From 90144d4f154cd71c27ff0f51f11d7880c5ffe21f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Igor=20Pe=C4=8Dovnik?= Date: Mon, 28 Dec 2015 10:23:02 +0100 Subject: [PATCH] Added headers patches to other sources, upgrades for 4.2.6 - 8, set Armbian version to 4.81 --- configuration.sh | 6 +- ...g-cubox.patch => 01-packaging-cubox.patch} | 0 .../cubox-default/02-headers-packing.patch | 13 + ...ing-next.patch => 01-packaging-next.patch} | 0 .../odroidxu-next/02-headers-packing.patch | 13 + .../kernel/odroidxu-next/patch-4.2.6-7.patch | 4131 +++++++++++++++++ .../kernel/odroidxu-next/patch-4.2.7-8.patch | 3882 ++++++++++++++++ ...-guitar.patch => 01-packagin-guitar.patch} | 0 .../s500-default/02-headers-packing.patch | 13 + ....patch => 01-udoo-packaging-v20-fix.patch} | 0 .../udoo-default/02-headers-packing.patch | 13 + ...ing-next.patch => 01-packaging-next.patch} | 0 .../kernel/udoo-next/02-headers-packing.patch | 13 + patch/kernel/udoo-next/patch-4.2.6-7.patch | 4131 +++++++++++++++++ patch/kernel/udoo-next/patch-4.2.7-8.patch | 3882 ++++++++++++++++ 15 files changed, 16094 insertions(+), 3 deletions(-) rename patch/kernel/cubox-default/{packaging-cubox.patch => 01-packaging-cubox.patch} (100%) create mode 100644 patch/kernel/cubox-default/02-headers-packing.patch rename patch/kernel/odroidxu-next/{packaging-next.patch => 01-packaging-next.patch} (100%) create mode 100644 patch/kernel/odroidxu-next/02-headers-packing.patch create mode 100644 patch/kernel/odroidxu-next/patch-4.2.6-7.patch create mode 100644 patch/kernel/odroidxu-next/patch-4.2.7-8.patch rename patch/kernel/s500-default/{packagin-guitar.patch => 01-packagin-guitar.patch} (100%) create mode 100644 patch/kernel/s500-default/02-headers-packing.patch rename patch/kernel/udoo-default/{udoo-packaging-v20-fix.patch => 01-udoo-packaging-v20-fix.patch} (100%) create mode 100644 patch/kernel/udoo-default/02-headers-packing.patch rename patch/kernel/udoo-next/{packaging-next.patch => 01-packaging-next.patch} (100%) create mode 100644 patch/kernel/udoo-next/02-headers-packing.patch create mode 100644 patch/kernel/udoo-next/patch-4.2.6-7.patch create mode 100644 patch/kernel/udoo-next/patch-4.2.7-8.patch diff --git a/configuration.sh b/configuration.sh index 0d115cffe..e180d3656 100644 --- a/configuration.sh +++ b/configuration.sh @@ -27,7 +27,7 @@ # common options - REVISION="5.00" # all boards have same revision + REVISION="4.81" # all boards have same revision SDSIZE="4000" # SD image size in MB TZDATA=`cat /etc/timezone` # Timezone for target is taken from host or defined here. USEALLCORES="yes" # Use all CPU cores for compiling @@ -243,7 +243,7 @@ guitar)#enabled #description S500 Lemaker Guitar Action quad core - #build 1wip + #build 1 LINUXFAMILY="s500" OFFSET="16" BOOTSIZE="16" @@ -255,7 +255,7 @@ odroidxu)#enabled #description Exynos5422 XU3/XU4 octa core - #build 1 + #build 3 LINUXFAMILY="odroidxu" BOOTSIZE="16" BOOTCONFIG="odroid_config" diff --git a/patch/kernel/cubox-default/packaging-cubox.patch b/patch/kernel/cubox-default/01-packaging-cubox.patch similarity index 100% rename from patch/kernel/cubox-default/packaging-cubox.patch rename to patch/kernel/cubox-default/01-packaging-cubox.patch diff --git a/patch/kernel/cubox-default/02-headers-packing.patch b/patch/kernel/cubox-default/02-headers-packing.patch new file mode 100644 index 000000000..d27fd190d --- /dev/null +++ b/patch/kernel/cubox-default/02-headers-packing.patch @@ -0,0 +1,13 @@ +diff --git a/scripts/package/builddeb b/scripts/package/builddeb +index 6c3b038..616aa9b 100755 +--- a/scripts/package/builddeb ++++ b/scripts/package/builddeb +@@ -334,6 +334,8 @@ mkdir -p "$destdir" + ln -sf "/usr/src/linux-headers-$version" "$kernel_headers_dir/lib/modules/$version/build" + rm -f "$objtree/debian/hdrsrcfiles" "$objtree/debian/hdrobjfiles" + ++(cd "$destdir"; make M=scripts clean) ++ + cat <> debian/control + + Package: $kernel_headers_packagename diff --git a/patch/kernel/odroidxu-next/packaging-next.patch b/patch/kernel/odroidxu-next/01-packaging-next.patch similarity index 100% rename from patch/kernel/odroidxu-next/packaging-next.patch rename to patch/kernel/odroidxu-next/01-packaging-next.patch diff --git a/patch/kernel/odroidxu-next/02-headers-packing.patch b/patch/kernel/odroidxu-next/02-headers-packing.patch new file mode 100644 index 000000000..d27fd190d --- /dev/null +++ b/patch/kernel/odroidxu-next/02-headers-packing.patch @@ -0,0 +1,13 @@ +diff --git a/scripts/package/builddeb b/scripts/package/builddeb +index 6c3b038..616aa9b 100755 +--- a/scripts/package/builddeb ++++ b/scripts/package/builddeb +@@ -334,6 +334,8 @@ mkdir -p "$destdir" + ln -sf "/usr/src/linux-headers-$version" "$kernel_headers_dir/lib/modules/$version/build" + rm -f "$objtree/debian/hdrsrcfiles" "$objtree/debian/hdrobjfiles" + ++(cd "$destdir"; make M=scripts clean) ++ + cat <> debian/control + + Package: $kernel_headers_packagename diff --git a/patch/kernel/odroidxu-next/patch-4.2.6-7.patch b/patch/kernel/odroidxu-next/patch-4.2.6-7.patch new file mode 100644 index 000000000..35ba2e411 --- /dev/null +++ b/patch/kernel/odroidxu-next/patch-4.2.6-7.patch @@ -0,0 +1,4131 @@ +diff --git a/Documentation/devicetree/bindings/usb/dwc3.txt b/Documentation/devicetree/bindings/usb/dwc3.txt +index 0815eac5b185..e12f3448846a 100644 +--- a/Documentation/devicetree/bindings/usb/dwc3.txt ++++ b/Documentation/devicetree/bindings/usb/dwc3.txt +@@ -35,6 +35,8 @@ Optional properties: + LTSSM during USB3 Compliance mode. + - snps,dis_u3_susphy_quirk: when set core will disable USB3 suspend phy. + - snps,dis_u2_susphy_quirk: when set core will disable USB2 suspend phy. ++ - snps,dis_enblslpm_quirk: when set clears the enblslpm in GUSB2PHYCFG, ++ disabling the suspend signal to the PHY. + - snps,is-utmi-l1-suspend: true when DWC3 asserts output signal + utmi_l1_suspend_n, false when asserts utmi_sleep_n + - snps,hird-threshold: HIRD threshold +diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt +index 6f7fafde0884..3e2844eca266 100644 +--- a/Documentation/filesystems/proc.txt ++++ b/Documentation/filesystems/proc.txt +@@ -140,7 +140,8 @@ Table 1-1: Process specific entries in /proc + stat Process status + statm Process memory status information + status Process status in human readable form +- wchan If CONFIG_KALLSYMS is set, a pre-decoded wchan ++ wchan Present with CONFIG_KALLSYMS=y: it shows the kernel function ++ symbol the task is blocked in - or "0" if not blocked. + pagemap Page table + stack Report full stack trace, enable via CONFIG_STACKTRACE + smaps a extension based on maps, showing the memory consumption of +@@ -310,7 +311,7 @@ Table 1-4: Contents of the stat files (as of 2.6.30-rc7) + blocked bitmap of blocked signals + sigign bitmap of ignored signals + sigcatch bitmap of caught signals +- wchan address where process went to sleep ++ 0 (place holder, used to be the wchan address, use /proc/PID/wchan instead) + 0 (place holder) + 0 (place holder) + exit_signal signal to send to parent thread on exit +diff --git a/Makefile b/Makefile +index 9ef37399b4e8..f5014eaf2532 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 2 +-SUBLEVEL = 6 ++SUBLEVEL = 7 + EXTRAVERSION = + NAME = Hurr durr I'ma sheep + +diff --git a/arch/arm/boot/dts/imx27.dtsi b/arch/arm/boot/dts/imx27.dtsi +index b69be5c499cf..8c603fdf9da1 100644 +--- a/arch/arm/boot/dts/imx27.dtsi ++++ b/arch/arm/boot/dts/imx27.dtsi +@@ -477,7 +477,10 @@ + compatible = "fsl,imx27-usb"; + reg = <0x10024000 0x200>; + interrupts = <56>; +- clocks = <&clks IMX27_CLK_USB_IPG_GATE>; ++ clocks = <&clks IMX27_CLK_USB_IPG_GATE>, ++ <&clks IMX27_CLK_USB_AHB_GATE>, ++ <&clks IMX27_CLK_USB_DIV>; ++ clock-names = "ipg", "ahb", "per"; + fsl,usbmisc = <&usbmisc 0>; + status = "disabled"; + }; +@@ -486,7 +489,10 @@ + compatible = "fsl,imx27-usb"; + reg = <0x10024200 0x200>; + interrupts = <54>; +- clocks = <&clks IMX27_CLK_USB_IPG_GATE>; ++ clocks = <&clks IMX27_CLK_USB_IPG_GATE>, ++ <&clks IMX27_CLK_USB_AHB_GATE>, ++ <&clks IMX27_CLK_USB_DIV>; ++ clock-names = "ipg", "ahb", "per"; + fsl,usbmisc = <&usbmisc 1>; + dr_mode = "host"; + status = "disabled"; +@@ -496,7 +502,10 @@ + compatible = "fsl,imx27-usb"; + reg = <0x10024400 0x200>; + interrupts = <55>; +- clocks = <&clks IMX27_CLK_USB_IPG_GATE>; ++ clocks = <&clks IMX27_CLK_USB_IPG_GATE>, ++ <&clks IMX27_CLK_USB_AHB_GATE>, ++ <&clks IMX27_CLK_USB_DIV>; ++ clock-names = "ipg", "ahb", "per"; + fsl,usbmisc = <&usbmisc 2>; + dr_mode = "host"; + status = "disabled"; +@@ -506,7 +515,6 @@ + #index-cells = <1>; + compatible = "fsl,imx27-usbmisc"; + reg = <0x10024600 0x200>; +- clocks = <&clks IMX27_CLK_USB_AHB_GATE>; + }; + + sahara2: sahara@10025000 { +diff --git a/arch/arm/boot/dts/omap5-uevm.dts b/arch/arm/boot/dts/omap5-uevm.dts +index 5771a149ce4a..23d645daeac1 100644 +--- a/arch/arm/boot/dts/omap5-uevm.dts ++++ b/arch/arm/boot/dts/omap5-uevm.dts +@@ -31,6 +31,24 @@ + regulator-max-microvolt = <3000000>; + }; + ++ mmc3_pwrseq: sdhci0_pwrseq { ++ compatible = "mmc-pwrseq-simple"; ++ clocks = <&clk32kgaudio>; ++ clock-names = "ext_clock"; ++ }; ++ ++ vmmcsdio_fixed: fixedregulator-mmcsdio { ++ compatible = "regulator-fixed"; ++ regulator-name = "vmmcsdio_fixed"; ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <1800000>; ++ gpio = <&gpio5 12 GPIO_ACTIVE_HIGH>; /* gpio140 WLAN_EN */ ++ enable-active-high; ++ startup-delay-us = <70000>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&wlan_pins>; ++ }; ++ + /* HS USB Host PHY on PORT 2 */ + hsusb2_phy: hsusb2_phy { + compatible = "usb-nop-xceiv"; +@@ -197,12 +215,20 @@ + >; + }; + +- mcspi4_pins: pinmux_mcspi4_pins { ++ mmc3_pins: pinmux_mmc3_pins { ++ pinctrl-single,pins = < ++ OMAP5_IOPAD(0x01a4, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_clk */ ++ OMAP5_IOPAD(0x01a6, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_cmd */ ++ OMAP5_IOPAD(0x01a8, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data0 */ ++ OMAP5_IOPAD(0x01aa, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data1 */ ++ OMAP5_IOPAD(0x01ac, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data2 */ ++ OMAP5_IOPAD(0x01ae, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data3 */ ++ >; ++ }; ++ ++ wlan_pins: pinmux_wlan_pins { + pinctrl-single,pins = < +- 0x164 (PIN_INPUT | MUX_MODE1) /* mcspi4_clk */ +- 0x168 (PIN_INPUT | MUX_MODE1) /* mcspi4_simo */ +- 0x16a (PIN_INPUT | MUX_MODE1) /* mcspi4_somi */ +- 0x16c (PIN_INPUT | MUX_MODE1) /* mcspi4_cs0 */ ++ OMAP5_IOPAD(0x1bc, PIN_OUTPUT | MUX_MODE6) /* mcspi1_clk.gpio5_140 */ + >; + }; + +@@ -276,6 +302,12 @@ + 0x1A (PIN_OUTPUT | MUX_MODE0) /* fref_clk1_out, USB hub clk */ + >; + }; ++ ++ wlcore_irq_pin: pinmux_wlcore_irq_pin { ++ pinctrl-single,pins = < ++ OMAP5_IOPAD(0x040, WAKEUP_EN | PIN_INPUT_PULLUP | MUX_MODE6) /* llia_wakereqin.gpio1_wk14 */ ++ >; ++ }; + }; + + &mmc1 { +@@ -290,8 +322,25 @@ + }; + + &mmc3 { ++ vmmc-supply = <&vmmcsdio_fixed>; ++ mmc-pwrseq = <&mmc3_pwrseq>; + bus-width = <4>; +- ti,non-removable; ++ non-removable; ++ cap-power-off-card; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&mmc3_pins &wlcore_irq_pin>; ++ interrupts-extended = <&gic GIC_SPI 94 IRQ_TYPE_LEVEL_HIGH ++ &omap5_pmx_core 0x168>; ++ ++ #address-cells = <1>; ++ #size-cells = <0>; ++ wlcore: wlcore@2 { ++ compatible = "ti,wl1271"; ++ reg = <2>; ++ interrupt-parent = <&gpio1>; ++ interrupts = <14 IRQ_TYPE_LEVEL_HIGH>; /* gpio 14 */ ++ ref-clock-frequency = <26000000>; ++ }; + }; + + &mmc4 { +@@ -591,11 +640,6 @@ + pinctrl-0 = <&mcspi3_pins>; + }; + +-&mcspi4 { +- pinctrl-names = "default"; +- pinctrl-0 = <&mcspi4_pins>; +-}; +- + &uart1 { + pinctrl-names = "default"; + pinctrl-0 = <&uart1_pins>; +diff --git a/arch/arm/boot/dts/sama5d4.dtsi b/arch/arm/boot/dts/sama5d4.dtsi +index 3ee22ee13c5a..1ba10e495f21 100644 +--- a/arch/arm/boot/dts/sama5d4.dtsi ++++ b/arch/arm/boot/dts/sama5d4.dtsi +@@ -939,11 +939,11 @@ + reg = <0xf8018000 0x4000>; + interrupts = <33 IRQ_TYPE_LEVEL_HIGH 6>; + dmas = <&dma1 +- (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1)) +- AT91_XDMAC_DT_PERID(4)>, ++ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) ++ | AT91_XDMAC_DT_PERID(4))>, + <&dma1 +- (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1)) +- AT91_XDMAC_DT_PERID(5)>; ++ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) ++ | AT91_XDMAC_DT_PERID(5))>; + dma-names = "tx", "rx"; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_i2c1>; +diff --git a/arch/arm/boot/dts/sun6i-a31-hummingbird.dts b/arch/arm/boot/dts/sun6i-a31-hummingbird.dts +index d0cfadac0691..18f26ca4e375 100644 +--- a/arch/arm/boot/dts/sun6i-a31-hummingbird.dts ++++ b/arch/arm/boot/dts/sun6i-a31-hummingbird.dts +@@ -184,18 +184,18 @@ + regulator-name = "vcc-3v0"; + }; + +- vdd_cpu: dcdc2 { ++ vdd_gpu: dcdc2 { + regulator-always-on; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1320000>; +- regulator-name = "vdd-cpu"; ++ regulator-name = "vdd-gpu"; + }; + +- vdd_gpu: dcdc3 { ++ vdd_cpu: dcdc3 { + regulator-always-on; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1320000>; +- regulator-name = "vdd-gpu"; ++ regulator-name = "vdd-cpu"; + }; + + vdd_sys_dll: dcdc4 { +diff --git a/arch/arm/common/edma.c b/arch/arm/common/edma.c +index 873dbfcc7dc9..56fc339571f9 100644 +--- a/arch/arm/common/edma.c ++++ b/arch/arm/common/edma.c +@@ -406,7 +406,8 @@ static irqreturn_t dma_irq_handler(int irq, void *data) + BIT(slot)); + if (edma_cc[ctlr]->intr_data[channel].callback) + edma_cc[ctlr]->intr_data[channel].callback( +- channel, EDMA_DMA_COMPLETE, ++ EDMA_CTLR_CHAN(ctlr, channel), ++ EDMA_DMA_COMPLETE, + edma_cc[ctlr]->intr_data[channel].data); + } + } while (sh_ipr); +@@ -460,7 +461,8 @@ static irqreturn_t dma_ccerr_handler(int irq, void *data) + if (edma_cc[ctlr]->intr_data[k]. + callback) { + edma_cc[ctlr]->intr_data[k]. +- callback(k, ++ callback( ++ EDMA_CTLR_CHAN(ctlr, k), + EDMA_DMA_CC_ERROR, + edma_cc[ctlr]->intr_data + [k].data); +diff --git a/arch/arm/include/asm/irq.h b/arch/arm/include/asm/irq.h +index 53c15dec7af6..6a9851ea6a60 100644 +--- a/arch/arm/include/asm/irq.h ++++ b/arch/arm/include/asm/irq.h +@@ -35,6 +35,11 @@ extern void (*handle_arch_irq)(struct pt_regs *); + extern void set_handle_irq(void (*handle_irq)(struct pt_regs *)); + #endif + ++static inline int nr_legacy_irqs(void) ++{ ++ return NR_IRQS_LEGACY; ++} ++ + #endif + + #endif +diff --git a/arch/arm/mach-at91/pm_suspend.S b/arch/arm/mach-at91/pm_suspend.S +index 0d95f488b47a..a25defda3d22 100644 +--- a/arch/arm/mach-at91/pm_suspend.S ++++ b/arch/arm/mach-at91/pm_suspend.S +@@ -80,6 +80,8 @@ tmp2 .req r5 + * @r2: base address of second SDRAM Controller or 0 if not present + * @r3: pm information + */ ++/* at91_pm_suspend_in_sram must be 8-byte aligned per the requirements of fncpy() */ ++ .align 3 + ENTRY(at91_pm_suspend_in_sram) + /* Save registers on stack */ + stmfd sp!, {r4 - r12, lr} +diff --git a/arch/arm/mach-pxa/include/mach/pxa27x.h b/arch/arm/mach-pxa/include/mach/pxa27x.h +index 599b925a657c..1a4291936c58 100644 +--- a/arch/arm/mach-pxa/include/mach/pxa27x.h ++++ b/arch/arm/mach-pxa/include/mach/pxa27x.h +@@ -19,7 +19,7 @@ + #define ARB_CORE_PARK (1<<24) /* Be parked with core when idle */ + #define ARB_LOCK_FLAG (1<<23) /* Only Locking masters gain access to the bus */ + +-extern int __init pxa27x_set_pwrmode(unsigned int mode); ++extern int pxa27x_set_pwrmode(unsigned int mode); + extern void pxa27x_cpu_pm_enter(suspend_state_t state); + + #endif /* __MACH_PXA27x_H */ +diff --git a/arch/arm/mach-pxa/pxa27x.c b/arch/arm/mach-pxa/pxa27x.c +index b5abdeb5bb2d..aa97547099fb 100644 +--- a/arch/arm/mach-pxa/pxa27x.c ++++ b/arch/arm/mach-pxa/pxa27x.c +@@ -84,7 +84,7 @@ EXPORT_SYMBOL_GPL(pxa27x_configure_ac97reset); + */ + static unsigned int pwrmode = PWRMODE_SLEEP; + +-int __init pxa27x_set_pwrmode(unsigned int mode) ++int pxa27x_set_pwrmode(unsigned int mode) + { + switch (mode) { + case PWRMODE_SLEEP: +diff --git a/arch/arm/mach-tegra/board-paz00.c b/arch/arm/mach-tegra/board-paz00.c +index fbe74c6806f3..49d1110cff53 100644 +--- a/arch/arm/mach-tegra/board-paz00.c ++++ b/arch/arm/mach-tegra/board-paz00.c +@@ -39,8 +39,8 @@ static struct platform_device wifi_rfkill_device = { + static struct gpiod_lookup_table wifi_gpio_lookup = { + .dev_id = "rfkill_gpio", + .table = { +- GPIO_LOOKUP_IDX("tegra-gpio", 25, NULL, 0, 0), +- GPIO_LOOKUP_IDX("tegra-gpio", 85, NULL, 1, 0), ++ GPIO_LOOKUP("tegra-gpio", 25, "reset", 0), ++ GPIO_LOOKUP("tegra-gpio", 85, "shutdown", 0), + { }, + }, + }; +diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c +index cba12f34ff77..25ecc6afec4c 100644 +--- a/arch/arm/mm/dma-mapping.c ++++ b/arch/arm/mm/dma-mapping.c +@@ -1413,12 +1413,19 @@ static int arm_iommu_mmap_attrs(struct device *dev, struct vm_area_struct *vma, + unsigned long uaddr = vma->vm_start; + unsigned long usize = vma->vm_end - vma->vm_start; + struct page **pages = __iommu_get_pages(cpu_addr, attrs); ++ unsigned long nr_pages = PAGE_ALIGN(size) >> PAGE_SHIFT; ++ unsigned long off = vma->vm_pgoff; + + vma->vm_page_prot = __get_dma_pgprot(attrs, vma->vm_page_prot); + + if (!pages) + return -ENXIO; + ++ if (off >= nr_pages || (usize >> PAGE_SHIFT) > nr_pages - off) ++ return -ENXIO; ++ ++ pages += off; ++ + do { + int ret = vm_insert_page(vma, uaddr, *pages++); + if (ret) { +diff --git a/arch/arm64/include/asm/irq.h b/arch/arm64/include/asm/irq.h +index bbb251b14746..8b9bf54105b3 100644 +--- a/arch/arm64/include/asm/irq.h ++++ b/arch/arm64/include/asm/irq.h +@@ -21,4 +21,9 @@ static inline void acpi_irq_init(void) + } + #define acpi_irq_init acpi_irq_init + ++static inline int nr_legacy_irqs(void) ++{ ++ return 0; ++} ++ + #endif +diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h +index d6dd9fdbc3be..d4264bb0a409 100644 +--- a/arch/arm64/include/asm/ptrace.h ++++ b/arch/arm64/include/asm/ptrace.h +@@ -83,14 +83,14 @@ + #define compat_sp regs[13] + #define compat_lr regs[14] + #define compat_sp_hyp regs[15] +-#define compat_sp_irq regs[16] +-#define compat_lr_irq regs[17] +-#define compat_sp_svc regs[18] +-#define compat_lr_svc regs[19] +-#define compat_sp_abt regs[20] +-#define compat_lr_abt regs[21] +-#define compat_sp_und regs[22] +-#define compat_lr_und regs[23] ++#define compat_lr_irq regs[16] ++#define compat_sp_irq regs[17] ++#define compat_lr_svc regs[18] ++#define compat_sp_svc regs[19] ++#define compat_lr_abt regs[20] ++#define compat_sp_abt regs[21] ++#define compat_lr_und regs[22] ++#define compat_sp_und regs[23] + #define compat_r8_fiq regs[24] + #define compat_r9_fiq regs[25] + #define compat_r10_fiq regs[26] +diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S +index 98073332e2d0..4d77757b5894 100644 +--- a/arch/arm64/kernel/vmlinux.lds.S ++++ b/arch/arm64/kernel/vmlinux.lds.S +@@ -60,9 +60,12 @@ PECOFF_FILE_ALIGNMENT = 0x200; + #define PECOFF_EDATA_PADDING + #endif + +-#ifdef CONFIG_DEBUG_ALIGN_RODATA ++#if defined(CONFIG_DEBUG_ALIGN_RODATA) + #define ALIGN_DEBUG_RO . = ALIGN(1<> 21) & 0x1f; + op_inst = (inst >> 16) & 0x1f; +- offset = inst & 0xffff; ++ offset = (int16_t)inst; + cache = (inst >> 16) & 0x3; + op = (inst >> 18) & 0x7; + +diff --git a/arch/mips/kvm/locore.S b/arch/mips/kvm/locore.S +index c567240386a0..d1ee95a7f7dd 100644 +--- a/arch/mips/kvm/locore.S ++++ b/arch/mips/kvm/locore.S +@@ -165,9 +165,11 @@ FEXPORT(__kvm_mips_vcpu_run) + + FEXPORT(__kvm_mips_load_asid) + /* Set the ASID for the Guest Kernel */ +- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ +- /* addresses shift to 0x80000000 */ +- bltz t0, 1f /* If kernel */ ++ PTR_L t0, VCPU_COP0(k1) ++ LONG_L t0, COP0_STATUS(t0) ++ andi t0, KSU_USER | ST0_ERL | ST0_EXL ++ xori t0, KSU_USER ++ bnez t0, 1f /* If kernel */ + INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ + INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */ + 1: +@@ -482,9 +484,11 @@ __kvm_mips_return_to_guest: + mtc0 t0, CP0_EPC + + /* Set the ASID for the Guest Kernel */ +- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ +- /* addresses shift to 0x80000000 */ +- bltz t0, 1f /* If kernel */ ++ PTR_L t0, VCPU_COP0(k1) ++ LONG_L t0, COP0_STATUS(t0) ++ andi t0, KSU_USER | ST0_ERL | ST0_EXL ++ xori t0, KSU_USER ++ bnez t0, 1f /* If kernel */ + INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ + INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */ + 1: +diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c +index cd4c129ce743..bafb32b4c6b4 100644 +--- a/arch/mips/kvm/mips.c ++++ b/arch/mips/kvm/mips.c +@@ -278,7 +278,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) + + if (!gebase) { + err = -ENOMEM; +- goto out_free_cpu; ++ goto out_uninit_cpu; + } + kvm_debug("Allocated %d bytes for KVM Exception Handlers @ %p\n", + ALIGN(size, PAGE_SIZE), gebase); +@@ -342,6 +342,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) + out_free_gebase: + kfree(gebase); + ++out_uninit_cpu: ++ kvm_vcpu_uninit(vcpu); ++ + out_free_cpu: + kfree(vcpu); + +diff --git a/arch/mips/lantiq/clk.c b/arch/mips/lantiq/clk.c +index 3fc2e6d70c77..a0706fd4ce0a 100644 +--- a/arch/mips/lantiq/clk.c ++++ b/arch/mips/lantiq/clk.c +@@ -99,6 +99,23 @@ int clk_set_rate(struct clk *clk, unsigned long rate) + } + EXPORT_SYMBOL(clk_set_rate); + ++long clk_round_rate(struct clk *clk, unsigned long rate) ++{ ++ if (unlikely(!clk_good(clk))) ++ return 0; ++ if (clk->rates && *clk->rates) { ++ unsigned long *r = clk->rates; ++ ++ while (*r && (*r != rate)) ++ r++; ++ if (!*r) { ++ return clk->rate; ++ } ++ } ++ return rate; ++} ++EXPORT_SYMBOL(clk_round_rate); ++ + int clk_enable(struct clk *clk) + { + if (unlikely(!clk_good(clk))) +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index c98d89708e99..cbee788d9625 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1051,8 +1051,7 @@ static int __inject_extcall(struct kvm_vcpu *vcpu, struct kvm_s390_irq *irq) + src_id, 0, 2); + + /* sending vcpu invalid */ +- if (src_id >= KVM_MAX_VCPUS || +- kvm_get_vcpu(vcpu->kvm, src_id) == NULL) ++ if (kvm_get_vcpu_by_id(vcpu->kvm, src_id) == NULL) + return -EINVAL; + + if (sclp.has_sigpif) +@@ -1131,6 +1130,10 @@ static int __inject_sigp_emergency(struct kvm_vcpu *vcpu, + trace_kvm_s390_inject_vcpu(vcpu->vcpu_id, KVM_S390_INT_EMERGENCY, + irq->u.emerg.code, 0, 2); + ++ /* sending vcpu invalid */ ++ if (kvm_get_vcpu_by_id(vcpu->kvm, irq->u.emerg.code) == NULL) ++ return -EINVAL; ++ + set_bit(irq->u.emerg.code, li->sigp_emerg_pending); + set_bit(IRQ_PEND_EXT_EMERGENCY, &li->pending_irqs); + atomic_set_mask(CPUSTAT_EXT_INT, li->cpuflags); +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index f32f843a3631..4a001c1b5a1a 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -289,12 +289,16 @@ static int kvm_vm_ioctl_enable_cap(struct kvm *kvm, struct kvm_enable_cap *cap) + r = 0; + break; + case KVM_CAP_S390_VECTOR_REGISTERS: +- if (MACHINE_HAS_VX) { ++ mutex_lock(&kvm->lock); ++ if (atomic_read(&kvm->online_vcpus)) { ++ r = -EBUSY; ++ } else if (MACHINE_HAS_VX) { + set_kvm_facility(kvm->arch.model.fac->mask, 129); + set_kvm_facility(kvm->arch.model.fac->list, 129); + r = 0; + } else + r = -EINVAL; ++ mutex_unlock(&kvm->lock); + break; + case KVM_CAP_S390_USER_STSI: + kvm->arch.user_stsi = 1; +@@ -1037,7 +1041,9 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type) + if (!kvm->arch.sca) + goto out_err; + spin_lock(&kvm_lock); +- sca_offset = (sca_offset + 16) & 0x7f0; ++ sca_offset += 16; ++ if (sca_offset + sizeof(struct sca_block) > PAGE_SIZE) ++ sca_offset = 0; + kvm->arch.sca = (struct sca_block *) ((char *) kvm->arch.sca + sca_offset); + spin_unlock(&kvm_lock); + +diff --git a/arch/s390/kvm/sigp.c b/arch/s390/kvm/sigp.c +index 72e58bd2bee7..7171056fc24d 100644 +--- a/arch/s390/kvm/sigp.c ++++ b/arch/s390/kvm/sigp.c +@@ -294,12 +294,8 @@ static int handle_sigp_dst(struct kvm_vcpu *vcpu, u8 order_code, + u16 cpu_addr, u32 parameter, u64 *status_reg) + { + int rc; +- struct kvm_vcpu *dst_vcpu; ++ struct kvm_vcpu *dst_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr); + +- if (cpu_addr >= KVM_MAX_VCPUS) +- return SIGP_CC_NOT_OPERATIONAL; +- +- dst_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr); + if (!dst_vcpu) + return SIGP_CC_NOT_OPERATIONAL; + +@@ -481,7 +477,7 @@ int kvm_s390_handle_sigp_pei(struct kvm_vcpu *vcpu) + trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr); + + if (order_code == SIGP_EXTERNAL_CALL) { +- dest_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr); ++ dest_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr); + BUG_ON(dest_vcpu == NULL); + + kvm_s390_vcpu_wakeup(dest_vcpu); +diff --git a/arch/tile/kernel/usb.c b/arch/tile/kernel/usb.c +index f0da5a237e94..9f1e05e12255 100644 +--- a/arch/tile/kernel/usb.c ++++ b/arch/tile/kernel/usb.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + + static u64 ehci_dmamask = DMA_BIT_MASK(32); +diff --git a/arch/x86/include/asm/i8259.h b/arch/x86/include/asm/i8259.h +index ccffa53750a8..39bcefc20de7 100644 +--- a/arch/x86/include/asm/i8259.h ++++ b/arch/x86/include/asm/i8259.h +@@ -60,6 +60,7 @@ struct legacy_pic { + void (*mask_all)(void); + void (*restore_mask)(void); + void (*init)(int auto_eoi); ++ int (*probe)(void); + int (*irq_pending)(unsigned int irq); + void (*make_irq)(unsigned int irq); + }; +diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h +index e16466ec473c..e9cd7befcb76 100644 +--- a/arch/x86/include/asm/kvm_emulate.h ++++ b/arch/x86/include/asm/kvm_emulate.h +@@ -112,6 +112,16 @@ struct x86_emulate_ops { + struct x86_exception *fault); + + /* ++ * read_phys: Read bytes of standard (non-emulated/special) memory. ++ * Used for descriptor reading. ++ * @addr: [IN ] Physical address from which to read. ++ * @val: [OUT] Value read from memory. ++ * @bytes: [IN ] Number of bytes to read from memory. ++ */ ++ int (*read_phys)(struct x86_emulate_ctxt *ctxt, unsigned long addr, ++ void *val, unsigned int bytes); ++ ++ /* + * write_std: Write bytes of standard (non-emulated/special) memory. + * Used for descriptor writing. + * @addr: [IN ] Linear address to which to write. +diff --git a/arch/x86/include/uapi/asm/svm.h b/arch/x86/include/uapi/asm/svm.h +index b5d7640abc5d..8a4add8e4639 100644 +--- a/arch/x86/include/uapi/asm/svm.h ++++ b/arch/x86/include/uapi/asm/svm.h +@@ -100,6 +100,7 @@ + { SVM_EXIT_EXCP_BASE + UD_VECTOR, "UD excp" }, \ + { SVM_EXIT_EXCP_BASE + PF_VECTOR, "PF excp" }, \ + { SVM_EXIT_EXCP_BASE + NM_VECTOR, "NM excp" }, \ ++ { SVM_EXIT_EXCP_BASE + AC_VECTOR, "AC excp" }, \ + { SVM_EXIT_EXCP_BASE + MC_VECTOR, "MC excp" }, \ + { SVM_EXIT_INTR, "interrupt" }, \ + { SVM_EXIT_NMI, "nmi" }, \ +diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c +index 2683f36e4e0a..ea4ba83ca0cf 100644 +--- a/arch/x86/kernel/apic/vector.c ++++ b/arch/x86/kernel/apic/vector.c +@@ -360,7 +360,11 @@ int __init arch_probe_nr_irqs(void) + if (nr < nr_irqs) + nr_irqs = nr; + +- return nr_legacy_irqs(); ++ /* ++ * We don't know if PIC is present at this point so we need to do ++ * probe() to get the right number of legacy IRQs. ++ */ ++ return legacy_pic->probe(); + } + + #ifdef CONFIG_X86_IO_APIC +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index cb9e5df42dd2..e4f929d97c42 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -272,10 +272,9 @@ __setup("nosmap", setup_disable_smap); + + static __always_inline void setup_smap(struct cpuinfo_x86 *c) + { +- unsigned long eflags; ++ unsigned long eflags = native_save_fl(); + + /* This should have been cleared long ago */ +- raw_local_save_flags(eflags); + BUG_ON(eflags & X86_EFLAGS_AC); + + if (cpu_has(c, X86_FEATURE_SMAP)) { +diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c +index 50ec9af1bd51..6545e6ddbfb1 100644 +--- a/arch/x86/kernel/fpu/signal.c ++++ b/arch/x86/kernel/fpu/signal.c +@@ -385,20 +385,19 @@ fpu__alloc_mathframe(unsigned long sp, int ia32_frame, + */ + void fpu__init_prepare_fx_sw_frame(void) + { +- int fsave_header_size = sizeof(struct fregs_state); + int size = xstate_size + FP_XSTATE_MAGIC2_SIZE; + +- if (config_enabled(CONFIG_X86_32)) +- size += fsave_header_size; +- + fx_sw_reserved.magic1 = FP_XSTATE_MAGIC1; + fx_sw_reserved.extended_size = size; + fx_sw_reserved.xfeatures = xfeatures_mask; + fx_sw_reserved.xstate_size = xstate_size; + +- if (config_enabled(CONFIG_IA32_EMULATION)) { ++ if (config_enabled(CONFIG_IA32_EMULATION) || ++ config_enabled(CONFIG_X86_32)) { ++ int fsave_header_size = sizeof(struct fregs_state); ++ + fx_sw_reserved_ia32 = fx_sw_reserved; +- fx_sw_reserved_ia32.extended_size += fsave_header_size; ++ fx_sw_reserved_ia32.extended_size = size + fsave_header_size; + } + } + +diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c +index 62fc001c7846..2c4ac072a702 100644 +--- a/arch/x86/kernel/fpu/xstate.c ++++ b/arch/x86/kernel/fpu/xstate.c +@@ -402,7 +402,6 @@ void *get_xsave_addr(struct xregs_state *xsave, int xstate_feature) + if (!boot_cpu_has(X86_FEATURE_XSAVE)) + return NULL; + +- xsave = ¤t->thread.fpu.state.xsave; + /* + * We should not ever be requesting features that we + * have not enabled. Remember that pcntxt_mask is +diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S +index 1d40ca8a73f2..ffdc0e860390 100644 +--- a/arch/x86/kernel/head_64.S ++++ b/arch/x86/kernel/head_64.S +@@ -65,6 +65,9 @@ startup_64: + * tables and then reload them. + */ + ++ /* Sanitize CPU configuration */ ++ call verify_cpu ++ + /* + * Compute the delta between the address I am compiled to run at and the + * address I am actually running at. +@@ -174,6 +177,9 @@ ENTRY(secondary_startup_64) + * after the boot processor executes this code. + */ + ++ /* Sanitize CPU configuration */ ++ call verify_cpu ++ + movq $(init_level4_pgt - __START_KERNEL_map), %rax + 1: + +@@ -288,6 +294,8 @@ ENTRY(secondary_startup_64) + pushq %rax # target address in negative space + lretq + ++#include "verify_cpu.S" ++ + #ifdef CONFIG_HOTPLUG_CPU + /* + * Boot CPU0 entry point. It's called from play_dead(). Everything has been set +diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c +index 16cb827a5b27..be22f5a2192e 100644 +--- a/arch/x86/kernel/i8259.c ++++ b/arch/x86/kernel/i8259.c +@@ -295,16 +295,11 @@ static void unmask_8259A(void) + raw_spin_unlock_irqrestore(&i8259A_lock, flags); + } + +-static void init_8259A(int auto_eoi) ++static int probe_8259A(void) + { + unsigned long flags; + unsigned char probe_val = ~(1 << PIC_CASCADE_IR); + unsigned char new_val; +- +- i8259A_auto_eoi = auto_eoi; +- +- raw_spin_lock_irqsave(&i8259A_lock, flags); +- + /* + * Check to see if we have a PIC. + * Mask all except the cascade and read +@@ -312,16 +307,28 @@ static void init_8259A(int auto_eoi) + * have a PIC, we will read 0xff as opposed to the + * value we wrote. + */ ++ raw_spin_lock_irqsave(&i8259A_lock, flags); ++ + outb(0xff, PIC_SLAVE_IMR); /* mask all of 8259A-2 */ + outb(probe_val, PIC_MASTER_IMR); + new_val = inb(PIC_MASTER_IMR); + if (new_val != probe_val) { + printk(KERN_INFO "Using NULL legacy PIC\n"); + legacy_pic = &null_legacy_pic; +- raw_spin_unlock_irqrestore(&i8259A_lock, flags); +- return; + } + ++ raw_spin_unlock_irqrestore(&i8259A_lock, flags); ++ return nr_legacy_irqs(); ++} ++ ++static void init_8259A(int auto_eoi) ++{ ++ unsigned long flags; ++ ++ i8259A_auto_eoi = auto_eoi; ++ ++ raw_spin_lock_irqsave(&i8259A_lock, flags); ++ + outb(0xff, PIC_MASTER_IMR); /* mask all of 8259A-1 */ + + /* +@@ -379,6 +386,10 @@ static int legacy_pic_irq_pending_noop(unsigned int irq) + { + return 0; + } ++static int legacy_pic_probe(void) ++{ ++ return 0; ++} + + struct legacy_pic null_legacy_pic = { + .nr_legacy_irqs = 0, +@@ -388,6 +399,7 @@ struct legacy_pic null_legacy_pic = { + .mask_all = legacy_pic_noop, + .restore_mask = legacy_pic_noop, + .init = legacy_pic_int_noop, ++ .probe = legacy_pic_probe, + .irq_pending = legacy_pic_irq_pending_noop, + .make_irq = legacy_pic_uint_noop, + }; +@@ -400,6 +412,7 @@ struct legacy_pic default_legacy_pic = { + .mask_all = mask_8259A, + .restore_mask = unmask_8259A, + .init = init_8259A, ++ .probe = probe_8259A, + .irq_pending = i8259A_irq_pending, + .make_irq = make_8259A_irq, + }; +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 80f874bf999e..1e6f70f1f251 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1198,6 +1198,14 @@ void __init setup_arch(char **cmdline_p) + clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY, + swapper_pg_dir + KERNEL_PGD_BOUNDARY, + KERNEL_PGD_PTRS); ++ ++ /* ++ * sync back low identity map too. It is used for example ++ * in the 32-bit EFI stub. ++ */ ++ clone_pgd_range(initial_page_table, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)); + #endif + + tboot_probe(); +diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S +index b9242bacbe59..4cf401f581e7 100644 +--- a/arch/x86/kernel/verify_cpu.S ++++ b/arch/x86/kernel/verify_cpu.S +@@ -34,10 +34,11 @@ + #include + + verify_cpu: +- pushfl # Save caller passed flags +- pushl $0 # Kill any dangerous flags +- popfl ++ pushf # Save caller passed flags ++ push $0 # Kill any dangerous flags ++ popf + ++#ifndef __x86_64__ + pushfl # standard way to check for cpuid + popl %eax + movl %eax,%ebx +@@ -48,6 +49,7 @@ verify_cpu: + popl %eax + cmpl %eax,%ebx + jz verify_cpu_no_longmode # cpu has no cpuid ++#endif + + movl $0x0,%eax # See if cpuid 1 is implemented + cpuid +@@ -130,10 +132,10 @@ verify_cpu_sse_test: + jmp verify_cpu_sse_test # try again + + verify_cpu_no_longmode: +- popfl # Restore caller passed flags ++ popf # Restore caller passed flags + movl $1,%eax + ret + verify_cpu_sse_ok: +- popfl # Restore caller passed flags ++ popf # Restore caller passed flags + xorl %eax, %eax + ret +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 2392541a96e6..f17c342355f6 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2272,8 +2272,8 @@ static int emulator_has_longmode(struct x86_emulate_ctxt *ctxt) + #define GET_SMSTATE(type, smbase, offset) \ + ({ \ + type __val; \ +- int r = ctxt->ops->read_std(ctxt, smbase + offset, &__val, \ +- sizeof(__val), NULL); \ ++ int r = ctxt->ops->read_phys(ctxt, smbase + offset, &__val, \ ++ sizeof(__val)); \ + if (r != X86EMUL_CONTINUE) \ + return X86EMUL_UNHANDLEABLE; \ + __val; \ +@@ -2484,17 +2484,36 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt) + + /* + * Get back to real mode, to prepare a safe state in which to load +- * CR0/CR3/CR4/EFER. Also this will ensure that addresses passed +- * to read_std/write_std are not virtual. +- * +- * CR4.PCIDE must be zero, because it is a 64-bit mode only feature. ++ * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU ++ * supports long mode. + */ ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (emulator_has_longmode(ctxt)) { ++ struct desc_struct cs_desc; ++ ++ /* Zero CR4.PCIDE before CR0.PG. */ ++ if (cr4 & X86_CR4_PCIDE) { ++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE); ++ cr4 &= ~X86_CR4_PCIDE; ++ } ++ ++ /* A 32-bit code segment is required to clear EFER.LMA. */ ++ memset(&cs_desc, 0, sizeof(cs_desc)); ++ cs_desc.type = 0xb; ++ cs_desc.s = cs_desc.g = cs_desc.p = 1; ++ ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS); ++ } ++ ++ /* For the 64-bit case, this will clear EFER.LMA. */ + cr0 = ctxt->ops->get_cr(ctxt, 0); + if (cr0 & X86_CR0_PE) + ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE)); +- cr4 = ctxt->ops->get_cr(ctxt, 4); ++ ++ /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */ + if (cr4 & X86_CR4_PAE) + ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); ++ ++ /* And finally go back to 32-bit mode. */ + efer = 0; + ctxt->ops->set_msr(ctxt, MSR_EFER, efer); + +@@ -4455,7 +4474,7 @@ static const struct opcode twobyte_table[256] = { + F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N, + /* 0xA8 - 0xAF */ + I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg), +- II(No64 | EmulateOnUD | ImplicitOps, em_rsm, rsm), ++ II(EmulateOnUD | ImplicitOps, em_rsm, rsm), + F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts), + F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd), + F(DstMem | SrcReg | Src2CL | ModRM, em_shrd), +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 2a5ca97c263b..236e346584c3 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -348,6 +348,8 @@ void kvm_apic_update_irr(struct kvm_vcpu *vcpu, u32 *pir) + struct kvm_lapic *apic = vcpu->arch.apic; + + __kvm_apic_update_irr(pir, apic->regs); ++ ++ kvm_make_request(KVM_REQ_EVENT, vcpu); + } + EXPORT_SYMBOL_GPL(kvm_apic_update_irr); + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 2d32b67a1043..00da6e85a27f 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1085,7 +1085,7 @@ static u64 svm_compute_tsc_offset(struct kvm_vcpu *vcpu, u64 target_tsc) + return target_tsc - tsc; + } + +-static void init_vmcb(struct vcpu_svm *svm, bool init_event) ++static void init_vmcb(struct vcpu_svm *svm) + { + struct vmcb_control_area *control = &svm->vmcb->control; + struct vmcb_save_area *save = &svm->vmcb->save; +@@ -1106,6 +1106,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event) + set_exception_intercept(svm, PF_VECTOR); + set_exception_intercept(svm, UD_VECTOR); + set_exception_intercept(svm, MC_VECTOR); ++ set_exception_intercept(svm, AC_VECTOR); + + set_intercept(svm, INTERCEPT_INTR); + set_intercept(svm, INTERCEPT_NMI); +@@ -1156,8 +1157,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event) + init_sys_seg(&save->ldtr, SEG_TYPE_LDT); + init_sys_seg(&save->tr, SEG_TYPE_BUSY_TSS16); + +- if (!init_event) +- svm_set_efer(&svm->vcpu, 0); ++ svm_set_efer(&svm->vcpu, 0); + save->dr6 = 0xffff0ff0; + kvm_set_rflags(&svm->vcpu, 2); + save->rip = 0x0000fff0; +@@ -1211,7 +1211,7 @@ static void svm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) + if (kvm_vcpu_is_reset_bsp(&svm->vcpu)) + svm->vcpu.arch.apic_base |= MSR_IA32_APICBASE_BSP; + } +- init_vmcb(svm, init_event); ++ init_vmcb(svm); + + kvm_cpuid(vcpu, &eax, &dummy, &dummy, &dummy); + kvm_register_write(vcpu, VCPU_REGS_RDX, eax); +@@ -1267,7 +1267,7 @@ static struct kvm_vcpu *svm_create_vcpu(struct kvm *kvm, unsigned int id) + clear_page(svm->vmcb); + svm->vmcb_pa = page_to_pfn(page) << PAGE_SHIFT; + svm->asid_generation = 0; +- init_vmcb(svm, false); ++ init_vmcb(svm); + + svm_init_osvw(&svm->vcpu); + +@@ -1795,6 +1795,12 @@ static int ud_interception(struct vcpu_svm *svm) + return 1; + } + ++static int ac_interception(struct vcpu_svm *svm) ++{ ++ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0); ++ return 1; ++} ++ + static void svm_fpu_activate(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); +@@ -1889,7 +1895,7 @@ static int shutdown_interception(struct vcpu_svm *svm) + * so reinitialize it. + */ + clear_page(svm->vmcb); +- init_vmcb(svm, false); ++ init_vmcb(svm); + + kvm_run->exit_reason = KVM_EXIT_SHUTDOWN; + return 0; +@@ -3369,6 +3375,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = { + [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception, + [SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception, + [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception, ++ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception, + [SVM_EXIT_INTR] = intr_interception, + [SVM_EXIT_NMI] = nmi_interception, + [SVM_EXIT_SMI] = nop_on_interception, +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index aa9e8229571d..e77d75b8772a 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu) + u32 eb; + + eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) | +- (1u << NM_VECTOR) | (1u << DB_VECTOR); ++ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR); + if ((vcpu->guest_debug & + (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) == + (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) +@@ -4780,8 +4780,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) + vmx_set_cr0(vcpu, cr0); /* enter rmode */ + vmx->vcpu.arch.cr0 = cr0; + vmx_set_cr4(vcpu, 0); +- if (!init_event) +- vmx_set_efer(vcpu, 0); ++ vmx_set_efer(vcpu, 0); + vmx_fpu_activate(vcpu); + update_exception_bitmap(vcpu); + +@@ -5118,6 +5117,9 @@ static int handle_exception(struct kvm_vcpu *vcpu) + return handle_rmode_exception(vcpu, ex_no, error_code); + + switch (ex_no) { ++ case AC_VECTOR: ++ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code); ++ return 1; + case DB_VECTOR: + dr6 = vmcs_readl(EXIT_QUALIFICATION); + if (!(vcpu->guest_debug & +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 373328b71599..2781e2b0201d 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -621,7 +621,9 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) + if ((cr0 ^ old_cr0) & update_bits) + kvm_mmu_reset_context(vcpu); + +- if ((cr0 ^ old_cr0) & X86_CR0_CD) ++ if (((cr0 ^ old_cr0) & X86_CR0_CD) && ++ kvm_arch_has_noncoherent_dma(vcpu->kvm) && ++ !kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_CD_NW_CLEARED)) + kvm_zap_gfn_range(vcpu->kvm, 0, ~0ULL); + + return 0; +@@ -4260,6 +4262,15 @@ static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt, + return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception); + } + ++static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt, ++ unsigned long addr, void *val, unsigned int bytes) ++{ ++ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); ++ int r = kvm_vcpu_read_guest(vcpu, addr, val, bytes); ++ ++ return r < 0 ? X86EMUL_IO_NEEDED : X86EMUL_CONTINUE; ++} ++ + int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, + gva_t addr, void *val, + unsigned int bytes, +@@ -4995,6 +5006,7 @@ static const struct x86_emulate_ops emulate_ops = { + .write_gpr = emulator_write_gpr, + .read_std = kvm_read_guest_virt_system, + .write_std = kvm_write_guest_virt_system, ++ .read_phys = kvm_read_guest_phys_system, + .fetch = kvm_fetch_guest_virt, + .read_emulated = emulator_read_emulated, + .write_emulated = emulator_write_emulated, +diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c +index db1b0bc5017c..c28f6185f8a4 100644 +--- a/arch/x86/mm/mpx.c ++++ b/arch/x86/mm/mpx.c +@@ -622,6 +622,29 @@ static unsigned long mpx_bd_entry_to_bt_addr(struct mm_struct *mm, + } + + /* ++ * We only want to do a 4-byte get_user() on 32-bit. Otherwise, ++ * we might run off the end of the bounds table if we are on ++ * a 64-bit kernel and try to get 8 bytes. ++ */ ++int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret, ++ long __user *bd_entry_ptr) ++{ ++ u32 bd_entry_32; ++ int ret; ++ ++ if (is_64bit_mm(mm)) ++ return get_user(*bd_entry_ret, bd_entry_ptr); ++ ++ /* ++ * Note that get_user() uses the type of the *pointer* to ++ * establish the size of the get, not the destination. ++ */ ++ ret = get_user(bd_entry_32, (u32 __user *)bd_entry_ptr); ++ *bd_entry_ret = bd_entry_32; ++ return ret; ++} ++ ++/* + * Get the base of bounds tables pointed by specific bounds + * directory entry. + */ +@@ -641,7 +664,7 @@ static int get_bt_addr(struct mm_struct *mm, + int need_write = 0; + + pagefault_disable(); +- ret = get_user(bd_entry, bd_entry_ptr); ++ ret = get_user_bd_entry(mm, &bd_entry, bd_entry_ptr); + pagefault_enable(); + if (!ret) + break; +@@ -736,11 +759,23 @@ static unsigned long mpx_get_bt_entry_offset_bytes(struct mm_struct *mm, + */ + static inline unsigned long bd_entry_virt_space(struct mm_struct *mm) + { +- unsigned long long virt_space = (1ULL << boot_cpu_data.x86_virt_bits); +- if (is_64bit_mm(mm)) +- return virt_space / MPX_BD_NR_ENTRIES_64; +- else +- return virt_space / MPX_BD_NR_ENTRIES_32; ++ unsigned long long virt_space; ++ unsigned long long GB = (1ULL << 30); ++ ++ /* ++ * This covers 32-bit emulation as well as 32-bit kernels ++ * running on 64-bit harware. ++ */ ++ if (!is_64bit_mm(mm)) ++ return (4ULL * GB) / MPX_BD_NR_ENTRIES_32; ++ ++ /* ++ * 'x86_virt_bits' returns what the hardware is capable ++ * of, and returns the full >32-bit adddress space when ++ * running 32-bit kernels on 64-bit hardware. ++ */ ++ virt_space = (1ULL << boot_cpu_data.x86_virt_bits); ++ return virt_space / MPX_BD_NR_ENTRIES_64; + } + + /* +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c +index e527a3e13939..fa893c3ec408 100644 +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -93,6 +93,7 @@ static const struct usb_device_id ath3k_table[] = { + { USB_DEVICE(0x04CA, 0x300f) }, + { USB_DEVICE(0x04CA, 0x3010) }, + { USB_DEVICE(0x0930, 0x0219) }, ++ { USB_DEVICE(0x0930, 0x021c) }, + { USB_DEVICE(0x0930, 0x0220) }, + { USB_DEVICE(0x0930, 0x0227) }, + { USB_DEVICE(0x0b05, 0x17d0) }, +@@ -104,6 +105,7 @@ static const struct usb_device_id ath3k_table[] = { + { USB_DEVICE(0x0CF3, 0x311F) }, + { USB_DEVICE(0x0cf3, 0x3121) }, + { USB_DEVICE(0x0CF3, 0x817a) }, ++ { USB_DEVICE(0x0CF3, 0x817b) }, + { USB_DEVICE(0x0cf3, 0xe003) }, + { USB_DEVICE(0x0CF3, 0xE004) }, + { USB_DEVICE(0x0CF3, 0xE005) }, +@@ -153,6 +155,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = { + { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, +@@ -164,6 +167,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = { + { USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0CF3, 0x817b), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 }, +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index b4cf8d9c9dac..7d9b09f4158c 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -192,6 +192,7 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, +@@ -203,6 +204,7 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, +diff --git a/drivers/clk/bcm/clk-iproc-pll.c b/drivers/clk/bcm/clk-iproc-pll.c +index 2dda4e8295a9..d679ab869653 100644 +--- a/drivers/clk/bcm/clk-iproc-pll.c ++++ b/drivers/clk/bcm/clk-iproc-pll.c +@@ -345,8 +345,8 @@ static unsigned long iproc_pll_recalc_rate(struct clk_hw *hw, + struct iproc_pll *pll = clk->pll; + const struct iproc_pll_ctrl *ctrl = pll->ctrl; + u32 val; +- u64 ndiv; +- unsigned int ndiv_int, ndiv_frac, pdiv; ++ u64 ndiv, ndiv_int, ndiv_frac; ++ unsigned int pdiv; + + if (parent_rate == 0) + return 0; +@@ -366,22 +366,19 @@ static unsigned long iproc_pll_recalc_rate(struct clk_hw *hw, + val = readl(pll->pll_base + ctrl->ndiv_int.offset); + ndiv_int = (val >> ctrl->ndiv_int.shift) & + bit_mask(ctrl->ndiv_int.width); +- ndiv = (u64)ndiv_int << ctrl->ndiv_int.shift; ++ ndiv = ndiv_int << 20; + + if (ctrl->flags & IPROC_CLK_PLL_HAS_NDIV_FRAC) { + val = readl(pll->pll_base + ctrl->ndiv_frac.offset); + ndiv_frac = (val >> ctrl->ndiv_frac.shift) & + bit_mask(ctrl->ndiv_frac.width); +- +- if (ndiv_frac != 0) +- ndiv = ((u64)ndiv_int << ctrl->ndiv_int.shift) | +- ndiv_frac; ++ ndiv += ndiv_frac; + } + + val = readl(pll->pll_base + ctrl->pdiv.offset); + pdiv = (val >> ctrl->pdiv.shift) & bit_mask(ctrl->pdiv.width); + +- clk->rate = (ndiv * parent_rate) >> ctrl->ndiv_int.shift; ++ clk->rate = (ndiv * parent_rate) >> 20; + + if (pdiv == 0) + clk->rate *= 2; +diff --git a/drivers/clk/versatile/clk-icst.c b/drivers/clk/versatile/clk-icst.c +index bc96f103bd7c..9064636a867f 100644 +--- a/drivers/clk/versatile/clk-icst.c ++++ b/drivers/clk/versatile/clk-icst.c +@@ -156,8 +156,10 @@ struct clk *icst_clk_register(struct device *dev, + icst->lockreg = base + desc->lock_offset; + + clk = clk_register(dev, &icst->hw); +- if (IS_ERR(clk)) ++ if (IS_ERR(clk)) { ++ kfree(pclone); + kfree(icst); ++ } + + return clk; + } +diff --git a/drivers/mfd/twl6040.c b/drivers/mfd/twl6040.c +index c5265c1262c5..6aacd205a774 100644 +--- a/drivers/mfd/twl6040.c ++++ b/drivers/mfd/twl6040.c +@@ -647,6 +647,8 @@ static int twl6040_probe(struct i2c_client *client, + + twl6040->clk32k = devm_clk_get(&client->dev, "clk32k"); + if (IS_ERR(twl6040->clk32k)) { ++ if (PTR_ERR(twl6040->clk32k) == -EPROBE_DEFER) ++ return -EPROBE_DEFER; + dev_info(&client->dev, "clk32k is not handled\n"); + twl6040->clk32k = NULL; + } +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index a98dd4f1b0e3..cbbb1c93386d 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1751,6 +1751,7 @@ err_undo_flags: + slave_dev->dev_addr)) + eth_hw_addr_random(bond_dev); + if (bond_dev->type != ARPHRD_ETHER) { ++ dev_close(bond_dev); + ether_setup(bond_dev); + bond_dev->flags |= IFF_MASTER; + bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING; +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index aede704605c6..141c2a42d7ed 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -915,7 +915,7 @@ static int can_fill_info(struct sk_buff *skb, const struct net_device *dev) + nla_put(skb, IFLA_CAN_BITTIMING_CONST, + sizeof(*priv->bittiming_const), priv->bittiming_const)) || + +- nla_put(skb, IFLA_CAN_CLOCK, sizeof(cm), &priv->clock) || ++ nla_put(skb, IFLA_CAN_CLOCK, sizeof(priv->clock), &priv->clock) || + nla_put_u32(skb, IFLA_CAN_STATE, state) || + nla_put(skb, IFLA_CAN_CTRLMODE, sizeof(cm), &cm) || + nla_put_u32(skb, IFLA_CAN_RESTART_MS, priv->restart_ms) || +diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c +index 7b92e911a616..f10834be48a5 100644 +--- a/drivers/net/can/sja1000/sja1000.c ++++ b/drivers/net/can/sja1000/sja1000.c +@@ -218,6 +218,9 @@ static void sja1000_start(struct net_device *dev) + priv->write_reg(priv, SJA1000_RXERR, 0x0); + priv->read_reg(priv, SJA1000_ECC); + ++ /* clear interrupt flags */ ++ priv->read_reg(priv, SJA1000_IR); ++ + /* leave reset mode */ + set_normal_mode(dev); + } +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +index a4473d8ff4fa..f672dba345f7 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +@@ -1595,7 +1595,7 @@ static void xgbe_dev_xmit(struct xgbe_channel *channel) + packet->rdesc_count, 1); + + /* Make sure ownership is written to the descriptor */ +- dma_wmb(); ++ smp_wmb(); + + ring->cur = cur_index + 1; + if (!packet->skb->xmit_more || +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index aae9d5ecd182..dde0486667e0 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -1807,6 +1807,7 @@ static int xgbe_tx_poll(struct xgbe_channel *channel) + struct netdev_queue *txq; + int processed = 0; + unsigned int tx_packets = 0, tx_bytes = 0; ++ unsigned int cur; + + DBGPR("-->xgbe_tx_poll\n"); + +@@ -1814,10 +1815,15 @@ static int xgbe_tx_poll(struct xgbe_channel *channel) + if (!ring) + return 0; + ++ cur = ring->cur; ++ ++ /* Be sure we get ring->cur before accessing descriptor data */ ++ smp_rmb(); ++ + txq = netdev_get_tx_queue(netdev, channel->queue_index); + + while ((processed < XGBE_TX_DESC_MAX_PROC) && +- (ring->dirty != ring->cur)) { ++ (ring->dirty != cur)) { + rdata = XGBE_GET_DESC_DATA(ring, ring->dirty); + rdesc = rdata->rdesc; + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index de63266de16b..5d1dde3f3540 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1775,7 +1775,7 @@ static int fec_enet_mdio_read(struct mii_bus *bus, int mii_id, int regnum) + int ret = 0; + + ret = pm_runtime_get_sync(dev); +- if (IS_ERR_VALUE(ret)) ++ if (ret < 0) + return ret; + + fep->mii_timeout = 0; +@@ -1811,11 +1811,13 @@ static int fec_enet_mdio_write(struct mii_bus *bus, int mii_id, int regnum, + struct fec_enet_private *fep = bus->priv; + struct device *dev = &fep->pdev->dev; + unsigned long time_left; +- int ret = 0; ++ int ret; + + ret = pm_runtime_get_sync(dev); +- if (IS_ERR_VALUE(ret)) ++ if (ret < 0) + return ret; ++ else ++ ret = 0; + + fep->mii_timeout = 0; + reinit_completion(&fep->mdio_done); +@@ -2866,7 +2868,7 @@ fec_enet_open(struct net_device *ndev) + int ret; + + ret = pm_runtime_get_sync(&fep->pdev->dev); +- if (IS_ERR_VALUE(ret)) ++ if (ret < 0) + return ret; + + pinctrl_pm_select_default_state(&fep->pdev->dev); +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 09ec32e33076..7e788073c154 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -949,7 +949,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp) + /* Set CPU queue access map - all CPUs have access to all RX + * queues and to all TX queues + */ +- for (cpu = 0; cpu < CONFIG_NR_CPUS; cpu++) ++ for_each_present_cpu(cpu) + mvreg_write(pp, MVNETA_CPU_MAP(cpu), + (MVNETA_CPU_RXQ_ACCESS_ALL_MASK | + MVNETA_CPU_TXQ_ACCESS_ALL_MASK)); +@@ -1533,12 +1533,16 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo, + } + + skb = build_skb(data, pp->frag_size > PAGE_SIZE ? 0 : pp->frag_size); +- if (!skb) +- goto err_drop_frame; + ++ /* After refill old buffer has to be unmapped regardless ++ * the skb is successfully built or not. ++ */ + dma_unmap_single(dev->dev.parent, phys_addr, + MVNETA_RX_BUF_SIZE(pp->pkt_size), DMA_FROM_DEVICE); + ++ if (!skb) ++ goto err_drop_frame; ++ + rcvd_pkts++; + rcvd_bytes += rx_bytes; + +diff --git a/drivers/net/ethernet/mellanox/mlx4/cmd.c b/drivers/net/ethernet/mellanox/mlx4/cmd.c +index 0a3202047569..2177e56ed0be 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c +@@ -2398,7 +2398,7 @@ int mlx4_multi_func_init(struct mlx4_dev *dev) + } + } + +- memset(&priv->mfunc.master.cmd_eqe, 0, dev->caps.eqe_size); ++ memset(&priv->mfunc.master.cmd_eqe, 0, sizeof(struct mlx4_eqe)); + priv->mfunc.master.cmd_eqe.type = MLX4_EVENT_TYPE_CMD; + INIT_WORK(&priv->mfunc.master.comm_work, + mlx4_master_comm_channel); +diff --git a/drivers/net/ethernet/mellanox/mlx4/eq.c b/drivers/net/ethernet/mellanox/mlx4/eq.c +index 8e81e53c370e..ad8f95df4310 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/eq.c ++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c +@@ -196,7 +196,7 @@ static void slave_event(struct mlx4_dev *dev, u8 slave, struct mlx4_eqe *eqe) + return; + } + +- memcpy(s_eqe, eqe, dev->caps.eqe_size - 1); ++ memcpy(s_eqe, eqe, sizeof(struct mlx4_eqe) - 1); + s_eqe->slave_id = slave; + /* ensure all information is written before setting the ownersip bit */ + dma_wmb(); +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index b1a4ea21c91c..4dd18f4bb5ae 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -1809,7 +1809,9 @@ static void efx_ef10_tx_write(struct efx_tx_queue *tx_queue) + unsigned int write_ptr; + efx_qword_t *txd; + +- BUG_ON(tx_queue->write_count == tx_queue->insert_count); ++ tx_queue->xmit_more_available = false; ++ if (unlikely(tx_queue->write_count == tx_queue->insert_count)) ++ return; + + do { + write_ptr = tx_queue->write_count & tx_queue->ptr_mask; +diff --git a/drivers/net/ethernet/sfc/farch.c b/drivers/net/ethernet/sfc/farch.c +index f08266f0eca2..5a1c5a8f278a 100644 +--- a/drivers/net/ethernet/sfc/farch.c ++++ b/drivers/net/ethernet/sfc/farch.c +@@ -321,7 +321,9 @@ void efx_farch_tx_write(struct efx_tx_queue *tx_queue) + unsigned write_ptr; + unsigned old_write_count = tx_queue->write_count; + +- BUG_ON(tx_queue->write_count == tx_queue->insert_count); ++ tx_queue->xmit_more_available = false; ++ if (unlikely(tx_queue->write_count == tx_queue->insert_count)) ++ return; + + do { + write_ptr = tx_queue->write_count & tx_queue->ptr_mask; +diff --git a/drivers/net/ethernet/sfc/net_driver.h b/drivers/net/ethernet/sfc/net_driver.h +index 47d1e3a96522..b8e8ce1caf0f 100644 +--- a/drivers/net/ethernet/sfc/net_driver.h ++++ b/drivers/net/ethernet/sfc/net_driver.h +@@ -219,6 +219,7 @@ struct efx_tx_buffer { + * @tso_packets: Number of packets via the TSO xmit path + * @pushes: Number of times the TX push feature has been used + * @pio_packets: Number of times the TX PIO feature has been used ++ * @xmit_more_available: Are any packets waiting to be pushed to the NIC + * @empty_read_count: If the completion path has seen the queue as empty + * and the transmission path has not yet checked this, the value of + * @read_count bitwise-added to %EFX_EMPTY_COUNT_VALID; otherwise 0. +@@ -253,6 +254,7 @@ struct efx_tx_queue { + unsigned int tso_packets; + unsigned int pushes; + unsigned int pio_packets; ++ bool xmit_more_available; + /* Statistics to supplement MAC stats */ + unsigned long tx_packets; + +diff --git a/drivers/net/ethernet/sfc/tx.c b/drivers/net/ethernet/sfc/tx.c +index 1833a0146571..67f6afaa022f 100644 +--- a/drivers/net/ethernet/sfc/tx.c ++++ b/drivers/net/ethernet/sfc/tx.c +@@ -431,8 +431,20 @@ finish_packet: + efx_tx_maybe_stop_queue(tx_queue); + + /* Pass off to hardware */ +- if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) ++ if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) { ++ struct efx_tx_queue *txq2 = efx_tx_queue_partner(tx_queue); ++ ++ /* There could be packets left on the partner queue if those ++ * SKBs had skb->xmit_more set. If we do not push those they ++ * could be left for a long time and cause a netdev watchdog. ++ */ ++ if (txq2->xmit_more_available) ++ efx_nic_push_buffers(txq2); ++ + efx_nic_push_buffers(tx_queue); ++ } else { ++ tx_queue->xmit_more_available = skb->xmit_more; ++ } + + tx_queue->tx_packets++; + +@@ -722,6 +734,7 @@ void efx_init_tx_queue(struct efx_tx_queue *tx_queue) + tx_queue->read_count = 0; + tx_queue->old_read_count = 0; + tx_queue->empty_read_count = 0 | EFX_EMPTY_COUNT_VALID; ++ tx_queue->xmit_more_available = false; + + /* Set up TX descriptor ring */ + efx_nic_init_tx(tx_queue); +@@ -747,6 +760,7 @@ void efx_fini_tx_queue(struct efx_tx_queue *tx_queue) + + ++tx_queue->read_count; + } ++ tx_queue->xmit_more_available = false; + netdev_tx_reset_queue(tx_queue->core_txq); + } + +@@ -1302,8 +1316,20 @@ static int efx_enqueue_skb_tso(struct efx_tx_queue *tx_queue, + efx_tx_maybe_stop_queue(tx_queue); + + /* Pass off to hardware */ +- if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) ++ if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) { ++ struct efx_tx_queue *txq2 = efx_tx_queue_partner(tx_queue); ++ ++ /* There could be packets left on the partner queue if those ++ * SKBs had skb->xmit_more set. If we do not push those they ++ * could be left for a long time and cause a netdev watchdog. ++ */ ++ if (txq2->xmit_more_available) ++ efx_nic_push_buffers(txq2); ++ + efx_nic_push_buffers(tx_queue); ++ } else { ++ tx_queue->xmit_more_available = skb->xmit_more; ++ } + + tx_queue->tso_bursts++; + return NETDEV_TX_OK; +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +index 771cda2a48b2..2e51b816a7e8 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +@@ -721,10 +721,13 @@ static int stmmac_get_ts_info(struct net_device *dev, + { + struct stmmac_priv *priv = netdev_priv(dev); + +- if ((priv->hwts_tx_en) && (priv->hwts_rx_en)) { ++ if ((priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) { + +- info->so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE | ++ info->so_timestamping = SOF_TIMESTAMPING_TX_SOFTWARE | ++ SOF_TIMESTAMPING_TX_HARDWARE | ++ SOF_TIMESTAMPING_RX_SOFTWARE | + SOF_TIMESTAMPING_RX_HARDWARE | ++ SOF_TIMESTAMPING_SOFTWARE | + SOF_TIMESTAMPING_RAW_HARDWARE; + + if (priv->ptp_clock) +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index 248478c6f6e4..197c93937c2d 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -137,7 +137,7 @@ static const struct proto_ops macvtap_socket_ops; + #define TUN_OFFLOADS (NETIF_F_HW_CSUM | NETIF_F_TSO_ECN | NETIF_F_TSO | \ + NETIF_F_TSO6 | NETIF_F_UFO) + #define RX_OFFLOADS (NETIF_F_GRO | NETIF_F_LRO) +-#define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG) ++#define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG | NETIF_F_FRAGLIST) + + static struct macvlan_dev *macvtap_get_vlan_rcu(const struct net_device *dev) + { +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index 2ed75060da50..5e0b43283bce 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -589,7 +589,7 @@ static int pppoe_release(struct socket *sock) + + po = pppox_sk(sk); + +- if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) { ++ if (po->pppoe_dev) { + dev_put(po->pppoe_dev); + po->pppoe_dev = NULL; + } +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 64a60afbe50c..8f1738c3b3c5 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -765,6 +765,10 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x1199, 0x9056, 8)}, /* Sierra Wireless Modem */ + {QMI_FIXED_INTF(0x1199, 0x9057, 8)}, + {QMI_FIXED_INTF(0x1199, 0x9061, 8)}, /* Sierra Wireless Modem */ ++ {QMI_FIXED_INTF(0x1199, 0x9070, 8)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9070, 10)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx/EM74xx */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 0d3c474ff76d..a5ea8a984c53 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -2070,7 +2070,8 @@ static void ath10k_peer_assoc_h_ht(struct ath10k *ar, + enum ieee80211_band band; + const u8 *ht_mcs_mask; + const u16 *vht_mcs_mask; +- int i, n, max_nss; ++ int i, n; ++ u8 max_nss; + u32 stbc; + + lockdep_assert_held(&ar->conf_mutex); +@@ -2155,7 +2156,7 @@ static void ath10k_peer_assoc_h_ht(struct ath10k *ar, + arg->peer_ht_rates.rates[i] = i; + } else { + arg->peer_ht_rates.num_rates = n; +- arg->peer_num_spatial_streams = max_nss; ++ arg->peer_num_spatial_streams = min(sta->rx_nss, max_nss); + } + + ath10k_dbg(ar, ATH10K_DBG_MAC, "mac ht peer %pM mcs cnt %d nss %d\n", +@@ -4021,7 +4022,7 @@ static int ath10k_config(struct ieee80211_hw *hw, u32 changed) + + static u32 get_nss_from_chainmask(u16 chain_mask) + { +- if ((chain_mask & 0x15) == 0x15) ++ if ((chain_mask & 0xf) == 0xf) + return 4; + else if ((chain_mask & 0x7) == 0x7) + return 3; +diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c b/drivers/net/wireless/iwlwifi/pcie/drv.c +index 865d578dee82..fd6aef7d4496 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c +@@ -423,14 +423,21 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + /* 8000 Series */ + {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0132, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1132, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0110, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x01F0, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0012, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1012, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0250, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0150, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x0030, iwl8260_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x24F4, 0x1130, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x1030, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xC010, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xC110, iwl8260_2ac_cfg)}, +@@ -438,18 +445,28 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x24F3, 0xC050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xD050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x8010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x9010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x8030, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x9030, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8132, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9132, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x8050, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x9050, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0004, iwl8260_2n_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0044, iwl8260_2n_cfg)}, + {IWL_PCI_DEVICE(0x24F5, 0x0010, iwl4165_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F6, 0x0030, iwl4165_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0810, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0910, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0850, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0950, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0930, iwl8260_2ac_cfg)}, + #endif /* CONFIG_IWLMVM */ + + {0} +diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c +index 9e144e71da0b..dab9b91b3f3d 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c +@@ -592,10 +592,8 @@ static int iwl_pcie_prepare_card_hw(struct iwl_trans *trans) + + do { + ret = iwl_pcie_set_hw_ready(trans); +- if (ret >= 0) { +- ret = 0; +- goto out; +- } ++ if (ret >= 0) ++ return 0; + + usleep_range(200, 1000); + t += 200; +@@ -605,10 +603,6 @@ static int iwl_pcie_prepare_card_hw(struct iwl_trans *trans) + + IWL_ERR(trans, "Couldn't prepare the card\n"); + +-out: +- iwl_clear_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG, +- CSR_RESET_LINK_PWR_MGMT_DISABLED); +- + return ret; + } + +diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c +index 5a0636d43a1b..5583856fc5c4 100644 +--- a/drivers/net/wireless/mwifiex/debugfs.c ++++ b/drivers/net/wireless/mwifiex/debugfs.c +@@ -731,7 +731,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf, + (struct mwifiex_private *) file->private_data; + unsigned long addr = get_zeroed_page(GFP_KERNEL); + char *buf = (char *) addr; +- int pos = 0, ret = 0, i; ++ int pos, ret, i; + u8 value[MAX_EEPROM_DATA]; + + if (!buf) +@@ -739,7 +739,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf, + + if (saved_offset == -1) { + /* No command has been given */ +- pos += snprintf(buf, PAGE_SIZE, "0"); ++ pos = snprintf(buf, PAGE_SIZE, "0"); + goto done; + } + +@@ -748,17 +748,17 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf, + (u16) saved_bytes, value); + if (ret) { + ret = -EINVAL; +- goto done; ++ goto out_free; + } + +- pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes); ++ pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes); + + for (i = 0; i < saved_bytes; i++) +- pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]); +- +- ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos); ++ pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]); + + done: ++ ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos); ++out_free: + free_page(addr); + return ret; + } +diff --git a/drivers/staging/lustre/include/linux/lnet/lib-lnet.h b/drivers/staging/lustre/include/linux/lnet/lib-lnet.h +index a9c9a077c77d..bc3d907fd20f 100644 +--- a/drivers/staging/lustre/include/linux/lnet/lib-lnet.h ++++ b/drivers/staging/lustre/include/linux/lnet/lib-lnet.h +@@ -680,7 +680,7 @@ void lnet_debug_peer(lnet_nid_t nid); + static inline void + lnet_peer_set_alive(lnet_peer_t *lp) + { +- lp->lp_last_alive = lp->lp_last_query = get_seconds(); ++ lp->lp_last_alive = lp->lp_last_query = jiffies; + if (!lp->lp_alive) + lnet_notify_locked(lp, 0, 1, lp->lp_last_alive); + } +diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c +index f8b5b332e7c3..943a0e204532 100644 +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -144,6 +144,7 @@ static struct usb_device_id rtl871x_usb_id_tbl[] = { + {USB_DEVICE(0x0DF6, 0x0058)}, + {USB_DEVICE(0x0DF6, 0x0049)}, + {USB_DEVICE(0x0DF6, 0x004C)}, ++ {USB_DEVICE(0x0DF6, 0x006C)}, + {USB_DEVICE(0x0DF6, 0x0064)}, + /* Skyworth */ + {USB_DEVICE(0x14b2, 0x3300)}, +diff --git a/drivers/tty/mips_ejtag_fdc.c b/drivers/tty/mips_ejtag_fdc.c +index 358323c83b4f..43a2ba0c0fe9 100644 +--- a/drivers/tty/mips_ejtag_fdc.c ++++ b/drivers/tty/mips_ejtag_fdc.c +@@ -1045,38 +1045,6 @@ err_destroy_ports: + return ret; + } + +-static int mips_ejtag_fdc_tty_remove(struct mips_cdmm_device *dev) +-{ +- struct mips_ejtag_fdc_tty *priv = mips_cdmm_get_drvdata(dev); +- struct mips_ejtag_fdc_tty_port *dport; +- int nport; +- unsigned int cfg; +- +- if (priv->irq >= 0) { +- raw_spin_lock_irq(&priv->lock); +- cfg = mips_ejtag_fdc_read(priv, REG_FDCFG); +- /* Disable interrupts */ +- cfg &= ~(REG_FDCFG_TXINTTHRES | REG_FDCFG_RXINTTHRES); +- cfg |= REG_FDCFG_TXINTTHRES_DISABLED; +- cfg |= REG_FDCFG_RXINTTHRES_DISABLED; +- mips_ejtag_fdc_write(priv, REG_FDCFG, cfg); +- raw_spin_unlock_irq(&priv->lock); +- } else { +- priv->removing = true; +- del_timer_sync(&priv->poll_timer); +- } +- kthread_stop(priv->thread); +- if (dev->cpu == 0) +- mips_ejtag_fdc_con.tty_drv = NULL; +- tty_unregister_driver(priv->driver); +- for (nport = 0; nport < NUM_TTY_CHANNELS; nport++) { +- dport = &priv->ports[nport]; +- tty_port_destroy(&dport->port); +- } +- put_tty_driver(priv->driver); +- return 0; +-} +- + static int mips_ejtag_fdc_tty_cpu_down(struct mips_cdmm_device *dev) + { + struct mips_ejtag_fdc_tty *priv = mips_cdmm_get_drvdata(dev); +@@ -1149,12 +1117,11 @@ static struct mips_cdmm_driver mips_ejtag_fdc_tty_driver = { + .name = "mips_ejtag_fdc", + }, + .probe = mips_ejtag_fdc_tty_probe, +- .remove = mips_ejtag_fdc_tty_remove, + .cpu_down = mips_ejtag_fdc_tty_cpu_down, + .cpu_up = mips_ejtag_fdc_tty_cpu_up, + .id_table = mips_ejtag_fdc_tty_ids, + }; +-module_mips_cdmm_driver(mips_ejtag_fdc_tty_driver); ++builtin_mips_cdmm_driver(mips_ejtag_fdc_tty_driver); + + static int __init mips_ejtag_fdc_init_console(void) + { +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index afc1879f66e0..dedac8ab85bf 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -169,7 +169,7 @@ static inline int tty_copy_to_user(struct tty_struct *tty, + { + struct n_tty_data *ldata = tty->disc_data; + +- tty_audit_add_data(tty, to, n, ldata->icanon); ++ tty_audit_add_data(tty, from, n, ldata->icanon); + return copy_to_user(to, from, n); + } + +diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c +index 90ca082935f6..3d245cd3d8e6 100644 +--- a/drivers/tty/tty_audit.c ++++ b/drivers/tty/tty_audit.c +@@ -265,7 +265,7 @@ static struct tty_audit_buf *tty_audit_buf_get(struct tty_struct *tty, + * + * Audit @data of @size from @tty, if necessary. + */ +-void tty_audit_add_data(struct tty_struct *tty, unsigned char *data, ++void tty_audit_add_data(struct tty_struct *tty, const void *data, + size_t size, unsigned icanon) + { + struct tty_audit_buf *buf; +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 774df354af55..1aa028638120 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1279,18 +1279,22 @@ int tty_send_xchar(struct tty_struct *tty, char ch) + int was_stopped = tty->stopped; + + if (tty->ops->send_xchar) { ++ down_read(&tty->termios_rwsem); + tty->ops->send_xchar(tty, ch); ++ up_read(&tty->termios_rwsem); + return 0; + } + + if (tty_write_lock(tty, 0) < 0) + return -ERESTARTSYS; + ++ down_read(&tty->termios_rwsem); + if (was_stopped) + start_tty(tty); + tty->ops->write(tty, &ch, 1); + if (was_stopped) + stop_tty(tty); ++ up_read(&tty->termios_rwsem); + tty_write_unlock(tty); + return 0; + } +diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c +index 5232fb60b0b1..043e332e7423 100644 +--- a/drivers/tty/tty_ioctl.c ++++ b/drivers/tty/tty_ioctl.c +@@ -1142,16 +1142,12 @@ int n_tty_ioctl_helper(struct tty_struct *tty, struct file *file, + spin_unlock_irq(&tty->flow_lock); + break; + case TCIOFF: +- down_read(&tty->termios_rwsem); + if (STOP_CHAR(tty) != __DISABLED_CHAR) + retval = tty_send_xchar(tty, STOP_CHAR(tty)); +- up_read(&tty->termios_rwsem); + break; + case TCION: +- down_read(&tty->termios_rwsem); + if (START_CHAR(tty) != __DISABLED_CHAR) + retval = tty_send_xchar(tty, START_CHAR(tty)); +- up_read(&tty->termios_rwsem); + break; + default: + return -EINVAL; +diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c +index fa774323ebda..846ceb91ec14 100644 +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -68,6 +68,12 @@ struct ci_hdrc_imx_data { + struct imx_usbmisc_data *usbmisc_data; + bool supports_runtime_pm; + bool in_lpm; ++ /* SoC before i.mx6 (except imx23/imx28) needs three clks */ ++ bool need_three_clks; ++ struct clk *clk_ipg; ++ struct clk *clk_ahb; ++ struct clk *clk_per; ++ /* --------------------------------- */ + }; + + /* Common functions shared by usbmisc drivers */ +@@ -119,6 +125,102 @@ static struct imx_usbmisc_data *usbmisc_get_init_data(struct device *dev) + } + + /* End of common functions shared by usbmisc drivers*/ ++static int imx_get_clks(struct device *dev) ++{ ++ struct ci_hdrc_imx_data *data = dev_get_drvdata(dev); ++ int ret = 0; ++ ++ data->clk_ipg = devm_clk_get(dev, "ipg"); ++ if (IS_ERR(data->clk_ipg)) { ++ /* If the platform only needs one clocks */ ++ data->clk = devm_clk_get(dev, NULL); ++ if (IS_ERR(data->clk)) { ++ ret = PTR_ERR(data->clk); ++ dev_err(dev, ++ "Failed to get clks, err=%ld,%ld\n", ++ PTR_ERR(data->clk), PTR_ERR(data->clk_ipg)); ++ return ret; ++ } ++ return ret; ++ } ++ ++ data->clk_ahb = devm_clk_get(dev, "ahb"); ++ if (IS_ERR(data->clk_ahb)) { ++ ret = PTR_ERR(data->clk_ahb); ++ dev_err(dev, ++ "Failed to get ahb clock, err=%d\n", ret); ++ return ret; ++ } ++ ++ data->clk_per = devm_clk_get(dev, "per"); ++ if (IS_ERR(data->clk_per)) { ++ ret = PTR_ERR(data->clk_per); ++ dev_err(dev, ++ "Failed to get per clock, err=%d\n", ret); ++ return ret; ++ } ++ ++ data->need_three_clks = true; ++ return ret; ++} ++ ++static int imx_prepare_enable_clks(struct device *dev) ++{ ++ struct ci_hdrc_imx_data *data = dev_get_drvdata(dev); ++ int ret = 0; ++ ++ if (data->need_three_clks) { ++ ret = clk_prepare_enable(data->clk_ipg); ++ if (ret) { ++ dev_err(dev, ++ "Failed to prepare/enable ipg clk, err=%d\n", ++ ret); ++ return ret; ++ } ++ ++ ret = clk_prepare_enable(data->clk_ahb); ++ if (ret) { ++ dev_err(dev, ++ "Failed to prepare/enable ahb clk, err=%d\n", ++ ret); ++ clk_disable_unprepare(data->clk_ipg); ++ return ret; ++ } ++ ++ ret = clk_prepare_enable(data->clk_per); ++ if (ret) { ++ dev_err(dev, ++ "Failed to prepare/enable per clk, err=%d\n", ++ ret); ++ clk_disable_unprepare(data->clk_ahb); ++ clk_disable_unprepare(data->clk_ipg); ++ return ret; ++ } ++ } else { ++ ret = clk_prepare_enable(data->clk); ++ if (ret) { ++ dev_err(dev, ++ "Failed to prepare/enable clk, err=%d\n", ++ ret); ++ return ret; ++ } ++ } ++ ++ return ret; ++} ++ ++static void imx_disable_unprepare_clks(struct device *dev) ++{ ++ struct ci_hdrc_imx_data *data = dev_get_drvdata(dev); ++ ++ if (data->need_three_clks) { ++ clk_disable_unprepare(data->clk_per); ++ clk_disable_unprepare(data->clk_ahb); ++ clk_disable_unprepare(data->clk_ipg); ++ } else { ++ clk_disable_unprepare(data->clk); ++ } ++} + + static int ci_hdrc_imx_probe(struct platform_device *pdev) + { +@@ -137,23 +239,18 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + if (!data) + return -ENOMEM; + ++ platform_set_drvdata(pdev, data); + data->usbmisc_data = usbmisc_get_init_data(&pdev->dev); + if (IS_ERR(data->usbmisc_data)) + return PTR_ERR(data->usbmisc_data); + +- data->clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(data->clk)) { +- dev_err(&pdev->dev, +- "Failed to get clock, err=%ld\n", PTR_ERR(data->clk)); +- return PTR_ERR(data->clk); +- } ++ ret = imx_get_clks(&pdev->dev); ++ if (ret) ++ return ret; + +- ret = clk_prepare_enable(data->clk); +- if (ret) { +- dev_err(&pdev->dev, +- "Failed to prepare or enable clock, err=%d\n", ret); ++ ret = imx_prepare_enable_clks(&pdev->dev); ++ if (ret) + return ret; +- } + + data->phy = devm_usb_get_phy_by_phandle(&pdev->dev, "fsl,usbphy", 0); + if (IS_ERR(data->phy)) { +@@ -196,8 +293,6 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + goto disable_device; + } + +- platform_set_drvdata(pdev, data); +- + if (data->supports_runtime_pm) { + pm_runtime_set_active(&pdev->dev); + pm_runtime_enable(&pdev->dev); +@@ -210,7 +305,7 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + disable_device: + ci_hdrc_remove_device(data->ci_pdev); + err_clk: +- clk_disable_unprepare(data->clk); ++ imx_disable_unprepare_clks(&pdev->dev); + return ret; + } + +@@ -224,7 +319,7 @@ static int ci_hdrc_imx_remove(struct platform_device *pdev) + pm_runtime_put_noidle(&pdev->dev); + } + ci_hdrc_remove_device(data->ci_pdev); +- clk_disable_unprepare(data->clk); ++ imx_disable_unprepare_clks(&pdev->dev); + + return 0; + } +@@ -236,7 +331,7 @@ static int imx_controller_suspend(struct device *dev) + + dev_dbg(dev, "at %s\n", __func__); + +- clk_disable_unprepare(data->clk); ++ imx_disable_unprepare_clks(dev); + data->in_lpm = true; + + return 0; +@@ -254,7 +349,7 @@ static int imx_controller_resume(struct device *dev) + return 0; + } + +- ret = clk_prepare_enable(data->clk); ++ ret = imx_prepare_enable_clks(dev); + if (ret) + return ret; + +@@ -269,7 +364,7 @@ static int imx_controller_resume(struct device *dev) + return 0; + + clk_disable: +- clk_disable_unprepare(data->clk); ++ imx_disable_unprepare_clks(dev); + return ret; + } + +diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c +index 6e53c24fa1cb..92937c14f818 100644 +--- a/drivers/usb/chipidea/udc.c ++++ b/drivers/usb/chipidea/udc.c +@@ -1730,6 +1730,22 @@ static int ci_udc_start(struct usb_gadget *gadget, + return retval; + } + ++static void ci_udc_stop_for_otg_fsm(struct ci_hdrc *ci) ++{ ++ if (!ci_otg_is_fsm_mode(ci)) ++ return; ++ ++ mutex_lock(&ci->fsm.lock); ++ if (ci->fsm.otg->state == OTG_STATE_A_PERIPHERAL) { ++ ci->fsm.a_bidl_adis_tmout = 1; ++ ci_hdrc_otg_fsm_start(ci); ++ } else if (ci->fsm.otg->state == OTG_STATE_B_PERIPHERAL) { ++ ci->fsm.protocol = PROTO_UNDEF; ++ ci->fsm.otg->state = OTG_STATE_UNDEFINED; ++ } ++ mutex_unlock(&ci->fsm.lock); ++} ++ + /** + * ci_udc_stop: unregister a gadget driver + */ +@@ -1754,6 +1770,7 @@ static int ci_udc_stop(struct usb_gadget *gadget) + ci->driver = NULL; + spin_unlock_irqrestore(&ci->lock, flags); + ++ ci_udc_stop_for_otg_fsm(ci); + return 0; + } + +diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c +index f38e875a3fb1..8218ba7eb263 100644 +--- a/drivers/usb/class/usblp.c ++++ b/drivers/usb/class/usblp.c +@@ -873,11 +873,11 @@ static int usblp_wwait(struct usblp *usblp, int nonblock) + + add_wait_queue(&usblp->wwait, &waita); + for (;;) { +- set_current_state(TASK_INTERRUPTIBLE); + if (mutex_lock_interruptible(&usblp->mut)) { + rc = -EINTR; + break; + } ++ set_current_state(TASK_INTERRUPTIBLE); + rc = usblp_wtest(usblp, nonblock); + mutex_unlock(&usblp->mut); + if (rc <= 0) +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index ff5773c66b84..c0566ecd9977 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -490,6 +490,9 @@ static int dwc3_phy_setup(struct dwc3 *dwc) + if (dwc->dis_u2_susphy_quirk) + reg &= ~DWC3_GUSB2PHYCFG_SUSPHY; + ++ if (dwc->dis_enblslpm_quirk) ++ reg &= ~DWC3_GUSB2PHYCFG_ENBLSLPM; ++ + dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); + + return 0; +@@ -509,12 +512,18 @@ static int dwc3_core_init(struct dwc3 *dwc) + + reg = dwc3_readl(dwc->regs, DWC3_GSNPSID); + /* This should read as U3 followed by revision number */ +- if ((reg & DWC3_GSNPSID_MASK) != 0x55330000) { ++ if ((reg & DWC3_GSNPSID_MASK) == 0x55330000) { ++ /* Detected DWC_usb3 IP */ ++ dwc->revision = reg; ++ } else if ((reg & DWC3_GSNPSID_MASK) == 0x33310000) { ++ /* Detected DWC_usb31 IP */ ++ dwc->revision = dwc3_readl(dwc->regs, DWC3_VER_NUMBER); ++ dwc->revision |= DWC3_REVISION_IS_DWC31; ++ } else { + dev_err(dwc->dev, "this is not a DesignWare USB3 DRD Core\n"); + ret = -ENODEV; + goto err0; + } +- dwc->revision = reg; + + /* + * Write Linux Version Code to our GUID register so it's easy to figure +@@ -881,6 +890,8 @@ static int dwc3_probe(struct platform_device *pdev) + "snps,dis_u3_susphy_quirk"); + dwc->dis_u2_susphy_quirk = of_property_read_bool(node, + "snps,dis_u2_susphy_quirk"); ++ dwc->dis_enblslpm_quirk = device_property_read_bool(dev, ++ "snps,dis_enblslpm_quirk"); + + dwc->tx_de_emphasis_quirk = of_property_read_bool(node, + "snps,tx_de_emphasis_quirk"); +@@ -911,6 +922,7 @@ static int dwc3_probe(struct platform_device *pdev) + dwc->rx_detect_poll_quirk = pdata->rx_detect_poll_quirk; + dwc->dis_u3_susphy_quirk = pdata->dis_u3_susphy_quirk; + dwc->dis_u2_susphy_quirk = pdata->dis_u2_susphy_quirk; ++ dwc->dis_enblslpm_quirk = pdata->dis_enblslpm_quirk; + + dwc->tx_de_emphasis_quirk = pdata->tx_de_emphasis_quirk; + if (pdata->tx_de_emphasis) +diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h +index 044778884585..6e53ce9ce320 100644 +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -108,6 +108,9 @@ + #define DWC3_GPRTBIMAP_FS0 0xc188 + #define DWC3_GPRTBIMAP_FS1 0xc18c + ++#define DWC3_VER_NUMBER 0xc1a0 ++#define DWC3_VER_TYPE 0xc1a4 ++ + #define DWC3_GUSB2PHYCFG(n) (0xc200 + (n * 0x04)) + #define DWC3_GUSB2I2CCTL(n) (0xc240 + (n * 0x04)) + +@@ -175,6 +178,7 @@ + #define DWC3_GUSB2PHYCFG_PHYSOFTRST (1 << 31) + #define DWC3_GUSB2PHYCFG_SUSPHY (1 << 6) + #define DWC3_GUSB2PHYCFG_ULPI_UTMI (1 << 4) ++#define DWC3_GUSB2PHYCFG_ENBLSLPM (1 << 8) + + /* Global USB2 PHY Vendor Control Register */ + #define DWC3_GUSB2PHYACC_NEWREGREQ (1 << 25) +@@ -712,6 +716,8 @@ struct dwc3_scratchpad_array { + * @rx_detect_poll_quirk: set if we enable rx_detect to polling lfps quirk + * @dis_u3_susphy_quirk: set if we disable usb3 suspend phy + * @dis_u2_susphy_quirk: set if we disable usb2 suspend phy ++ * @dis_enblslpm_quirk: set if we clear enblslpm in GUSB2PHYCFG, ++ * disabling the suspend signal to the PHY. + * @tx_de_emphasis_quirk: set if we enable Tx de-emphasis quirk + * @tx_de_emphasis: Tx de-emphasis value + * 0 - -6dB de-emphasis +@@ -766,6 +772,14 @@ struct dwc3 { + u32 num_event_buffers; + u32 u1u2; + u32 maximum_speed; ++ ++ /* ++ * All 3.1 IP version constants are greater than the 3.0 IP ++ * version constants. This works for most version checks in ++ * dwc3. However, in the future, this may not apply as ++ * features may be developed on newer versions of the 3.0 IP ++ * that are not in the 3.1 IP. ++ */ + u32 revision; + + #define DWC3_REVISION_173A 0x5533173a +@@ -788,6 +802,13 @@ struct dwc3 { + #define DWC3_REVISION_270A 0x5533270a + #define DWC3_REVISION_280A 0x5533280a + ++/* ++ * NOTICE: we're using bit 31 as a "is usb 3.1" flag. This is really ++ * just so dwc31 revisions are always larger than dwc3. ++ */ ++#define DWC3_REVISION_IS_DWC31 0x80000000 ++#define DWC3_USB31_REVISION_110A (0x3131302a | DWC3_REVISION_IS_USB31) ++ + enum dwc3_ep0_next ep0_next_event; + enum dwc3_ep0_state ep0state; + enum dwc3_link_state link_state; +@@ -841,6 +862,7 @@ struct dwc3 { + unsigned rx_detect_poll_quirk:1; + unsigned dis_u3_susphy_quirk:1; + unsigned dis_u2_susphy_quirk:1; ++ unsigned dis_enblslpm_quirk:1; + + unsigned tx_de_emphasis_quirk:1; + unsigned tx_de_emphasis:2; +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c +index 27e4fc896e9d..04b87ebe6f94 100644 +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -27,6 +27,8 @@ + #include "platform_data.h" + + #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 0xabcd ++#define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI 0xabce ++#define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31 0xabcf + #define PCI_DEVICE_ID_INTEL_BYT 0x0f37 + #define PCI_DEVICE_ID_INTEL_MRFLD 0x119e + #define PCI_DEVICE_ID_INTEL_BSW 0x22B7 +@@ -100,6 +102,22 @@ static int dwc3_pci_quirks(struct pci_dev *pdev) + } + } + ++ if (pdev->vendor == PCI_VENDOR_ID_SYNOPSYS && ++ (pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 || ++ pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI || ++ pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31)) { ++ ++ struct dwc3_platform_data pdata; ++ ++ memset(&pdata, 0, sizeof(pdata)); ++ pdata.usb3_lpm_capable = true; ++ pdata.has_lpm_erratum = true; ++ pdata.dis_enblslpm_quirk = true; ++ ++ return platform_device_add_data(pci_get_drvdata(pdev), &pdata, ++ sizeof(pdata)); ++ } ++ + return 0; + } + +@@ -172,6 +190,14 @@ static const struct pci_device_id dwc3_pci_id_table[] = { + PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, + PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3), + }, ++ { ++ PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, ++ PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI), ++ }, ++ { ++ PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, ++ PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31), ++ }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), }, +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 333a7c0078fc..6fbf461d523c 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1859,27 +1859,32 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep, + unsigned int i; + int ret; + +- req = next_request(&dep->req_queued); +- if (!req) { +- WARN_ON_ONCE(1); +- return 1; +- } +- i = 0; + do { +- slot = req->start_slot + i; +- if ((slot == DWC3_TRB_NUM - 1) && ++ req = next_request(&dep->req_queued); ++ if (!req) { ++ WARN_ON_ONCE(1); ++ return 1; ++ } ++ i = 0; ++ do { ++ slot = req->start_slot + i; ++ if ((slot == DWC3_TRB_NUM - 1) && + usb_endpoint_xfer_isoc(dep->endpoint.desc)) +- slot++; +- slot %= DWC3_TRB_NUM; +- trb = &dep->trb_pool[slot]; ++ slot++; ++ slot %= DWC3_TRB_NUM; ++ trb = &dep->trb_pool[slot]; ++ ++ ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb, ++ event, status); ++ if (ret) ++ break; ++ } while (++i < req->request.num_mapped_sgs); ++ ++ dwc3_gadget_giveback(dep, req, status); + +- ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb, +- event, status); + if (ret) + break; +- } while (++i < req->request.num_mapped_sgs); +- +- dwc3_gadget_giveback(dep, req, status); ++ } while (1); + + if (usb_endpoint_xfer_isoc(dep->endpoint.desc) && + list_empty(&dep->req_queued)) { +@@ -2709,12 +2714,34 @@ int dwc3_gadget_init(struct dwc3 *dwc) + } + + dwc->gadget.ops = &dwc3_gadget_ops; +- dwc->gadget.max_speed = USB_SPEED_SUPER; + dwc->gadget.speed = USB_SPEED_UNKNOWN; + dwc->gadget.sg_supported = true; + dwc->gadget.name = "dwc3-gadget"; + + /* ++ * FIXME We might be setting max_speed to revision < DWC3_REVISION_220A) ++ dwc3_trace(trace_dwc3_gadget, ++ "Changing max_speed on rev %08x\n", ++ dwc->revision); ++ ++ dwc->gadget.max_speed = dwc->maximum_speed; ++ ++ /* + * Per databook, DWC3 needs buffer size to be aligned to MaxPacketSize + * on ep out. + */ +diff --git a/drivers/usb/dwc3/platform_data.h b/drivers/usb/dwc3/platform_data.h +index d3614ecbb9ca..db2938002260 100644 +--- a/drivers/usb/dwc3/platform_data.h ++++ b/drivers/usb/dwc3/platform_data.h +@@ -42,6 +42,7 @@ struct dwc3_platform_data { + unsigned rx_detect_poll_quirk:1; + unsigned dis_u3_susphy_quirk:1; + unsigned dis_u2_susphy_quirk:1; ++ unsigned dis_enblslpm_quirk:1; + + unsigned tx_de_emphasis_quirk:1; + unsigned tx_de_emphasis:2; +diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c +index 4095cce05e6a..35fff450bdc8 100644 +--- a/drivers/usb/gadget/udc/atmel_usba_udc.c ++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c +@@ -1634,7 +1634,7 @@ static irqreturn_t usba_udc_irq(int irq, void *devid) + spin_lock(&udc->lock); + + int_enb = usba_int_enb_get(udc); +- status = usba_readl(udc, INT_STA) & int_enb; ++ status = usba_readl(udc, INT_STA) & (int_enb | USBA_HIGH_SPEED); + DBG(DBG_INT, "irq, status=%#08x\n", status); + + if (status & USBA_DET_SUSPEND) { +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index 2bee912ca65b..baa0191666aa 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -1846,7 +1846,7 @@ static void defect7374_disable_data_eps(struct net2280 *dev) + + for (i = 1; i < 5; i++) { + ep = &dev->ep[i]; +- writel(0, &ep->cfg->ep_cfg); ++ writel(i, &ep->cfg->ep_cfg); + } + + /* CSROUT, CSRIN, PCIOUT, PCIIN, STATIN, RCIN */ +diff --git a/drivers/usb/host/ehci-orion.c b/drivers/usb/host/ehci-orion.c +index bfcbb9aa8816..ee8d5faa0194 100644 +--- a/drivers/usb/host/ehci-orion.c ++++ b/drivers/usb/host/ehci-orion.c +@@ -224,7 +224,8 @@ static int ehci_orion_drv_probe(struct platform_device *pdev) + priv->phy = devm_phy_optional_get(&pdev->dev, "usb"); + if (IS_ERR(priv->phy)) { + err = PTR_ERR(priv->phy); +- goto err_phy_get; ++ if (err != -ENOSYS) ++ goto err_phy_get; + } else { + err = phy_init(priv->phy); + if (err) +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index d7b9f484d4e9..6062996d35a6 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -175,6 +175,16 @@ int xhci_reset(struct xhci_hcd *xhci) + command |= CMD_RESET; + writel(command, &xhci->op_regs->command); + ++ /* Existing Intel xHCI controllers require a delay of 1 mS, ++ * after setting the CMD_RESET bit, and before accessing any ++ * HC registers. This allows the HC to complete the ++ * reset operation and be ready for HC register access. ++ * Without this delay, the subsequent HC register access, ++ * may result in a system hang very rarely. ++ */ ++ if (xhci->quirks & XHCI_INTEL_HOST) ++ udelay(1000); ++ + ret = xhci_handshake(&xhci->op_regs->command, + CMD_RESET, 0, 10 * 1000 * 1000); + if (ret) +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c +index 514a6cdaeff6..2fe6d263eb6b 100644 +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -132,7 +132,7 @@ static inline struct musb *dev_to_musb(struct device *dev) + /*-------------------------------------------------------------------------*/ + + #ifndef CONFIG_BLACKFIN +-static int musb_ulpi_read(struct usb_phy *phy, u32 offset) ++static int musb_ulpi_read(struct usb_phy *phy, u32 reg) + { + void __iomem *addr = phy->io_priv; + int i = 0; +@@ -151,7 +151,7 @@ static int musb_ulpi_read(struct usb_phy *phy, u32 offset) + * ULPICarKitControlDisableUTMI after clearing POWER_SUSPENDM. + */ + +- musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset); ++ musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg); + musb_writeb(addr, MUSB_ULPI_REG_CONTROL, + MUSB_ULPI_REG_REQ | MUSB_ULPI_RDN_WR); + +@@ -176,7 +176,7 @@ out: + return ret; + } + +-static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data) ++static int musb_ulpi_write(struct usb_phy *phy, u32 val, u32 reg) + { + void __iomem *addr = phy->io_priv; + int i = 0; +@@ -191,8 +191,8 @@ static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data) + power &= ~MUSB_POWER_SUSPENDM; + musb_writeb(addr, MUSB_POWER, power); + +- musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset); +- musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)data); ++ musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg); ++ musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)val); + musb_writeb(addr, MUSB_ULPI_REG_CONTROL, MUSB_ULPI_REG_REQ); + + while (!(musb_readb(addr, MUSB_ULPI_REG_CONTROL) +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 7c8eb4c4c175..4021846139c9 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -162,6 +162,7 @@ static void option_instat_callback(struct urb *urb); + #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_HIGHSPEED 0x9001 + #define NOVATELWIRELESS_PRODUCT_E362 0x9010 + #define NOVATELWIRELESS_PRODUCT_E371 0x9011 ++#define NOVATELWIRELESS_PRODUCT_U620L 0x9022 + #define NOVATELWIRELESS_PRODUCT_G2 0xA010 + #define NOVATELWIRELESS_PRODUCT_MC551 0xB001 + +@@ -357,6 +358,7 @@ static void option_instat_callback(struct urb *urb); + /* This is the 4G XS Stick W14 a.k.a. Mobilcom Debitel Surf-Stick * + * It seems to contain a Qualcomm QSC6240/6290 chipset */ + #define FOUR_G_SYSTEMS_PRODUCT_W14 0x9603 ++#define FOUR_G_SYSTEMS_PRODUCT_W100 0x9b01 + + /* iBall 3.5G connect wireless modem */ + #define IBALL_3_5G_CONNECT 0x9605 +@@ -522,6 +524,11 @@ static const struct option_blacklist_info four_g_w14_blacklist = { + .sendsetup = BIT(0) | BIT(1), + }; + ++static const struct option_blacklist_info four_g_w100_blacklist = { ++ .sendsetup = BIT(1) | BIT(2), ++ .reserved = BIT(3), ++}; ++ + static const struct option_blacklist_info alcatel_x200_blacklist = { + .sendsetup = BIT(0) | BIT(1), + .reserved = BIT(4), +@@ -1060,6 +1067,7 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_MC551, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E362, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E371, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_U620L, 0xff, 0x00, 0x00) }, + + { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01) }, + { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01A) }, +@@ -1653,6 +1661,9 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14), + .driver_info = (kernel_ulong_t)&four_g_w14_blacklist + }, ++ { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100), ++ .driver_info = (kernel_ulong_t)&four_g_w100_blacklist ++ }, + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) }, +diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c +index f49d262e926b..514fa91cf74e 100644 +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -22,6 +22,8 @@ + #define DRIVER_AUTHOR "Qualcomm Inc" + #define DRIVER_DESC "Qualcomm USB Serial driver" + ++#define QUECTEL_EC20_PID 0x9215 ++ + /* standard device layouts supported by this driver */ + enum qcserial_layouts { + QCSERIAL_G2K = 0, /* Gobi 2000 */ +@@ -169,6 +171,38 @@ static const struct usb_device_id id_table[] = { + }; + MODULE_DEVICE_TABLE(usb, id_table); + ++static int handle_quectel_ec20(struct device *dev, int ifnum) ++{ ++ int altsetting = 0; ++ ++ /* ++ * Quectel EC20 Mini PCIe LTE module layout: ++ * 0: DM/DIAG (use libqcdm from ModemManager for communication) ++ * 1: NMEA ++ * 2: AT-capable modem port ++ * 3: Modem interface ++ * 4: NDIS ++ */ ++ switch (ifnum) { ++ case 0: ++ dev_dbg(dev, "Quectel EC20 DM/DIAG interface found\n"); ++ break; ++ case 1: ++ dev_dbg(dev, "Quectel EC20 NMEA GPS interface found\n"); ++ break; ++ case 2: ++ case 3: ++ dev_dbg(dev, "Quectel EC20 Modem port found\n"); ++ break; ++ case 4: ++ /* Don't claim the QMI/net interface */ ++ altsetting = -1; ++ break; ++ } ++ ++ return altsetting; ++} ++ + static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + { + struct usb_host_interface *intf = serial->interface->cur_altsetting; +@@ -178,6 +212,10 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + __u8 ifnum; + int altsetting = -1; + ++ /* we only support vendor specific functions */ ++ if (intf->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC) ++ goto done; ++ + nintf = serial->dev->actconfig->desc.bNumInterfaces; + dev_dbg(dev, "Num Interfaces = %d\n", nintf); + ifnum = intf->desc.bInterfaceNumber; +@@ -237,6 +275,12 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + altsetting = -1; + break; + case QCSERIAL_G2K: ++ /* handle non-standard layouts */ ++ if (nintf == 5 && id->idProduct == QUECTEL_EC20_PID) { ++ altsetting = handle_quectel_ec20(dev, ifnum); ++ goto done; ++ } ++ + /* + * Gobi 2K+ USB layout: + * 0: QMI/net +@@ -297,29 +341,39 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + break; + case QCSERIAL_HWI: + /* +- * Huawei layout: +- * 0: AT-capable modem port +- * 1: DM/DIAG +- * 2: AT-capable modem port +- * 3: CCID-compatible PCSC interface +- * 4: QMI/net +- * 5: NMEA ++ * Huawei devices map functions by subclass + protocol ++ * instead of interface numbers. The protocol identify ++ * a specific function, while the subclass indicate a ++ * specific firmware source ++ * ++ * This is a blacklist of functions known to be ++ * non-serial. The rest are assumed to be serial and ++ * will be handled by this driver + */ +- switch (ifnum) { +- case 0: +- case 2: +- dev_dbg(dev, "Modem port found\n"); +- break; +- case 1: +- dev_dbg(dev, "DM/DIAG interface found\n"); +- break; +- case 5: +- dev_dbg(dev, "NMEA GPS interface found\n"); +- break; +- default: +- /* don't claim any unsupported interface */ ++ switch (intf->desc.bInterfaceProtocol) { ++ /* QMI combined (qmi_wwan) */ ++ case 0x07: ++ case 0x37: ++ case 0x67: ++ /* QMI data (qmi_wwan) */ ++ case 0x08: ++ case 0x38: ++ case 0x68: ++ /* QMI control (qmi_wwan) */ ++ case 0x09: ++ case 0x39: ++ case 0x69: ++ /* NCM like (huawei_cdc_ncm) */ ++ case 0x16: ++ case 0x46: ++ case 0x76: + altsetting = -1; + break; ++ default: ++ dev_dbg(dev, "Huawei type serial port found (%02x/%02x/%02x)\n", ++ intf->desc.bInterfaceClass, ++ intf->desc.bInterfaceSubClass, ++ intf->desc.bInterfaceProtocol); + } + break; + default: +diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c +index e9da41d9fe7f..2694df2f4559 100644 +--- a/drivers/usb/serial/ti_usb_3410_5052.c ++++ b/drivers/usb/serial/ti_usb_3410_5052.c +@@ -159,6 +159,7 @@ static const struct usb_device_id ti_id_table_3410[] = { + { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STEREO_PLUG_ID) }, + { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) }, + { USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) }, ++ { USB_DEVICE(HONEYWELL_VENDOR_ID, HONEYWELL_HGI80_PRODUCT_ID) }, + { } /* terminator */ + }; + +@@ -191,6 +192,7 @@ static const struct usb_device_id ti_id_table_combined[] = { + { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_PRODUCT_ID) }, + { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) }, + { USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) }, ++ { USB_DEVICE(HONEYWELL_VENDOR_ID, HONEYWELL_HGI80_PRODUCT_ID) }, + { } /* terminator */ + }; + +diff --git a/drivers/usb/serial/ti_usb_3410_5052.h b/drivers/usb/serial/ti_usb_3410_5052.h +index 4a2423e84d55..98f35c656c02 100644 +--- a/drivers/usb/serial/ti_usb_3410_5052.h ++++ b/drivers/usb/serial/ti_usb_3410_5052.h +@@ -56,6 +56,10 @@ + #define ABBOTT_PRODUCT_ID ABBOTT_STEREO_PLUG_ID + #define ABBOTT_STRIP_PORT_ID 0x3420 + ++/* Honeywell vendor and product IDs */ ++#define HONEYWELL_VENDOR_ID 0x10ac ++#define HONEYWELL_HGI80_PRODUCT_ID 0x0102 /* Honeywell HGI80 */ ++ + /* Commands */ + #define TI_GET_VERSION 0x01 + #define TI_GET_PORT_STATUS 0x02 +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 96093ae369a5..cdc3d3360764 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + #include + #include + #endif +@@ -420,7 +421,7 @@ static int __must_check xen_allocate_irq_gsi(unsigned gsi) + return xen_allocate_irq_dynamic(); + + /* Legacy IRQ descriptors are already allocated by the arch. */ +- if (gsi < NR_IRQS_LEGACY) ++ if (gsi < nr_legacy_irqs()) + irq = gsi; + else + irq = irq_alloc_desc_at(gsi, -1); +@@ -446,7 +447,7 @@ static void xen_free_irq(unsigned irq) + kfree(info); + + /* Legacy IRQ descriptors are managed by the arch. */ +- if (irq < NR_IRQS_LEGACY) ++ if (irq < nr_legacy_irqs()) + return; + + irq_free_desc(irq); +diff --git a/fs/proc/array.c b/fs/proc/array.c +index ce065cf3104f..57fde2dfd4af 100644 +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -372,7 +372,7 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns, + static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, + struct pid *pid, struct task_struct *task, int whole) + { +- unsigned long vsize, eip, esp, wchan = ~0UL; ++ unsigned long vsize, eip, esp, wchan = 0; + int priority, nice; + int tty_pgrp = -1, tty_nr = 0; + sigset_t sigign, sigcatch; +@@ -504,7 +504,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, + seq_put_decimal_ull(m, ' ', task->blocked.sig[0] & 0x7fffffffUL); + seq_put_decimal_ull(m, ' ', sigign.sig[0] & 0x7fffffffUL); + seq_put_decimal_ull(m, ' ', sigcatch.sig[0] & 0x7fffffffUL); +- seq_put_decimal_ull(m, ' ', wchan); ++ ++ /* ++ * We used to output the absolute kernel address, but that's an ++ * information leak - so instead we show a 0/1 flag here, to signal ++ * to user-space whether there's a wchan field in /proc/PID/wchan. ++ * ++ * This works with older implementations of procps as well. ++ */ ++ if (wchan) ++ seq_puts(m, " 1"); ++ else ++ seq_puts(m, " 0"); ++ + seq_put_decimal_ull(m, ' ', 0); + seq_put_decimal_ull(m, ' ', 0); + seq_put_decimal_ll(m, ' ', task->exit_signal); +diff --git a/fs/proc/base.c b/fs/proc/base.c +index aa50d1ac28fc..83a43c131e9d 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -430,13 +430,10 @@ static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns, + + wchan = get_wchan(task); + +- if (lookup_symbol_name(wchan, symname) < 0) { +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) +- return 0; +- seq_printf(m, "%lu", wchan); +- } else { ++ if (wchan && ptrace_may_access(task, PTRACE_MODE_READ) && !lookup_symbol_name(wchan, symname)) + seq_printf(m, "%s", symname); +- } ++ else ++ seq_putc(m, '0'); + + return 0; + } +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index 05e99b8ef465..053f122b592d 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -436,6 +436,17 @@ static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) + (vcpup = kvm_get_vcpu(kvm, idx)) != NULL; \ + idx++) + ++static inline struct kvm_vcpu *kvm_get_vcpu_by_id(struct kvm *kvm, int id) ++{ ++ struct kvm_vcpu *vcpu; ++ int i; ++ ++ kvm_for_each_vcpu(i, vcpu, kvm) ++ if (vcpu->vcpu_id == id) ++ return vcpu; ++ return NULL; ++} ++ + #define kvm_for_each_memslot(memslot, slots) \ + for (memslot = &slots->memslots[0]; \ + memslot < slots->memslots + KVM_MEM_SLOTS_NUM && memslot->npages;\ +diff --git a/include/linux/tty.h b/include/linux/tty.h +index ad6c8913aa3e..342a760d5729 100644 +--- a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -605,7 +605,7 @@ extern void n_tty_inherit_ops(struct tty_ldisc_ops *ops); + + /* tty_audit.c */ + #ifdef CONFIG_AUDIT +-extern void tty_audit_add_data(struct tty_struct *tty, unsigned char *data, ++extern void tty_audit_add_data(struct tty_struct *tty, const void *data, + size_t size, unsigned icanon); + extern void tty_audit_exit(void); + extern void tty_audit_fork(struct signal_struct *sig); +@@ -613,8 +613,8 @@ extern void tty_audit_tiocsti(struct tty_struct *tty, char ch); + extern void tty_audit_push(struct tty_struct *tty); + extern int tty_audit_push_current(void); + #else +-static inline void tty_audit_add_data(struct tty_struct *tty, +- unsigned char *data, size_t size, unsigned icanon) ++static inline void tty_audit_add_data(struct tty_struct *tty, const void *data, ++ size_t size, unsigned icanon) + { + } + static inline void tty_audit_tiocsti(struct tty_struct *tty, char ch) +diff --git a/include/net/inet_common.h b/include/net/inet_common.h +index 279f83591971..109e3ee9108c 100644 +--- a/include/net/inet_common.h ++++ b/include/net/inet_common.h +@@ -41,7 +41,8 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, + + static inline void inet_ctl_sock_destroy(struct sock *sk) + { +- sock_release(sk->sk_socket); ++ if (sk) ++ sock_release(sk->sk_socket); + } + + #endif +diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h +index 5fa643b4e891..ff6d78ff68df 100644 +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -306,7 +306,7 @@ void fib_flush_external(struct net *net); + + /* Exported by fib_semantics.c */ + int ip_fib_check_default(__be32 gw, struct net_device *dev); +-int fib_sync_down_dev(struct net_device *dev, unsigned long event); ++int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force); + int fib_sync_down_addr(struct net *net, __be32 local); + int fib_sync_up(struct net_device *dev, unsigned int nh_flags); + void fib_select_multipath(struct fib_result *res); +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index f1a117f8cad2..0bec4588c3c8 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -401,6 +401,20 @@ static void hidp_idle_timeout(unsigned long arg) + { + struct hidp_session *session = (struct hidp_session *) arg; + ++ /* The HIDP user-space API only contains calls to add and remove ++ * devices. There is no way to forward events of any kind. Therefore, ++ * we have to forcefully disconnect a device on idle-timeouts. This is ++ * unfortunate and weird API design, but it is spec-compliant and ++ * required for backwards-compatibility. Hence, on idle-timeout, we ++ * signal driver-detach events, so poll() will be woken up with an ++ * error-condition on both sockets. ++ */ ++ ++ session->intr_sock->sk->sk_err = EUNATCH; ++ session->ctrl_sock->sk->sk_err = EUNATCH; ++ wake_up_interruptible(sk_sleep(session->intr_sock->sk)); ++ wake_up_interruptible(sk_sleep(session->ctrl_sock->sk)); ++ + hidp_session_terminate(session); + } + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 92720f3fe573..e32a9e4910da 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -3090,6 +3090,11 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, + } else { + u8 addr_type; + ++ if (cp->addr.type == BDADDR_LE_PUBLIC) ++ addr_type = ADDR_LE_DEV_PUBLIC; ++ else ++ addr_type = ADDR_LE_DEV_RANDOM; ++ + conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, + &cp->addr.bdaddr); + if (conn) { +@@ -3105,13 +3110,10 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, + */ + if (!cp->disconnect) + conn = NULL; ++ } else { ++ hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type); + } + +- if (cp->addr.type == BDADDR_LE_PUBLIC) +- addr_type = ADDR_LE_DEV_PUBLIC; +- else +- addr_type = ADDR_LE_DEV_RANDOM; +- + hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type); + + err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type); +diff --git a/net/core/dst.c b/net/core/dst.c +index 002144bea935..cc4a086ae09c 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -287,7 +287,7 @@ void dst_release(struct dst_entry *dst) + if (unlikely(newrefcnt < 0)) + net_warn_ratelimited("%s: dst:%p refcnt:%d\n", + __func__, dst, newrefcnt); +- if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) ++ if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE)) + call_rcu(&dst->rcu_head, dst_destroy_rcu); + } + } +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index 6bbc54940eb4..d7116cf4eba4 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -1063,9 +1063,10 @@ static void nl_fib_lookup_exit(struct net *net) + net->ipv4.fibnl = NULL; + } + +-static void fib_disable_ip(struct net_device *dev, unsigned long event) ++static void fib_disable_ip(struct net_device *dev, unsigned long event, ++ bool force) + { +- if (fib_sync_down_dev(dev, event)) ++ if (fib_sync_down_dev(dev, event, force)) + fib_flush(dev_net(dev)); + rt_cache_flush(dev_net(dev)); + arp_ifdown(dev); +@@ -1093,7 +1094,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event, + /* Last address was deleted from this interface. + * Disable IP. + */ +- fib_disable_ip(dev, event); ++ fib_disable_ip(dev, event, true); + } else { + rt_cache_flush(dev_net(dev)); + } +@@ -1110,7 +1111,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo + unsigned int flags; + + if (event == NETDEV_UNREGISTER) { +- fib_disable_ip(dev, event); ++ fib_disable_ip(dev, event, true); + rt_flush_dev(dev); + return NOTIFY_DONE; + } +@@ -1131,14 +1132,14 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo + rt_cache_flush(net); + break; + case NETDEV_DOWN: +- fib_disable_ip(dev, event); ++ fib_disable_ip(dev, event, false); + break; + case NETDEV_CHANGE: + flags = dev_get_flags(dev); + if (flags & (IFF_RUNNING | IFF_LOWER_UP)) + fib_sync_up(dev, RTNH_F_LINKDOWN); + else +- fib_sync_down_dev(dev, event); ++ fib_sync_down_dev(dev, event, false); + /* fall through */ + case NETDEV_CHANGEMTU: + rt_cache_flush(net); +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 3a06586b170c..71bad5c82445 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -1132,7 +1132,13 @@ int fib_sync_down_addr(struct net *net, __be32 local) + return ret; + } + +-int fib_sync_down_dev(struct net_device *dev, unsigned long event) ++/* Event force Flags Description ++ * NETDEV_CHANGE 0 LINKDOWN Carrier OFF, not for scope host ++ * NETDEV_DOWN 0 LINKDOWN|DEAD Link down, not for scope host ++ * NETDEV_DOWN 1 LINKDOWN|DEAD Last address removed ++ * NETDEV_UNREGISTER 1 LINKDOWN|DEAD Device removed ++ */ ++int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force) + { + int ret = 0; + int scope = RT_SCOPE_NOWHERE; +@@ -1141,8 +1147,7 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event) + struct hlist_head *head = &fib_info_devhash[hash]; + struct fib_nh *nh; + +- if (event == NETDEV_UNREGISTER || +- event == NETDEV_DOWN) ++ if (force) + scope = -1; + + hlist_for_each_entry(nh, head, nh_hash) { +@@ -1291,6 +1296,13 @@ int fib_sync_up(struct net_device *dev, unsigned int nh_flags) + if (!(dev->flags & IFF_UP)) + return 0; + ++ if (nh_flags & RTNH_F_DEAD) { ++ unsigned int flags = dev_get_flags(dev); ++ ++ if (flags & (IFF_RUNNING | IFF_LOWER_UP)) ++ nh_flags |= RTNH_F_LINKDOWN; ++ } ++ + prev_fi = NULL; + hash = fib_devindex_hashfn(dev->ifindex); + head = &fib_info_devhash[hash]; +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index b0c6258ffb79..ea3aedb7dd0e 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1561,7 +1561,7 @@ static struct key_vector *leaf_walk_rcu(struct key_vector **tn, t_key key) + do { + /* record parent and next child index */ + pn = n; +- cindex = key ? get_index(key, pn) : 0; ++ cindex = (key > pn->key) ? get_index(key, pn) : 0; + + if (cindex >> pn->bits) + break; +diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c +index 5aa46d4b44ef..5a8ee3282550 100644 +--- a/net/ipv4/gre_offload.c ++++ b/net/ipv4/gre_offload.c +@@ -36,7 +36,8 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb, + SKB_GSO_TCP_ECN | + SKB_GSO_GRE | + SKB_GSO_GRE_CSUM | +- SKB_GSO_IPIP))) ++ SKB_GSO_IPIP | ++ SKB_GSO_SIT))) + goto out; + + if (!skb->encapsulation) +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index 3a2c0162c3ba..df28693f32e1 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -1683,8 +1683,8 @@ static inline int ipmr_forward_finish(struct sock *sk, struct sk_buff *skb) + { + struct ip_options *opt = &(IPCB(skb)->opt); + +- IP_INC_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS); +- IP_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len); ++ IP_INC_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS); ++ IP_ADD_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len); + + if (unlikely(opt->optlen)) + ip_forward_options(skb); +@@ -1746,7 +1746,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt, + * to blackhole. + */ + +- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_FRAGFAILS); ++ IP_INC_STATS(dev_net(dev), IPSTATS_MIB_FRAGFAILS); + ip_rt_put(rt); + goto out_free; + } +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index 0330ab2e2b63..a1442c5a3e0c 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -47,14 +47,14 @@ static void set_local_port_range(struct net *net, int range[2]) + { + bool same_parity = !((range[0] ^ range[1]) & 1); + +- write_seqlock(&net->ipv4.ip_local_ports.lock); ++ write_seqlock_bh(&net->ipv4.ip_local_ports.lock); + if (same_parity && !net->ipv4.ip_local_ports.warned) { + net->ipv4.ip_local_ports.warned = true; + pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); + } + net->ipv4.ip_local_ports.range[0] = range[0]; + net->ipv4.ip_local_ports.range[1] = range[1]; +- write_sequnlock(&net->ipv4.ip_local_ports.lock); ++ write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); + } + + /* Validate changes from /proc interface. */ +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index b7dedd9d36d8..747a4c47e070 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3406,7 +3406,7 @@ static int tcp_xmit_probe_skb(struct sock *sk, int urgent, int mib) + */ + tcp_init_nondata_skb(skb, tp->snd_una - !urgent, TCPHDR_ACK); + skb_mstamp_get(&skb->skb_mstamp); +- NET_INC_STATS_BH(sock_net(sk), mib); ++ NET_INC_STATS(sock_net(sk), mib); + return tcp_transmit_skb(sk, skb, 0, GFP_ATOMIC); + } + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 21c2c818df3b..c8c1fea06003 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -411,6 +411,7 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev) + if (err) { + ipv6_mc_destroy_dev(ndev); + del_timer(&ndev->regen_timer); ++ snmp6_unregister_dev(ndev); + goto err_release; + } + /* protected by rtnl_lock */ +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index ac35a28599be..85c4b2fff504 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1394,34 +1394,20 @@ static int ipip6_tunnel_init(struct net_device *dev) + return 0; + } + +-static int __net_init ipip6_fb_tunnel_init(struct net_device *dev) ++static void __net_init ipip6_fb_tunnel_init(struct net_device *dev) + { + struct ip_tunnel *tunnel = netdev_priv(dev); + struct iphdr *iph = &tunnel->parms.iph; + struct net *net = dev_net(dev); + struct sit_net *sitn = net_generic(net, sit_net_id); + +- tunnel->dev = dev; +- tunnel->net = dev_net(dev); +- + iph->version = 4; + iph->protocol = IPPROTO_IPV6; + iph->ihl = 5; + iph->ttl = 64; + +- dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); +- if (!dev->tstats) +- return -ENOMEM; +- +- tunnel->dst_cache = alloc_percpu(struct ip_tunnel_dst); +- if (!tunnel->dst_cache) { +- free_percpu(dev->tstats); +- return -ENOMEM; +- } +- + dev_hold(dev); + rcu_assign_pointer(sitn->tunnels_wc[0], tunnel); +- return 0; + } + + static int ipip6_validate(struct nlattr *tb[], struct nlattr *data[]) +@@ -1831,23 +1817,19 @@ static int __net_init sit_init_net(struct net *net) + */ + sitn->fb_tunnel_dev->features |= NETIF_F_NETNS_LOCAL; + +- err = ipip6_fb_tunnel_init(sitn->fb_tunnel_dev); +- if (err) +- goto err_dev_free; +- +- ipip6_tunnel_clone_6rd(sitn->fb_tunnel_dev, sitn); + err = register_netdev(sitn->fb_tunnel_dev); + if (err) + goto err_reg_dev; + ++ ipip6_tunnel_clone_6rd(sitn->fb_tunnel_dev, sitn); ++ ipip6_fb_tunnel_init(sitn->fb_tunnel_dev); ++ + t = netdev_priv(sitn->fb_tunnel_dev); + + strcpy(t->parms.name, sitn->fb_tunnel_dev->name); + return 0; + + err_reg_dev: +- dev_put(sitn->fb_tunnel_dev); +-err_dev_free: + ipip6_dev_free(sitn->fb_tunnel_dev); + err_alloc_dev: + return err; +diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c +index a26c401ef4a4..43964594aa12 100644 +--- a/net/irda/irlmp.c ++++ b/net/irda/irlmp.c +@@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off) + for (element = hashbin_get_first(iter->hashbin); + element != NULL; + element = hashbin_get_next(iter->hashbin)) { +- if (!off || *off-- == 0) { ++ if (!off || (*off)-- == 0) { + /* NB: hashbin left locked */ + return element; + } +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 9b2cc278ac2a..33bf779df350 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -3378,7 +3378,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata, + + if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold && + ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) { +- int sig = ifmgd->ave_beacon_signal; ++ int sig = ifmgd->ave_beacon_signal / 16; + int last_sig = ifmgd->last_ave_beacon_signal; + struct ieee80211_event event = { + .type = RSSI_EVENT, +@@ -4999,6 +4999,25 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata, + return 0; + } + ++ if (ifmgd->assoc_data && ++ ether_addr_equal(ifmgd->assoc_data->bss->bssid, req->bssid)) { ++ sdata_info(sdata, ++ "aborting association with %pM by local choice (Reason: %u=%s)\n", ++ req->bssid, req->reason_code, ++ ieee80211_get_reason_code_string(req->reason_code)); ++ ++ drv_mgd_prepare_tx(sdata->local, sdata); ++ ieee80211_send_deauth_disassoc(sdata, req->bssid, ++ IEEE80211_STYPE_DEAUTH, ++ req->reason_code, tx, ++ frame_buf); ++ ieee80211_destroy_assoc_data(sdata, false); ++ ieee80211_report_disconnect(sdata, frame_buf, ++ sizeof(frame_buf), true, ++ req->reason_code); ++ return 0; ++ } ++ + if (ifmgd->associated && + ether_addr_equal(ifmgd->associated->bssid, req->bssid)) { + sdata_info(sdata, +diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h +index 6f14591d8ca9..0b13bfa6f32f 100644 +--- a/net/mac80211/trace.h ++++ b/net/mac80211/trace.h +@@ -33,11 +33,11 @@ + __field(u32, chan_width) \ + __field(u32, center_freq1) \ + __field(u32, center_freq2) +-#define CHANDEF_ASSIGN(c) \ +- __entry->control_freq = (c)->chan ? (c)->chan->center_freq : 0; \ +- __entry->chan_width = (c)->width; \ +- __entry->center_freq1 = (c)->center_freq1; \ +- __entry->center_freq2 = (c)->center_freq2; ++#define CHANDEF_ASSIGN(c) \ ++ __entry->control_freq = (c) ? ((c)->chan ? (c)->chan->center_freq : 0) : 0; \ ++ __entry->chan_width = (c) ? (c)->width : 0; \ ++ __entry->center_freq1 = (c) ? (c)->center_freq1 : 0; \ ++ __entry->center_freq2 = (c) ? (c)->center_freq2 : 0; + #define CHANDEF_PR_FMT " control:%d MHz width:%d center: %d/%d MHz" + #define CHANDEF_PR_ARG __entry->control_freq, __entry->chan_width, \ + __entry->center_freq1, __entry->center_freq2 +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 43e5aadd7a89..f5fa8c09cb42 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -2984,6 +2984,13 @@ ieee80211_extend_noa_desc(struct ieee80211_noa_data *data, u32 tsf, int i) + if (end > 0) + return false; + ++ /* One shot NOA */ ++ if (data->count[i] == 1) ++ return false; ++ ++ if (data->desc[i].interval == 0) ++ return false; ++ + /* End time is in the past, check for repetitions */ + skip = DIV_ROUND_UP(-end, data->desc[i].interval); + if (data->count[i] < 255) { +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index a133d16eb053..8b158f71bff6 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2346,7 +2346,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname, + int pos, idx, shift; + + err = 0; +- netlink_table_grab(); ++ netlink_lock_table(); + for (pos = 0; pos * 8 < nlk->ngroups; pos += sizeof(u32)) { + if (len - pos < sizeof(u32)) + break; +@@ -2361,7 +2361,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname, + } + if (put_user(ALIGN(nlk->ngroups / 8, sizeof(u32)), optlen)) + err = -EFAULT; +- netlink_table_ungrab(); ++ netlink_unlock_table(); + break; + } + default: +diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c +index 609f92283d1b..30b09f04c142 100644 +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -101,6 +101,20 @@ struct nci_hcp_packet { + #define NCI_HCP_MSG_GET_CMD(header) (header & 0x3f) + #define NCI_HCP_MSG_GET_PIPE(header) (header & 0x7f) + ++static int nci_hci_result_to_errno(u8 result) ++{ ++ switch (result) { ++ case NCI_HCI_ANY_OK: ++ return 0; ++ case NCI_HCI_ANY_E_REG_PAR_UNKNOWN: ++ return -EOPNOTSUPP; ++ case NCI_HCI_ANY_E_TIMEOUT: ++ return -ETIME; ++ default: ++ return -1; ++ } ++} ++ + /* HCI core */ + static void nci_hci_reset_pipes(struct nci_hci_dev *hdev) + { +@@ -146,18 +160,18 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + if (!conn_info) + return -EPROTO; + +- skb = nci_skb_alloc(ndev, 2 + conn_info->max_pkt_payload_len + ++ i = 0; ++ skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len + + NCI_DATA_HDR_SIZE, GFP_KERNEL); + if (!skb) + return -ENOMEM; + +- skb_reserve(skb, 2 + NCI_DATA_HDR_SIZE); ++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 2); + *skb_push(skb, 1) = data_type; + +- i = 0; +- len = conn_info->max_pkt_payload_len; +- + do { ++ len = conn_info->max_pkt_payload_len; ++ + /* If last packet add NCI_HFP_NO_CHAINING */ + if (i + conn_info->max_pkt_payload_len - + (skb->len + 1) >= data_len) { +@@ -177,9 +191,15 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + return r; + + i += len; ++ + if (i < data_len) { +- skb_trim(skb, 0); +- skb_pull(skb, len); ++ skb = nci_skb_alloc(ndev, ++ conn_info->max_pkt_payload_len + ++ NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ if (!skb) ++ return -ENOMEM; ++ ++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 1); + } + } while (i < data_len); + +@@ -212,7 +232,8 @@ int nci_hci_send_cmd(struct nci_dev *ndev, u8 gate, u8 cmd, + const u8 *param, size_t param_len, + struct sk_buff **skb) + { +- struct nci_conn_info *conn_info; ++ struct nci_hcp_message *message; ++ struct nci_conn_info *conn_info; + struct nci_data data; + int r; + u8 pipe = ndev->hci_dev->gate2pipe[gate]; +@@ -232,9 +253,15 @@ int nci_hci_send_cmd(struct nci_dev *ndev, u8 gate, u8 cmd, + + r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data, + msecs_to_jiffies(NCI_DATA_TIMEOUT)); +- +- if (r == NCI_STATUS_OK && skb) +- *skb = conn_info->rx_skb; ++ if (r == NCI_STATUS_OK) { ++ message = (struct nci_hcp_message *)conn_info->rx_skb->data; ++ r = nci_hci_result_to_errno( ++ NCI_HCP_MSG_GET_CMD(message->header)); ++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN); ++ ++ if (!r && skb) ++ *skb = conn_info->rx_skb; ++ } + + return r; + } +@@ -328,9 +355,6 @@ static void nci_hci_resp_received(struct nci_dev *ndev, u8 pipe, + struct nci_conn_info *conn_info; + u8 status = result; + +- if (result != NCI_HCI_ANY_OK) +- goto exit; +- + conn_info = ndev->hci_dev->conn_info; + if (!conn_info) { + status = NCI_STATUS_REJECTED; +@@ -340,7 +364,7 @@ static void nci_hci_resp_received(struct nci_dev *ndev, u8 pipe, + conn_info->rx_skb = skb; + + exit: +- nci_req_complete(ndev, status); ++ nci_req_complete(ndev, NCI_STATUS_OK); + } + + /* Receive hcp message for pipe, with type and cmd. +@@ -378,7 +402,7 @@ static void nci_hci_msg_rx_work(struct work_struct *work) + u8 pipe, type, instruction; + + while ((skb = skb_dequeue(&hdev->msg_rx_queue)) != NULL) { +- pipe = skb->data[0]; ++ pipe = NCI_HCP_MSG_GET_PIPE(skb->data[0]); + skb_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN); + message = (struct nci_hcp_message *)skb->data; + type = NCI_HCP_MSG_GET_TYPE(message->header); +@@ -395,7 +419,7 @@ void nci_hci_data_received_cb(void *context, + { + struct nci_dev *ndev = (struct nci_dev *)context; + struct nci_hcp_packet *packet; +- u8 pipe, type, instruction; ++ u8 pipe, type; + struct sk_buff *hcp_skb; + struct sk_buff *frag_skb; + int msg_len; +@@ -415,7 +439,7 @@ void nci_hci_data_received_cb(void *context, + + /* it's the last fragment. Does it need re-aggregation? */ + if (skb_queue_len(&ndev->hci_dev->rx_hcp_frags)) { +- pipe = packet->header & NCI_HCI_FRAGMENT; ++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header); + skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb); + + msg_len = 0; +@@ -434,7 +458,7 @@ void nci_hci_data_received_cb(void *context, + *skb_put(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN) = pipe; + + skb_queue_walk(&ndev->hci_dev->rx_hcp_frags, frag_skb) { +- msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN; ++ msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN; + memcpy(skb_put(hcp_skb, msg_len), frag_skb->data + + NCI_HCI_HCP_PACKET_HEADER_LEN, msg_len); + } +@@ -452,11 +476,10 @@ void nci_hci_data_received_cb(void *context, + packet = (struct nci_hcp_packet *)hcp_skb->data; + type = NCI_HCP_MSG_GET_TYPE(packet->message.header); + if (type == NCI_HCI_HCP_RESPONSE) { +- pipe = packet->header; +- instruction = NCI_HCP_MSG_GET_CMD(packet->message.header); +- skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN + +- NCI_HCI_HCP_MESSAGE_HEADER_LEN); +- nci_hci_hcp_message_rx(ndev, pipe, type, instruction, hcp_skb); ++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header); ++ skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN); ++ nci_hci_hcp_message_rx(ndev, pipe, type, ++ NCI_STATUS_OK, hcp_skb); + } else { + skb_queue_tail(&ndev->hci_dev->msg_rx_queue, hcp_skb); + schedule_work(&ndev->hci_dev->msg_rx_work); +@@ -488,6 +511,7 @@ EXPORT_SYMBOL(nci_hci_open_pipe); + int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx, + const u8 *param, size_t param_len) + { ++ struct nci_hcp_message *message; + struct nci_conn_info *conn_info; + struct nci_data data; + int r; +@@ -520,6 +544,12 @@ int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx, + r = nci_request(ndev, nci_hci_send_data_req, + (unsigned long)&data, + msecs_to_jiffies(NCI_DATA_TIMEOUT)); ++ if (r == NCI_STATUS_OK) { ++ message = (struct nci_hcp_message *)conn_info->rx_skb->data; ++ r = nci_hci_result_to_errno( ++ NCI_HCP_MSG_GET_CMD(message->header)); ++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN); ++ } + + kfree(tmp); + return r; +@@ -529,6 +559,7 @@ EXPORT_SYMBOL(nci_hci_set_param); + int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx, + struct sk_buff **skb) + { ++ struct nci_hcp_message *message; + struct nci_conn_info *conn_info; + struct nci_data data; + int r; +@@ -553,8 +584,15 @@ int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx, + r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data, + msecs_to_jiffies(NCI_DATA_TIMEOUT)); + +- if (r == NCI_STATUS_OK) +- *skb = conn_info->rx_skb; ++ if (r == NCI_STATUS_OK) { ++ message = (struct nci_hcp_message *)conn_info->rx_skb->data; ++ r = nci_hci_result_to_errno( ++ NCI_HCP_MSG_GET_CMD(message->header)); ++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN); ++ ++ if (!r && skb) ++ *skb = conn_info->rx_skb; ++ } + + return r; + } +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 7851b1222a36..71cb085e16fd 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2784,22 +2784,40 @@ static int packet_release(struct socket *sock) + * Attach a packet hook. + */ + +-static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) ++static int packet_do_bind(struct sock *sk, const char *name, int ifindex, ++ __be16 proto) + { + struct packet_sock *po = pkt_sk(sk); + struct net_device *dev_curr; + __be16 proto_curr; + bool need_rehook; ++ struct net_device *dev = NULL; ++ int ret = 0; ++ bool unlisted = false; + +- if (po->fanout) { +- if (dev) +- dev_put(dev); +- ++ if (po->fanout) + return -EINVAL; +- } + + lock_sock(sk); + spin_lock(&po->bind_lock); ++ rcu_read_lock(); ++ ++ if (name) { ++ dev = dev_get_by_name_rcu(sock_net(sk), name); ++ if (!dev) { ++ ret = -ENODEV; ++ goto out_unlock; ++ } ++ } else if (ifindex) { ++ dev = dev_get_by_index_rcu(sock_net(sk), ifindex); ++ if (!dev) { ++ ret = -ENODEV; ++ goto out_unlock; ++ } ++ } ++ ++ if (dev) ++ dev_hold(dev); + + proto_curr = po->prot_hook.type; + dev_curr = po->prot_hook.dev; +@@ -2807,14 +2825,29 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) + need_rehook = proto_curr != proto || dev_curr != dev; + + if (need_rehook) { +- unregister_prot_hook(sk, true); ++ if (po->running) { ++ rcu_read_unlock(); ++ __unregister_prot_hook(sk, true); ++ rcu_read_lock(); ++ dev_curr = po->prot_hook.dev; ++ if (dev) ++ unlisted = !dev_get_by_index_rcu(sock_net(sk), ++ dev->ifindex); ++ } + + po->num = proto; + po->prot_hook.type = proto; +- po->prot_hook.dev = dev; + +- po->ifindex = dev ? dev->ifindex : 0; +- packet_cached_dev_assign(po, dev); ++ if (unlikely(unlisted)) { ++ dev_put(dev); ++ po->prot_hook.dev = NULL; ++ po->ifindex = -1; ++ packet_cached_dev_reset(po); ++ } else { ++ po->prot_hook.dev = dev; ++ po->ifindex = dev ? dev->ifindex : 0; ++ packet_cached_dev_assign(po, dev); ++ } + } + if (dev_curr) + dev_put(dev_curr); +@@ -2822,7 +2855,7 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) + if (proto == 0 || !need_rehook) + goto out_unlock; + +- if (!dev || (dev->flags & IFF_UP)) { ++ if (!unlisted && (!dev || (dev->flags & IFF_UP))) { + register_prot_hook(sk); + } else { + sk->sk_err = ENETDOWN; +@@ -2831,9 +2864,10 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) + } + + out_unlock: ++ rcu_read_unlock(); + spin_unlock(&po->bind_lock); + release_sock(sk); +- return 0; ++ return ret; + } + + /* +@@ -2845,8 +2879,6 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, + { + struct sock *sk = sock->sk; + char name[15]; +- struct net_device *dev; +- int err = -ENODEV; + + /* + * Check legality +@@ -2856,19 +2888,13 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, + return -EINVAL; + strlcpy(name, uaddr->sa_data, sizeof(name)); + +- dev = dev_get_by_name(sock_net(sk), name); +- if (dev) +- err = packet_do_bind(sk, dev, pkt_sk(sk)->num); +- return err; ++ return packet_do_bind(sk, name, 0, pkt_sk(sk)->num); + } + + static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + { + struct sockaddr_ll *sll = (struct sockaddr_ll *)uaddr; + struct sock *sk = sock->sk; +- struct net_device *dev = NULL; +- int err; +- + + /* + * Check legality +@@ -2879,16 +2905,8 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len + if (sll->sll_family != AF_PACKET) + return -EINVAL; + +- if (sll->sll_ifindex) { +- err = -ENODEV; +- dev = dev_get_by_index(sock_net(sk), sll->sll_ifindex); +- if (dev == NULL) +- goto out; +- } +- err = packet_do_bind(sk, dev, sll->sll_protocol ? : pkt_sk(sk)->num); +- +-out: +- return err; ++ return packet_do_bind(sk, NULL, sll->sll_ifindex, ++ sll->sll_protocol ? : pkt_sk(sk)->num); + } + + static struct proto packet_proto = { +diff --git a/net/rds/connection.c b/net/rds/connection.c +index da6da57e5f36..9d66705f9d41 100644 +--- a/net/rds/connection.c ++++ b/net/rds/connection.c +@@ -187,6 +187,12 @@ new_conn: + } + } + ++ if (trans == NULL) { ++ kmem_cache_free(rds_conn_slab, conn); ++ conn = ERR_PTR(-ENODEV); ++ goto out; ++ } ++ + conn->c_trans = trans; + + ret = trans->conn_alloc(conn, gfp); +diff --git a/net/rds/tcp_recv.c b/net/rds/tcp_recv.c +index fbc5ef88bc0e..27a992154804 100644 +--- a/net/rds/tcp_recv.c ++++ b/net/rds/tcp_recv.c +@@ -214,8 +214,15 @@ static int rds_tcp_data_recv(read_descriptor_t *desc, struct sk_buff *skb, + } + + to_copy = min(tc->t_tinc_data_rem, left); +- pskb_pull(clone, offset); +- pskb_trim(clone, to_copy); ++ if (!pskb_pull(clone, offset) || ++ pskb_trim(clone, to_copy)) { ++ pr_warn("rds_tcp_data_recv: pull/trim failed " ++ "left %zu data_rem %zu skb_len %d\n", ++ left, tc->t_tinc_data_rem, skb->len); ++ kfree_skb(clone); ++ desc->error = -ENOMEM; ++ goto out; ++ } + skb_queue_tail(&tinc->ti_skb_list, clone); + + rdsdebug("skb %p data %p len %d off %u to_copy %zu -> " +diff --git a/net/tipc/msg.c b/net/tipc/msg.c +index 08b4cc7d496d..b3a393104b17 100644 +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -121,7 +121,7 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + { + struct sk_buff *head = *headbuf; + struct sk_buff *frag = *buf; +- struct sk_buff *tail; ++ struct sk_buff *tail = NULL; + struct tipc_msg *msg; + u32 fragid; + int delta; +@@ -141,9 +141,15 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + if (unlikely(skb_unclone(frag, GFP_ATOMIC))) + goto err; + head = *headbuf = frag; +- skb_frag_list_init(head); +- TIPC_SKB_CB(head)->tail = NULL; + *buf = NULL; ++ TIPC_SKB_CB(head)->tail = NULL; ++ if (skb_is_nonlinear(head)) { ++ skb_walk_frags(head, tail) { ++ TIPC_SKB_CB(head)->tail = tail; ++ } ++ } else { ++ skb_frag_list_init(head); ++ } + return 0; + } + +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c +index 66deebc66aa1..f8dfee5072c0 100644 +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -48,6 +48,7 @@ + #include + #include "core.h" + #include "bearer.h" ++#include "msg.h" + + /* IANA assigned UDP port */ + #define UDP_PORT_DEFAULT 6118 +@@ -216,6 +217,10 @@ static int tipc_udp_recv(struct sock *sk, struct sk_buff *skb) + { + struct udp_bearer *ub; + struct tipc_bearer *b; ++ int usr = msg_user(buf_msg(skb)); ++ ++ if ((usr == LINK_PROTOCOL) || (usr == NAME_DISTRIBUTOR)) ++ skb_linearize(skb); + + ub = rcu_dereference_sk_user_data(sk); + if (!ub) { +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 76b41578a838..d059cf31d754 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3408,12 +3408,6 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + wdev->iftype)) + return -EINVAL; + +- if (info->attrs[NL80211_ATTR_ACL_POLICY]) { +- params.acl = parse_acl_data(&rdev->wiphy, info); +- if (IS_ERR(params.acl)) +- return PTR_ERR(params.acl); +- } +- + if (info->attrs[NL80211_ATTR_SMPS_MODE]) { + params.smps_mode = + nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]); +@@ -3437,6 +3431,12 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + params.smps_mode = NL80211_SMPS_OFF; + } + ++ if (info->attrs[NL80211_ATTR_ACL_POLICY]) { ++ params.acl = parse_acl_data(&rdev->wiphy, info); ++ if (IS_ERR(params.acl)) ++ return PTR_ERR(params.acl); ++ } ++ + wdev_lock(wdev); + err = rdev_start_ap(rdev, dev, ¶ms); + if (!err) { +diff --git a/sound/usb/midi.c b/sound/usb/midi.c +index 417ebb11cf48..bec63e0d2605 100644 +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -174,6 +174,8 @@ struct snd_usb_midi_in_endpoint { + u8 running_status_length; + } ports[0x10]; + u8 seen_f5; ++ bool in_sysex; ++ u8 last_cin; + u8 error_resubmit; + int current_port; + }; +@@ -468,6 +470,39 @@ static void snd_usbmidi_maudio_broken_running_status_input( + } + + /* ++ * QinHeng CH345 is buggy: every second packet inside a SysEx has not CIN 4 ++ * but the previously seen CIN, but still with three data bytes. ++ */ ++static void ch345_broken_sysex_input(struct snd_usb_midi_in_endpoint *ep, ++ uint8_t *buffer, int buffer_length) ++{ ++ unsigned int i, cin, length; ++ ++ for (i = 0; i + 3 < buffer_length; i += 4) { ++ if (buffer[i] == 0 && i > 0) ++ break; ++ cin = buffer[i] & 0x0f; ++ if (ep->in_sysex && ++ cin == ep->last_cin && ++ (buffer[i + 1 + (cin == 0x6)] & 0x80) == 0) ++ cin = 0x4; ++#if 0 ++ if (buffer[i + 1] == 0x90) { ++ /* ++ * Either a corrupted running status or a real note-on ++ * message; impossible to detect reliably. ++ */ ++ } ++#endif ++ length = snd_usbmidi_cin_length[cin]; ++ snd_usbmidi_input_data(ep, 0, &buffer[i + 1], length); ++ ep->in_sysex = cin == 0x4; ++ if (!ep->in_sysex) ++ ep->last_cin = cin; ++ } ++} ++ ++/* + * CME protocol: like the standard protocol, but SysEx commands are sent as a + * single USB packet preceded by a 0x0F byte. + */ +@@ -660,6 +695,12 @@ static struct usb_protocol_ops snd_usbmidi_cme_ops = { + .output_packet = snd_usbmidi_output_standard_packet, + }; + ++static struct usb_protocol_ops snd_usbmidi_ch345_broken_sysex_ops = { ++ .input = ch345_broken_sysex_input, ++ .output = snd_usbmidi_standard_output, ++ .output_packet = snd_usbmidi_output_standard_packet, ++}; ++ + /* + * AKAI MPD16 protocol: + * +@@ -1341,6 +1382,7 @@ static int snd_usbmidi_out_endpoint_create(struct snd_usb_midi *umidi, + * Various chips declare a packet size larger than 4 bytes, but + * do not actually work with larger packets: + */ ++ case USB_ID(0x0a67, 0x5011): /* Medeli DD305 */ + case USB_ID(0x0a92, 0x1020): /* ESI M4U */ + case USB_ID(0x1430, 0x474b): /* RedOctane GH MIDI INTERFACE */ + case USB_ID(0x15ca, 0x0101): /* Textech USB Midi Cable */ +@@ -2375,6 +2417,10 @@ int snd_usbmidi_create(struct snd_card *card, + + err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); + break; ++ case QUIRK_MIDI_CH345: ++ umidi->usb_protocol_ops = &snd_usbmidi_ch345_broken_sysex_ops; ++ err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); ++ break; + default: + dev_err(&umidi->dev->dev, "invalid quirk type %d\n", + quirk->type); +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index e4756651a52c..ecc2a4ea014d 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -2820,6 +2820,17 @@ YAMAHA_DEVICE(0x7010, "UB99"), + .idProduct = 0x1020, + }, + ++/* QinHeng devices */ ++{ ++ USB_DEVICE(0x1a86, 0x752d), ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { ++ .vendor_name = "QinHeng", ++ .product_name = "CH345", ++ .ifnum = 1, ++ .type = QUIRK_MIDI_CH345 ++ } ++}, ++ + /* KeithMcMillen Stringport */ + { + USB_DEVICE(0x1f38, 0x0001), +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 00ebc0ca008e..eef9b8e4b949 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -535,6 +535,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip, + [QUIRK_MIDI_CME] = create_any_midi_quirk, + [QUIRK_MIDI_AKAI] = create_any_midi_quirk, + [QUIRK_MIDI_FTDI] = create_any_midi_quirk, ++ [QUIRK_MIDI_CH345] = create_any_midi_quirk, + [QUIRK_AUDIO_STANDARD_INTERFACE] = create_standard_audio_quirk, + [QUIRK_AUDIO_FIXED_ENDPOINT] = create_fixed_stream_quirk, + [QUIRK_AUDIO_EDIROL_UAXX] = create_uaxx_quirk, +@@ -1271,6 +1272,7 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip, + case USB_ID(0x20b1, 0x000a): /* Gustard DAC-X20U */ + case USB_ID(0x20b1, 0x2009): /* DIYINHK DSD DXD 384kHz USB to I2S/DSD */ + case USB_ID(0x20b1, 0x2023): /* JLsounds I2SoverUSB */ ++ case USB_ID(0x20b1, 0x3023): /* Aune X1S 32BIT/384 DSD DAC */ + if (fp->altsetting == 3) + return SNDRV_PCM_FMTBIT_DSD_U32_BE; + break; +diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h +index 91d0380431b4..991aa84491cd 100644 +--- a/sound/usb/usbaudio.h ++++ b/sound/usb/usbaudio.h +@@ -94,6 +94,7 @@ enum quirk_type { + QUIRK_MIDI_AKAI, + QUIRK_MIDI_US122L, + QUIRK_MIDI_FTDI, ++ QUIRK_MIDI_CH345, + QUIRK_AUDIO_STANDARD_INTERFACE, + QUIRK_AUDIO_FIXED_ENDPOINT, + QUIRK_AUDIO_EDIROL_UAXX, diff --git a/patch/kernel/odroidxu-next/patch-4.2.7-8.patch b/patch/kernel/odroidxu-next/patch-4.2.7-8.patch new file mode 100644 index 000000000..7aca417ed --- /dev/null +++ b/patch/kernel/odroidxu-next/patch-4.2.7-8.patch @@ -0,0 +1,3882 @@ +diff --git a/Makefile b/Makefile +index f5014eaf2532..06b988951ccb 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 2 +-SUBLEVEL = 7 ++SUBLEVEL = 8 + EXTRAVERSION = + NAME = Hurr durr I'ma sheep + +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index 017b7d58ae06..55f8a6a706fc 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -3439,6 +3439,7 @@ static void rbd_queue_workfn(struct work_struct *work) + goto err_rq; + } + img_request->rq = rq; ++ snapc = NULL; /* img_request consumes a ref */ + + if (op_type == OBJ_OP_DISCARD) + result = rbd_img_request_fill(img_request, OBJ_REQUEST_NODATA, +diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c +index f51d376d10ba..c2f5117fd8cb 100644 +--- a/drivers/firewire/ohci.c ++++ b/drivers/firewire/ohci.c +@@ -3675,6 +3675,11 @@ static int pci_probe(struct pci_dev *dev, + + reg_write(ohci, OHCI1394_IsoXmitIntMaskSet, ~0); + ohci->it_context_support = reg_read(ohci, OHCI1394_IsoXmitIntMaskSet); ++ /* JMicron JMB38x often shows 0 at first read, just ignore it */ ++ if (!ohci->it_context_support) { ++ ohci_notice(ohci, "overriding IsoXmitIntMask\n"); ++ ohci->it_context_support = 0xf; ++ } + reg_write(ohci, OHCI1394_IsoXmitIntMaskClear, ~0); + ohci->it_context_mask = ohci->it_context_support; + ohci->n_it = hweight32(ohci->it_context_mask); +diff --git a/drivers/media/pci/cobalt/Kconfig b/drivers/media/pci/cobalt/Kconfig +index 6a1c0089bb62..4ecf171d14a2 100644 +--- a/drivers/media/pci/cobalt/Kconfig ++++ b/drivers/media/pci/cobalt/Kconfig +@@ -1,6 +1,6 @@ + config VIDEO_COBALT + tristate "Cisco Cobalt support" +- depends on VIDEO_V4L2 && I2C && MEDIA_CONTROLLER ++ depends on VIDEO_V4L2 && I2C && VIDEO_V4L2_SUBDEV_API + depends on PCI_MSI && MTD_COMPLEX_MAPPINGS && GPIOLIB + depends on SND + select I2C_ALGOBIT +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +index 3b90afb8c293..6f2a748524f3 100644 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -1325,7 +1325,12 @@ err_disable_device: + static void nicvf_remove(struct pci_dev *pdev) + { + struct net_device *netdev = pci_get_drvdata(pdev); +- struct nicvf *nic = netdev_priv(netdev); ++ struct nicvf *nic; ++ ++ if (!netdev) ++ return; ++ ++ nic = netdev_priv(netdev); + + unregister_netdev(netdev); + nicvf_unregister_interrupts(nic); +diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +index 731423ca575d..8bead97373ab 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c ++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +@@ -4934,26 +4934,41 @@ static void rem_slave_counters(struct mlx4_dev *dev, int slave) + struct res_counter *counter; + struct res_counter *tmp; + int err; +- int index; ++ int *counters_arr = NULL; ++ int i, j; + + err = move_all_busy(dev, slave, RES_COUNTER); + if (err) + mlx4_warn(dev, "rem_slave_counters: Could not move all counters - too busy for slave %d\n", + slave); + +- spin_lock_irq(mlx4_tlock(dev)); +- list_for_each_entry_safe(counter, tmp, counter_list, com.list) { +- if (counter->com.owner == slave) { +- index = counter->com.res_id; +- rb_erase(&counter->com.node, +- &tracker->res_tree[RES_COUNTER]); +- list_del(&counter->com.list); +- kfree(counter); +- __mlx4_counter_free(dev, index); ++ counters_arr = kmalloc_array(dev->caps.max_counters, ++ sizeof(*counters_arr), GFP_KERNEL); ++ if (!counters_arr) ++ return; ++ ++ do { ++ i = 0; ++ j = 0; ++ spin_lock_irq(mlx4_tlock(dev)); ++ list_for_each_entry_safe(counter, tmp, counter_list, com.list) { ++ if (counter->com.owner == slave) { ++ counters_arr[i++] = counter->com.res_id; ++ rb_erase(&counter->com.node, ++ &tracker->res_tree[RES_COUNTER]); ++ list_del(&counter->com.list); ++ kfree(counter); ++ } ++ } ++ spin_unlock_irq(mlx4_tlock(dev)); ++ ++ while (j < i) { ++ __mlx4_counter_free(dev, counters_arr[j++]); + mlx4_release_resource(dev, slave, RES_COUNTER, 1, 0); + } +- } +- spin_unlock_irq(mlx4_tlock(dev)); ++ } while (i); ++ ++ kfree(counters_arr); + } + + static void rem_slave_xrcdns(struct mlx4_dev *dev, int slave) +diff --git a/drivers/net/ethernet/via/via-rhine.c b/drivers/net/ethernet/via/via-rhine.c +index a83263743665..2b7550c43f78 100644 +--- a/drivers/net/ethernet/via/via-rhine.c ++++ b/drivers/net/ethernet/via/via-rhine.c +@@ -2134,10 +2134,11 @@ static int rhine_rx(struct net_device *dev, int limit) + } + + skb_put(skb, pkt_len); +- skb->protocol = eth_type_trans(skb, dev); + + rhine_rx_vlan_tag(skb, desc, data_size); + ++ skb->protocol = eth_type_trans(skb, dev); ++ + netif_receive_skb(skb); + + u64_stats_update_begin(&rp->rx_stats.syncp); +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c +index 9c71295f2fef..85e640440bd9 100644 +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -675,7 +675,7 @@ static struct mdio_device_id __maybe_unused broadcom_tbl[] = { + { PHY_ID_BCM5461, 0xfffffff0 }, + { PHY_ID_BCM54616S, 0xfffffff0 }, + { PHY_ID_BCM5464, 0xfffffff0 }, +- { PHY_ID_BCM5482, 0xfffffff0 }, ++ { PHY_ID_BCM5481, 0xfffffff0 }, + { PHY_ID_BCM5482, 0xfffffff0 }, + { PHY_ID_BCM50610, 0xfffffff0 }, + { PHY_ID_BCM50610M, 0xfffffff0 }, +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 8f1738c3b3c5..de27f510c0f3 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -775,6 +775,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ + {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */ ++ {QMI_FIXED_INTF(0x1c9e, 0x9b01, 3)}, /* XS Stick W100-2 from 4G Systems */ + {QMI_FIXED_INTF(0x0b3c, 0xc000, 4)}, /* Olivetti Olicard 100 */ + {QMI_FIXED_INTF(0x0b3c, 0xc001, 4)}, /* Olivetti Olicard 120 */ + {QMI_FIXED_INTF(0x0b3c, 0xc002, 4)}, /* Olivetti Olicard 140 */ +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index aac314e14188..bb25b8d00570 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -3404,7 +3404,7 @@ int btrfs_set_disk_extent_flags(struct btrfs_trans_handle *trans, + int btrfs_free_extent(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + u64 bytenr, u64 num_bytes, u64 parent, u64 root_objectid, +- u64 owner, u64 offset, int no_quota); ++ u64 owner, u64 offset); + + int btrfs_free_reserved_extent(struct btrfs_root *root, u64 start, u64 len, + int delalloc); +@@ -3417,7 +3417,7 @@ int btrfs_finish_extent_commit(struct btrfs_trans_handle *trans, + int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + u64 bytenr, u64 num_bytes, u64 parent, +- u64 root_objectid, u64 owner, u64 offset, int no_quota); ++ u64 root_objectid, u64 owner, u64 offset); + + int btrfs_start_dirty_block_groups(struct btrfs_trans_handle *trans, + struct btrfs_root *root); +diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c +index ac3e81da6d4e..7832031fef68 100644 +--- a/fs/btrfs/delayed-ref.c ++++ b/fs/btrfs/delayed-ref.c +@@ -197,6 +197,119 @@ static inline void drop_delayed_ref(struct btrfs_trans_handle *trans, + trans->delayed_ref_updates--; + } + ++static bool merge_ref(struct btrfs_trans_handle *trans, ++ struct btrfs_delayed_ref_root *delayed_refs, ++ struct btrfs_delayed_ref_head *head, ++ struct btrfs_delayed_ref_node *ref, ++ u64 seq) ++{ ++ struct btrfs_delayed_ref_node *next; ++ bool done = false; ++ ++ next = list_first_entry(&head->ref_list, struct btrfs_delayed_ref_node, ++ list); ++ while (!done && &next->list != &head->ref_list) { ++ int mod; ++ struct btrfs_delayed_ref_node *next2; ++ ++ next2 = list_next_entry(next, list); ++ ++ if (next == ref) ++ goto next; ++ ++ if (seq && next->seq >= seq) ++ goto next; ++ ++ if (next->type != ref->type) ++ goto next; ++ ++ if ((ref->type == BTRFS_TREE_BLOCK_REF_KEY || ++ ref->type == BTRFS_SHARED_BLOCK_REF_KEY) && ++ comp_tree_refs(btrfs_delayed_node_to_tree_ref(ref), ++ btrfs_delayed_node_to_tree_ref(next), ++ ref->type)) ++ goto next; ++ if ((ref->type == BTRFS_EXTENT_DATA_REF_KEY || ++ ref->type == BTRFS_SHARED_DATA_REF_KEY) && ++ comp_data_refs(btrfs_delayed_node_to_data_ref(ref), ++ btrfs_delayed_node_to_data_ref(next))) ++ goto next; ++ ++ if (ref->action == next->action) { ++ mod = next->ref_mod; ++ } else { ++ if (ref->ref_mod < next->ref_mod) { ++ swap(ref, next); ++ done = true; ++ } ++ mod = -next->ref_mod; ++ } ++ ++ drop_delayed_ref(trans, delayed_refs, head, next); ++ ref->ref_mod += mod; ++ if (ref->ref_mod == 0) { ++ drop_delayed_ref(trans, delayed_refs, head, ref); ++ done = true; ++ } else { ++ /* ++ * Can't have multiples of the same ref on a tree block. ++ */ ++ WARN_ON(ref->type == BTRFS_TREE_BLOCK_REF_KEY || ++ ref->type == BTRFS_SHARED_BLOCK_REF_KEY); ++ } ++next: ++ next = next2; ++ } ++ ++ return done; ++} ++ ++void btrfs_merge_delayed_refs(struct btrfs_trans_handle *trans, ++ struct btrfs_fs_info *fs_info, ++ struct btrfs_delayed_ref_root *delayed_refs, ++ struct btrfs_delayed_ref_head *head) ++{ ++ struct btrfs_delayed_ref_node *ref; ++ u64 seq = 0; ++ ++ assert_spin_locked(&head->lock); ++ ++ if (list_empty(&head->ref_list)) ++ return; ++ ++ /* We don't have too many refs to merge for data. */ ++ if (head->is_data) ++ return; ++ ++ spin_lock(&fs_info->tree_mod_seq_lock); ++ if (!list_empty(&fs_info->tree_mod_seq_list)) { ++ struct seq_list *elem; ++ ++ elem = list_first_entry(&fs_info->tree_mod_seq_list, ++ struct seq_list, list); ++ seq = elem->seq; ++ } ++ spin_unlock(&fs_info->tree_mod_seq_lock); ++ ++ ref = list_first_entry(&head->ref_list, struct btrfs_delayed_ref_node, ++ list); ++ while (&ref->list != &head->ref_list) { ++ if (seq && ref->seq >= seq) ++ goto next; ++ ++ if (merge_ref(trans, delayed_refs, head, ref, seq)) { ++ if (list_empty(&head->ref_list)) ++ break; ++ ref = list_first_entry(&head->ref_list, ++ struct btrfs_delayed_ref_node, ++ list); ++ continue; ++ } ++next: ++ ref = list_next_entry(ref, list); ++ } ++} ++ + int btrfs_check_delayed_seq(struct btrfs_fs_info *fs_info, + struct btrfs_delayed_ref_root *delayed_refs, + u64 seq) +@@ -292,8 +405,7 @@ add_delayed_ref_tail_merge(struct btrfs_trans_handle *trans, + exist = list_entry(href->ref_list.prev, struct btrfs_delayed_ref_node, + list); + /* No need to compare bytenr nor is_head */ +- if (exist->type != ref->type || exist->no_quota != ref->no_quota || +- exist->seq != ref->seq) ++ if (exist->type != ref->type || exist->seq != ref->seq) + goto add_tail; + + if ((exist->type == BTRFS_TREE_BLOCK_REF_KEY || +@@ -524,7 +636,7 @@ add_delayed_tree_ref(struct btrfs_fs_info *fs_info, + struct btrfs_delayed_ref_head *head_ref, + struct btrfs_delayed_ref_node *ref, u64 bytenr, + u64 num_bytes, u64 parent, u64 ref_root, int level, +- int action, int no_quota) ++ int action) + { + struct btrfs_delayed_tree_ref *full_ref; + struct btrfs_delayed_ref_root *delayed_refs; +@@ -546,7 +658,6 @@ add_delayed_tree_ref(struct btrfs_fs_info *fs_info, + ref->action = action; + ref->is_head = 0; + ref->in_tree = 1; +- ref->no_quota = no_quota; + ref->seq = seq; + + full_ref = btrfs_delayed_node_to_tree_ref(ref); +@@ -579,7 +690,7 @@ add_delayed_data_ref(struct btrfs_fs_info *fs_info, + struct btrfs_delayed_ref_head *head_ref, + struct btrfs_delayed_ref_node *ref, u64 bytenr, + u64 num_bytes, u64 parent, u64 ref_root, u64 owner, +- u64 offset, int action, int no_quota) ++ u64 offset, int action) + { + struct btrfs_delayed_data_ref *full_ref; + struct btrfs_delayed_ref_root *delayed_refs; +@@ -602,7 +713,6 @@ add_delayed_data_ref(struct btrfs_fs_info *fs_info, + ref->action = action; + ref->is_head = 0; + ref->in_tree = 1; +- ref->no_quota = no_quota; + ref->seq = seq; + + full_ref = btrfs_delayed_node_to_data_ref(ref); +@@ -633,17 +743,13 @@ int btrfs_add_delayed_tree_ref(struct btrfs_fs_info *fs_info, + struct btrfs_trans_handle *trans, + u64 bytenr, u64 num_bytes, u64 parent, + u64 ref_root, int level, int action, +- struct btrfs_delayed_extent_op *extent_op, +- int no_quota) ++ struct btrfs_delayed_extent_op *extent_op) + { + struct btrfs_delayed_tree_ref *ref; + struct btrfs_delayed_ref_head *head_ref; + struct btrfs_delayed_ref_root *delayed_refs; + struct btrfs_qgroup_extent_record *record = NULL; + +- if (!is_fstree(ref_root) || !fs_info->quota_enabled) +- no_quota = 0; +- + BUG_ON(extent_op && extent_op->is_data); + ref = kmem_cache_alloc(btrfs_delayed_tree_ref_cachep, GFP_NOFS); + if (!ref) +@@ -672,8 +778,7 @@ int btrfs_add_delayed_tree_ref(struct btrfs_fs_info *fs_info, + bytenr, num_bytes, action, 0); + + add_delayed_tree_ref(fs_info, trans, head_ref, &ref->node, bytenr, +- num_bytes, parent, ref_root, level, action, +- no_quota); ++ num_bytes, parent, ref_root, level, action); + spin_unlock(&delayed_refs->lock); + + return 0; +@@ -694,17 +799,13 @@ int btrfs_add_delayed_data_ref(struct btrfs_fs_info *fs_info, + u64 bytenr, u64 num_bytes, + u64 parent, u64 ref_root, + u64 owner, u64 offset, int action, +- struct btrfs_delayed_extent_op *extent_op, +- int no_quota) ++ struct btrfs_delayed_extent_op *extent_op) + { + struct btrfs_delayed_data_ref *ref; + struct btrfs_delayed_ref_head *head_ref; + struct btrfs_delayed_ref_root *delayed_refs; + struct btrfs_qgroup_extent_record *record = NULL; + +- if (!is_fstree(ref_root) || !fs_info->quota_enabled) +- no_quota = 0; +- + BUG_ON(extent_op && !extent_op->is_data); + ref = kmem_cache_alloc(btrfs_delayed_data_ref_cachep, GFP_NOFS); + if (!ref) +@@ -740,7 +841,7 @@ int btrfs_add_delayed_data_ref(struct btrfs_fs_info *fs_info, + + add_delayed_data_ref(fs_info, trans, head_ref, &ref->node, bytenr, + num_bytes, parent, ref_root, owner, offset, +- action, no_quota); ++ action); + spin_unlock(&delayed_refs->lock); + + return 0; +diff --git a/fs/btrfs/delayed-ref.h b/fs/btrfs/delayed-ref.h +index 13fb5e6090fe..930887a4275f 100644 +--- a/fs/btrfs/delayed-ref.h ++++ b/fs/btrfs/delayed-ref.h +@@ -68,7 +68,6 @@ struct btrfs_delayed_ref_node { + + unsigned int action:8; + unsigned int type:8; +- unsigned int no_quota:1; + /* is this node still in the rbtree? */ + unsigned int is_head:1; + unsigned int in_tree:1; +@@ -233,15 +232,13 @@ int btrfs_add_delayed_tree_ref(struct btrfs_fs_info *fs_info, + struct btrfs_trans_handle *trans, + u64 bytenr, u64 num_bytes, u64 parent, + u64 ref_root, int level, int action, +- struct btrfs_delayed_extent_op *extent_op, +- int no_quota); ++ struct btrfs_delayed_extent_op *extent_op); + int btrfs_add_delayed_data_ref(struct btrfs_fs_info *fs_info, + struct btrfs_trans_handle *trans, + u64 bytenr, u64 num_bytes, + u64 parent, u64 ref_root, + u64 owner, u64 offset, int action, +- struct btrfs_delayed_extent_op *extent_op, +- int no_quota); ++ struct btrfs_delayed_extent_op *extent_op); + int btrfs_add_delayed_extent_op(struct btrfs_fs_info *fs_info, + struct btrfs_trans_handle *trans, + u64 bytenr, u64 num_bytes, +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 07204bf601ed..5d870c4eac05 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -95,8 +95,7 @@ static int alloc_reserved_tree_block(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + u64 parent, u64 root_objectid, + u64 flags, struct btrfs_disk_key *key, +- int level, struct btrfs_key *ins, +- int no_quota); ++ int level, struct btrfs_key *ins); + static int do_chunk_alloc(struct btrfs_trans_handle *trans, + struct btrfs_root *extent_root, u64 flags, + int force); +@@ -1941,8 +1940,7 @@ int btrfs_discard_extent(struct btrfs_root *root, u64 bytenr, + int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + u64 bytenr, u64 num_bytes, u64 parent, +- u64 root_objectid, u64 owner, u64 offset, +- int no_quota) ++ u64 root_objectid, u64 owner, u64 offset) + { + int ret; + struct btrfs_fs_info *fs_info = root->fs_info; +@@ -1954,12 +1952,12 @@ int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans, + ret = btrfs_add_delayed_tree_ref(fs_info, trans, bytenr, + num_bytes, + parent, root_objectid, (int)owner, +- BTRFS_ADD_DELAYED_REF, NULL, no_quota); ++ BTRFS_ADD_DELAYED_REF, NULL); + } else { + ret = btrfs_add_delayed_data_ref(fs_info, trans, bytenr, + num_bytes, + parent, root_objectid, owner, offset, +- BTRFS_ADD_DELAYED_REF, NULL, no_quota); ++ BTRFS_ADD_DELAYED_REF, NULL); + } + return ret; + } +@@ -1980,15 +1978,11 @@ static int __btrfs_inc_extent_ref(struct btrfs_trans_handle *trans, + u64 num_bytes = node->num_bytes; + u64 refs; + int ret; +- int no_quota = node->no_quota; + + path = btrfs_alloc_path(); + if (!path) + return -ENOMEM; + +- if (!is_fstree(root_objectid) || !root->fs_info->quota_enabled) +- no_quota = 1; +- + path->reada = 1; + path->leave_spinning = 1; + /* this will setup the path even if it fails to insert the back ref */ +@@ -2223,8 +2217,7 @@ static int run_delayed_tree_ref(struct btrfs_trans_handle *trans, + parent, ref_root, + extent_op->flags_to_set, + &extent_op->key, +- ref->level, &ins, +- node->no_quota); ++ ref->level, &ins); + } else if (node->action == BTRFS_ADD_DELAYED_REF) { + ret = __btrfs_inc_extent_ref(trans, root, node, + parent, ref_root, +@@ -2365,7 +2358,21 @@ static noinline int __btrfs_run_delayed_refs(struct btrfs_trans_handle *trans, + } + } + ++ /* ++ * We need to try and merge add/drops of the same ref since we ++ * can run into issues with relocate dropping the implicit ref ++ * and then it being added back again before the drop can ++ * finish. If we merged anything we need to re-loop so we can ++ * get a good ref. ++ * Or we can get node references of the same type that weren't ++ * merged when created due to bumps in the tree mod seq, and ++ * we need to merge them to prevent adding an inline extent ++ * backref before dropping it (triggering a BUG_ON at ++ * insert_inline_extent_backref()). ++ */ + spin_lock(&locked_ref->lock); ++ btrfs_merge_delayed_refs(trans, fs_info, delayed_refs, ++ locked_ref); + + /* + * locked_ref is the head node, so we have to go one +@@ -3038,7 +3045,7 @@ static int __btrfs_mod_ref(struct btrfs_trans_handle *trans, + int level; + int ret = 0; + int (*process_func)(struct btrfs_trans_handle *, struct btrfs_root *, +- u64, u64, u64, u64, u64, u64, int); ++ u64, u64, u64, u64, u64, u64); + + + if (btrfs_test_is_dummy_root(root)) +@@ -3079,15 +3086,14 @@ static int __btrfs_mod_ref(struct btrfs_trans_handle *trans, + key.offset -= btrfs_file_extent_offset(buf, fi); + ret = process_func(trans, root, bytenr, num_bytes, + parent, ref_root, key.objectid, +- key.offset, 1); ++ key.offset); + if (ret) + goto fail; + } else { + bytenr = btrfs_node_blockptr(buf, i); + num_bytes = root->nodesize; + ret = process_func(trans, root, bytenr, num_bytes, +- parent, ref_root, level - 1, 0, +- 1); ++ parent, ref_root, level - 1, 0); + if (ret) + goto fail; + } +@@ -6137,7 +6143,6 @@ static int __btrfs_free_extent(struct btrfs_trans_handle *trans, + int extent_slot = 0; + int found_extent = 0; + int num_to_del = 1; +- int no_quota = node->no_quota; + u32 item_size; + u64 refs; + u64 bytenr = node->bytenr; +@@ -6146,9 +6151,6 @@ static int __btrfs_free_extent(struct btrfs_trans_handle *trans, + bool skinny_metadata = btrfs_fs_incompat(root->fs_info, + SKINNY_METADATA); + +- if (!info->quota_enabled || !is_fstree(root_objectid)) +- no_quota = 1; +- + path = btrfs_alloc_path(); + if (!path) + return -ENOMEM; +@@ -6474,7 +6476,7 @@ void btrfs_free_tree_block(struct btrfs_trans_handle *trans, + buf->start, buf->len, + parent, root->root_key.objectid, + btrfs_header_level(buf), +- BTRFS_DROP_DELAYED_REF, NULL, 0); ++ BTRFS_DROP_DELAYED_REF, NULL); + BUG_ON(ret); /* -ENOMEM */ + } + +@@ -6522,7 +6524,7 @@ out: + /* Can return -ENOMEM */ + int btrfs_free_extent(struct btrfs_trans_handle *trans, struct btrfs_root *root, + u64 bytenr, u64 num_bytes, u64 parent, u64 root_objectid, +- u64 owner, u64 offset, int no_quota) ++ u64 owner, u64 offset) + { + int ret; + struct btrfs_fs_info *fs_info = root->fs_info; +@@ -6545,13 +6547,13 @@ int btrfs_free_extent(struct btrfs_trans_handle *trans, struct btrfs_root *root, + ret = btrfs_add_delayed_tree_ref(fs_info, trans, bytenr, + num_bytes, + parent, root_objectid, (int)owner, +- BTRFS_DROP_DELAYED_REF, NULL, no_quota); ++ BTRFS_DROP_DELAYED_REF, NULL); + } else { + ret = btrfs_add_delayed_data_ref(fs_info, trans, bytenr, + num_bytes, + parent, root_objectid, owner, + offset, BTRFS_DROP_DELAYED_REF, +- NULL, no_quota); ++ NULL); + } + return ret; + } +@@ -7333,8 +7335,7 @@ static int alloc_reserved_tree_block(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + u64 parent, u64 root_objectid, + u64 flags, struct btrfs_disk_key *key, +- int level, struct btrfs_key *ins, +- int no_quota) ++ int level, struct btrfs_key *ins) + { + int ret; + struct btrfs_fs_info *fs_info = root->fs_info; +@@ -7424,7 +7425,7 @@ int btrfs_alloc_reserved_file_extent(struct btrfs_trans_handle *trans, + ret = btrfs_add_delayed_data_ref(root->fs_info, trans, ins->objectid, + ins->offset, 0, + root_objectid, owner, offset, +- BTRFS_ADD_DELAYED_EXTENT, NULL, 0); ++ BTRFS_ADD_DELAYED_EXTENT, NULL); + return ret; + } + +@@ -7641,7 +7642,7 @@ struct extent_buffer *btrfs_alloc_tree_block(struct btrfs_trans_handle *trans, + ins.objectid, ins.offset, + parent, root_objectid, level, + BTRFS_ADD_DELAYED_EXTENT, +- extent_op, 0); ++ extent_op); + if (ret) + goto out_free_delayed; + } +@@ -8189,7 +8190,7 @@ skip: + } + } + ret = btrfs_free_extent(trans, root, bytenr, blocksize, parent, +- root->root_key.objectid, level - 1, 0, 0); ++ root->root_key.objectid, level - 1, 0); + BUG_ON(ret); /* -ENOMEM */ + } + btrfs_tree_unlock(next); +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index b823fac91c92..5e314856a58c 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -756,8 +756,16 @@ next_slot: + } + + btrfs_item_key_to_cpu(leaf, &key, path->slots[0]); +- if (key.objectid > ino || +- key.type > BTRFS_EXTENT_DATA_KEY || key.offset >= end) ++ ++ if (key.objectid > ino) ++ break; ++ if (WARN_ON_ONCE(key.objectid < ino) || ++ key.type < BTRFS_EXTENT_DATA_KEY) { ++ ASSERT(del_nr == 0); ++ path->slots[0]++; ++ goto next_slot; ++ } ++ if (key.type > BTRFS_EXTENT_DATA_KEY || key.offset >= end) + break; + + fi = btrfs_item_ptr(leaf, path->slots[0], +@@ -776,8 +784,8 @@ next_slot: + btrfs_file_extent_inline_len(leaf, + path->slots[0], fi); + } else { +- WARN_ON(1); +- extent_end = search_start; ++ /* can't happen */ ++ BUG(); + } + + /* +@@ -847,7 +855,7 @@ next_slot: + disk_bytenr, num_bytes, 0, + root->root_key.objectid, + new_key.objectid, +- start - extent_offset, 1); ++ start - extent_offset); + BUG_ON(ret); /* -ENOMEM */ + } + key.offset = start; +@@ -925,7 +933,7 @@ delete_extent_item: + disk_bytenr, num_bytes, 0, + root->root_key.objectid, + key.objectid, key.offset - +- extent_offset, 0); ++ extent_offset); + BUG_ON(ret); /* -ENOMEM */ + inode_sub_bytes(inode, + extent_end - key.offset); +@@ -1204,7 +1212,7 @@ again: + + ret = btrfs_inc_extent_ref(trans, root, bytenr, num_bytes, 0, + root->root_key.objectid, +- ino, orig_offset, 1); ++ ino, orig_offset); + BUG_ON(ret); /* -ENOMEM */ + + if (split == start) { +@@ -1231,7 +1239,7 @@ again: + del_nr++; + ret = btrfs_free_extent(trans, root, bytenr, num_bytes, + 0, root->root_key.objectid, +- ino, orig_offset, 0); ++ ino, orig_offset); + BUG_ON(ret); /* -ENOMEM */ + } + other_start = 0; +@@ -1248,7 +1256,7 @@ again: + del_nr++; + ret = btrfs_free_extent(trans, root, bytenr, num_bytes, + 0, root->root_key.objectid, +- ino, orig_offset, 0); ++ ino, orig_offset); + BUG_ON(ret); /* -ENOMEM */ + } + if (del_nr == 0) { +@@ -1868,8 +1876,13 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync) + struct btrfs_log_ctx ctx; + int ret = 0; + bool full_sync = 0; +- const u64 len = end - start + 1; ++ u64 len; + ++ /* ++ * The range length can be represented by u64, we have to do the typecasts ++ * to avoid signed overflow if it's [0, LLONG_MAX] eg. from fsync() ++ */ ++ len = (u64)end - (u64)start + 1; + trace_btrfs_sync_file(file, datasync); + + /* +@@ -2057,8 +2070,7 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync) + } + } + if (!full_sync) { +- ret = btrfs_wait_ordered_range(inode, start, +- end - start + 1); ++ ret = btrfs_wait_ordered_range(inode, start, len); + if (ret) { + btrfs_end_transaction(trans, root); + goto out; +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index b54e63038b96..9aabff2102f8 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1294,8 +1294,14 @@ next_slot: + num_bytes = 0; + btrfs_item_key_to_cpu(leaf, &found_key, path->slots[0]); + +- if (found_key.objectid > ino || +- found_key.type > BTRFS_EXTENT_DATA_KEY || ++ if (found_key.objectid > ino) ++ break; ++ if (WARN_ON_ONCE(found_key.objectid < ino) || ++ found_key.type < BTRFS_EXTENT_DATA_KEY) { ++ path->slots[0]++; ++ goto next_slot; ++ } ++ if (found_key.type > BTRFS_EXTENT_DATA_KEY || + found_key.offset > end) + break; + +@@ -2569,7 +2575,7 @@ again: + ret = btrfs_inc_extent_ref(trans, root, new->bytenr, + new->disk_len, 0, + backref->root_id, backref->inum, +- new->file_pos, 0); /* start - extent_offset */ ++ new->file_pos); /* start - extent_offset */ + if (ret) { + btrfs_abort_transaction(trans, root, ret); + goto out_free_path; +@@ -4184,6 +4190,47 @@ static int truncate_space_check(struct btrfs_trans_handle *trans, + + } + ++static int truncate_inline_extent(struct inode *inode, ++ struct btrfs_path *path, ++ struct btrfs_key *found_key, ++ const u64 item_end, ++ const u64 new_size) ++{ ++ struct extent_buffer *leaf = path->nodes[0]; ++ int slot = path->slots[0]; ++ struct btrfs_file_extent_item *fi; ++ u32 size = (u32)(new_size - found_key->offset); ++ struct btrfs_root *root = BTRFS_I(inode)->root; ++ ++ fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item); ++ ++ if (btrfs_file_extent_compression(leaf, fi) != BTRFS_COMPRESS_NONE) { ++ loff_t offset = new_size; ++ loff_t page_end = ALIGN(offset, PAGE_CACHE_SIZE); ++ ++ /* ++ * Zero out the remaining of the last page of our inline extent, ++ * instead of directly truncating our inline extent here - that ++ * would be much more complex (decompressing all the data, then ++ * compressing the truncated data, which might be bigger than ++ * the size of the inline extent, resize the extent, etc). ++ * We release the path because to get the page we might need to ++ * read the extent item from disk (data not in the page cache). ++ */ ++ btrfs_release_path(path); ++ return btrfs_truncate_page(inode, offset, page_end - offset, 0); ++ } ++ ++ btrfs_set_file_extent_ram_bytes(leaf, fi, size); ++ size = btrfs_file_extent_calc_inline_size(size); ++ btrfs_truncate_item(root, path, size, 1); ++ ++ if (test_bit(BTRFS_ROOT_REF_COWS, &root->state)) ++ inode_sub_bytes(inode, item_end + 1 - new_size); ++ ++ return 0; ++} ++ + /* + * this can truncate away extent items, csum items and directory items. + * It starts at a high offset and removes keys until it can't find +@@ -4378,27 +4425,40 @@ search_again: + * special encodings + */ + if (!del_item && +- btrfs_file_extent_compression(leaf, fi) == 0 && + btrfs_file_extent_encryption(leaf, fi) == 0 && + btrfs_file_extent_other_encoding(leaf, fi) == 0) { +- u32 size = new_size - found_key.offset; +- +- if (test_bit(BTRFS_ROOT_REF_COWS, &root->state)) +- inode_sub_bytes(inode, item_end + 1 - +- new_size); + + /* +- * update the ram bytes to properly reflect +- * the new size of our item ++ * Need to release path in order to truncate a ++ * compressed extent. So delete any accumulated ++ * extent items so far. + */ +- btrfs_set_file_extent_ram_bytes(leaf, fi, size); +- size = +- btrfs_file_extent_calc_inline_size(size); +- btrfs_truncate_item(root, path, size, 1); ++ if (btrfs_file_extent_compression(leaf, fi) != ++ BTRFS_COMPRESS_NONE && pending_del_nr) { ++ err = btrfs_del_items(trans, root, path, ++ pending_del_slot, ++ pending_del_nr); ++ if (err) { ++ btrfs_abort_transaction(trans, ++ root, ++ err); ++ goto error; ++ } ++ pending_del_nr = 0; ++ } ++ ++ err = truncate_inline_extent(inode, path, ++ &found_key, ++ item_end, ++ new_size); ++ if (err) { ++ btrfs_abort_transaction(trans, ++ root, err); ++ goto error; ++ } + } else if (test_bit(BTRFS_ROOT_REF_COWS, + &root->state)) { +- inode_sub_bytes(inode, item_end + 1 - +- found_key.offset); ++ inode_sub_bytes(inode, item_end + 1 - new_size); + } + } + delete: +@@ -4428,7 +4488,7 @@ delete: + ret = btrfs_free_extent(trans, root, extent_start, + extent_num_bytes, 0, + btrfs_header_owner(leaf), +- ino, extent_offset, 0); ++ ino, extent_offset); + BUG_ON(ret); + if (btrfs_should_throttle_delayed_refs(trans, root)) + btrfs_async_run_delayed_refs(root, +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 641d3dc4f31e..be4e53c61dd9 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3195,41 +3195,6 @@ out: + return ret; + } + +-/* Helper to check and see if this root currently has a ref on the given disk +- * bytenr. If it does then we need to update the quota for this root. This +- * doesn't do anything if quotas aren't enabled. +- */ +-static int check_ref(struct btrfs_trans_handle *trans, struct btrfs_root *root, +- u64 disko) +-{ +- struct seq_list tree_mod_seq_elem = SEQ_LIST_INIT(tree_mod_seq_elem); +- struct ulist *roots; +- struct ulist_iterator uiter; +- struct ulist_node *root_node = NULL; +- int ret; +- +- if (!root->fs_info->quota_enabled) +- return 1; +- +- btrfs_get_tree_mod_seq(root->fs_info, &tree_mod_seq_elem); +- ret = btrfs_find_all_roots(trans, root->fs_info, disko, +- tree_mod_seq_elem.seq, &roots); +- if (ret < 0) +- goto out; +- ret = 0; +- ULIST_ITER_INIT(&uiter); +- while ((root_node = ulist_next(roots, &uiter))) { +- if (root_node->val == root->objectid) { +- ret = 1; +- break; +- } +- } +- ulist_free(roots); +-out: +- btrfs_put_tree_mod_seq(root->fs_info, &tree_mod_seq_elem); +- return ret; +-} +- + static int clone_finish_inode_update(struct btrfs_trans_handle *trans, + struct inode *inode, + u64 endoff, +@@ -3320,6 +3285,150 @@ static void clone_update_extent_map(struct inode *inode, + &BTRFS_I(inode)->runtime_flags); + } + ++/* ++ * Make sure we do not end up inserting an inline extent into a file that has ++ * already other (non-inline) extents. If a file has an inline extent it can ++ * not have any other extents and the (single) inline extent must start at the ++ * file offset 0. Failing to respect these rules will lead to file corruption, ++ * resulting in EIO errors on read/write operations, hitting BUG_ON's in mm, etc ++ * ++ * We can have extents that have been already written to disk or we can have ++ * dirty ranges still in delalloc, in which case the extent maps and items are ++ * created only when we run delalloc, and the delalloc ranges might fall outside ++ * the range we are currently locking in the inode's io tree. So we check the ++ * inode's i_size because of that (i_size updates are done while holding the ++ * i_mutex, which we are holding here). ++ * We also check to see if the inode has a size not greater than "datal" but has ++ * extents beyond it, due to an fallocate with FALLOC_FL_KEEP_SIZE (and we are ++ * protected against such concurrent fallocate calls by the i_mutex). ++ * ++ * If the file has no extents but a size greater than datal, do not allow the ++ * copy because we would need turn the inline extent into a non-inline one (even ++ * with NO_HOLES enabled). If we find our destination inode only has one inline ++ * extent, just overwrite it with the source inline extent if its size is less ++ * than the source extent's size, or we could copy the source inline extent's ++ * data into the destination inode's inline extent if the later is greater then ++ * the former. ++ */ ++static int clone_copy_inline_extent(struct inode *src, ++ struct inode *dst, ++ struct btrfs_trans_handle *trans, ++ struct btrfs_path *path, ++ struct btrfs_key *new_key, ++ const u64 drop_start, ++ const u64 datal, ++ const u64 skip, ++ const u64 size, ++ char *inline_data) ++{ ++ struct btrfs_root *root = BTRFS_I(dst)->root; ++ const u64 aligned_end = ALIGN(new_key->offset + datal, ++ root->sectorsize); ++ int ret; ++ struct btrfs_key key; ++ ++ if (new_key->offset > 0) ++ return -EOPNOTSUPP; ++ ++ key.objectid = btrfs_ino(dst); ++ key.type = BTRFS_EXTENT_DATA_KEY; ++ key.offset = 0; ++ ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); ++ if (ret < 0) { ++ return ret; ++ } else if (ret > 0) { ++ if (path->slots[0] >= btrfs_header_nritems(path->nodes[0])) { ++ ret = btrfs_next_leaf(root, path); ++ if (ret < 0) ++ return ret; ++ else if (ret > 0) ++ goto copy_inline_extent; ++ } ++ btrfs_item_key_to_cpu(path->nodes[0], &key, path->slots[0]); ++ if (key.objectid == btrfs_ino(dst) && ++ key.type == BTRFS_EXTENT_DATA_KEY) { ++ ASSERT(key.offset > 0); ++ return -EOPNOTSUPP; ++ } ++ } else if (i_size_read(dst) <= datal) { ++ struct btrfs_file_extent_item *ei; ++ u64 ext_len; ++ ++ /* ++ * If the file size is <= datal, make sure there are no other ++ * extents following (can happen do to an fallocate call with ++ * the flag FALLOC_FL_KEEP_SIZE). ++ */ ++ ei = btrfs_item_ptr(path->nodes[0], path->slots[0], ++ struct btrfs_file_extent_item); ++ /* ++ * If it's an inline extent, it can not have other extents ++ * following it. ++ */ ++ if (btrfs_file_extent_type(path->nodes[0], ei) == ++ BTRFS_FILE_EXTENT_INLINE) ++ goto copy_inline_extent; ++ ++ ext_len = btrfs_file_extent_num_bytes(path->nodes[0], ei); ++ if (ext_len > aligned_end) ++ return -EOPNOTSUPP; ++ ++ ret = btrfs_next_item(root, path); ++ if (ret < 0) { ++ return ret; ++ } else if (ret == 0) { ++ btrfs_item_key_to_cpu(path->nodes[0], &key, ++ path->slots[0]); ++ if (key.objectid == btrfs_ino(dst) && ++ key.type == BTRFS_EXTENT_DATA_KEY) ++ return -EOPNOTSUPP; ++ } ++ } ++ ++copy_inline_extent: ++ /* ++ * We have no extent items, or we have an extent at offset 0 which may ++ * or may not be inlined. All these cases are dealt the same way. ++ */ ++ if (i_size_read(dst) > datal) { ++ /* ++ * If the destination inode has an inline extent... ++ * This would require copying the data from the source inline ++ * extent into the beginning of the destination's inline extent. ++ * But this is really complex, both extents can be compressed ++ * or just one of them, which would require decompressing and ++ * re-compressing data (which could increase the new compressed ++ * size, not allowing the compressed data to fit anymore in an ++ * inline extent). ++ * So just don't support this case for now (it should be rare, ++ * we are not really saving space when cloning inline extents). ++ */ ++ return -EOPNOTSUPP; ++ } ++ ++ btrfs_release_path(path); ++ ret = btrfs_drop_extents(trans, root, dst, drop_start, aligned_end, 1); ++ if (ret) ++ return ret; ++ ret = btrfs_insert_empty_item(trans, root, path, new_key, size); ++ if (ret) ++ return ret; ++ ++ if (skip) { ++ const u32 start = btrfs_file_extent_calc_inline_size(0); ++ ++ memmove(inline_data + start, inline_data + start + skip, datal); ++ } ++ ++ write_extent_buffer(path->nodes[0], inline_data, ++ btrfs_item_ptr_offset(path->nodes[0], ++ path->slots[0]), ++ size); ++ inode_add_bytes(dst, datal); ++ ++ return 0; ++} ++ + /** + * btrfs_clone() - clone a range from inode file to another + * +@@ -3344,9 +3453,7 @@ static int btrfs_clone(struct inode *src, struct inode *inode, + u32 nritems; + int slot; + int ret; +- int no_quota; + const u64 len = olen_aligned; +- u64 last_disko = 0; + u64 last_dest_end = destoff; + + ret = -ENOMEM; +@@ -3392,7 +3499,6 @@ static int btrfs_clone(struct inode *src, struct inode *inode, + + nritems = btrfs_header_nritems(path->nodes[0]); + process_slot: +- no_quota = 1; + if (path->slots[0] >= nritems) { + ret = btrfs_next_leaf(BTRFS_I(src)->root, path); + if (ret < 0) +@@ -3544,35 +3650,13 @@ process_slot: + btrfs_set_file_extent_num_bytes(leaf, extent, + datal); + +- /* +- * We need to look up the roots that point at +- * this bytenr and see if the new root does. If +- * it does not we need to make sure we update +- * quotas appropriately. +- */ +- if (disko && root != BTRFS_I(src)->root && +- disko != last_disko) { +- no_quota = check_ref(trans, root, +- disko); +- if (no_quota < 0) { +- btrfs_abort_transaction(trans, +- root, +- ret); +- btrfs_end_transaction(trans, +- root); +- ret = no_quota; +- goto out; +- } +- } +- + if (disko) { + inode_add_bytes(inode, datal); + ret = btrfs_inc_extent_ref(trans, root, + disko, diskl, 0, + root->root_key.objectid, + btrfs_ino(inode), +- new_key.offset - datao, +- no_quota); ++ new_key.offset - datao); + if (ret) { + btrfs_abort_transaction(trans, + root, +@@ -3586,21 +3670,6 @@ process_slot: + } else if (type == BTRFS_FILE_EXTENT_INLINE) { + u64 skip = 0; + u64 trim = 0; +- u64 aligned_end = 0; +- +- /* +- * Don't copy an inline extent into an offset +- * greater than zero. Having an inline extent +- * at such an offset results in chaos as btrfs +- * isn't prepared for such cases. Just skip +- * this case for the same reasons as commented +- * at btrfs_ioctl_clone(). +- */ +- if (last_dest_end > 0) { +- ret = -EOPNOTSUPP; +- btrfs_end_transaction(trans, root); +- goto out; +- } + + if (off > key.offset) { + skip = off - key.offset; +@@ -3618,42 +3687,22 @@ process_slot: + size -= skip + trim; + datal -= skip + trim; + +- aligned_end = ALIGN(new_key.offset + datal, +- root->sectorsize); +- ret = btrfs_drop_extents(trans, root, inode, +- drop_start, +- aligned_end, +- 1); ++ ret = clone_copy_inline_extent(src, inode, ++ trans, path, ++ &new_key, ++ drop_start, ++ datal, ++ skip, size, buf); + if (ret) { + if (ret != -EOPNOTSUPP) + btrfs_abort_transaction(trans, +- root, ret); +- btrfs_end_transaction(trans, root); +- goto out; +- } +- +- ret = btrfs_insert_empty_item(trans, root, path, +- &new_key, size); +- if (ret) { +- btrfs_abort_transaction(trans, root, +- ret); ++ root, ++ ret); + btrfs_end_transaction(trans, root); + goto out; + } +- +- if (skip) { +- u32 start = +- btrfs_file_extent_calc_inline_size(0); +- memmove(buf+start, buf+start+skip, +- datal); +- } +- + leaf = path->nodes[0]; + slot = path->slots[0]; +- write_extent_buffer(leaf, buf, +- btrfs_item_ptr_offset(leaf, slot), +- size); +- inode_add_bytes(inode, datal); + } + + /* If we have an implicit hole (NO_HOLES feature). */ +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 88cbb5995667..3a828a33cd67 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -1716,7 +1716,7 @@ int replace_file_extents(struct btrfs_trans_handle *trans, + ret = btrfs_inc_extent_ref(trans, root, new_bytenr, + num_bytes, parent, + btrfs_header_owner(leaf), +- key.objectid, key.offset, 1); ++ key.objectid, key.offset); + if (ret) { + btrfs_abort_transaction(trans, root, ret); + break; +@@ -1724,7 +1724,7 @@ int replace_file_extents(struct btrfs_trans_handle *trans, + + ret = btrfs_free_extent(trans, root, bytenr, num_bytes, + parent, btrfs_header_owner(leaf), +- key.objectid, key.offset, 1); ++ key.objectid, key.offset); + if (ret) { + btrfs_abort_transaction(trans, root, ret); + break; +@@ -1900,23 +1900,21 @@ again: + + ret = btrfs_inc_extent_ref(trans, src, old_bytenr, blocksize, + path->nodes[level]->start, +- src->root_key.objectid, level - 1, 0, +- 1); ++ src->root_key.objectid, level - 1, 0); + BUG_ON(ret); + ret = btrfs_inc_extent_ref(trans, dest, new_bytenr, blocksize, + 0, dest->root_key.objectid, level - 1, +- 0, 1); ++ 0); + BUG_ON(ret); + + ret = btrfs_free_extent(trans, src, new_bytenr, blocksize, + path->nodes[level]->start, +- src->root_key.objectid, level - 1, 0, +- 1); ++ src->root_key.objectid, level - 1, 0); + BUG_ON(ret); + + ret = btrfs_free_extent(trans, dest, old_bytenr, blocksize, + 0, dest->root_key.objectid, level - 1, +- 0, 1); ++ 0); + BUG_ON(ret); + + btrfs_unlock_up_safe(path, 0); +@@ -2746,7 +2744,7 @@ static int do_relocation(struct btrfs_trans_handle *trans, + node->eb->start, blocksize, + upper->eb->start, + btrfs_header_owner(upper->eb), +- node->level, 0, 1); ++ node->level, 0); + BUG_ON(ret); + + ret = btrfs_drop_subtree(trans, root, eb, upper->eb); +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index aa72bfd28f7d..890933b61267 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -2351,8 +2351,14 @@ static int send_subvol_begin(struct send_ctx *sctx) + } + + TLV_PUT_STRING(sctx, BTRFS_SEND_A_PATH, name, namelen); +- TLV_PUT_UUID(sctx, BTRFS_SEND_A_UUID, +- sctx->send_root->root_item.uuid); ++ ++ if (!btrfs_is_empty_uuid(sctx->send_root->root_item.received_uuid)) ++ TLV_PUT_UUID(sctx, BTRFS_SEND_A_UUID, ++ sctx->send_root->root_item.received_uuid); ++ else ++ TLV_PUT_UUID(sctx, BTRFS_SEND_A_UUID, ++ sctx->send_root->root_item.uuid); ++ + TLV_PUT_U64(sctx, BTRFS_SEND_A_CTRANSID, + le64_to_cpu(sctx->send_root->root_item.ctransid)); + if (parent_root) { +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 9c45431e69ab..7639695075dd 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -700,7 +700,7 @@ static noinline int replay_one_extent(struct btrfs_trans_handle *trans, + ret = btrfs_inc_extent_ref(trans, root, + ins.objectid, ins.offset, + 0, root->root_key.objectid, +- key->objectid, offset, 0); ++ key->objectid, offset); + if (ret) + goto out; + } else { +diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c +index 6f518c90e1c1..1fcd7b6e7564 100644 +--- a/fs/btrfs/xattr.c ++++ b/fs/btrfs/xattr.c +@@ -313,8 +313,10 @@ ssize_t btrfs_listxattr(struct dentry *dentry, char *buffer, size_t size) + /* check to make sure this item is what we want */ + if (found_key.objectid != key.objectid) + break; +- if (found_key.type != BTRFS_XATTR_ITEM_KEY) ++ if (found_key.type > BTRFS_XATTR_ITEM_KEY) + break; ++ if (found_key.type < BTRFS_XATTR_ITEM_KEY) ++ goto next; + + di = btrfs_item_ptr(leaf, slot, struct btrfs_dir_item); + if (verify_dir_item(root, leaf, di)) +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index 6aa07af67603..df45a818c570 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -1935,7 +1935,7 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc, + + len = sizeof(*head) + + pathlen1 + pathlen2 + 2*(1 + sizeof(u32) + sizeof(u64)) + +- sizeof(struct timespec); ++ sizeof(struct ceph_timespec); + + /* calculate (max) length for cap releases */ + len += sizeof(struct ceph_mds_request_release) * +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c +index c711be8d6a3c..9c8d23316da1 100644 +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -271,8 +271,12 @@ static struct dentry *start_creating(const char *name, struct dentry *parent) + dput(dentry); + dentry = ERR_PTR(-EEXIST); + } +- if (IS_ERR(dentry)) ++ ++ if (IS_ERR(dentry)) { + mutex_unlock(&d_inode(parent)->i_mutex); ++ simple_release_fs(&debugfs_mount, &debugfs_mount_count); ++ } ++ + return dentry; + } + +diff --git a/fs/ext4/crypto.c b/fs/ext4/crypto.c +index 45731558138c..54a5169327a3 100644 +--- a/fs/ext4/crypto.c ++++ b/fs/ext4/crypto.c +@@ -296,7 +296,6 @@ static int ext4_page_crypto(struct ext4_crypto_ctx *ctx, + else + res = crypto_ablkcipher_encrypt(req); + if (res == -EINPROGRESS || res == -EBUSY) { +- BUG_ON(req->base.data != &ecr); + wait_for_completion(&ecr.completion); + res = ecr.res; + } +diff --git a/fs/ext4/crypto_fname.c b/fs/ext4/crypto_fname.c +index 7dc4eb55913c..f9d53c2bd756 100644 +--- a/fs/ext4/crypto_fname.c ++++ b/fs/ext4/crypto_fname.c +@@ -121,7 +121,6 @@ static int ext4_fname_encrypt(struct inode *inode, + ablkcipher_request_set_crypt(req, &src_sg, &dst_sg, ciphertext_len, iv); + res = crypto_ablkcipher_encrypt(req); + if (res == -EINPROGRESS || res == -EBUSY) { +- BUG_ON(req->base.data != &ecr); + wait_for_completion(&ecr.completion); + res = ecr.res; + } +@@ -183,7 +182,6 @@ static int ext4_fname_decrypt(struct inode *inode, + ablkcipher_request_set_crypt(req, &src_sg, &dst_sg, iname->len, iv); + res = crypto_ablkcipher_decrypt(req); + if (res == -EINPROGRESS || res == -EBUSY) { +- BUG_ON(req->base.data != &ecr); + wait_for_completion(&ecr.completion); + res = ecr.res; + } +diff --git a/fs/ext4/crypto_key.c b/fs/ext4/crypto_key.c +index 442d24e8efc0..9bad1132ac8f 100644 +--- a/fs/ext4/crypto_key.c ++++ b/fs/ext4/crypto_key.c +@@ -71,7 +71,6 @@ static int ext4_derive_key_aes(char deriving_key[EXT4_AES_128_ECB_KEY_SIZE], + EXT4_AES_256_XTS_KEY_SIZE, NULL); + res = crypto_ablkcipher_encrypt(req); + if (res == -EINPROGRESS || res == -EBUSY) { +- BUG_ON(req->base.data != &ecr); + wait_for_completion(&ecr.completion); + res = ecr.res; + } +@@ -208,7 +207,12 @@ retry: + goto out; + } + crypt_info->ci_keyring_key = keyring_key; +- BUG_ON(keyring_key->type != &key_type_logon); ++ if (keyring_key->type != &key_type_logon) { ++ printk_once(KERN_WARNING ++ "ext4: key type must be logon\n"); ++ res = -ENOKEY; ++ goto out; ++ } + ukp = ((struct user_key_payload *)keyring_key->payload.data); + if (ukp->datalen != sizeof(struct ext4_encryption_key)) { + res = -EINVAL; +@@ -217,7 +221,13 @@ retry: + master_key = (struct ext4_encryption_key *)ukp->data; + BUILD_BUG_ON(EXT4_AES_128_ECB_KEY_SIZE != + EXT4_KEY_DERIVATION_NONCE_SIZE); +- BUG_ON(master_key->size != EXT4_AES_256_XTS_KEY_SIZE); ++ if (master_key->size != EXT4_AES_256_XTS_KEY_SIZE) { ++ printk_once(KERN_WARNING ++ "ext4: key size incorrect: %d\n", ++ master_key->size); ++ res = -ENOKEY; ++ goto out; ++ } + res = ext4_derive_key_aes(ctx.nonce, master_key->raw, + raw_key); + got_key: +diff --git a/fs/ext4/crypto_policy.c b/fs/ext4/crypto_policy.c +index 02c4e5df7afb..f92fa93e67f1 100644 +--- a/fs/ext4/crypto_policy.c ++++ b/fs/ext4/crypto_policy.c +@@ -137,7 +137,8 @@ int ext4_is_child_context_consistent_with_parent(struct inode *parent, + + if ((parent == NULL) || (child == NULL)) { + pr_err("parent %p child %p\n", parent, child); +- BUG_ON(1); ++ WARN_ON(1); /* Should never happen */ ++ return 0; + } + /* no restrictions if the parent directory is not encrypted */ + if (!ext4_encrypted_inode(parent)) +diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c +index d41843181818..e770c1ee4613 100644 +--- a/fs/ext4/ext4_jbd2.c ++++ b/fs/ext4/ext4_jbd2.c +@@ -88,13 +88,13 @@ int __ext4_journal_stop(const char *where, unsigned int line, handle_t *handle) + return 0; + } + ++ err = handle->h_err; + if (!handle->h_transaction) { +- err = jbd2_journal_stop(handle); +- return handle->h_err ? handle->h_err : err; ++ rc = jbd2_journal_stop(handle); ++ return err ? err : rc; + } + + sb = handle->h_transaction->t_journal->j_private; +- err = handle->h_err; + rc = jbd2_journal_stop(handle); + + if (!err) +diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c +index 5602450f03f6..89e96f99dae7 100644 +--- a/fs/ext4/page-io.c ++++ b/fs/ext4/page-io.c +@@ -425,6 +425,7 @@ int ext4_bio_write_page(struct ext4_io_submit *io, + struct buffer_head *bh, *head; + int ret = 0; + int nr_submitted = 0; ++ int nr_to_submit = 0; + + blocksize = 1 << inode->i_blkbits; + +@@ -477,11 +478,13 @@ int ext4_bio_write_page(struct ext4_io_submit *io, + unmap_underlying_metadata(bh->b_bdev, bh->b_blocknr); + } + set_buffer_async_write(bh); ++ nr_to_submit++; + } while ((bh = bh->b_this_page) != head); + + bh = head = page_buffers(page); + +- if (ext4_encrypted_inode(inode) && S_ISREG(inode->i_mode)) { ++ if (ext4_encrypted_inode(inode) && S_ISREG(inode->i_mode) && ++ nr_to_submit) { + data_page = ext4_encrypt(inode, page); + if (IS_ERR(data_page)) { + ret = PTR_ERR(data_page); +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index a5e8c744e962..bc24d1b44b8f 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -397,9 +397,13 @@ static void ext4_handle_error(struct super_block *sb) + smp_wmb(); + sb->s_flags |= MS_RDONLY; + } +- if (test_opt(sb, ERRORS_PANIC)) ++ if (test_opt(sb, ERRORS_PANIC)) { ++ if (EXT4_SB(sb)->s_journal && ++ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR)) ++ return; + panic("EXT4-fs (device %s): panic forced after error\n", + sb->s_id); ++ } + } + + #define ext4_error_ratelimit(sb) \ +@@ -588,8 +592,12 @@ void __ext4_abort(struct super_block *sb, const char *function, + jbd2_journal_abort(EXT4_SB(sb)->s_journal, -EIO); + save_error_info(sb, function, line); + } +- if (test_opt(sb, ERRORS_PANIC)) ++ if (test_opt(sb, ERRORS_PANIC)) { ++ if (EXT4_SB(sb)->s_journal && ++ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR)) ++ return; + panic("EXT4-fs panic from previous error\n"); ++ } + } + + void __ext4_msg(struct super_block *sb, +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index 2721513adb1f..fd2787a39b87 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -2071,8 +2071,12 @@ static void __journal_abort_soft (journal_t *journal, int errno) + + __jbd2_journal_abort_hard(journal); + +- if (errno) ++ if (errno) { + jbd2_journal_update_sb_errno(journal); ++ write_lock(&journal->j_state_lock); ++ journal->j_flags |= JBD2_REC_ERR; ++ write_unlock(&journal->j_state_lock); ++ } + } + + /** +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 4afbe13321cb..f27cc76ed5e6 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -1816,7 +1816,11 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr) + if ((long)fattr->gencount - (long)nfsi->attr_gencount > 0) + nfsi->attr_gencount = fattr->gencount; + } +- invalid &= ~NFS_INO_INVALID_ATTR; ++ ++ /* Don't declare attrcache up to date if there were no attrs! */ ++ if (fattr->valid != 0) ++ invalid &= ~NFS_INO_INVALID_ATTR; ++ + /* Don't invalidate the data if we were to blame */ + if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) + || S_ISLNK(inode->i_mode))) +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index 3aa6a9ba5113..199648d5fcc5 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -33,7 +33,7 @@ static int nfs_get_cb_ident_idr(struct nfs_client *clp, int minorversion) + return ret; + idr_preload(GFP_KERNEL); + spin_lock(&nn->nfs_client_lock); +- ret = idr_alloc(&nn->cb_ident_idr, clp, 0, 0, GFP_NOWAIT); ++ ret = idr_alloc(&nn->cb_ident_idr, clp, 1, 0, GFP_NOWAIT); + if (ret >= 0) + clp->cl_cb_ident = ret; + spin_unlock(&nn->nfs_client_lock); +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 75189cd34583..5ea13286e2b0 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -765,16 +765,68 @@ void nfs4_unhash_stid(struct nfs4_stid *s) + s->sc_type = 0; + } + +-static void ++/** ++ * nfs4_get_existing_delegation - Discover if this delegation already exists ++ * @clp: a pointer to the nfs4_client we're granting a delegation to ++ * @fp: a pointer to the nfs4_file we're granting a delegation on ++ * ++ * Return: ++ * On success: NULL if an existing delegation was not found. ++ * ++ * On error: -EAGAIN if one was previously granted to this nfs4_client ++ * for this nfs4_file. ++ * ++ */ ++ ++static int ++nfs4_get_existing_delegation(struct nfs4_client *clp, struct nfs4_file *fp) ++{ ++ struct nfs4_delegation *searchdp = NULL; ++ struct nfs4_client *searchclp = NULL; ++ ++ lockdep_assert_held(&state_lock); ++ lockdep_assert_held(&fp->fi_lock); ++ ++ list_for_each_entry(searchdp, &fp->fi_delegations, dl_perfile) { ++ searchclp = searchdp->dl_stid.sc_client; ++ if (clp == searchclp) { ++ return -EAGAIN; ++ } ++ } ++ return 0; ++} ++ ++/** ++ * hash_delegation_locked - Add a delegation to the appropriate lists ++ * @dp: a pointer to the nfs4_delegation we are adding. ++ * @fp: a pointer to the nfs4_file we're granting a delegation on ++ * ++ * Return: ++ * On success: NULL if the delegation was successfully hashed. ++ * ++ * On error: -EAGAIN if one was previously granted to this ++ * nfs4_client for this nfs4_file. Delegation is not hashed. ++ * ++ */ ++ ++static int + hash_delegation_locked(struct nfs4_delegation *dp, struct nfs4_file *fp) + { ++ int status; ++ struct nfs4_client *clp = dp->dl_stid.sc_client; ++ + lockdep_assert_held(&state_lock); + lockdep_assert_held(&fp->fi_lock); + ++ status = nfs4_get_existing_delegation(clp, fp); ++ if (status) ++ return status; ++ ++fp->fi_delegees; + atomic_inc(&dp->dl_stid.sc_count); + dp->dl_stid.sc_type = NFS4_DELEG_STID; + list_add(&dp->dl_perfile, &fp->fi_delegations); +- list_add(&dp->dl_perclnt, &dp->dl_stid.sc_client->cl_delegations); ++ list_add(&dp->dl_perclnt, &clp->cl_delegations); ++ return 0; + } + + static bool +@@ -3351,6 +3403,7 @@ static void init_open_stateid(struct nfs4_ol_stateid *stp, struct nfs4_file *fp, + stp->st_access_bmap = 0; + stp->st_deny_bmap = 0; + stp->st_openstp = NULL; ++ init_rwsem(&stp->st_rwsem); + spin_lock(&oo->oo_owner.so_client->cl_lock); + list_add(&stp->st_perstateowner, &oo->oo_owner.so_stateids); + spin_lock(&fp->fi_lock); +@@ -3939,6 +3992,18 @@ static struct file_lock *nfs4_alloc_init_lease(struct nfs4_file *fp, int flag) + return fl; + } + ++/** ++ * nfs4_setlease - Obtain a delegation by requesting lease from vfs layer ++ * @dp: a pointer to the nfs4_delegation we're adding. ++ * ++ * Return: ++ * On success: Return code will be 0 on success. ++ * ++ * On error: -EAGAIN if there was an existing delegation. ++ * nonzero if there is an error in other cases. ++ * ++ */ ++ + static int nfs4_setlease(struct nfs4_delegation *dp) + { + struct nfs4_file *fp = dp->dl_stid.sc_file; +@@ -3970,16 +4035,19 @@ static int nfs4_setlease(struct nfs4_delegation *dp) + goto out_unlock; + /* Race breaker */ + if (fp->fi_deleg_file) { +- status = 0; +- ++fp->fi_delegees; +- hash_delegation_locked(dp, fp); ++ status = hash_delegation_locked(dp, fp); + goto out_unlock; + } + fp->fi_deleg_file = filp; +- fp->fi_delegees = 1; +- hash_delegation_locked(dp, fp); ++ fp->fi_delegees = 0; ++ status = hash_delegation_locked(dp, fp); + spin_unlock(&fp->fi_lock); + spin_unlock(&state_lock); ++ if (status) { ++ /* Should never happen, this is a new fi_deleg_file */ ++ WARN_ON_ONCE(1); ++ goto out_fput; ++ } + return 0; + out_unlock: + spin_unlock(&fp->fi_lock); +@@ -3999,6 +4067,15 @@ nfs4_set_delegation(struct nfs4_client *clp, struct svc_fh *fh, + if (fp->fi_had_conflict) + return ERR_PTR(-EAGAIN); + ++ spin_lock(&state_lock); ++ spin_lock(&fp->fi_lock); ++ status = nfs4_get_existing_delegation(clp, fp); ++ spin_unlock(&fp->fi_lock); ++ spin_unlock(&state_lock); ++ ++ if (status) ++ return ERR_PTR(status); ++ + dp = alloc_init_deleg(clp, fh, odstate); + if (!dp) + return ERR_PTR(-ENOMEM); +@@ -4017,9 +4094,7 @@ nfs4_set_delegation(struct nfs4_client *clp, struct svc_fh *fh, + status = -EAGAIN; + goto out_unlock; + } +- ++fp->fi_delegees; +- hash_delegation_locked(dp, fp); +- status = 0; ++ status = hash_delegation_locked(dp, fp); + out_unlock: + spin_unlock(&fp->fi_lock); + spin_unlock(&state_lock); +@@ -4180,15 +4255,20 @@ nfsd4_process_open2(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nf + */ + if (stp) { + /* Stateid was found, this is an OPEN upgrade */ ++ down_read(&stp->st_rwsem); + status = nfs4_upgrade_open(rqstp, fp, current_fh, stp, open); +- if (status) ++ if (status) { ++ up_read(&stp->st_rwsem); + goto out; ++ } + } else { + stp = open->op_stp; + open->op_stp = NULL; + init_open_stateid(stp, fp, open); ++ down_read(&stp->st_rwsem); + status = nfs4_get_vfs_file(rqstp, fp, current_fh, stp, open); + if (status) { ++ up_read(&stp->st_rwsem); + release_open_stateid(stp); + goto out; + } +@@ -4200,6 +4280,7 @@ nfsd4_process_open2(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nf + } + update_stateid(&stp->st_stid.sc_stateid); + memcpy(&open->op_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t)); ++ up_read(&stp->st_rwsem); + + if (nfsd4_has_session(&resp->cstate)) { + if (open->op_deleg_want & NFS4_SHARE_WANT_NO_DELEG) { +@@ -4814,10 +4895,13 @@ static __be32 nfs4_seqid_op_checks(struct nfsd4_compound_state *cstate, stateid_ + * revoked delegations are kept only for free_stateid. + */ + return nfserr_bad_stateid; ++ down_write(&stp->st_rwsem); + status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate)); +- if (status) +- return status; +- return nfs4_check_fh(current_fh, &stp->st_stid); ++ if (status == nfs_ok) ++ status = nfs4_check_fh(current_fh, &stp->st_stid); ++ if (status != nfs_ok) ++ up_write(&stp->st_rwsem); ++ return status; + } + + /* +@@ -4864,6 +4948,7 @@ static __be32 nfs4_preprocess_confirmed_seqid_op(struct nfsd4_compound_state *cs + return status; + oo = openowner(stp->st_stateowner); + if (!(oo->oo_flags & NFS4_OO_CONFIRMED)) { ++ up_write(&stp->st_rwsem); + nfs4_put_stid(&stp->st_stid); + return nfserr_bad_stateid; + } +@@ -4894,11 +4979,14 @@ nfsd4_open_confirm(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + goto out; + oo = openowner(stp->st_stateowner); + status = nfserr_bad_stateid; +- if (oo->oo_flags & NFS4_OO_CONFIRMED) ++ if (oo->oo_flags & NFS4_OO_CONFIRMED) { ++ up_write(&stp->st_rwsem); + goto put_stateid; ++ } + oo->oo_flags |= NFS4_OO_CONFIRMED; + update_stateid(&stp->st_stid.sc_stateid); + memcpy(&oc->oc_resp_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t)); ++ up_write(&stp->st_rwsem); + dprintk("NFSD: %s: success, seqid=%d stateid=" STATEID_FMT "\n", + __func__, oc->oc_seqid, STATEID_VAL(&stp->st_stid.sc_stateid)); + +@@ -4977,6 +5065,7 @@ nfsd4_open_downgrade(struct svc_rqst *rqstp, + memcpy(&od->od_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t)); + status = nfs_ok; + put_stateid: ++ up_write(&stp->st_rwsem); + nfs4_put_stid(&stp->st_stid); + out: + nfsd4_bump_seqid(cstate, status); +@@ -5030,6 +5119,7 @@ nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + goto out; + update_stateid(&stp->st_stid.sc_stateid); + memcpy(&close->cl_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t)); ++ up_write(&stp->st_rwsem); + + nfsd4_close_open_stateid(stp); + +@@ -5260,6 +5350,7 @@ init_lock_stateid(struct nfs4_ol_stateid *stp, struct nfs4_lockowner *lo, + stp->st_access_bmap = 0; + stp->st_deny_bmap = open_stp->st_deny_bmap; + stp->st_openstp = open_stp; ++ init_rwsem(&stp->st_rwsem); + list_add(&stp->st_locks, &open_stp->st_locks); + list_add(&stp->st_perstateowner, &lo->lo_owner.so_stateids); + spin_lock(&fp->fi_lock); +@@ -5428,6 +5519,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + &open_stp, nn); + if (status) + goto out; ++ up_write(&open_stp->st_rwsem); + open_sop = openowner(open_stp->st_stateowner); + status = nfserr_bad_stateid; + if (!same_clid(&open_sop->oo_owner.so_client->cl_clientid, +@@ -5435,6 +5527,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + goto out; + status = lookup_or_create_lock_state(cstate, open_stp, lock, + &lock_stp, &new); ++ if (status == nfs_ok) ++ down_write(&lock_stp->st_rwsem); + } else { + status = nfs4_preprocess_seqid_op(cstate, + lock->lk_old_lock_seqid, +@@ -5540,6 +5634,8 @@ out: + seqid_mutating_err(ntohl(status))) + lock_sop->lo_owner.so_seqid++; + ++ up_write(&lock_stp->st_rwsem); ++ + /* + * If this is a new, never-before-used stateid, and we are + * returning an error, then just go ahead and release it. +@@ -5710,6 +5806,7 @@ nfsd4_locku(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + fput: + fput(filp); + put_stateid: ++ up_write(&stp->st_rwsem); + nfs4_put_stid(&stp->st_stid); + out: + nfsd4_bump_seqid(cstate, status); +diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h +index 4874ce515fc1..fada614d6db1 100644 +--- a/fs/nfsd/state.h ++++ b/fs/nfsd/state.h +@@ -534,15 +534,16 @@ struct nfs4_file { + * Better suggestions welcome. + */ + struct nfs4_ol_stateid { +- struct nfs4_stid st_stid; /* must be first field */ +- struct list_head st_perfile; +- struct list_head st_perstateowner; +- struct list_head st_locks; +- struct nfs4_stateowner * st_stateowner; +- struct nfs4_clnt_odstate * st_clnt_odstate; +- unsigned char st_access_bmap; +- unsigned char st_deny_bmap; +- struct nfs4_ol_stateid * st_openstp; ++ struct nfs4_stid st_stid; ++ struct list_head st_perfile; ++ struct list_head st_perstateowner; ++ struct list_head st_locks; ++ struct nfs4_stateowner *st_stateowner; ++ struct nfs4_clnt_odstate *st_clnt_odstate; ++ unsigned char st_access_bmap; ++ unsigned char st_deny_bmap; ++ struct nfs4_ol_stateid *st_openstp; ++ struct rw_semaphore st_rwsem; + }; + + static inline struct nfs4_ol_stateid *openlockstateid(struct nfs4_stid *s) +diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c +index 6e6abb93fda5..ff040125c190 100644 +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -365,6 +365,8 @@ static int ocfs2_mknod(struct inode *dir, + mlog_errno(status); + goto leave; + } ++ /* update inode->i_mode after mask with "umask". */ ++ inode->i_mode = mode; + + handle = ocfs2_start_trans(osb, ocfs2_mknod_credits(osb->sb, + S_ISDIR(mode), +diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h +index 82806c60aa42..e4b464983322 100644 +--- a/include/linux/ipv6.h ++++ b/include/linux/ipv6.h +@@ -224,7 +224,7 @@ struct ipv6_pinfo { + struct ipv6_ac_socklist *ipv6_ac_list; + struct ipv6_fl_socklist __rcu *ipv6_fl_list; + +- struct ipv6_txoptions *opt; ++ struct ipv6_txoptions __rcu *opt; + struct sk_buff *pktoptions; + struct sk_buff *rxpmtu; + struct inet6_cork cork; +diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h +index eb1cebed3f36..c90c9b70e568 100644 +--- a/include/linux/jbd2.h ++++ b/include/linux/jbd2.h +@@ -1007,6 +1007,7 @@ struct journal_s + #define JBD2_ABORT_ON_SYNCDATA_ERR 0x040 /* Abort the journal on file + * data write error in ordered + * mode */ ++#define JBD2_REC_ERR 0x080 /* The errno in the sb has been recorded */ + + /* + * Function declarations for the journaling transaction and buffer +diff --git a/include/net/af_unix.h b/include/net/af_unix.h +index cb1b9bbda332..49c7683e1096 100644 +--- a/include/net/af_unix.h ++++ b/include/net/af_unix.h +@@ -62,6 +62,7 @@ struct unix_sock { + #define UNIX_GC_CANDIDATE 0 + #define UNIX_GC_MAYBE_CYCLE 1 + struct socket_wq peer_wq; ++ wait_queue_t peer_wake; + }; + + static inline struct unix_sock *unix_sk(struct sock *sk) +diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h +index 3b76849c190f..75a888c254e4 100644 +--- a/include/net/ip6_fib.h ++++ b/include/net/ip6_fib.h +@@ -165,7 +165,8 @@ static inline void rt6_update_expires(struct rt6_info *rt0, int timeout) + + static inline u32 rt6_get_cookie(const struct rt6_info *rt) + { +- if (rt->rt6i_flags & RTF_PCPU || unlikely(rt->dst.flags & DST_NOCACHE)) ++ if (rt->rt6i_flags & RTF_PCPU || ++ (unlikely(rt->dst.flags & DST_NOCACHE) && rt->dst.from)) + rt = (struct rt6_info *)(rt->dst.from); + + return rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0; +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h +index b8529aa1dae7..b0f7445c0fdc 100644 +--- a/include/net/ip6_tunnel.h ++++ b/include/net/ip6_tunnel.h +@@ -83,11 +83,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + err = ip6_local_out_sk(sk, skb); + + if (net_xmit_eval(err) == 0) { +- struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats); ++ struct pcpu_sw_netstats *tstats = get_cpu_ptr(dev->tstats); + u64_stats_update_begin(&tstats->syncp); + tstats->tx_bytes += pkt_len; + tstats->tx_packets++; + u64_stats_update_end(&tstats->syncp); ++ put_cpu_ptr(tstats); + } else { + stats->tx_errors++; + stats->tx_aborted_errors++; +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index d8214cb88bbc..9c2897e56ee1 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -207,12 +207,13 @@ static inline void iptunnel_xmit_stats(int err, + struct pcpu_sw_netstats __percpu *stats) + { + if (err > 0) { +- struct pcpu_sw_netstats *tstats = this_cpu_ptr(stats); ++ struct pcpu_sw_netstats *tstats = get_cpu_ptr(stats); + + u64_stats_update_begin(&tstats->syncp); + tstats->tx_bytes += err; + tstats->tx_packets++; + u64_stats_update_end(&tstats->syncp); ++ put_cpu_ptr(tstats); + } else if (err < 0) { + err_stats->tx_errors++; + err_stats->tx_aborted_errors++; +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index 82dbdb092a5d..177a89689095 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -205,6 +205,7 @@ extern rwlock_t ip6_ra_lock; + */ + + struct ipv6_txoptions { ++ atomic_t refcnt; + /* Length of this structure */ + int tot_len; + +@@ -217,7 +218,7 @@ struct ipv6_txoptions { + struct ipv6_opt_hdr *dst0opt; + struct ipv6_rt_hdr *srcrt; /* Routing Header */ + struct ipv6_opt_hdr *dst1opt; +- ++ struct rcu_head rcu; + /* Option buffer, as read by IPV6_PKTOPTIONS, starts here. */ + }; + +@@ -252,6 +253,24 @@ struct ipv6_fl_socklist { + struct rcu_head rcu; + }; + ++static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np) ++{ ++ struct ipv6_txoptions *opt; ++ ++ rcu_read_lock(); ++ opt = rcu_dereference(np->opt); ++ if (opt && !atomic_inc_not_zero(&opt->refcnt)) ++ opt = NULL; ++ rcu_read_unlock(); ++ return opt; ++} ++ ++static inline void txopt_put(struct ipv6_txoptions *opt) ++{ ++ if (opt && atomic_dec_and_test(&opt->refcnt)) ++ kfree_rcu(opt, rcu); ++} ++ + struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label); + struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space, + struct ip6_flowlabel *fl, +@@ -490,6 +509,7 @@ struct ip6_create_arg { + u32 user; + const struct in6_addr *src; + const struct in6_addr *dst; ++ int iif; + u8 ecn; + }; + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 2738f6f87908..49dda3835061 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -61,6 +61,9 @@ struct Qdisc { + */ + #define TCQ_F_WARN_NONWC (1 << 16) + #define TCQ_F_CPUSTATS 0x20 /* run using percpu statistics */ ++#define TCQ_F_NOPARENT 0x40 /* root of its hierarchy : ++ * qdisc_tree_decrease_qlen() should stop. ++ */ + u32 limit; + const struct Qdisc_ops *ops; + struct qdisc_size_table __rcu *stab; +diff --git a/include/net/switchdev.h b/include/net/switchdev.h +index d5671f118bfc..0b9197975603 100644 +--- a/include/net/switchdev.h ++++ b/include/net/switchdev.h +@@ -268,7 +268,7 @@ static inline int switchdev_port_fdb_dump(struct sk_buff *skb, + struct net_device *filter_dev, + int idx) + { +- return -EOPNOTSUPP; ++ return idx; + } + + #endif +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c +index cb31229a6fa4..34265a1ddb51 100644 +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -104,7 +104,7 @@ static int array_map_update_elem(struct bpf_map *map, void *key, void *value, + /* all elements already exist */ + return -EEXIST; + +- memcpy(array->value + array->elem_size * index, value, array->elem_size); ++ memcpy(array->value + array->elem_size * index, value, map->value_size); + return 0; + } + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 84195dacb8b6..ecdb1717ef3a 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2210,7 +2210,7 @@ static int pneigh_fill_info(struct sk_buff *skb, struct pneigh_entry *pn, + ndm->ndm_pad2 = 0; + ndm->ndm_flags = pn->flags | NTF_PROXY; + ndm->ndm_type = RTN_UNICAST; +- ndm->ndm_ifindex = pn->dev->ifindex; ++ ndm->ndm_ifindex = pn->dev ? pn->dev->ifindex : 0; + ndm->ndm_state = NUD_NONE; + + if (nla_put(skb, NDA_DST, tbl->key_len, pn->key)) +@@ -2285,7 +2285,7 @@ static int pneigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb, + if (h > s_h) + s_idx = 0; + for (n = tbl->phash_buckets[h], idx = 0; n; n = n->next) { +- if (dev_net(n->dev) != net) ++ if (pneigh_net(n) != net) + continue; + if (idx < s_idx) + goto next; +diff --git a/net/core/scm.c b/net/core/scm.c +index 3b6899b7d810..8a1741b14302 100644 +--- a/net/core/scm.c ++++ b/net/core/scm.c +@@ -305,6 +305,8 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm) + err = put_user(cmlen, &cm->cmsg_len); + if (!err) { + cmlen = CMSG_SPACE(i*sizeof(int)); ++ if (msg->msg_controllen < cmlen) ++ cmlen = msg->msg_controllen; + msg->msg_control += cmlen; + msg->msg_controllen -= cmlen; + } +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index 5165571f397a..a0490508d213 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -202,7 +202,9 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req) + security_req_classify_flow(req, flowi6_to_flowi(&fl6)); + + +- final_p = fl6_update_dst(&fl6, np->opt, &final); ++ rcu_read_lock(); ++ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final); ++ rcu_read_unlock(); + + dst = ip6_dst_lookup_flow(sk, &fl6, final_p); + if (IS_ERR(dst)) { +@@ -219,7 +221,10 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req) + &ireq->ir_v6_loc_addr, + &ireq->ir_v6_rmt_addr); + fl6.daddr = ireq->ir_v6_rmt_addr; +- err = ip6_xmit(sk, skb, &fl6, np->opt, np->tclass); ++ rcu_read_lock(); ++ err = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), ++ np->tclass); ++ rcu_read_unlock(); + err = net_xmit_eval(err); + } + +@@ -415,6 +420,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk, + { + struct inet_request_sock *ireq = inet_rsk(req); + struct ipv6_pinfo *newnp, *np = inet6_sk(sk); ++ struct ipv6_txoptions *opt; + struct inet_sock *newinet; + struct dccp6_sock *newdp6; + struct sock *newsk; +@@ -534,13 +540,15 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk, + * Yes, keeping reference count would be much more clever, but we make + * one more one thing there: reattach optmem to newsk. + */ +- if (np->opt != NULL) +- newnp->opt = ipv6_dup_options(newsk, np->opt); +- ++ opt = rcu_dereference(np->opt); ++ if (opt) { ++ opt = ipv6_dup_options(newsk, opt); ++ RCU_INIT_POINTER(newnp->opt, opt); ++ } + inet_csk(newsk)->icsk_ext_hdr_len = 0; +- if (newnp->opt != NULL) +- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen + +- newnp->opt->opt_flen); ++ if (opt) ++ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen + ++ opt->opt_flen; + + dccp_sync_mss(newsk, dst_mtu(dst)); + +@@ -793,6 +801,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + struct ipv6_pinfo *np = inet6_sk(sk); + struct dccp_sock *dp = dccp_sk(sk); + struct in6_addr *saddr = NULL, *final_p, final; ++ struct ipv6_txoptions *opt; + struct flowi6 fl6; + struct dst_entry *dst; + int addr_type; +@@ -892,7 +901,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + fl6.fl6_sport = inet->inet_sport; + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); + +- final_p = fl6_update_dst(&fl6, np->opt, &final); ++ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); ++ final_p = fl6_update_dst(&fl6, opt, &final); + + dst = ip6_dst_lookup_flow(sk, &fl6, final_p); + if (IS_ERR(dst)) { +@@ -912,9 +922,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + __ip6_dst_store(sk, dst, NULL, NULL); + + icsk->icsk_ext_hdr_len = 0; +- if (np->opt != NULL) +- icsk->icsk_ext_hdr_len = (np->opt->opt_flen + +- np->opt->opt_nflen); ++ if (opt) ++ icsk->icsk_ext_hdr_len = opt->opt_flen + opt->opt_nflen; + + inet->inet_dport = usin->sin6_port; + +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index df28693f32e1..c3bfebd501ed 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -134,7 +134,7 @@ static int __ipmr_fill_mroute(struct mr_table *mrt, struct sk_buff *skb, + struct mfc_cache *c, struct rtmsg *rtm); + static void mroute_netlink_event(struct mr_table *mrt, struct mfc_cache *mfc, + int cmd); +-static void mroute_clean_tables(struct mr_table *mrt); ++static void mroute_clean_tables(struct mr_table *mrt, bool all); + static void ipmr_expire_process(unsigned long arg); + + #ifdef CONFIG_IP_MROUTE_MULTIPLE_TABLES +@@ -351,7 +351,7 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id) + static void ipmr_free_table(struct mr_table *mrt) + { + del_timer_sync(&mrt->ipmr_expire_timer); +- mroute_clean_tables(mrt); ++ mroute_clean_tables(mrt, true); + kfree(mrt); + } + +@@ -1209,7 +1209,7 @@ static int ipmr_mfc_add(struct net *net, struct mr_table *mrt, + * Close the multicast socket, and clear the vif tables etc + */ + +-static void mroute_clean_tables(struct mr_table *mrt) ++static void mroute_clean_tables(struct mr_table *mrt, bool all) + { + int i; + LIST_HEAD(list); +@@ -1218,8 +1218,9 @@ static void mroute_clean_tables(struct mr_table *mrt) + /* Shut down all active vif entries */ + + for (i = 0; i < mrt->maxvif; i++) { +- if (!(mrt->vif_table[i].flags & VIFF_STATIC)) +- vif_delete(mrt, i, 0, &list); ++ if (!all && (mrt->vif_table[i].flags & VIFF_STATIC)) ++ continue; ++ vif_delete(mrt, i, 0, &list); + } + unregister_netdevice_many(&list); + +@@ -1227,7 +1228,7 @@ static void mroute_clean_tables(struct mr_table *mrt) + + for (i = 0; i < MFC_LINES; i++) { + list_for_each_entry_safe(c, next, &mrt->mfc_cache_array[i], list) { +- if (c->mfc_flags & MFC_STATIC) ++ if (!all && (c->mfc_flags & MFC_STATIC)) + continue; + list_del_rcu(&c->list); + mroute_netlink_event(mrt, c, RTM_DELROUTE); +@@ -1262,7 +1263,7 @@ static void mrtsock_destruct(struct sock *sk) + NETCONFA_IFINDEX_ALL, + net->ipv4.devconf_all); + RCU_INIT_POINTER(mrt->mroute_sk, NULL); +- mroute_clean_tables(mrt); ++ mroute_clean_tables(mrt, false); + } + } + rtnl_unlock(); +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 728f5b3d3c64..77730b43469d 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4434,19 +4434,34 @@ static int __must_check tcp_queue_rcv(struct sock *sk, struct sk_buff *skb, int + int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size) + { + struct sk_buff *skb; ++ int err = -ENOMEM; ++ int data_len = 0; + bool fragstolen; + + if (size == 0) + return 0; + +- skb = alloc_skb(size, sk->sk_allocation); ++ if (size > PAGE_SIZE) { ++ int npages = min_t(size_t, size >> PAGE_SHIFT, MAX_SKB_FRAGS); ++ ++ data_len = npages << PAGE_SHIFT; ++ size = data_len + (size & ~PAGE_MASK); ++ } ++ skb = alloc_skb_with_frags(size - data_len, data_len, ++ PAGE_ALLOC_COSTLY_ORDER, ++ &err, sk->sk_allocation); + if (!skb) + goto err; + ++ skb_put(skb, size - data_len); ++ skb->data_len = data_len; ++ skb->len = size; ++ + if (tcp_try_rmem_schedule(sk, skb, skb->truesize)) + goto err_free; + +- if (memcpy_from_msg(skb_put(skb, size), msg, size)) ++ err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, size); ++ if (err) + goto err_free; + + TCP_SKB_CB(skb)->seq = tcp_sk(sk)->rcv_nxt; +@@ -4462,7 +4477,8 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size) + err_free: + kfree_skb(skb); + err: +- return -ENOMEM; ++ return err; ++ + } + + static void tcp_data_queue(struct sock *sk, struct sk_buff *skb) +@@ -5620,6 +5636,7 @@ discard: + } + + tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1; ++ tp->copied_seq = tp->rcv_nxt; + tp->rcv_wup = TCP_SKB_CB(skb)->seq + 1; + + /* RFC1323: The window in SYN & SYN/ACK segments is +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 0ea2e1c5d395..569c63894472 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -922,7 +922,8 @@ int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr, + } + + md5sig = rcu_dereference_protected(tp->md5sig_info, +- sock_owned_by_user(sk)); ++ sock_owned_by_user(sk) || ++ lockdep_is_held(&sk->sk_lock.slock)); + if (!md5sig) { + md5sig = kmalloc(sizeof(*md5sig), gfp); + if (!md5sig) +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c +index 5b752f58a900..1e63c8fe1db8 100644 +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -176,6 +176,18 @@ static int tcp_write_timeout(struct sock *sk) + syn_set = true; + } else { + if (retransmits_timed_out(sk, sysctl_tcp_retries1, 0, 0)) { ++ /* Some middle-boxes may black-hole Fast Open _after_ ++ * the handshake. Therefore we conservatively disable ++ * Fast Open on this path on recurring timeouts with ++ * few or zero bytes acked after Fast Open. ++ */ ++ if (tp->syn_data_acked && ++ tp->bytes_acked <= tp->rx_opt.mss_clamp) { ++ tcp_fastopen_cache_set(sk, 0, NULL, true, 0); ++ if (icsk->icsk_retransmits == sysctl_tcp_retries1) ++ NET_INC_STATS_BH(sock_net(sk), ++ LINUX_MIB_TCPFASTOPENACTIVEFAIL); ++ } + /* Black hole detection */ + tcp_mtu_probing(icsk, sk); + +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c +index 7de52b65173f..d87519efc3bd 100644 +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -426,9 +426,11 @@ void inet6_destroy_sock(struct sock *sk) + + /* Free tx options */ + +- opt = xchg(&np->opt, NULL); +- if (opt) +- sock_kfree_s(sk, opt, opt->tot_len); ++ opt = xchg((__force struct ipv6_txoptions **)&np->opt, NULL); ++ if (opt) { ++ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); ++ txopt_put(opt); ++ } + } + EXPORT_SYMBOL_GPL(inet6_destroy_sock); + +@@ -657,7 +659,10 @@ int inet6_sk_rebuild_header(struct sock *sk) + fl6.fl6_sport = inet->inet_sport; + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); + +- final_p = fl6_update_dst(&fl6, np->opt, &final); ++ rcu_read_lock(); ++ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), ++ &final); ++ rcu_read_unlock(); + + dst = ip6_dst_lookup_flow(sk, &fl6, final_p); + if (IS_ERR(dst)) { +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c +index b10a88986a98..13ca4cf5616f 100644 +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -167,8 +167,10 @@ ipv4_connected: + + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); + +- opt = flowlabel ? flowlabel->opt : np->opt; ++ rcu_read_lock(); ++ opt = flowlabel ? flowlabel->opt : rcu_dereference(np->opt); + final_p = fl6_update_dst(&fl6, opt, &final); ++ rcu_read_unlock(); + + dst = ip6_dst_lookup_flow(sk, &fl6, final_p); + err = 0; +diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c +index a7bbbe45570b..adbd6958c398 100644 +--- a/net/ipv6/exthdrs.c ++++ b/net/ipv6/exthdrs.c +@@ -727,6 +727,7 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt) + *((char **)&opt2->dst1opt) += dif; + if (opt2->srcrt) + *((char **)&opt2->srcrt) += dif; ++ atomic_set(&opt2->refcnt, 1); + } + return opt2; + } +@@ -790,7 +791,7 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, + return ERR_PTR(-ENOBUFS); + + memset(opt2, 0, tot_len); +- ++ atomic_set(&opt2->refcnt, 1); + opt2->tot_len = tot_len; + p = (char *)(opt2 + 1); + +diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c +index 6927f3fb5597..9beed302eb36 100644 +--- a/net/ipv6/inet6_connection_sock.c ++++ b/net/ipv6/inet6_connection_sock.c +@@ -77,7 +77,9 @@ struct dst_entry *inet6_csk_route_req(struct sock *sk, + memset(fl6, 0, sizeof(*fl6)); + fl6->flowi6_proto = IPPROTO_TCP; + fl6->daddr = ireq->ir_v6_rmt_addr; +- final_p = fl6_update_dst(fl6, np->opt, &final); ++ rcu_read_lock(); ++ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final); ++ rcu_read_unlock(); + fl6->saddr = ireq->ir_v6_loc_addr; + fl6->flowi6_oif = ireq->ir_iif; + fl6->flowi6_mark = ireq->ir_mark; +@@ -207,7 +209,9 @@ static struct dst_entry *inet6_csk_route_socket(struct sock *sk, + fl6->fl6_dport = inet->inet_dport; + security_sk_classify_flow(sk, flowi6_to_flowi(fl6)); + +- final_p = fl6_update_dst(fl6, np->opt, &final); ++ rcu_read_lock(); ++ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final); ++ rcu_read_unlock(); + + dst = __inet6_csk_dst_check(sk, np->dst_cookie); + if (!dst) { +@@ -240,7 +244,8 @@ int inet6_csk_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl_unused + /* Restore final destination back after routing done */ + fl6.daddr = sk->sk_v6_daddr; + +- res = ip6_xmit(sk, skb, &fl6, np->opt, np->tclass); ++ res = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), ++ np->tclass); + rcu_read_unlock(); + return res; + } +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index 5f36266b1f5e..a7aef4b52d65 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -118,7 +118,7 @@ static void mr6_netlink_event(struct mr6_table *mrt, struct mfc6_cache *mfc, + int cmd); + static int ip6mr_rtm_dumproute(struct sk_buff *skb, + struct netlink_callback *cb); +-static void mroute_clean_tables(struct mr6_table *mrt); ++static void mroute_clean_tables(struct mr6_table *mrt, bool all); + static void ipmr_expire_process(unsigned long arg); + + #ifdef CONFIG_IPV6_MROUTE_MULTIPLE_TABLES +@@ -335,7 +335,7 @@ static struct mr6_table *ip6mr_new_table(struct net *net, u32 id) + static void ip6mr_free_table(struct mr6_table *mrt) + { + del_timer_sync(&mrt->ipmr_expire_timer); +- mroute_clean_tables(mrt); ++ mroute_clean_tables(mrt, true); + kfree(mrt); + } + +@@ -1543,7 +1543,7 @@ static int ip6mr_mfc_add(struct net *net, struct mr6_table *mrt, + * Close the multicast socket, and clear the vif tables etc + */ + +-static void mroute_clean_tables(struct mr6_table *mrt) ++static void mroute_clean_tables(struct mr6_table *mrt, bool all) + { + int i; + LIST_HEAD(list); +@@ -1553,8 +1553,9 @@ static void mroute_clean_tables(struct mr6_table *mrt) + * Shut down all active vif entries + */ + for (i = 0; i < mrt->maxvif; i++) { +- if (!(mrt->vif6_table[i].flags & VIFF_STATIC)) +- mif6_delete(mrt, i, &list); ++ if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC)) ++ continue; ++ mif6_delete(mrt, i, &list); + } + unregister_netdevice_many(&list); + +@@ -1563,7 +1564,7 @@ static void mroute_clean_tables(struct mr6_table *mrt) + */ + for (i = 0; i < MFC6_LINES; i++) { + list_for_each_entry_safe(c, next, &mrt->mfc6_cache_array[i], list) { +- if (c->mfc_flags & MFC_STATIC) ++ if (!all && (c->mfc_flags & MFC_STATIC)) + continue; + write_lock_bh(&mrt_lock); + list_del(&c->list); +@@ -1626,7 +1627,7 @@ int ip6mr_sk_done(struct sock *sk) + net->ipv6.devconf_all); + write_unlock_bh(&mrt_lock); + +- mroute_clean_tables(mrt); ++ mroute_clean_tables(mrt, false); + err = 0; + break; + } +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index 63e6956917c9..4449ad1f8114 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -111,7 +111,8 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk, + icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie); + } + } +- opt = xchg(&inet6_sk(sk)->opt, opt); ++ opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt, ++ opt); + sk_dst_reset(sk); + + return opt; +@@ -231,9 +232,12 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + sk->sk_socket->ops = &inet_dgram_ops; + sk->sk_family = PF_INET; + } +- opt = xchg(&np->opt, NULL); +- if (opt) +- sock_kfree_s(sk, opt, opt->tot_len); ++ opt = xchg((__force struct ipv6_txoptions **)&np->opt, ++ NULL); ++ if (opt) { ++ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); ++ txopt_put(opt); ++ } + pktopt = xchg(&np->pktoptions, NULL); + kfree_skb(pktopt); + +@@ -403,7 +407,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW)) + break; + +- opt = ipv6_renew_options(sk, np->opt, optname, ++ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); ++ opt = ipv6_renew_options(sk, opt, optname, + (struct ipv6_opt_hdr __user *)optval, + optlen); + if (IS_ERR(opt)) { +@@ -432,8 +437,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + retv = 0; + opt = ipv6_update_options(sk, opt); + sticky_done: +- if (opt) +- sock_kfree_s(sk, opt, opt->tot_len); ++ if (opt) { ++ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); ++ txopt_put(opt); ++ } + break; + } + +@@ -486,6 +493,7 @@ sticky_done: + break; + + memset(opt, 0, sizeof(*opt)); ++ atomic_set(&opt->refcnt, 1); + opt->tot_len = sizeof(*opt) + optlen; + retv = -EFAULT; + if (copy_from_user(opt+1, optval, optlen)) +@@ -502,8 +510,10 @@ update: + retv = 0; + opt = ipv6_update_options(sk, opt); + done: +- if (opt) +- sock_kfree_s(sk, opt, opt->tot_len); ++ if (opt) { ++ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); ++ txopt_put(opt); ++ } + break; + } + case IPV6_UNICAST_HOPS: +@@ -1110,10 +1120,11 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, + case IPV6_RTHDR: + case IPV6_DSTOPTS: + { ++ struct ipv6_txoptions *opt; + + lock_sock(sk); +- len = ipv6_getsockopt_sticky(sk, np->opt, +- optname, optval, len); ++ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); ++ len = ipv6_getsockopt_sticky(sk, opt, optname, optval, len); + release_sock(sk); + /* check if ipv6_getsockopt_sticky() returns err code */ + if (len < 0) +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index 083b2927fc67..41e3b5ee8d0b 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -1651,7 +1651,6 @@ out: + if (!err) { + ICMP6MSGOUT_INC_STATS(net, idev, ICMPV6_MLD2_REPORT); + ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS); +- IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, payload_len); + } else { + IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); + } +@@ -2014,7 +2013,6 @@ out: + if (!err) { + ICMP6MSGOUT_INC_STATS(net, idev, type); + ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS); +- IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, full_len); + } else + IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); + +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c +index 6d02498172c1..2a4682c847b0 100644 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -190,7 +190,7 @@ static void nf_ct_frag6_expire(unsigned long data) + /* Creation primitives. */ + static inline struct frag_queue *fq_find(struct net *net, __be32 id, + u32 user, struct in6_addr *src, +- struct in6_addr *dst, u8 ecn) ++ struct in6_addr *dst, int iif, u8 ecn) + { + struct inet_frag_queue *q; + struct ip6_create_arg arg; +@@ -200,6 +200,7 @@ static inline struct frag_queue *fq_find(struct net *net, __be32 id, + arg.user = user; + arg.src = src; + arg.dst = dst; ++ arg.iif = iif; + arg.ecn = ecn; + + local_bh_disable(); +@@ -603,7 +604,7 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user) + fhdr = (struct frag_hdr *)skb_transport_header(clone); + + fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr, +- ip6_frag_ecn(hdr)); ++ skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr)); + if (fq == NULL) { + pr_debug("Can't find and can't create new queue\n"); + goto ret_orig; +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index ca4700cb26c4..92d532967c90 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -731,6 +731,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd, + + static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + { ++ struct ipv6_txoptions *opt_to_free = NULL; + struct ipv6_txoptions opt_space; + DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name); + struct in6_addr *daddr, *final_p, final; +@@ -837,8 +838,10 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + if (!(opt->opt_nflen|opt->opt_flen)) + opt = NULL; + } +- if (!opt) +- opt = np->opt; ++ if (!opt) { ++ opt = txopt_get(np); ++ opt_to_free = opt; ++ } + if (flowlabel) + opt = fl6_merge_options(&opt_space, flowlabel, opt); + opt = ipv6_fixup_options(&opt_space, opt); +@@ -904,6 +907,7 @@ done: + dst_release(dst); + out: + fl6_sock_release(flowlabel); ++ txopt_put(opt_to_free); + return err < 0 ? err : len; + do_confirm: + dst_confirm(dst); +diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c +index f1159bb76e0a..04013a910ce5 100644 +--- a/net/ipv6/reassembly.c ++++ b/net/ipv6/reassembly.c +@@ -108,7 +108,10 @@ bool ip6_frag_match(const struct inet_frag_queue *q, const void *a) + return fq->id == arg->id && + fq->user == arg->user && + ipv6_addr_equal(&fq->saddr, arg->src) && +- ipv6_addr_equal(&fq->daddr, arg->dst); ++ ipv6_addr_equal(&fq->daddr, arg->dst) && ++ (arg->iif == fq->iif || ++ !(ipv6_addr_type(arg->dst) & (IPV6_ADDR_MULTICAST | ++ IPV6_ADDR_LINKLOCAL))); + } + EXPORT_SYMBOL(ip6_frag_match); + +@@ -180,7 +183,7 @@ static void ip6_frag_expire(unsigned long data) + + static struct frag_queue * + fq_find(struct net *net, __be32 id, const struct in6_addr *src, +- const struct in6_addr *dst, u8 ecn) ++ const struct in6_addr *dst, int iif, u8 ecn) + { + struct inet_frag_queue *q; + struct ip6_create_arg arg; +@@ -190,6 +193,7 @@ fq_find(struct net *net, __be32 id, const struct in6_addr *src, + arg.user = IP6_DEFRAG_LOCAL_DELIVER; + arg.src = src; + arg.dst = dst; ++ arg.iif = iif; + arg.ecn = ecn; + + hash = inet6_hash_frag(id, src, dst); +@@ -551,7 +555,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb) + } + + fq = fq_find(net, fhdr->identification, &hdr->saddr, &hdr->daddr, +- ip6_frag_ecn(hdr)); ++ skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr)); + if (fq) { + int ret; + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index dd6ebba5846c..8478719ef500 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -401,6 +401,14 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev, + } + } + ++static bool __rt6_check_expired(const struct rt6_info *rt) ++{ ++ if (rt->rt6i_flags & RTF_EXPIRES) ++ return time_after(jiffies, rt->dst.expires); ++ else ++ return false; ++} ++ + static bool rt6_check_expired(const struct rt6_info *rt) + { + if (rt->rt6i_flags & RTF_EXPIRES) { +@@ -1255,7 +1263,8 @@ static struct dst_entry *rt6_check(struct rt6_info *rt, u32 cookie) + + static struct dst_entry *rt6_dst_from_check(struct rt6_info *rt, u32 cookie) + { +- if (rt->dst.obsolete == DST_OBSOLETE_FORCE_CHK && ++ if (!__rt6_check_expired(rt) && ++ rt->dst.obsolete == DST_OBSOLETE_FORCE_CHK && + rt6_check((struct rt6_info *)(rt->dst.from), cookie)) + return &rt->dst; + else +@@ -1275,7 +1284,8 @@ static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie) + + rt6_dst_from_metrics_check(rt); + +- if ((rt->rt6i_flags & RTF_PCPU) || unlikely(dst->flags & DST_NOCACHE)) ++ if (rt->rt6i_flags & RTF_PCPU || ++ (unlikely(dst->flags & DST_NOCACHE) && rt->dst.from)) + return rt6_dst_from_check(rt, cookie); + else + return rt6_check(rt, cookie); +@@ -1326,6 +1336,12 @@ static void rt6_do_update_pmtu(struct rt6_info *rt, u32 mtu) + rt6_update_expires(rt, net->ipv6.sysctl.ip6_rt_mtu_expires); + } + ++static bool rt6_cache_allowed_for_pmtu(const struct rt6_info *rt) ++{ ++ return !(rt->rt6i_flags & RTF_CACHE) && ++ (rt->rt6i_flags & RTF_PCPU || rt->rt6i_node); ++} ++ + static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk, + const struct ipv6hdr *iph, u32 mtu) + { +@@ -1339,7 +1355,7 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk, + if (mtu >= dst_mtu(dst)) + return; + +- if (rt6->rt6i_flags & RTF_CACHE) { ++ if (!rt6_cache_allowed_for_pmtu(rt6)) { + rt6_do_update_pmtu(rt6, mtu); + } else { + const struct in6_addr *daddr, *saddr; +diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c +index 0909f4e0d53c..f30bfdcdea54 100644 +--- a/net/ipv6/syncookies.c ++++ b/net/ipv6/syncookies.c +@@ -225,7 +225,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) + memset(&fl6, 0, sizeof(fl6)); + fl6.flowi6_proto = IPPROTO_TCP; + fl6.daddr = ireq->ir_v6_rmt_addr; +- final_p = fl6_update_dst(&fl6, np->opt, &final); ++ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final); + fl6.saddr = ireq->ir_v6_loc_addr; + fl6.flowi6_oif = sk->sk_bound_dev_if; + fl6.flowi6_mark = ireq->ir_mark; +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 7a6cea5e4274..45e473ee340b 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -120,6 +120,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + struct ipv6_pinfo *np = inet6_sk(sk); + struct tcp_sock *tp = tcp_sk(sk); + struct in6_addr *saddr = NULL, *final_p, final; ++ struct ipv6_txoptions *opt; + struct flowi6 fl6; + struct dst_entry *dst; + int addr_type; +@@ -235,7 +236,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + fl6.fl6_dport = usin->sin6_port; + fl6.fl6_sport = inet->inet_sport; + +- final_p = fl6_update_dst(&fl6, np->opt, &final); ++ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); ++ final_p = fl6_update_dst(&fl6, opt, &final); + + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); + +@@ -263,9 +265,9 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + tcp_fetch_timewait_stamp(sk, dst); + + icsk->icsk_ext_hdr_len = 0; +- if (np->opt) +- icsk->icsk_ext_hdr_len = (np->opt->opt_flen + +- np->opt->opt_nflen); ++ if (opt) ++ icsk->icsk_ext_hdr_len = opt->opt_flen + ++ opt->opt_nflen; + + tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr); + +@@ -461,7 +463,8 @@ static int tcp_v6_send_synack(struct sock *sk, struct dst_entry *dst, + fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts)); + + skb_set_queue_mapping(skb, queue_mapping); +- err = ip6_xmit(sk, skb, fl6, np->opt, np->tclass); ++ err = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), ++ np->tclass); + err = net_xmit_eval(err); + } + +@@ -991,6 +994,7 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, + struct inet_request_sock *ireq; + struct ipv6_pinfo *newnp, *np = inet6_sk(sk); + struct tcp6_sock *newtcp6sk; ++ struct ipv6_txoptions *opt; + struct inet_sock *newinet; + struct tcp_sock *newtp; + struct sock *newsk; +@@ -1126,13 +1130,15 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, + but we make one more one thing there: reattach optmem + to newsk. + */ +- if (np->opt) +- newnp->opt = ipv6_dup_options(newsk, np->opt); +- ++ opt = rcu_dereference(np->opt); ++ if (opt) { ++ opt = ipv6_dup_options(newsk, opt); ++ RCU_INIT_POINTER(newnp->opt, opt); ++ } + inet_csk(newsk)->icsk_ext_hdr_len = 0; +- if (newnp->opt) +- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen + +- newnp->opt->opt_flen); ++ if (opt) ++ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen + ++ opt->opt_flen; + + tcp_ca_openreq_child(newsk, dst); + +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index e51fc3eee6db..7333f3575fc5 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1107,6 +1107,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name); + struct in6_addr *daddr, *final_p, final; + struct ipv6_txoptions *opt = NULL; ++ struct ipv6_txoptions *opt_to_free = NULL; + struct ip6_flowlabel *flowlabel = NULL; + struct flowi6 fl6; + struct dst_entry *dst; +@@ -1260,8 +1261,10 @@ do_udp_sendmsg: + opt = NULL; + connected = 0; + } +- if (!opt) +- opt = np->opt; ++ if (!opt) { ++ opt = txopt_get(np); ++ opt_to_free = opt; ++ } + if (flowlabel) + opt = fl6_merge_options(&opt_space, flowlabel, opt); + opt = ipv6_fixup_options(&opt_space, opt); +@@ -1370,6 +1373,7 @@ release_dst: + out: + dst_release(dst); + fl6_sock_release(flowlabel); ++ txopt_put(opt_to_free); + if (!err) + return len; + /* +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index d1ded3777815..0ce9da948ad7 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -486,6 +486,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + DECLARE_SOCKADDR(struct sockaddr_l2tpip6 *, lsa, msg->msg_name); + struct in6_addr *daddr, *final_p, final; + struct ipv6_pinfo *np = inet6_sk(sk); ++ struct ipv6_txoptions *opt_to_free = NULL; + struct ipv6_txoptions *opt = NULL; + struct ip6_flowlabel *flowlabel = NULL; + struct dst_entry *dst = NULL; +@@ -575,8 +576,10 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + opt = NULL; + } + +- if (opt == NULL) +- opt = np->opt; ++ if (!opt) { ++ opt = txopt_get(np); ++ opt_to_free = opt; ++ } + if (flowlabel) + opt = fl6_merge_options(&opt_space, flowlabel, opt); + opt = ipv6_fixup_options(&opt_space, opt); +@@ -631,6 +634,7 @@ done: + dst_release(dst); + out: + fl6_sock_release(flowlabel); ++ txopt_put(opt_to_free); + + return err < 0 ? err : len; + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 71cb085e16fd..71d671c06952 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1622,6 +1622,20 @@ static void fanout_release(struct sock *sk) + kfree_rcu(po->rollover, rcu); + } + ++static bool packet_extra_vlan_len_allowed(const struct net_device *dev, ++ struct sk_buff *skb) ++{ ++ /* Earlier code assumed this would be a VLAN pkt, double-check ++ * this now that we have the actual packet in hand. We can only ++ * do this check on Ethernet devices. ++ */ ++ if (unlikely(dev->type != ARPHRD_ETHER)) ++ return false; ++ ++ skb_reset_mac_header(skb); ++ return likely(eth_hdr(skb)->h_proto == htons(ETH_P_8021Q)); ++} ++ + static const struct proto_ops packet_ops; + + static const struct proto_ops packet_ops_spkt; +@@ -1783,18 +1797,10 @@ retry: + goto retry; + } + +- if (len > (dev->mtu + dev->hard_header_len + extra_len)) { +- /* Earlier code assumed this would be a VLAN pkt, +- * double-check this now that we have the actual +- * packet in hand. +- */ +- struct ethhdr *ehdr; +- skb_reset_mac_header(skb); +- ehdr = eth_hdr(skb); +- if (ehdr->h_proto != htons(ETH_P_8021Q)) { +- err = -EMSGSIZE; +- goto out_unlock; +- } ++ if (len > (dev->mtu + dev->hard_header_len + extra_len) && ++ !packet_extra_vlan_len_allowed(dev, skb)) { ++ err = -EMSGSIZE; ++ goto out_unlock; + } + + skb->protocol = proto; +@@ -2213,6 +2219,15 @@ static bool ll_header_truncated(const struct net_device *dev, int len) + return false; + } + ++static void tpacket_set_protocol(const struct net_device *dev, ++ struct sk_buff *skb) ++{ ++ if (dev->type == ARPHRD_ETHER) { ++ skb_reset_mac_header(skb); ++ skb->protocol = eth_hdr(skb)->h_proto; ++ } ++} ++ + static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, + void *frame, struct net_device *dev, int size_max, + __be16 proto, unsigned char *addr, int hlen) +@@ -2249,8 +2264,6 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, + skb_reserve(skb, hlen); + skb_reset_network_header(skb); + +- if (!packet_use_direct_xmit(po)) +- skb_probe_transport_header(skb, 0); + if (unlikely(po->tp_tx_has_off)) { + int off_min, off_max, off; + off_min = po->tp_hdrlen - sizeof(struct sockaddr_ll); +@@ -2296,6 +2309,8 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, + dev->hard_header_len); + if (unlikely(err)) + return err; ++ if (!skb->protocol) ++ tpacket_set_protocol(dev, skb); + + data += dev->hard_header_len; + to_write -= dev->hard_header_len; +@@ -2330,6 +2345,8 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, + len = ((to_write > len_max) ? len_max : to_write); + } + ++ skb_probe_transport_header(skb, 0); ++ + return tp_len; + } + +@@ -2374,12 +2391,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + if (unlikely(!(dev->flags & IFF_UP))) + goto out_put; + +- reserve = dev->hard_header_len + VLAN_HLEN; ++ if (po->sk.sk_socket->type == SOCK_RAW) ++ reserve = dev->hard_header_len; + size_max = po->tx_ring.frame_size + - (po->tp_hdrlen - sizeof(struct sockaddr_ll)); + +- if (size_max > dev->mtu + reserve) +- size_max = dev->mtu + reserve; ++ if (size_max > dev->mtu + reserve + VLAN_HLEN) ++ size_max = dev->mtu + reserve + VLAN_HLEN; + + do { + ph = packet_current_frame(po, &po->tx_ring, +@@ -2406,18 +2424,10 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + tp_len = tpacket_fill_skb(po, skb, ph, dev, size_max, proto, + addr, hlen); + if (likely(tp_len >= 0) && +- tp_len > dev->mtu + dev->hard_header_len) { +- struct ethhdr *ehdr; +- /* Earlier code assumed this would be a VLAN pkt, +- * double-check this now that we have the actual +- * packet in hand. +- */ ++ tp_len > dev->mtu + reserve && ++ !packet_extra_vlan_len_allowed(dev, skb)) ++ tp_len = -EMSGSIZE; + +- skb_reset_mac_header(skb); +- ehdr = eth_hdr(skb); +- if (ehdr->h_proto != htons(ETH_P_8021Q)) +- tp_len = -EMSGSIZE; +- } + if (unlikely(tp_len < 0)) { + if (po->tp_loss) { + __packet_set_status(po, ph, +@@ -2638,18 +2648,10 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + + sock_tx_timestamp(sk, &skb_shinfo(skb)->tx_flags); + +- if (!gso_type && (len > dev->mtu + reserve + extra_len)) { +- /* Earlier code assumed this would be a VLAN pkt, +- * double-check this now that we have the actual +- * packet in hand. +- */ +- struct ethhdr *ehdr; +- skb_reset_mac_header(skb); +- ehdr = eth_hdr(skb); +- if (ehdr->h_proto != htons(ETH_P_8021Q)) { +- err = -EMSGSIZE; +- goto out_free; +- } ++ if (!gso_type && (len > dev->mtu + reserve + extra_len) && ++ !packet_extra_vlan_len_allowed(dev, skb)) { ++ err = -EMSGSIZE; ++ goto out_free; + } + + skb->protocol = proto; +@@ -2680,8 +2682,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + len += vnet_hdr_len; + } + +- if (!packet_use_direct_xmit(po)) +- skb_probe_transport_header(skb, reserve); ++ skb_probe_transport_header(skb, reserve); ++ + if (unlikely(extra_len == 4)) + skb->no_fcs = 1; + +diff --git a/net/rds/connection.c b/net/rds/connection.c +index 9d66705f9d41..da6da57e5f36 100644 +--- a/net/rds/connection.c ++++ b/net/rds/connection.c +@@ -187,12 +187,6 @@ new_conn: + } + } + +- if (trans == NULL) { +- kmem_cache_free(rds_conn_slab, conn); +- conn = ERR_PTR(-ENODEV); +- goto out; +- } +- + conn->c_trans = trans; + + ret = trans->conn_alloc(conn, gfp); +diff --git a/net/rds/send.c b/net/rds/send.c +index e9430f537f9c..7b30c0f3180d 100644 +--- a/net/rds/send.c ++++ b/net/rds/send.c +@@ -986,11 +986,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len) + release_sock(sk); + } + +- /* racing with another thread binding seems ok here */ ++ lock_sock(sk); + if (daddr == 0 || rs->rs_bound_addr == 0) { ++ release_sock(sk); + ret = -ENOTCONN; /* XXX not a great errno */ + goto out; + } ++ release_sock(sk); + + /* size of rm including all sgs */ + ret = rds_rm_size(msg, payload_len); +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index f06aa01d60fd..1a0aa2a7cfeb 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -253,7 +253,8 @@ int qdisc_set_default(const char *name) + } + + /* We know handle. Find qdisc among all qdisc's attached to device +- (root qdisc, all its children, children of children etc.) ++ * (root qdisc, all its children, children of children etc.) ++ * Note: caller either uses rtnl or rcu_read_lock() + */ + + static struct Qdisc *qdisc_match_from_root(struct Qdisc *root, u32 handle) +@@ -264,7 +265,7 @@ static struct Qdisc *qdisc_match_from_root(struct Qdisc *root, u32 handle) + root->handle == handle) + return root; + +- list_for_each_entry(q, &root->list, list) { ++ list_for_each_entry_rcu(q, &root->list, list) { + if (q->handle == handle) + return q; + } +@@ -277,15 +278,18 @@ void qdisc_list_add(struct Qdisc *q) + struct Qdisc *root = qdisc_dev(q)->qdisc; + + WARN_ON_ONCE(root == &noop_qdisc); +- list_add_tail(&q->list, &root->list); ++ ASSERT_RTNL(); ++ list_add_tail_rcu(&q->list, &root->list); + } + } + EXPORT_SYMBOL(qdisc_list_add); + + void qdisc_list_del(struct Qdisc *q) + { +- if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS)) +- list_del(&q->list); ++ if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS)) { ++ ASSERT_RTNL(); ++ list_del_rcu(&q->list); ++ } + } + EXPORT_SYMBOL(qdisc_list_del); + +@@ -750,14 +754,18 @@ void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n) + if (n == 0) + return; + drops = max_t(int, n, 0); ++ rcu_read_lock(); + while ((parentid = sch->parent)) { + if (TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS)) +- return; ++ break; + ++ if (sch->flags & TCQ_F_NOPARENT) ++ break; ++ /* TODO: perform the search on a per txq basis */ + sch = qdisc_lookup(qdisc_dev(sch), TC_H_MAJ(parentid)); + if (sch == NULL) { +- WARN_ON(parentid != TC_H_ROOT); +- return; ++ WARN_ON_ONCE(parentid != TC_H_ROOT); ++ break; + } + cops = sch->ops->cl_ops; + if (cops->qlen_notify) { +@@ -768,6 +776,7 @@ void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n) + sch->q.qlen -= n; + __qdisc_qstats_drop(sch, drops); + } ++ rcu_read_unlock(); + } + EXPORT_SYMBOL(qdisc_tree_decrease_qlen); + +@@ -941,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue, + } + lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock); + if (!netif_is_multiqueue(dev)) +- sch->flags |= TCQ_F_ONETXQUEUE; ++ sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + } + + sch->handle = handle; +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index 6efca30894aa..b453270be3fd 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -743,7 +743,7 @@ static void attach_one_default_qdisc(struct net_device *dev, + return; + } + if (!netif_is_multiqueue(dev)) +- qdisc->flags |= TCQ_F_ONETXQUEUE; ++ qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + } + dev_queue->qdisc_sleeping = qdisc; + } +diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c +index f3cbaecd283a..3e82f047caaf 100644 +--- a/net/sched/sch_mq.c ++++ b/net/sched/sch_mq.c +@@ -63,7 +63,7 @@ static int mq_init(struct Qdisc *sch, struct nlattr *opt) + if (qdisc == NULL) + goto err; + priv->qdiscs[ntx] = qdisc; +- qdisc->flags |= TCQ_F_ONETXQUEUE; ++ qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + } + + sch->flags |= TCQ_F_MQROOT; +@@ -156,7 +156,7 @@ static int mq_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new, + + *old = dev_graft_qdisc(dev_queue, new); + if (new) +- new->flags |= TCQ_F_ONETXQUEUE; ++ new->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + if (dev->flags & IFF_UP) + dev_activate(dev); + return 0; +diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c +index 3811a745452c..ad70ecf57ce7 100644 +--- a/net/sched/sch_mqprio.c ++++ b/net/sched/sch_mqprio.c +@@ -132,7 +132,7 @@ static int mqprio_init(struct Qdisc *sch, struct nlattr *opt) + goto err; + } + priv->qdiscs[i] = qdisc; +- qdisc->flags |= TCQ_F_ONETXQUEUE; ++ qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + } + + /* If the mqprio options indicate that hardware should own +@@ -209,7 +209,7 @@ static int mqprio_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new, + *old = dev_graft_qdisc(dev_queue, new); + + if (new) +- new->flags |= TCQ_F_ONETXQUEUE; ++ new->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + + if (dev->flags & IFF_UP) + dev_activate(dev); +diff --git a/net/sctp/auth.c b/net/sctp/auth.c +index 4f15b7d730e1..1543e39f47c3 100644 +--- a/net/sctp/auth.c ++++ b/net/sctp/auth.c +@@ -809,8 +809,8 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep, + if (!has_sha1) + return -EINVAL; + +- memcpy(ep->auth_hmacs_list->hmac_ids, &hmacs->shmac_idents[0], +- hmacs->shmac_num_idents * sizeof(__u16)); ++ for (i = 0; i < hmacs->shmac_num_idents; i++) ++ ep->auth_hmacs_list->hmac_ids[i] = htons(hmacs->shmac_idents[i]); + ep->auth_hmacs_list->param_hdr.length = htons(sizeof(sctp_paramhdr_t) + + hmacs->shmac_num_idents * sizeof(__u16)); + return 0; +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 17bef01b9aa3..3ec88be0faec 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7375,6 +7375,13 @@ struct proto sctp_prot = { + + #if IS_ENABLED(CONFIG_IPV6) + ++#include ++static void sctp_v6_destroy_sock(struct sock *sk) ++{ ++ sctp_destroy_sock(sk); ++ inet6_destroy_sock(sk); ++} ++ + struct proto sctpv6_prot = { + .name = "SCTPv6", + .owner = THIS_MODULE, +@@ -7384,7 +7391,7 @@ struct proto sctpv6_prot = { + .accept = sctp_accept, + .ioctl = sctp_ioctl, + .init = sctp_init_sock, +- .destroy = sctp_destroy_sock, ++ .destroy = sctp_v6_destroy_sock, + .shutdown = sctp_shutdown, + .setsockopt = sctp_setsockopt, + .getsockopt = sctp_getsockopt, +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 94f658235fb4..128b0982c96b 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -326,6 +326,118 @@ found: + return s; + } + ++/* Support code for asymmetrically connected dgram sockets ++ * ++ * If a datagram socket is connected to a socket not itself connected ++ * to the first socket (eg, /dev/log), clients may only enqueue more ++ * messages if the present receive queue of the server socket is not ++ * "too large". This means there's a second writeability condition ++ * poll and sendmsg need to test. The dgram recv code will do a wake ++ * up on the peer_wait wait queue of a socket upon reception of a ++ * datagram which needs to be propagated to sleeping would-be writers ++ * since these might not have sent anything so far. This can't be ++ * accomplished via poll_wait because the lifetime of the server ++ * socket might be less than that of its clients if these break their ++ * association with it or if the server socket is closed while clients ++ * are still connected to it and there's no way to inform "a polling ++ * implementation" that it should let go of a certain wait queue ++ * ++ * In order to propagate a wake up, a wait_queue_t of the client ++ * socket is enqueued on the peer_wait queue of the server socket ++ * whose wake function does a wake_up on the ordinary client socket ++ * wait queue. This connection is established whenever a write (or ++ * poll for write) hit the flow control condition and broken when the ++ * association to the server socket is dissolved or after a wake up ++ * was relayed. ++ */ ++ ++static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags, ++ void *key) ++{ ++ struct unix_sock *u; ++ wait_queue_head_t *u_sleep; ++ ++ u = container_of(q, struct unix_sock, peer_wake); ++ ++ __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait, ++ q); ++ u->peer_wake.private = NULL; ++ ++ /* relaying can only happen while the wq still exists */ ++ u_sleep = sk_sleep(&u->sk); ++ if (u_sleep) ++ wake_up_interruptible_poll(u_sleep, key); ++ ++ return 0; ++} ++ ++static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other) ++{ ++ struct unix_sock *u, *u_other; ++ int rc; ++ ++ u = unix_sk(sk); ++ u_other = unix_sk(other); ++ rc = 0; ++ spin_lock(&u_other->peer_wait.lock); ++ ++ if (!u->peer_wake.private) { ++ u->peer_wake.private = other; ++ __add_wait_queue(&u_other->peer_wait, &u->peer_wake); ++ ++ rc = 1; ++ } ++ ++ spin_unlock(&u_other->peer_wait.lock); ++ return rc; ++} ++ ++static void unix_dgram_peer_wake_disconnect(struct sock *sk, ++ struct sock *other) ++{ ++ struct unix_sock *u, *u_other; ++ ++ u = unix_sk(sk); ++ u_other = unix_sk(other); ++ spin_lock(&u_other->peer_wait.lock); ++ ++ if (u->peer_wake.private == other) { ++ __remove_wait_queue(&u_other->peer_wait, &u->peer_wake); ++ u->peer_wake.private = NULL; ++ } ++ ++ spin_unlock(&u_other->peer_wait.lock); ++} ++ ++static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk, ++ struct sock *other) ++{ ++ unix_dgram_peer_wake_disconnect(sk, other); ++ wake_up_interruptible_poll(sk_sleep(sk), ++ POLLOUT | ++ POLLWRNORM | ++ POLLWRBAND); ++} ++ ++/* preconditions: ++ * - unix_peer(sk) == other ++ * - association is stable ++ */ ++static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) ++{ ++ int connected; ++ ++ connected = unix_dgram_peer_wake_connect(sk, other); ++ ++ if (unix_recvq_full(other)) ++ return 1; ++ ++ if (connected) ++ unix_dgram_peer_wake_disconnect(sk, other); ++ ++ return 0; ++} ++ + static inline int unix_writable(struct sock *sk) + { + return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf; +@@ -430,6 +542,8 @@ static void unix_release_sock(struct sock *sk, int embrion) + skpair->sk_state_change(skpair); + sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP); + } ++ ++ unix_dgram_peer_wake_disconnect(sk, skpair); + sock_put(skpair); /* It may now die */ + unix_peer(sk) = NULL; + } +@@ -440,6 +554,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + if (state == TCP_LISTEN) + unix_release_sock(skb->sk, 1); + /* passed fds are erased in the kfree_skb hook */ ++ UNIXCB(skb).consumed = skb->len; + kfree_skb(skb); + } + +@@ -664,6 +779,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern) + INIT_LIST_HEAD(&u->link); + mutex_init(&u->readlock); /* single task reading lock */ + init_waitqueue_head(&u->peer_wait); ++ init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay); + unix_insert_socket(unix_sockets_unbound(sk), sk); + out: + if (sk == NULL) +@@ -1031,6 +1147,8 @@ restart: + if (unix_peer(sk)) { + struct sock *old_peer = unix_peer(sk); + unix_peer(sk) = other; ++ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer); ++ + unix_state_double_unlock(sk, other); + + if (other != old_peer) +@@ -1432,6 +1550,14 @@ static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool sen + return err; + } + ++static bool unix_passcred_enabled(const struct socket *sock, ++ const struct sock *other) ++{ ++ return test_bit(SOCK_PASSCRED, &sock->flags) || ++ !other->sk_socket || ++ test_bit(SOCK_PASSCRED, &other->sk_socket->flags); ++} ++ + /* + * Some apps rely on write() giving SCM_CREDENTIALS + * We include credentials if source or destination socket +@@ -1442,14 +1568,41 @@ static void maybe_add_creds(struct sk_buff *skb, const struct socket *sock, + { + if (UNIXCB(skb).pid) + return; +- if (test_bit(SOCK_PASSCRED, &sock->flags) || +- !other->sk_socket || +- test_bit(SOCK_PASSCRED, &other->sk_socket->flags)) { ++ if (unix_passcred_enabled(sock, other)) { + UNIXCB(skb).pid = get_pid(task_tgid(current)); + current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid); + } + } + ++static int maybe_init_creds(struct scm_cookie *scm, ++ struct socket *socket, ++ const struct sock *other) ++{ ++ int err; ++ struct msghdr msg = { .msg_controllen = 0 }; ++ ++ err = scm_send(socket, &msg, scm, false); ++ if (err) ++ return err; ++ ++ if (unix_passcred_enabled(socket, other)) { ++ scm->pid = get_pid(task_tgid(current)); ++ current_uid_gid(&scm->creds.uid, &scm->creds.gid); ++ } ++ return err; ++} ++ ++static bool unix_skb_scm_eq(struct sk_buff *skb, ++ struct scm_cookie *scm) ++{ ++ const struct unix_skb_parms *u = &UNIXCB(skb); ++ ++ return u->pid == scm->pid && ++ uid_eq(u->uid, scm->creds.uid) && ++ gid_eq(u->gid, scm->creds.gid) && ++ unix_secdata_eq(scm, skb); ++} ++ + /* + * Send AF_UNIX data. + */ +@@ -1470,6 +1623,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + struct scm_cookie scm; + int max_level; + int data_len = 0; ++ int sk_locked; + + wait_for_unix_gc(); + err = scm_send(sock, msg, &scm, false); +@@ -1548,12 +1702,14 @@ restart: + goto out_free; + } + ++ sk_locked = 0; + unix_state_lock(other); ++restart_locked: + err = -EPERM; + if (!unix_may_send(sk, other)) + goto out_unlock; + +- if (sock_flag(other, SOCK_DEAD)) { ++ if (unlikely(sock_flag(other, SOCK_DEAD))) { + /* + * Check with 1003.1g - what should + * datagram error +@@ -1561,10 +1717,14 @@ restart: + unix_state_unlock(other); + sock_put(other); + ++ if (!sk_locked) ++ unix_state_lock(sk); ++ + err = 0; +- unix_state_lock(sk); + if (unix_peer(sk) == other) { + unix_peer(sk) = NULL; ++ unix_dgram_peer_wake_disconnect_wakeup(sk, other); ++ + unix_state_unlock(sk); + + unix_dgram_disconnected(sk, other); +@@ -1590,21 +1750,38 @@ restart: + goto out_unlock; + } + +- if (unix_peer(other) != sk && unix_recvq_full(other)) { +- if (!timeo) { +- err = -EAGAIN; +- goto out_unlock; ++ if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { ++ if (timeo) { ++ timeo = unix_wait_for_peer(other, timeo); ++ ++ err = sock_intr_errno(timeo); ++ if (signal_pending(current)) ++ goto out_free; ++ ++ goto restart; + } + +- timeo = unix_wait_for_peer(other, timeo); ++ if (!sk_locked) { ++ unix_state_unlock(other); ++ unix_state_double_lock(sk, other); ++ } + +- err = sock_intr_errno(timeo); +- if (signal_pending(current)) +- goto out_free; ++ if (unix_peer(sk) != other || ++ unix_dgram_peer_wake_me(sk, other)) { ++ err = -EAGAIN; ++ sk_locked = 1; ++ goto out_unlock; ++ } + +- goto restart; ++ if (!sk_locked) { ++ sk_locked = 1; ++ goto restart_locked; ++ } + } + ++ if (unlikely(sk_locked)) ++ unix_state_unlock(sk); ++ + if (sock_flag(other, SOCK_RCVTSTAMP)) + __net_timestamp(skb); + maybe_add_creds(skb, sock, other); +@@ -1618,6 +1795,8 @@ restart: + return len; + + out_unlock: ++ if (sk_locked) ++ unix_state_unlock(sk); + unix_state_unlock(other); + out_free: + kfree_skb(skb); +@@ -1739,8 +1918,10 @@ out_err: + static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page, + int offset, size_t size, int flags) + { +- int err = 0; +- bool send_sigpipe = true; ++ int err; ++ bool send_sigpipe = false; ++ bool init_scm = true; ++ struct scm_cookie scm; + struct sock *other, *sk = socket->sk; + struct sk_buff *skb, *newskb = NULL, *tail = NULL; + +@@ -1758,7 +1939,7 @@ alloc_skb: + newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT, + &err, 0); + if (!newskb) +- return err; ++ goto err; + } + + /* we must acquire readlock as we modify already present +@@ -1767,12 +1948,12 @@ alloc_skb: + err = mutex_lock_interruptible(&unix_sk(other)->readlock); + if (err) { + err = flags & MSG_DONTWAIT ? -EAGAIN : -ERESTARTSYS; +- send_sigpipe = false; + goto err; + } + + if (sk->sk_shutdown & SEND_SHUTDOWN) { + err = -EPIPE; ++ send_sigpipe = true; + goto err_unlock; + } + +@@ -1781,23 +1962,34 @@ alloc_skb: + if (sock_flag(other, SOCK_DEAD) || + other->sk_shutdown & RCV_SHUTDOWN) { + err = -EPIPE; ++ send_sigpipe = true; + goto err_state_unlock; + } + ++ if (init_scm) { ++ err = maybe_init_creds(&scm, socket, other); ++ if (err) ++ goto err_state_unlock; ++ init_scm = false; ++ } ++ + skb = skb_peek_tail(&other->sk_receive_queue); + if (tail && tail == skb) { + skb = newskb; +- } else if (!skb) { +- if (newskb) ++ } else if (!skb || !unix_skb_scm_eq(skb, &scm)) { ++ if (newskb) { + skb = newskb; +- else ++ } else { ++ tail = skb; + goto alloc_skb; ++ } + } else if (newskb) { + /* this is fast path, we don't necessarily need to + * call to kfree_skb even though with newskb == NULL + * this - does no harm + */ + consume_skb(newskb); ++ newskb = NULL; + } + + if (skb_append_pagefrags(skb, page, offset, size)) { +@@ -1810,14 +2002,20 @@ alloc_skb: + skb->truesize += size; + atomic_add(size, &sk->sk_wmem_alloc); + +- if (newskb) ++ if (newskb) { ++ err = unix_scm_to_skb(&scm, skb, false); ++ if (err) ++ goto err_state_unlock; ++ spin_lock(&other->sk_receive_queue.lock); + __skb_queue_tail(&other->sk_receive_queue, newskb); ++ spin_unlock(&other->sk_receive_queue.lock); ++ } + + unix_state_unlock(other); + mutex_unlock(&unix_sk(other)->readlock); + + other->sk_data_ready(other); +- ++ scm_destroy(&scm); + return size; + + err_state_unlock: +@@ -1828,6 +2026,8 @@ err: + kfree_skb(newskb); + if (send_sigpipe && !(flags & MSG_NOSIGNAL)) + send_sig(SIGPIPE, current, 0); ++ if (!init_scm) ++ scm_destroy(&scm); + return err; + } + +@@ -2071,6 +2271,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state) + + do { + int chunk; ++ bool drop_skb; + struct sk_buff *skb, *last; + + unix_state_lock(sk); +@@ -2130,10 +2331,7 @@ unlock: + + if (check_creds) { + /* Never glue messages from different writers */ +- if ((UNIXCB(skb).pid != scm.pid) || +- !uid_eq(UNIXCB(skb).uid, scm.creds.uid) || +- !gid_eq(UNIXCB(skb).gid, scm.creds.gid) || +- !unix_secdata_eq(&scm, skb)) ++ if (!unix_skb_scm_eq(skb, &scm)) + break; + } else if (test_bit(SOCK_PASSCRED, &sock->flags)) { + /* Copy credentials */ +@@ -2151,7 +2349,11 @@ unlock: + } + + chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size); ++ skb_get(skb); + chunk = state->recv_actor(skb, skip, chunk, state); ++ drop_skb = !unix_skb_len(skb); ++ /* skb is only safe to use if !drop_skb */ ++ consume_skb(skb); + if (chunk < 0) { + if (copied == 0) + copied = -EFAULT; +@@ -2160,6 +2362,18 @@ unlock: + copied += chunk; + size -= chunk; + ++ if (drop_skb) { ++ /* the skb was touched by a concurrent reader; ++ * we should not expect anything from this skb ++ * anymore and assume it invalid - we can be ++ * sure it was dropped from the socket queue ++ * ++ * let's report a short read ++ */ ++ err = 0; ++ break; ++ } ++ + /* Mark read part of skb as used */ + if (!(flags & MSG_PEEK)) { + UNIXCB(skb).consumed += chunk; +@@ -2453,14 +2667,16 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, + return mask; + + writable = unix_writable(sk); +- other = unix_peer_get(sk); +- if (other) { +- if (unix_peer(other) != sk) { +- sock_poll_wait(file, &unix_sk(other)->peer_wait, wait); +- if (unix_recvq_full(other)) +- writable = 0; +- } +- sock_put(other); ++ if (writable) { ++ unix_state_lock(sk); ++ ++ other = unix_peer(sk); ++ if (other && unix_peer(other) != sk && ++ unix_recvq_full(other) && ++ unix_dgram_peer_wake_me(sk, other)) ++ writable = 0; ++ ++ unix_state_unlock(sk); + } + + if (writable) +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index a97db5fc8a15..9d1f91db57e6 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -48,8 +48,9 @@ MODULE_PARM_DESC(static_hdmi_pcm, "Don't restrict PCM parameters per ELD info"); + #define is_haswell(codec) ((codec)->core.vendor_id == 0x80862807) + #define is_broadwell(codec) ((codec)->core.vendor_id == 0x80862808) + #define is_skylake(codec) ((codec)->core.vendor_id == 0x80862809) ++#define is_broxton(codec) ((codec)->core.vendor_id == 0x8086280a) + #define is_haswell_plus(codec) (is_haswell(codec) || is_broadwell(codec) \ +- || is_skylake(codec)) ++ || is_skylake(codec) || is_broxton(codec)) + + #define is_valleyview(codec) ((codec)->core.vendor_id == 0x80862882) + #define is_cherryview(codec) ((codec)->core.vendor_id == 0x80862883) +diff --git a/tools/net/Makefile b/tools/net/Makefile +index ee577ea03ba5..ddf888010652 100644 +--- a/tools/net/Makefile ++++ b/tools/net/Makefile +@@ -4,6 +4,9 @@ CC = gcc + LEX = flex + YACC = bison + ++CFLAGS += -Wall -O2 ++CFLAGS += -D__EXPORTED_HEADERS__ -I../../include/uapi -I../../include ++ + %.yacc.c: %.y + $(YACC) -o $@ -d $< + +@@ -12,15 +15,13 @@ YACC = bison + + all : bpf_jit_disasm bpf_dbg bpf_asm + +-bpf_jit_disasm : CFLAGS = -Wall -O2 -DPACKAGE='bpf_jit_disasm' ++bpf_jit_disasm : CFLAGS += -DPACKAGE='bpf_jit_disasm' + bpf_jit_disasm : LDLIBS = -lopcodes -lbfd -ldl + bpf_jit_disasm : bpf_jit_disasm.o + +-bpf_dbg : CFLAGS = -Wall -O2 + bpf_dbg : LDLIBS = -lreadline + bpf_dbg : bpf_dbg.o + +-bpf_asm : CFLAGS = -Wall -O2 -I. + bpf_asm : LDLIBS = + bpf_asm : bpf_asm.o bpf_exp.yacc.o bpf_exp.lex.o + bpf_exp.lex.o : bpf_exp.yacc.c diff --git a/patch/kernel/s500-default/packagin-guitar.patch b/patch/kernel/s500-default/01-packagin-guitar.patch similarity index 100% rename from patch/kernel/s500-default/packagin-guitar.patch rename to patch/kernel/s500-default/01-packagin-guitar.patch diff --git a/patch/kernel/s500-default/02-headers-packing.patch b/patch/kernel/s500-default/02-headers-packing.patch new file mode 100644 index 000000000..d27fd190d --- /dev/null +++ b/patch/kernel/s500-default/02-headers-packing.patch @@ -0,0 +1,13 @@ +diff --git a/scripts/package/builddeb b/scripts/package/builddeb +index 6c3b038..616aa9b 100755 +--- a/scripts/package/builddeb ++++ b/scripts/package/builddeb +@@ -334,6 +334,8 @@ mkdir -p "$destdir" + ln -sf "/usr/src/linux-headers-$version" "$kernel_headers_dir/lib/modules/$version/build" + rm -f "$objtree/debian/hdrsrcfiles" "$objtree/debian/hdrobjfiles" + ++(cd "$destdir"; make M=scripts clean) ++ + cat <> debian/control + + Package: $kernel_headers_packagename diff --git a/patch/kernel/udoo-default/udoo-packaging-v20-fix.patch b/patch/kernel/udoo-default/01-udoo-packaging-v20-fix.patch similarity index 100% rename from patch/kernel/udoo-default/udoo-packaging-v20-fix.patch rename to patch/kernel/udoo-default/01-udoo-packaging-v20-fix.patch diff --git a/patch/kernel/udoo-default/02-headers-packing.patch b/patch/kernel/udoo-default/02-headers-packing.patch new file mode 100644 index 000000000..d27fd190d --- /dev/null +++ b/patch/kernel/udoo-default/02-headers-packing.patch @@ -0,0 +1,13 @@ +diff --git a/scripts/package/builddeb b/scripts/package/builddeb +index 6c3b038..616aa9b 100755 +--- a/scripts/package/builddeb ++++ b/scripts/package/builddeb +@@ -334,6 +334,8 @@ mkdir -p "$destdir" + ln -sf "/usr/src/linux-headers-$version" "$kernel_headers_dir/lib/modules/$version/build" + rm -f "$objtree/debian/hdrsrcfiles" "$objtree/debian/hdrobjfiles" + ++(cd "$destdir"; make M=scripts clean) ++ + cat <> debian/control + + Package: $kernel_headers_packagename diff --git a/patch/kernel/udoo-next/packaging-next.patch b/patch/kernel/udoo-next/01-packaging-next.patch similarity index 100% rename from patch/kernel/udoo-next/packaging-next.patch rename to patch/kernel/udoo-next/01-packaging-next.patch diff --git a/patch/kernel/udoo-next/02-headers-packing.patch b/patch/kernel/udoo-next/02-headers-packing.patch new file mode 100644 index 000000000..d27fd190d --- /dev/null +++ b/patch/kernel/udoo-next/02-headers-packing.patch @@ -0,0 +1,13 @@ +diff --git a/scripts/package/builddeb b/scripts/package/builddeb +index 6c3b038..616aa9b 100755 +--- a/scripts/package/builddeb ++++ b/scripts/package/builddeb +@@ -334,6 +334,8 @@ mkdir -p "$destdir" + ln -sf "/usr/src/linux-headers-$version" "$kernel_headers_dir/lib/modules/$version/build" + rm -f "$objtree/debian/hdrsrcfiles" "$objtree/debian/hdrobjfiles" + ++(cd "$destdir"; make M=scripts clean) ++ + cat <> debian/control + + Package: $kernel_headers_packagename diff --git a/patch/kernel/udoo-next/patch-4.2.6-7.patch b/patch/kernel/udoo-next/patch-4.2.6-7.patch new file mode 100644 index 000000000..35ba2e411 --- /dev/null +++ b/patch/kernel/udoo-next/patch-4.2.6-7.patch @@ -0,0 +1,4131 @@ +diff --git a/Documentation/devicetree/bindings/usb/dwc3.txt b/Documentation/devicetree/bindings/usb/dwc3.txt +index 0815eac5b185..e12f3448846a 100644 +--- a/Documentation/devicetree/bindings/usb/dwc3.txt ++++ b/Documentation/devicetree/bindings/usb/dwc3.txt +@@ -35,6 +35,8 @@ Optional properties: + LTSSM during USB3 Compliance mode. + - snps,dis_u3_susphy_quirk: when set core will disable USB3 suspend phy. + - snps,dis_u2_susphy_quirk: when set core will disable USB2 suspend phy. ++ - snps,dis_enblslpm_quirk: when set clears the enblslpm in GUSB2PHYCFG, ++ disabling the suspend signal to the PHY. + - snps,is-utmi-l1-suspend: true when DWC3 asserts output signal + utmi_l1_suspend_n, false when asserts utmi_sleep_n + - snps,hird-threshold: HIRD threshold +diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt +index 6f7fafde0884..3e2844eca266 100644 +--- a/Documentation/filesystems/proc.txt ++++ b/Documentation/filesystems/proc.txt +@@ -140,7 +140,8 @@ Table 1-1: Process specific entries in /proc + stat Process status + statm Process memory status information + status Process status in human readable form +- wchan If CONFIG_KALLSYMS is set, a pre-decoded wchan ++ wchan Present with CONFIG_KALLSYMS=y: it shows the kernel function ++ symbol the task is blocked in - or "0" if not blocked. + pagemap Page table + stack Report full stack trace, enable via CONFIG_STACKTRACE + smaps a extension based on maps, showing the memory consumption of +@@ -310,7 +311,7 @@ Table 1-4: Contents of the stat files (as of 2.6.30-rc7) + blocked bitmap of blocked signals + sigign bitmap of ignored signals + sigcatch bitmap of caught signals +- wchan address where process went to sleep ++ 0 (place holder, used to be the wchan address, use /proc/PID/wchan instead) + 0 (place holder) + 0 (place holder) + exit_signal signal to send to parent thread on exit +diff --git a/Makefile b/Makefile +index 9ef37399b4e8..f5014eaf2532 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 2 +-SUBLEVEL = 6 ++SUBLEVEL = 7 + EXTRAVERSION = + NAME = Hurr durr I'ma sheep + +diff --git a/arch/arm/boot/dts/imx27.dtsi b/arch/arm/boot/dts/imx27.dtsi +index b69be5c499cf..8c603fdf9da1 100644 +--- a/arch/arm/boot/dts/imx27.dtsi ++++ b/arch/arm/boot/dts/imx27.dtsi +@@ -477,7 +477,10 @@ + compatible = "fsl,imx27-usb"; + reg = <0x10024000 0x200>; + interrupts = <56>; +- clocks = <&clks IMX27_CLK_USB_IPG_GATE>; ++ clocks = <&clks IMX27_CLK_USB_IPG_GATE>, ++ <&clks IMX27_CLK_USB_AHB_GATE>, ++ <&clks IMX27_CLK_USB_DIV>; ++ clock-names = "ipg", "ahb", "per"; + fsl,usbmisc = <&usbmisc 0>; + status = "disabled"; + }; +@@ -486,7 +489,10 @@ + compatible = "fsl,imx27-usb"; + reg = <0x10024200 0x200>; + interrupts = <54>; +- clocks = <&clks IMX27_CLK_USB_IPG_GATE>; ++ clocks = <&clks IMX27_CLK_USB_IPG_GATE>, ++ <&clks IMX27_CLK_USB_AHB_GATE>, ++ <&clks IMX27_CLK_USB_DIV>; ++ clock-names = "ipg", "ahb", "per"; + fsl,usbmisc = <&usbmisc 1>; + dr_mode = "host"; + status = "disabled"; +@@ -496,7 +502,10 @@ + compatible = "fsl,imx27-usb"; + reg = <0x10024400 0x200>; + interrupts = <55>; +- clocks = <&clks IMX27_CLK_USB_IPG_GATE>; ++ clocks = <&clks IMX27_CLK_USB_IPG_GATE>, ++ <&clks IMX27_CLK_USB_AHB_GATE>, ++ <&clks IMX27_CLK_USB_DIV>; ++ clock-names = "ipg", "ahb", "per"; + fsl,usbmisc = <&usbmisc 2>; + dr_mode = "host"; + status = "disabled"; +@@ -506,7 +515,6 @@ + #index-cells = <1>; + compatible = "fsl,imx27-usbmisc"; + reg = <0x10024600 0x200>; +- clocks = <&clks IMX27_CLK_USB_AHB_GATE>; + }; + + sahara2: sahara@10025000 { +diff --git a/arch/arm/boot/dts/omap5-uevm.dts b/arch/arm/boot/dts/omap5-uevm.dts +index 5771a149ce4a..23d645daeac1 100644 +--- a/arch/arm/boot/dts/omap5-uevm.dts ++++ b/arch/arm/boot/dts/omap5-uevm.dts +@@ -31,6 +31,24 @@ + regulator-max-microvolt = <3000000>; + }; + ++ mmc3_pwrseq: sdhci0_pwrseq { ++ compatible = "mmc-pwrseq-simple"; ++ clocks = <&clk32kgaudio>; ++ clock-names = "ext_clock"; ++ }; ++ ++ vmmcsdio_fixed: fixedregulator-mmcsdio { ++ compatible = "regulator-fixed"; ++ regulator-name = "vmmcsdio_fixed"; ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <1800000>; ++ gpio = <&gpio5 12 GPIO_ACTIVE_HIGH>; /* gpio140 WLAN_EN */ ++ enable-active-high; ++ startup-delay-us = <70000>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&wlan_pins>; ++ }; ++ + /* HS USB Host PHY on PORT 2 */ + hsusb2_phy: hsusb2_phy { + compatible = "usb-nop-xceiv"; +@@ -197,12 +215,20 @@ + >; + }; + +- mcspi4_pins: pinmux_mcspi4_pins { ++ mmc3_pins: pinmux_mmc3_pins { ++ pinctrl-single,pins = < ++ OMAP5_IOPAD(0x01a4, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_clk */ ++ OMAP5_IOPAD(0x01a6, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_cmd */ ++ OMAP5_IOPAD(0x01a8, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data0 */ ++ OMAP5_IOPAD(0x01aa, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data1 */ ++ OMAP5_IOPAD(0x01ac, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data2 */ ++ OMAP5_IOPAD(0x01ae, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data3 */ ++ >; ++ }; ++ ++ wlan_pins: pinmux_wlan_pins { + pinctrl-single,pins = < +- 0x164 (PIN_INPUT | MUX_MODE1) /* mcspi4_clk */ +- 0x168 (PIN_INPUT | MUX_MODE1) /* mcspi4_simo */ +- 0x16a (PIN_INPUT | MUX_MODE1) /* mcspi4_somi */ +- 0x16c (PIN_INPUT | MUX_MODE1) /* mcspi4_cs0 */ ++ OMAP5_IOPAD(0x1bc, PIN_OUTPUT | MUX_MODE6) /* mcspi1_clk.gpio5_140 */ + >; + }; + +@@ -276,6 +302,12 @@ + 0x1A (PIN_OUTPUT | MUX_MODE0) /* fref_clk1_out, USB hub clk */ + >; + }; ++ ++ wlcore_irq_pin: pinmux_wlcore_irq_pin { ++ pinctrl-single,pins = < ++ OMAP5_IOPAD(0x040, WAKEUP_EN | PIN_INPUT_PULLUP | MUX_MODE6) /* llia_wakereqin.gpio1_wk14 */ ++ >; ++ }; + }; + + &mmc1 { +@@ -290,8 +322,25 @@ + }; + + &mmc3 { ++ vmmc-supply = <&vmmcsdio_fixed>; ++ mmc-pwrseq = <&mmc3_pwrseq>; + bus-width = <4>; +- ti,non-removable; ++ non-removable; ++ cap-power-off-card; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&mmc3_pins &wlcore_irq_pin>; ++ interrupts-extended = <&gic GIC_SPI 94 IRQ_TYPE_LEVEL_HIGH ++ &omap5_pmx_core 0x168>; ++ ++ #address-cells = <1>; ++ #size-cells = <0>; ++ wlcore: wlcore@2 { ++ compatible = "ti,wl1271"; ++ reg = <2>; ++ interrupt-parent = <&gpio1>; ++ interrupts = <14 IRQ_TYPE_LEVEL_HIGH>; /* gpio 14 */ ++ ref-clock-frequency = <26000000>; ++ }; + }; + + &mmc4 { +@@ -591,11 +640,6 @@ + pinctrl-0 = <&mcspi3_pins>; + }; + +-&mcspi4 { +- pinctrl-names = "default"; +- pinctrl-0 = <&mcspi4_pins>; +-}; +- + &uart1 { + pinctrl-names = "default"; + pinctrl-0 = <&uart1_pins>; +diff --git a/arch/arm/boot/dts/sama5d4.dtsi b/arch/arm/boot/dts/sama5d4.dtsi +index 3ee22ee13c5a..1ba10e495f21 100644 +--- a/arch/arm/boot/dts/sama5d4.dtsi ++++ b/arch/arm/boot/dts/sama5d4.dtsi +@@ -939,11 +939,11 @@ + reg = <0xf8018000 0x4000>; + interrupts = <33 IRQ_TYPE_LEVEL_HIGH 6>; + dmas = <&dma1 +- (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1)) +- AT91_XDMAC_DT_PERID(4)>, ++ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) ++ | AT91_XDMAC_DT_PERID(4))>, + <&dma1 +- (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1)) +- AT91_XDMAC_DT_PERID(5)>; ++ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) ++ | AT91_XDMAC_DT_PERID(5))>; + dma-names = "tx", "rx"; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_i2c1>; +diff --git a/arch/arm/boot/dts/sun6i-a31-hummingbird.dts b/arch/arm/boot/dts/sun6i-a31-hummingbird.dts +index d0cfadac0691..18f26ca4e375 100644 +--- a/arch/arm/boot/dts/sun6i-a31-hummingbird.dts ++++ b/arch/arm/boot/dts/sun6i-a31-hummingbird.dts +@@ -184,18 +184,18 @@ + regulator-name = "vcc-3v0"; + }; + +- vdd_cpu: dcdc2 { ++ vdd_gpu: dcdc2 { + regulator-always-on; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1320000>; +- regulator-name = "vdd-cpu"; ++ regulator-name = "vdd-gpu"; + }; + +- vdd_gpu: dcdc3 { ++ vdd_cpu: dcdc3 { + regulator-always-on; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1320000>; +- regulator-name = "vdd-gpu"; ++ regulator-name = "vdd-cpu"; + }; + + vdd_sys_dll: dcdc4 { +diff --git a/arch/arm/common/edma.c b/arch/arm/common/edma.c +index 873dbfcc7dc9..56fc339571f9 100644 +--- a/arch/arm/common/edma.c ++++ b/arch/arm/common/edma.c +@@ -406,7 +406,8 @@ static irqreturn_t dma_irq_handler(int irq, void *data) + BIT(slot)); + if (edma_cc[ctlr]->intr_data[channel].callback) + edma_cc[ctlr]->intr_data[channel].callback( +- channel, EDMA_DMA_COMPLETE, ++ EDMA_CTLR_CHAN(ctlr, channel), ++ EDMA_DMA_COMPLETE, + edma_cc[ctlr]->intr_data[channel].data); + } + } while (sh_ipr); +@@ -460,7 +461,8 @@ static irqreturn_t dma_ccerr_handler(int irq, void *data) + if (edma_cc[ctlr]->intr_data[k]. + callback) { + edma_cc[ctlr]->intr_data[k]. +- callback(k, ++ callback( ++ EDMA_CTLR_CHAN(ctlr, k), + EDMA_DMA_CC_ERROR, + edma_cc[ctlr]->intr_data + [k].data); +diff --git a/arch/arm/include/asm/irq.h b/arch/arm/include/asm/irq.h +index 53c15dec7af6..6a9851ea6a60 100644 +--- a/arch/arm/include/asm/irq.h ++++ b/arch/arm/include/asm/irq.h +@@ -35,6 +35,11 @@ extern void (*handle_arch_irq)(struct pt_regs *); + extern void set_handle_irq(void (*handle_irq)(struct pt_regs *)); + #endif + ++static inline int nr_legacy_irqs(void) ++{ ++ return NR_IRQS_LEGACY; ++} ++ + #endif + + #endif +diff --git a/arch/arm/mach-at91/pm_suspend.S b/arch/arm/mach-at91/pm_suspend.S +index 0d95f488b47a..a25defda3d22 100644 +--- a/arch/arm/mach-at91/pm_suspend.S ++++ b/arch/arm/mach-at91/pm_suspend.S +@@ -80,6 +80,8 @@ tmp2 .req r5 + * @r2: base address of second SDRAM Controller or 0 if not present + * @r3: pm information + */ ++/* at91_pm_suspend_in_sram must be 8-byte aligned per the requirements of fncpy() */ ++ .align 3 + ENTRY(at91_pm_suspend_in_sram) + /* Save registers on stack */ + stmfd sp!, {r4 - r12, lr} +diff --git a/arch/arm/mach-pxa/include/mach/pxa27x.h b/arch/arm/mach-pxa/include/mach/pxa27x.h +index 599b925a657c..1a4291936c58 100644 +--- a/arch/arm/mach-pxa/include/mach/pxa27x.h ++++ b/arch/arm/mach-pxa/include/mach/pxa27x.h +@@ -19,7 +19,7 @@ + #define ARB_CORE_PARK (1<<24) /* Be parked with core when idle */ + #define ARB_LOCK_FLAG (1<<23) /* Only Locking masters gain access to the bus */ + +-extern int __init pxa27x_set_pwrmode(unsigned int mode); ++extern int pxa27x_set_pwrmode(unsigned int mode); + extern void pxa27x_cpu_pm_enter(suspend_state_t state); + + #endif /* __MACH_PXA27x_H */ +diff --git a/arch/arm/mach-pxa/pxa27x.c b/arch/arm/mach-pxa/pxa27x.c +index b5abdeb5bb2d..aa97547099fb 100644 +--- a/arch/arm/mach-pxa/pxa27x.c ++++ b/arch/arm/mach-pxa/pxa27x.c +@@ -84,7 +84,7 @@ EXPORT_SYMBOL_GPL(pxa27x_configure_ac97reset); + */ + static unsigned int pwrmode = PWRMODE_SLEEP; + +-int __init pxa27x_set_pwrmode(unsigned int mode) ++int pxa27x_set_pwrmode(unsigned int mode) + { + switch (mode) { + case PWRMODE_SLEEP: +diff --git a/arch/arm/mach-tegra/board-paz00.c b/arch/arm/mach-tegra/board-paz00.c +index fbe74c6806f3..49d1110cff53 100644 +--- a/arch/arm/mach-tegra/board-paz00.c ++++ b/arch/arm/mach-tegra/board-paz00.c +@@ -39,8 +39,8 @@ static struct platform_device wifi_rfkill_device = { + static struct gpiod_lookup_table wifi_gpio_lookup = { + .dev_id = "rfkill_gpio", + .table = { +- GPIO_LOOKUP_IDX("tegra-gpio", 25, NULL, 0, 0), +- GPIO_LOOKUP_IDX("tegra-gpio", 85, NULL, 1, 0), ++ GPIO_LOOKUP("tegra-gpio", 25, "reset", 0), ++ GPIO_LOOKUP("tegra-gpio", 85, "shutdown", 0), + { }, + }, + }; +diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c +index cba12f34ff77..25ecc6afec4c 100644 +--- a/arch/arm/mm/dma-mapping.c ++++ b/arch/arm/mm/dma-mapping.c +@@ -1413,12 +1413,19 @@ static int arm_iommu_mmap_attrs(struct device *dev, struct vm_area_struct *vma, + unsigned long uaddr = vma->vm_start; + unsigned long usize = vma->vm_end - vma->vm_start; + struct page **pages = __iommu_get_pages(cpu_addr, attrs); ++ unsigned long nr_pages = PAGE_ALIGN(size) >> PAGE_SHIFT; ++ unsigned long off = vma->vm_pgoff; + + vma->vm_page_prot = __get_dma_pgprot(attrs, vma->vm_page_prot); + + if (!pages) + return -ENXIO; + ++ if (off >= nr_pages || (usize >> PAGE_SHIFT) > nr_pages - off) ++ return -ENXIO; ++ ++ pages += off; ++ + do { + int ret = vm_insert_page(vma, uaddr, *pages++); + if (ret) { +diff --git a/arch/arm64/include/asm/irq.h b/arch/arm64/include/asm/irq.h +index bbb251b14746..8b9bf54105b3 100644 +--- a/arch/arm64/include/asm/irq.h ++++ b/arch/arm64/include/asm/irq.h +@@ -21,4 +21,9 @@ static inline void acpi_irq_init(void) + } + #define acpi_irq_init acpi_irq_init + ++static inline int nr_legacy_irqs(void) ++{ ++ return 0; ++} ++ + #endif +diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h +index d6dd9fdbc3be..d4264bb0a409 100644 +--- a/arch/arm64/include/asm/ptrace.h ++++ b/arch/arm64/include/asm/ptrace.h +@@ -83,14 +83,14 @@ + #define compat_sp regs[13] + #define compat_lr regs[14] + #define compat_sp_hyp regs[15] +-#define compat_sp_irq regs[16] +-#define compat_lr_irq regs[17] +-#define compat_sp_svc regs[18] +-#define compat_lr_svc regs[19] +-#define compat_sp_abt regs[20] +-#define compat_lr_abt regs[21] +-#define compat_sp_und regs[22] +-#define compat_lr_und regs[23] ++#define compat_lr_irq regs[16] ++#define compat_sp_irq regs[17] ++#define compat_lr_svc regs[18] ++#define compat_sp_svc regs[19] ++#define compat_lr_abt regs[20] ++#define compat_sp_abt regs[21] ++#define compat_lr_und regs[22] ++#define compat_sp_und regs[23] + #define compat_r8_fiq regs[24] + #define compat_r9_fiq regs[25] + #define compat_r10_fiq regs[26] +diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S +index 98073332e2d0..4d77757b5894 100644 +--- a/arch/arm64/kernel/vmlinux.lds.S ++++ b/arch/arm64/kernel/vmlinux.lds.S +@@ -60,9 +60,12 @@ PECOFF_FILE_ALIGNMENT = 0x200; + #define PECOFF_EDATA_PADDING + #endif + +-#ifdef CONFIG_DEBUG_ALIGN_RODATA ++#if defined(CONFIG_DEBUG_ALIGN_RODATA) + #define ALIGN_DEBUG_RO . = ALIGN(1<> 21) & 0x1f; + op_inst = (inst >> 16) & 0x1f; +- offset = inst & 0xffff; ++ offset = (int16_t)inst; + cache = (inst >> 16) & 0x3; + op = (inst >> 18) & 0x7; + +diff --git a/arch/mips/kvm/locore.S b/arch/mips/kvm/locore.S +index c567240386a0..d1ee95a7f7dd 100644 +--- a/arch/mips/kvm/locore.S ++++ b/arch/mips/kvm/locore.S +@@ -165,9 +165,11 @@ FEXPORT(__kvm_mips_vcpu_run) + + FEXPORT(__kvm_mips_load_asid) + /* Set the ASID for the Guest Kernel */ +- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ +- /* addresses shift to 0x80000000 */ +- bltz t0, 1f /* If kernel */ ++ PTR_L t0, VCPU_COP0(k1) ++ LONG_L t0, COP0_STATUS(t0) ++ andi t0, KSU_USER | ST0_ERL | ST0_EXL ++ xori t0, KSU_USER ++ bnez t0, 1f /* If kernel */ + INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ + INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */ + 1: +@@ -482,9 +484,11 @@ __kvm_mips_return_to_guest: + mtc0 t0, CP0_EPC + + /* Set the ASID for the Guest Kernel */ +- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ +- /* addresses shift to 0x80000000 */ +- bltz t0, 1f /* If kernel */ ++ PTR_L t0, VCPU_COP0(k1) ++ LONG_L t0, COP0_STATUS(t0) ++ andi t0, KSU_USER | ST0_ERL | ST0_EXL ++ xori t0, KSU_USER ++ bnez t0, 1f /* If kernel */ + INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ + INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */ + 1: +diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c +index cd4c129ce743..bafb32b4c6b4 100644 +--- a/arch/mips/kvm/mips.c ++++ b/arch/mips/kvm/mips.c +@@ -278,7 +278,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) + + if (!gebase) { + err = -ENOMEM; +- goto out_free_cpu; ++ goto out_uninit_cpu; + } + kvm_debug("Allocated %d bytes for KVM Exception Handlers @ %p\n", + ALIGN(size, PAGE_SIZE), gebase); +@@ -342,6 +342,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) + out_free_gebase: + kfree(gebase); + ++out_uninit_cpu: ++ kvm_vcpu_uninit(vcpu); ++ + out_free_cpu: + kfree(vcpu); + +diff --git a/arch/mips/lantiq/clk.c b/arch/mips/lantiq/clk.c +index 3fc2e6d70c77..a0706fd4ce0a 100644 +--- a/arch/mips/lantiq/clk.c ++++ b/arch/mips/lantiq/clk.c +@@ -99,6 +99,23 @@ int clk_set_rate(struct clk *clk, unsigned long rate) + } + EXPORT_SYMBOL(clk_set_rate); + ++long clk_round_rate(struct clk *clk, unsigned long rate) ++{ ++ if (unlikely(!clk_good(clk))) ++ return 0; ++ if (clk->rates && *clk->rates) { ++ unsigned long *r = clk->rates; ++ ++ while (*r && (*r != rate)) ++ r++; ++ if (!*r) { ++ return clk->rate; ++ } ++ } ++ return rate; ++} ++EXPORT_SYMBOL(clk_round_rate); ++ + int clk_enable(struct clk *clk) + { + if (unlikely(!clk_good(clk))) +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index c98d89708e99..cbee788d9625 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1051,8 +1051,7 @@ static int __inject_extcall(struct kvm_vcpu *vcpu, struct kvm_s390_irq *irq) + src_id, 0, 2); + + /* sending vcpu invalid */ +- if (src_id >= KVM_MAX_VCPUS || +- kvm_get_vcpu(vcpu->kvm, src_id) == NULL) ++ if (kvm_get_vcpu_by_id(vcpu->kvm, src_id) == NULL) + return -EINVAL; + + if (sclp.has_sigpif) +@@ -1131,6 +1130,10 @@ static int __inject_sigp_emergency(struct kvm_vcpu *vcpu, + trace_kvm_s390_inject_vcpu(vcpu->vcpu_id, KVM_S390_INT_EMERGENCY, + irq->u.emerg.code, 0, 2); + ++ /* sending vcpu invalid */ ++ if (kvm_get_vcpu_by_id(vcpu->kvm, irq->u.emerg.code) == NULL) ++ return -EINVAL; ++ + set_bit(irq->u.emerg.code, li->sigp_emerg_pending); + set_bit(IRQ_PEND_EXT_EMERGENCY, &li->pending_irqs); + atomic_set_mask(CPUSTAT_EXT_INT, li->cpuflags); +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index f32f843a3631..4a001c1b5a1a 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -289,12 +289,16 @@ static int kvm_vm_ioctl_enable_cap(struct kvm *kvm, struct kvm_enable_cap *cap) + r = 0; + break; + case KVM_CAP_S390_VECTOR_REGISTERS: +- if (MACHINE_HAS_VX) { ++ mutex_lock(&kvm->lock); ++ if (atomic_read(&kvm->online_vcpus)) { ++ r = -EBUSY; ++ } else if (MACHINE_HAS_VX) { + set_kvm_facility(kvm->arch.model.fac->mask, 129); + set_kvm_facility(kvm->arch.model.fac->list, 129); + r = 0; + } else + r = -EINVAL; ++ mutex_unlock(&kvm->lock); + break; + case KVM_CAP_S390_USER_STSI: + kvm->arch.user_stsi = 1; +@@ -1037,7 +1041,9 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type) + if (!kvm->arch.sca) + goto out_err; + spin_lock(&kvm_lock); +- sca_offset = (sca_offset + 16) & 0x7f0; ++ sca_offset += 16; ++ if (sca_offset + sizeof(struct sca_block) > PAGE_SIZE) ++ sca_offset = 0; + kvm->arch.sca = (struct sca_block *) ((char *) kvm->arch.sca + sca_offset); + spin_unlock(&kvm_lock); + +diff --git a/arch/s390/kvm/sigp.c b/arch/s390/kvm/sigp.c +index 72e58bd2bee7..7171056fc24d 100644 +--- a/arch/s390/kvm/sigp.c ++++ b/arch/s390/kvm/sigp.c +@@ -294,12 +294,8 @@ static int handle_sigp_dst(struct kvm_vcpu *vcpu, u8 order_code, + u16 cpu_addr, u32 parameter, u64 *status_reg) + { + int rc; +- struct kvm_vcpu *dst_vcpu; ++ struct kvm_vcpu *dst_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr); + +- if (cpu_addr >= KVM_MAX_VCPUS) +- return SIGP_CC_NOT_OPERATIONAL; +- +- dst_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr); + if (!dst_vcpu) + return SIGP_CC_NOT_OPERATIONAL; + +@@ -481,7 +477,7 @@ int kvm_s390_handle_sigp_pei(struct kvm_vcpu *vcpu) + trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr); + + if (order_code == SIGP_EXTERNAL_CALL) { +- dest_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr); ++ dest_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr); + BUG_ON(dest_vcpu == NULL); + + kvm_s390_vcpu_wakeup(dest_vcpu); +diff --git a/arch/tile/kernel/usb.c b/arch/tile/kernel/usb.c +index f0da5a237e94..9f1e05e12255 100644 +--- a/arch/tile/kernel/usb.c ++++ b/arch/tile/kernel/usb.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + + static u64 ehci_dmamask = DMA_BIT_MASK(32); +diff --git a/arch/x86/include/asm/i8259.h b/arch/x86/include/asm/i8259.h +index ccffa53750a8..39bcefc20de7 100644 +--- a/arch/x86/include/asm/i8259.h ++++ b/arch/x86/include/asm/i8259.h +@@ -60,6 +60,7 @@ struct legacy_pic { + void (*mask_all)(void); + void (*restore_mask)(void); + void (*init)(int auto_eoi); ++ int (*probe)(void); + int (*irq_pending)(unsigned int irq); + void (*make_irq)(unsigned int irq); + }; +diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h +index e16466ec473c..e9cd7befcb76 100644 +--- a/arch/x86/include/asm/kvm_emulate.h ++++ b/arch/x86/include/asm/kvm_emulate.h +@@ -112,6 +112,16 @@ struct x86_emulate_ops { + struct x86_exception *fault); + + /* ++ * read_phys: Read bytes of standard (non-emulated/special) memory. ++ * Used for descriptor reading. ++ * @addr: [IN ] Physical address from which to read. ++ * @val: [OUT] Value read from memory. ++ * @bytes: [IN ] Number of bytes to read from memory. ++ */ ++ int (*read_phys)(struct x86_emulate_ctxt *ctxt, unsigned long addr, ++ void *val, unsigned int bytes); ++ ++ /* + * write_std: Write bytes of standard (non-emulated/special) memory. + * Used for descriptor writing. + * @addr: [IN ] Linear address to which to write. +diff --git a/arch/x86/include/uapi/asm/svm.h b/arch/x86/include/uapi/asm/svm.h +index b5d7640abc5d..8a4add8e4639 100644 +--- a/arch/x86/include/uapi/asm/svm.h ++++ b/arch/x86/include/uapi/asm/svm.h +@@ -100,6 +100,7 @@ + { SVM_EXIT_EXCP_BASE + UD_VECTOR, "UD excp" }, \ + { SVM_EXIT_EXCP_BASE + PF_VECTOR, "PF excp" }, \ + { SVM_EXIT_EXCP_BASE + NM_VECTOR, "NM excp" }, \ ++ { SVM_EXIT_EXCP_BASE + AC_VECTOR, "AC excp" }, \ + { SVM_EXIT_EXCP_BASE + MC_VECTOR, "MC excp" }, \ + { SVM_EXIT_INTR, "interrupt" }, \ + { SVM_EXIT_NMI, "nmi" }, \ +diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c +index 2683f36e4e0a..ea4ba83ca0cf 100644 +--- a/arch/x86/kernel/apic/vector.c ++++ b/arch/x86/kernel/apic/vector.c +@@ -360,7 +360,11 @@ int __init arch_probe_nr_irqs(void) + if (nr < nr_irqs) + nr_irqs = nr; + +- return nr_legacy_irqs(); ++ /* ++ * We don't know if PIC is present at this point so we need to do ++ * probe() to get the right number of legacy IRQs. ++ */ ++ return legacy_pic->probe(); + } + + #ifdef CONFIG_X86_IO_APIC +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index cb9e5df42dd2..e4f929d97c42 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -272,10 +272,9 @@ __setup("nosmap", setup_disable_smap); + + static __always_inline void setup_smap(struct cpuinfo_x86 *c) + { +- unsigned long eflags; ++ unsigned long eflags = native_save_fl(); + + /* This should have been cleared long ago */ +- raw_local_save_flags(eflags); + BUG_ON(eflags & X86_EFLAGS_AC); + + if (cpu_has(c, X86_FEATURE_SMAP)) { +diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c +index 50ec9af1bd51..6545e6ddbfb1 100644 +--- a/arch/x86/kernel/fpu/signal.c ++++ b/arch/x86/kernel/fpu/signal.c +@@ -385,20 +385,19 @@ fpu__alloc_mathframe(unsigned long sp, int ia32_frame, + */ + void fpu__init_prepare_fx_sw_frame(void) + { +- int fsave_header_size = sizeof(struct fregs_state); + int size = xstate_size + FP_XSTATE_MAGIC2_SIZE; + +- if (config_enabled(CONFIG_X86_32)) +- size += fsave_header_size; +- + fx_sw_reserved.magic1 = FP_XSTATE_MAGIC1; + fx_sw_reserved.extended_size = size; + fx_sw_reserved.xfeatures = xfeatures_mask; + fx_sw_reserved.xstate_size = xstate_size; + +- if (config_enabled(CONFIG_IA32_EMULATION)) { ++ if (config_enabled(CONFIG_IA32_EMULATION) || ++ config_enabled(CONFIG_X86_32)) { ++ int fsave_header_size = sizeof(struct fregs_state); ++ + fx_sw_reserved_ia32 = fx_sw_reserved; +- fx_sw_reserved_ia32.extended_size += fsave_header_size; ++ fx_sw_reserved_ia32.extended_size = size + fsave_header_size; + } + } + +diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c +index 62fc001c7846..2c4ac072a702 100644 +--- a/arch/x86/kernel/fpu/xstate.c ++++ b/arch/x86/kernel/fpu/xstate.c +@@ -402,7 +402,6 @@ void *get_xsave_addr(struct xregs_state *xsave, int xstate_feature) + if (!boot_cpu_has(X86_FEATURE_XSAVE)) + return NULL; + +- xsave = ¤t->thread.fpu.state.xsave; + /* + * We should not ever be requesting features that we + * have not enabled. Remember that pcntxt_mask is +diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S +index 1d40ca8a73f2..ffdc0e860390 100644 +--- a/arch/x86/kernel/head_64.S ++++ b/arch/x86/kernel/head_64.S +@@ -65,6 +65,9 @@ startup_64: + * tables and then reload them. + */ + ++ /* Sanitize CPU configuration */ ++ call verify_cpu ++ + /* + * Compute the delta between the address I am compiled to run at and the + * address I am actually running at. +@@ -174,6 +177,9 @@ ENTRY(secondary_startup_64) + * after the boot processor executes this code. + */ + ++ /* Sanitize CPU configuration */ ++ call verify_cpu ++ + movq $(init_level4_pgt - __START_KERNEL_map), %rax + 1: + +@@ -288,6 +294,8 @@ ENTRY(secondary_startup_64) + pushq %rax # target address in negative space + lretq + ++#include "verify_cpu.S" ++ + #ifdef CONFIG_HOTPLUG_CPU + /* + * Boot CPU0 entry point. It's called from play_dead(). Everything has been set +diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c +index 16cb827a5b27..be22f5a2192e 100644 +--- a/arch/x86/kernel/i8259.c ++++ b/arch/x86/kernel/i8259.c +@@ -295,16 +295,11 @@ static void unmask_8259A(void) + raw_spin_unlock_irqrestore(&i8259A_lock, flags); + } + +-static void init_8259A(int auto_eoi) ++static int probe_8259A(void) + { + unsigned long flags; + unsigned char probe_val = ~(1 << PIC_CASCADE_IR); + unsigned char new_val; +- +- i8259A_auto_eoi = auto_eoi; +- +- raw_spin_lock_irqsave(&i8259A_lock, flags); +- + /* + * Check to see if we have a PIC. + * Mask all except the cascade and read +@@ -312,16 +307,28 @@ static void init_8259A(int auto_eoi) + * have a PIC, we will read 0xff as opposed to the + * value we wrote. + */ ++ raw_spin_lock_irqsave(&i8259A_lock, flags); ++ + outb(0xff, PIC_SLAVE_IMR); /* mask all of 8259A-2 */ + outb(probe_val, PIC_MASTER_IMR); + new_val = inb(PIC_MASTER_IMR); + if (new_val != probe_val) { + printk(KERN_INFO "Using NULL legacy PIC\n"); + legacy_pic = &null_legacy_pic; +- raw_spin_unlock_irqrestore(&i8259A_lock, flags); +- return; + } + ++ raw_spin_unlock_irqrestore(&i8259A_lock, flags); ++ return nr_legacy_irqs(); ++} ++ ++static void init_8259A(int auto_eoi) ++{ ++ unsigned long flags; ++ ++ i8259A_auto_eoi = auto_eoi; ++ ++ raw_spin_lock_irqsave(&i8259A_lock, flags); ++ + outb(0xff, PIC_MASTER_IMR); /* mask all of 8259A-1 */ + + /* +@@ -379,6 +386,10 @@ static int legacy_pic_irq_pending_noop(unsigned int irq) + { + return 0; + } ++static int legacy_pic_probe(void) ++{ ++ return 0; ++} + + struct legacy_pic null_legacy_pic = { + .nr_legacy_irqs = 0, +@@ -388,6 +399,7 @@ struct legacy_pic null_legacy_pic = { + .mask_all = legacy_pic_noop, + .restore_mask = legacy_pic_noop, + .init = legacy_pic_int_noop, ++ .probe = legacy_pic_probe, + .irq_pending = legacy_pic_irq_pending_noop, + .make_irq = legacy_pic_uint_noop, + }; +@@ -400,6 +412,7 @@ struct legacy_pic default_legacy_pic = { + .mask_all = mask_8259A, + .restore_mask = unmask_8259A, + .init = init_8259A, ++ .probe = probe_8259A, + .irq_pending = i8259A_irq_pending, + .make_irq = make_8259A_irq, + }; +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 80f874bf999e..1e6f70f1f251 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1198,6 +1198,14 @@ void __init setup_arch(char **cmdline_p) + clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY, + swapper_pg_dir + KERNEL_PGD_BOUNDARY, + KERNEL_PGD_PTRS); ++ ++ /* ++ * sync back low identity map too. It is used for example ++ * in the 32-bit EFI stub. ++ */ ++ clone_pgd_range(initial_page_table, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)); + #endif + + tboot_probe(); +diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S +index b9242bacbe59..4cf401f581e7 100644 +--- a/arch/x86/kernel/verify_cpu.S ++++ b/arch/x86/kernel/verify_cpu.S +@@ -34,10 +34,11 @@ + #include + + verify_cpu: +- pushfl # Save caller passed flags +- pushl $0 # Kill any dangerous flags +- popfl ++ pushf # Save caller passed flags ++ push $0 # Kill any dangerous flags ++ popf + ++#ifndef __x86_64__ + pushfl # standard way to check for cpuid + popl %eax + movl %eax,%ebx +@@ -48,6 +49,7 @@ verify_cpu: + popl %eax + cmpl %eax,%ebx + jz verify_cpu_no_longmode # cpu has no cpuid ++#endif + + movl $0x0,%eax # See if cpuid 1 is implemented + cpuid +@@ -130,10 +132,10 @@ verify_cpu_sse_test: + jmp verify_cpu_sse_test # try again + + verify_cpu_no_longmode: +- popfl # Restore caller passed flags ++ popf # Restore caller passed flags + movl $1,%eax + ret + verify_cpu_sse_ok: +- popfl # Restore caller passed flags ++ popf # Restore caller passed flags + xorl %eax, %eax + ret +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 2392541a96e6..f17c342355f6 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2272,8 +2272,8 @@ static int emulator_has_longmode(struct x86_emulate_ctxt *ctxt) + #define GET_SMSTATE(type, smbase, offset) \ + ({ \ + type __val; \ +- int r = ctxt->ops->read_std(ctxt, smbase + offset, &__val, \ +- sizeof(__val), NULL); \ ++ int r = ctxt->ops->read_phys(ctxt, smbase + offset, &__val, \ ++ sizeof(__val)); \ + if (r != X86EMUL_CONTINUE) \ + return X86EMUL_UNHANDLEABLE; \ + __val; \ +@@ -2484,17 +2484,36 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt) + + /* + * Get back to real mode, to prepare a safe state in which to load +- * CR0/CR3/CR4/EFER. Also this will ensure that addresses passed +- * to read_std/write_std are not virtual. +- * +- * CR4.PCIDE must be zero, because it is a 64-bit mode only feature. ++ * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU ++ * supports long mode. + */ ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (emulator_has_longmode(ctxt)) { ++ struct desc_struct cs_desc; ++ ++ /* Zero CR4.PCIDE before CR0.PG. */ ++ if (cr4 & X86_CR4_PCIDE) { ++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE); ++ cr4 &= ~X86_CR4_PCIDE; ++ } ++ ++ /* A 32-bit code segment is required to clear EFER.LMA. */ ++ memset(&cs_desc, 0, sizeof(cs_desc)); ++ cs_desc.type = 0xb; ++ cs_desc.s = cs_desc.g = cs_desc.p = 1; ++ ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS); ++ } ++ ++ /* For the 64-bit case, this will clear EFER.LMA. */ + cr0 = ctxt->ops->get_cr(ctxt, 0); + if (cr0 & X86_CR0_PE) + ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE)); +- cr4 = ctxt->ops->get_cr(ctxt, 4); ++ ++ /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */ + if (cr4 & X86_CR4_PAE) + ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); ++ ++ /* And finally go back to 32-bit mode. */ + efer = 0; + ctxt->ops->set_msr(ctxt, MSR_EFER, efer); + +@@ -4455,7 +4474,7 @@ static const struct opcode twobyte_table[256] = { + F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N, + /* 0xA8 - 0xAF */ + I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg), +- II(No64 | EmulateOnUD | ImplicitOps, em_rsm, rsm), ++ II(EmulateOnUD | ImplicitOps, em_rsm, rsm), + F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts), + F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd), + F(DstMem | SrcReg | Src2CL | ModRM, em_shrd), +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 2a5ca97c263b..236e346584c3 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -348,6 +348,8 @@ void kvm_apic_update_irr(struct kvm_vcpu *vcpu, u32 *pir) + struct kvm_lapic *apic = vcpu->arch.apic; + + __kvm_apic_update_irr(pir, apic->regs); ++ ++ kvm_make_request(KVM_REQ_EVENT, vcpu); + } + EXPORT_SYMBOL_GPL(kvm_apic_update_irr); + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 2d32b67a1043..00da6e85a27f 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1085,7 +1085,7 @@ static u64 svm_compute_tsc_offset(struct kvm_vcpu *vcpu, u64 target_tsc) + return target_tsc - tsc; + } + +-static void init_vmcb(struct vcpu_svm *svm, bool init_event) ++static void init_vmcb(struct vcpu_svm *svm) + { + struct vmcb_control_area *control = &svm->vmcb->control; + struct vmcb_save_area *save = &svm->vmcb->save; +@@ -1106,6 +1106,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event) + set_exception_intercept(svm, PF_VECTOR); + set_exception_intercept(svm, UD_VECTOR); + set_exception_intercept(svm, MC_VECTOR); ++ set_exception_intercept(svm, AC_VECTOR); + + set_intercept(svm, INTERCEPT_INTR); + set_intercept(svm, INTERCEPT_NMI); +@@ -1156,8 +1157,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event) + init_sys_seg(&save->ldtr, SEG_TYPE_LDT); + init_sys_seg(&save->tr, SEG_TYPE_BUSY_TSS16); + +- if (!init_event) +- svm_set_efer(&svm->vcpu, 0); ++ svm_set_efer(&svm->vcpu, 0); + save->dr6 = 0xffff0ff0; + kvm_set_rflags(&svm->vcpu, 2); + save->rip = 0x0000fff0; +@@ -1211,7 +1211,7 @@ static void svm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) + if (kvm_vcpu_is_reset_bsp(&svm->vcpu)) + svm->vcpu.arch.apic_base |= MSR_IA32_APICBASE_BSP; + } +- init_vmcb(svm, init_event); ++ init_vmcb(svm); + + kvm_cpuid(vcpu, &eax, &dummy, &dummy, &dummy); + kvm_register_write(vcpu, VCPU_REGS_RDX, eax); +@@ -1267,7 +1267,7 @@ static struct kvm_vcpu *svm_create_vcpu(struct kvm *kvm, unsigned int id) + clear_page(svm->vmcb); + svm->vmcb_pa = page_to_pfn(page) << PAGE_SHIFT; + svm->asid_generation = 0; +- init_vmcb(svm, false); ++ init_vmcb(svm); + + svm_init_osvw(&svm->vcpu); + +@@ -1795,6 +1795,12 @@ static int ud_interception(struct vcpu_svm *svm) + return 1; + } + ++static int ac_interception(struct vcpu_svm *svm) ++{ ++ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0); ++ return 1; ++} ++ + static void svm_fpu_activate(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); +@@ -1889,7 +1895,7 @@ static int shutdown_interception(struct vcpu_svm *svm) + * so reinitialize it. + */ + clear_page(svm->vmcb); +- init_vmcb(svm, false); ++ init_vmcb(svm); + + kvm_run->exit_reason = KVM_EXIT_SHUTDOWN; + return 0; +@@ -3369,6 +3375,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = { + [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception, + [SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception, + [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception, ++ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception, + [SVM_EXIT_INTR] = intr_interception, + [SVM_EXIT_NMI] = nmi_interception, + [SVM_EXIT_SMI] = nop_on_interception, +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index aa9e8229571d..e77d75b8772a 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu) + u32 eb; + + eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) | +- (1u << NM_VECTOR) | (1u << DB_VECTOR); ++ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR); + if ((vcpu->guest_debug & + (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) == + (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) +@@ -4780,8 +4780,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) + vmx_set_cr0(vcpu, cr0); /* enter rmode */ + vmx->vcpu.arch.cr0 = cr0; + vmx_set_cr4(vcpu, 0); +- if (!init_event) +- vmx_set_efer(vcpu, 0); ++ vmx_set_efer(vcpu, 0); + vmx_fpu_activate(vcpu); + update_exception_bitmap(vcpu); + +@@ -5118,6 +5117,9 @@ static int handle_exception(struct kvm_vcpu *vcpu) + return handle_rmode_exception(vcpu, ex_no, error_code); + + switch (ex_no) { ++ case AC_VECTOR: ++ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code); ++ return 1; + case DB_VECTOR: + dr6 = vmcs_readl(EXIT_QUALIFICATION); + if (!(vcpu->guest_debug & +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 373328b71599..2781e2b0201d 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -621,7 +621,9 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) + if ((cr0 ^ old_cr0) & update_bits) + kvm_mmu_reset_context(vcpu); + +- if ((cr0 ^ old_cr0) & X86_CR0_CD) ++ if (((cr0 ^ old_cr0) & X86_CR0_CD) && ++ kvm_arch_has_noncoherent_dma(vcpu->kvm) && ++ !kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_CD_NW_CLEARED)) + kvm_zap_gfn_range(vcpu->kvm, 0, ~0ULL); + + return 0; +@@ -4260,6 +4262,15 @@ static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt, + return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception); + } + ++static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt, ++ unsigned long addr, void *val, unsigned int bytes) ++{ ++ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); ++ int r = kvm_vcpu_read_guest(vcpu, addr, val, bytes); ++ ++ return r < 0 ? X86EMUL_IO_NEEDED : X86EMUL_CONTINUE; ++} ++ + int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, + gva_t addr, void *val, + unsigned int bytes, +@@ -4995,6 +5006,7 @@ static const struct x86_emulate_ops emulate_ops = { + .write_gpr = emulator_write_gpr, + .read_std = kvm_read_guest_virt_system, + .write_std = kvm_write_guest_virt_system, ++ .read_phys = kvm_read_guest_phys_system, + .fetch = kvm_fetch_guest_virt, + .read_emulated = emulator_read_emulated, + .write_emulated = emulator_write_emulated, +diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c +index db1b0bc5017c..c28f6185f8a4 100644 +--- a/arch/x86/mm/mpx.c ++++ b/arch/x86/mm/mpx.c +@@ -622,6 +622,29 @@ static unsigned long mpx_bd_entry_to_bt_addr(struct mm_struct *mm, + } + + /* ++ * We only want to do a 4-byte get_user() on 32-bit. Otherwise, ++ * we might run off the end of the bounds table if we are on ++ * a 64-bit kernel and try to get 8 bytes. ++ */ ++int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret, ++ long __user *bd_entry_ptr) ++{ ++ u32 bd_entry_32; ++ int ret; ++ ++ if (is_64bit_mm(mm)) ++ return get_user(*bd_entry_ret, bd_entry_ptr); ++ ++ /* ++ * Note that get_user() uses the type of the *pointer* to ++ * establish the size of the get, not the destination. ++ */ ++ ret = get_user(bd_entry_32, (u32 __user *)bd_entry_ptr); ++ *bd_entry_ret = bd_entry_32; ++ return ret; ++} ++ ++/* + * Get the base of bounds tables pointed by specific bounds + * directory entry. + */ +@@ -641,7 +664,7 @@ static int get_bt_addr(struct mm_struct *mm, + int need_write = 0; + + pagefault_disable(); +- ret = get_user(bd_entry, bd_entry_ptr); ++ ret = get_user_bd_entry(mm, &bd_entry, bd_entry_ptr); + pagefault_enable(); + if (!ret) + break; +@@ -736,11 +759,23 @@ static unsigned long mpx_get_bt_entry_offset_bytes(struct mm_struct *mm, + */ + static inline unsigned long bd_entry_virt_space(struct mm_struct *mm) + { +- unsigned long long virt_space = (1ULL << boot_cpu_data.x86_virt_bits); +- if (is_64bit_mm(mm)) +- return virt_space / MPX_BD_NR_ENTRIES_64; +- else +- return virt_space / MPX_BD_NR_ENTRIES_32; ++ unsigned long long virt_space; ++ unsigned long long GB = (1ULL << 30); ++ ++ /* ++ * This covers 32-bit emulation as well as 32-bit kernels ++ * running on 64-bit harware. ++ */ ++ if (!is_64bit_mm(mm)) ++ return (4ULL * GB) / MPX_BD_NR_ENTRIES_32; ++ ++ /* ++ * 'x86_virt_bits' returns what the hardware is capable ++ * of, and returns the full >32-bit adddress space when ++ * running 32-bit kernels on 64-bit hardware. ++ */ ++ virt_space = (1ULL << boot_cpu_data.x86_virt_bits); ++ return virt_space / MPX_BD_NR_ENTRIES_64; + } + + /* +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c +index e527a3e13939..fa893c3ec408 100644 +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -93,6 +93,7 @@ static const struct usb_device_id ath3k_table[] = { + { USB_DEVICE(0x04CA, 0x300f) }, + { USB_DEVICE(0x04CA, 0x3010) }, + { USB_DEVICE(0x0930, 0x0219) }, ++ { USB_DEVICE(0x0930, 0x021c) }, + { USB_DEVICE(0x0930, 0x0220) }, + { USB_DEVICE(0x0930, 0x0227) }, + { USB_DEVICE(0x0b05, 0x17d0) }, +@@ -104,6 +105,7 @@ static const struct usb_device_id ath3k_table[] = { + { USB_DEVICE(0x0CF3, 0x311F) }, + { USB_DEVICE(0x0cf3, 0x3121) }, + { USB_DEVICE(0x0CF3, 0x817a) }, ++ { USB_DEVICE(0x0CF3, 0x817b) }, + { USB_DEVICE(0x0cf3, 0xe003) }, + { USB_DEVICE(0x0CF3, 0xE004) }, + { USB_DEVICE(0x0CF3, 0xE005) }, +@@ -153,6 +155,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = { + { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, +@@ -164,6 +167,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = { + { USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0CF3, 0x817b), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 }, +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index b4cf8d9c9dac..7d9b09f4158c 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -192,6 +192,7 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, +@@ -203,6 +204,7 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, +diff --git a/drivers/clk/bcm/clk-iproc-pll.c b/drivers/clk/bcm/clk-iproc-pll.c +index 2dda4e8295a9..d679ab869653 100644 +--- a/drivers/clk/bcm/clk-iproc-pll.c ++++ b/drivers/clk/bcm/clk-iproc-pll.c +@@ -345,8 +345,8 @@ static unsigned long iproc_pll_recalc_rate(struct clk_hw *hw, + struct iproc_pll *pll = clk->pll; + const struct iproc_pll_ctrl *ctrl = pll->ctrl; + u32 val; +- u64 ndiv; +- unsigned int ndiv_int, ndiv_frac, pdiv; ++ u64 ndiv, ndiv_int, ndiv_frac; ++ unsigned int pdiv; + + if (parent_rate == 0) + return 0; +@@ -366,22 +366,19 @@ static unsigned long iproc_pll_recalc_rate(struct clk_hw *hw, + val = readl(pll->pll_base + ctrl->ndiv_int.offset); + ndiv_int = (val >> ctrl->ndiv_int.shift) & + bit_mask(ctrl->ndiv_int.width); +- ndiv = (u64)ndiv_int << ctrl->ndiv_int.shift; ++ ndiv = ndiv_int << 20; + + if (ctrl->flags & IPROC_CLK_PLL_HAS_NDIV_FRAC) { + val = readl(pll->pll_base + ctrl->ndiv_frac.offset); + ndiv_frac = (val >> ctrl->ndiv_frac.shift) & + bit_mask(ctrl->ndiv_frac.width); +- +- if (ndiv_frac != 0) +- ndiv = ((u64)ndiv_int << ctrl->ndiv_int.shift) | +- ndiv_frac; ++ ndiv += ndiv_frac; + } + + val = readl(pll->pll_base + ctrl->pdiv.offset); + pdiv = (val >> ctrl->pdiv.shift) & bit_mask(ctrl->pdiv.width); + +- clk->rate = (ndiv * parent_rate) >> ctrl->ndiv_int.shift; ++ clk->rate = (ndiv * parent_rate) >> 20; + + if (pdiv == 0) + clk->rate *= 2; +diff --git a/drivers/clk/versatile/clk-icst.c b/drivers/clk/versatile/clk-icst.c +index bc96f103bd7c..9064636a867f 100644 +--- a/drivers/clk/versatile/clk-icst.c ++++ b/drivers/clk/versatile/clk-icst.c +@@ -156,8 +156,10 @@ struct clk *icst_clk_register(struct device *dev, + icst->lockreg = base + desc->lock_offset; + + clk = clk_register(dev, &icst->hw); +- if (IS_ERR(clk)) ++ if (IS_ERR(clk)) { ++ kfree(pclone); + kfree(icst); ++ } + + return clk; + } +diff --git a/drivers/mfd/twl6040.c b/drivers/mfd/twl6040.c +index c5265c1262c5..6aacd205a774 100644 +--- a/drivers/mfd/twl6040.c ++++ b/drivers/mfd/twl6040.c +@@ -647,6 +647,8 @@ static int twl6040_probe(struct i2c_client *client, + + twl6040->clk32k = devm_clk_get(&client->dev, "clk32k"); + if (IS_ERR(twl6040->clk32k)) { ++ if (PTR_ERR(twl6040->clk32k) == -EPROBE_DEFER) ++ return -EPROBE_DEFER; + dev_info(&client->dev, "clk32k is not handled\n"); + twl6040->clk32k = NULL; + } +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index a98dd4f1b0e3..cbbb1c93386d 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1751,6 +1751,7 @@ err_undo_flags: + slave_dev->dev_addr)) + eth_hw_addr_random(bond_dev); + if (bond_dev->type != ARPHRD_ETHER) { ++ dev_close(bond_dev); + ether_setup(bond_dev); + bond_dev->flags |= IFF_MASTER; + bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING; +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index aede704605c6..141c2a42d7ed 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -915,7 +915,7 @@ static int can_fill_info(struct sk_buff *skb, const struct net_device *dev) + nla_put(skb, IFLA_CAN_BITTIMING_CONST, + sizeof(*priv->bittiming_const), priv->bittiming_const)) || + +- nla_put(skb, IFLA_CAN_CLOCK, sizeof(cm), &priv->clock) || ++ nla_put(skb, IFLA_CAN_CLOCK, sizeof(priv->clock), &priv->clock) || + nla_put_u32(skb, IFLA_CAN_STATE, state) || + nla_put(skb, IFLA_CAN_CTRLMODE, sizeof(cm), &cm) || + nla_put_u32(skb, IFLA_CAN_RESTART_MS, priv->restart_ms) || +diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c +index 7b92e911a616..f10834be48a5 100644 +--- a/drivers/net/can/sja1000/sja1000.c ++++ b/drivers/net/can/sja1000/sja1000.c +@@ -218,6 +218,9 @@ static void sja1000_start(struct net_device *dev) + priv->write_reg(priv, SJA1000_RXERR, 0x0); + priv->read_reg(priv, SJA1000_ECC); + ++ /* clear interrupt flags */ ++ priv->read_reg(priv, SJA1000_IR); ++ + /* leave reset mode */ + set_normal_mode(dev); + } +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +index a4473d8ff4fa..f672dba345f7 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +@@ -1595,7 +1595,7 @@ static void xgbe_dev_xmit(struct xgbe_channel *channel) + packet->rdesc_count, 1); + + /* Make sure ownership is written to the descriptor */ +- dma_wmb(); ++ smp_wmb(); + + ring->cur = cur_index + 1; + if (!packet->skb->xmit_more || +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index aae9d5ecd182..dde0486667e0 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -1807,6 +1807,7 @@ static int xgbe_tx_poll(struct xgbe_channel *channel) + struct netdev_queue *txq; + int processed = 0; + unsigned int tx_packets = 0, tx_bytes = 0; ++ unsigned int cur; + + DBGPR("-->xgbe_tx_poll\n"); + +@@ -1814,10 +1815,15 @@ static int xgbe_tx_poll(struct xgbe_channel *channel) + if (!ring) + return 0; + ++ cur = ring->cur; ++ ++ /* Be sure we get ring->cur before accessing descriptor data */ ++ smp_rmb(); ++ + txq = netdev_get_tx_queue(netdev, channel->queue_index); + + while ((processed < XGBE_TX_DESC_MAX_PROC) && +- (ring->dirty != ring->cur)) { ++ (ring->dirty != cur)) { + rdata = XGBE_GET_DESC_DATA(ring, ring->dirty); + rdesc = rdata->rdesc; + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index de63266de16b..5d1dde3f3540 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1775,7 +1775,7 @@ static int fec_enet_mdio_read(struct mii_bus *bus, int mii_id, int regnum) + int ret = 0; + + ret = pm_runtime_get_sync(dev); +- if (IS_ERR_VALUE(ret)) ++ if (ret < 0) + return ret; + + fep->mii_timeout = 0; +@@ -1811,11 +1811,13 @@ static int fec_enet_mdio_write(struct mii_bus *bus, int mii_id, int regnum, + struct fec_enet_private *fep = bus->priv; + struct device *dev = &fep->pdev->dev; + unsigned long time_left; +- int ret = 0; ++ int ret; + + ret = pm_runtime_get_sync(dev); +- if (IS_ERR_VALUE(ret)) ++ if (ret < 0) + return ret; ++ else ++ ret = 0; + + fep->mii_timeout = 0; + reinit_completion(&fep->mdio_done); +@@ -2866,7 +2868,7 @@ fec_enet_open(struct net_device *ndev) + int ret; + + ret = pm_runtime_get_sync(&fep->pdev->dev); +- if (IS_ERR_VALUE(ret)) ++ if (ret < 0) + return ret; + + pinctrl_pm_select_default_state(&fep->pdev->dev); +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 09ec32e33076..7e788073c154 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -949,7 +949,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp) + /* Set CPU queue access map - all CPUs have access to all RX + * queues and to all TX queues + */ +- for (cpu = 0; cpu < CONFIG_NR_CPUS; cpu++) ++ for_each_present_cpu(cpu) + mvreg_write(pp, MVNETA_CPU_MAP(cpu), + (MVNETA_CPU_RXQ_ACCESS_ALL_MASK | + MVNETA_CPU_TXQ_ACCESS_ALL_MASK)); +@@ -1533,12 +1533,16 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo, + } + + skb = build_skb(data, pp->frag_size > PAGE_SIZE ? 0 : pp->frag_size); +- if (!skb) +- goto err_drop_frame; + ++ /* After refill old buffer has to be unmapped regardless ++ * the skb is successfully built or not. ++ */ + dma_unmap_single(dev->dev.parent, phys_addr, + MVNETA_RX_BUF_SIZE(pp->pkt_size), DMA_FROM_DEVICE); + ++ if (!skb) ++ goto err_drop_frame; ++ + rcvd_pkts++; + rcvd_bytes += rx_bytes; + +diff --git a/drivers/net/ethernet/mellanox/mlx4/cmd.c b/drivers/net/ethernet/mellanox/mlx4/cmd.c +index 0a3202047569..2177e56ed0be 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c +@@ -2398,7 +2398,7 @@ int mlx4_multi_func_init(struct mlx4_dev *dev) + } + } + +- memset(&priv->mfunc.master.cmd_eqe, 0, dev->caps.eqe_size); ++ memset(&priv->mfunc.master.cmd_eqe, 0, sizeof(struct mlx4_eqe)); + priv->mfunc.master.cmd_eqe.type = MLX4_EVENT_TYPE_CMD; + INIT_WORK(&priv->mfunc.master.comm_work, + mlx4_master_comm_channel); +diff --git a/drivers/net/ethernet/mellanox/mlx4/eq.c b/drivers/net/ethernet/mellanox/mlx4/eq.c +index 8e81e53c370e..ad8f95df4310 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/eq.c ++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c +@@ -196,7 +196,7 @@ static void slave_event(struct mlx4_dev *dev, u8 slave, struct mlx4_eqe *eqe) + return; + } + +- memcpy(s_eqe, eqe, dev->caps.eqe_size - 1); ++ memcpy(s_eqe, eqe, sizeof(struct mlx4_eqe) - 1); + s_eqe->slave_id = slave; + /* ensure all information is written before setting the ownersip bit */ + dma_wmb(); +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index b1a4ea21c91c..4dd18f4bb5ae 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -1809,7 +1809,9 @@ static void efx_ef10_tx_write(struct efx_tx_queue *tx_queue) + unsigned int write_ptr; + efx_qword_t *txd; + +- BUG_ON(tx_queue->write_count == tx_queue->insert_count); ++ tx_queue->xmit_more_available = false; ++ if (unlikely(tx_queue->write_count == tx_queue->insert_count)) ++ return; + + do { + write_ptr = tx_queue->write_count & tx_queue->ptr_mask; +diff --git a/drivers/net/ethernet/sfc/farch.c b/drivers/net/ethernet/sfc/farch.c +index f08266f0eca2..5a1c5a8f278a 100644 +--- a/drivers/net/ethernet/sfc/farch.c ++++ b/drivers/net/ethernet/sfc/farch.c +@@ -321,7 +321,9 @@ void efx_farch_tx_write(struct efx_tx_queue *tx_queue) + unsigned write_ptr; + unsigned old_write_count = tx_queue->write_count; + +- BUG_ON(tx_queue->write_count == tx_queue->insert_count); ++ tx_queue->xmit_more_available = false; ++ if (unlikely(tx_queue->write_count == tx_queue->insert_count)) ++ return; + + do { + write_ptr = tx_queue->write_count & tx_queue->ptr_mask; +diff --git a/drivers/net/ethernet/sfc/net_driver.h b/drivers/net/ethernet/sfc/net_driver.h +index 47d1e3a96522..b8e8ce1caf0f 100644 +--- a/drivers/net/ethernet/sfc/net_driver.h ++++ b/drivers/net/ethernet/sfc/net_driver.h +@@ -219,6 +219,7 @@ struct efx_tx_buffer { + * @tso_packets: Number of packets via the TSO xmit path + * @pushes: Number of times the TX push feature has been used + * @pio_packets: Number of times the TX PIO feature has been used ++ * @xmit_more_available: Are any packets waiting to be pushed to the NIC + * @empty_read_count: If the completion path has seen the queue as empty + * and the transmission path has not yet checked this, the value of + * @read_count bitwise-added to %EFX_EMPTY_COUNT_VALID; otherwise 0. +@@ -253,6 +254,7 @@ struct efx_tx_queue { + unsigned int tso_packets; + unsigned int pushes; + unsigned int pio_packets; ++ bool xmit_more_available; + /* Statistics to supplement MAC stats */ + unsigned long tx_packets; + +diff --git a/drivers/net/ethernet/sfc/tx.c b/drivers/net/ethernet/sfc/tx.c +index 1833a0146571..67f6afaa022f 100644 +--- a/drivers/net/ethernet/sfc/tx.c ++++ b/drivers/net/ethernet/sfc/tx.c +@@ -431,8 +431,20 @@ finish_packet: + efx_tx_maybe_stop_queue(tx_queue); + + /* Pass off to hardware */ +- if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) ++ if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) { ++ struct efx_tx_queue *txq2 = efx_tx_queue_partner(tx_queue); ++ ++ /* There could be packets left on the partner queue if those ++ * SKBs had skb->xmit_more set. If we do not push those they ++ * could be left for a long time and cause a netdev watchdog. ++ */ ++ if (txq2->xmit_more_available) ++ efx_nic_push_buffers(txq2); ++ + efx_nic_push_buffers(tx_queue); ++ } else { ++ tx_queue->xmit_more_available = skb->xmit_more; ++ } + + tx_queue->tx_packets++; + +@@ -722,6 +734,7 @@ void efx_init_tx_queue(struct efx_tx_queue *tx_queue) + tx_queue->read_count = 0; + tx_queue->old_read_count = 0; + tx_queue->empty_read_count = 0 | EFX_EMPTY_COUNT_VALID; ++ tx_queue->xmit_more_available = false; + + /* Set up TX descriptor ring */ + efx_nic_init_tx(tx_queue); +@@ -747,6 +760,7 @@ void efx_fini_tx_queue(struct efx_tx_queue *tx_queue) + + ++tx_queue->read_count; + } ++ tx_queue->xmit_more_available = false; + netdev_tx_reset_queue(tx_queue->core_txq); + } + +@@ -1302,8 +1316,20 @@ static int efx_enqueue_skb_tso(struct efx_tx_queue *tx_queue, + efx_tx_maybe_stop_queue(tx_queue); + + /* Pass off to hardware */ +- if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) ++ if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) { ++ struct efx_tx_queue *txq2 = efx_tx_queue_partner(tx_queue); ++ ++ /* There could be packets left on the partner queue if those ++ * SKBs had skb->xmit_more set. If we do not push those they ++ * could be left for a long time and cause a netdev watchdog. ++ */ ++ if (txq2->xmit_more_available) ++ efx_nic_push_buffers(txq2); ++ + efx_nic_push_buffers(tx_queue); ++ } else { ++ tx_queue->xmit_more_available = skb->xmit_more; ++ } + + tx_queue->tso_bursts++; + return NETDEV_TX_OK; +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +index 771cda2a48b2..2e51b816a7e8 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +@@ -721,10 +721,13 @@ static int stmmac_get_ts_info(struct net_device *dev, + { + struct stmmac_priv *priv = netdev_priv(dev); + +- if ((priv->hwts_tx_en) && (priv->hwts_rx_en)) { ++ if ((priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) { + +- info->so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE | ++ info->so_timestamping = SOF_TIMESTAMPING_TX_SOFTWARE | ++ SOF_TIMESTAMPING_TX_HARDWARE | ++ SOF_TIMESTAMPING_RX_SOFTWARE | + SOF_TIMESTAMPING_RX_HARDWARE | ++ SOF_TIMESTAMPING_SOFTWARE | + SOF_TIMESTAMPING_RAW_HARDWARE; + + if (priv->ptp_clock) +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index 248478c6f6e4..197c93937c2d 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -137,7 +137,7 @@ static const struct proto_ops macvtap_socket_ops; + #define TUN_OFFLOADS (NETIF_F_HW_CSUM | NETIF_F_TSO_ECN | NETIF_F_TSO | \ + NETIF_F_TSO6 | NETIF_F_UFO) + #define RX_OFFLOADS (NETIF_F_GRO | NETIF_F_LRO) +-#define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG) ++#define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG | NETIF_F_FRAGLIST) + + static struct macvlan_dev *macvtap_get_vlan_rcu(const struct net_device *dev) + { +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index 2ed75060da50..5e0b43283bce 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -589,7 +589,7 @@ static int pppoe_release(struct socket *sock) + + po = pppox_sk(sk); + +- if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) { ++ if (po->pppoe_dev) { + dev_put(po->pppoe_dev); + po->pppoe_dev = NULL; + } +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 64a60afbe50c..8f1738c3b3c5 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -765,6 +765,10 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x1199, 0x9056, 8)}, /* Sierra Wireless Modem */ + {QMI_FIXED_INTF(0x1199, 0x9057, 8)}, + {QMI_FIXED_INTF(0x1199, 0x9061, 8)}, /* Sierra Wireless Modem */ ++ {QMI_FIXED_INTF(0x1199, 0x9070, 8)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9070, 10)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx/EM74xx */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 0d3c474ff76d..a5ea8a984c53 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -2070,7 +2070,8 @@ static void ath10k_peer_assoc_h_ht(struct ath10k *ar, + enum ieee80211_band band; + const u8 *ht_mcs_mask; + const u16 *vht_mcs_mask; +- int i, n, max_nss; ++ int i, n; ++ u8 max_nss; + u32 stbc; + + lockdep_assert_held(&ar->conf_mutex); +@@ -2155,7 +2156,7 @@ static void ath10k_peer_assoc_h_ht(struct ath10k *ar, + arg->peer_ht_rates.rates[i] = i; + } else { + arg->peer_ht_rates.num_rates = n; +- arg->peer_num_spatial_streams = max_nss; ++ arg->peer_num_spatial_streams = min(sta->rx_nss, max_nss); + } + + ath10k_dbg(ar, ATH10K_DBG_MAC, "mac ht peer %pM mcs cnt %d nss %d\n", +@@ -4021,7 +4022,7 @@ static int ath10k_config(struct ieee80211_hw *hw, u32 changed) + + static u32 get_nss_from_chainmask(u16 chain_mask) + { +- if ((chain_mask & 0x15) == 0x15) ++ if ((chain_mask & 0xf) == 0xf) + return 4; + else if ((chain_mask & 0x7) == 0x7) + return 3; +diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c b/drivers/net/wireless/iwlwifi/pcie/drv.c +index 865d578dee82..fd6aef7d4496 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c +@@ -423,14 +423,21 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + /* 8000 Series */ + {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0132, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1132, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0110, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x01F0, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0012, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1012, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0250, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0150, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x0030, iwl8260_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x24F4, 0x1130, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x1030, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xC010, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xC110, iwl8260_2ac_cfg)}, +@@ -438,18 +445,28 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x24F3, 0xC050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xD050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x8010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x9010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x8030, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x9030, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8132, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9132, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x8050, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x9050, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0004, iwl8260_2n_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0044, iwl8260_2n_cfg)}, + {IWL_PCI_DEVICE(0x24F5, 0x0010, iwl4165_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F6, 0x0030, iwl4165_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0810, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0910, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0850, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0950, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0930, iwl8260_2ac_cfg)}, + #endif /* CONFIG_IWLMVM */ + + {0} +diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c +index 9e144e71da0b..dab9b91b3f3d 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c +@@ -592,10 +592,8 @@ static int iwl_pcie_prepare_card_hw(struct iwl_trans *trans) + + do { + ret = iwl_pcie_set_hw_ready(trans); +- if (ret >= 0) { +- ret = 0; +- goto out; +- } ++ if (ret >= 0) ++ return 0; + + usleep_range(200, 1000); + t += 200; +@@ -605,10 +603,6 @@ static int iwl_pcie_prepare_card_hw(struct iwl_trans *trans) + + IWL_ERR(trans, "Couldn't prepare the card\n"); + +-out: +- iwl_clear_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG, +- CSR_RESET_LINK_PWR_MGMT_DISABLED); +- + return ret; + } + +diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c +index 5a0636d43a1b..5583856fc5c4 100644 +--- a/drivers/net/wireless/mwifiex/debugfs.c ++++ b/drivers/net/wireless/mwifiex/debugfs.c +@@ -731,7 +731,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf, + (struct mwifiex_private *) file->private_data; + unsigned long addr = get_zeroed_page(GFP_KERNEL); + char *buf = (char *) addr; +- int pos = 0, ret = 0, i; ++ int pos, ret, i; + u8 value[MAX_EEPROM_DATA]; + + if (!buf) +@@ -739,7 +739,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf, + + if (saved_offset == -1) { + /* No command has been given */ +- pos += snprintf(buf, PAGE_SIZE, "0"); ++ pos = snprintf(buf, PAGE_SIZE, "0"); + goto done; + } + +@@ -748,17 +748,17 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf, + (u16) saved_bytes, value); + if (ret) { + ret = -EINVAL; +- goto done; ++ goto out_free; + } + +- pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes); ++ pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes); + + for (i = 0; i < saved_bytes; i++) +- pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]); +- +- ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos); ++ pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]); + + done: ++ ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos); ++out_free: + free_page(addr); + return ret; + } +diff --git a/drivers/staging/lustre/include/linux/lnet/lib-lnet.h b/drivers/staging/lustre/include/linux/lnet/lib-lnet.h +index a9c9a077c77d..bc3d907fd20f 100644 +--- a/drivers/staging/lustre/include/linux/lnet/lib-lnet.h ++++ b/drivers/staging/lustre/include/linux/lnet/lib-lnet.h +@@ -680,7 +680,7 @@ void lnet_debug_peer(lnet_nid_t nid); + static inline void + lnet_peer_set_alive(lnet_peer_t *lp) + { +- lp->lp_last_alive = lp->lp_last_query = get_seconds(); ++ lp->lp_last_alive = lp->lp_last_query = jiffies; + if (!lp->lp_alive) + lnet_notify_locked(lp, 0, 1, lp->lp_last_alive); + } +diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c +index f8b5b332e7c3..943a0e204532 100644 +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -144,6 +144,7 @@ static struct usb_device_id rtl871x_usb_id_tbl[] = { + {USB_DEVICE(0x0DF6, 0x0058)}, + {USB_DEVICE(0x0DF6, 0x0049)}, + {USB_DEVICE(0x0DF6, 0x004C)}, ++ {USB_DEVICE(0x0DF6, 0x006C)}, + {USB_DEVICE(0x0DF6, 0x0064)}, + /* Skyworth */ + {USB_DEVICE(0x14b2, 0x3300)}, +diff --git a/drivers/tty/mips_ejtag_fdc.c b/drivers/tty/mips_ejtag_fdc.c +index 358323c83b4f..43a2ba0c0fe9 100644 +--- a/drivers/tty/mips_ejtag_fdc.c ++++ b/drivers/tty/mips_ejtag_fdc.c +@@ -1045,38 +1045,6 @@ err_destroy_ports: + return ret; + } + +-static int mips_ejtag_fdc_tty_remove(struct mips_cdmm_device *dev) +-{ +- struct mips_ejtag_fdc_tty *priv = mips_cdmm_get_drvdata(dev); +- struct mips_ejtag_fdc_tty_port *dport; +- int nport; +- unsigned int cfg; +- +- if (priv->irq >= 0) { +- raw_spin_lock_irq(&priv->lock); +- cfg = mips_ejtag_fdc_read(priv, REG_FDCFG); +- /* Disable interrupts */ +- cfg &= ~(REG_FDCFG_TXINTTHRES | REG_FDCFG_RXINTTHRES); +- cfg |= REG_FDCFG_TXINTTHRES_DISABLED; +- cfg |= REG_FDCFG_RXINTTHRES_DISABLED; +- mips_ejtag_fdc_write(priv, REG_FDCFG, cfg); +- raw_spin_unlock_irq(&priv->lock); +- } else { +- priv->removing = true; +- del_timer_sync(&priv->poll_timer); +- } +- kthread_stop(priv->thread); +- if (dev->cpu == 0) +- mips_ejtag_fdc_con.tty_drv = NULL; +- tty_unregister_driver(priv->driver); +- for (nport = 0; nport < NUM_TTY_CHANNELS; nport++) { +- dport = &priv->ports[nport]; +- tty_port_destroy(&dport->port); +- } +- put_tty_driver(priv->driver); +- return 0; +-} +- + static int mips_ejtag_fdc_tty_cpu_down(struct mips_cdmm_device *dev) + { + struct mips_ejtag_fdc_tty *priv = mips_cdmm_get_drvdata(dev); +@@ -1149,12 +1117,11 @@ static struct mips_cdmm_driver mips_ejtag_fdc_tty_driver = { + .name = "mips_ejtag_fdc", + }, + .probe = mips_ejtag_fdc_tty_probe, +- .remove = mips_ejtag_fdc_tty_remove, + .cpu_down = mips_ejtag_fdc_tty_cpu_down, + .cpu_up = mips_ejtag_fdc_tty_cpu_up, + .id_table = mips_ejtag_fdc_tty_ids, + }; +-module_mips_cdmm_driver(mips_ejtag_fdc_tty_driver); ++builtin_mips_cdmm_driver(mips_ejtag_fdc_tty_driver); + + static int __init mips_ejtag_fdc_init_console(void) + { +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index afc1879f66e0..dedac8ab85bf 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -169,7 +169,7 @@ static inline int tty_copy_to_user(struct tty_struct *tty, + { + struct n_tty_data *ldata = tty->disc_data; + +- tty_audit_add_data(tty, to, n, ldata->icanon); ++ tty_audit_add_data(tty, from, n, ldata->icanon); + return copy_to_user(to, from, n); + } + +diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c +index 90ca082935f6..3d245cd3d8e6 100644 +--- a/drivers/tty/tty_audit.c ++++ b/drivers/tty/tty_audit.c +@@ -265,7 +265,7 @@ static struct tty_audit_buf *tty_audit_buf_get(struct tty_struct *tty, + * + * Audit @data of @size from @tty, if necessary. + */ +-void tty_audit_add_data(struct tty_struct *tty, unsigned char *data, ++void tty_audit_add_data(struct tty_struct *tty, const void *data, + size_t size, unsigned icanon) + { + struct tty_audit_buf *buf; +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 774df354af55..1aa028638120 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1279,18 +1279,22 @@ int tty_send_xchar(struct tty_struct *tty, char ch) + int was_stopped = tty->stopped; + + if (tty->ops->send_xchar) { ++ down_read(&tty->termios_rwsem); + tty->ops->send_xchar(tty, ch); ++ up_read(&tty->termios_rwsem); + return 0; + } + + if (tty_write_lock(tty, 0) < 0) + return -ERESTARTSYS; + ++ down_read(&tty->termios_rwsem); + if (was_stopped) + start_tty(tty); + tty->ops->write(tty, &ch, 1); + if (was_stopped) + stop_tty(tty); ++ up_read(&tty->termios_rwsem); + tty_write_unlock(tty); + return 0; + } +diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c +index 5232fb60b0b1..043e332e7423 100644 +--- a/drivers/tty/tty_ioctl.c ++++ b/drivers/tty/tty_ioctl.c +@@ -1142,16 +1142,12 @@ int n_tty_ioctl_helper(struct tty_struct *tty, struct file *file, + spin_unlock_irq(&tty->flow_lock); + break; + case TCIOFF: +- down_read(&tty->termios_rwsem); + if (STOP_CHAR(tty) != __DISABLED_CHAR) + retval = tty_send_xchar(tty, STOP_CHAR(tty)); +- up_read(&tty->termios_rwsem); + break; + case TCION: +- down_read(&tty->termios_rwsem); + if (START_CHAR(tty) != __DISABLED_CHAR) + retval = tty_send_xchar(tty, START_CHAR(tty)); +- up_read(&tty->termios_rwsem); + break; + default: + return -EINVAL; +diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c +index fa774323ebda..846ceb91ec14 100644 +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -68,6 +68,12 @@ struct ci_hdrc_imx_data { + struct imx_usbmisc_data *usbmisc_data; + bool supports_runtime_pm; + bool in_lpm; ++ /* SoC before i.mx6 (except imx23/imx28) needs three clks */ ++ bool need_three_clks; ++ struct clk *clk_ipg; ++ struct clk *clk_ahb; ++ struct clk *clk_per; ++ /* --------------------------------- */ + }; + + /* Common functions shared by usbmisc drivers */ +@@ -119,6 +125,102 @@ static struct imx_usbmisc_data *usbmisc_get_init_data(struct device *dev) + } + + /* End of common functions shared by usbmisc drivers*/ ++static int imx_get_clks(struct device *dev) ++{ ++ struct ci_hdrc_imx_data *data = dev_get_drvdata(dev); ++ int ret = 0; ++ ++ data->clk_ipg = devm_clk_get(dev, "ipg"); ++ if (IS_ERR(data->clk_ipg)) { ++ /* If the platform only needs one clocks */ ++ data->clk = devm_clk_get(dev, NULL); ++ if (IS_ERR(data->clk)) { ++ ret = PTR_ERR(data->clk); ++ dev_err(dev, ++ "Failed to get clks, err=%ld,%ld\n", ++ PTR_ERR(data->clk), PTR_ERR(data->clk_ipg)); ++ return ret; ++ } ++ return ret; ++ } ++ ++ data->clk_ahb = devm_clk_get(dev, "ahb"); ++ if (IS_ERR(data->clk_ahb)) { ++ ret = PTR_ERR(data->clk_ahb); ++ dev_err(dev, ++ "Failed to get ahb clock, err=%d\n", ret); ++ return ret; ++ } ++ ++ data->clk_per = devm_clk_get(dev, "per"); ++ if (IS_ERR(data->clk_per)) { ++ ret = PTR_ERR(data->clk_per); ++ dev_err(dev, ++ "Failed to get per clock, err=%d\n", ret); ++ return ret; ++ } ++ ++ data->need_three_clks = true; ++ return ret; ++} ++ ++static int imx_prepare_enable_clks(struct device *dev) ++{ ++ struct ci_hdrc_imx_data *data = dev_get_drvdata(dev); ++ int ret = 0; ++ ++ if (data->need_three_clks) { ++ ret = clk_prepare_enable(data->clk_ipg); ++ if (ret) { ++ dev_err(dev, ++ "Failed to prepare/enable ipg clk, err=%d\n", ++ ret); ++ return ret; ++ } ++ ++ ret = clk_prepare_enable(data->clk_ahb); ++ if (ret) { ++ dev_err(dev, ++ "Failed to prepare/enable ahb clk, err=%d\n", ++ ret); ++ clk_disable_unprepare(data->clk_ipg); ++ return ret; ++ } ++ ++ ret = clk_prepare_enable(data->clk_per); ++ if (ret) { ++ dev_err(dev, ++ "Failed to prepare/enable per clk, err=%d\n", ++ ret); ++ clk_disable_unprepare(data->clk_ahb); ++ clk_disable_unprepare(data->clk_ipg); ++ return ret; ++ } ++ } else { ++ ret = clk_prepare_enable(data->clk); ++ if (ret) { ++ dev_err(dev, ++ "Failed to prepare/enable clk, err=%d\n", ++ ret); ++ return ret; ++ } ++ } ++ ++ return ret; ++} ++ ++static void imx_disable_unprepare_clks(struct device *dev) ++{ ++ struct ci_hdrc_imx_data *data = dev_get_drvdata(dev); ++ ++ if (data->need_three_clks) { ++ clk_disable_unprepare(data->clk_per); ++ clk_disable_unprepare(data->clk_ahb); ++ clk_disable_unprepare(data->clk_ipg); ++ } else { ++ clk_disable_unprepare(data->clk); ++ } ++} + + static int ci_hdrc_imx_probe(struct platform_device *pdev) + { +@@ -137,23 +239,18 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + if (!data) + return -ENOMEM; + ++ platform_set_drvdata(pdev, data); + data->usbmisc_data = usbmisc_get_init_data(&pdev->dev); + if (IS_ERR(data->usbmisc_data)) + return PTR_ERR(data->usbmisc_data); + +- data->clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(data->clk)) { +- dev_err(&pdev->dev, +- "Failed to get clock, err=%ld\n", PTR_ERR(data->clk)); +- return PTR_ERR(data->clk); +- } ++ ret = imx_get_clks(&pdev->dev); ++ if (ret) ++ return ret; + +- ret = clk_prepare_enable(data->clk); +- if (ret) { +- dev_err(&pdev->dev, +- "Failed to prepare or enable clock, err=%d\n", ret); ++ ret = imx_prepare_enable_clks(&pdev->dev); ++ if (ret) + return ret; +- } + + data->phy = devm_usb_get_phy_by_phandle(&pdev->dev, "fsl,usbphy", 0); + if (IS_ERR(data->phy)) { +@@ -196,8 +293,6 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + goto disable_device; + } + +- platform_set_drvdata(pdev, data); +- + if (data->supports_runtime_pm) { + pm_runtime_set_active(&pdev->dev); + pm_runtime_enable(&pdev->dev); +@@ -210,7 +305,7 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + disable_device: + ci_hdrc_remove_device(data->ci_pdev); + err_clk: +- clk_disable_unprepare(data->clk); ++ imx_disable_unprepare_clks(&pdev->dev); + return ret; + } + +@@ -224,7 +319,7 @@ static int ci_hdrc_imx_remove(struct platform_device *pdev) + pm_runtime_put_noidle(&pdev->dev); + } + ci_hdrc_remove_device(data->ci_pdev); +- clk_disable_unprepare(data->clk); ++ imx_disable_unprepare_clks(&pdev->dev); + + return 0; + } +@@ -236,7 +331,7 @@ static int imx_controller_suspend(struct device *dev) + + dev_dbg(dev, "at %s\n", __func__); + +- clk_disable_unprepare(data->clk); ++ imx_disable_unprepare_clks(dev); + data->in_lpm = true; + + return 0; +@@ -254,7 +349,7 @@ static int imx_controller_resume(struct device *dev) + return 0; + } + +- ret = clk_prepare_enable(data->clk); ++ ret = imx_prepare_enable_clks(dev); + if (ret) + return ret; + +@@ -269,7 +364,7 @@ static int imx_controller_resume(struct device *dev) + return 0; + + clk_disable: +- clk_disable_unprepare(data->clk); ++ imx_disable_unprepare_clks(dev); + return ret; + } + +diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c +index 6e53c24fa1cb..92937c14f818 100644 +--- a/drivers/usb/chipidea/udc.c ++++ b/drivers/usb/chipidea/udc.c +@@ -1730,6 +1730,22 @@ static int ci_udc_start(struct usb_gadget *gadget, + return retval; + } + ++static void ci_udc_stop_for_otg_fsm(struct ci_hdrc *ci) ++{ ++ if (!ci_otg_is_fsm_mode(ci)) ++ return; ++ ++ mutex_lock(&ci->fsm.lock); ++ if (ci->fsm.otg->state == OTG_STATE_A_PERIPHERAL) { ++ ci->fsm.a_bidl_adis_tmout = 1; ++ ci_hdrc_otg_fsm_start(ci); ++ } else if (ci->fsm.otg->state == OTG_STATE_B_PERIPHERAL) { ++ ci->fsm.protocol = PROTO_UNDEF; ++ ci->fsm.otg->state = OTG_STATE_UNDEFINED; ++ } ++ mutex_unlock(&ci->fsm.lock); ++} ++ + /** + * ci_udc_stop: unregister a gadget driver + */ +@@ -1754,6 +1770,7 @@ static int ci_udc_stop(struct usb_gadget *gadget) + ci->driver = NULL; + spin_unlock_irqrestore(&ci->lock, flags); + ++ ci_udc_stop_for_otg_fsm(ci); + return 0; + } + +diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c +index f38e875a3fb1..8218ba7eb263 100644 +--- a/drivers/usb/class/usblp.c ++++ b/drivers/usb/class/usblp.c +@@ -873,11 +873,11 @@ static int usblp_wwait(struct usblp *usblp, int nonblock) + + add_wait_queue(&usblp->wwait, &waita); + for (;;) { +- set_current_state(TASK_INTERRUPTIBLE); + if (mutex_lock_interruptible(&usblp->mut)) { + rc = -EINTR; + break; + } ++ set_current_state(TASK_INTERRUPTIBLE); + rc = usblp_wtest(usblp, nonblock); + mutex_unlock(&usblp->mut); + if (rc <= 0) +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index ff5773c66b84..c0566ecd9977 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -490,6 +490,9 @@ static int dwc3_phy_setup(struct dwc3 *dwc) + if (dwc->dis_u2_susphy_quirk) + reg &= ~DWC3_GUSB2PHYCFG_SUSPHY; + ++ if (dwc->dis_enblslpm_quirk) ++ reg &= ~DWC3_GUSB2PHYCFG_ENBLSLPM; ++ + dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); + + return 0; +@@ -509,12 +512,18 @@ static int dwc3_core_init(struct dwc3 *dwc) + + reg = dwc3_readl(dwc->regs, DWC3_GSNPSID); + /* This should read as U3 followed by revision number */ +- if ((reg & DWC3_GSNPSID_MASK) != 0x55330000) { ++ if ((reg & DWC3_GSNPSID_MASK) == 0x55330000) { ++ /* Detected DWC_usb3 IP */ ++ dwc->revision = reg; ++ } else if ((reg & DWC3_GSNPSID_MASK) == 0x33310000) { ++ /* Detected DWC_usb31 IP */ ++ dwc->revision = dwc3_readl(dwc->regs, DWC3_VER_NUMBER); ++ dwc->revision |= DWC3_REVISION_IS_DWC31; ++ } else { + dev_err(dwc->dev, "this is not a DesignWare USB3 DRD Core\n"); + ret = -ENODEV; + goto err0; + } +- dwc->revision = reg; + + /* + * Write Linux Version Code to our GUID register so it's easy to figure +@@ -881,6 +890,8 @@ static int dwc3_probe(struct platform_device *pdev) + "snps,dis_u3_susphy_quirk"); + dwc->dis_u2_susphy_quirk = of_property_read_bool(node, + "snps,dis_u2_susphy_quirk"); ++ dwc->dis_enblslpm_quirk = device_property_read_bool(dev, ++ "snps,dis_enblslpm_quirk"); + + dwc->tx_de_emphasis_quirk = of_property_read_bool(node, + "snps,tx_de_emphasis_quirk"); +@@ -911,6 +922,7 @@ static int dwc3_probe(struct platform_device *pdev) + dwc->rx_detect_poll_quirk = pdata->rx_detect_poll_quirk; + dwc->dis_u3_susphy_quirk = pdata->dis_u3_susphy_quirk; + dwc->dis_u2_susphy_quirk = pdata->dis_u2_susphy_quirk; ++ dwc->dis_enblslpm_quirk = pdata->dis_enblslpm_quirk; + + dwc->tx_de_emphasis_quirk = pdata->tx_de_emphasis_quirk; + if (pdata->tx_de_emphasis) +diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h +index 044778884585..6e53ce9ce320 100644 +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -108,6 +108,9 @@ + #define DWC3_GPRTBIMAP_FS0 0xc188 + #define DWC3_GPRTBIMAP_FS1 0xc18c + ++#define DWC3_VER_NUMBER 0xc1a0 ++#define DWC3_VER_TYPE 0xc1a4 ++ + #define DWC3_GUSB2PHYCFG(n) (0xc200 + (n * 0x04)) + #define DWC3_GUSB2I2CCTL(n) (0xc240 + (n * 0x04)) + +@@ -175,6 +178,7 @@ + #define DWC3_GUSB2PHYCFG_PHYSOFTRST (1 << 31) + #define DWC3_GUSB2PHYCFG_SUSPHY (1 << 6) + #define DWC3_GUSB2PHYCFG_ULPI_UTMI (1 << 4) ++#define DWC3_GUSB2PHYCFG_ENBLSLPM (1 << 8) + + /* Global USB2 PHY Vendor Control Register */ + #define DWC3_GUSB2PHYACC_NEWREGREQ (1 << 25) +@@ -712,6 +716,8 @@ struct dwc3_scratchpad_array { + * @rx_detect_poll_quirk: set if we enable rx_detect to polling lfps quirk + * @dis_u3_susphy_quirk: set if we disable usb3 suspend phy + * @dis_u2_susphy_quirk: set if we disable usb2 suspend phy ++ * @dis_enblslpm_quirk: set if we clear enblslpm in GUSB2PHYCFG, ++ * disabling the suspend signal to the PHY. + * @tx_de_emphasis_quirk: set if we enable Tx de-emphasis quirk + * @tx_de_emphasis: Tx de-emphasis value + * 0 - -6dB de-emphasis +@@ -766,6 +772,14 @@ struct dwc3 { + u32 num_event_buffers; + u32 u1u2; + u32 maximum_speed; ++ ++ /* ++ * All 3.1 IP version constants are greater than the 3.0 IP ++ * version constants. This works for most version checks in ++ * dwc3. However, in the future, this may not apply as ++ * features may be developed on newer versions of the 3.0 IP ++ * that are not in the 3.1 IP. ++ */ + u32 revision; + + #define DWC3_REVISION_173A 0x5533173a +@@ -788,6 +802,13 @@ struct dwc3 { + #define DWC3_REVISION_270A 0x5533270a + #define DWC3_REVISION_280A 0x5533280a + ++/* ++ * NOTICE: we're using bit 31 as a "is usb 3.1" flag. This is really ++ * just so dwc31 revisions are always larger than dwc3. ++ */ ++#define DWC3_REVISION_IS_DWC31 0x80000000 ++#define DWC3_USB31_REVISION_110A (0x3131302a | DWC3_REVISION_IS_USB31) ++ + enum dwc3_ep0_next ep0_next_event; + enum dwc3_ep0_state ep0state; + enum dwc3_link_state link_state; +@@ -841,6 +862,7 @@ struct dwc3 { + unsigned rx_detect_poll_quirk:1; + unsigned dis_u3_susphy_quirk:1; + unsigned dis_u2_susphy_quirk:1; ++ unsigned dis_enblslpm_quirk:1; + + unsigned tx_de_emphasis_quirk:1; + unsigned tx_de_emphasis:2; +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c +index 27e4fc896e9d..04b87ebe6f94 100644 +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -27,6 +27,8 @@ + #include "platform_data.h" + + #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 0xabcd ++#define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI 0xabce ++#define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31 0xabcf + #define PCI_DEVICE_ID_INTEL_BYT 0x0f37 + #define PCI_DEVICE_ID_INTEL_MRFLD 0x119e + #define PCI_DEVICE_ID_INTEL_BSW 0x22B7 +@@ -100,6 +102,22 @@ static int dwc3_pci_quirks(struct pci_dev *pdev) + } + } + ++ if (pdev->vendor == PCI_VENDOR_ID_SYNOPSYS && ++ (pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 || ++ pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI || ++ pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31)) { ++ ++ struct dwc3_platform_data pdata; ++ ++ memset(&pdata, 0, sizeof(pdata)); ++ pdata.usb3_lpm_capable = true; ++ pdata.has_lpm_erratum = true; ++ pdata.dis_enblslpm_quirk = true; ++ ++ return platform_device_add_data(pci_get_drvdata(pdev), &pdata, ++ sizeof(pdata)); ++ } ++ + return 0; + } + +@@ -172,6 +190,14 @@ static const struct pci_device_id dwc3_pci_id_table[] = { + PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, + PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3), + }, ++ { ++ PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, ++ PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI), ++ }, ++ { ++ PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, ++ PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31), ++ }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), }, +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 333a7c0078fc..6fbf461d523c 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1859,27 +1859,32 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep, + unsigned int i; + int ret; + +- req = next_request(&dep->req_queued); +- if (!req) { +- WARN_ON_ONCE(1); +- return 1; +- } +- i = 0; + do { +- slot = req->start_slot + i; +- if ((slot == DWC3_TRB_NUM - 1) && ++ req = next_request(&dep->req_queued); ++ if (!req) { ++ WARN_ON_ONCE(1); ++ return 1; ++ } ++ i = 0; ++ do { ++ slot = req->start_slot + i; ++ if ((slot == DWC3_TRB_NUM - 1) && + usb_endpoint_xfer_isoc(dep->endpoint.desc)) +- slot++; +- slot %= DWC3_TRB_NUM; +- trb = &dep->trb_pool[slot]; ++ slot++; ++ slot %= DWC3_TRB_NUM; ++ trb = &dep->trb_pool[slot]; ++ ++ ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb, ++ event, status); ++ if (ret) ++ break; ++ } while (++i < req->request.num_mapped_sgs); ++ ++ dwc3_gadget_giveback(dep, req, status); + +- ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb, +- event, status); + if (ret) + break; +- } while (++i < req->request.num_mapped_sgs); +- +- dwc3_gadget_giveback(dep, req, status); ++ } while (1); + + if (usb_endpoint_xfer_isoc(dep->endpoint.desc) && + list_empty(&dep->req_queued)) { +@@ -2709,12 +2714,34 @@ int dwc3_gadget_init(struct dwc3 *dwc) + } + + dwc->gadget.ops = &dwc3_gadget_ops; +- dwc->gadget.max_speed = USB_SPEED_SUPER; + dwc->gadget.speed = USB_SPEED_UNKNOWN; + dwc->gadget.sg_supported = true; + dwc->gadget.name = "dwc3-gadget"; + + /* ++ * FIXME We might be setting max_speed to revision < DWC3_REVISION_220A) ++ dwc3_trace(trace_dwc3_gadget, ++ "Changing max_speed on rev %08x\n", ++ dwc->revision); ++ ++ dwc->gadget.max_speed = dwc->maximum_speed; ++ ++ /* + * Per databook, DWC3 needs buffer size to be aligned to MaxPacketSize + * on ep out. + */ +diff --git a/drivers/usb/dwc3/platform_data.h b/drivers/usb/dwc3/platform_data.h +index d3614ecbb9ca..db2938002260 100644 +--- a/drivers/usb/dwc3/platform_data.h ++++ b/drivers/usb/dwc3/platform_data.h +@@ -42,6 +42,7 @@ struct dwc3_platform_data { + unsigned rx_detect_poll_quirk:1; + unsigned dis_u3_susphy_quirk:1; + unsigned dis_u2_susphy_quirk:1; ++ unsigned dis_enblslpm_quirk:1; + + unsigned tx_de_emphasis_quirk:1; + unsigned tx_de_emphasis:2; +diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c +index 4095cce05e6a..35fff450bdc8 100644 +--- a/drivers/usb/gadget/udc/atmel_usba_udc.c ++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c +@@ -1634,7 +1634,7 @@ static irqreturn_t usba_udc_irq(int irq, void *devid) + spin_lock(&udc->lock); + + int_enb = usba_int_enb_get(udc); +- status = usba_readl(udc, INT_STA) & int_enb; ++ status = usba_readl(udc, INT_STA) & (int_enb | USBA_HIGH_SPEED); + DBG(DBG_INT, "irq, status=%#08x\n", status); + + if (status & USBA_DET_SUSPEND) { +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index 2bee912ca65b..baa0191666aa 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -1846,7 +1846,7 @@ static void defect7374_disable_data_eps(struct net2280 *dev) + + for (i = 1; i < 5; i++) { + ep = &dev->ep[i]; +- writel(0, &ep->cfg->ep_cfg); ++ writel(i, &ep->cfg->ep_cfg); + } + + /* CSROUT, CSRIN, PCIOUT, PCIIN, STATIN, RCIN */ +diff --git a/drivers/usb/host/ehci-orion.c b/drivers/usb/host/ehci-orion.c +index bfcbb9aa8816..ee8d5faa0194 100644 +--- a/drivers/usb/host/ehci-orion.c ++++ b/drivers/usb/host/ehci-orion.c +@@ -224,7 +224,8 @@ static int ehci_orion_drv_probe(struct platform_device *pdev) + priv->phy = devm_phy_optional_get(&pdev->dev, "usb"); + if (IS_ERR(priv->phy)) { + err = PTR_ERR(priv->phy); +- goto err_phy_get; ++ if (err != -ENOSYS) ++ goto err_phy_get; + } else { + err = phy_init(priv->phy); + if (err) +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index d7b9f484d4e9..6062996d35a6 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -175,6 +175,16 @@ int xhci_reset(struct xhci_hcd *xhci) + command |= CMD_RESET; + writel(command, &xhci->op_regs->command); + ++ /* Existing Intel xHCI controllers require a delay of 1 mS, ++ * after setting the CMD_RESET bit, and before accessing any ++ * HC registers. This allows the HC to complete the ++ * reset operation and be ready for HC register access. ++ * Without this delay, the subsequent HC register access, ++ * may result in a system hang very rarely. ++ */ ++ if (xhci->quirks & XHCI_INTEL_HOST) ++ udelay(1000); ++ + ret = xhci_handshake(&xhci->op_regs->command, + CMD_RESET, 0, 10 * 1000 * 1000); + if (ret) +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c +index 514a6cdaeff6..2fe6d263eb6b 100644 +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -132,7 +132,7 @@ static inline struct musb *dev_to_musb(struct device *dev) + /*-------------------------------------------------------------------------*/ + + #ifndef CONFIG_BLACKFIN +-static int musb_ulpi_read(struct usb_phy *phy, u32 offset) ++static int musb_ulpi_read(struct usb_phy *phy, u32 reg) + { + void __iomem *addr = phy->io_priv; + int i = 0; +@@ -151,7 +151,7 @@ static int musb_ulpi_read(struct usb_phy *phy, u32 offset) + * ULPICarKitControlDisableUTMI after clearing POWER_SUSPENDM. + */ + +- musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset); ++ musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg); + musb_writeb(addr, MUSB_ULPI_REG_CONTROL, + MUSB_ULPI_REG_REQ | MUSB_ULPI_RDN_WR); + +@@ -176,7 +176,7 @@ out: + return ret; + } + +-static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data) ++static int musb_ulpi_write(struct usb_phy *phy, u32 val, u32 reg) + { + void __iomem *addr = phy->io_priv; + int i = 0; +@@ -191,8 +191,8 @@ static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data) + power &= ~MUSB_POWER_SUSPENDM; + musb_writeb(addr, MUSB_POWER, power); + +- musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset); +- musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)data); ++ musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg); ++ musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)val); + musb_writeb(addr, MUSB_ULPI_REG_CONTROL, MUSB_ULPI_REG_REQ); + + while (!(musb_readb(addr, MUSB_ULPI_REG_CONTROL) +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 7c8eb4c4c175..4021846139c9 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -162,6 +162,7 @@ static void option_instat_callback(struct urb *urb); + #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_HIGHSPEED 0x9001 + #define NOVATELWIRELESS_PRODUCT_E362 0x9010 + #define NOVATELWIRELESS_PRODUCT_E371 0x9011 ++#define NOVATELWIRELESS_PRODUCT_U620L 0x9022 + #define NOVATELWIRELESS_PRODUCT_G2 0xA010 + #define NOVATELWIRELESS_PRODUCT_MC551 0xB001 + +@@ -357,6 +358,7 @@ static void option_instat_callback(struct urb *urb); + /* This is the 4G XS Stick W14 a.k.a. Mobilcom Debitel Surf-Stick * + * It seems to contain a Qualcomm QSC6240/6290 chipset */ + #define FOUR_G_SYSTEMS_PRODUCT_W14 0x9603 ++#define FOUR_G_SYSTEMS_PRODUCT_W100 0x9b01 + + /* iBall 3.5G connect wireless modem */ + #define IBALL_3_5G_CONNECT 0x9605 +@@ -522,6 +524,11 @@ static const struct option_blacklist_info four_g_w14_blacklist = { + .sendsetup = BIT(0) | BIT(1), + }; + ++static const struct option_blacklist_info four_g_w100_blacklist = { ++ .sendsetup = BIT(1) | BIT(2), ++ .reserved = BIT(3), ++}; ++ + static const struct option_blacklist_info alcatel_x200_blacklist = { + .sendsetup = BIT(0) | BIT(1), + .reserved = BIT(4), +@@ -1060,6 +1067,7 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_MC551, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E362, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E371, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_U620L, 0xff, 0x00, 0x00) }, + + { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01) }, + { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01A) }, +@@ -1653,6 +1661,9 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14), + .driver_info = (kernel_ulong_t)&four_g_w14_blacklist + }, ++ { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100), ++ .driver_info = (kernel_ulong_t)&four_g_w100_blacklist ++ }, + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) }, +diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c +index f49d262e926b..514fa91cf74e 100644 +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -22,6 +22,8 @@ + #define DRIVER_AUTHOR "Qualcomm Inc" + #define DRIVER_DESC "Qualcomm USB Serial driver" + ++#define QUECTEL_EC20_PID 0x9215 ++ + /* standard device layouts supported by this driver */ + enum qcserial_layouts { + QCSERIAL_G2K = 0, /* Gobi 2000 */ +@@ -169,6 +171,38 @@ static const struct usb_device_id id_table[] = { + }; + MODULE_DEVICE_TABLE(usb, id_table); + ++static int handle_quectel_ec20(struct device *dev, int ifnum) ++{ ++ int altsetting = 0; ++ ++ /* ++ * Quectel EC20 Mini PCIe LTE module layout: ++ * 0: DM/DIAG (use libqcdm from ModemManager for communication) ++ * 1: NMEA ++ * 2: AT-capable modem port ++ * 3: Modem interface ++ * 4: NDIS ++ */ ++ switch (ifnum) { ++ case 0: ++ dev_dbg(dev, "Quectel EC20 DM/DIAG interface found\n"); ++ break; ++ case 1: ++ dev_dbg(dev, "Quectel EC20 NMEA GPS interface found\n"); ++ break; ++ case 2: ++ case 3: ++ dev_dbg(dev, "Quectel EC20 Modem port found\n"); ++ break; ++ case 4: ++ /* Don't claim the QMI/net interface */ ++ altsetting = -1; ++ break; ++ } ++ ++ return altsetting; ++} ++ + static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + { + struct usb_host_interface *intf = serial->interface->cur_altsetting; +@@ -178,6 +212,10 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + __u8 ifnum; + int altsetting = -1; + ++ /* we only support vendor specific functions */ ++ if (intf->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC) ++ goto done; ++ + nintf = serial->dev->actconfig->desc.bNumInterfaces; + dev_dbg(dev, "Num Interfaces = %d\n", nintf); + ifnum = intf->desc.bInterfaceNumber; +@@ -237,6 +275,12 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + altsetting = -1; + break; + case QCSERIAL_G2K: ++ /* handle non-standard layouts */ ++ if (nintf == 5 && id->idProduct == QUECTEL_EC20_PID) { ++ altsetting = handle_quectel_ec20(dev, ifnum); ++ goto done; ++ } ++ + /* + * Gobi 2K+ USB layout: + * 0: QMI/net +@@ -297,29 +341,39 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + break; + case QCSERIAL_HWI: + /* +- * Huawei layout: +- * 0: AT-capable modem port +- * 1: DM/DIAG +- * 2: AT-capable modem port +- * 3: CCID-compatible PCSC interface +- * 4: QMI/net +- * 5: NMEA ++ * Huawei devices map functions by subclass + protocol ++ * instead of interface numbers. The protocol identify ++ * a specific function, while the subclass indicate a ++ * specific firmware source ++ * ++ * This is a blacklist of functions known to be ++ * non-serial. The rest are assumed to be serial and ++ * will be handled by this driver + */ +- switch (ifnum) { +- case 0: +- case 2: +- dev_dbg(dev, "Modem port found\n"); +- break; +- case 1: +- dev_dbg(dev, "DM/DIAG interface found\n"); +- break; +- case 5: +- dev_dbg(dev, "NMEA GPS interface found\n"); +- break; +- default: +- /* don't claim any unsupported interface */ ++ switch (intf->desc.bInterfaceProtocol) { ++ /* QMI combined (qmi_wwan) */ ++ case 0x07: ++ case 0x37: ++ case 0x67: ++ /* QMI data (qmi_wwan) */ ++ case 0x08: ++ case 0x38: ++ case 0x68: ++ /* QMI control (qmi_wwan) */ ++ case 0x09: ++ case 0x39: ++ case 0x69: ++ /* NCM like (huawei_cdc_ncm) */ ++ case 0x16: ++ case 0x46: ++ case 0x76: + altsetting = -1; + break; ++ default: ++ dev_dbg(dev, "Huawei type serial port found (%02x/%02x/%02x)\n", ++ intf->desc.bInterfaceClass, ++ intf->desc.bInterfaceSubClass, ++ intf->desc.bInterfaceProtocol); + } + break; + default: +diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c +index e9da41d9fe7f..2694df2f4559 100644 +--- a/drivers/usb/serial/ti_usb_3410_5052.c ++++ b/drivers/usb/serial/ti_usb_3410_5052.c +@@ -159,6 +159,7 @@ static const struct usb_device_id ti_id_table_3410[] = { + { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STEREO_PLUG_ID) }, + { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) }, + { USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) }, ++ { USB_DEVICE(HONEYWELL_VENDOR_ID, HONEYWELL_HGI80_PRODUCT_ID) }, + { } /* terminator */ + }; + +@@ -191,6 +192,7 @@ static const struct usb_device_id ti_id_table_combined[] = { + { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_PRODUCT_ID) }, + { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) }, + { USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) }, ++ { USB_DEVICE(HONEYWELL_VENDOR_ID, HONEYWELL_HGI80_PRODUCT_ID) }, + { } /* terminator */ + }; + +diff --git a/drivers/usb/serial/ti_usb_3410_5052.h b/drivers/usb/serial/ti_usb_3410_5052.h +index 4a2423e84d55..98f35c656c02 100644 +--- a/drivers/usb/serial/ti_usb_3410_5052.h ++++ b/drivers/usb/serial/ti_usb_3410_5052.h +@@ -56,6 +56,10 @@ + #define ABBOTT_PRODUCT_ID ABBOTT_STEREO_PLUG_ID + #define ABBOTT_STRIP_PORT_ID 0x3420 + ++/* Honeywell vendor and product IDs */ ++#define HONEYWELL_VENDOR_ID 0x10ac ++#define HONEYWELL_HGI80_PRODUCT_ID 0x0102 /* Honeywell HGI80 */ ++ + /* Commands */ + #define TI_GET_VERSION 0x01 + #define TI_GET_PORT_STATUS 0x02 +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 96093ae369a5..cdc3d3360764 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + #include + #include + #endif +@@ -420,7 +421,7 @@ static int __must_check xen_allocate_irq_gsi(unsigned gsi) + return xen_allocate_irq_dynamic(); + + /* Legacy IRQ descriptors are already allocated by the arch. */ +- if (gsi < NR_IRQS_LEGACY) ++ if (gsi < nr_legacy_irqs()) + irq = gsi; + else + irq = irq_alloc_desc_at(gsi, -1); +@@ -446,7 +447,7 @@ static void xen_free_irq(unsigned irq) + kfree(info); + + /* Legacy IRQ descriptors are managed by the arch. */ +- if (irq < NR_IRQS_LEGACY) ++ if (irq < nr_legacy_irqs()) + return; + + irq_free_desc(irq); +diff --git a/fs/proc/array.c b/fs/proc/array.c +index ce065cf3104f..57fde2dfd4af 100644 +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -372,7 +372,7 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns, + static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, + struct pid *pid, struct task_struct *task, int whole) + { +- unsigned long vsize, eip, esp, wchan = ~0UL; ++ unsigned long vsize, eip, esp, wchan = 0; + int priority, nice; + int tty_pgrp = -1, tty_nr = 0; + sigset_t sigign, sigcatch; +@@ -504,7 +504,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, + seq_put_decimal_ull(m, ' ', task->blocked.sig[0] & 0x7fffffffUL); + seq_put_decimal_ull(m, ' ', sigign.sig[0] & 0x7fffffffUL); + seq_put_decimal_ull(m, ' ', sigcatch.sig[0] & 0x7fffffffUL); +- seq_put_decimal_ull(m, ' ', wchan); ++ ++ /* ++ * We used to output the absolute kernel address, but that's an ++ * information leak - so instead we show a 0/1 flag here, to signal ++ * to user-space whether there's a wchan field in /proc/PID/wchan. ++ * ++ * This works with older implementations of procps as well. ++ */ ++ if (wchan) ++ seq_puts(m, " 1"); ++ else ++ seq_puts(m, " 0"); ++ + seq_put_decimal_ull(m, ' ', 0); + seq_put_decimal_ull(m, ' ', 0); + seq_put_decimal_ll(m, ' ', task->exit_signal); +diff --git a/fs/proc/base.c b/fs/proc/base.c +index aa50d1ac28fc..83a43c131e9d 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -430,13 +430,10 @@ static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns, + + wchan = get_wchan(task); + +- if (lookup_symbol_name(wchan, symname) < 0) { +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) +- return 0; +- seq_printf(m, "%lu", wchan); +- } else { ++ if (wchan && ptrace_may_access(task, PTRACE_MODE_READ) && !lookup_symbol_name(wchan, symname)) + seq_printf(m, "%s", symname); +- } ++ else ++ seq_putc(m, '0'); + + return 0; + } +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index 05e99b8ef465..053f122b592d 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -436,6 +436,17 @@ static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) + (vcpup = kvm_get_vcpu(kvm, idx)) != NULL; \ + idx++) + ++static inline struct kvm_vcpu *kvm_get_vcpu_by_id(struct kvm *kvm, int id) ++{ ++ struct kvm_vcpu *vcpu; ++ int i; ++ ++ kvm_for_each_vcpu(i, vcpu, kvm) ++ if (vcpu->vcpu_id == id) ++ return vcpu; ++ return NULL; ++} ++ + #define kvm_for_each_memslot(memslot, slots) \ + for (memslot = &slots->memslots[0]; \ + memslot < slots->memslots + KVM_MEM_SLOTS_NUM && memslot->npages;\ +diff --git a/include/linux/tty.h b/include/linux/tty.h +index ad6c8913aa3e..342a760d5729 100644 +--- a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -605,7 +605,7 @@ extern void n_tty_inherit_ops(struct tty_ldisc_ops *ops); + + /* tty_audit.c */ + #ifdef CONFIG_AUDIT +-extern void tty_audit_add_data(struct tty_struct *tty, unsigned char *data, ++extern void tty_audit_add_data(struct tty_struct *tty, const void *data, + size_t size, unsigned icanon); + extern void tty_audit_exit(void); + extern void tty_audit_fork(struct signal_struct *sig); +@@ -613,8 +613,8 @@ extern void tty_audit_tiocsti(struct tty_struct *tty, char ch); + extern void tty_audit_push(struct tty_struct *tty); + extern int tty_audit_push_current(void); + #else +-static inline void tty_audit_add_data(struct tty_struct *tty, +- unsigned char *data, size_t size, unsigned icanon) ++static inline void tty_audit_add_data(struct tty_struct *tty, const void *data, ++ size_t size, unsigned icanon) + { + } + static inline void tty_audit_tiocsti(struct tty_struct *tty, char ch) +diff --git a/include/net/inet_common.h b/include/net/inet_common.h +index 279f83591971..109e3ee9108c 100644 +--- a/include/net/inet_common.h ++++ b/include/net/inet_common.h +@@ -41,7 +41,8 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, + + static inline void inet_ctl_sock_destroy(struct sock *sk) + { +- sock_release(sk->sk_socket); ++ if (sk) ++ sock_release(sk->sk_socket); + } + + #endif +diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h +index 5fa643b4e891..ff6d78ff68df 100644 +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -306,7 +306,7 @@ void fib_flush_external(struct net *net); + + /* Exported by fib_semantics.c */ + int ip_fib_check_default(__be32 gw, struct net_device *dev); +-int fib_sync_down_dev(struct net_device *dev, unsigned long event); ++int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force); + int fib_sync_down_addr(struct net *net, __be32 local); + int fib_sync_up(struct net_device *dev, unsigned int nh_flags); + void fib_select_multipath(struct fib_result *res); +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index f1a117f8cad2..0bec4588c3c8 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -401,6 +401,20 @@ static void hidp_idle_timeout(unsigned long arg) + { + struct hidp_session *session = (struct hidp_session *) arg; + ++ /* The HIDP user-space API only contains calls to add and remove ++ * devices. There is no way to forward events of any kind. Therefore, ++ * we have to forcefully disconnect a device on idle-timeouts. This is ++ * unfortunate and weird API design, but it is spec-compliant and ++ * required for backwards-compatibility. Hence, on idle-timeout, we ++ * signal driver-detach events, so poll() will be woken up with an ++ * error-condition on both sockets. ++ */ ++ ++ session->intr_sock->sk->sk_err = EUNATCH; ++ session->ctrl_sock->sk->sk_err = EUNATCH; ++ wake_up_interruptible(sk_sleep(session->intr_sock->sk)); ++ wake_up_interruptible(sk_sleep(session->ctrl_sock->sk)); ++ + hidp_session_terminate(session); + } + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 92720f3fe573..e32a9e4910da 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -3090,6 +3090,11 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, + } else { + u8 addr_type; + ++ if (cp->addr.type == BDADDR_LE_PUBLIC) ++ addr_type = ADDR_LE_DEV_PUBLIC; ++ else ++ addr_type = ADDR_LE_DEV_RANDOM; ++ + conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, + &cp->addr.bdaddr); + if (conn) { +@@ -3105,13 +3110,10 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, + */ + if (!cp->disconnect) + conn = NULL; ++ } else { ++ hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type); + } + +- if (cp->addr.type == BDADDR_LE_PUBLIC) +- addr_type = ADDR_LE_DEV_PUBLIC; +- else +- addr_type = ADDR_LE_DEV_RANDOM; +- + hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type); + + err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type); +diff --git a/net/core/dst.c b/net/core/dst.c +index 002144bea935..cc4a086ae09c 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -287,7 +287,7 @@ void dst_release(struct dst_entry *dst) + if (unlikely(newrefcnt < 0)) + net_warn_ratelimited("%s: dst:%p refcnt:%d\n", + __func__, dst, newrefcnt); +- if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) ++ if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE)) + call_rcu(&dst->rcu_head, dst_destroy_rcu); + } + } +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index 6bbc54940eb4..d7116cf4eba4 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -1063,9 +1063,10 @@ static void nl_fib_lookup_exit(struct net *net) + net->ipv4.fibnl = NULL; + } + +-static void fib_disable_ip(struct net_device *dev, unsigned long event) ++static void fib_disable_ip(struct net_device *dev, unsigned long event, ++ bool force) + { +- if (fib_sync_down_dev(dev, event)) ++ if (fib_sync_down_dev(dev, event, force)) + fib_flush(dev_net(dev)); + rt_cache_flush(dev_net(dev)); + arp_ifdown(dev); +@@ -1093,7 +1094,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event, + /* Last address was deleted from this interface. + * Disable IP. + */ +- fib_disable_ip(dev, event); ++ fib_disable_ip(dev, event, true); + } else { + rt_cache_flush(dev_net(dev)); + } +@@ -1110,7 +1111,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo + unsigned int flags; + + if (event == NETDEV_UNREGISTER) { +- fib_disable_ip(dev, event); ++ fib_disable_ip(dev, event, true); + rt_flush_dev(dev); + return NOTIFY_DONE; + } +@@ -1131,14 +1132,14 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo + rt_cache_flush(net); + break; + case NETDEV_DOWN: +- fib_disable_ip(dev, event); ++ fib_disable_ip(dev, event, false); + break; + case NETDEV_CHANGE: + flags = dev_get_flags(dev); + if (flags & (IFF_RUNNING | IFF_LOWER_UP)) + fib_sync_up(dev, RTNH_F_LINKDOWN); + else +- fib_sync_down_dev(dev, event); ++ fib_sync_down_dev(dev, event, false); + /* fall through */ + case NETDEV_CHANGEMTU: + rt_cache_flush(net); +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 3a06586b170c..71bad5c82445 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -1132,7 +1132,13 @@ int fib_sync_down_addr(struct net *net, __be32 local) + return ret; + } + +-int fib_sync_down_dev(struct net_device *dev, unsigned long event) ++/* Event force Flags Description ++ * NETDEV_CHANGE 0 LINKDOWN Carrier OFF, not for scope host ++ * NETDEV_DOWN 0 LINKDOWN|DEAD Link down, not for scope host ++ * NETDEV_DOWN 1 LINKDOWN|DEAD Last address removed ++ * NETDEV_UNREGISTER 1 LINKDOWN|DEAD Device removed ++ */ ++int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force) + { + int ret = 0; + int scope = RT_SCOPE_NOWHERE; +@@ -1141,8 +1147,7 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event) + struct hlist_head *head = &fib_info_devhash[hash]; + struct fib_nh *nh; + +- if (event == NETDEV_UNREGISTER || +- event == NETDEV_DOWN) ++ if (force) + scope = -1; + + hlist_for_each_entry(nh, head, nh_hash) { +@@ -1291,6 +1296,13 @@ int fib_sync_up(struct net_device *dev, unsigned int nh_flags) + if (!(dev->flags & IFF_UP)) + return 0; + ++ if (nh_flags & RTNH_F_DEAD) { ++ unsigned int flags = dev_get_flags(dev); ++ ++ if (flags & (IFF_RUNNING | IFF_LOWER_UP)) ++ nh_flags |= RTNH_F_LINKDOWN; ++ } ++ + prev_fi = NULL; + hash = fib_devindex_hashfn(dev->ifindex); + head = &fib_info_devhash[hash]; +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index b0c6258ffb79..ea3aedb7dd0e 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1561,7 +1561,7 @@ static struct key_vector *leaf_walk_rcu(struct key_vector **tn, t_key key) + do { + /* record parent and next child index */ + pn = n; +- cindex = key ? get_index(key, pn) : 0; ++ cindex = (key > pn->key) ? get_index(key, pn) : 0; + + if (cindex >> pn->bits) + break; +diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c +index 5aa46d4b44ef..5a8ee3282550 100644 +--- a/net/ipv4/gre_offload.c ++++ b/net/ipv4/gre_offload.c +@@ -36,7 +36,8 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb, + SKB_GSO_TCP_ECN | + SKB_GSO_GRE | + SKB_GSO_GRE_CSUM | +- SKB_GSO_IPIP))) ++ SKB_GSO_IPIP | ++ SKB_GSO_SIT))) + goto out; + + if (!skb->encapsulation) +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index 3a2c0162c3ba..df28693f32e1 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -1683,8 +1683,8 @@ static inline int ipmr_forward_finish(struct sock *sk, struct sk_buff *skb) + { + struct ip_options *opt = &(IPCB(skb)->opt); + +- IP_INC_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS); +- IP_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len); ++ IP_INC_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS); ++ IP_ADD_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len); + + if (unlikely(opt->optlen)) + ip_forward_options(skb); +@@ -1746,7 +1746,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt, + * to blackhole. + */ + +- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_FRAGFAILS); ++ IP_INC_STATS(dev_net(dev), IPSTATS_MIB_FRAGFAILS); + ip_rt_put(rt); + goto out_free; + } +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index 0330ab2e2b63..a1442c5a3e0c 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -47,14 +47,14 @@ static void set_local_port_range(struct net *net, int range[2]) + { + bool same_parity = !((range[0] ^ range[1]) & 1); + +- write_seqlock(&net->ipv4.ip_local_ports.lock); ++ write_seqlock_bh(&net->ipv4.ip_local_ports.lock); + if (same_parity && !net->ipv4.ip_local_ports.warned) { + net->ipv4.ip_local_ports.warned = true; + pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); + } + net->ipv4.ip_local_ports.range[0] = range[0]; + net->ipv4.ip_local_ports.range[1] = range[1]; +- write_sequnlock(&net->ipv4.ip_local_ports.lock); ++ write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); + } + + /* Validate changes from /proc interface. */ +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index b7dedd9d36d8..747a4c47e070 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3406,7 +3406,7 @@ static int tcp_xmit_probe_skb(struct sock *sk, int urgent, int mib) + */ + tcp_init_nondata_skb(skb, tp->snd_una - !urgent, TCPHDR_ACK); + skb_mstamp_get(&skb->skb_mstamp); +- NET_INC_STATS_BH(sock_net(sk), mib); ++ NET_INC_STATS(sock_net(sk), mib); + return tcp_transmit_skb(sk, skb, 0, GFP_ATOMIC); + } + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 21c2c818df3b..c8c1fea06003 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -411,6 +411,7 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev) + if (err) { + ipv6_mc_destroy_dev(ndev); + del_timer(&ndev->regen_timer); ++ snmp6_unregister_dev(ndev); + goto err_release; + } + /* protected by rtnl_lock */ +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index ac35a28599be..85c4b2fff504 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1394,34 +1394,20 @@ static int ipip6_tunnel_init(struct net_device *dev) + return 0; + } + +-static int __net_init ipip6_fb_tunnel_init(struct net_device *dev) ++static void __net_init ipip6_fb_tunnel_init(struct net_device *dev) + { + struct ip_tunnel *tunnel = netdev_priv(dev); + struct iphdr *iph = &tunnel->parms.iph; + struct net *net = dev_net(dev); + struct sit_net *sitn = net_generic(net, sit_net_id); + +- tunnel->dev = dev; +- tunnel->net = dev_net(dev); +- + iph->version = 4; + iph->protocol = IPPROTO_IPV6; + iph->ihl = 5; + iph->ttl = 64; + +- dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); +- if (!dev->tstats) +- return -ENOMEM; +- +- tunnel->dst_cache = alloc_percpu(struct ip_tunnel_dst); +- if (!tunnel->dst_cache) { +- free_percpu(dev->tstats); +- return -ENOMEM; +- } +- + dev_hold(dev); + rcu_assign_pointer(sitn->tunnels_wc[0], tunnel); +- return 0; + } + + static int ipip6_validate(struct nlattr *tb[], struct nlattr *data[]) +@@ -1831,23 +1817,19 @@ static int __net_init sit_init_net(struct net *net) + */ + sitn->fb_tunnel_dev->features |= NETIF_F_NETNS_LOCAL; + +- err = ipip6_fb_tunnel_init(sitn->fb_tunnel_dev); +- if (err) +- goto err_dev_free; +- +- ipip6_tunnel_clone_6rd(sitn->fb_tunnel_dev, sitn); + err = register_netdev(sitn->fb_tunnel_dev); + if (err) + goto err_reg_dev; + ++ ipip6_tunnel_clone_6rd(sitn->fb_tunnel_dev, sitn); ++ ipip6_fb_tunnel_init(sitn->fb_tunnel_dev); ++ + t = netdev_priv(sitn->fb_tunnel_dev); + + strcpy(t->parms.name, sitn->fb_tunnel_dev->name); + return 0; + + err_reg_dev: +- dev_put(sitn->fb_tunnel_dev); +-err_dev_free: + ipip6_dev_free(sitn->fb_tunnel_dev); + err_alloc_dev: + return err; +diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c +index a26c401ef4a4..43964594aa12 100644 +--- a/net/irda/irlmp.c ++++ b/net/irda/irlmp.c +@@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off) + for (element = hashbin_get_first(iter->hashbin); + element != NULL; + element = hashbin_get_next(iter->hashbin)) { +- if (!off || *off-- == 0) { ++ if (!off || (*off)-- == 0) { + /* NB: hashbin left locked */ + return element; + } +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 9b2cc278ac2a..33bf779df350 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -3378,7 +3378,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata, + + if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold && + ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) { +- int sig = ifmgd->ave_beacon_signal; ++ int sig = ifmgd->ave_beacon_signal / 16; + int last_sig = ifmgd->last_ave_beacon_signal; + struct ieee80211_event event = { + .type = RSSI_EVENT, +@@ -4999,6 +4999,25 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata, + return 0; + } + ++ if (ifmgd->assoc_data && ++ ether_addr_equal(ifmgd->assoc_data->bss->bssid, req->bssid)) { ++ sdata_info(sdata, ++ "aborting association with %pM by local choice (Reason: %u=%s)\n", ++ req->bssid, req->reason_code, ++ ieee80211_get_reason_code_string(req->reason_code)); ++ ++ drv_mgd_prepare_tx(sdata->local, sdata); ++ ieee80211_send_deauth_disassoc(sdata, req->bssid, ++ IEEE80211_STYPE_DEAUTH, ++ req->reason_code, tx, ++ frame_buf); ++ ieee80211_destroy_assoc_data(sdata, false); ++ ieee80211_report_disconnect(sdata, frame_buf, ++ sizeof(frame_buf), true, ++ req->reason_code); ++ return 0; ++ } ++ + if (ifmgd->associated && + ether_addr_equal(ifmgd->associated->bssid, req->bssid)) { + sdata_info(sdata, +diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h +index 6f14591d8ca9..0b13bfa6f32f 100644 +--- a/net/mac80211/trace.h ++++ b/net/mac80211/trace.h +@@ -33,11 +33,11 @@ + __field(u32, chan_width) \ + __field(u32, center_freq1) \ + __field(u32, center_freq2) +-#define CHANDEF_ASSIGN(c) \ +- __entry->control_freq = (c)->chan ? (c)->chan->center_freq : 0; \ +- __entry->chan_width = (c)->width; \ +- __entry->center_freq1 = (c)->center_freq1; \ +- __entry->center_freq2 = (c)->center_freq2; ++#define CHANDEF_ASSIGN(c) \ ++ __entry->control_freq = (c) ? ((c)->chan ? (c)->chan->center_freq : 0) : 0; \ ++ __entry->chan_width = (c) ? (c)->width : 0; \ ++ __entry->center_freq1 = (c) ? (c)->center_freq1 : 0; \ ++ __entry->center_freq2 = (c) ? (c)->center_freq2 : 0; + #define CHANDEF_PR_FMT " control:%d MHz width:%d center: %d/%d MHz" + #define CHANDEF_PR_ARG __entry->control_freq, __entry->chan_width, \ + __entry->center_freq1, __entry->center_freq2 +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 43e5aadd7a89..f5fa8c09cb42 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -2984,6 +2984,13 @@ ieee80211_extend_noa_desc(struct ieee80211_noa_data *data, u32 tsf, int i) + if (end > 0) + return false; + ++ /* One shot NOA */ ++ if (data->count[i] == 1) ++ return false; ++ ++ if (data->desc[i].interval == 0) ++ return false; ++ + /* End time is in the past, check for repetitions */ + skip = DIV_ROUND_UP(-end, data->desc[i].interval); + if (data->count[i] < 255) { +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index a133d16eb053..8b158f71bff6 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2346,7 +2346,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname, + int pos, idx, shift; + + err = 0; +- netlink_table_grab(); ++ netlink_lock_table(); + for (pos = 0; pos * 8 < nlk->ngroups; pos += sizeof(u32)) { + if (len - pos < sizeof(u32)) + break; +@@ -2361,7 +2361,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname, + } + if (put_user(ALIGN(nlk->ngroups / 8, sizeof(u32)), optlen)) + err = -EFAULT; +- netlink_table_ungrab(); ++ netlink_unlock_table(); + break; + } + default: +diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c +index 609f92283d1b..30b09f04c142 100644 +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -101,6 +101,20 @@ struct nci_hcp_packet { + #define NCI_HCP_MSG_GET_CMD(header) (header & 0x3f) + #define NCI_HCP_MSG_GET_PIPE(header) (header & 0x7f) + ++static int nci_hci_result_to_errno(u8 result) ++{ ++ switch (result) { ++ case NCI_HCI_ANY_OK: ++ return 0; ++ case NCI_HCI_ANY_E_REG_PAR_UNKNOWN: ++ return -EOPNOTSUPP; ++ case NCI_HCI_ANY_E_TIMEOUT: ++ return -ETIME; ++ default: ++ return -1; ++ } ++} ++ + /* HCI core */ + static void nci_hci_reset_pipes(struct nci_hci_dev *hdev) + { +@@ -146,18 +160,18 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + if (!conn_info) + return -EPROTO; + +- skb = nci_skb_alloc(ndev, 2 + conn_info->max_pkt_payload_len + ++ i = 0; ++ skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len + + NCI_DATA_HDR_SIZE, GFP_KERNEL); + if (!skb) + return -ENOMEM; + +- skb_reserve(skb, 2 + NCI_DATA_HDR_SIZE); ++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 2); + *skb_push(skb, 1) = data_type; + +- i = 0; +- len = conn_info->max_pkt_payload_len; +- + do { ++ len = conn_info->max_pkt_payload_len; ++ + /* If last packet add NCI_HFP_NO_CHAINING */ + if (i + conn_info->max_pkt_payload_len - + (skb->len + 1) >= data_len) { +@@ -177,9 +191,15 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + return r; + + i += len; ++ + if (i < data_len) { +- skb_trim(skb, 0); +- skb_pull(skb, len); ++ skb = nci_skb_alloc(ndev, ++ conn_info->max_pkt_payload_len + ++ NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ if (!skb) ++ return -ENOMEM; ++ ++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 1); + } + } while (i < data_len); + +@@ -212,7 +232,8 @@ int nci_hci_send_cmd(struct nci_dev *ndev, u8 gate, u8 cmd, + const u8 *param, size_t param_len, + struct sk_buff **skb) + { +- struct nci_conn_info *conn_info; ++ struct nci_hcp_message *message; ++ struct nci_conn_info *conn_info; + struct nci_data data; + int r; + u8 pipe = ndev->hci_dev->gate2pipe[gate]; +@@ -232,9 +253,15 @@ int nci_hci_send_cmd(struct nci_dev *ndev, u8 gate, u8 cmd, + + r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data, + msecs_to_jiffies(NCI_DATA_TIMEOUT)); +- +- if (r == NCI_STATUS_OK && skb) +- *skb = conn_info->rx_skb; ++ if (r == NCI_STATUS_OK) { ++ message = (struct nci_hcp_message *)conn_info->rx_skb->data; ++ r = nci_hci_result_to_errno( ++ NCI_HCP_MSG_GET_CMD(message->header)); ++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN); ++ ++ if (!r && skb) ++ *skb = conn_info->rx_skb; ++ } + + return r; + } +@@ -328,9 +355,6 @@ static void nci_hci_resp_received(struct nci_dev *ndev, u8 pipe, + struct nci_conn_info *conn_info; + u8 status = result; + +- if (result != NCI_HCI_ANY_OK) +- goto exit; +- + conn_info = ndev->hci_dev->conn_info; + if (!conn_info) { + status = NCI_STATUS_REJECTED; +@@ -340,7 +364,7 @@ static void nci_hci_resp_received(struct nci_dev *ndev, u8 pipe, + conn_info->rx_skb = skb; + + exit: +- nci_req_complete(ndev, status); ++ nci_req_complete(ndev, NCI_STATUS_OK); + } + + /* Receive hcp message for pipe, with type and cmd. +@@ -378,7 +402,7 @@ static void nci_hci_msg_rx_work(struct work_struct *work) + u8 pipe, type, instruction; + + while ((skb = skb_dequeue(&hdev->msg_rx_queue)) != NULL) { +- pipe = skb->data[0]; ++ pipe = NCI_HCP_MSG_GET_PIPE(skb->data[0]); + skb_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN); + message = (struct nci_hcp_message *)skb->data; + type = NCI_HCP_MSG_GET_TYPE(message->header); +@@ -395,7 +419,7 @@ void nci_hci_data_received_cb(void *context, + { + struct nci_dev *ndev = (struct nci_dev *)context; + struct nci_hcp_packet *packet; +- u8 pipe, type, instruction; ++ u8 pipe, type; + struct sk_buff *hcp_skb; + struct sk_buff *frag_skb; + int msg_len; +@@ -415,7 +439,7 @@ void nci_hci_data_received_cb(void *context, + + /* it's the last fragment. Does it need re-aggregation? */ + if (skb_queue_len(&ndev->hci_dev->rx_hcp_frags)) { +- pipe = packet->header & NCI_HCI_FRAGMENT; ++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header); + skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb); + + msg_len = 0; +@@ -434,7 +458,7 @@ void nci_hci_data_received_cb(void *context, + *skb_put(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN) = pipe; + + skb_queue_walk(&ndev->hci_dev->rx_hcp_frags, frag_skb) { +- msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN; ++ msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN; + memcpy(skb_put(hcp_skb, msg_len), frag_skb->data + + NCI_HCI_HCP_PACKET_HEADER_LEN, msg_len); + } +@@ -452,11 +476,10 @@ void nci_hci_data_received_cb(void *context, + packet = (struct nci_hcp_packet *)hcp_skb->data; + type = NCI_HCP_MSG_GET_TYPE(packet->message.header); + if (type == NCI_HCI_HCP_RESPONSE) { +- pipe = packet->header; +- instruction = NCI_HCP_MSG_GET_CMD(packet->message.header); +- skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN + +- NCI_HCI_HCP_MESSAGE_HEADER_LEN); +- nci_hci_hcp_message_rx(ndev, pipe, type, instruction, hcp_skb); ++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header); ++ skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN); ++ nci_hci_hcp_message_rx(ndev, pipe, type, ++ NCI_STATUS_OK, hcp_skb); + } else { + skb_queue_tail(&ndev->hci_dev->msg_rx_queue, hcp_skb); + schedule_work(&ndev->hci_dev->msg_rx_work); +@@ -488,6 +511,7 @@ EXPORT_SYMBOL(nci_hci_open_pipe); + int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx, + const u8 *param, size_t param_len) + { ++ struct nci_hcp_message *message; + struct nci_conn_info *conn_info; + struct nci_data data; + int r; +@@ -520,6 +544,12 @@ int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx, + r = nci_request(ndev, nci_hci_send_data_req, + (unsigned long)&data, + msecs_to_jiffies(NCI_DATA_TIMEOUT)); ++ if (r == NCI_STATUS_OK) { ++ message = (struct nci_hcp_message *)conn_info->rx_skb->data; ++ r = nci_hci_result_to_errno( ++ NCI_HCP_MSG_GET_CMD(message->header)); ++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN); ++ } + + kfree(tmp); + return r; +@@ -529,6 +559,7 @@ EXPORT_SYMBOL(nci_hci_set_param); + int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx, + struct sk_buff **skb) + { ++ struct nci_hcp_message *message; + struct nci_conn_info *conn_info; + struct nci_data data; + int r; +@@ -553,8 +584,15 @@ int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx, + r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data, + msecs_to_jiffies(NCI_DATA_TIMEOUT)); + +- if (r == NCI_STATUS_OK) +- *skb = conn_info->rx_skb; ++ if (r == NCI_STATUS_OK) { ++ message = (struct nci_hcp_message *)conn_info->rx_skb->data; ++ r = nci_hci_result_to_errno( ++ NCI_HCP_MSG_GET_CMD(message->header)); ++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN); ++ ++ if (!r && skb) ++ *skb = conn_info->rx_skb; ++ } + + return r; + } +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 7851b1222a36..71cb085e16fd 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2784,22 +2784,40 @@ static int packet_release(struct socket *sock) + * Attach a packet hook. + */ + +-static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) ++static int packet_do_bind(struct sock *sk, const char *name, int ifindex, ++ __be16 proto) + { + struct packet_sock *po = pkt_sk(sk); + struct net_device *dev_curr; + __be16 proto_curr; + bool need_rehook; ++ struct net_device *dev = NULL; ++ int ret = 0; ++ bool unlisted = false; + +- if (po->fanout) { +- if (dev) +- dev_put(dev); +- ++ if (po->fanout) + return -EINVAL; +- } + + lock_sock(sk); + spin_lock(&po->bind_lock); ++ rcu_read_lock(); ++ ++ if (name) { ++ dev = dev_get_by_name_rcu(sock_net(sk), name); ++ if (!dev) { ++ ret = -ENODEV; ++ goto out_unlock; ++ } ++ } else if (ifindex) { ++ dev = dev_get_by_index_rcu(sock_net(sk), ifindex); ++ if (!dev) { ++ ret = -ENODEV; ++ goto out_unlock; ++ } ++ } ++ ++ if (dev) ++ dev_hold(dev); + + proto_curr = po->prot_hook.type; + dev_curr = po->prot_hook.dev; +@@ -2807,14 +2825,29 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) + need_rehook = proto_curr != proto || dev_curr != dev; + + if (need_rehook) { +- unregister_prot_hook(sk, true); ++ if (po->running) { ++ rcu_read_unlock(); ++ __unregister_prot_hook(sk, true); ++ rcu_read_lock(); ++ dev_curr = po->prot_hook.dev; ++ if (dev) ++ unlisted = !dev_get_by_index_rcu(sock_net(sk), ++ dev->ifindex); ++ } + + po->num = proto; + po->prot_hook.type = proto; +- po->prot_hook.dev = dev; + +- po->ifindex = dev ? dev->ifindex : 0; +- packet_cached_dev_assign(po, dev); ++ if (unlikely(unlisted)) { ++ dev_put(dev); ++ po->prot_hook.dev = NULL; ++ po->ifindex = -1; ++ packet_cached_dev_reset(po); ++ } else { ++ po->prot_hook.dev = dev; ++ po->ifindex = dev ? dev->ifindex : 0; ++ packet_cached_dev_assign(po, dev); ++ } + } + if (dev_curr) + dev_put(dev_curr); +@@ -2822,7 +2855,7 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) + if (proto == 0 || !need_rehook) + goto out_unlock; + +- if (!dev || (dev->flags & IFF_UP)) { ++ if (!unlisted && (!dev || (dev->flags & IFF_UP))) { + register_prot_hook(sk); + } else { + sk->sk_err = ENETDOWN; +@@ -2831,9 +2864,10 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) + } + + out_unlock: ++ rcu_read_unlock(); + spin_unlock(&po->bind_lock); + release_sock(sk); +- return 0; ++ return ret; + } + + /* +@@ -2845,8 +2879,6 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, + { + struct sock *sk = sock->sk; + char name[15]; +- struct net_device *dev; +- int err = -ENODEV; + + /* + * Check legality +@@ -2856,19 +2888,13 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, + return -EINVAL; + strlcpy(name, uaddr->sa_data, sizeof(name)); + +- dev = dev_get_by_name(sock_net(sk), name); +- if (dev) +- err = packet_do_bind(sk, dev, pkt_sk(sk)->num); +- return err; ++ return packet_do_bind(sk, name, 0, pkt_sk(sk)->num); + } + + static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + { + struct sockaddr_ll *sll = (struct sockaddr_ll *)uaddr; + struct sock *sk = sock->sk; +- struct net_device *dev = NULL; +- int err; +- + + /* + * Check legality +@@ -2879,16 +2905,8 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len + if (sll->sll_family != AF_PACKET) + return -EINVAL; + +- if (sll->sll_ifindex) { +- err = -ENODEV; +- dev = dev_get_by_index(sock_net(sk), sll->sll_ifindex); +- if (dev == NULL) +- goto out; +- } +- err = packet_do_bind(sk, dev, sll->sll_protocol ? : pkt_sk(sk)->num); +- +-out: +- return err; ++ return packet_do_bind(sk, NULL, sll->sll_ifindex, ++ sll->sll_protocol ? : pkt_sk(sk)->num); + } + + static struct proto packet_proto = { +diff --git a/net/rds/connection.c b/net/rds/connection.c +index da6da57e5f36..9d66705f9d41 100644 +--- a/net/rds/connection.c ++++ b/net/rds/connection.c +@@ -187,6 +187,12 @@ new_conn: + } + } + ++ if (trans == NULL) { ++ kmem_cache_free(rds_conn_slab, conn); ++ conn = ERR_PTR(-ENODEV); ++ goto out; ++ } ++ + conn->c_trans = trans; + + ret = trans->conn_alloc(conn, gfp); +diff --git a/net/rds/tcp_recv.c b/net/rds/tcp_recv.c +index fbc5ef88bc0e..27a992154804 100644 +--- a/net/rds/tcp_recv.c ++++ b/net/rds/tcp_recv.c +@@ -214,8 +214,15 @@ static int rds_tcp_data_recv(read_descriptor_t *desc, struct sk_buff *skb, + } + + to_copy = min(tc->t_tinc_data_rem, left); +- pskb_pull(clone, offset); +- pskb_trim(clone, to_copy); ++ if (!pskb_pull(clone, offset) || ++ pskb_trim(clone, to_copy)) { ++ pr_warn("rds_tcp_data_recv: pull/trim failed " ++ "left %zu data_rem %zu skb_len %d\n", ++ left, tc->t_tinc_data_rem, skb->len); ++ kfree_skb(clone); ++ desc->error = -ENOMEM; ++ goto out; ++ } + skb_queue_tail(&tinc->ti_skb_list, clone); + + rdsdebug("skb %p data %p len %d off %u to_copy %zu -> " +diff --git a/net/tipc/msg.c b/net/tipc/msg.c +index 08b4cc7d496d..b3a393104b17 100644 +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -121,7 +121,7 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + { + struct sk_buff *head = *headbuf; + struct sk_buff *frag = *buf; +- struct sk_buff *tail; ++ struct sk_buff *tail = NULL; + struct tipc_msg *msg; + u32 fragid; + int delta; +@@ -141,9 +141,15 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + if (unlikely(skb_unclone(frag, GFP_ATOMIC))) + goto err; + head = *headbuf = frag; +- skb_frag_list_init(head); +- TIPC_SKB_CB(head)->tail = NULL; + *buf = NULL; ++ TIPC_SKB_CB(head)->tail = NULL; ++ if (skb_is_nonlinear(head)) { ++ skb_walk_frags(head, tail) { ++ TIPC_SKB_CB(head)->tail = tail; ++ } ++ } else { ++ skb_frag_list_init(head); ++ } + return 0; + } + +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c +index 66deebc66aa1..f8dfee5072c0 100644 +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -48,6 +48,7 @@ + #include + #include "core.h" + #include "bearer.h" ++#include "msg.h" + + /* IANA assigned UDP port */ + #define UDP_PORT_DEFAULT 6118 +@@ -216,6 +217,10 @@ static int tipc_udp_recv(struct sock *sk, struct sk_buff *skb) + { + struct udp_bearer *ub; + struct tipc_bearer *b; ++ int usr = msg_user(buf_msg(skb)); ++ ++ if ((usr == LINK_PROTOCOL) || (usr == NAME_DISTRIBUTOR)) ++ skb_linearize(skb); + + ub = rcu_dereference_sk_user_data(sk); + if (!ub) { +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 76b41578a838..d059cf31d754 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3408,12 +3408,6 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + wdev->iftype)) + return -EINVAL; + +- if (info->attrs[NL80211_ATTR_ACL_POLICY]) { +- params.acl = parse_acl_data(&rdev->wiphy, info); +- if (IS_ERR(params.acl)) +- return PTR_ERR(params.acl); +- } +- + if (info->attrs[NL80211_ATTR_SMPS_MODE]) { + params.smps_mode = + nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]); +@@ -3437,6 +3431,12 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + params.smps_mode = NL80211_SMPS_OFF; + } + ++ if (info->attrs[NL80211_ATTR_ACL_POLICY]) { ++ params.acl = parse_acl_data(&rdev->wiphy, info); ++ if (IS_ERR(params.acl)) ++ return PTR_ERR(params.acl); ++ } ++ + wdev_lock(wdev); + err = rdev_start_ap(rdev, dev, ¶ms); + if (!err) { +diff --git a/sound/usb/midi.c b/sound/usb/midi.c +index 417ebb11cf48..bec63e0d2605 100644 +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -174,6 +174,8 @@ struct snd_usb_midi_in_endpoint { + u8 running_status_length; + } ports[0x10]; + u8 seen_f5; ++ bool in_sysex; ++ u8 last_cin; + u8 error_resubmit; + int current_port; + }; +@@ -468,6 +470,39 @@ static void snd_usbmidi_maudio_broken_running_status_input( + } + + /* ++ * QinHeng CH345 is buggy: every second packet inside a SysEx has not CIN 4 ++ * but the previously seen CIN, but still with three data bytes. ++ */ ++static void ch345_broken_sysex_input(struct snd_usb_midi_in_endpoint *ep, ++ uint8_t *buffer, int buffer_length) ++{ ++ unsigned int i, cin, length; ++ ++ for (i = 0; i + 3 < buffer_length; i += 4) { ++ if (buffer[i] == 0 && i > 0) ++ break; ++ cin = buffer[i] & 0x0f; ++ if (ep->in_sysex && ++ cin == ep->last_cin && ++ (buffer[i + 1 + (cin == 0x6)] & 0x80) == 0) ++ cin = 0x4; ++#if 0 ++ if (buffer[i + 1] == 0x90) { ++ /* ++ * Either a corrupted running status or a real note-on ++ * message; impossible to detect reliably. ++ */ ++ } ++#endif ++ length = snd_usbmidi_cin_length[cin]; ++ snd_usbmidi_input_data(ep, 0, &buffer[i + 1], length); ++ ep->in_sysex = cin == 0x4; ++ if (!ep->in_sysex) ++ ep->last_cin = cin; ++ } ++} ++ ++/* + * CME protocol: like the standard protocol, but SysEx commands are sent as a + * single USB packet preceded by a 0x0F byte. + */ +@@ -660,6 +695,12 @@ static struct usb_protocol_ops snd_usbmidi_cme_ops = { + .output_packet = snd_usbmidi_output_standard_packet, + }; + ++static struct usb_protocol_ops snd_usbmidi_ch345_broken_sysex_ops = { ++ .input = ch345_broken_sysex_input, ++ .output = snd_usbmidi_standard_output, ++ .output_packet = snd_usbmidi_output_standard_packet, ++}; ++ + /* + * AKAI MPD16 protocol: + * +@@ -1341,6 +1382,7 @@ static int snd_usbmidi_out_endpoint_create(struct snd_usb_midi *umidi, + * Various chips declare a packet size larger than 4 bytes, but + * do not actually work with larger packets: + */ ++ case USB_ID(0x0a67, 0x5011): /* Medeli DD305 */ + case USB_ID(0x0a92, 0x1020): /* ESI M4U */ + case USB_ID(0x1430, 0x474b): /* RedOctane GH MIDI INTERFACE */ + case USB_ID(0x15ca, 0x0101): /* Textech USB Midi Cable */ +@@ -2375,6 +2417,10 @@ int snd_usbmidi_create(struct snd_card *card, + + err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); + break; ++ case QUIRK_MIDI_CH345: ++ umidi->usb_protocol_ops = &snd_usbmidi_ch345_broken_sysex_ops; ++ err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); ++ break; + default: + dev_err(&umidi->dev->dev, "invalid quirk type %d\n", + quirk->type); +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index e4756651a52c..ecc2a4ea014d 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -2820,6 +2820,17 @@ YAMAHA_DEVICE(0x7010, "UB99"), + .idProduct = 0x1020, + }, + ++/* QinHeng devices */ ++{ ++ USB_DEVICE(0x1a86, 0x752d), ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { ++ .vendor_name = "QinHeng", ++ .product_name = "CH345", ++ .ifnum = 1, ++ .type = QUIRK_MIDI_CH345 ++ } ++}, ++ + /* KeithMcMillen Stringport */ + { + USB_DEVICE(0x1f38, 0x0001), +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 00ebc0ca008e..eef9b8e4b949 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -535,6 +535,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip, + [QUIRK_MIDI_CME] = create_any_midi_quirk, + [QUIRK_MIDI_AKAI] = create_any_midi_quirk, + [QUIRK_MIDI_FTDI] = create_any_midi_quirk, ++ [QUIRK_MIDI_CH345] = create_any_midi_quirk, + [QUIRK_AUDIO_STANDARD_INTERFACE] = create_standard_audio_quirk, + [QUIRK_AUDIO_FIXED_ENDPOINT] = create_fixed_stream_quirk, + [QUIRK_AUDIO_EDIROL_UAXX] = create_uaxx_quirk, +@@ -1271,6 +1272,7 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip, + case USB_ID(0x20b1, 0x000a): /* Gustard DAC-X20U */ + case USB_ID(0x20b1, 0x2009): /* DIYINHK DSD DXD 384kHz USB to I2S/DSD */ + case USB_ID(0x20b1, 0x2023): /* JLsounds I2SoverUSB */ ++ case USB_ID(0x20b1, 0x3023): /* Aune X1S 32BIT/384 DSD DAC */ + if (fp->altsetting == 3) + return SNDRV_PCM_FMTBIT_DSD_U32_BE; + break; +diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h +index 91d0380431b4..991aa84491cd 100644 +--- a/sound/usb/usbaudio.h ++++ b/sound/usb/usbaudio.h +@@ -94,6 +94,7 @@ enum quirk_type { + QUIRK_MIDI_AKAI, + QUIRK_MIDI_US122L, + QUIRK_MIDI_FTDI, ++ QUIRK_MIDI_CH345, + QUIRK_AUDIO_STANDARD_INTERFACE, + QUIRK_AUDIO_FIXED_ENDPOINT, + QUIRK_AUDIO_EDIROL_UAXX, diff --git a/patch/kernel/udoo-next/patch-4.2.7-8.patch b/patch/kernel/udoo-next/patch-4.2.7-8.patch new file mode 100644 index 000000000..7aca417ed --- /dev/null +++ b/patch/kernel/udoo-next/patch-4.2.7-8.patch @@ -0,0 +1,3882 @@ +diff --git a/Makefile b/Makefile +index f5014eaf2532..06b988951ccb 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 2 +-SUBLEVEL = 7 ++SUBLEVEL = 8 + EXTRAVERSION = + NAME = Hurr durr I'ma sheep + +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index 017b7d58ae06..55f8a6a706fc 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -3439,6 +3439,7 @@ static void rbd_queue_workfn(struct work_struct *work) + goto err_rq; + } + img_request->rq = rq; ++ snapc = NULL; /* img_request consumes a ref */ + + if (op_type == OBJ_OP_DISCARD) + result = rbd_img_request_fill(img_request, OBJ_REQUEST_NODATA, +diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c +index f51d376d10ba..c2f5117fd8cb 100644 +--- a/drivers/firewire/ohci.c ++++ b/drivers/firewire/ohci.c +@@ -3675,6 +3675,11 @@ static int pci_probe(struct pci_dev *dev, + + reg_write(ohci, OHCI1394_IsoXmitIntMaskSet, ~0); + ohci->it_context_support = reg_read(ohci, OHCI1394_IsoXmitIntMaskSet); ++ /* JMicron JMB38x often shows 0 at first read, just ignore it */ ++ if (!ohci->it_context_support) { ++ ohci_notice(ohci, "overriding IsoXmitIntMask\n"); ++ ohci->it_context_support = 0xf; ++ } + reg_write(ohci, OHCI1394_IsoXmitIntMaskClear, ~0); + ohci->it_context_mask = ohci->it_context_support; + ohci->n_it = hweight32(ohci->it_context_mask); +diff --git a/drivers/media/pci/cobalt/Kconfig b/drivers/media/pci/cobalt/Kconfig +index 6a1c0089bb62..4ecf171d14a2 100644 +--- a/drivers/media/pci/cobalt/Kconfig ++++ b/drivers/media/pci/cobalt/Kconfig +@@ -1,6 +1,6 @@ + config VIDEO_COBALT + tristate "Cisco Cobalt support" +- depends on VIDEO_V4L2 && I2C && MEDIA_CONTROLLER ++ depends on VIDEO_V4L2 && I2C && VIDEO_V4L2_SUBDEV_API + depends on PCI_MSI && MTD_COMPLEX_MAPPINGS && GPIOLIB + depends on SND + select I2C_ALGOBIT +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +index 3b90afb8c293..6f2a748524f3 100644 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -1325,7 +1325,12 @@ err_disable_device: + static void nicvf_remove(struct pci_dev *pdev) + { + struct net_device *netdev = pci_get_drvdata(pdev); +- struct nicvf *nic = netdev_priv(netdev); ++ struct nicvf *nic; ++ ++ if (!netdev) ++ return; ++ ++ nic = netdev_priv(netdev); + + unregister_netdev(netdev); + nicvf_unregister_interrupts(nic); +diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +index 731423ca575d..8bead97373ab 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c ++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +@@ -4934,26 +4934,41 @@ static void rem_slave_counters(struct mlx4_dev *dev, int slave) + struct res_counter *counter; + struct res_counter *tmp; + int err; +- int index; ++ int *counters_arr = NULL; ++ int i, j; + + err = move_all_busy(dev, slave, RES_COUNTER); + if (err) + mlx4_warn(dev, "rem_slave_counters: Could not move all counters - too busy for slave %d\n", + slave); + +- spin_lock_irq(mlx4_tlock(dev)); +- list_for_each_entry_safe(counter, tmp, counter_list, com.list) { +- if (counter->com.owner == slave) { +- index = counter->com.res_id; +- rb_erase(&counter->com.node, +- &tracker->res_tree[RES_COUNTER]); +- list_del(&counter->com.list); +- kfree(counter); +- __mlx4_counter_free(dev, index); ++ counters_arr = kmalloc_array(dev->caps.max_counters, ++ sizeof(*counters_arr), GFP_KERNEL); ++ if (!counters_arr) ++ return; ++ ++ do { ++ i = 0; ++ j = 0; ++ spin_lock_irq(mlx4_tlock(dev)); ++ list_for_each_entry_safe(counter, tmp, counter_list, com.list) { ++ if (counter->com.owner == slave) { ++ counters_arr[i++] = counter->com.res_id; ++ rb_erase(&counter->com.node, ++ &tracker->res_tree[RES_COUNTER]); ++ list_del(&counter->com.list); ++ kfree(counter); ++ } ++ } ++ spin_unlock_irq(mlx4_tlock(dev)); ++ ++ while (j < i) { ++ __mlx4_counter_free(dev, counters_arr[j++]); + mlx4_release_resource(dev, slave, RES_COUNTER, 1, 0); + } +- } +- spin_unlock_irq(mlx4_tlock(dev)); ++ } while (i); ++ ++ kfree(counters_arr); + } + + static void rem_slave_xrcdns(struct mlx4_dev *dev, int slave) +diff --git a/drivers/net/ethernet/via/via-rhine.c b/drivers/net/ethernet/via/via-rhine.c +index a83263743665..2b7550c43f78 100644 +--- a/drivers/net/ethernet/via/via-rhine.c ++++ b/drivers/net/ethernet/via/via-rhine.c +@@ -2134,10 +2134,11 @@ static int rhine_rx(struct net_device *dev, int limit) + } + + skb_put(skb, pkt_len); +- skb->protocol = eth_type_trans(skb, dev); + + rhine_rx_vlan_tag(skb, desc, data_size); + ++ skb->protocol = eth_type_trans(skb, dev); ++ + netif_receive_skb(skb); + + u64_stats_update_begin(&rp->rx_stats.syncp); +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c +index 9c71295f2fef..85e640440bd9 100644 +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -675,7 +675,7 @@ static struct mdio_device_id __maybe_unused broadcom_tbl[] = { + { PHY_ID_BCM5461, 0xfffffff0 }, + { PHY_ID_BCM54616S, 0xfffffff0 }, + { PHY_ID_BCM5464, 0xfffffff0 }, +- { PHY_ID_BCM5482, 0xfffffff0 }, ++ { PHY_ID_BCM5481, 0xfffffff0 }, + { PHY_ID_BCM5482, 0xfffffff0 }, + { PHY_ID_BCM50610, 0xfffffff0 }, + { PHY_ID_BCM50610M, 0xfffffff0 }, +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 8f1738c3b3c5..de27f510c0f3 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -775,6 +775,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ + {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */ ++ {QMI_FIXED_INTF(0x1c9e, 0x9b01, 3)}, /* XS Stick W100-2 from 4G Systems */ + {QMI_FIXED_INTF(0x0b3c, 0xc000, 4)}, /* Olivetti Olicard 100 */ + {QMI_FIXED_INTF(0x0b3c, 0xc001, 4)}, /* Olivetti Olicard 120 */ + {QMI_FIXED_INTF(0x0b3c, 0xc002, 4)}, /* Olivetti Olicard 140 */ +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index aac314e14188..bb25b8d00570 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -3404,7 +3404,7 @@ int btrfs_set_disk_extent_flags(struct btrfs_trans_handle *trans, + int btrfs_free_extent(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + u64 bytenr, u64 num_bytes, u64 parent, u64 root_objectid, +- u64 owner, u64 offset, int no_quota); ++ u64 owner, u64 offset); + + int btrfs_free_reserved_extent(struct btrfs_root *root, u64 start, u64 len, + int delalloc); +@@ -3417,7 +3417,7 @@ int btrfs_finish_extent_commit(struct btrfs_trans_handle *trans, + int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + u64 bytenr, u64 num_bytes, u64 parent, +- u64 root_objectid, u64 owner, u64 offset, int no_quota); ++ u64 root_objectid, u64 owner, u64 offset); + + int btrfs_start_dirty_block_groups(struct btrfs_trans_handle *trans, + struct btrfs_root *root); +diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c +index ac3e81da6d4e..7832031fef68 100644 +--- a/fs/btrfs/delayed-ref.c ++++ b/fs/btrfs/delayed-ref.c +@@ -197,6 +197,119 @@ static inline void drop_delayed_ref(struct btrfs_trans_handle *trans, + trans->delayed_ref_updates--; + } + ++static bool merge_ref(struct btrfs_trans_handle *trans, ++ struct btrfs_delayed_ref_root *delayed_refs, ++ struct btrfs_delayed_ref_head *head, ++ struct btrfs_delayed_ref_node *ref, ++ u64 seq) ++{ ++ struct btrfs_delayed_ref_node *next; ++ bool done = false; ++ ++ next = list_first_entry(&head->ref_list, struct btrfs_delayed_ref_node, ++ list); ++ while (!done && &next->list != &head->ref_list) { ++ int mod; ++ struct btrfs_delayed_ref_node *next2; ++ ++ next2 = list_next_entry(next, list); ++ ++ if (next == ref) ++ goto next; ++ ++ if (seq && next->seq >= seq) ++ goto next; ++ ++ if (next->type != ref->type) ++ goto next; ++ ++ if ((ref->type == BTRFS_TREE_BLOCK_REF_KEY || ++ ref->type == BTRFS_SHARED_BLOCK_REF_KEY) && ++ comp_tree_refs(btrfs_delayed_node_to_tree_ref(ref), ++ btrfs_delayed_node_to_tree_ref(next), ++ ref->type)) ++ goto next; ++ if ((ref->type == BTRFS_EXTENT_DATA_REF_KEY || ++ ref->type == BTRFS_SHARED_DATA_REF_KEY) && ++ comp_data_refs(btrfs_delayed_node_to_data_ref(ref), ++ btrfs_delayed_node_to_data_ref(next))) ++ goto next; ++ ++ if (ref->action == next->action) { ++ mod = next->ref_mod; ++ } else { ++ if (ref->ref_mod < next->ref_mod) { ++ swap(ref, next); ++ done = true; ++ } ++ mod = -next->ref_mod; ++ } ++ ++ drop_delayed_ref(trans, delayed_refs, head, next); ++ ref->ref_mod += mod; ++ if (ref->ref_mod == 0) { ++ drop_delayed_ref(trans, delayed_refs, head, ref); ++ done = true; ++ } else { ++ /* ++ * Can't have multiples of the same ref on a tree block. ++ */ ++ WARN_ON(ref->type == BTRFS_TREE_BLOCK_REF_KEY || ++ ref->type == BTRFS_SHARED_BLOCK_REF_KEY); ++ } ++next: ++ next = next2; ++ } ++ ++ return done; ++} ++ ++void btrfs_merge_delayed_refs(struct btrfs_trans_handle *trans, ++ struct btrfs_fs_info *fs_info, ++ struct btrfs_delayed_ref_root *delayed_refs, ++ struct btrfs_delayed_ref_head *head) ++{ ++ struct btrfs_delayed_ref_node *ref; ++ u64 seq = 0; ++ ++ assert_spin_locked(&head->lock); ++ ++ if (list_empty(&head->ref_list)) ++ return; ++ ++ /* We don't have too many refs to merge for data. */ ++ if (head->is_data) ++ return; ++ ++ spin_lock(&fs_info->tree_mod_seq_lock); ++ if (!list_empty(&fs_info->tree_mod_seq_list)) { ++ struct seq_list *elem; ++ ++ elem = list_first_entry(&fs_info->tree_mod_seq_list, ++ struct seq_list, list); ++ seq = elem->seq; ++ } ++ spin_unlock(&fs_info->tree_mod_seq_lock); ++ ++ ref = list_first_entry(&head->ref_list, struct btrfs_delayed_ref_node, ++ list); ++ while (&ref->list != &head->ref_list) { ++ if (seq && ref->seq >= seq) ++ goto next; ++ ++ if (merge_ref(trans, delayed_refs, head, ref, seq)) { ++ if (list_empty(&head->ref_list)) ++ break; ++ ref = list_first_entry(&head->ref_list, ++ struct btrfs_delayed_ref_node, ++ list); ++ continue; ++ } ++next: ++ ref = list_next_entry(ref, list); ++ } ++} ++ + int btrfs_check_delayed_seq(struct btrfs_fs_info *fs_info, + struct btrfs_delayed_ref_root *delayed_refs, + u64 seq) +@@ -292,8 +405,7 @@ add_delayed_ref_tail_merge(struct btrfs_trans_handle *trans, + exist = list_entry(href->ref_list.prev, struct btrfs_delayed_ref_node, + list); + /* No need to compare bytenr nor is_head */ +- if (exist->type != ref->type || exist->no_quota != ref->no_quota || +- exist->seq != ref->seq) ++ if (exist->type != ref->type || exist->seq != ref->seq) + goto add_tail; + + if ((exist->type == BTRFS_TREE_BLOCK_REF_KEY || +@@ -524,7 +636,7 @@ add_delayed_tree_ref(struct btrfs_fs_info *fs_info, + struct btrfs_delayed_ref_head *head_ref, + struct btrfs_delayed_ref_node *ref, u64 bytenr, + u64 num_bytes, u64 parent, u64 ref_root, int level, +- int action, int no_quota) ++ int action) + { + struct btrfs_delayed_tree_ref *full_ref; + struct btrfs_delayed_ref_root *delayed_refs; +@@ -546,7 +658,6 @@ add_delayed_tree_ref(struct btrfs_fs_info *fs_info, + ref->action = action; + ref->is_head = 0; + ref->in_tree = 1; +- ref->no_quota = no_quota; + ref->seq = seq; + + full_ref = btrfs_delayed_node_to_tree_ref(ref); +@@ -579,7 +690,7 @@ add_delayed_data_ref(struct btrfs_fs_info *fs_info, + struct btrfs_delayed_ref_head *head_ref, + struct btrfs_delayed_ref_node *ref, u64 bytenr, + u64 num_bytes, u64 parent, u64 ref_root, u64 owner, +- u64 offset, int action, int no_quota) ++ u64 offset, int action) + { + struct btrfs_delayed_data_ref *full_ref; + struct btrfs_delayed_ref_root *delayed_refs; +@@ -602,7 +713,6 @@ add_delayed_data_ref(struct btrfs_fs_info *fs_info, + ref->action = action; + ref->is_head = 0; + ref->in_tree = 1; +- ref->no_quota = no_quota; + ref->seq = seq; + + full_ref = btrfs_delayed_node_to_data_ref(ref); +@@ -633,17 +743,13 @@ int btrfs_add_delayed_tree_ref(struct btrfs_fs_info *fs_info, + struct btrfs_trans_handle *trans, + u64 bytenr, u64 num_bytes, u64 parent, + u64 ref_root, int level, int action, +- struct btrfs_delayed_extent_op *extent_op, +- int no_quota) ++ struct btrfs_delayed_extent_op *extent_op) + { + struct btrfs_delayed_tree_ref *ref; + struct btrfs_delayed_ref_head *head_ref; + struct btrfs_delayed_ref_root *delayed_refs; + struct btrfs_qgroup_extent_record *record = NULL; + +- if (!is_fstree(ref_root) || !fs_info->quota_enabled) +- no_quota = 0; +- + BUG_ON(extent_op && extent_op->is_data); + ref = kmem_cache_alloc(btrfs_delayed_tree_ref_cachep, GFP_NOFS); + if (!ref) +@@ -672,8 +778,7 @@ int btrfs_add_delayed_tree_ref(struct btrfs_fs_info *fs_info, + bytenr, num_bytes, action, 0); + + add_delayed_tree_ref(fs_info, trans, head_ref, &ref->node, bytenr, +- num_bytes, parent, ref_root, level, action, +- no_quota); ++ num_bytes, parent, ref_root, level, action); + spin_unlock(&delayed_refs->lock); + + return 0; +@@ -694,17 +799,13 @@ int btrfs_add_delayed_data_ref(struct btrfs_fs_info *fs_info, + u64 bytenr, u64 num_bytes, + u64 parent, u64 ref_root, + u64 owner, u64 offset, int action, +- struct btrfs_delayed_extent_op *extent_op, +- int no_quota) ++ struct btrfs_delayed_extent_op *extent_op) + { + struct btrfs_delayed_data_ref *ref; + struct btrfs_delayed_ref_head *head_ref; + struct btrfs_delayed_ref_root *delayed_refs; + struct btrfs_qgroup_extent_record *record = NULL; + +- if (!is_fstree(ref_root) || !fs_info->quota_enabled) +- no_quota = 0; +- + BUG_ON(extent_op && !extent_op->is_data); + ref = kmem_cache_alloc(btrfs_delayed_data_ref_cachep, GFP_NOFS); + if (!ref) +@@ -740,7 +841,7 @@ int btrfs_add_delayed_data_ref(struct btrfs_fs_info *fs_info, + + add_delayed_data_ref(fs_info, trans, head_ref, &ref->node, bytenr, + num_bytes, parent, ref_root, owner, offset, +- action, no_quota); ++ action); + spin_unlock(&delayed_refs->lock); + + return 0; +diff --git a/fs/btrfs/delayed-ref.h b/fs/btrfs/delayed-ref.h +index 13fb5e6090fe..930887a4275f 100644 +--- a/fs/btrfs/delayed-ref.h ++++ b/fs/btrfs/delayed-ref.h +@@ -68,7 +68,6 @@ struct btrfs_delayed_ref_node { + + unsigned int action:8; + unsigned int type:8; +- unsigned int no_quota:1; + /* is this node still in the rbtree? */ + unsigned int is_head:1; + unsigned int in_tree:1; +@@ -233,15 +232,13 @@ int btrfs_add_delayed_tree_ref(struct btrfs_fs_info *fs_info, + struct btrfs_trans_handle *trans, + u64 bytenr, u64 num_bytes, u64 parent, + u64 ref_root, int level, int action, +- struct btrfs_delayed_extent_op *extent_op, +- int no_quota); ++ struct btrfs_delayed_extent_op *extent_op); + int btrfs_add_delayed_data_ref(struct btrfs_fs_info *fs_info, + struct btrfs_trans_handle *trans, + u64 bytenr, u64 num_bytes, + u64 parent, u64 ref_root, + u64 owner, u64 offset, int action, +- struct btrfs_delayed_extent_op *extent_op, +- int no_quota); ++ struct btrfs_delayed_extent_op *extent_op); + int btrfs_add_delayed_extent_op(struct btrfs_fs_info *fs_info, + struct btrfs_trans_handle *trans, + u64 bytenr, u64 num_bytes, +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 07204bf601ed..5d870c4eac05 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -95,8 +95,7 @@ static int alloc_reserved_tree_block(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + u64 parent, u64 root_objectid, + u64 flags, struct btrfs_disk_key *key, +- int level, struct btrfs_key *ins, +- int no_quota); ++ int level, struct btrfs_key *ins); + static int do_chunk_alloc(struct btrfs_trans_handle *trans, + struct btrfs_root *extent_root, u64 flags, + int force); +@@ -1941,8 +1940,7 @@ int btrfs_discard_extent(struct btrfs_root *root, u64 bytenr, + int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + u64 bytenr, u64 num_bytes, u64 parent, +- u64 root_objectid, u64 owner, u64 offset, +- int no_quota) ++ u64 root_objectid, u64 owner, u64 offset) + { + int ret; + struct btrfs_fs_info *fs_info = root->fs_info; +@@ -1954,12 +1952,12 @@ int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans, + ret = btrfs_add_delayed_tree_ref(fs_info, trans, bytenr, + num_bytes, + parent, root_objectid, (int)owner, +- BTRFS_ADD_DELAYED_REF, NULL, no_quota); ++ BTRFS_ADD_DELAYED_REF, NULL); + } else { + ret = btrfs_add_delayed_data_ref(fs_info, trans, bytenr, + num_bytes, + parent, root_objectid, owner, offset, +- BTRFS_ADD_DELAYED_REF, NULL, no_quota); ++ BTRFS_ADD_DELAYED_REF, NULL); + } + return ret; + } +@@ -1980,15 +1978,11 @@ static int __btrfs_inc_extent_ref(struct btrfs_trans_handle *trans, + u64 num_bytes = node->num_bytes; + u64 refs; + int ret; +- int no_quota = node->no_quota; + + path = btrfs_alloc_path(); + if (!path) + return -ENOMEM; + +- if (!is_fstree(root_objectid) || !root->fs_info->quota_enabled) +- no_quota = 1; +- + path->reada = 1; + path->leave_spinning = 1; + /* this will setup the path even if it fails to insert the back ref */ +@@ -2223,8 +2217,7 @@ static int run_delayed_tree_ref(struct btrfs_trans_handle *trans, + parent, ref_root, + extent_op->flags_to_set, + &extent_op->key, +- ref->level, &ins, +- node->no_quota); ++ ref->level, &ins); + } else if (node->action == BTRFS_ADD_DELAYED_REF) { + ret = __btrfs_inc_extent_ref(trans, root, node, + parent, ref_root, +@@ -2365,7 +2358,21 @@ static noinline int __btrfs_run_delayed_refs(struct btrfs_trans_handle *trans, + } + } + ++ /* ++ * We need to try and merge add/drops of the same ref since we ++ * can run into issues with relocate dropping the implicit ref ++ * and then it being added back again before the drop can ++ * finish. If we merged anything we need to re-loop so we can ++ * get a good ref. ++ * Or we can get node references of the same type that weren't ++ * merged when created due to bumps in the tree mod seq, and ++ * we need to merge them to prevent adding an inline extent ++ * backref before dropping it (triggering a BUG_ON at ++ * insert_inline_extent_backref()). ++ */ + spin_lock(&locked_ref->lock); ++ btrfs_merge_delayed_refs(trans, fs_info, delayed_refs, ++ locked_ref); + + /* + * locked_ref is the head node, so we have to go one +@@ -3038,7 +3045,7 @@ static int __btrfs_mod_ref(struct btrfs_trans_handle *trans, + int level; + int ret = 0; + int (*process_func)(struct btrfs_trans_handle *, struct btrfs_root *, +- u64, u64, u64, u64, u64, u64, int); ++ u64, u64, u64, u64, u64, u64); + + + if (btrfs_test_is_dummy_root(root)) +@@ -3079,15 +3086,14 @@ static int __btrfs_mod_ref(struct btrfs_trans_handle *trans, + key.offset -= btrfs_file_extent_offset(buf, fi); + ret = process_func(trans, root, bytenr, num_bytes, + parent, ref_root, key.objectid, +- key.offset, 1); ++ key.offset); + if (ret) + goto fail; + } else { + bytenr = btrfs_node_blockptr(buf, i); + num_bytes = root->nodesize; + ret = process_func(trans, root, bytenr, num_bytes, +- parent, ref_root, level - 1, 0, +- 1); ++ parent, ref_root, level - 1, 0); + if (ret) + goto fail; + } +@@ -6137,7 +6143,6 @@ static int __btrfs_free_extent(struct btrfs_trans_handle *trans, + int extent_slot = 0; + int found_extent = 0; + int num_to_del = 1; +- int no_quota = node->no_quota; + u32 item_size; + u64 refs; + u64 bytenr = node->bytenr; +@@ -6146,9 +6151,6 @@ static int __btrfs_free_extent(struct btrfs_trans_handle *trans, + bool skinny_metadata = btrfs_fs_incompat(root->fs_info, + SKINNY_METADATA); + +- if (!info->quota_enabled || !is_fstree(root_objectid)) +- no_quota = 1; +- + path = btrfs_alloc_path(); + if (!path) + return -ENOMEM; +@@ -6474,7 +6476,7 @@ void btrfs_free_tree_block(struct btrfs_trans_handle *trans, + buf->start, buf->len, + parent, root->root_key.objectid, + btrfs_header_level(buf), +- BTRFS_DROP_DELAYED_REF, NULL, 0); ++ BTRFS_DROP_DELAYED_REF, NULL); + BUG_ON(ret); /* -ENOMEM */ + } + +@@ -6522,7 +6524,7 @@ out: + /* Can return -ENOMEM */ + int btrfs_free_extent(struct btrfs_trans_handle *trans, struct btrfs_root *root, + u64 bytenr, u64 num_bytes, u64 parent, u64 root_objectid, +- u64 owner, u64 offset, int no_quota) ++ u64 owner, u64 offset) + { + int ret; + struct btrfs_fs_info *fs_info = root->fs_info; +@@ -6545,13 +6547,13 @@ int btrfs_free_extent(struct btrfs_trans_handle *trans, struct btrfs_root *root, + ret = btrfs_add_delayed_tree_ref(fs_info, trans, bytenr, + num_bytes, + parent, root_objectid, (int)owner, +- BTRFS_DROP_DELAYED_REF, NULL, no_quota); ++ BTRFS_DROP_DELAYED_REF, NULL); + } else { + ret = btrfs_add_delayed_data_ref(fs_info, trans, bytenr, + num_bytes, + parent, root_objectid, owner, + offset, BTRFS_DROP_DELAYED_REF, +- NULL, no_quota); ++ NULL); + } + return ret; + } +@@ -7333,8 +7335,7 @@ static int alloc_reserved_tree_block(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + u64 parent, u64 root_objectid, + u64 flags, struct btrfs_disk_key *key, +- int level, struct btrfs_key *ins, +- int no_quota) ++ int level, struct btrfs_key *ins) + { + int ret; + struct btrfs_fs_info *fs_info = root->fs_info; +@@ -7424,7 +7425,7 @@ int btrfs_alloc_reserved_file_extent(struct btrfs_trans_handle *trans, + ret = btrfs_add_delayed_data_ref(root->fs_info, trans, ins->objectid, + ins->offset, 0, + root_objectid, owner, offset, +- BTRFS_ADD_DELAYED_EXTENT, NULL, 0); ++ BTRFS_ADD_DELAYED_EXTENT, NULL); + return ret; + } + +@@ -7641,7 +7642,7 @@ struct extent_buffer *btrfs_alloc_tree_block(struct btrfs_trans_handle *trans, + ins.objectid, ins.offset, + parent, root_objectid, level, + BTRFS_ADD_DELAYED_EXTENT, +- extent_op, 0); ++ extent_op); + if (ret) + goto out_free_delayed; + } +@@ -8189,7 +8190,7 @@ skip: + } + } + ret = btrfs_free_extent(trans, root, bytenr, blocksize, parent, +- root->root_key.objectid, level - 1, 0, 0); ++ root->root_key.objectid, level - 1, 0); + BUG_ON(ret); /* -ENOMEM */ + } + btrfs_tree_unlock(next); +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index b823fac91c92..5e314856a58c 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -756,8 +756,16 @@ next_slot: + } + + btrfs_item_key_to_cpu(leaf, &key, path->slots[0]); +- if (key.objectid > ino || +- key.type > BTRFS_EXTENT_DATA_KEY || key.offset >= end) ++ ++ if (key.objectid > ino) ++ break; ++ if (WARN_ON_ONCE(key.objectid < ino) || ++ key.type < BTRFS_EXTENT_DATA_KEY) { ++ ASSERT(del_nr == 0); ++ path->slots[0]++; ++ goto next_slot; ++ } ++ if (key.type > BTRFS_EXTENT_DATA_KEY || key.offset >= end) + break; + + fi = btrfs_item_ptr(leaf, path->slots[0], +@@ -776,8 +784,8 @@ next_slot: + btrfs_file_extent_inline_len(leaf, + path->slots[0], fi); + } else { +- WARN_ON(1); +- extent_end = search_start; ++ /* can't happen */ ++ BUG(); + } + + /* +@@ -847,7 +855,7 @@ next_slot: + disk_bytenr, num_bytes, 0, + root->root_key.objectid, + new_key.objectid, +- start - extent_offset, 1); ++ start - extent_offset); + BUG_ON(ret); /* -ENOMEM */ + } + key.offset = start; +@@ -925,7 +933,7 @@ delete_extent_item: + disk_bytenr, num_bytes, 0, + root->root_key.objectid, + key.objectid, key.offset - +- extent_offset, 0); ++ extent_offset); + BUG_ON(ret); /* -ENOMEM */ + inode_sub_bytes(inode, + extent_end - key.offset); +@@ -1204,7 +1212,7 @@ again: + + ret = btrfs_inc_extent_ref(trans, root, bytenr, num_bytes, 0, + root->root_key.objectid, +- ino, orig_offset, 1); ++ ino, orig_offset); + BUG_ON(ret); /* -ENOMEM */ + + if (split == start) { +@@ -1231,7 +1239,7 @@ again: + del_nr++; + ret = btrfs_free_extent(trans, root, bytenr, num_bytes, + 0, root->root_key.objectid, +- ino, orig_offset, 0); ++ ino, orig_offset); + BUG_ON(ret); /* -ENOMEM */ + } + other_start = 0; +@@ -1248,7 +1256,7 @@ again: + del_nr++; + ret = btrfs_free_extent(trans, root, bytenr, num_bytes, + 0, root->root_key.objectid, +- ino, orig_offset, 0); ++ ino, orig_offset); + BUG_ON(ret); /* -ENOMEM */ + } + if (del_nr == 0) { +@@ -1868,8 +1876,13 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync) + struct btrfs_log_ctx ctx; + int ret = 0; + bool full_sync = 0; +- const u64 len = end - start + 1; ++ u64 len; + ++ /* ++ * The range length can be represented by u64, we have to do the typecasts ++ * to avoid signed overflow if it's [0, LLONG_MAX] eg. from fsync() ++ */ ++ len = (u64)end - (u64)start + 1; + trace_btrfs_sync_file(file, datasync); + + /* +@@ -2057,8 +2070,7 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync) + } + } + if (!full_sync) { +- ret = btrfs_wait_ordered_range(inode, start, +- end - start + 1); ++ ret = btrfs_wait_ordered_range(inode, start, len); + if (ret) { + btrfs_end_transaction(trans, root); + goto out; +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index b54e63038b96..9aabff2102f8 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1294,8 +1294,14 @@ next_slot: + num_bytes = 0; + btrfs_item_key_to_cpu(leaf, &found_key, path->slots[0]); + +- if (found_key.objectid > ino || +- found_key.type > BTRFS_EXTENT_DATA_KEY || ++ if (found_key.objectid > ino) ++ break; ++ if (WARN_ON_ONCE(found_key.objectid < ino) || ++ found_key.type < BTRFS_EXTENT_DATA_KEY) { ++ path->slots[0]++; ++ goto next_slot; ++ } ++ if (found_key.type > BTRFS_EXTENT_DATA_KEY || + found_key.offset > end) + break; + +@@ -2569,7 +2575,7 @@ again: + ret = btrfs_inc_extent_ref(trans, root, new->bytenr, + new->disk_len, 0, + backref->root_id, backref->inum, +- new->file_pos, 0); /* start - extent_offset */ ++ new->file_pos); /* start - extent_offset */ + if (ret) { + btrfs_abort_transaction(trans, root, ret); + goto out_free_path; +@@ -4184,6 +4190,47 @@ static int truncate_space_check(struct btrfs_trans_handle *trans, + + } + ++static int truncate_inline_extent(struct inode *inode, ++ struct btrfs_path *path, ++ struct btrfs_key *found_key, ++ const u64 item_end, ++ const u64 new_size) ++{ ++ struct extent_buffer *leaf = path->nodes[0]; ++ int slot = path->slots[0]; ++ struct btrfs_file_extent_item *fi; ++ u32 size = (u32)(new_size - found_key->offset); ++ struct btrfs_root *root = BTRFS_I(inode)->root; ++ ++ fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item); ++ ++ if (btrfs_file_extent_compression(leaf, fi) != BTRFS_COMPRESS_NONE) { ++ loff_t offset = new_size; ++ loff_t page_end = ALIGN(offset, PAGE_CACHE_SIZE); ++ ++ /* ++ * Zero out the remaining of the last page of our inline extent, ++ * instead of directly truncating our inline extent here - that ++ * would be much more complex (decompressing all the data, then ++ * compressing the truncated data, which might be bigger than ++ * the size of the inline extent, resize the extent, etc). ++ * We release the path because to get the page we might need to ++ * read the extent item from disk (data not in the page cache). ++ */ ++ btrfs_release_path(path); ++ return btrfs_truncate_page(inode, offset, page_end - offset, 0); ++ } ++ ++ btrfs_set_file_extent_ram_bytes(leaf, fi, size); ++ size = btrfs_file_extent_calc_inline_size(size); ++ btrfs_truncate_item(root, path, size, 1); ++ ++ if (test_bit(BTRFS_ROOT_REF_COWS, &root->state)) ++ inode_sub_bytes(inode, item_end + 1 - new_size); ++ ++ return 0; ++} ++ + /* + * this can truncate away extent items, csum items and directory items. + * It starts at a high offset and removes keys until it can't find +@@ -4378,27 +4425,40 @@ search_again: + * special encodings + */ + if (!del_item && +- btrfs_file_extent_compression(leaf, fi) == 0 && + btrfs_file_extent_encryption(leaf, fi) == 0 && + btrfs_file_extent_other_encoding(leaf, fi) == 0) { +- u32 size = new_size - found_key.offset; +- +- if (test_bit(BTRFS_ROOT_REF_COWS, &root->state)) +- inode_sub_bytes(inode, item_end + 1 - +- new_size); + + /* +- * update the ram bytes to properly reflect +- * the new size of our item ++ * Need to release path in order to truncate a ++ * compressed extent. So delete any accumulated ++ * extent items so far. + */ +- btrfs_set_file_extent_ram_bytes(leaf, fi, size); +- size = +- btrfs_file_extent_calc_inline_size(size); +- btrfs_truncate_item(root, path, size, 1); ++ if (btrfs_file_extent_compression(leaf, fi) != ++ BTRFS_COMPRESS_NONE && pending_del_nr) { ++ err = btrfs_del_items(trans, root, path, ++ pending_del_slot, ++ pending_del_nr); ++ if (err) { ++ btrfs_abort_transaction(trans, ++ root, ++ err); ++ goto error; ++ } ++ pending_del_nr = 0; ++ } ++ ++ err = truncate_inline_extent(inode, path, ++ &found_key, ++ item_end, ++ new_size); ++ if (err) { ++ btrfs_abort_transaction(trans, ++ root, err); ++ goto error; ++ } + } else if (test_bit(BTRFS_ROOT_REF_COWS, + &root->state)) { +- inode_sub_bytes(inode, item_end + 1 - +- found_key.offset); ++ inode_sub_bytes(inode, item_end + 1 - new_size); + } + } + delete: +@@ -4428,7 +4488,7 @@ delete: + ret = btrfs_free_extent(trans, root, extent_start, + extent_num_bytes, 0, + btrfs_header_owner(leaf), +- ino, extent_offset, 0); ++ ino, extent_offset); + BUG_ON(ret); + if (btrfs_should_throttle_delayed_refs(trans, root)) + btrfs_async_run_delayed_refs(root, +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 641d3dc4f31e..be4e53c61dd9 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3195,41 +3195,6 @@ out: + return ret; + } + +-/* Helper to check and see if this root currently has a ref on the given disk +- * bytenr. If it does then we need to update the quota for this root. This +- * doesn't do anything if quotas aren't enabled. +- */ +-static int check_ref(struct btrfs_trans_handle *trans, struct btrfs_root *root, +- u64 disko) +-{ +- struct seq_list tree_mod_seq_elem = SEQ_LIST_INIT(tree_mod_seq_elem); +- struct ulist *roots; +- struct ulist_iterator uiter; +- struct ulist_node *root_node = NULL; +- int ret; +- +- if (!root->fs_info->quota_enabled) +- return 1; +- +- btrfs_get_tree_mod_seq(root->fs_info, &tree_mod_seq_elem); +- ret = btrfs_find_all_roots(trans, root->fs_info, disko, +- tree_mod_seq_elem.seq, &roots); +- if (ret < 0) +- goto out; +- ret = 0; +- ULIST_ITER_INIT(&uiter); +- while ((root_node = ulist_next(roots, &uiter))) { +- if (root_node->val == root->objectid) { +- ret = 1; +- break; +- } +- } +- ulist_free(roots); +-out: +- btrfs_put_tree_mod_seq(root->fs_info, &tree_mod_seq_elem); +- return ret; +-} +- + static int clone_finish_inode_update(struct btrfs_trans_handle *trans, + struct inode *inode, + u64 endoff, +@@ -3320,6 +3285,150 @@ static void clone_update_extent_map(struct inode *inode, + &BTRFS_I(inode)->runtime_flags); + } + ++/* ++ * Make sure we do not end up inserting an inline extent into a file that has ++ * already other (non-inline) extents. If a file has an inline extent it can ++ * not have any other extents and the (single) inline extent must start at the ++ * file offset 0. Failing to respect these rules will lead to file corruption, ++ * resulting in EIO errors on read/write operations, hitting BUG_ON's in mm, etc ++ * ++ * We can have extents that have been already written to disk or we can have ++ * dirty ranges still in delalloc, in which case the extent maps and items are ++ * created only when we run delalloc, and the delalloc ranges might fall outside ++ * the range we are currently locking in the inode's io tree. So we check the ++ * inode's i_size because of that (i_size updates are done while holding the ++ * i_mutex, which we are holding here). ++ * We also check to see if the inode has a size not greater than "datal" but has ++ * extents beyond it, due to an fallocate with FALLOC_FL_KEEP_SIZE (and we are ++ * protected against such concurrent fallocate calls by the i_mutex). ++ * ++ * If the file has no extents but a size greater than datal, do not allow the ++ * copy because we would need turn the inline extent into a non-inline one (even ++ * with NO_HOLES enabled). If we find our destination inode only has one inline ++ * extent, just overwrite it with the source inline extent if its size is less ++ * than the source extent's size, or we could copy the source inline extent's ++ * data into the destination inode's inline extent if the later is greater then ++ * the former. ++ */ ++static int clone_copy_inline_extent(struct inode *src, ++ struct inode *dst, ++ struct btrfs_trans_handle *trans, ++ struct btrfs_path *path, ++ struct btrfs_key *new_key, ++ const u64 drop_start, ++ const u64 datal, ++ const u64 skip, ++ const u64 size, ++ char *inline_data) ++{ ++ struct btrfs_root *root = BTRFS_I(dst)->root; ++ const u64 aligned_end = ALIGN(new_key->offset + datal, ++ root->sectorsize); ++ int ret; ++ struct btrfs_key key; ++ ++ if (new_key->offset > 0) ++ return -EOPNOTSUPP; ++ ++ key.objectid = btrfs_ino(dst); ++ key.type = BTRFS_EXTENT_DATA_KEY; ++ key.offset = 0; ++ ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); ++ if (ret < 0) { ++ return ret; ++ } else if (ret > 0) { ++ if (path->slots[0] >= btrfs_header_nritems(path->nodes[0])) { ++ ret = btrfs_next_leaf(root, path); ++ if (ret < 0) ++ return ret; ++ else if (ret > 0) ++ goto copy_inline_extent; ++ } ++ btrfs_item_key_to_cpu(path->nodes[0], &key, path->slots[0]); ++ if (key.objectid == btrfs_ino(dst) && ++ key.type == BTRFS_EXTENT_DATA_KEY) { ++ ASSERT(key.offset > 0); ++ return -EOPNOTSUPP; ++ } ++ } else if (i_size_read(dst) <= datal) { ++ struct btrfs_file_extent_item *ei; ++ u64 ext_len; ++ ++ /* ++ * If the file size is <= datal, make sure there are no other ++ * extents following (can happen do to an fallocate call with ++ * the flag FALLOC_FL_KEEP_SIZE). ++ */ ++ ei = btrfs_item_ptr(path->nodes[0], path->slots[0], ++ struct btrfs_file_extent_item); ++ /* ++ * If it's an inline extent, it can not have other extents ++ * following it. ++ */ ++ if (btrfs_file_extent_type(path->nodes[0], ei) == ++ BTRFS_FILE_EXTENT_INLINE) ++ goto copy_inline_extent; ++ ++ ext_len = btrfs_file_extent_num_bytes(path->nodes[0], ei); ++ if (ext_len > aligned_end) ++ return -EOPNOTSUPP; ++ ++ ret = btrfs_next_item(root, path); ++ if (ret < 0) { ++ return ret; ++ } else if (ret == 0) { ++ btrfs_item_key_to_cpu(path->nodes[0], &key, ++ path->slots[0]); ++ if (key.objectid == btrfs_ino(dst) && ++ key.type == BTRFS_EXTENT_DATA_KEY) ++ return -EOPNOTSUPP; ++ } ++ } ++ ++copy_inline_extent: ++ /* ++ * We have no extent items, or we have an extent at offset 0 which may ++ * or may not be inlined. All these cases are dealt the same way. ++ */ ++ if (i_size_read(dst) > datal) { ++ /* ++ * If the destination inode has an inline extent... ++ * This would require copying the data from the source inline ++ * extent into the beginning of the destination's inline extent. ++ * But this is really complex, both extents can be compressed ++ * or just one of them, which would require decompressing and ++ * re-compressing data (which could increase the new compressed ++ * size, not allowing the compressed data to fit anymore in an ++ * inline extent). ++ * So just don't support this case for now (it should be rare, ++ * we are not really saving space when cloning inline extents). ++ */ ++ return -EOPNOTSUPP; ++ } ++ ++ btrfs_release_path(path); ++ ret = btrfs_drop_extents(trans, root, dst, drop_start, aligned_end, 1); ++ if (ret) ++ return ret; ++ ret = btrfs_insert_empty_item(trans, root, path, new_key, size); ++ if (ret) ++ return ret; ++ ++ if (skip) { ++ const u32 start = btrfs_file_extent_calc_inline_size(0); ++ ++ memmove(inline_data + start, inline_data + start + skip, datal); ++ } ++ ++ write_extent_buffer(path->nodes[0], inline_data, ++ btrfs_item_ptr_offset(path->nodes[0], ++ path->slots[0]), ++ size); ++ inode_add_bytes(dst, datal); ++ ++ return 0; ++} ++ + /** + * btrfs_clone() - clone a range from inode file to another + * +@@ -3344,9 +3453,7 @@ static int btrfs_clone(struct inode *src, struct inode *inode, + u32 nritems; + int slot; + int ret; +- int no_quota; + const u64 len = olen_aligned; +- u64 last_disko = 0; + u64 last_dest_end = destoff; + + ret = -ENOMEM; +@@ -3392,7 +3499,6 @@ static int btrfs_clone(struct inode *src, struct inode *inode, + + nritems = btrfs_header_nritems(path->nodes[0]); + process_slot: +- no_quota = 1; + if (path->slots[0] >= nritems) { + ret = btrfs_next_leaf(BTRFS_I(src)->root, path); + if (ret < 0) +@@ -3544,35 +3650,13 @@ process_slot: + btrfs_set_file_extent_num_bytes(leaf, extent, + datal); + +- /* +- * We need to look up the roots that point at +- * this bytenr and see if the new root does. If +- * it does not we need to make sure we update +- * quotas appropriately. +- */ +- if (disko && root != BTRFS_I(src)->root && +- disko != last_disko) { +- no_quota = check_ref(trans, root, +- disko); +- if (no_quota < 0) { +- btrfs_abort_transaction(trans, +- root, +- ret); +- btrfs_end_transaction(trans, +- root); +- ret = no_quota; +- goto out; +- } +- } +- + if (disko) { + inode_add_bytes(inode, datal); + ret = btrfs_inc_extent_ref(trans, root, + disko, diskl, 0, + root->root_key.objectid, + btrfs_ino(inode), +- new_key.offset - datao, +- no_quota); ++ new_key.offset - datao); + if (ret) { + btrfs_abort_transaction(trans, + root, +@@ -3586,21 +3670,6 @@ process_slot: + } else if (type == BTRFS_FILE_EXTENT_INLINE) { + u64 skip = 0; + u64 trim = 0; +- u64 aligned_end = 0; +- +- /* +- * Don't copy an inline extent into an offset +- * greater than zero. Having an inline extent +- * at such an offset results in chaos as btrfs +- * isn't prepared for such cases. Just skip +- * this case for the same reasons as commented +- * at btrfs_ioctl_clone(). +- */ +- if (last_dest_end > 0) { +- ret = -EOPNOTSUPP; +- btrfs_end_transaction(trans, root); +- goto out; +- } + + if (off > key.offset) { + skip = off - key.offset; +@@ -3618,42 +3687,22 @@ process_slot: + size -= skip + trim; + datal -= skip + trim; + +- aligned_end = ALIGN(new_key.offset + datal, +- root->sectorsize); +- ret = btrfs_drop_extents(trans, root, inode, +- drop_start, +- aligned_end, +- 1); ++ ret = clone_copy_inline_extent(src, inode, ++ trans, path, ++ &new_key, ++ drop_start, ++ datal, ++ skip, size, buf); + if (ret) { + if (ret != -EOPNOTSUPP) + btrfs_abort_transaction(trans, +- root, ret); +- btrfs_end_transaction(trans, root); +- goto out; +- } +- +- ret = btrfs_insert_empty_item(trans, root, path, +- &new_key, size); +- if (ret) { +- btrfs_abort_transaction(trans, root, +- ret); ++ root, ++ ret); + btrfs_end_transaction(trans, root); + goto out; + } +- +- if (skip) { +- u32 start = +- btrfs_file_extent_calc_inline_size(0); +- memmove(buf+start, buf+start+skip, +- datal); +- } +- + leaf = path->nodes[0]; + slot = path->slots[0]; +- write_extent_buffer(leaf, buf, +- btrfs_item_ptr_offset(leaf, slot), +- size); +- inode_add_bytes(inode, datal); + } + + /* If we have an implicit hole (NO_HOLES feature). */ +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 88cbb5995667..3a828a33cd67 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -1716,7 +1716,7 @@ int replace_file_extents(struct btrfs_trans_handle *trans, + ret = btrfs_inc_extent_ref(trans, root, new_bytenr, + num_bytes, parent, + btrfs_header_owner(leaf), +- key.objectid, key.offset, 1); ++ key.objectid, key.offset); + if (ret) { + btrfs_abort_transaction(trans, root, ret); + break; +@@ -1724,7 +1724,7 @@ int replace_file_extents(struct btrfs_trans_handle *trans, + + ret = btrfs_free_extent(trans, root, bytenr, num_bytes, + parent, btrfs_header_owner(leaf), +- key.objectid, key.offset, 1); ++ key.objectid, key.offset); + if (ret) { + btrfs_abort_transaction(trans, root, ret); + break; +@@ -1900,23 +1900,21 @@ again: + + ret = btrfs_inc_extent_ref(trans, src, old_bytenr, blocksize, + path->nodes[level]->start, +- src->root_key.objectid, level - 1, 0, +- 1); ++ src->root_key.objectid, level - 1, 0); + BUG_ON(ret); + ret = btrfs_inc_extent_ref(trans, dest, new_bytenr, blocksize, + 0, dest->root_key.objectid, level - 1, +- 0, 1); ++ 0); + BUG_ON(ret); + + ret = btrfs_free_extent(trans, src, new_bytenr, blocksize, + path->nodes[level]->start, +- src->root_key.objectid, level - 1, 0, +- 1); ++ src->root_key.objectid, level - 1, 0); + BUG_ON(ret); + + ret = btrfs_free_extent(trans, dest, old_bytenr, blocksize, + 0, dest->root_key.objectid, level - 1, +- 0, 1); ++ 0); + BUG_ON(ret); + + btrfs_unlock_up_safe(path, 0); +@@ -2746,7 +2744,7 @@ static int do_relocation(struct btrfs_trans_handle *trans, + node->eb->start, blocksize, + upper->eb->start, + btrfs_header_owner(upper->eb), +- node->level, 0, 1); ++ node->level, 0); + BUG_ON(ret); + + ret = btrfs_drop_subtree(trans, root, eb, upper->eb); +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index aa72bfd28f7d..890933b61267 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -2351,8 +2351,14 @@ static int send_subvol_begin(struct send_ctx *sctx) + } + + TLV_PUT_STRING(sctx, BTRFS_SEND_A_PATH, name, namelen); +- TLV_PUT_UUID(sctx, BTRFS_SEND_A_UUID, +- sctx->send_root->root_item.uuid); ++ ++ if (!btrfs_is_empty_uuid(sctx->send_root->root_item.received_uuid)) ++ TLV_PUT_UUID(sctx, BTRFS_SEND_A_UUID, ++ sctx->send_root->root_item.received_uuid); ++ else ++ TLV_PUT_UUID(sctx, BTRFS_SEND_A_UUID, ++ sctx->send_root->root_item.uuid); ++ + TLV_PUT_U64(sctx, BTRFS_SEND_A_CTRANSID, + le64_to_cpu(sctx->send_root->root_item.ctransid)); + if (parent_root) { +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 9c45431e69ab..7639695075dd 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -700,7 +700,7 @@ static noinline int replay_one_extent(struct btrfs_trans_handle *trans, + ret = btrfs_inc_extent_ref(trans, root, + ins.objectid, ins.offset, + 0, root->root_key.objectid, +- key->objectid, offset, 0); ++ key->objectid, offset); + if (ret) + goto out; + } else { +diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c +index 6f518c90e1c1..1fcd7b6e7564 100644 +--- a/fs/btrfs/xattr.c ++++ b/fs/btrfs/xattr.c +@@ -313,8 +313,10 @@ ssize_t btrfs_listxattr(struct dentry *dentry, char *buffer, size_t size) + /* check to make sure this item is what we want */ + if (found_key.objectid != key.objectid) + break; +- if (found_key.type != BTRFS_XATTR_ITEM_KEY) ++ if (found_key.type > BTRFS_XATTR_ITEM_KEY) + break; ++ if (found_key.type < BTRFS_XATTR_ITEM_KEY) ++ goto next; + + di = btrfs_item_ptr(leaf, slot, struct btrfs_dir_item); + if (verify_dir_item(root, leaf, di)) +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index 6aa07af67603..df45a818c570 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -1935,7 +1935,7 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc, + + len = sizeof(*head) + + pathlen1 + pathlen2 + 2*(1 + sizeof(u32) + sizeof(u64)) + +- sizeof(struct timespec); ++ sizeof(struct ceph_timespec); + + /* calculate (max) length for cap releases */ + len += sizeof(struct ceph_mds_request_release) * +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c +index c711be8d6a3c..9c8d23316da1 100644 +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -271,8 +271,12 @@ static struct dentry *start_creating(const char *name, struct dentry *parent) + dput(dentry); + dentry = ERR_PTR(-EEXIST); + } +- if (IS_ERR(dentry)) ++ ++ if (IS_ERR(dentry)) { + mutex_unlock(&d_inode(parent)->i_mutex); ++ simple_release_fs(&debugfs_mount, &debugfs_mount_count); ++ } ++ + return dentry; + } + +diff --git a/fs/ext4/crypto.c b/fs/ext4/crypto.c +index 45731558138c..54a5169327a3 100644 +--- a/fs/ext4/crypto.c ++++ b/fs/ext4/crypto.c +@@ -296,7 +296,6 @@ static int ext4_page_crypto(struct ext4_crypto_ctx *ctx, + else + res = crypto_ablkcipher_encrypt(req); + if (res == -EINPROGRESS || res == -EBUSY) { +- BUG_ON(req->base.data != &ecr); + wait_for_completion(&ecr.completion); + res = ecr.res; + } +diff --git a/fs/ext4/crypto_fname.c b/fs/ext4/crypto_fname.c +index 7dc4eb55913c..f9d53c2bd756 100644 +--- a/fs/ext4/crypto_fname.c ++++ b/fs/ext4/crypto_fname.c +@@ -121,7 +121,6 @@ static int ext4_fname_encrypt(struct inode *inode, + ablkcipher_request_set_crypt(req, &src_sg, &dst_sg, ciphertext_len, iv); + res = crypto_ablkcipher_encrypt(req); + if (res == -EINPROGRESS || res == -EBUSY) { +- BUG_ON(req->base.data != &ecr); + wait_for_completion(&ecr.completion); + res = ecr.res; + } +@@ -183,7 +182,6 @@ static int ext4_fname_decrypt(struct inode *inode, + ablkcipher_request_set_crypt(req, &src_sg, &dst_sg, iname->len, iv); + res = crypto_ablkcipher_decrypt(req); + if (res == -EINPROGRESS || res == -EBUSY) { +- BUG_ON(req->base.data != &ecr); + wait_for_completion(&ecr.completion); + res = ecr.res; + } +diff --git a/fs/ext4/crypto_key.c b/fs/ext4/crypto_key.c +index 442d24e8efc0..9bad1132ac8f 100644 +--- a/fs/ext4/crypto_key.c ++++ b/fs/ext4/crypto_key.c +@@ -71,7 +71,6 @@ static int ext4_derive_key_aes(char deriving_key[EXT4_AES_128_ECB_KEY_SIZE], + EXT4_AES_256_XTS_KEY_SIZE, NULL); + res = crypto_ablkcipher_encrypt(req); + if (res == -EINPROGRESS || res == -EBUSY) { +- BUG_ON(req->base.data != &ecr); + wait_for_completion(&ecr.completion); + res = ecr.res; + } +@@ -208,7 +207,12 @@ retry: + goto out; + } + crypt_info->ci_keyring_key = keyring_key; +- BUG_ON(keyring_key->type != &key_type_logon); ++ if (keyring_key->type != &key_type_logon) { ++ printk_once(KERN_WARNING ++ "ext4: key type must be logon\n"); ++ res = -ENOKEY; ++ goto out; ++ } + ukp = ((struct user_key_payload *)keyring_key->payload.data); + if (ukp->datalen != sizeof(struct ext4_encryption_key)) { + res = -EINVAL; +@@ -217,7 +221,13 @@ retry: + master_key = (struct ext4_encryption_key *)ukp->data; + BUILD_BUG_ON(EXT4_AES_128_ECB_KEY_SIZE != + EXT4_KEY_DERIVATION_NONCE_SIZE); +- BUG_ON(master_key->size != EXT4_AES_256_XTS_KEY_SIZE); ++ if (master_key->size != EXT4_AES_256_XTS_KEY_SIZE) { ++ printk_once(KERN_WARNING ++ "ext4: key size incorrect: %d\n", ++ master_key->size); ++ res = -ENOKEY; ++ goto out; ++ } + res = ext4_derive_key_aes(ctx.nonce, master_key->raw, + raw_key); + got_key: +diff --git a/fs/ext4/crypto_policy.c b/fs/ext4/crypto_policy.c +index 02c4e5df7afb..f92fa93e67f1 100644 +--- a/fs/ext4/crypto_policy.c ++++ b/fs/ext4/crypto_policy.c +@@ -137,7 +137,8 @@ int ext4_is_child_context_consistent_with_parent(struct inode *parent, + + if ((parent == NULL) || (child == NULL)) { + pr_err("parent %p child %p\n", parent, child); +- BUG_ON(1); ++ WARN_ON(1); /* Should never happen */ ++ return 0; + } + /* no restrictions if the parent directory is not encrypted */ + if (!ext4_encrypted_inode(parent)) +diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c +index d41843181818..e770c1ee4613 100644 +--- a/fs/ext4/ext4_jbd2.c ++++ b/fs/ext4/ext4_jbd2.c +@@ -88,13 +88,13 @@ int __ext4_journal_stop(const char *where, unsigned int line, handle_t *handle) + return 0; + } + ++ err = handle->h_err; + if (!handle->h_transaction) { +- err = jbd2_journal_stop(handle); +- return handle->h_err ? handle->h_err : err; ++ rc = jbd2_journal_stop(handle); ++ return err ? err : rc; + } + + sb = handle->h_transaction->t_journal->j_private; +- err = handle->h_err; + rc = jbd2_journal_stop(handle); + + if (!err) +diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c +index 5602450f03f6..89e96f99dae7 100644 +--- a/fs/ext4/page-io.c ++++ b/fs/ext4/page-io.c +@@ -425,6 +425,7 @@ int ext4_bio_write_page(struct ext4_io_submit *io, + struct buffer_head *bh, *head; + int ret = 0; + int nr_submitted = 0; ++ int nr_to_submit = 0; + + blocksize = 1 << inode->i_blkbits; + +@@ -477,11 +478,13 @@ int ext4_bio_write_page(struct ext4_io_submit *io, + unmap_underlying_metadata(bh->b_bdev, bh->b_blocknr); + } + set_buffer_async_write(bh); ++ nr_to_submit++; + } while ((bh = bh->b_this_page) != head); + + bh = head = page_buffers(page); + +- if (ext4_encrypted_inode(inode) && S_ISREG(inode->i_mode)) { ++ if (ext4_encrypted_inode(inode) && S_ISREG(inode->i_mode) && ++ nr_to_submit) { + data_page = ext4_encrypt(inode, page); + if (IS_ERR(data_page)) { + ret = PTR_ERR(data_page); +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index a5e8c744e962..bc24d1b44b8f 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -397,9 +397,13 @@ static void ext4_handle_error(struct super_block *sb) + smp_wmb(); + sb->s_flags |= MS_RDONLY; + } +- if (test_opt(sb, ERRORS_PANIC)) ++ if (test_opt(sb, ERRORS_PANIC)) { ++ if (EXT4_SB(sb)->s_journal && ++ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR)) ++ return; + panic("EXT4-fs (device %s): panic forced after error\n", + sb->s_id); ++ } + } + + #define ext4_error_ratelimit(sb) \ +@@ -588,8 +592,12 @@ void __ext4_abort(struct super_block *sb, const char *function, + jbd2_journal_abort(EXT4_SB(sb)->s_journal, -EIO); + save_error_info(sb, function, line); + } +- if (test_opt(sb, ERRORS_PANIC)) ++ if (test_opt(sb, ERRORS_PANIC)) { ++ if (EXT4_SB(sb)->s_journal && ++ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR)) ++ return; + panic("EXT4-fs panic from previous error\n"); ++ } + } + + void __ext4_msg(struct super_block *sb, +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index 2721513adb1f..fd2787a39b87 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -2071,8 +2071,12 @@ static void __journal_abort_soft (journal_t *journal, int errno) + + __jbd2_journal_abort_hard(journal); + +- if (errno) ++ if (errno) { + jbd2_journal_update_sb_errno(journal); ++ write_lock(&journal->j_state_lock); ++ journal->j_flags |= JBD2_REC_ERR; ++ write_unlock(&journal->j_state_lock); ++ } + } + + /** +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 4afbe13321cb..f27cc76ed5e6 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -1816,7 +1816,11 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr) + if ((long)fattr->gencount - (long)nfsi->attr_gencount > 0) + nfsi->attr_gencount = fattr->gencount; + } +- invalid &= ~NFS_INO_INVALID_ATTR; ++ ++ /* Don't declare attrcache up to date if there were no attrs! */ ++ if (fattr->valid != 0) ++ invalid &= ~NFS_INO_INVALID_ATTR; ++ + /* Don't invalidate the data if we were to blame */ + if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) + || S_ISLNK(inode->i_mode))) +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index 3aa6a9ba5113..199648d5fcc5 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -33,7 +33,7 @@ static int nfs_get_cb_ident_idr(struct nfs_client *clp, int minorversion) + return ret; + idr_preload(GFP_KERNEL); + spin_lock(&nn->nfs_client_lock); +- ret = idr_alloc(&nn->cb_ident_idr, clp, 0, 0, GFP_NOWAIT); ++ ret = idr_alloc(&nn->cb_ident_idr, clp, 1, 0, GFP_NOWAIT); + if (ret >= 0) + clp->cl_cb_ident = ret; + spin_unlock(&nn->nfs_client_lock); +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 75189cd34583..5ea13286e2b0 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -765,16 +765,68 @@ void nfs4_unhash_stid(struct nfs4_stid *s) + s->sc_type = 0; + } + +-static void ++/** ++ * nfs4_get_existing_delegation - Discover if this delegation already exists ++ * @clp: a pointer to the nfs4_client we're granting a delegation to ++ * @fp: a pointer to the nfs4_file we're granting a delegation on ++ * ++ * Return: ++ * On success: NULL if an existing delegation was not found. ++ * ++ * On error: -EAGAIN if one was previously granted to this nfs4_client ++ * for this nfs4_file. ++ * ++ */ ++ ++static int ++nfs4_get_existing_delegation(struct nfs4_client *clp, struct nfs4_file *fp) ++{ ++ struct nfs4_delegation *searchdp = NULL; ++ struct nfs4_client *searchclp = NULL; ++ ++ lockdep_assert_held(&state_lock); ++ lockdep_assert_held(&fp->fi_lock); ++ ++ list_for_each_entry(searchdp, &fp->fi_delegations, dl_perfile) { ++ searchclp = searchdp->dl_stid.sc_client; ++ if (clp == searchclp) { ++ return -EAGAIN; ++ } ++ } ++ return 0; ++} ++ ++/** ++ * hash_delegation_locked - Add a delegation to the appropriate lists ++ * @dp: a pointer to the nfs4_delegation we are adding. ++ * @fp: a pointer to the nfs4_file we're granting a delegation on ++ * ++ * Return: ++ * On success: NULL if the delegation was successfully hashed. ++ * ++ * On error: -EAGAIN if one was previously granted to this ++ * nfs4_client for this nfs4_file. Delegation is not hashed. ++ * ++ */ ++ ++static int + hash_delegation_locked(struct nfs4_delegation *dp, struct nfs4_file *fp) + { ++ int status; ++ struct nfs4_client *clp = dp->dl_stid.sc_client; ++ + lockdep_assert_held(&state_lock); + lockdep_assert_held(&fp->fi_lock); + ++ status = nfs4_get_existing_delegation(clp, fp); ++ if (status) ++ return status; ++ ++fp->fi_delegees; + atomic_inc(&dp->dl_stid.sc_count); + dp->dl_stid.sc_type = NFS4_DELEG_STID; + list_add(&dp->dl_perfile, &fp->fi_delegations); +- list_add(&dp->dl_perclnt, &dp->dl_stid.sc_client->cl_delegations); ++ list_add(&dp->dl_perclnt, &clp->cl_delegations); ++ return 0; + } + + static bool +@@ -3351,6 +3403,7 @@ static void init_open_stateid(struct nfs4_ol_stateid *stp, struct nfs4_file *fp, + stp->st_access_bmap = 0; + stp->st_deny_bmap = 0; + stp->st_openstp = NULL; ++ init_rwsem(&stp->st_rwsem); + spin_lock(&oo->oo_owner.so_client->cl_lock); + list_add(&stp->st_perstateowner, &oo->oo_owner.so_stateids); + spin_lock(&fp->fi_lock); +@@ -3939,6 +3992,18 @@ static struct file_lock *nfs4_alloc_init_lease(struct nfs4_file *fp, int flag) + return fl; + } + ++/** ++ * nfs4_setlease - Obtain a delegation by requesting lease from vfs layer ++ * @dp: a pointer to the nfs4_delegation we're adding. ++ * ++ * Return: ++ * On success: Return code will be 0 on success. ++ * ++ * On error: -EAGAIN if there was an existing delegation. ++ * nonzero if there is an error in other cases. ++ * ++ */ ++ + static int nfs4_setlease(struct nfs4_delegation *dp) + { + struct nfs4_file *fp = dp->dl_stid.sc_file; +@@ -3970,16 +4035,19 @@ static int nfs4_setlease(struct nfs4_delegation *dp) + goto out_unlock; + /* Race breaker */ + if (fp->fi_deleg_file) { +- status = 0; +- ++fp->fi_delegees; +- hash_delegation_locked(dp, fp); ++ status = hash_delegation_locked(dp, fp); + goto out_unlock; + } + fp->fi_deleg_file = filp; +- fp->fi_delegees = 1; +- hash_delegation_locked(dp, fp); ++ fp->fi_delegees = 0; ++ status = hash_delegation_locked(dp, fp); + spin_unlock(&fp->fi_lock); + spin_unlock(&state_lock); ++ if (status) { ++ /* Should never happen, this is a new fi_deleg_file */ ++ WARN_ON_ONCE(1); ++ goto out_fput; ++ } + return 0; + out_unlock: + spin_unlock(&fp->fi_lock); +@@ -3999,6 +4067,15 @@ nfs4_set_delegation(struct nfs4_client *clp, struct svc_fh *fh, + if (fp->fi_had_conflict) + return ERR_PTR(-EAGAIN); + ++ spin_lock(&state_lock); ++ spin_lock(&fp->fi_lock); ++ status = nfs4_get_existing_delegation(clp, fp); ++ spin_unlock(&fp->fi_lock); ++ spin_unlock(&state_lock); ++ ++ if (status) ++ return ERR_PTR(status); ++ + dp = alloc_init_deleg(clp, fh, odstate); + if (!dp) + return ERR_PTR(-ENOMEM); +@@ -4017,9 +4094,7 @@ nfs4_set_delegation(struct nfs4_client *clp, struct svc_fh *fh, + status = -EAGAIN; + goto out_unlock; + } +- ++fp->fi_delegees; +- hash_delegation_locked(dp, fp); +- status = 0; ++ status = hash_delegation_locked(dp, fp); + out_unlock: + spin_unlock(&fp->fi_lock); + spin_unlock(&state_lock); +@@ -4180,15 +4255,20 @@ nfsd4_process_open2(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nf + */ + if (stp) { + /* Stateid was found, this is an OPEN upgrade */ ++ down_read(&stp->st_rwsem); + status = nfs4_upgrade_open(rqstp, fp, current_fh, stp, open); +- if (status) ++ if (status) { ++ up_read(&stp->st_rwsem); + goto out; ++ } + } else { + stp = open->op_stp; + open->op_stp = NULL; + init_open_stateid(stp, fp, open); ++ down_read(&stp->st_rwsem); + status = nfs4_get_vfs_file(rqstp, fp, current_fh, stp, open); + if (status) { ++ up_read(&stp->st_rwsem); + release_open_stateid(stp); + goto out; + } +@@ -4200,6 +4280,7 @@ nfsd4_process_open2(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nf + } + update_stateid(&stp->st_stid.sc_stateid); + memcpy(&open->op_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t)); ++ up_read(&stp->st_rwsem); + + if (nfsd4_has_session(&resp->cstate)) { + if (open->op_deleg_want & NFS4_SHARE_WANT_NO_DELEG) { +@@ -4814,10 +4895,13 @@ static __be32 nfs4_seqid_op_checks(struct nfsd4_compound_state *cstate, stateid_ + * revoked delegations are kept only for free_stateid. + */ + return nfserr_bad_stateid; ++ down_write(&stp->st_rwsem); + status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate)); +- if (status) +- return status; +- return nfs4_check_fh(current_fh, &stp->st_stid); ++ if (status == nfs_ok) ++ status = nfs4_check_fh(current_fh, &stp->st_stid); ++ if (status != nfs_ok) ++ up_write(&stp->st_rwsem); ++ return status; + } + + /* +@@ -4864,6 +4948,7 @@ static __be32 nfs4_preprocess_confirmed_seqid_op(struct nfsd4_compound_state *cs + return status; + oo = openowner(stp->st_stateowner); + if (!(oo->oo_flags & NFS4_OO_CONFIRMED)) { ++ up_write(&stp->st_rwsem); + nfs4_put_stid(&stp->st_stid); + return nfserr_bad_stateid; + } +@@ -4894,11 +4979,14 @@ nfsd4_open_confirm(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + goto out; + oo = openowner(stp->st_stateowner); + status = nfserr_bad_stateid; +- if (oo->oo_flags & NFS4_OO_CONFIRMED) ++ if (oo->oo_flags & NFS4_OO_CONFIRMED) { ++ up_write(&stp->st_rwsem); + goto put_stateid; ++ } + oo->oo_flags |= NFS4_OO_CONFIRMED; + update_stateid(&stp->st_stid.sc_stateid); + memcpy(&oc->oc_resp_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t)); ++ up_write(&stp->st_rwsem); + dprintk("NFSD: %s: success, seqid=%d stateid=" STATEID_FMT "\n", + __func__, oc->oc_seqid, STATEID_VAL(&stp->st_stid.sc_stateid)); + +@@ -4977,6 +5065,7 @@ nfsd4_open_downgrade(struct svc_rqst *rqstp, + memcpy(&od->od_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t)); + status = nfs_ok; + put_stateid: ++ up_write(&stp->st_rwsem); + nfs4_put_stid(&stp->st_stid); + out: + nfsd4_bump_seqid(cstate, status); +@@ -5030,6 +5119,7 @@ nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + goto out; + update_stateid(&stp->st_stid.sc_stateid); + memcpy(&close->cl_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t)); ++ up_write(&stp->st_rwsem); + + nfsd4_close_open_stateid(stp); + +@@ -5260,6 +5350,7 @@ init_lock_stateid(struct nfs4_ol_stateid *stp, struct nfs4_lockowner *lo, + stp->st_access_bmap = 0; + stp->st_deny_bmap = open_stp->st_deny_bmap; + stp->st_openstp = open_stp; ++ init_rwsem(&stp->st_rwsem); + list_add(&stp->st_locks, &open_stp->st_locks); + list_add(&stp->st_perstateowner, &lo->lo_owner.so_stateids); + spin_lock(&fp->fi_lock); +@@ -5428,6 +5519,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + &open_stp, nn); + if (status) + goto out; ++ up_write(&open_stp->st_rwsem); + open_sop = openowner(open_stp->st_stateowner); + status = nfserr_bad_stateid; + if (!same_clid(&open_sop->oo_owner.so_client->cl_clientid, +@@ -5435,6 +5527,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + goto out; + status = lookup_or_create_lock_state(cstate, open_stp, lock, + &lock_stp, &new); ++ if (status == nfs_ok) ++ down_write(&lock_stp->st_rwsem); + } else { + status = nfs4_preprocess_seqid_op(cstate, + lock->lk_old_lock_seqid, +@@ -5540,6 +5634,8 @@ out: + seqid_mutating_err(ntohl(status))) + lock_sop->lo_owner.so_seqid++; + ++ up_write(&lock_stp->st_rwsem); ++ + /* + * If this is a new, never-before-used stateid, and we are + * returning an error, then just go ahead and release it. +@@ -5710,6 +5806,7 @@ nfsd4_locku(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + fput: + fput(filp); + put_stateid: ++ up_write(&stp->st_rwsem); + nfs4_put_stid(&stp->st_stid); + out: + nfsd4_bump_seqid(cstate, status); +diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h +index 4874ce515fc1..fada614d6db1 100644 +--- a/fs/nfsd/state.h ++++ b/fs/nfsd/state.h +@@ -534,15 +534,16 @@ struct nfs4_file { + * Better suggestions welcome. + */ + struct nfs4_ol_stateid { +- struct nfs4_stid st_stid; /* must be first field */ +- struct list_head st_perfile; +- struct list_head st_perstateowner; +- struct list_head st_locks; +- struct nfs4_stateowner * st_stateowner; +- struct nfs4_clnt_odstate * st_clnt_odstate; +- unsigned char st_access_bmap; +- unsigned char st_deny_bmap; +- struct nfs4_ol_stateid * st_openstp; ++ struct nfs4_stid st_stid; ++ struct list_head st_perfile; ++ struct list_head st_perstateowner; ++ struct list_head st_locks; ++ struct nfs4_stateowner *st_stateowner; ++ struct nfs4_clnt_odstate *st_clnt_odstate; ++ unsigned char st_access_bmap; ++ unsigned char st_deny_bmap; ++ struct nfs4_ol_stateid *st_openstp; ++ struct rw_semaphore st_rwsem; + }; + + static inline struct nfs4_ol_stateid *openlockstateid(struct nfs4_stid *s) +diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c +index 6e6abb93fda5..ff040125c190 100644 +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -365,6 +365,8 @@ static int ocfs2_mknod(struct inode *dir, + mlog_errno(status); + goto leave; + } ++ /* update inode->i_mode after mask with "umask". */ ++ inode->i_mode = mode; + + handle = ocfs2_start_trans(osb, ocfs2_mknod_credits(osb->sb, + S_ISDIR(mode), +diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h +index 82806c60aa42..e4b464983322 100644 +--- a/include/linux/ipv6.h ++++ b/include/linux/ipv6.h +@@ -224,7 +224,7 @@ struct ipv6_pinfo { + struct ipv6_ac_socklist *ipv6_ac_list; + struct ipv6_fl_socklist __rcu *ipv6_fl_list; + +- struct ipv6_txoptions *opt; ++ struct ipv6_txoptions __rcu *opt; + struct sk_buff *pktoptions; + struct sk_buff *rxpmtu; + struct inet6_cork cork; +diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h +index eb1cebed3f36..c90c9b70e568 100644 +--- a/include/linux/jbd2.h ++++ b/include/linux/jbd2.h +@@ -1007,6 +1007,7 @@ struct journal_s + #define JBD2_ABORT_ON_SYNCDATA_ERR 0x040 /* Abort the journal on file + * data write error in ordered + * mode */ ++#define JBD2_REC_ERR 0x080 /* The errno in the sb has been recorded */ + + /* + * Function declarations for the journaling transaction and buffer +diff --git a/include/net/af_unix.h b/include/net/af_unix.h +index cb1b9bbda332..49c7683e1096 100644 +--- a/include/net/af_unix.h ++++ b/include/net/af_unix.h +@@ -62,6 +62,7 @@ struct unix_sock { + #define UNIX_GC_CANDIDATE 0 + #define UNIX_GC_MAYBE_CYCLE 1 + struct socket_wq peer_wq; ++ wait_queue_t peer_wake; + }; + + static inline struct unix_sock *unix_sk(struct sock *sk) +diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h +index 3b76849c190f..75a888c254e4 100644 +--- a/include/net/ip6_fib.h ++++ b/include/net/ip6_fib.h +@@ -165,7 +165,8 @@ static inline void rt6_update_expires(struct rt6_info *rt0, int timeout) + + static inline u32 rt6_get_cookie(const struct rt6_info *rt) + { +- if (rt->rt6i_flags & RTF_PCPU || unlikely(rt->dst.flags & DST_NOCACHE)) ++ if (rt->rt6i_flags & RTF_PCPU || ++ (unlikely(rt->dst.flags & DST_NOCACHE) && rt->dst.from)) + rt = (struct rt6_info *)(rt->dst.from); + + return rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0; +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h +index b8529aa1dae7..b0f7445c0fdc 100644 +--- a/include/net/ip6_tunnel.h ++++ b/include/net/ip6_tunnel.h +@@ -83,11 +83,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + err = ip6_local_out_sk(sk, skb); + + if (net_xmit_eval(err) == 0) { +- struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats); ++ struct pcpu_sw_netstats *tstats = get_cpu_ptr(dev->tstats); + u64_stats_update_begin(&tstats->syncp); + tstats->tx_bytes += pkt_len; + tstats->tx_packets++; + u64_stats_update_end(&tstats->syncp); ++ put_cpu_ptr(tstats); + } else { + stats->tx_errors++; + stats->tx_aborted_errors++; +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index d8214cb88bbc..9c2897e56ee1 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -207,12 +207,13 @@ static inline void iptunnel_xmit_stats(int err, + struct pcpu_sw_netstats __percpu *stats) + { + if (err > 0) { +- struct pcpu_sw_netstats *tstats = this_cpu_ptr(stats); ++ struct pcpu_sw_netstats *tstats = get_cpu_ptr(stats); + + u64_stats_update_begin(&tstats->syncp); + tstats->tx_bytes += err; + tstats->tx_packets++; + u64_stats_update_end(&tstats->syncp); ++ put_cpu_ptr(tstats); + } else if (err < 0) { + err_stats->tx_errors++; + err_stats->tx_aborted_errors++; +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index 82dbdb092a5d..177a89689095 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -205,6 +205,7 @@ extern rwlock_t ip6_ra_lock; + */ + + struct ipv6_txoptions { ++ atomic_t refcnt; + /* Length of this structure */ + int tot_len; + +@@ -217,7 +218,7 @@ struct ipv6_txoptions { + struct ipv6_opt_hdr *dst0opt; + struct ipv6_rt_hdr *srcrt; /* Routing Header */ + struct ipv6_opt_hdr *dst1opt; +- ++ struct rcu_head rcu; + /* Option buffer, as read by IPV6_PKTOPTIONS, starts here. */ + }; + +@@ -252,6 +253,24 @@ struct ipv6_fl_socklist { + struct rcu_head rcu; + }; + ++static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np) ++{ ++ struct ipv6_txoptions *opt; ++ ++ rcu_read_lock(); ++ opt = rcu_dereference(np->opt); ++ if (opt && !atomic_inc_not_zero(&opt->refcnt)) ++ opt = NULL; ++ rcu_read_unlock(); ++ return opt; ++} ++ ++static inline void txopt_put(struct ipv6_txoptions *opt) ++{ ++ if (opt && atomic_dec_and_test(&opt->refcnt)) ++ kfree_rcu(opt, rcu); ++} ++ + struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label); + struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space, + struct ip6_flowlabel *fl, +@@ -490,6 +509,7 @@ struct ip6_create_arg { + u32 user; + const struct in6_addr *src; + const struct in6_addr *dst; ++ int iif; + u8 ecn; + }; + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 2738f6f87908..49dda3835061 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -61,6 +61,9 @@ struct Qdisc { + */ + #define TCQ_F_WARN_NONWC (1 << 16) + #define TCQ_F_CPUSTATS 0x20 /* run using percpu statistics */ ++#define TCQ_F_NOPARENT 0x40 /* root of its hierarchy : ++ * qdisc_tree_decrease_qlen() should stop. ++ */ + u32 limit; + const struct Qdisc_ops *ops; + struct qdisc_size_table __rcu *stab; +diff --git a/include/net/switchdev.h b/include/net/switchdev.h +index d5671f118bfc..0b9197975603 100644 +--- a/include/net/switchdev.h ++++ b/include/net/switchdev.h +@@ -268,7 +268,7 @@ static inline int switchdev_port_fdb_dump(struct sk_buff *skb, + struct net_device *filter_dev, + int idx) + { +- return -EOPNOTSUPP; ++ return idx; + } + + #endif +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c +index cb31229a6fa4..34265a1ddb51 100644 +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -104,7 +104,7 @@ static int array_map_update_elem(struct bpf_map *map, void *key, void *value, + /* all elements already exist */ + return -EEXIST; + +- memcpy(array->value + array->elem_size * index, value, array->elem_size); ++ memcpy(array->value + array->elem_size * index, value, map->value_size); + return 0; + } + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 84195dacb8b6..ecdb1717ef3a 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2210,7 +2210,7 @@ static int pneigh_fill_info(struct sk_buff *skb, struct pneigh_entry *pn, + ndm->ndm_pad2 = 0; + ndm->ndm_flags = pn->flags | NTF_PROXY; + ndm->ndm_type = RTN_UNICAST; +- ndm->ndm_ifindex = pn->dev->ifindex; ++ ndm->ndm_ifindex = pn->dev ? pn->dev->ifindex : 0; + ndm->ndm_state = NUD_NONE; + + if (nla_put(skb, NDA_DST, tbl->key_len, pn->key)) +@@ -2285,7 +2285,7 @@ static int pneigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb, + if (h > s_h) + s_idx = 0; + for (n = tbl->phash_buckets[h], idx = 0; n; n = n->next) { +- if (dev_net(n->dev) != net) ++ if (pneigh_net(n) != net) + continue; + if (idx < s_idx) + goto next; +diff --git a/net/core/scm.c b/net/core/scm.c +index 3b6899b7d810..8a1741b14302 100644 +--- a/net/core/scm.c ++++ b/net/core/scm.c +@@ -305,6 +305,8 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm) + err = put_user(cmlen, &cm->cmsg_len); + if (!err) { + cmlen = CMSG_SPACE(i*sizeof(int)); ++ if (msg->msg_controllen < cmlen) ++ cmlen = msg->msg_controllen; + msg->msg_control += cmlen; + msg->msg_controllen -= cmlen; + } +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index 5165571f397a..a0490508d213 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -202,7 +202,9 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req) + security_req_classify_flow(req, flowi6_to_flowi(&fl6)); + + +- final_p = fl6_update_dst(&fl6, np->opt, &final); ++ rcu_read_lock(); ++ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final); ++ rcu_read_unlock(); + + dst = ip6_dst_lookup_flow(sk, &fl6, final_p); + if (IS_ERR(dst)) { +@@ -219,7 +221,10 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req) + &ireq->ir_v6_loc_addr, + &ireq->ir_v6_rmt_addr); + fl6.daddr = ireq->ir_v6_rmt_addr; +- err = ip6_xmit(sk, skb, &fl6, np->opt, np->tclass); ++ rcu_read_lock(); ++ err = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), ++ np->tclass); ++ rcu_read_unlock(); + err = net_xmit_eval(err); + } + +@@ -415,6 +420,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk, + { + struct inet_request_sock *ireq = inet_rsk(req); + struct ipv6_pinfo *newnp, *np = inet6_sk(sk); ++ struct ipv6_txoptions *opt; + struct inet_sock *newinet; + struct dccp6_sock *newdp6; + struct sock *newsk; +@@ -534,13 +540,15 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk, + * Yes, keeping reference count would be much more clever, but we make + * one more one thing there: reattach optmem to newsk. + */ +- if (np->opt != NULL) +- newnp->opt = ipv6_dup_options(newsk, np->opt); +- ++ opt = rcu_dereference(np->opt); ++ if (opt) { ++ opt = ipv6_dup_options(newsk, opt); ++ RCU_INIT_POINTER(newnp->opt, opt); ++ } + inet_csk(newsk)->icsk_ext_hdr_len = 0; +- if (newnp->opt != NULL) +- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen + +- newnp->opt->opt_flen); ++ if (opt) ++ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen + ++ opt->opt_flen; + + dccp_sync_mss(newsk, dst_mtu(dst)); + +@@ -793,6 +801,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + struct ipv6_pinfo *np = inet6_sk(sk); + struct dccp_sock *dp = dccp_sk(sk); + struct in6_addr *saddr = NULL, *final_p, final; ++ struct ipv6_txoptions *opt; + struct flowi6 fl6; + struct dst_entry *dst; + int addr_type; +@@ -892,7 +901,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + fl6.fl6_sport = inet->inet_sport; + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); + +- final_p = fl6_update_dst(&fl6, np->opt, &final); ++ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); ++ final_p = fl6_update_dst(&fl6, opt, &final); + + dst = ip6_dst_lookup_flow(sk, &fl6, final_p); + if (IS_ERR(dst)) { +@@ -912,9 +922,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + __ip6_dst_store(sk, dst, NULL, NULL); + + icsk->icsk_ext_hdr_len = 0; +- if (np->opt != NULL) +- icsk->icsk_ext_hdr_len = (np->opt->opt_flen + +- np->opt->opt_nflen); ++ if (opt) ++ icsk->icsk_ext_hdr_len = opt->opt_flen + opt->opt_nflen; + + inet->inet_dport = usin->sin6_port; + +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index df28693f32e1..c3bfebd501ed 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -134,7 +134,7 @@ static int __ipmr_fill_mroute(struct mr_table *mrt, struct sk_buff *skb, + struct mfc_cache *c, struct rtmsg *rtm); + static void mroute_netlink_event(struct mr_table *mrt, struct mfc_cache *mfc, + int cmd); +-static void mroute_clean_tables(struct mr_table *mrt); ++static void mroute_clean_tables(struct mr_table *mrt, bool all); + static void ipmr_expire_process(unsigned long arg); + + #ifdef CONFIG_IP_MROUTE_MULTIPLE_TABLES +@@ -351,7 +351,7 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id) + static void ipmr_free_table(struct mr_table *mrt) + { + del_timer_sync(&mrt->ipmr_expire_timer); +- mroute_clean_tables(mrt); ++ mroute_clean_tables(mrt, true); + kfree(mrt); + } + +@@ -1209,7 +1209,7 @@ static int ipmr_mfc_add(struct net *net, struct mr_table *mrt, + * Close the multicast socket, and clear the vif tables etc + */ + +-static void mroute_clean_tables(struct mr_table *mrt) ++static void mroute_clean_tables(struct mr_table *mrt, bool all) + { + int i; + LIST_HEAD(list); +@@ -1218,8 +1218,9 @@ static void mroute_clean_tables(struct mr_table *mrt) + /* Shut down all active vif entries */ + + for (i = 0; i < mrt->maxvif; i++) { +- if (!(mrt->vif_table[i].flags & VIFF_STATIC)) +- vif_delete(mrt, i, 0, &list); ++ if (!all && (mrt->vif_table[i].flags & VIFF_STATIC)) ++ continue; ++ vif_delete(mrt, i, 0, &list); + } + unregister_netdevice_many(&list); + +@@ -1227,7 +1228,7 @@ static void mroute_clean_tables(struct mr_table *mrt) + + for (i = 0; i < MFC_LINES; i++) { + list_for_each_entry_safe(c, next, &mrt->mfc_cache_array[i], list) { +- if (c->mfc_flags & MFC_STATIC) ++ if (!all && (c->mfc_flags & MFC_STATIC)) + continue; + list_del_rcu(&c->list); + mroute_netlink_event(mrt, c, RTM_DELROUTE); +@@ -1262,7 +1263,7 @@ static void mrtsock_destruct(struct sock *sk) + NETCONFA_IFINDEX_ALL, + net->ipv4.devconf_all); + RCU_INIT_POINTER(mrt->mroute_sk, NULL); +- mroute_clean_tables(mrt); ++ mroute_clean_tables(mrt, false); + } + } + rtnl_unlock(); +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 728f5b3d3c64..77730b43469d 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4434,19 +4434,34 @@ static int __must_check tcp_queue_rcv(struct sock *sk, struct sk_buff *skb, int + int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size) + { + struct sk_buff *skb; ++ int err = -ENOMEM; ++ int data_len = 0; + bool fragstolen; + + if (size == 0) + return 0; + +- skb = alloc_skb(size, sk->sk_allocation); ++ if (size > PAGE_SIZE) { ++ int npages = min_t(size_t, size >> PAGE_SHIFT, MAX_SKB_FRAGS); ++ ++ data_len = npages << PAGE_SHIFT; ++ size = data_len + (size & ~PAGE_MASK); ++ } ++ skb = alloc_skb_with_frags(size - data_len, data_len, ++ PAGE_ALLOC_COSTLY_ORDER, ++ &err, sk->sk_allocation); + if (!skb) + goto err; + ++ skb_put(skb, size - data_len); ++ skb->data_len = data_len; ++ skb->len = size; ++ + if (tcp_try_rmem_schedule(sk, skb, skb->truesize)) + goto err_free; + +- if (memcpy_from_msg(skb_put(skb, size), msg, size)) ++ err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, size); ++ if (err) + goto err_free; + + TCP_SKB_CB(skb)->seq = tcp_sk(sk)->rcv_nxt; +@@ -4462,7 +4477,8 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size) + err_free: + kfree_skb(skb); + err: +- return -ENOMEM; ++ return err; ++ + } + + static void tcp_data_queue(struct sock *sk, struct sk_buff *skb) +@@ -5620,6 +5636,7 @@ discard: + } + + tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1; ++ tp->copied_seq = tp->rcv_nxt; + tp->rcv_wup = TCP_SKB_CB(skb)->seq + 1; + + /* RFC1323: The window in SYN & SYN/ACK segments is +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 0ea2e1c5d395..569c63894472 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -922,7 +922,8 @@ int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr, + } + + md5sig = rcu_dereference_protected(tp->md5sig_info, +- sock_owned_by_user(sk)); ++ sock_owned_by_user(sk) || ++ lockdep_is_held(&sk->sk_lock.slock)); + if (!md5sig) { + md5sig = kmalloc(sizeof(*md5sig), gfp); + if (!md5sig) +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c +index 5b752f58a900..1e63c8fe1db8 100644 +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -176,6 +176,18 @@ static int tcp_write_timeout(struct sock *sk) + syn_set = true; + } else { + if (retransmits_timed_out(sk, sysctl_tcp_retries1, 0, 0)) { ++ /* Some middle-boxes may black-hole Fast Open _after_ ++ * the handshake. Therefore we conservatively disable ++ * Fast Open on this path on recurring timeouts with ++ * few or zero bytes acked after Fast Open. ++ */ ++ if (tp->syn_data_acked && ++ tp->bytes_acked <= tp->rx_opt.mss_clamp) { ++ tcp_fastopen_cache_set(sk, 0, NULL, true, 0); ++ if (icsk->icsk_retransmits == sysctl_tcp_retries1) ++ NET_INC_STATS_BH(sock_net(sk), ++ LINUX_MIB_TCPFASTOPENACTIVEFAIL); ++ } + /* Black hole detection */ + tcp_mtu_probing(icsk, sk); + +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c +index 7de52b65173f..d87519efc3bd 100644 +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -426,9 +426,11 @@ void inet6_destroy_sock(struct sock *sk) + + /* Free tx options */ + +- opt = xchg(&np->opt, NULL); +- if (opt) +- sock_kfree_s(sk, opt, opt->tot_len); ++ opt = xchg((__force struct ipv6_txoptions **)&np->opt, NULL); ++ if (opt) { ++ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); ++ txopt_put(opt); ++ } + } + EXPORT_SYMBOL_GPL(inet6_destroy_sock); + +@@ -657,7 +659,10 @@ int inet6_sk_rebuild_header(struct sock *sk) + fl6.fl6_sport = inet->inet_sport; + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); + +- final_p = fl6_update_dst(&fl6, np->opt, &final); ++ rcu_read_lock(); ++ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), ++ &final); ++ rcu_read_unlock(); + + dst = ip6_dst_lookup_flow(sk, &fl6, final_p); + if (IS_ERR(dst)) { +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c +index b10a88986a98..13ca4cf5616f 100644 +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -167,8 +167,10 @@ ipv4_connected: + + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); + +- opt = flowlabel ? flowlabel->opt : np->opt; ++ rcu_read_lock(); ++ opt = flowlabel ? flowlabel->opt : rcu_dereference(np->opt); + final_p = fl6_update_dst(&fl6, opt, &final); ++ rcu_read_unlock(); + + dst = ip6_dst_lookup_flow(sk, &fl6, final_p); + err = 0; +diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c +index a7bbbe45570b..adbd6958c398 100644 +--- a/net/ipv6/exthdrs.c ++++ b/net/ipv6/exthdrs.c +@@ -727,6 +727,7 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt) + *((char **)&opt2->dst1opt) += dif; + if (opt2->srcrt) + *((char **)&opt2->srcrt) += dif; ++ atomic_set(&opt2->refcnt, 1); + } + return opt2; + } +@@ -790,7 +791,7 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, + return ERR_PTR(-ENOBUFS); + + memset(opt2, 0, tot_len); +- ++ atomic_set(&opt2->refcnt, 1); + opt2->tot_len = tot_len; + p = (char *)(opt2 + 1); + +diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c +index 6927f3fb5597..9beed302eb36 100644 +--- a/net/ipv6/inet6_connection_sock.c ++++ b/net/ipv6/inet6_connection_sock.c +@@ -77,7 +77,9 @@ struct dst_entry *inet6_csk_route_req(struct sock *sk, + memset(fl6, 0, sizeof(*fl6)); + fl6->flowi6_proto = IPPROTO_TCP; + fl6->daddr = ireq->ir_v6_rmt_addr; +- final_p = fl6_update_dst(fl6, np->opt, &final); ++ rcu_read_lock(); ++ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final); ++ rcu_read_unlock(); + fl6->saddr = ireq->ir_v6_loc_addr; + fl6->flowi6_oif = ireq->ir_iif; + fl6->flowi6_mark = ireq->ir_mark; +@@ -207,7 +209,9 @@ static struct dst_entry *inet6_csk_route_socket(struct sock *sk, + fl6->fl6_dport = inet->inet_dport; + security_sk_classify_flow(sk, flowi6_to_flowi(fl6)); + +- final_p = fl6_update_dst(fl6, np->opt, &final); ++ rcu_read_lock(); ++ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final); ++ rcu_read_unlock(); + + dst = __inet6_csk_dst_check(sk, np->dst_cookie); + if (!dst) { +@@ -240,7 +244,8 @@ int inet6_csk_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl_unused + /* Restore final destination back after routing done */ + fl6.daddr = sk->sk_v6_daddr; + +- res = ip6_xmit(sk, skb, &fl6, np->opt, np->tclass); ++ res = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), ++ np->tclass); + rcu_read_unlock(); + return res; + } +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index 5f36266b1f5e..a7aef4b52d65 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -118,7 +118,7 @@ static void mr6_netlink_event(struct mr6_table *mrt, struct mfc6_cache *mfc, + int cmd); + static int ip6mr_rtm_dumproute(struct sk_buff *skb, + struct netlink_callback *cb); +-static void mroute_clean_tables(struct mr6_table *mrt); ++static void mroute_clean_tables(struct mr6_table *mrt, bool all); + static void ipmr_expire_process(unsigned long arg); + + #ifdef CONFIG_IPV6_MROUTE_MULTIPLE_TABLES +@@ -335,7 +335,7 @@ static struct mr6_table *ip6mr_new_table(struct net *net, u32 id) + static void ip6mr_free_table(struct mr6_table *mrt) + { + del_timer_sync(&mrt->ipmr_expire_timer); +- mroute_clean_tables(mrt); ++ mroute_clean_tables(mrt, true); + kfree(mrt); + } + +@@ -1543,7 +1543,7 @@ static int ip6mr_mfc_add(struct net *net, struct mr6_table *mrt, + * Close the multicast socket, and clear the vif tables etc + */ + +-static void mroute_clean_tables(struct mr6_table *mrt) ++static void mroute_clean_tables(struct mr6_table *mrt, bool all) + { + int i; + LIST_HEAD(list); +@@ -1553,8 +1553,9 @@ static void mroute_clean_tables(struct mr6_table *mrt) + * Shut down all active vif entries + */ + for (i = 0; i < mrt->maxvif; i++) { +- if (!(mrt->vif6_table[i].flags & VIFF_STATIC)) +- mif6_delete(mrt, i, &list); ++ if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC)) ++ continue; ++ mif6_delete(mrt, i, &list); + } + unregister_netdevice_many(&list); + +@@ -1563,7 +1564,7 @@ static void mroute_clean_tables(struct mr6_table *mrt) + */ + for (i = 0; i < MFC6_LINES; i++) { + list_for_each_entry_safe(c, next, &mrt->mfc6_cache_array[i], list) { +- if (c->mfc_flags & MFC_STATIC) ++ if (!all && (c->mfc_flags & MFC_STATIC)) + continue; + write_lock_bh(&mrt_lock); + list_del(&c->list); +@@ -1626,7 +1627,7 @@ int ip6mr_sk_done(struct sock *sk) + net->ipv6.devconf_all); + write_unlock_bh(&mrt_lock); + +- mroute_clean_tables(mrt); ++ mroute_clean_tables(mrt, false); + err = 0; + break; + } +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index 63e6956917c9..4449ad1f8114 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -111,7 +111,8 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk, + icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie); + } + } +- opt = xchg(&inet6_sk(sk)->opt, opt); ++ opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt, ++ opt); + sk_dst_reset(sk); + + return opt; +@@ -231,9 +232,12 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + sk->sk_socket->ops = &inet_dgram_ops; + sk->sk_family = PF_INET; + } +- opt = xchg(&np->opt, NULL); +- if (opt) +- sock_kfree_s(sk, opt, opt->tot_len); ++ opt = xchg((__force struct ipv6_txoptions **)&np->opt, ++ NULL); ++ if (opt) { ++ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); ++ txopt_put(opt); ++ } + pktopt = xchg(&np->pktoptions, NULL); + kfree_skb(pktopt); + +@@ -403,7 +407,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW)) + break; + +- opt = ipv6_renew_options(sk, np->opt, optname, ++ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); ++ opt = ipv6_renew_options(sk, opt, optname, + (struct ipv6_opt_hdr __user *)optval, + optlen); + if (IS_ERR(opt)) { +@@ -432,8 +437,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + retv = 0; + opt = ipv6_update_options(sk, opt); + sticky_done: +- if (opt) +- sock_kfree_s(sk, opt, opt->tot_len); ++ if (opt) { ++ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); ++ txopt_put(opt); ++ } + break; + } + +@@ -486,6 +493,7 @@ sticky_done: + break; + + memset(opt, 0, sizeof(*opt)); ++ atomic_set(&opt->refcnt, 1); + opt->tot_len = sizeof(*opt) + optlen; + retv = -EFAULT; + if (copy_from_user(opt+1, optval, optlen)) +@@ -502,8 +510,10 @@ update: + retv = 0; + opt = ipv6_update_options(sk, opt); + done: +- if (opt) +- sock_kfree_s(sk, opt, opt->tot_len); ++ if (opt) { ++ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); ++ txopt_put(opt); ++ } + break; + } + case IPV6_UNICAST_HOPS: +@@ -1110,10 +1120,11 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, + case IPV6_RTHDR: + case IPV6_DSTOPTS: + { ++ struct ipv6_txoptions *opt; + + lock_sock(sk); +- len = ipv6_getsockopt_sticky(sk, np->opt, +- optname, optval, len); ++ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); ++ len = ipv6_getsockopt_sticky(sk, opt, optname, optval, len); + release_sock(sk); + /* check if ipv6_getsockopt_sticky() returns err code */ + if (len < 0) +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index 083b2927fc67..41e3b5ee8d0b 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -1651,7 +1651,6 @@ out: + if (!err) { + ICMP6MSGOUT_INC_STATS(net, idev, ICMPV6_MLD2_REPORT); + ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS); +- IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, payload_len); + } else { + IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); + } +@@ -2014,7 +2013,6 @@ out: + if (!err) { + ICMP6MSGOUT_INC_STATS(net, idev, type); + ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS); +- IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, full_len); + } else + IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); + +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c +index 6d02498172c1..2a4682c847b0 100644 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -190,7 +190,7 @@ static void nf_ct_frag6_expire(unsigned long data) + /* Creation primitives. */ + static inline struct frag_queue *fq_find(struct net *net, __be32 id, + u32 user, struct in6_addr *src, +- struct in6_addr *dst, u8 ecn) ++ struct in6_addr *dst, int iif, u8 ecn) + { + struct inet_frag_queue *q; + struct ip6_create_arg arg; +@@ -200,6 +200,7 @@ static inline struct frag_queue *fq_find(struct net *net, __be32 id, + arg.user = user; + arg.src = src; + arg.dst = dst; ++ arg.iif = iif; + arg.ecn = ecn; + + local_bh_disable(); +@@ -603,7 +604,7 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user) + fhdr = (struct frag_hdr *)skb_transport_header(clone); + + fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr, +- ip6_frag_ecn(hdr)); ++ skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr)); + if (fq == NULL) { + pr_debug("Can't find and can't create new queue\n"); + goto ret_orig; +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index ca4700cb26c4..92d532967c90 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -731,6 +731,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd, + + static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + { ++ struct ipv6_txoptions *opt_to_free = NULL; + struct ipv6_txoptions opt_space; + DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name); + struct in6_addr *daddr, *final_p, final; +@@ -837,8 +838,10 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + if (!(opt->opt_nflen|opt->opt_flen)) + opt = NULL; + } +- if (!opt) +- opt = np->opt; ++ if (!opt) { ++ opt = txopt_get(np); ++ opt_to_free = opt; ++ } + if (flowlabel) + opt = fl6_merge_options(&opt_space, flowlabel, opt); + opt = ipv6_fixup_options(&opt_space, opt); +@@ -904,6 +907,7 @@ done: + dst_release(dst); + out: + fl6_sock_release(flowlabel); ++ txopt_put(opt_to_free); + return err < 0 ? err : len; + do_confirm: + dst_confirm(dst); +diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c +index f1159bb76e0a..04013a910ce5 100644 +--- a/net/ipv6/reassembly.c ++++ b/net/ipv6/reassembly.c +@@ -108,7 +108,10 @@ bool ip6_frag_match(const struct inet_frag_queue *q, const void *a) + return fq->id == arg->id && + fq->user == arg->user && + ipv6_addr_equal(&fq->saddr, arg->src) && +- ipv6_addr_equal(&fq->daddr, arg->dst); ++ ipv6_addr_equal(&fq->daddr, arg->dst) && ++ (arg->iif == fq->iif || ++ !(ipv6_addr_type(arg->dst) & (IPV6_ADDR_MULTICAST | ++ IPV6_ADDR_LINKLOCAL))); + } + EXPORT_SYMBOL(ip6_frag_match); + +@@ -180,7 +183,7 @@ static void ip6_frag_expire(unsigned long data) + + static struct frag_queue * + fq_find(struct net *net, __be32 id, const struct in6_addr *src, +- const struct in6_addr *dst, u8 ecn) ++ const struct in6_addr *dst, int iif, u8 ecn) + { + struct inet_frag_queue *q; + struct ip6_create_arg arg; +@@ -190,6 +193,7 @@ fq_find(struct net *net, __be32 id, const struct in6_addr *src, + arg.user = IP6_DEFRAG_LOCAL_DELIVER; + arg.src = src; + arg.dst = dst; ++ arg.iif = iif; + arg.ecn = ecn; + + hash = inet6_hash_frag(id, src, dst); +@@ -551,7 +555,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb) + } + + fq = fq_find(net, fhdr->identification, &hdr->saddr, &hdr->daddr, +- ip6_frag_ecn(hdr)); ++ skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr)); + if (fq) { + int ret; + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index dd6ebba5846c..8478719ef500 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -401,6 +401,14 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev, + } + } + ++static bool __rt6_check_expired(const struct rt6_info *rt) ++{ ++ if (rt->rt6i_flags & RTF_EXPIRES) ++ return time_after(jiffies, rt->dst.expires); ++ else ++ return false; ++} ++ + static bool rt6_check_expired(const struct rt6_info *rt) + { + if (rt->rt6i_flags & RTF_EXPIRES) { +@@ -1255,7 +1263,8 @@ static struct dst_entry *rt6_check(struct rt6_info *rt, u32 cookie) + + static struct dst_entry *rt6_dst_from_check(struct rt6_info *rt, u32 cookie) + { +- if (rt->dst.obsolete == DST_OBSOLETE_FORCE_CHK && ++ if (!__rt6_check_expired(rt) && ++ rt->dst.obsolete == DST_OBSOLETE_FORCE_CHK && + rt6_check((struct rt6_info *)(rt->dst.from), cookie)) + return &rt->dst; + else +@@ -1275,7 +1284,8 @@ static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie) + + rt6_dst_from_metrics_check(rt); + +- if ((rt->rt6i_flags & RTF_PCPU) || unlikely(dst->flags & DST_NOCACHE)) ++ if (rt->rt6i_flags & RTF_PCPU || ++ (unlikely(dst->flags & DST_NOCACHE) && rt->dst.from)) + return rt6_dst_from_check(rt, cookie); + else + return rt6_check(rt, cookie); +@@ -1326,6 +1336,12 @@ static void rt6_do_update_pmtu(struct rt6_info *rt, u32 mtu) + rt6_update_expires(rt, net->ipv6.sysctl.ip6_rt_mtu_expires); + } + ++static bool rt6_cache_allowed_for_pmtu(const struct rt6_info *rt) ++{ ++ return !(rt->rt6i_flags & RTF_CACHE) && ++ (rt->rt6i_flags & RTF_PCPU || rt->rt6i_node); ++} ++ + static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk, + const struct ipv6hdr *iph, u32 mtu) + { +@@ -1339,7 +1355,7 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk, + if (mtu >= dst_mtu(dst)) + return; + +- if (rt6->rt6i_flags & RTF_CACHE) { ++ if (!rt6_cache_allowed_for_pmtu(rt6)) { + rt6_do_update_pmtu(rt6, mtu); + } else { + const struct in6_addr *daddr, *saddr; +diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c +index 0909f4e0d53c..f30bfdcdea54 100644 +--- a/net/ipv6/syncookies.c ++++ b/net/ipv6/syncookies.c +@@ -225,7 +225,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) + memset(&fl6, 0, sizeof(fl6)); + fl6.flowi6_proto = IPPROTO_TCP; + fl6.daddr = ireq->ir_v6_rmt_addr; +- final_p = fl6_update_dst(&fl6, np->opt, &final); ++ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final); + fl6.saddr = ireq->ir_v6_loc_addr; + fl6.flowi6_oif = sk->sk_bound_dev_if; + fl6.flowi6_mark = ireq->ir_mark; +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 7a6cea5e4274..45e473ee340b 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -120,6 +120,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + struct ipv6_pinfo *np = inet6_sk(sk); + struct tcp_sock *tp = tcp_sk(sk); + struct in6_addr *saddr = NULL, *final_p, final; ++ struct ipv6_txoptions *opt; + struct flowi6 fl6; + struct dst_entry *dst; + int addr_type; +@@ -235,7 +236,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + fl6.fl6_dport = usin->sin6_port; + fl6.fl6_sport = inet->inet_sport; + +- final_p = fl6_update_dst(&fl6, np->opt, &final); ++ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); ++ final_p = fl6_update_dst(&fl6, opt, &final); + + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); + +@@ -263,9 +265,9 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + tcp_fetch_timewait_stamp(sk, dst); + + icsk->icsk_ext_hdr_len = 0; +- if (np->opt) +- icsk->icsk_ext_hdr_len = (np->opt->opt_flen + +- np->opt->opt_nflen); ++ if (opt) ++ icsk->icsk_ext_hdr_len = opt->opt_flen + ++ opt->opt_nflen; + + tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr); + +@@ -461,7 +463,8 @@ static int tcp_v6_send_synack(struct sock *sk, struct dst_entry *dst, + fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts)); + + skb_set_queue_mapping(skb, queue_mapping); +- err = ip6_xmit(sk, skb, fl6, np->opt, np->tclass); ++ err = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), ++ np->tclass); + err = net_xmit_eval(err); + } + +@@ -991,6 +994,7 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, + struct inet_request_sock *ireq; + struct ipv6_pinfo *newnp, *np = inet6_sk(sk); + struct tcp6_sock *newtcp6sk; ++ struct ipv6_txoptions *opt; + struct inet_sock *newinet; + struct tcp_sock *newtp; + struct sock *newsk; +@@ -1126,13 +1130,15 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, + but we make one more one thing there: reattach optmem + to newsk. + */ +- if (np->opt) +- newnp->opt = ipv6_dup_options(newsk, np->opt); +- ++ opt = rcu_dereference(np->opt); ++ if (opt) { ++ opt = ipv6_dup_options(newsk, opt); ++ RCU_INIT_POINTER(newnp->opt, opt); ++ } + inet_csk(newsk)->icsk_ext_hdr_len = 0; +- if (newnp->opt) +- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen + +- newnp->opt->opt_flen); ++ if (opt) ++ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen + ++ opt->opt_flen; + + tcp_ca_openreq_child(newsk, dst); + +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index e51fc3eee6db..7333f3575fc5 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1107,6 +1107,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name); + struct in6_addr *daddr, *final_p, final; + struct ipv6_txoptions *opt = NULL; ++ struct ipv6_txoptions *opt_to_free = NULL; + struct ip6_flowlabel *flowlabel = NULL; + struct flowi6 fl6; + struct dst_entry *dst; +@@ -1260,8 +1261,10 @@ do_udp_sendmsg: + opt = NULL; + connected = 0; + } +- if (!opt) +- opt = np->opt; ++ if (!opt) { ++ opt = txopt_get(np); ++ opt_to_free = opt; ++ } + if (flowlabel) + opt = fl6_merge_options(&opt_space, flowlabel, opt); + opt = ipv6_fixup_options(&opt_space, opt); +@@ -1370,6 +1373,7 @@ release_dst: + out: + dst_release(dst); + fl6_sock_release(flowlabel); ++ txopt_put(opt_to_free); + if (!err) + return len; + /* +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index d1ded3777815..0ce9da948ad7 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -486,6 +486,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + DECLARE_SOCKADDR(struct sockaddr_l2tpip6 *, lsa, msg->msg_name); + struct in6_addr *daddr, *final_p, final; + struct ipv6_pinfo *np = inet6_sk(sk); ++ struct ipv6_txoptions *opt_to_free = NULL; + struct ipv6_txoptions *opt = NULL; + struct ip6_flowlabel *flowlabel = NULL; + struct dst_entry *dst = NULL; +@@ -575,8 +576,10 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + opt = NULL; + } + +- if (opt == NULL) +- opt = np->opt; ++ if (!opt) { ++ opt = txopt_get(np); ++ opt_to_free = opt; ++ } + if (flowlabel) + opt = fl6_merge_options(&opt_space, flowlabel, opt); + opt = ipv6_fixup_options(&opt_space, opt); +@@ -631,6 +634,7 @@ done: + dst_release(dst); + out: + fl6_sock_release(flowlabel); ++ txopt_put(opt_to_free); + + return err < 0 ? err : len; + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 71cb085e16fd..71d671c06952 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1622,6 +1622,20 @@ static void fanout_release(struct sock *sk) + kfree_rcu(po->rollover, rcu); + } + ++static bool packet_extra_vlan_len_allowed(const struct net_device *dev, ++ struct sk_buff *skb) ++{ ++ /* Earlier code assumed this would be a VLAN pkt, double-check ++ * this now that we have the actual packet in hand. We can only ++ * do this check on Ethernet devices. ++ */ ++ if (unlikely(dev->type != ARPHRD_ETHER)) ++ return false; ++ ++ skb_reset_mac_header(skb); ++ return likely(eth_hdr(skb)->h_proto == htons(ETH_P_8021Q)); ++} ++ + static const struct proto_ops packet_ops; + + static const struct proto_ops packet_ops_spkt; +@@ -1783,18 +1797,10 @@ retry: + goto retry; + } + +- if (len > (dev->mtu + dev->hard_header_len + extra_len)) { +- /* Earlier code assumed this would be a VLAN pkt, +- * double-check this now that we have the actual +- * packet in hand. +- */ +- struct ethhdr *ehdr; +- skb_reset_mac_header(skb); +- ehdr = eth_hdr(skb); +- if (ehdr->h_proto != htons(ETH_P_8021Q)) { +- err = -EMSGSIZE; +- goto out_unlock; +- } ++ if (len > (dev->mtu + dev->hard_header_len + extra_len) && ++ !packet_extra_vlan_len_allowed(dev, skb)) { ++ err = -EMSGSIZE; ++ goto out_unlock; + } + + skb->protocol = proto; +@@ -2213,6 +2219,15 @@ static bool ll_header_truncated(const struct net_device *dev, int len) + return false; + } + ++static void tpacket_set_protocol(const struct net_device *dev, ++ struct sk_buff *skb) ++{ ++ if (dev->type == ARPHRD_ETHER) { ++ skb_reset_mac_header(skb); ++ skb->protocol = eth_hdr(skb)->h_proto; ++ } ++} ++ + static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, + void *frame, struct net_device *dev, int size_max, + __be16 proto, unsigned char *addr, int hlen) +@@ -2249,8 +2264,6 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, + skb_reserve(skb, hlen); + skb_reset_network_header(skb); + +- if (!packet_use_direct_xmit(po)) +- skb_probe_transport_header(skb, 0); + if (unlikely(po->tp_tx_has_off)) { + int off_min, off_max, off; + off_min = po->tp_hdrlen - sizeof(struct sockaddr_ll); +@@ -2296,6 +2309,8 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, + dev->hard_header_len); + if (unlikely(err)) + return err; ++ if (!skb->protocol) ++ tpacket_set_protocol(dev, skb); + + data += dev->hard_header_len; + to_write -= dev->hard_header_len; +@@ -2330,6 +2345,8 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, + len = ((to_write > len_max) ? len_max : to_write); + } + ++ skb_probe_transport_header(skb, 0); ++ + return tp_len; + } + +@@ -2374,12 +2391,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + if (unlikely(!(dev->flags & IFF_UP))) + goto out_put; + +- reserve = dev->hard_header_len + VLAN_HLEN; ++ if (po->sk.sk_socket->type == SOCK_RAW) ++ reserve = dev->hard_header_len; + size_max = po->tx_ring.frame_size + - (po->tp_hdrlen - sizeof(struct sockaddr_ll)); + +- if (size_max > dev->mtu + reserve) +- size_max = dev->mtu + reserve; ++ if (size_max > dev->mtu + reserve + VLAN_HLEN) ++ size_max = dev->mtu + reserve + VLAN_HLEN; + + do { + ph = packet_current_frame(po, &po->tx_ring, +@@ -2406,18 +2424,10 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + tp_len = tpacket_fill_skb(po, skb, ph, dev, size_max, proto, + addr, hlen); + if (likely(tp_len >= 0) && +- tp_len > dev->mtu + dev->hard_header_len) { +- struct ethhdr *ehdr; +- /* Earlier code assumed this would be a VLAN pkt, +- * double-check this now that we have the actual +- * packet in hand. +- */ ++ tp_len > dev->mtu + reserve && ++ !packet_extra_vlan_len_allowed(dev, skb)) ++ tp_len = -EMSGSIZE; + +- skb_reset_mac_header(skb); +- ehdr = eth_hdr(skb); +- if (ehdr->h_proto != htons(ETH_P_8021Q)) +- tp_len = -EMSGSIZE; +- } + if (unlikely(tp_len < 0)) { + if (po->tp_loss) { + __packet_set_status(po, ph, +@@ -2638,18 +2648,10 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + + sock_tx_timestamp(sk, &skb_shinfo(skb)->tx_flags); + +- if (!gso_type && (len > dev->mtu + reserve + extra_len)) { +- /* Earlier code assumed this would be a VLAN pkt, +- * double-check this now that we have the actual +- * packet in hand. +- */ +- struct ethhdr *ehdr; +- skb_reset_mac_header(skb); +- ehdr = eth_hdr(skb); +- if (ehdr->h_proto != htons(ETH_P_8021Q)) { +- err = -EMSGSIZE; +- goto out_free; +- } ++ if (!gso_type && (len > dev->mtu + reserve + extra_len) && ++ !packet_extra_vlan_len_allowed(dev, skb)) { ++ err = -EMSGSIZE; ++ goto out_free; + } + + skb->protocol = proto; +@@ -2680,8 +2682,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + len += vnet_hdr_len; + } + +- if (!packet_use_direct_xmit(po)) +- skb_probe_transport_header(skb, reserve); ++ skb_probe_transport_header(skb, reserve); ++ + if (unlikely(extra_len == 4)) + skb->no_fcs = 1; + +diff --git a/net/rds/connection.c b/net/rds/connection.c +index 9d66705f9d41..da6da57e5f36 100644 +--- a/net/rds/connection.c ++++ b/net/rds/connection.c +@@ -187,12 +187,6 @@ new_conn: + } + } + +- if (trans == NULL) { +- kmem_cache_free(rds_conn_slab, conn); +- conn = ERR_PTR(-ENODEV); +- goto out; +- } +- + conn->c_trans = trans; + + ret = trans->conn_alloc(conn, gfp); +diff --git a/net/rds/send.c b/net/rds/send.c +index e9430f537f9c..7b30c0f3180d 100644 +--- a/net/rds/send.c ++++ b/net/rds/send.c +@@ -986,11 +986,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len) + release_sock(sk); + } + +- /* racing with another thread binding seems ok here */ ++ lock_sock(sk); + if (daddr == 0 || rs->rs_bound_addr == 0) { ++ release_sock(sk); + ret = -ENOTCONN; /* XXX not a great errno */ + goto out; + } ++ release_sock(sk); + + /* size of rm including all sgs */ + ret = rds_rm_size(msg, payload_len); +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index f06aa01d60fd..1a0aa2a7cfeb 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -253,7 +253,8 @@ int qdisc_set_default(const char *name) + } + + /* We know handle. Find qdisc among all qdisc's attached to device +- (root qdisc, all its children, children of children etc.) ++ * (root qdisc, all its children, children of children etc.) ++ * Note: caller either uses rtnl or rcu_read_lock() + */ + + static struct Qdisc *qdisc_match_from_root(struct Qdisc *root, u32 handle) +@@ -264,7 +265,7 @@ static struct Qdisc *qdisc_match_from_root(struct Qdisc *root, u32 handle) + root->handle == handle) + return root; + +- list_for_each_entry(q, &root->list, list) { ++ list_for_each_entry_rcu(q, &root->list, list) { + if (q->handle == handle) + return q; + } +@@ -277,15 +278,18 @@ void qdisc_list_add(struct Qdisc *q) + struct Qdisc *root = qdisc_dev(q)->qdisc; + + WARN_ON_ONCE(root == &noop_qdisc); +- list_add_tail(&q->list, &root->list); ++ ASSERT_RTNL(); ++ list_add_tail_rcu(&q->list, &root->list); + } + } + EXPORT_SYMBOL(qdisc_list_add); + + void qdisc_list_del(struct Qdisc *q) + { +- if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS)) +- list_del(&q->list); ++ if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS)) { ++ ASSERT_RTNL(); ++ list_del_rcu(&q->list); ++ } + } + EXPORT_SYMBOL(qdisc_list_del); + +@@ -750,14 +754,18 @@ void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n) + if (n == 0) + return; + drops = max_t(int, n, 0); ++ rcu_read_lock(); + while ((parentid = sch->parent)) { + if (TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS)) +- return; ++ break; + ++ if (sch->flags & TCQ_F_NOPARENT) ++ break; ++ /* TODO: perform the search on a per txq basis */ + sch = qdisc_lookup(qdisc_dev(sch), TC_H_MAJ(parentid)); + if (sch == NULL) { +- WARN_ON(parentid != TC_H_ROOT); +- return; ++ WARN_ON_ONCE(parentid != TC_H_ROOT); ++ break; + } + cops = sch->ops->cl_ops; + if (cops->qlen_notify) { +@@ -768,6 +776,7 @@ void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n) + sch->q.qlen -= n; + __qdisc_qstats_drop(sch, drops); + } ++ rcu_read_unlock(); + } + EXPORT_SYMBOL(qdisc_tree_decrease_qlen); + +@@ -941,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue, + } + lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock); + if (!netif_is_multiqueue(dev)) +- sch->flags |= TCQ_F_ONETXQUEUE; ++ sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + } + + sch->handle = handle; +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index 6efca30894aa..b453270be3fd 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -743,7 +743,7 @@ static void attach_one_default_qdisc(struct net_device *dev, + return; + } + if (!netif_is_multiqueue(dev)) +- qdisc->flags |= TCQ_F_ONETXQUEUE; ++ qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + } + dev_queue->qdisc_sleeping = qdisc; + } +diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c +index f3cbaecd283a..3e82f047caaf 100644 +--- a/net/sched/sch_mq.c ++++ b/net/sched/sch_mq.c +@@ -63,7 +63,7 @@ static int mq_init(struct Qdisc *sch, struct nlattr *opt) + if (qdisc == NULL) + goto err; + priv->qdiscs[ntx] = qdisc; +- qdisc->flags |= TCQ_F_ONETXQUEUE; ++ qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + } + + sch->flags |= TCQ_F_MQROOT; +@@ -156,7 +156,7 @@ static int mq_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new, + + *old = dev_graft_qdisc(dev_queue, new); + if (new) +- new->flags |= TCQ_F_ONETXQUEUE; ++ new->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + if (dev->flags & IFF_UP) + dev_activate(dev); + return 0; +diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c +index 3811a745452c..ad70ecf57ce7 100644 +--- a/net/sched/sch_mqprio.c ++++ b/net/sched/sch_mqprio.c +@@ -132,7 +132,7 @@ static int mqprio_init(struct Qdisc *sch, struct nlattr *opt) + goto err; + } + priv->qdiscs[i] = qdisc; +- qdisc->flags |= TCQ_F_ONETXQUEUE; ++ qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + } + + /* If the mqprio options indicate that hardware should own +@@ -209,7 +209,7 @@ static int mqprio_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new, + *old = dev_graft_qdisc(dev_queue, new); + + if (new) +- new->flags |= TCQ_F_ONETXQUEUE; ++ new->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + + if (dev->flags & IFF_UP) + dev_activate(dev); +diff --git a/net/sctp/auth.c b/net/sctp/auth.c +index 4f15b7d730e1..1543e39f47c3 100644 +--- a/net/sctp/auth.c ++++ b/net/sctp/auth.c +@@ -809,8 +809,8 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep, + if (!has_sha1) + return -EINVAL; + +- memcpy(ep->auth_hmacs_list->hmac_ids, &hmacs->shmac_idents[0], +- hmacs->shmac_num_idents * sizeof(__u16)); ++ for (i = 0; i < hmacs->shmac_num_idents; i++) ++ ep->auth_hmacs_list->hmac_ids[i] = htons(hmacs->shmac_idents[i]); + ep->auth_hmacs_list->param_hdr.length = htons(sizeof(sctp_paramhdr_t) + + hmacs->shmac_num_idents * sizeof(__u16)); + return 0; +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 17bef01b9aa3..3ec88be0faec 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7375,6 +7375,13 @@ struct proto sctp_prot = { + + #if IS_ENABLED(CONFIG_IPV6) + ++#include ++static void sctp_v6_destroy_sock(struct sock *sk) ++{ ++ sctp_destroy_sock(sk); ++ inet6_destroy_sock(sk); ++} ++ + struct proto sctpv6_prot = { + .name = "SCTPv6", + .owner = THIS_MODULE, +@@ -7384,7 +7391,7 @@ struct proto sctpv6_prot = { + .accept = sctp_accept, + .ioctl = sctp_ioctl, + .init = sctp_init_sock, +- .destroy = sctp_destroy_sock, ++ .destroy = sctp_v6_destroy_sock, + .shutdown = sctp_shutdown, + .setsockopt = sctp_setsockopt, + .getsockopt = sctp_getsockopt, +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 94f658235fb4..128b0982c96b 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -326,6 +326,118 @@ found: + return s; + } + ++/* Support code for asymmetrically connected dgram sockets ++ * ++ * If a datagram socket is connected to a socket not itself connected ++ * to the first socket (eg, /dev/log), clients may only enqueue more ++ * messages if the present receive queue of the server socket is not ++ * "too large". This means there's a second writeability condition ++ * poll and sendmsg need to test. The dgram recv code will do a wake ++ * up on the peer_wait wait queue of a socket upon reception of a ++ * datagram which needs to be propagated to sleeping would-be writers ++ * since these might not have sent anything so far. This can't be ++ * accomplished via poll_wait because the lifetime of the server ++ * socket might be less than that of its clients if these break their ++ * association with it or if the server socket is closed while clients ++ * are still connected to it and there's no way to inform "a polling ++ * implementation" that it should let go of a certain wait queue ++ * ++ * In order to propagate a wake up, a wait_queue_t of the client ++ * socket is enqueued on the peer_wait queue of the server socket ++ * whose wake function does a wake_up on the ordinary client socket ++ * wait queue. This connection is established whenever a write (or ++ * poll for write) hit the flow control condition and broken when the ++ * association to the server socket is dissolved or after a wake up ++ * was relayed. ++ */ ++ ++static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags, ++ void *key) ++{ ++ struct unix_sock *u; ++ wait_queue_head_t *u_sleep; ++ ++ u = container_of(q, struct unix_sock, peer_wake); ++ ++ __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait, ++ q); ++ u->peer_wake.private = NULL; ++ ++ /* relaying can only happen while the wq still exists */ ++ u_sleep = sk_sleep(&u->sk); ++ if (u_sleep) ++ wake_up_interruptible_poll(u_sleep, key); ++ ++ return 0; ++} ++ ++static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other) ++{ ++ struct unix_sock *u, *u_other; ++ int rc; ++ ++ u = unix_sk(sk); ++ u_other = unix_sk(other); ++ rc = 0; ++ spin_lock(&u_other->peer_wait.lock); ++ ++ if (!u->peer_wake.private) { ++ u->peer_wake.private = other; ++ __add_wait_queue(&u_other->peer_wait, &u->peer_wake); ++ ++ rc = 1; ++ } ++ ++ spin_unlock(&u_other->peer_wait.lock); ++ return rc; ++} ++ ++static void unix_dgram_peer_wake_disconnect(struct sock *sk, ++ struct sock *other) ++{ ++ struct unix_sock *u, *u_other; ++ ++ u = unix_sk(sk); ++ u_other = unix_sk(other); ++ spin_lock(&u_other->peer_wait.lock); ++ ++ if (u->peer_wake.private == other) { ++ __remove_wait_queue(&u_other->peer_wait, &u->peer_wake); ++ u->peer_wake.private = NULL; ++ } ++ ++ spin_unlock(&u_other->peer_wait.lock); ++} ++ ++static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk, ++ struct sock *other) ++{ ++ unix_dgram_peer_wake_disconnect(sk, other); ++ wake_up_interruptible_poll(sk_sleep(sk), ++ POLLOUT | ++ POLLWRNORM | ++ POLLWRBAND); ++} ++ ++/* preconditions: ++ * - unix_peer(sk) == other ++ * - association is stable ++ */ ++static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) ++{ ++ int connected; ++ ++ connected = unix_dgram_peer_wake_connect(sk, other); ++ ++ if (unix_recvq_full(other)) ++ return 1; ++ ++ if (connected) ++ unix_dgram_peer_wake_disconnect(sk, other); ++ ++ return 0; ++} ++ + static inline int unix_writable(struct sock *sk) + { + return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf; +@@ -430,6 +542,8 @@ static void unix_release_sock(struct sock *sk, int embrion) + skpair->sk_state_change(skpair); + sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP); + } ++ ++ unix_dgram_peer_wake_disconnect(sk, skpair); + sock_put(skpair); /* It may now die */ + unix_peer(sk) = NULL; + } +@@ -440,6 +554,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + if (state == TCP_LISTEN) + unix_release_sock(skb->sk, 1); + /* passed fds are erased in the kfree_skb hook */ ++ UNIXCB(skb).consumed = skb->len; + kfree_skb(skb); + } + +@@ -664,6 +779,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern) + INIT_LIST_HEAD(&u->link); + mutex_init(&u->readlock); /* single task reading lock */ + init_waitqueue_head(&u->peer_wait); ++ init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay); + unix_insert_socket(unix_sockets_unbound(sk), sk); + out: + if (sk == NULL) +@@ -1031,6 +1147,8 @@ restart: + if (unix_peer(sk)) { + struct sock *old_peer = unix_peer(sk); + unix_peer(sk) = other; ++ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer); ++ + unix_state_double_unlock(sk, other); + + if (other != old_peer) +@@ -1432,6 +1550,14 @@ static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool sen + return err; + } + ++static bool unix_passcred_enabled(const struct socket *sock, ++ const struct sock *other) ++{ ++ return test_bit(SOCK_PASSCRED, &sock->flags) || ++ !other->sk_socket || ++ test_bit(SOCK_PASSCRED, &other->sk_socket->flags); ++} ++ + /* + * Some apps rely on write() giving SCM_CREDENTIALS + * We include credentials if source or destination socket +@@ -1442,14 +1568,41 @@ static void maybe_add_creds(struct sk_buff *skb, const struct socket *sock, + { + if (UNIXCB(skb).pid) + return; +- if (test_bit(SOCK_PASSCRED, &sock->flags) || +- !other->sk_socket || +- test_bit(SOCK_PASSCRED, &other->sk_socket->flags)) { ++ if (unix_passcred_enabled(sock, other)) { + UNIXCB(skb).pid = get_pid(task_tgid(current)); + current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid); + } + } + ++static int maybe_init_creds(struct scm_cookie *scm, ++ struct socket *socket, ++ const struct sock *other) ++{ ++ int err; ++ struct msghdr msg = { .msg_controllen = 0 }; ++ ++ err = scm_send(socket, &msg, scm, false); ++ if (err) ++ return err; ++ ++ if (unix_passcred_enabled(socket, other)) { ++ scm->pid = get_pid(task_tgid(current)); ++ current_uid_gid(&scm->creds.uid, &scm->creds.gid); ++ } ++ return err; ++} ++ ++static bool unix_skb_scm_eq(struct sk_buff *skb, ++ struct scm_cookie *scm) ++{ ++ const struct unix_skb_parms *u = &UNIXCB(skb); ++ ++ return u->pid == scm->pid && ++ uid_eq(u->uid, scm->creds.uid) && ++ gid_eq(u->gid, scm->creds.gid) && ++ unix_secdata_eq(scm, skb); ++} ++ + /* + * Send AF_UNIX data. + */ +@@ -1470,6 +1623,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + struct scm_cookie scm; + int max_level; + int data_len = 0; ++ int sk_locked; + + wait_for_unix_gc(); + err = scm_send(sock, msg, &scm, false); +@@ -1548,12 +1702,14 @@ restart: + goto out_free; + } + ++ sk_locked = 0; + unix_state_lock(other); ++restart_locked: + err = -EPERM; + if (!unix_may_send(sk, other)) + goto out_unlock; + +- if (sock_flag(other, SOCK_DEAD)) { ++ if (unlikely(sock_flag(other, SOCK_DEAD))) { + /* + * Check with 1003.1g - what should + * datagram error +@@ -1561,10 +1717,14 @@ restart: + unix_state_unlock(other); + sock_put(other); + ++ if (!sk_locked) ++ unix_state_lock(sk); ++ + err = 0; +- unix_state_lock(sk); + if (unix_peer(sk) == other) { + unix_peer(sk) = NULL; ++ unix_dgram_peer_wake_disconnect_wakeup(sk, other); ++ + unix_state_unlock(sk); + + unix_dgram_disconnected(sk, other); +@@ -1590,21 +1750,38 @@ restart: + goto out_unlock; + } + +- if (unix_peer(other) != sk && unix_recvq_full(other)) { +- if (!timeo) { +- err = -EAGAIN; +- goto out_unlock; ++ if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { ++ if (timeo) { ++ timeo = unix_wait_for_peer(other, timeo); ++ ++ err = sock_intr_errno(timeo); ++ if (signal_pending(current)) ++ goto out_free; ++ ++ goto restart; + } + +- timeo = unix_wait_for_peer(other, timeo); ++ if (!sk_locked) { ++ unix_state_unlock(other); ++ unix_state_double_lock(sk, other); ++ } + +- err = sock_intr_errno(timeo); +- if (signal_pending(current)) +- goto out_free; ++ if (unix_peer(sk) != other || ++ unix_dgram_peer_wake_me(sk, other)) { ++ err = -EAGAIN; ++ sk_locked = 1; ++ goto out_unlock; ++ } + +- goto restart; ++ if (!sk_locked) { ++ sk_locked = 1; ++ goto restart_locked; ++ } + } + ++ if (unlikely(sk_locked)) ++ unix_state_unlock(sk); ++ + if (sock_flag(other, SOCK_RCVTSTAMP)) + __net_timestamp(skb); + maybe_add_creds(skb, sock, other); +@@ -1618,6 +1795,8 @@ restart: + return len; + + out_unlock: ++ if (sk_locked) ++ unix_state_unlock(sk); + unix_state_unlock(other); + out_free: + kfree_skb(skb); +@@ -1739,8 +1918,10 @@ out_err: + static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page, + int offset, size_t size, int flags) + { +- int err = 0; +- bool send_sigpipe = true; ++ int err; ++ bool send_sigpipe = false; ++ bool init_scm = true; ++ struct scm_cookie scm; + struct sock *other, *sk = socket->sk; + struct sk_buff *skb, *newskb = NULL, *tail = NULL; + +@@ -1758,7 +1939,7 @@ alloc_skb: + newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT, + &err, 0); + if (!newskb) +- return err; ++ goto err; + } + + /* we must acquire readlock as we modify already present +@@ -1767,12 +1948,12 @@ alloc_skb: + err = mutex_lock_interruptible(&unix_sk(other)->readlock); + if (err) { + err = flags & MSG_DONTWAIT ? -EAGAIN : -ERESTARTSYS; +- send_sigpipe = false; + goto err; + } + + if (sk->sk_shutdown & SEND_SHUTDOWN) { + err = -EPIPE; ++ send_sigpipe = true; + goto err_unlock; + } + +@@ -1781,23 +1962,34 @@ alloc_skb: + if (sock_flag(other, SOCK_DEAD) || + other->sk_shutdown & RCV_SHUTDOWN) { + err = -EPIPE; ++ send_sigpipe = true; + goto err_state_unlock; + } + ++ if (init_scm) { ++ err = maybe_init_creds(&scm, socket, other); ++ if (err) ++ goto err_state_unlock; ++ init_scm = false; ++ } ++ + skb = skb_peek_tail(&other->sk_receive_queue); + if (tail && tail == skb) { + skb = newskb; +- } else if (!skb) { +- if (newskb) ++ } else if (!skb || !unix_skb_scm_eq(skb, &scm)) { ++ if (newskb) { + skb = newskb; +- else ++ } else { ++ tail = skb; + goto alloc_skb; ++ } + } else if (newskb) { + /* this is fast path, we don't necessarily need to + * call to kfree_skb even though with newskb == NULL + * this - does no harm + */ + consume_skb(newskb); ++ newskb = NULL; + } + + if (skb_append_pagefrags(skb, page, offset, size)) { +@@ -1810,14 +2002,20 @@ alloc_skb: + skb->truesize += size; + atomic_add(size, &sk->sk_wmem_alloc); + +- if (newskb) ++ if (newskb) { ++ err = unix_scm_to_skb(&scm, skb, false); ++ if (err) ++ goto err_state_unlock; ++ spin_lock(&other->sk_receive_queue.lock); + __skb_queue_tail(&other->sk_receive_queue, newskb); ++ spin_unlock(&other->sk_receive_queue.lock); ++ } + + unix_state_unlock(other); + mutex_unlock(&unix_sk(other)->readlock); + + other->sk_data_ready(other); +- ++ scm_destroy(&scm); + return size; + + err_state_unlock: +@@ -1828,6 +2026,8 @@ err: + kfree_skb(newskb); + if (send_sigpipe && !(flags & MSG_NOSIGNAL)) + send_sig(SIGPIPE, current, 0); ++ if (!init_scm) ++ scm_destroy(&scm); + return err; + } + +@@ -2071,6 +2271,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state) + + do { + int chunk; ++ bool drop_skb; + struct sk_buff *skb, *last; + + unix_state_lock(sk); +@@ -2130,10 +2331,7 @@ unlock: + + if (check_creds) { + /* Never glue messages from different writers */ +- if ((UNIXCB(skb).pid != scm.pid) || +- !uid_eq(UNIXCB(skb).uid, scm.creds.uid) || +- !gid_eq(UNIXCB(skb).gid, scm.creds.gid) || +- !unix_secdata_eq(&scm, skb)) ++ if (!unix_skb_scm_eq(skb, &scm)) + break; + } else if (test_bit(SOCK_PASSCRED, &sock->flags)) { + /* Copy credentials */ +@@ -2151,7 +2349,11 @@ unlock: + } + + chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size); ++ skb_get(skb); + chunk = state->recv_actor(skb, skip, chunk, state); ++ drop_skb = !unix_skb_len(skb); ++ /* skb is only safe to use if !drop_skb */ ++ consume_skb(skb); + if (chunk < 0) { + if (copied == 0) + copied = -EFAULT; +@@ -2160,6 +2362,18 @@ unlock: + copied += chunk; + size -= chunk; + ++ if (drop_skb) { ++ /* the skb was touched by a concurrent reader; ++ * we should not expect anything from this skb ++ * anymore and assume it invalid - we can be ++ * sure it was dropped from the socket queue ++ * ++ * let's report a short read ++ */ ++ err = 0; ++ break; ++ } ++ + /* Mark read part of skb as used */ + if (!(flags & MSG_PEEK)) { + UNIXCB(skb).consumed += chunk; +@@ -2453,14 +2667,16 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, + return mask; + + writable = unix_writable(sk); +- other = unix_peer_get(sk); +- if (other) { +- if (unix_peer(other) != sk) { +- sock_poll_wait(file, &unix_sk(other)->peer_wait, wait); +- if (unix_recvq_full(other)) +- writable = 0; +- } +- sock_put(other); ++ if (writable) { ++ unix_state_lock(sk); ++ ++ other = unix_peer(sk); ++ if (other && unix_peer(other) != sk && ++ unix_recvq_full(other) && ++ unix_dgram_peer_wake_me(sk, other)) ++ writable = 0; ++ ++ unix_state_unlock(sk); + } + + if (writable) +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index a97db5fc8a15..9d1f91db57e6 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -48,8 +48,9 @@ MODULE_PARM_DESC(static_hdmi_pcm, "Don't restrict PCM parameters per ELD info"); + #define is_haswell(codec) ((codec)->core.vendor_id == 0x80862807) + #define is_broadwell(codec) ((codec)->core.vendor_id == 0x80862808) + #define is_skylake(codec) ((codec)->core.vendor_id == 0x80862809) ++#define is_broxton(codec) ((codec)->core.vendor_id == 0x8086280a) + #define is_haswell_plus(codec) (is_haswell(codec) || is_broadwell(codec) \ +- || is_skylake(codec)) ++ || is_skylake(codec) || is_broxton(codec)) + + #define is_valleyview(codec) ((codec)->core.vendor_id == 0x80862882) + #define is_cherryview(codec) ((codec)->core.vendor_id == 0x80862883) +diff --git a/tools/net/Makefile b/tools/net/Makefile +index ee577ea03ba5..ddf888010652 100644 +--- a/tools/net/Makefile ++++ b/tools/net/Makefile +@@ -4,6 +4,9 @@ CC = gcc + LEX = flex + YACC = bison + ++CFLAGS += -Wall -O2 ++CFLAGS += -D__EXPORTED_HEADERS__ -I../../include/uapi -I../../include ++ + %.yacc.c: %.y + $(YACC) -o $@ -d $< + +@@ -12,15 +15,13 @@ YACC = bison + + all : bpf_jit_disasm bpf_dbg bpf_asm + +-bpf_jit_disasm : CFLAGS = -Wall -O2 -DPACKAGE='bpf_jit_disasm' ++bpf_jit_disasm : CFLAGS += -DPACKAGE='bpf_jit_disasm' + bpf_jit_disasm : LDLIBS = -lopcodes -lbfd -ldl + bpf_jit_disasm : bpf_jit_disasm.o + +-bpf_dbg : CFLAGS = -Wall -O2 + bpf_dbg : LDLIBS = -lreadline + bpf_dbg : bpf_dbg.o + +-bpf_asm : CFLAGS = -Wall -O2 -I. + bpf_asm : LDLIBS = + bpf_asm : bpf_asm.o bpf_exp.yacc.o bpf_exp.lex.o + bpf_exp.lex.o : bpf_exp.yacc.c