Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-alx/patches-4.9/0323-4.9.224-all-fixes.patch

    Contents of /trunk/kernel-alx/patches-4.9/0323-4.9.224-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 3598 - (show annotations) (download)
    Thu Aug 13 10:21:39 2020 UTC (3 years, 8 months ago) by niro
    File size: 106010 byte(s) 
    linux-224
    1 diff --git a/Makefile b/Makefile
    2 index 2a923301987e..3e58c142f92f 100644
    3 --- a/Makefile
    4 +++ b/Makefile
    5 @@ -1,6 +1,6 @@
    6 VERSION = 4
    7 PATCHLEVEL = 9
    8 -SUBLEVEL = 223
    9 +SUBLEVEL = 224
    10 EXTRAVERSION =
    11 NAME = Roaring Lionus
    12
    13 @@ -658,20 +658,14 @@ KBUILD_CFLAGS += $(call cc-option,-fdata-sections,)
    14 endif
    15
    16 ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
    17 -KBUILD_CFLAGS += -Os $(call cc-disable-warning,maybe-uninitialized,)
    18 -else
    19 -ifdef CONFIG_PROFILE_ALL_BRANCHES
    20 -KBUILD_CFLAGS += -O2 $(call cc-disable-warning,maybe-uninitialized,)
    21 +KBUILD_CFLAGS += -Os
    22 else
    23 KBUILD_CFLAGS += -O2
    24 endif
    25 -endif
    26 -
    27 -KBUILD_CFLAGS += $(call cc-ifversion, -lt, 0409, \
    28 - $(call cc-disable-warning,maybe-uninitialized,))
    29
    30 # Tell gcc to never replace conditional load with a non-conditional one
    31 KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0)
    32 +KBUILD_CFLAGS += $(call cc-option,-fno-allow-store-data-races)
    33
    34 # check for 'asm goto'
    35 ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y)
    36 @@ -804,6 +798,17 @@ KBUILD_CFLAGS += $(call cc-disable-warning, pointer-sign)
    37 # disable stringop warnings in gcc 8+
    38 KBUILD_CFLAGS += $(call cc-disable-warning, stringop-truncation)
    39
    40 +# We'll want to enable this eventually, but it's not going away for 5.7 at least
    41 +KBUILD_CFLAGS += $(call cc-disable-warning, zero-length-bounds)
    42 +KBUILD_CFLAGS += $(call cc-disable-warning, array-bounds)
    43 +KBUILD_CFLAGS += $(call cc-disable-warning, stringop-overflow)
    44 +
    45 +# Another good warning that we'll want to enable eventually
    46 +KBUILD_CFLAGS += $(call cc-disable-warning, restrict)
    47 +
    48 +# Enabled with W=2, disabled by default as noisy
    49 +KBUILD_CFLAGS += $(call cc-disable-warning, maybe-uninitialized)
    50 +
    51 # disable invalid "can't wrap" optimizations for signed / pointers
    52 KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
    53
    54 diff --git a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts
    55 index bfd4946cf9fe..8b63b6593d3a 100644
    56 --- a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts
    57 +++ b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts
    58 @@ -81,8 +81,8 @@
    59 imx27-phycard-s-rdk {
    60 pinctrl_i2c1: i2c1grp {
    61 fsl,pins = <
    62 - MX27_PAD_I2C2_SDA__I2C2_SDA 0x0
    63 - MX27_PAD_I2C2_SCL__I2C2_SCL 0x0
    64 + MX27_PAD_I2C_DATA__I2C_DATA 0x0
    65 + MX27_PAD_I2C_CLK__I2C_CLK 0x0
    66 >;
    67 };
    68
    69 diff --git a/arch/arm/boot/dts/r8a73a4.dtsi b/arch/arm/boot/dts/r8a73a4.dtsi
    70 index ca8672778fe0..547032eebd67 100644
    71 --- a/arch/arm/boot/dts/r8a73a4.dtsi
    72 +++ b/arch/arm/boot/dts/r8a73a4.dtsi
    73 @@ -135,7 +135,14 @@
    74 cmt1: timer@e6130000 {
    75 compatible = "renesas,cmt-48-r8a73a4", "renesas,cmt-48-gen2";
    76 reg = <0 0xe6130000 0 0x1004>;
    77 - interrupts = <GIC_SPI 120 IRQ_TYPE_LEVEL_HIGH>;
    78 + interrupts = <GIC_SPI 120 IRQ_TYPE_LEVEL_HIGH>,
    79 + <GIC_SPI 121 IRQ_TYPE_LEVEL_HIGH>,
    80 + <GIC_SPI 122 IRQ_TYPE_LEVEL_HIGH>,
    81 + <GIC_SPI 123 IRQ_TYPE_LEVEL_HIGH>,
    82 + <GIC_SPI 124 IRQ_TYPE_LEVEL_HIGH>,
    83 + <GIC_SPI 125 IRQ_TYPE_LEVEL_HIGH>,
    84 + <GIC_SPI 126 IRQ_TYPE_LEVEL_HIGH>,
    85 + <GIC_SPI 127 IRQ_TYPE_LEVEL_HIGH>;
    86 clocks = <&mstp3_clks R8A73A4_CLK_CMT1>;
    87 clock-names = "fck";
    88 power-domains = <&pd_c5>;
    89 diff --git a/arch/arm/boot/dts/r8a7740.dtsi b/arch/arm/boot/dts/r8a7740.dtsi
    90 index 159e04eb1b9e..41244942f085 100644
    91 --- a/arch/arm/boot/dts/r8a7740.dtsi
    92 +++ b/arch/arm/boot/dts/r8a7740.dtsi
    93 @@ -467,7 +467,7 @@
    94 cpg_clocks: cpg_clocks@e6150000 {
    95 compatible = "renesas,r8a7740-cpg-clocks";
    96 reg = <0xe6150000 0x10000>;
    97 - clocks = <&extal1_clk>, <&extalr_clk>;
    98 + clocks = <&extal1_clk>, <&extal2_clk>, <&extalr_clk>;
    99 #clock-cells = <1>;
    100 clock-output-names = "system", "pllc0", "pllc1",
    101 "pllc2", "r",
    102 diff --git a/arch/x86/include/asm/stackprotector.h b/arch/x86/include/asm/stackprotector.h
    103 index 58505f01962f..743bd2d77e51 100644
    104 --- a/arch/x86/include/asm/stackprotector.h
    105 +++ b/arch/x86/include/asm/stackprotector.h
    106 @@ -54,8 +54,13 @@
    107 /*
    108 * Initialize the stackprotector canary value.
    109 *
    110 - * NOTE: this must only be called from functions that never return,
    111 + * NOTE: this must only be called from functions that never return
    112 * and it must always be inlined.
    113 + *
    114 + * In addition, it should be called from a compilation unit for which
    115 + * stack protector is disabled. Alternatively, the caller should not end
    116 + * with a function call which gets tail-call optimized as that would
    117 + * lead to checking a modified canary value.
    118 */
    119 static __always_inline void boot_init_stack_canary(void)
    120 {
    121 diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
    122 index ef38bc1d1c00..fe5896259c0f 100644
    123 --- a/arch/x86/kernel/smpboot.c
    124 +++ b/arch/x86/kernel/smpboot.c
    125 @@ -249,6 +249,14 @@ static void notrace start_secondary(void *unused)
    126
    127 wmb();
    128 cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
    129 +
    130 + /*
    131 + * Prevent tail call to cpu_startup_entry() because the stack protector
    132 + * guard has been changed a couple of function calls up, in
    133 + * boot_init_stack_canary() and must not be checked before tail calling
    134 + * another function.
    135 + */
    136 + prevent_tail_call_optimization();
    137 }
    138
    139 /**
    140 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
    141 index 314eb954bdee..0f66f7dd8938 100644
    142 --- a/arch/x86/kvm/x86.c
    143 +++ b/arch/x86/kvm/x86.c
    144 @@ -3128,7 +3128,7 @@ static int kvm_vcpu_ioctl_x86_setup_mce(struct kvm_vcpu *vcpu,
    145 unsigned bank_num = mcg_cap & 0xff, bank;
    146
    147 r = -EINVAL;
    148 - if (!bank_num || bank_num >= KVM_MAX_MCE_BANKS)
    149 + if (!bank_num || bank_num > KVM_MAX_MCE_BANKS)
    150 goto out;
    151 if (mcg_cap & ~(kvm_mce_cap_supported | 0xff | 0xff0000))
    152 goto out;
    153 diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
    154 index 8eca26ef6471..15a90ab3b373 100644
    155 --- a/arch/x86/xen/smp.c
    156 +++ b/arch/x86/xen/smp.c
    157 @@ -116,6 +116,7 @@ asmlinkage __visible void cpu_bringup_and_idle(int cpu)
    158 #endif
    159 cpu_bringup();
    160 cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
    161 + prevent_tail_call_optimization();
    162 }
    163
    164 void xen_smp_intr_free(unsigned int cpu)
    165 diff --git a/block/blk-core.c b/block/blk-core.c
    166 index bdb906bbfe19..4987f312a95f 100644
    167 --- a/block/blk-core.c
    168 +++ b/block/blk-core.c
    169 @@ -729,6 +729,9 @@ struct request_queue *blk_alloc_queue_node(gfp_t gfp_mask, int node_id)
    170
    171 kobject_init(&q->kobj, &blk_queue_ktype);
    172
    173 +#ifdef CONFIG_BLK_DEV_IO_TRACE
    174 + mutex_init(&q->blk_trace_mutex);
    175 +#endif
    176 mutex_init(&q->sysfs_lock);
    177 spin_lock_init(&q->__queue_lock);
    178
    179 diff --git a/crypto/lrw.c b/crypto/lrw.c
    180 index d38a382b09eb..fc3d4fec8ddd 100644
    181 --- a/crypto/lrw.c
    182 +++ b/crypto/lrw.c
    183 @@ -377,7 +377,7 @@ out_put_alg:
    184 return inst;
    185 }
    186
    187 -static void free(struct crypto_instance *inst)
    188 +static void free_inst(struct crypto_instance *inst)
    189 {
    190 crypto_drop_spawn(crypto_instance_ctx(inst));
    191 kfree(inst);
    192 @@ -386,7 +386,7 @@ static void free(struct crypto_instance *inst)
    193 static struct crypto_template crypto_tmpl = {
    194 .name = "lrw",
    195 .alloc = alloc,
    196 - .free = free,
    197 + .free = free_inst,
    198 .module = THIS_MODULE,
    199 };
    200
    201 diff --git a/crypto/xts.c b/crypto/xts.c
    202 index 305343f22a02..e41ed483e8a5 100644
    203 --- a/crypto/xts.c
    204 +++ b/crypto/xts.c
    205 @@ -329,7 +329,7 @@ out_put_alg:
    206 return inst;
    207 }
    208
    209 -static void free(struct crypto_instance *inst)
    210 +static void free_inst(struct crypto_instance *inst)
    211 {
    212 crypto_drop_spawn(crypto_instance_ctx(inst));
    213 kfree(inst);
    214 @@ -338,7 +338,7 @@ static void free(struct crypto_instance *inst)
    215 static struct crypto_template crypto_tmpl = {
    216 .name = "xts",
    217 .alloc = alloc,
    218 - .free = free,
    219 + .free = free_inst,
    220 .module = THIS_MODULE,
    221 };
    222
    223 diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
    224 index cdc47375178e..25f02f5fe0fd 100644
    225 --- a/drivers/acpi/video_detect.c
    226 +++ b/drivers/acpi/video_detect.c
    227 @@ -314,17 +314,6 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
    228 DMI_MATCH(DMI_PRODUCT_NAME, "Dell System XPS L702X"),
    229 },
    230 },
    231 - {
    232 - /* https://bugzilla.redhat.com/show_bug.cgi?id=1204476 */
    233 - /* https://bugs.launchpad.net/ubuntu/+source/linux-lts-trusty/+bug/1416940 */
    234 - .callback = video_detect_force_native,
    235 - .ident = "HP Pavilion dv6",
    236 - .matches = {
    237 - DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
    238 - DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv6 Notebook PC"),
    239 - },
    240 - },
    241 -
    242 { },
    243 };
    244
    245 diff --git a/drivers/dma/mmp_tdma.c b/drivers/dma/mmp_tdma.c
    246 index 13c68b6434ce..15b4a44e6006 100644
    247 --- a/drivers/dma/mmp_tdma.c
    248 +++ b/drivers/dma/mmp_tdma.c
    249 @@ -362,6 +362,8 @@ static void mmp_tdma_free_descriptor(struct mmp_tdma_chan *tdmac)
    250 gen_pool_free(gpool, (unsigned long)tdmac->desc_arr,
    251 size);
    252 tdmac->desc_arr = NULL;
    253 + if (tdmac->status == DMA_ERROR)
    254 + tdmac->status = DMA_COMPLETE;
    255
    256 return;
    257 }
    258 diff --git a/drivers/dma/pch_dma.c b/drivers/dma/pch_dma.c
    259 index df95727dc2fb..8a0c70e4f727 100644
    260 --- a/drivers/dma/pch_dma.c
    261 +++ b/drivers/dma/pch_dma.c
    262 @@ -876,6 +876,7 @@ static int pch_dma_probe(struct pci_dev *pdev,
    263 }
    264
    265 pci_set_master(pdev);
    266 + pd->dma.dev = &pdev->dev;
    267
    268 err = request_irq(pdev->irq, pd_irq, IRQF_SHARED, DRV_NAME, pd);
    269 if (err) {
    270 @@ -891,7 +892,6 @@ static int pch_dma_probe(struct pci_dev *pdev,
    271 goto err_free_irq;
    272 }
    273
    274 - pd->dma.dev = &pdev->dev;
    275
    276 INIT_LIST_HEAD(&pd->dma.channels);
    277
    278 diff --git a/drivers/gpu/drm/qxl/qxl_image.c b/drivers/gpu/drm/qxl/qxl_image.c
    279 index 7fbcc35e8ad3..c89c10055641 100644
    280 --- a/drivers/gpu/drm/qxl/qxl_image.c
    281 +++ b/drivers/gpu/drm/qxl/qxl_image.c
    282 @@ -210,7 +210,8 @@ qxl_image_init_helper(struct qxl_device *qdev,
    283 break;
    284 default:
    285 DRM_ERROR("unsupported image bit depth\n");
    286 - return -EINVAL; /* TODO: cleanup */
    287 + qxl_bo_kunmap_atomic_page(qdev, image_bo, ptr);
    288 + return -EINVAL;
    289 }
    290 image->u.bitmap.flags = QXL_BITMAP_TOP_DOWN;
    291 image->u.bitmap.x = width;
    292 diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
    293 index f7d23c1081dc..68eed45b8600 100644
    294 --- a/drivers/infiniband/core/addr.c
    295 +++ b/drivers/infiniband/core/addr.c
    296 @@ -453,16 +453,15 @@ static int addr6_resolve(struct sockaddr_in6 *src_in,
    297 struct flowi6 fl6;
    298 struct dst_entry *dst;
    299 struct rt6_info *rt;
    300 - int ret;
    301
    302 memset(&fl6, 0, sizeof fl6);
    303 fl6.daddr = dst_in->sin6_addr;
    304 fl6.saddr = src_in->sin6_addr;
    305 fl6.flowi6_oif = addr->bound_dev_if;
    306
    307 - ret = ipv6_stub->ipv6_dst_lookup(addr->net, NULL, &dst, &fl6);
    308 - if (ret < 0)
    309 - return ret;
    310 + dst = ipv6_stub->ipv6_dst_lookup_flow(addr->net, NULL, &fl6, NULL);
    311 + if (IS_ERR(dst))
    312 + return PTR_ERR(dst);
    313
    314 rt = (struct rt6_info *)dst;
    315 if (ipv6_addr_any(&src_in->sin6_addr)) {
    316 @@ -552,6 +551,7 @@ static int addr_resolve(struct sockaddr *src_in,
    317 const struct sockaddr_in6 *dst_in6 =
    318 (const struct sockaddr_in6 *)dst_in;
    319
    320 + dst = NULL;
    321 ret = addr6_resolve((struct sockaddr_in6 *)src_in,
    322 dst_in6, addr,
    323 &dst);
    324 diff --git a/drivers/infiniband/hw/i40iw/i40iw_hw.c b/drivers/infiniband/hw/i40iw/i40iw_hw.c
    325 index 0c92a40b3e86..e4867d6de789 100644
    326 --- a/drivers/infiniband/hw/i40iw/i40iw_hw.c
    327 +++ b/drivers/infiniband/hw/i40iw/i40iw_hw.c
    328 @@ -479,7 +479,7 @@ void i40iw_manage_arp_cache(struct i40iw_device *iwdev,
    329 int arp_index;
    330
    331 arp_index = i40iw_arp_table(iwdev, ip_addr, ipv4, mac_addr, action);
    332 - if (arp_index == -1)
    333 + if (arp_index < 0)
    334 return;
    335 cqp_request = i40iw_get_cqp_request(&iwdev->cqp, false);
    336 if (!cqp_request)
    337 diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
    338 index 709d6491d243..7284a9176844 100644
    339 --- a/drivers/infiniband/hw/mlx4/qp.c
    340 +++ b/drivers/infiniband/hw/mlx4/qp.c
    341 @@ -2307,6 +2307,7 @@ static int build_sriov_qp0_header(struct mlx4_ib_sqp *sqp,
    342 int send_size;
    343 int header_size;
    344 int spc;
    345 + int err;
    346 int i;
    347
    348 if (wr->wr.opcode != IB_WR_SEND)
    349 @@ -2341,7 +2342,9 @@ static int build_sriov_qp0_header(struct mlx4_ib_sqp *sqp,
    350
    351 sqp->ud_header.lrh.virtual_lane = 0;
    352 sqp->ud_header.bth.solicited_event = !!(wr->wr.send_flags & IB_SEND_SOLICITED);
    353 - ib_get_cached_pkey(ib_dev, sqp->qp.port, 0, &pkey);
    354 + err = ib_get_cached_pkey(ib_dev, sqp->qp.port, 0, &pkey);
    355 + if (err)
    356 + return err;
    357 sqp->ud_header.bth.pkey = cpu_to_be16(pkey);
    358 if (sqp->qp.mlx4_ib_qp_type == MLX4_IB_QPT_TUN_SMI_OWNER)
    359 sqp->ud_header.bth.destination_qpn = cpu_to_be32(wr->remote_qpn);
    360 @@ -2618,9 +2621,14 @@ static int build_mlx_header(struct mlx4_ib_sqp *sqp, struct ib_ud_wr *wr,
    361 }
    362 sqp->ud_header.bth.solicited_event = !!(wr->wr.send_flags & IB_SEND_SOLICITED);
    363 if (!sqp->qp.ibqp.qp_num)
    364 - ib_get_cached_pkey(ib_dev, sqp->qp.port, sqp->pkey_index, &pkey);
    365 + err = ib_get_cached_pkey(ib_dev, sqp->qp.port, sqp->pkey_index,
    366 + &pkey);
    367 else
    368 - ib_get_cached_pkey(ib_dev, sqp->qp.port, wr->pkey_index, &pkey);
    369 + err = ib_get_cached_pkey(ib_dev, sqp->qp.port, wr->pkey_index,
    370 + &pkey);
    371 + if (err)
    372 + return err;
    373 +
    374 sqp->ud_header.bth.pkey = cpu_to_be16(pkey);
    375 sqp->ud_header.bth.destination_qpn = cpu_to_be32(wr->remote_qpn);
    376 sqp->ud_header.bth.psn = cpu_to_be32((sqp->send_psn++) & ((1 << 24) - 1));
    377 diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
    378 index f4f3942ebbd1..d19e003e8381 100644
    379 --- a/drivers/infiniband/sw/rxe/rxe_net.c
    380 +++ b/drivers/infiniband/sw/rxe/rxe_net.c
    381 @@ -182,10 +182,12 @@ static struct dst_entry *rxe_find_route6(struct net_device *ndev,
    382 memcpy(&fl6.daddr, daddr, sizeof(*daddr));
    383 fl6.flowi6_proto = IPPROTO_UDP;
    384
    385 - if (unlikely(ipv6_stub->ipv6_dst_lookup(sock_net(recv_sockets.sk6->sk),
    386 - recv_sockets.sk6->sk, &ndst, &fl6))) {
    387 + ndst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(recv_sockets.sk6->sk),
    388 + recv_sockets.sk6->sk, &fl6,
    389 + NULL);
    390 + if (unlikely(IS_ERR(ndst))) {
    391 pr_err_ratelimited("no route to %pI6\n", daddr);
    392 - goto put;
    393 + return NULL;
    394 }
    395
    396 if (unlikely(ndst->error)) {
    397 diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
    398 index 736e550163e1..421cbba9a3bc 100644
    399 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
    400 +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
    401 @@ -5997,6 +5997,7 @@ static netdev_features_t bnxt_fix_features(struct net_device *dev,
    402 netdev_features_t features)
    403 {
    404 struct bnxt *bp = netdev_priv(dev);
    405 + netdev_features_t vlan_features;
    406
    407 if ((features & NETIF_F_NTUPLE) && !bnxt_rfs_capable(bp))
    408 features &= ~NETIF_F_NTUPLE;
    409 @@ -6004,12 +6005,14 @@ static netdev_features_t bnxt_fix_features(struct net_device *dev,
    410 /* Both CTAG and STAG VLAN accelaration on the RX side have to be
    411 * turned on or off together.
    412 */
    413 - if ((features & (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) !=
    414 - (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) {
    415 + vlan_features = features & (NETIF_F_HW_VLAN_CTAG_RX |
    416 + NETIF_F_HW_VLAN_STAG_RX);
    417 + if (vlan_features != (NETIF_F_HW_VLAN_CTAG_RX |
    418 + NETIF_F_HW_VLAN_STAG_RX)) {
    419 if (dev->features & NETIF_F_HW_VLAN_CTAG_RX)
    420 features &= ~(NETIF_F_HW_VLAN_CTAG_RX |
    421 NETIF_F_HW_VLAN_STAG_RX);
    422 - else
    423 + else if (vlan_features)
    424 features |= NETIF_F_HW_VLAN_CTAG_RX |
    425 NETIF_F_HW_VLAN_STAG_RX;
    426 }
    427 @@ -7163,8 +7166,11 @@ static pci_ers_result_t bnxt_io_slot_reset(struct pci_dev *pdev)
    428 result = PCI_ERS_RESULT_RECOVERED;
    429 }
    430
    431 - if (result != PCI_ERS_RESULT_RECOVERED && netif_running(netdev))
    432 - dev_close(netdev);
    433 + if (result != PCI_ERS_RESULT_RECOVERED) {
    434 + if (netif_running(netdev))
    435 + dev_close(netdev);
    436 + pci_disable_device(pdev);
    437 + }
    438
    439 rtnl_unlock();
    440
    441 @@ -7175,7 +7181,7 @@ static pci_ers_result_t bnxt_io_slot_reset(struct pci_dev *pdev)
    442 err); /* non-fatal, continue */
    443 }
    444
    445 - return PCI_ERS_RESULT_RECOVERED;
    446 + return result;
    447 }
    448
    449 /**
    450 diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
    451 index 781642d47133..751aac54f2d5 100644
    452 --- a/drivers/net/ethernet/mellanox/mlx4/main.c
    453 +++ b/drivers/net/ethernet/mellanox/mlx4/main.c
    454 @@ -2478,6 +2478,7 @@ static int mlx4_allocate_default_counters(struct mlx4_dev *dev)
    455
    456 if (!err || err == -ENOSPC) {
    457 priv->def_counter[port] = idx;
    458 + err = 0;
    459 } else if (err == -ENOENT) {
    460 err = 0;
    461 continue;
    462 @@ -2527,7 +2528,8 @@ int mlx4_counter_alloc(struct mlx4_dev *dev, u32 *idx)
    463 MLX4_CMD_TIME_CLASS_A, MLX4_CMD_WRAPPED);
    464 if (!err)
    465 *idx = get_param_l(&out_param);
    466 -
    467 + if (WARN_ON(err == -ENOSPC))
    468 + err = -EINVAL;
    469 return err;
    470 }
    471 return __mlx4_counter_alloc(dev, idx);
    472 diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
    473 index 1d5263c46eee..bb142a13d9f2 100644
    474 --- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
    475 +++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
    476 @@ -813,7 +813,6 @@ static void cmd_work_handler(struct work_struct *work)
    477 }
    478
    479 cmd->ent_arr[ent->idx] = ent;
    480 - set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
    481 lay = get_inst(cmd, ent->idx);
    482 ent->lay = lay;
    483 memset(lay, 0, sizeof(*lay));
    484 @@ -835,6 +834,7 @@ static void cmd_work_handler(struct work_struct *work)
    485
    486 if (ent->callback)
    487 schedule_delayed_work(&ent->cb_timeout_work, cb_timeout);
    488 + set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
    489
    490 /* Skip sending command to fw if internal error */
    491 if (pci_channel_offline(dev->pdev) ||
    492 @@ -847,6 +847,10 @@ static void cmd_work_handler(struct work_struct *work)
    493 MLX5_SET(mbox_out, ent->out, syndrome, drv_synd);
    494
    495 mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true);
    496 + /* no doorbell, no need to keep the entry */
    497 + free_ent(cmd, ent->idx);
    498 + if (ent->callback)
    499 + free_cmd(ent);
    500 return;
    501 }
    502
    503 diff --git a/drivers/net/ethernet/moxa/moxart_ether.c b/drivers/net/ethernet/moxa/moxart_ether.c
    504 index 0622fd03941b..6fe61d9343cb 100644
    505 --- a/drivers/net/ethernet/moxa/moxart_ether.c
    506 +++ b/drivers/net/ethernet/moxa/moxart_ether.c
    507 @@ -571,7 +571,7 @@ static int moxart_remove(struct platform_device *pdev)
    508 struct net_device *ndev = platform_get_drvdata(pdev);
    509
    510 unregister_netdev(ndev);
    511 - free_irq(ndev->irq, ndev);
    512 + devm_free_irq(&pdev->dev, ndev->irq, ndev);
    513 moxart_mac_free_memory(ndev);
    514 free_netdev(ndev);
    515
    516 diff --git a/drivers/net/ethernet/natsemi/jazzsonic.c b/drivers/net/ethernet/natsemi/jazzsonic.c
    517 index acf3f11e38cc..68d2f31921ff 100644
    518 --- a/drivers/net/ethernet/natsemi/jazzsonic.c
    519 +++ b/drivers/net/ethernet/natsemi/jazzsonic.c
    520 @@ -247,13 +247,15 @@ static int jazz_sonic_probe(struct platform_device *pdev)
    521 goto out;
    522 err = register_netdev(dev);
    523 if (err)
    524 - goto out1;
    525 + goto undo_probe1;
    526
    527 printk("%s: MAC %pM IRQ %d\n", dev->name, dev->dev_addr, dev->irq);
    528
    529 return 0;
    530
    531 -out1:
    532 +undo_probe1:
    533 + dma_free_coherent(lp->device, SIZEOF_SONIC_DESC * SONIC_BUS_SCALE(lp->dma_bitmode),
    534 + lp->descriptors, lp->descriptors_laddr);
    535 release_mem_region(dev->base_addr, SONIC_MEM_SIZE);
    536 out:
    537 free_netdev(dev);
    538 diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
    539 index 92ad43e53c72..35d8c636de12 100644
    540 --- a/drivers/net/geneve.c
    541 +++ b/drivers/net/geneve.c
    542 @@ -835,7 +835,9 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
    543 return dst;
    544 }
    545
    546 - if (ipv6_stub->ipv6_dst_lookup(geneve->net, gs6->sock->sk, &dst, fl6)) {
    547 + dst = ipv6_stub->ipv6_dst_lookup_flow(geneve->net, gs6->sock->sk, fl6,
    548 + NULL);
    549 + if (IS_ERR(dst)) {
    550 netdev_dbg(dev, "no route to %pI6\n", &fl6->daddr);
    551 return ERR_PTR(-ENETUNREACH);
    552 }
    553 diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
    554 index df2ee65a33e3..5defa29069ca 100644
    555 --- a/drivers/net/macsec.c
    556 +++ b/drivers/net/macsec.c
    557 @@ -1315,7 +1315,8 @@ static struct crypto_aead *macsec_alloc_tfm(char *key, int key_len, int icv_len)
    558 struct crypto_aead *tfm;
    559 int ret;
    560
    561 - tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
    562 + /* Pick a sync gcm(aes) cipher to ensure order is preserved. */
    563 + tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC);
    564
    565 if (IS_ERR(tfm))
    566 return tfm;
    567 diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c
    568 index 557f6510bad7..7e94526de51c 100644
    569 --- a/drivers/net/phy/dp83640.c
    570 +++ b/drivers/net/phy/dp83640.c
    571 @@ -1108,7 +1108,7 @@ static struct dp83640_clock *dp83640_clock_get_bus(struct mii_bus *bus)
    572 goto out;
    573 }
    574 dp83640_clock_init(clock, bus);
    575 - list_add_tail(&phyter_clocks, &clock->list);
    576 + list_add_tail(&clock->list, &phyter_clocks);
    577 out:
    578 mutex_unlock(&phyter_clocks_lock);
    579
    580 diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
    581 index adb38a4ec9ac..1704d9e2ca8d 100644
    582 --- a/drivers/net/phy/micrel.c
    583 +++ b/drivers/net/phy/micrel.c
    584 @@ -677,8 +677,8 @@ static void kszphy_get_strings(struct phy_device *phydev, u8 *data)
    585 int i;
    586
    587 for (i = 0; i < ARRAY_SIZE(kszphy_hw_stats); i++) {
    588 - memcpy(data + i * ETH_GSTRING_LEN,
    589 - kszphy_hw_stats[i].string, ETH_GSTRING_LEN);
    590 + strlcpy(data + i * ETH_GSTRING_LEN,
    591 + kszphy_hw_stats[i].string, ETH_GSTRING_LEN);
    592 }
    593 }
    594
    595 diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
    596 index 97f6b8130db3..5755eec00d7f 100644
    597 --- a/drivers/net/usb/qmi_wwan.c
    598 +++ b/drivers/net/usb/qmi_wwan.c
    599 @@ -950,6 +950,7 @@ static const struct usb_device_id products[] = {
    600 {QMI_FIXED_INTF(0x413c, 0x81b3, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
    601 {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */
    602 {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */
    603 + {QMI_FIXED_INTF(0x413c, 0x81cc, 8)}, /* Dell Wireless 5816e */
    604 {QMI_FIXED_INTF(0x413c, 0x81d7, 0)}, /* Dell Wireless 5821e */
    605 {QMI_FIXED_INTF(0x413c, 0x81d7, 1)}, /* Dell Wireless 5821e preproduction config */
    606 {QMI_FIXED_INTF(0x413c, 0x81e0, 0)}, /* Dell Wireless 5821e with eSIM support*/
    607 diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
    608 index bc4542d9a08d..58ddb6c90418 100644
    609 --- a/drivers/net/vxlan.c
    610 +++ b/drivers/net/vxlan.c
    611 @@ -1881,7 +1881,6 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan,
    612 bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
    613 struct dst_entry *ndst;
    614 struct flowi6 fl6;
    615 - int err;
    616
    617 if (!sock6)
    618 return ERR_PTR(-EIO);
    619 @@ -1902,11 +1901,10 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan,
    620 fl6.flowi6_mark = skb->mark;
    621 fl6.flowi6_proto = IPPROTO_UDP;
    622
    623 - err = ipv6_stub->ipv6_dst_lookup(vxlan->net,
    624 - sock6->sock->sk,
    625 - &ndst, &fl6);
    626 - if (err < 0)
    627 - return ERR_PTR(err);
    628 + ndst = ipv6_stub->ipv6_dst_lookup_flow(vxlan->net, sock6->sock->sk,
    629 + &fl6, NULL);
    630 + if (unlikely(IS_ERR(ndst)))
    631 + return ERR_PTR(-ENETUNREACH);
    632
    633 *saddr = fl6.saddr;
    634 if (use_cache)
    635 diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c
    636 index e8c08eb97530..d1a99b2e2d4c 100644
    637 --- a/drivers/pinctrl/intel/pinctrl-cherryview.c
    638 +++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
    639 @@ -1509,11 +1509,15 @@ static void chv_gpio_irq_handler(struct irq_desc *desc)
    640 struct chv_pinctrl *pctrl = gpiochip_get_data(gc);
    641 struct irq_chip *chip = irq_desc_get_chip(desc);
    642 unsigned long pending;
    643 + unsigned long flags;
    644 u32 intr_line;
    645
    646 chained_irq_enter(chip, desc);
    647
    648 + raw_spin_lock_irqsave(&chv_lock, flags);
    649 pending = readl(pctrl->regs + CHV_INTSTAT);
    650 + raw_spin_unlock_irqrestore(&chv_lock, flags);
    651 +
    652 for_each_set_bit(intr_line, &pending, pctrl->community->nirqs) {
    653 unsigned irq, offset;
    654
    655 diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
    656 index 2aa5b37cc6d2..bf1536f1c90b 100644
    657 --- a/drivers/ptp/ptp_clock.c
    658 +++ b/drivers/ptp/ptp_clock.c
    659 @@ -171,10 +171,11 @@ static struct posix_clock_operations ptp_clock_ops = {
    660 .read = ptp_read,
    661 };
    662
    663 -static void delete_ptp_clock(struct posix_clock *pc)
    664 +static void ptp_clock_release(struct device *dev)
    665 {
    666 - struct ptp_clock *ptp = container_of(pc, struct ptp_clock, clock);
    667 + struct ptp_clock *ptp = container_of(dev, struct ptp_clock, dev);
    668
    669 + ptp_cleanup_pin_groups(ptp);
    670 mutex_destroy(&ptp->tsevq_mux);
    671 mutex_destroy(&ptp->pincfg_mux);
    672 ida_simple_remove(&ptp_clocks_map, ptp->index);
    673 @@ -205,7 +206,6 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
    674 }
    675
    676 ptp->clock.ops = ptp_clock_ops;
    677 - ptp->clock.release = delete_ptp_clock;
    678 ptp->info = info;
    679 ptp->devid = MKDEV(major, index);
    680 ptp->index = index;
    681 @@ -214,17 +214,9 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
    682 mutex_init(&ptp->pincfg_mux);
    683 init_waitqueue_head(&ptp->tsev_wq);
    684
    685 - /* Create a new device in our class. */
    686 - ptp->dev = device_create(ptp_class, parent, ptp->devid, ptp,
    687 - "ptp%d", ptp->index);
    688 - if (IS_ERR(ptp->dev))
    689 - goto no_device;
    690 -
    691 - dev_set_drvdata(ptp->dev, ptp);
    692 -
    693 - err = ptp_populate_sysfs(ptp);
    694 + err = ptp_populate_pin_groups(ptp);
    695 if (err)
    696 - goto no_sysfs;
    697 + goto no_pin_groups;
    698
    699 /* Register a new PPS source. */
    700 if (info->pps) {
    701 @@ -235,13 +227,24 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
    702 pps.owner = info->owner;
    703 ptp->pps_source = pps_register_source(&pps, PTP_PPS_DEFAULTS);
    704 if (!ptp->pps_source) {
    705 + err = -EINVAL;
    706 pr_err("failed to register pps source\n");
    707 goto no_pps;
    708 }
    709 }
    710
    711 - /* Create a posix clock. */
    712 - err = posix_clock_register(&ptp->clock, ptp->devid);
    713 + /* Initialize a new device of our class in our clock structure. */
    714 + device_initialize(&ptp->dev);
    715 + ptp->dev.devt = ptp->devid;
    716 + ptp->dev.class = ptp_class;
    717 + ptp->dev.parent = parent;
    718 + ptp->dev.groups = ptp->pin_attr_groups;
    719 + ptp->dev.release = ptp_clock_release;
    720 + dev_set_drvdata(&ptp->dev, ptp);
    721 + dev_set_name(&ptp->dev, "ptp%d", ptp->index);
    722 +
    723 + /* Create a posix clock and link it to the device. */
    724 + err = posix_clock_register(&ptp->clock, &ptp->dev);
    725 if (err) {
    726 pr_err("failed to create posix clock\n");
    727 goto no_clock;
    728 @@ -253,10 +256,8 @@ no_clock:
    729 if (ptp->pps_source)
    730 pps_unregister_source(ptp->pps_source);
    731 no_pps:
    732 - ptp_cleanup_sysfs(ptp);
    733 -no_sysfs:
    734 - device_destroy(ptp_class, ptp->devid);
    735 -no_device:
    736 + ptp_cleanup_pin_groups(ptp);
    737 +no_pin_groups:
    738 mutex_destroy(&ptp->tsevq_mux);
    739 mutex_destroy(&ptp->pincfg_mux);
    740 ida_simple_remove(&ptp_clocks_map, index);
    741 @@ -275,10 +276,9 @@ int ptp_clock_unregister(struct ptp_clock *ptp)
    742 /* Release the clock's resources. */
    743 if (ptp->pps_source)
    744 pps_unregister_source(ptp->pps_source);
    745 - ptp_cleanup_sysfs(ptp);
    746 - device_destroy(ptp_class, ptp->devid);
    747
    748 posix_clock_unregister(&ptp->clock);
    749 +
    750 return 0;
    751 }
    752 EXPORT_SYMBOL(ptp_clock_unregister);
    753 diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
    754 index 9c5d41421b65..15346e840caa 100644
    755 --- a/drivers/ptp/ptp_private.h
    756 +++ b/drivers/ptp/ptp_private.h
    757 @@ -40,7 +40,7 @@ struct timestamp_event_queue {
    758
    759 struct ptp_clock {
    760 struct posix_clock clock;
    761 - struct device *dev;
    762 + struct device dev;
    763 struct ptp_clock_info *info;
    764 dev_t devid;
    765 int index; /* index into clocks.map */
    766 @@ -54,6 +54,8 @@ struct ptp_clock {
    767 struct device_attribute *pin_dev_attr;
    768 struct attribute **pin_attr;
    769 struct attribute_group pin_attr_group;
    770 + /* 1st entry is a pointer to the real group, 2nd is NULL terminator */
    771 + const struct attribute_group *pin_attr_groups[2];
    772 };
    773
    774 /*
    775 @@ -94,8 +96,7 @@ uint ptp_poll(struct posix_clock *pc,
    776
    777 extern const struct attribute_group *ptp_groups[];
    778
    779 -int ptp_cleanup_sysfs(struct ptp_clock *ptp);
    780 -
    781 -int ptp_populate_sysfs(struct ptp_clock *ptp);
    782 +int ptp_populate_pin_groups(struct ptp_clock *ptp);
    783 +void ptp_cleanup_pin_groups(struct ptp_clock *ptp);
    784
    785 #endif
    786 diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
    787 index 302e626fe6b0..731d0423c8aa 100644
    788 --- a/drivers/ptp/ptp_sysfs.c
    789 +++ b/drivers/ptp/ptp_sysfs.c
    790 @@ -46,27 +46,6 @@ PTP_SHOW_INT(n_periodic_outputs, n_per_out);
    791 PTP_SHOW_INT(n_programmable_pins, n_pins);
    792 PTP_SHOW_INT(pps_available, pps);
    793
    794 -static struct attribute *ptp_attrs[] = {
    795 - &dev_attr_clock_name.attr,
    796 - &dev_attr_max_adjustment.attr,
    797 - &dev_attr_n_alarms.attr,
    798 - &dev_attr_n_external_timestamps.attr,
    799 - &dev_attr_n_periodic_outputs.attr,
    800 - &dev_attr_n_programmable_pins.attr,
    801 - &dev_attr_pps_available.attr,
    802 - NULL,
    803 -};
    804 -
    805 -static const struct attribute_group ptp_group = {
    806 - .attrs = ptp_attrs,
    807 -};
    808 -
    809 -const struct attribute_group *ptp_groups[] = {
    810 - &ptp_group,
    811 - NULL,
    812 -};
    813 -
    814 -
    815 static ssize_t extts_enable_store(struct device *dev,
    816 struct device_attribute *attr,
    817 const char *buf, size_t count)
    818 @@ -91,6 +70,7 @@ static ssize_t extts_enable_store(struct device *dev,
    819 out:
    820 return err;
    821 }
    822 +static DEVICE_ATTR(extts_enable, 0220, NULL, extts_enable_store);
    823
    824 static ssize_t extts_fifo_show(struct device *dev,
    825 struct device_attribute *attr, char *page)
    826 @@ -124,6 +104,7 @@ out:
    827 mutex_unlock(&ptp->tsevq_mux);
    828 return cnt;
    829 }
    830 +static DEVICE_ATTR(fifo, 0444, extts_fifo_show, NULL);
    831
    832 static ssize_t period_store(struct device *dev,
    833 struct device_attribute *attr,
    834 @@ -151,6 +132,7 @@ static ssize_t period_store(struct device *dev,
    835 out:
    836 return err;
    837 }
    838 +static DEVICE_ATTR(period, 0220, NULL, period_store);
    839
    840 static ssize_t pps_enable_store(struct device *dev,
    841 struct device_attribute *attr,
    842 @@ -177,6 +159,57 @@ static ssize_t pps_enable_store(struct device *dev,
    843 out:
    844 return err;
    845 }
    846 +static DEVICE_ATTR(pps_enable, 0220, NULL, pps_enable_store);
    847 +
    848 +static struct attribute *ptp_attrs[] = {
    849 + &dev_attr_clock_name.attr,
    850 +
    851 + &dev_attr_max_adjustment.attr,
    852 + &dev_attr_n_alarms.attr,
    853 + &dev_attr_n_external_timestamps.attr,
    854 + &dev_attr_n_periodic_outputs.attr,
    855 + &dev_attr_n_programmable_pins.attr,
    856 + &dev_attr_pps_available.attr,
    857 +
    858 + &dev_attr_extts_enable.attr,
    859 + &dev_attr_fifo.attr,
    860 + &dev_attr_period.attr,
    861 + &dev_attr_pps_enable.attr,
    862 + NULL
    863 +};
    864 +
    865 +static umode_t ptp_is_attribute_visible(struct kobject *kobj,
    866 + struct attribute *attr, int n)
    867 +{
    868 + struct device *dev = kobj_to_dev(kobj);
    869 + struct ptp_clock *ptp = dev_get_drvdata(dev);
    870 + struct ptp_clock_info *info = ptp->info;
    871 + umode_t mode = attr->mode;
    872 +
    873 + if (attr == &dev_attr_extts_enable.attr ||
    874 + attr == &dev_attr_fifo.attr) {
    875 + if (!info->n_ext_ts)
    876 + mode = 0;
    877 + } else if (attr == &dev_attr_period.attr) {
    878 + if (!info->n_per_out)
    879 + mode = 0;
    880 + } else if (attr == &dev_attr_pps_enable.attr) {
    881 + if (!info->pps)
    882 + mode = 0;
    883 + }
    884 +
    885 + return mode;
    886 +}
    887 +
    888 +static const struct attribute_group ptp_group = {
    889 + .is_visible = ptp_is_attribute_visible,
    890 + .attrs = ptp_attrs,
    891 +};
    892 +
    893 +const struct attribute_group *ptp_groups[] = {
    894 + &ptp_group,
    895 + NULL
    896 +};
    897
    898 static int ptp_pin_name2index(struct ptp_clock *ptp, const char *name)
    899 {
    900 @@ -235,40 +268,14 @@ static ssize_t ptp_pin_store(struct device *dev, struct device_attribute *attr,
    901 return count;
    902 }
    903
    904 -static DEVICE_ATTR(extts_enable, 0220, NULL, extts_enable_store);
    905 -static DEVICE_ATTR(fifo, 0444, extts_fifo_show, NULL);
    906 -static DEVICE_ATTR(period, 0220, NULL, period_store);
    907 -static DEVICE_ATTR(pps_enable, 0220, NULL, pps_enable_store);
    908 -
    909 -int ptp_cleanup_sysfs(struct ptp_clock *ptp)
    910 +int ptp_populate_pin_groups(struct ptp_clock *ptp)
    911 {
    912 - struct device *dev = ptp->dev;
    913 - struct ptp_clock_info *info = ptp->info;
    914 -
    915 - if (info->n_ext_ts) {
    916 - device_remove_file(dev, &dev_attr_extts_enable);
    917 - device_remove_file(dev, &dev_attr_fifo);
    918 - }
    919 - if (info->n_per_out)
    920 - device_remove_file(dev, &dev_attr_period);
    921 -
    922 - if (info->pps)
    923 - device_remove_file(dev, &dev_attr_pps_enable);
    924 -
    925 - if (info->n_pins) {
    926 - sysfs_remove_group(&dev->kobj, &ptp->pin_attr_group);
    927 - kfree(ptp->pin_attr);
    928 - kfree(ptp->pin_dev_attr);
    929 - }
    930 - return 0;
    931 -}
    932 -
    933 -static int ptp_populate_pins(struct ptp_clock *ptp)
    934 -{
    935 - struct device *dev = ptp->dev;
    936 struct ptp_clock_info *info = ptp->info;
    937 int err = -ENOMEM, i, n_pins = info->n_pins;
    938
    939 + if (!n_pins)
    940 + return 0;
    941 +
    942 ptp->pin_dev_attr = kzalloc(n_pins * sizeof(*ptp->pin_dev_attr),
    943 GFP_KERNEL);
    944 if (!ptp->pin_dev_attr)
    945 @@ -292,61 +299,18 @@ static int ptp_populate_pins(struct ptp_clock *ptp)
    946 ptp->pin_attr_group.name = "pins";
    947 ptp->pin_attr_group.attrs = ptp->pin_attr;
    948
    949 - err = sysfs_create_group(&dev->kobj, &ptp->pin_attr_group);
    950 - if (err)
    951 - goto no_group;
    952 + ptp->pin_attr_groups[0] = &ptp->pin_attr_group;
    953 +
    954 return 0;
    955
    956 -no_group:
    957 - kfree(ptp->pin_attr);
    958 no_pin_attr:
    959 kfree(ptp->pin_dev_attr);
    960 no_dev_attr:
    961 return err;
    962 }
    963
    964 -int ptp_populate_sysfs(struct ptp_clock *ptp)
    965 +void ptp_cleanup_pin_groups(struct ptp_clock *ptp)
    966 {
    967 - struct device *dev = ptp->dev;
    968 - struct ptp_clock_info *info = ptp->info;
    969 - int err;
    970 -
    971 - if (info->n_ext_ts) {
    972 - err = device_create_file(dev, &dev_attr_extts_enable);
    973 - if (err)
    974 - goto out1;
    975 - err = device_create_file(dev, &dev_attr_fifo);
    976 - if (err)
    977 - goto out2;
    978 - }
    979 - if (info->n_per_out) {
    980 - err = device_create_file(dev, &dev_attr_period);
    981 - if (err)
    982 - goto out3;
    983 - }
    984 - if (info->pps) {
    985 - err = device_create_file(dev, &dev_attr_pps_enable);
    986 - if (err)
    987 - goto out4;
    988 - }
    989 - if (info->n_pins) {
    990 - err = ptp_populate_pins(ptp);
    991 - if (err)
    992 - goto out5;
    993 - }
    994 - return 0;
    995 -out5:
    996 - if (info->pps)
    997 - device_remove_file(dev, &dev_attr_pps_enable);
    998 -out4:
    999 - if (info->n_per_out)
    1000 - device_remove_file(dev, &dev_attr_period);
    1001 -out3:
    1002 - if (info->n_ext_ts)
    1003 - device_remove_file(dev, &dev_attr_fifo);
    1004 -out2:
    1005 - if (info->n_ext_ts)
    1006 - device_remove_file(dev, &dev_attr_extts_enable);
    1007 -out1:
    1008 - return err;
    1009 + kfree(ptp->pin_attr);
    1010 + kfree(ptp->pin_dev_attr);
    1011 }
    1012 diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
    1013 index c924df5538dd..417927b279b6 100644
    1014 --- a/drivers/scsi/sg.c
    1015 +++ b/drivers/scsi/sg.c
    1016 @@ -695,8 +695,10 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
    1017 hp->flags = input_size; /* structure abuse ... */
    1018 hp->pack_id = old_hdr.pack_id;
    1019 hp->usr_ptr = NULL;
    1020 - if (__copy_from_user(cmnd, buf, cmd_size))
    1021 + if (__copy_from_user(cmnd, buf, cmd_size)) {
    1022 + sg_remove_request(sfp, srp);
    1023 return -EFAULT;
    1024 + }
    1025 /*
    1026 * SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV,
    1027 * but is is possible that the app intended SG_DXFER_TO_DEV, because there
    1028 diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
    1029 index c4226c07e091..16f0def9df82 100644
    1030 --- a/drivers/spi/spi-dw.c
    1031 +++ b/drivers/spi/spi-dw.c
    1032 @@ -180,9 +180,11 @@ static inline u32 rx_max(struct dw_spi *dws)
    1033
    1034 static void dw_writer(struct dw_spi *dws)
    1035 {
    1036 - u32 max = tx_max(dws);
    1037 + u32 max;
    1038 u16 txw = 0;
    1039
    1040 + spin_lock(&dws->buf_lock);
    1041 + max = tx_max(dws);
    1042 while (max--) {
    1043 /* Set the tx word if the transfer's original "tx" is not null */
    1044 if (dws->tx_end - dws->len) {
    1045 @@ -194,13 +196,16 @@ static void dw_writer(struct dw_spi *dws)
    1046 dw_write_io_reg(dws, DW_SPI_DR, txw);
    1047 dws->tx += dws->n_bytes;
    1048 }
    1049 + spin_unlock(&dws->buf_lock);
    1050 }
    1051
    1052 static void dw_reader(struct dw_spi *dws)
    1053 {
    1054 - u32 max = rx_max(dws);
    1055 + u32 max;
    1056 u16 rxw;
    1057
    1058 + spin_lock(&dws->buf_lock);
    1059 + max = rx_max(dws);
    1060 while (max--) {
    1061 rxw = dw_read_io_reg(dws, DW_SPI_DR);
    1062 /* Care rx only if the transfer's original "rx" is not null */
    1063 @@ -212,6 +217,7 @@ static void dw_reader(struct dw_spi *dws)
    1064 }
    1065 dws->rx += dws->n_bytes;
    1066 }
    1067 + spin_unlock(&dws->buf_lock);
    1068 }
    1069
    1070 static void int_error_stop(struct dw_spi *dws, const char *msg)
    1071 @@ -284,18 +290,20 @@ static int dw_spi_transfer_one(struct spi_master *master,
    1072 {
    1073 struct dw_spi *dws = spi_master_get_devdata(master);
    1074 struct chip_data *chip = spi_get_ctldata(spi);
    1075 + unsigned long flags;
    1076 u8 imask = 0;
    1077 u16 txlevel = 0;
    1078 u32 cr0;
    1079 int ret;
    1080
    1081 dws->dma_mapped = 0;
    1082 -
    1083 + spin_lock_irqsave(&dws->buf_lock, flags);
    1084 dws->tx = (void *)transfer->tx_buf;
    1085 dws->tx_end = dws->tx + transfer->len;
    1086 dws->rx = transfer->rx_buf;
    1087 dws->rx_end = dws->rx + transfer->len;
    1088 dws->len = transfer->len;
    1089 + spin_unlock_irqrestore(&dws->buf_lock, flags);
    1090
    1091 spi_enable_chip(dws, 0);
    1092
    1093 @@ -487,6 +495,7 @@ int dw_spi_add_host(struct device *dev, struct dw_spi *dws)
    1094 dws->dma_inited = 0;
    1095 dws->dma_addr = (dma_addr_t)(dws->paddr + DW_SPI_DR);
    1096 snprintf(dws->name, sizeof(dws->name), "dw_spi%d", dws->bus_num);
    1097 + spin_lock_init(&dws->buf_lock);
    1098
    1099 ret = request_irq(dws->irq, dw_spi_irq, IRQF_SHARED, dws->name, master);
    1100 if (ret < 0) {
    1101 diff --git a/drivers/spi/spi-dw.h b/drivers/spi/spi-dw.h
    1102 index c21ca02f8ec5..e80338e6ffa2 100644
    1103 --- a/drivers/spi/spi-dw.h
    1104 +++ b/drivers/spi/spi-dw.h
    1105 @@ -117,6 +117,7 @@ struct dw_spi {
    1106 size_t len;
    1107 void *tx;
    1108 void *tx_end;
    1109 + spinlock_t buf_lock;
    1110 void *rx;
    1111 void *rx_end;
    1112 int dma_mapped;
    1113 diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
    1114 index 3f1662b64bab..6420cae820bc 100644
    1115 --- a/drivers/usb/gadget/configfs.c
    1116 +++ b/drivers/usb/gadget/configfs.c
    1117 @@ -259,6 +259,9 @@ static ssize_t gadget_dev_desc_UDC_store(struct config_item *item,
    1118 char *name;
    1119 int ret;
    1120
    1121 + if (strlen(page) < len)
    1122 + return -EOVERFLOW;
    1123 +
    1124 name = kstrdup(page, GFP_KERNEL);
    1125 if (!name)
    1126 return -ENOMEM;
    1127 diff --git a/drivers/usb/gadget/legacy/audio.c b/drivers/usb/gadget/legacy/audio.c
    1128 index 5d7b3c6a422b..f61936b8baaf 100644
    1129 --- a/drivers/usb/gadget/legacy/audio.c
    1130 +++ b/drivers/usb/gadget/legacy/audio.c
    1131 @@ -249,8 +249,10 @@ static int audio_bind(struct usb_composite_dev *cdev)
    1132 struct usb_descriptor_header *usb_desc;
    1133
    1134 usb_desc = usb_otg_descriptor_alloc(cdev->gadget);
    1135 - if (!usb_desc)
    1136 + if (!usb_desc) {
    1137 + status = -ENOMEM;
    1138 goto fail;
    1139 + }
    1140 usb_otg_descriptor_init(cdev->gadget, usb_desc);
    1141 otg_desc[0] = usb_desc;
    1142 otg_desc[1] = NULL;
    1143 diff --git a/drivers/usb/gadget/legacy/cdc2.c b/drivers/usb/gadget/legacy/cdc2.c
    1144 index 5ee25beb52f0..dc83e07bb242 100644
    1145 --- a/drivers/usb/gadget/legacy/cdc2.c
    1146 +++ b/drivers/usb/gadget/legacy/cdc2.c
    1147 @@ -183,8 +183,10 @@ static int cdc_bind(struct usb_composite_dev *cdev)
    1148 struct usb_descriptor_header *usb_desc;
    1149
    1150 usb_desc = usb_otg_descriptor_alloc(gadget);
    1151 - if (!usb_desc)
    1152 + if (!usb_desc) {
    1153 + status = -ENOMEM;
    1154 goto fail1;
    1155 + }
    1156 usb_otg_descriptor_init(gadget, usb_desc);
    1157 otg_desc[0] = usb_desc;
    1158 otg_desc[1] = NULL;
    1159 diff --git a/drivers/usb/gadget/legacy/ncm.c b/drivers/usb/gadget/legacy/ncm.c
    1160 index 2fb4a847dd52..5448cf4ff588 100644
    1161 --- a/drivers/usb/gadget/legacy/ncm.c
    1162 +++ b/drivers/usb/gadget/legacy/ncm.c
    1163 @@ -162,8 +162,10 @@ static int gncm_bind(struct usb_composite_dev *cdev)
    1164 struct usb_descriptor_header *usb_desc;
    1165
    1166 usb_desc = usb_otg_descriptor_alloc(gadget);
    1167 - if (!usb_desc)
    1168 + if (!usb_desc) {
    1169 + status = -ENOMEM;
    1170 goto fail;
    1171 + }
    1172 usb_otg_descriptor_init(gadget, usb_desc);
    1173 otg_desc[0] = usb_desc;
    1174 otg_desc[1] = NULL;
    1175 diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c
    1176 index f57d293a1791..4b6797797141 100644
    1177 --- a/drivers/usb/gadget/udc/net2272.c
    1178 +++ b/drivers/usb/gadget/udc/net2272.c
    1179 @@ -2666,6 +2666,8 @@ net2272_plat_probe(struct platform_device *pdev)
    1180 err_req:
    1181 release_mem_region(base, len);
    1182 err:
    1183 + kfree(dev);
    1184 +
    1185 return ret;
    1186 }
    1187
    1188 diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
    1189 index b426c83ecb9b..1468dca77fac 100644
    1190 --- a/drivers/usb/host/xhci-ring.c
    1191 +++ b/drivers/usb/host/xhci-ring.c
    1192 @@ -3347,8 +3347,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
    1193 /* New sg entry */
    1194 --num_sgs;
    1195 sent_len -= block_len;
    1196 - if (num_sgs != 0) {
    1197 - sg = sg_next(sg);
    1198 + sg = sg_next(sg);
    1199 + if (num_sgs != 0 && sg) {
    1200 block_len = sg_dma_len(sg);
    1201 addr = (u64) sg_dma_address(sg);
    1202 addr += sent_len;
    1203 diff --git a/drivers/usb/serial/garmin_gps.c b/drivers/usb/serial/garmin_gps.c
    1204 index 91e7e3a166a5..c67a17faaa3c 100644
    1205 --- a/drivers/usb/serial/garmin_gps.c
    1206 +++ b/drivers/usb/serial/garmin_gps.c
    1207 @@ -1161,8 +1161,8 @@ static void garmin_read_process(struct garmin_data *garmin_data_p,
    1208 send it directly to the tty port */
    1209 if (garmin_data_p->flags & FLAGS_QUEUING) {
    1210 pkt_add(garmin_data_p, data, data_length);
    1211 - } else if (bulk_data ||
    1212 - getLayerId(data) == GARMIN_LAYERID_APPL) {
    1213 + } else if (bulk_data || (data_length >= sizeof(u32) &&
    1214 + getLayerId(data) == GARMIN_LAYERID_APPL)) {
    1215
    1216 spin_lock_irqsave(&garmin_data_p->lock, flags);
    1217 garmin_data_p->flags |= APP_RESP_SEEN;
    1218 diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
    1219 index fb6dc16c754a..06916ddc3159 100644
    1220 --- a/drivers/usb/serial/qcserial.c
    1221 +++ b/drivers/usb/serial/qcserial.c
    1222 @@ -177,6 +177,7 @@ static const struct usb_device_id id_table[] = {
    1223 {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
    1224 {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */
    1225 {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */
    1226 + {DEVICE_SWI(0x413c, 0x81cc)}, /* Dell Wireless 5816e */
    1227 {DEVICE_SWI(0x413c, 0x81cf)}, /* Dell Wireless 5819 */
    1228 {DEVICE_SWI(0x413c, 0x81d0)}, /* Dell Wireless 5819 */
    1229 {DEVICE_SWI(0x413c, 0x81d1)}, /* Dell Wireless 5818 */
    1230 diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
    1231 index 0eb8c67ee138..4df15faa66d7 100644
    1232 --- a/drivers/usb/storage/unusual_uas.h
    1233 +++ b/drivers/usb/storage/unusual_uas.h
    1234 @@ -41,6 +41,13 @@
    1235 * and don't forget to CC: the USB development list <linux-usb@vger.kernel.org>
    1236 */
    1237
    1238 +/* Reported-by: Julian Groß <julian.g@posteo.de> */
    1239 +UNUSUAL_DEV(0x059f, 0x105f, 0x0000, 0x9999,
    1240 + "LaCie",
    1241 + "2Big Quadra USB3",
    1242 + USB_SC_DEVICE, USB_PR_DEVICE, NULL,
    1243 + US_FL_NO_REPORT_OPCODES),
    1244 +
    1245 /*
    1246 * Apricorn USB3 dongle sometimes returns "USBSUSBSUSBS" in response to SCSI
    1247 * commands in UAS mode. Observed with the 1.28 firmware; are there others?
    1248 diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
    1249 index e7e25a86bbff..e78553d51837 100644
    1250 --- a/fs/binfmt_elf.c
    1251 +++ b/fs/binfmt_elf.c
    1252 @@ -1100,6 +1100,18 @@ static int load_elf_binary(struct linux_binprm *bprm)
    1253 current->mm->start_stack = bprm->p;
    1254
    1255 if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {
    1256 + /*
    1257 + * For architectures with ELF randomization, when executing
    1258 + * a loader directly (i.e. no interpreter listed in ELF
    1259 + * headers), move the brk area out of the mmap region
    1260 + * (since it grows up, and may collide early with the stack
    1261 + * growing down), and into the unused ELF_ET_DYN_BASE region.
    1262 + */
    1263 + if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
    1264 + loc->elf_ex.e_type == ET_DYN && !interpreter)
    1265 + current->mm->brk = current->mm->start_brk =
    1266 + ELF_ET_DYN_BASE;
    1267 +
    1268 current->mm->brk = current->mm->start_brk =
    1269 arch_randomize_brk(current->mm);
    1270 #ifdef compat_brk_randomized
    1271 diff --git a/fs/char_dev.c b/fs/char_dev.c
    1272 index 23e0477edf7d..1bbb966c0783 100644
    1273 --- a/fs/char_dev.c
    1274 +++ b/fs/char_dev.c
    1275 @@ -477,6 +477,85 @@ int cdev_add(struct cdev *p, dev_t dev, unsigned count)
    1276 return 0;
    1277 }
    1278
    1279 +/**
    1280 + * cdev_set_parent() - set the parent kobject for a char device
    1281 + * @p: the cdev structure
    1282 + * @kobj: the kobject to take a reference to
    1283 + *
    1284 + * cdev_set_parent() sets a parent kobject which will be referenced
    1285 + * appropriately so the parent is not freed before the cdev. This
    1286 + * should be called before cdev_add.
    1287 + */
    1288 +void cdev_set_parent(struct cdev *p, struct kobject *kobj)
    1289 +{
    1290 + WARN_ON(!kobj->state_initialized);
    1291 + p->kobj.parent = kobj;
    1292 +}
    1293 +
    1294 +/**
    1295 + * cdev_device_add() - add a char device and it's corresponding
    1296 + * struct device, linkink
    1297 + * @dev: the device structure
    1298 + * @cdev: the cdev structure
    1299 + *
    1300 + * cdev_device_add() adds the char device represented by @cdev to the system,
    1301 + * just as cdev_add does. It then adds @dev to the system using device_add
    1302 + * The dev_t for the char device will be taken from the struct device which
    1303 + * needs to be initialized first. This helper function correctly takes a
    1304 + * reference to the parent device so the parent will not get released until
    1305 + * all references to the cdev are released.
    1306 + *
    1307 + * This helper uses dev->devt for the device number. If it is not set
    1308 + * it will not add the cdev and it will be equivalent to device_add.
    1309 + *
    1310 + * This function should be used whenever the struct cdev and the
    1311 + * struct device are members of the same structure whose lifetime is
    1312 + * managed by the struct device.
    1313 + *
    1314 + * NOTE: Callers must assume that userspace was able to open the cdev and
    1315 + * can call cdev fops callbacks at any time, even if this function fails.
    1316 + */
    1317 +int cdev_device_add(struct cdev *cdev, struct device *dev)
    1318 +{
    1319 + int rc = 0;
    1320 +
    1321 + if (dev->devt) {
    1322 + cdev_set_parent(cdev, &dev->kobj);
    1323 +
    1324 + rc = cdev_add(cdev, dev->devt, 1);
    1325 + if (rc)
    1326 + return rc;
    1327 + }
    1328 +
    1329 + rc = device_add(dev);
    1330 + if (rc)
    1331 + cdev_del(cdev);
    1332 +
    1333 + return rc;
    1334 +}
    1335 +
    1336 +/**
    1337 + * cdev_device_del() - inverse of cdev_device_add
    1338 + * @dev: the device structure
    1339 + * @cdev: the cdev structure
    1340 + *
    1341 + * cdev_device_del() is a helper function to call cdev_del and device_del.
    1342 + * It should be used whenever cdev_device_add is used.
    1343 + *
    1344 + * If dev->devt is not set it will not remove the cdev and will be equivalent
    1345 + * to device_del.
    1346 + *
    1347 + * NOTE: This guarantees that associated sysfs callbacks are not running
    1348 + * or runnable, however any cdevs already open will remain and their fops
    1349 + * will still be callable even after this function returns.
    1350 + */
    1351 +void cdev_device_del(struct cdev *cdev, struct device *dev)
    1352 +{
    1353 + device_del(dev);
    1354 + if (dev->devt)
    1355 + cdev_del(cdev);
    1356 +}
    1357 +
    1358 static void cdev_unmap(dev_t dev, unsigned count)
    1359 {
    1360 kobj_unmap(cdev_map, dev, count);
    1361 @@ -488,6 +567,10 @@ static void cdev_unmap(dev_t dev, unsigned count)
    1362 *
    1363 * cdev_del() removes @p from the system, possibly freeing the structure
    1364 * itself.
    1365 + *
    1366 + * NOTE: This guarantees that cdev device will no longer be able to be
    1367 + * opened, however any cdevs already open will remain and their fops will
    1368 + * still be callable even after cdev_del returns.
    1369 */
    1370 void cdev_del(struct cdev *p)
    1371 {
    1372 @@ -576,5 +659,8 @@ EXPORT_SYMBOL(cdev_init);
    1373 EXPORT_SYMBOL(cdev_alloc);
    1374 EXPORT_SYMBOL(cdev_del);
    1375 EXPORT_SYMBOL(cdev_add);
    1376 +EXPORT_SYMBOL(cdev_set_parent);
    1377 +EXPORT_SYMBOL(cdev_device_add);
    1378 +EXPORT_SYMBOL(cdev_device_del);
    1379 EXPORT_SYMBOL(__register_chrdev);
    1380 EXPORT_SYMBOL(__unregister_chrdev);
    1381 diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
    1382 index 741b83c59a30..568abcd6d0dd 100644
    1383 --- a/fs/cifs/cifssmb.c
    1384 +++ b/fs/cifs/cifssmb.c
    1385 @@ -184,6 +184,18 @@ cifs_reconnect_tcon(struct cifs_tcon *tcon, int smb_command)
    1386 * reconnect the same SMB session
    1387 */
    1388 mutex_lock(&ses->session_mutex);
    1389 +
    1390 + /*
    1391 + * Recheck after acquire mutex. If another thread is negotiating
    1392 + * and the server never sends an answer the socket will be closed
    1393 + * and tcpStatus set to reconnect.
    1394 + */
    1395 + if (server->tcpStatus == CifsNeedReconnect) {
    1396 + rc = -EHOSTDOWN;
    1397 + mutex_unlock(&ses->session_mutex);
    1398 + goto out;
    1399 + }
    1400 +
    1401 rc = cifs_negotiate_protocol(0, ses);
    1402 if (rc == 0 && ses->need_reconnect)
    1403 rc = cifs_setup_session(0, ses, nls_codepage);
    1404 diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
    1405 index c018d161735c..3545b237187a 100644
    1406 --- a/fs/cifs/connect.c
    1407 +++ b/fs/cifs/connect.c
    1408 @@ -551,20 +551,21 @@ static bool
    1409 server_unresponsive(struct TCP_Server_Info *server)
    1410 {
    1411 /*
    1412 - * We need to wait 2 echo intervals to make sure we handle such
    1413 + * We need to wait 3 echo intervals to make sure we handle such
    1414 * situations right:
    1415 * 1s client sends a normal SMB request
    1416 - * 2s client gets a response
    1417 + * 3s client gets a response
    1418 * 30s echo workqueue job pops, and decides we got a response recently
    1419 * and don't need to send another
    1420 * ...
    1421 * 65s kernel_recvmsg times out, and we see that we haven't gotten
    1422 * a response in >60s.
    1423 */
    1424 - if (server->tcpStatus == CifsGood &&
    1425 - time_after(jiffies, server->lstrp + 2 * server->echo_interval)) {
    1426 + if ((server->tcpStatus == CifsGood ||
    1427 + server->tcpStatus == CifsNeedNegotiate) &&
    1428 + time_after(jiffies, server->lstrp + 3 * server->echo_interval)) {
    1429 cifs_dbg(VFS, "Server %s has not responded in %lu seconds. Reconnecting...\n",
    1430 - server->hostname, (2 * server->echo_interval) / HZ);
    1431 + server->hostname, (3 * server->echo_interval) / HZ);
    1432 cifs_reconnect(server);
    1433 wake_up(&server->response_q);
    1434 return true;
    1435 diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
    1436 index e8dc28dbe563..0a23b6002ff1 100644
    1437 --- a/fs/cifs/smb2pdu.c
    1438 +++ b/fs/cifs/smb2pdu.c
    1439 @@ -246,6 +246,18 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
    1440 * the same SMB session
    1441 */
    1442 mutex_lock(&tcon->ses->session_mutex);
    1443 +
    1444 + /*
    1445 + * Recheck after acquire mutex. If another thread is negotiating
    1446 + * and the server never sends an answer the socket will be closed
    1447 + * and tcpStatus set to reconnect.
    1448 + */
    1449 + if (server->tcpStatus == CifsNeedReconnect) {
    1450 + rc = -EHOSTDOWN;
    1451 + mutex_unlock(&tcon->ses->session_mutex);
    1452 + goto out;
    1453 + }
    1454 +
    1455 rc = cifs_negotiate_protocol(0, tcon->ses);
    1456 if (!rc && tcon->ses->need_reconnect) {
    1457 rc = cifs_setup_session(0, tcon->ses, nls_codepage);
    1458 diff --git a/fs/exec.c b/fs/exec.c
    1459 index bb03b98fd03b..cd5da140f94c 100644
    1460 --- a/fs/exec.c
    1461 +++ b/fs/exec.c
    1462 @@ -1270,6 +1270,8 @@ int flush_old_exec(struct linux_binprm * bprm)
    1463 */
    1464 set_mm_exe_file(bprm->mm, bprm->file);
    1465
    1466 + would_dump(bprm, bprm->file);
    1467 +
    1468 /*
    1469 * Release all of the old mmap stuff
    1470 */
    1471 @@ -1780,8 +1782,6 @@ static int do_execveat_common(int fd, struct filename *filename,
    1472 if (retval < 0)
    1473 goto out;
    1474
    1475 - would_dump(bprm, bprm->file);
    1476 -
    1477 retval = exec_binprm(bprm);
    1478 if (retval < 0)
    1479 goto out;
    1480 diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c
    1481 index d31d93ee5e76..45c7b0f9a8e3 100644
    1482 --- a/fs/ext4/block_validity.c
    1483 +++ b/fs/ext4/block_validity.c
    1484 @@ -152,6 +152,7 @@ static int ext4_protect_reserved_inode(struct super_block *sb, u32 ino)
    1485 return PTR_ERR(inode);
    1486 num = (inode->i_size + sb->s_blocksize - 1) >> sb->s_blocksize_bits;
    1487 while (i < num) {
    1488 + cond_resched();
    1489 map.m_lblk = i;
    1490 map.m_len = num - i;
    1491 n = ext4_map_blocks(NULL, inode, &map, 0);
    1492 diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
    1493 index 2fc4ba6fa07f..060881478e59 100644
    1494 --- a/include/linux/blkdev.h
    1495 +++ b/include/linux/blkdev.h
    1496 @@ -445,7 +445,8 @@ struct request_queue {
    1497 unsigned int sg_reserved_size;
    1498 int node;
    1499 #ifdef CONFIG_BLK_DEV_IO_TRACE
    1500 - struct blk_trace *blk_trace;
    1501 + struct blk_trace __rcu *blk_trace;
    1502 + struct mutex blk_trace_mutex;
    1503 #endif
    1504 /*
    1505 * for flush operations
    1506 diff --git a/include/linux/blktrace_api.h b/include/linux/blktrace_api.h
    1507 index cceb72f9e29f..45fb00427306 100644
    1508 --- a/include/linux/blktrace_api.h
    1509 +++ b/include/linux/blktrace_api.h
    1510 @@ -51,18 +51,26 @@ void __trace_note_message(struct blk_trace *, const char *fmt, ...);
    1511 **/
    1512 #define blk_add_trace_msg(q, fmt, ...) \
    1513 do { \
    1514 - struct blk_trace *bt = (q)->blk_trace; \
    1515 + struct blk_trace *bt; \
    1516 + \
    1517 + rcu_read_lock(); \
    1518 + bt = rcu_dereference((q)->blk_trace); \
    1519 if (unlikely(bt)) \
    1520 __trace_note_message(bt, fmt, ##__VA_ARGS__); \
    1521 + rcu_read_unlock(); \
    1522 } while (0)
    1523 #define BLK_TN_MAX_MSG 128
    1524
    1525 static inline bool blk_trace_note_message_enabled(struct request_queue *q)
    1526 {
    1527 - struct blk_trace *bt = q->blk_trace;
    1528 - if (likely(!bt))
    1529 - return false;
    1530 - return bt->act_mask & BLK_TC_NOTIFY;
    1531 + struct blk_trace *bt;
    1532 + bool ret;
    1533 +
    1534 + rcu_read_lock();
    1535 + bt = rcu_dereference(q->blk_trace);
    1536 + ret = bt && (bt->act_mask & BLK_TC_NOTIFY);
    1537 + rcu_read_unlock();
    1538 + return ret;
    1539 }
    1540
    1541 extern void blk_add_driver_data(struct request_queue *q, struct request *rq,
    1542 diff --git a/include/linux/cdev.h b/include/linux/cdev.h
    1543 index f8763615a5f2..408bc09ce497 100644
    1544 --- a/include/linux/cdev.h
    1545 +++ b/include/linux/cdev.h
    1546 @@ -4,6 +4,7 @@
    1547 #include <linux/kobject.h>
    1548 #include <linux/kdev_t.h>
    1549 #include <linux/list.h>
    1550 +#include <linux/device.h>
    1551
    1552 struct file_operations;
    1553 struct inode;
    1554 @@ -26,6 +27,10 @@ void cdev_put(struct cdev *p);
    1555
    1556 int cdev_add(struct cdev *, dev_t, unsigned);
    1557
    1558 +void cdev_set_parent(struct cdev *p, struct kobject *kobj);
    1559 +int cdev_device_add(struct cdev *cdev, struct device *dev);
    1560 +void cdev_device_del(struct cdev *cdev, struct device *dev);
    1561 +
    1562 void cdev_del(struct cdev *);
    1563
    1564 void cd_forget(struct inode *);
    1565 diff --git a/include/linux/compiler.h b/include/linux/compiler.h
    1566 index 7837afabbd78..824b1b97f989 100644
    1567 --- a/include/linux/compiler.h
    1568 +++ b/include/linux/compiler.h
    1569 @@ -605,4 +605,11 @@ unsigned long read_word_at_a_time(const void *addr)
    1570 # define __kprobes
    1571 # define nokprobe_inline inline
    1572 #endif
    1573 +
    1574 +/*
    1575 + * This is needed in functions which generate the stack canary, see
    1576 + * arch/x86/kernel/smpboot.c::start_secondary() for an example.
    1577 + */
    1578 +#define prevent_tail_call_optimization() mb()
    1579 +
    1580 #endif /* __LINUX_COMPILER_H */
    1581 diff --git a/include/linux/fs.h b/include/linux/fs.h
    1582 index c2c04f891785..2d569738eb32 100644
    1583 --- a/include/linux/fs.h
    1584 +++ b/include/linux/fs.h
    1585 @@ -931,7 +931,7 @@ struct file_handle {
    1586 __u32 handle_bytes;
    1587 int handle_type;
    1588 /* file identifier */
    1589 - unsigned char f_handle[0];
    1590 + unsigned char f_handle[];
    1591 };
    1592
    1593 static inline struct file *get_file(struct file *f)
    1594 diff --git a/include/linux/pnp.h b/include/linux/pnp.h
    1595 index 2588ca6a9028..acbfe53eb948 100644
    1596 --- a/include/linux/pnp.h
    1597 +++ b/include/linux/pnp.h
    1598 @@ -219,10 +219,8 @@ struct pnp_card {
    1599 #define global_to_pnp_card(n) list_entry(n, struct pnp_card, global_list)
    1600 #define protocol_to_pnp_card(n) list_entry(n, struct pnp_card, protocol_list)
    1601 #define to_pnp_card(n) container_of(n, struct pnp_card, dev)
    1602 -#define pnp_for_each_card(card) \
    1603 - for((card) = global_to_pnp_card(pnp_cards.next); \
    1604 - (card) != global_to_pnp_card(&pnp_cards); \
    1605 - (card) = global_to_pnp_card((card)->global_list.next))
    1606 +#define pnp_for_each_card(card) \
    1607 + list_for_each_entry(card, &pnp_cards, global_list)
    1608
    1609 struct pnp_card_link {
    1610 struct pnp_card *card;
    1611 @@ -275,14 +273,9 @@ struct pnp_dev {
    1612 #define card_to_pnp_dev(n) list_entry(n, struct pnp_dev, card_list)
    1613 #define protocol_to_pnp_dev(n) list_entry(n, struct pnp_dev, protocol_list)
    1614 #define to_pnp_dev(n) container_of(n, struct pnp_dev, dev)
    1615 -#define pnp_for_each_dev(dev) \
    1616 - for((dev) = global_to_pnp_dev(pnp_global.next); \
    1617 - (dev) != global_to_pnp_dev(&pnp_global); \
    1618 - (dev) = global_to_pnp_dev((dev)->global_list.next))
    1619 -#define card_for_each_dev(card,dev) \
    1620 - for((dev) = card_to_pnp_dev((card)->devices.next); \
    1621 - (dev) != card_to_pnp_dev(&(card)->devices); \
    1622 - (dev) = card_to_pnp_dev((dev)->card_list.next))
    1623 +#define pnp_for_each_dev(dev) list_for_each_entry(dev, &pnp_global, global_list)
    1624 +#define card_for_each_dev(card, dev) \
    1625 + list_for_each_entry(dev, &(card)->devices, card_list)
    1626 #define pnp_dev_name(dev) (dev)->name
    1627
    1628 static inline void *pnp_get_drvdata(struct pnp_dev *pdev)
    1629 @@ -436,14 +429,10 @@ struct pnp_protocol {
    1630 };
    1631
    1632 #define to_pnp_protocol(n) list_entry(n, struct pnp_protocol, protocol_list)
    1633 -#define protocol_for_each_card(protocol,card) \
    1634 - for((card) = protocol_to_pnp_card((protocol)->cards.next); \
    1635 - (card) != protocol_to_pnp_card(&(protocol)->cards); \
    1636 - (card) = protocol_to_pnp_card((card)->protocol_list.next))
    1637 -#define protocol_for_each_dev(protocol,dev) \
    1638 - for((dev) = protocol_to_pnp_dev((protocol)->devices.next); \
    1639 - (dev) != protocol_to_pnp_dev(&(protocol)->devices); \
    1640 - (dev) = protocol_to_pnp_dev((dev)->protocol_list.next))
    1641 +#define protocol_for_each_card(protocol, card) \
    1642 + list_for_each_entry(card, &(protocol)->cards, protocol_list)
    1643 +#define protocol_for_each_dev(protocol, dev) \
    1644 + list_for_each_entry(dev, &(protocol)->devices, protocol_list)
    1645
    1646 extern struct bus_type pnp_bus_type;
    1647
    1648 diff --git a/include/linux/posix-clock.h b/include/linux/posix-clock.h
    1649 index 83b22ae9ae12..b39420a0321c 100644
    1650 --- a/include/linux/posix-clock.h
    1651 +++ b/include/linux/posix-clock.h
    1652 @@ -104,29 +104,32 @@ struct posix_clock_operations {
    1653 *
    1654 * @ops: Functional interface to the clock
    1655 * @cdev: Character device instance for this clock
    1656 - * @kref: Reference count.
    1657 + * @dev: Pointer to the clock's device.
    1658 * @rwsem: Protects the 'zombie' field from concurrent access.
    1659 * @zombie: If 'zombie' is true, then the hardware has disappeared.
    1660 - * @release: A function to free the structure when the reference count reaches
    1661 - * zero. May be NULL if structure is statically allocated.
    1662 *
    1663 * Drivers should embed their struct posix_clock within a private
    1664 * structure, obtaining a reference to it during callbacks using
    1665 * container_of().
    1666 + *
    1667 + * Drivers should supply an initialized but not exposed struct device
    1668 + * to posix_clock_register(). It is used to manage lifetime of the
    1669 + * driver's private structure. It's 'release' field should be set to
    1670 + * a release function for this private structure.
    1671 */
    1672 struct posix_clock {
    1673 struct posix_clock_operations ops;
    1674 struct cdev cdev;
    1675 - struct kref kref;
    1676 + struct device *dev;
    1677 struct rw_semaphore rwsem;
    1678 bool zombie;
    1679 - void (*release)(struct posix_clock *clk);
    1680 };
    1681
    1682 /**
    1683 * posix_clock_register() - register a new clock
    1684 - * @clk: Pointer to the clock. Caller must provide 'ops' and 'release'
    1685 - * @devid: Allocated device id
    1686 + * @clk: Pointer to the clock. Caller must provide 'ops' field
    1687 + * @dev: Pointer to the initialized device. Caller must provide
    1688 + * 'release' field
    1689 *
    1690 * A clock driver calls this function to register itself with the
    1691 * clock device subsystem. If 'clk' points to dynamically allocated
    1692 @@ -135,7 +138,7 @@ struct posix_clock {
    1693 *
    1694 * Returns zero on success, non-zero otherwise.
    1695 */
    1696 -int posix_clock_register(struct posix_clock *clk, dev_t devid);
    1697 +int posix_clock_register(struct posix_clock *clk, struct device *dev);
    1698
    1699 /**
    1700 * posix_clock_unregister() - unregister a clock
    1701 diff --git a/include/linux/tty.h b/include/linux/tty.h
    1702 index fe483976b119..15cf871046b3 100644
    1703 --- a/include/linux/tty.h
    1704 +++ b/include/linux/tty.h
    1705 @@ -64,7 +64,7 @@ struct tty_buffer {
    1706 int read;
    1707 int flags;
    1708 /* Data points here */
    1709 - unsigned long data[0];
    1710 + unsigned long data[];
    1711 };
    1712
    1713 /* Values for .flags field of tty_buffer */
    1714 diff --git a/include/net/addrconf.h b/include/net/addrconf.h
    1715 index b8ee8a113e32..019b06c035a8 100644
    1716 --- a/include/net/addrconf.h
    1717 +++ b/include/net/addrconf.h
    1718 @@ -206,8 +206,10 @@ struct ipv6_stub {
    1719 const struct in6_addr *addr);
    1720 int (*ipv6_sock_mc_drop)(struct sock *sk, int ifindex,
    1721 const struct in6_addr *addr);
    1722 - int (*ipv6_dst_lookup)(struct net *net, struct sock *sk,
    1723 - struct dst_entry **dst, struct flowi6 *fl6);
    1724 + struct dst_entry *(*ipv6_dst_lookup_flow)(struct net *net,
    1725 + const struct sock *sk,
    1726 + struct flowi6 *fl6,
    1727 + const struct in6_addr *final_dst);
    1728 void (*udpv6_encap_enable)(void);
    1729 void (*ndisc_send_na)(struct net_device *dev, const struct in6_addr *daddr,
    1730 const struct in6_addr *solicited_addr,
    1731 diff --git a/include/net/ipv6.h b/include/net/ipv6.h
    1732 index 168009eef5e4..1a48e10ec617 100644
    1733 --- a/include/net/ipv6.h
    1734 +++ b/include/net/ipv6.h
    1735 @@ -856,7 +856,7 @@ static inline struct sk_buff *ip6_finish_skb(struct sock *sk)
    1736
    1737 int ip6_dst_lookup(struct net *net, struct sock *sk, struct dst_entry **dst,
    1738 struct flowi6 *fl6);
    1739 -struct dst_entry *ip6_dst_lookup_flow(const struct sock *sk, struct flowi6 *fl6,
    1740 +struct dst_entry *ip6_dst_lookup_flow(struct net *net, const struct sock *sk, struct flowi6 *fl6,
    1741 const struct in6_addr *final_dst);
    1742 struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
    1743 const struct in6_addr *final_dst);
    1744 diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
    1745 index b57a9f37c297..7befec513295 100644
    1746 --- a/include/net/netfilter/nf_conntrack.h
    1747 +++ b/include/net/netfilter/nf_conntrack.h
    1748 @@ -103,7 +103,7 @@ struct nf_conn {
    1749 struct hlist_node nat_bysource;
    1750 #endif
    1751 /* all members below initialized via memset */
    1752 - u8 __nfct_init_offset[0];
    1753 + struct { } __nfct_init_offset;
    1754
    1755 /* If we were expected by an expectation, this will be it */
    1756 struct nf_conn *master;
    1757 diff --git a/include/sound/rawmidi.h b/include/sound/rawmidi.h
    1758 index 5432111c8761..2a87128b3075 100644
    1759 --- a/include/sound/rawmidi.h
    1760 +++ b/include/sound/rawmidi.h
    1761 @@ -76,6 +76,7 @@ struct snd_rawmidi_runtime {
    1762 size_t avail_min; /* min avail for wakeup */
    1763 size_t avail; /* max used buffer for wakeup */
    1764 size_t xruns; /* over/underruns counter */
    1765 + int buffer_ref; /* buffer reference count */
    1766 /* misc */
    1767 spinlock_t lock;
    1768 wait_queue_head_t sleep;
    1769 diff --git a/init/main.c b/init/main.c
    1770 index 148843e627a0..d47860dbe896 100644
    1771 --- a/init/main.c
    1772 +++ b/init/main.c
    1773 @@ -662,6 +662,8 @@ asmlinkage __visible void __init start_kernel(void)
    1774
    1775 /* Do the rest non-__init'ed, we're now alive */
    1776 rest_init();
    1777 +
    1778 + prevent_tail_call_optimization();
    1779 }
    1780
    1781 /* Call all constructor functions linked into the kernel. */
    1782 diff --git a/ipc/util.c b/ipc/util.c
    1783 index e65ecf3ccbda..76d4afcde7bb 100644
    1784 --- a/ipc/util.c
    1785 +++ b/ipc/util.c
    1786 @@ -751,21 +751,21 @@ static struct kern_ipc_perm *sysvipc_find_ipc(struct ipc_ids *ids, loff_t pos,
    1787 total++;
    1788 }
    1789
    1790 - *new_pos = pos + 1;
    1791 + ipc = NULL;
    1792 if (total >= ids->in_use)
    1793 - return NULL;
    1794 + goto out;
    1795
    1796 for (; pos < IPCMNI; pos++) {
    1797 ipc = idr_find(&ids->ipcs_idr, pos);
    1798 if (ipc != NULL) {
    1799 rcu_read_lock();
    1800 ipc_lock_object(ipc);
    1801 - return ipc;
    1802 + break;
    1803 }
    1804 }
    1805 -
    1806 - /* Out of range - return NULL to terminate iteration */
    1807 - return NULL;
    1808 +out:
    1809 + *new_pos = pos + 1;
    1810 + return ipc;
    1811 }
    1812
    1813 static void *sysvipc_proc_next(struct seq_file *s, void *it, loff_t *pos)
    1814 diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c
    1815 index e24008c098c6..45a0a26023d4 100644
    1816 --- a/kernel/time/posix-clock.c
    1817 +++ b/kernel/time/posix-clock.c
    1818 @@ -25,8 +25,6 @@
    1819 #include <linux/syscalls.h>
    1820 #include <linux/uaccess.h>
    1821
    1822 -static void delete_clock(struct kref *kref);
    1823 -
    1824 /*
    1825 * Returns NULL if the posix_clock instance attached to 'fp' is old and stale.
    1826 */
    1827 @@ -168,7 +166,7 @@ static int posix_clock_open(struct inode *inode, struct file *fp)
    1828 err = 0;
    1829
    1830 if (!err) {
    1831 - kref_get(&clk->kref);
    1832 + get_device(clk->dev);
    1833 fp->private_data = clk;
    1834 }
    1835 out:
    1836 @@ -184,7 +182,7 @@ static int posix_clock_release(struct inode *inode, struct file *fp)
    1837 if (clk->ops.release)
    1838 err = clk->ops.release(clk);
    1839
    1840 - kref_put(&clk->kref, delete_clock);
    1841 + put_device(clk->dev);
    1842
    1843 fp->private_data = NULL;
    1844
    1845 @@ -206,38 +204,35 @@ static const struct file_operations posix_clock_file_operations = {
    1846 #endif
    1847 };
    1848
    1849 -int posix_clock_register(struct posix_clock *clk, dev_t devid)
    1850 +int posix_clock_register(struct posix_clock *clk, struct device *dev)
    1851 {
    1852 int err;
    1853
    1854 - kref_init(&clk->kref);
    1855 init_rwsem(&clk->rwsem);
    1856
    1857 cdev_init(&clk->cdev, &posix_clock_file_operations);
    1858 + err = cdev_device_add(&clk->cdev, dev);
    1859 + if (err) {
    1860 + pr_err("%s unable to add device %d:%d\n",
    1861 + dev_name(dev), MAJOR(dev->devt), MINOR(dev->devt));
    1862 + return err;
    1863 + }
    1864 clk->cdev.owner = clk->ops.owner;
    1865 - err = cdev_add(&clk->cdev, devid, 1);
    1866 + clk->dev = dev;
    1867
    1868 - return err;
    1869 + return 0;
    1870 }
    1871 EXPORT_SYMBOL_GPL(posix_clock_register);
    1872
    1873 -static void delete_clock(struct kref *kref)
    1874 -{
    1875 - struct posix_clock *clk = container_of(kref, struct posix_clock, kref);
    1876 -
    1877 - if (clk->release)
    1878 - clk->release(clk);
    1879 -}
    1880 -
    1881 void posix_clock_unregister(struct posix_clock *clk)
    1882 {
    1883 - cdev_del(&clk->cdev);
    1884 + cdev_device_del(&clk->cdev, clk->dev);
    1885
    1886 down_write(&clk->rwsem);
    1887 clk->zombie = true;
    1888 up_write(&clk->rwsem);
    1889
    1890 - kref_put(&clk->kref, delete_clock);
    1891 + put_device(clk->dev);
    1892 }
    1893 EXPORT_SYMBOL_GPL(posix_clock_unregister);
    1894
    1895 diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
    1896 index bfa8bb3a6e19..6d3b432a748a 100644
    1897 --- a/kernel/trace/blktrace.c
    1898 +++ b/kernel/trace/blktrace.c
    1899 @@ -325,11 +325,12 @@ static void put_probe_ref(void)
    1900
    1901 static void blk_trace_cleanup(struct blk_trace *bt)
    1902 {
    1903 + synchronize_rcu();
    1904 blk_trace_free(bt);
    1905 put_probe_ref();
    1906 }
    1907
    1908 -int blk_trace_remove(struct request_queue *q)
    1909 +static int __blk_trace_remove(struct request_queue *q)
    1910 {
    1911 struct blk_trace *bt;
    1912
    1913 @@ -342,6 +343,17 @@ int blk_trace_remove(struct request_queue *q)
    1914
    1915 return 0;
    1916 }
    1917 +
    1918 +int blk_trace_remove(struct request_queue *q)
    1919 +{
    1920 + int ret;
    1921 +
    1922 + mutex_lock(&q->blk_trace_mutex);
    1923 + ret = __blk_trace_remove(q);
    1924 + mutex_unlock(&q->blk_trace_mutex);
    1925 +
    1926 + return ret;
    1927 +}
    1928 EXPORT_SYMBOL_GPL(blk_trace_remove);
    1929
    1930 static ssize_t blk_dropped_read(struct file *filp, char __user *buffer,
    1931 @@ -546,9 +558,8 @@ err:
    1932 return ret;
    1933 }
    1934
    1935 -int blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
    1936 - struct block_device *bdev,
    1937 - char __user *arg)
    1938 +static int __blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
    1939 + struct block_device *bdev, char __user *arg)
    1940 {
    1941 struct blk_user_trace_setup buts;
    1942 int ret;
    1943 @@ -562,11 +573,24 @@ int blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
    1944 return ret;
    1945
    1946 if (copy_to_user(arg, &buts, sizeof(buts))) {
    1947 - blk_trace_remove(q);
    1948 + __blk_trace_remove(q);
    1949 return -EFAULT;
    1950 }
    1951 return 0;
    1952 }
    1953 +
    1954 +int blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
    1955 + struct block_device *bdev,
    1956 + char __user *arg)
    1957 +{
    1958 + int ret;
    1959 +
    1960 + mutex_lock(&q->blk_trace_mutex);
    1961 + ret = __blk_trace_setup(q, name, dev, bdev, arg);
    1962 + mutex_unlock(&q->blk_trace_mutex);
    1963 +
    1964 + return ret;
    1965 +}
    1966 EXPORT_SYMBOL_GPL(blk_trace_setup);
    1967
    1968 #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64)
    1969 @@ -595,7 +619,7 @@ static int compat_blk_trace_setup(struct request_queue *q, char *name,
    1970 return ret;
    1971
    1972 if (copy_to_user(arg, &buts.name, ARRAY_SIZE(buts.name))) {
    1973 - blk_trace_remove(q);
    1974 + __blk_trace_remove(q);
    1975 return -EFAULT;
    1976 }
    1977
    1978 @@ -603,11 +627,13 @@ static int compat_blk_trace_setup(struct request_queue *q, char *name,
    1979 }
    1980 #endif
    1981
    1982 -int blk_trace_startstop(struct request_queue *q, int start)
    1983 +static int __blk_trace_startstop(struct request_queue *q, int start)
    1984 {
    1985 int ret;
    1986 - struct blk_trace *bt = q->blk_trace;
    1987 + struct blk_trace *bt;
    1988
    1989 + bt = rcu_dereference_protected(q->blk_trace,
    1990 + lockdep_is_held(&q->blk_trace_mutex));
    1991 if (bt == NULL)
    1992 return -EINVAL;
    1993
    1994 @@ -642,8 +668,25 @@ int blk_trace_startstop(struct request_queue *q, int start)
    1995
    1996 return ret;
    1997 }
    1998 +
    1999 +int blk_trace_startstop(struct request_queue *q, int start)
    2000 +{
    2001 + int ret;
    2002 +
    2003 + mutex_lock(&q->blk_trace_mutex);
    2004 + ret = __blk_trace_startstop(q, start);
    2005 + mutex_unlock(&q->blk_trace_mutex);
    2006 +
    2007 + return ret;
    2008 +}
    2009 EXPORT_SYMBOL_GPL(blk_trace_startstop);
    2010
    2011 +/*
    2012 + * When reading or writing the blktrace sysfs files, the references to the
    2013 + * opened sysfs or device files should prevent the underlying block device
    2014 + * from being removed. So no further delete protection is really needed.
    2015 + */
    2016 +
    2017 /**
    2018 * blk_trace_ioctl: - handle the ioctls associated with tracing
    2019 * @bdev: the block device
    2020 @@ -661,12 +704,12 @@ int blk_trace_ioctl(struct block_device *bdev, unsigned cmd, char __user *arg)
    2021 if (!q)
    2022 return -ENXIO;
    2023
    2024 - mutex_lock(&bdev->bd_mutex);
    2025 + mutex_lock(&q->blk_trace_mutex);
    2026
    2027 switch (cmd) {
    2028 case BLKTRACESETUP:
    2029 bdevname(bdev, b);
    2030 - ret = blk_trace_setup(q, b, bdev->bd_dev, bdev, arg);
    2031 + ret = __blk_trace_setup(q, b, bdev->bd_dev, bdev, arg);
    2032 break;
    2033 #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64)
    2034 case BLKTRACESETUP32:
    2035 @@ -677,17 +720,17 @@ int blk_trace_ioctl(struct block_device *bdev, unsigned cmd, char __user *arg)
    2036 case BLKTRACESTART:
    2037 start = 1;
    2038 case BLKTRACESTOP:
    2039 - ret = blk_trace_startstop(q, start);
    2040 + ret = __blk_trace_startstop(q, start);
    2041 break;
    2042 case BLKTRACETEARDOWN:
    2043 - ret = blk_trace_remove(q);
    2044 + ret = __blk_trace_remove(q);
    2045 break;
    2046 default:
    2047 ret = -ENOTTY;
    2048 break;
    2049 }
    2050
    2051 - mutex_unlock(&bdev->bd_mutex);
    2052 + mutex_unlock(&q->blk_trace_mutex);
    2053 return ret;
    2054 }
    2055
    2056 @@ -698,10 +741,14 @@ int blk_trace_ioctl(struct block_device *bdev, unsigned cmd, char __user *arg)
    2057 **/
    2058 void blk_trace_shutdown(struct request_queue *q)
    2059 {
    2060 - if (q->blk_trace) {
    2061 - blk_trace_startstop(q, 0);
    2062 - blk_trace_remove(q);
    2063 + mutex_lock(&q->blk_trace_mutex);
    2064 + if (rcu_dereference_protected(q->blk_trace,
    2065 + lockdep_is_held(&q->blk_trace_mutex))) {
    2066 + __blk_trace_startstop(q, 0);
    2067 + __blk_trace_remove(q);
    2068 }
    2069 +
    2070 + mutex_unlock(&q->blk_trace_mutex);
    2071 }
    2072
    2073 /*
    2074 @@ -722,10 +769,14 @@ void blk_trace_shutdown(struct request_queue *q)
    2075 static void blk_add_trace_rq(struct request_queue *q, struct request *rq,
    2076 unsigned int nr_bytes, u32 what)
    2077 {
    2078 - struct blk_trace *bt = q->blk_trace;
    2079 + struct blk_trace *bt;
    2080
    2081 - if (likely(!bt))
    2082 + rcu_read_lock();
    2083 + bt = rcu_dereference(q->blk_trace);
    2084 + if (likely(!bt)) {
    2085 + rcu_read_unlock();
    2086 return;
    2087 + }
    2088
    2089 if (rq->cmd_type == REQ_TYPE_BLOCK_PC) {
    2090 what |= BLK_TC_ACT(BLK_TC_PC);
    2091 @@ -736,6 +787,7 @@ static void blk_add_trace_rq(struct request_queue *q, struct request *rq,
    2092 __blk_add_trace(bt, blk_rq_pos(rq), nr_bytes, req_op(rq),
    2093 rq->cmd_flags, what, rq->errors, 0, NULL);
    2094 }
    2095 + rcu_read_unlock();
    2096 }
    2097
    2098 static void blk_add_trace_rq_abort(void *ignore,
    2099 @@ -785,13 +837,18 @@ static void blk_add_trace_rq_complete(void *ignore,
    2100 static void blk_add_trace_bio(struct request_queue *q, struct bio *bio,
    2101 u32 what, int error)
    2102 {
    2103 - struct blk_trace *bt = q->blk_trace;
    2104 + struct blk_trace *bt;
    2105
    2106 - if (likely(!bt))
    2107 + rcu_read_lock();
    2108 + bt = rcu_dereference(q->blk_trace);
    2109 + if (likely(!bt)) {
    2110 + rcu_read_unlock();
    2111 return;
    2112 + }
    2113
    2114 __blk_add_trace(bt, bio->bi_iter.bi_sector, bio->bi_iter.bi_size,
    2115 bio_op(bio), bio->bi_opf, what, error, 0, NULL);
    2116 + rcu_read_unlock();
    2117 }
    2118
    2119 static void blk_add_trace_bio_bounce(void *ignore,
    2120 @@ -836,11 +893,14 @@ static void blk_add_trace_getrq(void *ignore,
    2121 if (bio)
    2122 blk_add_trace_bio(q, bio, BLK_TA_GETRQ, 0);
    2123 else {
    2124 - struct blk_trace *bt = q->blk_trace;
    2125 + struct blk_trace *bt;
    2126
    2127 + rcu_read_lock();
    2128 + bt = rcu_dereference(q->blk_trace);
    2129 if (bt)
    2130 __blk_add_trace(bt, 0, 0, rw, 0, BLK_TA_GETRQ, 0, 0,
    2131 NULL);
    2132 + rcu_read_unlock();
    2133 }
    2134 }
    2135
    2136 @@ -852,27 +912,35 @@ static void blk_add_trace_sleeprq(void *ignore,
    2137 if (bio)
    2138 blk_add_trace_bio(q, bio, BLK_TA_SLEEPRQ, 0);
    2139 else {
    2140 - struct blk_trace *bt = q->blk_trace;
    2141 + struct blk_trace *bt;
    2142
    2143 + rcu_read_lock();
    2144 + bt = rcu_dereference(q->blk_trace);
    2145 if (bt)
    2146 __blk_add_trace(bt, 0, 0, rw, 0, BLK_TA_SLEEPRQ,
    2147 0, 0, NULL);
    2148 + rcu_read_unlock();
    2149 }
    2150 }
    2151
    2152 static void blk_add_trace_plug(void *ignore, struct request_queue *q)
    2153 {
    2154 - struct blk_trace *bt = q->blk_trace;
    2155 + struct blk_trace *bt;
    2156
    2157 + rcu_read_lock();
    2158 + bt = rcu_dereference(q->blk_trace);
    2159 if (bt)
    2160 __blk_add_trace(bt, 0, 0, 0, 0, BLK_TA_PLUG, 0, 0, NULL);
    2161 + rcu_read_unlock();
    2162 }
    2163
    2164 static void blk_add_trace_unplug(void *ignore, struct request_queue *q,
    2165 unsigned int depth, bool explicit)
    2166 {
    2167 - struct blk_trace *bt = q->blk_trace;
    2168 + struct blk_trace *bt;
    2169
    2170 + rcu_read_lock();
    2171 + bt = rcu_dereference(q->blk_trace);
    2172 if (bt) {
    2173 __be64 rpdu = cpu_to_be64(depth);
    2174 u32 what;
    2175 @@ -884,14 +952,17 @@ static void blk_add_trace_unplug(void *ignore, struct request_queue *q,
    2176
    2177 __blk_add_trace(bt, 0, 0, 0, 0, what, 0, sizeof(rpdu), &rpdu);
    2178 }
    2179 + rcu_read_unlock();
    2180 }
    2181
    2182 static void blk_add_trace_split(void *ignore,
    2183 struct request_queue *q, struct bio *bio,
    2184 unsigned int pdu)
    2185 {
    2186 - struct blk_trace *bt = q->blk_trace;
    2187 + struct blk_trace *bt;
    2188
    2189 + rcu_read_lock();
    2190 + bt = rcu_dereference(q->blk_trace);
    2191 if (bt) {
    2192 __be64 rpdu = cpu_to_be64(pdu);
    2193
    2194 @@ -900,6 +971,7 @@ static void blk_add_trace_split(void *ignore,
    2195 BLK_TA_SPLIT, bio->bi_error, sizeof(rpdu),
    2196 &rpdu);
    2197 }
    2198 + rcu_read_unlock();
    2199 }
    2200
    2201 /**
    2202 @@ -919,11 +991,15 @@ static void blk_add_trace_bio_remap(void *ignore,
    2203 struct request_queue *q, struct bio *bio,
    2204 dev_t dev, sector_t from)
    2205 {
    2206 - struct blk_trace *bt = q->blk_trace;
    2207 + struct blk_trace *bt;
    2208 struct blk_io_trace_remap r;
    2209
    2210 - if (likely(!bt))
    2211 + rcu_read_lock();
    2212 + bt = rcu_dereference(q->blk_trace);
    2213 + if (likely(!bt)) {
    2214 + rcu_read_unlock();
    2215 return;
    2216 + }
    2217
    2218 r.device_from = cpu_to_be32(dev);
    2219 r.device_to = cpu_to_be32(bio->bi_bdev->bd_dev);
    2220 @@ -932,6 +1008,7 @@ static void blk_add_trace_bio_remap(void *ignore,
    2221 __blk_add_trace(bt, bio->bi_iter.bi_sector, bio->bi_iter.bi_size,
    2222 bio_op(bio), bio->bi_opf, BLK_TA_REMAP, bio->bi_error,
    2223 sizeof(r), &r);
    2224 + rcu_read_unlock();
    2225 }
    2226
    2227 /**
    2228 @@ -952,11 +1029,15 @@ static void blk_add_trace_rq_remap(void *ignore,
    2229 struct request *rq, dev_t dev,
    2230 sector_t from)
    2231 {
    2232 - struct blk_trace *bt = q->blk_trace;
    2233 + struct blk_trace *bt;
    2234 struct blk_io_trace_remap r;
    2235
    2236 - if (likely(!bt))
    2237 + rcu_read_lock();
    2238 + bt = rcu_dereference(q->blk_trace);
    2239 + if (likely(!bt)) {
    2240 + rcu_read_unlock();
    2241 return;
    2242 + }
    2243
    2244 r.device_from = cpu_to_be32(dev);
    2245 r.device_to = cpu_to_be32(disk_devt(rq->rq_disk));
    2246 @@ -965,6 +1046,7 @@ static void blk_add_trace_rq_remap(void *ignore,
    2247 __blk_add_trace(bt, blk_rq_pos(rq), blk_rq_bytes(rq),
    2248 rq_data_dir(rq), 0, BLK_TA_REMAP, !!rq->errors,
    2249 sizeof(r), &r);
    2250 + rcu_read_unlock();
    2251 }
    2252
    2253 /**
    2254 @@ -982,10 +1064,14 @@ void blk_add_driver_data(struct request_queue *q,
    2255 struct request *rq,
    2256 void *data, size_t len)
    2257 {
    2258 - struct blk_trace *bt = q->blk_trace;
    2259 + struct blk_trace *bt;
    2260
    2261 - if (likely(!bt))
    2262 + rcu_read_lock();
    2263 + bt = rcu_dereference(q->blk_trace);
    2264 + if (likely(!bt)) {
    2265 + rcu_read_unlock();
    2266 return;
    2267 + }
    2268
    2269 if (rq->cmd_type == REQ_TYPE_BLOCK_PC)
    2270 __blk_add_trace(bt, 0, blk_rq_bytes(rq), 0, 0,
    2271 @@ -993,6 +1079,7 @@ void blk_add_driver_data(struct request_queue *q,
    2272 else
    2273 __blk_add_trace(bt, blk_rq_pos(rq), blk_rq_bytes(rq), 0, 0,
    2274 BLK_TA_DRV_DATA, rq->errors, len, data);
    2275 + rcu_read_unlock();
    2276 }
    2277 EXPORT_SYMBOL_GPL(blk_add_driver_data);
    2278
    2279 @@ -1485,6 +1572,7 @@ static int blk_trace_remove_queue(struct request_queue *q)
    2280 return -EINVAL;
    2281
    2282 put_probe_ref();
    2283 + synchronize_rcu();
    2284 blk_trace_free(bt);
    2285 return 0;
    2286 }
    2287 @@ -1646,6 +1734,7 @@ static ssize_t sysfs_blk_trace_attr_show(struct device *dev,
    2288 struct hd_struct *p = dev_to_part(dev);
    2289 struct request_queue *q;
    2290 struct block_device *bdev;
    2291 + struct blk_trace *bt;
    2292 ssize_t ret = -ENXIO;
    2293
    2294 bdev = bdget(part_devt(p));
    2295 @@ -1656,26 +1745,28 @@ static ssize_t sysfs_blk_trace_attr_show(struct device *dev,
    2296 if (q == NULL)
    2297 goto out_bdput;
    2298
    2299 - mutex_lock(&bdev->bd_mutex);
    2300 + mutex_lock(&q->blk_trace_mutex);
    2301
    2302 + bt = rcu_dereference_protected(q->blk_trace,
    2303 + lockdep_is_held(&q->blk_trace_mutex));
    2304 if (attr == &dev_attr_enable) {
    2305 - ret = sprintf(buf, "%u\n", !!q->blk_trace);
    2306 + ret = sprintf(buf, "%u\n", !!bt);
    2307 goto out_unlock_bdev;
    2308 }
    2309
    2310 - if (q->blk_trace == NULL)
    2311 + if (bt == NULL)
    2312 ret = sprintf(buf, "disabled\n");
    2313 else if (attr == &dev_attr_act_mask)
    2314 - ret = blk_trace_mask2str(buf, q->blk_trace->act_mask);
    2315 + ret = blk_trace_mask2str(buf, bt->act_mask);
    2316 else if (attr == &dev_attr_pid)
    2317 - ret = sprintf(buf, "%u\n", q->blk_trace->pid);
    2318 + ret = sprintf(buf, "%u\n", bt->pid);
    2319 else if (attr == &dev_attr_start_lba)
    2320 - ret = sprintf(buf, "%llu\n", q->blk_trace->start_lba);
    2321 + ret = sprintf(buf, "%llu\n", bt->start_lba);
    2322 else if (attr == &dev_attr_end_lba)
    2323 - ret = sprintf(buf, "%llu\n", q->blk_trace->end_lba);
    2324 + ret = sprintf(buf, "%llu\n", bt->end_lba);
    2325
    2326 out_unlock_bdev:
    2327 - mutex_unlock(&bdev->bd_mutex);
    2328 + mutex_unlock(&q->blk_trace_mutex);
    2329 out_bdput:
    2330 bdput(bdev);
    2331 out:
    2332 @@ -1689,6 +1780,7 @@ static ssize_t sysfs_blk_trace_attr_store(struct device *dev,
    2333 struct block_device *bdev;
    2334 struct request_queue *q;
    2335 struct hd_struct *p;
    2336 + struct blk_trace *bt;
    2337 u64 value;
    2338 ssize_t ret = -EINVAL;
    2339
    2340 @@ -1717,10 +1809,12 @@ static ssize_t sysfs_blk_trace_attr_store(struct device *dev,
    2341 if (q == NULL)
    2342 goto out_bdput;
    2343
    2344 - mutex_lock(&bdev->bd_mutex);
    2345 + mutex_lock(&q->blk_trace_mutex);
    2346
    2347 + bt = rcu_dereference_protected(q->blk_trace,
    2348 + lockdep_is_held(&q->blk_trace_mutex));
    2349 if (attr == &dev_attr_enable) {
    2350 - if (!!value == !!q->blk_trace) {
    2351 + if (!!value == !!bt) {
    2352 ret = 0;
    2353 goto out_unlock_bdev;
    2354 }
    2355 @@ -1732,22 +1826,25 @@ static ssize_t sysfs_blk_trace_attr_store(struct device *dev,
    2356 }
    2357
    2358 ret = 0;
    2359 - if (q->blk_trace == NULL)
    2360 + if (bt == NULL) {
    2361 ret = blk_trace_setup_queue(q, bdev);
    2362 + bt = rcu_dereference_protected(q->blk_trace,
    2363 + lockdep_is_held(&q->blk_trace_mutex));
    2364 + }
    2365
    2366 if (ret == 0) {
    2367 if (attr == &dev_attr_act_mask)
    2368 - q->blk_trace->act_mask = value;
    2369 + bt->act_mask = value;
    2370 else if (attr == &dev_attr_pid)
    2371 - q->blk_trace->pid = value;
    2372 + bt->pid = value;
    2373 else if (attr == &dev_attr_start_lba)
    2374 - q->blk_trace->start_lba = value;
    2375 + bt->start_lba = value;
    2376 else if (attr == &dev_attr_end_lba)
    2377 - q->blk_trace->end_lba = value;
    2378 + bt->end_lba = value;
    2379 }
    2380
    2381 out_unlock_bdev:
    2382 - mutex_unlock(&bdev->bd_mutex);
    2383 + mutex_unlock(&q->blk_trace_mutex);
    2384 out_bdput:
    2385 bdput(bdev);
    2386 out:
    2387 diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
    2388 index 6a170a78b453..b2fb25aefb2f 100644
    2389 --- a/kernel/trace/trace.c
    2390 +++ b/kernel/trace/trace.c
    2391 @@ -7032,6 +7032,19 @@ static int allocate_trace_buffers(struct trace_array *tr, int size)
    2392 */
    2393 allocate_snapshot = false;
    2394 #endif
    2395 +
    2396 + /*
    2397 + * Because of some magic with the way alloc_percpu() works on
    2398 + * x86_64, we need to synchronize the pgd of all the tables,
    2399 + * otherwise the trace events that happen in x86_64 page fault
    2400 + * handlers can't cope with accessing the chance that a
    2401 + * alloc_percpu()'d memory might be touched in the page fault trace
    2402 + * event. Oh, and we need to audit all other alloc_percpu() and vmalloc()
    2403 + * calls in tracing, because something might get triggered within a
    2404 + * page fault trace event!
    2405 + */
    2406 + vmalloc_sync_mappings();
    2407 +
    2408 return 0;
    2409 }
    2410
    2411 diff --git a/mm/page_alloc.c b/mm/page_alloc.c
    2412 index ef710e387862..de00e0fec484 100644
    2413 --- a/mm/page_alloc.c
    2414 +++ b/mm/page_alloc.c
    2415 @@ -1408,6 +1408,7 @@ void set_zone_contiguous(struct zone *zone)
    2416 if (!__pageblock_pfn_to_page(block_start_pfn,
    2417 block_end_pfn, zone))
    2418 return;
    2419 + cond_resched();
    2420 }
    2421
    2422 /* We confirm that there is no hole */
    2423 diff --git a/mm/shmem.c b/mm/shmem.c
    2424 index 90ccbb35458b..31b0c09fe6c6 100644
    2425 --- a/mm/shmem.c
    2426 +++ b/mm/shmem.c
    2427 @@ -2082,7 +2082,11 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)
    2428 struct shmem_inode_info *info = SHMEM_I(inode);
    2429 int retval = -ENOMEM;
    2430
    2431 - spin_lock_irq(&info->lock);
    2432 + /*
    2433 + * What serializes the accesses to info->flags?
    2434 + * ipc_lock_object() when called from shmctl_do_lock(),
    2435 + * no serialization needed when called from shm_destroy().
    2436 + */
    2437 if (lock && !(info->flags & VM_LOCKED)) {
    2438 if (!user_shm_lock(inode->i_size, user))
    2439 goto out_nomem;
    2440 @@ -2097,7 +2101,6 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)
    2441 retval = 0;
    2442
    2443 out_nomem:
    2444 - spin_unlock_irq(&info->lock);
    2445 return retval;
    2446 }
    2447
    2448 diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
    2449 index b0cae59bd327..d2e6885479cb 100644
    2450 --- a/net/batman-adv/bat_v_ogm.c
    2451 +++ b/net/batman-adv/bat_v_ogm.c
    2452 @@ -709,7 +709,7 @@ static void batadv_v_ogm_process(const struct sk_buff *skb, int ogm_offset,
    2453
    2454 orig_node = batadv_v_ogm_orig_get(bat_priv, ogm_packet->orig);
    2455 if (!orig_node)
    2456 - return;
    2457 + goto out;
    2458
    2459 neigh_node = batadv_neigh_node_get_or_create(orig_node, if_incoming,
    2460 ethhdr->h_source);
    2461 diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c
    2462 index a7b5cf08d363..09549885cd14 100644
    2463 --- a/net/batman-adv/network-coding.c
    2464 +++ b/net/batman-adv/network-coding.c
    2465 @@ -1012,15 +1012,8 @@ static struct batadv_nc_path *batadv_nc_get_path(struct batadv_priv *bat_priv,
    2466 */
    2467 static u8 batadv_nc_random_weight_tq(u8 tq)
    2468 {
    2469 - u8 rand_val, rand_tq;
    2470 -
    2471 - get_random_bytes(&rand_val, sizeof(rand_val));
    2472 -
    2473 /* randomize the estimated packet loss (max TQ - estimated TQ) */
    2474 - rand_tq = rand_val * (BATADV_TQ_MAX_VALUE - tq);
    2475 -
    2476 - /* normalize the randomized packet loss */
    2477 - rand_tq /= BATADV_TQ_MAX_VALUE;
    2478 + u8 rand_tq = prandom_u32_max(BATADV_TQ_MAX_VALUE + 1 - tq);
    2479
    2480 /* convert to (randomized) estimated tq again */
    2481 return BATADV_TQ_MAX_VALUE - rand_tq;
    2482 diff --git a/net/batman-adv/sysfs.c b/net/batman-adv/sysfs.c
    2483 index 31d7e239a1fd..121e9e7d28cc 100644
    2484 --- a/net/batman-adv/sysfs.c
    2485 +++ b/net/batman-adv/sysfs.c
    2486 @@ -1087,7 +1087,7 @@ static ssize_t batadv_store_throughput_override(struct kobject *kobj,
    2487 ret = batadv_parse_throughput(net_dev, buff, "throughput_override",
    2488 &tp_override);
    2489 if (!ret)
    2490 - return count;
    2491 + goto out;
    2492
    2493 old_tp_override = atomic_read(&hard_iface->bat_v.throughput_override);
    2494 if (old_tp_override == tp_override)
    2495 @@ -1120,6 +1120,7 @@ static ssize_t batadv_show_throughput_override(struct kobject *kobj,
    2496
    2497 tp_override = atomic_read(&hard_iface->bat_v.throughput_override);
    2498
    2499 + batadv_hardif_put(hard_iface);
    2500 return sprintf(buff, "%u.%u MBit\n", tp_override / 10,
    2501 tp_override % 10);
    2502 }
    2503 diff --git a/net/core/dev.c b/net/core/dev.c
    2504 index 842654302110..1041523aaa76 100644
    2505 --- a/net/core/dev.c
    2506 +++ b/net/core/dev.c
    2507 @@ -6939,11 +6939,13 @@ static void netdev_sync_lower_features(struct net_device *upper,
    2508 netdev_dbg(upper, "Disabling feature %pNF on lower dev %s.\n",
    2509 &feature, lower->name);
    2510 lower->wanted_features &= ~feature;
    2511 - netdev_update_features(lower);
    2512 + __netdev_update_features(lower);
    2513
    2514 if (unlikely(lower->features & feature))
    2515 netdev_WARN(upper, "failed to disable %pNF on %s!\n",
    2516 &feature, lower->name);
    2517 + else
    2518 + netdev_features_change(lower);
    2519 }
    2520 }
    2521 }
    2522 diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
    2523 index ca2c9c8b9a3e..6d7ff117f379 100644
    2524 --- a/net/core/drop_monitor.c
    2525 +++ b/net/core/drop_monitor.c
    2526 @@ -159,6 +159,7 @@ static void sched_send_work(unsigned long _data)
    2527 static void trace_drop_common(struct sk_buff *skb, void *location)
    2528 {
    2529 struct net_dm_alert_msg *msg;
    2530 + struct net_dm_drop_point *point;
    2531 struct nlmsghdr *nlh;
    2532 struct nlattr *nla;
    2533 int i;
    2534 @@ -177,11 +178,13 @@ static void trace_drop_common(struct sk_buff *skb, void *location)
    2535 nlh = (struct nlmsghdr *)dskb->data;
    2536 nla = genlmsg_data(nlmsg_data(nlh));
    2537 msg = nla_data(nla);
    2538 + point = msg->points;
    2539 for (i = 0; i < msg->entries; i++) {
    2540 - if (!memcmp(&location, msg->points[i].pc, sizeof(void *))) {
    2541 - msg->points[i].count++;
    2542 + if (!memcmp(&location, &point->pc, sizeof(void *))) {
    2543 + point->count++;
    2544 goto out;
    2545 }
    2546 + point++;
    2547 }
    2548 if (msg->entries == dm_hit_limit)
    2549 goto out;
    2550 @@ -190,8 +193,8 @@ static void trace_drop_common(struct sk_buff *skb, void *location)
    2551 */
    2552 __nla_reserve_nohdr(dskb, sizeof(struct net_dm_drop_point));
    2553 nla->nla_len += NLA_ALIGN(sizeof(struct net_dm_drop_point));
    2554 - memcpy(msg->points[msg->entries].pc, &location, sizeof(void *));
    2555 - msg->points[msg->entries].count = 1;
    2556 + memcpy(point->pc, &location, sizeof(void *));
    2557 + point->count = 1;
    2558 msg->entries++;
    2559
    2560 if (!timer_pending(&data->send_timer)) {
    2561 diff --git a/net/core/netprio_cgroup.c b/net/core/netprio_cgroup.c
    2562 index 2ec86fc552df..22506194bd76 100644
    2563 --- a/net/core/netprio_cgroup.c
    2564 +++ b/net/core/netprio_cgroup.c
    2565 @@ -237,6 +237,8 @@ static void net_prio_attach(struct cgroup_taskset *tset)
    2566 struct task_struct *p;
    2567 struct cgroup_subsys_state *css;
    2568
    2569 + cgroup_sk_alloc_disable();
    2570 +
    2571 cgroup_taskset_for_each(p, css, tset) {
    2572 void *v = (void *)(unsigned long)css->cgroup->id;
    2573
    2574 diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
    2575 index 87c513b5ff2e..9438873fc3c8 100644
    2576 --- a/net/dccp/ipv6.c
    2577 +++ b/net/dccp/ipv6.c
    2578 @@ -209,7 +209,7 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req
    2579 final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final);
    2580 rcu_read_unlock();
    2581
    2582 - dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
    2583 + dst = ip6_dst_lookup_flow(sock_net(sk), sk, &fl6, final_p);
    2584 if (IS_ERR(dst)) {
    2585 err = PTR_ERR(dst);
    2586 dst = NULL;
    2587 @@ -280,7 +280,7 @@ static void dccp_v6_ctl_send_reset(const struct sock *sk, struct sk_buff *rxskb)
    2588 security_skb_classify_flow(rxskb, flowi6_to_flowi(&fl6));
    2589
    2590 /* sk = NULL, but it is safe for now. RST socket required. */
    2591 - dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL);
    2592 + dst = ip6_dst_lookup_flow(sock_net(ctl_sk), ctl_sk, &fl6, NULL);
    2593 if (!IS_ERR(dst)) {
    2594 skb_dst_set(skb, dst);
    2595 ip6_xmit(ctl_sk, skb, &fl6, 0, NULL, 0);
    2596 @@ -889,7 +889,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
    2597 opt = rcu_dereference_protected(np->opt, lockdep_sock_is_held(sk));
    2598 final_p = fl6_update_dst(&fl6, opt, &final);
    2599
    2600 - dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
    2601 + dst = ip6_dst_lookup_flow(sock_net(sk), sk, &fl6, final_p);
    2602 if (IS_ERR(dst)) {
    2603 err = PTR_ERR(dst);
    2604 goto failure;
    2605 diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
    2606 index 0a6f72763beb..71409928763b 100644
    2607 --- a/net/ipv4/cipso_ipv4.c
    2608 +++ b/net/ipv4/cipso_ipv4.c
    2609 @@ -1272,7 +1272,8 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
    2610 return ret_val;
    2611 }
    2612
    2613 - secattr->flags |= NETLBL_SECATTR_MLS_CAT;
    2614 + if (secattr->attr.mls.cat)
    2615 + secattr->flags |= NETLBL_SECATTR_MLS_CAT;
    2616 }
    2617
    2618 return 0;
    2619 @@ -1453,7 +1454,8 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
    2620 return ret_val;
    2621 }
    2622
    2623 - secattr->flags |= NETLBL_SECATTR_MLS_CAT;
    2624 + if (secattr->attr.mls.cat)
    2625 + secattr->flags |= NETLBL_SECATTR_MLS_CAT;
    2626 }
    2627
    2628 return 0;
    2629 diff --git a/net/ipv4/route.c b/net/ipv4/route.c
    2630 index b4f24eabfa54..81efd2d3998d 100644
    2631 --- a/net/ipv4/route.c
    2632 +++ b/net/ipv4/route.c
    2633 @@ -898,7 +898,7 @@ void ip_rt_send_redirect(struct sk_buff *skb)
    2634 /* Check for load limit; set rate_last to the latest sent
    2635 * redirect.
    2636 */
    2637 - if (peer->rate_tokens == 0 ||
    2638 + if (peer->n_redirects == 0 ||
    2639 time_after(jiffies,
    2640 (peer->rate_last +
    2641 (ip_rt_redirect_load << peer->n_redirects)))) {
    2642 diff --git a/net/ipv6/addrconf_core.c b/net/ipv6/addrconf_core.c
    2643 index bfa941fc1165..129324b36fb6 100644
    2644 --- a/net/ipv6/addrconf_core.c
    2645 +++ b/net/ipv6/addrconf_core.c
    2646 @@ -107,15 +107,16 @@ int inet6addr_notifier_call_chain(unsigned long val, void *v)
    2647 }
    2648 EXPORT_SYMBOL(inet6addr_notifier_call_chain);
    2649
    2650 -static int eafnosupport_ipv6_dst_lookup(struct net *net, struct sock *u1,
    2651 - struct dst_entry **u2,
    2652 - struct flowi6 *u3)
    2653 +static struct dst_entry *eafnosupport_ipv6_dst_lookup_flow(struct net *net,
    2654 + const struct sock *sk,
    2655 + struct flowi6 *fl6,
    2656 + const struct in6_addr *final_dst)
    2657 {
    2658 - return -EAFNOSUPPORT;
    2659 + return ERR_PTR(-EAFNOSUPPORT);
    2660 }
    2661
    2662 const struct ipv6_stub *ipv6_stub __read_mostly = &(struct ipv6_stub) {
    2663 - .ipv6_dst_lookup = eafnosupport_ipv6_dst_lookup,
    2664 + .ipv6_dst_lookup_flow = eafnosupport_ipv6_dst_lookup_flow,
    2665 };
    2666 EXPORT_SYMBOL_GPL(ipv6_stub);
    2667
    2668 diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
    2669 index 8885dbad217b..c6746aaf7fbf 100644
    2670 --- a/net/ipv6/af_inet6.c
    2671 +++ b/net/ipv6/af_inet6.c
    2672 @@ -702,7 +702,7 @@ int inet6_sk_rebuild_header(struct sock *sk)
    2673 &final);
    2674 rcu_read_unlock();
    2675
    2676 - dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
    2677 + dst = ip6_dst_lookup_flow(sock_net(sk), sk, &fl6, final_p);
    2678 if (IS_ERR(dst)) {
    2679 sk->sk_route_caps = 0;
    2680 sk->sk_err_soft = -PTR_ERR(dst);
    2681 @@ -860,7 +860,7 @@ static struct pernet_operations inet6_net_ops = {
    2682 static const struct ipv6_stub ipv6_stub_impl = {
    2683 .ipv6_sock_mc_join = ipv6_sock_mc_join,
    2684 .ipv6_sock_mc_drop = ipv6_sock_mc_drop,
    2685 - .ipv6_dst_lookup = ip6_dst_lookup,
    2686 + .ipv6_dst_lookup_flow = ip6_dst_lookup_flow,
    2687 .udpv6_encap_enable = udpv6_encap_enable,
    2688 .ndisc_send_na = ndisc_send_na,
    2689 .nd_tbl = &nd_tbl,
    2690 diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
    2691 index 9742abf5ac26..b206415bbde7 100644
    2692 --- a/net/ipv6/calipso.c
    2693 +++ b/net/ipv6/calipso.c
    2694 @@ -1061,7 +1061,8 @@ static int calipso_opt_getattr(const unsigned char *calipso,
    2695 goto getattr_return;
    2696 }
    2697
    2698 - secattr->flags |= NETLBL_SECATTR_MLS_CAT;
    2699 + if (secattr->attr.mls.cat)
    2700 + secattr->flags |= NETLBL_SECATTR_MLS_CAT;
    2701 }
    2702
    2703 secattr->type = NETLBL_NLTYPE_CALIPSO;
    2704 diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
    2705 index 956af11e9ba3..58929622de0e 100644
    2706 --- a/net/ipv6/datagram.c
    2707 +++ b/net/ipv6/datagram.c
    2708 @@ -87,7 +87,7 @@ int ip6_datagram_dst_update(struct sock *sk, bool fix_sk_saddr)
    2709 final_p = fl6_update_dst(&fl6, opt, &final);
    2710 rcu_read_unlock();
    2711
    2712 - dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
    2713 + dst = ip6_dst_lookup_flow(sock_net(sk), sk, &fl6, final_p);
    2714 if (IS_ERR(dst)) {
    2715 err = PTR_ERR(dst);
    2716 goto out;
    2717 diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
    2718 index 798a0950e9a6..b760ccec44d3 100644
    2719 --- a/net/ipv6/inet6_connection_sock.c
    2720 +++ b/net/ipv6/inet6_connection_sock.c
    2721 @@ -90,7 +90,7 @@ struct dst_entry *inet6_csk_route_req(const struct sock *sk,
    2722 fl6->fl6_sport = htons(ireq->ir_num);
    2723 security_req_classify_flow(req, flowi6_to_flowi(fl6));
    2724
    2725 - dst = ip6_dst_lookup_flow(sk, fl6, final_p);
    2726 + dst = ip6_dst_lookup_flow(sock_net(sk), sk, fl6, final_p);
    2727 if (IS_ERR(dst))
    2728 return NULL;
    2729
    2730 @@ -144,7 +144,7 @@ static struct dst_entry *inet6_csk_route_socket(struct sock *sk,
    2731
    2732 dst = __inet6_csk_dst_check(sk, np->dst_cookie);
    2733 if (!dst) {
    2734 - dst = ip6_dst_lookup_flow(sk, fl6, final_p);
    2735 + dst = ip6_dst_lookup_flow(sock_net(sk), sk, fl6, final_p);
    2736
    2737 if (!IS_ERR(dst))
    2738 ip6_dst_store(sk, dst, NULL, NULL);
    2739 diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
    2740 index 11407dd6bc7c..d93a98dfe52d 100644
    2741 --- a/net/ipv6/ip6_output.c
    2742 +++ b/net/ipv6/ip6_output.c
    2743 @@ -1075,19 +1075,19 @@ EXPORT_SYMBOL_GPL(ip6_dst_lookup);
    2744 * It returns a valid dst pointer on success, or a pointer encoded
    2745 * error code.
    2746 */
    2747 -struct dst_entry *ip6_dst_lookup_flow(const struct sock *sk, struct flowi6 *fl6,
    2748 +struct dst_entry *ip6_dst_lookup_flow(struct net *net, const struct sock *sk, struct flowi6 *fl6,
    2749 const struct in6_addr *final_dst)
    2750 {
    2751 struct dst_entry *dst = NULL;
    2752 int err;
    2753
    2754 - err = ip6_dst_lookup_tail(sock_net(sk), sk, &dst, fl6);
    2755 + err = ip6_dst_lookup_tail(net, sk, &dst, fl6);
    2756 if (err)
    2757 return ERR_PTR(err);
    2758 if (final_dst)
    2759 fl6->daddr = *final_dst;
    2760
    2761 - return xfrm_lookup_route(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
    2762 + return xfrm_lookup_route(net, dst, flowi6_to_flowi(fl6), sk, 0);
    2763 }
    2764 EXPORT_SYMBOL_GPL(ip6_dst_lookup_flow);
    2765
    2766 @@ -1112,7 +1112,7 @@ struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
    2767
    2768 dst = ip6_sk_dst_check(sk, dst, fl6);
    2769 if (!dst)
    2770 - dst = ip6_dst_lookup_flow(sk, fl6, final_dst);
    2771 + dst = ip6_dst_lookup_flow(sock_net(sk), sk, fl6, final_dst);
    2772
    2773 return dst;
    2774 }
    2775 diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
    2776 index 301978df650e..47acd20d4e1f 100644
    2777 --- a/net/ipv6/raw.c
    2778 +++ b/net/ipv6/raw.c
    2779 @@ -920,7 +920,7 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
    2780
    2781 fl6.flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6.flowlabel);
    2782
    2783 - dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
    2784 + dst = ip6_dst_lookup_flow(sock_net(sk), sk, &fl6, final_p);
    2785 if (IS_ERR(dst)) {
    2786 err = PTR_ERR(dst);
    2787 goto out;
    2788 diff --git a/net/ipv6/route.c b/net/ipv6/route.c
    2789 index 2c4743f2d50e..03d1a61b4729 100644
    2790 --- a/net/ipv6/route.c
    2791 +++ b/net/ipv6/route.c
    2792 @@ -1373,8 +1373,10 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
    2793 {
    2794 struct rt6_info *rt6 = (struct rt6_info *)dst;
    2795
    2796 - if (dst_metric_locked(dst, RTAX_MTU))
    2797 - return;
    2798 + /* Note: do *NOT* check dst_metric_locked(dst, RTAX_MTU)
    2799 + * IPv6 pmtu discovery isn't optional, so 'mtu lock' cannot disable it.
    2800 + * [see also comment in rt6_mtu_change_route()]
    2801 + */
    2802
    2803 dst_confirm(dst);
    2804 mtu = max_t(u32, mtu, IPV6_MIN_MTU);
    2805 diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
    2806 index 7a86433d8896..4834015b27f4 100644
    2807 --- a/net/ipv6/syncookies.c
    2808 +++ b/net/ipv6/syncookies.c
    2809 @@ -230,7 +230,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
    2810 fl6.fl6_sport = inet_sk(sk)->inet_sport;
    2811 security_req_classify_flow(req, flowi6_to_flowi(&fl6));
    2812
    2813 - dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
    2814 + dst = ip6_dst_lookup_flow(sock_net(sk), sk, &fl6, final_p);
    2815 if (IS_ERR(dst))
    2816 goto out_free;
    2817 }
    2818 diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
    2819 index 4953466cf98f..7b336b7803ff 100644
    2820 --- a/net/ipv6/tcp_ipv6.c
    2821 +++ b/net/ipv6/tcp_ipv6.c
    2822 @@ -244,7 +244,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
    2823
    2824 security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
    2825
    2826 - dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
    2827 + dst = ip6_dst_lookup_flow(sock_net(sk), sk, &fl6, final_p);
    2828 if (IS_ERR(dst)) {
    2829 err = PTR_ERR(dst);
    2830 goto failure;
    2831 @@ -841,7 +841,7 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32
    2832 * Underlying function will use this to retrieve the network
    2833 * namespace
    2834 */
    2835 - dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL);
    2836 + dst = ip6_dst_lookup_flow(sock_net(ctl_sk), ctl_sk, &fl6, NULL);
    2837 if (!IS_ERR(dst)) {
    2838 skb_dst_set(buff, dst);
    2839 ip6_xmit(ctl_sk, buff, &fl6, fl6.flowi6_mark, NULL, tclass);
    2840 diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
    2841 index 423cb095ad37..28274f397c55 100644
    2842 --- a/net/l2tp/l2tp_ip6.c
    2843 +++ b/net/l2tp/l2tp_ip6.c
    2844 @@ -620,7 +620,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
    2845
    2846 fl6.flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6.flowlabel);
    2847
    2848 - dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
    2849 + dst = ip6_dst_lookup_flow(sock_net(sk), sk, &fl6, final_p);
    2850 if (IS_ERR(dst)) {
    2851 err = PTR_ERR(dst);
    2852 goto out;
    2853 diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
    2854 index ffab94d61e1d..eab9c1d70856 100644
    2855 --- a/net/mpls/af_mpls.c
    2856 +++ b/net/mpls/af_mpls.c
    2857 @@ -497,16 +497,15 @@ static struct net_device *inet6_fib_lookup_dev(struct net *net,
    2858 struct net_device *dev;
    2859 struct dst_entry *dst;
    2860 struct flowi6 fl6;
    2861 - int err;
    2862
    2863 if (!ipv6_stub)
    2864 return ERR_PTR(-EAFNOSUPPORT);
    2865
    2866 memset(&fl6, 0, sizeof(fl6));
    2867 memcpy(&fl6.daddr, addr, sizeof(struct in6_addr));
    2868 - err = ipv6_stub->ipv6_dst_lookup(net, NULL, &dst, &fl6);
    2869 - if (err)
    2870 - return ERR_PTR(err);
    2871 + dst = ipv6_stub->ipv6_dst_lookup_flow(net, NULL, &fl6, NULL);
    2872 + if (IS_ERR(dst))
    2873 + return ERR_CAST(dst);
    2874
    2875 dev = dst->dev;
    2876 dev_hold(dev);
    2877 diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
    2878 index 1bdae8f188e1..d507d0fc7858 100644
    2879 --- a/net/netfilter/nf_conntrack_core.c
    2880 +++ b/net/netfilter/nf_conntrack_core.c
    2881 @@ -1124,9 +1124,9 @@ __nf_conntrack_alloc(struct net *net,
    2882 *(unsigned long *)(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode.pprev) = hash;
    2883 ct->status = 0;
    2884 write_pnet(&ct->ct_net, net);
    2885 - memset(&ct->__nfct_init_offset[0], 0,
    2886 + memset(&ct->__nfct_init_offset, 0,
    2887 offsetof(struct nf_conn, proto) -
    2888 - offsetof(struct nf_conn, __nfct_init_offset[0]));
    2889 + offsetof(struct nf_conn, __nfct_init_offset));
    2890
    2891 nf_ct_zone_add(ct, zone);
    2892
    2893 diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
    2894 index cb9d1d1210cb..d0cfdff04993 100644
    2895 --- a/net/netlabel/netlabel_kapi.c
    2896 +++ b/net/netlabel/netlabel_kapi.c
    2897 @@ -748,6 +748,12 @@ int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
    2898 if ((off & (BITS_PER_LONG - 1)) != 0)
    2899 return -EINVAL;
    2900
    2901 + /* a null catmap is equivalent to an empty one */
    2902 + if (!catmap) {
    2903 + *offset = (u32)-1;
    2904 + return 0;
    2905 + }
    2906 +
    2907 if (off < catmap->startbit) {
    2908 off = catmap->startbit;
    2909 *offset = off;
    2910 diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c
    2911 index 6125c17cffaf..d13e1de0b3a2 100644
    2912 --- a/net/sched/sch_choke.c
    2913 +++ b/net/sched/sch_choke.c
    2914 @@ -382,7 +382,8 @@ static void choke_reset(struct Qdisc *sch)
    2915
    2916 sch->q.qlen = 0;
    2917 sch->qstats.backlog = 0;
    2918 - memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
    2919 + if (q->tab)
    2920 + memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
    2921 q->head = q->tail = 0;
    2922 red_restart(&q->vars);
    2923 }
    2924 diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
    2925 index 29b7465c9d8a..4f05956b9216 100644
    2926 --- a/net/sched/sch_fq_codel.c
    2927 +++ b/net/sched/sch_fq_codel.c
    2928 @@ -428,7 +428,7 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt)
    2929 q->quantum = max(256U, nla_get_u32(tb[TCA_FQ_CODEL_QUANTUM]));
    2930
    2931 if (tb[TCA_FQ_CODEL_DROP_BATCH_SIZE])
    2932 - q->drop_batch_size = min(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]));
    2933 + q->drop_batch_size = max(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]));
    2934
    2935 if (tb[TCA_FQ_CODEL_MEMORY_LIMIT])
    2936 q->memory_limit = min(1U << 31, nla_get_u32(tb[TCA_FQ_CODEL_MEMORY_LIMIT]));
    2937 diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
    2938 index a8d82cb7f073..633e237a406c 100644
    2939 --- a/net/sched/sch_sfq.c
    2940 +++ b/net/sched/sch_sfq.c
    2941 @@ -635,6 +635,15 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt)
    2942 if (ctl->divisor &&
    2943 (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
    2944 return -EINVAL;
    2945 +
    2946 + /* slot->allot is a short, make sure quantum is not too big. */
    2947 + if (ctl->quantum) {
    2948 + unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum);
    2949 +
    2950 + if (scaled <= 0 || scaled > SHRT_MAX)
    2951 + return -EINVAL;
    2952 + }
    2953 +
    2954 if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
    2955 ctl_v1->Wlog))
    2956 return -EINVAL;
    2957 diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
    2958 index 34ab7f92f064..50bc8c4ca906 100644
    2959 --- a/net/sctp/ipv6.c
    2960 +++ b/net/sctp/ipv6.c
    2961 @@ -269,7 +269,7 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
    2962 final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
    2963 rcu_read_unlock();
    2964
    2965 - dst = ip6_dst_lookup_flow(sk, fl6, final_p);
    2966 + dst = ip6_dst_lookup_flow(sock_net(sk), sk, fl6, final_p);
    2967 if (!asoc || saddr) {
    2968 t->dst = dst;
    2969 memcpy(fl, &_fl, sizeof(_fl));
    2970 @@ -327,7 +327,7 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
    2971 fl6->saddr = laddr->a.v6.sin6_addr;
    2972 fl6->fl6_sport = laddr->a.v6.sin6_port;
    2973 final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
    2974 - bdst = ip6_dst_lookup_flow(sk, fl6, final_p);
    2975 + bdst = ip6_dst_lookup_flow(sock_net(sk), sk, fl6, final_p);
    2976
    2977 if (IS_ERR(bdst))
    2978 continue;
    2979 diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
    2980 index 05033ab05b8f..c6ff3de1de37 100644
    2981 --- a/net/tipc/udp_media.c
    2982 +++ b/net/tipc/udp_media.c
    2983 @@ -187,10 +187,13 @@ static int tipc_udp_xmit(struct net *net, struct sk_buff *skb,
    2984 .saddr = src->ipv6,
    2985 .flowi6_proto = IPPROTO_UDP
    2986 };
    2987 - err = ipv6_stub->ipv6_dst_lookup(net, ub->ubsock->sk, &ndst,
    2988 - &fl6);
    2989 - if (err)
    2990 + ndst = ipv6_stub->ipv6_dst_lookup_flow(net,
    2991 + ub->ubsock->sk,
    2992 + &fl6, NULL);
    2993 + if (IS_ERR(ndst)) {
    2994 + err = PTR_ERR(ndst);
    2995 goto tx_error;
    2996 + }
    2997 ttl = ip6_dst_hoplimit(ndst);
    2998 err = udp_tunnel6_xmit_skb(ndst, ub->ubsock->sk, skb, NULL,
    2999 &src->ipv6, &dst->ipv6, 0, ttl, 0,
    3000 diff --git a/scripts/decodecode b/scripts/decodecode
    3001 index d8824f37acce..aae7a035242b 100755
    3002 --- a/scripts/decodecode
    3003 +++ b/scripts/decodecode
    3004 @@ -98,7 +98,7 @@ faultlinenum=$(( $(wc -l $T.oo | cut -d" " -f1) - \
    3005 faultline=`cat $T.dis | head -1 | cut -d":" -f2-`
    3006 faultline=`echo "$faultline" | sed -e 's/\[/\\\[/g; s/\]/\\\]/g'`
    3007
    3008 -cat $T.oo | sed -e "${faultlinenum}s/^\(.*:\)\(.*\)/\1\*\2\t\t<-- trapping instruction/"
    3009 +cat $T.oo | sed -e "${faultlinenum}s/^\([^:]*:\)\(.*\)/\1\*\2\t\t<-- trapping instruction/"
    3010 echo
    3011 cat $T.aa
    3012 cleanup
    3013 diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
    3014 index c8b2309352d7..481c1ad1db57 100644
    3015 --- a/sound/core/rawmidi.c
    3016 +++ b/sound/core/rawmidi.c
    3017 @@ -108,6 +108,17 @@ static void snd_rawmidi_input_event_work(struct work_struct *work)
    3018 runtime->event(runtime->substream);
    3019 }
    3020
    3021 +/* buffer refcount management: call with runtime->lock held */
    3022 +static inline void snd_rawmidi_buffer_ref(struct snd_rawmidi_runtime *runtime)
    3023 +{
    3024 + runtime->buffer_ref++;
    3025 +}
    3026 +
    3027 +static inline void snd_rawmidi_buffer_unref(struct snd_rawmidi_runtime *runtime)
    3028 +{
    3029 + runtime->buffer_ref--;
    3030 +}
    3031 +
    3032 static int snd_rawmidi_runtime_create(struct snd_rawmidi_substream *substream)
    3033 {
    3034 struct snd_rawmidi_runtime *runtime;
    3035 @@ -125,7 +136,7 @@ static int snd_rawmidi_runtime_create(struct snd_rawmidi_substream *substream)
    3036 runtime->avail = 0;
    3037 else
    3038 runtime->avail = runtime->buffer_size;
    3039 - if ((runtime->buffer = kmalloc(runtime->buffer_size, GFP_KERNEL)) == NULL) {
    3040 + if ((runtime->buffer = kzalloc(runtime->buffer_size, GFP_KERNEL)) == NULL) {
    3041 kfree(runtime);
    3042 return -ENOMEM;
    3043 }
    3044 @@ -650,10 +661,15 @@ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
    3045 return -EINVAL;
    3046 }
    3047 if (params->buffer_size != runtime->buffer_size) {
    3048 - newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
    3049 + newbuf = kzalloc(params->buffer_size, GFP_KERNEL);
    3050 if (!newbuf)
    3051 return -ENOMEM;
    3052 spin_lock_irq(&runtime->lock);
    3053 + if (runtime->buffer_ref) {
    3054 + spin_unlock_irq(&runtime->lock);
    3055 + kfree(newbuf);
    3056 + return -EBUSY;
    3057 + }
    3058 oldbuf = runtime->buffer;
    3059 runtime->buffer = newbuf;
    3060 runtime->buffer_size = params->buffer_size;
    3061 @@ -962,8 +978,10 @@ static long snd_rawmidi_kernel_read1(struct snd_rawmidi_substream *substream,
    3062 long result = 0, count1;
    3063 struct snd_rawmidi_runtime *runtime = substream->runtime;
    3064 unsigned long appl_ptr;
    3065 + int err = 0;
    3066
    3067 spin_lock_irqsave(&runtime->lock, flags);
    3068 + snd_rawmidi_buffer_ref(runtime);
    3069 while (count > 0 && runtime->avail) {
    3070 count1 = runtime->buffer_size - runtime->appl_ptr;
    3071 if (count1 > count)
    3072 @@ -982,16 +1000,19 @@ static long snd_rawmidi_kernel_read1(struct snd_rawmidi_substream *substream,
    3073 if (userbuf) {
    3074 spin_unlock_irqrestore(&runtime->lock, flags);
    3075 if (copy_to_user(userbuf + result,
    3076 - runtime->buffer + appl_ptr, count1)) {
    3077 - return result > 0 ? result : -EFAULT;
    3078 - }
    3079 + runtime->buffer + appl_ptr, count1))
    3080 + err = -EFAULT;
    3081 spin_lock_irqsave(&runtime->lock, flags);
    3082 + if (err)
    3083 + goto out;
    3084 }
    3085 result += count1;
    3086 count -= count1;
    3087 }
    3088 + out:
    3089 + snd_rawmidi_buffer_unref(runtime);
    3090 spin_unlock_irqrestore(&runtime->lock, flags);
    3091 - return result;
    3092 + return result > 0 ? result : err;
    3093 }
    3094
    3095 long snd_rawmidi_kernel_read(struct snd_rawmidi_substream *substream,
    3096 @@ -1262,6 +1283,7 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream,
    3097 return -EAGAIN;
    3098 }
    3099 }
    3100 + snd_rawmidi_buffer_ref(runtime);
    3101 while (count > 0 && runtime->avail > 0) {
    3102 count1 = runtime->buffer_size - runtime->appl_ptr;
    3103 if (count1 > count)
    3104 @@ -1293,6 +1315,7 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream,
    3105 }
    3106 __end:
    3107 count1 = runtime->avail < runtime->buffer_size;
    3108 + snd_rawmidi_buffer_unref(runtime);
    3109 spin_unlock_irqrestore(&runtime->lock, flags);
    3110 if (count1)
    3111 snd_rawmidi_output_trigger(substream, 1);
    3112 diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
    3113 index e19f447e27ae..a866a20349c3 100644
    3114 --- a/sound/pci/hda/patch_hdmi.c
    3115 +++ b/sound/pci/hda/patch_hdmi.c
    3116 @@ -2044,7 +2044,9 @@ static int generic_hdmi_build_controls(struct hda_codec *codec)
    3117
    3118 for (pin_idx = 0; pin_idx < spec->num_pins; pin_idx++) {
    3119 struct hdmi_spec_per_pin *per_pin = get_pin(spec, pin_idx);
    3120 + struct hdmi_eld *pin_eld = &per_pin->sink_eld;
    3121
    3122 + pin_eld->eld_valid = false;
    3123 hdmi_present_sense(per_pin, 0);
    3124 }
    3125
    3126 diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
    3127 index 000b59d474ab..df6d0211df51 100644
    3128 --- a/sound/pci/hda/patch_realtek.c
    3129 +++ b/sound/pci/hda/patch_realtek.c
    3130 @@ -4212,8 +4212,6 @@ static void alc_determine_headset_type(struct hda_codec *codec)
    3131 is_ctia = (val & 0x1c02) == 0x1c02;
    3132 break;
    3133 case 0x10ec0225:
    3134 - codec->power_save_node = 1;
    3135 - /* fall through */
    3136 case 0x10ec0295:
    3137 case 0x10ec0299:
    3138 alc_process_coef_fw(codec, coef0225);
    3139 @@ -4890,6 +4888,7 @@ enum {
    3140 ALC269_FIXUP_HP_LINE1_MIC1_LED,
    3141 ALC269_FIXUP_INV_DMIC,
    3142 ALC269_FIXUP_LENOVO_DOCK,
    3143 + ALC269_FIXUP_LENOVO_DOCK_LIMIT_BOOST,
    3144 ALC269_FIXUP_NO_SHUTUP,
    3145 ALC286_FIXUP_SONY_MIC_NO_PRESENCE,
    3146 ALC269_FIXUP_PINCFG_NO_HP_TO_LINEOUT,
    3147 @@ -5157,6 +5156,12 @@ static const struct hda_fixup alc269_fixups[] = {
    3148 .chained = true,
    3149 .chain_id = ALC269_FIXUP_PINCFG_NO_HP_TO_LINEOUT
    3150 },
    3151 + [ALC269_FIXUP_LENOVO_DOCK_LIMIT_BOOST] = {
    3152 + .type = HDA_FIXUP_FUNC,
    3153 + .v.func = alc269_fixup_limit_int_mic_boost,
    3154 + .chained = true,
    3155 + .chain_id = ALC269_FIXUP_LENOVO_DOCK,
    3156 + },
    3157 [ALC269_FIXUP_PINCFG_NO_HP_TO_LINEOUT] = {
    3158 .type = HDA_FIXUP_FUNC,
    3159 .v.func = alc269_fixup_pincfg_no_hp_to_lineout,
    3160 @@ -5820,7 +5825,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
    3161 SND_PCI_QUIRK(0x17aa, 0x21b8, "Thinkpad Edge 14", ALC269_FIXUP_SKU_IGNORE),
    3162 SND_PCI_QUIRK(0x17aa, 0x21ca, "Thinkpad L412", ALC269_FIXUP_SKU_IGNORE),
    3163 SND_PCI_QUIRK(0x17aa, 0x21e9, "Thinkpad Edge 15", ALC269_FIXUP_SKU_IGNORE),
    3164 - SND_PCI_QUIRK(0x17aa, 0x21f6, "Thinkpad T530", ALC269_FIXUP_LENOVO_DOCK),
    3165 + SND_PCI_QUIRK(0x17aa, 0x21f6, "Thinkpad T530", ALC269_FIXUP_LENOVO_DOCK_LIMIT_BOOST),
    3166 SND_PCI_QUIRK(0x17aa, 0x21fa, "Thinkpad X230", ALC269_FIXUP_LENOVO_DOCK),
    3167 SND_PCI_QUIRK(0x17aa, 0x21f3, "Thinkpad T430", ALC269_FIXUP_LENOVO_DOCK),
    3168 SND_PCI_QUIRK(0x17aa, 0x21fb, "Thinkpad T430s", ALC269_FIXUP_LENOVO_DOCK),
    3169 @@ -5945,6 +5950,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
    3170 {.id = ALC269_FIXUP_HEADSET_MODE, .name = "headset-mode"},
    3171 {.id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC, .name = "headset-mode-no-hp-mic"},
    3172 {.id = ALC269_FIXUP_LENOVO_DOCK, .name = "lenovo-dock"},
    3173 + {.id = ALC269_FIXUP_LENOVO_DOCK_LIMIT_BOOST, .name = "lenovo-dock-limit-boost"},
    3174 {.id = ALC269_FIXUP_HP_GPIO_LED, .name = "hp-gpio-led"},
    3175 {.id = ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED, .name = "hp-dock-gpio-mic1-led"},
    3176 {.id = ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "dell-headset-multi"},
    3177 diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
    3178 index 064f3485a977..0484a8d8a5bb 100644
    3179 --- a/sound/usb/quirks.c
    3180 +++ b/sound/usb/quirks.c
    3181 @@ -1316,13 +1316,14 @@ void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe,
    3182 && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
    3183 mdelay(20);
    3184
    3185 - /* Zoom R16/24, Logitech H650e, Jabra 550a needs a tiny delay here,
    3186 - * otherwise requests like get/set frequency return as failed despite
    3187 - * actually succeeding.
    3188 + /* Zoom R16/24, Logitech H650e, Jabra 550a, Kingston HyperX needs a tiny
    3189 + * delay here, otherwise requests like get/set frequency return as
    3190 + * failed despite actually succeeding.
    3191 */
    3192 if ((chip->usb_id == USB_ID(0x1686, 0x00dd) ||
    3193 chip->usb_id == USB_ID(0x046d, 0x0a46) ||
    3194 - chip->usb_id == USB_ID(0x0b0e, 0x0349)) &&
    3195 + chip->usb_id == USB_ID(0x0b0e, 0x0349) ||
    3196 + chip->usb_id == USB_ID(0x0951, 0x16ad)) &&
    3197 (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
    3198 mdelay(1);
    3199 }
    3200 diff --git a/tools/objtool/check.c b/tools/objtool/check.c
    3201 index 360845926f66..b0b8ba9b800c 100644
    3202 --- a/tools/objtool/check.c
    3203 +++ b/tools/objtool/check.c
    3204 @@ -1264,7 +1264,7 @@ static int update_insn_state_regs(struct instruction *insn, struct insn_state *s
    3205 struct cfi_reg *cfa = &state->cfa;
    3206 struct stack_op *op = &insn->stack_op;
    3207
    3208 - if (cfa->base != CFI_SP)
    3209 + if (cfa->base != CFI_SP && cfa->base != CFI_SP_INDIRECT)
    3210 return 0;
    3211
    3212 /* push */