Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-alx/patches-4.9/0202-4.9.103-all-fixes.patch

    Contents of /trunk/kernel-alx/patches-4.9/0202-4.9.103-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 3179 - (show annotations) (download)
    Wed Aug 8 14:17:32 2018 UTC (5 years, 8 months ago) by niro
    File size: 111844 byte(s) 
    -linux-4.9.103
    1 diff --git a/Makefile b/Makefile
    2 index d84c39c290f7..6090f655fb32 100644
    3 --- a/Makefile
    4 +++ b/Makefile
    5 @@ -1,6 +1,6 @@
    6 VERSION = 4
    7 PATCHLEVEL = 9
    8 -SUBLEVEL = 102
    9 +SUBLEVEL = 103
    10 EXTRAVERSION =
    11 NAME = Roaring Lionus
    12
    13 diff --git a/arch/s390/crypto/crc32be-vx.S b/arch/s390/crypto/crc32be-vx.S
    14 index 8013989cd2e5..096affb74446 100644
    15 --- a/arch/s390/crypto/crc32be-vx.S
    16 +++ b/arch/s390/crypto/crc32be-vx.S
    17 @@ -12,6 +12,7 @@
    18 */
    19
    20 #include <linux/linkage.h>
    21 +#include <asm/nospec-insn.h>
    22 #include <asm/vx-insn.h>
    23
    24 /* Vector register range containing CRC-32 constants */
    25 @@ -66,6 +67,8 @@
    26
    27 .previous
    28
    29 + GEN_BR_THUNK %r14
    30 +
    31 .text
    32 /*
    33 * The CRC-32 function(s) use these calling conventions:
    34 @@ -202,6 +205,6 @@ ENTRY(crc32_be_vgfm_16)
    35
    36 .Ldone:
    37 VLGVF %r2,%v2,3
    38 - br %r14
    39 + BR_EX %r14
    40
    41 .previous
    42 diff --git a/arch/s390/crypto/crc32le-vx.S b/arch/s390/crypto/crc32le-vx.S
    43 index 17f2504c2633..8dc98c1d7cb1 100644
    44 --- a/arch/s390/crypto/crc32le-vx.S
    45 +++ b/arch/s390/crypto/crc32le-vx.S
    46 @@ -13,6 +13,7 @@
    47 */
    48
    49 #include <linux/linkage.h>
    50 +#include <asm/nospec-insn.h>
    51 #include <asm/vx-insn.h>
    52
    53 /* Vector register range containing CRC-32 constants */
    54 @@ -75,6 +76,7 @@
    55
    56 .previous
    57
    58 + GEN_BR_THUNK %r14
    59
    60 .text
    61
    62 @@ -263,6 +265,6 @@ crc32_le_vgfm_generic:
    63
    64 .Ldone:
    65 VLGVF %r2,%v2,2
    66 - br %r14
    67 + BR_EX %r14
    68
    69 .previous
    70 diff --git a/arch/s390/include/asm/alternative-asm.h b/arch/s390/include/asm/alternative-asm.h
    71 new file mode 100644
    72 index 000000000000..955d620db23e
    73 --- /dev/null
    74 +++ b/arch/s390/include/asm/alternative-asm.h
    75 @@ -0,0 +1,108 @@
    76 +/* SPDX-License-Identifier: GPL-2.0 */
    77 +#ifndef _ASM_S390_ALTERNATIVE_ASM_H
    78 +#define _ASM_S390_ALTERNATIVE_ASM_H
    79 +
    80 +#ifdef __ASSEMBLY__
    81 +
    82 +/*
    83 + * Check the length of an instruction sequence. The length may not be larger
    84 + * than 254 bytes and it has to be divisible by 2.
    85 + */
    86 +.macro alt_len_check start,end
    87 + .if ( \end - \start ) > 254
    88 + .error "cpu alternatives does not support instructions blocks > 254 bytes\n"
    89 + .endif
    90 + .if ( \end - \start ) % 2
    91 + .error "cpu alternatives instructions length is odd\n"
    92 + .endif
    93 +.endm
    94 +
    95 +/*
    96 + * Issue one struct alt_instr descriptor entry (need to put it into
    97 + * the section .altinstructions, see below). This entry contains
    98 + * enough information for the alternatives patching code to patch an
    99 + * instruction. See apply_alternatives().
    100 + */
    101 +.macro alt_entry orig_start, orig_end, alt_start, alt_end, feature
    102 + .long \orig_start - .
    103 + .long \alt_start - .
    104 + .word \feature
    105 + .byte \orig_end - \orig_start
    106 + .byte \alt_end - \alt_start
    107 +.endm
    108 +
    109 +/*
    110 + * Fill up @bytes with nops. The macro emits 6-byte nop instructions
    111 + * for the bulk of the area, possibly followed by a 4-byte and/or
    112 + * a 2-byte nop if the size of the area is not divisible by 6.
    113 + */
    114 +.macro alt_pad_fill bytes
    115 + .fill ( \bytes ) / 6, 6, 0xc0040000
    116 + .fill ( \bytes ) % 6 / 4, 4, 0x47000000
    117 + .fill ( \bytes ) % 6 % 4 / 2, 2, 0x0700
    118 +.endm
    119 +
    120 +/*
    121 + * Fill up @bytes with nops. If the number of bytes is larger
    122 + * than 6, emit a jg instruction to branch over all nops, then
    123 + * fill an area of size (@bytes - 6) with nop instructions.
    124 + */
    125 +.macro alt_pad bytes
    126 + .if ( \bytes > 0 )
    127 + .if ( \bytes > 6 )
    128 + jg . + \bytes
    129 + alt_pad_fill \bytes - 6
    130 + .else
    131 + alt_pad_fill \bytes
    132 + .endif
    133 + .endif
    134 +.endm
    135 +
    136 +/*
    137 + * Define an alternative between two instructions. If @feature is
    138 + * present, early code in apply_alternatives() replaces @oldinstr with
    139 + * @newinstr. ".skip" directive takes care of proper instruction padding
    140 + * in case @newinstr is longer than @oldinstr.
    141 + */
    142 +.macro ALTERNATIVE oldinstr, newinstr, feature
    143 + .pushsection .altinstr_replacement,"ax"
    144 +770: \newinstr
    145 +771: .popsection
    146 +772: \oldinstr
    147 +773: alt_len_check 770b, 771b
    148 + alt_len_check 772b, 773b
    149 + alt_pad ( ( 771b - 770b ) - ( 773b - 772b ) )
    150 +774: .pushsection .altinstructions,"a"
    151 + alt_entry 772b, 774b, 770b, 771b, \feature
    152 + .popsection
    153 +.endm
    154 +
    155 +/*
    156 + * Define an alternative between two instructions. If @feature is
    157 + * present, early code in apply_alternatives() replaces @oldinstr with
    158 + * @newinstr. ".skip" directive takes care of proper instruction padding
    159 + * in case @newinstr is longer than @oldinstr.
    160 + */
    161 +.macro ALTERNATIVE_2 oldinstr, newinstr1, feature1, newinstr2, feature2
    162 + .pushsection .altinstr_replacement,"ax"
    163 +770: \newinstr1
    164 +771: \newinstr2
    165 +772: .popsection
    166 +773: \oldinstr
    167 +774: alt_len_check 770b, 771b
    168 + alt_len_check 771b, 772b
    169 + alt_len_check 773b, 774b
    170 + .if ( 771b - 770b > 772b - 771b )
    171 + alt_pad ( ( 771b - 770b ) - ( 774b - 773b ) )
    172 + .else
    173 + alt_pad ( ( 772b - 771b ) - ( 774b - 773b ) )
    174 + .endif
    175 +775: .pushsection .altinstructions,"a"
    176 + alt_entry 773b, 775b, 770b, 771b,\feature1
    177 + alt_entry 773b, 775b, 771b, 772b,\feature2
    178 + .popsection
    179 +.endm
    180 +
    181 +#endif /* __ASSEMBLY__ */
    182 +
    183 +#endif /* _ASM_S390_ALTERNATIVE_ASM_H */
    184 diff --git a/arch/s390/include/asm/nospec-insn.h b/arch/s390/include/asm/nospec-insn.h
    185 new file mode 100644
    186 index 000000000000..9a56e738d645
    187 --- /dev/null
    188 +++ b/arch/s390/include/asm/nospec-insn.h
    189 @@ -0,0 +1,195 @@
    190 +/* SPDX-License-Identifier: GPL-2.0 */
    191 +#ifndef _ASM_S390_NOSPEC_ASM_H
    192 +#define _ASM_S390_NOSPEC_ASM_H
    193 +
    194 +#include <asm/alternative-asm.h>
    195 +#include <asm/asm-offsets.h>
    196 +
    197 +#ifdef __ASSEMBLY__
    198 +
    199 +#ifdef CONFIG_EXPOLINE
    200 +
    201 +_LC_BR_R1 = __LC_BR_R1
    202 +
    203 +/*
    204 + * The expoline macros are used to create thunks in the same format
    205 + * as gcc generates them. The 'comdat' section flag makes sure that
    206 + * the various thunks are merged into a single copy.
    207 + */
    208 + .macro __THUNK_PROLOG_NAME name
    209 + .pushsection .text.\name,"axG",@progbits,\name,comdat
    210 + .globl \name
    211 + .hidden \name
    212 + .type \name,@function
    213 +\name:
    214 + .cfi_startproc
    215 + .endm
    216 +
    217 + .macro __THUNK_EPILOG
    218 + .cfi_endproc
    219 + .popsection
    220 + .endm
    221 +
    222 + .macro __THUNK_PROLOG_BR r1,r2
    223 + __THUNK_PROLOG_NAME __s390x_indirect_jump_r\r2\()use_r\r1
    224 + .endm
    225 +
    226 + .macro __THUNK_PROLOG_BC d0,r1,r2
    227 + __THUNK_PROLOG_NAME __s390x_indirect_branch_\d0\()_\r2\()use_\r1
    228 + .endm
    229 +
    230 + .macro __THUNK_BR r1,r2
    231 + jg __s390x_indirect_jump_r\r2\()use_r\r1
    232 + .endm
    233 +
    234 + .macro __THUNK_BC d0,r1,r2
    235 + jg __s390x_indirect_branch_\d0\()_\r2\()use_\r1
    236 + .endm
    237 +
    238 + .macro __THUNK_BRASL r1,r2,r3
    239 + brasl \r1,__s390x_indirect_jump_r\r3\()use_r\r2
    240 + .endm
    241 +
    242 + .macro __DECODE_RR expand,reg,ruse
    243 + .set __decode_fail,1
    244 + .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
    245 + .ifc \reg,%r\r1
    246 + .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
    247 + .ifc \ruse,%r\r2
    248 + \expand \r1,\r2
    249 + .set __decode_fail,0
    250 + .endif
    251 + .endr
    252 + .endif
    253 + .endr
    254 + .if __decode_fail == 1
    255 + .error "__DECODE_RR failed"
    256 + .endif
    257 + .endm
    258 +
    259 + .macro __DECODE_RRR expand,rsave,rtarget,ruse
    260 + .set __decode_fail,1
    261 + .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
    262 + .ifc \rsave,%r\r1
    263 + .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
    264 + .ifc \rtarget,%r\r2
    265 + .irp r3,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
    266 + .ifc \ruse,%r\r3
    267 + \expand \r1,\r2,\r3
    268 + .set __decode_fail,0
    269 + .endif
    270 + .endr
    271 + .endif
    272 + .endr
    273 + .endif
    274 + .endr
    275 + .if __decode_fail == 1
    276 + .error "__DECODE_RRR failed"
    277 + .endif
    278 + .endm
    279 +
    280 + .macro __DECODE_DRR expand,disp,reg,ruse
    281 + .set __decode_fail,1
    282 + .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
    283 + .ifc \reg,%r\r1
    284 + .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
    285 + .ifc \ruse,%r\r2
    286 + \expand \disp,\r1,\r2
    287 + .set __decode_fail,0
    288 + .endif
    289 + .endr
    290 + .endif
    291 + .endr
    292 + .if __decode_fail == 1
    293 + .error "__DECODE_DRR failed"
    294 + .endif
    295 + .endm
    296 +
    297 + .macro __THUNK_EX_BR reg,ruse
    298 + # Be very careful when adding instructions to this macro!
    299 + # The ALTERNATIVE replacement code has a .+10 which targets
    300 + # the "br \reg" after the code has been patched.
    301 +#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES
    302 + exrl 0,555f
    303 + j .
    304 +#else
    305 + .ifc \reg,%r1
    306 + ALTERNATIVE "ex %r0,_LC_BR_R1", ".insn ril,0xc60000000000,0,.+10", 35
    307 + j .
    308 + .else
    309 + larl \ruse,555f
    310 + ex 0,0(\ruse)
    311 + j .
    312 + .endif
    313 +#endif
    314 +555: br \reg
    315 + .endm
    316 +
    317 + .macro __THUNK_EX_BC disp,reg,ruse
    318 +#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES
    319 + exrl 0,556f
    320 + j .
    321 +#else
    322 + larl \ruse,556f
    323 + ex 0,0(\ruse)
    324 + j .
    325 +#endif
    326 +556: b \disp(\reg)
    327 + .endm
    328 +
    329 + .macro GEN_BR_THUNK reg,ruse=%r1
    330 + __DECODE_RR __THUNK_PROLOG_BR,\reg,\ruse
    331 + __THUNK_EX_BR \reg,\ruse
    332 + __THUNK_EPILOG
    333 + .endm
    334 +
    335 + .macro GEN_B_THUNK disp,reg,ruse=%r1
    336 + __DECODE_DRR __THUNK_PROLOG_BC,\disp,\reg,\ruse
    337 + __THUNK_EX_BC \disp,\reg,\ruse
    338 + __THUNK_EPILOG
    339 + .endm
    340 +
    341 + .macro BR_EX reg,ruse=%r1
    342 +557: __DECODE_RR __THUNK_BR,\reg,\ruse
    343 + .pushsection .s390_indirect_branches,"a",@progbits
    344 + .long 557b-.
    345 + .popsection
    346 + .endm
    347 +
    348 + .macro B_EX disp,reg,ruse=%r1
    349 +558: __DECODE_DRR __THUNK_BC,\disp,\reg,\ruse
    350 + .pushsection .s390_indirect_branches,"a",@progbits
    351 + .long 558b-.
    352 + .popsection
    353 + .endm
    354 +
    355 + .macro BASR_EX rsave,rtarget,ruse=%r1
    356 +559: __DECODE_RRR __THUNK_BRASL,\rsave,\rtarget,\ruse
    357 + .pushsection .s390_indirect_branches,"a",@progbits
    358 + .long 559b-.
    359 + .popsection
    360 + .endm
    361 +
    362 +#else
    363 + .macro GEN_BR_THUNK reg,ruse=%r1
    364 + .endm
    365 +
    366 + .macro GEN_B_THUNK disp,reg,ruse=%r1
    367 + .endm
    368 +
    369 + .macro BR_EX reg,ruse=%r1
    370 + br \reg
    371 + .endm
    372 +
    373 + .macro B_EX disp,reg,ruse=%r1
    374 + b \disp(\reg)
    375 + .endm
    376 +
    377 + .macro BASR_EX rsave,rtarget,ruse=%r1
    378 + basr \rsave,\rtarget
    379 + .endm
    380 +#endif
    381 +
    382 +#endif /* __ASSEMBLY__ */
    383 +
    384 +#endif /* _ASM_S390_NOSPEC_ASM_H */
    385 diff --git a/arch/s390/kernel/Makefile b/arch/s390/kernel/Makefile
    386 index 0501cac2ab95..5b139977a3a4 100644
    387 --- a/arch/s390/kernel/Makefile
    388 +++ b/arch/s390/kernel/Makefile
    389 @@ -63,6 +63,7 @@ obj-y += nospec-branch.o
    390
    391 extra-y += head.o head64.o vmlinux.lds
    392
    393 +obj-$(CONFIG_SYSFS) += nospec-sysfs.o
    394 CFLAGS_REMOVE_nospec-branch.o += $(CC_FLAGS_EXPOLINE)
    395
    396 obj-$(CONFIG_MODULES) += module.o
    397 diff --git a/arch/s390/kernel/asm-offsets.c b/arch/s390/kernel/asm-offsets.c
    398 index f3df9e0a5dec..85c8ead29582 100644
    399 --- a/arch/s390/kernel/asm-offsets.c
    400 +++ b/arch/s390/kernel/asm-offsets.c
    401 @@ -175,6 +175,7 @@ int main(void)
    402 OFFSET(__LC_MACHINE_FLAGS, lowcore, machine_flags);
    403 OFFSET(__LC_GMAP, lowcore, gmap);
    404 OFFSET(__LC_PASTE, lowcore, paste);
    405 + OFFSET(__LC_BR_R1, lowcore, br_r1_trampoline);
    406 /* software defined ABI-relevant lowcore locations 0xe00 - 0xe20 */
    407 OFFSET(__LC_DUMP_REIPL, lowcore, ipib);
    408 /* hardware defined lowcore locations 0x1000 - 0x18ff */
    409 diff --git a/arch/s390/kernel/base.S b/arch/s390/kernel/base.S
    410 index 326f717df587..61fca549a93b 100644
    411 --- a/arch/s390/kernel/base.S
    412 +++ b/arch/s390/kernel/base.S
    413 @@ -8,18 +8,22 @@
    414
    415 #include <linux/linkage.h>
    416 #include <asm/asm-offsets.h>
    417 +#include <asm/nospec-insn.h>
    418 #include <asm/ptrace.h>
    419 #include <asm/sigp.h>
    420
    421 + GEN_BR_THUNK %r9
    422 + GEN_BR_THUNK %r14
    423 +
    424 ENTRY(s390_base_mcck_handler)
    425 basr %r13,0
    426 0: lg %r15,__LC_PANIC_STACK # load panic stack
    427 aghi %r15,-STACK_FRAME_OVERHEAD
    428 larl %r1,s390_base_mcck_handler_fn
    429 - lg %r1,0(%r1)
    430 - ltgr %r1,%r1
    431 + lg %r9,0(%r1)
    432 + ltgr %r9,%r9
    433 jz 1f
    434 - basr %r14,%r1
    435 + BASR_EX %r14,%r9
    436 1: la %r1,4095
    437 lmg %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1)
    438 lpswe __LC_MCK_OLD_PSW
    439 @@ -36,10 +40,10 @@ ENTRY(s390_base_ext_handler)
    440 basr %r13,0
    441 0: aghi %r15,-STACK_FRAME_OVERHEAD
    442 larl %r1,s390_base_ext_handler_fn
    443 - lg %r1,0(%r1)
    444 - ltgr %r1,%r1
    445 + lg %r9,0(%r1)
    446 + ltgr %r9,%r9
    447 jz 1f
    448 - basr %r14,%r1
    449 + BASR_EX %r14,%r9
    450 1: lmg %r0,%r15,__LC_SAVE_AREA_ASYNC
    451 ni __LC_EXT_OLD_PSW+1,0xfd # clear wait state bit
    452 lpswe __LC_EXT_OLD_PSW
    453 @@ -56,10 +60,10 @@ ENTRY(s390_base_pgm_handler)
    454 basr %r13,0
    455 0: aghi %r15,-STACK_FRAME_OVERHEAD
    456 larl %r1,s390_base_pgm_handler_fn
    457 - lg %r1,0(%r1)
    458 - ltgr %r1,%r1
    459 + lg %r9,0(%r1)
    460 + ltgr %r9,%r9
    461 jz 1f
    462 - basr %r14,%r1
    463 + BASR_EX %r14,%r9
    464 lmg %r0,%r15,__LC_SAVE_AREA_SYNC
    465 lpswe __LC_PGM_OLD_PSW
    466 1: lpswe disabled_wait_psw-0b(%r13)
    467 @@ -116,7 +120,7 @@ ENTRY(diag308_reset)
    468 larl %r4,.Lcontinue_psw # Restore PSW flags
    469 lpswe 0(%r4)
    470 .Lcontinue:
    471 - br %r14
    472 + BR_EX %r14
    473 .align 16
    474 .Lrestart_psw:
    475 .long 0x00080000,0x80000000 + .Lrestart_part2
    476 diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S
    477 index 1996afeb2e81..a4fd00064c80 100644
    478 --- a/arch/s390/kernel/entry.S
    479 +++ b/arch/s390/kernel/entry.S
    480 @@ -24,6 +24,7 @@
    481 #include <asm/setup.h>
    482 #include <asm/nmi.h>
    483 #include <asm/export.h>
    484 +#include <asm/nospec-insn.h>
    485
    486 __PT_R0 = __PT_GPRS
    487 __PT_R1 = __PT_GPRS + 8
    488 @@ -226,67 +227,9 @@ _PIF_WORK = (_PIF_PER_TRAP)
    489 .popsection
    490 .endm
    491
    492 -#ifdef CONFIG_EXPOLINE
    493 -
    494 - .macro GEN_BR_THUNK name,reg,tmp
    495 - .section .text.\name,"axG",@progbits,\name,comdat
    496 - .globl \name
    497 - .hidden \name
    498 - .type \name,@function
    499 -\name:
    500 - .cfi_startproc
    501 -#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES
    502 - exrl 0,0f
    503 -#else
    504 - larl \tmp,0f
    505 - ex 0,0(\tmp)
    506 -#endif
    507 - j .
    508 -0: br \reg
    509 - .cfi_endproc
    510 - .endm
    511 -
    512 - GEN_BR_THUNK __s390x_indirect_jump_r1use_r9,%r9,%r1
    513 - GEN_BR_THUNK __s390x_indirect_jump_r1use_r14,%r14,%r1
    514 - GEN_BR_THUNK __s390x_indirect_jump_r11use_r14,%r14,%r11
    515 -
    516 - .macro BASR_R14_R9
    517 -0: brasl %r14,__s390x_indirect_jump_r1use_r9
    518 - .pushsection .s390_indirect_branches,"a",@progbits
    519 - .long 0b-.
    520 - .popsection
    521 - .endm
    522 -
    523 - .macro BR_R1USE_R14
    524 -0: jg __s390x_indirect_jump_r1use_r14
    525 - .pushsection .s390_indirect_branches,"a",@progbits
    526 - .long 0b-.
    527 - .popsection
    528 - .endm
    529 -
    530 - .macro BR_R11USE_R14
    531 -0: jg __s390x_indirect_jump_r11use_r14
    532 - .pushsection .s390_indirect_branches,"a",@progbits
    533 - .long 0b-.
    534 - .popsection
    535 - .endm
    536 -
    537 -#else /* CONFIG_EXPOLINE */
    538 -
    539 - .macro BASR_R14_R9
    540 - basr %r14,%r9
    541 - .endm
    542 -
    543 - .macro BR_R1USE_R14
    544 - br %r14
    545 - .endm
    546 -
    547 - .macro BR_R11USE_R14
    548 - br %r14
    549 - .endm
    550 -
    551 -#endif /* CONFIG_EXPOLINE */
    552 -
    553 + GEN_BR_THUNK %r9
    554 + GEN_BR_THUNK %r14
    555 + GEN_BR_THUNK %r14,%r11
    556
    557 .section .kprobes.text, "ax"
    558 .Ldummy:
    559 @@ -303,7 +246,7 @@ _PIF_WORK = (_PIF_PER_TRAP)
    560 ENTRY(__bpon)
    561 .globl __bpon
    562 BPON
    563 - BR_R1USE_R14
    564 + BR_EX %r14
    565
    566 /*
    567 * Scheduler resume function, called by switch_to
    568 @@ -333,7 +276,7 @@ ENTRY(__switch_to)
    569 TSTMSK __LC_MACHINE_FLAGS,MACHINE_FLAG_LPP
    570 jz 0f
    571 .insn s,0xb2800000,__LC_LPP # set program parameter
    572 -0: BR_R1USE_R14
    573 +0: BR_EX %r14
    574
    575 .L__critical_start:
    576
    577 @@ -399,7 +342,7 @@ sie_exit:
    578 xgr %r5,%r5
    579 lmg %r6,%r14,__SF_GPRS(%r15) # restore kernel registers
    580 lg %r2,__SF_EMPTY+16(%r15) # return exit reason code
    581 - BR_R1USE_R14
    582 + BR_EX %r14
    583 .Lsie_fault:
    584 lghi %r14,-EFAULT
    585 stg %r14,__SF_EMPTY+16(%r15) # set exit reason code
    586 @@ -458,7 +401,7 @@ ENTRY(system_call)
    587 lgf %r9,0(%r8,%r10) # get system call add.
    588 TSTMSK __TI_flags(%r12),_TIF_TRACE
    589 jnz .Lsysc_tracesys
    590 - BASR_R14_R9 # call sys_xxxx
    591 + BASR_EX %r14,%r9 # call sys_xxxx
    592 stg %r2,__PT_R2(%r11) # store return value
    593
    594 .Lsysc_return:
    595 @@ -598,7 +541,7 @@ ENTRY(system_call)
    596 lmg %r3,%r7,__PT_R3(%r11)
    597 stg %r7,STACK_FRAME_OVERHEAD(%r15)
    598 lg %r2,__PT_ORIG_GPR2(%r11)
    599 - BASR_R14_R9 # call sys_xxx
    600 + BASR_EX %r14,%r9 # call sys_xxx
    601 stg %r2,__PT_R2(%r11) # store return value
    602 .Lsysc_tracenogo:
    603 TSTMSK __TI_flags(%r12),_TIF_TRACE
    604 @@ -622,7 +565,7 @@ ENTRY(ret_from_fork)
    605 lmg %r9,%r10,__PT_R9(%r11) # load gprs
    606 ENTRY(kernel_thread_starter)
    607 la %r2,0(%r10)
    608 - BASR_R14_R9
    609 + BASR_EX %r14,%r9
    610 j .Lsysc_tracenogo
    611
    612 /*
    613 @@ -698,7 +641,7 @@ ENTRY(pgm_check_handler)
    614 je .Lpgm_return
    615 lgf %r9,0(%r10,%r1) # load address of handler routine
    616 lgr %r2,%r11 # pass pointer to pt_regs
    617 - BASR_R14_R9 # branch to interrupt-handler
    618 + BASR_EX %r14,%r9 # branch to interrupt-handler
    619 .Lpgm_return:
    620 LOCKDEP_SYS_EXIT
    621 tm __PT_PSW+1(%r11),0x01 # returning to user ?
    622 @@ -976,7 +919,7 @@ ENTRY(psw_idle)
    623 stpt __TIMER_IDLE_ENTER(%r2)
    624 .Lpsw_idle_lpsw:
    625 lpswe __SF_EMPTY(%r15)
    626 - BR_R1USE_R14
    627 + BR_EX %r14
    628 .Lpsw_idle_end:
    629
    630 /*
    631 @@ -1021,7 +964,7 @@ ENTRY(save_fpu_regs)
    632 .Lsave_fpu_regs_done:
    633 oi __LC_CPU_FLAGS+7,_CIF_FPU
    634 .Lsave_fpu_regs_exit:
    635 - BR_R1USE_R14
    636 + BR_EX %r14
    637 .Lsave_fpu_regs_end:
    638 #if IS_ENABLED(CONFIG_KVM)
    639 EXPORT_SYMBOL(save_fpu_regs)
    640 @@ -1071,7 +1014,7 @@ load_fpu_regs:
    641 .Lload_fpu_regs_done:
    642 ni __LC_CPU_FLAGS+7,255-_CIF_FPU
    643 .Lload_fpu_regs_exit:
    644 - BR_R1USE_R14
    645 + BR_EX %r14
    646 .Lload_fpu_regs_end:
    647
    648 .L__critical_end:
    649 @@ -1244,7 +1187,7 @@ cleanup_critical:
    650 jl 0f
    651 clg %r9,BASED(.Lcleanup_table+104) # .Lload_fpu_regs_end
    652 jl .Lcleanup_load_fpu_regs
    653 -0: BR_R11USE_R14
    654 +0: BR_EX %r14
    655
    656 .align 8
    657 .Lcleanup_table:
    658 @@ -1274,7 +1217,7 @@ cleanup_critical:
    659 ni __SIE_PROG0C+3(%r9),0xfe # no longer in SIE
    660 lctlg %c1,%c1,__LC_USER_ASCE # load primary asce
    661 larl %r9,sie_exit # skip forward to sie_exit
    662 - BR_R11USE_R14
    663 + BR_EX %r14
    664 #endif
    665
    666 .Lcleanup_system_call:
    667 @@ -1332,7 +1275,7 @@ cleanup_critical:
    668 stg %r15,56(%r11) # r15 stack pointer
    669 # set new psw address and exit
    670 larl %r9,.Lsysc_do_svc
    671 - BR_R11USE_R14
    672 + BR_EX %r14,%r11
    673 .Lcleanup_system_call_insn:
    674 .quad system_call
    675 .quad .Lsysc_stmg
    676 @@ -1342,7 +1285,7 @@ cleanup_critical:
    677
    678 .Lcleanup_sysc_tif:
    679 larl %r9,.Lsysc_tif
    680 - BR_R11USE_R14
    681 + BR_EX %r14,%r11
    682
    683 .Lcleanup_sysc_restore:
    684 # check if stpt has been executed
    685 @@ -1359,14 +1302,14 @@ cleanup_critical:
    686 mvc 0(64,%r11),__PT_R8(%r9)
    687 lmg %r0,%r7,__PT_R0(%r9)
    688 1: lmg %r8,%r9,__LC_RETURN_PSW
    689 - BR_R11USE_R14
    690 + BR_EX %r14,%r11
    691 .Lcleanup_sysc_restore_insn:
    692 .quad .Lsysc_exit_timer
    693 .quad .Lsysc_done - 4
    694
    695 .Lcleanup_io_tif:
    696 larl %r9,.Lio_tif
    697 - BR_R11USE_R14
    698 + BR_EX %r14,%r11
    699
    700 .Lcleanup_io_restore:
    701 # check if stpt has been executed
    702 @@ -1380,7 +1323,7 @@ cleanup_critical:
    703 mvc 0(64,%r11),__PT_R8(%r9)
    704 lmg %r0,%r7,__PT_R0(%r9)
    705 1: lmg %r8,%r9,__LC_RETURN_PSW
    706 - BR_R11USE_R14
    707 + BR_EX %r14,%r11
    708 .Lcleanup_io_restore_insn:
    709 .quad .Lio_exit_timer
    710 .quad .Lio_done - 4
    711 @@ -1433,17 +1376,17 @@ cleanup_critical:
    712 # prepare return psw
    713 nihh %r8,0xfcfd # clear irq & wait state bits
    714 lg %r9,48(%r11) # return from psw_idle
    715 - BR_R11USE_R14
    716 + BR_EX %r14,%r11
    717 .Lcleanup_idle_insn:
    718 .quad .Lpsw_idle_lpsw
    719
    720 .Lcleanup_save_fpu_regs:
    721 larl %r9,save_fpu_regs
    722 - BR_R11USE_R14
    723 + BR_EX %r14,%r11
    724
    725 .Lcleanup_load_fpu_regs:
    726 larl %r9,load_fpu_regs
    727 - BR_R11USE_R14
    728 + BR_EX %r14,%r11
    729
    730 /*
    731 * Integer constants
    732 diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S
    733 index 9a17e4475d27..be75e8e49e43 100644
    734 --- a/arch/s390/kernel/mcount.S
    735 +++ b/arch/s390/kernel/mcount.S
    736 @@ -8,13 +8,17 @@
    737 #include <linux/linkage.h>
    738 #include <asm/asm-offsets.h>
    739 #include <asm/ftrace.h>
    740 +#include <asm/nospec-insn.h>
    741 #include <asm/ptrace.h>
    742 #include <asm/export.h>
    743
    744 + GEN_BR_THUNK %r1
    745 + GEN_BR_THUNK %r14
    746 +
    747 .section .kprobes.text, "ax"
    748
    749 ENTRY(ftrace_stub)
    750 - br %r14
    751 + BR_EX %r14
    752
    753 #define STACK_FRAME_SIZE (STACK_FRAME_OVERHEAD + __PT_SIZE)
    754 #define STACK_PTREGS (STACK_FRAME_OVERHEAD)
    755 @@ -22,7 +26,7 @@ ENTRY(ftrace_stub)
    756 #define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW)
    757
    758 ENTRY(_mcount)
    759 - br %r14
    760 + BR_EX %r14
    761
    762 EXPORT_SYMBOL(_mcount)
    763
    764 @@ -52,7 +56,7 @@ ENTRY(ftrace_caller)
    765 #endif
    766 lgr %r3,%r14
    767 la %r5,STACK_PTREGS(%r15)
    768 - basr %r14,%r1
    769 + BASR_EX %r14,%r1
    770 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
    771 # The j instruction gets runtime patched to a nop instruction.
    772 # See ftrace_enable_ftrace_graph_caller.
    773 @@ -67,7 +71,7 @@ ftrace_graph_caller_end:
    774 #endif
    775 lg %r1,(STACK_PTREGS_PSW+8)(%r15)
    776 lmg %r2,%r15,(STACK_PTREGS_GPRS+2*8)(%r15)
    777 - br %r1
    778 + BR_EX %r1
    779
    780 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
    781
    782 @@ -80,6 +84,6 @@ ENTRY(return_to_handler)
    783 aghi %r15,STACK_FRAME_OVERHEAD
    784 lgr %r14,%r2
    785 lmg %r2,%r5,32(%r15)
    786 - br %r14
    787 + BR_EX %r14
    788
    789 #endif
    790 diff --git a/arch/s390/kernel/nospec-branch.c b/arch/s390/kernel/nospec-branch.c
    791 index 9f3b5b382743..d5eed651b5ab 100644
    792 --- a/arch/s390/kernel/nospec-branch.c
    793 +++ b/arch/s390/kernel/nospec-branch.c
    794 @@ -44,24 +44,6 @@ static int __init nospec_report(void)
    795 }
    796 arch_initcall(nospec_report);
    797
    798 -#ifdef CONFIG_SYSFS
    799 -ssize_t cpu_show_spectre_v1(struct device *dev,
    800 - struct device_attribute *attr, char *buf)
    801 -{
    802 - return sprintf(buf, "Mitigation: __user pointer sanitization\n");
    803 -}
    804 -
    805 -ssize_t cpu_show_spectre_v2(struct device *dev,
    806 - struct device_attribute *attr, char *buf)
    807 -{
    808 - if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable)
    809 - return sprintf(buf, "Mitigation: execute trampolines\n");
    810 - if (__test_facility(82, S390_lowcore.alt_stfle_fac_list))
    811 - return sprintf(buf, "Mitigation: limited branch prediction.\n");
    812 - return sprintf(buf, "Vulnerable\n");
    813 -}
    814 -#endif
    815 -
    816 #ifdef CONFIG_EXPOLINE
    817
    818 int nospec_disable = IS_ENABLED(CONFIG_EXPOLINE_OFF);
    819 @@ -112,7 +94,6 @@ static void __init_or_module __nospec_revert(s32 *start, s32 *end)
    820 s32 *epo;
    821
    822 /* Second part of the instruction replace is always a nop */
    823 - memcpy(insnbuf + 2, (char[]) { 0x47, 0x00, 0x00, 0x00 }, 4);
    824 for (epo = start; epo < end; epo++) {
    825 instr = (u8 *) epo + *epo;
    826 if (instr[0] == 0xc0 && (instr[1] & 0x0f) == 0x04)
    827 @@ -133,18 +114,34 @@ static void __init_or_module __nospec_revert(s32 *start, s32 *end)
    828 br = thunk + (*(int *)(thunk + 2)) * 2;
    829 else
    830 continue;
    831 - if (br[0] != 0x07 || (br[1] & 0xf0) != 0xf0)
    832 + /* Check for unconditional branch 0x07f? or 0x47f???? */
    833 + if ((br[0] & 0xbf) != 0x07 || (br[1] & 0xf0) != 0xf0)
    834 continue;
    835 +
    836 + memcpy(insnbuf + 2, (char[]) { 0x47, 0x00, 0x07, 0x00 }, 4);
    837 switch (type) {
    838 case BRCL_EXPOLINE:
    839 - /* brcl to thunk, replace with br + nop */
    840 insnbuf[0] = br[0];
    841 insnbuf[1] = (instr[1] & 0xf0) | (br[1] & 0x0f);
    842 + if (br[0] == 0x47) {
    843 + /* brcl to b, replace with bc + nopr */
    844 + insnbuf[2] = br[2];
    845 + insnbuf[3] = br[3];
    846 + } else {
    847 + /* brcl to br, replace with bcr + nop */
    848 + }
    849 break;
    850 case BRASL_EXPOLINE:
    851 - /* brasl to thunk, replace with basr + nop */
    852 - insnbuf[0] = 0x0d;
    853 insnbuf[1] = (instr[1] & 0xf0) | (br[1] & 0x0f);
    854 + if (br[0] == 0x47) {
    855 + /* brasl to b, replace with bas + nopr */
    856 + insnbuf[0] = 0x4d;
    857 + insnbuf[2] = br[2];
    858 + insnbuf[3] = br[3];
    859 + } else {
    860 + /* brasl to br, replace with basr + nop */
    861 + insnbuf[0] = 0x0d;
    862 + }
    863 break;
    864 }
    865
    866 diff --git a/arch/s390/kernel/nospec-sysfs.c b/arch/s390/kernel/nospec-sysfs.c
    867 new file mode 100644
    868 index 000000000000..8affad5f18cb
    869 --- /dev/null
    870 +++ b/arch/s390/kernel/nospec-sysfs.c
    871 @@ -0,0 +1,21 @@
    872 +// SPDX-License-Identifier: GPL-2.0
    873 +#include <linux/device.h>
    874 +#include <linux/cpu.h>
    875 +#include <asm/facility.h>
    876 +#include <asm/nospec-branch.h>
    877 +
    878 +ssize_t cpu_show_spectre_v1(struct device *dev,
    879 + struct device_attribute *attr, char *buf)
    880 +{
    881 + return sprintf(buf, "Mitigation: __user pointer sanitization\n");
    882 +}
    883 +
    884 +ssize_t cpu_show_spectre_v2(struct device *dev,
    885 + struct device_attribute *attr, char *buf)
    886 +{
    887 + if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable)
    888 + return sprintf(buf, "Mitigation: execute trampolines\n");
    889 + if (__test_facility(82, S390_lowcore.alt_stfle_fac_list))
    890 + return sprintf(buf, "Mitigation: limited branch prediction\n");
    891 + return sprintf(buf, "Vulnerable\n");
    892 +}
    893 diff --git a/arch/s390/kernel/reipl.S b/arch/s390/kernel/reipl.S
    894 index 89ea8c213d82..70d635da782c 100644
    895 --- a/arch/s390/kernel/reipl.S
    896 +++ b/arch/s390/kernel/reipl.S
    897 @@ -6,8 +6,11 @@
    898
    899 #include <linux/linkage.h>
    900 #include <asm/asm-offsets.h>
    901 +#include <asm/nospec-insn.h>
    902 #include <asm/sigp.h>
    903
    904 + GEN_BR_THUNK %r9
    905 +
    906 #
    907 # Issue "store status" for the current CPU to its prefix page
    908 # and call passed function afterwards
    909 @@ -66,9 +69,9 @@ ENTRY(store_status)
    910 st %r4,0(%r1)
    911 st %r5,4(%r1)
    912 stg %r2,8(%r1)
    913 - lgr %r1,%r2
    914 + lgr %r9,%r2
    915 lgr %r2,%r3
    916 - br %r1
    917 + BR_EX %r9
    918
    919 .section .bss
    920 .align 8
    921 diff --git a/arch/s390/kernel/swsusp.S b/arch/s390/kernel/swsusp.S
    922 index 2d6b6e81f812..4e76aaf7bb38 100644
    923 --- a/arch/s390/kernel/swsusp.S
    924 +++ b/arch/s390/kernel/swsusp.S
    925 @@ -12,6 +12,7 @@
    926 #include <asm/ptrace.h>
    927 #include <asm/thread_info.h>
    928 #include <asm/asm-offsets.h>
    929 +#include <asm/nospec-insn.h>
    930 #include <asm/sigp.h>
    931
    932 /*
    933 @@ -23,6 +24,8 @@
    934 * (see below) in the resume process.
    935 * This function runs with disabled interrupts.
    936 */
    937 + GEN_BR_THUNK %r14
    938 +
    939 .section .text
    940 ENTRY(swsusp_arch_suspend)
    941 stmg %r6,%r15,__SF_GPRS(%r15)
    942 @@ -102,7 +105,7 @@ ENTRY(swsusp_arch_suspend)
    943 spx 0x318(%r1)
    944 lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15)
    945 lghi %r2,0
    946 - br %r14
    947 + BR_EX %r14
    948
    949 /*
    950 * Restore saved memory image to correct place and restore register context.
    951 @@ -200,7 +203,7 @@ pgm_check_entry:
    952 lghi %r1,0
    953 sam31
    954 sigp %r1,%r0,SIGP_SET_ARCHITECTURE
    955 - basr %r14,%r3
    956 + brasl %r14,_sclp_print_early
    957 larl %r3,.Ldisabled_wait_31
    958 lpsw 0(%r3)
    959 4:
    960 @@ -266,7 +269,7 @@ restore_registers:
    961 /* Return 0 */
    962 lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15)
    963 lghi %r2,0
    964 - br %r14
    965 + BR_EX %r14
    966
    967 .section .data..nosave,"aw",@progbits
    968 .align 8
    969 diff --git a/arch/s390/lib/mem.S b/arch/s390/lib/mem.S
    970 index be9fa65bfac4..e7672edc284a 100644
    971 --- a/arch/s390/lib/mem.S
    972 +++ b/arch/s390/lib/mem.S
    973 @@ -6,6 +6,9 @@
    974
    975 #include <linux/linkage.h>
    976 #include <asm/export.h>
    977 +#include <asm/nospec-insn.h>
    978 +
    979 + GEN_BR_THUNK %r14
    980
    981 /*
    982 * memset implementation
    983 @@ -39,7 +42,7 @@ ENTRY(memset)
    984 .Lmemset_clear_rest:
    985 larl %r3,.Lmemset_xc
    986 ex %r4,0(%r3)
    987 - br %r14
    988 + BR_EX %r14
    989 .Lmemset_fill:
    990 stc %r3,0(%r2)
    991 cghi %r4,1
    992 @@ -56,7 +59,7 @@ ENTRY(memset)
    993 .Lmemset_fill_rest:
    994 larl %r3,.Lmemset_mvc
    995 ex %r4,0(%r3)
    996 - br %r14
    997 + BR_EX %r14
    998 .Lmemset_xc:
    999 xc 0(1,%r1),0(%r1)
    1000 .Lmemset_mvc:
    1001 @@ -79,7 +82,7 @@ ENTRY(memcpy)
    1002 .Lmemcpy_rest:
    1003 larl %r5,.Lmemcpy_mvc
    1004 ex %r4,0(%r5)
    1005 - br %r14
    1006 + BR_EX %r14
    1007 .Lmemcpy_loop:
    1008 mvc 0(256,%r1),0(%r3)
    1009 la %r1,256(%r1)
    1010 diff --git a/arch/s390/net/bpf_jit.S b/arch/s390/net/bpf_jit.S
    1011 index a1c917d881ec..fa716f2a95a7 100644
    1012 --- a/arch/s390/net/bpf_jit.S
    1013 +++ b/arch/s390/net/bpf_jit.S
    1014 @@ -8,6 +8,7 @@
    1015 */
    1016
    1017 #include <linux/linkage.h>
    1018 +#include <asm/nospec-insn.h>
    1019 #include "bpf_jit.h"
    1020
    1021 /*
    1022 @@ -53,7 +54,7 @@ ENTRY(sk_load_##NAME##_pos); \
    1023 clg %r3,STK_OFF_HLEN(%r15); /* Offset + SIZE > hlen? */ \
    1024 jh sk_load_##NAME##_slow; \
    1025 LOAD %r14,-SIZE(%r3,%r12); /* Get data from skb */ \
    1026 - b OFF_OK(%r6); /* Return */ \
    1027 + B_EX OFF_OK,%r6; /* Return */ \
    1028 \
    1029 sk_load_##NAME##_slow:; \
    1030 lgr %r2,%r7; /* Arg1 = skb pointer */ \
    1031 @@ -63,11 +64,14 @@ sk_load_##NAME##_slow:; \
    1032 brasl %r14,skb_copy_bits; /* Get data from skb */ \
    1033 LOAD %r14,STK_OFF_TMP(%r15); /* Load from temp bufffer */ \
    1034 ltgr %r2,%r2; /* Set cc to (%r2 != 0) */ \
    1035 - br %r6; /* Return */
    1036 + BR_EX %r6; /* Return */
    1037
    1038 sk_load_common(word, 4, llgf) /* r14 = *(u32 *) (skb->data+offset) */
    1039 sk_load_common(half, 2, llgh) /* r14 = *(u16 *) (skb->data+offset) */
    1040
    1041 + GEN_BR_THUNK %r6
    1042 + GEN_B_THUNK OFF_OK,%r6
    1043 +
    1044 /*
    1045 * Load 1 byte from SKB (optimized version)
    1046 */
    1047 @@ -79,7 +83,7 @@ ENTRY(sk_load_byte_pos)
    1048 clg %r3,STK_OFF_HLEN(%r15) # Offset >= hlen?
    1049 jnl sk_load_byte_slow
    1050 llgc %r14,0(%r3,%r12) # Get byte from skb
    1051 - b OFF_OK(%r6) # Return OK
    1052 + B_EX OFF_OK,%r6 # Return OK
    1053
    1054 sk_load_byte_slow:
    1055 lgr %r2,%r7 # Arg1 = skb pointer
    1056 @@ -89,7 +93,7 @@ sk_load_byte_slow:
    1057 brasl %r14,skb_copy_bits # Get data from skb
    1058 llgc %r14,STK_OFF_TMP(%r15) # Load result from temp buffer
    1059 ltgr %r2,%r2 # Set cc to (%r2 != 0)
    1060 - br %r6 # Return cc
    1061 + BR_EX %r6 # Return cc
    1062
    1063 #define sk_negative_common(NAME, SIZE, LOAD) \
    1064 sk_load_##NAME##_slow_neg:; \
    1065 @@ -103,7 +107,7 @@ sk_load_##NAME##_slow_neg:; \
    1066 jz bpf_error; \
    1067 LOAD %r14,0(%r2); /* Get data from pointer */ \
    1068 xr %r3,%r3; /* Set cc to zero */ \
    1069 - br %r6; /* Return cc */
    1070 + BR_EX %r6; /* Return cc */
    1071
    1072 sk_negative_common(word, 4, llgf)
    1073 sk_negative_common(half, 2, llgh)
    1074 @@ -112,4 +116,4 @@ sk_negative_common(byte, 1, llgc)
    1075 bpf_error:
    1076 # force a return 0 from jit handler
    1077 ltgr %r15,%r15 # Set condition code
    1078 - br %r6
    1079 + BR_EX %r6
    1080 diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
    1081 index e8dee623d545..e7ce2577f0c9 100644
    1082 --- a/arch/s390/net/bpf_jit_comp.c
    1083 +++ b/arch/s390/net/bpf_jit_comp.c
    1084 @@ -24,6 +24,8 @@
    1085 #include <linux/bpf.h>
    1086 #include <asm/cacheflush.h>
    1087 #include <asm/dis.h>
    1088 +#include <asm/facility.h>
    1089 +#include <asm/nospec-branch.h>
    1090 #include "bpf_jit.h"
    1091
    1092 int bpf_jit_enable __read_mostly;
    1093 @@ -41,6 +43,8 @@ struct bpf_jit {
    1094 int base_ip; /* Base address for literal pool */
    1095 int ret0_ip; /* Address of return 0 */
    1096 int exit_ip; /* Address of exit */
    1097 + int r1_thunk_ip; /* Address of expoline thunk for 'br %r1' */
    1098 + int r14_thunk_ip; /* Address of expoline thunk for 'br %r14' */
    1099 int tail_call_start; /* Tail call start offset */
    1100 int labels[1]; /* Labels for local jumps */
    1101 };
    1102 @@ -251,6 +255,19 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1)
    1103 REG_SET_SEEN(b2); \
    1104 })
    1105
    1106 +#define EMIT6_PCREL_RILB(op, b, target) \
    1107 +({ \
    1108 + int rel = (target - jit->prg) / 2; \
    1109 + _EMIT6(op | reg_high(b) << 16 | rel >> 16, rel & 0xffff); \
    1110 + REG_SET_SEEN(b); \
    1111 +})
    1112 +
    1113 +#define EMIT6_PCREL_RIL(op, target) \
    1114 +({ \
    1115 + int rel = (target - jit->prg) / 2; \
    1116 + _EMIT6(op | rel >> 16, rel & 0xffff); \
    1117 +})
    1118 +
    1119 #define _EMIT6_IMM(op, imm) \
    1120 ({ \
    1121 unsigned int __imm = (imm); \
    1122 @@ -470,8 +487,45 @@ static void bpf_jit_epilogue(struct bpf_jit *jit)
    1123 EMIT4(0xb9040000, REG_2, BPF_REG_0);
    1124 /* Restore registers */
    1125 save_restore_regs(jit, REGS_RESTORE);
    1126 + if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) {
    1127 + jit->r14_thunk_ip = jit->prg;
    1128 + /* Generate __s390_indirect_jump_r14 thunk */
    1129 + if (test_facility(35)) {
    1130 + /* exrl %r0,.+10 */
    1131 + EMIT6_PCREL_RIL(0xc6000000, jit->prg + 10);
    1132 + } else {
    1133 + /* larl %r1,.+14 */
    1134 + EMIT6_PCREL_RILB(0xc0000000, REG_1, jit->prg + 14);
    1135 + /* ex 0,0(%r1) */
    1136 + EMIT4_DISP(0x44000000, REG_0, REG_1, 0);
    1137 + }
    1138 + /* j . */
    1139 + EMIT4_PCREL(0xa7f40000, 0);
    1140 + }
    1141 /* br %r14 */
    1142 _EMIT2(0x07fe);
    1143 +
    1144 + if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable &&
    1145 + (jit->seen & SEEN_FUNC)) {
    1146 + jit->r1_thunk_ip = jit->prg;
    1147 + /* Generate __s390_indirect_jump_r1 thunk */
    1148 + if (test_facility(35)) {
    1149 + /* exrl %r0,.+10 */
    1150 + EMIT6_PCREL_RIL(0xc6000000, jit->prg + 10);
    1151 + /* j . */
    1152 + EMIT4_PCREL(0xa7f40000, 0);
    1153 + /* br %r1 */
    1154 + _EMIT2(0x07f1);
    1155 + } else {
    1156 + /* larl %r1,.+14 */
    1157 + EMIT6_PCREL_RILB(0xc0000000, REG_1, jit->prg + 14);
    1158 + /* ex 0,S390_lowcore.br_r1_tampoline */
    1159 + EMIT4_DISP(0x44000000, REG_0, REG_0,
    1160 + offsetof(struct lowcore, br_r1_trampoline));
    1161 + /* j . */
    1162 + EMIT4_PCREL(0xa7f40000, 0);
    1163 + }
    1164 + }
    1165 }
    1166
    1167 /*
    1168 @@ -977,8 +1031,13 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i
    1169 /* lg %w1,<d(imm)>(%l) */
    1170 EMIT6_DISP_LH(0xe3000000, 0x0004, REG_W1, REG_0, REG_L,
    1171 EMIT_CONST_U64(func));
    1172 - /* basr %r14,%w1 */
    1173 - EMIT2(0x0d00, REG_14, REG_W1);
    1174 + if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) {
    1175 + /* brasl %r14,__s390_indirect_jump_r1 */
    1176 + EMIT6_PCREL_RILB(0xc0050000, REG_14, jit->r1_thunk_ip);
    1177 + } else {
    1178 + /* basr %r14,%w1 */
    1179 + EMIT2(0x0d00, REG_14, REG_W1);
    1180 + }
    1181 /* lgr %b0,%r2: load return value into %b0 */
    1182 EMIT4(0xb9040000, BPF_REG_0, REG_2);
    1183 if (bpf_helper_changes_skb_data((void *)func)) {
    1184 diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c
    1185 index 469b23d6acc2..fd7e9937ddd6 100644
    1186 --- a/arch/x86/kernel/machine_kexec_32.c
    1187 +++ b/arch/x86/kernel/machine_kexec_32.c
    1188 @@ -71,12 +71,17 @@ static void load_segments(void)
    1189 static void machine_kexec_free_page_tables(struct kimage *image)
    1190 {
    1191 free_page((unsigned long)image->arch.pgd);
    1192 + image->arch.pgd = NULL;
    1193 #ifdef CONFIG_X86_PAE
    1194 free_page((unsigned long)image->arch.pmd0);
    1195 + image->arch.pmd0 = NULL;
    1196 free_page((unsigned long)image->arch.pmd1);
    1197 + image->arch.pmd1 = NULL;
    1198 #endif
    1199 free_page((unsigned long)image->arch.pte0);
    1200 + image->arch.pte0 = NULL;
    1201 free_page((unsigned long)image->arch.pte1);
    1202 + image->arch.pte1 = NULL;
    1203 }
    1204
    1205 static int machine_kexec_alloc_page_tables(struct kimage *image)
    1206 @@ -93,7 +98,6 @@ static int machine_kexec_alloc_page_tables(struct kimage *image)
    1207 !image->arch.pmd0 || !image->arch.pmd1 ||
    1208 #endif
    1209 !image->arch.pte0 || !image->arch.pte1) {
    1210 - machine_kexec_free_page_tables(image);
    1211 return -ENOMEM;
    1212 }
    1213 return 0;
    1214 diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c
    1215 index a5784a14f8d1..eae59cad0b07 100644
    1216 --- a/arch/x86/kernel/machine_kexec_64.c
    1217 +++ b/arch/x86/kernel/machine_kexec_64.c
    1218 @@ -37,8 +37,11 @@ static struct kexec_file_ops *kexec_file_loaders[] = {
    1219 static void free_transition_pgtable(struct kimage *image)
    1220 {
    1221 free_page((unsigned long)image->arch.pud);
    1222 + image->arch.pud = NULL;
    1223 free_page((unsigned long)image->arch.pmd);
    1224 + image->arch.pmd = NULL;
    1225 free_page((unsigned long)image->arch.pte);
    1226 + image->arch.pte = NULL;
    1227 }
    1228
    1229 static int init_transition_pgtable(struct kimage *image, pgd_t *pgd)
    1230 @@ -79,7 +82,6 @@ static int init_transition_pgtable(struct kimage *image, pgd_t *pgd)
    1231 set_pte(pte, pfn_pte(paddr >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
    1232 return 0;
    1233 err:
    1234 - free_transition_pgtable(image);
    1235 return result;
    1236 }
    1237
    1238 diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
    1239 index 3257647d4f74..bff67c5a5fe7 100644
    1240 --- a/drivers/bluetooth/btusb.c
    1241 +++ b/drivers/bluetooth/btusb.c
    1242 @@ -345,6 +345,9 @@ static const struct usb_device_id blacklist_table[] = {
    1243 { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK },
    1244 { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK },
    1245
    1246 + /* Additional Realtek 8723BU Bluetooth devices */
    1247 + { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK },
    1248 +
    1249 /* Additional Realtek 8821AE Bluetooth devices */
    1250 { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
    1251 { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK },
    1252 @@ -352,6 +355,9 @@ static const struct usb_device_id blacklist_table[] = {
    1253 { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK },
    1254 { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
    1255
    1256 + /* Additional Realtek 8822BE Bluetooth devices */
    1257 + { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK },
    1258 +
    1259 /* Silicon Wave based devices */
    1260 { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
    1261
    1262 diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
    1263 index 0cdb8550729d..c745dad7f85e 100644
    1264 --- a/drivers/clk/clk.c
    1265 +++ b/drivers/clk/clk.c
    1266 @@ -1929,6 +1929,9 @@ static int clk_core_get_phase(struct clk_core *core)
    1267 int ret;
    1268
    1269 clk_prepare_lock();
    1270 + /* Always try to update cached phase if possible */
    1271 + if (core->ops->get_phase)
    1272 + core->phase = core->ops->get_phase(core->hw);
    1273 ret = core->phase;
    1274 clk_prepare_unlock();
    1275
    1276 diff --git a/drivers/clk/rockchip/clk-mmc-phase.c b/drivers/clk/rockchip/clk-mmc-phase.c
    1277 index 077fcdc7908b..fe7d9ed1d436 100644
    1278 --- a/drivers/clk/rockchip/clk-mmc-phase.c
    1279 +++ b/drivers/clk/rockchip/clk-mmc-phase.c
    1280 @@ -58,6 +58,12 @@ static int rockchip_mmc_get_phase(struct clk_hw *hw)
    1281 u16 degrees;
    1282 u32 delay_num = 0;
    1283
    1284 + /* See the comment for rockchip_mmc_set_phase below */
    1285 + if (!rate) {
    1286 + pr_err("%s: invalid clk rate\n", __func__);
    1287 + return -EINVAL;
    1288 + }
    1289 +
    1290 raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift);
    1291
    1292 degrees = (raw_value & ROCKCHIP_MMC_DEGREE_MASK) * 90;
    1293 @@ -84,6 +90,23 @@ static int rockchip_mmc_set_phase(struct clk_hw *hw, int degrees)
    1294 u32 raw_value;
    1295 u32 delay;
    1296
    1297 + /*
    1298 + * The below calculation is based on the output clock from
    1299 + * MMC host to the card, which expects the phase clock inherits
    1300 + * the clock rate from its parent, namely the output clock
    1301 + * provider of MMC host. However, things may go wrong if
    1302 + * (1) It is orphan.
    1303 + * (2) It is assigned to the wrong parent.
    1304 + *
    1305 + * This check help debug the case (1), which seems to be the
    1306 + * most likely problem we often face and which makes it difficult
    1307 + * for people to debug unstable mmc tuning results.
    1308 + */
    1309 + if (!rate) {
    1310 + pr_err("%s: invalid clk rate\n", __func__);
    1311 + return -EINVAL;
    1312 + }
    1313 +
    1314 nineties = degrees / 90;
    1315 remainder = (degrees % 90);
    1316
    1317 diff --git a/drivers/clk/rockchip/clk-rk3228.c b/drivers/clk/rockchip/clk-rk3228.c
    1318 index db6e5a9e6de6..53f16efbb8f4 100644
    1319 --- a/drivers/clk/rockchip/clk-rk3228.c
    1320 +++ b/drivers/clk/rockchip/clk-rk3228.c
    1321 @@ -369,7 +369,7 @@ static struct rockchip_clk_branch rk3228_clk_branches[] __initdata = {
    1322 RK2928_CLKSEL_CON(23), 5, 2, MFLAGS, 0, 6, DFLAGS,
    1323 RK2928_CLKGATE_CON(2), 15, GFLAGS),
    1324
    1325 - COMPOSITE(SCLK_SDMMC, "sclk_sdmmc0", mux_mmc_src_p, 0,
    1326 + COMPOSITE(SCLK_SDMMC, "sclk_sdmmc", mux_mmc_src_p, 0,
    1327 RK2928_CLKSEL_CON(11), 8, 2, MFLAGS, 0, 8, DFLAGS,
    1328 RK2928_CLKGATE_CON(2), 11, GFLAGS),
    1329
    1330 diff --git a/drivers/clk/samsung/clk-exynos3250.c b/drivers/clk/samsung/clk-exynos3250.c
    1331 index 1b81e283f605..ed36728424a2 100644
    1332 --- a/drivers/clk/samsung/clk-exynos3250.c
    1333 +++ b/drivers/clk/samsung/clk-exynos3250.c
    1334 @@ -698,7 +698,7 @@ static const struct samsung_pll_rate_table exynos3250_epll_rates[] __initconst =
    1335 PLL_36XX_RATE(144000000, 96, 2, 3, 0),
    1336 PLL_36XX_RATE( 96000000, 128, 2, 4, 0),
    1337 PLL_36XX_RATE( 84000000, 112, 2, 4, 0),
    1338 - PLL_36XX_RATE( 80000004, 106, 2, 4, 43691),
    1339 + PLL_36XX_RATE( 80000003, 106, 2, 4, 43691),
    1340 PLL_36XX_RATE( 73728000, 98, 2, 4, 19923),
    1341 PLL_36XX_RATE( 67737598, 270, 3, 5, 62285),
    1342 PLL_36XX_RATE( 65535999, 174, 2, 5, 49982),
    1343 @@ -734,7 +734,7 @@ static const struct samsung_pll_rate_table exynos3250_vpll_rates[] __initconst =
    1344 PLL_36XX_RATE(148352005, 98, 2, 3, 59070),
    1345 PLL_36XX_RATE(108000000, 144, 2, 4, 0),
    1346 PLL_36XX_RATE( 74250000, 99, 2, 4, 0),
    1347 - PLL_36XX_RATE( 74176002, 98, 3, 4, 59070),
    1348 + PLL_36XX_RATE( 74176002, 98, 2, 4, 59070),
    1349 PLL_36XX_RATE( 54054000, 216, 3, 5, 14156),
    1350 PLL_36XX_RATE( 54000000, 144, 2, 5, 0),
    1351 { /* sentinel */ }
    1352 diff --git a/drivers/clk/samsung/clk-exynos5250.c b/drivers/clk/samsung/clk-exynos5250.c
    1353 index 27a227d6620c..6a0cb8a515e8 100644
    1354 --- a/drivers/clk/samsung/clk-exynos5250.c
    1355 +++ b/drivers/clk/samsung/clk-exynos5250.c
    1356 @@ -711,13 +711,13 @@ static const struct samsung_pll_rate_table epll_24mhz_tbl[] __initconst = {
    1357 /* sorted in descending order */
    1358 /* PLL_36XX_RATE(rate, m, p, s, k) */
    1359 PLL_36XX_RATE(192000000, 64, 2, 2, 0),
    1360 - PLL_36XX_RATE(180633600, 90, 3, 2, 20762),
    1361 + PLL_36XX_RATE(180633605, 90, 3, 2, 20762),
    1362 PLL_36XX_RATE(180000000, 90, 3, 2, 0),
    1363 PLL_36XX_RATE(73728000, 98, 2, 4, 19923),
    1364 - PLL_36XX_RATE(67737600, 90, 2, 4, 20762),
    1365 + PLL_36XX_RATE(67737602, 90, 2, 4, 20762),
    1366 PLL_36XX_RATE(49152000, 98, 3, 4, 19923),
    1367 - PLL_36XX_RATE(45158400, 90, 3, 4, 20762),
    1368 - PLL_36XX_RATE(32768000, 131, 3, 5, 4719),
    1369 + PLL_36XX_RATE(45158401, 90, 3, 4, 20762),
    1370 + PLL_36XX_RATE(32768001, 131, 3, 5, 4719),
    1371 { },
    1372 };
    1373
    1374 diff --git a/drivers/clk/samsung/clk-exynos5260.c b/drivers/clk/samsung/clk-exynos5260.c
    1375 index fd1d9bfc151b..8eae1752d700 100644
    1376 --- a/drivers/clk/samsung/clk-exynos5260.c
    1377 +++ b/drivers/clk/samsung/clk-exynos5260.c
    1378 @@ -65,7 +65,7 @@ static const struct samsung_pll_rate_table pll2650_24mhz_tbl[] __initconst = {
    1379 PLL_36XX_RATE(480000000, 160, 2, 2, 0),
    1380 PLL_36XX_RATE(432000000, 144, 2, 2, 0),
    1381 PLL_36XX_RATE(400000000, 200, 3, 2, 0),
    1382 - PLL_36XX_RATE(394073130, 459, 7, 2, 49282),
    1383 + PLL_36XX_RATE(394073128, 459, 7, 2, 49282),
    1384 PLL_36XX_RATE(333000000, 111, 2, 2, 0),
    1385 PLL_36XX_RATE(300000000, 100, 2, 2, 0),
    1386 PLL_36XX_RATE(266000000, 266, 3, 3, 0),
    1387 diff --git a/drivers/clk/samsung/clk-exynos5433.c b/drivers/clk/samsung/clk-exynos5433.c
    1388 index 2fe057326552..09cdd35dc434 100644
    1389 --- a/drivers/clk/samsung/clk-exynos5433.c
    1390 +++ b/drivers/clk/samsung/clk-exynos5433.c
    1391 @@ -725,7 +725,7 @@ static const struct samsung_pll_rate_table exynos5443_pll_rates[] __initconst =
    1392 PLL_35XX_RATE(800000000U, 400, 6, 1),
    1393 PLL_35XX_RATE(733000000U, 733, 12, 1),
    1394 PLL_35XX_RATE(700000000U, 175, 3, 1),
    1395 - PLL_35XX_RATE(667000000U, 222, 4, 1),
    1396 + PLL_35XX_RATE(666000000U, 222, 4, 1),
    1397 PLL_35XX_RATE(633000000U, 211, 4, 1),
    1398 PLL_35XX_RATE(600000000U, 500, 5, 2),
    1399 PLL_35XX_RATE(552000000U, 460, 5, 2),
    1400 @@ -751,12 +751,12 @@ static const struct samsung_pll_rate_table exynos5443_pll_rates[] __initconst =
    1401 /* AUD_PLL */
    1402 static const struct samsung_pll_rate_table exynos5443_aud_pll_rates[] __initconst = {
    1403 PLL_36XX_RATE(400000000U, 200, 3, 2, 0),
    1404 - PLL_36XX_RATE(393216000U, 197, 3, 2, -25690),
    1405 + PLL_36XX_RATE(393216003U, 197, 3, 2, -25690),
    1406 PLL_36XX_RATE(384000000U, 128, 2, 2, 0),
    1407 - PLL_36XX_RATE(368640000U, 246, 4, 2, -15729),
    1408 - PLL_36XX_RATE(361507200U, 181, 3, 2, -16148),
    1409 - PLL_36XX_RATE(338688000U, 113, 2, 2, -6816),
    1410 - PLL_36XX_RATE(294912000U, 98, 1, 3, 19923),
    1411 + PLL_36XX_RATE(368639991U, 246, 4, 2, -15729),
    1412 + PLL_36XX_RATE(361507202U, 181, 3, 2, -16148),
    1413 + PLL_36XX_RATE(338687988U, 113, 2, 2, -6816),
    1414 + PLL_36XX_RATE(294912002U, 98, 1, 3, 19923),
    1415 PLL_36XX_RATE(288000000U, 96, 1, 3, 0),
    1416 PLL_36XX_RATE(252000000U, 84, 1, 3, 0),
    1417 { /* sentinel */ }
    1418 diff --git a/drivers/clk/samsung/clk-exynos7.c b/drivers/clk/samsung/clk-exynos7.c
    1419 index 5931a4140c3d..bbfa57b4e017 100644
    1420 --- a/drivers/clk/samsung/clk-exynos7.c
    1421 +++ b/drivers/clk/samsung/clk-exynos7.c
    1422 @@ -140,7 +140,7 @@ static const struct samsung_div_clock topc_div_clks[] __initconst = {
    1423 };
    1424
    1425 static const struct samsung_pll_rate_table pll1460x_24mhz_tbl[] __initconst = {
    1426 - PLL_36XX_RATE(491520000, 20, 1, 0, 31457),
    1427 + PLL_36XX_RATE(491519897, 20, 1, 0, 31457),
    1428 {},
    1429 };
    1430
    1431 diff --git a/drivers/clk/samsung/clk-s3c2410.c b/drivers/clk/samsung/clk-s3c2410.c
    1432 index d7a1e772d95a..5f50037586ea 100644
    1433 --- a/drivers/clk/samsung/clk-s3c2410.c
    1434 +++ b/drivers/clk/samsung/clk-s3c2410.c
    1435 @@ -168,7 +168,7 @@ static struct samsung_pll_rate_table pll_s3c2410_12mhz_tbl[] __initdata = {
    1436 PLL_35XX_RATE(226000000, 105, 1, 1),
    1437 PLL_35XX_RATE(210000000, 132, 2, 1),
    1438 /* 2410 common */
    1439 - PLL_35XX_RATE(203000000, 161, 3, 1),
    1440 + PLL_35XX_RATE(202800000, 161, 3, 1),
    1441 PLL_35XX_RATE(192000000, 88, 1, 1),
    1442 PLL_35XX_RATE(186000000, 85, 1, 1),
    1443 PLL_35XX_RATE(180000000, 82, 1, 1),
    1444 @@ -178,18 +178,18 @@ static struct samsung_pll_rate_table pll_s3c2410_12mhz_tbl[] __initdata = {
    1445 PLL_35XX_RATE(147000000, 90, 2, 1),
    1446 PLL_35XX_RATE(135000000, 82, 2, 1),
    1447 PLL_35XX_RATE(124000000, 116, 1, 2),
    1448 - PLL_35XX_RATE(118000000, 150, 2, 2),
    1449 + PLL_35XX_RATE(118500000, 150, 2, 2),
    1450 PLL_35XX_RATE(113000000, 105, 1, 2),
    1451 - PLL_35XX_RATE(101000000, 127, 2, 2),
    1452 + PLL_35XX_RATE(101250000, 127, 2, 2),
    1453 PLL_35XX_RATE(90000000, 112, 2, 2),
    1454 - PLL_35XX_RATE(85000000, 105, 2, 2),
    1455 + PLL_35XX_RATE(84750000, 105, 2, 2),
    1456 PLL_35XX_RATE(79000000, 71, 1, 2),
    1457 - PLL_35XX_RATE(68000000, 82, 2, 2),
    1458 - PLL_35XX_RATE(56000000, 142, 2, 3),
    1459 + PLL_35XX_RATE(67500000, 82, 2, 2),
    1460 + PLL_35XX_RATE(56250000, 142, 2, 3),
    1461 PLL_35XX_RATE(48000000, 120, 2, 3),
    1462 - PLL_35XX_RATE(51000000, 161, 3, 3),
    1463 + PLL_35XX_RATE(50700000, 161, 3, 3),
    1464 PLL_35XX_RATE(45000000, 82, 1, 3),
    1465 - PLL_35XX_RATE(34000000, 82, 2, 3),
    1466 + PLL_35XX_RATE(33750000, 82, 2, 3),
    1467 { /* sentinel */ },
    1468 };
    1469
    1470 diff --git a/drivers/clk/tegra/clk-pll.c b/drivers/clk/tegra/clk-pll.c
    1471 index b3855360d6bc..66d1fc7dff58 100644
    1472 --- a/drivers/clk/tegra/clk-pll.c
    1473 +++ b/drivers/clk/tegra/clk-pll.c
    1474 @@ -1145,6 +1145,8 @@ static const struct clk_ops tegra_clk_pllu_ops = {
    1475 .enable = clk_pllu_enable,
    1476 .disable = clk_pll_disable,
    1477 .recalc_rate = clk_pll_recalc_rate,
    1478 + .round_rate = clk_pll_round_rate,
    1479 + .set_rate = clk_pll_set_rate,
    1480 };
    1481
    1482 static int _pll_fixed_mdiv(struct tegra_clk_pll_params *pll_params,
    1483 diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-core.c b/drivers/crypto/sunxi-ss/sun4i-ss-core.c
    1484 index 3ac6c6c4ad18..16bb66091cf0 100644
    1485 --- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c
    1486 +++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c
    1487 @@ -422,6 +422,7 @@ static struct platform_driver sun4i_ss_driver = {
    1488
    1489 module_platform_driver(sun4i_ss_driver);
    1490
    1491 +MODULE_ALIAS("platform:sun4i-ss");
    1492 MODULE_DESCRIPTION("Allwinner Security System cryptographic accelerator");
    1493 MODULE_LICENSE("GPL");
    1494 MODULE_AUTHOR("Corentin LABBE <clabbe.montjoie@gmail.com>");
    1495 diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
    1496 index 7b67e1dd97fd..0418b5a0fb64 100644
    1497 --- a/drivers/media/dvb-core/dmxdev.c
    1498 +++ b/drivers/media/dvb-core/dmxdev.c
    1499 @@ -1071,7 +1071,7 @@ static int dvb_demux_do_ioctl(struct file *file,
    1500 break;
    1501
    1502 default:
    1503 - ret = -EINVAL;
    1504 + ret = -ENOTTY;
    1505 break;
    1506 }
    1507 mutex_unlock(&dmxdev->mutex);
    1508 diff --git a/drivers/media/pci/cx23885/cx23885-cards.c b/drivers/media/pci/cx23885/cx23885-cards.c
    1509 index 99ba8d6328f0..427ece11340b 100644
    1510 --- a/drivers/media/pci/cx23885/cx23885-cards.c
    1511 +++ b/drivers/media/pci/cx23885/cx23885-cards.c
    1512 @@ -2282,6 +2282,10 @@ void cx23885_card_setup(struct cx23885_dev *dev)
    1513 &dev->i2c_bus[2].i2c_adap,
    1514 "cx25840", 0x88 >> 1, NULL);
    1515 if (dev->sd_cx25840) {
    1516 + /* set host data for clk_freq configuration */
    1517 + v4l2_set_subdev_hostdata(dev->sd_cx25840,
    1518 + &dev->clk_freq);
    1519 +
    1520 dev->sd_cx25840->grp_id = CX23885_HW_AV_CORE;
    1521 v4l2_subdev_call(dev->sd_cx25840, core, load_fw);
    1522 }
    1523 diff --git a/drivers/media/pci/cx23885/cx23885-core.c b/drivers/media/pci/cx23885/cx23885-core.c
    1524 index c86b1093ab99..dcbb3a260b52 100644
    1525 --- a/drivers/media/pci/cx23885/cx23885-core.c
    1526 +++ b/drivers/media/pci/cx23885/cx23885-core.c
    1527 @@ -872,6 +872,16 @@ static int cx23885_dev_setup(struct cx23885_dev *dev)
    1528 if (cx23885_boards[dev->board].clk_freq > 0)
    1529 dev->clk_freq = cx23885_boards[dev->board].clk_freq;
    1530
    1531 + if (dev->board == CX23885_BOARD_HAUPPAUGE_IMPACTVCBE &&
    1532 + dev->pci->subsystem_device == 0x7137) {
    1533 + /* Hauppauge ImpactVCBe device ID 0x7137 is populated
    1534 + * with an 888, and a 25Mhz crystal, instead of the
    1535 + * usual third overtone 50Mhz. The default clock rate must
    1536 + * be overridden so the cx25840 is properly configured
    1537 + */
    1538 + dev->clk_freq = 25000000;
    1539 + }
    1540 +
    1541 dev->pci_bus = dev->pci->bus->number;
    1542 dev->pci_slot = PCI_SLOT(dev->pci->devfn);
    1543 cx23885_irq_add(dev, 0x001f00);
    1544 diff --git a/drivers/media/pci/cx25821/cx25821-core.c b/drivers/media/pci/cx25821/cx25821-core.c
    1545 index 9a5f912ca859..0d4cacb93664 100644
    1546 --- a/drivers/media/pci/cx25821/cx25821-core.c
    1547 +++ b/drivers/media/pci/cx25821/cx25821-core.c
    1548 @@ -871,6 +871,10 @@ static int cx25821_dev_setup(struct cx25821_dev *dev)
    1549 dev->nr = ++cx25821_devcount;
    1550 sprintf(dev->name, "cx25821[%d]", dev->nr);
    1551
    1552 + if (dev->nr >= ARRAY_SIZE(card)) {
    1553 + CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card));
    1554 + return -ENODEV;
    1555 + }
    1556 if (dev->pci->device != 0x8210) {
    1557 pr_info("%s(): Exiting. Incorrect Hardware device = 0x%02x\n",
    1558 __func__, dev->pci->device);
    1559 @@ -886,9 +890,6 @@ static int cx25821_dev_setup(struct cx25821_dev *dev)
    1560 dev->channels[i].sram_channels = &cx25821_sram_channels[i];
    1561 }
    1562
    1563 - if (dev->nr > 1)
    1564 - CX25821_INFO("dev->nr > 1!");
    1565 -
    1566 /* board config */
    1567 dev->board = 1; /* card[dev->nr]; */
    1568 dev->_max_num_decoders = MAX_DECODERS;
    1569 diff --git a/drivers/media/platform/s3c-camif/camif-capture.c b/drivers/media/platform/s3c-camif/camif-capture.c
    1570 index 0413a861a59a..5c9db0910a76 100644
    1571 --- a/drivers/media/platform/s3c-camif/camif-capture.c
    1572 +++ b/drivers/media/platform/s3c-camif/camif-capture.c
    1573 @@ -1256,16 +1256,17 @@ static void __camif_subdev_try_format(struct camif_dev *camif,
    1574 {
    1575 const struct s3c_camif_variant *variant = camif->variant;
    1576 const struct vp_pix_limits *pix_lim;
    1577 - int i = ARRAY_SIZE(camif_mbus_formats);
    1578 + unsigned int i;
    1579
    1580 /* FIXME: constraints against codec or preview path ? */
    1581 pix_lim = &variant->vp_pix_limits[VP_CODEC];
    1582
    1583 - while (i-- >= 0)
    1584 + for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
    1585 if (camif_mbus_formats[i] == mf->code)
    1586 break;
    1587
    1588 - mf->code = camif_mbus_formats[i];
    1589 + if (i == ARRAY_SIZE(camif_mbus_formats))
    1590 + mf->code = camif_mbus_formats[0];
    1591
    1592 if (pad == CAMIF_SD_PAD_SINK) {
    1593 v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH,
    1594 diff --git a/drivers/media/platform/vivid/vivid-ctrls.c b/drivers/media/platform/vivid/vivid-ctrls.c
    1595 index aceb38d9f7e7..b1c37252a6c7 100644
    1596 --- a/drivers/media/platform/vivid/vivid-ctrls.c
    1597 +++ b/drivers/media/platform/vivid/vivid-ctrls.c
    1598 @@ -1167,6 +1167,7 @@ static int vivid_radio_rx_s_ctrl(struct v4l2_ctrl *ctrl)
    1599 v4l2_ctrl_activate(dev->radio_rx_rds_ta, dev->radio_rx_rds_controls);
    1600 v4l2_ctrl_activate(dev->radio_rx_rds_tp, dev->radio_rx_rds_controls);
    1601 v4l2_ctrl_activate(dev->radio_rx_rds_ms, dev->radio_rx_rds_controls);
    1602 + dev->radio_rx_dev.device_caps = dev->radio_rx_caps;
    1603 break;
    1604 case V4L2_CID_RDS_RECEPTION:
    1605 dev->radio_rx_rds_enabled = ctrl->val;
    1606 @@ -1241,6 +1242,7 @@ static int vivid_radio_tx_s_ctrl(struct v4l2_ctrl *ctrl)
    1607 dev->radio_tx_caps &= ~V4L2_CAP_READWRITE;
    1608 if (!dev->radio_tx_rds_controls)
    1609 dev->radio_tx_caps |= V4L2_CAP_READWRITE;
    1610 + dev->radio_tx_dev.device_caps = dev->radio_tx_caps;
    1611 break;
    1612 case V4L2_CID_RDS_TX_PTY:
    1613 if (dev->radio_rx_rds_controls)
    1614 diff --git a/drivers/media/usb/em28xx/em28xx.h b/drivers/media/usb/em28xx/em28xx.h
    1615 index d148463b22c1..6bf48a75688e 100644
    1616 --- a/drivers/media/usb/em28xx/em28xx.h
    1617 +++ b/drivers/media/usb/em28xx/em28xx.h
    1618 @@ -189,7 +189,7 @@
    1619 USB 2.0 spec says bulk packet size is always 512 bytes
    1620 */
    1621 #define EM28XX_BULK_PACKET_MULTIPLIER 384
    1622 -#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 384
    1623 +#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 94
    1624
    1625 #define EM28XX_INTERLACED_DEFAULT 1
    1626
    1627 diff --git a/drivers/media/v4l2-core/videobuf2-vmalloc.c b/drivers/media/v4l2-core/videobuf2-vmalloc.c
    1628 index ab3227b75c84..760cbf2ba01a 100644
    1629 --- a/drivers/media/v4l2-core/videobuf2-vmalloc.c
    1630 +++ b/drivers/media/v4l2-core/videobuf2-vmalloc.c
    1631 @@ -104,7 +104,7 @@ static void *vb2_vmalloc_get_userptr(struct device *dev, unsigned long vaddr,
    1632 if (nums[i-1] + 1 != nums[i])
    1633 goto fail_map;
    1634 buf->vaddr = (__force void *)
    1635 - ioremap_nocache(nums[0] << PAGE_SHIFT, size);
    1636 + ioremap_nocache(__pfn_to_phys(nums[0]), size + offset);
    1637 } else {
    1638 buf->vaddr = vm_map_ram(frame_vector_pages(vec), n_pages, -1,
    1639 PAGE_KERNEL);
    1640 diff --git a/drivers/message/fusion/mptctl.c b/drivers/message/fusion/mptctl.c
    1641 index 02b5f69e1a42..14cf6dfc3b14 100644
    1642 --- a/drivers/message/fusion/mptctl.c
    1643 +++ b/drivers/message/fusion/mptctl.c
    1644 @@ -2698,6 +2698,8 @@ mptctl_hp_targetinfo(unsigned long arg)
    1645 __FILE__, __LINE__, iocnum);
    1646 return -ENODEV;
    1647 }
    1648 + if (karg.hdr.id >= MPT_MAX_FC_DEVICES)
    1649 + return -EINVAL;
    1650 dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo called.\n",
    1651 ioc->name));
    1652
    1653 diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
    1654 index 5411ca48978a..cb7c3ef97134 100644
    1655 --- a/drivers/net/ethernet/mellanox/mlx4/main.c
    1656 +++ b/drivers/net/ethernet/mellanox/mlx4/main.c
    1657 @@ -2983,6 +2983,7 @@ static int mlx4_init_port_info(struct mlx4_dev *dev, int port)
    1658 mlx4_err(dev, "Failed to create file for port %d\n", port);
    1659 devlink_port_unregister(&info->devlink_port);
    1660 info->port = -1;
    1661 + return err;
    1662 }
    1663
    1664 sprintf(info->dev_mtu_name, "mlx4_port%d_mtu", port);
    1665 @@ -3004,9 +3005,10 @@ static int mlx4_init_port_info(struct mlx4_dev *dev, int port)
    1666 &info->port_attr);
    1667 devlink_port_unregister(&info->devlink_port);
    1668 info->port = -1;
    1669 + return err;
    1670 }
    1671
    1672 - return err;
    1673 + return 0;
    1674 }
    1675
    1676 static void mlx4_cleanup_port_info(struct mlx4_port_info *info)
    1677 diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
    1678 index 3e893fe890a0..8daf5db3d922 100644
    1679 --- a/drivers/net/usb/qmi_wwan.c
    1680 +++ b/drivers/net/usb/qmi_wwan.c
    1681 @@ -810,6 +810,9 @@ static const struct usb_device_id products[] = {
    1682 {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
    1683 {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */
    1684 {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */
    1685 + {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */
    1686 + {QMI_FIXED_INTF(0x1435, 0xd181, 4)}, /* Wistron NeWeb D18Q1 */
    1687 + {QMI_FIXED_INTF(0x1435, 0xd181, 5)}, /* Wistron NeWeb D18Q1 */
    1688 {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */
    1689 {QMI_FIXED_INTF(0x16d8, 0x6007, 0)}, /* CMOTech CHE-628S */
    1690 {QMI_FIXED_INTF(0x16d8, 0x6008, 0)}, /* CMOTech CMU-301 */
    1691 @@ -942,6 +945,7 @@ static const struct usb_device_id products[] = {
    1692 {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */
    1693 {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */
    1694 {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
    1695 + {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */
    1696 {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */
    1697 {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)}, /* SIMCom 7230E */
    1698 {QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */
    1699 diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
    1700 index f809eed0343c..c999b10531c5 100644
    1701 --- a/drivers/net/vmxnet3/vmxnet3_drv.c
    1702 +++ b/drivers/net/vmxnet3/vmxnet3_drv.c
    1703 @@ -369,6 +369,11 @@ vmxnet3_tq_tx_complete(struct vmxnet3_tx_queue *tq,
    1704
    1705 gdesc = tq->comp_ring.base + tq->comp_ring.next2proc;
    1706 while (VMXNET3_TCD_GET_GEN(&gdesc->tcd) == tq->comp_ring.gen) {
    1707 + /* Prevent any &gdesc->tcd field from being (speculatively)
    1708 + * read before (&gdesc->tcd)->gen is read.
    1709 + */
    1710 + dma_rmb();
    1711 +
    1712 completed += vmxnet3_unmap_pkt(VMXNET3_TCD_GET_TXIDX(
    1713 &gdesc->tcd), tq, adapter->pdev,
    1714 adapter);
    1715 @@ -1099,6 +1104,11 @@ vmxnet3_tq_xmit(struct sk_buff *skb, struct vmxnet3_tx_queue *tq,
    1716 gdesc->txd.tci = skb_vlan_tag_get(skb);
    1717 }
    1718
    1719 + /* Ensure that the write to (&gdesc->txd)->gen will be observed after
    1720 + * all other writes to &gdesc->txd.
    1721 + */
    1722 + dma_wmb();
    1723 +
    1724 /* finally flips the GEN bit of the SOP desc. */
    1725 gdesc->dword[2] = cpu_to_le32(le32_to_cpu(gdesc->dword[2]) ^
    1726 VMXNET3_TXD_GEN);
    1727 @@ -1286,6 +1296,12 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
    1728 */
    1729 break;
    1730 }
    1731 +
    1732 + /* Prevent any rcd field from being (speculatively) read before
    1733 + * rcd->gen is read.
    1734 + */
    1735 + dma_rmb();
    1736 +
    1737 BUG_ON(rcd->rqID != rq->qid && rcd->rqID != rq->qid2 &&
    1738 rcd->rqID != rq->dataRingQid);
    1739 idx = rcd->rxdIdx;
    1740 @@ -1515,6 +1531,12 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
    1741 ring->next2comp = idx;
    1742 num_to_alloc = vmxnet3_cmd_ring_desc_avail(ring);
    1743 ring = rq->rx_ring + ring_idx;
    1744 +
    1745 + /* Ensure that the writes to rxd->gen bits will be observed
    1746 + * after all other writes to rxd objects.
    1747 + */
    1748 + dma_wmb();
    1749 +
    1750 while (num_to_alloc) {
    1751 vmxnet3_getRxDesc(rxd, &ring->base[ring->next2fill].rxd,
    1752 &rxCmdDesc);
    1753 @@ -2675,7 +2697,7 @@ vmxnet3_set_mac_addr(struct net_device *netdev, void *p)
    1754 /* ==================== initialization and cleanup routines ============ */
    1755
    1756 static int
    1757 -vmxnet3_alloc_pci_resources(struct vmxnet3_adapter *adapter, bool *dma64)
    1758 +vmxnet3_alloc_pci_resources(struct vmxnet3_adapter *adapter)
    1759 {
    1760 int err;
    1761 unsigned long mmio_start, mmio_len;
    1762 @@ -2687,30 +2709,12 @@ vmxnet3_alloc_pci_resources(struct vmxnet3_adapter *adapter, bool *dma64)
    1763 return err;
    1764 }
    1765
    1766 - if (pci_set_dma_mask(pdev, DMA_BIT_MASK(64)) == 0) {
    1767 - if (pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64)) != 0) {
    1768 - dev_err(&pdev->dev,
    1769 - "pci_set_consistent_dma_mask failed\n");
    1770 - err = -EIO;
    1771 - goto err_set_mask;
    1772 - }
    1773 - *dma64 = true;
    1774 - } else {
    1775 - if (pci_set_dma_mask(pdev, DMA_BIT_MASK(32)) != 0) {
    1776 - dev_err(&pdev->dev,
    1777 - "pci_set_dma_mask failed\n");
    1778 - err = -EIO;
    1779 - goto err_set_mask;
    1780 - }
    1781 - *dma64 = false;
    1782 - }
    1783 -
    1784 err = pci_request_selected_regions(pdev, (1 << 2) - 1,
    1785 vmxnet3_driver_name);
    1786 if (err) {
    1787 dev_err(&pdev->dev,
    1788 "Failed to request region for adapter: error %d\n", err);
    1789 - goto err_set_mask;
    1790 + goto err_enable_device;
    1791 }
    1792
    1793 pci_set_master(pdev);
    1794 @@ -2738,7 +2742,7 @@ vmxnet3_alloc_pci_resources(struct vmxnet3_adapter *adapter, bool *dma64)
    1795 iounmap(adapter->hw_addr0);
    1796 err_ioremap:
    1797 pci_release_selected_regions(pdev, (1 << 2) - 1);
    1798 -err_set_mask:
    1799 +err_enable_device:
    1800 pci_disable_device(pdev);
    1801 return err;
    1802 }
    1803 @@ -3246,7 +3250,7 @@ vmxnet3_probe_device(struct pci_dev *pdev,
    1804 #endif
    1805 };
    1806 int err;
    1807 - bool dma64 = false; /* stupid gcc */
    1808 + bool dma64;
    1809 u32 ver;
    1810 struct net_device *netdev;
    1811 struct vmxnet3_adapter *adapter;
    1812 @@ -3292,6 +3296,24 @@ vmxnet3_probe_device(struct pci_dev *pdev,
    1813 adapter->rx_ring_size = VMXNET3_DEF_RX_RING_SIZE;
    1814 adapter->rx_ring2_size = VMXNET3_DEF_RX_RING2_SIZE;
    1815
    1816 + if (pci_set_dma_mask(pdev, DMA_BIT_MASK(64)) == 0) {
    1817 + if (pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64)) != 0) {
    1818 + dev_err(&pdev->dev,
    1819 + "pci_set_consistent_dma_mask failed\n");
    1820 + err = -EIO;
    1821 + goto err_set_mask;
    1822 + }
    1823 + dma64 = true;
    1824 + } else {
    1825 + if (pci_set_dma_mask(pdev, DMA_BIT_MASK(32)) != 0) {
    1826 + dev_err(&pdev->dev,
    1827 + "pci_set_dma_mask failed\n");
    1828 + err = -EIO;
    1829 + goto err_set_mask;
    1830 + }
    1831 + dma64 = false;
    1832 + }
    1833 +
    1834 spin_lock_init(&adapter->cmd_lock);
    1835 adapter->adapter_pa = dma_map_single(&adapter->pdev->dev, adapter,
    1836 sizeof(struct vmxnet3_adapter),
    1837 @@ -3299,7 +3321,7 @@ vmxnet3_probe_device(struct pci_dev *pdev,
    1838 if (dma_mapping_error(&adapter->pdev->dev, adapter->adapter_pa)) {
    1839 dev_err(&pdev->dev, "Failed to map dma\n");
    1840 err = -EFAULT;
    1841 - goto err_dma_map;
    1842 + goto err_set_mask;
    1843 }
    1844 adapter->shared = dma_alloc_coherent(
    1845 &adapter->pdev->dev,
    1846 @@ -3350,7 +3372,7 @@ vmxnet3_probe_device(struct pci_dev *pdev,
    1847 }
    1848 #endif /* VMXNET3_RSS */
    1849
    1850 - err = vmxnet3_alloc_pci_resources(adapter, &dma64);
    1851 + err = vmxnet3_alloc_pci_resources(adapter);
    1852 if (err < 0)
    1853 goto err_alloc_pci;
    1854
    1855 @@ -3492,7 +3514,7 @@ vmxnet3_probe_device(struct pci_dev *pdev,
    1856 err_alloc_shared:
    1857 dma_unmap_single(&adapter->pdev->dev, adapter->adapter_pa,
    1858 sizeof(struct vmxnet3_adapter), PCI_DMA_TODEVICE);
    1859 -err_dma_map:
    1860 +err_set_mask:
    1861 free_netdev(netdev);
    1862 return err;
    1863 }
    1864 diff --git a/drivers/rtc/hctosys.c b/drivers/rtc/hctosys.c
    1865 index e1cfa06810ef..e79f2a181ad2 100644
    1866 --- a/drivers/rtc/hctosys.c
    1867 +++ b/drivers/rtc/hctosys.c
    1868 @@ -49,6 +49,11 @@ static int __init rtc_hctosys(void)
    1869
    1870 tv64.tv_sec = rtc_tm_to_time64(&tm);
    1871
    1872 +#if BITS_PER_LONG == 32
    1873 + if (tv64.tv_sec > INT_MAX)
    1874 + goto err_read;
    1875 +#endif
    1876 +
    1877 err = do_settimeofday64(&tv64);
    1878
    1879 dev_info(rtc->dev.parent,
    1880 diff --git a/drivers/rtc/rtc-snvs.c b/drivers/rtc/rtc-snvs.c
    1881 index a753ef9c1459..3e8fd33c2576 100644
    1882 --- a/drivers/rtc/rtc-snvs.c
    1883 +++ b/drivers/rtc/rtc-snvs.c
    1884 @@ -132,20 +132,23 @@ static int snvs_rtc_set_time(struct device *dev, struct rtc_time *tm)
    1885 {
    1886 struct snvs_rtc_data *data = dev_get_drvdata(dev);
    1887 unsigned long time;
    1888 + int ret;
    1889
    1890 rtc_tm_to_time(tm, &time);
    1891
    1892 /* Disable RTC first */
    1893 - snvs_rtc_enable(data, false);
    1894 + ret = snvs_rtc_enable(data, false);
    1895 + if (ret)
    1896 + return ret;
    1897
    1898 /* Write 32-bit time to 47-bit timer, leaving 15 LSBs blank */
    1899 regmap_write(data->regmap, data->offset + SNVS_LPSRTCLR, time << CNTR_TO_SECS_SH);
    1900 regmap_write(data->regmap, data->offset + SNVS_LPSRTCMR, time >> (32 - CNTR_TO_SECS_SH));
    1901
    1902 /* Enable RTC again */
    1903 - snvs_rtc_enable(data, true);
    1904 + ret = snvs_rtc_enable(data, true);
    1905
    1906 - return 0;
    1907 + return ret;
    1908 }
    1909
    1910 static int snvs_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
    1911 @@ -287,7 +290,11 @@ static int snvs_rtc_probe(struct platform_device *pdev)
    1912 regmap_write(data->regmap, data->offset + SNVS_LPSR, 0xffffffff);
    1913
    1914 /* Enable RTC */
    1915 - snvs_rtc_enable(data, true);
    1916 + ret = snvs_rtc_enable(data, true);
    1917 + if (ret) {
    1918 + dev_err(&pdev->dev, "failed to enable rtc %d\n", ret);
    1919 + goto error_rtc_device_register;
    1920 + }
    1921
    1922 device_init_wakeup(&pdev->dev, true);
    1923
    1924 diff --git a/drivers/rtc/rtc-tx4939.c b/drivers/rtc/rtc-tx4939.c
    1925 index 560d9a5e0225..a9528083061d 100644
    1926 --- a/drivers/rtc/rtc-tx4939.c
    1927 +++ b/drivers/rtc/rtc-tx4939.c
    1928 @@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct device *dev, struct rtc_time *tm)
    1929 for (i = 2; i < 6; i++)
    1930 buf[i] = __raw_readl(&rtcreg->dat);
    1931 spin_unlock_irq(&pdata->lock);
    1932 - sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2];
    1933 + sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) |
    1934 + (buf[3] << 8) | buf[2];
    1935 rtc_time_to_tm(sec, tm);
    1936 return rtc_valid_tm(tm);
    1937 }
    1938 @@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
    1939 alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0;
    1940 alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0;
    1941 spin_unlock_irq(&pdata->lock);
    1942 - sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2];
    1943 + sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) |
    1944 + (buf[3] << 8) | buf[2];
    1945 rtc_time_to_tm(sec, &alrm->time);
    1946 return rtc_valid_tm(&alrm->time);
    1947 }
    1948 diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c
    1949 index 34367d172961..4534a7ce77b8 100644
    1950 --- a/drivers/s390/scsi/zfcp_dbf.c
    1951 +++ b/drivers/s390/scsi/zfcp_dbf.c
    1952 @@ -3,7 +3,7 @@
    1953 *
    1954 * Debug traces for zfcp.
    1955 *
    1956 - * Copyright IBM Corp. 2002, 2017
    1957 + * Copyright IBM Corp. 2002, 2018
    1958 */
    1959
    1960 #define KMSG_COMPONENT "zfcp"
    1961 @@ -287,6 +287,27 @@ void zfcp_dbf_rec_trig(char *tag, struct zfcp_adapter *adapter,
    1962 spin_unlock_irqrestore(&dbf->rec_lock, flags);
    1963 }
    1964
    1965 +/**
    1966 + * zfcp_dbf_rec_trig_lock - trace event related to triggered recovery with lock
    1967 + * @tag: identifier for event
    1968 + * @adapter: adapter on which the erp_action should run
    1969 + * @port: remote port involved in the erp_action
    1970 + * @sdev: scsi device involved in the erp_action
    1971 + * @want: wanted erp_action
    1972 + * @need: required erp_action
    1973 + *
    1974 + * The adapter->erp_lock must not be held.
    1975 + */
    1976 +void zfcp_dbf_rec_trig_lock(char *tag, struct zfcp_adapter *adapter,
    1977 + struct zfcp_port *port, struct scsi_device *sdev,
    1978 + u8 want, u8 need)
    1979 +{
    1980 + unsigned long flags;
    1981 +
    1982 + read_lock_irqsave(&adapter->erp_lock, flags);
    1983 + zfcp_dbf_rec_trig(tag, adapter, port, sdev, want, need);
    1984 + read_unlock_irqrestore(&adapter->erp_lock, flags);
    1985 +}
    1986
    1987 /**
    1988 * zfcp_dbf_rec_run_lvl - trace event related to running recovery
    1989 diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h
    1990 index 21c8c689b02b..7a7984a50683 100644
    1991 --- a/drivers/s390/scsi/zfcp_ext.h
    1992 +++ b/drivers/s390/scsi/zfcp_ext.h
    1993 @@ -3,7 +3,7 @@
    1994 *
    1995 * External function declarations.
    1996 *
    1997 - * Copyright IBM Corp. 2002, 2016
    1998 + * Copyright IBM Corp. 2002, 2018
    1999 */
    2000
    2001 #ifndef ZFCP_EXT_H
    2002 @@ -34,6 +34,9 @@ extern int zfcp_dbf_adapter_register(struct zfcp_adapter *);
    2003 extern void zfcp_dbf_adapter_unregister(struct zfcp_adapter *);
    2004 extern void zfcp_dbf_rec_trig(char *, struct zfcp_adapter *,
    2005 struct zfcp_port *, struct scsi_device *, u8, u8);
    2006 +extern void zfcp_dbf_rec_trig_lock(char *tag, struct zfcp_adapter *adapter,
    2007 + struct zfcp_port *port,
    2008 + struct scsi_device *sdev, u8 want, u8 need);
    2009 extern void zfcp_dbf_rec_run(char *, struct zfcp_erp_action *);
    2010 extern void zfcp_dbf_rec_run_lvl(int level, char *tag,
    2011 struct zfcp_erp_action *erp);
    2012 diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
    2013 index a9b8104b982e..bb99db2948ab 100644
    2014 --- a/drivers/s390/scsi/zfcp_scsi.c
    2015 +++ b/drivers/s390/scsi/zfcp_scsi.c
    2016 @@ -3,7 +3,7 @@
    2017 *
    2018 * Interface to Linux SCSI midlayer.
    2019 *
    2020 - * Copyright IBM Corp. 2002, 2017
    2021 + * Copyright IBM Corp. 2002, 2018
    2022 */
    2023
    2024 #define KMSG_COMPONENT "zfcp"
    2025 @@ -616,9 +616,9 @@ static void zfcp_scsi_rport_register(struct zfcp_port *port)
    2026 ids.port_id = port->d_id;
    2027 ids.roles = FC_RPORT_ROLE_FCP_TARGET;
    2028
    2029 - zfcp_dbf_rec_trig("scpaddy", port->adapter, port, NULL,
    2030 - ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD,
    2031 - ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD);
    2032 + zfcp_dbf_rec_trig_lock("scpaddy", port->adapter, port, NULL,
    2033 + ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD,
    2034 + ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD);
    2035 rport = fc_remote_port_add(port->adapter->scsi_host, 0, &ids);
    2036 if (!rport) {
    2037 dev_err(&port->adapter->ccw_device->dev,
    2038 @@ -640,9 +640,9 @@ static void zfcp_scsi_rport_block(struct zfcp_port *port)
    2039 struct fc_rport *rport = port->rport;
    2040
    2041 if (rport) {
    2042 - zfcp_dbf_rec_trig("scpdely", port->adapter, port, NULL,
    2043 - ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL,
    2044 - ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL);
    2045 + zfcp_dbf_rec_trig_lock("scpdely", port->adapter, port, NULL,
    2046 + ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL,
    2047 + ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL);
    2048 fc_remote_port_delete(rport);
    2049 port->rport = NULL;
    2050 }
    2051 diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
    2052 index e2962f15c189..fe670b696251 100644
    2053 --- a/drivers/scsi/aacraid/commsup.c
    2054 +++ b/drivers/scsi/aacraid/commsup.c
    2055 @@ -1374,9 +1374,10 @@ static int _aac_reset_adapter(struct aac_dev *aac, int forced)
    2056 host = aac->scsi_host_ptr;
    2057 scsi_block_requests(host);
    2058 aac_adapter_disable_int(aac);
    2059 - if (aac->thread->pid != current->pid) {
    2060 + if (aac->thread && aac->thread->pid != current->pid) {
    2061 spin_unlock_irq(host->host_lock);
    2062 kthread_stop(aac->thread);
    2063 + aac->thread = NULL;
    2064 jafo = 1;
    2065 }
    2066
    2067 @@ -1445,6 +1446,7 @@ static int _aac_reset_adapter(struct aac_dev *aac, int forced)
    2068 aac->name);
    2069 if (IS_ERR(aac->thread)) {
    2070 retval = PTR_ERR(aac->thread);
    2071 + aac->thread = NULL;
    2072 goto out;
    2073 }
    2074 }
    2075 diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
    2076 index d5b26fa541d3..ad902a6e7c12 100644
    2077 --- a/drivers/scsi/aacraid/linit.c
    2078 +++ b/drivers/scsi/aacraid/linit.c
    2079 @@ -1083,6 +1083,7 @@ static void __aac_shutdown(struct aac_dev * aac)
    2080 up(&fib->event_wait);
    2081 }
    2082 kthread_stop(aac->thread);
    2083 + aac->thread = NULL;
    2084 }
    2085 aac_adapter_disable_int(aac);
    2086 cpu = cpumask_first(cpu_online_mask);
    2087 @@ -1203,8 +1204,10 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
    2088 * Map in the registers from the adapter.
    2089 */
    2090 aac->base_size = AAC_MIN_FOOTPRINT_SIZE;
    2091 - if ((*aac_drivers[index].init)(aac))
    2092 + if ((*aac_drivers[index].init)(aac)) {
    2093 + error = -ENODEV;
    2094 goto out_unmap;
    2095 + }
    2096
    2097 if (aac->sync_mode) {
    2098 if (aac_sync_mode)
    2099 diff --git a/drivers/scsi/arm/fas216.c b/drivers/scsi/arm/fas216.c
    2100 index 24388795ee9a..936e8c735656 100644
    2101 --- a/drivers/scsi/arm/fas216.c
    2102 +++ b/drivers/scsi/arm/fas216.c
    2103 @@ -2011,7 +2011,7 @@ static void fas216_rq_sns_done(FAS216_Info *info, struct scsi_cmnd *SCpnt,
    2104 * have valid data in the sense buffer that could
    2105 * confuse the higher levels.
    2106 */
    2107 - memset(SCpnt->sense_buffer, 0, sizeof(SCpnt->sense_buffer));
    2108 + memset(SCpnt->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE);
    2109 //printk("scsi%d.%c: sense buffer: ", info->host->host_no, '0' + SCpnt->device->id);
    2110 //{ int i; for (i = 0; i < 32; i++) printk("%02x ", SCpnt->sense_buffer[i]); printk("\n"); }
    2111 /*
    2112 diff --git a/drivers/scsi/bnx2fc/bnx2fc_io.c b/drivers/scsi/bnx2fc/bnx2fc_io.c
    2113 index f501095f91ac..bd39590d81c4 100644
    2114 --- a/drivers/scsi/bnx2fc/bnx2fc_io.c
    2115 +++ b/drivers/scsi/bnx2fc/bnx2fc_io.c
    2116 @@ -1869,6 +1869,7 @@ void bnx2fc_process_scsi_cmd_compl(struct bnx2fc_cmd *io_req,
    2117 /* we will not receive ABTS response for this IO */
    2118 BNX2FC_IO_DBG(io_req, "Timer context finished processing "
    2119 "this scsi cmd\n");
    2120 + return;
    2121 }
    2122
    2123 /* Cancel the timeout_work, as we received IO completion */
    2124 diff --git a/drivers/scsi/libsas/sas_scsi_host.c b/drivers/scsi/libsas/sas_scsi_host.c
    2125 index 519dac4e341e..9a8c2f97ed70 100644
    2126 --- a/drivers/scsi/libsas/sas_scsi_host.c
    2127 +++ b/drivers/scsi/libsas/sas_scsi_host.c
    2128 @@ -222,6 +222,7 @@ int sas_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd)
    2129 static void sas_eh_finish_cmd(struct scsi_cmnd *cmd)
    2130 {
    2131 struct sas_ha_struct *sas_ha = SHOST_TO_SAS_HA(cmd->device->host);
    2132 + struct domain_device *dev = cmd_to_domain_dev(cmd);
    2133 struct sas_task *task = TO_SAS_TASK(cmd);
    2134
    2135 /* At this point, we only get called following an actual abort
    2136 @@ -230,6 +231,14 @@ static void sas_eh_finish_cmd(struct scsi_cmnd *cmd)
    2137 */
    2138 sas_end_task(cmd, task);
    2139
    2140 + if (dev_is_sata(dev)) {
    2141 + /* defer commands to libata so that libata EH can
    2142 + * handle ata qcs correctly
    2143 + */
    2144 + list_move_tail(&cmd->eh_entry, &sas_ha->eh_ata_q);
    2145 + return;
    2146 + }
    2147 +
    2148 /* now finish the command and move it on to the error
    2149 * handler done list, this also takes it off the
    2150 * error handler pending list.
    2151 @@ -237,22 +246,6 @@ static void sas_eh_finish_cmd(struct scsi_cmnd *cmd)
    2152 scsi_eh_finish_cmd(cmd, &sas_ha->eh_done_q);
    2153 }
    2154
    2155 -static void sas_eh_defer_cmd(struct scsi_cmnd *cmd)
    2156 -{
    2157 - struct domain_device *dev = cmd_to_domain_dev(cmd);
    2158 - struct sas_ha_struct *ha = dev->port->ha;
    2159 - struct sas_task *task = TO_SAS_TASK(cmd);
    2160 -
    2161 - if (!dev_is_sata(dev)) {
    2162 - sas_eh_finish_cmd(cmd);
    2163 - return;
    2164 - }
    2165 -
    2166 - /* report the timeout to libata */
    2167 - sas_end_task(cmd, task);
    2168 - list_move_tail(&cmd->eh_entry, &ha->eh_ata_q);
    2169 -}
    2170 -
    2171 static void sas_scsi_clear_queue_lu(struct list_head *error_q, struct scsi_cmnd *my_cmd)
    2172 {
    2173 struct scsi_cmnd *cmd, *n;
    2174 @@ -260,7 +253,7 @@ static void sas_scsi_clear_queue_lu(struct list_head *error_q, struct scsi_cmnd
    2175 list_for_each_entry_safe(cmd, n, error_q, eh_entry) {
    2176 if (cmd->device->sdev_target == my_cmd->device->sdev_target &&
    2177 cmd->device->lun == my_cmd->device->lun)
    2178 - sas_eh_defer_cmd(cmd);
    2179 + sas_eh_finish_cmd(cmd);
    2180 }
    2181 }
    2182
    2183 @@ -622,12 +615,12 @@ static void sas_eh_handle_sas_errors(struct Scsi_Host *shost, struct list_head *
    2184 case TASK_IS_DONE:
    2185 SAS_DPRINTK("%s: task 0x%p is done\n", __func__,
    2186 task);
    2187 - sas_eh_defer_cmd(cmd);
    2188 + sas_eh_finish_cmd(cmd);
    2189 continue;
    2190 case TASK_IS_ABORTED:
    2191 SAS_DPRINTK("%s: task 0x%p is aborted\n",
    2192 __func__, task);
    2193 - sas_eh_defer_cmd(cmd);
    2194 + sas_eh_finish_cmd(cmd);
    2195 continue;
    2196 case TASK_IS_AT_LU:
    2197 SAS_DPRINTK("task 0x%p is at LU: lu recover\n", task);
    2198 @@ -638,7 +631,7 @@ static void sas_eh_handle_sas_errors(struct Scsi_Host *shost, struct list_head *
    2199 "recovered\n",
    2200 SAS_ADDR(task->dev),
    2201 cmd->device->lun);
    2202 - sas_eh_defer_cmd(cmd);
    2203 + sas_eh_finish_cmd(cmd);
    2204 sas_scsi_clear_queue_lu(work_q, cmd);
    2205 goto Again;
    2206 }
    2207 diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
    2208 index 453299095847..cf15b9754402 100644
    2209 --- a/drivers/scsi/lpfc/lpfc_attr.c
    2210 +++ b/drivers/scsi/lpfc/lpfc_attr.c
    2211 @@ -635,7 +635,12 @@ lpfc_issue_lip(struct Scsi_Host *shost)
    2212 LPFC_MBOXQ_t *pmboxq;
    2213 int mbxstatus = MBXERR_ERROR;
    2214
    2215 + /*
    2216 + * If the link is offline, disabled or BLOCK_MGMT_IO
    2217 + * it doesn't make any sense to allow issue_lip
    2218 + */
    2219 if ((vport->fc_flag & FC_OFFLINE_MODE) ||
    2220 + (phba->hba_flag & LINK_DISABLED) ||
    2221 (phba->sli.sli_flag & LPFC_BLOCK_MGMT_IO))
    2222 return -EPERM;
    2223
    2224 diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
    2225 index 7d2ad633b6bc..81736457328a 100644
    2226 --- a/drivers/scsi/lpfc/lpfc_hbadisc.c
    2227 +++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
    2228 @@ -690,8 +690,9 @@ lpfc_work_done(struct lpfc_hba *phba)
    2229 (phba->hba_flag & HBA_SP_QUEUE_EVT)) {
    2230 if (pring->flag & LPFC_STOP_IOCB_EVENT) {
    2231 pring->flag |= LPFC_DEFERRED_RING_EVENT;
    2232 - /* Set the lpfc data pending flag */
    2233 - set_bit(LPFC_DATA_READY, &phba->data_flags);
    2234 + /* Preserve legacy behavior. */
    2235 + if (!(phba->hba_flag & HBA_SP_QUEUE_EVT))
    2236 + set_bit(LPFC_DATA_READY, &phba->data_flags);
    2237 } else {
    2238 if (phba->link_state >= LPFC_LINK_UP) {
    2239 pring->flag &= ~LPFC_DEFERRED_RING_EVENT;
    2240 diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
    2241 index 0902ed204ba8..6df06e716da1 100644
    2242 --- a/drivers/scsi/lpfc/lpfc_sli.c
    2243 +++ b/drivers/scsi/lpfc/lpfc_sli.c
    2244 @@ -116,6 +116,8 @@ lpfc_sli4_wq_put(struct lpfc_queue *q, union lpfc_wqe *wqe)
    2245 /* set consumption flag every once in a while */
    2246 if (!((q->host_index + 1) % q->entry_repost))
    2247 bf_set(wqe_wqec, &wqe->generic.wqe_com, 1);
    2248 + else
    2249 + bf_set(wqe_wqec, &wqe->generic.wqe_com, 0);
    2250 if (q->phba->sli3_options & LPFC_SLI4_PHWQ_ENABLED)
    2251 bf_set(wqe_wqid, &wqe->generic.wqe_com, q->queue_id);
    2252 lpfc_sli_pcimem_bcopy(wqe, temp_wqe, q->entry_size);
    2253 diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
    2254 index b8589068d175..ec48c010a3ba 100644
    2255 --- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
    2256 +++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
    2257 @@ -8853,7 +8853,7 @@ _scsih_probe(struct pci_dev *pdev, const struct pci_device_id *id)
    2258 snprintf(ioc->firmware_event_name, sizeof(ioc->firmware_event_name),
    2259 "fw_event_%s%d", ioc->driver_name, ioc->id);
    2260 ioc->firmware_event_thread = alloc_ordered_workqueue(
    2261 - ioc->firmware_event_name, WQ_MEM_RECLAIM);
    2262 + ioc->firmware_event_name, 0);
    2263 if (!ioc->firmware_event_thread) {
    2264 pr_err(MPT3SAS_FMT "failure at %s:%d/%s()!\n",
    2265 ioc->name, __FILE__, __LINE__, __func__);
    2266 diff --git a/drivers/scsi/mvsas/mv_94xx.c b/drivers/scsi/mvsas/mv_94xx.c
    2267 index 7de5d8d75480..eb5471bc7263 100644
    2268 --- a/drivers/scsi/mvsas/mv_94xx.c
    2269 +++ b/drivers/scsi/mvsas/mv_94xx.c
    2270 @@ -1080,16 +1080,16 @@ static int mvs_94xx_gpio_write(struct mvs_prv_info *mvs_prv,
    2271 void __iomem *regs = mvi->regs_ex - 0x10200;
    2272
    2273 int drive = (i/3) & (4-1); /* drive number on host */
    2274 - u32 block = mr32(MVS_SGPIO_DCTRL +
    2275 + int driveshift = drive * 8; /* bit offset of drive */
    2276 + u32 block = ioread32be(regs + MVS_SGPIO_DCTRL +
    2277 MVS_SGPIO_HOST_OFFSET * mvi->id);
    2278
    2279 -
    2280 /*
    2281 * if bit is set then create a mask with the first
    2282 * bit of the drive set in the mask ...
    2283 */
    2284 - u32 bit = (write_data[i/8] & (1 << (i&(8-1)))) ?
    2285 - 1<<(24-drive*8) : 0;
    2286 + u32 bit = get_unaligned_be32(write_data) & (1 << i) ?
    2287 + 1 << driveshift : 0;
    2288
    2289 /*
    2290 * ... and then shift it to the right position based
    2291 @@ -1098,26 +1098,27 @@ static int mvs_94xx_gpio_write(struct mvs_prv_info *mvs_prv,
    2292 switch (i%3) {
    2293 case 0: /* activity */
    2294 block &= ~((0x7 << MVS_SGPIO_DCTRL_ACT_SHIFT)
    2295 - << (24-drive*8));
    2296 + << driveshift);
    2297 /* hardwire activity bit to SOF */
    2298 block |= LED_BLINKA_SOF << (
    2299 MVS_SGPIO_DCTRL_ACT_SHIFT +
    2300 - (24-drive*8));
    2301 + driveshift);
    2302 break;
    2303 case 1: /* id */
    2304 block &= ~((0x3 << MVS_SGPIO_DCTRL_LOC_SHIFT)
    2305 - << (24-drive*8));
    2306 + << driveshift);
    2307 block |= bit << MVS_SGPIO_DCTRL_LOC_SHIFT;
    2308 break;
    2309 case 2: /* fail */
    2310 block &= ~((0x7 << MVS_SGPIO_DCTRL_ERR_SHIFT)
    2311 - << (24-drive*8));
    2312 + << driveshift);
    2313 block |= bit << MVS_SGPIO_DCTRL_ERR_SHIFT;
    2314 break;
    2315 }
    2316
    2317 - mw32(MVS_SGPIO_DCTRL + MVS_SGPIO_HOST_OFFSET * mvi->id,
    2318 - block);
    2319 + iowrite32be(block,
    2320 + regs + MVS_SGPIO_DCTRL +
    2321 + MVS_SGPIO_HOST_OFFSET * mvi->id);
    2322
    2323 }
    2324
    2325 @@ -1132,7 +1133,7 @@ static int mvs_94xx_gpio_write(struct mvs_prv_info *mvs_prv,
    2326 void __iomem *regs = mvi->regs_ex - 0x10200;
    2327
    2328 mw32(MVS_SGPIO_DCTRL + MVS_SGPIO_HOST_OFFSET * mvi->id,
    2329 - be32_to_cpu(((u32 *) write_data)[i]));
    2330 + ((u32 *) write_data)[i]);
    2331 }
    2332 return reg_count;
    2333 }
    2334 diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
    2335 index bddaabb288d4..73c99f237b10 100644
    2336 --- a/drivers/scsi/qla2xxx/qla_isr.c
    2337 +++ b/drivers/scsi/qla2xxx/qla_isr.c
    2338 @@ -272,7 +272,8 @@ qla2x00_mbx_completion(scsi_qla_host_t *vha, uint16_t mb0)
    2339 struct device_reg_2xxx __iomem *reg = &ha->iobase->isp;
    2340
    2341 /* Read all mbox registers? */
    2342 - mboxes = (1 << ha->mbx_count) - 1;
    2343 + WARN_ON_ONCE(ha->mbx_count > 32);
    2344 + mboxes = (1ULL << ha->mbx_count) - 1;
    2345 if (!ha->mcp)
    2346 ql_dbg(ql_dbg_async, vha, 0x5001, "MBX pointer ERROR.\n");
    2347 else
    2348 @@ -2516,7 +2517,8 @@ qla24xx_mbx_completion(scsi_qla_host_t *vha, uint16_t mb0)
    2349 struct device_reg_24xx __iomem *reg = &ha->iobase->isp24;
    2350
    2351 /* Read all mbox registers? */
    2352 - mboxes = (1 << ha->mbx_count) - 1;
    2353 + WARN_ON_ONCE(ha->mbx_count > 32);
    2354 + mboxes = (1ULL << ha->mbx_count) - 1;
    2355 if (!ha->mcp)
    2356 ql_dbg(ql_dbg_async, vha, 0x504e, "MBX pointer ERROR.\n");
    2357 else
    2358 diff --git a/drivers/scsi/qla4xxx/ql4_def.h b/drivers/scsi/qla4xxx/ql4_def.h
    2359 index a7cfc270bd08..ce1d063f3e83 100644
    2360 --- a/drivers/scsi/qla4xxx/ql4_def.h
    2361 +++ b/drivers/scsi/qla4xxx/ql4_def.h
    2362 @@ -168,6 +168,8 @@
    2363 #define DEV_DB_NON_PERSISTENT 0
    2364 #define DEV_DB_PERSISTENT 1
    2365
    2366 +#define QL4_ISP_REG_DISCONNECT 0xffffffffU
    2367 +
    2368 #define COPY_ISID(dst_isid, src_isid) { \
    2369 int i, j; \
    2370 for (i = 0, j = ISID_SIZE - 1; i < ISID_SIZE;) \
    2371 diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
    2372 index 01c3610a60cf..d8c03431d0aa 100644
    2373 --- a/drivers/scsi/qla4xxx/ql4_os.c
    2374 +++ b/drivers/scsi/qla4xxx/ql4_os.c
    2375 @@ -262,6 +262,24 @@ static struct iscsi_transport qla4xxx_iscsi_transport = {
    2376
    2377 static struct scsi_transport_template *qla4xxx_scsi_transport;
    2378
    2379 +static int qla4xxx_isp_check_reg(struct scsi_qla_host *ha)
    2380 +{
    2381 + u32 reg_val = 0;
    2382 + int rval = QLA_SUCCESS;
    2383 +
    2384 + if (is_qla8022(ha))
    2385 + reg_val = readl(&ha->qla4_82xx_reg->host_status);
    2386 + else if (is_qla8032(ha) || is_qla8042(ha))
    2387 + reg_val = qla4_8xxx_rd_direct(ha, QLA8XXX_PEG_ALIVE_COUNTER);
    2388 + else
    2389 + reg_val = readw(&ha->reg->ctrl_status);
    2390 +
    2391 + if (reg_val == QL4_ISP_REG_DISCONNECT)
    2392 + rval = QLA_ERROR;
    2393 +
    2394 + return rval;
    2395 +}
    2396 +
    2397 static int qla4xxx_send_ping(struct Scsi_Host *shost, uint32_t iface_num,
    2398 uint32_t iface_type, uint32_t payload_size,
    2399 uint32_t pid, struct sockaddr *dst_addr)
    2400 @@ -9196,10 +9214,17 @@ static int qla4xxx_eh_abort(struct scsi_cmnd *cmd)
    2401 struct srb *srb = NULL;
    2402 int ret = SUCCESS;
    2403 int wait = 0;
    2404 + int rval;
    2405
    2406 ql4_printk(KERN_INFO, ha, "scsi%ld:%d:%llu: Abort command issued cmd=%p, cdb=0x%x\n",
    2407 ha->host_no, id, lun, cmd, cmd->cmnd[0]);
    2408
    2409 + rval = qla4xxx_isp_check_reg(ha);
    2410 + if (rval != QLA_SUCCESS) {
    2411 + ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
    2412 + return FAILED;
    2413 + }
    2414 +
    2415 spin_lock_irqsave(&ha->hardware_lock, flags);
    2416 srb = (struct srb *) CMD_SP(cmd);
    2417 if (!srb) {
    2418 @@ -9251,6 +9276,7 @@ static int qla4xxx_eh_device_reset(struct scsi_cmnd *cmd)
    2419 struct scsi_qla_host *ha = to_qla_host(cmd->device->host);
    2420 struct ddb_entry *ddb_entry = cmd->device->hostdata;
    2421 int ret = FAILED, stat;
    2422 + int rval;
    2423
    2424 if (!ddb_entry)
    2425 return ret;
    2426 @@ -9270,6 +9296,12 @@ static int qla4xxx_eh_device_reset(struct scsi_cmnd *cmd)
    2427 cmd, jiffies, cmd->request->timeout / HZ,
    2428 ha->dpc_flags, cmd->result, cmd->allowed));
    2429
    2430 + rval = qla4xxx_isp_check_reg(ha);
    2431 + if (rval != QLA_SUCCESS) {
    2432 + ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
    2433 + return FAILED;
    2434 + }
    2435 +
    2436 /* FIXME: wait for hba to go online */
    2437 stat = qla4xxx_reset_lun(ha, ddb_entry, cmd->device->lun);
    2438 if (stat != QLA_SUCCESS) {
    2439 @@ -9313,6 +9345,7 @@ static int qla4xxx_eh_target_reset(struct scsi_cmnd *cmd)
    2440 struct scsi_qla_host *ha = to_qla_host(cmd->device->host);
    2441 struct ddb_entry *ddb_entry = cmd->device->hostdata;
    2442 int stat, ret;
    2443 + int rval;
    2444
    2445 if (!ddb_entry)
    2446 return FAILED;
    2447 @@ -9330,6 +9363,12 @@ static int qla4xxx_eh_target_reset(struct scsi_cmnd *cmd)
    2448 ha->host_no, cmd, jiffies, cmd->request->timeout / HZ,
    2449 ha->dpc_flags, cmd->result, cmd->allowed));
    2450
    2451 + rval = qla4xxx_isp_check_reg(ha);
    2452 + if (rval != QLA_SUCCESS) {
    2453 + ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
    2454 + return FAILED;
    2455 + }
    2456 +
    2457 stat = qla4xxx_reset_target(ha, ddb_entry);
    2458 if (stat != QLA_SUCCESS) {
    2459 starget_printk(KERN_INFO, scsi_target(cmd->device),
    2460 @@ -9384,9 +9423,16 @@ static int qla4xxx_eh_host_reset(struct scsi_cmnd *cmd)
    2461 {
    2462 int return_status = FAILED;
    2463 struct scsi_qla_host *ha;
    2464 + int rval;
    2465
    2466 ha = to_qla_host(cmd->device->host);
    2467
    2468 + rval = qla4xxx_isp_check_reg(ha);
    2469 + if (rval != QLA_SUCCESS) {
    2470 + ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
    2471 + return FAILED;
    2472 + }
    2473 +
    2474 if ((is_qla8032(ha) || is_qla8042(ha)) && ql4xdontresethba)
    2475 qla4_83xx_set_idc_dontreset(ha);
    2476
    2477 diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
    2478 index 14ba1a2c0b7c..f8b6bf56c48e 100644
    2479 --- a/drivers/scsi/sd.c
    2480 +++ b/drivers/scsi/sd.c
    2481 @@ -2401,6 +2401,7 @@ sd_read_write_protect_flag(struct scsi_disk *sdkp, unsigned char *buffer)
    2482 int res;
    2483 struct scsi_device *sdp = sdkp->device;
    2484 struct scsi_mode_data data;
    2485 + int disk_ro = get_disk_ro(sdkp->disk);
    2486 int old_wp = sdkp->write_prot;
    2487
    2488 set_disk_ro(sdkp->disk, 0);
    2489 @@ -2441,7 +2442,7 @@ sd_read_write_protect_flag(struct scsi_disk *sdkp, unsigned char *buffer)
    2490 "Test WP failed, assume Write Enabled\n");
    2491 } else {
    2492 sdkp->write_prot = ((data.device_specific & 0x80) != 0);
    2493 - set_disk_ro(sdkp->disk, sdkp->write_prot);
    2494 + set_disk_ro(sdkp->disk, sdkp->write_prot || disk_ro);
    2495 if (sdkp->first_scan || old_wp != sdkp->write_prot) {
    2496 sd_printk(KERN_NOTICE, sdkp, "Write Protect is %s\n",
    2497 sdkp->write_prot ? "on" : "off");
    2498 diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
    2499 index f61b37109e5c..0f81d739f9e9 100644
    2500 --- a/drivers/scsi/sg.c
    2501 +++ b/drivers/scsi/sg.c
    2502 @@ -1893,7 +1893,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size)
    2503 num = (rem_sz > scatter_elem_sz_prev) ?
    2504 scatter_elem_sz_prev : rem_sz;
    2505
    2506 - schp->pages[k] = alloc_pages(gfp_mask, order);
    2507 + schp->pages[k] = alloc_pages(gfp_mask | __GFP_ZERO, order);
    2508 if (!schp->pages[k])
    2509 goto out;
    2510
    2511 diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
    2512 index 0dd1984e381e..d92b2808d191 100644
    2513 --- a/drivers/scsi/storvsc_drv.c
    2514 +++ b/drivers/scsi/storvsc_drv.c
    2515 @@ -1580,7 +1580,7 @@ static struct scsi_host_template scsi_driver = {
    2516 .eh_timed_out = storvsc_eh_timed_out,
    2517 .slave_alloc = storvsc_device_alloc,
    2518 .slave_configure = storvsc_device_configure,
    2519 - .cmd_per_lun = 255,
    2520 + .cmd_per_lun = 2048,
    2521 .this_id = -1,
    2522 .use_clustering = ENABLE_CLUSTERING,
    2523 /* Make sure we dont get a sg segment crosses a page boundary */
    2524 diff --git a/drivers/scsi/sym53c8xx_2/sym_hipd.c b/drivers/scsi/sym53c8xx_2/sym_hipd.c
    2525 index 6b349e301869..c6425e3df5a0 100644
    2526 --- a/drivers/scsi/sym53c8xx_2/sym_hipd.c
    2527 +++ b/drivers/scsi/sym53c8xx_2/sym_hipd.c
    2528 @@ -536,7 +536,7 @@ sym_getsync(struct sym_hcb *np, u_char dt, u_char sfac, u_char *divp, u_char *fa
    2529 * Look for the greatest clock divisor that allows an
    2530 * input speed faster than the period.
    2531 */
    2532 - while (div-- > 0)
    2533 + while (--div > 0)
    2534 if (kpc >= (div_10M[div] << 2)) break;
    2535
    2536 /*
    2537 diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
    2538 index 2e9341233f66..98a7111dd53f 100644
    2539 --- a/drivers/scsi/ufs/ufshcd.c
    2540 +++ b/drivers/scsi/ufs/ufshcd.c
    2541 @@ -3338,6 +3338,8 @@ static int ufshcd_slave_alloc(struct scsi_device *sdev)
    2542 /* REPORT SUPPORTED OPERATION CODES is not supported */
    2543 sdev->no_report_opcodes = 1;
    2544
    2545 + /* WRITE_SAME command is not supported */
    2546 + sdev->no_write_same = 1;
    2547
    2548 ufshcd_set_queue_depth(sdev);
    2549
    2550 diff --git a/drivers/staging/lustre/lustre/include/obd.h b/drivers/staging/lustre/lustre/include/obd.h
    2551 index f6fc4dd05bd6..722c33f7eecc 100644
    2552 --- a/drivers/staging/lustre/lustre/include/obd.h
    2553 +++ b/drivers/staging/lustre/lustre/include/obd.h
    2554 @@ -253,7 +253,7 @@ struct client_obd {
    2555 struct sptlrpc_flavor cl_flvr_mgc; /* fixed flavor of mgc->mgs */
    2556
    2557 /* the grant values are protected by loi_list_lock below */
    2558 - unsigned long cl_dirty_pages; /* all _dirty_ in pahges */
    2559 + unsigned long cl_dirty_pages; /* all _dirty_ in pages */
    2560 unsigned long cl_dirty_max_pages; /* allowed w/o rpc */
    2561 unsigned long cl_dirty_transit; /* dirty synchronous */
    2562 unsigned long cl_avail_grant; /* bytes of credit for ost */
    2563 diff --git a/drivers/staging/lustre/lustre/lmv/lmv_obd.c b/drivers/staging/lustre/lustre/lmv/lmv_obd.c
    2564 index cd19ce811e62..9e63171c1ec3 100644
    2565 --- a/drivers/staging/lustre/lustre/lmv/lmv_obd.c
    2566 +++ b/drivers/staging/lustre/lustre/lmv/lmv_obd.c
    2567 @@ -2928,7 +2928,7 @@ int lmv_unpack_md(struct obd_export *exp, struct lmv_stripe_md **lsmp,
    2568 if (lsm && !lmm) {
    2569 int i;
    2570
    2571 - for (i = 1; i < lsm->lsm_md_stripe_count; i++) {
    2572 + for (i = 0; i < lsm->lsm_md_stripe_count; i++) {
    2573 /*
    2574 * For migrating inode, the master stripe and master
    2575 * object will be the same, so do not need iput, see
    2576 diff --git a/drivers/staging/lustre/lustre/osc/osc_cache.c b/drivers/staging/lustre/lustre/osc/osc_cache.c
    2577 index 4bbe219add98..1a8c9f535200 100644
    2578 --- a/drivers/staging/lustre/lustre/osc/osc_cache.c
    2579 +++ b/drivers/staging/lustre/lustre/osc/osc_cache.c
    2580 @@ -1542,7 +1542,7 @@ static int osc_enter_cache_try(struct client_obd *cli,
    2581 if (rc < 0)
    2582 return 0;
    2583
    2584 - if (cli->cl_dirty_pages <= cli->cl_dirty_max_pages &&
    2585 + if (cli->cl_dirty_pages < cli->cl_dirty_max_pages &&
    2586 atomic_long_read(&obd_dirty_pages) + 1 <= obd_max_dirty_pages) {
    2587 osc_consume_write_grant(cli, &oap->oap_brw_page);
    2588 if (transient) {
    2589 diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c
    2590 index 457eeb5f5239..5fe95937d811 100644
    2591 --- a/drivers/staging/rtl8192u/r8192U_core.c
    2592 +++ b/drivers/staging/rtl8192u/r8192U_core.c
    2593 @@ -1705,6 +1705,8 @@ static short rtl8192_usb_initendpoints(struct net_device *dev)
    2594
    2595 priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL);
    2596 priv->oldaddr = kmalloc(16, GFP_KERNEL);
    2597 + if (!priv->oldaddr)
    2598 + return -ENOMEM;
    2599 oldaddr = priv->oldaddr;
    2600 align = ((long)oldaddr) & 3;
    2601 if (align) {
    2602 diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
    2603 index f6e4373a8850..5d9038a5bbc4 100644
    2604 --- a/drivers/tty/serial/8250/8250_port.c
    2605 +++ b/drivers/tty/serial/8250/8250_port.c
    2606 @@ -1815,7 +1815,8 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir)
    2607
    2608 status = serial_port_in(port, UART_LSR);
    2609
    2610 - if (status & (UART_LSR_DR | UART_LSR_BI)) {
    2611 + if (status & (UART_LSR_DR | UART_LSR_BI) &&
    2612 + iir & UART_IIR_RDI) {
    2613 if (!up->dma || handle_rx_dma(up, iir))
    2614 status = serial8250_rx_chars(up, status);
    2615 }
    2616 diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c
    2617 index 5ac06fcaa9c6..fec48deb074c 100644
    2618 --- a/drivers/tty/serial/arc_uart.c
    2619 +++ b/drivers/tty/serial/arc_uart.c
    2620 @@ -596,6 +596,11 @@ static int arc_serial_probe(struct platform_device *pdev)
    2621 if (dev_id < 0)
    2622 dev_id = 0;
    2623
    2624 + if (dev_id >= ARRAY_SIZE(arc_uart_ports)) {
    2625 + dev_err(&pdev->dev, "serial%d out of range\n", dev_id);
    2626 + return -EINVAL;
    2627 + }
    2628 +
    2629 uart = &arc_uart_ports[dev_id];
    2630 port = &uart->port;
    2631
    2632 diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
    2633 index 76103f2c4a80..937f5e10f165 100644
    2634 --- a/drivers/tty/serial/fsl_lpuart.c
    2635 +++ b/drivers/tty/serial/fsl_lpuart.c
    2636 @@ -1902,6 +1902,10 @@ static int lpuart_probe(struct platform_device *pdev)
    2637 dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret);
    2638 return ret;
    2639 }
    2640 + if (ret >= ARRAY_SIZE(lpuart_ports)) {
    2641 + dev_err(&pdev->dev, "serial%d out of range\n", ret);
    2642 + return -EINVAL;
    2643 + }
    2644 sport->port.line = ret;
    2645 sport->lpuart32 = of_device_is_compatible(np, "fsl,ls1021a-lpuart");
    2646
    2647 diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
    2648 index ecadc27eea48..b24edf634985 100644
    2649 --- a/drivers/tty/serial/imx.c
    2650 +++ b/drivers/tty/serial/imx.c
    2651 @@ -2080,6 +2080,12 @@ static int serial_imx_probe(struct platform_device *pdev)
    2652 else if (ret < 0)
    2653 return ret;
    2654
    2655 + if (sport->port.line >= ARRAY_SIZE(imx_ports)) {
    2656 + dev_err(&pdev->dev, "serial%d out of range\n",
    2657 + sport->port.line);
    2658 + return -EINVAL;
    2659 + }
    2660 +
    2661 res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
    2662 base = devm_ioremap_resource(&pdev->dev, res);
    2663 if (IS_ERR(base))
    2664 diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
    2665 index 07390f8c3681..1d9d778828ba 100644
    2666 --- a/drivers/tty/serial/mxs-auart.c
    2667 +++ b/drivers/tty/serial/mxs-auart.c
    2668 @@ -1664,6 +1664,10 @@ static int mxs_auart_probe(struct platform_device *pdev)
    2669 s->port.line = pdev->id < 0 ? 0 : pdev->id;
    2670 else if (ret < 0)
    2671 return ret;
    2672 + if (s->port.line >= ARRAY_SIZE(auart_port)) {
    2673 + dev_err(&pdev->dev, "serial%d out of range\n", s->port.line);
    2674 + return -EINVAL;
    2675 + }
    2676
    2677 if (of_id) {
    2678 pdev->id_entry = of_id->data;
    2679 diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
    2680 index d65f92bcd0f1..f2ab6d8aab41 100644
    2681 --- a/drivers/tty/serial/samsung.c
    2682 +++ b/drivers/tty/serial/samsung.c
    2683 @@ -1813,6 +1813,10 @@ static int s3c24xx_serial_probe(struct platform_device *pdev)
    2684
    2685 dbg("s3c24xx_serial_probe(%p) %d\n", pdev, index);
    2686
    2687 + if (index >= ARRAY_SIZE(s3c24xx_serial_ports)) {
    2688 + dev_err(&pdev->dev, "serial%d out of range\n", index);
    2689 + return -EINVAL;
    2690 + }
    2691 ourport = &s3c24xx_serial_ports[index];
    2692
    2693 ourport->drv_data = s3c24xx_get_driver_data(pdev);
    2694 diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
    2695 index dd4c02fa4820..7497f1d4a818 100644
    2696 --- a/drivers/tty/serial/xilinx_uartps.c
    2697 +++ b/drivers/tty/serial/xilinx_uartps.c
    2698 @@ -1106,7 +1106,7 @@ static struct uart_port *cdns_uart_get_port(int id)
    2699 struct uart_port *port;
    2700
    2701 /* Try the given port id if failed use default method */
    2702 - if (cdns_uart_port[id].mapbase != 0) {
    2703 + if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) {
    2704 /* Find the next unused port */
    2705 for (id = 0; id < CDNS_UART_NR_PORTS; id++)
    2706 if (cdns_uart_port[id].mapbase == 0)
    2707 diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
    2708 index 34d23cc99fbd..fe22ac7c760a 100644
    2709 --- a/drivers/usb/class/cdc-acm.c
    2710 +++ b/drivers/usb/class/cdc-acm.c
    2711 @@ -174,6 +174,7 @@ static int acm_wb_alloc(struct acm *acm)
    2712 wb = &acm->wb[wbn];
    2713 if (!wb->use) {
    2714 wb->use = 1;
    2715 + wb->len = 0;
    2716 return wbn;
    2717 }
    2718 wbn = (wbn + 1) % ACM_NW;
    2719 @@ -731,16 +732,18 @@ static int acm_tty_write(struct tty_struct *tty,
    2720 static void acm_tty_flush_chars(struct tty_struct *tty)
    2721 {
    2722 struct acm *acm = tty->driver_data;
    2723 - struct acm_wb *cur = acm->putbuffer;
    2724 + struct acm_wb *cur;
    2725 int err;
    2726 unsigned long flags;
    2727
    2728 + spin_lock_irqsave(&acm->write_lock, flags);
    2729 +
    2730 + cur = acm->putbuffer;
    2731 if (!cur) /* nothing to do */
    2732 - return;
    2733 + goto out;
    2734
    2735 acm->putbuffer = NULL;
    2736 err = usb_autopm_get_interface_async(acm->control);
    2737 - spin_lock_irqsave(&acm->write_lock, flags);
    2738 if (err < 0) {
    2739 cur->use = 0;
    2740 acm->putbuffer = cur;
    2741 diff --git a/drivers/usb/dwc2/core.h b/drivers/usb/dwc2/core.h
    2742 index 2a21a0414b1d..0f45a2f165e5 100644
    2743 --- a/drivers/usb/dwc2/core.h
    2744 +++ b/drivers/usb/dwc2/core.h
    2745 @@ -209,7 +209,7 @@ struct dwc2_hsotg_ep {
    2746 unsigned char dir_in;
    2747 unsigned char index;
    2748 unsigned char mc;
    2749 - unsigned char interval;
    2750 + u16 interval;
    2751
    2752 unsigned int halted:1;
    2753 unsigned int periodic:1;
    2754 diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
    2755 index cfdd5c3da236..09921ef07ac5 100644
    2756 --- a/drivers/usb/dwc2/gadget.c
    2757 +++ b/drivers/usb/dwc2/gadget.c
    2758 @@ -2642,12 +2642,6 @@ void dwc2_hsotg_core_init_disconnected(struct dwc2_hsotg *hsotg,
    2759 dwc2_writel(dwc2_hsotg_ep0_mps(hsotg->eps_out[0]->ep.maxpacket) |
    2760 DXEPCTL_USBACTEP, hsotg->regs + DIEPCTL0);
    2761
    2762 - dwc2_hsotg_enqueue_setup(hsotg);
    2763 -
    2764 - dev_dbg(hsotg->dev, "EP0: DIEPCTL0=0x%08x, DOEPCTL0=0x%08x\n",
    2765 - dwc2_readl(hsotg->regs + DIEPCTL0),
    2766 - dwc2_readl(hsotg->regs + DOEPCTL0));
    2767 -
    2768 /* clear global NAKs */
    2769 val = DCTL_CGOUTNAK | DCTL_CGNPINNAK;
    2770 if (!is_usb_reset)
    2771 @@ -2658,6 +2652,12 @@ void dwc2_hsotg_core_init_disconnected(struct dwc2_hsotg *hsotg,
    2772 mdelay(3);
    2773
    2774 hsotg->lx_state = DWC2_L0;
    2775 +
    2776 + dwc2_hsotg_enqueue_setup(hsotg);
    2777 +
    2778 + dev_dbg(hsotg->dev, "EP0: DIEPCTL0=0x%08x, DOEPCTL0=0x%08x\n",
    2779 + dwc2_readl(hsotg->regs + DIEPCTL0),
    2780 + dwc2_readl(hsotg->regs + DOEPCTL0));
    2781 }
    2782
    2783 static void dwc2_hsotg_core_disconnect(struct dwc2_hsotg *hsotg)
    2784 diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
    2785 index 919a32153060..0a0cf154814b 100644
    2786 --- a/drivers/usb/dwc2/hcd.c
    2787 +++ b/drivers/usb/dwc2/hcd.c
    2788 @@ -2268,10 +2268,22 @@ static int dwc2_core_init(struct dwc2_hsotg *hsotg, bool initial_setup)
    2789 */
    2790 static void dwc2_core_host_init(struct dwc2_hsotg *hsotg)
    2791 {
    2792 - u32 hcfg, hfir, otgctl;
    2793 + u32 hcfg, hfir, otgctl, usbcfg;
    2794
    2795 dev_dbg(hsotg->dev, "%s(%p)\n", __func__, hsotg);
    2796
    2797 + /* Set HS/FS Timeout Calibration to 7 (max available value).
    2798 + * The number of PHY clocks that the application programs in
    2799 + * this field is added to the high/full speed interpacket timeout
    2800 + * duration in the core to account for any additional delays
    2801 + * introduced by the PHY. This can be required, because the delay
    2802 + * introduced by the PHY in generating the linestate condition
    2803 + * can vary from one PHY to another.
    2804 + */
    2805 + usbcfg = dwc2_readl(hsotg->regs + GUSBCFG);
    2806 + usbcfg |= GUSBCFG_TOUTCAL(7);
    2807 + dwc2_writel(usbcfg, hsotg->regs + GUSBCFG);
    2808 +
    2809 /* Restart the Phy Clock */
    2810 dwc2_writel(0, hsotg->regs + PCGCTL);
    2811
    2812 diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
    2813 index a0c2b8b6edd0..53b26e978d90 100644
    2814 --- a/drivers/usb/dwc3/core.c
    2815 +++ b/drivers/usb/dwc3/core.c
    2816 @@ -161,12 +161,26 @@ static int dwc3_core_soft_reset(struct dwc3 *dwc)
    2817 do {
    2818 reg = dwc3_readl(dwc->regs, DWC3_DCTL);
    2819 if (!(reg & DWC3_DCTL_CSFTRST))
    2820 - return 0;
    2821 + goto done;
    2822
    2823 udelay(1);
    2824 } while (--retries);
    2825
    2826 + phy_exit(dwc->usb3_generic_phy);
    2827 + phy_exit(dwc->usb2_generic_phy);
    2828 +
    2829 return -ETIMEDOUT;
    2830 +
    2831 +done:
    2832 + /*
    2833 + * For DWC_usb31 controller, once DWC3_DCTL_CSFTRST bit is cleared,
    2834 + * we must wait at least 50ms before accessing the PHY domain
    2835 + * (synchronization delay). DWC_usb31 programming guide section 1.3.2.
    2836 + */
    2837 + if (dwc3_is_usb31(dwc))
    2838 + msleep(50);
    2839 +
    2840 + return 0;
    2841 }
    2842
    2843 /**
    2844 diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
    2845 index 94d6a3e2ad97..affb3d757310 100644
    2846 --- a/drivers/usb/dwc3/core.h
    2847 +++ b/drivers/usb/dwc3/core.h
    2848 @@ -238,6 +238,8 @@
    2849 #define DWC3_GUSB3PIPECTL_TX_DEEPH(n) ((n) << 1)
    2850
    2851 /* Global TX Fifo Size Register */
    2852 +#define DWC31_GTXFIFOSIZ_TXFRAMNUM BIT(15) /* DWC_usb31 only */
    2853 +#define DWC31_GTXFIFOSIZ_TXFDEF(n) ((n) & 0x7fff) /* DWC_usb31 only */
    2854 #define DWC3_GTXFIFOSIZ_TXFDEF(n) ((n) & 0xffff)
    2855 #define DWC3_GTXFIFOSIZ_TXFSTADDR(n) ((n) & 0xffff0000)
    2856
    2857 diff --git a/drivers/usb/dwc3/dwc3-omap.c b/drivers/usb/dwc3/dwc3-omap.c
    2858 index 35b63518baf6..f221cb479e14 100644
    2859 --- a/drivers/usb/dwc3/dwc3-omap.c
    2860 +++ b/drivers/usb/dwc3/dwc3-omap.c
    2861 @@ -598,9 +598,25 @@ static int dwc3_omap_resume(struct device *dev)
    2862 return 0;
    2863 }
    2864
    2865 +static void dwc3_omap_complete(struct device *dev)
    2866 +{
    2867 + struct dwc3_omap *omap = dev_get_drvdata(dev);
    2868 +
    2869 + if (extcon_get_state(omap->edev, EXTCON_USB))
    2870 + dwc3_omap_set_mailbox(omap, OMAP_DWC3_VBUS_VALID);
    2871 + else
    2872 + dwc3_omap_set_mailbox(omap, OMAP_DWC3_VBUS_OFF);
    2873 +
    2874 + if (extcon_get_state(omap->edev, EXTCON_USB_HOST))
    2875 + dwc3_omap_set_mailbox(omap, OMAP_DWC3_ID_GROUND);
    2876 + else
    2877 + dwc3_omap_set_mailbox(omap, OMAP_DWC3_ID_FLOAT);
    2878 +}
    2879 +
    2880 static const struct dev_pm_ops dwc3_omap_dev_pm_ops = {
    2881
    2882 SET_SYSTEM_SLEEP_PM_OPS(dwc3_omap_suspend, dwc3_omap_resume)
    2883 + .complete = dwc3_omap_complete,
    2884 };
    2885
    2886 #define DEV_PM_OPS (&dwc3_omap_dev_pm_ops)
    2887 diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
    2888 index 406758ed0b23..ca97f5b36e1b 100644
    2889 --- a/drivers/usb/gadget/composite.c
    2890 +++ b/drivers/usb/gadget/composite.c
    2891 @@ -1421,7 +1421,7 @@ static int count_ext_compat(struct usb_configuration *c)
    2892 return res;
    2893 }
    2894
    2895 -static void fill_ext_compat(struct usb_configuration *c, u8 *buf)
    2896 +static int fill_ext_compat(struct usb_configuration *c, u8 *buf)
    2897 {
    2898 int i, count;
    2899
    2900 @@ -1448,10 +1448,12 @@ static void fill_ext_compat(struct usb_configuration *c, u8 *buf)
    2901 buf += 23;
    2902 }
    2903 count += 24;
    2904 - if (count >= 4096)
    2905 - return;
    2906 + if (count + 24 >= USB_COMP_EP0_OS_DESC_BUFSIZ)
    2907 + return count;
    2908 }
    2909 }
    2910 +
    2911 + return count;
    2912 }
    2913
    2914 static int count_ext_prop(struct usb_configuration *c, int interface)
    2915 @@ -1496,25 +1498,20 @@ static int fill_ext_prop(struct usb_configuration *c, int interface, u8 *buf)
    2916 struct usb_os_desc *d;
    2917 struct usb_os_desc_ext_prop *ext_prop;
    2918 int j, count, n, ret;
    2919 - u8 *start = buf;
    2920
    2921 f = c->interface[interface];
    2922 + count = 10; /* header length */
    2923 for (j = 0; j < f->os_desc_n; ++j) {
    2924 if (interface != f->os_desc_table[j].if_id)
    2925 continue;
    2926 d = f->os_desc_table[j].os_desc;
    2927 if (d)
    2928 list_for_each_entry(ext_prop, &d->ext_prop, entry) {
    2929 - /* 4kB minus header length */
    2930 - n = buf - start;
    2931 - if (n >= 4086)
    2932 - return 0;
    2933 -
    2934 - count = ext_prop->data_len +
    2935 + n = ext_prop->data_len +
    2936 ext_prop->name_len + 14;
    2937 - if (count > 4086 - n)
    2938 - return -EINVAL;
    2939 - usb_ext_prop_put_size(buf, count);
    2940 + if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ)
    2941 + return count;
    2942 + usb_ext_prop_put_size(buf, n);
    2943 usb_ext_prop_put_type(buf, ext_prop->type);
    2944 ret = usb_ext_prop_put_name(buf, ext_prop->name,
    2945 ext_prop->name_len);
    2946 @@ -1540,11 +1537,12 @@ static int fill_ext_prop(struct usb_configuration *c, int interface, u8 *buf)
    2947 default:
    2948 return -EINVAL;
    2949 }
    2950 - buf += count;
    2951 + buf += n;
    2952 + count += n;
    2953 }
    2954 }
    2955
    2956 - return 0;
    2957 + return count;
    2958 }
    2959
    2960 /*
    2961 @@ -1822,6 +1820,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
    2962 req->complete = composite_setup_complete;
    2963 buf = req->buf;
    2964 os_desc_cfg = cdev->os_desc_config;
    2965 + w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ);
    2966 memset(buf, 0, w_length);
    2967 buf[5] = 0x01;
    2968 switch (ctrl->bRequestType & USB_RECIP_MASK) {
    2969 @@ -1845,8 +1844,8 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
    2970 count += 16; /* header */
    2971 put_unaligned_le32(count, buf);
    2972 buf += 16;
    2973 - fill_ext_compat(os_desc_cfg, buf);
    2974 - value = w_length;
    2975 + value = fill_ext_compat(os_desc_cfg, buf);
    2976 + value = min_t(u16, w_length, value);
    2977 }
    2978 break;
    2979 case USB_RECIP_INTERFACE:
    2980 @@ -1875,8 +1874,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
    2981 interface, buf);
    2982 if (value < 0)
    2983 return value;
    2984 -
    2985 - value = w_length;
    2986 + value = min_t(u16, w_length, value);
    2987 }
    2988 break;
    2989 }
    2990 @@ -2151,8 +2149,8 @@ int composite_os_desc_req_prepare(struct usb_composite_dev *cdev,
    2991 goto end;
    2992 }
    2993
    2994 - /* OS feature descriptor length <= 4kB */
    2995 - cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL);
    2996 + cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ,
    2997 + GFP_KERNEL);
    2998 if (!cdev->os_desc_req->buf) {
    2999 ret = -ENOMEM;
    3000 usb_ep_free_request(ep0, cdev->os_desc_req);
    3001 diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
    3002 index 071346973dd6..af72224f8ba2 100644
    3003 --- a/drivers/usb/gadget/function/f_fs.c
    3004 +++ b/drivers/usb/gadget/function/f_fs.c
    3005 @@ -759,9 +759,13 @@ static void ffs_user_copy_worker(struct work_struct *work)
    3006 bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
    3007
    3008 if (io_data->read && ret > 0) {
    3009 + mm_segment_t oldfs = get_fs();
    3010 +
    3011 + set_fs(USER_DS);
    3012 use_mm(io_data->mm);
    3013 ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data);
    3014 unuse_mm(io_data->mm);
    3015 + set_fs(oldfs);
    3016 }
    3017
    3018 io_data->kiocb->ki_complete(io_data->kiocb, ret, ret);
    3019 @@ -3239,7 +3243,7 @@ static int ffs_func_setup(struct usb_function *f,
    3020 __ffs_event_add(ffs, FUNCTIONFS_SETUP);
    3021 spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
    3022
    3023 - return 0;
    3024 + return USB_GADGET_DELAYED_STATUS;
    3025 }
    3026
    3027 static bool ffs_func_req_match(struct usb_function *f,
    3028 diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
    3029 index 969cfe741380..5474b5187be0 100644
    3030 --- a/drivers/usb/gadget/function/f_uac2.c
    3031 +++ b/drivers/usb/gadget/function/f_uac2.c
    3032 @@ -1040,6 +1040,8 @@ afunc_bind(struct usb_configuration *cfg, struct usb_function *fn)
    3033 dev_err(dev, "%s:%d Error!\n", __func__, __LINE__);
    3034 return ret;
    3035 }
    3036 + iad_desc.bFirstInterface = ret;
    3037 +
    3038 std_ac_if_desc.bInterfaceNumber = ret;
    3039 agdev->ac_intf = ret;
    3040 agdev->ac_alt = 0;
    3041 diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
    3042 index 188961780b8a..139f6cce30b1 100644
    3043 --- a/drivers/usb/gadget/udc/core.c
    3044 +++ b/drivers/usb/gadget/udc/core.c
    3045 @@ -190,8 +190,8 @@ EXPORT_SYMBOL_GPL(usb_ep_alloc_request);
    3046 void usb_ep_free_request(struct usb_ep *ep,
    3047 struct usb_request *req)
    3048 {
    3049 - ep->ops->free_request(ep, req);
    3050 trace_usb_ep_free_request(ep, req, 0);
    3051 + ep->ops->free_request(ep, req);
    3052 }
    3053 EXPORT_SYMBOL_GPL(usb_ep_free_request);
    3054
    3055 diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c
    3056 index aac0ce8aeb0b..8991a4070792 100644
    3057 --- a/drivers/usb/gadget/udc/fsl_udc_core.c
    3058 +++ b/drivers/usb/gadget/udc/fsl_udc_core.c
    3059 @@ -1310,7 +1310,7 @@ static void udc_reset_ep_queue(struct fsl_udc *udc, u8 pipe)
    3060 {
    3061 struct fsl_ep *ep = get_ep_by_pipe(udc, pipe);
    3062
    3063 - if (ep->name)
    3064 + if (ep->ep.name)
    3065 nuke(ep, -ESHUTDOWN);
    3066 }
    3067
    3068 @@ -1698,7 +1698,7 @@ static void dtd_complete_irq(struct fsl_udc *udc)
    3069 curr_ep = get_ep_by_pipe(udc, i);
    3070
    3071 /* If the ep is configured */
    3072 - if (curr_ep->name == NULL) {
    3073 + if (!curr_ep->ep.name) {
    3074 WARNING("Invalid EP?");
    3075 continue;
    3076 }
    3077 diff --git a/drivers/usb/gadget/udc/goku_udc.h b/drivers/usb/gadget/udc/goku_udc.h
    3078 index 86d2adafe149..64eb0f2b5ea0 100644
    3079 --- a/drivers/usb/gadget/udc/goku_udc.h
    3080 +++ b/drivers/usb/gadget/udc/goku_udc.h
    3081 @@ -28,7 +28,7 @@ struct goku_udc_regs {
    3082 # define INT_EP1DATASET 0x00040
    3083 # define INT_EP2DATASET 0x00080
    3084 # define INT_EP3DATASET 0x00100
    3085 -#define INT_EPnNAK(n) (0x00100 < (n)) /* 0 < n < 4 */
    3086 +#define INT_EPnNAK(n) (0x00100 << (n)) /* 0 < n < 4 */
    3087 # define INT_EP1NAK 0x00200
    3088 # define INT_EP2NAK 0x00400
    3089 # define INT_EP3NAK 0x00800
    3090 diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c
    3091 index a646ca3b0d00..1afb76e8b1a5 100644
    3092 --- a/drivers/usb/host/ohci-hcd.c
    3093 +++ b/drivers/usb/host/ohci-hcd.c
    3094 @@ -446,7 +446,8 @@ static int ohci_init (struct ohci_hcd *ohci)
    3095 struct usb_hcd *hcd = ohci_to_hcd(ohci);
    3096
    3097 /* Accept arbitrarily long scatter-gather lists */
    3098 - hcd->self.sg_tablesize = ~0;
    3099 + if (!(hcd->driver->flags & HCD_LOCAL_MEM))
    3100 + hcd->self.sg_tablesize = ~0;
    3101
    3102 if (distrust_firmware)
    3103 ohci->flags |= OHCI_QUIRK_HUB_POWER;
    3104 diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
    3105 index 3b7d69ca83be..48bdab4fdc8f 100644
    3106 --- a/drivers/usb/host/xhci-mem.c
    3107 +++ b/drivers/usb/host/xhci-mem.c
    3108 @@ -975,6 +975,8 @@ void xhci_free_virt_device(struct xhci_hcd *xhci, int slot_id)
    3109 if (dev->out_ctx)
    3110 xhci_free_container_ctx(xhci, dev->out_ctx);
    3111
    3112 + if (dev->udev && dev->udev->slot_id)
    3113 + dev->udev->slot_id = 0;
    3114 kfree(xhci->devs[slot_id]);
    3115 xhci->devs[slot_id] = NULL;
    3116 }
    3117 diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c
    3118 index 41b8b44a391c..85449a6ddc56 100644
    3119 --- a/fs/ext2/inode.c
    3120 +++ b/fs/ext2/inode.c
    3121 @@ -1258,21 +1258,11 @@ static void __ext2_truncate_blocks(struct inode *inode, loff_t offset)
    3122
    3123 static void ext2_truncate_blocks(struct inode *inode, loff_t offset)
    3124 {
    3125 - /*
    3126 - * XXX: it seems like a bug here that we don't allow
    3127 - * IS_APPEND inode to have blocks-past-i_size trimmed off.
    3128 - * review and fix this.
    3129 - *
    3130 - * Also would be nice to be able to handle IO errors and such,
    3131 - * but that's probably too much to ask.
    3132 - */
    3133 if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) ||
    3134 S_ISLNK(inode->i_mode)))
    3135 return;
    3136 if (ext2_inode_is_fast_symlink(inode))
    3137 return;
    3138 - if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
    3139 - return;
    3140
    3141 dax_sem_down_write(EXT2_I(inode));
    3142 __ext2_truncate_blocks(inode, offset);
    3143 diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
    3144 index 11854dd84572..b9563cdcfe28 100644
    3145 --- a/fs/hfsplus/super.c
    3146 +++ b/fs/hfsplus/super.c
    3147 @@ -588,6 +588,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
    3148 return 0;
    3149
    3150 out_put_hidden_dir:
    3151 + cancel_delayed_work_sync(&sbi->sync_work);
    3152 iput(sbi->hidden_dir);
    3153 out_put_root:
    3154 dput(sb->s_root);
    3155 diff --git a/include/linux/usb/composite.h b/include/linux/usb/composite.h
    3156 index 4616a49a1c2e..667d20454a21 100644
    3157 --- a/include/linux/usb/composite.h
    3158 +++ b/include/linux/usb/composite.h
    3159 @@ -53,6 +53,9 @@
    3160 /* big enough to hold our biggest descriptor */
    3161 #define USB_COMP_EP0_BUFSIZ 1024
    3162
    3163 +/* OS feature descriptor length <= 4kB */
    3164 +#define USB_COMP_EP0_OS_DESC_BUFSIZ 4096
    3165 +
    3166 #define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1)
    3167 struct usb_configuration;
    3168
    3169 diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
    3170 index d3cbe48b286d..7290eacc8cee 100644
    3171 --- a/include/uapi/linux/nl80211.h
    3172 +++ b/include/uapi/linux/nl80211.h
    3173 @@ -2379,6 +2379,8 @@ enum nl80211_attrs {
    3174 #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS
    3175 #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS
    3176
    3177 +#define NL80211_WIPHY_NAME_MAXLEN 128
    3178 +
    3179 #define NL80211_MAX_SUPP_RATES 32
    3180 #define NL80211_MAX_SUPP_HT_RATES 77
    3181 #define NL80211_MAX_SUPP_REG_RULES 64
    3182 diff --git a/net/core/sock.c b/net/core/sock.c
    3183 index e3b60460dc9c..1c4c43483b54 100644
    3184 --- a/net/core/sock.c
    3185 +++ b/net/core/sock.c
    3186 @@ -1457,7 +1457,7 @@ void sk_destruct(struct sock *sk)
    3187
    3188 static void __sk_free(struct sock *sk)
    3189 {
    3190 - if (unlikely(sock_diag_has_destroy_listeners(sk) && sk->sk_net_refcnt))
    3191 + if (unlikely(sk->sk_net_refcnt && sock_diag_has_destroy_listeners(sk)))
    3192 sock_diag_broadcast_destroy(sk);
    3193 else
    3194 sk_destruct(sk);
    3195 diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
    3196 index 2c3c1a223df4..3b1f3bc8becb 100644
    3197 --- a/net/ipv4/ip_output.c
    3198 +++ b/net/ipv4/ip_output.c
    3199 @@ -1076,7 +1076,8 @@ static int __ip_append_data(struct sock *sk,
    3200 if (copy > length)
    3201 copy = length;
    3202
    3203 - if (!(rt->dst.dev->features&NETIF_F_SG)) {
    3204 + if (!(rt->dst.dev->features&NETIF_F_SG) &&
    3205 + skb_tailroom(skb) >= copy) {
    3206 unsigned int off;
    3207
    3208 off = skb->len;
    3209 diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
    3210 index a69606031e5f..f07a0a1c98ff 100644
    3211 --- a/net/ipv4/tcp_output.c
    3212 +++ b/net/ipv4/tcp_output.c
    3213 @@ -2691,8 +2691,10 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
    3214 return -EBUSY;
    3215
    3216 if (before(TCP_SKB_CB(skb)->seq, tp->snd_una)) {
    3217 - if (before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))
    3218 - BUG();
    3219 + if (unlikely(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))) {
    3220 + WARN_ON_ONCE(1);
    3221 + return -EINVAL;
    3222 + }
    3223 if (tcp_trim_head(sk, skb, tp->snd_una - TCP_SKB_CB(skb)->seq))
    3224 return -ENOMEM;
    3225 }
    3226 @@ -3236,6 +3238,7 @@ static void tcp_connect_init(struct sock *sk)
    3227 sock_reset_flag(sk, SOCK_DONE);
    3228 tp->snd_wnd = 0;
    3229 tcp_init_wl(tp, 0);
    3230 + tcp_write_queue_purge(sk);
    3231 tp->snd_una = tp->write_seq;
    3232 tp->snd_sml = tp->write_seq;
    3233 tp->snd_up = tp->write_seq;
    3234 diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
    3235 index 58a6eeeacbf7..e8560031a0be 100644
    3236 --- a/net/ipv6/ip6_output.c
    3237 +++ b/net/ipv6/ip6_output.c
    3238 @@ -1545,7 +1545,8 @@ static int __ip6_append_data(struct sock *sk,
    3239 if (copy > length)
    3240 copy = length;
    3241
    3242 - if (!(rt->dst.dev->features&NETIF_F_SG)) {
    3243 + if (!(rt->dst.dev->features&NETIF_F_SG) &&
    3244 + skb_tailroom(skb) >= copy) {
    3245 unsigned int off;
    3246
    3247 off = skb->len;
    3248 diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
    3249 index a027f8c00944..b2b50756263b 100644
    3250 --- a/net/packet/af_packet.c
    3251 +++ b/net/packet/af_packet.c
    3252 @@ -2910,13 +2910,15 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
    3253 if (skb == NULL)
    3254 goto out_unlock;
    3255
    3256 - skb_set_network_header(skb, reserve);
    3257 + skb_reset_network_header(skb);
    3258
    3259 err = -EINVAL;
    3260 if (sock->type == SOCK_DGRAM) {
    3261 offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len);
    3262 if (unlikely(offset < 0))
    3263 goto out_free;
    3264 + } else if (reserve) {
    3265 + skb_push(skb, reserve);
    3266 }
    3267
    3268 /* Returns -EFAULT on error */
    3269 diff --git a/net/wireless/core.c b/net/wireless/core.c
    3270 index ce16da2905dc..7fbf4dd07277 100644
    3271 --- a/net/wireless/core.c
    3272 +++ b/net/wireless/core.c
    3273 @@ -95,6 +95,9 @@ static int cfg80211_dev_check_name(struct cfg80211_registered_device *rdev,
    3274
    3275 ASSERT_RTNL();
    3276
    3277 + if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN)
    3278 + return -EINVAL;
    3279 +
    3280 /* prohibit calling the thing phy%d when %d is not its number */
    3281 sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken);
    3282 if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {
    3283 diff --git a/sound/soc/au1x/ac97c.c b/sound/soc/au1x/ac97c.c
    3284 index 29a97d52e8ad..66d6c52e7761 100644
    3285 --- a/sound/soc/au1x/ac97c.c
    3286 +++ b/sound/soc/au1x/ac97c.c
    3287 @@ -91,8 +91,8 @@ static unsigned short au1xac97c_ac97_read(struct snd_ac97 *ac97,
    3288 do {
    3289 mutex_lock(&ctx->lock);
    3290
    3291 - tmo = 5;
    3292 - while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--)
    3293 + tmo = 6;
    3294 + while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo)
    3295 udelay(21); /* wait an ac97 frame time */
    3296 if (!tmo) {
    3297 pr_debug("ac97rd timeout #1\n");
    3298 @@ -105,7 +105,7 @@ static unsigned short au1xac97c_ac97_read(struct snd_ac97 *ac97,
    3299 * poll, Forrest, poll...
    3300 */
    3301 tmo = 0x10000;
    3302 - while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--)
    3303 + while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo)
    3304 asm volatile ("nop");
    3305 data = RD(ctx, AC97_CMDRESP);
    3306
    3307 diff --git a/sound/soc/samsung/i2s.c b/sound/soc/samsung/i2s.c
    3308 index 85324e61cbd5..2d14e37ddc3f 100644
    3309 --- a/sound/soc/samsung/i2s.c
    3310 +++ b/sound/soc/samsung/i2s.c
    3311 @@ -642,8 +642,12 @@ static int i2s_set_fmt(struct snd_soc_dai *dai,
    3312 tmp |= mod_slave;
    3313 break;
    3314 case SND_SOC_DAIFMT_CBS_CFS:
    3315 - /* Set default source clock in Master mode */
    3316 - if (i2s->rclk_srcrate == 0)
    3317 + /*
    3318 + * Set default source clock in Master mode, only when the
    3319 + * CLK_I2S_RCLK_SRC clock is not exposed so we ensure any
    3320 + * clock configuration assigned in DT is not overwritten.
    3321 + */
    3322 + if (i2s->rclk_srcrate == 0 && i2s->clk_data.clks == NULL)
    3323 i2s_set_sysclk(dai, SAMSUNG_I2S_RCLKSRC_0,
    3324 0, SND_SOC_CLOCK_IN);
    3325 break;
    3326 @@ -858,6 +862,11 @@ static int config_setup(struct i2s_dai *i2s)
    3327 return 0;
    3328
    3329 if (!(i2s->quirks & QUIRK_NO_MUXPSR)) {
    3330 + struct clk *rclksrc = i2s->clk_table[CLK_I2S_RCLK_SRC];
    3331 +
    3332 + if (i2s->rclk_srcrate == 0 && rclksrc && !IS_ERR(rclksrc))
    3333 + i2s->rclk_srcrate = clk_get_rate(rclksrc);
    3334 +
    3335 psr = i2s->rclk_srcrate / i2s->frmclk / rfs;
    3336 writel(((psr - 1) << 8) | PSR_PSREN, i2s->addr + I2SPSR);
    3337 dev_dbg(&i2s->pdev->dev,
    3338 diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
    3339 index 8a758c994506..d6b48c796bfc 100644
    3340 --- a/sound/soc/soc-topology.c
    3341 +++ b/sound/soc/soc-topology.c
    3342 @@ -1180,6 +1180,9 @@ static struct snd_kcontrol_new *soc_tplg_dapm_widget_dmixer_create(
    3343 kfree(sm);
    3344 continue;
    3345 }
    3346 +
    3347 + /* create any TLV data */
    3348 + soc_tplg_create_tlv(tplg, &kc[i], &mc->hdr);
    3349 }
    3350 return kc;
    3351
    3352 diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
    3353 index 45655b9108e8..da9fc08b20bb 100644
    3354 --- a/sound/usb/quirks.c
    3355 +++ b/sound/usb/quirks.c
    3356 @@ -1153,24 +1153,27 @@ bool snd_usb_get_sample_rate_quirk(struct snd_usb_audio *chip)
    3357 return false;
    3358 }
    3359
    3360 -/* Marantz/Denon USB DACs need a vendor cmd to switch
    3361 +/* ITF-USB DSD based DACs need a vendor cmd to switch
    3362 * between PCM and native DSD mode
    3363 + * (2 altsets version)
    3364 */
    3365 -static bool is_marantz_denon_dac(unsigned int id)
    3366 +static bool is_itf_usb_dsd_2alts_dac(unsigned int id)
    3367 {
    3368 switch (id) {
    3369 case USB_ID(0x154e, 0x1003): /* Denon DA-300USB */
    3370 case USB_ID(0x154e, 0x3005): /* Marantz HD-DAC1 */
    3371 case USB_ID(0x154e, 0x3006): /* Marantz SA-14S1 */
    3372 + case USB_ID(0x1852, 0x5065): /* Luxman DA-06 */
    3373 return true;
    3374 }
    3375 return false;
    3376 }
    3377
    3378 -/* TEAC UD-501/UD-503/NT-503 USB DACs need a vendor cmd to switch
    3379 - * between PCM/DOP and native DSD mode
    3380 +/* ITF-USB DSD based DACs need a vendor cmd to switch
    3381 + * between PCM and native DSD mode
    3382 + * (3 altsets version)
    3383 */
    3384 -static bool is_teac_dsd_dac(unsigned int id)
    3385 +static bool is_itf_usb_dsd_3alts_dac(unsigned int id)
    3386 {
    3387 switch (id) {
    3388 case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */
    3389 @@ -1187,7 +1190,7 @@ int snd_usb_select_mode_quirk(struct snd_usb_substream *subs,
    3390 struct usb_device *dev = subs->dev;
    3391 int err;
    3392
    3393 - if (is_marantz_denon_dac(subs->stream->chip->usb_id)) {
    3394 + if (is_itf_usb_dsd_2alts_dac(subs->stream->chip->usb_id)) {
    3395 /* First switch to alt set 0, otherwise the mode switch cmd
    3396 * will not be accepted by the DAC
    3397 */
    3398 @@ -1208,7 +1211,7 @@ int snd_usb_select_mode_quirk(struct snd_usb_substream *subs,
    3399 break;
    3400 }
    3401 mdelay(20);
    3402 - } else if (is_teac_dsd_dac(subs->stream->chip->usb_id)) {
    3403 + } else if (is_itf_usb_dsd_3alts_dac(subs->stream->chip->usb_id)) {
    3404 /* Vendor mode switch cmd is required. */
    3405 switch (fmt->altsetting) {
    3406 case 3: /* DSD mode (DSD_U32) requested */
    3407 @@ -1304,10 +1307,10 @@ void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe,
    3408 (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
    3409 mdelay(20);
    3410
    3411 - /* Marantz/Denon devices with USB DAC functionality need a delay
    3412 + /* ITF-USB DSD based DACs functionality need a delay
    3413 * after each class compliant request
    3414 */
    3415 - if (is_marantz_denon_dac(chip->usb_id)
    3416 + if (is_itf_usb_dsd_2alts_dac(chip->usb_id)
    3417 && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
    3418 mdelay(20);
    3419
    3420 @@ -1371,14 +1374,14 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip,
    3421 break;
    3422 }
    3423
    3424 - /* Denon/Marantz devices with USB DAC functionality */
    3425 - if (is_marantz_denon_dac(chip->usb_id)) {
    3426 + /* ITF-USB DSD based DACs (2 altsets version) */
    3427 + if (is_itf_usb_dsd_2alts_dac(chip->usb_id)) {
    3428 if (fp->altsetting == 2)
    3429 return SNDRV_PCM_FMTBIT_DSD_U32_BE;
    3430 }
    3431
    3432 - /* TEAC devices with USB DAC functionality */
    3433 - if (is_teac_dsd_dac(chip->usb_id)) {
    3434 + /* ITF-USB DSD based DACs (3 altsets version) */
    3435 + if (is_itf_usb_dsd_3alts_dac(chip->usb_id)) {
    3436 if (fp->altsetting == 3)
    3437 return SNDRV_PCM_FMTBIT_DSD_U32_BE;
    3438 }