diff options
| author |   Mike Pagano <mpagano@gentoo.org> | 2019-05-08 06:03:35 -0400 |
|---|---|---|
| committer | Mike Pagano <mpagano@gentoo.org> | 2019-05-08 06:03:35 -0400 |
| commit | 4e804abb89c6ffd929494c09f6d4b11bc0b37513 (patch) | |
| tree | c908bf29c329204cd0d894c544d4bccc65139d9d | |
| parent | Linux patch 4.9.173 (diff) | |
| download | linux-patches-4e804abb.tar.gz linux-patches-4e804abb.tar.bz2 linux-patches-4e804abb.zip | |
Linux patch 4.9.1744.9-178
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1173_linux-4.9.174.patch | 2517 |
2 files changed, 2521 insertions, 0 deletions
diff --git a/0000_README b/0000_README index b47b2c47..15510bc5 100644 --- a/0000_README +++ b/0000_README @@ -735,6 +735,10 @@ Patch: 1172_linux-4.9.173.patch From: http://www.kernel.org Desc: Linux 4.9.173 +Patch: 1173_linux-4.9.174.patch +From: http://www.kernel.org +Desc: Linux 4.9.174 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1173_linux-4.9.174.patch b/1173_linux-4.9.174.patch new file mode 100644 index 00000000..076ee1a7 --- /dev/null +++ b/1173_linux-4.9.174.patch @@ -0,0 +1,2517 @@ +diff --git a/Documentation/usb/power-management.txt b/Documentation/usb/power-management.txt +index 0a94ffe17ab6..b13e031beaa6 100644 +--- a/Documentation/usb/power-management.txt ++++ b/Documentation/usb/power-management.txt +@@ -365,11 +365,15 @@ autosuspend the interface's device. When the usage counter is = 0 + then the interface is considered to be idle, and the kernel may + autosuspend the device. + +-Drivers need not be concerned about balancing changes to the usage +-counter; the USB core will undo any remaining "get"s when a driver +-is unbound from its interface. As a corollary, drivers must not call +-any of the usb_autopm_* functions after their disconnect() routine has +-returned. ++Drivers must be careful to balance their overall changes to the usage ++counter. Unbalanced "get"s will remain in effect when a driver is ++unbound from its interface, preventing the device from going into ++runtime suspend should the interface be bound to a driver again. On ++the other hand, drivers are allowed to achieve this balance by calling ++the ``usb_autopm_*`` functions even after their ``disconnect`` routine ++has returned -- say from within a work-queue routine -- provided they ++retain an active reference to the interface (via ``usb_get_intf`` and ++``usb_put_intf``). + + Drivers using the async routines are responsible for their own + synchronization and mutual exclusion. +diff --git a/Makefile b/Makefile +index a4e35453f9e4..f5836837df15 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 173 ++SUBLEVEL = 174 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/arm/mach-iop13xx/setup.c b/arch/arm/mach-iop13xx/setup.c +index 53c316f7301e..fe4932fda01d 100644 +--- a/arch/arm/mach-iop13xx/setup.c ++++ b/arch/arm/mach-iop13xx/setup.c +@@ -300,7 +300,7 @@ static struct resource iop13xx_adma_2_resources[] = { + } + }; + +-static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(64); ++static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(32); + static struct iop_adma_platform_data iop13xx_adma_0_data = { + .hw_id = 0, + .pool_size = PAGE_SIZE, +@@ -324,7 +324,7 @@ static struct platform_device iop13xx_adma_0_channel = { + .resource = iop13xx_adma_0_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_0_data, + }, + }; +@@ -336,7 +336,7 @@ static struct platform_device iop13xx_adma_1_channel = { + .resource = iop13xx_adma_1_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_1_data, + }, + }; +@@ -348,7 +348,7 @@ static struct platform_device iop13xx_adma_2_channel = { + .resource = iop13xx_adma_2_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_2_data, + }, + }; +diff --git a/arch/arm/mach-iop13xx/tpmi.c b/arch/arm/mach-iop13xx/tpmi.c +index db511ec2b1df..116feb6b261e 100644 +--- a/arch/arm/mach-iop13xx/tpmi.c ++++ b/arch/arm/mach-iop13xx/tpmi.c +@@ -152,7 +152,7 @@ static struct resource iop13xx_tpmi_3_resources[] = { + } + }; + +-u64 iop13xx_tpmi_mask = DMA_BIT_MASK(64); ++u64 iop13xx_tpmi_mask = DMA_BIT_MASK(32); + static struct platform_device iop13xx_tpmi_0_device = { + .name = "iop-tpmi", + .id = 0, +@@ -160,7 +160,7 @@ static struct platform_device iop13xx_tpmi_0_device = { + .resource = iop13xx_tpmi_0_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -171,7 +171,7 @@ static struct platform_device iop13xx_tpmi_1_device = { + .resource = iop13xx_tpmi_1_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -182,7 +182,7 @@ static struct platform_device iop13xx_tpmi_2_device = { + .resource = iop13xx_tpmi_2_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -193,7 +193,7 @@ static struct platform_device iop13xx_tpmi_3_device = { + .resource = iop13xx_tpmi_3_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +diff --git a/arch/arm/plat-iop/adma.c b/arch/arm/plat-iop/adma.c +index a4d1f8de3b5b..d9612221e484 100644 +--- a/arch/arm/plat-iop/adma.c ++++ b/arch/arm/plat-iop/adma.c +@@ -143,7 +143,7 @@ struct platform_device iop3xx_dma_0_channel = { + .resource = iop3xx_dma_0_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_dma_0_data, + }, + }; +@@ -155,7 +155,7 @@ struct platform_device iop3xx_dma_1_channel = { + .resource = iop3xx_dma_1_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_dma_1_data, + }, + }; +@@ -167,7 +167,7 @@ struct platform_device iop3xx_aau_channel = { + .resource = iop3xx_aau_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_aau_data, + }, + }; +diff --git a/arch/arm/plat-orion/common.c b/arch/arm/plat-orion/common.c +index 272f49b2c68f..bb29e6ebdc0d 100644 +--- a/arch/arm/plat-orion/common.c ++++ b/arch/arm/plat-orion/common.c +@@ -605,7 +605,7 @@ static struct platform_device orion_xor0_shared = { + .resource = orion_xor0_shared_resources, + .dev = { + .dma_mask = &orion_xor_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = &orion_xor0_pdata, + }, + }; +@@ -666,7 +666,7 @@ static struct platform_device orion_xor1_shared = { + .resource = orion_xor1_shared_resources, + .dev = { + .dma_mask = &orion_xor_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = &orion_xor1_pdata, + }, + }; +diff --git a/arch/arm64/include/asm/system_misc.h b/arch/arm64/include/asm/system_misc.h +index bc812435bc76..d0beefeb6d25 100644 +--- a/arch/arm64/include/asm/system_misc.h ++++ b/arch/arm64/include/asm/system_misc.h +@@ -40,7 +40,7 @@ void hook_debug_fault_code(int nr, int (*fn)(unsigned long, unsigned int, + int sig, int code, const char *name); + + struct mm_struct; +-extern void show_pte(struct mm_struct *mm, unsigned long addr); ++extern void show_pte(unsigned long addr); + extern void __show_regs(struct pt_regs *); + + extern void (*arm_pm_restart)(enum reboot_mode reboot_mode, const char *cmd); +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c +index 051b32084776..575c11a6f9b6 100644 +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -79,18 +79,33 @@ static inline int notify_page_fault(struct pt_regs *regs, unsigned int esr) + #endif + + /* +- * Dump out the page tables associated with 'addr' in mm 'mm'. ++ * Dump out the page tables associated with 'addr' in the currently active mm. + */ +-void show_pte(struct mm_struct *mm, unsigned long addr) ++void show_pte(unsigned long addr) + { ++ struct mm_struct *mm; + pgd_t *pgd; + +- if (!mm) ++ if (addr < TASK_SIZE) { ++ /* TTBR0 */ ++ mm = current->active_mm; ++ if (mm == &init_mm) { ++ pr_alert("[%016lx] user address but active_mm is swapper\n", ++ addr); ++ return; ++ } ++ } else if (addr >= VA_START) { ++ /* TTBR1 */ + mm = &init_mm; ++ } else { ++ pr_alert("[%016lx] address between user and kernel address ranges\n", ++ addr); ++ return; ++ } + + pr_alert("pgd = %p\n", mm->pgd); + pgd = pgd_offset(mm, addr); +- pr_alert("[%08lx] *pgd=%016llx", addr, pgd_val(*pgd)); ++ pr_alert("[%016lx] *pgd=%016llx", addr, pgd_val(*pgd)); + + do { + pud_t *pud; +@@ -176,8 +191,8 @@ static bool is_el1_instruction_abort(unsigned int esr) + /* + * The kernel tried to access some page that wasn't present. + */ +-static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr, +- unsigned int esr, struct pt_regs *regs) ++static void __do_kernel_fault(unsigned long addr, unsigned int esr, ++ struct pt_regs *regs) + { + /* + * Are we prepared to handle this kernel fault? +@@ -194,7 +209,7 @@ static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr, + (addr < PAGE_SIZE) ? "NULL pointer dereference" : + "paging request", addr); + +- show_pte(mm, addr); ++ show_pte(addr); + die("Oops", regs, esr); + bust_spinlocks(0); + do_exit(SIGKILL); +@@ -216,7 +231,6 @@ static void __do_user_fault(struct task_struct *tsk, unsigned long addr, + pr_info("%s[%d]: unhandled %s (%d) at 0x%08lx, esr 0x%03x\n", + tsk->comm, task_pid_nr(tsk), inf->name, sig, + addr, esr); +- show_pte(tsk->mm, addr); + show_regs(regs); + } + +@@ -232,7 +246,6 @@ static void __do_user_fault(struct task_struct *tsk, unsigned long addr, + static void do_bad_area(unsigned long addr, unsigned int esr, struct pt_regs *regs) + { + struct task_struct *tsk = current; +- struct mm_struct *mm = tsk->active_mm; + const struct fault_info *inf; + + /* +@@ -243,7 +256,7 @@ static void do_bad_area(unsigned long addr, unsigned int esr, struct pt_regs *re + inf = esr_to_fault_info(esr); + __do_user_fault(tsk, addr, esr, inf->sig, inf->code, regs); + } else +- __do_kernel_fault(mm, addr, esr, regs); ++ __do_kernel_fault(addr, esr, regs); + } + + #define VM_FAULT_BADMAP 0x010000 +@@ -454,7 +467,7 @@ retry: + return 0; + + no_context: +- __do_kernel_fault(mm, addr, esr, regs); ++ __do_kernel_fault(addr, esr, regs); + return 0; + } + +diff --git a/arch/arm64/mm/kasan_init.c b/arch/arm64/mm/kasan_init.c +index 757009daa9ed..ff43da269fe8 100644 +--- a/arch/arm64/mm/kasan_init.c ++++ b/arch/arm64/mm/kasan_init.c +@@ -153,7 +153,7 @@ void __init kasan_init(void) + clear_pgds(KASAN_SHADOW_START, KASAN_SHADOW_END); + + vmemmap_populate(kimg_shadow_start, kimg_shadow_end, +- pfn_to_nid(virt_to_pfn(_text))); ++ pfn_to_nid(virt_to_pfn(lm_alias(_text)))); + + /* + * vmemmap_populate() has populated the shadow region that covers the +diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S +index 18d96d349a8b..f5fde8d389c9 100644 +--- a/arch/arm64/mm/proc.S ++++ b/arch/arm64/mm/proc.S +@@ -181,7 +181,8 @@ ENDPROC(idmap_cpu_replace_ttbr1) + dc cvac, cur_\()\type\()p // Ensure any existing dirty + dmb sy // lines are written back before + ldr \type, [cur_\()\type\()p] // loading the entry +- tbz \type, #0, next_\()\type // Skip invalid entries ++ tbz \type, #0, skip_\()\type // Skip invalid and ++ tbnz \type, #11, skip_\()\type // non-global entries + .endm + + .macro __idmap_kpti_put_pgtable_ent_ng, type +@@ -241,8 +242,9 @@ ENTRY(idmap_kpti_install_ng_mappings) + add end_pgdp, cur_pgdp, #(PTRS_PER_PGD * 8) + do_pgd: __idmap_kpti_get_pgtable_ent pgd + tbnz pgd, #1, walk_puds +- __idmap_kpti_put_pgtable_ent_ng pgd + next_pgd: ++ __idmap_kpti_put_pgtable_ent_ng pgd ++skip_pgd: + add cur_pgdp, cur_pgdp, #8 + cmp cur_pgdp, end_pgdp + b.ne do_pgd +@@ -270,8 +272,9 @@ walk_puds: + add end_pudp, cur_pudp, #(PTRS_PER_PUD * 8) + do_pud: __idmap_kpti_get_pgtable_ent pud + tbnz pud, #1, walk_pmds +- __idmap_kpti_put_pgtable_ent_ng pud + next_pud: ++ __idmap_kpti_put_pgtable_ent_ng pud ++skip_pud: + add cur_pudp, cur_pudp, 8 + cmp cur_pudp, end_pudp + b.ne do_pud +@@ -290,8 +293,9 @@ walk_pmds: + add end_pmdp, cur_pmdp, #(PTRS_PER_PMD * 8) + do_pmd: __idmap_kpti_get_pgtable_ent pmd + tbnz pmd, #1, walk_ptes +- __idmap_kpti_put_pgtable_ent_ng pmd + next_pmd: ++ __idmap_kpti_put_pgtable_ent_ng pmd ++skip_pmd: + add cur_pmdp, cur_pmdp, #8 + cmp cur_pmdp, end_pmdp + b.ne do_pmd +@@ -309,7 +313,7 @@ walk_ptes: + add end_ptep, cur_ptep, #(PTRS_PER_PTE * 8) + do_pte: __idmap_kpti_get_pgtable_ent pte + __idmap_kpti_put_pgtable_ent_ng pte +-next_pte: ++skip_pte: + add cur_ptep, cur_ptep, #8 + cmp cur_ptep, end_ptep + b.ne do_pte +diff --git a/arch/sh/boards/of-generic.c b/arch/sh/boards/of-generic.c +index 1fb6d5714bae..fd00566677c9 100644 +--- a/arch/sh/boards/of-generic.c ++++ b/arch/sh/boards/of-generic.c +@@ -180,10 +180,10 @@ static struct sh_machine_vector __initmv sh_of_generic_mv = { + + struct sh_clk_ops; + +-void __init arch_init_clk_ops(struct sh_clk_ops **ops, int idx) ++void __init __weak arch_init_clk_ops(struct sh_clk_ops **ops, int idx) + { + } + +-void __init plat_irq_setup(void) ++void __init __weak plat_irq_setup(void) + { + } +diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c +index de050d5a4506..00b56cc69d37 100644 +--- a/arch/x86/events/amd/core.c ++++ b/arch/x86/events/amd/core.c +@@ -112,6 +112,110 @@ static __initconst const u64 amd_hw_cache_event_ids + }, + }; + ++static __initconst const u64 amd_hw_cache_event_ids_f17h ++ [PERF_COUNT_HW_CACHE_MAX] ++ [PERF_COUNT_HW_CACHE_OP_MAX] ++ [PERF_COUNT_HW_CACHE_RESULT_MAX] = { ++[C(L1D)] = { ++ [C(OP_READ)] = { ++ [C(RESULT_ACCESS)] = 0x0040, /* Data Cache Accesses */ ++ [C(RESULT_MISS)] = 0xc860, /* L2$ access from DC Miss */ ++ }, ++ [C(OP_WRITE)] = { ++ [C(RESULT_ACCESS)] = 0, ++ [C(RESULT_MISS)] = 0, ++ }, ++ [C(OP_PREFETCH)] = { ++ [C(RESULT_ACCESS)] = 0xff5a, /* h/w prefetch DC Fills */ ++ [C(RESULT_MISS)] = 0, ++ }, ++}, ++[C(L1I)] = { ++ [C(OP_READ)] = { ++ [C(RESULT_ACCESS)] = 0x0080, /* Instruction cache fetches */ ++ [C(RESULT_MISS)] = 0x0081, /* Instruction cache misses */ ++ }, ++ [C(OP_WRITE)] = { ++ [C(RESULT_ACCESS)] = -1, ++ [C(RESULT_MISS)] = -1, ++ }, ++ [C(OP_PREFETCH)] = { ++ [C(RESULT_ACCESS)] = 0, ++ [C(RESULT_MISS)] = 0, ++ }, ++}, ++[C(LL)] = { ++ [C(OP_READ)] = { ++ [C(RESULT_ACCESS)] = 0, ++ [C(RESULT_MISS)] = 0, ++ }, ++ [C(OP_WRITE)] = { ++ [C(RESULT_ACCESS)] = 0, ++ [C(RESULT_MISS)] = 0, ++ }, ++ [C(OP_PREFETCH)] = { ++ [C(RESULT_ACCESS)] = 0, ++ [C(RESULT_MISS)] = 0, ++ }, ++}, ++[C(DTLB)] = { ++ [C(OP_READ)] = { ++ [C(RESULT_ACCESS)] = 0xff45, /* All L2 DTLB accesses */ ++ [C(RESULT_MISS)] = 0xf045, /* L2 DTLB misses (PT walks) */ ++ }, ++ [C(OP_WRITE)] = { ++ [C(RESULT_ACCESS)] = 0, ++ [C(RESULT_MISS)] = 0, ++ }, ++ [C(OP_PREFETCH)] = { ++ [C(RESULT_ACCESS)] = 0, ++ [C(RESULT_MISS)] = 0, ++ }, ++}, ++[C(ITLB)] = { ++ [C(OP_READ)] = { ++ [C(RESULT_ACCESS)] = 0x0084, /* L1 ITLB misses, L2 ITLB hits */ ++ [C(RESULT_MISS)] = 0xff85, /* L1 ITLB misses, L2 misses */ ++ }, ++ [C(OP_WRITE)] = { ++ [C(RESULT_ACCESS)] = -1, ++ [C(RESULT_MISS)] = -1, ++ }, ++ [C(OP_PREFETCH)] = { ++ [C(RESULT_ACCESS)] = -1, ++ [C(RESULT_MISS)] = -1, ++ }, ++}, ++[C(BPU)] = { ++ [C(OP_READ)] = { ++ [C(RESULT_ACCESS)] = 0x00c2, /* Retired Branch Instr. */ ++ [C(RESULT_MISS)] = 0x00c3, /* Retired Mispredicted BI */ ++ }, ++ [C(OP_WRITE)] = { ++ [C(RESULT_ACCESS)] = -1, ++ [C(RESULT_MISS)] = -1, ++ }, ++ [C(OP_PREFETCH)] = { ++ [C(RESULT_ACCESS)] = -1, ++ [C(RESULT_MISS)] = -1, ++ }, ++}, ++[C(NODE)] = { ++ [C(OP_READ)] = { ++ [C(RESULT_ACCESS)] = 0, ++ [C(RESULT_MISS)] = 0, ++ }, ++ [C(OP_WRITE)] = { ++ [C(RESULT_ACCESS)] = -1, ++ [C(RESULT_MISS)] = -1, ++ }, ++ [C(OP_PREFETCH)] = { ++ [C(RESULT_ACCESS)] = -1, ++ [C(RESULT_MISS)] = -1, ++ }, ++}, ++}; ++ + /* + * AMD Performance Monitor K7 and later, up to and including Family 16h: + */ +@@ -731,9 +835,10 @@ __init int amd_pmu_init(void) + x86_pmu.amd_nb_constraints = 0; + } + +- /* Events are common for all AMDs */ +- memcpy(hw_cache_event_ids, amd_hw_cache_event_ids, +- sizeof(hw_cache_event_ids)); ++ if (boot_cpu_data.x86 >= 0x17) ++ memcpy(hw_cache_event_ids, amd_hw_cache_event_ids_f17h, sizeof(hw_cache_event_ids)); ++ else ++ memcpy(hw_cache_event_ids, amd_hw_cache_event_ids, sizeof(hw_cache_event_ids)); + + return 0; + } +diff --git a/arch/x86/include/asm/stacktrace.h b/arch/x86/include/asm/stacktrace.h +index 37f2e0b377ad..4141ead86879 100644 +--- a/arch/x86/include/asm/stacktrace.h ++++ b/arch/x86/include/asm/stacktrace.h +@@ -55,13 +55,16 @@ extern int kstack_depth_to_print; + static inline unsigned long * + get_frame_pointer(struct task_struct *task, struct pt_regs *regs) + { ++ struct inactive_task_frame *frame; ++ + if (regs) + return (unsigned long *)regs->bp; + + if (task == current) + return __builtin_frame_address(0); + +- return (unsigned long *)((struct inactive_task_frame *)task->thread.sp)->bp; ++ frame = (struct inactive_task_frame *)task->thread.sp; ++ return (unsigned long *)READ_ONCE_NOCHECK(frame->bp); + } + #else + static inline unsigned long * +diff --git a/arch/x86/kernel/acpi/wakeup_64.S b/arch/x86/kernel/acpi/wakeup_64.S +index 169963f471bb..50b8ed0317a3 100644 +--- a/arch/x86/kernel/acpi/wakeup_64.S ++++ b/arch/x86/kernel/acpi/wakeup_64.S +@@ -109,6 +109,15 @@ ENTRY(do_suspend_lowlevel) + movq pt_regs_r14(%rax), %r14 + movq pt_regs_r15(%rax), %r15 + ++#ifdef CONFIG_KASAN ++ /* ++ * The suspend path may have poisoned some areas deeper in the stack, ++ * which we now need to unpoison. ++ */ ++ movq %rsp, %rdi ++ call kasan_unpoison_task_stack_below ++#endif ++ + xorl %eax, %eax + addq $8, %rsp + FRAME_END +diff --git a/arch/x86/kernel/cpu/mcheck/mce-severity.c b/arch/x86/kernel/cpu/mcheck/mce-severity.c +index 3e0199ee5a2f..0372913e0134 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce-severity.c ++++ b/arch/x86/kernel/cpu/mcheck/mce-severity.c +@@ -148,6 +148,11 @@ static struct severity { + SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_DATA), + KERNEL + ), ++ MCESEV( ++ PANIC, "Instruction fetch error in kernel", ++ SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_INSTR), ++ KERNEL ++ ), + #endif + MCESEV( + PANIC, "Action required: unknown MCACOD", +diff --git a/arch/x86/kernel/unwind_frame.c b/arch/x86/kernel/unwind_frame.c +index a2456d4d286a..9b8b3cb2e934 100644 +--- a/arch/x86/kernel/unwind_frame.c ++++ b/arch/x86/kernel/unwind_frame.c +@@ -6,6 +6,21 @@ + + #define FRAME_HEADER_SIZE (sizeof(long) * 2) + ++/* ++ * This disables KASAN checking when reading a value from another task's stack, ++ * since the other task could be running on another CPU and could have poisoned ++ * the stack in the meantime. ++ */ ++#define READ_ONCE_TASK_STACK(task, x) \ ++({ \ ++ unsigned long val; \ ++ if (task == current) \ ++ val = READ_ONCE(x); \ ++ else \ ++ val = READ_ONCE_NOCHECK(x); \ ++ val; \ ++}) ++ + unsigned long unwind_get_return_address(struct unwind_state *state) + { + unsigned long addr; +@@ -14,7 +29,8 @@ unsigned long unwind_get_return_address(struct unwind_state *state) + if (unwind_done(state)) + return 0; + +- addr = ftrace_graph_ret_addr(state->task, &state->graph_idx, *addr_p, ++ addr = READ_ONCE_TASK_STACK(state->task, *addr_p); ++ addr = ftrace_graph_ret_addr(state->task, &state->graph_idx, addr, + addr_p); + + return __kernel_text_address(addr) ? addr : 0; +@@ -48,7 +64,7 @@ bool unwind_next_frame(struct unwind_state *state) + if (unwind_done(state)) + return false; + +- next_bp = (unsigned long *)*state->bp; ++ next_bp = (unsigned long *)READ_ONCE_TASK_STACK(state->task,*state->bp); + + /* make sure the next frame's data is accessible */ + if (!update_stack_state(state, next_bp, FRAME_HEADER_SIZE)) +diff --git a/drivers/block/xsysace.c b/drivers/block/xsysace.c +index c4328d9d9981..f838119d12b2 100644 +--- a/drivers/block/xsysace.c ++++ b/drivers/block/xsysace.c +@@ -1062,6 +1062,8 @@ static int ace_setup(struct ace_device *ace) + return 0; + + err_read: ++ /* prevent double queue cleanup */ ++ ace->gd->queue = NULL; + put_disk(ace->gd); + err_alloc_disk: + blk_cleanup_queue(ace->queue); +diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c +index d7179dd3c9ef..3cafa1d28fed 100644 +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -1058,10 +1058,15 @@ static int hid_debug_rdesc_show(struct seq_file *f, void *p) + seq_printf(f, "\n\n"); + + /* dump parsed data and input mappings */ ++ if (down_interruptible(&hdev->driver_input_lock)) ++ return 0; ++ + hid_dump_device(hdev, f); + seq_printf(f, "\n"); + hid_dump_input_mapping(hdev, f); + ++ up(&hdev->driver_input_lock); ++ + return 0; + } + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index 2e2515a4c070..3198faf5cff4 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -1282,6 +1282,13 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 feature_index) + kfree(data); + return -ENOMEM; + } ++ data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue"); ++ if (!data->wq) { ++ kfree(data->effect_ids); ++ kfree(data); ++ return -ENOMEM; ++ } ++ + data->hidpp = hidpp; + data->feature_index = feature_index; + data->version = version; +@@ -1326,7 +1333,6 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 feature_index) + /* ignore boost value at response.fap.params[2] */ + + /* init the hardware command queue */ +- data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue"); + atomic_set(&data->workqueue_size, 0); + + /* initialize with zero autocenter to get wheel in usable state */ +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index 2a44a2c3e859..6914cc18b4a1 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -2368,8 +2368,19 @@ static void srpt_queue_tm_rsp(struct se_cmd *cmd) + srpt_queue_response(cmd); + } + ++/* ++ * This function is called for aborted commands if no response is sent to the ++ * initiator. Make sure that the credits freed by aborting a command are ++ * returned to the initiator the next time a response is sent by incrementing ++ * ch->req_lim_delta. ++ */ + static void srpt_aborted_task(struct se_cmd *cmd) + { ++ struct srpt_send_ioctx *ioctx = container_of(cmd, ++ struct srpt_send_ioctx, cmd); ++ struct srpt_rdma_ch *ch = ioctx->ch; ++ ++ atomic_inc(&ch->req_lim_delta); + } + + static int srpt_queue_status(struct se_cmd *cmd) +diff --git a/drivers/input/keyboard/snvs_pwrkey.c b/drivers/input/keyboard/snvs_pwrkey.c +index 7544888c4749..b8dbde746b4e 100644 +--- a/drivers/input/keyboard/snvs_pwrkey.c ++++ b/drivers/input/keyboard/snvs_pwrkey.c +@@ -156,6 +156,9 @@ static int imx_snvs_pwrkey_probe(struct platform_device *pdev) + return error; + } + ++ pdata->input = input; ++ platform_set_drvdata(pdev, pdata); ++ + error = devm_request_irq(&pdev->dev, pdata->irq, + imx_snvs_pwrkey_interrupt, + 0, pdev->name, pdev); +@@ -171,9 +174,6 @@ static int imx_snvs_pwrkey_probe(struct platform_device *pdev) + return error; + } + +- pdata->input = input; +- platform_set_drvdata(pdev, pdata); +- + device_init_wakeup(&pdev->dev, pdata->wakeup); + + return 0; +diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c +index 56cfb5ca9c95..0a72228734ae 100644 +--- a/drivers/media/i2c/ov7670.c ++++ b/drivers/media/i2c/ov7670.c +@@ -155,10 +155,10 @@ MODULE_PARM_DESC(debug, "Debug level (0-1)"); + #define REG_GFIX 0x69 /* Fix gain control */ + + #define REG_DBLV 0x6b /* PLL control an debugging */ +-#define DBLV_BYPASS 0x00 /* Bypass PLL */ +-#define DBLV_X4 0x01 /* clock x4 */ +-#define DBLV_X6 0x10 /* clock x6 */ +-#define DBLV_X8 0x11 /* clock x8 */ ++#define DBLV_BYPASS 0x0a /* Bypass PLL */ ++#define DBLV_X4 0x4a /* clock x4 */ ++#define DBLV_X6 0x8a /* clock x6 */ ++#define DBLV_X8 0xca /* clock x8 */ + + #define REG_REG76 0x76 /* OV's name */ + #define R76_BLKPCOR 0x80 /* Black pixel correction enable */ +@@ -833,7 +833,7 @@ static int ov7675_set_framerate(struct v4l2_subdev *sd, + if (ret < 0) + return ret; + +- return ov7670_write(sd, REG_DBLV, DBLV_X4); ++ return 0; + } + + static void ov7670_get_framerate_legacy(struct v4l2_subdev *sd, +@@ -1578,11 +1578,7 @@ static int ov7670_probe(struct i2c_client *client, + if (config->clock_speed) + info->clock_speed = config->clock_speed; + +- /* +- * It should be allowed for ov7670 too when it is migrated to +- * the new frame rate formula. +- */ +- if (config->pll_bypass && id->driver_data != MODEL_OV7670) ++ if (config->pll_bypass) + info->pll_bypass = true; + + if (config->pclk_hb_disable) +diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c +index 7d16c51e6913..641a532b67cb 100644 +--- a/drivers/net/bonding/bond_sysfs_slave.c ++++ b/drivers/net/bonding/bond_sysfs_slave.c +@@ -55,7 +55,9 @@ static SLAVE_ATTR_RO(link_failure_count); + + static ssize_t perm_hwaddr_show(struct slave *slave, char *buf) + { +- return sprintf(buf, "%pM\n", slave->perm_hwaddr); ++ return sprintf(buf, "%*phC\n", ++ slave->dev->addr_len, ++ slave->perm_hwaddr); + } + static SLAVE_ATTR_RO(perm_hwaddr); + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 45ea2718c65d..620a470eb4c8 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -5954,8 +5954,15 @@ static int bnxt_cfg_rx_mode(struct bnxt *bp) + + skip_uc: + rc = bnxt_hwrm_cfa_l2_set_rx_mask(bp, 0); ++ if (rc && vnic->mc_list_count) { ++ netdev_info(bp->dev, "Failed setting MC filters rc: %d, turning on ALL_MCAST mode\n", ++ rc); ++ vnic->rx_mask |= CFA_L2_SET_RX_MASK_REQ_MASK_ALL_MCAST; ++ vnic->mc_list_count = 0; ++ rc = bnxt_hwrm_cfa_l2_set_rx_mask(bp, 0); ++ } + if (rc) +- netdev_err(bp->dev, "HWRM cfa l2 rx mask failure rc: %x\n", ++ netdev_err(bp->dev, "HWRM cfa l2 rx mask failure rc: %d\n", + rc); + + return rc; +diff --git a/drivers/net/ethernet/hisilicon/hns/hnae.c b/drivers/net/ethernet/hisilicon/hns/hnae.c +index 06bc8638501e..66e7a5fd4249 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hnae.c ++++ b/drivers/net/ethernet/hisilicon/hns/hnae.c +@@ -146,7 +146,6 @@ out_buffer_fail: + /* free desc along with its attached buffer */ + static void hnae_free_desc(struct hnae_ring *ring) + { +- hnae_free_buffers(ring); + dma_unmap_single(ring_to_dev(ring), ring->desc_dma_addr, + ring->desc_num * sizeof(ring->desc[0]), + ring_to_dma_dir(ring)); +@@ -179,6 +178,9 @@ static int hnae_alloc_desc(struct hnae_ring *ring) + /* fini ring, also free the buffer for the ring */ + static void hnae_fini_ring(struct hnae_ring *ring) + { ++ if (is_rx_ring(ring)) ++ hnae_free_buffers(ring); ++ + hnae_free_desc(ring); + kfree(ring->desc_cb); + ring->desc_cb = NULL; +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +index ad8681cf5ef0..24a815997ec5 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -28,9 +28,6 @@ + + #define SERVICE_TIMER_HZ (1 * HZ) + +-#define NIC_TX_CLEAN_MAX_NUM 256 +-#define NIC_RX_CLEAN_MAX_NUM 64 +- + #define RCB_IRQ_NOT_INITED 0 + #define RCB_IRQ_INITED 1 + #define HNS_BUFFER_SIZE_2048 2048 +@@ -375,8 +372,6 @@ netdev_tx_t hns_nic_net_xmit_hw(struct net_device *ndev, + wmb(); /* commit all data before submit */ + assert(skb->queue_mapping < priv->ae_handle->q_num); + hnae_queue_xmit(priv->ae_handle->qs[skb->queue_mapping], buf_num); +- ring->stats.tx_pkts++; +- ring->stats.tx_bytes += skb->len; + + return NETDEV_TX_OK; + +@@ -916,6 +911,9 @@ static int hns_nic_tx_poll_one(struct hns_nic_ring_data *ring_data, + /* issue prefetch for next Tx descriptor */ + prefetch(&ring->desc_cb[ring->next_to_clean]); + } ++ /* update tx ring statistics. */ ++ ring->stats.tx_pkts += pkts; ++ ring->stats.tx_bytes += bytes; + + NETIF_TX_UNLOCK(ndev); + +@@ -1821,7 +1819,7 @@ static int hns_nic_init_ring_data(struct hns_nic_priv *priv) + hns_nic_tx_fini_pro_v2; + + netif_napi_add(priv->netdev, &rd->napi, +- hns_nic_common_poll, NIC_TX_CLEAN_MAX_NUM); ++ hns_nic_common_poll, NAPI_POLL_WEIGHT); + rd->ring->irq_init_flag = RCB_IRQ_NOT_INITED; + } + for (i = h->q_num; i < h->q_num * 2; i++) { +@@ -1834,7 +1832,7 @@ static int hns_nic_init_ring_data(struct hns_nic_priv *priv) + hns_nic_rx_fini_pro_v2; + + netif_napi_add(priv->netdev, &rd->napi, +- hns_nic_common_poll, NIC_RX_CLEAN_MAX_NUM); ++ hns_nic_common_poll, NAPI_POLL_WEIGHT); + rd->ring->irq_init_flag = RCB_IRQ_NOT_INITED; + } + +diff --git a/drivers/net/ethernet/intel/igb/e1000_defines.h b/drivers/net/ethernet/intel/igb/e1000_defines.h +index 2688180a7acd..f948eec7b35f 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_defines.h ++++ b/drivers/net/ethernet/intel/igb/e1000_defines.h +@@ -193,6 +193,8 @@ + /* enable link status from external LINK_0 and LINK_1 pins */ + #define E1000_CTRL_SWDPIN0 0x00040000 /* SWDPIN 0 value */ + #define E1000_CTRL_SWDPIN1 0x00080000 /* SWDPIN 1 value */ ++#define E1000_CTRL_ADVD3WUC 0x00100000 /* D3 WUC */ ++#define E1000_CTRL_EN_PHY_PWR_MGMT 0x00200000 /* PHY PM enable */ + #define E1000_CTRL_SDP0_DIR 0x00400000 /* SDP0 Data direction */ + #define E1000_CTRL_SDP1_DIR 0x00800000 /* SDP1 Data direction */ + #define E1000_CTRL_RST 0x04000000 /* Global reset */ +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 82e48e355fb9..7956176c2c73 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -7548,9 +7548,7 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + struct e1000_hw *hw = &adapter->hw; + u32 ctrl, rctl, status; + u32 wufc = runtime ? E1000_WUFC_LNKC : adapter->wol; +-#ifdef CONFIG_PM +- int retval = 0; +-#endif ++ bool wake; + + rtnl_lock(); + netif_device_detach(netdev); +@@ -7563,14 +7561,6 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + igb_clear_interrupt_scheme(adapter); + rtnl_unlock(); + +-#ifdef CONFIG_PM +- if (!runtime) { +- retval = pci_save_state(pdev); +- if (retval) +- return retval; +- } +-#endif +- + status = rd32(E1000_STATUS); + if (status & E1000_STATUS_LU) + wufc &= ~E1000_WUFC_LNKC; +@@ -7587,10 +7577,6 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + } + + ctrl = rd32(E1000_CTRL); +- /* advertise wake from D3Cold */ +- #define E1000_CTRL_ADVD3WUC 0x00100000 +- /* phy power management enable */ +- #define E1000_CTRL_EN_PHY_PWR_MGMT 0x00200000 + ctrl |= E1000_CTRL_ADVD3WUC; + wr32(E1000_CTRL, ctrl); + +@@ -7604,12 +7590,15 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + wr32(E1000_WUFC, 0); + } + +- *enable_wake = wufc || adapter->en_mng_pt; +- if (!*enable_wake) ++ wake = wufc || adapter->en_mng_pt; ++ if (!wake) + igb_power_down_link(adapter); + else + igb_power_up_link(adapter); + ++ if (enable_wake) ++ *enable_wake = wake; ++ + /* Release control of h/w to f/w. If f/w is AMT enabled, this + * would have already happened in close and is redundant. + */ +@@ -7624,22 +7613,7 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + #ifdef CONFIG_PM_SLEEP + static int igb_suspend(struct device *dev) + { +- int retval; +- bool wake; +- struct pci_dev *pdev = to_pci_dev(dev); +- +- retval = __igb_shutdown(pdev, &wake, 0); +- if (retval) +- return retval; +- +- if (wake) { +- pci_prepare_to_sleep(pdev); +- } else { +- pci_wake_from_d3(pdev, false); +- pci_set_power_state(pdev, PCI_D3hot); +- } +- +- return 0; ++ return __igb_shutdown(to_pci_dev(dev), NULL, 0); + } + #endif /* CONFIG_PM_SLEEP */ + +@@ -7707,22 +7681,7 @@ static int igb_runtime_idle(struct device *dev) + + static int igb_runtime_suspend(struct device *dev) + { +- struct pci_dev *pdev = to_pci_dev(dev); +- int retval; +- bool wake; +- +- retval = __igb_shutdown(pdev, &wake, 1); +- if (retval) +- return retval; +- +- if (wake) { +- pci_prepare_to_sleep(pdev); +- } else { +- pci_wake_from_d3(pdev, false); +- pci_set_power_state(pdev, PCI_D3hot); +- } +- +- return 0; ++ return __igb_shutdown(to_pci_dev(dev), NULL, 1); + } + + static int igb_runtime_resume(struct device *dev) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index da9246f6c31e..d1a3a35ba87b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -92,8 +92,7 @@ static int arm_vport_context_events_cmd(struct mlx5_core_dev *dev, u16 vport, + opcode, MLX5_CMD_OP_MODIFY_NIC_VPORT_CONTEXT); + MLX5_SET(modify_nic_vport_context_in, in, field_select.change_event, 1); + MLX5_SET(modify_nic_vport_context_in, in, vport_number, vport); +- if (vport) +- MLX5_SET(modify_nic_vport_context_in, in, other_vport, 1); ++ MLX5_SET(modify_nic_vport_context_in, in, other_vport, 1); + nic_vport_ctx = MLX5_ADDR_OF(modify_nic_vport_context_in, + in, nic_vport_context); + +@@ -121,8 +120,7 @@ static int modify_esw_vport_context_cmd(struct mlx5_core_dev *dev, u16 vport, + MLX5_SET(modify_esw_vport_context_in, in, opcode, + MLX5_CMD_OP_MODIFY_ESW_VPORT_CONTEXT); + MLX5_SET(modify_esw_vport_context_in, in, vport_number, vport); +- if (vport) +- MLX5_SET(modify_esw_vport_context_in, in, other_vport, 1); ++ MLX5_SET(modify_esw_vport_context_in, in, other_vport, 1); + return mlx5_cmd_exec(dev, in, inlen, out, sizeof(out)); + } + +diff --git a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c +index ce97e522566a..77dc5842bd0b 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c +@@ -205,6 +205,11 @@ static int enh_desc_get_rx_status(void *data, struct stmmac_extra_stats *x, + if (unlikely(rdes0 & RDES0_OWN)) + return dma_own; + ++ if (unlikely(!(rdes0 & RDES0_LAST_DESCRIPTOR))) { ++ stats->rx_length_errors++; ++ return discard_frame; ++ } ++ + if (unlikely(rdes0 & RDES0_ERROR_SUMMARY)) { + if (unlikely(rdes0 & RDES0_DESCRIPTOR_ERROR)) { + x->rx_desc++; +@@ -235,9 +240,10 @@ static int enh_desc_get_rx_status(void *data, struct stmmac_extra_stats *x, + * It doesn't match with the information reported into the databook. + * At any rate, we need to understand if the CSUM hw computation is ok + * and report this info to the upper layers. */ +- ret = enh_desc_coe_rdes0(!!(rdes0 & RDES0_IPC_CSUM_ERROR), +- !!(rdes0 & RDES0_FRAME_TYPE), +- !!(rdes0 & ERDES0_RX_MAC_ADDR)); ++ if (likely(ret == good_frame)) ++ ret = enh_desc_coe_rdes0(!!(rdes0 & RDES0_IPC_CSUM_ERROR), ++ !!(rdes0 & RDES0_FRAME_TYPE), ++ !!(rdes0 & ERDES0_RX_MAC_ADDR)); + + if (unlikely(rdes0 & RDES0_DRIBBLING)) + x->dribbling_bit++; +diff --git a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c +index fd78406e2e9a..01f8f2e94c0f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c +@@ -95,8 +95,6 @@ static int ndesc_get_rx_status(void *data, struct stmmac_extra_stats *x, + return dma_own; + + if (unlikely(!(rdes0 & RDES0_LAST_DESCRIPTOR))) { +- pr_warn("%s: Oversized frame spanned multiple buffers\n", +- __func__); + stats->rx_length_errors++; + return discard_frame; + } +diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c +index 520352327104..77357b07f6c9 100644 +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -1429,9 +1429,10 @@ static int marvell_get_sset_count(struct phy_device *phydev) + + static void marvell_get_strings(struct phy_device *phydev, u8 *data) + { ++ int count = marvell_get_sset_count(phydev); + int i; + +- for (i = 0; i < ARRAY_SIZE(marvell_hw_stats); i++) { ++ for (i = 0; i < count; i++) { + memcpy(data + i * ETH_GSTRING_LEN, + marvell_hw_stats[i].string, ETH_GSTRING_LEN); + } +@@ -1470,9 +1471,10 @@ static u64 marvell_get_stat(struct phy_device *phydev, int i) + static void marvell_get_stats(struct phy_device *phydev, + struct ethtool_stats *stats, u64 *data) + { ++ int count = marvell_get_sset_count(phydev); + int i; + +- for (i = 0; i < ARRAY_SIZE(marvell_hw_stats); i++) ++ for (i = 0; i < count; i++) + data[i] = marvell_get_stat(phydev, i); + } + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index f12753eb3216..96ea6c76be6e 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -709,6 +709,15 @@ bool nvmet_host_allowed(struct nvmet_req *req, struct nvmet_subsys *subsys, + return __nvmet_host_allowed(subsys, hostnqn); + } + ++static void nvmet_fatal_error_handler(struct work_struct *work) ++{ ++ struct nvmet_ctrl *ctrl = ++ container_of(work, struct nvmet_ctrl, fatal_err_work); ++ ++ pr_err("ctrl %d fatal error occurred!\n", ctrl->cntlid); ++ ctrl->ops->delete_ctrl(ctrl); ++} ++ + u16 nvmet_alloc_ctrl(const char *subsysnqn, const char *hostnqn, + struct nvmet_req *req, u32 kato, struct nvmet_ctrl **ctrlp) + { +@@ -747,6 +756,7 @@ u16 nvmet_alloc_ctrl(const char *subsysnqn, const char *hostnqn, + + INIT_WORK(&ctrl->async_event_work, nvmet_async_event_work); + INIT_LIST_HEAD(&ctrl->async_events); ++ INIT_WORK(&ctrl->fatal_err_work, nvmet_fatal_error_handler); + + memcpy(ctrl->subsysnqn, subsysnqn, NVMF_NQN_SIZE); + memcpy(ctrl->hostnqn, hostnqn, NVMF_NQN_SIZE); +@@ -849,21 +859,11 @@ void nvmet_ctrl_put(struct nvmet_ctrl *ctrl) + kref_put(&ctrl->ref, nvmet_ctrl_free); + } + +-static void nvmet_fatal_error_handler(struct work_struct *work) +-{ +- struct nvmet_ctrl *ctrl = +- container_of(work, struct nvmet_ctrl, fatal_err_work); +- +- pr_err("ctrl %d fatal error occurred!\n", ctrl->cntlid); +- ctrl->ops->delete_ctrl(ctrl); +-} +- + void nvmet_ctrl_fatal_error(struct nvmet_ctrl *ctrl) + { + mutex_lock(&ctrl->lock); + if (!(ctrl->csts & NVME_CSTS_CFS)) { + ctrl->csts |= NVME_CSTS_CFS; +- INIT_WORK(&ctrl->fatal_err_work, nvmet_fatal_error_handler); + schedule_work(&ctrl->fatal_err_work); + } + mutex_unlock(&ctrl->lock); +diff --git a/drivers/rtc/rtc-da9063.c b/drivers/rtc/rtc-da9063.c +index f85cae240f12..7e92e491c2e7 100644 +--- a/drivers/rtc/rtc-da9063.c ++++ b/drivers/rtc/rtc-da9063.c +@@ -480,6 +480,13 @@ static int da9063_rtc_probe(struct platform_device *pdev) + da9063_data_to_tm(data, &rtc->alarm_time, rtc); + rtc->rtc_sync = false; + ++ /* ++ * TODO: some models have alarms on a minute boundary but still support ++ * real hardware interrupts. Add this once the core supports it. ++ */ ++ if (config->rtc_data_start != RTC_SEC) ++ rtc->rtc_dev->uie_unsupported = 1; ++ + irq_alarm = platform_get_irq_byname(pdev, "ALARM"); + ret = devm_request_threaded_irq(&pdev->dev, irq_alarm, NULL, + da9063_alarm_event, +diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c +index 17b6235d67a5..600fb7f93939 100644 +--- a/drivers/rtc/rtc-sh.c ++++ b/drivers/rtc/rtc-sh.c +@@ -454,7 +454,7 @@ static int sh_rtc_set_time(struct device *dev, struct rtc_time *tm) + static inline int sh_rtc_read_alarm_value(struct sh_rtc *rtc, int reg_off) + { + unsigned int byte; +- int value = 0xff; /* return 0xff for ignored values */ ++ int value = -1; /* return -1 for ignored values */ + + byte = readb(rtc->regbase + reg_off); + if (byte & AR_ENB) { +diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c +index 282ea00d0f87..9d555b63d2e2 100644 +--- a/drivers/scsi/scsi_devinfo.c ++++ b/drivers/scsi/scsi_devinfo.c +@@ -249,6 +249,7 @@ static struct { + {"NETAPP", "Universal Xport", "*", BLIST_NO_ULD_ATTACH}, + {"LSI", "Universal Xport", "*", BLIST_NO_ULD_ATTACH}, + {"ENGENIO", "Universal Xport", "*", BLIST_NO_ULD_ATTACH}, ++ {"LENOVO", "Universal Xport", "*", BLIST_NO_ULD_ATTACH}, + {"SMSC", "USB 2 HS-CF", NULL, BLIST_SPARSELUN | BLIST_INQUIRY_36}, + {"SONY", "CD-ROM CDU-8001", NULL, BLIST_BORKEN}, + {"SONY", "TSL", NULL, BLIST_FORCELUN}, /* DDS3 & DDS4 autoloaders */ +diff --git a/drivers/scsi/scsi_dh.c b/drivers/scsi/scsi_dh.c +index 375cede0c534..c9bc6f058424 100644 +--- a/drivers/scsi/scsi_dh.c ++++ b/drivers/scsi/scsi_dh.c +@@ -75,6 +75,7 @@ static const struct scsi_dh_blist scsi_dh_blist[] = { + {"NETAPP", "INF-01-00", "rdac", }, + {"LSI", "INF-01-00", "rdac", }, + {"ENGENIO", "INF-01-00", "rdac", }, ++ {"LENOVO", "DE_Series", "rdac", }, + {NULL, NULL, NULL }, + }; + +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index d92b2808d191..6df34d68737f 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -641,13 +641,22 @@ static void handle_sc_creation(struct vmbus_channel *new_sc) + static void handle_multichannel_storage(struct hv_device *device, int max_chns) + { + struct storvsc_device *stor_device; +- int num_cpus = num_online_cpus(); + int num_sc; + struct storvsc_cmd_request *request; + struct vstor_packet *vstor_packet; + int ret, t; + +- num_sc = ((max_chns > num_cpus) ? num_cpus : max_chns); ++ /* ++ * If the number of CPUs is artificially restricted, such as ++ * with maxcpus=1 on the kernel boot line, Hyper-V could offer ++ * sub-channels >= the number of CPUs. These sub-channels ++ * should not be created. The primary channel is already created ++ * and assigned to one CPU, so check against # CPUs - 1. ++ */ ++ num_sc = min((int)(num_online_cpus() - 1), max_chns); ++ if (!num_sc) ++ return; ++ + stor_device = get_out_stor_device(device); + if (!stor_device) + return; +diff --git a/drivers/staging/iio/addac/adt7316.c b/drivers/staging/iio/addac/adt7316.c +index 3faffe59c933..95f5be1cd498 100644 +--- a/drivers/staging/iio/addac/adt7316.c ++++ b/drivers/staging/iio/addac/adt7316.c +@@ -47,6 +47,8 @@ + #define ADT7516_MSB_AIN3 0xA + #define ADT7516_MSB_AIN4 0xB + #define ADT7316_DA_DATA_BASE 0x10 ++#define ADT7316_DA_10_BIT_LSB_SHIFT 6 ++#define ADT7316_DA_12_BIT_LSB_SHIFT 4 + #define ADT7316_DA_MSB_DATA_REGS 4 + #define ADT7316_LSB_DAC_A 0x10 + #define ADT7316_MSB_DAC_A 0x11 +@@ -1089,7 +1091,7 @@ static ssize_t adt7316_store_DAC_internal_Vref(struct device *dev, + ldac_config = chip->ldac_config & (~ADT7516_DAC_IN_VREF_MASK); + if (data & 0x1) + ldac_config |= ADT7516_DAC_AB_IN_VREF; +- else if (data & 0x2) ++ if (data & 0x2) + ldac_config |= ADT7516_DAC_CD_IN_VREF; + } else { + ret = kstrtou8(buf, 16, &data); +@@ -1411,7 +1413,7 @@ static IIO_DEVICE_ATTR(ex_analog_temp_offset, S_IRUGO | S_IWUSR, + static ssize_t adt7316_show_DAC(struct adt7316_chip_info *chip, + int channel, char *buf) + { +- u16 data; ++ u16 data = 0; + u8 msb, lsb, offset; + int ret; + +@@ -1436,7 +1438,11 @@ static ssize_t adt7316_show_DAC(struct adt7316_chip_info *chip, + if (ret) + return -EIO; + +- data = (msb << offset) + (lsb & ((1 << offset) - 1)); ++ if (chip->dac_bits == 12) ++ data = lsb >> ADT7316_DA_12_BIT_LSB_SHIFT; ++ else if (chip->dac_bits == 10) ++ data = lsb >> ADT7316_DA_10_BIT_LSB_SHIFT; ++ data |= msb << offset; + + return sprintf(buf, "%d\n", data); + } +@@ -1444,7 +1450,7 @@ static ssize_t adt7316_show_DAC(struct adt7316_chip_info *chip, + static ssize_t adt7316_store_DAC(struct adt7316_chip_info *chip, + int channel, const char *buf, size_t len) + { +- u8 msb, lsb, offset; ++ u8 msb, lsb, lsb_reg, offset; + u16 data; + int ret; + +@@ -1462,9 +1468,13 @@ static ssize_t adt7316_store_DAC(struct adt7316_chip_info *chip, + return -EINVAL; + + if (chip->dac_bits > 8) { +- lsb = data & (1 << offset); ++ lsb = data & ((1 << offset) - 1); ++ if (chip->dac_bits == 12) ++ lsb_reg = lsb << ADT7316_DA_12_BIT_LSB_SHIFT; ++ else ++ lsb_reg = lsb << ADT7316_DA_10_BIT_LSB_SHIFT; + ret = chip->bus.write(chip->bus.client, +- ADT7316_DA_DATA_BASE + channel * 2, lsb); ++ ADT7316_DA_DATA_BASE + channel * 2, lsb_reg); + if (ret) + return -EIO; + } +diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c +index c17b254e4f64..654199c6a36c 100644 +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -470,11 +470,6 @@ static int usb_unbind_interface(struct device *dev) + pm_runtime_disable(dev); + pm_runtime_set_suspended(dev); + +- /* Undo any residual pm_autopm_get_interface_* calls */ +- for (r = atomic_read(&intf->pm_usage_cnt); r > 0; --r) +- usb_autopm_put_interface_no_suspend(intf); +- atomic_set(&intf->pm_usage_cnt, 0); +- + if (!error) + usb_autosuspend_device(udev); + +@@ -1625,7 +1620,6 @@ void usb_autopm_put_interface(struct usb_interface *intf) + int status; + + usb_mark_last_busy(udev); +- atomic_dec(&intf->pm_usage_cnt); + status = pm_runtime_put_sync(&intf->dev); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), +@@ -1654,7 +1648,6 @@ void usb_autopm_put_interface_async(struct usb_interface *intf) + int status; + + usb_mark_last_busy(udev); +- atomic_dec(&intf->pm_usage_cnt); + status = pm_runtime_put(&intf->dev); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), +@@ -1676,7 +1669,6 @@ void usb_autopm_put_interface_no_suspend(struct usb_interface *intf) + struct usb_device *udev = interface_to_usbdev(intf); + + usb_mark_last_busy(udev); +- atomic_dec(&intf->pm_usage_cnt); + pm_runtime_put_noidle(&intf->dev); + } + EXPORT_SYMBOL_GPL(usb_autopm_put_interface_no_suspend); +@@ -1707,8 +1699,6 @@ int usb_autopm_get_interface(struct usb_interface *intf) + status = pm_runtime_get_sync(&intf->dev); + if (status < 0) + pm_runtime_put_sync(&intf->dev); +- else +- atomic_inc(&intf->pm_usage_cnt); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), + status); +@@ -1742,8 +1732,6 @@ int usb_autopm_get_interface_async(struct usb_interface *intf) + status = pm_runtime_get(&intf->dev); + if (status < 0 && status != -EINPROGRESS) + pm_runtime_put_noidle(&intf->dev); +- else +- atomic_inc(&intf->pm_usage_cnt); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), + status); +@@ -1767,7 +1755,6 @@ void usb_autopm_get_interface_no_resume(struct usb_interface *intf) + struct usb_device *udev = interface_to_usbdev(intf); + + usb_mark_last_busy(udev); +- atomic_inc(&intf->pm_usage_cnt); + pm_runtime_get_noresume(&intf->dev); + } + EXPORT_SYMBOL_GPL(usb_autopm_get_interface_no_resume); +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index 0e6ab0a17c08..955cd6552e95 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -817,9 +817,11 @@ int usb_string(struct usb_device *dev, int index, char *buf, size_t size) + + if (dev->state == USB_STATE_SUSPENDED) + return -EHOSTUNREACH; +- if (size <= 0 || !buf || !index) ++ if (size <= 0 || !buf) + return -EINVAL; + buf[0] = 0; ++ if (index <= 0 || index >= 256) ++ return -EINVAL; + tbuf = kmalloc(256, GFP_NOIO); + if (!tbuf) + return -ENOMEM; +diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c +index 1e672343bcd6..efa3c86bd262 100644 +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -324,6 +324,7 @@ static void yurex_disconnect(struct usb_interface *interface) + usb_deregister_dev(interface, &yurex_class); + + /* prevent more I/O from starting */ ++ usb_poison_urb(dev->urb); + mutex_lock(&dev->io_mutex); + dev->interface = NULL; + mutex_unlock(&dev->io_mutex); +diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c +index 4176d1af9bf2..fac3447021b2 100644 +--- a/drivers/usb/storage/realtek_cr.c ++++ b/drivers/usb/storage/realtek_cr.c +@@ -776,18 +776,16 @@ static void rts51x_suspend_timer_fn(unsigned long data) + break; + case RTS51X_STAT_IDLE: + case RTS51X_STAT_SS: +- usb_stor_dbg(us, "RTS51X_STAT_SS, intf->pm_usage_cnt:%d, power.usage:%d\n", +- atomic_read(&us->pusb_intf->pm_usage_cnt), ++ usb_stor_dbg(us, "RTS51X_STAT_SS, power.usage:%d\n", + atomic_read(&us->pusb_intf->dev.power.usage_count)); + +- if (atomic_read(&us->pusb_intf->pm_usage_cnt) > 0) { ++ if (atomic_read(&us->pusb_intf->dev.power.usage_count) > 0) { + usb_stor_dbg(us, "Ready to enter SS state\n"); + rts51x_set_stat(chip, RTS51X_STAT_SS); + /* ignore mass storage interface's children */ + pm_suspend_ignore_children(&us->pusb_intf->dev, true); + usb_autopm_put_interface_async(us->pusb_intf); +- usb_stor_dbg(us, "RTS51X_STAT_SS 01, intf->pm_usage_cnt:%d, power.usage:%d\n", +- atomic_read(&us->pusb_intf->pm_usage_cnt), ++ usb_stor_dbg(us, "RTS51X_STAT_SS 01, power.usage:%d\n", + atomic_read(&us->pusb_intf->dev.power.usage_count)); + } + break; +@@ -820,11 +818,10 @@ static void rts51x_invoke_transport(struct scsi_cmnd *srb, struct us_data *us) + int ret; + + if (working_scsi(srb)) { +- usb_stor_dbg(us, "working scsi, intf->pm_usage_cnt:%d, power.usage:%d\n", +- atomic_read(&us->pusb_intf->pm_usage_cnt), ++ usb_stor_dbg(us, "working scsi, power.usage:%d\n", + atomic_read(&us->pusb_intf->dev.power.usage_count)); + +- if (atomic_read(&us->pusb_intf->pm_usage_cnt) <= 0) { ++ if (atomic_read(&us->pusb_intf->dev.power.usage_count) <= 0) { + ret = usb_autopm_get_interface(us->pusb_intf); + usb_stor_dbg(us, "working scsi, ret=%d\n", ret); + } +diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c +index 5b807185f79e..777a4058c407 100644 +--- a/drivers/usb/usbip/stub_rx.c ++++ b/drivers/usb/usbip/stub_rx.c +@@ -383,16 +383,10 @@ static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) + } + + if (usb_endpoint_xfer_isoc(epd)) { +- /* validate packet size and number of packets */ +- unsigned int maxp, packets, bytes; +- +- maxp = usb_endpoint_maxp(epd); +- maxp *= usb_endpoint_maxp_mult(epd); +- bytes = pdu->u.cmd_submit.transfer_buffer_length; +- packets = DIV_ROUND_UP(bytes, maxp); +- ++ /* validate number of packets */ + if (pdu->u.cmd_submit.number_of_packets < 0 || +- pdu->u.cmd_submit.number_of_packets > packets) { ++ pdu->u.cmd_submit.number_of_packets > ++ USBIP_MAX_ISO_PACKETS) { + dev_err(&sdev->udev->dev, + "CMD_SUBMIT: isoc invalid num packets %d\n", + pdu->u.cmd_submit.number_of_packets); +diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h +index 109e65ba01a0..0b199a2664c0 100644 +--- a/drivers/usb/usbip/usbip_common.h ++++ b/drivers/usb/usbip/usbip_common.h +@@ -136,6 +136,13 @@ extern struct device_attribute dev_attr_usbip_debug; + #define USBIP_DIR_OUT 0x00 + #define USBIP_DIR_IN 0x01 + ++/* ++ * Arbitrary limit for the maximum number of isochronous packets in an URB, ++ * compare for example the uhci_submit_isochronous function in ++ * drivers/usb/host/uhci-q.c ++ */ ++#define USBIP_MAX_ISO_PACKETS 1024 ++ + /** + * struct usbip_header_basic - data pertinent to every request + * @command: the usbip request type +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index 7338e43faa17..f9a75df2d22d 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -1467,11 +1467,11 @@ static void __init vfio_pci_fill_ids(void) + rc = pci_add_dynid(&vfio_pci_driver, vendor, device, + subvendor, subdevice, class, class_mask, 0); + if (rc) +- pr_warn("failed to add dynamic id [%04hx:%04hx[%04hx:%04hx]] class %#08x/%08x (%d)\n", ++ pr_warn("failed to add dynamic id [%04x:%04x[%04x:%04x]] class %#08x/%08x (%d)\n", + vendor, device, subvendor, subdevice, + class, class_mask, rc); + else +- pr_info("add [%04hx:%04hx[%04hx:%04hx]] class %#08x/%08x\n", ++ pr_info("add [%04x:%04x[%04x:%04x]] class %#08x/%08x\n", + vendor, device, subvendor, subdevice, + class, class_mask); + } +diff --git a/drivers/w1/masters/ds2490.c b/drivers/w1/masters/ds2490.c +index 59d74d1b47a8..2287e1be0e55 100644 +--- a/drivers/w1/masters/ds2490.c ++++ b/drivers/w1/masters/ds2490.c +@@ -1039,15 +1039,15 @@ static int ds_probe(struct usb_interface *intf, + /* alternative 3, 1ms interrupt (greatly speeds search), 64 byte bulk */ + alt = 3; + err = usb_set_interface(dev->udev, +- intf->altsetting[alt].desc.bInterfaceNumber, alt); ++ intf->cur_altsetting->desc.bInterfaceNumber, alt); + if (err) { + dev_err(&dev->udev->dev, "Failed to set alternative setting %d " + "for %d interface: err=%d.\n", alt, +- intf->altsetting[alt].desc.bInterfaceNumber, err); ++ intf->cur_altsetting->desc.bInterfaceNumber, err); + goto err_out_clear; + } + +- iface_desc = &intf->altsetting[alt]; ++ iface_desc = intf->cur_altsetting; + if (iface_desc->desc.bNumEndpoints != NUM_EP-1) { + pr_info("Num endpoints=%d. It is not DS9490R.\n", + iface_desc->desc.bNumEndpoints); +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c +index 77e9cd7a0137..20ee612017bf 100644 +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -170,19 +170,24 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root) + return 0; + } + +-static void debugfs_evict_inode(struct inode *inode) ++static void debugfs_i_callback(struct rcu_head *head) + { +- truncate_inode_pages_final(&inode->i_data); +- clear_inode(inode); ++ struct inode *inode = container_of(head, struct inode, i_rcu); + if (S_ISLNK(inode->i_mode)) + kfree(inode->i_link); ++ free_inode_nonrcu(inode); ++} ++ ++static void debugfs_destroy_inode(struct inode *inode) ++{ ++ call_rcu(&inode->i_rcu, debugfs_i_callback); + } + + static const struct super_operations debugfs_super_operations = { + .statfs = simple_statfs, + .remount_fs = debugfs_remount, + .show_options = debugfs_show_options, +- .evict_inode = debugfs_evict_inode, ++ .destroy_inode = debugfs_destroy_inode, + }; + + static struct vfsmount *debugfs_automount(struct path *path) +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index 001487b230b5..4acc677ac8fb 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -746,11 +746,17 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb, + umode_t mode, dev_t dev) + { + struct inode *inode; +- struct resv_map *resv_map; ++ struct resv_map *resv_map = NULL; + +- resv_map = resv_map_alloc(); +- if (!resv_map) +- return NULL; ++ /* ++ * Reserve maps are only needed for inodes that can have associated ++ * page allocations. ++ */ ++ if (S_ISREG(mode) || S_ISLNK(mode)) { ++ resv_map = resv_map_alloc(); ++ if (!resv_map) ++ return NULL; ++ } + + inode = new_inode(sb); + if (inode) { +@@ -782,8 +788,10 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb, + break; + } + lockdep_annotate_inode_mutex_key(inode); +- } else +- kref_put(&resv_map->refs, resv_map_release); ++ } else { ++ if (resv_map) ++ kref_put(&resv_map->refs, resv_map_release); ++ } + + return inode; + } +diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c +index 06a71dbd4833..2f236cca6095 100644 +--- a/fs/jffs2/readinode.c ++++ b/fs/jffs2/readinode.c +@@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f) + + jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL); + +- if (f->target) { +- kfree(f->target); +- f->target = NULL; +- } +- + fds = f->dents; + while(fds) { + fd = fds; +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c +index 226640563df3..76aedbc97773 100644 +--- a/fs/jffs2/super.c ++++ b/fs/jffs2/super.c +@@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb) + static void jffs2_i_callback(struct rcu_head *head) + { + struct inode *inode = container_of(head, struct inode, i_rcu); +- kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode)); ++ struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); ++ ++ kfree(f->target); ++ kmem_cache_free(jffs2_inode_cachep, f); + } + + static void jffs2_destroy_inode(struct inode *inode) +diff --git a/include/linux/kasan.h b/include/linux/kasan.h +index 820c0ad54a01..c9df9e180610 100644 +--- a/include/linux/kasan.h ++++ b/include/linux/kasan.h +@@ -7,6 +7,7 @@ + struct kmem_cache; + struct page; + struct vm_struct; ++struct task_struct; + + #ifdef CONFIG_KASAN + +diff --git a/include/linux/usb.h b/include/linux/usb.h +index 346665a0c49d..9b5ca59271d9 100644 +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -129,7 +129,6 @@ enum usb_interface_condition { + * @dev: driver model's view of this device + * @usb_dev: if an interface is bound to the USB major, this will point + * to the sysfs representation for that device. +- * @pm_usage_cnt: PM usage counter for this interface + * @reset_ws: Used for scheduling resets from atomic context. + * @resetting_device: USB core reset the device, so use alt setting 0 as + * current; needs bandwidth alloc after reset. +@@ -186,7 +185,6 @@ struct usb_interface { + + struct device dev; /* interface specific device info */ + struct device *usb_dev; +- atomic_t pm_usage_cnt; /* usage counter for autosuspend */ + struct work_struct reset_ws; /* for resets in atomic context */ + }; + #define to_usb_interface(d) container_of(d, struct usb_interface, dev) +diff --git a/include/net/caif/cfpkt.h b/include/net/caif/cfpkt.h +index fe328c52c46b..801489bb14c3 100644 +--- a/include/net/caif/cfpkt.h ++++ b/include/net/caif/cfpkt.h +@@ -32,6 +32,33 @@ void cfpkt_destroy(struct cfpkt *pkt); + */ + int cfpkt_extr_head(struct cfpkt *pkt, void *data, u16 len); + ++static inline u8 cfpkt_extr_head_u8(struct cfpkt *pkt) ++{ ++ u8 tmp; ++ ++ cfpkt_extr_head(pkt, &tmp, 1); ++ ++ return tmp; ++} ++ ++static inline u16 cfpkt_extr_head_u16(struct cfpkt *pkt) ++{ ++ __le16 tmp; ++ ++ cfpkt_extr_head(pkt, &tmp, 2); ++ ++ return le16_to_cpu(tmp); ++} ++ ++static inline u32 cfpkt_extr_head_u32(struct cfpkt *pkt) ++{ ++ __le32 tmp; ++ ++ cfpkt_extr_head(pkt, &tmp, 4); ++ ++ return le32_to_cpu(tmp); ++} ++ + /* + * Peek header from packet. + * Reads data from packet without changing packet. +diff --git a/lib/Makefile b/lib/Makefile +index 50144a3aeebd..2447a218fff8 100644 +--- a/lib/Makefile ++++ b/lib/Makefile +@@ -46,6 +46,7 @@ obj-$(CONFIG_TEST_BPF) += test_bpf.o + obj-$(CONFIG_TEST_FIRMWARE) += test_firmware.o + obj-$(CONFIG_TEST_HASH) += test_hash.o + obj-$(CONFIG_TEST_KASAN) += test_kasan.o ++CFLAGS_test_kasan.o += -fno-builtin + obj-$(CONFIG_TEST_KSTRTOX) += test-kstrtox.o + obj-$(CONFIG_TEST_LKM) += test_module.o + obj-$(CONFIG_TEST_RHASHTABLE) += test_rhashtable.o +diff --git a/lib/test_kasan.c b/lib/test_kasan.c +index fbdf87920093..4ba4cbe169a8 100644 +--- a/lib/test_kasan.c ++++ b/lib/test_kasan.c +@@ -355,7 +355,7 @@ static noinline void __init kasan_stack_oob(void) + static noinline void __init ksize_unpoisons_memory(void) + { + char *ptr; +- size_t size = 123, real_size = size; ++ size_t size = 123, real_size; + + pr_info("ksize() unpoisons the whole allocated chunk\n"); + ptr = kmalloc(size, GFP_KERNEL); +diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c +index 4ce386c44cf1..1169c1fe941f 100644 +--- a/mm/kasan/kasan.c ++++ b/mm/kasan/kasan.c +@@ -80,7 +80,14 @@ void kasan_unpoison_task_stack(struct task_struct *task) + /* Unpoison the stack for the current task beyond a watermark sp value. */ + asmlinkage void kasan_unpoison_task_stack_below(const void *watermark) + { +- __kasan_unpoison_stack(current, watermark); ++ /* ++ * Calculate the task stack base address. Avoid using 'current' ++ * because this function is called by early resume code which hasn't ++ * yet set up the percpu register (%gs). ++ */ ++ void *base = (void *)((unsigned long)watermark & ~(THREAD_SIZE - 1)); ++ ++ kasan_unpoison_shadow(base, watermark - base); + } + + /* +diff --git a/mm/kasan/kasan_init.c b/mm/kasan/kasan_init.c +index 3f9a41cf0ac6..31238dad85fb 100644 +--- a/mm/kasan/kasan_init.c ++++ b/mm/kasan/kasan_init.c +@@ -15,6 +15,7 @@ + #include <linux/kasan.h> + #include <linux/kernel.h> + #include <linux/memblock.h> ++#include <linux/mm.h> + #include <linux/pfn.h> + + #include <asm/page.h> +@@ -49,7 +50,7 @@ static void __init zero_pte_populate(pmd_t *pmd, unsigned long addr, + pte_t *pte = pte_offset_kernel(pmd, addr); + pte_t zero_pte; + +- zero_pte = pfn_pte(PFN_DOWN(__pa(kasan_zero_page)), PAGE_KERNEL); ++ zero_pte = pfn_pte(PFN_DOWN(__pa_symbol(kasan_zero_page)), PAGE_KERNEL); + zero_pte = pte_wrprotect(zero_pte); + + while (addr + PAGE_SIZE <= end) { +@@ -69,7 +70,7 @@ static void __init zero_pmd_populate(pud_t *pud, unsigned long addr, + next = pmd_addr_end(addr, end); + + if (IS_ALIGNED(addr, PMD_SIZE) && end - addr >= PMD_SIZE) { +- pmd_populate_kernel(&init_mm, pmd, kasan_zero_pte); ++ pmd_populate_kernel(&init_mm, pmd, lm_alias(kasan_zero_pte)); + continue; + } + +@@ -92,9 +93,9 @@ static void __init zero_pud_populate(pgd_t *pgd, unsigned long addr, + if (IS_ALIGNED(addr, PUD_SIZE) && end - addr >= PUD_SIZE) { + pmd_t *pmd; + +- pud_populate(&init_mm, pud, kasan_zero_pmd); ++ pud_populate(&init_mm, pud, lm_alias(kasan_zero_pmd)); + pmd = pmd_offset(pud, addr); +- pmd_populate_kernel(&init_mm, pmd, kasan_zero_pte); ++ pmd_populate_kernel(&init_mm, pmd, lm_alias(kasan_zero_pte)); + continue; + } + +@@ -135,11 +136,11 @@ void __init kasan_populate_zero_shadow(const void *shadow_start, + * puds,pmds, so pgd_populate(), pud_populate() + * is noops. + */ +- pgd_populate(&init_mm, pgd, kasan_zero_pud); ++ pgd_populate(&init_mm, pgd, lm_alias(kasan_zero_pud)); + pud = pud_offset(pgd, addr); +- pud_populate(&init_mm, pud, kasan_zero_pmd); ++ pud_populate(&init_mm, pud, lm_alias(kasan_zero_pmd)); + pmd = pmd_offset(pud, addr); +- pmd_populate_kernel(&init_mm, pmd, kasan_zero_pte); ++ pmd_populate_kernel(&init_mm, pmd, lm_alias(kasan_zero_pte)); + continue; + } + +diff --git a/mm/kasan/report.c b/mm/kasan/report.c +index 8ca412aebcf1..c505ac5b2d46 100644 +--- a/mm/kasan/report.c ++++ b/mm/kasan/report.c +@@ -302,6 +302,7 @@ void kasan_report(unsigned long addr, size_t size, + disable_trace_on_warning(); + + info.access_addr = (void *)addr; ++ info.first_bad_addr = (void *)addr; + info.access_size = size; + info.is_write = is_write; + info.ip = ip; +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index 8b6f654bc85d..00123064eb26 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -802,6 +802,8 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv, + const u8 *mac, const unsigned short vid) + { + struct batadv_bla_claim search_claim, *claim; ++ struct batadv_bla_claim *claim_removed_entry; ++ struct hlist_node *claim_removed_node; + + ether_addr_copy(search_claim.addr, mac); + search_claim.vid = vid; +@@ -812,10 +814,18 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv, + batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_del_claim(): %pM, vid %d\n", + mac, BATADV_PRINT_VID(vid)); + +- batadv_hash_remove(bat_priv->bla.claim_hash, batadv_compare_claim, +- batadv_choose_claim, claim); +- batadv_claim_put(claim); /* reference from the hash is gone */ ++ claim_removed_node = batadv_hash_remove(bat_priv->bla.claim_hash, ++ batadv_compare_claim, ++ batadv_choose_claim, claim); ++ if (!claim_removed_node) ++ goto free_claim; + ++ /* reference from the hash is gone */ ++ claim_removed_entry = hlist_entry(claim_removed_node, ++ struct batadv_bla_claim, hash_entry); ++ batadv_claim_put(claim_removed_entry); ++ ++free_claim: + /* don't need the reference from hash_find() anymore */ + batadv_claim_put(claim); + } +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index b9f9a310eb78..af4a02ad8503 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -615,14 +615,26 @@ static void batadv_tt_global_free(struct batadv_priv *bat_priv, + struct batadv_tt_global_entry *tt_global, + const char *message) + { ++ struct batadv_tt_global_entry *tt_removed_entry; ++ struct hlist_node *tt_removed_node; ++ + batadv_dbg(BATADV_DBG_TT, bat_priv, + "Deleting global tt entry %pM (vid: %d): %s\n", + tt_global->common.addr, + BATADV_PRINT_VID(tt_global->common.vid), message); + +- batadv_hash_remove(bat_priv->tt.global_hash, batadv_compare_tt, +- batadv_choose_tt, &tt_global->common); +- batadv_tt_global_entry_put(tt_global); ++ tt_removed_node = batadv_hash_remove(bat_priv->tt.global_hash, ++ batadv_compare_tt, ++ batadv_choose_tt, ++ &tt_global->common); ++ if (!tt_removed_node) ++ return; ++ ++ /* drop reference of remove hash entry */ ++ tt_removed_entry = hlist_entry(tt_removed_node, ++ struct batadv_tt_global_entry, ++ common.hash_entry); ++ batadv_tt_global_entry_put(tt_removed_entry); + } + + /** +@@ -1308,9 +1320,10 @@ u16 batadv_tt_local_remove(struct batadv_priv *bat_priv, const u8 *addr, + unsigned short vid, const char *message, + bool roaming) + { ++ struct batadv_tt_local_entry *tt_removed_entry; + struct batadv_tt_local_entry *tt_local_entry; + u16 flags, curr_flags = BATADV_NO_FLAGS; +- void *tt_entry_exists; ++ struct hlist_node *tt_removed_node; + + tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid); + if (!tt_local_entry) +@@ -1339,15 +1352,18 @@ u16 batadv_tt_local_remove(struct batadv_priv *bat_priv, const u8 *addr, + */ + batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL); + +- tt_entry_exists = batadv_hash_remove(bat_priv->tt.local_hash, ++ tt_removed_node = batadv_hash_remove(bat_priv->tt.local_hash, + batadv_compare_tt, + batadv_choose_tt, + &tt_local_entry->common); +- if (!tt_entry_exists) ++ if (!tt_removed_node) + goto out; + +- /* extra call to free the local tt entry */ +- batadv_tt_local_entry_put(tt_local_entry); ++ /* drop reference of remove hash entry */ ++ tt_removed_entry = hlist_entry(tt_removed_node, ++ struct batadv_tt_local_entry, ++ common.hash_entry); ++ batadv_tt_local_entry_put(tt_removed_entry); + + out: + if (tt_local_entry) +diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c +index f5afda1abc76..4dc82e9a855d 100644 +--- a/net/caif/cfctrl.c ++++ b/net/caif/cfctrl.c +@@ -352,15 +352,14 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + u8 cmdrsp; + u8 cmd; + int ret = -1; +- u16 tmp16; + u8 len; + u8 param[255]; +- u8 linkid; ++ u8 linkid = 0; + struct cfctrl *cfctrl = container_obj(layer); + struct cfctrl_request_info rsp, *req; + + +- cfpkt_extr_head(pkt, &cmdrsp, 1); ++ cmdrsp = cfpkt_extr_head_u8(pkt); + cmd = cmdrsp & CFCTRL_CMD_MASK; + if (cmd != CFCTRL_CMD_LINK_ERR + && CFCTRL_RSP_BIT != (CFCTRL_RSP_BIT & cmdrsp) +@@ -378,13 +377,12 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + u8 physlinkid; + u8 prio; + u8 tmp; +- u32 tmp32; + u8 *cp; + int i; + struct cfctrl_link_param linkparam; + memset(&linkparam, 0, sizeof(linkparam)); + +- cfpkt_extr_head(pkt, &tmp, 1); ++ tmp = cfpkt_extr_head_u8(pkt); + + serv = tmp & CFCTRL_SRV_MASK; + linkparam.linktype = serv; +@@ -392,13 +390,13 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + servtype = tmp >> 4; + linkparam.chtype = servtype; + +- cfpkt_extr_head(pkt, &tmp, 1); ++ tmp = cfpkt_extr_head_u8(pkt); + physlinkid = tmp & 0x07; + prio = tmp >> 3; + + linkparam.priority = prio; + linkparam.phyid = physlinkid; +- cfpkt_extr_head(pkt, &endpoint, 1); ++ endpoint = cfpkt_extr_head_u8(pkt); + linkparam.endpoint = endpoint & 0x03; + + switch (serv) { +@@ -407,45 +405,43 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + if (CFCTRL_ERR_BIT & cmdrsp) + break; + /* Link ID */ +- cfpkt_extr_head(pkt, &linkid, 1); ++ linkid = cfpkt_extr_head_u8(pkt); + break; + case CFCTRL_SRV_VIDEO: +- cfpkt_extr_head(pkt, &tmp, 1); ++ tmp = cfpkt_extr_head_u8(pkt); + linkparam.u.video.connid = tmp; + if (CFCTRL_ERR_BIT & cmdrsp) + break; + /* Link ID */ +- cfpkt_extr_head(pkt, &linkid, 1); ++ linkid = cfpkt_extr_head_u8(pkt); + break; + + case CFCTRL_SRV_DATAGRAM: +- cfpkt_extr_head(pkt, &tmp32, 4); + linkparam.u.datagram.connid = +- le32_to_cpu(tmp32); ++ cfpkt_extr_head_u32(pkt); + if (CFCTRL_ERR_BIT & cmdrsp) + break; + /* Link ID */ +- cfpkt_extr_head(pkt, &linkid, 1); ++ linkid = cfpkt_extr_head_u8(pkt); + break; + case CFCTRL_SRV_RFM: + /* Construct a frame, convert + * DatagramConnectionID + * to network format long and copy it out... + */ +- cfpkt_extr_head(pkt, &tmp32, 4); + linkparam.u.rfm.connid = +- le32_to_cpu(tmp32); ++ cfpkt_extr_head_u32(pkt); + cp = (u8 *) linkparam.u.rfm.volume; +- for (cfpkt_extr_head(pkt, &tmp, 1); ++ for (tmp = cfpkt_extr_head_u8(pkt); + cfpkt_more(pkt) && tmp != '\0'; +- cfpkt_extr_head(pkt, &tmp, 1)) ++ tmp = cfpkt_extr_head_u8(pkt)) + *cp++ = tmp; + *cp = '\0'; + + if (CFCTRL_ERR_BIT & cmdrsp) + break; + /* Link ID */ +- cfpkt_extr_head(pkt, &linkid, 1); ++ linkid = cfpkt_extr_head_u8(pkt); + + break; + case CFCTRL_SRV_UTIL: +@@ -454,13 +450,11 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + * to network format long and copy it out... + */ + /* Fifosize KB */ +- cfpkt_extr_head(pkt, &tmp16, 2); + linkparam.u.utility.fifosize_kb = +- le16_to_cpu(tmp16); ++ cfpkt_extr_head_u16(pkt); + /* Fifosize bufs */ +- cfpkt_extr_head(pkt, &tmp16, 2); + linkparam.u.utility.fifosize_bufs = +- le16_to_cpu(tmp16); ++ cfpkt_extr_head_u16(pkt); + /* name */ + cp = (u8 *) linkparam.u.utility.name; + caif_assert(sizeof(linkparam.u.utility.name) +@@ -468,24 +462,24 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + for (i = 0; + i < UTILITY_NAME_LENGTH + && cfpkt_more(pkt); i++) { +- cfpkt_extr_head(pkt, &tmp, 1); ++ tmp = cfpkt_extr_head_u8(pkt); + *cp++ = tmp; + } + /* Length */ +- cfpkt_extr_head(pkt, &len, 1); ++ len = cfpkt_extr_head_u8(pkt); + linkparam.u.utility.paramlen = len; + /* Param Data */ + cp = linkparam.u.utility.params; + while (cfpkt_more(pkt) && len--) { +- cfpkt_extr_head(pkt, &tmp, 1); ++ tmp = cfpkt_extr_head_u8(pkt); + *cp++ = tmp; + } + if (CFCTRL_ERR_BIT & cmdrsp) + break; + /* Link ID */ +- cfpkt_extr_head(pkt, &linkid, 1); ++ linkid = cfpkt_extr_head_u8(pkt); + /* Length */ +- cfpkt_extr_head(pkt, &len, 1); ++ len = cfpkt_extr_head_u8(pkt); + /* Param Data */ + cfpkt_extr_head(pkt, ¶m, len); + break; +@@ -522,7 +516,7 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + } + break; + case CFCTRL_CMD_LINK_DESTROY: +- cfpkt_extr_head(pkt, &linkid, 1); ++ linkid = cfpkt_extr_head_u8(pkt); + cfctrl->res.linkdestroy_rsp(cfctrl->serv.layer.up, linkid); + break; + case CFCTRL_CMD_LINK_ERR: +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 100c86f1f547..7f1a85c6a614 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -492,6 +492,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from) + to->pkt_type = from->pkt_type; + to->priority = from->priority; + to->protocol = from->protocol; ++ to->skb_iif = from->skb_iif; + skb_dst_drop(to); + skb_dst_copy(to, from); + to->dev = from->dev; +diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c +index b82e439804d1..8c2f9aedc2af 100644 +--- a/net/ipv6/ip6_flowlabel.c ++++ b/net/ipv6/ip6_flowlabel.c +@@ -94,15 +94,21 @@ static struct ip6_flowlabel *fl_lookup(struct net *net, __be32 label) + return fl; + } + ++static void fl_free_rcu(struct rcu_head *head) ++{ ++ struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu); ++ ++ if (fl->share == IPV6_FL_S_PROCESS) ++ put_pid(fl->owner.pid); ++ kfree(fl->opt); ++ kfree(fl); ++} ++ + + static void fl_free(struct ip6_flowlabel *fl) + { +- if (fl) { +- if (fl->share == IPV6_FL_S_PROCESS) +- put_pid(fl->owner.pid); +- kfree(fl->opt); +- kfree_rcu(fl, rcu); +- } ++ if (fl) ++ call_rcu(&fl->rcu, fl_free_rcu); + } + + static void fl_release(struct ip6_flowlabel *fl) +@@ -634,9 +640,9 @@ recheck: + if (fl1->share == IPV6_FL_S_EXCL || + fl1->share != fl->share || + ((fl1->share == IPV6_FL_S_PROCESS) && +- (fl1->owner.pid == fl->owner.pid)) || ++ (fl1->owner.pid != fl->owner.pid)) || + ((fl1->share == IPV6_FL_S_USER) && +- uid_eq(fl1->owner.uid, fl->owner.uid))) ++ !uid_eq(fl1->owner.uid, fl->owner.uid))) + goto release; + + err = -ENOMEM; +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 522d4ca715c9..ea37160d5ae2 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2638,8 +2638,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + void *ph; + DECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name); + bool need_wait = !(msg->msg_flags & MSG_DONTWAIT); ++ unsigned char *addr = NULL; + int tp_len, size_max; +- unsigned char *addr; + void *data; + int len_sum = 0; + int status = TP_STATUS_AVAILABLE; +@@ -2650,7 +2650,6 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); + proto = po->num; +- addr = NULL; + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -2660,10 +2659,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + sll_addr))) + goto out; + proto = saddr->sll_protocol; +- addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); +- if (addr && dev && saddr->sll_halen < dev->addr_len) +- goto out_put; ++ if (po->sk.sk_socket->type == SOCK_DGRAM) { ++ if (dev && msg->msg_namelen < dev->addr_len + ++ offsetof(struct sockaddr_ll, sll_addr)) ++ goto out_put; ++ addr = saddr->sll_addr; ++ } + } + + err = -ENXIO; +@@ -2834,7 +2836,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + struct sk_buff *skb; + struct net_device *dev; + __be16 proto; +- unsigned char *addr; ++ unsigned char *addr = NULL; + int err, reserve = 0; + struct sockcm_cookie sockc; + struct virtio_net_hdr vnet_hdr = { 0 }; +@@ -2851,7 +2853,6 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); + proto = po->num; +- addr = NULL; + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -2859,10 +2860,13 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr))) + goto out; + proto = saddr->sll_protocol; +- addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); +- if (addr && dev && saddr->sll_halen < dev->addr_len) +- goto out_unlock; ++ if (sock->type == SOCK_DGRAM) { ++ if (dev && msg->msg_namelen < dev->addr_len + ++ offsetof(struct sockaddr_ll, sll_addr)) ++ goto out_unlock; ++ addr = saddr->sll_addr; ++ } + } + + err = -ENXIO; +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 9bd6f97ccd21..772df402c495 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -467,21 +467,43 @@ static int may_context_mount_inode_relabel(u32 sid, + return rc; + } + +-static int selinux_is_sblabel_mnt(struct super_block *sb) ++static int selinux_is_genfs_special_handling(struct super_block *sb) + { +- struct superblock_security_struct *sbsec = sb->s_security; +- +- return sbsec->behavior == SECURITY_FS_USE_XATTR || +- sbsec->behavior == SECURITY_FS_USE_TRANS || +- sbsec->behavior == SECURITY_FS_USE_TASK || +- sbsec->behavior == SECURITY_FS_USE_NATIVE || +- /* Special handling. Genfs but also in-core setxattr handler */ +- !strcmp(sb->s_type->name, "sysfs") || ++ /* Special handling. Genfs but also in-core setxattr handler */ ++ return !strcmp(sb->s_type->name, "sysfs") || + !strcmp(sb->s_type->name, "pstore") || + !strcmp(sb->s_type->name, "debugfs") || + !strcmp(sb->s_type->name, "rootfs"); + } + ++static int selinux_is_sblabel_mnt(struct super_block *sb) ++{ ++ struct superblock_security_struct *sbsec = sb->s_security; ++ ++ /* ++ * IMPORTANT: Double-check logic in this function when adding a new ++ * SECURITY_FS_USE_* definition! ++ */ ++ BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); ++ ++ switch (sbsec->behavior) { ++ case SECURITY_FS_USE_XATTR: ++ case SECURITY_FS_USE_TRANS: ++ case SECURITY_FS_USE_TASK: ++ case SECURITY_FS_USE_NATIVE: ++ return 1; ++ ++ case SECURITY_FS_USE_GENFS: ++ return selinux_is_genfs_special_handling(sb); ++ ++ /* Never allow relabeling on context mounts */ ++ case SECURITY_FS_USE_MNTPOINT: ++ case SECURITY_FS_USE_NONE: ++ default: ++ return 0; ++ } ++} ++ + static int sb_finish_set_opts(struct super_block *sb) + { + struct superblock_security_struct *sbsec = sb->s_security; +diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c +index 58d624938a9f..09189249d0d1 100644 +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -337,12 +337,16 @@ int line6_read_data(struct usb_line6 *line6, unsigned address, void *data, + { + struct usb_device *usbdev = line6->usbdev; + int ret; +- unsigned char len; ++ unsigned char *len; + unsigned count; + + if (address > 0xffff || datalen > 0xff) + return -EINVAL; + ++ len = kmalloc(sizeof(*len), GFP_KERNEL); ++ if (!len) ++ return -ENOMEM; ++ + /* query the serial number: */ + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +@@ -351,7 +355,7 @@ int line6_read_data(struct usb_line6 *line6, unsigned address, void *data, + + if (ret < 0) { + dev_err(line6->ifcdev, "read request failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + + /* Wait for data length. We'll get 0xff until length arrives. */ +@@ -361,28 +365,29 @@ int line6_read_data(struct usb_line6 *line6, unsigned address, void *data, + ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | + USB_DIR_IN, +- 0x0012, 0x0000, &len, 1, ++ 0x0012, 0x0000, len, 1, + LINE6_TIMEOUT * HZ); + if (ret < 0) { + dev_err(line6->ifcdev, + "receive length failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + +- if (len != 0xff) ++ if (*len != 0xff) + break; + } + +- if (len == 0xff) { ++ ret = -EIO; ++ if (*len == 0xff) { + dev_err(line6->ifcdev, "read failed after %d retries\n", + count); +- return -EIO; +- } else if (len != datalen) { ++ goto exit; ++ } else if (*len != datalen) { + /* should be equal or something went wrong */ + dev_err(line6->ifcdev, + "length mismatch (expected %d, got %d)\n", +- (int)datalen, (int)len); +- return -EIO; ++ (int)datalen, (int)*len); ++ goto exit; + } + + /* receive the result: */ +@@ -391,12 +396,12 @@ int line6_read_data(struct usb_line6 *line6, unsigned address, void *data, + 0x0013, 0x0000, data, datalen, + LINE6_TIMEOUT * HZ); + +- if (ret < 0) { ++ if (ret < 0) + dev_err(line6->ifcdev, "read failed (error %d)\n", ret); +- return ret; +- } + +- return 0; ++exit: ++ kfree(len); ++ return ret; + } + EXPORT_SYMBOL_GPL(line6_read_data); + +@@ -408,12 +413,16 @@ int line6_write_data(struct usb_line6 *line6, unsigned address, void *data, + { + struct usb_device *usbdev = line6->usbdev; + int ret; +- unsigned char status; ++ unsigned char *status; + int count; + + if (address > 0xffff || datalen > 0xffff) + return -EINVAL; + ++ status = kmalloc(sizeof(*status), GFP_KERNEL); ++ if (!status) ++ return -ENOMEM; ++ + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, + 0x0022, address, data, datalen, +@@ -422,7 +431,7 @@ int line6_write_data(struct usb_line6 *line6, unsigned address, void *data, + if (ret < 0) { + dev_err(line6->ifcdev, + "write request failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + + for (count = 0; count < LINE6_READ_WRITE_MAX_RETRIES; count++) { +@@ -433,28 +442,29 @@ int line6_write_data(struct usb_line6 *line6, unsigned address, void *data, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | + USB_DIR_IN, + 0x0012, 0x0000, +- &status, 1, LINE6_TIMEOUT * HZ); ++ status, 1, LINE6_TIMEOUT * HZ); + + if (ret < 0) { + dev_err(line6->ifcdev, + "receiving status failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + +- if (status != 0xff) ++ if (*status != 0xff) + break; + } + +- if (status == 0xff) { ++ if (*status == 0xff) { + dev_err(line6->ifcdev, "write failed after %d retries\n", + count); +- return -EIO; +- } else if (status != 0) { ++ ret = -EIO; ++ } else if (*status != 0) { + dev_err(line6->ifcdev, "write failed (error %d)\n", ret); +- return -EIO; ++ ret = -EIO; + } +- +- return 0; ++exit: ++ kfree(status); ++ return ret; + } + EXPORT_SYMBOL_GPL(line6_write_data); + +diff --git a/sound/usb/line6/podhd.c b/sound/usb/line6/podhd.c +index 5ab9e0c89211..c0b6733c0623 100644 +--- a/sound/usb/line6/podhd.c ++++ b/sound/usb/line6/podhd.c +@@ -221,28 +221,32 @@ static void podhd_startup_start_workqueue(unsigned long data) + static int podhd_dev_start(struct usb_line6_podhd *pod) + { + int ret; +- u8 init_bytes[8]; ++ u8 *init_bytes; + int i; + struct usb_device *usbdev = pod->line6.usbdev; + ++ init_bytes = kmalloc(8, GFP_KERNEL); ++ if (!init_bytes) ++ return -ENOMEM; ++ + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), + 0x67, USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, + 0x11, 0, + NULL, 0, LINE6_TIMEOUT * HZ); + if (ret < 0) { + dev_err(pod->line6.ifcdev, "read request failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + + /* NOTE: looks like some kind of ping message */ + ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, + 0x11, 0x0, +- &init_bytes, 3, LINE6_TIMEOUT * HZ); ++ init_bytes, 3, LINE6_TIMEOUT * HZ); + if (ret < 0) { + dev_err(pod->line6.ifcdev, + "receive length failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + + pod->firmware_version = +@@ -251,7 +255,7 @@ static int podhd_dev_start(struct usb_line6_podhd *pod) + for (i = 0; i <= 16; i++) { + ret = line6_read_data(&pod->line6, 0xf000 + 0x08 * i, init_bytes, 8); + if (ret < 0) +- return ret; ++ goto exit; + } + + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), +@@ -259,10 +263,9 @@ static int podhd_dev_start(struct usb_line6_podhd *pod) + USB_TYPE_STANDARD | USB_RECIP_DEVICE | USB_DIR_OUT, + 1, 0, + NULL, 0, LINE6_TIMEOUT * HZ); +- if (ret < 0) +- return ret; +- +- return 0; ++exit: ++ kfree(init_bytes); ++ return ret; + } + + static void podhd_startup_workqueue(struct work_struct *work) +diff --git a/sound/usb/line6/toneport.c b/sound/usb/line6/toneport.c +index 8e22f430d700..d3871d99ade4 100644 +--- a/sound/usb/line6/toneport.c ++++ b/sound/usb/line6/toneport.c +@@ -365,15 +365,20 @@ static bool toneport_has_source_select(struct usb_line6_toneport *toneport) + /* + Setup Toneport device. + */ +-static void toneport_setup(struct usb_line6_toneport *toneport) ++static int toneport_setup(struct usb_line6_toneport *toneport) + { +- int ticks; ++ int *ticks; + struct usb_line6 *line6 = &toneport->line6; + struct usb_device *usbdev = line6->usbdev; + ++ ticks = kmalloc(sizeof(*ticks), GFP_KERNEL); ++ if (!ticks) ++ return -ENOMEM; ++ + /* sync time on device with host: */ +- ticks = (int)get_seconds(); +- line6_write_data(line6, 0x80c6, &ticks, 4); ++ *ticks = (int)get_seconds(); ++ line6_write_data(line6, 0x80c6, ticks, 4); ++ kfree(ticks); + + /* enable device: */ + toneport_send_cmd(usbdev, 0x0301, 0x0000); +@@ -388,6 +393,7 @@ static void toneport_setup(struct usb_line6_toneport *toneport) + toneport_update_led(toneport); + + mod_timer(&toneport->timer, jiffies + TONEPORT_PCM_DELAY * HZ); ++ return 0; + } + + /* +@@ -451,7 +457,9 @@ static int toneport_init(struct usb_line6 *line6, + return err; + } + +- toneport_setup(toneport); ++ err = toneport_setup(toneport); ++ if (err) ++ return err; + + /* register audio system: */ + return snd_card_register(line6->card); +@@ -463,7 +471,11 @@ static int toneport_init(struct usb_line6 *line6, + */ + static int toneport_reset_resume(struct usb_interface *interface) + { +- toneport_setup(usb_get_intfdata(interface)); ++ int err; ++ ++ err = toneport_setup(usb_get_intfdata(interface)); ++ if (err) ++ return err; + return line6_resume(interface); + } + #endif |