Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Pagano <mpagano@gentoo.org>2019-01-23 06:30:09 -0500
committerMike Pagano <mpagano@gentoo.org>2019-01-23 06:30:09 -0500
commit45b8c6fc82cd3910d7ebdc1532a9001f27b5ed55 (patch)
treefbc8cc9d618eca96046ffd3d9ce140b572e2767a
parentproj/linux-patches: Linux patch 4.14.94 (diff)
downloadlinux-patches-45b8c6fc.tar.gz
linux-patches-45b8c6fc.tar.bz2
linux-patches-45b8c6fc.zip
proj/linux-patches: Linux patch 4.14.954.14-102
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
Diffstat
-rw-r--r--0000_README4
-rw-r--r--1094_linux-4.14.95.patch2077
2 files changed, 2081 insertions, 0 deletions
diff --git a/0000_README b/0000_README
index 41aba45d..e1a1f755 100644
--- a/0000_README
+++ b/0000_README
@@ -419,6 +419,10 @@ Patch: 1093_4.14.94.patch
From: http://www.kernel.org
Desc: Linux 4.14.94
+Patch: 1094_4.14.95.patch
+From: http://www.kernel.org
+Desc: Linux 4.14.95
+
Patch: 1500_XATTR_USER_PREFIX.patch
From: https://bugs.gentoo.org/show_bug.cgi?id=470644
Desc: Support for namespace user.pax.* on tmpfs.
diff --git a/1094_linux-4.14.95.patch b/1094_linux-4.14.95.patch
new file mode 100644
index 00000000..efaf68a6
--- /dev/null
+++ b/1094_linux-4.14.95.patch
@@ -0,0 +1,2077 @@
+diff --git a/Makefile b/Makefile
+index e9a138dd964a..70cc37cb3e99 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 4
+ PATCHLEVEL = 14
+-SUBLEVEL = 94
++SUBLEVEL = 95
+ EXTRAVERSION =
+ NAME = Petit Gorille
+
+diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h
+index 73cc4309fe01..1d6d980f80ac 100644
+--- a/arch/arm64/include/asm/kvm_arm.h
++++ b/arch/arm64/include/asm/kvm_arm.h
+@@ -23,6 +23,8 @@
+ #include <asm/types.h>
+
+ /* Hyp Configuration Register (HCR) bits */
++#define HCR_API (UL(1) << 41)
++#define HCR_APK (UL(1) << 40)
+ #define HCR_E2H (UL(1) << 34)
+ #define HCR_ID (UL(1) << 33)
+ #define HCR_CD (UL(1) << 32)
+@@ -82,6 +84,7 @@
+ HCR_AMO | HCR_SWIO | HCR_TIDCP | HCR_RW)
+ #define HCR_VIRT_EXCP_MASK (HCR_VSE | HCR_VI | HCR_VF)
+ #define HCR_INT_OVERRIDE (HCR_FMO | HCR_IMO)
++#define HCR_HOST_NVHE_FLAGS (HCR_RW | HCR_API | HCR_APK)
+ #define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H)
+
+ /* TCR_EL2 Registers bits */
+diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
+index 261f3f88364c..ec393275ba04 100644
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -414,10 +414,9 @@ CPU_LE( bic x0, x0, #(1 << 25) ) // Clear the EE bit for EL2
+ #endif
+
+ /* Hyp configuration. */
+- mov x0, #HCR_RW // 64-bit EL1
++ mov_q x0, HCR_HOST_NVHE_FLAGS
+ cbz x2, set_hcr
+- orr x0, x0, #HCR_TGE // Enable Host Extensions
+- orr x0, x0, #HCR_E2H
++ mov_q x0, HCR_HOST_VHE_FLAGS
+ set_hcr:
+ msr hcr_el2, x0
+ isb
+diff --git a/arch/arm64/kernel/kaslr.c b/arch/arm64/kernel/kaslr.c
+index 47080c49cc7e..2bda224e8e71 100644
+--- a/arch/arm64/kernel/kaslr.c
++++ b/arch/arm64/kernel/kaslr.c
+@@ -14,6 +14,7 @@
+ #include <linux/sched.h>
+ #include <linux/types.h>
+
++#include <asm/cacheflush.h>
+ #include <asm/fixmap.h>
+ #include <asm/kernel-pgtable.h>
+ #include <asm/memory.h>
+@@ -43,7 +44,7 @@ static __init u64 get_kaslr_seed(void *fdt)
+ return ret;
+ }
+
+-static __init const u8 *get_cmdline(void *fdt)
++static __init const u8 *kaslr_get_cmdline(void *fdt)
+ {
+ static __initconst const u8 default_cmdline[] = CONFIG_CMDLINE;
+
+@@ -109,7 +110,7 @@ u64 __init kaslr_early_init(u64 dt_phys)
+ * Check if 'nokaslr' appears on the command line, and
+ * return 0 if that is the case.
+ */
+- cmdline = get_cmdline(fdt);
++ cmdline = kaslr_get_cmdline(fdt);
+ str = strstr(cmdline, "nokaslr");
+ if (str == cmdline || (str > cmdline && *(str - 1) == ' '))
+ return 0;
+@@ -180,5 +181,8 @@ u64 __init kaslr_early_init(u64 dt_phys)
+ module_alloc_base += (module_range * (seed & ((1 << 21) - 1))) >> 21;
+ module_alloc_base &= PAGE_MASK;
+
++ __flush_dcache_area(&module_alloc_base, sizeof(module_alloc_base));
++ __flush_dcache_area(&memstart_offset_seed, sizeof(memstart_offset_seed));
++
+ return offset;
+ }
+diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c
+index b2f1992c6234..44845996b554 100644
+--- a/arch/arm64/kvm/hyp/switch.c
++++ b/arch/arm64/kvm/hyp/switch.c
+@@ -127,7 +127,7 @@ static void __hyp_text __deactivate_traps_nvhe(void)
+ mdcr_el2 |= MDCR_EL2_E2PB_MASK << MDCR_EL2_E2PB_SHIFT;
+
+ write_sysreg(mdcr_el2, mdcr_el2);
+- write_sysreg(HCR_RW, hcr_el2);
++ write_sysreg(HCR_HOST_NVHE_FLAGS, hcr_el2);
+ write_sysreg(CPTR_EL2_DEFAULT, cptr_el2);
+ }
+
+diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
+index 23e3d3e0ee5b..ae4450e891ab 100644
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -3153,6 +3153,7 @@ config MIPS32_O32
+ config MIPS32_N32
+ bool "Kernel support for n32 binaries"
+ depends on 64BIT
++ select ARCH_WANT_COMPAT_IPC_PARSE_VERSION
+ select COMPAT
+ select MIPS32_COMPAT
+ select SYSVIPC_COMPAT if SYSVIPC
+diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c
+index f0bc3312ed11..c4ef1c31e0c4 100644
+--- a/arch/mips/lantiq/irq.c
++++ b/arch/mips/lantiq/irq.c
+@@ -224,9 +224,11 @@ static struct irq_chip ltq_eiu_type = {
+ .irq_set_type = ltq_eiu_settype,
+ };
+
+-static void ltq_hw_irqdispatch(int module)
++static void ltq_hw_irq_handler(struct irq_desc *desc)
+ {
++ int module = irq_desc_get_irq(desc) - 2;
+ u32 irq;
++ int hwirq;
+
+ irq = ltq_icu_r32(module, LTQ_ICU_IM0_IOSR);
+ if (irq == 0)
+@@ -237,7 +239,8 @@ static void ltq_hw_irqdispatch(int module)
+ * other bits might be bogus
+ */
+ irq = __fls(irq);
+- do_IRQ((int)irq + MIPS_CPU_IRQ_CASCADE + (INT_NUM_IM_OFFSET * module));
++ hwirq = irq + MIPS_CPU_IRQ_CASCADE + (INT_NUM_IM_OFFSET * module);
++ generic_handle_irq(irq_linear_revmap(ltq_domain, hwirq));
+
+ /* if this is a EBU irq, we need to ack it or get a deadlock */
+ if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT)
+@@ -245,49 +248,6 @@ static void ltq_hw_irqdispatch(int module)
+ LTQ_EBU_PCC_ISTAT);
+ }
+
+-#define DEFINE_HWx_IRQDISPATCH(x) \
+- static void ltq_hw ## x ## _irqdispatch(void) \
+- { \
+- ltq_hw_irqdispatch(x); \
+- }
+-DEFINE_HWx_IRQDISPATCH(0)
+-DEFINE_HWx_IRQDISPATCH(1)
+-DEFINE_HWx_IRQDISPATCH(2)
+-DEFINE_HWx_IRQDISPATCH(3)
+-DEFINE_HWx_IRQDISPATCH(4)
+-
+-#if MIPS_CPU_TIMER_IRQ == 7
+-static void ltq_hw5_irqdispatch(void)
+-{
+- do_IRQ(MIPS_CPU_TIMER_IRQ);
+-}
+-#else
+-DEFINE_HWx_IRQDISPATCH(5)
+-#endif
+-
+-static void ltq_hw_irq_handler(struct irq_desc *desc)
+-{
+- ltq_hw_irqdispatch(irq_desc_get_irq(desc) - 2);
+-}
+-
+-asmlinkage void plat_irq_dispatch(void)
+-{
+- unsigned int pending = read_c0_status() & read_c0_cause() & ST0_IM;
+- int irq;
+-
+- if (!pending) {
+- spurious_interrupt();
+- return;
+- }
+-
+- pending >>= CAUSEB_IP;
+- while (pending) {
+- irq = fls(pending) - 1;
+- do_IRQ(MIPS_CPU_IRQ_BASE + irq);
+- pending &= ~BIT(irq);
+- }
+-}
+-
+ static int icu_map(struct irq_domain *d, unsigned int irq, irq_hw_number_t hw)
+ {
+ struct irq_chip *chip = &ltq_irq_type;
+@@ -343,28 +303,10 @@ int __init icu_of_init(struct device_node *node, struct device_node *parent)
+ for (i = 0; i < MAX_IM; i++)
+ irq_set_chained_handler(i + 2, ltq_hw_irq_handler);
+
+- if (cpu_has_vint) {
+- pr_info("Setting up vectored interrupts\n");
+- set_vi_handler(2, ltq_hw0_irqdispatch);
+- set_vi_handler(3, ltq_hw1_irqdispatch);
+- set_vi_handler(4, ltq_hw2_irqdispatch);
+- set_vi_handler(5, ltq_hw3_irqdispatch);
+- set_vi_handler(6, ltq_hw4_irqdispatch);
+- set_vi_handler(7, ltq_hw5_irqdispatch);
+- }
+-
+ ltq_domain = irq_domain_add_linear(node,
+ (MAX_IM * INT_NUM_IM_OFFSET) + MIPS_CPU_IRQ_CASCADE,
+ &irq_domain_ops, 0);
+
+-#ifndef CONFIG_MIPS_MT_SMP
+- set_c0_status(IE_IRQ0 | IE_IRQ1 | IE_IRQ2 |
+- IE_IRQ3 | IE_IRQ4 | IE_IRQ5);
+-#else
+- set_c0_status(IE_SW0 | IE_SW1 | IE_IRQ0 | IE_IRQ1 |
+- IE_IRQ2 | IE_IRQ3 | IE_IRQ4 | IE_IRQ5);
+-#endif
+-
+ /* tell oprofile which irq to use */
+ ltq_perfcount_irq = irq_create_mapping(ltq_domain, LTQ_PERF_IRQ);
+
+diff --git a/arch/mips/pci/msi-octeon.c b/arch/mips/pci/msi-octeon.c
+index 2a5bb849b10e..288b58b00dc8 100644
+--- a/arch/mips/pci/msi-octeon.c
++++ b/arch/mips/pci/msi-octeon.c
+@@ -369,7 +369,9 @@ int __init octeon_msi_initialize(void)
+ int irq;
+ struct irq_chip *msi;
+
+- if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) {
++ if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_INVALID) {
++ return 0;
++ } else if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) {
+ msi_rcv_reg[0] = CVMX_PEXP_NPEI_MSI_RCV0;
+ msi_rcv_reg[1] = CVMX_PEXP_NPEI_MSI_RCV1;
+ msi_rcv_reg[2] = CVMX_PEXP_NPEI_MSI_RCV2;
+diff --git a/crypto/authenc.c b/crypto/authenc.c
+index 0db344d5a01a..053287dfad65 100644
+--- a/crypto/authenc.c
++++ b/crypto/authenc.c
+@@ -58,14 +58,22 @@ int crypto_authenc_extractkeys(struct crypto_authenc_keys *keys, const u8 *key,
+ return -EINVAL;
+ if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
+ return -EINVAL;
+- if (RTA_PAYLOAD(rta) < sizeof(*param))
++
++ /*
++ * RTA_OK() didn't align the rtattr's payload when validating that it
++ * fits in the buffer. Yet, the keys should start on the next 4-byte
++ * aligned boundary. To avoid confusion, require that the rtattr
++ * payload be exactly the param struct, which has a 4-byte aligned size.
++ */
++ if (RTA_PAYLOAD(rta) != sizeof(*param))
+ return -EINVAL;
++ BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);
+
+ param = RTA_DATA(rta);
+ keys->enckeylen = be32_to_cpu(param->enckeylen);
+
+- key += RTA_ALIGN(rta->rta_len);
+- keylen -= RTA_ALIGN(rta->rta_len);
++ key += rta->rta_len;
++ keylen -= rta->rta_len;
+
+ if (keylen < keys->enckeylen)
+ return -EINVAL;
+diff --git a/crypto/authencesn.c b/crypto/authencesn.c
+index 6de852ce4cf8..4ba4470deee1 100644
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -279,7 +279,7 @@ static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq,
+ struct aead_request *req = areq->data;
+
+ err = err ?: crypto_authenc_esn_decrypt_tail(req, 0);
+- aead_request_complete(req, err);
++ authenc_esn_request_complete(req, err);
+ }
+
+ static int crypto_authenc_esn_decrypt(struct aead_request *req)
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 6d61633a7f89..7910dd8b1d3a 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -81,7 +81,7 @@
+ #include <linux/uaccess.h>
+
+ static DEFINE_IDR(loop_index_idr);
+-static DEFINE_MUTEX(loop_index_mutex);
++static DEFINE_MUTEX(loop_ctl_mutex);
+
+ static int max_part;
+ static int part_shift;
+@@ -1018,7 +1018,7 @@ static int loop_clr_fd(struct loop_device *lo)
+ */
+ if (atomic_read(&lo->lo_refcnt) > 1) {
+ lo->lo_flags |= LO_FLAGS_AUTOCLEAR;
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ return 0;
+ }
+
+@@ -1070,12 +1070,12 @@ static int loop_clr_fd(struct loop_device *lo)
+ if (!part_shift)
+ lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN;
+ loop_unprepare_queue(lo);
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ /*
+- * Need not hold lo_ctl_mutex to fput backing file.
+- * Calling fput holding lo_ctl_mutex triggers a circular
++ * Need not hold loop_ctl_mutex to fput backing file.
++ * Calling fput holding loop_ctl_mutex triggers a circular
+ * lock dependency possibility warning as fput can take
+- * bd_mutex which is usually taken before lo_ctl_mutex.
++ * bd_mutex which is usually taken before loop_ctl_mutex.
+ */
+ fput(filp);
+ return 0;
+@@ -1097,6 +1097,12 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
+ if ((unsigned int) info->lo_encrypt_key_size > LO_KEY_SIZE)
+ return -EINVAL;
+
++ if (lo->lo_offset != info->lo_offset ||
++ lo->lo_sizelimit != info->lo_sizelimit) {
++ sync_blockdev(lo->lo_device);
++ kill_bdev(lo->lo_device);
++ }
++
+ /* I/O need to be drained during transfer transition */
+ blk_mq_freeze_queue(lo->lo_queue);
+
+@@ -1125,6 +1131,14 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
+
+ if (lo->lo_offset != info->lo_offset ||
+ lo->lo_sizelimit != info->lo_sizelimit) {
++ /* kill_bdev should have truncated all the pages */
++ if (lo->lo_device->bd_inode->i_mapping->nrpages) {
++ err = -EAGAIN;
++ pr_warn("%s: loop%d (%s) has still dirty pages (nrpages=%lu)\n",
++ __func__, lo->lo_number, lo->lo_file_name,
++ lo->lo_device->bd_inode->i_mapping->nrpages);
++ goto exit;
++ }
+ if (figure_loop_size(lo, info->lo_offset, info->lo_sizelimit)) {
+ err = -EFBIG;
+ goto exit;
+@@ -1175,12 +1189,12 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
+ static int
+ loop_get_status(struct loop_device *lo, struct loop_info64 *info)
+ {
+- struct file *file;
++ struct path path;
+ struct kstat stat;
+ int ret;
+
+ if (lo->lo_state != Lo_bound) {
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ return -ENXIO;
+ }
+
+@@ -1199,17 +1213,17 @@ loop_get_status(struct loop_device *lo, struct loop_info64 *info)
+ lo->lo_encrypt_key_size);
+ }
+
+- /* Drop lo_ctl_mutex while we call into the filesystem. */
+- file = get_file(lo->lo_backing_file);
+- mutex_unlock(&lo->lo_ctl_mutex);
+- ret = vfs_getattr(&file->f_path, &stat, STATX_INO,
+- AT_STATX_SYNC_AS_STAT);
++ /* Drop loop_ctl_mutex while we call into the filesystem. */
++ path = lo->lo_backing_file->f_path;
++ path_get(&path);
++ mutex_unlock(&loop_ctl_mutex);
++ ret = vfs_getattr(&path, &stat, STATX_INO, AT_STATX_SYNC_AS_STAT);
+ if (!ret) {
+ info->lo_device = huge_encode_dev(stat.dev);
+ info->lo_inode = stat.ino;
+ info->lo_rdevice = huge_encode_dev(stat.rdev);
+ }
+- fput(file);
++ path_put(&path);
+ return ret;
+ }
+
+@@ -1294,7 +1308,7 @@ loop_get_status_old(struct loop_device *lo, struct loop_info __user *arg) {
+ int err;
+
+ if (!arg) {
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ return -EINVAL;
+ }
+ err = loop_get_status(lo, &info64);
+@@ -1312,7 +1326,7 @@ loop_get_status64(struct loop_device *lo, struct loop_info64 __user *arg) {
+ int err;
+
+ if (!arg) {
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ return -EINVAL;
+ }
+ err = loop_get_status(lo, &info64);
+@@ -1346,22 +1360,39 @@ static int loop_set_dio(struct loop_device *lo, unsigned long arg)
+
+ static int loop_set_block_size(struct loop_device *lo, unsigned long arg)
+ {
++ int err = 0;
++
+ if (lo->lo_state != Lo_bound)
+ return -ENXIO;
+
+ if (arg < 512 || arg > PAGE_SIZE || !is_power_of_2(arg))
+ return -EINVAL;
+
++ if (lo->lo_queue->limits.logical_block_size != arg) {
++ sync_blockdev(lo->lo_device);
++ kill_bdev(lo->lo_device);
++ }
++
+ blk_mq_freeze_queue(lo->lo_queue);
+
++ /* kill_bdev should have truncated all the pages */
++ if (lo->lo_queue->limits.logical_block_size != arg &&
++ lo->lo_device->bd_inode->i_mapping->nrpages) {
++ err = -EAGAIN;
++ pr_warn("%s: loop%d (%s) has still dirty pages (nrpages=%lu)\n",
++ __func__, lo->lo_number, lo->lo_file_name,
++ lo->lo_device->bd_inode->i_mapping->nrpages);
++ goto out_unfreeze;
++ }
++
+ blk_queue_logical_block_size(lo->lo_queue, arg);
+ blk_queue_physical_block_size(lo->lo_queue, arg);
+ blk_queue_io_min(lo->lo_queue, arg);
+ loop_update_dio(lo);
+-
++out_unfreeze:
+ blk_mq_unfreeze_queue(lo->lo_queue);
+
+- return 0;
++ return err;
+ }
+
+ static int lo_ioctl(struct block_device *bdev, fmode_t mode,
+@@ -1370,7 +1401,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode,
+ struct loop_device *lo = bdev->bd_disk->private_data;
+ int err;
+
+- mutex_lock_nested(&lo->lo_ctl_mutex, 1);
++ mutex_lock_nested(&loop_ctl_mutex, 1);
+ switch (cmd) {
+ case LOOP_SET_FD:
+ err = loop_set_fd(lo, mode, bdev, arg);
+@@ -1379,7 +1410,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode,
+ err = loop_change_fd(lo, bdev, arg);
+ break;
+ case LOOP_CLR_FD:
+- /* loop_clr_fd would have unlocked lo_ctl_mutex on success */
++ /* loop_clr_fd would have unlocked loop_ctl_mutex on success */
+ err = loop_clr_fd(lo);
+ if (!err)
+ goto out_unlocked;
+@@ -1392,7 +1423,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode,
+ break;
+ case LOOP_GET_STATUS:
+ err = loop_get_status_old(lo, (struct loop_info __user *) arg);
+- /* loop_get_status() unlocks lo_ctl_mutex */
++ /* loop_get_status() unlocks loop_ctl_mutex */
+ goto out_unlocked;
+ case LOOP_SET_STATUS64:
+ err = -EPERM;
+@@ -1402,7 +1433,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode,
+ break;
+ case LOOP_GET_STATUS64:
+ err = loop_get_status64(lo, (struct loop_info64 __user *) arg);
+- /* loop_get_status() unlocks lo_ctl_mutex */
++ /* loop_get_status() unlocks loop_ctl_mutex */
+ goto out_unlocked;
+ case LOOP_SET_CAPACITY:
+ err = -EPERM;
+@@ -1422,7 +1453,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode,
+ default:
+ err = lo->ioctl ? lo->ioctl(lo, cmd, arg) : -EINVAL;
+ }
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+
+ out_unlocked:
+ return err;
+@@ -1539,7 +1570,7 @@ loop_get_status_compat(struct loop_device *lo,
+ int err;
+
+ if (!arg) {
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ return -EINVAL;
+ }
+ err = loop_get_status(lo, &info64);
+@@ -1556,16 +1587,16 @@ static int lo_compat_ioctl(struct block_device *bdev, fmode_t mode,
+
+ switch(cmd) {
+ case LOOP_SET_STATUS:
+- mutex_lock(&lo->lo_ctl_mutex);
++ mutex_lock(&loop_ctl_mutex);
+ err = loop_set_status_compat(
+ lo, (const struct compat_loop_info __user *) arg);
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ break;
+ case LOOP_GET_STATUS:
+- mutex_lock(&lo->lo_ctl_mutex);
++ mutex_lock(&loop_ctl_mutex);
+ err = loop_get_status_compat(
+ lo, (struct compat_loop_info __user *) arg);
+- /* loop_get_status() unlocks lo_ctl_mutex */
++ /* loop_get_status() unlocks loop_ctl_mutex */
+ break;
+ case LOOP_SET_CAPACITY:
+ case LOOP_CLR_FD:
+@@ -1587,9 +1618,11 @@ static int lo_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ static int lo_open(struct block_device *bdev, fmode_t mode)
+ {
+ struct loop_device *lo;
+- int err = 0;
++ int err;
+
+- mutex_lock(&loop_index_mutex);
++ err = mutex_lock_killable(&loop_ctl_mutex);
++ if (err)
++ return err;
+ lo = bdev->bd_disk->private_data;
+ if (!lo) {
+ err = -ENXIO;
+@@ -1598,18 +1631,20 @@ static int lo_open(struct block_device *bdev, fmode_t mode)
+
+ atomic_inc(&lo->lo_refcnt);
+ out:
+- mutex_unlock(&loop_index_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ return err;
+ }
+
+-static void __lo_release(struct loop_device *lo)
++static void lo_release(struct gendisk *disk, fmode_t mode)
+ {
++ struct loop_device *lo;
+ int err;
+
++ mutex_lock(&loop_ctl_mutex);
++ lo = disk->private_data;
+ if (atomic_dec_return(&lo->lo_refcnt))
+- return;
++ goto out_unlock;
+
+- mutex_lock(&lo->lo_ctl_mutex);
+ if (lo->lo_flags & LO_FLAGS_AUTOCLEAR) {
+ /*
+ * In autoclear mode, stop the loop thread
+@@ -1627,14 +1662,8 @@ static void __lo_release(struct loop_device *lo)
+ blk_mq_unfreeze_queue(lo->lo_queue);
+ }
+
+- mutex_unlock(&lo->lo_ctl_mutex);
+-}
+-
+-static void lo_release(struct gendisk *disk, fmode_t mode)
+-{
+- mutex_lock(&loop_index_mutex);
+- __lo_release(disk->private_data);
+- mutex_unlock(&loop_index_mutex);
++out_unlock:
++ mutex_unlock(&loop_ctl_mutex);
+ }
+
+ static const struct block_device_operations lo_fops = {
+@@ -1673,10 +1702,10 @@ static int unregister_transfer_cb(int id, void *ptr, void *data)
+ struct loop_device *lo = ptr;
+ struct loop_func_table *xfer = data;
+
+- mutex_lock(&lo->lo_ctl_mutex);
++ mutex_lock(&loop_ctl_mutex);
+ if (lo->lo_encryption == xfer)
+ loop_release_xfer(lo);
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ return 0;
+ }
+
+@@ -1849,7 +1878,6 @@ static int loop_add(struct loop_device **l, int i)
+ if (!part_shift)
+ disk->flags |= GENHD_FL_NO_PART_SCAN;
+ disk->flags |= GENHD_FL_EXT_DEVT;
+- mutex_init(&lo->lo_ctl_mutex);
+ atomic_set(&lo->lo_refcnt, 0);
+ lo->lo_number = i;
+ spin_lock_init(&lo->lo_lock);
+@@ -1928,7 +1956,7 @@ static struct kobject *loop_probe(dev_t dev, int *part, void *data)
+ struct kobject *kobj;
+ int err;
+
+- mutex_lock(&loop_index_mutex);
++ mutex_lock(&loop_ctl_mutex);
+ err = loop_lookup(&lo, MINOR(dev) >> part_shift);
+ if (err < 0)
+ err = loop_add(&lo, MINOR(dev) >> part_shift);
+@@ -1936,7 +1964,7 @@ static struct kobject *loop_probe(dev_t dev, int *part, void *data)
+ kobj = NULL;
+ else
+ kobj = get_disk(lo->lo_disk);
+- mutex_unlock(&loop_index_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+
+ *part = 0;
+ return kobj;
+@@ -1946,9 +1974,13 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd,
+ unsigned long parm)
+ {
+ struct loop_device *lo;
+- int ret = -ENOSYS;
++ int ret;
++
++ ret = mutex_lock_killable(&loop_ctl_mutex);
++ if (ret)
++ return ret;
+
+- mutex_lock(&loop_index_mutex);
++ ret = -ENOSYS;
+ switch (cmd) {
+ case LOOP_CTL_ADD:
+ ret = loop_lookup(&lo, parm);
+@@ -1962,19 +1994,15 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd,
+ ret = loop_lookup(&lo, parm);
+ if (ret < 0)
+ break;
+- mutex_lock(&lo->lo_ctl_mutex);
+ if (lo->lo_state != Lo_unbound) {
+ ret = -EBUSY;
+- mutex_unlock(&lo->lo_ctl_mutex);
+ break;
+ }
+ if (atomic_read(&lo->lo_refcnt) > 0) {
+ ret = -EBUSY;
+- mutex_unlock(&lo->lo_ctl_mutex);
+ break;
+ }
+ lo->lo_disk->private_data = NULL;
+- mutex_unlock(&lo->lo_ctl_mutex);
+ idr_remove(&loop_index_idr, lo->lo_number);
+ loop_remove(lo);
+ break;
+@@ -1984,7 +2012,7 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd,
+ break;
+ ret = loop_add(&lo, -1);
+ }
+- mutex_unlock(&loop_index_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+
+ return ret;
+ }
+@@ -2068,10 +2096,10 @@ static int __init loop_init(void)
+ THIS_MODULE, loop_probe, NULL, NULL);
+
+ /* pre-create number of devices given by config or max_loop */
+- mutex_lock(&loop_index_mutex);
++ mutex_lock(&loop_ctl_mutex);
+ for (i = 0; i < nr; i++)
+ loop_add(&lo, i);
+- mutex_unlock(&loop_index_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+
+ printk(KERN_INFO "loop: module loaded\n");
+ return 0;
+diff --git a/drivers/block/loop.h b/drivers/block/loop.h
+index dfc54ceba410..b2251752452b 100644
+--- a/drivers/block/loop.h
++++ b/drivers/block/loop.h
+@@ -54,7 +54,6 @@ struct loop_device {
+
+ spinlock_t lo_lock;
+ int lo_state;
+- struct mutex lo_ctl_mutex;
+ struct kthread_worker worker;
+ struct task_struct *worker_task;
+ bool use_dio;
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index fe1414df0f33..d32cd943dff2 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -275,9 +275,10 @@ static void nbd_size_update(struct nbd_device *nbd)
+ blk_queue_physical_block_size(nbd->disk->queue, config->blksize);
+ set_capacity(nbd->disk, config->bytesize >> 9);
+ if (bdev) {
+- if (bdev->bd_disk)
++ if (bdev->bd_disk) {
+ bd_set_size(bdev, config->bytesize);
+- else
++ set_blocksize(bdev, config->blksize);
++ } else
+ bdev->bd_invalidated = 1;
+ bdput(bdev);
+ }
+diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
+index 143f8bc403b9..342bc777841c 100644
+--- a/drivers/crypto/Kconfig
++++ b/drivers/crypto/Kconfig
+@@ -679,6 +679,7 @@ config CRYPTO_DEV_BCM_SPU
+ depends on ARCH_BCM_IPROC
+ depends on MAILBOX
+ default m
++ select CRYPTO_AUTHENC
+ select CRYPTO_DES
+ select CRYPTO_MD5
+ select CRYPTO_SHA1
+diff --git a/drivers/crypto/bcm/cipher.c b/drivers/crypto/bcm/cipher.c
+index ee52c355bee0..b6be383a51a6 100644
+--- a/drivers/crypto/bcm/cipher.c
++++ b/drivers/crypto/bcm/cipher.c
+@@ -2846,44 +2846,28 @@ static int aead_authenc_setkey(struct crypto_aead *cipher,
+ struct spu_hw *spu = &iproc_priv.spu;
+ struct iproc_ctx_s *ctx = crypto_aead_ctx(cipher);
+ struct crypto_tfm *tfm = crypto_aead_tfm(cipher);
+- struct rtattr *rta = (void *)key;
+- struct crypto_authenc_key_param *param;
+- const u8 *origkey = key;
+- const unsigned int origkeylen = keylen;
+-
+- int ret = 0;
++ struct crypto_authenc_keys keys;
++ int ret;
+
+ flow_log("%s() aead:%p key:%p keylen:%u\n", __func__, cipher, key,
+ keylen);
+ flow_dump(" key: ", key, keylen);
+
+- if (!RTA_OK(rta, keylen))
+- goto badkey;
+- if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
+- goto badkey;
+- if (RTA_PAYLOAD(rta) < sizeof(*param))
++ ret = crypto_authenc_extractkeys(&keys, key, keylen);
++ if (ret)
+ goto badkey;
+
+- param = RTA_DATA(rta);
+- ctx->enckeylen = be32_to_cpu(param->enckeylen);
+-
+- key += RTA_ALIGN(rta->rta_len);
+- keylen -= RTA_ALIGN(rta->rta_len);
+-
+- if (keylen < ctx->enckeylen)
+- goto badkey;
+- if (ctx->enckeylen > MAX_KEY_SIZE)
++ if (keys.enckeylen > MAX_KEY_SIZE ||
++ keys.authkeylen > MAX_KEY_SIZE)
+ goto badkey;
+
+- ctx->authkeylen = keylen - ctx->enckeylen;
+-
+- if (ctx->authkeylen > MAX_KEY_SIZE)
+- goto badkey;
++ ctx->enckeylen = keys.enckeylen;
++ ctx->authkeylen = keys.authkeylen;
+
+- memcpy(ctx->enckey, key + ctx->authkeylen, ctx->enckeylen);
++ memcpy(ctx->enckey, keys.enckey, keys.enckeylen);
+ /* May end up padding auth key. So make sure it's zeroed. */
+ memset(ctx->authkey, 0, sizeof(ctx->authkey));
+- memcpy(ctx->authkey, key, ctx->authkeylen);
++ memcpy(ctx->authkey, keys.authkey, keys.authkeylen);
+
+ switch (ctx->alg->cipher_info.alg) {
+ case CIPHER_ALG_DES:
+@@ -2891,7 +2875,7 @@ static int aead_authenc_setkey(struct crypto_aead *cipher,
+ u32 tmp[DES_EXPKEY_WORDS];
+ u32 flags = CRYPTO_TFM_RES_WEAK_KEY;
+
+- if (des_ekey(tmp, key) == 0) {
++ if (des_ekey(tmp, keys.enckey) == 0) {
+ if (crypto_aead_get_flags(cipher) &
+ CRYPTO_TFM_REQ_WEAK_KEY) {
+ crypto_aead_set_flags(cipher, flags);
+@@ -2906,7 +2890,7 @@ static int aead_authenc_setkey(struct crypto_aead *cipher,
+ break;
+ case CIPHER_ALG_3DES:
+ if (ctx->enckeylen == (DES_KEY_SIZE * 3)) {
+- const u32 *K = (const u32 *)key;
++ const u32 *K = (const u32 *)keys.enckey;
+ u32 flags = CRYPTO_TFM_RES_BAD_KEY_SCHED;
+
+ if (!((K[0] ^ K[2]) | (K[1] ^ K[3])) ||
+@@ -2957,9 +2941,7 @@ static int aead_authenc_setkey(struct crypto_aead *cipher,
+ ctx->fallback_cipher->base.crt_flags &= ~CRYPTO_TFM_REQ_MASK;
+ ctx->fallback_cipher->base.crt_flags |=
+ tfm->crt_flags & CRYPTO_TFM_REQ_MASK;
+- ret =
+- crypto_aead_setkey(ctx->fallback_cipher, origkey,
+- origkeylen);
++ ret = crypto_aead_setkey(ctx->fallback_cipher, key, keylen);
+ if (ret) {
+ flow_log(" fallback setkey() returned:%d\n", ret);
+ tfm->crt_flags &= ~CRYPTO_TFM_RES_MASK;
+diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
+index 698580b60b2f..8fa35bc75870 100644
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -1109,13 +1109,16 @@ static int ahash_final_no_ctx(struct ahash_request *req)
+
+ desc = edesc->hw_desc;
+
+- state->buf_dma = dma_map_single(jrdev, buf, buflen, DMA_TO_DEVICE);
+- if (dma_mapping_error(jrdev, state->buf_dma)) {
+- dev_err(jrdev, "unable to map src\n");
+- goto unmap;
+- }
++ if (buflen) {
++ state->buf_dma = dma_map_single(jrdev, buf, buflen,
++ DMA_TO_DEVICE);
++ if (dma_mapping_error(jrdev, state->buf_dma)) {
++ dev_err(jrdev, "unable to map src\n");
++ goto unmap;
++ }
+
+- append_seq_in_ptr(desc, state->buf_dma, buflen, 0);
++ append_seq_in_ptr(desc, state->buf_dma, buflen, 0);
++ }
+
+ edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result,
+ digestsize);
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 57e1b203cf36..4388f4e3840c 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1347,23 +1347,18 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev,
+ struct talitos_private *priv = dev_get_drvdata(dev);
+ bool is_sec1 = has_ftr_sec1(priv);
+ int max_len = is_sec1 ? TALITOS1_MAX_DATA_LEN : TALITOS2_MAX_DATA_LEN;
+- void *err;
+
+ if (cryptlen + authsize > max_len) {
+ dev_err(dev, "length exceeds h/w max limit\n");
+ return ERR_PTR(-EINVAL);
+ }
+
+- if (ivsize)
+- iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE);
+-
+ if (!dst || dst == src) {
+ src_len = assoclen + cryptlen + authsize;
+ src_nents = sg_nents_for_len(src, src_len);
+ if (src_nents < 0) {
+ dev_err(dev, "Invalid number of src SG.\n");
+- err = ERR_PTR(-EINVAL);
+- goto error_sg;
++ return ERR_PTR(-EINVAL);
+ }
+ src_nents = (src_nents == 1) ? 0 : src_nents;
+ dst_nents = dst ? src_nents : 0;
+@@ -1373,16 +1368,14 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev,
+ src_nents = sg_nents_for_len(src, src_len);
+ if (src_nents < 0) {
+ dev_err(dev, "Invalid number of src SG.\n");
+- err = ERR_PTR(-EINVAL);
+- goto error_sg;
++ return ERR_PTR(-EINVAL);
+ }
+ src_nents = (src_nents == 1) ? 0 : src_nents;
+ dst_len = assoclen + cryptlen + (encrypt ? authsize : 0);
+ dst_nents = sg_nents_for_len(dst, dst_len);
+ if (dst_nents < 0) {
+ dev_err(dev, "Invalid number of dst SG.\n");
+- err = ERR_PTR(-EINVAL);
+- goto error_sg;
++ return ERR_PTR(-EINVAL);
+ }
+ dst_nents = (dst_nents == 1) ? 0 : dst_nents;
+ }
+@@ -1405,12 +1398,14 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev,
+ dma_len = 0;
+ alloc_len += icv_stashing ? authsize : 0;
+ }
++ alloc_len += ivsize;
+
+ edesc = kmalloc(alloc_len, GFP_DMA | flags);
+- if (!edesc) {
+- dev_err(dev, "could not allocate edescriptor\n");
+- err = ERR_PTR(-ENOMEM);
+- goto error_sg;
++ if (!edesc)
++ return ERR_PTR(-ENOMEM);
++ if (ivsize) {
++ iv = memcpy(((u8 *)edesc) + alloc_len - ivsize, iv, ivsize);
++ iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE);
+ }
+
+ edesc->src_nents = src_nents;
+@@ -1423,10 +1418,6 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev,
+ DMA_BIDIRECTIONAL);
+
+ return edesc;
+-error_sg:
+- if (iv_dma)
+- dma_unmap_single(dev, iv_dma, ivsize, DMA_TO_DEVICE);
+- return err;
+ }
+
+ static struct talitos_edesc *aead_edesc_alloc(struct aead_request *areq, u8 *iv,
+diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
+index ad6812baa611..f1259a0c2883 100644
+--- a/drivers/gpu/drm/drm_fb_helper.c
++++ b/drivers/gpu/drm/drm_fb_helper.c
+@@ -1578,9 +1578,14 @@ int drm_fb_helper_check_var(struct fb_var_screeninfo *var,
+ struct drm_fb_helper *fb_helper = info->par;
+ struct drm_framebuffer *fb = fb_helper->fb;
+
+- if (var->pixclock != 0 || in_dbg_master())
++ if (in_dbg_master())
+ return -EINVAL;
+
++ if (var->pixclock != 0) {
++ DRM_DEBUG("fbdev emulation doesn't support changing the pixel clock, value of pixclock is ignored\n");
++ var->pixclock = 0;
++ }
++
+ /*
+ * Changes struct fb_var_screeninfo are currently not pushed back
+ * to KMS, hence fail if different settings are requested.
+diff --git a/drivers/media/platform/vivid/vivid-kthread-cap.c b/drivers/media/platform/vivid/vivid-kthread-cap.c
+index 6ca71aabb576..d300e5e7eadc 100644
+--- a/drivers/media/platform/vivid/vivid-kthread-cap.c
++++ b/drivers/media/platform/vivid/vivid-kthread-cap.c
+@@ -877,8 +877,11 @@ int vivid_start_generating_vid_cap(struct vivid_dev *dev, bool *pstreaming)
+ "%s-vid-cap", dev->v4l2_dev.name);
+
+ if (IS_ERR(dev->kthread_vid_cap)) {
++ int err = PTR_ERR(dev->kthread_vid_cap);
++
++ dev->kthread_vid_cap = NULL;
+ v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n");
+- return PTR_ERR(dev->kthread_vid_cap);
++ return err;
+ }
+ *pstreaming = true;
+ vivid_grab_controls(dev, true);
+diff --git a/drivers/media/platform/vivid/vivid-kthread-out.c b/drivers/media/platform/vivid/vivid-kthread-out.c
+index 98eed5889bc1..7c8d75852816 100644
+--- a/drivers/media/platform/vivid/vivid-kthread-out.c
++++ b/drivers/media/platform/vivid/vivid-kthread-out.c
+@@ -248,8 +248,11 @@ int vivid_start_generating_vid_out(struct vivid_dev *dev, bool *pstreaming)
+ "%s-vid-out", dev->v4l2_dev.name);
+
+ if (IS_ERR(dev->kthread_vid_out)) {
++ int err = PTR_ERR(dev->kthread_vid_out);
++
++ dev->kthread_vid_out = NULL;
+ v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n");
+- return PTR_ERR(dev->kthread_vid_out);
++ return err;
+ }
+ *pstreaming = true;
+ vivid_grab_controls(dev, true);
+diff --git a/drivers/media/platform/vivid/vivid-vid-common.c b/drivers/media/platform/vivid/vivid-vid-common.c
+index 6f6d4df1e8a8..11b014bbacd8 100644
+--- a/drivers/media/platform/vivid/vivid-vid-common.c
++++ b/drivers/media/platform/vivid/vivid-vid-common.c
+@@ -33,7 +33,7 @@ const struct v4l2_dv_timings_cap vivid_dv_timings_cap = {
+ .type = V4L2_DV_BT_656_1120,
+ /* keep this initialization for compatibility with GCC < 4.4.6 */
+ .reserved = { 0 },
+- V4L2_INIT_BT_TIMINGS(0, MAX_WIDTH, 0, MAX_HEIGHT, 14000000, 775000000,
++ V4L2_INIT_BT_TIMINGS(16, MAX_WIDTH, 16, MAX_HEIGHT, 14000000, 775000000,
+ V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
+ V4L2_DV_BT_STD_CVT | V4L2_DV_BT_STD_GTF,
+ V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_INTERLACED)
+diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
+index 92a74bc34527..bd8de78e0ffd 100644
+--- a/drivers/media/usb/em28xx/em28xx-video.c
++++ b/drivers/media/usb/em28xx/em28xx-video.c
+@@ -900,8 +900,6 @@ static int em28xx_enable_analog_tuner(struct em28xx *dev)
+ if (!mdev || !v4l2->decoder)
+ return 0;
+
+- dev->v4l2->field_count = 0;
+-
+ /*
+ * This will find the tuner that is connected into the decoder.
+ * Technically, this is not 100% correct, as the device may be
+@@ -1074,6 +1072,8 @@ int em28xx_start_analog_streaming(struct vb2_queue *vq, unsigned int count)
+
+ em28xx_videodbg("%s\n", __func__);
+
++ dev->v4l2->field_count = 0;
++
+ /* Make sure streaming is not already in progress for this type
+ of filehandle (e.g. video, vbi) */
+ rc = res_get(dev, vq->type);
+diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
+index d06941cc6a55..f1ef4e97238e 100644
+--- a/drivers/media/v4l2-core/v4l2-ioctl.c
++++ b/drivers/media/v4l2-core/v4l2-ioctl.c
+@@ -249,6 +249,7 @@ static void v4l_print_format(const void *arg, bool write_only)
+ const struct v4l2_window *win;
+ const struct v4l2_sdr_format *sdr;
+ const struct v4l2_meta_format *meta;
++ u32 planes;
+ unsigned i;
+
+ pr_cont("type=%s", prt_names(p->type, v4l2_type_names));
+@@ -279,7 +280,8 @@ static void v4l_print_format(const void *arg, bool write_only)
+ prt_names(mp->field, v4l2_field_names),
+ mp->colorspace, mp->num_planes, mp->flags,
+ mp->ycbcr_enc, mp->quantization, mp->xfer_func);
+- for (i = 0; i < mp->num_planes; i++)
++ planes = min_t(u32, mp->num_planes, VIDEO_MAX_PLANES);
++ for (i = 0; i < planes; i++)
+ printk(KERN_DEBUG "plane %u: bytesperline=%u sizeimage=%u\n", i,
+ mp->plane_fmt[i].bytesperline,
+ mp->plane_fmt[i].sizeimage);
+diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
+index 43522a09b11d..f1725da2a90d 100644
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1925,9 +1925,13 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
+ return -EINVAL;
+ }
+ }
++
++ mutex_lock(&q->mmap_lock);
++
+ if (vb2_fileio_is_active(q)) {
+ dprintk(1, "mmap: file io in progress\n");
+- return -EBUSY;
++ ret = -EBUSY;
++ goto unlock;
+ }
+
+ /*
+@@ -1935,7 +1939,7 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
+ */
+ ret = __find_plane_by_offset(q, off, &buffer, &plane);
+ if (ret)
+- return ret;
++ goto unlock;
+
+ vb = q->bufs[buffer];
+
+@@ -1948,11 +1952,13 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
+ if (length < (vma->vm_end - vma->vm_start)) {
+ dprintk(1,
+ "MMAP invalid, as it would overflow buffer length\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto unlock;
+ }
+
+- mutex_lock(&q->mmap_lock);
+ ret = call_memop(vb, mmap, vb->planes[plane].mem_priv, vma);
++
++unlock:
+ mutex_unlock(&q->mmap_lock);
+ if (ret)
+ return ret;
+diff --git a/drivers/mfd/tps6586x.c b/drivers/mfd/tps6586x.c
+index 5628a6b5b19b..c5c320efc7b4 100644
+--- a/drivers/mfd/tps6586x.c
++++ b/drivers/mfd/tps6586x.c
+@@ -594,6 +594,29 @@ static int tps6586x_i2c_remove(struct i2c_client *client)
+ return 0;
+ }
+
++static int __maybe_unused tps6586x_i2c_suspend(struct device *dev)
++{
++ struct tps6586x *tps6586x = dev_get_drvdata(dev);
++
++ if (tps6586x->client->irq)
++ disable_irq(tps6586x->client->irq);
++
++ return 0;
++}
++
++static int __maybe_unused tps6586x_i2c_resume(struct device *dev)
++{
++ struct tps6586x *tps6586x = dev_get_drvdata(dev);
++
++ if (tps6586x->client->irq)
++ enable_irq(tps6586x->client->irq);
++
++ return 0;
++}
++
++static SIMPLE_DEV_PM_OPS(tps6586x_pm_ops, tps6586x_i2c_suspend,
++ tps6586x_i2c_resume);
++
+ static const struct i2c_device_id tps6586x_id_table[] = {
+ { "tps6586x", 0 },
+ { },
+@@ -604,6 +627,7 @@ static struct i2c_driver tps6586x_driver = {
+ .driver = {
+ .name = "tps6586x",
+ .of_match_table = of_match_ptr(tps6586x_of_match),
++ .pm = &tps6586x_pm_ops,
+ },
+ .probe = tps6586x_i2c_probe,
+ .remove = tps6586x_i2c_remove,
+diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
+index 92c483ec6cb2..192844b50c69 100644
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -138,6 +138,8 @@ struct sdhci_msm_host {
+ bool calibration_done;
+ u8 saved_tuning_phase;
+ bool use_cdclp533;
++ bool use_cdr;
++ u32 transfer_mode;
+ };
+
+ static unsigned int msm_get_clock_rate_for_bus_mode(struct sdhci_host *host,
+@@ -815,6 +817,23 @@ out:
+ return ret;
+ }
+
++static void sdhci_msm_set_cdr(struct sdhci_host *host, bool enable)
++{
++ u32 config, oldconfig = readl_relaxed(host->ioaddr + CORE_DLL_CONFIG);
++
++ config = oldconfig;
++ if (enable) {
++ config |= CORE_CDR_EN;
++ config &= ~CORE_CDR_EXT_EN;
++ } else {
++ config &= ~CORE_CDR_EN;
++ config |= CORE_CDR_EXT_EN;
++ }
++
++ if (config != oldconfig)
++ writel_relaxed(config, host->ioaddr + CORE_DLL_CONFIG);
++}
++
+ static int sdhci_msm_execute_tuning(struct mmc_host *mmc, u32 opcode)
+ {
+ struct sdhci_host *host = mmc_priv(mmc);
+@@ -832,8 +851,14 @@ static int sdhci_msm_execute_tuning(struct mmc_host *mmc, u32 opcode)
+ if (host->clock <= CORE_FREQ_100MHZ ||
+ !(ios.timing == MMC_TIMING_MMC_HS400 ||
+ ios.timing == MMC_TIMING_MMC_HS200 ||
+- ios.timing == MMC_TIMING_UHS_SDR104))
++ ios.timing == MMC_TIMING_UHS_SDR104)) {
++ msm_host->use_cdr = false;
++ sdhci_msm_set_cdr(host, false);
+ return 0;
++ }
++
++ /* Clock-Data-Recovery used to dynamically adjust RX sampling point */
++ msm_host->use_cdr = true;
+
+ /*
+ * For HS400 tuning in HS200 timing requires:
+@@ -1092,6 +1117,29 @@ out:
+ __sdhci_msm_set_clock(host, clock);
+ }
+
++static void sdhci_msm_write_w(struct sdhci_host *host, u16 val, int reg)
++{
++ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
++ struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
++
++ switch (reg) {
++ case SDHCI_TRANSFER_MODE:
++ msm_host->transfer_mode = val;
++ break;
++ case SDHCI_COMMAND:
++ if (!msm_host->use_cdr)
++ break;
++ if ((msm_host->transfer_mode & SDHCI_TRNS_READ) &&
++ (SDHCI_GET_CMD(val) != MMC_SEND_TUNING_BLOCK_HS200) &&
++ (SDHCI_GET_CMD(val) != MMC_SEND_TUNING_BLOCK))
++ sdhci_msm_set_cdr(host, true);
++ else
++ sdhci_msm_set_cdr(host, false);
++ break;
++ }
++ writew(val, host->ioaddr + reg);
++}
++
+ static const struct of_device_id sdhci_msm_dt_match[] = {
+ { .compatible = "qcom,sdhci-msm-v4" },
+ {},
+@@ -1107,6 +1155,7 @@ static const struct sdhci_ops sdhci_msm_ops = {
+ .set_bus_width = sdhci_set_bus_width,
+ .set_uhs_signaling = sdhci_msm_set_uhs_signaling,
+ .voltage_switch = sdhci_msm_voltage_switch,
++ .write_w = sdhci_msm_write_w,
+ };
+
+ static const struct sdhci_pltfm_data sdhci_msm_pdata = {
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index cf64a365362b..65c5a65af0ba 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1928,6 +1928,9 @@ static int __bond_release_one(struct net_device *bond_dev,
+ if (!bond_has_slaves(bond)) {
+ bond_set_carrier(bond);
+ eth_hw_addr_random(bond_dev);
++ bond->nest_level = SINGLE_DEPTH_NESTING;
++ } else {
++ bond->nest_level = dev_get_nest_level(bond_dev) + 1;
+ }
+
+ unblock_netpoll_tx();
+diff --git a/drivers/of/property.c b/drivers/of/property.c
+index 264c355ba1ff..fd9b734fff33 100644
+--- a/drivers/of/property.c
++++ b/drivers/of/property.c
+@@ -810,6 +810,7 @@ struct device_node *of_graph_get_remote_node(const struct device_node *node,
+
+ if (!of_device_is_available(remote)) {
+ pr_debug("not available for remote node\n");
++ of_node_put(remote);
+ return NULL;
+ }
+
+diff --git a/drivers/scsi/scsi_pm.c b/drivers/scsi/scsi_pm.c
+index b44c1bb687a2..ebc193f7f7dd 100644
+--- a/drivers/scsi/scsi_pm.c
++++ b/drivers/scsi/scsi_pm.c
+@@ -79,8 +79,22 @@ static int scsi_dev_type_resume(struct device *dev,
+
+ if (err == 0) {
+ pm_runtime_disable(dev);
+- pm_runtime_set_active(dev);
++ err = pm_runtime_set_active(dev);
+ pm_runtime_enable(dev);
++
++ /*
++ * Forcibly set runtime PM status of request queue to "active"
++ * to make sure we can again get requests from the queue
++ * (see also blk_pm_peek_request()).
++ *
++ * The resume hook will correct runtime PM status of the disk.
++ */
++ if (!err && scsi_is_sdev_device(dev)) {
++ struct scsi_device *sdev = to_scsi_device(dev);
++
++ if (sdev->request_queue->dev)
++ blk_set_runtime_active(sdev->request_queue);
++ }
+ }
+
+ return err;
+@@ -139,16 +153,6 @@ static int scsi_bus_resume_common(struct device *dev,
+ else
+ fn = NULL;
+
+- /*
+- * Forcibly set runtime PM status of request queue to "active" to
+- * make sure we can again get requests from the queue (see also
+- * blk_pm_peek_request()).
+- *
+- * The resume hook will correct runtime PM status of the disk.
+- */
+- if (scsi_is_sdev_device(dev) && pm_runtime_suspended(dev))
+- blk_set_runtime_active(to_scsi_device(dev)->request_queue);
+-
+ if (fn) {
+ async_schedule_domain(fn, dev, &scsi_sd_pm_domain);
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 39754cc90043..048fccc72e03 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -206,6 +206,12 @@ cache_type_store(struct device *dev, struct device_attribute *attr,
+ sp = buffer_data[0] & 0x80 ? 1 : 0;
+ buffer_data[0] &= ~0x80;
+
++ /*
++ * Ensure WP, DPOFUA, and RESERVED fields are cleared in
++ * received mode parameter buffer before doing MODE SELECT.
++ */
++ data.device_specific = 0;
++
+ if (scsi_mode_select(sdp, 1, sp, 8, buffer_data, len, SD_TIMEOUT,
+ SD_MAX_RETRIES, &data, &sshdr)) {
+ if (scsi_sense_valid(&sshdr))
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 83376caa571b..417b81c67fe9 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1254,7 +1254,8 @@ static void tty_driver_remove_tty(struct tty_driver *driver, struct tty_struct *
+ static int tty_reopen(struct tty_struct *tty)
+ {
+ struct tty_driver *driver = tty->driver;
+- int retval;
++ struct tty_ldisc *ld;
++ int retval = 0;
+
+ if (driver->type == TTY_DRIVER_TYPE_PTY &&
+ driver->subtype == PTY_TYPE_MASTER)
+@@ -1266,14 +1267,21 @@ static int tty_reopen(struct tty_struct *tty)
+ if (test_bit(TTY_EXCLUSIVE, &tty->flags) && !capable(CAP_SYS_ADMIN))
+ return -EBUSY;
+
+- tty->count++;
++ ld = tty_ldisc_ref_wait(tty);
++ if (ld) {
++ tty_ldisc_deref(ld);
++ } else {
++ retval = tty_ldisc_lock(tty, 5 * HZ);
++ if (retval)
++ return retval;
+
+- if (tty->ldisc)
+- return 0;
++ if (!tty->ldisc)
++ retval = tty_ldisc_reinit(tty, tty->termios.c_line);
++ tty_ldisc_unlock(tty);
++ }
+
+- retval = tty_ldisc_reinit(tty, tty->termios.c_line);
+- if (retval)
+- tty->count--;
++ if (retval == 0)
++ tty->count++;
+
+ return retval;
+ }
+diff --git a/drivers/tty/tty_ldsem.c b/drivers/tty/tty_ldsem.c
+index 52b7baef4f7a..5c2cec298816 100644
+--- a/drivers/tty/tty_ldsem.c
++++ b/drivers/tty/tty_ldsem.c
+@@ -307,6 +307,16 @@ down_write_failed(struct ld_semaphore *sem, long count, long timeout)
+ if (!locked)
+ ldsem_atomic_update(-LDSEM_WAIT_BIAS, sem);
+ list_del(&waiter.list);
++
++ /*
++ * In case of timeout, wake up every reader who gave the right of way
++ * to writer. Prevent separation readers into two groups:
++ * one that helds semaphore and another that sleeps.
++ * (in case of no contention with a writer)
++ */
++ if (!locked && list_empty(&sem->write_wait))
++ __ldsem_wake_readers(sem);
++
+ raw_spin_unlock_irq(&sem->wait_lock);
+
+ __set_current_state(TASK_RUNNING);
+diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+index a3edb20ea4c3..a846d32ee653 100644
+--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
++++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+@@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, unsigned int cmd, unsigned long arg)
+
+ int r = 0;
+
++ memset(&p, 0, sizeof(p));
++
+ switch (cmd) {
+ case OMAPFB_SYNC_GFX:
+ DBG("ioctl SYNC_GFX\n");
+diff --git a/fs/block_dev.c b/fs/block_dev.c
+index 3323eec5c164..3911c1a80219 100644
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -116,6 +116,20 @@ void invalidate_bdev(struct block_device *bdev)
+ }
+ EXPORT_SYMBOL(invalidate_bdev);
+
++static void set_init_blocksize(struct block_device *bdev)
++{
++ unsigned bsize = bdev_logical_block_size(bdev);
++ loff_t size = i_size_read(bdev->bd_inode);
++
++ while (bsize < PAGE_SIZE) {
++ if (size & bsize)
++ break;
++ bsize <<= 1;
++ }
++ bdev->bd_block_size = bsize;
++ bdev->bd_inode->i_blkbits = blksize_bits(bsize);
++}
++
+ int set_blocksize(struct block_device *bdev, int size)
+ {
+ /* Size must be a power of two, and between 512 and PAGE_SIZE */
+@@ -1393,18 +1407,9 @@ EXPORT_SYMBOL(check_disk_change);
+
+ void bd_set_size(struct block_device *bdev, loff_t size)
+ {
+- unsigned bsize = bdev_logical_block_size(bdev);
+-
+ inode_lock(bdev->bd_inode);
+ i_size_write(bdev->bd_inode, size);
+ inode_unlock(bdev->bd_inode);
+- while (bsize < PAGE_SIZE) {
+- if (size & bsize)
+- break;
+- bsize <<= 1;
+- }
+- bdev->bd_block_size = bsize;
+- bdev->bd_inode->i_blkbits = blksize_bits(bsize);
+ }
+ EXPORT_SYMBOL(bd_set_size);
+
+@@ -1482,8 +1487,10 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
+ }
+ }
+
+- if (!ret)
++ if (!ret) {
+ bd_set_size(bdev,(loff_t)get_capacity(disk)<<9);
++ set_init_blocksize(bdev);
++ }
+
+ /*
+ * If the device is invalidated, rescan partition
+@@ -1518,6 +1525,7 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
+ goto out_clear;
+ }
+ bd_set_size(bdev, (loff_t)bdev->bd_part->nr_sects << 9);
++ set_init_blocksize(bdev);
+ }
+
+ if (bdev->bd_bdi == &noop_backing_dev_info)
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index 858d5812eb8f..e0bdc0c902e4 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -4115,6 +4115,14 @@ static void btrfs_destroy_all_ordered_extents(struct btrfs_fs_info *fs_info)
+ spin_lock(&fs_info->ordered_root_lock);
+ }
+ spin_unlock(&fs_info->ordered_root_lock);
++
++ /*
++ * We need this here because if we've been flipped read-only we won't
++ * get sync() from the umount, so we need to make sure any ordered
++ * extents that haven't had their dirty pages IO start writeout yet
++ * actually get run and error out properly.
++ */
++ btrfs_wait_ordered_roots(fs_info, U64_MAX, 0, (u64)-1);
+ }
+
+ static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans,
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 09829e8d759e..909f7ea92e0b 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -3170,9 +3170,6 @@ out:
+ /* once for the tree */
+ btrfs_put_ordered_extent(ordered_extent);
+
+- /* Try to release some metadata so we don't get an OOM but don't wait */
+- btrfs_btree_balance_dirty_nodelay(fs_info);
+-
+ return ret;
+ }
+
+diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
+index 9f7e546d7050..f371e03cf3bf 100644
+--- a/fs/pstore/ram.c
++++ b/fs/pstore/ram.c
+@@ -711,18 +711,15 @@ static int ramoops_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+ struct ramoops_platform_data *pdata = dev->platform_data;
++ struct ramoops_platform_data pdata_local;
+ struct ramoops_context *cxt = &oops_cxt;
+ size_t dump_mem_sz;
+ phys_addr_t paddr;
+ int err = -EINVAL;
+
+ if (dev_of_node(dev) && !pdata) {
+- pdata = devm_kzalloc(&pdev->dev, sizeof(*pdata), GFP_KERNEL);
+- if (!pdata) {
+- pr_err("cannot allocate platform data buffer\n");
+- err = -ENOMEM;
+- goto fail_out;
+- }
++ pdata = &pdata_local;
++ memset(pdata, 0, sizeof(*pdata));
+
+ err = ramoops_parse_dt(pdev, pdata);
+ if (err < 0)
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 6e108af21481..f33b24080b1c 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -4087,6 +4087,7 @@ void __refill_cfs_bandwidth_runtime(struct cfs_bandwidth *cfs_b)
+ now = sched_clock_cpu(smp_processor_id());
+ cfs_b->runtime = cfs_b->quota;
+ cfs_b->runtime_expires = now + ktime_to_ns(cfs_b->period);
++ cfs_b->expires_seq++;
+ }
+
+ static inline struct cfs_bandwidth *tg_cfs_bandwidth(struct task_group *tg)
+@@ -4109,6 +4110,7 @@ static int assign_cfs_rq_runtime(struct cfs_rq *cfs_rq)
+ struct task_group *tg = cfs_rq->tg;
+ struct cfs_bandwidth *cfs_b = tg_cfs_bandwidth(tg);
+ u64 amount = 0, min_amount, expires;
++ int expires_seq;
+
+ /* note: this is a positive sum as runtime_remaining <= 0 */
+ min_amount = sched_cfs_bandwidth_slice() - cfs_rq->runtime_remaining;
+@@ -4125,6 +4127,7 @@ static int assign_cfs_rq_runtime(struct cfs_rq *cfs_rq)
+ cfs_b->idle = 0;
+ }
+ }
++ expires_seq = cfs_b->expires_seq;
+ expires = cfs_b->runtime_expires;
+ raw_spin_unlock(&cfs_b->lock);
+
+@@ -4134,8 +4137,10 @@ static int assign_cfs_rq_runtime(struct cfs_rq *cfs_rq)
+ * spread between our sched_clock and the one on which runtime was
+ * issued.
+ */
+- if ((s64)(expires - cfs_rq->runtime_expires) > 0)
++ if (cfs_rq->expires_seq != expires_seq) {
++ cfs_rq->expires_seq = expires_seq;
+ cfs_rq->runtime_expires = expires;
++ }
+
+ return cfs_rq->runtime_remaining > 0;
+ }
+@@ -4161,12 +4166,9 @@ static void expire_cfs_rq_runtime(struct cfs_rq *cfs_rq)
+ * has not truly expired.
+ *
+ * Fortunately we can check determine whether this the case by checking
+- * whether the global deadline has advanced. It is valid to compare
+- * cfs_b->runtime_expires without any locks since we only care about
+- * exact equality, so a partial write will still work.
++ * whether the global deadline(cfs_b->expires_seq) has advanced.
+ */
+-
+- if (cfs_rq->runtime_expires != cfs_b->runtime_expires) {
++ if (cfs_rq->expires_seq == cfs_b->expires_seq) {
+ /* extend local deadline, drift is bounded above by 2 ticks */
+ cfs_rq->runtime_expires += TICK_NSEC;
+ } else {
+diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
+index b3ba6e5e99f2..452b56923c6d 100644
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -281,8 +281,9 @@ struct cfs_bandwidth {
+ u64 quota, runtime;
+ s64 hierarchical_quota;
+ u64 runtime_expires;
++ int expires_seq;
+
+- int idle, period_active;
++ short idle, period_active;
+ struct hrtimer period_timer, slack_timer;
+ struct list_head throttled_cfs_rq;
+
+@@ -488,6 +489,7 @@ struct cfs_rq {
+
+ #ifdef CONFIG_CFS_BANDWIDTH
+ int runtime_enabled;
++ int expires_seq;
+ u64 runtime_expires;
+ s64 runtime_remaining;
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 7582f28ab306..3f3859b8d49f 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -275,7 +275,7 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_
+ struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
+ int ret;
+
+- if (neigh->hh.hh_len) {
++ if ((neigh->nud_state & NUD_CONNECTED) && neigh->hh.hh_len) {
+ neigh_hh_bridge(&neigh->hh, skb);
+ skb->dev = nf_bridge->physindev;
+ ret = br_handle_frame_finish(net, sk, skb);
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 54c7fe68040f..22e4c15a1fc3 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1134,14 +1134,16 @@ static int do_replace(struct net *net, const void __user *user,
+ tmp.name[sizeof(tmp.name) - 1] = 0;
+
+ countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
+- newinfo = vmalloc(sizeof(*newinfo) + countersize);
++ newinfo = __vmalloc(sizeof(*newinfo) + countersize, GFP_KERNEL_ACCOUNT,
++ PAGE_KERNEL);
+ if (!newinfo)
+ return -ENOMEM;
+
+ if (countersize)
+ memset(newinfo->counters, 0, countersize);
+
+- newinfo->entries = vmalloc(tmp.entries_size);
++ newinfo->entries = __vmalloc(tmp.entries_size, GFP_KERNEL_ACCOUNT,
++ PAGE_KERNEL);
+ if (!newinfo->entries) {
+ ret = -ENOMEM;
+ goto free_newinfo;
+diff --git a/net/can/gw.c b/net/can/gw.c
+index 73a02af4b5d7..5114b8f07fd4 100644
+--- a/net/can/gw.c
++++ b/net/can/gw.c
+@@ -416,13 +416,29 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
+ while (modidx < MAX_MODFUNCTIONS && gwj->mod.modfunc[modidx])
+ (*gwj->mod.modfunc[modidx++])(cf, &gwj->mod);
+
+- /* check for checksum updates when the CAN frame has been modified */
++ /* Has the CAN frame been modified? */
+ if (modidx) {
+- if (gwj->mod.csumfunc.crc8)
++ /* get available space for the processed CAN frame type */
++ int max_len = nskb->len - offsetof(struct can_frame, data);
++
++ /* dlc may have changed, make sure it fits to the CAN frame */
++ if (cf->can_dlc > max_len)
++ goto out_delete;
++
++ /* check for checksum updates in classic CAN length only */
++ if (gwj->mod.csumfunc.crc8) {
++ if (cf->can_dlc > 8)
++ goto out_delete;
++
+ (*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8);
++ }
++
++ if (gwj->mod.csumfunc.xor) {
++ if (cf->can_dlc > 8)
++ goto out_delete;
+
+- if (gwj->mod.csumfunc.xor)
+ (*gwj->mod.csumfunc.xor)(cf, &gwj->mod.csum.xor);
++ }
+ }
+
+ /* clear the skb timestamp if not configured the other way */
+@@ -434,6 +450,14 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
+ gwj->dropped_frames++;
+ else
+ gwj->handled_frames++;
++
++ return;
++
++ out_delete:
++ /* delete frame due to misconfiguration */
++ gwj->deleted_frames++;
++ kfree_skb(nskb);
++ return;
+ }
+
+ static inline int cgw_register_filter(struct net *net, struct cgw_job *gwj)
+diff --git a/net/core/filter.c b/net/core/filter.c
+index d5158a10ac8f..542fd04bc44d 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1714,18 +1714,19 @@ static inline int __bpf_tx_skb(struct net_device *dev, struct sk_buff *skb)
+ static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev,
+ u32 flags)
+ {
+- /* skb->mac_len is not set on normal egress */
+- unsigned int mlen = skb->network_header - skb->mac_header;
++ unsigned int mlen = skb_network_offset(skb);
+
+- __skb_pull(skb, mlen);
++ if (mlen) {
++ __skb_pull(skb, mlen);
+
+- /* At ingress, the mac header has already been pulled once.
+- * At egress, skb_pospull_rcsum has to be done in case that
+- * the skb is originated from ingress (i.e. a forwarded skb)
+- * to ensure that rcsum starts at net header.
+- */
+- if (!skb_at_tc_ingress(skb))
+- skb_postpull_rcsum(skb, skb_mac_header(skb), mlen);
++ /* At ingress, the mac header has already been pulled once.
++ * At egress, skb_pospull_rcsum has to be done in case that
++ * the skb is originated from ingress (i.e. a forwarded skb)
++ * to ensure that rcsum starts at net header.
++ */
++ if (!skb_at_tc_ingress(skb))
++ skb_postpull_rcsum(skb, skb_mac_header(skb), mlen);
++ }
+ skb_pop_mac_header(skb);
+ skb_reset_mac_len(skb);
+ return flags & BPF_F_INGRESS ?
+diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c
+index 832d69649cb6..65313c766ab3 100644
+--- a/net/core/lwt_bpf.c
++++ b/net/core/lwt_bpf.c
+@@ -65,6 +65,7 @@ static int run_lwt_bpf(struct sk_buff *skb, struct bpf_lwt_prog *lwt,
+ lwt->name ? : "<unknown>");
+ ret = BPF_OK;
+ } else {
++ skb_reset_mac_header(skb);
+ ret = skb_do_redirect(skb);
+ if (ret == 0)
+ ret = BPF_REDIRECT;
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index 4ef92ebc4f6d..d1081eac3b49 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -146,19 +146,17 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
+
+ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
+ {
++ __be16 _ports[2], *ports;
+ struct sockaddr_in sin;
+- __be16 *ports;
+- int end;
+-
+- end = skb_transport_offset(skb) + 4;
+- if (end > 0 && !pskb_may_pull(skb, end))
+- return;
+
+ /* All current transport protocols have the port numbers in the
+ * first four bytes of the transport header and this function is
+ * written with this assumption in mind.
+ */
+- ports = (__be16 *)skb_transport_header(skb);
++ ports = skb_header_pointer(skb, skb_transport_offset(skb),
++ sizeof(_ports), &_ports);
++ if (!ports)
++ return;
+
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = ip_hdr(skb)->daddr;
+diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+index 461825e0680f..1ee3e0d2b587 100644
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -349,6 +349,7 @@ void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info)
+ skb_reset_network_header(skb);
+ iph = ipv6_hdr(skb);
+ iph->daddr = fl6->daddr;
++ ip6_flow_hdr(iph, 0, 0);
+
+ serr = SKB_EXT_ERR(skb);
+ serr->ee.ee_errno = err;
+@@ -708,17 +709,15 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
+ }
+ if (np->rxopt.bits.rxorigdstaddr) {
+ struct sockaddr_in6 sin6;
+- __be16 *ports;
+- int end;
++ __be16 _ports[2], *ports;
+
+- end = skb_transport_offset(skb) + 4;
+- if (end <= 0 || pskb_may_pull(skb, end)) {
++ ports = skb_header_pointer(skb, skb_transport_offset(skb),
++ sizeof(_ports), &_ports);
++ if (ports) {
+ /* All current transport protocols have the port numbers in the
+ * first four bytes of the transport header and this function is
+ * written with this assumption in mind.
+ */
+- ports = (__be16 *)skb_transport_header(skb);
+-
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_addr = ipv6_hdr(skb)->daddr;
+ sin6.sin6_port = ports[1];
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 91a323f99d47..44a093c75567 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2666,7 +2666,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
+ dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
+ if (addr && dev && saddr->sll_halen < dev->addr_len)
+- goto out;
++ goto out_put;
+ }
+
+ err = -ENXIO;
+@@ -2866,7 +2866,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
+ dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
+ if (addr && dev && saddr->sll_halen < dev->addr_len)
+- goto out;
++ goto out_unlock;
+ }
+
+ err = -ENXIO;
+diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
+index 8002a72aae1a..7eb06fa75730 100644
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -97,11 +97,9 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
+
+ switch (ev) {
+ case NETDEV_UP:
+- addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
++ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
+ if (addr) {
+ addr->a.v6.sin6_family = AF_INET6;
+- addr->a.v6.sin6_port = 0;
+- addr->a.v6.sin6_flowinfo = 0;
+ addr->a.v6.sin6_addr = ifa->addr;
+ addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
+ addr->valid = 1;
+@@ -415,7 +413,6 @@ static void sctp_v6_copy_addrlist(struct list_head *addrlist,
+ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
+ if (addr) {
+ addr->a.v6.sin6_family = AF_INET6;
+- addr->a.v6.sin6_port = 0;
+ addr->a.v6.sin6_addr = ifp->addr;
+ addr->a.v6.sin6_scope_id = dev->ifindex;
+ addr->valid = 1;
+diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
+index df22a9c352ad..cbb04d66f564 100644
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -151,7 +151,6 @@ static void sctp_v4_copy_addrlist(struct list_head *addrlist,
+ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
+ if (addr) {
+ addr->a.v4.sin_family = AF_INET;
+- addr->a.v4.sin_port = 0;
+ addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
+ addr->valid = 1;
+ INIT_LIST_HEAD(&addr->list);
+@@ -782,10 +781,9 @@ static int sctp_inetaddr_event(struct notifier_block *this, unsigned long ev,
+
+ switch (ev) {
+ case NETDEV_UP:
+- addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
++ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
+ if (addr) {
+ addr->a.v4.sin_family = AF_INET;
+- addr->a.v4.sin_port = 0;
+ addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
+ addr->valid = 1;
+ spin_lock_bh(&net->sctp.local_addr_lock);
+diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c
+index ea0676f199c8..da21efac80f4 100644
+--- a/net/sunrpc/rpcb_clnt.c
++++ b/net/sunrpc/rpcb_clnt.c
+@@ -771,6 +771,12 @@ void rpcb_getport_async(struct rpc_task *task)
+ case RPCBVERS_3:
+ map->r_netid = xprt->address_strings[RPC_DISPLAY_NETID];
+ map->r_addr = rpc_sockaddr2uaddr(sap, GFP_ATOMIC);
++ if (!map->r_addr) {
++ status = -ENOMEM;
++ dprintk("RPC: %5u %s: no memory available\n",
++ task->tk_pid, __func__);
++ goto bailout_free_args;
++ }
+ map->r_owner = "";
+ break;
+ case RPCBVERS_2:
+@@ -793,6 +799,8 @@ void rpcb_getport_async(struct rpc_task *task)
+ rpc_put_task(child);
+ return;
+
++bailout_free_args:
++ kfree(map);
+ bailout_release_client:
+ rpc_release_client(rpcb_clnt);
+ bailout_nofree:
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index e48f0b2c01b9..73895daf8943 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -87,6 +87,11 @@ static int tipc_skb_tailroom(struct sk_buff *skb)
+ return limit;
+ }
+
++static inline int TLV_GET_DATA_LEN(struct tlv_desc *tlv)
++{
++ return TLV_GET_LEN(tlv) - TLV_SPACE(0);
++}
++
+ static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len)
+ {
+ struct tlv_desc *tlv = (struct tlv_desc *)skb_tail_pointer(skb);
+@@ -166,6 +171,11 @@ static struct sk_buff *tipc_get_err_tlv(char *str)
+ return buf;
+ }
+
++static inline bool string_is_valid(char *s, int len)
++{
++ return memchr(s, '\0', len) ? true : false;
++}
++
+ static int __tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
+ struct tipc_nl_compat_msg *msg,
+ struct sk_buff *arg)
+@@ -370,6 +380,7 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd,
+ struct nlattr *prop;
+ struct nlattr *bearer;
+ struct tipc_bearer_config *b;
++ int len;
+
+ b = (struct tipc_bearer_config *)TLV_DATA(msg->req);
+
+@@ -377,6 +388,10 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd,
+ if (!bearer)
+ return -EMSGSIZE;
+
++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
++ if (!string_is_valid(b->name, len))
++ return -EINVAL;
++
+ if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, b->name))
+ return -EMSGSIZE;
+
+@@ -402,6 +417,7 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd,
+ {
+ char *name;
+ struct nlattr *bearer;
++ int len;
+
+ name = (char *)TLV_DATA(msg->req);
+
+@@ -409,6 +425,10 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd,
+ if (!bearer)
+ return -EMSGSIZE;
+
++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
++ if (!string_is_valid(name, len))
++ return -EINVAL;
++
+ if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, name))
+ return -EMSGSIZE;
+
+@@ -469,6 +489,7 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
+ struct nlattr *prop[TIPC_NLA_PROP_MAX + 1];
+ struct nlattr *stats[TIPC_NLA_STATS_MAX + 1];
+ int err;
++ int len;
+
+ if (!attrs[TIPC_NLA_LINK])
+ return -EINVAL;
+@@ -495,6 +516,11 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
+ return err;
+
+ name = (char *)TLV_DATA(msg->req);
++
++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ if (!string_is_valid(name, len))
++ return -EINVAL;
++
+ if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
+ return 0;
+
+@@ -635,6 +661,7 @@ static int tipc_nl_compat_media_set(struct sk_buff *skb,
+ struct nlattr *prop;
+ struct nlattr *media;
+ struct tipc_link_config *lc;
++ int len;
+
+ lc = (struct tipc_link_config *)TLV_DATA(msg->req);
+
+@@ -642,6 +669,10 @@ static int tipc_nl_compat_media_set(struct sk_buff *skb,
+ if (!media)
+ return -EMSGSIZE;
+
++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME);
++ if (!string_is_valid(lc->name, len))
++ return -EINVAL;
++
+ if (nla_put_string(skb, TIPC_NLA_MEDIA_NAME, lc->name))
+ return -EMSGSIZE;
+
+@@ -662,6 +693,7 @@ static int tipc_nl_compat_bearer_set(struct sk_buff *skb,
+ struct nlattr *prop;
+ struct nlattr *bearer;
+ struct tipc_link_config *lc;
++ int len;
+
+ lc = (struct tipc_link_config *)TLV_DATA(msg->req);
+
+@@ -669,6 +701,10 @@ static int tipc_nl_compat_bearer_set(struct sk_buff *skb,
+ if (!bearer)
+ return -EMSGSIZE;
+
++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME);
++ if (!string_is_valid(lc->name, len))
++ return -EINVAL;
++
+ if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, lc->name))
+ return -EMSGSIZE;
+
+@@ -717,9 +753,14 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd,
+ struct tipc_link_config *lc;
+ struct tipc_bearer *bearer;
+ struct tipc_media *media;
++ int len;
+
+ lc = (struct tipc_link_config *)TLV_DATA(msg->req);
+
++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ if (!string_is_valid(lc->name, len))
++ return -EINVAL;
++
+ media = tipc_media_find(lc->name);
+ if (media) {
+ cmd->doit = &tipc_nl_media_set;
+@@ -741,6 +782,7 @@ static int tipc_nl_compat_link_reset_stats(struct tipc_nl_compat_cmd_doit *cmd,
+ {
+ char *name;
+ struct nlattr *link;
++ int len;
+
+ name = (char *)TLV_DATA(msg->req);
+
+@@ -748,6 +790,10 @@ static int tipc_nl_compat_link_reset_stats(struct tipc_nl_compat_cmd_doit *cmd,
+ if (!link)
+ return -EMSGSIZE;
+
++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ if (!string_is_valid(name, len))
++ return -EINVAL;
++
+ if (nla_put_string(skb, TIPC_NLA_LINK_NAME, name))
+ return -EMSGSIZE;
+
+@@ -769,6 +815,8 @@ static int tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg)
+ };
+
+ ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req);
++ if (TLV_GET_DATA_LEN(msg->req) < sizeof(struct tipc_name_table_query))
++ return -EINVAL;
+
+ depth = ntohl(ntq->depth);
+
+@@ -1192,7 +1240,7 @@ static int tipc_nl_compat_recv(struct sk_buff *skb, struct genl_info *info)
+ }
+
+ len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
+- if (len && !TLV_OK(msg.req, len)) {
++ if (!len || !TLV_OK(msg.req, len)) {
+ msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED);
+ err = -EOPNOTSUPP;
+ goto send;
+diff --git a/security/security.c b/security/security.c
+index 95a1a0f52880..4fbe4e495c02 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -993,6 +993,13 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
+
+ void security_cred_free(struct cred *cred)
+ {
++ /*
++ * There is a failure case in prepare_creds() that
++ * may result in a call here with ->security being NULL.
++ */
++ if (unlikely(cred->security == NULL))
++ return;
++
+ call_void_hook(cred_free, cred);
+ }
+
+diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
+index ffeb644bfecd..524068d71bc1 100644
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -730,7 +730,8 @@ static int sens_destroy(void *key, void *datum, void *p)
+ kfree(key);
+ if (datum) {
+ levdatum = datum;
+- ebitmap_destroy(&levdatum->level->cat);
++ if (levdatum->level)
++ ebitmap_destroy(&levdatum->level->cat);
+ kfree(levdatum->level);
+ }
+ kfree(datum);
+diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
+index 8298e094f4f7..7d5541c6a225 100644
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -373,7 +373,9 @@ static int yama_ptrace_access_check(struct task_struct *child,
+ break;
+ case YAMA_SCOPE_RELATIONAL:
+ rcu_read_lock();
+- if (!task_is_descendant(current, child) &&
++ if (!pid_alive(child))
++ rc = -EPERM;
++ if (!rc && !task_is_descendant(current, child) &&
+ !ptracer_exception_found(current, child) &&
+ !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
+ rc = -EPERM;