Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-magellan/patches-4.17/0102-4.17.3-all-fixes.patch

    Contents of /trunk/kernel-magellan/patches-4.17/0102-4.17.3-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 3142 - (show annotations) (download)
    Tue Jun 26 13:38:06 2018 UTC (5 years, 10 months ago) by niro
    File size: 78454 byte(s) 
    -linux-4.17.3
    1 diff --git a/Makefile b/Makefile
    2 index f43cd522b175..31dc3a08295a 100644
    3 --- a/Makefile
    4 +++ b/Makefile
    5 @@ -1,7 +1,7 @@
    6 # SPDX-License-Identifier: GPL-2.0
    7 VERSION = 4
    8 PATCHLEVEL = 17
    9 -SUBLEVEL = 2
    10 +SUBLEVEL = 3
    11 EXTRAVERSION =
    12 NAME = Merciless Moray
    13
    14 diff --git a/arch/um/drivers/vector_transports.c b/arch/um/drivers/vector_transports.c
    15 index 9065047f844b..77e4ebc206ae 100644
    16 --- a/arch/um/drivers/vector_transports.c
    17 +++ b/arch/um/drivers/vector_transports.c
    18 @@ -120,7 +120,8 @@ static int raw_form_header(uint8_t *header,
    19 skb,
    20 vheader,
    21 virtio_legacy_is_little_endian(),
    22 - false
    23 + false,
    24 + 0
    25 );
    26
    27 return 0;
    28 diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
    29 index 08acd954f00e..74a9e06b6cfd 100644
    30 --- a/arch/x86/include/asm/apic.h
    31 +++ b/arch/x86/include/asm/apic.h
    32 @@ -436,6 +436,8 @@ static inline void apic_set_eoi_write(void (*eoi_write)(u32 reg, u32 v)) {}
    33
    34 #endif /* CONFIG_X86_LOCAL_APIC */
    35
    36 +extern void apic_ack_irq(struct irq_data *data);
    37 +
    38 static inline void ack_APIC_irq(void)
    39 {
    40 /*
    41 diff --git a/arch/x86/include/asm/trace/irq_vectors.h b/arch/x86/include/asm/trace/irq_vectors.h
    42 index 22647a642e98..0af81b590a0c 100644
    43 --- a/arch/x86/include/asm/trace/irq_vectors.h
    44 +++ b/arch/x86/include/asm/trace/irq_vectors.h
    45 @@ -236,7 +236,7 @@ TRACE_EVENT(vector_alloc,
    46 TP_PROTO(unsigned int irq, unsigned int vector, bool reserved,
    47 int ret),
    48
    49 - TP_ARGS(irq, vector, ret, reserved),
    50 + TP_ARGS(irq, vector, reserved, ret),
    51
    52 TP_STRUCT__entry(
    53 __field( unsigned int, irq )
    54 diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
    55 index 7553819c74c3..3982f79d2377 100644
    56 --- a/arch/x86/kernel/apic/io_apic.c
    57 +++ b/arch/x86/kernel/apic/io_apic.c
    58 @@ -1851,7 +1851,7 @@ static void ioapic_ir_ack_level(struct irq_data *irq_data)
    59 * intr-remapping table entry. Hence for the io-apic
    60 * EOI we use the pin number.
    61 */
    62 - ack_APIC_irq();
    63 + apic_ack_irq(irq_data);
    64 eoi_ioapic_pin(data->entry.vector, data);
    65 }
    66
    67 diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c
    68 index bb6f7a2148d7..b708f597eee3 100644
    69 --- a/arch/x86/kernel/apic/vector.c
    70 +++ b/arch/x86/kernel/apic/vector.c
    71 @@ -235,6 +235,15 @@ static int allocate_vector(struct irq_data *irqd, const struct cpumask *dest)
    72 if (vector && cpu_online(cpu) && cpumask_test_cpu(cpu, dest))
    73 return 0;
    74
    75 + /*
    76 + * Careful here. @apicd might either have move_in_progress set or
    77 + * be enqueued for cleanup. Assigning a new vector would either
    78 + * leave a stale vector on some CPU around or in case of a pending
    79 + * cleanup corrupt the hlist.
    80 + */
    81 + if (apicd->move_in_progress || !hlist_unhashed(&apicd->clist))
    82 + return -EBUSY;
    83 +
    84 vector = irq_matrix_alloc(vector_matrix, dest, resvd, &cpu);
    85 if (vector > 0)
    86 apic_update_vector(irqd, vector, cpu);
    87 @@ -800,13 +809,18 @@ static int apic_retrigger_irq(struct irq_data *irqd)
    88 return 1;
    89 }
    90
    91 -void apic_ack_edge(struct irq_data *irqd)
    92 +void apic_ack_irq(struct irq_data *irqd)
    93 {
    94 - irq_complete_move(irqd_cfg(irqd));
    95 irq_move_irq(irqd);
    96 ack_APIC_irq();
    97 }
    98
    99 +void apic_ack_edge(struct irq_data *irqd)
    100 +{
    101 + irq_complete_move(irqd_cfg(irqd));
    102 + apic_ack_irq(irqd);
    103 +}
    104 +
    105 static struct irq_chip lapic_controller = {
    106 .name = "APIC",
    107 .irq_ack = apic_ack_edge,
    108 diff --git a/arch/x86/kernel/cpu/intel_rdt.c b/arch/x86/kernel/cpu/intel_rdt.c
    109 index 589b948e6e01..316a8875bd90 100644
    110 --- a/arch/x86/kernel/cpu/intel_rdt.c
    111 +++ b/arch/x86/kernel/cpu/intel_rdt.c
    112 @@ -821,6 +821,8 @@ static __init void rdt_quirks(void)
    113 case INTEL_FAM6_SKYLAKE_X:
    114 if (boot_cpu_data.x86_stepping <= 4)
    115 set_rdt_options("!cmt,!mbmtotal,!mbmlocal,!l3cat");
    116 + else
    117 + set_rdt_options("!l3cat");
    118 }
    119 }
    120
    121 diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c
    122 index 475cb4f5f14f..c805a06e14c3 100644
    123 --- a/arch/x86/kernel/cpu/mcheck/mce-inject.c
    124 +++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c
    125 @@ -48,7 +48,7 @@ static struct dentry *dfs_inj;
    126
    127 static u8 n_banks;
    128
    129 -#define MAX_FLAG_OPT_SIZE 3
    130 +#define MAX_FLAG_OPT_SIZE 4
    131 #define NBCFG 0x44
    132
    133 enum injection_type {
    134 diff --git a/arch/x86/platform/uv/uv_irq.c b/arch/x86/platform/uv/uv_irq.c
    135 index e4cb9f4cde8a..fc13cbbb2dce 100644
    136 --- a/arch/x86/platform/uv/uv_irq.c
    137 +++ b/arch/x86/platform/uv/uv_irq.c
    138 @@ -47,11 +47,6 @@ static void uv_program_mmr(struct irq_cfg *cfg, struct uv_irq_2_mmr_pnode *info)
    139
    140 static void uv_noop(struct irq_data *data) { }
    141
    142 -static void uv_ack_apic(struct irq_data *data)
    143 -{
    144 - ack_APIC_irq();
    145 -}
    146 -
    147 static int
    148 uv_set_irq_affinity(struct irq_data *data, const struct cpumask *mask,
    149 bool force)
    150 @@ -73,7 +68,7 @@ static struct irq_chip uv_irq_chip = {
    151 .name = "UV-CORE",
    152 .irq_mask = uv_noop,
    153 .irq_unmask = uv_noop,
    154 - .irq_eoi = uv_ack_apic,
    155 + .irq_eoi = apic_ack_irq,
    156 .irq_set_affinity = uv_set_irq_affinity,
    157 };
    158
    159 diff --git a/block/blk-mq.c b/block/blk-mq.c
    160 index 9ce9cac16c3f..90ffd8151c57 100644
    161 --- a/block/blk-mq.c
    162 +++ b/block/blk-mq.c
    163 @@ -2473,7 +2473,6 @@ static void blk_mq_del_queue_tag_set(struct request_queue *q)
    164
    165 mutex_lock(&set->tag_list_lock);
    166 list_del_rcu(&q->tag_set_list);
    167 - INIT_LIST_HEAD(&q->tag_set_list);
    168 if (list_is_singular(&set->tag_list)) {
    169 /* just transitioned to unshared */
    170 set->flags &= ~BLK_MQ_F_TAG_SHARED;
    171 @@ -2481,8 +2480,8 @@ static void blk_mq_del_queue_tag_set(struct request_queue *q)
    172 blk_mq_update_tag_set_depth(set, false);
    173 }
    174 mutex_unlock(&set->tag_list_lock);
    175 -
    176 synchronize_rcu();
    177 + INIT_LIST_HEAD(&q->tag_set_list);
    178 }
    179
    180 static void blk_mq_add_queue_tag_set(struct blk_mq_tag_set *set,
    181 diff --git a/drivers/acpi/acpica/psloop.c b/drivers/acpi/acpica/psloop.c
    182 index 68422afc365f..bc5f05906bd1 100644
    183 --- a/drivers/acpi/acpica/psloop.c
    184 +++ b/drivers/acpi/acpica/psloop.c
    185 @@ -515,6 +515,22 @@ acpi_status acpi_ps_parse_loop(struct acpi_walk_state *walk_state)
    186 if (ACPI_FAILURE(status)) {
    187 return_ACPI_STATUS(status);
    188 }
    189 + if (walk_state->opcode == AML_SCOPE_OP) {
    190 + /*
    191 + * If the scope op fails to parse, skip the body of the
    192 + * scope op because the parse failure indicates that the
    193 + * device may not exist.
    194 + */
    195 + walk_state->parser_state.aml =
    196 + walk_state->aml + 1;
    197 + walk_state->parser_state.aml =
    198 + acpi_ps_get_next_package_end
    199 + (&walk_state->parser_state);
    200 + walk_state->aml =
    201 + walk_state->parser_state.aml;
    202 + ACPI_ERROR((AE_INFO,
    203 + "Skipping Scope block"));
    204 + }
    205
    206 continue;
    207 }
    208 @@ -557,7 +573,40 @@ acpi_status acpi_ps_parse_loop(struct acpi_walk_state *walk_state)
    209 if (ACPI_FAILURE(status)) {
    210 return_ACPI_STATUS(status);
    211 }
    212 -
    213 + if ((walk_state->control_state) &&
    214 + ((walk_state->control_state->control.
    215 + opcode == AML_IF_OP)
    216 + || (walk_state->control_state->control.
    217 + opcode == AML_WHILE_OP))) {
    218 + /*
    219 + * If the if/while op fails to parse, we will skip parsing
    220 + * the body of the op.
    221 + */
    222 + parser_state->aml =
    223 + walk_state->control_state->control.
    224 + aml_predicate_start + 1;
    225 + parser_state->aml =
    226 + acpi_ps_get_next_package_end
    227 + (parser_state);
    228 + walk_state->aml = parser_state->aml;
    229 +
    230 + ACPI_ERROR((AE_INFO,
    231 + "Skipping While/If block"));
    232 + if (*walk_state->aml == AML_ELSE_OP) {
    233 + ACPI_ERROR((AE_INFO,
    234 + "Skipping Else block"));
    235 + walk_state->parser_state.aml =
    236 + walk_state->aml + 1;
    237 + walk_state->parser_state.aml =
    238 + acpi_ps_get_next_package_end
    239 + (parser_state);
    240 + walk_state->aml =
    241 + parser_state->aml;
    242 + }
    243 + ACPI_FREE(acpi_ut_pop_generic_state
    244 + (&walk_state->control_state));
    245 + }
    246 + op = NULL;
    247 continue;
    248 }
    249 }
    250 diff --git a/drivers/acpi/acpica/psobject.c b/drivers/acpi/acpica/psobject.c
    251 index 7d9d0151ee54..3138e7a00da8 100644
    252 --- a/drivers/acpi/acpica/psobject.c
    253 +++ b/drivers/acpi/acpica/psobject.c
    254 @@ -12,6 +12,7 @@
    255 #include "acparser.h"
    256 #include "amlcode.h"
    257 #include "acconvert.h"
    258 +#include "acnamesp.h"
    259
    260 #define _COMPONENT ACPI_PARSER
    261 ACPI_MODULE_NAME("psobject")
    262 @@ -549,6 +550,21 @@ acpi_ps_complete_op(struct acpi_walk_state *walk_state,
    263
    264 do {
    265 if (*op) {
    266 + /*
    267 + * These Opcodes need to be removed from the namespace because they
    268 + * get created even if these opcodes cannot be created due to
    269 + * errors.
    270 + */
    271 + if (((*op)->common.aml_opcode == AML_REGION_OP)
    272 + || ((*op)->common.aml_opcode ==
    273 + AML_DATA_REGION_OP)) {
    274 + acpi_ns_delete_children((*op)->common.
    275 + node);
    276 + acpi_ns_remove_node((*op)->common.node);
    277 + (*op)->common.node = NULL;
    278 + acpi_ps_delete_parse_tree(*op);
    279 + }
    280 +
    281 status2 =
    282 acpi_ps_complete_this_op(walk_state, *op);
    283 if (ACPI_FAILURE(status2)) {
    284 @@ -574,6 +590,20 @@ acpi_ps_complete_op(struct acpi_walk_state *walk_state,
    285 #endif
    286 walk_state->prev_op = NULL;
    287 walk_state->prev_arg_types = walk_state->arg_types;
    288 +
    289 + if (walk_state->parse_flags & ACPI_PARSE_MODULE_LEVEL) {
    290 + /*
    291 + * There was something that went wrong while executing code at the
    292 + * module-level. We need to skip parsing whatever caused the
    293 + * error and keep going. One runtime error during the table load
    294 + * should not cause the entire table to not be loaded. This is
    295 + * because there could be correct AML beyond the parts that caused
    296 + * the runtime error.
    297 + */
    298 + ACPI_ERROR((AE_INFO,
    299 + "Ignore error and continue table load"));
    300 + return_ACPI_STATUS(AE_OK);
    301 + }
    302 return_ACPI_STATUS(status);
    303 }
    304
    305 diff --git a/drivers/acpi/acpica/uterror.c b/drivers/acpi/acpica/uterror.c
    306 index 12d4a0f6b8d2..5a64ddaed8a3 100644
    307 --- a/drivers/acpi/acpica/uterror.c
    308 +++ b/drivers/acpi/acpica/uterror.c
    309 @@ -182,20 +182,20 @@ acpi_ut_prefixed_namespace_error(const char *module_name,
    310 switch (lookup_status) {
    311 case AE_ALREADY_EXISTS:
    312
    313 - acpi_os_printf(ACPI_MSG_BIOS_ERROR);
    314 + acpi_os_printf("\n" ACPI_MSG_BIOS_ERROR);
    315 message = "Failure creating";
    316 break;
    317
    318 case AE_NOT_FOUND:
    319
    320 - acpi_os_printf(ACPI_MSG_BIOS_ERROR);
    321 - message = "Failure looking up";
    322 + acpi_os_printf("\n" ACPI_MSG_BIOS_ERROR);
    323 + message = "Could not resolve";
    324 break;
    325
    326 default:
    327
    328 - acpi_os_printf(ACPI_MSG_ERROR);
    329 - message = "Failure looking up";
    330 + acpi_os_printf("\n" ACPI_MSG_ERROR);
    331 + message = "Failure resolving";
    332 break;
    333 }
    334
    335 diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
    336 index 346b163f6e89..9bfd2f7e4542 100644
    337 --- a/drivers/ata/libata-core.c
    338 +++ b/drivers/ata/libata-core.c
    339 @@ -4557,9 +4557,6 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
    340 { "SAMSUNG MZMPC128HBFU-000MV", "CXM14M1Q", ATA_HORKAGE_NOLPM, },
    341 { "SAMSUNG SSD PM830 mSATA *", "CXM13D1Q", ATA_HORKAGE_NOLPM, },
    342
    343 - /* Sandisk devices which are known to not handle LPM well */
    344 - { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, },
    345 -
    346 /* devices that don't properly handle queued TRIM commands */
    347 { "Micron_M500IT_*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
    348 ATA_HORKAGE_ZERO_AFTER_TRIM, },
    349 diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
    350 index de4ddd0e8550..b3ed8f9953a8 100644
    351 --- a/drivers/ata/libata-zpodd.c
    352 +++ b/drivers/ata/libata-zpodd.c
    353 @@ -35,7 +35,7 @@ struct zpodd {
    354 static int eject_tray(struct ata_device *dev)
    355 {
    356 struct ata_taskfile tf;
    357 - static const char cdb[] = { GPCMD_START_STOP_UNIT,
    358 + static const char cdb[ATAPI_CDB_LEN] = { GPCMD_START_STOP_UNIT,
    359 0, 0, 0,
    360 0x02, /* LoEj */
    361 0, 0, 0, 0, 0, 0, 0,
    362 diff --git a/drivers/base/core.c b/drivers/base/core.c
    363 index b610816eb887..d680fd030316 100644
    364 --- a/drivers/base/core.c
    365 +++ b/drivers/base/core.c
    366 @@ -1467,7 +1467,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj)
    367
    368 dir = kzalloc(sizeof(*dir), GFP_KERNEL);
    369 if (!dir)
    370 - return NULL;
    371 + return ERR_PTR(-ENOMEM);
    372
    373 dir->class = class;
    374 kobject_init(&dir->kobj, &class_dir_ktype);
    375 @@ -1477,7 +1477,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj)
    376 retval = kobject_add(&dir->kobj, parent_kobj, "%s", class->name);
    377 if (retval < 0) {
    378 kobject_put(&dir->kobj);
    379 - return NULL;
    380 + return ERR_PTR(retval);
    381 }
    382 return &dir->kobj;
    383 }
    384 @@ -1784,6 +1784,10 @@ int device_add(struct device *dev)
    385
    386 parent = get_device(dev->parent);
    387 kobj = get_device_parent(dev, parent);
    388 + if (IS_ERR(kobj)) {
    389 + error = PTR_ERR(kobj);
    390 + goto parent_error;
    391 + }
    392 if (kobj)
    393 dev->kobj.parent = kobj;
    394
    395 @@ -1882,6 +1886,7 @@ int device_add(struct device *dev)
    396 kobject_del(&dev->kobj);
    397 Error:
    398 cleanup_glue_dir(dev, glue_dir);
    399 +parent_error:
    400 put_device(parent);
    401 name_error:
    402 kfree(dev->p);
    403 @@ -2701,6 +2706,11 @@ int device_move(struct device *dev, struct device *new_parent,
    404 device_pm_lock();
    405 new_parent = get_device(new_parent);
    406 new_parent_kobj = get_device_parent(dev, new_parent);
    407 + if (IS_ERR(new_parent_kobj)) {
    408 + error = PTR_ERR(new_parent_kobj);
    409 + put_device(new_parent);
    410 + goto out;
    411 + }
    412
    413 pr_debug("device: '%s': %s: moving to '%s'\n", dev_name(dev),
    414 __func__, new_parent ? dev_name(new_parent) : "<NULL>");
    415 diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
    416 index afbc202ca6fd..64278f472efe 100644
    417 --- a/drivers/block/nbd.c
    418 +++ b/drivers/block/nbd.c
    419 @@ -173,9 +173,12 @@ static const struct device_attribute pid_attr = {
    420 static void nbd_dev_remove(struct nbd_device *nbd)
    421 {
    422 struct gendisk *disk = nbd->disk;
    423 + struct request_queue *q;
    424 +
    425 if (disk) {
    426 + q = disk->queue;
    427 del_gendisk(disk);
    428 - blk_cleanup_queue(disk->queue);
    429 + blk_cleanup_queue(q);
    430 blk_mq_free_tag_set(&nbd->tag_set);
    431 disk->private_data = NULL;
    432 put_disk(disk);
    433 @@ -231,9 +234,18 @@ static void nbd_size_clear(struct nbd_device *nbd)
    434 static void nbd_size_update(struct nbd_device *nbd)
    435 {
    436 struct nbd_config *config = nbd->config;
    437 + struct block_device *bdev = bdget_disk(nbd->disk, 0);
    438 +
    439 blk_queue_logical_block_size(nbd->disk->queue, config->blksize);
    440 blk_queue_physical_block_size(nbd->disk->queue, config->blksize);
    441 set_capacity(nbd->disk, config->bytesize >> 9);
    442 + if (bdev) {
    443 + if (bdev->bd_disk)
    444 + bd_set_size(bdev, config->bytesize);
    445 + else
    446 + bdev->bd_invalidated = 1;
    447 + bdput(bdev);
    448 + }
    449 kobject_uevent(&nbd_to_dev(nbd)->kobj, KOBJ_CHANGE);
    450 }
    451
    452 @@ -243,6 +255,8 @@ static void nbd_size_set(struct nbd_device *nbd, loff_t blocksize,
    453 struct nbd_config *config = nbd->config;
    454 config->blksize = blocksize;
    455 config->bytesize = blocksize * nr_blocks;
    456 + if (nbd->task_recv != NULL)
    457 + nbd_size_update(nbd);
    458 }
    459
    460 static void nbd_complete_rq(struct request *req)
    461 @@ -1109,7 +1123,6 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd, struct block_device *b
    462 if (ret)
    463 return ret;
    464
    465 - bd_set_size(bdev, config->bytesize);
    466 if (max_part)
    467 bdev->bd_invalidated = 1;
    468 mutex_unlock(&nbd->config_lock);
    469 diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
    470 index 075d18f6ba7a..54d4c0f999ec 100644
    471 --- a/drivers/cpufreq/cpufreq.c
    472 +++ b/drivers/cpufreq/cpufreq.c
    473 @@ -696,6 +696,8 @@ static ssize_t store_##file_name \
    474 struct cpufreq_policy new_policy; \
    475 \
    476 memcpy(&new_policy, policy, sizeof(*policy)); \
    477 + new_policy.min = policy->user_policy.min; \
    478 + new_policy.max = policy->user_policy.max; \
    479 \
    480 ret = sscanf(buf, "%u", &new_policy.object); \
    481 if (ret != 1) \
    482 diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
    483 index ca38229b045a..43e14bb512c8 100644
    484 --- a/drivers/cpufreq/cpufreq_governor.c
    485 +++ b/drivers/cpufreq/cpufreq_governor.c
    486 @@ -165,7 +165,7 @@ unsigned int dbs_update(struct cpufreq_policy *policy)
    487 * calls, so the previous load value can be used then.
    488 */
    489 load = j_cdbs->prev_load;
    490 - } else if (unlikely(time_elapsed > 2 * sampling_rate &&
    491 + } else if (unlikely((int)idle_time > 2 * sampling_rate &&
    492 j_cdbs->prev_load)) {
    493 /*
    494 * If the CPU had gone completely idle and a task has
    495 @@ -185,10 +185,8 @@ unsigned int dbs_update(struct cpufreq_policy *policy)
    496 * clear prev_load to guarantee that the load will be
    497 * computed again next time.
    498 *
    499 - * Detecting this situation is easy: the governor's
    500 - * utilization update handler would not have run during
    501 - * CPU-idle periods. Hence, an unusually large
    502 - * 'time_elapsed' (as compared to the sampling rate)
    503 + * Detecting this situation is easy: an unusually large
    504 + * 'idle_time' (as compared to the sampling rate)
    505 * indicates this scenario.
    506 */
    507 load = j_cdbs->prev_load;
    508 @@ -217,8 +215,8 @@ unsigned int dbs_update(struct cpufreq_policy *policy)
    509 j_cdbs->prev_load = load;
    510 }
    511
    512 - if (time_elapsed > 2 * sampling_rate) {
    513 - unsigned int periods = time_elapsed / sampling_rate;
    514 + if (unlikely((int)idle_time > 2 * sampling_rate)) {
    515 + unsigned int periods = idle_time / sampling_rate;
    516
    517 if (periods < idle_periods)
    518 idle_periods = periods;
    519 diff --git a/drivers/cpufreq/ti-cpufreq.c b/drivers/cpufreq/ti-cpufreq.c
    520 index 6ba709b6f095..896caba5dfe5 100644
    521 --- a/drivers/cpufreq/ti-cpufreq.c
    522 +++ b/drivers/cpufreq/ti-cpufreq.c
    523 @@ -226,7 +226,7 @@ static int ti_cpufreq_probe(struct platform_device *pdev)
    524 opp_data->cpu_dev = get_cpu_device(0);
    525 if (!opp_data->cpu_dev) {
    526 pr_err("%s: Failed to get device for CPU0\n", __func__);
    527 - ret = ENODEV;
    528 + ret = -ENODEV;
    529 goto free_opp_data;
    530 }
    531
    532 diff --git a/drivers/hid/intel-ish-hid/ipc/pci-ish.c b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
    533 index 582e449be9fe..a2c53ea3b5ed 100644
    534 --- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c
    535 +++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
    536 @@ -205,8 +205,7 @@ static void ish_remove(struct pci_dev *pdev)
    537 kfree(ishtp_dev);
    538 }
    539
    540 -#ifdef CONFIG_PM
    541 -static struct device *ish_resume_device;
    542 +static struct device __maybe_unused *ish_resume_device;
    543
    544 /* 50ms to get resume response */
    545 #define WAIT_FOR_RESUME_ACK_MS 50
    546 @@ -220,7 +219,7 @@ static struct device *ish_resume_device;
    547 * in that case a simple resume message is enough, others we need
    548 * a reset sequence.
    549 */
    550 -static void ish_resume_handler(struct work_struct *work)
    551 +static void __maybe_unused ish_resume_handler(struct work_struct *work)
    552 {
    553 struct pci_dev *pdev = to_pci_dev(ish_resume_device);
    554 struct ishtp_device *dev = pci_get_drvdata(pdev);
    555 @@ -262,7 +261,7 @@ static void ish_resume_handler(struct work_struct *work)
    556 *
    557 * Return: 0 to the pm core
    558 */
    559 -static int ish_suspend(struct device *device)
    560 +static int __maybe_unused ish_suspend(struct device *device)
    561 {
    562 struct pci_dev *pdev = to_pci_dev(device);
    563 struct ishtp_device *dev = pci_get_drvdata(pdev);
    564 @@ -288,7 +287,7 @@ static int ish_suspend(struct device *device)
    565 return 0;
    566 }
    567
    568 -static DECLARE_WORK(resume_work, ish_resume_handler);
    569 +static __maybe_unused DECLARE_WORK(resume_work, ish_resume_handler);
    570 /**
    571 * ish_resume() - ISH resume callback
    572 * @device: device pointer
    573 @@ -297,7 +296,7 @@ static DECLARE_WORK(resume_work, ish_resume_handler);
    574 *
    575 * Return: 0 to the pm core
    576 */
    577 -static int ish_resume(struct device *device)
    578 +static int __maybe_unused ish_resume(struct device *device)
    579 {
    580 struct pci_dev *pdev = to_pci_dev(device);
    581 struct ishtp_device *dev = pci_get_drvdata(pdev);
    582 @@ -311,21 +310,14 @@ static int ish_resume(struct device *device)
    583 return 0;
    584 }
    585
    586 -static const struct dev_pm_ops ish_pm_ops = {
    587 - .suspend = ish_suspend,
    588 - .resume = ish_resume,
    589 -};
    590 -#define ISHTP_ISH_PM_OPS (&ish_pm_ops)
    591 -#else
    592 -#define ISHTP_ISH_PM_OPS NULL
    593 -#endif /* CONFIG_PM */
    594 +static SIMPLE_DEV_PM_OPS(ish_pm_ops, ish_suspend, ish_resume);
    595
    596 static struct pci_driver ish_driver = {
    597 .name = KBUILD_MODNAME,
    598 .id_table = ish_pci_tbl,
    599 .probe = ish_probe,
    600 .remove = ish_remove,
    601 - .driver.pm = ISHTP_ISH_PM_OPS,
    602 + .driver.pm = &ish_pm_ops,
    603 };
    604
    605 module_pci_driver(ish_driver);
    606 diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
    607 index ee7a37eb159a..545986cfb978 100644
    608 --- a/drivers/hid/wacom_sys.c
    609 +++ b/drivers/hid/wacom_sys.c
    610 @@ -395,6 +395,14 @@ static void wacom_usage_mapping(struct hid_device *hdev,
    611 }
    612 }
    613
    614 + /* 2nd-generation Intuos Pro Large has incorrect Y maximum */
    615 + if (hdev->vendor == USB_VENDOR_ID_WACOM &&
    616 + hdev->product == 0x0358 &&
    617 + WACOM_PEN_FIELD(field) &&
    618 + wacom_equivalent_usage(usage->hid) == HID_GD_Y) {
    619 + field->logical_maximum = 43200;
    620 + }
    621 +
    622 switch (usage->hid) {
    623 case HID_GD_X:
    624 features->x_max = field->logical_maximum;
    625 diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
    626 index 8fb8c737fffe..b0b30a568db7 100644
    627 --- a/drivers/iommu/amd_iommu.c
    628 +++ b/drivers/iommu/amd_iommu.c
    629 @@ -4379,7 +4379,7 @@ static void ir_compose_msi_msg(struct irq_data *irq_data, struct msi_msg *msg)
    630
    631 static struct irq_chip amd_ir_chip = {
    632 .name = "AMD-IR",
    633 - .irq_ack = ir_ack_apic_edge,
    634 + .irq_ack = apic_ack_irq,
    635 .irq_set_affinity = amd_ir_set_affinity,
    636 .irq_set_vcpu_affinity = amd_ir_set_vcpu_affinity,
    637 .irq_compose_msi_msg = ir_compose_msi_msg,
    638 diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c
    639 index 3062a154a9fb..967450bd421a 100644
    640 --- a/drivers/iommu/intel_irq_remapping.c
    641 +++ b/drivers/iommu/intel_irq_remapping.c
    642 @@ -1223,7 +1223,7 @@ static int intel_ir_set_vcpu_affinity(struct irq_data *data, void *info)
    643
    644 static struct irq_chip intel_ir_chip = {
    645 .name = "INTEL-IR",
    646 - .irq_ack = ir_ack_apic_edge,
    647 + .irq_ack = apic_ack_irq,
    648 .irq_set_affinity = intel_ir_set_affinity,
    649 .irq_compose_msi_msg = intel_ir_compose_msi_msg,
    650 .irq_set_vcpu_affinity = intel_ir_set_vcpu_affinity,
    651 diff --git a/drivers/iommu/irq_remapping.c b/drivers/iommu/irq_remapping.c
    652 index 496deee3ae3a..7d0f3074d41d 100644
    653 --- a/drivers/iommu/irq_remapping.c
    654 +++ b/drivers/iommu/irq_remapping.c
    655 @@ -156,11 +156,6 @@ void panic_if_irq_remap(const char *msg)
    656 panic(msg);
    657 }
    658
    659 -void ir_ack_apic_edge(struct irq_data *data)
    660 -{
    661 - ack_APIC_irq();
    662 -}
    663 -
    664 /**
    665 * irq_remapping_get_ir_irq_domain - Get the irqdomain associated with the IOMMU
    666 * device serving request @info
    667 diff --git a/drivers/iommu/irq_remapping.h b/drivers/iommu/irq_remapping.h
    668 index 039c7af7b190..0afef6e43be4 100644
    669 --- a/drivers/iommu/irq_remapping.h
    670 +++ b/drivers/iommu/irq_remapping.h
    671 @@ -65,8 +65,6 @@ struct irq_remap_ops {
    672 extern struct irq_remap_ops intel_irq_remap_ops;
    673 extern struct irq_remap_ops amd_iommu_irq_ops;
    674
    675 -extern void ir_ack_apic_edge(struct irq_data *data);
    676 -
    677 #else /* CONFIG_IRQ_REMAP */
    678
    679 #define irq_remapping_enabled 0
    680 diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
    681 index b67be33bd62f..cea7b2d2e60a 100644
    682 --- a/drivers/media/rc/rc-main.c
    683 +++ b/drivers/media/rc/rc-main.c
    684 @@ -1860,6 +1860,8 @@ int rc_register_device(struct rc_dev *dev)
    685 dev->device_name ?: "Unspecified device", path ?: "N/A");
    686 kfree(path);
    687
    688 + dev->registered = true;
    689 +
    690 if (dev->driver_type != RC_DRIVER_IR_RAW_TX) {
    691 rc = rc_setup_rx_device(dev);
    692 if (rc)
    693 @@ -1879,8 +1881,6 @@ int rc_register_device(struct rc_dev *dev)
    694 goto out_lirc;
    695 }
    696
    697 - dev->registered = true;
    698 -
    699 dev_dbg(&dev->dev, "Registered rc%u (driver: %s)\n", dev->minor,
    700 dev->driver_name ? dev->driver_name : "unknown");
    701
    702 diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
    703 index 102594ec3e97..a36b4fb949fa 100644
    704 --- a/drivers/media/usb/uvc/uvc_ctrl.c
    705 +++ b/drivers/media/usb/uvc/uvc_ctrl.c
    706 @@ -1607,14 +1607,12 @@ static int uvc_ctrl_get_flags(struct uvc_device *dev,
    707 ret = uvc_query_ctrl(dev, UVC_GET_INFO, ctrl->entity->id, dev->intfnum,
    708 info->selector, data, 1);
    709 if (!ret)
    710 - info->flags = UVC_CTRL_FLAG_GET_MIN | UVC_CTRL_FLAG_GET_MAX
    711 - | UVC_CTRL_FLAG_GET_RES | UVC_CTRL_FLAG_GET_DEF
    712 - | (data[0] & UVC_CONTROL_CAP_GET ?
    713 - UVC_CTRL_FLAG_GET_CUR : 0)
    714 - | (data[0] & UVC_CONTROL_CAP_SET ?
    715 - UVC_CTRL_FLAG_SET_CUR : 0)
    716 - | (data[0] & UVC_CONTROL_CAP_AUTOUPDATE ?
    717 - UVC_CTRL_FLAG_AUTO_UPDATE : 0);
    718 + info->flags |= (data[0] & UVC_CONTROL_CAP_GET ?
    719 + UVC_CTRL_FLAG_GET_CUR : 0)
    720 + | (data[0] & UVC_CONTROL_CAP_SET ?
    721 + UVC_CTRL_FLAG_SET_CUR : 0)
    722 + | (data[0] & UVC_CONTROL_CAP_AUTOUPDATE ?
    723 + UVC_CTRL_FLAG_AUTO_UPDATE : 0);
    724
    725 kfree(data);
    726 return ret;
    727 @@ -1689,6 +1687,9 @@ static int uvc_ctrl_fill_xu_info(struct uvc_device *dev,
    728
    729 info->size = le16_to_cpup((__le16 *)data);
    730
    731 + info->flags = UVC_CTRL_FLAG_GET_MIN | UVC_CTRL_FLAG_GET_MAX
    732 + | UVC_CTRL_FLAG_GET_RES | UVC_CTRL_FLAG_GET_DEF;
    733 +
    734 ret = uvc_ctrl_get_flags(dev, ctrl, info);
    735 if (ret < 0) {
    736 uvc_trace(UVC_TRACE_CONTROL,
    737 diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
    738 index 58c705f24f96..b594bae1adbd 100644
    739 --- a/drivers/net/bonding/bond_options.c
    740 +++ b/drivers/net/bonding/bond_options.c
    741 @@ -1142,6 +1142,7 @@ static int bond_option_primary_set(struct bonding *bond,
    742 slave->dev->name);
    743 rcu_assign_pointer(bond->primary_slave, slave);
    744 strcpy(bond->params.primary, slave->dev->name);
    745 + bond->force_primary = true;
    746 bond_select_active_slave(bond);
    747 goto out;
    748 }
    749 diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
    750 index a50e08bb4748..750007513f9d 100644
    751 --- a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
    752 +++ b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
    753 @@ -267,14 +267,13 @@ static int aq_pci_probe(struct pci_dev *pdev,
    754 numvecs = min(numvecs, num_online_cpus());
    755 /*enable interrupts */
    756 #if !AQ_CFG_FORCE_LEGACY_INT
    757 - numvecs = pci_alloc_irq_vectors(self->pdev, 1, numvecs,
    758 - PCI_IRQ_MSIX | PCI_IRQ_MSI |
    759 - PCI_IRQ_LEGACY);
    760 + err = pci_alloc_irq_vectors(self->pdev, 1, numvecs,
    761 + PCI_IRQ_MSIX | PCI_IRQ_MSI |
    762 + PCI_IRQ_LEGACY);
    763
    764 - if (numvecs < 0) {
    765 - err = numvecs;
    766 + if (err < 0)
    767 goto err_hwinit;
    768 - }
    769 + numvecs = err;
    770 #endif
    771 self->irqvecs = numvecs;
    772
    773 diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
    774 index da07ccdf84bf..eb8dccd24abf 100644
    775 --- a/drivers/net/hyperv/netvsc_drv.c
    776 +++ b/drivers/net/hyperv/netvsc_drv.c
    777 @@ -126,8 +126,10 @@ static int netvsc_open(struct net_device *net)
    778 }
    779
    780 rdev = nvdev->extension;
    781 - if (!rdev->link_state)
    782 + if (!rdev->link_state) {
    783 netif_carrier_on(net);
    784 + netif_tx_wake_all_queues(net);
    785 + }
    786
    787 if (vf_netdev) {
    788 /* Setting synthetic device up transparently sets
    789 diff --git a/drivers/net/phy/dp83848.c b/drivers/net/phy/dp83848.c
    790 index cd09c3af2117..6e8e42361fd5 100644
    791 --- a/drivers/net/phy/dp83848.c
    792 +++ b/drivers/net/phy/dp83848.c
    793 @@ -74,6 +74,25 @@ static int dp83848_config_intr(struct phy_device *phydev)
    794 return phy_write(phydev, DP83848_MICR, control);
    795 }
    796
    797 +static int dp83848_config_init(struct phy_device *phydev)
    798 +{
    799 + int err;
    800 + int val;
    801 +
    802 + err = genphy_config_init(phydev);
    803 + if (err < 0)
    804 + return err;
    805 +
    806 + /* DP83620 always reports Auto Negotiation Ability on BMSR. Instead,
    807 + * we check initial value of BMCR Auto negotiation enable bit
    808 + */
    809 + val = phy_read(phydev, MII_BMCR);
    810 + if (!(val & BMCR_ANENABLE))
    811 + phydev->autoneg = AUTONEG_DISABLE;
    812 +
    813 + return 0;
    814 +}
    815 +
    816 static struct mdio_device_id __maybe_unused dp83848_tbl[] = {
    817 { TI_DP83848C_PHY_ID, 0xfffffff0 },
    818 { NS_DP83848C_PHY_ID, 0xfffffff0 },
    819 @@ -83,7 +102,7 @@ static struct mdio_device_id __maybe_unused dp83848_tbl[] = {
    820 };
    821 MODULE_DEVICE_TABLE(mdio, dp83848_tbl);
    822
    823 -#define DP83848_PHY_DRIVER(_id, _name) \
    824 +#define DP83848_PHY_DRIVER(_id, _name, _config_init) \
    825 { \
    826 .phy_id = _id, \
    827 .phy_id_mask = 0xfffffff0, \
    828 @@ -92,7 +111,7 @@ MODULE_DEVICE_TABLE(mdio, dp83848_tbl);
    829 .flags = PHY_HAS_INTERRUPT, \
    830 \
    831 .soft_reset = genphy_soft_reset, \
    832 - .config_init = genphy_config_init, \
    833 + .config_init = _config_init, \
    834 .suspend = genphy_suspend, \
    835 .resume = genphy_resume, \
    836 \
    837 @@ -102,10 +121,14 @@ MODULE_DEVICE_TABLE(mdio, dp83848_tbl);
    838 }
    839
    840 static struct phy_driver dp83848_driver[] = {
    841 - DP83848_PHY_DRIVER(TI_DP83848C_PHY_ID, "TI DP83848C 10/100 Mbps PHY"),
    842 - DP83848_PHY_DRIVER(NS_DP83848C_PHY_ID, "NS DP83848C 10/100 Mbps PHY"),
    843 - DP83848_PHY_DRIVER(TI_DP83620_PHY_ID, "TI DP83620 10/100 Mbps PHY"),
    844 - DP83848_PHY_DRIVER(TLK10X_PHY_ID, "TI TLK10X 10/100 Mbps PHY"),
    845 + DP83848_PHY_DRIVER(TI_DP83848C_PHY_ID, "TI DP83848C 10/100 Mbps PHY",
    846 + genphy_config_init),
    847 + DP83848_PHY_DRIVER(NS_DP83848C_PHY_ID, "NS DP83848C 10/100 Mbps PHY",
    848 + genphy_config_init),
    849 + DP83848_PHY_DRIVER(TI_DP83620_PHY_ID, "TI DP83620 10/100 Mbps PHY",
    850 + dp83848_config_init),
    851 + DP83848_PHY_DRIVER(TLK10X_PHY_ID, "TI TLK10X 10/100 Mbps PHY",
    852 + genphy_config_init),
    853 };
    854 module_phy_driver(dp83848_driver);
    855
    856 diff --git a/drivers/net/tap.c b/drivers/net/tap.c
    857 index 9b6cb780affe..f0f7cd977667 100644
    858 --- a/drivers/net/tap.c
    859 +++ b/drivers/net/tap.c
    860 @@ -774,13 +774,16 @@ static ssize_t tap_put_user(struct tap_queue *q,
    861 int total;
    862
    863 if (q->flags & IFF_VNET_HDR) {
    864 + int vlan_hlen = skb_vlan_tag_present(skb) ? VLAN_HLEN : 0;
    865 struct virtio_net_hdr vnet_hdr;
    866 +
    867 vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
    868 if (iov_iter_count(iter) < vnet_hdr_len)
    869 return -EINVAL;
    870
    871 if (virtio_net_hdr_from_skb(skb, &vnet_hdr,
    872 - tap_is_little_endian(q), true))
    873 + tap_is_little_endian(q), true,
    874 + vlan_hlen))
    875 BUG();
    876
    877 if (copy_to_iter(&vnet_hdr, sizeof(vnet_hdr), iter) !=
    878 diff --git a/drivers/net/tun.c b/drivers/net/tun.c
    879 index 23e9eb66197f..409eb8b74740 100644
    880 --- a/drivers/net/tun.c
    881 +++ b/drivers/net/tun.c
    882 @@ -2078,7 +2078,8 @@ static ssize_t tun_put_user(struct tun_struct *tun,
    883 return -EINVAL;
    884
    885 if (virtio_net_hdr_from_skb(skb, &gso,
    886 - tun_is_little_endian(tun), true)) {
    887 + tun_is_little_endian(tun), true,
    888 + vlan_hlen)) {
    889 struct skb_shared_info *sinfo = skb_shinfo(skb);
    890 pr_err("unexpected GSO type: "
    891 "0x%x, gso_size %d, hdr_len %d\n",
    892 diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
    893 index 90d07ed224d5..b0e8b9613054 100644
    894 --- a/drivers/net/usb/cdc_ncm.c
    895 +++ b/drivers/net/usb/cdc_ncm.c
    896 @@ -1124,7 +1124,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign)
    897 * accordingly. Otherwise, we should check here.
    898 */
    899 if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END)
    900 - delayed_ndp_size = ctx->max_ndp_size;
    901 + delayed_ndp_size = ALIGN(ctx->max_ndp_size, ctx->tx_ndp_modulus);
    902 else
    903 delayed_ndp_size = 0;
    904
    905 @@ -1285,7 +1285,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign)
    906 /* If requested, put NDP at end of frame. */
    907 if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) {
    908 nth16 = (struct usb_cdc_ncm_nth16 *)skb_out->data;
    909 - cdc_ncm_align_tail(skb_out, ctx->tx_ndp_modulus, 0, ctx->tx_curr_size);
    910 + cdc_ncm_align_tail(skb_out, ctx->tx_ndp_modulus, 0, ctx->tx_curr_size - ctx->max_ndp_size);
    911 nth16->wNdpIndex = cpu_to_le16(skb_out->len);
    912 skb_put_data(skb_out, ctx->delayed_ndp16, ctx->max_ndp_size);
    913
    914 diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
    915 index 032e1ac10a30..8c7207535179 100644
    916 --- a/drivers/net/virtio_net.c
    917 +++ b/drivers/net/virtio_net.c
    918 @@ -1358,7 +1358,8 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
    919 hdr = skb_vnet_hdr(skb);
    920
    921 if (virtio_net_hdr_from_skb(skb, &hdr->hdr,
    922 - virtio_is_little_endian(vi->vdev), false))
    923 + virtio_is_little_endian(vi->vdev), false,
    924 + 0))
    925 BUG();
    926
    927 if (vi->mergeable_rx_bufs)
    928 diff --git a/drivers/net/wireless/intel/iwlwifi/fw/paging.c b/drivers/net/wireless/intel/iwlwifi/fw/paging.c
    929 index 1fec8e3a6b35..6afcfd1f0eec 100644
    930 --- a/drivers/net/wireless/intel/iwlwifi/fw/paging.c
    931 +++ b/drivers/net/wireless/intel/iwlwifi/fw/paging.c
    932 @@ -8,6 +8,7 @@
    933 * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
    934 * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
    935 * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
    936 + * Copyright(c) 2018 Intel Corporation
    937 *
    938 * This program is free software; you can redistribute it and/or modify
    939 * it under the terms of version 2 of the GNU General Public License as
    940 @@ -30,6 +31,7 @@
    941 * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
    942 * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
    943 * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
    944 + * Copyright(c) 2018 Intel Corporation
    945 * All rights reserved.
    946 *
    947 * Redistribution and use in source and binary forms, with or without
    948 @@ -163,7 +165,7 @@ static int iwl_alloc_fw_paging_mem(struct iwl_fw_runtime *fwrt,
    949 static int iwl_fill_paging_mem(struct iwl_fw_runtime *fwrt,
    950 const struct fw_img *image)
    951 {
    952 - int sec_idx, idx;
    953 + int sec_idx, idx, ret;
    954 u32 offset = 0;
    955
    956 /*
    957 @@ -190,17 +192,23 @@ static int iwl_fill_paging_mem(struct iwl_fw_runtime *fwrt,
    958 */
    959 if (sec_idx >= image->num_sec - 1) {
    960 IWL_ERR(fwrt, "Paging: Missing CSS and/or paging sections\n");
    961 - iwl_free_fw_paging(fwrt);
    962 - return -EINVAL;
    963 + ret = -EINVAL;
    964 + goto err;
    965 }
    966
    967 /* copy the CSS block to the dram */
    968 IWL_DEBUG_FW(fwrt, "Paging: load paging CSS to FW, sec = %d\n",
    969 sec_idx);
    970
    971 + if (image->sec[sec_idx].len > fwrt->fw_paging_db[0].fw_paging_size) {
    972 + IWL_ERR(fwrt, "CSS block is larger than paging size\n");
    973 + ret = -EINVAL;
    974 + goto err;
    975 + }
    976 +
    977 memcpy(page_address(fwrt->fw_paging_db[0].fw_paging_block),
    978 image->sec[sec_idx].data,
    979 - fwrt->fw_paging_db[0].fw_paging_size);
    980 + image->sec[sec_idx].len);
    981 dma_sync_single_for_device(fwrt->trans->dev,
    982 fwrt->fw_paging_db[0].fw_paging_phys,
    983 fwrt->fw_paging_db[0].fw_paging_size,
    984 @@ -221,6 +229,14 @@ static int iwl_fill_paging_mem(struct iwl_fw_runtime *fwrt,
    985 for (idx = 1; idx < fwrt->num_of_paging_blk; idx++) {
    986 struct iwl_fw_paging *block = &fwrt->fw_paging_db[idx];
    987
    988 + if (block->fw_paging_size > image->sec[sec_idx].len - offset) {
    989 + IWL_ERR(fwrt,
    990 + "Paging: paging size is larger than remaining data in block %d\n",
    991 + idx);
    992 + ret = -EINVAL;
    993 + goto err;
    994 + }
    995 +
    996 memcpy(page_address(block->fw_paging_block),
    997 image->sec[sec_idx].data + offset,
    998 block->fw_paging_size);
    999 @@ -231,19 +247,32 @@ static int iwl_fill_paging_mem(struct iwl_fw_runtime *fwrt,
    1000
    1001 IWL_DEBUG_FW(fwrt,
    1002 "Paging: copied %d paging bytes to block %d\n",
    1003 - fwrt->fw_paging_db[idx].fw_paging_size,
    1004 - idx);
    1005 + block->fw_paging_size, idx);
    1006
    1007 - offset += fwrt->fw_paging_db[idx].fw_paging_size;
    1008 + offset += block->fw_paging_size;
    1009 +
    1010 + if (offset > image->sec[sec_idx].len) {
    1011 + IWL_ERR(fwrt,
    1012 + "Paging: offset goes over section size\n");
    1013 + ret = -EINVAL;
    1014 + goto err;
    1015 + }
    1016 }
    1017
    1018 /* copy the last paging block */
    1019 if (fwrt->num_of_pages_in_last_blk > 0) {
    1020 struct iwl_fw_paging *block = &fwrt->fw_paging_db[idx];
    1021
    1022 + if (image->sec[sec_idx].len - offset > block->fw_paging_size) {
    1023 + IWL_ERR(fwrt,
    1024 + "Paging: last block is larger than paging size\n");
    1025 + ret = -EINVAL;
    1026 + goto err;
    1027 + }
    1028 +
    1029 memcpy(page_address(block->fw_paging_block),
    1030 image->sec[sec_idx].data + offset,
    1031 - FW_PAGING_SIZE * fwrt->num_of_pages_in_last_blk);
    1032 + image->sec[sec_idx].len - offset);
    1033 dma_sync_single_for_device(fwrt->trans->dev,
    1034 block->fw_paging_phys,
    1035 block->fw_paging_size,
    1036 @@ -255,6 +284,10 @@ static int iwl_fill_paging_mem(struct iwl_fw_runtime *fwrt,
    1037 }
    1038
    1039 return 0;
    1040 +
    1041 +err:
    1042 + iwl_free_fw_paging(fwrt);
    1043 + return ret;
    1044 }
    1045
    1046 static int iwl_save_fw_paging(struct iwl_fw_runtime *fwrt,
    1047 diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
    1048 index 17a0190bd88f..5dbb0f0c02ef 100644
    1049 --- a/drivers/nvme/host/pci.c
    1050 +++ b/drivers/nvme/host/pci.c
    1051 @@ -2679,8 +2679,15 @@ static pci_ers_result_t nvme_slot_reset(struct pci_dev *pdev)
    1052
    1053 dev_info(dev->ctrl.device, "restart after slot reset\n");
    1054 pci_restore_state(pdev);
    1055 - nvme_reset_ctrl(&dev->ctrl);
    1056 - return PCI_ERS_RESULT_RECOVERED;
    1057 + nvme_reset_ctrl_sync(&dev->ctrl);
    1058 +
    1059 + switch (dev->ctrl.state) {
    1060 + case NVME_CTRL_LIVE:
    1061 + case NVME_CTRL_ADMIN_ONLY:
    1062 + return PCI_ERS_RESULT_RECOVERED;
    1063 + default:
    1064 + return PCI_ERS_RESULT_DISCONNECT;
    1065 + }
    1066 }
    1067
    1068 static void nvme_error_resume(struct pci_dev *pdev)
    1069 diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
    1070 index f0be5f35ab28..9beefa6ed1ce 100644
    1071 --- a/drivers/vhost/vhost.c
    1072 +++ b/drivers/vhost/vhost.c
    1073 @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
    1074 struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
    1075 if (!node)
    1076 return NULL;
    1077 +
    1078 + /* Make sure all padding within the structure is initialized. */
    1079 + memset(&node->msg, 0, sizeof node->msg);
    1080 node->vq = vq;
    1081 node->msg.type = type;
    1082 return node;
    1083 diff --git a/drivers/w1/masters/mxc_w1.c b/drivers/w1/masters/mxc_w1.c
    1084 index 74f2e6e6202a..8851d441e5fd 100644
    1085 --- a/drivers/w1/masters/mxc_w1.c
    1086 +++ b/drivers/w1/masters/mxc_w1.c
    1087 @@ -112,6 +112,10 @@ static int mxc_w1_probe(struct platform_device *pdev)
    1088 if (IS_ERR(mdev->clk))
    1089 return PTR_ERR(mdev->clk);
    1090
    1091 + err = clk_prepare_enable(mdev->clk);
    1092 + if (err)
    1093 + return err;
    1094 +
    1095 clkrate = clk_get_rate(mdev->clk);
    1096 if (clkrate < 10000000)
    1097 dev_warn(&pdev->dev,
    1098 @@ -125,12 +129,10 @@ static int mxc_w1_probe(struct platform_device *pdev)
    1099
    1100 res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
    1101 mdev->regs = devm_ioremap_resource(&pdev->dev, res);
    1102 - if (IS_ERR(mdev->regs))
    1103 - return PTR_ERR(mdev->regs);
    1104 -
    1105 - err = clk_prepare_enable(mdev->clk);
    1106 - if (err)
    1107 - return err;
    1108 + if (IS_ERR(mdev->regs)) {
    1109 + err = PTR_ERR(mdev->regs);
    1110 + goto out_disable_clk;
    1111 + }
    1112
    1113 /* Software reset 1-Wire module */
    1114 writeb(MXC_W1_RESET_RST, mdev->regs + MXC_W1_RESET);
    1115 @@ -146,8 +148,12 @@ static int mxc_w1_probe(struct platform_device *pdev)
    1116
    1117 err = w1_add_master_device(&mdev->bus_master);
    1118 if (err)
    1119 - clk_disable_unprepare(mdev->clk);
    1120 + goto out_disable_clk;
    1121
    1122 + return 0;
    1123 +
    1124 +out_disable_clk:
    1125 + clk_disable_unprepare(mdev->clk);
    1126 return err;
    1127 }
    1128
    1129 diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
    1130 index a41b48f82a70..4de191563261 100644
    1131 --- a/fs/binfmt_misc.c
    1132 +++ b/fs/binfmt_misc.c
    1133 @@ -387,8 +387,13 @@ static Node *create_entry(const char __user *buffer, size_t count)
    1134 s = strchr(p, del);
    1135 if (!s)
    1136 goto einval;
    1137 - *s++ = '\0';
    1138 - e->offset = simple_strtoul(p, &p, 10);
    1139 + *s = '\0';
    1140 + if (p != s) {
    1141 + int r = kstrtoint(p, 10, &e->offset);
    1142 + if (r != 0 || e->offset < 0)
    1143 + goto einval;
    1144 + }
    1145 + p = s;
    1146 if (*p++)
    1147 goto einval;
    1148 pr_debug("register: offset: %#x\n", e->offset);
    1149 @@ -428,7 +433,8 @@ static Node *create_entry(const char __user *buffer, size_t count)
    1150 if (e->mask &&
    1151 string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
    1152 goto einval;
    1153 - if (e->size + e->offset > BINPRM_BUF_SIZE)
    1154 + if (e->size > BINPRM_BUF_SIZE ||
    1155 + BINPRM_BUF_SIZE - e->size < e->offset)
    1156 goto einval;
    1157 pr_debug("register: magic/mask length: %i\n", e->size);
    1158 if (USE_DEBUG) {
    1159 diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
    1160 index 0b86cf10cf2a..775a0f2d0b45 100644
    1161 --- a/fs/btrfs/inode.c
    1162 +++ b/fs/btrfs/inode.c
    1163 @@ -1018,8 +1018,10 @@ static noinline int cow_file_range(struct inode *inode,
    1164 ram_size, /* ram_bytes */
    1165 BTRFS_COMPRESS_NONE, /* compress_type */
    1166 BTRFS_ORDERED_REGULAR /* type */);
    1167 - if (IS_ERR(em))
    1168 + if (IS_ERR(em)) {
    1169 + ret = PTR_ERR(em);
    1170 goto out_reserve;
    1171 + }
    1172 free_extent_map(em);
    1173
    1174 ret = btrfs_add_ordered_extent(inode, start, ins.objectid,
    1175 diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
    1176 index 632e26d6f7ce..28fed3e8960b 100644
    1177 --- a/fs/btrfs/ioctl.c
    1178 +++ b/fs/btrfs/ioctl.c
    1179 @@ -2654,8 +2654,10 @@ static long btrfs_ioctl_rm_dev_v2(struct file *file, void __user *arg)
    1180 }
    1181
    1182 /* Check for compatibility reject unknown flags */
    1183 - if (vol_args->flags & ~BTRFS_VOL_ARG_V2_FLAGS_SUPPORTED)
    1184 - return -EOPNOTSUPP;
    1185 + if (vol_args->flags & ~BTRFS_VOL_ARG_V2_FLAGS_SUPPORTED) {
    1186 + ret = -EOPNOTSUPP;
    1187 + goto out;
    1188 + }
    1189
    1190 if (test_and_set_bit(BTRFS_FS_EXCL_OP, &fs_info->flags)) {
    1191 ret = BTRFS_ERROR_DEV_EXCL_RUN_IN_PROGRESS;
    1192 @@ -3826,11 +3828,6 @@ static noinline int btrfs_clone_files(struct file *file, struct file *file_src,
    1193 src->i_sb != inode->i_sb)
    1194 return -EXDEV;
    1195
    1196 - /* don't make the dst file partly checksummed */
    1197 - if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) !=
    1198 - (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM))
    1199 - return -EINVAL;
    1200 -
    1201 if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode))
    1202 return -EISDIR;
    1203
    1204 @@ -3840,6 +3837,13 @@ static noinline int btrfs_clone_files(struct file *file, struct file *file_src,
    1205 inode_lock(src);
    1206 }
    1207
    1208 + /* don't make the dst file partly checksummed */
    1209 + if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) !=
    1210 + (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) {
    1211 + ret = -EINVAL;
    1212 + goto out_unlock;
    1213 + }
    1214 +
    1215 /* determine range to clone */
    1216 ret = -EINVAL;
    1217 if (off + len > src->i_size || off + len < off)
    1218 diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
    1219 index 52b39a0924e9..ad8a69ba7f13 100644
    1220 --- a/fs/btrfs/scrub.c
    1221 +++ b/fs/btrfs/scrub.c
    1222 @@ -2799,7 +2799,7 @@ static int scrub_extent(struct scrub_ctx *sctx, struct map_lookup *map,
    1223 have_csum = scrub_find_csum(sctx, logical, csum);
    1224 if (have_csum == 0)
    1225 ++sctx->stat.no_csum;
    1226 - if (sctx->is_dev_replace && !have_csum) {
    1227 + if (0 && sctx->is_dev_replace && !have_csum) {
    1228 ret = copy_nocow_pages(sctx, logical, l,
    1229 mirror_num,
    1230 physical_for_dev_replace);
    1231 diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
    1232 index 0628092b0b1b..f82152a0cb38 100644
    1233 --- a/fs/btrfs/super.c
    1234 +++ b/fs/btrfs/super.c
    1235 @@ -323,6 +323,7 @@ enum {
    1236 Opt_ssd, Opt_nossd,
    1237 Opt_ssd_spread, Opt_nossd_spread,
    1238 Opt_subvol,
    1239 + Opt_subvol_empty,
    1240 Opt_subvolid,
    1241 Opt_thread_pool,
    1242 Opt_treelog, Opt_notreelog,
    1243 @@ -388,6 +389,7 @@ static const match_table_t tokens = {
    1244 {Opt_ssd_spread, "ssd_spread"},
    1245 {Opt_nossd_spread, "nossd_spread"},
    1246 {Opt_subvol, "subvol=%s"},
    1247 + {Opt_subvol_empty, "subvol="},
    1248 {Opt_subvolid, "subvolid=%s"},
    1249 {Opt_thread_pool, "thread_pool=%u"},
    1250 {Opt_treelog, "treelog"},
    1251 @@ -461,6 +463,7 @@ int btrfs_parse_options(struct btrfs_fs_info *info, char *options,
    1252 btrfs_set_opt(info->mount_opt, DEGRADED);
    1253 break;
    1254 case Opt_subvol:
    1255 + case Opt_subvol_empty:
    1256 case Opt_subvolid:
    1257 case Opt_subvolrootid:
    1258 case Opt_device:
    1259 diff --git a/fs/cifs/cifsacl.h b/fs/cifs/cifsacl.h
    1260 index 4f3884835267..dd95a6fa24bf 100644
    1261 --- a/fs/cifs/cifsacl.h
    1262 +++ b/fs/cifs/cifsacl.h
    1263 @@ -98,4 +98,18 @@ struct cifs_ace {
    1264 struct cifs_sid sid; /* ie UUID of user or group who gets these perms */
    1265 } __attribute__((packed));
    1266
    1267 +/*
    1268 + * Minimum security identifier can be one for system defined Users
    1269 + * and Groups such as NULL SID and World or Built-in accounts such
    1270 + * as Administrator and Guest and consists of
    1271 + * Revision + Num (Sub)Auths + Authority + Domain (one Subauthority)
    1272 + */
    1273 +#define MIN_SID_LEN (1 + 1 + 6 + 4) /* in bytes */
    1274 +
    1275 +/*
    1276 + * Minimum security descriptor can be one without any SACL and DACL and can
    1277 + * consist of revision, type, and two sids of minimum size for owner and group
    1278 + */
    1279 +#define MIN_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + (2 * MIN_SID_LEN))
    1280 +
    1281 #endif /* _CIFSACL_H */
    1282 diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
    1283 index 9c6d95ffca97..4ee32488ff74 100644
    1284 --- a/fs/cifs/smb2ops.c
    1285 +++ b/fs/cifs/smb2ops.c
    1286 @@ -1277,10 +1277,11 @@ smb2_is_session_expired(char *buf)
    1287 {
    1288 struct smb2_sync_hdr *shdr = get_sync_hdr(buf);
    1289
    1290 - if (shdr->Status != STATUS_NETWORK_SESSION_EXPIRED)
    1291 + if (shdr->Status != STATUS_NETWORK_SESSION_EXPIRED &&
    1292 + shdr->Status != STATUS_USER_SESSION_DELETED)
    1293 return false;
    1294
    1295 - cifs_dbg(FYI, "Session expired\n");
    1296 + cifs_dbg(FYI, "Session expired or deleted\n");
    1297 return true;
    1298 }
    1299
    1300 @@ -1593,8 +1594,11 @@ get_smb2_acl_by_path(struct cifs_sb_info *cifs_sb,
    1301 oparms.create_options = 0;
    1302
    1303 utf16_path = cifs_convert_path_to_utf16(path, cifs_sb);
    1304 - if (!utf16_path)
    1305 - return ERR_PTR(-ENOMEM);
    1306 + if (!utf16_path) {
    1307 + rc = -ENOMEM;
    1308 + free_xid(xid);
    1309 + return ERR_PTR(rc);
    1310 + }
    1311
    1312 oparms.tcon = tcon;
    1313 oparms.desired_access = READ_CONTROL;
    1314 @@ -1652,8 +1656,11 @@ set_smb2_acl(struct cifs_ntsd *pnntsd, __u32 acllen,
    1315 access_flags = WRITE_DAC;
    1316
    1317 utf16_path = cifs_convert_path_to_utf16(path, cifs_sb);
    1318 - if (!utf16_path)
    1319 - return -ENOMEM;
    1320 + if (!utf16_path) {
    1321 + rc = -ENOMEM;
    1322 + free_xid(xid);
    1323 + return rc;
    1324 + }
    1325
    1326 oparms.tcon = tcon;
    1327 oparms.desired_access = access_flags;
    1328 @@ -1713,15 +1720,21 @@ static long smb3_zero_range(struct file *file, struct cifs_tcon *tcon,
    1329
    1330 /* if file not oplocked can't be sure whether asking to extend size */
    1331 if (!CIFS_CACHE_READ(cifsi))
    1332 - if (keep_size == false)
    1333 - return -EOPNOTSUPP;
    1334 + if (keep_size == false) {
    1335 + rc = -EOPNOTSUPP;
    1336 + free_xid(xid);
    1337 + return rc;
    1338 + }
    1339
    1340 /*
    1341 * Must check if file sparse since fallocate -z (zero range) assumes
    1342 * non-sparse allocation
    1343 */
    1344 - if (!(cifsi->cifsAttrs & FILE_ATTRIBUTE_SPARSE_FILE))
    1345 - return -EOPNOTSUPP;
    1346 + if (!(cifsi->cifsAttrs & FILE_ATTRIBUTE_SPARSE_FILE)) {
    1347 + rc = -EOPNOTSUPP;
    1348 + free_xid(xid);
    1349 + return rc;
    1350 + }
    1351
    1352 /*
    1353 * need to make sure we are not asked to extend the file since the SMB3
    1354 @@ -1730,8 +1743,11 @@ static long smb3_zero_range(struct file *file, struct cifs_tcon *tcon,
    1355 * which for a non sparse file would zero the newly extended range
    1356 */
    1357 if (keep_size == false)
    1358 - if (i_size_read(inode) < offset + len)
    1359 - return -EOPNOTSUPP;
    1360 + if (i_size_read(inode) < offset + len) {
    1361 + rc = -EOPNOTSUPP;
    1362 + free_xid(xid);
    1363 + return rc;
    1364 + }
    1365
    1366 cifs_dbg(FYI, "offset %lld len %lld", offset, len);
    1367
    1368 @@ -1764,8 +1780,11 @@ static long smb3_punch_hole(struct file *file, struct cifs_tcon *tcon,
    1369
    1370 /* Need to make file sparse, if not already, before freeing range. */
    1371 /* Consider adding equivalent for compressed since it could also work */
    1372 - if (!smb2_set_sparse(xid, tcon, cfile, inode, set_sparse))
    1373 - return -EOPNOTSUPP;
    1374 + if (!smb2_set_sparse(xid, tcon, cfile, inode, set_sparse)) {
    1375 + rc = -EOPNOTSUPP;
    1376 + free_xid(xid);
    1377 + return rc;
    1378 + }
    1379
    1380 cifs_dbg(FYI, "offset %lld len %lld", offset, len);
    1381
    1382 @@ -1796,8 +1815,10 @@ static long smb3_simple_falloc(struct file *file, struct cifs_tcon *tcon,
    1383
    1384 /* if file not oplocked can't be sure whether asking to extend size */
    1385 if (!CIFS_CACHE_READ(cifsi))
    1386 - if (keep_size == false)
    1387 - return -EOPNOTSUPP;
    1388 + if (keep_size == false) {
    1389 + free_xid(xid);
    1390 + return rc;
    1391 + }
    1392
    1393 /*
    1394 * Files are non-sparse by default so falloc may be a no-op
    1395 @@ -1806,14 +1827,16 @@ static long smb3_simple_falloc(struct file *file, struct cifs_tcon *tcon,
    1396 */
    1397 if ((cifsi->cifsAttrs & FILE_ATTRIBUTE_SPARSE_FILE) == 0) {
    1398 if (keep_size == true)
    1399 - return 0;
    1400 + rc = 0;
    1401 /* check if extending file */
    1402 else if (i_size_read(inode) >= off + len)
    1403 /* not extending file and already not sparse */
    1404 - return 0;
    1405 + rc = 0;
    1406 /* BB: in future add else clause to extend file */
    1407 else
    1408 - return -EOPNOTSUPP;
    1409 + rc = -EOPNOTSUPP;
    1410 + free_xid(xid);
    1411 + return rc;
    1412 }
    1413
    1414 if ((keep_size == true) || (i_size_read(inode) >= off + len)) {
    1415 @@ -1825,8 +1848,11 @@ static long smb3_simple_falloc(struct file *file, struct cifs_tcon *tcon,
    1416 * ie potentially making a few extra pages at the beginning
    1417 * or end of the file non-sparse via set_sparse is harmless.
    1418 */
    1419 - if ((off > 8192) || (off + len + 8192 < i_size_read(inode)))
    1420 - return -EOPNOTSUPP;
    1421 + if ((off > 8192) || (off + len + 8192 < i_size_read(inode))) {
    1422 + rc = -EOPNOTSUPP;
    1423 + free_xid(xid);
    1424 + return rc;
    1425 + }
    1426
    1427 rc = smb2_set_sparse(xid, tcon, cfile, inode, false);
    1428 }
    1429 diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
    1430 index 0f48741a0130..32d7fd830aae 100644
    1431 --- a/fs/cifs/smb2pdu.c
    1432 +++ b/fs/cifs/smb2pdu.c
    1433 @@ -1276,6 +1276,7 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
    1434 sess_data->ses = ses;
    1435 sess_data->buf0_type = CIFS_NO_BUFFER;
    1436 sess_data->nls_cp = (struct nls_table *) nls_cp;
    1437 + sess_data->previous_session = ses->Suid;
    1438
    1439 #ifdef CONFIG_CIFS_SMB311
    1440 /*
    1441 @@ -2377,8 +2378,7 @@ SMB2_query_acl(const unsigned int xid, struct cifs_tcon *tcon,
    1442
    1443 return query_info(xid, tcon, persistent_fid, volatile_fid,
    1444 0, SMB2_O_INFO_SECURITY, additional_info,
    1445 - SMB2_MAX_BUFFER_SIZE,
    1446 - sizeof(struct smb2_file_all_info), data, plen);
    1447 + SMB2_MAX_BUFFER_SIZE, MIN_SEC_DESC_LEN, data, plen);
    1448 }
    1449
    1450 int
    1451 diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c
    1452 index c32802c956d5..bf7fa1507e81 100644
    1453 --- a/fs/ext4/indirect.c
    1454 +++ b/fs/ext4/indirect.c
    1455 @@ -561,10 +561,16 @@ int ext4_ind_map_blocks(handle_t *handle, struct inode *inode,
    1456 unsigned epb = inode->i_sb->s_blocksize / sizeof(u32);
    1457 int i;
    1458
    1459 - /* Count number blocks in a subtree under 'partial' */
    1460 - count = 1;
    1461 - for (i = 0; partial + i != chain + depth - 1; i++)
    1462 - count *= epb;
    1463 + /*
    1464 + * Count number blocks in a subtree under 'partial'. At each
    1465 + * level we count number of complete empty subtrees beyond
    1466 + * current offset and then descend into the subtree only
    1467 + * partially beyond current offset.
    1468 + */
    1469 + count = 0;
    1470 + for (i = partial - chain + 1; i < depth; i++)
    1471 + count = count * epb + (epb - offsets[i] - 1);
    1472 + count++;
    1473 /* Fill in size of a hole we found */
    1474 map->m_pblk = 0;
    1475 map->m_len = min_t(unsigned int, map->m_len, count);
    1476 diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
    1477 index 70cf4c7b268a..44b4fcdc3755 100644
    1478 --- a/fs/ext4/inline.c
    1479 +++ b/fs/ext4/inline.c
    1480 @@ -144,6 +144,12 @@ int ext4_find_inline_data_nolock(struct inode *inode)
    1481 goto out;
    1482
    1483 if (!is.s.not_found) {
    1484 + if (is.s.here->e_value_inum) {
    1485 + EXT4_ERROR_INODE(inode, "inline data xattr refers "
    1486 + "to an external xattr inode");
    1487 + error = -EFSCORRUPTED;
    1488 + goto out;
    1489 + }
    1490 EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here -
    1491 (void *)ext4_raw_inode(&is.iloc));
    1492 EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
    1493 diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
    1494 index 1e50c5efae67..c73cb9346aee 100644
    1495 --- a/fs/ext4/inode.c
    1496 +++ b/fs/ext4/inode.c
    1497 @@ -4298,28 +4298,28 @@ int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length)
    1498 EXT4_BLOCK_SIZE_BITS(sb);
    1499 stop_block = (offset + length) >> EXT4_BLOCK_SIZE_BITS(sb);
    1500
    1501 - /* If there are no blocks to remove, return now */
    1502 - if (first_block >= stop_block)
    1503 - goto out_stop;
    1504 + /* If there are blocks to remove, do it */
    1505 + if (stop_block > first_block) {
    1506
    1507 - down_write(&EXT4_I(inode)->i_data_sem);
    1508 - ext4_discard_preallocations(inode);
    1509 + down_write(&EXT4_I(inode)->i_data_sem);
    1510 + ext4_discard_preallocations(inode);
    1511
    1512 - ret = ext4_es_remove_extent(inode, first_block,
    1513 - stop_block - first_block);
    1514 - if (ret) {
    1515 - up_write(&EXT4_I(inode)->i_data_sem);
    1516 - goto out_stop;
    1517 - }
    1518 + ret = ext4_es_remove_extent(inode, first_block,
    1519 + stop_block - first_block);
    1520 + if (ret) {
    1521 + up_write(&EXT4_I(inode)->i_data_sem);
    1522 + goto out_stop;
    1523 + }
    1524
    1525 - if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
    1526 - ret = ext4_ext_remove_space(inode, first_block,
    1527 - stop_block - 1);
    1528 - else
    1529 - ret = ext4_ind_remove_space(handle, inode, first_block,
    1530 - stop_block);
    1531 + if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
    1532 + ret = ext4_ext_remove_space(inode, first_block,
    1533 + stop_block - 1);
    1534 + else
    1535 + ret = ext4_ind_remove_space(handle, inode, first_block,
    1536 + stop_block);
    1537
    1538 - up_write(&EXT4_I(inode)->i_data_sem);
    1539 + up_write(&EXT4_I(inode)->i_data_sem);
    1540 + }
    1541 if (IS_SYNC(inode))
    1542 ext4_handle_sync(handle);
    1543
    1544 @@ -4701,19 +4701,21 @@ static blkcnt_t ext4_inode_blocks(struct ext4_inode *raw_inode,
    1545 }
    1546 }
    1547
    1548 -static inline void ext4_iget_extra_inode(struct inode *inode,
    1549 +static inline int ext4_iget_extra_inode(struct inode *inode,
    1550 struct ext4_inode *raw_inode,
    1551 struct ext4_inode_info *ei)
    1552 {
    1553 __le32 *magic = (void *)raw_inode +
    1554 EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize;
    1555 +
    1556 if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <=
    1557 EXT4_INODE_SIZE(inode->i_sb) &&
    1558 *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
    1559 ext4_set_inode_state(inode, EXT4_STATE_XATTR);
    1560 - ext4_find_inline_data_nolock(inode);
    1561 + return ext4_find_inline_data_nolock(inode);
    1562 } else
    1563 EXT4_I(inode)->i_inline_off = 0;
    1564 + return 0;
    1565 }
    1566
    1567 int ext4_get_projid(struct inode *inode, kprojid_t *projid)
    1568 @@ -4893,7 +4895,9 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
    1569 ei->i_extra_isize = sizeof(struct ext4_inode) -
    1570 EXT4_GOOD_OLD_INODE_SIZE;
    1571 } else {
    1572 - ext4_iget_extra_inode(inode, raw_inode, ei);
    1573 + ret = ext4_iget_extra_inode(inode, raw_inode, ei);
    1574 + if (ret)
    1575 + goto bad_inode;
    1576 }
    1577 }
    1578
    1579 diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
    1580 index b6bec270a8e4..d792b7689d92 100644
    1581 --- a/fs/ext4/resize.c
    1582 +++ b/fs/ext4/resize.c
    1583 @@ -1933,7 +1933,7 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count)
    1584 return 0;
    1585
    1586 n_group = ext4_get_group_number(sb, n_blocks_count - 1);
    1587 - if (n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
    1588 + if (n_group >= (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
    1589 ext4_warning(sb, "resize would cause inodes_count overflow");
    1590 return -EINVAL;
    1591 }
    1592 diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
    1593 index 499cb4b1fbd2..fc4ced59c565 100644
    1594 --- a/fs/ext4/xattr.c
    1595 +++ b/fs/ext4/xattr.c
    1596 @@ -1688,7 +1688,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i,
    1597
    1598 /* No failures allowed past this point. */
    1599
    1600 - if (!s->not_found && here->e_value_offs) {
    1601 + if (!s->not_found && here->e_value_size && here->e_value_offs) {
    1602 /* Remove the old value. */
    1603 void *first_val = s->base + min_offs;
    1604 size_t offs = le16_to_cpu(here->e_value_offs);
    1605 diff --git a/fs/orangefs/inode.c b/fs/orangefs/inode.c
    1606 index 79c61da8b1bc..c65a51d87cac 100644
    1607 --- a/fs/orangefs/inode.c
    1608 +++ b/fs/orangefs/inode.c
    1609 @@ -269,6 +269,13 @@ int orangefs_getattr(const struct path *path, struct kstat *stat,
    1610 else
    1611 stat->result_mask = STATX_BASIC_STATS &
    1612 ~STATX_SIZE;
    1613 +
    1614 + stat->attributes_mask = STATX_ATTR_IMMUTABLE |
    1615 + STATX_ATTR_APPEND;
    1616 + if (inode->i_flags & S_IMMUTABLE)
    1617 + stat->attributes |= STATX_ATTR_IMMUTABLE;
    1618 + if (inode->i_flags & S_APPEND)
    1619 + stat->attributes |= STATX_ATTR_APPEND;
    1620 }
    1621 return ret;
    1622 }
    1623 diff --git a/fs/orangefs/namei.c b/fs/orangefs/namei.c
    1624 index 1b5707c44c3f..e026bee02a66 100644
    1625 --- a/fs/orangefs/namei.c
    1626 +++ b/fs/orangefs/namei.c
    1627 @@ -326,6 +326,13 @@ static int orangefs_symlink(struct inode *dir,
    1628 ret = PTR_ERR(inode);
    1629 goto out;
    1630 }
    1631 + /*
    1632 + * This is necessary because orangefs_inode_getattr will not
    1633 + * re-read symlink size as it is impossible for it to change.
    1634 + * Invalidating the cache does not help. orangefs_new_inode
    1635 + * does not set the correct size (it does not know symname).
    1636 + */
    1637 + inode->i_size = strlen(symname);
    1638
    1639 gossip_debug(GOSSIP_NAME_DEBUG,
    1640 "Assigned symlink inode new number of %pU\n",
    1641 diff --git a/include/linux/irq.h b/include/linux/irq.h
    1642 index 65916a305f3d..4e66378f290b 100644
    1643 --- a/include/linux/irq.h
    1644 +++ b/include/linux/irq.h
    1645 @@ -551,7 +551,12 @@ extern int irq_affinity_online_cpu(unsigned int cpu);
    1646 #endif
    1647
    1648 #if defined(CONFIG_SMP) && defined(CONFIG_GENERIC_PENDING_IRQ)
    1649 -void irq_move_irq(struct irq_data *data);
    1650 +void __irq_move_irq(struct irq_data *data);
    1651 +static inline void irq_move_irq(struct irq_data *data)
    1652 +{
    1653 + if (unlikely(irqd_is_setaffinity_pending(data)))
    1654 + __irq_move_irq(data);
    1655 +}
    1656 void irq_move_masked_irq(struct irq_data *data);
    1657 void irq_force_complete_move(struct irq_desc *desc);
    1658 #else
    1659 diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
    1660 index f144216febc6..9397628a1967 100644
    1661 --- a/include/linux/virtio_net.h
    1662 +++ b/include/linux/virtio_net.h
    1663 @@ -58,7 +58,8 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
    1664 static inline int virtio_net_hdr_from_skb(const struct sk_buff *skb,
    1665 struct virtio_net_hdr *hdr,
    1666 bool little_endian,
    1667 - bool has_data_valid)
    1668 + bool has_data_valid,
    1669 + int vlan_hlen)
    1670 {
    1671 memset(hdr, 0, sizeof(*hdr)); /* no info leak */
    1672
    1673 @@ -83,12 +84,8 @@ static inline int virtio_net_hdr_from_skb(const struct sk_buff *skb,
    1674
    1675 if (skb->ip_summed == CHECKSUM_PARTIAL) {
    1676 hdr->flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
    1677 - if (skb_vlan_tag_present(skb))
    1678 - hdr->csum_start = __cpu_to_virtio16(little_endian,
    1679 - skb_checksum_start_offset(skb) + VLAN_HLEN);
    1680 - else
    1681 - hdr->csum_start = __cpu_to_virtio16(little_endian,
    1682 - skb_checksum_start_offset(skb));
    1683 + hdr->csum_start = __cpu_to_virtio16(little_endian,
    1684 + skb_checksum_start_offset(skb) + vlan_hlen);
    1685 hdr->csum_offset = __cpu_to_virtio16(little_endian,
    1686 skb->csum_offset);
    1687 } else if (has_data_valid &&
    1688 diff --git a/include/net/transp_v6.h b/include/net/transp_v6.h
    1689 index c4f5caaf3778..f6a3543e5247 100644
    1690 --- a/include/net/transp_v6.h
    1691 +++ b/include/net/transp_v6.h
    1692 @@ -45,8 +45,15 @@ int ip6_datagram_send_ctl(struct net *net, struct sock *sk, struct msghdr *msg,
    1693 struct flowi6 *fl6, struct ipcm6_cookie *ipc6,
    1694 struct sockcm_cookie *sockc);
    1695
    1696 -void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
    1697 - __u16 srcp, __u16 destp, int bucket);
    1698 +void __ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
    1699 + __u16 srcp, __u16 destp, int rqueue, int bucket);
    1700 +static inline void
    1701 +ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp, __u16 srcp,
    1702 + __u16 destp, int bucket)
    1703 +{
    1704 + __ip6_dgram_sock_seq_show(seq, sp, srcp, destp, sk_rmem_alloc_get(sp),
    1705 + bucket);
    1706 +}
    1707
    1708 #define LOOPBACK4_IPV6 cpu_to_be32(0x7f000006)
    1709
    1710 diff --git a/include/net/udp.h b/include/net/udp.h
    1711 index 0676b272f6ac..1db85dcb06f6 100644
    1712 --- a/include/net/udp.h
    1713 +++ b/include/net/udp.h
    1714 @@ -244,6 +244,11 @@ static inline __be16 udp_flow_src_port(struct net *net, struct sk_buff *skb,
    1715 return htons((((u64) hash * (max - min)) >> 32) + min);
    1716 }
    1717
    1718 +static inline int udp_rqueue_get(struct sock *sk)
    1719 +{
    1720 + return sk_rmem_alloc_get(sk) - READ_ONCE(udp_sk(sk)->forward_deficit);
    1721 +}
    1722 +
    1723 /* net/ipv4/udp.c */
    1724 void udp_destruct_sock(struct sock *sk);
    1725 void skb_consume_udp(struct sock *sk, struct sk_buff *skb, int len);
    1726 diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
    1727 index e3336d904f64..facfecfc543c 100644
    1728 --- a/kernel/irq/manage.c
    1729 +++ b/kernel/irq/manage.c
    1730 @@ -204,6 +204,39 @@ int irq_do_set_affinity(struct irq_data *data, const struct cpumask *mask,
    1731 return ret;
    1732 }
    1733
    1734 +#ifdef CONFIG_GENERIC_PENDING_IRQ
    1735 +static inline int irq_set_affinity_pending(struct irq_data *data,
    1736 + const struct cpumask *dest)
    1737 +{
    1738 + struct irq_desc *desc = irq_data_to_desc(data);
    1739 +
    1740 + irqd_set_move_pending(data);
    1741 + irq_copy_pending(desc, dest);
    1742 + return 0;
    1743 +}
    1744 +#else
    1745 +static inline int irq_set_affinity_pending(struct irq_data *data,
    1746 + const struct cpumask *dest)
    1747 +{
    1748 + return -EBUSY;
    1749 +}
    1750 +#endif
    1751 +
    1752 +static int irq_try_set_affinity(struct irq_data *data,
    1753 + const struct cpumask *dest, bool force)
    1754 +{
    1755 + int ret = irq_do_set_affinity(data, dest, force);
    1756 +
    1757 + /*
    1758 + * In case that the underlying vector management is busy and the
    1759 + * architecture supports the generic pending mechanism then utilize
    1760 + * this to avoid returning an error to user space.
    1761 + */
    1762 + if (ret == -EBUSY && !force)
    1763 + ret = irq_set_affinity_pending(data, dest);
    1764 + return ret;
    1765 +}
    1766 +
    1767 int irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask,
    1768 bool force)
    1769 {
    1770 @@ -214,8 +247,8 @@ int irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask,
    1771 if (!chip || !chip->irq_set_affinity)
    1772 return -EINVAL;
    1773
    1774 - if (irq_can_move_pcntxt(data)) {
    1775 - ret = irq_do_set_affinity(data, mask, force);
    1776 + if (irq_can_move_pcntxt(data) && !irqd_is_setaffinity_pending(data)) {
    1777 + ret = irq_try_set_affinity(data, mask, force);
    1778 } else {
    1779 irqd_set_move_pending(data);
    1780 irq_copy_pending(desc, mask);
    1781 diff --git a/kernel/irq/migration.c b/kernel/irq/migration.c
    1782 index 86ae0eb80b53..def48589ea48 100644
    1783 --- a/kernel/irq/migration.c
    1784 +++ b/kernel/irq/migration.c
    1785 @@ -38,17 +38,18 @@ bool irq_fixup_move_pending(struct irq_desc *desc, bool force_clear)
    1786 void irq_move_masked_irq(struct irq_data *idata)
    1787 {
    1788 struct irq_desc *desc = irq_data_to_desc(idata);
    1789 - struct irq_chip *chip = desc->irq_data.chip;
    1790 + struct irq_data *data = &desc->irq_data;
    1791 + struct irq_chip *chip = data->chip;
    1792
    1793 - if (likely(!irqd_is_setaffinity_pending(&desc->irq_data)))
    1794 + if (likely(!irqd_is_setaffinity_pending(data)))
    1795 return;
    1796
    1797 - irqd_clr_move_pending(&desc->irq_data);
    1798 + irqd_clr_move_pending(data);
    1799
    1800 /*
    1801 * Paranoia: cpu-local interrupts shouldn't be calling in here anyway.
    1802 */
    1803 - if (irqd_is_per_cpu(&desc->irq_data)) {
    1804 + if (irqd_is_per_cpu(data)) {
    1805 WARN_ON(1);
    1806 return;
    1807 }
    1808 @@ -73,13 +74,24 @@ void irq_move_masked_irq(struct irq_data *idata)
    1809 * For correct operation this depends on the caller
    1810 * masking the irqs.
    1811 */
    1812 - if (cpumask_any_and(desc->pending_mask, cpu_online_mask) < nr_cpu_ids)
    1813 - irq_do_set_affinity(&desc->irq_data, desc->pending_mask, false);
    1814 -
    1815 + if (cpumask_any_and(desc->pending_mask, cpu_online_mask) < nr_cpu_ids) {
    1816 + int ret;
    1817 +
    1818 + ret = irq_do_set_affinity(data, desc->pending_mask, false);
    1819 + /*
    1820 + * If the there is a cleanup pending in the underlying
    1821 + * vector management, reschedule the move for the next
    1822 + * interrupt. Leave desc->pending_mask intact.
    1823 + */
    1824 + if (ret == -EBUSY) {
    1825 + irqd_set_move_pending(data);
    1826 + return;
    1827 + }
    1828 + }
    1829 cpumask_clear(desc->pending_mask);
    1830 }
    1831
    1832 -void irq_move_irq(struct irq_data *idata)
    1833 +void __irq_move_irq(struct irq_data *idata)
    1834 {
    1835 bool masked;
    1836
    1837 @@ -90,9 +102,6 @@ void irq_move_irq(struct irq_data *idata)
    1838 */
    1839 idata = irq_desc_get_irq_data(irq_data_to_desc(idata));
    1840
    1841 - if (likely(!irqd_is_setaffinity_pending(idata)))
    1842 - return;
    1843 -
    1844 if (unlikely(irqd_irq_disabled(idata)))
    1845 return;
    1846
    1847 diff --git a/mm/backing-dev.c b/mm/backing-dev.c
    1848 index 7441bd93b732..8fe3ebd6ac00 100644
    1849 --- a/mm/backing-dev.c
    1850 +++ b/mm/backing-dev.c
    1851 @@ -412,6 +412,7 @@ static void wb_exit(struct bdi_writeback *wb)
    1852 * protected.
    1853 */
    1854 static DEFINE_SPINLOCK(cgwb_lock);
    1855 +static struct workqueue_struct *cgwb_release_wq;
    1856
    1857 /**
    1858 * wb_congested_get_create - get or create a wb_congested
    1859 @@ -522,7 +523,7 @@ static void cgwb_release(struct percpu_ref *refcnt)
    1860 {
    1861 struct bdi_writeback *wb = container_of(refcnt, struct bdi_writeback,
    1862 refcnt);
    1863 - schedule_work(&wb->release_work);
    1864 + queue_work(cgwb_release_wq, &wb->release_work);
    1865 }
    1866
    1867 static void cgwb_kill(struct bdi_writeback *wb)
    1868 @@ -784,6 +785,21 @@ static void cgwb_bdi_register(struct backing_dev_info *bdi)
    1869 spin_unlock_irq(&cgwb_lock);
    1870 }
    1871
    1872 +static int __init cgwb_init(void)
    1873 +{
    1874 + /*
    1875 + * There can be many concurrent release work items overwhelming
    1876 + * system_wq. Put them in a separate wq and limit concurrency.
    1877 + * There's no point in executing many of these in parallel.
    1878 + */
    1879 + cgwb_release_wq = alloc_workqueue("cgwb_release", 0, 1);
    1880 + if (!cgwb_release_wq)
    1881 + return -ENOMEM;
    1882 +
    1883 + return 0;
    1884 +}
    1885 +subsys_initcall(cgwb_init);
    1886 +
    1887 #else /* CONFIG_CGROUP_WRITEBACK */
    1888
    1889 static int cgwb_bdi_init(struct backing_dev_info *bdi)
    1890 diff --git a/mm/page_alloc.c b/mm/page_alloc.c
    1891 index 22320ea27489..d2d0eb9536a3 100644
    1892 --- a/mm/page_alloc.c
    1893 +++ b/mm/page_alloc.c
    1894 @@ -4162,7 +4162,6 @@ __alloc_pages_slowpath(gfp_t gfp_mask, unsigned int order,
    1895 * orientated.
    1896 */
    1897 if (!(alloc_flags & ALLOC_CPUSET) || reserve_flags) {
    1898 - ac->zonelist = node_zonelist(numa_node_id(), gfp_mask);
    1899 ac->preferred_zoneref = first_zones_zonelist(ac->zonelist,
    1900 ac->high_zoneidx, ac->nodemask);
    1901 }
    1902 diff --git a/net/dsa/tag_trailer.c b/net/dsa/tag_trailer.c
    1903 index 7d20e1f3de28..56197f0d9608 100644
    1904 --- a/net/dsa/tag_trailer.c
    1905 +++ b/net/dsa/tag_trailer.c
    1906 @@ -75,7 +75,8 @@ static struct sk_buff *trailer_rcv(struct sk_buff *skb, struct net_device *dev,
    1907 if (!skb->dev)
    1908 return NULL;
    1909
    1910 - pskb_trim_rcsum(skb, skb->len - 4);
    1911 + if (pskb_trim_rcsum(skb, skb->len - 4))
    1912 + return NULL;
    1913
    1914 return skb;
    1915 }
    1916 diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
    1917 index f70586b50838..ef8cd0f7db89 100644
    1918 --- a/net/ipv4/tcp_ipv4.c
    1919 +++ b/net/ipv4/tcp_ipv4.c
    1920 @@ -1689,6 +1689,10 @@ int tcp_v4_rcv(struct sk_buff *skb)
    1921 reqsk_put(req);
    1922 goto discard_it;
    1923 }
    1924 + if (tcp_checksum_complete(skb)) {
    1925 + reqsk_put(req);
    1926 + goto csum_error;
    1927 + }
    1928 if (unlikely(sk->sk_state != TCP_LISTEN)) {
    1929 inet_csk_reqsk_queue_drop_and_put(sk, req);
    1930 goto lookup;
    1931 diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
    1932 index b61a770884fa..5f7bc5c6366a 100644
    1933 --- a/net/ipv4/udp.c
    1934 +++ b/net/ipv4/udp.c
    1935 @@ -2718,7 +2718,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
    1936 " %02X %08X:%08X %02X:%08lX %08X %5u %8d %lu %d %pK %d",
    1937 bucket, src, srcp, dest, destp, sp->sk_state,
    1938 sk_wmem_alloc_get(sp),
    1939 - sk_rmem_alloc_get(sp),
    1940 + udp_rqueue_get(sp),
    1941 0, 0L, 0,
    1942 from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
    1943 0, sock_i_ino(sp),
    1944 diff --git a/net/ipv4/udp_diag.c b/net/ipv4/udp_diag.c
    1945 index d0390d844ac8..d9ad986c7b2c 100644
    1946 --- a/net/ipv4/udp_diag.c
    1947 +++ b/net/ipv4/udp_diag.c
    1948 @@ -163,7 +163,7 @@ static int udp_diag_dump_one(struct sk_buff *in_skb, const struct nlmsghdr *nlh,
    1949 static void udp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
    1950 void *info)
    1951 {
    1952 - r->idiag_rqueue = sk_rmem_alloc_get(sk);
    1953 + r->idiag_rqueue = udp_rqueue_get(sk);
    1954 r->idiag_wqueue = sk_wmem_alloc_get(sk);
    1955 }
    1956
    1957 diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
    1958 index a02ad100f0d7..2ee08b6a86a4 100644
    1959 --- a/net/ipv6/datagram.c
    1960 +++ b/net/ipv6/datagram.c
    1961 @@ -1019,8 +1019,8 @@ int ip6_datagram_send_ctl(struct net *net, struct sock *sk,
    1962 }
    1963 EXPORT_SYMBOL_GPL(ip6_datagram_send_ctl);
    1964
    1965 -void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
    1966 - __u16 srcp, __u16 destp, int bucket)
    1967 +void __ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
    1968 + __u16 srcp, __u16 destp, int rqueue, int bucket)
    1969 {
    1970 const struct in6_addr *dest, *src;
    1971
    1972 @@ -1036,7 +1036,7 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
    1973 dest->s6_addr32[2], dest->s6_addr32[3], destp,
    1974 sp->sk_state,
    1975 sk_wmem_alloc_get(sp),
    1976 - sk_rmem_alloc_get(sp),
    1977 + rqueue,
    1978 0, 0L, 0,
    1979 from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
    1980 0,
    1981 diff --git a/net/ipv6/route.c b/net/ipv6/route.c
    1982 index 4530a82aaa2e..b94345e657f7 100644
    1983 --- a/net/ipv6/route.c
    1984 +++ b/net/ipv6/route.c
    1985 @@ -2149,9 +2149,6 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
    1986 const struct in6_addr *daddr, *saddr;
    1987 struct rt6_info *rt6 = (struct rt6_info *)dst;
    1988
    1989 - if (rt6->rt6i_flags & RTF_LOCAL)
    1990 - return;
    1991 -
    1992 if (dst_metric_locked(dst, RTAX_MTU))
    1993 return;
    1994
    1995 diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
    1996 index 6d664d83cd16..5d4eb9d2c3a7 100644
    1997 --- a/net/ipv6/tcp_ipv6.c
    1998 +++ b/net/ipv6/tcp_ipv6.c
    1999 @@ -1475,6 +1475,10 @@ static int tcp_v6_rcv(struct sk_buff *skb)
    2000 reqsk_put(req);
    2001 goto discard_it;
    2002 }
    2003 + if (tcp_checksum_complete(skb)) {
    2004 + reqsk_put(req);
    2005 + goto csum_error;
    2006 + }
    2007 if (unlikely(sk->sk_state != TCP_LISTEN)) {
    2008 inet_csk_reqsk_queue_drop_and_put(sk, req);
    2009 goto lookup;
    2010 diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
    2011 index ea0730028e5d..977bd5a07cab 100644
    2012 --- a/net/ipv6/udp.c
    2013 +++ b/net/ipv6/udp.c
    2014 @@ -1475,7 +1475,8 @@ int udp6_seq_show(struct seq_file *seq, void *v)
    2015 struct inet_sock *inet = inet_sk(v);
    2016 __u16 srcp = ntohs(inet->inet_sport);
    2017 __u16 destp = ntohs(inet->inet_dport);
    2018 - ip6_dgram_sock_seq_show(seq, v, srcp, destp, bucket);
    2019 + __ip6_dgram_sock_seq_show(seq, v, srcp, destp,
    2020 + udp_rqueue_get(v), bucket);
    2021 }
    2022 return 0;
    2023 }
    2024 diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
    2025 index 60c2a252bdf5..38d132d007ba 100644
    2026 --- a/net/packet/af_packet.c
    2027 +++ b/net/packet/af_packet.c
    2028 @@ -2037,7 +2037,7 @@ static int packet_rcv_vnet(struct msghdr *msg, const struct sk_buff *skb,
    2029 return -EINVAL;
    2030 *len -= sizeof(vnet_hdr);
    2031
    2032 - if (virtio_net_hdr_from_skb(skb, &vnet_hdr, vio_le(), true))
    2033 + if (virtio_net_hdr_from_skb(skb, &vnet_hdr, vio_le(), true, 0))
    2034 return -EINVAL;
    2035
    2036 return memcpy_to_msg(msg, (void *)&vnet_hdr, sizeof(vnet_hdr));
    2037 @@ -2304,7 +2304,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
    2038 if (do_vnet) {
    2039 if (virtio_net_hdr_from_skb(skb, h.raw + macoff -
    2040 sizeof(struct virtio_net_hdr),
    2041 - vio_le(), true)) {
    2042 + vio_le(), true, 0)) {
    2043 spin_lock(&sk->sk_receive_queue.lock);
    2044 goto drop_n_account;
    2045 }
    2046 diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
    2047 index 9618b4a83cee..98c4afe7c15b 100644
    2048 --- a/net/sched/act_simple.c
    2049 +++ b/net/sched/act_simple.c
    2050 @@ -53,22 +53,22 @@ static void tcf_simp_release(struct tc_action *a)
    2051 kfree(d->tcfd_defdata);
    2052 }
    2053
    2054 -static int alloc_defdata(struct tcf_defact *d, char *defdata)
    2055 +static int alloc_defdata(struct tcf_defact *d, const struct nlattr *defdata)
    2056 {
    2057 d->tcfd_defdata = kzalloc(SIMP_MAX_DATA, GFP_KERNEL);
    2058 if (unlikely(!d->tcfd_defdata))
    2059 return -ENOMEM;
    2060 - strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
    2061 + nla_strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
    2062 return 0;
    2063 }
    2064
    2065 -static void reset_policy(struct tcf_defact *d, char *defdata,
    2066 +static void reset_policy(struct tcf_defact *d, const struct nlattr *defdata,
    2067 struct tc_defact *p)
    2068 {
    2069 spin_lock_bh(&d->tcf_lock);
    2070 d->tcf_action = p->action;
    2071 memset(d->tcfd_defdata, 0, SIMP_MAX_DATA);
    2072 - strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
    2073 + nla_strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
    2074 spin_unlock_bh(&d->tcf_lock);
    2075 }
    2076
    2077 @@ -87,7 +87,6 @@ static int tcf_simp_init(struct net *net, struct nlattr *nla,
    2078 struct tcf_defact *d;
    2079 bool exists = false;
    2080 int ret = 0, err;
    2081 - char *defdata;
    2082
    2083 if (nla == NULL)
    2084 return -EINVAL;
    2085 @@ -110,8 +109,6 @@ static int tcf_simp_init(struct net *net, struct nlattr *nla,
    2086 return -EINVAL;
    2087 }
    2088
    2089 - defdata = nla_data(tb[TCA_DEF_DATA]);
    2090 -
    2091 if (!exists) {
    2092 ret = tcf_idr_create(tn, parm->index, est, a,
    2093 &act_simp_ops, bind, false);
    2094 @@ -119,7 +116,7 @@ static int tcf_simp_init(struct net *net, struct nlattr *nla,
    2095 return ret;
    2096
    2097 d = to_defact(*a);
    2098 - ret = alloc_defdata(d, defdata);
    2099 + ret = alloc_defdata(d, tb[TCA_DEF_DATA]);
    2100 if (ret < 0) {
    2101 tcf_idr_release(*a, bind);
    2102 return ret;
    2103 @@ -133,7 +130,7 @@ static int tcf_simp_init(struct net *net, struct nlattr *nla,
    2104 if (!ovr)
    2105 return -EEXIST;
    2106
    2107 - reset_policy(d, defdata, parm);
    2108 + reset_policy(d, tb[TCA_DEF_DATA], parm);
    2109 }
    2110
    2111 if (ret == ACT_P_CREATED)
    2112 diff --git a/net/socket.c b/net/socket.c
    2113 index f10f1d947c78..d1b02f161429 100644
    2114 --- a/net/socket.c
    2115 +++ b/net/socket.c
    2116 @@ -537,7 +537,10 @@ static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr)
    2117 if (!err && (iattr->ia_valid & ATTR_UID)) {
    2118 struct socket *sock = SOCKET_I(d_inode(dentry));
    2119
    2120 - sock->sk->sk_uid = iattr->ia_uid;
    2121 + if (sock->sk)
    2122 + sock->sk->sk_uid = iattr->ia_uid;
    2123 + else
    2124 + err = -ENOENT;
    2125 }
    2126
    2127 return err;
    2128 @@ -586,12 +589,16 @@ EXPORT_SYMBOL(sock_alloc);
    2129 * an inode not a file.
    2130 */
    2131
    2132 -void sock_release(struct socket *sock)
    2133 +static void __sock_release(struct socket *sock, struct inode *inode)
    2134 {
    2135 if (sock->ops) {
    2136 struct module *owner = sock->ops->owner;
    2137
    2138 + if (inode)
    2139 + inode_lock(inode);
    2140 sock->ops->release(sock);
    2141 + if (inode)
    2142 + inode_unlock(inode);
    2143 sock->ops = NULL;
    2144 module_put(owner);
    2145 }
    2146 @@ -605,6 +612,11 @@ void sock_release(struct socket *sock)
    2147 }
    2148 sock->file = NULL;
    2149 }
    2150 +
    2151 +void sock_release(struct socket *sock)
    2152 +{
    2153 + __sock_release(sock, NULL);
    2154 +}
    2155 EXPORT_SYMBOL(sock_release);
    2156
    2157 void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags)
    2158 @@ -1146,7 +1158,7 @@ static int sock_mmap(struct file *file, struct vm_area_struct *vma)
    2159
    2160 static int sock_close(struct inode *inode, struct file *filp)
    2161 {
    2162 - sock_release(SOCKET_I(inode));
    2163 + __sock_release(SOCKET_I(inode), inode);
    2164 return 0;
    2165 }
    2166
    2167 diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
    2168 index e1c93ce74e0f..5fe29121b9a8 100644
    2169 --- a/net/tls/tls_sw.c
    2170 +++ b/net/tls/tls_sw.c
    2171 @@ -191,18 +191,12 @@ static void tls_free_both_sg(struct sock *sk)
    2172 }
    2173
    2174 static int tls_do_encryption(struct tls_context *tls_ctx,
    2175 - struct tls_sw_context *ctx, size_t data_len,
    2176 - gfp_t flags)
    2177 + struct tls_sw_context *ctx,
    2178 + struct aead_request *aead_req,
    2179 + size_t data_len)
    2180 {
    2181 - unsigned int req_size = sizeof(struct aead_request) +
    2182 - crypto_aead_reqsize(ctx->aead_send);
    2183 - struct aead_request *aead_req;
    2184 int rc;
    2185
    2186 - aead_req = kzalloc(req_size, flags);
    2187 - if (!aead_req)
    2188 - return -ENOMEM;
    2189 -
    2190 ctx->sg_encrypted_data[0].offset += tls_ctx->tx.prepend_size;
    2191 ctx->sg_encrypted_data[0].length -= tls_ctx->tx.prepend_size;
    2192
    2193 @@ -219,7 +213,6 @@ static int tls_do_encryption(struct tls_context *tls_ctx,
    2194 ctx->sg_encrypted_data[0].offset -= tls_ctx->tx.prepend_size;
    2195 ctx->sg_encrypted_data[0].length += tls_ctx->tx.prepend_size;
    2196
    2197 - kfree(aead_req);
    2198 return rc;
    2199 }
    2200
    2201 @@ -228,8 +221,14 @@ static int tls_push_record(struct sock *sk, int flags,
    2202 {
    2203 struct tls_context *tls_ctx = tls_get_ctx(sk);
    2204 struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
    2205 + struct aead_request *req;
    2206 int rc;
    2207
    2208 + req = kzalloc(sizeof(struct aead_request) +
    2209 + crypto_aead_reqsize(ctx->aead_send), sk->sk_allocation);
    2210 + if (!req)
    2211 + return -ENOMEM;
    2212 +
    2213 sg_mark_end(ctx->sg_plaintext_data + ctx->sg_plaintext_num_elem - 1);
    2214 sg_mark_end(ctx->sg_encrypted_data + ctx->sg_encrypted_num_elem - 1);
    2215
    2216 @@ -245,15 +244,14 @@ static int tls_push_record(struct sock *sk, int flags,
    2217 tls_ctx->pending_open_record_frags = 0;
    2218 set_bit(TLS_PENDING_CLOSED_RECORD, &tls_ctx->flags);
    2219
    2220 - rc = tls_do_encryption(tls_ctx, ctx, ctx->sg_plaintext_size,
    2221 - sk->sk_allocation);
    2222 + rc = tls_do_encryption(tls_ctx, ctx, req, ctx->sg_plaintext_size);
    2223 if (rc < 0) {
    2224 /* If we are called from write_space and
    2225 * we fail, we need to set this SOCK_NOSPACE
    2226 * to trigger another write_space in the future.
    2227 */
    2228 set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
    2229 - return rc;
    2230 + goto out_req;
    2231 }
    2232
    2233 free_sg(sk, ctx->sg_plaintext_data, &ctx->sg_plaintext_num_elem,
    2234 @@ -268,6 +266,8 @@ static int tls_push_record(struct sock *sk, int flags,
    2235 tls_err_abort(sk, EBADMSG);
    2236
    2237 tls_advance_record_sn(sk, &tls_ctx->tx);
    2238 +out_req:
    2239 + kfree(req);
    2240 return rc;
    2241 }
    2242
    2243 @@ -755,7 +755,7 @@ int tls_sw_recvmsg(struct sock *sk,
    2244 struct sk_buff *skb;
    2245 ssize_t copied = 0;
    2246 bool cmsg = false;
    2247 - int err = 0;
    2248 + int target, err = 0;
    2249 long timeo;
    2250
    2251 flags |= nonblock;
    2252 @@ -765,6 +765,7 @@ int tls_sw_recvmsg(struct sock *sk,
    2253
    2254 lock_sock(sk);
    2255
    2256 + target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
    2257 timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
    2258 do {
    2259 bool zc = false;
    2260 @@ -857,6 +858,9 @@ int tls_sw_recvmsg(struct sock *sk,
    2261 goto recv_end;
    2262 }
    2263 }
    2264 + /* If we have a new message from strparser, continue now. */
    2265 + if (copied >= target && !ctx->recv_pkt)
    2266 + break;
    2267 } while (len);
    2268
    2269 recv_end:
    2270 diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
    2271 index d1eb14842340..a12e594d4e3b 100644
    2272 --- a/sound/pci/hda/hda_controller.c
    2273 +++ b/sound/pci/hda/hda_controller.c
    2274 @@ -748,8 +748,10 @@ int snd_hda_attach_pcm_stream(struct hda_bus *_bus, struct hda_codec *codec,
    2275 return err;
    2276 strlcpy(pcm->name, cpcm->name, sizeof(pcm->name));
    2277 apcm = kzalloc(sizeof(*apcm), GFP_KERNEL);
    2278 - if (apcm == NULL)
    2279 + if (apcm == NULL) {
    2280 + snd_device_free(chip->card, pcm);
    2281 return -ENOMEM;
    2282 + }
    2283 apcm->chip = chip;
    2284 apcm->pcm = pcm;
    2285 apcm->codec = codec;
    2286 diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
    2287 index 5b4dbcec6de8..ba9a7e552183 100644
    2288 --- a/sound/pci/hda/patch_conexant.c
    2289 +++ b/sound/pci/hda/patch_conexant.c
    2290 @@ -959,12 +959,15 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
    2291 SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
    2292 SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
    2293 SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
    2294 + SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
    2295 + SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
    2296 SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
    2297 SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
    2298 SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO),
    2299 SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO),
    2300 SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
    2301 SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
    2302 + SND_PCI_QUIRK(0x103c, 0x8455, "HP Z2 G4", CXT_FIXUP_HP_MIC_NO_PRESENCE),
    2303 SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
    2304 SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
    2305 SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),
    2306 diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
    2307 index 01a6643fc7d4..06c2c80a045b 100644
    2308 --- a/sound/pci/hda/patch_realtek.c
    2309 +++ b/sound/pci/hda/patch_realtek.c
    2310 @@ -6580,7 +6580,6 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
    2311 SND_PCI_QUIRK(0x17aa, 0x312f, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
    2312 SND_PCI_QUIRK(0x17aa, 0x3138, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
    2313 SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
    2314 - SND_PCI_QUIRK(0x17aa, 0x3112, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
    2315 SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
    2316 SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
    2317 SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
    2318 @@ -6752,6 +6751,11 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
    2319 {0x1b, 0x01111010},
    2320 {0x1e, 0x01451130},
    2321 {0x21, 0x02211020}),
    2322 + SND_HDA_PIN_QUIRK(0x10ec0235, 0x17aa, "Lenovo", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY,
    2323 + {0x12, 0x90a60140},
    2324 + {0x14, 0x90170110},
    2325 + {0x19, 0x02a11030},
    2326 + {0x21, 0x02211020}),
    2327 SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
    2328 {0x12, 0x90a60140},
    2329 {0x14, 0x90170110},
    2330 diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
    2331 index 754e632a27bd..02b7ad1946db 100644
    2332 --- a/sound/usb/quirks-table.h
    2333 +++ b/sound/usb/quirks-table.h
    2334 @@ -3277,6 +3277,10 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"),
    2335 }
    2336 },
    2337
    2338 +/* disabled due to regression for other devices;
    2339 + * see https://bugzilla.kernel.org/show_bug.cgi?id=199905
    2340 + */
    2341 +#if 0
    2342 {
    2343 /*
    2344 * Nura's first gen headphones use Cambridge Silicon Radio's vendor
    2345 @@ -3324,6 +3328,7 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"),
    2346 }
    2347 }
    2348 },
    2349 +#endif /* disabled */
    2350
    2351 {
    2352 /*