Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-alx/patches-4.9/0248-4.9.149-all-fixes.patch

    Contents of /trunk/kernel-alx/patches-4.9/0248-4.9.149-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 3301 - (show annotations) (download)
    Tue Mar 12 10:43:09 2019 UTC (5 years, 2 months ago) by niro
    File size: 56978 byte(s) 
    -linux-4.9.149
    1 diff --git a/Makefile b/Makefile
    2 index 1b71b11ea63e..1feac0246fe2 100644
    3 --- a/Makefile
    4 +++ b/Makefile
    5 @@ -1,6 +1,6 @@
    6 VERSION = 4
    7 PATCHLEVEL = 9
    8 -SUBLEVEL = 148
    9 +SUBLEVEL = 149
    10 EXTRAVERSION =
    11 NAME = Roaring Lionus
    12
    13 diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h
    14 index 0dbc1c6ab7dc..68dedca5a47e 100644
    15 --- a/arch/arm64/include/asm/kvm_arm.h
    16 +++ b/arch/arm64/include/asm/kvm_arm.h
    17 @@ -99,7 +99,7 @@
    18 TCR_EL2_ORGN0_MASK | TCR_EL2_IRGN0_MASK | TCR_EL2_T0SZ_MASK)
    19
    20 /* VTCR_EL2 Registers bits */
    21 -#define VTCR_EL2_RES1 (1 << 31)
    22 +#define VTCR_EL2_RES1 (1U << 31)
    23 #define VTCR_EL2_HD (1 << 22)
    24 #define VTCR_EL2_HA (1 << 21)
    25 #define VTCR_EL2_PS_MASK TCR_EL2_PS_MASK
    26 diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
    27 index 37fe58c19a90..542c3ede9722 100644
    28 --- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
    29 +++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
    30 @@ -13,6 +13,7 @@
    31 #include <stdint.h>
    32 #include <stdio.h>
    33 #include <stdlib.h>
    34 +#include "../../../../include/linux/sizes.h"
    35
    36 int main(int argc, char *argv[])
    37 {
    38 @@ -45,11 +46,11 @@ int main(int argc, char *argv[])
    39 vmlinuz_load_addr = vmlinux_load_addr + vmlinux_size;
    40
    41 /*
    42 - * Align with 16 bytes: "greater than that used for any standard data
    43 - * types by a MIPS compiler." -- See MIPS Run Linux (Second Edition).
    44 + * Align with 64KB: KEXEC needs load sections to be aligned to PAGE_SIZE,
    45 + * which may be as large as 64KB depending on the kernel configuration.
    46 */
    47
    48 - vmlinuz_load_addr += (16 - vmlinux_size % 16);
    49 + vmlinuz_load_addr += (SZ_64K - vmlinux_size % SZ_64K);
    50
    51 printf("0x%llx\n", vmlinuz_load_addr);
    52
    53 diff --git a/arch/mips/cavium-octeon/executive/cvmx-helper.c b/arch/mips/cavium-octeon/executive/cvmx-helper.c
    54 index 396236a02b8c..59defc5e88aa 100644
    55 --- a/arch/mips/cavium-octeon/executive/cvmx-helper.c
    56 +++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c
    57 @@ -290,7 +290,8 @@ static cvmx_helper_interface_mode_t __cvmx_get_mode_cn7xxx(int interface)
    58 case 3:
    59 return CVMX_HELPER_INTERFACE_MODE_LOOP;
    60 case 4:
    61 - return CVMX_HELPER_INTERFACE_MODE_RGMII;
    62 + /* TODO: Implement support for AGL (RGMII). */
    63 + return CVMX_HELPER_INTERFACE_MODE_DISABLED;
    64 default:
    65 return CVMX_HELPER_INTERFACE_MODE_DISABLED;
    66 }
    67 diff --git a/arch/mips/include/asm/pgtable-64.h b/arch/mips/include/asm/pgtable-64.h
    68 index 514cbc0a6a67..ef6f00798011 100644
    69 --- a/arch/mips/include/asm/pgtable-64.h
    70 +++ b/arch/mips/include/asm/pgtable-64.h
    71 @@ -193,6 +193,11 @@ static inline int pmd_bad(pmd_t pmd)
    72
    73 static inline int pmd_present(pmd_t pmd)
    74 {
    75 +#ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
    76 + if (unlikely(pmd_val(pmd) & _PAGE_HUGE))
    77 + return pmd_val(pmd) & _PAGE_PRESENT;
    78 +#endif
    79 +
    80 return pmd_val(pmd) != (unsigned long) invalid_pte_table;
    81 }
    82
    83 diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
    84 index 22a0ccb17ad0..9a8167b175d5 100644
    85 --- a/arch/x86/include/asm/kvm_host.h
    86 +++ b/arch/x86/include/asm/kvm_host.h
    87 @@ -1324,7 +1324,7 @@ asmlinkage void kvm_spurious_fault(void);
    88 "cmpb $0, kvm_rebooting \n\t" \
    89 "jne 668b \n\t" \
    90 __ASM_SIZE(push) " $666b \n\t" \
    91 - "call kvm_spurious_fault \n\t" \
    92 + "jmp kvm_spurious_fault \n\t" \
    93 ".popsection \n\t" \
    94 _ASM_EXTABLE(666b, 667b)
    95
    96 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
    97 index 011050820608..9446a3a2fc69 100644
    98 --- a/arch/x86/kvm/vmx.c
    99 +++ b/arch/x86/kvm/vmx.c
    100 @@ -6548,9 +6548,24 @@ static int handle_ept_misconfig(struct kvm_vcpu *vcpu)
    101
    102 gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS);
    103 if (!kvm_io_bus_write(vcpu, KVM_FAST_MMIO_BUS, gpa, 0, NULL)) {
    104 - skip_emulated_instruction(vcpu);
    105 trace_kvm_fast_mmio(gpa);
    106 - return 1;
    107 + /*
    108 + * Doing kvm_skip_emulated_instruction() depends on undefined
    109 + * behavior: Intel's manual doesn't mandate
    110 + * VM_EXIT_INSTRUCTION_LEN to be set in VMCS when EPT MISCONFIG
    111 + * occurs and while on real hardware it was observed to be set,
    112 + * other hypervisors (namely Hyper-V) don't set it, we end up
    113 + * advancing IP with some random value. Disable fast mmio when
    114 + * running nested and keep it for real hardware in hope that
    115 + * VM_EXIT_INSTRUCTION_LEN will always be set correctly.
    116 + */
    117 + if (!static_cpu_has(X86_FEATURE_HYPERVISOR)) {
    118 + skip_emulated_instruction(vcpu);
    119 + return 1;
    120 + }
    121 + else
    122 + return x86_emulate_instruction(vcpu, gpa, EMULTYPE_SKIP,
    123 + NULL, 0) == EMULATE_DONE;
    124 }
    125
    126 ret = handle_mmio_page_fault(vcpu, gpa, true);
    127 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
    128 index 27d13b870e07..46e0ad71b4da 100644
    129 --- a/arch/x86/kvm/x86.c
    130 +++ b/arch/x86/kvm/x86.c
    131 @@ -5707,7 +5707,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu,
    132 * handle watchpoints yet, those would be handled in
    133 * the emulate_ops.
    134 */
    135 - if (kvm_vcpu_check_breakpoint(vcpu, &r))
    136 + if (!(emulation_type & EMULTYPE_SKIP) &&
    137 + kvm_vcpu_check_breakpoint(vcpu, &r))
    138 return r;
    139
    140 ctxt->interruptibility = 0;
    141 diff --git a/drivers/base/platform-msi.c b/drivers/base/platform-msi.c
    142 index be6a599bc0c1..7ba1d731dece 100644
    143 --- a/drivers/base/platform-msi.c
    144 +++ b/drivers/base/platform-msi.c
    145 @@ -375,14 +375,16 @@ void platform_msi_domain_free(struct irq_domain *domain, unsigned int virq,
    146 unsigned int nvec)
    147 {
    148 struct platform_msi_priv_data *data = domain->host_data;
    149 - struct msi_desc *desc;
    150 - for_each_msi_entry(desc, data->dev) {
    151 + struct msi_desc *desc, *tmp;
    152 + for_each_msi_entry_safe(desc, tmp, data->dev) {
    153 if (WARN_ON(!desc->irq || desc->nvec_used != 1))
    154 return;
    155 if (!(desc->irq >= virq && desc->irq < (virq + nvec)))
    156 continue;
    157
    158 irq_domain_free_irqs_common(domain, desc->irq, 1);
    159 + list_del(&desc->list);
    160 + free_msi_entry(desc);
    161 }
    162 }
    163
    164 diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c
    165 index caa86b19c76d..f74f451baf6a 100644
    166 --- a/drivers/char/tpm/tpm_i2c_nuvoton.c
    167 +++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
    168 @@ -369,6 +369,7 @@ static int i2c_nuvoton_send(struct tpm_chip *chip, u8 *buf, size_t len)
    169 struct device *dev = chip->dev.parent;
    170 struct i2c_client *client = to_i2c_client(dev);
    171 u32 ordinal;
    172 + unsigned long duration;
    173 size_t count = 0;
    174 int burst_count, bytes2write, retries, rc = -EIO;
    175
    176 @@ -455,10 +456,12 @@ static int i2c_nuvoton_send(struct tpm_chip *chip, u8 *buf, size_t len)
    177 return rc;
    178 }
    179 ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
    180 - rc = i2c_nuvoton_wait_for_data_avail(chip,
    181 - tpm_calc_ordinal_duration(chip,
    182 - ordinal),
    183 - &priv->read_queue);
    184 + if (chip->flags & TPM_CHIP_FLAG_TPM2)
    185 + duration = tpm2_calc_ordinal_duration(chip, ordinal);
    186 + else
    187 + duration = tpm_calc_ordinal_duration(chip, ordinal);
    188 +
    189 + rc = i2c_nuvoton_wait_for_data_avail(chip, duration, &priv->read_queue);
    190 if (rc) {
    191 dev_err(dev, "%s() timeout command duration\n", __func__);
    192 i2c_nuvoton_ready(chip);
    193 diff --git a/drivers/clk/rockchip/clk-rk3188.c b/drivers/clk/rockchip/clk-rk3188.c
    194 index d0e722a0e8cf..523378d1396e 100644
    195 --- a/drivers/clk/rockchip/clk-rk3188.c
    196 +++ b/drivers/clk/rockchip/clk-rk3188.c
    197 @@ -381,7 +381,7 @@ static struct rockchip_clk_branch common_clk_branches[] __initdata = {
    198 COMPOSITE_NOMUX(0, "spdif_pre", "i2s_src", 0,
    199 RK2928_CLKSEL_CON(5), 0, 7, DFLAGS,
    200 RK2928_CLKGATE_CON(0), 13, GFLAGS),
    201 - COMPOSITE_FRACMUX(0, "spdif_frac", "spdif_pll", CLK_SET_RATE_PARENT,
    202 + COMPOSITE_FRACMUX(0, "spdif_frac", "spdif_pre", CLK_SET_RATE_PARENT,
    203 RK2928_CLKSEL_CON(9), 0,
    204 RK2928_CLKGATE_CON(0), 14, GFLAGS,
    205 &common_spdif_fracmux),
    206 diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
    207 index 471984ec2db0..30adc5745cba 100644
    208 --- a/drivers/input/mouse/elan_i2c_core.c
    209 +++ b/drivers/input/mouse/elan_i2c_core.c
    210 @@ -1240,6 +1240,7 @@ MODULE_DEVICE_TABLE(i2c, elan_id);
    211 static const struct acpi_device_id elan_acpi_id[] = {
    212 { "ELAN0000", 0 },
    213 { "ELAN0100", 0 },
    214 + { "ELAN0501", 0 },
    215 { "ELAN0600", 0 },
    216 { "ELAN0602", 0 },
    217 { "ELAN0605", 0 },
    218 diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
    219 index dd7e38ac29bd..d15347de415a 100644
    220 --- a/drivers/isdn/capi/kcapi.c
    221 +++ b/drivers/isdn/capi/kcapi.c
    222 @@ -851,7 +851,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
    223 u16 ret;
    224
    225 if (contr == 0) {
    226 - strlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
    227 + strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
    228 return CAPI_NOERROR;
    229 }
    230
    231 @@ -859,7 +859,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
    232
    233 ctr = get_capi_ctr_by_nr(contr);
    234 if (ctr && ctr->state == CAPI_CTR_RUNNING) {
    235 - strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
    236 + strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
    237 ret = CAPI_NOERROR;
    238 } else
    239 ret = CAPI_REGNOTINSTALLED;
    240 diff --git a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
    241 index 1f463f4c3024..d2f72f3635aa 100644
    242 --- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
    243 +++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
    244 @@ -1618,7 +1618,7 @@ typedef struct { u16 __; u8 _; } __packed x24;
    245 unsigned s; \
    246 \
    247 for (s = 0; s < len; s++) { \
    248 - u8 chr = font8x16[text[s] * 16 + line]; \
    249 + u8 chr = font8x16[(u8)text[s] * 16 + line]; \
    250 \
    251 if (hdiv == 2 && tpg->hflip) { \
    252 pos[3] = (chr & (0x01 << 6) ? fg : bg); \
    253 diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c
    254 index d5c84ecf2027..25d4fd4f4c0b 100644
    255 --- a/drivers/media/platform/vivid/vivid-vid-cap.c
    256 +++ b/drivers/media/platform/vivid/vivid-vid-cap.c
    257 @@ -452,6 +452,8 @@ void vivid_update_format_cap(struct vivid_dev *dev, bool keep_controls)
    258 tpg_s_rgb_range(&dev->tpg, v4l2_ctrl_g_ctrl(dev->rgb_range_cap));
    259 break;
    260 }
    261 + vfree(dev->bitmap_cap);
    262 + dev->bitmap_cap = NULL;
    263 vivid_update_quality(dev);
    264 tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap);
    265 dev->crop_cap = dev->src_rect;
    266 diff --git a/drivers/mtd/spi-nor/Kconfig b/drivers/mtd/spi-nor/Kconfig
    267 index 4a682ee0f632..b4f6cadd28fe 100644
    268 --- a/drivers/mtd/spi-nor/Kconfig
    269 +++ b/drivers/mtd/spi-nor/Kconfig
    270 @@ -31,7 +31,7 @@ config MTD_SPI_NOR_USE_4K_SECTORS
    271
    272 config SPI_ATMEL_QUADSPI
    273 tristate "Atmel Quad SPI Controller"
    274 - depends on ARCH_AT91 || (ARM && COMPILE_TEST)
    275 + depends on ARCH_AT91 || (ARM && COMPILE_TEST && !ARCH_EBSA110)
    276 depends on OF && HAS_IOMEM
    277 help
    278 This enables support for the Quad SPI controller in master mode.
    279 diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
    280 index b375ae9f98ef..4996228fd7e6 100644
    281 --- a/drivers/net/ethernet/ibm/ibmveth.c
    282 +++ b/drivers/net/ethernet/ibm/ibmveth.c
    283 @@ -1162,11 +1162,15 @@ out:
    284
    285 map_failed_frags:
    286 last = i+1;
    287 - for (i = 0; i < last; i++)
    288 + for (i = 1; i < last; i++)
    289 dma_unmap_page(&adapter->vdev->dev, descs[i].fields.address,
    290 descs[i].fields.flags_len & IBMVETH_BUF_LEN_MASK,
    291 DMA_TO_DEVICE);
    292
    293 + dma_unmap_single(&adapter->vdev->dev,
    294 + descs[0].fields.address,
    295 + descs[0].fields.flags_len & IBMVETH_BUF_LEN_MASK,
    296 + DMA_TO_DEVICE);
    297 map_failed:
    298 if (!firmware_has_feature(FW_FEATURE_CMO))
    299 netdev_err(netdev, "tx: unable to map xmit buffer\n");
    300 diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
    301 index da1d73fe1a81..d5e8ac86c195 100644
    302 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
    303 +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
    304 @@ -1167,11 +1167,6 @@ static int mlx5e_get_ts_info(struct net_device *dev,
    305 struct ethtool_ts_info *info)
    306 {
    307 struct mlx5e_priv *priv = netdev_priv(dev);
    308 - int ret;
    309 -
    310 - ret = ethtool_op_get_ts_info(dev, info);
    311 - if (ret)
    312 - return ret;
    313
    314 info->phc_index = priv->tstamp.ptp ?
    315 ptp_clock_index(priv->tstamp.ptp) : -1;
    316 @@ -1179,9 +1174,9 @@ static int mlx5e_get_ts_info(struct net_device *dev,
    317 if (!MLX5_CAP_GEN(priv->mdev, device_frequency_khz))
    318 return 0;
    319
    320 - info->so_timestamping |= SOF_TIMESTAMPING_TX_HARDWARE |
    321 - SOF_TIMESTAMPING_RX_HARDWARE |
    322 - SOF_TIMESTAMPING_RAW_HARDWARE;
    323 + info->so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE |
    324 + SOF_TIMESTAMPING_RX_HARDWARE |
    325 + SOF_TIMESTAMPING_RAW_HARDWARE;
    326
    327 info->tx_types = BIT(HWTSTAMP_TX_OFF) |
    328 BIT(HWTSTAMP_TX_ON);
    329 diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
    330 index 5f3402ba9916..13dfc197bdd8 100644
    331 --- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
    332 +++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
    333 @@ -390,7 +390,7 @@ static void del_rule(struct fs_node *node)
    334 }
    335 if ((fte->action & MLX5_FLOW_CONTEXT_ACTION_FWD_DEST) &&
    336 --fte->dests_size) {
    337 - modify_mask = BIT(MLX5_SET_FTE_MODIFY_ENABLE_MASK_DESTINATION_LIST),
    338 + modify_mask = BIT(MLX5_SET_FTE_MODIFY_ENABLE_MASK_DESTINATION_LIST);
    339 err = mlx5_cmd_update_fte(dev, ft,
    340 fg->id,
    341 modify_mask,
    342 diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
    343 index f04be9e8980f..5048a6df6a8e 100644
    344 --- a/drivers/net/phy/phy_device.c
    345 +++ b/drivers/net/phy/phy_device.c
    346 @@ -163,11 +163,8 @@ static int mdio_bus_phy_restore(struct device *dev)
    347 if (ret < 0)
    348 return ret;
    349
    350 - /* The PHY needs to renegotiate. */
    351 - phydev->link = 0;
    352 - phydev->state = PHY_UP;
    353 -
    354 - phy_start_machine(phydev);
    355 + if (phydev->attached_dev && phydev->adjust_link)
    356 + phy_start_machine(phydev);
    357
    358 return 0;
    359 }
    360 diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
    361 index 2b728cc52e3a..134eb184fa22 100644
    362 --- a/drivers/net/usb/qmi_wwan.c
    363 +++ b/drivers/net/usb/qmi_wwan.c
    364 @@ -951,7 +951,7 @@ static const struct usb_device_id products[] = {
    365 {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
    366 {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */
    367 {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */
    368 - {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)}, /* SIMCom 7230E */
    369 + {QMI_QUIRK_SET_DTR(0x1e0e, 0x9001, 5)}, /* SIMCom 7100E, 7230E, 7600E ++ */
    370 {QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */
    371 {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */
    372 {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */
    373 diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c
    374 index 1bc5e93d2a34..eb56bb5916be 100644
    375 --- a/drivers/net/wan/x25_asy.c
    376 +++ b/drivers/net/wan/x25_asy.c
    377 @@ -488,8 +488,10 @@ static int x25_asy_open(struct net_device *dev)
    378
    379 /* Cleanup */
    380 kfree(sl->xbuff);
    381 + sl->xbuff = NULL;
    382 noxbuff:
    383 kfree(sl->rbuff);
    384 + sl->rbuff = NULL;
    385 norbuff:
    386 return -ENOMEM;
    387 }
    388 diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
    389 index aceae791baf3..14ceeaaa7fe5 100644
    390 --- a/drivers/net/xen-netfront.c
    391 +++ b/drivers/net/xen-netfront.c
    392 @@ -903,7 +903,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
    393 if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
    394 unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
    395
    396 - BUG_ON(pull_to <= skb_headlen(skb));
    397 + BUG_ON(pull_to < skb_headlen(skb));
    398 __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
    399 }
    400 if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
    401 diff --git a/drivers/nfc/nxp-nci/firmware.c b/drivers/nfc/nxp-nci/firmware.c
    402 index 5291797324ba..553011f58339 100644
    403 --- a/drivers/nfc/nxp-nci/firmware.c
    404 +++ b/drivers/nfc/nxp-nci/firmware.c
    405 @@ -24,7 +24,7 @@
    406 #include <linux/completion.h>
    407 #include <linux/firmware.h>
    408 #include <linux/nfc.h>
    409 -#include <linux/unaligned/access_ok.h>
    410 +#include <asm/unaligned.h>
    411
    412 #include "nxp-nci.h"
    413
    414 diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
    415 index 36099e557730..06a157c63416 100644
    416 --- a/drivers/nfc/nxp-nci/i2c.c
    417 +++ b/drivers/nfc/nxp-nci/i2c.c
    418 @@ -36,7 +36,7 @@
    419 #include <linux/of_gpio.h>
    420 #include <linux/of_irq.h>
    421 #include <linux/platform_data/nxp-nci.h>
    422 -#include <linux/unaligned/access_ok.h>
    423 +#include <asm/unaligned.h>
    424
    425 #include <net/nfc/nfc.h>
    426
    427 diff --git a/drivers/rtc/rtc-m41t80.c b/drivers/rtc/rtc-m41t80.c
    428 index c4ca6a385790..6b6b623cc250 100644
    429 --- a/drivers/rtc/rtc-m41t80.c
    430 +++ b/drivers/rtc/rtc-m41t80.c
    431 @@ -333,7 +333,7 @@ static int m41t80_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
    432 alrm->time.tm_min = bcd2bin(alarmvals[3] & 0x7f);
    433 alrm->time.tm_hour = bcd2bin(alarmvals[2] & 0x3f);
    434 alrm->time.tm_mday = bcd2bin(alarmvals[1] & 0x3f);
    435 - alrm->time.tm_mon = bcd2bin(alarmvals[0] & 0x3f);
    436 + alrm->time.tm_mon = bcd2bin(alarmvals[0] & 0x3f) - 1;
    437
    438 alrm->enabled = !!(alarmvals[0] & M41T80_ALMON_AFE);
    439 alrm->pending = (flags & M41T80_FLAGS_AF) && alrm->enabled;
    440 diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
    441 index f35cc10772f6..25abf2d1732a 100644
    442 --- a/drivers/spi/spi-bcm2835.c
    443 +++ b/drivers/spi/spi-bcm2835.c
    444 @@ -88,7 +88,7 @@ struct bcm2835_spi {
    445 u8 *rx_buf;
    446 int tx_len;
    447 int rx_len;
    448 - bool dma_pending;
    449 + unsigned int dma_pending;
    450 };
    451
    452 static inline u32 bcm2835_rd(struct bcm2835_spi *bs, unsigned reg)
    453 @@ -155,8 +155,7 @@ static irqreturn_t bcm2835_spi_interrupt(int irq, void *dev_id)
    454 /* Write as many bytes as possible to FIFO */
    455 bcm2835_wr_fifo(bs);
    456
    457 - /* based on flags decide if we can finish the transfer */
    458 - if (bcm2835_rd(bs, BCM2835_SPI_CS) & BCM2835_SPI_CS_DONE) {
    459 + if (!bs->rx_len) {
    460 /* Transfer complete - reset SPI HW */
    461 bcm2835_spi_reset_hw(master);
    462 /* wake up the framework */
    463 @@ -233,10 +232,9 @@ static void bcm2835_spi_dma_done(void *data)
    464 * is called the tx-dma must have finished - can't get to this
    465 * situation otherwise...
    466 */
    467 - dmaengine_terminate_all(master->dma_tx);
    468 -
    469 - /* mark as no longer pending */
    470 - bs->dma_pending = 0;
    471 + if (cmpxchg(&bs->dma_pending, true, false)) {
    472 + dmaengine_terminate_all(master->dma_tx);
    473 + }
    474
    475 /* and mark as completed */;
    476 complete(&master->xfer_completion);
    477 @@ -342,6 +340,7 @@ static int bcm2835_spi_transfer_one_dma(struct spi_master *master,
    478 if (ret) {
    479 /* need to reset on errors */
    480 dmaengine_terminate_all(master->dma_tx);
    481 + bs->dma_pending = false;
    482 bcm2835_spi_reset_hw(master);
    483 return ret;
    484 }
    485 @@ -617,10 +616,9 @@ static void bcm2835_spi_handle_err(struct spi_master *master,
    486 struct bcm2835_spi *bs = spi_master_get_devdata(master);
    487
    488 /* if an error occurred and we have an active dma, then terminate */
    489 - if (bs->dma_pending) {
    490 + if (cmpxchg(&bs->dma_pending, true, false)) {
    491 dmaengine_terminate_all(master->dma_tx);
    492 dmaengine_terminate_all(master->dma_rx);
    493 - bs->dma_pending = 0;
    494 }
    495 /* and reset */
    496 bcm2835_spi_reset_hw(master);
    497 diff --git a/drivers/staging/wilc1000/wilc_sdio.c b/drivers/staging/wilc1000/wilc_sdio.c
    498 index 39b73fb27398..63c8701dedcf 100644
    499 --- a/drivers/staging/wilc1000/wilc_sdio.c
    500 +++ b/drivers/staging/wilc1000/wilc_sdio.c
    501 @@ -830,6 +830,7 @@ static int sdio_read_int(struct wilc *wilc, u32 *int_status)
    502 if (!g_sdio.irq_gpio) {
    503 int i;
    504
    505 + cmd.read_write = 0;
    506 cmd.function = 1;
    507 cmd.address = 0x04;
    508 cmd.data = 0;
    509 diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
    510 index 7497f1d4a818..fcf2e51f2cfe 100644
    511 --- a/drivers/tty/serial/xilinx_uartps.c
    512 +++ b/drivers/tty/serial/xilinx_uartps.c
    513 @@ -128,7 +128,7 @@ MODULE_PARM_DESC(rx_timeout, "Rx timeout, 1-255");
    514 #define CDNS_UART_IXR_RXTRIG 0x00000001 /* RX FIFO trigger interrupt */
    515 #define CDNS_UART_IXR_RXFULL 0x00000004 /* RX FIFO full interrupt. */
    516 #define CDNS_UART_IXR_RXEMPTY 0x00000002 /* RX FIFO empty interrupt. */
    517 -#define CDNS_UART_IXR_MASK 0x00001FFF /* Valid bit mask */
    518 +#define CDNS_UART_IXR_RXMASK 0x000021e7 /* Valid RX bit mask */
    519
    520 /*
    521 * Do not enable parity error interrupt for the following
    522 @@ -362,7 +362,7 @@ static irqreturn_t cdns_uart_isr(int irq, void *dev_id)
    523 cdns_uart_handle_tx(dev_id);
    524 isrstatus &= ~CDNS_UART_IXR_TXEMPTY;
    525 }
    526 - if (isrstatus & CDNS_UART_IXR_MASK)
    527 + if (isrstatus & CDNS_UART_IXR_RXMASK)
    528 cdns_uart_handle_rx(dev_id, isrstatus);
    529
    530 spin_unlock(&port->lock);
    531 diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
    532 index cd4f96354fa8..6c0bb38c4089 100644
    533 --- a/drivers/usb/class/cdc-acm.c
    534 +++ b/drivers/usb/class/cdc-acm.c
    535 @@ -502,6 +502,13 @@ static int acm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
    536 if (retval)
    537 goto error_init_termios;
    538
    539 + /*
    540 + * Suppress initial echoing for some devices which might send data
    541 + * immediately after acm driver has been installed.
    542 + */
    543 + if (acm->quirks & DISABLE_ECHO)
    544 + tty->termios.c_lflag &= ~ECHO;
    545 +
    546 tty->driver_data = acm;
    547
    548 return 0;
    549 @@ -1620,6 +1627,9 @@ static const struct usb_device_id acm_ids[] = {
    550 { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */
    551 .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
    552 },
    553 + { USB_DEVICE(0x0e8d, 0x2000), /* MediaTek Inc Preloader */
    554 + .driver_info = DISABLE_ECHO, /* DISABLE ECHO in termios flag */
    555 + },
    556 { USB_DEVICE(0x0e8d, 0x3329), /* MediaTek Inc GPS */
    557 .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
    558 },
    559 diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
    560 index b30ac5fcde68..1ad9ff9f493d 100644
    561 --- a/drivers/usb/class/cdc-acm.h
    562 +++ b/drivers/usb/class/cdc-acm.h
    563 @@ -134,3 +134,4 @@ struct acm {
    564 #define QUIRK_CONTROL_LINE_STATE BIT(6)
    565 #define CLEAR_HALT_CONDITIONS BIT(7)
    566 #define SEND_ZERO_PACKET BIT(8)
    567 +#define DISABLE_ECHO BIT(9)
    568 diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c
    569 index 7bf78be1fd32..72c3ed76a77d 100644
    570 --- a/drivers/usb/host/r8a66597-hcd.c
    571 +++ b/drivers/usb/host/r8a66597-hcd.c
    572 @@ -1990,6 +1990,8 @@ static int r8a66597_urb_dequeue(struct usb_hcd *hcd, struct urb *urb,
    573
    574 static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
    575 struct usb_host_endpoint *hep)
    576 +__acquires(r8a66597->lock)
    577 +__releases(r8a66597->lock)
    578 {
    579 struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd);
    580 struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv;
    581 @@ -2002,13 +2004,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
    582 return;
    583 pipenum = pipe->info.pipenum;
    584
    585 + spin_lock_irqsave(&r8a66597->lock, flags);
    586 if (pipenum == 0) {
    587 kfree(hep->hcpriv);
    588 hep->hcpriv = NULL;
    589 + spin_unlock_irqrestore(&r8a66597->lock, flags);
    590 return;
    591 }
    592
    593 - spin_lock_irqsave(&r8a66597->lock, flags);
    594 pipe_stop(r8a66597, pipe);
    595 pipe_irq_disable(r8a66597, pipenum);
    596 disable_irq_empty(r8a66597, pipenum);
    597 diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
    598 index 1e3445dd84b2..7bc2c9fef605 100644
    599 --- a/drivers/usb/serial/option.c
    600 +++ b/drivers/usb/serial/option.c
    601 @@ -1956,6 +1956,10 @@ static const struct usb_device_id option_ids[] = {
    602 { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
    603 { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */
    604 .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
    605 + { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */
    606 + .driver_info = RSVD(4) | RSVD(5) },
    607 + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0105, 0xff), /* Fibocom NL678 series */
    608 + .driver_info = RSVD(6) },
    609 { } /* Terminating entry */
    610 };
    611 MODULE_DEVICE_TABLE(usb, option_ids);
    612 diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
    613 index 3da25ad267a2..4966768d3c98 100644
    614 --- a/drivers/usb/serial/pl2303.c
    615 +++ b/drivers/usb/serial/pl2303.c
    616 @@ -86,9 +86,14 @@ static const struct usb_device_id id_table[] = {
    617 { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) },
    618 { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) },
    619 { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
    620 + { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) },
    621 { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
    622 + { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) },
    623 { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },
    624 { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) },
    625 + { USB_DEVICE(HP_VENDOR_ID, HP_LM920_PRODUCT_ID) },
    626 + { USB_DEVICE(HP_VENDOR_ID, HP_LM940_PRODUCT_ID) },
    627 + { USB_DEVICE(HP_VENDOR_ID, HP_TD620_PRODUCT_ID) },
    628 { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) },
    629 { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) },
    630 { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) },
    631 diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h
    632 index 123289085ee2..a84f0959ab34 100644
    633 --- a/drivers/usb/serial/pl2303.h
    634 +++ b/drivers/usb/serial/pl2303.h
    635 @@ -123,10 +123,15 @@
    636
    637 /* Hewlett-Packard POS Pole Displays */
    638 #define HP_VENDOR_ID 0x03f0
    639 +#define HP_LM920_PRODUCT_ID 0x026b
    640 +#define HP_TD620_PRODUCT_ID 0x0956
    641 #define HP_LD960_PRODUCT_ID 0x0b39
    642 #define HP_LCM220_PRODUCT_ID 0x3139
    643 #define HP_LCM960_PRODUCT_ID 0x3239
    644 #define HP_LD220_PRODUCT_ID 0x3524
    645 +#define HP_LD220TA_PRODUCT_ID 0x4349
    646 +#define HP_LD960TA_PRODUCT_ID 0x4439
    647 +#define HP_LM940_PRODUCT_ID 0x5039
    648
    649 /* Cressi Edy (diving computer) PC interface */
    650 #define CRESSI_VENDOR_ID 0x04b8
    651 diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
    652 index 4c5625cb540c..53b1b3cfce84 100644
    653 --- a/drivers/vhost/vhost.c
    654 +++ b/drivers/vhost/vhost.c
    655 @@ -2145,6 +2145,8 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads,
    656 return -EFAULT;
    657 }
    658 if (unlikely(vq->log_used)) {
    659 + /* Make sure used idx is seen before log. */
    660 + smp_wmb();
    661 /* Log used index update. */
    662 log_write(vq->log_base,
    663 vq->log_addr + offsetof(struct vring_used, idx),
    664 diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c
    665 index 8257a5a97cc0..98c25b969ab8 100644
    666 --- a/fs/cifs/smb2maperror.c
    667 +++ b/fs/cifs/smb2maperror.c
    668 @@ -377,8 +377,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = {
    669 {STATUS_NONEXISTENT_EA_ENTRY, -EIO, "STATUS_NONEXISTENT_EA_ENTRY"},
    670 {STATUS_NO_EAS_ON_FILE, -ENODATA, "STATUS_NO_EAS_ON_FILE"},
    671 {STATUS_EA_CORRUPT_ERROR, -EIO, "STATUS_EA_CORRUPT_ERROR"},
    672 - {STATUS_FILE_LOCK_CONFLICT, -EIO, "STATUS_FILE_LOCK_CONFLICT"},
    673 - {STATUS_LOCK_NOT_GRANTED, -EIO, "STATUS_LOCK_NOT_GRANTED"},
    674 + {STATUS_FILE_LOCK_CONFLICT, -EACCES, "STATUS_FILE_LOCK_CONFLICT"},
    675 + {STATUS_LOCK_NOT_GRANTED, -EACCES, "STATUS_LOCK_NOT_GRANTED"},
    676 {STATUS_DELETE_PENDING, -ENOENT, "STATUS_DELETE_PENDING"},
    677 {STATUS_CTL_FILE_NOT_SUPPORTED, -ENOSYS,
    678 "STATUS_CTL_FILE_NOT_SUPPORTED"},
    679 diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
    680 index d06cfe372609..1008384d5ed5 100644
    681 --- a/fs/ext4/inline.c
    682 +++ b/fs/ext4/inline.c
    683 @@ -702,8 +702,11 @@ int ext4_try_to_write_inline_data(struct address_space *mapping,
    684
    685 if (!PageUptodate(page)) {
    686 ret = ext4_read_inline_page(inode, page);
    687 - if (ret < 0)
    688 + if (ret < 0) {
    689 + unlock_page(page);
    690 + put_page(page);
    691 goto out_up_read;
    692 + }
    693 }
    694
    695 ret = 1;
    696 diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
    697 index 9be605c63ae1..58e6b8a03e90 100644
    698 --- a/fs/ext4/resize.c
    699 +++ b/fs/ext4/resize.c
    700 @@ -1600,7 +1600,7 @@ int ext4_group_add(struct super_block *sb, struct ext4_new_group_data *input)
    701 }
    702
    703 if (reserved_gdb || gdb_off == 0) {
    704 - if (ext4_has_feature_resize_inode(sb) ||
    705 + if (!ext4_has_feature_resize_inode(sb) ||
    706 !le16_to_cpu(es->s_reserved_gdt_blocks)) {
    707 ext4_warning(sb,
    708 "No reserved GDT blocks, can't resize");
    709 diff --git a/fs/ext4/super.c b/fs/ext4/super.c
    710 index 75177eb498ed..6810234b0b27 100644
    711 --- a/fs/ext4/super.c
    712 +++ b/fs/ext4/super.c
    713 @@ -1076,6 +1076,16 @@ static struct dentry *ext4_fh_to_parent(struct super_block *sb, struct fid *fid,
    714 ext4_nfs_get_inode);
    715 }
    716
    717 +static int ext4_nfs_commit_metadata(struct inode *inode)
    718 +{
    719 + struct writeback_control wbc = {
    720 + .sync_mode = WB_SYNC_ALL
    721 + };
    722 +
    723 + trace_ext4_nfs_commit_metadata(inode);
    724 + return ext4_write_inode(inode, &wbc);
    725 +}
    726 +
    727 /*
    728 * Try to release metadata pages (indirect blocks, directories) which are
    729 * mapped via the block device. Since these pages could have journal heads
    730 @@ -1258,6 +1268,7 @@ static const struct export_operations ext4_export_ops = {
    731 .fh_to_dentry = ext4_fh_to_dentry,
    732 .fh_to_parent = ext4_fh_to_parent,
    733 .get_parent = ext4_get_parent,
    734 + .commit_metadata = ext4_nfs_commit_metadata,
    735 };
    736
    737 enum {
    738 @@ -5425,9 +5436,9 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id,
    739 qf_inode->i_flags |= S_NOQUOTA;
    740 lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA);
    741 err = dquot_enable(qf_inode, type, format_id, flags);
    742 - iput(qf_inode);
    743 if (err)
    744 lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL);
    745 + iput(qf_inode);
    746
    747 return err;
    748 }
    749 diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
    750 index 22f765069655..ec9beaa69abb 100644
    751 --- a/fs/ext4/xattr.c
    752 +++ b/fs/ext4/xattr.c
    753 @@ -1499,7 +1499,7 @@ retry:
    754 base = IFIRST(header);
    755 end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
    756 min_offs = end - base;
    757 - total_ino = sizeof(struct ext4_xattr_ibody_header);
    758 + total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32);
    759
    760 error = xattr_check_inode(inode, header, end);
    761 if (error)
    762 diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
    763 index c8f408d8a582..83a96334dc07 100644
    764 --- a/fs/f2fs/super.c
    765 +++ b/fs/f2fs/super.c
    766 @@ -1427,10 +1427,10 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
    767 return 1;
    768 }
    769
    770 - if (segment_count > (le32_to_cpu(raw_super->block_count) >> 9)) {
    771 + if (segment_count > (le64_to_cpu(raw_super->block_count) >> 9)) {
    772 f2fs_msg(sb, KERN_INFO,
    773 - "Wrong segment_count / block_count (%u > %u)",
    774 - segment_count, le32_to_cpu(raw_super->block_count));
    775 + "Wrong segment_count / block_count (%u > %llu)",
    776 + segment_count, le64_to_cpu(raw_super->block_count));
    777 return 1;
    778 }
    779
    780 diff --git a/include/linux/msi.h b/include/linux/msi.h
    781 index 0db320b7bb15..debc8aa4ec19 100644
    782 --- a/include/linux/msi.h
    783 +++ b/include/linux/msi.h
    784 @@ -108,6 +108,8 @@ struct msi_desc {
    785 list_first_entry(dev_to_msi_list((dev)), struct msi_desc, list)
    786 #define for_each_msi_entry(desc, dev) \
    787 list_for_each_entry((desc), dev_to_msi_list((dev)), list)
    788 +#define for_each_msi_entry_safe(desc, tmp, dev) \
    789 + list_for_each_entry_safe((desc), (tmp), dev_to_msi_list((dev)), list)
    790
    791 #ifdef CONFIG_PCI_MSI
    792 #define first_pci_msi_entry(pdev) first_msi_entry(&(pdev)->dev)
    793 diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
    794 index ac377a23265f..597b84d4805b 100644
    795 --- a/include/linux/ptr_ring.h
    796 +++ b/include/linux/ptr_ring.h
    797 @@ -384,6 +384,8 @@ static inline void **__ptr_ring_swap_queue(struct ptr_ring *r, void **queue,
    798 else if (destroy)
    799 destroy(ptr);
    800
    801 + if (producer >= size)
    802 + producer = 0;
    803 r->size = size;
    804 r->producer = producer;
    805 r->consumer = 0;
    806 diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h
    807 index 2a1abbf8da74..95f33eeee984 100644
    808 --- a/include/net/gro_cells.h
    809 +++ b/include/net/gro_cells.h
    810 @@ -86,6 +86,7 @@ static inline void gro_cells_destroy(struct gro_cells *gcells)
    811 for_each_possible_cpu(i) {
    812 struct gro_cell *cell = per_cpu_ptr(gcells->cells, i);
    813
    814 + napi_disable(&cell->napi);
    815 netif_napi_del(&cell->napi);
    816 __skb_queue_purge(&cell->napi_skbs);
    817 }
    818 diff --git a/include/net/sock.h b/include/net/sock.h
    819 index 6d42ed883bf9..15bb04dec40e 100644
    820 --- a/include/net/sock.h
    821 +++ b/include/net/sock.h
    822 @@ -284,6 +284,7 @@ struct sock_common {
    823 * @sk_filter: socket filtering instructions
    824 * @sk_timer: sock cleanup timer
    825 * @sk_stamp: time stamp of last packet received
    826 + * @sk_stamp_seq: lock for accessing sk_stamp on 32 bit architectures only
    827 * @sk_tsflags: SO_TIMESTAMPING socket options
    828 * @sk_tskey: counter to disambiguate concurrent tstamp requests
    829 * @sk_socket: Identd and reporting IO signals
    830 @@ -425,6 +426,9 @@ struct sock {
    831 long sk_sndtimeo;
    832 struct timer_list sk_timer;
    833 ktime_t sk_stamp;
    834 +#if BITS_PER_LONG==32
    835 + seqlock_t sk_stamp_seq;
    836 +#endif
    837 u16 sk_tsflags;
    838 u8 sk_shutdown;
    839 u32 sk_tskey;
    840 @@ -2114,6 +2118,34 @@ static inline void sk_drops_add(struct sock *sk, const struct sk_buff *skb)
    841 atomic_add(segs, &sk->sk_drops);
    842 }
    843
    844 +static inline ktime_t sock_read_timestamp(struct sock *sk)
    845 +{
    846 +#if BITS_PER_LONG==32
    847 + unsigned int seq;
    848 + ktime_t kt;
    849 +
    850 + do {
    851 + seq = read_seqbegin(&sk->sk_stamp_seq);
    852 + kt = sk->sk_stamp;
    853 + } while (read_seqretry(&sk->sk_stamp_seq, seq));
    854 +
    855 + return kt;
    856 +#else
    857 + return sk->sk_stamp;
    858 +#endif
    859 +}
    860 +
    861 +static inline void sock_write_timestamp(struct sock *sk, ktime_t kt)
    862 +{
    863 +#if BITS_PER_LONG==32
    864 + write_seqlock(&sk->sk_stamp_seq);
    865 + sk->sk_stamp = kt;
    866 + write_sequnlock(&sk->sk_stamp_seq);
    867 +#else
    868 + sk->sk_stamp = kt;
    869 +#endif
    870 +}
    871 +
    872 void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
    873 struct sk_buff *skb);
    874 void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk,
    875 @@ -2138,7 +2170,7 @@ sock_recv_timestamp(struct msghdr *msg, struct sock *sk, struct sk_buff *skb)
    876 (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE)))
    877 __sock_recv_timestamp(msg, sk, skb);
    878 else
    879 - sk->sk_stamp = kt;
    880 + sock_write_timestamp(sk, kt);
    881
    882 if (sock_flag(sk, SOCK_WIFI_STATUS) && skb->wifi_acked_valid)
    883 __sock_recv_wifi_status(msg, sk, skb);
    884 @@ -2158,7 +2190,7 @@ static inline void sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk,
    885 if (sk->sk_flags & FLAGS_TS_OR_DROPS || sk->sk_tsflags & TSFLAGS_ANY)
    886 __sock_recv_ts_and_drops(msg, sk, skb);
    887 else
    888 - sk->sk_stamp = skb->tstamp;
    889 + sock_write_timestamp(sk, skb->tstamp);
    890 }
    891
    892 void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags);
    893 diff --git a/include/trace/events/ext4.h b/include/trace/events/ext4.h
    894 index 09c71e9aaebf..215668b14f61 100644
    895 --- a/include/trace/events/ext4.h
    896 +++ b/include/trace/events/ext4.h
    897 @@ -223,6 +223,26 @@ TRACE_EVENT(ext4_drop_inode,
    898 (unsigned long) __entry->ino, __entry->drop)
    899 );
    900
    901 +TRACE_EVENT(ext4_nfs_commit_metadata,
    902 + TP_PROTO(struct inode *inode),
    903 +
    904 + TP_ARGS(inode),
    905 +
    906 + TP_STRUCT__entry(
    907 + __field( dev_t, dev )
    908 + __field( ino_t, ino )
    909 + ),
    910 +
    911 + TP_fast_assign(
    912 + __entry->dev = inode->i_sb->s_dev;
    913 + __entry->ino = inode->i_ino;
    914 + ),
    915 +
    916 + TP_printk("dev %d,%d ino %lu",
    917 + MAJOR(__entry->dev), MINOR(__entry->dev),
    918 + (unsigned long) __entry->ino)
    919 +);
    920 +
    921 TRACE_EVENT(ext4_mark_inode_dirty,
    922 TP_PROTO(struct inode *inode, unsigned long IP),
    923
    924 diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
    925 index 2fdebabbfacd..2772f6a13fcb 100644
    926 --- a/net/ax25/af_ax25.c
    927 +++ b/net/ax25/af_ax25.c
    928 @@ -654,15 +654,22 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
    929 break;
    930 }
    931
    932 - dev = dev_get_by_name(&init_net, devname);
    933 + rtnl_lock();
    934 + dev = __dev_get_by_name(&init_net, devname);
    935 if (!dev) {
    936 + rtnl_unlock();
    937 res = -ENODEV;
    938 break;
    939 }
    940
    941 ax25->ax25_dev = ax25_dev_ax25dev(dev);
    942 + if (!ax25->ax25_dev) {
    943 + rtnl_unlock();
    944 + res = -ENODEV;
    945 + break;
    946 + }
    947 ax25_fillin_cb(ax25, ax25->ax25_dev);
    948 - dev_put(dev);
    949 + rtnl_unlock();
    950 break;
    951
    952 default:
    953 diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
    954 index 3d106767b272..5faca5db6385 100644
    955 --- a/net/ax25/ax25_dev.c
    956 +++ b/net/ax25/ax25_dev.c
    957 @@ -116,6 +116,7 @@ void ax25_dev_device_down(struct net_device *dev)
    958 if ((s = ax25_dev_list) == ax25_dev) {
    959 ax25_dev_list = s->next;
    960 spin_unlock_bh(&ax25_dev_lock);
    961 + dev->ax25_ptr = NULL;
    962 dev_put(dev);
    963 kfree(ax25_dev);
    964 return;
    965 @@ -125,6 +126,7 @@ void ax25_dev_device_down(struct net_device *dev)
    966 if (s->next == ax25_dev) {
    967 s->next = ax25_dev->next;
    968 spin_unlock_bh(&ax25_dev_lock);
    969 + dev->ax25_ptr = NULL;
    970 dev_put(dev);
    971 kfree(ax25_dev);
    972 return;
    973 diff --git a/net/compat.c b/net/compat.c
    974 index 73671e6ec6eb..633fcf6ee369 100644
    975 --- a/net/compat.c
    976 +++ b/net/compat.c
    977 @@ -457,12 +457,14 @@ int compat_sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp)
    978 err = -ENOENT;
    979 if (!sock_flag(sk, SOCK_TIMESTAMP))
    980 sock_enable_timestamp(sk, SOCK_TIMESTAMP);
    981 - tv = ktime_to_timeval(sk->sk_stamp);
    982 + tv = ktime_to_timeval(sock_read_timestamp(sk));
    983 +
    984 if (tv.tv_sec == -1)
    985 return err;
    986 if (tv.tv_sec == 0) {
    987 - sk->sk_stamp = ktime_get_real();
    988 - tv = ktime_to_timeval(sk->sk_stamp);
    989 + ktime_t kt = ktime_get_real();
    990 + sock_write_timestamp(sk, kt);
    991 + tv = ktime_to_timeval(kt);
    992 }
    993 err = 0;
    994 if (put_user(tv.tv_sec, &ctv->tv_sec) ||
    995 @@ -485,12 +487,13 @@ int compat_sock_get_timestampns(struct sock *sk, struct timespec __user *usersta
    996 err = -ENOENT;
    997 if (!sock_flag(sk, SOCK_TIMESTAMP))
    998 sock_enable_timestamp(sk, SOCK_TIMESTAMP);
    999 - ts = ktime_to_timespec(sk->sk_stamp);
    1000 + ts = ktime_to_timespec(sock_read_timestamp(sk));
    1001 if (ts.tv_sec == -1)
    1002 return err;
    1003 if (ts.tv_sec == 0) {
    1004 - sk->sk_stamp = ktime_get_real();
    1005 - ts = ktime_to_timespec(sk->sk_stamp);
    1006 + ktime_t kt = ktime_get_real();
    1007 + sock_write_timestamp(sk, kt);
    1008 + ts = ktime_to_timespec(kt);
    1009 }
    1010 err = 0;
    1011 if (put_user(ts.tv_sec, &ctv->tv_sec) ||
    1012 diff --git a/net/core/sock.c b/net/core/sock.c
    1013 index 1c4c43483b54..68c831e1a5c0 100644
    1014 --- a/net/core/sock.c
    1015 +++ b/net/core/sock.c
    1016 @@ -2467,6 +2467,9 @@ void sock_init_data(struct socket *sock, struct sock *sk)
    1017 sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
    1018
    1019 sk->sk_stamp = ktime_set(-1L, 0);
    1020 +#if BITS_PER_LONG==32
    1021 + seqlock_init(&sk->sk_stamp_seq);
    1022 +#endif
    1023
    1024 #ifdef CONFIG_NET_RX_BUSY_POLL
    1025 sk->sk_napi_id = 0;
    1026 diff --git a/net/ieee802154/6lowpan/tx.c b/net/ieee802154/6lowpan/tx.c
    1027 index 50ed47559bb7..34d20a2a5cbd 100644
    1028 --- a/net/ieee802154/6lowpan/tx.c
    1029 +++ b/net/ieee802154/6lowpan/tx.c
    1030 @@ -48,6 +48,9 @@ int lowpan_header_create(struct sk_buff *skb, struct net_device *ldev,
    1031 const struct ipv6hdr *hdr = ipv6_hdr(skb);
    1032 struct neighbour *n;
    1033
    1034 + if (!daddr)
    1035 + return -EINVAL;
    1036 +
    1037 /* TODO:
    1038 * if this package isn't ipv6 one, where should it be routed?
    1039 */
    1040 diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
    1041 index 80e48f40c3a8..496f8d86b503 100644
    1042 --- a/net/ipv4/ip_fragment.c
    1043 +++ b/net/ipv4/ip_fragment.c
    1044 @@ -345,10 +345,10 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
    1045 struct net *net = container_of(qp->q.net, struct net, ipv4.frags);
    1046 struct rb_node **rbn, *parent;
    1047 struct sk_buff *skb1, *prev_tail;
    1048 + int ihl, end, skb1_run_end;
    1049 struct net_device *dev;
    1050 unsigned int fragsize;
    1051 int flags, offset;
    1052 - int ihl, end;
    1053 int err = -ENOENT;
    1054 u8 ecn;
    1055
    1056 @@ -418,7 +418,9 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
    1057 * overlapping fragment, the entire datagram (and any constituent
    1058 * fragments) MUST be silently discarded.
    1059 *
    1060 - * We do the same here for IPv4 (and increment an snmp counter).
    1061 + * We do the same here for IPv4 (and increment an snmp counter) but
    1062 + * we do not want to drop the whole queue in response to a duplicate
    1063 + * fragment.
    1064 */
    1065
    1066 /* Find out where to put this fragment. */
    1067 @@ -442,13 +444,17 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
    1068 do {
    1069 parent = *rbn;
    1070 skb1 = rb_to_skb(parent);
    1071 + skb1_run_end = skb1->ip_defrag_offset +
    1072 + FRAG_CB(skb1)->frag_run_len;
    1073 if (end <= skb1->ip_defrag_offset)
    1074 rbn = &parent->rb_left;
    1075 - else if (offset >= skb1->ip_defrag_offset +
    1076 - FRAG_CB(skb1)->frag_run_len)
    1077 + else if (offset >= skb1_run_end)
    1078 rbn = &parent->rb_right;
    1079 - else /* Found an overlap with skb1. */
    1080 - goto discard_qp;
    1081 + else if (offset >= skb1->ip_defrag_offset &&
    1082 + end <= skb1_run_end)
    1083 + goto err; /* No new data, potential duplicate */
    1084 + else
    1085 + goto discard_qp; /* Found an overlap */
    1086 } while (*rbn);
    1087 /* Here we have parent properly set, and rbn pointing to
    1088 * one of its NULL left/right children. Insert skb.
    1089 diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
    1090 index 742a3432c3ea..354926e61f06 100644
    1091 --- a/net/ipv4/ipmr.c
    1092 +++ b/net/ipv4/ipmr.c
    1093 @@ -68,6 +68,8 @@
    1094 #include <linux/netconf.h>
    1095 #include <net/nexthop.h>
    1096
    1097 +#include <linux/nospec.h>
    1098 +
    1099 struct ipmr_rule {
    1100 struct fib_rule common;
    1101 };
    1102 @@ -1562,6 +1564,7 @@ int ipmr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
    1103 return -EFAULT;
    1104 if (vr.vifi >= mrt->maxvif)
    1105 return -EINVAL;
    1106 + vr.vifi = array_index_nospec(vr.vifi, mrt->maxvif);
    1107 read_lock(&mrt_lock);
    1108 vif = &mrt->vif_table[vr.vifi];
    1109 if (VIF_EXISTS(mrt, vr.vifi)) {
    1110 diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
    1111 index 9c5afa5153ce..f89516d04150 100644
    1112 --- a/net/ipv6/ip6_tunnel.c
    1113 +++ b/net/ipv6/ip6_tunnel.c
    1114 @@ -907,6 +907,7 @@ static int ipxip6_rcv(struct sk_buff *skb, u8 ipproto,
    1115 goto drop;
    1116 if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
    1117 goto drop;
    1118 + ipv6h = ipv6_hdr(skb);
    1119 if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr))
    1120 goto drop;
    1121 if (iptunnel_pull_header(skb, 0, tpi->proto, false))
    1122 diff --git a/net/ipv6/ip6_udp_tunnel.c b/net/ipv6/ip6_udp_tunnel.c
    1123 index b283f293ee4a..caad40d6e74d 100644
    1124 --- a/net/ipv6/ip6_udp_tunnel.c
    1125 +++ b/net/ipv6/ip6_udp_tunnel.c
    1126 @@ -15,7 +15,7 @@
    1127 int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
    1128 struct socket **sockp)
    1129 {
    1130 - struct sockaddr_in6 udp6_addr;
    1131 + struct sockaddr_in6 udp6_addr = {};
    1132 int err;
    1133 struct socket *sock = NULL;
    1134
    1135 @@ -42,6 +42,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
    1136 goto error;
    1137
    1138 if (cfg->peer_udp_port) {
    1139 + memset(&udp6_addr, 0, sizeof(udp6_addr));
    1140 udp6_addr.sin6_family = AF_INET6;
    1141 memcpy(&udp6_addr.sin6_addr, &cfg->peer_ip6,
    1142 sizeof(udp6_addr.sin6_addr));
    1143 diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
    1144 index 3213921cdfee..c2b2ee71fc6c 100644
    1145 --- a/net/ipv6/ip6_vti.c
    1146 +++ b/net/ipv6/ip6_vti.c
    1147 @@ -318,6 +318,7 @@ static int vti6_rcv(struct sk_buff *skb)
    1148 return 0;
    1149 }
    1150
    1151 + ipv6h = ipv6_hdr(skb);
    1152 if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) {
    1153 t->dev->stats.rx_dropped++;
    1154 rcu_read_unlock();
    1155 diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
    1156 index 4b93ad4fe6d8..ad597b4b22a0 100644
    1157 --- a/net/ipv6/ip6mr.c
    1158 +++ b/net/ipv6/ip6mr.c
    1159 @@ -72,6 +72,8 @@ struct mr6_table {
    1160 #endif
    1161 };
    1162
    1163 +#include <linux/nospec.h>
    1164 +
    1165 struct ip6mr_rule {
    1166 struct fib_rule common;
    1167 };
    1168 @@ -1873,6 +1875,7 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void __user *arg)
    1169 return -EFAULT;
    1170 if (vr.mifi >= mrt->maxvif)
    1171 return -EINVAL;
    1172 + vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
    1173 read_lock(&mrt_lock);
    1174 vif = &mrt->vif6_table[vr.mifi];
    1175 if (MIF_EXISTS(mrt, vr.mifi)) {
    1176 @@ -1947,6 +1950,7 @@ int ip6mr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
    1177 return -EFAULT;
    1178 if (vr.mifi >= mrt->maxvif)
    1179 return -EINVAL;
    1180 + vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
    1181 read_lock(&mrt_lock);
    1182 vif = &mrt->vif6_table[vr.mifi];
    1183 if (MIF_EXISTS(mrt, vr.mifi)) {
    1184 diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
    1185 index ed212ffc1d9d..046ae1caecea 100644
    1186 --- a/net/netrom/af_netrom.c
    1187 +++ b/net/netrom/af_netrom.c
    1188 @@ -153,7 +153,7 @@ static struct sock *nr_find_listener(ax25_address *addr)
    1189 sk_for_each(s, &nr_list)
    1190 if (!ax25cmp(&nr_sk(s)->source_addr, addr) &&
    1191 s->sk_state == TCP_LISTEN) {
    1192 - bh_lock_sock(s);
    1193 + sock_hold(s);
    1194 goto found;
    1195 }
    1196 s = NULL;
    1197 @@ -174,7 +174,7 @@ static struct sock *nr_find_socket(unsigned char index, unsigned char id)
    1198 struct nr_sock *nr = nr_sk(s);
    1199
    1200 if (nr->my_index == index && nr->my_id == id) {
    1201 - bh_lock_sock(s);
    1202 + sock_hold(s);
    1203 goto found;
    1204 }
    1205 }
    1206 @@ -198,7 +198,7 @@ static struct sock *nr_find_peer(unsigned char index, unsigned char id,
    1207
    1208 if (nr->your_index == index && nr->your_id == id &&
    1209 !ax25cmp(&nr->dest_addr, dest)) {
    1210 - bh_lock_sock(s);
    1211 + sock_hold(s);
    1212 goto found;
    1213 }
    1214 }
    1215 @@ -224,7 +224,7 @@ static unsigned short nr_find_next_circuit(void)
    1216 if (i != 0 && j != 0) {
    1217 if ((sk=nr_find_socket(i, j)) == NULL)
    1218 break;
    1219 - bh_unlock_sock(sk);
    1220 + sock_put(sk);
    1221 }
    1222
    1223 id++;
    1224 @@ -918,6 +918,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
    1225 }
    1226
    1227 if (sk != NULL) {
    1228 + bh_lock_sock(sk);
    1229 skb_reset_transport_header(skb);
    1230
    1231 if (frametype == NR_CONNACK && skb->len == 22)
    1232 @@ -927,6 +928,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
    1233
    1234 ret = nr_process_rx_frame(sk, skb);
    1235 bh_unlock_sock(sk);
    1236 + sock_put(sk);
    1237 return ret;
    1238 }
    1239
    1240 @@ -958,10 +960,12 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
    1241 (make = nr_make_new(sk)) == NULL) {
    1242 nr_transmit_refusal(skb, 0);
    1243 if (sk)
    1244 - bh_unlock_sock(sk);
    1245 + sock_put(sk);
    1246 return 0;
    1247 }
    1248
    1249 + bh_lock_sock(sk);
    1250 +
    1251 window = skb->data[20];
    1252
    1253 skb->sk = make;
    1254 @@ -1014,6 +1018,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
    1255 sk->sk_data_ready(sk);
    1256
    1257 bh_unlock_sock(sk);
    1258 + sock_put(sk);
    1259
    1260 nr_insert_socket(make);
    1261
    1262 diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
    1263 index 24412e8f4061..a9d0358d4f3b 100644
    1264 --- a/net/packet/af_packet.c
    1265 +++ b/net/packet/af_packet.c
    1266 @@ -2660,8 +2660,10 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
    1267 sll_addr)))
    1268 goto out;
    1269 proto = saddr->sll_protocol;
    1270 - addr = saddr->sll_addr;
    1271 + addr = saddr->sll_halen ? saddr->sll_addr : NULL;
    1272 dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
    1273 + if (addr && dev && saddr->sll_halen < dev->addr_len)
    1274 + goto out;
    1275 }
    1276
    1277 err = -ENXIO;
    1278 @@ -2857,8 +2859,10 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
    1279 if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))
    1280 goto out;
    1281 proto = saddr->sll_protocol;
    1282 - addr = saddr->sll_addr;
    1283 + addr = saddr->sll_halen ? saddr->sll_addr : NULL;
    1284 dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
    1285 + if (addr && dev && saddr->sll_halen < dev->addr_len)
    1286 + goto out;
    1287 }
    1288
    1289 err = -ENXIO;
    1290 diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
    1291 index f4d5efb1d231..e7866d47934d 100644
    1292 --- a/net/sctp/ipv6.c
    1293 +++ b/net/sctp/ipv6.c
    1294 @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
    1295 if (addr) {
    1296 addr->a.v6.sin6_family = AF_INET6;
    1297 addr->a.v6.sin6_port = 0;
    1298 + addr->a.v6.sin6_flowinfo = 0;
    1299 addr->a.v6.sin6_addr = ifa->addr;
    1300 addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
    1301 addr->valid = 1;
    1302 diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
    1303 index 266a30c8b88b..33f599cb0936 100644
    1304 --- a/net/sunrpc/svcsock.c
    1305 +++ b/net/sunrpc/svcsock.c
    1306 @@ -572,7 +572,7 @@ static int svc_udp_recvfrom(struct svc_rqst *rqstp)
    1307 /* Don't enable netstamp, sunrpc doesn't
    1308 need that much accuracy */
    1309 }
    1310 - svsk->sk_sk->sk_stamp = skb->tstamp;
    1311 + sock_write_timestamp(svsk->sk_sk, skb->tstamp);
    1312 set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); /* there may be more data... */
    1313
    1314 len = skb->len;
    1315 diff --git a/net/tipc/socket.c b/net/tipc/socket.c
    1316 index 9d3f047305ce..57df99ca6347 100644
    1317 --- a/net/tipc/socket.c
    1318 +++ b/net/tipc/socket.c
    1319 @@ -2281,11 +2281,15 @@ void tipc_sk_reinit(struct net *net)
    1320 goto walk_stop;
    1321
    1322 while ((tsk = rhashtable_walk_next(&iter)) && !IS_ERR(tsk)) {
    1323 - spin_lock_bh(&tsk->sk.sk_lock.slock);
    1324 + sock_hold(&tsk->sk);
    1325 + rhashtable_walk_stop(&iter);
    1326 + lock_sock(&tsk->sk);
    1327 msg = &tsk->phdr;
    1328 msg_set_prevnode(msg, tn->own_addr);
    1329 msg_set_orignode(msg, tn->own_addr);
    1330 - spin_unlock_bh(&tsk->sk.sk_lock.slock);
    1331 + release_sock(&tsk->sk);
    1332 + rhashtable_walk_start(&iter);
    1333 + sock_put(&tsk->sk);
    1334 }
    1335 walk_stop:
    1336 rhashtable_walk_stop(&iter);
    1337 diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
    1338 index 107375d80c70..133e72654e77 100644
    1339 --- a/net/tipc/udp_media.c
    1340 +++ b/net/tipc/udp_media.c
    1341 @@ -243,10 +243,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
    1342 }
    1343
    1344 err = tipc_udp_xmit(net, _skb, ub, src, &rcast->addr);
    1345 - if (err) {
    1346 - kfree_skb(_skb);
    1347 + if (err)
    1348 goto out;
    1349 - }
    1350 }
    1351 err = 0;
    1352 out:
    1353 @@ -676,6 +674,11 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
    1354 if (err)
    1355 goto err;
    1356
    1357 + if (remote.proto != local.proto) {
    1358 + err = -EINVAL;
    1359 + goto err;
    1360 + }
    1361 +
    1362 b->bcast_addr.media_id = TIPC_MEDIA_TYPE_UDP;
    1363 b->bcast_addr.broadcast = 1;
    1364 rcu_assign_pointer(b->media_ptr, ub);
    1365 diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
    1366 index 4aa391c5c733..008f3424dcbc 100644
    1367 --- a/net/vmw_vsock/vmci_transport.c
    1368 +++ b/net/vmw_vsock/vmci_transport.c
    1369 @@ -272,6 +272,31 @@ vmci_transport_send_control_pkt_bh(struct sockaddr_vm *src,
    1370 false);
    1371 }
    1372
    1373 +static int
    1374 +vmci_transport_alloc_send_control_pkt(struct sockaddr_vm *src,
    1375 + struct sockaddr_vm *dst,
    1376 + enum vmci_transport_packet_type type,
    1377 + u64 size,
    1378 + u64 mode,
    1379 + struct vmci_transport_waiting_info *wait,
    1380 + u16 proto,
    1381 + struct vmci_handle handle)
    1382 +{
    1383 + struct vmci_transport_packet *pkt;
    1384 + int err;
    1385 +
    1386 + pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
    1387 + if (!pkt)
    1388 + return -ENOMEM;
    1389 +
    1390 + err = __vmci_transport_send_control_pkt(pkt, src, dst, type, size,
    1391 + mode, wait, proto, handle,
    1392 + true);
    1393 + kfree(pkt);
    1394 +
    1395 + return err;
    1396 +}
    1397 +
    1398 static int
    1399 vmci_transport_send_control_pkt(struct sock *sk,
    1400 enum vmci_transport_packet_type type,
    1401 @@ -281,9 +306,7 @@ vmci_transport_send_control_pkt(struct sock *sk,
    1402 u16 proto,
    1403 struct vmci_handle handle)
    1404 {
    1405 - struct vmci_transport_packet *pkt;
    1406 struct vsock_sock *vsk;
    1407 - int err;
    1408
    1409 vsk = vsock_sk(sk);
    1410
    1411 @@ -293,17 +316,10 @@ vmci_transport_send_control_pkt(struct sock *sk,
    1412 if (!vsock_addr_bound(&vsk->remote_addr))
    1413 return -EINVAL;
    1414
    1415 - pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
    1416 - if (!pkt)
    1417 - return -ENOMEM;
    1418 -
    1419 - err = __vmci_transport_send_control_pkt(pkt, &vsk->local_addr,
    1420 - &vsk->remote_addr, type, size,
    1421 - mode, wait, proto, handle,
    1422 - true);
    1423 - kfree(pkt);
    1424 -
    1425 - return err;
    1426 + return vmci_transport_alloc_send_control_pkt(&vsk->local_addr,
    1427 + &vsk->remote_addr,
    1428 + type, size, mode,
    1429 + wait, proto, handle);
    1430 }
    1431
    1432 static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
    1433 @@ -321,12 +337,29 @@ static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
    1434 static int vmci_transport_send_reset(struct sock *sk,
    1435 struct vmci_transport_packet *pkt)
    1436 {
    1437 + struct sockaddr_vm *dst_ptr;
    1438 + struct sockaddr_vm dst;
    1439 + struct vsock_sock *vsk;
    1440 +
    1441 if (pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST)
    1442 return 0;
    1443 - return vmci_transport_send_control_pkt(sk,
    1444 - VMCI_TRANSPORT_PACKET_TYPE_RST,
    1445 - 0, 0, NULL, VSOCK_PROTO_INVALID,
    1446 - VMCI_INVALID_HANDLE);
    1447 +
    1448 + vsk = vsock_sk(sk);
    1449 +
    1450 + if (!vsock_addr_bound(&vsk->local_addr))
    1451 + return -EINVAL;
    1452 +
    1453 + if (vsock_addr_bound(&vsk->remote_addr)) {
    1454 + dst_ptr = &vsk->remote_addr;
    1455 + } else {
    1456 + vsock_addr_init(&dst, pkt->dg.src.context,
    1457 + pkt->src_port);
    1458 + dst_ptr = &dst;
    1459 + }
    1460 + return vmci_transport_alloc_send_control_pkt(&vsk->local_addr, dst_ptr,
    1461 + VMCI_TRANSPORT_PACKET_TYPE_RST,
    1462 + 0, 0, NULL, VSOCK_PROTO_INVALID,
    1463 + VMCI_INVALID_HANDLE);
    1464 }
    1465
    1466 static int vmci_transport_send_negotiate(struct sock *sk, size_t size)
    1467 diff --git a/sound/core/pcm.c b/sound/core/pcm.c
    1468 index 6bda8f6c5f84..cdff5f976480 100644
    1469 --- a/sound/core/pcm.c
    1470 +++ b/sound/core/pcm.c
    1471 @@ -25,6 +25,7 @@
    1472 #include <linux/time.h>
    1473 #include <linux/mutex.h>
    1474 #include <linux/device.h>
    1475 +#include <linux/nospec.h>
    1476 #include <sound/core.h>
    1477 #include <sound/minors.h>
    1478 #include <sound/pcm.h>
    1479 @@ -125,6 +126,7 @@ static int snd_pcm_control_ioctl(struct snd_card *card,
    1480 return -EFAULT;
    1481 if (stream < 0 || stream > 1)
    1482 return -EINVAL;
    1483 + stream = array_index_nospec(stream, 2);
    1484 if (get_user(subdevice, &info->subdevice))
    1485 return -EFAULT;
    1486 mutex_lock(&register_mutex);
    1487 diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c
    1488 index 50b216fc369f..5d422d65e62b 100644
    1489 --- a/sound/pci/emu10k1/emufx.c
    1490 +++ b/sound/pci/emu10k1/emufx.c
    1491 @@ -36,6 +36,7 @@
    1492 #include <linux/init.h>
    1493 #include <linux/mutex.h>
    1494 #include <linux/moduleparam.h>
    1495 +#include <linux/nospec.h>
    1496
    1497 #include <sound/core.h>
    1498 #include <sound/tlv.h>
    1499 @@ -1000,6 +1001,8 @@ static int snd_emu10k1_ipcm_poke(struct snd_emu10k1 *emu,
    1500
    1501 if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
    1502 return -EINVAL;
    1503 + ipcm->substream = array_index_nospec(ipcm->substream,
    1504 + EMU10K1_FX8010_PCM_COUNT);
    1505 if (ipcm->channels > 32)
    1506 return -EINVAL;
    1507 pcm = &emu->fx8010.pcm[ipcm->substream];
    1508 @@ -1046,6 +1049,8 @@ static int snd_emu10k1_ipcm_peek(struct snd_emu10k1 *emu,
    1509
    1510 if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
    1511 return -EINVAL;
    1512 + ipcm->substream = array_index_nospec(ipcm->substream,
    1513 + EMU10K1_FX8010_PCM_COUNT);
    1514 pcm = &emu->fx8010.pcm[ipcm->substream];
    1515 mutex_lock(&emu->fx8010.lock);
    1516 spin_lock_irq(&emu->reg_lock);
    1517 diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c
    1518 index 0621920f7617..e85fb04ec7be 100644
    1519 --- a/sound/pci/hda/hda_tegra.c
    1520 +++ b/sound/pci/hda/hda_tegra.c
    1521 @@ -249,10 +249,12 @@ static int hda_tegra_suspend(struct device *dev)
    1522 struct snd_card *card = dev_get_drvdata(dev);
    1523 struct azx *chip = card->private_data;
    1524 struct hda_tegra *hda = container_of(chip, struct hda_tegra, chip);
    1525 + struct hdac_bus *bus = azx_bus(chip);
    1526
    1527 snd_power_change_state(card, SNDRV_CTL_POWER_D3hot);
    1528
    1529 azx_stop_chip(chip);
    1530 + synchronize_irq(bus->irq);
    1531 azx_enter_link_reset(chip);
    1532 hda_tegra_disable_clocks(hda);
    1533
    1534 diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
    1535 index d392e867e9ab..ba9cd75e4c98 100644
    1536 --- a/sound/pci/hda/patch_conexant.c
    1537 +++ b/sound/pci/hda/patch_conexant.c
    1538 @@ -853,6 +853,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
    1539 SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
    1540 SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
    1541 SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
    1542 + SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
    1543 SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
    1544 SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
    1545 SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
    1546 diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
    1547 index b94fc6357139..b044dea3c815 100644
    1548 --- a/sound/pci/rme9652/hdsp.c
    1549 +++ b/sound/pci/rme9652/hdsp.c
    1550 @@ -30,6 +30,7 @@
    1551 #include <linux/math64.h>
    1552 #include <linux/vmalloc.h>
    1553 #include <linux/io.h>
    1554 +#include <linux/nospec.h>
    1555
    1556 #include <sound/core.h>
    1557 #include <sound/control.h>
    1558 @@ -4065,15 +4066,16 @@ static int snd_hdsp_channel_info(struct snd_pcm_substream *substream,
    1559 struct snd_pcm_channel_info *info)
    1560 {
    1561 struct hdsp *hdsp = snd_pcm_substream_chip(substream);
    1562 - int mapped_channel;
    1563 + unsigned int channel = info->channel;
    1564
    1565 - if (snd_BUG_ON(info->channel >= hdsp->max_channels))
    1566 + if (snd_BUG_ON(channel >= hdsp->max_channels))
    1567 return -EINVAL;
    1568 + channel = array_index_nospec(channel, hdsp->max_channels);
    1569
    1570 - if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
    1571 + if (hdsp->channel_map[channel] < 0)
    1572 return -EINVAL;
    1573
    1574 - info->offset = mapped_channel * HDSP_CHANNEL_BUFFER_BYTES;
    1575 + info->offset = hdsp->channel_map[channel] * HDSP_CHANNEL_BUFFER_BYTES;
    1576 info->first = 0;
    1577 info->step = 32;
    1578 return 0;
    1579 diff --git a/sound/synth/emux/emux_hwdep.c b/sound/synth/emux/emux_hwdep.c
    1580 index e557946718a9..d9fcae071b47 100644
    1581 --- a/sound/synth/emux/emux_hwdep.c
    1582 +++ b/sound/synth/emux/emux_hwdep.c
    1583 @@ -22,9 +22,9 @@
    1584 #include <sound/core.h>
    1585 #include <sound/hwdep.h>
    1586 #include <linux/uaccess.h>
    1587 +#include <linux/nospec.h>
    1588 #include "emux_voice.h"
    1589
    1590 -
    1591 #define TMP_CLIENT_ID 0x1001
    1592
    1593 /*
    1594 @@ -66,13 +66,16 @@ snd_emux_hwdep_misc_mode(struct snd_emux *emu, void __user *arg)
    1595 return -EFAULT;
    1596 if (info.mode < 0 || info.mode >= EMUX_MD_END)
    1597 return -EINVAL;
    1598 + info.mode = array_index_nospec(info.mode, EMUX_MD_END);
    1599
    1600 if (info.port < 0) {
    1601 for (i = 0; i < emu->num_ports; i++)
    1602 emu->portptrs[i]->ctrls[info.mode] = info.value;
    1603 } else {
    1604 - if (info.port < emu->num_ports)
    1605 + if (info.port < emu->num_ports) {
    1606 + info.port = array_index_nospec(info.port, emu->num_ports);
    1607 emu->portptrs[info.port]->ctrls[info.mode] = info.value;
    1608 + }
    1609 }
    1610 return 0;
    1611 }
    1612 diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c
    1613 index 0f84371d4d6b..c86c1d5ea65c 100644
    1614 --- a/tools/perf/util/pmu.c
    1615 +++ b/tools/perf/util/pmu.c
    1616 @@ -103,7 +103,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char *
    1617 char path[PATH_MAX];
    1618 char *lc;
    1619
    1620 - snprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
    1621 + scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
    1622
    1623 fd = open(path, O_RDONLY);
    1624 if (fd == -1)
    1625 @@ -163,7 +163,7 @@ static int perf_pmu__parse_unit(struct perf_pmu_alias *alias, char *dir, char *n
    1626 ssize_t sret;
    1627 int fd;
    1628
    1629 - snprintf(path, PATH_MAX, "%s/%s.unit", dir, name);
    1630 + scnprintf(path, PATH_MAX, "%s/%s.unit", dir, name);
    1631
    1632 fd = open(path, O_RDONLY);
    1633 if (fd == -1)
    1634 @@ -193,7 +193,7 @@ perf_pmu__parse_per_pkg(struct perf_pmu_alias *alias, char *dir, char *name)
    1635 char path[PATH_MAX];
    1636 int fd;
    1637
    1638 - snprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name);
    1639 + scnprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name);
    1640
    1641 fd = open(path, O_RDONLY);
    1642 if (fd == -1)
    1643 @@ -211,7 +211,7 @@ static int perf_pmu__parse_snapshot(struct perf_pmu_alias *alias,
    1644 char path[PATH_MAX];
    1645 int fd;
    1646
    1647 - snprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name);
    1648 + scnprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name);
    1649
    1650 fd = open(path, O_RDONLY);
    1651 if (fd == -1)