commit: 22ef91783c01811b111fe515ead18c5f4336220b Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Wed Apr 3 10:48:06 2019 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Wed Apr 3 10:48:06 2019 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=22ef9178
Linux patch 4.9.167 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> 0000_README | 4 + 1166_linux-4.9.167.patch | 1840 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 1844 insertions(+) diff --git a/0000_README b/0000_README index 64cbb0c..112b631 100644 --- a/0000_README +++ b/0000_README @@ -707,6 +707,10 @@ Patch: 1165_linux-4.9.166.patch From: http://www.kernel.org Desc: Linux 4.9.166 +Patch: 1166_linux-4.9.167.patch +From: http://www.kernel.org +Desc: Linux 4.9.167 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1166_linux-4.9.167.patch b/1166_linux-4.9.167.patch new file mode 100644 index 0000000..6d6de0d --- /dev/null +++ b/1166_linux-4.9.167.patch @@ -0,0 +1,1840 @@ +diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt +index 3ff58a8ffabb..d1908e50b506 100644 +--- a/Documentation/virtual/kvm/api.txt ++++ b/Documentation/virtual/kvm/api.txt +@@ -13,7 +13,7 @@ of a virtual machine. The ioctls belong to three classes + + - VM ioctls: These query and set attributes that affect an entire virtual + machine, for example memory layout. In addition a VM ioctl is used to +- create virtual cpus (vcpus). ++ create virtual cpus (vcpus) and devices. + + Only run VM ioctls from the same process (address space) that was used + to create the VM. +@@ -24,6 +24,11 @@ of a virtual machine. The ioctls belong to three classes + Only run vcpu ioctls from the same thread that was used to create the + vcpu. + ++ - device ioctls: These query and set attributes that control the operation ++ of a single device. ++ ++ device ioctls must be issued from the same process (address space) that ++ was used to create the VM. + + 2. File descriptors + ------------------- +@@ -32,10 +37,11 @@ The kvm API is centered around file descriptors. An initial + open("/dev/kvm") obtains a handle to the kvm subsystem; this handle + can be used to issue system ioctls. A KVM_CREATE_VM ioctl on this + handle will create a VM file descriptor which can be used to issue VM +-ioctls. A KVM_CREATE_VCPU ioctl on a VM fd will create a virtual cpu +-and return a file descriptor pointing to it. Finally, ioctls on a vcpu +-fd can be used to control the vcpu, including the important task of +-actually running guest code. ++ioctls. A KVM_CREATE_VCPU or KVM_CREATE_DEVICE ioctl on a VM fd will ++create a virtual cpu or device and return a file descriptor pointing to ++the new resource. Finally, ioctls on a vcpu or device fd can be used ++to control the vcpu or device. For vcpus, this includes the important ++task of actually running guest code. + + In general file descriptors can be migrated among processes by means + of fork() and the SCM_RIGHTS facility of unix domain socket. These +diff --git a/Makefile b/Makefile +index 90478086eff5..2f030baeb162 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 166 ++SUBLEVEL = 167 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/arm/mach-imx/cpuidle-imx6q.c b/arch/arm/mach-imx/cpuidle-imx6q.c +index bfeb25aaf9a2..326e870d7123 100644 +--- a/arch/arm/mach-imx/cpuidle-imx6q.c ++++ b/arch/arm/mach-imx/cpuidle-imx6q.c +@@ -16,30 +16,23 @@ + #include "cpuidle.h" + #include "hardware.h" + +-static atomic_t master = ATOMIC_INIT(0); +-static DEFINE_SPINLOCK(master_lock); ++static int num_idle_cpus = 0; ++static DEFINE_SPINLOCK(cpuidle_lock); + + static int imx6q_enter_wait(struct cpuidle_device *dev, + struct cpuidle_driver *drv, int index) + { +- if (atomic_inc_return(&master) == num_online_cpus()) { +- /* +- * With this lock, we prevent other cpu to exit and enter +- * this function again and become the master. +- */ +- if (!spin_trylock(&master_lock)) +- goto idle; ++ spin_lock(&cpuidle_lock); ++ if (++num_idle_cpus == num_online_cpus()) + imx6_set_lpm(WAIT_UNCLOCKED); +- cpu_do_idle(); +- imx6_set_lpm(WAIT_CLOCKED); +- spin_unlock(&master_lock); +- goto done; +- } ++ spin_unlock(&cpuidle_lock); + +-idle: + cpu_do_idle(); +-done: +- atomic_dec(&master); ++ ++ spin_lock(&cpuidle_lock); ++ if (num_idle_cpus-- == num_online_cpus()) ++ imx6_set_lpm(WAIT_CLOCKED); ++ spin_unlock(&cpuidle_lock); + + return index; + } +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 3e43874568f9..2eb8ae1b2d03 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -1079,6 +1079,10 @@ config SYSVIPC_COMPAT + def_bool y + depends on COMPAT && SYSVIPC + ++config KEYS_COMPAT ++ def_bool y ++ depends on COMPAT && KEYS ++ + endmenu + + menu "Power management options" +diff --git a/arch/powerpc/include/asm/ppc-opcode.h b/arch/powerpc/include/asm/ppc-opcode.h +index c4ced1d01d57..48e8f1f14872 100644 +--- a/arch/powerpc/include/asm/ppc-opcode.h ++++ b/arch/powerpc/include/asm/ppc-opcode.h +@@ -225,6 +225,7 @@ + /* Misc instructions for BPF compiler */ + #define PPC_INST_LBZ 0x88000000 + #define PPC_INST_LD 0xe8000000 ++#define PPC_INST_LDX 0x7c00002a + #define PPC_INST_LHZ 0xa0000000 + #define PPC_INST_LWZ 0x80000000 + #define PPC_INST_LHBRX 0x7c00062c +@@ -232,6 +233,7 @@ + #define PPC_INST_STB 0x98000000 + #define PPC_INST_STH 0xb0000000 + #define PPC_INST_STD 0xf8000000 ++#define PPC_INST_STDX 0x7c00012a + #define PPC_INST_STDU 0xf8000001 + #define PPC_INST_STW 0x90000000 + #define PPC_INST_STWU 0x94000000 +diff --git a/arch/powerpc/net/bpf_jit.h b/arch/powerpc/net/bpf_jit.h +index 89f70073dec8..7b1d1721a26a 100644 +--- a/arch/powerpc/net/bpf_jit.h ++++ b/arch/powerpc/net/bpf_jit.h +@@ -51,6 +51,8 @@ + #define PPC_LIS(r, i) PPC_ADDIS(r, 0, i) + #define PPC_STD(r, base, i) EMIT(PPC_INST_STD | ___PPC_RS(r) | \ + ___PPC_RA(base) | ((i) & 0xfffc)) ++#define PPC_STDX(r, base, b) EMIT(PPC_INST_STDX | ___PPC_RS(r) | \ ++ ___PPC_RA(base) | ___PPC_RB(b)) + #define PPC_STDU(r, base, i) EMIT(PPC_INST_STDU | ___PPC_RS(r) | \ + ___PPC_RA(base) | ((i) & 0xfffc)) + #define PPC_STW(r, base, i) EMIT(PPC_INST_STW | ___PPC_RS(r) | \ +@@ -65,7 +67,9 @@ + #define PPC_LBZ(r, base, i) EMIT(PPC_INST_LBZ | ___PPC_RT(r) | \ + ___PPC_RA(base) | IMM_L(i)) + #define PPC_LD(r, base, i) EMIT(PPC_INST_LD | ___PPC_RT(r) | \ +- ___PPC_RA(base) | IMM_L(i)) ++ ___PPC_RA(base) | ((i) & 0xfffc)) ++#define PPC_LDX(r, base, b) EMIT(PPC_INST_LDX | ___PPC_RT(r) | \ ++ ___PPC_RA(base) | ___PPC_RB(b)) + #define PPC_LWZ(r, base, i) EMIT(PPC_INST_LWZ | ___PPC_RT(r) | \ + ___PPC_RA(base) | IMM_L(i)) + #define PPC_LHZ(r, base, i) EMIT(PPC_INST_LHZ | ___PPC_RT(r) | \ +@@ -85,17 +89,6 @@ + ___PPC_RA(a) | ___PPC_RB(b)) + #define PPC_BPF_STDCX(s, a, b) EMIT(PPC_INST_STDCX | ___PPC_RS(s) | \ + ___PPC_RA(a) | ___PPC_RB(b)) +- +-#ifdef CONFIG_PPC64 +-#define PPC_BPF_LL(r, base, i) do { PPC_LD(r, base, i); } while(0) +-#define PPC_BPF_STL(r, base, i) do { PPC_STD(r, base, i); } while(0) +-#define PPC_BPF_STLU(r, base, i) do { PPC_STDU(r, base, i); } while(0) +-#else +-#define PPC_BPF_LL(r, base, i) do { PPC_LWZ(r, base, i); } while(0) +-#define PPC_BPF_STL(r, base, i) do { PPC_STW(r, base, i); } while(0) +-#define PPC_BPF_STLU(r, base, i) do { PPC_STWU(r, base, i); } while(0) +-#endif +- + #define PPC_CMPWI(a, i) EMIT(PPC_INST_CMPWI | ___PPC_RA(a) | IMM_L(i)) + #define PPC_CMPDI(a, i) EMIT(PPC_INST_CMPDI | ___PPC_RA(a) | IMM_L(i)) + #define PPC_CMPW(a, b) EMIT(PPC_INST_CMPW | ___PPC_RA(a) | \ +diff --git a/arch/powerpc/net/bpf_jit32.h b/arch/powerpc/net/bpf_jit32.h +index a8cd7e289ecd..81a9045d8410 100644 +--- a/arch/powerpc/net/bpf_jit32.h ++++ b/arch/powerpc/net/bpf_jit32.h +@@ -122,6 +122,10 @@ DECLARE_LOAD_FUNC(sk_load_byte_msh); + #define PPC_NTOHS_OFFS(r, base, i) PPC_LHZ_OFFS(r, base, i) + #endif + ++#define PPC_BPF_LL(r, base, i) do { PPC_LWZ(r, base, i); } while(0) ++#define PPC_BPF_STL(r, base, i) do { PPC_STW(r, base, i); } while(0) ++#define PPC_BPF_STLU(r, base, i) do { PPC_STWU(r, base, i); } while(0) ++ + #define SEEN_DATAREF 0x10000 /* might call external helpers */ + #define SEEN_XREG 0x20000 /* X reg is used */ + #define SEEN_MEM 0x40000 /* SEEN_MEM+(1<<n) = use mem[n] for temporary +diff --git a/arch/powerpc/net/bpf_jit64.h b/arch/powerpc/net/bpf_jit64.h +index 62fa7589db2b..bb944b6018d7 100644 +--- a/arch/powerpc/net/bpf_jit64.h ++++ b/arch/powerpc/net/bpf_jit64.h +@@ -86,6 +86,26 @@ DECLARE_LOAD_FUNC(sk_load_byte); + (imm >= SKF_LL_OFF ? func##_negative_offset : func) : \ + func##_positive_offset) + ++/* ++ * WARNING: These can use TMP_REG_2 if the offset is not at word boundary, ++ * so ensure that it isn't in use already. ++ */ ++#define PPC_BPF_LL(r, base, i) do { \ ++ if ((i) % 4) { \ ++ PPC_LI(b2p[TMP_REG_2], (i)); \ ++ PPC_LDX(r, base, b2p[TMP_REG_2]); \ ++ } else \ ++ PPC_LD(r, base, i); \ ++ } while(0) ++#define PPC_BPF_STL(r, base, i) do { \ ++ if ((i) % 4) { \ ++ PPC_LI(b2p[TMP_REG_2], (i)); \ ++ PPC_STDX(r, base, b2p[TMP_REG_2]); \ ++ } else \ ++ PPC_STD(r, base, i); \ ++ } while(0) ++#define PPC_BPF_STLU(r, base, i) do { PPC_STDU(r, base, i); } while(0) ++ + #define SEEN_FUNC 0x1000 /* might call external helpers */ + #define SEEN_STACK 0x2000 /* uses BPF stack */ + #define SEEN_SKB 0x4000 /* uses sk_buff */ +diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c +index bdbbc320b006..e7d78f9156ce 100644 +--- a/arch/powerpc/net/bpf_jit_comp64.c ++++ b/arch/powerpc/net/bpf_jit_comp64.c +@@ -265,7 +265,7 @@ static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 + * if (tail_call_cnt > MAX_TAIL_CALL_CNT) + * goto out; + */ +- PPC_LD(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx)); ++ PPC_BPF_LL(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx)); + PPC_CMPLWI(b2p[TMP_REG_1], MAX_TAIL_CALL_CNT); + PPC_BCC(COND_GT, out); + +@@ -278,7 +278,7 @@ static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 + /* prog = array->ptrs[index]; */ + PPC_MULI(b2p[TMP_REG_1], b2p_index, 8); + PPC_ADD(b2p[TMP_REG_1], b2p[TMP_REG_1], b2p_bpf_array); +- PPC_LD(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_array, ptrs)); ++ PPC_BPF_LL(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_array, ptrs)); + + /* + * if (prog == NULL) +@@ -288,7 +288,7 @@ static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 + PPC_BCC(COND_EQ, out); + + /* goto *(prog->bpf_func + prologue_size); */ +- PPC_LD(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_prog, bpf_func)); ++ PPC_BPF_LL(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_prog, bpf_func)); + #ifdef PPC64_ELF_ABI_v1 + /* skip past the function descriptor */ + PPC_ADDI(b2p[TMP_REG_1], b2p[TMP_REG_1], +@@ -620,7 +620,7 @@ bpf_alu32_trunc: + * the instructions generated will remain the + * same across all passes + */ +- PPC_STD(dst_reg, 1, bpf_jit_stack_local(ctx)); ++ PPC_BPF_STL(dst_reg, 1, bpf_jit_stack_local(ctx)); + PPC_ADDI(b2p[TMP_REG_1], 1, bpf_jit_stack_local(ctx)); + PPC_LDBRX(dst_reg, 0, b2p[TMP_REG_1]); + break; +@@ -676,7 +676,7 @@ emit_clear: + PPC_LI32(b2p[TMP_REG_1], imm); + src_reg = b2p[TMP_REG_1]; + } +- PPC_STD(src_reg, dst_reg, off); ++ PPC_BPF_STL(src_reg, dst_reg, off); + break; + + /* +@@ -723,7 +723,7 @@ emit_clear: + break; + /* dst = *(u64 *)(ul) (src + off) */ + case BPF_LDX | BPF_MEM | BPF_DW: +- PPC_LD(dst_reg, src_reg, off); ++ PPC_BPF_LL(dst_reg, src_reg, off); + break; + + /* +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index e31001ec4c07..5a4591ff8407 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -2051,14 +2051,8 @@ config RANDOMIZE_MEMORY_PHYSICAL_PADDING + If unsure, leave at the default value. + + config HOTPLUG_CPU +- bool "Support for hot-pluggable CPUs" ++ def_bool y + depends on SMP +- ---help--- +- Say Y here to allow turning CPUs off and on. CPUs can be +- controlled through /sys/devices/system/cpu. +- ( Note: power management support will enable this option +- automatically on SMP systems. ) +- Say N if you want to disable CPU hotplug. + + config BOOTPARAM_HOTPLUG_CPU0 + bool "Set default setting of cpu0_hotpluggable" +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index 9a8167b175d5..83b5b2990b49 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -487,6 +487,7 @@ struct kvm_vcpu_arch { + bool tpr_access_reporting; + u64 ia32_xss; + u64 microcode_version; ++ u64 arch_capabilities; + + /* + * Paging state of the vcpu +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index a34fb7284024..75466d9417b8 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -714,7 +714,6 @@ struct vcpu_vmx { + u64 msr_guest_kernel_gs_base; + #endif + +- u64 arch_capabilities; + u64 spec_ctrl; + + u32 vm_entry_controls_shadow; +@@ -3209,12 +3208,6 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + + msr_info->data = to_vmx(vcpu)->spec_ctrl; + break; +- case MSR_IA32_ARCH_CAPABILITIES: +- if (!msr_info->host_initiated && +- !guest_cpuid_has_arch_capabilities(vcpu)) +- return 1; +- msr_info->data = to_vmx(vcpu)->arch_capabilities; +- break; + case MSR_IA32_SYSENTER_CS: + msr_info->data = vmcs_read32(GUEST_SYSENTER_CS); + break; +@@ -3376,11 +3369,6 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + vmx_disable_intercept_for_msr(vmx->vmcs01.msr_bitmap, MSR_IA32_PRED_CMD, + MSR_TYPE_W); + break; +- case MSR_IA32_ARCH_CAPABILITIES: +- if (!msr_info->host_initiated) +- return 1; +- vmx->arch_capabilities = data; +- break; + case MSR_IA32_CR_PAT: + if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) { + if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data)) +@@ -5468,8 +5456,6 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx) + ++vmx->nmsrs; + } + +- vmx->arch_capabilities = kvm_get_arch_capabilities(); +- + vm_exit_controls_init(vmx, vmcs_config.vmexit_ctrl); + + /* 22.2.1, 20.8.1 */ +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index a29df9ccbfde..8285142556b5 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2197,6 +2197,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + if (msr_info->host_initiated) + vcpu->arch.microcode_version = data; + break; ++ case MSR_IA32_ARCH_CAPABILITIES: ++ if (!msr_info->host_initiated) ++ return 1; ++ vcpu->arch.arch_capabilities = data; ++ break; + case MSR_EFER: + return set_efer(vcpu, data); + case MSR_K7_HWCR: +@@ -2473,6 +2478,12 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + case MSR_IA32_UCODE_REV: + msr_info->data = vcpu->arch.microcode_version; + break; ++ case MSR_IA32_ARCH_CAPABILITIES: ++ if (!msr_info->host_initiated && ++ !guest_cpuid_has_arch_capabilities(vcpu)) ++ return 1; ++ msr_info->data = vcpu->arch.arch_capabilities; ++ break; + case MSR_MTRRcap: + case 0x200 ... 0x2ff: + return kvm_mtrr_get_msr(vcpu, msr_info->index, &msr_info->data); +@@ -7672,6 +7683,7 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu) + { + int r; + ++ vcpu->arch.arch_capabilities = kvm_get_arch_capabilities(); + kvm_vcpu_mtrr_init(vcpu); + r = vcpu_load(vcpu); + if (r) +diff --git a/drivers/gpio/gpio-adnp.c b/drivers/gpio/gpio-adnp.c +index 8ff7b0d3eac6..3b68c03a281d 100644 +--- a/drivers/gpio/gpio-adnp.c ++++ b/drivers/gpio/gpio-adnp.c +@@ -132,8 +132,10 @@ static int adnp_gpio_direction_input(struct gpio_chip *chip, unsigned offset) + if (err < 0) + goto out; + +- if (err & BIT(pos)) +- err = -EACCES; ++ if (value & BIT(pos)) { ++ err = -EPERM; ++ goto out; ++ } + + err = 0; + +diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c +index 480c2d7794eb..8feb8e9e29a6 100644 +--- a/drivers/isdn/hardware/mISDN/hfcmulti.c ++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c +@@ -4370,7 +4370,8 @@ setup_pci(struct hfc_multi *hc, struct pci_dev *pdev, + if (m->clock2) + test_and_set_bit(HFC_CHIP_CLOCK2, &hc->chip); + +- if (ent->device == 0xB410) { ++ if (ent->vendor == PCI_VENDOR_ID_DIGIUM && ++ ent->device == PCI_DEVICE_ID_DIGIUM_HFC4S) { + test_and_set_bit(HFC_CHIP_B410P, &hc->chip); + test_and_set_bit(HFC_CHIP_PCM_MASTER, &hc->chip); + test_and_clear_bit(HFC_CHIP_PCM_SLAVE, &hc->chip); +diff --git a/drivers/net/dsa/qca8k.c b/drivers/net/dsa/qca8k.c +index 7f64a76acd37..ebfbaf8597f4 100644 +--- a/drivers/net/dsa/qca8k.c ++++ b/drivers/net/dsa/qca8k.c +@@ -630,22 +630,6 @@ qca8k_adjust_link(struct dsa_switch *ds, int port, struct phy_device *phy) + qca8k_port_set_status(priv, port, 1); + } + +-static int +-qca8k_phy_read(struct dsa_switch *ds, int phy, int regnum) +-{ +- struct qca8k_priv *priv = (struct qca8k_priv *)ds->priv; +- +- return mdiobus_read(priv->bus, phy, regnum); +-} +- +-static int +-qca8k_phy_write(struct dsa_switch *ds, int phy, int regnum, u16 val) +-{ +- struct qca8k_priv *priv = (struct qca8k_priv *)ds->priv; +- +- return mdiobus_write(priv->bus, phy, regnum, val); +-} +- + static void + qca8k_get_strings(struct dsa_switch *ds, int port, uint8_t *data) + { +@@ -961,8 +945,6 @@ static struct dsa_switch_ops qca8k_switch_ops = { + .setup = qca8k_setup, + .adjust_link = qca8k_adjust_link, + .get_strings = qca8k_get_strings, +- .phy_read = qca8k_phy_read, +- .phy_write = qca8k_phy_write, + .get_ethtool_stats = qca8k_get_ethtool_stats, + .get_sset_count = qca8k_get_sset_count, + .get_eee = qca8k_get_eee, +diff --git a/drivers/net/ethernet/8390/mac8390.c b/drivers/net/ethernet/8390/mac8390.c +index b9283901136e..0fdc9ad32a2e 100644 +--- a/drivers/net/ethernet/8390/mac8390.c ++++ b/drivers/net/ethernet/8390/mac8390.c +@@ -156,8 +156,6 @@ static void dayna_block_output(struct net_device *dev, int count, + #define memcpy_fromio(a, b, c) memcpy((a), (void *)(b), (c)) + #define memcpy_toio(a, b, c) memcpy((void *)(a), (b), (c)) + +-#define memcmp_withio(a, b, c) memcmp((a), (void *)(b), (c)) +- + /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */ + static void slow_sane_get_8390_hdr(struct net_device *dev, + struct e8390_pkt_hdr *hdr, int ring_page); +@@ -237,19 +235,26 @@ static enum mac8390_type __init mac8390_ident(struct nubus_dev *dev) + + static enum mac8390_access __init mac8390_testio(volatile unsigned long membase) + { +- unsigned long outdata = 0xA5A0B5B0; +- unsigned long indata = 0x00000000; ++ u32 outdata = 0xA5A0B5B0; ++ u32 indata = 0; ++ + /* Try writing 32 bits */ +- memcpy_toio(membase, &outdata, 4); +- /* Now compare them */ +- if (memcmp_withio(&outdata, membase, 4) == 0) ++ nubus_writel(outdata, membase); ++ /* Now read it back */ ++ indata = nubus_readl(membase); ++ if (outdata == indata) + return ACCESS_32; ++ ++ outdata = 0xC5C0D5D0; ++ indata = 0; ++ + /* Write 16 bit output */ + word_memcpy_tocard(membase, &outdata, 4); + /* Now read it back */ + word_memcpy_fromcard(&indata, membase, 4); + if (outdata == indata) + return ACCESS_16; ++ + return ACCESS_UNKNOWN; + } + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 20a2b01b392c..fc437d75ac76 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2931,6 +2931,20 @@ static int stmmac_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) + return ret; + } + ++static int stmmac_set_mac_address(struct net_device *ndev, void *addr) ++{ ++ struct stmmac_priv *priv = netdev_priv(ndev); ++ int ret = 0; ++ ++ ret = eth_mac_addr(ndev, addr); ++ if (ret) ++ return ret; ++ ++ priv->hw->mac->set_umac_addr(priv->hw, ndev->dev_addr, 0); ++ ++ return ret; ++} ++ + #ifdef CONFIG_DEBUG_FS + static struct dentry *stmmac_fs_dir; + +@@ -3137,7 +3151,7 @@ static const struct net_device_ops stmmac_netdev_ops = { + #ifdef CONFIG_NET_POLL_CONTROLLER + .ndo_poll_controller = stmmac_poll_controller, + #endif +- .ndo_set_mac_address = eth_mac_addr, ++ .ndo_set_mac_address = stmmac_set_mac_address, + }; + + /** +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 24cc94453d38..88fe38d6a7ef 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1194,9 +1194,6 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + u32 rxhash; + ssize_t n; + +- if (!(tun->dev->flags & IFF_UP)) +- return -EIO; +- + if (!(tun->flags & IFF_NO_PI)) { + if (len < sizeof(pi)) + return -EINVAL; +@@ -1273,9 +1270,11 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + err = skb_copy_datagram_from_iter(skb, 0, from, len); + + if (err) { ++ err = -EFAULT; ++drop: + this_cpu_inc(tun->pcpu_stats->rx_dropped); + kfree_skb(skb); +- return -EFAULT; ++ return err; + } + + err = virtio_net_hdr_to_skb(skb, &gso, tun_is_little_endian(tun)); +@@ -1327,7 +1326,16 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + skb_probe_transport_header(skb, 0); + + rxhash = skb_get_hash(skb); ++ ++ rcu_read_lock(); ++ if (unlikely(!(tun->dev->flags & IFF_UP))) { ++ err = -EIO; ++ rcu_read_unlock(); ++ goto drop; ++ } ++ + netif_rx_ni(skb); ++ rcu_read_unlock(); + + stats = get_cpu_ptr(tun->pcpu_stats); + u64_stats_update_begin(&stats->syncp); +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 016f5da425ab..b6ee0c1690d8 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -3375,10 +3375,8 @@ static void __net_exit vxlan_exit_net(struct net *net) + /* If vxlan->dev is in the same netns, it has already been added + * to the list by the previous loop. + */ +- if (!net_eq(dev_net(vxlan->dev), net)) { +- gro_cells_destroy(&vxlan->gro_cells); ++ if (!net_eq(dev_net(vxlan->dev), net)) + unregister_netdevice_queue(vxlan->dev, &list); +- } + } + + unregister_netdevice_many(&list); +diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c +index 2abcd331b05d..abe460eac712 100644 +--- a/drivers/s390/scsi/zfcp_erp.c ++++ b/drivers/s390/scsi/zfcp_erp.c +@@ -652,6 +652,20 @@ static void zfcp_erp_strategy_memwait(struct zfcp_erp_action *erp_action) + add_timer(&erp_action->timer); + } + ++void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter, ++ int clear, char *dbftag) ++{ ++ unsigned long flags; ++ struct zfcp_port *port; ++ ++ write_lock_irqsave(&adapter->erp_lock, flags); ++ read_lock(&adapter->port_list_lock); ++ list_for_each_entry(port, &adapter->port_list, list) ++ _zfcp_erp_port_forced_reopen(port, clear, dbftag); ++ read_unlock(&adapter->port_list_lock); ++ write_unlock_irqrestore(&adapter->erp_lock, flags); ++} ++ + static void _zfcp_erp_port_reopen_all(struct zfcp_adapter *adapter, + int clear, char *id) + { +@@ -1306,6 +1320,9 @@ static void zfcp_erp_try_rport_unblock(struct zfcp_port *port) + struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev); + int lun_status; + ++ if (sdev->sdev_state == SDEV_DEL || ++ sdev->sdev_state == SDEV_CANCEL) ++ continue; + if (zsdev->port != port) + continue; + /* LUN under port of interest */ +diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h +index b326f05c7f89..a39a74500e23 100644 +--- a/drivers/s390/scsi/zfcp_ext.h ++++ b/drivers/s390/scsi/zfcp_ext.h +@@ -68,6 +68,8 @@ extern void zfcp_erp_clear_port_status(struct zfcp_port *, u32); + extern int zfcp_erp_port_reopen(struct zfcp_port *, int, char *); + extern void zfcp_erp_port_shutdown(struct zfcp_port *, int, char *); + extern void zfcp_erp_port_forced_reopen(struct zfcp_port *, int, char *); ++extern void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter, ++ int clear, char *dbftag); + extern void zfcp_erp_set_lun_status(struct scsi_device *, u32); + extern void zfcp_erp_clear_lun_status(struct scsi_device *, u32); + extern void zfcp_erp_lun_reopen(struct scsi_device *, int, char *); +diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c +index 3afb200b2829..bdb257eaa2e5 100644 +--- a/drivers/s390/scsi/zfcp_scsi.c ++++ b/drivers/s390/scsi/zfcp_scsi.c +@@ -326,6 +326,10 @@ static int zfcp_scsi_eh_host_reset_handler(struct scsi_cmnd *scpnt) + struct zfcp_adapter *adapter = zfcp_sdev->port->adapter; + int ret = SUCCESS, fc_ret; + ++ if (!(adapter->connection_features & FSF_FEATURE_NPIV_MODE)) { ++ zfcp_erp_port_forced_reopen_all(adapter, 0, "schrh_p"); ++ zfcp_erp_wait(adapter); ++ } + zfcp_erp_adapter_reopen(adapter, 0, "schrh_1"); + zfcp_erp_wait(adapter); + fc_ret = fc_block_scsi_eh(scpnt); +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 3e9cbba41464..58345d3d4682 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1284,11 +1284,6 @@ static void sd_release(struct gendisk *disk, fmode_t mode) + scsi_set_medium_removal(sdev, SCSI_REMOVAL_ALLOW); + } + +- /* +- * XXX and what if there are packets in flight and this close() +- * XXX is followed by a "rmmod sd_mod"? +- */ +- + scsi_disk_put(sdkp); + } + +@@ -2846,6 +2841,9 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp, + unsigned int opt_xfer_bytes = + logical_to_bytes(sdp, sdkp->opt_xfer_blocks); + ++ if (sdkp->opt_xfer_blocks == 0) ++ return false; ++ + if (sdkp->opt_xfer_blocks > dev_max) { + sd_first_printk(KERN_WARNING, sdkp, + "Optimal transfer size %u logical blocks " \ +@@ -3257,11 +3255,23 @@ static void scsi_disk_release(struct device *dev) + { + struct scsi_disk *sdkp = to_scsi_disk(dev); + struct gendisk *disk = sdkp->disk; +- ++ struct request_queue *q = disk->queue; ++ + spin_lock(&sd_index_lock); + ida_remove(&sd_index_ida, sdkp->index); + spin_unlock(&sd_index_lock); + ++ /* ++ * Wait until all requests that are in progress have completed. ++ * This is necessary to avoid that e.g. scsi_end_request() crashes ++ * due to clearing the disk->private_data pointer. Wait from inside ++ * scsi_disk_release() instead of from sd_release() to avoid that ++ * freezing and unfreezing the request queue affects user space I/O ++ * in case multiple processes open a /dev/sd... node concurrently. ++ */ ++ blk_mq_freeze_queue(q); ++ blk_mq_unfreeze_queue(q); ++ + disk->private_data = NULL; + put_disk(disk); + put_device(&sdkp->device->sdev_gendev); +diff --git a/drivers/staging/comedi/comedidev.h b/drivers/staging/comedi/comedidev.h +index dcb637665eb7..35432fbd6551 100644 +--- a/drivers/staging/comedi/comedidev.h ++++ b/drivers/staging/comedi/comedidev.h +@@ -984,6 +984,8 @@ int comedi_dio_insn_config(struct comedi_device *, struct comedi_subdevice *, + unsigned int mask); + unsigned int comedi_dio_update_state(struct comedi_subdevice *, + unsigned int *data); ++unsigned int comedi_bytes_per_scan_cmd(struct comedi_subdevice *s, ++ struct comedi_cmd *cmd); + unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s); + unsigned int comedi_nscans_left(struct comedi_subdevice *s, + unsigned int nscans); +diff --git a/drivers/staging/comedi/drivers.c b/drivers/staging/comedi/drivers.c +index 1736248bc5b8..8ca5493c66fe 100644 +--- a/drivers/staging/comedi/drivers.c ++++ b/drivers/staging/comedi/drivers.c +@@ -390,11 +390,13 @@ unsigned int comedi_dio_update_state(struct comedi_subdevice *s, + EXPORT_SYMBOL_GPL(comedi_dio_update_state); + + /** +- * comedi_bytes_per_scan() - Get length of asynchronous command "scan" in bytes ++ * comedi_bytes_per_scan_cmd() - Get length of asynchronous command "scan" in ++ * bytes + * @s: COMEDI subdevice. ++ * @cmd: COMEDI command. + * + * Determines the overall scan length according to the subdevice type and the +- * number of channels in the scan. ++ * number of channels in the scan for the specified command. + * + * For digital input, output or input/output subdevices, samples for + * multiple channels are assumed to be packed into one or more unsigned +@@ -404,9 +406,9 @@ EXPORT_SYMBOL_GPL(comedi_dio_update_state); + * + * Returns the overall scan length in bytes. + */ +-unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s) ++unsigned int comedi_bytes_per_scan_cmd(struct comedi_subdevice *s, ++ struct comedi_cmd *cmd) + { +- struct comedi_cmd *cmd = &s->async->cmd; + unsigned int num_samples; + unsigned int bits_per_sample; + +@@ -423,6 +425,29 @@ unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s) + } + return comedi_samples_to_bytes(s, num_samples); + } ++EXPORT_SYMBOL_GPL(comedi_bytes_per_scan_cmd); ++ ++/** ++ * comedi_bytes_per_scan() - Get length of asynchronous command "scan" in bytes ++ * @s: COMEDI subdevice. ++ * ++ * Determines the overall scan length according to the subdevice type and the ++ * number of channels in the scan for the current command. ++ * ++ * For digital input, output or input/output subdevices, samples for ++ * multiple channels are assumed to be packed into one or more unsigned ++ * short or unsigned int values according to the subdevice's %SDF_LSAMPL ++ * flag. For other types of subdevice, samples are assumed to occupy a ++ * whole unsigned short or unsigned int according to the %SDF_LSAMPL flag. ++ * ++ * Returns the overall scan length in bytes. ++ */ ++unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s) ++{ ++ struct comedi_cmd *cmd = &s->async->cmd; ++ ++ return comedi_bytes_per_scan_cmd(s, cmd); ++} + EXPORT_SYMBOL_GPL(comedi_bytes_per_scan); + + static unsigned int __comedi_nscans_left(struct comedi_subdevice *s, +diff --git a/drivers/staging/comedi/drivers/ni_mio_common.c b/drivers/staging/comedi/drivers/ni_mio_common.c +index 0fa85d55c82f..fe03a41dc5cf 100644 +--- a/drivers/staging/comedi/drivers/ni_mio_common.c ++++ b/drivers/staging/comedi/drivers/ni_mio_common.c +@@ -3477,6 +3477,7 @@ static int ni_cdio_check_chanlist(struct comedi_device *dev, + static int ni_cdio_cmdtest(struct comedi_device *dev, + struct comedi_subdevice *s, struct comedi_cmd *cmd) + { ++ unsigned int bytes_per_scan; + int err = 0; + int tmp; + +@@ -3506,9 +3507,12 @@ static int ni_cdio_cmdtest(struct comedi_device *dev, + err |= comedi_check_trigger_arg_is(&cmd->convert_arg, 0); + err |= comedi_check_trigger_arg_is(&cmd->scan_end_arg, + cmd->chanlist_len); +- err |= comedi_check_trigger_arg_max(&cmd->stop_arg, +- s->async->prealloc_bufsz / +- comedi_bytes_per_scan(s)); ++ bytes_per_scan = comedi_bytes_per_scan_cmd(s, cmd); ++ if (bytes_per_scan) { ++ err |= comedi_check_trigger_arg_max(&cmd->stop_arg, ++ s->async->prealloc_bufsz / ++ bytes_per_scan); ++ } + + if (err) + return 3; +diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c +index ab96629b7889..22e5116e74f8 100644 +--- a/drivers/staging/vt6655/device_main.c ++++ b/drivers/staging/vt6655/device_main.c +@@ -977,8 +977,6 @@ static void vnt_interrupt_process(struct vnt_private *priv) + return; + } + +- MACvIntDisable(priv->PortOffset); +- + spin_lock_irqsave(&priv->lock, flags); + + /* Read low level stats */ +@@ -1067,8 +1065,6 @@ static void vnt_interrupt_process(struct vnt_private *priv) + } + + spin_unlock_irqrestore(&priv->lock, flags); +- +- MACvIntEnable(priv->PortOffset, IMR_MASK_VALUE); + } + + static void vnt_interrupt_work(struct work_struct *work) +@@ -1078,14 +1074,17 @@ static void vnt_interrupt_work(struct work_struct *work) + + if (priv->vif) + vnt_interrupt_process(priv); ++ ++ MACvIntEnable(priv->PortOffset, IMR_MASK_VALUE); + } + + static irqreturn_t vnt_interrupt(int irq, void *arg) + { + struct vnt_private *priv = arg; + +- if (priv->vif) +- schedule_work(&priv->interrupt_work); ++ schedule_work(&priv->interrupt_work); ++ ++ MACvIntDisable(priv->PortOffset); + + return IRQ_HANDLED; + } +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index 5a341b1c65c3..d8e1945cb627 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1166,6 +1166,10 @@ static int atmel_prepare_rx_dma(struct uart_port *port) + sg_dma_len(&atmel_port->sg_rx)/2, + DMA_DEV_TO_MEM, + DMA_PREP_INTERRUPT); ++ if (!desc) { ++ dev_err(port->dev, "Preparing DMA cyclic failed\n"); ++ goto chan_err; ++ } + desc->callback = atmel_complete_rx_dma; + desc->callback_param = port; + atmel_port->desc_rx = desc; +diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c +index f2b0d8cee8ef..0314e78e31ff 100644 +--- a/drivers/tty/serial/kgdboc.c ++++ b/drivers/tty/serial/kgdboc.c +@@ -148,8 +148,10 @@ static int configure_kgdboc(void) + char *cptr = config; + struct console *cons; + +- if (!strlen(config) || isspace(config[0])) ++ if (!strlen(config) || isspace(config[0])) { ++ err = 0; + goto noconfig; ++ } + + kgdboc_io_ops.is_console = 0; + kgdb_tty_driver = NULL; +diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c +index 8a3e92638e10..5331baf3f699 100644 +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -1323,6 +1323,8 @@ static int max310x_spi_probe(struct spi_device *spi) + if (spi->dev.of_node) { + const struct of_device_id *of_id = + of_match_device(max310x_dt_ids, &spi->dev); ++ if (!of_id) ++ return -ENODEV; + + devtype = (struct max310x_devtype *)of_id->data; + } else { +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index 6ff53b604ff6..bcb997935c5e 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -834,19 +834,9 @@ static void sci_transmit_chars(struct uart_port *port) + + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) + uart_write_wakeup(port); +- if (uart_circ_empty(xmit)) { ++ if (uart_circ_empty(xmit)) + sci_stop_tx(port); +- } else { +- ctrl = serial_port_in(port, SCSCR); +- +- if (port->type != PORT_SCI) { +- serial_port_in(port, SCxSR); /* Dummy read */ +- sci_clear_SCxSR(port, SCxSR_TDxE_CLEAR(port)); +- } + +- ctrl |= SCSCR_TIE; +- serial_port_out(port, SCSCR, ctrl); +- } + } + + /* On SH3, SCIF may read end-of-break as a space->mark char */ +diff --git a/drivers/usb/common/common.c b/drivers/usb/common/common.c +index 5ef8da6e67c3..64c76403a542 100644 +--- a/drivers/usb/common/common.c ++++ b/drivers/usb/common/common.c +@@ -148,6 +148,8 @@ enum usb_dr_mode of_usb_get_dr_mode_by_phy(struct device_node *np, int arg0) + + do { + controller = of_find_node_with_property(controller, "phys"); ++ if (!of_device_is_available(controller)) ++ continue; + index = 0; + do { + if (arg0 == -1) { +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index c6578b321838..5e6136d2ed71 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -763,21 +763,18 @@ void usb_destroy_configuration(struct usb_device *dev) + return; + + if (dev->rawdescriptors) { +- for (i = 0; i < dev->descriptor.bNumConfigurations && +- i < USB_MAXCONFIG; i++) ++ for (i = 0; i < dev->descriptor.bNumConfigurations; i++) + kfree(dev->rawdescriptors[i]); + + kfree(dev->rawdescriptors); + dev->rawdescriptors = NULL; + } + +- for (c = 0; c < dev->descriptor.bNumConfigurations && +- c < USB_MAXCONFIG; c++) { ++ for (c = 0; c < dev->descriptor.bNumConfigurations; c++) { + struct usb_host_config *cf = &dev->config[c]; + + kfree(cf->string); +- for (i = 0; i < cf->desc.bNumInterfaces && +- i < USB_MAXINTERFACES; i++) { ++ for (i = 0; i < cf->desc.bNumInterfaces; i++) { + if (cf->intf_cache[i]) + kref_put(&cf->intf_cache[i]->ref, + usb_release_interface_cache); +diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c +index 5815120c0402..8e83649f77ce 100644 +--- a/drivers/usb/gadget/function/f_hid.c ++++ b/drivers/usb/gadget/function/f_hid.c +@@ -340,20 +340,20 @@ try_again: + req->complete = f_hidg_req_complete; + req->context = hidg; + ++ spin_unlock_irqrestore(&hidg->write_spinlock, flags); ++ + status = usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC); + if (status < 0) { + ERROR(hidg->func.config->cdev, + "usb_ep_queue error on int endpoint %zd\n", status); +- goto release_write_pending_unlocked; ++ goto release_write_pending; + } else { + status = count; + } +- spin_unlock_irqrestore(&hidg->write_spinlock, flags); + + return status; + release_write_pending: + spin_lock_irqsave(&hidg->write_spinlock, flags); +-release_write_pending_unlocked: + hidg->write_pending = 0; + spin_unlock_irqrestore(&hidg->write_spinlock, flags); + +diff --git a/drivers/usb/host/xhci-rcar.c b/drivers/usb/host/xhci-rcar.c +index 0e4535e632ec..64ee8154f2bb 100644 +--- a/drivers/usb/host/xhci-rcar.c ++++ b/drivers/usb/host/xhci-rcar.c +@@ -192,5 +192,6 @@ int xhci_rcar_init_quirk(struct usb_hcd *hcd) + xhci_rcar_is_gen3(hcd->self.controller)) + xhci->quirks |= XHCI_NO_64BIT_SUPPORT; + ++ xhci->quirks |= XHCI_TRUST_TX_LENGTH; + return xhci_rcar_download_firmware(hcd); + } +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index f4e34a75d413..879d82223068 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1645,10 +1645,13 @@ static void handle_port_status(struct xhci_hcd *xhci, + } + } + +- if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_U0 && +- DEV_SUPERSPEED_ANY(temp)) { ++ if ((temp & PORT_PLC) && ++ DEV_SUPERSPEED_ANY(temp) && ++ ((temp & PORT_PLS_MASK) == XDEV_U0 || ++ (temp & PORT_PLS_MASK) == XDEV_U1 || ++ (temp & PORT_PLS_MASK) == XDEV_U2)) { + xhci_dbg(xhci, "resume SS port %d finished\n", port_id); +- /* We've just brought the device into U0 through either the ++ /* We've just brought the device into U0/1/2 through either the + * Resume state after a device remote wakeup, or through the + * U3Exit state after a host-initiated resume. If it's a device + * initiated remote wake, don't pass up the link state change, +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index e679fec9ce3a..de4771ce0df6 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -311,6 +311,7 @@ struct xhci_op_regs { + */ + #define PORT_PLS_MASK (0xf << 5) + #define XDEV_U0 (0x0 << 5) ++#define XDEV_U1 (0x1 << 5) + #define XDEV_U2 (0x2 << 5) + #define XDEV_U3 (0x3 << 5) + #define XDEV_INACTIVE (0x6 << 5) +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 7bbf2ca73f68..40c58145bf80 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -77,6 +77,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x804E) }, /* Software Bisque Paramount ME build-in converter */ + { USB_DEVICE(0x10C4, 0x8053) }, /* Enfora EDG1228 */ + { USB_DEVICE(0x10C4, 0x8054) }, /* Enfora GSM2228 */ ++ { USB_DEVICE(0x10C4, 0x8056) }, /* Lorenz Messtechnik devices */ + { USB_DEVICE(0x10C4, 0x8066) }, /* Argussoft In-System Programmer */ + { USB_DEVICE(0x10C4, 0x806F) }, /* IMS USB to RS422 Converter Cable */ + { USB_DEVICE(0x10C4, 0x807A) }, /* Crumb128 board */ +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index b88a72220acd..f54931aa7528 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -604,6 +604,8 @@ static const struct usb_device_id id_table_combined[] = { + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) }, +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index ddf5ab983dc9..15d220eaf6e6 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -566,7 +566,9 @@ + /* + * NovaTech product ids (FTDI_VID) + */ +-#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */ ++#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */ ++#define FTDI_NT_ORIONLX_PLUS_PID 0x7c91 /* OrionLX+ Substation Automation Platform */ ++#define FTDI_NT_ORION_IO_PID 0x7c92 /* Orion I/O */ + + /* + * Synapse Wireless product ids (FTDI_VID) +diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c +index 135eb04368f9..ea20322e1416 100644 +--- a/drivers/usb/serial/mos7720.c ++++ b/drivers/usb/serial/mos7720.c +@@ -368,8 +368,6 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport, + if (!urbtrack) + return -ENOMEM; + +- kref_get(&mos_parport->ref_count); +- urbtrack->mos_parport = mos_parport; + urbtrack->urb = usb_alloc_urb(0, GFP_ATOMIC); + if (!urbtrack->urb) { + kfree(urbtrack); +@@ -390,6 +388,8 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport, + usb_sndctrlpipe(usbdev, 0), + (unsigned char *)urbtrack->setup, + NULL, 0, async_complete, urbtrack); ++ kref_get(&mos_parport->ref_count); ++ urbtrack->mos_parport = mos_parport; + kref_init(&urbtrack->ref_count); + INIT_LIST_HEAD(&urbtrack->urblist_entry); + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index b2b7c12e5c86..9f96dd274370 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1066,7 +1066,8 @@ static const struct usb_device_id option_ids[] = { + .driver_info = RSVD(3) }, + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ +- { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000), /* SIMCom SIM5218 */ ++ .driver_info = NCTRL(0) | NCTRL(1) | NCTRL(2) | NCTRL(3) | RSVD(4) }, + /* Quectel products using Qualcomm vendor ID */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)}, + { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20), +@@ -1941,10 +1942,12 @@ static const struct usb_device_id option_ids[] = { + .driver_info = RSVD(4) }, + { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e35, 0xff), /* D-Link DWM-222 */ + .driver_info = RSVD(4) }, +- { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */ +- { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */ +- { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */ +- { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */ ++ { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x2031, 0xff), /* Olicard 600 */ ++ .driver_info = RSVD(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */ + { USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) }, + { USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) }, + { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) }, +diff --git a/drivers/video/fbdev/goldfishfb.c b/drivers/video/fbdev/goldfishfb.c +index 14a93cb21310..66d58e93bc32 100644 +--- a/drivers/video/fbdev/goldfishfb.c ++++ b/drivers/video/fbdev/goldfishfb.c +@@ -234,7 +234,7 @@ static int goldfish_fb_probe(struct platform_device *pdev) + fb->fb.var.activate = FB_ACTIVATE_NOW; + fb->fb.var.height = readl(fb->reg_base + FB_GET_PHYS_HEIGHT); + fb->fb.var.width = readl(fb->reg_base + FB_GET_PHYS_WIDTH); +- fb->fb.var.pixclock = 10000; ++ fb->fb.var.pixclock = 0; + + fb->fb.var.red.offset = 11; + fb->fb.var.red.length = 5; +diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c +index af6a776fa18c..5aa07de5750e 100644 +--- a/fs/btrfs/raid56.c ++++ b/fs/btrfs/raid56.c +@@ -2395,8 +2395,9 @@ static noinline void finish_parity_scrub(struct btrfs_raid_bio *rbio, + bitmap_clear(rbio->dbitmap, pagenr, 1); + kunmap(p); + +- for (stripe = 0; stripe < rbio->real_stripes; stripe++) ++ for (stripe = 0; stripe < nr_data; stripe++) + kunmap(page_in_rbio(rbio, stripe, pagenr, 0)); ++ kunmap(p_page); + } + + __free_page(p_page); +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 47d11a30bee7..a36bb75383dc 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3343,9 +3343,16 @@ static noinline int log_dir_items(struct btrfs_trans_handle *trans, + } + btrfs_release_path(path); + +- /* find the first key from this transaction again */ ++ /* ++ * Find the first key from this transaction again. See the note for ++ * log_new_dir_dentries, if we're logging a directory recursively we ++ * won't be holding its i_mutex, which means we can modify the directory ++ * while we're logging it. If we remove an entry between our first ++ * search and this search we'll not find the key again and can just ++ * bail. ++ */ + ret = btrfs_search_slot(NULL, root, &min_key, path, 0, 0); +- if (WARN_ON(ret != 0)) ++ if (ret != 0) + goto done; + + /* +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index eb55ab6930b5..6d0d94fc243d 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2748,7 +2748,8 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata, + nfs4_schedule_stateid_recovery(server, state); + } + out: +- nfs4_sequence_free_slot(&opendata->o_res.seq_res); ++ if (!opendata->cancelled) ++ nfs4_sequence_free_slot(&opendata->o_res.seq_res); + return ret; + } + +diff --git a/fs/open.c b/fs/open.c +index a6c6244f4993..f1deb36ee1b7 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -717,6 +717,12 @@ static int do_dentry_open(struct file *f, + return 0; + } + ++ /* Any file opened for execve()/uselib() has to be a regular file. */ ++ if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) { ++ error = -EACCES; ++ goto cleanup_file; ++ } ++ + if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) { + error = get_write_access(inode); + if (unlikely(error)) +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index 1999e85840d5..6f30cf8ef7a1 100644 +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1604,7 +1604,8 @@ static void drop_sysctl_table(struct ctl_table_header *header) + if (--header->nreg) + return; + +- put_links(header); ++ if (parent) ++ put_links(header); + start_unregistering(header); + if (!--header->count) + kfree_rcu(header, rcu); +diff --git a/include/net/sctp/checksum.h b/include/net/sctp/checksum.h +index 4a5b9a306c69..803fc26ef0ba 100644 +--- a/include/net/sctp/checksum.h ++++ b/include/net/sctp/checksum.h +@@ -60,7 +60,7 @@ static inline __wsum sctp_csum_combine(__wsum csum, __wsum csum2, + static inline __le32 sctp_compute_cksum(const struct sk_buff *skb, + unsigned int offset) + { +- struct sctphdr *sh = sctp_hdr(skb); ++ struct sctphdr *sh = (struct sctphdr *)(skb->data + offset); + __le32 ret, old = sh->checksum; + const struct skb_checksum_ops ops = { + .update = sctp_csum_update, +diff --git a/include/net/sock.h b/include/net/sock.h +index 15bb04dec40e..116308632fae 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -650,6 +650,12 @@ static inline void sk_add_node_rcu(struct sock *sk, struct hlist_head *list) + hlist_add_head_rcu(&sk->sk_node, list); + } + ++static inline void sk_add_node_tail_rcu(struct sock *sk, struct hlist_head *list) ++{ ++ sock_hold(sk); ++ hlist_add_tail_rcu(&sk->sk_node, list); ++} ++ + static inline void __sk_nulls_add_node_rcu(struct sock *sk, struct hlist_nulls_head *list) + { + hlist_nulls_add_head_rcu(&sk->sk_nulls_node, list); +diff --git a/kernel/cpu.c b/kernel/cpu.c +index b5a0165b7300..bf24e8400903 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -591,6 +591,20 @@ static void undo_cpu_up(unsigned int cpu, struct cpuhp_cpu_state *st) + } + } + ++static inline bool can_rollback_cpu(struct cpuhp_cpu_state *st) ++{ ++ if (IS_ENABLED(CONFIG_HOTPLUG_CPU)) ++ return true; ++ /* ++ * When CPU hotplug is disabled, then taking the CPU down is not ++ * possible because takedown_cpu() and the architecture and ++ * subsystem specific mechanisms are not available. So the CPU ++ * which would be completely unplugged again needs to stay around ++ * in the current state. ++ */ ++ return st->state <= CPUHP_BRINGUP_CPU; ++} ++ + static int cpuhp_up_callbacks(unsigned int cpu, struct cpuhp_cpu_state *st, + enum cpuhp_state target) + { +@@ -601,8 +615,10 @@ static int cpuhp_up_callbacks(unsigned int cpu, struct cpuhp_cpu_state *st, + st->state++; + ret = cpuhp_invoke_callback(cpu, st->state, true, NULL); + if (ret) { +- st->target = prev_state; +- undo_cpu_up(cpu, st); ++ if (can_rollback_cpu(st)) { ++ st->target = prev_state; ++ undo_cpu_up(cpu, st); ++ } + break; + } + } +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 1fc23cb4a3e0..d49aa4e6c916 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -3326,16 +3326,22 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data + + while (len >= L2CAP_CONF_OPT_SIZE) { + len -= l2cap_get_conf_opt(&req, &type, &olen, &val); ++ if (len < 0) ++ break; + + hint = type & L2CAP_CONF_HINT; + type &= L2CAP_CONF_MASK; + + switch (type) { + case L2CAP_CONF_MTU: ++ if (olen != 2) ++ break; + mtu = val; + break; + + case L2CAP_CONF_FLUSH_TO: ++ if (olen != 2) ++ break; + chan->flush_to = val; + break; + +@@ -3343,26 +3349,30 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data + break; + + case L2CAP_CONF_RFC: +- if (olen == sizeof(rfc)) +- memcpy(&rfc, (void *) val, olen); ++ if (olen != sizeof(rfc)) ++ break; ++ memcpy(&rfc, (void *) val, olen); + break; + + case L2CAP_CONF_FCS: ++ if (olen != 1) ++ break; + if (val == L2CAP_FCS_NONE) + set_bit(CONF_RECV_NO_FCS, &chan->conf_state); + break; + + case L2CAP_CONF_EFS: +- if (olen == sizeof(efs)) { +- remote_efs = 1; +- memcpy(&efs, (void *) val, olen); +- } ++ if (olen != sizeof(efs)) ++ break; ++ remote_efs = 1; ++ memcpy(&efs, (void *) val, olen); + break; + + case L2CAP_CONF_EWS: ++ if (olen != 2) ++ break; + if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP)) + return -ECONNREFUSED; +- + set_bit(FLAG_EXT_CTRL, &chan->flags); + set_bit(CONF_EWS_RECV, &chan->conf_state); + chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW; +@@ -3372,7 +3382,6 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data + default: + if (hint) + break; +- + result = L2CAP_CONF_UNKNOWN; + *((u8 *) ptr++) = type; + break; +@@ -3537,58 +3546,65 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, + + while (len >= L2CAP_CONF_OPT_SIZE) { + len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); ++ if (len < 0) ++ break; + + switch (type) { + case L2CAP_CONF_MTU: ++ if (olen != 2) ++ break; + if (val < L2CAP_DEFAULT_MIN_MTU) { + *result = L2CAP_CONF_UNACCEPT; + chan->imtu = L2CAP_DEFAULT_MIN_MTU; + } else + chan->imtu = val; +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr); ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, ++ endptr - ptr); + break; + + case L2CAP_CONF_FLUSH_TO: ++ if (olen != 2) ++ break; + chan->flush_to = val; +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, +- 2, chan->flush_to, endptr - ptr); ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, ++ chan->flush_to, endptr - ptr); + break; + + case L2CAP_CONF_RFC: +- if (olen == sizeof(rfc)) +- memcpy(&rfc, (void *)val, olen); +- ++ if (olen != sizeof(rfc)) ++ break; ++ memcpy(&rfc, (void *)val, olen); + if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && + rfc.mode != chan->mode) + return -ECONNREFUSED; +- + chan->fcs = 0; +- +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, +- sizeof(rfc), (unsigned long) &rfc, endptr - ptr); ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), ++ (unsigned long) &rfc, endptr - ptr); + break; + + case L2CAP_CONF_EWS: ++ if (olen != 2) ++ break; + chan->ack_win = min_t(u16, val, chan->ack_win); + l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, + chan->tx_win, endptr - ptr); + break; + + case L2CAP_CONF_EFS: +- if (olen == sizeof(efs)) { +- memcpy(&efs, (void *)val, olen); +- +- if (chan->local_stype != L2CAP_SERV_NOTRAFIC && +- efs.stype != L2CAP_SERV_NOTRAFIC && +- efs.stype != chan->local_stype) +- return -ECONNREFUSED; +- +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), +- (unsigned long) &efs, endptr - ptr); +- } ++ if (olen != sizeof(efs)) ++ break; ++ memcpy(&efs, (void *)val, olen); ++ if (chan->local_stype != L2CAP_SERV_NOTRAFIC && ++ efs.stype != L2CAP_SERV_NOTRAFIC && ++ efs.stype != chan->local_stype) ++ return -ECONNREFUSED; ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), ++ (unsigned long) &efs, endptr - ptr); + break; + + case L2CAP_CONF_FCS: ++ if (olen != 1) ++ break; + if (*result == L2CAP_CONF_PENDING) + if (val == L2CAP_FCS_NONE) + set_bit(CONF_RECV_NO_FCS, +@@ -3717,13 +3733,18 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) + + while (len >= L2CAP_CONF_OPT_SIZE) { + len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); ++ if (len < 0) ++ break; + + switch (type) { + case L2CAP_CONF_RFC: +- if (olen == sizeof(rfc)) +- memcpy(&rfc, (void *)val, olen); ++ if (olen != sizeof(rfc)) ++ break; ++ memcpy(&rfc, (void *)val, olen); + break; + case L2CAP_CONF_EWS: ++ if (olen != 2) ++ break; + txwin_ext = val; + break; + } +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index 93c706172f40..87c513b5ff2e 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -431,8 +431,8 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, + newnp->ipv6_mc_list = NULL; + newnp->ipv6_ac_list = NULL; + newnp->ipv6_fl_list = NULL; +- newnp->mcast_oif = inet6_iif(skb); +- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; ++ newnp->mcast_oif = inet_iif(skb); ++ newnp->mcast_hops = ip_hdr(skb)->ttl; + + /* + * No need to charge this sock to the relevant IPv6 refcnt debug socks count +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 0a69d39880f2..4953466cf98f 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1056,11 +1056,11 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + newnp->ipv6_fl_list = NULL; + newnp->pktoptions = NULL; + newnp->opt = NULL; +- newnp->mcast_oif = tcp_v6_iif(skb); +- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; +- newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb)); ++ newnp->mcast_oif = inet_iif(skb); ++ newnp->mcast_hops = ip_hdr(skb)->ttl; ++ newnp->rcv_flowinfo = 0; + if (np->repflow) +- newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb)); ++ newnp->flow_label = 0; + + /* + * No need to charge this sock to the relevant IPv6 refcnt debug socks count +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 14df2fcf6138..522d4ca715c9 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3278,7 +3278,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, + } + + mutex_lock(&net->packet.sklist_lock); +- sk_add_node_rcu(sk, &net->packet.sklist); ++ sk_add_node_tail_rcu(sk, &net->packet.sklist); + mutex_unlock(&net->packet.sklist_lock); + + preempt_disable(); +@@ -4229,7 +4229,7 @@ static struct pgv *alloc_pg_vec(struct tpacket_req *req, int order) + struct pgv *pg_vec; + int i; + +- pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL); ++ pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL | __GFP_NOWARN); + if (unlikely(!pg_vec)) + goto out; + +diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c +index 7ca57741b2fb..7849f286bb93 100644 +--- a/net/rose/rose_subr.c ++++ b/net/rose/rose_subr.c +@@ -105,16 +105,17 @@ void rose_write_internal(struct sock *sk, int frametype) + struct sk_buff *skb; + unsigned char *dptr; + unsigned char lci1, lci2; +- char buffer[100]; +- int len, faclen = 0; ++ int maxfaclen = 0; ++ int len, faclen; ++ int reserve; + +- len = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN + 1; ++ reserve = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1; ++ len = ROSE_MIN_LEN; + + switch (frametype) { + case ROSE_CALL_REQUEST: + len += 1 + ROSE_ADDR_LEN + ROSE_ADDR_LEN; +- faclen = rose_create_facilities(buffer, rose); +- len += faclen; ++ maxfaclen = 256; + break; + case ROSE_CALL_ACCEPTED: + case ROSE_CLEAR_REQUEST: +@@ -123,15 +124,16 @@ void rose_write_internal(struct sock *sk, int frametype) + break; + } + +- if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL) ++ skb = alloc_skb(reserve + len + maxfaclen, GFP_ATOMIC); ++ if (!skb) + return; + + /* + * Space for AX.25 header and PID. + */ +- skb_reserve(skb, AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1); ++ skb_reserve(skb, reserve); + +- dptr = skb_put(skb, skb_tailroom(skb)); ++ dptr = skb_put(skb, len); + + lci1 = (rose->lci >> 8) & 0x0F; + lci2 = (rose->lci >> 0) & 0xFF; +@@ -146,7 +148,8 @@ void rose_write_internal(struct sock *sk, int frametype) + dptr += ROSE_ADDR_LEN; + memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN); + dptr += ROSE_ADDR_LEN; +- memcpy(dptr, buffer, faclen); ++ faclen = rose_create_facilities(dptr, rose); ++ skb_put(skb, faclen); + dptr += faclen; + break; + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 549d0a4083b3..09a353c6373a 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -12942,7 +12942,7 @@ static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + len, gfp); + if (!msg) + return; + +@@ -13094,7 +13094,7 @@ void nl80211_send_connect_result(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp); + if (!msg) + return; + +@@ -13136,7 +13136,7 @@ void nl80211_send_roamed(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp); + if (!msg) + return; + +@@ -13173,7 +13173,7 @@ void nl80211_send_disconnected(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ++ msg = nlmsg_new(100 + ie_len, GFP_KERNEL); + if (!msg) + return; + +@@ -13249,7 +13249,7 @@ void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr, + + trace_cfg80211_notify_new_peer_candidate(dev, addr); + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + ie_len, gfp); + if (!msg) + return; + +@@ -13620,7 +13620,7 @@ int nl80211_send_mgmt(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + len, gfp); + if (!msg) + return -ENOMEM; + +@@ -13664,7 +13664,7 @@ void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie, + + trace_cfg80211_mgmt_tx_status(wdev, cookie, ack); + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + len, gfp); + if (!msg) + return; + +@@ -14473,7 +14473,7 @@ void cfg80211_ft_event(struct net_device *netdev, + if (!ft_event->target_ap) + return; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ++ msg = nlmsg_new(100 + ft_event->ric_ies_len, GFP_KERNEL); + if (!msg) + return; + +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c +index cfb8f5896787..824097571467 100644 +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -951,6 +951,28 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream) + oss_frame_size = snd_pcm_format_physical_width(params_format(params)) * + params_channels(params) / 8; + ++ err = snd_pcm_oss_period_size(substream, params, sparams); ++ if (err < 0) ++ goto failure; ++ ++ n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size); ++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL); ++ if (err < 0) ++ goto failure; ++ ++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS, ++ runtime->oss.periods, NULL); ++ if (err < 0) ++ goto failure; ++ ++ snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); ++ ++ err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams); ++ if (err < 0) { ++ pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err); ++ goto failure; ++ } ++ + #ifdef CONFIG_SND_PCM_OSS_PLUGINS + snd_pcm_oss_plugin_clear(substream); + if (!direct) { +@@ -985,27 +1007,6 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream) + } + #endif + +- err = snd_pcm_oss_period_size(substream, params, sparams); +- if (err < 0) +- goto failure; +- +- n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size); +- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL); +- if (err < 0) +- goto failure; +- +- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS, +- runtime->oss.periods, NULL); +- if (err < 0) +- goto failure; +- +- snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); +- +- if ((err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams)) < 0) { +- pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err); +- goto failure; +- } +- + if (runtime->oss.trigger) { + sw_params->start_threshold = 1; + } else { +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 3586ab41dec4..e1138e70dbb3 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -1258,8 +1258,15 @@ static int snd_pcm_pause(struct snd_pcm_substream *substream, int push) + static int snd_pcm_pre_suspend(struct snd_pcm_substream *substream, int state) + { + struct snd_pcm_runtime *runtime = substream->runtime; +- if (runtime->status->state == SNDRV_PCM_STATE_SUSPENDED) ++ switch (runtime->status->state) { ++ case SNDRV_PCM_STATE_SUSPENDED: + return -EBUSY; ++ /* unresumable PCM state; return -EBUSY for skipping suspend */ ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_DISCONNECTED: ++ return -EBUSY; ++ } + runtime->trigger_master = substream; + return 0; + } +diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c +index 59111cadaec2..c8b2309352d7 100644 +--- a/sound/core/rawmidi.c ++++ b/sound/core/rawmidi.c +@@ -29,6 +29,7 @@ + #include <linux/mutex.h> + #include <linux/module.h> + #include <linux/delay.h> ++#include <linux/nospec.h> + #include <sound/rawmidi.h> + #include <sound/info.h> + #include <sound/control.h> +@@ -591,6 +592,7 @@ static int __snd_rawmidi_info_select(struct snd_card *card, + return -ENXIO; + if (info->stream < 0 || info->stream > 1) + return -EINVAL; ++ info->stream = array_index_nospec(info->stream, 2); + pstr = &rmidi->streams[info->stream]; + if (pstr->substream_count == 0) + return -ENOENT; +diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c +index 278ebb993122..c93945917235 100644 +--- a/sound/core/seq/oss/seq_oss_synth.c ++++ b/sound/core/seq/oss/seq_oss_synth.c +@@ -617,13 +617,14 @@ int + snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf) + { + struct seq_oss_synth *rec; ++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev); + +- if (dev < 0 || dev >= dp->max_synthdev) ++ if (!info) + return -ENXIO; + +- if (dp->synths[dev].is_midi) { ++ if (info->is_midi) { + struct midi_info minf; +- snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf); ++ snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf); + inf->synth_type = SYNTH_TYPE_MIDI; + inf->synth_subtype = 0; + inf->nr_voices = 16; +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +index 94764efb0a6a..3c1372655c33 100644 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +@@ -240,19 +240,15 @@ struct intel_pt_decoder *intel_pt_decoder_new(struct intel_pt_params *params) + if (!(decoder->tsc_ctc_ratio_n % decoder->tsc_ctc_ratio_d)) + decoder->tsc_ctc_mult = decoder->tsc_ctc_ratio_n / + decoder->tsc_ctc_ratio_d; +- +- /* +- * Allow for timestamps appearing to backwards because a TSC +- * packet has slipped past a MTC packet, so allow 2 MTC ticks +- * or ... +- */ +- decoder->tsc_slip = multdiv(2 << decoder->mtc_shift, +- decoder->tsc_ctc_ratio_n, +- decoder->tsc_ctc_ratio_d); + } +- /* ... or 0x100 paranoia */ +- if (decoder->tsc_slip < 0x100) +- decoder->tsc_slip = 0x100; ++ ++ /* ++ * A TSC packet can slip past MTC packets so that the timestamp appears ++ * to go backwards. One estimate is that can be up to about 40 CPU ++ * cycles, which is certainly less than 0x1000 TSC ticks, but accept ++ * slippage an order of magnitude more to be on the safe side. ++ */ ++ decoder->tsc_slip = 0x10000; + + intel_pt_log("timestamp: mtc_shift %u\n", decoder->mtc_shift); + intel_pt_log("timestamp: tsc_ctc_ratio_n %u\n", decoder->tsc_ctc_ratio_n); +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 60de4c337f0a..c72586a094ed 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2793,6 +2793,9 @@ static long kvm_device_ioctl(struct file *filp, unsigned int ioctl, + { + struct kvm_device *dev = filp->private_data; + ++ if (dev->kvm->mm != current->mm) ++ return -EIO; ++ + switch (ioctl) { + case KVM_SET_DEVICE_ATTR: + return kvm_device_ioctl_attr(dev, dev->ops->set_attr, arg);
