry}, ++ {"vmbus", SIZE_hv_vmbus_device_id, do_vmbus_entry}, ++ {"i2c", SIZE_i2c_device_id, do_i2c_entry}, ++ {"spi", SIZE_spi_device_id, do_spi_entry}, ++ {"dmi", SIZE_dmi_system_id, do_dmi_entry}, ++ {"platform", SIZE_platform_device_id, do_platform_entry}, ++ {"mdio", SIZE_mdio_device_id, do_mdio_entry}, ++ {"zorro", SIZE_zorro_device_id, do_zorro_entry}, ++ {"isapnp", SIZE_isapnp_device_id, do_isapnp_entry}, ++ {"ipack", SIZE_ipack_device_id, do_ipack_entry}, ++ {"amba", SIZE_amba_id, do_amba_entry}, ++ {"mipscdmm", SIZE_mips_cdmm_device_id, do_mips_cdmm_entry}, ++ {"x86cpu", SIZE_x86_cpu_id, do_x86cpu_entry}, ++ {"cpu", SIZE_cpu_feature, do_cpu_entry}, ++ {"mei", SIZE_mei_cl_device_id, do_mei_entry}, ++ {"rapidio", SIZE_rio_device_id, do_rio_entry}, ++ {"ulpi", SIZE_ulpi_device_id, do_ulpi_entry}, ++ {"hdaudio", SIZE_hda_device_id, do_hda_entry}, ++ {"of", SIZE_of_device_id, do_of_entry}, ++}; ++ + /* Create MODULE_ALIAS() statements. + * At this time, we cannot write the actual output C source yet, + * so we write into the mod->dev_table_buf buffer. */ +@@ -1354,13 +1306,14 @@ void handle_moddevtable(struct module *mod, struct elf_info *info, + else if (sym_is(name, namelen, "pnp_card")) + do_pnp_card_entries(symval, sym->st_size, mod); + else { +- struct devtable **p; +- INIT_SECTION(__devtable); ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(devtable); i++) { ++ const struct devtable *p = &devtable[i]; + +- for (p = __start___devtable; p < __stop___devtable; p++) { +- if (sym_is(name, namelen, (*p)->device_id)) { +- do_table(symval, sym->st_size, (*p)->id_size, +- (*p)->device_id, (*p)->function, mod); ++ if (sym_is(name, namelen, p->device_id)) { ++ do_table(symval, sym->st_size, p->id_size, ++ p->device_id, p->do_entry, mod); + break; + } + } +diff --git a/security/device_cgroup.c b/security/device_cgroup.c +index 03c1652c9a1f..db3bdc91c520 100644 +--- a/security/device_cgroup.c ++++ b/security/device_cgroup.c +@@ -568,7 +568,7 @@ static int propagate_exception(struct dev_cgroup *devcg_root, + devcg->behavior == DEVCG_DEFAULT_ALLOW) { + rc = dev_exception_add(devcg, ex); + if (rc) +- break; ++ return rc; + } else { + /* + * in the other possible cases: +diff --git a/sound/core/info.c b/sound/core/info.c +index 8ab72e0f5932..358a6947342d 100644 +--- a/sound/core/info.c ++++ b/sound/core/info.c +@@ -724,8 +724,11 @@ snd_info_create_entry(const char *name, struct snd_info_entry *parent) + INIT_LIST_HEAD(&entry->children); + INIT_LIST_HEAD(&entry->list); + entry->parent = parent; +- if (parent) ++ if (parent) { ++ mutex_lock(&parent->access); + list_add_tail(&entry->list, &parent->children); ++ mutex_unlock(&parent->access); ++ } + return entry; + } + +@@ -809,7 +812,12 @@ void snd_info_free_entry(struct snd_info_entry * entry) + list_for_each_entry_safe(p, n, &entry->children, list) + snd_info_free_entry(p); + +- list_del(&entry->list); ++ p = entry->parent; ++ if (p) { ++ mutex_lock(&p->access); ++ list_del(&entry->list); ++ mutex_unlock(&p->access); ++ } + kfree(entry->name); + if (entry->private_free) + entry->private_free(entry); +diff --git a/sound/core/init.c b/sound/core/init.c +index 20f37fb3800e..67765c61e5d5 100644 +--- a/sound/core/init.c ++++ b/sound/core/init.c +@@ -405,14 +405,7 @@ int snd_card_disconnect(struct snd_card *card) + card->shutdown = 1; + spin_unlock(&card->files_lock); + +- /* phase 1: disable fops (user space) operations for ALSA API */ +- mutex_lock(&snd_card_mutex); +- snd_cards[card->number] = NULL; +- clear_bit(card->number, snd_cards_lock); +- mutex_unlock(&snd_card_mutex); +- +- /* phase 2: replace file->f_op with special dummy operations */ +- ++ /* replace file->f_op with special dummy operations */ + spin_lock(&card->files_lock); + list_for_each_entry(mfile, &card->files_list, list) { + /* it's critical part, use endless loop */ +@@ -428,7 +421,7 @@ int snd_card_disconnect(struct snd_card *card) + } + spin_unlock(&card->files_lock); + +- /* phase 3: notify all connected devices about disconnection */ ++ /* notify all connected devices about disconnection */ + /* at this point, they cannot respond to any calls except release() */ + + #if IS_ENABLED(CONFIG_SND_MIXER_OSS) +@@ -444,6 +437,13 @@ int snd_card_disconnect(struct snd_card *card) + device_del(&card->card_dev); + card->registered = false; + } ++ ++ /* disable fops (user space) operations for ALSA API */ ++ mutex_lock(&snd_card_mutex); ++ snd_cards[card->number] = NULL; ++ clear_bit(card->number, snd_cards_lock); ++ mutex_unlock(&snd_card_mutex); ++ + #ifdef CONFIG_PM + wake_up(&card->power_sleep); + #endif +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 4d6f0f56d54a..252392abd1b9 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -1342,6 +1342,14 @@ int snd_pcm_suspend_all(struct snd_pcm *pcm) + /* FIXME: the open/close code should lock this as well */ + if (substream->runtime == NULL) + continue; ++ ++ /* ++ * Skip BE dai link PCM's that are internal and may ++ * not have their substream ops set. ++ */ ++ if (!substream->ops) ++ continue; ++ + err = snd_pcm_suspend(substream); + if (err < 0 && err != -EBUSY) + return err; +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index 73ee8476584d..0d0e0c2651c2 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info(struct snd_seq_client *client, + + /* fill the info fields */ + if (client_info.name[0]) +- strlcpy(client->name, client_info.name, sizeof(client->name)); ++ strscpy(client->name, client_info.name, sizeof(client->name)); + + client->filter = client_info.filter; + client->event_lost = client_info.event_lost; +@@ -1558,7 +1558,7 @@ static int snd_seq_ioctl_create_queue(struct snd_seq_client *client, + /* set queue name */ + if (! info.name[0]) + snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue); +- strlcpy(q->name, info.name, sizeof(q->name)); ++ strscpy(q->name, info.name, sizeof(q->name)); + snd_use_lock_free(&q->use_lock); + + if (copy_to_user(arg, &info, sizeof(info))) +@@ -1636,7 +1636,7 @@ static int snd_seq_ioctl_set_queue_info(struct snd_seq_client *client, + queuefree(q); + return -EPERM; + } +- strlcpy(q->name, info.name, sizeof(q->name)); ++ strscpy(q->name, info.name, sizeof(q->name)); + queuefree(q); + + return 0; +diff --git a/sound/drivers/opl3/opl3_voice.h b/sound/drivers/opl3/opl3_voice.h +index a371c075ac87..e26702559f61 100644 +--- a/sound/drivers/opl3/opl3_voice.h ++++ b/sound/drivers/opl3/opl3_voice.h +@@ -41,7 +41,7 @@ void snd_opl3_timer_func(unsigned long data); + + /* Prototypes for opl3_drums.c */ + void snd_opl3_load_drums(struct snd_opl3 *opl3); +-void snd_opl3_drum_switch(struct snd_opl3 *opl3, int note, int on_off, int vel, struct snd_midi_channel *chan); ++void snd_opl3_drum_switch(struct snd_opl3 *opl3, int note, int vel, int on_off, struct snd_midi_channel *chan); + + /* Prototypes for opl3_oss.c */ + #ifdef CONFIG_SND_SEQUENCER_OSS +diff --git a/sound/isa/sb/sb8.c b/sound/isa/sb/sb8.c +index b8e2391c33ff..0c7fe1418447 100644 +--- a/sound/isa/sb/sb8.c ++++ b/sound/isa/sb/sb8.c +@@ -111,6 +111,10 @@ static int snd_sb8_probe(struct device *pdev, unsigned int dev) + + /* block the 0x388 port to avoid PnP conflicts */ + acard->fm_res = request_region(0x388, 4, "SoundBlaster FM"); ++ if (!acard->fm_res) { ++ err = -EBUSY; ++ goto _err; ++ } + + if (port[dev] != SNDRV_AUTO_PORT) { + if ((err = snd_sbdsp_create(card, port[dev], irq[dev], +diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c +index 286f5e3686a3..d73ee11a32bd 100644 +--- a/sound/pci/echoaudio/echoaudio.c ++++ b/sound/pci/echoaudio/echoaudio.c +@@ -1953,6 +1953,11 @@ static int snd_echo_create(struct snd_card *card, + } + chip->dsp_registers = (volatile u32 __iomem *) + ioremap_nocache(chip->dsp_registers_phys, sz); ++ if (!chip->dsp_registers) { ++ dev_err(chip->card->dev, "ioremap failed\n"); ++ snd_echo_free(chip); ++ return -ENOMEM; ++ } + + if (request_irq(pci->irq, snd_echo_interrupt, IRQF_SHARED, + KBUILD_MODNAME, chip)) { +diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c +index 1b05d1c5d9fd..a32fe14b4687 100644 +--- a/sound/soc/fsl/fsl-asoc-card.c ++++ b/sound/soc/fsl/fsl-asoc-card.c +@@ -659,6 +659,7 @@ static int fsl_asoc_card_probe(struct platform_device *pdev) + asrc_fail: + of_node_put(asrc_np); + of_node_put(codec_np); ++ put_device(&cpu_pdev->dev); + fail: + of_node_put(cpu_np); + +diff --git a/sound/soc/fsl/fsl_esai.c b/sound/soc/fsl/fsl_esai.c +index a87836d4de15..40075b9afb79 100644 +--- a/sound/soc/fsl/fsl_esai.c ++++ b/sound/soc/fsl/fsl_esai.c +@@ -57,6 +57,8 @@ struct fsl_esai { + u32 fifo_depth; + u32 slot_width; + u32 slots; ++ u32 tx_mask; ++ u32 rx_mask; + u32 hck_rate[2]; + u32 sck_rate[2]; + bool hck_dir[2]; +@@ -357,21 +359,13 @@ static int fsl_esai_set_dai_tdm_slot(struct snd_soc_dai *dai, u32 tx_mask, + regmap_update_bits(esai_priv->regmap, REG_ESAI_TCCR, + ESAI_xCCR_xDC_MASK, ESAI_xCCR_xDC(slots)); + +- regmap_update_bits(esai_priv->regmap, REG_ESAI_TSMA, +- ESAI_xSMA_xS_MASK, ESAI_xSMA_xS(tx_mask)); +- regmap_update_bits(esai_priv->regmap, REG_ESAI_TSMB, +- ESAI_xSMB_xS_MASK, ESAI_xSMB_xS(tx_mask)); +- + regmap_update_bits(esai_priv->regmap, REG_ESAI_RCCR, + ESAI_xCCR_xDC_MASK, ESAI_xCCR_xDC(slots)); + +- regmap_update_bits(esai_priv->regmap, REG_ESAI_RSMA, +- ESAI_xSMA_xS_MASK, ESAI_xSMA_xS(rx_mask)); +- regmap_update_bits(esai_priv->regmap, REG_ESAI_RSMB, +- ESAI_xSMB_xS_MASK, ESAI_xSMB_xS(rx_mask)); +- + esai_priv->slot_width = slot_width; + esai_priv->slots = slots; ++ esai_priv->tx_mask = tx_mask; ++ esai_priv->rx_mask = rx_mask; + + return 0; + } +@@ -582,6 +576,7 @@ static int fsl_esai_trigger(struct snd_pcm_substream *substream, int cmd, + bool tx = substream->stream == SNDRV_PCM_STREAM_PLAYBACK; + u8 i, channels = substream->runtime->channels; + u32 pins = DIV_ROUND_UP(channels, esai_priv->slots); ++ u32 mask; + + switch (cmd) { + case SNDRV_PCM_TRIGGER_START: +@@ -594,15 +589,38 @@ static int fsl_esai_trigger(struct snd_pcm_substream *substream, int cmd, + for (i = 0; tx && i < channels; i++) + regmap_write(esai_priv->regmap, REG_ESAI_ETDR, 0x0); + ++ /* ++ * When set the TE/RE in the end of enablement flow, there ++ * will be channel swap issue for multi data line case. ++ * In order to workaround this issue, we switch the bit ++ * enablement sequence to below sequence ++ * 1) clear the xSMB & xSMA: which is done in probe and ++ * stop state. ++ * 2) set TE/RE ++ * 3) set xSMB ++ * 4) set xSMA: xSMA is the last one in this flow, which ++ * will trigger esai to start. ++ */ + regmap_update_bits(esai_priv->regmap, REG_ESAI_xCR(tx), + tx ? ESAI_xCR_TE_MASK : ESAI_xCR_RE_MASK, + tx ? ESAI_xCR_TE(pins) : ESAI_xCR_RE(pins)); ++ mask = tx ? esai_priv->tx_mask : esai_priv->rx_mask; ++ ++ regmap_update_bits(esai_priv->regmap, REG_ESAI_xSMB(tx), ++ ESAI_xSMB_xS_MASK, ESAI_xSMB_xS(mask)); ++ regmap_update_bits(esai_priv->regmap, REG_ESAI_xSMA(tx), ++ ESAI_xSMA_xS_MASK, ESAI_xSMA_xS(mask)); ++ + break; + case SNDRV_PCM_TRIGGER_SUSPEND: + case SNDRV_PCM_TRIGGER_STOP: + case SNDRV_PCM_TRIGGER_PAUSE_PUSH: + regmap_update_bits(esai_priv->regmap, REG_ESAI_xCR(tx), + tx ? ESAI_xCR_TE_MASK : ESAI_xCR_RE_MASK, 0); ++ regmap_update_bits(esai_priv->regmap, REG_ESAI_xSMA(tx), ++ ESAI_xSMA_xS_MASK, 0); ++ regmap_update_bits(esai_priv->regmap, REG_ESAI_xSMB(tx), ++ ESAI_xSMB_xS_MASK, 0); + + /* Disable and reset FIFO */ + regmap_update_bits(esai_priv->regmap, REG_ESAI_xFCR(tx), +@@ -887,6 +905,15 @@ static int fsl_esai_probe(struct platform_device *pdev) + return ret; + } + ++ esai_priv->tx_mask = 0xFFFFFFFF; ++ esai_priv->rx_mask = 0xFFFFFFFF; ++ ++ /* Clear the TSMA, TSMB, RSMA, RSMB */ ++ regmap_write(esai_priv->regmap, REG_ESAI_TSMA, 0); ++ regmap_write(esai_priv->regmap, REG_ESAI_TSMB, 0); ++ regmap_write(esai_priv->regmap, REG_ESAI_RSMA, 0); ++ regmap_write(esai_priv->regmap, REG_ESAI_RSMB, 0); ++ + ret = devm_snd_soc_register_component(&pdev->dev, &fsl_esai_component, + &fsl_esai_dai, 1); + if (ret) { +diff --git a/sound/soc/fsl/imx-sgtl5000.c b/sound/soc/fsl/imx-sgtl5000.c +index b99e0b5e00e9..8e525f7ac08d 100644 +--- a/sound/soc/fsl/imx-sgtl5000.c ++++ b/sound/soc/fsl/imx-sgtl5000.c +@@ -115,6 +115,7 @@ static int imx_sgtl5000_probe(struct platform_device *pdev) + ret = -EPROBE_DEFER; + goto fail; + } ++ put_device(&ssi_pdev->dev); + codec_dev = of_find_i2c_device_by_node(codec_np); + if (!codec_dev) { + dev_err(&pdev->dev, "failed to find codec platform device\n"); +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c +index 6e4a10fe9dd0..743746a3c50d 100644 +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -2419,7 +2419,7 @@ static int arg_num_eval(struct print_arg *arg, long long *val) + static char *arg_eval (struct print_arg *arg) + { + long long val; +- static char buf[20]; ++ static char buf[24]; + + switch (arg->type) { + case PRINT_ATOM: +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index 47719bde34c6..4e64ba8163bb 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -1320,8 +1320,9 @@ int cmd_top(int argc, const char **argv, const char *prefix __maybe_unused) + symbol_conf.priv_size = sizeof(struct annotation); + + symbol_conf.try_vmlinux_path = (symbol_conf.vmlinux_name == NULL); +- if (symbol__init(NULL) < 0) +- return -1; ++ status = symbol__init(NULL); ++ if (status < 0) ++ goto out_delete_evlist; + + sort__setup_elide(stdout); + +diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c +index da474d743b6a..ea3161170f9e 100644 +--- a/tools/perf/tests/evsel-tp-sched.c ++++ b/tools/perf/tests/evsel-tp-sched.c +@@ -42,7 +42,7 @@ int test__perf_evsel__tp_sched_test(void) + return -1; + } + +- if (perf_evsel__test_field(evsel, "prev_comm", 16, true)) ++ if (perf_evsel__test_field(evsel, "prev_comm", 16, false)) + ret = -1; + + if (perf_evsel__test_field(evsel, "prev_pid", 4, true)) +@@ -54,7 +54,7 @@ int test__perf_evsel__tp_sched_test(void) + if (perf_evsel__test_field(evsel, "prev_state", sizeof(long), true)) + ret = -1; + +- if (perf_evsel__test_field(evsel, "next_comm", 16, true)) ++ if (perf_evsel__test_field(evsel, "next_comm", 16, false)) + ret = -1; + + if (perf_evsel__test_field(evsel, "next_pid", 4, true)) +@@ -72,7 +72,7 @@ int test__perf_evsel__tp_sched_test(void) + return -1; + } + +- if (perf_evsel__test_field(evsel, "comm", 16, true)) ++ if (perf_evsel__test_field(evsel, "comm", 16, false)) + ret = -1; + + if (perf_evsel__test_field(evsel, "pid", 4, true)) +@@ -84,5 +84,6 @@ int test__perf_evsel__tp_sched_test(void) + if (perf_evsel__test_field(evsel, "target_cpu", 4, true)) + ret = -1; + ++ perf_evsel__delete(evsel); + return ret; + } +diff --git a/tools/perf/tests/openat-syscall-all-cpus.c b/tools/perf/tests/openat-syscall-all-cpus.c +index 2006485a2859..3848d5ab378d 100644 +--- a/tools/perf/tests/openat-syscall-all-cpus.c ++++ b/tools/perf/tests/openat-syscall-all-cpus.c +@@ -35,7 +35,7 @@ int test__openat_syscall_event_on_all_cpus(void) + if (IS_ERR(evsel)) { + tracing_path__strerror_open_tp(errno, errbuf, sizeof(errbuf), "syscalls", "sys_enter_openat"); + pr_debug("%s\n", errbuf); +- goto out_thread_map_delete; ++ goto out_cpu_map_delete; + } + + if (perf_evsel__open(evsel, cpus, threads) < 0) { +@@ -109,6 +109,8 @@ out_close_fd: + perf_evsel__close_fd(evsel, 1, threads->nr); + out_evsel_delete: + perf_evsel__delete(evsel); ++out_cpu_map_delete: ++ cpu_map__put(cpus); + out_thread_map_delete: + thread_map__put(threads); + return err; +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index f0bd4825f95a..97fde9275f42 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -1051,6 +1051,7 @@ void perf_evsel__exit(struct perf_evsel *evsel) + { + assert(list_empty(&evsel->node)); + assert(evsel->evlist == NULL); ++ perf_evsel__free_counts(evsel); + perf_evsel__free_fd(evsel); + perf_evsel__free_id(evsel); + perf_evsel__free_config_terms(evsel); +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 33c79e415075..532e7bf06868 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -3089,6 +3089,9 @@ int fork_it(char **argv) + signal(SIGQUIT, SIG_IGN); + if (waitpid(child_pid, &status, 0) == -1) + err(status, "waitpid"); ++ ++ if (WIFEXITED(status)) ++ status = WEXITSTATUS(status); + } + /* + * n.b. fork_it() does not check for errors from for_all_cpus() diff --git a/patch/kernel/rk3399-default/04-patch-4.4.179-180.patch b/patch/kernel/rk3399-default/04-patch-4.4.179-180.patch new file mode 100644 index 0000000000..d147c76798 --- /dev/null +++ b/patch/kernel/rk3399-default/04-patch-4.4.179-180.patch @@ -0,0 +1,5154 @@ +diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu +index 50f95689ab38..e4cd3be77663 100644 +--- a/Documentation/ABI/testing/sysfs-devices-system-cpu ++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu +@@ -277,6 +277,8 @@ What: /sys/devices/system/cpu/vulnerabilities + /sys/devices/system/cpu/vulnerabilities/spectre_v1 + /sys/devices/system/cpu/vulnerabilities/spectre_v2 + /sys/devices/system/cpu/vulnerabilities/spec_store_bypass ++ /sys/devices/system/cpu/vulnerabilities/l1tf ++ /sys/devices/system/cpu/vulnerabilities/mds + Date: January 2018 + Contact: Linux kernel mailing list + Description: Information about CPU vulnerabilities +diff --git a/Documentation/hw-vuln/mds.rst b/Documentation/hw-vuln/mds.rst +new file mode 100644 +index 000000000000..3f92728be021 +--- /dev/null ++++ b/Documentation/hw-vuln/mds.rst +@@ -0,0 +1,305 @@ ++MDS - Microarchitectural Data Sampling ++====================================== ++ ++Microarchitectural Data Sampling is a hardware vulnerability which allows ++unprivileged speculative access to data which is available in various CPU ++internal buffers. ++ ++Affected processors ++------------------- ++ ++This vulnerability affects a wide range of Intel processors. The ++vulnerability is not present on: ++ ++ - Processors from AMD, Centaur and other non Intel vendors ++ ++ - Older processor models, where the CPU family is < 6 ++ ++ - Some Atoms (Bonnell, Saltwell, Goldmont, GoldmontPlus) ++ ++ - Intel processors which have the ARCH_CAP_MDS_NO bit set in the ++ IA32_ARCH_CAPABILITIES MSR. ++ ++Whether a processor is affected or not can be read out from the MDS ++vulnerability file in sysfs. See :ref:`mds_sys_info`. ++ ++Not all processors are affected by all variants of MDS, but the mitigation ++is identical for all of them so the kernel treats them as a single ++vulnerability. ++ ++Related CVEs ++------------ ++ ++The following CVE entries are related to the MDS vulnerability: ++ ++ ============== ===== =================================================== ++ CVE-2018-12126 MSBDS Microarchitectural Store Buffer Data Sampling ++ CVE-2018-12130 MFBDS Microarchitectural Fill Buffer Data Sampling ++ CVE-2018-12127 MLPDS Microarchitectural Load Port Data Sampling ++ CVE-2019-11091 MDSUM Microarchitectural Data Sampling Uncacheable Memory ++ ============== ===== =================================================== ++ ++Problem ++------- ++ ++When performing store, load, L1 refill operations, processors write data ++into temporary microarchitectural structures (buffers). The data in the ++buffer can be forwarded to load operations as an optimization. ++ ++Under certain conditions, usually a fault/assist caused by a load ++operation, data unrelated to the load memory address can be speculatively ++forwarded from the buffers. Because the load operation causes a fault or ++assist and its result will be discarded, the forwarded data will not cause ++incorrect program execution or state changes. But a malicious operation ++may be able to forward this speculative data to a disclosure gadget which ++allows in turn to infer the value via a cache side channel attack. ++ ++Because the buffers are potentially shared between Hyper-Threads cross ++Hyper-Thread attacks are possible. ++ ++Deeper technical information is available in the MDS specific x86 ++architecture section: :ref:`Documentation/x86/mds.rst `. ++ ++ ++Attack scenarios ++---------------- ++ ++Attacks against the MDS vulnerabilities can be mounted from malicious non ++priviledged user space applications running on hosts or guest. Malicious ++guest OSes can obviously mount attacks as well. ++ ++Contrary to other speculation based vulnerabilities the MDS vulnerability ++does not allow the attacker to control the memory target address. As a ++consequence the attacks are purely sampling based, but as demonstrated with ++the TLBleed attack samples can be postprocessed successfully. ++ ++Web-Browsers ++^^^^^^^^^^^^ ++ ++ It's unclear whether attacks through Web-Browsers are possible at ++ all. The exploitation through Java-Script is considered very unlikely, ++ but other widely used web technologies like Webassembly could possibly be ++ abused. ++ ++ ++.. _mds_sys_info: ++ ++MDS system information ++----------------------- ++ ++The Linux kernel provides a sysfs interface to enumerate the current MDS ++status of the system: whether the system is vulnerable, and which ++mitigations are active. The relevant sysfs file is: ++ ++/sys/devices/system/cpu/vulnerabilities/mds ++ ++The possible values in this file are: ++ ++ .. list-table:: ++ ++ * - 'Not affected' ++ - The processor is not vulnerable ++ * - 'Vulnerable' ++ - The processor is vulnerable, but no mitigation enabled ++ * - 'Vulnerable: Clear CPU buffers attempted, no microcode' ++ - The processor is vulnerable but microcode is not updated. ++ ++ The mitigation is enabled on a best effort basis. See :ref:`vmwerv` ++ * - 'Mitigation: Clear CPU buffers' ++ - The processor is vulnerable and the CPU buffer clearing mitigation is ++ enabled. ++ ++If the processor is vulnerable then the following information is appended ++to the above information: ++ ++ ======================== ============================================ ++ 'SMT vulnerable' SMT is enabled ++ 'SMT mitigated' SMT is enabled and mitigated ++ 'SMT disabled' SMT is disabled ++ 'SMT Host state unknown' Kernel runs in a VM, Host SMT state unknown ++ ======================== ============================================ ++ ++.. _vmwerv: ++ ++Best effort mitigation mode ++^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ If the processor is vulnerable, but the availability of the microcode based ++ mitigation mechanism is not advertised via CPUID the kernel selects a best ++ effort mitigation mode. This mode invokes the mitigation instructions ++ without a guarantee that they clear the CPU buffers. ++ ++ This is done to address virtualization scenarios where the host has the ++ microcode update applied, but the hypervisor is not yet updated to expose ++ the CPUID to the guest. If the host has updated microcode the protection ++ takes effect otherwise a few cpu cycles are wasted pointlessly. ++ ++ The state in the mds sysfs file reflects this situation accordingly. ++ ++ ++Mitigation mechanism ++------------------------- ++ ++The kernel detects the affected CPUs and the presence of the microcode ++which is required. ++ ++If a CPU is affected and the microcode is available, then the kernel ++enables the mitigation by default. The mitigation can be controlled at boot ++time via a kernel command line option. See ++:ref:`mds_mitigation_control_command_line`. ++ ++.. _cpu_buffer_clear: ++ ++CPU buffer clearing ++^^^^^^^^^^^^^^^^^^^ ++ ++ The mitigation for MDS clears the affected CPU buffers on return to user ++ space and when entering a guest. ++ ++ If SMT is enabled it also clears the buffers on idle entry when the CPU ++ is only affected by MSBDS and not any other MDS variant, because the ++ other variants cannot be protected against cross Hyper-Thread attacks. ++ ++ For CPUs which are only affected by MSBDS the user space, guest and idle ++ transition mitigations are sufficient and SMT is not affected. ++ ++.. _virt_mechanism: ++ ++Virtualization mitigation ++^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ The protection for host to guest transition depends on the L1TF ++ vulnerability of the CPU: ++ ++ - CPU is affected by L1TF: ++ ++ If the L1D flush mitigation is enabled and up to date microcode is ++ available, the L1D flush mitigation is automatically protecting the ++ guest transition. ++ ++ If the L1D flush mitigation is disabled then the MDS mitigation is ++ invoked explicit when the host MDS mitigation is enabled. ++ ++ For details on L1TF and virtualization see: ++ :ref:`Documentation/hw-vuln//l1tf.rst `. ++ ++ - CPU is not affected by L1TF: ++ ++ CPU buffers are flushed before entering the guest when the host MDS ++ mitigation is enabled. ++ ++ The resulting MDS protection matrix for the host to guest transition: ++ ++ ============ ===== ============= ============ ================= ++ L1TF MDS VMX-L1FLUSH Host MDS MDS-State ++ ++ Don't care No Don't care N/A Not affected ++ ++ Yes Yes Disabled Off Vulnerable ++ ++ Yes Yes Disabled Full Mitigated ++ ++ Yes Yes Enabled Don't care Mitigated ++ ++ No Yes N/A Off Vulnerable ++ ++ No Yes N/A Full Mitigated ++ ============ ===== ============= ============ ================= ++ ++ This only covers the host to guest transition, i.e. prevents leakage from ++ host to guest, but does not protect the guest internally. Guests need to ++ have their own protections. ++ ++.. _xeon_phi: ++ ++XEON PHI specific considerations ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ The XEON PHI processor family is affected by MSBDS which can be exploited ++ cross Hyper-Threads when entering idle states. Some XEON PHI variants allow ++ to use MWAIT in user space (Ring 3) which opens an potential attack vector ++ for malicious user space. The exposure can be disabled on the kernel ++ command line with the 'ring3mwait=disable' command line option. ++ ++ XEON PHI is not affected by the other MDS variants and MSBDS is mitigated ++ before the CPU enters a idle state. As XEON PHI is not affected by L1TF ++ either disabling SMT is not required for full protection. ++ ++.. _mds_smt_control: ++ ++SMT control ++^^^^^^^^^^^ ++ ++ All MDS variants except MSBDS can be attacked cross Hyper-Threads. That ++ means on CPUs which are affected by MFBDS or MLPDS it is necessary to ++ disable SMT for full protection. These are most of the affected CPUs; the ++ exception is XEON PHI, see :ref:`xeon_phi`. ++ ++ Disabling SMT can have a significant performance impact, but the impact ++ depends on the type of workloads. ++ ++ See the relevant chapter in the L1TF mitigation documentation for details: ++ :ref:`Documentation/hw-vuln/l1tf.rst `. ++ ++ ++.. _mds_mitigation_control_command_line: ++ ++Mitigation control on the kernel command line ++--------------------------------------------- ++ ++The kernel command line allows to control the MDS mitigations at boot ++time with the option "mds=". The valid arguments for this option are: ++ ++ ============ ============================================================= ++ full If the CPU is vulnerable, enable all available mitigations ++ for the MDS vulnerability, CPU buffer clearing on exit to ++ userspace and when entering a VM. Idle transitions are ++ protected as well if SMT is enabled. ++ ++ It does not automatically disable SMT. ++ ++ off Disables MDS mitigations completely. ++ ++ ============ ============================================================= ++ ++Not specifying this option is equivalent to "mds=full". ++ ++ ++Mitigation selection guide ++-------------------------- ++ ++1. Trusted userspace ++^^^^^^^^^^^^^^^^^^^^ ++ ++ If all userspace applications are from a trusted source and do not ++ execute untrusted code which is supplied externally, then the mitigation ++ can be disabled. ++ ++ ++2. Virtualization with trusted guests ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ The same considerations as above versus trusted user space apply. ++ ++3. Virtualization with untrusted guests ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ The protection depends on the state of the L1TF mitigations. ++ See :ref:`virt_mechanism`. ++ ++ If the MDS mitigation is enabled and SMT is disabled, guest to host and ++ guest to guest attacks are prevented. ++ ++.. _mds_default_mitigations: ++ ++Default mitigations ++------------------- ++ ++ The kernel default mitigations for vulnerable processors are: ++ ++ - Enable CPU buffer clearing ++ ++ The kernel does not by default enforce the disabling of SMT, which leaves ++ SMT systems vulnerable when running untrusted code. The same rationale as ++ for L1TF applies. ++ See :ref:`Documentation/hw-vuln//l1tf.rst `. +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt +index da515c535e62..175d57049168 100644 +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -2035,6 +2035,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + Format: , + Specifies range of consoles to be captured by the MDA. + ++ mds= [X86,INTEL] ++ Control mitigation for the Micro-architectural Data ++ Sampling (MDS) vulnerability. ++ ++ Certain CPUs are vulnerable to an exploit against CPU ++ internal buffers which can forward information to a ++ disclosure gadget under certain conditions. ++ ++ In vulnerable processors, the speculatively ++ forwarded data can be used in a cache side channel ++ attack, to access data to which the attacker does ++ not have direct access. ++ ++ This parameter controls the MDS mitigation. The ++ options are: ++ ++ full - Enable MDS mitigation on vulnerable CPUs ++ off - Unconditionally disable MDS mitigation ++ ++ Not specifying this option is equivalent to ++ mds=full. ++ ++ For details see: Documentation/hw-vuln/mds.rst ++ + mem=nn[KMG] [KNL,BOOT] Force usage of a specific amount of memory + Amount of memory to be used when the kernel is not able + to see the whole system memory or for test. +@@ -2149,6 +2173,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + in the "bleeding edge" mini2440 support kernel at + http://repo.or.cz/w/linux-2.6/mini2440.git + ++ mitigations= ++ [X86] Control optional mitigations for CPU ++ vulnerabilities. This is a set of curated, ++ arch-independent options, each of which is an ++ aggregation of existing arch-specific options. ++ ++ off ++ Disable all optional CPU mitigations. This ++ improves system performance, but it may also ++ expose users to several CPU vulnerabilities. ++ Equivalent to: nopti [X86] ++ nospectre_v2 [X86] ++ spectre_v2_user=off [X86] ++ spec_store_bypass_disable=off [X86] ++ mds=off [X86] ++ ++ auto (default) ++ Mitigate all CPU vulnerabilities, but leave SMT ++ enabled, even if it's vulnerable. This is for ++ users who don't want to be surprised by SMT ++ getting disabled across kernel upgrades, or who ++ have other ways of avoiding SMT-based attacks. ++ Equivalent to: (default behavior) ++ + mminit_loglevel= + [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this + parameter allows control of the logging verbosity for +@@ -2450,7 +2498,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + + nohugeiomap [KNL,x86] Disable kernel huge I/O mappings. + +- nospectre_v2 [X86] Disable all mitigations for the Spectre variant 2 ++ nospectre_v1 [PPC] Disable mitigations for Spectre Variant 1 (bounds ++ check bypass). With this option data leaks are possible ++ in the system. ++ ++ nospectre_v2 [X86,PPC_FSL_BOOK3E] Disable all mitigations for the Spectre variant 2 + (indirect branch prediction) vulnerability. System may + allow data leaks with this option, which is equivalent + to spectre_v2=off. +@@ -3600,9 +3652,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + + spectre_v2= [X86] Control mitigation of Spectre variant 2 + (indirect branch speculation) vulnerability. ++ The default operation protects the kernel from ++ user space attacks. + +- on - unconditionally enable +- off - unconditionally disable ++ on - unconditionally enable, implies ++ spectre_v2_user=on ++ off - unconditionally disable, implies ++ spectre_v2_user=off + auto - kernel detects whether your CPU model is + vulnerable + +@@ -3612,6 +3668,12 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + CONFIG_RETPOLINE configuration option, and the + compiler with which the kernel was built. + ++ Selecting 'on' will also enable the mitigation ++ against user space to user space task attacks. ++ ++ Selecting 'off' will disable both the kernel and ++ the user space protections. ++ + Specific mitigations can also be selected manually: + + retpoline - replace indirect branches +@@ -3621,6 +3683,48 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + Not specifying this option is equivalent to + spectre_v2=auto. + ++ spectre_v2_user= ++ [X86] Control mitigation of Spectre variant 2 ++ (indirect branch speculation) vulnerability between ++ user space tasks ++ ++ on - Unconditionally enable mitigations. Is ++ enforced by spectre_v2=on ++ ++ off - Unconditionally disable mitigations. Is ++ enforced by spectre_v2=off ++ ++ prctl - Indirect branch speculation is enabled, ++ but mitigation can be enabled via prctl ++ per thread. The mitigation control state ++ is inherited on fork. ++ ++ prctl,ibpb ++ - Like "prctl" above, but only STIBP is ++ controlled per thread. IBPB is issued ++ always when switching between different user ++ space processes. ++ ++ seccomp ++ - Same as "prctl" above, but all seccomp ++ threads will enable the mitigation unless ++ they explicitly opt out. ++ ++ seccomp,ibpb ++ - Like "seccomp" above, but only STIBP is ++ controlled per thread. IBPB is issued ++ always when switching between different ++ user space processes. ++ ++ auto - Kernel selects the mitigation depending on ++ the available CPU features and vulnerability. ++ ++ Default mitigation: ++ If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl" ++ ++ Not specifying this option is equivalent to ++ spectre_v2_user=auto. ++ + spec_store_bypass_disable= + [HW] Control Speculative Store Bypass (SSB) Disable mitigation + (Speculative Store Bypass vulnerability) +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt +index 2fb35658d151..709d24b4b533 100644 +--- a/Documentation/networking/ip-sysctl.txt ++++ b/Documentation/networking/ip-sysctl.txt +@@ -387,6 +387,7 @@ tcp_min_rtt_wlen - INTEGER + minimum RTT when it is moved to a longer path (e.g., due to traffic + engineering). A longer window makes the filter more resistant to RTT + inflations such as transient congestion. The unit is seconds. ++ Possible values: 0 - 86400 (1 day) + Default: 300 + + tcp_moderate_rcvbuf - BOOLEAN +diff --git a/Documentation/spec_ctrl.txt b/Documentation/spec_ctrl.txt +index 32f3d55c54b7..c4dbe6f7cdae 100644 +--- a/Documentation/spec_ctrl.txt ++++ b/Documentation/spec_ctrl.txt +@@ -92,3 +92,12 @@ Speculation misfeature controls + * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0); + * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); + * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); ++ ++- PR_SPEC_INDIR_BRANCH: Indirect Branch Speculation in User Processes ++ (Mitigate Spectre V2 style attacks against user processes) ++ ++ Invocations: ++ * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0); ++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0); ++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0); ++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); +diff --git a/Documentation/usb/power-management.txt b/Documentation/usb/power-management.txt +index 0a94ffe17ab6..b13e031beaa6 100644 +--- a/Documentation/usb/power-management.txt ++++ b/Documentation/usb/power-management.txt +@@ -365,11 +365,15 @@ autosuspend the interface's device. When the usage counter is = 0 + then the interface is considered to be idle, and the kernel may + autosuspend the device. + +-Drivers need not be concerned about balancing changes to the usage +-counter; the USB core will undo any remaining "get"s when a driver +-is unbound from its interface. As a corollary, drivers must not call +-any of the usb_autopm_* functions after their disconnect() routine has +-returned. ++Drivers must be careful to balance their overall changes to the usage ++counter. Unbalanced "get"s will remain in effect when a driver is ++unbound from its interface, preventing the device from going into ++runtime suspend should the interface be bound to a driver again. On ++the other hand, drivers are allowed to achieve this balance by calling ++the ``usb_autopm_*`` functions even after their ``disconnect`` routine ++has returned -- say from within a work-queue routine -- provided they ++retain an active reference to the interface (via ``usb_get_intf`` and ++``usb_put_intf``). + + Drivers using the async routines are responsible for their own + synchronization and mutual exclusion. +diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst +new file mode 100644 +index 000000000000..534e9baa4e1d +--- /dev/null ++++ b/Documentation/x86/mds.rst +@@ -0,0 +1,225 @@ ++Microarchitectural Data Sampling (MDS) mitigation ++================================================= ++ ++.. _mds: ++ ++Overview ++-------- ++ ++Microarchitectural Data Sampling (MDS) is a family of side channel attacks ++on internal buffers in Intel CPUs. The variants are: ++ ++ - Microarchitectural Store Buffer Data Sampling (MSBDS) (CVE-2018-12126) ++ - Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12130) ++ - Microarchitectural Load Port Data Sampling (MLPDS) (CVE-2018-12127) ++ - Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (CVE-2019-11091) ++ ++MSBDS leaks Store Buffer Entries which can be speculatively forwarded to a ++dependent load (store-to-load forwarding) as an optimization. The forward ++can also happen to a faulting or assisting load operation for a different ++memory address, which can be exploited under certain conditions. Store ++buffers are partitioned between Hyper-Threads so cross thread forwarding is ++not possible. But if a thread enters or exits a sleep state the store ++buffer is repartitioned which can expose data from one thread to the other. ++ ++MFBDS leaks Fill Buffer Entries. Fill buffers are used internally to manage ++L1 miss situations and to hold data which is returned or sent in response ++to a memory or I/O operation. Fill buffers can forward data to a load ++operation and also write data to the cache. When the fill buffer is ++deallocated it can retain the stale data of the preceding operations which ++can then be forwarded to a faulting or assisting load operation, which can ++be exploited under certain conditions. Fill buffers are shared between ++Hyper-Threads so cross thread leakage is possible. ++ ++MLPDS leaks Load Port Data. Load ports are used to perform load operations ++from memory or I/O. The received data is then forwarded to the register ++file or a subsequent operation. In some implementations the Load Port can ++contain stale data from a previous operation which can be forwarded to ++faulting or assisting loads under certain conditions, which again can be ++exploited eventually. Load ports are shared between Hyper-Threads so cross ++thread leakage is possible. ++ ++MDSUM is a special case of MSBDS, MFBDS and MLPDS. An uncacheable load from ++memory that takes a fault or assist can leave data in a microarchitectural ++structure that may later be observed using one of the same methods used by ++MSBDS, MFBDS or MLPDS. ++ ++Exposure assumptions ++-------------------- ++ ++It is assumed that attack code resides in user space or in a guest with one ++exception. The rationale behind this assumption is that the code construct ++needed for exploiting MDS requires: ++ ++ - to control the load to trigger a fault or assist ++ ++ - to have a disclosure gadget which exposes the speculatively accessed ++ data for consumption through a side channel. ++ ++ - to control the pointer through which the disclosure gadget exposes the ++ data ++ ++The existence of such a construct in the kernel cannot be excluded with ++100% certainty, but the complexity involved makes it extremly unlikely. ++ ++There is one exception, which is untrusted BPF. The functionality of ++untrusted BPF is limited, but it needs to be thoroughly investigated ++whether it can be used to create such a construct. ++ ++ ++Mitigation strategy ++------------------- ++ ++All variants have the same mitigation strategy at least for the single CPU ++thread case (SMT off): Force the CPU to clear the affected buffers. ++ ++This is achieved by using the otherwise unused and obsolete VERW ++instruction in combination with a microcode update. The microcode clears ++the affected CPU buffers when the VERW instruction is executed. ++ ++For virtualization there are two ways to achieve CPU buffer ++clearing. Either the modified VERW instruction or via the L1D Flush ++command. The latter is issued when L1TF mitigation is enabled so the extra ++VERW can be avoided. If the CPU is not affected by L1TF then VERW needs to ++be issued. ++ ++If the VERW instruction with the supplied segment selector argument is ++executed on a CPU without the microcode update there is no side effect ++other than a small number of pointlessly wasted CPU cycles. ++ ++This does not protect against cross Hyper-Thread attacks except for MSBDS ++which is only exploitable cross Hyper-thread when one of the Hyper-Threads ++enters a C-state. ++ ++The kernel provides a function to invoke the buffer clearing: ++ ++ mds_clear_cpu_buffers() ++ ++The mitigation is invoked on kernel/userspace, hypervisor/guest and C-state ++(idle) transitions. ++ ++As a special quirk to address virtualization scenarios where the host has ++the microcode updated, but the hypervisor does not (yet) expose the ++MD_CLEAR CPUID bit to guests, the kernel issues the VERW instruction in the ++hope that it might actually clear the buffers. The state is reflected ++accordingly. ++ ++According to current knowledge additional mitigations inside the kernel ++itself are not required because the necessary gadgets to expose the leaked ++data cannot be controlled in a way which allows exploitation from malicious ++user space or VM guests. ++ ++Kernel internal mitigation modes ++-------------------------------- ++ ++ ======= ============================================================ ++ off Mitigation is disabled. Either the CPU is not affected or ++ mds=off is supplied on the kernel command line ++ ++ full Mitigation is enabled. CPU is affected and MD_CLEAR is ++ advertised in CPUID. ++ ++ vmwerv Mitigation is enabled. CPU is affected and MD_CLEAR is not ++ advertised in CPUID. That is mainly for virtualization ++ scenarios where the host has the updated microcode but the ++ hypervisor does not expose MD_CLEAR in CPUID. It's a best ++ effort approach without guarantee. ++ ======= ============================================================ ++ ++If the CPU is affected and mds=off is not supplied on the kernel command ++line then the kernel selects the appropriate mitigation mode depending on ++the availability of the MD_CLEAR CPUID bit. ++ ++Mitigation points ++----------------- ++ ++1. Return to user space ++^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ When transitioning from kernel to user space the CPU buffers are flushed ++ on affected CPUs when the mitigation is not disabled on the kernel ++ command line. The migitation is enabled through the static key ++ mds_user_clear. ++ ++ The mitigation is invoked in prepare_exit_to_usermode() which covers ++ most of the kernel to user space transitions. There are a few exceptions ++ which are not invoking prepare_exit_to_usermode() on return to user ++ space. These exceptions use the paranoid exit code. ++ ++ - Non Maskable Interrupt (NMI): ++ ++ Access to sensible data like keys, credentials in the NMI context is ++ mostly theoretical: The CPU can do prefetching or execute a ++ misspeculated code path and thereby fetching data which might end up ++ leaking through a buffer. ++ ++ But for mounting other attacks the kernel stack address of the task is ++ already valuable information. So in full mitigation mode, the NMI is ++ mitigated on the return from do_nmi() to provide almost complete ++ coverage. ++ ++ - Double fault (#DF): ++ ++ A double fault is usually fatal, but the ESPFIX workaround, which can ++ be triggered from user space through modify_ldt(2) is a recoverable ++ double fault. #DF uses the paranoid exit path, so explicit mitigation ++ in the double fault handler is required. ++ ++ - Machine Check Exception (#MC): ++ ++ Another corner case is a #MC which hits between the CPU buffer clear ++ invocation and the actual return to user. As this still is in kernel ++ space it takes the paranoid exit path which does not clear the CPU ++ buffers. So the #MC handler repopulates the buffers to some ++ extent. Machine checks are not reliably controllable and the window is ++ extremly small so mitigation would just tick a checkbox that this ++ theoretical corner case is covered. To keep the amount of special ++ cases small, ignore #MC. ++ ++ - Debug Exception (#DB): ++ ++ This takes the paranoid exit path only when the INT1 breakpoint is in ++ kernel space. #DB on a user space address takes the regular exit path, ++ so no extra mitigation required. ++ ++ ++2. C-State transition ++^^^^^^^^^^^^^^^^^^^^^ ++ ++ When a CPU goes idle and enters a C-State the CPU buffers need to be ++ cleared on affected CPUs when SMT is active. This addresses the ++ repartitioning of the store buffer when one of the Hyper-Threads enters ++ a C-State. ++ ++ When SMT is inactive, i.e. either the CPU does not support it or all ++ sibling threads are offline CPU buffer clearing is not required. ++ ++ The idle clearing is enabled on CPUs which are only affected by MSBDS ++ and not by any other MDS variant. The other MDS variants cannot be ++ protected against cross Hyper-Thread attacks because the Fill Buffer and ++ the Load Ports are shared. So on CPUs affected by other variants, the ++ idle clearing would be a window dressing exercise and is therefore not ++ activated. ++ ++ The invocation is controlled by the static key mds_idle_clear which is ++ switched depending on the chosen mitigation mode and the SMT state of ++ the system. ++ ++ The buffer clear is only invoked before entering the C-State to prevent ++ that stale data from the idling CPU from spilling to the Hyper-Thread ++ sibling after the store buffer got repartitioned and all entries are ++ available to the non idle sibling. ++ ++ When coming out of idle the store buffer is partitioned again so each ++ sibling has half of it available. The back from idle CPU could be then ++ speculatively exposed to contents of the sibling. The buffers are ++ flushed either on exit to user space or on VMENTER so malicious code ++ in user space or the guest cannot speculatively access them. ++ ++ The mitigation is hooked into all variants of halt()/mwait(), but does ++ not cover the legacy ACPI IO-Port mechanism because the ACPI idle driver ++ has been superseded by the intel_idle driver around 2010 and is ++ preferred on all affected CPUs which are expected to gain the MD_CLEAR ++ functionality in microcode. Aside of that the IO-Port mechanism is a ++ legacy interface which is only used on older systems which are either ++ not affected or do not receive microcode updates anymore. +diff --git a/Makefile b/Makefile +index ee0a50b871b9..6023a9dbad59 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 179 ++SUBLEVEL = 180 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi +index d6d98d426384..cae04e806036 100644 +--- a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi +@@ -90,6 +90,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii"; ++ phy-reset-duration = <10>; /* in msecs */ + phy-reset-gpios = <&gpio3 23 GPIO_ACTIVE_LOW>; + phy-supply = <&vdd_eth_io_reg>; + status = "disabled"; +diff --git a/arch/arm/mach-iop13xx/setup.c b/arch/arm/mach-iop13xx/setup.c +index 53c316f7301e..fe4932fda01d 100644 +--- a/arch/arm/mach-iop13xx/setup.c ++++ b/arch/arm/mach-iop13xx/setup.c +@@ -300,7 +300,7 @@ static struct resource iop13xx_adma_2_resources[] = { + } + }; + +-static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(64); ++static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(32); + static struct iop_adma_platform_data iop13xx_adma_0_data = { + .hw_id = 0, + .pool_size = PAGE_SIZE, +@@ -324,7 +324,7 @@ static struct platform_device iop13xx_adma_0_channel = { + .resource = iop13xx_adma_0_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_0_data, + }, + }; +@@ -336,7 +336,7 @@ static struct platform_device iop13xx_adma_1_channel = { + .resource = iop13xx_adma_1_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_1_data, + }, + }; +@@ -348,7 +348,7 @@ static struct platform_device iop13xx_adma_2_channel = { + .resource = iop13xx_adma_2_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_2_data, + }, + }; +diff --git a/arch/arm/mach-iop13xx/tpmi.c b/arch/arm/mach-iop13xx/tpmi.c +index db511ec2b1df..116feb6b261e 100644 +--- a/arch/arm/mach-iop13xx/tpmi.c ++++ b/arch/arm/mach-iop13xx/tpmi.c +@@ -152,7 +152,7 @@ static struct resource iop13xx_tpmi_3_resources[] = { + } + }; + +-u64 iop13xx_tpmi_mask = DMA_BIT_MASK(64); ++u64 iop13xx_tpmi_mask = DMA_BIT_MASK(32); + static struct platform_device iop13xx_tpmi_0_device = { + .name = "iop-tpmi", + .id = 0, +@@ -160,7 +160,7 @@ static struct platform_device iop13xx_tpmi_0_device = { + .resource = iop13xx_tpmi_0_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -171,7 +171,7 @@ static struct platform_device iop13xx_tpmi_1_device = { + .resource = iop13xx_tpmi_1_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -182,7 +182,7 @@ static struct platform_device iop13xx_tpmi_2_device = { + .resource = iop13xx_tpmi_2_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -193,7 +193,7 @@ static struct platform_device iop13xx_tpmi_3_device = { + .resource = iop13xx_tpmi_3_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +diff --git a/arch/arm/plat-iop/adma.c b/arch/arm/plat-iop/adma.c +index a4d1f8de3b5b..d9612221e484 100644 +--- a/arch/arm/plat-iop/adma.c ++++ b/arch/arm/plat-iop/adma.c +@@ -143,7 +143,7 @@ struct platform_device iop3xx_dma_0_channel = { + .resource = iop3xx_dma_0_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_dma_0_data, + }, + }; +@@ -155,7 +155,7 @@ struct platform_device iop3xx_dma_1_channel = { + .resource = iop3xx_dma_1_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_dma_1_data, + }, + }; +@@ -167,7 +167,7 @@ struct platform_device iop3xx_aau_channel = { + .resource = iop3xx_aau_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_aau_data, + }, + }; +diff --git a/arch/arm/plat-orion/common.c b/arch/arm/plat-orion/common.c +index 8861c367d061..51c3737ddba7 100644 +--- a/arch/arm/plat-orion/common.c ++++ b/arch/arm/plat-orion/common.c +@@ -645,7 +645,7 @@ static struct platform_device orion_xor0_shared = { + .resource = orion_xor0_shared_resources, + .dev = { + .dma_mask = &orion_xor_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = &orion_xor0_pdata, + }, + }; +@@ -706,7 +706,7 @@ static struct platform_device orion_xor1_shared = { + .resource = orion_xor1_shared_resources, + .dev = { + .dma_mask = &orion_xor_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = &orion_xor1_pdata, + }, + }; +diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S +index 87c697181d25..4faff3e77b25 100644 +--- a/arch/mips/kernel/scall64-o32.S ++++ b/arch/mips/kernel/scall64-o32.S +@@ -126,7 +126,7 @@ trace_a_syscall: + subu t1, v0, __NR_O32_Linux + move a1, v0 + bnez t1, 1f /* __NR_syscall at offset 0 */ +- lw a1, PT_R4(sp) /* Arg1 for __NR_syscall case */ ++ ld a1, PT_R4(sp) /* Arg1 for __NR_syscall case */ + .set pop + + 1: jal syscall_trace_enter +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 4598d087dec2..4d1262cf630c 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -893,13 +893,7 @@ config NR_CPUS + approximately eight kilobytes to the kernel image. + + config SCHED_SMT +- bool "SMT (Hyperthreading) scheduler support" +- depends on SMP +- ---help--- +- SMT scheduler support improves the CPU scheduler's decision making +- when dealing with Intel Pentium 4 chips with HyperThreading at a +- cost of slightly increased overhead in some places. If unsure say +- N here. ++ def_bool y if SMP + + config SCHED_MC + def_bool y +diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c +index 071582a3b5c0..57be07f27f37 100644 +--- a/arch/x86/entry/common.c ++++ b/arch/x86/entry/common.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #define CREATE_TRACE_POINTS + #include +@@ -295,6 +296,8 @@ __visible inline void prepare_exit_to_usermode(struct pt_regs *regs) + #endif + + user_enter(); ++ ++ mds_user_clear_cpu_buffers(); + } + + #define SYSCALL_EXIT_WORK_FLAGS \ +diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c +index 0ad96c647541..7017a81d53cf 100644 +--- a/drivers/ata/libata-zpodd.c ++++ b/drivers/ata/libata-zpodd.c +@@ -51,38 +51,52 @@ static int eject_tray(struct ata_device *dev) + /* Per the spec, only slot type and drawer type ODD can be supported */ + static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev) + { +- char buf[16]; ++ char *buf; + unsigned int ret; +- struct rm_feature_desc *desc = (void *)(buf + 8); ++ struct rm_feature_desc *desc; + struct ata_taskfile tf; + static const char cdb[] = { GPCMD_GET_CONFIGURATION, + 2, /* only 1 feature descriptor requested */ + 0, 3, /* 3, removable medium feature */ + 0, 0, 0,/* reserved */ +- 0, sizeof(buf), ++ 0, 16, + 0, 0, 0, + }; + ++ buf = kzalloc(16, GFP_KERNEL); ++ if (!buf) ++ return ODD_MECH_TYPE_UNSUPPORTED; ++ desc = (void *)(buf + 8); ++ + ata_tf_init(dev, &tf); + tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE; + tf.command = ATA_CMD_PACKET; + tf.protocol = ATAPI_PROT_PIO; +- tf.lbam = sizeof(buf); ++ tf.lbam = 16; + + ret = ata_exec_internal(dev, &tf, cdb, DMA_FROM_DEVICE, +- buf, sizeof(buf), 0); +- if (ret) ++ buf, 16, 0); ++ if (ret) { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + +- if (be16_to_cpu(desc->feature_code) != 3) ++ if (be16_to_cpu(desc->feature_code) != 3) { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + +- if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) ++ if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) { ++ kfree(buf); + return ODD_MECH_TYPE_SLOT; +- else if (desc->mech_type == 1 && desc->load == 0 && desc->eject == 1) ++ } else if (desc->mech_type == 1 && desc->load == 0 && ++ desc->eject == 1) { ++ kfree(buf); + return ODD_MECH_TYPE_DRAWER; +- else ++ } else { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + } + + /* Test if ODD is zero power ready by sense code */ +diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c +index 41090ef5facb..3934aaf9d157 100644 +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -530,11 +530,18 @@ ssize_t __weak cpu_show_l1tf(struct device *dev, + return sprintf(buf, "Not affected\n"); + } + ++ssize_t __weak cpu_show_mds(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sprintf(buf, "Not affected\n"); ++} ++ + static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); + static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); + static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); + static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL); + static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL); ++static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL); + + static struct attribute *cpu_root_vulnerabilities_attrs[] = { + &dev_attr_meltdown.attr, +@@ -542,6 +549,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = { + &dev_attr_spectre_v2.attr, + &dev_attr_spec_store_bypass.attr, + &dev_attr_l1tf.attr, ++ &dev_attr_mds.attr, + NULL + }; + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index ae361ee90587..da3902ac16c8 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -82,7 +82,6 @@ + + static DEFINE_IDR(loop_index_idr); + static DEFINE_MUTEX(loop_index_mutex); +-static DEFINE_MUTEX(loop_ctl_mutex); + + static int max_part; + static int part_shift; +@@ -1045,7 +1044,7 @@ static int loop_clr_fd(struct loop_device *lo) + */ + if (atomic_read(&lo->lo_refcnt) > 1) { + lo->lo_flags |= LO_FLAGS_AUTOCLEAR; +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + return 0; + } + +@@ -1094,12 +1093,12 @@ static int loop_clr_fd(struct loop_device *lo) + if (!part_shift) + lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN; + loop_unprepare_queue(lo); +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + /* +- * Need not hold loop_ctl_mutex to fput backing file. +- * Calling fput holding loop_ctl_mutex triggers a circular ++ * Need not hold lo_ctl_mutex to fput backing file. ++ * Calling fput holding lo_ctl_mutex triggers a circular + * lock dependency possibility warning as fput can take +- * bd_mutex which is usually taken before loop_ctl_mutex. ++ * bd_mutex which is usually taken before lo_ctl_mutex. + */ + fput(filp); + return 0; +@@ -1362,7 +1361,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, + struct loop_device *lo = bdev->bd_disk->private_data; + int err; + +- mutex_lock_nested(&loop_ctl_mutex, 1); ++ mutex_lock_nested(&lo->lo_ctl_mutex, 1); + switch (cmd) { + case LOOP_SET_FD: + err = loop_set_fd(lo, mode, bdev, arg); +@@ -1371,7 +1370,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, + err = loop_change_fd(lo, bdev, arg); + break; + case LOOP_CLR_FD: +- /* loop_clr_fd would have unlocked loop_ctl_mutex on success */ ++ /* loop_clr_fd would have unlocked lo_ctl_mutex on success */ + err = loop_clr_fd(lo); + if (!err) + goto out_unlocked; +@@ -1407,7 +1406,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, + default: + err = lo->ioctl ? lo->ioctl(lo, cmd, arg) : -EINVAL; + } +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + + out_unlocked: + return err; +@@ -1540,16 +1539,16 @@ static int lo_compat_ioctl(struct block_device *bdev, fmode_t mode, + + switch(cmd) { + case LOOP_SET_STATUS: +- mutex_lock(&loop_ctl_mutex); ++ mutex_lock(&lo->lo_ctl_mutex); + err = loop_set_status_compat( + lo, (const struct compat_loop_info __user *) arg); +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + break; + case LOOP_GET_STATUS: +- mutex_lock(&loop_ctl_mutex); ++ mutex_lock(&lo->lo_ctl_mutex); + err = loop_get_status_compat( + lo, (struct compat_loop_info __user *) arg); +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + break; + case LOOP_SET_CAPACITY: + case LOOP_CLR_FD: +@@ -1593,7 +1592,7 @@ static void __lo_release(struct loop_device *lo) + if (atomic_dec_return(&lo->lo_refcnt)) + return; + +- mutex_lock(&loop_ctl_mutex); ++ mutex_lock(&lo->lo_ctl_mutex); + if (lo->lo_flags & LO_FLAGS_AUTOCLEAR) { + /* + * In autoclear mode, stop the loop thread +@@ -1610,7 +1609,7 @@ static void __lo_release(struct loop_device *lo) + loop_flush(lo); + } + +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + } + + static void lo_release(struct gendisk *disk, fmode_t mode) +@@ -1656,10 +1655,10 @@ static int unregister_transfer_cb(int id, void *ptr, void *data) + struct loop_device *lo = ptr; + struct loop_func_table *xfer = data; + +- mutex_lock(&loop_ctl_mutex); ++ mutex_lock(&lo->lo_ctl_mutex); + if (lo->lo_encryption == xfer) + loop_release_xfer(lo); +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + return 0; + } + +@@ -1821,6 +1820,7 @@ static int loop_add(struct loop_device **l, int i) + if (!part_shift) + disk->flags |= GENHD_FL_NO_PART_SCAN; + disk->flags |= GENHD_FL_EXT_DEVT; ++ mutex_init(&lo->lo_ctl_mutex); + atomic_set(&lo->lo_refcnt, 0); + lo->lo_number = i; + spin_lock_init(&lo->lo_lock); +@@ -1933,19 +1933,19 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd, + ret = loop_lookup(&lo, parm); + if (ret < 0) + break; +- mutex_lock(&loop_ctl_mutex); ++ mutex_lock(&lo->lo_ctl_mutex); + if (lo->lo_state != Lo_unbound) { + ret = -EBUSY; +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + break; + } + if (atomic_read(&lo->lo_refcnt) > 0) { + ret = -EBUSY; +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + break; + } + lo->lo_disk->private_data = NULL; +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + idr_remove(&loop_index_idr, lo->lo_number); + loop_remove(lo); + break; +diff --git a/drivers/block/loop.h b/drivers/block/loop.h +index a923e74495ce..60f0fd2c0c65 100644 +--- a/drivers/block/loop.h ++++ b/drivers/block/loop.h +@@ -55,6 +55,7 @@ struct loop_device { + + spinlock_t lo_lock; + int lo_state; ++ struct mutex lo_ctl_mutex; + struct kthread_worker worker; + struct task_struct *worker_task; + bool use_dio; +diff --git a/drivers/block/xsysace.c b/drivers/block/xsysace.c +index c4328d9d9981..f838119d12b2 100644 +--- a/drivers/block/xsysace.c ++++ b/drivers/block/xsysace.c +@@ -1062,6 +1062,8 @@ static int ace_setup(struct ace_device *ace) + return 0; + + err_read: ++ /* prevent double queue cleanup */ ++ ace->gd->queue = NULL; + put_disk(ace->gd); + err_alloc_disk: + blk_cleanup_queue(ace->queue); +diff --git a/drivers/gpu/ipu-v3/ipu-dp.c b/drivers/gpu/ipu-v3/ipu-dp.c +index 98686edbcdbb..33de3a1bac49 100644 +--- a/drivers/gpu/ipu-v3/ipu-dp.c ++++ b/drivers/gpu/ipu-v3/ipu-dp.c +@@ -195,7 +195,8 @@ int ipu_dp_setup_channel(struct ipu_dp *dp, + ipu_dp_csc_init(flow, flow->foreground.in_cs, flow->out_cs, + DP_COM_CONF_CSC_DEF_BOTH); + } else { +- if (flow->foreground.in_cs == flow->out_cs) ++ if (flow->foreground.in_cs == IPUV3_COLORSPACE_UNKNOWN || ++ flow->foreground.in_cs == flow->out_cs) + /* + * foreground identical to output, apply color + * conversion on background +@@ -261,6 +262,8 @@ void ipu_dp_disable_channel(struct ipu_dp *dp) + struct ipu_dp_priv *priv = flow->priv; + u32 reg, csc; + ++ dp->in_cs = IPUV3_COLORSPACE_UNKNOWN; ++ + if (!dp->foreground) + return; + +@@ -268,8 +271,9 @@ void ipu_dp_disable_channel(struct ipu_dp *dp) + + reg = readl(flow->base + DP_COM_CONF); + csc = reg & DP_COM_CONF_CSC_DEF_MASK; +- if (csc == DP_COM_CONF_CSC_DEF_FG) +- reg &= ~DP_COM_CONF_CSC_DEF_MASK; ++ reg &= ~DP_COM_CONF_CSC_DEF_MASK; ++ if (csc == DP_COM_CONF_CSC_DEF_BOTH || csc == DP_COM_CONF_CSC_DEF_BG) ++ reg |= DP_COM_CONF_CSC_DEF_BG; + + reg &= ~DP_COM_CONF_FG_EN; + writel(reg, flow->base + DP_COM_CONF); +@@ -350,6 +354,8 @@ int ipu_dp_init(struct ipu_soc *ipu, struct device *dev, unsigned long base) + mutex_init(&priv->mutex); + + for (i = 0; i < IPUV3_NUM_FLOWS; i++) { ++ priv->flow[i].background.in_cs = IPUV3_COLORSPACE_UNKNOWN; ++ priv->flow[i].foreground.in_cs = IPUV3_COLORSPACE_UNKNOWN; + priv->flow[i].foreground.foreground = true; + priv->flow[i].base = priv->base + ipu_dp_flow_base[i]; + priv->flow[i].priv = priv; +diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c +index d7179dd3c9ef..3cafa1d28fed 100644 +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -1058,10 +1058,15 @@ static int hid_debug_rdesc_show(struct seq_file *f, void *p) + seq_printf(f, "\n\n"); + + /* dump parsed data and input mappings */ ++ if (down_interruptible(&hdev->driver_input_lock)) ++ return 0; ++ + hid_dump_device(hdev, f); + seq_printf(f, "\n"); + hid_dump_input_mapping(hdev, f); + ++ up(&hdev->driver_input_lock); ++ + return 0; + } + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 8d74e691ac90..ee3c66c02043 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -783,6 +783,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case 0x074: map_key_clear(KEY_BRIGHTNESS_MAX); break; + case 0x075: map_key_clear(KEY_BRIGHTNESS_AUTO); break; + ++ case 0x079: map_key_clear(KEY_KBDILLUMUP); break; ++ case 0x07a: map_key_clear(KEY_KBDILLUMDOWN); break; ++ case 0x07c: map_key_clear(KEY_KBDILLUMTOGGLE); break; ++ + case 0x082: map_key_clear(KEY_VIDEO_NEXT); break; + case 0x083: map_key_clear(KEY_LAST); break; + case 0x084: map_key_clear(KEY_ENTER); break; +@@ -913,6 +917,8 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case 0x2cb: map_key_clear(KEY_KBDINPUTASSIST_ACCEPT); break; + case 0x2cc: map_key_clear(KEY_KBDINPUTASSIST_CANCEL); break; + ++ case 0x29f: map_key_clear(KEY_SCALE); break; ++ + default: map_key_clear(KEY_UNKNOWN); + } + break; +diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c +index eb43943cdf07..189eb6269971 100644 +--- a/drivers/hwtracing/intel_th/gth.c ++++ b/drivers/hwtracing/intel_th/gth.c +@@ -597,7 +597,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev, + othdev->output.port = -1; + othdev->output.active = false; + gth->output[port].output = NULL; +- for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++) ++ for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++) + if (gth->master[master] == port) + gth->master[master] = -1; + spin_unlock(>h->gth_lock); +diff --git a/drivers/iio/adc/xilinx-xadc-core.c b/drivers/iio/adc/xilinx-xadc-core.c +index 475c5a74f2d1..6398e86a272b 100644 +--- a/drivers/iio/adc/xilinx-xadc-core.c ++++ b/drivers/iio/adc/xilinx-xadc-core.c +@@ -1299,7 +1299,7 @@ static int xadc_remove(struct platform_device *pdev) + } + free_irq(irq, indio_dev); + clk_disable_unprepare(xadc->clk); +- cancel_delayed_work(&xadc->zynq_unmask_work); ++ cancel_delayed_work_sync(&xadc->zynq_unmask_work); + kfree(xadc->data); + kfree(indio_dev->channels); + +diff --git a/drivers/input/keyboard/snvs_pwrkey.c b/drivers/input/keyboard/snvs_pwrkey.c +index 9adf13a5864a..57143365e945 100644 +--- a/drivers/input/keyboard/snvs_pwrkey.c ++++ b/drivers/input/keyboard/snvs_pwrkey.c +@@ -156,6 +156,9 @@ static int imx_snvs_pwrkey_probe(struct platform_device *pdev) + return error; + } + ++ pdata->input = input; ++ platform_set_drvdata(pdev, pdata); ++ + error = devm_request_irq(&pdev->dev, pdata->irq, + imx_snvs_pwrkey_interrupt, + 0, pdev->name, pdev); +@@ -172,9 +175,6 @@ static int imx_snvs_pwrkey_probe(struct platform_device *pdev) + return error; + } + +- pdata->input = input; +- platform_set_drvdata(pdev, pdata); +- + device_init_wakeup(&pdev->dev, pdata->wakeup); + + return 0; +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c +index 94f1bf772ec9..db85cc5791dc 100644 +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -295,7 +295,7 @@ static void iommu_write_l2(struct amd_iommu *iommu, u8 address, u32 val) + static void iommu_set_exclusion_range(struct amd_iommu *iommu) + { + u64 start = iommu->exclusion_start & PAGE_MASK; +- u64 limit = (start + iommu->exclusion_length) & PAGE_MASK; ++ u64 limit = (start + iommu->exclusion_length - 1) & PAGE_MASK; + u64 entry; + + if (!iommu->exclusion_start) +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 5e65dc6def7e..17517889d46b 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -3897,26 +3897,15 @@ static void handle_parity_checks6(struct r5conf *conf, struct stripe_head *sh, + case check_state_check_result: + sh->check_state = check_state_idle; + ++ if (s->failed > 1) ++ break; + /* handle a successful check operation, if parity is correct + * we are done. Otherwise update the mismatch count and repair + * parity if !MD_RECOVERY_CHECK + */ + if (sh->ops.zero_sum_result == 0) { +- /* both parities are correct */ +- if (!s->failed) +- set_bit(STRIPE_INSYNC, &sh->state); +- else { +- /* in contrast to the raid5 case we can validate +- * parity, but still have a failure to write +- * back +- */ +- sh->check_state = check_state_compute_result; +- /* Returning at this point means that we may go +- * off and bring p and/or q uptodate again so +- * we make sure to check zero_sum_result again +- * to verify if p or q need writeback +- */ +- } ++ /* Any parity checked was correct */ ++ set_bit(STRIPE_INSYNC, &sh->state); + } else { + atomic64_add(STRIPE_SECTORS, &conf->mddev->resync_mismatches); + if (test_bit(MD_RECOVERY_CHECK, &conf->mddev->recovery)) +diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c +index e1b5dc84c14e..24a0c21a3d8d 100644 +--- a/drivers/media/i2c/ov7670.c ++++ b/drivers/media/i2c/ov7670.c +@@ -155,10 +155,10 @@ MODULE_PARM_DESC(debug, "Debug level (0-1)"); + #define REG_GFIX 0x69 /* Fix gain control */ + + #define REG_DBLV 0x6b /* PLL control an debugging */ +-#define DBLV_BYPASS 0x00 /* Bypass PLL */ +-#define DBLV_X4 0x01 /* clock x4 */ +-#define DBLV_X6 0x10 /* clock x6 */ +-#define DBLV_X8 0x11 /* clock x8 */ ++#define DBLV_BYPASS 0x0a /* Bypass PLL */ ++#define DBLV_X4 0x4a /* clock x4 */ ++#define DBLV_X6 0x8a /* clock x6 */ ++#define DBLV_X8 0xca /* clock x8 */ + + #define REG_REG76 0x76 /* OV's name */ + #define R76_BLKPCOR 0x80 /* Black pixel correction enable */ +@@ -833,7 +833,7 @@ static int ov7675_set_framerate(struct v4l2_subdev *sd, + if (ret < 0) + return ret; + +- return ov7670_write(sd, REG_DBLV, DBLV_X4); ++ return 0; + } + + static void ov7670_get_framerate_legacy(struct v4l2_subdev *sd, +@@ -1578,11 +1578,7 @@ static int ov7670_probe(struct i2c_client *client, + if (config->clock_speed) + info->clock_speed = config->clock_speed; + +- /* +- * It should be allowed for ov7670 too when it is migrated to +- * the new frame rate formula. +- */ +- if (config->pll_bypass && id->driver_data != MODEL_OV7670) ++ if (config->pll_bypass) + info->pll_bypass = true; + + if (config->pclk_hb_disable) +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index 66560a8fcfa2..1022e80aaf97 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1066,13 +1066,6 @@ static int bond_option_arp_validate_set(struct bonding *bond, + { + netdev_info(bond->dev, "Setting arp_validate to %s (%llu)\n", + newval->string, newval->value); +- +- if (bond->dev->flags & IFF_UP) { +- if (!newval->value) +- bond->recv_probe = NULL; +- else if (bond->params.arp_interval) +- bond->recv_probe = bond_arp_rcv; +- } + bond->params.arp_validate = newval->value; + + return 0; +diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c +index 7d16c51e6913..641a532b67cb 100644 +--- a/drivers/net/bonding/bond_sysfs_slave.c ++++ b/drivers/net/bonding/bond_sysfs_slave.c +@@ -55,7 +55,9 @@ static SLAVE_ATTR_RO(link_failure_count); + + static ssize_t perm_hwaddr_show(struct slave *slave, char *buf) + { +- return sprintf(buf, "%pM\n", slave->perm_hwaddr); ++ return sprintf(buf, "%*phC\n", ++ slave->dev->addr_len, ++ slave->perm_hwaddr); + } + static SLAVE_ATTR_RO(perm_hwaddr); + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 00bd7be85679..d9ab970dcbe9 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -4957,8 +4957,15 @@ static int bnxt_cfg_rx_mode(struct bnxt *bp) + + skip_uc: + rc = bnxt_hwrm_cfa_l2_set_rx_mask(bp, 0); ++ if (rc && vnic->mc_list_count) { ++ netdev_info(bp->dev, "Failed setting MC filters rc: %d, turning on ALL_MCAST mode\n", ++ rc); ++ vnic->rx_mask |= CFA_L2_SET_RX_MASK_REQ_MASK_ALL_MCAST; ++ vnic->mc_list_count = 0; ++ rc = bnxt_hwrm_cfa_l2_set_rx_mask(bp, 0); ++ } + if (rc) +- netdev_err(bp->dev, "HWRM cfa l2 rx mask failure rc: %x\n", ++ netdev_err(bp->dev, "HWRM cfa l2 rx mask failure rc: %d\n", + rc); + + return rc; +diff --git a/drivers/net/ethernet/freescale/ucc_geth_ethtool.c b/drivers/net/ethernet/freescale/ucc_geth_ethtool.c +index 89714f5e0dfc..c8b9a73d6b1b 100644 +--- a/drivers/net/ethernet/freescale/ucc_geth_ethtool.c ++++ b/drivers/net/ethernet/freescale/ucc_geth_ethtool.c +@@ -253,14 +253,12 @@ uec_set_ringparam(struct net_device *netdev, + return -EINVAL; + } + ++ if (netif_running(netdev)) ++ return -EBUSY; ++ + ug_info->bdRingLenRx[queue] = ring->rx_pending; + ug_info->bdRingLenTx[queue] = ring->tx_pending; + +- if (netif_running(netdev)) { +- /* FIXME: restart automatically */ +- netdev_info(netdev, "Please re-open the interface\n"); +- } +- + return ret; + } + +diff --git a/drivers/net/ethernet/hisilicon/hns/hnae.c b/drivers/net/ethernet/hisilicon/hns/hnae.c +index b3645297477e..3ce41efe8a94 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hnae.c ++++ b/drivers/net/ethernet/hisilicon/hns/hnae.c +@@ -144,7 +144,6 @@ out_buffer_fail: + /* free desc along with its attached buffer */ + static void hnae_free_desc(struct hnae_ring *ring) + { +- hnae_free_buffers(ring); + dma_unmap_single(ring_to_dev(ring), ring->desc_dma_addr, + ring->desc_num * sizeof(ring->desc[0]), + ring_to_dma_dir(ring)); +@@ -177,6 +176,9 @@ static int hnae_alloc_desc(struct hnae_ring *ring) + /* fini ring, also free the buffer for the ring */ + static void hnae_fini_ring(struct hnae_ring *ring) + { ++ if (is_rx_ring(ring)) ++ hnae_free_buffers(ring); ++ + hnae_free_desc(ring); + kfree(ring->desc_cb); + ring->desc_cb = NULL; +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +index 2fa54b0b0679..6d649e7b45a9 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -28,9 +28,6 @@ + + #define SERVICE_TIMER_HZ (1 * HZ) + +-#define NIC_TX_CLEAN_MAX_NUM 256 +-#define NIC_RX_CLEAN_MAX_NUM 64 +- + #define RCB_IRQ_NOT_INITED 0 + #define RCB_IRQ_INITED 1 + +@@ -1408,7 +1405,7 @@ static int hns_nic_init_ring_data(struct hns_nic_priv *priv) + rd->fini_process = hns_nic_tx_fini_pro; + + netif_napi_add(priv->netdev, &rd->napi, +- hns_nic_common_poll, NIC_TX_CLEAN_MAX_NUM); ++ hns_nic_common_poll, NAPI_POLL_WEIGHT); + rd->ring->irq_init_flag = RCB_IRQ_NOT_INITED; + } + for (i = h->q_num; i < h->q_num * 2; i++) { +@@ -1420,7 +1417,7 @@ static int hns_nic_init_ring_data(struct hns_nic_priv *priv) + rd->fini_process = hns_nic_rx_fini_pro; + + netif_napi_add(priv->netdev, &rd->napi, +- hns_nic_common_poll, NIC_RX_CLEAN_MAX_NUM); ++ hns_nic_common_poll, NAPI_POLL_WEIGHT); + rd->ring->irq_init_flag = RCB_IRQ_NOT_INITED; + } + +diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c +index 2a0dc127df3f..1a56de06b014 100644 +--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c ++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c +@@ -3183,6 +3183,7 @@ static ssize_t ehea_probe_port(struct device *dev, + + if (ehea_add_adapter_mr(adapter)) { + pr_err("creating MR failed\n"); ++ of_node_put(eth_dn); + return -EIO; + } + +diff --git a/drivers/net/ethernet/intel/igb/e1000_defines.h b/drivers/net/ethernet/intel/igb/e1000_defines.h +index b1915043bc0c..7b9fb71137da 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_defines.h ++++ b/drivers/net/ethernet/intel/igb/e1000_defines.h +@@ -193,6 +193,8 @@ + /* enable link status from external LINK_0 and LINK_1 pins */ + #define E1000_CTRL_SWDPIN0 0x00040000 /* SWDPIN 0 value */ + #define E1000_CTRL_SWDPIN1 0x00080000 /* SWDPIN 1 value */ ++#define E1000_CTRL_ADVD3WUC 0x00100000 /* D3 WUC */ ++#define E1000_CTRL_EN_PHY_PWR_MGMT 0x00200000 /* PHY PM enable */ + #define E1000_CTRL_SDP0_DIR 0x00400000 /* SDP0 Data direction */ + #define E1000_CTRL_SDP1_DIR 0x00800000 /* SDP1 Data direction */ + #define E1000_CTRL_RST 0x04000000 /* Global reset */ +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index c1796aa2dde5..70ed5e5c3514 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -7325,9 +7325,7 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + struct e1000_hw *hw = &adapter->hw; + u32 ctrl, rctl, status; + u32 wufc = runtime ? E1000_WUFC_LNKC : adapter->wol; +-#ifdef CONFIG_PM +- int retval = 0; +-#endif ++ bool wake; + + rtnl_lock(); + netif_device_detach(netdev); +@@ -7338,14 +7336,6 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + igb_clear_interrupt_scheme(adapter); + rtnl_unlock(); + +-#ifdef CONFIG_PM +- if (!runtime) { +- retval = pci_save_state(pdev); +- if (retval) +- return retval; +- } +-#endif +- + status = rd32(E1000_STATUS); + if (status & E1000_STATUS_LU) + wufc &= ~E1000_WUFC_LNKC; +@@ -7362,10 +7352,6 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + } + + ctrl = rd32(E1000_CTRL); +- /* advertise wake from D3Cold */ +- #define E1000_CTRL_ADVD3WUC 0x00100000 +- /* phy power management enable */ +- #define E1000_CTRL_EN_PHY_PWR_MGMT 0x00200000 + ctrl |= E1000_CTRL_ADVD3WUC; + wr32(E1000_CTRL, ctrl); + +@@ -7379,12 +7365,15 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + wr32(E1000_WUFC, 0); + } + +- *enable_wake = wufc || adapter->en_mng_pt; +- if (!*enable_wake) ++ wake = wufc || adapter->en_mng_pt; ++ if (!wake) + igb_power_down_link(adapter); + else + igb_power_up_link(adapter); + ++ if (enable_wake) ++ *enable_wake = wake; ++ + /* Release control of h/w to f/w. If f/w is AMT enabled, this + * would have already happened in close and is redundant. + */ +@@ -7399,22 +7388,7 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + #ifdef CONFIG_PM_SLEEP + static int igb_suspend(struct device *dev) + { +- int retval; +- bool wake; +- struct pci_dev *pdev = to_pci_dev(dev); +- +- retval = __igb_shutdown(pdev, &wake, 0); +- if (retval) +- return retval; +- +- if (wake) { +- pci_prepare_to_sleep(pdev); +- } else { +- pci_wake_from_d3(pdev, false); +- pci_set_power_state(pdev, PCI_D3hot); +- } +- +- return 0; ++ return __igb_shutdown(to_pci_dev(dev), NULL, 0); + } + #endif /* CONFIG_PM_SLEEP */ + +@@ -7483,22 +7457,7 @@ static int igb_runtime_idle(struct device *dev) + + static int igb_runtime_suspend(struct device *dev) + { +- struct pci_dev *pdev = to_pci_dev(dev); +- int retval; +- bool wake; +- +- retval = __igb_shutdown(pdev, &wake, 1); +- if (retval) +- return retval; +- +- if (wake) { +- pci_prepare_to_sleep(pdev); +- } else { +- pci_wake_from_d3(pdev, false); +- pci_set_power_state(pdev, PCI_D3hot); +- } +- +- return 0; ++ return __igb_shutdown(to_pci_dev(dev), NULL, 1); + } + + static int igb_runtime_resume(struct device *dev) +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index 1edc973df4c4..7377dca6eb57 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -547,9 +547,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks) + /* set dma read address */ + ks8851_wrreg16(ks, KS_RXFDPR, RXFDPR_RXFPAI | 0x00); + +- /* start the packet dma process, and set auto-dequeue rx */ +- ks8851_wrreg16(ks, KS_RXQCR, +- ks->rc_rxqcr | RXQCR_SDA | RXQCR_ADRFE); ++ /* start DMA access */ ++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA); + + if (rxlen > 4) { + unsigned int rxalign; +@@ -580,7 +579,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks) + } + } + +- ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr); ++ /* end DMA access and dequeue packet */ ++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_RRXEF); + } + } + +@@ -797,6 +797,15 @@ static void ks8851_tx_work(struct work_struct *work) + static int ks8851_net_open(struct net_device *dev) + { + struct ks8851_net *ks = netdev_priv(dev); ++ int ret; ++ ++ ret = request_threaded_irq(dev->irq, NULL, ks8851_irq, ++ IRQF_TRIGGER_LOW | IRQF_ONESHOT, ++ dev->name, ks); ++ if (ret < 0) { ++ netdev_err(dev, "failed to get irq\n"); ++ return ret; ++ } + + /* lock the card, even if we may not actually be doing anything + * else at the moment */ +@@ -861,6 +870,7 @@ static int ks8851_net_open(struct net_device *dev) + netif_dbg(ks, ifup, ks->netdev, "network device up\n"); + + mutex_unlock(&ks->lock); ++ mii_check_link(&ks->mii); + return 0; + } + +@@ -911,6 +921,8 @@ static int ks8851_net_stop(struct net_device *dev) + dev_kfree_skb(txb); + } + ++ free_irq(dev->irq, ks); ++ + return 0; + } + +@@ -1516,6 +1528,7 @@ static int ks8851_probe(struct spi_device *spi) + + spi_set_drvdata(spi, ks); + ++ netif_carrier_off(ks->netdev); + ndev->if_port = IF_PORT_100BASET; + ndev->netdev_ops = &ks8851_netdev_ops; + ndev->irq = spi->irq; +@@ -1542,14 +1555,6 @@ static int ks8851_probe(struct spi_device *spi) + ks8851_read_selftest(ks); + ks8851_init_mac(ks); + +- ret = request_threaded_irq(spi->irq, NULL, ks8851_irq, +- IRQF_TRIGGER_LOW | IRQF_ONESHOT, +- ndev->name, ks); +- if (ret < 0) { +- dev_err(&spi->dev, "failed to get irq\n"); +- goto err_irq; +- } +- + ret = register_netdev(ndev); + if (ret) { + dev_err(&spi->dev, "failed to register network device\n"); +@@ -1562,14 +1567,10 @@ static int ks8851_probe(struct spi_device *spi) + + return 0; + +- + err_netdev: +- free_irq(ndev->irq, ks); +- +-err_irq: ++err_id: + if (gpio_is_valid(gpio)) + gpio_set_value(gpio, 0); +-err_id: + regulator_disable(ks->vdd_reg); + err_reg: + regulator_disable(ks->vdd_io); +@@ -1587,7 +1588,6 @@ static int ks8851_remove(struct spi_device *spi) + dev_info(&spi->dev, "remove\n"); + + unregister_netdev(priv->netdev); +- free_irq(spi->irq, priv); + if (gpio_is_valid(priv->gpio)) + gpio_set_value(priv->gpio, 0); + regulator_disable(priv->vdd_reg); +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c +index 0a2318cad34d..63ebc491057b 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c +@@ -1038,6 +1038,8 @@ int qlcnic_do_lb_test(struct qlcnic_adapter *adapter, u8 mode) + + for (i = 0; i < QLCNIC_NUM_ILB_PKT; i++) { + skb = netdev_alloc_skb(adapter->netdev, QLCNIC_ILB_PKT_SIZE); ++ if (!skb) ++ break; + qlcnic_create_loopback_buff(skb->data, adapter->mac_addr); + skb_put(skb, QLCNIC_ILB_PKT_SIZE); + adapter->ahw->diag_cnt = 0; +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 059113dce6e0..f4d6512f066c 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1792,8 +1792,6 @@ static int stmmac_open(struct net_device *dev) + struct stmmac_priv *priv = netdev_priv(dev); + int ret; + +- stmmac_check_ether_addr(priv); +- + if (priv->pcs != STMMAC_PCS_RGMII && priv->pcs != STMMAC_PCS_TBI && + priv->pcs != STMMAC_PCS_RTBI) { + ret = stmmac_init_phy(dev); +@@ -2929,6 +2927,8 @@ int stmmac_dvr_probe(struct device *device, + if (ret) + goto error_hw_init; + ++ stmmac_check_ether_addr(priv); ++ + ndev->netdev_ops = &stmmac_netdev_ops; + + ndev->hw_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | +diff --git a/drivers/net/ethernet/ti/netcp_ethss.c b/drivers/net/ethernet/ti/netcp_ethss.c +index 4e70e7586a09..a5732edc8437 100644 +--- a/drivers/net/ethernet/ti/netcp_ethss.c ++++ b/drivers/net/ethernet/ti/netcp_ethss.c +@@ -3122,12 +3122,16 @@ static int gbe_probe(struct netcp_device *netcp_device, struct device *dev, + + ret = netcp_txpipe_init(&gbe_dev->tx_pipe, netcp_device, + gbe_dev->dma_chan_name, gbe_dev->tx_queue_id); +- if (ret) ++ if (ret) { ++ of_node_put(interfaces); + return ret; ++ } + + ret = netcp_txpipe_open(&gbe_dev->tx_pipe); +- if (ret) ++ if (ret) { ++ of_node_put(interfaces); + return ret; ++ } + + /* Create network interfaces */ + INIT_LIST_HEAD(&gbe_dev->gbe_intf_head); +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 4684644703cc..58ba579793f8 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -1595,12 +1595,14 @@ static int axienet_probe(struct platform_device *pdev) + ret = of_address_to_resource(np, 0, &dmares); + if (ret) { + dev_err(&pdev->dev, "unable to get DMA resource\n"); ++ of_node_put(np); + goto free_netdev; + } + lp->dma_regs = devm_ioremap_resource(&pdev->dev, &dmares); + if (IS_ERR(lp->dma_regs)) { + dev_err(&pdev->dev, "could not map DMA regs\n"); + ret = PTR_ERR(lp->dma_regs); ++ of_node_put(np); + goto free_netdev; + } + lp->rx_irq = irq_of_parse_and_map(np, 1); +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c +index cfd81eb1b532..ddceed3c5a4a 100644 +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -153,7 +153,7 @@ out_fail: + void + slhc_free(struct slcompress *comp) + { +- if ( comp == NULLSLCOMPR ) ++ if ( IS_ERR_OR_NULL(comp) ) + return; + + if ( comp->tstate != NULLSLSTATE ) +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 267a90423154..7b3ef6dc45a4 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1136,6 +1136,12 @@ static int team_port_add(struct team *team, struct net_device *port_dev) + return -EINVAL; + } + ++ if (netdev_has_upper_dev(dev, port_dev)) { ++ netdev_err(dev, "Device %s is already an upper device of the team interface\n", ++ portname); ++ return -EBUSY; ++ } ++ + if (port_dev->features & NETIF_F_VLAN_CHALLENGED && + vlan_uses_dev(dev)) { + netdev_err(dev, "Device %s is VLAN challenged and team device has VLAN set up\n", +diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c +index f1f8227e7342..01f95d192d25 100644 +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -148,6 +148,7 @@ struct ipheth_device { + u8 bulk_in; + u8 bulk_out; + struct delayed_work carrier_work; ++ bool confirmed_pairing; + }; + + static int ipheth_rx_submit(struct ipheth_device *dev, gfp_t mem_flags); +@@ -259,7 +260,7 @@ static void ipheth_rcvbulk_callback(struct urb *urb) + + dev->net->stats.rx_packets++; + dev->net->stats.rx_bytes += len; +- ++ dev->confirmed_pairing = true; + netif_rx(skb); + ipheth_rx_submit(dev, GFP_ATOMIC); + } +@@ -280,14 +281,24 @@ static void ipheth_sndbulk_callback(struct urb *urb) + dev_err(&dev->intf->dev, "%s: urb status: %d\n", + __func__, status); + +- netif_wake_queue(dev->net); ++ if (status == 0) ++ netif_wake_queue(dev->net); ++ else ++ // on URB error, trigger immediate poll ++ schedule_delayed_work(&dev->carrier_work, 0); + } + + static int ipheth_carrier_set(struct ipheth_device *dev) + { +- struct usb_device *udev = dev->udev; ++ struct usb_device *udev; + int retval; + ++ if (!dev) ++ return 0; ++ if (!dev->confirmed_pairing) ++ return 0; ++ ++ udev = dev->udev; + retval = usb_control_msg(udev, + usb_rcvctrlpipe(udev, IPHETH_CTRL_ENDP), + IPHETH_CMD_CARRIER_CHECK, /* request */ +@@ -302,11 +313,14 @@ static int ipheth_carrier_set(struct ipheth_device *dev) + return retval; + } + +- if (dev->ctrl_buf[0] == IPHETH_CARRIER_ON) ++ if (dev->ctrl_buf[0] == IPHETH_CARRIER_ON) { + netif_carrier_on(dev->net); +- else ++ if (dev->tx_urb->status != -EINPROGRESS) ++ netif_wake_queue(dev->net); ++ } else { + netif_carrier_off(dev->net); +- ++ netif_stop_queue(dev->net); ++ } + return 0; + } + +@@ -386,7 +400,6 @@ static int ipheth_open(struct net_device *net) + return retval; + + schedule_delayed_work(&dev->carrier_work, IPHETH_CARRIER_CHECK_TIMEOUT); +- netif_start_queue(net); + return retval; + } + +@@ -489,7 +502,7 @@ static int ipheth_probe(struct usb_interface *intf, + dev->udev = udev; + dev->net = netdev; + dev->intf = intf; +- ++ dev->confirmed_pairing = false; + /* Set up endpoints */ + hintf = usb_altnum_to_altsetting(intf, IPHETH_ALT_INTFNUM); + if (hintf == NULL) { +@@ -540,7 +553,9 @@ static int ipheth_probe(struct usb_interface *intf, + retval = -EIO; + goto err_register_netdev; + } +- ++ // carrier down and transmit queues stopped until packet from device ++ netif_carrier_off(netdev); ++ netif_tx_stop_all_queues(netdev); + dev_info(&intf->dev, "Apple iPhone USB Ethernet device attached\n"); + return 0; + +diff --git a/drivers/net/wireless/cw1200/scan.c b/drivers/net/wireless/cw1200/scan.c +index 9f1037e7e55c..2ce0193614f2 100644 +--- a/drivers/net/wireless/cw1200/scan.c ++++ b/drivers/net/wireless/cw1200/scan.c +@@ -84,8 +84,11 @@ int cw1200_hw_scan(struct ieee80211_hw *hw, + + frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0, + req->ie_len); +- if (!frame.skb) ++ if (!frame.skb) { ++ mutex_unlock(&priv->conf_mutex); ++ up(&priv->scan.lock); + return -ENOMEM; ++ } + + if (req->ie_len) + memcpy(skb_put(frame.skb, req->ie_len), req->ie, req->ie_len); +diff --git a/drivers/nvdimm/btt_devs.c b/drivers/nvdimm/btt_devs.c +index cb477518dd0e..4c129450495d 100644 +--- a/drivers/nvdimm/btt_devs.c ++++ b/drivers/nvdimm/btt_devs.c +@@ -170,14 +170,15 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, + return NULL; + + nd_btt->id = ida_simple_get(&nd_region->btt_ida, 0, 0, GFP_KERNEL); +- if (nd_btt->id < 0) { +- kfree(nd_btt); +- return NULL; +- } ++ if (nd_btt->id < 0) ++ goto out_nd_btt; + + nd_btt->lbasize = lbasize; +- if (uuid) ++ if (uuid) { + uuid = kmemdup(uuid, 16, GFP_KERNEL); ++ if (!uuid) ++ goto out_put_id; ++ } + nd_btt->uuid = uuid; + dev = &nd_btt->dev; + dev_set_name(dev, "btt%d.%d", nd_region->id, nd_btt->id); +@@ -192,6 +193,13 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, + return NULL; + } + return dev; ++ ++out_put_id: ++ ida_simple_remove(&nd_region->btt_ida, nd_btt->id); ++ ++out_nd_btt: ++ kfree(nd_btt); ++ return NULL; + } + + struct device *nd_btt_create(struct nd_region *nd_region) +diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c +index f73c29558cd3..c54ff94c491d 100644 +--- a/drivers/platform/x86/sony-laptop.c ++++ b/drivers/platform/x86/sony-laptop.c +@@ -4394,14 +4394,16 @@ sony_pic_read_possible_resource(struct acpi_resource *resource, void *context) + } + return AE_OK; + } ++ ++ case ACPI_RESOURCE_TYPE_END_TAG: ++ return AE_OK; ++ + default: + dprintk("Resource %d isn't an IRQ nor an IO port\n", + resource->type); ++ return AE_CTRL_TERMINATE; + +- case ACPI_RESOURCE_TYPE_END_TAG: +- return AE_OK; + } +- return AE_CTRL_TERMINATE; + } + + static int sony_pic_possible_resources(struct acpi_device *device) +diff --git a/drivers/rtc/rtc-da9063.c b/drivers/rtc/rtc-da9063.c +index d6c853bbfa9f..e93beecd5010 100644 +--- a/drivers/rtc/rtc-da9063.c ++++ b/drivers/rtc/rtc-da9063.c +@@ -491,6 +491,13 @@ static int da9063_rtc_probe(struct platform_device *pdev) + da9063_data_to_tm(data, &rtc->alarm_time, rtc); + rtc->rtc_sync = false; + ++ /* ++ * TODO: some models have alarms on a minute boundary but still support ++ * real hardware interrupts. Add this once the core supports it. ++ */ ++ if (config->rtc_data_start != RTC_SEC) ++ rtc->rtc_dev->uie_unsupported = 1; ++ + irq_alarm = platform_get_irq_byname(pdev, "ALARM"); + ret = devm_request_threaded_irq(&pdev->dev, irq_alarm, NULL, + da9063_alarm_event, +diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c +index 2b81dd4baf17..104c854d6a8a 100644 +--- a/drivers/rtc/rtc-sh.c ++++ b/drivers/rtc/rtc-sh.c +@@ -455,7 +455,7 @@ static int sh_rtc_set_time(struct device *dev, struct rtc_time *tm) + static inline int sh_rtc_read_alarm_value(struct sh_rtc *rtc, int reg_off) + { + unsigned int byte; +- int value = 0xff; /* return 0xff for ignored values */ ++ int value = -1; /* return -1 for ignored values */ + + byte = readb(rtc->regbase + reg_off); + if (byte & AR_ENB) { +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 80a43074c2f9..c530610f61ac 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -2066,14 +2066,14 @@ static int dasd_eckd_end_analysis(struct dasd_block *block) + blk_per_trk = recs_per_track(&private->rdc_data, 0, block->bp_block); + + raw: +- block->blocks = (private->real_cyl * ++ block->blocks = ((unsigned long) private->real_cyl * + private->rdc_data.trk_per_cyl * + blk_per_trk); + + dev_info(&device->cdev->dev, +- "DASD with %d KB/block, %d KB total size, %d KB/track, " ++ "DASD with %u KB/block, %lu KB total size, %u KB/track, " + "%s\n", (block->bp_block >> 10), +- ((private->real_cyl * ++ (((unsigned long) private->real_cyl * + private->rdc_data.trk_per_cyl * + blk_per_trk * (block->bp_block >> 9)) >> 1), + ((blk_per_trk * block->bp_block) >> 10), +diff --git a/drivers/s390/char/con3270.c b/drivers/s390/char/con3270.c +index bae98521c808..3e5a7912044f 100644 +--- a/drivers/s390/char/con3270.c ++++ b/drivers/s390/char/con3270.c +@@ -627,7 +627,7 @@ con3270_init(void) + (void (*)(unsigned long)) con3270_read_tasklet, + (unsigned long) condev->read); + +- raw3270_add_view(&condev->view, &con3270_fn, 1); ++ raw3270_add_view(&condev->view, &con3270_fn, 1, RAW3270_VIEW_LOCK_IRQ); + + INIT_LIST_HEAD(&condev->freemem); + for (i = 0; i < CON3270_STRING_PAGES; i++) { +diff --git a/drivers/s390/char/fs3270.c b/drivers/s390/char/fs3270.c +index 71e974738014..f0c86bcbe316 100644 +--- a/drivers/s390/char/fs3270.c ++++ b/drivers/s390/char/fs3270.c +@@ -463,7 +463,8 @@ fs3270_open(struct inode *inode, struct file *filp) + + init_waitqueue_head(&fp->wait); + fp->fs_pid = get_pid(task_pid(current)); +- rc = raw3270_add_view(&fp->view, &fs3270_fn, minor); ++ rc = raw3270_add_view(&fp->view, &fs3270_fn, minor, ++ RAW3270_VIEW_LOCK_BH); + if (rc) { + fs3270_free_view(&fp->view); + goto out; +diff --git a/drivers/s390/char/raw3270.c b/drivers/s390/char/raw3270.c +index 220acb4cbee5..9c350e6d75bf 100644 +--- a/drivers/s390/char/raw3270.c ++++ b/drivers/s390/char/raw3270.c +@@ -956,7 +956,7 @@ raw3270_deactivate_view(struct raw3270_view *view) + * Add view to device with minor "minor". + */ + int +-raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor) ++raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor, int subclass) + { + unsigned long flags; + struct raw3270 *rp; +@@ -978,6 +978,7 @@ raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor) + view->cols = rp->cols; + view->ascebc = rp->ascebc; + spin_lock_init(&view->lock); ++ lockdep_set_subclass(&view->lock, subclass); + list_add(&view->list, &rp->view_list); + rc = 0; + spin_unlock_irqrestore(get_ccwdev_lock(rp->cdev), flags); +diff --git a/drivers/s390/char/raw3270.h b/drivers/s390/char/raw3270.h +index e1e41c2861fb..5ae54317857a 100644 +--- a/drivers/s390/char/raw3270.h ++++ b/drivers/s390/char/raw3270.h +@@ -155,6 +155,8 @@ struct raw3270_fn { + struct raw3270_view { + struct list_head list; + spinlock_t lock; ++#define RAW3270_VIEW_LOCK_IRQ 0 ++#define RAW3270_VIEW_LOCK_BH 1 + atomic_t ref_count; + struct raw3270 *dev; + struct raw3270_fn *fn; +@@ -163,7 +165,7 @@ struct raw3270_view { + unsigned char *ascebc; /* ascii -> ebcdic table */ + }; + +-int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int); ++int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int, int); + int raw3270_activate_view(struct raw3270_view *); + void raw3270_del_view(struct raw3270_view *); + void raw3270_deactivate_view(struct raw3270_view *); +diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c +index e96fc7fd9498..ab95d24b991b 100644 +--- a/drivers/s390/char/tty3270.c ++++ b/drivers/s390/char/tty3270.c +@@ -937,7 +937,8 @@ static int tty3270_install(struct tty_driver *driver, struct tty_struct *tty) + return PTR_ERR(tp); + + rc = raw3270_add_view(&tp->view, &tty3270_fn, +- tty->index + RAW3270_FIRSTMINOR); ++ tty->index + RAW3270_FIRSTMINOR, ++ RAW3270_VIEW_LOCK_BH); + if (rc) { + tty3270_free_view(tp); + return rc; +diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c +index 05c37d6d4afe..a31821d94677 100644 +--- a/drivers/s390/net/ctcm_main.c ++++ b/drivers/s390/net/ctcm_main.c +@@ -1595,6 +1595,7 @@ static int ctcm_new_device(struct ccwgroup_device *cgdev) + if (priv->channel[direction] == NULL) { + if (direction == CTCM_WRITE) + channel_free(priv->channel[CTCM_READ]); ++ result = -ENODEV; + goto out_dev; + } + priv->channel[direction]->netdev = dev; +diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c +index 237688af179b..f7630cf581cd 100644 +--- a/drivers/s390/scsi/zfcp_fc.c ++++ b/drivers/s390/scsi/zfcp_fc.c +@@ -238,10 +238,6 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range, + list_for_each_entry(port, &adapter->port_list, list) { + if ((port->d_id & range) == (ntoh24(page->rscn_fid) & range)) + zfcp_fc_test_link(port); +- if (!port->d_id) +- zfcp_erp_port_reopen(port, +- ZFCP_STATUS_COMMON_ERP_FAILED, +- "fcrscn1"); + } + read_unlock_irqrestore(&adapter->port_list_lock, flags); + } +@@ -249,6 +245,7 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range, + static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req) + { + struct fsf_status_read_buffer *status_buffer = (void *)fsf_req->data; ++ struct zfcp_adapter *adapter = fsf_req->adapter; + struct fc_els_rscn *head; + struct fc_els_rscn_page *page; + u16 i; +@@ -261,6 +258,22 @@ static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req) + /* see FC-FS */ + no_entries = head->rscn_plen / sizeof(struct fc_els_rscn_page); + ++ if (no_entries > 1) { ++ /* handle failed ports */ ++ unsigned long flags; ++ struct zfcp_port *port; ++ ++ read_lock_irqsave(&adapter->port_list_lock, flags); ++ list_for_each_entry(port, &adapter->port_list, list) { ++ if (port->d_id) ++ continue; ++ zfcp_erp_port_reopen(port, ++ ZFCP_STATUS_COMMON_ERP_FAILED, ++ "fcrscn1"); ++ } ++ read_unlock_irqrestore(&adapter->port_list_lock, flags); ++ } ++ + for (i = 1; i < no_entries; i++) { + /* skip head and start with 1st element */ + page++; +diff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c +index c2a6f9f29427..ddbdaade654d 100644 +--- a/drivers/scsi/csiostor/csio_scsi.c ++++ b/drivers/scsi/csiostor/csio_scsi.c +@@ -1713,8 +1713,11 @@ csio_scsi_err_handler(struct csio_hw *hw, struct csio_ioreq *req) + } + + out: +- if (req->nsge > 0) ++ if (req->nsge > 0) { + scsi_dma_unmap(cmnd); ++ if (req->dcopy && (host_status == DID_OK)) ++ host_status = csio_scsi_copy_to_sgl(hw, req); ++ } + + cmnd->result = (((host_status) << 16) | scsi_status); + cmnd->scsi_done(cmnd); +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 7be581f7c35d..1a6f65db615e 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -47,17 +47,16 @@ static void smp_task_timedout(unsigned long _task) + unsigned long flags; + + spin_lock_irqsave(&task->task_state_lock, flags); +- if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) ++ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { + task->task_state_flags |= SAS_TASK_STATE_ABORTED; ++ complete(&task->slow_task->completion); ++ } + spin_unlock_irqrestore(&task->task_state_lock, flags); +- +- complete(&task->slow_task->completion); + } + + static void smp_task_done(struct sas_task *task) + { +- if (!del_timer(&task->slow_task->timer)) +- return; ++ del_timer(&task->slow_task->timer); + complete(&task->slow_task->completion); + } + +diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c +index ac12ee844bfc..31c29a5d1f38 100644 +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -431,7 +431,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, + } + + ha->optrom_region_start = start; +- ha->optrom_region_size = start + size; ++ ha->optrom_region_size = size; + + ha->optrom_state = QLA_SREADING; + ha->optrom_buffer = vmalloc(ha->optrom_region_size); +@@ -504,7 +504,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, + } + + ha->optrom_region_start = start; +- ha->optrom_region_size = start + size; ++ ha->optrom_region_size = size; + + ha->optrom_state = QLA_SWRITING; + ha->optrom_buffer = vmalloc(ha->optrom_region_size); +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index f9f899ec9427..c158967b59d7 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -3207,6 +3207,8 @@ static int qla4xxx_conn_bind(struct iscsi_cls_session *cls_session, + if (iscsi_conn_bind(cls_session, cls_conn, is_leading)) + return -EINVAL; + ep = iscsi_lookup_endpoint(transport_fd); ++ if (!ep) ++ return -EINVAL; + conn = cls_conn->dd_data; + qla_conn = conn->dd_data; + qla_conn->qla_ep = ep->dd_data; +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index 44b7a69d022a..45cd4cf93af3 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -613,13 +613,22 @@ static void handle_sc_creation(struct vmbus_channel *new_sc) + static void handle_multichannel_storage(struct hv_device *device, int max_chns) + { + struct storvsc_device *stor_device; +- int num_cpus = num_online_cpus(); + int num_sc; + struct storvsc_cmd_request *request; + struct vstor_packet *vstor_packet; + int ret, t; + +- num_sc = ((max_chns > num_cpus) ? num_cpus : max_chns); ++ /* ++ * If the number of CPUs is artificially restricted, such as ++ * with maxcpus=1 on the kernel boot line, Hyper-V could offer ++ * sub-channels >= the number of CPUs. These sub-channels ++ * should not be created. The primary channel is already created ++ * and assigned to one CPU, so check against # CPUs - 1. ++ */ ++ num_sc = min((int)(num_online_cpus() - 1), max_chns); ++ if (!num_sc) ++ return; ++ + stor_device = get_out_stor_device(device); + if (!stor_device) + return; +diff --git a/drivers/staging/iio/addac/adt7316.c b/drivers/staging/iio/addac/adt7316.c +index 3adc4516918c..8c5cfb9400d0 100644 +--- a/drivers/staging/iio/addac/adt7316.c ++++ b/drivers/staging/iio/addac/adt7316.c +@@ -47,6 +47,8 @@ + #define ADT7516_MSB_AIN3 0xA + #define ADT7516_MSB_AIN4 0xB + #define ADT7316_DA_DATA_BASE 0x10 ++#define ADT7316_DA_10_BIT_LSB_SHIFT 6 ++#define ADT7316_DA_12_BIT_LSB_SHIFT 4 + #define ADT7316_DA_MSB_DATA_REGS 4 + #define ADT7316_LSB_DAC_A 0x10 + #define ADT7316_MSB_DAC_A 0x11 +@@ -1092,7 +1094,7 @@ static ssize_t adt7316_store_DAC_internal_Vref(struct device *dev, + ldac_config = chip->ldac_config & (~ADT7516_DAC_IN_VREF_MASK); + if (data & 0x1) + ldac_config |= ADT7516_DAC_AB_IN_VREF; +- else if (data & 0x2) ++ if (data & 0x2) + ldac_config |= ADT7516_DAC_CD_IN_VREF; + } else { + ret = kstrtou8(buf, 16, &data); +@@ -1414,7 +1416,7 @@ static IIO_DEVICE_ATTR(ex_analog_temp_offset, S_IRUGO | S_IWUSR, + static ssize_t adt7316_show_DAC(struct adt7316_chip_info *chip, + int channel, char *buf) + { +- u16 data; ++ u16 data = 0; + u8 msb, lsb, offset; + int ret; + +@@ -1439,7 +1441,11 @@ static ssize_t adt7316_show_DAC(struct adt7316_chip_info *chip, + if (ret) + return -EIO; + +- data = (msb << offset) + (lsb & ((1 << offset) - 1)); ++ if (chip->dac_bits == 12) ++ data = lsb >> ADT7316_DA_12_BIT_LSB_SHIFT; ++ else if (chip->dac_bits == 10) ++ data = lsb >> ADT7316_DA_10_BIT_LSB_SHIFT; ++ data |= msb << offset; + + return sprintf(buf, "%d\n", data); + } +@@ -1447,7 +1453,7 @@ static ssize_t adt7316_show_DAC(struct adt7316_chip_info *chip, + static ssize_t adt7316_store_DAC(struct adt7316_chip_info *chip, + int channel, const char *buf, size_t len) + { +- u8 msb, lsb, offset; ++ u8 msb, lsb, lsb_reg, offset; + u16 data; + int ret; + +@@ -1465,9 +1471,13 @@ static ssize_t adt7316_store_DAC(struct adt7316_chip_info *chip, + return -EINVAL; + + if (chip->dac_bits > 8) { +- lsb = data & (1 << offset); ++ lsb = data & ((1 << offset) - 1); ++ if (chip->dac_bits == 12) ++ lsb_reg = lsb << ADT7316_DA_12_BIT_LSB_SHIFT; ++ else ++ lsb_reg = lsb << ADT7316_DA_10_BIT_LSB_SHIFT; + ret = chip->bus.write(chip->bus.client, +- ADT7316_DA_DATA_BASE + channel * 2, lsb); ++ ADT7316_DA_DATA_BASE + channel * 2, lsb_reg); + if (ret) + return -EIO; + } +diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c +index 17a22073d226..032f3c13b8c4 100644 +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -1448,7 +1448,7 @@ static int __init sc16is7xx_init(void) + ret = i2c_add_driver(&sc16is7xx_i2c_uart_driver); + if (ret < 0) { + pr_err("failed to init sc16is7xx i2c --> %d\n", ret); +- return ret; ++ goto err_i2c; + } + #endif + +@@ -1456,10 +1456,18 @@ static int __init sc16is7xx_init(void) + ret = spi_register_driver(&sc16is7xx_spi_uart_driver); + if (ret < 0) { + pr_err("failed to init sc16is7xx spi --> %d\n", ret); +- return ret; ++ goto err_spi; + } + #endif + return ret; ++ ++err_spi: ++#ifdef CONFIG_SERIAL_SC16IS7XX_I2C ++ i2c_del_driver(&sc16is7xx_i2c_uart_driver); ++#endif ++err_i2c: ++ uart_unregister_driver(&sc16is7xx_uart); ++ return ret; + } + module_init(sc16is7xx_init); + +diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c +index e9d6cf146fcc..654199c6a36c 100644 +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -470,11 +470,6 @@ static int usb_unbind_interface(struct device *dev) + pm_runtime_disable(dev); + pm_runtime_set_suspended(dev); + +- /* Undo any residual pm_autopm_get_interface_* calls */ +- for (r = atomic_read(&intf->pm_usage_cnt); r > 0; --r) +- usb_autopm_put_interface_no_suspend(intf); +- atomic_set(&intf->pm_usage_cnt, 0); +- + if (!error) + usb_autosuspend_device(udev); + +@@ -1625,7 +1620,6 @@ void usb_autopm_put_interface(struct usb_interface *intf) + int status; + + usb_mark_last_busy(udev); +- atomic_dec(&intf->pm_usage_cnt); + status = pm_runtime_put_sync(&intf->dev); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), +@@ -1654,7 +1648,6 @@ void usb_autopm_put_interface_async(struct usb_interface *intf) + int status; + + usb_mark_last_busy(udev); +- atomic_dec(&intf->pm_usage_cnt); + status = pm_runtime_put(&intf->dev); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), +@@ -1676,7 +1669,6 @@ void usb_autopm_put_interface_no_suspend(struct usb_interface *intf) + struct usb_device *udev = interface_to_usbdev(intf); + + usb_mark_last_busy(udev); +- atomic_dec(&intf->pm_usage_cnt); + pm_runtime_put_noidle(&intf->dev); + } + EXPORT_SYMBOL_GPL(usb_autopm_put_interface_no_suspend); +@@ -1707,8 +1699,6 @@ int usb_autopm_get_interface(struct usb_interface *intf) + status = pm_runtime_get_sync(&intf->dev); + if (status < 0) + pm_runtime_put_sync(&intf->dev); +- else +- atomic_inc(&intf->pm_usage_cnt); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), + status); +@@ -1742,8 +1732,6 @@ int usb_autopm_get_interface_async(struct usb_interface *intf) + status = pm_runtime_get(&intf->dev); + if (status < 0 && status != -EINPROGRESS) + pm_runtime_put_noidle(&intf->dev); +- else +- atomic_inc(&intf->pm_usage_cnt); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), + status); +@@ -1767,7 +1755,6 @@ void usb_autopm_get_interface_no_resume(struct usb_interface *intf) + struct usb_device *udev = interface_to_usbdev(intf); + + usb_mark_last_busy(udev); +- atomic_inc(&intf->pm_usage_cnt); + pm_runtime_get_noresume(&intf->dev); + } + EXPORT_SYMBOL_GPL(usb_autopm_get_interface_no_resume); +@@ -1888,14 +1875,11 @@ int usb_runtime_idle(struct device *dev) + return -EBUSY; + } + +-int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) ++static int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) + { + struct usb_hcd *hcd = bus_to_hcd(udev->bus); + int ret = -EPERM; + +- if (enable && !udev->usb2_hw_lpm_allowed) +- return 0; +- + if (hcd->driver->set_usb2_hw_lpm) { + ret = hcd->driver->set_usb2_hw_lpm(hcd, udev, enable); + if (!ret) +@@ -1905,6 +1889,24 @@ int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) + return ret; + } + ++int usb_enable_usb2_hardware_lpm(struct usb_device *udev) ++{ ++ if (!udev->usb2_hw_lpm_capable || ++ !udev->usb2_hw_lpm_allowed || ++ udev->usb2_hw_lpm_enabled) ++ return 0; ++ ++ return usb_set_usb2_hardware_lpm(udev, 1); ++} ++ ++int usb_disable_usb2_hardware_lpm(struct usb_device *udev) ++{ ++ if (!udev->usb2_hw_lpm_enabled) ++ return 0; ++ ++ return usb_set_usb2_hardware_lpm(udev, 0); ++} ++ + #endif /* CONFIG_PM */ + + struct bus_type usb_bus_type = { +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 3a6978458d95..7c87c0b38bcf 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3116,8 +3116,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg) + } + + /* disable USB2 hardware LPM */ +- if (udev->usb2_hw_lpm_enabled == 1) +- usb_set_usb2_hardware_lpm(udev, 0); ++ usb_disable_usb2_hardware_lpm(udev); + + if (usb_disable_ltm(udev)) { + dev_err(&udev->dev, "Failed to disable LTM before suspend\n."); +@@ -3163,8 +3162,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg) + usb_enable_ltm(udev); + err_ltm: + /* Try to enable USB2 hardware LPM again */ +- if (udev->usb2_hw_lpm_capable == 1) +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + + if (udev->do_remote_wakeup) + (void) usb_disable_remote_wakeup(udev); +@@ -3443,8 +3441,7 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg) + hub_port_logical_disconnect(hub, port1); + } else { + /* Try to enable USB2 hardware LPM */ +- if (udev->usb2_hw_lpm_capable == 1) +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + + /* Try to enable USB3 LTM and LPM */ + usb_enable_ltm(udev); +@@ -4270,7 +4267,7 @@ static void hub_set_initial_usb2_lpm_policy(struct usb_device *udev) + if ((udev->bos->ext_cap->bmAttributes & cpu_to_le32(USB_BESL_SUPPORT)) || + connect_type == USB_PORT_CONNECT_TYPE_HARD_WIRED) { + udev->usb2_hw_lpm_allowed = 1; +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + } + } + +@@ -5415,8 +5412,7 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + /* Disable USB2 hardware LPM. + * It will be re-enabled by the enumeration process. + */ +- if (udev->usb2_hw_lpm_enabled == 1) +- usb_set_usb2_hardware_lpm(udev, 0); ++ usb_disable_usb2_hardware_lpm(udev); + + /* Disable LPM and LTM while we reset the device and reinstall the alt + * settings. Device-initiated LPM settings, and system exit latency +@@ -5526,7 +5522,7 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + + done: + /* Now that the alt settings are re-installed, enable LTM and LPM. */ +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + usb_unlocked_enable_lpm(udev); + usb_enable_ltm(udev); + usb_release_bos_descriptor(udev); +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index 08cba309eb78..adc696a76b20 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -820,9 +820,11 @@ int usb_string(struct usb_device *dev, int index, char *buf, size_t size) + + if (dev->state == USB_STATE_SUSPENDED) + return -EHOSTUNREACH; +- if (size <= 0 || !buf || !index) ++ if (size <= 0 || !buf) + return -EINVAL; + buf[0] = 0; ++ if (index <= 0 || index >= 256) ++ return -EINVAL; + tbuf = kmalloc(256, GFP_NOIO); + if (!tbuf) + return -ENOMEM; +@@ -1184,8 +1186,7 @@ void usb_disable_device(struct usb_device *dev, int skip_ep0) + dev->actconfig->interface[i] = NULL; + } + +- if (dev->usb2_hw_lpm_enabled == 1) +- usb_set_usb2_hardware_lpm(dev, 0); ++ usb_disable_usb2_hardware_lpm(dev); + usb_unlocked_disable_lpm(dev); + usb_disable_ltm(dev); + +diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c +index 65b6e6b84043..6dc0f4e25cf3 100644 +--- a/drivers/usb/core/sysfs.c ++++ b/drivers/usb/core/sysfs.c +@@ -472,7 +472,10 @@ static ssize_t usb2_hardware_lpm_store(struct device *dev, + + if (!ret) { + udev->usb2_hw_lpm_allowed = value; +- ret = usb_set_usb2_hardware_lpm(udev, value); ++ if (value) ++ ret = usb_enable_usb2_hardware_lpm(udev); ++ else ++ ret = usb_disable_usb2_hardware_lpm(udev); + } + + usb_unlock_device(udev); +diff --git a/drivers/usb/core/usb.h b/drivers/usb/core/usb.h +index 53318126ed91..6b2f11544283 100644 +--- a/drivers/usb/core/usb.h ++++ b/drivers/usb/core/usb.h +@@ -84,7 +84,8 @@ extern int usb_remote_wakeup(struct usb_device *dev); + extern int usb_runtime_suspend(struct device *dev); + extern int usb_runtime_resume(struct device *dev); + extern int usb_runtime_idle(struct device *dev); +-extern int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable); ++extern int usb_enable_usb2_hardware_lpm(struct usb_device *udev); ++extern int usb_disable_usb2_hardware_lpm(struct usb_device *udev); + + #else + +@@ -104,7 +105,12 @@ static inline int usb_autoresume_device(struct usb_device *udev) + return 0; + } + +-static inline int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) ++static inline int usb_enable_usb2_hardware_lpm(struct usb_device *udev) ++{ ++ return 0; ++} ++ ++static inline int usb_disable_usb2_hardware_lpm(struct usb_device *udev) + { + return 0; + } +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 22b4797383cd..4378e758baef 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -867,7 +867,7 @@ static int dwc3_probe(struct platform_device *pdev) + dwc->regs_size = resource_size(res); + + /* default to highest possible threshold */ +- lpm_nyet_threshold = 0xff; ++ lpm_nyet_threshold = 0xf; + + /* default to -3.5dB de-emphasis */ + tx_de_emphasis = 1; +diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c +index 3b6e34fc032b..553922c3be85 100644 +--- a/drivers/usb/gadget/udc/net2272.c ++++ b/drivers/usb/gadget/udc/net2272.c +@@ -962,6 +962,7 @@ net2272_dequeue(struct usb_ep *_ep, struct usb_request *_req) + break; + } + if (&req->req != _req) { ++ ep->stopped = stopped; + spin_unlock_irqrestore(&ep->dev->lock, flags); + return -EINVAL; + } +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index 8efeadf30b4d..3a8d056a5d16 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -870,9 +870,6 @@ static void start_queue(struct net2280_ep *ep, u32 dmactl, u32 td_dma) + (void) readl(&ep->dev->pci->pcimstctl); + + writel(BIT(DMA_START), &dma->dmastat); +- +- if (!ep->is_in) +- stop_out_naking(ep); + } + + static void start_dma(struct net2280_ep *ep, struct net2280_request *req) +@@ -911,6 +908,7 @@ static void start_dma(struct net2280_ep *ep, struct net2280_request *req) + writel(BIT(DMA_START), &dma->dmastat); + return; + } ++ stop_out_naking(ep); + } + + tmp = dmactl_default; +@@ -1272,9 +1270,9 @@ static int net2280_dequeue(struct usb_ep *_ep, struct usb_request *_req) + break; + } + if (&req->req != _req) { ++ ep->stopped = stopped; + spin_unlock_irqrestore(&ep->dev->lock, flags); +- dev_err(&ep->dev->pdev->dev, "%s: Request mismatch\n", +- __func__); ++ ep_dbg(ep->dev, "%s: Request mismatch\n", __func__); + return -EINVAL; + } + +diff --git a/drivers/usb/host/u132-hcd.c b/drivers/usb/host/u132-hcd.c +index d5434e7a3b2e..86f9944f337d 100644 +--- a/drivers/usb/host/u132-hcd.c ++++ b/drivers/usb/host/u132-hcd.c +@@ -3214,6 +3214,9 @@ static int __init u132_hcd_init(void) + printk(KERN_INFO "driver %s\n", hcd_name); + workqueue = create_singlethread_workqueue("u132"); + retval = platform_driver_register(&u132_platform_driver); ++ if (retval) ++ destroy_workqueue(workqueue); ++ + return retval; + } + +diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c +index 5594a4a4a83f..a8b6d0036e5d 100644 +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -332,6 +332,7 @@ static void yurex_disconnect(struct usb_interface *interface) + usb_deregister_dev(interface, &yurex_class); + + /* prevent more I/O from starting */ ++ usb_poison_urb(dev->urb); + mutex_lock(&dev->io_mutex); + dev->interface = NULL; + mutex_unlock(&dev->io_mutex); +diff --git a/drivers/usb/serial/generic.c b/drivers/usb/serial/generic.c +index 54e170dd3dad..faead4f32b1c 100644 +--- a/drivers/usb/serial/generic.c ++++ b/drivers/usb/serial/generic.c +@@ -350,39 +350,59 @@ void usb_serial_generic_read_bulk_callback(struct urb *urb) + struct usb_serial_port *port = urb->context; + unsigned char *data = urb->transfer_buffer; + unsigned long flags; ++ bool stopped = false; ++ int status = urb->status; + int i; + + for (i = 0; i < ARRAY_SIZE(port->read_urbs); ++i) { + if (urb == port->read_urbs[i]) + break; + } +- set_bit(i, &port->read_urbs_free); + + dev_dbg(&port->dev, "%s - urb %d, len %d\n", __func__, i, + urb->actual_length); +- switch (urb->status) { ++ switch (status) { + case 0: ++ usb_serial_debug_data(&port->dev, __func__, urb->actual_length, ++ data); ++ port->serial->type->process_read_urb(urb); + break; + case -ENOENT: + case -ECONNRESET: + case -ESHUTDOWN: + dev_dbg(&port->dev, "%s - urb stopped: %d\n", +- __func__, urb->status); +- return; ++ __func__, status); ++ stopped = true; ++ break; + case -EPIPE: + dev_err(&port->dev, "%s - urb stopped: %d\n", +- __func__, urb->status); +- return; ++ __func__, status); ++ stopped = true; ++ break; + default: + dev_dbg(&port->dev, "%s - nonzero urb status: %d\n", +- __func__, urb->status); +- goto resubmit; ++ __func__, status); ++ break; + } + +- usb_serial_debug_data(&port->dev, __func__, urb->actual_length, data); +- port->serial->type->process_read_urb(urb); ++ /* ++ * Make sure URB processing is done before marking as free to avoid ++ * racing with unthrottle() on another CPU. Matches the barriers ++ * implied by the test_and_clear_bit() in ++ * usb_serial_generic_submit_read_urb(). ++ */ ++ smp_mb__before_atomic(); ++ set_bit(i, &port->read_urbs_free); ++ /* ++ * Make sure URB is marked as free before checking the throttled flag ++ * to avoid racing with unthrottle() on another CPU. Matches the ++ * smp_mb() in unthrottle(). ++ */ ++ smp_mb__after_atomic(); ++ ++ if (stopped) ++ return; + +-resubmit: + /* Throttle the device if requested by tty */ + spin_lock_irqsave(&port->lock, flags); + port->throttled = port->throttle_req; +@@ -399,6 +419,7 @@ void usb_serial_generic_write_bulk_callback(struct urb *urb) + { + unsigned long flags; + struct usb_serial_port *port = urb->context; ++ int status = urb->status; + int i; + + for (i = 0; i < ARRAY_SIZE(port->write_urbs); ++i) { +@@ -410,22 +431,22 @@ void usb_serial_generic_write_bulk_callback(struct urb *urb) + set_bit(i, &port->write_urbs_free); + spin_unlock_irqrestore(&port->lock, flags); + +- switch (urb->status) { ++ switch (status) { + case 0: + break; + case -ENOENT: + case -ECONNRESET: + case -ESHUTDOWN: + dev_dbg(&port->dev, "%s - urb stopped: %d\n", +- __func__, urb->status); ++ __func__, status); + return; + case -EPIPE: + dev_err_console(port, "%s - urb stopped: %d\n", +- __func__, urb->status); ++ __func__, status); + return; + default: + dev_err_console(port, "%s - nonzero urb status: %d\n", +- __func__, urb->status); ++ __func__, status); + goto resubmit; + } + +@@ -456,6 +477,12 @@ void usb_serial_generic_unthrottle(struct tty_struct *tty) + port->throttled = port->throttle_req = 0; + spin_unlock_irq(&port->lock); + ++ /* ++ * Matches the smp_mb__after_atomic() in ++ * usb_serial_generic_read_bulk_callback(). ++ */ ++ smp_mb(); ++ + if (was_throttled) + usb_serial_generic_submit_read_urbs(port, GFP_KERNEL); + } +diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c +index 20433563a601..be432bec0c5b 100644 +--- a/drivers/usb/storage/realtek_cr.c ++++ b/drivers/usb/storage/realtek_cr.c +@@ -772,18 +772,16 @@ static void rts51x_suspend_timer_fn(unsigned long data) + break; + case RTS51X_STAT_IDLE: + case RTS51X_STAT_SS: +- usb_stor_dbg(us, "RTS51X_STAT_SS, intf->pm_usage_cnt:%d, power.usage:%d\n", +- atomic_read(&us->pusb_intf->pm_usage_cnt), ++ usb_stor_dbg(us, "RTS51X_STAT_SS, power.usage:%d\n", + atomic_read(&us->pusb_intf->dev.power.usage_count)); + +- if (atomic_read(&us->pusb_intf->pm_usage_cnt) > 0) { ++ if (atomic_read(&us->pusb_intf->dev.power.usage_count) > 0) { + usb_stor_dbg(us, "Ready to enter SS state\n"); + rts51x_set_stat(chip, RTS51X_STAT_SS); + /* ignore mass storage interface's children */ + pm_suspend_ignore_children(&us->pusb_intf->dev, true); + usb_autopm_put_interface_async(us->pusb_intf); +- usb_stor_dbg(us, "RTS51X_STAT_SS 01, intf->pm_usage_cnt:%d, power.usage:%d\n", +- atomic_read(&us->pusb_intf->pm_usage_cnt), ++ usb_stor_dbg(us, "RTS51X_STAT_SS 01, power.usage:%d\n", + atomic_read(&us->pusb_intf->dev.power.usage_count)); + } + break; +@@ -816,11 +814,10 @@ static void rts51x_invoke_transport(struct scsi_cmnd *srb, struct us_data *us) + int ret; + + if (working_scsi(srb)) { +- usb_stor_dbg(us, "working scsi, intf->pm_usage_cnt:%d, power.usage:%d\n", +- atomic_read(&us->pusb_intf->pm_usage_cnt), ++ usb_stor_dbg(us, "working scsi, power.usage:%d\n", + atomic_read(&us->pusb_intf->dev.power.usage_count)); + +- if (atomic_read(&us->pusb_intf->pm_usage_cnt) <= 0) { ++ if (atomic_read(&us->pusb_intf->dev.power.usage_count) <= 0) { + ret = usb_autopm_get_interface(us->pusb_intf); + usb_stor_dbg(us, "working scsi, ret=%d\n", ret); + } +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index 6cac8f26b97a..e657b111b320 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -772,23 +772,33 @@ static int uas_slave_alloc(struct scsi_device *sdev) + { + struct uas_dev_info *devinfo = + (struct uas_dev_info *)sdev->host->hostdata; ++ int maxp; + + sdev->hostdata = devinfo; + +- /* USB has unusual DMA-alignment requirements: Although the +- * starting address of each scatter-gather element doesn't matter, +- * the length of each element except the last must be divisible +- * by the Bulk maxpacket value. There's currently no way to +- * express this by block-layer constraints, so we'll cop out +- * and simply require addresses to be aligned at 512-byte +- * boundaries. This is okay since most block I/O involves +- * hardware sectors that are multiples of 512 bytes in length, +- * and since host controllers up through USB 2.0 have maxpacket +- * values no larger than 512. +- * +- * But it doesn't suffice for Wireless USB, where Bulk maxpacket +- * values can be as large as 2048. To make that work properly +- * will require changes to the block layer. ++ /* ++ * We have two requirements here. We must satisfy the requirements ++ * of the physical HC and the demands of the protocol, as we ++ * definitely want no additional memory allocation in this path ++ * ruling out using bounce buffers. ++ * ++ * For a transmission on USB to continue we must never send ++ * a package that is smaller than maxpacket. Hence the length of each ++ * scatterlist element except the last must be divisible by the ++ * Bulk maxpacket value. ++ * If the HC does not ensure that through SG, ++ * the upper layer must do that. We must assume nothing ++ * about the capabilities off the HC, so we use the most ++ * pessimistic requirement. ++ */ ++ ++ maxp = usb_maxpacket(devinfo->udev, devinfo->data_in_pipe, 0); ++ blk_queue_virt_boundary(sdev->request_queue, maxp - 1); ++ ++ /* ++ * The protocol has no requirements on alignment in the strict sense. ++ * Controllers may or may not have alignment restrictions. ++ * As this is not exported, we use an extremely conservative guess. + */ + blk_queue_update_dma_alignment(sdev->request_queue, (512 - 1)); + +diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c +index 56cacb68040c..808e3a317954 100644 +--- a/drivers/usb/usbip/stub_rx.c ++++ b/drivers/usb/usbip/stub_rx.c +@@ -380,22 +380,10 @@ static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) + } + + if (usb_endpoint_xfer_isoc(epd)) { +- /* validate packet size and number of packets */ +- unsigned int maxp, packets, bytes; +- +-#define USB_EP_MAXP_MULT_SHIFT 11 +-#define USB_EP_MAXP_MULT_MASK (3 << USB_EP_MAXP_MULT_SHIFT) +-#define USB_EP_MAXP_MULT(m) \ +- (((m) & USB_EP_MAXP_MULT_MASK) >> USB_EP_MAXP_MULT_SHIFT) +- +- maxp = usb_endpoint_maxp(epd); +- maxp *= (USB_EP_MAXP_MULT( +- __le16_to_cpu(epd->wMaxPacketSize)) + 1); +- bytes = pdu->u.cmd_submit.transfer_buffer_length; +- packets = DIV_ROUND_UP(bytes, maxp); +- ++ /* validate number of packets */ + if (pdu->u.cmd_submit.number_of_packets < 0 || +- pdu->u.cmd_submit.number_of_packets > packets) { ++ pdu->u.cmd_submit.number_of_packets > ++ USBIP_MAX_ISO_PACKETS) { + dev_err(&sdev->udev->dev, + "CMD_SUBMIT: isoc invalid num packets %d\n", + pdu->u.cmd_submit.number_of_packets); +diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h +index 0fc5ace57c0e..af903aa4ad90 100644 +--- a/drivers/usb/usbip/usbip_common.h ++++ b/drivers/usb/usbip/usbip_common.h +@@ -134,6 +134,13 @@ extern struct device_attribute dev_attr_usbip_debug; + #define USBIP_DIR_OUT 0x00 + #define USBIP_DIR_IN 0x01 + ++/* ++ * Arbitrary limit for the maximum number of isochronous packets in an URB, ++ * compare for example the uhci_submit_isochronous function in ++ * drivers/usb/host/uhci-q.c ++ */ ++#define USBIP_MAX_ISO_PACKETS 1024 ++ + /** + * struct usbip_header_basic - data pertinent to every request + * @command: the usbip request type +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index b31b84f56e8f..47b229fa5e8e 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -1191,11 +1191,11 @@ static void __init vfio_pci_fill_ids(void) + rc = pci_add_dynid(&vfio_pci_driver, vendor, device, + subvendor, subdevice, class, class_mask, 0); + if (rc) +- pr_warn("failed to add dynamic id [%04hx:%04hx[%04hx:%04hx]] class %#08x/%08x (%d)\n", ++ pr_warn("failed to add dynamic id [%04x:%04x[%04x:%04x]] class %#08x/%08x (%d)\n", + vendor, device, subvendor, subdevice, + class, class_mask, rc); + else +- pr_info("add [%04hx:%04hx[%04hx:%04hx]] class %#08x/%08x\n", ++ pr_info("add [%04x:%04x[%04x:%04x]] class %#08x/%08x\n", + vendor, device, subvendor, subdevice, + class, class_mask); + } +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 2fa280671c1e..875634d0d020 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -53,10 +53,16 @@ module_param_named(disable_hugepages, + MODULE_PARM_DESC(disable_hugepages, + "Disable VFIO IOMMU support for IOMMU hugepages."); + ++static unsigned int dma_entry_limit __read_mostly = U16_MAX; ++module_param_named(dma_entry_limit, dma_entry_limit, uint, 0644); ++MODULE_PARM_DESC(dma_entry_limit, ++ "Maximum number of user DMA mappings per container (65535)."); ++ + struct vfio_iommu { + struct list_head domain_list; + struct mutex lock; + struct rb_root dma_list; ++ unsigned int dma_avail; + bool v2; + bool nesting; + }; +@@ -382,6 +388,7 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma) + vfio_unmap_unpin(iommu, dma); + vfio_unlink_dma(iommu, dma); + kfree(dma); ++ iommu->dma_avail++; + } + + static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu) +@@ -582,12 +589,18 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu, + return -EEXIST; + } + ++ if (!iommu->dma_avail) { ++ mutex_unlock(&iommu->lock); ++ return -ENOSPC; ++ } ++ + dma = kzalloc(sizeof(*dma), GFP_KERNEL); + if (!dma) { + mutex_unlock(&iommu->lock); + return -ENOMEM; + } + ++ iommu->dma_avail--; + dma->iova = iova; + dma->vaddr = vaddr; + dma->prot = prot; +@@ -903,6 +916,7 @@ static void *vfio_iommu_type1_open(unsigned long arg) + + INIT_LIST_HEAD(&iommu->domain_list); + iommu->dma_list = RB_ROOT; ++ iommu->dma_avail = dma_entry_limit; + mutex_init(&iommu->lock); + + return iommu; +diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c +index 590a0f51a249..9f96c7e61387 100644 +--- a/drivers/virt/fsl_hypervisor.c ++++ b/drivers/virt/fsl_hypervisor.c +@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + * hypervisor. + */ + lb_offset = param.local_vaddr & (PAGE_SIZE - 1); ++ if (param.count == 0 || ++ param.count > U64_MAX - lb_offset - PAGE_SIZE + 1) ++ return -EINVAL; + num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT; + + /* Allocate the buffers we need */ +@@ -335,8 +338,8 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) + struct fsl_hv_ioctl_prop param; + char __user *upath, *upropname; + void __user *upropval; +- char *path = NULL, *propname = NULL; +- void *propval = NULL; ++ char *path, *propname; ++ void *propval; + int ret = 0; + + /* Get the parameters from the user. */ +@@ -348,32 +351,30 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) + upropval = (void __user *)(uintptr_t)param.propval; + + path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN); +- if (IS_ERR(path)) { +- ret = PTR_ERR(path); +- goto out; +- } ++ if (IS_ERR(path)) ++ return PTR_ERR(path); + + propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN); + if (IS_ERR(propname)) { + ret = PTR_ERR(propname); +- goto out; ++ goto err_free_path; + } + + if (param.proplen > FH_DTPROP_MAX_PROPLEN) { + ret = -EINVAL; +- goto out; ++ goto err_free_propname; + } + + propval = kmalloc(param.proplen, GFP_KERNEL); + if (!propval) { + ret = -ENOMEM; +- goto out; ++ goto err_free_propname; + } + + if (set) { + if (copy_from_user(propval, upropval, param.proplen)) { + ret = -EFAULT; +- goto out; ++ goto err_free_propval; + } + + param.ret = fh_partition_set_dtprop(param.handle, +@@ -392,7 +393,7 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) + if (copy_to_user(upropval, propval, param.proplen) || + put_user(param.proplen, &p->proplen)) { + ret = -EFAULT; +- goto out; ++ goto err_free_propval; + } + } + } +@@ -400,10 +401,12 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) + if (put_user(param.ret, &p->ret)) + ret = -EFAULT; + +-out: +- kfree(path); ++err_free_propval: + kfree(propval); ++err_free_propname: + kfree(propname); ++err_free_path: ++ kfree(path); + + return ret; + } +diff --git a/drivers/w1/masters/ds2490.c b/drivers/w1/masters/ds2490.c +index 59d74d1b47a8..2287e1be0e55 100644 +--- a/drivers/w1/masters/ds2490.c ++++ b/drivers/w1/masters/ds2490.c +@@ -1039,15 +1039,15 @@ static int ds_probe(struct usb_interface *intf, + /* alternative 3, 1ms interrupt (greatly speeds search), 64 byte bulk */ + alt = 3; + err = usb_set_interface(dev->udev, +- intf->altsetting[alt].desc.bInterfaceNumber, alt); ++ intf->cur_altsetting->desc.bInterfaceNumber, alt); + if (err) { + dev_err(&dev->udev->dev, "Failed to set alternative setting %d " + "for %d interface: err=%d.\n", alt, +- intf->altsetting[alt].desc.bInterfaceNumber, err); ++ intf->cur_altsetting->desc.bInterfaceNumber, err); + goto err_out_clear; + } + +- iface_desc = &intf->altsetting[alt]; ++ iface_desc = intf->cur_altsetting; + if (iface_desc->desc.bNumEndpoints != NUM_EP-1) { + pr_info("Num endpoints=%d. It is not DS9490R.\n", + iface_desc->desc.bNumEndpoints); +diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c +index be7d187d53fd..d636e2660e62 100644 +--- a/fs/ceph/dir.c ++++ b/fs/ceph/dir.c +@@ -1288,6 +1288,7 @@ void ceph_dentry_lru_del(struct dentry *dn) + unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn) + { + struct ceph_inode_info *dci = ceph_inode(dir); ++ unsigned hash; + + switch (dci->i_dir_layout.dl_dir_hash) { + case 0: /* for backward compat */ +@@ -1295,8 +1296,11 @@ unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn) + return dn->d_name.hash; + + default: +- return ceph_str_hash(dci->i_dir_layout.dl_dir_hash, ++ spin_lock(&dn->d_lock); ++ hash = ceph_str_hash(dci->i_dir_layout.dl_dir_hash, + dn->d_name.name, dn->d_name.len); ++ spin_unlock(&dn->d_lock); ++ return hash; + } + } + +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index 9f0d99094cc1..a663b676d566 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -474,6 +474,7 @@ static void ceph_i_callback(struct rcu_head *head) + struct inode *inode = container_of(head, struct inode, i_rcu); + struct ceph_inode_info *ci = ceph_inode(inode); + ++ kfree(ci->i_symlink); + kmem_cache_free(ceph_inode_cachep, ci); + } + +@@ -505,7 +506,6 @@ void ceph_destroy_inode(struct inode *inode) + ceph_put_snap_realm(mdsc, realm); + } + +- kfree(ci->i_symlink); + while ((n = rb_first(&ci->i_fragtree)) != NULL) { + frag = rb_entry(n, struct ceph_inode_frag, node); + rb_erase(n, &ci->i_fragtree); +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index 35e6e0b2cf34..a5de8e22629b 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -1198,6 +1198,15 @@ static int remove_session_caps_cb(struct inode *inode, struct ceph_cap *cap, + list_add(&ci->i_prealloc_cap_flush->list, &to_remove); + ci->i_prealloc_cap_flush = NULL; + } ++ ++ if (drop && ++ ci->i_wrbuffer_ref_head == 0 && ++ ci->i_wr_ref == 0 && ++ ci->i_dirty_caps == 0 && ++ ci->i_flushing_caps == 0) { ++ ceph_put_snap_context(ci->i_head_snapc); ++ ci->i_head_snapc = NULL; ++ } + } + spin_unlock(&ci->i_ceph_lock); + while (!list_empty(&to_remove)) { +diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c +index a485d0cdc559..3d876a1cf567 100644 +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -567,7 +567,12 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci) + capsnap = NULL; + + update_snapc: +- if (ci->i_head_snapc) { ++ if (ci->i_wrbuffer_ref_head == 0 && ++ ci->i_wr_ref == 0 && ++ ci->i_dirty_caps == 0 && ++ ci->i_flushing_caps == 0) { ++ ci->i_head_snapc = NULL; ++ } else { + ci->i_head_snapc = ceph_get_snap_context(new_snapc); + dout(" new snapc is %p\n", new_snapc); + } +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c +index d8bd8dd36211..0f210cb5038a 100644 +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -1669,6 +1669,10 @@ cifs_do_rename(const unsigned int xid, struct dentry *from_dentry, + if (rc == 0 || rc != -EBUSY) + goto do_rename_exit; + ++ /* Don't fall back to using SMB on SMB 2+ mount */ ++ if (server->vals->protocol_id != 0) ++ goto do_rename_exit; ++ + /* open-file renames don't work across directories */ + if (to_dentry->d_parent != from_dentry->d_parent) + goto do_rename_exit; +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c +index 22fe11baef2b..3530e1c3ff56 100644 +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -164,19 +164,24 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root) + return 0; + } + +-static void debugfs_evict_inode(struct inode *inode) ++static void debugfs_i_callback(struct rcu_head *head) + { +- truncate_inode_pages_final(&inode->i_data); +- clear_inode(inode); ++ struct inode *inode = container_of(head, struct inode, i_rcu); + if (S_ISLNK(inode->i_mode)) + kfree(inode->i_link); ++ free_inode_nonrcu(inode); ++} ++ ++static void debugfs_destroy_inode(struct inode *inode) ++{ ++ call_rcu(&inode->i_rcu, debugfs_i_callback); + } + + static const struct super_operations debugfs_super_operations = { + .statfs = simple_statfs, + .remount_fs = debugfs_remount, + .show_options = debugfs_show_options, +- .evict_inode = debugfs_evict_inode, ++ .destroy_inode = debugfs_destroy_inode, + }; + + static struct vfsmount *debugfs_automount(struct path *path) +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index cefae2350da5..27c4e2ac39a9 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -745,11 +745,17 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb, + umode_t mode, dev_t dev) + { + struct inode *inode; +- struct resv_map *resv_map; ++ struct resv_map *resv_map = NULL; + +- resv_map = resv_map_alloc(); +- if (!resv_map) +- return NULL; ++ /* ++ * Reserve maps are only needed for inodes that can have associated ++ * page allocations. ++ */ ++ if (S_ISREG(mode) || S_ISLNK(mode)) { ++ resv_map = resv_map_alloc(); ++ if (!resv_map) ++ return NULL; ++ } + + inode = new_inode(sb); + if (inode) { +@@ -790,8 +796,10 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb, + break; + } + lockdep_annotate_inode_mutex_key(inode); +- } else +- kref_put(&resv_map->refs, resv_map_release); ++ } else { ++ if (resv_map) ++ kref_put(&resv_map->refs, resv_map_release); ++ } + + return inode; + } +diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c +index bfebbf13698c..5b52ea41b84f 100644 +--- a/fs/jffs2/readinode.c ++++ b/fs/jffs2/readinode.c +@@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f) + + jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL); + +- if (f->target) { +- kfree(f->target); +- f->target = NULL; +- } +- + fds = f->dents; + while(fds) { + fd = fds; +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c +index 023e7f32ee1b..9fc297df8c75 100644 +--- a/fs/jffs2/super.c ++++ b/fs/jffs2/super.c +@@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb) + static void jffs2_i_callback(struct rcu_head *head) + { + struct inode *inode = container_of(head, struct inode, i_rcu); +- kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode)); ++ struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); ++ ++ kfree(f->target); ++ kmem_cache_free(jffs2_inode_cachep, f); + } + + static void jffs2_destroy_inode(struct inode *inode) +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 9b42139a479b..dced329a8584 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2020,7 +2020,8 @@ static int nfs23_validate_mount_data(void *options, + memcpy(sap, &data->addr, sizeof(data->addr)); + args->nfs_server.addrlen = sizeof(data->addr); + args->nfs_server.port = ntohs(data->addr.sin_port); +- if (!nfs_verify_server_address(sap)) ++ if (sap->sa_family != AF_INET || ++ !nfs_verify_server_address(sap)) + goto out_no_address; + + if (!(data->flags & NFS_MOUNT_TCP)) +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c +index 24ace275160c..4fa3f0ba9ab3 100644 +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -874,8 +874,9 @@ static void nfsd4_cb_prepare(struct rpc_task *task, void *calldata) + cb->cb_seq_status = 1; + cb->cb_status = 0; + if (minorversion) { +- if (!nfsd41_cb_get_slot(clp, task)) ++ if (!cb->cb_holds_slot && !nfsd41_cb_get_slot(clp, task)) + return; ++ cb->cb_holds_slot = true; + } + rpc_call_start(task); + } +@@ -902,6 +903,9 @@ static bool nfsd4_cb_sequence_done(struct rpc_task *task, struct nfsd4_callback + return true; + } + ++ if (!cb->cb_holds_slot) ++ goto need_restart; ++ + switch (cb->cb_seq_status) { + case 0: + /* +@@ -939,6 +943,7 @@ static bool nfsd4_cb_sequence_done(struct rpc_task *task, struct nfsd4_callback + cb->cb_seq_status); + } + ++ cb->cb_holds_slot = false; + clear_bit(0, &clp->cl_cb_slot_busy); + rpc_wake_up_next(&clp->cl_cb_waitq); + dprintk("%s: freed slot, new seqid=%d\n", __func__, +@@ -1146,6 +1151,7 @@ void nfsd4_init_cb(struct nfsd4_callback *cb, struct nfs4_client *clp, + cb->cb_seq_status = 1; + cb->cb_status = 0; + cb->cb_need_restart = false; ++ cb->cb_holds_slot = false; + } + + void nfsd4_run_cb(struct nfsd4_callback *cb) +diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h +index 86af697c21d3..2c26bedda7be 100644 +--- a/fs/nfsd/state.h ++++ b/fs/nfsd/state.h +@@ -70,6 +70,7 @@ struct nfsd4_callback { + int cb_seq_status; + int cb_status; + bool cb_need_restart; ++ bool cb_holds_slot; + }; + + struct nfsd4_callback_ops { +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index c7e32a891502..2eea16a81500 100644 +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1550,9 +1550,11 @@ static void drop_sysctl_table(struct ctl_table_header *header) + if (--header->nreg) + return; + +- if (parent) ++ if (parent) { + put_links(header); +- start_unregistering(header); ++ start_unregistering(header); ++ } ++ + if (!--header->count) + kfree_rcu(header, rcu); + +diff --git a/include/linux/bitops.h b/include/linux/bitops.h +index defeaac0745f..e76d03f44c80 100644 +--- a/include/linux/bitops.h ++++ b/include/linux/bitops.h +@@ -1,28 +1,9 @@ + #ifndef _LINUX_BITOPS_H + #define _LINUX_BITOPS_H + #include ++#include + +-#ifdef __KERNEL__ +-#define BIT(nr) (1UL << (nr)) +-#define BIT_ULL(nr) (1ULL << (nr)) +-#define BIT_MASK(nr) (1UL << ((nr) % BITS_PER_LONG)) +-#define BIT_WORD(nr) ((nr) / BITS_PER_LONG) +-#define BIT_ULL_MASK(nr) (1ULL << ((nr) % BITS_PER_LONG_LONG)) +-#define BIT_ULL_WORD(nr) ((nr) / BITS_PER_LONG_LONG) +-#define BITS_PER_BYTE 8 + #define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(long)) +-#endif +- +-/* +- * Create a contiguous bitmask starting at bit position @l and ending at +- * position @h. For example +- * GENMASK_ULL(39, 21) gives us the 64bit vector 0x000000ffffe00000. +- */ +-#define GENMASK(h, l) \ +- (((~0UL) << (l)) & (~0UL >> (BITS_PER_LONG - 1 - (h)))) +- +-#define GENMASK_ULL(h, l) \ +- (((~0ULL) << (l)) & (~0ULL >> (BITS_PER_LONG_LONG - 1 - (h)))) + + extern unsigned int __sw_hweight8(unsigned int w); + extern unsigned int __sw_hweight16(unsigned int w); +diff --git a/include/linux/bits.h b/include/linux/bits.h +new file mode 100644 +index 000000000000..2b7b532c1d51 +--- /dev/null ++++ b/include/linux/bits.h +@@ -0,0 +1,26 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef __LINUX_BITS_H ++#define __LINUX_BITS_H ++#include ++ ++#define BIT(nr) (1UL << (nr)) ++#define BIT_ULL(nr) (1ULL << (nr)) ++#define BIT_MASK(nr) (1UL << ((nr) % BITS_PER_LONG)) ++#define BIT_WORD(nr) ((nr) / BITS_PER_LONG) ++#define BIT_ULL_MASK(nr) (1ULL << ((nr) % BITS_PER_LONG_LONG)) ++#define BIT_ULL_WORD(nr) ((nr) / BITS_PER_LONG_LONG) ++#define BITS_PER_BYTE 8 ++ ++/* ++ * Create a contiguous bitmask starting at bit position @l and ending at ++ * position @h. For example ++ * GENMASK_ULL(39, 21) gives us the 64bit vector 0x000000ffffe00000. ++ */ ++#define GENMASK(h, l) \ ++ (((~0UL) - (1UL << (l)) + 1) & (~0UL >> (BITS_PER_LONG - 1 - (h)))) ++ ++#define GENMASK_ULL(h, l) \ ++ (((~0ULL) - (1ULL << (l)) + 1) & \ ++ (~0ULL >> (BITS_PER_LONG_LONG - 1 - (h)))) ++ ++#endif /* __LINUX_BITS_H */ +diff --git a/include/linux/cpu.h b/include/linux/cpu.h +index 063c73ed6d78..664f892d6e73 100644 +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -50,6 +50,8 @@ extern ssize_t cpu_show_spec_store_bypass(struct device *dev, + struct device_attribute *attr, char *buf); + extern ssize_t cpu_show_l1tf(struct device *dev, + struct device_attribute *attr, char *buf); ++extern ssize_t cpu_show_mds(struct device *dev, ++ struct device_attribute *attr, char *buf); + + extern __printf(4, 5) + struct device *cpu_device_create(struct device *parent, void *drvdata, +@@ -294,4 +296,21 @@ bool cpu_wait_death(unsigned int cpu, int seconds); + bool cpu_report_death(void); + #endif /* #ifdef CONFIG_HOTPLUG_CPU */ + ++/* ++ * These are used for a global "mitigations=" cmdline option for toggling ++ * optional CPU mitigations. ++ */ ++enum cpu_mitigations { ++ CPU_MITIGATIONS_OFF, ++ CPU_MITIGATIONS_AUTO, ++}; ++ ++extern enum cpu_mitigations cpu_mitigations; ++ ++/* mitigations=off */ ++static inline bool cpu_mitigations_off(void) ++{ ++ return cpu_mitigations == CPU_MITIGATIONS_OFF; ++} ++ + #endif /* _LINUX_CPU_H_ */ +diff --git a/include/linux/jump_label.h b/include/linux/jump_label.h +index 68904469fba1..2209eb0740b0 100644 +--- a/include/linux/jump_label.h ++++ b/include/linux/jump_label.h +@@ -267,9 +267,15 @@ struct static_key_false { + #define DEFINE_STATIC_KEY_TRUE(name) \ + struct static_key_true name = STATIC_KEY_TRUE_INIT + ++#define DECLARE_STATIC_KEY_TRUE(name) \ ++ extern struct static_key_true name ++ + #define DEFINE_STATIC_KEY_FALSE(name) \ + struct static_key_false name = STATIC_KEY_FALSE_INIT + ++#define DECLARE_STATIC_KEY_FALSE(name) \ ++ extern struct static_key_false name ++ + extern bool ____wrong_branch_error(void); + + #define static_key_enabled(x) \ +diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h +index 81fdf4b8aba4..8b1e2bd46bb7 100644 +--- a/include/linux/ptrace.h ++++ b/include/linux/ptrace.h +@@ -57,14 +57,17 @@ extern void exit_ptrace(struct task_struct *tracer, struct list_head *dead); + #define PTRACE_MODE_READ 0x01 + #define PTRACE_MODE_ATTACH 0x02 + #define PTRACE_MODE_NOAUDIT 0x04 +-#define PTRACE_MODE_FSCREDS 0x08 +-#define PTRACE_MODE_REALCREDS 0x10 ++#define PTRACE_MODE_FSCREDS 0x08 ++#define PTRACE_MODE_REALCREDS 0x10 ++#define PTRACE_MODE_SCHED 0x20 ++#define PTRACE_MODE_IBPB 0x40 + + /* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */ + #define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS) + #define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS) + #define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS) + #define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS) ++#define PTRACE_MODE_SPEC_IBPB (PTRACE_MODE_ATTACH_REALCREDS | PTRACE_MODE_IBPB) + + /** + * ptrace_may_access - check whether the caller is permitted to access +@@ -82,6 +85,20 @@ extern void exit_ptrace(struct task_struct *tracer, struct list_head *dead); + */ + extern bool ptrace_may_access(struct task_struct *task, unsigned int mode); + ++/** ++ * ptrace_may_access - check whether the caller is permitted to access ++ * a target task. ++ * @task: target task ++ * @mode: selects type of access and caller credentials ++ * ++ * Returns true on success, false on denial. ++ * ++ * Similar to ptrace_may_access(). Only to be called from context switch ++ * code. Does not call into audit and the regular LSM hooks due to locking ++ * constraints. ++ */ ++extern bool ptrace_may_access_sched(struct task_struct *task, unsigned int mode); ++ + static inline int ptrace_reparented(struct task_struct *child) + { + return !same_thread_group(child->real_parent, child->parent); +diff --git a/include/linux/sched.h b/include/linux/sched.h +index 48a59f731406..a0b540f800d9 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -2169,6 +2169,8 @@ static inline void memalloc_noio_restore(unsigned int flags) + #define PFA_SPREAD_SLAB 2 /* Spread some slab caches over cpuset */ + #define PFA_SPEC_SSB_DISABLE 4 /* Speculative Store Bypass disabled */ + #define PFA_SPEC_SSB_FORCE_DISABLE 5 /* Speculative Store Bypass force disabled*/ ++#define PFA_SPEC_IB_DISABLE 6 /* Indirect branch speculation restricted */ ++#define PFA_SPEC_IB_FORCE_DISABLE 7 /* Indirect branch speculation permanently restricted */ + + + #define TASK_PFA_TEST(name, func) \ +@@ -2199,6 +2201,13 @@ TASK_PFA_CLEAR(SPEC_SSB_DISABLE, spec_ssb_disable) + TASK_PFA_TEST(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable) + TASK_PFA_SET(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable) + ++TASK_PFA_TEST(SPEC_IB_DISABLE, spec_ib_disable) ++TASK_PFA_SET(SPEC_IB_DISABLE, spec_ib_disable) ++TASK_PFA_CLEAR(SPEC_IB_DISABLE, spec_ib_disable) ++ ++TASK_PFA_TEST(SPEC_IB_FORCE_DISABLE, spec_ib_force_disable) ++TASK_PFA_SET(SPEC_IB_FORCE_DISABLE, spec_ib_force_disable) ++ + /* + * task->jobctl flags + */ +diff --git a/include/linux/sched/smt.h b/include/linux/sched/smt.h +new file mode 100644 +index 000000000000..559ac4590593 +--- /dev/null ++++ b/include/linux/sched/smt.h +@@ -0,0 +1,20 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _LINUX_SCHED_SMT_H ++#define _LINUX_SCHED_SMT_H ++ ++#include ++ ++#ifdef CONFIG_SCHED_SMT ++extern atomic_t sched_smt_present; ++ ++static __always_inline bool sched_smt_active(void) ++{ ++ return atomic_read(&sched_smt_present); ++} ++#else ++static inline bool sched_smt_active(void) { return false; } ++#endif ++ ++void arch_smt_update(void); ++ ++#endif +diff --git a/include/linux/usb.h b/include/linux/usb.h +index 5c03ebc6dfa0..02bffcc611c3 100644 +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -127,7 +127,6 @@ enum usb_interface_condition { + * @dev: driver model's view of this device + * @usb_dev: if an interface is bound to the USB major, this will point + * to the sysfs representation for that device. +- * @pm_usage_cnt: PM usage counter for this interface + * @reset_ws: Used for scheduling resets from atomic context. + * @resetting_device: USB core reset the device, so use alt setting 0 as + * current; needs bandwidth alloc after reset. +@@ -184,7 +183,6 @@ struct usb_interface { + + struct device dev; /* interface specific device info */ + struct device *usb_dev; +- atomic_t pm_usage_cnt; /* usage counter for autosuspend */ + struct work_struct reset_ws; /* for resets in atomic context */ + }; + #define to_usb_interface(d) container_of(d, struct usb_interface, dev) +diff --git a/include/net/addrconf.h b/include/net/addrconf.h +index 18dd7a3caf2f..af032e5405f6 100644 +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -162,6 +162,7 @@ int ipv6_sock_mc_join(struct sock *sk, int ifindex, + const struct in6_addr *addr); + int ipv6_sock_mc_drop(struct sock *sk, int ifindex, + const struct in6_addr *addr); ++void __ipv6_sock_mc_close(struct sock *sk); + void ipv6_sock_mc_close(struct sock *sk); + bool inet6_mc_check(struct sock *sk, const struct in6_addr *mc_addr, + const struct in6_addr *src_addr); +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index 876688b5a356..7c0c83dfe86e 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -174,6 +174,9 @@ struct adv_info { + + #define HCI_MAX_SHORT_NAME_LENGTH 10 + ++/* Min encryption key size to match with SMP */ ++#define HCI_MIN_ENC_KEY_SIZE 7 ++ + /* Default LE RPA expiry time, 15 minutes */ + #define HCI_DEFAULT_RPA_TIMEOUT (15 * 60) + +diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h +index 64776b72e1eb..64ec0d62e5f5 100644 +--- a/include/uapi/linux/prctl.h ++++ b/include/uapi/linux/prctl.h +@@ -202,6 +202,7 @@ struct prctl_mm_map { + #define PR_SET_SPECULATION_CTRL 53 + /* Speculation control variants */ + # define PR_SPEC_STORE_BYPASS 0 ++# define PR_SPEC_INDIRECT_BRANCH 1 + /* Return and control values for PR_SET/GET_SPECULATION_CTRL */ + # define PR_SPEC_NOT_AFFECTED 0 + # define PR_SPEC_PRCTL (1UL << 0) +diff --git a/init/main.c b/init/main.c +index 49926d95442f..e88c8cdef6a7 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -538,6 +538,8 @@ asmlinkage __visible void __init start_kernel(void) + } + #else + pr_notice("Kernel command line: %s\n", boot_command_line); + #endif ++ /* parameters may set static keys */ ++ jump_label_init(); + parse_early_param(); + after_dashes = parse_args("Booting kernel", + static_command_line, __start___param, +@@ -547,8 +549,6 @@ asmlinkage __visible void __init start_kernel(void) + parse_args("Setting init args", after_dashes, NULL, 0, -1, -1, + NULL, set_init_arg); + +- jump_label_init(); +- + /* + * These use large bootmem allocations and must precede + * kmem_cache_init() +diff --git a/kernel/cpu.c b/kernel/cpu.c +index 42ce0b0ae5c5..3225c3a9d028 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -199,6 +200,12 @@ void cpu_hotplug_enable(void) + EXPORT_SYMBOL_GPL(cpu_hotplug_enable); + #endif /* CONFIG_HOTPLUG_CPU */ + ++/* ++ * Architectures that need SMT-specific errata handling during SMT hotplug ++ * should override this. ++ */ ++void __weak arch_smt_update(void) { } ++ + /* Need to know about CPUs going up/down? */ + int register_cpu_notifier(struct notifier_block *nb) + { +@@ -434,6 +441,7 @@ out_release: + cpu_hotplug_done(); + if (!err) + cpu_notify_nofail(CPU_POST_DEAD | mod, hcpu); ++ arch_smt_update(); + return err; + } + +@@ -537,8 +545,8 @@ out_notify: + __cpu_notify(CPU_UP_CANCELED | mod, hcpu, nr_calls, NULL); + out: + cpu_hotplug_done(); + trace_sched_cpu_hotplug(cpu, ret, 1); +- ++ arch_smt_update(); + return ret; + } + +@@ -834,5 +842,18 @@ void init_cpu_online(const struct cpumask *src) + { + cpumask_copy(to_cpumask(cpu_online_bits), src); + } ++ ++enum cpu_mitigations cpu_mitigations = CPU_MITIGATIONS_AUTO; ++ ++static int __init mitigations_parse_cmdline(char *arg) ++{ ++ if (!strcmp(arg, "off")) ++ cpu_mitigations = CPU_MITIGATIONS_OFF; ++ else if (!strcmp(arg, "auto")) ++ cpu_mitigations = CPU_MITIGATIONS_AUTO; ++ ++ return 0; ++} ++early_param("mitigations", mitigations_parse_cmdline); + + static ATOMIC_NOTIFIER_HEAD(idle_notifier); +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c +index 83cea913983c..92c7eb1aeded 100644 +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -319,8 +319,10 @@ irq_set_affinity_notifier(unsigned int irq, struct irq_affinity_notify *notify) + desc->affinity_notify = notify; + raw_spin_unlock_irqrestore(&desc->lock, flags); + +- if (old_notify) ++ if (old_notify) { ++ cancel_work_sync(&old_notify->work); + kref_put(&old_notify->kref, old_notify->release); ++ } + + return 0; + } +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index 5e2cd1030702..8303874c2a06 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -228,6 +228,9 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state) + + static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) + { ++ if (mode & PTRACE_MODE_SCHED) ++ return false; ++ + if (mode & PTRACE_MODE_NOAUDIT) + return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); + else +@@ -295,9 +298,16 @@ ok: + !ptrace_has_cap(mm->user_ns, mode))) + return -EPERM; + ++ if (mode & PTRACE_MODE_SCHED) ++ return 0; + return security_ptrace_access_check(task, mode); + } + ++bool ptrace_may_access_sched(struct task_struct *task, unsigned int mode) ++{ ++ return __ptrace_may_access(task, mode | PTRACE_MODE_SCHED); ++} ++ + bool ptrace_may_access(struct task_struct *task, unsigned int mode) + { + int err; +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index d0618951014b..d35a7d528ea6 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -5610,6 +5610,10 @@ static void set_cpu_rq_start_time(void) + rq->age_stamp = sched_clock_cpu(cpu); + } + ++#ifdef CONFIG_SCHED_SMT ++atomic_t sched_smt_present = ATOMIC_INIT(0); ++#endif ++ + static int sched_cpu_active(struct notifier_block *nfb, + unsigned long action, void *hcpu) + { +@@ -5626,11 +5630,23 @@ static int sched_cpu_active(struct notifier_block *nfb, + * set_cpu_online(). But it might not yet have marked itself + * as active, which is essential from here on. + */ ++#ifdef CONFIG_SCHED_SMT ++ /* ++ * When going up, increment the number of cores with SMT present. ++ */ ++ if (cpumask_weight(cpu_smt_mask(cpu)) == 2) ++ atomic_inc(&sched_smt_present); ++#endif + set_cpu_active(cpu, true); + stop_machine_unpark(cpu); + return NOTIFY_OK; + + case CPU_DOWN_FAILED: ++#ifdef CONFIG_SCHED_SMT ++ /* Same as for CPU_ONLINE */ ++ if (cpumask_weight(cpu_smt_mask(cpu)) == 2) ++ atomic_inc(&sched_smt_present); ++#endif + set_cpu_active(cpu, true); + return NOTIFY_OK; + +@@ -5645,7 +5661,15 @@ static int sched_cpu_inactive(struct notifier_block *nfb, + switch (action & ~CPU_TASKS_FROZEN) { + case CPU_DOWN_PREPARE: + set_cpu_active((long)hcpu, false); ++#ifdef CONFIG_SCHED_SMT ++ /* ++ * When going down, decrement the number of cores with SMT present. ++ */ ++ if (cpumask_weight(cpu_smt_mask((long)hcpu)) == 2) ++ atomic_dec(&sched_smt_present); ++#endif + return NOTIFY_OK; ++ + default: + return NOTIFY_DONE; + } +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index d706cf4fda99..75bfa23f97b4 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -1722,6 +1722,10 @@ static u64 numa_get_avg_runtime(struct task_struct *p, u64 *period) + if (p->last_task_numa_placement) { + delta = runtime - p->last_sum_exec_runtime; + *period = now - p->last_task_numa_placement; ++ ++ /* Avoid time going backwards, prevent potential divide error: */ ++ if (unlikely((s64)*period < 0)) ++ *period = 0; + } else { + delta = p->se.avg.load_sum / p->se.load.weight; + *period = LOAD_AVG_MAX; +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index 6893ee31df4d..8b96df04ba78 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/kernel/time/timer_stats.c b/kernel/time/timer_stats.c +index 1adecb4b87c8..7e4d715f9c22 100644 +--- a/kernel/time/timer_stats.c ++++ b/kernel/time/timer_stats.c +@@ -417,7 +417,7 @@ static int __init init_tstats_procfs(void) + { + struct proc_dir_entry *pe; + +- pe = proc_create("timer_stats", 0644, NULL, &tstats_fops); ++ pe = proc_create("timer_stats", 0600, NULL, &tstats_fops); + if (!pe) + return -ENOMEM; + return 0; +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 5e091614fe39..1cf2402c6922 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -701,7 +701,7 @@ u64 ring_buffer_time_stamp(struct ring_buffer *buffer, int cpu) + + preempt_disable_notrace(); + time = rb_time_stamp(buffer); +- preempt_enable_no_resched_notrace(); ++ preempt_enable_notrace(); + + return time; + } +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index ac9791dd4768..5139c4ebb96b 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -363,10 +363,12 @@ static int vlan_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + ifrr.ifr_ifru = ifr->ifr_ifru; + + switch (cmd) { ++ case SIOCSHWTSTAMP: ++ if (!net_eq(dev_net(dev), &init_net)) ++ break; + case SIOCGMIIPHY: + case SIOCGMIIREG: + case SIOCSMIIREG: +- case SIOCSHWTSTAMP: + case SIOCGHWTSTAMP: + if (netif_device_present(real_dev) && ops->ndo_do_ioctl) + err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd); +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 80be0ee17ff3..83d4d574fa44 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -1177,6 +1177,14 @@ int hci_conn_check_link_mode(struct hci_conn *conn) + !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) + return 0; + ++ /* The minimum encryption key size needs to be enforced by the ++ * host stack before establishing any L2CAP connections. The ++ * specification in theory allows a minimum of 1, but to align ++ * BR/EDR and LE transports, a minimum of 7 is chosen. ++ */ ++ if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE) ++ return 0; ++ + return 1; + } + +diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c +index 008ba439bd62..cc80c76177b6 100644 +--- a/net/bluetooth/hidp/sock.c ++++ b/net/bluetooth/hidp/sock.c +@@ -76,6 +76,7 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long + sockfd_put(csock); + return err; + } ++ ca.name[sizeof(ca.name)-1] = 0; + + err = hidp_connection_add(&ca, csock, isock); + if (!err && copy_to_user(argp, &ca, sizeof(ca))) +diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c +index 50e84e634dfe..c7a281549d91 100644 +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -471,13 +471,15 @@ int br_add_if(struct net_bridge *br, struct net_device *dev) + call_netdevice_notifiers(NETDEV_JOIN, dev); + + err = dev_set_allmulti(dev, 1); +- if (err) +- goto put_back; ++ if (err) { ++ kfree(p); /* kobject not yet init'd, manually free */ ++ goto err1; ++ } + + err = kobject_init_and_add(&p->kobj, &brport_ktype, &(dev->dev.kobj), + SYSFS_BRIDGE_PORT_ATTR); + if (err) +- goto err1; ++ goto err2; + + err = br_sysfs_addif(p); + if (err) +@@ -551,12 +553,9 @@ err3: + sysfs_remove_link(br->ifobj, p->dev->name); + err2: + kobject_put(&p->kobj); +- p = NULL; /* kobject_put frees */ +-err1: + dev_set_allmulti(dev, -1); +-put_back: ++err1: + dev_put(dev); +- kfree(p); + return err; + } + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 93b5525bcccf..2ae0451fd634 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -507,6 +507,7 @@ static unsigned int br_nf_pre_routing(void *priv, + nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr; + + skb->protocol = htons(ETH_P_IP); ++ skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4; + + NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb, + skb->dev, NULL, +diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c +index 69dfd212e50d..f94c83f5cc37 100644 +--- a/net/bridge/br_netfilter_ipv6.c ++++ b/net/bridge/br_netfilter_ipv6.c +@@ -237,6 +237,8 @@ unsigned int br_nf_pre_routing_ipv6(void *priv, + nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr; + + skb->protocol = htons(ETH_P_IPV6); ++ skb->transport_header = skb->network_header + sizeof(struct ipv6hdr); ++ + NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->net, state->sk, skb, + skb->dev, NULL, + br_nf_pre_routing_finish_ipv6); +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index f13402d407e4..1a87cf78fadc 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2046,7 +2046,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, + if (match_kern) + match_kern->match_size = ret; + +- if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) ++ /* rule should have no remaining data after target */ ++ if (type == EBT_COMPAT_TARGET && size_left) + return -EINVAL; + + match32 = (struct compat_ebt_entry_mwt *) buf; +diff --git a/net/core/filter.c b/net/core/filter.c +index 1a9ded6af138..3c5f51198c41 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -742,6 +742,17 @@ static bool chk_code_allowed(u16 code_to_probe) + return codes[code_to_probe]; + } + ++static bool bpf_check_basics_ok(const struct sock_filter *filter, ++ unsigned int flen) ++{ ++ if (filter == NULL) ++ return false; ++ if (flen == 0 || flen > BPF_MAXINSNS) ++ return false; ++ ++ return true; ++} ++ + /** + * bpf_check_classic - verify socket filter code + * @filter: filter to verify +@@ -762,9 +773,6 @@ static int bpf_check_classic(const struct sock_filter *filter, + bool anc_found; + int pc; + +- if (flen == 0 || flen > BPF_MAXINSNS) +- return -EINVAL; +- + /* Check the filter code now */ + for (pc = 0; pc < flen; pc++) { + const struct sock_filter *ftest = &filter[pc]; +@@ -1057,7 +1065,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) + struct bpf_prog *fp; + + /* Make sure new filter is there and in the right amounts. */ +- if (fprog->filter == NULL) ++ if (!bpf_check_basics_ok(fprog->filter, fprog->len)) + return -EINVAL; + + fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); +@@ -1104,7 +1112,7 @@ int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog, + int err; + + /* Make sure new filter is there and in the right amounts. */ +- if (fprog->filter == NULL) ++ if (!bpf_check_basics_ok(fprog->filter, fprog->len)) + return -EINVAL; + + fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); +@@ -1184,7 +1192,6 @@ int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk, + bool locked) + { + unsigned int fsize = bpf_classic_proglen(fprog); +- unsigned int bpf_fsize = bpf_prog_size(fprog->len); + struct bpf_prog *prog; + int err; + +@@ -1192,10 +1199,10 @@ int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk, + return -EPERM; + + /* Make sure new filter is there and in the right amounts. */ +- if (fprog->filter == NULL) ++ if (!bpf_check_basics_ok(fprog->filter, fprog->len)) + return -EINVAL; + +- prog = bpf_prog_alloc(bpf_fsize, 0); ++ prog = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); + if (!prog) + return -ENOMEM; + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index c11bb6d2d00a..6d5a0a7ebe10 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -475,6 +475,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from) + to->pkt_type = from->pkt_type; + to->priority = from->priority; + to->protocol = from->protocol; ++ to->skb_iif = from->skb_iif; + skb_dst_drop(to); + skb_dst_copy(to, from); + to->dev = from->dev; +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 4d3d4291c82f..e742323d69e1 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -167,6 +167,7 @@ static int icmp_filter(const struct sock *sk, const struct sk_buff *skb) + */ + static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash) + { ++ int dif = inet_iif(skb); + struct sock *sk; + struct hlist_head *head; + int delivered = 0; +@@ -179,8 +180,7 @@ static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash) + + net = dev_net(skb->dev); + sk = __raw_v4_lookup(net, __sk_head(head), iph->protocol, +- iph->saddr, iph->daddr, +- skb->dev->ifindex); ++ iph->saddr, iph->daddr, dif); + + while (sk) { + delivered = 1; +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 1d580d290054..a58effba760a 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1162,25 +1162,39 @@ static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie) + return dst; + } + +-static void ipv4_link_failure(struct sk_buff *skb) ++static void ipv4_send_dest_unreach(struct sk_buff *skb) + { + struct ip_options opt; +- struct rtable *rt; + int res; + + /* Recompile ip options since IPCB may not be valid anymore. ++ * Also check we have a reasonable ipv4 header. + */ +- memset(&opt, 0, sizeof(opt)); +- opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ if (!pskb_network_may_pull(skb, sizeof(struct iphdr)) || ++ ip_hdr(skb)->version != 4 || ip_hdr(skb)->ihl < 5) ++ return; + +- rcu_read_lock(); +- res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); +- rcu_read_unlock(); ++ memset(&opt, 0, sizeof(opt)); ++ if (ip_hdr(skb)->ihl > 5) { ++ if (!pskb_network_may_pull(skb, ip_hdr(skb)->ihl * 4)) ++ return; ++ opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr); + +- if (res) +- return; ++ rcu_read_lock(); ++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); ++ rcu_read_unlock(); + ++ if (res) ++ return; ++ } + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); ++} ++ ++static void ipv4_link_failure(struct sk_buff *skb) ++{ ++ struct rtable *rt; ++ ++ ipv4_send_dest_unreach(skb); + + rt = skb_rtable(skb); + if (rt) +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index da90c74d12ef..167ca0fddf9e 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -42,6 +42,7 @@ static int tcp_syn_retries_min = 1; + static int tcp_syn_retries_max = MAX_TCP_SYNCNT; + static int ip_ping_group_range_min[] = { 0, 0 }; + static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; ++static int one_day_secs = 24 * 3600; + + /* Update system visible IP port range */ + static void set_local_port_range(struct net *net, int range[2]) +@@ -597,7 +598,9 @@ static struct ctl_table ipv4_table[] = { + .data = &sysctl_tcp_min_rtt_wlen, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &one_day_secs + }, + { + .procname = "tcp_low_latency", +diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c +index f3a0a9c0f61e..c6061f7343f1 100644 +--- a/net/ipv6/ip6_flowlabel.c ++++ b/net/ipv6/ip6_flowlabel.c +@@ -94,15 +94,21 @@ static struct ip6_flowlabel *fl_lookup(struct net *net, __be32 label) + return fl; + } + ++static void fl_free_rcu(struct rcu_head *head) ++{ ++ struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu); ++ ++ if (fl->share == IPV6_FL_S_PROCESS) ++ put_pid(fl->owner.pid); ++ kfree(fl->opt); ++ kfree(fl); ++} ++ + + static void fl_free(struct ip6_flowlabel *fl) + { +- if (fl) { +- if (fl->share == IPV6_FL_S_PROCESS) +- put_pid(fl->owner.pid); +- kfree(fl->opt); +- kfree_rcu(fl, rcu); +- } ++ if (fl) ++ call_rcu(&fl->rcu, fl_free_rcu); + } + + static void fl_release(struct ip6_flowlabel *fl) +@@ -633,9 +639,9 @@ recheck: + if (fl1->share == IPV6_FL_S_EXCL || + fl1->share != fl->share || + ((fl1->share == IPV6_FL_S_PROCESS) && +- (fl1->owner.pid == fl->owner.pid)) || ++ (fl1->owner.pid != fl->owner.pid)) || + ((fl1->share == IPV6_FL_S_USER) && +- uid_eq(fl1->owner.uid, fl->owner.uid))) ++ !uid_eq(fl1->owner.uid, fl->owner.uid))) + goto release; + + err = -ENOMEM; +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index 8d11a034ca3f..71263754b19b 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -121,6 +121,7 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk, + static bool setsockopt_needs_rtnl(int optname) + { + switch (optname) { ++ case IPV6_ADDRFORM: + case IPV6_ADD_MEMBERSHIP: + case IPV6_DROP_MEMBERSHIP: + case IPV6_JOIN_ANYCAST: +@@ -199,7 +200,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + } + + fl6_free_socklist(sk); +- ipv6_sock_mc_close(sk); ++ __ipv6_sock_mc_close(sk); + + /* + * Sock is moving from IPv6 to IPv4 (sk_prot), so +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index a5ec9a0cbb80..976c8133a281 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -276,16 +276,14 @@ static struct inet6_dev *ip6_mc_find_dev_rcu(struct net *net, + return idev; + } + +-void ipv6_sock_mc_close(struct sock *sk) ++void __ipv6_sock_mc_close(struct sock *sk) + { + struct ipv6_pinfo *np = inet6_sk(sk); + struct ipv6_mc_socklist *mc_lst; + struct net *net = sock_net(sk); + +- if (!rcu_access_pointer(np->ipv6_mc_list)) +- return; ++ ASSERT_RTNL(); + +- rtnl_lock(); + while ((mc_lst = rtnl_dereference(np->ipv6_mc_list)) != NULL) { + struct net_device *dev; + +@@ -303,8 +301,17 @@ void ipv6_sock_mc_close(struct sock *sk) + + atomic_sub(sizeof(*mc_lst), &sk->sk_omem_alloc); + kfree_rcu(mc_lst, rcu); +- + } ++} ++ ++void ipv6_sock_mc_close(struct sock *sk) ++{ ++ struct ipv6_pinfo *np = inet6_sk(sk); ++ ++ if (!rcu_access_pointer(np->ipv6_mc_list)) ++ return; ++ rtnl_lock(); ++ __ipv6_sock_mc_close(sk); + rtnl_unlock(); + } + +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index 77736190dc15..5039486c4f86 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1076,7 +1076,7 @@ static void ipip6_tunnel_bind_dev(struct net_device *dev) + if (!tdev && tunnel->parms.link) + tdev = __dev_get_by_index(tunnel->net, tunnel->parms.link); + +- if (tdev) { ++ if (tdev && !netif_is_l3_master(tdev)) { + int t_hlen = tunnel->hlen + sizeof(struct iphdr); + + dev->hard_header_len = tdev->hard_header_len + sizeof(struct iphdr); +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index ac212542a217..c4509a10ce52 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -1484,7 +1484,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, + if (!cp) { + int v; + +- if (!sysctl_schedule_icmp(ipvs)) ++ if (ipip || !sysctl_schedule_icmp(ipvs)) + return NF_ACCEPT; + + if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph)) +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index b6e72af15237..cdafbd38a456 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1699,7 +1699,7 @@ static int __init xt_init(void) + seqcount_init(&per_cpu(xt_recseq, i)); + } + +- xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL); ++ xt = kcalloc(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL); + if (!xt) + return -ENOMEM; + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 7d93228ba1e1..c78bcc13ebab 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2490,8 +2490,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + void *ph; + DECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name); + bool need_wait = !(msg->msg_flags & MSG_DONTWAIT); ++ unsigned char *addr = NULL; + int tp_len, size_max; +- unsigned char *addr; + int len_sum = 0; + int status = TP_STATUS_AVAILABLE; + int hlen, tlen; +@@ -2511,10 +2511,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + sll_addr))) + goto out; + proto = saddr->sll_protocol; +- addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); +- if (addr && dev && saddr->sll_halen < dev->addr_len) +- goto out_put; ++ if (po->sk.sk_socket->type == SOCK_DGRAM) { ++ if (dev && msg->msg_namelen < dev->addr_len + ++ offsetof(struct sockaddr_ll, sll_addr)) ++ goto out_put; ++ addr = saddr->sll_addr; ++ } + } + + err = -ENXIO; +@@ -2652,7 +2655,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + struct sk_buff *skb; + struct net_device *dev; + __be16 proto; +- unsigned char *addr; ++ unsigned char *addr = NULL; + int err, reserve = 0; + struct sockcm_cookie sockc; + struct virtio_net_hdr vnet_hdr = { 0 }; +@@ -2672,7 +2675,6 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); + proto = po->num; +- addr = NULL; + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -2680,10 +2682,13 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr))) + goto out; + proto = saddr->sll_protocol; +- addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); +- if (addr && dev && saddr->sll_halen < dev->addr_len) +- goto out_unlock; ++ if (sock->type == SOCK_DGRAM) { ++ if (dev && msg->msg_namelen < dev->addr_len + ++ offsetof(struct sockaddr_ll, sll_addr)) ++ goto out_unlock; ++ addr = saddr->sll_addr; ++ } + } + + err = -ENXIO; +@@ -4518,14 +4523,29 @@ static void __exit packet_exit(void) + + static int __init packet_init(void) + { +- int rc = proto_register(&packet_proto, 0); ++ int rc; + +- if (rc != 0) ++ rc = proto_register(&packet_proto, 0); ++ if (rc) + goto out; ++ rc = sock_register(&packet_family_ops); ++ if (rc) ++ goto out_proto; ++ rc = register_pernet_subsys(&packet_net_ops); ++ if (rc) ++ goto out_sock; ++ rc = register_netdevice_notifier(&packet_netdev_notifier); ++ if (rc) ++ goto out_pernet; + +- sock_register(&packet_family_ops); +- register_pernet_subsys(&packet_net_ops); +- register_netdevice_notifier(&packet_netdev_notifier); ++ return 0; ++ ++out_pernet: ++ unregister_pernet_subsys(&packet_net_ops); ++out_sock: ++ sock_unregister(PF_PACKET); ++out_proto: ++ proto_unregister(&packet_proto); + out: + return rc; + } +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index af17b00145e1..a8ab98b53a3a 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -54,6 +54,7 @@ static void cache_init(struct cache_head *h, struct cache_detail *detail) + h->last_refresh = now; + } + ++static inline int cache_is_valid(struct cache_head *h); + static void cache_fresh_locked(struct cache_head *head, time_t expiry, + struct cache_detail *detail); + static void cache_fresh_unlocked(struct cache_head *head, +@@ -100,6 +101,8 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail, + if (cache_is_expired(detail, tmp)) { + hlist_del_init(&tmp->cache_list); + detail->entries --; ++ if (cache_is_valid(tmp) == -EAGAIN) ++ set_bit(CACHE_NEGATIVE, &tmp->flags); + cache_fresh_locked(tmp, 0, detail); + freeme = tmp; + break; +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c +index e9653c42cdd1..8400211537a2 100644 +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -262,8 +262,14 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd, + if (msg->rep_type) + tipc_tlv_init(msg->rep, msg->rep_type); + +- if (cmd->header) +- (*cmd->header)(msg); ++ if (cmd->header) { ++ err = (*cmd->header)(msg); ++ if (err) { ++ kfree_skb(msg->rep); ++ msg->rep = NULL; ++ return err; ++ } ++ } + + arg = nlmsg_new(0, GFP_KERNEL); + if (!arg) { +@@ -382,7 +388,12 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd, + if (!bearer) + return -EMSGSIZE; + +- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); ++ len = TLV_GET_DATA_LEN(msg->req); ++ len -= offsetof(struct tipc_bearer_config, name); ++ if (len <= 0) ++ return -EINVAL; ++ ++ len = min_t(int, len, TIPC_MAX_BEARER_NAME); + if (!string_is_valid(b->name, len)) + return -EINVAL; + +@@ -727,7 +738,12 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd, + + lc = (struct tipc_link_config *)TLV_DATA(msg->req); + +- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); ++ len = TLV_GET_DATA_LEN(msg->req); ++ len -= offsetof(struct tipc_link_config, name); ++ if (len <= 0) ++ return -EINVAL; ++ ++ len = min_t(int, len, TIPC_MAX_LINK_NAME); + if (!string_is_valid(lc->name, len)) + return -EINVAL; + +diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c +index d58de1dc5360..510049a7bd1d 100644 +--- a/scripts/kconfig/lxdialog/inputbox.c ++++ b/scripts/kconfig/lxdialog/inputbox.c +@@ -126,7 +126,8 @@ do_resize: + case KEY_DOWN: + break; + case KEY_BACKSPACE: +- case 127: ++ case 8: /* ^H */ ++ case 127: /* ^? */ + if (pos) { + wattrset(dialog, dlg.inputbox.atr); + if (input_x == 0) { +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index d42d534a66cd..f7049e288e93 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -1046,7 +1046,7 @@ static int do_match(int key, struct match_state *state, int *ans) + state->match_direction = FIND_NEXT_MATCH_UP; + *ans = get_mext_match(state->pattern, + state->match_direction); +- } else if (key == KEY_BACKSPACE || key == 127) { ++ } else if (key == KEY_BACKSPACE || key == 8 || key == 127) { + state->pattern[strlen(state->pattern)-1] = '\0'; + adj_match_dir(&state->match_direction); + } else +diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c +index 4b2f44c20caf..9a65035cf787 100644 +--- a/scripts/kconfig/nconf.gui.c ++++ b/scripts/kconfig/nconf.gui.c +@@ -439,7 +439,8 @@ int dialog_inputbox(WINDOW *main_window, + case KEY_F(F_EXIT): + case KEY_F(F_BACK): + break; +- case 127: ++ case 8: /* ^H */ ++ case 127: /* ^? */ + case KEY_BACKSPACE: + if (cursor_position > 0) { + memmove(&result[cursor_position-1], +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 99212ff6a568..ab2759d88bc6 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -396,22 +396,44 @@ static int may_context_mount_inode_relabel(u32 sid, + return rc; + } + +-static int selinux_is_sblabel_mnt(struct super_block *sb) ++static int selinux_is_genfs_special_handling(struct super_block *sb) + { +- struct superblock_security_struct *sbsec = sb->s_security; +- +- return sbsec->behavior == SECURITY_FS_USE_XATTR || +- sbsec->behavior == SECURITY_FS_USE_TRANS || +- sbsec->behavior == SECURITY_FS_USE_TASK || +- sbsec->behavior == SECURITY_FS_USE_NATIVE || +- /* Special handling. Genfs but also in-core setxattr handler */ +- !strcmp(sb->s_type->name, "sysfs") || ++ /* Special handling. Genfs but also in-core setxattr handler */ ++ return !strcmp(sb->s_type->name, "sysfs") || + !strcmp(sb->s_type->name, "pstore") || + !strcmp(sb->s_type->name, "debugfs") || + !strcmp(sb->s_type->name, "tracefs") || + !strcmp(sb->s_type->name, "rootfs"); + } + ++static int selinux_is_sblabel_mnt(struct super_block *sb) ++{ ++ struct superblock_security_struct *sbsec = sb->s_security; ++ ++ /* ++ * IMPORTANT: Double-check logic in this function when adding a new ++ * SECURITY_FS_USE_* definition! ++ */ ++ BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); ++ ++ switch (sbsec->behavior) { ++ case SECURITY_FS_USE_XATTR: ++ case SECURITY_FS_USE_TRANS: ++ case SECURITY_FS_USE_TASK: ++ case SECURITY_FS_USE_NATIVE: ++ return 1; ++ ++ case SECURITY_FS_USE_GENFS: ++ return selinux_is_genfs_special_handling(sb); ++ ++ /* Never allow relabeling on context mounts */ ++ case SECURITY_FS_USE_MNTPOINT: ++ case SECURITY_FS_USE_NONE: ++ default: ++ return 0; ++ } ++} ++ + static int sb_finish_set_opts(struct super_block *sb) + { + struct superblock_security_struct *sbsec = sb->s_security; +diff --git a/sound/soc/codecs/cs4270.c b/sound/soc/codecs/cs4270.c +index 3670086b9227..f273533c6653 100644 +--- a/sound/soc/codecs/cs4270.c ++++ b/sound/soc/codecs/cs4270.c +@@ -641,6 +641,7 @@ static const struct regmap_config cs4270_regmap = { + .reg_defaults = cs4270_reg_defaults, + .num_reg_defaults = ARRAY_SIZE(cs4270_reg_defaults), + .cache_type = REGCACHE_RBTREE, ++ .write_flag_mask = CS4270_I2C_INCR, + + .readable_reg = cs4270_reg_is_readable, + .volatile_reg = cs4270_reg_is_volatile, +diff --git a/sound/soc/codecs/tlv320aic32x4.c b/sound/soc/codecs/tlv320aic32x4.c +index f2d3191961e1..714bd0e3fc71 100644 +--- a/sound/soc/codecs/tlv320aic32x4.c ++++ b/sound/soc/codecs/tlv320aic32x4.c +@@ -234,6 +234,8 @@ static const struct snd_soc_dapm_widget aic32x4_dapm_widgets[] = { + SND_SOC_DAPM_INPUT("IN2_R"), + SND_SOC_DAPM_INPUT("IN3_L"), + SND_SOC_DAPM_INPUT("IN3_R"), ++ SND_SOC_DAPM_INPUT("CM_L"), ++ SND_SOC_DAPM_INPUT("CM_R"), + }; + + static const struct snd_soc_dapm_route aic32x4_dapm_routes[] = { +diff --git a/sound/soc/intel/common/sst-dsp.c b/sound/soc/intel/common/sst-dsp.c +index c9452e02e0dd..c0a50ecb6dbd 100644 +--- a/sound/soc/intel/common/sst-dsp.c ++++ b/sound/soc/intel/common/sst-dsp.c +@@ -463,11 +463,15 @@ struct sst_dsp *sst_dsp_new(struct device *dev, + goto irq_err; + + err = sst_dma_new(sst); +- if (err) +- dev_warn(dev, "sst_dma_new failed %d\n", err); ++ if (err) { ++ dev_err(dev, "sst_dma_new failed %d\n", err); ++ goto dma_err; ++ } + + return sst; + ++dma_err: ++ free_irq(sst->irq, sst); + irq_err: + if (sst->ops->free) + sst->ops->free(sst); +diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c +index f99eb8f44282..1c0d44c86c01 100644 +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ -882,10 +882,13 @@ static int soc_pcm_hw_params(struct snd_pcm_substream *substream, + codec_params = *params; + + /* fixup params based on TDM slot masks */ +- if (codec_dai->tx_mask) ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK && ++ codec_dai->tx_mask) + soc_pcm_codec_params_fixup(&codec_params, + codec_dai->tx_mask); +- if (codec_dai->rx_mask) ++ ++ if (substream->stream == SNDRV_PCM_STREAM_CAPTURE && ++ codec_dai->rx_mask) + soc_pcm_codec_params_fixup(&codec_params, + codec_dai->rx_mask); + +diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c +index be78078a10ba..954dc4423cb0 100644 +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -307,12 +307,16 @@ int line6_read_data(struct usb_line6 *line6, unsigned address, void *data, + { + struct usb_device *usbdev = line6->usbdev; + int ret; +- unsigned char len; ++ unsigned char *len; + unsigned count; + + if (address > 0xffff || datalen > 0xff) + return -EINVAL; + ++ len = kmalloc(sizeof(*len), GFP_KERNEL); ++ if (!len) ++ return -ENOMEM; ++ + /* query the serial number: */ + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +@@ -321,7 +325,7 @@ int line6_read_data(struct usb_line6 *line6, unsigned address, void *data, + + if (ret < 0) { + dev_err(line6->ifcdev, "read request failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + + /* Wait for data length. We'll get 0xff until length arrives. */ +@@ -331,28 +335,29 @@ int line6_read_data(struct usb_line6 *line6, unsigned address, void *data, + ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | + USB_DIR_IN, +- 0x0012, 0x0000, &len, 1, ++ 0x0012, 0x0000, len, 1, + LINE6_TIMEOUT * HZ); + if (ret < 0) { + dev_err(line6->ifcdev, + "receive length failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + +- if (len != 0xff) ++ if (*len != 0xff) + break; + } + +- if (len == 0xff) { ++ ret = -EIO; ++ if (*len == 0xff) { + dev_err(line6->ifcdev, "read failed after %d retries\n", + count); +- return -EIO; +- } else if (len != datalen) { ++ goto exit; ++ } else if (*len != datalen) { + /* should be equal or something went wrong */ + dev_err(line6->ifcdev, + "length mismatch (expected %d, got %d)\n", +- (int)datalen, (int)len); +- return -EIO; ++ (int)datalen, (int)*len); ++ goto exit; + } + + /* receive the result: */ +@@ -361,12 +366,12 @@ int line6_read_data(struct usb_line6 *line6, unsigned address, void *data, + 0x0013, 0x0000, data, datalen, + LINE6_TIMEOUT * HZ); + +- if (ret < 0) { ++ if (ret < 0) + dev_err(line6->ifcdev, "read failed (error %d)\n", ret); +- return ret; +- } + +- return 0; ++exit: ++ kfree(len); ++ return ret; + } + EXPORT_SYMBOL_GPL(line6_read_data); + +@@ -378,12 +383,16 @@ int line6_write_data(struct usb_line6 *line6, unsigned address, void *data, + { + struct usb_device *usbdev = line6->usbdev; + int ret; +- unsigned char status; ++ unsigned char *status; + int count; + + if (address > 0xffff || datalen > 0xffff) + return -EINVAL; + ++ status = kmalloc(sizeof(*status), GFP_KERNEL); ++ if (!status) ++ return -ENOMEM; ++ + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, + 0x0022, address, data, datalen, +@@ -392,7 +401,7 @@ int line6_write_data(struct usb_line6 *line6, unsigned address, void *data, + if (ret < 0) { + dev_err(line6->ifcdev, + "write request failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + + for (count = 0; count < LINE6_READ_WRITE_MAX_RETRIES; count++) { +@@ -403,28 +412,29 @@ int line6_write_data(struct usb_line6 *line6, unsigned address, void *data, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | + USB_DIR_IN, + 0x0012, 0x0000, +- &status, 1, LINE6_TIMEOUT * HZ); ++ status, 1, LINE6_TIMEOUT * HZ); + + if (ret < 0) { + dev_err(line6->ifcdev, + "receiving status failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + +- if (status != 0xff) ++ if (*status != 0xff) + break; + } + +- if (status == 0xff) { ++ if (*status == 0xff) { + dev_err(line6->ifcdev, "write failed after %d retries\n", + count); +- return -EIO; +- } else if (status != 0) { ++ ret = -EIO; ++ } else if (*status != 0) { + dev_err(line6->ifcdev, "write failed (error %d)\n", ret); +- return -EIO; ++ ret = -EIO; + } +- +- return 0; ++exit: ++ kfree(status); ++ return ret; + } + EXPORT_SYMBOL_GPL(line6_write_data); + +diff --git a/sound/usb/line6/toneport.c b/sound/usb/line6/toneport.c +index 6d4c50c9b17d..5512b3d532e7 100644 +--- a/sound/usb/line6/toneport.c ++++ b/sound/usb/line6/toneport.c +@@ -365,15 +365,20 @@ static bool toneport_has_source_select(struct usb_line6_toneport *toneport) + /* + Setup Toneport device. + */ +-static void toneport_setup(struct usb_line6_toneport *toneport) ++static int toneport_setup(struct usb_line6_toneport *toneport) + { +- int ticks; ++ int *ticks; + struct usb_line6 *line6 = &toneport->line6; + struct usb_device *usbdev = line6->usbdev; + ++ ticks = kmalloc(sizeof(*ticks), GFP_KERNEL); ++ if (!ticks) ++ return -ENOMEM; ++ + /* sync time on device with host: */ +- ticks = (int)get_seconds(); +- line6_write_data(line6, 0x80c6, &ticks, 4); ++ *ticks = (int)get_seconds(); ++ line6_write_data(line6, 0x80c6, ticks, 4); ++ kfree(ticks); + + /* enable device: */ + toneport_send_cmd(usbdev, 0x0301, 0x0000); +@@ -388,6 +393,7 @@ static void toneport_setup(struct usb_line6_toneport *toneport) + toneport_update_led(toneport); + + mod_timer(&toneport->timer, jiffies + TONEPORT_PCM_DELAY * HZ); ++ return 0; + } + + /* +@@ -451,7 +457,9 @@ static int toneport_init(struct usb_line6 *line6, + return err; + } + +- toneport_setup(toneport); ++ err = toneport_setup(toneport); ++ if (err) ++ return err; + + /* register audio system: */ + return snd_card_register(line6->card); +@@ -463,7 +471,11 @@ static int toneport_init(struct usb_line6 *line6, + */ + static int toneport_reset_resume(struct usb_interface *interface) + { +- toneport_setup(usb_get_intfdata(interface)); ++ int err; ++ ++ err = toneport_setup(usb_get_intfdata(interface)); ++ if (err) ++ return err; + return line6_resume(interface); + } + #endif +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c +index 743746a3c50d..df3c73e9dea4 100644 +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -2201,7 +2201,7 @@ eval_type_str(unsigned long long val, const char *type, int pointer) + return val & 0xffffffff; + + if (strcmp(type, "u64") == 0 || +- strcmp(type, "s64")) ++ strcmp(type, "s64") == 0) + return val; + + if (strcmp(type, "s8") == 0) +diff --git a/tools/power/x86/turbostat/Makefile b/tools/power/x86/turbostat/Makefile +index e367b1a85d70..3c04e2a85599 100644 +--- a/tools/power/x86/turbostat/Makefile ++++ b/tools/power/x86/turbostat/Makefile +@@ -8,7 +8,7 @@ ifeq ("$(origin O)", "command line") + endif + + turbostat : turbostat.c +-CFLAGS += -Wall ++CFLAGS += -Wall -I../../../include + CFLAGS += -DMSRHEADER='"../../../../arch/x86/include/asm/msr-index.h"' + + %: %.c +diff --git a/tools/testing/selftests/net/run_netsocktests b/tools/testing/selftests/net/run_netsocktests +index 16058bbea7a8..c195b4478662 100755 +--- a/tools/testing/selftests/net/run_netsocktests ++++ b/tools/testing/selftests/net/run_netsocktests +@@ -6,7 +6,7 @@ echo "--------------------" + ./socket + if [ $? -ne 0 ]; then + echo "[FAIL]" ++ exit 1 + else + echo "[PASS]" + fi +-