Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-magellan/patches-4.13/0105-4.13.6-all-fixes.patch

    Contents of /trunk/kernel-magellan/patches-4.13/0105-4.13.6-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 3009 - (show annotations) (download)
    Wed Oct 25 09:41:34 2017 UTC (6 years, 6 months ago) by niro
    File size: 188568 byte(s) 
    -linux-4.13.6
    1 diff --git a/Documentation/filesystems/overlayfs.txt b/Documentation/filesystems/overlayfs.txt
    2 index 36f528a7fdd6..8caa60734647 100644
    3 --- a/Documentation/filesystems/overlayfs.txt
    4 +++ b/Documentation/filesystems/overlayfs.txt
    5 @@ -210,8 +210,11 @@ path as another overlay mount and it may use a lower layer path that is
    6 beneath or above the path of another overlay lower layer path.
    7
    8 Using an upper layer path and/or a workdir path that are already used by
    9 -another overlay mount is not allowed and will fail with EBUSY. Using
    10 +another overlay mount is not allowed and may fail with EBUSY. Using
    11 partially overlapping paths is not allowed but will not fail with EBUSY.
    12 +If files are accessed from two overlayfs mounts which share or overlap the
    13 +upper layer and/or workdir path the behavior of the overlay is undefined,
    14 +though it will not result in a crash or deadlock.
    15
    16 Mounting an overlay using an upper layer path, where the upper layer path
    17 was previously used by another mounted overlay in combination with a
    18 diff --git a/Makefile b/Makefile
    19 index 189f1a748e4c..9e1af1af327b 100644
    20 --- a/Makefile
    21 +++ b/Makefile
    22 @@ -1,6 +1,6 @@
    23 VERSION = 4
    24 PATCHLEVEL = 13
    25 -SUBLEVEL = 5
    26 +SUBLEVEL = 6
    27 EXTRAVERSION =
    28 NAME = Fearless Coyote
    29
    30 diff --git a/arch/arm64/boot/dts/marvell/armada-ap806.dtsi b/arch/arm64/boot/dts/marvell/armada-ap806.dtsi
    31 index 4d360713ed12..30d48ecf46e0 100644
    32 --- a/arch/arm64/boot/dts/marvell/armada-ap806.dtsi
    33 +++ b/arch/arm64/boot/dts/marvell/armada-ap806.dtsi
    34 @@ -254,7 +254,7 @@
    35
    36 ap_syscon: system-controller@6f4000 {
    37 compatible = "syscon", "simple-mfd";
    38 - reg = <0x6f4000 0x1000>;
    39 + reg = <0x6f4000 0x2000>;
    40
    41 ap_clk: clock {
    42 compatible = "marvell,ap806-clock";
    43 @@ -265,7 +265,7 @@
    44 compatible = "marvell,ap806-pinctrl";
    45 };
    46
    47 - ap_gpio: gpio {
    48 + ap_gpio: gpio@1040 {
    49 compatible = "marvell,armada-8k-gpio";
    50 offset = <0x1040>;
    51 ngpios = <20>;
    52 diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c
    53 index f0e6d717885b..d06fbe4cd38d 100644
    54 --- a/arch/arm64/kernel/armv8_deprecated.c
    55 +++ b/arch/arm64/kernel/armv8_deprecated.c
    56 @@ -649,4 +649,4 @@ static int __init armv8_deprecated_init(void)
    57 return 0;
    58 }
    59
    60 -late_initcall(armv8_deprecated_init);
    61 +core_initcall(armv8_deprecated_init);
    62 diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
    63 index 9f9e0064c8c1..276eecab6cea 100644
    64 --- a/arch/arm64/kernel/cpufeature.c
    65 +++ b/arch/arm64/kernel/cpufeature.c
    66 @@ -1294,4 +1294,4 @@ static int __init enable_mrs_emulation(void)
    67 return 0;
    68 }
    69
    70 -late_initcall(enable_mrs_emulation);
    71 +core_initcall(enable_mrs_emulation);
    72 diff --git a/arch/powerpc/kernel/dt_cpu_ftrs.c b/arch/powerpc/kernel/dt_cpu_ftrs.c
    73 index 1df770e8cbe0..7275fed271af 100644
    74 --- a/arch/powerpc/kernel/dt_cpu_ftrs.c
    75 +++ b/arch/powerpc/kernel/dt_cpu_ftrs.c
    76 @@ -102,10 +102,10 @@ static void cpufeatures_flush_tlb(void)
    77 case PVR_POWER8:
    78 case PVR_POWER8E:
    79 case PVR_POWER8NVL:
    80 - __flush_tlb_power8(POWER8_TLB_SETS);
    81 + __flush_tlb_power8(TLB_INVAL_SCOPE_GLOBAL);
    82 break;
    83 case PVR_POWER9:
    84 - __flush_tlb_power9(POWER9_TLB_SETS_HASH);
    85 + __flush_tlb_power9(TLB_INVAL_SCOPE_GLOBAL);
    86 break;
    87 default:
    88 pr_err("unknown CPU version for boot TLB flush\n");
    89 diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
    90 index f14f3c04ec7e..d9dfdf7ede45 100644
    91 --- a/arch/powerpc/kernel/exceptions-64s.S
    92 +++ b/arch/powerpc/kernel/exceptions-64s.S
    93 @@ -734,7 +734,29 @@ EXC_REAL(program_check, 0x700, 0x100)
    94 EXC_VIRT(program_check, 0x4700, 0x100, 0x700)
    95 TRAMP_KVM(PACA_EXGEN, 0x700)
    96 EXC_COMMON_BEGIN(program_check_common)
    97 - EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
    98 + /*
    99 + * It's possible to receive a TM Bad Thing type program check with
    100 + * userspace register values (in particular r1), but with SRR1 reporting
    101 + * that we came from the kernel. Normally that would confuse the bad
    102 + * stack logic, and we would report a bad kernel stack pointer. Instead
    103 + * we switch to the emergency stack if we're taking a TM Bad Thing from
    104 + * the kernel.
    105 + */
    106 + li r10,MSR_PR /* Build a mask of MSR_PR .. */
    107 + oris r10,r10,0x200000@h /* .. and SRR1_PROGTM */
    108 + and r10,r10,r12 /* Mask SRR1 with that. */
    109 + srdi r10,r10,8 /* Shift it so we can compare */
    110 + cmpldi r10,(0x200000 >> 8) /* .. with an immediate. */
    111 + bne 1f /* If != go to normal path. */
    112 +
    113 + /* SRR1 had PR=0 and SRR1_PROGTM=1, so use the emergency stack */
    114 + andi. r10,r12,MSR_PR; /* Set CR0 correctly for label */
    115 + /* 3 in EXCEPTION_PROLOG_COMMON */
    116 + mr r10,r1 /* Save r1 */
    117 + ld r1,PACAEMERGSP(r13) /* Use emergency stack */
    118 + subi r1,r1,INT_FRAME_SIZE /* alloc stack frame */
    119 + b 3f /* Jump into the macro !! */
    120 +1: EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
    121 bl save_nvgprs
    122 RECONCILE_IRQ_STATE(r10, r11)
    123 addi r3,r1,STACK_FRAME_OVERHEAD
    124 diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
    125 index c83c115858c1..b2c002993d78 100644
    126 --- a/arch/powerpc/kernel/signal_64.c
    127 +++ b/arch/powerpc/kernel/signal_64.c
    128 @@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
    129 if (MSR_TM_RESV(msr))
    130 return -EINVAL;
    131
    132 - /* pull in MSR TM from user context */
    133 + /* pull in MSR TS bits from user context */
    134 regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);
    135
    136 + /*
    137 + * Ensure that TM is enabled in regs->msr before we leave the signal
    138 + * handler. It could be the case that (a) user disabled the TM bit
    139 + * through the manipulation of the MSR bits in uc_mcontext or (b) the
    140 + * TM bit was disabled because a sufficient number of context switches
    141 + * happened whilst in the signal handler and load_tm overflowed,
    142 + * disabling the TM bit. In either case we can end up with an illegal
    143 + * TM state leading to a TM Bad Thing when we return to userspace.
    144 + */
    145 + regs->msr |= MSR_TM;
    146 +
    147 /* pull in MSR LE from user context */
    148 regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);
    149
    150 diff --git a/arch/powerpc/kvm/book3s_xive.c b/arch/powerpc/kvm/book3s_xive.c
    151 index 13304622ab1c..bf457843e032 100644
    152 --- a/arch/powerpc/kvm/book3s_xive.c
    153 +++ b/arch/powerpc/kvm/book3s_xive.c
    154 @@ -622,7 +622,7 @@ int kvmppc_xive_get_xive(struct kvm *kvm, u32 irq, u32 *server,
    155 return -EINVAL;
    156 state = &sb->irq_state[idx];
    157 arch_spin_lock(&sb->lock);
    158 - *server = state->guest_server;
    159 + *server = state->act_server;
    160 *priority = state->guest_priority;
    161 arch_spin_unlock(&sb->lock);
    162
    163 @@ -1331,7 +1331,7 @@ static int xive_get_source(struct kvmppc_xive *xive, long irq, u64 addr)
    164 xive->saved_src_count++;
    165
    166 /* Convert saved state into something compatible with xics */
    167 - val = state->guest_server;
    168 + val = state->act_server;
    169 prio = state->saved_scan_prio;
    170
    171 if (prio == MASKED) {
    172 @@ -1507,7 +1507,6 @@ static int xive_set_source(struct kvmppc_xive *xive, long irq, u64 addr)
    173 /* First convert prio and mark interrupt as untargetted */
    174 act_prio = xive_prio_from_guest(guest_prio);
    175 state->act_priority = MASKED;
    176 - state->guest_server = server;
    177
    178 /*
    179 * We need to drop the lock due to the mutex below. Hopefully
    180 diff --git a/arch/powerpc/kvm/book3s_xive.h b/arch/powerpc/kvm/book3s_xive.h
    181 index 5938f7644dc1..6ba63f8e8a61 100644
    182 --- a/arch/powerpc/kvm/book3s_xive.h
    183 +++ b/arch/powerpc/kvm/book3s_xive.h
    184 @@ -35,7 +35,6 @@ struct kvmppc_xive_irq_state {
    185 struct xive_irq_data *pt_data; /* XIVE Pass-through associated data */
    186
    187 /* Targetting as set by guest */
    188 - u32 guest_server; /* Current guest selected target */
    189 u8 guest_priority; /* Guest set priority */
    190 u8 saved_priority; /* Saved priority when masking */
    191
    192 diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c
    193 index 897aa1400eb8..bbb73aa0eb8f 100644
    194 --- a/arch/powerpc/platforms/powernv/setup.c
    195 +++ b/arch/powerpc/platforms/powernv/setup.c
    196 @@ -272,7 +272,15 @@ static void pnv_kexec_cpu_down(int crash_shutdown, int secondary)
    197 #ifdef CONFIG_MEMORY_HOTPLUG_SPARSE
    198 static unsigned long pnv_memory_block_size(void)
    199 {
    200 - return 256UL * 1024 * 1024;
    201 + /*
    202 + * We map the kernel linear region with 1GB large pages on radix. For
    203 + * memory hot unplug to work our memory block size must be at least
    204 + * this size.
    205 + */
    206 + if (radix_enabled())
    207 + return 1UL * 1024 * 1024 * 1024;
    208 + else
    209 + return 256UL * 1024 * 1024;
    210 }
    211 #endif
    212
    213 diff --git a/arch/x86/include/asm/kvm_para.h b/arch/x86/include/asm/kvm_para.h
    214 index bc62e7cbf1b1..59ad3d132353 100644
    215 --- a/arch/x86/include/asm/kvm_para.h
    216 +++ b/arch/x86/include/asm/kvm_para.h
    217 @@ -88,7 +88,7 @@ static inline long kvm_hypercall4(unsigned int nr, unsigned long p1,
    218 bool kvm_para_available(void);
    219 unsigned int kvm_arch_para_features(void);
    220 void __init kvm_guest_init(void);
    221 -void kvm_async_pf_task_wait(u32 token);
    222 +void kvm_async_pf_task_wait(u32 token, int interrupt_kernel);
    223 void kvm_async_pf_task_wake(u32 token);
    224 u32 kvm_read_and_reset_pf_reason(void);
    225 extern void kvm_disable_steal_time(void);
    226 @@ -103,7 +103,7 @@ static inline void kvm_spinlock_init(void)
    227
    228 #else /* CONFIG_KVM_GUEST */
    229 #define kvm_guest_init() do {} while (0)
    230 -#define kvm_async_pf_task_wait(T) do {} while(0)
    231 +#define kvm_async_pf_task_wait(T, I) do {} while(0)
    232 #define kvm_async_pf_task_wake(T) do {} while(0)
    233
    234 static inline bool kvm_para_available(void)
    235 diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
    236 index 58590a698a1a..e5e4306e4546 100644
    237 --- a/arch/x86/kernel/kvm.c
    238 +++ b/arch/x86/kernel/kvm.c
    239 @@ -117,7 +117,11 @@ static struct kvm_task_sleep_node *_find_apf_task(struct kvm_task_sleep_head *b,
    240 return NULL;
    241 }
    242
    243 -void kvm_async_pf_task_wait(u32 token)
    244 +/*
    245 + * @interrupt_kernel: Is this called from a routine which interrupts the kernel
    246 + * (other than user space)?
    247 + */
    248 +void kvm_async_pf_task_wait(u32 token, int interrupt_kernel)
    249 {
    250 u32 key = hash_32(token, KVM_TASK_SLEEP_HASHBITS);
    251 struct kvm_task_sleep_head *b = &async_pf_sleepers[key];
    252 @@ -140,8 +144,10 @@ void kvm_async_pf_task_wait(u32 token)
    253
    254 n.token = token;
    255 n.cpu = smp_processor_id();
    256 - n.halted = is_idle_task(current) || preempt_count() > 1 ||
    257 - rcu_preempt_depth();
    258 + n.halted = is_idle_task(current) ||
    259 + (IS_ENABLED(CONFIG_PREEMPT_COUNT)
    260 + ? preempt_count() > 1 || rcu_preempt_depth()
    261 + : interrupt_kernel);
    262 init_swait_queue_head(&n.wq);
    263 hlist_add_head(&n.link, &b->list);
    264 raw_spin_unlock(&b->lock);
    265 @@ -269,7 +275,7 @@ do_async_page_fault(struct pt_regs *regs, unsigned long error_code)
    266 case KVM_PV_REASON_PAGE_NOT_PRESENT:
    267 /* page is swapped out by the host. */
    268 prev_state = exception_enter();
    269 - kvm_async_pf_task_wait((u32)read_cr2());
    270 + kvm_async_pf_task_wait((u32)read_cr2(), !user_mode(regs));
    271 exception_exit(prev_state);
    272 break;
    273 case KVM_PV_REASON_PAGE_READY:
    274 diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
    275 index 56e68dfac974..7558531c1215 100644
    276 --- a/arch/x86/kvm/mmu.c
    277 +++ b/arch/x86/kvm/mmu.c
    278 @@ -3799,7 +3799,7 @@ int kvm_handle_page_fault(struct kvm_vcpu *vcpu, u64 error_code,
    279 case KVM_PV_REASON_PAGE_NOT_PRESENT:
    280 vcpu->arch.apf.host_apf_reason = 0;
    281 local_irq_disable();
    282 - kvm_async_pf_task_wait(fault_address);
    283 + kvm_async_pf_task_wait(fault_address, 0);
    284 local_irq_enable();
    285 break;
    286 case KVM_PV_REASON_PAGE_READY:
    287 diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
    288 index e1324f280e06..4d50ced94686 100644
    289 --- a/arch/x86/net/bpf_jit_comp.c
    290 +++ b/arch/x86/net/bpf_jit_comp.c
    291 @@ -282,9 +282,9 @@ static void emit_bpf_tail_call(u8 **pprog)
    292 /* if (index >= array->map.max_entries)
    293 * goto out;
    294 */
    295 - EMIT4(0x48, 0x8B, 0x46, /* mov rax, qword ptr [rsi + 16] */
    296 + EMIT2(0x89, 0xD2); /* mov edx, edx */
    297 + EMIT3(0x39, 0x56, /* cmp dword ptr [rsi + 16], edx */
    298 offsetof(struct bpf_array, map.max_entries));
    299 - EMIT3(0x48, 0x39, 0xD0); /* cmp rax, rdx */
    300 #define OFFSET1 47 /* number of bytes to jump */
    301 EMIT2(X86_JBE, OFFSET1); /* jbe out */
    302 label1 = cnt;
    303 diff --git a/block/bsg-lib.c b/block/bsg-lib.c
    304 index c587c71d78af..82ddfcd23939 100644
    305 --- a/block/bsg-lib.c
    306 +++ b/block/bsg-lib.c
    307 @@ -207,20 +207,34 @@ static int bsg_init_rq(struct request_queue *q, struct request *req, gfp_t gfp)
    308 struct bsg_job *job = blk_mq_rq_to_pdu(req);
    309 struct scsi_request *sreq = &job->sreq;
    310
    311 + /* called right after the request is allocated for the request_queue */
    312 +
    313 + sreq->sense = kzalloc(SCSI_SENSE_BUFFERSIZE, gfp);
    314 + if (!sreq->sense)
    315 + return -ENOMEM;
    316 +
    317 + return 0;
    318 +}
    319 +
    320 +static void bsg_initialize_rq(struct request *req)
    321 +{
    322 + struct bsg_job *job = blk_mq_rq_to_pdu(req);
    323 + struct scsi_request *sreq = &job->sreq;
    324 + void *sense = sreq->sense;
    325 +
    326 + /* called right before the request is given to the request_queue user */
    327 +
    328 memset(job, 0, sizeof(*job));
    329
    330 scsi_req_init(sreq);
    331 +
    332 + sreq->sense = sense;
    333 sreq->sense_len = SCSI_SENSE_BUFFERSIZE;
    334 - sreq->sense = kzalloc(sreq->sense_len, gfp);
    335 - if (!sreq->sense)
    336 - return -ENOMEM;
    337
    338 job->req = req;
    339 - job->reply = sreq->sense;
    340 + job->reply = sense;
    341 job->reply_len = sreq->sense_len;
    342 job->dd_data = job + 1;
    343 -
    344 - return 0;
    345 }
    346
    347 static void bsg_exit_rq(struct request_queue *q, struct request *req)
    348 @@ -250,6 +264,7 @@ struct request_queue *bsg_setup_queue(struct device *dev, char *name,
    349 q->cmd_size = sizeof(struct bsg_job) + dd_job_size;
    350 q->init_rq_fn = bsg_init_rq;
    351 q->exit_rq_fn = bsg_exit_rq;
    352 + q->initialize_rq_fn = bsg_initialize_rq;
    353 q->request_fn = bsg_request_fn;
    354
    355 ret = blk_init_allocated_queue(q);
    356 diff --git a/drivers/auxdisplay/charlcd.c b/drivers/auxdisplay/charlcd.c
    357 index cfeb049a01ef..642afd88870b 100644
    358 --- a/drivers/auxdisplay/charlcd.c
    359 +++ b/drivers/auxdisplay/charlcd.c
    360 @@ -647,18 +647,25 @@ static ssize_t charlcd_write(struct file *file, const char __user *buf,
    361 static int charlcd_open(struct inode *inode, struct file *file)
    362 {
    363 struct charlcd_priv *priv = to_priv(the_charlcd);
    364 + int ret;
    365
    366 + ret = -EBUSY;
    367 if (!atomic_dec_and_test(&charlcd_available))
    368 - return -EBUSY; /* open only once at a time */
    369 + goto fail; /* open only once at a time */
    370
    371 + ret = -EPERM;
    372 if (file->f_mode & FMODE_READ) /* device is write-only */
    373 - return -EPERM;
    374 + goto fail;
    375
    376 if (priv->must_clear) {
    377 charlcd_clear_display(&priv->lcd);
    378 priv->must_clear = false;
    379 }
    380 return nonseekable_open(inode, file);
    381 +
    382 + fail:
    383 + atomic_inc(&charlcd_available);
    384 + return ret;
    385 }
    386
    387 static int charlcd_release(struct inode *inode, struct file *file)
    388 diff --git a/drivers/auxdisplay/panel.c b/drivers/auxdisplay/panel.c
    389 index 7a8b8fb2f572..c54c20700d37 100644
    390 --- a/drivers/auxdisplay/panel.c
    391 +++ b/drivers/auxdisplay/panel.c
    392 @@ -1105,14 +1105,21 @@ static ssize_t keypad_read(struct file *file,
    393
    394 static int keypad_open(struct inode *inode, struct file *file)
    395 {
    396 + int ret;
    397 +
    398 + ret = -EBUSY;
    399 if (!atomic_dec_and_test(&keypad_available))
    400 - return -EBUSY; /* open only once at a time */
    401 + goto fail; /* open only once at a time */
    402
    403 + ret = -EPERM;
    404 if (file->f_mode & FMODE_WRITE) /* device is read-only */
    405 - return -EPERM;
    406 + goto fail;
    407
    408 keypad_buflen = 0; /* flush the buffer on opening */
    409 return 0;
    410 + fail:
    411 + atomic_inc(&keypad_available);
    412 + return ret;
    413 }
    414
    415 static int keypad_release(struct inode *inode, struct file *file)
    416 diff --git a/drivers/base/arch_topology.c b/drivers/base/arch_topology.c
    417 index d1c33a85059e..df8945d7f009 100644
    418 --- a/drivers/base/arch_topology.c
    419 +++ b/drivers/base/arch_topology.c
    420 @@ -160,12 +160,12 @@ int __init topology_parse_cpu_capacity(struct device_node *cpu_node, int cpu)
    421 }
    422
    423 #ifdef CONFIG_CPU_FREQ
    424 -static cpumask_var_t cpus_to_visit;
    425 -static bool cap_parsing_done;
    426 -static void parsing_done_workfn(struct work_struct *work);
    427 -static DECLARE_WORK(parsing_done_work, parsing_done_workfn);
    428 +static bool cap_parsing_done __initdata;
    429 +static cpumask_var_t cpus_to_visit __initdata;
    430 +static void __init parsing_done_workfn(struct work_struct *work);
    431 +static __initdata DECLARE_WORK(parsing_done_work, parsing_done_workfn);
    432
    433 -static int
    434 +static int __init
    435 init_cpu_capacity_callback(struct notifier_block *nb,
    436 unsigned long val,
    437 void *data)
    438 @@ -200,7 +200,7 @@ init_cpu_capacity_callback(struct notifier_block *nb,
    439 return 0;
    440 }
    441
    442 -static struct notifier_block init_cpu_capacity_notifier = {
    443 +static struct notifier_block init_cpu_capacity_notifier __initdata = {
    444 .notifier_call = init_cpu_capacity_callback,
    445 };
    446
    447 @@ -226,7 +226,7 @@ static int __init register_cpufreq_notifier(void)
    448 }
    449 core_initcall(register_cpufreq_notifier);
    450
    451 -static void parsing_done_workfn(struct work_struct *work)
    452 +static void __init parsing_done_workfn(struct work_struct *work)
    453 {
    454 cpufreq_unregister_notifier(&init_cpu_capacity_notifier,
    455 CPUFREQ_POLICY_NOTIFIER);
    456 diff --git a/drivers/base/platform.c b/drivers/base/platform.c
    457 index d1bd99271066..9045c5f3734e 100644
    458 --- a/drivers/base/platform.c
    459 +++ b/drivers/base/platform.c
    460 @@ -868,7 +868,8 @@ static ssize_t driver_override_store(struct device *dev,
    461 struct platform_device *pdev = to_platform_device(dev);
    462 char *driver_override, *old, *cp;
    463
    464 - if (count > PATH_MAX)
    465 + /* We need to keep extra room for a newline */
    466 + if (count >= (PAGE_SIZE - 1))
    467 return -EINVAL;
    468
    469 driver_override = kstrndup(buf, count, GFP_KERNEL);
    470 diff --git a/drivers/clk/samsung/clk-exynos4.c b/drivers/clk/samsung/clk-exynos4.c
    471 index e40b77583c47..d8d3cb67b402 100644
    472 --- a/drivers/clk/samsung/clk-exynos4.c
    473 +++ b/drivers/clk/samsung/clk-exynos4.c
    474 @@ -294,6 +294,18 @@ static const struct samsung_clk_reg_dump src_mask_suspend_e4210[] = {
    475 #define PLL_ENABLED (1 << 31)
    476 #define PLL_LOCKED (1 << 29)
    477
    478 +static void exynos4_clk_enable_pll(u32 reg)
    479 +{
    480 + u32 pll_con = readl(reg_base + reg);
    481 + pll_con |= PLL_ENABLED;
    482 + writel(pll_con, reg_base + reg);
    483 +
    484 + while (!(pll_con & PLL_LOCKED)) {
    485 + cpu_relax();
    486 + pll_con = readl(reg_base + reg);
    487 + }
    488 +}
    489 +
    490 static void exynos4_clk_wait_for_pll(u32 reg)
    491 {
    492 u32 pll_con;
    493 @@ -315,6 +327,9 @@ static int exynos4_clk_suspend(void)
    494 samsung_clk_save(reg_base, exynos4_save_pll,
    495 ARRAY_SIZE(exynos4_clk_pll_regs));
    496
    497 + exynos4_clk_enable_pll(EPLL_CON0);
    498 + exynos4_clk_enable_pll(VPLL_CON0);
    499 +
    500 if (exynos4_soc == EXYNOS4210) {
    501 samsung_clk_save(reg_base, exynos4_save_soc,
    502 ARRAY_SIZE(exynos4210_clk_save));
    503 diff --git a/drivers/gpu/drm/i915/intel_audio.c b/drivers/gpu/drm/i915/intel_audio.c
    504 index d805b6e6fe71..27743be5b768 100644
    505 --- a/drivers/gpu/drm/i915/intel_audio.c
    506 +++ b/drivers/gpu/drm/i915/intel_audio.c
    507 @@ -606,11 +606,6 @@ void intel_audio_codec_enable(struct intel_encoder *intel_encoder,
    508 connector->encoder->base.id,
    509 connector->encoder->name);
    510
    511 - /* ELD Conn_Type */
    512 - connector->eld[5] &= ~(3 << 2);
    513 - if (intel_crtc_has_dp_encoder(crtc_state))
    514 - connector->eld[5] |= (1 << 2);
    515 -
    516 connector->eld[6] = drm_av_sync_delay(connector, adjusted_mode) / 2;
    517
    518 if (dev_priv->display.audio_codec_enable)
    519 diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c
    520 index 7ea7fd1e8856..645488071944 100644
    521 --- a/drivers/gpu/drm/i915/intel_bios.c
    522 +++ b/drivers/gpu/drm/i915/intel_bios.c
    523 @@ -1163,6 +1163,13 @@ static void parse_ddi_port(struct drm_i915_private *dev_priv, enum port port,
    524 is_hdmi = is_dvi && (child->common.device_type & DEVICE_TYPE_NOT_HDMI_OUTPUT) == 0;
    525 is_edp = is_dp && (child->common.device_type & DEVICE_TYPE_INTERNAL_CONNECTOR);
    526
    527 + if (port == PORT_A && is_dvi) {
    528 + DRM_DEBUG_KMS("VBT claims port A supports DVI%s, ignoring\n",
    529 + is_hdmi ? "/HDMI" : "");
    530 + is_dvi = false;
    531 + is_hdmi = false;
    532 + }
    533 +
    534 info->supports_dvi = is_dvi;
    535 info->supports_hdmi = is_hdmi;
    536 info->supports_dp = is_dp;
    537 diff --git a/drivers/gpu/drm/i915/intel_modes.c b/drivers/gpu/drm/i915/intel_modes.c
    538 index 951e834dd274..28a778b785ac 100644
    539 --- a/drivers/gpu/drm/i915/intel_modes.c
    540 +++ b/drivers/gpu/drm/i915/intel_modes.c
    541 @@ -30,6 +30,21 @@
    542 #include "intel_drv.h"
    543 #include "i915_drv.h"
    544
    545 +static void intel_connector_update_eld_conn_type(struct drm_connector *connector)
    546 +{
    547 + u8 conn_type;
    548 +
    549 + if (connector->connector_type == DRM_MODE_CONNECTOR_DisplayPort ||
    550 + connector->connector_type == DRM_MODE_CONNECTOR_eDP) {
    551 + conn_type = DRM_ELD_CONN_TYPE_DP;
    552 + } else {
    553 + conn_type = DRM_ELD_CONN_TYPE_HDMI;
    554 + }
    555 +
    556 + connector->eld[DRM_ELD_SAD_COUNT_CONN_TYPE] &= ~DRM_ELD_CONN_TYPE_MASK;
    557 + connector->eld[DRM_ELD_SAD_COUNT_CONN_TYPE] |= conn_type;
    558 +}
    559 +
    560 /**
    561 * intel_connector_update_modes - update connector from edid
    562 * @connector: DRM connector device to use
    563 @@ -44,6 +59,8 @@ int intel_connector_update_modes(struct drm_connector *connector,
    564 ret = drm_add_edid_modes(connector, edid);
    565 drm_edid_to_eld(connector, edid);
    566
    567 + intel_connector_update_eld_conn_type(connector);
    568 +
    569 return ret;
    570 }
    571
    572 diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c
    573 index 5b40c2614599..ef241d66562e 100644
    574 --- a/drivers/hid/hid-rmi.c
    575 +++ b/drivers/hid/hid-rmi.c
    576 @@ -436,17 +436,24 @@ static int rmi_post_resume(struct hid_device *hdev)
    577 if (!(data->device_flags & RMI_DEVICE))
    578 return 0;
    579
    580 - ret = rmi_reset_attn_mode(hdev);
    581 + /* Make sure the HID device is ready to receive events */
    582 + ret = hid_hw_open(hdev);
    583 if (ret)
    584 return ret;
    585
    586 + ret = rmi_reset_attn_mode(hdev);
    587 + if (ret)
    588 + goto out;
    589 +
    590 ret = rmi_driver_resume(rmi_dev, false);
    591 if (ret) {
    592 hid_warn(hdev, "Failed to resume device: %d\n", ret);
    593 - return ret;
    594 + goto out;
    595 }
    596
    597 - return 0;
    598 +out:
    599 + hid_hw_close(hdev);
    600 + return ret;
    601 }
    602 #endif /* CONFIG_PM */
    603
    604 diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
    605 index 046f692fd0a2..364150435c62 100644
    606 --- a/drivers/hid/i2c-hid/i2c-hid.c
    607 +++ b/drivers/hid/i2c-hid/i2c-hid.c
    608 @@ -543,7 +543,8 @@ static int i2c_hid_alloc_buffers(struct i2c_hid *ihid, size_t report_size)
    609 {
    610 /* the worst case is computed from the set_report command with a
    611 * reportID > 15 and the maximum report length */
    612 - int args_len = sizeof(__u8) + /* optional ReportID byte */
    613 + int args_len = sizeof(__u8) + /* ReportID */
    614 + sizeof(__u8) + /* optional ReportID byte */
    615 sizeof(__u16) + /* data register */
    616 sizeof(__u16) + /* size of the report */
    617 report_size; /* report */
    618 diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
    619 index 838c1ebfffa9..a805ee2989cb 100644
    620 --- a/drivers/hid/wacom_sys.c
    621 +++ b/drivers/hid/wacom_sys.c
    622 @@ -668,8 +668,10 @@ static struct wacom_hdev_data *wacom_get_hdev_data(struct hid_device *hdev)
    623
    624 /* Try to find an already-probed interface from the same device */
    625 list_for_each_entry(data, &wacom_udev_list, list) {
    626 - if (compare_device_paths(hdev, data->dev, '/'))
    627 + if (compare_device_paths(hdev, data->dev, '/')) {
    628 + kref_get(&data->kref);
    629 return data;
    630 + }
    631 }
    632
    633 /* Fallback to finding devices that appear to be "siblings" */
    634 @@ -766,6 +768,9 @@ static int wacom_led_control(struct wacom *wacom)
    635 if (!wacom->led.groups)
    636 return -ENOTSUPP;
    637
    638 + if (wacom->wacom_wac.features.type == REMOTE)
    639 + return -ENOTSUPP;
    640 +
    641 if (wacom->wacom_wac.pid) { /* wireless connected */
    642 report_id = WAC_CMD_WL_LED_CONTROL;
    643 buf_size = 13;
    644 diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
    645 index bb17d7bbefd3..aa692e28b2cd 100644
    646 --- a/drivers/hid/wacom_wac.c
    647 +++ b/drivers/hid/wacom_wac.c
    648 @@ -567,8 +567,8 @@ static int wacom_intuos_pad(struct wacom_wac *wacom)
    649 keys = data[9] & 0x07;
    650 }
    651 } else {
    652 - buttons = ((data[6] & 0x10) << 10) |
    653 - ((data[5] & 0x10) << 9) |
    654 + buttons = ((data[6] & 0x10) << 5) |
    655 + ((data[5] & 0x10) << 4) |
    656 ((data[6] & 0x0F) << 4) |
    657 (data[5] & 0x0F);
    658 }
    659 @@ -1227,11 +1227,17 @@ static void wacom_intuos_pro2_bt_pen(struct wacom_wac *wacom)
    660 continue;
    661
    662 if (range) {
    663 + /* Fix rotation alignment: userspace expects zero at left */
    664 + int16_t rotation = (int16_t)get_unaligned_le16(&frame[9]);
    665 + rotation += 1800/4;
    666 + if (rotation > 899)
    667 + rotation -= 1800;
    668 +
    669 input_report_abs(pen_input, ABS_X, get_unaligned_le16(&frame[1]));
    670 input_report_abs(pen_input, ABS_Y, get_unaligned_le16(&frame[3]));
    671 - input_report_abs(pen_input, ABS_TILT_X, frame[7]);
    672 - input_report_abs(pen_input, ABS_TILT_Y, frame[8]);
    673 - input_report_abs(pen_input, ABS_Z, get_unaligned_le16(&frame[9]));
    674 + input_report_abs(pen_input, ABS_TILT_X, (char)frame[7]);
    675 + input_report_abs(pen_input, ABS_TILT_Y, (char)frame[8]);
    676 + input_report_abs(pen_input, ABS_Z, rotation);
    677 input_report_abs(pen_input, ABS_WHEEL, get_unaligned_le16(&frame[11]));
    678 }
    679 input_report_abs(pen_input, ABS_PRESSURE, get_unaligned_le16(&frame[5]));
    680 @@ -1319,12 +1325,19 @@ static void wacom_intuos_pro2_bt_pad(struct wacom_wac *wacom)
    681 unsigned char *data = wacom->data;
    682
    683 int buttons = (data[282] << 1) | ((data[281] >> 6) & 0x01);
    684 - int ring = data[285];
    685 - int prox = buttons | (ring & 0x80);
    686 + int ring = data[285] & 0x7F;
    687 + bool ringstatus = data[285] & 0x80;
    688 + bool prox = buttons || ringstatus;
    689 +
    690 + /* Fix touchring data: userspace expects 0 at left and increasing clockwise */
    691 + ring = 71 - ring;
    692 + ring += 3*72/16;
    693 + if (ring > 71)
    694 + ring -= 72;
    695
    696 wacom_report_numbered_buttons(pad_input, 9, buttons);
    697
    698 - input_report_abs(pad_input, ABS_WHEEL, (ring & 0x80) ? (ring & 0x7f) : 0);
    699 + input_report_abs(pad_input, ABS_WHEEL, ringstatus ? ring : 0);
    700
    701 input_report_key(pad_input, wacom->tool[1], prox ? 1 : 0);
    702 input_report_abs(pad_input, ABS_MISC, prox ? PAD_DEVICE_ID : 0);
    703 @@ -1616,6 +1629,20 @@ static int wacom_tpc_irq(struct wacom_wac *wacom, size_t len)
    704 return 0;
    705 }
    706
    707 +static int wacom_offset_rotation(struct input_dev *input, struct hid_usage *usage,
    708 + int value, int num, int denom)
    709 +{
    710 + struct input_absinfo *abs = &input->absinfo[usage->code];
    711 + int range = (abs->maximum - abs->minimum + 1);
    712 +
    713 + value += num*range/denom;
    714 + if (value > abs->maximum)
    715 + value -= range;
    716 + else if (value < abs->minimum)
    717 + value += range;
    718 + return value;
    719 +}
    720 +
    721 int wacom_equivalent_usage(int usage)
    722 {
    723 if ((usage & HID_USAGE_PAGE) == WACOM_HID_UP_WACOMDIGITIZER) {
    724 @@ -1898,6 +1925,7 @@ static void wacom_wac_pad_event(struct hid_device *hdev, struct hid_field *field
    725 unsigned equivalent_usage = wacom_equivalent_usage(usage->hid);
    726 int i;
    727 bool is_touch_on = value;
    728 + bool do_report = false;
    729
    730 /*
    731 * Avoid reporting this event and setting inrange_state if this usage
    732 @@ -1912,6 +1940,29 @@ static void wacom_wac_pad_event(struct hid_device *hdev, struct hid_field *field
    733 }
    734
    735 switch (equivalent_usage) {
    736 + case WACOM_HID_WD_TOUCHRING:
    737 + /*
    738 + * Userspace expects touchrings to increase in value with
    739 + * clockwise gestures and have their zero point at the
    740 + * tablet's left. HID events "should" be clockwise-
    741 + * increasing and zero at top, though the MobileStudio
    742 + * Pro and 2nd-gen Intuos Pro don't do this...
    743 + */
    744 + if (hdev->vendor == 0x56a &&
    745 + (hdev->product == 0x34d || hdev->product == 0x34e || /* MobileStudio Pro */
    746 + hdev->product == 0x357 || hdev->product == 0x358)) { /* Intuos Pro 2 */
    747 + value = (field->logical_maximum - value);
    748 +
    749 + if (hdev->product == 0x357 || hdev->product == 0x358)
    750 + value = wacom_offset_rotation(input, usage, value, 3, 16);
    751 + else if (hdev->product == 0x34d || hdev->product == 0x34e)
    752 + value = wacom_offset_rotation(input, usage, value, 1, 2);
    753 + }
    754 + else {
    755 + value = wacom_offset_rotation(input, usage, value, 1, 4);
    756 + }
    757 + do_report = true;
    758 + break;
    759 case WACOM_HID_WD_TOUCHRINGSTATUS:
    760 if (!value)
    761 input_event(input, usage->type, usage->code, 0);
    762 @@ -1945,10 +1996,14 @@ static void wacom_wac_pad_event(struct hid_device *hdev, struct hid_field *field
    763 value, i);
    764 /* fall through*/
    765 default:
    766 + do_report = true;
    767 + break;
    768 + }
    769 +
    770 + if (do_report) {
    771 input_event(input, usage->type, usage->code, value);
    772 if (value)
    773 wacom_wac->hid_data.pad_input_event_flag = true;
    774 - break;
    775 }
    776 }
    777
    778 @@ -2086,22 +2141,34 @@ static void wacom_wac_pen_event(struct hid_device *hdev, struct hid_field *field
    779 wacom_wac->hid_data.tipswitch |= value;
    780 return;
    781 case HID_DG_TOOLSERIALNUMBER:
    782 - wacom_wac->serial[0] = (wacom_wac->serial[0] & ~0xFFFFFFFFULL);
    783 - wacom_wac->serial[0] |= (__u32)value;
    784 + if (value) {
    785 + wacom_wac->serial[0] = (wacom_wac->serial[0] & ~0xFFFFFFFFULL);
    786 + wacom_wac->serial[0] |= (__u32)value;
    787 + }
    788 return;
    789 + case HID_DG_TWIST:
    790 + /*
    791 + * Userspace expects pen twist to have its zero point when
    792 + * the buttons/finger is on the tablet's left. HID values
    793 + * are zero when buttons are toward the top.
    794 + */
    795 + value = wacom_offset_rotation(input, usage, value, 1, 4);
    796 + break;
    797 case WACOM_HID_WD_SENSE:
    798 wacom_wac->hid_data.sense_state = value;
    799 return;
    800 case WACOM_HID_WD_SERIALHI:
    801 - wacom_wac->serial[0] = (wacom_wac->serial[0] & 0xFFFFFFFF);
    802 - wacom_wac->serial[0] |= ((__u64)value) << 32;
    803 - /*
    804 - * Non-USI EMR devices may contain additional tool type
    805 - * information here. See WACOM_HID_WD_TOOLTYPE case for
    806 - * more details.
    807 - */
    808 - if (value >> 20 == 1) {
    809 - wacom_wac->id[0] |= value & 0xFFFFF;
    810 + if (value) {
    811 + wacom_wac->serial[0] = (wacom_wac->serial[0] & 0xFFFFFFFF);
    812 + wacom_wac->serial[0] |= ((__u64)value) << 32;
    813 + /*
    814 + * Non-USI EMR devices may contain additional tool type
    815 + * information here. See WACOM_HID_WD_TOOLTYPE case for
    816 + * more details.
    817 + */
    818 + if (value >> 20 == 1) {
    819 + wacom_wac->id[0] |= value & 0xFFFFF;
    820 + }
    821 }
    822 return;
    823 case WACOM_HID_WD_TOOLTYPE:
    824 @@ -2205,7 +2272,7 @@ static void wacom_wac_pen_report(struct hid_device *hdev,
    825 input_report_key(input, wacom_wac->tool[0], prox);
    826 if (wacom_wac->serial[0]) {
    827 input_event(input, EV_MSC, MSC_SERIAL, wacom_wac->serial[0]);
    828 - input_report_abs(input, ABS_MISC, id);
    829 + input_report_abs(input, ABS_MISC, prox ? id : 0);
    830 }
    831
    832 wacom_wac->hid_data.tipswitch = false;
    833 @@ -2216,6 +2283,7 @@ static void wacom_wac_pen_report(struct hid_device *hdev,
    834 if (!prox) {
    835 wacom_wac->tool[0] = 0;
    836 wacom_wac->id[0] = 0;
    837 + wacom_wac->serial[0] = 0;
    838 }
    839 }
    840
    841 diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
    842 index 4bbb8dea4727..037361158074 100644
    843 --- a/drivers/hv/channel_mgmt.c
    844 +++ b/drivers/hv/channel_mgmt.c
    845 @@ -922,14 +922,10 @@ static void vmbus_onoffer_rescind(struct vmbus_channel_message_header *hdr)
    846
    847 void vmbus_hvsock_device_unregister(struct vmbus_channel *channel)
    848 {
    849 - mutex_lock(&vmbus_connection.channel_mutex);
    850 -
    851 BUG_ON(!is_hvsock_channel(channel));
    852
    853 channel->rescind = true;
    854 vmbus_device_unregister(channel->device_obj);
    855 -
    856 - mutex_unlock(&vmbus_connection.channel_mutex);
    857 }
    858 EXPORT_SYMBOL_GPL(vmbus_hvsock_device_unregister);
    859
    860 diff --git a/drivers/hv/hv_fcopy.c b/drivers/hv/hv_fcopy.c
    861 index daa75bd41f86..2364281d8593 100644
    862 --- a/drivers/hv/hv_fcopy.c
    863 +++ b/drivers/hv/hv_fcopy.c
    864 @@ -170,6 +170,10 @@ static void fcopy_send_data(struct work_struct *dummy)
    865 out_src = smsg_out;
    866 break;
    867
    868 + case WRITE_TO_FILE:
    869 + out_src = fcopy_transaction.fcopy_msg;
    870 + out_len = sizeof(struct hv_do_fcopy);
    871 + break;
    872 default:
    873 out_src = fcopy_transaction.fcopy_msg;
    874 out_len = fcopy_transaction.recv_len;
    875 diff --git a/drivers/hwtracing/intel_th/pci.c b/drivers/hwtracing/intel_th/pci.c
    876 index da40df2ff27d..ed6262be3643 100644
    877 --- a/drivers/hwtracing/intel_th/pci.c
    878 +++ b/drivers/hwtracing/intel_th/pci.c
    879 @@ -90,6 +90,11 @@ static const struct pci_device_id intel_th_pci_id_table[] = {
    880 PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x19e1),
    881 .driver_data = (kernel_ulong_t)0,
    882 },
    883 + {
    884 + /* Lewisburg PCH */
    885 + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa1a6),
    886 + .driver_data = (kernel_ulong_t)0,
    887 + },
    888 {
    889 /* Gemini Lake */
    890 PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e),
    891 diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
    892 index 0e731143f6a4..08b8305fee44 100644
    893 --- a/drivers/hwtracing/stm/core.c
    894 +++ b/drivers/hwtracing/stm/core.c
    895 @@ -1119,7 +1119,7 @@ void stm_source_unregister_device(struct stm_source_data *data)
    896
    897 stm_source_link_drop(src);
    898
    899 - device_destroy(&stm_source_class, src->dev.devt);
    900 + device_unregister(&src->dev);
    901 }
    902 EXPORT_SYMBOL_GPL(stm_source_unregister_device);
    903
    904 diff --git a/drivers/iio/adc/ad7793.c b/drivers/iio/adc/ad7793.c
    905 index e6706a09e100..47c3d7f32900 100644
    906 --- a/drivers/iio/adc/ad7793.c
    907 +++ b/drivers/iio/adc/ad7793.c
    908 @@ -257,7 +257,7 @@ static int ad7793_setup(struct iio_dev *indio_dev,
    909 unsigned int vref_mv)
    910 {
    911 struct ad7793_state *st = iio_priv(indio_dev);
    912 - int i, ret = -1;
    913 + int i, ret;
    914 unsigned long long scale_uv;
    915 u32 id;
    916
    917 @@ -266,7 +266,7 @@ static int ad7793_setup(struct iio_dev *indio_dev,
    918 return ret;
    919
    920 /* reset the serial interface */
    921 - ret = spi_write(st->sd.spi, (u8 *)&ret, sizeof(ret));
    922 + ret = ad_sd_reset(&st->sd, 32);
    923 if (ret < 0)
    924 goto out;
    925 usleep_range(500, 2000); /* Wait for at least 500us */
    926 diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
    927 index d10bd0c97233..22c4c17cd996 100644
    928 --- a/drivers/iio/adc/ad_sigma_delta.c
    929 +++ b/drivers/iio/adc/ad_sigma_delta.c
    930 @@ -177,6 +177,34 @@ int ad_sd_read_reg(struct ad_sigma_delta *sigma_delta,
    931 }
    932 EXPORT_SYMBOL_GPL(ad_sd_read_reg);
    933
    934 +/**
    935 + * ad_sd_reset() - Reset the serial interface
    936 + *
    937 + * @sigma_delta: The sigma delta device
    938 + * @reset_length: Number of SCLKs with DIN = 1
    939 + *
    940 + * Returns 0 on success, an error code otherwise.
    941 + **/
    942 +int ad_sd_reset(struct ad_sigma_delta *sigma_delta,
    943 + unsigned int reset_length)
    944 +{
    945 + uint8_t *buf;
    946 + unsigned int size;
    947 + int ret;
    948 +
    949 + size = DIV_ROUND_UP(reset_length, 8);
    950 + buf = kcalloc(size, sizeof(*buf), GFP_KERNEL);
    951 + if (!buf)
    952 + return -ENOMEM;
    953 +
    954 + memset(buf, 0xff, size);
    955 + ret = spi_write(sigma_delta->spi, buf, size);
    956 + kfree(buf);
    957 +
    958 + return ret;
    959 +}
    960 +EXPORT_SYMBOL_GPL(ad_sd_reset);
    961 +
    962 static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
    963 unsigned int mode, unsigned int channel)
    964 {
    965 diff --git a/drivers/iio/adc/mcp320x.c b/drivers/iio/adc/mcp320x.c
    966 index 634717ae12f3..071dd23a33d9 100644
    967 --- a/drivers/iio/adc/mcp320x.c
    968 +++ b/drivers/iio/adc/mcp320x.c
    969 @@ -17,6 +17,8 @@
    970 * MCP3204
    971 * MCP3208
    972 * ------------
    973 + * 13 bit converter
    974 + * MCP3301
    975 *
    976 * Datasheet can be found here:
    977 * http://ww1.microchip.com/downloads/en/DeviceDoc/21293C.pdf mcp3001
    978 @@ -96,7 +98,7 @@ static int mcp320x_channel_to_tx_data(int device_index,
    979 }
    980
    981 static int mcp320x_adc_conversion(struct mcp320x *adc, u8 channel,
    982 - bool differential, int device_index)
    983 + bool differential, int device_index, int *val)
    984 {
    985 int ret;
    986
    987 @@ -117,19 +119,25 @@ static int mcp320x_adc_conversion(struct mcp320x *adc, u8 channel,
    988
    989 switch (device_index) {
    990 case mcp3001:
    991 - return (adc->rx_buf[0] << 5 | adc->rx_buf[1] >> 3);
    992 + *val = (adc->rx_buf[0] << 5 | adc->rx_buf[1] >> 3);
    993 + return 0;
    994 case mcp3002:
    995 case mcp3004:
    996 case mcp3008:
    997 - return (adc->rx_buf[0] << 2 | adc->rx_buf[1] >> 6);
    998 + *val = (adc->rx_buf[0] << 2 | adc->rx_buf[1] >> 6);
    999 + return 0;
    1000 case mcp3201:
    1001 - return (adc->rx_buf[0] << 7 | adc->rx_buf[1] >> 1);
    1002 + *val = (adc->rx_buf[0] << 7 | adc->rx_buf[1] >> 1);
    1003 + return 0;
    1004 case mcp3202:
    1005 case mcp3204:
    1006 case mcp3208:
    1007 - return (adc->rx_buf[0] << 4 | adc->rx_buf[1] >> 4);
    1008 + *val = (adc->rx_buf[0] << 4 | adc->rx_buf[1] >> 4);
    1009 + return 0;
    1010 case mcp3301:
    1011 - return sign_extend32((adc->rx_buf[0] & 0x1f) << 8 | adc->rx_buf[1], 12);
    1012 + *val = sign_extend32((adc->rx_buf[0] & 0x1f) << 8
    1013 + | adc->rx_buf[1], 12);
    1014 + return 0;
    1015 default:
    1016 return -EINVAL;
    1017 }
    1018 @@ -150,12 +158,10 @@ static int mcp320x_read_raw(struct iio_dev *indio_dev,
    1019 switch (mask) {
    1020 case IIO_CHAN_INFO_RAW:
    1021 ret = mcp320x_adc_conversion(adc, channel->address,
    1022 - channel->differential, device_index);
    1023 -
    1024 + channel->differential, device_index, val);
    1025 if (ret < 0)
    1026 goto out;
    1027
    1028 - *val = ret;
    1029 ret = IIO_VAL_INT;
    1030 break;
    1031
    1032 @@ -312,6 +318,7 @@ static int mcp320x_probe(struct spi_device *spi)
    1033 indio_dev->name = spi_get_device_id(spi)->name;
    1034 indio_dev->modes = INDIO_DIRECT_MODE;
    1035 indio_dev->info = &mcp320x_info;
    1036 + spi_set_drvdata(spi, indio_dev);
    1037
    1038 chip_info = &mcp320x_chip_infos[spi_get_device_id(spi)->driver_data];
    1039 indio_dev->channels = chip_info->channels;
    1040 diff --git a/drivers/iio/adc/stm32-adc.c b/drivers/iio/adc/stm32-adc.c
    1041 index 5bfcc1f13105..10e1d8328461 100644
    1042 --- a/drivers/iio/adc/stm32-adc.c
    1043 +++ b/drivers/iio/adc/stm32-adc.c
    1044 @@ -1543,7 +1543,7 @@ static int stm32_adc_chan_of_init(struct iio_dev *indio_dev)
    1045
    1046 num_channels = of_property_count_u32_elems(node, "st,adc-channels");
    1047 if (num_channels < 0 ||
    1048 - num_channels >= adc_info->max_channels) {
    1049 + num_channels > adc_info->max_channels) {
    1050 dev_err(&indio_dev->dev, "Bad st,adc-channels?\n");
    1051 return num_channels < 0 ? num_channels : -EINVAL;
    1052 }
    1053 diff --git a/drivers/iio/adc/twl4030-madc.c b/drivers/iio/adc/twl4030-madc.c
    1054 index bd3d37fc2144..0c86fbb3033e 100644
    1055 --- a/drivers/iio/adc/twl4030-madc.c
    1056 +++ b/drivers/iio/adc/twl4030-madc.c
    1057 @@ -887,8 +887,10 @@ static int twl4030_madc_probe(struct platform_device *pdev)
    1058
    1059 /* Enable 3v1 bias regulator for MADC[3:6] */
    1060 madc->usb3v1 = devm_regulator_get(madc->dev, "vusb3v1");
    1061 - if (IS_ERR(madc->usb3v1))
    1062 - return -ENODEV;
    1063 + if (IS_ERR(madc->usb3v1)) {
    1064 + ret = -ENODEV;
    1065 + goto err_i2c;
    1066 + }
    1067
    1068 ret = regulator_enable(madc->usb3v1);
    1069 if (ret)
    1070 @@ -897,11 +899,13 @@ static int twl4030_madc_probe(struct platform_device *pdev)
    1071 ret = iio_device_register(iio_dev);
    1072 if (ret) {
    1073 dev_err(&pdev->dev, "could not register iio device\n");
    1074 - goto err_i2c;
    1075 + goto err_usb3v1;
    1076 }
    1077
    1078 return 0;
    1079
    1080 +err_usb3v1:
    1081 + regulator_disable(madc->usb3v1);
    1082 err_i2c:
    1083 twl4030_madc_set_current_generator(madc, 0, 0);
    1084 err_current_generator:
    1085 diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
    1086 index 17ec4cee51dc..a47428b4d31b 100644
    1087 --- a/drivers/iio/industrialio-core.c
    1088 +++ b/drivers/iio/industrialio-core.c
    1089 @@ -310,8 +310,10 @@ static ssize_t iio_debugfs_read_reg(struct file *file, char __user *userbuf,
    1090 ret = indio_dev->info->debugfs_reg_access(indio_dev,
    1091 indio_dev->cached_reg_addr,
    1092 0, &val);
    1093 - if (ret)
    1094 + if (ret) {
    1095 dev_err(indio_dev->dev.parent, "%s: read failed\n", __func__);
    1096 + return ret;
    1097 + }
    1098
    1099 len = snprintf(buf, sizeof(buf), "0x%X\n", val);
    1100
    1101 diff --git a/drivers/iio/pressure/bmp280-core.c b/drivers/iio/pressure/bmp280-core.c
    1102 index 0d2ea3ee371b..8f26428804a2 100644
    1103 --- a/drivers/iio/pressure/bmp280-core.c
    1104 +++ b/drivers/iio/pressure/bmp280-core.c
    1105 @@ -573,7 +573,7 @@ static int bmp280_chip_config(struct bmp280_data *data)
    1106 u8 osrs = BMP280_OSRS_TEMP_X(data->oversampling_temp + 1) |
    1107 BMP280_OSRS_PRESS_X(data->oversampling_press + 1);
    1108
    1109 - ret = regmap_update_bits(data->regmap, BMP280_REG_CTRL_MEAS,
    1110 + ret = regmap_write_bits(data->regmap, BMP280_REG_CTRL_MEAS,
    1111 BMP280_OSRS_TEMP_MASK |
    1112 BMP280_OSRS_PRESS_MASK |
    1113 BMP280_MODE_MASK,
    1114 diff --git a/drivers/iio/trigger/stm32-timer-trigger.c b/drivers/iio/trigger/stm32-timer-trigger.c
    1115 index 25ad6abfee22..ea128bd82a28 100644
    1116 --- a/drivers/iio/trigger/stm32-timer-trigger.c
    1117 +++ b/drivers/iio/trigger/stm32-timer-trigger.c
    1118 @@ -138,6 +138,7 @@ static void stm32_timer_stop(struct stm32_timer_trigger *priv)
    1119 clk_disable(priv->clk);
    1120
    1121 /* Stop timer */
    1122 + regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_ARPE, 0);
    1123 regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_CEN, 0);
    1124 regmap_write(priv->regmap, TIM_PSC, 0);
    1125 regmap_write(priv->regmap, TIM_ARR, 0);
    1126 @@ -679,8 +680,9 @@ static ssize_t stm32_count_set_preset(struct iio_dev *indio_dev,
    1127 if (ret)
    1128 return ret;
    1129
    1130 + /* TIMx_ARR register shouldn't be buffered (ARPE=0) */
    1131 + regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_ARPE, 0);
    1132 regmap_write(priv->regmap, TIM_ARR, preset);
    1133 - regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_ARPE, TIM_CR1_ARPE);
    1134
    1135 return len;
    1136 }
    1137 diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
    1138 index 6c44609fd83a..cd2b3c69771a 100644
    1139 --- a/drivers/isdn/i4l/isdn_ppp.c
    1140 +++ b/drivers/isdn/i4l/isdn_ppp.c
    1141 @@ -825,7 +825,6 @@ isdn_ppp_write(int min, struct file *file, const char __user *buf, int count)
    1142 isdn_net_local *lp;
    1143 struct ippp_struct *is;
    1144 int proto;
    1145 - unsigned char protobuf[4];
    1146
    1147 is = file->private_data;
    1148
    1149 @@ -839,24 +838,28 @@ isdn_ppp_write(int min, struct file *file, const char __user *buf, int count)
    1150 if (!lp)
    1151 printk(KERN_DEBUG "isdn_ppp_write: lp == NULL\n");
    1152 else {
    1153 - /*
    1154 - * Don't reset huptimer for
    1155 - * LCP packets. (Echo requests).
    1156 - */
    1157 - if (copy_from_user(protobuf, buf, 4))
    1158 - return -EFAULT;
    1159 - proto = PPP_PROTOCOL(protobuf);
    1160 - if (proto != PPP_LCP)
    1161 - lp->huptimer = 0;
    1162 + if (lp->isdn_device < 0 || lp->isdn_channel < 0) {
    1163 + unsigned char protobuf[4];
    1164 + /*
    1165 + * Don't reset huptimer for
    1166 + * LCP packets. (Echo requests).
    1167 + */
    1168 + if (copy_from_user(protobuf, buf, 4))
    1169 + return -EFAULT;
    1170 +
    1171 + proto = PPP_PROTOCOL(protobuf);
    1172 + if (proto != PPP_LCP)
    1173 + lp->huptimer = 0;
    1174
    1175 - if (lp->isdn_device < 0 || lp->isdn_channel < 0)
    1176 return 0;
    1177 + }
    1178
    1179 if ((dev->drv[lp->isdn_device]->flags & DRV_FLAG_RUNNING) &&
    1180 lp->dialstate == 0 &&
    1181 (lp->flags & ISDN_NET_CONNECTED)) {
    1182 unsigned short hl;
    1183 struct sk_buff *skb;
    1184 + unsigned char *cpy_buf;
    1185 /*
    1186 * we need to reserve enough space in front of
    1187 * sk_buff. old call to dev_alloc_skb only reserved
    1188 @@ -869,11 +872,21 @@ isdn_ppp_write(int min, struct file *file, const char __user *buf, int count)
    1189 return count;
    1190 }
    1191 skb_reserve(skb, hl);
    1192 - if (copy_from_user(skb_put(skb, count), buf, count))
    1193 + cpy_buf = skb_put(skb, count);
    1194 + if (copy_from_user(cpy_buf, buf, count))
    1195 {
    1196 kfree_skb(skb);
    1197 return -EFAULT;
    1198 }
    1199 +
    1200 + /*
    1201 + * Don't reset huptimer for
    1202 + * LCP packets. (Echo requests).
    1203 + */
    1204 + proto = PPP_PROTOCOL(cpy_buf);
    1205 + if (proto != PPP_LCP)
    1206 + lp->huptimer = 0;
    1207 +
    1208 if (is->debug & 0x40) {
    1209 printk(KERN_DEBUG "ppp xmit: len %d\n", (int) skb->len);
    1210 isdn_ppp_frame_log("xmit", skb->data, skb->len, 32, is->unit, lp->ppp_slot);
    1211 diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h
    1212 index 24eddbdf2ab4..203144762f36 100644
    1213 --- a/drivers/md/dm-core.h
    1214 +++ b/drivers/md/dm-core.h
    1215 @@ -149,5 +149,6 @@ static inline bool dm_message_test_buffer_overflow(char *result, unsigned maxlen
    1216
    1217 extern atomic_t dm_global_event_nr;
    1218 extern wait_queue_head_t dm_global_eventq;
    1219 +void dm_issue_global_event(void);
    1220
    1221 #endif
    1222 diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
    1223 index cdf6b1e12460..e3dd64a12f55 100644
    1224 --- a/drivers/md/dm-crypt.c
    1225 +++ b/drivers/md/dm-crypt.c
    1226 @@ -2470,6 +2470,7 @@ static int crypt_ctr_cipher_old(struct dm_target *ti, char *cipher_in, char *key
    1227 kfree(cipher_api);
    1228 return ret;
    1229 }
    1230 + kfree(cipher_api);
    1231
    1232 return 0;
    1233 bad_mem:
    1234 @@ -2588,6 +2589,10 @@ static int crypt_ctr_optional(struct dm_target *ti, unsigned int argc, char **ar
    1235 ti->error = "Invalid feature value for sector_size";
    1236 return -EINVAL;
    1237 }
    1238 + if (ti->len & ((cc->sector_size >> SECTOR_SHIFT) - 1)) {
    1239 + ti->error = "Device size is not multiple of sector_size feature";
    1240 + return -EINVAL;
    1241 + }
    1242 cc->sector_shift = __ffs(cc->sector_size) - SECTOR_SHIFT;
    1243 } else if (!strcasecmp(opt_string, "iv_large_sectors"))
    1244 set_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags);
    1245 diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
    1246 index e06f0ef7d2ec..e9f9884b66a8 100644
    1247 --- a/drivers/md/dm-ioctl.c
    1248 +++ b/drivers/md/dm-ioctl.c
    1249 @@ -477,9 +477,13 @@ static int remove_all(struct file *filp, struct dm_ioctl *param, size_t param_si
    1250 * Round up the ptr to an 8-byte boundary.
    1251 */
    1252 #define ALIGN_MASK 7
    1253 +static inline size_t align_val(size_t val)
    1254 +{
    1255 + return (val + ALIGN_MASK) & ~ALIGN_MASK;
    1256 +}
    1257 static inline void *align_ptr(void *ptr)
    1258 {
    1259 - return (void *) (((size_t) (ptr + ALIGN_MASK)) & ~ALIGN_MASK);
    1260 + return (void *)align_val((size_t)ptr);
    1261 }
    1262
    1263 /*
    1264 @@ -505,7 +509,7 @@ static int list_devices(struct file *filp, struct dm_ioctl *param, size_t param_
    1265 struct hash_cell *hc;
    1266 size_t len, needed = 0;
    1267 struct gendisk *disk;
    1268 - struct dm_name_list *nl, *old_nl = NULL;
    1269 + struct dm_name_list *orig_nl, *nl, *old_nl = NULL;
    1270 uint32_t *event_nr;
    1271
    1272 down_write(&_hash_lock);
    1273 @@ -516,17 +520,15 @@ static int list_devices(struct file *filp, struct dm_ioctl *param, size_t param_
    1274 */
    1275 for (i = 0; i < NUM_BUCKETS; i++) {
    1276 list_for_each_entry (hc, _name_buckets + i, name_list) {
    1277 - needed += sizeof(struct dm_name_list);
    1278 - needed += strlen(hc->name) + 1;
    1279 - needed += ALIGN_MASK;
    1280 - needed += (sizeof(uint32_t) + ALIGN_MASK) & ~ALIGN_MASK;
    1281 + needed += align_val(offsetof(struct dm_name_list, name) + strlen(hc->name) + 1);
    1282 + needed += align_val(sizeof(uint32_t));
    1283 }
    1284 }
    1285
    1286 /*
    1287 * Grab our output buffer.
    1288 */
    1289 - nl = get_result_buffer(param, param_size, &len);
    1290 + nl = orig_nl = get_result_buffer(param, param_size, &len);
    1291 if (len < needed) {
    1292 param->flags |= DM_BUFFER_FULL_FLAG;
    1293 goto out;
    1294 @@ -549,11 +551,16 @@ static int list_devices(struct file *filp, struct dm_ioctl *param, size_t param_
    1295 strcpy(nl->name, hc->name);
    1296
    1297 old_nl = nl;
    1298 - event_nr = align_ptr(((void *) (nl + 1)) + strlen(hc->name) + 1);
    1299 + event_nr = align_ptr(nl->name + strlen(hc->name) + 1);
    1300 *event_nr = dm_get_event_nr(hc->md);
    1301 nl = align_ptr(event_nr + 1);
    1302 }
    1303 }
    1304 + /*
    1305 + * If mismatch happens, security may be compromised due to buffer
    1306 + * overflow, so it's better to crash.
    1307 + */
    1308 + BUG_ON((char *)nl - (char *)orig_nl != needed);
    1309
    1310 out:
    1311 up_write(&_hash_lock);
    1312 @@ -1621,7 +1628,8 @@ static int target_message(struct file *filp, struct dm_ioctl *param, size_t para
    1313 * which has a variable size, is not used by the function processing
    1314 * the ioctl.
    1315 */
    1316 -#define IOCTL_FLAGS_NO_PARAMS 1
    1317 +#define IOCTL_FLAGS_NO_PARAMS 1
    1318 +#define IOCTL_FLAGS_ISSUE_GLOBAL_EVENT 2
    1319
    1320 /*-----------------------------------------------------------------
    1321 * Implementation of open/close/ioctl on the special char
    1322 @@ -1635,12 +1643,12 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags)
    1323 ioctl_fn fn;
    1324 } _ioctls[] = {
    1325 {DM_VERSION_CMD, 0, NULL}, /* version is dealt with elsewhere */
    1326 - {DM_REMOVE_ALL_CMD, IOCTL_FLAGS_NO_PARAMS, remove_all},
    1327 + {DM_REMOVE_ALL_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, remove_all},
    1328 {DM_LIST_DEVICES_CMD, 0, list_devices},
    1329
    1330 - {DM_DEV_CREATE_CMD, IOCTL_FLAGS_NO_PARAMS, dev_create},
    1331 - {DM_DEV_REMOVE_CMD, IOCTL_FLAGS_NO_PARAMS, dev_remove},
    1332 - {DM_DEV_RENAME_CMD, 0, dev_rename},
    1333 + {DM_DEV_CREATE_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, dev_create},
    1334 + {DM_DEV_REMOVE_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, dev_remove},
    1335 + {DM_DEV_RENAME_CMD, IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, dev_rename},
    1336 {DM_DEV_SUSPEND_CMD, IOCTL_FLAGS_NO_PARAMS, dev_suspend},
    1337 {DM_DEV_STATUS_CMD, IOCTL_FLAGS_NO_PARAMS, dev_status},
    1338 {DM_DEV_WAIT_CMD, 0, dev_wait},
    1339 @@ -1869,6 +1877,9 @@ static int ctl_ioctl(struct file *file, uint command, struct dm_ioctl __user *us
    1340 unlikely(ioctl_flags & IOCTL_FLAGS_NO_PARAMS))
    1341 DMERR("ioctl %d tried to output some data but has IOCTL_FLAGS_NO_PARAMS set", cmd);
    1342
    1343 + if (!r && ioctl_flags & IOCTL_FLAGS_ISSUE_GLOBAL_EVENT)
    1344 + dm_issue_global_event();
    1345 +
    1346 /*
    1347 * Copy the results back to userland.
    1348 */
    1349 diff --git a/drivers/md/dm.c b/drivers/md/dm.c
    1350 index 825eaffc24da..eed539a4eec2 100644
    1351 --- a/drivers/md/dm.c
    1352 +++ b/drivers/md/dm.c
    1353 @@ -52,6 +52,12 @@ static struct workqueue_struct *deferred_remove_workqueue;
    1354 atomic_t dm_global_event_nr = ATOMIC_INIT(0);
    1355 DECLARE_WAIT_QUEUE_HEAD(dm_global_eventq);
    1356
    1357 +void dm_issue_global_event(void)
    1358 +{
    1359 + atomic_inc(&dm_global_event_nr);
    1360 + wake_up(&dm_global_eventq);
    1361 +}
    1362 +
    1363 /*
    1364 * One of these is allocated per bio.
    1365 */
    1366 @@ -1865,9 +1871,8 @@ static void event_callback(void *context)
    1367 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
    1368
    1369 atomic_inc(&md->event_nr);
    1370 - atomic_inc(&dm_global_event_nr);
    1371 wake_up(&md->eventq);
    1372 - wake_up(&dm_global_eventq);
    1373 + dm_issue_global_event();
    1374 }
    1375
    1376 /*
    1377 @@ -2283,6 +2288,7 @@ struct dm_table *dm_swap_table(struct mapped_device *md, struct dm_table *table)
    1378 }
    1379
    1380 map = __bind(md, table, &limits);
    1381 + dm_issue_global_event();
    1382
    1383 out:
    1384 mutex_unlock(&md->suspend_lock);
    1385 diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c
    1386 index 2bae69e39544..b64be0ba1222 100644
    1387 --- a/drivers/mmc/core/mmc.c
    1388 +++ b/drivers/mmc/core/mmc.c
    1389 @@ -1286,6 +1286,23 @@ int mmc_hs400_to_hs200(struct mmc_card *card)
    1390 return err;
    1391 }
    1392
    1393 +static void mmc_select_driver_type(struct mmc_card *card)
    1394 +{
    1395 + int card_drv_type, drive_strength, drv_type;
    1396 +
    1397 + card_drv_type = card->ext_csd.raw_driver_strength |
    1398 + mmc_driver_type_mask(0);
    1399 +
    1400 + drive_strength = mmc_select_drive_strength(card,
    1401 + card->ext_csd.hs200_max_dtr,
    1402 + card_drv_type, &drv_type);
    1403 +
    1404 + card->drive_strength = drive_strength;
    1405 +
    1406 + if (drv_type)
    1407 + mmc_set_driver_type(card->host, drv_type);
    1408 +}
    1409 +
    1410 static int mmc_select_hs400es(struct mmc_card *card)
    1411 {
    1412 struct mmc_host *host = card->host;
    1413 @@ -1341,6 +1358,8 @@ static int mmc_select_hs400es(struct mmc_card *card)
    1414 goto out_err;
    1415 }
    1416
    1417 + mmc_select_driver_type(card);
    1418 +
    1419 /* Switch card to HS400 */
    1420 val = EXT_CSD_TIMING_HS400 |
    1421 card->drive_strength << EXT_CSD_DRV_STR_SHIFT;
    1422 @@ -1374,23 +1393,6 @@ static int mmc_select_hs400es(struct mmc_card *card)
    1423 return err;
    1424 }
    1425
    1426 -static void mmc_select_driver_type(struct mmc_card *card)
    1427 -{
    1428 - int card_drv_type, drive_strength, drv_type;
    1429 -
    1430 - card_drv_type = card->ext_csd.raw_driver_strength |
    1431 - mmc_driver_type_mask(0);
    1432 -
    1433 - drive_strength = mmc_select_drive_strength(card,
    1434 - card->ext_csd.hs200_max_dtr,
    1435 - card_drv_type, &drv_type);
    1436 -
    1437 - card->drive_strength = drive_strength;
    1438 -
    1439 - if (drv_type)
    1440 - mmc_set_driver_type(card->host, drv_type);
    1441 -}
    1442 -
    1443 /*
    1444 * For device supporting HS200 mode, the following sequence
    1445 * should be done before executing the tuning process.
    1446 diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
    1447 index fc63992ab0e0..c99dc59d729b 100644
    1448 --- a/drivers/net/bonding/bond_main.c
    1449 +++ b/drivers/net/bonding/bond_main.c
    1450 @@ -4289,7 +4289,7 @@ static int bond_check_params(struct bond_params *params)
    1451 int bond_mode = BOND_MODE_ROUNDROBIN;
    1452 int xmit_hashtype = BOND_XMIT_POLICY_LAYER2;
    1453 int lacp_fast = 0;
    1454 - int tlb_dynamic_lb = 0;
    1455 + int tlb_dynamic_lb;
    1456
    1457 /* Convert string parameters. */
    1458 if (mode) {
    1459 @@ -4601,16 +4601,13 @@ static int bond_check_params(struct bond_params *params)
    1460 }
    1461 ad_user_port_key = valptr->value;
    1462
    1463 - if ((bond_mode == BOND_MODE_TLB) || (bond_mode == BOND_MODE_ALB)) {
    1464 - bond_opt_initstr(&newval, "default");
    1465 - valptr = bond_opt_parse(bond_opt_get(BOND_OPT_TLB_DYNAMIC_LB),
    1466 - &newval);
    1467 - if (!valptr) {
    1468 - pr_err("Error: No tlb_dynamic_lb default value");
    1469 - return -EINVAL;
    1470 - }
    1471 - tlb_dynamic_lb = valptr->value;
    1472 + bond_opt_initstr(&newval, "default");
    1473 + valptr = bond_opt_parse(bond_opt_get(BOND_OPT_TLB_DYNAMIC_LB), &newval);
    1474 + if (!valptr) {
    1475 + pr_err("Error: No tlb_dynamic_lb default value");
    1476 + return -EINVAL;
    1477 }
    1478 + tlb_dynamic_lb = valptr->value;
    1479
    1480 if (lp_interval == 0) {
    1481 pr_warn("Warning: ip_interval must be between 1 and %d, so it was reset to %d\n",
    1482 diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
    1483 index a12d603d41c6..5931aa2fe997 100644
    1484 --- a/drivers/net/bonding/bond_options.c
    1485 +++ b/drivers/net/bonding/bond_options.c
    1486 @@ -754,6 +754,9 @@ static int bond_option_mode_set(struct bonding *bond,
    1487 bond->params.miimon);
    1488 }
    1489
    1490 + if (newval->value == BOND_MODE_ALB)
    1491 + bond->params.tlb_dynamic_lb = 1;
    1492 +
    1493 /* don't cache arp_validate between modes */
    1494 bond->params.arp_validate = BOND_ARP_VALIDATE_NONE;
    1495 bond->params.mode = newval->value;
    1496 diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
    1497 index 5bcdd33101b0..c75271c722a7 100644
    1498 --- a/drivers/net/dsa/mv88e6xxx/chip.c
    1499 +++ b/drivers/net/dsa/mv88e6xxx/chip.c
    1500 @@ -1184,6 +1184,10 @@ static int mv88e6xxx_port_check_hw_vlan(struct dsa_switch *ds, int port,
    1501 };
    1502 int i, err;
    1503
    1504 + /* DSA and CPU ports have to be members of multiple vlans */
    1505 + if (dsa_is_dsa_port(ds, port) || dsa_is_cpu_port(ds, port))
    1506 + return 0;
    1507 +
    1508 if (!vid_begin)
    1509 return -EOPNOTSUPP;
    1510
    1511 @@ -4015,7 +4019,9 @@ static void mv88e6xxx_remove(struct mdio_device *mdiodev)
    1512 if (chip->irq > 0) {
    1513 if (mv88e6xxx_has(chip, MV88E6XXX_FLAG_G2_INT))
    1514 mv88e6xxx_g2_irq_free(chip);
    1515 + mutex_lock(&chip->reg_lock);
    1516 mv88e6xxx_g1_irq_free(chip);
    1517 + mutex_unlock(&chip->reg_lock);
    1518 }
    1519 }
    1520
    1521 diff --git a/drivers/net/ethernet/ibm/emac/mal.c b/drivers/net/ethernet/ibm/emac/mal.c
    1522 index 91b1a558f37d..248888328232 100644
    1523 --- a/drivers/net/ethernet/ibm/emac/mal.c
    1524 +++ b/drivers/net/ethernet/ibm/emac/mal.c
    1525 @@ -402,7 +402,7 @@ static int mal_poll(struct napi_struct *napi, int budget)
    1526 unsigned long flags;
    1527
    1528 MAL_DBG2(mal, "poll(%d)" NL, budget);
    1529 - again:
    1530 +
    1531 /* Process TX skbs */
    1532 list_for_each(l, &mal->poll_list) {
    1533 struct mal_commac *mc =
    1534 @@ -451,7 +451,6 @@ static int mal_poll(struct napi_struct *napi, int budget)
    1535 spin_lock_irqsave(&mal->lock, flags);
    1536 mal_disable_eob_irq(mal);
    1537 spin_unlock_irqrestore(&mal->lock, flags);
    1538 - goto again;
    1539 }
    1540 mc->ops->poll_tx(mc->dev);
    1541 }
    1542 diff --git a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
    1543 index 85298051a3e4..145e392ab849 100644
    1544 --- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
    1545 +++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
    1546 @@ -572,12 +572,13 @@ void mlx5_rdma_netdev_free(struct net_device *netdev)
    1547 {
    1548 struct mlx5e_priv *priv = mlx5i_epriv(netdev);
    1549 const struct mlx5e_profile *profile = priv->profile;
    1550 + struct mlx5_core_dev *mdev = priv->mdev;
    1551
    1552 mlx5e_detach_netdev(priv);
    1553 profile->cleanup(priv);
    1554 destroy_workqueue(priv->wq);
    1555 free_netdev(netdev);
    1556
    1557 - mlx5e_destroy_mdev_resources(priv->mdev);
    1558 + mlx5e_destroy_mdev_resources(mdev);
    1559 }
    1560 EXPORT_SYMBOL(mlx5_rdma_netdev_free);
    1561 diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
    1562 index c6a3e61b53bd..73390f90b581 100644
    1563 --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
    1564 +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
    1565 @@ -572,15 +572,14 @@ static void mlxsw_sp_span_entry_destroy(struct mlxsw_sp *mlxsw_sp,
    1566 }
    1567
    1568 static struct mlxsw_sp_span_entry *
    1569 -mlxsw_sp_span_entry_find(struct mlxsw_sp_port *port)
    1570 +mlxsw_sp_span_entry_find(struct mlxsw_sp *mlxsw_sp, u8 local_port)
    1571 {
    1572 - struct mlxsw_sp *mlxsw_sp = port->mlxsw_sp;
    1573 int i;
    1574
    1575 for (i = 0; i < mlxsw_sp->span.entries_count; i++) {
    1576 struct mlxsw_sp_span_entry *curr = &mlxsw_sp->span.entries[i];
    1577
    1578 - if (curr->used && curr->local_port == port->local_port)
    1579 + if (curr->used && curr->local_port == local_port)
    1580 return curr;
    1581 }
    1582 return NULL;
    1583 @@ -591,7 +590,8 @@ static struct mlxsw_sp_span_entry
    1584 {
    1585 struct mlxsw_sp_span_entry *span_entry;
    1586
    1587 - span_entry = mlxsw_sp_span_entry_find(port);
    1588 + span_entry = mlxsw_sp_span_entry_find(port->mlxsw_sp,
    1589 + port->local_port);
    1590 if (span_entry) {
    1591 /* Already exists, just take a reference */
    1592 span_entry->ref_count++;
    1593 @@ -780,12 +780,13 @@ static int mlxsw_sp_span_mirror_add(struct mlxsw_sp_port *from,
    1594 }
    1595
    1596 static void mlxsw_sp_span_mirror_remove(struct mlxsw_sp_port *from,
    1597 - struct mlxsw_sp_port *to,
    1598 + u8 destination_port,
    1599 enum mlxsw_sp_span_type type)
    1600 {
    1601 struct mlxsw_sp_span_entry *span_entry;
    1602
    1603 - span_entry = mlxsw_sp_span_entry_find(to);
    1604 + span_entry = mlxsw_sp_span_entry_find(from->mlxsw_sp,
    1605 + destination_port);
    1606 if (!span_entry) {
    1607 netdev_err(from->dev, "no span entry found\n");
    1608 return;
    1609 @@ -1560,14 +1561,12 @@ static void
    1610 mlxsw_sp_port_del_cls_matchall_mirror(struct mlxsw_sp_port *mlxsw_sp_port,
    1611 struct mlxsw_sp_port_mall_mirror_tc_entry *mirror)
    1612 {
    1613 - struct mlxsw_sp *mlxsw_sp = mlxsw_sp_port->mlxsw_sp;
    1614 enum mlxsw_sp_span_type span_type;
    1615 - struct mlxsw_sp_port *to_port;
    1616
    1617 - to_port = mlxsw_sp->ports[mirror->to_local_port];
    1618 span_type = mirror->ingress ?
    1619 MLXSW_SP_SPAN_INGRESS : MLXSW_SP_SPAN_EGRESS;
    1620 - mlxsw_sp_span_mirror_remove(mlxsw_sp_port, to_port, span_type);
    1621 + mlxsw_sp_span_mirror_remove(mlxsw_sp_port, mirror->to_local_port,
    1622 + span_type);
    1623 }
    1624
    1625 static int
    1626 @@ -2519,7 +2518,9 @@ static int mlxsw_sp_flash_device(struct net_device *dev,
    1627 return err;
    1628 }
    1629
    1630 -#define MLXSW_SP_QSFP_I2C_ADDR 0x50
    1631 +#define MLXSW_SP_I2C_ADDR_LOW 0x50
    1632 +#define MLXSW_SP_I2C_ADDR_HIGH 0x51
    1633 +#define MLXSW_SP_EEPROM_PAGE_LENGTH 256
    1634
    1635 static int mlxsw_sp_query_module_eeprom(struct mlxsw_sp_port *mlxsw_sp_port,
    1636 u16 offset, u16 size, void *data,
    1637 @@ -2528,12 +2529,25 @@ static int mlxsw_sp_query_module_eeprom(struct mlxsw_sp_port *mlxsw_sp_port,
    1638 struct mlxsw_sp *mlxsw_sp = mlxsw_sp_port->mlxsw_sp;
    1639 char eeprom_tmp[MLXSW_SP_REG_MCIA_EEPROM_SIZE];
    1640 char mcia_pl[MLXSW_REG_MCIA_LEN];
    1641 + u16 i2c_addr;
    1642 int status;
    1643 int err;
    1644
    1645 size = min_t(u16, size, MLXSW_SP_REG_MCIA_EEPROM_SIZE);
    1646 +
    1647 + if (offset < MLXSW_SP_EEPROM_PAGE_LENGTH &&
    1648 + offset + size > MLXSW_SP_EEPROM_PAGE_LENGTH)
    1649 + /* Cross pages read, read until offset 256 in low page */
    1650 + size = MLXSW_SP_EEPROM_PAGE_LENGTH - offset;
    1651 +
    1652 + i2c_addr = MLXSW_SP_I2C_ADDR_LOW;
    1653 + if (offset >= MLXSW_SP_EEPROM_PAGE_LENGTH) {
    1654 + i2c_addr = MLXSW_SP_I2C_ADDR_HIGH;
    1655 + offset -= MLXSW_SP_EEPROM_PAGE_LENGTH;
    1656 + }
    1657 +
    1658 mlxsw_reg_mcia_pack(mcia_pl, mlxsw_sp_port->mapping.module,
    1659 - 0, 0, offset, size, MLXSW_SP_QSFP_I2C_ADDR);
    1660 + 0, 0, offset, size, i2c_addr);
    1661
    1662 err = mlxsw_reg_query(mlxsw_sp->core, MLXSW_REG(mcia), mcia_pl);
    1663 if (err)
    1664 diff --git a/drivers/net/ethernet/qualcomm/emac/emac-mac.c b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
    1665 index bcd4708b3745..97f18cdc9516 100644
    1666 --- a/drivers/net/ethernet/qualcomm/emac/emac-mac.c
    1667 +++ b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
    1668 @@ -876,7 +876,8 @@ static void emac_mac_rx_descs_refill(struct emac_adapter *adpt,
    1669
    1670 curr_rxbuf->dma_addr =
    1671 dma_map_single(adpt->netdev->dev.parent, skb->data,
    1672 - curr_rxbuf->length, DMA_FROM_DEVICE);
    1673 + adpt->rxbuf_size, DMA_FROM_DEVICE);
    1674 +
    1675 ret = dma_mapping_error(adpt->netdev->dev.parent,
    1676 curr_rxbuf->dma_addr);
    1677 if (ret) {
    1678 diff --git a/drivers/net/ethernet/realtek/8139too.c b/drivers/net/ethernet/realtek/8139too.c
    1679 index ca22f2898664..d24b47b8e0b2 100644
    1680 --- a/drivers/net/ethernet/realtek/8139too.c
    1681 +++ b/drivers/net/ethernet/realtek/8139too.c
    1682 @@ -2135,11 +2135,12 @@ static int rtl8139_poll(struct napi_struct *napi, int budget)
    1683 if (likely(RTL_R16(IntrStatus) & RxAckBits))
    1684 work_done += rtl8139_rx(dev, tp, budget);
    1685
    1686 - if (work_done < budget && napi_complete_done(napi, work_done)) {
    1687 + if (work_done < budget) {
    1688 unsigned long flags;
    1689
    1690 spin_lock_irqsave(&tp->lock, flags);
    1691 - RTL_W16_F(IntrMask, rtl8139_intr_mask);
    1692 + if (napi_complete_done(napi, work_done))
    1693 + RTL_W16_F(IntrMask, rtl8139_intr_mask);
    1694 spin_unlock_irqrestore(&tp->lock, flags);
    1695 }
    1696 spin_unlock(&tp->rx_lock);
    1697 diff --git a/drivers/net/ethernet/rocker/rocker_tlv.h b/drivers/net/ethernet/rocker/rocker_tlv.h
    1698 index a63ef82e7c72..dfae3c9d57c6 100644
    1699 --- a/drivers/net/ethernet/rocker/rocker_tlv.h
    1700 +++ b/drivers/net/ethernet/rocker/rocker_tlv.h
    1701 @@ -139,40 +139,52 @@ rocker_tlv_start(struct rocker_desc_info *desc_info)
    1702 int rocker_tlv_put(struct rocker_desc_info *desc_info,
    1703 int attrtype, int attrlen, const void *data);
    1704
    1705 -static inline int rocker_tlv_put_u8(struct rocker_desc_info *desc_info,
    1706 - int attrtype, u8 value)
    1707 +static inline int
    1708 +rocker_tlv_put_u8(struct rocker_desc_info *desc_info, int attrtype, u8 value)
    1709 {
    1710 - return rocker_tlv_put(desc_info, attrtype, sizeof(u8), &value);
    1711 + u8 tmp = value; /* work around GCC PR81715 */
    1712 +
    1713 + return rocker_tlv_put(desc_info, attrtype, sizeof(u8), &tmp);
    1714 }
    1715
    1716 -static inline int rocker_tlv_put_u16(struct rocker_desc_info *desc_info,
    1717 - int attrtype, u16 value)
    1718 +static inline int
    1719 +rocker_tlv_put_u16(struct rocker_desc_info *desc_info, int attrtype, u16 value)
    1720 {
    1721 - return rocker_tlv_put(desc_info, attrtype, sizeof(u16), &value);
    1722 + u16 tmp = value;
    1723 +
    1724 + return rocker_tlv_put(desc_info, attrtype, sizeof(u16), &tmp);
    1725 }
    1726
    1727 -static inline int rocker_tlv_put_be16(struct rocker_desc_info *desc_info,
    1728 - int attrtype, __be16 value)
    1729 +static inline int
    1730 +rocker_tlv_put_be16(struct rocker_desc_info *desc_info, int attrtype, __be16 value)
    1731 {
    1732 - return rocker_tlv_put(desc_info, attrtype, sizeof(__be16), &value);
    1733 + __be16 tmp = value;
    1734 +
    1735 + return rocker_tlv_put(desc_info, attrtype, sizeof(__be16), &tmp);
    1736 }
    1737
    1738 -static inline int rocker_tlv_put_u32(struct rocker_desc_info *desc_info,
    1739 - int attrtype, u32 value)
    1740 +static inline int
    1741 +rocker_tlv_put_u32(struct rocker_desc_info *desc_info, int attrtype, u32 value)
    1742 {
    1743 - return rocker_tlv_put(desc_info, attrtype, sizeof(u32), &value);
    1744 + u32 tmp = value;
    1745 +
    1746 + return rocker_tlv_put(desc_info, attrtype, sizeof(u32), &tmp);
    1747 }
    1748
    1749 -static inline int rocker_tlv_put_be32(struct rocker_desc_info *desc_info,
    1750 - int attrtype, __be32 value)
    1751 +static inline int
    1752 +rocker_tlv_put_be32(struct rocker_desc_info *desc_info, int attrtype, __be32 value)
    1753 {
    1754 - return rocker_tlv_put(desc_info, attrtype, sizeof(__be32), &value);
    1755 + __be32 tmp = value;
    1756 +
    1757 + return rocker_tlv_put(desc_info, attrtype, sizeof(__be32), &tmp);
    1758 }
    1759
    1760 -static inline int rocker_tlv_put_u64(struct rocker_desc_info *desc_info,
    1761 - int attrtype, u64 value)
    1762 +static inline int
    1763 +rocker_tlv_put_u64(struct rocker_desc_info *desc_info, int attrtype, u64 value)
    1764 {
    1765 - return rocker_tlv_put(desc_info, attrtype, sizeof(u64), &value);
    1766 + u64 tmp = value;
    1767 +
    1768 + return rocker_tlv_put(desc_info, attrtype, sizeof(u64), &tmp);
    1769 }
    1770
    1771 static inline struct rocker_tlv *
    1772 diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
    1773 index a366b3747eeb..8a280b48e3a9 100644
    1774 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
    1775 +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
    1776 @@ -315,6 +315,7 @@ static int stmmac_dt_phy(struct plat_stmmacenet_data *plat,
    1777 { .compatible = "allwinner,sun8i-h3-emac" },
    1778 { .compatible = "allwinner,sun8i-v3s-emac" },
    1779 { .compatible = "allwinner,sun50i-a64-emac" },
    1780 + {},
    1781 };
    1782
    1783 /* If phy-handle property is passed from DT, use it as the PHY */
    1784 diff --git a/drivers/net/phy/xilinx_gmii2rgmii.c b/drivers/net/phy/xilinx_gmii2rgmii.c
    1785 index d15dd3938ba8..2e5150b0b8d5 100644
    1786 --- a/drivers/net/phy/xilinx_gmii2rgmii.c
    1787 +++ b/drivers/net/phy/xilinx_gmii2rgmii.c
    1788 @@ -44,7 +44,7 @@ static int xgmiitorgmii_read_status(struct phy_device *phydev)
    1789 priv->phy_drv->read_status(phydev);
    1790
    1791 val = mdiobus_read(phydev->mdio.bus, priv->addr, XILINX_GMII2RGMII_REG);
    1792 - val &= XILINX_GMII2RGMII_SPEED_MASK;
    1793 + val &= ~XILINX_GMII2RGMII_SPEED_MASK;
    1794
    1795 if (phydev->speed == SPEED_1000)
    1796 val |= BMCR_SPEED1000;
    1797 diff --git a/drivers/net/tun.c b/drivers/net/tun.c
    1798 index 0a2c0a42283f..cb1f7747adad 100644
    1799 --- a/drivers/net/tun.c
    1800 +++ b/drivers/net/tun.c
    1801 @@ -1298,11 +1298,13 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
    1802 switch (tun->flags & TUN_TYPE_MASK) {
    1803 case IFF_TUN:
    1804 if (tun->flags & IFF_NO_PI) {
    1805 - switch (skb->data[0] & 0xf0) {
    1806 - case 0x40:
    1807 + u8 ip_version = skb->len ? (skb->data[0] >> 4) : 0;
    1808 +
    1809 + switch (ip_version) {
    1810 + case 4:
    1811 pi.proto = htons(ETH_P_IP);
    1812 break;
    1813 - case 0x60:
    1814 + case 6:
    1815 pi.proto = htons(ETH_P_IPV6);
    1816 break;
    1817 default:
    1818 diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
    1819 index 7e689c86d565..f27d6fe4d5c0 100644
    1820 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
    1821 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
    1822 @@ -980,7 +980,7 @@ static void brcmf_escan_prep(struct brcmf_cfg80211_info *cfg,
    1823
    1824 eth_broadcast_addr(params_le->bssid);
    1825 params_le->bss_type = DOT11_BSSTYPE_ANY;
    1826 - params_le->scan_type = 0;
    1827 + params_le->scan_type = BRCMF_SCANTYPE_ACTIVE;
    1828 params_le->channel_num = 0;
    1829 params_le->nprobes = cpu_to_le32(-1);
    1830 params_le->active_time = cpu_to_le32(-1);
    1831 @@ -988,12 +988,9 @@ static void brcmf_escan_prep(struct brcmf_cfg80211_info *cfg,
    1832 params_le->home_time = cpu_to_le32(-1);
    1833 memset(&params_le->ssid_le, 0, sizeof(params_le->ssid_le));
    1834
    1835 - /* if request is null exit so it will be all channel broadcast scan */
    1836 - if (!request)
    1837 - return;
    1838 -
    1839 n_ssids = request->n_ssids;
    1840 n_channels = request->n_channels;
    1841 +
    1842 /* Copy channel array if applicable */
    1843 brcmf_dbg(SCAN, "### List of channelspecs to scan ### %d\n",
    1844 n_channels);
    1845 @@ -1030,16 +1027,8 @@ static void brcmf_escan_prep(struct brcmf_cfg80211_info *cfg,
    1846 ptr += sizeof(ssid_le);
    1847 }
    1848 } else {
    1849 - brcmf_dbg(SCAN, "Broadcast scan %p\n", request->ssids);
    1850 - if ((request->ssids) && request->ssids->ssid_len) {
    1851 - brcmf_dbg(SCAN, "SSID %s len=%d\n",
    1852 - params_le->ssid_le.SSID,
    1853 - request->ssids->ssid_len);
    1854 - params_le->ssid_le.SSID_len =
    1855 - cpu_to_le32(request->ssids->ssid_len);
    1856 - memcpy(&params_le->ssid_le.SSID, request->ssids->ssid,
    1857 - request->ssids->ssid_len);
    1858 - }
    1859 + brcmf_dbg(SCAN, "Performing passive scan\n");
    1860 + params_le->scan_type = BRCMF_SCANTYPE_PASSIVE;
    1861 }
    1862 /* Adding mask to channel numbers */
    1863 params_le->channel_num =
    1864 @@ -3162,6 +3151,7 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
    1865 struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
    1866 s32 status;
    1867 struct brcmf_escan_result_le *escan_result_le;
    1868 + u32 escan_buflen;
    1869 struct brcmf_bss_info_le *bss_info_le;
    1870 struct brcmf_bss_info_le *bss = NULL;
    1871 u32 bi_length;
    1872 @@ -3181,11 +3171,23 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
    1873
    1874 if (status == BRCMF_E_STATUS_PARTIAL) {
    1875 brcmf_dbg(SCAN, "ESCAN Partial result\n");
    1876 + if (e->datalen < sizeof(*escan_result_le)) {
    1877 + brcmf_err("invalid event data length\n");
    1878 + goto exit;
    1879 + }
    1880 escan_result_le = (struct brcmf_escan_result_le *) data;
    1881 if (!escan_result_le) {
    1882 brcmf_err("Invalid escan result (NULL pointer)\n");
    1883 goto exit;
    1884 }
    1885 + escan_buflen = le32_to_cpu(escan_result_le->buflen);
    1886 + if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
    1887 + escan_buflen > e->datalen ||
    1888 + escan_buflen < sizeof(*escan_result_le)) {
    1889 + brcmf_err("Invalid escan buffer length: %d\n",
    1890 + escan_buflen);
    1891 + goto exit;
    1892 + }
    1893 if (le16_to_cpu(escan_result_le->bss_count) != 1) {
    1894 brcmf_err("Invalid bss_count %d: ignoring\n",
    1895 escan_result_le->bss_count);
    1896 @@ -3202,9 +3204,8 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
    1897 }
    1898
    1899 bi_length = le32_to_cpu(bss_info_le->length);
    1900 - if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
    1901 - WL_ESCAN_RESULTS_FIXED_SIZE)) {
    1902 - brcmf_err("Invalid bss_info length %d: ignoring\n",
    1903 + if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
    1904 + brcmf_err("Ignoring invalid bss_info length: %d\n",
    1905 bi_length);
    1906 goto exit;
    1907 }
    1908 diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
    1909 index 8391989b1882..e0d22fedb2b4 100644
    1910 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
    1911 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
    1912 @@ -45,6 +45,11 @@
    1913 #define BRCMF_SCAN_PARAMS_COUNT_MASK 0x0000ffff
    1914 #define BRCMF_SCAN_PARAMS_NSSID_SHIFT 16
    1915
    1916 +/* scan type definitions */
    1917 +#define BRCMF_SCANTYPE_DEFAULT 0xFF
    1918 +#define BRCMF_SCANTYPE_ACTIVE 0
    1919 +#define BRCMF_SCANTYPE_PASSIVE 1
    1920 +
    1921 #define BRCMF_WSEC_MAX_PSK_LEN 32
    1922 #define BRCMF_WSEC_PASSPHRASE BIT(0)
    1923
    1924 diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
    1925 index ce901be5fba8..f0132c492a79 100644
    1926 --- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
    1927 +++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
    1928 @@ -1589,6 +1589,11 @@ static void iwl_mvm_mc_iface_iterator(void *_data, u8 *mac,
    1929 struct iwl_mvm_mc_iter_data *data = _data;
    1930 struct iwl_mvm *mvm = data->mvm;
    1931 struct iwl_mcast_filter_cmd *cmd = mvm->mcast_filter_cmd;
    1932 + struct iwl_host_cmd hcmd = {
    1933 + .id = MCAST_FILTER_CMD,
    1934 + .flags = CMD_ASYNC,
    1935 + .dataflags[0] = IWL_HCMD_DFL_NOCOPY,
    1936 + };
    1937 int ret, len;
    1938
    1939 /* if we don't have free ports, mcast frames will be dropped */
    1940 @@ -1603,7 +1608,10 @@ static void iwl_mvm_mc_iface_iterator(void *_data, u8 *mac,
    1941 memcpy(cmd->bssid, vif->bss_conf.bssid, ETH_ALEN);
    1942 len = roundup(sizeof(*cmd) + cmd->count * ETH_ALEN, 4);
    1943
    1944 - ret = iwl_mvm_send_cmd_pdu(mvm, MCAST_FILTER_CMD, CMD_ASYNC, len, cmd);
    1945 + hcmd.len[0] = len;
    1946 + hcmd.data[0] = cmd;
    1947 +
    1948 + ret = iwl_mvm_send_cmd(mvm, &hcmd);
    1949 if (ret)
    1950 IWL_ERR(mvm, "mcast filter cmd error. ret=%d\n", ret);
    1951 }
    1952 diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
    1953 index cdf4c0e471b9..ba41b660b259 100644
    1954 --- a/drivers/nvme/host/pci.c
    1955 +++ b/drivers/nvme/host/pci.c
    1956 @@ -93,7 +93,7 @@ struct nvme_dev {
    1957 struct mutex shutdown_lock;
    1958 bool subsystem;
    1959 void __iomem *cmb;
    1960 - dma_addr_t cmb_dma_addr;
    1961 + pci_bus_addr_t cmb_bus_addr;
    1962 u64 cmb_size;
    1963 u32 cmbsz;
    1964 u32 cmbloc;
    1965 @@ -1218,7 +1218,7 @@ static int nvme_alloc_sq_cmds(struct nvme_dev *dev, struct nvme_queue *nvmeq,
    1966 if (qid && dev->cmb && use_cmb_sqes && NVME_CMB_SQS(dev->cmbsz)) {
    1967 unsigned offset = (qid - 1) * roundup(SQ_SIZE(depth),
    1968 dev->ctrl.page_size);
    1969 - nvmeq->sq_dma_addr = dev->cmb_dma_addr + offset;
    1970 + nvmeq->sq_dma_addr = dev->cmb_bus_addr + offset;
    1971 nvmeq->sq_cmds_io = dev->cmb + offset;
    1972 } else {
    1973 nvmeq->sq_cmds = dma_alloc_coherent(dev->dev, SQ_SIZE(depth),
    1974 @@ -1517,7 +1517,7 @@ static void __iomem *nvme_map_cmb(struct nvme_dev *dev)
    1975 resource_size_t bar_size;
    1976 struct pci_dev *pdev = to_pci_dev(dev->dev);
    1977 void __iomem *cmb;
    1978 - dma_addr_t dma_addr;
    1979 + int bar;
    1980
    1981 dev->cmbsz = readl(dev->bar + NVME_REG_CMBSZ);
    1982 if (!(NVME_CMB_SZ(dev->cmbsz)))
    1983 @@ -1530,7 +1530,8 @@ static void __iomem *nvme_map_cmb(struct nvme_dev *dev)
    1984 szu = (u64)1 << (12 + 4 * NVME_CMB_SZU(dev->cmbsz));
    1985 size = szu * NVME_CMB_SZ(dev->cmbsz);
    1986 offset = szu * NVME_CMB_OFST(dev->cmbloc);
    1987 - bar_size = pci_resource_len(pdev, NVME_CMB_BIR(dev->cmbloc));
    1988 + bar = NVME_CMB_BIR(dev->cmbloc);
    1989 + bar_size = pci_resource_len(pdev, bar);
    1990
    1991 if (offset > bar_size)
    1992 return NULL;
    1993 @@ -1543,12 +1544,11 @@ static void __iomem *nvme_map_cmb(struct nvme_dev *dev)
    1994 if (size > bar_size - offset)
    1995 size = bar_size - offset;
    1996
    1997 - dma_addr = pci_resource_start(pdev, NVME_CMB_BIR(dev->cmbloc)) + offset;
    1998 - cmb = ioremap_wc(dma_addr, size);
    1999 + cmb = ioremap_wc(pci_resource_start(pdev, bar) + offset, size);
    2000 if (!cmb)
    2001 return NULL;
    2002
    2003 - dev->cmb_dma_addr = dma_addr;
    2004 + dev->cmb_bus_addr = pci_bus_address(pdev, bar) + offset;
    2005 dev->cmb_size = size;
    2006 return cmb;
    2007 }
    2008 diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
    2009 index fd88dabd599d..9f1d53e18956 100644
    2010 --- a/drivers/scsi/scsi_scan.c
    2011 +++ b/drivers/scsi/scsi_scan.c
    2012 @@ -956,6 +956,9 @@ static int scsi_add_lun(struct scsi_device *sdev, unsigned char *inq_result,
    2013 if (*bflags & BLIST_NO_DIF)
    2014 sdev->no_dif = 1;
    2015
    2016 + if (*bflags & BLIST_UNMAP_LIMIT_WS)
    2017 + sdev->unmap_limit_for_ws = 1;
    2018 +
    2019 sdev->eh_timeout = SCSI_DEFAULT_EH_TIMEOUT;
    2020
    2021 if (*bflags & BLIST_TRY_VPD_PAGES)
    2022 diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
    2023 index e2647f2d4430..b93d92572c01 100644
    2024 --- a/drivers/scsi/sd.c
    2025 +++ b/drivers/scsi/sd.c
    2026 @@ -715,13 +715,21 @@ static void sd_config_discard(struct scsi_disk *sdkp, unsigned int mode)
    2027 break;
    2028
    2029 case SD_LBP_WS16:
    2030 - max_blocks = min_not_zero(sdkp->max_ws_blocks,
    2031 - (u32)SD_MAX_WS16_BLOCKS);
    2032 + if (sdkp->device->unmap_limit_for_ws)
    2033 + max_blocks = sdkp->max_unmap_blocks;
    2034 + else
    2035 + max_blocks = sdkp->max_ws_blocks;
    2036 +
    2037 + max_blocks = min_not_zero(max_blocks, (u32)SD_MAX_WS16_BLOCKS);
    2038 break;
    2039
    2040 case SD_LBP_WS10:
    2041 - max_blocks = min_not_zero(sdkp->max_ws_blocks,
    2042 - (u32)SD_MAX_WS10_BLOCKS);
    2043 + if (sdkp->device->unmap_limit_for_ws)
    2044 + max_blocks = sdkp->max_unmap_blocks;
    2045 + else
    2046 + max_blocks = sdkp->max_ws_blocks;
    2047 +
    2048 + max_blocks = min_not_zero(max_blocks, (u32)SD_MAX_WS10_BLOCKS);
    2049 break;
    2050
    2051 case SD_LBP_ZERO:
    2052 @@ -3101,8 +3109,6 @@ static int sd_revalidate_disk(struct gendisk *disk)
    2053 sd_read_security(sdkp, buffer);
    2054 }
    2055
    2056 - sdkp->first_scan = 0;
    2057 -
    2058 /*
    2059 * We now have all cache related info, determine how we deal
    2060 * with flush requests.
    2061 @@ -3117,7 +3123,7 @@ static int sd_revalidate_disk(struct gendisk *disk)
    2062 q->limits.max_dev_sectors = logical_to_sectors(sdp, dev_max);
    2063
    2064 /*
    2065 - * Use the device's preferred I/O size for reads and writes
    2066 + * Determine the device's preferred I/O size for reads and writes
    2067 * unless the reported value is unreasonably small, large, or
    2068 * garbage.
    2069 */
    2070 @@ -3131,8 +3137,19 @@ static int sd_revalidate_disk(struct gendisk *disk)
    2071 rw_max = min_not_zero(logical_to_sectors(sdp, dev_max),
    2072 (sector_t)BLK_DEF_MAX_SECTORS);
    2073
    2074 - /* Combine with controller limits */
    2075 - q->limits.max_sectors = min(rw_max, queue_max_hw_sectors(q));
    2076 + /* Do not exceed controller limit */
    2077 + rw_max = min(rw_max, queue_max_hw_sectors(q));
    2078 +
    2079 + /*
    2080 + * Only update max_sectors if previously unset or if the current value
    2081 + * exceeds the capabilities of the hardware.
    2082 + */
    2083 + if (sdkp->first_scan ||
    2084 + q->limits.max_sectors > q->limits.max_dev_sectors ||
    2085 + q->limits.max_sectors > q->limits.max_hw_sectors)
    2086 + q->limits.max_sectors = rw_max;
    2087 +
    2088 + sdkp->first_scan = 0;
    2089
    2090 set_capacity(disk, logical_to_sectors(sdp, sdkp->capacity));
    2091 sd_config_write_same(sdkp);
    2092 diff --git a/drivers/staging/iio/adc/ad7192.c b/drivers/staging/iio/adc/ad7192.c
    2093 index d11c6de9c777..6150d2780e22 100644
    2094 --- a/drivers/staging/iio/adc/ad7192.c
    2095 +++ b/drivers/staging/iio/adc/ad7192.c
    2096 @@ -223,11 +223,9 @@ static int ad7192_setup(struct ad7192_state *st,
    2097 struct iio_dev *indio_dev = spi_get_drvdata(st->sd.spi);
    2098 unsigned long long scale_uv;
    2099 int i, ret, id;
    2100 - u8 ones[6];
    2101
    2102 /* reset the serial interface */
    2103 - memset(&ones, 0xFF, 6);
    2104 - ret = spi_write(st->sd.spi, &ones, 6);
    2105 + ret = ad_sd_reset(&st->sd, 48);
    2106 if (ret < 0)
    2107 goto out;
    2108 usleep_range(500, 1000); /* Wait for at least 500us */
    2109 diff --git a/drivers/staging/media/imx/imx-media-of.c b/drivers/staging/media/imx/imx-media-of.c
    2110 index b026fe66467c..90e7e702a411 100644
    2111 --- a/drivers/staging/media/imx/imx-media-of.c
    2112 +++ b/drivers/staging/media/imx/imx-media-of.c
    2113 @@ -167,7 +167,7 @@ of_parse_subdev(struct imx_media_dev *imxmd, struct device_node *sd_np,
    2114 of_parse_sensor(imxmd, imxsd, sd_np);
    2115
    2116 for (i = 0; i < num_pads; i++) {
    2117 - struct device_node *epnode = NULL, *port, *remote_np;
    2118 + struct device_node *epnode = NULL, *port, *remote_np = NULL;
    2119 struct imx_media_subdev *remote_imxsd;
    2120 struct imx_media_pad *pad;
    2121 int remote_pad;
    2122 diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
    2123 index 0159ca4407d8..be08849175ea 100644
    2124 --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
    2125 +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
    2126 @@ -612,18 +612,20 @@ free_pagelist(struct vchiq_pagelist_info *pagelistinfo,
    2127 if (head_bytes > actual)
    2128 head_bytes = actual;
    2129
    2130 - memcpy((char *)page_address(pages[0]) +
    2131 + memcpy((char *)kmap(pages[0]) +
    2132 pagelist->offset,
    2133 fragments,
    2134 head_bytes);
    2135 + kunmap(pages[0]);
    2136 }
    2137 if ((actual >= 0) && (head_bytes < actual) &&
    2138 (tail_bytes != 0)) {
    2139 - memcpy((char *)page_address(pages[num_pages - 1]) +
    2140 + memcpy((char *)kmap(pages[num_pages - 1]) +
    2141 ((pagelist->offset + actual) &
    2142 (PAGE_SIZE - 1) & ~(g_cache_line_size - 1)),
    2143 fragments + g_cache_line_size,
    2144 tail_bytes);
    2145 + kunmap(pages[num_pages - 1]);
    2146 }
    2147
    2148 down(&g_free_fragments_mutex);
    2149 diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
    2150 index 8f972247b1c1..6499391695b7 100644
    2151 --- a/drivers/usb/class/cdc-wdm.c
    2152 +++ b/drivers/usb/class/cdc-wdm.c
    2153 @@ -194,8 +194,10 @@ static void wdm_in_callback(struct urb *urb)
    2154 /*
    2155 * only set a new error if there is no previous error.
    2156 * Errors are only cleared during read/open
    2157 + * Avoid propagating -EPIPE (stall) to userspace since it is
    2158 + * better handled as an empty read
    2159 */
    2160 - if (desc->rerr == 0)
    2161 + if (desc->rerr == 0 && status != -EPIPE)
    2162 desc->rerr = status;
    2163
    2164 if (length + desc->length > desc->wMaxCommand) {
    2165 diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
    2166 index 4be52c602e9b..68b54bd88d1e 100644
    2167 --- a/drivers/usb/core/config.c
    2168 +++ b/drivers/usb/core/config.c
    2169 @@ -643,15 +643,23 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
    2170
    2171 } else if (header->bDescriptorType ==
    2172 USB_DT_INTERFACE_ASSOCIATION) {
    2173 + struct usb_interface_assoc_descriptor *d;
    2174 +
    2175 + d = (struct usb_interface_assoc_descriptor *)header;
    2176 + if (d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE) {
    2177 + dev_warn(ddev,
    2178 + "config %d has an invalid interface association descriptor of length %d, skipping\n",
    2179 + cfgno, d->bLength);
    2180 + continue;
    2181 + }
    2182 +
    2183 if (iad_num == USB_MAXIADS) {
    2184 dev_warn(ddev, "found more Interface "
    2185 "Association Descriptors "
    2186 "than allocated for in "
    2187 "configuration %d\n", cfgno);
    2188 } else {
    2189 - config->intf_assoc[iad_num] =
    2190 - (struct usb_interface_assoc_descriptor
    2191 - *)header;
    2192 + config->intf_assoc[iad_num] = d;
    2193 iad_num++;
    2194 }
    2195
    2196 @@ -852,7 +860,7 @@ int usb_get_configuration(struct usb_device *dev)
    2197 }
    2198
    2199 if (dev->quirks & USB_QUIRK_DELAY_INIT)
    2200 - msleep(100);
    2201 + msleep(200);
    2202
    2203 result = usb_get_descriptor(dev, USB_DT_CONFIG, cfgno,
    2204 bigbuffer, length);
    2205 diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
    2206 index 0ff0feddfd1f..1d4dfdeb61c1 100644
    2207 --- a/drivers/usb/core/devio.c
    2208 +++ b/drivers/usb/core/devio.c
    2209 @@ -140,6 +140,9 @@ module_param(usbfs_memory_mb, uint, 0644);
    2210 MODULE_PARM_DESC(usbfs_memory_mb,
    2211 "maximum MB allowed for usbfs buffers (0 = no limit)");
    2212
    2213 +/* Hard limit, necessary to avoid arithmetic overflow */
    2214 +#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000)
    2215 +
    2216 static atomic64_t usbfs_memory_usage; /* Total memory currently allocated */
    2217
    2218 /* Check whether it's okay to allocate more memory for a transfer */
    2219 @@ -1460,6 +1463,8 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
    2220 USBDEVFS_URB_ZERO_PACKET |
    2221 USBDEVFS_URB_NO_INTERRUPT))
    2222 return -EINVAL;
    2223 + if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
    2224 + return -EINVAL;
    2225 if (uurb->buffer_length > 0 && !uurb->buffer)
    2226 return -EINVAL;
    2227 if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
    2228 @@ -1571,7 +1576,11 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
    2229 totlen += isopkt[u].length;
    2230 }
    2231 u *= sizeof(struct usb_iso_packet_descriptor);
    2232 - uurb->buffer_length = totlen;
    2233 + if (totlen <= uurb->buffer_length)
    2234 + uurb->buffer_length = totlen;
    2235 + else
    2236 + WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
    2237 + totlen, uurb->buffer_length);
    2238 break;
    2239
    2240 default:
    2241 diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
    2242 index 822f8c50e423..78c2aca5b0fc 100644
    2243 --- a/drivers/usb/core/hub.c
    2244 +++ b/drivers/usb/core/hub.c
    2245 @@ -4825,7 +4825,7 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
    2246 goto loop;
    2247
    2248 if (udev->quirks & USB_QUIRK_DELAY_INIT)
    2249 - msleep(1000);
    2250 + msleep(2000);
    2251
    2252 /* consecutive bus-powered hubs aren't reliable; they can
    2253 * violate the voltage drop budget. if the new child has
    2254 diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
    2255 index 4c38ea41ae96..371a07d874a3 100644
    2256 --- a/drivers/usb/core/message.c
    2257 +++ b/drivers/usb/core/message.c
    2258 @@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr,
    2259 elength = 1;
    2260 goto next_desc;
    2261 }
    2262 + if ((buflen < elength) || (elength < 3)) {
    2263 + dev_err(&intf->dev, "invalid descriptor buffer length\n");
    2264 + break;
    2265 + }
    2266 if (buffer[1] != USB_DT_CS_INTERFACE) {
    2267 dev_err(&intf->dev, "skipping garbage\n");
    2268 goto next_desc;
    2269 diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c
    2270 index 827e376bfa97..75e6cb044eb2 100644
    2271 --- a/drivers/usb/dwc3/ep0.c
    2272 +++ b/drivers/usb/dwc3/ep0.c
    2273 @@ -990,6 +990,8 @@ static void __dwc3_ep0_do_control_data(struct dwc3 *dwc,
    2274 DWC3_TRBCTL_CONTROL_DATA,
    2275 true);
    2276
    2277 + req->trb = &dwc->ep0_trb[dep->trb_enqueue - 1];
    2278 +
    2279 /* Now prepare one extra TRB to align transfer size */
    2280 dwc3_ep0_prepare_one_trb(dep, dwc->bounce_addr,
    2281 maxpacket - rem,
    2282 @@ -1015,6 +1017,8 @@ static void __dwc3_ep0_do_control_data(struct dwc3 *dwc,
    2283 DWC3_TRBCTL_CONTROL_DATA,
    2284 true);
    2285
    2286 + req->trb = &dwc->ep0_trb[dep->trb_enqueue - 1];
    2287 +
    2288 /* Now prepare one extra TRB to align transfer size */
    2289 dwc3_ep0_prepare_one_trb(dep, dwc->bounce_addr,
    2290 0, DWC3_TRBCTL_CONTROL_DATA,
    2291 @@ -1029,6 +1033,9 @@ static void __dwc3_ep0_do_control_data(struct dwc3 *dwc,
    2292 dwc3_ep0_prepare_one_trb(dep, req->request.dma,
    2293 req->request.length, DWC3_TRBCTL_CONTROL_DATA,
    2294 false);
    2295 +
    2296 + req->trb = &dwc->ep0_trb[dep->trb_enqueue];
    2297 +
    2298 ret = dwc3_ep0_start_trans(dep);
    2299 }
    2300
    2301 diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
    2302 index f95bddd6513f..daf3a07e3ffb 100644
    2303 --- a/drivers/usb/gadget/function/f_mass_storage.c
    2304 +++ b/drivers/usb/gadget/function/f_mass_storage.c
    2305 @@ -307,8 +307,6 @@ struct fsg_common {
    2306 struct completion thread_notifier;
    2307 struct task_struct *thread_task;
    2308
    2309 - /* Callback functions. */
    2310 - const struct fsg_operations *ops;
    2311 /* Gadget's private data. */
    2312 void *private_data;
    2313
    2314 @@ -2440,6 +2438,7 @@ static void handle_exception(struct fsg_common *common)
    2315 static int fsg_main_thread(void *common_)
    2316 {
    2317 struct fsg_common *common = common_;
    2318 + int i;
    2319
    2320 /*
    2321 * Allow the thread to be killed by a signal, but set the signal mask
    2322 @@ -2485,21 +2484,16 @@ static int fsg_main_thread(void *common_)
    2323 common->thread_task = NULL;
    2324 spin_unlock_irq(&common->lock);
    2325
    2326 - if (!common->ops || !common->ops->thread_exits
    2327 - || common->ops->thread_exits(common) < 0) {
    2328 - int i;
    2329 + /* Eject media from all LUNs */
    2330
    2331 - down_write(&common->filesem);
    2332 - for (i = 0; i < ARRAY_SIZE(common->luns); i++) {
    2333 - struct fsg_lun *curlun = common->luns[i];
    2334 - if (!curlun || !fsg_lun_is_open(curlun))
    2335 - continue;
    2336 + down_write(&common->filesem);
    2337 + for (i = 0; i < ARRAY_SIZE(common->luns); i++) {
    2338 + struct fsg_lun *curlun = common->luns[i];
    2339
    2340 + if (curlun && fsg_lun_is_open(curlun))
    2341 fsg_lun_close(curlun);
    2342 - curlun->unit_attention_data = SS_MEDIUM_NOT_PRESENT;
    2343 - }
    2344 - up_write(&common->filesem);
    2345 }
    2346 + up_write(&common->filesem);
    2347
    2348 /* Let fsg_unbind() know the thread has exited */
    2349 complete_and_exit(&common->thread_notifier, 0);
    2350 @@ -2690,13 +2684,6 @@ void fsg_common_remove_luns(struct fsg_common *common)
    2351 }
    2352 EXPORT_SYMBOL_GPL(fsg_common_remove_luns);
    2353
    2354 -void fsg_common_set_ops(struct fsg_common *common,
    2355 - const struct fsg_operations *ops)
    2356 -{
    2357 - common->ops = ops;
    2358 -}
    2359 -EXPORT_SYMBOL_GPL(fsg_common_set_ops);
    2360 -
    2361 void fsg_common_free_buffers(struct fsg_common *common)
    2362 {
    2363 _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
    2364 diff --git a/drivers/usb/gadget/function/f_mass_storage.h b/drivers/usb/gadget/function/f_mass_storage.h
    2365 index d3902313b8ac..dc05ca0c4359 100644
    2366 --- a/drivers/usb/gadget/function/f_mass_storage.h
    2367 +++ b/drivers/usb/gadget/function/f_mass_storage.h
    2368 @@ -60,17 +60,6 @@ struct fsg_module_parameters {
    2369 struct fsg_common;
    2370
    2371 /* FSF callback functions */
    2372 -struct fsg_operations {
    2373 - /*
    2374 - * Callback function to call when thread exits. If no
    2375 - * callback is set or it returns value lower then zero MSF
    2376 - * will force eject all LUNs it operates on (including those
    2377 - * marked as non-removable or with prevent_medium_removal flag
    2378 - * set).
    2379 - */
    2380 - int (*thread_exits)(struct fsg_common *common);
    2381 -};
    2382 -
    2383 struct fsg_lun_opts {
    2384 struct config_group group;
    2385 struct fsg_lun *lun;
    2386 @@ -142,9 +131,6 @@ void fsg_common_remove_lun(struct fsg_lun *lun);
    2387
    2388 void fsg_common_remove_luns(struct fsg_common *common);
    2389
    2390 -void fsg_common_set_ops(struct fsg_common *common,
    2391 - const struct fsg_operations *ops);
    2392 -
    2393 int fsg_common_create_lun(struct fsg_common *common, struct fsg_lun_config *cfg,
    2394 unsigned int id, const char *name,
    2395 const char **name_pfx);
    2396 diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
    2397 index 684900fcfe24..5c28bee327e1 100644
    2398 --- a/drivers/usb/gadget/legacy/inode.c
    2399 +++ b/drivers/usb/gadget/legacy/inode.c
    2400 @@ -28,7 +28,7 @@
    2401 #include <linux/aio.h>
    2402 #include <linux/uio.h>
    2403 #include <linux/refcount.h>
    2404 -
    2405 +#include <linux/delay.h>
    2406 #include <linux/device.h>
    2407 #include <linux/moduleparam.h>
    2408
    2409 @@ -116,6 +116,7 @@ enum ep0_state {
    2410 struct dev_data {
    2411 spinlock_t lock;
    2412 refcount_t count;
    2413 + int udc_usage;
    2414 enum ep0_state state; /* P: lock */
    2415 struct usb_gadgetfs_event event [N_EVENT];
    2416 unsigned ev_next;
    2417 @@ -513,9 +514,9 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req)
    2418 INIT_WORK(&priv->work, ep_user_copy_worker);
    2419 schedule_work(&priv->work);
    2420 }
    2421 - spin_unlock(&epdata->dev->lock);
    2422
    2423 usb_ep_free_request(ep, req);
    2424 + spin_unlock(&epdata->dev->lock);
    2425 put_ep(epdata);
    2426 }
    2427
    2428 @@ -939,9 +940,11 @@ ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr)
    2429 struct usb_request *req = dev->req;
    2430
    2431 if ((retval = setup_req (ep, req, 0)) == 0) {
    2432 + ++dev->udc_usage;
    2433 spin_unlock_irq (&dev->lock);
    2434 retval = usb_ep_queue (ep, req, GFP_KERNEL);
    2435 spin_lock_irq (&dev->lock);
    2436 + --dev->udc_usage;
    2437 }
    2438 dev->state = STATE_DEV_CONNECTED;
    2439
    2440 @@ -983,11 +986,14 @@ ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr)
    2441 retval = -EIO;
    2442 else {
    2443 len = min (len, (size_t)dev->req->actual);
    2444 -// FIXME don't call this with the spinlock held ...
    2445 + ++dev->udc_usage;
    2446 + spin_unlock_irq(&dev->lock);
    2447 if (copy_to_user (buf, dev->req->buf, len))
    2448 retval = -EFAULT;
    2449 else
    2450 retval = len;
    2451 + spin_lock_irq(&dev->lock);
    2452 + --dev->udc_usage;
    2453 clean_req (dev->gadget->ep0, dev->req);
    2454 /* NOTE userspace can't yet choose to stall */
    2455 }
    2456 @@ -1131,6 +1137,7 @@ ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
    2457 retval = setup_req (dev->gadget->ep0, dev->req, len);
    2458 if (retval == 0) {
    2459 dev->state = STATE_DEV_CONNECTED;
    2460 + ++dev->udc_usage;
    2461 spin_unlock_irq (&dev->lock);
    2462 if (copy_from_user (dev->req->buf, buf, len))
    2463 retval = -EFAULT;
    2464 @@ -1142,6 +1149,7 @@ ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
    2465 GFP_KERNEL);
    2466 }
    2467 spin_lock_irq(&dev->lock);
    2468 + --dev->udc_usage;
    2469 if (retval < 0) {
    2470 clean_req (dev->gadget->ep0, dev->req);
    2471 } else
    2472 @@ -1243,9 +1251,21 @@ static long dev_ioctl (struct file *fd, unsigned code, unsigned long value)
    2473 struct usb_gadget *gadget = dev->gadget;
    2474 long ret = -ENOTTY;
    2475
    2476 - if (gadget->ops->ioctl)
    2477 + spin_lock_irq(&dev->lock);
    2478 + if (dev->state == STATE_DEV_OPENED ||
    2479 + dev->state == STATE_DEV_UNBOUND) {
    2480 + /* Not bound to a UDC */
    2481 + } else if (gadget->ops->ioctl) {
    2482 + ++dev->udc_usage;
    2483 + spin_unlock_irq(&dev->lock);
    2484 +
    2485 ret = gadget->ops->ioctl (gadget, code, value);
    2486
    2487 + spin_lock_irq(&dev->lock);
    2488 + --dev->udc_usage;
    2489 + }
    2490 + spin_unlock_irq(&dev->lock);
    2491 +
    2492 return ret;
    2493 }
    2494
    2495 @@ -1463,10 +1483,12 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
    2496 if (value < 0)
    2497 break;
    2498
    2499 + ++dev->udc_usage;
    2500 spin_unlock (&dev->lock);
    2501 value = usb_ep_queue (gadget->ep0, dev->req,
    2502 GFP_KERNEL);
    2503 spin_lock (&dev->lock);
    2504 + --dev->udc_usage;
    2505 if (value < 0) {
    2506 clean_req (gadget->ep0, dev->req);
    2507 break;
    2508 @@ -1490,8 +1512,12 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
    2509 req->length = value;
    2510 req->zero = value < w_length;
    2511
    2512 + ++dev->udc_usage;
    2513 spin_unlock (&dev->lock);
    2514 value = usb_ep_queue (gadget->ep0, req, GFP_KERNEL);
    2515 + spin_lock(&dev->lock);
    2516 + --dev->udc_usage;
    2517 + spin_unlock(&dev->lock);
    2518 if (value < 0) {
    2519 DBG (dev, "ep_queue --> %d\n", value);
    2520 req->status = 0;
    2521 @@ -1518,21 +1544,24 @@ static void destroy_ep_files (struct dev_data *dev)
    2522 /* break link to FS */
    2523 ep = list_first_entry (&dev->epfiles, struct ep_data, epfiles);
    2524 list_del_init (&ep->epfiles);
    2525 + spin_unlock_irq (&dev->lock);
    2526 +
    2527 dentry = ep->dentry;
    2528 ep->dentry = NULL;
    2529 parent = d_inode(dentry->d_parent);
    2530
    2531 /* break link to controller */
    2532 + mutex_lock(&ep->lock);
    2533 if (ep->state == STATE_EP_ENABLED)
    2534 (void) usb_ep_disable (ep->ep);
    2535 ep->state = STATE_EP_UNBOUND;
    2536 usb_ep_free_request (ep->ep, ep->req);
    2537 ep->ep = NULL;
    2538 + mutex_unlock(&ep->lock);
    2539 +
    2540 wake_up (&ep->wait);
    2541 put_ep (ep);
    2542
    2543 - spin_unlock_irq (&dev->lock);
    2544 -
    2545 /* break link to dcache */
    2546 inode_lock(parent);
    2547 d_delete (dentry);
    2548 @@ -1603,6 +1632,11 @@ gadgetfs_unbind (struct usb_gadget *gadget)
    2549
    2550 spin_lock_irq (&dev->lock);
    2551 dev->state = STATE_DEV_UNBOUND;
    2552 + while (dev->udc_usage > 0) {
    2553 + spin_unlock_irq(&dev->lock);
    2554 + usleep_range(1000, 2000);
    2555 + spin_lock_irq(&dev->lock);
    2556 + }
    2557 spin_unlock_irq (&dev->lock);
    2558
    2559 destroy_ep_files (dev);
    2560 diff --git a/drivers/usb/gadget/legacy/mass_storage.c b/drivers/usb/gadget/legacy/mass_storage.c
    2561 index e99ab57ee3e5..fcba59782f26 100644
    2562 --- a/drivers/usb/gadget/legacy/mass_storage.c
    2563 +++ b/drivers/usb/gadget/legacy/mass_storage.c
    2564 @@ -107,15 +107,6 @@ static unsigned int fsg_num_buffers = CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS;
    2565
    2566 FSG_MODULE_PARAMETERS(/* no prefix */, mod_data);
    2567
    2568 -static unsigned long msg_registered;
    2569 -static void msg_cleanup(void);
    2570 -
    2571 -static int msg_thread_exits(struct fsg_common *common)
    2572 -{
    2573 - msg_cleanup();
    2574 - return 0;
    2575 -}
    2576 -
    2577 static int msg_do_config(struct usb_configuration *c)
    2578 {
    2579 struct fsg_opts *opts;
    2580 @@ -154,9 +145,6 @@ static struct usb_configuration msg_config_driver = {
    2581
    2582 static int msg_bind(struct usb_composite_dev *cdev)
    2583 {
    2584 - static const struct fsg_operations ops = {
    2585 - .thread_exits = msg_thread_exits,
    2586 - };
    2587 struct fsg_opts *opts;
    2588 struct fsg_config config;
    2589 int status;
    2590 @@ -173,8 +161,6 @@ static int msg_bind(struct usb_composite_dev *cdev)
    2591 if (status)
    2592 goto fail;
    2593
    2594 - fsg_common_set_ops(opts->common, &ops);
    2595 -
    2596 status = fsg_common_set_cdev(opts->common, cdev, config.can_stall);
    2597 if (status)
    2598 goto fail_set_cdev;
    2599 @@ -256,18 +242,12 @@ MODULE_LICENSE("GPL");
    2600
    2601 static int __init msg_init(void)
    2602 {
    2603 - int ret;
    2604 -
    2605 - ret = usb_composite_probe(&msg_driver);
    2606 - set_bit(0, &msg_registered);
    2607 -
    2608 - return ret;
    2609 + return usb_composite_probe(&msg_driver);
    2610 }
    2611 module_init(msg_init);
    2612
    2613 -static void msg_cleanup(void)
    2614 +static void __exit msg_cleanup(void)
    2615 {
    2616 - if (test_and_clear_bit(0, &msg_registered))
    2617 - usb_composite_unregister(&msg_driver);
    2618 + usb_composite_unregister(&msg_driver);
    2619 }
    2620 module_exit(msg_cleanup);
    2621 diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c
    2622 index 98d71400f8a1..a884c022df7a 100644
    2623 --- a/drivers/usb/gadget/udc/atmel_usba_udc.c
    2624 +++ b/drivers/usb/gadget/udc/atmel_usba_udc.c
    2625 @@ -29,6 +29,8 @@
    2626 #include <linux/of_gpio.h>
    2627
    2628 #include "atmel_usba_udc.h"
    2629 +#define USBA_VBUS_IRQFLAGS (IRQF_ONESHOT \
    2630 + | IRQF_TRIGGER_FALLING | IRQF_TRIGGER_RISING)
    2631
    2632 #ifdef CONFIG_USB_GADGET_DEBUG_FS
    2633 #include <linux/debugfs.h>
    2634 @@ -2361,7 +2363,7 @@ static int usba_udc_probe(struct platform_device *pdev)
    2635 IRQ_NOAUTOEN);
    2636 ret = devm_request_threaded_irq(&pdev->dev,
    2637 gpio_to_irq(udc->vbus_pin), NULL,
    2638 - usba_vbus_irq_thread, IRQF_ONESHOT,
    2639 + usba_vbus_irq_thread, USBA_VBUS_IRQFLAGS,
    2640 "atmel_usba_udc", udc);
    2641 if (ret) {
    2642 udc->vbus_pin = -ENODEV;
    2643 diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
    2644 index e6f04eee95c4..63c5fe6f7bd4 100644
    2645 --- a/drivers/usb/gadget/udc/core.c
    2646 +++ b/drivers/usb/gadget/udc/core.c
    2647 @@ -1314,8 +1314,7 @@ static int udc_bind_to_driver(struct usb_udc *udc, struct usb_gadget_driver *dri
    2648 udc->dev.driver = &driver->driver;
    2649 udc->gadget->dev.driver = &driver->driver;
    2650
    2651 - if (driver->max_speed < udc->gadget->max_speed)
    2652 - usb_gadget_udc_set_speed(udc, driver->max_speed);
    2653 + usb_gadget_udc_set_speed(udc, driver->max_speed);
    2654
    2655 ret = driver->bind(udc->gadget, driver);
    2656 if (ret)
    2657 diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c
    2658 index 3c3760315910..374f85f612d9 100644
    2659 --- a/drivers/usb/gadget/udc/dummy_hcd.c
    2660 +++ b/drivers/usb/gadget/udc/dummy_hcd.c
    2661 @@ -237,6 +237,8 @@ struct dummy_hcd {
    2662
    2663 struct usb_device *udev;
    2664 struct list_head urbp_list;
    2665 + struct urbp *next_frame_urbp;
    2666 +
    2667 u32 stream_en_ep;
    2668 u8 num_stream[30 / 2];
    2669
    2670 @@ -253,11 +255,13 @@ struct dummy {
    2671 */
    2672 struct dummy_ep ep[DUMMY_ENDPOINTS];
    2673 int address;
    2674 + int callback_usage;
    2675 struct usb_gadget gadget;
    2676 struct usb_gadget_driver *driver;
    2677 struct dummy_request fifo_req;
    2678 u8 fifo_buf[FIFO_SIZE];
    2679 u16 devstatus;
    2680 + unsigned ints_enabled:1;
    2681 unsigned udc_suspended:1;
    2682 unsigned pullup:1;
    2683
    2684 @@ -440,18 +444,27 @@ static void set_link_state(struct dummy_hcd *dum_hcd)
    2685 (~dum_hcd->old_status) & dum_hcd->port_status;
    2686
    2687 /* Report reset and disconnect events to the driver */
    2688 - if (dum->driver && (disconnect || reset)) {
    2689 + if (dum->ints_enabled && (disconnect || reset)) {
    2690 stop_activity(dum);
    2691 + ++dum->callback_usage;
    2692 + spin_unlock(&dum->lock);
    2693 if (reset)
    2694 usb_gadget_udc_reset(&dum->gadget, dum->driver);
    2695 else
    2696 dum->driver->disconnect(&dum->gadget);
    2697 + spin_lock(&dum->lock);
    2698 + --dum->callback_usage;
    2699 }
    2700 - } else if (dum_hcd->active != dum_hcd->old_active) {
    2701 + } else if (dum_hcd->active != dum_hcd->old_active &&
    2702 + dum->ints_enabled) {
    2703 + ++dum->callback_usage;
    2704 + spin_unlock(&dum->lock);
    2705 if (dum_hcd->old_active && dum->driver->suspend)
    2706 dum->driver->suspend(&dum->gadget);
    2707 else if (!dum_hcd->old_active && dum->driver->resume)
    2708 dum->driver->resume(&dum->gadget);
    2709 + spin_lock(&dum->lock);
    2710 + --dum->callback_usage;
    2711 }
    2712
    2713 dum_hcd->old_status = dum_hcd->port_status;
    2714 @@ -972,8 +985,11 @@ static int dummy_udc_start(struct usb_gadget *g,
    2715 * can't enumerate without help from the driver we're binding.
    2716 */
    2717
    2718 + spin_lock_irq(&dum->lock);
    2719 dum->devstatus = 0;
    2720 dum->driver = driver;
    2721 + dum->ints_enabled = 1;
    2722 + spin_unlock_irq(&dum->lock);
    2723
    2724 return 0;
    2725 }
    2726 @@ -984,6 +1000,16 @@ static int dummy_udc_stop(struct usb_gadget *g)
    2727 struct dummy *dum = dum_hcd->dum;
    2728
    2729 spin_lock_irq(&dum->lock);
    2730 + dum->ints_enabled = 0;
    2731 + stop_activity(dum);
    2732 +
    2733 + /* emulate synchronize_irq(): wait for callbacks to finish */
    2734 + while (dum->callback_usage > 0) {
    2735 + spin_unlock_irq(&dum->lock);
    2736 + usleep_range(1000, 2000);
    2737 + spin_lock_irq(&dum->lock);
    2738 + }
    2739 +
    2740 dum->driver = NULL;
    2741 spin_unlock_irq(&dum->lock);
    2742
    2743 @@ -1037,7 +1063,12 @@ static int dummy_udc_probe(struct platform_device *pdev)
    2744 memzero_explicit(&dum->gadget, sizeof(struct usb_gadget));
    2745 dum->gadget.name = gadget_name;
    2746 dum->gadget.ops = &dummy_ops;
    2747 - dum->gadget.max_speed = USB_SPEED_SUPER;
    2748 + if (mod_data.is_super_speed)
    2749 + dum->gadget.max_speed = USB_SPEED_SUPER;
    2750 + else if (mod_data.is_high_speed)
    2751 + dum->gadget.max_speed = USB_SPEED_HIGH;
    2752 + else
    2753 + dum->gadget.max_speed = USB_SPEED_FULL;
    2754
    2755 dum->gadget.dev.parent = &pdev->dev;
    2756 init_dummy_udc_hw(dum);
    2757 @@ -1246,6 +1277,8 @@ static int dummy_urb_enqueue(
    2758
    2759 list_add_tail(&urbp->urbp_list, &dum_hcd->urbp_list);
    2760 urb->hcpriv = urbp;
    2761 + if (!dum_hcd->next_frame_urbp)
    2762 + dum_hcd->next_frame_urbp = urbp;
    2763 if (usb_pipetype(urb->pipe) == PIPE_CONTROL)
    2764 urb->error_count = 1; /* mark as a new urb */
    2765
    2766 @@ -1521,6 +1554,8 @@ static struct dummy_ep *find_endpoint(struct dummy *dum, u8 address)
    2767 if (!is_active((dum->gadget.speed == USB_SPEED_SUPER ?
    2768 dum->ss_hcd : dum->hs_hcd)))
    2769 return NULL;
    2770 + if (!dum->ints_enabled)
    2771 + return NULL;
    2772 if ((address & ~USB_DIR_IN) == 0)
    2773 return &dum->ep[0];
    2774 for (i = 1; i < DUMMY_ENDPOINTS; i++) {
    2775 @@ -1762,6 +1797,7 @@ static void dummy_timer(unsigned long _dum_hcd)
    2776 spin_unlock_irqrestore(&dum->lock, flags);
    2777 return;
    2778 }
    2779 + dum_hcd->next_frame_urbp = NULL;
    2780
    2781 for (i = 0; i < DUMMY_ENDPOINTS; i++) {
    2782 if (!ep_info[i].name)
    2783 @@ -1778,6 +1814,10 @@ static void dummy_timer(unsigned long _dum_hcd)
    2784 int type;
    2785 int status = -EINPROGRESS;
    2786
    2787 + /* stop when we reach URBs queued after the timer interrupt */
    2788 + if (urbp == dum_hcd->next_frame_urbp)
    2789 + break;
    2790 +
    2791 urb = urbp->urb;
    2792 if (urb->unlinked)
    2793 goto return_urb;
    2794 @@ -1857,10 +1897,12 @@ static void dummy_timer(unsigned long _dum_hcd)
    2795 * until setup() returns; no reentrancy issues etc.
    2796 */
    2797 if (value > 0) {
    2798 + ++dum->callback_usage;
    2799 spin_unlock(&dum->lock);
    2800 value = dum->driver->setup(&dum->gadget,
    2801 &setup);
    2802 spin_lock(&dum->lock);
    2803 + --dum->callback_usage;
    2804
    2805 if (value >= 0) {
    2806 /* no delays (max 64KB data stage) */
    2807 @@ -2561,8 +2603,6 @@ static struct hc_driver dummy_hcd = {
    2808 .product_desc = "Dummy host controller",
    2809 .hcd_priv_size = sizeof(struct dummy_hcd),
    2810
    2811 - .flags = HCD_USB3 | HCD_SHARED,
    2812 -
    2813 .reset = dummy_setup,
    2814 .start = dummy_start,
    2815 .stop = dummy_stop,
    2816 @@ -2591,8 +2631,12 @@ static int dummy_hcd_probe(struct platform_device *pdev)
    2817 dev_info(&pdev->dev, "%s, driver " DRIVER_VERSION "\n", driver_desc);
    2818 dum = *((void **)dev_get_platdata(&pdev->dev));
    2819
    2820 - if (!mod_data.is_super_speed)
    2821 + if (mod_data.is_super_speed)
    2822 + dummy_hcd.flags = HCD_USB3 | HCD_SHARED;
    2823 + else if (mod_data.is_high_speed)
    2824 dummy_hcd.flags = HCD_USB2;
    2825 + else
    2826 + dummy_hcd.flags = HCD_USB11;
    2827 hs_hcd = usb_create_hcd(&dummy_hcd, &pdev->dev, dev_name(&pdev->dev));
    2828 if (!hs_hcd)
    2829 return -ENOMEM;
    2830 diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c
    2831 index e1de8fe599a3..89ce1eddfe77 100644
    2832 --- a/drivers/usb/gadget/udc/renesas_usb3.c
    2833 +++ b/drivers/usb/gadget/udc/renesas_usb3.c
    2834 @@ -1032,7 +1032,7 @@ static int usb3_write_pipe(struct renesas_usb3_ep *usb3_ep,
    2835 usb3_ep->ep.maxpacket);
    2836 u8 *buf = usb3_req->req.buf + usb3_req->req.actual;
    2837 u32 tmp = 0;
    2838 - bool is_last;
    2839 + bool is_last = !len ? true : false;
    2840
    2841 if (usb3_wait_pipe_status(usb3_ep, PX_STA_BUFSTS) < 0)
    2842 return -EBUSY;
    2843 @@ -1053,7 +1053,8 @@ static int usb3_write_pipe(struct renesas_usb3_ep *usb3_ep,
    2844 usb3_write(usb3, tmp, fifo_reg);
    2845 }
    2846
    2847 - is_last = usb3_is_transfer_complete(usb3_ep, usb3_req);
    2848 + if (!is_last)
    2849 + is_last = usb3_is_transfer_complete(usb3_ep, usb3_req);
    2850 /* Send the data */
    2851 usb3_set_px_con_send(usb3_ep, len, is_last);
    2852
    2853 @@ -1144,7 +1145,8 @@ static void usb3_start_pipe0(struct renesas_usb3_ep *usb3_ep,
    2854 usb3_set_p0_con_for_ctrl_read_data(usb3);
    2855 } else {
    2856 usb3_clear_bit(usb3, P0_MOD_DIR, USB3_P0_MOD);
    2857 - usb3_set_p0_con_for_ctrl_write_data(usb3);
    2858 + if (usb3_req->req.length)
    2859 + usb3_set_p0_con_for_ctrl_write_data(usb3);
    2860 }
    2861
    2862 usb3_p0_xfer(usb3_ep, usb3_req);
    2863 @@ -2047,7 +2049,16 @@ static u32 usb3_calc_ramarea(int ram_size)
    2864 static u32 usb3_calc_rammap_val(struct renesas_usb3_ep *usb3_ep,
    2865 const struct usb_endpoint_descriptor *desc)
    2866 {
    2867 - return usb3_ep->rammap_val | PN_RAMMAP_MPKT(usb_endpoint_maxp(desc));
    2868 + int i;
    2869 + const u32 max_packet_array[] = {8, 16, 32, 64, 512};
    2870 + u32 mpkt = PN_RAMMAP_MPKT(1024);
    2871 +
    2872 + for (i = 0; i < ARRAY_SIZE(max_packet_array); i++) {
    2873 + if (usb_endpoint_maxp(desc) <= max_packet_array[i])
    2874 + mpkt = PN_RAMMAP_MPKT(max_packet_array[i]);
    2875 + }
    2876 +
    2877 + return usb3_ep->rammap_val | mpkt;
    2878 }
    2879
    2880 static int usb3_enable_pipe_n(struct renesas_usb3_ep *usb3_ep,
    2881 diff --git a/drivers/usb/host/pci-quirks.c b/drivers/usb/host/pci-quirks.c
    2882 index 658d9d1f9ea3..6dda3623a276 100644
    2883 --- a/drivers/usb/host/pci-quirks.c
    2884 +++ b/drivers/usb/host/pci-quirks.c
    2885 @@ -447,7 +447,7 @@ static int usb_asmedia_wait_write(struct pci_dev *pdev)
    2886 if ((value & ASMT_CONTROL_WRITE_BIT) == 0)
    2887 return 0;
    2888
    2889 - usleep_range(40, 60);
    2890 + udelay(50);
    2891 }
    2892
    2893 dev_warn(&pdev->dev, "%s: check_write_ready timeout", __func__);
    2894 @@ -1022,7 +1022,7 @@ EXPORT_SYMBOL_GPL(usb_disable_xhci_ports);
    2895 *
    2896 * Takes care of the handoff between the Pre-OS (i.e. BIOS) and the OS.
    2897 * It signals to the BIOS that the OS wants control of the host controller,
    2898 - * and then waits 5 seconds for the BIOS to hand over control.
    2899 + * and then waits 1 second for the BIOS to hand over control.
    2900 * If we timeout, assume the BIOS is broken and take control anyway.
    2901 */
    2902 static void quirk_usb_handoff_xhci(struct pci_dev *pdev)
    2903 @@ -1069,9 +1069,9 @@ static void quirk_usb_handoff_xhci(struct pci_dev *pdev)
    2904 if (val & XHCI_HC_BIOS_OWNED) {
    2905 writel(val | XHCI_HC_OS_OWNED, base + ext_cap_offset);
    2906
    2907 - /* Wait for 5 seconds with 10 microsecond polling interval */
    2908 + /* Wait for 1 second with 10 microsecond polling interval */
    2909 timeout = handshake(base + ext_cap_offset, XHCI_HC_BIOS_OWNED,
    2910 - 0, 5000, 10);
    2911 + 0, 1000000, 10);
    2912
    2913 /* Assume a buggy BIOS and take HC ownership anyway */
    2914 if (timeout) {
    2915 @@ -1100,7 +1100,7 @@ static void quirk_usb_handoff_xhci(struct pci_dev *pdev)
    2916 * operational or runtime registers. Wait 5 seconds and no more.
    2917 */
    2918 timeout = handshake(op_reg_base + XHCI_STS_OFFSET, XHCI_STS_CNR, 0,
    2919 - 5000, 10);
    2920 + 5000000, 10);
    2921 /* Assume a buggy HC and start HC initialization anyway */
    2922 if (timeout) {
    2923 val = readl(op_reg_base + XHCI_STS_OFFSET);
    2924 diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
    2925 index 00721e8807ab..950dee33bfcc 100644
    2926 --- a/drivers/usb/host/xhci-hub.c
    2927 +++ b/drivers/usb/host/xhci-hub.c
    2928 @@ -112,7 +112,7 @@ static int xhci_create_usb3_bos_desc(struct xhci_hcd *xhci, char *buf,
    2929
    2930 /* If PSI table exists, add the custom speed attributes from it */
    2931 if (usb3_1 && xhci->usb3_rhub.psi_count) {
    2932 - u32 ssp_cap_base, bm_attrib, psi;
    2933 + u32 ssp_cap_base, bm_attrib, psi, psi_mant, psi_exp;
    2934 int offset;
    2935
    2936 ssp_cap_base = USB_DT_BOS_SIZE + USB_DT_USB_SS_CAP_SIZE;
    2937 @@ -139,6 +139,15 @@ static int xhci_create_usb3_bos_desc(struct xhci_hcd *xhci, char *buf,
    2938 for (i = 0; i < xhci->usb3_rhub.psi_count; i++) {
    2939 psi = xhci->usb3_rhub.psi[i];
    2940 psi &= ~USB_SSP_SUBLINK_SPEED_RSVD;
    2941 + psi_exp = XHCI_EXT_PORT_PSIE(psi);
    2942 + psi_mant = XHCI_EXT_PORT_PSIM(psi);
    2943 +
    2944 + /* Shift to Gbps and set SSP Link BIT(14) if 10Gpbs */
    2945 + for (; psi_exp < 3; psi_exp++)
    2946 + psi_mant /= 1000;
    2947 + if (psi_mant >= 10)
    2948 + psi |= BIT(14);
    2949 +
    2950 if ((psi & PLT_MASK) == PLT_SYM) {
    2951 /* Symmetric, create SSA RX and TX from one PSI entry */
    2952 put_unaligned_le32(psi, &buf[offset]);
    2953 @@ -1473,9 +1482,6 @@ int xhci_bus_suspend(struct usb_hcd *hcd)
    2954 t2 |= PORT_WKOC_E | PORT_WKCONN_E;
    2955 t2 &= ~PORT_WKDISC_E;
    2956 }
    2957 - if ((xhci->quirks & XHCI_U2_DISABLE_WAKE) &&
    2958 - (hcd->speed < HCD_USB3))
    2959 - t2 &= ~PORT_WAKE_BITS;
    2960 } else
    2961 t2 &= ~PORT_WAKE_BITS;
    2962
    2963 diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
    2964 index 8071c8fdd15e..76f392954733 100644
    2965 --- a/drivers/usb/host/xhci-pci.c
    2966 +++ b/drivers/usb/host/xhci-pci.c
    2967 @@ -54,11 +54,6 @@
    2968 #define PCI_DEVICE_ID_INTEL_APL_XHCI 0x5aa8
    2969 #define PCI_DEVICE_ID_INTEL_DNV_XHCI 0x19d0
    2970
    2971 -#define PCI_DEVICE_ID_AMD_PROMONTORYA_4 0x43b9
    2972 -#define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba
    2973 -#define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb
    2974 -#define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc
    2975 -
    2976 #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142
    2977
    2978 static const char hcd_name[] = "xhci_hcd";
    2979 @@ -142,13 +137,6 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
    2980 if (pdev->vendor == PCI_VENDOR_ID_AMD)
    2981 xhci->quirks |= XHCI_TRUST_TX_LENGTH;
    2982
    2983 - if ((pdev->vendor == PCI_VENDOR_ID_AMD) &&
    2984 - ((pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_4) ||
    2985 - (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_3) ||
    2986 - (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_2) ||
    2987 - (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_1)))
    2988 - xhci->quirks |= XHCI_U2_DISABLE_WAKE;
    2989 -
    2990 if (pdev->vendor == PCI_VENDOR_ID_INTEL) {
    2991 xhci->quirks |= XHCI_LPM_SUPPORT;
    2992 xhci->quirks |= XHCI_INTEL_HOST;
    2993 diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
    2994 index c04144b25a67..208740771ff9 100644
    2995 --- a/drivers/usb/host/xhci-plat.c
    2996 +++ b/drivers/usb/host/xhci-plat.c
    2997 @@ -186,14 +186,18 @@ static int xhci_plat_probe(struct platform_device *pdev)
    2998 * 2. xhci_plat is child of a device from firmware (dwc3-plat)
    2999 * 3. xhci_plat is grandchild of a pci device (dwc3-pci)
    3000 */
    3001 - sysdev = &pdev->dev;
    3002 - if (sysdev->parent && !sysdev->of_node && sysdev->parent->of_node)
    3003 - sysdev = sysdev->parent;
    3004 + for (sysdev = &pdev->dev; sysdev; sysdev = sysdev->parent) {
    3005 + if (is_of_node(sysdev->fwnode) ||
    3006 + is_acpi_device_node(sysdev->fwnode))
    3007 + break;
    3008 #ifdef CONFIG_PCI
    3009 - else if (sysdev->parent && sysdev->parent->parent &&
    3010 - sysdev->parent->parent->bus == &pci_bus_type)
    3011 - sysdev = sysdev->parent->parent;
    3012 + else if (sysdev->bus == &pci_bus_type)
    3013 + break;
    3014 #endif
    3015 + }
    3016 +
    3017 + if (!sysdev)
    3018 + sysdev = &pdev->dev;
    3019
    3020 /* Try to set 64-bit DMA first */
    3021 if (WARN_ON(!sysdev->dma_mask))
    3022 diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
    3023 index b2ff1ff1a02f..ee198ea47f49 100644
    3024 --- a/drivers/usb/host/xhci.c
    3025 +++ b/drivers/usb/host/xhci.c
    3026 @@ -1703,7 +1703,8 @@ static int xhci_add_endpoint(struct usb_hcd *hcd, struct usb_device *udev,
    3027 if (xhci->quirks & XHCI_MTK_HOST) {
    3028 ret = xhci_mtk_add_ep_quirk(hcd, udev, ep);
    3029 if (ret < 0) {
    3030 - xhci_free_endpoint_ring(xhci, virt_dev, ep_index);
    3031 + xhci_ring_free(xhci, virt_dev->eps[ep_index].new_ring);
    3032 + virt_dev->eps[ep_index].new_ring = NULL;
    3033 return ret;
    3034 }
    3035 }
    3036 diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
    3037 index e3e935291ed6..d7420bb9f2e2 100644
    3038 --- a/drivers/usb/host/xhci.h
    3039 +++ b/drivers/usb/host/xhci.h
    3040 @@ -728,6 +728,8 @@ struct xhci_ep_ctx {
    3041 #define EP_MAXPSTREAMS(p) (((p) << 10) & EP_MAXPSTREAMS_MASK)
    3042 /* Endpoint is set up with a Linear Stream Array (vs. Secondary Stream Array) */
    3043 #define EP_HAS_LSA (1 << 15)
    3044 +/* hosts with LEC=1 use bits 31:24 as ESIT high bits. */
    3045 +#define CTX_TO_MAX_ESIT_PAYLOAD_HI(p) (((p) >> 24) & 0xff)
    3046
    3047 /* ep_info2 bitmasks */
    3048 /*
    3049 @@ -1674,7 +1676,7 @@ struct xhci_bus_state {
    3050
    3051 static inline unsigned int hcd_index(struct usb_hcd *hcd)
    3052 {
    3053 - if (hcd->speed == HCD_USB3)
    3054 + if (hcd->speed >= HCD_USB3)
    3055 return 0;
    3056 else
    3057 return 1;
    3058 @@ -1819,7 +1821,7 @@ struct xhci_hcd {
    3059 /* For controller with a broken Port Disable implementation */
    3060 #define XHCI_BROKEN_PORT_PED (1 << 25)
    3061 #define XHCI_LIMIT_ENDPOINT_INTERVAL_7 (1 << 26)
    3062 -#define XHCI_U2_DISABLE_WAKE (1 << 27)
    3063 +/* Reserved. It was XHCI_U2_DISABLE_WAKE */
    3064 #define XHCI_ASMEDIA_MODIFY_FLOWCONTROL (1 << 28)
    3065
    3066 unsigned int num_active_eps;
    3067 @@ -2452,8 +2454,8 @@ static inline const char *xhci_decode_ep_context(u32 info, u32 info2, u64 deq,
    3068 u8 lsa;
    3069 u8 hid;
    3070
    3071 - esit = EP_MAX_ESIT_PAYLOAD_HI(info) << 16 |
    3072 - EP_MAX_ESIT_PAYLOAD_LO(tx_info);
    3073 + esit = CTX_TO_MAX_ESIT_PAYLOAD_HI(info) << 16 |
    3074 + CTX_TO_MAX_ESIT_PAYLOAD(tx_info);
    3075
    3076 ep_state = info & EP_STATE_MASK;
    3077 max_pstr = info & EP_MAXPSTREAMS_MASK;
    3078 diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c
    3079 index d1af831f43eb..68f26904c316 100644
    3080 --- a/drivers/usb/renesas_usbhs/fifo.c
    3081 +++ b/drivers/usb/renesas_usbhs/fifo.c
    3082 @@ -282,11 +282,26 @@ static void usbhsf_fifo_clear(struct usbhs_pipe *pipe,
    3083 struct usbhs_fifo *fifo)
    3084 {
    3085 struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
    3086 + int ret = 0;
    3087
    3088 - if (!usbhs_pipe_is_dcp(pipe))
    3089 - usbhsf_fifo_barrier(priv, fifo);
    3090 + if (!usbhs_pipe_is_dcp(pipe)) {
    3091 + /*
    3092 + * This driver checks the pipe condition first to avoid -EBUSY
    3093 + * from usbhsf_fifo_barrier() with about 10 msec delay in
    3094 + * the interrupt handler if the pipe is RX direction and empty.
    3095 + */
    3096 + if (usbhs_pipe_is_dir_in(pipe))
    3097 + ret = usbhs_pipe_is_accessible(pipe);
    3098 + if (!ret)
    3099 + ret = usbhsf_fifo_barrier(priv, fifo);
    3100 + }
    3101
    3102 - usbhs_write(priv, fifo->ctr, BCLR);
    3103 + /*
    3104 + * if non-DCP pipe, this driver should set BCLR when
    3105 + * usbhsf_fifo_barrier() returns 0.
    3106 + */
    3107 + if (!ret)
    3108 + usbhs_write(priv, fifo->ctr, BCLR);
    3109 }
    3110
    3111 static int usbhsf_fifo_rcv_len(struct usbhs_priv *priv,
    3112 diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c
    3113 index 1a59f335b063..a3ccb899df60 100644
    3114 --- a/drivers/usb/storage/transport.c
    3115 +++ b/drivers/usb/storage/transport.c
    3116 @@ -834,13 +834,25 @@ void usb_stor_invoke_transport(struct scsi_cmnd *srb, struct us_data *us)
    3117 if (result == USB_STOR_TRANSPORT_GOOD) {
    3118 srb->result = SAM_STAT_GOOD;
    3119 srb->sense_buffer[0] = 0x0;
    3120 + }
    3121 +
    3122 + /*
    3123 + * ATA-passthru commands use sense data to report
    3124 + * the command completion status, and often devices
    3125 + * return Check Condition status when nothing is
    3126 + * wrong.
    3127 + */
    3128 + else if (srb->cmnd[0] == ATA_16 ||
    3129 + srb->cmnd[0] == ATA_12) {
    3130 + /* leave the data alone */
    3131 + }
    3132
    3133 /*
    3134 * If there was a problem, report an unspecified
    3135 * hardware error to prevent the higher layers from
    3136 * entering an infinite retry loop.
    3137 */
    3138 - } else {
    3139 + else {
    3140 srb->result = DID_ERROR << 16;
    3141 if ((sshdr.response_code & 0x72) == 0x72)
    3142 srb->sense_buffer[1] = HARDWARE_ERROR;
    3143 diff --git a/drivers/usb/storage/uas-detect.h b/drivers/usb/storage/uas-detect.h
    3144 index f58caa9e6a27..a155cd02bce2 100644
    3145 --- a/drivers/usb/storage/uas-detect.h
    3146 +++ b/drivers/usb/storage/uas-detect.h
    3147 @@ -9,7 +9,8 @@ static int uas_is_interface(struct usb_host_interface *intf)
    3148 intf->desc.bInterfaceProtocol == USB_PR_UAS);
    3149 }
    3150
    3151 -static int uas_find_uas_alt_setting(struct usb_interface *intf)
    3152 +static struct usb_host_interface *uas_find_uas_alt_setting(
    3153 + struct usb_interface *intf)
    3154 {
    3155 int i;
    3156
    3157 @@ -17,10 +18,10 @@ static int uas_find_uas_alt_setting(struct usb_interface *intf)
    3158 struct usb_host_interface *alt = &intf->altsetting[i];
    3159
    3160 if (uas_is_interface(alt))
    3161 - return alt->desc.bAlternateSetting;
    3162 + return alt;
    3163 }
    3164
    3165 - return -ENODEV;
    3166 + return NULL;
    3167 }
    3168
    3169 static int uas_find_endpoints(struct usb_host_interface *alt,
    3170 @@ -58,14 +59,14 @@ static int uas_use_uas_driver(struct usb_interface *intf,
    3171 struct usb_device *udev = interface_to_usbdev(intf);
    3172 struct usb_hcd *hcd = bus_to_hcd(udev->bus);
    3173 unsigned long flags = id->driver_info;
    3174 - int r, alt;
    3175 -
    3176 + struct usb_host_interface *alt;
    3177 + int r;
    3178
    3179 alt = uas_find_uas_alt_setting(intf);
    3180 - if (alt < 0)
    3181 + if (!alt)
    3182 return 0;
    3183
    3184 - r = uas_find_endpoints(&intf->altsetting[alt], eps);
    3185 + r = uas_find_endpoints(alt, eps);
    3186 if (r < 0)
    3187 return 0;
    3188
    3189 diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
    3190 index 5ef014ba6ae8..9876af4ab64e 100644
    3191 --- a/drivers/usb/storage/uas.c
    3192 +++ b/drivers/usb/storage/uas.c
    3193 @@ -873,14 +873,14 @@ MODULE_DEVICE_TABLE(usb, uas_usb_ids);
    3194 static int uas_switch_interface(struct usb_device *udev,
    3195 struct usb_interface *intf)
    3196 {
    3197 - int alt;
    3198 + struct usb_host_interface *alt;
    3199
    3200 alt = uas_find_uas_alt_setting(intf);
    3201 - if (alt < 0)
    3202 - return alt;
    3203 + if (!alt)
    3204 + return -ENODEV;
    3205
    3206 - return usb_set_interface(udev,
    3207 - intf->altsetting[0].desc.bInterfaceNumber, alt);
    3208 + return usb_set_interface(udev, alt->desc.bInterfaceNumber,
    3209 + alt->desc.bAlternateSetting);
    3210 }
    3211
    3212 static int uas_configure_endpoints(struct uas_dev_info *devinfo)
    3213 diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
    3214 index 5a70c33ef0e0..eb06d88b41d6 100644
    3215 --- a/drivers/usb/storage/unusual_devs.h
    3216 +++ b/drivers/usb/storage/unusual_devs.h
    3217 @@ -1459,6 +1459,13 @@ UNUSUAL_DEV( 0x0bc2, 0x3010, 0x0000, 0x0000,
    3218 USB_SC_DEVICE, USB_PR_DEVICE, NULL,
    3219 US_FL_SANE_SENSE ),
    3220
    3221 +/* Reported by Kris Lindgren <kris.lindgren@gmail.com> */
    3222 +UNUSUAL_DEV( 0x0bc2, 0x3332, 0x0000, 0x9999,
    3223 + "Seagate",
    3224 + "External",
    3225 + USB_SC_DEVICE, USB_PR_DEVICE, NULL,
    3226 + US_FL_NO_WP_DETECT ),
    3227 +
    3228 UNUSUAL_DEV( 0x0d49, 0x7310, 0x0000, 0x9999,
    3229 "Maxtor",
    3230 "USB to SATA",
    3231 diff --git a/drivers/uwb/hwa-rc.c b/drivers/uwb/hwa-rc.c
    3232 index 35a1e777b449..9a53912bdfe9 100644
    3233 --- a/drivers/uwb/hwa-rc.c
    3234 +++ b/drivers/uwb/hwa-rc.c
    3235 @@ -825,6 +825,8 @@ static int hwarc_probe(struct usb_interface *iface,
    3236
    3237 if (iface->cur_altsetting->desc.bNumEndpoints < 1)
    3238 return -ENODEV;
    3239 + if (!usb_endpoint_xfer_int(&iface->cur_altsetting->endpoint[0].desc))
    3240 + return -ENODEV;
    3241
    3242 result = -ENOMEM;
    3243 uwb_rc = uwb_rc_alloc();
    3244 diff --git a/drivers/uwb/uwbd.c b/drivers/uwb/uwbd.c
    3245 index 01c20a260a8b..39dd4ef53c77 100644
    3246 --- a/drivers/uwb/uwbd.c
    3247 +++ b/drivers/uwb/uwbd.c
    3248 @@ -302,18 +302,22 @@ static int uwbd(void *param)
    3249 /** Start the UWB daemon */
    3250 void uwbd_start(struct uwb_rc *rc)
    3251 {
    3252 - rc->uwbd.task = kthread_run(uwbd, rc, "uwbd");
    3253 - if (rc->uwbd.task == NULL)
    3254 + struct task_struct *task = kthread_run(uwbd, rc, "uwbd");
    3255 + if (IS_ERR(task)) {
    3256 + rc->uwbd.task = NULL;
    3257 printk(KERN_ERR "UWB: Cannot start management daemon; "
    3258 "UWB won't work\n");
    3259 - else
    3260 + } else {
    3261 + rc->uwbd.task = task;
    3262 rc->uwbd.pid = rc->uwbd.task->pid;
    3263 + }
    3264 }
    3265
    3266 /* Stop the UWB daemon and free any unprocessed events */
    3267 void uwbd_stop(struct uwb_rc *rc)
    3268 {
    3269 - kthread_stop(rc->uwbd.task);
    3270 + if (rc->uwbd.task)
    3271 + kthread_stop(rc->uwbd.task);
    3272 uwbd_flush(rc);
    3273 }
    3274
    3275 diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
    3276 index 3f3eb7b17cac..806eb85343fb 100644
    3277 --- a/fs/btrfs/ctree.h
    3278 +++ b/fs/btrfs/ctree.h
    3279 @@ -723,7 +723,7 @@ struct btrfs_delayed_root;
    3280 * Indicate that a whole-filesystem exclusive operation is running
    3281 * (device replace, resize, device add/delete, balance)
    3282 */
    3283 -#define BTRFS_FS_EXCL_OP 14
    3284 +#define BTRFS_FS_EXCL_OP 16
    3285
    3286 struct btrfs_fs_info {
    3287 u8 fsid[BTRFS_FSID_SIZE];
    3288 diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
    3289 index 0aff9b278c19..4aa3d4c27dfe 100644
    3290 --- a/fs/btrfs/extent_io.c
    3291 +++ b/fs/btrfs/extent_io.c
    3292 @@ -2799,7 +2799,7 @@ static int submit_extent_page(int op, int op_flags, struct extent_io_tree *tree,
    3293 }
    3294 }
    3295
    3296 - bio = btrfs_bio_alloc(bdev, sector << 9);
    3297 + bio = btrfs_bio_alloc(bdev, (u64)sector << 9);
    3298 bio_add_page(bio, page, page_size, offset);
    3299 bio->bi_end_io = end_io_func;
    3300 bio->bi_private = tree;
    3301 diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
    3302 index acb6f97deb97..196a07a87179 100644
    3303 --- a/fs/overlayfs/copy_up.c
    3304 +++ b/fs/overlayfs/copy_up.c
    3305 @@ -561,10 +561,8 @@ static int ovl_do_copy_up(struct ovl_copy_up_ctx *c)
    3306 c->tmpfile = true;
    3307 err = ovl_copy_up_locked(c);
    3308 } else {
    3309 - err = -EIO;
    3310 - if (lock_rename(c->workdir, c->destdir) != NULL) {
    3311 - pr_err("overlayfs: failed to lock workdir+upperdir\n");
    3312 - } else {
    3313 + err = ovl_lock_rename_workdir(c->workdir, c->destdir);
    3314 + if (!err) {
    3315 err = ovl_copy_up_locked(c);
    3316 unlock_rename(c->workdir, c->destdir);
    3317 }
    3318 diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
    3319 index 48b70e6490f3..9b97b35b39c8 100644
    3320 --- a/fs/overlayfs/dir.c
    3321 +++ b/fs/overlayfs/dir.c
    3322 @@ -216,26 +216,6 @@ static int ovl_create_upper(struct dentry *dentry, struct inode *inode,
    3323 return err;
    3324 }
    3325
    3326 -static int ovl_lock_rename_workdir(struct dentry *workdir,
    3327 - struct dentry *upperdir)
    3328 -{
    3329 - /* Workdir should not be the same as upperdir */
    3330 - if (workdir == upperdir)
    3331 - goto err;
    3332 -
    3333 - /* Workdir should not be subdir of upperdir and vice versa */
    3334 - if (lock_rename(workdir, upperdir) != NULL)
    3335 - goto err_unlock;
    3336 -
    3337 - return 0;
    3338 -
    3339 -err_unlock:
    3340 - unlock_rename(workdir, upperdir);
    3341 -err:
    3342 - pr_err("overlayfs: failed to lock workdir+upperdir\n");
    3343 - return -EIO;
    3344 -}
    3345 -
    3346 static struct dentry *ovl_clear_empty(struct dentry *dentry,
    3347 struct list_head *list)
    3348 {
    3349 diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
    3350 index 8aef2b304b2d..9deec68075dc 100644
    3351 --- a/fs/overlayfs/namei.c
    3352 +++ b/fs/overlayfs/namei.c
    3353 @@ -506,6 +506,7 @@ static struct dentry *ovl_lookup_index(struct dentry *dentry,
    3354
    3355 index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
    3356 if (IS_ERR(index)) {
    3357 + err = PTR_ERR(index);
    3358 pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%*s, err=%i);\n"
    3359 "overlayfs: mount with '-o index=off' to disable inodes index.\n",
    3360 d_inode(origin)->i_ino, name.len, name.name,
    3361 diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
    3362 index e927a62c97ae..f57f47742f5f 100644
    3363 --- a/fs/overlayfs/overlayfs.h
    3364 +++ b/fs/overlayfs/overlayfs.h
    3365 @@ -234,6 +234,7 @@ bool ovl_inuse_trylock(struct dentry *dentry);
    3366 void ovl_inuse_unlock(struct dentry *dentry);
    3367 int ovl_nlink_start(struct dentry *dentry, bool *locked);
    3368 void ovl_nlink_end(struct dentry *dentry, bool locked);
    3369 +int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *upperdir);
    3370
    3371 static inline bool ovl_is_impuredir(struct dentry *dentry)
    3372 {
    3373 diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h
    3374 index 878a750986dd..25d9b5adcd42 100644
    3375 --- a/fs/overlayfs/ovl_entry.h
    3376 +++ b/fs/overlayfs/ovl_entry.h
    3377 @@ -37,6 +37,9 @@ struct ovl_fs {
    3378 bool noxattr;
    3379 /* sb common to all layers */
    3380 struct super_block *same_sb;
    3381 + /* Did we take the inuse lock? */
    3382 + bool upperdir_locked;
    3383 + bool workdir_locked;
    3384 };
    3385
    3386 /* private information held for every overlayfs dentry */
    3387 diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c
    3388 index 3d424a51cabb..74f7ead442f0 100644
    3389 --- a/fs/overlayfs/readdir.c
    3390 +++ b/fs/overlayfs/readdir.c
    3391 @@ -672,6 +672,7 @@ int ovl_indexdir_cleanup(struct dentry *dentry, struct vfsmount *mnt,
    3392 struct path *lowerstack, unsigned int numlower)
    3393 {
    3394 int err;
    3395 + struct dentry *index = NULL;
    3396 struct inode *dir = dentry->d_inode;
    3397 struct path path = { .mnt = mnt, .dentry = dentry };
    3398 LIST_HEAD(list);
    3399 @@ -690,8 +691,6 @@ int ovl_indexdir_cleanup(struct dentry *dentry, struct vfsmount *mnt,
    3400
    3401 inode_lock_nested(dir, I_MUTEX_PARENT);
    3402 list_for_each_entry(p, &list, l_node) {
    3403 - struct dentry *index;
    3404 -
    3405 if (p->name[0] == '.') {
    3406 if (p->len == 1)
    3407 continue;
    3408 @@ -701,6 +700,7 @@ int ovl_indexdir_cleanup(struct dentry *dentry, struct vfsmount *mnt,
    3409 index = lookup_one_len(p->name, dentry, p->len);
    3410 if (IS_ERR(index)) {
    3411 err = PTR_ERR(index);
    3412 + index = NULL;
    3413 break;
    3414 }
    3415 err = ovl_verify_index(index, lowerstack, numlower);
    3416 @@ -712,7 +712,9 @@ int ovl_indexdir_cleanup(struct dentry *dentry, struct vfsmount *mnt,
    3417 break;
    3418 }
    3419 dput(index);
    3420 + index = NULL;
    3421 }
    3422 + dput(index);
    3423 inode_unlock(dir);
    3424 out:
    3425 ovl_cache_free(&list);
    3426 diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
    3427 index d86e89f97201..a1464905c1ea 100644
    3428 --- a/fs/overlayfs/super.c
    3429 +++ b/fs/overlayfs/super.c
    3430 @@ -210,9 +210,10 @@ static void ovl_put_super(struct super_block *sb)
    3431
    3432 dput(ufs->indexdir);
    3433 dput(ufs->workdir);
    3434 - ovl_inuse_unlock(ufs->workbasedir);
    3435 + if (ufs->workdir_locked)
    3436 + ovl_inuse_unlock(ufs->workbasedir);
    3437 dput(ufs->workbasedir);
    3438 - if (ufs->upper_mnt)
    3439 + if (ufs->upper_mnt && ufs->upperdir_locked)
    3440 ovl_inuse_unlock(ufs->upper_mnt->mnt_root);
    3441 mntput(ufs->upper_mnt);
    3442 for (i = 0; i < ufs->numlower; i++)
    3443 @@ -880,9 +881,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
    3444 goto out_put_upperpath;
    3445
    3446 err = -EBUSY;
    3447 - if (!ovl_inuse_trylock(upperpath.dentry)) {
    3448 - pr_err("overlayfs: upperdir is in-use by another mount\n");
    3449 + if (ovl_inuse_trylock(upperpath.dentry)) {
    3450 + ufs->upperdir_locked = true;
    3451 + } else if (ufs->config.index) {
    3452 + pr_err("overlayfs: upperdir is in-use by another mount, mount with '-o index=off' to override exclusive upperdir protection.\n");
    3453 goto out_put_upperpath;
    3454 + } else {
    3455 + pr_warn("overlayfs: upperdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n");
    3456 }
    3457
    3458 err = ovl_mount_dir(ufs->config.workdir, &workpath);
    3459 @@ -900,9 +905,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
    3460 }
    3461
    3462 err = -EBUSY;
    3463 - if (!ovl_inuse_trylock(workpath.dentry)) {
    3464 - pr_err("overlayfs: workdir is in-use by another mount\n");
    3465 + if (ovl_inuse_trylock(workpath.dentry)) {
    3466 + ufs->workdir_locked = true;
    3467 + } else if (ufs->config.index) {
    3468 + pr_err("overlayfs: workdir is in-use by another mount, mount with '-o index=off' to override exclusive workdir protection.\n");
    3469 goto out_put_workpath;
    3470 + } else {
    3471 + pr_warn("overlayfs: workdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n");
    3472 }
    3473
    3474 ufs->workbasedir = workpath.dentry;
    3475 @@ -1155,11 +1164,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
    3476 out_free_lowertmp:
    3477 kfree(lowertmp);
    3478 out_unlock_workdentry:
    3479 - ovl_inuse_unlock(workpath.dentry);
    3480 + if (ufs->workdir_locked)
    3481 + ovl_inuse_unlock(workpath.dentry);
    3482 out_put_workpath:
    3483 path_put(&workpath);
    3484 out_unlock_upperdentry:
    3485 - ovl_inuse_unlock(upperpath.dentry);
    3486 + if (ufs->upperdir_locked)
    3487 + ovl_inuse_unlock(upperpath.dentry);
    3488 out_put_upperpath:
    3489 path_put(&upperpath);
    3490 out_free_config:
    3491 diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
    3492 index f46ad75dc96a..8bff64f14190 100644
    3493 --- a/fs/overlayfs/util.c
    3494 +++ b/fs/overlayfs/util.c
    3495 @@ -418,7 +418,7 @@ void ovl_inuse_unlock(struct dentry *dentry)
    3496 }
    3497 }
    3498
    3499 -/* Called must hold OVL_I(inode)->oi_lock */
    3500 +/* Caller must hold OVL_I(inode)->lock */
    3501 static void ovl_cleanup_index(struct dentry *dentry)
    3502 {
    3503 struct inode *dir = ovl_indexdir(dentry->d_sb)->d_inode;
    3504 @@ -457,6 +457,9 @@ static void ovl_cleanup_index(struct dentry *dentry)
    3505 err = PTR_ERR(index);
    3506 if (!IS_ERR(index))
    3507 err = ovl_cleanup(dir, index);
    3508 + else
    3509 + index = NULL;
    3510 +
    3511 inode_unlock(dir);
    3512 if (err)
    3513 goto fail;
    3514 @@ -545,3 +548,22 @@ void ovl_nlink_end(struct dentry *dentry, bool locked)
    3515 mutex_unlock(&OVL_I(d_inode(dentry))->lock);
    3516 }
    3517 }
    3518 +
    3519 +int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *upperdir)
    3520 +{
    3521 + /* Workdir should not be the same as upperdir */
    3522 + if (workdir == upperdir)
    3523 + goto err;
    3524 +
    3525 + /* Workdir should not be subdir of upperdir and vice versa */
    3526 + if (lock_rename(workdir, upperdir) != NULL)
    3527 + goto err_unlock;
    3528 +
    3529 + return 0;
    3530 +
    3531 +err_unlock:
    3532 + unlock_rename(workdir, upperdir);
    3533 +err:
    3534 + pr_err("overlayfs: failed to lock workdir+upperdir\n");
    3535 + return -EIO;
    3536 +}
    3537 diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
    3538 index b0d5897bc4e6..be795bf20147 100644
    3539 --- a/fs/userfaultfd.c
    3540 +++ b/fs/userfaultfd.c
    3541 @@ -566,6 +566,12 @@ static void userfaultfd_event_wait_completion(struct userfaultfd_ctx *ctx,
    3542 break;
    3543 if (ACCESS_ONCE(ctx->released) ||
    3544 fatal_signal_pending(current)) {
    3545 + /*
    3546 + * &ewq->wq may be queued in fork_event, but
    3547 + * __remove_wait_queue ignores the head
    3548 + * parameter. It would be a problem if it
    3549 + * didn't.
    3550 + */
    3551 __remove_wait_queue(&ctx->event_wqh, &ewq->wq);
    3552 if (ewq->msg.event == UFFD_EVENT_FORK) {
    3553 struct userfaultfd_ctx *new;
    3554 @@ -1039,6 +1045,12 @@ static ssize_t userfaultfd_ctx_read(struct userfaultfd_ctx *ctx, int no_wait,
    3555 (unsigned long)
    3556 uwq->msg.arg.reserved.reserved1;
    3557 list_move(&uwq->wq.entry, &fork_event);
    3558 + /*
    3559 + * fork_nctx can be freed as soon as
    3560 + * we drop the lock, unless we take a
    3561 + * reference on it.
    3562 + */
    3563 + userfaultfd_ctx_get(fork_nctx);
    3564 spin_unlock(&ctx->event_wqh.lock);
    3565 ret = 0;
    3566 break;
    3567 @@ -1069,19 +1081,53 @@ static ssize_t userfaultfd_ctx_read(struct userfaultfd_ctx *ctx, int no_wait,
    3568
    3569 if (!ret && msg->event == UFFD_EVENT_FORK) {
    3570 ret = resolve_userfault_fork(ctx, fork_nctx, msg);
    3571 + spin_lock(&ctx->event_wqh.lock);
    3572 + if (!list_empty(&fork_event)) {
    3573 + /*
    3574 + * The fork thread didn't abort, so we can
    3575 + * drop the temporary refcount.
    3576 + */
    3577 + userfaultfd_ctx_put(fork_nctx);
    3578 +
    3579 + uwq = list_first_entry(&fork_event,
    3580 + typeof(*uwq),
    3581 + wq.entry);
    3582 + /*
    3583 + * If fork_event list wasn't empty and in turn
    3584 + * the event wasn't already released by fork
    3585 + * (the event is allocated on fork kernel
    3586 + * stack), put the event back to its place in
    3587 + * the event_wq. fork_event head will be freed
    3588 + * as soon as we return so the event cannot
    3589 + * stay queued there no matter the current
    3590 + * "ret" value.
    3591 + */
    3592 + list_del(&uwq->wq.entry);
    3593 + __add_wait_queue(&ctx->event_wqh, &uwq->wq);
    3594
    3595 - if (!ret) {
    3596 - spin_lock(&ctx->event_wqh.lock);
    3597 - if (!list_empty(&fork_event)) {
    3598 - uwq = list_first_entry(&fork_event,
    3599 - typeof(*uwq),
    3600 - wq.entry);
    3601 - list_del(&uwq->wq.entry);
    3602 - __add_wait_queue(&ctx->event_wqh, &uwq->wq);
    3603 + /*
    3604 + * Leave the event in the waitqueue and report
    3605 + * error to userland if we failed to resolve
    3606 + * the userfault fork.
    3607 + */
    3608 + if (likely(!ret))
    3609 userfaultfd_event_complete(ctx, uwq);
    3610 - }
    3611 - spin_unlock(&ctx->event_wqh.lock);
    3612 + } else {
    3613 + /*
    3614 + * Here the fork thread aborted and the
    3615 + * refcount from the fork thread on fork_nctx
    3616 + * has already been released. We still hold
    3617 + * the reference we took before releasing the
    3618 + * lock above. If resolve_userfault_fork
    3619 + * failed we've to drop it because the
    3620 + * fork_nctx has to be freed in such case. If
    3621 + * it succeeded we'll hold it because the new
    3622 + * uffd references it.
    3623 + */
    3624 + if (ret)
    3625 + userfaultfd_ctx_put(fork_nctx);
    3626 }
    3627 + spin_unlock(&ctx->event_wqh.lock);
    3628 }
    3629
    3630 return ret;
    3631 diff --git a/fs/xattr.c b/fs/xattr.c
    3632 index 464c94bf65f9..5441a6d95396 100644
    3633 --- a/fs/xattr.c
    3634 +++ b/fs/xattr.c
    3635 @@ -249,7 +249,7 @@ xattr_getsecurity(struct inode *inode, const char *name, void *value,
    3636 }
    3637 memcpy(value, buffer, len);
    3638 out:
    3639 - security_release_secctx(buffer, len);
    3640 + kfree(buffer);
    3641 out_noalloc:
    3642 return len;
    3643 }
    3644 diff --git a/include/asm-generic/percpu.h b/include/asm-generic/percpu.h
    3645 index 0504ef8f3aa3..976f8ac26665 100644
    3646 --- a/include/asm-generic/percpu.h
    3647 +++ b/include/asm-generic/percpu.h
    3648 @@ -115,15 +115,35 @@ do { \
    3649 (__ret); \
    3650 })
    3651
    3652 -#define this_cpu_generic_read(pcp) \
    3653 +#define __this_cpu_generic_read_nopreempt(pcp) \
    3654 ({ \
    3655 typeof(pcp) __ret; \
    3656 preempt_disable_notrace(); \
    3657 - __ret = raw_cpu_generic_read(pcp); \
    3658 + __ret = READ_ONCE(*raw_cpu_ptr(&(pcp))); \
    3659 preempt_enable_notrace(); \
    3660 __ret; \
    3661 })
    3662
    3663 +#define __this_cpu_generic_read_noirq(pcp) \
    3664 +({ \
    3665 + typeof(pcp) __ret; \
    3666 + unsigned long __flags; \
    3667 + raw_local_irq_save(__flags); \
    3668 + __ret = raw_cpu_generic_read(pcp); \
    3669 + raw_local_irq_restore(__flags); \
    3670 + __ret; \
    3671 +})
    3672 +
    3673 +#define this_cpu_generic_read(pcp) \
    3674 +({ \
    3675 + typeof(pcp) __ret; \
    3676 + if (__native_word(pcp)) \
    3677 + __ret = __this_cpu_generic_read_nopreempt(pcp); \
    3678 + else \
    3679 + __ret = __this_cpu_generic_read_noirq(pcp); \
    3680 + __ret; \
    3681 +})
    3682 +
    3683 #define this_cpu_generic_to_op(pcp, val, op) \
    3684 do { \
    3685 unsigned long __flags; \
    3686 diff --git a/include/linux/iio/adc/ad_sigma_delta.h b/include/linux/iio/adc/ad_sigma_delta.h
    3687 index 5ba430cc9a87..1fc7abd28b0b 100644
    3688 --- a/include/linux/iio/adc/ad_sigma_delta.h
    3689 +++ b/include/linux/iio/adc/ad_sigma_delta.h
    3690 @@ -111,6 +111,9 @@ int ad_sd_write_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg,
    3691 int ad_sd_read_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg,
    3692 unsigned int size, unsigned int *val);
    3693
    3694 +int ad_sd_reset(struct ad_sigma_delta *sigma_delta,
    3695 + unsigned int reset_length);
    3696 +
    3697 int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
    3698 const struct iio_chan_spec *chan, int *val);
    3699 int ad_sd_calibrate_all(struct ad_sigma_delta *sigma_delta,
    3700 diff --git a/include/linux/mmu_notifier.h b/include/linux/mmu_notifier.h
    3701 index 7b2e31b1745a..6866e8126982 100644
    3702 --- a/include/linux/mmu_notifier.h
    3703 +++ b/include/linux/mmu_notifier.h
    3704 @@ -400,6 +400,11 @@ extern void mmu_notifier_synchronize(void);
    3705
    3706 #else /* CONFIG_MMU_NOTIFIER */
    3707
    3708 +static inline int mm_has_notifiers(struct mm_struct *mm)
    3709 +{
    3710 + return 0;
    3711 +}
    3712 +
    3713 static inline void mmu_notifier_release(struct mm_struct *mm)
    3714 {
    3715 }
    3716 diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h
    3717 index 5012b524283d..60248d644b6f 100644
    3718 --- a/include/linux/trace_events.h
    3719 +++ b/include/linux/trace_events.h
    3720 @@ -277,6 +277,7 @@ struct trace_event_call {
    3721 int perf_refcount;
    3722 struct hlist_head __percpu *perf_events;
    3723 struct bpf_prog *prog;
    3724 + struct perf_event *bpf_prog_owner;
    3725
    3726 int (*perf_perm)(struct trace_event_call *,
    3727 struct perf_event *);
    3728 diff --git a/include/net/netlink.h b/include/net/netlink.h
    3729 index ef8e6c3a80a6..4c72c7866da5 100644
    3730 --- a/include/net/netlink.h
    3731 +++ b/include/net/netlink.h
    3732 @@ -768,7 +768,10 @@ static inline int nla_parse_nested(struct nlattr *tb[], int maxtype,
    3733 */
    3734 static inline int nla_put_u8(struct sk_buff *skb, int attrtype, u8 value)
    3735 {
    3736 - return nla_put(skb, attrtype, sizeof(u8), &value);
    3737 + /* temporary variables to work around GCC PR81715 with asan-stack=1 */
    3738 + u8 tmp = value;
    3739 +
    3740 + return nla_put(skb, attrtype, sizeof(u8), &tmp);
    3741 }
    3742
    3743 /**
    3744 @@ -779,7 +782,9 @@ static inline int nla_put_u8(struct sk_buff *skb, int attrtype, u8 value)
    3745 */
    3746 static inline int nla_put_u16(struct sk_buff *skb, int attrtype, u16 value)
    3747 {
    3748 - return nla_put(skb, attrtype, sizeof(u16), &value);
    3749 + u16 tmp = value;
    3750 +
    3751 + return nla_put(skb, attrtype, sizeof(u16), &tmp);
    3752 }
    3753
    3754 /**
    3755 @@ -790,7 +795,9 @@ static inline int nla_put_u16(struct sk_buff *skb, int attrtype, u16 value)
    3756 */
    3757 static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value)
    3758 {
    3759 - return nla_put(skb, attrtype, sizeof(__be16), &value);
    3760 + __be16 tmp = value;
    3761 +
    3762 + return nla_put(skb, attrtype, sizeof(__be16), &tmp);
    3763 }
    3764
    3765 /**
    3766 @@ -801,7 +808,9 @@ static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value)
    3767 */
    3768 static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value)
    3769 {
    3770 - return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, value);
    3771 + __be16 tmp = value;
    3772 +
    3773 + return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, tmp);
    3774 }
    3775
    3776 /**
    3777 @@ -812,7 +821,9 @@ static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value)
    3778 */
    3779 static inline int nla_put_le16(struct sk_buff *skb, int attrtype, __le16 value)
    3780 {
    3781 - return nla_put(skb, attrtype, sizeof(__le16), &value);
    3782 + __le16 tmp = value;
    3783 +
    3784 + return nla_put(skb, attrtype, sizeof(__le16), &tmp);
    3785 }
    3786
    3787 /**
    3788 @@ -823,7 +834,9 @@ static inline int nla_put_le16(struct sk_buff *skb, int attrtype, __le16 value)
    3789 */
    3790 static inline int nla_put_u32(struct sk_buff *skb, int attrtype, u32 value)
    3791 {
    3792 - return nla_put(skb, attrtype, sizeof(u32), &value);
    3793 + u32 tmp = value;
    3794 +
    3795 + return nla_put(skb, attrtype, sizeof(u32), &tmp);
    3796 }
    3797
    3798 /**
    3799 @@ -834,7 +847,9 @@ static inline int nla_put_u32(struct sk_buff *skb, int attrtype, u32 value)
    3800 */
    3801 static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value)
    3802 {
    3803 - return nla_put(skb, attrtype, sizeof(__be32), &value);
    3804 + __be32 tmp = value;
    3805 +
    3806 + return nla_put(skb, attrtype, sizeof(__be32), &tmp);
    3807 }
    3808
    3809 /**
    3810 @@ -845,7 +860,9 @@ static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value)
    3811 */
    3812 static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value)
    3813 {
    3814 - return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, value);
    3815 + __be32 tmp = value;
    3816 +
    3817 + return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, tmp);
    3818 }
    3819
    3820 /**
    3821 @@ -856,7 +873,9 @@ static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value)
    3822 */
    3823 static inline int nla_put_le32(struct sk_buff *skb, int attrtype, __le32 value)
    3824 {
    3825 - return nla_put(skb, attrtype, sizeof(__le32), &value);
    3826 + __le32 tmp = value;
    3827 +
    3828 + return nla_put(skb, attrtype, sizeof(__le32), &tmp);
    3829 }
    3830
    3831 /**
    3832 @@ -869,7 +888,9 @@ static inline int nla_put_le32(struct sk_buff *skb, int attrtype, __le32 value)
    3833 static inline int nla_put_u64_64bit(struct sk_buff *skb, int attrtype,
    3834 u64 value, int padattr)
    3835 {
    3836 - return nla_put_64bit(skb, attrtype, sizeof(u64), &value, padattr);
    3837 + u64 tmp = value;
    3838 +
    3839 + return nla_put_64bit(skb, attrtype, sizeof(u64), &tmp, padattr);
    3840 }
    3841
    3842 /**
    3843 @@ -882,7 +903,9 @@ static inline int nla_put_u64_64bit(struct sk_buff *skb, int attrtype,
    3844 static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value,
    3845 int padattr)
    3846 {
    3847 - return nla_put_64bit(skb, attrtype, sizeof(__be64), &value, padattr);
    3848 + __be64 tmp = value;
    3849 +
    3850 + return nla_put_64bit(skb, attrtype, sizeof(__be64), &tmp, padattr);
    3851 }
    3852
    3853 /**
    3854 @@ -895,7 +918,9 @@ static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value,
    3855 static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value,
    3856 int padattr)
    3857 {
    3858 - return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, value,
    3859 + __be64 tmp = value;
    3860 +
    3861 + return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, tmp,
    3862 padattr);
    3863 }
    3864
    3865 @@ -909,7 +934,9 @@ static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value,
    3866 static inline int nla_put_le64(struct sk_buff *skb, int attrtype, __le64 value,
    3867 int padattr)
    3868 {
    3869 - return nla_put_64bit(skb, attrtype, sizeof(__le64), &value, padattr);
    3870 + __le64 tmp = value;
    3871 +
    3872 + return nla_put_64bit(skb, attrtype, sizeof(__le64), &tmp, padattr);
    3873 }
    3874
    3875 /**
    3876 @@ -920,7 +947,9 @@ static inline int nla_put_le64(struct sk_buff *skb, int attrtype, __le64 value,
    3877 */
    3878 static inline int nla_put_s8(struct sk_buff *skb, int attrtype, s8 value)
    3879 {
    3880 - return nla_put(skb, attrtype, sizeof(s8), &value);
    3881 + s8 tmp = value;
    3882 +
    3883 + return nla_put(skb, attrtype, sizeof(s8), &tmp);
    3884 }
    3885
    3886 /**
    3887 @@ -931,7 +960,9 @@ static inline int nla_put_s8(struct sk_buff *skb, int attrtype, s8 value)
    3888 */
    3889 static inline int nla_put_s16(struct sk_buff *skb, int attrtype, s16 value)
    3890 {
    3891 - return nla_put(skb, attrtype, sizeof(s16), &value);
    3892 + s16 tmp = value;
    3893 +
    3894 + return nla_put(skb, attrtype, sizeof(s16), &tmp);
    3895 }
    3896
    3897 /**
    3898 @@ -942,7 +973,9 @@ static inline int nla_put_s16(struct sk_buff *skb, int attrtype, s16 value)
    3899 */
    3900 static inline int nla_put_s32(struct sk_buff *skb, int attrtype, s32 value)
    3901 {
    3902 - return nla_put(skb, attrtype, sizeof(s32), &value);
    3903 + s32 tmp = value;
    3904 +
    3905 + return nla_put(skb, attrtype, sizeof(s32), &tmp);
    3906 }
    3907
    3908 /**
    3909 @@ -955,7 +988,9 @@ static inline int nla_put_s32(struct sk_buff *skb, int attrtype, s32 value)
    3910 static inline int nla_put_s64(struct sk_buff *skb, int attrtype, s64 value,
    3911 int padattr)
    3912 {
    3913 - return nla_put_64bit(skb, attrtype, sizeof(s64), &value, padattr);
    3914 + s64 tmp = value;
    3915 +
    3916 + return nla_put_64bit(skb, attrtype, sizeof(s64), &tmp, padattr);
    3917 }
    3918
    3919 /**
    3920 @@ -1005,7 +1040,9 @@ static inline int nla_put_msecs(struct sk_buff *skb, int attrtype,
    3921 static inline int nla_put_in_addr(struct sk_buff *skb, int attrtype,
    3922 __be32 addr)
    3923 {
    3924 - return nla_put_be32(skb, attrtype, addr);
    3925 + __be32 tmp = addr;
    3926 +
    3927 + return nla_put_be32(skb, attrtype, tmp);
    3928 }
    3929
    3930 /**
    3931 diff --git a/include/net/protocol.h b/include/net/protocol.h
    3932 index 65ba335b0e7e..4fc75f7ae23b 100644
    3933 --- a/include/net/protocol.h
    3934 +++ b/include/net/protocol.h
    3935 @@ -39,8 +39,8 @@
    3936
    3937 /* This is used to register protocols. */
    3938 struct net_protocol {
    3939 - void (*early_demux)(struct sk_buff *skb);
    3940 - void (*early_demux_handler)(struct sk_buff *skb);
    3941 + int (*early_demux)(struct sk_buff *skb);
    3942 + int (*early_demux_handler)(struct sk_buff *skb);
    3943 int (*handler)(struct sk_buff *skb);
    3944 void (*err_handler)(struct sk_buff *skb, u32 info);
    3945 unsigned int no_policy:1,
    3946 diff --git a/include/net/route.h b/include/net/route.h
    3947 index cb0a76d9dde1..58458966e31e 100644
    3948 --- a/include/net/route.h
    3949 +++ b/include/net/route.h
    3950 @@ -175,7 +175,9 @@ static inline struct rtable *ip_route_output_gre(struct net *net, struct flowi4
    3951 fl4->fl4_gre_key = gre_key;
    3952 return ip_route_output_key(net, fl4);
    3953 }
    3954 -
    3955 +int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
    3956 + u8 tos, struct net_device *dev,
    3957 + struct in_device *in_dev, u32 *itag);
    3958 int ip_route_input_noref(struct sk_buff *skb, __be32 dst, __be32 src,
    3959 u8 tos, struct net_device *devin);
    3960 int ip_route_input_rcu(struct sk_buff *skb, __be32 dst, __be32 src,
    3961 diff --git a/include/net/sctp/ulpevent.h b/include/net/sctp/ulpevent.h
    3962 index 1060494ac230..b8c86ec1a8f5 100644
    3963 --- a/include/net/sctp/ulpevent.h
    3964 +++ b/include/net/sctp/ulpevent.h
    3965 @@ -153,8 +153,12 @@ __u16 sctp_ulpevent_get_notification_type(const struct sctp_ulpevent *event);
    3966 static inline int sctp_ulpevent_type_enabled(__u16 sn_type,
    3967 struct sctp_event_subscribe *mask)
    3968 {
    3969 + int offset = sn_type - SCTP_SN_TYPE_BASE;
    3970 char *amask = (char *) mask;
    3971 - return amask[sn_type - SCTP_SN_TYPE_BASE];
    3972 +
    3973 + if (offset >= sizeof(struct sctp_event_subscribe))
    3974 + return 0;
    3975 + return amask[offset];
    3976 }
    3977
    3978 /* Given an event subscription, is this event enabled? */
    3979 diff --git a/include/net/tcp.h b/include/net/tcp.h
    3980 index f642a39f9eee..48978125947b 100644
    3981 --- a/include/net/tcp.h
    3982 +++ b/include/net/tcp.h
    3983 @@ -347,7 +347,7 @@ void tcp_v4_err(struct sk_buff *skb, u32);
    3984
    3985 void tcp_shutdown(struct sock *sk, int how);
    3986
    3987 -void tcp_v4_early_demux(struct sk_buff *skb);
    3988 +int tcp_v4_early_demux(struct sk_buff *skb);
    3989 int tcp_v4_rcv(struct sk_buff *skb);
    3990
    3991 int tcp_v4_tw_remember_stamp(struct inet_timewait_sock *tw);
    3992 diff --git a/include/net/udp.h b/include/net/udp.h
    3993 index 626c2d8a70c5..1e6b2476d427 100644
    3994 --- a/include/net/udp.h
    3995 +++ b/include/net/udp.h
    3996 @@ -259,7 +259,7 @@ static inline struct sk_buff *skb_recv_udp(struct sock *sk, unsigned int flags,
    3997 return __skb_recv_udp(sk, flags, noblock, &peeked, &off, err);
    3998 }
    3999
    4000 -void udp_v4_early_demux(struct sk_buff *skb);
    4001 +int udp_v4_early_demux(struct sk_buff *skb);
    4002 bool udp_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst);
    4003 int udp_get_port(struct sock *sk, unsigned short snum,
    4004 int (*saddr_cmp)(const struct sock *,
    4005 diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
    4006 index 0979a5f3b69a..6ff1bab23679 100644
    4007 --- a/include/scsi/scsi_device.h
    4008 +++ b/include/scsi/scsi_device.h
    4009 @@ -182,6 +182,7 @@ struct scsi_device {
    4010 unsigned no_dif:1; /* T10 PI (DIF) should be disabled */
    4011 unsigned broken_fua:1; /* Don't set FUA bit */
    4012 unsigned lun_in_cdb:1; /* Store LUN bits in CDB[1] */
    4013 + unsigned unmap_limit_for_ws:1; /* Use the UNMAP limit for WRITE SAME */
    4014
    4015 atomic_t disk_events_disable_depth; /* disable depth for disk events */
    4016
    4017 diff --git a/include/scsi/scsi_devinfo.h b/include/scsi/scsi_devinfo.h
    4018 index 9592570e092a..36b03013d629 100644
    4019 --- a/include/scsi/scsi_devinfo.h
    4020 +++ b/include/scsi/scsi_devinfo.h
    4021 @@ -29,5 +29,6 @@
    4022 #define BLIST_TRY_VPD_PAGES 0x10000000 /* Attempt to read VPD pages */
    4023 #define BLIST_NO_RSOC 0x20000000 /* don't try to issue RSOC */
    4024 #define BLIST_MAX_1024 0x40000000 /* maximum 1024 sector cdb length */
    4025 +#define BLIST_UNMAP_LIMIT_WS 0x80000000 /* Use UNMAP limit for WRITE SAME */
    4026
    4027 #endif
    4028 diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
    4029 index e99e3e6f8b37..f0add86219f0 100644
    4030 --- a/include/uapi/linux/bpf.h
    4031 +++ b/include/uapi/linux/bpf.h
    4032 @@ -294,7 +294,7 @@ union bpf_attr {
    4033 * jump into another BPF program
    4034 * @ctx: context pointer passed to next program
    4035 * @prog_array_map: pointer to map which type is BPF_MAP_TYPE_PROG_ARRAY
    4036 - * @index: index inside array that selects specific program to run
    4037 + * @index: 32-bit index inside array that selects specific program to run
    4038 * Return: 0 on success or negative error
    4039 *
    4040 * int bpf_clone_redirect(skb, ifindex, flags)
    4041 diff --git a/include/uapi/linux/dm-ioctl.h b/include/uapi/linux/dm-ioctl.h
    4042 index 412c06a624c8..ccaea525340b 100644
    4043 --- a/include/uapi/linux/dm-ioctl.h
    4044 +++ b/include/uapi/linux/dm-ioctl.h
    4045 @@ -269,9 +269,9 @@ enum {
    4046 #define DM_DEV_SET_GEOMETRY _IOWR(DM_IOCTL, DM_DEV_SET_GEOMETRY_CMD, struct dm_ioctl)
    4047
    4048 #define DM_VERSION_MAJOR 4
    4049 -#define DM_VERSION_MINOR 36
    4050 +#define DM_VERSION_MINOR 37
    4051 #define DM_VERSION_PATCHLEVEL 0
    4052 -#define DM_VERSION_EXTRA "-ioctl (2017-06-09)"
    4053 +#define DM_VERSION_EXTRA "-ioctl (2017-09-20)"
    4054
    4055 /* Status bits */
    4056 #define DM_READONLY_FLAG (1 << 0) /* In/Out */
    4057 diff --git a/include/uapi/linux/usb/ch9.h b/include/uapi/linux/usb/ch9.h
    4058 index ce1169af39d7..2a5d63040a0b 100644
    4059 --- a/include/uapi/linux/usb/ch9.h
    4060 +++ b/include/uapi/linux/usb/ch9.h
    4061 @@ -780,6 +780,7 @@ struct usb_interface_assoc_descriptor {
    4062 __u8 iFunction;
    4063 } __attribute__ ((packed));
    4064
    4065 +#define USB_DT_INTERFACE_ASSOCIATION_SIZE 8
    4066
    4067 /*-------------------------------------------------------------------------*/
    4068
    4069 diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
    4070 index ad5f55922a13..9a1bed1f3029 100644
    4071 --- a/kernel/bpf/core.c
    4072 +++ b/kernel/bpf/core.c
    4073 @@ -1010,7 +1010,7 @@ static unsigned int ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn,
    4074 struct bpf_map *map = (struct bpf_map *) (unsigned long) BPF_R2;
    4075 struct bpf_array *array = container_of(map, struct bpf_array, map);
    4076 struct bpf_prog *prog;
    4077 - u64 index = BPF_R3;
    4078 + u32 index = BPF_R3;
    4079
    4080 if (unlikely(index >= array->map.max_entries))
    4081 goto out;
    4082 diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
    4083 index 6c772adabad2..1939d91da1f8 100644
    4084 --- a/kernel/bpf/syscall.c
    4085 +++ b/kernel/bpf/syscall.c
    4086 @@ -144,15 +144,17 @@ static int bpf_map_alloc_id(struct bpf_map *map)
    4087
    4088 static void bpf_map_free_id(struct bpf_map *map, bool do_idr_lock)
    4089 {
    4090 + unsigned long flags;
    4091 +
    4092 if (do_idr_lock)
    4093 - spin_lock_bh(&map_idr_lock);
    4094 + spin_lock_irqsave(&map_idr_lock, flags);
    4095 else
    4096 __acquire(&map_idr_lock);
    4097
    4098 idr_remove(&map_idr, map->id);
    4099
    4100 if (do_idr_lock)
    4101 - spin_unlock_bh(&map_idr_lock);
    4102 + spin_unlock_irqrestore(&map_idr_lock, flags);
    4103 else
    4104 __release(&map_idr_lock);
    4105 }
    4106 diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
    4107 index 664d93972373..3940019b9740 100644
    4108 --- a/kernel/bpf/verifier.c
    4109 +++ b/kernel/bpf/verifier.c
    4110 @@ -1978,7 +1978,8 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
    4111 }
    4112 } else {
    4113 if (insn->src_reg != BPF_REG_0 || insn->off != 0 ||
    4114 - (insn->imm != 16 && insn->imm != 32 && insn->imm != 64)) {
    4115 + (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) ||
    4116 + BPF_CLASS(insn->code) == BPF_ALU64) {
    4117 verbose("BPF_END uses reserved fields\n");
    4118 return -EINVAL;
    4119 }
    4120 diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
    4121 index df2e0f14a95d..6d60aafbe8c1 100644
    4122 --- a/kernel/cgroup/cgroup.c
    4123 +++ b/kernel/cgroup/cgroup.c
    4124 @@ -2168,6 +2168,14 @@ static int cgroup_migrate_execute(struct cgroup_mgctx *mgctx)
    4125 list_del_init(&cset->mg_node);
    4126 }
    4127 spin_unlock_irq(&css_set_lock);
    4128 +
    4129 + /*
    4130 + * Re-initialize the cgroup_taskset structure in case it is reused
    4131 + * again in another cgroup_migrate_add_task()/cgroup_migrate_execute()
    4132 + * iteration.
    4133 + */
    4134 + tset->nr_tasks = 0;
    4135 + tset->csets = &tset->src_csets;
    4136 return ret;
    4137 }
    4138
    4139 diff --git a/kernel/events/core.c b/kernel/events/core.c
    4140 index 03ac9c8b02fb..7242a6e1ec76 100644
    4141 --- a/kernel/events/core.c
    4142 +++ b/kernel/events/core.c
    4143 @@ -8121,6 +8121,7 @@ static int perf_event_set_bpf_prog(struct perf_event *event, u32 prog_fd)
    4144 }
    4145 }
    4146 event->tp_event->prog = prog;
    4147 + event->tp_event->bpf_prog_owner = event;
    4148
    4149 return 0;
    4150 }
    4151 @@ -8135,7 +8136,7 @@ static void perf_event_free_bpf_prog(struct perf_event *event)
    4152 return;
    4153
    4154 prog = event->tp_event->prog;
    4155 - if (prog) {
    4156 + if (prog && event->tp_event->bpf_prog_owner == event) {
    4157 event->tp_event->prog = NULL;
    4158 bpf_prog_put(prog);
    4159 }
    4160 diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
    4161 index 725819569fa7..2ee3e3345ff3 100644
    4162 --- a/kernel/trace/ftrace.c
    4163 +++ b/kernel/trace/ftrace.c
    4164 @@ -4954,9 +4954,6 @@ static char ftrace_graph_buf[FTRACE_FILTER_SIZE] __initdata;
    4165 static char ftrace_graph_notrace_buf[FTRACE_FILTER_SIZE] __initdata;
    4166 static int ftrace_graph_set_hash(struct ftrace_hash *hash, char *buffer);
    4167
    4168 -static unsigned long save_global_trampoline;
    4169 -static unsigned long save_global_flags;
    4170 -
    4171 static int __init set_graph_function(char *str)
    4172 {
    4173 strlcpy(ftrace_graph_buf, str, FTRACE_FILTER_SIZE);
    4174 @@ -6756,17 +6753,6 @@ void unregister_ftrace_graph(void)
    4175 unregister_pm_notifier(&ftrace_suspend_notifier);
    4176 unregister_trace_sched_switch(ftrace_graph_probe_sched_switch, NULL);
    4177
    4178 -#ifdef CONFIG_DYNAMIC_FTRACE
    4179 - /*
    4180 - * Function graph does not allocate the trampoline, but
    4181 - * other global_ops do. We need to reset the ALLOC_TRAMP flag
    4182 - * if one was used.
    4183 - */
    4184 - global_ops.trampoline = save_global_trampoline;
    4185 - if (save_global_flags & FTRACE_OPS_FL_ALLOC_TRAMP)
    4186 - global_ops.flags |= FTRACE_OPS_FL_ALLOC_TRAMP;
    4187 -#endif
    4188 -
    4189 out:
    4190 mutex_unlock(&ftrace_lock);
    4191 }
    4192 diff --git a/lib/ratelimit.c b/lib/ratelimit.c
    4193 index 08f8043cac61..d01f47135239 100644
    4194 --- a/lib/ratelimit.c
    4195 +++ b/lib/ratelimit.c
    4196 @@ -48,7 +48,9 @@ int ___ratelimit(struct ratelimit_state *rs, const char *func)
    4197 if (time_is_before_jiffies(rs->begin + rs->interval)) {
    4198 if (rs->missed) {
    4199 if (!(rs->flags & RATELIMIT_MSG_ON_RELEASE)) {
    4200 - pr_warn("%s: %d callbacks suppressed\n", func, rs->missed);
    4201 + printk_deferred(KERN_WARNING
    4202 + "%s: %d callbacks suppressed\n",
    4203 + func, rs->missed);
    4204 rs->missed = 0;
    4205 }
    4206 }
    4207 diff --git a/mm/ksm.c b/mm/ksm.c
    4208 index db20f8436bc3..86f0db3d6cdb 100644
    4209 --- a/mm/ksm.c
    4210 +++ b/mm/ksm.c
    4211 @@ -1990,6 +1990,7 @@ static void stable_tree_append(struct rmap_item *rmap_item,
    4212 */
    4213 static void cmp_and_merge_page(struct page *page, struct rmap_item *rmap_item)
    4214 {
    4215 + struct mm_struct *mm = rmap_item->mm;
    4216 struct rmap_item *tree_rmap_item;
    4217 struct page *tree_page = NULL;
    4218 struct stable_node *stable_node;
    4219 @@ -2062,9 +2063,11 @@ static void cmp_and_merge_page(struct page *page, struct rmap_item *rmap_item)
    4220 if (ksm_use_zero_pages && (checksum == zero_checksum)) {
    4221 struct vm_area_struct *vma;
    4222
    4223 - vma = find_mergeable_vma(rmap_item->mm, rmap_item->address);
    4224 + down_read(&mm->mmap_sem);
    4225 + vma = find_mergeable_vma(mm, rmap_item->address);
    4226 err = try_to_merge_one_page(vma, page,
    4227 ZERO_PAGE(rmap_item->address));
    4228 + up_read(&mm->mmap_sem);
    4229 /*
    4230 * In case of failure, the page was not really empty, so we
    4231 * need to continue. Otherwise we're done.
    4232 diff --git a/mm/madvise.c b/mm/madvise.c
    4233 index 4d7d1e5ddba9..4edca1d86339 100644
    4234 --- a/mm/madvise.c
    4235 +++ b/mm/madvise.c
    4236 @@ -614,18 +614,26 @@ static int madvise_inject_error(int behavior,
    4237 {
    4238 struct page *page;
    4239 struct zone *zone;
    4240 + unsigned int order;
    4241
    4242 if (!capable(CAP_SYS_ADMIN))
    4243 return -EPERM;
    4244
    4245 - for (; start < end; start += PAGE_SIZE <<
    4246 - compound_order(compound_head(page))) {
    4247 +
    4248 + for (; start < end; start += PAGE_SIZE << order) {
    4249 int ret;
    4250
    4251 ret = get_user_pages_fast(start, 1, 0, &page);
    4252 if (ret != 1)
    4253 return ret;
    4254
    4255 + /*
    4256 + * When soft offlining hugepages, after migrating the page
    4257 + * we dissolve it, therefore in the second loop "page" will
    4258 + * no longer be a compound page, and order will be 0.
    4259 + */
    4260 + order = compound_order(compound_head(page));
    4261 +
    4262 if (PageHWPoison(page)) {
    4263 put_page(page);
    4264 continue;
    4265 diff --git a/mm/oom_kill.c b/mm/oom_kill.c
    4266 index 9e8b4f030c1c..5f6a52903770 100644
    4267 --- a/mm/oom_kill.c
    4268 +++ b/mm/oom_kill.c
    4269 @@ -40,6 +40,7 @@
    4270 #include <linux/ratelimit.h>
    4271 #include <linux/kthread.h>
    4272 #include <linux/init.h>
    4273 +#include <linux/mmu_notifier.h>
    4274
    4275 #include <asm/tlb.h>
    4276 #include "internal.h"
    4277 @@ -494,6 +495,21 @@ static bool __oom_reap_task_mm(struct task_struct *tsk, struct mm_struct *mm)
    4278 goto unlock_oom;
    4279 }
    4280
    4281 + /*
    4282 + * If the mm has notifiers then we would need to invalidate them around
    4283 + * unmap_page_range and that is risky because notifiers can sleep and
    4284 + * what they do is basically undeterministic. So let's have a short
    4285 + * sleep to give the oom victim some more time.
    4286 + * TODO: we really want to get rid of this ugly hack and make sure that
    4287 + * notifiers cannot block for unbounded amount of time and add
    4288 + * mmu_notifier_invalidate_range_{start,end} around unmap_page_range
    4289 + */
    4290 + if (mm_has_notifiers(mm)) {
    4291 + up_read(&mm->mmap_sem);
    4292 + schedule_timeout_idle(HZ);
    4293 + goto unlock_oom;
    4294 + }
    4295 +
    4296 /*
    4297 * increase mm_users only after we know we will reap something so
    4298 * that the mmput_async is called only when we have reaped something
    4299 diff --git a/mm/rodata_test.c b/mm/rodata_test.c
    4300 index 6bb4deb12e78..d908c8769b48 100644
    4301 --- a/mm/rodata_test.c
    4302 +++ b/mm/rodata_test.c
    4303 @@ -14,7 +14,7 @@
    4304 #include <linux/uaccess.h>
    4305 #include <asm/sections.h>
    4306
    4307 -const int rodata_test_data = 0xC3;
    4308 +static const int rodata_test_data = 0xC3;
    4309
    4310 void rodata_test(void)
    4311 {
    4312 diff --git a/mm/swap.c b/mm/swap.c
    4313 index 60b1d2a75852..ea84f04d75a4 100644
    4314 --- a/mm/swap.c
    4315 +++ b/mm/swap.c
    4316 @@ -575,7 +575,7 @@ static void lru_lazyfree_fn(struct page *page, struct lruvec *lruvec,
    4317 void *arg)
    4318 {
    4319 if (PageLRU(page) && PageAnon(page) && PageSwapBacked(page) &&
    4320 - !PageUnevictable(page)) {
    4321 + !PageSwapCache(page) && !PageUnevictable(page)) {
    4322 bool active = PageActive(page);
    4323
    4324 del_page_from_lru_list(page, lruvec,
    4325 @@ -665,7 +665,7 @@ void deactivate_file_page(struct page *page)
    4326 void mark_page_lazyfree(struct page *page)
    4327 {
    4328 if (PageLRU(page) && PageAnon(page) && PageSwapBacked(page) &&
    4329 - !PageUnevictable(page)) {
    4330 + !PageSwapCache(page) && !PageUnevictable(page)) {
    4331 struct pagevec *pvec = &get_cpu_var(lru_lazyfree_pvecs);
    4332
    4333 get_page(page);
    4334 diff --git a/mm/swap_state.c b/mm/swap_state.c
    4335 index b68c93014f50..fe9309ba948c 100644
    4336 --- a/mm/swap_state.c
    4337 +++ b/mm/swap_state.c
    4338 @@ -219,6 +219,17 @@ int add_to_swap(struct page *page)
    4339 * clear SWAP_HAS_CACHE flag.
    4340 */
    4341 goto fail;
    4342 + /*
    4343 + * Normally the page will be dirtied in unmap because its pte should be
    4344 + * dirty. A special case is MADV_FREE page. The page'e pte could have
    4345 + * dirty bit cleared but the page's SwapBacked bit is still set because
    4346 + * clearing the dirty bit and SwapBacked bit has no lock protected. For
    4347 + * such page, unmap will not set dirty bit for it, so page reclaim will
    4348 + * not write the page out. This can cause data corruption when the page
    4349 + * is swap in later. Always setting the dirty bit for the page solves
    4350 + * the problem.
    4351 + */
    4352 + set_page_dirty(page);
    4353
    4354 return 1;
    4355
    4356 diff --git a/net/core/dev.c b/net/core/dev.c
    4357 index 86b4b0a79e7a..6fa30a4c60ef 100644
    4358 --- a/net/core/dev.c
    4359 +++ b/net/core/dev.c
    4360 @@ -4408,6 +4408,7 @@ static u32 netif_receive_generic_xdp(struct sk_buff *skb,
    4361 __skb_pull(skb, off);
    4362 else if (off < 0)
    4363 __skb_push(skb, -off);
    4364 + skb->mac_header += off;
    4365
    4366 switch (act) {
    4367 case XDP_TX:
    4368 diff --git a/net/core/filter.c b/net/core/filter.c
    4369 index 169974998c76..18d591f1ae5a 100644
    4370 --- a/net/core/filter.c
    4371 +++ b/net/core/filter.c
    4372 @@ -975,10 +975,14 @@ static bool __sk_filter_charge(struct sock *sk, struct sk_filter *fp)
    4373
    4374 bool sk_filter_charge(struct sock *sk, struct sk_filter *fp)
    4375 {
    4376 - bool ret = __sk_filter_charge(sk, fp);
    4377 - if (ret)
    4378 - refcount_inc(&fp->refcnt);
    4379 - return ret;
    4380 + if (!refcount_inc_not_zero(&fp->refcnt))
    4381 + return false;
    4382 +
    4383 + if (!__sk_filter_charge(sk, fp)) {
    4384 + sk_filter_release(fp);
    4385 + return false;
    4386 + }
    4387 + return true;
    4388 }
    4389
    4390 static struct bpf_prog *bpf_migrate_filter(struct bpf_prog *fp)
    4391 diff --git a/net/core/gen_estimator.c b/net/core/gen_estimator.c
    4392 index 0385dece1f6f..7c1ffd6f9501 100644
    4393 --- a/net/core/gen_estimator.c
    4394 +++ b/net/core/gen_estimator.c
    4395 @@ -83,10 +83,10 @@ static void est_timer(unsigned long arg)
    4396 u64 rate, brate;
    4397
    4398 est_fetch_counters(est, &b);
    4399 - brate = (b.bytes - est->last_bytes) << (8 - est->ewma_log);
    4400 + brate = (b.bytes - est->last_bytes) << (10 - est->ewma_log - est->intvl_log);
    4401 brate -= (est->avbps >> est->ewma_log);
    4402
    4403 - rate = (u64)(b.packets - est->last_packets) << (8 - est->ewma_log);
    4404 + rate = (u64)(b.packets - est->last_packets) << (10 - est->ewma_log - est->intvl_log);
    4405 rate -= (est->avpps >> est->ewma_log);
    4406
    4407 write_seqcount_begin(&est->seq);
    4408 diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
    4409 index 9201e3621351..e07c8847c6cf 100644
    4410 --- a/net/core/rtnetlink.c
    4411 +++ b/net/core/rtnetlink.c
    4412 @@ -3867,6 +3867,9 @@ static int rtnl_fill_statsinfo(struct sk_buff *skb, struct net_device *dev,
    4413 return -EMSGSIZE;
    4414
    4415 ifsm = nlmsg_data(nlh);
    4416 + ifsm->family = PF_UNSPEC;
    4417 + ifsm->pad1 = 0;
    4418 + ifsm->pad2 = 0;
    4419 ifsm->ifindex = dev->ifindex;
    4420 ifsm->filter_mask = filter_mask;
    4421
    4422 diff --git a/net/core/sock.c b/net/core/sock.c
    4423 index ac2a404c73eb..0967da925022 100644
    4424 --- a/net/core/sock.c
    4425 +++ b/net/core/sock.c
    4426 @@ -1646,6 +1646,8 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
    4427
    4428 sock_copy(newsk, sk);
    4429
    4430 + newsk->sk_prot_creator = sk->sk_prot;
    4431 +
    4432 /* SANITY */
    4433 if (likely(newsk->sk_net_refcnt))
    4434 get_net(sock_net(newsk));
    4435 @@ -1673,13 +1675,16 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
    4436
    4437 sock_reset_flag(newsk, SOCK_DONE);
    4438
    4439 - filter = rcu_dereference_protected(newsk->sk_filter, 1);
    4440 + rcu_read_lock();
    4441 + filter = rcu_dereference(sk->sk_filter);
    4442 if (filter != NULL)
    4443 /* though it's an empty new sock, the charging may fail
    4444 * if sysctl_optmem_max was changed between creation of
    4445 * original socket and cloning
    4446 */
    4447 is_charged = sk_filter_charge(newsk, filter);
    4448 + RCU_INIT_POINTER(newsk->sk_filter, filter);
    4449 + rcu_read_unlock();
    4450
    4451 if (unlikely(!is_charged || xfrm_sk_clone_policy(newsk, sk))) {
    4452 /* We need to make sure that we don't uncharge the new
    4453 diff --git a/net/dsa/slave.c b/net/dsa/slave.c
    4454 index 9507bd38cf04..07677540129a 100644
    4455 --- a/net/dsa/slave.c
    4456 +++ b/net/dsa/slave.c
    4457 @@ -1180,26 +1180,32 @@ int dsa_slave_create(struct dsa_switch *ds, struct device *parent,
    4458 p->old_duplex = -1;
    4459
    4460 ds->ports[port].netdev = slave_dev;
    4461 - ret = register_netdev(slave_dev);
    4462 - if (ret) {
    4463 - netdev_err(master, "error %d registering interface %s\n",
    4464 - ret, slave_dev->name);
    4465 - ds->ports[port].netdev = NULL;
    4466 - free_netdev(slave_dev);
    4467 - return ret;
    4468 - }
    4469
    4470 netif_carrier_off(slave_dev);
    4471
    4472 ret = dsa_slave_phy_setup(p, slave_dev);
    4473 if (ret) {
    4474 netdev_err(master, "error %d setting up slave phy\n", ret);
    4475 - unregister_netdev(slave_dev);
    4476 - free_netdev(slave_dev);
    4477 - return ret;
    4478 + goto out_free;
    4479 + }
    4480 +
    4481 + ret = register_netdev(slave_dev);
    4482 + if (ret) {
    4483 + netdev_err(master, "error %d registering interface %s\n",
    4484 + ret, slave_dev->name);
    4485 + goto out_phy;
    4486 }
    4487
    4488 return 0;
    4489 +
    4490 +out_phy:
    4491 + phy_disconnect(p->phy);
    4492 + if (of_phy_is_fixed_link(p->dp->dn))
    4493 + of_phy_deregister_fixed_link(p->dp->dn);
    4494 +out_free:
    4495 + free_netdev(slave_dev);
    4496 + ds->ports[port].netdev = NULL;
    4497 + return ret;
    4498 }
    4499
    4500 void dsa_slave_destroy(struct net_device *slave_dev)
    4501 diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
    4502 index fa2dc8f692c6..57fc13c6ab2b 100644
    4503 --- a/net/ipv4/ip_input.c
    4504 +++ b/net/ipv4/ip_input.c
    4505 @@ -311,9 +311,10 @@ static inline bool ip_rcv_options(struct sk_buff *skb)
    4506 static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
    4507 {
    4508 const struct iphdr *iph = ip_hdr(skb);
    4509 - struct rtable *rt;
    4510 + int (*edemux)(struct sk_buff *skb);
    4511 struct net_device *dev = skb->dev;
    4512 - void (*edemux)(struct sk_buff *skb);
    4513 + struct rtable *rt;
    4514 + int err;
    4515
    4516 /* if ingress device is enslaved to an L3 master device pass the
    4517 * skb to its handler for processing
    4518 @@ -331,7 +332,9 @@ static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
    4519
    4520 ipprot = rcu_dereference(inet_protos[protocol]);
    4521 if (ipprot && (edemux = READ_ONCE(ipprot->early_demux))) {
    4522 - edemux(skb);
    4523 + err = edemux(skb);
    4524 + if (unlikely(err))
    4525 + goto drop_error;
    4526 /* must reload iph, skb->head might have changed */
    4527 iph = ip_hdr(skb);
    4528 }
    4529 @@ -342,13 +345,10 @@ static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
    4530 * how the packet travels inside Linux networking.
    4531 */
    4532 if (!skb_valid_dst(skb)) {
    4533 - int err = ip_route_input_noref(skb, iph->daddr, iph->saddr,
    4534 - iph->tos, dev);
    4535 - if (unlikely(err)) {
    4536 - if (err == -EXDEV)
    4537 - __NET_INC_STATS(net, LINUX_MIB_IPRPFILTER);
    4538 - goto drop;
    4539 - }
    4540 + err = ip_route_input_noref(skb, iph->daddr, iph->saddr,
    4541 + iph->tos, dev);
    4542 + if (unlikely(err))
    4543 + goto drop_error;
    4544 }
    4545
    4546 #ifdef CONFIG_IP_ROUTE_CLASSID
    4547 @@ -399,6 +399,11 @@ static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
    4548 drop:
    4549 kfree_skb(skb);
    4550 return NET_RX_DROP;
    4551 +
    4552 +drop_error:
    4553 + if (err == -EXDEV)
    4554 + __NET_INC_STATS(net, LINUX_MIB_IPRPFILTER);
    4555 + goto drop;
    4556 }
    4557
    4558 /*
    4559 diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
    4560 index 0192c255e508..74bd46c5bda7 100644
    4561 --- a/net/ipv4/ip_vti.c
    4562 +++ b/net/ipv4/ip_vti.c
    4563 @@ -168,6 +168,7 @@ static netdev_tx_t vti_xmit(struct sk_buff *skb, struct net_device *dev,
    4564 struct ip_tunnel_parm *parms = &tunnel->parms;
    4565 struct dst_entry *dst = skb_dst(skb);
    4566 struct net_device *tdev; /* Device to other host */
    4567 + int pkt_len = skb->len;
    4568 int err;
    4569 int mtu;
    4570
    4571 @@ -229,7 +230,7 @@ static netdev_tx_t vti_xmit(struct sk_buff *skb, struct net_device *dev,
    4572
    4573 err = dst_output(tunnel->net, skb->sk, skb);
    4574 if (net_xmit_eval(err) == 0)
    4575 - err = skb->len;
    4576 + err = pkt_len;
    4577 iptunnel_xmit_stats(dev, err);
    4578 return NETDEV_TX_OK;
    4579
    4580 diff --git a/net/ipv4/route.c b/net/ipv4/route.c
    4581 index 2331de20ca50..c5aa25be7108 100644
    4582 --- a/net/ipv4/route.c
    4583 +++ b/net/ipv4/route.c
    4584 @@ -1520,43 +1520,56 @@ struct rtable *rt_dst_alloc(struct net_device *dev,
    4585 EXPORT_SYMBOL(rt_dst_alloc);
    4586
    4587 /* called in rcu_read_lock() section */
    4588 -static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
    4589 - u8 tos, struct net_device *dev, int our)
    4590 +int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
    4591 + u8 tos, struct net_device *dev,
    4592 + struct in_device *in_dev, u32 *itag)
    4593 {
    4594 - struct rtable *rth;
    4595 - struct in_device *in_dev = __in_dev_get_rcu(dev);
    4596 - unsigned int flags = RTCF_MULTICAST;
    4597 - u32 itag = 0;
    4598 int err;
    4599
    4600 /* Primary sanity checks. */
    4601 -
    4602 if (!in_dev)
    4603 return -EINVAL;
    4604
    4605 if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr) ||
    4606 skb->protocol != htons(ETH_P_IP))
    4607 - goto e_inval;
    4608 + return -EINVAL;
    4609
    4610 if (ipv4_is_loopback(saddr) && !IN_DEV_ROUTE_LOCALNET(in_dev))
    4611 - goto e_inval;
    4612 + return -EINVAL;
    4613
    4614 if (ipv4_is_zeronet(saddr)) {
    4615 if (!ipv4_is_local_multicast(daddr))
    4616 - goto e_inval;
    4617 + return -EINVAL;
    4618 } else {
    4619 err = fib_validate_source(skb, saddr, 0, tos, 0, dev,
    4620 - in_dev, &itag);
    4621 + in_dev, itag);
    4622 if (err < 0)
    4623 - goto e_err;
    4624 + return err;
    4625 }
    4626 + return 0;
    4627 +}
    4628 +
    4629 +/* called in rcu_read_lock() section */
    4630 +static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
    4631 + u8 tos, struct net_device *dev, int our)
    4632 +{
    4633 + struct in_device *in_dev = __in_dev_get_rcu(dev);
    4634 + unsigned int flags = RTCF_MULTICAST;
    4635 + struct rtable *rth;
    4636 + u32 itag = 0;
    4637 + int err;
    4638 +
    4639 + err = ip_mc_validate_source(skb, daddr, saddr, tos, dev, in_dev, &itag);
    4640 + if (err)
    4641 + return err;
    4642 +
    4643 if (our)
    4644 flags |= RTCF_LOCAL;
    4645
    4646 rth = rt_dst_alloc(dev_net(dev)->loopback_dev, flags, RTN_MULTICAST,
    4647 IN_DEV_CONF_GET(in_dev, NOPOLICY), false, false);
    4648 if (!rth)
    4649 - goto e_nobufs;
    4650 + return -ENOBUFS;
    4651
    4652 #ifdef CONFIG_IP_ROUTE_CLASSID
    4653 rth->dst.tclassid = itag;
    4654 @@ -1572,13 +1585,6 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
    4655
    4656 skb_dst_set(skb, &rth->dst);
    4657 return 0;
    4658 -
    4659 -e_nobufs:
    4660 - return -ENOBUFS;
    4661 -e_inval:
    4662 - return -EINVAL;
    4663 -e_err:
    4664 - return err;
    4665 }
    4666
    4667
    4668 diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
    4669 index 21022db7a2a6..b1441bc8192f 100644
    4670 --- a/net/ipv4/tcp_ipv4.c
    4671 +++ b/net/ipv4/tcp_ipv4.c
    4672 @@ -1504,23 +1504,23 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
    4673 }
    4674 EXPORT_SYMBOL(tcp_v4_do_rcv);
    4675
    4676 -void tcp_v4_early_demux(struct sk_buff *skb)
    4677 +int tcp_v4_early_demux(struct sk_buff *skb)
    4678 {
    4679 const struct iphdr *iph;
    4680 const struct tcphdr *th;
    4681 struct sock *sk;
    4682
    4683 if (skb->pkt_type != PACKET_HOST)
    4684 - return;
    4685 + return 0;
    4686
    4687 if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct tcphdr)))
    4688 - return;
    4689 + return 0;
    4690
    4691 iph = ip_hdr(skb);
    4692 th = tcp_hdr(skb);
    4693
    4694 if (th->doff < sizeof(struct tcphdr) / 4)
    4695 - return;
    4696 + return 0;
    4697
    4698 sk = __inet_lookup_established(dev_net(skb->dev), &tcp_hashinfo,
    4699 iph->saddr, th->source,
    4700 @@ -1539,6 +1539,7 @@ void tcp_v4_early_demux(struct sk_buff *skb)
    4701 skb_dst_set_noref(skb, dst);
    4702 }
    4703 }
    4704 + return 0;
    4705 }
    4706
    4707 /* Packet is added to VJ-style prequeue for processing in process
    4708 diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
    4709 index b7661a68d498..40f7c8ee9ba6 100644
    4710 --- a/net/ipv4/tcp_output.c
    4711 +++ b/net/ipv4/tcp_output.c
    4712 @@ -991,6 +991,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
    4713 struct tcp_skb_cb *tcb;
    4714 struct tcp_out_options opts;
    4715 unsigned int tcp_options_size, tcp_header_size;
    4716 + struct sk_buff *oskb = NULL;
    4717 struct tcp_md5sig_key *md5;
    4718 struct tcphdr *th;
    4719 int err;
    4720 @@ -998,12 +999,10 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
    4721 BUG_ON(!skb || !tcp_skb_pcount(skb));
    4722 tp = tcp_sk(sk);
    4723
    4724 - skb->skb_mstamp = tp->tcp_mstamp;
    4725 if (clone_it) {
    4726 TCP_SKB_CB(skb)->tx.in_flight = TCP_SKB_CB(skb)->end_seq
    4727 - tp->snd_una;
    4728 - tcp_rate_skb_sent(sk, skb);
    4729 -
    4730 + oskb = skb;
    4731 if (unlikely(skb_cloned(skb)))
    4732 skb = pskb_copy(skb, gfp_mask);
    4733 else
    4734 @@ -1011,6 +1010,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
    4735 if (unlikely(!skb))
    4736 return -ENOBUFS;
    4737 }
    4738 + skb->skb_mstamp = tp->tcp_mstamp;
    4739
    4740 inet = inet_sk(sk);
    4741 tcb = TCP_SKB_CB(skb);
    4742 @@ -1122,12 +1122,15 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
    4743
    4744 err = icsk->icsk_af_ops->queue_xmit(sk, skb, &inet->cork.fl);
    4745
    4746 - if (likely(err <= 0))
    4747 - return err;
    4748 -
    4749 - tcp_enter_cwr(sk);
    4750 -
    4751 - return net_xmit_eval(err);
    4752 + if (unlikely(err > 0)) {
    4753 + tcp_enter_cwr(sk);
    4754 + err = net_xmit_eval(err);
    4755 + }
    4756 + if (!err && oskb) {
    4757 + oskb->skb_mstamp = tp->tcp_mstamp;
    4758 + tcp_rate_skb_sent(sk, oskb);
    4759 + }
    4760 + return err;
    4761 }
    4762
    4763 /* This routine just queues the buffer for sending.
    4764 @@ -2866,10 +2869,11 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
    4765 skb_headroom(skb) >= 0xFFFF)) {
    4766 struct sk_buff *nskb;
    4767
    4768 - skb->skb_mstamp = tp->tcp_mstamp;
    4769 nskb = __pskb_copy(skb, MAX_TCP_HEADER, GFP_ATOMIC);
    4770 err = nskb ? tcp_transmit_skb(sk, nskb, 0, GFP_ATOMIC) :
    4771 -ENOBUFS;
    4772 + if (!err)
    4773 + skb->skb_mstamp = tp->tcp_mstamp;
    4774 } else {
    4775 err = tcp_transmit_skb(sk, skb, 1, GFP_ATOMIC);
    4776 }
    4777 @@ -3416,6 +3420,10 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
    4778 goto done;
    4779 }
    4780
    4781 + /* data was not sent, this is our new send_head */
    4782 + sk->sk_send_head = syn_data;
    4783 + tp->packets_out -= tcp_skb_pcount(syn_data);
    4784 +
    4785 fallback:
    4786 /* Send a regular SYN with Fast Open cookie request option */
    4787 if (fo->cookie.len > 0)
    4788 @@ -3468,6 +3476,11 @@ int tcp_connect(struct sock *sk)
    4789 */
    4790 tp->snd_nxt = tp->write_seq;
    4791 tp->pushed_seq = tp->write_seq;
    4792 + buff = tcp_send_head(sk);
    4793 + if (unlikely(buff)) {
    4794 + tp->snd_nxt = TCP_SKB_CB(buff)->seq;
    4795 + tp->pushed_seq = TCP_SKB_CB(buff)->seq;
    4796 + }
    4797 TCP_INC_STATS(sock_net(sk), TCP_MIB_ACTIVEOPENS);
    4798
    4799 /* Timer for repeating the SYN until an answer. */
    4800 diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
    4801 index 979e4d8526ba..84861d71face 100644
    4802 --- a/net/ipv4/udp.c
    4803 +++ b/net/ipv4/udp.c
    4804 @@ -2217,9 +2217,10 @@ static struct sock *__udp4_lib_demux_lookup(struct net *net,
    4805 return NULL;
    4806 }
    4807
    4808 -void udp_v4_early_demux(struct sk_buff *skb)
    4809 +int udp_v4_early_demux(struct sk_buff *skb)
    4810 {
    4811 struct net *net = dev_net(skb->dev);
    4812 + struct in_device *in_dev = NULL;
    4813 const struct iphdr *iph;
    4814 const struct udphdr *uh;
    4815 struct sock *sk = NULL;
    4816 @@ -2229,25 +2230,21 @@ void udp_v4_early_demux(struct sk_buff *skb)
    4817
    4818 /* validate the packet */
    4819 if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct udphdr)))
    4820 - return;
    4821 + return 0;
    4822
    4823 iph = ip_hdr(skb);
    4824 uh = udp_hdr(skb);
    4825
    4826 - if (skb->pkt_type == PACKET_BROADCAST ||
    4827 - skb->pkt_type == PACKET_MULTICAST) {
    4828 - struct in_device *in_dev = __in_dev_get_rcu(skb->dev);
    4829 + if (skb->pkt_type == PACKET_MULTICAST) {
    4830 + in_dev = __in_dev_get_rcu(skb->dev);
    4831
    4832 if (!in_dev)
    4833 - return;
    4834 + return 0;
    4835
    4836 - /* we are supposed to accept bcast packets */
    4837 - if (skb->pkt_type == PACKET_MULTICAST) {
    4838 - ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
    4839 - iph->protocol);
    4840 - if (!ours)
    4841 - return;
    4842 - }
    4843 + ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
    4844 + iph->protocol);
    4845 + if (!ours)
    4846 + return 0;
    4847
    4848 sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr,
    4849 uh->source, iph->saddr, dif);
    4850 @@ -2257,7 +2254,7 @@ void udp_v4_early_demux(struct sk_buff *skb)
    4851 }
    4852
    4853 if (!sk || !refcount_inc_not_zero(&sk->sk_refcnt))
    4854 - return;
    4855 + return 0;
    4856
    4857 skb->sk = sk;
    4858 skb->destructor = sock_efree;
    4859 @@ -2266,12 +2263,23 @@ void udp_v4_early_demux(struct sk_buff *skb)
    4860 if (dst)
    4861 dst = dst_check(dst, 0);
    4862 if (dst) {
    4863 + u32 itag = 0;
    4864 +
    4865 /* set noref for now.
    4866 * any place which wants to hold dst has to call
    4867 * dst_hold_safe()
    4868 */
    4869 skb_dst_set_noref(skb, dst);
    4870 +
    4871 + /* for unconnected multicast sockets we need to validate
    4872 + * the source on each packet
    4873 + */
    4874 + if (!inet_sk(sk)->inet_daddr && in_dev)
    4875 + return ip_mc_validate_source(skb, iph->daddr,
    4876 + iph->saddr, iph->tos,
    4877 + skb->dev, in_dev, &itag);
    4878 }
    4879 + return 0;
    4880 }
    4881
    4882 int udp_rcv(struct sk_buff *skb)
    4883 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
    4884 index 936e9ab4dda5..ba757c28a301 100644
    4885 --- a/net/ipv6/addrconf.c
    4886 +++ b/net/ipv6/addrconf.c
    4887 @@ -4982,9 +4982,10 @@ static void inet6_ifa_notify(int event, struct inet6_ifaddr *ifa)
    4888
    4889 /* Don't send DELADDR notification for TENTATIVE address,
    4890 * since NEWADDR notification is sent only after removing
    4891 - * TENTATIVE flag.
    4892 + * TENTATIVE flag, if DAD has not failed.
    4893 */
    4894 - if (ifa->flags & IFA_F_TENTATIVE && event == RTM_DELADDR)
    4895 + if (ifa->flags & IFA_F_TENTATIVE && !(ifa->flags & IFA_F_DADFAILED) &&
    4896 + event == RTM_DELADDR)
    4897 return;
    4898
    4899 skb = nlmsg_new(inet6_ifaddr_msgsize(), GFP_ATOMIC);
    4900 diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
    4901 index b7a72d409334..1602b491b281 100644
    4902 --- a/net/ipv6/ip6_gre.c
    4903 +++ b/net/ipv6/ip6_gre.c
    4904 @@ -940,24 +940,25 @@ static int ip6gre_tunnel_ioctl(struct net_device *dev,
    4905 }
    4906
    4907 static int ip6gre_header(struct sk_buff *skb, struct net_device *dev,
    4908 - unsigned short type,
    4909 - const void *daddr, const void *saddr, unsigned int len)
    4910 + unsigned short type, const void *daddr,
    4911 + const void *saddr, unsigned int len)
    4912 {
    4913 struct ip6_tnl *t = netdev_priv(dev);
    4914 - struct ipv6hdr *ipv6h = skb_push(skb, t->hlen);
    4915 - __be16 *p = (__be16 *)(ipv6h+1);
    4916 + struct ipv6hdr *ipv6h;
    4917 + __be16 *p;
    4918
    4919 - ip6_flow_hdr(ipv6h, 0,
    4920 - ip6_make_flowlabel(dev_net(dev), skb,
    4921 - t->fl.u.ip6.flowlabel, true,
    4922 - &t->fl.u.ip6));
    4923 + ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h));
    4924 + ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb,
    4925 + t->fl.u.ip6.flowlabel,
    4926 + true, &t->fl.u.ip6));
    4927 ipv6h->hop_limit = t->parms.hop_limit;
    4928 ipv6h->nexthdr = NEXTHDR_GRE;
    4929 ipv6h->saddr = t->parms.laddr;
    4930 ipv6h->daddr = t->parms.raddr;
    4931
    4932 - p[0] = t->parms.o_flags;
    4933 - p[1] = htons(type);
    4934 + p = (__be16 *)(ipv6h + 1);
    4935 + p[0] = t->parms.o_flags;
    4936 + p[1] = htons(type);
    4937
    4938 /*
    4939 * Set the source hardware address.
    4940 @@ -1310,6 +1311,7 @@ static void ip6gre_tap_setup(struct net_device *dev)
    4941 dev->features |= NETIF_F_NETNS_LOCAL;
    4942 dev->priv_flags &= ~IFF_TX_SKB_SHARING;
    4943 dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
    4944 + netif_keep_dst(dev);
    4945 }
    4946
    4947 static bool ip6gre_netlink_encap_parms(struct nlattr *data[],
    4948 diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
    4949 index 3a0ba2ae4b0f..4425b4411bb9 100644
    4950 --- a/net/ipv6/ip6_tunnel.c
    4951 +++ b/net/ipv6/ip6_tunnel.c
    4952 @@ -1043,6 +1043,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
    4953 struct dst_entry *dst = NULL, *ndst = NULL;
    4954 struct net_device *tdev;
    4955 int mtu;
    4956 + unsigned int eth_hlen = t->dev->type == ARPHRD_ETHER ? ETH_HLEN : 0;
    4957 unsigned int psh_hlen = sizeof(struct ipv6hdr) + t->encap_hlen;
    4958 unsigned int max_headroom = psh_hlen;
    4959 bool use_cache = false;
    4960 @@ -1124,7 +1125,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
    4961 t->parms.name);
    4962 goto tx_err_dst_release;
    4963 }
    4964 - mtu = dst_mtu(dst) - psh_hlen - t->tun_hlen;
    4965 + mtu = dst_mtu(dst) - eth_hlen - psh_hlen - t->tun_hlen;
    4966 if (encap_limit >= 0) {
    4967 max_headroom += 8;
    4968 mtu -= 8;
    4969 @@ -1133,7 +1134,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
    4970 mtu = IPV6_MIN_MTU;
    4971 if (skb_dst(skb) && !t->parms.collect_md)
    4972 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
    4973 - if (skb->len - t->tun_hlen > mtu && !skb_is_gso(skb)) {
    4974 + if (skb->len - t->tun_hlen - eth_hlen > mtu && !skb_is_gso(skb)) {
    4975 *pmtu = mtu;
    4976 err = -EMSGSIZE;
    4977 goto tx_err_dst_release;
    4978 @@ -2258,6 +2259,9 @@ static int __init ip6_tunnel_init(void)
    4979 {
    4980 int err;
    4981
    4982 + if (!ipv6_mod_enabled())
    4983 + return -EOPNOTSUPP;
    4984 +
    4985 err = register_pernet_device(&ip6_tnl_net_ops);
    4986 if (err < 0)
    4987 goto out_pernet;
    4988 diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
    4989 index 486c2305f53c..e3e3ea655464 100644
    4990 --- a/net/ipv6/ip6_vti.c
    4991 +++ b/net/ipv6/ip6_vti.c
    4992 @@ -445,6 +445,7 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
    4993 struct dst_entry *dst = skb_dst(skb);
    4994 struct net_device *tdev;
    4995 struct xfrm_state *x;
    4996 + int pkt_len = skb->len;
    4997 int err = -1;
    4998 int mtu;
    4999
    5000 @@ -502,7 +503,7 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
    5001 struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
    5002
    5003 u64_stats_update_begin(&tstats->syncp);
    5004 - tstats->tx_bytes += skb->len;
    5005 + tstats->tx_bytes += pkt_len;
    5006 tstats->tx_packets++;
    5007 u64_stats_update_end(&tstats->syncp);
    5008 } else {
    5009 diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
    5010 index d6886228e1d0..30b4d55e88f3 100644
    5011 --- a/net/ipv6/udp.c
    5012 +++ b/net/ipv6/udp.c
    5013 @@ -1011,6 +1011,7 @@ static void udp6_hwcsum_outgoing(struct sock *sk, struct sk_buff *skb,
    5014 */
    5015 offset = skb_transport_offset(skb);
    5016 skb->csum = skb_checksum(skb, offset, skb->len - offset, 0);
    5017 + csum = skb->csum;
    5018
    5019 skb->ip_summed = CHECKSUM_NONE;
    5020
    5021 diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
    5022 index 90165a6874bc..525c66f1121a 100644
    5023 --- a/net/l2tp/l2tp_core.c
    5024 +++ b/net/l2tp/l2tp_core.c
    5025 @@ -1665,14 +1665,12 @@ EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
    5026
    5027 /* This function is used by the netlink TUNNEL_DELETE command.
    5028 */
    5029 -int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
    5030 +void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
    5031 {
    5032 - l2tp_tunnel_inc_refcount(tunnel);
    5033 - if (false == queue_work(l2tp_wq, &tunnel->del_work)) {
    5034 - l2tp_tunnel_dec_refcount(tunnel);
    5035 - return 1;
    5036 + if (!test_and_set_bit(0, &tunnel->dead)) {
    5037 + l2tp_tunnel_inc_refcount(tunnel);
    5038 + queue_work(l2tp_wq, &tunnel->del_work);
    5039 }
    5040 - return 0;
    5041 }
    5042 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
    5043
    5044 diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
    5045 index 9101297f27ad..7c5a51f62afc 100644
    5046 --- a/net/l2tp/l2tp_core.h
    5047 +++ b/net/l2tp/l2tp_core.h
    5048 @@ -160,6 +160,9 @@ struct l2tp_tunnel_cfg {
    5049
    5050 struct l2tp_tunnel {
    5051 int magic; /* Should be L2TP_TUNNEL_MAGIC */
    5052 +
    5053 + unsigned long dead;
    5054 +
    5055 struct rcu_head rcu;
    5056 rwlock_t hlist_lock; /* protect session_hlist */
    5057 struct hlist_head session_hlist[L2TP_HASH_SIZE];
    5058 @@ -248,7 +251,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id,
    5059 u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg,
    5060 struct l2tp_tunnel **tunnelp);
    5061 void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel);
    5062 -int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel);
    5063 +void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel);
    5064 struct l2tp_session *l2tp_session_create(int priv_size,
    5065 struct l2tp_tunnel *tunnel,
    5066 u32 session_id, u32 peer_session_id,
    5067 diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
    5068 index 4de2ec94b08c..cf456720930c 100644
    5069 --- a/net/l2tp/l2tp_eth.c
    5070 +++ b/net/l2tp/l2tp_eth.c
    5071 @@ -44,7 +44,6 @@ struct l2tp_eth {
    5072 struct net_device *dev;
    5073 struct sock *tunnel_sock;
    5074 struct l2tp_session *session;
    5075 - struct list_head list;
    5076 atomic_long_t tx_bytes;
    5077 atomic_long_t tx_packets;
    5078 atomic_long_t tx_dropped;
    5079 @@ -58,17 +57,6 @@ struct l2tp_eth_sess {
    5080 struct net_device *dev;
    5081 };
    5082
    5083 -/* per-net private data for this module */
    5084 -static unsigned int l2tp_eth_net_id;
    5085 -struct l2tp_eth_net {
    5086 - struct list_head l2tp_eth_dev_list;
    5087 - spinlock_t l2tp_eth_lock;
    5088 -};
    5089 -
    5090 -static inline struct l2tp_eth_net *l2tp_eth_pernet(struct net *net)
    5091 -{
    5092 - return net_generic(net, l2tp_eth_net_id);
    5093 -}
    5094
    5095 static int l2tp_eth_dev_init(struct net_device *dev)
    5096 {
    5097 @@ -84,12 +72,6 @@ static int l2tp_eth_dev_init(struct net_device *dev)
    5098
    5099 static void l2tp_eth_dev_uninit(struct net_device *dev)
    5100 {
    5101 - struct l2tp_eth *priv = netdev_priv(dev);
    5102 - struct l2tp_eth_net *pn = l2tp_eth_pernet(dev_net(dev));
    5103 -
    5104 - spin_lock(&pn->l2tp_eth_lock);
    5105 - list_del_init(&priv->list);
    5106 - spin_unlock(&pn->l2tp_eth_lock);
    5107 dev_put(dev);
    5108 }
    5109
    5110 @@ -272,7 +254,6 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
    5111 struct l2tp_eth *priv;
    5112 struct l2tp_eth_sess *spriv;
    5113 int rc;
    5114 - struct l2tp_eth_net *pn;
    5115
    5116 tunnel = l2tp_tunnel_find(net, tunnel_id);
    5117 if (!tunnel) {
    5118 @@ -310,7 +291,6 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
    5119 priv = netdev_priv(dev);
    5120 priv->dev = dev;
    5121 priv->session = session;
    5122 - INIT_LIST_HEAD(&priv->list);
    5123
    5124 priv->tunnel_sock = tunnel->sock;
    5125 session->recv_skb = l2tp_eth_dev_recv;
    5126 @@ -331,10 +311,6 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
    5127 strlcpy(session->ifname, dev->name, IFNAMSIZ);
    5128
    5129 dev_hold(dev);
    5130 - pn = l2tp_eth_pernet(dev_net(dev));
    5131 - spin_lock(&pn->l2tp_eth_lock);
    5132 - list_add(&priv->list, &pn->l2tp_eth_dev_list);
    5133 - spin_unlock(&pn->l2tp_eth_lock);
    5134
    5135 return 0;
    5136
    5137 @@ -347,22 +323,6 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
    5138 return rc;
    5139 }
    5140
    5141 -static __net_init int l2tp_eth_init_net(struct net *net)
    5142 -{
    5143 - struct l2tp_eth_net *pn = net_generic(net, l2tp_eth_net_id);
    5144 -
    5145 - INIT_LIST_HEAD(&pn->l2tp_eth_dev_list);
    5146 - spin_lock_init(&pn->l2tp_eth_lock);
    5147 -
    5148 - return 0;
    5149 -}
    5150 -
    5151 -static struct pernet_operations l2tp_eth_net_ops = {
    5152 - .init = l2tp_eth_init_net,
    5153 - .id = &l2tp_eth_net_id,
    5154 - .size = sizeof(struct l2tp_eth_net),
    5155 -};
    5156 -
    5157
    5158 static const struct l2tp_nl_cmd_ops l2tp_eth_nl_cmd_ops = {
    5159 .session_create = l2tp_eth_create,
    5160 @@ -376,25 +336,18 @@ static int __init l2tp_eth_init(void)
    5161
    5162 err = l2tp_nl_register_ops(L2TP_PWTYPE_ETH, &l2tp_eth_nl_cmd_ops);
    5163 if (err)
    5164 - goto out;
    5165 -
    5166 - err = register_pernet_device(&l2tp_eth_net_ops);
    5167 - if (err)
    5168 - goto out_unreg;
    5169 + goto err;
    5170
    5171 pr_info("L2TP ethernet pseudowire support (L2TPv3)\n");
    5172
    5173 return 0;
    5174
    5175 -out_unreg:
    5176 - l2tp_nl_unregister_ops(L2TP_PWTYPE_ETH);
    5177 -out:
    5178 +err:
    5179 return err;
    5180 }
    5181
    5182 static void __exit l2tp_eth_exit(void)
    5183 {
    5184 - unregister_pernet_device(&l2tp_eth_net_ops);
    5185 l2tp_nl_unregister_ops(L2TP_PWTYPE_ETH);
    5186 }
    5187
    5188 diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
    5189 index 5acee49db90b..7e794ad50cb0 100644
    5190 --- a/net/netlink/af_netlink.c
    5191 +++ b/net/netlink/af_netlink.c
    5192 @@ -2262,10 +2262,13 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
    5193
    5194 mutex_unlock(nlk->cb_mutex);
    5195
    5196 + ret = 0;
    5197 if (cb->start)
    5198 - cb->start(cb);
    5199 + ret = cb->start(cb);
    5200 +
    5201 + if (!ret)
    5202 + ret = netlink_dump(sk);
    5203
    5204 - ret = netlink_dump(sk);
    5205 sock_put(sk);
    5206
    5207 if (ret)
    5208 diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
    5209 index 6b44fe405282..294444bb075c 100644
    5210 --- a/net/openvswitch/datapath.c
    5211 +++ b/net/openvswitch/datapath.c
    5212 @@ -1126,7 +1126,8 @@ static int ovs_nla_init_match_and_action(struct net *net,
    5213 if (!a[OVS_FLOW_ATTR_KEY]) {
    5214 OVS_NLERR(log,
    5215 "Flow key attribute not present in set flow.");
    5216 - return -EINVAL;
    5217 + error = -EINVAL;
    5218 + goto error;
    5219 }
    5220
    5221 *acts = get_flow_actions(net, a[OVS_FLOW_ATTR_ACTIONS], key,
    5222 diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
    5223 index 1c61af9af67d..29d7b7e5b128 100644
    5224 --- a/net/packet/af_packet.c
    5225 +++ b/net/packet/af_packet.c
    5226 @@ -1686,10 +1686,6 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
    5227
    5228 mutex_lock(&fanout_mutex);
    5229
    5230 - err = -EINVAL;
    5231 - if (!po->running)
    5232 - goto out;
    5233 -
    5234 err = -EALREADY;
    5235 if (po->fanout)
    5236 goto out;
    5237 @@ -1751,7 +1747,10 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
    5238 list_add(&match->list, &fanout_list);
    5239 }
    5240 err = -EINVAL;
    5241 - if (match->type == type &&
    5242 +
    5243 + spin_lock(&po->bind_lock);
    5244 + if (po->running &&
    5245 + match->type == type &&
    5246 match->prot_hook.type == po->prot_hook.type &&
    5247 match->prot_hook.dev == po->prot_hook.dev) {
    5248 err = -ENOSPC;
    5249 @@ -1763,6 +1762,13 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
    5250 err = 0;
    5251 }
    5252 }
    5253 + spin_unlock(&po->bind_lock);
    5254 +
    5255 + if (err && !refcount_read(&match->sk_ref)) {
    5256 + list_del(&match->list);
    5257 + kfree(match);
    5258 + }
    5259 +
    5260 out:
    5261 if (err && rollover) {
    5262 kfree(rollover);
    5263 @@ -2836,6 +2842,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
    5264 struct virtio_net_hdr vnet_hdr = { 0 };
    5265 int offset = 0;
    5266 struct packet_sock *po = pkt_sk(sk);
    5267 + bool has_vnet_hdr = false;
    5268 int hlen, tlen, linear;
    5269 int extra_len = 0;
    5270
    5271 @@ -2879,6 +2886,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
    5272 err = packet_snd_vnet_parse(msg, &len, &vnet_hdr);
    5273 if (err)
    5274 goto out_unlock;
    5275 + has_vnet_hdr = true;
    5276 }
    5277
    5278 if (unlikely(sock_flag(sk, SOCK_NOFCS))) {
    5279 @@ -2937,7 +2945,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
    5280 skb->priority = sk->sk_priority;
    5281 skb->mark = sockc.mark;
    5282
    5283 - if (po->has_vnet_hdr) {
    5284 + if (has_vnet_hdr) {
    5285 err = virtio_net_hdr_to_skb(skb, &vnet_hdr, vio_le());
    5286 if (err)
    5287 goto out_free;
    5288 @@ -3065,13 +3073,15 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
    5289 int ret = 0;
    5290 bool unlisted = false;
    5291
    5292 - if (po->fanout)
    5293 - return -EINVAL;
    5294 -
    5295 lock_sock(sk);
    5296 spin_lock(&po->bind_lock);
    5297 rcu_read_lock();
    5298
    5299 + if (po->fanout) {
    5300 + ret = -EINVAL;
    5301 + goto out_unlock;
    5302 + }
    5303 +
    5304 if (name) {
    5305 dev = dev_get_by_name_rcu(sock_net(sk), name);
    5306 if (!dev) {
    5307 diff --git a/net/sched/act_api.c b/net/sched/act_api.c
    5308 index f2e9ed34a963..0c5dbb172437 100644
    5309 --- a/net/sched/act_api.c
    5310 +++ b/net/sched/act_api.c
    5311 @@ -174,7 +174,7 @@ static int tcf_del_walker(struct tcf_hashinfo *hinfo, struct sk_buff *skb,
    5312 hlist_for_each_entry_safe(p, n, head, tcfa_head) {
    5313 ret = __tcf_hash_release(p, false, true);
    5314 if (ret == ACT_P_DELETED) {
    5315 - module_put(p->ops->owner);
    5316 + module_put(ops->owner);
    5317 n_i++;
    5318 } else if (ret < 0)
    5319 goto nla_put_failure;
    5320 @@ -506,13 +506,15 @@ EXPORT_SYMBOL(tcf_action_exec);
    5321
    5322 int tcf_action_destroy(struct list_head *actions, int bind)
    5323 {
    5324 + const struct tc_action_ops *ops;
    5325 struct tc_action *a, *tmp;
    5326 int ret = 0;
    5327
    5328 list_for_each_entry_safe(a, tmp, actions, list) {
    5329 + ops = a->ops;
    5330 ret = __tcf_hash_release(a, bind, true);
    5331 if (ret == ACT_P_DELETED)
    5332 - module_put(a->ops->owner);
    5333 + module_put(ops->owner);
    5334 else if (ret < 0)
    5335 return ret;
    5336 }
    5337 diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c
    5338 index 9dc26c32cf32..d720f9376add 100644
    5339 --- a/net/sched/cls_matchall.c
    5340 +++ b/net/sched/cls_matchall.c
    5341 @@ -32,6 +32,7 @@ static int mall_classify(struct sk_buff *skb, const struct tcf_proto *tp,
    5342 if (tc_skip_sw(head->flags))
    5343 return -1;
    5344
    5345 + *res = head->res;
    5346 return tcf_exts_exec(skb, &head->exts, res);
    5347 }
    5348
    5349 diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
    5350 index 4ba6da5fb254..ff49421ee48a 100644
    5351 --- a/net/sched/sch_generic.c
    5352 +++ b/net/sched/sch_generic.c
    5353 @@ -681,6 +681,7 @@ void qdisc_reset(struct Qdisc *qdisc)
    5354 qdisc->gso_skb = NULL;
    5355 }
    5356 qdisc->q.qlen = 0;
    5357 + qdisc->qstats.backlog = 0;
    5358 }
    5359 EXPORT_SYMBOL(qdisc_reset);
    5360
    5361 diff --git a/net/tipc/msg.c b/net/tipc/msg.c
    5362 index 6ef379f004ac..121e59a1d0e7 100644
    5363 --- a/net/tipc/msg.c
    5364 +++ b/net/tipc/msg.c
    5365 @@ -551,7 +551,7 @@ bool tipc_msg_lookup_dest(struct net *net, struct sk_buff *skb, int *err)
    5366 return false;
    5367 if (msg_errcode(msg))
    5368 return false;
    5369 - *err = -TIPC_ERR_NO_NAME;
    5370 + *err = TIPC_ERR_NO_NAME;
    5371 if (skb_linearize(skb))
    5372 return false;
    5373 msg = buf_msg(skb);
    5374 diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
    5375 index 750ba5d24a49..359b1f34c805 100644
    5376 --- a/net/wireless/nl80211.c
    5377 +++ b/net/wireless/nl80211.c
    5378 @@ -549,6 +549,14 @@ nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
    5379 [NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
    5380 };
    5381
    5382 +/* policy for packet pattern attributes */
    5383 +static const struct nla_policy
    5384 +nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
    5385 + [NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
    5386 + [NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
    5387 + [NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
    5388 +};
    5389 +
    5390 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
    5391 struct netlink_callback *cb,
    5392 struct cfg80211_registered_device **rdev,
    5393 @@ -10529,7 +10537,8 @@ static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
    5394 u8 *mask_pat;
    5395
    5396 nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
    5397 - NULL, info->extack);
    5398 + nl80211_packet_pattern_policy,
    5399 + info->extack);
    5400 err = -EINVAL;
    5401 if (!pat_tb[NL80211_PKTPAT_MASK] ||
    5402 !pat_tb[NL80211_PKTPAT_PATTERN])
    5403 @@ -10778,7 +10787,8 @@ static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
    5404 rem) {
    5405 u8 *mask_pat;
    5406
    5407 - nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat, NULL, NULL);
    5408 + nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
    5409 + nl80211_packet_pattern_policy, NULL);
    5410 if (!pat_tb[NL80211_PKTPAT_MASK] ||
    5411 !pat_tb[NL80211_PKTPAT_PATTERN])
    5412 return -EINVAL;
    5413 diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
    5414 index 463af86812c7..a9e89177a346 100644
    5415 --- a/security/smack/smack_lsm.c
    5416 +++ b/security/smack/smack_lsm.c
    5417 @@ -1499,7 +1499,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
    5418 * @inode: the object
    5419 * @name: attribute name
    5420 * @buffer: where to put the result
    5421 - * @alloc: unused
    5422 + * @alloc: duplicate memory
    5423 *
    5424 * Returns the size of the attribute or an error code
    5425 */
    5426 @@ -1512,43 +1512,38 @@ static int smack_inode_getsecurity(struct inode *inode,
    5427 struct super_block *sbp;
    5428 struct inode *ip = (struct inode *)inode;
    5429 struct smack_known *isp;
    5430 - int ilen;
    5431 - int rc = 0;
    5432
    5433 - if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
    5434 + if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
    5435 isp = smk_of_inode(inode);
    5436 - ilen = strlen(isp->smk_known);
    5437 - *buffer = isp->smk_known;
    5438 - return ilen;
    5439 - }
    5440 + else {
    5441 + /*
    5442 + * The rest of the Smack xattrs are only on sockets.
    5443 + */
    5444 + sbp = ip->i_sb;
    5445 + if (sbp->s_magic != SOCKFS_MAGIC)
    5446 + return -EOPNOTSUPP;
    5447
    5448 - /*
    5449 - * The rest of the Smack xattrs are only on sockets.
    5450 - */
    5451 - sbp = ip->i_sb;
    5452 - if (sbp->s_magic != SOCKFS_MAGIC)
    5453 - return -EOPNOTSUPP;
    5454 + sock = SOCKET_I(ip);
    5455 + if (sock == NULL || sock->sk == NULL)
    5456 + return -EOPNOTSUPP;
    5457
    5458 - sock = SOCKET_I(ip);
    5459 - if (sock == NULL || sock->sk == NULL)
    5460 - return -EOPNOTSUPP;
    5461 -
    5462 - ssp = sock->sk->sk_security;
    5463 + ssp = sock->sk->sk_security;
    5464
    5465 - if (strcmp(name, XATTR_SMACK_IPIN) == 0)
    5466 - isp = ssp->smk_in;
    5467 - else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
    5468 - isp = ssp->smk_out;
    5469 - else
    5470 - return -EOPNOTSUPP;
    5471 + if (strcmp(name, XATTR_SMACK_IPIN) == 0)
    5472 + isp = ssp->smk_in;
    5473 + else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
    5474 + isp = ssp->smk_out;
    5475 + else
    5476 + return -EOPNOTSUPP;
    5477 + }
    5478
    5479 - ilen = strlen(isp->smk_known);
    5480 - if (rc == 0) {
    5481 - *buffer = isp->smk_known;
    5482 - rc = ilen;
    5483 + if (alloc) {
    5484 + *buffer = kstrdup(isp->smk_known, GFP_KERNEL);
    5485 + if (*buffer == NULL)
    5486 + return -ENOMEM;
    5487 }
    5488
    5489 - return rc;
    5490 + return strlen(isp->smk_known);
    5491 }
    5492
    5493
    5494 diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
    5495 index fec1dfdb14ad..4490a699030b 100644
    5496 --- a/sound/core/compress_offload.c
    5497 +++ b/sound/core/compress_offload.c
    5498 @@ -948,14 +948,13 @@ static const struct file_operations snd_compr_file_ops = {
    5499 static int snd_compress_dev_register(struct snd_device *device)
    5500 {
    5501 int ret = -EINVAL;
    5502 - char str[16];
    5503 struct snd_compr *compr;
    5504
    5505 if (snd_BUG_ON(!device || !device->device_data))
    5506 return -EBADFD;
    5507 compr = device->device_data;
    5508
    5509 - pr_debug("reg %s for device %s, direction %d\n", str, compr->name,
    5510 + pr_debug("reg device %s, direction %d\n", compr->name,
    5511 compr->direction);
    5512 /* register compressed device */
    5513 ret = snd_register_device(SNDRV_DEVICE_TYPE_COMPRESS,
    5514 diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c
    5515 index d15ecf9febbf..e54f5f549e38 100644
    5516 --- a/sound/pci/echoaudio/echoaudio.c
    5517 +++ b/sound/pci/echoaudio/echoaudio.c
    5518 @@ -1272,11 +1272,11 @@ static int snd_echo_mixer_info(struct snd_kcontrol *kcontrol,
    5519
    5520 chip = snd_kcontrol_chip(kcontrol);
    5521 uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER;
    5522 + uinfo->count = 1;
    5523 uinfo->value.integer.min = ECHOGAIN_MINOUT;
    5524 uinfo->value.integer.max = ECHOGAIN_MAXOUT;
    5525 uinfo->dimen.d[0] = num_busses_out(chip);
    5526 uinfo->dimen.d[1] = num_busses_in(chip);
    5527 - uinfo->count = uinfo->dimen.d[0] * uinfo->dimen.d[1];
    5528 return 0;
    5529 }
    5530
    5531 @@ -1344,11 +1344,11 @@ static int snd_echo_vmixer_info(struct snd_kcontrol *kcontrol,
    5532
    5533 chip = snd_kcontrol_chip(kcontrol);
    5534 uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER;
    5535 + uinfo->count = 1;
    5536 uinfo->value.integer.min = ECHOGAIN_MINOUT;
    5537 uinfo->value.integer.max = ECHOGAIN_MAXOUT;
    5538 uinfo->dimen.d[0] = num_busses_out(chip);
    5539 uinfo->dimen.d[1] = num_pipes_out(chip);
    5540 - uinfo->count = uinfo->dimen.d[0] * uinfo->dimen.d[1];
    5541 return 0;
    5542 }
    5543
    5544 @@ -1728,6 +1728,7 @@ static int snd_echo_vumeters_info(struct snd_kcontrol *kcontrol,
    5545 struct snd_ctl_elem_info *uinfo)
    5546 {
    5547 uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER;
    5548 + uinfo->count = 96;
    5549 uinfo->value.integer.min = ECHOGAIN_MINOUT;
    5550 uinfo->value.integer.max = 0;
    5551 #ifdef ECHOCARD_HAS_VMIXER
    5552 @@ -1737,7 +1738,6 @@ static int snd_echo_vumeters_info(struct snd_kcontrol *kcontrol,
    5553 #endif
    5554 uinfo->dimen.d[1] = 16; /* 16 channels */
    5555 uinfo->dimen.d[2] = 2; /* 0=level, 1=peak */
    5556 - uinfo->count = uinfo->dimen.d[0] * uinfo->dimen.d[1] * uinfo->dimen.d[2];
    5557 return 0;
    5558 }
    5559
    5560 diff --git a/sound/usb/card.c b/sound/usb/card.c
    5561 index 6640277a725b..383facf2dc11 100644
    5562 --- a/sound/usb/card.c
    5563 +++ b/sound/usb/card.c
    5564 @@ -221,6 +221,7 @@ static int snd_usb_create_streams(struct snd_usb_audio *chip, int ctrlif)
    5565 struct usb_interface_descriptor *altsd;
    5566 void *control_header;
    5567 int i, protocol;
    5568 + int rest_bytes;
    5569
    5570 /* find audiocontrol interface */
    5571 host_iface = &usb_ifnum_to_if(dev, ctrlif)->altsetting[0];
    5572 @@ -235,6 +236,15 @@ static int snd_usb_create_streams(struct snd_usb_audio *chip, int ctrlif)
    5573 return -EINVAL;
    5574 }
    5575
    5576 + rest_bytes = (void *)(host_iface->extra + host_iface->extralen) -
    5577 + control_header;
    5578 +
    5579 + /* just to be sure -- this shouldn't hit at all */
    5580 + if (rest_bytes <= 0) {
    5581 + dev_err(&dev->dev, "invalid control header\n");
    5582 + return -EINVAL;
    5583 + }
    5584 +
    5585 switch (protocol) {
    5586 default:
    5587 dev_warn(&dev->dev,
    5588 @@ -245,11 +255,21 @@ static int snd_usb_create_streams(struct snd_usb_audio *chip, int ctrlif)
    5589 case UAC_VERSION_1: {
    5590 struct uac1_ac_header_descriptor *h1 = control_header;
    5591
    5592 + if (rest_bytes < sizeof(*h1)) {
    5593 + dev_err(&dev->dev, "too short v1 buffer descriptor\n");
    5594 + return -EINVAL;
    5595 + }
    5596 +
    5597 if (!h1->bInCollection) {
    5598 dev_info(&dev->dev, "skipping empty audio interface (v1)\n");
    5599 return -EINVAL;
    5600 }
    5601
    5602 + if (rest_bytes < h1->bLength) {
    5603 + dev_err(&dev->dev, "invalid buffer length (v1)\n");
    5604 + return -EINVAL;
    5605 + }
    5606 +
    5607 if (h1->bLength < sizeof(*h1) + h1->bInCollection) {
    5608 dev_err(&dev->dev, "invalid UAC_HEADER (v1)\n");
    5609 return -EINVAL;
    5610 diff --git a/sound/usb/usx2y/usb_stream.c b/sound/usb/usx2y/usb_stream.c
    5611 index bf618e1500ac..e7b934f4d837 100644
    5612 --- a/sound/usb/usx2y/usb_stream.c
    5613 +++ b/sound/usb/usx2y/usb_stream.c
    5614 @@ -191,7 +191,8 @@ struct usb_stream *usb_stream_new(struct usb_stream_kernel *sk,
    5615 }
    5616
    5617 pg = get_order(read_size);
    5618 - sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg);
    5619 + sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO|
    5620 + __GFP_NOWARN, pg);
    5621 if (!sk->s) {
    5622 snd_printk(KERN_WARNING "couldn't __get_free_pages()\n");
    5623 goto out;
    5624 @@ -211,7 +212,8 @@ struct usb_stream *usb_stream_new(struct usb_stream_kernel *sk,
    5625 pg = get_order(write_size);
    5626
    5627 sk->write_page =
    5628 - (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg);
    5629 + (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO|
    5630 + __GFP_NOWARN, pg);
    5631 if (!sk->write_page) {
    5632 snd_printk(KERN_WARNING "couldn't __get_free_pages()\n");
    5633 usb_stream_free(sk);
    5634 diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
    5635 index d3ed7324105e..48c145eeeaf7 100644
    5636 --- a/tools/testing/selftests/bpf/test_verifier.c
    5637 +++ b/tools/testing/selftests/bpf/test_verifier.c
    5638 @@ -6009,6 +6009,22 @@ static struct bpf_test tests[] = {
    5639 .result = REJECT,
    5640 .result_unpriv = REJECT,
    5641 },
    5642 + {
    5643 + "invalid 64-bit BPF_END",
    5644 + .insns = {
    5645 + BPF_MOV32_IMM(BPF_REG_0, 0),
    5646 + {
    5647 + .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
    5648 + .dst_reg = BPF_REG_0,
    5649 + .src_reg = 0,
    5650 + .off = 0,
    5651 + .imm = 32,
    5652 + },
    5653 + BPF_EXIT_INSN(),
    5654 + },
    5655 + .errstr = "BPF_END uses reserved fields",
    5656 + .result = REJECT,
    5657 + },
    5658 };
    5659
    5660 static int probe_filter_length(const struct bpf_insn *fp)